August 10, 2018
In the not-so-distant past, as a teenager, I can remember my excitement when I would start a new job. The only dreadful part was the paperwork: I would have to juggle a pile of forms, and if I forgot one item, I would have to go back to the manager with a new form filled out correctly. Life has since become far more convenient for us. Signing is done electronically, and the paperwork is sorted at the office without me even seeing it. This has eased the process, but where has all this completed paperwork gone?
The digital age is still fairly young, and now, more than ever, security professionals have the challenging task of protecting sensitive data from malicious actors. More mature organizations and federal agencies may seek a risk-based approach such as that found in the NIST Special Publication, Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37), to protect sensitive information, and use the NIST Special Publication, Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53), to select the appropriate controls to reduce those risks.
All security begins with planning and preventive controls. Some organizations believe that a unique username and password are sufficient to guard access to sensitive information. I am surprised that so many websites housing critical information have yet to adopt multi-factor authentication. Individuals who create simple passwords, because they don't want the headache of remembering a tougher one, limit how effectively that information is guarded. Multi-Factor Authentication (MFA) has proven to make it more difficult for hackers to penetrate systems, because it uses more than one process to authenticate an individual. Not only does a malicious actor need to obtain your username and determine your password; they also need access to something of yours, such as a phone or token, or something biometric, such as a fingerprint or retinal scan.
All the other controls are meant to be after-the-fact, or post-breach. This does not imply that detection, response, or recovery controls are unnecessary. Many security professionals believe that preventing a problem is better than trying to recover after it occurs. It is our duty as security professionals to provide the proper guidance and subject matter expertise to our clients and peers. Under many circumstances, the decision to implement a solution will not be in our hands, but that does not discount the effect our recommendations may have on an enterprise or agency.
-Contributed by Ahmad Rasool