<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Security and Risk Management Strategies Blog</title>
    
    <link rel="alternate" type="text/html" href="http://srmsblog.burtongroup.com/" />
    <id>tag:typepad.com,2003:weblog-1236750</id>
    <updated>2010-05-25T15:51:34-04:00</updated>
    <subtitle>Burton Group's Security and Risk Management Strategies Blog</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/SecurityAndRiskManagementStrategiesBlog" /><feedburner:info uri="securityandriskmanagementstrategiesblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry>
        <title>We've moved!</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/xZBqjzOCWHY/weve-moved.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/05/weve-moved.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef013481ae42fc970c</id>
        <published>2010-05-25T15:51:34-04:00</published>
        <updated>2010-05-25T15:51:34-04:00</updated>
        <summary>As part of the acquisition by Gartner, all Burton Group analyst blogging has moved to the Gartner Blog Network. For starters you can now find two familiar voices from the SRMS team on their shiny, new, individual blogs: Dan Blum...</summary>
        <author>
            <name>Ramon Krikken</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>As part of the acquisition by Gartner, all Burton Group analyst blogging has moved to the <a href="http://blogs.gartner.com">Gartner Blog Network</a>.</p><p>For starters you can now find two familiar voices from the SRMS team on their shiny, new, individual blogs:</p><blockquote><p><a href="http://blogs.gartner.com/dan-blum/">Dan Blum</a></p><p><a href="http://blogs.gartner.com/ramon-krikken/">Ramon Krikken</a></p></blockquote><p>Please do hop on over to the Gartner Blog Network and keep the conversations going!</p><xhtml:img xmlns:xhtml="http://www.w3.org/1999/xhtml" src="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~4/xZBqjzOCWHY" height="1" width="1" /></div></content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/05/weve-moved.html</feedburner:origLink></entry>
    <entry>
        <title>Expanding Security Coverage in Europe</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/1x4yNlauzeg/expanding-security-coverage-in-europe.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/03/expanding-security-coverage-in-europe.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef0133ec57af04970b</id>
        <published>2010-03-30T18:56:42-04:00</published>
        <updated>2010-03-30T18:56:42-04:00</updated>
        <summary>Blogger: Phil Schacter With an expanding base of clients in Europe, the team of Burton Group analysts within Gartner is hiring a senior level analyst (see specifics below), with a strong background in security and risk management. Please submit information...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Phil Schacter" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="risk management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="security" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;strong&gt;Blogger:&lt;/strong&gt; Phil Schacter&lt;/p&gt;
&lt;p&gt;With an expanding base of clients in Europe, the team of Burton Group analysts within Gartner is hiring a senior-level analyst (see specifics below) with a strong background in security and risk management. Please submit information on your interest and qualifications, as directed, and reach out to any contacts you may have within the Burton team to start this conversation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;-----&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Title: Senior Analyst – Security/Risk Management Strategies&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Location: Europe (preferably UK, Netherlands, Scandinavia)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;About Us&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day.&lt;/p&gt;
&lt;p&gt;In January 2010, Gartner completed the acquisition of Burton Group, a leading research and advisory firm that focuses on providing practical, technically in-depth advice to front-line IT professionals.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Opportunity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Together, our complementary services will focus on the entire spectrum of the technology market, from IT leaders to front-line IT professionals. We are now embarking on a growth period for Burton Group’s service offering in EMEA with the recruitment of a Senior Analyst to join our Security &amp;amp; Risk Management Strategies team, part of a global team focusing on this topic.&lt;/p&gt;
&lt;p&gt;The jobholder of this exciting opportunity will be responsible for creating high-quality, in-depth research documents or architecture positions in the fields of Information Security, Application Security, Infrastructure Security and related topics, followed by exceptional client engagements and dialogue resulting in actionable advice to Burton Group’s clients.&lt;/p&gt;
&lt;p&gt;In addition, the Senior Analyst will be responsible for speaking as a subject expert at Burton Group events/conferences and consulting engagements, as well as supporting sales and marketing activities.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Your Background, Experience &amp;amp; Skills&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The successful candidate will possess the following background and experience:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;At least 10 years of progressively senior experience gained in an end-user function, consulting and/or research roles as a technical expert in the following topics:
&lt;ul&gt;
&lt;li&gt;Infrastructure security for networks, computing, and storage systems&lt;/li&gt;
&lt;li&gt;Designing, developing, and validating secure applications&lt;/li&gt;
&lt;li&gt;Vulnerability and threat management&lt;/li&gt;
&lt;li&gt;Endpoint and mobile device and OS security mechanisms&lt;/li&gt;
&lt;li&gt;Securing information and information systems&lt;/li&gt;
&lt;li&gt;Security management processes and tools&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Excellent writing and research skills coupled with strong analytical skills&lt;/li&gt;
&lt;li&gt;Excellent presentation skills, including to large audiences (500+ people)&lt;/li&gt;
&lt;li&gt;Bachelor’s degree in Computer Science or a related area&lt;/li&gt;
&lt;li&gt;Ability to take a position, based on facts, and support that position to clients, both external and internal, with clear analysis&lt;/li&gt;
&lt;li&gt;Broad knowledge of industry trends and emerging technologies&lt;/li&gt;
&lt;li&gt;Ability to identify how changing technologies will impact technology choices in architectural decisions&lt;/li&gt;
&lt;li&gt;Ability to travel approximately 20% of the time, mostly within the EU but some international&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is an unrivalled opportunity to join the prestigious workforce of Burton Group/Gartner as we begin our unique and exciting collaboration. To apply, please forward your CV and covering letter to &lt;a href="mailto:peter.fay@gartner.com"&gt;peter.fay@gartner.com&lt;/a&gt; or visit &lt;a href="http://www.gartner.com/"&gt;www.gartner.com&lt;/a&gt; for more information.&lt;/p&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~4/1x4yNlauzeg" height="1" width="1"/&gt;</content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/03/expanding-security-coverage-in-europe.html</feedburner:origLink></entry>
    <entry>
        <title>Exploring the Myths and Challenges of Assessing IT Risk</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/-S9GGyTcPGg/exploring-the-myths-and-challenges-of-assessing-it-risk.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/03/exploring-the-myths-and-challenges-of-assessing-it-risk.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef01310fd8ebff970c</id>
        <published>2010-03-24T18:19:16-04:00</published>
        <updated>2010-03-24T18:19:16-04:00</updated>
        <summary>Blogger: Phil Schacter Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, what in-house and industry risk assessment...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="burtongroupcatalyst10" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Phil Schacter" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="risk" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="risk management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="security" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Phil Schacter</p>
<p>Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, what in-house and industry risk assessment methodologies are being used, and what challenges security and risk professionals are facing. This research started with interviewing 19 IT risk program managers and specialists representing over a dozen client organizations. Next, each analyst focused on a specific methodology to understand its capabilities, strengths, and weaknesses. The first four methodologies we examined were Carnegie Mellon University’s OCTAVE, the Information Security Forum’s IRAM, ISACA’s Risk IT Framework, and NIST SP 800-30. Documents covering each of these methodologies, a comparison of the four, and a summary of the risk assessment practices of the interviewed organizations will be published for Burton subscribers over the next couple of months. This research will also be featured in half-day sessions at Catalyst in Prague, April 19-22, and Catalyst in San Diego, July 26-30.</p>
<p>The Catalyst experience is unlike any other technology conference, with full days of exceptional presentations spread over four or five rooms. Each half-day or full-day topic combines the perspectives of analyst expert, customer architect/implementer, and industry solution providers. A conversation develops over the linked sessions in the topic track, building on what’s been said previously and driving towards a set of conclusions to close out the topic. These conversations continue into the breaks, as IT professionals from other organizations with similar challenges share their experience.</p>
<p>For this year’s Catalyst topic track on risk management, the program kicks off with an entertaining and informative investigation into the myths and realities of risk management, co-presented by Eric Maiwald and Trent Henry. This session also showcases the highlights from the research conducted over the last several months. The next presentation features another Burton expert, Bob Smock, sharing a specific example of using risk scorecards. In Prague, representatives from HSBC and Munich ReInsurance will separately present their perspectives on IT risk assessment. Customer speakers for San Diego are still in the selection process. Finally, the topic wraps up with Burton’s Jack Santos sharing his insights into how to communicate with executives about risk.</p>
<p>There’s still time to sign up to attend either of these upcoming Catalyst events, and I hope to see you there. For more information see the <a href="http://www.catalyst.burtongroup.com/">Burton Catalyst site</a>.</p><xhtml:img xmlns:xhtml="http://www.w3.org/1999/xhtml" src="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~4/-S9GGyTcPGg" height="1" width="1" /></div></content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/03/exploring-the-myths-and-challenges-of-assessing-it-risk.html</feedburner:origLink></entry>
    <entry>
        <title>Exit process: Don't let the door hit you on the way out!</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/t0XEITTIGwI/exit-process-dont-let-the-door-hit-you-on-the-way-out.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/03/exit-process-dont-let-the-door-hit-you-on-the-way-out.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef01310f9e642d970c</id>
        <published>2010-03-14T19:31:38-04:00</published>
        <updated>2010-03-14T19:31:38-04:00</updated>
        <summary>Blogger: Dan Blum According to The Register article TSA worker tried to sabotage terror database, feds say a contractor was caught planting malware in an important terrorist screening database. That this almost-disaster should happen to the TSA, part of a...</summary>
        <author>
            <name>Dan Blum</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Dan Blum" />
        
<content type="html" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Blogger: Dan Blum&lt;/p&gt;&lt;p&gt;According to The Register article &lt;strong&gt;TSA worker tried to sabotage terror database, feds say&lt;/strong&gt;, a contractor was caught planting malware in an important terrorist screening database. That this almost-disaster should happen to the TSA, part of a superpower’s Department of Homeland Security, has to make you stop and think.&lt;/p&gt;

&lt;p&gt;On a few occasions, when it was in scope for my document, I’ve recommended that organizations always “walk out” off-boarding staff immediately (both logically and physically). But I have to admit that isn’t a recommendation I realistically thought my clients would follow. Yet incident after incident proves it’s actually best practice.&lt;/p&gt;

&lt;p&gt;Why’s it so hard? Well, most people are taught to value trust and reciprocity from an early age, and they bring those values and ethics into the workplace. Communities can’t function well without these values (dare I call them “goodness”?); John Clippinger argues as much, eloquently, in “A Crowd of One: The Future of Individual Identity.” In the case of the TSA, the cultural values of trust and reciprocity are institutionalized by civilian government labor law and employment practices.&lt;/p&gt;

&lt;p&gt;How do we reconcile trust and reciprocity with some of the harsher best practices for organizations and communities? Not very well. As kids we’re also taught to be wary of strangers and to distrust. But educating kids (and employees!) to “trust yet distrust” is a practical necessity. How we might do a better job of contextualizing knowledge, awareness, education, and process, both in the young and in the organization, is part of that critical “human factor” of security.&lt;/p&gt;

&lt;p&gt;So how might one implement the best practice of walking employees out? First, decompose why it’s so difficult to follow: 1) we trust the person, 2) we need the person to “keep flying the airplane” until knowledge is transferred and projects finished, 3) we don’t want to create a cold, distrustful, or uncaring organizational climate. These are all valid concerns.&lt;/p&gt;

&lt;p&gt;Then contextualize the knowledge and awareness process that is part of the implementation of the “walk out” policy to address the objections to it. Since understanding and accepting why a policy applies improves human compliance dramatically, one might explain it as follows:&lt;/p&gt;

&lt;p&gt;“We have the walk out policy because it’s necessary to protect the security of associates, customers, or citizens. We follow it for all employees and it isn’t a negative reflection on anyone. We have HR guidelines to make it a kind and gentle, though quick and immediate, exit process. If you still need the associate’s help on projects we can arrange short-term consulting and provide guidelines for remote working, escorted site visits, or use of audited temporary accounts and escorted/observed sessions.”&lt;/p&gt;
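&lt;p&gt;The “logical” half of the walk-out deserves a concrete check, because disabling a password does not end access: live SSO and VPN sessions, API tokens and authorised SSH keys keep working until each one is revoked. The script below is an added example, not part of Dan Blum’s post, and it runs against a constructed in-memory identity store rather than a real directory; the principal, session, token and sponsor names are made up. It revokes every live credential in the same step as the disable, and it implements the “audited temporary account” alternative from the suggested explanation as a fresh, sponsored principal with a hard expiry, logging every temporary login.&lt;/p&gt;

```python
"""Immediate logical walk-out: revoke every live credential, not just the password.

Added example, not from the original post. The identity store is an in-memory
stand-in constructed for illustration; a real deployment would make the same
calls against the directory, SSO, VPN and key-management APIs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def hours_later(hours: float) -> datetime:
    """Clock helper so expiry can be exercised without sleeping."""
    return datetime.now(timezone.utc) + timedelta(hours=hours)


@dataclass
class Principal:
    name: str
    enabled: bool = True
    sessions: List[str] = field(default_factory=list)    # live SSO/VPN sessions
    api_tokens: List[str] = field(default_factory=list)  # long-lived tokens
    ssh_keys: List[str] = field(default_factory=list)    # authorised public keys
    expires_at: Optional[datetime] = None                # set only for temporary accounts
    sponsor: Optional[str] = None                        # who vouched for a temporary account


@dataclass
class IdentityStore:
    principals: Dict[str, Principal] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def audit(self, actor: str, event: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{stamp} actor={actor} {event}")

    def walk_out(self, actor: str, name: str) -> Principal:
        """Disable the account and, in the same step, revoke everything that could still authenticate."""
        p = self.principals[name]
        p.enabled = False
        # Disabling the password alone leaves these usable until they expire on their own.
        revoked = len(p.sessions) + len(p.api_tokens) + len(p.ssh_keys)
        p.sessions.clear()
        p.api_tokens.clear()
        p.ssh_keys.clear()
        self.audit(actor, f"walk_out subject={name} credentials_revoked={revoked}")
        return p

    def issue_temporary(self, actor: str, sponsor: str, name: str, hours: int) -> Principal:
        """Short-term consulting access: a new, sponsored, expiring principal, never the old one."""
        if name in self.principals:
            raise ValueError("temporary account must be a fresh principal")
        p = Principal(name=name, sponsor=sponsor, expires_at=hours_later(hours))
        self.principals[name] = p
        self.audit(actor, f"issue_temporary subject={name} sponsor={sponsor} hours={hours}")
        return p

    def authenticate(self, name: str, now: Optional[datetime] = None) -> bool:
        """Gate every login on enabled state and, for temporary accounts, on expiry."""
        now = now or datetime.now(timezone.utc)
        p = self.principals.get(name)
        if p is None or not p.enabled:
            return False
        if p.expires_at is not None and now > p.expires_at:
            p.enabled = False  # lapse is permanent; renewal needs a fresh sponsor decision
            self.audit("system", f"expired subject={name}")
            return False
        if p.expires_at is not None:
            self.audit("system", f"temporary_login subject={name} sponsor={p.sponsor}")
        return True


def demo() -> IdentityStore:
    """Constructed scenario: an exiting contractor with a live session, token and SSH key."""
    store = IdentityStore()
    store.principals["contractor1"] = Principal(
        name="contractor1",
        sessions=["sso-9f1"],
        api_tokens=["tok-42"],
        ssh_keys=["ssh-ed25519 AAAAC3exampleKey"],
    )
    store.walk_out(actor="hr-bot", name="contractor1")
    store.issue_temporary(actor="hr-bot", sponsor="project-lead", name="contractor1-tmp", hours=8)
    return store


if __name__ == "__main__":
    s = demo()
    print(s.authenticate("contractor1"), s.authenticate("contractor1-tmp"))
    print("\n".join(s.audit_log))
```

&lt;p&gt;Run as a script it prints the two login results (False for the walked-out account, True for the temporary one) followed by the audit trail. The design point is in walk_out: the disable and the revocation of sessions, tokens and keys happen in one step, so there is no window in which the old identity can still authenticate, and the temporary account is a distinct principal so the audit trail records its sponsor and every login it makes.&lt;/p&gt;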

&lt;p class="MsoNormal"&gt;&lt;p style="font-size: 12px; font-family: Arial;"&gt;&lt;o:p&gt;&lt;/o:p&gt;A separate issue remains: What if an associate anticipates being part
of layoff perceived as unfair or discovers, senses, or imagines that he in
particular is no longer wanted and will be fired? This is a psychological as
well as a confidentiality problem and must be addressed through knowledge and
awareness of psychology as well as other elements of the security program.&lt;/p&gt;&lt;span style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~4/t0XEITTIGwI" height="1" width="1"/&gt;</content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/03/exit-process-dont-let-the-door-hit-you-on-the-way-out.html</feedburner:origLink></entry>
    <entry>
        <title>Security in Context – Take 2</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/e8VJxd8SWAA/security-in-context-take-2.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/02/security-in-context-take-2.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef0120a8d83faa970b</id>
        <published>2010-02-26T11:47:16-05:00</published>
        <updated>2010-02-26T11:47:16-05:00</updated>
        <summary>Blogger: Eric Maiwald Back in November, I put up a blog post on Security in Context. I want to revisit that concept in light of a client question I received today. The client was asking about securing employee access to...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="burtongroupcatalyst10" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="perimeter, endpoint and data security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="risk management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Security program and governance" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Eric Maiwald</p>
<p>Back in November, I put up a blog post on <a href="http://srmsblog.burtongroup.com/2009/11/security-in-context.html">Security in Context</a>. I want to revisit that concept in light of a client question I received today. The client was asking about securing employee access to data – access anytime, anywhere, from any device. Clearly this is a problem that will only increase as enterprises move to the consumerization of client devices.</p>
<p>This is a business issue: the business wants employees to work wherever they are and whenever they want or need to. At the same time, the data those employees need is sensitive and must be protected. Simply saying “no, you cannot access the data” will not work. So how can the risk to the information be managed?</p>
<p>There are options, but all have disadvantages. Remote desktops keep the data on the server side, but they require good, reliable connectivity; if the business wants employees to work on airplanes, remote desktops probably will not do. Enterprise rights management (ERM) can limit data to authorized users and to authorized actions, but the choice of ERM solution depends on the format of the data, how the files will be created, and what the user needs to do with them. Client-side virtualization may be worth looking at in the future, but it will likely require some form of trusted hypervisor on the endpoint.</p>
<p>While it may seem that there is no real solution here, the fact is that there are potential solutions but these need to be evaluated within the context of the business problem. In this case, the problem is that sensitive information needs to be accessed by employees who are using unmanaged devices. A more detailed discussion needs to take place between security, IT, and the business to see which option offers the best solution to the problem.</p>
<p>Security in Context is the theme for security and risk management at Catalyst this year. Please join us April 19-22 in Prague or July 26-30 in San Diego for a discussion of Security in Context. If you are coming to Prague, you can use the promotion code “INSIDER” when you register for a discounted price of €995.</p></div></content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/02/security-in-context-take-2.html</feedburner:origLink></entry>
    <entry>
        <title>Beyond the Tipping Point: Responding to Operation Aurora </title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/0YFWPYLWqD4/beyond-the-tipping-point-responding-to-operation-aurora.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/02/beyond-the-tipping-point-responding-to-operation-aurora.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef0120a8b84153970b</id>
        <published>2010-02-19T17:20:41-05:00</published>
        <updated>2010-02-19T17:20:41-05:00</updated>
        <summary>Blogger: Dan Blum Hack attacks referred to as “Operation Aurora” by the multiple groups of Chinese hackers that reportedly perpetrated them from 2006 onwards hit at least 34 companies in the technology, financial and defense sectors. Ladies and gentlemen of...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="cyber security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Dan Blum" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Threat analysis" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Blogger: Dan Blum&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Hack attacks referred to as “Operation Aurora” by the multiple groups of Chinese hackers that reportedly perpetrated them from 2006 onwards hit at least 34 companies in the technology, financial and defense sectors. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Ladies and gentlemen of the jury, let me remind you that in this court of public opinion we do not have legal jurisdiction over the Government of China. We do not have to prove beyond reasonable doubt that said government is guilty of conducting a massive and continuing cyberwar linked in nefarious ways with an international world of cybercrime. Our life of information security is a civil life. Our response to Operation Aurora is a civil action. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;So do not ask me, as someone did during my &lt;/font&gt;&lt;a href="http://www.burtongroup.com/Client/Research/Document.aspx?cid=1947"&gt;&lt;font face="Calibri" size="3"&gt;“Threat Assessment in Dangerous Times” telebriefing&lt;/font&gt;&lt;/a&gt;&lt;font face="Calibri" size="3"&gt; (client access required) yesterday whether I can “prove” China was behind Operation Aurora. To reach a verdict in the civil court of life we don’t have the same standard or proof you saw required at the OJ Simpson trial, for example. We only need a preponderance of the evidence. We only need to be 51% sure, not 100% sure. Myself, and a lot of people, are well past 99% sure. Hillary Clinton, who spoke for the U.S. in officially denouncing the attacks, would not do so lightly, and would probably agree with me.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Get past the confusion about how we prove origin of incidents that begin with a threat behind smokescreens of onion routers and proxies in uncooperative jurisdictions. That is not the issue. Individuals and organizations, cast off your paralysis. Respond to Operation Aurora.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;But respond how? Google must have calculated it had less to lose in a China syndrome of continuing intellectual property theft and brand erosion. Google went public. But many other organizations export (or hope to export) to China. They fear the repercussions of standing up to China, even if they think (or know) that the government is perpetrating, supporting, or tolerating cyberattacks against them. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;span style="FONT-FAMILY: &amp;#39;Calibri&amp;#39;, &amp;#39;sans-serif&amp;#39;; FONT-SIZE: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;&lt;v:shapetype coordsize="21600,21600" filled="f" id="_x0000_t75" o:preferrelative="t" o:spt="75" path="m@4@5l@4@11@9@11@9@5xe" stroked="f"&gt;&amp;#0160;&lt;a href="http://bgsrms.typepad.com/.a/6a00d8341e76b553ef0120a8b84043970b-pi" style="DISPLAY: inline"&gt;&lt;img alt="IllegalFlowerTribute1" border="0" class="asset asset-image at-xid-6a00d8341e76b553ef0120a8b84043970b image-full " src="http://bgsrms.typepad.com/.a/6a00d8341e76b553ef0120a8b84043970b-800wi" title="IllegalFlowerTribute1" /&gt;&lt;/a&gt; &lt;br /&gt; &lt;v:stroke joinstyle="miter"&gt;&lt;/v:stroke&gt;&lt;v:formulas&gt;&lt;v:f eqn="if lineDrawn pixelLineWidth 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 1 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum 0 0 @1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @2 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 0 1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @6 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @8 21600 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @10 21600 0"&gt;&lt;/v:f&gt;&lt;/v:formulas&gt;&lt;v:path gradientshapeok="t" o:connecttype="rect" o:extrusionok="f"&gt;&lt;/v:path&gt;&lt;o:lock aspectratio="t" v:ext="edit"&gt;&lt;/o:lock&gt;&lt;/v:shapetype&gt;&lt;v:shape alt="cid:image001.jpg@01CAB136.746A3BF0" id="Picture_x0020_1" o:spid="_x0000_i1025" style="WIDTH: 372pt; HEIGHT: 279pt" type="#_x0000_t75"&gt;&lt;v:imagedata o:href="cid:image001.jpg@01CAB136.746A3BF0" 
src="file:///C:\DOCUME~1\PSCHAC~1\LOCALS~1\Temp\msohtmlclip1\01\clip_image001.jpg"&gt;&lt;/v:imagedata&gt;&lt;/v:shape&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font size="3"&gt;&lt;font face="Calibri"&gt;&lt;v:shapetype coordsize="21600,21600" filled="f" id="_x0000_t75" o:preferrelative="t" o:spt="75" path="m@4@5l@4@11@9@11@9@5xe" stroked="f"&gt;&lt;v:stroke joinstyle="miter"&gt;&lt;/v:stroke&gt;&lt;v:formulas&gt;&lt;v:f eqn="if lineDrawn pixelLineWidth 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 1 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum 0 0 @1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @2 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @3 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @0 0 1"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @6 1 2"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelWidth"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @8 21600 0"&gt;&lt;/v:f&gt;&lt;v:f eqn="prod @7 21600 pixelHeight"&gt;&lt;/v:f&gt;&lt;v:f eqn="sum @10 21600 0"&gt;&lt;/v:f&gt;&lt;/v:formulas&gt;&lt;v:path gradientshapeok="t" o:connecttype="rect" o:extrusionok="f"&gt;&lt;/v:path&gt;&lt;o:lock aspectratio="t" v:ext="edit"&gt;&lt;/o:lock&gt;&lt;/v:shapetype&gt;&lt;v:shape alt="cid:image001.jpg@01CAB136.746A3BF0" id="Picture_x0020_1" o:spid="_x0000_i1025" style="WIDTH: 372pt; HEIGHT: 279pt" type="#_x0000_t75"&gt;&lt;v:imagedata o:href="cid:image001.jpg@01CAB136.746A3BF0" src="file:///C:\DOCUME~1\PSCHAC~1\LOCALS~1\Temp\msohtmlclip1\01\clip_image001.jpg"&gt;&lt;/v:imagedata&gt;&lt;/v:shape&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;&lt;a href="http://commons.wikimedia.org/wiki/File:IllegalFlowerTribute1.jpg"&gt;http://commons.wikimedia.org/wiki/File:IllegalFlowerTribute1.jpg&lt;/a&gt; &lt;/font&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Commercial organizations may be in a quandary, but their publics and their governments will respond. To paraphrase what one panelist from a leading threat intelligence company said during my telebriefing: “We’ve blown past the tipping point where traditional protection paradigms apply. We’re in the third wave of electronic information protection. From worms and cyber pranks beginning in the 1970s we escalated to widespread cybercrime beginning in the 1990s and recently to cyberwar. Just think about the Estonia, Georgia, and Operation Aurora incidents. Governments are responding. Massive amounts of money will be thrown at the problem and for the next few years no one will know who is in charge.”&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;Government response is necessary because no individual and few organizations can resist the related juggernauts of China cyberwar and worldwide cybercrime. But government response is also dangerous and could make cyberwar worse. In my opinion, however, that risk is less than the risk of not responding to an unacceptable status quo.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;So my final editorial comment and advice is that if your organization thinks or knows it’s been attacked, try not to roll over and play dead. Go public like Google if you can or if you dare. The more companies and individuals speak out, the less any one of us will face repercussions, and the sooner we’ll see positive change.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;span style="FONT-FAMILY: &amp;#39;Calibri&amp;#39;, &amp;#39;sans-serif&amp;#39;; FONT-SIZE: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;&lt;font face="Calibri"&gt;But if you can’t go public, at least advocate among your peers for a discreet report of the incident either to law enforcement or to information sharing groups. Our public response to Operation Aurora and what will surely be ongoing problems of international cyberwar and cybercrime is going to require the best factual information about incidents, the best deliberations, and the best lobbying, diplomacy, legal, economic, and infrastructure responses possible. &lt;/font&gt;&lt;/span&gt;&lt;/div&gt;
</content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/02/beyond-the-tipping-point-responding-to-operation-aurora.html</feedburner:origLink></entry>
    <entry>
        <title>An Introduction to Data aliasing, AKA “tokenization” and “pseudonymization”</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/C1NqJ3J7mOw/an-introduction-to-data-aliasing-aka-tokenization-and-pseudonymization.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/02/an-introduction-to-data-aliasing-aka-tokenization-and-pseudonymization.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef012877972dd6970c</id>
        <published>2010-02-12T18:11:26-05:00</published>
        <updated>2010-02-12T18:11:26-05:00</updated>
        <summary>Blogger: Ramon Krikken I recently finished a set of documents on what we now call data aliasing. If nothing else, the issue of terminology proved to be a challenge, with different industries having their own terms to describe this process...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="application security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="data security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="database security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Ramon Krikken" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Blogger: Ramon Krikken&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;I recently finished a set of documents on what we now call data aliasing. If nothing else, the issue of terminology proved to be a challenge, with different industries having their own terms to describe this process of reversibly transforming confidential data into an alias that maintains, or is similar to, the original data format. In health informatics this transform is called pseudonymization, which allows private health information (PHI) to be de-identified for certain uses. In the world of payment systems it is called tokenization, and applies – perhaps obviously – to reduce the amount of sensitive card information subject to PCI-DSS regulation. To use a generalized term, data aliasing (as subset of data masking) it is.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;At the surface the concept is simple, but the devil – as usual – is in the details. There are different aliasing algorithms (randomization versus encryption), aliasing service architectures (interfacing, and location of databases), and application architectures (where is the aliasing performed). The choice of what to use, in today’s environment where product choices are limited, is not trivial. Luckily, as products mature we should see more flexible solutions that are conducive to supporting many of these options, and proper architectural planning can go a long way. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;However, the enterprise should not jump on the product bandwagon without considering the big picture. The business and IT should work together to decide on whether to suppress, redact, anonymize, or alias information in order to protect it (and consider not only the security pros and cons, but also those related to usability, availability, etc.) As I discussed in “&lt;strong&gt;&lt;a href="http://srmsblog.burtongroup.com/2009/12/will-2010-be-the-year-of-the-data.html"&gt;Will 2010 be &amp;quot;the year of the data?&amp;quot;&lt;/a&gt;&lt;/strong&gt; an information-centric security strategy is vital … perhaps we can use the current buzz around data aliasing, mostly in the form of data tokenization for PCI-DSS, as a way to focus on information as being the core asset. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="FONT-FAMILY: &amp;#39;Calibri&amp;#39;, &amp;#39;sans-serif&amp;#39;; FONT-SIZE: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;&lt;font face="Calibri"&gt;This is only the beginning of an ongoing thread on data management and data security. Joe Bugajski from our Data Management Strategies team and I will lead off the information-centric security track of our &lt;/font&gt;&lt;a href="http://catalyst.burtongroup.com/"&gt;&lt;font face="Calibri"&gt;Catalyst Europe conference&lt;/font&gt;&lt;/a&gt;&lt;font face="Calibri"&gt;, discussing how trends in data management and security interact and drive the needs and solutions in the enterprise. And at the &lt;/font&gt;&lt;a href="http://www.rsaconference.com/index.htm"&gt;&lt;font face="Calibri"&gt;RSA 2010 conference&lt;/font&gt;&lt;/a&gt;&lt;font face="Calibri"&gt; I will be on a panel to discuss tokenization in the payment industry. Hope to see you at these conferences, and stay tuned for more.&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
</content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/02/an-introduction-to-data-aliasing-aka-tokenization-and-pseudonymization.html</feedburner:origLink></entry>
    <entry>
        <title>Electronic Discovery and Privacy: Puzzling</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/b_TTm04D5Y4/electronic-discovery-and-privacy-puzzling.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/02/electronic-discovery-and-privacy-puzzling.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef0128776a4341970c</id>
        <published>2010-02-05T18:06:30-05:00</published>
        <updated>2010-02-05T18:06:30-05:00</updated>
        <summary>I was in Germany last week giving a talk on Unified Communication (UC) Security. UC involves the convergence of lots of different types of communication over IP (and thus, the Internet): voice, video, email, instant messaging, and so forth. It...</summary>
        <author>
            <name>Trent Henry</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="data security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Trent Henry" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/"><div xmlns="http://www.w3.org/1999/xhtml">
<p class="MsoNormal">I was in Germany last week giving a talk on Unified
Communication (UC) Security. UC involves the convergence of lots of different
types of communication over IP (and thus, the Internet): voice, video, email,
instant messaging, and so forth. It also creates new types of interesting
sensitive data, such as presence—where users are located, what types of devices
they use and their capabilities, and online status. Clearly, security teams
need to think about the security implications of UC, including protecting the
confidentiality and integrity of these channels.</p>

<p class="MsoNormal"><a href="http://bgsrms.typepad.com/.a/6a00d8341e76b553ef0120a867ee05970b-pi" style="float: left;"><img alt="Rubiks2" class="asset asset-image at-xid-6a00d8341e76b553ef0120a867ee05970b " src="http://bgsrms.typepad.com/.a/6a00d8341e76b553ef0120a867ee05970b-320wi" style="margin: 0px 5px 5px 0px;" /></a> They also
have to think very carefully about the electronic discovery of information that
flows through these channels. In the past, instant messages and voicemail were
considered short-lived. They were rarely saved for a significant period of time
and weren’t treated as essential records for doing business. In the world of
UC—where many different types of communication can be sent, saved, forwarded,
archived, and otherwise be endlessly manipulated—suddenly these assumptions change.
Executive voicemail messages with terms of a pending merger may be forwarded
via email; customer service interactions with clients may be recorded over
instant messages; a videoconference with the new sales manager may be saved on
the corporate portal. Each of these may be construed as critical business communications,
and under U.S. law may need to be preserved for evidence in court. (Certain
regulated industries may have already recognized such messages as business
communication and taken steps for retention and protection.)</p>

<p class="MsoNormal">The problem is a fundamental conflict between the data
preservation requirements of electronic discovery and the privacy protection
requirements of EU laws. Speaking with a German audience, we all nodded in
agreement about the dizzying array of Scandinavian, French, German, Swiss, and
other privacy requirements surrounding business data. To comply with privacy
law, many organizations choose to de-identify personal information in some way:
mask, anonymize, alias, redact, or otherwise obscure data records to ensure
that personal details can’t be linked to specific users (whether customers or
employees). Often this applies to metadata—logs, message envelopes, etc.—rather
than the content of a message, although it could be either. Generally, de-identification
satisfies privacy requirements, but it raises all sorts of interesting
complications for discovery. Once records or messages have been saved in this
modified state—with many details changed or removed—what’s their status as
evidence in court? Can the records be submitted to opposing counsel “as-is”
(de-identified)? Must they be reconstructed to include private details? Or do
they have to be originally saved in an unaltered state (re-introducing the
privacy problems we tried to avoid in the first place)? </p>

<p class="MsoNormal">The Sedona Conference (<a href="http://www.thesedonaconference.org/">www.thesedonaconference.org</a>) is
working on this problem. There’s acknowledgement in the legal community of the issues,
but there’s not enough precedent for security teams to know how to proceed at
this point.</p>

<p class="MsoNormal">What’s the next step? I shall fall back on the last refuge
of a security scoundrel with this advice: talk to your lawyers. However, some
of these issues were discussed at the 2009 Conference on Cross Border Data
Flows, Data Protection and Privacy. A panel discussion on Cross-Border
Discovery Conflicts highlights some practical steps that organizations can take
to tackle the problem. The Georgetown E-Discovery Law Blog nicely summarizes at
<a href="http://www.law.georgetown.edu/cleblog/post.cfm/2009-u-s-and-eu-conference-on-cross-border-data-flows-data-protection-privacy">www.law.georgetown.edu</a>.</p>

</div></content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/02/electronic-discovery-and-privacy-puzzling.html</feedburner:origLink></entry>
    <entry>
        <title>Operation Aurora Points Out the Need for Better Threat Assessment Process</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/1GRPe38sAAk/operation-aurora-points-out-the-need-for-better-threat-assessment-process.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2010/01/operation-aurora-points-out-the-need-for-better-threat-assessment-process.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef01287721e703970c</id>
        <published>2010-01-28T16:14:22-05:00</published>
        <updated>2010-01-28T16:14:22-05:00</updated>
        <summary>Blogger: Dan Blum The debate is ongoing about whether the Chinese government is behind the Operation Aurora cyberattacks. Certainly Google believes China launched the Hydraq trojan used to breached its defenses and compromise intellectual property. And it was that determination,...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="cyber security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Dan Blum" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Threat analysis" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;strong&gt;&lt;font size="3"&gt;&lt;font face="Calibri"&gt;Blogger: Dan Blum&lt;/font&gt;&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;strong&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;The &lt;/font&gt;&lt;a href="http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/"&gt;&lt;font face="Calibri" size="3"&gt;debate is ongoing&lt;/font&gt;&lt;/a&gt;&lt;font face="Calibri" size="3"&gt; about whether the Chinese government is behind the Operation Aurora cyberattacks. Certainly Google believes China launched the Hydraq trojan used to breached its defenses and compromise intellectual property. And it was that determination, plus an apparently principled decision to resist Internet censorship, that motivated Google’s strong response, in which the company publicly threatened to quit China.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;One can agree or disagree with this response. But let’s suppose the allegations are probably correct. If so, an attack by a nation state requires a different response than one by an external hacker, an insider, or other parties. And organizations with valuable intellectual property for the taking need to think about how they might deter, prevent, or respond to such attacks.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;In my research on the threat landscape and threat assessment, I’ve found that security vendors and IT security staff spend too little time focusing on the “people” or “political” aspects of the threat. Threat reports from the vendors cover malware and vulnerabilities, but they don’t always discuss the threat’s capabilities and intents, nor why one type of organization is targeted and another goes free. Ignoring these factors may create a significant blind spot. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;font face="Calibri" size="3"&gt;On February 17 at 2:00 ET and again on February 18 at 9:00 AM my “Threat Assessment in Dangerous Times” telebriefing will discuss my findings that organizations need to do a better job of assessing threats and developing defensive strategies. I’ll provide guidance on developing a threat assessment strategy and factoring threat intelligence into protection programs to avoid common mistakes and gain ground against adversaries. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;font face="Calibri" size="3"&gt;&amp;#0160;&lt;/font&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;span style="FONT-FAMILY: &amp;#39;Calibri&amp;#39;, &amp;#39;sans-serif&amp;#39;; FONT-SIZE: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: &amp;#39;Times New Roman&amp;#39;; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"&gt;&lt;font face="Calibri"&gt;I’ll also convene a small panel of experts to discuss threat assessment and the recent &amp;quot;Operation Aurora&amp;quot; attacks.&lt;/font&gt;&lt;/span&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~4/1GRPe38sAAk" height="1" width="1"/&gt;</content>



    <feedburner:origLink>http://srmsblog.burtongroup.com/2010/01/operation-aurora-points-out-the-need-for-better-threat-assessment-process.html</feedburner:origLink></entry>
    <entry>
        <title>Time to refocus on security context, behavior, and accountability</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/iAvScvrYV4Y/time-to-refocus-on-security-context-behavior-and-accountability.html" />
        <link rel="replies" type="text/html" href="http://srmsblog.burtongroup.com/2009/12/time-to-refocus-on-security-context-behavior-and-accountability.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341e76b553ef0120a78efcf2970b</id>
        <published>2009-12-30T16:47:34-05:00</published>
        <updated>2009-12-30T16:47:34-05:00</updated>
        <summary>Blogger: Phil Schacter For many years I’ve been a strong proponent of investing in identity infrastructure as the basis for enforcing strict access control policies. Many organizations now have mature identity systems that support such preventative identity-based access controls, although...</summary>
        <author>
            <name>Burton Group</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="accountability" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Phil Schacter" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="security" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="security and consumerization" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://srmsblog.burtongroup.com/"><div xmlns="http://www.w3.org/1999/xhtml">
<p class="MsoNormal" style="MARGIN: 0in 0in 10pt">Blogger: Phil Schacter</p>
<p class="MsoNormal" style="MARGIN: 0in 0in 10pt">For many years I’ve been a strong proponent of investing in identity infrastructure as the basis for enforcing strict access control policies. Many organizations now have mature identity systems that support such preventative identity-based access controls, although other organizations still struggle with provisioning and de-provisioning identity and entitlements. I haven’t changed my mind about the importance of identity and identity-based controls, but I now recognize that it’s not enough. There are too many cases where identity cannot be strongly established, due to the nature of the relationship, the potential for credentials to be compromised, and the uncertainty about whether the accessing device is in the possession of the authorized user. Equally or perhaps more important than identity is the security context in which the request to access the protected resource or system is made.</p>
<p class="MsoNormal" style="MARGIN: 0in 0in 10pt">Security context is a set of determinable factors concerning the request and the requesting user/device. These factors could include network location, geographic location, device identity and characteristics, chronological time context (i.e., relative to normal business hours), nature of the activity, and any special circumstances or unusual aspects of the request. Similar contextual and behavioral information is already used by financial systems to detect likely instances of credit card fraud. As organizations adapt to externalization, consumerization, and democratization of IT, there is less likelihood that the user/device accessing an IT system is an employee using an IT-managed device owned by the organization. Many non-employees will require access to specific business and IT services, hosted in a mix of private and shared data centers, from a variety of devices and locations.</p>
<p class="MsoNormal" style="MARGIN: 0in 0in 10pt">Security systems need to monitor and learn what behaviors and access patterns are normal, and which are more likely to involve compromised devices, co-opted credentials, or fraudulent activity by individuals with a direct or indirect relationship to the organization. The learned patterns of behavior then must be reviewed, internalized, and subsequently applied when making access decisions. Complementing this increased application of security context information are the logging and post-event analysis systems that ensure that criminal activity is identified and sufficient forensics information is available to support prosecution or civil litigation. In other words, establish accountability for actions as a deterrent.</p>
</div></content>
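A context-aware access decision of the kind described above, added here as an illustration and not code from the original post: it learns a per-user baseline from earlier requests, scores a new request on the listed factors (network and geographic location, device identity, time relative to business hours, nature of the activity), tolerates less risk for more sensitive resources, and returns the verdict with its reasons as the audit record that later supports accountability. The factor weights, thresholds, business hours, action names and sample data are constructed assumptions.

```python
from bisect import bisect_left
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class AccessRequest:
    user: str
    device_id: str
    managed_device: bool   # device identity and characteristics
    src_network: str       # network location: "corp", "vpn" or "internet"
    country: str           # geographic location
    when: datetime         # chronological time context
    action: str            # nature of the activity
    sensitivity: int       # sensitivity of the requested resource, 1 (low) to 3 (high)

@dataclass
class Baseline:   # learned 'normal' pattern for one user, built from prior access history
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    business_hours: tuple = (8, 18)   # assumed office hours, 08:00 to 18:00 local time

def learn_baseline(history):
    """Record the countries and devices seen in a user's earlier requests."""
    base = Baseline()
    for req in history:
        base.countries.add(req.country)
        base.devices.add(req.device_id)
    return base

def risk_score(req, base):
    """Additive score: each contextual anomaly contributes a weight and a reason."""
    checks = [
        (req.src_network == "internet", 2, "untrusted network"),
        (not req.managed_device, 2, "unmanaged device"),
        (req.device_id not in base.devices, 1, "device not seen before"),
        (req.country not in base.countries, 2, "country not seen before"),
        (req.when.hour not in range(*base.business_hours), 1, "outside business hours"),
        (req.action in ("bulk_export", "admin_change"), 2, "high-impact action"),
    ]
    hits = [(weight, why) for hit, weight, why in checks if hit]
    return sum(weight for weight, _ in hits), [why for _, why in hits]

def decide(req, base):
    """Allow, step-up (extra verification) or deny; the more sensitive the resource,
    the less contextual risk is tolerated. The result doubles as the audit record."""
    score, reasons = risk_score(req, base)
    limit = {1: 5, 2: 3, 3: 1}[req.sensitivity]
    # excess of 0 or less: allow; 1 to 2 over the limit: step-up; 3 or more: deny
    verdict = ("allow", "step-up", "deny")[bisect_left([0, 2], score - limit)]
    return {"user": req.user, "verdict": verdict, "score": score, "reasons": reasons}
```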



    <feedburner:origLink>http://srmsblog.burtongroup.com/2009/12/time-to-refocus-on-security-context-behavior-and-accountability.html</feedburner:origLink></entry>
 
</feed><!-- ph=1 -->
