Cyber Security Group

Is Security a Myth?

Created: 03 Apr 2013 • 2 comments
Robert Shaker

Is it naïve of us to think we can ever be perfectly secure? Whether it’s physically or digitally, there is always a risk that something bad is going to happen. To protect ourselves physically we install alarms, locks, automatic lights and cameras, and buy safe cars, firearms, etc. These don’t eliminate risks but give us a reasonable sense of safety, and we go about our normal daily business. For digital security we install endpoint protection, anti-spam, anti-malware, firewalls, IDS, IDP, DLP, etc., and go about our normal daily business.

But what happens when these controls fail and we are attacked or injured? On the physical side we have police, fire, ambulatory services, hospitals and doctors that are there to help us after the incident. We buy health, life, and disability insurance; we pre-prepare for what happens post incident. We create an entire support system to back us up.

For our digital side, shouldn’t we do the same? Yes, there are public and paid organizations available to us for notifications and assistance on a large scale, like US-CERT, FBI, NSA, FS-ISAC, etc., but these either provide notification or react to criminal activity. For other incidents we should have a type of “insurance” that provides us with the “health care” professionals we need in the event of a digital incident: a team of experts who can assist with triaging and remediating both during and post incident.

I think we can all agree that we do a better job protecting our physical security than our digital security. If so, don’t we need stronger incident response protection for our digital life?

 

Comments

hforman

I agree with all of this. One of the issues that I see today is that people, especially digital techs, do not work with their own data so they assume that, if something bad does happen, they can just say "oh, well" and move on. Techs don't realize that the owner of the data is actually the company/government agency's clientele. They fail to put themselves in the true owners' shoes. Suppose you bought something either online or in a store and then found out that the company keeps your credit card information (name, number, security codes, expiration date) maybe along with your SSN out on the web somewhere just because it is "convenient" or "cool" to do that. Suppose the information is on someone's tablet or laptop which can easily be stolen.

People today are very blind-sighted by all of the sparkle of new technology that seems to make their lives easier but they don't want to look at the down-side of the technology nor put themselves in the shoes of the true owners of the data they work with. This gets more important when we deal with governed data. By this I mean: patient medical records, criminal history, credit card information, etc. and I'm talking about how the data MUST be treated according to law (usually U.S. federal but also European Union regulations). Here, the person who "lost" the data or the company who employs that person could be left with very LARGE federal fines. But many people will find any "excuse" to use the new technologies in a very unsecure manner as "security" does require inconvenience.

True, you can never be 100% safe in either the digital or physical world. There are always going to be the "bad guys" out there. So, most of us need to suffer along having to lock our doors at night and have to use appropriate tools to secure the data that we are entrusted with, rather than finding excuses.

All this is in my humble opinion.

Robert Shaker

Right on, hforman! In the future I predict that there will be no privacy and we will all just be cool with it. It might be our kids', grandkids', or great-grandkids' time before it happens, but if that were the case this would no longer be a problem :-D

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter.
