Tuesday, February 5, 2008

Productivity vs Security

This is a copy of a comment I posted on Rich Mogul's website. I thought that my answer clearly shows my present way of thinking about Information Security and the value thereof. I have edited my answer for this Blog Post but the essence is the same.

Rich was answering a question of Scott who assumed that as productivity goes up security goes down and vice versa and at some point there must be a sweet spot where you get the most productivity at the least cost to security. Scott uses the word "obviously"

Your (Rich and Scott) assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity eg where spam is blocked and the user does not need to spend hours sorting email. Alternatively if browsing is restricted and time-wasting sites like facebook are blocked then productivity goes up.

My big security theory (which I wish I could put into practice) is that once companies achieve a security zen state (sorry if that is copyright) when security becomes part of the culture and is built into all systems then it actually increases productivity in a way that could actually help the bottom line.

In response to the original poster - if Information Security is at odds with the processes of the business then either the process is wrong or the information security is wrong.

If you tack on security after the fact your thinking will always be wrong.

Example:
A sales-rep is always on the road. Because he lives in the North part of town that is where his customers are. He has a list of customers and their details in his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop and it must be done over a VPN. Sales guy also has to have his laptop encrypted and a password protected screensaver. He can, if he wants to, drive into work and download the information over the network but work is far from his house and his customers.

Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn't. He has to type in passwords every time he needs to use his PC. What a shlep.

But... if you think about the savings in terms of productivity compared to driving to work and getting the information, printing it out and then filing it away at the end of the day (another trip) - the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure and a few extra seconds each time information is needed and a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.

Friday, February 1, 2008

Prediction 3 - A major site gets hacked

I'm not so sure about this one and I have been thinking about it for too long. If I take much longer my predictions will be very accurate because it will be December and I'll have hindsight.

Online service providers (yahoo, gmail (google), hotmail (microsoft)) seem to take their security really seriously and that is great. I think that they are targets but they are aware of this and they realise that an attack could render them dead. Their business is all about trust and a loss of trust would break their business.

However, the web was never designed to be so secure and application based. It is meant to be static pages delivered non sequentially (images load up when they can). This is not a very good base to have for a service.

I see that the hackers are already playing with session keys and such. My prediction is that this year or in the foreseeable future malware (all kinds including bots) will try suck session keys from traffic and use them to steal information or do unauthorised actions on "behalf" of a user. This has happened in the past but I believe that it will become more widespread, targetted and automated.

Example possible attack scenario: "Bob logs onto Gmail from an infected PC. He logs into his account on gmail waking and wakes up the malware which either forwards the session key to the attacker or drafts an email to the attacker from Bob with a list of all his contacts. Attacker sells these good emails to spammer. Or malware downloads a preconfigured spam message and sends the message to all of Bob's contacts. All of this happens in a scripting environment and Bob is not aware of anything strange because windows don't pop up."

If this is happening already then I applogise for coming to the prediction party late.. and I'll just predict that it will increase until http is replaced with something else, new online standards are developed for services or it becomes as bad as spam is today.