It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel that responded to the disaster were prepared.
No one could have anticipated that Upstate New York was to be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations, and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a data breach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, its root cause should be addressed. Again, an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly, your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underwater 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.
This past Tuesday I spent the afternoon at a local college helping them work through their Risk Management process. In my opinion Risk Management is one of the least understood practices in information security, and consequently one of the most miscast, overlooked and underperformed. But it makes me happy.
Given that this is the first time that this client is going through Risk Management, we’ve spent a considerable amount of time evaluating risk in a number of areas of security. The evaluation has been thorough and complete, a testament to the client’s commitment. And caffeine load. It’s never easy the first time around.
Risk Management is misunderstood for many reasons, not the least of which is the calculation of risk itself. Evaluating risk has always been one of information security’s dark arts. Risk is conventionally expressed as the product of Likelihood and Impact, and calculating it can be difficult for a number of reasons. In most cases, asset owners and businesses are equipped to determine the impact of losses in confidentiality, integrity or availability of one or more assets. This is a reasonably simple process, even if estimated qualitatively. The difficulty arises when trying to establish likelihood.
Tuesday was a beautiful day. Sunny and warm with a slight breeze, it reminded me just how lucky we’ve been this summer, as the weather in these parts can suck year-round.
At approximately 10 minutes before 2 PM ET, I noticed a mild wobbling occurring in the room. Being engrossed in a conversation about Access Control, I dismissed it, thinking that perhaps someone had had a bit too much soda for lunch. After a few seconds the wobbling intensified, and several of us silently declared that something was amiss. The conversation trailed off and we each began inspecting each other, simultaneously looking for clues and confirmation that the building was indeed shaking, now uncontrollably. At that point we all stood up, enacted a mini crisis management plan and headed for the door.
Now we all know that the likelihood of an earthquake occurring on the East coast is near nil, and even less so in Albany. Right?
As we returned to the room after experiencing one of the Northeast’s rarest disaster scenarios (most of the campus was evacuated for a period of time), we had a newfound perspective on what is possible in the realm of information security. Luckily on this day, all we needed to combat this crisis was a little extra sunscreen.
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (whom I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized data breaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world receding to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.
As the owner of an information security firm, I am frequently faced with the challenge of figuring out who to deliver our message to. Most security practitioners would respond that security is everyone’s responsibility, and I don’t disagree. However when you’re in the business of marketing security services, and not just implementing, that shotgun mentality will just make a big, messy hole.
Yesterday I overheard my business partner on the phone with a prospect, a Compliance Officer for a large credit union. As my partner’s pitch rose to a crescendo, he was suddenly interrupted, replying “so that’s not your responsibility? So… I should talk to IT?” No matter how successful you are, you’re going to get your share of objections, rejections and denials. But deflections are different, particularly in security. Let me explain.
For a long time, information security was considered an IT problem. Why? Because the solutions – things like firewalls, antivirus software and access control lists – were only available from IT. This system worked for a while because the controls were well matched for the threats. But it created an unfortunate precedent, one that would eventually disarm businesses everywhere.
Fast forward to 2011. Today’s threats don’t look or act the way they did ten, five or even two years ago. And even though today’s threats are still rudimentary in nature, they cleverly outwit traditional security controls by avoiding them altogether. The firewalls and antivirus software that made IT synonymous with security are failing, and it’s causing a new problem – an identity problem. IT is not your security team. But if IT doesn’t do security, who does?
It’s not an easy answer, but if you can find the risk owners, you’re on the right track. Here are some suggestions, in order of greatest liability:
- At the highest level, business owners are responsible for the health and welfare of their employees, clients and businesses, and as such are implicitly accountable for ensuring the security of business assets. Whether it’s awareness training or data protection, the buck stops here. Of course, each business has unique risks, and every security program will, and should look different. Business owners are the primary risk owners.
- Next come asset owners. This is a term borrowed from ITIL and other organizational frameworks that seek to identify the chief decision makers for information and other systems. Asset owners, after business owners, are next in line for risk accountability, because they make decisions about business assets. The Human Resources Manager, the Comptroller, the Director of Development – these are all good examples of asset owners. This could be a large group of individuals, depending on the size of the organization.
- Next in line come those involved with compliance or audit. After all, it is these individuals who are measuring how well regulatory, statutory, commercial and other legal requirements are being met.
- Last are the employees of the business. Each and every member of the organization has a role on the security team and is a cog in the security machine. It is the responsibility of each individual to understand their role and responsibilities and implement the required behaviors to the best of their ability. Employees are the organization’s biggest, brightest and most capable security control – when they fail, it becomes a major weakness.
So where does that leave IT? As a service provider, your Information Technology team is simply doing what they are asked to do. Whether your security program is strong and mature or non-existent, remember that it wasn’t (or shouldn’t have been) IT that made it that way. IT’s job is to provide technology services that meet specific Service Levels to their clients – the departments, end users and asset owners in your business. They’ll be happy to secure your assets, but only after a business leader, asset owner or Compliance Officer has made the critical decision to do so.
So the next time someone calls you and asks if you’d like to talk about information security at your company, you know what to say.
It was roughly 6:30 AM ET when I rounded the last corner of my morning run, approaching the bridge over the Hudson River that would eventually lead me home. As I made the turn, I was headed East into the sunrise. I had less than one mile to go, and my playlist was a perfect concoction of Beastie Boys, MegaDeth and Foo Fighters. It was 60 degrees and a perfect morning for a run (if there is such a thing).
As I got to the foot of the bridge I noticed another runner coming towards me on the opposite side of the road. He was an older gentleman, probably in his late 50s or early 60s, tall and thin with grey hair. I’m always impressed when I see someone at that age out running, as it takes a feat of will to get me out the door some days, and I’m young enough to not be old.
As we approached each other, I began sizing him up as I assumed he did of me. Was I running faster than him? Was I in better shape? Was I running farther? As human beings we are programmed to be competitive by nature, if only to survive. It is instinctive to measure ourselves against one another, as our very ego depends on it.
Then it happened, as it nearly always does in these situations. As the older man passed me, he waved. And I waved back. Not just default, meaningless gestures, but a real momentary connection.
You see, regardless of egos or competitive spirit, we shared a common bond – the agony of the alarm clock, dehydration and fatigue. We were kindred spirits. Brothers in arms.
And then it occurred to me – why doesn’t this happen in the security industry?
In an environment where the agony is far greater than muscle cramps and much longer than 4 miles, why is it that competitors can’t share that same connection?
Perhaps it’s because money is involved. Some security companies are much more successful than others. This inequality can heighten rivalries, even if undue. Perhaps it’s because egos are involved. Just like athletes, everyone wants to feel like their firm is the best, even in the absence of real measurements. Perhaps it’s because security is a personal experience. It’s serious business, and people take it seriously.
If I had the answers I wouldn’t be writing this blog, I’d be fixing the problem. In any case, I, my partners, my team and all at GreyCastle Security are committed to sharing, partnering and promoting this industry by working together and not creating fiefdoms.
We’re not going to win this war if we’re fighting ourselves.