<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoReck</title>
	<atom:link href="http://www.robbreck.net/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.robbreck.net/blog</link>
	<description>Enterprise InfoSec Blog from Robb Reck</description>
	<lastBuildDate>Fri, 17 Feb 2012 22:36:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Security impact of putting it in the cloud</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/security-impact-of-putting-it-in-the-cloud/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/security-impact-of-putting-it-in-the-cloud/#comments</comments>
		<pubDate>Fri, 17 Feb 2012 22:36:36 +0000</pubDate>
		<dc:creator>Robb Reck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[outsource]]></category>
		<category><![CDATA[vendor management]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=415</guid>
		<description><![CDATA[Security impact of putting it in the cloud It seems you can’t make it through any IT related article or meeting these days without a discussion of “the cloud.” Every CEO wants to know how the cloud can improve innovation and productivity, and every CFO wants to know when we’re going to move to the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Security impact of putting it in the cloud</strong></p>
<p>It seems you can’t make it through any IT-related article or meeting these days without a discussion of “the cloud.” Every CEO wants to know how the cloud can improve innovation and productivity, and every CFO wants to know when we’re going to move to the cloud to dramatically cut the costs of doing business. Most CISOs are just scared to think about all that data sitting outside our firewalls.</p>
<p>In the security arena our job is to help identify and quantify the risks associated with such a move. The risks of an internally hosted application are well understood, and most organizations have an established procedure to handle them. Information security controls such as firewalls, intrusion prevention systems (IPS), data loss prevention (DLP), anti-virus, and vulnerability management programs are implemented to protect the organization and keep risk exposure at a known level. A centralized authentication system (such as LDAP or Active Directory) is used to ensure users have access only to those systems to which they are authorized.</p>
<p>In an outsourced environment, the corporation loses control over the implementation of security controls. The outsourced vendor provides the security controls they deem appropriate, according to their own risk tolerance. Depending on the industry, this may or may not meet the needs of your organization.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>Information security must not be the roadblock that prevents cloud adoption<br />
</strong></span></h3>
</blockquote>
<p>While the scope of the security implications changes based on the particular project, below is a list of questions to help you start evaluating the risk involved with moving your data outside the organization’s boundaries.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><em>What kind of data will your vendor be hosting?</em></span></p>
<p style="padding-left: 30px;">Look very closely at any associated regulation. HIPAA, PCI, GLBA and Safe Harbor can all be concerns for the data your vendor will store. Ensure not only that the vendor’s security is adequate, but that they can prove it to your regulators.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><em>Who will have access to the data at the vendor’s facility? Are they renting space from a data center company? </em></span></p>
<p style="padding-left: 30px;">If so, that organization’s employees may have access to your data as well, requiring yet another level of due diligence.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><em>How are your employees going to connect to the outsourced system? </em></span></p>
<p style="padding-left: 30px;">Leased-line VPN? VPN over the internet? Will the system be sitting on the public net? Each of these connection strategies has its own risks.</p>
<p style="padding-left: 30px;">If a leased line is used for VPN connectivity, care must be taken to understand the reliance on the ISP to provide access. If the circuit fails, access to the outsourced system will be unavailable and at the mercy of the ISP’s service department.</p>
<p style="padding-left: 30px;">If a site-to-site VPN is utilized, care will need to be taken to ensure that the scope of access granted to the vendor is understood and accepted. Opening a VPN tunnel allows for the possibility of data and malware moving between the organizations. Restrict the access to the smallest scope possible.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><em>Is the system created with appropriate application security in place? Are proper steps taken to reduce the risk of issues like cross-site scripting, SQL injection, and cross-site request forgery? </em></span></p>
<p style="padding-left: 30px;">These issues are especially critical if the application will be available over the internet. Factor in the cost of running (or contracting with a third party to run) penetration tests against the vendor’s environment if necessary.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><em>How are user accounts created and disabled? </em></span></p>
<p style="padding-left: 30px;">If the organization’s central authentication system is not used, how can you ensure that users are not able to access the data once they have been terminated? Many outsourced systems will contain data that would be damaging in the hands of a recently terminated employee.</p>
<p>The cloud offers tangible boosts to productivity, flexibility, and scalability and does so while providing the means to reduce IT spend. Information security must not be the roadblock that prevents the adoption of such technology. By thinking ahead about the kinds of risks that outsourcing our systems will involve, we can be ready to quickly and securely lead our organization into the cloud.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/security-impact-of-putting-it-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why do we Pen Test?</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/why-do-we-pen-test/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/why-do-we-pen-test/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 16:12:35 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Buy In]]></category>
		<category><![CDATA[Communication]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Penetration Test]]></category>
		<category><![CDATA[PenTest]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=406</guid>
		<description><![CDATA[Why do we pen test? A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we set some experienced folks out with the instruction to figure out a way to break the security of our own systems. This will usually come with some rules [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Why do we pen test?</strong></p>
<p>A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we set some experienced folks out with the instruction to figure out a way to break the security of our own systems. This will usually come with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc).</p>
<p>I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not tests performed by customers or other third parties.</p>
<p>The reception testing receives varies wildly from department to department or person to person. Joe the network admin is eager to get the results of the test and see how his security measures hold up against an experienced penetration tester. However, Jan the server admin hears that a test is coming and starts shutting down services she knows are vulnerable. In reality, I see a lot more Jans than Joes. As a general rule, the response to a penetration test is a barely covered groan and gritted teeth.</p>
<p>So, why is there such a negative response to our penetration testing efforts? The primary issue isn’t that these technical folks want to hide from the truth. These are well-intentioned, competent professionals who truly want to create world-class information systems. Their reluctance to undergo a penetration test is directly related to how the results are relayed to them.</p>
<p>Oftentimes penetration testing becomes a ‘gotcha’ game:</p>
<ul>
<li><em>“You told us that there were no systems running telnet… GOTCHA.”</em></li>
<li><em>“All your email servers are supposed to use TLS… GOTCHA.”</em></li>
<li><em>“I found a Windows box still vulnerable to this old vulnerability… GOTCHA.”</em></li>
</ul>
<p>When we get deep into the weeds of any penetration test, the results are not going to be pretty. Some systems don’t get patched like they should. Some servers get stood up outside the proper change controls. These types of exceptions cause penetration test findings and look bad. They are gotchas.</p>
<p>But is that why we’re performing penetration testing? Yes, there is value in documenting the exceptions so they can be fixed. But my take on penetration testing is that our goal is less about finding those specific failures than it is about tracking our technical risk trend. Are we becoming more secure or less? If we have more unpatched systems, this shows us that our enterprise patching process needs some tweaking (or maybe complete reworking).</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>Penetration testing is simply one way to measure progress over time<br />
</strong></span></h3>
</blockquote>
<p>Before we can change the way our IT departments react to our penetration testing, we must change the way we view, conduct and report them. No penetration test is ever going to come back clean. As the security department delivering the results, it’s important that we set the proper expectations. We are not performing this test to hand over a long list of to-dos. We’re providing it as a snapshot of how risk mitigation is going, and where we should apply more emphasis going forward.</p>
<p>What do we do with the results of the test? If we’re simply handing them to IT and walking away, we’re missing a critical opportunity. When we deliver these results, we should schedule time to meet with the stakeholders, discuss the findings, and give meaningful, actionable steps for remediation. Just providing the findings will be seen as handing off the issue. We can become partners by working toward a solution that satisfies the security, resource and business requirements alike.</p>
<p>Remember, the <a href="http://www.robbreck.net/blog/enterprise_information_security/enterprise-information-security-is-about-progress/" target="_blank">goal of security is progress</a>. Penetration testing is simply one way to measure progress over time. We support the business by showing them how they can improve within their constraints. Penetration testing may never be the most popular activity for IT, but if we stop saying, ‘gotcha’ and start providing meaningful solutions to real problems, it can be a more welcome event.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/why-do-we-pen-test/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>2012 Enterprise Information Security Resolutions</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/2012-enterprise-information-security-resolutions/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/2012-enterprise-information-security-resolutions/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 17:04:10 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Five Things]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Leadership]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=410</guid>
		<description><![CDATA[2012 Enterprise Information Security Resolutions I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t [...]]]></description>
			<content:encoded><![CDATA[<p><strong>2012 Enterprise Information Security Resolutions</strong></p>
<p>I can’t believe it’s already been a year since I wrote my <a href="http://www.robbreck.net/blog/enterprise_information_security/2011-information-security-resolutions/" target="_blank">last Resolutions post</a>. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.</p>
<ol>
<li>Successful information <a href="http://www.robbreck.net/blog/enterprise_information_security/enterprise-information-security-is-about-progress/" target="_blank">security is about making progress</a>. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my goal for 2012 will be to establish a positive trend, working toward improving security consistently and manageably.</li>
<li>Become an expert in the business. Yes, being the expert in information security is critical to my success, but formulating effective security strategies requires more than just knowing security, it requires knowing how my company works, inside and out. What will be the effects of making that security change? Which business functions are most critical to the company’s success?</li>
<li>Don’t trust technologies to fix security problems. All too often we are presented with technologies that can ‘fix’ our security issues. While we absolutely must have those innovative technologies, they are seldom going to fix the root issue, and they will NEVER fix it without the proper support, analysis and scoping to make the technology work.</li>
<li>Be a positive change agent in my organization. Security can often be seen as a roadblock or impediment to progress. I must go into every project meeting, and hear every new technology request, not with a mind toward how hard it will be to secure, but toward how I can insert security into the process to make it better and safer for the business. My immediate response will be ‘how can I accommodate that?’</li>
<li>Learn from cross-functional experts. Security doesn’t really exist as its own discipline. Information security is really a subset of application security, network security, email security, and many others. This resolution is more about a mindset than anything else. I want to ensure that I view security as a part of a bigger picture within each of these disciplines and leverage those functional experts to understand context.</li>
</ol>
<p>2012 is going to be a great year.</p>
<p>-Robb</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/2012-enterprise-information-security-resolutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise Information Security is about Progress</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/enterprise-information-security-is-about-progress/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/enterprise-information-security-is-about-progress/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 16:10:06 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Buy In]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Progress]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=398</guid>
		<description><![CDATA[Successful Enterprise Information Security is about Progress What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple right? Find the places where risks are greater than we’re comfortable with, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Successful Enterprise Information Security is about Progress</strong></p>
<p>What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.</p>
<p>That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is never a point in time at which we have adequately addressed all of our technological risks. The rate of exploit discovery and the lifecycle for fixing vulnerabilities ensure that we will always have open issues.</p>
<p>With that reality in mind, we need to reconsider what makes a successful security program. Security should focus not on an end goal of “good enough” but on an end goal of sustained improvement.</p>
<p><img src="http://i1190.photobucket.com/albums/z448/InfoReck/SecurityOverTim.png" alt="Security Over Time" /><br />
Security can often come across as a demanding, RIGHT NOW discipline. And there are some good reasons for it. We know that hackers could break into the network <em>right this moment</em>, and that gives us real urgency. The newest hacks from researchers show that even the most trusted systems are vulnerable to exploit. The reasonable first response to this is to jump into action and immediately fix the issue.</p>
<p>But when we work with the business, the reality is much bigger than just security. Our partners in the business have to worry about losing customers because they don’t deliver our products on time, competitors out-innovating us, risks of financing falling apart, and many other business issues that could damage the business just as much as (or, in many cases, more than) a security incident could. Against the background of all these competing interests, a security manager who continues to insist that our vulnerabilities are the number one priority is going to get tuned out, or worse.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>As soon as we stop enabling the business to produce better and faster, we become a liability.<br />
</strong></span></h3>
</blockquote>
<p>What we can do instead is collaborate with the business to come up with a long-term plan for implementing security that does not inhibit innovation and progress by the business, and shows sensitivity to the overwhelming demands that they are often under. Yes, the plan we agree on must take the organization to a level of acceptable risk. But we can do so over months and years instead of days and weeks, show improved security over time, and develop trusted partners within the business.</p>
<p>Enterprise security is a service function. We exist to enable the business to do their jobs without being crippled by cyber-attacks and unreliable systems or losing their trade secrets to competitors. As soon as we stop enabling the business to produce better and faster, we become a liability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/enterprise-information-security-is-about-progress/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Information Security as the Doctor of the Enterprise</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/information-security-as-the-doctor-of-the-enterprise/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/information-security-as-the-doctor-of-the-enterprise/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 15:29:14 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Buy In]]></category>
		<category><![CDATA[Communication]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Medical]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=390</guid>
		<description><![CDATA[Information Security as the Doctor of the Enterprise]]></description>
			<content:encoded><![CDATA[<p><strong>Information Security as the Doctor of the Enterprise</strong></p>
<p><em>“You don’t have to floss all your teeth, just the ones you want to keep.”</em></p>
<p>I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I just didn’t want to do it, no matter how many posters suggested I needed to.</p>
<p>As an adult, I try to make it to the doctor every year or so. The doctor will ask about my exercise habits (not enough), and my diet (not the best choices) and then go on to explain to me the importance of improving those habits. Then we do some blood work and call it a year. I’ve been fortunate enough that my tests have always been normal, and no cause for alarm. So I would figure, “The test results are okay, the diet and exercise must not be all that important for me. I’m good for another year.”</p>
<p>As much as I trust my dentists and my doctors, I take what they have to say with a grain of salt. It’s their JOB to tell me to focus more on their stuff. Of course they are going to give me a little lecture, it’s pretty much expected. And if my teeth were ever to fall out, or I was to ever develop a medical condition because I hadn’t followed their directions, I certainly wouldn’t blame them. It would be nobody’s fault but my own.</p>
<p>Does this sound familiar to anyone? Aren’t we, in information security, playing exactly the same role in our organizations that our doctors play in our healthcare? We in information security evaluate, diagnose, and treat our patients, just like our doctors do for us.</p>
<p>Our evaluations are often called risk assessments instead of checkups. And just like patients at the doctor’s office, our customers will skirt the truth, try to reduce the scope, and may outright lie to us to make themselves seem healthy. The perception persists that security exists to punish or inhibit rather than to help the enterprise better achieve its goals.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>Just like the doctor’s recommendations, our patients are only going to follow our advice when it’s easy for them<br />
</strong></span></h3>
</blockquote>
<p>Our treatments involve implementing controls to bring down the risk. Instead of prescribing a better diet, more exercise or the newest drug, we prescribe documented processes, improved configurations, additional training or technical systems. And just like the doctor’s recommendations, our patients are only going to follow our advice when it’s easy for them. Many doctors default to prescribing a drug because they know it’s the only thing most of their patients will comply with. In the same way, in information security we can get a business unit to implement a new IPS or DLP, but trying to get them to make a ‘lifestyle change’ (more secure processes, implementing security earlier in the SDLC, ongoing security training) is too much change to be easily accepted.</p>
<p>In the end, security only provides value when feedback is heard, accepted and integrated. We cannot force the business to eat their carrots and do their pushups, but it’s our job to keep reminding them.</p>
<p>See <a href="http://www.robbreck.net/blog/tag/buy-in/" target="_blank">previous posts</a> for more thoughts about getting the organization to buy in to the mission of security.</p>
<p><a href="http://hackeroutfit.wordpress.com/2011/07/07/we-have-not-failed-as-an-industry-we-are-right-on-par" target="_blank"><em>Tip of the cap to HackerOutfit for starting this conversation. </em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/information-security-as-the-doctor-of-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Black Hat&#8217;s Place in Enterprise Information Security</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/blackhats-place-in-enterprise-information-security/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/blackhats-place-in-enterprise-information-security/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 15:27:44 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Buy In]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=384</guid>
		<description><![CDATA[Black Hat’s Place in Enterprise Information Security In general, Enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks available across a huge [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Black Hat’s Place in Enterprise Information Security</strong></p>
<p>In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas for conversation.</p>
<p>On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. The RSA conference is a great example. Instead of 3-4 of us sitting in a conference room discussing how to secure our organization, we get 300-400 of us in a bigger conference room talking about how to secure all of our respective organizations. We get high-quality speakers to share their knowledge and we go back to our offices with some new ideas.</p>
<p>No wonder RSA is so comfortable; it’s just a bigger version of the same meetings we participate in 40 hours a week.</p>
<p>If you go to the Black Hat conference expecting the same experience, you’re going to be greatly surprised. This was my first year attending Black Hat. It’s anything but ‘just another security conference.’</p>
<p>The nature of the attendees and speakers is different. Gone are the folks in business casual. They are replaced by swarms of people sporting infosec t-shirts and scruffy beards. Most of us are well warned that we should have our phones turned off before getting anywhere near the convention area. (Something I’ve never had to worry about at a local ISSA meeting.)</p>
<p>And throughout the Black Hat briefings I attended, I didn’t once hear the words “defense in depth” or “return on investment.” What I got instead was a steady stream of examples of exactly how the bad guys are going to break into specific systems. Black Hat doesn’t have a management track in their briefings; the focus is on the practical, hands-on attack and compromise of information systems.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>Black Hat will draw our attention right back to the bad guys, in a dramatic style.<br />
</strong></span></h3>
</blockquote>
<p>In our enterprise information security world, our focus is more about getting real buy-in from the business than about actively engaging hackers. We can spend so much time working with system administrators and developers creating security implementation plans and timelines that our eyes drift away from the actual threats the hackers present. Spending a couple of days at Black Hat will draw our attention right back to the bad guys, in a dramatic style.</p>
<p>Black Hat offers dozens of very specific examples of how the systems we count on are vulnerable to exploit. Seeing highly skilled hackers cut through systems that you know are currently deployed in your organization transforms information security from a meeting topic to a critically important consideration.</p>
<p>Black Hat is the other side of information security, the stuff that many of us security managers don’t see enough of. It shows us a clear picture of the front line battle that sometimes gets lost as we think about the larger war. The RSA Conference will always have its place as a tool for making security programs better, but Black Hat’s unique perspective on system exploits gives a peek into a scene that’s far too often overlooked.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/blackhats-place-in-enterprise-information-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Back from Blackhat &#8211; training discounts</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/back-from-blackhat-training-discounts/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/back-from-blackhat-training-discounts/#comments</comments>
		<pubDate>Mon, 08 Aug 2011 20:07:33 +0000</pubDate>
		<dc:creator>Robb Reck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=380</guid>
		<description><![CDATA[I spent last week becoming immersed in the Blackhat experience. It was my first time and a drastically different conference than any I&#8217;ve attended before. I&#8217;ll have a write-up in this space sometime in the next couple of weeks. While there I was fortunate to speak to the managing editor of infosecisland.com, and he told [...]]]></description>
			<content:encoded><![CDATA[<p>I spent last week becoming immersed in the Blackhat experience. It was my first time and a drastically different conference than any I&#8217;ve attended before. I&#8217;ll have a write-up in this space sometime in the next couple of weeks.</p>
<p>While there I was fortunate to speak to the managing editor of infosecisland.com, and he told me about the training deals they offer over there. Sounds like a pretty good deal to me, so I thought I&#8217;d pass it along. This may be something that offers significant value to my enterprise readers.</p>
<p><em>The ISLAND TRADEWINDS program is designed to offer IT and security training and certification opportunities at significantly discounted rates which are offered exclusively to Infosec Island&#8217;s registered members. </em></p>
<p><em> If you are planning to enroll in training from Global Knowledge, Career Academy, Infosec Institute, or SANS and would like to receive discounts up to $500 off then go to the link below to learn how: </em></p>
<p><em> <a href="http://www.linkedin.com/redirect?url=https%3A%2F%2Fwww%2Einfosecisland%2Ecom%2Fblogview%2F15568-Tradewinds-Discounts-on-Infosec-Training-and-Certification%2Ehtml&amp;urlhash=DuUR&amp;_t=mbox_mebc">https://www.infosecisland.com/blogview/15568-Tradewinds-Discounts-on-Infosec-Training-and-Certification.html</a> </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/back-from-blackhat-training-discounts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Verizon’s 2011 Data Breach Investigations Report Review</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/verizon%e2%80%99s-2011-data-breach-investigations-report-review/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/verizon%e2%80%99s-2011-data-breach-investigations-report-review/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 16:13:56 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Breaches]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=362</guid>
		<description><![CDATA[Biggest hits from the Verizon 2011 DBIR.]]></description>
			<content:encoded><![CDATA[<p><strong>What does Verizon’s 2011 DBIR mean to your enterprise?</strong></p>
<p>A few weeks ago we looked at <a href="http://www.robbreck.net/blog/enterprise_information_security/trustwaves-2011-global-security-report/" target="_blank">Trustwave’s 2011 Global Security Report</a>. This week I want to point out a few of the critical points in Verizon’s 2011 Data Breach report.</p>
<p>I want to start by saying that these lessons are not easy, but they are simple. It’s not easy to ensure that every system in your environment is accounted for and that you know what data is being held where. But it is simple: to ensure that your systems are being properly secured, you must know what and where they are. It’s not easy to go through every system in our environment and ensure that remote administration is turned off where it can be and closely monitored where it cannot, but it is simple: if you don’t know where the doors into your data are, you can’t defend them.</p>
<p>Our job in information security is not easy, but it is simple. It’s our job as information security practitioners to take the simple requirements (understand your environment, enforce least privilege) and turn them into practical, tactical game plans that our teams can implement.</p>
<p>With that out of the way, let’s take a look at a few of the interesting findings from Verizon’s report.</p>
<ol>
<li>Verizon found a dramatic drop in the number of records compromised this year. 2008: 361 million, 2009: 144 million, 2010: 4 million. At this pace we should expect to see the criminals not steal any records in 2011, but actually give back 100 million or so. &lt;Pause for hearty laugh&gt; What’s really happening here is probably that the criminals are becoming much more discerning in their targets. As the black-market value of PII goes down (due to oversupply), there’s less incentive to find that data. So criminals are now focusing their efforts on less plentiful but more valuable data: trade secrets, military intelligence, confidential information… that’s where the money is. I believe that criminals will focus less on large smash-and-grab campaigns looking for large caches of user info, and more on silent attacks where they seek to gather corporate, government and military information for larger political or financial impact.</li>
</ol>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>As the value for PII goes down, criminals focus more on high value corporate, government and military secrets<br />
</strong></span></h3>
</blockquote>
<ol start="2">
<li>49% of breaches incorporated the use of malware. <a href="http://www.robbreck.net/blog/enterprise_information_security/trustwaves-2011-global-security-report/" target="_blank">Trustwave’s report</a> showed 76% of attacks involved malware. The message between these two reports is pretty clear: a very significant number of attacks are perpetrated using malicious software as a jumping-off point. This may be a Trojan designed to spread as far as possible on the internet (think Zeus), or it could be a carefully crafted application designed to infiltrate one company (think Google’s China hack). In either case, it’s more important now than ever to follow safe browsing guidelines and to avoid connecting potentially compromised machines to protected networks.</li>
<li><a href="http://www.robbreck.net/blog/enterprise_information_security/10-things-you-should-know-2010-verizon-data-breach-report/" target="_blank">Last year I commented on external threats being higher than anticipated</a> (where it was 70% of attacks in 2010), and this year it’s dramatically higher. A full 92% of attacks stemmed from external agents. It may be time for us in information security to consider anew where to allocate our resources. Is it heresy to suggest spending more time and money on external penetration testing and less on internal security awareness training? I’m not sure what the right balance is, but apparently it’s those outsiders who are once again our biggest threat.</li>
<li>83% of victims were targets of opportunity. It goes back to the old idea that your house doesn’t need to be totally secure, just more secure than your neighbors’ houses. Or, as the joke goes, something like this&#8230;</li>
</ol>
<p><em>Two men are walking in a forest. They see a bear with children, so they start running, and the bear follows them. One man stops and starts putting on running shoes. The other guy asks him: &#8220;Do you really think that running shoes will make you run faster than the bear?&#8221; and the first guy answers &#8220;No, but it should make me faster than you!&#8221;</em></p>
<ol start="5">
<li>89% of victims that were supposed to be PCI-DSS compliant were not. Last year this number was 79%. Combine this with the fact that most of the victims were targets of opportunity, and the message is very clear: Spend the time and money to meet a minimum baseline of security and your odds of being breached go down drastically.</li>
</ol>
<p>The reality of the business world is resource scarcity. We simply can’t afford to keep doing all of the security measures we’ve done in the past while adding more and more new ones. The administrative, licensing and maintenance load becomes unbearable. Something has to give. By studying these kinds of reports over the years, and finding where the real threats exist, we can consider which new technologies make sense to add, and which old safeguards might not be worth their expense now.</p>
<p>Thanks again to the team at Verizon for sharing this excellent data with the community at large. We are in your debt.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/verizon%e2%80%99s-2011-data-breach-investigations-report-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internal Audit and Information Security</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/internal-audit-and-information-security/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/internal-audit-and-information-security/#comments</comments>
		<pubDate>Wed, 06 Jul 2011 14:55:05 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Teamwork]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=352</guid>
		<description><![CDATA[How information security and internal audit can work together to secure the Enterprise.]]></description>
			<content:encoded><![CDATA[<p><strong>How’s Your Relationship with Internal Audit?</strong></p>
<p>Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.</p>
<p>The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.</p>
<p>When your team hears that the internal auditors are going to be coming, what is the response? No, not everyone will be thrilled to spend a day or week sitting with auditors discussing business practices and showing proof of what they do. Schedules are tight, and fitting in audit work alongside a full schedule can be a challenge. But aside from scheduling, this should not be a grueling task. If your employees are overly concerned about the audit process, it may be that they are not properly educated about the policies and procedures required to do their job.</p>
<p>In a well-functioning team the opportunity for a different set of eyes to evaluate and offer feedback is invaluable. They can show us where our documentation is lacking (because the people who do it every day naturally fill in those gaps), where our separation of duties is inadequate, or where cross-training is needed. Joe might be the best firewall administrator in the world, but letting him do all of the firewall work means that when he finally goes on vacation or gets a new job, your organization will be scrambling to fill his position.</p>
<p>The biggest key to creating a positive relationship with audit, and successfully undergoing audits, is remembering that internal audit and security risk management are on the same team. We are both looking to handle risks. Our job in security is to identify and implement effective mitigating controls, and audit’s job is to flag those risks which have not yet been properly mitigated, so that management is well aware of them, and can make appropriate business decisions. If they identify a finding in your area, it’s not the end of the world. It’s an opportunity for you to improve your environment and make things better.</p>
<blockquote>
<h3 style="text-align: center;"><span style="color: #3366ff;"><strong>Security and Audit should make each other better<br />
</strong></span></h3>
</blockquote>
<p>Information Security and Internal Audit can be extremely effective partners. Chances are that the folks in the security team are more technically savvy and more intricately familiar with the details of the corporate information systems. As such, during an audit, security can help guide internal audit through the technical-speak and confusing network diagrams to surface all kinds of useful information, including what data is sitting where, what it’s doing, and what protections are in place. By acting as a technical consultant, the security team can provide valuable assistance to audit and make the audit findings more detailed and impactful.</p>
<p>On the flip side, audit can be an important ally for security. How often does your security team find a risk, bring it up to technical leaders, and have that risk ignored because of time or money scarcity? It’s an ongoing balance to figure out which risks need to be addressed. Security’s concerns are usually heard, but often cannot be immediately acted on. But when an item is made an audit finding it gains significant weight. Those audit findings will make their way up the chain, to the desk of the president and the board itself. Senior leadership is directly responsible for addressing and implementing audit findings. Getting audit to include the risks that security identifies is one of the best ways audit can assist security.</p>
<p>For the most part, the difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do.</p>
<p>If you haven’t already, go take an auditor out to lunch. Ask about what they do, and how you can help. It’s a relationship that you both will enjoy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/internal-audit-and-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trustwave&#8217;s 2011 Global Security Report</title>
		<link>http://www.robbreck.net/blog/enterprise_information_security/trustwaves-2011-global-security-report/</link>
		<comments>http://www.robbreck.net/blog/enterprise_information_security/trustwaves-2011-global-security-report/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 14:56:55 +0000</pubDate>
		<dc:creator>RobbReck</dc:creator>
				<category><![CDATA[Enterprise Information Security]]></category>
		<category><![CDATA[Breaches]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Trustwave]]></category>

		<guid isPermaLink="false">http://www.robbreck.net/blog/?p=347</guid>
		<description><![CDATA[2011 Trustwave Global Security Report: Things I Think As is my wont, I will be highlighting a few points that I found especially comment-worthy from a security report. Today I’m reviewing the 2011 Trustwave Global Security Report. These may or may not be the highlights of the report, but they seemed worth my attention, and [...]]]></description>
			<content:encoded><![CDATA[<p><strong>2011 Trustwave Global Security Report: Things I Think</strong></p>
<p>As is my wont, I will be highlighting a few points that I found especially comment-worthy from a security report. Today I’m reviewing the <a href="https://www.trustwave.com/GSR">2011 Trustwave Global Security Report</a>. These may or may not be the highlights of the report, but they seemed worth my attention, and hopefully worth yours as well.</p>
<ol>
<li><strong>More PCI theft came from point of sale (POS) systems than from online shopping.</strong> Isn’t this exactly the opposite of what most of us assume? When I enter my credit card information into a website I’m much more diligent about looking for potential security issues and doing research. When I walk into a store that accepts credit cards I usually just take it on faith that they’re protecting my data. Apparently I’ve got things backwards.</li>
<li><strong>The majority of ATM breaches weren’t caused by add-on hardware, but by installed malware or a physically connected USB drive.</strong> This is another scary fact. I’ve always felt pretty confident that by visually and physically inspecting an ATM I would be able to detect if it had been compromised. You know, look around for cameras, and see if there’s a skimmer on it. But now we need to worry that the compromise is completely invisible to us as the customer. The best thing we can do here is to avoid using third-party ATMs at gas stations and convenience stores, and use ATMs that are installed directly into the side of a bank. They are much harder to physically alter and more likely to be noticed quickly if they are.</li>
<li><strong>88% of breaches were performed on systems that were being managed by a third party.</strong> How does that make you feel about your out-sourcing strategy? I’ll tell you how it makes me feel… ‘Yuck.’ We bring in these third-party vendors because we trust that they have all the experience and knowledge with a given security product. And that’s probably true. But they are missing a critical piece: the experience with and knowledge of our systems. No technology solution is complete and ideal for every environment out of the box. It needs to be tweaked and altered to fit each company and, just as importantly, it needs to be consistently maintained and updated. When we work with third-party vendors we suffer from issues in both of these areas: we don’t initially provide them the time and resources to get to know our environment fully, and then we don’t continue the engagement for long enough, or with a thorough enough definition of the level of on-going maintenance we expect. This doesn’t mean that we need to bring all services in-house, but we do need to understand these risks and continually keep them top of mind to ensure we properly address them.</li>
<li><strong>55% of breaches were accomplished using a remote access protocol. </strong>You know all those helpful utilities that allow us to manage our servers without having to sit right in front of the console? Those tools of convenience not only provide us access to our servers, but are commonly used by our adversaries to gain illicit access. We get so comfortable with the assumption that any traffic within the gooey center of our network is safe that we don’t put in the time and thought to ensure that those protocols are secured from eavesdropping and attack. Implementing strong encryption and multi-factor authentication lets us keep these utilities in our tool-belt while taking them away from the bad guys.</li>
<li><strong>Data-harvesting malware was used in 76% of breaches. </strong>Think your antivirus will keep you safe from malware that’s out to steal your company, banking and email credentials? Don’t count on it. Criminals use file-sharing sites, malvertising (advertising on a legitimate site that contains malware), social networking, drive-by downloads, and other tricky strategies to get their software onto your computer, and then leave it there as long as possible without you noticing. This brave new cyber-world requires smart web-browsing, continual diligence and a bit of luck to get off without catching a virus.</li>
<li><strong>The vast majority of breached companies were not compliant with PCI requirements. </strong>What does this mean? It certainly does not mean that PCI compliance is a magic bullet that can prevent breaches. The flaws in the PCI-DSS are well known and we won’t go into those here. This fact reinforces the well-known trend that a little bit of prevention goes a long way. We security guys will never get rid of all risks, but when we go through the process of identifying our outstanding risks we will not only achieve compliance, but will prevent the vast majority of attacks, including just about all of the unfocused threats that are out there. PCI compliance is a baseline that tells the outside world, “Yeah, we take security seriously.” If you aren’t even doing that, breaches are a lot more likely to occur and have a lot more serious consequences.</li>
</ol>
<p>Thanks to Trustwave for sharing their experience with the security community. The more we know the better we can become, and the more secure we can make our environments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.robbreck.net/blog/enterprise_information_security/trustwaves-2011-global-security-report/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

