Business and Security Need Each Other

Posted in Business and Security, National InfoSec on October 4th, 2010 by Paul

A recent eWeek article, “Cyber-security Hurts Federal Government Productivity, Survey Says,” clearly demonstrates the significant security issues related to perception and communication. There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to website and e-mail access. Knee-jerk reaction usually leads to common sense being thrown out the window. That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” in e-mail and website use. Some system-wide protections simply need to be in place, and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

A unilateral response to a “do better” mandate usually generates bad outcomes for everybody. This is what appears to have happened here. No communication. No requirements definition. Just a policy that is enforced through technology. Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt. It is no longer okay to say “this is the security group’s problem” and then walk away. Participation, horizontally and vertically throughout an organization, is required. Second, the security team needs to understand how people work and what they need to get their job done, and then work with them to find solutions.

It’s easier said than done, but the status quo is indeed unacceptable. There is no such thing as 100% secure. There is, however, the potential to reduce risk while providing for business (or agency) needs. Without business, there is no need for security. Without security, business will fall victim to attack and fail. Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

Education and awareness loses to the exploitability of humans

Posted in Awareness and Education on September 10th, 2010 by Paul

The recent VBMania virus (a Trojan horse) is simple proof that education and awareness programs are not sufficient to overcome human curiosity and stupidity. For years computer users have heard the same message: “Don’t open attachments or click on links in unsolicited e-mails.” Yet, they still do!

Yesterday’s simple spam attack infected servers at ABC, NASA, and likely other federal agencies, and clearly shows that the message delivered ad nauseam has essentially fallen on deaf ears. This unfortunate impact to services was caused by the three biggest risks in information security: man, woman and child.

Two things are infinite:  the universe and human stupidity; and I’m not sure about the universe.  ~Albert Einstein.

I’m afraid awareness and education will not be able to overcome the gullible, curious, and greedy nature of humans. We can only keep trying, but it’s a tall order when faced with people who: believe they have won a lottery they never entered; will pay an unknown person in Nigeria their entire savings account to receive their fortune; or believe that their luck hinges on sending an e-mail to all their friends.

It seems that exploiting humans is much easier than exploiting technology.  Without a clear defense against poor choices, it’s only a matter of time before a similar attack targets something a bit more critical.

Lessons Not Learned – Public-Private non-communication in CyberSecurity

Posted in National and State Privacy/Security Law, Should Have Known Better on August 20th, 2010 by Paul

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies. A report released this past Monday by the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena. The breakdown in this arena is between the government, which has the cyberthreat information, and the private sector, which manages critical infrastructure that is susceptible to cyber attack. Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

- Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster: GAO Study,” NextGov, August 18, 2010

The planets are coming into alignment when considering the quality of attacks, the advanced persistent threat, and the unstable world climate easily identified by reading recent headlines. The lessons learned about communicating threats to those in a position to take action seem to have been lost. Unless the so-called public-private partnership learns how to talk to each other, our cyber-connected critical infrastructure may be primed for a rude awakening.

By the way… where is Cybersecurity Coordinator Howard Schmidt and all his talk about private sector solutions?

Don’t Be a Billy

Posted in Awareness and Education on August 4th, 2010 by Paul

I’m getting a kick out of some fun videos put together by the fine folks at StaySafeOnline.org. Check them out and enjoy this awareness video: “Don’t be a Billy.”

Consolidating public information… how’s your privacy doing?

Posted in Uncategorized on July 30th, 2010 by Paul

A “security” consultant wrote a script that collected profile listings from Facebook’s public profile directory, according to the article “The Facebook Data Torrent Debacle: Q&A” appearing on Yahoo News yesterday. Of course, this is all public information that is available to anybody who looks. The difference, in my opinion, is a “security” consultant compiling such a list and then making it available online. 171 million Facebook profiles! As of the date of the article, about 10,000 people had downloaded the entire file.

It doesn’t take a whole lot of imagination to think what a person with nefarious intentions might do with your e-mail address, phone number, and home town. A little more research on your “public” profile would make it easy for a criminal to know when you’re out of town so they can have uninterrupted access to your home. Or perhaps someone notices where your kids go to school and that they will be home alone on Tuesdays, because that’s what is publicly available.

Funny thing is, it’s not just this “security” consultant providing this type of consolidated information to whoever wants it, including criminals. In my hometown, the local newspaper has been collecting the names, titles, work information, and salaries of public employees and publishing them online. Sure, the story is about government spending, but why invade people’s personal lives to do it? Certainly the point could be made without attaching individual names. Yellow journalism and a violation of individual privacy are all I can think of.

The bottom line is that there is too much personal information available to anybody looking. It is undoubtedly a self-inflicted problem that is exacerbated by so-called “security” consultants and news outlets that make the criminal’s job easier by consolidating this information and making it available for download. They should know better.

Security Professional Pipeline

Posted in Awareness and Education on June 25th, 2010 by Paul

The demand for a trained and educated information security workforce here in the U.S. continues to grow. Creating a pipeline of information security professionals has to start early. A national campaign to develop the next generation of “Cyber Defenders” has been happening without the fanfare or kudos that it needs.

The Collegiate Cyber Defense Competition has existed since 2005 and, according to a USA Today article, has grown from five competing schools to 83 teams from colleges and universities. A similar high school competition has also been established and is seeing great participation. This is exciting! An environment where talent merges with enthusiasm for the information security field is the right environment in which to recruit professionals.

I hope these events continue to grow and inspire similar local and regional “cyberwar games” for high school and college teams. I hope they become common recruiting grounds for both the public and private sector. Well done.

Cyber Risk being disclosed in SEC filings

Posted in Business and Security on June 15th, 2010 by Paul

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings. It’s interesting to see some major companies admit that the threat of targeted attacks can impact the bottom line.

Reporting this risk to shareholders in annual reports will undoubtedly become the trend, and there should be a corresponding effort to take action to counter the threat. Perhaps the increased visibility of the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Evolution of Policy Management

Posted in Business and Security on June 2nd, 2010 by Paul

Policies, procedures, guidelines, standards. Most organizations have these in some form or another, but how the organization manages these important “documents” is quite telling.

The Story Teller

These organizations rely on word of mouth. People just “know” what the procedure is or what they are “supposed” to do. Just like nomadic tribes passing down their history from generation to generation through stories, these organizations pass down standards from new hire to new hire through the proverbial grapevine. Policies, procedures, and standards are only as good and consistent as the story.

The Stone Tablet

These organizations go through the process of creating and documenting policy, procedures and standards, but once written, these documents are never visited again. They sit on the shelf gathering dust, and if they are ever reviewed, they tend to be years or even decades out of date. These documents lose their relevance, and efforts to update them become a monumental task with little payback.

The File Clerk

These organizations keep their documents filed either physically or electronically on a file server. They may even have a numbering system and a process to review and renew the documents. These documents are sometimes difficult to find due to multiple storage locations, and the review process is sometimes overlooked because there is relatively little control or ownership.

The Document Management System

These organizations use a system that manages review cycles, has an approval workflow, keeps version control, and supports multiple file types. Policies, procedures, and standards are kept current as the process becomes part of the organizational culture. Documents have owners and assigned responsibility. Standards for systems are documented and current, as the single system provides a central repository and process for updating.

Where does your organization sit in the evolution of policy & procedure management?

Graphical History of Hacking

Posted in Awareness and Education on May 31st, 2010 by Paul

This was pretty cool. Thanks to OnlineMBA and their post.

[Infographic: “The History of Hacking,” via Online MBA]

Thousands of Businesses had an Uneventful Day

Posted in Business and Security on May 27th, 2010 by Paul

I guess that headline wouldn’t sell too many papers, but in most cases this is the reality that drives many decisions related to information security investment. For most executives, the sky isn’t always falling, and a security team that tries to operate under that premise is soon thought of as the Boy Who Cried Wolf. This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy.

There is a fine line between being vigilant defenders of information and being alarmists. The need for information security has never been more important. Surveys suggest that executives understand this, so now is not the time to be lighting the warning beacons of Gondor. Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as “Annualized Loss Expectancy” (ALE), which pretty much takes a guess and multiplies it by another guess, to make a case for security investment. ROI? What is your return on something that doesn’t generate revenue? Again, using this type of tool in a security sense leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and to be able to clearly articulate the need from a business perspective. Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments. It is surprising how many organizations can’t meet this requirement, but you simply can’t protect what you don’t know.
  • Leverage what you already have. Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to complement the proposal, not BE the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.