“You Have My Word On It”

Over the years I’ve had the privilege to hire and work with some talented information security consultants.  Whether they came on to perform a 3rd party assessment necessary to drive remediation efforts (or satisfy compliance obligations), helped troubleshoot an issue, or performed initial configuration on new tools, I’ve been fortunate, in most cases, to separate the wheat from the chaff.  I’ve gotten better over time at recognizing the real deal from Joe Isuzu, but some small businesses don’t have those hard-learned lessons to fall back on.  So… here are a few tips.

1.   There is no such thing as 100% security.  If someone is promising “complete security and protection” of your data, find out what they are smoking because it’s probably really good stuff.

2.  Do they throw around buzzwords and technical jargon OR do they talk about your business and how security controls not only fit within your business model but benefit your customers as well?

3.  Do they spend the time to understand your needs, or do they “already know” what you need (assumptions… bah!)?  If they don’t want to know about your business and how they can help YOU, then you probably don’t want to hire them.

4.  Do they up-sell unrelated services BEFORE delivering excellent results for the project you hired them for?  If you’re looking for a point-in-time assessment, then pressuring you to buy long term managed services is pretty lame.  If they deliver good work, THEN I want to know what other services they might offer… not before.

Big or small, there may come a time when you need a little help in protecting your business and your customers.  A good consultant places your business success at the very top of any work they are doing.  If they don’t care about your business, you shouldn’t care about theirs.

 

Photo credit:  Master isolated images at FreeDigitalPhotos.net

Occam’s Razor for Information Security

What if the principle of Occam’s Razor was applied to information security controls?

“All things being equal, a simpler explanation is better than a more complex one”

In other words, if we spent more time applying simple controls rather than chasing buzzwords and “big stories”, would we see an overall reduction in data breaches?  According to the recent Verizon data breach report (pdf), we would.  The report indicates that 97 percent of data breaches were the result of bad guys using simple techniques that could have been countered by applying “simple or intermediate” controls.  Have we been running in circles for this long when the “simple” solution has been staring right at us?

I think this is the case because “simple” things are boring and mundane.  As such, people become complacent and start to believe that effort placed on simple tasks is a waste of time since the “real” threat is going to be much more sophisticated.  If the reported facts of data breaches are true, then that belief isn’t supported.

A variation of Pareto’s Principle (the 80/20 rule) seems to come into play.  If we are diligent in applying simple controls (the 20%), then perhaps 80% of breaches can be avoided.  Instead of focusing on complex systems that require massive amounts of human resource overhead, a focus on simple controls may yield greater security results.  Applying the principle of least privilege to limit access to sensitive information, or replacing local administrator rights on workstations with standard user accounts, may just have a bigger payoff than a $100k SIEM solution that is never fully deployed.

If most breaches are due to a failure in applying simple security measures, then doesn’t it make sense to apply our efforts in improving simple controls?

———————————————————-
Photo Credit:  ddpavumba at freedigitalphotos.net

Checkbox Security Fails Again

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is that with so many different regulations, each with its own definitions and requirements, attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you for the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper, you may have noticed a recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One“.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security?  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition, then you have to protect it regardless of whether you’re in healthcare, finance, or any other industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

 

_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Follow-up Thought: Facebook Credentials and Hiring Process

Just a quick follow-up to my previous post “Before I hire you I’ll need the keys to your home…

I read a comment on LinkedIn that said there were no laws prohibiting employers from asking you to turn over your Facebook credentials so they can see your private information.  In my non-lawyerly view I think it relates to plenty of laws that declare certain questions as “off-limits” as part of the hiring process.   Age.  Sexual orientation.  Pregnancy.  Disabilities.   It is not uncommon to find details related to these personal issues shared with friends and family on Facebook but often, they are explicitly hidden from public view.

Asking a candidate for their Facebook credentials so that the employer can rummage through these personal details is no different, at least in my view, from asking these questions directly during an interview.   If certain pre-employment questions are already prohibited by law, then requiring a candidate to turn over access to that information via another avenue seems to splash down in the same swimming hole.

Let me play a scenario:

A candidate had a pretty good interview.  A few days later an HR rep from the company calls him up and says there is just one more step in the process.  Since his Facebook page isn’t public, they’ll need the userID and password, “just as routine”. He gives it and within a week receives a letter that he was not selected for the job.

On his Facebook page, it’s pretty clear he’s gay.  Many of his posts and those of his friends refer to him and his partner.  He believes that is the only reason he didn’t get the job.  He thinks that asking for his userID and password wasn’t “routine” at all but merely an excuse to find out information they were prohibited from asking him directly.

His next two calls are to an attorney and the media….

Now, it may be that the company had a legitimate reason to hire someone else but the perception here is what matters.  Imagine your company being dragged through the media and labeled as discriminatory.   We’ve all seen what happens when the media plants an idea into the minds of its audience.  The truth is often pushed to the back burner while the sensational, ratings-grabbing story rules the day.  There may or may not be any legal ground but it sure makes good publicity for a hard hitting lawyer.

If this came to pass, would you reconsider asking for those Facebook credentials?  Maybe sticking with traditional background checks, interview questions, reference checks, and looking at publicly available profile information with social media sites is the better choice.

 

They did WHAT with my data?

What are your employees doing with your data?

I know… they are all doing their jobs and not doing anything out of the ordinary.  Unfortunately, that isn’t always the case.  Time and time again, we see individuals inside an organization abusing their access to inappropriately view, or in the worst case steal, sensitive information.

Take for example this recently reported case in Hawaii – “HCFCU admits member information breached“.   Almost a year ago some “trusted” employees accessed member information to fill out petitions for the credit union board nomination process.  Another employee thought this was messed up and reported it.   The credit union is putting employees through “new training” to reinforce policies.   I hope they have other tools to detect inappropriate access than relying on the “just tell us” approach.

This is just one of many examples of insiders breaching confidentiality.  It happens quite frequently, whether it is the budding entrepreneur stealing your customer lists to go into business on his own or the hospital employee swiping medical records of celebrities to sell to the paparazzi.    The insider threat appears in just about any industry vertical.

Ask yourself:

  1. Who has access to what information?  Do they need that access to perform their job?
  2. When someone changes jobs internally, do you just tack on their new permissions to their old OR do you remove previous access and give them what they need for their new position?
  3. Do you have generic user accounts or does each person have a user account that identifies them and their access?
  4. Can you tell who has accessed your most sensitive information and when?   Are access times or the number of records accessed outside the norm?   Do you know what to do when that happens?
  5. Do you have incident response procedures in place that direct you on how to handle a breach should it occur?
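The questions above are the kind of thing that can be checked with data you already have: an entitlement list from your identity system and an access log from the application holding the sensitive records. Here is an added example (not code from the original post) that runs three of those checks over constructed sample data: access granted beyond what a user’s current role justifies (questions 1 and 2), generic accounts with no named owner (question 3), and record reads that fall outside business hours or far above the user’s own prior volume (question 4). The roles, accounts, business-hours window and log format are assumptions made for the example, not a real system’s schema.

```python
"""Added example, not from the original post: entitlement drift, shared
accounts and access-volume anomalies over constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical role definitions: what each role is supposed to reach.
ROLE_ENTITLEMENTS = {
    "teller": {"member_lookup", "transaction_post"},
    "loan_officer": {"member_lookup", "loan_files"},
    "marketing": {"campaign_tool"},
}

# Hypothetical identity records: current role, the access actually granted,
# and the named person behind the account (None for a generic/shared login).
USERS = {
    # moved from loan_officer to marketing; old access was never removed
    "jdoe": {"role": "marketing", "owner": "Jane Doe",
             "granted": {"campaign_tool", "member_lookup", "loan_files"}},
    "asmith": {"role": "teller", "owner": "Al Smith",
               "granted": {"member_lookup", "transaction_post"}},
    "shared_branch": {"role": "teller", "owner": None,
                      "granted": {"member_lookup"}},
}

# Constructed access log: "<ISO timestamp> <user> <resource> <records read>".
LOG = """\
2012-02-27T09:14 asmith member_lookup 14
2012-02-28T10:02 asmith member_lookup 11
2012-02-29T09:40 asmith member_lookup 15
2012-03-01T11:05 asmith member_lookup 12
2012-03-02T09:55 asmith member_lookup 13
2012-03-03T09:15 jdoe loan_files 1
2012-03-05T22:31 asmith member_lookup 13
2012-03-06T09:10 asmith member_lookup 410
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Mon-Fri; an assumed policy
MIN_HISTORY = 3                # prior events needed before judging volume
VOLUME_MULTIPLIER = 3          # flag reads above 3x the user's median so far


def excess_entitlements(users=USERS, roles=ROLE_ENTITLEMENTS):
    """Return {user: access not justified by the user's current role}."""
    drift = {}
    for user, rec in users.items():
        extra = rec["granted"] - roles.get(rec["role"], set())
        if extra:
            drift[user] = extra
    return drift


def shared_accounts(users=USERS):
    """Return account names that no named person is accountable for."""
    return sorted(u for u, rec in users.items() if rec["owner"] is None)


def parse_log(text):
    """Parse log lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "count": int(count)})
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Flag off-hours access and reads far above the user's own baseline.

    Each event is judged only against that user's earlier events, and the
    baseline is a median, so one large outlier does not hide the next one.
    """
    findings = []
    history = defaultdict(list)
    for e in events:
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5:
            reasons.append("off-hours access")
        prior = history[e["user"]]
        if len(prior) >= MIN_HISTORY and e["count"] > VOLUME_MULTIPLIER * median(prior):
            reasons.append(f"volume {e['count']} vs median {median(prior):g}")
        for reason in reasons:
            findings.append((e["user"], e["ts"].isoformat(timespec="minutes"), reason))
        prior.append(e["count"])
    return findings


if __name__ == "__main__":
    print("Access beyond current role:", excess_entitlements())
    print("Accounts with no named owner:", shared_accounts())
    for user, when, reason in detect_anomalies(parse_log(LOG)):
        print(f"{when} {user}: {reason}")
```

On the constructed data this reports jdoe still holding loan_files and member_lookup after the move to marketing, the shared_branch login as having nobody accountable for it, jdoe reading loan files on a Saturday, asmith logging in at 22:31, and asmith pulling 410 records against a baseline of about 13 a day. The thresholds are deliberately simple; the point is that each finding maps to one of the questions above and is something a person can act on, rather than a dashboard nobody reads.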

Based on your answers, you may be at greater risk of a breach.   There is no such thing as 100% security but taking appropriate measures to safeguard sensitive information from external and internal threats, being able to detect abnormal behavior, and having a plan “just in case” all fit within the practice of due diligence.

In information security, you can’t assume that everyone will do the right thing.  Too many organizations have experienced the results of such assumptions in terms of dollars and cents, tarnished reputation, lost customers, and for some, closed doors.   It simply isn’t worth the risk.

Photo Credit:  photostock at freedigitalphotos.net

I Was Just Trying To Help…

“I don’t have access to that budget file.  Can you give it to me?”

As easily as that, security controls meant to provide access to information only to those who need it to do their job (the practice of least privilege) are bypassed by well-intentioned employees.  They only want to help, but their behavior puts your organization at risk.

Jamie Bodley-Scott wrote in a March 23, 2012 Help Net Security piece, “Securing SharePoint“:

For example – two colleagues sitting next to each other will have access to data.  However, this doesn’t mean that they both need, or in fact should, be able to access the same information.

In their quest to be a “team player”, an employee may simply copy the file to a shared directory or a flash drive, or may even e-mail it to the team member in need.  The article refers to SharePoint as another tool for sharing information that may not be meant to be shared with others.

This is a common problem.  Most people are programmed to be helpful.  Saying “no” to another team member isn’t a natural response, so it’s important to educate employees that their access to information is linked to their particular role in the organization.  Others may not have the same access, but if they need it, there are proper channels to make the request. Bypassing security controls may have consequences for the “helpful” employee, and such consequences need to be enforced fairly and consistently to develop new patterns of behavior.

 

Photo credit:  sscreation at freedigitalphotos.net

Hacker Motivation – Does it Matter?

Motivation, according to Dictionary.com, is “the act or an instance of motivating, or providing with a reason to act in a certain way.”   While stealing data from organizations continues to be financially motivated, the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hacktivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner “Hacktivists and cybercriminals:  Is there really a difference“, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information targeted and the method of attack are much more important.   If you’re stuck doing mandatory reporting of a breach, I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.

 

Photo credit:  Salvatore Vuono and Freedigitalphotos.net

The real 1 percenters….

There are a lot of vendors pushing their wares using zero-day exploits as a chief selling piece in their propaganda.  The problem is, the vast majority of servers are compromised by known vulnerabilities and a failure in the patching process.   It stands to reason that there is more bang-for-the-buck by addressing issues such as vulnerability and patch management, rogue IT (the pesky groups who stand up their own unprotected, poorly managed and vulnerable servers and workstations), and user behavior.  Simply put, Pareto’s principle is an effective technique in dealing with a big chunk of information security issues, especially when working with a slim budget.

Zero-day exploits aren’t hype, but I’m afraid the term has been over-used as a sales technique designed to evoke an emotional response from executives.  Sales really is an emotional business.  Keep this in mind though… if you are ill-prepared to deal with the known, you have little chance of protecting yourself against the unknown.  Does it make any business sense at all to apply resources to 1% of the problem while leaving 99% unattended?   Of course not, but it’s just not as sexy or fun to play in the mundane and repetitive when the world of APTs and zero-days is grabbing headline news.

By no means am I suggesting that we ignore the evolving threats to information.  The dynamics of technology and the growing demand for full-time access to information don’t allow for that kind of laissez-faire attitude.  The new problems we face, and any solutions, need to be viewed through an innovative and creative lens.  However, the need to constantly evolve a security program is no excuse for ignoring or forgetting about the known threats and vulnerabilities to information assets.

Photo credit: ddpavumba / FreeDigitalPhotos.net

Who will I hire?

Disclaimer – I’m not an HR professional.    Okay, that covers that.

So, I’m diverting a bit from information security today.  I’ve read a lot of comments and questions recently related to what a hiring manager is looking for in interviews for IT and InfoSec jobs.  For instance, a reader question at IT World was submitted by a person who has “had a lot of first interviews but not many second interviews.”  The reader asked “what is the biggest turn-off for hiring managers in an interview?”  While a lot of the application and interview process is common sense, too often I see both recent grads and professionals shoot themselves in the foot.  While I can’t speak for others, here are my pet-peeves and thoughts on what I look for in a new hire…. you may be surprised (or maybe not).

  1. Follow instructions!   If the job posting asks that you submit a cover letter, resume and 3 references, DO IT!   Promising resumes have ended up in the trash because the person didn’t submit a cover letter as requested.  If you take shortcuts in the application process, you’re likely to take shortcuts at work.  I don’t want you no matter how great you think you are.
  2.  Shine your shoes!   IT and Information Security require attention to detail.  An old boss of mine said he always looked at candidates’ shoes as a measure of their attention to detail.  While not a deal killer, terribly scuffed-up shoes may just help you stand out…. in a negative way.
  3. Be creative!   Most hiring managers have read the “career advice” websites too.  If your answer to “what is a weakness” is as canned as the question then you’re boring me.  It’s amazing how many times you’ll hear “I work too hard or too much” as a weakness.  Blah, blah, blah.   Try something new.
  4. Do your homework!  Nothing is more disappointing than a candidate that doesn’t know the first thing about the company s/he is applying for.  A candidate who knows about a project or news item that was in a press release is more impressive than a candidate who says “you sell widgets”.   I don’t expect anyone to know details.  It’s the demonstrated effort and interest that scores points with me.
  5. Ask questions!   If someone told you there is no such thing as a dumb question… they were lying.   Ask meaningful questions.  Are there specific projects this position will be responsible for or engaged in?  How does the organization encourage professional development (not “do you pay for training”)?  What does the interviewer like/dislike about the company?  Be engaging… don’t be the candidate that just wants to be done with the interview.  Those who treat it as an interview for them AND for the company really shine.

For me, I’m interested in candidates who demonstrate passion.  While there is an expectation that the person has sufficient knowledge to meet the requirements of the job, I’m most interested in people with enthusiasm and talent, not a know-it-all.   Are they going to work well in the environment, or will they be grating and disruptive?   If you are engaging, stay away from canned answers, and show that you are truly interested in the company rather than just landing a job, you’re going to improve the likelihood of a second interview and offer.  At least with me.

Playing Catchup – Consumer Devices in the Workplace

Mobile devices, use of social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, a part of your business environment.  As is often the case, the ability and tools to securely manage new technologies lags behind the flood of use in organizations leaving a gap in the protection of sensitive information.

Quite frankly, we should have seen this coming.  The “new” workforce communicates differently and often more efficiently (not necessarily more effectively).  Text messages, tweets, IM, oh my!  There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.

Now here we are.  Playing catch-up in order to enable the business to keep up with the times while preventing the unauthorized release of protected information (and the associated costs).   It’s not enough to deploy the “hope” method of information security, but once the cat is out of the bag, it’s often hard to rein in perceived freedom without suffering a blow to the new work culture and to the reputation of information security.    Doing nothing isn’t an option, as a recent CSO Online article put it:

Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says.   -  “Security concerns aside, consumer devices, services take over the enterprise” CSOOnline article by Bob Violino

Can you sandbox work applications and data on mobile devices to separate them from “personal” use?   Can you require connections to business functions and data over secure channels?  Can you remotely wipe a “lost” phone?  Can we provide the services and functionality required for the “new” workforce to be efficient and effective without sacrificing security and compliance?

We’ll see.

Photo credit:  David Fisher