paulmudgett.com

Nomenclature is simply a way to name things that are used in communication.  Every profession has their own taxonomy that allows them to understand and identify “things” that are specific to their area of expertise.  This has a downside.  Those outside of “the club” have difficulty understanding the terms and principles that come naturally to the “initiated”.

For information security professionals working in business environments, the ability to translate InfoSec into terms understandable to other business professionals is essential to success.  The lack of this skill often leads to a misunderstanding of risk that essentially leads to an unnecessary exposure.

To overcome this, I have found it useful to set foot into the world of accounting, finance, economics, organizational behavior, marketing, and logistics by earning my MBA.  While certainly not an expert in any of the fields mentioned, I have been initiated into their ranks through education.  This at least provides an opportunity to build a bridge between security and business functions because I am able to communicate, at least partially, using their “language” rather than forcing them to learn mine.

So, “jargon” can be useful.  It certainly allows more efficient communication between peers.  Even more important, learning other “professional languages”  creates an opportunity to translate your terms and principles into something understandable to others.   I’m convinced that this skill provides value by creating more “aha” information security moments across multiple business disciplines.

I’d be remiss if I did not provide a plug for my alma mater.  The University of Nevada part-time MBA program was nationally ranked #21 by Business Week, and #5 in the West.  Go Pack!

Why is it that terms used in the information security profession is referred to as “gobbledegook” while in other professions it’s known as nomenclature.  Every profession has its own jargon so for “experts” to label this as something unique to information security is rather unfair.

“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”

- Maclean, William, “Computer jargon baffles users, hinders security“, msnbc – Technology & Science, February 19, 2010.

This isn’t some malicious attempt to create a mystical club with secret words and handshakes.  Industry specific terminology helps those professionals within that industry communicate clearly with each other.  Isn’t this also true in finance, medicine, law, software design, architecture, etc?

Former U.S. Homeland Security Secretary Michael Chertoff had this to say:

Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”

I don’t know about you but when a physician rattles off medical terminology I’m certainly not feeling empowered.  I do however trust that I’m being treated by someone trained in that particular field who understand the complexities and can communicate with peers (referrals) who also understand the “jargon”.  Isn’t this what they are paid for?  It’s no surprise that such a comment came from Chertoff who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.

Having “experts” come out and say things like “plain language is vital” is nothing new.  In any awareness or education campaign, the content of the message must be audience appropriate.  If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar with them in order to be effective.  That’s a no-brainer.

Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organization take in regards to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline grabbing world of FUD (Fear, Uncertainty, and Doubt) and that is the only way security efforts ever show up on their radar.  That is unfortunate but shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora’ today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation.  Certainly there is some lessons learned from this incident that should be applied but ultimately, information security should be an evolving proactive process, not a panic stricken FUD game.

1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond O/S patches but applications as well.
2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware but keeping out the old stuff is important too.
4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come in to a centralized location that can be indexed and analyzed or do you really believe an analyst is manually looking through millions of log events each day?
5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them or provide some type of compensating controls.  Learn from compromised systems and the information already available to you from IDS, SEIM, logs, etc.

Show that information security provides value without resorting to scare tactics else you become the “boy who cried wolf” and ineffective in your long term efforts.

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.    With major attacks taking place in 2010 and hopefully and improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment are emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure but there is more to consider than just server management.  Security in the cloud simply has not had an opportunity to mature.  Protecting servers, which no doubt cloud providers can do pretty effectively, is different than protecting information.   Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.

There are three issues that come to mind immediately.

1. I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them.  However, attackers will target web and database applications not servers.  While the servers are protected, your data can still be exposed due to poor practices and controls.
2. Cloud computing by its very nature will limit the type of security tools that can be applied in that environment.  While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud.  You may be able to design them into the environment for additional costs but are you now minimizing your return on investment?
3. You may have little control over how much audit information is collected which can prevent you from being proactive.   Cloud providers are initiating contracts that give you ownership of your data but you may not own all of your log data.  To get this information may require a court order.

Ultimately, you need to be aware of how data flows inside and outside your organization whether you choose to house servers internally or move applications to the cloud.   If your business relies on highly valuable intellectual property then you may want to think twice about the types of controls available to you in the cloud.   If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost effective solution with good basic security measures.

If considering cloud computing consider the following:

1. Computer security is not the same as information security.  Understand the value of information to your business and what level of protection is required for that information.
2. Understand that even if you own your data, the audit log data may not be accessible to you.  Determine the consequences of not having access to audit logs and decide whether it’s important or not.
3. Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally.  If that raises concern then you may not want to put that type of data into the cloud environment.

Cloud computing offers incredible opportunities for business processing at lower costs but the business decision must also consider security and privacy concerns.  The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there.  It’s important to consider the risk as well as the benefit when making decisions about cloud computing.  Remember, you are protecting information and that goes beyond just the physical location of servers.

Many victims of identity theft have no idea how their information was stolen.  Unfortunately, business processes may be leading to the disclosure of customer or employee personal information.  It seems obvious that hard drives that are in desktop and laptop computers need to be sanitized before being surplussed but a recent article identifies copy machines as having similar issues with the storage of personal information.  Who’d have thought!?!?

56 percent of people victims of ID theft have no idea how perpetrators got their ID,” said Sean O’Leary of Digital Copier Security, “And we can assume a portion or large part is a result of data breeches from photocopiers.”

That’s right – photocopiers.

O’Leary says he believes most companies don’t realize their copy machines have hard drives.

“We just take it for granted this little photocopier sitting in the corner of an office is safe and innocuous,” said O’Leary, “But in reality, with that hard drive it’s storing personal information.”

Today’s copy machines do a whole lot more than copy. They print. They scan. They email. They fax.

The machine has to have a way to remember all that information.

Between 1998 and 2002, companies began equipping copy machines with hard drives.

“Press Copy to have your Identity Stolen.”  Melissa Yeager, WINK News, Nov 12, 2009

Considering the type of information that is “copied”, it seems that copier hard drives may be an ideal source for the malicious person looking to steal sensitive data.   While it may seem simple to use a program like DBAN to wipe the hard drive of a desktop or laptop, removing data from a leased copy machine may create a challenge for most organizations.  Leasing companies should be warning companies about the hard drives and providing either a manner in which to sanitize the hard drive by the customer OR certifying the destruction of personal information when the copier is exchanged as part of a lease.

Sometimes the information security challenges come from unusual places.  With technology advances, we need to be mindful of where information flows throughout ALL of the organization, even in what most would consider to be rather innocuous places.

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked “When you install a new server, what is the first two things you do?”

Both of them answer, “install the latest patches and updates and remove all unnecessary services”.  Good answers but the reasoning behind these answers are entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I  make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.

Why is this difference important as long as the work is getting done?

It’s about a mindset.   In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.   Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.   Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.   Doesn’t your business deserve at least that much?

Social networking has enhanced collaboration for many companies but it creates a risk of employees sharing intellectual property or other strategically important company information with outsiders.  This certainly places an increased burden on strategically aligned CSO’s who must balance the need for security with business goals and objectives.

The Global State of Information Security survey produced by Price-Waterhouse-Coopers in conjunction with CIO magazine, demonstrated a growing concern over the risks associated with social networking.  While monitoring technologies can help within the company borders, access to social networking sites such as Facebook, Twitter, and Myspace fall clearly outside the watchful eye of security technology.

This then becomes a cultural issue tackled primarily with users education and security awareness programs that emphasize that information provided on social networks is in the public domain.

Bill Brenner, Senior Editor with CSO Magazine published the “Seven Deadly Sins of Social Networking Security” back in June of 2009.  Brenner lists these social networking sins as follows:

1.  Over-sharing company activities

2.  Mixing personal with professional

3.  Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage

4.  Believing he/she who dies with the most connections wins

5.  Password sloth

6.  Trigger finger (clicking everything, especially on Facebook)

7.  Endangering yourself and others.

While social media is a fantastic method to share information and collaborate, it’s important to consider the content of what you’re posting to avoid risking your company and more importantly, yourself.   Remember the final 5 tweets of Harold Wigginbottom , Tech-Savvy CEO:

CSO Magazine, May 27, 2009

Help your employees.  Help yourself.

Richard Power wrote an article for CSO Online entitled  “Red Pill?  Blue Pill?  Ruminations on the Intersection of Inner Space and Cyber Space”.  It ties into the psychology of information security and how the shifting attitudes regarding privacy and security require a different approach to information security.   Power writes:

There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.

The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”.  If the change is not apparent, consider the way communication has changed over the last few decades.

Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media

Different generations have different preferences in the way information is communicated to them.  While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world.  In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message.  We must be better at communicating the value of security in terms and context that is important to the “receiver”.

The bottom line is information security is a collective effort.  We simply cannot afford to lose the message in transit because of a rigid approach to communication.

Be passionate.  Be open.  Be clear.  Be agile.