Fail to plan, plan to fail… incident response preparation

Consider this: a review reveals that an application or database that processes and stores customer information, including personally identifiable information, has been compromised. What are you going to do?

Many organizations fail to plan for a compromise and, unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident. The absolute worst time to figure out what you should be doing is in the middle of an incident. Having a plan, and having practiced it, is key.

Plans often fail to include:

  • Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident. Decision-by-committee with endless debate often leads to delayed action that increases financial and reputational damage.
  • A backup (or more) for the primary incident handler in case they are not available.  The backup should fully understand the role and be capable of making decisions in critical situations.
  • The inclusion of more than technical resources for the incident response team.  HR, Legal, and the PIO are often left out but essential.
  • Templates for press releases and notifications.  Writing your first draft during an incident is a mistake.
  • A communication plan for the team.  If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
  • Checklists to help keep a response on track when the heat is on.

When developing the plan, consider the potential scenarios you may face and plan for them. Different scenarios may require different responses, so it’s best to have thought some of these through before they happen. Examples include a malware outbreak, a denial of service, illegal material on an employee PC, a lost or stolen laptop, a compromised system, or an accidental disclosure, to name a few.

Last, the first time you try out the plan shouldn’t be during an actual incident.  Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed.  A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” versus “oh man… what do we do now”.

Prior Proper Planning Prevents Piss Poor Performance.

Be prepared and hope you never need to use your plan.

Be an Agile Defender

Anti-virus software is based on signatures of known viruses. It’s a reactive product by nature, and it should be known by now that these products are ineffective against new viruses and new variants. So why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article? Isn’t that like standing out in a rain storm to test whether you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply the basics. If you don’t believe that organizations get burned because of basic security failures, check out this story out of New Zealand. What is funny here is that they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched. That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Tip Tuesday – Business and Pleasure

Tip Tuesday!

Most small business owners understand that they need a business checking account in order to keep their personal and business finances separate.  That just makes good sense.  What some, especially home-based business owners, fail to do is separate their business and personal computing, especially userID and passwords.  Maintaining that dividing line between your personal and business assets, especially how they are accessed, is important to protect your business and your customers.

A handful of areas to think about:

  • Online banking – access to personal and business accounts should not be the same.
  • E-mail – Customers should send and receive e-mail from a “business” account.
  • CRM – If you use an online CRM tool, don’t access it the same way you access your personal Facebook page.
  • Social Media – Personal accounts should be accessed differently than business or “fan” pages (even if your name is your business).

Treat your business like a business.  Protect yourself, your business, and your customers.

A Shame for InfoSec Transparency

The CISO of Pennsylvania was apparently fired after discussing a breach while serving on a panel at the recent RSA conference.  The removal appeared in several articles including this SCMagazine report.   The information provided by Bob Maley was a clear description of a threat that some states may face, an appropriate discussion for this panel.  However, it seems Maley didn’t get explicit permission to talk about this issue and was terminated for this breach of protocol.

There may be other personnel issues involved but the timing of this is certainly suspect.  While Maley should have been disciplined for violating communication protocol, the end result appears to be disproportionate to the offense.

The RSA panel was a great opportunity to share information and lessons learned. Instead of embracing that level of transparency, we see an SCMagazine CISO of the Year finalist losing his job for trying to help others learn from his experience. If others fear such action for sharing sanitized lessons learned, then our field has taken a step backward in transparency and communication. That’s a shame.

Back to Basics

I just read an article “Basic security measures do wonders” and it drove home a point that seems to have been lost with the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”.  While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying basics and using our current tools more effectively can go a long way to improving the security posture of our organizations.

I’m not implying that we should be stagnant in our approach to securing our information from changing threats. It’s vitally important that we be agile in our defenses, or else we create the Cyber-Maginot Line I’ve discussed earlier. That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.

The article mentioned some basics that are worth repeating:

  • Turn logging on and monitor the logs, but be careful that you don’t inundate yourself with irrelevant messages.
  • Examine network traffic patterns. Learn what normal traffic looks like so that you can better identify abnormal patterns.
  • Control access so that employees have access to what they need to do their jobs, but nothing else.
  • Enforce security policies.
  • Have a consistent process for patching systems.
  • Know where your data is!

I would imagine most security professionals reading this will say “duh”.  I’d also be willing to bet that many organizations fail to apply all of these basic principles. Why?  Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation?  It happens all the time.

Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness.  Can you improve your user provisioning/de-provisioning process?  Can you leverage scanning tools and results to improve a vulnerability remediation program?  Can you tighten up audit logs and alerts?  Can you create an inventory of sensitive information?  Can you engage business units to build a stronger relationship with security?  Can you develop an awareness campaign that is engaging and informative?

It seems to me improving what you have creates a stronger security program than having a huge number of half implemented tools and processes.  Tell me.  What areas can you improve today?

Leave “Cyberwar” in Hollywood

The more I read about Howard Schmidt, the new cybersecurity czar for the Obama administration, the more I tend to like what I’m hearing. I still think the position is limited because he has no budgetary authority, but he appears to be quite capable of delivering the message of information security without resorting to FUD. I like that.

There continues to be an overuse of terms such as “cyberwar”.  I hope we can end the movie hype and get down to business.  I don’t disagree that there is a persistent threat from state sponsored attackers.  I believe there is a rise in targeted attacks that are designed to steal sensitive information and perhaps disrupt business as usual.  The government and the private sector need to address our information security needs and be agile in development of defenses against new threats.

In an interview with Wired.com, Schmidt had this to say:

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

- Ryan Singel, “White House Cyber Czar: There Is No Cyberwar”, Wired.com Threat Level, March 4, 2010

This is in direct contrast to Michael McConnell, former director of national intelligence who continues to ramp up the rhetoric about a cyberwar.  Let’s look at McConnell’s history.

  • McConnell convinced President Bush to provide funds to the NSA to lock down the government’s classified networks.   Of course, McConnell’s position placed him in charge of that effort.
  • McConnell now calls for a “re-engineering” of the Internet.  Of course, the company he works with stands to profit incredibly from this type of effort.

You can decide for yourself McConnell’s motivation.

Schmidt doesn’t appear to turn a blind eye to the need for government to protect classified information, and the NSA has a role in this. The government certainly has an eye on things that just aren’t visible to the private sector. The private sector has a big dog in this fight as well, especially in regard to financial transactions and the use of personally identifiable information.

“A pessimist is an optimist with experience” (unknown).  I share in McConnell’s call to action but not his drastic, doom and gloom approach where excessive government control over the Internet is the only solution.  His passion is admirable, if not misguided.

Schmidt, on the other hand, isn’t ignoring the need for government to bolster its defenses; he appears to simply approach the necessity for action without inciting knee-jerk reactions from ignorant politicians. I like this approach rather than the call for citizens to put their heads in the sand and let Uncle Sam take over.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

That’s a call to action.  This isn’t a problem that is owned exclusively by the government nor does the solution reside entirely in that realm.  However, if the private sector doesn’t step up and be proactive in the way we protect our infrastructure and information, then we deserve to have government do it for us.

National Cybersecurity Initiatives – Quick thoughts

The White House just recently published a summary of the Comprehensive National Cybersecurity Initiative.  While there hasn’t been any time to debate this or even digest the implications of the 12 initiatives, I had some initial thoughts that I wanted to put down.  Certainly, this may change as (or if) more details are provided.

Initiative #1.  Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet. This is an effort of gargantuan proportions.  The enormous complexity of this initiative has failure written all over it.  If this somehow manages to be implemented I can only think “One ring to rule them all”… or “own” them all may be more appropriate.

Initiative #7.  Increase the security of our classified networks. Wow!  You think?  Common sense is not that common.

Initiative #8.  Expand cyber education. It will be interesting to see how programs are implemented when colleges and universities are dropping programs due to budget crises. Creating an InfoSec-educated workforce is a long-term strategy in a rapidly changing arena. It may be difficult to find instructors who aren’t so grounded in academia that they become unaware of the changes in the environment.

Initiative #9.  Define and develop enduring “leap-ahead” technology, strategies, and programs. This assumes that an environment that rewards innovation in the private sector is created.  At least in writing, there appears to be a recognition of the need for public-private partnerships to be successful.

This may be a good start but without details on how government will implement these initiatives, it’s impossible to determine if this will be good, bad or ugly.  I’ll be keeping an eye on developments here.