
Archive for May, 2007

Announcing the Information Protection Assessment Toolkit (IPAT)

Please confirm your participation by June 12th

You probably thought I decided to stay in Key West. But, in fact, over the last few weeks I have focused on bringing the Information Protection Assessment Toolkit (IPAT) from testing to reality.
It’s ready and I’m ready to help you protect your organization by taking important steps to gain control of your information and reduce the likelihood of a breach.

What is IPAT?
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It is the first step in protecting your organization from a breach. The launch program begins June 19th.

IPAT is unique in that it includes every member of your organization in the process of protecting information. Many of us already understand that we need to do this but struggle as to how. IPAT shows you how. Through the IPAT process you will more accurately identify key details about your information and clarify where it exists in your organization. It involves every person and prepares them to be more receptive to awareness training. The results are transformative. I’ll share a story with you next week.

Who is IPAT for?

IPAT can be scaled for any size organization. We initially designed IPAT for smaller organizations – the so-called “one man shops” - with lots of work, little budget and the need for a supported process that works. In development we realized that IPAT is flexible and scalable. We mentioned it to others and we are now in discussions to implement this approach in Fortune 50 organizations. We’ll be sharing more details next week. In the meantime, I’ll quickly explain a few details.

The IPAT System
IPAT is a system - not a one-time event - that takes a multi-disciplinary approach to protecting information. It guides you through an assessment and planning process in five weeks and then supports your protection efforts for the entire year. It includes:

  • a set-up session where we review the elements with your facilitator(s) - to make sure that IPAT is clearly matched to your needs
  • a toolkit (templates, guides, presentations, audio and other support resources) designed for the dominant learning styles.
  • four coaching sessions (3 seats). We encourage you to spread them out over the course of a year - but they are yours to use without restriction.
  • Most importantly, the Security Salon! With the Salon, you receive monthly teleseminars, weekly “office hours” with text-based chatting, a repository of more information, resources and ways to improve how you assess and protect information.

Five weeks of Roll-out coaching
IPAT Roll-out Coaching is a series of 75 minute teleseminars delivered over five weeks to keep you on track with the IPAT program. This is normally an option with an additional cost. I’m including it for free for the June 19th program.

This is a proven program already in practice
We tested the individual pieces of the system over 18 months then rolled it all into a simple, but effective program. IPAT is now ready - and we’re rolling it out for you. Those who join us for our launch will receive the optional, Roll-out Coaching, free.

Investment
While hiring us to perform an information protection assessment can easily cost tens of thousands of dollars, we have designed IPAT so that you have the tools and guidance to do the assessment yourself with our support for $5000. This solution is affordable for organizations of all sizes.

This is a program, designed from the ground up, to get you the information you need, when you need it; it supports you when you need support; and lets you focus on the business of your organization.

The Benefits of Starting Now
The materials and process of IPAT are proven. I’m now looking for a few organizations that are ready to get serious about protecting information. I am ready to support you with the Information Protection Assessment Toolkit. As a thanks for helping me tweak the program before full implementation, I’m offering the Roll-out Coaching for free. Space is limited to the first 25 people - and we will begin on June 19th.

I’ll have more details available next week.

Posted in Information Protection | Comments (1)

Stop Telling Me There Is No Evidence of Identity Theft

By Adam Dodge

I would like to issue this public statement to any company that already has or will in the future expose my personal information:

“Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!”

It is ridiculous that any organization would think that individuals would find comfort in announcing this fact. Of course there has been no evidence of ID Theft. Affected individuals had no reason to check for ID Theft before the incident. Simple, rational logic tells all of us that we will never find what we do not know to look for.

In addition, the danger of ID Theft persists for affected individuals long after the initial breach. Once records are exposed, there is no way possible to control the use of these records by the individual(s) that obtained them. Couple this with the fact that much of the personal information tied to ID Theft is information that does not change during the lifetime of an individual and the real danger of such exposures becomes evident. After all, there is very little value in telling anyone that there is no evidence of Social Security number misuse after only a short period of time when that same individual will most likely have that same SSN the rest of their life.

If companies really want to reach out to users and make amends after a breach, here are a few suggestions:

Admit responsibility for the incident and offer to pay for credit monitoring

When an information security incident occurs and customer information is exposed, the company is no longer the victim of this crime, the customers are. While this may not seem fair to the company, tough. Customers trust companies with their personal information in return for a service. When this same information is exposed to unauthorized individuals, companies invalidate this trust. Offering credit monitoring is a way for a company to help rebuild trust with customers. The good news here is that studies have shown only a small number of affected individuals ever take companies up on the offer of free credit monitoring so credit monitoring also becomes an inexpensive way to gain positive PR after a breach.

Do not use an employee as a straw man for why the breach occurred

It is somewhat disturbing when a company or organization is willing to throw an employee to the wolves as the sole individual responsible for a security breach. Not only does this show that the company places little value on its employees but also as a consumer, I simply do not buy this excuse. When a company places blame on employee “misconduct” the first thought that I have is not “Wow, what a bad employee.” Instead, my first thought is “Wow, I cannot believe that Company ABC has no internal controls that would have caught this employee misconduct before the breach.” After all, if the employee was truly acting against company policy, there is no reason to think that the company would not have caught this through internal control procedures.

Wait at least one month before telling customers there is no evidence of misuse

If companies truly wish to inform customers that there is no evidence of identity theft or misuse of customer information, wait at least one month after announcing the breach. While immediate proclamations of “No Identity Theft” send my rage-o-meter flying, I have no problem with such announcements per se. By waiting, watching and continually following up with affected customers, a company proves that it has a commitment to its customers and, when coupled with free credit monitoring, a commitment to helping its customers deal with the effects of the breach. In other words, there is great value in following up with customers to ensure no identity information is being misused, as long as companies wait for customers to check for signs of misuse first.

Posted in Information Protection | Comments (2)

Do you want to be an author? Here is a chance…

When we launched the Security Catalyst Community, the hope was that by supporting one another, eventually we would find a project or some synergy that really makes a difference. As the community continues to grow publicly, we’ve found our first opportunity (and we’ll have more announcements in the coming weeks, too)!

During my last trip (sort of a pre-campaign warm-up), we stopped in Baltimore. I took the opportunity to catch up with Bill Sieglein, a good friend and fellow passionate professional. Bill created a group called the CSO Breakfast Club, and we talked about how to work together, so expect to see more in the future. In the meantime, if you’re available for one of these events, I’m confident it will be time well invested. You can learn more at the CSO Breakfast Club website: http://www.csobreakfastclub.com/

Bill also revealed to me that he’s working on a book titled Building and Maintaining an IT Security Program.

Book Description
Compliance is the hottest buzz word throughout the business world today and therefore ensuring the security of IT systems has become a prime focus for all companies conducting business in any electronic fashion. This book presents a set of practical guidelines and operating procedures that will clarify the relationship between information security management and compliance. Written by an expert with 25 years of IT security experience, this comprehensive guide will assist companies in assessing the risks inherent in conducting business, understanding which industry standards and practices are available to them, and in implementing successful and cost-effective information security programs.

This week, Bill called me, fully in the spirit of the community, and asked if it would be possible to open the project to the community members. This allows us to blend the ideas and experiences of the members of our community in a how-to book. We also talked about providing some coaching and using this as a chance to bring some of the members together. I’m entirely for it - and if you want the opportunity to participate, you can learn more here: Opportunity to be a contributing author to my new book!

Posted in Information Protection | Comments

All I Need to Know About Security Programs I Learned from the Pawn

By David Stern

We often focus our discussions on the pervasive inadequacies of information security programs in business, government, and education. Detracting factors include ignorance, lack of budget, and misplaced priorities of management. In this article, I would like to observe the other end of the spectrum.

Information security has become ubiquitous enough that many organizations now struggle with making security work for them. Organizations finally have hard-won elements of headcount, tools, process, and compliance drivers, but they continue to struggle with making it work. Trying to align best practices with internal business processes can sometimes become a greater problem for information security management than the vulnerabilities that they are trying to defend against.

For example, I have seen security organizations fight hard for, and win, management support to put a vulnerability management program in place. The overall goal is to integrate a scanning tool with an internal remediation process to find and clean up security vulnerabilities. It can start off innocently, but soon the project is off track, developing hardening standards and risk matrices that map to ISO 17799 and display on a custom-built web dashboard. While these are fantastic ideas, they keep the most basic goals from being achieved.

The challenge is simple: how do we strike a balance between growing a mature information security program and making security work day to day? To gain some perspective, I suggest that we look to chess. Ted Phelps used the same analogy in a wonderful 3-part article in November 2006 (http://www.securitycatalyst.com/2006/11/16/guest-blogger-information-security-practice-as-a-game-of-chess-part-1-of-3/).

The foundation of the game is the chess board. The board can be compared to the business itself, with alternating colored boxes, some black and some white representing elements and challenges of the business. Rows and columns can be divisions or groups as well as levels of management and project silos. The capabilities of the pieces contrast nicely with the personality types found in management. Rooks can move straight up a vertical, taking a bottom up or a top down approach. Bishops can move diagonally across silos, touching upon varying verticals and management levels. Knights are the often coveted consultants, jumping between silos and levels in an attempt to address everyone and everything. Finally, King and Queen are two great examples of security leadership. The King is all-powerful, but chooses to stay within his local area, while the Queen moves all around.

These positions address the bigger picture. However, when an information security group with limited resources spends too much time building top heavy organizations, insecure applications and weak architectures slip through the cracks. It has been my experience that the pawn’s gradual, forward movement is what makes security work in the trenches. Assessment frameworks and complicated review processes work great, but sometimes, it is the basic approach that needs to be developed first. I have developed a simple, four step process that I use every day to manage the tidal wave of security decisions that flood my inbox.

Look at the Big Picture: Literally. Do you have a diagram that shows the servers, network connections, ports, application flows, and host names of the system that you are trying to assess? You cannot make an informed risk assessment without understanding the moving parts. This step should be a show-stopper.

Architecture: Every organization has policies and rules (even if they are unwritten) that describe how systems or applications need to interact with the Enterprise architecture. If a DMZ exists, then an externally facing system must be placed there. If there are core functions such as Active Directory, LDAP, TACACS, or RADIUS, a system should not use an internal, proprietary database for credential storage. If the system is being developed outside of common design practices, the business drivers must be clearly articulated and signed off by management.

Data Sensitivity: If the system interacts with or stores any personally identifiable information (PII) or personal health information (PHI), then all intersystem communications must be encrypted. Period. Modern application delivery platforms support SSL encapsulation, which makes implementation of this requirement a no-brainer.

Vulnerability Scans: While vulnerability scanners cannot provide in-depth views of system security, they are capable of expediently uncovering the most common security issues. An application with verified HIGH or MEDIUM severity issues cannot move into production. If an organization has application security scanning tools such as Appscan from Watchfire, this should also be included as a prerequisite.

Developing a successful information security program is like learning to ride a bike. Every kid starts out with training wheels. They keep the bike standing, while the child learns the basic functions. Most importantly, they let the child go places and gain their confidence. At some point a parent removes the training wheels and starts the more complicated ordeal of learning balance. Without the training wheels, there wouldn’t be many riders. Similarly, developing a comprehensive security program is the ultimate goal for any security practitioner, but during the course of this development, day to day security decisions must still be made.

Posted in Information Protection | Comments (1)

Introduction to Identity Management as PDF

The Introduction to Identity Management series authored by David Stern has been converted to PDF and is posted in the Security Catalyst Community here: An Introduction to Identity Management

We are in the process of setting up a repository of resources and even exploring the pathway to rolling out a wiki of key information - all designed to make your jobs easier. If you have something that you would like to have published or share with your fellow security professionals - please send me an email: securitycatalyst@gmail.com.

As we continue to grow, I envision a community where you are able to draw on a diverse set of resources that will allow you to do more, improve your quality and spend less time doing it. You can help by contributing documents and resources that you have developed.

Have a great week!

Posted in Information Protection | Comments

The Security Catalyst Community reaches another milestone

We now have over 300 supportive and passionate security professionals active in the Security Catalyst Community. As I have been traveling the East Coast, I have had the opportunity to meet members of the community and have appreciated getting to know people better. Another benefit of coming together to support the growth of our profession.

I’m also excited that we have started to map out the process to continue the growth of the community - including an online chatting capability, a wiki and a document repository. We’re working to form an executive committee and improve the underlying structure and amount of content available to support our efforts as security professionals. As this takes shape, I’ll be providing more information - but we are engaging in some exciting conversations and fantastic times!
Relaxing for a bit today in Baltimore, I spent some time in the forums this morning - and aside from the general amazement I have at the sheer volume of great insights and information, I’m entirely energized and jazzed up about what we do and how our community continues to grow.

The best part? We are only beginning!!

Here are some of the hot and interesting topics of the last week (or so). As always, we would benefit greatly from your ideas, passions and insights… if you are not currently a member, you are officially invited to join us (note: we enforce a naming standard of firstname.lastname).

Fun/different awareness activities

Getting Started With Active Directory

have you got the HIDS?

Hiding Your IP Address (An Explanation For Beginners)

Gmail feeding spambots (speed vs security)

If you could only buy one security book, and that is all you could ever buy…

Scanned penned signatures on emails.

Information Security Program in Local Government

Security for an ISP

Corporate Policy on Blogging

Auditing An Indian Outsourcing Firm

ISM3

ISO/IEC 27001:2005

Posted in Information Protection | Comments

Introduction to Identity Management - Part III

By David Stern

Meta Directories and Federation

Mergers and acquisitions tend to grow IT organizations horizontally. Companies such as Johnson & Johnson or Procter & Gamble may have dozens of divisions that developed as the result of such activity. The challenge of integrating processes and personnel is big enough without trying to force a common directory environment. In these cases, the Meta Directory shines. As we mentioned earlier, today’s LDAP products are incredibly flexible in their ability to synchronize with AD, Novell, and other LDAP directories. By leveraging this capability, an organization can maintain a common Meta Directory that contains information from every business unit, without ever changing the way that business unit operates. Something as simple as a company Whitepages can scale very easily to include new divisions using this method.

The Meta Directory also plays a leading role in the ever-widening use of business partner connections. An uncontrolled laughing fit results when one organization suggests that a partner organization share access to their AD. The security model is weak at best, and no CIO will stake his job on this working. In most cases, partner access requirements result in a manual process of creating common logins and building virtual private networks. The administrative costs can sap some of the value of the partnership.

Meta Directories can solve this problem through a methodology known as Federation. Just as LDAP can be used to synchronize with diverse internal directories, it can do the same thing for external directories. LDAP’s implementation is widely understood, has been vetted for over a decade, and its security model is clean and robust. When compared to Active Directory, establishing an LDAP to LDAP connection is trivial, and carries none of the security stigma of AD. Outside of an LDAP Federation framework, partner access to external or internal applications requires a workflow to handle provisioning and de-provisioning of local AD accounts. Inside of an LDAP Federation framework, the external partner would identify which of its users should have access to the applications, and that information is passed through the IDM infrastructure.

Conclusion

Identity Management and Directory Services are probably one of the least understood pieces of the IT technology puzzle. The solutions can be complicated and are always expensive. But when the cost of administrative overhead, compliance issues, and business drivers are added to the technology price tag, the case for IDM becomes compelling. Hopefully the information that we covered here will prompt the reader to ask new questions and look at new solutions for some of the most common enterprise challenges.

Posted in Information Protection | Comments (1)

Note to Universities: Web Sites Providing A Security Breach Playground

By Adam Dodge

While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.

Looking back then at the 2006 incidents, these 20 incidents exposed about 232,000 records, or roughly 8.6% of all information exposed by colleges and universities last year. However, these 20 incidents account for about 25% of the total number of reported incidents. Since Unauthorized Disclosure incidents correspond to mistakes, we have one quarter of all incidents reported being caused not by external attackers, malicious users or even run-of-the-mill thieves but by simple, preventable mistakes.

As I begin to look over the incidents reported in 2007, I unfortunately see the same trend emerging. Of the 47 incidents thus far, 16 incidents, or 34% of all incidents reported, have been Unauthorized Disclosures. An added twist this year is that 69% of these Unauthorized Disclosures (11 of the 16 incidents) occurred when private and/or personal information was placed on publicly accessible Web sites. Worse still, some of these incidents span years of unauthorized disclosure. For example:

- City College of San Francisco had student information available to anyone on the Internet for seven years
- University of Nebraska-Lincoln had student and faculty information on a public Web page for two years
- University of Pittsburgh’s Medical Center found a presentation containing patient information online in 2005 and removed it, only to have the same presentation show up again earlier this month.

As an individual working in Higher Education, I find this to be an alarming trend. We see incidents caused by external attackers such as the Ohio University fiasco or the UCLA database breach as wakeup calls for action. Cries are raised to “Tighten security controls” and “Watch for those evil hackers”, but we are overlooking the damage we are doing to ourselves. While it is extremely difficult to find a “one size fits all” solution to Information Security, there are some general steps each institution can take to help reduce the risk of accidentally exposing student, faculty and/or staff information on a Web site.

Remove all personal information that is not needed
Okay, this one might seem a bit obvious, but it will significantly help to reduce the impact of information accidentally placed on public Web sites. Even internally, there are many instances where personal information (for example Social Security numbers as a unique ID) remain attached to a file simply because it is part of the record used to generate the file. Many (alright, most) times this level of detail is not needed and is simply left attached because it was the way the file was generated. Removing this information, or better yet replacing it with an internal unique ID, will help to limit the impact should such information make its way to the Web.

Stop using the web as a “temporary” file transfer medium
At one time or another most of us have been guilty of doing this. After all, there is a temptation to utilize Web space to transfer files. It is easy, requires few steps and is something with which we are all intimately familiar. However, too often such information is not removed from this “temporary” holding space and thus becomes a “permanent” addition to the organization’s Web site. Worse yet, if this information becomes part of an Internet cache (i.e. Google Cache or the Wayback Machine) such information will remain on the Internet long after the original file is removed.

Periodically check the organization’s Web site for such information
Despite all efforts, there is a very good chance that personal information will end up, at some point in the future, on a public Web site. The reason for this is simple. Mistakes happen. After all, “to err is human”. Therefore, it is important that each institution begin scanning its Web sites for information such as Social Security and credit card numbers. The good news is that, since this information follows a standard format, scanning should not be all that difficult. In fact, there have been some good discussions of scanning for such information on the UNISOG and Educause mailing lists. The difficulty with scanning is determining how often such scans should occur. In the end, this discussion comes down to what the institution feels is acceptable. If the institution has no problem with such information residing on the Web for a year, then annual scans will do. If a year is too long, then perhaps quarterly or monthly scans are in order.
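As an added illustration of the scanning step (this is not code from the post or from the UNISOG/Educause threads it mentions), the Python below checks constructed sample pages for Social Security and payment card numbers. It goes a little beyond the "standard format" remark by applying SSA issuance rules and the Luhn check so that dates, phone numbers and random digit runs are not reported; page paths, contents and function names are assumptions.

```python
"""Scan web content for Social Security and payment card numbers (added example)."""
from __future__ import annotations

import re

# SSN in the common printed form: 3-2-4 digits separated by dashes or spaces.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Card-like run: 13 to 19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample pages standing in for files under a web root; not real data.
SAMPLE_PAGES = {
    "/students/roster-2004.html": (
        "Name,ID,SSN\n"
        "Jane Doe,1001,219-09-9999\n"      # plausible SSN -> reported
        "John Roe,1002,000-12-3456\n"      # area 000 is never issued -> ignored
        "Posted 05-12-2007 by admin\n"     # a date, not an SSN
    ),
    "/bursar/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 processed\n"  # Luhn-valid test number
        "Ticket 4111 1111 1111 1112 opened\n"             # fails Luhn -> ignored
    ),
    "/news/index.html": "Nothing sensitive here, call 555-123-4567.\n",
}


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the scan report does not itself leak the number."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding {path, kind, line, masked} per plausible SSN or card number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append({"path": path, "kind": "ssn",
                                 "line": lineno, "masked": mask(m.group(0))})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"path": path, "kind": "card",
                                 "line": lineno, "masked": mask(m.group(0))})
    return findings


def scan_site(pages: dict[str, str]) -> list[dict]:
    """Scan every page (path -> contents) and collect findings in page order."""
    results = []
    for path, text in pages.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['masked']}")
```

On a real web root you would feed the same scan_text function the contents of each file (and exported copies of cached pages), then decide the scan frequency as the paragraph above suggests.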

In the end, we all need to be aware that simple employee errors cause a surprisingly large number of security breaches.

Posted in Information Protection | Comments (2)

Results of the Messaging Survey – Information You Can Use

We recently conducted a brief “5 minute survey” on messaging security. I want to thank each of you who participated – you provided valuable insights and information. As promised, Josh Jabs, of Roth Capital Partners (and a member of the Security Catalyst Community) extended his insights by developing a four-page overview of our collective findings.

This report is solid gold if you are working to develop your budget, approach or to validate your current messaging actions. It’s always nice to know what your peers are doing and who the players in your market are.

This report is free for Security Catalyst Community members. You can download your copy here: http://community.securitycatalyst.com/forums/index.php/topic,381.0.html

NOTE: Joining the Catalyst Community is no-charge. The currency of our community is your participation. If you have not yet checked out what we have to offer, I encourage you to come and sign-up. Please know that we enforce a strict naming standard of Firstname.Lastname (the period counts, too).

Why is this valuable?
This is a document that provides you insights, but also backs up assertions with hard statistics and information. This guidance is useful when you are validating decisions already made. It’s obviously useful if you are working on messaging security in your current efforts.

Will we do this again?
Part of the goal of the security catalyst community is to come together, leverage our collective insights and talents and improve the way we practice information security. I was really impressed with the quality of this research and am grateful to Josh Jabs for helping to pull this together.

I found this to be incredibly valuable. As a result, I’d like to be able to offer this again and continue to build a stable of resources that support your efforts to improve the way we think about and practice security. You can support my desire to support you by sending me an email with the topics that you would like us to assess for you. Shoot me a note to: securitycatalyst@gmail.com.

Posted in Information Protection | Comments (1)

Do you sell security like a sunset performer?

Last night I took the opportunity to celebrate another (Key West) sunset. Ironically, it was the sunset I have been searching to capture on camera for a while - and yet it eluded my lens. Regardless, I drank it in, felt some stress slip away and then took in a “show.” The street performers of the Sunset Celebration in Key West are some of the most entertaining and practiced I have seen. When you visit and take the time to celebrate, do plan to stick around and be entertained.

Yesterday I had the opportunity to see the Great Rondini, an escape artist, dazzle and entertain the crowd. What I enjoyed (as much as the performance itself) is how he built the crowd, got the energy going and then put on a show - and in the end, he escaped his bonds. In addition to his humor and well-practiced quips, he stopped at least once, commanded our attention and issued a heartfelt thanks for supporting him. No, not the pitch for money… a true thank you for rewarding his efforts with our attention and applause. It was an honest emotional connection with the audience.

(I tried to insert a picture here, but my software bombed out - maybe soon!)

Beyond his excellent performance, I noticed that he held the attention of my children for the entire time (I also don’t recall any cell phone conversations or people using blackberries!). Better yet, when he was done, he came and thanked each child that came by - and rewarded them with a glow-stick style bracelet. It was genuine and classy.

On the walk back, I started thinking about how we could apply what I just experienced to our practice of security and how we protect information….

Rondini worked his timing, built interest, got people engaged and then put on a show. He waited until the sun went down (and people were less focused on finding the “right” spot). He waited patiently until the tight rope act was done, and then quietly stood on a chair and blew a whistle. A bright orange get-your-attention whistle. SHOWTIME! He immediately engaged those standing right near him (including me) to form up at his line. He even said - look like you’re a crowd (to some laughs). He had a line for each of us as he invited us to participate. He threw out some practiced lines to get you to laugh… which is immediately disarming… and slowly, the crowd grew. When the crowd was right, he selected volunteers - got the crowd to support them and started the show.

It was clear that he was a professional. He’s practiced at his craft - and yet the show was different than I have seen in the past (so he’s still improving, changing and growing). Think about it for a second - how do you brief people? How do you explain what you do? How do you approach security?

Rondini smiled. He engaged. His passion for performing came through. As a security professional, this is an approach we need to follow. Rondini only gets paid when he puts on a good show. The larger the audience, the better the involvement and the stronger his performance, the more tips (and larger tips) he will be able to collect. He is motivated to improve and to perform. Most of us are lucky - the paycheck shows up no matter how well we do. Take a moment, though, and imagine ALL of your compensation based entirely on how you connected, engaged and entertained?

I don’t think it makes sense to tell people security is hard, complex, heavy and something they _have_ to do. We can all learn something from the Sunset Celebration Performers - and bring a bit of entertainment to our efforts to make a difference. I am confident you will reap rewards from this approach.
Here is what I learned from Rondini - and how I think we can all benefit with our practice of security:

1. Choose the right time to perform (or deliver your message)
2. Engage your supporters and build them up (we need to find and build security champions)
3. Bring the audience into the performance and reward them (we need others to engage - but they have to be encouraged and rewarded)
4. Rehearse, rehearse, rehearse - so you seem practiced, smooth, confident - and really entertaining! (we *all* need more of this. period.)
5. Show sincere thanks and remain genuine and classy

Need help - shoot me an email: securitycatalyst@gmail.com. When this works, share your success with me!

Posted in Information Protection, Professional Speaking | Comments
