Wednesday, December 26, 2012

Maintain the Combat Stance

Miyamoto Musashi was a great Samurai - born in 1584, he lived in the prime age of the Samurai warrior class.  Musashi was a ronin, a master-less warrior, who wandered the country, trained, fought other warriors and was undefeated in over 60 duels.  

In his old age, Musashi retired to the hills as some Samurai were known to do, and composed poetry and other works of literature and art.  Musashi had mastered the art of combat - he composed a book called "The Book of Five Rings" - it is a treatise on combat.  The book is widely admired today in both martial arts circles and in business, as a way to know your enemy and improve your own tactics and strategy in war.

In this book, Musashi writes "The Way is in training. Become acquainted with every art." - This wise advice applies directly to our mission in Information Security.  We are faced with the constant threat of attack, just as Musashi was while walking the Japanese countryside.  Musashi advises us to know our enemy - know his skill.  Understand the threats.  

When I was studying for my CISSP, I had to either learn or become reacquainted with ten domains of information security.  Even though I may not use it on a daily basis, the CISSP exam would test me on my knowledge and understanding of all areas - I didn't need to be an expert but I needed to be acquainted with every art.  

Musashi lived a life of constant training - working to improve his physical skill and mental preparedness.  He learned to assess the opponent's skill and capabilities - in security we also must learn about the risks.  We scan for any vulnerabilities, we strive to understand the threats which might exploit those vulnerabilities, and we look for ways to plug those holes, remediate those risks - like Musashi we constantly try to improve, training and educating ourselves about the potential dangers to our data and learning to battle the attackers.

We must seek to constantly improve our skills and our defenses - tighten up our security while also increasing our ability to be alerted for anything which might be out of the ordinary. We never know how small of a clue we will get, if any at all, that an attack is coming.  We must learn the tools and tricks of our opponents so that we may understand what we need to defend against.  And we must use strategy to drive our stance - as Musashi also writes - "In all forms of strategy, it is necessary to maintain the combat stance in everyday life and to make your everyday stance your combat stance. You must research this well."

Musashi's words are very appropriate for us - how do we maintain the combat stance in our networks?  And what does he mean by - make your everyday stance your combat stance?  If we understand the threats and prepare our defenses well, we maintain a combat stance, ready to repel any attackers or be notified of a battle underway.  We must have our plan in place and ready to go - our security operations should be buzzing and our incident response program will be standing by.

Just don't go running out of your office with a headband, a samurai sword, yelling "BANZAI"!!!  HR would probably frown on that.

Monday, December 17, 2012

All Aboard

Years ago, I worked for a large Fortune 500 healthcare company.  Obviously this company was concerned about its requirements under HIPAA - at the time cell phones were being used but they were not the same as today.  Some had cameras, but many phones were simple flip phones without cameras.  Because a camera is a way in which you can gather, capture and move data, the company was rightly concerned about the new "camera-phones" and instituted a policy restricting their use and/or possession on company grounds.

Can you imagine what the compliance rate would be on that policy today?  I'm not certain you can purchase a new phone today without a camera.  We may have to revert to the vintage electronics section of eBay to find such a dinosaur of technology.  In today's healthcare environment, you have every single employee, from the doctor to the janitor, carrying not only one smart device, complete with camera, WIFI and the capability to instantly post the latest thought or photograph to Facebook, but it's likely some of these people have an iPad, some other tablet or small form factor laptop in their shirt pocket.  

We can no longer dictate that no one have these devices.  We have no effective administrative control that we can use to limit or restrict the presence of these devices - policies prohibiting something which has become woven into the very fabric of our culture would only be ignored.  It's like prohibiting them from bringing in their shoes or wallet.  The key point here -  a large risk has become assimilated into the culture, so much so that we've crossed the point of prohibition.  We only stand in front of this fast-moving train at our peril.  If we are to be effective, we must learn how to jump on board this thing as it's moving and at least find some room in the driver's car to figure out a way of putting some controls in place.

As with anything else, our usual template of Information Security will suffice - we need a well-conceived set of administrative and technical controls - our policy, while still acknowledging that every living creature on the planet is organically attached to a smart device, must dictate that the user will follow the policy at risk of termination and permanent smart-phone-ectomy.  This policy sets the table firmly for other controls - but why is this piece so important?

I have a tool that I am permanently attached to, that I take home with me, I use in the car, in the bathroom, it's my alarm clock, the way I check the news and the weather, the way I talk to my 14-year old, the thing that tells me when my favorite cigar goes on sale and lets me take notes or dictate.  This list really can go on forever - just look through the app store and you'll find just about anything to meet your needs and help you make your day more efficient.

Because of the fact that this device is our constant companion, we tend to be more lax with it - we don't treat it like a work device.  So we must force users to understand the importance of turning on their brains with respect to using the device.  We must educate users on the risk of using the device and their responsibility to use it wisely.  And we must put in some common sense controls which, while not prohibiting the usage of these devices, controls exactly what we want to control.

Today's solution to this problem is mobile security - some tool or agent which is installed on the device and phones home - the console can force a passcode (which means forcing encryption of the device), it can alert on devices which are out of compliance, let me know when the device moves from place to place.  It's a happy compromise - I can't prohibit it but I can restrict certain things and wipe the device if it's lost or stolen.  I can force the thing to encrypt the data.  And I can "sort-of" disable the device's camera.

As a security guy in charge of infosec for a hospital, that's really what I care most about.  We cannot stop the train of mobile devices - we have to learn to get on-board and help steer away from our most critical asset - patient data.

Monday, December 3, 2012

Risky Business

In the broad spectrum of activities which might be called Information Security, we must always first and foremost implement, execute and follow through with risk management.  Risk management is the backbone or foundation of any good information security program.

Risk management is really just going around, taking a look at the way things are set up, processes, policies, from what ports are open on the firewall to what rules are set on your antivirus client.  Risk management is a process of inventorying the existence or state of things, reviewing all this against your knowledge, expertise, research and maybe even some tools, to determine if we're doing things the right way or not.

Even if we're going along with best practices, we must understand that we still have some risk.  There is no such thing as 100% security  - the best practice in the world doesn't remove all risk - unless we want to unplug our infrastructures from the public Internet and never allow anyone to access anything.  This scenario basically shuts down our business - that means we must balance risk management with running the business.  This caveat should be posted on every security professional's desk to review constantly, as they attempt to implement or manage security controls.

We must define our existing controls and determine the gaps - then we define the present risk for it all.  Once this is done, we can begin to prioritize that risk - figure out strategies to reduce risk based on the priority or criticality of the asset or data or service or other resource we're trying to protect.  We can close unnecessary ports, change our A/V policy to restrict more, add language to our policies - we find ways to reduce that risk through the controls we have or the controls we implement based on our risk assessments and determination.

This strategy isn't new - I didn't invent it.  But in my experience many organizations have never heard of risk management, at least from an IT perspective.  We don't have to go down the rat hole and hire an accountant to calculate the ARO or SLE, but we should be familiar with these terms - with what they represent.  This makes us more prepared, so that when we identify a risk and need to implement a control, we can intelligently discuss the problem in terms the business understands - dollars.  
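As an added illustration, not from the original post, here is how the SLE and ARO terms mentioned above combine (ALE = SLE x ARO) to rank risks and decide whether a control pays for itself in dollars; every asset value, exposure factor, rate and control cost is constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One asset/threat pair expressed in the classic quantitative terms."""
    asset: str
    asset_value: float      # dollars the asset is worth to the business
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence: incidents per year

    @property
    def sle(self) -> float:
        # Single Loss Expectancy: what one incident costs us
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy: what the risk costs us per year, on average
        return self.sle * self.aro


@dataclass
class Control:
    """A candidate safeguard and the ARO we expect once it is in place."""
    name: str
    annual_cost: float
    aro_after: float


def prioritize(risks: list[Risk]) -> list[str]:
    """Rank assets by ALE, highest first, so the biggest dollar risk gets attention first."""
    return [r.asset for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction minus the control's annual cost; positive means it pays for itself."""
    residual_ale = risk.sle * control.aro_after
    return (risk.ale - residual_ale) - control.annual_cost


def worth_buying(risk: Risk, control: Control) -> bool:
    """The business-language answer: does the control cost less than the risk it removes?"""
    return net_benefit(risk, control) > 0


# Constructed sample figures for a hospital-style environment (not real data).
RISKS = [
    Risk("patient database server", 2_000_000, 0.40, 0.1),
    Risk("public web server", 250_000, 0.50, 0.5),
    Risk("unencrypted laptop", 20_000, 1.00, 2.0),
]

# Constructed candidate controls, keyed by the asset they protect.
CONTROLS = {
    "unencrypted laptop": Control("full-disk encryption", 5_000, 0.2),
    "public web server": Control("premium inline IPS", 70_000, 0.1),
}


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset:24s} SLE=${r.sle:>10,.0f} ALE=${r.ale:>10,.0f}")
    print("priority order:", prioritize(RISKS))
    for r in RISKS:
        c = CONTROLS.get(r.asset)
        if c:
            verdict = "buy" if worth_buying(r, c) else "too expensive for the risk"
            print(f"{c.name} for {r.asset}: net ${net_benefit(r, c):,.0f}/yr -> {verdict}")
```

The second control is deliberately priced above the loss it prevents, which is the "balance risk management with running the business" caveat in numbers.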

We learn to protect the business, not because we know how to SSH into a firewall and set up an access control list, but by providing expert counsel, by understanding what the business is trying to accomplish, by understanding the risks inherent in technology, and by offering wise solutions based on actual, prioritized risk and not Fear, Uncertainty and Doubt (FUD).  

If we can build our security programs upon a foundation of proper Risk Management, we have the groundwork for policy, process, technology - we can build teams dedicated to the correct task and eliminate or minimize time wasted on non-essential activity.  We can operate our security program as a function of risk management - prioritized to be laser-focused on the most critical items, maintaining a low risk profile for the organization's IT infrastructure.  

When I talk to many information security people about Risk Management, I see the deer in the headlights.  As an industry we must be able to walk in both worlds, technology and business.  Risk management is a language understood and appropriate for both.

Wednesday, September 12, 2012

The Best in Practice

If we are charged with designing, architecting, implementing, deploying, integrating, training and supporting security technology, processes and policies within our organization, we might discover that this work is really an art more than a science.

Anyone can go out and purchase a solution to provide anything from firewalls to antivirus.  Once those solutions are installed we might be tempted to sit back and be overwhelmed with a sense of security, knowing we've locked out all the potential intruders.  But I would caution anyone who might feel this way, and offer additional advice on how to best practice information security in your organization.

First of all, we can never be satisfied or comfortable with any one technology.  A firewall is simply a port-blocker: source, destination, port, allow or deny.  The firewall will either allow traffic on a port or block it.  If it's open, a standard firewall makes no further inquiry into the traffic - it's considered trusted at that point in your infrastructure.  

So if I allow inbound port 80 traffic to a web server, my firewall is basically opening the door from the Internet to my web server on that port.  All traffic gets the same check, and only that check - if it's knocking on the port-80 door it gets to come in, just like a visitor who knocks on my door - I just let them in.  I don't frisk them, I don't check their pockets, I don't ask them what they have in their bag or what intention they have.  I just let them walk right in.

The firewall does the exact same thing - so it might be "trusted" from the firewall's perspective however we must realize that "trusted" traffic through the firewall can also be malicious traffic.  Nothing says an attacker can't use port 80 to attack you - it happens all the time.  The point is that this isn't the job of the standard firewall - to determine if that traffic is malicious or not.  It is just a port-blocker - port 80 is open or closed.  That's all the firewall does.

When I give presentations to new hires at my organization, I ask them what information security is.  Many times someone will say - having a firewall.  The perception is that if you put a firewall in place, you're secure. That's as false as saying if I put a lock on my front door, no one can break in my house.  

What we must do is understand the function and purpose of our tools and solutions, understand the risks, and then fill in the blanks.  We must fully understand what a firewall is, what a firewall does and what it does not do, understand what sort of risks we are facing, then put other pieces in place to supplement that basic level of security - that front-line of protection.  We might implement an Intrusion Detection/Prevention solution to inspect the "trusted" traffic coming across port 80 into our network - the firewall's job is to allow it - malicious or not.  Then the IPS tries to determine if that "trusted" traffic is just web server traffic or a signature or behavior which indicates a high possibility that the traffic, while trusted, shouldn't be allowed.  The traffic is then blocked, alerted on, or both.
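An added example, not from the original post: a toy version of the two layers described above, a port-only firewall in front of a content-inspecting IPS, run over a few constructed packets. The signatures and addresses are illustrative, not a real IPS ruleset.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Layer 1: the port-blocker. Inbound web traffic is allowed, everything else dropped.
ALLOWED_INBOUND_PORTS = {80}


def firewall_verdict(pkt: Packet) -> str:
    """Looks at the destination port and nothing else, exactly as the post describes."""
    return "allow" if pkt.dport in ALLOWED_INBOUND_PORTS else "drop"


# Layer 2: a few illustrative signatures applied to the payload the firewall let in.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) /\S* HTTP/1\.[01]\r\n")

SIGNATURES = [
    ("non-HTTP traffic on the web port", lambda p: not HTTP_REQUEST_LINE.match(p)),
    ("directory traversal in request", lambda p: b"../" in p or b"..\\" in p),
    ("oversized request line", lambda p: len(p.split(b"\r\n", 1)[0]) > 2048),
]


def ips_verdict(pkt: Packet) -> tuple[str, list[str]]:
    """Inspects the 'trusted' payload; returns block/pass plus the names of matched signatures."""
    hits = [name for name, check in SIGNATURES if check(pkt.payload)]
    return ("block" if hits else "pass"), hits


def inspect(pkt: Packet) -> dict:
    """Run a packet through both layers in order, the way it flows through the network."""
    fw = firewall_verdict(pkt)
    if fw == "drop":
        return {"firewall": "drop", "ips": "not reached", "alerts": []}
    ips, hits = ips_verdict(pkt)
    return {"firewall": fw, "ips": ips, "alerts": hits}


# Constructed sample packets (documentation addresses, no real hosts).
SAMPLES = [
    Packet("203.0.113.5", "10.0.0.10", 22, b"SSH-2.0-client\r\n"),            # wrong door
    Packet("203.0.113.5", "10.0.0.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),                   # ordinary visitor
    Packet("203.0.113.7", "10.0.0.10", 80,
           b"GET /static/../../private/notes.txt HTTP/1.1\r\nHost: www\r\n\r\n"),  # right door, bad intent
    Packet("203.0.113.9", "10.0.0.10", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # not HTTP at all
]


if __name__ == "__main__":
    for pkt in SAMPLES:
        print(f"{pkt.src} -> :{pkt.dport}  {inspect(pkt)}")
```

Note that the firewall's answer is identical for the last three packets; only the second layer tells the ordinary visitor apart from the other two.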

Once we get this holistic view of the threats and ways to protect our organization, the practice of information security goes all the way to the endpoints.  That is, we find ways to integrate all of our solutions into one organic concept.  Like layers of an onion, I don't look at my security infrastructure as 15 different pieces.  I look at it as a whole, a complex but interacting web of layers, each of which has a purpose in the big picture.  I might be able to see a botnet from my antivirus logs, my web filter logs, my intrusion detection logs - if I have everything set up correctly I will know about this sort of risky traffic, be able to respond in a timely manner and safely restrict or block that traffic without any disruptions.  

This is sort of an introductory piece - we can go so much deeper.  However I wanted to set the table properly - I would love comments on creative and effective ways you utilize your infrastructure to protect your organization.

Monday, August 13, 2012

Securing the C-Level - Michael Peters

I posted a review on but wanted to republish here.

After reading Securing the C Level, by Michael D. Peters, I found I could hardly put it down. This book is like a gold mine - like finding a little gold nugget after years of searching for some good advice, like having a private lunch with someone on that upper echelon and picking their brain about the ins and outs of how to get a job like that. Not only is it very insightful into the preparations needed to get to that level, but it also offers insight to anyone in a management position. Michael gives sage advice on navigating the cultural waters, how to spend your first 100 days for maximum benefit, how to groom your personal brand, and many other interesting and invaluable tidbits about achieving and maintaining that life at the top of the corporate ladder.

Parts of the book I found most interesting were dealing with planning your career - Michael provides some awesome and creative tips to chart the waters of executive career planning - especially if your career benefits from the achievement of credentials. Michael also talks in-depth about life as a C-level executive, the sometimes-treacherous waters, and how to successfully navigate them. As an MBA and a JD, Michael's background and experience allows him to provide a wealth of practical and insightful advice, advice which anyone can and should be following if they want to follow in the footsteps of someone like Michael.

Highly recommended book for career planning - a very interesting and actionable read!

If you aren't familiar with Michael Peters, have a look at his background and his blog.  He's a monster!  He sailed through the BS, MBA and now eJD degrees - he's a CISO, a member of the ISSA Hall of Fame, and he's one of our Keynote Speakers at the 10th Annual Louisville Metro InfoSec Conference!

Wednesday, August 1, 2012

Hey Fellow

I was recently honored and humbled to be notified of my acceptance and appointment as an ISSA Fellow.  

The ISSA rewards a small number of members each year with the Fellow designation - the ISSA Fellow is someone who has at least 8 years of ISSA Membership with 3 of those years spent as leaders - Board members, officers or President.  An ISSA Fellow has also demonstrated at least 5 years of noteworthy performance as an Information Security professional.

Of the 137 international chapters and over 10,000 members worldwide, ISSA Fellows number about 35 - less than 1% of the member population.  

As an ISSA Fellow, I would like to continue to participate, not only at the local level, but nationally and internationally, with the ISSA.  As a Fellow I plan on further facilitating educational and networking opportunities for Information Security professionals through the ISSA, ISACA, Infragard, OWASP and other related organizations and activities.

The ISSA is a fantastic organization for Information Security professionals and the companies they serve.  This organization provides direct support for local chapters - the chapters are the key.  When you join an ISSA chapter, you will likely be able to attend planned meetings, where interesting and informative speakers provide an educational presentation.  You may also be able to attend conferences, like the ISSA Kentuckiana Chapter's annual "Louisville Metro InfoSec Conference".  The chapters facilitate educational and networking opportunities for their members.  

I can tell you, from over 8 years as a member of the ISSA, that my career would not be what it is today, without my membership AND participation in my chapter.  I have met so many amazing people, learned a great deal, and have been exposed to many opportunities - both job opportunities and leadership opportunities.  If you are able and willing, you will have the opportunity to shine by volunteering with your local ISSA Chapter.  I wholeheartedly recommend it.

So as a newly minted ISSA Fellow, let me stand up and cheer for the ISSA - it's one of the best investments and activities you can make in yourself and your career.

Mind Your Data

As I sit and ponder what else to write about, it dawns on me that we are living in a world of technology.  If we look around our life, we would be hard-pressed to find an area that isn't affected by technology.  Technology has become so interwoven into the fabric of our lives that we hardly notice it any longer.

Consider your house - you probably make sure your doors and windows are locked.  You might have installed an alarm system to alert if a burglary or fire is happening.  You may own a firearm with the purpose of protecting your family in the event of emergency.  You install fire detectors in each room, and you may own a dog for both companionship and for its deterrent value.

We also take similar precautions, if we're smart, outside of the home.  We generally lock our vehicle to prevent or deter theft.  We may have learned to keep our keys in our hands while we walk to the car, especially at night.  We are familiar with the fire exits at work, and we likely go through multiple security protocols throughout our day, from toll roads to access badges to locks on our desks.

The problem, I believe, is in the proliferation of technology in our lives.  We always have our cell phone on our belt, in our pocket or in a purse.  We might carry a laptop or tablet - we certainly have a PC at home and likely utilize one at work.  Our TV can now access the Internet, and even our fitness machines and refrigerators soon will be connected to the "Net".  This connectivity is very convenient but I think we have become unaware of the risks.

Any of these devices, connected to a network or the Internet, could present your personal information in ways you are not aware of.  Your credit card information, social security number, and a host of other interesting and useful bits of information could be seeping out the cracks in your technological collection.  There are many ways of helping to reduce the risk, however most people aren't even aware of the risks, not to mention the ways of reducing that risk.

It is imperative that we, as technology consumers and users, become aware of just how much of our personal information we're sharing, how much we're letting leak out.  It's fine if you know about it and are fine with sharing it.  The real concern happens when you don't know.  The number of Information Security professionals, sites, and books available is vast - make sure you are taking advantage of these resources, learning just what the risks are, and taking the necessary steps to help minimize the risks to your personal information, finances, health records, and anything else you wouldn't want to share with the world.

You lock your door each night - make sure you have a lock on your data also.

In the beginning...

Welcome to my new blog.

My name is Randall and I'm an InfoSec guy.  I am a CISSP, an ISSA Fellow, and have been working in the InfoSec field for a decade now.  I've always been a security guy - I started in private security, became a deputy sheriff, then went into IT and eventually InfoSec.

I am interested in all things security - computer security, personal security, risk management.

With this blog, I will collect my thoughts, put down insights, talk about funny and not-so-funny things that happen in my world, and share all the information I can on securing your business and also securing your life. One day it might be how to set up a firewall and the next it might be how to set up your home to be more secure.

I will propagate this blog via the wonderful social networking sites out there - including LinkedIn, Twitter, and maybe, someday....  dare I say it....  Facebook...

Drop me a comment if you're so inclined.  Stay tuned and I'll try to keep it interesting and informative.