Tag Archives: IT Governance

The effectiveness of access controls

With all due respect to Varonis and access controls in general (Just the area of Sharepoint is a fertile market for data security), the problem of internally-launched attacks is that they are all done by the “right” people and / or by software agents who have the “right” access rights.

There are 3 general classes of internal attacks that are never going to be mitigated by access controls:

Trusted insider theft

A trivial example is a director of new technology development at a small high-tech startup who would have access to the entire company’s IP, the competitive analyses, patent applications and minutes of conversations with all the people who ever stopped in to talk about the startup’s technology. That same person has access by definition but when he takes his data and sucks it out the network using a back-door, a proxy, an HTTP GET or just a plain USB or Gmail account – there is no way an Active Directory access control will be able to detect that as “anomalous behavior”.

Social engineering

Collusion between insiders, gaming the system, taking advantage of friends and DHL messengers who go in and out of the office all the time with their bags.

Side channel attacks

Detecting data at a distance with acoustic or Tempest attacks – for example. or watching parking lot traffic patterns….

Tell your friends and colleagues about us. Thanks!
Share this

Learning about change and changing your security

Reading through the trade press, DLP vendor marketing collateral and various forums on information security,  the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable – since it depends on your organization, the size of the business and type of operation.   However –

This is certainly true at a national security level where trusted insiders that committed espionage have caused considerable damage.  MITRE Corporation – Detecting Insider Threat Behavior

There are three core and interrelated problem in modern data security:

  1. Systems are focussed on rule-breaking (IDS, DLP, firewalls, procedures) – yet malicious insider can engage in data theft and espionage without breaking one of the IDS/IPS/DLP rules.
  2. The rules are static (standards such as ISO 27001 or PCI DSS 1.x) or slow-moving at best (yearly IT Governance audit)
  3. Ignore collusion between insiders and malicious outsiders whether for espionage purposes (a handler who manipulates an employee) or for criminal purposes (stealing customer data for resale).

You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) that may exploit employees in order to obtain confidential data is just another vulnerability in a whole line of business vulnerabilities.  Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures.   The organization needs to think literally  outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls.  In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow.  It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with  enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.

Tell your friends and colleagues about us. Thanks!
Share this

Risk in IT

Dissonance between IT and securityDissonance between IT and security management.

Mark Brewer wrote a thoughtful post on Risk in IT – I liked his use of the  term “resilient organizations”, although I have been using the term “robust organizations”.   The semantic difference between robustness and resilience may be related to the difference between IT and security management world-views.

“Risk in IT”  derives from a fundamental dissonance between information technology and security –

IT management is about planning and executing predictable business processes. Security is about planning for the the unpredictable.

This fundamental dissonance often causes a cultural schism between IT/CIO and Security/CSO. In many organizations the dissonance is amplified by two additional factors – a) splitting of physical and information security into two separate operations silos and b) external regulatory compliance.

Compliance as it pertains to security, finance and IT is often conveniently boxed into politically safe silos. OP (organizational politics) is not a bad thing, but multiple risk silos results in multiple and usually redundant costs. In addition, compliance results in the management board adopting policies that are not organically their own – which is dangerous in its own right.

The short answer to these issues is that security needs to build into (not bolt onto) the business strategy and business process itself.

Tell your friends and colleagues about us. Thanks!
Share this

Who is the key person in your security organization

In the late 80’s I was a hyperactive programmer at a small VAX/VMS software house.

We were group of 5 programmers – we had some nice accounts – like Intel, and National Semiconductor, Hadassah Hospital and Amdocs, but I always felt intimidated by the big IT integrators. One day – my DEC account manager told me that we should hold our heads high – he figured that our largest competitor didn’t have more than 1 or 2 experts at our level.

Are data security specialists like programmers – where the rock stars have 3 orders of magnitude better productivity than the average guy or gal?

And should we try to have one of these folks on the staff and make sure they are happy?

Tell your friends and colleagues about us. Thanks!
Share this

USDA bans non IE browsers

The new Israeli administration has invited Microsoft to head a government IT steering comittee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that as the world’s largest software vendor – they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Tell your friends and colleagues about us. Thanks!
Share this

Is security a washing machine?


Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Tell your friends and colleagues about us. Thanks!
Share this

Data security – is psychology more important than technology?

We had a discussion with a prospect for a DLP (data loss prevention) system) that started with discussing the pros and cons of various DLP solutions (Verdasys, Mcafee DLP, Websense, Fidelis Security) and finished with a drill-down into how they can build a business case to acquire and implement data security technology. After a very interesting session – the CIO asked me – “So why did you start with technology? we should have started with the business case?”  I replied – “Got your attention, didn’t I!”

Talking with clients we stress threat modeling and analysis and doing quantitative risk analysis but I believe that psychology may be more important than the technology. This is for several reasons:

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Network surveillance

Most companies have reasonable  perimeter security – i.e. a firewall and IDS (intrusion detection system) or IPS (intrusion prevention system).   Although  security people often view an IPS as the next generation of IDS; it’s important to distinguish between the roles of detection and prevention. Detection helps you understand what kind of attacks are being mounted (or potentially COULD be mounted on the network, and prevention (an IPS) is an access control security countermeasure – a way of keeping the bad guys off your network.

However, in my experience,  the same companies with well-managed firewall/IPS don’t have the foggiest notion of what’s leaving their network or what’s happening inside the network.

There is nothing like collecting data and validating the effectiveness of your security countermeasures.

This is why we need network surveillance.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this