So, I got an email the other day from SC magazine informing me that they have a new feature called "Hot or Not" which claims to take the media to task for their hype. That sounded appealing as did the "hot or not" part (because much like Project Runway, in security you are either hot or you are not.)
For background, SC has apparently decided that there's quite a bit of media hype in infosec, and they intend to separate the wheat from the chaff and tell us whether something is really a threat - or just hype. Reading the description, I approached the column with cautious optimism: optimism because I'm all for people calling out the media hype, but caution because to do this correctly SC will need to be ready to take the occasional controversial stand on things and cut against the traditional wisdom.
In the first edition of this new feature, SC tells us that laptop theft is, in fact, "hot" and not just wind:
Should I be worried? Yes. Every organization that deals with PII should be concerned about proper protection and potential loss wherever the data resides.
Agreed; I think it's probably "hot" too. Of course, I think you'd be hard-pressed to find anyone who doesn't agree with that assessment. As to what practical things they recommend practitioners do to mitigate laptop theft:
Procedures should separate PII from other general user population information. The enterprise should employ hard disk passwords, disk encryption or file encryption for computers that must contain PII. In addition to the built-in (but not automatically enabled) file system encryption that PCs (EFS) and Macs have, there are other hard-drive encryption solutions on the market. Additionally, developers or programmers should not work with live data.
True, true. My only issue with this would be the degree of difficulty in doing these things. Having implemented EFS, for example, I can tell you with certainty that it is a technology that's difficult to implement (and of questionable utility) in the best of situations and less than useless in the worst of them. Additionally, I have yet to come across an enterprise where developers don't work with production data somewhere in the firm (I'm not saying it's right, mind you, just that everybody's doing it - kind of like speeding.) Useful material around this would be a "real world guide to implementing EFS for laptop protection" if somebody would care to write it; of course, SC might not be the best forum for that...
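As an added example (not from the SC column or this post), here is a PowerShell audit that checks whether a folder designated for PII actually has EFS applied, since the column notes EFS is built in but not enabled by default; the folder path C:\PII is a placeholder assumption, and the script only reports, it does not change anything.

```powershell
# Added example: audit a PII folder for EFS coverage (reports only, changes nothing).
# Assumption: C:\PII is the directory that procedures designate for PII (placeholder path).
param([string]$PiiRoot = 'C:\PII')

$Encrypted = [System.IO.FileAttributes]::Encrypted

# A file or directory is EFS-protected when its Encrypted attribute bit is set.
function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    return (($Item.Attributes -band $Encrypted) -eq $Encrypted)
}

if (-not (Test-Path -LiteralPath $PiiRoot)) {
    Write-Error "PII root '$PiiRoot' does not exist"
    exit 1
}

# The directory itself should carry the Encrypted attribute so new files inherit it;
# otherwise a user dropping a fresh export into the folder gets a plaintext file.
$root = Get-Item -LiteralPath $PiiRoot
if (-not (Test-EfsEncrypted $root)) {
    Write-Warning "Directory '$PiiRoot' is not marked for EFS; new files will not be encrypted automatically"
}

# Enumerate every file under the root (hidden ones included) and list those stored in plaintext.
$all   = @(Get-ChildItem -LiteralPath $PiiRoot -Recurse -File -Force)
$plain = @($all | Where-Object { -not (Test-EfsEncrypted $_) })

"{0} of {1} files under {2} are not EFS-encrypted" -f $plain.Count, $all.Count, $PiiRoot
$plain | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# EFS keys live in the user's profile. Without an EFS certificate backed up off the
# laptop (or a domain recovery agent), a lost profile makes the data as unrecoverable
# to the firm as it is to the thief, which is part of why EFS rollouts are painful.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' })
if ($efsCerts.Count -eq 0) {
    Write-Warning "No EFS certificate in the current user's store; a self-signed key will be created on first use and must then be backed up"
}
```

Run it as the laptop's user on each machine that is supposed to hold PII; a non-zero plaintext count or a missing certificate is the finding to chase, not something to fix by blindly running cipher.exe /e.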
So, I'll remain cautiously optimistic about this new feature; if SC decides they don't mind pissing off a few readers, authors, and sponsors by actually taking the hype to task (consider "hot or not: source code scanners", "hot or not: web application firewalls", "hot or not: phone-borne malware", etc.) then I'll keep reading it. On the other hand, if they stick to topics guaranteed not to stir the pot, then I'll probably stop reading after a few entries.
Posted by Ed at October 3, 2006 04:06 PM