As a Security professional I've spent a lot of time considering security problems. Action plans I suppose are all about what you can do with those problems. This week I wrote an imaginary action plan. If you recall I've been working on developing plans for an imaginary company. This company has no polices or procedures which reference security. So I proposed some changes. I am not really going to rehash those changes in this post. I don't actually think that would be interesting to read. However, I do want to take a moment to talk about this process.
From my perspective companies are generally accepting of the way things are done. If a plan for something doesn't exists it means the leadership of the company hasn't acknowledge a need for it. As a security professional how do you convince a company to spend lots of money and time on solving problems they aren't concerned about? Obviously you can go to the stand by FUD, but there has to be a better way! Understanding the risks a business has and proposing solutions is not an IT practice. This is a business practice. My imaginary company only engaged services for its security problems after a breech. That is what it took for them to see the need. Wait though, we are back to FUD again. I mean I don't want to constantly try to convince people to do things because bad things can and have happened.
So, here is what I've learned from writing an imaginary action plan. As a professional, writing an action plan gives you an idea what must happen to solve problems. It means that you can clearly articulate what is wrong and how to fix it. Given the correct forum you can argue for the needed changes. I suppose the question is, how do you get someone to ask the question you have an answer for? I don't think this is something I can even get close to answering.
Sunday, July 28, 2013
Sunday, July 21, 2013
Threats, Vulnerabilities, and Risks, Oh MY!
While these terms don’t seem tragic of difficult on their
own they are often misunderstood. To be
honest I often use them interchangeably.
So what is the problem right? I
mean why do we have to be exact on this, is the name of the game
semantics?
The union of these three ideas are the threats, risks and vulnerabilities information security professionals should focus on. The problem is determining which things fall into which categories and why.
The reason these terms matter is because they are central to
mine and all security professionals understanding of how business, security,
and technology intersect.
Threats are things that you don’t want to happen. They are present in the world around us. There is a threat you may get into a car
accident on the way to work. There is
also a threat that someone may hack into a system at your office. Of course, there is also a threat a meteor
will wipe out your office. Not all
threats are credible. In other words all
decisions can’t be threat driven.
Vulnerabilities are problems which exist. The fact the breaks in your car may be out is
a vulnerability. The reality that you
don’t patch workstations and servers on a business network is vulnerability. Lastly, the fact that we only watch a small
fraction of the space surrounding earth is yet another vulnerability. Just as you can’t remove all the threats you
can’t remove all the vulnerabilities either.
Now enters risk. Risk
is the likelihood that a vulnerability will be realized. In other words will a threat take advantage
of an existing weakness? So will someone
force you to slam on your breaks thus taking advantage of the weakness in your
cars break? Or, will some worker click a
Facebook link taking advantage of the lack of patches on their system? Lastly will some meteor in the area of space
we weren’t observing smash into the earth?
So what do you do with this information? The goal of course is decision making. You look for the union of Threats, Risks, and
Vulnerabilities.
The union of these three ideas are the threats, risks and vulnerabilities information security professionals should focus on. The problem is determining which things fall into which categories and why.
Sunday, July 14, 2013
Imaginary Threat Analysis... Who knew it could be helpful.
So how do you analyze a threat from an imaginary company? That doesn't seem like something that people concern themselves with on a consistent basis. However, it was something I found myself doing this week.
The part of this I found interesting was after reading all the data from the company I had to come up with a likely scenario. See the imaginary company had been breached. They let client credit card numbers into the open. In my likely scenario, the were breached due to an e-mail scam. That scam then attached them to a bot net. Once that happened the people running the bot net were able to determine that CC data was present within the system. You see where this is going right? It got be think, how can an organization do anything about this?
In my opinion most security problems in companies boil down to one of three things.
1. A Policy problem
2. A People Problem
3. A technology problem
Policy Problems
So, my recommendations in the magic scenario mirrored this. Policies you see can be fixed if the will is present to do so. The real issue here is that they must originate from the top. They must explain the will of a corporation to the stakeholders and employees. A good example of this would be an acceptable use policy.
People problems
These types of problems are solved by hiring qualified candidates. This may mean background checks and extensive interviews. It will also mean continuous peer based review. In addition it will mean that people may need to be let go. This also takes into account people who mean to do an organization harm. Controls must be put in place to limit that harm. The policies should also reflect the reality of employees and harm seekers.
Technology Problems.
These problems are typically solved by people following policies. Sometimes a new piece of technology may be needed, but sometimes an old piece of technology must simply be utilized. In my imaginary company the issue here was lack of updates.
As IT and security professionals it is very easy to attempt to fix all problems with technology. While I am still deciding what I think about all of this, I am attempting to appreciate how difficult fixing security problems can be.
The part of this I found interesting was after reading all the data from the company I had to come up with a likely scenario. See the imaginary company had been breached. They let client credit card numbers into the open. In my likely scenario, the were breached due to an e-mail scam. That scam then attached them to a bot net. Once that happened the people running the bot net were able to determine that CC data was present within the system. You see where this is going right? It got be think, how can an organization do anything about this?
In my opinion most security problems in companies boil down to one of three things.
1. A Policy problem
2. A People Problem
3. A technology problem
Policy Problems
So, my recommendations in the magic scenario mirrored this. Policies you see can be fixed if the will is present to do so. The real issue here is that they must originate from the top. They must explain the will of a corporation to the stakeholders and employees. A good example of this would be an acceptable use policy.
People problems
These types of problems are solved by hiring qualified candidates. This may mean background checks and extensive interviews. It will also mean continuous peer based review. In addition it will mean that people may need to be let go. This also takes into account people who mean to do an organization harm. Controls must be put in place to limit that harm. The policies should also reflect the reality of employees and harm seekers.
Technology Problems.
These problems are typically solved by people following policies. Sometimes a new piece of technology may be needed, but sometimes an old piece of technology must simply be utilized. In my imaginary company the issue here was lack of updates.
As IT and security professionals it is very easy to attempt to fix all problems with technology. While I am still deciding what I think about all of this, I am attempting to appreciate how difficult fixing security problems can be.
Sunday, July 7, 2013
Threat Analysis Sources
I am currently taking a class on current trends in Cyber Security. One of the question's I’m being asked is to review a list of sources I created. This list of sources is intended to provide an overview of the numerous threats to the Confidentiality, Integrity, Availability, and Accountability of an information system. On June 21st of this year I created a post entitled, "Identifying Credible Resources, a how to!”. This is the list of resources I am currently drawing from. All of that sounds incredibly formal. In fact I simply check these sites and resources during the course of my day. So the question is, can I use these sources in a formal manner?
For the purpose of this post I will discuss my listed sources as they relate to an imaginary company. So, in this imaginary company I check Bruce Schnier’s cryptogram newsletter. It focuses heavily on the ongoing saga of Snowden. Interestingly enough, the Security Now podcast I watched did the same. This information re-iterates the need to do several things.
1. Train Employees, this ensures employees know the proper whistle blowing techniques. It also ensures they know what they should have access to.
2. Monitor Employees, Look, you can’t trust people. No matter how well trained they are they can decide to make confidential information public. This means you have to monitor them.
3. Communicate issues with lax access controls to management. They may decide they do not want to act on recommendations, but they must be informed.
So how does that relate to an imaginary company? Well in my scenario a company X shall we say needs to justify spending money on a IDS or DLP system. They have determined that the risk to lost data is high, and that the impact of the loss would be catastrophic. Reading this newsletter and listening to this blog help me articulate that.
This week I also reviewed Microsoft’s TechNet newsletter. It would appear that MS13-050 will be coming out this month. This update will interact with the print spooler. So, company X uses mostly Microsoft systems. These systems all print on a frequent basis. Due to this warning I am able to communicate with the local admin’s in company X about the possible disruption to printing services. In fact due to this update more extensive testing will be done. If you haven’t figured it out at this point, I’m obviously writing this post for an assignment. The reality of all the sources I listed on June 21st is that I use them frequently. My I believe however that the list could improve. As I review specific threats it is likely that I will build a keyword list of resources. This will enable me to research specific threats as they pertain to various topics.
Subscribe to:
Posts (Atom)