Dave Ramsey Applied to Security, Baby Step #1
I've been on a Dave Ramsey kick lately. I like his message and his concept of declaring war on debt. One of his mantras can save people TONS of cash if they would just use basic things they learned in school.
"Do the math!"
Everyone out there has a brother-in-law, church buddy, or friend of a friend who is "a finance guy." We tend to listen to people we consider experts without questioning their motives, simply because we don't believe we can comprehend the complexity of the question enough to figure the answer out ourselves.
For example, several years ago I went to a car dealership to buy my wife a new car. I had just recently graduated with my MBA, brought my Texas Instruments BAII Plus, and got ready to talk numbers (Hey, that education should be good for SOMETHING, right?!?). I left my wife at home and headed out with strict instructions on make, model, and of course COLOR. Negotiators at car dealerships want you to focus on the monthly payment instead of what you are paying for the vehicle (at least in my experience). When I got the first offer back, I did the math and learned that while most auto loans at the time were going for 6%, this dealer wanted to put me into a 9.5% loan. I ran the numbers MANY times thinking that my MBA failed me.
It didn't.
Because I did the math, not only did I save money on the monthly, but I also cut the money I paid in interest over the life of the loan almost in half!
You know what? I dreaded doing the math, but once I did it, I found it was easy to do, and kicked myself for not doing it more often. By starting with the basic math going into a financial instrument like a car loan, I was able to make smart decisions about the purchase to save money and ensure that it did not have an adverse effect on my financial situation.
If Dave Ramsey were a security pundit, I think he would modify the phrase to say "Find the Data!" In fact, let's call that Baby Step #1. FIND THE DATA.
Information security is designed to protect information (or data). So how exactly can we protect it if we don't know where it is?
(Please pause for a moment to let the enormity of the question sink in....)
How many of you out there work for companies with extensive data maps? My guess is probably no one does. There may be a few of you out there who do, but most companies just make assumptions about which systems need to be secure and pay no attention to the data stored on those systems. Here's why that is important.
Groups have tried to attach a cost per record should that record be stolen as part of a data breach. The data backing up these numbers varies so wildly that making any decisions based on the results is foolish. It is a nice benchmark that can at least legitimize the cost associated with a data breach. And, more importantly, it quickly points out that if you don't store the data, you don't need to secure the data!!
So if you really go "Find the Data," you will exit that tremendously difficult project with a good idea of how bad the situation is. I promise you, it is worse than you think. You will find data that will shock you into rapidly doing SOMETHING about the mess. That is a vital tipping point to the whole process. Now that you know what data you store, and where you store it, you can begin to securely destroy data you do not need, and evaluate options for the data you do.
For the data that you DO need (and really, ask the hard questions), you should fight to the death to protect it. Centralized data is easier to protect than distributed data, but there are options to protect both.
Going about finding data in your enterprise looks like a daunting, near-impossible task. I would probably agree! But spending the time to REALLY find it out will pay off in spades when you let someone else get breached.
Comments
If Dave Ramsey were reading this he'd whip you and tell you to buy that car with cash! (insert laughter here)
Anyway, I get your point. Nice analogy.
Posted by: Screwed Up Texan | August 20, 2009 8:59 AM
No doubt! In my extremely weak defense, that was before I found Dave! That car has since been paid off!
Posted by: Branden Williams | August 20, 2009 9:14 AM
Regarding: Baby Step #1. FIND THE DATA
OK, let's assume a fictitious organization that does NOT have any/some/all of the following in place:
a. can perform data discovery
b. knows of and has access to all the information repositories (structured or unstructured)
c. has "sample" sensitive data and patterns so that it knows what it is looking for in the information repositories
The organization has a "security lite" team with few resources, and budget is being focused on more critical activities (e.g. database activity monitoring of specific known sensitive DBs and data).
What processes, resourcing, enabling products (preferably something open source that can be repurposed without major effort - see security staffing/resource/budget constraints above) would this organization need to commence with the basics of their FIND THE DATA initiative? Examples of questionnaires that can be used to solicit answers to the FIND THE DATA question, enabling tech (e.g. SharePoint surveys), database to capture/store/manipulate this data for reporting purposes, management buy-in, policies, etc.???
Posted by: SK | August 21, 2009 7:27 AM
Great question! I believe that there is a significant group of companies with a similar makeup noting that some of those items may be in place. The great news, you can start with open source!
Questionnaires are a great idea to really grasp how well your business knows how it functions and what its requirements are. You can start with basic questions like, “do you interface, access, or store X type of data,” where X is something like SSN, Federal ID, Credit Card, Track Data, or any other type of prohibited or covered data. Start with the obvious, and then go grab a couple of states’ laws to see what kind of data they might classify. HIPAA lists 18 different types of data that it covers as well.
Unfortunately, people make mistakes. If you have been following along for a while, you will remember a post based on my first Herding Cats edition that showed ways to discover certain kinds of data (i.e., known formats) on *NIX-based systems using grep. Another option is the free, open source tool from Cornell, Spider. Granted, specialized environments will not be able to use tools like this, and you may need to resort to custom scripting in those areas.
I’ll work on some more pieces here because you bring up some excellent points! Look for more next week!
Posted by: Branden Williams | August 21, 2009 9:43 AM
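The reply above points at grep-style discovery of known data formats as a cheap way to start the FIND THE DATA inventory. The following is an added example, not code from the post and not Cornell's Spider tool: a small Python scanner for the two formats the reply names, SSNs and payment card numbers. It validates card candidates with the Luhn checksum to cut down false positives, and reports only masked values so the findings list does not itself become another copy of the sensitive data. The file names, directory and sample values are all constructed for the demo.

```python
"""Minimal 'find the data' scanner for known-format sensitive data.

Added example, not code from the post or from Cornell's Spider. It walks a
directory tree, looks for two well-known formats (US SSNs and payment card
numbers), validates card candidates with the Luhn checksum to cut false
positives, and reports masked matches so the report itself does not become a
new copy of the sensitive data.
"""
import os
import re
import shutil
import tempfile

# Candidate patterns. The SSN pattern rejects area/group/serial values that
# are never issued (000, 666, 9xx / 00 / 0000). The card pattern accepts 13-19
# digits with optional spaces or dashes; Luhn validation does the real filtering.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be triaged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Yield (kind, masked_value) for each match in a block of text."""
    for m in SSN_RE.finditer(text):
        yield ("ssn", mask(m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            yield ("card", mask(digits))


def scan_tree(root: str, max_bytes: int = 10 * 1024 * 1024):
    """Walk `root` and return a list of (path, line_no, kind, masked_value)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # very large files deserve a separate pass
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for kind, masked in scan_text(line):
                            findings.append((path, line_no, kind, masked))
            except OSError:
                continue  # unreadable file: skip it and keep going
    return findings


def demo():
    """Build a constructed directory with sample files, scan it, clean up."""
    root = tempfile.mkdtemp()
    # Constructed test data: 4111 1111 1111 1111 is a well-known test PAN.
    with open(os.path.join(root, "export.csv"), "w") as fh:
        fh.write("id,name,card\n")
        fh.write("1,alice,4111 1111 1111 1111\n")
        fh.write("2,bob,4111111111111112\n")      # fails Luhn: not reported
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("applicant ssn 123-45-6789 on file\n")
        fh.write("invoice 000-12-3456 paid\n")     # area 000: not an SSN
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, line_no, kind, masked in demo():
        print(f"{path}:{line_no}: {kind} {masked}")
```

Point `scan_tree` at a file share or a database export directory to get a first, rough map of where covered data is sitting; the masked report is what you hand to the data owner when asking the hard question of whether the data needs to exist at all.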