Securing the Toughest Times
Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks. Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff. One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources. This is especially hard when you know those affected. However, it’s critical that this tough job be done.
The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure. The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage. Luckily, the Fannie Mae sys admin found the malicious script.
You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs. [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]
Before the announcement
Just as in any project (and this is a project), planning and coordination are key. Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process. Delays increase risk to the organization. While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management. Security needs to know who is affected in order to know what needs to be protected. Security can also help properly protect the “list” prior to the official announcement.
Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs. On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive. Security officers should be trained and ready to handle potential conflicts and workplace violence.
Information security personnel should identify single points of (security) failure and high risk areas. This includes administrators with expanded ability, authority or access. Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs. Management should address these critical points well before the announcement to prevent any unexpected denials of service.
Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place. This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences. (No one likes to find out that their position is eliminated by having their network or badge access disabled.) Also, this cannot occur too long afterward, for obvious security reasons. Ensuring the correct timing requires pre-planning.
As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts. This could be before the actual lay-offs. Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.” Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others. This could occur on the network or off. It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.
During the announcement
With your planning complete, it is now time to enact and follow those processes. As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access. The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN). The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.
Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available. This is to maintain contact with clients or customers. Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access. The mailbox or number needs to be reassigned to the responsible manager or his/her delegate. Allowing permanent access is not a good idea; there should be a set timeframe for this access to remain active before it is disabled.
Also, consider any shared accounts used by the separating employees. Do they know the UNIX root or Windows administrator password? Whether it’s that or any other password for a service account, make sure the password is changed ASAP.
Physical security personnel need to be watching and ready in case the affected people become upset. Normally, you don’t need a physical security presence to escort them. That can be accomplished by the manager and/or HR representative. However, Security should be ready in case things turn ugly. Additionally, they should be watching what property is leaving.
Part of your process should include the retrieval of any assets used by or assigned to the separating employee. This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents. When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization. Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.
Lastly, while the separations occur, continue to monitor online access and activities. You never know the mindset or attitude of those who depart. The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites). Your IDS/IPS should be watching those external network assets and you should be ready to take action.
After the separations
While the major threat may have passed when the laid-off employees have left, it is not completely gone. There are specific post-separation activities that need to occur to ensure risks stay low.
One of the most critical activities is the inspection of online and paper files left behind by the employee. Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed. This can be time consuming and tedious, but it can’t be ignored. A side benefit is the freeing of storage space.
The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business. This person also needs to determine the retention period for any material that needs to be kept. This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.
Another post-separation activity is inspecting online files for potentially malicious content. This is especially important for any systems administrators who were let go. There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind. Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs. Failure to take this step could be devastating for the firm.
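A post-separation sweep of the kind described here (and listed under “Check for backdoors” in the checklist below), as an added example that is not from this article: given the departed user’s name and copies of the passwd, crontab, authorized_keys and sudoers files, it reports every entry that still references that user, including an account that was left with a login shell instead of being disabled. The file contents and the user “jdoe” are constructed for the example, and the checks are simple heuristics of my own, not a tool the article mentions.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    source: str   # which file the entry came from
    line_no: int  # 1-based line number within that file
    text: str     # the entry itself
    reason: str   # why it needs a human look

def _records(text):
    """Yield (line_no, line) for non-blank, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line

def audit_passwd(text, user):
    """The account should be disabled, not deleted: flag it if it still has a login shell."""
    out = []
    for n, line in _records(text):
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == user and not fields[6].endswith(("nologin", "false")):
            out.append(Finding("passwd", n, line, "departed account still has a login shell"))
    return out

def audit_user_crontab(text, user):
    """Every job in the departed user's own crontab needs review or removal."""
    return [Finding(f"crontab:{user}", n, line, "scheduled job owned by departed user")
            for n, line in _records(text)]

def audit_system_crontab(text, user):
    """System crontab entries carry a run-as user; also catch jobs run out of the user's home."""
    out = []
    home = f"/home/{user}"
    for n, line in _records(text):
        parts = line.split()
        run_as = None
        if line.startswith("@") and len(parts) >= 3:   # @reboot user command
            run_as = parts[1]
        elif len(parts) >= 7:                          # m h dom mon dow user command
            run_as = parts[5]
        if run_as == user:
            out.append(Finding("crontab:system", n, line, "system job runs as departed user"))
        elif home in line:
            out.append(Finding("crontab:system", n, line, "job runs a script from departed user's home"))
    return out

def audit_authorized_keys(text, owner, user):
    """Keys in another account's authorized_keys whose trailing comment names the departed user."""
    out = []
    for n, line in _records(text):
        tail = " ".join(line.split()[2:])   # heuristic: everything after key type and key data
        if re.search(rf"\b{re.escape(user)}\b", tail):
            out.append(Finding(f"authorized_keys:{owner}", n, line, f"departed user's key still authorized for {owner}"))
    return out

def audit_sudoers(text, user):
    """sudoers rules that still name the departed user as the grantee."""
    pat = re.compile(rf"^{re.escape(user)}\b")
    return [Finding("sudoers", n, line, "sudo rule still grants departed user")
            for n, line in _records(text) if pat.match(line)]

def run_audit(user, sources):
    """Run every check over a dict of file contents and return the combined findings."""
    findings = []
    findings += audit_passwd(sources.get("passwd", ""), user)
    findings += audit_user_crontab(sources.get("user_crontab", ""), user)
    findings += audit_system_crontab(sources.get("system_crontab", ""), user)
    for owner, text in sources.get("authorized_keys", {}).items():
        findings += audit_authorized_keys(text, owner, user)
    findings += audit_sudoers(sources.get("sudoers", ""), user)
    return findings

# Constructed sample inputs for a hypothetical departed admin "jdoe"; not real data.
DEPARTED = "jdoe"
SAMPLE = {
    "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
               "jdoe:x:1001:1001:J. Doe:/home/jdoe:/bin/bash\n"
               "svc_backup:x:900:900::/var/backups:/usr/sbin/nologin\n"),
    "user_crontab": ("# m h dom mon dow command\n"
                     "0 3 * * * /home/jdoe/bin/rotate-logs.sh\n"
                     "*/5 * * * * /home/jdoe/.cache/.x >/dev/null 2>&1\n"),
    "system_crontab": ("PATH=/usr/bin:/bin\n"
                       "17 * * * * root cd / && run-parts /etc/cron.hourly\n"
                       "30 2 * * * jdoe /opt/backup/sync.sh\n"
                       "@reboot root /home/jdoe/tools/keepalive.sh\n"),
    "authorized_keys": {
        "root": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne ops-team@bastion\n"
                 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo jdoe@laptop\n"),
    },
    "sudoers": ("root ALL=(ALL:ALL) ALL\n"
                "%sudo ALL=(ALL:ALL) ALL\n"
                "jdoe ALL=(ALL) NOPASSWD: ALL\n"),
}
```

Each finding is a pointer for the remaining sysadmins to review by hand; on a real host the same functions would be fed the contents of /etc/passwd, /etc/crontab, the per-user crontab, each account’s authorized_keys and /etc/sudoers.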
Lastly, use this time to document what went right during the process and where you have room for improvement. Take time to learn from the experience and enhance the process.
Conclusion
Staff reductions are a part of corporate life. As painful as they are, they are often critical to keep the organization functioning at full capacity. Security needs to be an active participant in the lay-off process to ensure the risks are kept low. The removal of access is only one of the many areas requiring the attention of Security. They also need to be actively monitoring both the physical and on-line activities of the separating associates. This isn’t to be intrusive, but to ensure the continual protection of the organization.
Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring. The tips in this article will aid you in the development of your security model so you are ready when the time comes.
Checklist of Security Items to Consider with Lay-Offs
Before
- Planning / establish processes
  - Disabling access
  - Communications
- Establish trusted contacts
  - HR
  - Legal
  - Security
  - Management
- Identify single points of (security) failure
  - Employees who pose a danger (to themselves or others)
  - Administrators
  - Associates with access to sensitive or confidential data
- Identify risks
  - Intellectual property
  - Confidential data
  - Property
During
- Disable regular individual access
  - Logical
  - Physical
  - Phone
  - Email
- Remove access to shared accounts
  - Administrator accounts
  - Service accounts
  - Other shared passwords
- Asset retrieval
  - Computers (laptops)
  - USB drives
  - Two-factor authentication tokens
  - Cell phones / PDAs / pagers
  - Paper documents
- Enhance monitoring
  - IDS/IPS
  - Logs
  - Physical surveillance
After
- Continued vigilance
- Review of assets “left behind”
  - Online documents, files, and shared storage
  - Email
  - Papers
- Check for backdoors, Trojan horses, logic bombs
  - Unix
  - Windows
  - Databases
  - Network devices
- Lessons learned
  - What went right?
  - What could be done better?
  - Process improvements
Justification for Security Policy / Awareness Position
Recently, I had to justify a vacant opening for a security analyst responsible for policy and awareness. This article is the position paper from that effort. Feel free to use it if you ever need to justify this position.
“The position of Security Policy & Awareness is the key to the success of the Security program at [our company]. This employee sets the policies and standards for security across the enterprise. They ensure those responsible for enacting or following them know of their existence. The role facilitates multiple groups to ensure the policies developed are rational, effective, and visible in order to protect our employees, clients, and shareholders. It establishes the expectations of behavior for employees and the establishment of controls to ensure the confidentiality, integrity and availability of company assets.
We need an employee who can focus on ensuring our policies are well-written, up to date, and have been coordinated across the enterprise. If this position were not filled, then the chances are high that our Policies would stagnate with very little improvement. In addition, it would be much more difficult to develop new Policies, therefore leaving potentially critical gaps. This would potentially increase our security and compliance risks.
We also need an employee to promote Security’s Policies, Standards, and best practices. We cannot leave it up to employees, Managers, or anyone impacted to find the security policies and to follow expected secure behavior without someone leading the way. Without a person dedicated to Security Awareness, our employees will be unable to follow both the policies and the best practices that keep us all secure, greatly increasing the risk of a security breach.
If it is in the best interest of the Company to continue without this position, many of the activities will be delegated to the affected parties (IT, HR, Compliance, Legal, and the Business Units). The Security team will continue to lead many of the functions, but will be forced to take a minimalist approach and will only be able to accomplish the most critical tasks. The current Security manager could perform some of the duties of a Policy and Awareness Analyst, but many of the functions would be left incomplete.
Most organizations the size and breadth of [our Company] in our sector have at least one employee dedicated to the activities of Security Policy and Awareness. Security pundits across the globe have spoken out for this need as well. This is because the lack of this position creates a gap in the whole security program that cannot be fulfilled any other way. Lastly, without this position, we are in danger of violating laws and regulations established for the protection of personal information (See Attachment 1).
It is my recommendation that [our Company] allow us to fill the position of Security Policy & Awareness Analyst. It’s in the best interest of all involved including Security, our employees, and our business partners.”
Attachment 1: Laws, regulations, and industry best practices stating the need for a Policy & Awareness position:
- Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 12: “Maintain a policy that addresses information security for employees and contractors.”
- ISO/IEC 27002:
  - All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
  - Operating procedures should be documented, maintained, and made available to all users who need them.
- COBiT v4.1: Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.
- ID Theft Red Flag rule:
  - Section 114 of the FACT Act directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or customer.
  - The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.
- FFIEC Information Security Handbook:
  - Institutions are required to establish an information security program that meets the requirements of the 501(b) guidelines. Information security policies and procedures are some of the institution’s measures and means by which the objectives of the information security program are achieved.
  - Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.
- HIPAA:
  - An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.
  - A security awareness and training program for the entire workforce must be developed and implemented.
The GOAL of Security
Do you know THE Goal of your organization? Why does it exist? What’s its purpose?
Even if you work for a “security company,” its main goal is not security (or at least it shouldn’t be). I know that this sounds like sacrilege, but it’s not. The main goal of most private sector companies is to make money. In most companies, providing security doesn’t make money. It’s an operational expense or an investment.
I’m currently reading The Goal, A Process of Ongoing Improvement by Eliyahu M. Goldratt. It has reminded me of the importance of knowing the goals of your company. All activities of the company should be moving it toward its goals of being profitable. “If the company doesn’t make money by producing and selling products (or services), or by maintenance contracts, or by selling some of its assets, or by some other means … the company is finished… an action that moves us (the company) toward making money is productive. And an action that takes away from making money is non-productive.”
My impression is that many security professionals lose sight of their company’s goals. It’s happened to me. I’ve gone through the motions of securing stuff without realizing how it moves the company toward making money. In my enthusiasm for security, I’ve been guilty of non-productive activities that could harm my company.
Security professionals live in a world of paradox. Too much protection and our people can’t be productive. Not enough and the business takes too much risk, which can also cause non-productivity. With the right balance, we can move the company toward profitability. The challenge is determining that balance.
Here are three tips for maintaining a balanced security program that will meet your organization’s goals:
- Know your organization’s goals. You need to collaborate and ask questions to determine what makes your organization tick. Understand how it makes money. For public or non-profit organizations, find out the reason for its being. If you don’t understand your organization, then how can you properly secure it?
- Know your organization’s risk appetite. The next step is to understand the amount of risk your organization is willing to take. This is a business decision, not a security decision, and should be based on the organization’s goals. If your organization is in the manufacturing sector, it very well may be willing to take many more risks. On the other hand, financial sector businesses with an Internet presence may have a very low tolerance for risk. The only way to determine this is to ask.
- Create a security program based on the organization’s goals and risk appetite. Your security program should move the organization toward productivity and making money, not away from it. The protections you recommend, implement, and maintain should always be driving the organization toward its goals. They should also be in line with its risk appetite.
In everything you do, ask yourself, “Is this moving us toward or away from our goals?” If it’s away, then reconsider your actions. The security protections you have may be appropriate in your mind, but are they really right for the organization? This can be a humbling experience, but it can also win you a lot of respect when you’re willing to compromise.
If you remember The Goal, your security program will go far.
And remember, “By working together, we all become stronger.”
Staying off of the suspect list
Often, we’re our own worst enemy. We do things that make us a likely target for blame. In other words, we’re on the suspect list. We receive the blame when something goes wrong because of our actions or the access we maintain.
The best strategy is to keep yourself and others off of that list. Being on it, first of all, disrupts the investigation into finding the true source of the problem. Second, it causes others to distrust those on the suspect list, even if they’re innocent. The best way to prove innocence is to have a clear name from the onset.
Often security professionals and IT managers have access to many systems, applications, or facilities. They believe it’s required because of their position or responsibilities. The problem is that having access often puts them automatically on the suspect list. Many times I’ve been accused of involvement when there were network issues. “Were you running one of your security scans again?” is a common question aimed at me just because I have the ability to run scans, not because I necessarily did.
Often, other activities may add us to the “suspect list”, such as browsing the Internet, transferring documents from home to work and vice versa, clicking on links in email, or installing freeware or shareware applications on a work computer. While they’re not always bad activities in and of themselves, these actions do have potentially dangerous consequences.
Here are five things you need to do to keep yourself off of the suspect list:
1. Limit your access. This is the concept of least privilege. If you don’t need it or don’t use it every day, disable or delete your access to it.
2. Only use administrator privileges when you administer the system. If you’re always logged in as an admin, then you’re just asking for trouble.
3. Freeware isn’t always free and shareware may mean you’re sharing more than the program. Finding programs on the Internet may save money in the short run, but they occasionally contain hidden malware that can take down your system.
4. Think before you click. Be aware of where you go on the Internet.
5. Keep your secrets secret. If you allow others to use your login id or badge, then that person is you and you’ll be on the suspect list if something goes wrong. Badges and passwords are like kleenex; it’s not cool to share.
Security’s objective is to keep people off of the suspect list. We know that the great majority of our work force wants to do what’s right. We want to help you. Like the police, our objective isn’t to get you into trouble, but to keep you out of trouble. Consider what you should do to keep yourself and others off the suspect list. It will make your life much easier.
Pet Risks – A New View of Risk Management
by Ron Woerner
“7 out of 10 companies overspend on IT expenses without improving security or becoming compliant.” Computerworld
What causes this phenomenon? One would think that overspending on security would be a good thing. It’s not. Overspending in some areas causes underspending in others that may have greater value to the business. This practice often detracts from focusing on those risks that are really the greatest for an organization.
One of the causes is the introduction and promotion of “pet risks” by decision makers. A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers. It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources. It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a ‘96 Ford Contour. The cost of mitigation is out of balance with either the asset value or the real risk.
It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk. IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks. However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.
The decision maker has the position and influence to make it happen. He or she is able to get the funding and personnel to address their pet risks. They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation. Whether those risks are critical for the organization is debatable.
An example is data leakage protection (DLP). The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost. Management may be convinced that they need to stop this at all costs. They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage. While it may be an issue, data leakage may not be the organization’s biggest problem. It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.
How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy. What you need is an honest assessment of risk. Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business. Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.
Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:
Conduct a risk assessment;
Collaborate on the results with all stakeholders;
Be open and honest on the best ways to protect the business.
In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs. They should address the potential impact and probability of data leakage. Is it an irritant or could it be a major issue? How likely is it that critical data can and will leak out of the organization? They need to collaborate with others on their risk assessment to see how it affects the business.
Pet risks are an irritant caused by closed-mindedness. Open your mind to address all possible risks to your organization. Talk to others to get their honest opinion. Get outside help when needed. Don’t be the owner of a pet risk.
By working together, we all become stronger.
The Psychology of Fraud – Revisited
I’ve decided that Sarbanes-Oxley Auditors have it wrong. After 4 years, they look for the wrong things, often costing companies millions of dollars. Their focus is often on minutiae, leaving the lowest hanging fruit untouched.
Why did this happen? Because they haven’t learned from history and they don’t understand the root cause of it all: corrupted humans.
In February, I wrote Psychology of Fraud – Today’s Issues (http://www.securitycatalyst.com/2007/02/20/psychology-of-fraud-todays-issues/). It was an attempt to remind readers that no matter how well we lock down the technology, it only takes one human to corrupt the system. We need to understand the psychology of fraud and why humans do what they do in order to prevent it from occurring. It’s my way of educating our readers on what’s been said in the past to address today’s issues.
I’ve done some thinking on the subject since then and I’ve decided to revisit Cressey’s fraud triangle. To commit fraud or any other illegal / immoral action, a person needs three things: Access, Knowledge, and Intent. Without all three, intentional fraud will not occur. This differs from Cressey’s triangle, which didn’t take today’s information technology into account.
Here’s my definition of each requirement:
- Access. Physical or logical ability to enter, touch, or reach a resource. In computers, this is often controlled by network rules and a user id and password.
- Knowledge. To be familiar or have experience with an object or resource. This means having the concepts and ability on what to do after you have accessed the resource.
- Intent. The purpose or an anticipated outcome that guides a person’s planned actions. Knowingly causing damage to the resource.
This example illustrates how the three requirements fit together: I am given a login id and password to our Mainframe, therefore I have access. Not only that, but I am given full administrator rights to it. The problem is that I’m a neophyte on the Mainframe; I barely even know how to log on. Plus, I like my organization and don’t want to cause them harm. Therefore, I’m missing two of the three requirements for fraud: knowledge and intent. Even though I have access, there is little risk of my causing harm. Granted, the biggest risk in this scenario is my making a mistake, but that’s another issue.
This is where auditors and Sarbanes-Oxley have it wrong: You can’t audit against knowledge and intent. You can only audit access rights. So that’s what auditors do. They wrongly assume that access equals potential fraud or abuse. However, that’s not true. Just because a certain user has access does not mean they know what they’re doing or that they will cause meaningful harm.
Auditors and security professionals need to understand this new fraud triangle and how it fits into the risk equation. Using these concepts promotes the proper balance of security within an organization, thereby reducing costs while improving security.
What do you think? Does this make sense? Is it something you can use? Join us in the Security Catalyst forums to discuss this and other hot security topics.
By working together, we all become stronger.
The One Minute Security Manager
Security has a bad name. Whenever I say I work in security, people get paranoid, assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one-way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to disclose their “secrets.” It’s time to change this negative connotation for security.
For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.
1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goal setting, I use the risk equation of risk = impact X probability (see the Risky Business post). This helps me determine the lowest-hanging fruit: the assets that have either the highest impact or are most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.
2. Praise Good Security – Praise people immediately to their face (if possible) telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.
3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people, the ones who are responsible for the problem. Sometimes we misplace blame or don’t tell the person who is really responsible. (b) Tell them immediately and specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.
Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources, improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage their security programs. Lastly, continue to use the SecurityCatalyst forums to share your ideas.
By working together, we all become stronger.
User Awareness Training
According to many, user education is one of the best methods of ensuring adequate protection of your information assets. It’s been eternally touted as one of the requirements of a viable information security program. This article is not about that, though. It’s about knowing your users/customers. Yes, Mr. & Ms. Security Professional, your users are also your customers. You are here to serve them; not vice-versa.
How well do you understand your users? Are you aware of their needs, habits, and abilities? Most security professionals understand the technology, but don’t have a clue about their user base. All security professionals need user awareness training to ensure they understand their customers.
In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302) He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf). This report classifies Information and Communication Technology (ICT) users. Based on its findings, we in security can no longer assume that users are stupid. From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the power of social networks to reach out to <others>.”
The report’s author, John Horrigan, has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes. The ten groups that emerge in the typology fit broadly into a “high end” (31%), “medium users” (20%), and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes, and usage patterns.
From the Report*,
– 8% of Americans are deep users of the participatory Web and mobile applications;
– Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
– 10% rely on mobile devices for voice, texting, or entertainment;
– 10% use information gadgets, but find it a hassle;
– 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.
Do you know where your customers/users fit? How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users. Once you know yourself, you can better understand your users/customers.
By understanding your users/customers, you can tailor your security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals. By having a little awareness training about your users, that fear will be lessened.
To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed. So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?” CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.
What do you think? Is the Pew Report accurate? Respond either in the comments below or on the Security Catalyst forums.
By helping each other, we all become stronger.
* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.
Be Prepared
You should be familiar with the phrase, “Be Prepared.” It’s been used by millions of Boy & Girl Scouts around the world since 1907 [1]. Boy and Girl Scouts are trained to be in a state of readiness in mind and body, so that they know the right thing to do at the right moment and are willing and able to do it.
As security professionals, shouldn’t we also “Be Prepared?” We need to have a “tool bag of knowledge” that we can open whenever an event occurs. This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.
One of the “security triangles” is protection, detection, & reaction. Our response to an incident is just as important as how we protect key assets and detect anomalies. An incident doesn’t have to be related to computers; it can be almost any unexpected event. Also, your response should be a process that uses available tools, techniques, and technologies to address the most common risks.
The following are basic, high-level steps that prepare you for incident response:
1. Risk Identification. No one person or organization can prepare for everything that may possibly happen. It just doesn’t make sense. We in the Midwest are not prepared for a tsunami, nor should we be. But we are ready for tornadoes, especially this time of year. You need to take the same approach in preparing your incident response. Ask yourself, “What’s the worst that can happen?” What threats are most likely to occur and have the greatest impact? Identifying the greatest risks will help you prepare an incident response plan that covers the most likely events.
2. Get support. You cannot possibly know nor do everything. You need to have a support group ready to help when the time comes. The group you will need depends on the threats and the incidents identified in step 1.
3. Practice. The only way to get good at something is to just do it. Realistically, this isn’t always possible when responding to an incident. At the very least, you should conduct a paper exercise where you and your support team discuss the incident and your response. As you practice, document what you do, what works and what doesn’t work.
Note: these steps are not computer specific. They will work for any type of incident: technical or not; business or personal. In researching this topic, I searched on “incident response steps.” It’s interesting that the top results all have to do with Computer Security. Incident response is not and should not be unique to computers. The basic, high-level preparation steps are the same, whether you’re responding to a shooting or a computer intruder.
Louis Pasteur said, “Chance favors a prepared mind.” Improve your chances of success by being prepared. You can join a discussion of Incident Response on the Security Catalyst forums: http://community.securitycatalyst.com/forums/index.php/topic,366.0.html. Let us know how you prepare.
By helping each other, we all become stronger.