"Security? It's not in the scope of the project!"
Tuesday, 19 August 2008 11:06

It's been a while longer than I like to admit since my last post. I suspect I, like many others, have fallen victim to staying up late at night to watch the Olympics. I've enjoyed them more this year for some reason than in years past. Maybe I have a greater appreciation for the amount of work it takes these athletes to prepare for competition. And it's heartbreaking when they make a mistake and know it. They continue on even when they recognize their dream of medals is over.

I think INFOSEC could be like the Olympics. In fact, I wish we had a national day, week, or month for conducting security checks or furthering awareness. Maybe I'll take that up. I know I've been involved in preparing our company for meeting PCI compliance, though not as involved as many others. That is like getting ready for an Olympics. There will be many personal rewards and I'm sure some frustration. Yet, when I sit back and think about INFOSEC, I realize it is something I take for granted. But how can we get other people to start believing in security to the point it is second nature as part of their jobs?

I heard of a story today that astounded me. A project team has been moving along on their work. When their documents were reviewed it was noticed that security was not mentioned. When asked about it their response was, "Security is not in the scope of this project!" Wow. How do you respond to that? It startles my imagination to think this mentality still exists out there. I just want to scream, "COME ON PEOPLE, GET IN THE GAME. SECURITY IS HERE TO STAY!" In fact, security may actually help the project succeed. Especially when there won't be any launching delays for the project to retool security measures into it.

Information Security can be a value-add to any project. Yet there are people who don't understand security and continue to see it as an impediment to time, resources, and cost. If security professionals are involved during the life of the project, architecture details may be caught and resolved right then and there. Why would that be a hindrance?

In the end, I'll keep plugging along and doing my best to educate, educate, educate. But, just imagine if our proud gymnast Olympians had said daily exercise wasn't in the scope of their training.



 
Feds Arrest Hackers of TJX, Other Retailers in Huge Conspiracy Bust
Wednesday, 06 August 2008 05:59

Here's an example of borderless, worldwide crime. Remember the TJ Maxx data breach? More details are coming out. A couple details it brings to the top:

1. Location, location, location. Meaningless with digital crime. A worldwide reach is possible right to your backyard.

2. Wireless is a threat. Configure it properly. When done right it can work. Haphazardly...watch out.

Be smart people...from the Mom and Pop shops all the way up to the huge corporations. It doesn't matter. Secure it.



 
Is it Possible to Maintain the High Ground?
Monday, 04 August 2008 03:54

When do politics come into play with regard to good security? And will politics be a contributor or detractor to information security?

These are two important questions I've encountered over my career. The answers can be rather nebulous and will differ from organization to organization. The short answer is yes...to a point.

Two definitions of politics are:

6. use of intrigue or strategy in obtaining any position of power or control, as in business, university, etc.

8b. play politics. to deal with people in an opportunistic, manipulative, or devious way, as for job advancement.

I would love to believe information security could be devoid of politics (I'd be naïve if I did believe that). Really, who wouldn't want to ensure their business data and customer data is kept safe? Everyone will tell you they agree with that statement, but I think the realities are quite the opposite. When the door closes, the business decision makers will be looking to keep every penny in the bank. Why wouldn't they? It's their job to ensure the business is profitable and quite simply, decide if the risk is worth accepting or ignoring.

That is where security professionals have to put on their "political" hat and work at building the risk case and selling it to their management. Even after hearing the risk assessment reports, many in management will indicate they understand the risk and still choose to ignore it. And it is sad to say, even after seeing reports, almost daily, about incidents in the news.

Information security is continuing to mature and maybe some day it will reach the status of marketing or sales. I mean, you wouldn't sell a product or service without a marketing or sales department, would you? Until INFOSEC reaches that level it will be political leverage. From both sides of the battle.

For security professionals, how many have used regulatory drivers as justification to push changes across the enterprise? How many have been swinging the "PCI Compliance" hammer around to push security projects? Though the concept of issues is commendable in PCI, we shouldn't have to use that to smack people in the head to drive security projects through. Just like we shouldn't have to implement new security projects post "security incident." Sometimes it can't be helped. But, more often than not, the incident was predicted to happen.

The dark side of politics is when business managers use security as a tool to build their empire. As I write this, I can think of situations where security professionals have done that too. Regardless, it can be frustrating when managers hold up timing and/or funding for security projects because it will build them up better--forgetting the simple rules of "play nice," we're all working for the same company.

In the end, all we can do as leaders in security or otherwise, is to do what I often have to repeat in my mind (sometimes repeatedly), "Maintain the high ground." Don't let the situation drag you down to levels where you might compromise your own integrity or ethics. Even when you could lose your job. Just "Maintain the high ground," play politics fairly, and remember nothing is worth losing yourself in the process.



 
Reasonable Privacy or Not?
Thursday, 24 July 2008 20:11

Every now and then I'll see something in the news talking about what employees can expect for privacy. It's always funny to me when this occurs because I don't understand where people get the idea their work computers are theirs, and not the company's. Where does this line of thinking come from? There are typically two schools of thought out there concerning employee privacy. One end of the spectrum is the company stating, in policy, no personal use of computer resources. The other end is the employee thinking the work computer is private.

It really isn't private if the company owns the computer. The trick is finding a way to balance the approach. We don't necessarily want to create an environment of big brother; nor do we want to create an environment that permits employees to take advantage of the business.

At one company I was in a position to figure out the balance point between the two extremes. I thought this to be important. I wanted to create an environment that fosters a level of trust between the boss and the employee. I do believe most people want to do the right thing and I also recognize people will use the work computer to check their personal mail and jump out to a website. This is considered incidental use and isn't a big deal to me. I explained to the employees we did not spend our time looking over their shoulders.

Yet, there were occasions when an employee's computer habits needed to be explored. I didn't take these requests for investigation lightly. A supervisor would need to submit a formal request in writing, documenting the circumstances and supporting details. I would take the request before a privacy committee for approval. The privacy committee was comprised of myself (InfoSec Manager), the HR Director, the Legal Director, the CIO, and the VP of the department the suspected employee belonged to. We would discuss the case. Everyone would have to agree on the merits of the case. Agreement was provided by signing. A signed form indicated a "Letter of Authorization" to search. Our process was documented and we had good success with the program.

It takes time and money to conduct an investigation and I didn't like having scarce administrators or security personnel running off to chase a ghost in the machine. The process also made it clear to administrators we took the "unauthorized" access issues seriously. If an admin has domain rights, that doesn't entitle them to wander around the file systems into areas they don't belong, unless they have a need in their troubleshooting efforts.

At the end of the day, the entire process of looking through information to find evidence of inappropriate employee activity is not a lot of fun. There are times when it is necessary and times when it needs to be done yesterday. If I could show our company went through the same process each time, and documented information along the way, then I was successful. Good documentation stands on its own and makes it easier to support inquiries after a termination.

Oh, I also included a good awareness tip to new hires...the computer is owned by the company and is always open to search by the company. Also, don't use your personal computer on the company network. That can be searched too in many cases.



 
Password Really is the Key to the City
Thursday, 17 July 2008 03:05

I haven't posted in a couple of weeks. But this little incident was enough to jump in the saddle real quick. I am working on a couple of other posts which will appear soon.

This incident ongoing in San Francisco is an excellent example for employing "checks and balances." There should never be a situation where one person holds the only set of keys to the data. Never. What should happen then?

Well, every company is going to have one or two "trusted" people. I may be going out on a limb here. At least the owner or executive in charge should fit that category. At any rate, the "trusted" person should set an enterprise level password. Then they should write down the password, seal it in an envelope and stash it in a safe deposit box. Wait, you're not done. The enterprise level account should then be used to create sub-accounts for those entrusted to do system admin work. That way, if one of them does something they shouldn't, like locking out everyone's access, the enterprise level admin can still get in.

Of course, there is no real 100% solution to ensuring this type of event doesn't happen. Heck, the executive in charge could decide they've had enough and lock down the systems. Somewhere along the line a human being has to be trusted to do the right thing.

Maybe then, they could have the real keys to the city.
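The "checks and balances" idea above boils down to an access review: for every system, more than one trusted person must hold administrative rights, and the sealed enterprise-level account must exist on each of them so nobody can lock everyone else out. The following is an added example, not code from the post, that runs that review over a constructed inventory. The account names, the `ent-admin` label for the enterprise account, and the inventory itself are assumptions made up for the illustration.

```python
"""Audit admin assignments for the "one person holds the only keys" risk.

Constructed inventory (not from the post): each system lists the accounts
that hold administrative rights. All names are placeholders.
"""

# Assumed name of the sealed enterprise-level (break-glass) account.
BREAK_GLASS = "ent-admin"

# Constructed sample inventory: system -> accounts with admin rights.
INVENTORY = {
    "core-router-01": {"rsmith"},                        # one person, no break-glass
    "fileserver-01": {"ent-admin", "jdoe", "asmith"},    # healthy
    "billing-db": {"ent-admin", "jdoe"},                 # only one human admin
    "mail-gateway": {"jdoe", "asmith"},                  # break-glass missing
}


def human_admins(accounts, break_glass=BREAK_GLASS):
    """Return the admin accounts that belong to people, not the sealed account."""
    return {a for a in accounts if a != break_glass}


def audit(inventory, break_glass=BREAK_GLASS, min_humans=2):
    """Return {system: [issue, ...]} for every system that fails the review.

    Two rules, both taken from the post's procedure:
      * the enterprise-level account must be present, so it can always get in;
      * at least `min_humans` distinct people must hold admin rights, so no
        single person is the only holder of the keys.
    """
    findings = {}
    for system, accounts in sorted(inventory.items()):
        issues = []
        humans = human_admins(accounts, break_glass)
        if break_glass not in accounts:
            issues.append("no break-glass account")
        if not humans:
            issues.append("no human admin")
        elif len(humans) < min_humans:
            issues.append("single human admin (%s)" % sorted(humans)[0])
        if issues:
            findings[system] = issues
    return findings


if __name__ == "__main__":
    for system, issues in audit(INVENTORY).items():
        print("%-16s %s" % (system, "; ".join(issues)))
```

Run against a real inventory export, the same two rules surface the systems where a single departure, lockout, or dispute would leave the company without access, which is exactly the situation the post is warning about.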



 
Big Brother Can't Lead People
Saturday, 28 June 2008 07:09

People always seem to be afraid of Big Brother. They don't like to be watched or have the feeling they are being watched. I don't blame them. What is interesting to me is how some supervisors and managers want to rely on it when it might suit their needs.

It amazes me how many times I've had to turn down requests from these "leaders" attempting to use Big Brother as a management tool. I've heard the whole list of explanations:

1. My direct reports are spending too much time surfing the web.

2. I think someone is going to web sites they shouldn't be.

3. Can you block these sites?

4. I think someone is using eBay a lot.

5. Can you give me a report of web history on so and so?

When these types of requests come in by email or in person, I shake my head. This is a time when I should encourage "leaders" to lead. Get in there and talk with your people face to face. You're in charge. It is up to the leader to teach people what is expected and what is appropriate. Once the expectations are set and you find your folks still ignoring the boundaries, then turn it up a notch. Point out what is already covered and remind them if they don't cease they will be on the road of peril. Verbal warnings, then written warnings, performance improvement plans, up to termination.

Don't get me wrong. There are legitimate times when technology can and should be used to manage your teams. But recognize they don't want Big Brother. They would rather have you in the trenches with them. If there is too much time on their hands, then redefine their position. Challenge them. You also must recognize some people may require differing types of supervision. You will only learn what works best when you get to know your folks. Really, if you can't provide that type of leadership then you need to reflect on why you are in a leadership position.

The flip side of all of this for a business is figuring out how to use Big Brother effectively. Look at the reports. Obviously look at the categories of sites being visited. Look at user times and keep in mind some users will have a spike now and then. You will spot some obvious time wasters over a period of time. You will also see some obvious bandwidth wasters such as Internet Radio/TV, music, and other streaming junk. Use these areas as first hits to block.

In the end, you will find the right balance between Big Brother and appropriate use. If you can't get comfortable with it, then remove the content filters or block Internet usage. It comes down to you...lead or get out of the way.



 
Why go to Black Hat?
Thursday, 26 June 2008 01:32

The Black Hat Conference has been going on for years. For me, I've always said I would like to get there some day. Instead, I've always opted for making it to the RSA conference because the companies I've worked for were willing to send me to one or the other each year.

I used to believe the Black Hat conference was on the forbidden list for those of us certified with CISSP. Maybe this was true. I did a quick scan of the ethics policy on the www.isc2.org web site. It touches on many points which could be argued for and against when deciding to attend conferences like the Black Hat. I would argue for attending because I've always believed I might actually learn something about tips and tricks I'm trying to protect against.

I also believed Black Hat was more technical in nature. As I continue in my career, where I've been managing for a good number of years, I drift further away from solid keyboard interactions. I did notice in this year's tracks there are topics for folks like me. Even if I'm not a hard-core, hands-on technical professional, it still is good to attend classes that are. For me it keeps me plugged in with how things work at that level, which helps me understand appropriate needs in managing security analysts.

Nowadays I don't worry as much about maintaining the status of my certifications. I always do my best to operate in an ethical manner and don't think attending venues, such as the Black Hat, would cause me to do something unethical.

At any rate, I am not planning to be there this year either. I've been to RSA. Perhaps next year, I'll opt for the Black Hat instead.



 
Big Brother vs. Acceptable Balance
Sunday, 22 June 2008 13:17

One of the things I've learned over time is how people deal with change. Introducing an INFOSEC program needs to take this into account. It is also one of the most important lessons I learned...the hard way.

When I retired from the navy and moved to the civilian sector I admit I carried a large navy attitude. I was a Chief when I left. A navy chief is used to looking at problems and getting them solved asap. We're trained to make do with what we have; lead and motivate our people; and cut through the bullshit to reach the objective. It sounds a little arrogant. For the military, it works. In my new role as the first Information Security Manager for a rural wireless carrier, it didn't work so well.

You see, I know what should be done for good INFOSEC. When setting up the program, I went for the easy, quick hits to get security rolling. Instead, I ran right smack into a brick wall. I wasn't the chief anymore. I also was getting nowhere fast. You see, the direct approach wasn't working. People would look at me and some asked, "Who are you?" and "Why should we care?" I also discovered folks were not too willing to accept some of the security initiatives because they thought they fit into the "Big Brother" category. Oh great, someone is here to look over our backs. The open environment was over, and I was the one bringing in the change, making me the CBB, or Chief Big Brother. Others called me different names, which I'll leave to your imagination.

A good chief petty officer, or good leader, should always step back when hitting the brick wall, and reevaluate tactics. I did this and regrouped on my approach, and my leadership style. Leaders need to have multiple styles in their tool bag anyway. Sometimes you need to run into the wall first to recognize that.

What I realized is this: there is a difference between Big Brother and Acceptable Balance. People know this and may often jump to the conclusion a new security program is going to mean "Big Brother." If the program is implemented poorly that is what may happen. The challenge is in rolling out a new INFOSEC program in such a way it is meeting the needs of the business without going to the extreme of Big Brother. Of course, there may be exceptions when a Big Brother approach is absolutely needed. We'll save that for another day.

Finding an acceptable balance can be done, I believe, if the INFOSEC program is looked at from start to finish. A business should know what the objectives are before jumping in with both feet. The executive management should understand the risks, and make appropriate decisions to accept them or mitigate them. Before implementing anything, the front line of defense should be prepared and educated. That front line is your employee base. Without them, your INFOSEC program will go nowhere.

Take the time to discuss the needs for INFOSEC in your business. Put it into terms and scenarios your employees can relate to. Keep in mind that INFOSEC is going to be a new aspect to their jobs. For some it won't be a big deal. Others will kick and scream. After all, they weren't hired to worry about security. They are there to do marketing, sales, or some other field of specialty. Don't worry, eventually they will come along. If they don't, then it may be time for them to seek opportunity elsewhere--if you are serious about security yourselves.

Sit back and think about this for awhile. Selling and obtaining buy-in to INFOSEC will be needed to move in the direction of achieving an acceptable balance. As your program matures you may discover some aspects of it that will require a Big Brother mentality to achieve appropriate risk mitigation. The nice thing is it may seem to be just another aspect of your acceptable balance goal.

You'll get there one day at a time. And if you feel stuck, don't be afraid to reconsider your leadership style and make adjustments. A good chief petty officer is always compelled to do that. So are good leaders. What's fun is when you get to make that style change multiple times in an hour.

When I look back on how I did in getting my program started, I feel pretty good about it and I wouldn't give up the experience.

Good luck!



 
Securing Personal Data - Waste of Time?
Thursday, 19 June 2008 05:27

I've often been asked by friends and relatives why they should ensure their own personal data is protected. After all, it is only their home computer. What could anyone possibly want from that?

I read this interesting article today on Darkreading.com. It begins with the usual issues about stolen credit card numbers. The twist comes when an investigation has found other personal information, such as healthcare data, airline data, financial data, and so on.

Information about ourselves may seem relatively benign. But, consider what someone can do with it when they piece it together bit by bit, or when they hit the data load, and find out all kinds of things about you. In effect, the more information on you, the easier it is to impersonate you. Especially in the digital world. Bruce Schneier recently posted an article discussing LifeLock and Identity Theft. In fact, a search of his blog using keyword of "identity" shows he has covered the topic quite a bit.

At any rate, protecting information is not a new thing. Governments and corporations have been doing it for some time. You decide if they have been effective at it. Data protection from the business or government sector is something each of us individuals should learn, and apply it to our own lives. Really, each individual is a small business. Perhaps we should mind our own for a change.



 
INFOSEC Overcomplicated? Look at this Security Gateway Example
Sunday, 15 June 2008 11:45

Simplicity in security is something that doesn't happen very often. I've been in this career field for quite some time through the military and commercial sectors. I even try to practice what I preach at home. Throughout these years one thing has become clear to me. Information security is over complicated.

There are many reasons for that. Technology is an obvious one. It's one that gets many professionals in trouble too. How many times can you recall being snowed under or had someone attempt to snow you under with technical jargon? I've encountered a few over time and recognize there are several types of professionals who do it. One type does it to build a power base. They know if they spew enough technology, many people will just wave their hands about their head and face, then tell them ok, ok; I give. Another kind of professional will convey technology with an attitude that it will all be over your head anyway. And yet another, will sound incredulous if you question them in any fashion.

Back to my point about INFOSEC being over complicated. I began using an open source network security gateway on my home network. The gateway software is published by a company called Untangle. This thing is simplicity and it works. Now don't get me wrong, I enjoy geeking out and have done so, playing with various home routers, access points, etc. Sometimes I'll load an open source firmware on them so I can have more settings to control. Every time I do make tweaks or customizations to these things I often wonder what a normal person would do. Many just take them out of the box and plug them in. Default settings and all. They don't really care when NAT is occurring, or whether the firewall is stateful inspection or not. For them, it should just work.

I don't think vendors do enough to make home perimeter protection understandable enough. There still is a lot of "we know what is best" in their sales and you should just believe them. That's ok if the products worked. When I fired up my installation of Untangle it worked, mostly. I tweaked a little bit, mostly to tailor for my environment at home. The questions I had, I answered by poking around the forum and wiki areas. I don't expect the usual person to do that. Untangle is prepared for that too. They offer live professional support I've noticed on their site.

I'm certain the programming and concepts that drive the Untangle gateway are complicated. The nice thing is the user interface isn't. The reports automatically generated aren't either. A small business or extreme home user would find this gateway an excellent fit.

For the rest of us professionals, let's not forget we have a basic duty to keep things simple, yet secure. Not everyone is conversant in the technology fields. In fact, if you came at me with the jargon a plumber might use, I might develop a facial tic. Fortunately, most of the plumbers I've encountered understood it is in their best interest to communicate in a manner I might understand.


