Traveling Naked (digitally) to avoid Cyberespionage February 25, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, cyberespionage, cybersecurity, data security, mark consulting group, new york times, security
There is a very good article written by Nicole Perlroth of the New York Times that discusses the dangers of cyberespionage. I have written on this subject in this blog as well. It is always interesting when you talk with people about cyberespionage and get the “brush off” or some comment about “James Bond” and fantasy. Unfortunately, cyberespionage is very real, and very dangerous for companies. Intellectual property and trade secrets are in high demand from certain governments and competitors. As stated by top counterintelligence official Joel F. Brenner: “If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,” (more…)
“Slicing the Pie”; Risk Management 101 February 11, 2012
Posted by Chris Mark in Risk & Risk Management. Tags: black swan events, Chris Mark, combating piracy week, cybersecurity, data security, mark consulting group, markconsultinggroup.com, Risk & Risk Management, risk management, security
This is a followup to “Risk 101: an Introduction to Risk”. Security and risk are interesting topics that lend themselves to endless debate (and the occasional argument). They are concepts that are bandied about quite frequently but, in my experience, are often not well understood by those using the terms. I have been asked by clients to describe risk management and security in business terms. At the risk of oversimplifying, I will explain the concepts in this post. Security can be described rather simply as the implementation of controls to address a vulnerability or counter a threat. Consider your house as an example. If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter).
Risk can be described as a function of the likelihood of an event occurring and the impact should it occur. Risk can be quantified using a simple formula (R = P% × I$, probability times impact in dollars) or expressed qualitatively. In the scenario above, there is a risk that your house will be burglarized. Depending upon where you live, and other factors, the likelihood (expressed as a probability) will vary from unlikely to more likely to very likely. The impact of the burglary will be determined by, among other things, the value of the assets that can be stolen. So how does this relate to security? The two concepts are (or should be) inextricably entwined.
Controls should be implemented commensurate with the identified risk.
This is a very important concept. Consider the following scenario. If I were to offer you $1,000 to either 1) install a burglar alarm in your house or 2) install a fence to keep lions out of your yard, which option would you choose? Most readers would likely respond: “it depends upon where I live”. This illustrates the relationship between security and risk management. There are two risks we are considering in this scenario: the first is the risk of burglary and the second is the risk of lion attack. If you live in the Kenyan bush, you may be more concerned about lions, as the probability of a lion entering the yard is likely higher than that of a burglar. If you live in New York City you are likely more concerned about burglaries than lions, as lions are not found in NYC (at least not legally). The controls you are considering are either a lock (to address the burglary risk described previously) or a fence to address the threat of a lion entering the yard. Additionally, ‘commensurate with the risk’ means that the controls should be enough to address the risk but not excessive. You would not put a $1,000 alarm system on a $500 car. It simply does not make sense and is an inefficient use of your limited resources.
With those topics covered very briefly, how do we discuss risk management in business terms? Easy. Consider that the risks to which you or your business are exposed are infinite. You may not believe there is a risk of being hit by a meteorite, but I can assure you that as infinitesimally small as the chance may be, there is a chance (probability), and the impact is likely not very good (injury or death). If you question the example, read about the Sylacauga Meteorite here.
Now consider that the resources at your disposal (man hours, money, expertise, technology, information) are finite. You may have a huge budget and world-class expertise, but the fact remains that you have finite resources to address infinite risks. The goal of risk management is to slice the pie of resources in a manner that allows you to address the greatest risks in the most efficient and effective manner possible. There are four primary methods of risk mitigation: Avoidance, Reduction, Sharing, and Retention (or Acceptance). Using the burglary example:
Avoidance – You can ensure you don’t own anything that could be stolen, or you could live in an isolated area where nobody else lives.
Reduction – You can reduce the risk (by reducing probability or impact) by installing locks or using a safe to protect your assets.
Sharing – You can get insurance for your assets to reimburse you if they are stolen.
Acceptance – You can simply accept the fact that burglary is a possibility, but one you are willing to accept if the likelihood is remote or you have no assets to steal.
The idea is to allocate the pieces of pie (which represent your finite resources) in a manner that addresses as much of the risk as possible. It should be noted that there will always be residual risk and the possibility of Black Swan events.
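As an added illustration (not code from the original post), here is the R = P × I arithmetic carried through in Python: a small risk register, candidate controls labelled with the mitigation method they implement, and a greedy allocation of a finite budget that only buys a control when it removes more exposure than it costs. All probabilities, dollar figures, risk names and control names are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class Risk:
    name: str
    probability: float  # annual likelihood of the event (0..1)
    impact: float       # loss in dollars if it occurs

@dataclass
class Control:
    name: str
    risk: str           # name of the risk it addresses
    strategy: str       # Avoidance, Reduction or Sharing (whatever is left is Accepted)
    cost: float
    p_factor: float     # multiplier applied to the residual probability
    i_factor: float     # multiplier applied to the residual impact
def exposure(p: float, i: float) -> float:
    """R = P x I: expected annual loss in dollars."""
    return p * i
def allocate(risks, controls, budget):
    """Greedily buy the affordable control with the best reduction per dollar,
    but only if it removes more exposure than it costs; the rest is retained."""
    state = {r.name: (r.probability, r.impact) for r in risks}
    remaining, chosen = list(controls), []
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            p, i = state[c.risk]
            reduction = exposure(p, i) - exposure(p * c.p_factor, i * c.i_factor)
            # Not commensurate with the risk: the $1,000 alarm on the $500 car
            if c.cost > budget or reduction <= c.cost:
                continue
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            break
        p, i = state[best.risk]
        state[best.risk] = (p * best.p_factor, i * best.i_factor)
        budget -= best.cost
        chosen.append(best.name)
        remaining.remove(best)
    residual = {n: exposure(p, i) for n, (p, i) in state.items()}
    return chosen, residual, budget

# Constructed figures for a New York City homeowner (not data from the post)
RISKS = [Risk("burglary", 0.10, 20_000.0), Risk("lion attack", 0.000_001, 1_000_000.0),
         Risk("meteorite strike", 0.000_000_001, 500_000.0)]
CONTROLS = [Control("burglar alarm", "burglary", "Reduction", 300.0, 0.2, 1.0),
            Control("contents insurance", "burglary", "Sharing", 250.0, 1.0, 0.25),
            Control("lion fence", "lion attack", "Reduction", 1_000.0, 0.0, 1.0)]
```

With these figures the lion fence is never bought because the exposure it removes is far smaller than its cost, and the meteorite risk has no control at all, so both end up as retained risk.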
InfoSec 101: Technology doesn’t fail, People do… January 27, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: access control, Chris Mark, data security, InfoSec & Privacy, Maritime Security, mark consulting group, policies, risk management
As research indicates that pirates are beginning to engage the services of data thieves to steal data from shipping companies, it is important that the maritime industry begin looking at securing not only their vessels but their data assets as well. In my past life as a data security professional, I have had the opportunity to work with some very large, complex organizations. As a consultant I was often involved in the remediation and after-action review of companies that had experienced a data theft or major compromise (hack). After reviewing about 3,000 data compromise cases I can say with confidence that it is not the technology that fails in data compromises, it is the people. I have yet to see a firewall decide to stay home from work or decide to change its own ruleset to open a port. I have seen a number of instances where a firewall administrator forgot to close a port or bypassed the firewall for “just a minute” and forgot about the change. I have never seen an intrusion detection system (IDS) decide to turn itself off because it was tired, but I have seen many instances where the IDS was tuned incorrectly, or where it was turned off because it was sending too many alerts. The scenario repeats over and over. Technology doesn’t get tired, it rarely fails (statistically, modern airliners are as reliable as toaster ovens) and it doesn’t complain or make mistakes.
Human beings aren’t so fortunate. We are lazy by nature. I say this because we all take the path of least resistance in everything we do. We are also fallible, which means we make mistakes. It is simply human nature. Unfortunately, in security this characteristic is why breaches occur. A guard falls asleep. A firewall admin opens a port and forgets to close it. A janitor doesn’t lock a door after leaving a building. An employee forgets one step in a calculation. The list goes on and on. So how do we minimize the mistakes and mitigate the risk associated with human nature? The answer is simple but the implementation is difficult: established processes and procedures, documented in policy and… here is the hard part… enforced.
I cannot tell you how many clients, when asked if they have a security policy, will say: “Well, we don’t have a documented policy… but we have an ‘informal policy’.” Wrong answer! If it is not formalized and approved by the appropriate authority (CIO, BOD, etc.) then it is NOT a policy; it is an informal practice. When I hear this answer I always ask: “How confident are you that the informal policy you describe is being followed?” The answer is inevitably: “Well… probably not as frequently as it should be.” This describes the vast majority of companies I have worked with. Why? The answer is again simple. First, policies are difficult and time consuming to develop and implement. Second, we don’t like to step on other people’s toes. We want to trust our co-workers and employees. By establishing an onerous policy we are saying to them: “you are not trusted.” Let’s call a spade a spade. None of us like being told we can or can’t do something, or being treated like we are not trusted. Unfortunately, in security it is absolutely imperative that we establish and enforce policies. Defined policies that are effectively enforced are the only thing that gives us confidence that tasks are being conducted “consistently and repeatedly.” This is the key.
How do you develop policies and procedures? That topic is much too deep for this blog post, but here is a high-level process to follow.
1) Take an inventory of assets (intellectual property, human resources records, financial data) and prioritize them. You need to know what it is you are trying to protect before you can find a way to protect it.
2) Identify the who, what, where, why, when, and how of data access. Using the access control system and its reports (Windows Active Directory, LDAP, etc.) and application information, identify the following: who has access to the data (including applications, services and people), what data they can access, where the data is stored, why they have access (and whether they actually need it), when they have the ability to access it (and whether that should be restricted) and how they access the data (direct SQL queries, applications, etc.). Develop a matrix with all of this information included.
3) Develop a dataflow diagram. Using the matrix above and an existing logical network diagram, create a diagram that logically shows where all sensitive data (as identified in #1) is located and how it flows through the network (including all applications and devices). This process will be enlightening. Experience suggests there will be a number of ‘aha’ moments where you find that people with no business need have access to very sensitive data.
4) Develop a ‘data control policy’ using the model of least privilege and ‘need to know’. This is the first policy. Classify the types of data and decide who (people, applications, services) should be able to access which type of data, under what conditions (time, location, etc.), and provide a justification. This should be based on a ‘need to know’. For example, a system administrator (system-level access) should not have access to the financial accounting database, nor be able to see financial accounting data, unless his/her job requires it.
5) Update your access control mechanism to reflect the data control policy. Update user privileges and rights in Active Directory or LDAP to reflect the data control policy. The access control policy itself is another step that will be covered in another blog post.
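An added example (not code from the original post) of steps 2 and 4 in Python: it builds the who/what/where/why/when/how matrix from access grants and checks each grant against a ‘need to know’ data control policy, so that a system administrator’s access to the financial database surfaces as a finding. The data sets, roles, policy and grant records are constructed sample data, not pulled from a real directory.

```python
from collections import defaultdict

# Step 1: inventory of sensitive data sets and their classification (constructed)
DATA_CLASS = {"finance_db": "financial", "hr_records": "hr",
              "design_docs": "intellectual_property", "web_logs": "internal"}

# Step 4: data control policy, i.e. which roles have a 'need to know' per class (constructed)
POLICY = {
    "financial": {"accountant", "cfo"},
    "hr": {"hr_staff"},
    "intellectual_property": {"engineer", "product_manager"},
    "internal": {"sysadmin", "engineer", "accountant", "hr_staff", "cfo", "product_manager"},
}

# Step 2: one tuple per access grant as pulled from AD/LDAP and application reports:
# (who, role, what, where, why, when, how). Constructed sample data.
GRANTS = [
    ("alice", "accountant", "finance_db", "sql01", "monthly close", "business hours", "ERP app"),
    ("bob", "sysadmin", "finance_db", "sql01", "", "24x7", "direct SQL"),
    ("carol", "engineer", "design_docs", "fileshare", "product work", "24x7", "SMB"),
    ("frank", "engineer", "design_docs", "fileshare", "", "24x7", "SMB"),
    ("svc_backup", "sysadmin", "hr_records", "hrapp", "nightly backup", "02:00-03:00", "agent"),
    ("dave", "product_manager", "hr_records", "hrapp", "", "business hours", "web UI"),
    ("erin", "cfo", "finance_db", "sql01", "reporting", "business hours", "ERP app"),
]

def build_matrix(grants):
    """Step 2: the who/what matrix, with where/why/when/how recorded per cell."""
    matrix = defaultdict(dict)
    for who, role, what, where, why, when, how in grants:
        matrix[who][what] = {"role": role, "where": where, "why": why, "when": when, "how": how}
    return matrix

def find_violations(grants, data_class=DATA_CLASS, policy=POLICY):
    """Step 4 check: flag grants to a role with no need to know that data class,
    and grants that have no recorded justification (an empty 'why')."""
    findings = []
    for who, role, what, _where, why, _when, _how in grants:
        cls = data_class.get(what, "unclassified")  # unclassified data: nobody is cleared
        if role not in policy.get(cls, set()):
            findings.append((who, what, f"role '{role}' has no need to know '{cls}' data"))
        elif not why:
            findings.append((who, what, "access granted without a documented justification"))
    return findings

if __name__ == "__main__":
    for who, what, reason in find_violations(GRANTS):
        print(f"{who} -> {what}: {reason}")
```

The findings list is the input to step 5: each row is either a grant to remove or one that needs a documented justification added to the matrix before it is kept.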
By using the 5 steps above, you will be well on your way to controlling and protecting your sensitive data assets. Remember, policies are simply paper documents unless they are documented, approved by management, disseminated, and enforced. Although enforcement is often difficult, employees need to understand that violating information security policies can be met with punishment up to, and including, termination or prosecution.
Privacy, Discrimination, and Facebook September 15, 2011
Posted by Chris Mark in Uncategorized. Tags: anti discrimination, Chris Mark, data security, EEOC, Maritime Security, privacy
This post is going to deviate from maritime security. I was asked today by a person on Facebook whether someone should provide their Facebook login to a potential employer who asks. In short, a person is applying for a job and the potential employer has asked for the person’s Facebook credentials to view their Facebook account. Let me preface my answer with some background. For the past 10 years I have worked extensively in data security and privacy.
The US, Canada, EU, Japan and most other industrialized nations have laws that prohibit discrimination based upon various aspects such as race, creed, religion, disability, political views, etc. The US is about 10 years behind Europe when it comes to data security laws and privacy laws. An employer that is asking for your Facebook login is exposing themselves to potential liability and is likely infringing upon your rights. Many, if not most, people post private information in their Facebook accounts. Sexuality, marital status, family, religion, political views and associations, all of which could divulge private information, are commonly posted on Facebook. By asking you for your login, the employer is doing a few things incorrectly. First, they are asking you to violate Facebook policy by providing your personal login to the account. Second, they are placing themselves in a precarious position by removing the non-repudiation from your account. Consider an example where an employer logs into an account and reads something that their employee wrote that is deleterious to the company. Who is to say that the employer did not actually write the post? Since there is a single login, there is no way to state definitively who wrote it. Additionally, by asking for the login, the employer may be given access to personal private information that could expose them to risk should your employment end. If a person is gay, or disabled, or an anarchist, or planning on having children, this is their own business; the company has no right to ask about this information, and it is a violation of various laws to discriminate based upon such facts. The US has the Equal Employment Opportunity Commission (EEOC) and the Americans with Disabilities Act (ADA), as well as other laws that protect individual rights. The UK has, among other things, the Disability and Equality Act 2010, and the EU has the EU Anti Discrimination Law, among others, that protect employees.
The long and short of it is that if you are asked to provide your Facebook login, you may want to politely inform the potential employer that 1) you have a public Facebook profile that they are free to peruse and 2) there is private information in your Facebook account that the employer has no right to ask to see. Their asking may, in itself, be a violation of privacy laws. Finally, if you have strong opinions, or lewd photographs, or you curse like a sailor, make sure that you don’t post it on your public profile 😉