Treasury Board Secretariat is updating its entire security policy suite, including MITS (Management of IT Security) and the GSP (Government Security Policy).
The revised specifications promise to be more in mind of what a standard should be, with additional documentation, underlying guidelines and directives that will help departments and agencies understand how to implement the policies.
As the deadline approaches for compliance to the first iteration of MITS, one security expert offers a mini assessment of the standard. MITS is a mix of good and bad, suggests Brian O’Higgins, CTO of Third Brigade Inc., and the payment card industry may have some spot-on suggestions for avoiding the ugly.
MITS is strong on risk management. “It’s a good story for best practices,” says O’Higgins. “But you’re supposed to use the parts that apply to your environment.”
Different environments have different risk levels, he explains. Some things may not make sense in your environment and could get you into even more trouble. “There’s a whole risk management overlay to MITS that says only do things that are important to your environment. It allows for that flexibility in interpretation.”
The problem is there’s a lot of grey in the translation. You can declare that you comply with MITS, but you’re still not necessarily secure. “It can be effective, and could be not effective at all,” says O’Higgins. “Even worse, people might be compliant and think they’re secure, but they’re not.”
If you have any Internet identification application, you’re wide open to command injections, such as SQL and AJAX, and targeted attacks.
MITS doesn’t address anything in this kind of detail, but these are the biggest attacks, says O’Higgins.
“MITS does have that notion of vulnerability scanning, and that’s the real answer – rather than being so prescriptive about using one particular technology or another.
“If you have a complicated Web app, it’s not unusual to find a thousand problems with a vulnerability scanner. Vulnerability scanning is the best bang for the buck right now.” Security is always defence in depth.
You’ll always need a lot of layers, he adds. “It’s a constant scan and mitigation.”
The modern, criminal hacker is now absolutely the biggest threat, says O’Higgins. The payment card industry recommends merchants follow a set of specifications to protect credit card numbers. Visa USA Inc. recently identified the top five data security vulnerabilities and provided tips for risk mitigation.
Visa’s top five vulnerabilities are storage of unnecessary data; missing or outdated patches; default settings and passwords; SQL injection attacks; and unused, susceptible services on servers. O’Higgins concedes they’re in the realm of common sense, but notes there is a sense of urgency now.
“Visa’s recommendations have huge relevance for what governments should do – more so than MITS because MITS is very generic and designed to be a minimum,” says O’Higgins. “And you could easily comply with MITS and not be secure.”
– Mark Els