Tag Archive | GreyCastle Security

Force Multipliers and Why You Need Your Own Seal Team 6

The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.

Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.

Imagine what you could get done if you had your own Seal Team 6.

Think it sounds crazy?

On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.

Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.

Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.

And yes, you can have your own.

Here’s what you need:

  1. Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
  2. Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
  3. Train, train, train – Training is the most important of all, and it should incorporate the following:
    1. The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
    2. Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
    3. Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.

Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.

You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.


Tales From the (Unen)Crypt

Yesterday I was waiting in the lobby of one of our larger clients as I had arrived a bit early for a meeting. I was doing something really useful on my BlackBerry to kill time when a thirty-something year-old woman walked in and approached the receptionist. To protect the not-so-innocent, we’ll refer to her as Jane.

What I’m about to tell you is a true story.

Jane: “Hi, I’m here to see [name deleted] but I think I may be in the wrong building.”

Receptionist: “OK, where do you think you’re supposed to be?”

Jane: “Hold on let me call my office and I’ll find out.”

Jane now steps away from the receptionist desk, pulls her mobile phone from her purse and immediately begins dialing her office for information. She reaches someone who appears to be her assistant, given the following conversation. We’ll make some assumptions about the Assistant’s dialogue.

Jane: “Hi [name deleted] can you do me a favor? I need you to access my calendar to see where my meeting is this morning, I think I’m in the wrong building.”

Assistant: “No problem Jane! How do I get access to your calendar?”

Jane: “My password is ‘Password1’ with a capital ‘P’. Yeah I know it sucks.”

Assistant: “OK well I can’t get to your calendar from my PC.”

Jane: “Yeah you can use my PC, I never lock it.”

Cue Quentin Tarantino soundtrack, an ultra-closeup of highly polished men’s dress shoes as they one-by-one, shuffle towards a thirty-something woman in a black suit, the staccato click of their heels shattering the deafening silence now engulfing the steel and glass lobby, cut to a super-tight shot in slow-motion of a GreyCastle Security business card being drawn from inside suit pocket –

“Hey Reg! Sorry I’m late.”

As I’m snapped from that dreamscape carved straight from a Hollywood set, I realize that we can’t save everyone, and not everyone wants to be saved.

I hope Jane made it to her meeting on time. I hope she changed her password when she got back to the office and has started locking her PC. And her phone. I hope the title on her business card doesn’t say Comptroller. I hope Jane doesn’t have to learn the hard way that just a little bit of security can go a long way.

I hope.

What I Would Do if I Was Zappos

The Zappos hack this week made national headlines for a number of reasons.

First, Zappos, a subsidiary of Amazon.com, is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.

Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers were exposed for an estimated 24 million individuals, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.

But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.

Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.

This is what I would do if I were Zappos:

  1. I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
  2. I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leaving the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
  3. I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
  4. I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
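The second item above argues that a breached retailer should be able to reset credentials programmatically, hand each customer a secure way to reclaim the account, and leave dormant accounts disabled rather than trying to contact all of them. The following is an added example of that procedure over a constructed account table; it is not Zappos’ or GreyCastle Security’s code, and the account model, the one-year dormancy cut-off and the 24-hour token lifetime are assumptions. The design point worth noticing is that only a hash of each reset token is stored, so the reset table itself is not a second thing worth stealing.

```python
"""Bulk credential invalidation after a breach, over a constructed account table.
Added example (not Zappos' or GreyCastle Security's code); the account model,
the inactivity cut-off and the token lifetime are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

AS_OF = datetime(2012, 1, 16)            # constructed incident date
INACTIVE_AFTER = timedelta(days=365)     # assumed dormancy cut-off
TOKEN_TTL = timedelta(hours=24)          # assumed reset-link lifetime


@dataclass
class Account:
    email: str
    password_hash: Optional[str]         # None once the old credential is void
    last_login: datetime
    state: str = "active"                # active | reset_pending | disabled_inactive
    reset_token_hash: Optional[str] = None
    reset_expires: Optional[datetime] = None


def _digest(token: str) -> str:
    # Only a hash of the reset token is stored, so a later leak of this table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(account, now):
    token = secrets.token_urlsafe(32)
    account.reset_token_hash = _digest(token)
    account.reset_expires = now + TOKEN_TTL
    account.state = "reset_pending"
    return token


def invalidate_all(accounts):
    """Step 1: void every stored password at once; nobody logs in with the leaked credential."""
    for a in accounts:
        a.password_hash = None
    return accounts


def triage(accounts, now=AS_OF, inactive_after=INACTIVE_AFTER):
    """Step 2: recently active customers get a one-time reset token to be delivered out-of-band;
    dormant accounts are simply disabled until the customer asks for them back.
    Returns {email: plaintext token} for the delivery job."""
    deliveries = {}
    for a in accounts:
        if now - a.last_login > inactive_after:
            a.state = "disabled_inactive"
            continue
        deliveries[a.email] = _issue_token(a, now)
    return deliveries


def reclaim(account, now):
    """A dormant account comes back only by requesting a fresh reset token."""
    if account.state != "disabled_inactive":
        return None
    return _issue_token(account, now)


def redeem(account, token, new_password_hash, now):
    """Step 3: constant-time comparison, enforced expiry, single use."""
    if account.state != "reset_pending" or account.reset_token_hash is None:
        return False
    if now > account.reset_expires:
        return False
    if not hmac.compare_digest(account.reset_token_hash, _digest(token)):
        return False
    account.password_hash = new_password_hash
    account.reset_token_hash = None
    account.reset_expires = None
    account.state = "active"
    return True


def sample_accounts():
    """Constructed data: two recent customers, two that have not logged in for over a year."""
    return [
        Account("ann@example.com", "old-hash-1", datetime(2012, 1, 10)),
        Account("bob@example.com", "old-hash-2", datetime(2011, 12, 1)),
        Account("cy@example.com", "old-hash-3", datetime(2010, 6, 1)),
        Account("dee@example.com", "old-hash-4", datetime(2009, 1, 1)),
    ]


if __name__ == "__main__":
    accounts = invalidate_all(sample_accounts())
    deliveries = triage(accounts)
    for a in accounts:
        print(a.email, a.state, "token queued" if a.email in deliveries else "no mail needed")
```

Run as a script it prints which of the four constructed accounts get a reset token and which are parked as dormant; the delivery of the plaintext tokens (e-mail, SMS, whatever channel the customer already trusts) is left to a separate job that never needs read access to the account table.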

It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.

Maybe Zappos should start selling eyewear.

Life or Death Decisions in Information Security

On Friday an Albany police officer shot and killed a 19-year-old male when a routine traffic stop turned violent.

The suspect and deceased allegedly reached for the loaded .22 caliber handgun that he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.

A public press hearing was held, which quickly became explosive: a chaotic scene with emotions running high.

While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.

There are no absolutes in our business.

One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.

On the street it can get you killed. In the workplace the worst is usually termination of a different sort.

And sometimes it’s hard to know what side you’re on.

Stratfor, Comodo, RSA and HB Gary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were – yet they became victims because they didn’t practice what they preached.

On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.

Friday’s press release in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information, and both sides made assumptions about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.

What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.

There are no absolutes in our business.

Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.

Great security providers will be able to do all of that while taking enemy fire.

Security Resolutions for 2012

When most people think of resolutions for the upcoming year, they think about gym memberships and Nicorette.

We think about advanced malware discovery.

Now to be completely honest, those of us at GreyCastle Security do think about things other than information security. We like Indian food. And a good drum solo. But when it comes to making meaningful changes for 2012, we’re all business.

Without doing a whole lot of bragging, 2011 has been a good year for us. But like any business, you must adapt or suffer the consequences. And in this industry, things change rapidly. Threats, vulnerabilities, budgets – even our clients and prospects.

So as December fades into January, or as we call it – Strategic Planning Season – we’re performing a little field surgery on GreyCastle Security. Some of it is cosmetic. Some of it is orthopedic. All of it will help us be even better in 2012 than we were in 2011.

Here’s a preview:

  1. We’re going to assess our services. Today we offer world-class services that deliver real results. The frameworks and methodologies that we utilize are effective and consistent, hardened and trued over the years by experts with decades of experience. This is our strength. And potentially our weakness. The world is changing, and so is the perception of information security. In 2012 we will develop ways to position and deliver our services that challenge the traditions that we lean on.
  2. We’re going to assess our pricing. Our current pricing is fair and balanced and provides clients with convenient options. But it may not accurately represent the value of the services that we deliver. Over the next few months we will revisit our pricing to ensure that both GreyCastle Security and our clients are experiencing maximum ROI.
  3. We’re going to assess our competition. Today we have no direct competitors. Tomorrow that advantage could vanish. National providers, IT VARs, independent consultants and others all see the opportunity in information security, and they want a piece of the rapidly growing pie. Our lead on these entities is substantial, but we must be strategic in our thinking and tactical in our advances if we are to maintain this lead.
  4. We’re going to assess the enemy. More accurately, enemies, some of which are working for the good guys. In this battle we are being flanked on all sides by hackers, malicious insiders, well-meaning employees, nation states, compliance requirements, security vendors, the government – the list is long. And we will keep our sights trained on the true enemy – risk – and continue to deliver services that effectively reduce risk for our clients.
  5. We’re going to assess our brand. Success requires many skills and attributes, none more important than trust and integrity. We will infuse these characteristics into everything we do. And the world will know we are GreyCastle Security.

We have seen countless predictions of what 2012 will bring; increases in mobile malware, a predilection for the cloud, the rise of targeted attacks and continued security unawareness.

For those who recognize the need for adequate protective measures, these are simply challenges to be met by a solid business plan and security fundamentals.

For the rest of you, may I suggest an updated resume. 🙂

We wish you a healthy and prosperous New Year.

A Blast of Fresh Holiday Security Cheer

The holiday season is a great time of year, one of my favorites. Cookies and mistletoe, decorations and caroling, the festive spirit always brings out the best in people.

I’m kidding about the caroling, but the holidays definitely put me in a good mood. Everything looks brighter, and my attitude is more positive. I generally feel better about life, even if circumstances haven’t changed.

So I suppose it’s no surprise that I’m here to provide each of you with a fresh perspective on your information security headaches. Yes, I’m sure you’ve all had serious problems this year – technical, financial or operational – and you’re expecting more in 2012. But now is a time for reflection. A time for renewal. A time to forget old acquaintance, and auld lang syne.

Consider it my gift to you.

So get yourself a warm cookie and a chilled goblet of your favorite Christmas cheer, and grab a cozy in front of the fireplace while I attempt to make eggnog out of rotten security eggs.

  • You’re only as bad as your last fail – We’re all human, and we all have the same defensive mechanisms. This means that, in general people will only remember your last disaster. So cheer up! The SQL injection flaws you left exposed in April don’t matter anymore, all that matters today is the massive databreach from November. Tomorrow is a new day.
  • The good guys will always be behind – By definition, we will always be in reactive, defensive mode, but that’s OK! If you do the math you realize that they can’t get all of us. Also, we may be losing the race but there are only two runners so we’re guaranteed second place. That’s a silver medal in some contests.
  • There are no guarantees – There is no such thing as 100% secure – so find comfort in that fact. The day I gave up thinking I would ever dunk a basketball was a happy day, I just didn’t know it yet. Mediocrity can be invigorating if given a chance and approached with the right perspective. You’re as likely to secure your enterprise as I am to dunk a basketball. Enjoy.
  • It’s always going to be this bad – Things in the information security Universe are frighteningly bad, but it’s always been this way and it always will be. So relax – there’s no sense killing yourself over something you have little control over. Read a book. Go to lunch. Or even better, get your Law degree and save your career.
  • Everyone else has problems, too – If all of the above attempts to freshen your perspective have failed, rest easy – the bank across the street really has it bad. So does the hospital you go to. And the fast food chain where you had lunch today. Oh and don’t forget about your car dealer, your kids’ college and your church. And every other business within visible range. In fact, you’re probably no worse off than anyone else. So take a deep breath and revel in the fact that everyone sucks at security.

By now you’re probably ready to build a snowman and donate your bonus to charity, so I’ll let you get back to your holiday preparations. Just remember that there’s a bright side to information security and there’s no better time than the holidays to celebrate that fact.

I feel better already.


Information Security – How Much is Enough?

Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?

Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:

  1. How secure am I?
  2. Am I more secure than I was last year?
  3. How much should I be spending on security?

Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.

Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.

Enter security metrics.

Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.

Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.

To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.

The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.

The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.

Here are some metrics to consider:

  1. Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
  2. Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
  3. Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
  4. Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
  5. Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?

The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.

(For some other ideas, check out the CIS Consensus Information Security Metrics)
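To show what trending these five metrics actually involves, here is an added example that computes each of them over a handful of constructed records (a few assets, changes, incidents, patches and employees); it is not GreyCastle Security’s code, every record is made up, and choices such as counting a 30-day month or treating a missing patch as a violation once its deadline has passed are assumptions you would tune to your own policy.

```python
"""The five metrics from the post, computed over constructed sample records.
Added example (not GreyCastle Security's code); every record below is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

AS_OF = datetime(2012, 1, 31)  # constructed reporting date

# --- constructed sample data -------------------------------------------------
ASSETS = {  # asset -> date of last risk assessment (None = never assessed)
    "hr-db": datetime(2011, 11, 2),
    "web-shop": datetime(2011, 3, 15),
    "hq-building": datetime(2010, 9, 1),
    "vpn-gateway": None,
}
CHANGES = [  # (change id, reviewed by security?, caused rework or a violation?)
    ("CHG-1", True, False), ("CHG-2", False, True), ("CHG-3", False, False),
    ("CHG-4", True, False), ("CHG-5", False, True),
]


@dataclass
class Incident:
    occurred: datetime
    discovered: datetime
    discovered_by: str              # "internal" or "third-party"
    critical: bool
    recovered: Optional[datetime]   # None while still open


INCIDENTS = [
    Incident(datetime(2011, 12, 1, 8), datetime(2011, 12, 1, 20), "internal", True, datetime(2011, 12, 3, 8)),
    Incident(datetime(2011, 12, 10, 9), datetime(2012, 1, 4, 9), "third-party", True, datetime(2012, 1, 6, 9)),
    Incident(datetime(2012, 1, 15, 10), datetime(2012, 1, 15, 14), "internal", False, None),
]
PATCHES = [  # (patch id, policy deadline, date applied or None if still missing)
    ("PATCH-1", datetime(2012, 1, 10), datetime(2012, 1, 8)),
    ("PATCH-2", datetime(2012, 1, 12), datetime(2012, 1, 20)),
    ("PATCH-3", datetime(2012, 1, 20), None),
    ("PATCH-4", datetime(2012, 1, 25), datetime(2012, 1, 24)),
]
EMPLOYEES = [  # (name, completed awareness training?, involved in an avoidable incident?)
    ("ann", True, False), ("bob", False, True), ("cy", False, False),
    ("dee", True, False), ("ed", False, True),
]


# --- the five metrics --------------------------------------------------------
def risk_assessment_coverage(assets, as_of, months):
    """Metric 1: share of assets assessed within the last `months` months (assumed 30-day months)."""
    window_start = as_of - timedelta(days=30 * months)
    covered = sum(1 for d in assets.values() if d is not None and d >= window_start)
    return covered / len(assets)


def change_review_metrics(changes):
    """Metric 2: share of changes reviewed, and share of unreviewed changes that caused rework."""
    reviewed = [c for c in changes if c[1]]
    unreviewed = [c for c in changes if not c[1]]
    bad_unreviewed = [c for c in unreviewed if c[2]]
    return {
        "pct_reviewed": len(reviewed) / len(changes),
        "pct_unreviewed_causing_rework": len(bad_unreviewed) / len(unreviewed) if unreviewed else 0.0,
    }


def incident_metrics(incidents):
    """Metric 3: share discovered by us rather than a third party, mean time to discovery in
    hours, and mean time to recover critical incidents (None if none has been recovered yet)."""
    hours = lambda delta: delta.total_seconds() / 3600
    internal = sum(1 for i in incidents if i.discovered_by == "internal")
    recovered_crit = [i for i in incidents if i.critical and i.recovered is not None]
    return {
        "pct_found_internally": internal / len(incidents),
        "mttd_hours": mean([hours(i.discovered - i.occurred) for i in incidents]),
        "critical_mttr_hours": mean([hours(i.recovered - i.discovered) for i in recovered_crit]) if recovered_crit else None,
    }


def patch_policy_violation_rate(patches, as_of):
    """Metric 4: share of critical patches applied after their deadline; a patch still missing
    once its deadline has passed counts as a violation too (assumption)."""
    violations = 0
    for _, deadline, applied in patches:
        effective = applied if applied is not None else as_of
        if effective > deadline:
            violations += 1
    return violations / len(patches)


def training_metrics(employees):
    """Metric 5: share trained, and share of the untrained who were in an avoidable incident."""
    untrained = [e for e in employees if not e[1]]
    return {
        "pct_trained": (len(employees) - len(untrained)) / len(employees),
        "pct_untrained_in_avoidable_incidents": sum(1 for e in untrained if e[2]) / len(untrained) if untrained else 0.0,
    }


def scorecard(as_of=AS_OF):
    """The numbers you would trend month over month, as one dict."""
    return {
        "risk_coverage_6m": risk_assessment_coverage(ASSETS, as_of, 6),
        "risk_coverage_12m": risk_assessment_coverage(ASSETS, as_of, 12),
        **change_review_metrics(CHANGES),
        **incident_metrics(INCIDENTS),
        "patch_violation_rate": patch_policy_violation_rate(PATCHES, as_of),
        **training_metrics(EMPLOYEES),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:40s} {value}")
```

Each function returns a plain number (or a small dict of them), so the same code can be run against last month’s extract and this month’s and the two scorecards compared; it is the comparison, not the single snapshot, that answers “am I more secure than I was last year?”.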

Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.

Get your metrics right and the next time your CEO asks “how secure am I” you can say... “No worries mon.”

Democrats, Republicans and CyberGods

This morning I exercised my true American right. I voted.

For some, voting is a delicate process that involves days of analysis, research and personal preference. For some, just having the ability to vote is more important than the outcome.

For some, however the election is a ruse. A rote, choreographed series of motions undermined by well-scripted television ads, slick marketing campaigns and overstated commitments.

For those who truly understand the global state of information security, it’s something altogether different.

In fact some believe that the new regime has already assumed power. This new guard isn’t a bunch of Harvard-educated attorneys and career politicians. They have no experience in legislative process, and they’ve never run a campaign. They are nameless and faceless. They’re 17 years old. They’re in their mid-thirties. They’re Russian, British and American.

And they control the world.

Using 100 million infected PCs globally, they can shut down power grids and cause financial chaos. Using weaponized software they can destroy intellectual property and control military networks. They own your credit card number and can listen to your mobile phone calls. They are CyberGods, and there are no term limits.

They have assumed control.

The world in which they operate is limited only by their imaginations, and their cyberwar is not bounded by rules of engagement. Their power is growing. Their reach is expanding. Their wealth is multiplying. Their armies have already overthrown nations in Africa and the Middle East. They are so much more than thieves. They are organized. They are evolving.

They are motivated.

On this Election Day, remember that the true ruling party – this legion – was not voted into power by throngs of rabid fans, they were implicitly elected by a movement of ignorance. An ethos of apathy.

Throughout history the people have risen up to unseat their oppressors, but not before tremendous hardship. A body in motion tends to stay in motion, as Newton once said, and geo-political movements have been no exception. Those in power will do their best to stay in power, and the cybercrimelords that are feasting on our negligence will find new, more deceptive ways to maintain their rule.

We have waited too long. Their momentum is too great. This global network of organized cybercriminals will not simply resign. The people will need to rise up. We will need to stand and fight.

It may take bloody revolution.

10 Tips to Avoiding a Ghastly Halloween

It’s Halloween again, and what better time than All Hallows’ Eve to offer safety tips to those brave souls who dare to endure the wicked, wretched and fiendish tricks that await them.

I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)

  1. Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use, it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
  2. If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but done appropriately it can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
  3. Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
  4. Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are, that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
  5. Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
  6. Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey, chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble, there are experts out there that specialize in dealing with problems.
  7. Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
  8. Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
  9. Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring door bell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
  10. Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.

Run for Your Lives

This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.

No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.

Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.

Yours Truly, Muddy and Bloody, but Alive

All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is forever.

So what does all of this have to do with information security?

Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.

The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization who has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure if the money-stealing malware has been eradicated.

Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents and processes for forensics investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.

Hindsight, as they say is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.

If you’re a business without an Incident Response plan, it may be a little more expensive.
