Archive | December 2011

Life or Death Decisions in Information Security

On Friday an Albany police officer shot and killed a 19-year old male when a routine traffic stop turned violent.

The suspect, now deceased, allegedly reached for the loaded .22 caliber handgun he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.

A public press hearing was held, which quickly became explosive: a chaotic scene with emotions running high.

While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.

There are no absolutes in our business.

One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.

On the street it can get you killed. In the workplace the worst is usually termination of a different sort.

And sometimes it’s hard to know what side you’re on.

Stratfor, Comodo, RSA and HBGary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were – yet they became victims because they didn’t practice what they preached.

On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.

Friday’s press hearing in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information, and both sides made assumptions about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.

What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.

There are no absolutes in our business.

Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.

Great security providers will be able to do all of that while taking enemy fire.

Security Resolutions for 2012

When most people think of resolutions for the upcoming year, they think about gym memberships and Nicorette.

We think about advanced malware discovery.

Now to be completely honest, those of us at GreyCastle Security do think about things other than information security. We like Indian food. And a good drum solo. But when it comes to making meaningful changes for 2012, we’re all business.

Without doing a whole lot of bragging, 2011 has been a good year for us. But like any business, you must adapt or suffer the consequences. And in this industry, things change rapidly. Threats, vulnerabilities, budgets – even our clients and prospects.

So as December fades into January, or as we call it – Strategic Planning Season – we’re performing a little field surgery on GreyCastle Security. Some of it is cosmetic. Some of it is orthopedic. All of it will help us be even better in 2012 than we were in 2011.

Here’s a preview:

  1. We’re going to assess our services. Today we offer world-class services that deliver real results. The frameworks and methodologies that we utilize are effective and consistent, hardened and trued over the years by experts with decades of experience. This is our strength. And potentially our weakness. The world is changing, and so is the perception of information security. In 2012 we will develop ways to position and deliver our services that challenge the traditions that we lean on.
  2. We’re going to assess our pricing. Our current pricing is fair and balanced and provides clients with convenient options. But it may not accurately represent the value of the services that we deliver. Over the next few months we will revisit our pricing to ensure that both GreyCastle Security and our clients are experiencing maximum ROI.
  3. We’re going to assess our competition. Today we have no direct competitors. Tomorrow that advantage could vanish. National providers, IT VARs, independent consultants and others all see the opportunity in information security, and they want a piece of the rapidly growing pie. Our lead on these entities is substantial, but we must be strategic in our thinking and tactical in our advances if we are to maintain this lead.
  4. We’re going to assess the enemy. More accurately, enemies, some of which are working for the good guys. In this battle we are being flanked on all sides by hackers, malicious insiders, well-meaning employees, nation states, compliance requirements, security vendors, the government – the list is long. And we will keep our sights trained on the true enemy – risk – and continue to deliver services that effectively reduce risk for our clients.
  5. We’re going to assess our brand. Success requires many skills and attributes, none more important than trust and integrity. We will infuse these characteristics into everything we do. And the world will know we are GreyCastle Security.

We have seen countless predictions of what 2012 will bring: increases in mobile malware, a predilection for the cloud, the rise of targeted attacks and continued security unawareness.

For those who recognize the need for adequate protective measures these are simply challenges to be met by a solid business plan and security fundamentals.

For the rest of you, may I suggest an updated resume. 🙂

We wish you a healthy and prosperous New Year.

A Blast of Fresh Holiday Security Cheer

The holiday season is a great time of year, one of my favorites. Cookies and mistletoe, decorations and caroling, the festive spirit always brings out the best in people.

I’m kidding about the caroling, but the holidays definitely put me in a good mood. Everything looks brighter, and my attitude is more positive. I generally feel better about life, even if circumstances haven’t changed.

So I suppose it’s no surprise that I’m here to provide each of you with a fresh perspective on your information security headaches. Yes, I’m sure you’ve all had serious problems this year – technical, financial or operational – and you’re expecting more in 2012. But now is a time for reflection. A time for renewal. A time to forget old acquaintance, and auld lang syne.

Consider it my gift to you.

So get yourself a warm cookie and a chilled goblet of your favorite Christmas cheer, and grab a cozy in front of the fireplace while I attempt to make eggnog out of rotten security eggs.

  • You’re only as bad as your last fail – We’re all human, and we all have the same defensive mechanisms. This means that, in general, people will only remember your last disaster. So cheer up! The SQL injection flaws you left exposed in April don’t matter anymore; all that matters today is the massive data breach from November. Tomorrow is a new day.
  • The good guys will always be behind – By definition, we will always be in reactive, defensive mode, but that’s OK! If you do the math you realize that they can’t get all of us. Also, we may be losing the race but there are only two runners so we’re guaranteed second place. That’s a silver medal in some contests.
  • There are no guarantees – There is no such thing as 100% secure – so find comfort in that fact. The day I gave up thinking I would ever dunk a basketball was a happy day, I just didn’t know it yet. Mediocrity can be invigorating if given a chance and approached with the right perspective. You’re as likely to secure your enterprise as I am to dunk a basketball. Enjoy.
  • It’s always going to be this bad – Things in the information security Universe are frighteningly bad, but it’s always been this way and it always will be. So relax – there’s no sense killing yourself over something you have little control over. Read a book. Go to lunch. Or even better, get your Law degree and save your career.
  • Everyone else has problems, too – If all of the above attempts to freshen your perspective have failed, rest easy – the bank across the street really has it bad. So does the hospital you go to. And the fast food chain where you had lunch today. Oh and don’t forget about your car dealer, your kids’ college and your church. And every other business within visible range. In fact, you’re probably no worse off than anyone else. So take a deep breath and revel in the fact that everyone sucks at security.

By now you’re probably ready to build a snowman and donate your bonus to charity, so I’ll let you get back to your holiday preparations. Just remember that there’s a bright side to information security and there’s no better time than the holidays to celebrate that fact.

I feel better already.
Information Security – How Much is Enough?

Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?

Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:

  1. How secure am I?
  2. Am I more secure than I was last year?
  3. How much should I be spending on security?

Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.

Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.

Enter security metrics.

Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.

Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.

To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.

The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.

The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.

Here are some metrics to consider:

  1. Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
  2. Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
  3. Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
  4. Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
  5. Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?

The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
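The five metrics above are all ratios or mean durations over records that most organizations already hold in a CMDB, change-ticket system, incident tracker, patch tool and training system. The following is an added example, not code from the original post or from GreyCastle Security: it computes each metric over constructed sample records for one reporting period, so the same function can be run each month and the results trended. The record types, field names, the 14-day critical-patch policy, the 30-day month used for the assessment window and all sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


# Simplified record types (hypothetical stand-ins for exports from a CMDB,
# change system, incident tracker, patch tool and training system).
@dataclass
class Asset:
    name: str
    last_assessed: Optional[date]      # None: never evaluated by Risk Management

@dataclass
class Change:
    ticket: str
    security_reviewed: bool
    caused_rework_or_violation: bool   # downstream rework, or root cause of a violation

@dataclass
class Incident:
    ident: str
    critical: bool
    discovered_by: str                 # "internal" or "external" (customer, partner, ...)
    occurred: datetime
    discovered: datetime
    recovered: Optional[datetime]      # None: still open

@dataclass
class Patch:
    ident: str
    critical: bool
    released: date
    applied: Optional[date]            # None: not yet applied

@dataclass
class Employee:
    name: str
    trained: bool
    avoidable_incidents: int


def _ratio(part: int, whole: int) -> float:
    """Fraction part/whole; 0.0 when there is nothing to measure (no ZeroDivisionError)."""
    return part / whole if whole else 0.0


# 1. Risk Assessment Coverage (30-day months are an approximation used here)
def risk_assessment_coverage(assets, as_of: date, months: int) -> float:
    window_start = as_of - timedelta(days=30 * months)
    covered = sum(1 for a in assets
                  if a.last_assessed is not None and a.last_assessed >= window_start)
    return _ratio(covered, len(assets))


# 2. Percent of Changes with Security Review
def change_review_metrics(changes):
    """Returns (share reviewed, share of UNreviewed changes that caused rework/violations)."""
    unreviewed = [c for c in changes if not c.security_reviewed]
    bad_unreviewed = [c for c in unreviewed if c.caused_rework_or_violation]
    return (_ratio(len(changes) - len(unreviewed), len(changes)),
            _ratio(len(bad_unreviewed), len(unreviewed)))


# 3. Mean-Time to Incident Discovery / Recovery
def incident_metrics(incidents):
    """Returns (share found internally, mean hours to discovery, mean hours to recover criticals)."""
    internal = sum(1 for i in incidents if i.discovered_by == "internal")
    discovery = [(i.discovered - i.occurred).total_seconds() / 3600 for i in incidents]
    recovery = [(i.recovered - i.discovered).total_seconds() / 3600
                for i in incidents if i.critical and i.recovered is not None]
    mttd = sum(discovery) / len(discovery) if discovery else 0.0
    mttr = sum(recovery) / len(recovery) if recovery else 0.0
    return _ratio(internal, len(incidents)), mttd, mttr


# 4. Patch Policy Compliance: share of critical patches applied later than policy_days
#    after release; an unapplied patch is a violation once its window has elapsed.
def patch_policy_violation_rate(patches, as_of: date, policy_days: int) -> float:
    critical = [p for p in patches if p.critical]
    violations = 0
    for p in critical:
        deadline = p.released + timedelta(days=policy_days)
        violations += (as_of > deadline) if p.applied is None else (p.applied > deadline)
    return _ratio(violations, len(critical))


# 5. Percentage of Trained Employees
def training_metrics(employees):
    """Returns (share trained, share of UNtrained staff involved in avoidable incidents)."""
    untrained = [e for e in employees if not e.trained]
    involved = [e for e in untrained if e.avoidable_incidents > 0]
    return (_ratio(len(employees) - len(untrained), len(employees)),
            _ratio(len(involved), len(untrained)))


# Constructed sample data for one reporting period (not real assets or incidents).
AS_OF = date(2011, 12, 15)
ASSETS = [Asset("hr-db", date(2011, 11, 1)), Asset("web-portal", date(2011, 7, 15)),
          Asset("file-server", date(2011, 3, 10)), Asset("print-mfp", date(2010, 9, 1)),
          Asset("badge-system", None)]
CHANGES = [Change(f"CHG-{n}", rev, bad) for n, (rev, bad) in enumerate(
    [(True, False)] * 5 + [(False, True), (False, True), (False, False)], start=1)]
INCIDENTS = [
    Incident("INC-1", True, "internal", datetime(2011, 11, 1, 8), datetime(2011, 11, 1, 10), datetime(2011, 11, 2, 10)),
    Incident("INC-2", False, "external", datetime(2011, 11, 5), datetime(2011, 11, 10), datetime(2011, 11, 11)),
    Incident("INC-3", True, "internal", datetime(2011, 11, 20, 12), datetime(2011, 11, 20, 16), datetime(2011, 11, 22, 16)),
    Incident("INC-4", False, "internal", datetime(2011, 12, 1, 9), datetime(2011, 12, 1, 11), None),
]
PATCHES = [Patch("P-1", True, date(2011, 11, 1), date(2011, 11, 10)),
           Patch("P-2", True, date(2011, 11, 1), date(2011, 11, 20)),
           Patch("P-3", True, date(2011, 12, 5), None),
           Patch("P-4", True, date(2011, 10, 1), None),
           Patch("P-5", False, date(2011, 9, 1), None)]
EMPLOYEES = [Employee(n, True, 0) for n in ("ann", "bob", "cy", "dee")] + \
            [Employee("ed", False, 1), Employee("flo", False, 0)]


def metrics_report(as_of: date = AS_OF) -> dict:
    """All five metrics for one period; run monthly and chart the dicts to see the trend."""
    reviewed, unreviewed_bad = change_review_metrics(CHANGES)
    internal, mttd, mttr = incident_metrics(INCIDENTS)
    trained, untrained_involved = training_metrics(EMPLOYEES)
    return {
        "risk_coverage_6m": risk_assessment_coverage(ASSETS, as_of, 6),
        "risk_coverage_12m": risk_assessment_coverage(ASSETS, as_of, 12),
        "changes_reviewed": reviewed,
        "unreviewed_changes_causing_rework": unreviewed_bad,
        "incidents_found_internally": internal,
        "mean_hours_to_discovery": mttd,
        "mean_hours_to_recover_critical": mttr,
        "critical_patch_policy_violations": patch_policy_violation_rate(PATCHES, as_of, 14),
        "employees_trained": trained,
        "untrained_in_avoidable_incidents": untrained_involved,
    }


if __name__ == "__main__":
    for name, value in metrics_report().items():
        print(f"{name:36s} {value:8.2f}")
```

Two design points matter for the CEO conversation. The denominators are chosen so that each number is a share of the population the question names (all assets, only unreviewed changes, only critical patches), which is what keeps the metric comparable from month to month as the population grows. And the recovery time is measured from discovery rather than from occurrence, so that a slow detection and a slow clean-up show up as two separate problems instead of one blended figure.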

(For some other ideas, check out the CIS Consensus Information Security Metrics)

Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.

Get your metrics right, and the next time your CEO asks “how secure am I” you can say: “No worries, mon.”

Security is a Myth

If you own a printer or a smartphone, you’ve probably done some rethinking about a few things over the past week or two. The recent rash of headlines to hit the mainstream media have produced much speculation, misinformation and meetings with Congress, but they have been successful in reaffirming one thing:

Security is a myth.

On the surface, the act of collecting semi-personal information about our calling habits and surreptitiously shipping this data off to mobile phone carriers is bad. At a minimum, having 140 million printers and multifunction scanners and faxes on our networks that are vulnerable to attack is bad.

But the real problems go much deeper.

Consider that our mobile phone carrier told us all about CarrierIQ, but we didn’t care. Yes, it’s right there in the fine print. Very fine. Our End User License Agreement told us that they were going to take our personal information and use it to analyze our usage habits, and then we happily signed the paperwork. We had a chance to say no, but we either didn’t care, didn’t take the time to understand the security implications, or made the decision to trade our personal data for convenience.

We do it every day.

We should also consider that Angry Birds isn’t much different from CarrierIQ, and the information is going to a pretty-much-unknown third party: our names, addresses, possibly even our GPS coordinates, given the appropriate permissions. Yet we happily trade that information for a few minutes of enjoyment.

It’s bad that smartphones are shipping off our personal information, but it’s much worse that we said it’s OK.

And we introduce hardware and software to our work environments in the same manner. Hardware and software that was never designed to be secure. Sophisticated multifunction devices that host web servers and command shells that accept software updates and connections from anyone. These devices are like hacker outposts.

It may be bad that these devices are vulnerable, but it’s much worse that they have access to all of the other assets on our networks.

If you want to know what it’s like to attempt security in today’s world, try jumping into a pool without getting wet. The odds are the same. Everything around us is vulnerable, from our resumes to our Facebook walls, from our mailboxes to our personal interactions. The true saving graces are that there are always less secure entities than you and there are only 24 hours in a day.

Now if this sounds a bit cynical, please don’t misinterpret: I believe that good will always prevail over evil.

We just might get a little wet along the way.
