Security's Everyman

Security's Everyman

Friday, May 30, 2008

Are they never going to learn?

Another day and another company loses unencrypted personal information on their customers. When are companies going to learn? When are they going to finally get serious about protecting their customers information?

ComputerWorld reports that the Bank of New York Mellon Corp lost back up tapes with PII on 4.5 million customers. The PII includes names, social security numbers, birth dates and other information on their customers. All the good things that a hacker needs to steal an identity or commit financial crimes in the name of innocent people.

Things such as encryption of backup tapes should not be an issue in today's world. Especially when you are dealing with peoples personal information. There is no excuse for this continuing to happen time and again. What is it going to take for companies to take this kind of thing seriously? Obviously the pain that they experience isn't enough to make them take note. The "myth" that a breach cost companies close to $200 per record can't be true or companies would stand up and do something proactive to prevent this. 4.5 million time $200 is  900 million dollars. If this is really what it would cost the bank do you think that they would still be shipping unencrypted tapes? No they wouldn't.

They made a decision to not adequately secure their customers information based on a risk assessment that they had done (formally or informally). They decided that the cost of the technology wasn't worth it to them because they knew that if something happened it wouldn't cost them enough to hurt. In my opinion this is irresponsible and negligent. If I were the law I'd even say criminally negligent. They aren't too concerned about the fact that their carelessness may cost a family lots of money, time and pain in trying to put the pieces of their stolen lives back together. And this bit about giving them a free year of credit monitoring is STUPID!

What makes this even worse is the fact that they waited 3 months to notify the customers. What good is a years worth of credit monitoring if your name and information has been used in the last 3 months to buy who knows what. By this time it could be too late! This is by far the most negligent part of this whole fiasco. UNBELIEVABLE!

I don't care how you've always done it

Martin Mckeay makes a great point on a PCI mail list. A question was asked about the need to keep full credit card numbers for the purpose of refunds. The questionnaires account group says that they must have the full number. The questionnaire has heard differently and wants clarification. What Martin said is that it's up to the acquiring bank to make the determination as to what is required for a refund. Now the company can make a business risk decision to still maintain the full credit card number for it's own reasons but they don't make the rules as to what is required for the bank to issue a refund.

What Martin said next is the really good part.

The accountants can say whatever they want about the process, but I'm willing to hazard a guess that they haven't talked to your acquiring bank about refunds in a long time, if ever.

This probably holds true for a lot on network and security groups. How long has it been since they've taken a long, hard look at what they are doing, how they are doing it and why they are doing it? Are they continuing to throw good money at a technology that no longer meets their needs? Are they using the technology in the way that best fits for them?

We need to step back from time to time and evaluate what we are doing to determine if it still makes sense. We need to stay up to date with not only new technologies but also with what the bad guys are doing. This way we can better assess if what we are doing is going to continue to be effective for us. It may be time to remove or replace a layer of security with something else that will work better for us. It may be time to change how we do something that will give us better information on what is going on on our network. It may be that we discover that a particular event is happening that is exposing our network to dangers that we were unaware of.

We also need to be constantly evaluating how we monitor things. Logs are great (OK, they suck, but they do provide useful information) but if we aren't collecting the right logs or correlating them with other logs, or looking at them (shame on you) then they don't do us any good. But what about other ways to see what is going on. Internal network scans and vulnerability assessments are a great way to learn more about your environment.

It used to be that we configured our firewalls to only allow specific traffic in and anything out. We've since learned that doing that isn't the best thing. It's the easiest because the users can do what they need but it also allows the bad guys to do what they need. Reconfiguring your firewall to only allow specific traffic out can stop lots of potential issues. You have to be VERY careful with this one because no matter how careful you are you will break something so be prepared to react quickly when that user yells with a legitimate issue.

I think I'm starting to sound like a broken record but I just see this too often. We have to be willing to change to keep our information protected. We can't rely on the fact that we've never had a breach (or just don't know about it), we can't rely on the fact that what we're doing has worked for us so far. We have to think ahead and think proactively.

Monday, May 26, 2008

Until They All Come Home

I just wanted to take a minute and say THANKS to all those who have served or are serving in the US Military. Today is Memorial Day here in the US. A time when we stop to remember those who died while serving our Country. It's also a day when we should be reminded of the sacrifice that is made every day by those who server in the military and their families.

It's a job that often goes without the thanks that is deserved. The work is often hard and dirty and the pay is no where near what is should be. Often they put their lives on the line to ensure that they are ready at a moments notice to answer the call. If they are in a combat zone then they are constantly on alert while in miserable conditions. Family members spend their days wondering if they will see them again. Yet life has to go on. Children are born while dad is away. Birthdays are missed, holidays are celebrated without them. Husbands, wifes, kids, parents all go through the day with a heavy heart waiting on the return of their loved ones.

I know because I have a close relative who is in a combat zone. He's there because he believes in freedom for all no matter the cost. He doesn't like being there but he is and he's doing what he has to do. Growing up I often thought that he was selfish but all of that is erased now. He proved his unselfishness by making the decision to put his life on the line for the freedom of those he doesn't even know.

I've always gotten a little choked up when I hear a patriotic song or think about the sacrifice that is made by those in the military but this year it's a little different. This time it's close to home and personal.

So to all of you who have served, who are serving or who have a family member serving I say THANKS!!! Thanks for the sacrifice that you are making. If you see a member of the military don't just walk by them stop and say Thanks. If you know someone who has a family member who is serving in the military let them know that you appreciate their special sacrifice. You'd be surprised at how appreciative they are at knowing that we notice what they are doing. Even if you don't support the war, SUPPORT OUR TROOPS AND THEIR FAMILIES!

Friday, May 23, 2008

It's Twitteriffic!

I'm on Twitter. I don't use it much. It's mostly a novelty. I use it to converse a little and to see what others are talking about that may be of interest. Sometimes I find good things to talk about in regards to Information Security. This is the main reason that I joined Twitter. A few of my friends from the Security Catalyst Community had accounts and so I thought I'd see what all the buzz was about. Soon after that Jennifer Leggio (MediaPhyter) created a "Twit List" of Security Professionals. It's lovingly called "Security Twits".

I've noticed that the level of participation varies from person to person. Some twit almost constantly. Some twit rarely. Some twit from work, home, school, conferences, birthing rooms, cars, airports, just about any where you can imagine. Some use the web interface while others use IM clients, Twitter clients, or their mobile phone/PDA. The twittering varies also in content. It might be a "I'm currently doing <fill in the blank>. Sometimes it's asking questions, posting links, making comments. Talking about sports, work, anything and everything.

What I've noticed though is that some people tell a little too much information. They seem to forget a couple of things.

  1. There could be lots and lots of people following them who do nothing but "lurk". They don't twit back. They just sit and listen. Who are they? What are the listening for? I know that I've had people "follow" me who are following thousands of people. There is NO way that they can be keeping up with all the conversations. So what are they doing? Are they harvesting all you say for some other reason? Research, information gathering about your company, looking for a way to discredit you, blackmail?
  2. Some people who are at work twit a lot about what they are doing and it's not work. Sure it may be a slow day and maybe the company doesn't mind you doing non-work related things from time to time, but then again, maybe they do.
  3. It's still the Internet which means that once you put it out there it's out there to stay. Remember there is NO privacy on the Internet.

So, my fellow "Tweeples" (as Kevin Riggins likes to say) be careful out there.

You can use any vendor you want as long as it's Cisco

Henry Ford's famous quote "The customer can have any color he wants so long as it's black." is echoed by many a network and security manager across the world. "Sure, get me a quote from Vendor X, Vendor Y and Cisco. Then they choose Cisco. Don't get me wrong. I like Cisco but they aren't the best for everything.

This article from Leadership Wired "The Challenge of Change" by John Maxwell. http://www.injoy.com/newsletters/leadership/content/issues/11_8/default.htm#1  spurred my thought process. How many times have you seen a similar situation played out in IT and Security?

In Ford's mind, producing multiple colors was foolhardy since black paint dried the fastest and could be used most efficiently. Amazingly, Ford did not comprehend the human preference for variety. Customers flocked en masse to other producers who catered to their color preferences, and Ford Motor Company never regained its grip on the market.

For so long, Henry Ford had focused on moving from inefficiency to efficiency that he refused to move in the opposite direction - from efficiency to inefficiency - even when doing so would have been wise and profitable. Ford's genius in sparking change had catapulted him to the pinnacle of American commerce, but later, his inability to change cost him dearly.

Often we get so caught up in the mind set that because it's Cisco (I don't mean to pick on them but they are the one that I've experienced this with the most) then it's the answer.

So how do we stay out of this trap and ensure that we are making the best choices for our business. First, we have to (this is getting redundant) know our environment, know our business, know our risk acceptance level, know our technical knowledge level, know what we are trying to protect and from who, know our budgetary limits. Once we have answered those questions then we can start to look at solutions. Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it cost, it's the "industry standard", or how easy it is to deploy and maintain then you are not solving a problem, you're just wasting money.

It's our job and responsibility to make decisions based on what is best for the company. It's kind of like raising kids. Just because it's on the Disney Channel or Cartoon Network doesn't mean that it's what our kids need to watch. What is appropriate for a 12 year old isn't appropriate for a 5 year old and just because it's animated doesn't mean that it's good for any child to watch. The same goes for what we choose to secure our networks. Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.

So if you've fallen into this trap step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default" then that's great. However, if you discover that there are other vendors who can meet you needs better then you have a feather to put in your hat.

Did I do that?

That's the question that often needs to be asked.

I'm not responsible for physical security at my company. It is spread out over various departments depending on what it is that you are securing. One of those areas is building access. We have gates that you must go through to enter our headquarters building, a security guard at the front desk and a key card is required for entry.

When I started this position a year and 2 days ago I was issued a card with an expiration date of one year even though my contract was just 6 months. The 6 months came and went and shortly there after I became a permanent contract employee. At that time I was to be issued a new ID card given an employee number and sent on my merry way.

I did get a employee number but nothing was ever said about getting my new ID (with the employee number) and having my key card access updated. I mentioned this to my boss a few days ago and she said to wait and see what happens when it expires. We've heard "rumors" of some cards continuing to work well after the expiration date. So yesterday at 10:37 am my ID and Key Card expired. I went to leave the building and it wouldn't let me out. Good. This also meant that I should not be able to get back in this morning without being cleared by security.


This is where the problem comes in. Security is rotated regularly but it is always one of about 5 or 6 people. So after a while they recognize you. When I got here this morning my card didn't work (yeah!) so security just pushed a button and let me in. WHAT? He didn't ask to see my ID. He didn't check the terminal screen to see WHY my card wasn't working. He didn't call up to see if I was still employed here. He just let me in. Not good.

This is a perfect example of how a good system and process can be foiled by people not following procedures. All the technology in the world is useless if people mess it up.

Thursday, May 22, 2008

My standards aren't your standards

Something that I hear all the time that gets my goat is "What is the industry standard for that?". What I want to say is "What does it matter?". Very few of the companies in my industry have a network or environment anywhere close to what we have. Most of them run much smaller companies, networks and less complex environments. So what is standard for them is not standard for us. I understand what the intent of the question is but intent doesn't help us in this. What will help us is for us to quit trying to look like any other company out there and do what is best for us.

If we choose to go with a completely different architecture, technology or philosophy than anyone else that is fine as long as it is what works for us and what makes the most sense for our business model and processes. Industry standards, best practices and such are a great place to start but don't use them as the apex of your program. Just as PCI is a good baseline for securing your network that doesn't mean that it will ensure a secure network. You have to know your environment and what will work for you. That is YOUR industry standard. Your company and your environment are your industry. Not what another insurance office, manufacturing plant or real estate office is doing. It's not what SANS, NIST or any other organization says. It's what secures your company according to your level of risk acceptance, network environment, and company culture.

I Like You. I Just Don't Trust You

Here's a real world example of how trust can be misused from the most unlikely sources.

I received a phone call yesterday from a close friend who was VERY upset with her mother. It seems that she had trusted her mother with her MySpace username and Password for some reason. The mother was on it a few days back and was looking at some other profiles. There was one in particular of a girl who the mother isn't overly fond of and she left her a message under my friends name. Needless to say the message wasn't something that my friend would have said. Her mom did qualify by saying "(not friends name)" at the end but that hardly makes it any better.

You expect this from a kid but not from an adult.

Tuesday, May 20, 2008

GRC is NOT dead and it also NOT a Tool.

There is a debate going on involving the validity of GRC and whether it's living, dead or was every around. You can find some of the discussions here, here, here, here and here. I'm here to tell you that GRC isn't dead. It's alive and well and living in a business near you. At the same time it also was never a viable option for a business to buy. If we look at GRC as a tool then we are missing the point of GRC.

One of the biggest problems in Information Security is that we try to throw a tool at everything. Being technology geek's we seems to think that the answer to everything is technology oriented. There is no technology that can do any of these things for you. Technology can assist you in maintaining a secure and compliant environment but they can't do it for you.

Let's look at each of the three pieces of GRC individually and talk about how we can make them work within the business. This is not intended to be an exhaustive look at GRC or any one part of it. It's a common sense look at how each piece can work for you.

Governance basically means that IT is not driving the business but is working in conjunction with the business to meet the needs. How does process help out here? It starts with an understanding throughout the business that IT has to be involved in the process of finding a solution to a problem or need. That means that IT doesn't tell the business what the solution will be but it also means that the business doesn't drop something in IT's lap and then say "Make it work and keep it running". The process involves an understanding between all parties that they have to work together to reach a solution that meets the needs of the business while fitting into the infrastructure and design of the IT program. That is the easy part. The hard part is convincing the business that this is the best way to work. I can't help you with that much. That's a fight you have to fight on your own. I've got my own battles to win. :)

Risk is looking at your environment, the threats to it and how likely you are to have some of the threats realized. This involves knowing what you have, where it's at, what's wrong with it (vulnerabilities), who has access to it, who may be able to gain access to it, do they want it and what you can do to keep your risk at bay. Now there are all kinds of technologies that will help you with this but the key to it is having the right policies in place and the ability to enforce them. Knowing your environment is vital to maintaining a successful risk program. I can't tell you the number of companies that I've worked at, seen or talked to that don't have a clue as to what they really have nor where it's at. I'm not only referring to data but even technology and systems. Servers that were deployed without being added to the server management matrix, new switches that were put in but never noted. Changes to the flow of information that doesn't get documented. Get the point? You can't manage your risk if you don't know what the risks are. The technology required to manage this is expensive to buy and can be complex to maintain so that puts it out of range for lots of companies. So having policy and process in place is necessary to try and keep control over this.

Compliance is meeting the requirements set forth by various rules, regulations and laws. People will try to sell you all sorts of tools and technologies to make you compliant. The problem there is that none of them will make you compliant. I won't spend much time on this because it's been blogged to death. The key to compliance is just good security. When you have a good security program in place then you will only have to make minor changes to ensure that you are compliant with most of the regulations that affect you. There are few regulations that get so involved that they will require you to make major changes to a good security program.

So GRC isn't dead we just have to look at it from the right perspective. If we focus on it being a technology solution then if it's not dead we need to kill it. If we look at it from a policy, process and common sense perspective then it is alive and well and will thrive for years to come.

Wednesday, May 14, 2008

Life through the eyes of a security geek

I had dinner tonight with a vendor. They wanted to meet to talk about some of the challenges that I'm facing at work. We've had meetings before about what they can do for me and for my company to ease the pain of developing a security program and getting some of my initiatives off the ground and into production. As we talked about some the pains and the pain points (aka management and others who don't always understand security) one of the guys made a comment that struck home. He said that we look at the world through different eyes than network guys, server guys, application guys, etc.... How true.

That's why we can sit in a meeting and listen to someone from another IT discipline talk about a project and pick security vulnerabilities and issues out of thin air. These guys have been working on this for weeks or months and trying to avoid the very things that we see but still miss them. We have conditioned ourselves to not only look for potential security issues but also to look for ways to make it work in spite of the problems. We look for ways to enable business not hinder it. We look for ways to make things happen in a manner that secures the environment while allowing the user to do his/her job with minimal disruption.

I've said it before and I'm sure I'll say it again. IT is one of the first departments that needs to get a real clue as to how security works. IT needs to go beyond knowing how to secure their devices and environment but they need to understand security and how it affects the business as a whole. They need to understand how security fits into the business and not just how to secure. When you have one without the other you chance causing unnecessary disruptions, spending more money than necessary to secure the environment and deploying technologies that don't fit into the "big" picture.

So if you are in IT (or even if you aren't) take the time to learn what you can about how security works and why it works. It will give you a better understanding of why the Security department does some of what it does and it will allow you to deploy devices, applications and networks that are secure. They will be secure and they will be more likely to be secure in a way that fits into the big picture and in a way that fits into the business need.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.