Ever since the Edward Snowden case, the U.S. Government has been in a damage control mode. What network (or pipes) did he use to extract the information? What methods did he use to defeat the countermeasures, rules and protective procedures (protocols)? And what pieces of information leaked? Along with his motive, these are the three basic questions that may take years to uncover.
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then, I have my doubts.” Eugene Spafford
Not All Information is Created Equal
Having spent over three decades in varying capacities working on government programs, I firmly believe the same basic disciplines and processes can be applied to the private sector, at an individual or company level. Think about it; what you communicate to others might reveal:
- indicators of a specific vulnerability,
- a small proprietary piece of your product or service,
- part of a trade secret or specialized know how, or
- tidbits of personal information.
All these are items that a competitor, hacker or adversary can piece together to defeat you, put you out of business or even steal your identity.
“Even minutiae should have a place in our collection for things of a seemingly trifling nature when enjoined with others of a more serious cast may lead to valuable conclusion.”
The good news is you can do something about it. Take a look at the diagram below for a simplified model of the challenge.
- The black pipe represents whatever network you are using. Unless you have your own satellite or limited, closed network, you are depending on someone else’s pipe.
- The blue gauges, valves, and meters represent the various protocols. The protocols are the monitoring methods, rules, measures and audits used as countermeasures to detect and identify threats as well as protect the system.
- The green pieces are bits of information that flow through the pipe (network).
Pipes and Protocols
The pipes and protocols evolve and change constantly no matter what program or platform you use. As Spafford suggests in the opening quote, it is a huge and almost daunting challenge. But we can’t give up on it, either.
First, realize that you must stay on top of the pipe and protocol challenge. Next take some action. That action, comes with some time and investment, but is not only worthwhile, it’s absolutely necessary.
I know how you feel, I felt the same way, but I found that investing just a little bit of time, I learned a great deal that about how the pipes and protocols work. You don’t have to be a geek, and there are some things you can do once you learn and establish a routine. Here is what I found:
- Updating your site is fundamental in staying ahead of threats and vulnerabilities
- Better use and management of passwords and the proper use of administrative accounts
- Understanding the nature of hacking and attacks help you think like the adversary
- Using protection against viruses and malware
- Keeping your site clean and backing it up properly and effectively
Awareness and action are absolutely required steps for clean, healthy pipes and protocols!
Understanding the nature of the pieces can be a big challenge. If you put a piece of information, a picture or a tweet in the pipe, there can be some risk! Even if it is only a social blunder! And contrary to some belief, if you later delete or discard it, some digital trails remain out there in cyberspace.
Snowden’s pieces were largely classified. Our jobs and lives, while maybe not at that level, can have similar consequences if not well thought out. By communicating, posting, chatting or tweeting, you can reveal certain pieces, that we term sensitive information. We define sensitive information as any privileged, personal, or proprietary information which, if improperly leveraged, altered, corrupted, lost, misused, or disclosed could cause harm to the person, organization or operation.
As we try to communicate; whether it is a personal or company website, Facebook, LinkedIn or a Twitter account, the risks are real. We find this to be particularly challenging in the business development arenas. It is a double-edged sword. While trying to get a message out about a product or service, we risk telling our secret. There are ways to do it, but it requires thinking, delicate balance and a collaborative approach, particularly for business.
“Oh, but it is only one piece of information.” I hear this often. Okay, then later you add another, and another. Pretty soon you have revealed enough pieces to put a picture together, discover a trade secret, or foil an operation!
Process: Protecting Sensitive Information (PSI©)
Identifying your sensitive information is the first of five steps to protect your pieces. Subsequent steps help you highlight hazards, weaknesses and clues. After weighing these factors, you can then consider the risk by examining the likelihood of loss against the consequence of compromise. The final step is to determine what to do – it requires that you or a team make a decision after considering alternatives and scenarios.
There are some tried and true techniques to make the process simple and effective. Although, the process is not considered rocket science, the teams I have worked with over the years can become very passionate, detailed and invested in the outcome. I have also found that the journey is sometimes more valuable than getting to the destination. Diverse teams that work across traditional organizational boundaries forge stronger bonds, continue collaboration and ultimately ensure survival.
What About You?
All three elements: pipes, protocols and pieces are important to consider as you think about protecting yourself, your team or your business. Awareness and action in that order are necessary to be successful. No awareness: You are like the proverbial ostrich with a head in the sand! Awareness without action: “Hope” might work for some things but is not the best strategy here! Awareness with action: Means you are working to put a plan in place! And that is good!
If you want to connect with me, click on the LinkedIn icon (located at the top or on the right side) on this site.