Thursday, December 16, 2010

Compliance or Information Security

Some in the information security field argue that compliance requirements like PCI and SOX are ultimately harmful to true information security, since it places so much of the focus on just meeting the requirements, rather than on really being secure.

While this may be true for a limited number of organizations, I am convinced that that most companies that only take a "checkoff" approach to these regulations would not have strong overall information security efforts even if the compliance requirements did not exist. In fact, I suspect that many of them would be doing much less in the area of information security.

I did have someone state that PCI worked against true security at one point, though I can't remember the precise argument now. I wasn't convinced then nor am I now. Some of the specific requirements may be squirrely, but the overall direction is great.

I do believe an organization with a strong information security practice would not have problems meeting related regulations. They may have to do a few more things, but strong information security will already be dealing with the related concerns.

I am not sure such an organization exists though, so this may just be a pipe dream!

Tuesday, November 30, 2010

Defense Has Value

It is quite common to here "defense is dead" when thinking of information security today. This trite phrase has some truth, but is also off target in some ways.

The idea of defending a single point and being "secure" is definitely dead, though it was really never alive in the first place.

The idea of improving defenses to the point that your network or enterprise is harder than others to attack is a worthwhile effort and remains quite alive.

Work on improving your defenses. Don't stop because a vendor promises a tool that is a "completely new approach". Solomon really was right, even when applied to information security. "There is nothing new under the sun." :)

Brad

Are the Threats Really Different?

I am currently watching a webinar about the current Internet threats. One thing that immediately jumps out to me is that it doesn't really seem all that different, just more of the same. We aren't watching actions on the systems with sensitive data sufficiently.

Everyone still wants a silver bullet, a single chokepoint where we can put defenses and relax. While this would be a great thing to have, it doesn't exist and we need to clue in and realize that.

This truth has been around for a long time, we are just now realizing it. It is quite common to hear "perimeter defense doesn't work anymore," but I am not sure it ever really did. It just blocked some low-level threats, which "worked" without really solving the problem. The low-hanging fruit is always going to be the simplest and easiest. What we consider "low-hanging" varies over time. Thus we will always be strengthening things, but it ultimately comes back to the same thing: Protecting systems with access to sensitive data. The methods will get better over time, Avoid mere vendor hype, realize this is a fact of our lives in the information security field.

Tuesday, November 23, 2010

Getting People to Think Securely

One of the most enjoyable parts of my previous work for a large airline was working on the security awareness efforts. While it was not as large as I would like, I did get to write up a monthly mini-article/hint/tip and I enjoyed finding ways to use real-life things to help readers be more secure in the things they did.

This did take more time than I think many realized and writing effective communications is often more like creating art than performing an engineering task. Finding the proper "muse" to express a meaningful point in the allowed space is a major challenge.

I would encourage all organizations that do not have any awareness efforts to at least start copying or creating some basic awareness articles. SANS has some great tips as do other sources.

Even small tips helping employees be safe in their own computer use can flow over to the workplace and make everyone more secure!

Brad

Sunday, August 1, 2010

Viewing Information as an Asset

One of the most important principles underlying effective information security is to get those involved to see information as a valuable item. Even those of us who know this have to actively work to keep ourselves properly focused on this basic fact.

It is easy to get caught up with the methods and practices and forget the reason for what we are doing. The methods and practices are very good and necessary, but we need to make sure they are properly scaled (effort/cost/etc.) to the information they are aimed at protecting!

Saturday, May 15, 2010

Learning Security and the iPad

I just purchased an iPad. You can see some quick comments in my companion blog here, but I wanted to comment in this blog about the interesting potential the iPad has for me as a learning tool, including in the field of information security. Its form factor makes it much easier to take with you or view in places a traditional computer or even laptop would not be as comfortable. I hope to be producing some tools, videos and other neat stuff in this area in the future. :)

Brad

Thursday, March 18, 2010

The Value of Certifications

I see two basic camps in the security realm when it comes to certifications.

The first would include those with an alphabet soup behind their name. CISSP, CISM, CISA, GSEC, GIAC, GSE, CEH, CCNA, CCIE, etc. I suspect I could keep typing for days and not list them all. Organizations that promote these will definitely push that they add value and validate that the holder knows something of value to an organization and is worth more. This may or may not be true, but certifying organizations do make a substantial income on people maintaining their certifications, so they definitely have a vested interest in believing that certifications are valuable and promoting them.

I would note that I am not convinced that certifications are always a cash machine, but they do fund the employment of many people, so the amounts are significant. Those people are probably needed for solid certification programs. This means that large sums are involved in the process, whether or not those involved make a lot of money personally.

The other end of the spectrum argues that certifications are completely worthless and work experience is all that matters. They often look in disdain on those with certifications. They tend to view certifications as creating "paper tigers," people who can pass a test, but who don't really know much practically. I suspect having a certification is a bad thing if one of these people is in charge of the hiring process.

What spurred me thinking on this again was an OWASP podcast with Mark Curphy. (Yeah, I am a little behind - the show was from last July.) He expressed the second view and seemed to disdain certifications in general.

I am more in the middle of both camps and see merit in both positions. I have personally acquired many certifications because I felt like it, not because I wanted some letters to add to my name. Even though experience is still more valuable, I would rate my M.S. in C.S. from Illinois as more valuable than them all (along with a B.S. in C.S. from their Engineering College) as far more valuable, since it laid a firm groundwork for all the many things I have dug into.

That said, my certifications, especially the SANS ones I hold (GSEC, GCFW, GCIH, GCIA, GPCI) helped me really master the material in this area. My background is more in programming/development than system administration, so having to have studied the material for those courses has helped me absorb a lot more than I would have with just reading a book. Of course I need to put things to practice, but that is true of anything.

My main point would be to not worship certifications, but don't disparage them out of hand either. Don't get any if you don't see the need, but don't automatically assume someone with several is really incompetent either!

The Insider Threat to Drivers

This article shows that the human factor is always going to be a major factor in any overall security stance. A disgruntled downsized employee used a former coworker's account to access a system for tracking and disabling cars that they now use frequently at "buy here, pay here" auto sales places. A bunch of people had unworking cars until they reserved this. It kind of makes you concerned for what the future could hold as we place more and more computerized control devices in cars and other electronic equipment.

http://www.dailytech.com/Disgruntled+Former+Employee+Wirelessly+Bricks+100+Cars+in+Texas/article17918.htm

I am reminded of a recent Onstar commercial where they remotely disable a stolen car so the police can catch it. While that sounds great, what would happen if a disgruntled employee got access to that system? It is very important that we make sure companies with that kind of control have very secure development processes. In this case, making it harder for a single employee to disable so many vehicles so quickly would have been a reasonable development limitation and would have limited the possible damage in a case like this.

Saturday, February 6, 2010

Sausage and Security Standards

Most of us have heard the statement that you never want to see 2 things being made: sausage or laws. Both are quite revolting when you get a close insight into the process.

I would probably add security standards to that list. I got to spend most of this week working with a standards group that was doing just that. This was my second time attending their meetings and while I found it very interesting, it is definitely a messy process.

People can very easily get on each others nerves in such an atmosphere, though I did find everyone remarkably cordial overall. Much of the week was outside my direct area of interest and the part that really fit my background seemed to get a bit bogged down in issues I was not as passionate about.

That said, I am still planning on attending the next meeting. I am working with a friend toward a valuable goal in this area and think it is both worth my time to go and a good part of my own learning process.

I do hope to be even more informed before my next meeting, though others have told me this is the normal pattern. The first few meetings you just listen and learn. Then, as you get more comfortable and can put more of the pieces together, you can be more involved in the debate/discussion/coordination.

Worth checking out if you are interested, but I will warn you that it can be boring! It can also be scary if you think of who the many good standards we have must have been made.... :)

Brad

Tuesday, January 26, 2010

More Secure with Age?

I was reading a column from CIO Insight magazine last night that made a very good point. The context was testing, but it applies to security as well. In Testing, Testing, John Parkinson discusses how complex systems are today and that this means that testing can never cover the entire system in the time allowed. His main point was that good practices up front are far more important than trying to find problems later.

This certainly applies to secure development as well. It is much better if we actively design systems to be secure than if we go through it later and try to test for all possible security vulnerabilities. Getting to this state is much harder than it sounds though, since most developers primarily focus on getting things to work, not giving much thought to making them secure, since that is often not even covered in the requirements. Developers will aim at what they are testing on and companies are only at the start of doing a good job integrating secure functionality as part of the requirements of new systems.

So far so good. This is the common message of those working in the secure development area today and it is even starting to take hold, though we have a long ways to go.

He made one good point that jumped out at me. He noted that we commonly think that code that has been around a long time is often more robust, since no problems have been found. This attitude is wrong though! Older code gets patched repeatedly during its life and those patches can have unexpected impacts on the system. Testing rarely covers as much of the system for changes than for a brand new system. Thus the older system is much more likely to have undiscovered problems.

The same is true with security. We think systems that have been around a long time and that have not been breached are secure, but all the ongoing changes are more likely to have caused security vulnerabilities we don't know about. Older systems are not necessarily more secure, even if we haven't found the problems yet!

This is certainly not a comforting thought, though it makes a lot of sense.

Brad

Thursday, January 7, 2010

Making Security a Game

One of the things I enjoy doing is playing Euro games. These are games like The Settlers of Catan and Ticket to Ride (though the get more complex). These are generally fairly easy to learn, with rules closer to Monopoly than the older more complicated wargames I grew up with (from Avalon Hill, SPI and such). These games also almost always have good fiddly bits that make playing an enjoyable tactile as well as mental experience.

I have been thinking that this would be a great format to teach people about information security, especially the basic principles. While I have not had the dedicated time to think about this beyond some basic thought, figuring out how to make it fun an interesting, while keeping it accurate, is a big challenge.

I realize that someone else could take this and make their own game, but that would be great for me. If it is any good, I would be sure to buy it!

Otherwise, I am going to keep thinking about this and seeing what I can think up. Having experience with a many of the games on the site I linked to should give me some ideas on mechanics that might work, so I should just have to figure out how to put it all in a fun format that accomplishes my learning goal, hopefully without people realizing that is even a goal!

Brad

Wednesday, January 6, 2010

What Does It Mean to Be Secure?

That is a key question we must address in our attempts to seek security for the information we work with. Knowing where you are going or at least having a good idea what you are aiming at is an important part of knowing when you are there.

How many really have an idea of what they are aiming for in their information security programs? Of course "compliance" or "meeting outside requirements" is a powerful driver in some form for many. I haven't seen many, outside of information security professionals, who wanted to make things secure "because it was the right thing to do."

If that is the goal, then information security will be pushed aside once management thinks they have reached the checkoff. Even if the checkoff is not a spoken goal, other needs will push the priority of other actions, making the checkoff the goal in effect.

A better approach is to raise awareness, especially in management, of the value and therefore desirability for secure operations. While this will still not be a "get there and rest" goal, it will help keep the motivation for work up over the long run, rather than just lasting long enough to reach the compliance doorknob.

Yes, information security is a process, not a goal, but we all work toward goals, not processes. We need to make sure everyone has a better goal in mind if we want to keep the process going.