
Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is …

Black Hat’s Place in Enterprise Information Security

In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas for conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. …

Internal Audit and Information Security

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears …

Security’s Civil War

Security versus Security: When security requirements conflict

One of the topics I spend quite a bit of time discussing in this space is the conflict between security and functionality. Often we are forced to choose between them: if we allow people to post anonymous comments to our site, we give more functionality to more people, but we run the risk of malicious users exploiting our site. That is the traditional security versus functionality dynamic. But sometimes security isn’t nearly so clear cut. I thought it would be fun to explore a situation where the conflict is security versus security.

Consider data in transit. …

Defense in depth is necessary, but not sufficient

or… How do we improve defense in depth?

On March 22nd I had the opportunity to participate in a workshop organized by the Special Cyber Operations Research and Engineering Committee (an interagency working group that coordinates cyber security research in support of national security systems). This was the first in a series of planned workshops which are intended to challenge long-held assumptions in the cyber security world. The focus of this first workshop was Defense in Depth (DiD). Click here to read the full write-up of the agenda of the meeting.

The meeting …

The Evolution of Hacking and Enterprise Information Security

Or, How Anonymous has changed us

This blog is about enterprise information security. (Just check the top of the page and you’ll see it right there in the tag line.) So I don’t often discuss current events. Generally, the things that grab news headlines are old news, or security fluff with little practical impact.

But the news stories lately surrounding Wikileaks, Anonymous and The Jester (th3j35t3r) are more than pop culture intersecting security. I believe these events reflect a shift in the nature of internet hackers. This shift has …

The Department of No

On being the “Department of No”

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security …

Defense in depth: Security Strategy or Security Blanket

There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this…

Giants Fan 1, “Man, that Albert Pujols is really something else. I sure would like to have him on our team.”

Giants Fan 2, “We should offer the Cardinals three of our mediocre players for him.”

Giants Fan 1, “That’ll never work, they won’t give him up for three mediocre players.”

Giants Fan 2, “Okay, we’ll give them 5 of them… heck give them 7 mediocre players!”

Giants Fan 1, “Yeah… this is starting to sound real good.” *

The fallacy …

Proactive Security Versus Reactive Compliance

Compliance versus Security 2
See previous article: Maturing from compliance to security

Proactive: Plan ahead, think through what issues may come up, and put in the effort on the front end to reduce unexpected issues. This allows fewer surprises down the road and a higher-quality product the first time. But the up-front work is more resource intensive. Proactive work requires planning and spending for things that may never happen.

Reactive: Create your product with only the features and functions that are required right now. This is faster and easier than proactive work. It’s much more cut and dried. …

Compliance Leads to Security Breaches

Maturing from Compliance to Security

How IT’s compliance mindset would look in another setting:
“Waiter, there’s a fly in my soup!” – patron
“Let me take care of that for you, sir” – waiter, as he reaches into the soup to remove the fly
“Well, the soup looks fine now. Thank you.” – patron, as he digs in

In the world of Information Security, compliance rules with an iron fist. For InfoSec professionals in the health care industry, data must be stored and secured according to HIPAA guidelines. For those in finance, GLBA rules. For those who handle credit card info, PCI-DSS …