
Archive for July, 2007

A list of the fundamentals for security

In my recent podcast, I focused on the value of the fundamentals. I purposefully didn’t list out what I thought the fundamentals were, since I wanted to take some time to work with you to flesh out a smarter list. Eventually, this is the sort of effort that is well suited to a wiki and that we can make public. But instead of thinking and dreaming big about what we can do in the future… what are the fundamentals that *you* think everyone practicing security should know and be familiar with?

To me, being a professional means that you are not only able to rattle off a list of fundamentals, but that you can explain them to others and possess the ability to _apply_ them. Being able to apply the fundamentals requires us to take the time to think, plan and then practice. Practice of the fundamentals is key. If you follow sports, you can easily see that every superstar spends HOURS each DAY working on the fundamentals. There is a lesson to be learned there…

In order for us to better understand the fundamentals we need to consider and practice, we have to start with a simple list. Once we have a list that we agree upon, it’s short work to build it out and expand it. I’ve got a few different ideas on how we can best do this, but it all comes down to needing a list.

I’ll start by adding CIA to the top of the list. For me, Confidentiality, Integrity and Availability (CIA) are without question the starting place for fundamentals. Without these, we don’t really have much else. In our Protecting Information Workshop, we actually guide people through a hands-on exercise to define and then work with these three basics. I am amazed at the number of people who hold a CISSP, CISM or similar that CANNOT define these terms, let alone apply them. I’m not suggesting anything beyond the simple observation that many of us “know” the fundamentals, in that we know they exist, but fail to continue to study and apply them.

Test it Out

Take five minutes right now. Go write down on a piece of paper how you define Confidentiality, Integrity and Availability. Could you explain that to someone else? How would you develop a set of requirements around those fundamental concepts? Go ahead, I’ll wait.

Okay, so what did you come up with? Either way, by taking even 5 minutes to think about a fundamental concept, write it down and consider how to apply it, you have improved. Today has already been a great day!! Keep on your roll, and share with the entire Security Catalyst Community (free registration required using your full and proper name) what other topics you believe need to be included in the list of fundamentals. When you contribute to the thread, I’m also curious why you think it should be included.

You may notice that comments are turned off for this thread. That’s because we need to track the conversation here: http://community.securitycatalyst.com/forums/index.php/topic,523.0.html

I will work to update the listing so we have a master list at the top, too. When the list gets built out a bit (and I encourage some healthy and positive debate), we’ll explore the fundamentals in an upcoming Security Round Table podcast, in my podcast, this blog and perhaps even in the security salon! It’s time to start making a difference… and I look forward to learning from you!

The Fundamentals
1. Confidentiality, Integrity and Availability

Posted in Information Protection | Comments (2)

How to Create a Security Team for $4.95, Plus Tax

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit. It’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week which is in the former category: no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

The Meeting

It was a pretty exciting morning. I was heading to an initial face-to-face meeting with a potential customer, one of the largest mining companies in the world. My initial contact was with a gentleman who managed their server environment. At my urging he also invited their application and network teams. The meeting was scheduled to discuss assessment activities, something they hadn’t been doing and didn’t have the expertise or tools to do in-house. I asked him to invite the other managers because it was important to get their buy-in, and also because our customers get the best value when we test the entire attack surface rather than one team’s slice of it.

What I heard during the meeting was one of the variations on a common theme - each group ‘owned security’ for their sphere of responsibility, but there were no overarching standards, and minimal to no coordination. These guys were all professionals – the problem was organizational. Their company didn’t see a need for dedicated security resources.

Well OK, almost all professionals. One of them questioned what they had that was worth someone breaking in to steal. The look from his colleagues was as if he said his company possessed nothing of value, which is more or less what he said.

I pointed out a few things – they’re a mining company, so the list of what sites they are considering buying or leasing because their geological analysis said it would be a good spot was definitely worth something to their international competitors. Also valuable are their supplier lists, customer lists, and employee information, not to mention their reputation.

If it’s Everybody’s Job, it’s Nobody’s Job

Those who know me well, know I have a tendency to devolve a conversation into pedantic comparisons to obscure philosophical and/or historical topics. Lucky for you, Dear Readers, I’m too much of a lazy typist to inflict this habit on you – for too long.

The attitude at the mining company I visited was that security was “everyone’s” job. That may be, but without guidance from an accountable party, there is no incentive for anyone to perform something that they aren’t being measured against.

I’d like to paint a comparison to the relative physical security of a shopping mall vs. a public street. Shopping malls have a financial incentive to police their premises. After all, most people wouldn’t visit a mall after being mugged at spork-point in the food court after the first time, forget about the second. As a result, mall owners will set stricter codes of acceptable behavior on their premises than you’d see on a city street. Meanwhile people will litter the ground with cigarette butts, soda cans, and chewing gum in public places with a frequency you’d never see in their own home.

This is an important side effect of the concept of private property – with ownership comes responsibility. We see the same attitude in the workplace – when security is the responsibility of ‘everyone,’ it’s really owned by no one. People are measured on the performance of their primary job responsibility – meeting development deadlines, system uptime, etc. There is no central coordination of standards, no one who ‘owns’ testing controls, no security metrics, and ultimately little to no security.

Create a Security Team for $4.95, Plus Tax

That’s about the going rate for a dozen donuts. Yes, it’s that easy.

Back to the mining company – I realized that they had a long way to go. Since they didn’t have enough management buy-in for security to form a security organization, had no budget, and no ownership of responsibility, I shared a strategy whereby they could create one using the resources they have available now – themselves.

My suggestion was to pick trusted, interested persons as Single Points of Contact (SPOC) from key parts of their organization, schedule a conference room plus a dial-in conference bridge number for those at different locations, and invite them all to an informal monthly brown-bag lunch.

Pick out a news story related to a security incident or breach at another company from the news - a good place to look is the SC Magazine Breach Blog - and email it to everyone ahead of time. The purpose of the monthly lunch is to do some tabletop war gaming. What you’ll want to discuss is, if a similar incident affected your organization, how would you respond? What controls are in place to detect it? Who would be notified? What actions would be taken?

There are three goals for your Computer Incident Response Team (CIRT) meeting:

1. Identify a Single Point of Contact (SPOC) and backup contact for each part of the organization that should be involved in an incident or breach. In addition to identifying a contact and backup from system administration and network teams, don’t forget to pick points of contact from groups like telecom, finance, human resources, public relations, physical plant security, and any other towers you think you can pull in. Make a phone list, including cell phone numbers, and distribute it to all members.

2. Build an ad-hoc team that can respond to incidents, by building rapport and familiarity. This is an important point: a phone tree does not a team make. The team will learn to work together, and learn what roles they can play in incident response.

3. When (not if) an incident affects your organization, you will have already run through similar scenarios in your tabletop wargaming exercises. You’ll have a response team consisting of members of each part of your organization that might be affected. Most importantly, you’ll have the resources to effect a coordinated response.

Don’t forget the donuts.

Posted in Information Protection | Comments (3)

The Psychology of Fraud - Revisited

I’ve decided that Sarbanes-Oxley auditors have it wrong. After 4 years, they look for the wrong things, often costing companies millions of dollars. Their focus is often on minutiae, leaving the lowest hanging fruit untouched.
Why did this happen? Because they haven’t learned from history and they don’t understand the root cause of it all: corrupted humans.

In February, I wrote Psychology of Fraud - Today’s Issues (http://www.securitycatalyst.com/2007/02/20/psychology-of-fraud-todays-issues/). It was an attempt to remind readers that no matter how well we lock down the technology, it only takes one human to corrupt the system. We need to understand the psychology of fraud and why humans do what they do in order to prevent it from occurring. It’s my way of educating our readers on what’s been said in the past to address today’s issues.

I’ve done some thinking on the subject since then and I’ve decided to revisit Cressey’s fraud triangle (pressure, opportunity and rationalization). To commit fraud or any other illegal or immoral action, a person needs three things: Access, Knowledge, and Intent. Without all three, intentional fraud will not occur. This differs from Cressey’s triangle, which did not take today’s information technology into account.

Here’s my definition of each requirement:
- Access. Physical or logical ability to enter, touch, or reach a resource. In computers, this is often controlled by network rules and a user id and password.
- Knowledge. To be familiar or have experience with an object or resource. This means having the concepts and ability on what to do after you have accessed the resource.
- Intent. The purpose or an anticipated outcome that guides a person’s planned actions. Knowingly causing damage to the resource.

This example illustrates how the three requirements fit together: I am given a login id and password to our mainframe, therefore I have access. Not only that, but I am given full administrator rights to it. The problem is that I’m a neophyte on the mainframe; I barely even know how to log on. Plus, I like my organization and don’t want to cause them harm. Therefore, I’m missing two of the three requirements for fraud: knowledge and intent. Even though I have access, there is little risk of my causing harm. Granted, the biggest risk in this scenario is my making a mistake, but that’s another issue.

This is where auditors and Sarbanes-Oxley have it wrong: you can’t audit against knowledge and intent. You can only audit access rights, so that’s what auditors do. They wrongly assume that access equals potential fraud or abuse. It doesn’t: just because a certain user has access does not mean they know what they’re doing or that they will cause meaningful harm. The caveat a practitioner should keep in mind is that excess access is still worth trimming, because knowledge can be acquired, intent can change, and a stolen credential hands that access to someone who already brings both.

Auditors and security professionals need to understand this new fraud triangle and how it fits into the risk equation. Using these concepts promotes the proper balance of security within an organization, thereby reducing costs while improving security.

What do you think? Does this make sense? Is it something you can use?  Join us in the Security Catalyst forums to discuss this and other hot security topics.

By working together, we all become stronger.

Posted in Information Protection | Comments

Security Catalyst Podcast - The Value of Fundamentals

I’m back, baby! I know I’ve been remiss in sharing some ideas and observations - but I’ve been really focused. As I continue to focus on changing how people protect information, I have come to appreciate the value of the fundamentals. I share some insights in this long overdue podcast.  Things you will learn by listening to this podcast:

  • I am a Yankees fan
  • Three lessons I took away from watching professionals and legends
  • How to have more fun at work

I also share some updates on the Information Protection Assessment Toolkit, make a special offer and update some of my travel plans.  It’s nice to be back. We have an SRT coming up, and I have a lot I hope to share… more to come…  If you enjoy this, let me know. If not, let me know how I can make your job easier and improve the quality of your podcast experience. 

Security Catalyst - The Value of Fundamentals [19:49]

Posted in Uncategorized | Comments

Breach vs. Incident: Semantics or Something More?

By Adam Dodge

Recently, the University of Texas-Pan American announced that a staff member lost an external hard drive containing names, addresses and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member and it does not appear that any unauthorized individual had access to staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.

In an article over at The Monitor, UTPA Vice President for Business Affairs James Langabeer stressed that the loss of this external hard drive was only an “incident” and did not constitute a “breach” by an outside individual. According to Langabeer, “It is an incident, it’s not a breach. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident.”

What I find so fascinating about this statement is the distinction between incident and breach, and the claim that an “incident” should not be viewed in the same light as a “breach”. So I started thinking: is this distinction merely a semantic issue, or is there an underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the differences between these words, should they be used as interchangeably as they are in the information security arena?

I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between breach and incident, I do not agree with the portrayal of each as separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, an incident. This means that any breach of information systems, past security controls, is in fact an incident.

One thing that we absolutely need to make clear as security individuals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies continue to show that internal employees cause a large share of information security incidents. Yet organizations still attempt to pass off employee misconduct as a lesser offense, when in fact these are the very employees who both know where the information is and have direct access to it.

However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent like occurrences in the future.

Unfortunately, it seems that more organizations are beginning to make this distinction in press releases surrounding security incidents.

Posted in Information Protection | Comments (5)

The growth of the Security Catalyst Community

For some, the summer signals a chance to slow down, kick back, take some vacations and prepare for a busy fall. I hope you are able to step away and get some much-needed relaxation this summer.

At the Security Catalyst community, we’re working to form a more effective governance structure, migrate to a new server, incorporate more support resources and generally improve the services we are able to provide to you – whether you are new to security, a seasoned professional, a security blogger or even a podcaster.

Since this is a community that is designed to support the way you practice the protection of information, I wanted to take a moment to recap the approach and goals of our community:

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:
(1) Create a community where it is acceptable to be vulnerable and ask for help when you need it
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome – share what you have learned without fear.
(3) Create a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

After 6 months and nearly 400 members, I can tell you without question that those who contribute and make the effort reap the biggest rewards. I know we all hit patches where work gets insane; personally, we’re in the middle of launching some exciting new offerings, and I have had to cycle back on some of my more visible blogging, podcasting and community activity. It happens to everyone - so when it happens to you, no worries. But know this: you are always welcome here.

To make things a bit easier:
(1) You can subscribe to the forums of your choice through RSS. To be fair, it’s not the best RSS implementation I have ever experienced – and it requires some massaging to get it where it works for you. We had an extensive thread on making it work for you – so check it out if you are RSS inclined.
(2) You can set notifications “by email” to be able to keep track of new posts. This is the method I use to keep abreast of new topics.

If you have a question or challenge – especially when you feel way too busy, please take 5-10 minutes to share your question, frustration or challenge with your peers. If someone has already been through this, they can offer you support, some guidance or even schedule a call to save you time! That’s right – I have plenty of stories from members who reached out to help each other… and in the process, avoided the crisis and got their work done quicker (and arguably better).

When you are busy – please make an effort to check in once a week and find one post you can respond to. I know from experience I’m asking you to spend about 30 minutes each week contributing. Since there are no fees to participate, this is the currency of our community.

Offer help when you can, ask for advice when you need it.

Not a day goes by now that I don’t learn something new from this forum. I really look forward to meeting so many of you in person. Once I complete the launch of our new offerings and release my new book, I will be embarking on our Campaign Across America. We’re working to select cities now, but when we come to/near you, please don’t be shy – I’d love to raise a glass and say hello.

So welcome to the journey and thank you for being part of the community. As we continue to learn and grow together, I am confident that we all improve how we think about and practice information security. In the end, this is what will set us apart.

PS: I’ll have a few additional announcements in the coming weeks and months - the result of many months of focused work. I’m excited, and looking forward to sharing my passions and research with you. I’ll be slowly getting back to some regular podcasting and blogging. In fact, I’ll have some additional IPAT information for you available next week…

Posted in Information Protection | Comments

The One Minute Security Manager

Security has a bad name. Whenever I say I work in security, people get paranoid, assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one-way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to disclose their “secrets.” It’s time to change this negative connotation for security.

For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.

1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goal setting, I use the risk equation risk = impact × probability (see the Risky Business post). This helps me determine the lowest hanging fruit: the assets that either carry the highest impact or are most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.

2. Praise Good Security – Praise people immediately to their face (if possible) telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.

3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here and don’t do it right. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people who are responsible for the problem. Sometimes we misplace blame or don’t tell the real person responsible. (b) Tell them immediately, specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.

Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources, improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage their security programs. Lastly, continue to use the SecurityCatalyst forums to share your ideas.

By working together, we all become stronger.

Posted in Information Protection | Comments (1)