We are the enemy…

EDIT: Much has changed since 2016 and yet much remains the same. While this was originally written in response to the 2016 Snapchat employee breach, itself the result of a phishing email, we continue to see successful attacks against organizations that rely on basic attack vectors and human error.

I’m often asked, as a Cybersecurity, Governance, and Risk Management expert, what keeps me up at night?

It’s people. It has always been people.

Properly deployed technology doesn’t take vacations or come to work impaired by illness or a severe cold. Your cloud deployments, your brick-and-mortar firewalls, IDS/IPS and routers, the ones you spend millions on, mean zero and zilch if Joe Smiley in supply is not security-aware and educated enough to avoid opening or responding to a phishing email.

People are ultimately the cause of most breaches, through lack of effort or lack of performance. We design and implement the processes and procedures. We deploy the technology.

We have met the enemy and he is us.

Security awareness isn’t cutting edge, nor is it sexy to many security professionals, and it continues to lag behind the effort placed into the latest widget. Yet security awareness goes a long way toward proving a theory I have long held: an Information Security department of 40 could quickly become a virtual department 40,000 strong, given the right training and the right incentives.


When did the bank vault door become more important than what the vault is protecting?


Tool Fixation

“Tool fixation” is a common affliction in the cybersecurity realm and plagues everyone from the CEO down to the mail clerk: “That silver-bullet piece of technology will cure all our ills and make us the company we were always meant to be!”

Sound like a pipe dream? Well, it is.

One of my favorite quotes is attributed to one of the most ingenious American founding fathers, Benjamin Franklin:

“If you fail to plan, you are planning to fail!”

Reaching the End State: Have a Plan

A plan is the foundation of any successful enterprise. Understanding what we are attempting to protect (or restrict access to) may sound simplistic, but it goes a long way toward defining our objectives as cybersecurity practitioners. This in turn gives us a clear line of sight back to business requirements, producing a plan that fits the mission and business strategy at hand. From a framework standpoint, see the CERT Resilience Management Model (CERT-RMM) and its Technology Management process area. For those unfamiliar with it, CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations manage operational resilience and risk.


Tools and technology have their place in any organization’s toolbox, but using the right tool for the job, and using it effectively, is the key. Just ask Sony, Anthem, Target or Home Depot.

Having a tool or technology does not equate to appropriate utilization.


Once solid business requirements and a plan have been created, tool selection becomes a cinch: run proofs of concept to establish what the candidate tools and toolsets can actually address, and demand proof positive that the tool or tool suite can accomplish what the enterprise set out to accomplish.

Late to the party? Very little is “unfix-able”

I’ve lost count of the clients I have had the privilege of assisting who inherited, or were saddled with, a product that just wasn’t a great fit. By hook or by crook, it ended up in their enterprise: a product bought for a unique widget and then tragically underutilized, or bolted onto several other products in an attempt to address the overall mission. Being a glass-half-full type of personality, I consider this a step up from the budget battle of getting new products approved, and an opportunity to properly field and utilize what the organization already owns.

The three-legged stool: balance it. People, process and technology.

The House of No….


“The House of No” is a humorous term I heard used to describe the general consensus of Joe User Public when referring to their Information Security Department. Not exactly a flattering term, but one cybersecurity practitioners should consider potent and worth weighing as they go about the business of protecting their respective organizations and clients.

While “The House of No” stands at one end of the spectrum, the other end is occupied by the Sun Tzu promoter of agile business: a practitioner focused on applying just enough protection to address the major compliance and regulatory requirements at hand while giving our business people the ability to do their jobs effectively and securely. It’s a balancing act that requires effort and dedication on the practitioner’s part, and a real desire to effect change and growth as a thought leader rather than behaving like “law enforcement.”

Creativity is not a market cornered by musicians and painters. Cybersecurity architects must apply the same kind of thinking when approaching a problem that needs resolution and deciding on the right amount of security.

  • Exceptions – This is a vital area in shifting the thought process of the residents of “The House of No.” There are always exceptions to the rule. Establish the risk levels the organization is willing to accept, choose wisely the areas where it makes the most sense to grant exceptions, follow a documented process for doing so, and gain approval at the appropriate levels within the business. When the exception becomes the norm, it’s no longer an exception; it’s a broken business process.
  • Chicken or the Egg – So which comes first, the business requirements or the security requirements? This should be a no-brainer, but “The House of No” struggles with this mindset, blinded by the pursuit of protection first and foremost. Whether the organization’s primary business is selling potato chips or processors, its “business” is revenue generation. Our every move as practitioners and solution designers should begin with, not end with, enabling the business to conduct its activities as fluidly as possible.
  • The Messenger – Shakespeare made the point in Henry IV, Part 2: don’t shoot the messenger. As practitioners, our message should always seek the collaborative air of a business enabler, not a stumbling block to our peers and clients in winning business and serving our current customers. Security is ever more important in our ever-expanding digital world.
  • The Scale of Risk and Priorities – Risk assessment and measurement is a business effort, not confined to any one department by any stretch. As a business: identify risk, develop assessment criteria, assess risk, assess risk interactions, prioritize risk and respond accordingly. Just as much as we want to convey and practice an enabler’s mindset with our peers, we require their support and collaboration in the pursuit of business security and risk management.

Enable the business with creative and thoughtful security.


Building Castles….


Today’s cybersecurity personnel come in all shapes and sizes, and in many respects their past experiences and efforts play significant roles in their today and tomorrow.

What immediately comes to mind is the history of barbed wire.

Life in the American West was reshaped by a series of patents for a simple tool that helped ranchers tame the land: barbed wire. Nine patents for improvements to wire fencing were granted by the U.S. Patent Office to American inventors, beginning with Michael Kelly in November 1868 and ending with Joseph Glidden in November 1874. In much the same way, perimeter security technology fenced us in, making us “secure” in our various Fortresses of Solitude. Or, as I like to call it, Castle Building.

Forward-thinking and agile organizations are quickly concluding that in order to function effectively in today’s digital age, those tried-and-true methods need significant revision to address “border-less” work environments and technologies. Terms such as cloud, SaaS and PaaS either frighten them to no end, or they cinch up their pants and tackle the new and unknown.

As a consultant, it’s one of the aspects of the job I enjoy most: demonstrating proven strategies that fit the requirements. Security should always seek to enable the business, and frankly I take great enjoyment in fitting the puzzle together, using the tools at hand to build something that works well. To that end…

  1. Stop Castle Building – The day and age of physical containment via technology is no longer viable in a highly mobile digital society, and it requires forward thinking on an architect’s part.
  2. Requirements, requirements… did I mention requirements? – Requirements are a tricky business, and it’s a cybersecurity practitioner’s goal to account for both business needs and security needs in one well-balanced strategy. While security might want everything under lock and key and protected by dragons, that makes business agility nearly impossible, if not entirely unfeasible.
  3. Security should ENABLE business – This is just as hard an adjustment for cybersecurity practitioners as giving up Castle Building, but we need to apply just enough protection to address the major compliance and regulatory requirements at hand while giving our business people the ability to do their jobs. Humans by nature will find the easiest possible way to get things done. Working with our vested business partners within an organization gives cybersecurity people a far better understanding of the daily aches and pains, and the knowledge to be creative in protecting our organizations.
  4. Be Creative – Meld the old with the new. The hammer is still a viable tool in construction for a reason: it works. Work with what you have at hand and add technology, people and process where applicable and where it makes the most sense. Sure, new technology can be exciting and shiny, but don’t forget to consider carefully what you already have on hand when planning your “border-less” revisions.

It’s a new frontier out there!

EDIT: Timely? Yes, yes it is, considering the original was posted over a year ago.

Is security really stuck in the Dark Ages?

“As advances are made by the good guys, the enemy will re-evaluate and re-deploy capabilities in a way that can circumvent their attack or defensive postures. The challenge with the cyberworld focus is that the battle moves much more quickly, and is even more multi-dimensional.”

But he agrees with Yoran that there is still too much reliance on defending perimeters. “Many organizations are still locked into the concept that the castle walls will protect the bad guys from getting in,” he said. “Most are not thinking about those who climbed over or tunneled under those walls.”

tinyurl.com/kjwg5b7