With over 30 sessions in two days there was a lot to cover at this year’s SC Congress conference in Toronto. Here are a few highlights I couldn’t squeeze into other stories:
Dump Windows where needed
–Worried about the vulnerability of workstations used by several thousand IBM system administrators who had access to clients’ production systems, about four years ago the company took away their Windows computers and put them all on Linux PCs.
Those who needed Windows could run it in a KVM virtual environment. In addition, the admins were told no personal browsing or email could be done on the Linux platform.
It was, admitted IBM CISO Koos Lodewijkx, a “very unpopular” decision, but it “significantly reduced malware infection rates” on those users’ machines.
“For long we had been permissive,” he said, encouraging people to experiment with computing. But, he added, there is a lot less Linux malware. Plus, if the work environment was infected, the virtual machine image could quickly be replaced.
Senior leadership realized how important this was if a client’s system were infected, he said, and made that clear.
How was it sold to staff? “You don’t want to force it down the users’ throats,” wondered one audience member. “We did,” Lodewijkx replied.
“We told them how critical their role is for the survival of our company and our clients.” Most accepted that.
Let the business learn our language
— Infosec pros are often told to put their reports in words the business side will understand. Not any more, said Greg Thompson, Scotiabank’s vice-president of IT risk. “We’re at the point now in cybersecurity where we should not be dumbing down our message. We should not be talking in a language the business understands. The business needs to understand our language. Boards of directors need to understand our language.”
These days boards in large companies understand very complex risk issues like liquidity risk, credit risk, market risk, he argued. “It’s kind of naïve to think they don’t have the capacity to learn a little bit about security.
“The focus might be to educate the non-security people (executives and line-of-business leaders) on security terminology so we don’t have to dumb down our message.”
Breaches don’t necessarily earn a rebuke
–Some executives fear regulators, believing that whenever regulators investigate a data breach, bad news follows. Not necessarily.
In 2013 the Canadian, Australian and Irish privacy commissioners investigated a data breach at Adobe that involved 38 million customer records. As Andrew Patrick, an IT research analyst with this country’s federal privacy commissioner’s office, told the conference, the breach was “quite shocking” — attackers had been in the software company’s systems for quite a while, leveraging old systems and poor encryption.
That earned Adobe a rebuke: its security safeguards “were not appropriate to the sensitivity of the personal information being protected.”
By contrast, he noted in an interview, the Canadian privacy commissioner had nothing to say about the 2004 breach at an unnamed data processor that was the victim of a zero-day exploit exposing personal records.
Why? Investigators found nothing to complain about in the company’s IT security. It had used encryption appropriately, and there were multiple intrusion detection systems.
“Just because you have a breach doesn’t mean we’d find the safeguards were inadequate,” Patrick said. “Due diligence will get recognized.”