Where governance is concerned, virtualization brings about changes in separation of duties and policy definition.

In traditional IT environments, distinct teams with specialized skill sets manage and operate various pieces of the infrastructure. Network engineering and administration teams manage routers and switches, Windows systems admins manage Windows servers, etc. With virtualization technologies, all of these functions are collapsed into a generally cohesive management structure, such as VMware’s vCenter Server.

This leads invariably to challenges with “who manages what” – many IT shops tend to put the burden of managing VMware solutions on Windows admins, for example. These admins now manage the virtual machines, the underlying hypervisor platforms, the virtual networks, storage connections, etc. All of these can be regarded as separate disciplines, and having one team manage them all flies in the face of proper separation of duties.

Along with this problem comes the definition of policies governing the use and oversight of these technologies – who drafts the policies, and which teams are the policy owners?

The overall risk landscape changes dramatically with virtualization, too.

Many of the risks are similar to those we understand today, but are present in a somewhat different form. The lack of proper change management and configuration management programs are still viable risks that can lead to innumerable security issues, but they’re compounded by the operational nuances of virtualization technologies themselves. For example, the act of creating and provisioning systems is simplified immensely – keep a template, generate a new virtual machine from it, move the VM to a host platform, and flip the switch.

Without ensuring that a) the template configuration is patched and up to date, and b) the VM provisioning has gone through change control, the risk of having a new system online that has OS or application-specific vulnerabilities is exponentially higher. Threat vectors change, too – if the hypervisor platform is compromised by an attacker, the entire group of virtual machines hosted on that platform is immediately at risk, which tells us that new risks inherent in hypervisors hold much greater impacts than single-system risks that we’ve managed before this, potentially.

On the compliance front, there is a considerable amount of grey area around how virtualization plays a role. On the one hand, most compliance mandates (SOX, HIPAA, GLBA) are vague enough to leave the interpretation open to both auditors and auditees alike. Herein the issue lies, however – compliance mandates open to subjective interpretation are bad, since potentially unsafe practices may be considered acceptable by different auditors and organizations who don’t understand the risks, technologies, or both.

Even more prescriptive regulations like the PCI DSS don’t specifically address virtualization, which has led to a number of issues around interpretation. For example, PCI DSS section 2.2.1 mandates that all servers involved with payment card data should only have a single function, such as a dedicated Web server or database server. What about virtualization hosts like VMware ESX, though? It’s a single server, but runs VMs that perform a variety of different functions. Although a Virtualization Special Interest Group (SIG) has worked on this, there’s no clear timeframe for integrating their work into the standard. In addition, many auditors just don’t understand virtualization technology, and default to the most restrictive possible implementation methods “just to be safe” – any “knee jerk” reactions of this type are probably a bad thing, in either direction.

Virtualization can help organizations reduce operating costs, and many feel that it’s a key component to “Green IT” strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.

Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is also a SANS Analyst, instructor, course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He’s worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

What you’ll find in this episode (Chapter

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What is the most important job/function of a leader?

• Inspire the team?
• Use resources effectively?
• Make tough decisions?
• Set an example?
• Develop others?

All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.

But none of these is the most important answer.

The number one job of a leader – the reasons leaders exist – is to bring change to organizations.

“That’s silly!” – is a common reply I hear when I make the statement.

“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”

My response to that, in the words of my teenaged daughter, is  “Pssh!”.

Change:  If you aren’t doing it, you’re doing Leadership wrong.

Effective leaders are never satisfied with the status quo.

Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.

Leadership, a friend once told me, is the where the science of the possible meets the art of the dream.

Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.

Leadership is “Disruptive change?”

That’s crazy talk!

Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…

Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:

Think, Rethink, and Rethink Again

The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.

This thinking must be complete, honest, and is not done until the leader understands the environment completely.

The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.

Whatever is left — whatever survives the onslaught —  forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:

• Changing the organizational structure? Then create a org chart to talk to and demonstrate.
• Changing processes?  Then show a picture that details before and after with the benefits.
• Changing the mission? Then create a succinct mission statement and show what is being changed and why.

Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.

Talk the Team Through The Change

The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.

One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.

The effective leader is able to effectively communicate the change to the team.

Using the picture of the “how and why” to show the team how the change will impact them and how it helps getting team goals accomplished.

Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.

“That sounds an awful lot like sales! If I wanted to do sales I’d of taken that job with my cousin at the furniture store!”

Is it like sales?

Well, if “sales” means influencing people to see things from different perspectives – then yes.

But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.

by Dennis Kuntz

“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi

When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.

When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.

In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.

Based on my experience, there are three steps to take when starting from scratch:

1. Getting Together: Who’s on Your Team?

The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.

This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.

2. Assess the Situation: How Will this Work?

With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).

As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.

3. Get to know the family

Just as important though, is to figure out who the right people are in your “sister” departments, such as Human Resources, Legal, and as you might guess, IT.

Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities regarding any kind of internal employee issue and Information Security’s role in protecting internal assets. You will definitely need HR’s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.

The Legal team in an organization normally helps to protect company assets by dealing with anything from relationships with external entities (via contracts, NDA’s, etc.), alongside HR with internal employee matters, managing the company’s posture when dealing with legal issues/requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), as well as compliance matters (PCI-DSS, HIPAA, SOX, etc.).

As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance departments – can help in your efforts to build your program. And that’s whether it’s a tip-to-tail effort, or something more concentrated like penetration testing. Less likely and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.

Turning the One Man Band into a Symphony

Information Security is about managing risk.

In creating a security program, it pays to realize that even when alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.

What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…

The resulting crunch and pressure on employees combines with the global financial situation (with very deep individual impact) and unrealistic corporate expectations to form the perfect storm – for fraud.

I know the analogy for “perfect storms” has lost favor, but that does not dimish the reality that many organizations are and will continue to experience. This storm will crush organizations with the speed and randomness similar to Godzilla’s stomp through Tokyo.

The reality is clear: fraud is thriving in today’s turbulent economic climate. The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation confirms this revealing that in 2008 $994 billion was lost to fraudulent activities..

To put this in perspective:

Dear Santa,

I want eight International Space Stations and fifty – yes, fifty — Space Shuttles. I plan to launch each shuttle 275 times  (since it only costs a mere $450,000,000).

P.S. The costs for this “gift” is less than the money wasted through fraudulent activities in 2008.

Silly, right?

Sadly, this is more reality than fiction. Consider the recent headlines: Baltimore mayor convicted on fraud charge, Fla. lawyer charged with $1B investment fraud Death Sentence for ₤35m Fraud Woman.The challenge we face is that this amount of fraud is only beginning. But it’s not too late to take actions now to weather this (and future) fraud storm(s) and come out the other side intact.

Want to head off fraud and improve the bottom line?

The time to act is now.

Prevention is possible and relatively simple to implement. Over the course of the next year, I am going to share insights and simple practices for a successful, proactive and achievable approach to fraud prevention.

The Flapping Wings of Fraud

Organizations impacted by fraud experience far-reaching effects, sometimes distressing the local community and even the world economy. Edward Lorenz’s butterfly effect is extremely relevant to fraud when taken in context of Bear Stearns, Lehman Brothers or even Bernie Madoff .

What may seem like a small indiscretion — the kind that causes no harm to any person — could actually be contributing to some thing much larger.

From tiny acorns massive oak trees grow. Left unattended that acorn will grow and grow.

Just like acorns, fraud thrives until someone takes action and removes the seed.

The key is to prevent the seed from germinating. This, in essence, changes the flap of the butterfly’s wings.

Understanding Fraud Leads to Effective Prevention

Fraud is the intentional or deliberate misrepresentation or concealment of material facts to deprive another of property or money.

Three elements must be present in order for fraud to occur:

• Pressure/Motive
• Opportunity
• Rationalization

Removing just one of these factors reduces the likelihood of fraud and increases the opportunity to improve the bottom line.

Reducing Fraud: With Half the Budget and Half the Team

No not mission impossible! The following three simple steps allow any organization to build a stronger and more profitable future no matter how limited the resources.

Step 1: Elimination Pressure/Motive

Employees who are sufficiently challenged, rewarded and cared about are more likely to stay with an organization and contribute to its long-term success.

Short term gains through cutting incentives and setting unrealistic goals will not contribute to the long-term organizational success. Associate turnover increases – which actually increases expenses (hiring new people is costly and labor intensive). More, this creates feelings of hardship and negativity that ultimately encourage fraud.

The first step is to actively reduce the pressure and motives for fraud through improved and consistent communication. We will work together on this in the coming year — but start today by asking questions, listening to the answers and engaging often.

Step 2: Elimination of Rationalization

When fraud occurs the perpetrator always has an interesting explanation.

Associates who steal client information often justify their actions with the falsehood that the organization will not be hurt significantly because they only took a small amount of information. They may even convince themselves that they are entitled to that money because the organization has them doing the work of three people and not increased their salary accordingly.

They further rationalize that the victim will not suffer financial loss as someone else will cover the costs.

While this can be a bit more involved, get started by stepping back and consider the culture of the organization: is a change in order?

Step 3: Eliminate Opportunity

What do employees do and how are they doing it?

In the coming year, we will explore common practices that also help reduce fraud, like segregation of duties and job rotation. A benefit to consider of these and other actions is the ability to increase the knowledge of associates and connect them back to the consequences of their actions. (Michael’s book, Into the Breach, nails this – and is a required read for anyone who wants to really make some changes in 2010).

Fraud occurs where oversight or accountability is lacking. Fostering a culture of openness and accountability helps prevent fraud – and actually increases long-term profitability.

Challenge For the New Year

As most people disengage for a few weeks, the time is right to consider fraud prevention for next year.

Start simple: between now and the New Year, modify just one behavior within the organization.

Take the first step towards creating a positive environment, which is more resilient to fraud. ‘Tis the season for giving — no better gift (in business) than the gift of hope for a long and profitable future.

Share your ideas and suggestions for the one thing you will change in the comments.

Working together, we can all make a difference!

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self.  Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and considered what they are doing as a game.  I’m not suggesting that what we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drops dramatically.

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.

The FTC press release emphasizes that under the new rules, “both advertisers and endorsers may be liable for… failure to disclose material connections between [them].” Material connections include payments or free products, which must be disclosed in a “clear and conspicuous” manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.

Here’s the bottom line: Bloggers– Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers– Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.

But bloggers shouldn’t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a “material connection” between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (ie, payment or free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.

Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.

The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.

In addition, simply using an ad agency doesn’t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now incur liability on advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent.

Tips for Advertisers:

1. Tell Your Bloggers: Always require bloggers to include standard language such as “PAID ADVERTISEMENT,” “PAID PRODUCT REVIEW,” or similar conspicuous and unambiguous language in their posts whenever you send them free products.
2. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you “advise [paid bloggers] of their responsibilities and… monitor their online behavior.”
3. Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts.
4. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.

Tips for Advertising Agencies (especially Social Media):

1. Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability.
2. Tell Your Bloggers: See above.
3. Watch Your Bloggers: See above.

Tips for Bloggers:

1. Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like “I shamelessly took a free widget from Acme Co. in exchange for this review,” or “I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.” The good standby, “Paid Product Review,” should work fine (if you have no personality).
2. Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.
3. Don’t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won’t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion.

It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for “Paid Product Review” will develop in the Twittersphere, much like “RT” for Retweet. May I be the first to suggest, “PPR,” “Paid,” or my favorite, “:-$”

Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property

During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance

After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements

by Dennis Kuntz

The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particulate can spur a ton of research.

Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of radar, jet engines, computers, synthetic rubber – the list goes on and on. It’s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.

Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn’t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.

This brings me to a question about malware. Malware is bad – hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.

This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the “mainstream civilian” computing world? And no, I don’t mean Sony’s rootkit. I mean application of what has been learned – in obfuscation, more efficient coding techniques, remote distribution applications, etc. – in a way that is useful, but not necessarily matching its intended “wartime” purpose (you cannot make me say the “c—-war” word).

The closest thing I could find – yes, aside from Sony’s blunder – was a paper by Microsoft researchers discussing a “friendly worm” in terms of patch delivery. This is generalized by Bruce Schneier as “benevolent worms”, and which he calls a “stupid idea”.

Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you – what useful applications of what has been learned in the battle against malware are waiting to be used?

Do you know THE Goal of your organization?  Why does it exist? What’s its purpose?

Even if you work for a “security company,” its main goal is not security (or at least it shouldn’t be).  I know that this sounds like sacrilege, but its not.   The main goal of most private sector companies is to make money.  In most companies, providing security doesn’t make money.  It’s an operational expense or an investment.

I’m currently reading The Goal, A Process of Ongoing Improvement by Eliyahu M. Goldratt.  It has reminded me of the importance of knowing the goals of your company.  All activities of the company should be moving it toward its goals of being profitable.  “If the company doesn’t make money by producing and selling products (or services), or by maintenance contracts, or by selling some of its assets, or by some other means … the company is finished… an action that moves us (the company) toward making money is productive.  And an action that takes away from making money is non-productive.”

My impression is that many security professionals lose sight of their company’s goals.  It’s happened to me. I’ve gone through the motions of securing stuff without realizing how it moves the company toward making money.  In my enthusiasm for security, I’ve been guilty of non-productive activities that could harm my company.

Security professionals live in a world of paradox.  Too much protection and our people can’t be productive.  Not enough and the business takes too much risk, which can also cause non-productivity.  With the right balance, we can move the company toward profitability.  The challenge is determining that balance.

Here are three tips for maintaining a balanced security program that will meet your organization’s goals:

1. Know your organization’s goals.  You need to collaborate and ask questions to determine what makes your organization tick.  Understand how it makes money.  For public or non-profit organizations, find out the reason for its being.  If you don’t understand your organization, then how can you properly secure it?
2. Know your organization’s risk appetite.  This next step is to understand the amount of risk your organization is willing to take.  This is a business decision, not a security decision, and should be based on the organization’s goals.  If your organization is in the manufacturing sector, they very well may be willing to take many more risks.  On the other hand, financial sector businesses with an Internet presence may have a very low tolerance for risks.   The only way to determine this is to ask
3. Create a security program based on the organization’s goals and risk appetite.  Your security program should move the organization toward productivity and making money, not away from it.  The protections you recommend, implement, and maintain should always be driving the organization toward its goals.  They should also be in-line with their risk appetite.

In everything you do, ask yourself, “Is this moving us toward or away from our goals?”  If it’s away, then reconsider your actions. The security protections you have may be appropriate in your mind, but are they really right for the organization?  This can be a humbling experience, but it can also win you a lot of respect when you’re willing to compromise.

If you remember The Goal, your security program will go far.

And remember, “By working together, we all become stronger.”

It was a dark and stormy…

All right, it was a sunny morning in April when the first event to inspire this article occurred. I was walking back to my car after dropping off my daughter at school. As I walked around to the driver side I noticed a battered USB thumb drive sitting on the ground behind one of my tires

My first thought was “Oh, great. I dropped mine and it got run over.” I quickly realized that dropping it and running over it was nearly impossible and that it was not even one of the brands that I use. So I had four options:
1. Leave it were it was
2. Take it back into the school and leave it in the front office
3. Take it with me and try to determine the owner so that I could return it to them.
4. Throw it away.

The first option didn’t sit well with me; the next person to come along might do something malicious with it. The second option only works when the office is open (which it wasn’t, as my daughter was attending day camp during spring break). That left me with options 3 and 4. I decided to combine 3 and 4 into option 5:
5. Take the drive with me and throw it away later.

Fast forward in time three weeks…

I am once again in the parking lot of my daughter’s school staring at a smashed USB thumb drive of the same brand as the prior unit. Repeat thought process above. I was a bit suspicious and a bit curious. Two similar drives in the same parking lot. Was someone just very unlucky and lost two drives? Were there possibly two such unlucky individuals? Was someone trying to use the USB keys as a means to penetrate the school district system?

I decided that I would take a look at the new drive when I got home that evening, but I was going to take precautions. Plugging it into my computer could expose me to viruses, malware, and pictures of an inappropriate nature. What could I do to protect myself and my computers while looking at this drive?

1. Boot of BackTrack CD and mount the drive and look at it there
Advantage – lives in memory, low chance of infecting my hard drive
Drawback – this might not be a recommendation for others

2. Launch a VM on my computer and connect to the drive
Advantage – no need to reboot my hardware, I already have the VMs in place
Drawback – there could be malware that breaks through that VM software and infects my host system.

3. Boot a separate system that I do not mind rebuilding
Advantage – system can be rebuilt if there is malware on the drive
Drawback – not everyone has spare systems lying around to do this.

I chose to use an older Toshiba laptop to look at the drive because it runs Linux (lower chance of infection) and it has a USB 1.0 connector on it (older, slower, and not likely to run U3). Fortunately (or unfortunately) this drive was too damaged to operate, so it followed its predecessor into the electronic recycling bin.

Then I got to thinking. What if that drive was mine? Do I keep any data on a USB drive that, if I lost, could be used to steal my identity or perform credit card fraud? Would I want someone else going through it to find out if it was mine?

So what can you do to protect yourself losing your thumb drive and your data?

Keep physical control of your thumb drive, by keeping it on a key chain,  on a lanyard around your neck, or at home. Protect the data on the drive, via encryption (there is a mobile version of TrueCrypt that works on USB drives). Alternately, don’t put anything on your drive you wouldn’t share with your neighbor, such as tax data, your social security number, your date of birth, or your mother’s maiden name. Don’t share your drive with anyone else, and don’t carry your data with you. You can leave it at home and email any information you need to yourself using your company’s mail system (not from your home account, but through webmail) if that is allowed by your company. Make sure you find out what your employer’s policy is for USB drives before you bring them in.

This “case “ was fairly interesting for me, and I hope you found it interesting, dear reader. The next time you come across a thumb drive laying around, think of this story and my thoughts. Now go out there and be safe.

As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those “different” places at the same time every day. It’s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?

Me vs. Random

I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter’s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.

A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn’t get me with her banana.  I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level.  I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy has not worked, so I began to reformulate a plan to ensure I didn’t continue showing up with stains on my clothes.

A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can’t jab me with it, and if she throws it I’ll notice. I went through the routine thinking I won this round – even though my daughter has already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that’s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can’t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year old just beat me three games to none.

Ordered Randomness

As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for suprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increases. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.

“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.”  Computerworld

What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.

One of the causes is the introduction and promotion of “pet risks” by decision makers.  A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers.  It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources.  It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a ’96 Ford Contour.   The cost of mitigation is out of balance with either the asset value or the real risk.

It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.

The decision maker has the position and influence to make it happen.  He or she is able to get the funding and personnel to address their pet risks.  They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation.  Whether those risks are critical for the organization is debatable.

An example is data leakage protection (DLP).  The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost.  Management may be convinced that they need to stop this at all costs.  They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage.   While it may be an issue, data leakage may not be the organization’s biggest problem.  It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.

How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.

Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:
Conduct a risk assessment;
Collaborate on the results with all stakeholders;
Be open and honest on the best ways to protect the business.

In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs.  They should address the potential impact and probability of data leakage.  Is it an irritant or could it be a major issue?  How likely is it that critical data can and will leak out of the organization?  They need to collaborate with others on their risk assessment to see how it affects the business.

Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.

By working together, we all become stronger.

by Ron Woerner

What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.

One of the causes is the introduction and promotion of “pet risks” by decision makers.  A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers.  It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources.  It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a ’96 Ford Contour.   The cost of mitigation is out of balance with either the asset value or the real risk.

It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.

The decision maker has the position and influence to make it happen.  He or she is able to get the funding and personnel to address their pet risks.  They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation.  Whether those risks are critical for the organization is debatable.

An example is data leakage protection (DLP).  The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost.  Management may be convinced that they need to stop this at all costs.  They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage.   While it may be an issue, data leakage may not be the organization’s biggest problem.  It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.

How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.

Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:
Conduct a risk assessment;
Collaborate on the results with all stakeholders;
Be open and honest on the best ways to protect the business.

In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs.  They should address the potential impact and probability of data leakage.  Is it an irritant or could it be a major issue?  How likely is it that critical data can and will leak out of the organization?  They need to collaborate with others on their risk assessment to see how it affects the business.

Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.

By working together, we all become stronger.

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages and explains his personal experience in how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.

By Trish Smith

The recent activity in the economy has brought to the public’s attention some controversial issues regarding how organizations change (or in this case, how they don’t). The 700 billion dollar bailout (just for a start) of the financial and automotive industries has focused the spotlight on a very specific issue in the arena of organizational change management: externally directed change vs. internally directed change.

Every day, in industries around the world – financial, manufacturing, health, education, IT – change efforts are initiated. One of the most critical factors determining the success or failure of these efforts is whether the change was initiated from outside the organization (government agencies and legislative bodies) or from within (Boards of Directors, departments within an organization, or individuals). Unfortunately, significant change is often initiated from without, despite the fact that experience shows us that change from within is more effective, longer lasting, and more efficiently implemented.

Why drive change from within?

Why are internally driven change efforts more successful than externally driven change efforts? There are several reasons for this. The most important is the fact that nearly every organization, even one in need of major change, has the resources, knowledge, creativity, and drive needed to successfully implement a change effort. Failing to tap into those resources is not only wasteful, but communicates to the members of the organization that their abilities and knowledge are not valued.

Additionally, when change is driven from within by those at the upper levels of the organization, employees feel a connection with the change effort at every level of the organization. Their perception that there is buy-in on the initiative by those at the highest levels will lead to them committing to it more fully. Conversely, if employees feel that the “head honchos” are not fully committed to the effort, they will not fully commit to it themselves, and the initiative will fail.

Finally, for change to be truly persistent, it must be rooted within the culture of the organization. Organizational culture determines how people within the organization do everything from handling customer complaints to celebrating birthdays. The reality is that whether the culture is positive or negative, healthy or unhealthy, it will drive the manner and methods of everything that is done within the organization. Any change that is not connected to the organization’s values, beliefs, and behaviors will not succeed. A significant change initiative must, therefore, be solidly connected and in sync with the culture for it to succeed.

Three reason to initiate change internally?

1. To profit from employees’ skills, creativity, and resources.

2. To ensure a sense of buy-in at every level of the organization, which leads to employee commitment to the change.

3. To connect change on the deepest level with the culture of the organization, helping to ensure the success of the effort.

Successful change must be directed from within. Other factors also impact the effectiveness of a change effort, but without an internally-driven endeavor, such efforts cannot succeed, and valuable time and resources will be wasted. Perhaps this is a lesson that Citibank and GM could bear to learn.