Security Made Simple
By Tara Savage, Senior Marketing Manager, BT Global Services
Cryptography. Several books have been written on the topic, many from our own experts within BT. But what is cryptography? Bruce Schneier, chief security technology officer at BT, recently created a video for the RSA 2011 conference that explains in simple terms how it works.
Bruce’s explanation centers on a relationship between two people — meet Bob and Alice. They are having a conversation when Eve begins to eavesdrop. She listens in to what Bob and Alice are saying but does nothing with the information she hears. Around the corner, however, is Mallory. She is intent on intercepting the conversation between Bob and Alice and interfering with it for her own malicious purposes.
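The difference between Eve and Mallory is the difference between confidentiality and integrity, and a short script makes it concrete. The code below is an added example written for this page; it is not from Bruce's video or from BT. Eve, who only listens, sees nothing useful once Bob and Alice encrypt. Mallory, who changes what passes between them, is not stopped by a plain stream cipher at all: flipping bits in the ciphertext flips the same bits in what Bob decrypts, so "PAY 100" quietly becomes "PAY 900". Adding a message authentication code (HMAC-SHA256 over the ciphertext, the encrypt-then-MAC construction) lets Bob detect that the message was altered. The keys, the SHA-256 counter-mode keystream and the sample message are assumptions chosen for the demo.

```python
import hashlib
import hmac

# Constructed keys for the demo (assumption: in a real system these come
# from a key exchange, not from constants in the source).
ENC_KEY = b"alice-bob-confidentiality-key!!"
MAC_KEY = b"alice-bob-integrity-key!!!!!!!!"
TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 of key||counter, concatenated until long enough."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return out[:length]


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts, since XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(ciphertext)."""
    ct = xor_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything altered."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return xor_encrypt(enc_key, ct)


def eve(ciphertext: bytes) -> tuple:
    """Passive adversary: keeps a copy, forwards the bytes unchanged."""
    return ciphertext, ciphertext  # (what Eve keeps, what Bob receives)


def mallory(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Active adversary: XORs (known plaintext ^ wanted plaintext) into the
    ciphertext prefix. Without a MAC this changes what Bob decrypts."""
    assert len(known) == len(wanted)
    delta = bytes(a ^ b for a, b in zip(known, wanted))
    delta += bytes(len(ciphertext) - len(delta))  # leave the rest untouched
    return bytes(c ^ d for c, d in zip(ciphertext, delta))


def run_demo() -> dict:
    """Run the three scenarios and return what each side observed."""
    msg = b"PAY 100 TO BOB"  # constructed sample message
    results = {}

    # 1. Encryption alone against Eve: she sees ciphertext, Bob gets the message.
    ct = xor_encrypt(ENC_KEY, msg)
    seen, delivered = eve(ct)
    results["eve_reads_plaintext"] = seen == msg
    results["bob_gets_original"] = xor_encrypt(ENC_KEY, delivered) == msg

    # 2. Encryption alone against Mallory: the altered ciphertext decrypts
    #    cleanly to an altered message and nothing signals a problem.
    forged = mallory(ct, b"PAY 100", b"PAY 900")
    results["mallory_undetected"] = xor_encrypt(ENC_KEY, forged) == b"PAY 900 TO BOB"

    # 3. Encrypt-then-MAC against Mallory: the same edit now fails verification,
    #    while the genuine message still opens.
    blob = seal(ENC_KEY, MAC_KEY, msg)
    tampered = mallory(blob[:-TAG_LEN], b"PAY 100", b"PAY 900") + blob[-TAG_LEN:]
    try:
        open_sealed(ENC_KEY, MAC_KEY, tampered)
        results["mac_detected_tampering"] = False
    except ValueError:
        results["mac_detected_tampering"] = True
    results["mac_accepts_genuine"] = open_sealed(ENC_KEY, MAC_KEY, blob) == msg
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to take away is that encryption answers Eve, and only an integrity check answers Mallory; real protocols use an authenticated cipher (for example AES-GCM) rather than a hand-built stream cipher plus HMAC, but the separation of the two properties is the same.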
PART #5: Security and Fraud — It’s a leap of faith
By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
In the last post, PART #4: Security and Fraud — Look for what is wrong and know what is right, I talked briefly about the difference between looking for what is wrong and looking for what is right. In short, that is an overly simplistic representation of the difference between security and fraud.
Fraud exists in many areas of the business, and I expect it to find its way into IT security. We’ll see point solutions as the demand increases and as more technology is developed. But if we look well ahead, we can see this as the beginning of a monumental and fundamental shift. At the extreme, it’s not firewalls and IDS … it’s business profiling. Every system, application and person is modeled. Everything gets a “digital persona” that is constantly and intelligently updated to reflect acceptable changes, becoming ever more attuned to the specific “condition” of that person or asset.
As a very basic example, consider FBI criminal profilers: highly educated and well-informed people who can offer a perspective on a criminal based on information about the perpetrator. He’s a 30-year-old man, grew up in NY, born in Mexico, his mother was murdered, he was molested, he lived here, he read this magazine, he interacted with these people, etc.
From this and other information, you can begin to draw a picture, predicting potential next steps. You can predict the threat as well as, in some cases, the tactic.
This kind of profiling already exists in many three-letter agencies, the military and law enforcement. It’s a long-standing, proven practice. So why can’t we do this in the digital world? The government is already there, so why not business?
Because it’s brutally expensive. There is no “meaningful” technology available to the business, and it’s a reversal of today’s security strategy – not something senior executives are going to like.
Nevertheless, it’s coming. Throughout this series, starting with PART #1 — Security and Fraud: Do we need to be fraud experts?, I’ve been trying to draw a line between security and fraud, yet in time I’m not sure we’re going to differentiate between the two.
I separated them here to convey the dynamic that’s occurring. In the short term, security and fraud will be two separate features of the security program. Eventually, however, security controls and fraud controls will work together under a common model, building off one another. Security controls will be tuned to address measurable fraud activities rather than being tied strictly to threats and classifications. Fraud controls will respond to the information and visibility that flow in from traditional security, so that tools, tactics and the modeling of normal activities and their boundaries can be refined – constantly balancing business and threat conditions.
Moreover, risk management will act as the basis of unification, creating a framework that allows effective interactions. Ultimately, it will all become risk management, and fraud management, with everything it implies, will become another feature within risk alongside threats, vulnerabilities, potential, impact, and so on.
In the long term, the demand for greater fraud management will stem from today’s emerging practices and focus. For example, DLP (data loss prevention) is about understanding information assets and looking to control – or at least gain visibility into – how they flow. In time, that focus on information flow will broaden to information flow relative to function, access, purpose and business process.
To elaborate, DLP can help us stop Social Security numbers from crossing from one environment to another, but in the future, it will be about the business processes, operational model, and digital persona of the networks, systems, applications, and people involved in how that information is stored, processed and transmitted.
While today’s security is about stopping the unwanted and undesirable, changes in the threat landscape are going to force security professionals and organizations to focus on determining what is normal. Fraud detection is, in many ways, a luxury in today’s IT security, realized through smart people doing smart things with various forms of technology and security services.
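The contrast running through this series, looking for what is wrong versus knowing what is right, comes down to two different detection questions, and a small script shows why the second catches things the first cannot. What follows is an added example written for this page, not code from BT or from the posts it summarizes. A "look for what is wrong" control checks events against a list of known-bad sources. A "know what is right" control first builds a per-user profile (a rudimentary digital persona: the addresses, countries, hours and transfer amounts the user normally shows) and then flags deviations from it. The login events, the blocklist entry and the profiling heuristics (an hour band one hour either side of history, an amount cap of twice the user's mean) are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (assumption, not real data).
# Each event is (user, source_ip, country, hour_utc, amount_transferred).
HISTORY = [
    ("alice", "10.0.0.5", "GB", 9, 120),
    ("alice", "10.0.0.5", "GB", 10, 80),
    ("alice", "10.0.0.7", "GB", 14, 200),
    ("alice", "10.0.0.5", "GB", 16, 150),
    ("bob", "10.0.1.9", "US", 13, 3000),
    ("bob", "10.0.1.9", "US", 15, 2500),
    ("bob", "10.0.1.9", "US", 17, 4000),
    ("bob", "10.0.1.9", "US", 18, 3500),
]

# The only thing a "look for what is wrong" rule knows (constructed value).
BLOCKLIST = {"203.0.113.66"}

NEW_EVENTS = [
    ("alice", "203.0.113.66", "GB", 10, 100),    # known-bad source, otherwise ordinary
    ("alice", "198.51.100.23", "RU", 3, 9000),   # never seen before, but on no list
    ("bob", "10.0.1.9", "US", 16, 3200),         # entirely normal for bob
]


def look_for_wrong(events, blocklist):
    """Classic security control: flag only what matches a known-bad indicator."""
    return [e for e in events if e[1] in blocklist]


def build_profiles(history):
    """Fraud-style control: learn what is normal for each user from their history."""
    profiles = defaultdict(
        lambda: {"ips": set(), "countries": set(), "hours": [], "amounts": []}
    )
    for user, ip, country, hour, amount in history:
        p = profiles[user]
        p["ips"].add(ip)
        p["countries"].add(country)
        p["hours"].append(hour)
        p["amounts"].append(amount)
    # Summarise the numeric features into an acceptable band (assumed heuristics).
    for p in profiles.values():
        p["hour_band"] = (min(p["hours"]) - 1, max(p["hours"]) + 1)
        p["amount_cap"] = 2 * (sum(p["amounts"]) / len(p["amounts"]))
    return profiles


def know_what_is_right(events, profiles):
    """Return {event: [reasons]} for events that deviate from the user's profile."""
    findings = {}
    for event in events:
        user, ip, country, hour, amount = event
        profile = profiles.get(user)
        reasons = []
        if profile is None:
            reasons.append("no profile for user")
        else:
            if ip not in profile["ips"]:
                reasons.append("unfamiliar source ip")
            if country not in profile["countries"]:
                reasons.append("unfamiliar country")
            low, high = profile["hour_band"]
            if not low <= hour <= high:
                reasons.append("outside usual hours")
            if amount > profile["amount_cap"]:
                reasons.append("amount far above usual")
        if reasons:
            findings[event] = reasons
    return findings


def review(history, events, blocklist):
    """Run both controls over the same events so their coverage can be compared."""
    profiles = build_profiles(history)
    return {
        "known_bad": look_for_wrong(events, blocklist),
        "abnormal": know_what_is_right(events, profiles),
    }


if __name__ == "__main__":
    result = review(HISTORY, NEW_EVENTS, BLOCKLIST)
    print("flagged by blocklist:", result["known_bad"])
    for event, reasons in result["abnormal"].items():
        print("deviates from profile:", event, "->", ", ".join(reasons))
```

Running it, the blocklist catches only the first event. The second event, which is the one a fraud analyst would actually want to see, matches no known-bad indicator and is surfaced solely because it departs from Alice's own persona on every axis. That asymmetry is the practical content of "determining what is normal": the profile is what lets a control notice something it has never been told about.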
Eventually, it’s likely we’ll see fraud detection and management become a centerpiece of security and ultimately, a core function.