
  A Risk Based Approach

In the movie "Under Siege 2" (not a great movie, I know) there is a scene where the lead bad guy asks one of his subordinates whether Steven Seagal's character is dead. The subordinate replies, "Yes, he's dead." The lead bad guy asks, "Did you see the body?" The subordinate answers, "No, I assumed . . ." and the lead bad guy cuts him off: "Assumption is the mother of all f*&#-ups." As the movie goes on, Seagal knocks off the bad guys one by one and ultimately foils their plans.

The moral of the story being simple, DON’T EVER ASSUME!

After I watched this movie years ago, I sat down and thought about the things in my life, both personal and professional, that had not gone as I planned or had blown up in my face. I quickly realized that the vast majority of them were caused by an assumption I made that did not turn out to be true. In my defense, I can say that as I have gotten older I try to limit my assumptions to ones that seem to be no-brainers, but even those have blown up on me many times.

Making assumptions is a human trait, and it is required to get through the many decisions we must deal with on a daily basis. However, there is a process you should apply when deciding whether to make an assumption, and for managing the risk you take on when you do.

  1. Impact Analysis: The first and most important thing to determine is the impact if the assumption you made does not come true. It is not a question of how likely the bomb is to go off; it is the damage created if it does. Define and understand what the impact of the assumption being wrong would be.
  2. Incident Response Plan: If the impact is critical, can cause irreparable damage, or will set off an unpredictable domino effect, identify that up front and have two or three backup plans documented and ready. What frustrates me is not when someone comes to me saying XYZ didn't work out as planned. It is when I ask what contingency plans, or at least ideas, they have to deal with the situation and they respond "I don't know" or "I don't have any."

I guess the moral of the story is not to be a glass-half-empty person, but to understand that when making assumptions you should think things through carefully and always apply a risk-based approach to everything . . . including "assumptions"!


  Fighting & Scratching For Security Controls

I know that all the regulations we must abide by (PCI, SOX, GLBA, HIPAA, whatever) are flawed. If controls are put in place badly, or you're paired with a bad auditor who does not know how to apply the regulations in real-world environments, then yes, they can be a nightmare. HOWEVER, having come from a hands-on I.T. security admin background, scratching and fighting for YEARS to get security controls in place, I can say that if it weren't for most of these security regulations, 60% or more of the security controls that have gone in over the last 5-8 years would not be in place.


  Project Management for Info-sec Professionals

So I was finally able to attend my first SANS course; after more than 12 years in I.T. security, it's about time. First, I would like to thank and send MASSIVE kudos to my directors for authorizing the expense. These things aren't cheap. Thanks for letting me go, Wendy.

OK, it was great. I networked with a lot of people and the course was excellent. What made it one of the best classes I have taken was Jeff Frisk: his energy, enthusiasm and in-depth knowledge make it a must for directors and managers in the info-sec field. Be prepared for the fire-hose treatment.

MANAGEMENT 525 - Project Management and Effective Communications for Security Professionals and Managers


  The Never Ending Story

1000 names and Social Security numbers of employees stolen from employee’s car

Why I am posting this specific data exposure incident is beyond me, considering that this happens hundreds of times per day around the country; most are never noticed, and the rest are never disclosed. First off, this is not a data breach. "Breach" implies something was broken into, and that was not the case here.

Most data exposure incidents are not hacks. They are incidents where some dumb*** was sloppy and the data was left in a file cabinet set out on the curb for Goodwill pickup, or some dummy copied sensitive data to his laptop (unencrypted, of course) and it was stolen by some thief.

A friend once asked me, "Why can't they stop this?" My answer: until exposing sensitive information is criminalized, so that a person or company that knowingly (knowingly being the key word) handles sensitive information irresponsibly faces fines and/or prison time, it is not going to stop.


  How I Communicate PCI Awareness

Question from the LinkedIn PCI message board: What challenges are members currently facing in achieving or sustaining the level of employee awareness required by PCI DSS, and what solutions are they employing?

Awareness training has to be mandatory, it has to be short, it has to be in plain English, and you have to try to add value to it so that the audience feels it is worth listening to. Partner with marketing for help in that area.

Since PCI requires this (no gray area here), I split my awareness program into two separate buckets: corporate users (most of whom use computers) and retail/restaurant staff (who do not use computers, excluding management), and I manage each group separately.

For corporate, I first partnered with marketing to create an online presentation, with both audio and video, that covered our corporate policy on approved and prohibited credit card information handling (the do's and don'ts). I then partnered with my HR department to add this presentation to their annual corporate policies and procedures awareness program.

This program requires all corporate employees to watch an online video presentation about corporate policies, with management sign-off. My presentation is roughly two minutes long, in plain, everyday English, not compliance or I.T. geek language.

For staff in the field (wait staff and management), I used my corporate "Credit Card Information Management" policy and required them to sign it annually. This covered two PCI requirements in one shot. I would note that I require all staff, even kitchen staff, to sign; that way I don't miss anyone, and people may transfer between job roles.

I also had HR add the policy to their new-hire paperwork, so that all new employees, wherever they are, sign it upon hiring.


  Maybe The Bad Guys Wont See Us

We all have different points of view on information security subjects, and different ways of defining, managing and accepting risk. First off, let me say that one of my strongest suits, so I have been told, and the one key thing I understand, is that security exists to serve operations and thus the business. As an I.T. risk, compliance and security professional, I understand that in many ways I am here to support the engineers, developers and administrators in their efforts to secure their systems, to manage compliance for them, and in essence to watch their backs.

My approach is to make sure they feel I bring more assistance, solutions and value than problems, workload and silly compliance to-do lists; at least, that is the goal. I think many in the security compliance world do not always understand that the business, and the critical processes that support it, sometimes have to win out over security. You have to handle each situation on its own merits, but sometimes that is just the way it is. Now, I prefer to believe that with enough effort you can always manage a risk down to an acceptable level, and add controls and monitoring around a given process to make any risk tolerable. Maybe I'm just the glass-is-always-half-full guy.

Anyway, a buddy of mine who is working as a consultant asked me for help putting together a project plan for a Vulnerability Management Program. After a few discussions, he and the client decided to review the client's vulnerability management program for gaps and to improve the processes around discovery, review and remediation. And I have to say, I got two of the ^&$#%#$& responses I think I have ever gotten on the subject.

When I explained to the engineer that we needed to improve these processes and that I had found significant gaps in them, his first response was, "Why are you bringing me and my guys all this dumb work?" I then explained that I had found many critical vulnerabilities that had existed for extended periods of time, and that the system owners were not even aware of them. I also explained that a more formal, automated and less ad hoc approach to how these vulnerabilities are managed (discovered, communicated, assessed, and then remediated or formally risk-accepted) needed to be created and written down.
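The two gaps called out above (critical findings sitting open for months, and findings with no owner who was ever told) are exactly what a small tracking layer on top of the scanner output should surface on every run. The following is an added example, not the blog author's or the client's code: it models each scanner finding with a first-seen date, an owner and an optional time-boxed risk acceptance, checks it against per-severity remediation windows, and produces the list a review meeting needs to see. The finding IDs, hosts, owners, dates and SLA windows are all constructed for illustration and are assumptions, not a standard.

```python
"""Track scanner findings against remediation SLAs, flag breaches and orphans.

Added example, not the blog author's code. All findings, hosts, owners,
dates and SLA windows below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows per severity, in days from first detection.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str                      # scanner's own identifier (constructed)
    host: str
    severity: str                        # one of the SLA_DAYS keys
    first_seen: date                     # first scan run that reported it
    owner: Optional[str] = None          # system owner to notify; None = nobody
    risk_accepted_until: Optional[date] = None  # documented, time-boxed acceptance
    remediated: bool = False


def due_date(f: Finding) -> date:
    """Deadline = first_seen + SLA; an unknown severity is treated as critical."""
    return f.first_seen + timedelta(days=SLA_DAYS.get(f.severity, SLA_DAYS["critical"]))


def is_breached(f: Finding, today: date) -> bool:
    """Open, past its SLA, and not covered by an unexpired risk acceptance."""
    if f.remediated:
        return False
    if f.risk_accepted_until is not None and today <= f.risk_accepted_until:
        return False
    return today > due_date(f)


def triage(findings, today: date) -> dict:
    """Split open findings into the states a review meeting needs to see."""
    report = {"breached": [], "unowned": [], "expired_acceptance": []}
    for f in findings:
        if f.remediated:
            continue
        if f.owner is None:
            report["unowned"].append(f.finding_id)
        if f.risk_accepted_until is not None and today > f.risk_accepted_until:
            report["expired_acceptance"].append(f.finding_id)
        if is_breached(f, today):
            report["breached"].append(f.finding_id)
    return report


def notifications(findings, today: date) -> dict:
    """Group breached findings by owner, so each team gets one message, not a raw scan dump."""
    out: dict = {}
    for f in findings:
        if is_breached(f, today):
            out.setdefault(f.owner or "UNASSIGNED", []).append(f"{f.host}:{f.finding_id}")
    return out


# Constructed sample data; the date of the review run is fixed so results are reproducible.
TODAY = date(2010, 3, 1)
SAMPLE = [
    Finding("VULN-001", "web01", "critical", date(2010, 1, 1), owner="web-team"),
    Finding("VULN-002", "db01", "high", date(2010, 2, 20), owner=None),
    Finding("VULN-003", "app02", "medium", date(2010, 1, 10), owner="app-team",
            risk_accepted_until=date(2010, 6, 30)),
    Finding("VULN-004", "app03", "critical", date(2010, 1, 5), owner="app-team",
            risk_accepted_until=date(2010, 2, 1)),
    Finding("VULN-005", "web02", "low", date(2010, 2, 25), owner="web-team", remediated=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE, TODAY))
    print(notifications(SAMPLE, TODAY))
```

On the sample data, VULN-001 is breached outright, VULN-004 is breached because its risk acceptance lapsed a month ago (an expired acceptance is reported separately so someone has to re-sign it, not just let it ride), VULN-002 is within its window but has nobody to tell, and VULN-003 is covered by a still-valid acceptance. Feeding the real scanner export into the same structure, with a cron job that runs it after every scan, replaces the ad hoc "nobody knew" with a list that goes to named owners.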

Now, his second response is the one I think I will never forget, and it really took the cake: "For years we haven't done this or worried about it, and we've never had problems or been hacked, so why should we start now?" . . . WHAT did he just say? Ummm, okay. To me that is like saying, since no one has ever tried to walk into my house, I'm just not going to lock the doors anymore, when I'm gone or when I'm sleeping. Why? No one's going to walk in . . . right? So why lock them!

Now, I have owned and/or managed vulnerability and patch management many times in the past, and I understand how challenging it is to maintain in reality, but . . . okay, never mind . . . I'm just going to stop here, because I don't think there is anything more to say that the title doesn't already!
