risk management


After my last post on “Risk Management or Compliance Management” Martin Fisher and I talked about it on the SFS Podcast. It gave me an opportunity to “rant” more and as usual Martin has some good insight into things. Ranting is fine for a bit but if that is all there is then why bother to blog. There needs to be some actionable items to move things forward so here are some thoughts on getting back to Risk Management and away from “pure” compliance management.

I’m going to approach this from a generic angle because it will be different for each company due to many factors. This will probably work better for the SMB market due to the complexity of large enterprises, but with some creative thinking you should be able to use this as a template for them as well. So if you are a security pro and are tired of doing compliance management instead of risk management, what do you do?

First you want to make a plan and prepare a strategy. Lay out the goals for what you want to accomplish. Who do you need to influence? Your boss, a business leader, company leadership?

A good place to start is with a good understanding of what you currently have. Do you know your environment? Do you have an asset list of all systems (Hardware, OS, applications, services, accounts, etc)? What patches do you have installed and what software updates do you currently have? What infrastructure components are in place? What are the various connections to the outside world? Do you have Extranets? Things such as this are key to the next step.

Do a gap analysis to determine what you need to do to get from where you are to where you need to be. After that do a risk analysis on the gap. It doesn’t have to be fancy or even follow a particular methodology, just as long as you are doing a thorough job and not just looking at things through the blood-colored glasses of a security pro. Talk to others who are in the business and can give you insight. Ask questions of others in different roles to help you understand better and be able to view the “problem” from the security angle, the business angle, the user angle and the customer angle. These things will help you when you present your recommendations because you can anticipate questions and concerns ahead of time and have answers and alternatives prepared. Plus it really adds to your credibility because they see that you are serious about this and not just spouting off.

Next you will want to look at ways to close the gap. Don’t just think technology. What process changes can be made? You will be able to answer this because you took the time to talk to others and learn from them. Are there policies in place that address this, and if so do they address it fully or are there areas that need to be shored up? What about technology that is already in place? Can it be used to solve some problems? Then look at “new” technology that could be implemented. Also don’t forget awareness programs and other training that can reduce the likelihood that someone in the company will make a mistake due to lack of knowledge.

Now go back and look at what you can realistically do given the resources available to you. Think about time, talent, money, etc… and build a case for doing what you can, but don’t stop there. Build the case for going beyond. Why is what you can do not enough? What risks will still be there that need to be addressed? Why do they need to be addressed? Explain it in a way that the business managers and others who are not security focused will understand. I love this “nugget” from Mike Rothman’s “Pragmatic CSO”: put together different presentations for Plan A, B, and C, with A being everything on your list, C being the minimum you can get by with, and B somewhere in between.

Once you feel that you have built your case(s) then run them by others in the company who can help you refine them so that what you present to management is first class. After that practice your presentation many, many times and make sure that you have asked the right questions (those that management will ask) and have your answers prepared.

Now it’s up to Management how they respond but at the very least if you have done this well you will build credibility so that next time they listen to you more closely and value your input.
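The gap-analysis, risk-ranking and Plan A/B/C steps above, worked through in code. This is an added example and not from the original post or from “Pragmatic CSO”; the gaps, the 1–5 likelihood/impact scale and the dollar figures are constructed, and the greedy budget cut is an assumption, not the book’s method.

```python
"""Rank the findings from a gap analysis and cut them into Plan A, B and C."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gap:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected this year)
    impact: int      # 1 (nuisance) .. 5 (business-threatening)
    cost: int        # rough cost to close the gap, in dollars

    @property
    def risk(self) -> int:
        """Simple likelihood x impact score; any consistent scale will do."""
        return self.likelihood * self.impact


# Constructed sample gaps; the scores and costs are illustrative only.
GAPS = [
    Gap("No tested restore procedure for file server backups", 4, 5, 8000),
    Gap("FireWire ports enabled on laptops (DMA attack)", 2, 4, 1000),
    Gap("Laptops left in standby with FDE keys in RAM", 2, 3, 500),
    Gap("No awareness training on phishing", 4, 3, 6000),
    Gap("Extranet firewall rules undocumented", 3, 4, 4000),
    Gap("Biometric reader sniffing", 1, 2, 15000),
]


def ranked(gaps):
    """Highest risk first; among equal risks, the cheaper fix first."""
    return sorted(gaps, key=lambda g: (-g.risk, g.cost))


def plan(gaps, budget):
    """Greedy cut: walk the ranked list and take every gap that still fits
    the budget. Returns (chosen gaps, money spent)."""
    chosen, spent = [], 0
    for g in ranked(gaps):
        if spent + g.cost <= budget:
            chosen.append(g)
            spent += g.cost
    return chosen, spent


def residual_risk(gaps, chosen):
    """Risk score left open: the material for the 'why this is not enough' slide."""
    return sum(g.risk for g in gaps if g not in chosen)


def leftover(gaps, chosen):
    """Names of the gaps a plan does not close, highest risk first."""
    return [g.name for g in ranked(gaps) if g not in chosen]


def plans(gaps, budget_b, budget_c):
    """Plan A: everything on the list. Plans B and C: what fits each budget."""
    return {"A": (ranked(gaps), sum(g.cost for g in gaps)),
            "B": plan(gaps, budget_b),
            "C": plan(gaps, budget_c)}


if __name__ == "__main__":
    for label, (chosen, spent) in plans(GAPS, 20000, 10000).items():
        print(f"Plan {label}: ${spent}, residual risk {residual_risk(GAPS, chosen)}")
        for name in leftover(GAPS, chosen):
            print("   still open:", name)
```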

Update: First I want to apologize for not linking to Alex’s site RiskAnalys.is in my original posting. I wrote this over 2 days and 4 different editing points and still failed to get all my ducks in a row. Secondly, even though the article was posted at RiskAnalys.is Alex wasn’t the one who wrote it (no wonder he didn’t remember writing it). It was written by JonesJ (who I’m assuming is Jack Jones, based upon looking at the comments section).

I must say right off that Alex actually posted something similar to parts of what I am going to say. I didn’t just think about this after reading his post but had been thinking this very thing from the moment that the news of the DRAM being frozen to find encryption keys story hit. Actually I have held this belief for a long time but recent stories have made it “front lobe” thinking of late.

Lots of people get paid good money and receive grants to do research on various things. I think that this research is important and often critical to helping us improve security and how we secure data. What usually happens is that the researchers release their findings and the IT/Security world (OK, just a few who tend to be vocal) shout it from the rooftops and bemoan how any day now we are all going to fall victim to this very attack. The vendors jump on the bandwagon and talk about how their product X will prevent or fix this or at the minimum (although they don’t admit that it’s a minimum) keep you in compliance with every possible regulation that the government can think up.

What has to be done by companies before panicking is to determine what the risk of this attack happening to your company really is. Not only what the risk is but what the potential cost is if this happens. Will you lose IP that will seriously hurt the company? Will you risk having financial or PII data stolen? Will this happening seriously affect how your employees work?

In most of these cases the biggest question is “How likely is it that this attack will actually happen to us?” Is it worth the cost of putting in controls that will mitigate it? Can it be handled in a different way with technology that you currently use? Can you teach your users how to protect against it?

Lately there have been 3 “attacks” that have been in the news that have garnered lots of attention in the press and lots of blogs. At least 2 of the 3 have exploits that have been released (I’m not sure about the biometric key logger) that I want to touch on briefly.

The first is the study that proves how you can capture encryption keys and other data from RAM after the system has been powered off. This has potential to be a big deal. If FDE keys can be found hanging around in RAM then obviously the bad guys can use this against us, or can they? Ask it this way. How likely is it that this will happen to my users? Wait, even before that let’s ask just what has to happen in order for this to be exploited. How long does the data stay resident in RAM after you power off the system? What does the hacker have to do in order to get to the data? It turns out that the data only sticks around for a couple of seconds and that in order to preserve it the memory has to be quickly frozen and remain sufficiently cold long enough for the memory to be either removed from the system or the system to be powered back up. Then the attacker has to have the tools to read the contents of memory and figure out what is in there and how they can use it. How likely is it that when you power off your system a hacker is going to be hiding in the next cube ready to pounce? Obviously laptops are the big threat here but even still a few simple tips to your users can eliminate this.

  • First, tell them to turn their system off instead of putting it in standby or hibernate.
  • Second, tell them to turn the laptop off and let it power down while they gather up the rest of their stuff. By the time they are ready to leave, the laptop has been powered off long enough for the data in RAM to dissipate enough to prevent this from being a problem.

There is more to this. There are ways that the bad guys have a bit of an advantage and more that you and the user can do, but this covers 99% of the risk.

The second thing is the Biometric Key logger that has recently been developed. As far as I know this has not been released into the wild. A British researcher has come up with a way to sniff biometrics and recreate the image. Again this is not good news but it’s also not all bad. What has to happen in order for this to be a risk to your (or any) company? Besides the obvious that you have to be using Biometrics what other things have to happen in order for this to be worth an investment in time and money for your company? In my opinion this is a very low risk threat for most companies. In a few years when biometrics are more popular it may be a bigger risk but even for companies that use biometrics the risk of this happening is probably very low.

The last one I want to bring up is Winlockpwn. This has potential to be a big problem for lots of companies now. Why? Because almost every computer and laptop in use today has a FireWire port that is active. This exploit allows you to connect a Linux system directly to the FireWire port on a Windows system and get read/write access to memory. Can you say Total Pwnage? This one is not good news. There are lots of ways for hackers to get access to systems both inside and outside your company walls. A few seconds is all it would take for malicious code to be loaded onto a system via this vulnerability. The good news is that most of us aren’t using our FireWire ports and they can be disabled when not needed.

So there you have it. A tale of 3 vulnerabilities that are putting lots of fear into the hearts of security professionals all over the globe. But in my opinion the fear is unnecessary and the exploits can be easily mitigated for most of us. So what is the moral of this little story? When you hear of the latest vulnerability, exploit or hack don’t rush out and panic. Don’t go spend the rest of your budget on some technology that isn’t what you need. Don’t go rushing to management with FUD. Take a step back and do a quick risk assessment for your environment and then make a well informed decision. Also before you go spending money unnecessarily take a look at what you already have in house that can be used to reduce this issue and make your life much easier.

Risk is key!

I was talking to someone briefly the other day about the CIA triad and it got me to thinking. Most security books teach it and many security professionals will agree that it is foundational to Information Security. As you all know the 3 legs are Confidentiality, Integrity and Availability. We all work hard to ensure that our data stays confidential, that its integrity is maintained and that it is available to authorized users when it is needed.

What I want to talk about is Availability. What does it involve and what are we doing to ensure that data truly is available. Availability can be affected by the following (and more that I’m sure I will miss).

  • Denial of Service Attacks
  • Hardware failure
  • Improper device configuration
  • Man-in-the-middle attacks
  • Corruption of data
  • Removal/deletion of data (intentional and unintentional)
  • Route poisoning (ARP, DNS, etc.)
  • Software bugs

These things affect Information Security yet are often looked at as either belonging to another group (Network, Servers, Firewall, etc) or not being a big deal. When this happens you are setting yourself up for failure.

The best way to assure the availability of information is to have a plan and to test it.

  • What is your plan to prevent MitM attacks, Route poisoning, DoS attacks? Do you test your systems to ensure that these types of attacks can be fended off? Do you have a plan to mitigate them? What about an incident response plan? Has it been tested and carefully thought through?
  • What about data corruption or deletion? You have backups but are they any good? When was the last time you did a test restore? What happens if your tape drive goes bad? Can you restore on a different model if necessary?
  • What steps are in place to ensure that devices are configured properly? Do you have procedures to ensure that they are configured and tested? Is the configuration backed up and documented in case of hardware failure? How quickly can you get the device back up and running or replaced? Say you lose a server with all your user files. You have a spare that you can restore to quickly, but what about ensuring that the users can connect to the new device? It likely has a different IP address and name than the original box. What are your procedures for uninstalling applications and patches that cause problems?
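The “are your backups any good, when did you last do a test restore?” question above, turned into a repeatable check. This is an added example, not code from the original post: it builds a constructed sample backup (a gzipped tar with a MANIFEST.json of SHA-256 digests, a format assumed for illustration), restores it into a scratch directory and reports every file as ok, corrupt or missing, so a bad tape shows up on the test restore rather than on the day you need it.

```python
"""Test-restore a backup archive and check every file against its manifest."""
import hashlib
import io
import json
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, written=None) -> bytes:
    """Build a constructed sample backup: a gzipped tar of `files` plus a
    MANIFEST.json of SHA-256 digests. `written` lets a test simulate a bad
    backup: it overrides what actually lands in the tar (None = file left
    out) while the manifest still describes the original content."""
    written = {**files, **(written or {})}
    manifest = {name: sha256_bytes(data) for name, data in files.items()}
    entries = list(written.items())
    entries.append(("MANIFEST.json", json.dumps(manifest).encode()))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            if data is None:
                continue
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_restore(archive: bytes) -> dict:
    """Restore into a scratch directory, then verify each manifest entry.
    Returns {"ok": [...], "corrupt": [...], "missing": [...]} (names sorted)."""
    result = {"ok": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would escape the restore directory.
                parts = member.name.split("/")
                if not member.isfile() or member.name.startswith("/") or ".." in parts:
                    continue
                dest = os.path.join(scratch, member.name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as out:
                    out.write(tar.extractfile(member).read())
        with open(os.path.join(scratch, "MANIFEST.json")) as f:
            manifest = json.load(f)
        for name, digest in sorted(manifest.items()):
            path = os.path.join(scratch, name)
            if not os.path.isfile(path):
                result["missing"].append(name)
                continue
            with open(path, "rb") as f:
                bucket = "ok" if sha256_bytes(f.read()) == digest else "corrupt"
            result[bucket].append(name)
    return result


# Constructed sample data: what a small file server backup might hold.
FILES = {"users/alice/report.doc": b"quarterly numbers",
         "users/bob/notes.txt": b"call vendor",
         "etc/router-config.txt": b"hostname core-rtr\n"}
```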

These are the types of things that can easily be overlooked if you have not done your homework. You need to do a Risk Assessment and ensure that the basics are covered. You need to then put a plan in place and test, test, test. It’s not always the most fun thing to do, but in the process you will learn a lot about yourself, your network, your coworkers and your company. It might even keep you out of the unemployment line.


One of my favorite books is “The Art of War” by Sun Tzu. I received a Page-A-Day desk calendar for Christmas that is based on this book. Today’s page really caught my eye and I think that it is very applicable to the life of a Security Professional.

“Generals in the field must already be acquainted with all the sciences of warfare before they can command their own soldiers and assess battle formations.”

We too must know security principles and what is out there that could bite us. If we don’t then we will never be able to adequately protect our networks and users. It’s Risk Management in a nutshell.

I found a new blog (new for me) today when they linked to my Compliance posting. I know no harm was meant but I took offense to their accusation that I was letting the wrong thing drive my priorities. All that aside their blog looks to be interesting. I have added it to my feeds so I can keep up with what they have to say and learn from them.

Maybe a little clarification is in order. I think they misunderstood me. I’ve mentioned before about the major changes coming down the pike for my company. Part of that involves having to bring compliance issues in house that were being handled by a business partner. That means that like it or not, ready or not I have some catching up to do and I have to do it fast. I have to put some things in place to help me prove my compliance. True there were vendors there selling their hype but they are not what made me feel better. I’ve been doing this too long and dealing with vendors too long to buy into that. I spend roughly 35% of my time dealing with vendors. I know that they play games and I know how to play their games.

What made me feel better was talking to people who have been dealing with compliance issues for several years. They are the ones who gave me tips, hints and ideas that give me some hope in what looked to be an overwhelming task. I still have lots to do and will still have to spend lots of money. Not because spending money makes me compliant, but getting the pieces in place is not a cheap venture when you are starting from scratch.

Compliance is not driving my priorities. Security is driving my priorities. Compliance is just a piece of the puzzle that I have to put together. My priorities have always been a secure network and infrastructure whether or not I had to prove compliance. I practice the mantra “A secure network will almost always be compliant, but a compliant network will not always be secure”.

On Tuesday I attended a day-long seminar on Compliance that focused on Risk Management. It was put on by the guys at Tech Target and SearchSecurity.com. I wasn’t expecting much for several reasons. Primarily it was free (vendor sponsored) and it was only a day. What can they tell you in a day that you probably don’t already know? Actually more than I expected. It was a very well done seminar. There were 4 main speakers, a vendor Q&A session and of course the vendor arena.

With everything that is going on at work I almost decided not to go, but at the last minute decided that it may be worth it if for nothing else it would get me out of the office for a while so I didn’t have to think too much about all that I have to do. Also compliance is coming at me hard and fast and I wanted a “refresher” and hopefully a new perspective on what is coming. I was not disappointed in the least. The speakers were informational and entertaining. If you have done much in the field of compliance or risk management you know that they can be boring if left to themselves. Of course the best part of it was the peer networking that goes on at events such as this. The value of a good network can’t be overlooked.

What I brought away from the day was actually encouraging. Compliance is still looming over my head, but I actually feel pretty good about getting a handle on it. It will take a lot of work and a fair amount of money, but I don’t think it’s going to be the bear that I had imagined (knock on wood). I also found out that I am NOT subject to PCI!!!!!! I spoke with the Risk Manager and Information Security Officer for a large Financial Institution who is very well versed on PCI and its implications for various institutions. This was a difficult question to get a straight answer to. Every person that I talked to gave me different answers, but most of them qualified their answer with “I think” or “I believe”. The guy I spoke with is doing things the same way that we will be doing them and he said that they don’t even look at PCI except for the framework of it and the benefit that can be gained by that.

Well, it’s back to the grind. I’ve got to place my Cisco order today or I won’t have routers and switches to have my WAN in place in time. Not a good thought.
