The US Government is getting ready to pass the Cybersecurity Act of 2012.
In this 205-page bill is legislation mandating that entities deemed “critical infrastructure” meet security standards set by the government, including the Department of Homeland Security. The proposed law “is the product of three years of hearings, consultations, and negotiations,” the intent of which is to secure systems which “if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.”
Like all other compliance mandates, it will fail.
Now let me first say that I am in no way anti-government (except in April), nor would I like our electrical grid, nuclear plants or water distribution facilities left exposed. However, government mandates are unlikely to solve the problem.
- Compliance Mandates are Latent – By definition, compliance regulations are developed and implemented after a threat has been identified. Add to this inherent issue the time it takes for a bureaucrat to understand and measure risk, hire analysts to author a bill and weave it’s perceived benefit into their re-election strategy, we’ve left any potential legislation years behind its need. Compliance is not timely, nor can it be.
- Compliance Mandates are Optional – For compliance requirements to be truly successful, all entities subject to regulations would be complying in some way. Unfortunately this isn’t the case, nor is it realistic. Asking the Government to audit all organizations would require armies of people and even bigger piles of money. Some regulations have introduced self-assessments to ease this burden, which has only led to inconsistency in reporting and implementation. Ever heard of anyone going to jail for HIPAA violations? Compliance is not mandatory, nor can it be.
- Compliance Mandates are Vague – Anyone who has read the HIPAA Administrative Simplification or FFIEC Guidance knows that the Government is good at telling you what to do, but not how. And honestly, they really can’t be. How could such a broad technical standard be developed for so many different organizations? It might feel a little Draconian if the Feds told you exactly what directory services to use for authentication. Add to this challenge differing interpretations, language and changes in technology. Compliance is not prescriptive, nor can it be.
Despite its good intentions, compliance does not bring security. In fact, it may be having the exact opposite effect. In a recent survey, security administrators found themselves spending between 25 and 100 percent of their time on compliance efforts, all while databreaches were increasing at their organizations.
So what’s the answer?
Let’s trade compliance for security. Rather than penalizing those that aren’t in compliance, how about rewarding those that are secure? If we took the billions that the government spends every year on HIPAA, FISMA, SSAE16, FFIEC, SEC, FIPS, DHS, TSA and the thousands of other regulatory bodies, their audits, personnel and other perfunctory functions and instead spent that on real security education for the right people, we’d be far ahead of where we are today.
If they wanted to go the extra mile, Lieberman and Company could help organizations implement metrics to tell how well they were performing against their security programs. If they wanted to get real fancy the Government could subsidize real risk assessments for organizations in “critical infrastructure”. They’d probably still have money left over for tracking terrorist hashtags on social media.
For most of us, compliance is here to stay. The question is – just how far from real security will it diverge?
Just ask TJX, Heartland or Sony.
Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics to address two audiences; 1. You. 2. Your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
(For some other ideas, check out the CIS Consensus Information Security Metrics)
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I” you can say.. “No worries mon.”
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack my require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the morale still rings true. The FBI, along with their foreign counterparts in Estonia were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
Early Christians were an organized bunch.
While other religions were floundering in banal castings of “good” and “evil”, Catholics were taking things to a whole ‘nother level. Although they didn’t become popular until the early 14th century, the 7 Deadly Sins proved to be a useful tool for theologians of the time. With such a variety of vices from which to choose, clergymen could condemn miscreants for anything from excesses to laziness. Who would have guessed that these same labels would have information security applications thousands of years later?
Now, I feel that I should clarify one point. While I did go to Sunday School as a child, I am not a religious individual. In fact, the last time I stepped foot into a church I was there to admire the architecture. My next visit should be along the lines of a bake sale.
All that being said, I too tend to be an organized person and categorizing things helps reduce the chatter in my mind. I also find that the 7 Deadly Sins have a rightful place in information security, as we find so regularly that businesses, practitioners and risk owners commit these “things that His soul detesteth”.
Without further ado:
- Lust – It continues to be proven time and time again that technology does not solve security challenges, yet there are individuals who find that shiny new piece of technology irresistible. It is the people and processes around your hardware and software that will determine how effective they are, regardless of what miracles they claim. It was not the sandals that allowed Jesus to walk on water.
- Gluttony – Some security practitioners and business owners do get it. In fact they get too much of it, and their employees pay the price. Your security controls should match your risks. And although we appreciate the intent of these enthusiastic individuals, please stop. You’re giving us a bad name. Security can be inconvenient for employees even when it’s done well, when it’s overdone it can be downright painful.
- Greed – Businesses will often claim that they can’t afford to spend money on security services. To this I reference the countless statistics demonstrating breached businesses that were unable to recover. The losses caused by cybercrime are increasing at a staggering rate. If you’ve got confirmation from a reliable source that it’s going to rain for forty days and nights, don’t build your Ark out of straw.
- Sloth – Inaction on the surface of a business may in reality be a symptom of other things, including lack of resources, lack of direction or lack of motivation. A healthy dose of awareness and education is typically needed at these organization, followed closely by good leadership. Executives should be setting the security “tone at the top”, and an effective Risk Management process should be defining security priorities. Information security is like religion, it’s a journey not a destination.
- Wrath – To be honest, I couldn’t come up with a good analogy for this one, but I can get a little feisty when Dunkin’ Donuts is out of hot chocolate. I confess.
- Envy – Information security is no place for blind faith. The business across the street may look like yours, but that doesn’t mean you have the same risks. And it doesn’t mean you should be implementing the same security controls. Understanding your own risks is the only proven method for protecting your business. Amen.
- Pride – “We’re well along with our security program, gentlemen.” “We’re audited all the time and we’re compliant.” “We’ve got that security thing under control.” The words of false prophets, these can be the most devious of all. Not only do these individuals deprive their people and organizations of objective assessment, advice and relief, their messages convey a false sense of security. These are the proverbial wolves in sheep’s clothing.
I was baptised at a relatively early age. Rocking a bowl cut and leisure suit, I even made Communion. And then through a little bit of hard work I learned that some assets are sensitive and need special security controls. It didn’t take an act of God.
If you are a business owner, a CFO or a security practitioner, or just know one of these individuals, I encourage you to re-read this list of mortal sins. If necessary, etch them into a stone tablet and carry them to the top of the nearest mountain.
It may just help you avoid the Apocalypse.
As the owner of an information security firm, I am frequently faced with the challenge of figuring out who to deliver our message to. Most security practitioners would respond that security is everyone’s responsibility, and I don’t disagree. However when you’re in the business of marketing security services, and not just implementing, that shotgun mentality will just make a big, messy hole.
Yesterday I overheard my business partner on the phone with a prospect, a Compliance Officer for a large credit union. As my partner’s pitch raised to a crescendo, he was suddenly interrupted, replying “so that’s not your responsibility? So… I should talk to IT?” No matter how successful you are, you’re going to get your share of objections, rejections and denials. But deflections are different, particularly in security. Let me explain.
For a long time, information security was considered an IT problem. Why? Because the solutions – things like firewalls, antivirus software and access control lists – were only available from IT. This system worked for a while because the controls were well matched for the threats. But it created an unfortunate precedent, one that would eventually disarm businesses everywhere.
Fast forward to 2011. Today’s threats don’t look or act the way they did ten, five or even two years ago. And even though today’s threats are still rudimentary in nature, they cleverly outwit traditional security controls by avoiding them altogether. The firewalls and antivirus software that made IT synonymous with security are failing, and it’s causing a new problem – an identity problem. IT is not your security team. But if IT doesn’t do security, who does?
It’s not an easy answer, but if you can find the risk owners, you’re on the right track. Here are some suggestions, in order of greatest liability:
- At the highest level, business owners are responsible for the health and welfare of their employees, clients and businesses, and as such are implicitly accountable for ensuring the security of business assets. Whether it’s awareness training or data protection, the buck stops here. Of course, each business has unique risks, and every security program will, and should look different. Business owners are the primary risk owners.
- Next come asset owners. This is a term borrowed from ITIL and other organizational frameworks that seek to identify the chief decision makers for information and other systems. Asset owners, after business owners, are next in line for risk accountability, because they make decisions about business assets. The Human Resources Manager, the Comptroller, the Director of Development – these are all good examples of asset owners. This could be a large group of individuals, depending on the size of the organization.
- The next in line would come those involved with compliance or audit. After all, it is these individuals that are measuring how well regulatory, statutory, commercial and other legal requirements are being met.
- Last are the employees of the business. Each and every member of the organization has a role on the security team and is a cog in the security machine. It is the responsibility of each individual to understand their role and responsibilities and implement the required behaviors to the best of their ability. Employees are the organization’s biggest, brightest and most capable security control – when they fail, it becomes a major weakness.
So where does that leave IT? As a service provider, your Information Technology team is simply doing what they are asked to do. Whether your security program is strong and mature or non-existent, remember that it wasn’t (or shouldn’t be) IT that made it that way. IT’s job is to provide technology services that meet specific Service Levels to their clients – the departments, end users and asset owners in your business. They’ll be happy to secure your assets, but only after a business leader, asset owner or Compliance Officer has made the critical decision to do so.
So the next time someone calls you and asks if you’d like to talk about information security at your company, you know what to say.