Archive

Posts Tagged ‘infosec risk’

Infosec Management Tip: Business Is About Taking Risks

August 23, 2012

Business is About Taking Risks

One of the fundamental things that drives our economy is risk-taking. That’s the natural inclination of the most successful business people I’ve met. There’s a risk in going in a new direction – what you might call “venture risk” – and the willingness to take it is what separates the promising businesses from the failing ones.

Let’s look at an example to better illustrate the point. Suppose we have two otherwise identical chair makers, making identical chairs. One day they overhear someone mentioning that having a cup holder built into the chair would be a good thing. That’s never been done before, so there’s a risk in making something different. Now one maker takes a venture risk and builds his next line of chairs with a cup holder and it’s a hit, selling twice as many as before and even commanding a premium. The risk-averse chair maker sticks with the old design and sees a drop off in sales. The venture risk-seeking businessman wins. Enough of these successful venture risk decisions and he drives the other chair maker out of business.

(By the way, this is a principal criticism of  the labor theory of value popularized by Karl Marx and which underpins Socialism. Also for more on risk-averse behavior check out the awesome TED presentation where Laurie Santos shows our behavior can be just as irrational as Capuchin monkeys.)

But thinking back on the same situation, it’s possible to see that the risk-averse chair maker is also taking a risk. His risk is that failure to innovate will drive his company out of business. Now, his is what we would traditionally see as the safer bet. But expanding on the scenario just a little bit, it’s possible to show that the status quo is actually riskier. All you have to do is assume that some day a better chair will be created and put into production. This virtual certainty also virtually guarantees that the risk-averse chair maker will eventually go broke.

Most businesses today are a far cry from this idealized chair maker – even the chair making industry. But the vignette translates well to the highly risk-averse attitudes of many CISOs and other information security professionals today. They try to eliminate all security risk, but in doing so they virtually doom the enterprise to certain failure. That’s why they’re often perceived as ineffective. Instead, CISOs should help their companies make smart decisions and help protect against security, privacy and compliance threats when taking venture risks.

Hat tip to Andy Ellis, CISO of Akamai, whose keynote at Hack In The Box Amsterdam partially inspired this post. You’re a smart man, Andy.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Prioritize Based on the Business

July 23, 2012

Prioritize Based on the Business

A lot of data isn’t worth what we spend to protect it. What’s worth protecting and what’s just not? That’s not a decision IT and IT Security should be making. Instead, count on the business to help you prioritize. This goes along with our tip to cultivate understanding between the business and Infosec. Prioritize security controls that play into what the business needs and leave the others for later. (And document this decision for the auditors!)

Example: If you’re working for Coca-Cola and you say to your Chief Taste Magician (or whatever his title would be) that you want to help him protect the secret formula he probably won’t care. Anybody with access to a mass spectrometer and a basic understanding of how to read the printout can figure out the formula. But he is going to care about patenting the technology they’re developing to get the soda fountain mouth-feel into a plastic bottle. That’s his priority for the Taste Lab and it should be yours too.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Beware Security Fads

July 20, 2012

Tools are a Means, Not an End

One of the biggest shames of our industry right now is that “silver bullet” tools have such a hold on media and mind share. Organizations typically try to deploy the latest product in isolation, without understanding what’s causing the issues they’re seeing. But tools used this way are bound to fail, raid the corporate budget, tie up valuable resources and just obscure the symptoms of the problem for a while longer. Organizations can only fix what’s broken by understanding the problems clearly and developing a solution using proven methods that fixes them. Only then should you start thinking about what tool fits into the solution.

Example: A lot of companies have asked about “tuning” their latest flashy box that’s not working right. But when you get talking to them, you find that the problem isn’t with the product, it’s somewhere else. Even if the product were working perfectly, you still wouldn’t be able to solve the problem. One company had spent tens of millions of dollars on SIEM and other tools, but was using business school interns to run the SOC and didn’t have any plan for handling incidents! Another company had a DLP device that sat on the shelf for 2 years, and they hadn’t even clearly defined what data they cared about or where it should and shouldn’t be. Tuning in those situations would only be an expensive way of buying false assurance.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Cultivate Understanding

July 16, 2012

Cultivate Understanding

This is the opposite of running around trying to inform everybody of what you think is the biggest problem. It means getting with them to understand what their problems are, where their risk prioritization is and then finding out where your concerns fit in there. Maybe they’re already aware of the threat and aren’t concerned; or maybe they have a way to mitigate it you hadn’t thought of; or maybe they need to listen, but don’t trust Infosec yet. By bringing the business into the Infosec decision making process, there’s more trust, more chance they’ll listen when you talk, and more chance you’ll have the right answer for their needs. Usually that all means more budget, plus more willingness to go along with what you want!

Example: I know of a company that was going into China to open R&D centers. The CISO was trying to say “no we shouldn’t, it’s too risky because somebody could steal our IP.” But the business knew this – their strategy around it was to lean on other assets like brand reputation (which is actually fairly well protected in China) to protect against that. In other words, lost IP wouldn’t necessarily translate into lost revenue or profits. In another company the board of directors wanted to have their updates and formal reports delivered to an iPad. The CISO worked with Finance to say yes because the cost of securing the digital distribution was lower, and the result better, than securing the hard copies. IT and Security helped save money, reduce risk and got a high visibility win for the company.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with companies large and small. If you like what you read, come back for more!

Preventing Security Issues from Acquisitions

July 13, 2012

Yahoo Voices – a 2010 acquisition by the search company – was breached, and an attacker compromised 450,000 accounts, including email addresses and passwords. This is the latest in a series of similar breaches, affecting eHarmony, LinkedIn and last.fm. However, Yahoo Voices was using even worse security practices than these companies when storing the data at rest. How did this 2010 acquisition cause security problems for the Internet giant, and how can you avoid having the same thing happen?

Over the last month, several online companies have suffered account credential breaches. And these companies were chastised for practicing poor web application security, as well as poor data protection. In most of the previous cases, the passwords were stored hashed, but with a fast hash and no salt, so that most passwords could be recovered within a matter of hours. Exceptionally strong passwords, such as those recommended by most security practitioners, remained relatively safe because the time to recover them would be a matter of months. So people whose accounts were compromised had time to change their passwords before any abuse could take place. In the case of Yahoo Voices, passwords were stored in plaintext, without any hashing or encryption. This means that even strong passwords were compromised.

But the Yahoo Voices breach is interesting for a number of reasons. Analysis of the compromised accounts reveals that only 30% use Yahoo email addresses, and Yahoo reports that only 5% of the passwords for those corresponding email accounts are correct. This is a lower than expected number in both cases. In a Yahoo service, you’d expect to see nearly all accounts linked to Yahoo email addresses. And people don’t tend to change their personal email passwords very often, so you’d expect that the number of valid credentials would be much higher, as well. Yahoo themselves say the data is old. My guess is that the data is from pre-acquisition, was no longer used and may even have been somewhat corrupted.

That makes me wonder what pre- and post-acquisition assessments Yahoo did. Acquisitions can be a weak link in a security program for many reasons, even if the acquired company has an equivalent level of security. The Yahoo Voices problem could have been identified by talking to the developers, reading over policy documents and performing assessments of the company’s technical and data security. Any weaknesses would be identified and could be tracked until remediated.

So how could Yahoo have prevented this situation, and how can you avoid the same problem?

  • Use and enforce strong encryption practices for data at rest. Yahoo says this is their policy and that the Voices incident was an outlier. Always use strong password protection mechanisms: at a minimum salted hashes, and better yet a purpose-built slow password hash such as bcrypt.
  • Use good data retention and destruction practices. If this was old and unused data, it should have been purged. Old data should be cleaned up properly and quickly.
  • Practice good data security diligence before, during and after an acquisition. Most organizations are coming to realize that potential information security issues can affect the diligence process. And although these issues should rarely halt an acquisition, foreknowledge of them certainly helps set expectations for the effort needed to integrate new groups in a secure manner. That saves money and reduces risk, which is what the diligence process is all about.
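To make the first point concrete, here is an added example (written for this page, not code from Yahoo or from the original post) that puts the three storage choices side by side: plaintext, an unsalted fast hash, and a salted, slow hash. It uses Python’s standard-library scrypt as a stand-in for bcrypt, since both are salted work-factor hashes; the usernames, passwords and wordlist are constructed for the demo and are not from any breach. The dictionary attack shows why the unsalted store falls with one lookup table no matter how many accounts it holds, while the salted store forces fresh work per account and the strong password survives.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example only (not from any real breach).
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine"]
SAMPLE_PASSWORDS = {
    "alice": "password",        # in the wordlist: falls to any dictionary attack
    "bob": "letmein",           # likewise
    "carol": "Xq7#vR2!pL9mZ",   # not in the wordlist: survives only if the store is hashed
}

# scrypt work factor; raise N over time as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password):
    """The Yahoo Voices mistake: the stored record *is* the password."""
    return password


def store_unsalted_sha1(password):
    """The LinkedIn-style mistake: a fast hash with no salt, so one lookup table cracks every account."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_scrypt(password, salt=None):
    """Salted, memory-hard hash (stand-in for bcrypt). The record carries its own parameters and salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_scrypt(password, record):
    """Parse the record, recompute with the stored salt and parameters, compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown password hash scheme")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(records, wordlist):
    """Build the table once and reuse it for every account: cost is len(wordlist), not accounts x words."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist):
    """With per-account salts no table helps: every (account, guess) pair is a fresh scrypt call."""
    cracked, work = {}, 0
    for user, record in records.items():
        for guess in wordlist:
            work += 1
            if verify_scrypt(guess, record):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    sha1_store = {u: store_unsalted_sha1(p) for u, p in SAMPLE_PASSWORDS.items()}
    scrypt_store = {u: store_scrypt(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted sha1:", crack_unsalted(sha1_store, WORDLIST))
    print("salted scrypt:", crack_salted(scrypt_store, WORDLIST))
    print("carol logs in:", verify_scrypt(SAMPLE_PASSWORDS["carol"], scrypt_store["carol"]))
```

Both hashed stores give up the two dictionary passwords, and neither gives up carol’s; the difference is the price. Against the unsalted store the attacker hashes the wordlist once and matches it against all 450,000 accounts at no extra cost, which is why those breaches were cracked within hours. Against the salted store each account costs a separate pass over the wordlist at the configured work factor, which is the months-to-crack situation the post describes for strong passwords. The plaintext store needs no attack at all, which is the Yahoo Voices case.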