paulmudgett.com

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings.  It’s interesting to see the admission of some major companies that the threat of targeted attacks can impact the bottom line.

In what will undoubtedly become the trend in risk reporting to shareholders in annual reports there should be a corresponding effort to take actions to counter the threat.  Perhaps the increased visibility into the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach even if I think his position is weakened based on placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt points to the defense against the wide range of threats, including coordinated attacks, to be best lead from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector not only is the key to defense but also is the problem.  Too many organizations have created a Cyber-Maginot line that merely creates the illusion of security while the more agile attackers circumvent stale and slow moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan should the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Anti-virus software is based on signatures of known viruses.  It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply basics.   If you don’t believe that organizations get burned because of basic security failures check out this story out of New Zealand.  What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Between 1930 and 1940, France built a massive system  of defenses known as the Maginot Line.  Designed to stop a German invasion, history illustrates its failure.  The 1940 German invasion of France skirted the defensive Maginot Line as they swiftly penetrated through the Ardennes by way of Belgium.  I’m not a historian and there are many facts that played into this but clearly the fate of France was at least partly determined by a false sense of security rooted in the Maginot Line.

Have modern day corporations and public entities created their own version of Maginot Line when it comes to the protection of sensitive information?  I think the answer is clearly yes.  William J. Lynn III, the deputy defense secretary who oversaw a recent attack simulation pointed this out in “In Digital Combat, U.S. Finds No Easy Deterrent“.  An over-reliance on firewalls and anti-virus programs has created a false sense of security among those who store, transmit, and process sensitive information in the normal course of business.  The changing threatscape, such as the new complex zero-day exploits and state-sponsored targeted attacks, are sometimes ignored much like the French failed to take action when Belgium declared itself a neutral country severing their previous alliance with France.

Consider this comment made in a recent story:

“The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations.”  US oil industry hit by cyberattacks:  Was China Involved? CS Monitor, January 25, 2010

We are not prepared.  The attackers have become more nimble, motivated, and tenacious while we have become slow moving and complacent.  Many organizations have been lulled to sleep.  We’ve already seen changes in the way attacks are organized and the creativity being designed into their exploits.  Collectively, we need to examine the new threatscape and actively develop new tactics that match the agility being demonstrated by the “bad guys”.

Let’s learn from the Maginot Line.  Let’s not get caught sitting behind our old walls hoping that we can sustain a direct assault when the real threat is making an end run.

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.    With major attacks taking place in 2010 and hopefully and improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment are emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Organizations can quickly become overwhelmed when trying to implement a comprehensive information security program.  There are many barriers.  Cost.  Time.  Competency.   As I’ve posted before, security is an ongoing process and needs to be in order to deal with the changing business environment and evolving threat landscape.  Instead of implementing the very best (and most expensive) solutions for every security issue, I suggest a tiered approach that covers multiple areas and sets the stage for continuous improvement.

Barriers

Cost

If we buy the very top solutions for all of our security problems we will quickly run out of cash.  Throwing money at one or two issues leaves many other areas uncovered.   It may be better, especially early on in the implementation of an information security program, to spread the money around.  Provide coverage in all areas and then build up those controls that provide the most bang for the buck.

Time

The top solutions usually take more time to implement.  You need to ask yourself how great of an exposure do you have during the implementation?  Do you create a greater risk than by implementing a “lower end” solution?

Competency

I’ve seen it more than once.  An organization purchases and installs a high end and expensive solution that nobody on their staff knows how to use.  The great solution is subsequently ignored.   If nobody knows why a new process is being used or how a new product works, it’s pretty difficult to get the results you’re after.

Baby Steps

Continuous process improvement can apply to information security.  If you’re trying to implement a framework that calls for multiple controls such as ISO 27001/27002, using a multi-level approach may help reduce the paralysis that often accompanies such a large undertaking.   I suggest using a 3-tier approach.  Tier-1 is easiest to implement but is usually least effective.  Tier-3 is hardest but most effective.

It would be ideal if we could apply Tier-3 solutions to every problem right out of the chute but that simply isn’t feasible for most businesses.   Doing nothing is also a bad choice.  Applying Tier-1 and Tier-2 solutions at least gets the program moving and then process improvement can gradually improve the overall security posture of the business over time.

As an example, let’s look at dealing with security logs.

Tier-1

Administrators review server logs.  This is instituted through policy that requires the administrators to “regularly” review their logs.  We all know that manual review of logs is seldom done however, applying the policy at least sets the tone and expectation.  It can even start to adjust the administration culture toward reviewing logs if they don’t already do so.

Tier-2

Centralized log aggregation with automated reports.  This starts to automate the process.  Logs from systems and devices are pushed or pulled to a central logging system and now administrators review logs in this single location rather than across multiple servers.  Some scripting can be applied to automate reports.  This certainly increases the effectiveness of the log review process.

Tier-3

Commercial log analysis tool with near real-time alerts for anomalies.  This is a heavy-duty log aggregation, correlation, analysis, and reporting tool that has advanced capabilities.  It is much more expensive than a central log repository in Tier-2.  It is more complex to manage but the feature set allows for greater effectiveness.

Word of Warning

Implementing Tier-1 “just-for-now” solutions does not mean we can be lackadaisical in our information security practices.  Even basic security solutions need to incorporate good security principles.   If our business practices easily circumvent security controls then we can never be successful.   Starting small still has to be done right.

Richard Power wrote an article for CSO Online entitled  “Red Pill?  Blue Pill?  Ruminations on the Intersection of Inner Space and Cyber Space”.  It ties into the psychology of information security and how the shifting attitudes regarding privacy and security require a different approach to information security.   Power writes:

There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.

The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”.  If the change is not apparent, consider the way communication has changed over the last few decades.

Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media

Different generations have different preferences in the way information is communicated to them.  While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world.  In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message.  We must be better at communicating the value of security in terms and context that is important to the “receiver”.

The bottom line is information security is a collective effort.  We simply cannot afford to lose the message in transit because of a rigid approach to communication.

Be passionate.  Be open.  Be clear.  Be agile.

It it a young lady or an old woman?  Is it both?

The potential for information security to enable business often gets lost on our own scotomas.  We get so locked into our world of information protection that we fail to see alternatives and opportunities.   The inability to see more than one option is the experience scotoma we all suffer from time to time and for some, more often than not.  We only see the “old lady” and therefore that is all we can act upon.  In order to see options and alternatives, we have to break our scotomas and communicate in a way that breaks the experience scotomas of others.

Only by breaking down the psychological barriers that prevent us from seeing the whole picture will we be able to apply business-focused security solutions.  That is where the business-value of security comes in.   Don’t just see the young lady.  Don’t just see the old lady.  See both.