I Was Just Trying To Help…

“I don’t have access to that budget file.  Can you give it to me?”

As easily as that, security controls meant to give access to information only to those who need it to do their job (the practice of least privilege) are bypassed by well-intentioned employees.  They only want to help, but their behavior puts your organization at risk.

Jamie Bodley-Scott wrote in a March 23, 2012 Help Net Security piece, “Securing SharePoint”:

For example – two colleagues sitting next to each other will have access to data.  However, this doesn’t mean that they both need, or in fact should, be able to access the same information.

In their quest to be a “team player,” an employee may simply copy the file to a shared directory or a flash drive, or may even e-mail it to the team member in need.  The article refers to SharePoint as another tool for sharing information that may not be meant to be shared with others.

This is a common problem.  Most people are programmed to be helpful.  Saying “no” to another team member isn’t a natural response, so it’s important to educate employees that their access to information is linked to their particular role in the organization.  Others may not have the same access, but if they need it, there are proper channels to make the request. Bypassing security controls may have consequences for the “helpful” employee, and such consequences need to be enforced fairly and consistently to develop new patterns of behavior.
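The three pieces of this post (access tied to a role, a proper channel for requesting more, and the well-intentioned copy that bypasses both) fit in a small model. The following is an added illustration written for this post, not code from the original page or the Help Net Security article; every user, role, file name and label in it is constructed. It also goes one step beyond the text by showing why the copy defeats the control: a permission attached to the file’s location stops protecting the data once the data is somewhere else, whereas a check that follows the file’s classification does not, and the same audit trail that makes the approval accountable also lets you spot the copies.

```python
"""Least privilege, the proper request channel, and the "helpful copy" bypass.

Added illustration written for this post; it is not code from the original
page. Every name here (users, roles, files, labels) is constructed.
"""
from dataclasses import dataclass, field

# Constructed role model: a role holds only the files its duties require,
# and a user inherits exactly the access of their role.
ROLE_FILES = {
    "finance_analyst": {"budget_2012.xlsx"},
    "engineer": {"design_spec.docx"},
}
USER_ROLE = {"alice": "finance_analyst", "bob": "engineer"}
# Sensitivity label attached to the data itself rather than to its location.
FILE_LABEL = {"budget_2012.xlsx": "confidential", "design_spec.docx": "internal"}


@dataclass
class AccessControl:
    grants: dict = field(default_factory=dict)  # user -> files granted on request
    audit: list = field(default_factory=list)   # every decision and share, for accountability

    def can_read(self, user, filename):
        """Least privilege: role access plus any individually approved grant."""
        role_files = ROLE_FILES.get(USER_ROLE.get(user), set())
        return filename in role_files or filename in self.grants.get(user, set())

    def request_access(self, requester, filename, approver):
        """The proper channel: only someone whose own role holds the file can
        approve, the grant is specific to one file, and the decision is logged."""
        approved = filename in ROLE_FILES.get(USER_ROLE.get(approver), set())
        self.audit.append({"actor": approver, "action": "approve" if approved else "deny",
                           "subject": requester, "file": filename})
        if approved:
            self.grants.setdefault(requester, set()).add(filename)
        return approved


@dataclass
class SharedDrive:
    """A team share whose only rule is location-based: everyone on the team reads it."""
    contents: set = field(default_factory=set)


def helpful_copy(ac, user, filename, drive):
    """The well-intentioned bypass from the post: a user who legitimately
    holds a file drops it on the team share so a colleague can get at it."""
    if not ac.can_read(user, filename):
        return False
    drive.contents.add(filename)
    ac.audit.append({"actor": user, "action": "copy_to_share", "subject": None, "file": filename})
    return True


def read_from_share(ac, drive, user, filename, enforce_label):
    """Without label enforcement the share's own rule applies and the copy is
    readable by anyone; with it, the file's classification still governs who
    may read, so the copy gives nobody access they did not already have."""
    if filename not in drive.contents:
        return False
    if not enforce_label or FILE_LABEL.get(filename) != "confidential":
        return True
    return ac.can_read(user, filename)


def flag_sensitive_shares(ac):
    """Detection over the audit log: confidential files placed on the open share.
    Returns (actor, file) pairs so the event can be followed up with the person."""
    return [(e["actor"], e["file"]) for e in ac.audit
            if e["action"] == "copy_to_share" and FILE_LABEL.get(e["file"]) == "confidential"]


if __name__ == "__main__":
    ac, drive = AccessControl(), SharedDrive()
    helpful_copy(ac, "alice", "budget_2012.xlsx", drive)
    print("bob reads copy, location rule only:", read_from_share(ac, drive, "bob", "budget_2012.xlsx", False))
    print("bob reads copy, label enforced:    ", read_from_share(ac, drive, "bob", "budget_2012.xlsx", True))
    print("flagged shares:", flag_sensitive_shares(ac))
    print("proper channel approved:", ac.request_access("bob", "budget_2012.xlsx", approver="alice"))
```

Run as-is, the script shows the colleague reading the confidential copy when only the share’s location rule applies, being refused when the file’s label is enforced, the copy surfacing in the audit log for follow-up, and the same colleague getting legitimate access through an approval recorded against the approver’s name.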


Photo credit:  sscreation at freedigitalphotos.net

Hacker Motivation – Does it Matter?

Motivation, according to Dictionary.com, is “the act or an instance of motivating, or providing with a reason to act in a certain way.”   While stealing data from organizations continues to be financially motivated, the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hacktivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner, “Hacktivists and cybercriminals:  Is there really a difference”, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information and the method of attack are much more important.   If you’re stuck doing mandatory reporting of a breach, I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.


Photo credit:  Salvatore Vuono and Freedigitalphotos.net

New Dog…. Old Tricks

Funny how the anonymous nature of the Internet continues to mock us all.   Back on September 8th, a fake FBI profile was distributed via Twitter as shown in a recent post on Naked Security – Fake FBI Anonymous psychological profile – a lesson to all Internet users.

It takes me back to an old New Yorker cartoon that ran when the Internet was still an infant.  Enjoying the nostalgia.

Photo credit:  Ben Larson (Creative Commons License)

“Addicted to Click” and Supporting the Habit

Anup Ghosh wrote in his SC Magazine article titled “Unwitting accomplices and complicit security teams”:

Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.

How true!  What Ghosh refers to as castles and moats I call the Cyber Maginot Line.  The over-reliance on simple perimeter defenses ignores the shift of focus that has been made to user behavior.  While not as sexy as the “hack” seen in movies, it is simply easier to just ask.  Many users will oblige with information or are easily convinced to click on an official-looking link in an e-mail.  Most are “addicted to click”.

While I agree with Ghosh that the philosophy of “users should know better” is not a strategy, awareness IS a component of an overall security strategy.  The problem is, many companies use hour-long presentations on policy in hopes of convincing users to change their behavior.  Good luck with that.   A series of 5-minute videos over the course of a year is much more effective.  The goal isn’t to “train” people.  It’s to raise the level of awareness.  If an employee gets an “aha” moment and reports strange behavior or decides not to click on a link, mission accomplished.  If it helps them keep their home computer safe, all the better for everybody.  But again, it’s a small piece and can’t be relied on to adequately protect an organization.

That said, implementing technology that makes users’ “mistakes irrelevant” is absolutely a good approach, AND the technology to do that exists while continuing to be refined.  Ghosh’s suggestion to isolate the desktop from web browsing would be a significant step in the right direction.  The threatscape continues to evolve and we need to be agile in our defense.  That includes protecting our users from themselves by not enabling their “click habit”.

Remember when….

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad – Confidentiality, Integrity, and Availability – when I hit a road block.  The Director at the time said “Availability isn’t a security issue at all… you don’t know what you’re talking about.”   Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing resources needed to do their job.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line, but I didn’t have the skills at the time to counter her argument.   Security remained an “other duties as assigned” function for the rest of my tenure there.

Revisiting with the organization after 18 years I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is after 18 years, I will still come across similar failures in understanding.  For instance, at one organization their primary servers filled with customer data, including personally identifying information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure”.   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway”.

Examples like this continue to plague the information security field.  Is this an executive problem or a problem with CISOs not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms that are used in other business disciplines, in 18 years we’ll be hearing the same stories repeated by the next generation of security professionals.

Accountability Links Behavior and Outcomes

It amazes me that I still hear executive level IT people say that information security is a technology problem.  Sure, technology has a vital role in the building blocks of a solid information security program but even the best technology can be circumvented by unknowing or malicious people.  Getting people to understand their role in protecting a customer’s information or heck, even their own, continues to be a challenge.

In a recent CSO Online article, “Security Awareness:  Helping employees really ‘get’ company policy,” security consultant Michael Santarcangelo explained the problem in the most succinct way I’ve seen.

When people are disconnected from the consequences of their actions, they do not take responsibility and are not held accountable, he said.

The link between behavior and outcomes is accountability.  Unfortunately, it seems as though most awareness programs stop with the behavior and potential outcome duo, leaving out the accountability piece of the triad.  That is, awareness programs will list out the unacceptable behaviors and highlight the potential financial and reputation costs for the organization but fail to link that back to individual accountability of staff members.

Once you have established that everyone plays a role in protecting sensitive information and clearly set the expectation for behavior, it MUST be followed up with accountability.  It’s not “mean” to enforce policy AS LONG as the expectation for proper behavior is established and well communicated to all staff.   There should be consequences for those engaging in behaviors that place an organization and its customers at risk as long as everyone knows the behaviors and the consequences up front.

Business and Security Need Each Other

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.   There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.   Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done, but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.   Without business, there is no need for security.  Without security, business will fall victim to attack and fail.   Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

Education and awareness loses to the exploitability of humans

The recent VBMania virus (Trojan Horse) is simple proof that education and awareness programs are not sufficient to overcome human curiosity and stupidity.  For years computer users have heard the same message:  “Don’t open attachments or click on links in unsolicited e-mails.”    Yet, they still do!

Yesterday’s simple spam attack infected servers at ABC, NASA, and likely other federal agencies and clearly shows that the message delivered ad nauseam has essentially fallen on deaf ears.  This unfortunate impact to services was caused by the three biggest risks in information security:   Man, woman and child.

Two things are infinite:  the universe and human stupidity; and I’m not sure about the universe.  ~Albert Einstein.

I’m afraid awareness and education will not be able to overcome the gullible, curious, and greedy nature of humans.  We can only keep trying but it’s a tall order when faced with people who:  believe they have won a lottery they never entered; will pay an unknown person in Nigeria their entire savings account to receive their fortune; or believe that their luck hinges on sending an e-mail to all their friends.

It seems that exploiting humans is much easier than exploiting technology.  Without a clear defense against poor choices, it’s only a matter of time before a similar attack targets something a bit more critical.

Don’t Be a Billy

I’m getting a kick out of some fun videos put together by the fine folks at StaySafeOnline.org.  Check them out and enjoy this awareness video:  “Don’t be a Billy”

Security Professional Pipeline

The demand for a trained and educated information security workforce here in the U.S. continues to grow.   Creating a pipeline of information security professionals has to start early.   A national campaign to develop the next generation of “Cyber Defenders” has been happening without the fanfare or kudos that it needs.

The Collegiate Cyber Defense Competition has existed since 2005 and, according to a USA Today article, has grown from five competing schools to 83 teams from colleges and universities.  A similar high school competition has also been established and is seeing great participation.   This is exciting!  An environment where talent merges with enthusiasm for the information security field is the right environment to recruit professionals.

I hope these events continue to grow and inspire similar local and regional “cyberwar games” for high school and college teams.  I hope they become common recruiting grounds for both the public and private sector.     Well done.