Government Security
Network Security Resources

What Is Reasonable?


#1 beardednose (Retired GSO First Lieutenant; Sergeant Major; 1,916 posts)

Posted 02 May 2005 - 04:36 AM

I had an interesting discussion with a lawyer recently regarding "what is reasonable." The criteria are changing as more and more security issues surface and the public becomes more aware of how companies are/are NOT protecting their data.

Now that several high profile banks have lost tapes, the question of "is encrypting tapes reasonable?" is not such an easy question to answer (the answer used to be NO!). The more backup tape issues are reported, the more reasonable it is to encrypt. Encryption costs are also going down and you can now encrypt data inline as it is placed on the tape.

The same is true with all security measures...

Think about 9/11...hasn't that changed what the government, the public, and security experts term as "reasonable" security measures?

While you may not agree with some or all of the measures that have been taken since 9/11, can you not see that "what is reasonable" has changed? And that change includes more security, which may be bothersome and irritating today, but pre-9/11, no one would have sat for it?

What about Enron and all the SOX stuff? Ditto.

Don't post just a THANKS! Here's why...

Forum Rules you need to know...RuLeS

#2 Guest_SilverSandStorm_* (Guest)

Posted 02 May 2005 - 07:43 AM

> I had an interesting discussion with a lawyer recently regarding "what is reasonable." The criteria are changing as more and more security issues surface and the public becomes more aware of how companies are/are NOT protecting their data.
>
> Now that several high profile banks have lost tapes, the question of "is encrypting tapes reasonable?" is not such an easy question to answer (the answer used to be NO!). The more backup tape issues are reported, the more reasonable it is to encrypt. Encryption costs are also going down and you can now encrypt data inline as it is placed on the tape.
>
> The same is true with all security measures...
>
> Think about 9/11...hasn't that changed what the government, the public, and security experts term as "reasonable" security measures?
>
> While you may not agree with some or all of the measures that have been taken since 9/11, can you not see that "what is reasonable" has changed? And that change includes more security, which may be bothersome and irritating today, but pre-9/11, no one would have sat for it?
>
> What about Enron and all the SOX stuff? Ditto.

While 9/11 or Enron/Sarbanes-Oxley might have changed what the public view as reasonable, that should have no bearing on a security pro really, apart from influencing the degree to which she/he can get the public to accept her/his measures.

When it comes to the example mentioned above, advances in technology enable the pro to do what would actually be quite natural for her/him to do on some other medium. So that really is independent of 9/11 or Enron/S-Ox (in this particular set of cases, where advances in technology matter, and are transparent to the general public/lay[wo]men).

#3 beardednose (Retired GSO First Lieutenant; Sergeant Major; 1,916 posts)

Posted 02 May 2005 - 12:49 PM

SSS,
Not sure I'm understanding you. I'm asking the question, "what is reasonable" from the public's standpoint, not the security pro's. If a company gets sued successfully for not following "reasonable" practices, it doesn't matter what the security pro thinks.

The point is that the public determines what's reasonable and then the lawyers enforce it. Not saying that's right, but that's the way life is.

Usually you're very clear; sorry I didn't follow your point. Fill me in.

#4 myth (Staff Sergeant; Members; 408 posts)

Posted 03 May 2005 - 04:13 AM

> The point is that the public determines what's reasonable and then the lawyers enforce it. Not saying that's right, but that's the way life is.

Side point:

...and that's the way it should be...

If my policies were made law, Service Pack 2 would've been Linux...

The general public set the standard, and private businesses and other entities that are using the technology can improve on the facilities...

But I also see this point as: are 'we' grabbing onto too much technology before it has evolved into proven technology processes? I.e., IPv4 did not have any idea it would be used on such a scale, but we're basing almost everything, like banking and personal details, onto a product that cannot sustain a true sense of security. For example, coins evolved into very detailed coins and paper, almost impossible to forge. Back in the day, you could easily forge a few coins, but as money became more important, governments made it harder to forge. Could you imagine now if it was remotely possible to forge mass amounts of money, how quickly this could have a negative effect?

Newer technology is just like old coins in today's day. Easily 'played' with on the 'black markets' of hackers and other parties. Because the rest of the laws have been based, many on the Ten Commandments, over centuries of ethics and rules, they have become more reliable (let's ignore the stupid law cases of man-falls-over-on-mopped-floor scenarios). Now, the technology works, but it needs to be refined, and more or less education....

After all, many of the older community in higher political places do not have the education to handle such decisions without easy influence.

If you get what I mean? Or am I completely off topic??

#5 beardednose (Retired GSO First Lieutenant; Sergeant Major; 1,916 posts)

Posted 03 May 2005 - 04:31 AM

I understand what you're saying, but not sure I agree.

> But I also see this point as: are 'we' grabbing onto too much technology before it has evolved into proven technology processes...

The tech that we have is all we have. Unless I've missed you, that's like saying we should have ignored candles until light bulbs were invented because candles cause too many fires. I doubt you meant that, so please clarify.

Perhaps we put tech to use before it's vetted properly, but isn't the use by the bleeding edge adopters the way we find out the issues? and learn to do better?

#6 myth (Staff Sergeant; Members; 408 posts)

Posted 03 May 2005 - 04:34 PM

> The tech that we have is all we have. Unless I've missed you, that's like saying we should have ignored candles until light bulbs were invented because candles cause too many fires. I doubt you meant that, so please clarify.
That is the direction my tangent was going, however, with a candle you can see the risks, everyone can. But with a computer, there are only more 'logical' risks, and many 'cure-all' fixes, acting as a false security blanket.

> Perhaps we put tech to use before it's vetted properly, but isn't the use by the bleeding edge adopters the way we find out the issues? and learn to do better?

May sound kind of weird, but in a sense an IT license. My father's work decided to put in wireless, that's great. He walked down to the computer store, bought a Netgear, plugged it in, and was very happy when he had harnessed technology to work w/o a problem. We both know what he's neglected to discover.

Too many people are using technology when it really shouldn't be, i.e., online banking shouldn't become available for another year or two, imo. For the fact that the majority of users are sending their details to other people without realising it's even possible.

But just because the public becomes more aware over the next few years does not mean in any way that the threat will decrease. So, we need more education? Well, just a thought from the other post, maybe we could fire 'em... Just a very open thought, not saying I completely agree either....

But taking us back to our original point, 'reasonable' security? XP only just started thinking about this in SP2, and many others since the Blaster worm. Perhaps a more reformed method of education? Perhaps taking the media, i.e., the front page could have a small highlight of technology as it is today, i.e., recent attacks and/or tips or advice..

What I'm trying to say is, reasonable security isn't gonna come until a reasonable education standard can come on board. But this is occurring very, very slowly, and only usually over major events, i.e., 9/11 etc...

#7 digitalk2003 (Specialist; Members; 116 posts)

Posted 03 May 2005 - 05:43 PM

As dictated by recent legislation, enacting "reasonable security" really boils down to compliance as it relates to governance of the organization. SOX, GLBA, HIPAA, and various other legislative measures rely on showing compliance or progress towards compliance, or abiding by established security standards and policies.

"Reasonable security" is defined based on the organization. What amounts to reasonable security for a 7-11 is drastically different from what banks and financial institutions are required to comply with. As always, the more sensitive the information, the greater the protection needs are.

Even if an organization is found to possess insufficient security measures, this organizational risk can be mitigated by enacting steps and showing progress towards complying.

I don't know if this really provides a clear answer to your question. I hope it points you in the right direction. A lot of variables are inherent in the question, complicating the issue. There are a lot of very good information security consulting agencies out there. Depending on your industry, research and pick one that has strengths within your industry.

Ciao,

digitalk2003 B)

#8 Guest_SilverSandStorm_* (Guest)

Posted 03 May 2005 - 08:20 PM

> SSS,
> Not sure I'm understanding you. I'm asking the question, "what is reasonable" from the public's standpoint, not the security pro's. If a company gets sued successfully for not following "reasonable" practices, it doesn't matter what the security pro thinks.
>
> The point is that the public determines what's reasonable and then the lawyers enforce it. Not saying that's right, but that's the way life is.
>
> Usually you're very clear; sorry I didn't follow your point. Fill me in.

Ah I'm afraid I got the wrong end of the stick there.
To answer your original question....

I would first of all separate the public into *general public* and *regulatory lay[wo]men*.

The general public is increasingly looking at issues like privacy and security of their personal information ("Is my credit profile safe ?"). I would say this is increasingly the case after Enron/other fiascoes like the ChoicePoint fiasco, and not so much motivated by 9/11 (S-OX was motivated by Enron etc). 9/11 did lead to an overall increase in the level of paranoia (not condemning it) among the general public, so that would have played some role in their feeling very threatened if a leak of information of some sort were to occur.

The general public however does not look into specific measures there, nor does it directly tend to influence corporates to change their methods in general. However, what it does do is get lawmakers to make laws, and the executive arm of government to enforce them. So their pressure is indirect - we can't qualify the nature of that pressure (directly determine its effect on a corporation's processes), but we can quantify it to some extent.


The regulatory lay[wo]men form the second category. They are professionals in their own fields of course, but not security. This category is motivated by two things - direct failures of businesses to protect their data/similar corporate malpractices. They are influenced to a good extent by political lobbies, and to some extent by public pressure (which one could consider a lobby). They simply create and enforce regulations that a corporation *has* to follow.


For a corporation, there are two pressures. One, the regulatory pressure to adhere to every regulation. Two, the public pressure to not screw up. I'm pretty sure there's many a company that has handled #2 but not #1; they really don't want the public out for their blood.

The problem is that this is still a level *removed* from the security pro's job. The security pro can only get very general instructions...although the regulators are getting more and more finicky and specific (just as say Visa has got far more specific in its guidelines to its merchants). I would say a large part of the pro's job - and pretty much why she/he's going to be paid that much - is in making sure the company adheres to the guidelines mentioned, by deciding just how much technical work is required, and *what* is required.

In other words, what I'm really saying is that the definition of "reasonable" is still to a great extent in the hands of the pro. However, the pressure on the pro is very heavy, to the extent that if she/he mucks up that definition, she/he is screwed. And there are *more* very specific elements to that definition (as there have always been) these days.

The presence of specific elements makes the pro's workload larger, but it makes the process of decision making much easier, not to mention the task of convincing management to authorise changes.

The advantage that S-OX and other pressure gives the truly impeccable pro is that it gives him/her an edge while convincing people to agree to changes. A truly impeccable pro in the average organisation has spent years ruing the fact that management doesn't allow him/her to make the changes needed - now it's finally time to make all that happen.

However, the "disadvantage" is the pressure on the pro to perform. A small mistake could be a fatal one.


Ultimately though two things still haven't reduced much. One is the degree to which corporations work to cover up their own goofups (although it is much tougher now under the various disclosure rules). The second is the degree to which commercial interests influence and dilute the security process - lobbyists lobby for lighter regulations, companies don't want to tighten up since that would cost, the executive allows companies to get away with all kinds of crap (short of something that causes the company to fall apart) since those companies form the heart of the system.

Very big and very small companies find it the toughest to adhere to security guidelines (looking at cost/benefit, and practicality).


I'm aware I haven't addressed your question very directly here but I do think this subject called for an overall view of the situation.

#9 beardednose (Retired GSO First Lieutenant; Sergeant Major; 1,916 posts)

Posted 10 May 2005 - 01:31 PM

Nice overview.

> For a corporation, there are two pressures. One, the regulatory pressure to adhere to every regulation. Two, the public pressure to not screw up. I'm pretty sure there's many a company that has handled #2 but not #1; they really don't want the public out for their blood.
True. Most companies seem to comply only as little as possible to pass with a C- grade.

To deal with execs who don't understand security, you need to talk in terms of one or more of the ABCs:

Assets
Brand
Compliance

If you can tie all of them around your point, you'll have more success... in other words, how will the ABCs be impacted if X...

> the definition of "reasonable" is still to a great extent in the hands of the pro.

I may have missed you again on this, but I disagree. What's reasonable in the organization is what the company will pay for. If THEY don't think it is, it ain't (forget logic and public pressure and all that stuff). Doesn't make it right, but it does make it the company "law".

...until the inevitable happens...then it's back to plan A, and do it fast! :o