Posts Tagged ‘strategic asset’

Technical Tunnel Vision

Posted in Business and Security on February 3rd, 2011 by Paul

I was recently reminded how easily one can become focused on a single technical solution to a problem and completely miss process or people solutions.  Under the pressure of a fast-paced environment and constantly changing priorities, technically oriented people will often fall back on their bread-and-butter to churn out a quick solution.  I’m guilty of this, as I’m sure many others are.  This is unfortunate.

I’m convinced that the best solutions can only be found if all options are on the table and you can’t possibly understand all the options if you don’t gather information from affected business units and the people actually doing the work.  How dumb would I have been if I had suggested spending tens of thousands of dollars on a technical solution when a simple change in work flow or business process/procedure could solve the problem equally well?

Sometimes you have no choice, but you owe it to yourself, your company, or your client to examine all possible options (within reason).  Explore the benefits and impacts of each.  Show the costs of each proposed solution in dollars, resources, and reputation.  By all means, don’t think you can adequately come up with a solution sitting behind a desk without talking to those affected.  Don’t let the pressure of deadlines and multiple priorities prevent you from tapping into the valuable resource of the folks performing the day-to-day work.

It’s easy to fall back into a comfort zone of technical solutions, but to add value to your organization as a security professional, you must learn to provide a broad range of business solutions that encompass technology, people, and processes.

Cyber Risk being disclosed in SEC filings

Posted in Business and Security on June 15th, 2010 by Paul

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings.  It’s interesting to see the admission of some major companies that the threat of targeted attacks can impact the bottom line.

This will undoubtedly become the trend in risk reporting to shareholders in annual reports, and there should be a corresponding effort to take action to counter the threat.  Perhaps the increased visibility of the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Thousands of Businesses had an Uneventful Day

Posted in Business and Security on May 27th, 2010 by Paul

I guess that headline wouldn’t sell too many papers, but in most cases this is the reality that drives many decisions about information security investment.  For most executives the sky isn’t always falling, and a security team that tries to operate under that premise is soon thought of as the Boy Who Cried Wolf.  This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy.

There is a fine line between being vigilant defenders of information and being alarmists.  The need for information security has never been more important.  Surveys suggest that executives understand this, so now is not the time to be lighting the warning beacons of Gondor.  Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as Annualized Loss Expectancy (ALE), which pretty much takes a guess (the loss from a single incident) and multiplies it by another guess (how many times a year it will happen), to make a case for security investment.  ROI?  What is your return on something that doesn’t generate revenue?  Again, using this type of tool in a security context leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and be able to clearly articulate the need from a business perspective.  Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments.  It is surprising how many organizations can’t meet this requirement, but you simply can’t protect what you don’t know about.
  • Leverage what you already have.  Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to complement the proposal, not BE the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.

Back to Basics

Posted in Awareness and Education, Business and Security on March 11th, 2010 by Paul

I just read an article, “Basic security measures do wonders”, and it drove home a point that seems to have been lost amid the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”.  While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying the basics and using our current tools more effectively can go a long way toward improving the security posture of our organizations.

I’m not implying that we be stagnant in our approach to securing our information from changing threats.  It’s vitally important that we be agile in our defenses, or else we create the Cyber-Maginot line I’ve discussed earlier.  That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.

The article mentioned some basics that are worth repeating:

  • Turn logging on and monitor the logs, but be careful that you don’t inundate yourself with irrelevant messages.
  • Examine network traffic patterns.  Learn what normal traffic looks like so that you can better identify abnormal patterns.
  • Control access so that employees have access to what they need to do their jobs, but nothing else.
  • Enforce security policies.
  • Have a consistent process for patching systems.
  • Know where your data is!
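As an added illustration of the first two basics (this is not code from the original post or from the article it cites), the script below learns what “normal” outbound traffic looks like for each host from a window of flow records, then scores a new day against that baseline. It reports only a never-before-seen host, a new destination port, or a byte volume that clears both a statistical threshold and a fixed multiple of the host’s mean, so a host with very steady history is not alerted on over a few extra kilobytes. The hostnames, ports, byte counts and the thresholds (3 sigma and a 2x floor) are constructed assumptions for the example.

```python
"""Baseline-and-deviation check over constructed outbound flow records.

Added example, not from the original post. Learns per-host "normal" from a
training window, then flags only deviations so the analyst is not flooded.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): (day, src_host, dst_port, bytes_out).
# Five days of known-good traffic used to learn what normal looks like.
BASELINE_RECORDS = [
    # ws01: web and DNS only, roughly 1 KB/day
    ("d1", "ws01", 443, 800), ("d1", "ws01", 53, 200),
    ("d2", "ws01", 443, 900), ("d2", "ws01", 53, 200),
    ("d3", "ws01", 443, 700), ("d3", "ws01", 53, 200),
    ("d4", "ws01", 443, 800), ("d4", "ws01", 53, 200),
    ("d5", "ws01", 443, 800), ("d5", "ws01", 53, 200),
    # ws02: web only, roughly 5 KB/day
    ("d1", "ws02", 443, 5000), ("d2", "ws02", 443, 5200),
    ("d3", "ws02", 443, 4800), ("d4", "ws02", 443, 5000),
    ("d5", "ws02", 443, 5000),
    # srv-db: a small, perfectly steady trickle over 443
    ("d1", "srv-db", 443, 300), ("d2", "srv-db", 443, 300),
    ("d3", "srv-db", 443, 300), ("d4", "srv-db", 443, 300),
    ("d5", "srv-db", 443, 300),
]

# One new day to score. ws02 starts talking on port 22 and moves far more data
# than usual; ws03 has never been seen before; everything else is routine.
TODAY_RECORDS = [
    ("d6", "ws01", 443, 900), ("d6", "ws01", 53, 150),
    ("d6", "ws02", 443, 4000), ("d6", "ws02", 22, 9000),
    ("d6", "srv-db", 443, 300),
    ("d6", "ws03", 443, 500),
]


def build_baseline(records):
    """Per host, learn the destination ports used and the daily outbound byte totals."""
    per_day = defaultdict(int)   # (host, day) -> bytes sent that day
    ports = defaultdict(set)     # host -> destination ports ever used
    for day, host, port, nbytes in records:
        per_day[(host, day)] += nbytes
        ports[host].add(port)
    daily = defaultdict(list)    # host -> list of daily totals
    for (host, _day), total in per_day.items():
        daily[host].append(total)
    return {h: {"ports": ports[h], "daily_bytes": daily[h]} for h in ports}


def find_anomalies(baseline, records, sigma=3.0, min_factor=2.0):
    """Return (host, reason) pairs for hosts whose day deviates from the baseline.

    A volume alert requires today's total to exceed BOTH mean + sigma * stdev and
    min_factor * mean, so hosts with near-zero variance in their history do not
    generate noise over small changes.
    """
    today_bytes = defaultdict(int)
    new_ports = defaultdict(set)
    for _day, host, port, nbytes in records:
        today_bytes[host] += nbytes
        if host in baseline and port not in baseline[host]["ports"]:
            new_ports[host].add(port)

    findings = []
    for host in sorted(today_bytes):
        if host not in baseline:
            findings.append((host, "no baseline: host never seen before"))
            continue
        if new_ports[host]:
            findings.append((host, f"new destination port(s): {sorted(new_ports[host])}"))
        history = baseline[host]["daily_bytes"]
        mu, sd = mean(history), pstdev(history)
        threshold = max(mu + sigma * sd, min_factor * mu)
        if today_bytes[host] > threshold:
            findings.append(
                (host, f"outbound bytes {today_bytes[host]} exceed threshold {threshold:.0f}")
            )
    return findings


if __name__ == "__main__":
    for host, reason in find_anomalies(build_baseline(BASELINE_RECORDS), TODAY_RECORDS):
        print(f"{host}: {reason}")
```

Run as-is it reports three findings (ws02 twice, ws03 once) and stays silent on ws01 and srv-db even though their totals moved slightly; that silence is the point of the first bullet. In a real deployment the window would be weeks rather than days and the records would come from flow or proxy logs, but the shape of the check is the same.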

I would imagine most security professionals reading this will say “duh”.  I’d also be willing to bet that many organizations fail to apply all of these basic principles.  Why?  Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation?  It happens all the time.

Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness.  Can you improve your user provisioning/de-provisioning process?  Can you leverage scanning tools and results to improve a vulnerability remediation program?  Can you tighten up audit logs and alerts?  Can you create an inventory of sensitive information?  Can you engage business units to build a stronger relationship with security?  Can you develop an awareness campaign that is engaging and informative?

It seems to me that improving what you have creates a stronger security program than having a huge number of half-implemented tools and processes.  Tell me.  What areas can you improve today?

Don’t Let FUD Trump Value

Posted in Awareness and Education, Business and Security on January 22nd, 2010 by Paul

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organizations take in regard to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline-grabbing world of FUD (Fear, Uncertainty, and Doubt), and that is the only way security efforts ever show up on their radar.  That is unfortunate, but it shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora” today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation.  Certainly there are lessons learned from this incident that should be applied, but ultimately information security should be an evolving, proactive process, not a panic-stricken FUD game.

  1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond O/S patches to applications as well.
  2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
  3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactive tool that typically fares poorly in detecting new malware, but keeping out the old stuff is important too.
  4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come into a centralized location where they can be indexed and analyzed, or do you really believe an analyst is manually looking through millions of log events each day?
  5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them, or provide some type of compensating control.  Learn from compromised systems and from the information already available to you from IDS, SIEM, logs, etc.

Show that information security provides value without resorting to scare tactics, or else you become the “boy who cried wolf” and ineffective in your long-term efforts.

Information Delivery vs. Information Security

Posted in Business and Security on November 9th, 2009 by Paul

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked: “When you install a new server, what are the first two things you do?”

Both of them answered, “Install the latest patches and updates, and remove all unnecessary services.”  Good answers, but the reasoning behind them is entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.

Why is this difference important as long as the work is getting done?

It’s about a mindset.  In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins, even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.  Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk, so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.  Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.  Doesn’t your business deserve at least that much?

National Cybersecurity Initiative… Good, but….

Posted in National InfoSec on June 4th, 2009 by Paul

Finally!  The U.S. makes a conscious decision to consider the digital roadways that carry the information of citizens, business, and government a “strategic national asset”.  Acknowledging the importance is certainly a step, albeit a late one, in the right direction.  Let there be no mistake: it’s a difficult task to defend a nation in the modern-day wild west, and quite frankly, as a nation we’ve been asleep at the wheel as criminal activity runs rampant across this unprotected thoroughfare.

As if it were scripted, right after the announcement of a new White House cyber security position, a document with information about our nuclear facilities was inappropriately disclosed to the public.  This emphasizes the sad but true statement that technology doesn’t cure dumb.  Never has, never will.  This is why security must be built around the triad of people, process and technology.  One without the others is fairly useless.