Close that door!
When it comes to protecting your data, there is a wealth of encryption/security options available today. They run the gamut from cheap to expensive, from simple to complex, and from stand-alone tools to components in an overall system. Unfortunately, none of them is perfect, and this imperfection has led to the point where many people view encryption and security programs much like life insurance: nice to have, but not if they have to pay a lot for it up front.
In a world where we still debate the merits of exporting security tools, we cannot afford to overlook one simple fact: everything we know of today can be broken - especially when it comes to encryption. It is no longer a matter of if, but when. Already we have seen some fairly sophisticated encryption programs (i.e., long keys) that have been defeated by brute force. And unfortunately, the time it takes a brute force assault to defeat even the most elaborate security tools on the market today is decreasing with each assault. While the length and sophistication of encryption programs has increased, so too has the power and performance of these "massive code breaking engines" (also known as PCs) on the market.
But encryption is not the only security concern today. There are many other areas where our networked data is routinely exposed. One big area of concern involves unexpected holes in security-enabled products on the market. We're not talking about firewall or encryption programs here, but rather end-user applications that may (or may not) include security functions. For example, we have seen repeated warnings regarding security flaws in various Internet browsers, e-mail clients and OSes. And while we all think that protocols like secure sockets will save the day, they too are likely to be vulnerable if the program implementing them is not tight.
Whether it is a 20-year-old system or a 20-day-old system, any security system can be beaten if there is a weak spot. Remember "Loose Lips Sink Ships"? Well, today it is "Loose Code Opens The Load (of data to the prying eyes of evil people everywhere)".
And of course, statistically you are much more likely to suffer data loss at the hands of an “insider” than you are from an external hacker. Current and ex-employees are as much, or more, of a security risk than outsiders since they 1) often know what encryption/security measures are in place, 2) often have access to the appropriate keys, 3) often know where the really “valuable” data is stored, and 4) often feel they have some pretty good motivation for their dirty deeds that are occasionally done dirt cheap (i.e., disgruntled employee syndrome). Further, they are often the most unwatched group.
I bring this up because I have noticed a bit of a defeatist attitude of late on the part of some users regarding security efforts. Their feelings, which are somewhat understandable, are that whatever system they implement can ultimately be broken by a person with an evil bent and a $2,000 PC. In some cases they fear the casual hacker. In other cases they fear the corporate infiltrator (when they should really be fearing the pilferer inside their firewalls).
But in all of these cases they seem reluctant to implement a complete security system, instead relying on a patchwork of individual applications or security measures that often are redundant or inconsistent with other aspects of their security program.
This can be deadly to your secure data since gaps in security can be more easily identified and exploited by outsiders when there is no overall "system" control mechanism (i.e., management, monitoring or intrusion detection/reporting plan). Likewise, only with a complete review of all aspects of your security operations are you likely to spot the gaps in your own system.
But even if the best of security programs can be broken, does this mean that security is a wasted effort? Absolutely not. While any security system can be broken (just like any car can be stolen by a real professional), we should never make it easy for the casual (or even experienced) hacker to pry into our most secret corporate files or communications.
Remember that when it comes to encryption, most of the publicized efforts to break codes today are special cases that do not reflect real-world circumstances. Most hacker break-ins, however, are not special cases. Every user of technology needs to have a strong and well-enforced security/encryption policy in place. It needs to be a careful balance of "make it difficult for the hacker to penetrate" and the all-important "make it easy enough for your staff to implement on a daily basis." It should incorporate all facets of security within your organization, from the corporate VPN to the programs used to encrypt files on individual users' computers (i.e., try recovering data from an ex-worker's PC after that ex-worker has encrypted their files with some third-party application and "forgotten" the password).
With that in mind, there is never a good reason to skimp on security. Rather than view it as comparable to a life insurance policy, perhaps we should think of it as a form of job security insurance.
