<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0QHR3c7cSp7ImA9WhVSGEQ.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025</id><updated>2012-03-16T06:55:36.909-04:00</updated><category term="meta" /><category term="introductions" /><category term="practice" /><category term="spycamgate privacy" /><category term="secure living" /><category term="theory" /><category term="vision" /><category term="spycamgate" /><category term="pci" /><category term="crime" /><category term="governancy" /><category term="home life" /><category term="risk management" /><category term="professionalism" /><category term="compliance" /><category term="strategy" /><category term="standards" /><category term="governance" /><category term="privacy" /><category term="pci compliance" /><category term="policies" /><category term="mission" /><category term="charter" /><category term="HBGary" /><title>Defense Rests</title><subtitle type="html">Information Security without tears or apology.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://defense-rests.blogspot.com/" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" 
src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>20</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/blogspot/vexE" /><feedburner:info uri="blogspot/vexe" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;C0IGRHY9eip7ImA9Wx9UFEU.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-4355290319007195327</id><published>2011-02-11T21:36:00.004-05:00</published><updated>2011-02-11T22:32:05.862-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-02-11T22:32:05.862-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="professionalism" /><category scheme="http://www.blogger.com/atom/ns#" term="HBGary" /><title>Unethical Security Professional is a contradiction in terms</title><content type="html">&lt;span class="dropcaps"&gt;T&lt;/span&gt;his is a post I never thought I would write.  That I never thought I would have to write.  
Let me start with a quote from the &lt;a href="https://www.isc2.org/ethics/default.aspx"&gt;CISSP Code of Ethics&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Code of Ethics Canons:&lt;ul&gt;&lt;li&gt;Act honorably, honestly, justly, responsibly, and legally.&lt;/li&gt;&lt;li&gt;Provide diligent and competent service to principals.&lt;/li&gt;&lt;li&gt;Advance and protect the profession.&lt;/li&gt;&lt;/ul&gt; &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;Rather than walk you through the tale, you can &lt;a href="http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks?page=1"&gt;read about how three so-called security companies proposed to engage in activity ranging from the unethical to the illegal to "take down" WikiLeaks.&lt;/a&gt;   Don't take my word for it, don't even take The Tech Herald's word for it, &lt;a href="http://wikileaks.ch/IMG/pdf/WikiLeaks_Response_v6.pdf"&gt;read the proposal&lt;/a&gt; that so-called security firms HBGary, Palantir, and Berico Technologies delivered to Bank of America to attempt to "deal" with WikiLeaks through disinformation and "cyber attack."&lt;br /&gt;&lt;br /&gt;But don't stop there, this gets better.  And by better, I mean disgusting.  &lt;a href="http://thinkprogress.org/wp-content/uploads/2011/02/gehrke1.jpg"&gt;Read&lt;/a&gt; the e-mail by HBGary CEO Aaron Barr in which he attempts to show his Mad Hacker Skills by collecting information on the registrar of www.fixtheuschamber.org, including the "Jewish Church" he attends and information regarding &lt;b&gt;his children&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;There's more, but I think you get the idea.&lt;br /&gt;&lt;br /&gt;I do not believe it is possible for me to overstate this:  the activities proposed by these three companies are not things in which ethical human beings, let alone ethical security professionals, engage.  
&lt;br /&gt;&lt;br /&gt;This may not be a joke, but there's a punchline:  once word got out that Mr. Barr was representing himself as having "infiltrated" Anonymous, &lt;a href="http://img838.imageshack.us/img838/2294/internetsanon.jpg"&gt;Anonymous hacked into HBGary's network, put this announcement up on their web page, and obtained several dozen thousand e-mails... that they uploaded to  WikiLeaks.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Shortly after word about this got out, Palantir and Berico both cut their ties to HBGary, and issued public statements that they didn't know the firm was planning to use their products and services for the ends outlined in the proposal, even though their trademarked symbols appear in the document.  I reserve judgement.  I'd be more impressed by the press releases if they were accompanied by letters from attorneys regarding the dim view they take of unauthorized use of their brand marks.&lt;br /&gt;&lt;br /&gt;I do not have such reservations about HBGary.  Their statements to date have made vague assertions that some of the documents now circulating are forged.  Their statements to date are not categorical denials that they would ever dream of engaging in such conduct.  I can only conclude that HBGary as an institution and Aaron Barr as an individual do not subscribe to the most common principles of my profession.&lt;br /&gt;&lt;br /&gt;I think Palantir and Berico have the right idea, and I'm following suit, pre-emptively to some degree.  Full disclosure:  I have in the past had discussions with HBGary regarding employment.  That is now off the table:  I am a professional and will only work with reputable, ethical companies.  I strongly recommend my colleagues closely examine their relations with HBGary and ask themselves if that's a name they want on their resumes, or if Mr. Barr is someone they would be comfortable listing as a reference.&lt;br /&gt;&lt;br /&gt;Mr. 
Barr and his company are welcome to rebut my conclusion, but as things stand I sure wouldn't.</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/4355290319007195327/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2011/02/t-his-is-post-i-never-thought-i-would.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4355290319007195327?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4355290319007195327?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/-aYQNzwUx6o/t-his-is-post-i-never-thought-i-would.html" title="Unethical Security Professional is a contradiction in terms" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2011/02/t-his-is-post-i-never-thought-i-would.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkEMQngzfyp7ImA9Wx9TEUw.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-5398243146033528445</id><published>2010-11-18T13:55:00.002-05:00</published><updated>2010-11-18T15:04:43.687-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-11-18T15:04:43.687-05:00</app:edited><title>Time flies...</title><content type="html">&lt;span class="dropcaps"&gt;I&lt;/span&gt;t's hard to believe I haven't updated this in over six months!  
You might wonder why that is, though I suspect most people who read this read my personal blogs and already know about the whirlwind that is latter-2010.&lt;br /&gt;&lt;br /&gt;If you pay attention to things like author bios, you will have noticed that mine changed in July:  I have a new job.  I'm now the guy hiring the consultants to perform assessments rather than the consulting auditor, and there have been a million things to learn about my new environment.  There have also been a million things happening in my personal life -- nearly all good -- that have also required my attention.&lt;br /&gt;&lt;br /&gt;I'm not saying things are stabilizing, but I am saying I have been doing more writing of late, and if I can I'll be picking things back up, here.  In the meantime, if you're a newcomer, why not read through the past articles?  I've tried to choose topics that will take some time to go stale.</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/5398243146033528445/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/11/time-flies.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5398243146033528445?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5398243146033528445?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/zbqdXVwVJOc/time-flies.html" title="Time flies..." /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/11/time-flies.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04ERnczeSp7ImA9WxFRGEw.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-9161263734824093121</id><published>2010-05-02T11:46:00.003-04:00</published><updated>2010-05-02T11:58:27.981-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-02T11:58:27.981-04:00</app:edited><title>Something different: An information security parable</title><content type="html">&lt;span class="dropcaps"&gt;U&lt;/span&gt;sually, when we write about risk management, we talk about money.  Lots of risk has to do with money, so that makes sense.  But there's something lost, as well.  
This occurred to me this morning:&lt;br /&gt;&lt;br /&gt;Death is the only promise we have in this life.  Many religions make promises about life after, but I'm talking about this life, death is the only promise we have in this life.  Some say taxes are promised, but even governments fall.  I tell you three times:  Death is the only promise we have in this life.  To paraphrase Freddie Mercury, "Who dares to love, when love must die?"&lt;br /&gt;&lt;br /&gt;And yet, who does not love?&lt;br /&gt;&lt;br /&gt;As terrible as the price of love is, the price of not loving is greater still.  That, my friends, is also risk management.&lt;br /&gt;&lt;br /&gt;This, incidentally, touches on why my posting here has slowed a bit of late -- work's picked up a bit, and that time has to come from somewhere.  Part of my risk management is taking as little of that time from my loved ones as possible.  &lt;br /&gt;&lt;br /&gt;I hope you enjoyed your Beltane or May Day or what have you as much as I've enjoyed mine.</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/9161263734824093121/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/05/something-different-information.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/9161263734824093121?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/9161263734824093121?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/EA1MVQ_wk6k/something-different-information.html" title="Something different: An information security parable" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/05/something-different-information.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEAMQXk9eSp7ImA9WxFSGUo.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-3177355472178461813</id><published>2010-04-22T18:50:00.004-04:00</published><updated>2010-04-22T18:53:00.761-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-22T18:53:00.761-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="spycamgate privacy" /><title>Spycamgate Update:  Getting worse and worse</title><content type="html">&lt;span class="dropcaps"&gt;S&lt;/span&gt;ome time has passed since the last time I mentioned &lt;a href="http://defense-rests.blogspot.com/search/label/spycamgate"&gt;Spycamgate&lt;/a&gt;, the case of the rural Pennsylvania school at which an assistant principal was secretly activating the cameras built into the school-distributed laptops and watching kids in their bedrooms at home.&lt;br /&gt;&lt;a href="http://www.securitymanagement.com"&gt;Security Management&lt;/a&gt; magazine is reporting that &lt;a href="http://www.securitymanagement.com/news/attorney-requests-access-computers-possible-voyeur-school-administrator-007019"&gt;it’s worse than initially thought.&lt;/a&gt;  &lt;a name='more'&gt;&lt;/a&gt; It seems that on discovery during the civil suit already underway, over 400 images of one student have been found on the vice principal’s computer.  These are out of what appear to be thousands of photos of several students.  Some show these children sleeping. &lt;br /&gt;&lt;br /&gt;Some show these children changing clothes.&lt;br /&gt;&lt;br /&gt;E-mails regarding the practice of spying on children between the vice principal and others have come to light.  Someone told her that it’s like watching a soap opera.  Her response?  “I know. I love it!”&lt;br /&gt;&lt;br /&gt;They’re currently contacting other parents to tell them that a vice principal has been using their kids’ school-issued laptops as a personal peep show.  There may be a class action suit shortly thereafter, and there is still a criminal investigation being considered.</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/3177355472178461813/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/04/spycamgate-update-getting-worse-and.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3177355472178461813?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3177355472178461813?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/2MWyvDPRcM8/spycamgate-update-getting-worse-and.html" title="Spycamgate Update:  Getting worse and worse" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/04/spycamgate-update-getting-worse-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EEQ3g5fyp7ImA9WxFTFUU.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-7953811873353562280</id><published>2010-04-06T14:42:00.004-04:00</published><updated>2010-04-06T16:26:42.627-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-06T16:26:42.627-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="pci compliance" /><title>PCI III:  Addressing the Criticisms of the PCI DSS – Scope of Protection</title><content type="html">&lt;span class='dropcaps'&gt;I&lt;/span&gt;n &lt;a title='PCI II: Criticisms of 
the PCI DSS' href='http://defense-rests.blogspot.com/2010/03/pci-ii-criticisms-of-pci-dss.html'&gt;Part II&lt;/a&gt; of my PCI series, I listed the criticisms of the &lt;a href='http://www.pcisecuritystandards.org'&gt;PCI DSS&lt;/a&gt; I’ve heard to date and asked for readers to add to the list.  Nothing’s been added to date, so I’m going to address the list I have.  If more criticisms are raised later, I’ll address them at that time. &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Criticism: &lt;i&gt;&lt;b&gt;Achieving PCI DSS compliance does not protect all private information from all threats.&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I don’t think this is a valid criticism.  It’s an absolutely true statement, but it’s not a valid criticism.  It’s also a true statement that a Kevlar vest won’t protect you from drowning, but that’s not a valid criticism of Kevlar vests.  Kevlar is designed to mitigate the risk of getting shot, not every single thing that can kill you.  If Kevlar were designed to prevent drowning, it’d look a lot less like Kevlar and a lot more like a life vest.  Similarly, PCI only mitigates the risk of credit card number theft, not every single thing that you can have stolen.  Few people are likely to require you to wear Kevlar when they should be telling you to wear a life vest, and a good thing!  &lt;br /&gt;  &lt;br /&gt;A problem arises, however, when a company subject to PCI DSS compliance figures they can cut some corners and achieve broad security goals through the application of a narrowly designed standard.  It’s an approach doomed from the start because the PCI DSS is only concerned about the &lt;i&gt;merchant’s/service provider’s&lt;/i&gt; risk insofar as the merchant has a liability to the card brands if they don’t adhere to the standard.  
As I wrote before, PCI is about mitigating the &lt;i&gt;card brand’s&lt;/i&gt; and the &lt;i&gt;consumer’s&lt;/i&gt; risk associated with permitting that merchant or service provider to handle credit cards.  Square peg in a round hole, ugly duckling is a beautiful swan, brings a knife to a gunfight, pick the metaphor of your choice; this bus simply doesn’t go to that station.&lt;br /&gt;&lt;br /&gt;It can, however, get you on your way, and I do know someone who survived bringing a knife to a gunfight.  A PCI-DSS compliant set of people, process, and product can be leveraged to protect other information assets.  &lt;span class='pullright'&gt; I do know someone who survived bringing a knife to a gunfight. &lt;/span&gt;Likewise, a comprehensive information security program can provide PCI DSS compliance with a minimal amount of tweaking – if you happen to have one of those in place.  A disturbing number of companies spent decades ignoring warnings to mitigate their risks and now chickens are coming home to roost.  (I don’t think I have enough metaphors in this one…)&lt;br /&gt;&lt;br /&gt;I think this criticism is more properly addressed to those who see PCI DSS as the latest Answer To All Their Prayers… and to those vendors who position it that way in order to sell something.  I’m not going to name names at this time, but if you’ve got some maybe we can start a hall of shame.&lt;br /&gt;&lt;br /&gt;My readership may be small, but it’s diverse.  Do you see this sort of thing in your personal and professional lives?  What are some examples of successfully using one tool for many purposes?  What horror stories arise from trying to use a screwdriver as a hammer or vice versa?  Think I’ve missed something about this criticism?  I’d love to hear about it.</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/7953811873353562280/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/04/pci-iii-addressing-criticisms-of-pci_06.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7953811873353562280?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7953811873353562280?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/ssjrPBAYpz8/pci-iii-addressing-criticisms-of-pci_06.html" title="PCI III:  Addressing the Criticisms of the PCI DSS – Scope of Protection" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/04/pci-iii-addressing-criticisms-of-pci_06.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8MQXs5cCp7ImA9WxBaGUo.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-3656031876102809978</id><published>2010-03-30T15:14:00.007-04:00</published><updated>2010-03-30T15:21:20.528-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-30T15:21:20.528-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="strategy" /><category scheme="http://www.blogger.com/atom/ns#" term="theory" /><category scheme="http://www.blogger.com/atom/ns#" term="standards" /><category 
scheme="http://www.blogger.com/atom/ns#" term="governancy" /><category scheme="http://www.blogger.com/atom/ns#" term="policies" /><title>Governance Part 4: Standards</title><content type="html">&lt;span class="dropcaps"&gt;W&lt;/span&gt;e’ve covered how management uses &lt;a href='http://defense-rests.blogspot.com/2010/03/governance-part-3-policies.html'&gt;policies&lt;/a&gt; to govern an undertaking, whether that’s a business, a household, or one’s career.  Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality.&lt;br /&gt;&lt;br /&gt;The relationship between a policy and a standard is similar to the relationship between &lt;a href='http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html'&gt;a vision and a mission&lt;/a&gt;: &lt;a name='more'&gt;&lt;/a&gt; &lt;span class="pullright"&gt;Policies rarely translate directly into specific instructions&lt;/span&gt;Standards are management’s requirements for conducting business in a way that complies with policy.  Being high-level documents, policies rarely translate directly into specific instructions on how to perform specific tasks.   This is as it should be.  After all, policy statements come from executive management.  Do you want to have to get the Mayor of your city to sign off every time you try a different light bulb, or do you want to be able to just swap light bulbs as long as they fit in the socket and won’t short-circuit your house?  &lt;br /&gt;&lt;br /&gt;A standard bridges that gap.  A well written policy will specify which role has the responsibility of setting and updating the standard.  That’ll generally be someone in middle management who either has the technical expertise to set the standard, or has those people reporting to them.  Frequently, that’s a simple task for the middle manager, as they can point to an industry standard and say, “Our standard is to meet that standard.”  
As a result, you don’t have to rewire your lamps every time you move from one city to another.  It’s also why you need a special adapter when you go to Europe.  &lt;br /&gt;&lt;br /&gt;There are many technical standards, but they are not the only standards.  There are ethical standards, moral standards, and professional standards.  They are as important as the technical ones, and much harder to define and implement, as world history shows.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;When I audit governance processes, standards are part of what I look at. &lt;span class="pullleft"&gt;Standards are not only for technology&lt;/span&gt;There are several things an auditor checks to see, so it makes sense for you to check as well.  Are the standards complete, meaning does every policy have a standard that supports it?  Do the standards correctly reflect the policies they support?  Are they consistent with one another, and if not has management indicated which prevails?  Leaving that decision to middle management is a Bad Thing.&lt;br /&gt;&lt;br /&gt;I hope this has been a helpful explanation of standards, why they’re important, and what makes them good.  What standards do you have in your life or business?  Do they ever come into conflict with one another?  If so, how do you resolve them?&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/qmQwy1aD3W0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/3656031876102809978/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/governance-part-4-standards.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3656031876102809978?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3656031876102809978?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/qmQwy1aD3W0/governance-part-4-standards.html" title="Governance Part 4: Standards" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/governance-part-4-standards.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EHQXc7eSp7ImA9WxFTFUU.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-4790792858360534706</id><published>2010-03-22T17:02:00.004-04:00</published><updated>2010-04-06T16:27:10.901-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-06T16:27:10.901-04:00</app:edited><title>PCI II: Criticisms of the PCI DSS</title><content type="html">&lt;span class='dropcaps'&gt;H&lt;/span&gt;aving given &lt;a href='http://defense-rests.blogspot.com/2010/03/compliance-pci-in-very-small-nutshell.html'&gt; a very brief explanation of the PCI DSS standard&lt;/a&gt; and how the 
credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I’m going to continue this series by discussing the controversy surrounding the standard. &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let me begin by stating the position I intend to defend in this blog:  I believe the requirement that merchants and service providers adhere to the standard is an appropriate means of mitigating the credit card company’s risk – to say nothing of consumers.    I believe that PCI DSS compliance benefits credit card companies, consumers, merchants, and service providers.  In every PCI DSS engagement I’ve been involved in, becoming compliant has directly resulted in the merchant or service provider mitigating their own risk.  This is not to say that the standard is perfect – the PCI council recognizes that and the standard evolves as a result.  &lt;br /&gt;&lt;br /&gt;Finally, if a business can’t afford to be PCI compliant, they can’t afford to possess credit card information, and the penalties of PCI DSS noncompliance correctly highlight this fact. 
There are ways for such businesses to accept credit cards from customers without posing an undue risk to their customers, and it behooves them to avail themselves of those methods and services.&lt;br /&gt;&lt;br /&gt;I want to be sure that I’m addressing all the criticisms of the standard, so I’m listing the ones I’ve picked up to date: &lt;ol&gt;&lt;li&gt;Achieving PCI DSS compliance does not protect all private information from all threats.&lt;/li&gt;&lt;li&gt;PCI DSS compliance has commanded resources that might have otherwise been spent on projects of more importance to a given company’s Infosec department.&lt;/li&gt;&lt;li&gt;The cost of achieving PCI DSS compliance puts it beyond the reach of small merchants, exposing them to fines and liabilities that could well be rapidly ruinous to their businesses.&lt;/li&gt;&lt;li&gt;The assertion that “None of the merchants that have been compromised are PCI DSS compliant” is a tautology because vagueness in the standard permits the Council to retroactively declare any merchant who has been compromised non-compliant.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;If you have or have seen another one, please comment and let me know.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/YbXQnsGFys4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/4790792858360534706/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/pci-ii-criticisms-of-pci-dss.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4790792858360534706?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4790792858360534706?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/YbXQnsGFys4/pci-ii-criticisms-of-pci-dss.html" title="PCI II: Criticisms of the PCI DSS" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/pci-ii-criticisms-of-pci-dss.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A04CQHw4cSp7ImA9WxBaEkU.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-5138113766416618079</id><published>2010-03-19T15:16:00.008-04:00</published><updated>2010-03-22T16:32:41.239-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-22T16:32:41.239-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="pci" /><category scheme="http://www.blogger.com/atom/ns#" term="compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><category scheme="http://www.blogger.com/atom/ns#" term="practice" 
/><title>Compliance:  PCI in a very small nutshell</title><content type="html">&lt;i&gt;Disclosure&lt;br /&gt;I am certified as a Payment Card Industry (PCI) Qualified Security Assessor (QSA).  I am frequently paid to perform PCI audits, to advise people on how to fill out their Self Assessment Questionnaire (SAQ), and how to identify and remedy gaps in security that would prevent them from complying.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="dropcaps"&gt;P&lt;/span&gt;reviously, I’ve written about &lt;a href="http://defense-rests.blogspot.com/2010/03/risk-management-you-are-risk-manager.html"&gt;identifying&lt;/a&gt; risks and &lt;a href="http://defense-rests.blogspot.com/2010/03/risk-management-risk-mitigation.html"&gt;handling&lt;/a&gt; &lt;a href="http://defense-rests.blogspot.com/2010/03/managing-risk-through-acceptance-and.html"&gt;them&lt;/a&gt;.  I’ve asserted, and indeed it is my fundamental thesis in this blog, that risk management is something everyone does, and that if done mindfully and consciously we live happier and better lives personally and professionally.   That never means there aren’t complications and challenges to face, and today I’m writing about one of them.&lt;br /&gt;&lt;br /&gt;It should come as no surprise that if everyone evaluates their own risks, different people come up with different risks and ideas about how to manage them. &lt;a name='more'&gt;&lt;/a&gt; A cost may be acceptable to one person, but not another.  Worse, the price one person may be willing to pay to mitigate a threat may itself be the threat someone else is trying to manage.  For example, there have been plenty of people willing to sacrifice some amount of their civil liberties in order to mitigate the risks associated with terrorism, drugs, what-have-you; while others see “We might lose some civil rights” as a great big threat.  Obviously, different people’s risk management decisions interact with one another, and that interaction has to be mediated.  
As a society, we have developed a number of tools for this purpose – government for one.  Compliance is another.&lt;br /&gt;&lt;br /&gt;Compliance is how someone requires someone else to manage risk to their satisfaction.  The regulating body defines a standard that the regulated body must meet in order to avoid some penalty.  If the regulating body is a government, that penalty may be a fine, jail time, or revocation of a business license.  In the U.S., it can also be loss of access to other government regulated bodies, such as stock markets.  With the PCI DSS, the penalty is being on the business end of a great big &lt;a class='defword' title="Risk assignment: mitigating risk by redirecting the impact to someone else."&gt;risk assignment&lt;/a&gt; and losing the right to take credit cards – a pretty compelling case to any business that needs to accept credit cards in order to have customers.   &lt;br /&gt;&lt;br /&gt;You may recall that there have been quite a few credit cards stolen from online businesses over the last decade or so.  Generally, this has been possible because the business’s security program didn’t provide enough protection to credit card numbers.  Every time that happened, banks were impacted because they had to cut a mighty big check in order to replace all the compromised credit cards, keep on the lookout for fraudulent card use, etc.  &lt;span class='pullleft'&gt; The &lt;a href="http://www.pcisecuritystandards.org"&gt;PCI Data Security Standard (DSS)&lt;/a&gt; is how credit card companies manage their risk.&lt;/span&gt;  Worse, every time that happened, the public’s confidence in credit cards got a little shakier.  I’m sure you remember a time when you wouldn’t have dreamed of using your credit card to buy something on the Internet.  If you’ve been the victim of identity theft, you may well still feel a twinge of lingering pain when you use your new card – if you’re willing to use it online at all.  
Banks only make money on credit cards if people have them and use them, so this rapidly became a huge risk.  The &lt;a href="http://www.pcisecuritystandards.org"&gt;PCI Data Security Standard (DSS)&lt;/a&gt; is how credit card companies manage their risk.   It tells anyone who handles their customers’ credit card data what they must do to protect it.  The incentive to meet that standard is to avoid fines, avoid losing the right to accept credit cards, and avoid being assigned all the costs associated with that information getting stolen – if a merchant or service provider is compliant and the bad guys still make off with the card information, the banks agree to eat it.  All the merchant or service provider has to do is comply and they’re home free.  This should be an easy call when the merchant or service provider does its risk management:  The impact of a fine that doubles every month is big, the risk of losing the right to take credit cards might mean someone closes down tonight, and TJX has had to pay &lt;a href="http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/"&gt;upwards of a quarter billion-with-a-b dollars&lt;/a&gt; for their breach.  Compliance is an easy call, right?&lt;br /&gt;&lt;br /&gt;You knew better than that.  Several years later, there’s been quite a bit of &lt;a href="http://www.csoonline.com/article/488431/Critics_Tear_Into_PCI_Security_Rules_at_Hearing"&gt;controversy&lt;/a&gt; &lt;a href="http://www.csoonline.com/article/494860/PCI_Debate_Ignores_Planned_Improvement_Cycle"&gt;about&lt;/a&gt; &lt;a href="http://chuvakin.blogspot.com/2010/02/shmoocon-2010-our-pci-dss-panel.html"&gt;the&lt;/a&gt; &lt;a href="http://www.mckeay.net/2010/03/15/the-great-pci-debate-with-special-guest-appearance/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+MartinMckeaysNetworkSecurityBlog+%28Network+Security+Blog%29"&gt;standard&lt;/a&gt; within the security industry.  
Compliance isn’t cheap, and that cost can be just as big a threat to a small business as the risk that’s just been assigned to them as part of the card merchant agreement if they don’t comply.  It’s shifted the risk analysis the merchant or service provider is doing.  Worse, in this economy infosec budgets are shrinking anyway.  That means that this expensive compliance effort might just soak up the entire budget that the CISO had been hoping to use to mitigate another risk.  Nor do compliance requirements generally let IT executives off the hook to their bosses to spend their finite time and effort on projects that actually generate revenue.  &lt;br /&gt;&lt;br /&gt;These are real concerns, and they’re just the tip of the iceberg.  But they needn’t send businesses running back to taking cash and checks only.  IT and InfoSec people can also use these concerns, and the road by which so many companies have come to the horns of this dilemma, as an opportunity.  It’s largely a matter of understanding what PCI is and isn’t, of making sure the boss understands it, and of welcoming it as an opportunity to live more mindfully rather than a wound in need of a band-aid.  Next time, I’ll talk about the risks of PCI compliance and how to avoid them.&lt;br /&gt;&lt;br /&gt;Have you encountered PCI in your work life?  What are your experiences?  What headaches did you find and how did you handle them?  I’d love to hear about it.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/mhzD8-ounaw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/5138113766416618079/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/compliance-pci-in-very-small-nutshell.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5138113766416618079?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5138113766416618079?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/mhzD8-ounaw/compliance-pci-in-very-small-nutshell.html" title="Compliance:  PCI in a very small nutshell" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/compliance-pci-in-very-small-nutshell.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkIMSHw-eCp7ImA9WxBaFUk.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-5743099616080882397</id><published>2010-03-15T15:41:00.003-04:00</published><updated>2010-03-25T15:16:29.250-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-25T15:16:29.250-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="theory" /><category scheme="http://www.blogger.com/atom/ns#" term="secure living" /><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><title>Managing Risk Through Acceptance 
and Assignment</title><content type="html">&lt;span class="dropcaps"&gt;L&lt;/span&gt;ast week, we looked at &lt;a href="http://defense-rests.blogspot.com/2010/03/risk-management-risk-mitigation.html"&gt;risk mitigation&lt;/a&gt;.  If you do something to reduce your vulnerability to a threat, or the impact of that threat, the risk goes down.  Your personal firewall, your anti-virus system, the lock on your front door, and the umbrella you carry when it looks cloudy out are all examples of risk mitigation.  It’s a very popular way to manage risk, and literally billions of dollars of the economy consist of people the world over mitigating trillions of dollars of risk.   Mitigation very nearly always costs money, and frequently it’s the most cost effective way to manage one’s risk, but there are others.  Today we’ll take a short look at two of them:  Acceptance and Assignment. &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Risk Acceptance&lt;/u&gt; is simply saying, “I can live with that.”  It’s a perfectly valid choice to make, as long as you actually can live with it.  One of the most common errors in business and in life is telling yourself “I can live with that” when you really mean “I don’t think this’ll actually happen to me.”  &lt;span  class='pullright'&gt;If you think you can accept a hundred dollar loss, have three hundred in the bank.&lt;/span&gt;That’s not risk management; it’s ignoring one’s own risk assessment.  It’s not even gambling:  gamblers know the odds.  It’s such a common pitfall that my sister was able to write her PhD thesis on how that error gets lots of people into worlds of trouble.  My advice is that if you think you can accept a one hundred dollar loss per year, have three hundred dollars in the bank that you weren’t doing anything else with.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Risk Assignment&lt;/u&gt; reduces the impact of a threat by getting someone else to be impacted by it.  
When you buy insurance, the theory is that in exchange for a monthly payment the insurance company agrees to have certain of your risks assigned to them.  If you buy auto insurance and get into a car accident, they pay for the damages.  If you were drunk when you got into the accident, they don’t pay, because driving drunk is more risk than they agreed to accept.  Unsurprisingly, risk assignment poses its own risks, as amply illustrated throughout the current national health care debate we’re having in the U.S.  &lt;br /&gt;Insurance isn’t the only form of risk assignment.  In contract law there’s indemnification, where you agree to “hold someone harmless” – a fancy way of saying you’ll pay for any damages that arise.  Of course, indemnification has its limits:  You can’t do someone’s jail term for them.  In business there’s also the principle of “externalization.”  You may have heard the term “externality.”  An externality is a cost that someone else has to pay.  For example, credit card companies assign the risk that someone will use a stolen credit card fraudulently to buy merchandise by requiring merchants to agree to suffer the loss rather than the credit card company or the cardholder.  &lt;br /&gt;&lt;br /&gt;Are you using all these approaches to manage your risk today, whether you think about it or not?  I bet so.  How else do you manage your risks?  Do you think you’ve got the right balance between the three approaches?  What risks have you decided to accept?  I’d love to hear about it.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/CDj29cSP_R0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/5743099616080882397/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/managing-risk-through-acceptance-and.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5743099616080882397?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/5743099616080882397?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/CDj29cSP_R0/managing-risk-through-acceptance-and.html" title="Managing Risk Through Acceptance and Assignment" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/managing-risk-through-acceptance-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0AAQHw5cSp7ImA9WxBbFUQ.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-9136591768762584795</id><published>2010-03-09T17:04:00.008-05:00</published><updated>2010-03-14T14:35:41.229-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-14T14:35:41.229-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="theory" /><category scheme="http://www.blogger.com/atom/ns#" term="secure living" /><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><title>Risk Management: Risk 
Mitigation</title><content type="html">&lt;span class="dropcaps"&gt;L&lt;/span&gt;&lt;a href="http://defense-rests.blogspot.com/2010/03/risk-management-you-are-risk-manager.html"&gt;ast week&lt;/a&gt;, I started talking about risk management by talking about how it relates to something as mundane as forgetting your car keys.  I’m going to stick with that analogy as we discuss how to use risk assessment to understand whether you’re happy with the risk you have or if it’s worth spending some money to mitigate that risk. &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Recall that we expressed the risk a lockout poses in dollars (or perhaps a dollar estimate), largely based on the cost of waiting around for a locksmith to let you into your car.   Now suppose I offer you a service:  I’ll keep a copy of your car key, and at any time of day or night if you lock yourself out of your car I’ll come bring you the spare. That would reduce the vulnerability to zero, and therefore the risk as well.   How much would you pay for this service?  It depends on your risk – if I charge $1000 a year for this service, you’d be foolish to eliminate a $5 risk (or even a $100 risk) by paying me.  If I charge $150, it’d make sense if you have a $200 risk, but not a $5 risk.&lt;br /&gt;&lt;br /&gt;Suppose I’ll only bring you the key if you lock yourself out of your car in the daytime.  I’m no longer eliminating your risk, I’m merely mitigating it.  Because the solution only works half the time, it’s reducing your vulnerability from .5 to .25.  That turns a $200 risk into a $100 risk, and a $5 risk into a $2.50 risk.  I think you can do the math to figure out how much you’d pay for this service in these cases.&lt;br /&gt;&lt;br /&gt;That’s it!  Risk management is figuring out what can go wrong, what will happen if it does go wrong, how likely it is to happen, and how well defended you are against it.  
If you know all that, you know what it makes sense to spend time and money on in the name of safety.&lt;br /&gt;In the financial industry, it gets a lot more complex than that.  People who trade options measure the risk of every single thing that can happen to change the value of a given option, and that’s calculus.  For most people, what I’ve outlined here can get you through the day.&lt;br /&gt;&lt;br /&gt;I’ve kept the example simple, but it’s important to take the time to understand everything that goes into calculating impact.  For example, we based the impact of getting locked out of the car on the charge for a locksmith.  &lt;span class='pullright'&gt;Take the time to understand everything that goes into calculating impact.&lt;/span&gt; Suppose the locksmith is going to take an hour to get to you?  How much is your time worth?  If I promise to get to you in fifteen minutes, that might make my service the better deal even if I cost more than the locksmith does.  In business, hidden costs like this often lead to security costing more than people expected it to.&lt;br /&gt;&lt;br /&gt;What happens if you figure wrong about one of these numbers?  You’ll find out about it when the incident costs you more or less than you thought it would, update your risk analysis, and get on with life.  But the risk of an incorrect risk analysis is one of the threats you’re thinking about, right?&lt;br /&gt;&lt;br /&gt;Where are you already doing risk mitigation?  Do you run and maintain security software on your computer?  If not, did you decide you’d rather live with the risk of infection, or that the cost of recovery is cheaper than the cost in time and money of an anti-virus package?   Would you rethink that if I told you that you could have an anti-virus package for free?  Does thinking about and understanding the risks you face in life, and knowing how you’ll handle them, ease your mind?  Let me know!&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=2btGUTtnAVY:llziKxLQGrk:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=2btGUTtnAVY:llziKxLQGrk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=2btGUTtnAVY:llziKxLQGrk:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=2btGUTtnAVY:llziKxLQGrk:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=2btGUTtnAVY:llziKxLQGrk:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/2btGUTtnAVY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/9136591768762584795/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/risk-management-risk-mitigation.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/9136591768762584795?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/9136591768762584795?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/2btGUTtnAVY/risk-management-risk-mitigation.html" title="Risk Management: Risk Mitigation" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/risk-management-risk-mitigation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0ANRHY5eSp7ImA9WxBbFUQ.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-7664168404966547160</id><published>2010-03-05T14:58:00.016-05:00</published><updated>2010-03-14T14:36:35.821-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-14T14:36:35.821-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="strategy" /><category scheme="http://www.blogger.com/atom/ns#" term="theory" /><category scheme="http://www.blogger.com/atom/ns#" term="secure living" /><category scheme="http://www.blogger.com/atom/ns#" term="governance" 
/><category scheme="http://www.blogger.com/atom/ns#" term="policies" /><title>Governance Part 3: Policies</title><content type="html">&lt;span class='dropcaps'&gt;I&lt;/span&gt;n &lt;a title="Governance Part 2: Charters, Visions, and Missions" href="http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html"&gt;Part 2&lt;/a&gt;, we discussed &lt;a class='defword' title='Vision: A statement of what one wants to accomplish.'&gt;Visions&lt;/a&gt;, &lt;a class='defword' title='Mission: A statement of how one will achieve one’s vision.'&gt;Missions&lt;/a&gt;, and &lt;a class='defword' title='Charter: A grant of authority to do something.'&gt;Charters&lt;/a&gt;, which respectively define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it.   Today, we’ll discuss how &lt;a class='defword' title='Policy: A statement of how management expects itself and its subordinates to conduct business.'&gt;policies&lt;/a&gt; tell everyone to execute the charter to accomplish the mission that realizes the vision.  (If I can make this into a spoof of &lt;a title="The Court of King Caractacus lyrics" href="http://www.csufresno.edu/folklore/drinkingsongs/mp3s/1990s/1990s-by-popular-demand--seamus-kennedy-%28CD%29/09-the-harem-of-the-court-of-king-caractacus.htm"&gt;The Court of King Caractacus&lt;/a&gt;, why not?)&lt;br /&gt;&lt;br /&gt;Humor aside, a policy is a high level statement from senior management to the enterprise describing how it expects everyone to conduct business.  &lt;a name='more'&gt;&lt;/a&gt; Consider this example:&lt;br /&gt;“We minimize risk of inefficiency and data theft by possessing only the data we need.  Data owners keep records for as long as we need them for our business purposes or to satisfy regulatory requirements, then destroy them.  Business Unit owners determine retention times for business purposes.  The Compliance Officer determines which regulatory requirements are applicable.  
The Information Security Officer ensures data is destroyed in a timely fashion.”  That is a policy.   The elements of the policy are:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Defines a specific strategy for doing something, in this case managing risk by not keeping data around once it’s not needed.&lt;/li&gt;&lt;li&gt;Defines the &lt;a class='defword' title='Role: a set of duties to be carried out by an assigned individual.'&gt;roles&lt;/a&gt; required for carrying out the policy.  Here, the roles are Data Owner, Business Owner, Compliance Officer, and Information Security Officer.&lt;/li&gt;&lt;li&gt;Identifies the &lt;a class='defword' title='Responsibilities: The duties assigned to a role.'&gt;responsibilities&lt;/a&gt; of each role.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;I’m sure you’ve seen very few policies worded that simply.  Sometimes, that’s because policy is poorly crafted, but often it’s because management has as part of its culture specific ideas about what should be in a policy.  There are perfectly valid reasons for this – when to have a policy is something specific to a culture.  Consider the difference between the Air Force, where an officer who encounters a situation not currently covered by a policy is under standing orders to establish a policy; and the Navy, where anything not forbidden by policy is permitted.  Who’s got the thicker policy manual?  &lt;span class='pullright'&gt;A million dollar loss because the policy wasn't there... limits complaining about how big the policy manual is.&lt;/span&gt;  Whose officers spend more time reading policies and therefore less time doing other things?  Note that I’m not criticizing either service’s approach – they fill different roles, so it makes sense they’d do business differently.  
In the business world, consider one electronics manufacturer I know of that includes with each and every policy a description of how the company lost a million dollars because the policy wasn’t there previously.  That probably limits the amount of complaining about how big their policy manual is.  On the other hand, a small start-up would be right out of business if the CEO spent even a tenth of their time writing policies.&lt;br /&gt;&lt;br /&gt;Some policies contain specific enforcement clauses, words to the effect that if you don’t follow the policy you’ll get fired.  Others simply point to an enforcement policy, so the threat only has to be made once.  Either’s valid.  &lt;br /&gt;&lt;br /&gt;One benefit to having policies is that everyone understands the rules.  There’s no saying, “I thought you wanted me to keep the data forever” at a company with the policy I describe above.  “I thought that person over there was supposed to destroy the data” does not fly if you’ve been told that’s part of your job as Information Security Officer.  Another is that when you start getting new data from a new business drive, no one has to waste time trying to decide what to do about data retention and destruction.  All there is to do is identify the four role holders and make sure they know there’s data to handle.  If your company has a corporate compliance officer and an information security officer, then there are only two people to identify and two people to notify.&lt;br /&gt;&lt;br /&gt;This works in our own lives as well.  If we have defined the rules we live by, we don’t have to reinvent the wheel every time something new comes our way.  I don’t have to stay up all night trying to decide if I’m willing to take a job for which I’d have to relocate to the middle of nowhere; I have a policy that I only want to live in places that meet certain qualifications.  
Of course, if someone offered me a million dollar salary, I’d be putting on the coffee, because policies are not inflexible – one important policy is the exception policy, which defines how to go about deciding whether to make exceptions to all the other policies, and if so how to do so while still meeting management’s expectations.&lt;br /&gt;&lt;br /&gt;I hope this discussion of policy has been helpful, but it’s by no means complete.  Next time, I’ll write about some of the common policy traps I’ve encountered, and how to avoid them.  In the meantime, what sort of policy culture do you have where you work?  Do you find it stifling, does it leave you with no meaningful guidance, or did they strike a good balance?  What policies have you defined for your life?  How do they help you achieve your mission and vision for yourself?  I’d love to hear about it.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qPdyOH8JeB0:v1thO6d2pSw:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qPdyOH8JeB0:v1thO6d2pSw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qPdyOH8JeB0:v1thO6d2pSw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qPdyOH8JeB0:v1thO6d2pSw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qPdyOH8JeB0:v1thO6d2pSw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/qPdyOH8JeB0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/7664168404966547160/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/governance-part-3-policies.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7664168404966547160?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7664168404966547160?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/qPdyOH8JeB0/governance-part-3-policies.html" title="Governance Part 3: Policies" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/governance-part-3-policies.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQMR3w-eCp7ImA9WxBUFkk.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-2784881470722091582</id><published>2010-03-03T15:11:00.003-05:00</published><updated>2010-03-03T15:16:26.250-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-03T15:16:26.250-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="secure living" /><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><category scheme="http://www.blogger.com/atom/ns#" term="practice" /><title>Risk management example: my tire</title><content type="html">&lt;span 
style="font-size: 200%; float: left; padding: 0 5px 5px 0;"&gt;I&lt;/span&gt; was going to continue the &lt;a href="http://defense-rests.blogspot.com/search/label/governance"&gt;governance&lt;/a&gt; series today by writing about policies, but I had the idea to use my last few days to show how theory turns into practice.  In particular, how I think about and do risk management in day-to-day life.  I’m sure you do the same thing, but call it by a different name.  “Thinking things through,” perhaps.    The really cool thing about it is that it takes longer to describe than to actually do – and if it’s that reflexive for some things, it can become reflexive for everything.  &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The other day, I hit a pothole while driving and got a flat.  Upon fixing the flat, I discovered that the sidewall had a chunk missing as if someone had taken a melon baller to it.  It would have to be replaced.  As if that weren’t bad enough, my wife and I are planning to visit my in-laws, which means I either have a deadline to get the tire replaced, or I have to postpone the trip.  Let me put that into &lt;a href="http://defense-rests.blogspot.com/2010/03/risk-management-you-are-risk-manager.html"&gt;risk management&lt;/a&gt; terms:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;Threat&lt;/i&gt;&lt;/b&gt;:  Driving between cities on a “donut” spare tire might lead to an accident.  Call it a medium probability, so 2 – I don’t need to be very precise for this type of analysis.&lt;br /&gt;&lt;b&gt;&lt;i&gt;Impact&lt;/i&gt;&lt;/b&gt;: Variable, but could reasonably equal the value of my car, or physical damage up to and including death for my wife and me.  My personal risk management policy defines impacts as “high” at least an order of magnitude below the value of my car, let alone death.  
What’s more, death is inconsistent with my &lt;a href="http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html"&gt;mission&lt;/a&gt; to maximize the time I spend interacting with my wife.  So high, or if one likes, “Very High.”  So, 4.&lt;br /&gt;&lt;b&gt;&lt;i&gt;Vulnerability&lt;/i&gt;&lt;/b&gt;:  As things stand, I’m very vulnerable – there’s not a lot to protect you when you’re driving on a donut.  Again, High, or 3.&lt;br /&gt;&lt;b&gt;&lt;i&gt;Risk&lt;/i&gt;&lt;/b&gt;: 2 x 4 x 3 = 24!!!  Far riskier than I’m willing to live with.&lt;br /&gt;&lt;br /&gt;There are several options I could take to handle this.&lt;br /&gt;&lt;br /&gt;I could mitigate the threat by driving on local roads instead of the highway at a cost of several hours of time.  Running at a slower speed might take my threat down from a 2 to a 1, but that’s still a risk of 12, and the impact is still too darn high.    That’s a bad decision.  Security is about making good decisions, so no.&lt;br /&gt;&lt;br /&gt;I could take the car to the dealer and get the tire replaced.  Alas, the dealer doesn’t keep the tire in stock and it’s 5 days to order it, so the cost of this solution is having to postpone the trip.  The threat would drop to 0, so the risk would drop to 0, at a cost of a ridiculously overinflated (you should pardon the expression) price, travel and waiting time at the dealer, and significant disappointment to my wife and me – contrary to popular stereotypes, I get along great with the Tweeds and love visiting.  A good decision, but not a great one.&lt;br /&gt;&lt;br /&gt;I could take the car to the fellow who can offer me a tire for the cheapest rate soonest.  The cheapest tire is a used tire, and you never really know what you’re getting there.  The threat drops from, say, 2 to 1 again, or maybe we can call it .5 because I’m not afraid of decimal math.  
(While I might do this in a pinch, if I did so, after a while I might reassess the threat as the tire proves itself.)  But I don’t know the guy, so I don’t have a basis to be confident that he’ll do a good job.  A so-so decision.&lt;br /&gt;&lt;br /&gt;I could take the car to the body shop I’ve been dealing with for years – mostly on my last car.  He’s a few dollars more expensive than the cheap guy, but two thirds of what the dealer costs.  I have a basis for trusting him because I know that he won’t try to sell me work I don’t need – he’s passed up plenty of opportunities and even come right out and told me when I was better off junking my old car instead of fixing it.  Once again, the threat drops to 0, the price is reasonable, and I can travel when I planned to with confidence in the work.  That’s the best decision I’m going to come up with, so that’s what I did earlier this afternoon.&lt;br /&gt;&lt;br /&gt;Of course, I can afford a new tire because a while ago I did a risk assessment in which “There is a risk that my car will need repair” was mitigated by “I have savings for unforeseen emergencies.”&lt;br /&gt;&lt;br /&gt;What threats have impacted you in the last few weeks?  How did you handle them, and how did you think about it?  Did knowing you had a plan and a path forward help avoid fear and therefore a bad decision?  Does it fit into the model I’ve described, and if so does that help?  I’d love to hear about it.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=wrOvtkJV7aA:lDlLZ-6-inc:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=wrOvtkJV7aA:lDlLZ-6-inc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=wrOvtkJV7aA:lDlLZ-6-inc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=wrOvtkJV7aA:lDlLZ-6-inc:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=wrOvtkJV7aA:lDlLZ-6-inc:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/wrOvtkJV7aA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/2784881470722091582/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/risk-management-example-my-tire.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/2784881470722091582?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/2784881470722091582?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/wrOvtkJV7aA/risk-management-example-my-tire.html" title="Risk management example: my tire" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/risk-management-example-my-tire.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EESHw5eyp7ImA9WxBUFk4.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-3806236728181910465</id><published>2010-03-03T10:45:00.004-05:00</published><updated>2010-03-03T10:53:29.223-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-03T10:53:29.223-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="meta" /><title>Meta:  Comments now hosted at Intense Debate</title><content type="html">I've set up the comments to use the &lt;a href="http://intensedebate.com"&gt;Intense Debate&lt;/a&gt; system.    
This will add threading, a degree of cross-site identity continuity, and a number of other features to the system.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=FrKkIrHM6rU:khrliUtwMqU:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=FrKkIrHM6rU:khrliUtwMqU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=FrKkIrHM6rU:khrliUtwMqU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=FrKkIrHM6rU:khrliUtwMqU:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=FrKkIrHM6rU:khrliUtwMqU:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/FrKkIrHM6rU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/3806236728181910465/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/meta-comments-now-hosted-at-intense.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3806236728181910465?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/3806236728181910465?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/FrKkIrHM6rU/meta-comments-now-hosted-at-intense.html" title="Meta:  Comments now hosted at Intense Debate" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/meta-comments-now-hosted-at-intense.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkEERnk6eCp7ImA9WxBUFEo.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-1219872827980349598</id><published>2010-03-01T15:06:00.004-05:00</published><updated>2010-03-01T15:16:47.710-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-01T15:16:47.710-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="theory" /><category scheme="http://www.blogger.com/atom/ns#" term="secure living" /><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><title>Risk Management: YOU Are a risk 
manager!</title><content type="html">Risk management.  Assessment, vulnerabilities, threats, and impact.  Mitigation, assignment, acceptance.  If you don’t do security for a living, or do it as a purely technical activity, these can sound like terms from some arcane art practiced by Wizards, Sorcerers, Actuaries, and Mutual Fund managers.  Today we start taking the mystique out of it and showing that it’s something nearly everyone does every day.  &lt;a name='more'&gt;&lt;/a&gt;Let’s start talking about &lt;b&gt;risk assessment&lt;/b&gt; by defining some terms:&lt;br /&gt;&lt;br /&gt;A &lt;b&gt;threat&lt;/b&gt; is a bad thing that can happen.  It’s measured as a percent chance per unit time.  (If you’re likely to lock yourself out of your car once every 10 years, it’s a 10% per year threat, or “.1 threat” for short.  If you do it every 6 months, it’s a “2 threat”.)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Impact&lt;/b&gt; is the cost of the threat happening.  It’s usually measured in dollars or time – and time is money.  (If it costs you $100 to have a locksmith key you into your car, it’s a $100 impact.)  I say usually because not every impact is measurable.  If you lock yourself out of your car and your Significant Other is annoyed because now you’ll be late, how much money is that annoyance?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Vulnerability&lt;/b&gt; is how likely you are to be affected by the threat.  (If your Significant Other also has a car key, you’re only locked out if you forget your key when they’re not around.  If you’re only with them half the time, you’re 50% vulnerable.)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Risk&lt;/b&gt; is the product of those three numbers:  threat x vulnerability x impact.  In our example:&lt;br /&gt;Risk = .1 (10% threat) x .5 (50% vulnerability) x $100 = $5 Risk.  On the other hand, if you forget your keys twice a year, it’s a $100 risk (2 x .5 x 100).&lt;br /&gt;&lt;br /&gt;That’s it!  
If you can figure out the numbers for a threat, its impact, and your vulnerability to it, you’ve &lt;b&gt;assessed&lt;/b&gt; the risk.  The biggest trick to this is figuring out what all the threats are ahead of time.&lt;br /&gt;&lt;br /&gt;Of course, there’s math involved.  For some reason, lots of people have been taught that math is hard, much too hard for them to do, and that can make this look daunting.  Don’t be daunted, or if you’re finding yourself daunted, let me help you get past that – fear of numbers is part of the &lt;a href="http://defense-rests.blogspot.com/2010/02/security-without-tears-or-apology.html"&gt;tears&lt;/a&gt; we're doing away with.&lt;br /&gt;&lt;br /&gt;The nice thing about the numbers in the risk assessments most people have to do in our lives is that we don’t have to be very precise.  Does it really matter if I lose my car keys once every 9 years or 10?  Does it really matter if the locksmith will charge me $100 or $99.95 plus tax?  Rarely.  If it’s hard to get exact figures, round them off.  If even rough figures are hard to come by, define your notions of small, medium, and large for threat, impact, and vulnerability, and use ‘1’ for small, ‘2’ for medium, and ‘3’ for large, which will give you risk rankings from 0-9.  Trust me – lots of multi-billion dollar businesses do it this way.  I know of at least two that define “small” risk as multiple millions of dollars per year, and think of spending time doing risk analysis on mere hundred-thousand-dollar-per-year risks as a threat in and of itself.&lt;br /&gt;&lt;br /&gt;If you've ever asked yourself "What are the odds?" you've assessed risk.&lt;br /&gt;&lt;br /&gt;What are some of the threats in your life?  
As I said, the hardest part of this is figuring out what they are, so perhaps we can all come away with something if we pool notes on what’s out there.&lt;br /&gt;&lt;br /&gt;Next time, I’ll write about risk mitigation, which is how you reduce your risk – usually by reducing your vulnerability, but not always.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=XnqpNEDk7Cw:3jH2e_-YwrM:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=XnqpNEDk7Cw:3jH2e_-YwrM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=XnqpNEDk7Cw:3jH2e_-YwrM:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=XnqpNEDk7Cw:3jH2e_-YwrM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=XnqpNEDk7Cw:3jH2e_-YwrM:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/XnqpNEDk7Cw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/1219872827980349598/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/03/risk-management-you-are-risk-manager.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/1219872827980349598?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/1219872827980349598?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/XnqpNEDk7Cw/risk-management-you-are-risk-manager.html" title="Risk Management: YOU Are a risk manager!" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/03/risk-management-you-are-risk-manager.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUECQ3wzfCp7ImA9WxBUEkw.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-1174913849083529798</id><published>2010-02-26T13:13:00.002-05:00</published><updated>2010-02-26T15:54:22.284-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T15:54:22.284-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="crime" /><category scheme="http://www.blogger.com/atom/ns#" term="spycamgate" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Spycamgate followup</title><content 
type="html">I’ve &lt;a href="http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html"&gt;written&lt;/a&gt; previously about “Spycamgate,” wherein a school administrator tried to hold a student accountable for perceived behavior at home based on images taken from a camera on the student’s school-issued laptop.  The school’s defense is that the webcams are a security feature to track down lost or stolen machines.  If so, the school is illustrating how not to do security.  In this instance, doing security wrong consists of doing security in a way that is disrespectful of other people’s security.  The case for the importance of meticulously respecting other people’s security is simple to make:  there are civil and criminal laws against disrespecting other people’s security: &lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The FBI’s gotten &lt;a href="http://blogs.villagevoice.com/runninscared/archives/2010/02/fbi_opens_an_in.php"&gt;involved&lt;/a&gt;, because wiretapping’s a federal felony if you don’t follow the rules.  A &lt;a href="http://www.philly.com/philly/news/homepage/20100220_Subpoena_issued_in_L__Merion_webcam_case.html"&gt;grand jury&lt;/a&gt; has issued a subpoena for the school’s records about how the system was set up and operated.  The local DA’s looking into it as well.  The class action suit is underway.&lt;br /&gt;&lt;br /&gt;I’m skeptical of the school’s claim that this is all a grave misunderstanding and they acted in good, if bumbling, faith.  
The school is protesting its innocence, but they’ve got a lot of work ahead of them to explain how a school administrator was in a position to confuse &lt;a href="http://farm3.static.flickr.com/2406/2512124155_1196c93366.jpg"&gt;Mike and Ikes&lt;/a&gt; with &lt;a href="http://www.dps.state.ak.us/CrimeLab/Images/ControlledSubstances/pills.jpg"&gt;narcotics&lt;/a&gt; if only two specifically authorized personnel ever activated the cameras, and they only did so when computers were reported as lost or stolen.  The administrator was not one of the two people, and the computer was not reported as lost or stolen.&lt;br /&gt;&lt;br /&gt;They’ve also got a lot of work ahead of them explaining why a systems administrator was telling students that the camera light turning on was simply a glitch.  &lt;a href="http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html"&gt;Stryde&lt;/a&gt; has plenty more about this, including a good technical discussion and potentially damning links to the system administrator’s blog about how to disable the camera for a user but still let administrators get to it remotely.&lt;br /&gt;&lt;br /&gt;As the consequences mount for Spycam School, let’s take a moment to examine the lessons already learned:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;When you do something to enhance your security, you have to examine what impact it might have on other people’s security.&lt;/li&gt;&lt;li&gt;When you do something that might impact other people’s security, it’s a really good idea to make sure they understand that signing on to what you’re doing poses a risk to them, so that they can manage that risk for themselves.&lt;/li&gt;&lt;li&gt;When you do something that might impact other people’s security, it’s a really good idea to make sure you take as many steps as possible to prevent “might” from becoming “does.”&lt;/li&gt;&lt;li&gt;When you do something that does impact other people’s security, it’s a really bad idea to lie to them about it.&lt;/li&gt;&lt;li&gt;When doing all of this, having rules to follow will not protect you in the eyes of the law or the public if you do not follow them.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;What lessons do you see here?  How do you apply those lessons to your business, your personal computing, your offline lives?&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=-Yn3sYWUlkw:AXpMCXafeN8:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=-Yn3sYWUlkw:AXpMCXafeN8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=-Yn3sYWUlkw:AXpMCXafeN8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=-Yn3sYWUlkw:AXpMCXafeN8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=-Yn3sYWUlkw:AXpMCXafeN8:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/-Yn3sYWUlkw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/1174913849083529798/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/ive-written-previously-about-spycamgate.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/1174913849083529798?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/1174913849083529798?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/-Yn3sYWUlkw/ive-written-previously-about-spycamgate.html" title="Spycamgate followup" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/ive-written-previously-about-spycamgate.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkEASXc_fip7ImA9WxBUEk0.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-7934138872578550169</id><published>2010-02-24T14:35:00.004-05:00</published><updated>2010-02-26T12:17:28.946-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T12:17:28.946-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="meta" /><title>Security Without Tears or Apology</title><content type="html">In plugging this blog, for which I’m grateful, &lt;a href=http://sideshow.me.uk&gt;Avedon Carol&lt;/a&gt; mentioned that my subtitle 
“Security without apology or tears” doesn’t necessarily make immediate sense.  I thought I’d spend some time talking about that.&lt;br /&gt;&lt;br /&gt;Every time I tell someone I do information security for a living, &lt;a name='more'&gt;&lt;/a&gt;I get an awestruck, impressed kind of look as if I had told them that Gandalf passed me his staff and asked me to keep an eye on things while he went West.  Often, I’m reassured of my intelligence or employability.  Frequently, I’m regaled with tales of some security incident that happened at someone’s workplace – almost always because someone made an easily avoided mistake.  Commonly, I’m asked in hushed tones about the latest virus or vulnerability, and if they’re safe from it – or what to do about the virus that just infected their computer.&lt;br /&gt;&lt;br /&gt;Professionally, very big companies have me inspect millions of dollars worth of security protecting billions of dollars worth of assets.  Often they want to know if I can break in.  Often the answer is yes, and rarely because I’m such a smart guy.  Almost always, it’s because someone didn’t do something – one of those easily avoided mistakes I mentioned.  Often, those mistakes happen because whoever’s job it is to not make those mistakes didn’t know what not to do.  Or they were too busy not to make the mistake.  Or they didn’t think it was really that big a deal.&lt;br /&gt;&lt;br /&gt;That’s the tears.  It doesn’t have to be like this.&lt;br /&gt;&lt;br /&gt;I’ve also been paid to write memos begging CEOs not to insist on passwords so short that they’re the equivalent of 15th-century locks because they didn’t want to have to remember anything longer, and the CISO needed an expert to back him up in saying there was a risk to that.  
I’ve had a proposal to spend fifteen thousand dollars on an anti-virus system turned down in April only to have it approved in May after a virus caused a hundred thousand dollars in lost productivity because fifty computers had to be cleaned and rebuilt while fifty users sat around getting paid to do nothing.  I’ve worked out how to soft-pedal adopting security measures to someone so out of touch with modern technology that he still thought being the IT director meant he “ran the computer” and couldn’t believe there’s any real danger from hackers, virii, or internal users bent on fraud.&lt;br /&gt;&lt;br /&gt;That’s the apology.  It doesn’t have to be like this, either.&lt;br /&gt;&lt;br /&gt;Being secure isn’t any different on a computer or with information than it is in any other part of your life.  If you lock your door, you do security.  If you don’t lock your door because your neighbor might need to get in, you still do security – you’ve assessed your risks and decided which to accept and which to mitigate.  But no one decides they need to lock their door and then tapes the key to the knocker.  People don’t spend much energy on deciding not to do that, either.  On that level, doing security is reflexive, even unconscious.  There’s got to be a way to bridge that gap.&lt;br /&gt;&lt;br /&gt;Often, people who sell security use FUD – Fear, Uncertainty, and Doubt – to do it.  They do so because in the short term it works, but in the long term it has left people with a wildly distorted notion of what they have to protect and from whom.  Worse, when you peddle fear, you get frightened people.  Frightened people rarely make good decisions.  Time and again, FUD comes back to haunt us.&lt;br /&gt;&lt;br /&gt;Fear is no way to live one’s life, with computers or anything else, nor is ignorance.  There are risks to using computers just as there are with anything else.  
Knowing how to identify those risks, deciding how to handle those risks, and doing all that before the risks come leads to a well-founded confidence – just like in any other area of life.  This blog is about taking the mystique out of what I do, and putting it into everyone’s reach as simply part of how we live our lives day to day.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qwQtgTP11FA:1S57tJFrvxE:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qwQtgTP11FA:1S57tJFrvxE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qwQtgTP11FA:1S57tJFrvxE:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=qwQtgTP11FA:1S57tJFrvxE:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=qwQtgTP11FA:1S57tJFrvxE:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/qwQtgTP11FA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/7934138872578550169/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/security-without-tears-or-apology.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7934138872578550169?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7934138872578550169?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/qwQtgTP11FA/security-without-tears-or-apology.html" title="Security Without Tears or Apology" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/security-without-tears-or-apology.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkYCRnY7fip7ImA9WxBUEk0.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-7832011170894089773</id><published>2010-02-19T15:41:00.005-05:00</published><updated>2010-02-26T13:16:07.806-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T13:16:07.806-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="crime" /><category scheme="http://www.blogger.com/atom/ns#" term="spycamgate" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>School Principal Spys on Children at Home via Laptop 
Camera</title><content type="html">Whichever side of the infosec coin one is on, a piece of jargon we use to refer to the control of a system is ownership.  We refer to a system as “compromised” or “owned” or “pwned” if the person who pwns it isn’t also the person who owns it in the legal sense of the term.  Most information security practice is concerned with preventing and detecting inappropriate changes in ownership-with-a-p.  &lt;a name='more'&gt;&lt;/a&gt; (I try not to write “pwn” and associated formulations very often, but it’s a temporarily useful distinction to draw out.)&lt;br /&gt;&lt;br /&gt;So you own your computer, and do all the right things to make sure no one pwns it, but what about when you’re using a system you don’t own?  Many of us have the legal use of a computer in our home that we don’t actually own.  Your employer may have issued it to you so that you can do your job.  Your school may have issued it to you so that you can do your schoolwork.  A friend may have lent you a spare because yours is broken.  Some companies insist that their employees work on asset machines to ensure control of company information is never outside company hands.&lt;br /&gt;&lt;br /&gt;Privacy on these machines doesn’t work quite the way privacy on your own system works.  If you have a computer from your employer, you likely signed something that says you recognize you have no expectation of privacy over that computer.  The policy is probably that the company’s staff has the right to look at everything on that computer whenever they like.  
This just got a bit hairier.&lt;br /&gt;&lt;br /&gt;Via &lt;a href="http://gizmodo.com"&gt;Gizmodo&lt;/a&gt;, a Principal of a Philadelphia school had the IT staff &lt;a href="http://gizmodo.com/5474614/school-spies-students-through-their-laptop-cameras"&gt;spying on students at home using the cameras on their school-issued laptops&lt;/a&gt;.  This came to light in two ways.&lt;br /&gt;&lt;br /&gt;First, students noticed as early as 2008 that the light on the camera was turning on at random times.  &lt;i&gt;That light is a security feature.&lt;/i&gt;  The reason cameras on laptops have lights is to alert the person being viewed that the camera is operational.  The children who observed the alert did the right thing and called the IT department to report the matter.  Unfortunately, the IT department appears to have been in on it and told them nothing was wrong.&lt;br /&gt;&lt;br /&gt;Second, the Principal had the temerity to discipline a child for “improper behavior in his home,” and &lt;i&gt;produced a photograph taken from the camera&lt;/i&gt; to document the incident.&lt;br /&gt;&lt;br /&gt;Students are now suing the school and principal, and that’s a good start.  There should also be a criminal investigation of the Principal, the IT staff, and anyone else who knew this was going on.  Did the children’s parents sign a document indicating that they understood and approved this surveillance?  If not, a federal law has been broken.  Did anyone with access to these cameras use the images captured for additional criminal purposes, such as extortion or child pornography?  We need to know, and it is not merely a civil matter.&lt;br /&gt;&lt;br /&gt;The question remains, what to do about the computers in your home that you don’t own?  This is the first incident of this type of illegal surveillance I’ve seen hit the news, but we’ve been talking about the possibility since the 1990s.  
In a future article, I’ll talk about the risk management process of deciding how much effort to spend safeguarding yourself and your family from this threat and some practical steps to reduce the risk.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=xHCFasO9RP4:LRYP15W-WbU:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=xHCFasO9RP4:LRYP15W-WbU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=xHCFasO9RP4:LRYP15W-WbU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=xHCFasO9RP4:LRYP15W-WbU:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=xHCFasO9RP4:LRYP15W-WbU:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/xHCFasO9RP4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/7832011170894089773/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html#comment-form" title="5 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7832011170894089773?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/7832011170894089773?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/xHCFasO9RP4/school-principal-spys-on-children-at.html" title="School Principal Spys on Children at Home via Laptop Camera" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>5</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/school-principal-spys-on-children-at.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkAFSHs8fCp7ImA9WxBUEk0.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-8878266575695562229</id><published>2010-02-17T14:07:00.004-05:00</published><updated>2010-02-26T12:18:39.574-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T12:18:39.574-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="strategy" /><category scheme="http://www.blogger.com/atom/ns#" term="home life" /><category scheme="http://www.blogger.com/atom/ns#" term="vision" /><category 
scheme="http://www.blogger.com/atom/ns#" term="charter" /><category scheme="http://www.blogger.com/atom/ns#" term="governance" /><category scheme="http://www.blogger.com/atom/ns#" term="mission" /><title>Governance Part 2: Charters, Visions, and Missions</title><content type="html">In my &lt;a href="http://defense-rests.blogspot.com/2010/02/introduction-to-governance-first-of.html"&gt;Introduction&lt;/a&gt; I listed &lt;a href="http://en.wikipedia.org/wiki/Charter"&gt;charters&lt;/a&gt;, visions, and missions as the documents that state what you’re trying to accomplish when you set out to do security.  I’m going to expand on that here.&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In information security, a &lt;i&gt;charter&lt;/i&gt; is a statement from management to whatever body it is that is tasked with providing and assuring security.  It grants authority and mandates performance.  This could be from a CEO to a CISO, a CISO to an architecture group, or two parents agreeing that one of them will make sure that the kids aren’t cruising age-inappropriate sites.  This agreement might be written or verbal, though in business as a general rule it’s really the sort of thing that should be written down for later reference.  Come to think of it, writing down agreements like this probably has significant benefits to one’s domestic tranquility – the time and effort will pay for itself the first time you avoid an argument about whose turn it is to do the dishes.  (Yes, doing the dishes is a security task.  It mitigates the risk that someone will catch a food-borne illness, the risk that the home will smell unpleasant, and the risk of pest infestation.)&lt;br /&gt;&lt;br /&gt;By affirmatively granting specific authority, it also sets boundaries around that authority.  For example, does the CEO want the CISO to set policies, advise the CEO regarding which policies to set, or simply administer and enforce policies the CEO sets?  
Is the CISO in charge of physical security for the whole enterprise or just the data center?  Some places consider building security someone else’s responsibility.  Does the CISO’s team run the firewalls, or does a network group handle that while the CISO’s team monitors and responds to incidents?&lt;br /&gt;&lt;br /&gt;A well-written charter lays these matters out clearly and affirmatively.&lt;br /&gt;&lt;br /&gt;The benefit, of course, is that if you’re providing security, looking at the charter tells you what you do and don’t have to think about.  It reduces the chance that a team of highly paid professionals will spin their wheels doing something that could reasonably be considered part of information security but that management has decided to organize differently.  It lets you show people like me that you're not making it up as you go along when we're auditing your governance controls.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Visions&lt;/i&gt; and &lt;i&gt;missions&lt;/i&gt; in this context are similar to a charter, but they are a statement from the group to the enterprise about its intentions rather than a top-down grant and mandate.  They lay out what it is you want to accomplish and (at a very high level) how you want to accomplish it.  One might describe the relationship between the two by saying that one’s mission is to accomplish one’s vision.  An ambitious acquaintance of mine listed in an online mini-biography that he wanted to achieve financial independence by age 40.  That’s a vision.  One might infer that his mission was to work a series of very highly paid jobs so that he could achieve financial independence by age 40.  Or, depending on circumstances, the mission could have been to avoid antagonizing a wealthy and aged relative so as to be favorably remembered in the will.  The mission could even have been to maintain a standard of living far below his earnings.  
&lt;br /&gt;&lt;br /&gt;You can see that having both a mission and a vision provides more clarity than having only one.  A mission tells you what you’re doing; a vision tells you why.  Most people don’t write either down – I haven’t, though my spouse and I discuss both regularly.  A shocking number of businesses think they’re done when they’ve written one.&lt;br /&gt;  &lt;br /&gt;Many people balk at the idea of even formulating a mission or vision for their lives, and I used to be one of them.  As I’ve grown, I’ve come to see the benefit of clearer personal strategy, even if I haven’t yet taken the plunge and written it down.  For example, my vision is to spend as much quality time with my aforementioned spouse as possible; and my mission is to live a life in which I balance work and leisure so that I can achieve that vision. &lt;br /&gt;&lt;br /&gt;Consequently, I have a policy not to accept jobs that take me out of my home over a certain number of hours per week – whether it be to the office or to remote locations.  But policies are for the next installment in this series.&lt;br /&gt;&lt;br /&gt;Have you established your vision and mission?  Is there a charter that governs authority in your life?  I bet there is, and I’d love to have you talk about it.  If they’re too personal to share, how did you come to them?  Who were the stakeholders that had to negotiate what went into them?  Have you seen a benefit to coming to these agreements, or even writing them down?&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=yFUyqqeb444:EphdIDS52Kg:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=yFUyqqeb444:EphdIDS52Kg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=yFUyqqeb444:EphdIDS52Kg:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=yFUyqqeb444:EphdIDS52Kg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=yFUyqqeb444:EphdIDS52Kg:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/yFUyqqeb444" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/8878266575695562229/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/8878266575695562229?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/8878266575695562229?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/yFUyqqeb444/governance-part-2-charters-visions-and.html" title="Governance Part 2: Charters, Visions, and Missions" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQMQH4-fip7ImA9WxBUEkQ.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-4513879857261854083</id><published>2010-02-15T17:39:00.003-05:00</published><updated>2010-02-27T13:13:01.056-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-27T13:13:01.056-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="introductions" /><category scheme="http://www.blogger.com/atom/ns#" term="governance" /><title>Introduction to Governance, First of a Series</title><content type="html">&lt;a 
title='Governance: The processes by which one defines expectations, grants power, and verifies performance.'&gt;Governance&lt;/a&gt; is the foundation that effective security is built on.  It’s a big word for a common-sense idea:  things work better if you know what you’re trying to do and how you’re willing to do it than if life is an endless flailing reaction to whatever the latest situation drops in your lap.  Boy Scouts have been telling people to “be prepared” for a long time.&lt;br /&gt;&lt;br /&gt;If it’s such an easy idea, why do so many people get it wrong, in their personal lives and in business?&lt;a name='more'&gt;&lt;/a&gt; I’m not sure – maybe the root word “govern” is intimidating.  Maybe people don’t like admitting that bad things may happen to them.  Maybe there’s always a short-term priority – getting the latest update to market, watching the latest TV show, catching up on my infosec blog… OK, maybe not the last.  But you get the idea:  setting aside some time to plan ahead just doesn’t seem like a lot of fun if you’re not into this stuff and there’s something else you could be doing that’s bright and shiny and it’s even easy to see how it pays off now. &lt;br /&gt;&lt;br /&gt;Nothing new there; people don’t write wills and don’t back up data files for the same reasons.  People probably also don’t know that they already do governance, and all that would be different is writing down what you already think and might even say.&lt;br /&gt;&lt;br /&gt;In the governance-related posts, I’ll discuss several things we call governance collectively in a bit more detail.  
In the meantime, which of these things do you already think about, talk about, and write down in your personal and professional life:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://defense-rests.blogspot.com/2010/02/governance-part-2-charters-visions-and.html"&gt;Mission/Vision/Charter&lt;/a&gt; – An overall statement of what you’re trying to accomplish.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Policy – A broad statement of how you intend to accomplish your mission/vision. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Standard – A specific statement of how you intend to make your policy a reality.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Guideline – A specific statement of advice on how to adhere to your standard.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Procedure – A specific list of steps to perform in order to accomplish a task in a way that fulfills your policies, standards, and guidelines.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=432tVVFnyJ0:ORjYidSdn9s:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=432tVVFnyJ0:ORjYidSdn9s:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=432tVVFnyJ0:ORjYidSdn9s:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=432tVVFnyJ0:ORjYidSdn9s:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=432tVVFnyJ0:ORjYidSdn9s:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/432tVVFnyJ0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/4513879857261854083/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/introduction-to-governance-first-of.html#comment-form" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4513879857261854083?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/4513879857261854083?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/432tVVFnyJ0/introduction-to-governance-first-of.html" title="Introduction to Governance, First of a Series" /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>3</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/introduction-to-governance-first-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkANQnY-eCp7ImA9WxBUEk0.&quot;"><id>tag:blogger.com,1999:blog-2510183838147971025.post-8564985759826446805</id><published>2010-02-15T01:54:00.002-05:00</published><updated>2010-02-26T12:19:53.850-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T12:19:53.850-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="introductions" /><category scheme="http://www.blogger.com/atom/ns#" term="governance" /><category scheme="http://www.blogger.com/atom/ns#" term="policies" /><category 
scheme="http://www.blogger.com/atom/ns#" term="meta" /><title>The lights come on, the set is down, the curtains float away...</title><content type="html">People already blog about information security – just look at my short but growing blog roll.  Does the world really need one more?  I think so, and my inaugural post is to make the case for it.&lt;br /&gt;&lt;br /&gt;Information Security is big business.  The U.S. federal government alone spent &lt;a href="http://www.govexec.com/dailyfed/0305/031705p1.htm"&gt;7.1 billion dollars&lt;/a&gt; on it in 2009, and private industry dropped a pretty penny on it as well.  The headlines regularly show the cost of not getting it right, literally and figuratively.  Companies appoint executives, staff departments, allocate budgets, and do all the other things that businesses do in order to secure their computing.  I should know – it’s kept me employed full time for most of my adult life.&lt;br /&gt;&lt;br /&gt;And yet, the headlines keep coming.&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It’s not just business.  Home users have their identities stolen and lose years’ worth of writing, photography, and other work to computer viruses.  Their computers get enlisted in zombie armies and slow to a crawl, which can look just like a machine getting old – leading to a new computer before its time.  
There’s a whole information security industry selling to the home market, and it’s not small.&lt;br /&gt;&lt;br /&gt;And yet, people at parties still ask me if their computer can be saved from the latest infection with a combination of trepidation and hope generally reserved for an oncologist’s office.&lt;br /&gt;&lt;br /&gt;People like me have careers, consulting firms have revenue lines, vendors have entire product and service lines, and governments pass legislation dedicated to solving the problem of how to let people compute safely.&lt;br /&gt;&lt;br /&gt;Yet security programs fail, one after another.&lt;br /&gt;&lt;br /&gt;Clearly, trying something new is called for.   I've had front row seats for most of my career.  I've seen security succeed and fail many times.  I've examined the people, products, and processes time and again.&lt;br /&gt;&lt;br /&gt;This blog will be about what I've found.  Ultimately that means it will be a blog about people, because people are what make security work or fail.  Products just do what people tell them to; processes are just people telling people what to do.  That means the famous mantra "people, process, product" is really just a complicated way of saying "people, people, people."&lt;br /&gt;&lt;br /&gt;I want this blog to be useful.  Not just to my colleagues, who may agree with my ramblings -- or not.  I don't want this to just be a place to geek out.  Nor do I just want businesspeople -- my clientele -- to see this simply as a vehicle by which I credentialize myself.  I want people who don't normally think about security to come and read so that they can think about it with less difficulty afterward.  If I can communicate nothing else, I want to get this across:  security is easy, if one lets it be.&lt;br /&gt;&lt;br /&gt;I want this blog to be entertaining.  I do what I do because I have &lt;i&gt;fun&lt;/i&gt; doing it, even when I’m doing the boring bits that every job has.  
I want to share that sense of fun.&lt;br /&gt;&lt;br /&gt;I’m going to try to make a post at least once a week.  If I can’t post something of substance, I’ll give a quick explanation of why; perhaps a bit of off-topic nicety to round things out.&lt;br /&gt;&lt;br /&gt;I intend to encourage informed, spirited, and civil discussion and debate.  I ask that those who feel moved to comment do so in a way that is respectful of the broad range of viewpoints I hope readers will bring to this space.&lt;br /&gt;&lt;br /&gt;I request that you, the reader, participate.  That invitation stands whether you do security professionally, as an interested amateur, out of self-defense, or what-have-you.  Bring your knowledge, but also bring your questions.  This is a space to learn, and I’ll learn as much as anyone else.&lt;br /&gt;&lt;br /&gt;I hope that’s enough of a reason to load this page every so often, add me to the RSS reader of your choice, or otherwise check out what I’ve got to say.&lt;br /&gt;&lt;br /&gt;I have not yet monetized this blog, but I reserve the right to do so.  If I do, I promise to make every effort to do it in a way that is respectful of your privacy and intelligence.&lt;br /&gt;&lt;br /&gt;In the next post, or perhaps the one after that, I’ll talk about the fundamental security process that drives all the others: governance.  Developing the charter and policies that guide how one’s security practice works.    This post is a good jumping-off point for that, because a business case, a charter, and some policies are pretty much what I've written.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=lut3_MgcTEQ:wfS9En_bpkE:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=lut3_MgcTEQ:wfS9En_bpkE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=lut3_MgcTEQ:wfS9En_bpkE:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?i=lut3_MgcTEQ:wfS9En_bpkE:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/vexE?a=lut3_MgcTEQ:wfS9En_bpkE:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/vexE?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/vexE/~4/lut3_MgcTEQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://defense-rests.blogspot.com/feeds/8564985759826446805/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://defense-rests.blogspot.com/2010/02/lights-come-on-set-is-down-curtains.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/8564985759826446805?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2510183838147971025/posts/default/8564985759826446805?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/vexE/~3/lut3_MgcTEQ/lights-come-on-set-is-down-curtains.html" title="The lights come on, the set is down, the curtains float away..." /><author><name>Dan Holzman-Tweed</name><uri>http://www.blogger.com/profile/11291546648247016483</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="23" height="32" src="http://1.bp.blogspot.com/_6W68J9EM_UE/S3mV0B_9zQI/AAAAAAAAAAM/rgCH4-W_YdY/S220/DBHT+boathouse.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://defense-rests.blogspot.com/2010/02/lights-come-on-set-is-down-curtains.html</feedburner:origLink></entry></feed>
