Thursday, 17 July 2008 03:05
I haven't posted in a couple of weeks, but this little incident was enough to get me back in the saddle real quick. I am working on a couple of other posts which will appear soon.

The incident ongoing in San Francisco is an excellent example of why "checks and balances" matter. There should never be a situation where one person holds the only set of keys to the data. Never. What should happen instead? Every company is going to have one or two "trusted" people. I may be going out on a limb here, but at least the owner or executive in charge should fit that category. At any rate, the "trusted" person should set an enterprise level password. Then they should write down the password, seal it in an envelope and stash it in a safe deposit box. Wait, you're not done. The enterprise level account should then be used to create sub-accounts for those entrusted to do system admin work. That way, if one of them does something they shouldn't, like locking out everyone's access, the enterprise level admin can still get in.

Of course, there is no real 100% solution to ensuring this type of event doesn't happen. Heck, the executive in charge could decide they've had enough and lock down the systems. Somewhere along the line a human being has to be trusted to do the right thing. Maybe then, they could have the real keys to the city.
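The tiered arrangement above (a sealed enterprise account that creates the day-to-day admin accounts, so no sysadmin can lock out the tier above) is easy to state and easy to get wrong in a directory. The model below is an added example written for this post, not code from any product or from the San Francisco incident: the account names, tier names and the rule that lockout only works downward are constructed assumptions.

```python
"""Tiered admin model: a sealed enterprise (break-glass) account creates
delegated admin accounts, and no delegated admin can lock out the tier above.
Added example for this post; the names and policy are constructed assumptions."""

from dataclasses import dataclass, field

ENTERPRISE = "enterprise"   # tier 0: the sealed-envelope account
DELEGATED = "delegated"     # tier 1: day-to-day sysadmins
USER = "user"               # tier 2: everyone else

TIER_RANK = {ENTERPRISE: 0, DELEGATED: 1, USER: 2}


@dataclass
class Account:
    name: str
    tier: str
    enabled: bool = True
    created_by: str = ""


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)

    def bootstrap(self, enterprise_name: str) -> Account:
        """The one trusted person sets up the enterprise account first."""
        acct = Account(enterprise_name, ENTERPRISE)
        self.accounts[enterprise_name] = acct
        return acct

    def create(self, actor: str, name: str, tier: str) -> Account:
        """Only an enabled account of a higher tier may create a lower-tier account."""
        creator = self._active(actor)
        if TIER_RANK[tier] <= TIER_RANK[creator.tier]:
            raise PermissionError(f"{actor} ({creator.tier}) cannot create a {tier} account")
        acct = Account(name, tier, created_by=actor)
        self.accounts[name] = acct
        return acct

    def disable(self, actor: str, target: str) -> bool:
        """Lockout is allowed only downward: a delegated admin can never
        disable the enterprise account or another account at its own tier."""
        who = self._active(actor)
        victim = self.accounts[target]
        if TIER_RANK[victim.tier] <= TIER_RANK[who.tier]:
            return False          # refused: not your tier to lock
        victim.enabled = False
        return True

    def can_sign_in(self, name: str) -> bool:
        return name in self.accounts and self.accounts[name].enabled

    def _active(self, name: str) -> Account:
        acct = self.accounts[name]
        if not acct.enabled:
            raise PermissionError(f"{name} is disabled")
        return acct


def rogue_admin_scenario() -> dict:
    """Walk through the post's scenario: one sysadmin tries to lock everyone out.
    Returns who can still sign in afterwards."""
    d = Directory()
    d.bootstrap("ent-root")                 # password sealed in the safe deposit box
    d.create("ent-root", "alice", DELEGATED)
    d.create("ent-root", "bob", DELEGATED)
    d.create("alice", "carol", USER)
    d.disable("bob", "carol")               # bob locks out a user: allowed
    d.disable("bob", "alice")               # bob tries to lock a peer: refused
    d.disable("bob", "ent-root")            # bob tries to lock the enterprise account: refused
    return {n: d.can_sign_in(n) for n in ("ent-root", "alice", "bob", "carol")}


def delegated_admin_cannot_mint_enterprise() -> bool:
    """A sub-account must not be able to create a second 'keys to the city' account."""
    d = Directory()
    d.bootstrap("ent-root")
    d.create("ent-root", "alice", DELEGATED)
    try:
        d.create("alice", "shadow-root", ENTERPRISE)
    except PermissionError:
        return True
    return False
```

The point of the tier check in `disable` is the one the post makes: the sealed account can still get in after a delegated admin misbehaves, because the directory itself refuses the upward lockout rather than relying on the admin's good behaviour.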
Saturday, 28 June 2008 07:09
People always seem to be afraid of Big Brother. They don't like to be watched or have the feeling they are being watched. I don't blame them. What is interesting to me is how some supervisors and managers want to rely on it when it might suit their needs. It amazes me how many times I've had to turn down requests from these "leaders" attempting to use Big Brother as a management tool. I've heard the whole list of explanations:

1. My direct reports are spending too much time surfing the web.
2. I think someone is going to web sites they shouldn't be.
3. Can you block these sites?
4. I think someone is using eBay a lot.
5. Can you give me a report of web history on so and so?

When these types of requests come in by email or in person, I shake my head. This is a time when I should encourage "leaders" to lead. Get in there and talk with your people face to face. You're in charge. It is up to the leader to teach people what is expected and what is appropriate. Once the expectations are set and you find your folks still ignoring the boundaries, then turn it up a notch. Point out what is already covered and remind them that if they don't cease they will be on the road to peril: verbal warnings, then written warnings, performance improvement plans, up to termination.

Don't get me wrong. There are legitimate times when technology can and should be used to manage your teams. But recognize they don't want Big Brother. They would rather have you in the trenches with them. If there is too much time on their hands, then redefine their position. Challenge them. You also must recognize some people may require differing types of supervision. You will only learn what works best when you get to know your folks. Really, if you can't provide that type of leadership then you need to reflect on why you are in a leadership position.

The flip side of all of this for a business is figuring out how to use Big Brother effectively. Look at the reports. Obviously look at the categories of sites being visited. Look at user times and keep in mind some users will have a spike now and then. You will spot some obvious time wasters over a period of time. You will also see some obvious bandwidth wasters such as Internet radio/TV, music, and other streaming junk. Use these areas as first hits to block. In the end, you will find the right balance between Big Brother and appropriate use. If you can't get comfortable with it, then remove the content filters or block Internet usage. It comes down to you...lead or get out of the way.
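The two reports the last paragraph asks for, browsing time per user and bandwidth per category with streaming flagged first, can be produced from a web-filter log with a few lines of code. The script below is an added example, not from the post or from any filtering vendor: the five-field log format and the sample lines are constructed, and the category names and thresholds are assumptions.

```python
"""Per-user browsing time and per-category bandwidth from web-filter log lines,
the two reports the post says to look at first. Added example; the log format,
the sample lines and the streaming category names are constructed assumptions."""

from collections import defaultdict

# Constructed sample log: "YYYY-MM-DD HH:MM user category bytes"
SAMPLE_LOG = """\
2008-06-27 09:01 jsmith news 15234
2008-06-27 09:03 jsmith news 8231
2008-06-27 09:05 jsmith shopping 40211
2008-06-27 09:06 jsmith shopping 3399
2008-06-27 10:15 jsmith auctions 9120
2008-06-27 09:02 mlee streaming-audio 5100000
2008-06-27 09:17 mlee streaming-audio 4800000
2008-06-27 09:31 mlee streaming-audio 5200000
2008-06-27 11:02 mlee business 2200
2008-06-27 13:40 tgarcia streaming-video 12000000
2008-06-27 13:41 tgarcia news 3000
this line is malformed and must be skipped
"""

# Assumed category names for "Internet radio/TV, music, and other streaming junk".
STREAMING_CATEGORIES = {"streaming-audio", "streaming-video", "internet-radio"}


def parse(log_text):
    """Yield (date, hh:mm, user, category, bytes); skip malformed lines instead of crashing."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, hhmm, user, category, size = parts
        try:
            yield date, hhmm, user, category, int(size)
        except ValueError:
            continue


def user_minutes(log_text):
    """Approximate browsing time per user as the number of distinct minutes with a request.
    A single busy minute counts once, so a short spike does not inflate the total."""
    minutes = defaultdict(set)
    for date, hhmm, user, _category, _size in parse(log_text):
        minutes[user].add((date, hhmm))
    return {user: len(m) for user, m in minutes.items()}


def time_wasters(log_text, min_minutes):
    """Users at or above the threshold, heaviest first."""
    ranked = [(u, m) for u, m in user_minutes(log_text).items() if m >= min_minutes]
    return sorted(ranked, key=lambda um: (-um[1], um[0]))


def category_bytes(log_text):
    """Total bytes per category."""
    totals = defaultdict(int)
    for _date, _hhmm, _user, category, size in parse(log_text):
        totals[category] += size
    return dict(totals)


def block_candidates(log_text):
    """Streaming categories seen in the log, ordered by bandwidth: the 'first hits to block'."""
    totals = category_bytes(log_text)
    hits = [(c, b) for c, b in totals.items() if c in STREAMING_CATEGORIES]
    return sorted(hits, key=lambda cb: -cb[1])


def streaming_share(log_text):
    """Fraction of all bytes that went to streaming categories."""
    totals = category_bytes(log_text)
    total = sum(totals.values())
    if total == 0:
        return 0.0
    return sum(b for c, b in totals.items() if c in STREAMING_CATEGORIES) / total


if __name__ == "__main__":
    print("minutes per user:", user_minutes(SAMPLE_LOG))
    print("time wasters (>= 4 min):", time_wasters(SAMPLE_LOG, 4))
    print("block first:", block_candidates(SAMPLE_LOG))
    print("streaming share of bandwidth: %.1f%%" % (100 * streaming_share(SAMPLE_LOG)))
```

Counting distinct minutes rather than requests is deliberate: one page load can fire dozens of requests, so request counts exaggerate exactly the spikes the post warns about. Over a real period of days the same functions run on the concatenated logs.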
Thursday, 26 June 2008 01:32
The Black Hat Conference has been going on for years. For me, I've always said I would like to get there some day. Instead, I've always opted for making it to the RSA conference because the companies I've worked for were willing to send me to one or the other each year.
I used to believe the Black Hat conference was on the forbidden list for those of us certified with CISSP. Maybe this was true. I did a quick scan of the ethics policy on the www.isc2.org web site. It touches on many points which could be argued for and against when deciding to attend conferences like Black Hat. I would argue for attending because I've always believed I might actually learn something about the tips and tricks I'm trying to protect against.
I also believed Black Hat was more technical in nature. As I continue in my career, where I've been managing for a good number of years, I drift further away from solid keyboard interactions. I did notice in this year's track there are topics for folks like me. Even if I'm not a hard core hands-on technical professional, it still is good to attend classes that are. For me it keeps me plugged in with how things work at that level, which helps me understand appropriate needs in managing security analysts.
Nowadays I don't worry as much about maintaining the status of my certifications. I always do my best to operate in an ethical manner and don't think attending venues such as Black Hat would cause me to do something unethical.
At any rate, I am not planning to be there this year either. I've been to RSA. Perhaps next year, I'll opt for Black Hat instead.
Sunday, 22 June 2008 13:17
One of the things I've learned over time is how people deal with change. Introducing an INFOSEC program needs to take this into account. It is also one of the most important lessons I learned...the hard way.

When I retired from the navy and moved to the civilian sector I admit I carried a large navy attitude. I was a Chief when I left. A navy chief is used to looking at problems and getting them solved asap. We're trained to make do with what you have; lead and motivate your people; and cut through the bullshit to reach the objective. It sounds a little arrogant. For the military, it works.

In my new role as the first Information Security Manager for a rural wireless carrier, it didn't work so well. You see, I know what should be done for good INFOSEC. When setting up the program, I went for the easy, quick hits to get security rolling. Instead, I ran right smack into a brick wall. I wasn't the chief anymore, and I was getting nowhere fast. The direct approach wasn't working. People would look at me and some asked, "Who are you?" and "Why should we care?" I also discovered folks were not too willing to accept some of the security initiatives because they thought they fit into the "Big Brother" category. Oh great, someone is here to look over our backs. The open environment was over, and I was the one bringing in the change, making me the CBB, or Chief Big Brother. Others called me different names, which I'll leave to your imagination.

A good chief petty officer, or any good leader, should always step back when hitting the brick wall and reevaluate tactics. I did this and regrouped on my approach and my leadership style. Leaders need to have multiple styles in their tool bag anyway. Sometimes you need to run into the wall first to recognize that.

What I realized is this: there is a difference between Big Brother and Acceptable Balance. People know this and may often jump to the conclusion that a new security program is going to mean "Big Brother." If the program is implemented poorly, that is what may happen. The challenge is in rolling out a new INFOSEC program in such a way that it meets the needs of the business without going to the extreme of Big Brother. Of course, there may be exceptions when a Big Brother approach is absolutely needed. We'll save that for another day.

Finding an acceptable balance can be done, I believe, if the INFOSEC program is looked at from start to finish. A business should know what the objectives are before jumping in with both feet. The executive management should understand the risks, and make appropriate decisions to accept them or mitigate them. Before implementing anything, the front line of defense should be prepared and educated. That front line is your employee base. Without them, your INFOSEC program will go nowhere. Take the time to discuss the needs for INFOSEC in your business. Put it into terms and scenarios your employees can relate to. Keep in mind that INFOSEC is going to be a new aspect of their jobs. For some it won't be a big deal. Others will kick and scream. After all, they weren't hired to worry about security. They are there to do marketing, sales, or some other field of specialty. Don't worry, eventually they will come along. If they don't, then it may be time for them to seek opportunity elsewhere--if you are serious about security yourselves.

Sit back and think about this for a while. Selling and obtaining buy-in to INFOSEC will be needed to move in the direction of achieving an acceptable balance. As your program matures you may discover some aspects of it that will require a Big Brother mentality to achieve appropriate risk mitigation. The nice thing is it may seem to be just another aspect of your acceptable balance goal. You'll get there one day at a time. And if you feel stuck, don't be afraid to reconsider your leadership style and make adjustments. A good chief petty officer is always compelled to do that. So are good leaders. What's fun is when you get to make that style change multiple times in an hour.

When I look back on how I did in getting my program started, I feel pretty good about it and I wouldn't give up the experience. Good luck!
Thursday, 19 June 2008 05:27
I've often been asked by friends and relatives why they should ensure their own personal data is protected. After all, it is only their home computer. What could anyone possibly want from that?

I read an interesting article today on Darkreading.com. It begins with the usual issues about stolen credit card numbers. The twist comes when an investigation finds other personal information as well: healthcare data, airline records, financial data, and so on. Information about ourselves may seem relatively benign. But consider what someone can do with it when they piece it together bit by bit, or when they hit the mother lode of data and find out all kinds of things about you. In effect, the more information there is on you, the easier it is to impersonate you, especially in the digital world.

Bruce Schneier recently posted an article discussing LifeLock and identity theft. In fact, a search of his blog using the keyword "identity" shows he has covered the topic quite a bit.

At any rate, protecting information is not a new thing. Governments and corporations have been doing it for some time. You decide if they have been effective at it. Data protection as practiced in the business or government sector is something each of us individuals should learn and apply to our own lives. Really, each individual is a small business. Perhaps we should mind our own for a change.
Sunday, 15 June 2008 11:45
Simplicity in security is something that doesn't happen very often. I've been in this career field for quite some time through the military and commercial sectors. I even try to practice what I preach at home. Throughout these years one thing has become clear to me: information security is over complicated. There are many reasons for that. Technology is an obvious one. It's one that gets many professionals in trouble too.

How many times can you recall being snowed under, or had someone attempt to snow you under, with technical jargon? I've encountered a few over time and recognize there are several types of professionals who do it. One type does it to build a power base. They know if they spew enough technology, many people will just wave their hands about their head and face, then say ok, ok; I give. Another kind of professional will convey technology with an attitude that it will all be over your head anyway. And yet another will sound incredulous if you question them in any fashion.

Back to my point about INFOSEC being over complicated. I began using an open source network security gateway on my home network. The gateway software is published by a company called Untangle. This thing is simplicity and it works. Now don't get me wrong, I enjoy geeking out and have done so, playing with various home routers, access points, etc. Sometimes I'll load an open source firmware on them so I can have more settings to control. Every time I make tweaks or customizations to these things I often wonder what a normal person would do. Many just take them out of the box and plug them in, default settings and all. They don't really care when NAT is occurring, or whether the firewall does stateful inspection or not. For them, it should just work. I don't think vendors do enough to make home perimeter protection understandable. There still is a lot of "we know what is best" in their sales pitch, and you should just believe them. That would be ok if the products worked.

When I fired up my installation of Untangle it worked, mostly. I tweaked a little bit, mostly to tailor it for my environment at home. The questions I had, I answered by poking around the forum and wiki areas. I don't expect the usual person to do that. Untangle is prepared for that too; I've noticed they offer live professional support on their site. I'm certain the programming and concepts that drive the Untangle gateway are complicated. The nice thing is the user interface isn't. The reports automatically generated aren't either. A small business or extreme home user would find this gateway an excellent fit.

For the rest of us professionals, let's not forget we have a basic duty to keep things simple, yet secure. Not everyone is conversant in the technology fields. In fact, if you came at me with the jargon a plumber might use, I might develop a facial tic. Fortunately, most of the plumbers I've encountered understood it is in their best interest to communicate in a manner I might understand.
Tuesday, 10 June 2008 06:22
I first started talking about data here. Continuing the thought process, I think the aim should be to start out simply. Data classifications and data categories can be a rather daunting task. That is probably why many businesses don't do it at all. But if you are starting out in a new business, take some time to build it in. Start with some obvious categories, naming them after each job function or planned department, such as HR, Sales, Accounting, Finance, Engineering, etc. Then think about the following questions:

1. What is the purpose of the data?
2. How does the data fit into business needs or requirements?
3. Does the data have any regulatory requirements?
4. Who will need access to the data?
5. How long should the data be kept?
6. Who will OWN the data throughout its life?
7. Where will it be stored?
8. When will it be backed up?
9. What happens if the data is accessed by the wrong people?
10. What happens if the data is lost?

The questions above may not be all inclusive, but they are a simple start. The next trick will be training yourself to actually put keywords into the document properties. This will help in searching, organizing, etc. I'll make the point again: once you understand what your data is, you can make decisions on how to handle it while in transit and at rest. You can also decide what type of network, server, and desktop infrastructure should be created to support and manage the data. My next thoughts will venture into building out a simple hardware infrastructure to do just that--manage and protect data.

If you are in an existing company, you could begin this process too. However, I'd suggest starting out small. If you take too big of a bite, you might be scared off. It will be a lot to chew. In the end, though, it'll be better than not doing anything at all.
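The payoff of answering those ten questions is that the handling rules (transit, rest, backup, retention, who gets access, which keywords go into document properties) fall out of the answers mechanically. The script below is an added example for this post, not a standard or anyone's product: the category records, the impact levels, the encryption and backup thresholds, and the keyword scheme are all constructed assumptions.

```python
"""Derive handling rules from the answers to the post's classification questions,
and flag categories whose answers are still missing. Added example; the inventory
records, thresholds and keyword scheme are constructed assumptions."""

from dataclasses import dataclass
from typing import FrozenSet, List

IMPACT_LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class DataCategory:
    name: str                   # named after the department: HR, Sales, ...
    purpose: str                # Q1: what is the data for
    regulated: bool             # Q3: any regulatory requirement
    access: FrozenSet[str]      # Q4: roles that need it
    retention_years: int        # Q5: how long to keep it
    owner: str                  # Q6: who owns it throughout its life
    impact_if_exposed: str      # Q9: the wrong people see it (low/moderate/high)
    impact_if_lost: str         # Q10: it is gone (low/moderate/high)


def missing_answers(cat: DataCategory) -> List[str]:
    """Which questions still lack a usable answer, in field order."""
    gaps = []
    if not cat.purpose.strip():
        gaps.append("purpose")
    if not cat.access:
        gaps.append("access")
    if cat.retention_years <= 0:
        gaps.append("retention_years")
    if not cat.owner.strip():
        gaps.append("owner")
    if cat.impact_if_exposed not in IMPACT_LEVELS:
        gaps.append("impact_if_exposed")
    if cat.impact_if_lost not in IMPACT_LEVELS:
        gaps.append("impact_if_lost")
    return gaps


def handling_rules(cat: DataCategory) -> dict:
    """Decide transit/rest/backup/retention/keyword handling from the classification alone.
    Thresholds are assumptions: regulated or high-exposure-impact data is encrypted at rest."""
    if missing_answers(cat):
        raise ValueError(f"{cat.name}: answer the classification questions first")
    sensitive = cat.regulated or cat.impact_if_exposed == "high"
    return {
        "encrypt_at_rest": sensitive,
        "encrypt_in_transit": sensitive or cat.impact_if_exposed == "moderate",
        "backup": "daily" if cat.impact_if_lost == "high" else "weekly",
        "retain_years": cat.retention_years,
        "access_roles": sorted(cat.access),
        # keywords to put into document properties so files can be searched and sorted
        "doc_keywords": sorted({cat.name.lower(),
                                "regulated" if cat.regulated else "internal",
                                f"owner:{cat.owner}"}),
    }


# Constructed inventory for a small company (assumed values, not a recommendation).
INVENTORY = {
    "HR": DataCategory("HR", "payroll and personnel files", True,
                       frozenset({"hr", "payroll"}), 7, "HR Director", "high", "high"),
    "Marketing": DataCategory("Marketing", "campaign drafts and collateral", False,
                              frozenset({"marketing", "sales"}), 2, "Marketing Manager",
                              "low", "moderate"),
}

# A half-finished entry, as happens when someone starts the inventory and stops.
INCOMPLETE = DataCategory("Engineering", "design documents", False, frozenset(), 0, "",
                          "moderate", "high")


if __name__ == "__main__":
    for name, cat in INVENTORY.items():
        print(name, handling_rules(cat))
    print("Engineering still needs:", missing_answers(INCOMPLETE))
```

Refusing to emit rules for an incomplete category is the small-bite discipline the post recommends: a category is either classified well enough to act on, or it is visibly on the to-do list.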
Thursday, 05 June 2008 10:48
I remember when USB flash drives came out. It was the coolest thing and so easy. But do these things really help us transport data or hurt us? I came across a couple of articles recently I thought I would pass along...of course with commentary.

First, this one about HP shipping USB sticks with malware. This was an interesting attack vector, which seems isolated to a particular type of HP server. The question is: were these USB drives infected inside HP, at the manufacturer, or somewhere in between? What steps need to be considered to prevent this from happening again?

Another story reported the police recovering a stolen USB device which contained health records on patients. The device was stolen from an employee's office and a separate investigation is underway because it's against policy to store this type of data unencrypted. Why would patient data need to be on a USB stick in the first place?

The whole issue comes around to ease of use for USB flash drives. They are small, easy to hide, easy to lose. Every computer has a USB port. It's nothing to copy something off a computer to the stick, then transport the stick. These things are given away as promotional items. I've read about people finding them outside their office. They pick them up, then plug them in to their work computers inside. A neat trick for hackers.

So what do we do? Well, technically, the USB ports can be disabled in an office. But then you have to keep track of devices that need to be plugged in for legitimate reasons. There are logical controls to use, but they could be expensive to own and maintain. A more expensive option is to use a flash drive that encrypts data on the USB stick itself. Any data that touches it is encrypted. No way around it. The company that makes these is called IronKey. I'm actually testing these out right now for my company. I'm looking at the enterprise version, which gives me the ability to remotely manage them. And if someone steals it, entering the wrong password more than a specified number of times causes the data and the device to self destruct. Sounds a little like Mission Impossible. At least if I lose it I won't worry about who might find it. Anything on it is safe.

I know, sounds like a sales pitch. But when I look at the two stories above, the goal is finding a solution that doesn't require people to always do the right thing. Saving a file to an encrypted folder is easy to forget when one is in a hurry. The cost of an all-encrypted device is cheap considering it may keep your name out of the news.
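To make the two properties above concrete (everything written to the stick is encrypted with no plaintext path, and too many wrong passwords destroy the key material and the data), here is a small software model of such a device. It is an added example and not IronKey's code or design: the PBKDF2 password derivation, the HMAC-SHA256 counter keystream standing in for the device's own cipher, the integrity tag per file, and the attempt limit are all constructed assumptions.

```python
"""Model of a hardware-encrypted USB stick that wipes itself after too many
wrong passwords, the behaviour this post describes. Added example, not IronKey's
code: the PBKDF2 derivation, the HMAC-SHA256 keystream used as a stand-in for
the device's own cipher, and the attempt limit are assumptions."""

import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # assumption; a real device does this in hardware

# Constructed sample record standing in for the patient data in the news story.
RECORD = b"patient_id,name,dob\n1001,Jane Doe,1970-01-01\n"


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedStick:
    def __init__(self, password: str, max_attempts: int = 10):
        self.max_attempts = max_attempts
        self.failed = 0
        self.destroyed = False
        self._salt = os.urandom(16)
        self._files = {}          # name -> (nonce, ciphertext, tag)
        self._key = None          # held only while unlocked
        self._verifier = self._tag(self._derive(password), b"verifier")

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, KDF_ITERATIONS, 32)

    @staticmethod
    def _tag(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def unlock(self, password: str) -> bool:
        """Count every failure; at the limit, erase the key material and all data."""
        if self.destroyed:
            return False
        key = self._derive(password)
        if not hmac.compare_digest(self._tag(key, b"verifier"), self._verifier):
            self.failed += 1
            if self.failed >= self.max_attempts:
                self._self_destruct()
            return False
        self.failed = 0
        self._key = key
        return True

    def lock(self) -> None:
        self._key = None

    def write(self, name: str, plaintext: bytes) -> None:
        """Everything stored goes through the cipher; there is no plaintext path."""
        key = self._require_key()
        nonce = os.urandom(16)
        ct = _xor(plaintext, _keystream(self._tag(key, nonce), len(plaintext)))
        self._files[name] = (nonce, ct, self._tag(key, nonce + ct))

    def read(self, name: str) -> bytes:
        key = self._require_key()
        nonce, ct, tag = self._files[name]
        if not hmac.compare_digest(tag, self._tag(key, nonce + ct)):
            raise ValueError("integrity check failed")
        return _xor(ct, _keystream(self._tag(key, nonce), len(ct)))

    def _require_key(self) -> bytes:
        if self._key is None:
            raise PermissionError("unlock the device first")
        return self._key

    def _self_destruct(self) -> None:
        """Overwrite salt, verifier and every ciphertext so nothing is recoverable."""
        self._salt = bytes(16)
        self._verifier = bytes(32)
        self._files = {n: (bytes(16), bytes(len(ct)), bytes(32))
                       for n, (_, ct, _) in self._files.items()}
        self._key = None
        self.destroyed = True


def stolen_stick_scenario() -> dict:
    """Owner writes a record, loses the stick, and a finder guesses passwords."""
    stick = EncryptedStick("correct horse battery", max_attempts=3)
    if not stick.unlock("correct horse battery"):
        raise RuntimeError("owner could not unlock a fresh device")
    stick.write("patients.csv", RECORD)
    read_back = stick.read("patients.csv")
    stick.lock()
    attempts = 0
    for guess in ("password", "123456", "letmein", "qwerty"):   # constructed guesses
        attempts += 1
        stick.unlock(guess)
        if stick.destroyed:
            break
    return {
        "read_back": read_back,
        "attempts_until_wipe": attempts,
        "destroyed": stick.destroyed,
        "owner_can_unlock_after": stick.unlock("correct horse battery"),
        "ciphertext_zeroed": all(ct == bytes(len(ct)) for _, ct, _ in stick._files.values()),
    }
```

Two details carry the post's argument. `write` has no unencrypted branch, which is what makes the device safe for the person in a hurry who forgets the encrypted folder. And `_self_destruct` wipes the salt and verifier as well as the ciphertexts, so after the limit even the legitimate password recovers nothing.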
Wednesday, 04 June 2008 21:13
Wow! Two backup tapes lost with customer information. The tapes were unencrypted. Follow this article for all the details. One detail I'm going to jump on is a comment reported in the article:
"NY Bank ‘loses’ 4.5M unencrypted customer records by ZDNet's Michael Krigsman -- In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations."
The comment, reported in the above article, was made by the BNY Mellon's Chief Risk Officer, Todd Gibbons. He said the bank now plans to improve security related to backup tapes.
Another WOW! A financial institution such as this should know better. It would seem another improvement in security related to the bank should be the firing of the CRO and the tape transport company. There are probably others in there too.
What really gets me is when a company waits to make improvements in security only after an incident. Think of the damage to the reputation of the company. How much does that cost? Think of the damage to the 4.5 million people. How much will that cost? I can think of times in my past when I pushed and pushed to implement new security processes. Two that come to mind were approved right after an incident occurred. The first incident was a virus/worm outbreak within the company. We recalled the entire IT staff to help contain and remediate. The other was an increase in strange activity out in the parking lot. Employee safety was the issue here and we received the funding for installation of a video surveillance system.
I understand the necessary balance between risk and cost. But come on. Just once, consider the incalculable cost of an incident. Can your company absorb it? Just take the time to assess, train, implement, protect, lock, etc. It may save money in the long run.
Imagine yourself standing in front of the board explaining why you had unencrypted tapes leaving the building. You might wish those tapes had left the building with Elvis.