Marcus Ranum on 2011 Security Outlook
CISOs Need to Sell Security to Peers and Senior Leaders
"It's very enlightening for everybody," says Ranum, a noted security thought-leader, "and it actually helps a great deal in helping sell the need for security to the entire executive team."
In an exclusive interview on the 2011 information security outlook, as well as the biggest stories of 2010, Ranum discusses:
- The growing insider threat and how organizations must respond;
- Biggest lessons learned from 2010;
- Potential storylines of 2011.
Ranum is CSO of Tenable Network Security. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
Lessons from WikiLeaks
TOM FIELD: So, this is hot in the news; I've got to ask you up front. What is your take on the security and privacy issues that have been raised by the WikiLeaks case we've all been reading about?
MARCUS RANUM: Wow, well there is a tremendous amount there. Let me not focus on the obvious stuff. I think one of the things that we are seeing from the WikiLeaks case is there is a transition that happened after 9/11 from the old school need-to-know in intelligence, where only people who absolutely needed to have access to a particular piece of intelligence data were granted access to it. And I think in an attempt to kind of clear up communications post-9/11 there was a breakdown of those walls as far as need-to-publish. I think what we may be seeing is that the chicken is coming home to roost on that, because one of the questions that's not being asked about this is why is it that a relatively junior analyst was given access to all of this information? No one human being can legitimately have anything useful to do with that.
Then the other piece of the puzzle that I find is really interesting is the apparent inability of the people who lost the data, the original data holders, to tell what data was stolen and while it was being stolen. And this is an important message for anyone who is a CISO because it shows what can happen when your data leaks if you don't have auditing and logging in place so that you can go back and say, "Well, OK if we do believe this guy leaked a bunch of information, what information did he actually access and when?" Of course, ideally you would get in front of that process and maybe detect the fact that somebody who really didn't have a need to access this particular information was downloading [this information] in one fell swoop. That is kind of a red flag, I would think.
So, from a security perspective, I think the story behind the story is almost more interesting to me than kind of the details of "government has lied to us, what a surprise."
FIELD: So, since then we've seen the response by WikiLeaks' supporters this week against MasterCard, PayPal and others that are deemed "unfriendly" against CEO Julian Assange. What should we make of the response and the sites that have been shut down, that've been affected by this?
RANUM: Well, I think that was inappropriate. I mean, more interesting would have been if people had started to say, "Hey, by shutting us off you're violating your service agreement," or a passive protest would have been effective. If we're concerned with this as a freedom of speech issue, let's not do business with people who are supporting the government against freedom of speech. I don't think that kind of going on the warpath is necessarily an appropriate response.
FIELD: So, what are the questions that organizations ought to be asking and answering for themselves now after witnessing data leakage certainly, but then also after the response -- because this sort of signals a new level of protest against organizations that do business.
RANUM: You should obviously make certain that you've got a polished incident response program in place -- that would be the first thing. Run exercises with your executive management so that everybody knows who's got the ball and who's going to make the official communications and who's going to make the decisions in the event of some kind of a breach that shows up in the front pages of the Google news. That is one thing that is crucial.
Then, of course, I would say this isn't a bad time to trigger your information asset management review. To just go back and maybe reassess: Have we been opening things up a little bit too much over here, or is there somewhere we need to re-engineer one of our processes around kind of the new reality where people have got access to Twitter and Facebook and they are pushing stuff out constantly? I think what happens is a lot of those things kind of sneak up on enterprises, and then they are horrified to discover that there is a problem.
Then another thing that is very useful as part of your response practices is to game through them and do a scenario and say, "OK, suppose that we had a leak like this. What would we do?" Then you can use that exercise to stress load your management process as well as your technology process. If our financial plans found themselves out on the internet, would we have the wherewithal to discover how that happened? Do we have the correct logging and auditing in place? Do we have procedures to look through the audit logs? Do we have people who are capable of performing basic forensic analysis for that sort of thing? Do we have contact with the correct people in law enforcement if it needs to go in that direction? Do we have contacts with third parties who can come in and help us? Do we have the correct processes set up with our legal counsel, etc.? So I think one thing that might be fun to do for a CSO would be to look at the WikiLeaks things and say, "If that happened to us, what would we do?"
Biggest Lessons Learned in 2010
FIELD: So, taking a step back from WikiLeaks, Marcus, and looking over all of 2010, we look at the healthcare information security breaches we've seen and financial services and WikiLeaks and all of the other stories that we've been involved with. When you look at these, what do you see are the biggest lessons we've learned from incidents this year?
RANUM: Well, to me the biggest lesson is that the people who are inside your organization are the ones who can really hurt you, because they know where the good stuff is. That is a serious problem. So, to me that is the big takeaway. Now that is not [news]. I think I've been banging that drum for 20 something years, and security practitioners before me were banging it for 20 years before that. So that is nothing new.
I do think another one is that we really need to reassess the role of how much control an organization is going to have over its applications, over its runtime, because I think when we start talking about problems like people getting hit by malware and data being leaked out, all of that is really a symptom of the fact that we don't really have very good controls on who is running what and where the data is moving inside of our networks. That is very crucial.
Then the other big problem, because of the breach reporting laws -- you've got things like HITECH now and so on -- organizations are getting increasingly stressed to be able to show that they know what happened in the event that something is going wrong. You know there are large amounts of money at stake there.
I have a friend who is a CSO of a Fortune 500 firm and they were able to save several million dollars a year by having a reasonably strong forensic capability so that if a machine is compromised, they're able to with a degree of accuracy that they could testify to in court stand up and say this machine did not [fall victim to] horizontal penetration. So the only credit card numbers that were compromised were the ones that were on the machine during the time of the break-in, and we know when the break-in started and when the break-in was terminated. So we don't need to notify all of our customers. We only need to notify five. That kind of thing is huge. So I think organizations who are looking in the coming years towards "How do we put in place procedures that will allow us to do damage control that could withstand challenges from lawyers, lawmakers and people who want to assess fines against us?"
Biggest Stories of 2011
FIELD: Well, looking ahead, Marcus, what do you see as potentially being the biggest security stories that we will pursue?
RANUM: I think next year hopefully the big security story is going to be how to find the leak we've been seeing in WikiLeaks -- how did that happen? Why did this one guy allegedly have access to so much material? We understand how data can be caused to leak. That is not a big deal, but the question is why was the kimono so completely open to this one guy?
FIELD: Final question for you Marcus. If I'm a CISO of any type in any organization or industry, my New Year's resolution for 2011 should be ... what?
RANUM: My New Year's resolution should be to do a war games-style role playing game surrounding a major information breach, and bring into that my executive management if I possibly can. I have a friend who did one of those and it was very enlightening for everybody, and it actually helped a great deal with selling the need for security to everyone in the executive team. The way that he did it was he basically convinced the CFO to believe that his BlackBerry had been left in the back of a taxi in New York City and showed up on eBay. They just gamed through that, and they basically sat there and said, "What do you have on there? Why do you have it on there?" That was a very enlightening thing. So, I think coming up with some scenarios that you can work through with your peers would be a good thing to do.