paulmudgett.com

It never fails. Information security controls are immediately put into place AFTER a significant security incident has happened.  This is true even when these controls are reasonable to have in place and could have prevented the incident from happening at all.   Often, decisions made after an incident are knee-jerk reactions rather than business-minded protections.

As a case in point, the Department of Defense issued a new ban on removable media being used on classified machines in response to the WikiLeaks release of diplomatic cables.  Completely reactive.  The point here isn’t the effectiveness of the control but the timing.

For those who haven’t followed the WikiLeaks drama, here is a tidbit taken from a December 10, 2010 CNN article that can be applied to many organizations.

“Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks.”

Do you have a Private Manning in your organization who has access to sensitive information?  Can he easily take that information out of your environment and sell it to the highest bidder?  Why not consider that risk and address it before it becomes an issue?

The culprit often lies in the attitude of executive leadership.   How often have you heard the following?

• “We’ve been doing things this way for years and haven’t had a breach.”  (that you know of)

• “Show me the hard dollar return on investment before I sign off on these security thingies.”  (BTW, since most security implementations aren’t revenue generating, a ROI will always be zero.)

• “It’s not convenient.”

These excuses need to be replaced with a desire to take ownership of information you have.  The focus needs to be on protecting your intellectual property and maintaining competitive advantage.  It should examine the risks to information and appropriate measures to reduce risk without impacting the functions of the business.

Controls don’t have to be expensive or fancy.  They just need to be effective.  Understand and take control of your information before an incident forces rushed decisions that impact your ability to conduct business.

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.   There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.   Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editors note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.   Without business, there is no need for security.  Without security, business will fall victim to attack and fail.   Contribution and collaboration is required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling which will certainly change some thoughts as to personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.   The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement but the usual intent is the use of company e-mail not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially with an attorney seems to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.    While I don’t think that extends into people’s personal e-mail accounts let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme.  Now, instead of taking the hard copy face sheet as was done in this case that employee used a personal Yahoo account to send this information to their “attorney”.    I doubt this hits the same measure of attorney-client privilege identified in the New Jersey case but certainly this illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Let’s look at a very simple risk equation:

Risk =  Threat x Vulnerability

Now let’s apply that formula to a disgruntled employee.   You have an angry employee (threat) who has access to sensitive company information based on their role in the organization (vulnerability).  The combination of these two creates a situation where sensitive information, say the “secret recipe”, can potentially be disclosed to competitors (risk).  This could have very serious consequences to your competitive advantage, your shareholders, your market share, etc.

The typical security response is to deploy preventive, detective, and corrective controls that hopefully reduce the risk by mitigating the threat and/or vulnerability.  Most often, the controls lean heavily towards detection which is an after-the-fact, reactive response to the problem.  I believe the root cause of this issue lies with the management of an organization rather than the employee.  Here’s why.

I’ve yet to see a person start a new job saying “this place sucks” or “I hate it here”.  Instead, these new employees are often the most enthusiastic and engaged members of your workforce.  Something has to occur that shifts this positive behavior to disengaged and/or destructive action.  Something changes the attitude of the employee.  I contend that it is the systems developed by management that are responsible for the growth and development of disgruntled behavior in the workplace.

Systems for employee review are often filled with hidden agendas and surprises designed to “put the employee in their place”.   Systems are designed to punish failure by taking power away from “empowered” employees who didn’t meet performance expectations (that probably weren’t defined well anyway).  Systems are designed to give responsibility but no authority to act.  It is these types of unfortunately common management systems that set the stage for the development of disgruntled employees.

So, doesn’t it make sense to mitigate or eliminate the risk associated with the disgruntled employee threat by fixing systems that spawn that type of dissatisfaction?  I’m by no means saying that employees rule the roost or that you won’t have an employee unhappy over a disagreement.  What I am saying is by treating employees fairly, enabling them to be successful, helping them learn from mistakes rather than punish them, and creating an environment where ideas are freely discussed without fear will go a long way toward eliminating this threat to information security.

Remember the equation:

Risk =  Threat x Vulnerability

Without the threat, there is no risk.

When an employee leaves a company either voluntarily or involuntary, the business must have the processes and procedures in place to immediately revoke access to information resources.   This isn’t a new concept in the information security realm but it is something that is often applied lackadaisically in organizations.  With the cost of breaches rising, leaving doors open for potentially disgruntled ex-employees can be a costly mistake for your business.  Just as you provide access to new employees, you must be ready to remove access when an employee separates.

The article snip below is a recent addition to the “should have known better” club:

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records.  But the company failed to immediately shut off his VPN access.  That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by the Dallas FBI agent Robert Smith.

Poulsen, Keven.  “Ex-Employee Fingered in Texas Power Company Hack.” WIRED 29 May 2009.

http://www.wired.com/threatlevel/2009/05/efh/