Analytics //

Security Monitoring

6/11/2013
01:35 PM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Getting Out Of PRISM

What we can learn from national security monitoring

Call this the bandwagon blog post. There has been more discussion around the U.S. government monitoring revelations than probably anybody wants to read about. Right wing, left wing, not even on a wing but already bailed out in a parachute -- everyone has an opinion.

If it's one thing I've learned during my career, it's that institutions are never monolithic. If you're referring to anything in the singular -- "the government wants to do this," or "Company X hates puppies" -- then you don't know enough about it. If you've ever been a manager, you know how hard it is to get even one other person to do things just the way you intended. Multiply that by thousands of employees, and it's pretty clear that nobody's marching in perfect lockstep. (By the way, this is also why grand conspiracy theories are bunk: Nobody's that good.)

So entities aren't monolithic, and there is always something going on behind the scenes that you don't know about -- and that might change your opinion on what you do know. For anything that sounds wrong, there is generally a reason behind it that made good sense at the time. This is why I'm not going to opine about the topic of national surveillance: I don't have enough background information (and I probably never will).

But we can draw lessons from this controversy for our own topic: enterprise security monitoring. I've written before about the privacy implications and logistical complexity of making your monitoring fit your policy. It's not just that you have to comply with data privacy laws in different jurisdictions. It's a matter of setting the right tone within your organization for the monitoring you need to do.

Can you justify each type of monitoring you perform and its granularity? Or are you just collecting everything because it's easier to sort it out later? (Also: Big Data!)

Do you have explicit notifications in place for this monitoring? For example, an employee might have to sign an acknowledgment form upon initial hire, which explains what types of monitoring are being performed on the systems, networks, and facilities, including any traffic to sites for personal use. Or you might have a sign next to the guest WiFi in the conference room that reads, "We reserve the right to monitor all traffic on our guest networks, and may log, alter, or block any traffic that we determine to be a security risk."

Do your employees know that you can dig up every page in their browsing history? Maybe they know it theoretically, but it doesn't hit home until they're sitting in HR, being faced with a PDF report of their Web usage. Do they know that you may be monitoring on a general level, but reserve the right to monitor an individual more closely at any time? Do they know who has access to that monitoring data and how often they look at it, or whether it's shared with anyone else?

This is a conversation (perhaps one-sided, but a conversation nevertheless) that every organization should have -- not just about what's technically feasible to monitor; not just about what monitoring is required or prohibited by regulations; but what monitoring is appropriate. And the policies should be transparent to employees, partners, customers, and anyone else who uses the systems.

Transparency is what was implied by the name PRISM, and transparency is what we didn't have. Now's the time to talk to your board about PRISM.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/20/2013 | 7:04:04 PM
re: Getting Out Of PRISM
Good advice Wendy. Hopefully PRISM helps spur enterprises to take a closer look at their own monitoring programs and the transparency around them.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.