MITS: The Grey, The Dark and The Dirty

Treasury Board Secretariat is updating its entire security policy suite, including MITS (Management of IT Security) and the GSP (Government Security Policy).

The revised specifications promise to be more in line with what a standard should be, with additional documentation, underlying guidelines and directives that will help departments and agencies understand how to implement the policies.

As the deadline approaches for compliance with the first iteration of MITS, one security expert offers a mini assessment of the standard. MITS is a mix of good and bad, suggests Brian O’Higgins, CTO of Third Brigade Inc., and the payment card industry may have some spot-on suggestions for avoiding the ugly.

The Grey

MITS is strong on risk management. “It’s a good story for best practices,” says O’Higgins. “But you’re supposed to use the parts that apply to your environment.”

Different environments have different risk levels, he explains. Some things may not make sense in your environment and could get you into even more trouble. “There’s a whole risk management overlay to MITS that says only do things that are important to your environment. It allows for that flexibility in interpretation.”

The problem is there’s a lot of grey in the translation. You can declare that you comply with MITS, but you’re still not necessarily secure. “It can be effective, and could be not effective at all,” says O’Higgins. “Even worse, people might be compliant and think they’re secure, but they’re not.”

The Dark

If you have any Internet identification application, you’re wide open to command injections, such as SQL and AJAX, and targeted attacks.

MITS doesn’t address anything in this kind of detail, but these are the biggest attacks, says O’Higgins.

“MITS does have that notion of vulnerability scanning, and that’s the real answer — rather than being so prescriptive about using one particular technology or another.

“If you have a complicated Web app, it’s not unusual to find a thousand problems with a vulnerability scanner. Vulnerability scanning is the best bang for the buck right now.” Security is always defence in depth.

You’ll always need a lot of layers, he adds. “It’s a constant scan and mitigation.”

The Dirty

The modern, criminal hacker is now absolutely the biggest threat, says O’Higgins. The payment card industry recommends merchants follow a set of specifications to protect credit card numbers. Visa USA Inc. recently identified the top five data security vulnerabilities and provided tips for risk mitigation.

Visa’s top five vulnerabilities are storage of unnecessary data; missing or outdated patches; default settings and passwords; SQL injection attacks; and unused, susceptible services on servers. O’Higgins concedes they’re in the realm of common sense, but notes there is a sense of urgency now.

“Visa’s recommendations have huge relevance for what governments should do — more so than MITS because MITS is very generic and designed to be a minimum,” says O’Higgins. “And you could easily comply with MITS and not be secure.”

— Mark Els
