I know a lot of people are thinking, “great I agree with you but how do I justify this to my management?” There are numerous ways to tackle this challenge; however, every technique centers around calculating risks. How you go about identifying, demonstrating, or socializing risks within your organization depends on the culture. You may need to demonstrate it through Penetration Testing, or you may need a cooperative and comprehensive review of your strategy with a Governance Assessment, or perhaps you need a traditional and rigid NIST or ISO-style Risk Assessment.

No matter how you approach this challenge, the results should provide you with the necessary information to do what is necessary for your organization, investing and focusing in the areas of greatest risk and surpassing your peers’ lackluster approach to securing their information. Here at BTB we work with you to understand the nuances of your organization and formulate an approach that meets those needs. In other words, one size does not fit all.

Share/Bookmark

We can talk about our services and tools, create fancy marketing material to catch your eye, but when it comes down to it….you are buying our mindset and experience. This is something that we stress to our customers, and an actual recommendation we give to all potential clients when they are shopping for a security assessor – challenge the people you’re entrusting to assess your security by making them think outside of the box on their feet. We’ve had customers throw riddles at us, create manufactured scenarios, and sometimes even talk only about strategy games like chess.

Here’s a secret, we love it….because this is where we shine. We’re not button pushers or widget manufacturers; we’re the people that spend more time worried about your security than you do. We know how to get in, what techniques your technology and people are susceptible to, and can also translate that into business terms.

Share/Bookmark

Hopefully you’re wondering where I’m going with this and are on the edge of your seat. It’s quite simple, define a solid information security standard that can be applied anywhere – maybe even use a good one that is out there … say, how about ISO 2700x? Next, define your Data Classification policy and associated control standards that dictate how to protect data at each level. Finally, implement those controls and you have the foundation to take on any data set by mapping that data set into one of your classification levels. Sure, there may be some minor variations that can be handled by moving the data to a higher classification level, updating your control standards, or making some special provisions. Though, I would argue that if it is built properly you won’t have to do that.

See how easy security can be when we take a step back and think rationally? It’s too bad that the people assembling these new standards and regulations didn’t do a little bit of research and creative thinking before wasting time reinventing that wheel that doesn’t perform any better.

Share/Bookmark

So, where does the problem lie? We can’t point the finger at a single group here – there are guilty parties throughout the entire ecosystem -

• from the PCI Security Standards Council who is unable to truly monitor (or dare I say, audit) all of the assessment companies;
• to the assessment companies who are competing for business, putting under-qualified assessors on projects, and want to please their client since they’re paying the bill;
• to processors/merchants who want a checkbox that says they’re compliant;
• and finally, to at least one card brand that is deeply entrenched with an assessment company who manages their paperwork and is recommended as if they are the only option (can you say “conflict of interest?”)

By the way, this problem isn’t isolated to PCI – we could almost directly substitute GLBA, SOX, HIPAA, HITECH, and any other regulatory/standard acronym in here.

Now getting back to the title of this post – here at BTB we hold our value system in high regard and know that it is in everyone’s best interest that we tell our clients what they need to hear, even if it isn’t what they want to hear. The PCI DSS is a decent baseline for information security controls when followed properly and with an open mind – there is certainly more that organizations can and should do as their information security programs mature. Make sure you’re choosing a vendor that understands this and will work in your best interest from a financial and leading practice approach.

Some related reading – enjoy!

• Over-regulated America

Share/Bookmark

Case-in-point is the recent Microsoft Windows Remote Desktop Protocol (RDP) vulnerability described in the MS12-020  security bulletin. I was having a meeting with a client after their assessment was completed. Our client had RDP open via the Internet, and while we advised against doing so, the risk was classified as medium. The report was issued before the MS12-020 vulnerability was announced. Because of the new vulnerability, we advised the client about an increase in risk because of the new vulnerability and to patch. We also reiterated our recommendation to move this service inside the firewall.

Share/Bookmark

But enough of this. This post is about the consumers protecting themselves. As I mentioned about companies above, there is no 100% sure fire way. If you shop online, your information is at risk. The goal here is to identify practices that REDUCE that risk. First and foremost is to look for an encrypted connection. This is pretty basic, and something most people do, but a pop-up saying that a security certificate cannot be validated or is out of date should be a big red flag. This can happen for various reasons. One of which is that you typed the website URL in wrong. Criminals sometimes register common typos for companies and set up shop there. They hope you ignore the certificate warning and create a logon, or enter your credit card information. If a warning pops up, step back and ask yourself why it is occurring. Check the URL, and if you typed it in correctly you may want to step away from that site. There could be an attack in progress.

Passwords are also a big issue. People put WAY too much trust into how companies protect their information. It is bad practice to reuse the same password across sites, but even more so those with whom you conduct financial transactions. Any time you use a credit card, or it is a financial site (stock / investments, bank, etc) use a different password. There are tools like KeePass, Password Keeper and password tools for iPhone and Android that help you manage your passwords in a secure manner.

One thing I do after signing up for a site is to use the “forgot password” function of their site. Click the link and follow the instructions. What happens when you initiated that process? If the site emails you your current password, you know that they aren’t properly encrypting your password. They either store it in the database in clear-text without using any encryption, or store it with reversible encryption. If the company can read it, so can a site attacker. If the company sends a reset link, this is better. They could still be using poor password storage practices, but it is a better gauge of the company’s awareness.

Lastly consider how purchases are processed with the site. Does the site give you an option to save the credit card information? What is the cost of convenience for you? I recommend not storing the information. It’s a minor inconvenience to type it in again the next time you make a purchase, but at least you have some control over the storage of your credit card information. You should also consider using a card dedicated to online purchasing, ideally with a small limit, or use virtual credit card numbers.

Just remember these tips, and use some common sense when shopping!

Share/Bookmark

Nearly a month apart, I found snippets of two profiles that I found very compelling and relevant to how we view security and BTB. One section, entitled “Decision I wish I could do over” on the profile of Steve Haindl, Sr. VP and CIO, Automotive Resources International caught my attention in February. It reads:

Early in my career, I didn’t recognize the plus side of failure. If I made a mistake, I’d either ignore it or, even worse, hide it. Now I stress the importance of learning from mistakes. On a weekly basis, my teams holds an incident and problem management team meeting to identify areas where we can improve.

Our services are all focused on finding the “mistakes” and identifying areas to improve. We point out the technical vulnerabilities, misconfigurations, process breakdowns, and organizational short-comings that put companies at risk. While we are very passionate about what we do, we are equally as compassionate when it comes to delivering the “mistakes”. We don’t just slap together fixes for vulnerabilities but are experienced in giving direction to provide realistic solutions to those mistakes, and helping people move on from them. BTB Security may not always tell you what you want to hear, but we will tell you what you need to hear.

The other snippet was on the section entitled “Business-related pet peeve” on the profile of Tim Theriault, Senior VP and CIO of Walgreens. It reads:

Arrogance by senior leaders, because everyone’s success is built with the help of others.

One of the reasons that we built BTB Security is because no matter how small or large the organization, we truly can help. Every company would like to believe that they can completely service themselves in many respects, but nobody can afford to do everything. Our expertise is very specifically focused in information security and digital forensics, and our goal is to ensure 100% satisfaction and to help your company succeed in meeting it’s goals.

I could go on and on about our core values and why we built BTB Security, but to summarize, it is nice to see CIOs featured that share the same values, and solidify our reasoning for sticking to ours through our years of existence.

Share/Bookmark

All too often I find that organizations are simply focused on the wrong things with respect the exalted CIA Triad (confidentiality, integrity, and availability). One area gets more attention than others, and then within that area some single pain point gets zeroed in on with laser focus. Take, for example, an organization that I worked with recently that had implemented a power system with uninterruptible power supplies and multiple generators. I commend them for this effort and noted it as a really strong control. As I continued on in my discovery I was shocked to find out that the organization’s data backup capabilities were nearly non-existent. They could avoid any power interruption for weeks, but a single drive failure could render a business process unrecoverable; or, even worse, a location-based interruption could put them out of business, or at least offline for an extended timeframe.

The point I’m trying to make is that we, as humans, tend to want to oil the squeaky wheel and move on – it feels good to solve a problem; but, does the wheel need a self-oiler that is maintained daily by an oil supply company (i.e., overkill)? Meanwhile, we may be overlooking the fact that the wheel is no longer round or the rest of the cart is nearly rusted away. Why not take a step back and look at the big picture? Why not take a risk-based approach to making those decisions and help ensure time, energy, and budget are spent in the right areas? By identifying threats, their likelihood of occurrence and their impact (financial, reputational, or otherwise), we can quickly prioritize our efforts into the right places and be sure not to neglect areas that need our attention. Let’s try not to lose traction on those strategic objectives the next time something new crops up – determine how to deal with the problem at hand and then prioritize further efforts on it into your list.

Share/Bookmark

The long and short of it is that ISPs will implement a graduated set of responses based on reports of subscriber activity that may be infringing on copyrighted material. These graduated responses include a slap on the wrist for the first offense and culminate in account termination.

As illustrated in the EFF article, one of the biggest issues with these policies is that it shifts the burden of proof from the accuser to the accused. An accusation of piracy is all that is needed to launch the ISP response where the accused is then given ten days to defend themselves. Furthermore, that “defense” comes in the form of six canned responses that the accused can choose from…hardly a defense at all. How that defense is weighed against the accusation is anyone’s guess at this point since it’s entirely up to the ISP. 

Why bother involving the government and legislation (SOPA) to target individuals when you can simply partner with another big corporation to enforce your own private form of justice. This “guilty until proven innocent” approach is unacceptable in my opinion and threatens an individual’s right to access the Internet, something that many believe, including the United Nations, to be a basic human right.

If this is something that bothers you, I’d encourage you to write to your ISP and let them know how you feel on the subject. Right now, the major ISPs, AT&T, Verizon, Comcast, Cablevision, and Time Warner Cable are all on board with these policies.

Share/Bookmark

Anyway, he unleashed hellish fury about Google, calling them a “piracy leader”
saying that they are “plain stealing”. Now let me back up a bit. He did also say
some nice things about Google and what they do, but overall, he was blasting
them for not doing enough to block piracy sites from its search results. I’m
wondering if he took the time (or one of his staff took the time) to understand
what Google does to make a profit, and what their efforts entail in taking down
search results that lead to piracy sites? My guess is that he did not, just as
large masses have not, and don’t really understand how to deal with the larger
problem at hand. Or, maybe it’s just because he owns News Corp., which owns 20th
Century Fox and many other media outlets….that he’s just blindly lashing out
at Google because it could be a quick fix. Whichever.

I know there has been tons of effort in trying to devise technical means of
protecting copyrighted material, countless hours spent hunting down infringing
sites or distributors, and enormous efforts in lobbying, drafting and debating
legislation. But, where has it left us? I’d contend that we are very slightly
better off in terms of technical protections, but we’re treading in dangerous
waters putting our eggs in the legislation basket. The movie and music
industries lose money, how much is determined by counterfactual assumptions, but
they are being ripped off. Instead of pushing harder on legislation that would
have teeth that would bite in the wrong direction (censorship), we should be
pushing harder and harder to solve the problem by innovating how
distribution is done. The industries contend that up to $250 Billion, and
750,000 jobs are lost due to piracy. So, let’s flip the table….spend 30% of
what your contended losses would be ($75 Billion) and hire 30% of what you
say we’re losing in jobs (225,000). I’m sure the means to distribute copyright
protected data could be figured out with a budget about 4 times as much as NASA
in 2011, and an employee count to rival it!

The truth is, the losses are over-inflated, probably more like $58 Billion
according to the Institute for Policy Innovation, but still, a larger
reinvestment should be made in innovating their distribution, partnerships and
ease of consumption, instead of pushing half-baked legislation or technical
controls.

Share/Bookmark