Thursday, 20 October 2011
GAO Report on Information Security in Federal Government

Do you think your information is secure within the federal government?  You can make your own decision by reading the recent Information Security assessment by the Government Accountability Office (GAO).  Some observations by GAO are expected, others are disturbing.  Here are some statements that caught my attention:


1.  Growth in reported incidents from 2006 to 2010 of 650%.  Will the number of incidents simply overwhelm security staff?

2.  The GAO noted that the IRS has not yet fully implemented required components of its security program.  " and taxpayer information remain unnecessarily vulnerable to insider threats and at increased risk of unauthorized disclosure, modification, or destruction;  financial data are at increased risk of errors that result in misstatement;  and the agency's management decisions may  be based on unreliable or inaccurate financial information"  A private business operating under SOX compliance, for example, would not be able to survive this type of report.

3. Regarding the FDIC, "...the Federal Deposit Insurance Corporation did not have policies, procedures, and controls in place to ensure the appropriate segregation of incompatible duties, adequately manage the configuration of its financial information systems and update contingency plans."

4.  Regarding the National Archives and Records Administration, "..the agency did not always protect the boundaries of its networks by ....a firewall, enforce...use of complex passwords, limit users' access to systems to what was required for them to perform their official duties."


The most disturbing observation by the GAO was that no agency has fully implemented an agencywide security program.  In this case the GAO is referring to a security management program, including framework and activities for assessing risk, developing security procedures and monitoring effectiveness.  This is a basic security management gap, which should be addressed and without which security technology will not be effective.


To summarize the report, in the GAO's words:  "Persistent governmentwide weaknesses in information security controls threaten the confidentiality, integrity, and availability of the information and information systems supporting the operations and assets of federal agencies."

 It seems like we need better security leadership to address these problems, not better technology.



Posted on 10/20/2011 12:39 PM by Frederick Scholl
Monday, 17 October 2011
Lean Security

Earlier this year I published an ISSA Journal article (ISSA Journal, May 2011) advocating the use of lean management techniques to manage security.  This is just an observation that security needs to use business management methods to tie together people, process, technology and partners. 


Recently in the Harvard Business Review of October 2011 a good article appeared on the subject of lean:  "Lean Knowledge Work", by Professors Bradley Staats and David Upton.  They analyzed Wipro's adoption of lean into their software development process.  Here are their main points as applied to lean security:


1.  Eliminate Waste.  In manufacturing we are all familiar with waste:  overproduction;  unnecessary transportation, inventory and worker motion;  defects;  overprocessing;  waiting.  The same issues come up in knowledge work and can be applied to security processes.  For example, errors in implementing software changes will cause production outages.  Errors in implementing firewall rules can add security holes.  Poorly documented access management procedures or lack of automation will cause users to wait for application access.   Review your security processes to see what ideas you can come up with to reduce wasted time or efforts.


2. Specify the Work.  This translates to well documented security policies, procedures and standards.  Most companies have some type of security policy.  Fewer have working procedures or standards that are adhered to.  Absense of good procedures means more time training new employees and higher probability of security gaps being introduced whenever changes are implemented. 


3.  Structure Communications.  Much of security is built on good communications that involves everyone in the organization.  This includes awareness training for employees;  security event reporting from employees, contractors and vendors;  reporting security risks in business terms to management.  With a standard way of communicating for each of these stakeholders, results will be more predictable and security will be seen as a business function, not as an adhoc technical accessory.


4.  Address Problems Quickly.  Security breaches do get addressed quickly.  But too often security events are not analyzed for root cause and the cause eliminated.  Since we are stuck with highly flawed software and systems, it is critical to continually be improving those systems through effective problem resolution.


5.  Plan for an Incremental Journey.  Too often security is driven by compliance and compliance is seen as the end goal.  Real security requires a cultural change and must be put in place over time.  The best way to make this happen is to set up a simple metric that tracks the effectiveness of the security program and set up a plan to improve on that metric quarter over quarter, just as with other business functions.


In summary, manage security as a business process, not a disconnected set of technical controls.  Lean is a set of management tools to help do this.





Posted on 10/17/2011 6:44 PM by Frederick Scholl
Wednesday, 5 October 2011
Mitigate Your Social Engineering Vulnerabilities

Security managers spend significant amounts of time analyzing software vulnerabilities and patching the same.  I just looked at the Common Vulnerability and Exposure database (CVE) and see that it now has 47,555 vulnerabilities.  But how many security managers have analyzed or cataloged the social engineering vulnerabililties faced by their organizations?  I suspect few.  Virtually all security managers have a technical background and social engineering skills (for good or evil) do not come naturally for most.  Now however, we have Kevin Mitnick's new book, Ghost in the Wires, the practioner's handbook of social engineering.  I don't normally choose to purchase or recommend books written by convicted felons, but in this case I am making an exception.  Mitnick's story is full of specific examples of social engineering tricks.  This is such a common attack vector today this his book is valuable reading for all involved with protecting information.  From Ghost you can identify attack vectors that apply to your organization and make sure that mitigating controls are in place.

Some examples from Mitnick's experience.

1.  Reconnaissance--Mitnick was a master at researching his targets, learning their language and culture before calling anyone.  Today this is much easier with web sites and social networks.  You can't eliminate the web, but you need to periodically monitor  information that is on your web site and on social networks.  Do you really need the help desk number and process for resetting passwords published on your public facing web site?  I have seen this at more than one site.

2.  Tailgating--This is entering a building behind others.  Not a problem in small firms or large firms with professional security guards.  I have seen this in campus settings where the organization is distributed enough that people do not know each other, but the culture is relaxed.  If this is an issue at your site, make it part of regular awareness training.

3.  Impersonating Insiders--One of Mitnick's favorite hacks.  In most of his calls to "marks" he posed as a tech support person, help desk person or other insider.  Training is needed to remind employees that they must verify the identity of anyone asking them for sensitive information.  Phone numbers can be spoofed as can IP addresses and email addresses.  Trust but verify must be the mantra.

4.  Dumpster diving--Another of Mitnick's tricks.  Many businesses still have tons of paper data with sensitive information.  Do you have a process for disposing of it?  Usually it will be outsourced.  This hack is so common, that it is worthwhile going over the process in detail.  Do the same for disposing of electronic data contained on PC's, servers and other devices.


In summary, if you pay as much attention to social engineering vulnerabilities as to software and technical vulnerabilities, you stand a much better chance of staying out of the sequel to Mitnick's book.





Posted on 10/05/2011 1:54 PM by Frederick Scholl