Posts Tagged ‘security enabler’

Technical Tunnel Vision

Posted in Business and Security on February 3rd, 2011 by Paul

I was recently reminded how easily one can become focused on a single technical solution to a problem and completely miss process or people solutions.  Under the pressure of a fast-paced environment and constantly changing priorities, technically oriented people will often fall back on their bread and butter to churn out a quick solution.  I’m guilty of this, as I’m sure many others are.  This is unfortunate.

I’m convinced that the best solutions can only be found if all options are on the table and you can’t possibly understand all the options if you don’t gather information from affected business units and the people actually doing the work.  How dumb would I have been if I had suggested spending tens of thousands of dollars on a technical solution when a simple change in work flow or business process/procedure could solve the problem equally well?

Sometimes you have no choice, but you owe it to yourself, your company or your client to examine all possible options (within reason).  Explore the benefits and impacts of each.  Show the costs of each proposed solution in dollars, resources and reputation.  By all means, don’t think you can come up with an adequate solution sitting behind a desk without talking to those affected.  Don’t let the pressure of deadlines and multiple priorities prevent you from tapping into the valuable resource of the people performing the day-to-day work.

It’s easy to fall back into a comfort zone of technical solutions but to add value to your organization as a security professional, you must learn to provide a broad range of business solutions that encompass technology, people, and processes.

Business and Security Need Each Other

Posted in Business and Security, National InfoSec on October 4th, 2010 by Paul

A recent eWeek article, “Cyber-security Hurts Federal Government Productivity, Survey Says”, clearly demonstrates how much of the security problem is one of perception and communication.  There seems to be a significant disconnect between what people think is needed to perform an agency’s mission and performing that mission without compromising the agency’s computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to website and e-mail access.  Knee-jerk reactions usually lead to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised through “choice failure” in e-mail and website use (the clicked link, the opened attachment).   Some system-wide protections simply need to be in place, and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done, but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.   Without business, there is no need for security.  Without security, business will fall victim to attack and fail.   Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

New CyberSecurity Coordinator points to private sector solutions

Posted in Business and Security, National InfoSec on April 7th, 2010 by Paul

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach, even if I think his position is weakened by its placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt argues that defense against the wide range of threats, including coordinated attacks, is best led from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector is not only the key to defense but also the problem.  Too many organizations have built a cyber-Maginot line that merely creates the illusion of security while more agile attackers go around stale, slow-moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan for when the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Be an Agile Defender

Posted in Business and Security, Should Have Known Better on March 18th, 2010 by Paul

Signature-based anti-virus software matches malware it has already seen.  It is reactive by nature, and it should be no surprise by now that these products are weak against new viruses and new variants until someone writes a signature for them.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test whether you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply the basics.   If you don’t believe that organizations get burned because of basic security failures, check out this story out of New Zealand.  What is funny here is that they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   The thumb drive may well have been the entry point (Conficker spreads through removable media as well as over the network), but it was the MS08-067 hole, patched by Microsoft in October 2008, that let the worm run through the internal network.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Back to Basics

Posted in Awareness and Education, Business and Security on March 11th, 2010 by Paul

I just read an article “Basic security measures do wonders” and it drove home a point that seems to have been lost with the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”.  While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying basics and using our current tools more effectively can go a long way to improving the security posture of our organizations.

I’m not implying that we should be stagnant in our approach to securing our information from changing threats.  It’s vitally important that we be agile in our defenses, or we create the cyber-Maginot line I’ve discussed earlier.  That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.

The article mentioned some basics that are worth repeating:

  • Turn logging on and monitor the logs, but be careful not to inundate yourself with irrelevant messages.
  • Examine network traffic patterns.  Learn what normal traffic looks like so that you can identify abnormal patterns.
  • Control access so that employees have access to what they need to do their jobs and nothing else.
  • Enforce security policies.
  • Have a consistent process for patching systems.
  • Know where your data is!

I would imagine most security professionals reading this will say “duh”.  I’d also be willing to bet that many organizations fail to apply all of these basic principles. Why?  Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation?  It happens all the time.

Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness.  Can you improve your user provisioning/de-provisioning process?  Can you leverage scanning tools and results to improve a vulnerability remediation program?  Can you tighten up audit logs and alerts?  Can you create an inventory of sensitive information?  Can you engage business units to build a stronger relationship with security?  Can you develop an awareness campaign that is engaging and informative?

It seems to me improving what you have creates a stronger security program than having a huge number of half implemented tools and processes.  Tell me.  What areas can you improve today?

Risk-based Information Security

Posted in Business and Security on December 28th, 2009 by Paul

How do you even start protecting your information assets if you don’t have an understanding of the risk to them?  I would venture to say… you don’t.  It’s difficult for some to get started down this path because they quickly get overwhelmed with the task at hand.  Many times, a good effort gets set aside because the level of detail gets too cumbersome to reach the finish line.  Perhaps this can help.

Organizational assets

You have to know what you have but it doesn’t have to be a lonely road to get the information.  Start with a network scanning tool to detect the systems on your network and try to understand the type of data being stored on each.  However, don’t try to perform a risk assessment on each individual system.  Group them into sensible categories based on type of data (customer, HR, financial), application type (web, database, app) or business function (web, e-mail, accounting/finance).

Find out who “owns” this data.  A department head, Director, VP, whoever is ultimately responsible for the data.  Remember, determining risk is a business responsibility and it is up to Information Security to adequately illustrate the risk and controls so that informed decisions can be made.

The Risk Rating Matrix

There are many ways this can be done, and there are sample matrices you can use online.  Take your pick.   Some assign rankings for Threats, Vulnerabilities, and Impacts for each part of the security triad (Confidentiality, Integrity, Availability).  Some take compensating controls into account.    Some use the likelihood of an event happening.  Some multiply the risk rating by a detectability factor (as in an FMEA risk priority number, where an issue that is harder to detect scores higher) to get an overall score.

Regardless of what method works for you any method should take these suggestions into consideration:

  • If you are assigning scores in your rankings of threats, vulnerabilities, impact, etc., use an even-numbered scale such as 1-6.  This eliminates the “middle of the road” pick and forces the rater to fall on the high side or the low side.
  • Make sure each ranking number is labeled so that it is easy to understand what a 2 means versus a 5.
  • Provide an overall ranking that can be used to compare risks and prioritize them for clearer decision making.
  • Doing something is better than doing nothing.  Don’t expect perfection the first time out.
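As an added example, not code from the original post, here is a minimal risk-rating matrix built along the lines above: an even 1-6 scale with a label on every value, rankings of threat, vulnerability and impact for each leg of the C-I-A triad per asset group, and one overall number used to prioritize.  The asset groups, owners and numbers are constructed sample data.  The formula (threat x vulnerability x impact per leg, with the worst leg taken as the overall score) is one reasonable choice among the variants mentioned above, not a standard; swap in likelihood or a compensating-control factor if that is what your matrix uses.

```python
"""Added example (not the post's own code): a minimal risk-rating matrix
built the way the post suggests: an even 1-6 scale with a label on every
value, per-asset-group rankings of threat, vulnerability and impact for
each leg of the C-I-A triad, and one overall number for prioritising.
The asset groups, owners and numbers are constructed sample data, and the
formula (threat x vulnerability x impact per leg, worst leg as the overall
score) is one reasonable choice among the variants the post mentions."""

from dataclasses import dataclass

# Even-numbered scale: there is no middle value to hide behind, and every
# number carries a label so a "2" means the same thing to everyone.
SCALE = {
    1: "negligible",
    2: "low",
    3: "moderate, leaning low",
    4: "moderate, leaning high",
    5: "high",
    6: "critical",
}
TRIAD = ("confidentiality", "integrity", "availability")


def check_rating(value):
    """Accept only a labelled point on the scale; 0, 7 or 3.5 are errors, not opinions."""
    if not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{value!r} is not on the 1-6 scale")
    return value


@dataclass(frozen=True)
class Ranking:
    threat: int          # who is likely to come after this, and how capable are they
    vulnerability: int   # how exposed it is today, after the controls already in place
    impact: int          # what the business loses if this leg of the triad fails

    def __post_init__(self):
        for v in (self.threat, self.vulnerability, self.impact):
            check_rating(v)

    def score(self):
        """Product of the three ratings: 1 (all negligible) to 216 (all critical)."""
        return self.threat * self.vulnerability * self.impact

    def label(self):
        return (f"threat={SCALE[self.threat]}, vulnerability={SCALE[self.vulnerability]}, "
                f"impact={SCALE[self.impact]}")


@dataclass
class AssetGroup:
    name: str
    owner: str       # the business person who accepts (and signs off on) residual risk
    rankings: dict   # triad leg -> Ranking

    def leg_scores(self):
        return {leg: self.rankings[leg].score() for leg in TRIAD}

    def worst_leg(self):
        scores = self.leg_scores()
        leg = max(scores, key=scores.get)
        return leg, scores[leg]

    def overall(self):
        # The worst leg is the overall score: a critical availability risk should
        # not be averaged away by a strong confidentiality story.
        return self.worst_leg()[1]


def prioritize(groups):
    """Highest overall risk first, so a tight budget goes to the top of the list."""
    return sorted(groups, key=lambda g: g.overall(), reverse=True)


def report(groups):
    """One line per group, ready to take to the data owner."""
    lines = []
    for g in prioritize(groups):
        leg, score = g.worst_leg()
        lines.append(f"{score:>4}  {g.name:<24} owner={g.owner:<12} "
                     f"worst={leg} ({g.rankings[leg].label()})")
    return lines


# Constructed sample data: groups formed by type of data or business function,
# as the post recommends, rather than one assessment per server.
SAMPLE_GROUPS = [
    AssetGroup("customer data (web DB)", "VP Sales", {
        "confidentiality": Ranking(threat=5, vulnerability=4, impact=6),
        "integrity":       Ranking(threat=4, vulnerability=3, impact=5),
        "availability":    Ranking(threat=3, vulnerability=3, impact=4),
    }),
    AssetGroup("HR systems", "HR Director", {
        "confidentiality": Ranking(threat=3, vulnerability=4, impact=5),
        "integrity":       Ranking(threat=2, vulnerability=2, impact=4),
        "availability":    Ranking(threat=2, vulnerability=2, impact=3),
    }),
    AssetGroup("e-mail", "CIO", {
        "confidentiality": Ranking(threat=4, vulnerability=3, impact=3),
        "integrity":       Ranking(threat=3, vulnerability=2, impact=3),
        "availability":    Ranking(threat=5, vulnerability=4, impact=5),
    }),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GROUPS)))
```

Running it prints the three groups highest risk first, each with its owner and the triad leg that put it there, which is the conversation to have with the data owner before anyone spends money.  The validation in check_rating is deliberate: a rating that is off the scale, or a fractional “3.5” that sneaks a middle value back in, is rejected rather than silently scored.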

Take Action

With your rankings and priorities established in collaboration with the data owner you are in a better position to implement controls that provide value.  The acceptance of risk should be firmly in the hands of the data owner (and signed off on).   When budgets are tight, you now have the opportunity to address the biggest risks because you have taken the time to identify them.

There is no such thing as 100% security.  Reducing your risk profile by applying a measured approach to risk management is, however, entirely possible.  Doing nothing is a bad choice.  Where do you want to be?

Baby Steps – Information Security Process Improvement

Posted in Business and Security on November 13th, 2009 by Paul

Organizations can quickly become overwhelmed when trying to implement a comprehensive information security program.  There are many barriers.  Cost.  Time.  Competency.   As I’ve posted before, security is an ongoing process and needs to be in order to deal with the changing business environment and evolving threat landscape.  Instead of implementing the very best (and most expensive) solutions for every security issue, I suggest a tiered approach that covers multiple areas and sets the stage for continuous improvement.

Barriers

Cost

If we buy the very top solutions for all of our security problems we will quickly run out of cash.  Throwing money at one or two issues leaves many other areas uncovered.   It may be better, especially early on in the implementation of an information security program, to spread the money around.  Provide coverage in all areas and then build up those controls that provide the most bang for the buck.

Time

The top solutions usually take more time to implement.  You need to ask yourself how much exposure you have during the implementation.  Does a long implementation create more risk than a “lower end” solution that is in place sooner?

Competency

I’ve seen it more than once.  An organization purchases and installs a high end and expensive solution that nobody on their staff knows how to use.  The great solution is subsequently ignored.   If nobody knows why a new process is being used or how a new product works, it’s pretty difficult to get the results you’re after.

Baby Steps

Continuous process improvement can apply to information security.  If you’re trying to implement a framework that calls for multiple controls such as ISO 27001/27002, using a multi-level approach may help reduce the paralysis that often accompanies such a large undertaking.   I suggest using a 3-tier approach.  Tier-1 is easiest to implement but is usually least effective.  Tier-3 is hardest but most effective.

(Figure: tiered_security)

It would be ideal if we could apply Tier-3 solutions to every problem right out of the chute but that simply isn’t feasible for most businesses.   Doing nothing is also a bad choice.  Applying Tier-1 and Tier-2 solutions at least gets the program moving and then process improvement can gradually improve the overall security posture of the business over time.

As an example, let’s look at dealing with security logs.

Tier-1

Administrators review server logs.  This is instituted through a policy that requires the administrators to “regularly” review their logs.  We all know that manual review of logs is seldom done; however, applying the policy at least sets the tone and expectation.  It can even start to shift the administration culture toward reviewing logs if they don’t already do so.

Tier-2

Centralized log aggregation with automated reports.  This starts to automate the process.  Logs from systems and devices are pushed or pulled to a central logging system and now administrators review logs in this single location rather than across multiple servers.  Some scripting can be applied to automate reports.  This certainly increases the effectiveness of the log review process.
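Here is what the “some scripting” at this tier can look like, as an added example rather than code from the original post.  It also serves the “turn logging on and monitor the logs, but don’t inundate yourself” item from the Back to Basics list above.  The script reads syslog-format sshd lines as they would sit on a central collector, drops routine cron session noise so the reviewer is not buried, counts failed logins per source, and flags only the sources a human should look at: many failures, failures spread across several hosts, or a success from a source that was failing moments earlier.  The log lines are constructed sample data, and the thresholds are assumptions to tune for your own environment.

```python
"""Added example (not the post's own code): a Tier-2 style automated
report over centrally collected auth logs. It parses syslog-format sshd
lines, drops routine noise (cron session open/close) so the reviewer is
not inundated, counts failed logins per source, and flags the sources a
human should look at. The log lines are constructed sample data and the
thresholds are assumptions to tune for your own environment."""

import re
from collections import Counter, defaultdict

# Constructed sample input: a few minutes of auth logs from three hosts,
# as they might sit on a central syslog collector.
SAMPLE_LOG = """\
Mar 11 08:01:12 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 11 08:01:15 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar 11 08:01:19 web01 sshd[2115]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 11 08:02:03 db01 sshd[877]: Failed password for deploy from 10.0.0.12 port 40112 ssh2
Mar 11 08:02:40 db01 sshd[880]: Accepted publickey for deploy from 10.0.0.12 port 40120 ssh2
Mar 11 08:03:00 web01 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 08:03:01 web01 CRON[2200]: pam_unix(cron:session): session closed for user root
Mar 11 08:03:30 web02 sshd[3301]: Failed password for root from 203.0.113.45 port 51100 ssh2
Mar 11 08:04:02 web02 sshd[3305]: Accepted password for ops from 10.0.0.7 port 50012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
# Routine messages that never belong in this report; extend for your environment.
NOISE_RE = re.compile(r"pam_unix\(cron:session\): session (opened|closed)")


def parse_line(line):
    """Split one syslog line into timestamp, host, process and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def build_report(lines, fail_threshold=3, host_threshold=2):
    """Summarise failed/accepted logins and flag sources worth a human's time."""
    failures = Counter()            # source ip -> failed logins
    targets = defaultdict(set)      # source ip -> hosts it failed against
    invalid_users = Counter()       # source ip -> attempts on non-existent accounts
    success_after_failure = set()   # sources that failed and then got in
    noise_dropped = unparsed = 0

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1           # count, rather than silently lose, unknown formats
            continue
        msg = rec["msg"]
        if NOISE_RE.search(msg):
            noise_dropped += 1
            continue
        if m := FAILED_RE.search(msg):
            ip = m.group("ip")
            failures[ip] += 1
            targets[ip].add(rec["host"])
            if m.group("invalid"):
                invalid_users[ip] += 1
        elif m := ACCEPTED_RE.search(msg):
            ip = m.group("ip")
            if failures[ip]:        # Counter returns 0 for unseen sources
                success_after_failure.add(ip)

    flagged = {}
    for ip, n in failures.items():
        reasons = []
        if n >= fail_threshold:
            reasons.append(f"{n} failed logins")
        if len(targets[ip]) >= host_threshold:
            reasons.append(f"failures spread across {len(targets[ip])} hosts")
        if ip in success_after_failure:
            reasons.append("successful login after failures")
        if reasons:
            flagged[ip] = reasons

    return {
        "failures_by_source": dict(failures),
        "hosts_targeted": {ip: sorted(h) for ip, h in targets.items()},
        "invalid_user_attempts": dict(invalid_users),
        "flagged": flagged,
        "noise_dropped": noise_dropped,
        "unparsed": unparsed,
    }


def format_report(report):
    """Render the part an administrator actually reads each morning."""
    out = [f"noise dropped: {report['noise_dropped']}, unparsed: {report['unparsed']}"]
    for ip, reasons in sorted(report["flagged"].items()):
        out.append(f"REVIEW {ip}: " + "; ".join(reasons))
    return out


if __name__ == "__main__":
    print("\n".join(format_report(build_report(SAMPLE_LOG.splitlines()))))
```

On the sample data the report comes down to two lines to review: the external address that hammered two web hosts, and the internal address that got a key-based login right after a password failure.  The nine input lines shrink to what matters, which is the whole point of this tier; the unparsed counter is there so a new log format shows up as a number on the report instead of disappearing.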

Tier-3

Commercial log analysis tool with near real-time alerts for anomalies.  This is a heavy-duty log aggregation, correlation, analysis, and reporting tool that has advanced capabilities.  It is much more expensive than a central log repository in Tier-2.  It is more complex to manage but the feature set allows for greater effectiveness.

Word of Warning

Implementing Tier-1 “just-for-now” solutions does not mean we can be lackadaisical in our information security practices.  Even basic security solutions need to incorporate good security principles.   If our business practices easily circumvent security controls then we can never be successful.   Starting small still has to be done right.

Security Scotomas

Posted in Business and Security on September 28th, 2009 by Paul

(Figure: youngwomanoldlady, the young woman / old lady illusion)

Is it a young lady or an old woman?  Is it both?

The potential for information security to enable business often gets lost in our own scotomas.  We get so locked into our world of information protection that we fail to see alternatives and opportunities.   The inability to see more than one option is the experience scotoma we all suffer from time to time, and some of us more often than not.  We only see the “old lady” and therefore that is all we can act upon.  In order to see options and alternatives, we have to break our own scotomas and communicate in a way that breaks the experience scotomas of others.

Only by breaking down the psychological barriers that prevent us from seeing the whole picture will we be able to apply business-focused security solutions.  That is where the business-value of security comes in.   Don’t just see the young lady.  Don’t just see the old lady.  See both.