Monday, February 27, 2012

Where do I start looking?

This past weekend I was lucky enough to hear some great conversations and presentations at my company's (Entrust) annual conference. The many conversations were with colleagues, partners and customers. The presentations that stood out were from customers, all describing the wonderful things we have done to help them, but two in particular stood out because they were more general. These were talks given by Michael Chertoff (former head of DHS) and John Adams (former head of CSE, roughly Canada's equivalent of the NSA, for those who need a basic explanation of CSE). Both men have a wonderful breadth of experience and a clear view of what is needed to better protect their nations.

Both men presented an interesting view of things, and they certainly have the experience to support their views. Their stories of how things were uncovered are beyond entertaining - the stories are truly frightening when it comes to what could have happened.

Given their experiences in very different environments, they had remarkably common views as to what is needed:
- mitigation is key
- layering security is critical to achieve this
- there is no silver bullet
- you cannot protect the network - you must protect the data
- identity is the single most valuable asset
- security challenges start with the individual

When one starts to look at these elements, they can be broken down into items that apply specifically to businesses and items that carry across both businesses and individuals. One important element of the latter is education. We need to do a better job of educating people about the elements of security that they need to be aware of and address themselves. We do this fairly well in medium to large businesses: protecting data with strong passwords and changing them often; keeping security software current; and managing patch updates. What we do not consistently do is carry those ideas to end users in their homes. End users should not be using the same userid and password on all accounts. Grades of passwords (different strengths of password for accounts of different sensitivity) are an effective way of reducing risk. One view that was shared was that 80% of security issues can be addressed by patch and password management. I am not sure that is measurable, but certainly we could mitigate a lot of issues with these guidelines.

To reinforce the above idea, former Secretary Chertoff presented an interesting analogy in his discussion - for some environments, security is like an M&M: it has a hard shell, but some soft, good eating on the inside. This goes directly to the idea that if users do not effectively manage their security, they can create a false sense of security. "I have Microsoft Security Essentials - I am good." This view certainly does not address the password breach issue.

Using a common userid/password across multiple applications at different assurance levels also undermines the idea of your identity as your most valuable asset. Today too many of us use our email address and password as the login mechanism for a variety of applications, including online shopping, access to medical records and other applications. This exposes users to phishing attacks that compromise more than just access to email accounts, but also this potentially sensitive and possibly damaging information. We need to do a better job of making people aware of these things.

So the title of this post was "Where do I start looking?". Well, maybe we need to start by looking at what we do ourselves and how we teach our children and friends about what is important when it comes to computer security. I know my kids are aware - are yours?

Location: Ellis St, San Francisco, United States