by Ioana Justus

If you were asked to throw a few million dollars out the window, would you do it?

If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.

What about companies that, effectively, waste millions of dollars trying to implement identity management?

The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.

If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over:  How do we justify the cost?  Why do so many companies stop at “single sign-on”?  Why do implementations take so long?  Why do implementations get halted mid-effort?  What’s the true benefit of identity management?  What’s the ROI?  You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.

But what does it all mean?

Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?

No, we’re not.

IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated postive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever-more mature. But, IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:

Identity Management in 13 Easy Steps

Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?

An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.

There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.

Are you ready for this journey?  If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.

For now, here’s the intended schedule:

December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.

January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.

February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.

March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.

April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.

May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).

June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.

July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).

August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.

September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.

October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.

November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.

December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.

by Jeff Kirsch

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self.  Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and considered what they are doing as a game.  I’m not suggesting that what we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drops dramatically.

by Carl Anctil

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

by Ron Woerner

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property

During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance

After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements

by Jeff Kirsch

Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.

He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.

I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I kne

w that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.

For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the ga

me. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.

In losing, you win

We hear all the time that most successful people failed, sometimes more than once, before

being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.

In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.

A plan is good, but plan flexibly

My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.

Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.

In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a away to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.

by Dennis Kuntz

There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It’s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn’t going to win a bunch of fans from the Security Twits lurking around on Twitter’s infosec community.

The author’s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that coupled that with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker would certainly make him a difficult customer.Who wants to deal with that?

A lot of the reactions to the author’s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don’t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4x0rs whilst doing the Dew? While not everyone would take that tack, let me suggest a different approach anyway.

The author, Farhad Manjoo, represents reality. He’s a real person who uses real technology in the real world. And he’s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers here, and a decent summary here), it was discovered that:

“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company’s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use. “

With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo’s opinion as just being one of the uneducated masses, I contend that it’s our job to listen to his opinion and address it appropriately:

• If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.
• If the reasons are justified (“justified” here does not mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.
• If the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.

I say let’s bump things up a notch: Make it a point to seek our your own personal Mr. Manjoos, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

I’ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth — and couldn’t wait for this labor of love to be done. Well, I’ve been the husband/father side of pregnancy, and it was smooth sailing for me. Now that I’m nearing the home stretch of this book, I’m starting to understand…

Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.

I’m ready to get this out there – and to share what I have learned and help more companies. So… I have decided to pack up the RV (it’s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more the tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help
If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?

Do you want a preview of the book?
I’m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview – let me know and we can catch up. I’ll bring what I’m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal… whatever. In fact… if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I’ve been testing the book for the last year, and I know this works. I’m happy to share.

When you will get the book
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it’s off to the printer!

If you can’t wait (for business or personal reasons)
I will be making a sample chapter available in the next few weeks. It’s seriously top priority for me. At that time, I’ll be able to accept pre-orders and take requests for autographed copies, too.

At the same time — you can book me right now for a dynamic keynote to prepare your organization now. In fact, we’re lining some up for December so that people can get this information before the new year! I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can.

I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you’re serious about changing the way people protect information, I’d like to have a conversation with you about how my program can help.

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased – but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speaker’s Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor and deliver it in an engaging, entertaining and simple to understand way.

Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.

Mind the Gap
Journey Into the breach, protect Information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership(one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speaker’s Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding – and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement – speaking or training – receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker – you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.

Products & Services

“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
-Frank Herbert

By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data.

It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings includ• e:

• The Information Protection Toolkit (IPT)

• ‘Speaking About Security’ training sessions for security professionals

• The Privacy and Awareness Toolkit

• Keynote speeches and workshops designed to engage, empower and enable your teams

• Catalyst Sessions – dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.

We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days.
Visit our website or contact me for more information.

Communications

“You must be the change you wish to see in the world.”
-Mahatma Gandhi

In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.

Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:

• Information Protection Toolkit
• ‘Speaking About Security’ training sessions for security professionals
• Catalyst Sessions for one-on-one and team support
• Presentations designed to engage, empower and enable your teams
• Catalyst Club – unique coaching, job-aids and the ability to practice and improve

The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll noticea slight change to it’s location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.

We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services. We are excited to finally share these fruits of our labor.

Watch for ‘Change is Good: Part III’ next week.

Overview

Change your thoughts and you change your world.
— Norman Vincent Peale

It has been a year of change at The Security Catalyst.

First we changed our thinking about what our contribution to information protection should be. Then we changed our offerings. We invested in a solid foundation, built the infrastructure for delivery and now we’re rolling out the results. Over the next two months you will notice:

• new products and toolkits
• more online services
• adaptable, cost-saving bundles of our offerings
• a new website
• enriched blogging with more analysis, research, perspectives and updates on my training for the Iron Man (specifically as it relates to information protection).
• the work of new team members
Quite simply, our focus and research put us at the intersection where information becomes understanding and enables us to change the way people protect information.

Watch for ‘Change is Good: Part II’ next week.

As we continue to deal with breaches, compliance, privacy initiatives and awareness… we are still vexed by the nagging concern, “Do we have privacy anymore?”

Tomorrow, I’m moderating the September Security Round Table with a panel of experts, including: Martin McKeay, Rebecca Herold, Andrew Hay, Dr. Anton Chuvakin, Dan York

High Level Approach
Our focus is on exploring and addressing the questions of privacy. As we’re working on our outline, we’re preparing to address questions such as:

• Definition of privacy
• How have the attitudes of government and the populace changed privacy in the last decade?
• Does the average end user understand privacy?
• Online databases
• What can we do today and can we recover the privacy we’ve lost (or never had)?

Your Chance to be Involved
What questions do you have? What do you want us to try to answer tomorrow? Send me your ideas, questions and suggestions to: securitycatalyst@gmail.com
PS: Sorry for the late notice. We’ll have more lead time for October (awareness) and the upcoming programs.

By Tricia Santarcangelo

I walked through the World Trade Center at 8:20 a.m. on September 11, 2001. I had done this almost every day for a year. Despite being married to Mr. Security, I never noticed if there were emergency exits, stairs, or other paths to travel. I walked like a member of the flock the same way every day.

When the second plane hit the towers, Michael begged me to get out of the city. I stayed, not because they told me to, not because I was curious and wanted to watch what was happen, but simply because the only way I knew how to get off the island was blocked by two huge towers that were on fire.

Like many people the events of 9/11 changed me, but not in ways I expected. Now when I go anywhere I note where all the exits are, where the fire extinguishers are, and who is around me. I am amazed by how many people are not aware of what is around them.

I believe we have lost our sense of situational awareness and until we find it again, the practice of information protection will continue to struggle.

So today on the anniversary of the day I became aware I challenge you to look around and take it all in, you might be surprised at what you see. Maybe today is your day to become aware.

– Tricia penned this yesterday as we reflected and remembered and wanted to share it with you. Hopefully we can encourage her to offer us more on her perspective of forming the “security mindset.” — Michael

The Security Catalyst Community has been successful migrated to a new server and a new URL.

Please update your bookmarks and join us at:

http://www.securitycatalyst.org/

Why the migration
This is the first of many planned improvements. At this stage, we have elected an interim board to manage the growth and operation of the community. We’re working to establish our mission, vision and a tactical plan to roll out more functionality in the community.

We would love your input and look forward to continued growth.

Regards,
Michael Santarcangelo
Founder and Chief Security Catalyst

http://www.securitycatalyst.org/index.php

PS: We have about 150 active professionals (of nearly 400 users) improving their careers every week. Thanks for your contributions to a successful community!

Internship Opportunities Available with Dynamic, Growth-Oriented Company
Breaches, compliance, privacy and identity theft are major concerns of corporate and public America. Join this dynamic young company focused on information protection and data security. In addition to working with the Security Catalyst team, you will be mentored by Michael Santarcangelo, a highly energetic entrepreneur and professional speaker.

Apply your education and gain valuable business experience. The Media/Production and Research/Writer positions will each receive a stipend. The Sales position is paid on commission.

Audio Producer / Engineer15 to 20 hours per week

Michael Santarcangelo produces regular podcasts and audio programs for general and client use. This position allows you to develop hands-on skills producing and engineering audio programs on a regular broadcast schedule. The selected producer/engineer will work to develop a production schedule and process and be responsible for working with Michael and other talent to record, produce and distribute informative and engaging programming. Credit as a producer/engineer will be given on published audio programs.

Researcher/Writer 15 – 20 hours per week

New legislation, announcements of breaches, innovative strategies… change in information protection happens quickly. Michael Santarcangelo’s blog analyzes and interprets current information protection issues and advocates for a more secure future. The selected Researcher/Writer will work closely with Michael identifying topics for blogging and other outlets, researching the topics and drafting the piece for Michael’s review. Credit as a contributing researcher/writer will be given on published pieces.

Marketing / Sales20 hours per week

This position requires a hunter/closer of intangible products – someone who thrives on working a database and the telephone to systematically develop prospects and close the business. There will be some list development required however, the majority of time will be spent on warm leads. Value of the products ranges from $5000 to $25,000. 5% commission is paid with a bonus once monthly target is reached.

Interested? Send me an email at securitycatalyst@gmail.com to explore next steps.

Regardless of what the calendar says, the new year really begins in September. After a summer of obstacles to productivity, in September, we jump into gear.

This message is to update you on:

• Information Protection Assessment Toolkit (IPAT) – special offer deadline imminent
• September Events

Build Budgets, Awareness, Strategy… with IPAT
Special offer deadline

My plan for a guided, supported and realistic toolkit to help those responsible for security build a plan, budget and awareness program became real this summer. The Information Protection Assessment Toolkit (IPAT) and the IPAT preview program launched in July.

The special offer of a ½ day of my time to launch the program in your organization will soon end. As you can see from my schedule below, my hours are limited. Contact us to book your IPAT program before September 13th.

September events:.

The Protecting Information Workshop
Sponsored by: Albany, NY Tech Valley ISSA Chapter
Thursday, September 20th, 9am-3pm EST
MetLife facility, Rensselaer Technology Park, North Greenbush.
Thanks to their sponsorship, the fee is only $25 for non-members
Certificate: 5 Continuing Professional Education (CPE) credits
Registration: http://www.techvalleynyissa.org/

Security Solutions Virtual Tradeshow
Sponsored by: Ziff-Davis
Wednesday, September 26th, 11am -6pm EST
Registration: http://go.ziffdavisvts.com/securitysolutions

Into the Breach – Keynote Speaker
Sponsored by: CSO Breakfast club
Friday, September 28
Pittsburgh
Registration: http://www.csobreakfastclub.com/

Cutting Edge Conference
Sponsored by: Symantec Corporation (Internal event, closed to public)
October 2 & 3, 2007
Orlando, Florida.
Registration: closed

Enjoy a secure September.

Michael

I hope you got off to a great start this week – you deserve it. I was able to correct the podcast feed issues (which seem to be related to some sort of update in the latest version of wordpress). You should be able to again download and listen to Security Catalyst Podcasts…

I’m actually working on a podcast now, explaining why I don’t accept “but we have a policy” as a credible excuse when a company that has has a breach/disclosure of information looks to blame someone else. It’s becoming the next round of excuses, and I’ll be sharing some of my thoughts on what I’d like to see instead, and what you can do to make sure you don’t need to use that lame excuse (of course, pre-ordering Into the Breach is a good plan, too). Look for that this week, along with my weekly update.

I’m also lining up some public opportunities for us to explore how to protect information together. Once those are firmed up, I’ll let you know about the time and dates, since this will be a low-cost and very limited engagement until we kick-start the Campaign Across America. I’m also up late working on The Catalyst Club – a way to allow you to improve your career (and make more money, get the girl, drive a fast car) by engaging and working with the information we write and talk about. I’m planning to share it with you in September – but might offer a preview to readers/listeners in the next few days.

For those tracking it, the fundamentals thread in the community continues to grow and explore our fundamentals. These are the very keys that will enable your success across the board – and we’ll be exploring them for our mutual benefit as we continue this process.

Lots of exciting things going on — have a great week!

I just got a heads up that my podcast feed is suddenly not working. I can verify it’s not working – and since today is my birthday and I’m heading out, I can further verify I won’t fix it until sometime this weekend.

Sorry for the inconvenience….

In the meantime, I posted the August Security Round Table this morning… and we’re already planning the next three shows! In August, we discuss the keys to your success in finding a new job, managing your career and well, the secret code word of the day. No not really – but you should listen to make sure.

Check it out here: http://www.securityroundtable.com/

Subscribe in iTunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477

Have a great weekend!!

I’ve been really impressed by the exploration and resulting discussion of the fundamentals taking place in the Security Catalyst Community. Join the discussion: What are your “fundamentals” for security?

My quest for the fundamentals began initially considering the superstars of sports, and watching, then studying their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues – and I love listening to the stories of how this applies to sports, to thing like teaching children match and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

The current list
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege
4. Simplicity

(and we’re currently discussing a few others)

It’s important to note that the discussion of fundamentals quickly veers into discussions of “how-to” – which is the next step. Many of us are entrenched in the day-to-day operations, and discussing the how-to is ABSOLUTELY NECESSARY for us to distill down to the fundamentals. I know the progress may seem slow, but it’s clear to me that we’re making progress, and this is only the beginning.

The Value of Fundamentals – through Triathlon
I am registered for Ironman 2008 in Lake Placid, NY (July 20, 2008). While the goal is a long way off, it also requires me to start training now, after several years of being away…

When I was younger, I was a competitive swimmer, swim instructor, cyclist and active triathlete – and was fortunate to have good coaching that drilled the fundamentals into me, whether I knew it or not. Looking back, I didn’t know it then, but I certainly appreciate having those fundamentals drilled into me. A few weeks into my training, I am finding that my “muscle memory” is surprising… and that allows me to both focus on building up my endurance base, but also to focus more deeply on the fundamentals so that I am even more efficient and effective. At the same time, I struggle with “what I used to be able to do” as I focus my time and energy on relearning and mastering the fundamentals. I firmly believe that a simple training plan based on proper application of the fundamentals will help me reach my goal.

As such, my approach to spend 8-10 weeks EXCLUSIVELY focused on fundamentals of swimming, cycling, running, nutrition and rest. The idea is to slowly introduce the right patterns and behavior that will guide the extended training and distance I will need to travel in the coming months (and years, since one certainly won’t be enough). I also am doing this while finishing my book, planning a campaign across america and launching some new assessment and awareness solutions — you guessed it — based on understanding and applying fundamentals.

I’m actually able to train in about 8-10 hours a week right now, which hasn’t impacted my business or my time with my children. In fact, I’m finding that I actually have MORE time and am more PRODUCTIVE in the time I do have. Weird, right?

So how does this relate to security and our quest for fundamentals? Well, I think studying other fields for their fundamentals is a brilliant and important approach. Not much new has been created, but there is plenty to learn from, adapt and expand on. I’m finding that by following the fundamentals in my tri training, I am able to be more effective with less risk. AH-HA!

If we want to be more effective with less risk, then we also have to make the time to learn, study and learn to apply the fundamentals. And we have to do this all the time. Even as my training progresses, I am seeking the advice and counsel of coaches, clinics and incorporating basic drills to help my body continually understand and apply the fundamentals. In the beginning, it sometimes feels slow – and that can be frustrating. As time goes on, we realize we can go further, faster – whether in physical pursuits, or in our careers.

The practice of security is no exception to this rule. I will continue to explore the parallels and will be writing about them, sharing them here and looking forward to learning from each of the contributors here … soon, we’ll have a compelling and impressive list. Don’t worry about the struggle… this isn’t designed to be a quick exercise. It’s going to take some time, but that will be an amazing pay-off.

Maybe it’s because I’m more engaged (in the forums – I’m happily married, thank you)recently… Maybe it’s the triathlon training I started back into… Maybe it’s the moon…

Whatever it is, the discussions taking place in the Security Catalyst Community have been nothing short of spectacular recently. The more I study how we learn (and therefore how we grow & improve our practice of security), the more convinced I am that we need “safe havens” in which we can engage in conversations – conversations that allow us to negotiate new meanings and applications of our many and different experiences. Our fellow professionals are sharing their ideas, their time, their talents – with each other. Amazing. Engaging. Reassuring.

It’s happening – and if you’re not engaging in the conversations, you’re missing out. Membership has no cost – your participation is your currency. The only requirement we have is that you need to register using your real name – Firstname.Lastname is our format. We are building a community of passionate professionals. True professionals. You are invited!

Here is a sample of the exciting conversations taking place right now – jump in today!

Security heretics needed?
…In the past, those with heretical opinions have often triggered a vast change in what were orthodox techniques…

how often should I get involved?
… As a newer security person how often should I get involved with projects? I see alot of projects around me getting started that involve some level of security and I don’t even hear about them until the project is at near end or already deployed…

Looking for publicly available logs
…I’ve developed a new open-source tool to sift through logs and intend to publish it soon…

UTM Devices
…I am looking for some advice on the current range of UTM devices available. My company hosts a low volume application service provider environment for some of our clients situated on DMZs off our firewalls. These existing firewalls are due for imminent replacement and we are considering going the UTM route for the future…

Looking for people who have tried OSSEC
…we have a budding author looking for those with experience with OSSEC…

Spinning up a Security Consult Business
…This thread is simply amazing… I almost feel like this is a MUST READ!

Cost per seat for awareness
…So my initial question remains: how much are people allocating for awareness PER PERSON, per year? Security is not a seasonal event, so we have to invest properly to make a difference. The smaller your company, the more per person you’re likely to spend. The larger, the more likely you’re able to gain economy of scale….

The conversations taking place in the SCC are truly engaging – and I’ll briefly round up some of the top conversations in a while. Meantime, here is the current list of active members of the SCC, and the blogs and podcasts they maintain.

As a community designed to support the profession coming together, I’m thrilled to have so many outspoken and well-spoken members of the community. We now have an interim leadership board in place, and we’re working through some details on how to improve and expand the efforts of our community. Good times lie ahead!

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Security Views | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
Aditya Kuppa | http://rumblingsofaconfusedmind.blogspot.com
Sam Masiello | http://www.mxlogic.com/threat_center
Still Secure After All These Years (Alan Shimel) | http://www.stillsecureafteralltheseyears.com
John Biasi | http://www.john-biasi.com
Security Incite (Mike Rothman) | http://securityincite.com/blog/mike-rothman
Eric McMillen | http://www.mcmillengroup.com/blog/
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
SecThis.com Security Podcast (Gene Naftulyev, CISSP) | www.secthis.com
Jon Robinson | www.jonsnetwork.com
The IT Security Guy (Joel Dubin) | http://www.theitsecurityguy.com
Augusto Paes de Barros, CISSP | http://www.paesdebarros.com.br/english & http://www.paesdebarros.com.br/indexpb.html
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Steve Mullen | http://skmullen.wordpress.com
Rory McCune | http://www.mccune.org.uk/
Nick Owen | http://www.wikidsystems.com/WiKIDBlog
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Gary Hinson | http://www.NoticeBored.com
Daniel Miessler | http://dmiessler.com/ | http://dmiessler.com/study/
Didier Stevens, CISSP | https://DidierStevens.com
Lester Nichols, MCP | http://virtualmindshare.blogspot.com/
Amrit Williams | http://techbuddha.wordpress.com
Ken Camp | http://www.ipadventures.com/
Liudvikas Bukys | http://L.Bukys.org
David D Bergert, CISSP, CISA | http://www.infosecblurb.com
Justin Clarke | http://www.justinclarke.com
Garrett Gee | http://ggee.org
Andrew Storms | http://blog.ncircle.com/blogs/sync
Lori MacVittie | http://devcentral.f5.com/weblogs/macvittie/
Rob Newby | http://robnewby.blogspot.com
Andrew Mason | http://infosecandpcifromscratch.blogspot.com
Andy Steingruebl | http://securityretentive.blogspot.com/
Security Thoughts (Allen Baranov) | http://securethink.blogspot.com
Jeff Stebelton | http://jeffsoh.blogspot.com

My good friend Andy Willingham today celebrated one year of blogging. Andy, thanks for a year of sharing ideas, insights and your passions! If you’re not currently reading Andy’s Blog – you’re absolutely missing out. To celebrate a year, he pointed out that FaceTime recently experienced an unpleasant situation where customer information was disclosed. I think many of us realize that no one, and therefore no company is perfect. FaceTime has proven that – and I think Andy presented a balanced view of the situation.

I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.

While I suppose this isn’t exactly the type of event you want to incorporate on the front page of your website, the only public response I could find was in the computerworld article. From what I read in the Computerworld article – FaceTime acted quickly and even notified people impacted. Yet, I was bothered by this response:

However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.

It’s a fair and valid statement to make. I supposed I would advise a client to make a similar statement, save one exception: I’d leave out the aspect of tying personal information to a limited set of data. I’m troubled by the concept that if it wasn’t a social security number, credit card number or something of the same that no personal information was disclosed. Information of any kind has value – and while this was probably a mistake, I would expect a security company to have taken a different attitude.

I hope you are having a great summer and enjoying the opportunity to soak in the sunshine and spend time with the people you care about. After a client visit this week (in the RV), I managed to surprise the family and stop at Hershey Park yesterday afternoon for some “fun in the sun.” As I have shared with you, having the RV allows me the benefit of traveling to my clients with flexibility and freedom – and lately – at a COST SAVINGS from some of the airfare and hotel prices. On a personal level, it allows me to travel with my family and explore new areas – learning, teaching, and sharing. In the end, that works out to the benefit of my client, too.

Windshield Time & The Value of Fundamentals
Driving the RV allows me to work when inspired and provides plenty of “windshield time” to think. In the last week, I have spent a lot of time thinking. In specific, I have been really focused on WHY so many of us are in a state of constant REACTION. Seriously – I’m bothered about the state and health of our industry. Too many people are on-edge, look exhausted (and in many cases, defeated) and are making poor decisions. I really believe that we collectively need to get back to the basics. We need to focus on fundamentals and master them if we truly wish to be successful.

I walked back into the office today and caught up on the amazing conversation taking place in the Security Catalyst Community about fundamentals. I just spent a few days working with a valued client focusing on a tactical program to build security awareness. The theme we agreed on was that “security is a dialogue, not a directive.” I’ve firmly believed that for a few years now – and we have to design structures and opportunities for people to engage with us in conversations. Through these conversations, we are able to “negotiate” the meanings. Now, this doesn’t mean we change the meaning of principles and approaches. It means we engage in a conversation that allows us to come to a more complete and thorough understanding.

What I realized today is that we have to do the SAME THING as security professionals. The thread on fundamentals is giving us an opportunity to engage in a conversation of our own. When you join in our conversation, you’ll notice that we are sharing ideas, concepts, principles and asking questions – designed to help each of us find the common understanding. As a result, we are building an important list of fundamentals that each of us needs to:

• Know
• Explain
• Apply

The Importance of this Effort
Once we have a decent list of fundamentals, our opportunity then becomes one of exploring how to apply them in a way that makes our jobs easier. “Knowing” the fundamentals is important, but not a terminal step. We have to be able to then explain them to others and practice (continually) how to apply them. The more we study and explore the fundamentals, without question, the stronger we become. This is a key to my quest to help our profession break the cycle of reaction.

From the thread:

The point I was making is that security is not fundamentally different than it has been for centuries. The tools may be different, but the approach is still the same. You build barriers, monitor those barriers, and attack the intruder if they get through. Castles were still open to the general public, but could be quickly shut off in times of conflict. While the castle was open, the towers were not and had differing levels of protection based on the value of an asset and its use. For example the courtyard of a castle was open for commerce, but the open area was controlled by those watching from up above on the castle wall.

This came after a discussion that lead to adding “Defense-in-Depth” to the list.

The current list of Fundamentals
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege

We’re currently exploring some tried and true principles and approaches and distilling them down to fundamentals. You are invited to participate (and benefit). Here is the discussion: http://community.securitycatalyst.com/forums/index.php/topic,523.0.html

To join the Catalyst Community – go to http://community.securitycatalyst.com/forums/index.php – and register using your full name, separated by a period. For example, my username is michael.santarcangelo.

We all look forward to learning from you!!

I hope you are having a great summer and enjoying the opportunity to soak in the sunshine and spend time with the people you care about. After a client visit this week (in the RV), I managed to surprise the family and stop at Hershey Park yesterday afternoon for some “fun in the sun.” As I have shared with you, having the RV allows me the benefit of traveling to my clients with flexibility and freedom – and lately – at a COST SAVINGS from some of the airfare and hotel prices. On a personal level, it allows me to travel with my family and explore new areas – learning, teaching, and sharing. In the end, that works out to the benefit of my client, too.

Windshield Time & The Value of Fundamentals
Driving the RV allows me to work when inspired and provides plenty of “windshield time” to think. In the last week, I have spent a lot of time thinking. In specific, I have been really focused on WHY so many of us are in a state of constant REACTION. Seriously – I’m bothered about the state and health of our industry. Too many people are on-edge, look exhausted (and in many cases, defeated) and are making poor decisions. I really believe that we collectively need to get back to the basics. We need to focus on fundamentals and master them if we truly wish to be successful.

I walked back into the office today and caught up on the amazing conversation taking place in the Security Catalyst Community about fundamentals. I just spent a few days working with a valued client focusing on a tactical program to build security awareness. The theme we agreed on was that “security is a dialogue, not a directive.” I’ve firmly believed that for a few years now – and we have to design structures and opportunities for people to engage with us in conversations. Through these conversations, we are able to “negotiate” the meanings. Now, this doesn’t mean we change the meaning of principles and approaches. It means we engage in a conversation that allows us to come to a more complete and thorough understanding.

What I realized today is that we have to do the SAME THING as security professionals. The thread on fundamentals is giving us an opportunity to engage in a conversation of our own. When you join in our conversation, you’ll notice that we are sharing ideas, concepts, principles and asking questions – designed to help each of us find the common understanding. As a result, we are building an important list of fundamentals that each of us needs to:

• Know
• Explain
• Apply

The Importance of this Effort
Once we have a decent list of fundamentals, our opportunity then becomes one of exploring how to apply them in a way that makes our jobs easier. “Knowing” the fundamentals is important, but not a terminal step. We have to be able to then explain them to others and practice (continually) how to apply them. The more we study and explore the fundamentals, without question, the stronger we become. This is a key to my quest to help our profession break the cycle of reaction.

From the thread:

The point I was making is that security is not fundamentally different than it has been for centuries. The tools may be different, but the approach is still the same. You build barriers, monitor those barriers, and attack the intruder if they get through. Castles were still open to the general public, but could be quickly shut off in times of conflict. While the castle was open, the towers were not and had differing levels of protection based on the value of an asset and its use. For example the courtyard of a castle was open for commerce, but the open area was controlled by those watching from up above on the castle wall.

This came after a discussion that lead to adding “Defense-in-Depth” to the list.

The current list of Fundamentals
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege

We’re currently exploring some tried and true principles and approaches and distilling them down to fundamentals. You are invited to participate (and benefit). Here is the discussion: http://community.securitycatalyst.com/forums/index.php/topic,523.0.html

To join the Catalyst Community – go to http://community.securitycatalyst.com/forums/index.php – and register using your full name, separated by a period. For example, my username is michael.santarcangelo.

We all look forward to learning from you!!

In my recent podcast, I focused on the value of the fundamentals. I purposefully didn’t list out what I though the fundamentals were – since I wanted to take some time to work with you to flesh out a smarter list. Eventually, this is the sort of approach that is well-suited by a wiki and an effort we can make public. But instead of thinking and dreaming big about what we can do in the future… what are the fundamentals that *you* think everyone practicing security should know and be familiar with? To me, being a professional means that you are not only able to rattle off a list of fundamentals, but that you can explain them to others and possess the ability to _apply_ them. Being able to apply the fundamentals requires us to take the time to think, plan and then practice. Practice of the fundamentals is key…If you follow sports, you can easily see every superstar spends HOURS each DAY working on the fundamentals. There is a lesson to be learned there… In order for us to better understand the fundamentals we need to consider and practice, we have to start with a simple list. Once we have a list that we agree upon, it’s short work to build it out and expand it. I’ve got a few different ideas on how we can best do this, but it all comes down to needing a list.I’ll start by adding CIA to the top of the list. For me, Confidentiality, Integrity and Availability (CIA) are without question the starting place for fundamentals. Without these, we don’t really have much else. In our Protecting Information Workshop, we actually guide people through a hands-on exercise to define and then work with these three basics. I am amazed at the number of people who hold a CISSP, CISM or similar that CANNOT define these terms, let alone apply them. I’m not suggesting anything beyond the simple observation that many of us “know” the fundamentals — in that they exist — but fail to continue to study and apply them.Test it OutTake five minutes right now.Go write down on a piece of paper how you define Confidentiality, Integrity and Availability. Could you explain that to someone else? How would you develop a set of requirements around those fundamental concepts? Go ahead, I’ll wait. Okay, so what did you come up with? Either way – by taking even 5 minutes to think about a fundamental concept, write it down and consider how to apply it – you have improved. Today has already been a great day!! Keep on your roll, and share with the entire Security Catalyst Community (free registration required using your full and proper name) what other topics you believe need to be included in the list of fundamentals. When you contribute to the thread, I’m also curious why you think it should be included.You may notice that comments are turned off for this thread.That’s because we need to track the conversation here: http://community.securitycatalyst.com/forums/index.php/topic,523.0.htmlI will work to update the listing so we have a master list at the top, too. When the list gets built out a bit (and I encourage some healthy and positive debate), we’ll explore the fundamentals in an upcoming Security Round Table podcast, in my podcast, this blog and perhaps even in the security salon!It’s time to start making a difference… and I look forward to learning from you!The Fundamentals1. Confidentiality, Integrity and Availability

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

The Meeting

It was a pretty exciting morning – I was heading to an initial face-to-face meeting with a potential customer, one of the largest mining companies in the world. My initial contact was with a gentleman who managed their server environment. At my urging he also invited their application and network team. The meeting was scheduled to discuss assessment activities – something they haven’t been doing, and didn’t have the expertise or tools to do in-house. I asked him to invite the other managers because it was important to get their buy-in, and also because our customers get the best value when we test all attackable surface areas.

What I heard during the meeting was one of the variations on a common theme – each group ‘owned security’ for their sphere of responsibility, but there were no overarching standards, and minimal to no coordination. These guys were all professionals – the problem was organizational. Their company didn’t see a need for dedicated security resources.

Well OK, almost all professionals. One of them questioned what they had that was worth someone breaking in to steal. The look from his colleagues was as if he said his company possessed nothing of value, which is more or less what he said.

I pointed out a few things – they’re a mining company, so the list of what sites they are considering buying or leasing because their geological analysis said it would be a good spot was definitely worth something to their international competitors. Also valuable are their supplier lists, customer lists, and employee information, not to mention their reputation.

If it’s Everybody’s Job, it’s Nobody’s Job

Those who know me well, know I have a tendency to devolve a conversation into pedantic comparisons to obscure philosophical and/or historical topics. Lucky for you, Dear Readers, I’m too much of a lazy typist to inflict this habit on you – for too long.

The attitude at the mining company I visited was that security was “everyone’s” job. That may be, but without guidance from an accountable party, there is no incentive for anyone to perform something that they aren’t being measured against.

I’d like to paint a comparison to the relative physical security of a shopping mall vs. a public street. Shopping malls have a financial incentive to police their premises. After all, most people wouldn’t visit a mall after being mugged at spork-point in the food court after the first time, forget about the second. As a result, mall owners will set stricter codes of acceptable behavior on their premises than you’d see on a city street. Meanwhile people will litter the ground with cigarette butts, soda cans, and chewing gum in public places with a frequency you’d never see in their own home.

This is an important side effect of the concept of private property – with ownership comes responsibility. We see the same attitude in the workplace – when security is the responsibility of ‘everyone,’ it’s really owned by no one. People are measured on the performance of their primary job responsibility – meeting development deadlines, system uptime, etc. There is no central coordination of standards, no one who ‘owns’ testing controls, no security metrics, and ultimately little to no security.

Create a Security Team for $4.95, Plus Tax

That’s about the going rate for a dozen donuts. Yes, it’s that easy.

Back to the mining company – I realized that they had a long way to go. Since they didn’t have enough management buy-in for security to form a security organization, had no budget, and no ownership of responsibility, I shared a strategy whereby they could create one using the resources they have available now – themselves.

My suggestion was to pick trusted, interested persons as Single Points of Contact (SPOC) from key parts of their organization, schedule a conference room plus a dial-in conference bridge number for those at different locations, and invite them all to an informal monthly brown-bag lunch.

Pick out a news story related to a security incident or breach at another company from the news – a good place to look is the SC Magazine Breach Blog – and email it to everyone ahead of time. The purpose of the monthly lunch is to do some tabletop war gaming. What you’ll want to discuss is, if a similar incident affected your organization, how would you respond? What controls are in place to detect it? Who would be notified? What actions would be taken?

There are three goals for your Computer Incident Response Team (CIRT) meeting:

1. Identify a Single Point of Contact (SPOC) and backup contact for each part of the organization that should be involved in an incident or breach. In addition to identifying a contact and backup from system administration and network teams, don’t forget to pick points of contact from groups like telecom, finance, human resources, public relations, physical plant security, and any other towers you think you can pull in. Make a phone list, including cell phone numbers, and distribute it to all members.

2. Build an ad-hoc team that can respond to incidents, by building rapport and familiarity. This is an important point – a phone tree does not a team make. The team will learn to work together, and learn what roles they can play in incident response.

3. When (not if) an incident affects your organization, you will have already run through similar scenarios in your tabletop wargaming exercises. You’ll have a response team consisting of members of each part of your organization that might be affected. Most importantly, you’ll have the resources to effect a coordinated response.

Don’t forget the donuts.

I’ve decided that Sarbanes-Oxley Auditors have it wrong. After 4 years, they look for the wrong things, often costing companies millions of dollars. Their focus is often on minutia leaving the lowest hanging fruit untouched.
Why did this happen? Because they haven’t learned from history and they don’t understand the root cause of it all: corrupted humans.

In February, I wrote Psychology of Fraud – Today’s Issues (http://www.securitycatalyst.com/2007/02/20/psychology-of-fraud-todays-issues/). It was an attempt to remind readers that no matter how well we lock down the technology, it only takes one human to corrupt the system. We need to understand the psychology of fraud and why humans do what they do in order to prevent it from occurring. It’s my way of educating our readers on what’s been said in the past to address today’s issues.

I’ve done some thinking on the subject since then and I’ve decided to revisit Cressey’s fraud triangle. To commit fraud or any other illegal / immoral action, a person needs three things: Access, Knowledge, and Intent. Without all three, intentional fraud will not occur. This is different than the Cressey’s triangle, which didn’t take into account today’s information technology.

Here’s my definition of each requirement:
- Access. Physical or logical ability to enter, touch, or reach a resource. In computers, this is often controlled by network rules and a user id and password.
- Knowledge. To be familiar or have experience with an object or resource. This means having the concepts and ability on what to do after you have accessed the resource.
- Intent. The purpose or an anticipated outcome that guides a person’s planned actions. Knowingly causing damage to the resource.

This example illustrates how the three requirements fit together:  I am given a login id and password to our Mainframe, therefore I have access.  Not only that, but I am given full adminstrator rights to it.  The problem is that I’m a neophyte on the Mainframe; I barely even know how to log on.  Plus, I like my organization and don’t want to cause them harm.  Therefore, I’m mission two of the three requirements for fraud: knowledge and intent.  Even though I have access, there is little risk of my causing harm.  Granted, the biggest risk in this scenario is my making a mistake, but that’s another issue.

This is where auditors and Sarbanes-Oxley have it wrong: You can’t audit against knowledge and intent.  You can only audit access rights.  So that’s what auditors do.  They make the wrong assumption equating access to equal potential fraud or abuse.  However, that’s not true.  Just because a certain user has access does not mean they know what they’re doing and that they will cause meaningful harm.

Auditors and security professionals need to understand this new fraud triangle and how it fits into the risk equation.  Using these concepts promote the proper balance of security within an organization, thereby reducing costs while improving security.

What do you think? Does this make sense? Is it something you can use?  Join us in the Security Catalyst forums to discuss this and other hot security topics.

By working together, we all become stronger.

By Adam Dodge

Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing names, address and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member and there does not appear that any unauthorized individuals had access to staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.

In an article over at The Monitor, UTPA Vice President for Business Affairs, James Langabeer stressed that the loss of this external hard drive was only an “incident” and did not constitute a “breach” by an outside individual. According to Langabeer, “It is an incident, it’s not a breech. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident”

What I find so fascinating about this statement is that the distinction between incident and breach and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking, is this distinction merely a semantic issue or are there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence then a breach. One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the very differences in these words, should they be used as interchangeably as they are in the Information Security arena?

I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between breach and incident, I do not agree with the portrayal of each being separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, and incident. This means that any breach of information systems, past security controls, is in fact an incident.

One thing that we absolutely need to make clear as security individuals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that internal employees cause a large majority of information security incidents. Yet, organizations still attempt to pass off employee misconduct as a lesser offense when in fact these are the very employees who both know where the information is and have direct access to this information.

However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent like occurrences in the future.

Unfortunately, it seems that more organizations are beginning to make this distinction in press releases surrounding security incidents.

For some, the summer signals a chance to slow down, kick back, take some vacations and prepare for a busy fall. I hope you are able to step away and get some much-needed relaxation this summer.

At the Security Catalyst community, we’re working to form a more effective governance structure, migrate to a new server, incorporate more support resources and generally improve the services we are able to provide to you – whether you are new to security, a seasoned professional, a security blogger or even a podcaster.

Since this is a community that is designed to support the way you practice the protection of information, I wanted to take a moment to recap the approach and goals of our community:

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:
(1) Create a community where it is acceptable to be vulnerable and ask for help when you need it
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome – share what you have learned without fear.
(3) Create a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

After 6 months and nearly 400 members, I can tell you without question that those who contribute and make the effort reap the biggest rewards. I know we all hit patches where work gets insane; personally, we’re in the middle of launching some exciting new offerings, and I have had to cycle back on some of my more visible blogging, podcasting and community activity. It happens to everyone – so when it happens to you, no worries. But know this: you are always welcome here.

To make things a bit easier:
(1) You can subscribe to the forums of your choice through RSS. To be fair, it’s not the best RSS implementation I have ever experienced – and it requires some massaging to get it where it works for you. We had an extensive thread on making it work for you – so check it out if you are RSS inclined.
(2) You can set notifications “by email” to be able to keep track of new posts. This is the method I use to keep abreast of new topics.

If you have a question or challenge – especially when you feel way too busy, please take 5-10 minutes to share your question, frustration or challenge with your peers. If someone has already been through this, they can offer you support, some guidance or even schedule a call to save you time! That’s right – I have plenty of stories from members who reached out to help each other… and in the process, avoided the crisis and got their work done quicker (and arguably better).

When you are busy – please make an effort to check in once a week and find one post you can respond to. I know from experience I’m asking you to spend about 30 minutes each week contributing. Since there are no fees to participate, this is the currency of our community.

Offer help when you can, ask for advice when you need it.

Not a day goes by now that I don’t learn something new from this forum. I really look forward to meeting so many of you in person. Once I complete the launch of our new offerings and release my new book, I will be embarking on our Campaign Across America. We’re working to select cities now, but when we come to/near you, please don’t be shy – I’d love to raise a glass and say hello.

So welcome to the journey and thank you for being part of the community. As we continue to learn and grow together, I am confident that we all improve how we think about and practice information security. In the end, this is what will set us apart.

PS: I’ll have a few additional announcements in the coming weeks and months – the result of many months of focused work. I’m excited, and looking forward to sharing my passions and research with you. I’ll be slowly getting back to some regular podcasting and blogging. In fact, I’ll have some additional IPAT information for you available next week…

Security has a bad name. Whenever I say I work in security, people get paranoid assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to discluse their “secrets.” It’s time to change this negative connotation for security.

For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.

1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goals setting, I use the risk equation of risk=impact X probability (see Risky Business post). This helps me determine the lowest hanging fruit that has either the highest impact or is most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.

2. Praise Good Security – Praise people immediately to their face (if possible) telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.

3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here and don’t do it right. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people who are responsible for the problem. Sometimes we misplace blame or don’t tell the real person responsible. (b) Tell them immediately, specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.

Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage your security program. Lastly, continue to use the SecurityCatalyst forums to share your ideas.

By working together, we all become stronger.

While my recent business focus has kept me consumed, I have remained committed to participation in the Security Catalyst Community. In fact, now that we have launched the IPAT (more details and special offers to follow), I expect to start to slowly regain some time in my schedule. Last week, another member of the forum posted a “call to arms” message (link below) that raised some exciting and interesting points to start a discussion about how to effectively and ‘smartly’ grow our community. I penned a brief response yesterday and have decided to move the conversation to a public area (for community members) and share my response here:

The goal of the community is to provide a dedicated and centralized resource that would meet the needs of the security community in general, and the many security bloggers and podcasters in specific. There is no monetary cost to join, but your currency is your participation inside or outside of the community. While growth is good, “smart” growth of quality conversations will enhance the value of the community.

The Value within the Forums
No bluffing when I tell you that I am amazed every time I read the value that is contained in the forums. We are at a place where you may not be able to keep up with every new post. This is good! We have a search function that works surprisingly well, and I use it all the time. The conversations continue to expand and improve. If you have questions, comments, solutions, ideas – this is the place to come and share. I find the more you engage, the deeper and more useful the connections you will develop and the more impact you will realize. This directly translates into making your job easier!

Becoming a Member
If you are not yet a member, please consider joining us today. There is no cost beyond your participation. PLEASE NOTE: we enforce our naming standard – and you will need to create an account using your real name in the format of Firstname.Lastname. We welcome you to the conversation and look forward to sharing with you and learning from you.

Recent Conversations of Interest
Here are some of the current conversations that I find interesting, exciting and waiting for you! In fact, I realized I have a few I need to go back and comment on. My pledge is to find one hour each week to engage. I learned a lot on my last spin through the forums!

Call to Arms

The ABSOLUTE First Step

how often should I get involved?

Password Policy

Non-search engine news sources

PCI DSS Compliance

How to jump start security awareness training?

Thoughts on Computer Forensics and magazines

How did you get your start? (I still owe mine. It’s in progress, I swear)

Gauging Security Awareness Effectiveness

Free, Fair Elections Worldwide — *** This is a personal favorite of mine, and I love seeing others get engaged on this one!!

Cisco ASA vs Juniper SSG 20

Fortinet and Modern Bill

Yoggie – Fact or Fiction – would you buy or recommend one?

SANS mentoring

In our (new) School Security Forums:

All-in-ones or Best of Breeds

Teachers taking laptops home for the summer

Wow, so it’s been a while since I really walked through the forums. There is a lot of information there, and a lot of opportunity for you to engage and contribute. See you there!!

According to many, user education is one of the best methods of ensuring adequate protection of your information assets.  It’s been eternally touted as one of the requirements of a viable information security program.  This article is not about that, though.  It’s about knowing your users/customers.  Yes, Mr. & Ms. Security Professional, your users are also your customers.  You are here to serve them; not vice-versa.

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) Users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the poser of social networks to reach out to <others>.”

The report’s author, John Horrigan has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end,” (31%) “medium users,” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  – 8% of Americans are deep users of the participatory Web and mobile applications;
  – Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  – 10% rely on mobile devices for voice, texting, or entertainment;
  – 10% use information gadgets, but find it a hassle;
  – 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor you security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  By having a little awareness training of your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

Information Protection Assessment Toolkit (IPAT)

I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.

Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.

Like all municipalities, Ballston holds information that should not be in the public domain. While there had not been a security problem to date, with no plan in place to protect this information, it was a possibility. They needed the IPAT program.

In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.

But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.

Harold doesn’t know that identity theft has occurred as a result of information provided by funeral homes but it is possible and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.

The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.

Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).

I just posted this to the community, but for those of you who are not yet members (and really – why aren’t you part of a growing, positively focused security community?), I need some help. If you have experience with VoIP, especially with hosted-solutions for small business, read on.
As my company grows, it’s time to get a more professional and feature-capable telephone system. As we grow, we’re going to have people located in different parts of the country, so VoIP in a “virtual office” arrangement seems to be the best fit for price/performance. Currently, we have the need for two extensions, based in the same physical location. We’d like to have an attendant that would direct calls to the right places, roll incoming calls and even forward to cell phones, if needed. As we grow, we will have multiple extensions geographically disbursed, as well as some who are mobile.

I’m looking for some feedback and experience with different providers, hardware and solutions. I toyed with asterisk, but I want to focus on my business and not building and maintaining a solution. I want something that is simple, reliable and effective. If I sound like I’m on a tin-can, or like I’m max headroom, it won’t work.

Any ideas, experience, companies to consider, etc. are greatly appreciated!

Initial Needs

• Toll Free Number
• Single number presented for outbound calls
• Single number for inbound calls, automatically routed
• DID for specific people; non-extension
• Ability to send and receive fax communications
• Ability to transfer calls to cell phones
• Virtual Extension, with DID, for “friends and family”

Growth Considerations

• ability to add new extensions, independent of where someone is located and have them included in our system
• effective central management
• call detail reporting (then again,maybe I don’t really care)

Travel Considerations

• ability to travel with telephone and hook in through different networks (yeah, I understand potential risks)
• wireless options/considerations – for example, is there a wireless handset that could be used when I’m traveling?
• ability to bring system in RV and use on network powered by EVDO-RevA (for what it’s worth, I’m considering the Sonicwall TZ190 for the RV, and if that works, for the home network)

We are also interested in understanding

• quality and service guarantees
• equipment used and supported
• number portability
• security of network (then again, I feel like I have to ask, but I don’t ask Verizon that question today)

Additional Features of Interest

• voicemail saved as audio files and submitted to email
• ability to conduct conference calls
• ability to call into the system and then make outbound calls (allowing me to hide my cell phone, or to call Canada, etc.)

Potential Providers

• http://www.packet8.net/business_services/
• http://www.aptela.com/
• http://www.zingotel.com/online/en/business/ ** I understand this is a hardware solution I probably don’t want

Who else should we be considering? Feel free to hit me with an email: securitycatalyst@gmail.com

The thread is here if you care to comment: Small Business VoIP Solutions – hosted provider experience?

Thanks in advance for your ideas, insights and experiences…

This article is based on a talk I gave at the Phoenix OWASP chapter on May 10^th.My intention is to summarize the methods used to assess the security of web applications, identify what they are good and not so good at finding, and outline their varying strengths and weaknesses. If you’ll indulge me, I’d like to spend some time building up to that with some background material.

What’s the big deal, anyway?

I am very pleased about the about the growing awareness surrounding web application security threats. Several organizations have been formed to promote the issue, such as OWASP and the Web Application Security Consortium, and for good reason: it is currently the most prolific attack vector. In fact, Gartner estimates that 75% of all attacks now come at the application layer.

The reason why is no mystery. Whereas in the 90’s, system configuration, buffer overflow, and other platform level type flaws were all the rage, these have become increasingly easy to manage. Economies of scale have given ubiquity and commodity status to packet-filtering firewalls, multi-platform patch management systems, vulnerability scanners, and intrusion prevention systems. The kinds of attacks most often prevented by these technologies are now considered ‘low hanging fruit.

At the same time, the population of attackers has vastly increased. The maxim goes that a security system is only as strong as its weakest link, so that’s what attackers look for. Attacks have moved both up and down the stack. By this I mean, up to the application and even client level, and down to the system internals and driver level. Blue Pill, a virtual machine malware platform, is one such example that takes advantage of hardware features at the bottom level, while at the top level you have the world of web application attacks, where web applications are used as proxies to attack the integrity of the application as well as its architectural dependencies, and Javascript attacks, which are used to attack the softest target of all – the end user. At the Javascript / client attack level, state of the art is represented by PDP’s AttackAPI.

Custom web application security is different than platform security, to say the least. There are no vendor advisories or patches. Attackers like web applications because they have built in, exposed mechanisms that must have connectivity to the data the attacker is after. The attacker thinks, why compromise an entire system when you can manipulate the application into coughing up what you’re looking for? Most protection is at the network, not application layer, so the chances of getting caught are much lower. Application attacks are much harder to catch and prevent at the network layer, because the network components don’t understand the application, it’s logic, or which resources should be accessed and by which user roles. Web Application Firewalls (WAF) are an incomplete solution, often being network layer devices. The WEBAPPSEC mailing list has a great thread on this topic going on, right now. (See the May/June 2007 thread called “PCI 6.6 Questions) I’m not even certain WAF should be called a “firewall,” since they’re more of an Application layer Intrusion Prevention System, only they typically operate at the network layer, having no visibility into application internals. Fortify Defender is a notable exception. I’m starting to stray – this should probably be the subject of a future blog article…

As a result, it is incumbent upon organizations to understand the attackable surface area represented by web applications, particularly those that store and process confidential personal or payment card data.

Integrating Web Application Security Testing Approaches

One of the many hats I wear at QuietMove is to create our testing methodologies such that they maximize the efficiency and effectiveness of the time scoped for a particular assessment activity. I tackle this in two ways. One is by identifying the most comprehensive automated tools. I am a big proponent of automation – computers are good at automating things in a repeatable, measurable way. The second is in accounting for the fact that there are many classes of vulnerabilities which automated tools have serious trouble finding. This is partly a function of the perspective from which the tool operates, such as Source Code Analysis vs Fault Injection (more on this later), as well as the state of the art of each of these evolving technologies. Therefore, the second way recognizes that it’s critical we understand what automated tools can and can’t find, and develop other methods for identifying the “false negatives” – vulnerabilities that exist, but were missed.

The two main approaches that exist at present for web application testing are “Fault Injection” and “Source Code Analysis.” There are also two more philosophical approaches, “white box,” and “black box.” The results gained from a test are in no small way closely related to the assessment approach taken.

I’m going to define four terms that are key to this discussion:

White Box – a “full knowledge” approach to an assessment. This includes access to things like functional specifications and other design documents, network architecture, and source code.

Black Box – a “zero knowledge” approach to an assessment. The assessor starts off with no advance knowledge of the application. This is typically performed using automated fault injection tools, a web browser, and an HTTP proxy like Paros, Burp Proxy, or one of their many equivalents.

Fault Injection – interactive testing of a website that includes spidering, querying for known vulnerable scripts or components, testing for conditions like forceful browsing, directory traversal, and using the results of spidering to identify all points of user input to test for flaws like SQL injection, XSS, CSRF, command execution, etc. Typically a combination of fuzzing and injection of strings known to cause error conditions are used.

Static Code Analysis – is also often known as “Source Code Analysis.” This is often employs a mix of techniques such as searching for strings, identifying user input vectors, tracing the flow of data through the application, and mapping execution paths. Depending on the tool, it’s employed against source code or binaries.

Awareness is growing for a different technique often referred to as “Grey Box assessment,” which integrates the approaches described above. This approach combines static and fault injection testing techniques, in order to compensate for their different detection capabilities, and also integrates elements of white and black box methodologies. In practice, my observation is that the most comprehensive results are achieved through an iterative process involving an initial “white box” fault injection assessment, followed by static code analysis. The results of the static/source code analysis assessment are then fed back into further “fault injection” testing to validate the code analysis results and better inform the tester about the application architecture and areas to examine for further vulnerabilities using hands-on techniques. In my experience, this is the most comprehensive methodology, though for obvious reasons it’s also the most time consuming.

The following matrix was developed to present a high level view of the strengths and weaknesses of each approach. Suggestions for additional strengths and weaknesses would be welcomed.

The matrix view demonstrates some of the trade-offs at play: Detection capability, expense, and time. It visualizes a common theme of public talks I give about web application security, specifically how the testing methodology chosen impacts the results that will be achieved. It brings to mind the old engineering maxim. “Good, cheap, fast: Pick any two.” It demonstrates t

This is the first of several blog posts I’ll be posting at Security Catalyst about web application security testing. The next will be about several different approaches to planning test scenarios, and the relative strengths and weaknesses of each.

Please confirm your participation by June 12th

You probably thought I decided to stay in Key West. But, in fact, over the last few weeks I have focused on bringing the Information Protect Assessment Toolkit (IPAT) from testing to reality.
It’s ready and I’m ready to help you protect your organization by taking important steps to gain control of your information and reduce the likelihood of a breach.

What is IPAT?
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It is the first step in protecting your organization from a breach. The launch program begins June 19th.

IPAT is unique in that it includes every member of your organization in the process of protecting information. Many of us already understand that we need to do this but struggle as to how. IPAT shows you how. Through the IPAT process you will more accurately identify key details about your information and clarify where it exists in your organization. It involves every person and prepares them to be more receptive to awareness training. The results are transformative. I’ll share a story with you next week.

Who is IPAT for?

IPAT can be scaled for any size organization. We initially designed IPAT for smaller organizations – the so-called “one man shops” – with lots of work, little budget and the need for a supported process that works. In development we realized that IPAT is flexible and scalable. We mentioned it to others and we are now in discussions to implement this approach in Fortune 50 organizations. We’ll be sharing more details next week. In the meantime, I’ll quickly explain a few details

The IPAT System
IPAT is a system – not a one-time event – that takes a multi-disciplinary approach to protecting information. It guides you through an assessment and planning process in five weeks and then supports your protection efforts for the entire year. It includes:

• a set-up session where we review the elements with your facilitator(s) – to make sure that IPAT is clearly matched to your needs
• a toolkit (templates, guides, presentations, audio and other support resources) designed for the dominant learning styles.
• four coaching sessions (3 seats). We encourage you to spread them out over the course of a year – but they are yours to use without restriction.
• Most importantly, the Security Salon! With the Salon, you receive monthly teleseminars, weekly “office hours” with text-based chatting, a repository of more information, resources and ways to improve how you assess and protect information.

Five weeks of Roll-out coaching
IPAT Roll-out Coaching is a series of 75 minute teleseminars delivered over five weeks to keep you on track with the IPAT program. This is normally an option with an additional cost. I’m including it for free for the June 19th program.

This is a proven program already in practice
We tested the individual pieces of the system over 18 months then rolled it all into a simple, but effective program. IPAT is now ready – and we’re rolling it out for you. Those who join us for our launch will receive the optional, Roll-out Coaching, free.

Investment
While hiring us to perform an information protection assessment can easily cost tens of thousands of dollars, we have designed IPAT so that you have the tools and guidance to do the assessment yourself with our support for $5000. This solution is affordable for organizations of all sizes.

This is a program, designed from the ground up, to get you the information you need, when you need it; it supports you when you need support; and lets you focus on the business of your organization.

The Benefits of Starting Now
The materials and process of IPAT are proven. I’m now looking for a few organizations that are ready to get serious about protecting information. I am ready to support you with the Information Protection Assessment Toolkit. As a thanks for helping me tweak the program before full implementation, I’m offering the Roll-out Coaching for free. Space is limited to the first 25 people – and we will begin on June 19th.

I’ll have more details available next week.

By Adam Dodge

I would like to issue this public statement to any company that already has or will in the future expose my personal information:

“Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!”

It is ridiculous that any organization would think that individuals would find comfort in announcing this fact. Of course there has been no evidence of ID Theft. Affected individuals had no reason to check for ID Theft before the incident. Simple, rational logic tells all of us that we will never find what we do not know to look for.

In addition, the danger of ID Theft persists for affected individuals long after the initial breach. Once records are exposed, there is no way possible to control the use of these records by the individual(s) that obtained them. Couple this with the fact that much of the personal information tied to ID Theft is information that does not change during the lifetime of an individual and the real danger of such exposures becomes evident. After all, there is very little value in telling anyone that there is no evidence of Social Security number misuse after only a short period of time when that same individual will most likely have that same SSN the rest of their life.

If companies really want to reach out to users and make amends after a breach, here are a few suggestions:

Admit responsibility for the incident and offer to pay for credit monitoring

When an information security incident occurs and customer information is exposed, the company is no longer the victim of this crime, the customers are. While this may not seem fair to the company, tough. Customers trust companies with their personal information in return for a service. When this same information is exposed to unauthorized individuals, companies invalidate this trust. Offering credit monitoring is a way for a company to help rebuild trust with customers. The good news here is that studies have shown only a small number of affected individuals ever take companies up on the offer of free credit monitoring so credit monitoring also becomes an inexpensive way to gain positive PR after a breach.

Do not use an employee as a straw man for why the breach occurred

It is somewhat disturbing when a company or organization is willing to throw an employee to the wolves as the sole individual responsible for a security breach. Not only does this show that the company places little value on its employees but also as a consumer, I simply do not buy this excuse. When a company places blame on employee “misconduct” the first thought that I have is not “Wow, what a bad employee.” Instead, my first thought is “Wow, I cannot believe that Company ABC has no internal controls that would have caught this employee misconduct before the breach.” After all, if the employee was truly acting against company policy, there is no reason to think that the company would not have caught this through internal control procedures.

Wait at least one month before telling customers there is no evidence of misuse

If companies truly wish to inform customers that there is no evidence of identity theft or misuse of customer information, wait at least one month after announcing the breach. While immediate proclamations of “No Identity Theft” send my rage-o-meter flying, I have no problem with such announcement per se. By waiting, watching and continually following-up with affected customers, a company prove that it has a commitment to its customers and, when coupled with free credit monitoring, a commitment to helping its customers deal with the effects of the breach. In other words, there is great value in following up with customers to ensure no identity information is being misused as long as companies wait for customers to check for signs of misuse first.

]]>