Archive for category Information Risk Management
Do 1st graders have all the answers? Convenience and risk considered.
Posted by Brian in Information Risk Management, Minds4IT, Mobile, Security on August 15, 2011
It wasn’t too long ago that installing an application took an IT professional. Now it’s so easy a first grader can do it. If you have an Android, iPhone, or Windows Phone 7, your first grader can search for an application in the marketplace or app store and install it. Not only is it easy, it is also convenient. I know I’m not the first person to notice that convenience is a phenomenal sales tool. The more convenient something is, the easier it is to make the sale. All companies are driven by revenue, not security. Vendors that offer a device you carry in your pocket have the ultimate convenience. On the flip side, SAP installs have been known to take years and require hundreds of IT people. This is the old model. The new model is a cloud solution with a web-based interface that requires no install, or a mobile app/web install. Floppy disks were replaced by CDs/DVDs, and CDs/DVDs have been replaced by a connection to the internet.
The unfortunate truth about not requiring a disk (yes, I’m showing my age) to install software is that it has possibly become too convenient. OK, there’s no such thing as too convenient, but it helps me emphasize my point. One of the controls IT-savvy people have taught for years is to be careful what software you install. This helps prevent malware from making it onto your computer, and it is augmented by access control settings within the operating system that prompt before allowing installation. Primary examples are Windows 7 User Account Control (UAC) and OS X/Linux “sudo”. There are some differences between mobile devices and desktops and laptops. These differences primarily include the availability of location-based information and the additional access layers the platform vendors add to isolate applications from the hardware.
The extreme convenience of application installation occurring under app store models is blurring the risk and leading to a change in the security model. Mobile device manufacturers are not providing root access by default, whereas desktop operating system vendors traditionally provide administrative access out of the box. Since people are tech savvy and they are used to having admin access on their laptops, they are requesting and even expecting to have it on their mobile devices. This is part of why the jailbreak and root/rom websites/blogs are proliferating. The mobile device vendors have the right idea in not granting root access to the user. It makes it much harder for malicious programs to infiltrate the device.
The question has always been one of trust. Who do you trust? The phone manufacturer or your operating system vendor? Do you trust the marketplace/app store owner? The application author? Device users may need to change their behavior to ensure they read the notifications regarding what information/hardware they are permitting the operating system, marketplace, or application to have access to.
I think we can agree the days of long setup and install times are gone. This is a great thing! Self-service and instant software acquisition are here to stay. However, the ability for users to install apps immediately using an app store is making IT departments across the globe look like they are not agile enough to meet their business’s needs. The ability for the business to execute an instant install is simultaneously increasing the risk tremendously.
To link back to the opening thoughts of this blog article… Do IT departments need to compete with 1st graders? If IT departments can’t create convenient secure installation scenarios to make tools available to business partners, then the business partners will go directly to cloud or mobile vendors. This is an opportunity. We as practitioners need to collaborate with our business partners, vendors and solution providers to create an educational feedback loop which allows the users to knowingly manage their trust relationships and security.
Opportunities
Posted by Brian in Information Risk Management, Minds4IT, Mobile on June 16, 2011
You have heard it before… “It’s not a challenge it’s an opportunity!”
What exactly does that mean?
How can this huge hurdle someone has placed in front of you be an opportunity? It’s going to be difficult, it’s going to cause change, it’s going to take a lot of time which I do not have! Time is a function of priorities. That is a discussion for another time. However, what I am going to focus on is the mobile device challenge… err opportunity. Mobile devices are part of most IT discussions, strategies, roadmaps, and challenges right now. I promise you, this is an opportunity.
If the business and/or executive management want iPads, it’s the perfect time to ask for additional funding or additional people. Dealing with Android phones is going to require changing how smartphones are managed, which means it’s an opportunity to request an opening of the purse strings. Your business is requesting new functionality from you. Are they willing to pay for this new functionality?
Are you the partner the business is reaching out to help solve their technology challenges? Should you be? That’s how “opportunities” happen. Your company needs you to help them enable their associates by securely implementing tablets. They do not know if the solution integrates easily or if it is running Windows, and the technology probably is not one you are comfortable with and know well. Use this as an “opportunity” to explain these things to management and negotiate what you would need (people, money, equipment?) to meet the organization’s requirements and help them meet their goals.
Now, that’s an opportunity!
Embrace the technology, assist the business partner with defining their requirements, document the risks using good Information Risk Management, and then drive results!
This is why successful IT folks look at challenges as opportunities.
Figure Eight Feedback Loop
Posted by Brian in Information Risk Management, Minds4IT, Security on May 31, 2011
Two problems for detective and corrective security controls are education and false positives. Education refers to providing the appropriate knowledge required by users of the system or data being secured. Simply stated, the people using the system or data need to know how to manage the security control, both to enable secure use and to minimize the inconvenience of the control. False positives are the act of identifying risk(s) when no risk is present: for example, identifying a legitimate Windows system file as a virus and quarantining it, or incorrectly identifying a phone number as a Social Security number. Both start with three digits (XXX), end in four digits (XXXX), and are separated by dashes.
One method of managing both of these security problems which is enabled by the IT savvy mind is what I call a Figure Eight Feedback Loop. The figure eight is created by two feedback loops next to each other which feed information to each other.
- Loop 1
  - Action is triggered by automated identification of a risk. Event recorded.
  - System/data user is prompted, including specifics about what automated trigger occurred (Education).
  - User is allowed to make a decision.
  - Decision is recorded.
- Loop 2
  - Automated identification and decision records from loop 1 are utilized.
  - Review of identification and decision information by security resources.
  - Automated identification triggers are revised to reduce false positives.
  - New automation triggers included in loop 1.
Let’s look at a more concrete example to get a better grasp. As many of you know, it’s a Payment Card Industry (PCI) violation to send credit card information via unencrypted e-mail. This creates a problem if a customer sends their credit card number (CC#) in an e-mail to their financial institution. The customer service representative needs to be knowledgeable of the regulation and ensure they remove the CC# in the event they reply to the customer. To assist in resolving this problem, the financial company can institute e-mail data loss prevention tools.
- Loop 1 – Host Data Loss Prevention (DLP) software on the company computer scans e-mail for violations of information security policies
  - E-mail DLP tool scans e-mail for credit card numbers when the user hits the Send button.
  - If a CC# is found, prompt the user: “It looks like there is a credit card number (CC#) contained within this e-mail. It is against Payment Card Industry (PCI) – data security standards (DSS) to send CC# data via unencrypted communication. Please review the e-mail and make sure CC# is not present (No CC# present button) or hit (Cancel Sending) if you find CC# data. Thank you.”
  - Decision by user after review of e-mail.
  - Record of the possible event is recorded in the system for review by security resources.
- Loop 2 – Insider threat team reviews Host DLP log files to improve the patterns used to identify credit card numbers
  - Security team selects either samples or reviews all transactions, as appropriate, to identify when associates continued to send CC#s (policy violation) and when the system falsely identified a number as a credit card number.
  - If policy violation, then the associate and the associate’s manager are involved to understand the risk to the company, and possibly a warning or termination if the severity of the violation warrants it.
  - If false positive, the patterns used in identifying credit card numbers are refined to manage the situation.
  - New automation is loaded into loop 1.
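The DLP scenario above, written out as an added example in Python (this is not code from the original post or from any DLP product). It assumes a host DLP hook that runs when the user hits Send, a prompt that returns which button the user pressed, and that the insider threat team’s review verdicts arrive as a simple dictionary; the sample e-mails, the order reference number and the reviewer labels are all constructed. The loop 2 refinement used here is the Luhn mod-10 check that every real card number passes, which is one way to “refine the patterns”; the post does not say which refinement the team picks, so treat that choice as an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample messages standing in for the customer-service mailbox.
# m1 carries a card number (4111 1111 1111 1111 is a standard test PAN),
# m2 carries a 16-digit order reference that only looks like a card number,
# m3 carries a phone number, which is too short to trip the card trigger.
SAMPLE_MAIL = {
    "m1": "Hi, please charge my card 4111 1111 1111 1111 for the balance due.",
    "m2": "Your order reference is 1234567890123456, it ships Friday.",
    "m3": "Call me back at 555-123-4567 if anything is unclear.",
}

# Loop 1, first-generation trigger: 13 to 16 digits, spaces or dashes allowed between them.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Event:
    """One record written by loop 1 and later annotated by loop 2."""
    message_id: str
    matched_text: str
    generation: int             # which version of the trigger fired
    user_decision: str          # "no_cc_present" or "cancel_sending"
    reviewer_verdict: str = ""  # loop 2 fills in "true_positive" or "false_positive"


class HostDlp:
    """Loop 1: scan on Send, prompt the user, record the decision (hypothetical hook)."""

    def __init__(self):
        self.generation = 1
        self.require_luhn = False   # refinement that loop 2 may switch on
        self.events = []            # list of Event

    def scan(self, body: str) -> list:
        hits = []
        for m in CANDIDATE_RE.finditer(body):
            digits = re.sub(r"[ -]", "", m.group())
            if self.require_luhn and not luhn_ok(digits):
                continue            # generation 2: number-shaped, but not a card
            hits.append(m.group())
        return hits

    def on_send(self, message_id: str, body: str, prompt) -> str:
        hits = self.scan(body)
        if not hits:
            return "sent"
        decision = prompt(hits)     # stands in for the dialog; returns the button pressed
        for h in hits:
            self.events.append(Event(message_id, h, self.generation, decision))
        return "sent" if decision == "no_cc_present" else "cancelled"


def loop2_review(dlp: HostDlp, verdicts: dict) -> int:
    """Loop 2: the security team labels each recorded event; if any were false
    positives, tighten the trigger and roll a new generation into loop 1."""
    false_positives = 0
    for ev in dlp.events:
        if ev.generation != dlp.generation or ev.reviewer_verdict:
            continue                # already reviewed, or fired by an older trigger
        ev.reviewer_verdict = verdicts.get(ev.message_id, "")
        if ev.reviewer_verdict == "false_positive":
            false_positives += 1
    if false_positives:
        dlp.require_luhn = True     # the refined pattern (assumed refinement)
        dlp.generation += 1
    return false_positives


def run_figure_eight() -> dict:
    """Drive one trip around the figure eight and report what changed."""
    dlp = HostDlp()
    cancel = lambda hits: "cancel_sending"    # the rep finds a real card number
    keep = lambda hits: "no_cc_present"       # the rep sees it is not a card number
    gen1 = {mid: dlp.on_send(mid, body, cancel if mid == "m1" else keep)
            for mid, body in SAMPLE_MAIL.items()}
    # Constructed reviewer labels: the team confirms m1 was a card and m2 was not.
    fps = loop2_review(dlp, {"m1": "true_positive", "m2": "false_positive"})
    gen2_hits = {mid: dlp.scan(body) for mid, body in SAMPLE_MAIL.items()}
    return {"gen1": gen1, "false_positives": fps,
            "generation": dlp.generation, "gen2_hits": gen2_hits}


if __name__ == "__main__":
    print(run_figure_eight())
```

Running it shows the loop doing its job: in generation 1 both the real card and the order reference prompt the user, the user’s “No CC# present” click on the order reference is recorded, the review marks it a false positive, and in generation 2 the refined trigger still catches the card number but no longer prompts on the reference number. The same mechanism applies to the phone-number-versus-SSN case in the opening paragraph: the recorded decisions are what tell the security team which pattern to tighten.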
Hopefully, that example provides enough meat for us to discuss the benefits I laid out in the beginning.
- Education – The users of the system are informed what they did, why it was wrong, and how to correct it, before a violation of policy occurred. This proactive involvement in security decision making builds a positive image of security, educates the users of the system, and provides a foundation for other risk decisions.
- False positives – By educating and then utilizing the intimate knowledge of the user to determine if there is risk or not, the security resource has a much better understanding of the false positive. This enables a collection of false positives to be created and analyzed to come up with new automation methods. The control itself evolves and gets better over time.
This technique can be used for any detective or corrective control. You’ve probably already seen it and/or used it, but didn’t have a name for it. Another simple example is password requirements. Most password change processes now refuse to accept characters which are forbidden by the federated systems being managed. The user is told to try again and presented a list of the characters they must use and the characters they are forbidden to use. This is the end state of many years of figure eight feedback loops. As new creative controls are engineered, these concepts need to be applied to best serve both the needs of the business partner and the Information Risk Management requirements of the security/risk organization.
Information Risk Management and Opportunities
Posted by Kelvin in Information Risk Management, Minds4IT on May 5, 2011
Within our earlier posts we have discussed how we need to focus on information security from the information risk management approach; but, now you are probably wondering how can Information Risk Management (IRM) work with my job requirements to ensure the organization’s security of information is appropriate and complete. An Information Risk Management approach gives you a strong foundation to build upon.
Maybe you are an organization that is dealing with a risk which potentially could cause the organization irreparable harm or even organizational failure. Maybe your organization has to comply with a variety of regulations from SOX to PCI DSS v2 and you are worried about the ever increasing costs of completing all of the audits. This is where Information Risk Management can not only increase the value of information security but also assist the organization in reducing the cost impact of meeting these regulations.
Let’s use the current discussion regarding mobile systems’ tracking of location information as one which could potentially cause irreparable harm to the organization. Through IRM we can determine the level of concern we have with respect to the real issue at play within our overall information security control structure. In effect we are using an information focused approach to determine where the organization needs to focus our controls and testing efforts. If we deem the mobile data a critical component of the business processes then we can implement appropriate security over our systems based on the information criticality. Our risk analysis should be ready to define the impact, the potential control failure/requirements and then finally the level of controls which should be implemented as an organization.
During the controls review there are several areas of concern which may be critical to demonstrating effective controls. Some control dynamics that come to mind are the concept of corporate liable vs. individual liable ownership of the services and the hardware. Have you looked at the solution from the perspective of hardware independence? Have you investigated the solution from the perspective of software independence, ownership of the device, and what level of controls would be required for each of the possible approaches to reducing the potential risks? This is where the information security, internal auditing and business teams can integrate to provide real consulting approaches to reduce the risk impacts.
Does this risk management and the resulting development of appropriate controls process state that an organization should not allow these devices within their organization – no; but what it does provide is a foundation on which a management decision can be made with respect to the level of appropriate or inappropriate use of the technology within the enterprise.
Information Risk Management (IRM) can be the foundation not only for point in time management decisions; it can also be used to assist in determining what overall information controls are required to meet global control standards such as PCI, Sarbanes-Oxley, ITIL, SSAE 16, etc. Many of these standards, while specific in their own right, are also based on or derived from similar standards, and through using the Risk Identification and Analysis approach, management can define what controls are important to the various standards and, further, the level of importance of each of the controls. Using a control centered on the requirement to complete a Business Impact Analysis (BIA) and then the related Business Continuity Plan (BCP), we can see certain standards dictate this as a critical requirement, as it drives the ability of the organization to meet customer requirements and recover their systems within an effective timeframe. Other standards may look at the ability of the organization as a whole to recover and be a functioning entity in the event there is a situation requiring the enacting of the BCP. Here again we are using IRM to build the foundation necessary to allow a management decision around the level of control focus and the impact of the control with respect to the intent of the standard(s) the organization is measuring against.
Note that the ultimate goal of both scenarios discussed above is the development of support for a management decision and not an information security decision. In effect we are using Risk Management to drive our information security control solutions and through using a risk based approach we have minimized management’s typical negative approach toward Information Security. In effect we are providing a consultative approach to focus management support for the application of information security controls from the beginning of the solution to the end of the solution.
I am certain many information security experts might look at these scenarios and say the issues are not decisions of management but decisions which typically fall strictly under the purview of the information security umbrella, and that the organization must follow their guidance. Taking the information security only approach is a very short sighted approach, and it further provides additional justification for the development of a role focused upon Information Risk Management – the Chief Information Risk Officer (CIRO).
Finally, mainstream America knows about root access!
Posted by Brian in Information Risk Management, Mobile, Security on April 26, 2011
Ask the majority of the people you meet if they know what a Jailbroken iPhone is? Or a rooted Android phone? Most people have heard of these things and even the youngest users can complete the process. A good portion can also discuss the benefits of doing this to their devices. They can take a Jailbroken phone onto any network. (Technology supported that is. GSM or CDMA dependent on the phone) They can download any applications they want to their rooted phone. Isn’t life grand!
It scares the bejeezus out of me to think that providing root access to any computer has become mainstream. Yet, this is exactly what we’re talking about. They may have given it a cute name like JailBreak, but it’s still just root access. It’s up to us as security professionals to ensure our friends, associates, and the public at large understand the negatives and consequences of this dangerous technology. There are controls built in to the Android, Windows Phone, and iPhone application stores. These controls are not present if they download an application via the web. Just like the early days of PCs, the technologists understood the ramifications of no change control (application conflict) or unknown security of applications (viruses). However, the public didn’t understand these things. Until… viruses impacted their world! Today everyone knows to run anti-virus software. They know they need a firewall. They know not to leave their wireless router open.
This is due to the diligence of professionals like you. It’s time for all of us to start educating on mobile security. Talk to your friends about how rooting their Android device or jailbreaking their iPhone causes them risk. Recently there has been a lot of discussion around the GPS location data the iPhone is storing. Android is storing similar data, although it is not replicating it to your computer, and it asks your permission to store it and transmit it back to Google. What they don’t make clear is that if someone has rooted their phone, that data is accessible by any application.
You can tell from the title of this article that I am both excited and scared. It thrills me, and it speaks volumes about how technology centric the world has become, that these concepts are in the Wall Street Journal and are known by the layman. It also ups the ante for IT folks. We have to continually educate people on the other edge of this sword. The good news is, they speak our language. The public consciousness is ready to talk about it. So get it out in the open.
Another topic you may want to talk about is a setting in Android which allows installation of apps from unknown sources. The real kicker here is that Amazon’s new app store instructs users to turn this on. Turning this on allows Amazon to load applications onto an Android device. Unfortunately, it also removes any security features Google built in to their app load process. Granted, I trust Amazon to both review their apps and remove apps which are identified as malicious or behaving outside their stated use. The problem is that, as a universal setting, it doesn’t allow you to maintain which app stores are good and which are bad. Do I sense a reputation based product opportunity here? A product similar to SiteAdvisor for websites, but designed around app store reputation?
THE CIRO ROLE
Posted by Kelvin in Information Risk Management on April 21, 2011
When we last spoke we were focused on Information Risk Management, and I suggested that today’s Information Security professionals needed to change from a purely technical focus and become more focused on the real concern area of information and the management of the risks surrounding the business side of this issue. As I pondered my next posting, my mind went in a million different paths – I thought about how information security had to think about the growing trend of personally liable vs. corporate liable hardware solutions, the challenges of focusing the information security expertise on the business segments, how and what we are doing as information security resources, and the impact of multiple dynamic client interface platforms and the need to have secure methods related to the client interfaces, etc. As I continued to think about where my next post would be headed, I stepped back and refocused my thoughts on a discussion around “Information Risk Management”.
In my earlier posting I suggested that “Information Risk Management” (IRM) should be more of the driver for information security decisions. When you read this opinion, did you think, “OK, cool, finally somebody gets it and realizes that information security needs to be focused on the business risks and the customers”? Or did you think, “Sure, information security should be focused on the technical solutions, and the business users will just have to convert to security’s requirements, period, or the solution will not be implemented”? Or did it appear that the best solution is information security with a mix of these concepts, which are impacted by the Consumerization of IT (COIT) and the Consumerization of Information Management (COIM)?
While I mention it above, I am focused on the integrated concepts of Information Risk Management and how COIT and COIM impact information security with respect to those concepts. How has the COIT model impacted the security of the information retained on our expansively inter-connected network systems, and what kinds of RISKS do today’s CISOs have to focus upon? Is it the traditional internal & external access points? Or is this focus becoming more of an issue where the entire enterprise, from the secure client interface to the internal employee interfaces, must be focused upon?
Let’s use one area where this impact is probably most felt – today’s banking environments. Today’s banking CISO must keep their eyes on a wide variety of opportunities to integrate with the business and, further, to enable the business team to be agile yet continue to implement effective security systems and controls. What bank today is not feeling the impact of the desire to provide more and more online services to their customer base on a variety of platforms, from mobile to desktops? Yet, at the same time, the regulators continue to increase the pressure to ensure all areas are addressed within the institution, effectively indicating that the bank is responsible for providing the customer the security needed to protect themselves from what they do not know or regard as a potential risk. How can banks and financial organizations accomplish these goals, yet retain the customer centric focus of the organization?
A key concept in the IRM model has been to identify the level of risk to the organization and then also to the customer. Through using this approach the CISO can better define the level of resources required to accomplish the specific goals, and the use of an Information Risk Management plan can assist the organization in developing business strategies, application strategies, and customer retention and marketing strategies. If we further review this concept we begin to see the impact of the Consumerization of Information Technology (COIT) – today the consumer is driving the focus to ensure that the data retained by various business entities is appropriately secured. Yet the consumer continues to obtain various mediums and platforms and continues to expect the vendor will provide secure access to their data.
While the COIT impact is being felt from a customer perspective with this example, it can also be seen from the perspective of the consumer who is accepting of the processes implemented by the vendor, in this case the bank, to protect their data. Previously, when information security went to the business unit to suggest the addition of a password or some other control to the customer interface, the response was always that the customer will never accept this, and what can be done to simplify or eliminate this requirement. While there is still some push back, it is much more muted, as the business unit has a better understanding of the situation and, through their interactions with other security requirements, the customers are more accepting of controls designed to minimize the risk of information loss.
Are we like the coach who has won many titles, with the prospect of retirement, whose approach is no longer winning the championships? Or are our information risk strategies more like the coach who is at the top of his game and realizes that, in order to keep winning those championships, there is a need to hire three new young gun offensive minds to run this new offense? My perspective of “Consumerization of Information Management” (COIM) is that we should begin to focus our efforts on the secure management of the information today, along with focusing on the new offensive strategies which will be driving our future challenges. As such, I would propose we refocus the Information Security team on the term Information Risk Management (IRM), and the Chief Information Security Officer (CISO) should become the Chief Information Risk Officer (CIRO)!
I look forward to the next post!
Technology and Management of Risk
Posted by Kelvin in Information Risk Management, Minds4IT on April 12, 2011
Today’s world is full of risks, and we all recognize that management of risks is a key component of everyday life. But in my experience I have found many of us in the technology field who do things just because someone has told them they should do it. Let’s take an example – how many of us in technology have applied an application patch because the vendor stated we should do it? Now many of you reading this article are probably saying, of course I am applying the patch – the vendor says I should apply the patch.
So in thinking about your response, I would suggest to those of you who have this approach to step back and think about the situation from another perspective.
Let’s review the situation a little more in depth. The application to which you have applied the patch is a critical enterprise application which is critical to the organization’s daily business. Because the “vendor” says you should apply the patch, you have applied the patch to the organization’s production environment per the vendor’s recommendation, without testing the patch in the test environment. And of course the patch has “broken” something else within the application which is critical to the use of the application.
How many of us have done just this? You can count me in your answer – I have done this, and now I know it is not the best approach.
Why did I paint this picture? I painted this picture to get us all into the same frame of mind and to get each of you to think about this situation from the following perspective:
“What really is Information Risk Management and why we in technology need to continue to expand our approach and thoughts with respect to Information Risk Management.”
Many in the technology industry say the continual evolution of technology is creating a society in which everyone has a technological perspective from birth and will just understand the risks associated with technology and, further, with our online society. I would counter that perspective by pointing out that as technology continues its evolution, we as IT security experts should be ever more focused on the information risk management side of the coin and limit our focus on the technology side of the coin. Information risk management should be the foundation of all of our information security efforts. I purport that information risk management is the driver of all of our ultimate decisions.
Think about the scenario above and apply the foundation of information risk management – how would your approach change using information risk management to look at this scenario?
What’s your next move?
I look forward to our next discussion!
