{"id":4951,"date":"2014-02-17T07:43:12","date_gmt":"2014-02-17T12:43:12","guid":{"rendered":"http:\/\/www.opensource.im\/?p=4951"},"modified":"2014-02-17T07:43:12","modified_gmt":"2014-02-17T12:43:12","slug":"how-nsa-spying-disclosures-influence-security-strategies","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/nsa-spying\/how-nsa-spying-disclosures-influence-security-strategies.php","title":{"rendered":"How NSA spying disclosures influence security strategies"},"content":{"rendered":"<p><p>How have whistleblower Edward Snowden's exposés affected the ways organisations deal with internal and external security threats?<\/p>\n<p>Edward Snowden's revelations about mass internet surveillance conducted by the US National Security Agency (NSA) and the UK's GCHQ have caused consternation around the world, particularly in Europe.<\/p>\n<p>While the revelations have generated much debate and given security suppliers a golden opportunity to say how they could have stopped the CIA contractor in his tracks, one question remains for security professionals.<\/p>\n<p>Regardless of motives and objectives, how should Snowden's revelations influence businesses' information security strategies?<\/p>\n<p>While it is difficult to get a clear-cut, unqualified answer to this, most information security professionals feel Snowden did not really uncover anything new, and some are unequivocal in their response. \"Organisations should not build their strategy around stopping the NSA or GCHQ monitoring: this is a very negative, reactive and ultimately pointless exercise,\" says Adrian Davis, principal research analyst at the Information Security Forum (ISF).
<\/p>\n<p>\"At the ISF, we state that an organisation's information security strategy should support the business strategy and allow the organisation to conduct and grow its business in a secure and robust manner, by protecting the organisation's assets - including information - against a range of threats.\"<\/p>\n<p>An important part of the strategy, he says, should be to create and implement processes to manage contractors; control access rights and stop accrual of such rights by employees and contractors; and to monitor and review critical system activity on a regular basis.<\/p>\n<p>These were some of the flaws that allowed the leaks to occur, says Davis.<\/p>\n<p>But, like many others in the security industry, he feels the revelations that certain technologies, especially encryption, have back doors should come as no surprise. \"The key here is to determine whether the back doors pose an exploitable vulnerability - and if the organisation has deployed or can deploy measures to mitigate the vulnerability,\" says Davis. \"This brings us to risk assessment, which should inform the choice about what software to use, decide whether to use open source software, or choose another control to apply.\"<\/p>\n<p>In the wake of the Snowden revelations, the open source community has suggested that having software open to the scrutiny of all will eliminate back doors for spy agencies. \"This seems counterintuitive,\" says Robert Newby, analyst and managing partner at KuppingerCole UK.
\"But, simply put, if everyone can see it, it tends to keep people honest - and is that not what Snowden was trying to do in the first place?\"<\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Original post:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.computerweekly.com\/feature\/How-NSA-spying-disclosures-influence-security-strategies\" title=\"How NSA spying disclosures influence security strategies\">How NSA spying disclosures influence security strategies<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> How have whistleblower Edward Snowden's exposés affected the ways organisations deal with internal and external security threats? Edward Snowden's revelations about mass internet surveillance conducted by the US National Security Agency (NSA) and the UK's GCHQ have caused consternation around the world, particularly in Europe. While the revelations have generated much debate and given security suppliers a golden opportunity to say how they could have stopped the CIA contractor in his tracks, one question remains for security professionals.
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46],"tags":[],"class_list":["post-4951","post","type-post","status-publish","format-standard","hentry","category-nsa-spying"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/4951"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=4951"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/4951\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=4951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=4951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=4951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}