Holistic Security

By: (CISSP, CISA, Security+)

Publication: The Kansas Banker, January 2013

Holistic medicine has always made more sense to me than the more popular modern approach of taking away your symptoms so you can be comfortable while whatever it was that caused your disease still exists. Holism is related to or concerned with wholes or complete systems rather than with the analysis of, treatment of, or dissection into parts. As more and more of our favorite security controls have proven themselves less effective than we thought and hoped, I believe a successful security program has to be more holistic in nature.

As a security professional, I too have been guilty of the fragmented approach. Don’t want malware? Keep your antivirus up-to-date. Using laptops? All I care about is that you’re using whole disk encryption. 2012 saw my faith in these golden children shaken. First, it was the discovery of the Flame virus. Arguably the most complex piece of malware we’ve ever seen, Flame rested safely and soundly on infected computers for two years, recording audio, capturing keystrokes, and copying documents. Flame left those in the antivirus industry – and those of us who have put our trust and our money into their products – scratching our heads. So it turns out that a signature or list-based antivirus product is only as good as the list it depends on?

Then came the news that whole disk encryption was fallible. Last month, a Russian company announced that, for $299, someone can purchase a new forensic tool and potentially decrypt disks encrypted with BitLocker, PGP, and TrueCrypt. The ElcomSoft product analyzes either a memory dump or a hibernation file and can get in and out with zero footprint. Well, it’s a good thing my antivirus software would prevent any malicious program from accessing these files... oh wait...

Some of you may be feeling proud of yourselves that you have never put too much trust in any one security control... well, I’ll applaud you as soon as I adjust the rose-colored glasses that have been my constant companion for 32 years. I always knew that too, but it didn’t stop me from feeling completely confident in my BitLocker encryption! From a security perspective, you have to assume that any one of your controls will fail... even those you feel the most confident about. Planning for that failure is what keeps your other layers of security strong. If you’re not very confident in your antivirus program, you will be more likely to limit local administrator privileges, ensure all software patches are up-to-date, and beef up your web content filtering. If you are aware that the disk encryption on your bank laptops can be decrypted, you are more likely to stress physical security controls and train your laptop users more thoroughly. I think most IT professionals – especially those in the financial industry – already implement a layered approach to security, but I wonder if you are still placing a majority of your confidence in that one golden layer. If so, I encourage you to consider the very real possibility that your golden layer doesn’t come through for you... what information could someone get to? What other security layers need to come to the rescue, and are those layers given enough priority and maintenance to get the job done?

One layer that I continually see given a lower priority is that of user training. I know that as an IT professional it has to be frustrating, because the users are the hardest thing to control... they have their own brains that can be dictated by emotion, hunger, and stress. But because they have their own brains, capable of reason and of sensing that something “just isn’t right,” they are also a very powerful security layer in your program. Adequate and up-to-date security training is even more crucial now than it has been in the past. An annual PowerPoint presentation on security expectations just isn’t going to cut it anymore. Your security training must happen more frequently and must contain relevant and current material (like online security) if you expect your users to provide a much-needed layer of your effective security program. Attackers are relying on your users to be oblivious and uninformed. Let’s allow them to feel disappointment in something they’re trusting in for a change...