I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)
- Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use, it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
- If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but done appropriately it can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
- Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
- Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are, that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
- Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
- Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey, chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble, there are experts out there that specialize in dealing with problems.
- Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
- Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
- Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring door bell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
- Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.
It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel that responded to the disaster were prepared.
No one could have anticipated that Upstate New York was to be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations, and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a data breach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, it should be addressed. Again an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly, your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underwater 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.
Cloud computing has become the hot technology du jour. While there may be many contrasting definitions of what cloud computing is, the fact remains that your organization, along with most of the Fortune 500, is likely investigating, implementing or already using some type of cloud-based service. From CRM and payroll to supply chain and collaboration the cloud has made great inroads to corporate America.
And why not?
The advantages of cloud computing are many. Access on-demand, pay-as-you-go, rapid deployment – cloud-based services solve many of the challenges that have fraught IT for decades. For companies that adopted the cloud early, the juice has been worth the squeeze.
But despite this success there has been one area of the cloud where businesses have been hesitant to go – security.
For those things that need to be secured, or for those things that do the securing, many organizations have felt that they should, or could, do a better job. And after all, security is one of those things that you don’t outsource, right?
First, not all cloud security providers are created equal, and not all cloud providers go to the same lengths to protect your assets. Secondly, when there’s an incident at a cloud provider, it tends to be catastrophic. I read a great analogy somewhere comparing cloud security to flying in an airplane – there are very few failures, but when they happen they’re major disasters.
All that being said, there are natural characteristics of cloud and cloud security providers that give them fundamental advantages over on-premises solutions. Here are a few:
- Availability – In most cases, cloud providers have invested in infrastructure far beyond what your organization is willing to develop. In many cases cloud providers are required by law to implement security controls beyond what a client would normally do, due to the nature of their business.
- Isolation – A data breach, malware outbreak or other incident at your organization may have less impact because some of your assets are in the cloud. If your critical data stores all live on different networks, it becomes more difficult for incidents to span multiple repositories, and a local disaster won’t impact assets stored elsewhere.
- Specialization – Cloud security providers generally do one thing – security. You may suggest that your security team is in the same position, but I submit that they also go to meetings, work on projects and get sick once in a while. Your security resources are also most likely spread among many different security disciplines, or worse – spread among security and other IT groups. The right provider will be on 24x7x365 and will be doing one thing all the time.
- Transference – Not all risks are mitigated with hardware and software. A well written contract will give you even stronger controls over your assets than if they remained within your four walls. Ensuring contractual right-to-audit will give you peace of mind.
Whether you’re a fan of cloud computing or not, you probably will be. The early stumblings of SaaS and other similar solutions are giving way to reliable providers with excellent Service Levels. Selecting the right provider still requires due diligence, but looking under the covers won’t be as nasty as it used to be.
And don’t forget that the first Savings Bank didn’t have armed guards or a vault, but it didn’t stop early Americans from putting their money in it. Go forward, and cloud.
Tuesday, July 5th, 2011 will be remembered by many as a day when the United States Justice system failed.
The Casey Anthony verdict, handed down in front of an estimated audience of 130 million television, radio and web viewers shocked a nation. After 33 days of testimony, 400 pieces of evidence and more than 90 witnesses, the State of Florida could not prove beyond a reasonable doubt that Casey Anthony was indeed the perpetrator in the case. The verdict has hit a nerve with many, frustrated with the notion that someone as “guilty” as Casey Anthony could now walk despite a mountain of circumstantial evidence.
In this great land we call America, we are innocent until proven guilty. Those on the wrong side of the law have learned to abuse this right, twisting it until its original intent is no longer recognizable. Like the highly-publicized Casey Anthony case, claimants from businesses of all types find themselves in court attempting to recover losses from malware attacks, reputation assassination and the $250,000 missing from their bank account. Those that find themselves prosecuting – CEOs of banks and credit unions, general managers of fast food chains, Provosts of local colleges and other business leaders – beware. If you plan on recovering financial or legal losses from a security breach or incident, the burden of proof is yours.
Information security can be a dirty job. There have been many occasions where I’ve been called in to help new clients respond to and recover from data breaches and security incidents that they weren’t prepared for. As a security professional, these requests elicit a series of pre-programmed responses:
- Is the incident contained?
- What is the extent of the damage?
- Is the attacker or payload still resident?
- What recovery mechanisms are in place and will they work?
- What legal and regulatory reporting is necessary?
Whether you subscribe to NIST, ISO, ITIL or other standards, there are a number of steps to ensure successful incident handling. As was learned in the Casey Anthony case, none is more important than the proper collection and handling of evidence. The following are a number of recommendations that will keep you from making serious errors when performing any type of forensics activities:
- Have a plan – First, assume that you will experience a security incident. It will happen, I promise you that. That being the case, having a plan is the number one thing you can do to help your business respond to one. Identify the types of incidents that are possible, who will lead the response team and the basic steps you will take to recover. The previously named standards are an excellent resource for process frameworks; there’s no need to reinvent the wheel.
- Use certified professionals – Asking your team to completely, accurately and legally respond to a security incident is like asking the Pakistani Army to capture Osama bin Laden. It will be messy and you won’t get the desired outcome. Enlist professionals to assist with forensics, evidence collection, chain of custody and legal advice. The money spent here will be recovered in the court room.
- Minimize change – Until the professionals arrive, minimize change to the affected environment. Leave the PC, server, room, facility or any other asset exactly as it was following the event, if possible. In certain cases, this may not be possible if said assets are incurring further damage. Evidence preservation and incident containment need to balance.
- Minimize contact – If possible, minimize or eliminate human contact with the environment.
- Document everything – Keep a log of everything that occurs, beginning with the moment the event is first noticed. Take pictures, write logs, do whatever it takes to capture everything.
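To make the last three recommendations concrete, here is a small evidence-handling helper. It is an added example written for this page, not code from the original post or from any standard named above. It freezes an artifact’s identity with a SHA-256 hash the moment it is collected, appends every action taken on it to a chain-of-custody log in which each entry carries the hash of the previous entry (so an edited or deleted line breaks the chain), and re-hashes the artifact later to prove it was not changed while it waited for the professionals. The file names, handler names and the `CustodyLog` class are all hypothetical and constructed for illustration.

```python
"""Evidence collection and chain-of-custody helper (added example, hypothetical)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path):
    """Hash the file in 1 MiB chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry stores the hash of the entry before it, so removing or
    editing any entry makes verify_chain() fail. This does not stop a
    determined insider with write access; it makes accidental or casual
    alteration detectable, which is what a court will ask about.
    """

    GENESIS = "0" * 64  # constructed sentinel for the first entry

    def __init__(self):
        self.entries = []

    def record(self, action, item, handler, digest, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": str(item),
            "handler": handler,      # who touched the evidence
            "sha256": digest,        # hash of the artifact at that moment
            "note": note,
            "prev_entry_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return True only if every entry is intact and correctly linked."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def collect(path, handler, log):
    """Record the artifact's hash at collection time and return it."""
    digest = sha256_of_file(path)
    log.record("collected", path, handler, digest)
    return digest


def check_unchanged(path, expected_digest, handler, log):
    """Re-hash the artifact and log whether it still matches the collection hash."""
    current = sha256_of_file(path)
    ok = current == expected_digest
    log.record("verified" if ok else "MISMATCH", path, handler, current,
               note="" if ok else f"expected {expected_digest}")
    return ok


def demo():
    """Walk through collect -> verify -> (artifact altered) -> verify.

    Uses a constructed temporary file standing in for a seized artifact.
    Returns (first verify result, second verify result, chain intact).
    """
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "workstation-memory.dmp"  # constructed name
        artifact.write_bytes(b"constructed sample evidence bytes")
        log = CustodyLog()
        digest = collect(artifact, "first responder (hypothetical)", log)
        before = check_unchanged(artifact, digest, "forensic analyst (hypothetical)", log)
        artifact.write_bytes(b"constructed sample evidence bytes, but edited")
        after = check_unchanged(artifact, digest, "forensic analyst (hypothetical)", log)
        return before, after, log.verify_chain()


if __name__ == "__main__":
    print(demo())  # expected (True, False, True)
```

The two hashes are doing different jobs: the artifact hash answers “is this the same evidence we collected?”, while the per-entry hash answers “is this the same log we wrote?”. Keeping both, with the handler’s name and a UTC timestamp on every line, is the minimum a forensics professional will want to see when they arrive.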
There are some in the security industry that will tell you that there’s little we can do to avoid being a victim of a security incident. While I believe that there are reasonable mechanisms for protecting your business, realistically speaking most of us will become a statistic. Those that are prepared will respond, recover and go on with business. Those that are not, will not.
By learning a few basic maneuvers, we can avoid becoming the next State of Florida. After all, there’s a difference between “Not Guilty” and “Innocent”.