“You Have My Word On It”

Over the years I’ve had the privilege to hire and work with some talented information security consultants.  Whether they came on to perform a 3rd party assessment needed to drive remediation efforts (or satisfy compliance obligations), to help troubleshoot an issue, or to perform the initial configuration of new tools, I’ve been fortunate, in most cases, to separate the wheat from the chaff.  I’ve gotten better over time at telling the real deal from Joe Isuzu, but some small businesses don’t have those hard-learned lessons to fall back on.  So… here are a few tips.

1.   There is no such thing as 100% security.  If someone is promising “complete security and protection” of your data find out what they are smoking because it’s probably really good stuff.

2.  Do they throw around buzzwords and technical jargon OR do they talk about your business and how security controls not only fit within your business model but benefit your customers as well?

3.  Do they spend the time to understand your needs, or do they “already know” what you need (assumptions… bah!)?  If they don’t want to know about your business and how they can help YOU, then you probably don’t want to hire them.

4.  Do they up-sell unrelated services BEFORE delivering excellent results for the project you hired them for?  If you’re looking for a point-in-time assessment, then pressuring you to buy long term managed services is pretty lame.  If they deliver good work, THEN I want to know what other services they might offer… not before.

Big or small, there may come a time when you need a little help in protecting your business and your customers.  A good consultant places your business success at the very top of any work they are doing.  If they don’t care about your business, you shouldn’t care about theirs.

 

Photo credit:  Master isolated images at FreeDigitalPhotos.net

Checkbox Security Fails Again

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is that with so many different regulations, each with its own definitions and requirements, attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you against the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper you may have noticed a recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One“.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security?  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis?  If you store, process or transmit data under this one definition then you have to protect it, regardless of whether you’re in healthcare, finance, or any other industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

 

_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Follow-up Thought: Facebook Credentials and Hiring Process

Just a quick follow-up to my previous post “Before I hire you I’ll need the keys to your home…

I read a comment on LinkedIn that said there were no laws prohibiting employers from asking you to turn over your Facebook credentials so they can see your private information.  In my non-lawyerly view I think it relates to plenty of laws that declare certain questions as “off-limits” as part of the hiring process.   Age.  Sexual orientation.  Pregnancy.  Disabilities.   It is not uncommon to find details related to these personal issues shared with friends and family on Facebook but often, they are explicitly hidden from public view.

Asking a candidate for their Facebook credentials so that the employer can rummage through these personal details is no different, at least in my view, from asking these questions directly during an interview.   If certain pre-employment questions are already prohibited by law, then requiring a candidate to turn over access to that information via another avenue seems to splash down in the same swimming hole.

Let me play a scenario:

A candidate had a pretty good interview.  A few days later an HR rep from the company calls him up and says there is just one more step in the process.  Since his Facebook page isn’t public, they’ll need the userID and password, “just as routine”. He gives it and within a week receives a letter that he was not selected for the job.

On his Facebook page, it’s pretty clear he’s gay.  Many of his posts and those of his friends refer to him and his partner.  He believes that is the only reason he didn’t get the job.  He thinks that asking for his userID and password wasn’t “routine” at all but merely an excuse to find out information they were prohibited from asking him directly.

His next two calls are to an attorney and the media….

Now, it may be that the company had a legitimate reason to hire someone else but the perception here is what matters.  Imagine your company being dragged through the media and labeled as discriminatory.   We’ve all seen what happens when the media plants an idea into the minds of its audience.  The truth is often pushed to the back burner while the sensational, ratings-grabbing story rules the day.  There may or may not be any legal ground but it sure makes good publicity for a hard hitting lawyer.

If this came to pass, would you reconsider asking for those Facebook credentials?  Maybe sticking with traditional background checks, interview questions, reference checks, and looking at publicly available profile information with social media sites is the better choice.

 

They did WHAT with my data?

What are your employees doing with your data?

I know… they are all doing their jobs and not doing anything out of the ordinary.  Unfortunately, that isn’t always the case.  Time and time again, we see individuals inside an organization abusing their access to inappropriately view, or in the worst case steal, sensitive information.

Take for example this recently reported case in Hawaii – “HCFCU admits member information breached“.   Almost a year ago some “trusted” employees accessed information to fill up petitions for the credit union board nomination process.  Another employee thought this was messed up and reported it.   The credit union is putting employees through “new training” to reinforce policies.   I hope they have other tools to detect inappropriate access other than relying on the “just tell us” approach.

This is just one of many examples of insiders breaching confidentiality.  It happens quite frequently, whether it is the budding entrepreneur stealing your customer lists to go into business on his own or the hospital employee swiping the medical records of celebrities to sell to the paparazzi.    The insider threat appears in just about every industry vertical.

Ask yourself:

  1. Who has access to what information?  Do they need that access to perform their job?
  2. When someone changes jobs internally, do you just tack on their new permissions to their old OR do you remove previous access and give them what they need for their new position?
  3. Do you have generic user accounts or does each person have a user account that identifies them and their access?
  4. Can you tell who has accessed your most sensitive information and when?   Are access times or the number of records accessed outside the norm?   Do you know what to do when that happens?
  5. Do you have incident response procedures in place that direct you on how to handle a breach should it occur?

Based on your answers, you may be at greater risk of a breach.   There is no such thing as 100% security but taking appropriate measures to safeguard sensitive information from external and internal threats, being able to detect abnormal behavior, and having a plan “just in case” all fit within the practice of due diligence.
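Questions 3 and 4 above are the ones most organizations cannot answer without looking at the logs, so here is an added example (not code from the original post) of the minimum detection logic that answers them. It assumes an application writes one log line per record read in a constructed format (`timestamp user=… record=… action=…`); the account names, the “generic account” naming convention, and the business-hours window are all assumptions for the example. The volume check uses the median of per-user counts as the baseline rather than the mean, so one heavy user cannot pull the threshold up far enough to hide himself.

```python
"""Insider-access triage over a constructed access log (added example)."""
from collections import Counter
from datetime import datetime, time
from statistics import median

# Constructed sample, not real data: three analysts with a normal workload,
# one shared account, and one analyst pulling many records late at night.
SAMPLE_LOG = """\
2012-04-02T09:12:03 user=alice record=1001 action=read
2012-04-02T10:40:19 user=alice record=1002 action=read
2012-04-02T14:05:55 user=alice record=1003 action=read
2012-04-02T09:30:11 user=bob record=1010 action=read
2012-04-02T11:22:48 user=bob record=1011 action=read
2012-04-02T16:01:02 user=bob record=1012 action=read
2012-04-02T13:14:27 user=carol record=1020 action=read
2012-04-02T15:47:33 user=carol record=1021 action=read
2012-04-02T08:58:10 user=helpdesk record=1030 action=read
2012-04-02T12:03:44 user=helpdesk record=1031 action=read
2012-04-02T21:02:17 user=dave record=2001 action=read
2012-04-02T21:03:05 user=dave record=2002 action=read
2012-04-02T21:04:41 user=dave record=2003 action=read
2012-04-02T21:06:12 user=dave record=2004 action=read
2012-04-02T21:08:39 user=dave record=2005 action=read
2012-04-02T21:10:58 user=dave record=2006 action=read
2012-04-02T21:13:20 user=dave record=2007 action=read
2012-04-02T21:16:07 user=dave record=2008 action=read
2012-04-02T21:19:44 user=dave record=2009 action=read
2012-04-02T21:24:01 user=dave record=2010 action=read
2012-04-02T21:29:36 user=dave record=2011 action=read
2012-04-02T21:35:52 user=dave record=2012 action=read
2012-04-02T21:45:00 user=dave record=2013 action=export
"""

GENERIC_PREFIXES = ("helpdesk", "svc", "shared", "admin")  # assumed naming convention
BUSINESS_HOURS = (time(7, 0), time(19, 0))                # assumed working window


def parse_log(text):
    """Parse the constructed 'timestamp key=value ...' format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def generic_accounts(events, prefixes=GENERIC_PREFIXES):
    """Question 3: accounts whose name does not identify a person."""
    return sorted({e["user"] for e in events if e["user"].startswith(prefixes)})


def volume_outliers(events, factor=3.0):
    """Question 4: users whose record count is far above their peers.
    Baseline is the median of per-user counts, which a single outlier
    cannot inflate the way it would inflate a mean."""
    counts = Counter(e["user"] for e in events)
    baseline = median(counts.values())
    return {user: n for user, n in counts.items() if n > factor * baseline}


def after_hours_access(events, window=BUSINESS_HOURS):
    """Question 4: number of accesses outside the working window, per user."""
    start, end = window
    out = Counter()
    for e in events:
        if not start <= e["ts"].time() <= end:
            out[e["user"]] += 1
    return dict(out)


def exporters(events):
    """Exports are rarer than reads and deserve their own flag."""
    return sorted({e["user"] for e in events if e.get("action") == "export"})


def triage(log_text):
    """Run every check and return one report; question 5 is deciding in
    advance who gets paged when any of these keys is non-empty."""
    events = parse_log(log_text)
    return {
        "generic_accounts": generic_accounts(events),
        "volume_outliers": volume_outliers(events),
        "after_hours": after_hours_access(events),
        "exports": exporters(events),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

On the sample above the report names `helpdesk` as an account that cannot be tied to a person, and `dave` as a volume outlier (13 records against a peer median of 3), as the only after-hours user, and as the only exporter. A real deployment would compute the baseline per role and over a longer window than one day, but the shape of the answer to “who accessed what, and was it normal?” is the same.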

In information security, you can’t assume that everyone will do the right thing.  Too many organizations have experienced the results of such assumptions in terms of dollars and cents, tarnished reputation, lost customers, and, for some, closed doors.   It simply isn’t worth the risk.

Photo Credit:  photostock at freedigitalphotos.net

I Was Just Trying To Help…

“I don’t have access to that budget file.  Can you give it to me?”

As easily as that, security controls meant to limit access to information to those who need it to do their job (the practice of least privilege) are bypassed by well-intentioned employees.  They only want to help, but their behavior puts your organization at risk.

Jamie Bodley-Scott wrote in a March 23, 2012 Help Net Security piece, “Securing SharePoint“:

For example – two colleagues sitting next to each other will have access to data.  However, this doesn’t mean that they both need, or in fact should, be able to access the same information.

In their quest for being a “team player” an employee may simply copy the file to a shared directory, a flash drive, or may even e-mail it to their team member in need.  The article refers to SharePoint as another tool to share information that may not be meant to be shared with others.

This is a common problem.  Most people are programmed to be helpful.  Saying “no” to another team member isn’t a natural response, so it’s important to educate employees that their access to information is linked to their particular role in the organization.  Others may not have the same access, but if they need it, there are proper channels to make the request. Bypassing security controls may have consequences for the “helpful” employee, and such consequences need to be enforced fairly and consistently to develop new patterns of behavior.

 

Photo credit:  sscreation at freedigitalphotos.net

Hacker Motivation – Does it Matter?

Motivation according to Dictionary.com is “the act or an instance of motivating, or providing with a reason to act in a certain way.”   While stealing data from organizations continues to be financially motivated the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hacktivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner “Hacktivists and cybercriminals:  Is there really a difference“, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information and method of attack is much more important.   If you’re stuck doing mandatory reporting of a breach I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.

 

Photo credit:  Salvatore Vuono and Freedigitalphotos.net

“We Don’t Need Security.. We Collect Taxes”

If looking for a gold mine of sensitive information, the IRS appears to be the place to find it.  When individuals file their returns, the expectation is that it is well protected by the United States Government.  Unfortunately, the Government Accountability Office (GAO) has found a pattern of weakness in how the IRS protects our sensitive information.

Try this on for size.

“Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.”  – Aliya Sternstein, “IRS plagued by computer vulnerabilities five consecutive years” 3/19/2012 Nextgov

It seems the IRS doesn’t want to play by the same rules as other federal agencies who are required to institute mandatory information security programs.  They not only have failed to properly train personnel but have failed miserably in testing technical controls.  AND… this is the same problem year after year after year.

It’s even more disheartening to see continued patterns of security failings and still have IRS officials say they have “fully implemented a comprehensive security program.”   That just doesn’t jibe.

I hope they fix these problems before they take on the enforcement of Obamacare.  That’s a disaster waiting to happen.

Photo credit:  Arvind Balaraman and freedigitalphotos.net

The real 1 percenters….

There are a lot of vendors pushing their wares using zero-day exploits as the chief selling point in their propaganda.  The problem is, the vast majority of compromised servers fall to known vulnerabilities and a failure in the patching process.   It stands to reason that there is more bang-for-the-buck in addressing issues such as vulnerability and patch management, rogue IT (the pesky groups who stand up their own unprotected, poorly managed and vulnerable servers and workstations), and user behavior.  Simply put, Pareto’s principle applies to a big chunk of information security issues, especially when working with a slim budget.

Zero-day exploits aren’t hype, but I’m afraid the term has been over-used as a sales technique designed to evoke an emotional response from executives.  Sales really is an emotional business.  Keep this in mind though… if you are ill-prepared to deal with the known, you have little chance of protecting yourself against the unknown.  Does it make any business sense at all to apply resources to 1% of the problem while leaving 99% unattended?   Of course not, but it’s just not as sexy or fun to play in the mundane and repetitive when the world of APTs and zero-days is grabbing headline news.

By no means am I suggesting that you ignore the evolving threats to information.  The dynamics of technology and the growing demand for full-time access to information don’t allow for that kind of laissez-faire attitude.  The new problems we face, and any solutions, need to be viewed through an innovative and creative lens.  However, the need to constantly evolve a security program is no excuse for ignoring or forgetting about the known threats and vulnerabilities to information assets.

Photo credit: ddpavumba / FreeDigitalPhotos.net

Cybersecurity Act of 2012 – Uh oh!

The US Government appears serious about passing The Cybersecurity Act of 2012 but it does little more than grab additional power while placing additional burden on the private sector.  While there are a few provisions that may create opportunities for improved protection of critical assets this bill essentially takes us down the path of “check mark security” which is a failing proposition.   If the goal is to eventually create state-controlled infrastructure, this is a step in that direction.

I’m inclined to agree with Gartner’s John Pescatore, who commented in a recent CSO article that the government already has a mechanism in place that could be used to vastly improve the ability to defend against cyber attacks.   Purchasing.   By demanding tighter security controls from software and product manufacturers as part of the US government purchasing program, we tackle a major issue when it comes to securing our infrastructure.

Check mark compliance usually means an organization will do the least amount necessary in order to satisfy their regulatory compliance obligations.  That simply does not equate to applying the right security mechanism to deal with current and trending threats.  Static regulatory requirements are not agile enough to keep up with a rapidly changing and evolving cyber ecosystem.

So where does government fit in?

  • Support for education efforts and a salary schedule that attracts talent into federal agencies and the general workforce is a good thing.  As outlined in the proposed legislation, scholarship-for-service, internships, funding competitions (that should be administered through a private sector partnership), and additional training opportunities for current federal employees are all good things.
  • Improve mechanisms for information sharing among the private and public sector.

Unfortunately, creating a compliance culture builds incentives to do the minimal amount necessary to satisfy requirements.  It does not necessarily improve the security of critical infrastructure or information.   Using the threat of a “catastrophic cyber attack” as a guise for a power grab is irresponsible and does not solve the issue at hand.   Our legislators need to take a step back, understand what they want to accomplish, and consider the unintended consequences that often accompany their actions.

 

Photo credit:  Jeroen van Oostrom / FreeDigitalPhotos.net

History of Malware

The history of viruses.  Pretty cool actually to look back at where we’ve been and the advances made in nefarious code. Courtesy of Bitdefender.