Information Security

02/24/2010

Secure Value by Understanding the Criminals in the Digital Neighborhood

Highland Park's Only Gated CommunityImage by waltarrrrr via Flickr

I just got a crack at reading Deloitte’s new Center for Security and Privacy Solutions' report titled Cyber Crime: A Clear and Present Danger.  It is a quick 16 page read and worth it for any entrepreneur or emerging business innovator, CEO or COO.

We are building business in a digital world.  Knowing the neighborhood, so to speak, is important.  Along with all the good things things about the neighborhood -- effeciency, effectiveness, new markets, new products and services, collaboration -- comes new forms of crime, new scams, new ways that our business dreams can be damaged or destroyed.

My business partner at Jacadis, Simon Herring, often speaks of our efforts as cyber security and risk professionals at protecting 10-foot walls againts 11-foot ladders.  The reports key finding "Threats posed to organizations by cyber crimes have increased faster than potential victims—or cyber security professionals—can cope with them, placing targeted organizations at significant risk.

In interpreting the survey responses Deloitte reports that "cyber crime constitutes a significantly more common and larger threat than respondents recognize."Bluntly cyber criminals are innovating in the digital marketplace just like the rest of us; only their innovation is outpacing what are traditionally considered best practices.

The report in Deloitte's words "is directed toward senior leaders including CIOs, CSOs, CROs, operational risk managers, government agency budgeting and procurement professionals, and other executives and professionals with decision-making roles in the security of their organization’s IT environment and of the assets within that environment.

It is a quick 16 page read and worth it for any entrepreneur or emerging business innovator, CEO or COO.  It is worth reading for those in the IT audit profession as well.

Some trends pointed out in the report:

  • Cyber attacks and security breaches are increasing in frequency and sophistication, with discovery usually occurring only after the fact, if at all.
  • Cyber criminals are targeting organizations and individuals with malware and anonymization techniques that can evade current security controls.
  • Current perimeter-intrusion detection, signature-based malware, and anti-virus solutions are providing little defense and are rapidly becoming obsolete—for instance, cyber criminals now use encryption technology to avoid detection.
  • Cyber criminals are leveraging innovation at a pace which many target organizations and security vendors cannot possibly match.
  • Effective deterrents to cyber crime are not known, available, or accessible to many practitioners, many of whom underestimate the scope and severity of the problem.
  • There is a likely nexus between cyber crime and a variety of other threats including terrorism, industrial espionage, and foreign intelligence services.
Or more simply put.  You lock your office, warehouse, storage, retail, etc. facility because leaving the door open would invite a criminal. 

Do you lock your digital doors?

Does your business design, operation, IT infrastructure invite criminals?

The report can be found at: http://www.cio.com/documents/whitepapers/CyberCrime.pdf.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 10:56 PM in Competitive Advantage, Information Security, Information Security Basics, Innovation, Online Business, Secure Value, Threats | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

|

02/18/2010

Secure Value By Managing for Social Media Security and Privacy

A round parachute constructed from gores of ma...Image via Wikipedia

The following question has been asked in several ways to me online and in the Q&A of speaking engagements I've recently done.  It is a question you should be asking if you are using social media to run and grow your business.

What issues are there with social media security and privacy? How are they resolved? What can I do to prevent or reduce problems especially with Facebook and Twitter? Should we jump into the social media world?

1. You'll need to be prepared to be protected from viruses, malware, worms and a whole slew of other nasty software threats. You should be protected from those issues regardless of whether you Facebook or Tweet. Just connecting to the internet will expose you to these threats. Facebook and Twitter are just another delivery channel for what we call malware in the security industry.

The solution is protecting the endpoints in your business (speaking English that means your computers and your cell phones). A good endpoint security package is going to include a personal firewall, anti virus, and anti spam. My company is a big fan of Sophos end point products as they are partners of ours.

2. Privacy is about control. Don't publish details you don't want to be out in the open. The obvious no no is over publishing personal information. Giving too much away, in regards to travel or equipment purchases, etc. can expose you. There are documented cases of people tweeting on vacation only to come back to stolen electronics. A coincidence? Or a follower?

Nobody knows for certain but there is no reason to expose yourself. Be careful of geo tagging for the same reasons.

3. Understand social engineering techniques. Social engineering is when people online use old cons to trick you to do things they want. Get rich quick schemes, emails from people you don't know (particularly with downloads) and the like are typical concerns. We've dealt with cases of social engineering where enough detail was given on Facebook, Twitter, etc. that the attack actually came over the phone with people pretending to be people known to the victim.

4. Back your systems up. IF you are attacked you don't want to lose all your hard work.

Scary? Probably. But so frightening you should stay away? Hardly.

My firm is an 11 person information security firm that cautiously and correctly uses social media to run and grow our business.

The security and privacy situation is constantly changing in regards to social media. Get involved in social networking but set aside some time to become familiar with the security and privacy features of these tools (and their weaknesses). Don't listen to people that advise you to stay away from them; embrace them wisely and grow your business!

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:31 PM in Information Security, Online Business, Secure Value, Small Business, Social Media | | Comments (0) | TrackBack (0)

|

02/17/2010

Secure Value by Identifying Information Assets and Their Owners

coins from bosnia, slovenia, hungary, denmark,...Image via Wikipedia

Information Owners -- those responsible for the viability and survivability of an information asset -- need to accountable to their role.  It is not enough to expet IT as custodians to understand their role in protecting the asset without an Information Owners involvement.

I am working on a data discovery and information asset profiling project for a client.  Essentially this client has agreed that they a). need to know where their critical assets are b). whether or not they are protected throughout the business life of the information and c). what compliance requirements must be met to stay in-line with regulations and contracts.

Your business has these same issues.  If your market is in the health care space you may have protected health information (PHI) and be expected to meet HIPAA requirements.  If you transact business using payment cards -- Visa, MasterCard, Amex and so on -- the Payment Card Industry (PCI) expects you to meet their Data Security Standard.  If you conduct business in most states you need to be compliant with data protection and notification laws that differ state to state.

Many businesses do an "ok" job of understanding what compliance requirements must be met but do a terrible job knowing where that protected data lies or flows within their business.

Which brings me to this client.  They are a services firm that through its normal business routine gathers, processes and stores a termendous amount of personally identifiable information.  They have a diligent and caring information technology department.  They have executive support for securing their information.  And like most firms the protected information in their business freely flows outside of protective boundaries creating a risk of exposure.

We were asked to do a data discovery to help find that exposed information and make recommendations for properly protecting it for both security and compliance purposes. 

The CERT Survivable Enterprise Management group at the Software Engineering Institute at Carnegie Mellon in Pittsburgh developed the Information Asset Profiling (IAP) process as a model.

Some key components of the model:

Information owners are those responsible for the viability and survivability of an information asset.  For all businesses that means that sales is responsible for account information, call center management responsible for the information in the customer relationship management toolset, engineering responsible for the "secret sauces" in the company product and so on.

Information custodians are those responsbile for protecting the information asset.  In most firms this means the information technology staff.  In most firm this is the group also given implied responsibility for viability and survivability.  Yet, IT doesn't have the necessary tools to value information and protect it outside of its existence in computer systems within the company.

Containers are a concept within the model that refers to the form factor that is used to store the information.  A file folder.  A filing cabinet.  A BlackBerry.  A laptop.  A server.  The computer network.  All these represent containers. 

In our experience which has been validated as this project continues organization's are concerned with protecting the computer assets but are unaware when data flows into containers that are then themselves exposed such as printed documents, file folders, faxes and the like.

The end result of this project is that our client will truly know where their critical data is, how the containers it resides in are exposed, and what can be done to lesson the risk of losses or compliance violations.

Do you know where your data is?

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 09:50 AM in Compliance, Information Security, Risk Management, Secure Value, Small Business | | Comments (0) | TrackBack (0)

|

10/16/2009

Do Business in Nevada? Secure Value by Complying with New Security Act

NevadaImage via Wikipedia

Does your company transmit, process or store payment card data about any individual who lives in the State of Nevada?

If so you need to be aware of the new Security of Personal Information Act passed into law in Nevada.  In a nutshell, data collectors or merchants who collect card data to do business will be required to be compliant with PCI DSS in order to legally conduct business in Nevada.

I'm not going to spend time writing something up if I find something insightful already available.  Read the write up on the Nevada Security of Personal Information Act at InfoSecCompliance.

Reblog this post [with Zemanta]

Posted at 09:53 AM in Compliance, Information Security, Online Business, PCI, Secure Value | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

|

10/14/2009

Secure Value by Understanding Common Threats

DangerImage by zenonline via Flickr

Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur

Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. The threat model is used to describe the characteristics of a given threat and the harm it could to do a vulnerable system. 

 If we do a project where we identify threats scenarios we’ll go into detail.  At a simple level we’ll identify the pieces of the threat scenarios including the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). 

We do not address the probability of these events occurring which in most cases is impossible to predict accurately.

Over your morning coffee run through these common scenarios and ask yourself if you how they would impact you:

 A trusted employee decides to:

 ·         Download unauthorized software from the Internet which contains a Trojan horse or other malicious software. 

·         Disable antivirus scanning prior to the download of an emailed MS Office document.

·         Transfer information from a third-party computer to their work computer bringing in a virus or other malicious software into the company. 

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

A disgruntled employee decides to retaliate against your company:

 ·         With knowledge of the backup tape courier routine the tape drop off is intercepted and the information contained on the tapes are used to attack your company’s reputation or are used for material gain.

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

 A former employee decides to retaliate against your company:

 ·         With a haphazard termination process the former employee uses his/her still active network access and credentials to damage or steal information from an outside location.

·         With a haphazard termination process the former employee gains access to a company facility and uses his/her still active network credentials to damage or steal information from an outside location.

An authorized visitor or an unauthorized visitor or intruder penetrates one of your company’s facilities and:

 ·         Unchallenged as they walk the floors of the facility they exploit targets of opportunity such as unlocked, unattended systems, backup tapes set unsecured waiting for courier pickup, etc.

 A third party caretaker of your company information has a security incident.  While that incident may not impact your company network, your company has no controls to prevent that incident from impacting your company at a business level.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:58 PM in Information Security, Secure Value, Threats | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

|

09/15/2009

Secure Value by Protecting Yourself, Your Company, Your Customer

Secure PumpImage by david.nikonvscanon via Flickr

Understanding the Security Risks With Social Media for Business

We have taken the plunge as a firm and use Twitter, LinkedIn and Facebook to promote our personal brands, market our business and build community with customers and prospects.

While we've embraced the 2.0 world, we've done so with eyes wide open. As we use the technology to create benefits we also acknowlledge we create risks that must be identified, addressed and managed.

Most professionals, most firms using these new technologies are not "professional paranoids" like we us. 

If you are using Social Media and have concerns about the risks ... or if you have balked at adopting the technology because of your fears of those risks ... please join me for:

Understanding the Security Risks With Social Media for Business
September 21st, 2009
11:00 am — 1:00 pm

Register to join us.  We will discuss:

  • Privacy issues related to social media use
    • For yourself 
    • For your company 
    • For your customers 
  • Tactics to maintain privacy
  • Techniques to maintain security

You will certainly get a chance to network with other busy professionals.


Related articles by Zemanta

Reblog this post [with Zemanta]

Posted at 02:22 PM in Compliance, Information Security, Online Business, Policy, Privacy, Secure Value, Small Business, Social Media, Speaking Engagement | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

|

09/04/2009

Secure Value by Testing Web Applications -- Lunch & Learn Announcement

Jacadis presenting lunch & learn on web application security with Platform Lab in Columbus

I wanted highlight an upcoming lunch and learn reviewing web application security that might be of benefit to you if your business develops and deploys web applications. The event is free and lunch will be provided. Please register below, and send this on to individuals in your organization who would benefit.

 

Jacadis, the company I work for, is putting the lunch and learn on with its non-profit partner the Platform Lab, part of Tech Columbus.

 

Presenter: Simon Herring, CISSP – Founder and CTO Jacadis, LLC.

Cost: Free

When: September 16th, 2009 11:00 am — 1:00 pm - Lunch will be provided

Location: Platform Lab/TechColumbus 1275 Kinnear Rd Columbus,OH 43212

 

 

Register here: http://www.surveymonkey.com/s.aspx?sm=nkZ9YHJyBqezQYQM5xDMmQ_3d_3d

 

Cyber thieves use automated scanners to find web security holes… Why don’t you?

 

Thousands of web applications have been developed by companies of every size and industry to support business growth, extend customer interactivity, and lower service delivery costs.  But how deliberate are you in evaluating the security of web applications throughout the application’s lifecycle, from inception to retirement? 

 

Consider the following:

  • Many web vulnerabilities exist due to limited knowledge of secure coding principles.  Catching these weaknesses before “go-live” can decreases costs related to post-deployment patching and the risks associate with a security break-in.

  • The sophistication of web hackers and data thieves continues to increase.  Just scanning during the development cycle assumes no new web application exploit techniques will be developed and shared in the Black Hat community. The “10 foot wall” you created last Fall won’t be able to withstand the “11 foot ladder” that cyber thieves throw-up this Summer.

  • In addition to being an established best practice for protecting general web servers, routine web application scanning can help you comply with federal, state, and industry regulations.  With little marketing effort, you can also build security into your brand and show your existing or potential clients that protecting sensitive data is important.  

The tools and processes are available to prevent the deployment of poorly coded and insecure web applications.  Perhaps you know the risks, but you don’t know how to manage them, or where to begin.  To answer these questions, we are hosting “Securing Web Applications using Acunetix WVS” to demonstrate how Acunetix Web Vulnerability Scanner (WVS) is an effective tool to add to your security routine. 

 

In this edJACADIS seminar, we will:

  • Examine the components of a successful web application development process

  • Discuss the role of web application vulnerability scanning in the overall security process

  • Explore how Acunetix Web Vulnerability Scanner (WVS) can be used by developers and security analysts alike, to perform automated or manual web vulnerability testing.

Reblog this post [with Zemanta]

Posted at 09:12 PM in Information Security, Secure Value, Secure Web Development, Small Business, Speaking Engagement | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

08/11/2009

Pain of Discipline vs. Pain of Regret

Franco Harris football helmetImage by afagen via Flickr

Secure Value by making decisions and investments to account for risks before they become real negative events.

Secure Value posts have slowed down the last two weeks.  I coach a 9 and 10 year old football team.  I have to confess that my blogging time has been spent getting 16 boys ready to play football.  Though I've been busy getting them ready to block and tackle my mind hasn't stopped thinking about the information security game or helping small and medium enterprises stay fit for their own battle.

Last night we were working through the details of a blocking drill.  As a coach we tell our kids that you can make a choice ... you can suffer the pain of discipline now or suffer the pain of regret later.

And I realized that information security is the same thing.  We don't want to spend the extra time to think up a stronger password, backup files, convene an information security committee meeting, write policy or invest in a firewall.  All those things are pain of discipline actions.  It will hurt a little bit now but help us avoid it hurting a lot later.

And hurting later includes the greater of the two pains, like the pain of regret.  Like when we lose the key proposal or a customer contract to a bad sector on a laptop or server.  Or when a client asks us to prove we have a security committee and follow whatever alphabet soup regulation they are accountable to.  Or when our weak password is easily guessed and your business penetrated.  Or when you have to terminate an employee for inappropriate behavior but can't produce the policy he violated. Or when ....

So take the time to hustle in practice and study your playbook at night ... Oh, sorry ..

Take the time to invest in your future and endure the pain of discipline by considering information security's role in your business and avoid the pain of regret that comes with the impact of a future predictable risk. 

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 12:55 PM in Information Security, Information Security Basics, Secure Value, Small Business | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

07/29/2009

Campus Technology Innovators Need to Secure Value as they Build New Learning Evironments

A tag cloud with terms related to Web 2.Image via Wikipedia

Sitting at a break in the action Campus Technology 09 thinking.

Comparing conference chatter from last year to this .. the pace of innovation has been rapid if the talk of all things 2.0 is any indication.  Just about anyone will quickly engage and share how they are using social networking or web 2.0 technologies in the classroom, in their business, in research and innovation projects or just in life.  But ask a question about security or privacy and it is obvious that the dive into the 2.0 pool hasn't included some basic thinking about security.

Innovation without security thinking simply sets the stage for bad things to happen in the future.  Too many security practioners lament the social network.  But stopping it is like trying to stop water from flowing downhill.  The trick is diverting it, channelling it, guiding it to go where you want it to go. 

Embrace these new technologies. As an entreprenuer I've already seen payoffs from being socially networked.  But embrace them thoughtfully with intentional security.


Reblog this post [with Zemanta]

Posted at 07:26 AM in #ct09, Information Security, Secure Web Development, Social Media | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

07/24/2009

SMB Security: Five Bright Ideas from CSOonline on How to Secure Value

I enjoy reading CSOonline.  Even if its articles are geared toward big company information security technical practioners there are always some solid (and entertaining) nuggets available.  This one might of use to the small and emerging business:

SMB Security: Five Bright Ideas by Lauren Gibbons Paul

The article identifies and lists five bright ideas for small businesses and medium enterprises looking to secure their business:

  1. Risk management should form the foundation of your security practices.
  2. The ongoing confluence of information security and physical security is good news for SMBs.
  3. Video surveillance and analytics are now within the reach of SMBs.
  4. Outsourcing is more popular than ever.
  5. Recognize that you can't take people out of the equation.

Number 3, video surveillance, might not be for everyone but the other 4 are definitely topics to be aware of when working to secure your small business environment.

 

 

 

 

 

Posted at 12:07 AM in Information Security, Small Business | | Comments (0) | TrackBack (0)

|

Next »
My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Twitter Updates

    follow me on Twitter
    Subscribe to this blog's feed
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported