[BreachExchange] Idea to retire: Information security is IT security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 31 20:30:54 EDT 2016


http://www.brookings.edu/blogs/techtank/posts/2016/03/28-information-security-is-it-security-ahmad-shedden

Government cannot survive without consuming, digesting, and generating
masses of information on a routine basis. Much of this information is
sensitive and must be actively protected from an increasingly sophisticated
security threat landscape.

The profiles of attackers within this modern threat landscape vary
considerably—they may be based locally or internationally; and they may be
motivated by financial greed, competitive advantage, or even terrorism.
However, across all of these various profiles some general trends have
emerged: attackers are becoming more resourceful, possess increasingly
varied skill sets, and are willing to engage their targets for longer
periods of time in order to achieve their aims.

One high profile incident occurred in June of 2015, when hackers stole
sensitive personnel data related to every current or retired federal
employee from the Office of Personnel Management (OPM). The information
included their names, addresses, social security numbers, and even some
fingerprints. The leak included information from background investigations
into prospective employees, which concerned intimate details about their
families and friends. The OPM incident was certainly not the only recent
breach to attract considerable attention from the mainstream news media. In
the last few years alone there has been a steady drumbeat of cyber
incidents in the news:  Anthem Insurance, Home Depot, JPMorgan Chase,
Ashley Madison, and T-mobile, to name a few.

However, this obsessive focus on cyber hacking has obscured the fact that
there are many pathways to access sensitive information. Cyberspace is not
always the preferred avenue, and technology is not always the preferred
tool. There is no denying that most information is stored on computers and
transmitted across computer networks these days, but a significant volume
of information is still stored on paper and transported by hand. Perhaps an
even greater volume is stored in the minds of employees and shared at their
discretion in conversations.

Path of least resistance

So here is a truism many of us will agree with: attackers will take the
path of least resistance to achieve their goals.

Often, the easiest way to transmit information is verbally or by simply
handing someone a document. So, why does government cling to the belief
that information security is essentially the responsibility of the
organizational IT function, and that information assets can be adequately
protected using technological solutions alone?

Of course there are reasons for the obsessive focus on cyber hacking. The
framing of issues by media outlets is partially to blame, as is the inertia
of existing systems and practices. The threat perceptions of key decision
makers are heavily influenced by news media. IT hacks such as the OPM
incident can be readily packaged as a news item; they attract attention
from the general population and they reinforce existing beliefs that the
Internet is the “Wild West.” Contrast the IT hack with an errant
conversation between two senior executives or even a leaked hardcopy
document: which is more likely to make the headlines?

The technological perspective on information security is also reinforced in
organizations by the ways in which these organizations are typically
structured. The responsibility to protect information generally falls to
the Chief Information Security Officer (CISO)—who very likely reports to
the Chief Information Officer (CIO)—and here the term ‘Information’ is
widely interpreted to mean bytes of data rather than paper documents,
knowledge, or conversations. The CIO’s primary responsibility is to
maintain the availability of information infrastructure, which typically
means IT services. Although preserving the confidentiality of information
falls within their scopes of duty, information outside of the digital
environment is widely agreed to be outside this area of responsibility.

A recent review of Information Security courses taught at colleges and
universities revealed that the curricula are dominated by IT-related
content, with little or no mention of paper-document- or
human-communications-related security management techniques.1 This kind of
techno-centric myopia can also be found in academic research projects and
Information Security textbooks intended to prepare our future generations
of scholars and practitioners.

So, if organizational notions of Information Security are oriented toward
technological problems and solutions, who is normally responsible for
protecting information outside of the digital environment? In most
organizations, the answer is “nobody.”

The way forward

We need to change how we view the government’s interaction with
information. We often think of government organizations as being
“information machines” that work quite predictably insofar as they follow
rigid patterns and routines. In doing so, we tend to discount the entropy
associated with human behaviour. We must pay close attention to the social
contexts within which work actually takes place.

Information assets are not necessarily discrete, enumerated objects that
can be easily inventoried on a spread-sheet. Nor can they be necessarily
captured in formal representations of organizational processes. Rather,
information assets are fluid; they exist in rich organizational
environments where their roles evolve and change as they are applied to
different formal and informal work activities. This work environment is a
flexible and ‘messy’ field of activity in which individuals often pursue
work-around approaches and shortcuts according to their own initiative.

The ‘static’ and isolated view of information assets largely ignores the
social elements of information systems—which are made up of people,
processes, and informal practices and activities, in addition to data and
technology. This is a major problem because these social, practice-based
elements can be significant sources of information security risk. For
example, individuals who create their own assets (e.g. spread-sheets, used
for their own work tasks, that incorporate sensitive data taken from a
secure computing system), can engage in informal activities that involve
the uncontrolled copying of information between digital and physical
information ‘containers.’ This can in turn present vulnerabilities for
organizations. What was formerly secure owing to limited accessibility is
then easily passed on in spoken conversation or hardcopy documents.

Discussion of mundane threats like these is conspicuously absent from most
media treatments of information security. Perhaps this is because evidence
is difficult to come by, as there are obvious disincentives for
self-reporting, or perhaps more likely, this kind of thing is just not that
exciting for the average person to read about. Regardless of the reason no
one is saying much about information security, ignoring the issue will not
make it go away. An informal review of unclassified government reports
spanning the last 5 years showed considerable evidence of information
security incidents that owed to information leakage via non-technological
means. For example, a recent GAO report found over 67,000 “information
security incidents” in the fiscal year of 2014. Of these, 25 percent were
classified as ‘non-cyber’. The report described such incidents as ‘spillage
or mishandling’ of‘hard copies or printed material’.2 For example, David
Major’s expert testimony to the House of Representatives in 2013 recounted
evidence of US government employees’ verbal disclosure of sensitive
information to foreign agents at overseas universities and conferences.3
There have also been a large number of incidents of hardcopy paper theft,
such as an incident at the Brooke Medical Center in 2010, where a
three-ring Army binder containing the personal health records of over a
thousand patients was stolen from a car belonging to one of the Center’s
case managers.4

In the interest of security, governments need to be able to keep certain
kinds of information secret. Given the reality that 25 percent of 2014’s
information security incidents did not take place in cyberspace, this means
that government organizations must resist the temptation to fixate wholly
on technological solutions while sensitive information continues to be
leaked in other ways. Instead, decision-makers must recognize that
government organizations are ecosystems of ‘information work,’ where work
practices and the broader security culture directly impact the ability to
keep secrets.

The implications of taking this broader view are significant. Government
needs to redefine roles and responsibilities to accommodate a more holistic
view of information work in the organization. This includes appointing an
executive officer with broader security responsibilities and commissioning
a multi-disciplinary support team of professionals with skills ranging from
IT to behavioral and organizational psychology.

Research into security culture is still in its infancy. Measuring security
culture given the increasing casualization of the workforce is a
challenging problem (see a second GAO report that suggests up to 40% of the
workforce may be on temporary, contract and other forms of non-standard
employment).5 Creating a security culture that addresses the information
security needs of an organization in a routine fashion is a problem of a
higher order of difficulty.

At the very least, government must change the way it perceives the problem
of information security. Security cannot be achieved by tending to some
sources of vulnerability while ignoring others. This is not an effective
approach to safeguarding information. As Khalil Gibran points out, the
problem lies in the ability to keep secrets, not in the technology that
reveals them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160331/d765178c/attachment-0001.html>


More information about the BreachExchange mailing list