All I want for Christmas...

Security wish list

Mark Rasch takes a step back and offers his holiday and New Year's wish list of all things security - items that should exist, be made available and be easy to use for everyone over the coming year.

It is traditional this time of year for people to make lists of what they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo 700p... depending on whether you have been naughty or nice (I hope you all are taking notes). But for the information security-minded, I have developed my own personal wish list of technologies and applications which, as both a lawyer and an information security professional, I would like to see both developed and implemented in the coming year. Now I know that individual aspects of these technologies already exist, some of them for many, many years. And I know that niche products may meet some or all of the goals I want to achieve here. I welcome comments about how a particular technology may meet these needs. What I want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a solution that works seamlessly and with no user input. So here is my Christmas list:

1. Easy encryption

Let's face it, communications and files are not secure. What I want is to send an e-mail just the way I always do: look up an address (or click on a link, or retrieve a stored address) and have it sent in a way that cannot be intercepted, read or interfered with by anyone other than the intended recipient. Oh, and authentication of both the sender and receiver would be nice as well, so I can block spam more easily, and so the recipient can know the mail came from me. I want this done with little or no overhead costs, and no user input. I just want to send secure e-mail.

The files on my computer also should be encrypted seamlessly and effortlessly. In other words, when (note I say when, and not if) I lose my laptop computer, I want to know that the only useful thing they got was the hardware itself: no data, and I mean absolutely no data, should be compromised. Imagine if the Veterans Administration had something like that. Yeah, I know RSA and PGP have programs that do this, and that Vista will do the same thing, but I want it to be idiot-proof, or at least idiot-resistant. I want the stuff scrambled without my input. So much for data breach notifications.

On the other hand, as an administrator, manager or compliance officer, I want to be able to monitor everything going on inside the company. I want free rein (with appropriate auditing) to look at any files within the company I need to see. Nobody said this was going to be easy or even possible. Remember, as Ralph Waldo Emerson said, a foolish consistency is the hobgoblin of little minds.

2. Know what you know... search for the rest

I can conduct a Google search of a few billion web pages in about 3.2 seconds, including the use of Boolean searches, keyword searches, and other kinds of searches to find relevant information. But, as a lawyer and litigator, if I get a document request in discovery for all documents relating to the Jones contract, it takes months to sort through all the files in the company and index them to find the right documents. In fact, most companies see the process of inventorying, collating and examining documents as a necessary evil in preparation for, or in response to, litigation or threats of litigation.

What this means as a practical matter is that the company is spending money and resources to help the person suing them learn what happened in a particular transaction or series of transactions. This is silly. What a company should be able to do is conduct a search of all documents (and I mean all documents: documents, spreadsheets, e-mails, instant messages, chat sessions) within the company (on every desktop, laptop, and server anywhere in the world), no matter how they are maintained or stored (on an iPod, a thumb drive, and so on). It should be able to find these documents long before, and irrespective of, any litigation.

The law presumes that a collective entity known as a company, a partnership, or a government agency knows everything that any part of that entity knows. So if Employee X in Chicago knows one thing, and Employee Y in Santiago, Chile knows something else, then the Company knows both things. We all know that this presumption is absurd. The problem is, as a decision maker, you should have the ability to at least find the information that is collected within the IT systems of the company as easily as you could find a decent pair of tennis shoes. Moreover, you shouldn't wait for a lawsuit to do this. It is important to know what you know as you are making decisions, not afterwards.

Of course, this would require not only indexing and searching every bit of digital information within the enterprise, but also deciding in advance who would have the authority to search for these files, and for what purposes. Oh, and remember where I said above that everything in the company would be encrypted? Again, consistency is not essential here; we are talking Santa Claus today. This is a wish list. If Santa can fit down the chimney of my gas-powered fireplace, surely he can do this.

The next step in data security
