As you’ve probably heard or read in the news, there was a recent leak of some extremely sensitive Congressional documents through a file sharing service.  This leak highlights some of the inherent risks in the use of such services for moving data between users. In the past, email has been the primary form of communication between users, however, email has it’s limits. The explosion of data and email traffic has forced many corporate email administrators to significantly reduce the size of email boxes and attachments that can be sent through the corporate email system. This has forced employees to find alternative ways of moving data.

File sharing services, such as Kazaa and Gnutella, have been used for nearly a decade to share music and other non-essential files between computers.  These have been well documented as a potential security risk.

More recently, services such as Google Docs, Apple’s iDisk, and dozens more have started file sharing services.   The value of these services lies in users’ ability to easily share data from anywhere in the world to anywhere in the world.  That same ability makes these services as dangerous as some of the p2p file sharing services. If security is not set properly or mistakes are made in sharing the right files/directories, users can expose sensitive data to virtually anyone.  Additional data exposures can also occur to those sharing computing resources such as hotel kiosks, family computers, and multi-user business machines.

How do we prevent these types of exposures?  Let’s look at some of the options available:

Thou shalt not share data!
One of the first options considered is to not allow the sharing of sensitive data.  To determine if this is the best option for your company, there are some questions you should ask:

• Has your company defined a classification for sensitive or confidential data?
• Has your company defined what data can and cannot be shared outside your organization?
• Has your company provided tools for you to share that data with others?

If the answer to any of those questions is NO, you should evaluate your policy and/or toolsets.  It is important in today’s virtual “corporation” to share data with others, whether they are employees, contractors, or clients.    Policies and tools should to be reviewed to ensure that you can meet the goals of your company so that you can support those needs without forcing your employees to seek a solution outside your company.

Stupid Users

Ask any Information Technology Security professional where their biggest risk is and you will find one universal answer: USERS! In most corporate cultures today, high productivity is valued and information security is viewed as a hindrance to that productivity. As a result, the highest producing users will almost always take the path of least resistance to problem solving, thereby presenting an increased security risk.
File sharing services are a perfect example of one of those paths.  Technically savvy users are far less likely to turn to the IT Department to provide a service, but will simply use the same tools they use for sharing their personal files on the web to perform business functions in order to quickly and inexpensively share files with consultants, contractors, or other users.

While being solutions oriented and thinking outside the box is a prized trait in our most productive users, without an effective set of tools and services readily available from your IT Department, users will present an increased data security risk. Always keep in mind that the end user will not adhere to policies that are slow, inefficient, and detrimental to their productivity levels. The goal of any Information Security policy should be to keep the company’s data as secure as possible, while providing the tools necessary for your users to get their work done effectively and efficiently.

Digital Rights Management

DRM has been around for several years. Many felt that DRM was the panacea for all data security risks. The use of DRM in securing data does eliminate the problem with having confidential or private data from being “leaked.” DRM is quickly becoming the next security management nightmare, right behind PKI.

The complexity of managing DRM and the severe limitations that DRM has placed on media companies and data owners have forced all parties to re-evaluate the technology as practical. As a technology, DRM can help to control the availability of sensitive data, but the cost of managing that data is extremely high and just isn’t cost effective for most organizations.

DRM Lite aka Identity Based Encryption?

A new form of DRM is emerging.  This form allows sensitive data to be transferred securely, and authenticated by the user receiving that data.  That data is encrypted unless you have the authentication credentials.  Think of storing a password with the data. This type of encryption is sometimes referred to as Identity Based Encryption (IBE).   IBE allows any user to send data encrypted via an email. In the email are instructions for the recipient to retrieve or decode the message using a variety of different methods.   In more automated environments, passwords can be generated based upon well known facts based upon information the sender already has such as address or zip code.  While this isn’t PERFECT security, it does eliminate many of the risks for data being accidentally shared and viewed by those who shouldn’t have access.

Take a look in your environment? Review your policies; conduct a web audit on whether or not your employees are using file sharing services. Is your company supporting tools that allow users to send data securely? If not, they will find a way to do it increasing your corporate risk.

• Flight 1549: A Blueprint for handling Security Incidents I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on...
• Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...
• Cheapest, Easiest and Most Effective Security - Security Awareness Training In my career I have been asked hundreds of times what single item is the...

• The Upcoming of Internet Telephony
• Home Network Security
• Hosted Virtual PBX Phone System - Perfect For Companies With 5 - 50 Employees

Cloud Computing

Cloud computing and Software as a Service (Saas) are quickly replacing software vendors in today’s marketplace.    Industry veterans such as Gartner are saying that over 25% of new software purchases will be using SaaS and not the traditional model.  The power of communications, support, cost and deployment ensure this into the future.

How does this affect the information security professional?  Substantially, but not necessarily in a bad way.   What does all of this mean to the security expert?   It means that we had better be prepared EARLY in the process of choosing of the SaaS vendor and not as an afterthought.   To accomplish this task, let’s take a look at the Top 8 items to ensure that your SaaS vendor has appropriate security:

• Security is a process not technology or checklists.

  
  

John Sawyer had it right in his article in DarkReading, security IS a process and not a checklist.    Make sure that the SaaS vendor’spolicies clearly articulate
this.  It is not simply a check box stating that they PCI DSS compliant, or Verisign Compliant.  It is a process and a procedure for all to follow.

• Does Service Level Agreement (SLA) include Security

SaaS SLA’s offer you, the client, a financial recourse if there are any availability issues surrounding their service.  Do those include security breaches?  If your SaaS vendor loses a tape containing your client data, do you have recourse against them?  Make sure that security is included in the SLA that you sign with them.

• Disaster Recovery TESTING

Many companies, especially SaaS companies have a clearly designed and documented Disaster Recovery policy and procedure.  If they do not, then I wouldn’t even CONSIDER doing business with that company.  However, the real issue in any disaster is not whether or not they backed data up, but how fast can they put YOUR data and software back online.  You are now tied to their success.  Make sure that they provide clear evidence that they TEST their procedure and know that it will work and more importantly, how fast can they recover.

• Encryption and Compartmentalization of Customer Data

Ensure that your SaaS vendor has clear policies and technologies to ensure that data that should be encrypted is and effectively encrypted.  Simple hash algorithms for a record or row in a data table are not sufficient.

• Auditing vs Technical Controls

According to Eric Maiwald of the Burton Group, technical controls, such as for content or rights management, typically don’t work as well in an outsourced environment. When you entrust your data to SaaS, “audit replaces your day-to-day management controls and technical controls,” he asserts.  Ensure that your vendor has appropriate auditing from application to network vulnerability.  Audit is your key to ensuring security with your vendor.

• Secure Software Development Life Cycle (SDLC)

Does your SaaS vendor follow a standard practice for developing secure code?  Your data is only as safe as the code itself.  If your SaaS vendor does not subscribe to secure coding practices and standards, it is only a matter of time before data is compromised.  Take a look at the following two standards from Microsoft and the Department of Defense as examples of Secure Software Development Life Cycle:

o       Department of Defense Information Analysis Center’s  Secure Software Development Life Cycle

o       Microsoft Trustworthy Computing Security Development Lifecycle

• Can I get it Back?

So you have taken the plunge, and started using SaaS to handle your aspects of your business?  What happens if they go away?   What happens if you chose the wrong vendor and they constantly miss their SLA’s?  Does your contract stipulate the ability to extract your data back from the SaaS vendor so that you can use it elsewhere?  Work with your legal department to ensure that your contracts include appropriate language to retrieve your data given these and other scenarios.

• Transparency

Does your SaaS vendor provide transparency in security, availability and performance?  The SaaS vendors that do well and succeed do already.  Look at SalesForce.com and their rollout of the Trust Platform.  Salesforce.com realizes that transparency in security, performance and availability is an essential component to a SaaS vendor.  Pressure your vendors to ensure that you have access to this data, since their business is servicing YOUR data, afterall.

As you can see, it is important for the Information Security team to be involved early in the process when reviewing potential SaaS partners.  A great relationship with your legal team is also helpful.    The proper balance of security and the financial savings of the SaaS vendor can really be a great asset to many companies during these turbulent times.  Don’t get caught left behind when reviewing your SaaS vendors, ensure that you are leading from the front.

Do you have an opinion?   Did I miss any of YOUR top SaaS security issues? I’d love to hear it!

• Cheapest, Easiest and Most Effective Security - Security Awareness Training In my career I have been asked hundreds of times what single item is the...
• The risks of SHARING! As you've probably heard or read in the news, there was a recent leak of...
• Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...

• What is a Service Level Agreement (An Example)
• Software As a Service (SaaS) Software on Demand - Using SaaS the Smart Way
• Rapid Growth in Telecom & VoIP Employment Opportunities

Introduction

As today’s companies become leaner and meaner, I see the use of performance metrics being used by many corporations to ensure that their productivity remains high and that the company’s employees are properly compensated.  One of the biggest challenges that I have faced as a security executive was to prove my organizations value to the business.  I was asked to objectively measure my success as a security organization.   Honestly, I was stumped for quite a while.  How do you measure success for a CISO?    Information Security can be difficult to explain to executive management.   How can we do a better job as a profession to demonstrate our business value to our companies?

Concept 1:  Vulnerability Management

The first concept was to measure the number of vulnerabilities in my environment and to demonstrate that the reduction in the number of vulnerabilities means that security has been improved.  This can be a very successful way to measure the success of your organization.  Better tracking, remediation and management of your vulnerabilities demonstrates to management that security as a process is being followed, that policies are being adhered and that the IT and Security organizations are working together to reduce risk.  What is the downside to measuring your success only by vulnerability management?  Well, legacy applications, new applications, new servers and M&A activities create an environment that is difficult to measure and trend to the positive side.  The measurement of vulnerabilities will always increase and decrease based upon these and other factors.  These swings are difficult to explain to management since they tend to want to see nice steady improvements, not violent shifts.   Make sure you can identify the spikes when using this tool.  What has your success been using vulnerability management to measure your organizations security value?

Concept 2:  Security Information Management

A few years ago, the security industry spent a lot of money and resources working with a set of products called security information management tools (SIM).  These tools promised the ability to correlate complex environments and reduce the amount of information for security related data.  SIM tools delivered for the most part.  They correlated vast amounts of data and provided useful information for the security organization.  Reports from these tools provided management with actionable information and clearly demonstrated the success of security organizations from many standpoints:

• User and Role based controls
• Virus Integration
• Firewalls and IPS Logging
• VPN/User Reporting
• System and DB availability

The challenge with these tools for many companies was the complexity of integrating the tool inside the company while creating usable reports.   The truly successful companies that implement SIM tools also implement a team of people that understand the business needs and can provide reports that are useful for the organization, not just security or IT. Deployment of a SIM tool does not guarantee success.  How successful have you been using SIM reports as the sole measurement of organizations performance?

Concept 3:  Risk Management

After working on several tools including SIM and Vulnerability reports, I developed a tool that measured broad risk across many fronts including vulnerability and SIM.  The nice thing about the broad view is that I could strategically look at spheres of influence outside of pure security and measure those as well.  Development is an example.  By developing a risk model, I could now begin to look at security processes across the entire enterprise and include them in the process.  This allowed me to work more closely with some of the other business units within the company building value.  Most executives DO want to do the right thing; they just need to understand what those issues are.  The risk tool helps many business line managers to understand how security can impact them and how they impact a corporation’s risk.   The risk model turned into the Security Posture Assessment, a nearly 900 question tool for measure broad risk in an organization.  The tool allowed one to plan where resources, whether people or money for tools, needed to be invested across the organization.  The tool provided a very easy to understand metric for executives to understand where we stood and what are game plan was to improve.    Have you used a risk tool at your company to measure the value of security?  If so, how did it work?

Conclusion

What is the right way to measure the value of security?  There is no right answer.  The best method to use is the one that works for you and your organization.  Remember, the security wheel…security is a process, not a destination.   I would love to hear back from you!   What ways did you use at your organization to measure that success?

Do you have an opinion?  I’d love to hear it!

• Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...
• Cheapest, Easiest and Most Effective Security - Security Awareness Training In my career I have been asked hundreds of times what single item is the...
• The risks of SHARING! As you've probably heard or read in the news, there was a recent leak of...

• Home Network Security
• Guide to Measuring and Marking Tools pt 5
• Twelve Key Questions You Need to Ask About Your Computer Security for Your Home or Business

I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on Sunday.  If you haven’t seen it, please take a few minutes to watch the interview below:

CBS 60 Min Interview with Capt. Sullenberger

Introduction

I was struck by the professionalism and the calmness of the flight crew and especially Capt. Sullenberger. During the interview, I kept thinking about how this could be applied to the information security industry, and especially to my CISO counterparts. What are some lessons for handling our emergencies, security incidents, that we should learn from this near tragedy?

No matter how well designed the Airbus A320 that was used by US Air Flight 1549, problems can arise that are outside of the control of the plane designers and their flight crew. In Flight 1549’s case, these problems were not design flaws but a flock of birds. Equate that to our world of information security. We have designed networks. We have purchased firewalls, intrusion prevention systems, and various other types of technologies to secure the companies that employ us. Yet there are times that we still have security breaches. How can we take the lessons of Capt. Sullenberger and his crew and apply them to our industry?

Training

The first thing that I noticed from the interview was how Capt. Sullenberger immediately took over the plane’s climb out from Jeffrey B. Skiles, his First Officer. There was an obvious protocol for transition. The flight team’s training was obvious. They immediately began checking down through various protocols, attempting to restart the engines, calling an emergency all the while attempting to glide the disabled plane to safety.

Is there a clear and defined process for handling your security incidents at your company? Have ALL of your IT and information security employees been trained on those procedures and know their responsibilities? If your organization does not have a documented Incident Response policy and procedures, you should immediately develop one. I would say that many companies do have an Incident Response Policy and Procedures. However, most companies do not provide adequate training for those procedures. Make sure that your IT and Security staff are not only aware of the Incident Response policy and procedures but have yearly training so that they are familiar with them.

Testing

When listening to Capt. Sullenberger describe his background, his experience in handling emergency procedures was clear. Capt. Sullenberger obviously had used simulators and role playing in his safety consulting practice and accident investigations.

Training and clearly written procedures are absolutely critical in the handling of security incidents. One of the most obvious omissions is the TESTING of those procedures. Running a periodic test of the incident handling procedures not only provides a training vehicle, but also helps refine the process for when the real emergency occurs. Test your Incident Procedures at least yearly to ensure this process works smoothly when you need it.

Teamwork

During the interview you heard Capt. Sullenberger say several times that he trusted in his flight crew as professionals. He mentioned that he heard the flight attendants in the main cabin quickly understand and prepare the cabin with his very terse phrase, “Brace for impact,” while he and First Officer Skiles were gliding the plane and quickly assessing a landing area. Capt. Sullenberger had faith that his crew knew what to do and didn’t second guess them. His crew had faith in Capt. Sullenberger and that he would keep them safe.

Ensuring that we have the right members of the Incident Response team is critical. Do we have a PR person identified? Can we retrieve emergency backups if necessary? All these team members are critical to a successful incident response procedure. Ensure that your team is in place and is prepared.

Calmness

Finally, I noticed that during the entire 3.5 minutes that Capt. Sullenberger had to land that airplane, his demeanor was always professional and calm. The entire crew and even the passengers noticed that trait.

I have seen many IT and security organizations panic when an incident is identified. It interrupts daily operations, business and can take away focus from other important items in a company. Keeping calm in an emergency can help focus your team. It keeps your co-executives from being uneasy and helps to ensure your success.

Remember these lessons from the Captain Sullenberger and his crew. His lessons are very useful for us all. From my heart and the families of the passengers of Flight 1549:

Thank You!

Do you have an opinion?  I’d love to hear it!

• Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...
• The risks of SHARING! As you've probably heard or read in the news, there was a recent leak of...
• Ensuring your SaaS Vendor is Secure /caption] Cloud computing and Software as a Service (Saas) are quickly replacing software vendors in...

• Blogger Obtains Loan Using Social Capital
• More details surrounding suspected Airplane Terrorist: Umar Farouk Abdulmutallab
• Dutch to use full body scans for U.S. flights

In my career I have been asked hundreds of times what single item is the holy grail of security.  Is it a firewall?  Is it an Intrusion Prevention System (IPS)?  Perhaps it is a Single Sign-On Tool (SSO)?  No, contrary to what most vendors say, the cheapest, easiest and most effective security component of any corporation is NOT a firewall, an IPS nor is it ANY technology.    So what is it?

The old axiom is true…security is only as good as its weakest link.  What is your company’s weakest link?  In the vast majority of companies, that link is it’s…. PEOPLE!   All the technology in the world can’t stop an employee circumventing that technology to make his or her job easier.

While technologies such as firewalls, IPS and the myriad of other tools are needed and useful, they alone do not address the issues of people. How do we address this issue? What is that low cost way for ensuring that your company’s security posture improves? It is quite simple…one of the most overlooked tools in a security providers kit, Security Awareness Training.

Training is a simple and inexpensive way to increase your company’s security posture. The effort put into training your employees can greatly increase your security coverage. Think of it as the security geometric curve of effectiveness. Training allows all your employees to cover more areas with vigilance.

What are the steps to creating better security awareness at your company?

• Security Awareness is a campaign and not a class.

While a power point presentation on security can have effect it is not an effective campaign, just a component of one. Periodic security reminders are very useful in keeping vigilant in this day and age.

• Compliance

Compliance is a dirty word of today’s corporate environment. But in reality, many compliance initiatives require some sort of awareness training (HIPAA/PCI). Leverage those corporate initiatives to help educate your employees. This may be a way to find some budget for your awareness program.

• Help your employees at home and they will help you at work

One of the best ways to educate your employees is to teach them how to secure their own privacy data and home computers. This teaches them the importance of security as it relates to their own resources, not just the companies. Most employees take this to heart and will begin to see how they can utilize those same practices with the corporate assets and your customer data.

• Reward

If one of your associates sees a security issue and notifies you, play it up! A great tool for helping create awareness is to give awards when people do the right thing. Take them to lunch; write them up in your company newsletter. These little things reinforce great behavior.

• Don’t be Chicken Little

Think about the last time you paid attention to the Homeland security threat level? What is it today? Do you know? We, in the security industry have done a great disservice to many of our users. We have said the “sky is falling” so many times that people have stopped listening. Be positive in your security training. Talk about effective techniques for creating passwords, not just telling users to not use their names for passwords.

• Utilize your corporate training tools

There are many tools you can utilize to help keep this campaign going:

• Intranet/Internet – Leverage your collaboration or internal sites. Put up a weekly/daily security highlight. Link to various internet resources. Set up Security FAQ. These are all great tools to help keep that awareness high.

• Newsletters – Does your company have a newsletter? Leverage a column in that newsletter? If not, create your own quarterly security newsletter. What are the best topics…use topics that will help educate your employees on how to secure themselves AT HOME? At Home? Yes, at home. The more aware they are on security and privacy issues with their home computers, the more aware they are of the risks to your company and your customer’s private data.

• Emails – Leverage periodic emails for emergencies patches/releases. This not only affects your corporate environment, but again, it helps to educate home users. An ever increasing amount of home computers are being used to connect to corporate environments using VPN’s. Keeping your employees home computers secure is also important.

• Learning Management Systems – Does your company utilize learning management tools and training tools. Great security content works very well with many corporate LMS systems. Many larger corporations have a training department that will help you develop content.

A good training program can really increase a company’s security posture at a fraction of the cost of technology. Leverage these tools in YOUR Company to make a lasting effect.

• Using Analytics to Measure InfoSec Success Introduction As today's companies become leaner and meaner, I see the use of performance metrics...
• Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...
• Flight 1549: A Blueprint for handling Security Incidents I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on...

• Microsoft MCSA-MCSE Computer Training Examined
• Giving incentives to employees..it's not just the salary!
• Home Telephone Technology

I will do a post in more detail on Virtualization Security later.  In the mean time, please take a look at my good friend Josh Corman at IBM/ISS  and his take on Virtualization Security.

Internet Evolution – Internet Evolution’s Virtualization Security Tutorial.

• Flight 1549: A Blueprint for handling Security Incidents I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on...
• Using Analytics to Measure InfoSec Success Introduction As today's companies become leaner and meaner, I see the use of performance metrics...
• Cheapest, Easiest and Most Effective Security - Security Awareness Training In my career I have been asked hundreds of times what single item is the...

• Twelve Key Questions You Need to Ask About Your Computer Security for Your Home or Business
• Why Blog? I'll Tell You Why!
• Cybercrime: How online crooks put us all at risk

What is a Security Posture Assessment anyway?

To put it simply, a Security Posture Assessment (SPA) is a tool that contains over 850 measurable independent data points, used to objectively measure the current state of your company’s security risks.

Why use DMS Consulting to handle your SPA?

We’ve developed a unique Security Posture Assessment that measures where your company’s security risks are, what you need to do to address those risks, and the costs associated with achieving the necessary results and presents your data in an easy to read scorecard format.  Use this tool to plan and measure for your company’s compliance needs such as HIPAA, SOX, GLBA or PCI Compliance.

The SPA measures the following areas of risk:

• Access Controls
• System Integrity Controls
• Cryptography Controls
• Audit and Monitoring Controls
• Configuration Management and Assurance
• Security Processes and Policies
• Application Security Standards and Policies
• Privacy Policy and Controls
• Emerging Risks

For more information, feel free to review the Slideshow below.

Uploaded on authorSTREAM by mdavidson58

• The risks of SHARING! As you've probably heard or read in the news, there was a recent leak of...
• Using Analytics to Measure InfoSec Success Introduction As today's companies become leaner and meaner, I see the use of performance metrics...
• Flight 1549: A Blueprint for handling Security Incidents I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on...

• How to Encrypt Your VoIP Network For a Secure Connection
• The 3 W's (Wares) in Security Management
• Apple’s New Tablet To Be Baptized iSlate? Let’s Dig A Little Deeper