The real 1 percenters….

There are a lot of vendors pushing their wares using zero-day exploits as a chief selling piece in their propaganda.  The problem is, the vast majority of servers are compromised by known vulnerabilities and a failure in the patching process.   It stands to reason that there is more bang-for-the-buck by addressing issues such as vulnerability and patch management, rogue IT (the pesky groups who stand up their own unprotected, poorly managed and vulnerable servers and workstations), and user behavior.  Simply put, Pareto’s principle is an effective technique in dealing with a big chunk of information security issues, especially when working with a slim budget.

Zero-day exploits aren’t hype but I’m afraid the term has been over-used as a sales technique designed to evoke an emotional response from executives.  Sales really is an emotional business.  Keep this in mind though… if you are ill-prepared to deal with the known you have little chance of protecting yourself against the unknown.  Does it make any business sense at all to apply resources to 1% of the problem while leaving 99% unattended to?   Of course not, but it’s just not as sexy or fun to play in the mundane and repetitive when the world of APTs and zero-days is grabbing headline news.

By no means am I suggesting to ignore the evolving threats to information.  The dynamics of technology and the growing demand for full-time access to information don’t allow for that kind of laissez-faire attitude.  The new problems we face and any solutions need to be viewed through an innovative and creative lens.  However, the need to constantly evolve a security program is no excuse for ignoring or forgetting about the known threats and vulnerabilities to information assets.

Photo credit: ddpavumba / FreeDigitalPhotos.net

Technical Tunnel Vision

I was recently reminded how easily one can become focused on a single, technical solution to a problem and completely miss process or people solutions.  With the pressure of a fast-paced environment and constantly changing priorities, technically oriented people will often fall back on their bread-and-butter to churn out a quick solution.  I’m guilty of this just like many others, I’m sure.  This is unfortunate.

I’m convinced that the best solutions can only be found if all options are on the table, and you can’t possibly understand all the options if you don’t gather information from affected business units and the people actually doing the work.  How dumb would I have been if I had suggested spending tens of thousands of dollars on a technical solution when a simple change in workflow or business process/procedure could solve the problem equally well?

Sometimes you have no choice, but you owe it to yourself, your company or your client, to examine all possible options (within reason).  Explore the benefits and impacts of each.  Show the costs of each proposed solution in dollars, resources, and reputation.  By all means, don’t think you can adequately come up with a solution sitting behind a desk and not talking with those affected.  Don’t let the pressure of deadlines and multiple priorities prevent you from tapping into the valuable resource of the folks performing the day-to-day work.

It’s easy to fall back into a comfort zone of technical solutions, but to add value to your organization as a security professional, you must learn to provide a broad range of business solutions that encompass technology, people, and processes.

Identity Theft and Moral Hazard

Today in the Los Angeles Times – “Nearly 12 Million in U.S. were victims of identity theft, report says”

Not a surprising headline, quite frankly.  Many people recognize that identity theft is a real problem in the U.S. and abroad, but have the banks created a situation of moral hazard by covering losses?

From the article:

Three-quarters of victims said they suffered no out-of-pocket financial loss, presumably because their banks covered the loss, the report said.

Moral hazard, by definition, occurs when a party behaves differently because they are insulated from the risks.  In this case, identity theft victims are insulated from the risk of out-of-pocket financial loss.   So, are people more likely to engage in risky behavior with their personal information because the financial risk is mitigated?

I wonder if people would be more likely to practice behaviors that protect their personal information if the out-of-pocket risks were higher?  Would people think twice about responding to e-mail requesting bank account numbers, Social Security numbers, and online user IDs and passwords if they knew they wouldn’t be reimbursed for losses?  What if businesses covered losses only if you could verify your PC was up to date with patches, anti-malware, and personal firewall protection?

I’m all for insulating those who take efforts to protect themselves and become true victims of identity theft through no fault of their own.  I become a bit skeptical when people engage in risky behavior merely because they know the consequences of their behavior will be covered by someone else.

“Jargon” follow-up: InfoSec and the MBA

Nomenclature is simply a way to name things that are used in communication.  Every profession has its own taxonomy that allows its members to understand and identify “things” that are specific to their area of expertise.  This has a downside.  Those outside of “the club” have difficulty understanding the terms and principles that come naturally to the “initiated”.

For information security professionals working in business environments, the ability to translate InfoSec into terms understandable to other business professionals is essential to success.  The lack of this skill often leads to a misunderstanding of risk, which in turn leads to unnecessary exposure.

To overcome this, I have found it useful to set foot into the world of accounting, finance, economics, organizational behavior, marketing, and logistics by earning my MBA.  While certainly not an expert in any of the fields mentioned, I have been initiated into their ranks through education.  This at least provides an opportunity to build a bridge between security and business functions because I am able to communicate, at least partially, using their “language” rather than forcing them to learn mine.

So, “jargon” can be useful.  It certainly allows more efficient communication between peers.  Even more important, learning other “professional languages”  creates an opportunity to translate your terms and principles into something understandable to others.   I’m convinced that this skill provides value by creating more “aha” information security moments across multiple business disciplines.

I’d be remiss if I did not provide a plug for my alma mater.  The University of Nevada part-time MBA program was nationally ranked #21 by Business Week, and #5 in the West.  Go Pack!

InfoSec targeted for use of “jargon” – Blah!

Why is it that terms used in the information security profession are referred to as “gobbledegook” while in other professions they’re known as nomenclature?  Every profession has its own jargon, so for “experts” to label this as something unique to information security is rather unfair.

“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”

- Maclean, William, “Computer jargon baffles users, hinders security”, msnbc – Technology & Science, February 19, 2010.

This isn’t some malicious attempt to create a mystical club with secret words and handshakes.  Industry specific terminology helps those professionals within that industry communicate clearly with each other.  Isn’t this also true in finance, medicine, law, software design, architecture, etc?

Former U.S. Homeland Security Secretary Michael Chertoff had this to say:

Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”

I don’t know about you but when a physician rattles off medical terminology I’m certainly not feeling empowered.  I do however trust that I’m being treated by someone trained in that particular field who understands the complexities and can communicate with peers (referrals) who also understand the “jargon”.  Isn’t this what they are paid for?  It’s no surprise that such a comment came from Chertoff who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.

Having “experts” come out and say things like “plain language is vital” is nothing new.  In any awareness or education campaign, the content of the message must be audience appropriate.  If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar to them in order to be effective.  That’s a no-brainer.

Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.

Information Delivery vs. Information Security

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked, “When you install a new server, what are the first two things you do?”

Both of them answered, “install the latest patches and updates and remove all unnecessary services”.  Good answers, but the reasoning behind them is entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I  make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.

Why is this difference important as long as the work is getting done?

It’s about a mindset.   In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.   Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.   Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.   Doesn’t your business deserve at least that much?

Evolving the Security Message

Richard Power wrote an article for CSO Online entitled  “Red Pill?  Blue Pill?  Ruminations on the Intersection of Inner Space and Cyber Space”.  It ties into the psychology of information security and how the shifting attitudes regarding privacy and security require a different approach to information security.   Power writes:

There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.

The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”.  If the change is not apparent, consider the way communication has changed over the last few decades.

Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media

Different generations have different preferences in the way information is communicated to them.  While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world.  In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message.  We must be better at communicating the value of security in terms and context that are important to the “receiver”.

The bottom line is information security is a collective effort.  We simply cannot afford to lose the message in transit because of a rigid approach to communication.

Be passionate.  Be open.  Be clear.  Be agile.

Data or Information??

Yesterday I had a conversation with a friend and the topic led to the label “data security” versus “information security” and which one I prefer.  For me, it’s not so much a preference as it is a scope of work or definition of what it is I’m responsible for protecting.  I couched my answer in this way.

Here are five numbers:  63, 71, 88, 92, 98.   Take these numbers and place them in order of best to worst.   Many would assume the highest number is the best.  What if I put them in the context of golf scores?  Oops.  Does it change the order?  The numbers are merely data; the context turns those numbers into information.

From a security point of view, the same philosophy applies.   Is there an obligation to protect a series of 9 digits or an obligation to protect social security numbers?  Does PCI apply to credit card numbers or to any series of 16 digits?  Unless data is placed into context, how are we to know exactly what regulations apply, assign value, or interpret threats?  We can’t protect PII if we don’t know what it is.
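As an added illustration (not part of the original post), here is a small Python classifier that treats the very same digit strings as protected information or as plain data depending on the field they sit in.  The field names and sample values are constructed, and the Luhn check-digit test is my addition as a structural hint the post does not mention; it never decides on its own.

```python
import re

# Constructed sample records (not from the post). The same digits appear under
# different field names: the digits are data, the field name is the context.
RECORDS = [
    {"field": "card_number", "value": "4111 1111 1111 1111"},  # well-known test PAN shape
    {"field": "order_id",    "value": "4111111111111111"},     # same digits, no card context
    {"field": "ssn",         "value": "123-45-6789"},          # constructed 9-digit value
    {"field": "part_number", "value": "123456789"},            # same digits, no SSN context
    {"field": "card_number", "value": "1234 5678 9012 3456"},  # card context, fails Luhn
]

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test. A 16-digit string that passes is card-shaped,
    nothing more; one that fails in a card field deserves a second look."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(field: str, value: str) -> str:
    """Decide what a value is from its shape plus the context it is stored in.
    Shape alone (9 or 16 digits) never triggers a protective label."""
    digits = re.sub(r"\D", "", value)
    name = field.lower()
    pan_context = name in {"card_number", "pan", "cc_number"}
    ssn_context = name in {"ssn", "social_security_number"}
    if len(digits) == 16 and pan_context:
        if luhn_valid(digits):
            return "PAN (PCI scope)"
        return "16 digits in card field, fails Luhn: review"
    if len(digits) == 9 and ssn_context:
        # SSNs carry no check digit, so context is the only signal here.
        return "SSN (PII)"
    return "data (no protective context)"

def classify_records(records):
    """Label every record; the two 4111... and two 123456789 values diverge."""
    return [(r["field"], classify(r["field"], r["value"])) for r in records]

if __name__ == "__main__":
    for field, label in classify_records(RECORDS):
        print(f"{field:12} -> {label}")
```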

So, for me, the answer is simple.  Data security is protecting a series of numbers and letters which doesn’t add much value to an organization.  Information security protects data that has been put into meaningful context.  I know which arena I play in.  How about you?