I am putting the finishing touches on an executive presentation for a client. Our finding, after a series of technical tests, a review of their policies and their security administrative components, was that they are generally proactive on security from a technical perspective but any additional maturation or improvement of their program requires management involvement.
I am going to present this to a senior management team that has already informed me they don't want to hear that message.
This isn't the first time Jacadis has encountered such a situation.
Why should senior management be involved in security decisions?
At some level security decisions are really risk management decisions and not just technical, information security decisions. Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table.
Sorry, managers, but this isn't just geeky stuff.
Here is a quick list of five questions on which my client's technical team needs senior management input, involvement and/or leadership:
Are we obligated by law or contract to comply with HIPAA?
Are we obligated to comply with PCI? Are we exposed in the way we handle credit card data?
How long can your business operate with reduced computer facilities? Which facilities are most important to the mission?
How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
What are our employees permitted to do with social media outside of work hours on their own computers?
Are you putting your technical team in a spot where you expect them to protect your business but don't share critical information with them or involve yourself in their decision-making process? If you are in a business that is data driven (and which business today isn't?), your lack of involvement will likely ensure high technical team turnover, raise the possibility that security issues will interfere with your business, decrease the resiliency of your business and potentially put vendor and client relationships at risk, while also opening your business (and perhaps yourself personally) to legal and regulatory liability.
After operating my own business for 10-plus years I often get asked by new entrepreneurs starting out what things I think are most important to someone starting up a new business.
1. Focus on your craft, but become an expert at sales. When I started I thought that I needed to be the best I could be at what we do (information security, privacy, risk management) and how we do it (project management, professional services management). I have found over the years though that if you don't understand the sales process and excel as a participant in it you can lose sales to firms that don't know the craft as well as you and you can miss customer expectations. Truly every project begins with sales.
2. Find a good lawyer. Find a good accountant. I have had a good accountant almost from day one, John Davidson (no relation, really) from Kyles Hill. John's taught me a lot about the financial side of business, sat beside me in negotiations as our CFO and given me a different perspective that has helped me and Jacadis grow. We have had good legal work done but no attorney has given us the depth of the effort that John brought us on the accounting side. That, I believe, was a weakness in our formative years.
3. Take the time to write a simple business plan. Spend your time searching for a good simple business plan outline. Take the time to work through it. Focus on the directional issues. Why does your business exist? What does it do? Why do people need it? Who are your customers? Where do you find them? What do you need to do your work successfully? Can your idea scale? What do you need to scale? A solid business plan can be written in a weekend. Don't put it on the shelf. I pull ours out every quarter to check our direction. Sometimes I adjust the plan with input from senior staff. Sometimes I adjust the work effort or activities. Regardless, we make course corrections every quarter because the plan is a living guide for who we are, what we do and who we serve.
4. Design the business with security and privacy in mind. Really. We run our businesses off the fuel of information. Too often we have seen small businesses fail or struggle because they have lost the confidentiality of key information, lost access to key information or found that it became contaminated and unusable. Larger businesses can absorb more damage. Many of them, by virtue of their size, have these covered. Small businesses can't absorb much damage. In the rush to focus on sales and craft many entrepreneurs forget the basics and leave their networks open to the outside, key customer data exposed, or simply opt to save a few bucks and not back up their information. There are stories in the news regularly about business failures that were planning failures because business starters didn't think about security and privacy at startup.
With so much focus these days on data privacy and individual identities, much of the conversation within the security community, and from the security community to the business community, skips over other critical information types that need to be protected.
This is a list of information that you should also work to protect:
1. Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorer's paradise?
2. Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient Chinese secret (remember the Calgon commercials?), but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material at quantity and had factories worldwide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?
3. Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer you’ll have to redo the work. The same is true for data entry, etc. The work itself might not be “secret” but should you lose it you’ll really be losing time and value. As I sit here typing, most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundry. His forms and molds breaking means he has to redo them, just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?
4. Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and thoughtlessly sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people, so a company that completely hides the details of its key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invite more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?
5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customers' pains and challenges, and the other sort of information that fuels a personal relationship between your business and your clients should be protected regardless of whether or not the information is considered private, confidential or in some way protected by law or regulation. Protecting your customers' information promotes trust. Are you promoting trust with your customers?
What types of information that must be protected did I miss?
This is a marketing message we put out to our customers and prospects. It seems like it is the time of the year for the annual pen test. Did you know Jacadis did them? If you need to have a pen test as part of your annual audit process, for compliance purposes or just because it is a best practice activity and it has been a while, we'd love to know how we can help.
Do you know your attack surface? Do cybercriminals know?
Unethical hackers are motivated, skilled, and equipped to steal from your company -- regardless of staff, budget, or industry. JACADIS can help your organization understand your attack surface, as well as teach you how to protect it.
Prevention is not enough
Firewalls, IPS, antivirus, and web application firewalls are no match for organized, highly sophisticated criminals. If your company is in their cross-hairs, they will break in. When they do, will you know?
... levels the playing field by safely emulating the tactics of cybercriminals -- not just to penetrate your network, but also to identify blind spots in your detection and response mechanisms. In addition to finding and exploiting weaknesses, we run a series of "what-if" scenarios that assume the break-in is a foregone conclusion.
JACADIS will...
Evaluate your corporate awareness regarding social engineering attacks;
Optimize your incident response processes to account for sophisticated attackers and insider abuse;
Find your security gaps and blind spots, then provide guidance on tuning your IPS/SIEM;
Educate your staff regarding threat models, illustrating traffic and attack paths to and from the Internet, mission critical systems, and end users;
Report details on who clicked what, and what was "visible" from their system;
Generate a detailed report for technical personnel and executive management;
Provide a road map of prioritized risk-based "next actions" to remediate the most critical vulnerabilities first.
If you need a quality Penetration Test we'd love to have the opportunity to help. Contact our sales team at sales@jacadis.com or http://www.jacadis.com/About/ContactUs/tabid/83/Default.aspx.
We had a unique call come in yesterday, one I wish we had more of, but we don't.
A small business owner with a brokerage of sorts wanted to develop a website that would allow the producers and the buyers to post information, in some cases highly personal information, review non-confidential subsets of the data about the other and keep the whole thing secured from the outside.
She asked if we could help and provide "small business pricing quotes."
In fact, I don't think many security firms get those calls.
Most of our calls are after the fact either after the app or system has been developed or just after it has been breached.
She called us asking questions because she didn't have any answers. I think that approach serves us well in many endeavors.
We can help her. We offered to help her develop a list of functions and safeguards she needed in her application, help her manage the procurement process and then to test the application for security before she accepted it from her developer.
In 10 years of business that was a first.
Most applications, particularly web applications, are built without much thought to information security, customer privacy or regulations covering the information.
Truthfully no application is 100% secure. But an application that has been designed and developed with careful consideration for its information security, user privacy and regulatory requirements stands a great defensive chance once it has been launched. Testing that application before launch further raises the defensive posture. Regular testing and a proper operational routine after it has been released to production even further raises that posture.
Again, our experience has been that most businesses, particularly small businesses, design and develop applications, release them to production and then, through some event, realize that security is a concern. There is a breach or a break-in. The site is knocked offline by a denial of service attack and revenue streams are interrupted. The invoice from the payment card processor is higher than they want to pay and they find it is because of non-compliance with PCI. And so on.
This occurs because two things don’t happen up front:
Security just isn’t talked about as part of the design process. It must be!
An assumption is made that the developer and hosting providers on the project will handle security. In most cases they won’t unless you demand it of them and back the demand up with contracts and tests.
Here is a list of non-technical questions you need to consider as part of your design conversation. Getting technical on some of these issues may require a member of your IT staff or an outside consultant. But any small business owner should be able to answer these questions if they are trying to build a business using technology:
What is the sensitivity of the data on our planned site? Is it regulated data?
Who regulates the information or audience that uses our site? What are your obligations to protect it? What are your obligations to maintain user privacy? Does your privacy policy match that obligation? Will the site be developed with the guidance of a privacy policy?
How long can the site be offline before it negatively impacts our business? When will customers usually visit the site to transact business? If we are offline for an hour at peak traffic time, how much revenue will we lose? Profit?
What do our customers expect from us in regard to protecting their privacy?
Will you have user forums or accounts on the site? How will you verify those signed up are really customers? Or really people?! Does that matter? Will you allow any and all comments in your forums? Do you need to edit them or block them?
How does the developer ensure the web application is secure? The database?
How does the hosting provider help secure your application? How will you know they are doing their job?
You then need to make sure that your development partner builds the site to meet the requirements these questions should raise to the surface.
That site must be deployed in a technical environment that is at minimum protected by:
Proper and verified operating system and application hardening procedures
Separation of the development environment (where you’ll continue to create and innovate as well as test) from production
We then recommend you test the site against your requirements to make sure they were met (best to do that before that last check goes to the developer!). We also suggest you conduct a vulnerability scan against the site to make sure that it wasn’t developed with technical weaknesses a hacker could use to create havoc for you.
And then finally we recommend that you, as a matter of routine, continue running those tests to make sure the site maintains the secure posture you paid for in the first place.
This originally appeared in Jacadis' customer newsletter. Given all the recent breach announcements everybody at some level is a little more exposed. It is a good time to think about protecting your users. Are your users immune to social engineering?
But I have yet to see a technical product capable of preventing our end users from sharing credentials with someone impersonating a help desk employee or clicking on a link in an email from a total stranger.
So what can we do to protect those users from social engineering attacks?
Realize that most people just want to be helpful. That said, the information security team should deploy and maintain a core set of technical controls to protect users from themselves.
Phishing emails will attempt to lure users into visiting websites hosting malicious content, or perhaps prompting users for their login credentials. By implementing the layered controls outlined in the checklist above, you can significantly reduce the likelihood of a successful exploit.
Most importantly however, EDUCATE YOUR USERS.
Annual security awareness training, combined with recurring reminders (e.g., security emails, newsletters, or posters) can go a long way toward determining whether or not your user clicks on that link or hangs up on that impostor and contacts the security team.
Finally, validate your efforts. Perform social engineering tests throughout the year to gauge the effectiveness of your technical controls and training efforts. Don’t leave anything to chance.
Let me know if you need help answering the question.
This article by Jerod Brennan first appeared in Jacadis' quarterly newsletter. It created quite a few conversations with our customers. I thought it was useful to share here as well.
Smartphones and tablet devices are making their way into the workplace. Unfortunately, the decision to connect these devices to the corporate network is often made without first consulting the IT department. The worst part is that the information security team is frequently kept in the dark for fear that they would tell the business no.
But does security really need to say no to this request?
Of course not! The security team should be helping the business find a way to do what they need to do securely. Companies that embrace mobile technology in a safe and secure manner will reap the benefits that come from the increased connectivity and mobility. The key to avoiding a security incident or data breach related to these devices is in the security details.
A few questions that the security team needs to ask the business:
• What information do we need to include in that policy?
• How are we going to keep track of these devices?
• What steps do we need to take to secure devices before they connect?
Permitting mobile devices in the workplace should be a business decision based on a clear business need. Before that decision has been made, engage the security experts in order to ensure that you deploy those devices safely. You need to involve the right players from the very beginning if you want to securely integrate mobile technology into your business processes.
Remember: It’s better to end up in the news for a record-setting quarter, and not for a security incident that could have easily been avoided.
Jacadis helps businesses prepare for and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.
Frankly, as breaches go, Epsilon isn't that big of a deal. No protected information, just names and email addresses, was taken. And more sophisticated attacks have come and gone in the press largely unnoticed.
Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non-techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.
Experts suggest that companies that outsource technology services take some of the following steps:
Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.
Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.
This will impact you if you answer yes to any of the questions below:
Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations to HIPAA, PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these types of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or its relationship with its customers, this might apply. Or, for another instance, if you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?
Take action
If you answered yes to any of those questions we suggest the following:
1. Look at your customer agreements with firms in the categories above.
Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?
2. Sit down with your technical leadership and discuss:
Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives do we have documentation that defines our security program's values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?
If your business provides services to regulated businesses upstream in your market, we recommend you keep asking these questions until you feel comfortable with the answers.
Does your application security plan take into account the OWASP Top 10 Web Application Security Risks?
Since 2004, organizations have steadily adopted the OWASP (Open Web Application Security Project) standard as a way to evaluate not only their own applications, but also those designed by third parties. While many developers and security professionals are familiar with the OWASP Top 10, most do not understand the mechanics of the vulnerabilities and how to prevent them. If your firm develops customer facing web applications or uses internally facing web applications that collect or process protected information, OWASP's practices are a concept your technical teams should adopt.
By popular request, Jacadis is offering a two-hour, instructor-led interactive class designed to introduce developers, designers, architects, managers, and organizations to the OWASP Top 10, and to educate them about the consequences of the most important web application security weaknesses. This class is taught by certified security consultants that routinely perform PCI, HIPAA, and OWASP penetration tests and vulnerability assessments.
Secure Application Development – Best Practices - OWASP Top 10 March 31, 2011 @ Tech Columbus 11:00 am — 1:30 pm - Lunch will be provided
Does your business process customer data? Show your business to business customers that your firm handles their information in a secure fashion and you may win new business.
Jacadis works with emerging firms (those in start up mode or those in high growth arcs) that suddenly find themselves with information security and privacy concerns. Usually, they have been so focused on building business features and functions that security has been an afterthought. Customers raise concerns about how information is handled, many times because the customer is regulated and is expecting our client to properly handle their data. By the time Jacadis gets involved these concerns are creating barriers to new markets or have become minimum requirements to win new business or retain existing business.
Our mantra is that if you can show your customers, particularly your regulated business-to-business customers, that you operate in a manner that you can be trusted, you have the potential to create competitive advantage and win new business.
And it is true.
Yesterday, we got word from a client that our efforts in implementing a security program for them had translated into a higher level trusted relationship with a key client AND a new $200,000 order. The joy the sales manager had in telling me reminded me of the excitement my 8-year old has when he comes home from a great day at school.
Being secure does create competitive advantage.
Do you have those same concerns?
One tool we used was QualysGuard. We used it to measure the vulnerabilities (fancy security jargon meaning weaknesses) open to attack in their technical infrastructure. We used it initially to create a prioritized list of corrective steps for our client to take and now use it to maintain the current security levels and show the client's customers they are attending to security properly.