If you were asked to throw a few million dollars out the window, would you do it?

If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.

What about companies that, effectively, waste millions of dollars trying to implement identity management?

The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.

If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over:  How do we justify the cost?  Why do so many companies stop at “single sign-on”?  Why do implementations take so long?  Why do implementations get halted mid-effort?  What’s the true benefit of identity management?  What’s the ROI?  You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.

But what does it all mean?

Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?

No, we’re not.

IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated postive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever-more mature. But, IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:

Identity Management in 13 Easy Steps

Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?

An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.

There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.

Are you ready for this journey?  If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.

For now, here’s the intended schedule:

December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.

January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.

February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.

March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.

April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.

May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).

June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.

July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).

August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.

September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.

October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.

November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.

December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self.  Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and considered what they are doing as a game.  I’m not suggesting that what we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drops dramatically.

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property

During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance

After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements

by Jeff Kirsch

Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.

He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.

I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I kne

w that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.

For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the ga

me. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.

In losing, you win

We hear all the time that most successful people failed, sometimes more than once, before

being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.

In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.

A plan is good, but plan flexibly

My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.

Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.

In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a away to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.

I’m ready to get this out there – and to share what I have learned and help more companies. So… I have decided to pack up the RV (it’s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more the tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help
If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?

Do you want a preview of the book?
I’m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview – let me know and we can catch up. I’ll bring what I’m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal… whatever. In fact… if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I’ve been testing the book for the last year, and I know this works. I’m happy to share.

When you will get the book
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it’s off to the printer!

If you can’t wait (for business or personal reasons)
I will be making a sample chapter available in the next few weeks. It’s seriously top priority for me. At that time, I’ll be able to accept pre-orders and take requests for autographed copies, too.

At the same time — you can book me right now for a dynamic keynote to prepare your organization now. In fact, we’re lining some up for December so that people can get this information before the new year! I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can.

I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you’re serious about changing the way people protect information, I’d like to have a conversation with you about how my program can help.

“You must be the change you wish to see in the world.”
-Mahatma Gandhi

In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.

Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:

• Information Protection Toolkit
• ‘Speaking About Security’ training sessions for security professionals
• Catalyst Sessions for one-on-one and team support
• Presentations designed to engage, empower and enable your teams
• Catalyst Club – unique coaching, job-aids and the ability to practice and improve

The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll noticea slight change to it’s location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.

We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services. We are excited to finally share these fruits of our labor.

Watch for ‘Change is Good: Part III’ next week.

Change your thoughts and you change your world.
— Norman Vincent Peale

It has been a year of change at The Security Catalyst.

First we changed our thinking about what our contribution to information protection should be. Then we changed our offerings. We invested in a solid foundation, built the infrastructure for delivery and now we’re rolling out the results. Over the next two months you will notice:

• new products and toolkits
• more online services
• adaptable, cost-saving bundles of our offerings
• a new website
• enriched blogging with more analysis, research, perspectives and updates on my training for the Iron Man (specifically as it relates to information protection).
• the work of new team members
Quite simply, our focus and research put us at the intersection where information becomes understanding and enables us to change the way people protect information.

Watch for ‘Change is Good: Part II’ next week.

Tomorrow, I’m moderating the September Security Round Table with a panel of experts, including: Martin McKeay, Rebecca Herold, Andrew Hay, Dr. Anton Chuvakin, Dan York

High Level Approach
Our focus is on exploring and addressing the questions of privacy. As we’re working on our outline, we’re preparing to address questions such as:

• Definition of privacy
• How have the attitudes of government and the populace changed privacy in the last decade?
• Does the average end user understand privacy?
• Online databases
• What can we do today and can we recover the privacy we’ve lost (or never had)?

Your Chance to be Involved
What questions do you have? What do you want us to try to answer tomorrow? Send me your ideas, questions and suggestions to: securitycatalyst@gmail.com
PS: Sorry for the late notice. We’ll have more lead time for October (awareness) and the upcoming programs.

This message is to update you on:

• Information Protection Assessment Toolkit (IPAT) – special offer deadline imminent
• September Events

Build Budgets, Awareness, Strategy… with IPAT
Special offer deadline

My plan for a guided, supported and realistic toolkit to help those responsible for security build a plan, budget and awareness program became real this summer. The Information Protection Assessment Toolkit (IPAT) and the IPAT preview program launched in July.

The special offer of a ½ day of my time to launch the program in your organization will soon end. As you can see from my schedule below, my hours are limited. Contact us to book your IPAT program before September 13th.

September events:.

The Protecting Information Workshop
Sponsored by: Albany, NY Tech Valley ISSA Chapter
Thursday, September 20th, 9am-3pm EST
MetLife facility, Rensselaer Technology Park, North Greenbush.
Thanks to their sponsorship, the fee is only $25 for non-members
Certificate: 5 Continuing Professional Education (CPE) credits
Registration: http://www.techvalleynyissa.org/

Security Solutions Virtual Tradeshow
Sponsored by: Ziff-Davis
Wednesday, September 26th, 11am -6pm EST
Registration: http://go.ziffdavisvts.com/securitysolutions

Into the Breach – Keynote Speaker
Sponsored by: CSO Breakfast club
Friday, September 28
Pittsburgh
Registration: http://www.csobreakfastclub.com/

Cutting Edge Conference
Sponsored by: Symantec Corporation (Internal event, closed to public)
October 2 & 3, 2007
Orlando, Florida.
Registration: closed

Enjoy a secure September.

Michael

Sorry for the inconvenience….

In the meantime, I posted the August Security Round Table this morning… and we’re already planning the next three shows! In August, we discuss the keys to your success in finding a new job, managing your career and well, the secret code word of the day. No not really – but you should listen to make sure.

Check it out here: http://www.securityroundtable.com/

Subscribe in iTunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477

Have a great weekend!!

My quest for the fundamentals began initially considering the superstars of sports, and watching, then studying their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues – and I love listening to the stories of how this applies to sports, to thing like teaching children match and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

The current list
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege
4. Simplicity

(and we’re currently discussing a few others)

It’s important to note that the discussion of fundamentals quickly veers into discussions of “how-to” – which is the next step. Many of us are entrenched in the day-to-day operations, and discussing the how-to is ABSOLUTELY NECESSARY for us to distill down to the fundamentals. I know the progress may seem slow, but it’s clear to me that we’re making progress, and this is only the beginning.

The Value of Fundamentals – through Triathlon
I am registered for Ironman 2008 in Lake Placid, NY (July 20, 2008). While the goal is a long way off, it also requires me to start training now, after several years of being away…

When I was younger, I was a competitive swimmer, swim instructor, cyclist and active triathlete – and was fortunate to have good coaching that drilled the fundamentals into me, whether I knew it or not. Looking back, I didn’t know it then, but I certainly appreciate having those fundamentals drilled into me. A few weeks into my training, I am finding that my “muscle memory” is surprising… and that allows me to both focus on building up my endurance base, but also to focus more deeply on the fundamentals so that I am even more efficient and effective. At the same time, I struggle with “what I used to be able to do” as I focus my time and energy on relearning and mastering the fundamentals. I firmly believe that a simple training plan based on proper application of the fundamentals will help me reach my goal.

As such, my approach to spend 8-10 weeks EXCLUSIVELY focused on fundamentals of swimming, cycling, running, nutrition and rest. The idea is to slowly introduce the right patterns and behavior that will guide the extended training and distance I will need to travel in the coming months (and years, since one certainly won’t be enough). I also am doing this while finishing my book, planning a campaign across america and launching some new assessment and awareness solutions — you guessed it — based on understanding and applying fundamentals.

I’m actually able to train in about 8-10 hours a week right now, which hasn’t impacted my business or my time with my children. In fact, I’m finding that I actually have MORE time and am more PRODUCTIVE in the time I do have. Weird, right?

So how does this relate to security and our quest for fundamentals? Well, I think studying other fields for their fundamentals is a brilliant and important approach. Not much new has been created, but there is plenty to learn from, adapt and expand on. I’m finding that by following the fundamentals in my tri training, I am able to be more effective with less risk. AH-HA!

If we want to be more effective with less risk, then we also have to make the time to learn, study and learn to apply the fundamentals. And we have to do this all the time. Even as my training progresses, I am seeking the advice and counsel of coaches, clinics and incorporating basic drills to help my body continually understand and apply the fundamentals. In the beginning, it sometimes feels slow – and that can be frustrating. As time goes on, we realize we can go further, faster – whether in physical pursuits, or in our careers.

The practice of security is no exception to this rule. I will continue to explore the parallels and will be writing about them, sharing them here and looking forward to learning from each of the contributors here … soon, we’ll have a compelling and impressive list. Don’t worry about the struggle… this isn’t designed to be a quick exercise. It’s going to take some time, but that will be an amazing pay-off.

I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.

While I suppose this isn’t exactly the type of event you want to incorporate on the front page of your website, the only public response I could find was in the computerworld article. From what I read in the Computerworld article – FaceTime acted quickly and even notified people impacted. Yet, I was bothered by this response:

However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.

It’s a fair and valid statement to make. I supposed I would advise a client to make a similar statement, save one exception: I’d leave out the aspect of tying personal information to a limited set of data. I’m troubled by the concept that if it wasn’t a social security number, credit card number or something of the same that no personal information was disclosed. Information of any kind has value – and while this was probably a mistake, I would expect a security company to have taken a different attitude.

In February, I wrote Psychology of Fraud – Today’s Issues (http://www.securitycatalyst.com/2007/02/20/psychology-of-fraud-todays-issues/). It was an attempt to remind readers that no matter how well we lock down the technology, it only takes one human to corrupt the system. We need to understand the psychology of fraud and why humans do what they do in order to prevent it from occurring. It’s my way of educating our readers on what’s been said in the past to address today’s issues.

I’ve done some thinking on the subject since then and I’ve decided to revisit Cressey’s fraud triangle. To commit fraud or any other illegal / immoral action, a person needs three things: Access, Knowledge, and Intent. Without all three, intentional fraud will not occur. This is different than the Cressey’s triangle, which didn’t take into account today’s information technology.

Here’s my definition of each requirement:
- Access. Physical or logical ability to enter, touch, or reach a resource. In computers, this is often controlled by network rules and a user id and password.
- Knowledge. To be familiar or have experience with an object or resource. This means having the concepts and ability on what to do after you have accessed the resource.
- Intent. The purpose or an anticipated outcome that guides a person’s planned actions. Knowingly causing damage to the resource.

This example illustrates how the three requirements fit together:  I am given a login id and password to our Mainframe, therefore I have access.  Not only that, but I am given full adminstrator rights to it.  The problem is that I’m a neophyte on the Mainframe; I barely even know how to log on.  Plus, I like my organization and don’t want to cause them harm.  Therefore, I’m mission two of the three requirements for fraud: knowledge and intent.  Even though I have access, there is little risk of my causing harm.  Granted, the biggest risk in this scenario is my making a mistake, but that’s another issue.

This is where auditors and Sarbanes-Oxley have it wrong: You can’t audit against knowledge and intent.  You can only audit access rights.  So that’s what auditors do.  They make the wrong assumption equating access to equal potential fraud or abuse.  However, that’s not true.  Just because a certain user has access does not mean they know what they’re doing and that they will cause meaningful harm.

Auditors and security professionals need to understand this new fraud triangle and how it fits into the risk equation.  Using these concepts promote the proper balance of security within an organization, thereby reducing costs while improving security.

What do you think? Does this make sense? Is it something you can use?  Join us in the Security Catalyst forums to discuss this and other hot security topics.

By working together, we all become stronger.

Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing names, address and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member and there does not appear that any unauthorized individuals had access to staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.

In an article over at The Monitor, UTPA Vice President for Business Affairs, James Langabeer stressed that the loss of this external hard drive was only an “incident” and did not constitute a “breach” by an outside individual. According to Langabeer, “It is an incident, it’s not a breech. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident”

What I find so fascinating about this statement is that the distinction between incident and breach and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking, is this distinction merely a semantic issue or are there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence then a breach. One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the very differences in these words, should they be used as interchangeably as they are in the Information Security arena?

I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between breach and incident, I do not agree with the portrayal of each being separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, and incident. This means that any breach of information systems, past security controls, is in fact an incident.

One thing that we absolutely need to make clear as security individuals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that internal employees cause a large majority of information security incidents. Yet, organizations still attempt to pass off employee misconduct as a lesser offense when in fact these are the very employees who both know where the information is and have direct access to this information.

However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent like occurrences in the future.

Unfortunately, it seems that more organizations are beginning to make this distinction in press releases surrounding security incidents.

At the Security Catalyst community, we’re working to form a more effective governance structure, migrate to a new server, incorporate more support resources and generally improve the services we are able to provide to you – whether you are new to security, a seasoned professional, a security blogger or even a podcaster.

Since this is a community that is designed to support the way you practice the protection of information, I wanted to take a moment to recap the approach and goals of our community:

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:
(1) Create a community where it is acceptable to be vulnerable and ask for help when you need it
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome – share what you have learned without fear.
(3) Create a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

After 6 months and nearly 400 members, I can tell you without question that those who contribute and make the effort reap the biggest rewards. I know we all hit patches where work gets insane; personally, we’re in the middle of launching some exciting new offerings, and I have had to cycle back on some of my more visible blogging, podcasting and community activity. It happens to everyone – so when it happens to you, no worries. But know this: you are always welcome here.

To make things a bit easier:
(1) You can subscribe to the forums of your choice through RSS. To be fair, it’s not the best RSS implementation I have ever experienced – and it requires some massaging to get it where it works for you. We had an extensive thread on making it work for you – so check it out if you are RSS inclined.
(2) You can set notifications “by email” to be able to keep track of new posts. This is the method I use to keep abreast of new topics.

If you have a question or challenge – especially when you feel way too busy, please take 5-10 minutes to share your question, frustration or challenge with your peers. If someone has already been through this, they can offer you support, some guidance or even schedule a call to save you time! That’s right – I have plenty of stories from members who reached out to help each other… and in the process, avoided the crisis and got their work done quicker (and arguably better).

When you are busy – please make an effort to check in once a week and find one post you can respond to. I know from experience I’m asking you to spend about 30 minutes each week contributing. Since there are no fees to participate, this is the currency of our community.

Offer help when you can, ask for advice when you need it.

Not a day goes by now that I don’t learn something new from this forum. I really look forward to meeting so many of you in person. Once I complete the launch of our new offerings and release my new book, I will be embarking on our Campaign Across America. We’re working to select cities now, but when we come to/near you, please don’t be shy – I’d love to raise a glass and say hello.

So welcome to the journey and thank you for being part of the community. As we continue to learn and grow together, I am confident that we all improve how we think about and practice information security. In the end, this is what will set us apart.

PS: I’ll have a few additional announcements in the coming weeks and months – the result of many months of focused work. I’m excited, and looking forward to sharing my passions and research with you. I’ll be slowly getting back to some regular podcasting and blogging. In fact, I’ll have some additional IPAT information for you available next week…

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) Users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the poser of social networks to reach out to <others>.”

The report’s author, John Horrigan has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end,” (31%) “medium users,” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  – 8% of Americans are deep users of the participatory Web and mobile applications;
  – Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  – 10% rely on mobile devices for voice, texting, or entertainment;
  – 10% use information gadgets, but find it a hassle;
  – 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor you security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  By having a little awareness training of your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.

Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.

Like all municipalities, Ballston holds information that should not be in the public domain. While there had not been a security problem to date, with no plan in place to protect this information, it was a possibility. They needed the IPAT program.

In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.

But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.

Harold doesn’t know that identity theft has occurred as a result of information provided by funeral homes but it is possible and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.

The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.

Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).

I would like to issue this public statement to any company that already has or will in the future expose my personal information:

“Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!”

It is ridiculous that any organization would think that individuals would find comfort in announcing this fact. Of course there has been no evidence of ID Theft. Affected individuals had no reason to check for ID Theft before the incident. Simple, rational logic tells all of us that we will never find what we do not know to look for.

In addition, the danger of ID Theft persists for affected individuals long after the initial breach. Once records are exposed, there is no way possible to control the use of these records by the individual(s) that obtained them. Couple this with the fact that much of the personal information tied to ID Theft is information that does not change during the lifetime of an individual and the real danger of such exposures becomes evident. After all, there is very little value in telling anyone that there is no evidence of Social Security number misuse after only a short period of time when that same individual will most likely have that same SSN the rest of their life.

If companies really want to reach out to users and make amends after a breach, here are a few suggestions:

Admit responsibility for the incident and offer to pay for credit monitoring