

July 2007 Archives

July 19, 2007

On Trust and Regulation

Trust is part of our daily lives. It's what gets us to work in the morning and it's what keeps our society from going insane. That car in the lane next to me on the freeway this morning: I trusted it not to swerve into my lane and send me careening off into the guardrail. But did I trust the car or the driver? How is trust created, and are we using regulations and money to buy customer trust?

On Tuesday, July 17th, the Deputy Attorney General made remarks at the Corporate Fraud Task Force, in which he said:

"For the past five years, the Task Force has worked to restore public confidence and trust in the American business community." Deputy Attorney General Paul J. McNulty, July 17th, 2007

What does this have to do with information security?
McNulty's quote refers to Sarbanes-Oxley and other regulatory measures put in place since the Enron and WorldCom fallout. While he pointedly says "business community," he still talks of business as an entity capable of being trusted. Many of us like to think we trust an organization, a business or some other concrete entity. Regulation does not create trust in a business; it aids in ensuring that people do the right thing. Further, the people whose trustworthiness we really should be questioning are the auditors. Adherence to regulation can, today, only be fully measured by a human, and it is the auditor who has the job of rating compliance.

The point(s)
The crux of this discussion of trust is that businesses and consumers have come to define their trust in another company based on regulations and frameworks. The first thing we ask for from any potential vendor is their latest audit findings (SAS70, SysTrust, etc.). For many it has become a cop-out, as opposed to doing the real personal work of investigation. Fail to provide a SAS70 report and you can instantly expect either to lose the deal or to have to reduce your bid by 50%. Somehow it's thought that a good audit translates into a well-run company to which we can impart our trust.

Do Audits and regulation equate to trust?
Let's get this out in the open: the SAS70 is one step above a note from your mom. It has no standard control framework, and it's easy enough to change your stated controls to ensure a passing grade. Yes, the SAS70 report does include both the stated controls and the auditor's findings against them. So you, as the evaluator of the findings, take on the risk of ensuring that the stated controls are the ones you actually want in a vendor. After reviewing a SAS70 report, is the consumer now in a position to trust the provider, or is that still in the eye of the beholder?

Those of you who work for a company bound by regulatory policy know the pain very well. According to some estimates, 10% to 15% of your overall IT budget is spent on SOX efforts. Some might say that spending 15% of your budget to gain someone's trust is cheap, but that would be false. That 15% was your admission fee just to get in the game.


Let's move out from under the cover of policies, regulations and frameworks as the method for judging trust in a corporation. A person awards trust. Audit reports move us along the road to shared knowledge, but don't be lazy. In order for someone to earn trust, both parties need to co-develop a priori knowledge of each other.

July 26, 2007

Sysadmin Day

Friday July 27th is Sysadmin Day.

Actual things I've heard said to a sysadmin (yes, for real):

So my printer hums when it's printing. You need to get me a new one.
You need to get over this whole password thing.
Since you don't do anything important around here, how about faxing this for me?
Awesome Star Trek action figures... I bought this new computer for my wife, I need you to ...
Don't worry, I wrote my password on a piece of paper and put it under my keyboard.
My old school mate sent me an e-greeting and now my computer is doing weird stuff.
I don't know what happened, all my files are gone and I have a presentation in 5 minutes.
Nothing, not a thing; I didn't install anything or make any changes.


July 27, 2007

Classified Information Leaked By Way Of P2P Apps

Network lockdown checklist

Firewalls in place? Check
IPS functional? Check
Antivirus? Check
Antispyware? Check
Everything patched? Check
Centralized log management? Check
...
Highly sensitive confidential information leaked over P2P? Check!

NetworkWorld reports that numerous classified government documents, along with corporate confidential information, are being leaked through peer-to-peer networks. Included in the list of documents found are "The Pentagon's entire secret backbone network diagram, complete with IP addresses" and "physical terrorism threat assessments for three major U.S. cities". The fright night doesn't end there; many corporate documents were also discovered, including board minutes, launch plans, growth targets and patent information.

Their networks are set up well, but their configuration management is Swiss cheese

Too much energy is being placed on network perimeter defenses. Those who still believe that a good perimeter wall solves the problem need not look any further for proof to the contrary.

Eric Johnson is a professor at the Center for Digital Strategies at Dartmouth College who testified before the House Committee on Oversight and Government Reform regarding this issue of inadvertent information disclosure.

Quoting from the NetworkWorld article:


"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said.

Mr. Johnson paints the picture perfectly: the problem is not with the networks, but with the overall configuration and compliance strategy. There is a classic use case in managing PCs that proves the difficulty of the situation.

The use case

The IT department configures and deploys systems based on a common operating environment. This includes hardware, an operating system and software, all configured to a known gold standard. When that device leaves the hands of IT, it instantly changes, and it changes in many unpredictable ways. Even with a good set of centralized administrative controls like Group Policy Objects on Windows, extraneous business needs lead to weaker controls. For example, many enterprises grant users local administrator access to the system in order to install patches or run legacy applications. Not to mention that not every organization is running Windows Server 2003 with Vista on the endpoints. These reasons and many others open the door for users to install applications, make changes and quickly diverge from the IT gold standard.

Continuous Compliance

Beginning with the gold standard is a must, but more importantly once the device leaves the nest of IT, it must be continuously monitored. This is one job of the vulnerability, configuration and compliance strategy.

According to the story at hand, the information was inadvertently leaked through peer-to-peer file sharing applications. If the device had been under continuous configuration monitoring, an application such as LimeWire or Kazaa would have been discovered and reported to the security operations team for investigation.

This is the latest security challenge and every organization must tackle the possibility of loss of confidential information and intellectual property. Continuous monitoring has to be addressed as a component of a layered proactive strategy.
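The drift described in the use case above (a user granting themselves local administrator rights and installing a file sharing client after the machine leaves IT) and the continuous monitoring this section calls for can be shown as one check. The script below is an added illustration for this post, not nCircle's product code or anything from the NetworkWorld article: it compares a constructed endpoint snapshot against a constructed gold-standard build and produces findings ranked for the security operations queue. The baseline contents, the snapshot, and the `Finding` categories are all assumptions; LimeWire and Kazaa are the only P2P client names taken from the post.

```python
"""Continuous configuration-compliance check for a managed endpoint.

Added illustration, not nCircle's code: compare an endpoint's observed
configuration against a gold-standard build and report drift, flagging
peer-to-peer file sharing clients for the security operations team.
"""
from dataclasses import dataclass

# Constructed gold standard (hypothetical build; a real baseline is far larger).
GOLD_STANDARD = {
    "software": {"Office": "2003", "AV Agent": "7.0", "VPN Client": "4.2"},
    "local_admins": {"Administrator", "CORP\\Workstation Admins"},
    "services": {"Windows Firewall": "running", "AV Agent": "running"},
}

# Peer-to-peer clients named in the post; matching is case-insensitive.
P2P_CLIENTS = {"limewire", "kazaa"}


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    category: str   # what kind of drift this is
    detail: str     # human-readable description for the SOC queue


def check_software(gold: dict, observed: dict) -> list:
    """Compare installed software against the gold list."""
    findings = []
    for name, version in observed.items():
        if name not in gold:
            if name.lower() in P2P_CLIENTS:
                findings.append(Finding("HIGH", "p2p-client",
                                        f"{name} {version} installed; possible data leakage channel"))
            else:
                findings.append(Finding("MEDIUM", "unapproved-software",
                                        f"{name} {version} not in gold standard"))
        elif gold[name] != version:
            findings.append(Finding("LOW", "version-drift",
                                    f"{name}: gold {gold[name]}, observed {version}"))
    for name in gold:
        if name not in observed:
            findings.append(Finding("HIGH", "missing-control",
                                    f"{name} from gold standard is absent"))
    return findings


def check_local_admins(gold: set, observed: set) -> list:
    """Any principal holding local administrator rights beyond the gold set is drift."""
    return [Finding("HIGH", "extra-local-admin", f"{who} holds local administrator rights")
            for who in sorted(observed - gold)]


def check_services(gold: dict, observed: dict) -> list:
    """Security services must be present and in the expected state."""
    findings = []
    for name, expected in gold.items():
        actual = observed.get(name, "absent")
        if actual != expected:
            findings.append(Finding("HIGH", "service-state",
                                    f"{name} is {actual}, expected {expected}"))
    return findings


def assess_endpoint(observed: dict, gold: dict = GOLD_STANDARD) -> list:
    """Run every check and return findings sorted by severity for triage."""
    findings = (check_software(gold["software"], observed.get("software", {}))
                + check_local_admins(gold["local_admins"], observed.get("local_admins", set()))
                + check_services(gold["services"], observed.get("services", {})))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.category, f.detail))


# Constructed snapshot of a laptop after it left the nest: the user took it
# home, made themselves local admin, stopped the firewall and installed a
# file sharing client. The AV agent also fell behind the gold version.
DRIFTED_LAPTOP = {
    "software": {"Office": "2003", "AV Agent": "6.5", "LimeWire": "4.12"},
    "local_admins": {"Administrator", "CORP\\Workstation Admins", "LAPTOP01\\jsmith"},
    "services": {"Windows Firewall": "stopped", "AV Agent": "running"},
}

if __name__ == "__main__":
    for f in assess_endpoint(DRIFTED_LAPTOP):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

In practice the observed snapshot would come from an agent or credentialed scan on a schedule, and each run's findings would be diffed against the previous run so the operations team sees new drift rather than the same five lines every day.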


July 31, 2007

nCircle at BlackHat

Quick note for anyone at BlackHat this week.

nCircle is a sponsor at BlackHat USA 2007. There is a contingent of us at the show. Stop by the booth and say hello.

About July 2007

This page contains all entries posted to Sync in July 2007. They are listed from oldest to newest.
