2007 in Review

Every year at this time we share with clients and selected industry leaders the key trends we’ve been seeing over the course of the year. Our conclusions are distilled from a combination of the types of projects we’ve completed and a reflection on the discussions we’ve had with clients and prospective clients about their security needs and concerns.

Overarching Trends

IT Security in the public view

IT Security awareness among the general public has never been higher. The highly visible TJX debacle is illustrative, but hardly an isolated incident. Almost every week sees the announcement that some major corporation or public entity has been breached or has lost control over private data. What is common in nearly every case is that they are woefully unprepared to handle a security incident. They typically have no real plan in place to categorize an incident (high, medium, or low business impact), manage the technical response including determining the extent of the breach, and manage the business response including notifying customers and handling investor and public relations.

Compliance, compliance, compliance and standards based assessments

2007 was a watershed for compliance. It is amazing how fast compliance requirements have come to drive security programs. Just a few years ago compliance was the tail of the dog. For many organizations, compliance now drives the security program.

Take HIPAA for example – it finally happened. Atlanta’s Piedmont Hospital became the poster child for Health Insurance Portability and Accountability Act enforcement when it was audited by Health and Human Services earlier this year. It has been clear to even casual observers that the health care industry has largely ignored the Act’s Privacy and Security Rules regarding the protection of Electronic Protected Health Information (EPHI). This long overdue action has health care providers and the organizations that service them scrambling. We’ve not seen this level of interest in HIPAA assessments since the law was first enacted.

Similarly, merchants are far more security conscious. They have to be. The contractual structure between card acquirers, banks, and the payment card companies rests much of the liability for security problems on the merchants. Smaller merchants need to complete an Annual Self-Assessment Questionnaire (self-assessing for most small businesses is about as practical as giving yourself an annual physical). Level 1 merchants need to conduct an annual PCI Data Security Standard (DSS) on-site review. For this reason, SystemExperts became a Qualified Security Assessor Company (QSAC) this year and nearly all of our staff became Qualified Security Assessors (QSA). If you are not familiar with the PCI Security Standards Council’s QSA qualification requirements, they are exacting and detailed.

ISO 17799/27002 compliance continues to grow in importance. It provides organizations with an objective measure of their security stance, enables them to easily communicate the extent and effectiveness of their overall security program, and is recognized and accepted as a high hurdle by prospective customers and business partners. Interestingly, we are finding that we often use the table of contents from the standard as a gauge of completeness even when we are not performing an ISO 17799/27002 review per se. For example, we recently completed a combined ASP/HIPAA review for a company that provides online medical record management. At the end of several days of detailed discussion, I found myself looking over the ISO table of contents to make sure we hadn’t inadvertently omitted a critical topic.

The more compliance reviews we perform, the more convinced we become that good security is good security. These standards are fundamentally consistent in the policies and best practices that they require.

Identity management

With the major security standards and regulations requiring close management of access controls, it is not surprising that identity management is such an important topic. Now, managing user accounts and privileges is nothing new. Everyone has been dealing with it since the very beginning of the computer era. What is new – and this is where the identity management products come in – is the recognition of the importance of the management workflow. Specifically, a workflow approval process that provides auditable controls over the authorization, creation, review, and disablement of user accounts.

Application level vulnerabilities

In past years I’ve noted that web applications continue to be the fastest growing exploit area. That trend is only accelerating. I’m beginning to sound like a broken record on this subject. Traditional web development methodologies are failing to protect sensitive data. Many of these applications are fundamentally flawed in both their design and their implementation. We all know the old software development joke about good, fast, cheap – pick any two. It doesn’t have to apply in this case. It doesn’t take longer or cost more to design and implement an effective authentication mechanism or to make valid assumptions about session management. What is needed is security consciousness or security staff participation early in the application’s lifecycle.
Removable Media: The explosive innovation that has occurred in the area of removable media with devices like USB flash drives and iPods that can hold large amounts of unstructured data poses a real security threat to many organizations. On the one hand, the uncontrolled use of these devices puts an organization’s intellectual property at risk. Rogue employees can walk off with analytics, client lists, and trade secrets and never be detected. On the other hand, indiscriminate use of these devices violates basic system hygiene practices and might lead to the introduction of a damaging virus or worm into the environment. Many organizations have reacted (largely unsuccessfully) by adopting policies that ban their use. Others try to manage the risk by authorizing designated staff members and systems and adopting a procedure for checking the drives for malware.

Virtualization: Many organizations are exploring the use of virtualization technology (products like VMware) and are just beginning to wrestle with the security implications. Security people tend to like to see application environments physically and logically self-contained so we can turn the security knobs appropriately for each one. Properly securing the highly virtualized environments of the future will be challenging all of us for years to come.

Security Infrastructure: In the same way that corporate and departmental web sites burst onto the scene about ten years ago, suddenly SharePoint servers to store security documents and Wikis for policies and procedures are everywhere. Simply put, these are great tools for capturing institutional knowledge and reducing the time and cost of documenting key processes. The Wiki in particular directly addresses a chronic security problem: documentation never keeps pace with actual practices or policies.