Business and Security

Who will I hire?

Posted in Business and Security on September 16th, 2011 by Paul

Disclaimer – I’m not an HR professional. Okay, that covers that.

So, I’m diverting a bit from information security today.  I’ve read a lot of comments and questions recently related to what a hiring manager is looking for in interviews for IT and InfoSec jobs.  For instance, a reader question at IT World was submitted by a person who has “had a lot of first interviews but not many second interviews.”  The reader asked “what is the biggest turn-off for hiring managers in an interview?”  While a lot of the application and interview process is common sense, too often I see both recent grads and professionals shoot themselves in the foot.  While I can’t speak for others, here are my pet peeves and thoughts on what I look for in a new hire… you may be surprised (or maybe not).

  1. Follow instructions!   If the job posting asks that you submit a cover letter, resume and 3 references, DO IT!   Promising resumes have ended up in the trash because the person didn’t submit a cover letter as requested.  If you take shortcuts in the application process, you’re likely to take shortcuts at work.  I don’t want you no matter how great you think you are.
  2. Shine your shoes!   IT and Information Security requires attention to detail.  An old boss of mine said he always looked at candidates’ shoes as a measure of their attention to detail.  While not a deal killer, terribly scuffed up shoes may just help you stand out… in a negative way.
  3. Be creative!   Most hiring managers have read the “career advice” websites too.  If your answer to “what is a weakness” is as canned as the question then you’re boring me.  It’s amazing how many times you’ll hear “I work too hard or too much” as a weakness.  Blah, blah, blah.   Try something new.
  4. Do your homework!  Nothing is more disappointing than a candidate that doesn’t know the first thing about the company s/he is applying for.  A candidate who knows about a project or news item that was in a press release is more impressive than a candidate who says “you sell widgets”.   I don’t expect anyone to know details.  It’s the demonstrated effort and interest that scores points with me.
  5. Ask questions!   If someone told you there is no such thing as a dumb question… they were lying.   Ask meaningful questions.  Are there specific projects this position will be responsible for or engaged in?  How does the organization encourage professional development (not “do you pay for training”)?  What does the interviewer like/dislike about the company?  Be engaging… don’t be the candidate that just wants to be done with the interview.  Those who treat it as an interview for them AND for the company really shine.

For me, I’m interested in candidates who demonstrate passion.  While there is an expectation that the person has sufficient knowledge to meet the requirements of the job, I’m most interested in people with enthusiasm and talent, not a know-it-all.   Are they going to work well in the environment, or will they be grating and disruptive?   If you are engaging, stay away from canned answers, and show that you are truly interested in the company rather than just landing a job, you’re going to improve the likelihood of a second interview and offer.  At least with me.

Playing Catchup – Consumer Devices in the Workplace

Posted in Business and Security on June 24th, 2011 by Paul

Mobile devices, use of social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, a part of your business environment.  As is often the case, the ability and tools to securely manage new technologies lag behind the flood of use in organizations, leaving a gap in the protection of sensitive information.

Quite frankly, we should have seen this coming.  The “new” workforce communicates differently and often more efficiently (not necessarily more effectively).  Text messages, tweets, IM, oh my!  There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.

Now here we are.  Playing catch up in order to enable business to keep up with the times while preventing the unauthorized release of protected information (and the associated costs).   It’s not enough to deploy the “hope” method of information security, but when the cat is out of the bag, it’s often hard to rein in perceived freedom without suffering a blow to the new work culture and the reputation of information security.    To do nothing isn’t an option, as a recent CSO Online article put it:

Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says.   – “Security concerns aside, consumer devices, services take over the enterprise”, CSO Online article by Bob Violino

Can you sandbox work applications and data on mobile devices to separate them from “personal” use?   Can you require connections to business functions and data over secure channels?  Can you remotely wipe a “lost” phone?  Can we provide the services and functionality required for the “new” workforce to be efficient and effective without sacrificing security and compliance?

We’ll see.

Photo credit:  David Fisher

Layered Endpoint Security

Posted in Awareness and Education, Business and Security on April 13th, 2011 by Paul

I love this conversation:

“Is your workstation protected?”

“Of course, I have anti-virus installed.”

While anti-virus products are one piece of protecting your workstation, it isn’t enough.  Most AV products do a poor job of detecting new malware.  It does better over time protecting against old malware that happens to still be floating around IF (and a big “if” at that) signatures are updated frequently.

So what else is needed?

Single technologies can fail.  Think in layers when it comes to comprehensive security.  Here are a few considerations:

  1. The bad guys have figured out that the quickest way to get to your computer is through third-party applications that are vulnerable and out of date.  Adobe seems to have taken Microsoft’s place as the malware whipping boy.   So, consider extending your patch management program beyond the operating system and common productivity suites like Office to include all applications that reside on business workstations.
  2. Remove, where possible, local Administrator rights for users.  Most don’t need it.  Malware loves it.
  3. Managing your endpoints and the software that can be installed helps control the “rogue” software that tends to magically appear on workstations.  If it’s needed for business then there is no reason it can’t be managed appropriately.  Application whitelisting tools may help here.
  4. Consider host IPS and other features that come with suites of anti-malware products.  Tie them in with a central logging environment or management console.
  5. Consider virtualizing the browser application to confine drive-by infections.
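Item 3 above leans on application whitelisting to keep “rogue” software off workstations. The script below is an added example, not code from the original post or from any whitelisting product: it builds two throwaway fake “binaries” in a temporary directory (constructed contents, made-up names), approves one of them, and then contrasts a path-based allowlist with a SHA-256 allowlist when the approved file is replaced in place. The file names, contents and the `demo()` helper are all assumptions made for the illustration.

```python
"""Path-based vs hash-based application allowlisting, side by side.

Added example, not from the original post.  All files and names below are
constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Record the hash of each approved executable at the moment of approval."""
    return {path: sha256_of(path) for path in approved_paths}


def allowed_by_path(path, allowlist):
    """Weak form: trusts anything sitting at an approved location."""
    return path in allowlist


def allowed_by_hash(path, allowlist):
    """Strong form: the file at the approved location must still hash the same."""
    return allowlist.get(path) == sha256_of(path)


def demo():
    """Return the four verdicts so the contrast is visible at a glance."""
    workdir = tempfile.mkdtemp()
    approved = os.path.join(workdir, "approved_tool.exe")     # constructed
    rogue = os.path.join(workdir, "magically_appeared.exe")   # constructed
    with open(approved, "wb") as handle:
        handle.write(b"ORIGINAL APPROVED BINARY")
    with open(rogue, "wb") as handle:
        handle.write(b"UNREQUESTED SOFTWARE")

    allowlist = build_allowlist([approved])

    # Later, the approved file is overwritten at its trusted path (simulated).
    with open(approved, "wb") as handle:
        handle.write(b"DIFFERENT CONTENT AT THE SAME PATH")

    return {
        "rogue_by_path": allowed_by_path(rogue, allowlist),
        "rogue_by_hash": allowed_by_hash(rogue, allowlist),
        "replaced_by_path": allowed_by_path(approved, allowlist),
        "replaced_by_hash": allowed_by_hash(approved, allowlist),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {'ALLOWED' if verdict else 'blocked'}")
```

The unrequested file is blocked either way, but only the hash-based list notices that the approved path no longer holds the approved file; that is why commercial whitelisting tools key on hashes or publisher signatures rather than on locations alone.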


Self-inflicted… the ongoing saga

Posted in Business and Security on March 28th, 2011 by Paul

I could have sworn I was in a Dilbert cartoon when I got a phone call over the weekend from a small business owner who claimed a system on our network was attacking him.   The conversation went something like this:

Him:  “Your system has been attacking me on port 3389.”

Me:  “Port 3389?  Did this just start?”

Him:  “Yeah.  I’ve been having issues but I just looked at the firewall log today and saw your IP address.”

Me:  “What else is happening?  Can you send me the log for this?”

Him:  “Sure.  Just sent it.  As far as the server, my firewall rules have changed.  I keep getting gigabytes of files that I think are X-box games that keep reappearing after I delete them.  Oh, and there are some services running that look to be just one letter off from legitimate ones.”

Me:  “How long has this been going on? ”

Him:  “Oh, I don’t know.  I ran out of disk space about a week ago and have been cleaning it off every day.”

Me:  “Sir, I’m pretty confident your server has been compromised and if you are allowing RDP connections from the Internet, you might want to reconsider that.  You might also want to wipe and reload your server.”

Him:  “Oh, I had to do that just six months ago.  I had a SQL server that was compromised just like this.  Crazy.  I’m not sure why I’m a target.”

Me:  “So, you keep getting compromised.  Did you have RDP running on that server as well and open to the Internet?”

Him:  “Yeah.  It sure is convenient since I travel a lot.”

Me:  “Oh.  Just checking the log file you sent me sir and it looks like you may have transposed some numbers.  This isn’t coming from our network but it’s coming from a network in Texas.”

Him:  “Oh.  I’m terribly sorry to bother you then.”

Me:  “Not a bother at all.   If you don’t mind, can I make a suggestion?”

Him:  “Sure.”

Me:  “You may want to consider getting some help securing your server and finding a safer way to access it when you’re traveling.  It may help so you don’t have to rebuild your system every few months and you can concentrate on more pressing business matters.”

Him:  “Thanks but really, no need.  I’ve got it under control.”

Me:  “I wish you good luck then.  Have a good day.”


Certainly he had all good intentions but probably lacked the skills to adequately protect himself and his customers.  I’m a bit saddened that he wasn’t open to getting some help with this problem because I’m sure he has better things to do than rebuilding a server every few months.  Small business owners should concentrate on their core competencies and get some assistance in areas where they may not be as strong (or simply don’t want to spend the time).   In this case, it appears this business owner will be a repeat customer in the land of self-inflicted problems.
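Two things in the story above are worth turning into a routine check: whether RDP (TCP/3389) is actually reachable from the Internet, and whether a source address pulled from a firewall log really belongs to the network you are about to accuse (the caller had transposed digits). The script below is an added example, not code from the original post. It parses a constructed, simplified log format (timestamp, action, protocol, source, destination); real firewall logs differ, so `parse_line()` is the part to adapt. The sample lines, the `OUR_NETWORKS` block and the "transposed" address are all made up for the illustration and use documentation address ranges.

```python
"""Triage a firewall log for inbound RDP and sanity-check a reported source.

Added example, not from the original post.  Log lines and network ranges are
constructed for the demonstration (RFC 5737 documentation addresses).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: a scanner from 198.51.100.23 is first denied, then
# allowed, to 3389; another outside host is allowed; one internal host is
# allowed; one allowed line is not RDP; one line is unparseable noise.
SAMPLE_LOG = """\
2011-03-26 02:14:07 DENY TCP 198.51.100.23:51322 -> 203.0.113.10:3389
2011-03-26 02:14:09 DENY TCP 198.51.100.23:51323 -> 203.0.113.10:3389
2011-03-26 02:14:11 ALLOW TCP 198.51.100.23:51324 -> 203.0.113.10:3389
2011-03-26 02:15:40 ALLOW TCP 192.0.2.77:40011 -> 203.0.113.10:3389
2011-03-26 02:16:02 ALLOW TCP 10.0.0.5:50000 -> 203.0.113.10:3389
2011-03-26 02:16:30 ALLOW TCP 198.51.100.23:51400 -> 203.0.113.10:443
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Python's ipaddress.is_private also treats the documentation ranges used in
# this sample as private, so RFC 1918 is spelled out explicitly instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def rdp_records(log_text, rdp_port=3389):
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == rdp_port:
            yield rec


def rdp_sources(log_text, rdp_port=3389):
    """Count attempts (allowed or denied) per source, split internal/Internet."""
    internet, internal = Counter(), Counter()
    for rec in rdp_records(log_text, rdp_port):
        bucket = internal if is_rfc1918(rec["src"]) else internet
        bucket[rec["src"]] += 1
    return internet, internal


def exposed_rdp_sources(log_text, rdp_port=3389):
    """Outside sources the firewall actually ALLOWED to reach RDP: each one is
    direct evidence that RDP is open to the Internet."""
    hits = {rec["src"] for rec in rdp_records(log_text, rdp_port)
            if rec["action"] == "ALLOW" and not is_rfc1918(rec["src"])}
    return sorted(hits)


def belongs_to(ip_text, networks):
    """The check the caller skipped: is this address really inside the
    network being blamed?  A transposed octet usually lands elsewhere."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(n) for n in networks)


OUR_NETWORKS = ["198.51.100.0/24"]  # placeholder for "our" address space

if __name__ == "__main__":
    internet, internal = rdp_sources(SAMPLE_LOG)
    print("RDP attempts from the Internet:", dict(internet))
    print("RDP attempts from inside:      ", dict(internal))
    print("Outside sources ALLOWED to RDP:", exposed_rdp_sources(SAMPLE_LOG))
    for claimed in ("198.51.100.23", "198.15.100.23"):   # second one is "transposed"
        print(claimed, "is in our space" if belongs_to(claimed, OUR_NETWORKS) else "is NOT in our space")
```

Any non-empty result from `exposed_rdp_sources()` is the finding that matters for the caller's situation: denies show scanning, but an ALLOW from an outside address means the service is reachable, and the remedy is to close the port and reach the server another way (a VPN or bastion) rather than to keep rebuilding it.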


“Addicted to Click” and Supporting the Habit

Posted in Awareness and Education, Business and Security on February 25th, 2011 by Paul

Anup Ghosh wrote in his SC Magazine article titled “Unwitting accomplices and complicit security teams”:

Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.

How true!  What Ghosh refers to as castles and moats I call the Cyber Maginot Line.  The over-reliance on simple perimeter defenses ignores the shift of focus that has been made to user behavior.  While not as sexy as the “hack” seen in movies, it is simply easier to just ask.  Many users will oblige with information or are easily convinced to click on an official-looking link in an e-mail.  Most are “addicted to click”.

While I agree with Ghosh that the philosophy of “users should know better” is not a strategy, awareness IS a component of an overall security strategy.  The problem is, many companies use hour-long presentations on policy in hopes of convincing users to change their behavior.  Good luck with that.   A series of five-minute videos over the course of a year is much more effective.  The goal isn’t to “train” people.  It’s to raise the level of awareness.  If an employee gets an “aha” moment and reports strange behavior or decides not to click on a link, mission accomplished.  If it helps them keep their home computer safe, all the better for everybody.  But again, it’s a small piece and can’t be relied on to adequately protect an organization.

That said, implementing technology that makes users’ “mistakes irrelevant” is absolutely a good approach AND the technology to do that exists while continuing to be refined.  Ghosh’s suggestion to isolate the desktop from web browsing would be a significant step in the right direction.  The threatscape continues to evolve and we need to be agile in our defense.  That includes protecting our users from themselves by not enabling their “click habit”.

Technical Tunnel Vision

Posted in Business and Security on February 3rd, 2011 by Paul

I was recently reminded how easily one can become focused on a single, technical solution to a problem and completely miss process or people solutions.  With the pressure of a fast-paced environment and constantly changing priorities, technically oriented people will often fall back on their bread-and-butter to churn out a quick solution.  I’m guilty of this just like many others, I’m sure.  This is unfortunate.

I’m convinced that the best solutions can only be found if all options are on the table and you can’t possibly understand all the options if you don’t gather information from affected business units and the people actually doing the work.  How dumb would I have been if I had suggested spending tens of thousands of dollars on a technical solution when a simple change in work flow or business process/procedure could solve the problem equally well?

Sometimes you have no choice, but you owe it to yourself, your company or your client to examine all possible options (within reason).  Explore the benefits and impacts of each.  Show the costs of each proposed solution in dollars, resources, and reputation.  By all means, don’t think you can adequately come up with a solution sitting behind a desk and not talking with those affected.  Don’t let the pressure of deadlines and multiple priorities prevent you from tapping into the valuable resource of the folks performing the day-to-day work.

It’s easy to fall back into a comfort zone of technical solutions but to add value to your organization as a security professional, you must learn to provide a broad range of business solutions that encompass technology, people, and processes.

Remember when….

Posted in Awareness and Education, Business and Security on January 21st, 2011 by Paul

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad – Confidentiality, Integrity, and Availability – when I hit a roadblock.  The Director at the time said “Availability isn’t a security issue at all… you don’t know what you’re talking about.”   Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing resources needed to do their job.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line, but I didn’t have the skills at the time to counter her argument.   Security remained an “other duties as assigned” function for the rest of my tenure there.

Revisiting with the organization after 18 years I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is after 18 years, I will still come across similar failures in understanding.  For instance, at one organization their primary servers filled with customer data, including personally identifying information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure”.   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway”.

Examples like this continue to plague the information security field.  Is this an executive problem or a problem with CISOs not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms that are used in other business disciplines, in 18 years we’ll be hearing the same stories repeated by the next generation of security professionals.

Don’t Rely on Others to Protect Your Assets

Posted in Business and Security, Workstation Security on December 29th, 2010 by Paul

A company has a PC infected with malware that steals the user ID and password for their bank account.  The bad guys proceed to steal a large sum of money from the company bank account.  The bank won’t refund the money and the FDIC doesn’t insure commercial accounts.   This sums up a recent case described at Krebs on Security where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer but are they responsible for protecting an endpoint they had no control over?  That’s quite a leap.   As a business owner you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses.  I agree with both which I’ll summarize here.

1.  Separate your banking PC from your general purpose PC.   In other words, don’t access your online bank accounts from the same PC you use to check E-mail, open attachments, browse the Internet, perform work for your clients, etc.

2.  Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is purposed specifically for online banking and appropriately configured/updated.  (Not a bad idea for personal banking too)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures”, especially those that would require them to effectively manage the endpoint systems of other businesses.  Banks could, however, provide option 2 above to their commercial customers to access online banking using a secure, bank branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Five Small Business Information Security Resolutions

Posted in Business and Security on December 28th, 2010 by Paul

Five 2011 small business/entrepreneur resolutions to protect you and your customers and make for a safer new year!

1.  Install and maintain an anti-malware product on your PC and/or laptop.  No matter what vendor you choose to use, look for one that works like a broad spectrum antibiotic.  Trojans, viruses, worms, and other nasty little beasts that can infect your computer through e-mail attachments or simply surfing to a compromised web site will continue to be prevalent in 2011.  While most AV products do a poor job of protecting you against zero-day attacks, you can all but eliminate the known little buggers.

2.  Set up a non-administrator level account on your laptop/PC and use it for your daily work.  By setting up an account that cannot install software (and therefore cannot install malware) you offer yourself a level of protection that is effective and cheap (is free cheap enough for you?).  Log in to your administrator account any time you need to install new applications.

3.  If you carry any sensitive information on your laptop, especially personally identifiable information of your customers (or yourself for that matter), invest in an encryption product and keep your keys safe.  Consider encrypting thumb drives and other removable media.  Laptops, at least in Nevada, are considered “removable media” under state law (check the requirements in your state).  Whether you choose to use a commercial product or open source, encrypting PII on your laptop is a good practice and is becoming law in many states.

4.  Back up your data.   Portable hard drives are cheap!  So are CDs/DVDs.  Even online services are offered at a reasonable rate.  There is no reason not to back up your business data so you can quickly recover in case of a system crash, compromise, or other “disaster”.

5.  Use social media sites safely. While a great avenue for connecting with customers (or “fans”), don’t play games and download all the “for fun” applications.  Attackers go where the people are; therefore, social media sites are great places for the bad guys to play.

Best wishes for a prosperous and cyber-safe new year!

Identity Theft and Moral Hazard

Posted in Business and Security on December 16th, 2010 by Paul

Today in the Los Angeles Times – “Nearly 12 Million in U.S. were victims of identity theft, report says”

Not a surprising headline quite frankly.  Many people recognize that identity theft is a real problem in the U.S. and abroad but have the banks created a situation of moral hazard by covering losses?

From the article:

Three-quarters of victims said they suffered no out-of-pocket financial loss, presumably because their banks covered the loss, the report said.

Moral hazard, by definition, occurs when a party behaves differently because they are insulated from the risks.  In this case, identity theft victims are insulated from the risk of out-of-pocket financial loss.   So, are people more likely to engage in risky behavior with their personal information because the financial risk is mitigated?

I wonder if people would be more likely to practice behaviors that protect their personal information if the out-of-pocket risks were higher.  Would people think twice about responding to e-mail requesting bank account, social security number, and online user ID and password if they knew they wouldn’t be reimbursed for losses?  What if businesses covered losses only if you could verify your PC was up to date with patches, anti-malware, and personal firewall protection?

I’m all for insulating those who take efforts to protect themselves and become true victims of identity theft through no fault of their own.  I become a bit skeptical when people engage in risky behavior merely because they know the consequences of their behavior will be covered by someone else.