Accountability Links Behavior and Outcomes

November 30, 2010 by · Leave a Comment

It amazes me that I still hear executive level IT people say that information security is a technology problem.  Sure, technology has a vital role in the building blocks of a solid information security program but even the best technology can be circumvented by unknowing or malicious people.  Getting people to understand their role in protecting a customer’s information or heck, even their own, continues to be a challenge.

In a recent CSO online article, “Security Awareness:  Helping employees really “get” company policy“, security consultant Michael Santacangelo explained the problem in the most succinct way I’ve seen.

When people are disconnected from the consequences of their actions, they do not take responsibility and are not held accountable, he said.

The link between behavior and outcomes is accountability.  Unfortunately, it seems as though most awareness programs stop with the behavior and potential outcome duo, leaving out the accountability piece of the triad.  That is, awareness programs will list out the unacceptable behaviors and highlight the potential financial and reputation costs for the organization but fail to link that back to individual accountability of staff members.

Once you have established that everyone plays a role in protecting sensitive information and clearly set the expectation for behavior, it MUST be followed up with accountability.  It’s not “mean” to enforce policy AS LONG as the expectation for proper behavior is established and well communicated to all staff.   There should be consequences for those engaging in behaviors that place an organization and its customers at risk as long as everyone knows the behaviors and the consequences up front.

Filed Under: Awareness and Education, Business and Security · Tagged With: ,

Business and Security Need Each Other

October 4, 2010 by · Leave a Comment

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.   There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.   Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editors note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.   Without business, there is no need for security.  Without security, business will fall victim to attack and fail.   Contribution and collaboration is required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

Filed Under: Business and Security, National InfoSec · Tagged With: , , , ,

Cyber Risk being disclosed in SEC filings

June 15, 2010 by · Leave a Comment

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings.  It’s interesting to see the admission of some major companies that the threat of targeted attacks can impact the bottom line.

In what will undoubtedly become the trend in risk reporting to shareholders in annual reports there should be a corresponding effort to take actions to counter the threat.  Perhaps the increased visibility into the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Filed Under: Business and Security · Tagged With: , , ,

Evolution of Policy Management

June 2, 2010 by · Leave a Comment

Policies, procedures, guidelines, standards.  Most organizations have these in some form or another but how the organization manages these important “documents” is quite telling.

The Story Teller

These organizations rely on word of mouth.  People just “know” what the procedure is or what they are “supposed” to do.  Just like nomadic tribes passing down their history from generation to generation through the use of stories, these organizations pass down standards from new hire to new hire through the proverbial grapevine.  Policies, procedures, and standards are only as good and consistent as the story.

The Stone Tablet

These organizations go through the process of creating and documenting policy, procedure and standards but once written, these documents are never visited again.  They sit on the shelf gathering dust and if they are ever reviewed, they tend to be years or even decades out of date.  These documents lose their relevance and efforts to update them become a monumental task with little payback.

The File Clerk

The organizations keep their documents filed either physically or electronically on a file server.  They may even have a numbering system and a process to review and renew the documents.  These documents are sometimes difficult to find due to multiple storage locations and the review process is sometimes overlooked because there is relatively little control or ownership.

The Document Management System

These organizations are using a system that manages review cycles, has an approval work-flow, keeps version control, and supports multiple file types.  Policies, procedures, and standards are kept current as the process becomes part of the organizational culture.  Documents have owners and responsibility.  Standards for systems are documented and current as the single system provides a central repository and process for updating.

Where does your organization sit in the evolution of policy & procedure management?

Filed Under: Business and Security · Tagged With: ,

Thousands of Businesses had an Uneventful Day

May 27, 2010 by · Leave a Comment

I guess that headline wouldn’t sell too many papers but in most cases this is the reality that drives many decisions related to information security investment.  For most executives, the sky isn’t always falling and a security team that tries to operate under that premise is soon thought of as the Boy Who Cried Wolf.  This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy.

There is a fine line between being vigilant defenders of information and being alarmists.  The need for information security has never been more important.  Surveys suggest that executives understand this so now is not the time to be lighting the warning beacons of Gondor.  Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as “Annualized Loss Expectancy” (ALE), which pretty much takes a guess and multiplies it by another guess, to make a case for security investment.  ROI?  What is your return on something that doesn’t generate revenue?  Again, using this type of tool in a security sense leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and be able to clearly articulate the need from a business perspective.  Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments.  It is surprising how many organizations can’t meet this requirement but you simply can’t protect what you don’t know.
  • Leverage what you already have.  Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to compliment the proposal, not BE the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.

Filed Under: Business and Security · Tagged With: , ,

New CyberSecurity Coordinator points to private sector solutions

April 7, 2010 by · 1 Comment

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach even if I think his position is weakened based on placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt points to the defense against the wide range of threats, including coordinated attacks, to be best lead from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector not only is the key to defense but also is the problem.  Too many organizations have created a Cyber-Maginot line that merely creates the illusion of security while the more agile attackers circumvent stale and slow moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan should the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Filed Under: Business and Security, National InfoSec · Tagged With: , , , ,

NJ Supreme Court impacts privacy expectation

April 5, 2010 by · Leave a Comment

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling which will certainly change some thoughts as to personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.   The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement but the usual intent is the use of company e-mail not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially with an attorney seems to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.    While I don’t think that extends into people’s personal e-mail accounts let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme.  Now, instead of taking the hard copy face sheet as was done in this case that employee used a personal Yahoo account to send this information to their “attorney”.    I doubt this hits the same measure of attorney-client privilege identified in the New Jersey case but certainly this illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Filed Under: Business and Security, National and State Privacy/Security Law · Tagged With: , , , , ,

Fail to plan, plan to fail… incident response preparation

March 25, 2010 by · Leave a Comment

Consider this:  A review of an application or database that processes and stores customer information, including personally identifiable information, has been compromised.  What are you going to do?

Many organizations fail to plan for a compromise and unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident.  The absolute worst time to figure out what you should be doing is in the middle of an incident.  Having a plan and preparation is key.

Plans often fail to include:

  • Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident.   Decision-by-committee with endless debate often leads to delayed action that increases financial and reputation damage.
  • A backup (or more) for the primary incident handler in case they are not available.  The backup should fully understand the role and be capable of making decisions in critical situations.
  • The inclusion of more than technical resources for the incident response team.  HR, Legal, and the PIO are often left out but essential.
  • Templates for press releases and notifications.  Writing your first draft during an incident is a mistake.
  • A communication plan for the team.  If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
  • Checklists to help keep a response on track when the heat is on.

When developing the plan, consider the potential scenarios you may face and plan for them.  Different scenarios may require different responses so it’s best to have thought some of these through before they happen.  Malware outbreak; denial of service; illegal material on an employee PC; lost or stolen laptop; compromised system; or accidental disclosure to name a few.

Last, the first time you try out the plan shouldn’t be during an actual incident.  Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed.  A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” versus “oh man… what do we do now”.

Prior Proper Planning Prevents Piss Poor Performance.

Be prepared and hope you never need to use your plan.

Filed Under: Business and Security · Tagged With: , ,

Be an Agile Defender

March 18, 2010 by · Leave a Comment

Anti-virus software is based on signatures of known viruses.  It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply basics.   If you don’t believe that organizations get burned because of basic security failures check out this story out of New Zealand.  What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Filed Under: Business and Security, Should Have Known Better · Tagged With: , , , ,

Back to Basics

March 11, 2010 by · 1 Comment

I just read an article “Basic security measures do wonders” and it drove home a point that seems to have been lost with the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”.  While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying basics and using our current tools more effectively can go a long way to improving the security posture of our organizations.

I’m not implying that we be stagnant in our approach to securing our information from changing threats.  It’s vitally important that we be agile in our defenses else we create the Cyber-Maginot line I’ve discussed earlier.  That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.

The article mentioned some basics that are worth repeating:

  • Turn logging on and monitor files but be careful that you don’t inundate yourself with irrelevant messages.
  • Examine network traffic patterns.  Learn what is normal traffic so that you can better identify abnormal patterns.
  • Access control to make sure employees have access to what they need to do their jobs but nothing else.
  • Enforcing security policies.
  • Having a consistent process for patching systems.
  • Know where your data is!

I would imagine most security professionals reading this will say “duh”.  I’d also be willing to bet that many organizations fail to apply all of these basic principles. Why?  Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation?  It happens all the time.

Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness.  Can you improve your user provisioning/de-provisioning process?  Can you leverage scanning tools and results to improve a vulnerability remediation program?  Can you tighten up audit logs and alerts?  Can you create an inventory of sensitive information?  Can you engage business units to build a stronger relationship with security?  Can you develop an awareness campaign that is engaging and informative?

It seems to me improving what you have creates a stronger security program than having a huge number of half implemented tools and processes.  Tell me.  What areas can you improve today?

Filed Under: Awareness and Education, Business and Security · Tagged With: , ,
« Older Posts
Newer Posts »