Image via Wikipedia
When companies come to me because they want to draft a security policy, the first question I ask them should be the most obvious: “Why?”
It may seem like a simple question, but more often than not it is met with confusion as if the answer was so obvious that it cannot be articulated. At other times, the answer is that they are simply compelled to have a security policy by law and regulations. But bandwagon mentality or compliance reasons will not generate a successful security policy. Starting with the “why” is the most important step when crafting a security policy, and the answer to “why?” comes from a risk assessment.
Risk assessment is an endeavor to find out why you need this policy and what it hopes to achieve. Risk assessment determines the magnitude of potential loss and the probability that the loss will occur. For security, this means classifying information into separate levels of sensitivity, then, discovering the possible risks, and the probability of those risks, that this information may be compromised.
It is not possible or sensible to protect all information, regardless of sensitivity, with the same maximum level of protection. And there is no cookie-cutter, one-size-fits-all approach to creating a security policy since every business has unique risks and places different values on different kinds of information. This is why an individual risk assessment must be performed. Once this has been determined, a security policy can be crafted based on protecting information based on its value and risk unique to that organization.
The problem is that too much policy work is driven by compliance rather than need. Without first identifying the need (the “why”) a security policy is destined to miss its mark and be nothing more than a symbol of intent rather than a useful procedure.
By relying simply on compliance to dominate a security policy, you may live up to laws and regulations but remain vulnerable. Compliance alone has not saved many companies from data breaches, including the credit card processor Heartland Payment Systems, who suffered an unauthorized disclosure of 100 million credit and debit card transactions while remaining compliant.
I am back from my week of trips, and ready to get back into the blogging routine. While travelling and talking with clients about security audits some thoughts came to me.
If all your security audits are involuntarily performed by external entities and you are simply struggling to survive them for fear of punitive recourse, then you probably don’t have the best attitude when it comes to security. A security audit should help your organization improve and grow – it is not something to be scared of.
I was reminded of the saying that no security is actually better than poor security. This is because with no security, at least you know how secure you are and won’t act in such a way that would put your data at risk. But with poor security, you might be fooled into a false sense of security that can put you in position for staggering losses when a breach does occur.
This is why security audits are so important; they inform you on the current level of your security. This knowledge empowers you to make informed decisions regarding data risk analysis. You should conduct your own security audits often and after implementing new security defenses.
Now I’m often asked if it’s better to conduct internal audits yourself or pay for outside security consultants to conduct external audits. Personally, I feel there are a few more advantages to outsourcing the audit.
1) Security consultants make security audits a core function of their business. They probably have more experience and a wider knowledge base to find more gaps than an internal audit.
2) Internal audits tend to be lax when it comes to identifying gaps. The focus shifts to checking check boxes rather than actively trying to break the system.
3) If something is missed in the security audit and a breach occurs – at least you have someone else to blame. You may even be able to hold your security consultant company accountable depending on the contract.
4) There is no reason you cannot perform an internal audit and then have an external one which you compare for accuracy and team skill set building.
I hope to see more security audits met with welcoming arms than with dread and uncertainty. Just remember, that security is never final and the audit is just a part in the continuous effort to improve your defenses.
As I contemplate purchasing a netbook (the HP Mini 2140 looks awesome) I saw a Computerworld.com article named a “Laptop Losers Hall of Shame” (http://www.computerworld.com.au/article/222142/laptop_losers_hall_shame) detailing the enormous security breaches that ensued when notebook computers were lost or stolen by employees of corporations, government agencies, or colleges. The hall of shame is both hilarious and frightening.
Smartphones are becoming the new laptops. ABI Research expects annual worldwide shipments of smartphones to exceed 334 million units by 2010, up from just more than 42 million units in 2005. With so many millions of devices carrying sensitive company data, it’s not hard to imagine what keeps security analysts up at night.
Mobile phones have evolved to a point where they equal the functionality of older notebook computers. I know that I can do pretty much every daily task I need too from my smartphone including RDPing or SSHing into servers. Like me and probably you, we use these smartphones to house critical information, such as notes, emails, and business contacts. If notebooks became such a huge security risk because they are portable, then smartphones are much worse. Brimming with insecure information, we carry these mobile devices with us at all times. For most of us, losing your mobile phone isn’t a possibility, it’s an inevitability. I have lost 2 phones with one being stolen in Vegas and the other being sucked into the ether somewhere.
Other than having more portability and ubiquity than notebooks, smartphones are also harder to control and manage because they are purchased by individual users and do double duty for work and personal use. Notebooks can be issued and centrally managed by the enterprise, but it cannot do the same for the mobile phones of every employee.
How can IT security professionals create a sound infrastructure to compensate for remote workers who are likely to be the unwitting bearers of major security threats?
As always, include the usage of mobile devices with company data in your security policy and create expectations for your company employees to follow.
I know this is basic stuff, but apparently we still need education on choosing a good password. It amazes me to know that if I ever wanted to log on to a client’s workstation, I can usually do this by entering their last name, their spouses name, their pet’s name, or just type “password1.” If these methods fail, I could just read the yellow sticky note attached to their computer or lying in their desk drawer.
Want to have something like this at your company? We will send you a free set of “Don’t write your Password on this” Post-It notes for FREE. Simply, contact us and we will ship them out!
Forget worrying about genius hackers with brilliant techniques for breaking into your system. Why would a hacker need to know how to break into a system when they could simply logon, and not even risk detection? No matter how strong your security is, it can always be trumped by a poorly chosen password that is easily susceptible to brute force attacks or social engineering. So let’s go over the rules again.
Your password should not be:
What your password could be:
One of my favorite activities we perform for clients is Social Engineering so I thought that a recent trend, disinformation, would be an interesting topic to discuss:
In 1943, British Intelligence dressed up a corpse, equipped it with fake operation plans, and floated it out to sea where Axis troops would eventually recover it. The ruse was designed to make the Germans believe that the Allies planned to invade Greece and Sardinia, instead of Sicily, their actual target.
“Operation Mincemeat” was a successful disinformation campaign. Also called “Black Propaganda,” Disinformation is the intention is to spread false or inaccurate information to damage or gain an upper-hand against an opponent. While it was often used in wartime throughout history, the new battleground for disinformation is cyberspace where hackers spread disinformation about a company through their own systems.
According to a study on hacking incidents and trends for the first quarter of 2009, “Disinformation” is now the second most common attack outcome by hacking (losing to “Information Leakage” by only 3%). This is a major jump since Disinformation was not even on the list in the previous study, falling somewhere below Phishing (3%). Defacement, which can be distinguished from Disinformation because it spreads obviously false information, is third on this list.
And if you don’t think Disinformation can cost your company money, just ask Steve Jobs who recently shared sentiments with Mark Twain – “reports of my death have been greatly exaggerated.”
A hacker that broke into the live Mac Rumors Feed to announce – in all capital letters –“STEVE JOBS JUST DIED.” It took three minutes before a retraction was given, “Steve did not die.” In another incident, someone uploaded photos to Wired magazine’s website with a detailed story describing Steve having a cardiac arrest. In this case, it wasn’t even a code flaw that allowed the disinformation to be publicized, but an obvious application design flaw. Wired’s public image viewing utility allows anyone to upload whatever images they wish which are then viewable on their public website.
Harmless pranks? The incidents caused Apple stock to plummet from the disinformation campaign. Considering Steve’s recent health problems made the disinformation so plausible and the same disinformation was used on multiple occasions, you can’t help but wonder if the culprit has a vested interest in seeing Apple stock drop.
Disinformation isn’t going away. Consider the rise of social network trends like Twitter. Social networks are very susceptible to hacking in the first place. Twitter allows news to be sent directly to thousands of users. This makes it a very powerful platform for information or disinformation.
When HIPAA was passed and made federal law by the Clinton administration in 1996, the fear of fines and even jail time sent the medical industry scrambling to beef up their patient data security by the 2003 deadline. However, for years afterwards, HIPAA remained a toothless tiger. Occasionally, it growled and violators were threatened to clean up their act. But it usually did not bite, as prosecutions were rare and usually mild.
Since no serious prosecutions have taken place since HIPAA went into effect in 2003, I and the medical industry have wondered if HIPAA is just a made-up boogeyman meant to frighten them into compliance.
All this changed on February 18 when the U.S. Department of Health and Human Services and the Federal Trade Commission issued a press release stating CVS had to pay $2.25 million to the U.S. government for HIPAA violations.
The HHS Office for Civil Rights (OCR) and the Federal Trade Commission caught the pharmacy chain red-handed disposing of empty pill bottles that contained patient data into dumpsters and trash containers outside select stores. Among other issues, CVS “failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.”
CVS Caremark Corp., the parent company of the 6,000 store pharmacy chain, must implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information in addition to its fine. CVS must also submit to a biennial audit by a third party to show their compliance.
Is HHS trying to set an example with the steep penalty? Is CVS the sacrificial lamb intended to inspire other delinquent HIPAA violators to clean up their act?
While many medical industry companies may have gambling with HIPAA violations, at least CVS learned it isn’t worth the risk. Besides the possible penalties, compromising personal patient data is a strike against the reputation of a company. And this can be more costly than any fine by the HHS.
