What is Information Security and How Does it Help?

March 28, 2009

A peer recently pointed me to a discussion about information security as a “business enabler.” Daniel Miessler argued that:

‘Security isn’t an “enabler”; that line can hurt us. Security is about NOT doing things wrong, as part of overall quality.’

and later in his essay that

“In a CEO’s big picture, there’s no difference between a web application firewall and a fire alarm and sprinkler system. Ultimately they both reduce to one thing: an operating expense.”

There followed a number of thoughtful comments, and dialog.

The same day, Jeremiah Grossman [WhiteHat Security] wrote an essay about selling application security. He offered that application security should enable:

“solutions to be implemented in the time and place that maximizes return, demonstrates success, and by extension justifies the investment to the business in the language they understand.”

He linked to a number of others’ writing about the topic and argued that one of the critical goals must be to help CIOs and CSOs “understand the relevant issues.” He appears to have worked with the Web Application Security Consortium (WASC) and The SANS Institute to initiate a joint open community project to build out a “risk-based enterprise website security strategy.” Mr. Grossman’s essay was followed by more thoughtful commenting and discussion.

After reading a number of the links and thinking about these two threads, I think that both have value. Any rant about sales “lines” that get repeated without a thought is a good thing in-and-of-itself. I think that both writers express frustration at the difficulty of motivating senior corporate leaders to part with their money for “security-related” investments. That is understandable. “Investment” funding is difficult for everyone today. I am working in financial services — where trillions of dollars of assets that we depended upon have simply disappeared. Money is very tight here. I understand why product and services vendors have been increasingly manic, frantic, and sometimes even bullying in the messages they email and leave on my phone.

So, what do I have to offer?

As a bumper sticker, “security as a business enabler” is just more vacuous blather. But if it is used as part of a more serious attempt to get at the problems of taking business-appropriate risks, or performing risk-appropriate business, then work like that proposed for “risk-based enterprise website security strategy” might be useful. I believe that the most effective information and technology operations risk management decision-making today happens because of the joint efforts of serious information security professionals and leaders (formal and informal) across the various organizations that make up modern corporations in most fields today. Depending on the given corporate culture, this is less or more process-driven.

  • Sometimes it is strictly a matter of personal relationships (a risk-elevating situation).
  • In other situations, project processes link these communities for long enough to work out understandings and plans that can facilitate effectively dealing with risks.
  • Some organizations have broad and deep formalization of their organizational relationships, and the processes and information flows to maintain a shared understanding of threats, risks, controls & mitigations, current state, etc.

I believe that the first two situations above dominate, and that the third is an exception. As a result, whatever we do to support creation of a “risk-based enterprise website security strategy,” or to find a new broad description of why information security is valuable, needs to be useful in those organizations that depend heavily on cross-domain relationships between serious professionals to prioritize risk management investments. This is not meant to imply that information and application security specialists are not valuable. They are critical to the success of most organizations. I am responding to the focus on “selling.” Successful sales will require connecting with and delivering an effective message to those who can pay, or who can materially influence those who can pay. My experience has been that this is an increasingly small population.

For a number of years, I was intermittently called upon to assist a large corporate merger & acquisition team. We would review the target infrastructure, its operations, and the staff in the context of that target requiring quick and efficient on-boarding. There appeared to be a pattern, where the “best” IT, information security, and risk management teams were most tightly integrated into the broader corporate business operations. They viewed themselves as an integral member of the team — the only team, the one that served customers, partners, and investors. Sure, that is difficult in large, diversified corporations. It just didn’t stop some individuals, or other groups of IT and security professionals. A couple of years ago, Gunnar Peterson wrote that

“The role of the security architecture is not to steer the business away from risk, but rather to educate their business partners about the risks they are taking and provide countermeasures that enable the business to take as much risk as suits their goals.”

This seems like a good description of a small slice of what I saw at those few M&A targets where there was a minimum of cultural separation between executive management, marketing, sales, product development, logistics, support, security, and the IT organization’s technical specialists who kept the “plumbing” humming so that it all worked. All this is not to imply that everybody needed to know everything. Decision-makers of all kinds understood that they needed a threshold understanding of short and long term goals along many of the specialty-dimensions that were required to operate in their field.

None of that excluded the kind of data-rich analytical work proposed recently by Ron Charette. His notion of collecting specific buckets of “strongly-typed” information about application security to support analysis and reporting — essential for making informed decisions — makes a lot of sense.

It seems, though, that in many corporate environments, it requires data, along with individuals having a critical mass of professional risk management experience and what I will abbreviate as “adult business behaviors,” to effectively join teams of leaders (at all levels) to deal with risk in a manner that expresses time-, product-, and location-bound risk tolerances. That professional and “adult” combination is still a barrier for too many, and no new strategy will break through that barrier.

There is little, and shrinking, room for techno-centric (“geek”) information security pros in the business communities where serious information or technology infrastructure operations risk decision-making takes place. Similarly, there appears to be dwindling room for experience-light or even experience-free “professional leaders.” Some career security team members engage all their work-life energy in the details, technologies, and operations of a modern information security organization, and then attempt to apply what they know to the various projects that come their way. They serve a valuable purpose, but they require constant management attention. They will tend to be of little assistance when we need to help translate pools of valuable data into a material resource for business decision-making, and even less when we have only a fine mist of information available.

A serious, expert, security professional is not only the holder of a credential. They need to have worked through at least a decade (see: “The Making of an Expert.” HBR 1 Jul 2007) of intense practice and dedicated coaching, constantly pushing themselves beyond their comfort zones to understand enough of the history, theory, craft, and rigorous intellectual practices that support risk management in a modern diversified corporate environment. A key component of that professionalization is learning how to share with and learn from leaders (formal and informal) throughout a business. In a highly dynamic business environment, they need to be able to synthesize new knowledge from their learning and experiences. Some are able to “simply” join that broader business environment. Others need to help construct more formalized processes, even new organizations to facilitate the level of cross-domain interaction required to effectively align risk decision-making and implementations with the other business dimensions essential for success in the marketplace. In either situation, this is what I meant by “adult business behaviors” above. Get a new model for “selling” information security as an enabler, or a new enterprise website security strategy into their hands, and I believe that you will begin to get traction.

— References —
“The Problem With Selling Information Security as a ‘Business Enabler.’” By Daniel Miessler, March 26, 2009: http://dmiessler.com/blog/the-problem-with-selling-information-security-as-a-business-enabler

“Website security needs a strategy.” By Jeremiah Grossman, Thursday, March 26, 2009: http://jeremiahgrossman.blogspot.com/2009/03/website-security-needs-strategy.html

“Security Architecture Blueprint.” By Gunnar Peterson: http://arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf and http://1raindrop.typepad.com/1_raindrop/2007/05/security_archit.html

“Proposal of Web Application Security Metric Framework to Compliance/Configuration Management Vendors.” By Ron Charette: http://roncharette.blogspot.com/2009/03/proposal-of-web-application-security_26.html

“The Making of an Expert.” HBR 1 Jul 2007, By K. Anders Ericsson, Michael J. Prietula, and Edward T. Cokely (requires login or purchase to access most of the article): http://hbr.harvardbusiness.org/2007/07/the-making-of-an-expert/ar/1


Partial Knowledge is Extraordinarily Dangerous

March 22, 2009

“Partial knowledge is extraordinarily dangerous.”

I am sometimes asked about how to evaluate the information security and risk management needs of a given organization.  Other times a similar issue comes up, where a leader wants to understand what it would take to have some of their people become “security” experts.  In either situation, I am somewhat uncomfortable with my capabilities in the area of learning, and of the types of measurements that might help identify who is prepared to deal with material information security and risk management issues in diversified corporate environments, and why.  I currently have no formulaic response, no elevator speech.  I could use your input on this topic.

I was reading earlier this weekend.  CSPAN was on in the background.  And at some point, I heard Justice David Souter (U.S. Supreme Court) respond to a question about the value of a Humanities education in a way that may help a little with the puzzle I posed above.

Justice Souter said that, “If I were attempting to develop a strategy (in support of Humanities), it would be based on the assumption that ‘A little learning is a dangerous thing… and an analog to that is that partial learning is a dangerous thing.'”  He went on:

“We have a number of examples of partial learning thrust on us over the last few years.  We know a lot more about military defense than we do about the divisions among the Muslim world.  We have a State Department that I have read, frequently, does not have very many Arabic speakers in it.  And one could go on with examples in the arena of what could be publicly-serviceable knowledge, and I think that if I have to have a starting point, I think that it would be that ‘Partial knowledge is extraordinarily dangerous.'” [this was around 1:16 into the program]

Later [around 1:36 into the program] Carolyn Brown, Director – Office of Scholarly Programs, Library of Congress, asked a question about defining with greater precision what the panelists mean by “Habits of mind?” and what should we do with it?

In response, Justice Souter summarized part of a speech by

“Howard Mumford Jones, where, after suggesting that ‘all Harvard graduates are illiterate, and committed to remaining illiterate,’ and he was sort of gently berating his audience by analyzing a day down to where there were, I don’t know… only 18 minutes left free, and then he asked: what should you do with it? — there was a pause — and answered (with passion) ‘You could read a book!'”

Souter went on to say that at some point one will “find a book so familiar that when there is a moment, one will open it.”  “Opening enough of those books,” he said, “results in a lesson best described by Judge Learned Hand, ‘who once said that if he could have his way, he would have engraved over every library, school, statehouse, and courthouse all over the United States, a quote by Oliver Cromwell: “Consider that yea may be wrong…”’”  He concluded his thought with, “The habit of mind which characterizes the liberal arts, the habit of mind that opens the book, is also the habit which teaches us that lesson of Oliver Cromwell.  One is a physical habit, and the other is a habit of judgment that is likely to follow from it.”

Soon after, Patricia Q. Stonesifer, Chairwoman, Smithsonian Institution, cautioned of “The enormous danger of anyone living in a state of certainty…”  And she asked us to “Develop a state of uncertainty and combine it with a habit of real learning…”  Then she concluded with “One of the habits of the mind is staying open to uncertainty.”

I think that there is some wisdom in these quotes for anyone attempting to assess their information risk management needs in a large corporate organization, or for anyone attempting to design an information security curriculum for individuals and groups who, until recently (or possibly until some point in the future) had never really thought about the topic.  Information security and risk management in a large, diversified, infrastructure-heavy corporate environment requires some of the breadth and specialization found in the university-level Humanities.  The differences between information security staff who can do what they are told, and those who can lead, involve a range of dimensions, but they are all dependent upon judgment.  I believe that there is a relatively healthy connection between the “habits of the mind” that Justice Souter and the other panelists discussed, and the type of judgment required for leaders in the information security field today.

What do you think?

— References —

American Academy of Arts and Sciences Symposium – Washington, DC
“The Humanities in a Civil Society.”
Recorded on Monday, March 9, 2009, at George Washington University.
Moderator: Leslie Berlowitz, Chief Executive Officer, American Academy
Speakers:

  • Edward L. Ayers, President, University of Richmond
  • Don Michael Randel, President, The Mellon Foundation
  • David Souter, Associate Justice, United States Supreme Court
  • Patricia Q. Stonesifer, Chairwoman, Smithsonian Institution

http://www.amacad.org/events/recent.aspx

Watch C-SPAN’s coverage of this Symposium: http://www.c-span.org/Watch/watch.aspx?MediaId=HP-A-16159

Justice David Souter: http://en.wikipedia.org/wiki/David_Souter and his official bio at http://www.supremecourtus.gov/about/biographiescurrent.pdf

Carolyn Brown: http://www.loc.gov/loc/lcib/0605/staff.html

Howard Mumford Jones: http://en.wikipedia.org/wiki/Howard_Mumford_Jones

Learned Hand: http://en.wikipedia.org/wiki/Learned_Hand

Oliver Cromwell: http://en.wikipedia.org/wiki/Oliver_Cromwell or for more in-depth material see http://www.olivercromwell.org/


Analysis of a Credit Card Theft Scam

March 20, 2009

It is easy to build mental models of cyber-criminals.  My experience is that it seems to help many individuals to find some sort of work-life balance, and to offer comfort that “high-tech” criminals are a world apart from the rest of us.  They are alien, and easily identifiable in the first person (of course, most will never have a knowing, real-time, first-person interaction with an active cyber-criminal or credit card fraudster).  Building these images and living in comfort, though, does not mean that those images are even remotely factual or relevant in any way to what is going on in the information security and fraud fields today.  Assuming that the world matches what we wish it to be is a relatively common cognitive trap — one that has no place in the information security and risk management professions.

In that vein, Jacob Apelbaum offers a valuable and interesting overview and analysis of a credit card theft scam operation.

He received a couple credit card scam calls lasting only a relatively short time, but he listened carefully, collected data, and shares with us an illuminating tale.

As the result of this experience, he wrote,

“My mental image of the on-line fraudster has changed irrevocably.  Whereas before I viewed fraud as an opportunistic low tech effort executed by crafty individuals, I now view it as a commercial operation, in many ways similar to a legitimate telemarketing niche industry.  It employs a well trained workforce, cutting edge BI and telecom technology and a large database of would be “customers”.”

He concluded that:

“At its core, fraud is propagated via subtle means and recognizing it requires the aggregation of many nuances which individually may appear inconsequential.”

Mr. Apelbaum outlines some of the more interesting elements of his experience:

  1. Psychological Usage of Ambient Sound–likely a recording simulating a response hot-line, designed to create the illusion of a busy call center…
  2. Call Traceability and Legitimacy–When asked, the “call center representative” said that her call center was located in a state that corresponded to the area code appearing on his caller ID.  When tested, the number rang and then rolled to a voice mail system saying that “due to the high call volume I have reached a mail box and should leave a message”…
  3. Well Scripted Dialogs–During the conversation, the “call center representative” responded in a consistent manner to his questions, emphasizing the positive, and assuring him that any risks were covered…
  4. Plausibility–Whenever the conversation drifted away from the “call center representative’s” primary objective (i.e. getting his credit card and other personal information), they eloquently and skillfully navigated him back to the same spot…
  5. Professional Composure and Manners–The “call center representative” remained polite and composed, always maintaining a businesslike demeanor and projecting an image of legitimacy.
  6. Effective Use of Higher Authority–Brought in the “supervisor” when requested.

My bullets above are only abbreviations of his descriptions, which I highly recommend to everyone involved in information security and financial services risk management.

— References —

“An Afternoon with a Fraudster.” http://apelbaum.wordpress.com/2009/03/20/an-afternoon-with-a-fraudster/

Jacob Apelbaum: http://www.linkedin.com/in/japelbaum


Measuring Security Program Value

March 12, 2009

I recently read an essay by Matthew Rosenquist titled: “Top Techniques for Measuring Security Value.”  The content was from a class he taught periodically.  In this section, he was attempting to teach “how to think critically while calculating information security value.”  He presents a list of “methods to show value.”  He makes it clear that they are presented as “archetypes” of measuring techniques along with his quick summary of strengths, weaknesses, and applicability for each.

I recommend the list to security professionals.  It leaves me uncomfortable, and wondering “what next.”  Each of the archetypes is proposed periodically by individuals I work with, by writers in trade publications, by industry experts, by consultants, and by pre-sales engineers working for the great, global “security” firms.  Too often they are, to me, the noise attempting to fill the space that is senior management’s desire for a simple story.  None are easy.  All have serious implementation issues.  And when I read quickly through the eight metrics, they ring hollow.

It is not entirely clear to me, but it seems like they ring hollow for Matthew Rosenquist as well.  He sums up his essay with, “Let common sense prevail.  If the value must be understood to compare to other options, articulate security posture, or justify spending, then do an assessment.  Otherwise, ask yourself if it is really needed.”  He offers that it is OK “to not measure the value of a security program.”

I hope that Mr. Rosenquist has the opportunity to build out his argument and rationale.  The mass of effort devoted to outlining the archetypes, followed by the quick proposal that they can be ignored, is supremely unsatisfying.  This is rich territory.  There are such vast economic forces behind the application of one or more of his archetypes, and historical momentum [at least in my experience] tends to exaggerate their mass — it is difficult to imagine that senior leaders will come around to the “Let common sense prevail” approach.

There is some risk, though, that one individual’s common sense is an absurdity to another.  Professionalism, experience, and a drive to become an expert in risk management matter.  The opinions of a novice, or an “outsider” may have their place in corporate information, infrastructure, and technology operations risk management, but they bring with them a risk rich challenge.  I’ll save a discussion on that topic for another day.

Read Mr. Rosenquist’s essay and let me know what you think.

— References —

Matthew Rosenquist: http://communities.intel.com/people/MatthewRosenquist

“Top Techniques for Measuring Security Value.” http://communities.intel.com/openport/community/openportit/it/blog/2009/03/02/top-techniques-for-measuring-security-value


Phishing, Pharming, and Trojan Attacks Rise

March 7, 2009

The RSA Anti-Fraud Command Center’s (AFCC) 6-page “2008 Phishing Trends Report” is a quick read, and its content should be part of every financial services CISO’s elevator speech about current threats.
The RSA AFCC is a 24×7 organization that attempts to detect, monitor, track and shut down phishing, pharming and Trojan attacks against more than 300 institutions worldwide.

I’ll try to summarize the report:
Online fraud continues to evolve.  Phishing and pharming remain a leading expression of sophisticated, organized and innovative tech-rich crime waves faced by online businesses.  New tools help criminals adapt more rapidly than ever. [page 1]

In 2008, the RSA AFCC detected 135,426 phishing attacks, compared to just over 90,000 in 2007 — a 66% increase.  [pages 1-2]

Financial brands within the U.S. suffered 68% of the total number of brand attacks, ten times higher than the number of brands attacked within the U.K. – which ranked a distant second on the list.  The rate of attacks against brands within every other country on the list fell between 1% and 6% of the total.  The financial services industry was the most targeted industry by far in 2008. [page 2]

Although the number of attacked brands in the U.S. was far higher than others, the U.K. led in terms of total volume of attacks because of numerous attacks against a small number of U.K. financial institutions during 2008.  Phishing attacks in Latin America and Asia Pacific countries also supplied a material portion of the overall number of phishing attacks. [page 3]

The RSA AFCC reported that their monitoring found that the number of financial institutions and other brands attacked varied from a low of 167 in October to a high of 225 in April 2008.  Across the year, AFCC monitoring identified an average of 194 attacked brands each month. [page 4]

62% of these attacks were sourced from the United States.  The U.S. was followed by France (9%), South Korea (6%), Germany (5%), and then U.K., China, Pakistan, Canada, & Russia all at approximately 3% each. [page 5]

The distribution of attacks against nationwide banks, regional banks, and credit unions in the U.S. changed throughout the year.  The distribution was 26%, 29%, and 45% respectively in January.  It had changed to 23%, 57%, and 20% respectively by December. [page 6]

Everyone in financial services organizations needs to be trained, and to understand that they must not click on, or open, anything unexpected, or anything that does not meet their understanding of “normal.”  For many of us, the threat is great enough that we employ sophisticated, multi-layered email analysis and “sanitizing” infrastructure.  Some also use external (cloud) services to help reduce phishing threats directed against a corporate workforce and its leaders.

But what about our customers and partners?  There is still a lot of room for positive evolution there.  I am a customer of a financial services empire that promises never to send links or requests for personal or account information via email.  While that may significantly simplify the customer equation, criminals still find ways to game them.  The “no links” approach will not work for every corporation.  I am curious to learn what has been working for you.

— References —

“2008 Phishing Trends Report” by the RSA Anti-Fraud Command Center: http://www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_1208.pdf

Also:

“Invisible, hi-tech crime world of fraudsters.” http://news.ciol.com/News/News-Reports/Invisible,-hi-tech-crime-world-of-fraudsters/6309116924/0/


Social Networks are a Global Malicious Code Channel

March 4, 2009

If you are not familiar with the user base of the social networking sites identified in my last post, you might think that all of them retain a North American focus, and then that this might be a North American problem.  It isn’t.  For example, two recent reports by Finjan identify analogous problems on the livedoor.jp and yaplog.jp social networking sites.  Both systems were infected via malicious iFrames and ActiveX applications designed to take advantage of a range of Windows vulnerabilities, compromise the local environment, and download additional malicious code, including a trojan that steals the user’s credentials.

The Finjan team does a good job outlining their position concerning a key risk of Web2.0 — that is “giving users the power to add code also gives them the power to add malicious code.”  Finjan promotes real-time content inspection.  That approach may buy time, but comprehensive and effective input validation and output encoding still seem like the only approach that will ultimately be successful.
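As an added example of the output-encoding approach the paragraph favours (this is not code from the Finjan reports or from the original post), the following JavaScript encodes user-submitted content for the HTML context it lands in before rendering, so that an injected iframe or ActiveX object tag is displayed as text rather than loaded by the browser. The function names, the sample comment and the `malicious.example` hostname are constructed for illustration.

```javascript
// Added example, not from the original post: context-specific output encoding
// for user-supplied content on a Web 2.0 site, with an allow-list validator on
// the way in and a defence-in-depth check on the rendered fragment.

// Encode a value for insertion as HTML text content. The five characters below
// are the ones that can change the meaning of surrounding markup.
function encodeForHtmlText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Encode a value for insertion inside a double-quoted HTML attribute.
// Same set as text context plus the backtick, which some legacy browsers
// treated as an attribute delimiter.
function encodeForHtmlAttribute(value) {
  return encodeForHtmlText(value).replace(/`/g, '&#x60;');
}

// Input validation: display names are restricted to an allow-list of letters,
// digits and a few separators. Anything else is rejected, not "cleaned".
const DISPLAY_NAME_RE = /^[\p{L}\p{N} _.-]{1,40}$/u;

function validateDisplayName(name) {
  if (typeof name !== 'string' || !DISPLAY_NAME_RE.test(name)) {
    throw new Error('invalid display name');
  }
  return name;
}

// Render one user comment. The markup is fixed; every user-controlled value is
// encoded for the exact context (attribute vs. text) it is inserted into.
function renderComment(comment) {
  const name = encodeForHtmlAttribute(validateDisplayName(comment.author));
  const body = encodeForHtmlText(comment.body);
  return `<div class="comment" data-author="${name}"><p>${body}</p></div>`;
}

// Defence in depth: after encoding, no active-content element may survive in
// the fragment. Suitable as a unit-test helper or a pre-publish assertion.
const ACTIVE_CONTENT_RE = /<\s*\/?\s*(iframe|script|object|embed|applet)\b/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT_RE.test(html);
}

// Constructed sample input (hostname is a placeholder): a comment whose body
// carries a zero-size iframe and an object tag of the kind the reports
// describe being injected into blog pages.
const SAMPLE_COMMENT = {
  author: 'friendly_user',
  body: 'nice post! <iframe src="http://malicious.example/x" width="0" height="0"></iframe>' +
        ' <object classid="clsid:PLACEHOLDER"></object>',
};

// Returns the rendered fragment together with before/after active-content checks.
function demo() {
  const html = renderComment(SAMPLE_COMMENT);
  return {
    html,
    rawHadActiveContent: containsActiveContent(SAMPLE_COMMENT.body),
    renderedHasActiveContent: containsActiveContent(html),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```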

How does your organization approach this issue?

— References —
“Cyber Sino-Japanese War?” MCRC Blog, Feb 26, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2197
“Malware and the rising sun website” MCRC Blog, Feb 24, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2195


Worm in Social Networks Again

March 2, 2009

Social networking sites have been a favorite for malicious code and injection attacks.

A worm that hit Facebook last year has resurfaced and is now hijacking user accounts — not only for that social networking service, but also for MySpace, Friendster, LiveJournal and others.

The Koobface worm is again hijacking user accounts on Facebook, bebo.com, Friendster, fubar.com, hi5.com, LiveJournal, MySpace, myYearbook, Netlog and Tagged.

Trend Micro named it “Koobface.az,” and said that the worm rifles through a compromised PC, sniffs out browser cookies associated with 10 different social networking sites, uses the usernames and passwords within those cookies to log on to each service, searches for the infected user’s friends, and then sends those people messages that include a link to the worm.

Many businesses appear to want to inject themselves into the fabric of social networking sites in order to better connect with their customers.  This should be a reminder that these sites represent a risk profile not usually found in corporate environments.

— References —

More at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9128842&taxonomyId=17&intsrc=kc_top

and TrendMicro http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KOOBFACE.AZ&VSect=T

