2008-09-21

HiR Reading Room: Into The Breach

"Missing: 25 million child benefit records..."

"South Korean police on Sunday arrested four people over the theft of data on 11 million customers of a local oil refiner in what is being called the country's largest-ever data leak..."

Data loss headlines like these are enough to leave many consumers dumbfounded. Now, imagine being the director of the team tasked with protecting the data.

Michael J. Santarcangelo, II (a.k.a. Security Catalyst) takes us Into The Breach to expose how these things happen. Usually, human error, ignorance and apathy are to blame. In both of the above headlines, data had been stored on media, and that media was later misplaced or discarded improperly. Catalyst asks "What happens when breach is only a symptom?"

The industry has responded to breach threats with Data Loss Prevention suites that disable external media and ports on computers, Network Access Control schemes that ensure only authorized computers can get on the network, and network content analysis tools.

None of these can protect all of the data all of the time. It's not because technology fails. It's because humans and business processes fail. Throwing more technology at this problem is not the only answer. Santarcangelo asserts that technology is best used to support information security in an environment where people think and act responsibly and are held accountable for information under their care.

Furthermore, what with all the compliance buzz about electronic data, "sensitive information" has become synonymous with "data," whereas the truth is that sensitive information is everywhere: it lies within stacks of papers and as facts rattling around within people's heads. Breach encompasses any and all leaks, whether from attackers, a misplaced laptop or DVD, phone conversations or casual discussions in a public place. Folks, all the software in the world won't help you so long as the people who need that information lack understanding and/or accountability.

Into The Breach's subtitle is Protect your business by managing people, information and risk, and that's exactly what's covered. From understanding people's justifications for their behavior patterns to implementing The Strategy and beyond, the end result is a surprisingly concise angle on covering your ass while maximizing the effectiveness of your security budget... After all, your money goes a lot further with awareness than it does with six- and seven-figure software suites that will only serve to further mask the symptoms of a much larger systemic problem in your organization...

I got my hands on a pre-release copy of this book directly from Catalyst himself at DefCon. I'd like to personally thank him for handing over a few copies for me to pass around to colleagues and giving me a chance to get an advance peek at his work. I'm looking forward to flipping through the finished product, which likely has a little more information than the copy I've got in my hands right now.

The electronic edition of the final version is already available for the Kindle with the hardcover book hitting shelves (and Amazon) soon.