Category: Uncategorized

OUT: FUD FUD stands for fear, uncertainty and doubt, and it’s long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road. In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team’s credibility. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.

FUD also wastes money by not spending it well.

Here, the CISO is putting the responsibility on the CEO. “I’m not sure why IT tends to disregard these tools,” says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization’s security IQ. Part of the battle is fought in the field-pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams, tries to involve as many different functions in his security process as possible. Those forms of communication don’t fly in the boardroom.

As the old saying goes: It’s not just what you say, but how you say it.

As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.”

The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences.

When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate. Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. “It’s not being manipulative, it’s just that you catch more flies with honey.”

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group… Security functions have a history of fragmented organization. “Each of these departments’ main mission is ‘to protect company assets;’ however, each usually reports through a different hierarchy,” one privacy and IT security manager puts it. Historically, the greatest chasm – not just organizationally, but culturally as well – laid between information security folks and their corporate security counterparts. Each side has a list of perjorative ways to describe the other’s profession and professionals (propellerheads vs. knuckledraggers, etcetera). Disjointed management and lack of communication leads to a weaker security posture and wasted money due to duplicated efforts.

“The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management,” says Lance Wright, principal at the Boyden Global Executive Search company. Business continuity Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”

Hiring and firing When an employee comes on board, she may need a number of assets and rights before she becomes productive… a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

Regulatory compliance Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces.

http://www.csoonline.com/fundamentals/abc_leadership.html?source=nlt_csocareer

Since the author’s cover story on PCI compliance ran last month, he has heard from a couple CISOs who maintain that PCI compliance was a cinch–because they already followed ISO 17799 or 2700. “This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort.”

You should be concerned about the maturity of a security practice at companies who take 2+ years to receive PCI certification. I don’t want my credit card in the hands of those companies….

Then, this morning, the author had a talk with Patrick A. Côté, information security officer of Houghton Mifflin, the venerable textbook publisher. He said, in not quite so many words, the same thing–that their PCI compliance was fairly painless because they already had the underlying processes in place.

http://blogs.csoonline.com/iso_2700_securitys_sleeper

At Citizens & Northern Bank, a $1.2 billion community bank headquartered in Pennsylvania, log management is a requirement for complying with information security regulations such as Gramm-Leach-Bliley and Sarbanes-Oxley. The auditors who review the bank’s systems interpret those laws to mean that it should be actively monitoring those logs. “As administrators responsible for various network devices and operating systems, we need to know what typical behavior is,” says Pete Boergermann, head of MIS at Citizens & Northern.

The FFIEC has stated that “log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information.

While collecting and storing logs is important, it’s only a means to an end — knowing what is going on and responding to it. Network intrusion detection systems often produce false alarms of various kinds (“false positives”, etc.) leading to decreased reliability of their output and inability to act on it. Comprehensive correlation of network intrusion logs with other records such as firewalls logs, server audit trails allows companies to gain new detection capabilities from such correlation (such as real-time blocking and attack mitigation).

It’s also critical that logs be converted into a universal format which allows financial institutions to compare and correlate different log data sources.

http://www.bankinfosecurity.com/articles.php?art_id=242

Internal auditors at the Massachusetts Department of Revenue (MDOR) — which administers the tax and child support laws of the Commonwealth of Massachusetts — use a combination of automated and manual data surveillance techniques to proactively monitor, evaluate and test individual accesses of confidential financial information stored in databases. MDOR’s data surveillance function, referred to as “Transaction Tracking,” is a continuous process performed by the Office of Internal Audit’s Information Security Unit (INFOSEC), which is part of MDOR’s Inspectional Services Division.

Instead, the surveillance process must be structured, ongoing and proactive — similar to an audit program of continuous transaction testing and sampling. To be effective, surveillance programs must encompass policy and awareness; monitoring, detection and investigation; and a structured disciplinary process.

Set Clear Policies Before implementing a data surveillance program, it is critical that organizations establish a clear data access policy and notify all employees that violations will result in disciplinary action. Although most organizations currently have policies prohibiting the nonbusiness use of workplace technologies and systems, a separate policy is needed to address access of confidential information for personal reasons. The policy must set forth the prohibitions against accessing data for nonbusiness reasons, provide specific examples of accesses that are prohibited, and emphasize that violations will result in discipline, including termination and potential criminal prosecution.

During the orientation process at MDOR, each new employee is required to review the department’s confidentiality policy, sign an acknowledgment that they understand it, and view a “Protecting Privacy” video detailing the consequences of data access violations. Further, employees are reminded when they log into the network that their activities are being monitored and must be directly related to their official responsibilities.

A Blended Approach
In data surveillance programs, the monitoring process must be continuous and not used solely to respond to, or investigate, specific allegations of employee “browsing” of the database. All employees with access to confidential information must be subject to this monitoring, and the process must be structured and applied consistently. Although the process of monitoring database activity may appear to be highly technical, MDOR has implemented a blended approach that combines information technology (IT) strategies, audit sampling methods and traditional investigative techniques. If the employee is unable, or refuses, to provide a response for accessing a certain account, auditors refer the case to MDOR’s Office of Internal Affairs for further investigation.

http://www.technewsworld.com/rsstory/57211.html

With the announcement of a new release of the ITUP tool, IBM provides clients enhanced and expanded practical guidance in how to implement process integration, activity flows, clarified operational roles, and management tool strategies required for effective service management.

ITUP supports ITIL, COBIT, ISO IEC 20000, eTOM and includes detailed documentation of IBM’s Process Reference Model for the Business of IT.

“With complex compliance regulations looming, many organizations are seeking to implement a more consistent IT governance and risk management process,” said Susan Blocher, Director, Governance and Risk Management, IBM.

http://www.darkreading.com/document.asp?doc_id=121692&WT.svl=wire_2

OnStar is one of the various services that provides motorist assistance, including Global Positioning Satellite location data. If you report the car stolen, they can remotely turn the GPS on, track the car, and even turn the telephone inside the car on and listen into the thieves’ conversations. All of this occurs on the network the real owners own and it reveals information about your vehicle.

When it comes to network based investigations however, we cannot easily track where the computer went. Once we have the IP address, we would look up the network that was assigned that block of IP addresses. It might be an Internet café in Riga, Latvia, or a giant Internet Service Provider in Dulles, Virginia.

What we really want is subscriber identification information. That is, what subscriber was assigned that particular IP address at that particular instant. Now of course, a lot of this information may be spoofed, and it is usually less than trivial to piggyback on a legitimate network (such as, a hacker using an open or insufficiently secured WiFi network.) Nonetheless, tracking down physical location data or subscriber data from a raw IP addresses is the ultimate goal of the investigator.

This is where technology and the law intersect – and not in a good way for either of them. While you can do a traceroute or a WHOIS search in a couple of seconds, in order to get subscriber data from an ISP requires some form of legal process (usually). ISP privacy policies legitimately protect this data, but they generally contain a provision (and one would be implied by law even if it wasn’t in the policy) that the information may be disclosed if there is a “valid legal order.”

In extreme situations (imminent threat to health and safety) the promise of a later subpoena may be sufficient. In the United States, for example, they can also use various legal processes – a grand jury subpoena, a formal investigative demand, an administrative subpoena, a discovery order, a search warrant, a Title III wiretap order, an order issued by the Foreign Intelligence Surveillance Court. Or, as recently revealed in The New York Times, various agencies including the Department of Defense and the Central Intelligence Agency (and of course the FBI) can issue what is called a National Security Letter (NSL) on their own authority to get this information.

A subpoena generally requires very little level of proof that the information demanded is relevant to whatever you are looking for, or may lead to the discovery of relevant information. Most people think that subpoenas are issued by a court or a judge — that you apply for a subpoena to a court, show them that the information is relevant, and then get an order. You see, to issue a subpoena there has to be an investigation authorized by a grand jury: a group of citizens authorized by the court to investigate crimes.

To have a lawsuit pending, we have to have a “case or controversy” involving some violation or law or tort, which is capable of being heard in the court in which we have filed suit, which also has jurisdiction over the matter and the people involved. The legal discovery process, particularly for civil discovery, is slow, unwieldy and ungainly. Just some “John Doe” who did the bad act.

Oh yeah – getting wiretap or other orders for discovery related to national security, foreign intelligence and foreign terrorism under the Foreign Intelligence Surveillance Act (FISA.) The Bush administration has long argued that they were lawfully entitled to bypass the super-secret court set up under this law and demand records under what they later dubbed the “Terrorist Surveillance Network” because the FISA law was slow and cumbersome.

Imagine a standing court discovery order from an appropriate court that says the following: if a computer protected by this service is reported stolen, and it finds itself on a strange network, and “pings” home with its IP address, then and only then the owner or the provider of the LoJack services is entitled to an order of discovery from the ISP from which the IP address is associated, permitting discovery of the customer data associated with that IP address. The information may ONLY be used for the purposes of either filing a lawsuit against the perpetrator, or to turn over to law enforcement, or other reasonable purposes. The court might also appoint a “Special Master” responsible for overseeing the discovery process.

http://www.securityfocus.com/columnists/438?ref=rss