Into the Breach – Audio Series – Chapter 8 (Measuring Success)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 8)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared, and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background in social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!

Go deeper Into the Breach with Michael Santarcangelo with EMC

Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register, listen to the previously recorded sessions and get access to the latest session.


Leading from the Front: Bringing Planned Disruption To The Organization

By Martin Fisher

What is the most important job/function of a leader?

  • Inspire the team?
  • Use resources effectively?
  • Make tough decisions?
  • Set an example?
  • Develop others?

All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.

But none of these is the most important answer.

The number one job of a leader, the reason leaders exist, is to bring change to organizations.

“That’s silly!” – is a common reply I hear when I make the statement.

“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”

My response to that, in the words of my teenaged daughter, is “Pssh!”

Change:  If you aren’t doing it, you’re doing Leadership wrong.

Effective leaders are never satisfied with the status quo.

Of course, leaders will continue to celebrate good performances, boast of the capabilities of their team, and value the circumstances they find themselves in. But more than that, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.

Leadership, a friend once told me, is where the science of the possible meets the art of the dream.

Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.

Leadership is “disruptive change”?

That’s crazy talk!

Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…

Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:

Think, Rethink, and Rethink Again

The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.

This thinking must be thorough and honest, and it is not done until the leader understands the environment completely.

The leader then needs to find a small group of other trusted leaders to whom the idea can be tossed, with the intent that they shoot it so full of holes that almost nothing remains.

Whatever is left, whatever survives the onslaught, forms the base of the next round of thinking. Once the thinking is done, the conclusions have to be put into simple and actionable statements:

  • Changing the organizational structure? Then create an org chart to talk through and demonstrate.
  • Changing processes? Then show a picture that details before and after, with the benefits.
  • Changing the mission? Then create a succinct mission statement and show what is being changed and why.

Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.

Talk the Team Through The Change

The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.

One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.

An effective leader communicates the change to the team clearly.

Use the picture of the “how and why” to show the team how the change will affect them and how it helps get team goals accomplished.

Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.

“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”

Is it like sales?

Well, if “sales” means influencing people to see things from different perspectives – then yes.

But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.


On tap at The Security Catalyst for February

Greetings from Myrtle Beach!

Extra! Extra!

February at the Security Catalyst Online

We did it.

The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.

More important, we are liberated. I feel grounded, connected and free.

The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.

In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).

On tap for February

Our contributors have some great insights to share, including:

  • The key to effective communication and overall success when working with others, from Trish
  • Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted, can enable organizations to “jump the curve” and function well above where they were previously
  • Why we need more attention focused on the consequences of actions, with a challenge to help prevent and reduce fraud, from Sharon
  • Using compliance to your advantage without doing damage, from Dennis: within the context of a compliance effort, decision makers may be more willing to spend money on information security, and they may also be more open to education and awareness efforts
  • Aaron shares how to avoid a legal “500 error” with privacy policies

And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.

Guest Voices

Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.

We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).

Engagement is the key to success

I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!

Connecting and engaging in person is a rich experience, indeed.

To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.

Are you along the way?

If so, I’d love to explore how we work together.


Strike Up the Band: Building Security from Scratch

by Dennis Kuntz

“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi

When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.

When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.

In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.

Based on my experience, there are three steps to take when starting from scratch:

1. Getting Together: Who’s on Your Team?

The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.

This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.

2. Assess the Situation: How Will this Work?

With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).

As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.

3. Get to know the family

Just as important is figuring out who the right people are in your “sister” departments, such as Human Resources, Legal, and, as you might guess, IT.

Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities regarding any kind of internal employee issue and Information Security’s role in protecting internal assets. You will definitely need HR’s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.

The Legal team in an organization normally helps to protect company assets in several ways: managing relationships with external entities (via contracts, NDAs, etc.), working alongside HR on internal employee matters, managing the company’s posture on legal issues and requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), and handling compliance matters (PCI DSS, HIPAA, SOX, etc.).

As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance departments – can help in your efforts to build your program. And that’s whether it’s a tip-to-tail effort, or something more concentrated like penetration testing. Less likely and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.

Turning the One Man Band into a Symphony

Information Security is about managing risk.

In creating a security program, it pays to realize that even when alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.

What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…


Prevent Fraud And Increase The Bottom Line with These Three Steps

Across the globe organizations are forced to preserve limited resources, work with tighter budgets and somehow produce profits that are about as realistic as Freddy Krueger presenting the Mickey Mouse Club.

The resulting crunch and pressure on employees combines with the global financial situation (with very deep individual impact) and unrealistic corporate expectations to form the perfect storm for fraud.

I know the “perfect storm” analogy has lost favor, but that does not diminish the reality that many organizations are experiencing and will continue to experience. This storm will crush organizations with speed and randomness similar to Godzilla’s stomp through Tokyo.

The reality is clear: fraud is thriving in today’s turbulent economic climate. The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation confirms this, estimating that $994 billion was lost to fraudulent activities in 2008.

To put this in perspective:

Dear Santa,

I want eight International Space Stations and fifty – yes, fifty — Space Shuttles. I plan to launch each shuttle 275 times  (since it only costs a mere $450,000,000).

P.S. The cost of this “gift” is less than the money wasted through fraudulent activities in 2008.

Silly, right?

Sadly, this is more reality than fiction. Consider the recent headlines: “Baltimore mayor convicted on fraud charge,” “Fla. lawyer charged with $1B investment fraud,” “Death Sentence for £35m Fraud Woman.” The challenge we face is that this amount of fraud is only the beginning. But it’s not too late to take action now to weather this (and future) fraud storm(s) and come out the other side intact.

Want to head off fraud and improve the bottom line?

The time to act is now.

Prevention is possible and relatively simple to implement. Over the course of the next year, I am going to share insights and simple practices for a successful, proactive and achievable approach to fraud prevention.

The Flapping Wings of Fraud

Organizations impacted by fraud experience far-reaching effects, sometimes distressing the local community and even the world economy. Edward Lorenz’s butterfly effect is extremely relevant to fraud when taken in the context of Bear Stearns, Lehman Brothers or even Bernie Madoff.

What may seem like a small indiscretion, the kind that causes no harm to any person, could actually be contributing to something much larger.

From tiny acorns massive oak trees grow. Left unattended that acorn will grow and grow.

Just like acorns, fraud thrives until someone takes action and removes the seed.

The key is to prevent the seed from germinating. This, in essence, changes the flap of the butterfly’s wings.

Understanding Fraud Leads to Effective Prevention

Fraud is the intentional or deliberate misrepresentation or concealment of material facts to deprive another of property or money.

Three elements must be present in order for fraud to occur:

  • Pressure/Motive
  • Opportunity
  • Rationalization

Removing just one of these factors reduces the likelihood of fraud and increases the opportunity to improve the bottom line.

Reducing Fraud: With Half the Budget and Half the Team

No, this is not Mission Impossible! The following three simple steps allow any organization to build a stronger and more profitable future no matter how limited the resources.

Step 1: Eliminate Pressure/Motive

Employees who are sufficiently challenged, rewarded and cared about are more likely to stay with an organization and contribute to its long-term success.

Short term gains through cutting incentives and setting unrealistic goals will not contribute to the long-term organizational success. Associate turnover increases – which actually increases expenses (hiring new people is costly and labor intensive). More, this creates feelings of hardship and negativity that ultimately encourage fraud.

The first step is to actively reduce the pressure and motives for fraud through improved and consistent communication. We will work together on this in the coming year — but start today by asking questions, listening to the answers and engaging often.

Step 2: Eliminate Rationalization

When fraud occurs the perpetrator always has an interesting explanation.

Associates who steal client information often justify their actions with the falsehood that the organization will not be hurt significantly because they only took a small amount of information. They may even convince themselves that they are entitled to it because the organization has them doing the work of three people and has not increased their salary accordingly.

They further rationalize that the victim will not suffer financial loss as someone else will cover the costs.

While this can be a bit more involved, get started by stepping back and considering the culture of the organization: is a change in order?

Step 3: Eliminate Opportunity

What do employees do and how are they doing it?

In the coming year, we will explore common practices that also help reduce fraud, like segregation of duties and job rotation. A benefit to consider of these and other actions is the ability to increase the knowledge of associates and connect them back to the consequences of their actions. (Michael’s book, Into the Breach, nails this – and is a required read for anyone who wants to really make some changes in 2010).

Fraud occurs where oversight or accountability is lacking. Fostering a culture of openness and accountability helps prevent fraud – and actually increases long-term profitability.

Challenge For the New Year

As most people disengage for a few weeks, the time is right to consider fraud prevention for next year.

Start simple: between now and the New Year, modify just one behavior within the organization.

Take the first step towards creating a positive environment, which is more resilient to fraud. ‘Tis the season for giving — no better gift (in business) than the gift of hope for a long and profitable future.

Share your ideas and suggestions for the one thing you will change in the comments.

Working together, we can all make a difference!


Continue Playing

by Jeff Kirsch

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: trap your opponent’s king so that it cannot escape capture, a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is in “checkmate”, meaning his king is under attack and no legal move can get it out of attack. An interesting element is the custom of notifying an opponent when his king is under direct attack by declaring “check.” This is a great game, rich with strategy and nuance.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self.  Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the king. Those who seek to attack the protected information are opponents, and many of them consider what they are doing a game. I’m not suggesting that we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drop dramatically.


Firefox Patch Tuesday

by Carl Anctil

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computing model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact is that our browsers are acting more and more like operating systems.

If we look back and remember how computing has evolved over the years, we will notice a pattern. Many years ago, computing emerged from thin clients (terminals attached to a central host), then it advanced to thick clients, and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block the two Microsoft components, the result was effectively the same as patching a vulnerability through automatic updates. The two actions are similar because the results are the same: both prevent, fix, or block a vulnerability from being exploited. The block imposed by Mozilla took effect in every copy of Firefox that pulled down the updated blocklist, automatically and without user interaction.

What’s even more disturbing about this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow to the security of our networks. It gives our adversaries a transporter to infiltrate our networks. Once inside our browsers, the enemy fundamentally becomes a virtual insider on our networks. It turns our users into its accomplices, using tactics that are very effective and easy to deploy: social engineering, spear phishing, spam and emails with various types of specially crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: the user. Attacks such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).


FTC Says Bloggers Must Disclose Freebies

by Aaron Titus

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.


Securing the Toughest Times

by Ron Woerner

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.
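As an added illustration (not from the original article), here is a small Python check for the kind of single point of failure described above: given /etc/group-format membership data and the names on the layoff list, it reports which privileged groups would be left with nobody, or with a single person, after the separations. The group file lines and the set of groups treated as privileged are constructed for the example; a real review should also fold in sudoers entries, directory-service groups and application-level admin roles.

```python
"""Added example: spot privileged groups the layoff would leave uncovered."""

# Constructed /etc/group-format sample (name:password:gid:member,member,...).
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:jdoe,msmith
sudo:x:27:jdoe
adm:x:4:jdoe,msmith,rlee
dba:x:501:psharma
users:x:100:jdoe,msmith,rlee,psharma
"""

# Groups whose membership confers elevated access. Assumed for this example;
# derive the real list from sudoers, directory-service groups and app admin roles.
PRIVILEGED_GROUPS = {"wheel", "sudo", "adm", "dba"}


def parse_group_file(text):
    """Return {group_name: set_of_members} from /etc/group-format text."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than misreport coverage
        name, _password, _gid, members = fields
        groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def assess_privileged_groups(groups, departing, privileged=PRIVILEGED_GROUPS):
    """Return {group: (status, remaining_members)} for each privileged group
    that loses at least one member.

    status is "no_coverage" when nobody is left, "single_point" when exactly
    one person remains, and "ok" otherwise.  Groups untouched by the layoff
    are omitted so the report lists only what management has to act on.
    """
    departing = set(departing)
    findings = {}
    for name in sorted(privileged):
        members = groups.get(name, set())
        if not members & departing:
            continue
        remaining = members - departing
        if not remaining:
            status = "no_coverage"
        elif len(remaining) == 1:
            status = "single_point"
        else:
            status = "ok"
        findings[name] = (status, sorted(remaining))
    return findings


if __name__ == "__main__":
    report = assess_privileged_groups(parse_group_file(SAMPLE_GROUP_FILE),
                                      ["jdoe", "psharma"])
    for group, (status, left) in report.items():
        print(f"{group:8} {status:13} remaining={left or '-'}")
```

Anything reported as no_coverage needs a handover (or a new member) before the announcement; single_point means one remaining person is now the only one who can reach that system, which is exactly the unexpected denial of service the article warns about.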

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include data leakage prevention (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.
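The monitoring described above is usually done with a commercial DLP product, but the core triage logic is simple enough to show. The following Python is an added example, not part of the original article: it runs over constructed mail-gateway log lines in a key=value layout assumed for the example, treats mail to any domain outside the company’s own as external, and flags messages that look like self-forwarding to a personal address, carry a large attachment, or carry an attachment whose name suggests customer or payroll data. Hits from people on the watch list are marked high severity; everything else is still reported, since rumors reach people who are not on the list.

```python
"""Added example: triage outbound mail for data leakage around a layoff."""
import re

# Constructed mail-gateway log in a key=value layout assumed for this example;
# map your own gateway's fields onto these names.
SAMPLE_MAIL_LOG = """\
2009-02-03T09:12:41 from=jdoe@example.com to=vendor@partner.org attach=none size=0
2009-02-03T14:02:11 from=jdoe@example.com to=jdoe.home@gmail.com attach=customer_list.xlsx size=4823011
2009-02-03T15:20:05 from=msmith@example.com to=rlee@example.com attach=q4_plan.pptx size=9120044
2009-02-03T17:45:30 from=rlee@example.com to=archive@dropbox.example.net attach=payroll_2008.csv size=120334
2009-02-04T08:01:09 from=psharma@example.com to=friend@hotmail.com attach=holiday.jpg size=250000
"""

COMPANY_DOMAINS = {"example.com"}  # assumed: mail to these domains is internal
SENSITIVE_NAME = re.compile(r"customer|client|payroll|employee|salary", re.I)


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict; size becomes an int."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for tok in pairs:
        key, _, value = tok.partition("=")
        rec[key] = value
    rec["size"] = int(rec.get("size", "0"))
    return rec


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def domain(addr):
    return addr.split("@", 1)[1].lower() if "@" in addr else ""


def looks_like_self_forward(sender, recipient):
    """True when the sender's login appears inside the recipient's mailbox name,
    e.g. jdoe@example.com -> jdoe.home@gmail.com (dots/underscores ignored)."""
    name = local_part(sender)
    target = re.sub(r"[._-]", "", local_part(recipient))
    return len(name) >= 3 and name in target


def flag_outbound(log_text, watch_list, company_domains=COMPANY_DOMAINS,
                  size_threshold=1_000_000):
    """Return findings for external mail matching at least one leakage heuristic."""
    watch = {u.lower() for u in watch_list}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sender, rcpt = rec["from"], rec["to"]
        if domain(rcpt) in company_domains:
            continue  # internal mail: out of scope for this check
        attach = rec.get("attach", "none")
        reasons = []
        if looks_like_self_forward(sender, rcpt):
            reasons.append("self_forward")
        if attach != "none" and rec["size"] >= size_threshold:
            reasons.append("large_attachment")
        if attach != "none" and SENSITIVE_NAME.search(attach):
            reasons.append("sensitive_filename")
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "user": local_part(sender),
                "to": rcpt,
                "reasons": reasons,
                "severity": "high" if local_part(sender) in watch else "medium",
            })
    return findings


if __name__ == "__main__":
    for hit in flag_outbound(SAMPLE_MAIL_LOG, ["jdoe", "msmith"]):
        print(hit["ts"], hit["severity"].upper(), hit["user"], "->", hit["to"],
              ",".join(hit["reasons"]))
```

The same three heuristics apply to web uploads and USB copies if you feed in those logs instead; the point is to start the review when the rumors start, not when the list is announced.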

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled, both in case you need them in the future (e.g., rehires) and so that the files and audit records tied to them remain attributable.  It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, user names, tokens, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other service account password, make sure the password is changed ASAP.  The same goes for shared SSH keys and any other secret the departing employee may know, and remember that rotating a service account password means updating every scheduled job or application configured with the old one, so have that list ready before the announcement.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  A side benefit is the storage space that gets freed.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.
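A concrete starting point for the scheduled-job review is to parse the system crontab and flag every entry that runs as a separated user, references that user's home directory, or executes a script the user owned. The block below is an added example, not code from the article: the crontab content and the file-ownership map are constructed samples (on a real system the owners would come from `stat` or `ls -l`), and it covers the Unix cron format only; Windows scheduled tasks, database jobs and network-device schedulers from the checklist need their own review.

```python
"""Review of scheduled jobs after a separation.

Added example, not from the article. Parses system-crontab style lines
("min hour dom mon dow user command") and flags entries that run as a
separated user, reference that user's home directory, or execute a script
the user owned. All inputs below are constructed samples.
"""
import re
import shlex

SEPARATED_USERS = {"jdoe", "asmith"}

# Constructed sample of /etc/crontab-style content
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  2    * * *   backup  /usr/local/bin/nightly_backup.sh
30 3    * * 1   jdoe    /home/jdoe/bin/cleanup.sh
0  4    1 * *   root    /usr/local/sbin/rotate_keys.sh
15 5    * * *   root    /bin/sh /home/asmith/scripts/sync.sh
*/5 *   * * *   root    python /opt/tools/check.py
"""

# Constructed ownership map (would come from stat/ls -l on a real system)
FILE_OWNERS = {
    "/usr/local/bin/nightly_backup.sh": "root",
    "/home/jdoe/bin/cleanup.sh": "jdoe",
    "/usr/local/sbin/rotate_keys.sh": "asmith",
    "/home/asmith/scripts/sync.sh": "asmith",
    "/opt/tools/check.py": "root",
}

# Five schedule fields, the run-as user, then the command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_crontab(text):
    """Return one dict per job with its line number, run-as user and command."""
    jobs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = CRON_LINE.match(stripped)
        if not match:
            continue  # not a job line (environment settings, malformed entries)
        jobs.append({"line": lineno, "user": match.group(6), "command": match.group(7)})
    return jobs


def referenced_paths(command):
    """Absolute paths appearing in the command (tokens starting with '/')."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def review_jobs(text, separated, owners):
    """List (line number, reasons) for every job tied to a separated user."""
    findings = []
    for job in parse_crontab(text):
        reasons = []
        if job["user"] in separated:
            reasons.append("runs as separated user %s" % job["user"])
        for path in referenced_paths(job["command"]):
            for user in separated:
                if path.startswith("/home/%s/" % user):
                    reasons.append("references %s home directory" % user)
            owner = owners.get(path)
            if owner in separated:
                reasons.append("%s owned by separated user %s" % (path, owner))
        if reasons:
            findings.append((job["line"], sorted(set(reasons))))
    return findings


if __name__ == "__main__":
    for line, reasons in review_jobs(SAMPLE_CRONTAB, SEPARATED_USERS, FILE_OWNERS):
        print("line %d: %s" % (line, "; ".join(reasons)))
```

The ownership check is what catches the case the text warns about: a job that runs as root but executes a script written by the departed administrator (line 5 in the sample). Per-user crontabs and `at` queues should be walked the same way, and every flagged script read by a remaining administrator before the job is left in place.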

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
  - Planning / Establish processes
      - Disabling access
      - Communications
  - Establish trusted contacts
      - HR
      - Legal
      - Security
      - Management
  - Identify single points of (security) failure
      - Employees who pose a danger (to themselves or others)
      - Administrators
      - Associates with access to sensitive or confidential data
  - Identify risks
      - Intellectual property
      - Confidential data
      - Property

During
  - Disable regular individual access
      - Logical
      - Physical
      - Phone
      - Email
  - Remove access to shared accounts
      - Administrator accounts
      - Service accounts
      - Other shared passwords
  - Asset retrieval
      - Computers (laptops)
      - USB drives
      - Two-factor authentication tokens
      - Cell phones / PDAs / pagers
      - Paper documents
  - Enhance monitoring
      - IDS/IPS
      - Logs
      - Physical surveillance

After
  - Continued vigilance
  - Review of assets “left behind”
      - Online documents, files, and shared storage
      - Email
      - Papers
  - Check for backdoors, Trojan horses, logic bombs
      - Unix
      - Windows
      - Databases
      - Network devices
  - Lessons learned
      - What went right?
      - What could be done better?
      - Process improvements


“Civilian” Use of Malware Technology?

by Dennis Kuntz

The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particular can spur a ton of research.

Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of radar, jet engines, computers, synthetic rubber – the list goes on and on. It’s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.

Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn’t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.

This brings me to a question about malware. Malware is bad – hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.

This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the “mainstream civilian” computing world? And no, I don’t mean Sony’s rootkit. I mean application of what has been learned – in obfuscation, more efficient coding techniques, remote distribution applications, etc. – in a way that is useful, but not necessarily matching its intended “wartime” purpose (you cannot make me say the “c—-war” word).

The closest thing I could find – yes, aside from Sony’s blunder – was a paper by Microsoft researchers discussing a “friendly worm” in terms of patch delivery. This is generalized by Bruce Schneier as “benevolent worms”, which he calls a “stupid idea”.

Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you – what useful applications of what has been learned in the battle against malware are waiting to be used?
