Playing Catchup – Consumer Devices in the Workplace

Mobile devices, use of social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, a part of your business environment. As is often the case, the ability and tools to securely manage new technologies lag behind the flood of use in organizations, leaving a gap in the protection of sensitive information.

Quite frankly, we should have seen this coming.  The “new” workforce communicates differently and often more efficiently (not necessarily more effectively).  Text messages, tweets, IM, oh my!  There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.

Now here we are, playing catch-up in order to enable the business to keep up with the times while preventing the unauthorized release of protected information (and the associated costs). It’s not enough to deploy the “hope” method of information security, but once the cat is out of the bag, it’s often hard to rein in perceived freedom without suffering a blow to the new work culture and to the reputation of information security. Doing nothing isn’t an option, as a recent CSO Online article put it:

Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says. - “Security concerns aside, consumer devices, services take over the enterprise,” CSOOnline article by Bob Violino

Can you sandbox work applications and data on mobile devices to separate them from “personal” use? Can you require connections to business functions and data over secure channels? Can you remotely wipe a “lost” phone? Can we provide the services and functionality required for the “new” workforce to be efficient and effective without sacrificing security and compliance?

We’ll see.


Don’t Rely on Others to Protect Your Assets

A company has a PC infected with malware that steals the user ID and password for its bank account. The bad guys proceed to steal a large sum of money from the company bank account. The bank won’t refund the money, and the FDIC doesn’t insure commercial accounts. This sums up a recent case described at Krebs on Security, where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer, but are they responsible for protecting an endpoint they had no control over? That’s quite a leap. As a business owner, you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses. I agree with both, and I’ll summarize them here.

1. Separate your banking PC from your general-purpose PC. In other words, don’t access your online bank accounts from the same PC you use to check e-mail, open attachments, browse the Internet, perform work for your clients, etc.

2. Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is purposed specifically for online banking and appropriately configured and updated. (Not a bad idea for personal banking, too.)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures,” especially ones that would require them to effectively manage the endpoint systems of other businesses. Banks could, however, offer option 2 above to their commercial customers: access to online banking through a secure, bank-branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Five Small Business Information Security Resolutions

Five 2011 small business/entrepreneur resolutions to protect you and your customers and make for a safer new year:

1. Install and maintain an anti-malware product on your PC and/or laptop. No matter what vendor you choose, look for one that works like a broad-spectrum antibiotic. Trojans, viruses, worms, and other nasty little beasts that can infect your computer through e-mail attachments or simply surfing to a compromised web site will continue to be prevalent in 2011. While most AV products do a poor job of protecting you against zero-day attacks, you can all but eliminate the known little buggers.

2. Set up a non-administrator account on your laptop/PC and use it for your daily work. By using an account that cannot install software (and therefore cannot install malware), you give yourself a level of protection that is effective and cheap (is free cheap enough for you?). Log in to your administrator account only when you need to install new applications.

3. If you carry any sensitive information on your laptop, especially personally identifiable information of your customers (or yourself, for that matter), invest in an encryption product and keep your keys safe. Consider encrypting thumb drives and other removable media. Laptops, at least in Nevada, are considered “removable media” under state law (check the requirements in your state). Whether you choose a commercial product or open source, encrypting PII on your laptop is a good practice and is becoming law in many states.

4. Back up your data. Portable hard drives are cheap! So are CDs and DVDs. Even online services are offered at a reasonable rate. There is no reason not to back up your business data so you can quickly recover from a system crash, compromise, or other “disaster.”

5. Use social media sites safely. While they are a great avenue for connecting with customers (or “fans”), don’t play games and download all the “for fun” applications. Attackers go where the people are; therefore, social media sites are great places for the bad guys to play.

Best wishes for a prosperous and cyber-safe new year!

Do you know where your data is?

Where is your sensitive information?

Many times the answer I hear is “it’s stored in our database,” but unfortunately that is only a partial answer. If you look at the business process surrounding access to information, you may be surprised at where sensitive information ends up. Have you considered:

Printed documents – Hard-copy printouts of reports, spreadsheets, e-mail or other documents containing sensitive information have a way of being thrown in the trash without being shredded. They get left out on desks for anybody to see, including enlightened janitorial staff. And what about the printer or copy machine hard drive that may be storing information that slips outside the walls of your facility when the equipment gets surplused?

Forwarded e-mail – Ever hear this? “It’s easier to work from home if I just send these spreadsheets with social security numbers as an attachment to my home e-mail account.”

Laptops – The portability of laptops also carries with it the portability of information. Without encryption, the ease of stealing information through a “smash and grab” from the back seat of your car becomes quite an issue. Some state laws, like Nevada’s, require the encryption of personally identifiable information on removable media, and this includes laptops.

Removable media – It’s so easy to just move information from point to point using a thumb drive. The large storage capacity of these devices, not to mention USB hard drives, makes them a considerable risk point for sensitive information sneaking out of an otherwise controlled environment.

There are probably many other examples, but the point is not to develop tunnel vision when considering strategies to protect sensitive information. Getting fixated on the most obvious point of data storage is a bad move. Think about how information is used in your organization. Who needs and has access to it? How are they sending the information to coworkers and business partners?

It’s important to consider ALL the possible ways information can be compromised.  You can bet the bad guys have already considered it.

Cyber Risk being disclosed in SEC filings

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings. It’s interesting to see some major companies admit that the threat of targeted attacks can impact the bottom line.

In what will undoubtedly become the trend in risk reporting to shareholders in annual reports, there should be a corresponding effort to take action to counter the threat. Perhaps the increased visibility into the advanced persistent threat will spur organizations out from behind their cyber-Maginot lines and into more agile defenses.

Thousands of Businesses had an Uneventful Day

I guess that headline wouldn’t sell too many papers, but in most cases this is the reality that drives many decisions related to information security investment. For most executives, the sky isn’t always falling, and a security team that tries to operate under that premise is soon thought of as the Boy Who Cried Wolf. This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy.

There is a fine line between being a vigilant defender of information and being an alarmist. The need for information security has never been greater. Surveys suggest that executives understand this, so now is not the time to be lighting the warning beacons of Gondor. Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as “Annualized Loss Expectancy” (ALE), which pretty much takes a guess and multiplies it by another guess, to make a case for security investment. ROI? What is your return on something that doesn’t generate revenue? Again, using this type of tool in a security sense leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and be able to clearly articulate the need from a business perspective.  Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments. It is surprising how many organizations can’t meet this requirement, but you simply can’t protect what you don’t know about.
  • Leverage what you already have. Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to complement the proposal, not as the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.

NJ Supreme Court impacts privacy expectation

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer (NorthJersey.com article).

An interesting ruling, which will certainly change some thinking on personal use of work computers. While I’m a proponent of privacy rights, I’m torn on this particular ruling. The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee.” That’s a fairly common policy statement, but the usual intent covers use of company e-mail, not a personal Yahoo account. I tend to side with the court that attorney-client privilege applied because there was an attempt to keep the personal e-mail secure. Personal e-mail accounts, especially correspondence with an attorney, seem to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail. In this case the employee was absolutely out of her mind to be exchanging communications with her attorney, in preparation for a lawsuit against her company, using a company-issued laptop. Stupidity aside, the question is whether the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on, company-owned equipment. This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit that equipment to assure compliance. While I don’t think that extends into people’s personal e-mail accounts, let’s create a scenario based on the patient privacy breach at University Medical Center that I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme? Now, instead of taking the hard-copy face sheet as was done in that case, the employee uses a personal Yahoo account to send the information to their “attorney.” I doubt this meets the same measure of attorney-client privilege identified in the New Jersey case, but it certainly illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates, it will be interesting to see how organizations shift their policies, if they do at all. With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Fail to plan, plan to fail… incident response preparation

Consider this: a review of an application or database that processes and stores customer information, including personally identifiable information, shows that it has been compromised. What are you going to do?

Many organizations fail to plan for a compromise and, unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident. The absolute worst time to figure out what you should be doing is in the middle of an incident. Having a plan and preparing for it are key.

Plans often fail to include:

  • Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident. Decision-by-committee with endless debate often leads to delayed action that increases financial and reputation damage.
  • A backup (or more) for the primary incident handler in case they are not available. The backup should fully understand the role and be capable of making decisions in critical situations.
  • The inclusion of more than technical resources on the incident response team. HR, Legal, and the PIO are often left out but are essential.
  • Templates for press releases and notifications. Writing your first draft during an incident is a mistake.
  • A communication plan for the team. If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
  • Checklists to help keep a response on track when the heat is on.

When developing the plan, consider the potential scenarios you may face and plan for them. Different scenarios may require different responses, so it’s best to have thought some of these through before they happen: malware outbreak; denial of service; illegal material on an employee PC; lost or stolen laptop; compromised system; or accidental disclosure, to name a few.

Last, the first time you try out the plan shouldn’t be during an actual incident. Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed. A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” rather than “oh man… what do we do now?”

Prior Proper Planning Prevents Piss Poor Performance.

Be prepared and hope you never need to use your plan.

Be an Agile Defender

Anti-virus software is based on signatures of known viruses. It’s a reactive product by nature, and it should be known by now that these products are ineffective against new viruses and new variants. That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article? Isn’t that like standing out in a rain storm to test whether you’ll get wet and then writing an article about your findings?

While the testing part of the story was silly, the real point of the story is that we need to think differently about the way we defend against the changing threatscape. We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation. It’s hard work, and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply the basics. If you don’t believe that organizations get burned because of basic security failures, check out this story from New Zealand. What is funny here is that they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched. That is misdirection worthy of a master politician.

Bottom line: businesses cannot rely on AV or any single layer of defense. Protecting information against a constantly moving adversary requires more than static thinking to be effective. If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Cyber Shockwave – A Bust

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure. The exercise included former federal officials who played key positions in the executive branch to show how the government would respond to the escalating incident. They even had a flashy headline:

“Cyber Shockwave”

As much as I hoped that this would be a worthwhile simulation with good discussion, it really came across as propaganda wrapped in FUD. It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program. We all should be concerned when government officials talk about “nationalizing Telco and Power,” “quarantine cell phones,” and “giving the option of unilateral disconnect.”

There is no doubt the threatscape is changing with the way we use technology. Mobile devices certainly will see their share of malware. Both the public and private sectors have lapses in their information security practices. As we’ve seen with the latest attacks from China, there is a rise in targeted attacks. That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day. The private sector is particularly good at finding solutions to problems, and it too has a dog in this fight. Let’s bring the right players to the table to find a solution other than martial law.

Bottom line: simulations are useful if they are appropriately scoped and meaningful. We could learn a lot from a good simulation that includes government and private sector participation. In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.