Consider this: you learn that an application or database that processes and stores customer information, including personally identifiable information, has been compromised. What are you going to do?
Many organizations fail to plan for a compromise and, unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident. The absolute worst time to figure out what you should be doing is in the middle of an incident. Having a plan and preparing for it is key.
Plans often fail to include:
- Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident. Decision-by-committee with endless debate often leads to delayed action that increases financial and reputation damage.
- A backup (or more) for the primary incident handler in case they are not available. The backup should fully understand the role and be capable of making decisions in critical situations.
- The inclusion of more than technical resources for the incident response team. HR, Legal, and the PIO are often left out but essential.
- Templates for press releases and notifications. Writing your first draft during an incident is a mistake.
- A communication plan for the team. If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
- Checklists to help keep a response on track when the heat is on.
When developing the plan, consider the potential scenarios you may face and plan for them. Different scenarios may require different responses, so it’s best to have thought some of these through before they happen. A few examples: malware outbreak; denial of service; illegal material on an employee PC; lost or stolen laptop; compromised system; or accidental disclosure.
Lastly, the first time you try out the plan shouldn’t be during an actual incident. Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed. A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” versus “oh man… what do we do now”.
Prior Proper Planning Prevents Piss Poor Performance.
Be prepared and hope you never need to use your plan.
Anti-virus software is based on signatures of known viruses. It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants. That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article? Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?
While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape. We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation. It’s hard work and I don’t believe it is understood by leadership in most organizations.
That said, we can’t protect against the new threats if we fail to apply the basics. If you don’t believe that organizations get burned because of basic security failures, look at this story out of New Zealand. What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched. That is misdirection worthy of a master politician.
Bottom-line: Businesses cannot rely on AV or single layers of defenses. Protecting information against a constantly moving adversary requires more than static thinking to be effective. If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.
Tip Tuesday!
Most small business owners understand that they need a business checking account in order to keep their personal and business finances separate. That just makes good sense. What some, especially home-based business owners, fail to do is separate their business and personal computing, especially user IDs and passwords. Maintaining that dividing line between your personal and business assets, especially how they are accessed, is important to protect your business and your customers.
A handful of areas to think about:
- Online banking – access to personal and business accounts should not be the same.
- E-mail – Customers should send and receive e-mail from a “business” account.
- CRM – If you use an online CRM tool, don’t access it the same way you access your personal Facebook page.
- Social Media – Personal accounts should be accessed differently than business or “fan” pages (even if your name is your business).
Treat your business like a business. Protect yourself, your business, and your customers.
The CISO of Pennsylvania was apparently fired after discussing a breach while serving on a panel at the recent RSA conference. The removal was reported in several articles, including this SCMagazine report. The information provided by Bob Maley was a clear description of a threat that some states may face, an appropriate discussion for this panel. However, it seems Maley didn’t get explicit permission to talk about this issue and was terminated for this breach of protocol.
There may be other personnel issues involved but the timing of this is certainly suspect. While Maley should have been disciplined for violating communication protocol, the end result appears to be disproportionate to the offense.
The RSA panel was a great opportunity to share information and lessons learned. Instead of embracing that level of transparency, we see an SCMagazine CISO of the Year finalist losing his job for trying to help others learn from his experience. If others fear such action for sharing sanitized lessons learned, then our field has taken a step backward in transparency and communication. That’s a shame.
I just read an article “Basic security measures do wonders” and it drove home a point that seems to have been lost with the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”. While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying basics and using our current tools more effectively can go a long way to improving the security posture of our organizations.
I’m not implying that we be stagnant in our approach to securing our information from changing threats. It’s vitally important that we be agile in our defenses else we create the Cyber-Maginot line I’ve discussed earlier. That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.
The article mentioned some basics that are worth repeating:
- Turn logging on and monitor the logs, but be careful that you don’t inundate yourself with irrelevant messages.
- Examine network traffic patterns. Learn what normal traffic looks like so that you can better identify abnormal patterns.
- Control access so that employees have access to what they need to do their jobs, but nothing else.
- Enforce security policies.
- Have a consistent process for patching systems.
- Know where your data is!
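The second bullet is the whole basis of anomaly detection: you cannot call traffic abnormal until you have measured what normal looks like, and the first bullet’s warning about noise is why a raw threshold is not enough. The script below is an added illustration, not code from the article or from the source it cites. It reads constructed flow summaries (made-up hosts and byte counts), learns per-host baselines from three days of traffic, and then flags only two kinds of deviation on a new day: a destination/port the host has never talked to, and a daily outbound volume more than k standard deviations above that host’s mean. The k-sigma threshold is what keeps ordinary fluctuation from turning into alert noise.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow summaries, one per line: "date src dst dport bytes".
# These are invented records for the example, not data from the article.
BASELINE_FLOWS = """
2010-03-01 10.0.0.5 10.0.0.20 445 12000
2010-03-01 10.0.0.5 203.0.113.10 443 8000
2010-03-01 10.0.0.6 10.0.0.20 445 9000
2010-03-02 10.0.0.5 10.0.0.20 445 11000
2010-03-02 10.0.0.5 203.0.113.10 443 7500
2010-03-02 10.0.0.6 10.0.0.20 445 9500
2010-03-03 10.0.0.5 10.0.0.20 445 13000
2010-03-03 10.0.0.5 203.0.113.10 443 8200
2010-03-03 10.0.0.6 10.0.0.20 445 8800
"""

# The day under review: 10.0.0.5 looks like every other day; 10.0.0.6 suddenly
# talks to a never-seen host on port 22 and moves far more data than usual.
NEW_DAY_FLOWS = """
2010-03-04 10.0.0.5 10.0.0.20 445 12500
2010-03-04 10.0.0.5 203.0.113.10 443 8100
2010-03-04 10.0.0.6 10.0.0.20 445 9100
2010-03-04 10.0.0.6 198.51.100.7 22 1500000
"""


def parse_flows(text):
    """Yield (date, src, dst, dport, nbytes) tuples from the flat text format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, src, dst, dport, nbytes = line.split()
        yield date, src, dst, int(dport), int(nbytes)


def build_baseline(text):
    """Learn what 'normal' looks like for each source host.

    Returns {src: (known_pairs, daily_totals)} where known_pairs is the set of
    (dst, dport) the host has been seen talking to and daily_totals is the list
    of outbound bytes per day in the baseline period.
    """
    pairs = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))  # src -> date -> bytes
    for date, src, dst, dport, nbytes in parse_flows(text):
        pairs[src].add((dst, dport))
        per_day[src][date] += nbytes
    return {src: (pairs[src], list(per_day[src].values())) for src in pairs}


def find_anomalies(baseline, text, k=3.0):
    """Compare one day of traffic against the baseline.

    Returns a sorted list of (src, kind, detail) findings. 'kind' is one of
    'unknown-host', 'new-destination' or 'volume'. Volume alerts fire only when
    the day's total exceeds mean + k * stdev of the host's baseline days, so
    normal day-to-day variation stays quiet.
    """
    findings = []
    totals = defaultdict(int)
    for date, src, dst, dport, nbytes in parse_flows(text):
        totals[src] += nbytes
        if src not in baseline:
            finding = (src, "unknown-host", f"{dst}:{dport}")
            if finding not in findings:
                findings.append(finding)
            continue
        known_pairs, _ = baseline[src]
        if (dst, dport) not in known_pairs:
            findings.append((src, "new-destination", f"{dst}:{dport}"))

    for src, total in totals.items():
        if src not in baseline:
            continue
        _, daily = baseline[src]
        if len(daily) < 2:  # not enough history to estimate spread
            continue
        threshold = mean(daily) + k * pstdev(daily)
        if total > threshold:
            findings.append((src, "volume", f"{total} bytes, threshold {threshold:.0f}"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for src, kind, detail in find_anomalies(base, NEW_DAY_FLOWS):
        print(f"{src}\t{kind}\t{detail}")
```

On the constructed data this reports exactly two findings, both for 10.0.0.6, and nothing for 10.0.0.5 even though its byte counts differ slightly from every baseline day. Three days is far too short a baseline for production use; the point is the structure: measure first, then alert on deviation from the measurement rather than on fixed numbers.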
I would imagine most security professionals reading this will say “duh”. I’d also be willing to bet that many organizations fail to apply all of these basic principles. Why? Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation? It happens all the time.
Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness. Can you improve your user provisioning/de-provisioning process? Can you leverage scanning tools and results to improve a vulnerability remediation program? Can you tighten up audit logs and alerts? Can you create an inventory of sensitive information? Can you engage business units to build a stronger relationship with security? Can you develop an awareness campaign that is engaging and informative?
It seems to me improving what you have creates a stronger security program than having a huge number of half implemented tools and processes. Tell me. What areas can you improve today?
The more I read about Howard Schmidt, the new cybersecurity czar for the Obama administration, the more I tend to like what I’m hearing. I still think the position is limited because he has no budgetary authority, but he appears to be quite capable of delivering the message of information security without resorting to FUD. I like that.
There continues to be an overuse of terms such as “cyberwar”. I hope we can end the movie hype and get down to business. I don’t disagree that there is a persistent threat from state sponsored attackers. I believe there is a rise in targeted attacks that are designed to steal sensitive information and perhaps disrupt business as usual. The government and the private sector need to address our information security needs and be agile in development of defenses against new threats.
In an interview with Wired.com, Schmidt had this to say:
“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.
“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”
Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.
- Ryan Singel, “White House Cyber Czar: There Is No Cyberwar”, Wired.com Threat Level, March 4, 2010
This is in direct contrast to Michael McConnell, former director of national intelligence who continues to ramp up the rhetoric about a cyberwar. Let’s look at McConnell’s history.
- McConnell convinced President Bush to provide funds to the NSA to lock down the government’s classified networks. Of course, McConnell’s position placed him in charge of that effort.
- McConnell now calls for a “re-engineering” of the Internet. Of course, the company he works with stands to profit incredibly from this type of effort.
You can decide for yourself McConnell’s motivation.
Schmidt doesn’t appear to turn a blind eye to the need for government to protect classified information and the NSA has a role in this. The government certainly has an eye on things that just aren’t visible to the private sector. The private sector has a big dog in this fight as well, especially in regards to financial transactions and the use of personally identifiable information.
“A pessimist is an optimist with experience” (unknown). I share in McConnell’s call to action but not his drastic, doom and gloom approach where excessive government control over the Internet is the only solution. His passion is admirable, if not misguided.
Schmidt, on the other hand, isn’t ignoring the need for government to bolster its defenses; he appears to simply approach the necessity for action without inciting knee-jerk reactions from ignorant politicians. I like this approach rather than the call for citizens to put their heads in the sand and let Uncle Sam take over.
“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”
That’s a call to action. This isn’t a problem that is owned exclusively by the government nor does the solution reside entirely in that realm. However, if the private sector doesn’t step up and be proactive in the way we protect our infrastructure and information, then we deserve to have government do it for us.
The White House just recently published a summary of the Comprehensive National Cybersecurity Initiative. While there hasn’t been any time to debate this or even digest the implications of the 12 initiatives, I had some initial thoughts that I wanted to put down. Certainly, this may change as (or if) more details are provided.
Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet. This is an effort of gargantuan proportions. The enormous complexity of this initiative has failure written all over it. If this somehow manages to be implemented I can only think “One ring to rule them all”… or “own” them all may be more appropriate.
Initiative #7. Increase the security of our classified networks. Wow! You think? Common sense is not that common.
Initiative #8. Expand cyber education. It will be interesting to see how programs are implemented when colleges and universities are dropping programs due to the budget crisis. Creating an InfoSec-educated workforce is a long-term strategy in a rapidly changing arena. It may be difficult to find instructors who aren’t so grounded in academia that they become unaware of the changes in the environment.
Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs. This assumes that an environment that rewards innovation in the private sector is created. At least in writing, there appears to be a recognition of the need for public-private partnerships to be successful.
This may be a good start but without details on how government will implement these initiatives, it’s impossible to determine if this will be good, bad or ugly. I’ll be keeping an eye on developments here.
Nomenclature is simply a way to name the things that are used in communication. Every profession has its own taxonomy that allows it to understand and identify “things” that are specific to its area of expertise. This has a downside. Those outside of “the club” have difficulty understanding the terms and principles that come naturally to the “initiated”.
For information security professionals working in business environments, the ability to translate InfoSec into terms understandable to other business professionals is essential to success. The lack of this skill often leads to a misunderstanding of risk that essentially leads to an unnecessary exposure.
To overcome this, I have found it useful to set foot into the world of accounting, finance, economics, organizational behavior, marketing, and logistics by earning my MBA. While certainly not an expert in any of the fields mentioned, I have been initiated into their ranks through education. This at least provides an opportunity to build a bridge between security and business functions because I am able to communicate, at least partially, using their “language” rather than forcing them to learn mine.
So, “jargon” can be useful. It certainly allows more efficient communication between peers. Even more important, learning other “professional languages” creates an opportunity to translate your terms and principles into something understandable to others. I’m convinced that this skill provides value by creating more “aha” information security moments across multiple business disciplines.
I’d be remiss if I did not provide a plug for my alma mater. The University of Nevada part-time MBA program was nationally ranked #21 by Business Week, and #5 in the West. Go Pack!
Why is it that terms used in the information security profession are referred to as “gobbledegook” while in other professions they’re known as nomenclature? Every profession has its own jargon, so for “experts” to label this as something unique to information security is rather unfair.
“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”
- Maclean, William, “Computer jargon baffles users, hinders security”, msnbc – Technology & Science, February 19, 2010.
This isn’t some malicious attempt to create a mystical club with secret words and handshakes. Industry specific terminology helps those professionals within that industry communicate clearly with each other. Isn’t this also true in finance, medicine, law, software design, architecture, etc?
Former U.S. Homeland Security Secretary Michael Chertoff had this to say:
Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”
I don’t know about you, but when a physician rattles off medical terminology I’m certainly not feeling empowered. I do, however, trust that I’m being treated by someone trained in that particular field who understands the complexities and can communicate with peers (referrals) who also understand the “jargon”. Isn’t this what they are paid for? It’s no surprise that such a comment came from Chertoff, who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.
Having “experts” come out and say things like “plain language is vital” is nothing new. In any awareness or education campaign, the content of the message must be appropriate to the audience. If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar to them in order to be effective. That’s a no-brainer.
Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.
CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure. The exercise included former federal officials who played the role of key positions in the executive branch to show how the government would respond to the escalating incident. They even had a flashy headline:
“Cyber Shockwave”
As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD. It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program. We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.
There is no doubt the threatscape is changing with the way we use technology. Mobile devices certainly will see their share of malware. Both public and private sector have lapses in their information security practices. As we’ve seen with the latest attacks from China, there is a rise in targeted attacks. That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.
Cyber security is not a unilateral issue with government alone stepping in to save the day. The private sector is particularly good at finding solutions to problems, and it too has a dog in this fight. Let’s bring the right players to the table to find a solution other than martial law.
Bottom line: Simulations are useful if they are appropriately scoped and are meaningful. We could learn a lot from a good simulation that includes government and private sector participation. In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.