When 'convenience trumps security'

Consequences, embarrassment often follow

When it comes to prioritizing IT security solutions, "convenience trumps security, but embarrassment trumps convenience."

That's the rule of thumb offered by Alan Paller, director of research at the SANS Institute, and a guest speaker at FOSE 2007 today. He said that organizations are investing in security solutions sometimes to address material weaknesses, but frequently in response to the crisis du jour.

This rule can be seen at work in the most recent results of an ongoing survey conducted by SANS of what about 1,000 organizations consider their purchasing priorities.

Tops on the list? Laptop encryption, with 25 percent of respondents listing it "because of the head of the [Veterans Administration] looking like he was being torn apart during his congressional testimony," and no one wants to follow in those particular footsteps, Paller said.

Similarly, log management was cited by 23 percent of respondents, but Paller said it was being acquired in response to "three or four laws ... so they can say to regulators that they've done it."

Rather than look at purchasing plans, according to Paller, there is a specific collection of security challenges that should be driving resource allocation.

"There are five problems at a critical level," Paller said. "If we don't solve them, we can't trust the computers." Fortunately, there are technological approaches that can be applied to each.

The problems, and possible solutions:
  • Federal systems are deeply penetrated, by hackers and other hostile interests; to address this, Paller advocates training and "inoculating" users, running exercises targeting one's own users and seeing how many people fall for the ploy.
  • Patches can't be installed before attacks are launched against the vulnerabilities they fix; and
  • Botnets are so pervasive and powerful, they can send billions of spam messages and deny Internet service to almost any organization; there is no real solution for these two other than implementing common, secure configurations for computers, and denying all users access to any system administration powers.
  • Personal data is being lost on a massive scale, whether on laptops or through extrusion; while laptop encryption is well known and a popular answer, Paller said, content filtering and search functions that monitor a computer's contents and what data it transmits are rising sharply.
  • Programmers are still making major security mistakes; Paller said he has personally spoken with the heads of every major computer science department at colleges and universities around the country, and they dismiss the idea of teaching about the pitfalls of "buffer overflow," for example, because "we aren't vocational trainers." To address this, some organizations are developing online exams and certifications, testing programmers' ability to find flaws in actual code.
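As an added illustration of the kind of "buffer overflow" mistake the last item refers to (this is example code written for this page, not code from the article, from Paller or from SANS; the function names, the 16-byte buffer and the sample inputs are hypothetical), the flawed copy is shown beside a hardened version that rejects input which would not fit:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16   /* hypothetical fixed-size stack buffer */

/* Flawed version: strcpy copies until the terminating NUL and never consults
   the size of `name`, so any argument of NAME_MAX bytes or more writes past
   the end of the stack buffer. This is the defect a code-reading exam would
   expect a programmer to spot. Never call it with untrusted input. */
void greet_unsafe(const char *user)
{
    char name[NAME_MAX];
    strcpy(name, user);          /* no bound: overflow when strlen(user) >= NAME_MAX */
    printf("Hello, %s\n", name);
}

/* Check whether a NUL-terminated string fits in a buffer of `bufsize` bytes
   (including the terminator) without scanning beyond `bufsize` bytes of it.
   memchr is ISO C, so no POSIX extension such as strnlen is needed. */
bool fits_in_buffer(const char *input, size_t bufsize)
{
    return memchr(input, '\0', bufsize) != NULL;
}

/* Hardened version: refuse input that does not fit, then copy with an explicit
   length and guarantee NUL termination. Rejecting is preferable to silently
   truncating, which can turn one bug into a different one (e.g. a clipped
   path or command). Returns true on success, false if the input was rejected. */
bool greet_safe(const char *user)
{
    char name[NAME_MAX];
    if (!fits_in_buffer(user, NAME_MAX))
        return false;                       /* would overflow: reject */
    size_t len = strlen(user);              /* safe: terminator is within NAME_MAX */
    memcpy(name, user, len);
    name[len] = '\0';
    printf("Hello, %s\n", name);
    return true;
}

int main(void)
{
    greet_safe("alice");                                   /* fits: printed */
    if (!greet_safe("this-name-is-far-too-long-for-the-buffer"))
        printf("rejected oversized input\n");              /* 40 bytes: rejected */
    return 0;
}
```

The boundary case is the one reviewers most often miss: a 15-character name plus its terminator fills the 16-byte buffer exactly and is accepted, while a 16-character name is rejected because there is no room for the NUL.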

Patience Wait is a staff writer for Government Computer News, an 1105 Government Information Group publication.
