Tip Tuesday – Business and Pleasure

Tip Tuesday!

Most small business owners understand that they need a business checking account in order to keep their personal and business finances separate.  That just makes good sense.  What some, especially home-based business owners, fail to do is separate their business and personal computing, especially user IDs and passwords.  Maintaining that dividing line between your personal and business assets, especially how they are accessed, is important to protect your business and your customers.

A handful of areas to think about:

  • Online banking – access to personal and business accounts should not be the same.
  • E-mail – Customers should send and receive e-mail from a “business” account.
  • CRM – If you use an online CRM tool, don’t access it the same way you access your personal Facebook page.
  • Social Media – Personal accounts should be accessed differently than business or “fan” pages (even if your name is your business).

Treat your business like a business.  Protect yourself, your business, and your customers.

A Shame for InfoSec Transparency

The CISO of Pennsylvania was apparently fired after discussing a breach while serving on a panel at the recent RSA conference.  The removal appeared in several articles including this SCMagazine report.   The information provided by Bob Maley was a clear description of a threat that some states may face, an appropriate discussion for this panel.  However, it seems Maley didn’t get explicit permission to talk about this issue and was terminated for this breach of protocol.

There may be other personnel issues involved but the timing of this is certainly suspect.  While Maley should have been disciplined for violating communication protocol, the end result appears to be disproportionate to the offense.

The RSA panel was a great opportunity to share information and lessons learned.  Instead of embracing that level of transparency, we see a SCMagazine CISO of the Year finalist losing his job by trying to help others learn from his experience.  If others fear such action for sharing sanitized lessons learned then our field has taken a step backward in transparency and communication.  That’s a shame.

“Jargon” follow-up: InfoSec and the MBA

Nomenclature is simply a way to name things that are used in communication.  Every profession has their own taxonomy that allows them to understand and identify “things” that are specific to their area of expertise.  This has a downside.  Those outside of “the club” have difficulty understanding the terms and principles that come naturally to the “initiated”.

For information security professionals working in business environments, the ability to translate InfoSec into terms understandable to other business professionals is essential to success.  The lack of this skill often leads to a misunderstanding of risk that essentially leads to an unnecessary exposure.

To overcome this, I have found it useful to set foot into the world of accounting, finance, economics, organizational behavior, marketing, and logistics by earning my MBA.  While certainly not an expert in any of the fields mentioned, I have been initiated into their ranks through education.  This at least provides an opportunity to build a bridge between security and business functions because I am able to communicate, at least partially, using their “language” rather than forcing them to learn mine.

So, “jargon” can be useful.  It certainly allows more efficient communication between peers.  Even more important, learning other “professional languages”  creates an opportunity to translate your terms and principles into something understandable to others.   I’m convinced that this skill provides value by creating more “aha” information security moments across multiple business disciplines.

I’d be remiss if I did not provide a plug for my alma mater.  The University of Nevada part-time MBA program was nationally ranked #21 by Business Week, and #5 in the West.  Go Pack!

InfoSec targeted for use of “jargon” – Blah!

Why is it that terms used in the information security profession are referred to as “gobbledegook” while in other professions they are known as nomenclature?  Every profession has its own jargon, so for “experts” to label this as something unique to information security is rather unfair.

“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”

- Maclean, William, “Computer jargon baffles users, hinders security”, msnbc – Technology & Science, February 19, 2010.

This isn’t some malicious attempt to create a mystical club with secret words and handshakes.  Industry specific terminology helps those professionals within that industry communicate clearly with each other.  Isn’t this also true in finance, medicine, law, software design, architecture, etc?

Former U.S. Homeland Security Secretary Michael Chertoff had this to say:

Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”

I don’t know about you, but when a physician rattles off medical terminology I’m certainly not feeling empowered.  I do, however, trust that I’m being treated by someone trained in that particular field who understands the complexities and can communicate with peers (referrals) who also understand the “jargon”.  Isn’t this what they are paid for?  It’s no surprise that such a comment came from Chertoff, who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.

Having “experts” come out and say things like “plain language is vital” is nothing new.  In any awareness or education campaign, the content of the message must be audience appropriate.  If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar to them in order to be effective.  That’s a no-brainer.

Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.

Don’t Let FUD Trump Value

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organizations take in regards to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline-grabbing world of FUD (Fear, Uncertainty, and Doubt), and that is the only way security efforts ever show up on their radar.  That is unfortunate but shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora” today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation.  Certainly there are some lessons learned from this incident that should be applied, but ultimately, information security should be an evolving proactive process, not a panic-stricken FUD game.

  1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond OS patches to applications as well.
  2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
  3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware but keeping out the old stuff is important too.
  4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come in to a centralized location that can be indexed and analyzed or do you really believe an analyst is manually looking through millions of log events each day?
  5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them or provide some type of compensating controls.  Learn from compromised systems and the information already available to you from IDS, SIEM, logs, etc.
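Items 4 and 5 above ask whether logs land somewhere they can be indexed and analyzed rather than eyeballed. The following is an added example (not the author’s code) of what that looks like in the smallest form: a handful of constructed SSH authentication lines, as they might arrive at a central collector, are parsed, indexed by host and source address, and queried for a pattern an analyst would never spot by hand across millions of events, namely a run of failed logins from one source followed by a success from the same source. The log lines, hosts and addresses are made up for the example; the threshold and time window are arbitrary starting points to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of SSH authentication records as they might arrive at a
# central log collector. These lines are made up for the example, not real data.
SAMPLE_LOGS = """\
2010-03-01T08:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2010-03-01T08:00:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
2010-03-01T08:00:05 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51024 ssh2
2010-03-01T08:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51025 ssh2
2010-03-01T08:00:12 web01 sshd[2211]: Accepted password for root from 203.0.113.5 port 51026 ssh2
2010-03-01T08:15:00 db02 sshd[1021]: Accepted publickey for backup from 198.51.100.20 port 40000 ssh2
2010-03-01T09:02:44 db02 sshd[1030]: Failed password for oracle from 198.51.100.77 port 40311 ssh2
2010-03-01T09:40:00 db02 sshd[1044]: Accepted password for oracle from 198.51.100.77 port 40399 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logs(text):
    """Turn raw lines into structured events; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def index_events(events):
    """Index by (host, source IP) so a question can be answered without rescanning everything."""
    index = defaultdict(list)
    for e in events:
        index[(e["host"], e["src"])].append(e)
    return index


def find_brute_force_successes(index, threshold=3, window_seconds=300):
    """Flag (host, src) pairs where an accepted login follows >= threshold
    failures from the same source within the window: a likely guessed password."""
    findings = []
    for (host, src), evs in index.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            recent_failures = [f for f in evs[:i] if f["result"] == "Failed"
                               and (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            if len(recent_failures) >= threshold:
                findings.append({"host": host, "src": src, "user": e["user"],
                                 "failures": len(recent_failures), "at": e["ts"].isoformat()})
    return findings


def failure_counts_by_source(index):
    """Per-source failure totals: a simple aggregate nobody produces by eye over millions of lines."""
    counts = {}
    for (_, src), evs in index.items():
        n = sum(1 for e in evs if e["result"] == "Failed")
        if n:
            counts[src] = counts.get(src, 0) + n
    return counts


if __name__ == "__main__":
    idx = index_events(parse_logs(SAMPLE_LOGS))
    for f in find_brute_force_successes(idx):
        print(f"ALERT {f['host']}: {f['failures']} failures then login as {f['user']} "
              f"from {f['src']} at {f['at']}")
    print("failures by source:", failure_counts_by_source(idx))
```

On the sample, only web01 is flagged: four failures from 203.0.113.5 within eleven seconds, then an accepted password for root from the same source. The single failure on db02 followed by a success forty minutes later stays below both the count and the window, which is the point of indexing by source and time rather than alerting on every failed login.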

Show that information security provides value without resorting to scare tactics else you become the “boy who cried wolf” and ineffective in your long term efforts.

Lawsuit, breaches and bashing… oh my!

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business, it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected, but companies are ill-prepared for dealing with a crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilant.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest Airlines crash at Midway airport in 2005.  Neither of these is an information security incident, but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

2010 Information Security Predictions

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.  With major attacks taking place in 2010 and, hopefully, an improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment is emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

The Cloud Does Not Absolve Responsibility

Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure but there is more to consider than just server management.  Security in the cloud simply has not had an opportunity to mature.  Protecting servers, which no doubt cloud providers can do pretty effectively, is different than protecting information.   Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.

There are three issues that come to mind immediately.

  1. I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them.  However, attackers will target web and database applications not servers.  While the servers are protected, your data can still be exposed due to poor practices and controls.
  2. Cloud computing by its very nature will limit the type of security tools that can be applied in that environment.  While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud.  You may be able to design them into the environment for additional costs but are you now minimizing your return on investment?
  3. You may have little control over how much audit information is collected which can prevent you from being proactive.   Cloud providers are initiating contracts that give you ownership of your data but you may not own all of your log data.  To get this information may require a court order.

Ultimately, you need to be aware of how data flows inside and outside your organization whether you choose to house servers internally or move applications to the cloud.   If your business relies on highly valuable intellectual property then you may want to think twice about the types of controls available to you in the cloud.   If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost effective solution with good basic security measures.

If considering cloud computing consider the following:

  1. Computer security is not the same as information security.  Understand the value of information to your business and what level of protection is required for that information.
  2. Understand that even if you own your data, the audit log data may not be accessible to you.  Determine the consequences of not having access to audit logs and decide whether it’s important or not.
  3. Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally.  If that raises concern then you may not want to put that type of data into the cloud environment.

Cloud computing offers incredible opportunities for business processing at lower costs but the business decision must also consider security and privacy concerns.  The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there.  It’s important to consider the risk as well as the benefit when making decisions about cloud computing.  Remember, you are protecting information and that goes beyond just the physical location of servers.

Where Did That Come From?

Many victims of identity theft have no idea how their information was stolen.  Unfortunately, business processes may be leading to the disclosure of customer or employee personal information.  It seems obvious that hard drives that are in desktop and laptop computers need to be sanitized before being surplussed but a recent article identifies copy machines as having similar issues with the storage of personal information.  Who’d have thought!?!?

“56 percent of people victims of ID theft have no idea how perpetrators got their ID,” said Sean O’Leary of Digital Copier Security, “And we can assume a portion or large part is a result of data breeches from photocopiers.”

That’s right – photocopiers.

O’Leary says he believes most companies don’t realize their copy machines have hard drives.

“We just take it for granted this little photocopier sitting in the corner of an office is safe and innocuous,” said O’Leary, “But in reality, with that hard drive it’s storing personal information.”

Today’s copy machines do a whole lot more than copy. They print. They scan. They email. They fax.

The machine has to have a way to remember all that information.

Between 1998 and 2002, companies began equipping copy machines with hard drives.

- Yeager, Melissa, “Press Copy to have your Identity Stolen”, WINK News, Nov 12, 2009.

Considering the type of information that is “copied”, it seems that copier hard drives may be an ideal source for the malicious person looking to steal sensitive data.   While it may seem simple to use a program like DBAN to wipe the hard drive of a desktop or laptop, removing data from a leased copy machine may create a challenge for most organizations.  Leasing companies should be warning companies about the hard drives and providing either a manner in which to sanitize the hard drive by the customer OR certifying the destruction of personal information when the copier is exchanged as part of a lease.
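Whether the drive comes out of a surplused desktop or a returned copier, the useful follow-up to “we wiped it” is “we checked.” The following is an added example (not from the article or the author) of a verification pass over a drive image: it reads the image in chunks and reports the offset of every chunk that still holds a byte other than zero, which is what a zero-fill wipe is supposed to leave behind. The images it scans are constructed in a temporary directory for the example; against real hardware you would point it at a read-only image taken after the wipe, and the chunk size is an arbitrary choice.

```python
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # bytes read per pass; a real drive image would use a larger chunk


def find_unwiped_regions(path, chunk_size=CHUNK_SIZE):
    """Scan an image (or a block device opened read-only) and return
    (offset, length) for every chunk that still contains a non-zero byte."""
    regions = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            # A zero-fill wipe leaves every byte 0x00; any other byte is leftover data.
            if chunk.count(0) != len(chunk):
                regions.append((offset, len(chunk)))
            offset += len(chunk)
    return regions


def is_wiped(path, chunk_size=CHUNK_SIZE):
    """True only when no chunk of the image contains leftover data."""
    return not find_unwiped_regions(path, chunk_size)


def make_sample_image(size, remnant=b"", remnant_offset=0):
    """Write a constructed test image: all zeros, optionally with a planted
    remnant of 'sensitive' data. Returns the path; call remove_image when done."""
    data = bytearray(size)
    data[remnant_offset:remnant_offset + len(remnant)] = remnant
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def remove_image(path):
    """Delete a constructed test image."""
    os.remove(path)


if __name__ == "__main__":
    clean = make_sample_image(4 * CHUNK_SIZE)
    dirty = make_sample_image(4 * CHUNK_SIZE, b"patient: J. Doe  DOB 1970-01-01", 100000)
    try:
        print("clean image wiped:", is_wiped(clean))
        print("dirty image leftovers at:", find_unwiped_regions(dirty))
    finally:
        remove_image(clean)
        remove_image(dirty)
```

The check is deliberately strict: one stray byte fails the whole image, because the question being answered is not “is most of it gone” but “can we certify it is gone.” For a leased copier that cannot be imaged, the same evidence has to come from the leasing company in the form of a destruction certificate, which is the point made above.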

Sometimes the information security challenges come from unusual places.  With technology advances, we need to be mindful of where information flows throughout ALL of the organization, even in what most would consider to be rather innocuous places.

Information Delivery vs. Information Security

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked, “When you install a new server, what are the first two things you do?”

Both of them answer, “install the latest patches and updates and remove all unnecessary services”.  Good answers, but the reasoning behind these answers is entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.
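“Remove unnecessary services” only means something once you have written down which services a given server is supposed to offer. The following is an added example, not the author’s, of the check the security administrator’s reasoning leads to: the listening sockets on a host (here a constructed sample in the shape of Linux `ss -ltnp` output) are compared with a hypothetical baseline for the server’s role, and anything reachable from the network that is not in the baseline is reported as an opening to close. The role name, the baseline ports, and the processes and pids in the sample are all made up for the example.

```python
import re

# Constructed output in the shape of `ss -ltnp` on a Linux host; the processes,
# ports and pids are made up for the example.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1040,fd=6))
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1301,fd=4))
LISTEN 0      50     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1410,fd=12))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=8))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline for a "web" server role: only these ports may be
# reachable from the network. Anything else listening is an unplanned opening.
ROLE_BASELINES = {"web": {22, 80, 443}}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(text):
    """Return one dict per LISTEN line: bind address, port, process name and pid."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)  # rsplit keeps IPv6 addresses like [::] intact
        listeners.append({"addr": addr, "port": int(port), "proc": m["proc"], "pid": int(m["pid"])})
    return listeners


def review_listeners(listeners, role):
    """Split listeners into: expected for the role, exposed but outside the
    baseline (attack surface to remove), and loopback-only (lower risk, still worth a look)."""
    allowed = ROLE_BASELINES[role]
    report = {"expected": [], "unexpected_exposed": [], "loopback_only": []}
    for l in listeners:
        if l["addr"] in LOOPBACK:
            report["loopback_only"].append(l)
        elif l["port"] in allowed:
            report["expected"].append(l)
        else:
            report["unexpected_exposed"].append(l)
    return report


def unexpected_processes(listeners, role):
    """Names of processes that should be disabled or firewalled for this role."""
    return sorted({l["proc"] for l in review_listeners(listeners, role)["unexpected_exposed"]})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    rep = review_listeners(found, "web")
    for l in rep["unexpected_exposed"]:
        print(f"REVIEW: {l['proc']} (pid {l['pid']}) on {l['addr']}:{l['port']} is not in the web baseline")
    for l in rep["loopback_only"]:
        print(f"INFO: {l['proc']} is bound to loopback only on port {l['port']}")
    print("candidates to disable:", unexpected_processes(found, "web"))
```

On the sample, the FTP and RPC listeners come back as candidates to disable, the two sshd entries and nginx match the baseline, and the database bound to 127.0.0.1 is reported separately because it is not reachable from the network. Both administrators in the story get something from the same report: the first sees processes consuming resources for no reason, the second sees openings that never needed to exist.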

Why is this difference important as long as the work is getting done?

It’s about a mindset.   In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.   Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.   Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.   Doesn’t your business deserve at least that much?