jump to navigation

“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,
add a comment

In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security.  More often than not these statements are little more than “geek speak” written to give consumers and others a peace of mind yet don’t really provide any information on the security posture of the company.  In the vast majority of cases the statements are ‘marketing fluff’ and provide little value.  Here are some of the more common and interesting statements I have come across:

-”We use industry leading encryption, including SSL, to protect your data as it is transmitted to us.”  Encrypting transmission of credit card data is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice!  The fact that a company feels compelled to state that they are using SSL to protect transmitted data leads to more questions.  It doesn’t say anything about how your data is used (privacy discussion) or whether the stored data is adequately protected by encryption or other technologies.  SSL is a very small piece of the puzzle.

-”We use multi-tiered firewall controls to protect sensitive data.” Again, multi-tiered network architectures are required by the Payment Card Industry Data Security Standard (PCI DSS)  and being that we are now in the year 2012, operating without a multi-tiered network would be irresponsible at best.  This statement only states that the company has implemented firewalls between various segments of their network and suggests that they are not operating a ‘flat’ network in which every system can touch every other system (very 2003).  It does not state anything about whether the devices are configured correctly nor does it differentiate between application layer and network layer firewalls. (more geek speak to confuse and confound)

-”All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building that is used to house computer servers typically for a number of different clients.  Data centers are designed with safety, physical security, and redundancy in mind.  The fact that data is housed in a 4th generation data ceneter does not provide any information on the technical security controls implemented to protect customer data.  It simply means that if someone wanted to physically steal the computer they would be challenged.

-”we use robust encryption and change the encryption key at least annually.”  The use of ecryption technology is a good step but encryption is only as good as the algorythms used and the key management employed.  This statement simply says that once again, the company is following industry accepted controls.  While changing encryption keys periodically is good practice, it doesn’t say anything about how the keys are managed in the intervening periods nor does it say anything about what data is encrypted or what access controls are in place.

When evaluating a company with which to do business, it is suggested that you take the time to really ask the difficult questions about security.  Simply reading website information will not provide you with the assurance that the company is protecting your data.  In some cases the information provided is not simply irrelevant but may provide a false sense of security the the buyer.  By using ‘geek speak’ it is easy to convince a non-techie that they are doing the right things.  If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or some other trusted party to support you in your evaluation.

InfoSec 101: Technology doesn’t fail, People do… January 27, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , ,
add a comment

As research indicates that pirates are beginning to engage the services of data thieves to steal data from shipping companies, it is important that the maritime industry begin looking at securing not only their vessels but their data assets, as well. In my past life as a data security professional, I have had the opportunity to work with some very, large complex organizations.  As a consultant I was often involved in the remediation and after action of companies that had experienced a data theft or major compromise (hack).   After reviewing about 3,000 data compromise cases I can say with confidence that it is not the technology that fails in data compromises, it is the people.  I have yet to ever see a firewall decide to stay home from work or decide to change its own ruleset to open a port.  I have seen a number of instances where a firewall administrator forgot to close a port or bypassed the firewall for “just a minute” and forgot about the change.  I have never seen an intrusion detection system (IDS) decide to turn itself off because it was tired, I have seen many instances where the IDS was tuned incorrectly, or where it was turned off because it was sending too many alerts.  The scenario repeats over, and over.  Technology doesn’t get tired, it rarely fails (statistically modern airliners are as reliable as toaster ovens)  and it doesn’t complain, or make mistakes.

Human beings aren’t so fortunate.  We are lazy by nature.  I say this because we all will take the path of least resistance in everything we do.  We are also fallible, which means we make mistakes.  It is simply human nature.  Unfortunately, in security this characteristic is why security breaches occur.  A guard falls asleep.  A firewall admin opens a port and forgets to close it.  A janitor doesn’t lock a door after leaving a building. An employee forgets one step in a calculation.  The list goes on and on.   So how do we minimize the mistakes and mitigate the risk associated with human nature?  The answer is simple but the implementation is difficult.  Established processes and procedures documented in policy and…here is the hard part….. enforced.

I cannot tell you how many clients when asked if they have a security policy will say: “Well, we don’t have a documented policy…but we have an ‘informal policy’.”  Wrong answer!  If it is not formalized and approved by the appropriate authority (CIO, BOD, etc.) then it is NOT a policy…it is an informal practice.  When I hear this answer I always ask: “How confident are you that the informal policy you describe is being followed?”  The answer is inevitably: “well…probably not as frequently as it should be.”   This describes the vast majority of companies I have worked with.  Why?  The answer is again simple.  First, policies are difficult and time consuming to develop and implement.  Second, we don’t like to step on other people’s toes.  We want to trust our co-workers and employees.  By establishing an onerous policy we are saying to them: “you are not trusted.”  Lets call a spade a spade.  None of us like being told we can or can’t do something or being treated like we are not trusted.  Unfortunately in security it is absolutely imperative that we establish and enforce policies.  Defined policies which are effectively enforced give us the only confidence that tasks are being conducted: “consistently, and repeatedly.”  This is the key.

How do you develop policies and procedures?  That topic is much to deep for this blog post but here is a high level process to follow.

1) Take an inventory of assets and prioritize those assets. (intellectual property, human resources records, financial data).  You need to know what it is you are trying to protect before you can find a way to protect it.

2) Identify the who, what, where, why, when, and how of data access. Using the access control reports/system (Windows Active Directory, LDAP, etc.) and application information, identify the following: Who has access to the data (include applications, services and people), what data they can access, where the data is stored, why they have access (and whether they actually need access), when they have the ability to access (and whether it should be restricted) and how they access the data (direct SQL queries, applications, etc.)  Develop a matrix with all info included.

3) Develop a dataflow diagram.  Using the matrix above, and an existing logical network diagram, create a diagram that logically shows where all sensitive data (as identified in #1) is located and how it flows through the network (including all applications and devices).  This process will be enlightening.  Experiences suggests there will be a number of ‘ahaa’ moments where you find that people with no business need have access to very sensitive data.

4) Develop a ‘data control policy’ using model of least privilege and ‘need to know’.  This is the first policy.  Classify the types of data and decide who (people, applications, services) should be able to access which type of data, under what conditions (time, location, etc.) and provide a justification.  This should be based on a ‘need to know’. For example, a system administrator (system level access) should not have access to the financial accounting database nor be able to see financial accounting data unless his/her job requires.

5) Update your access control mechanism to reflect the data control policy.  Update user privileges and rights in Active Directory, or LDAP to reflect the data control policy.  The Access Control Policy is another step that will be covered in another blog post.

By using the 5 steps above, you will be well on your way to controlling and protecting your sensitive data assets.  Remember, policies are simply paper documents unless they are documented, approved by management, disseminated, and enforced.  Although enforcement is often difficult, employees need to understand that violating information security policies can be met with punishment up to, and including, termination, OR prosecution.

Roque Wave; Secure Payments Article January 11, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , , , , , ,
add a comment

This is an excerpt from an article I wrote a couple of years ago called “The Rogue Wave”.  It discusses a high level overview of Doctrine, Tactics and Strategy and applying PCI DSS as doctrine…You can read the full article here.

“Recent data compromises have continued to illustrate the challenges of securing data in an increasingly hostile environment.  Companies are faced with securing and protecting their valuable information form a growing number of increasingly sophisticated and organized groups determined to steal valuable data.  Historically, the response to data compromises has been to pass and enforce increasingly strict standards, regulations, and laws detailing the specific steps companies must take to protect data and the required disclosure should data be compromised.  Those companies that are the unfortunate victims of data thieves are criticized and vilified for “losing data”.  In spite of the efforts being focused upon compliance with the various laws and standards, data compromises continue in their steep upward trend seemingly unabated…”

Two Leaders Lost; Reflecting on Vaclav Havel and Kim Jong Il December 19, 2011

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
add a comment

In the past few days the world has lost two leaders who could not have more profoundly different.  As leaders of countries have a profound impact on global risk, it seemed appropriate to discuss these two leaders and their differences.

Vaclav Havel (1936-2011) was a Czech writer, dramatist and politician.  He is largely responsible for the Czech revolution which peacefully defeated communism and implemented democracy in Czechoslovakia in what is know known as the Velvet Revolution or Velvet Divorce.  He was the last president of Czechoslovakia and first president of the Czech Republic.  Vaclav was a prolific writer who changed peoples’ perspectives on politics, life, and economics.  One of his quotes is: “We had all become used to the totalitarian system and accepted it as an unchangeable fact and thus helped to perpetuate it”.  You can read more about Vaclav here.

Kim Jong Il, or the “Dear Leader” (1941-2011 ) was the dictator of the Democratic People’s Republic of Korea (DPRK).  This is more commonly known as North Korea.  While many believe, and it is put forth that North Korea is Communist, in truth only their economic system is Communist.  They are a dictatorship.  Preceding Kim Jong Il was his father Kim Il Sung (the Great Leader), and proceding his reign is his son, Kim Jon Un (the Great Successor).  Compare the words of Vaclav Havel above, with those of Kim Jong-Il in the song: “There is no motherland without you”.   You can read more about Kim Jong Il here.

“You pushed away the severe storm.
You made us believe, Comrade Kim Jong-il.
We cannot live without you.
Our country cannot exist without you!”

Vaclav Havel fought his entire life for the values of Democracy, freedom, and prosperity for his people.  He lead the only violent free revolution which resulted in two countries being formed- the Czech Republic and Slovakia.  He was revered throughout the world and will certainly be missed.  Kim Jong Il fought his entire life to maintain an iron clad grip on power by oppressing and imprisoning those who dare speak against him.  North Korea is one of the poorest countries on Earth yet they pursue nuclear weapons with a passion.  He was universally reviled and will only be missed because it is unclear what his successor brings.  Sometimes “The Devil You Know is Better Than The Devil You Don’t.”

Vaclav you will be missed.  Kim Jong Il, God help us if you are missed.

Updated Whitepaper- Deterrence Theory & Modern Piracy December 19, 2011

Posted by Chris Mark in Piracy & Maritime Security, Uncategorized.
Tags: , , , , , , ,
add a comment

I spoke on this topic at the Piracy Week event in London this past October.  It was a well received presentation so I thought I would repost the whitepaper with a few updates.  Deterrence theory plays a part in crime prevention, security and even dealing with teenagers ;).  You can download the paper here.

Understanding how people respond to deterrents as well as the rational actor model will help develop strategies for dealing with piracy and other crimes.  It should be noted that deterrence theory really goes out the window once someone is taking action for ideological purposes.  (that is my disclaimer)…pic was taken from johnbsheldon.com