Bang for Bucks Security – 7 Reasons why Businesses are Insecure (Drazen Drazic CEO)

If we had to pick what the most frequently asked question is that we get asked by CEOs, CIOs, CSOs and other senior IT Management, it would be; what is the quickest way to find out what security risks and exposures their company has. We all know that it’s not that simple but to be fair, it’s a good question if you are starting from a base of nothing.

But you can’t get an decent answer to such a question unless you have decided that you are serious about protecting your information assets. Unless you have these “basics” in place.

Back in 2007 I wrote the post “The 7 Reasons why Businesses are Insecure” on Beast or Buddha. (http://beastorbuddha.com/2007/11/10/the-7-reasons-why-businesses-are-insecure/index.html)

I have rehashed today, as pertinent and timely as ever as it comes to attention this month in our newsletter “Bang for Bucks Security”.

______________________

Bang for Bucks Security

I won’t start by saying that implementing a strong framework is going to solve all business IT security problems. It won’t, but with one, at least you have one big advantage over now – you have a better picture and understanding of where your problems may lie and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face – where they are exposed, what they are exposed to and how these exposures could impact the business! So what are the problems?
1. Management and Governance – If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention. When we do “State of Security” reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework not in place. ie; you can be guaranteed that if there is not an effective and ongoing management and governance layer in place, overall security within the organisation is weak. Matt Jonkman in a previous interviews with me  iexplains it well;

“Security is the CEO’s problem. The security engineers are the tools the CEO should be employing. CEOs should be directly involved in the risk decisions far more than I see on average. They need to know not exactly what technically is going on, but exactly what risk is being introduced or mitigated. It’s security 101. They should be involved from the ground all the way to incident response. It is NOT the security engineer’s decision whether to spend money to mitigate a risk based on what the impact might be. It’s the CEO that should know what that impact would mean in dollars, and how many dollars are available to be expended. I think these things are far too often delegated from officers of a company to managers without the proper oversight and long term involvement.”

2. Environment Awareness – It never ceases to amaze me how many organisations will promote being secure and having strong IT security practices and controls in place, yet not have a clear understanding of their environment. How can you say you are secure if you don’t know what it is that you supposedly protect? Most organisations have little idea about what they own – ie; IP address ranges, networks, systems and applications. Few have assigned data and system owners to all parts of the environment.

3. Policies and Standards – Most companies now have security policies and standards but are they of much value? If you don’t have an effective management and governance layer in place to own, manage, maintain and enforce good practice and if you have gaps in awareness of what makes up the corporate environment, how good are they?

4. Policy Compliance and Awareness – Policies and standards are all good and well but if you’re not doing what you say you should be doing, the security program is useless. Stating the obvious I know, but this is the story more often than not from our experience.

5 . Assurance Program – Few organisations “test” to confirm they are doing what they say they should be doing. ie; testing the effectiveness of the above mentioned layers of the framework. An ongoing assurance program helps to identify issues arising from the deployment of new technologies and problems from weak practices in existing technologies. Few organisations do:

1. Ongoing environmental scoping – mapping and keeping up to date records of what their environment is.
2. Ongoing vulnerability assessment and management – a proactive VA program helps identify issues before they become a problem.
3. Regular security testing of key systems and applications, including penetration testing and application reviews.
4. Security review of new systems before they go into testing and production. 90% of newly deployed web applications in our experience have critical security issues yet organisations still trust that their developers understand security and don’t test….scary!
5. Review of the their policies and standards – are they relevant, up to date and cover the scope of the complete business environment?
6. Review of the effectiveness of the compliance program(s). Testing to see if what the organisation says should be done is being done.

6. Incident Management and Response – If any of the above fails and an incident occurs. (Assuming the organisation knows an incident has actually taken place, and take the tip, most companies have no idea unless it’s one that has walked right up to them and slapped them in the face). Most organisations have little or nothing in the way of documented and tested response plans. (Lets add DR to this also). How can an organisation quickly and effectively respond to something if there is no plan?

7. Strategy and Performance Assessment – In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date. Few organisations take a holistic view when assessing the effectiveness of their IT security strategy. I know “metrics” and performance assessment in the IT security industry has been debated since day 1, but lets not confuse systems and detection metrics, as a couple of examples, with “strategy” level review.

An IT Security strategy should encompass a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help; define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself. In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum;

1. Articulation of the Security Strategy.
2. Translating Strategy into Desired Outcomes.
3. Devising Metrics.
4. Linking Metrics to Leading and Lagging Indicators.
5. Calculating Current and Target Performance.
(based on work done by Rayport and Jaworski, eCommerce)

The 7 layers above form the Strategic Security Management Framework (SSMF). It’s a framework we developed some time ago to assess the effectiveness of IT Security practices in an organisation. It’s a framework that we still use today. It’s a framework that many of our clients now adopt.

By nature of doing business electronically, an organisation cannot remain secure without a proactive plan / strategy that takes a holistic and enterprise view of the risks the organisation faces.

A strategic framework is vital in the field of security management because it provides a structure to help analyse the complex requirements and highlights the dimensions of importance. An effective strategic security management framework is vital in describing the business’ short and long term plans to; secure its environment, what its goals are, how it plans to achieve those goals and how it will continue to achieve new goals required to keep pace with evolving security challenges. It should be linked to other strategies within the business such as relevant components of the overall corporate strategy and the IT strategy and functional strategies that will evolve from the security strategy itself.

As I said, managing security around a framework will not in itself solve all the problems but it is the start. Without one, organisations will continue to flounder around a bunch of disjointed practices, rarely relating to other practices and with little context to the overall objectives of securing a whole business environment.

This is where busineses are failing today.

Regulation and Compliance – It’s all relative and what you are used to…

This old Beast or Buddha post from 2009, our CEO, Drazen Drazic looked at regulation and compliance. It’s worth reviewing again and seeing where we stand in 2013 as the Government starts to follow the likes of the US now in terms of assessing whether more regulation and compliance is needed.

http://beastorbuddha.com/2009/04/14/regulating-it-security-practices-pci-dss-tough-it-could-be-worse-or-betterdepends-how-you-look-at-it/index.html

We welcome your thoughts and comments….

Continue reading →

Mandatory Data Breach Notification

With the discussion again starting about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we presented the following to the government in 2012 when RFC was opened in regards to this potential legislation. What are your thoughts?

—————————————————-

The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (Oct, 2012).

Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place.

Where we are coming from: If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (Fair enough).

Continue reading →

State of Information: Annual Report – Are you publishing one?

Updated from Beast or Buddha (August, 2010).

As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check-off what you are actually doing now, versus what the original role description stated the role would/should be?

I know talking with many people out there that this is one of their biggest issues in their role today – either the role not being as it was promoted/advertised and/or you not having the support to perform the role your were hired to do.

It’s made cynics of so many people in our industry and in a weird way, has also kept people, albeit unhappy in organisations longer, given the fact that there’s a belief that wherever security people go, it will be much of the same… so at least, “better the devil you know”. Many in our industry have a continual battle trying to do their job and fighting every step of the way for even small gains. It’s always been like this. Continue reading →

LinkedIn – (In)Security by Design – Drazen Drazic

The reactions to the recent LinkedIn hacking “scandal” were interesting.

On one side, and rightly so, there were serious questions asked of LinkedIn and their security practices. Certainly the consensus was that their practices in regards to passwords left a lot to be desired. Furthermore, a large company of this size, in terms of the number of users it has should be taking the security of those users’ data more seriously – this type of breach just should not be happening.

Taking aside the technical security issues now, I put to you the question; Does a hacked LinkedIn present much more risk to an individual and the company they work in than a non-hacked LinkedIn?

Looking at the consequences of the current security breach as reported, what has been the impact to an individual LinkedIn user? LinkedIn by nature of its business model is the sharing of “personal” information. That information is there already to one degree or another and what isn’t directly accessible, can be, with a few clicks to “connect”. Continue reading →

Lulzsec member indicted for part in 2011 cyber attacks

A 19-year-old Essex man has been indicted by a federal grand jury in the United States for his part in the Lulzsec hacking group, which claimed responsibility for a number of attacks on media and video game websites last year.

Ryan Cleary was arrested in June 2011 and charged with violating the Computer Misuse Act and the Criminal Law Act 1977.

Now the Los Angeles Times has released a copy of the indictment, which claims Cleary “developed software for, and maintained and controlled a large botnet” which he used to “conduct DDOS attacks against various corporate and government entities”.

The papers also accuse Cleary of renting out his botnet to other cybercriminals.

Lulzsec first came to attention in May 2011 when they claimed to have hacked the Fox Entertainment website, taking responsibility for leaking employee information and user passwords as well as a database of applicants for TV talent show X Factor.

An offshoot of hacktivist group Anonymous, the group then went on to attack public television provider PBS, Sony Pictures Entertainment and the online game League of Legends amongst others. Crimes varied from simply bringing down websites to stealing and releasing confidential user data.

In a blog post for PC World, freelance technology writer Ian Paul pointed out that while the group probably didn’t have any particularly sinister motives, their actions were still putting users at risk.

“As its name suggests, LulzSec claims to be interested in mocking and embarrassing companies by exposing security flaws rather than stealing data for criminal purposes,” Paul wrote on June 3 2011.

“But that doesn’t mean others won’t capitalize on security flaws exposed by the online pranksters.”

Cyber-attacks like the ones perpetrated by Lulzsec can have major impacts on businesses. Often a red cell assessment can be the best way to defend your business against an attack, by simulating a legitimate security penetration attempt.

PCI compliance in cloud services

With all the hype surrounding the delivery of services through cloud providers, it is little wonder that some enterprises may be wary of stepping into the new realm of business opportunities unprepared.

In essence, external providers are taking the information and operations outside of the physical premises controlled by the firm in question – leading to questions about how safe and secure the systems really are.

This is especially true for businesses that are aware of their obligations with regard to potentially sensitive information collected from clients and stakeholders.

Because these details are given to the enterprise with the understanding that they will be kept safe from misappropriation or theft, security is often a prime concern for the staff members in charge of information storage.

When it comes to the payment card industry (PCI), there are strict guidelines that govern how client information is to be processed and archived.

With new technologies such as cloud storage, the same requirements would apply to these solutions as with in-house systems – requiring the assistance of qualified PCI compliance testers.

These experienced professionals will be able to ascertain if an external provider is suited to the task of storing or processing sensitive card payment information – as well as providing additional advice on how to improve existing frameworks.

Dr David Ross delivered a presentation to the attendants of AusCERT 2012 convention, stating that while extra care was needed, it could be possible to make use of these systems while maintaining PCI compliance.

According to an article published by ZDNet on May 17, Dr Ross said that while cloud providers can offer compliant products and services, the onus still lies with the primary company.

Some of the products mentioned by the presenter were known to also provide in-depth guides that help clients to deliver services that are in line with the data security standards laid out by the payment card industry, but he was quick to warn that this still did not automatically make the solutions certifiably compliant.

While the shared nature of some cloud services makes it difficult to get a clear picture of just what information is visible to third parties, a team of qualified assessors can provide managers with an in-depth review of the pros and cons of a particular service.

This allows decision makers to make informed choices based on the particular details provided by a neutral third party – removing issues of bias and proprietary control issues from the equation.

We are not enemies. Do not be afraid.

It’s a natural reaction. You receive a security test report only to find that there are security issues with your system. You immediately start plotting ways to cover them up, smooth them over, and remove them from record. Stop!

Every security consultant has experienced this reaction and every security consultant worth a damn has told their client that it’s okay. Just like functional bugs, security issues are a fact, a certainty of complex software, and the best way to deal with them is out in the open.

It’s not your fault

As the person responsible for a system, whether management, operations, development or testing, it’s easy to be defensive and shift blame. The reality is it’s almost never important whose fault a security issue is, and even when it is, it’s unlikely to be your fault alone. And even then, it’s just not productive. Continue reading →

One size does not fit all with PCI DSS

One of the most pervasive laws that governs business success is diversity – with each firm striving to differentiate itself and its offerings from their competitors.

This can take place over many different strategic areas, including product quality, service levels, price and feedback opportunities.

Operationally, this means that every enterprise is going to have internal systems that differ from those utilised by their peers – in terms of standard protocols and physical hardware.

When it comes to meeting the compliance requirements of the payment card industry data security standard, each and every single firm will need to have manual reviews conducted on a regular basis to ensure that their defences are up to the task.

Essentially, a ‘blanket’ security measure may not be enough to cover all the bases, as the specific needs of the business may not be covered.

Instead, it is often a much better idea to have the security measures examined and assessed by a professional compliance provider who can provide additional advice on how to meet these evolving requirements.

This provides a level of cover to enterprises that takes into account their unique makeup and choices of systems – an essential service that blanket solutions just cannot replicate.

CIO’s Security and Roadblocks

If you’re a CIO and you’re not reporting state of risk and security on a regular basis to your CEO and/or Board, you not only are putting your organisation at greater risk but looking at the bigger picture, also business partners, shareholders and everyone else associated with that business? We’re in 2012 now, not 1999, where ignorance of basic security could still be forgiven (somewhat).

Read more on Drazen Drazic ‘s latest contribution on the CSO Online CSO Bloggers.

http://www.cso.com.au/blog/cso-bloggers/2012/05/30/get-cio-out-reporting-line-security/

Security Management Frameworks

In case you have not seen them, other CSO Online Posts from Drazen Drazic are:

• Security as a Competitive Advantage  http://www.cso.com.au/blog/cso-bloggers/2012/03/22/security-competitive-advantage/
• Data Breach Disclosure Laws – Who’s going to feel the pain ? http://www.cso.com.au/blog/cso-bloggers/2012/03/07/data-breach-disclosure-laws-whos-going-feel-pain/