<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
>

<channel>
	<title>The Security Catalyst&#187; Adam Dodge</title>
	<atom:link href="http://www.securitycatalyst.com/author/adamdodge/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>Michael Santarcangelo delivers Awareness that Works™</description>
	<lastBuildDate>Tue, 06 Jul 2010 08:52:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
<!-- podcast_generator="Blubrry PowerPress/1.0.9" mode="advanced" entry="normal" -->
	<itunes:summary>Michael J. Santarcangelo, II is a human catalyst. An expert who speaks on information protection, including compliance, privacy and awareness, Michael energizes and inspires his audiences to change the way they protect information. His passion and approach gets results that change behaviors. 

As the voice of optimism in an industry of doomsayers, Michael has recently completed his first book, Into the Breach (www.intothebreach.com), which provides the wisdom and answers executives need to defend their organization against breaches while discovering how to increase revenue, protect the bottom line and efficiently manage people, information and risk.

In this podcast series, Michael shares ideas, research and strategies for your success. 
</itunes:summary>
	<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
	<itunes:explicit>clean</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/tsc_icon.png" />
	<itunes:owner>
		<itunes:name>Michael Santarcangelo | The Security Catalyst</itunes:name>
		<itunes:email>michael@securitycatalyst.com</itunes:email>
	</itunes:owner>
	<managingEditor>michael@securitycatalyst.com (Michael Santarcangelo | The Security Catalyst)</managingEditor>
	<copyright>Copyright 2009 The Security Catalyst. All Rights Reserved. </copyright>
	<itunes:subtitle>A catalyst for engaging, empowering and enabling individuals; turn insiders into allies who reduce business risk!</itunes:subtitle>
	<itunes:keywords>security, risk, privacy, compliance, breach, awareness, training, catalyst, confidentiality, integrity, availability, cissp, cism, cisa, cpp</itunes:keywords>
	<image>
		<title>The Security Catalyst&#187; Adam Dodge</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
	<itunes:category text="Business">
		<itunes:category text="Management &amp; Marketing" />
	</itunes:category>
	<itunes:category text="Technology" />
	<itunes:category text="Education" />
		<item>
		<title>Another Research Idea Stolen</title>
		<link>http://www.securitycatalyst.com/another-research-idea-stolen/</link>
		<comments>http://www.securitycatalyst.com/another-research-idea-stolen/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 11:47:48 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2125</guid>
		<description><![CDATA[By Adam Dodge Well, it has happened once again. Those folks over at the EDUCAUSE Center for Applied Research (ECAR) have stolen yet another of my research ideas straight from my head before I had a chance to move forward. As always is the case, the result of their mindreading theft is far beyond what [...]]]></description>
			<content:encoded><![CDATA[
<p>By Adam Dodge<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/report.jpg"><img class="alignright size-full wp-image-2126" title="report" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/report.jpg" alt="report" width="248" height="248" /></a></p>
<p>Well, it has happened once again. Those folks over at the <a href="http://www.educause.edu">EDUCAUSE</a> <a href="http://www.educause.edu/ecar">Center for Applied Research</a> (ECAR) have stolen yet another of my research ideas straight from my head before I had a chance to move forward. As always is the case, the result of their mindreading theft is far beyond what I could have accomplished. This most recent case of cranial theft resulted in the <a href="http://www.educause.edu/blog/Lisa+Gesner/ECARPublishesNewOccasionalPape/174332">ECAR occasional paper</a> titled “The Career of the IT Security Officer in Higher Education”. I want to take a moment to issue a big thanks to Marilu Goodyear, Gail Salaway, Mark Nelson, Rodney Peterson and Shannon Portillo for taking the time and effort to author this amazing paper.</p>
<p>The paper itself is a collection of statistical information gathered from survey responses and follow-up interviews with individuals tasked with IT and Information Security within institutions of higher education. The paper looks at three main sets of issues around the IT Security Officer function at colleges and universities. These sets are: “The Position and the Person”, dealing with reporting lines, previous positions held and demographics; “Responsibilities, Skill Sets and Professional Development”, dealing with responsibilities, job announcement analysis and reaching out for advice; and “Authority, Challenges and Program Strategies”, dealing with authority within the institution, common challenges to authority, and security program strategies. While only 53 pages in length, there is too much information in the paper to fully cover here. Instead, I wanted to focus briefly on a few of the more interesting takeaways from each area.</p>
<p><strong>The Position and the Person</strong></p>
<p>One of the most interesting things I found in this section is that only 64.7% of IT Security/Information Security Officers (the two terms are used interchangeably in the paper) still report to CIOs within their organization. On its face this may not be interesting, but the next most common reporting line is the CTO, although granted, only 8.1% responded thusly. Given the inherent conflict that exists between operational IT (“We need this working and working now”) and IT security (“We need to take time to fully vet the system before production”), I find it odd that just under 1 in 10 (1 in 12.5 if you must) ISO/ITSOs still report to the individual responsible for technical operations. While this arrangement can work, it often does not as operational issues tend to take precedence over security concerns.</p>
<p>Another quick takeaway is that the typical ages of ITSOs/ISOs tend to be younger than I would have expected, with almost 19% of respondents ranging between 30 and 34 years old. Additionally, over half of the respondents reported to being in the ISO/ITSO role for three years or less.</p>
<p><strong>Responsibilities, Skill Sets and Professional Development</strong></p>
<p>Personally, I think that the largest potential shock for non-security professionals in the ECAR paper comes when looking at the average areas of responsibilities. Instead of being filled with a long list of highly technical areas, common responsibilities instead focus on management-level activities such as incident management, training/awareness, policy development/administration, risk assessment, regulatory compliance efforts, etc. In fact, when looking at technical security areas such as IAM, access controls, network security/firewall management, etc. the majority of respondents only listed that they had a “support” role. This is indeed an excellent development within the higher education field as it signals a much needed shift in thinking about IT/Information Security away from the “network security” box it has been in for far too long.</p>
<p>Other interesting takeaways include that despite what was said above, technical knowledge/expertise was listed as a critical need skill in 69.5% of the ITSO/ITO job positions wihtin higher education. Also, while only a minority of ISOs/ITSOs (41.8%) report having control over a dedicated security budget, these individuals cited this budget control as a key component in improving security at their institution.</p>
<p><strong>Authority, Challenges and Program Strategies</strong></p>
<p>Another positive trend shown in the ECAR paper is the fact that a vast majority of the respondents indicated that they have been vested with the authority necessary to perform their jobs. In fact, over 78% of the individuals surveyed responded they had the authority necessary to enforce policies and ensure policy compliance, monitor networks and systems, and authorize the removal of equipment and access rights if necessary. Hopefully, this marks the end of the dreaded cheerleader ITSO/ISO who has been given all the responsibilities for IT/Information Security but none of the requisite authority, and thus is doomed to wander the ivy halls of academia impotently shaking fingers at problems, and hoping against hope that this time the problem will be addressed.</p>
<p>A few more takeaways of note from this section include the fact that while faculty are the most common group on campus to challenge ISO/ITSO authority, such challenges only occur occasionally. Even better is that the single most common method deployed by ITSOs/ISOs when challenged is not pulling rank or blustering about, but is instead rational and reasonable discourse to explain the reasons behind the request.</p>
<p>Fortunately for everyone without an ECAR membership (myself included), this occasional paper has been released to the public. I urge everyone to take a short Internet trip to the ECAR site and give the full paper a read-through.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/another-research-idea-stolen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Letting the Horse Catch Up to the Cart</title>
		<link>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/</link>
		<comments>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 11:00:01 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[continuing education]]></category>
		<category><![CDATA[EDUCAUSE]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1803</guid>
		<description><![CDATA[By Adam Dodge I recently returned from yet another amazing time at the EDUCAUSE Security Professionals Conference. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/horse.jpg"><img class="alignright size-medium wp-image-1805" title="horse" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/horse-300x221.jpg" alt="horse" width="300" height="221" /></a>By Adam Dodge</p>
<p>I recently returned from yet another amazing time at the <a href="http://net.educause.edu/sec09">EDUCAUSE Security Professionals Conference</a>. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one of my favorite events. Not only does the SPC boast outstanding presentations, but the hallway conversations, informal roundtable discussions during meals, and Birds of a Feather gatherings offer unparalleled opportunities to meet other security professionals in higher education and learn new, unique ways to address issues. I strongly urge all security professionals in higher education to beg, argue or barter for the funds needed to attend this yearly gathering.</p>
<p>The conference lineup this year was interesting. While there were the usual technically-focused talks, the majority of the talks did not center on specific technical topics. Instead, much of the conference was focused on building and maintaining a strategic information security program within higher education. There were sessions on building risk management programs, using frameworks to build information security policies and programs, creating standardized and measurable procedures, and even talks on how to leverage internal resources such as internal audits to help improve security posture.</p>
<p>Like many industries, information security grew up out of the IT departments at most colleges and universities. Unfortunately, many educational institutions still equate “network security” with “information security”, and information security is often still viewed as a technical issue. However, the presentations at this year’s conference clearly indicate that the viewpoint on information security is quickly changing at colleges and universities.</p>
<p>This shift in how information security is viewed within higher education speaks to the maturation of information security programs at many colleges and universities. Thankfully, the industry seems to be moving away from the misguided view that all institutions need is one staff member &#8220;doing security” to be secure. This type of growth and maturity of information security programs within higher education is a great sign that perhaps I will soon have nothing to report on Education Security Incidents.</p>
<p>Here, in no particular order, are the top three presentations out of the sessions I was able to attend. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS07">An Auditor’s Perspective on Frameworks for Information System Security in Higher Education</a>” by Erwin Carrow and Brian Markham was useful in teaching me that internal auditors can, in fact, be your friends. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS18">Using the EnCase Field Intelligence Model in Assisting with Forensic Examinations</a>” by Yu Chang, Tammy Clark, and William Monahan was useful in showing how Georgia State University handles requests for forensic investigation. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS39">Mapping the Shifting Landscape</a>” by Phillip Deneault and Brian Smith-Sweeney was useful in providing excellent quotes such as “Ready-Fire-Aim” and Brian’s poorly rendered yet still amazing image on the drivers and functions of an information security program.</p>
<p>Congratulations and thanks are in order for this year’s SPC program committee. These folks did an outstanding job.</p>
<p>Image used with permission from FreeDigitalPhotos.net</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Request To Salespeople</title>
		<link>http://www.securitycatalyst.com/open-request-to-salespeople/</link>
		<comments>http://www.securitycatalyst.com/open-request-to-salespeople/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 11:00:51 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[salespeople]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1391</guid>
		<description><![CDATA[by Adam Dodge A few months ago, Andy IT Guy (here and here) and Alan Shimel (here and here) engaged in a blog-vs-blog debate on dealing with security product salespersons. Having just returned from a great time at Source Boston, I now find myself dealing with the ever present post-conference sales calls. Instead of rehashing [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNoSpacing"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/money.jpg"><img class="alignright size-medium wp-image-1392" title="money" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/money-300x225.jpg" alt="money" width="300" height="225" /></a></p>
<p><strong>by Adam Dodge</strong></p>
<p class="MsoNoSpacing">A few months ago, Andy IT Guy (<a href="http://www.andyitguy.com/blog/?p=597">here </a>and <a href="http://www.andyitguy.com/blog/?p=598">here</a>) and Alan Shimel (<a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/12/when-the-salesperson-goes-over-your-head-what-hurts-besides-your-ego.html">here</a> and <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/12/salesmen-are-from-mars-security-geeks-are-from-venus.html">here</a>) engaged in a blog-vs-blog debate on dealing with security product salespersons. Having just returned from a great time at Source Boston, I now find myself dealing with the ever present post-conference sales calls. Instead of rehashing the points that Andy and Alan brought up in their posts, I thought I would spend some time listing out a few requests to all sales people reading this post.</p>
<p class="MsoNoSpacing"><strong>Request #1: Don’t approach our relationship as a sparring match</strong></p>
<p class="MsoNoSpacing">Let me start out by saying that I have no problem with salespeople and often welcome the information they provide. However, my time is not always my own at work. I have responsibilities that need to be attended to, meetings to attend and the occasional fire to put out. This means that there are days, and even weeks, when I am in and out of my office all day. If you call and receive my voicemail it is because I am busy, not because I am ducking your calls. Please feel free to leave a message or send me an email about your product. Whichever you choose, just make sure you do not keep calling over and over again without leaving a message. This type of behavior tends to sour my opinion of your company rather quickly.</p>
<p class="MsoNoSpacing"><strong>Request #2: Respect what I tell you at a conference</strong></p>
<p class="MsoNoSpacing">Often at conferences I’ll see a company I am not familiar with or a product that looks interesting. Being a curious fellow, I often stop at these booths to find out more information. However, I am always upfront and honest as to whether or not I feel it would be a good fit in my environment or if there is a budget for this type of product. Please respect this and forward it to your sales staff. I understand that these conference booths exist to help generate sales leads and I respect that. When forwarding my information to your salespeople, do not tell them I am interested in your product unless this is what I have stated. My time is limited (see above) and I find it annoying to have the same conversations with salespeople over the phone as I did in person at the conference.</p>
<p class="MsoNoSpacing"><strong>Request #3: Give me the data and let me decide</strong></p>
<p class="MsoNoSpacing">I understand the desire for salespeople and companies to highlight the major strengths of their products. After all, these strengths are exactly the reason I would want to purchase the product. However, if you are going to provide me with “proof” that your product is superior to the competition, I expect to be provided with the data behind these claims and the context for this data. If you do indeed have the better product, it should not be that hard to provide this information. Do not offer vague statements and unnamed sources and expect me to welcome your product with open arms. After all, if I am going to use my finite resources to purchase your product, I am going to do everything possible to ensure I get the best product possible for the money.</p>
<p class="MsoNoSpacing">At the end of the day, I need security products to help monitor and manage my environment. I rely on salespeople to provide me with information on their products, get me in touch with individuals inside their companies to answer my questions and to keep me up-to-date on new products that might be of use. I understand that you are simply trying to do your job because that is all I am trying to do myself. There is no need for ours to be an adversarial relationship. However, if you choose to approach the relationship as such, I will happily take my business to a competitor if necessary.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/open-request-to-salespeople/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Fail Better</title>
		<link>http://www.securitycatalyst.com/fail-better/</link>
		<comments>http://www.securitycatalyst.com/fail-better/#comments</comments>
		<pubDate>Thu, 05 Mar 2009 15:50:39 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1161</guid>
		<description><![CDATA[By Adam Dodge I have a not-so-secret secret to share with all of you today. I, Adam Dodge, tend to be a tad bit neurotic at times. Nothing very serious, mind you. I just have a tendency to obsess over the things I do. Afraid that I have somehow missed the glaringly obvious or that [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/02/fail.jpg"><img class="alignright size-full wp-image-1276" title="fail" src="http://www.securitycatalyst.com/wp-content/uploads/2009/02/fail.jpg" alt="fail" width="169" height="240" /></a></p>
<p>By Adam Dodge</p>
<p>I have a not-so-secret secret to share with all of you today. I, Adam Dodge, tend to be a tad bit neurotic at times. Nothing very serious, mind you. I just have a tendency to obsess over the things I do. Afraid that I have somehow missed the glaringly obvious or that I have made a stupid mistake, I often read and research and then re-read and re-research. After this I start the process over again. My neurotic tendencies are never more obvious than when I am working on projects that will be shared with others.</p>
<p>For obvious reasons, I want my work product to be the highest quality possible, hence the obsession. I recognize the fact that, alas, I am not a perfect person and thus I will (and do) make mistakes. I jokingly refer to this as my “crushing lack of confidence brought on by being self aware.”  However, whenever this happens something occurs to me.</p>
<p>It is okay for the work that I produce to contain imperfections at first. After all, if “security is a process and not a product”, then it is this ongoing refinement that allows you to overcome these imperfections. I feel the need to constantly remind myself of this fact, and it is one that I think it is important for us all to remember. Allow me to elaborate by explaining a project on which I am currently working.</p>
<p>I am working on creating training materials so that I can deliver annual training mandated by a regulation. Since this will be the first such training, I am faced with the task of creating most of the training from scratch. About halfway through developing the training, a thought struck me. This is some of the worst training material I have ever created!</p>
<p>It is not that there is a problem with the content. It is just that I cannot think of a way to present this information in an interesting or fun way. I am making several mistakes with this presentation: I am reading from slides. I have very little interaction with the audience. I have too many slides with too much information.</p>
<p>I am going to stand in front of a group of people and flash Powerpoint slides at them for 30 minutes. All the while I will be met with a room full of dead eyes staring at the clock waiting for me to be done. Okay, perhaps it will not be quite this bad, but you get the idea.</p>
<p>I have obsessed over this, agonized over how bad it will be until I remembered one little thing. It does not matter. This training will be held annually and it doesn’t have to be perfect out of the gate. I can gradually refine the material over time to address problems that I find, add additional material, and work to make things more interesting. Just because this training starts out bad, doesn’t mean that I have to allow it to continue to be bad in the future.</p>
<p>None of us should allow ourselves to become overwhelmed by the ideals of perfection. Nothing is perfect. Everything changes. Problems only become problems when we fail to do something about them. In the words of Samuel Beckett:</p>
<p>“Ever tried? Ever failed? No matter. Try again. Fail again. Fail better.”</p>
<p>P.S. If you are going to be at <a href="http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions">Source Boston</a>, come see me and <a href="http://www.leune.org/blog/kees/">Dr. Kees Leune</a> give a talk about Information Security in Higher Education!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/fail-better/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Is This Helpful?</title>
		<link>http://www.securitycatalyst.com/is-this-helpful/</link>
		<comments>http://www.securitycatalyst.com/is-this-helpful/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 13:45:23 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cscic]]></category>
		<category><![CDATA[mitre]]></category>
		<category><![CDATA[owasp]]></category>
		<category><![CDATA[procurement]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[sans]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1010</guid>
		<description><![CDATA[By Adam Dodge On January 12, 2009, MITRE and SANS announced the release of the CWE/SANS Top 25 Most Dangerous Programming Errors list. Since the release of this list, there has been a lot of talk over whether or not this latest “Top XX” security list is useful. However, that is not the focus of [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><strong>By Adam Dodge</strong></p>
<p class="MsoNormal"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/02/code_hole.jpg"><img class="alignright size-medium wp-image-1061" title="code_hole" src="http://www.securitycatalyst.com/wp-content/uploads/2009/02/code_hole-300x299.jpg" alt="code_hole" width="300" height="299" /></a>On January 12, 2009, <a href="http://www.mitre.org">MITRE</a> and <a href="http://www.sans.org">SANS</a> announced the release of the <a href="http://cwe.mitre.org/top25/">CWE/SANS Top 25 Most Dangerous Programming Errors</a> list. Since the release of this list, there has been a lot of talk over whether or not this latest “Top XX” security list is useful. However, that is not the focus of this article. Instead, let’s take a look at the action of Will Pelgrin and <a href="http://www.cscic.state.ny.us/">CSCIC</a>.</p>
<p class="MsoNormal">Announced at the same time as the list, CSCIC released “draft language” to help guide <a href="http://www.sans.org/appseccontract/">New York State procurement guidelines</a>* to include provisions for secure code. On the surface, this type of requirement is to be applauded. After all, the goal is to require the development of secure coding and testing practices for all applications purchased by New York State agencies. However, this current draft still leaves several questions in my mind.</p>
<p class="MsoNormal">One of the first problems that comes to mind is that <strong>there is no mention of the increased costs</strong> associated with the tenets of the procurement guidelines. It goes without saying that the new requirements have the very real possibility of adding significant increases to both development times and development costs. After all, activities such as mandatory background checks for developers, development vulnerability and risk assessments, and security control compliance customized per customer demand all have associated costs.</p>
<p class="MsoNormal">Should organizations eschew these secure coding practices in favor of faster products at a lower cost? Of course not, but this draft guideline should not ignore the fact that there will be a cost increase due to the suggested requirements. Interestingly enough, the <a href="https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex">OWASP Secure Software Contract Annex</a>, on which the Application Security Procurement Language document is heavily based, does address this problem. In fact, OWASP encourages that such costs be negotiated as part of the procurement process, not ignored altogether.</p>
<p class="MsoNormal">Beyond actual coding practices, one requirement that the proposed procurement guideline calls for is increased documentation. Generally, more documentation is a great idea, and the documentation called for in the procurement guideline (in large part thanks to the work by OWASP) will allow organizations to fully understand not only the security controls used during the software development process but also the proper security configurations to employ. However, <strong>none of these increased documentation mandates</strong> <strong>require that the purchasing organization actually understand</strong> all of this increased documentation.</p>
<p class="MsoNormal">Of course, such language would not be appropriate in a procurement guideline, but the simple fact is that no amount of documentation will help ensure secure operation of any software application if the individuals running the application do not understand what the documentation specifies. Organizations need to ensure that there are staff resources available internally to interpret the documentation provided by developers, in order to verify that the controls described in the documentation meet organizational requirements.</p>
<p class="MsoNormal">The final section of the procurement guideline is probably one of the biggest problems with the document. The intent behind the language used in the Investigating Security Issues section is clear. After all, if a security incident were to occur due to a problem with the software, then the vendor’s help with investigating the incident would be invaluable. However, the wording used in the actual guideline <strong>simply ensures that very few</strong> <strong>- if any -</strong> <strong>procurement contracts will contain this incident investigation support requirement</strong>.</p>
<p class="MsoNormal">The problem is that the procurement guideline takes its intent from one of the OWASP stipulations, but ignores the importance of the supporting sections of the OWASP Annex. In short, OWASP calls for developer support during incident investigations but allows for the fact that the incident may involve a wholly unique issue outside of either the security requirements or “reasonable” security testing procedures. After all, complete security today does not ensure complete security tomorrow. Any secure coding requirement needs to allow for the fact that there will be unforeseen security incidents no matter how good the security requirements are, and to allow for a good faith negotiation between developer and customer in such cases.</p>
<p class="MsoNormal"><em>*Please note the links to the procurement guideline point to the online SANS mirror and not the PDF document on the CSCIC web site. This was done because the CSCIC PDF does not reference the OWASP Annex.</em></p>
<p class="MsoNormal"><em>Editor: Join additional conversation on this topic in the Security Catalyst Community: <a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1091.0">New York drafts language demanding secure code</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/is-this-helpful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Breach-Stamp Metric</title>
		<link>http://www.securitycatalyst.com/the-breach-stamp-metric/</link>
		<comments>http://www.securitycatalyst.com/the-breach-stamp-metric/#comments</comments>
		<pubDate>Thu, 15 Jan 2009 15:35:16 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=648</guid>
		<description><![CDATA[By Adam Dodge One of the most difficult tasks any information security practitioner faces is clearly communicating the need for information protection in terms of dollars lost. There are many obstacles that one must overcome depending on the culture of their organization, including false sense of security, truthiness, and false proof. The problem, however, is [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/breach_stamp.jpg"><img class="alignright size-medium wp-image-974" title="breach_stamp" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/breach_stamp-300x290.jpg" alt="breach_stamp" width="300" height="290" /></a>One of the most difficult tasks any information security practitioner faces is clearly communicating the need for information protection in terms of dollars lost. There are many obstacles that one must overcome depending on the culture of their organization, including false sense of security, truthiness, and false proof. The problem, however, is that many organizations are unwilling to increase budgets unless there is a clear reason to do so. Therefore, many security professionals are in a position where they have a need for increased budgets (or perhaps even obtaining an initial budget) and yet are at a loss for how to communicate this need in a manner the organization can understand.</p>
<p>Of all of the different methods available, none are more controversial than ROSI, or Return on Security Investment. There has been much talk about the good/bad/ugly of ROSI already, so there is no need to go into it here. If interested in this topic, any search will return a wealth of resources.</p>
<p>Personally, I tend to avoid ROSI in all but a select few circumstances. The problem with ROSI calculations is that often there is not enough information available to accurately calculate the actual return expected. This problem could be overcome in time, since more and more information on incident costs is being calculated, but that is a while off.</p>
<p>I do like to use ROSI when dealing with any security control that allows for automation and the saving of FTE work hours. This type of calculation can go a long way when dealing with management, since it shows a direct reduction of cost to the organization based on a specific purchase. One standard note of caution, however: when using ROSI to compute FTE hours saved, avoid inflating or exaggerating the current FTE hours being spent on the task. Nothing will ruin an ROSI argument faster than unrealistic cost figures.</p>
<p>In fact, cost figures do not have to be false to be unrealistic… at least in the eyes of management. Unless an organization has experienced a major monetary loss due to a security incident, talking to management about the fact that each record lost will cost the organization almost $200 can quickly become unrealistic when dealing with tens of thousands of records. This is a clear case where perception bests reality.</p>
<p>One of my favorite ways to combat the perception vs. reality problem when explaining the costs associated with security problems is to use easy-to-understand concepts and ideas. (This is an idea that I stole… I mean borrowed from Michael Santarcangelo.) The approach I’ve had the best luck with is one I borrowed from Matthew Dalton of Ohio University that I’ve nicknamed the Breach-Stamp metric. The setup is easy: simply look at what the organization, department, group, etc. would pay in postage if it were to suffer a breach.</p>
<p>The beauty of this approach is that it takes something that everyone is familiar with, postage stamps, and shows how even modest breaches can have dramatic financial impact. For example, at $0.41 per stamp, a breach involving 15,000 records equals almost $5,000 in postage stamps for notification letters alone. One great question to ask after explaining this is whether the organization, group, department, etc. has an extra $5,000 available for postage costs. The added bonus of using something as insignificant as postage is that many individuals view postage as a minor inconvenience, and large postage costs can come as a shock that might just help get the point across.</p>
<p>The fact remains that no matter what happens, communicating the cost of not protecting information in dollars lost will likely remain very difficult for most security professionals. However, since such arguments are likely to be the best, if not the only, way to obtain necessary budgets, we all must learn how to communicate such costs in a manner that management can understand.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-breach-stamp-metric/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Breaches Cost Companies Customers</title>
		<link>http://www.securitycatalyst.com/breaches-cost-companies-customers/</link>
		<comments>http://www.securitycatalyst.com/breaches-cost-companies-customers/#comments</comments>
		<pubDate>Mon, 24 Nov 2008 13:36:24 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=589</guid>
		<description><![CDATA[By Adam Dodge There has been a lot of discussion around the value of breach statistics and breach reporting. Personally, I feel that organizations can find a lot of value by monitoring reported breaches. By studying what breaches are being reported, especially within the same industry vertical, organizations can get a feel for how common [...]]]></description>
			<content:encoded><![CDATA[
<p style="0in;">By Adam Dodge</p>
<p style="0in;">There has been a lot of discussion around the value of breach statistics and breach reporting. Personally, I feel that organizations can find a lot of value by monitoring reported breaches. By studying what breaches are being reported, especially within the same industry vertical. Organizations can get a feel for how common breaches are among like institutions. Leadership can gain insight into if the organization&#8217;s current security controls will help protect against commonly occurring breach patterns and discover areas of their current security programs that need improvement. Organizations can even gain a better understanding of what steps are taken by fellow institutions in response to the breach, since these common response  will most likely be expected by customers should the organization itself suffer a breach.</p>
<p style="0in;">However, the one area that breach reporting and most breach statistics fail to cover is what happens to the business after a breach. Questions remain surrounding the long term impact of data breaches on organizations in terms of increased regulatory oversight, loss of consumer confidence and difficulty attracting new business. After all, nothing makes the case for increased security quite as strongly as reductions in the bottom line and increased red tape.</p>
<p style="0in;">Fortunately, two recent studies help shed some light on what exactly happens to consumer confidence in an organization after a data breach. In April, <a title="ID Experts" href="http://www.idexpertscorp.com">ID Experts</a> and the <a title="Ponemon Institute" href="http://www.ponemon.com">Ponemon Institute</a> released a study that looked at <a href="www.idexpertscorp.com/breach/ponemon-study">consumer response to data breach notices</a>. (Please note for this post I am respecting the disclaimer of this study and will only use information available in the press release.) Two months later, <a title="Debix" href="http://www.debix.com">Debix</a> and <a title="Javelin Strategy &amp; Research" href="http://www.javelinstrategy.com/">Javelin Strategy &amp; Research</a> released the results of a <a href="http://www.debix.com/javelin/index.php">consumer survey surrounding data breach notifications</a> in June.</p>
<p style="0in;">The topics and titles are not the only similarities between these two studies. Even though the methodologies cited in the studies were completely different (Pomemon used responses from a survey of 1,795 adult-aged respondents throughout the US while Javelin used an online survey of 400 data breach victims as well as in-depth interviews with two breached institutions) the numbers reported by both are shockingly similar. In fact, they are so similar that even as I write this I have this nagging feeling that somehow these might be the same report.</p>
<p style="0in;">The results of the two reports (one report?!?) show that 55% (Javelin)/57% (Ponemon) of the individuals lost trust in the organization. Even worse, 30% (Javelin)/31% (Ponemon) of individuals notified of a breach terminate their relationship with that organization. Think about that for a second. Roughly 1 out of 2 customers will lose trust in an organization while 1 out of 3 will discontinue business with the organization following a data breach.</p>
<p style="0in;">What do these numbers mean to us? Well, if you are in an organization that relies on continued customer revenue, these numbers mean a lot.</p>
<p style="0in;">These numbers are a great starting point for computing the impact of breaches beyond clean-up and notification costs. Ignoring any security ROI proof-of-impossibility magic, the simple fact that 1 out of 3 individuals ends their relationship following a breach is something that needs to be communicated to business leadership. These reports were not some academic exercise in what may happen. The reports looked at what real people did following breach notifications. <em><strong>Real people leaving real businesses can be a powerful selling point</strong></em> for professionals stressing the importance of security in their organizations.</p>
<p style="0in;">If an organization does suffer a breach, this information is ideal for helping leadership understand what is coming in the long run. Instead of simply running off guesswork, gut feelings and “truthiness”, the organization can<strong> <em>plan for an average reduction in repeat sales and use this information to develop compensating controls</em></strong> for how to cope with the loss. While the likelihood of suffering a loss of exactly 30% is low, it is a starting point to help the business weather the post-breach storm.</p>
<p style="0in;">With consumers quickly becoming aware of the importance of security, organizations have started using security as a selling point. Don&#8217;t believe me? Take a look at the <a href="https://www.bankofamerica.com">Bank of America</a>, <a href="https://www.wellsfargo.com/">Wells Fargo</a> and <a href="http://www.citibank.com">Citibank</a> web sites. See those little locks signifying “secure” access to accounts? Why would these companies bother with this if there were no benefit?</p>
<p style="0in;">The general public is starting to gain an awareness of security in a way that did not exist a few years ago.* What this means is that if organizations start to become secure (real security not security theater), this selling point could be used to <em><strong>draw in those 30% of customers that leave competing organizations</strong></em> following a breach. How&#8217;s that for security enabling business?</p>
<p style="0in;"><em>*This excellent point was actually thought up by David Mortman over a recent dinner with Andy Willingham, Adrian Lane and myself.</em></p>
<p style="0in;">If you haven&#8217;t already, I strongly urge all of you to go read the full ID Experts/Ponemon and Debix/Javelin reports. Each report is full of great information that I didn&#8217;t touch on here, such as whether customers find breach notifications helpful, what customers expect in terms of fraud protection and how soon customers expect to be notified following a breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/breaches-cost-companies-customers/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Vacuums and Security</title>
		<link>http://www.securitycatalyst.com/vacuums-and-security/</link>
		<comments>http://www.securitycatalyst.com/vacuums-and-security/#comments</comments>
		<pubDate>Fri, 17 Oct 2008 10:52:48 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vacuum]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=569</guid>
		<description><![CDATA[By Adam Dodge This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.</p>
<p>That&#8217;s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of &#8211; let&#8217;s call it crud &#8211; that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.</p>
<p>So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called &#8220;I&#8217;ve been doing it this way for X years&#8221;. (This wall is also known as &#8220;Other organizations are doing it this way&#8221;.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.</p>
<p>One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to <strong>improve security by implementing solutions that offer minimal differences</strong> in all aspects. In other words, replace the broken vacuum with a new one, not a mop.</p>
<p>However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet more cumbersome, control<strong> will only lead to frustration and avoidance of the new control</strong>.</p>
<p>Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white haired cat plus upholstery equals a chore!) However, other attachments, such as the &#8220;electro-static duster&#8221;, are not so useful.</p>
<p>The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that, optional. While these geegaws may add value, <strong>the main focus of the control needs to be the basic functionality of the control</strong>.</p>
<p>So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated or non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/vacuums-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Reports (a perspective)&#8230;</title>
		<link>http://www.securitycatalyst.com/on-reports-a-perspective/</link>
		<comments>http://www.securitycatalyst.com/on-reports-a-perspective/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 21:22:20 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[breach]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=454</guid>
		<description><![CDATA[By Adam Dodge Lately, there has been a flurry of activity in the land of security breach reports with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>Lately, there has been a flurry of activity in the land of security breach reports, with organizations such as <a href="http://www.debix.com/research/index.php">Debix</a>, <a href="http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/">Verizon</a>, the <a href="http://www.idtheftcenter.org/artman2/publish/m_press/Identity_Theft_The_Aftermath_2007.shtml">Identity Theft Resource Center</a> and the <a href="http://www.cybercrime.gov/DataBreachesArticle.pdf">Department of Justice</a> all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through <a href="http://www.adamdodge.com/esi">Educational Security Incidents</a>, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics, and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support.</p>
<p>Before we go any further, yes I do develop a similar <a href="http://www.adamdodge.com/esi/yir">report</a> each year and <strong>yes</strong> my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and <em>this</em></p>
<p>What do I mean by &#8220;misinterpretation&#8221;? Well, a common problem with the statistics provided in these reports (remember, I&#8217;m including my own report as well) is that the numbers are based on a sample set, and the ability to apply these numbers more broadly depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer, so allow me to explain further.</p>
<p>The <a href="http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/">Verizon</a> report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven&#8217;t read it, go do so now. Seriously, stop reading this and go read the report. It is that good.</p>
<p>However, the report is based around 500 forensic investigations performed by Verizon&#8217;s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon analyzed for this report were not randomly chosen from all breaches that occurred. Instead, the information was mined from the investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for this survey.</p>
<p>Most companies are not going to spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches of data such as information left in public, information accidentally placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented as well, since these entities lack the funding that larger, for-profit organizations have at their disposal.</p>
<p>What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no good way around this problem yet. Everyone that I talk to who is involved with tracking breaches has the same complaint: there is no centralized reporting of breaches in the United States, and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and levels of public access to breach information.</p>
<p>So am I suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of this is that each and every one of us (including the media) needs to make sure that we are interpreting the data in these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1, or before we discontinue our security awareness and training programs because the Verizon report says that 73% of all breaches came from external sources.</p>
<p>How can these reports be so different and yet both be correct? Simple: look to the samples used to compile them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/on-reports-a-perspective/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Breach vs. Incident: Semantics or Something More?</title>
		<link>http://www.securitycatalyst.com/breach-vs-incident-semantics-or-something-more/</link>
		<comments>http://www.securitycatalyst.com/breach-vs-incident-semantics-or-something-more/#comments</comments>
		<pubDate>Wed, 11 Jul 2007 07:22:54 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/07/11/breach-vs-incident-semantics-or-something-more/</guid>
		<description><![CDATA[By Adam Dodge Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing names, address and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member and there does not appear [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">By Adam Dodge</p>
<p class="MsoNormal">Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing names, addresses and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member and it does not appear that any unauthorized individuals had access to staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.</p>
<p class="MsoNormal">In an <a href="http://www.themonitor.com/news/information_3070___article.html/university_thursday.html">article</a> over at <a href="http://www.themonitor.com/">The Monitor</a>, UTPA Vice President for Business Affairs James Langabeer stressed that the loss of this external hard drive was only an &#8220;incident&#8221; and did not constitute a &#8220;breach&#8221; by an outside individual. According to Langabeer, “It is an incident, it’s not a breach. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident.”</p>
<p class="MsoNormal">What I find so fascinating about this statement is the distinction drawn between incident and breach, and the implication that an &#8220;incident&#8221; should not be viewed in the same light as a &#8220;breach&#8221;. So I started thinking: is this distinction merely a semantic issue, or is there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the differences between these words, should they be used as interchangeably as they are in the Information Security arena?</p>
<p class="MsoNormal">I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between a breach and an incident, I do not agree with the portrayal of each as separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, an incident. This means that any breach of information systems, getting past security controls, is in fact an incident.</p>
<p class="MsoNormal">One thing that we absolutely need to make clear as security professionals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a <a href="http://www.securitycatalyst.com/2006/12/18/stop-thinking-hacker-start-thinking-insider/">few</a> <a href="http://www.securitycatalyst.com/2007/05/09/note-to-universities-web-sites-providing-a-security-breach-playground/">times</a> about the insider threat faced by organizations. Studies have continued to prove that internal employees cause a large majority of information security incidents. Yet, organizations still attempt to pass off employee misconduct as a lesser offense when in fact these are the very employees who both know where the information is and have direct access to it.</p>
<p class="MsoNormal">However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent similar occurrences in the future.</p>
<p class="MsoNormal">Unfortunately, it seems that <a href="http://toledoblade.com/apps/pbcs.dll/article?AID=/20070627/NEWS08/70627020">more</a> organizations are beginning to make this distinction in press releases surrounding security incidents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/breach-vs-incident-semantics-or-something-more/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Stop Telling Me There Is No Evidence of Identity Theft</title>
		<link>http://www.securitycatalyst.com/stop-telling-me-there-is-no-evidence-of-identity-theft/</link>
		<comments>http://www.securitycatalyst.com/stop-telling-me-there-is-no-evidence-of-identity-theft/#comments</comments>
		<pubDate>Thu, 24 May 2007 19:43:48 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=338</guid>
		<description><![CDATA[By Adam Dodge I would like to issue this public statement to any company that already has or will in the future expose my personal information: “Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!” It is ridiculous [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><em>By Adam Dodge</em></p>
<p class="MsoNormal">I would like to issue this public statement to any company that already has or will in the future expose my personal information:</p>
<p class="MsoNormal">“Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!”</p>
<p class="MsoNormal">It is ridiculous that any organization would think that individuals would find comfort in announcing this fact. Of course there has been no evidence of ID Theft. Affected individuals had no reason to check for ID Theft before the incident. Simple, rational logic tells all of us that we will never find what we do not know to look for.</p>
<p class="MsoNormal">In addition, the danger of ID Theft persists for affected individuals long after the initial breach. Once records are exposed, there is no way possible to control the use of these records by the individual(s) that obtained them. Couple this with the fact that much of the personal information tied to ID Theft is information that does not change during the lifetime of an individual and the real danger of such exposures becomes evident. After all, there is very little value in telling anyone that there is no evidence of Social Security number misuse after only a short period of time when that same individual will most likely have that same SSN the rest of their life.</p>
<p class="MsoNormal">If companies really want to reach out to users and make amends after a breach, here are a few suggestions:</p>
<p class="MsoNormal"><strong><em>Admit responsibility for the incident and offer to pay for credit monitoring</em></strong></p>
<p class="MsoNormal">When an information security incident occurs and customer information is exposed, the company is no longer the victim of this crime, the customers are. While this may not seem fair to the company, tough. Customers trust companies with their personal information in return for a service. When this same information is exposed to unauthorized individuals, companies invalidate this trust. Offering credit monitoring is a way for a company to help rebuild trust with customers. The good news here is that studies have shown only a small number of affected individuals ever take companies up on the offer of free credit monitoring so credit monitoring also becomes an inexpensive way to gain positive PR after a breach.</p>
<p class="MsoNormal"><strong><em>Do not use an employee as a straw man for why the breach occurred</em></strong></p>
<p class="MsoNormal">It is somewhat disturbing when a company or organization is willing to throw an employee to the wolves as the sole individual responsible for a security breach. Not only does this show that the company places little value on its employees but also as a consumer, I simply do not buy this excuse. When a company places blame on employee “misconduct” the first thought that I have is not “Wow, what a bad employee.” Instead, my first thought is “Wow, I cannot believe that Company ABC has no internal controls that would have caught this employee misconduct before the breach.” After all, if the employee was truly acting against company policy, there is no reason to think that the company would not have caught this through internal control procedures.</p>
<p class="MsoNormal"><strong><em>Wait at least one month before telling customers there is no evidence of misuse</em></strong></p>
<p class="MsoNormal">If companies truly wish to inform customers that there is no evidence of identity theft or misuse of customer information, they should wait at least one month after announcing the breach. While immediate proclamations of “No Identity Theft” send my rage-o-meter flying, I have no problem with such announcements per se. By waiting, watching and continually following up with affected customers, a company proves that it has a commitment to its customers and, when coupled with free credit monitoring, a commitment to helping its customers deal with the effects of the breach. In other words, there is great value in following up with customers to ensure no identity information is being misused, as long as companies wait for customers to check for signs of misuse first.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/stop-telling-me-there-is-no-evidence-of-identity-theft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Note to Universities: Web Sites Providing A Security Breach Playground</title>
		<link>http://www.securitycatalyst.com/note-to-universities-web-sites-providing-a-security-breach-playground/</link>
		<comments>http://www.securitycatalyst.com/note-to-universities-web-sites-providing-a-security-breach-playground/#comments</comments>
		<pubDate>Wed, 09 May 2007 14:22:05 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=332</guid>
		<description><![CDATA[By Adam Dodge While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information [...]]]></description>
			<content:encoded><![CDATA[
<p><i>By Adam Dodge</i></p>
<p>While I was compiling the <a href="http://www.adamdodge.com/esi/yir_2006">Educational Security Incidents (ESI) Year in Review – 2006</a>, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on <a href="http://www.adamdodge.com/esi/">ESI</a> is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level. </p>
<p>Looking back then at the 2006 incidents, these 20 incidents exposed about 232,000 records, or roughly 8.6% of all information exposed by colleges and universities last year. However, these 20 incidents account for about 25% of the total number of reported incidents. Since Unauthorized Disclosure incidents correspond to mistakes, we have one quarter of all incidents reported being caused not by external attackers, malicious users or even a run-of-the-mill thieves but by simple, preventable mistakes.</p>
<p>As I begin to look over the incidents reported in 2007, I unfortunately see the same trend emerging. Of the 47 incidents thus far, 16 incidents, or 34% of all incidents reported, have been Unauthorized Disclosures. An added twist this year is that 69% of these Unauthorized Disclosures (11 of the 16 incidents) occurred when private and/or personal information was placed on publicly accessible Web sites. Worse still, some of these incidents span years of unauthorized disclosure. For example:</p>
<ul>
<li><a href="http://www.adamdodge.com/esi/ccsf_student_information_publically_available_on_web_site_for_seven_years">City College of San Francisco</a> had student information available to anyone on the Internet for seven years</li>
<li><a href="http://www.adamdodge.com/esi/unl_student_faculty_staff_social_security_number_lefts_online_for_2_years">University of Nebraska-Lincoln</a> had student and faculty information on a public Web page for two years</li>
<li><a href="http://www.adamdodge.com/esi/upmc_patient_information_placed_on_web_removed_and_placed_on_web_again">University of Pittsburgh’s Medical Center</a> found a presentation containing patient information online in 2005 and removed it, only to have the same presentation show up again earlier this month.</li>
</ul>
<p>As an individual working in Higher Education, I find this to be an alarming trend. We see incidents caused by external attackers, such as the Ohio University fiasco or the UCLA database breach, as wakeup calls for action. Cries are raised to “Tighten security controls” and “Watch for those evil hackers”, but we are overlooking the damage we are doing to ourselves. While it is extremely difficult to find a “one size fits all” solution to Information Security, there are some general steps each institution can take to help reduce the risk of accidentally exposing student, faculty and/or staff information on a Web site.</p>
<p><b><i>Remove all personal information that is not needed</i></b><br />
Okay, this one might seem a bit obvious, but it will significantly help to reduce the impact of information accidentally placed on public Web sites. Even internally, there are many instances where personal information (for example, Social Security numbers used as a unique ID) remains attached to a file simply because it is part of the record used to generate the file. Many (alright, most) times this level of detail is not needed and is simply left attached because that was the way the file was generated. Removing this information, or better yet replacing it with an internal unique ID, will help to limit the impact should such information make its way to the Web.</p>
<p><b><i>Stop using the web as a “temporary” file transfer medium</i></b><br />
At one time or another most of us have been guilty of doing this. After all, there is a temptation to utilize Web space to transfer files. It is easy, requires few steps and is something with which we are all intimately familiar. However, too often such information is not removed from this “temporary” holding space and thus becomes a “permanent” addition to the organization’s Web site. Worse yet, if this information becomes part of an Internet cache (e.g. <a href="http://www.google.com/help/features.html#cached">Google Cache</a> or the <a href="http://www.archive.org/web/web.php">Wayback Machine</a>), such information will remain on the Internet long after the original file is removed.</p>
<p><b><i>Periodically check the organization’s Web site for such information</i></b><br />
Despite all efforts, there is a very good chance that personal information will end up, at some point in the future, on a public Web site. The reason for this is simple. Mistakes happen. After all, “to err is human”. Therefore, it is important that each institution begin scanning its Web sites for information such as Social Security and credit card numbers. The good news is that, since this information follows a standard format, scanning should not be all that difficult. In fact, there have been some good discussions of scanning for such information on the <a href="http://lists.sans.org/pipermail/unisog/2006-May/026396.html">UNISOG</a> and <a href="http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0509&#038;L=security&#038;T=0&#038;F=&#038;S=&#038;P=7286">Educause</a> mailing lists. The difficulty with scanning is determining how often such scans should occur. In the end, this discussion comes down to what the institution feels is acceptable. If the institution has no problem with such information residing on the Web for a year, then annual scans will do. If a year is too long, then perhaps quarterly or monthly scans are in order.</p>
<p>In the end, we all need to be aware that simple employee errors cause a surprisingly large number of security breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/note-to-universities-web-sites-providing-a-security-breach-playground/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Compliance as a goal is a recipe for failure</title>
		<link>http://www.securitycatalyst.com/compliance-as-a-goal-is-a-recipe-for-failure/</link>
		<comments>http://www.securitycatalyst.com/compliance-as-a-goal-is-a-recipe-for-failure/#comments</comments>
		<pubDate>Mon, 09 Apr 2007 12:53:06 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=320</guid>
		<description><![CDATA[By Adam Dodge Did the title of this article surprise you? Given the ever-growing list of Federal and State regulations pertaining to the protection of information, this surprise is understandable. After all, at the very least any information security program should meet regulatory compliance goals for an organization. However, there are a few hidden dangers [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>Did the title of this article surprise you? Given the ever-growing list of Federal and State regulations pertaining to the protection of information, this surprise is understandable. After all, at the very least any information security program should meet regulatory compliance goals for an organization. However, there are a few hidden dangers with this line of thought.</p>
<p>As I mentioned above, the list of Federal and State regulations continues to grow, sometimes overnight (or at least that is how it seems). I do not think that it would be too irresponsible or crazy for me to suggest this growth will continue into the future. Federal Breach Notification Law, anyone? Given this growth, pushing compliance as a goal seems to make a good bit of sense since it ensures continued support for the information assurance/security/protection program.</p>
<p>If we step back for a second and take a critical look at what continued growth means for compliance as a goal, we can see there is a problem. How many times can we go running to our organizations with dire warnings of new or upcoming regulations before they simply start to ignore us? If you answered “not that many”, I agree. If (or should I say when) the new or upcoming regulation forces the organization to change established procedures, it further compounds the problem.</p>
<p>This is the same problem faced by <a target="_blank" href="http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf">the boy who cried wolf</a>. Whether we are crying out “Wolf! Wolf!” or “SOX! GLBA! FISMA!”, after a while our tired shouts will be ignored. Many security professionals have already begun to run into this problem with HIPAA. At first, it was a powerful tool to enact change. Now it seems HIPAA has lost some of its power.</p>
<p>In addition, if we continue to push compliance as the goal, then the very best we will ever achieve is compliance. That is all. When we attempt to push for a control not required by current regulations, there is a very good chance we will fail to achieve support because the organization currently meets all regulatory goals. This problem becomes more significant when regulations lag behind the current threat landscape (as is inevitable).</p>
<p>Of course, I am not suggesting that we simply ignore Federal or State regulations. Instead, here is what I suggest:</p>
<ol>
<li>Use regulations as a template, a baseline for the minimum controls for your organization’s information security program.</li>
<li>Spend some time researching frameworks to help map out additional controls and features. <a target="_blank" href="http://csrc.nist.gov/">NIST</a>, <a target="_blank" href="http://www.iso.org/iso/en/CatalogueListPage.CatalogueList?COMMID=143&#038;scopelist=">ISO</a>, and <a target="_blank" href="http://www.securityforum.org/">ISF</a> are good places to start.</li>
<li>Above all else, the goal of the information security program needs to be the protection of information and not regulatory compliance.</li>
</ol>
<p>Seeking information security through compliance is a recipe for failure. The good news is that the reverse is not true. A well-designed information security program will help any organization meet compliance goals while understanding that the protection of information is the ultimate goal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/compliance-as-a-goal-is-a-recipe-for-failure/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>At The Top of Their Game and Making a Difference</title>
		<link>http://www.securitycatalyst.com/at-the-top-of-their-game-and-making-a-difference/</link>
		<comments>http://www.securitycatalyst.com/at-the-top-of-their-game-and-making-a-difference/#comments</comments>
		<pubDate>Thu, 15 Mar 2007 15:00:35 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=295</guid>
		<description><![CDATA[Good Thursday Everyone! I just wanted to send up this quick post about Mr. Michael Santarcangelo, The Bald Security Expert himself (#15), and fellow Security Catalyst writer Ron Woerner (tied at #21), appearing on IT Security&#8217;s Top 59 Influencers in IT Security. Congrats Santa and Ron! Other individuals on this list include: Alan Shimel, Dr. Anton [...]]]></description>
			<content:encoded><![CDATA[
<p>Good Thursday Everyone!</p>
<p>I just wanted to send up this quick post about Mr. Michael Santarcangelo, The Bald Security Expert himself (#15), and fellow Security Catalyst writer Ron Woerner (tied at #21), appearing on <a href="http://www.itsecurity.com/">IT Security&#8217;s</a> <a href="http://www.itsecurity.com/features/top-59-influencers-itsecurity-031407/">Top 59 Influencers in IT Security</a>.</p>
<p>Congrats Santa and Ron!</p>
<p>Other individuals on this list include: <a href="http://www.stillsecureafteralltheseyears.com/">Alan Shimel</a>, <a href="http://chuvakin.blogspot.com/">Dr. Anton Chuvakin</a>, <a href="http://securityincite.com/">Mike Rothman</a>, <a href="http://theconvergingnetwork.com/">Mitchell Ashley</a>, <a href="http://andyitguy.blogspot.com/">Andy Willingham</a>, <a href="http://www.mckeay.net/">Martin McKeay</a>, <a href="http://www.realtime-itcompliance.com/index.html">Rebecca Herold</a>, <a href="http://securityplace.blogspot.com/">Michael Farnum</a>, <a href="http://www.episteme.ca/">Mike Murray</a>, <a href="http://www.cutawaysecurity.com/">Cutaway</a>, <a href="http://riskanalysis.riskmanagementinsight.com/">Alex Hutton</a>, <a href="http://infosecpodcast.com/">Chris Harrington</a>, <a href="http://devcentral.f5.com/weblogs/macvittie/">Lori MacVittie</a>, and <a href="http://www.crossbeamsystems.com/company_management.asp#hoff">Christopher Hoff</a>.</p>
<p>What do all of these individuals have in common besides the fact that they have my undying admiration? They are all active members of the <a href="http://community.securitycatalyst.com">Security Catalyst Community</a>! So if you are like me and swoon over the thought of basking in the unequaled excellence these individuals possess, head on over to the <a href="http://community.securitycatalyst.com/forums">SCC Forums</a> and sign up for an account!</p>
<p>In all seriousness, I want to wish everyone on the Top 59 Influencers in IT Security my most sincere congratulations. Each one of you is out there making the field a better place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/at-the-top-of-their-game-and-making-a-difference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Friday Fast Fact: Communicating Effectively</title>
		<link>http://www.securitycatalyst.com/security-friday-fast-fact-communicating-effectively/</link>
		<comments>http://www.securitycatalyst.com/security-friday-fast-fact-communicating-effectively/#comments</comments>
		<pubDate>Fri, 02 Feb 2007 11:37:17 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=246</guid>
		<description><![CDATA[By Adam Dodge A large part of almost any information security job is communicating ideas, concepts and thoughts to other people. These professionals can find themselves making the case to change a company policy, writing a management report of weekly activities, or training staff on various information security topics. Therefore, security professionals must be adept [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>A large part of almost any information security job is communicating ideas, concepts and thoughts to other people. These professionals can find themselves making the case to change a company policy, writing a management report of weekly activities, or training staff on various information security topics. Therefore, security professionals must be adept at effectively communicating (written, verbal or otherwise) to individuals with varying degrees of knowledge and interest in the subject.</p>
<p>While each of us develops our own personal communications style, here are a few tips to think on this weekend that might help you become a better communicator:</p>
<ol>
<li>Keep it short – People in your company are busy and they are not being paid to listen to you talk. You will have a much easier time reaching people if you limit yourself to keeping the message as short as possible. (P.S. This is the reasoning behind creating an Executive Summary and the “30-sec elevator pitch.”)</li>
<li>Keep it simple – Unless you are addressing other security professionals, nobody is going to pay attention to an in-depth analysis of the topic. Just highlight the important parts that help you prove your point.</li>
<li>Keep it on point – Nothing causes people to tune out faster than someone who just rambles on and on ad nauseam. Have a list of topics you want to cover and stick with it. After all, you are trying to get a point across, not sitting with your friends at the corner bar.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/security-friday-fast-fact-communicating-effectively/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five Steps To Avoiding Compliance</title>
		<link>http://www.securitycatalyst.com/five-steps-to-avoiding-compliance/</link>
		<comments>http://www.securitycatalyst.com/five-steps-to-avoiding-compliance/#comments</comments>
		<pubDate>Thu, 01 Feb 2007 11:09:58 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=245</guid>
		<description><![CDATA[By Adam Dodge Let's face it. Regulations place a large burden on companies. Nowhere is this truer than with Information Security. Many of the Information Security regulations (HIPAA, GLB, SOX, etc) passed in the last few years place heavy burdens on companies by requiring the creation of new Info Sec projects and programs, if not [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>Let's face it. Regulations place a large burden on companies. Nowhere is this truer than with Information Security. Many of the Information Security regulations (HIPAA, GLB, SOX, etc) passed in the last few years place heavy burdens on companies by requiring the creation of new Info Sec projects and programs, if not entire departments. Worse, many companies have found themselves lacking staff with the appropriate skills and/or knowledge to effectively create and run such programs.</p>
<p>Of course, if a company can figure out a way in which it is no longer subject to these regulations then the problem of regulatory compliance simply vanishes. The problem, then, is how to determine the best course of action for proving the company is not subject to regulation in this matter. The good news is that such proof is only five simple steps away.</p>
<p><strong>1. Make sure the company can avoid complying with federal, state or local regulations</strong></p>
<p>Before embarking on a quest to absolve the company from regulatory compliance, the company needs to make sure that it actually can do this. Many of the newer regulations spell out in no uncertain terms exactly which industries must comply with what the regulation holds. For example, if the company is a financial institution, there is no getting around the Gramm-Leach-Bliley Act of 1999.</p>
<p>All is not lost, however, as long as the company is willing to tweak operating environments to avoid a narrow interpretation of the law. For example, say the company provides medical services but wants to avoid HIPAA. Simple: change the operating environment so that the company offers only free medical services and these services are not the primary duty of the organization. After all, it’s not like the company is a hospital or anything like that.</p>
<p><strong>2. Find hard evidence supporting the company&#8217;s belief that it is not subject to the regulation</strong></p>
<p>Once the company is certain that there is wiggle room in the language of the regulation, it needs to do a little research to dig up hard evidence backing this belief. Given the large risk that attempting to avoid compliance goals entails, the company needs to be sure it is relying upon more than simply assumption and conjecture. The company can obtain hard evidence from legal proceedings, scholarly journals, legislative testimonials or any other legislative or judicial source where the overall message is that either (A) the regulation is defective in some way or (B) the regulation does not apply to the industry sector of the company.</p>
<p><strong>3. Get a group of other companies in the same industry to buy into the idea that the regulation does not apply to them</strong></p>
<p>Wiggle room and hard evidence will never be enough to ensure regulatory avoidance if similar companies within the same industry sector are happily complying with the regulation. Any questions raised about the validity of the company&#8217;s ability to avoid regulations will be answered by comparisons to what like companies are already doing. To help cement the argument that the company is not subject to regulation, it needs to gather together as many like companies as possible within the same industry and together stand against pressure for compliance.</p>
<p>Each of the companies in this group can offer to host a meeting. Multiple meetings give the companies a chance to better cement the non-compliance viewpoint. Discussion can include problems or successes with the current non-compliance viewpoint. A side benefit is that everyone gets a little time out of the office, perhaps with a nice dinner and round of golf thrown in, on another company’s dime.</p>
<p><strong>4. Constantly monitor the situation for changes that affect any of the first three steps</strong></p>
<p>Even if the company is able to achieve success in the first three steps, it can quickly become a moot point if any of the circumstances change: a change in regulatory wording or the passage of new regulation, a court battle against compliance lost, or even a handful of like companies deciding to comply rather than risk sanction. Any one of these can quickly derail continued attempts to remain independent of regulatory compliance goals. Therefore, the company needs to constantly monitor the regulatory landscape for any sign of change in the circumstances surrounding the first three steps of this process.</p>
<p><strong>5. Decide if all of this is worth it</strong></p>
<p>After all is said and done, the company needs to step back and decide if all of this work is worth it. There are benefits in the form of decreased operating costs and increased operating flexibility. However, there are very significant downsides to this as well. The organization faces serious challenges going against the trend and risks sanction and possible legal troubles. Worse still, there is the possibility that the public will view the company&#8217;s actions in a negative light, resulting in bad feelings, bad press and, most likely, bad business.</p>
<p>Hopefully, the answer to “Is it worth it?” will always be a resounding “NO!”. The fact is that even going to these extreme lengths will not always guarantee a company that its attempts to avoid compliance goals will be successful. Therefore, instead of wasting time and money on avoiding regulations, companies need to devote those resources towards ensuring regulatory compliance and receive a much greater benefit.</p>
<p>The good news is that simply flipping these five steps around reveals five steps to ensuring regulatory compliance, or at least five steps to get a company started toward compliance, and here they are:</p>
<p>1. Review all federal, state and local regulations dealing with Information Security thoroughly to ensure that the company is aware of all of its regulatory obligations. A good place to start would be to check with corporate counsel or the company’s attorney on retainer. Beyond that, here are a few websites that list out many of the Information Security regulations that exist today:</p>
<p>(Please note: most of these links center around US regulations)</p>
<ul>
<li>http://www.rsasecurity.com/node.asp?id=2911 – RSA Security – Regulations</li>
<li>http://www.securecomputing.com/index.cfm?sKey=1301 – Secure Computing</li>
<li>http://lp.findlaw.com – FindLaw</li>
</ul>
<p>2. Research legal and administrative findings and opinions as well as trade journals and scholarly articles to help the company determine exactly what the compliance goals of the regulations are and what steps the company can take to meet these goals. Research of this type can be very difficult depending upon a company's access to Web sites such as Lexis-Nexis or InfoTrac. However, here are some good places to start researching compliance issues:</p>
<ul>
<li>Local library – Libraries often pay for access to research databases including Lexis-Nexis, WestLaw, InfoTrac and ABI/INFORM</li>
<li>Major newspapers – Online archives for major newspapers will contain news reports on compliance issues that have come up in the past</li>
</ul>
<p>3. Network and interface with similar companies within the same industry to help establish what other companies are doing to help meet compliance goals and get a feel for what is considered &#8220;best practice&#8221;. Local security groups such as ISSA, InfraGard and Educause are good places to find individuals from like companies in the area. In addition, online security e-mail discussion lists can also help companies build a list of contacts.</p>
<p>4. Constantly monitor the situation and make sure that the company is kept aware of any changes that might negatively affect the company&#8217;s current Info Sec programs or compliance programs. A strong network of contacts, established above, is a great way to keep abreast of what is going on within the company’s industry sector. Monitoring news sources, perhaps through RSS feeds and alerts, is another way to make sure the company is not caught unaware by a recent regulatory mess. I personally use http://www.google.com/alerts for this purpose.</p>
<p>5. Take a deep breath and relax, the company is now a lot closer to regulatory compliance than it was five steps ago. However, it is important to understand that these five steps are simply a beginning, just a way to keep current on the changes to the regulatory landscape. Any policy or procedural changes that the company needs to make require a completely different set of steps that will be covered by another post in the near future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/five-steps-to-avoiding-compliance/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Please… No More Top Ten Lists!</title>
		<link>http://www.securitycatalyst.com/please%e2%80%a6-no-more-top-ten-lists/</link>
		<comments>http://www.securitycatalyst.com/please%e2%80%a6-no-more-top-ten-lists/#comments</comments>
		<pubDate>Sat, 30 Dec 2006 17:21:37 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=221</guid>
		<description><![CDATA[By Adam Dodge &#8216;Tis that time of year when Top Ten lists abound to remind us of what we lived through only a few short months ago. Luckily, The Security Catalyst writers are above such seasonal sensationalism… or am I? I am currently working to compile a “Year in Review&#8221; of sorts on all of [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge </strong></p>
<p>&#8216;Tis that time of year when Top Ten lists abound to remind us of what we lived through only a few short months ago. Luckily, <a href="http://www.securitycatalyst.com">The Security Catalyst</a> writers are above such seasonal sensationalism… or am I?</p>
<p>I am currently working to compile a “Year in Review&#8221; of sorts on all of the reported security incidents that have occurred in 2006 at institutions of higher education. This report will be based on my research of such news reports, found at <a href="http://www.adamdodge.com/esi">Educational Security Incidents (ESI)</a>, and will hopefully be posted by mid-January. (Note: I admit this is a shameless plug, but you do not have to care about <a href="http://www.adamdodge.com/esi">ESI</a>. I promise I will not be offended.) As I review the past year&#8217;s incidents, I have noticed that a few of them sort of stand out for one reason or another.</p>
<p>Mulling over these anomalies, I have come to the conclusion that these incidents hold some significance that sets them apart from the other incidents. Some of them jump out because of the number of individuals affected, others jump out because of the type of incident that occurred. Still more jump out because they result from circumstances that really should never have occurred. Without further ado, I bring you:</p>
<p><strong>Adam’s Top Ten Most Significant Educational Security Incidents of 2006</strong></p>
<p>(in chronological order)</p>
<ol>
<li><a href="http://www.metrostate.edu">Metropolitan State College</a> &#8211; <a href="http://www.computerworld.com/securitytopics/security/story/0,10801,109208,00.html">March 3, 2006</a>: A laptop containing 93,000 student records is stolen from an employee’s car. Why were so many records on the laptop? The employee was using them as part of their master’s degree research. This is one of those incidents that probably should never have occurred.</li>
<li><a href="http://www.georgetown.edu/">Georgetown University</a> &#8211; <a href="http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,109245,00.html">March 6, 2006</a>: The US Secret Service is called in to investigate the exposure of 41,000 records belonging to an Office of the Aging grant project at Georgetown. This incident emphasizes the fact that there is more than just student or staff information at colleges and universities that we need to protect.</li>
<li><a href="http://www.ohio.edu">Ohio University</a> &#8211; <a href="http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html">May 6, 2006</a>: Two different breaches expose upwards of 300,000 records. This incident is important since it was one of the first large scale incidents to gain media attention.</li>
<li><a href="http://www.csustan.edu">California State University, Stanislaus</a> &#8211; <a href="http://www.csustandur.com/newsline/index.php3?pid=734&#038;action=detail&#038;table=press">May 26, 2006</a>: Google’s cache indexes and makes available student information that was accidentally put up on Stanislaus’ web site for a short period in October 2005. This incident is a great example of the difficulty of controlling information once a leak has occurred.</li>
<li><a href="http://www.uky.edu/">University of Kentucky</a> &#8211; <a href="http://www.kykernel.com/media/storage/paper305/news/2006/06/22/CampusNews/Current.And.Former.Students.At.Risk.For.Identity.Theft-2118127.shtml?norewrite200612171404&#038;sourcedomain=www.kykernel.com">June 22, 2006</a>: A USB jump drive containing 18 years&#8217; worth of student data (including grades, names and SSNs) is stolen after a professor left the drive in a classroom. This type of incident will only become more and more common unless controls and policies are implemented prohibiting the use of such devices to store personal and/or sensitive information.</li>
<li><a href="http://www.berry.edu/">Berry College</a> &#8211; <a href="http://news.mywebpal.com/partners/680/public/news748399.html"> September 20, 2006</a>: A contractor “misplaces&#8221; over 2,000 financial aid records at a local airport. This is an excellent example of why it is important for colleges and universities to make sure that contracted third parties take the protection of client information seriously and have safeguards in place to prevent this type of incident.</li>
<li><a href="http://www.sacredheart.edu/">Sacred Heart University</a> &#8211; <a href="http://www.nbc30.com/news/9949938/detail.html"> September 27, 2006</a>: Stacy Koblinski is notified that her information was exposed during a recent security breach even though Ms. Koblinski is not a Sacred Heart student. With the increased sharing of student information and the collection of non-student information, the effects of security incidents can be felt far outside the campus community.</li>
<li><a href="http://www.snc.edu/">St. Norbert College</a> &#8211; <a href="http://www.greenbaypressgazette.com/apps/pbcs.dll/article?AID=/20061028/GPG0101/610280518/1207/GPGnews"> October 28, 2006</a>: St. Norbert College notifies the campus community about a failed breach attempt and urges anyone that noticed unusual activity to alert the college. This incident is an amazing example of exactly what every educational institution should strive to do. Kudos to the staff at St. Norbert College!</li>
<li><a href="http://www.ncc.edu">Nassau Community College</a> &#8211; <a href="http://www.newsday.com/news/local/longisland/ny-licoll1205,0,7551763.story?coll=ny-top-headlines"> December 5, 2006</a>:  A printout of all 21,000 student records is stolen off the desk of an employee. This incident is a perfect example of how security incidents involve information and <strong>not</strong> technology.</li>
<li><a href="http://www.ucla.edu/">University of California, Los Angeles</a> &#8211; <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html">December 12, 2006</a>: A database breach exposes 800,000 records. The sheer number of records exposed in this incident automatically gives it a spot on this list.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/please%e2%80%a6-no-more-top-ten-lists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stop Thinking Hacker, Start Thinking Insider</title>
		<link>http://www.securitycatalyst.com/stop-thinking-hacker-start-thinking-insider/</link>
		<comments>http://www.securitycatalyst.com/stop-thinking-hacker-start-thinking-insider/#comments</comments>
		<pubDate>Mon, 18 Dec 2006 13:00:22 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=218</guid>
		<description><![CDATA[By Adam Dodge For this post, let’s ignore my thoughts (read: strong bias) that information security is about reducing the overall risk to information within an organization to acceptable levels (read: NOT about technology). Okay, perhaps that was a bit more like “announcing” my thoughts then “ignoring” them, but let’s just move along. In The [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>For this post, let’s ignore my thoughts (read: strong bias) that information security is about reducing the overall risk to information within an organization to acceptable levels (read: NOT about technology). Okay, perhaps that was a bit more like “announcing” my thoughts than “ignoring” them, but let’s just move along.</p>
<p>In <a href="http://securityincite.com/blog/mike-rothman/the-daily-incite-november-29-2006">The Daily Incite &#8211; November 29, 2006</a>, Mike Rothman <a href="http://securityincite.com/TDI-2006-11-29#TBP2">mentions</a> this question posted on <a href="http://chuvakin.blogspot.com/2006/11/so-you-think-that-security-is.html">Dr. Anton Chuvakin’s Personal Blog</a>: ”So, what do you think security is about: Fighting nefarious hackers or protecting information.” As you can tell from the opening paragraph, I personally lean toward Chuvakin’s option B.</p>
<p>However, many people that I talk to, both security professionals and non-security professionals, agree with Chuvakin’s option A. There are many valid reasons for holding this view. For example, unprotected computers tend to last mere minutes before compromise on the Internet, and news reports are often filled with stories of nefarious hackers causing untold amounts of damage. Even the <a href="http://www.cert.org/archive/pdf/ecrimesummary05.pdf">2005 E-Crime Watch Survey</a> seems to back up the choice of option A.</p>
<p>According to the survey findings, only 20% of attacks came from insiders while 80% came from external hackers. Normally, a discrepancy this large doesn’t require additional discussion. After all, a 4-to-1 ratio is simple enough to understand. However, looking at what attacks insiders launch versus what attacks hackers use against organizations, reveals a different picture altogether.</p>
<p>Here are a few of the types of crimes that insiders were more likely to commit than external hackers:</p>
<ul>
<li>Rogue Wireless Access Point (72%)</li>
<li>Theft of Intellectual Property (64%)</li>
<li>Exposure of Private or Sensitive Data (56%)</li>
<li>Theft of Other (proprietary) Information (55%)</li>
</ul>
<p>In addition, insiders were almost as likely as external hackers to commit Unauthorized Access to Information, Systems or Networks (54%).</p>
<p>Compare this with the crimes external hackers were most likely to commit:</p>
<ul>
<li>Phishing (92%)</li>
<li>Web Site Defacement (92%)</li>
<li>Spyware (89%)</li>
<li>Illegal Generation of Spam E-mail (89%)</li>
</ul>
<p>[This information can be found on page 19 of the <a href="http://www.cert.org/archive/pdf/ecrimesummary05.pdf">2005 E-Crime Watch Survey’s Summary of Findings</a>]</p>
<p>While the sample size for this survey, around 550 organizations, is too small for specifics to be drawn, a few generalities become apparent when looking at the information above. Hacker attacks, according to these findings, seem to be aimed at computer users (with spam, phishing, spyware, etc.) and technical infrastructure (web site defacement). Insider attacks center almost exclusively on an organization’s information, through theft, exposure and unauthorized access.</p>
<p>The problem with Dr. Chuvakin’s option A, then, is that it ignores the threats to organizational information posed by the very individuals that have authorized, unfettered access to the very information they are attacking. This authorized access to much of the organization’s information is exactly why malicious insiders are so dangerous to an organization. Unlike external hackers, insiders do not have to spend countless hours footprinting an organization to look for open ports that might lead to a way in; they simply need to enter their designated password. Insiders also do not need to delve through computer after computer hoping to find some valuable information; they already know where a good bit of critical or sensitive information is stored.</p>
<p>Insiders do not even need to be disgruntled or have ulterior motives. Valid access to vital information means that even simple mistakes by insiders can have serious impacts on an organization’s information assets. For example, here are just some of the accidental employee mistakes that can end up costing an organization: missing a decimal point in a spreadsheet, storing critical files locally with no backup, or perhaps misplacing a laptop or PDA with critical and/or sensitive data.</p>
<p>None of this should be taken to mean that organizations should no longer worry about external hackers. Quite the contrary, external threats remain as valid as they ever have with computer systems. Instead, organizations need to understand that there are many threats to information coming from inside the organization. Insider threats can no longer be ignored simply because there is also an external threat.</p>
<p>Here are a few things organizations can begin to do to help protect against insider threats to information:<br />
1. User training helps organizations teach employees how to properly handle information assets. (See Joe Knape’s &#8220;<a href="http://www.securitycatalyst.com/2006/12/06/what-we-have-here-is%e2%80%a6a-failure-to-communicate/">What We Have Here… Is A Failure To Communicate</a>&#8221; post on starting an effective user awareness training program)<br />
2. Internal control programs help organizations create organizational policies and procedures dealing with approved ways to access, store, archive, and disseminate information.<br />
3. Annual information audits help organizations identify where current employee behavior differs from established policy and procedures, exposing information to risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/stop-thinking-hacker-start-thinking-insider/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Security Breaches are not Singular Events</title>
		<link>http://www.securitycatalyst.com/security-breaches-are-not-singular-events/</link>
		<comments>http://www.securitycatalyst.com/security-breaches-are-not-singular-events/#comments</comments>
		<pubDate>Thu, 07 Dec 2006 21:16:08 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=213</guid>
		<description><![CDATA[By Adam Dodge  We generally treat problems with information technology as singular events. If a hard drive fails, we replace it. If a port on a router stops working, we switch to another port (or replace the router if it is a large enough problem). In other words, when something with technology goes wrong we [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge </strong></p>
<p>We generally treat problems with information technology as singular events. If a hard drive fails, we replace it. If a port on a router stops working, we switch to another port (or replace the router if it is a large enough problem). In other words, when something with technology goes wrong we tend to simply replace or fix the problem without thinking about how the problem might have affected other parts of the organization.</p>
<p>Generally, this type of reactive response to a singular event is a good thing. It allows organizations to quickly recover from problems and get operations back up and running with a minimum of downtime. The problem is that, since Information Security has grown out of IT in many organizations, security incidents are also treated as singular events. Organizations tend to replace or repair a compromised machine quickly with the belief that it was the only machine affected.</p>
<p>The danger here, of course, is that once an unauthorized individual has access to a machine inside the network, this intruder can then launch attacks against any computer the compromised machines can access. Therefore, to assess the damage of the security breach to the organization fully, we must look at several things.</p>
<p>First, we need to look at the compromised machine. Look at what the computer was running and where it was vulnerable. This can help you find out how the breach occurred. Then we need to consider what information the computer contained. With many states enacting breach notification laws, it is important to make sure the organization is fully aware of what information is at risk.</p>
<p>One important point is to search for any “hacking” tools that might still be on the computer. This can not only help us understand how the intruder was able to gain unauthorized access, but also help us find out if any other computers are susceptible to the same tools. Most organizations today run one or perhaps two main operating systems across all computers. While a homogeneous OS environment has many benefits, if a security vulnerability is left open, all of the organization’s computers might be at risk.</p>
<p>This brings us to the second factor we need to look at: which computer systems are network-reachable from the compromised system. This question could yield as few as zero machines or as many as every system in the organization, depending on the network structure of the organization. However, once we have the list of reachable machines we can begin finding out how far the breach penetrated the organization.</p>
<p>While the size of the list of possibly compromised computers might vary, we can narrow this list even further by ruling out machines that most likely were not affected. To do this we should look at the tools or methods used to compromise the initial computer. Did this breach target a vulnerability in Windows? Were additional Windows “hacking” tools discovered on the computer? If so, it would be practical to limit the scope of the investigation to only those Windows computers in the organization that are affected by these tools and this vulnerability. Also, checking network/firewall/IDS logs, if they exist, can help us determine what traffic originated from the compromised machines and where this traffic was headed.</p>
<p>The last step in this process is to repeat steps one and two if any additional computers are found to have been compromised. Different computers can often be gateways to different parts of the organization’s network. If nothing else, each additional computer compromise found will mean additional information that might have been exposed to this unauthorized individual.</p>
<p>The drawback in the process is that it takes time. The beauty of fixing problems as if these problems are singular events is that the organization can fix the problem(s) and have things back to normal quickly. However, doing so with Information Security incidents overlooks the fact that a single security breach exposes much more than the computer initially compromised. Without looking into how deep the breach penetrates into the organization, we can never be sure that the risk has been mitigated even after the initial computer is patched.</p>
<p>To recap the steps:<br />
1. Examine the initial computer to determine what information was exposed and how the breach occurred (including looking for “hacking” tools on the breached computer).<br />
2. Determine which machines the breached computer can connect to and put together a list of machines that might have been affected as well.<br />
3. For each of the machines on this list, repeat the first two steps until the organization has a good understanding of the scope of the security breach.</p>
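<p>The three recap steps can be driven from the compromised host’s own connection records. What follows is an added example, not code from the original post: it parses a few constructed firewall log lines, walks outward from the initial host, and repeats the reachability check for every newly suspected machine, narrowing the list to the operating system and ports that the tooling found in step 1 can actually attack. The host addresses, the log format, the asset inventory and the “Windows tooling aimed at SMB and RDP” finding are all assumptions made for the example.</p>

```python
"""Scope a breach by walking outbound connections from the compromised host.

Added example, not code from the original post. The steps mirror the recap:
1. examine the initial host (here: its OS and the exploit tooling found on it),
2. list the hosts it could reach (here: from constructed firewall log lines),
3. repeat for every newly suspected host until nothing new turns up.
Host addresses, log format, inventory and the OS/port matching are assumptions.
"""
from collections import deque
import re

# Constructed firewall log lines (not real data): "date time ACTION src -> dst:port".
FIREWALL_LOG = """\
2006-12-07 09:14:02 ALLOW 10.0.1.15 -> 10.0.1.20:445
2006-12-07 09:14:05 ALLOW 10.0.1.15 -> 10.0.1.21:445
2006-12-07 09:14:09 DENY  10.0.1.15 -> 10.0.2.5:445
2006-12-07 09:20:41 ALLOW 10.0.1.15 -> 10.0.3.9:22
2006-12-07 09:31:17 ALLOW 10.0.1.20 -> 10.0.2.7:445
2006-12-07 09:33:50 ALLOW 10.0.1.21 -> 10.0.1.22:3389
2006-12-07 10:02:11 ALLOW 10.0.2.7 -> 10.0.2.8:445
2006-12-07 10:05:00 ALLOW 10.0.3.9 -> 10.0.3.10:22
"""

# Constructed asset inventory (assumption): host -> operating system.
INVENTORY = {
    "10.0.1.15": "windows", "10.0.1.20": "windows", "10.0.1.21": "windows",
    "10.0.1.22": "windows", "10.0.2.5": "windows", "10.0.2.7": "windows",
    "10.0.2.8": "linux",    "10.0.3.9": "linux",   "10.0.3.10": "linux",
}

LOG_RE = re.compile(r"^\S+ \S+ (ALLOW|DENY)\s+(\S+) -> (\S+):(\d+)$")


def parse_connections(log_text):
    """Return {src: {(dst, port), ...}} built from ALLOWED connections only.

    DENY entries are left out of the graph: a blocked attempt cannot have
    spread the breach, though it remains evidence of what the intruder tried.
    """
    graph = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(1) != "ALLOW":
            continue
        _, src, dst, port = m.groups()
        graph.setdefault(src, set()).add((dst, int(port)))
    return graph


def scope_breach(graph, inventory, initial_host, tool_targets):
    """Walk outward from initial_host, repeating steps 1 and 2 for each new host.

    tool_targets = {"os": ..., "ports": {...}} describes what the tooling found
    on the initial host can attack (assumed to come from step 1). A reached host
    joins the suspect list only if it matches; the other reachable hosts are
    returned separately so they can still be checked by hand.
    Returns (suspected_hosts, reachable_but_unmatched_hosts).
    """
    suspected = {initial_host}
    unmatched = set()
    frontier = deque([initial_host])
    while frontier:
        host = frontier.popleft()
        for dst, port in graph.get(host, ()):
            matches = (inventory.get(dst) == tool_targets["os"]
                       and port in tool_targets["ports"])
            if matches and dst not in suspected:
                suspected.add(dst)
                frontier.append(dst)   # step 3: repeat for the newly suspected host
            elif not matches:
                unmatched.add(dst)
    return suspected, unmatched - suspected


if __name__ == "__main__":
    graph = parse_connections(FIREWALL_LOG)
    # Step 1 finding (assumed): Windows exploit tooling aimed at SMB (445) and RDP (3389).
    suspected, unmatched = scope_breach(
        graph, INVENTORY, "10.0.1.15", {"os": "windows", "ports": {445, 3389}})
    print("suspected:", sorted(suspected))
    print("reachable but not matched by the tooling:", sorted(unmatched))
```

<p>Hosts that were reachable but did not match the tooling are returned rather than dropped: the narrowing in step 2 is a prioritization, not a verdict, and the walk never expands through them, which is why 10.0.3.10 (reachable only via the Linux host) stays off both lists until someone examines 10.0.3.9 by hand.</p>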
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/security-breaches-are-not-singular-events/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Homeland Security Degree? Are you kidding me?</title>
		<link>http://www.securitycatalyst.com/homeland-security-degree-are-you-kidding-me/</link>
		<comments>http://www.securitycatalyst.com/homeland-security-degree-are-you-kidding-me/#comments</comments>
		<pubDate>Wed, 29 Nov 2006 13:35:48 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Family Security]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=206</guid>
		<description><![CDATA[By Adam Dodge  Last week I had the pleasure of spending a Sunday afternoon watching football and eating pizza with Michael and his family. During one of our discussions, Michael mentioned a recent USA Today article he came across on new “Homeland Security” degrees that many colleges and universities now offer. Knowing that I am [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge </strong></p>
<p>Last week I had the pleasure of spending a Sunday afternoon watching football and eating pizza with Michael and his family. During one of our discussions, Michael mentioned a recent <a href="http://www.usatoday.com">USA Today</a> article he came across on <a href="http://www.usatoday.com/news/education/2006-11-18-homelandsecurity_x.htm?csp=34">new “Homeland Security” degrees</a> that many colleges and universities now offer. Knowing that I am currently pursuing a <a href="http://www.msia.norwich.edu">Master&#8217;s Degree</a> from <a href="http://www.norwich.edu">Norwich University</a>, Michael wondered what I thought about this new degree.</p>
<p>Let me state from the outset that, as someone with an excessive amount of education (one associates, two bachelor&#8217;s and an upcoming master&#8217;s degree), I believe that higher education is a good thing. However, the particulars of the &#8220;Homeland Security&#8221; major seem a bit off to me. According to the <a href="http://www.usatoday.com/news/education/2006-11-18-homelandsecurity_x.htm?csp=34">article</a>, this new degree allows students to &#8220;do everything from create emergency management plans to design gas masks.&#8221; I will allow everyone a moment to let that last statement sink in.</p>
<p>Ignoring, for a moment, that designing gas masks and creating effective emergency management plans require an individual to have two completely different skill sets and aptitudes, is there any job in existence that requires a candidate to be fluent in both these areas? Yes, engineering, emergency management, language skills, cyber-security, international relations, and many more fields are all very important aspects of Homeland Security. However, it is unrealistic to believe that anyone would be able to master these diverse fields by the time they achieve their PhD with multiple years of work experience, let alone an undergraduate degree. The field itself is simply too broad.</p>
<p>So when organizations hire individuals with this type of training, these individuals might have a passing familiarity with most of the Homeland Security concept. At best this individual will have one or two areas of core strength and a shallow understanding of the rest of the field. While this is not necessarily a bad thing, wouldn&#8217;t this individual be better served by a bachelor’s degree in their area(s) of strength and perhaps a minor, concentration or certificate showing a base understanding in the area of Homeland Security? This way an individual with a public administration degree could still do emergency planning for Homeland Security, but would also have options should they choose to pursue employment outside of emergency planning. The same goes for an engineering student that is fed up with designing gas masks.</p>
<p>In addition, the strength of Homeland Security, much like the strength in a good Information Security program, comes from the various viewpoints of those involved. A single individual&#8217;s viewpoint of a topic is just that, singular. No matter how hard they try, a single individual will never be able to see all aspects of an issue. This means that no matter what our education level, what our experiences, alone we will never see the whole picture.</p>
<p>However, by gathering a number of individuals that have different backgrounds in areas relevant to the topic at hand (Homeland Security), we can gain a much better understanding of the issues. For example, pulling together a team composed of engineers, emergency planners, border guards, intelligence individuals, etc, gives a Homeland Security team multiple viewpoints from multiple subject matter experts that have dedicated their lives to a single area of expertise and therefore bring a unique understanding to the team.</p>
<p>The need for this type of in-depth experience on a broad number of subject areas is why a degree in Homeland Security does not make sense. As the <a href="http://www.usatoday.com/news/education/2006-11-18-homelandsecurity_x.htm?csp=34">article</a> points out, government agencies are looking to hire individuals in Homeland Security roles with expertise in technical areas as well. I find it very hard to believe that a student will gain this type of expertise in one of these new Homeland Security programs.</p>
<p>I understand the appeal these Homeland Security degrees have. After all, one single degree offers the allure of being able to make a difference, helping the country and studying current hot topic areas. However, I strongly urge any student interested in Homeland Security issues to take a more traditional major such as political science, international relations, engineering, computer science, information security, etc. and perhaps minor in one of these “Homeland Security” programs if they wish.</p>
<p>Another option colleges and universities might wish to consider is creating concentrations in Homeland Security aspects for degree fields where there is a need. For example, a political science degree with a concentration in Homeland Security, or an engineering degree with a concentration in areas important to Homeland Security. This option allows students to gain a strong understanding of a career field while also learning how to apply this field of study to Homeland Security issues.</p>
<p>The added benefit to the students, again, is that these students have multiple job opportunities when they graduate. It is important for educational institutions to make sure that the students&#8217; best interests are kept in mind with these new “Homeland Security” degrees and that it does not simply become about gaining federal grant money. Incorporating Homeland Security concerns into more traditional degree fields or creating a minor in Homeland Security issues does just this. Not only will colleges and universities help arm students with the knowledge to better assist in securing the country and ensuring the safety of its citizens, but they will be arming students with traditional degrees, which translates into more job options than simply those involving Homeland Security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/homeland-security-degree-are-you-kidding-me/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Typos: Adding danger to annoyance?</title>
		<link>http://www.securitycatalyst.com/typos-adding-danger-to-annoyance/</link>
		<comments>http://www.securitycatalyst.com/typos-adding-danger-to-annoyance/#comments</comments>
		<pubDate>Mon, 06 Nov 2006 11:58:34 +0000</pubDate>
		<dc:creator>Adam Dodge</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=190</guid>
		<description><![CDATA[By Adam Dodge Anyone who has spoken with me online can attest to the fact that I am truly awful when it comes to spelling. This is something I have dealt with for as long as I can remember. I believe the fact that I was reading well before I started to learn phonetics has [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Adam Dodge</strong></p>
<p>Anyone who has spoken with me online can attest to the fact that I am truly awful when it comes to spelling. This is something I have dealt with for as long as I can remember. I believe the fact that I was reading well before I started to learn phonetics has a lot to do with this. I was able to memorize entire words instead of having to sound them out, so I never really had to learn what letter combinations make what sounds. Therefore, I was never good at spelling words I could speak or speaking words I could read. To this day I still have trouble pronouncing words I do not recognize, but enough about my past.</p>
<p>This evening I decided to download the new <a href="http://www.gmail.com/app">Gmail Mobile Mail App</a> that <a href="http://www.google.com">Google</a> recently released and try it out. I have to say that I am impressed with the application so far. However, something interesting happened when I was using it. I decided to send myself a test message at my <a href="http://www.gmail.com">gmail.com</a> address, so I went into my contacts and selected what I thought was my e-mail address. However, it seems that I selected a preexisting contact that had a typo in it. Yes, I am that lazy and I never deleted it. In fact, I still haven&#8217;t.</p>
<p>Instead of sending it to [myemail]@gmail.com I sent it to [myemail]@gamil.com. Of course I received a nice e-mail undeliverable bounce message from the <a href="http://www.gamil.com">gamil.com</a> e-mail server. I found it interesting that <a href="http://www.google.com">Google</a> didn&#8217;t jump on this typo domain as large companies often do. Curious, I visited <a href="http://www.gamil.com">gamil.com</a> and found it to be a design and engineering company with a playful disclaimer about typos posted at the bottom of the main page.</p>
<p>However, this got me thinking about the potential abuses of e-mail that typo domains can facilitate. For example, say an individual sets up a typo domain for a major e-mail website like <a href="http://www.gmail.com">Gmail</a>. This individual then sets up a program to monitor e-mail messages sent to this typo domain. An unethical individual would then be able to simply harvest both the sender&#8217;s and the receiver&#8217;s e-mail addresses from this e-mail and resell them to spam companies at will. Spam issues aside, e-mail typo harvesting can expose an organization&#8217;s private and unpublished e-mail addresses as well.</p>
<p>As the title suggests, typos might just be more than an annoyance. Will this possible danger ever become a reality? Do we really care if it does? After all, most of us use some form of contact list. Typos are quickly found and removed (unless you are me). If typos do not occur frequently, harvesting these incorrectly addressed e-mail messages would most likely not be worth the effort. Unfortunately, I do not have any information on the number of e-mail typos that sites like <a href="http://www.gamil.com">gamil.com</a> receive, so I do not know how widespread the problem actually is.</p>
<p>After visiting the <a href="http://www.gamil.com">gamil.com</a> web site and browsing around for a few moments, I have no doubt as to the good intentions of the fine people over at <a href="http://www.gamil.com">Gamil</a>. However, next time I might not be so lucky&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/typos-adding-danger-to-annoyance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
