In the movie Sneakers (one of my favorite all-time movies), the bad guy makes the prophetic statement ‘It’s all about the data’ in his pseudo mob voice. With that utterance, he is describing where all of the power resides to control the world. For those of you who have not seen the movie, the plot revolves around the ultimate code breaking chip that will render all encryption useless. With this chip in the wrong hands, all data is then available and readily used for malicious purposes and profit. In the world of digital information security, it must be all about the data, right? We certainly sit around worrying about the bits and bytes. Where are they? Where are they going? Who is creating them? Who is looking at them?
After spending time at Blackhat and DefCon last month, I heard much talk about the 1’s and 0’s. Between the corporate data security folks and the Mohawk hacker crowd, those two simple digits are the common language. However, I think there is a very important topic to be discussed – the space between the 1’s and 0’s – that sometimes gets lost in the discussion. While in pure physical terms, the 1’s and 0’s on a disk drive are virtually adjacent, I view the distance as very great – almost infinite. In between those digits are the people and processes that led to those tiny magnetic states sitting on the disk.
All of the nefarious threats to our data we talk about in digital information security do not exploit the bits and bytes. Hackers don’t hack the system; malware doesn’t hack the code. It may look like that on the surface but really they are hacking the human elements between those 1’s and 0’s – the overworked sys admin that missed a crucial configuration; the distracted developer who missed a critical input check; the unaware end user that used their first name as their password. Malware and malicious code are hot topics these days as well as the usual suspects of vulnerabilities, encryption and network forensics. There is more to digital security than those subjects. We need to keep in the discussion how and why those 1’s and 0’s got there in the first place.
Holistic digital information security includes many facets. The “who, what, where, why, how” of these 1’s and 0’s is a very important equation. That equation can be found in this space between the 1’s and 0’s. Some of that space can be controlled; some of it will always be random and chaotic. Over the course of the next few blogs, I will explore that space.
Balancing the technical world and the physical world is a core tenet of information security. We all use the “people, process and technology” paradigm in InfoSec. The immeasurable, microscopic, sprawling space between the 1’s and 0’s represents that paradigm and can be a fun, interesting and scary world to explore.