Bring Your Own Device - what's the big deal?

So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network.   Employees will continue to bring their own devices to work and they want to connect them to the corporate LAN.   Don’t try to ignore it and bury your head in the sand because it isn’t going away.

If you haven’t done so yet, you better get some procedures developed or you will be playing catch up.  First, you need to decide what the Bring Your Own Device (BYOD) means in your environment.  Does it include only tablets and/or Smartphones?  Or are you going to allow laptops?   Just remember the line between tablets and laptops from a year ago is not the same line and is getting blurrier as I type this blog.    What data are you going to allow access to…email only or access to backend systems?   These are the decisions that need to be made and implemented via your policy with very few (preferably none) exceptions.

If you are going to allow tablets and smartphones access to data other that email, how are you going to manage the devices?  If your users want access to the data, they will need to give up some of their “ownership” of their devices.  You will want to be able to ensure password protection, remote wipe, certificates, and some sort of encryption on their device.  If they don’t agree to these requirements, don’t let them on the network. 

Another option, especially if you are going to allow BYOD laptops is to utilize virtualization.  Creation of virtual desktops for these users and allow the device to connect to a virtual desktop environment.  Most are configurable to control which services are or aren’t available…i.e. USB, drive mapping, etc…

You must also make the decision on what level of support your organization is going to provide.  If they parameters are identified up front, a lot of “un-forecasted” man-hours could be spent on troubleshooting user issues.  Also identify what operating systems will be acceptable and allowed to connect to the network.   For example, do you allow IOS devices, Android, Blackberry, and Windows Phones, or do you limited it to a smaller subset of devices?  What about laptops…Windows (all versions or just Win7), Mac, Linux?  

As you can see there are many decisions that need to be made and you must have management agreement.   One thing to remember is don’t back yourself into a corner that will force you to accept additional, unneeded risk in the future.  For example, make sure the controls you implement will adequately protect your most sensitive data because whatever your backend systems are, you can bet that the vendor is going to develop an app that will allow access to that system. 

~Skeeter

How welcome are your guests?

When Joe the salesman from Pete’s Software Palace shows up at the guard desk (because I know you have one) and is signed into the system and is asked to have a seat until you come to get him.  Is there a wired network connection in the lobby that would allow Joe to sniff your network?   If there is, you should probably disable the port for that specific jack.

After you come and get Joe and you go meet several other people in a conference room.  Joe says he needs Internet access; is his only option a wired network or do you have a guest wireless network?   The preferred option should be a wireless guest network, segregated from the corporate wireless network.   Additional controls could include a daily, rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee.   This ensures that someone at your company will know that they are connected to your guest wireless network.

If your company has fast, reliable corporate wireless network, another sound practice is disable unused wired ports in conference rooms.   Many times a vendor or contractor will be left alone in a conference room; the disabling of excess ports will help reduce the risk to the network.  

I will leave you this week with a couple of wireless network thoughts….what type of authentication to you require for your laptops to connect to the corporate wireless network?   If you are not requiring some type of machine authentication, you are at risk for access point spoofing.   How do you handle the ad-hoc networks your corporate laptops have previously connected to?  These are usually from traveling (i.e. hotel, airports, etc….) and they will continuously send out a signal looking for their respective network.  Another opportunity for access spoofing. Finally, How far does your wireless network extend outside of your building?

~Skeeter

How do Information Security and Internal Audit play nice?

What is the relationship between your Information Security department and the Internal Audit?  Is it a friendly work together relationship or is there resentment between the two teams?

Both the Information Security and IT Internal Audit teams have similar goals.  Make sure the company’s data is properly protected from inadvertent disclosure, modification, or inappropriate access.  However the attitudes displayed by each of the teams and their members can go a long way to helping build a constructive, working relationship. 

Since I have worked both sides in the same company…moving from Internal Audit to the Information Security team, I can provide some information of this subject.   Clear lines need to be drawn as to the responsibility of each team when the areas might start to come together.   For example, if a project for an upgrade of an application that falls under the Sarbanes-Oxley (SOX) umbrella. Both teams are going to interested in it…Information Security will probably be more interest in the details of a set of criteria for new applications, while Internal Audit is probably more interested only in those controls pertaining to SOX.   However, a lack of understand as to the other team’s responsibilities could lead to ill thoughts about the other team.

I believe each team can provide some level of assistance to the other team, there needs to be a defined separation of duties and each team member of both teams needs to understand where their responsibilities begin and, more importantly where their responsibilities end.

~Skeeter

How do you measure your risk?

If you ask 10 security professionals that perform risk evaluations how that measure risk and what is important, you will probably get 9 different answers.   There is a slim change that 2 might agree.  Below are three possible approaches to risk evaluation:

(1) Do you use a well defined methodology such as the NITST SP 800-30, Risk Management for Information Technology Systems?   You follow it religiously never wavering from the formula and the living by the numbers.  If it comes out at the top of the list, then you address it first without fail.

(2) Or do you use a “fly by the seat of your pants”, “this is how it feels” system?   Maybe you read about an exploit for the same vulnerability, so it is at the top of the list.   No scientific approach, not a repeatable process (at least not one that works the same way every time).  Maybe that application has little value in your mind or the application owner pissed you off once, so you make it painful for them.   This is not the recommended approach to risk management.

(3) Maybe you are using a combination of the two, where you incorporate some level of structure around the vulnerability, but reserve the ability to adjust based on your gut feeling after many years of Information Security practice? 

Option 3 is the option I feel currently works best for my situation.   For applications, systems, and projects/initiatives,   I have criteria based on vulnerability scan, type of data, how users will access the data, whether system is considered critical to the company.   Additionally, there is a set of questions based on a set of standard IT controls, and based on how these are answered; they get entered on a risk matrix.  Here is where the gut feel comes in…when answering impact and likelihood of these vulnerabilities.  IT controls directly implemented for this system, enterprise controls, and manual controls, etc… are all considered when making these evaluations.  This system is repeatable with the ability to make some judgment based the specific factors around the system being evaluated.

If you need a new risk evaluations methodology…probably only the 1^st or 3^rd options above are recommended.  If choose the 2^nd option, good luck. 

~Skeeter

Standards are like Rules...Made to be Broken

Standards are the preferred; however, as we all know, not everything fits into the same box.   How does your company handle the exception to the standard? 

Let’s say your company has a password standard of 8 characters, to include at least one lower case, one capital letter, one number, and one special character.  You also require account locking after 3 invalid tries and limit password reuse of last 10 passwords. If a department, say marketing, finds an application they say would greatly increase the company’s presence on the Internet and has a great Return on Investment (ROI); however, the application doesn’t require account locking after 3 invalid attempts.  Although the information stored in the application doesn’t include any company confidential information, do you allow the application?   If so, do you document it, along with the reasoning behind the decision?  

Now, if that same scenario is for a HR application that has sensitive employee data, do you make the same decision?  Maybe, maybe not.  You need to make the decision based on your organizations appetite for risk and what other controls are in place that might help mitigate the risk?  For example, if the HR application does checking to validate that the user is in a certain group, maybe a HR managers’ group, then maybe the decision is made to allow it.  However if you have loose controls around software installation on desktops and laptops and this HR application doesn’t do any group membership checking (or other compensating controls), then you might not want to allow it; this is the prime situation for a insider data breach. 

There is nothing wrong with deviating from the standards as long as you document the deviation and reasoning and you must also evaluate the risk associate with the situation. 

~Skeeter

Information Security Leader…where do you live?

Where does the leader of your information security function fit into the corporate structure?   Whether you have a Chief Information Security Officer, the function is handled by your Chief Information Officer (CIO), or this function falls to a Director in the IT organization, does the function have the proper authority to carry out its assigned duties?

If you your security leader falls  somewhere in the middle of your IT organization you are probably dealing issue revolving around competing with other IT teams for resources, such as funding, personnel, and equipment.  Also, sometimes you might suffer from an identity crisis, where business people think you are just like every other IT support team and don’t associate you with doing security functions.   However, you do have some advantages; it is easier to get a seat at the table on important IT initiatives and to become involved in application implementation earlier in the process.   

If your Information Security Leader is the CIO, he or she probably has many other responsibilities and you are competing for attention and resources.  Additionally, if this falls on the outskirts of the IT organization, you will be seen as the “red-headed, step-child” and won’t be involved in the initial, important discussions.  

The CISO scenario has several variables.  If your CISO is completely outside the IT organization you will also experience the outsider treatment for the IT organization.  However, this can be somewhat reduced if the CISO is moved inside the IT group and having the CISO report to the CIO with a “dotted line” to a senior executive outside of IT.   Additionally, the CISO should be on the same level as any senior IT executives (i.e. Vice President).   This will help ensure an equal voice when it comes to budget, personnel, and input on IT issues that involve security.

Where ever the Senior Security Leader is placed in the organization, the security team must build a relationship of trust with all levels, from VP to system administrator for the Information Security program to be successful.   Once this relationship is developed, and information security isn’t seen as the “No” team, then they will be invited to the table and everyone will win.

~Skeeter

Another Star for Texas

 Another week, another breach…and I didn’t have to spend a week on vacation to read about this one.   Off we go to the Lone Star State where yes, everything is bigger in Texas…3.5 million.   That is a lot of records to be involved in a single data breach.   If one were to use a cost of $200 per record, well…you can do the math and it is a BIG number.  However at this time, the State of Texas hasn’t offered any free credit monitoring services, but they have set up an informational website.  The story goes that the personal information was on a public facing website.   The information was names, addresses, social security numbers, driver license numbers, etc… the kind of information that shouldn’t be on a public website.  http://www.txsafeguard.org/

In most organizations the people that have access to that kind of information work for Human Resources (HR) and I will assume that is the case with the State of Texas also.   So one of two things happened; (1) HR personnel has privileges to post information on a public website or (2) IT personnel, say maybe the web support team, had access to HR data and downloaded it and posted it on the website.  For now, let us assume #1; although both scenarios lead to the same root cause.

Why does the HR person have access to post information to a website?  I could understand an internal human resources SharePoint site but not a public facing website.  I would have to consider this inappropriate access and it should have been identified during a periodic review of accesses or during an audit.  If neither of these reviews is performed on a recurring basis, then the State of Texas probably has lot bigger problems waiting to be identified.   It is also reported that a number of people have been fired over the incident.   If departments involved haven’t been audited then the wrong people have been fired.  If they have been audited recently, then the State of Texas needs to find different auditors. 

This is just another example of the importance of implementing an access review process, monitoring of privileged accesses, and have a 3^rd party come in once in a while and verify that everything is being done the way it should be.

~Skeeter

Data Breaches---Where are you?

I spent a few days in New York City on a vacation (and with only going online three times in five days) and started reviewing some on my favorite blogs and websites to see what happened in the information security world during my hiatus.  Low and behold, we have had a couple of more data breaches disclosed.   The biggest is the disclosure by Epsilon, who is used by a large number of companies for marketing (Epsilon data breach).   While only it would appear only email address where involved in the data breach, it does lead to some questions.

What kind of service level agreement (SLA) did the companies involved have with Epsilon?  How does your company evaluate the security controls of 3^rd party vendors (hopefully, prior to signing of the contract)?  Recently I have been reviewing the security controls and data privacy policies for several 3^rd party vendors that my company is looking at contracting for specific services.   While security controls might be in place and evaluated by a 3^rd party, some of the privacy policies leave something to be desired. 

One of the privacy policies only said that the vendor would only share the personal data (name, email, company, etc...) with their affiliated companies.  What the heck does that mean?  Is that companies that are only involve with the specific product we are looking at or does that mean any affiliated company on any project, product, or services they might contract for?   That could lead to dozens and dozens of companies that could potentially have access to data of my company’s employees.    What kind of privacy policy do all these other companies have?  What happens when one of these 3^rd or 4^th “generation” companies has a data breach?   My company will never get notified that the email addresses of our employee’s have been potentially involved in a data breach.   

The moral of the story, when you are reviewing the security controls of potential vendors, make sure you know the privacy policy of those vendors and ensure that the notification process is documented in the contract, including timeframes, who makes notifications and to whom those notifications are made.

~Skeeter

Security Education…Removing the dread

We can all admit that security education isn’t ever going to at the top of the user’s

super-happy-fun time list, but we can make it a little less painful.  And maybe, just maybe, they will find it useful and tolerable.  However, before you send out or conduct your next training, take a little time to evaluate you user education program.  

Have you defined the goals of your training program, other than to provide training to users?   Identify what areas you need to educate users on and if necessary, define classes of users and the training needed for each group.   For example, you will probably have general users (probably will include all users) that you will want to provide the basics…passwords controls, screen lock, phishing emails, etc…   What about those users that might need specialized training, HR, Legal, and Finance personnel?  Depending on your business sector, you might need to provide additional training to these groups.  Once you have determined the training needs, how do you deliver it?

There are several different ways that you can deliver training.  The first is the mandatory, formal training that everyone has grown to dread.   But if you are developing your own formal training (vs. outsourcing) here are a couple of helpful tips:

·         Don’t just use a slideshow / presentation.  Mix it up, include videos or other motion tools

·         Find someone that has a nice, pleasing voice to do the voice over.  Don’t let the monotone guy do it again.

·         Consider conducting group training vs. delivering over the computer.  In a group setting, make it fun…ask questions with small prizes for answers (right or wrong)

·         Work with other teams that deliver training to incorporate security into their training.  For example, if you are training on a new HR system, have a 15 minute session on protecting Personally Identifiable Information.

Once you have the formal training out of the way, users once in awhile need a gentle reminder of security procedures / precautions.   I call this Tidbit Training.   A couple of sentences or maybe a couple of short paragraphs on the company portal or in an email (let the email support guys know first).   If you relate this to things that might happen to the users at home, will give more punch.   For example, if you relate clicking on phishing emails training to an email you received, chances are the users have also received one (probably the same one).  Then you can relate the dangers of their personal information stolen to company data being stolen.  

Another successful method is the use of a Security Blog on your internal network.  This can be a touchy area with some companies as your management might want approval prior to publishing articles.   If that is the case, it might not be worth the hassle.  However, if you have free reign, then it can be a very powerful tool as long you keep it to information the general user population can relate to. 

 

Every time I start working on a user education article, I think back to my Air Force days and Safety Training.  Everyone hated Safety training, but there was a weekly report from the Navy Safety Office (I know…I can’t believe I typed it) that had a humorous spin on stupid things Sailors and Marines had done.   It didn’t seem like safety training, but that is exactly what it accomplished.  So remember, make your users a little less dreadful when you are developing Security training.

~Skeeter

One Stop Shopping --- Health Care and Credit Monitoring

For the 2nd time in less that 2 years, Health Net has lost a copy of the medical records of their customers (Infoweek.com article).  This time it is nearly 2 million records.  In 2009, they were fined and ordered to pay for 2 years of credit monitoring (must have been about time to renew the credit monitoring subscription).

You have to begin to doubt the company when they say "Protecting the privacy of our members is extremely important to us," Health Net said. "We apologize for any inconvenience or concern this may cause our members."   The article also said "Health Net's statement suggested that the drives may have been misplaced, not stolen. A spokesman called them "unaccounted-for server drives." The company said it was continuing to investigate, and "out of an abundance of caution" it decided to notify "the individuals whose information is on the drives." "

The company recently outsourced their complete IT operations to IBM. This incident highlights the importance, as company look for ways to reduce costs by outsourcing, of make sure all the security policies and procedures are review and meet your companies standards.   Make sure the security breach notification procedures are outlines as to which company has responsibility for specific tasks.  Having the Information Security involved early in the Request for Proposal (RFP) process can only help address some of the issues that might have been avoided by Health Net.

~Skeeter

Posting Your Life on Social Networking Sites

I have always considered myself somewhat of a logical thinker when it comes to what should be posted on social networking sites.  To clarify...I have a facebook page but I haven't posted anything to it; I only created the page so that I could monitor what my kids, nieces, nephews, friends kids, etc... were doing online (I feel that is part of my responsibility as a security professional).  There has been several times that I have contacted my facebook friends and informed them of the risks of some of the information they have posted on their site. 

For example, we had some friends come and visit us recently.  I happened to be on facebook the morning they were driving to our house.  I noticed their 14 year old daughter Amy had posted they were coming to visit us and was giving an up every couple of hours on the drive.   When they arrived, I told Amy that if I needed a TV and lived in their town, I would be visiting their house because I know they were going to be gone for 4 days.

Many times I have told my own kids, that for the most part, the only people that care about the information they post on facebook is those people without the best of intentions (except for Mom and Dad of course : )

Today's Thought:  Spend a few minutes each week and monitor the online activity of those people in your life and take the opportunity to educate them about the risks of online activity.

Until next time...Skeeter

Post #1

Why Skeeter Spray?   Information Security issues, problems,  and /or incidents (whatever you call them in your company) can be like those pesky little bugs.   There are many ways to deal with them:

1.  You can fog the whole yard and know that you will kill some.   Just as you can send out mass user education and hope some of it sticks with some of the users.
2.  You can light up a cigar and use the smoke to keep them away and the heck with the 2nd hand smoke.  Much like you create a policy that addresses a problem without concern for how it affects other business processes.
3.  You can spray some deet-based repellent and effectively keep the mosquitoes from biting you; however you must re-apply in several hours.  You can create an effective information security policy; however you must review on a recurring basis to make sure it is still performing as intended and if necessary rework the policy and reapply it.
4.  You can do nothing and swat at each one.  In the security world you go from one problem to another and usually don't end up fixing any of them...maybe (if you are lucky), you apply a band-aid.
5.  Or you can go in the house and ignore the mosquitoes.   Much in the same way you can ignore the security issue and hope it goes away.  Hint---unusually it doesn't go away...it gets worse.

Take the time to teach someone something about securing their personnel information.
Skeeter