Information Security News
mailing list archives
All I want for Christmas...
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 22 Dec 2006 00:09:57 -0600 (CST)
http://www.theregister.co.uk/2006/12/20/security_wish_list/
By Mark Rasch
SecurityFocus
20th December 2006
Mark Rasch takes a step back and offers his holiday and New Year's wish
list of all things security - items that should exist, be made available
and be easy to use for everyone over the coming year.
It is traditional this time of year for people to make lists of what
they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo
700p... depending on whether you have been naughty or nice (I hope you
all are taking notes). But for the information security-minded, I have
developed my own personal wish list of technologies and applications
which, as both a lawyer and an information security professional, I
would like to see both developed and implemented in the coming year. Now
I know that individual aspects of these technologies actually already
exist - some of them for many many years. And I know that niche products
may meet some or all of the goals I want to achieve here. I welcome
comments about how a particular technology may meet the needs. What I
want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a
solution that works seamlessly and with no user input. So here is my
Christmas list:
1. Easy encryption
Let's face it, communications and files are not secure. What I want is to
send an e-mail just the way I always do: look up an address (or click on
a link, or retrieve a stored address) and have it sent in a way that
cannot be intercepted, read or interfered with by anyone other than the
intended recipient. Oh, and authentication of both the sender and
receiver would be nice as well, so I can block spam more easily, and so
the recipient can know the mail came from me. I want this done with
little or no overhead costs, and no user input. I just want to send
secure e-mail.
The files on my computer also should be encrypted seamlessly and
effortlessly. In other words, when (note I say when, and not if) I lose
my laptop computer, I want to know that the only thing they got that was
useful was the hardware itself: no data, and I mean absolutely no data,
should be compromised. Imagine if the Veterans Administration had
something like that. Yeah, I know RSA and PGP have programs that do
this, and that Vista will do the same thing, but I want it to be
idiot-proof, or at least idiot resistant. I want the stuff scrambled
without my input. So much for data breach notifications.
On the other hand, as an administrator, manager or compliance officer, I
want to be able to monitor everything going on inside the company. I
want free range (with appropriate auditing) to look at any files within
the company I need to see. Nobody said this was going to be easy or even
possible. Remember, as Ralph Waldo Emerson said, a foolish consistency
is the hobgoblin of little minds.
2. Know what you know...search for the rest
I can conduct a Google search of a few billion web pages in about 3.2
seconds, including the use of Boolean searches, keyword searches, and
other kinds of searches to find relevant information. But, as a lawyer
and litigator, if I get a document request in discovery for all
documents relating to the Jones contract, it takes months to sort
through all the files in the company and index them to find the right
documents. In fact, most companies see the process of inventorying,
collating and examining documents as a necessary evil in preparation for
or in response to litigation or threats of litigation.
What this means as a practical matter is that the company is spending
money and resources to help out the person suing them to learn what
happened in a particular transaction or series of transactions. This is
silly. What a company should be able to do is to conduct a search of all
documents (and I mean all documents: word-processing files, spreadsheets,
e-mails, instant messages, chat sessions) within the company, on every
desktop, laptop, and server anywhere in the world, no matter how they are
maintained or stored (iPod, thumb drive, and so on). It should be
able to find these documents long before, and irrespective of, any
litigation.
The law presumes that a collective entity known as a company, a
partnership, or a government agency knows everything that any part of
that entity knows. So if Employee X in Chicago knows one thing, and
Employee Y in Santiago, Chile knows something else, then the Company
knows both things. We all know that this presumption is absurd. The
problem is, as a decision maker, you should have the ability to at least
find the information that is collected within the IT systems of the
company as easily as you could find a decent pair of tennis shoes.
Moreover, you shouldn't wait for a lawsuit to do this. It is important
to know what you know as you are making decisions, not afterwards.
Of course, this would require not only indexing and searching every bit
of digital information within the enterprise, but also deciding in
advance who would have the authority to search for these files, and for
what purposes. Oh, and remember where I said above that everything in
the company would be encrypted? Again, consistency is not essential
here, we are talking Santa Claus today. This is a wish list. If Santa
can fit down the chimney of my gas powered fireplace, surely he can do
this.
3. Permission please (document permissions, retention and destruction)
One of the biggest problems for IT and legal staff is the fact that
document destruction and retention policies simply don't work. This is
because there is currently no available technology to effectively
enforce them. The problem is part legal, part administrative, and part
technological.
First of all, there is the old adage that "delete doesn't and restore
won't". Thus, to some extent deleting documents compounds the problems
related to discovery and disclosure, and doesn't solve them. You see, if
a document or record exists, it is discoverable. If you simply delete
the document, but fail to wipe it (or if you only delete some but not
all copies of the document) not only is the document still discoverable
(because it exists), but you have increased the cost of recovery and
therefore disclosure of that document at a cost that you may be
responsible for (although new US federal e-discovery rules have had some
marginal impact on this). When we are talking about electronic
communications (including documents transmitted electronically) it
becomes very difficult for a company to effectively enforce a document
retention or destruction policy (well, really it's just a document
destruction policy), unless every copy of the communication and document
remains within the enterprise. You can only delete your copy of the
document.
Thus, what I would love to see is something whereby, with no
intervention on the part of the user, the document (or communication) is
automatically assigned both permissions and embedded with some document
destruction rules (such as, "Good morning, Mr. Phelps... this document
will self-destruct in five minutes..."). The document permissions would
control things like who had rights to read, forward, print, view, and
edit the document. It could also know whether the document related to
corporate trade secrets or privilege (based upon the identity of sender,
recipient and subject matter), or other protected matter. It would know
if it was required to be kept for 30 days, 3 months or 6 years based on
the same things a human (remember humans?) would do, such as its subject
matter and regulatory requirements and document retention policies.
Sure, we could set such permissions right now but most of us don't.
These permissions would need to be embedded at the file level so that no
matter where the document was sent, it couldn't be misused. And upon
expiration, the document would die (or irreversibly encrypt itself).
Thus, your document destruction and retention policy would enforce
itself even on stored or sent documents irrespective of where the
documents are stored.
4. Mobile devices that phone home
Modern enterprises are, in a very real sense, distributed environments.
They are fundamentally different from the office of 20 years ago where
creation and storage of electronic records took place on a large
mainframe computer. They're even different from just five years ago
where many documents were created on desktop machines which stayed
resident at the office. Now, most information is created on and stored
on mobile devices, typically laptop computers. This trend will
accelerate as more corporate information is created and stored on
smaller, lighter and even more portable devices: palmtops, sub-notebooks,
smart phones and the like.
While the encryption schemes mentioned above may serve to protect the
data on these devices, there remains the problem that under many current
configuration schemes, the data only resides on the portable device, and
is not backed up onto any server or storage device by the employer.
Thus, if the portable machine is lost or stolen, the company permanently
loses the data on the machine. What is worse, the company doesn't know
what it has lost, because it had no reference to the latest version of
the files that may have been lost. Now of course, companies can
configure their networks to allow for automatic backup of files onto a
network drive or server, but many do not. This should change.
5. Mobile access
I want my files, and I want them now! I want to be able to seamlessly
access all of my files and records no matter where they are. I want to
get to them from my desktop, my laptop, any machine in my house, my Palm
Pilot, cell phone and any other device. If I change a document, I want
the changes to synchronize. I don't want to have to put all my music,
video, etc., on every machine separately. Store it once, and forget it.
Oh, and I want it 100% secure.
6. Strong authentication with anonymity
Once again in the category of mutually contradictory wishes, I want my
access to be strongly authenticated - preferably without something I have
to carry around (which I will misplace) or remember (which I won't remember).
That probably leaves me with a biometric device, which scares the
bejeezus out of me. I want me and only me to access my files (okay,
maybe my boss too) but - and here is the big one - I don't want there to
be a record of what I did. In other words, I want to be anonymous when I
want or need to.
7. Milk and cookies for Santa
So that's it. My holiday and New Year's wish list for the security
community. Oh, and while I am at it, I want a pony and peace on earth,
and good will towards men. If all of that is too much to ask, well, how
'bout that Wii?
This article originally appeared in SecurityFocus.
Copyright 2006, SecurityFocus
-=-
SecurityFocus columnist Mark D Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as a lawyer
specialising in computer crime, computer security, and privacy matters
in Bethesda, Maryland.