Sunday, June 30, 2013

Three Reasons Why America's Security Model is Broken -- Counterpoint

Last Friday CSO Online published an article by Craig Shumard entitled 3 Reasons Why America's Security is Broken.  In this article, Shumard -- the former CISO of CIGNA who survived the early days of HIPAA and HITECH legislation -- offers a three-pronged approach to fixing security in the US:  (a) more detailed/prescriptive rules and regulations; (b) fixing the basics; and (c) more transparency toward our customers regarding how security is implemented.  I think it's worth our taking, as security professionals, a look at each of these proposed remediation strategies in some detail.

1.  The regulatory environment.  Regulatory prescriptiveness in any arena is a matter of balance.  If you are too prescriptive you run the risk of imposing needless costs as well as hamstringing the ability to innovate and/or embrace new technologies.  Let's take, for instance, the use of antivirus software.  It seems to make sense to be prescriptive about the use of anti-virus, yes...until you realize that the percentage of malware attacks that AV systems (or many signature-based technologies these days) are capable of stopping is small and getting smaller.  Change the sample ever so slightly so that it no longer matches the signature and the malware has a heightened opportunity of slipping through.  In the past, I and several colleagues have made the argument that tighter access control and permissioning further down the stack, combined with improved anti-malware technologies, can achieve a higher percentage of success than AV suites...yet the more-prescriptive regulations out there all mandate the use of antivirus software.
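To make the brittleness of signature matching concrete, here is an added example (not code from the original post, and not any vendor's engine) that compares an exact-hash signature with a byte-pattern signature against a constructed stand-in for a malicious file. The file contents, the `PATTERN` rule and the mutations are all assumptions made for illustration; nothing here is a real sample or a real AV rule.

```python
import hashlib
import re

# Constructed stand-in for a malicious file (not a real sample): a fake
# header, some padding, a command-line string an analyst might key a
# signature on, a blob of encoded payload, and trailing padding.
SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 16
    + b"cmd.exe /c powershell -enc "
    + b"A" * 32
    + b"\x00" * 8
)

# Hypothetical pattern signature, written as a regex over raw bytes
# (a YARA rule would express the same idea with a string and a condition).
PATTERN = re.compile(rb"cmd\.exe /c powershell -e(nc|ncodedcommand) ")


def hash_signature(sample: bytes) -> str:
    """Exact-match signature: SHA-256 of the whole file."""
    return hashlib.sha256(sample).hexdigest()


def matches_hash(sample: bytes, known_hash: str) -> bool:
    """True only if the file is byte-for-byte identical to the known sample."""
    return hash_signature(sample) == known_hash


def matches_pattern(sample: bytes) -> bool:
    """True if the keyed byte pattern appears anywhere in the file."""
    return PATTERN.search(sample) is not None


def mutate(sample: bytes, offset: int, value: int) -> bytes:
    """Return a copy of sample with the single byte at offset replaced."""
    buf = bytearray(sample)
    buf[offset] = value
    return bytes(buf)


def evaluate(sample: bytes, known_hash: str) -> dict:
    """Run both signatures against sample and report which still fire."""
    return {"hash": matches_hash(sample, known_hash),
            "pattern": matches_pattern(sample)}


def demo() -> list:
    """Walk through the untouched sample and two one-byte variants."""
    known = hash_signature(SAMPLE)
    results = []
    # 1. Untouched sample: both signatures fire.
    results.append(("original", evaluate(SAMPLE, known)))
    # 2. One byte of trailing padding changed: the hash no longer matches,
    #    the pattern still does.
    padded = mutate(SAMPLE, len(SAMPLE) - 1, 0x01)
    results.append(("padding byte changed", evaluate(padded, known)))
    # 3. One byte inside the keyed string changed (cmd -> Cmd): both miss,
    #    although a case-insensitive OS would still launch the command.
    cased = mutate(SAMPLE, SAMPLE.index(b"cmd"), ord("C"))
    results.append(("keyed string changed", evaluate(cased, known)))
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:22s} hash={verdict['hash']!s:5s} pattern={verdict['pattern']}")
```

The point is the asymmetry: the defender must anticipate every byte an attacker might touch, while the attacker needs to change only one that the signature happens to depend on. That is why the text argues for controls that do not depend on recognising the sample at all.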

This problem is, of course, exacerbated by the pace of change for regulation and law.  By the time most regulations and laws get passed, technology has already begun the march into new territories which regulations do not address completely.  Imagine if, for instance, the PCI-DSS prescribed a specific algorithm and key length for encryption (think of a rule written when 56-bit DES or 1024-bit RSA was still considered adequate).  As technology advances and processing speeds change, meeting the prescribed standard might actually place the complying entity in a state of weakened security.

Of course, setting a prescriptive minimum requirement for security controls can eliminate this potential risk...but again, unless the minimum can move at a pace that keeps up with technological change then you still end up with the potential for prescribed weakness in controls.

I would argue that the thing that needs to be fixed in this area isn't the lack of specificity in regulations;  rather, it is the habit of equating compliance with security.  A secure framework meets all compliance standards...but a compliance framework will never meet all security needs. Attempting to prescribe security via regulation is an exercise in futility;  despite our legislators' belief that this is possible, as professionals we need to break the security = compliance equation.

2.  Fixing the basics.  I absolutely support Mr. Shumard's position here. To quote an earlier posting of mine, I truly wonder what the various data breach reports would look like if we:
  • Enforced heightened password complexity
  • Patched vigorously and rapidly (to include addressing aggregate risk via patching low-level vulnerabilities with regularity)
  • Cleaned up roles and access to systems, ensuring a least privilege model; and
  • Managed (and monitored) super user accounts and privileges aggressively throughout the environment.
Even scarier to contemplate is the impact of such basic blocking and tackling on the security industry and its never-ending race toward new tools.

3.  Transparency.  Again, I agree with Mr. Shumard's basic premise in this instance.  Creating a model of transparency re: what we are doing from a security perspective will help us more than hurt us by forcing those who are doing less than what is deemed prudent to leave the shadows.  The problem -- one which Mr. Shumard spends far too little time on -- is the determination of what is deemed "prudent."

When I build programs, I often tell folks that I can build them Fort Knox but Fort Knox mightn't be the proper solution for their business model.  The trick (or, if you prefer, the "art" portion of our professional "science") is determining what the right balance is for the environment and what that does to the overall risk calculus of the business.  Once again, the hindrance in this area is staring us in the mirror.

Two well-trained, well-educated security professionals with similar backgrounds and perspectives can walk into an organization, evaluate its security/risk posture, and reach different conclusions.  On a 10-point scale, one professional will rate the organization as a 7 and another will rate it as an 8.  As Mr. Shumard points out, we need to get to a state where we have some type of common best practices/risk-versus-control-implementation knowledge base that we can look towards as we implement programs.  Continuing the example above, if such a knowledge base existed we could agree as a profession that the evaluated organization is currently at a 7 on a 10-point scale...at which point, the discussion becomes one of whether a 7 is sufficient and appropriate for the assets being protected.

This is the hard and non-sexy work of our profession; it turns more of our "art" into "science" and that scares many folks in our field.  Until we complete this work, though, meaningful transparency isn't achievable...and sooner or later our constituents are going to become less enamored with security professionals continually stating that "it's complicated" or "it depends" versus explaining what we're doing and why we're doing it.

Conclusions.  Where Mr. Shumard states three reasons that our security model is broken, I offer three actions necessary for remediation:
  • Fix the basics.  It's past time we did so.
  • Stop looking toward regulation as the only expression of security value.  As a profession we made an egregious error in hanging our hats onto fledgling regulations at the turn of the century.  In doing so, we placed the power of determining appropriate security in the hands of those for whom legal sufficiency is a perfectly acceptable standard.  We don't need more prescriptive regulation; we need to express security value in terms not tied to regulation.
  • Create a standard.  It's time to spend serious cycles on driving down the art of security and focusing on the science.  Only by creating some level of professional normalization (forgive the double entendre :) ) can we avoid going the way of the VP of Telephony within our organizations.
Food for thought!

Sunday, June 23, 2013

Random Thoughts on the Adaptive Mindset

As we approach the midpoint of 2013, I have begun to shift some of my thinking to strategic initiatives for 2014 and beyond.  As I begin this shift in focus -- and, admittedly, as I come off of vacation :) -- I have begun to spend time thinking about what I am calling the "adaptive mindset." A friend and colleague of mine refers to this same topic as the "Agile mindset," but this often gets closely intertwined with the Agile development methodology.  I believe the challenge I am referring to extends beyond Agile development, although we see this challenge most clearly manifested within Agile development environments.

I have often preached that the job of a security team is to "make lemonade out of two apples, a grapefruit, and a kumquat and make it look easy while doing so."  The needs of the business can shift at an almost mercurial pace, and if security wishes to remain a supportive (and, therefore, a valued and relevant) factor, security professionals need to be able to innovate secure approaches and solutions on the fly, often without the benefit of exhaustive research time and/or ideal toolsets.  Think of the movie Apollo 13, when the lead engineer dumps a pile of parts on the table and informs the team that they must develop a solution to the spacecraft's problem utilizing only the items on the table.  Just another day in the life for a typical security guy :)

The problem -- or, at least, the thing that I perceive to be a problem -- is that we appear to be losing some of the profession's inherent ability to innovate on the fly.  In the early days of security, we came from a wide variety of backgrounds;  many of my peers trained as mathematicians, musicians, accountants, and (in two cases that I know of) Jesuit priests.  As we have begun to create college programs centered on information security, we have created a standardized group of people who understand The Way Things Ought To Be...but not necessarily how to get there when the circumstances are less than perfect.

I first ran across this problem en masse during my studies for my Masters degree.  I was in a cohort-driven program, and for each class we needed to engage in online discussion groups around questions posed by the professor.  I was the only sitting CSO (and had been for 3+ years) in my cohort, and I would often challenge the other students' answers with responses like "That makes sense and is leading practice, yes...but what happens when the situation is <X>?"  Invariably someone would chime in "well, that would never happen," only to have me explain that I had had to deal with exactly such a situation just the month before.  This would lead to some stilted discussion as fifteen highly experienced and well-educated personnel struggled to innovate a solution to a real-world problem.

I see similar challenges as security shops attempt to work within an Agile development or project environment. Decisioning in such environments happens in small teams at the lowest level.  The security SME doesn't need to know everything...but he does need to be able to think critically at a fast pace, make decisions, and consult the appropriate knowledge repositories to drive new and innovative solutions rapidly.  Too often, security personnel struggle in these environments; in some cases, they mask their inability to move and think rapidly by defending the need for security to follow a traditional waterfall model.

I am blessed to run a decent-sized security shop in an organization that truly values programmatic, holistic security. My people are top notch, with a true desire to do the right things as well as improve their personal skills. As the security leader in such an organization, I find myself in a quandary.  How do I balance the need for security specialists who can dig into certain topics and areas with nimble-minded generalists who have a passably working knowledge of multiple topics as well as the ability (and confidence) to make decisions on the fly in a fast-moving organization?

The first answer that comes to mind when I discuss this topic with many of my peers is "experience."  Yes, clearly a more tenured and seasoned individual has a greater ability to flex and maneuver than a new recruit...but this raises the real questions of (a) how do we actively train and prepare young security professionals to adopt a nimble mindset, and (b) how do we persuade young security professionals to eschew some of their 'specialist' chops in favor of a more holistic knowledge base?  Adding to this challenge, of course, is the young professional's resistance to knowledge transfer.  Security professionals are proud of their skills and knowledge...and they have a right to be.  Many of these younger professionals can feel threatened at the prospect of either sharing that knowledge with someone else (a la cross training) or placing that knowledge within some type of knowledge repository.  After all, if someone else has the knowledge, doesn't that make them expendable?

No organization can afford to staff itself with only senior personnel (even if such personnel were available in large numbers).  Further, there is still a need for "screen jockeys" at some level to do the analysis on incoming events, etc. Clearly an organization must find and strike a balance between the two - a balance that is partially driven by (a) training younger professionals on a broader range of skills; (b) encouraging critical thinking; (c) building knowledge repositories and documented security processes; and (d) automating as many routine processes as possible.  We must eschew the notion that a young security analyst needs to spend 3-5 years perfecting nothing but one specialty skill before they can branch out.  We must also encourage the notion that a well-rounded, critical-thinking professional is what is needed in order to drive transformation and value within an organization.

Fostering the mindset for agility and adaptability will be critical to the future of any transformative security program. Figuring out the right skillset balance without jeopardizing the daily activities or ballooning the security organization to an unreasonably large number is the hard work that accompanies that easy declaration. As I begin to put solutions for the adaptive mindset in place within my organization, I will share my approach and thoughts on this blog.  All comments and inputs are welcome :)

Sunday, June 9, 2013

Random Thoughts on the Recent NSA Scandal

Last week, the news broke that the National Security Agency (NSA) had been secretly collecting phone records of Verizon customers in the U.S.  Since the story broke the commentary from pundits, politicians, and the Great American Public alike has bordered on cacophonous.  

My thoughts on the scandal are wide ranging and somewhat disjointed, but they might bear some consideration. Here goes...
  1. We had to go overseas to find out what's happening at home.  It's somewhat disturbing to me that we needed to rely on a newspaper published in the UK to get information about actions occurring on our home soil.  Only after the story broke in The Guardian did US news media outlets grab the story and start spreading it like wildfire.
  2. Someone is leaking like a sieve.  The original newspaper article allegedly* contained excerpts from a classified PowerPoint presentation as well as the original court order from the Foreign Intelligence Surveillance (FISA) Court. The documents in question bear several classification markings, including the term NOFORN -- which means "not releasable to foreign nationals."  (*Personal note:  I use the term "allegedly" to describe the documents as I personally make it a point not to review classified information released inappropriately into the wild.  As a former holder of high government clearances I consider it a violation of my oath and commitment to protect such information.  You are welcome to check out the documents yourselves and form your own opinions.)
  3. Why are we so surprised?  Title II of the USA PATRIOT Act broadly amends the FISA act and gives tremendous latitude to the FISA Court in pursuit of combatting terrorism.  In the furor of FUD (fear, uncertainty, and doubt) that followed the 9/11 tragedy, we as a nation made the willing determination that sacrificing some of our freedoms to a governmental entity in the name of security was the appropriate thing to do;  now that we find out our government is actually utilizing the authority which we surrendered to them, we cloak ourselves in outrage and suspicion?   Admittedly, part of my incredulity here comes from some of the folks who are expressing their outrage to me. I remember having conversations about this topic in the early 2000's and the dangers of governmental excess in this space.  Many people said to me back then that they saw nothing wrong with the government having such broad sweeping powers as "only criminals and terrorists and people with something to hide" should be concerned.  Now those same individuals are the ones emailing me and calling me to express their outrage and ask for my advice re: if they should cancel their Verizon accounts.
  4. What are we going to do about it?  Righteous indignation, Facebook campaigns, Internet memes and (yes) blog posts feel good and give us a chance to express our concerns in a public forum...but if we are truly concerned about this situation we need to take more positive, impactful actions such as:
    • Supporting privacy advocacy groups
    • Writing your local congressperson to express your concern -- and asking them for their positions on such issues.
    • Voting for candidates that agree with your position on this issue
    • Educating yourselves on proposed laws and acts which may further limit your rights to privacy online and over the airwaves.  While stalled in the Senate, earlier this year the House of Representatives resurrected and passed the Cyber Intelligence Sharing and Protection Act (CISPA).  Most Americans remain unaware of CISPA, the broadness of its reach, or its continued one-sided approach to information sharing and protection.  The fact that CISPA passed one of the chambers of Congress yet the nation remains indignant at the current NSA scandal is yet another reflection of the importance of becoming (and remaining) an informed citizenry re: these issues.   
I don't want people reading this blog to be left with the impression that I am anti-government or anti-anything.  I love my country, and am extremely proud of my service to it and its people.  That being said, I also believe that security professionals must understand and respect the need for appropriate balance and controls to prevent excesses and abuse which would tarnish that which makes us the Greatest Nation in the world. President Obama was correct when he stated that security and privacy are concepts that require the sacrifice of each in order to respect the other. Mayhap it is time, though, to relook at that balance and ensure that we haven't allowed FUD to (continue to?) skew where we draw certain lines.

Friday, June 7, 2013

Full Extent of FIS Breach Comes to Light; Worse Than Reported

In a report released in late May to Fidelity National Information Services (FIS) customers, the FDIC disclosed that the FIS breach of 2011 was worse than originally reported. Among the items revealed, the report disclosed that
  • vulnerability scan reports from November 2012 still showed 18,747 network vulnerabilities and over 291 application vulnerabilities as past due.  
  • While financial losses were low, the attackers obtained technological information that could present a significant risk to other organizations and may be linked to recent pre-paid ATM cash-out frauds. 
  • “From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data,”
Since the breach, FIS invested $100M in improving security at the institution. Investigators probing the breach at FIS may have been denied key clues about the source of the intrusion because FIS incident response personnel wiped many of the compromised systems and put them back on the network before the machines could be properly examined.
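The 18,747 past-due network findings above, and the "patch vigorously and rapidly, including aggregate risk from low-level vulnerabilities" basic from the June 30 post, both come down to one unglamorous question: for every open finding, how far past its remediation deadline is it, and where do the small ones pile up? The following added example (not FIS's, the FDIC's, or the original post's code) answers that over a constructed scan export. The CSV layout, the `SLA_DAYS` policy values and the `low_cluster_threshold` are assumptions chosen for illustration; a real scanner export will have different columns, and a real policy will set its own deadlines.

```python
import csv
import io
from collections import Counter
from datetime import date

# Assumed remediation SLA in days from first detection, per severity.
# Illustrative policy values only, not FIS's or the FDIC's requirements.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 180}

# Constructed scan export (not real FIS data) in a simplified CSV shape:
# one row per open finding, keyed by host and scanner plugin id.
SAMPLE_SCAN = """host,plugin_id,severity,first_seen
db01,1001,critical,2012-10-01
db01,1002,low,2012-03-01
web01,1003,high,2012-09-15
web01,1004,low,2012-04-01
web01,1005,low,2012-04-02
web01,1006,medium,2012-11-01
app02,1007,low,2012-02-10
"""


def parse_scan(text: str) -> list:
    """Parse the CSV export into a list of finding dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "plugin_id": int(row["plugin_id"]),
            "severity": row["severity"].strip().lower(),
            "first_seen": date.fromisoformat(row["first_seen"].strip()),
        })
    return findings


def days_overdue(finding: dict, as_of: date) -> int:
    """Days past the SLA deadline; negative means still within SLA."""
    age = (as_of - finding["first_seen"]).days
    return age - SLA_DAYS[finding["severity"]]


def past_due(findings: list, as_of: date) -> list:
    """Findings that have exceeded their severity's SLA as of the given date."""
    return [f for f in findings if days_overdue(f, as_of) > 0]


def summarize(findings: list, as_of: date, low_cluster_threshold: int = 2) -> dict:
    """Past-due counts by severity, plus hosts where overdue lows cluster.

    The cluster view is the aggregate-risk check: individually minor
    findings that accumulate on one host are treated as a finding in
    their own right rather than being ignored one by one.
    """
    overdue = past_due(findings, as_of)
    by_severity = Counter(f["severity"] for f in overdue)
    lows_per_host = Counter(f["host"] for f in overdue if f["severity"] == "low")
    clusters = sorted(h for h, n in lows_per_host.items() if n >= low_cluster_threshold)
    return {
        "total_past_due": len(overdue),
        "by_severity": dict(by_severity),
        "low_clusters": clusters,
    }


if __name__ == "__main__":
    findings = parse_scan(SAMPLE_SCAN)
    report_date = date(2012, 11, 30)  # assumed scan date for the example
    for f in sorted(findings, key=lambda f: days_overdue(f, report_date), reverse=True):
        print(f"{f['host']:6s} {f['plugin_id']} {f['severity']:8s} "
              f"overdue by {days_overdue(f, report_date):4d} days")
    print(summarize(findings, report_date))
```

Run against a real export this is the number a regulator (or an incident responder) will ask for first, and it is the number that decides whether "we patch" is a policy or a practice.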

Of particular interest is the manner in which the FDIC released these findings.  The organization released its report directly to FIS customers with a cover letter that began with the message, “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.”

Brian Krebs provides a phenomenal overview of the report and the current situation at FIS.  You can read his blog entry here.  Meanwhile, I would expect other financial institutions to receive more questions about vulnerability management, patch management, and other basic security blocking-and-tackling practices.