Q&A with Linda Lynch - Hugh Thompson, chief security strategist, People Security.
You keep a pretty busy schedule: you're a professor, an entrepreneur and have written four books. What drives you?
My passion is security education and getting other people excited about our industry, what it has to offer, and why information security is one of the most interesting fields on the planet. I started a consultancy several years ago called People Security that focuses on methods to educate people on security, with a focus on software. I also teach a class on software security to PhD students at Columbia University in New York. I enjoy challenging them to look ahead and build creative solutions for the complex puzzles yet to be solved in security.
You gave a keynote at RSA Conference Europe 2009 in London on ‘gateway data’. I'd never heard of that term before.
OK, you've got me – I made it up. It's a term I use for the new classes of sensitive data, some of which we're just starting to understand. Take Personally Identifiable Information (PII). This has inherent value to an attacker. Data in this class would include things such as credit card numbers, bank account information, passwords etc. Knowing that this information directly provides access to accounts, money and so on, we know it is sensitive and we need to protect it.
Gateway data, though, is more subtle. This is data that seems harmless but, when used properly, can facilitate access to highly sensitive information. Online password-reset schemes use seemingly trivial information such as the name of your favourite pet or your favourite teacher to grant access to your account after you've forgotten a password. This ‘harmless’ information becomes a ‘gateway’ that an attacker can use to get access to an account.
You got named the chair of the programme committee for RSA Conferences, so congratulations.
Thanks. This has been an interesting year in security and we're seeing that reflected in the talks coming up for RSA Conference USA 2010.
This has also been a rough year financially. Interestingly, that seems to have led to a lot of innovation, especially with respect to security metrics.
Will we get to the point where we can really measure security?
A more approachable way might be measuring risk, and yes, we have to make a lot of progress. Some controls are must-haves because they are mandated by regulation. Controls that fall outside of the must-have are coming under scrutiny, due to budget pressures. The result has been a mini metrics renaissance where people have been forced to look at fresh ways to measure the value of security. You will see that play out in the 2010 RSA Conferences.
You did a session on ‘collateral hacking’. What is that exactly?
Everybody's talking about the cloud and leveraging shared resources to get things done cheaper and better. We could spend an entire issue of SC talking about the challenges of cloud security, but one of the most interesting things is how pooling data and resources increases the risk of a breach or a failure. It's not very appealing for an attacker to go after the payroll data of a small company. When the data from thousands of small companies are pooled at an outsourcer, though, it then becomes an appealing target – and these small companies become collateral damage from the big breach. We are increasingly reliant on third parties to manage our data and we need to rethink their SLAs and make sure they factor security service in.
Lastly, what do you think is the biggest mistake companies make today with respect to security?
Where companies go wrong is not building good security awareness programs. Most employees are good people who want to do the right thing, but with security, many employees don't know what the right thing is to do. Real security comes down to lots of little decisions that employees make every day. Building a security-savvy culture has benefits far beyond what we are currently able to measure.