Wednesday, December 26, 2012

Maintain the Combat Stance

Miyamoto Musashi was a great Samurai - born in 1584, he lived in the prime age of the Samurai warrior class.  Musashi was a ronin, a masterless warrior, who wandered the country, trained, fought other warriors and was undefeated in over 60 duels.  

In his old age, Musashi retired to the hills, as some Samurai were known to do, and composed poetry and other works of literature and art.  Having mastered the art of combat, he also composed "The Book of Five Rings", a treatise on strategy and combat.  The book is widely admired today in both martial arts circles and in business, as a way to know your enemy and improve your own tactics and strategy in war.

In this book, Musashi writes "The Way is in training. Become acquainted with every art." - This wise advice applies directly to our mission in Information Security.  We are faced with the constant threat of attack, just as Musashi was while walking the Japanese countryside.  Musashi advises us to know our enemy - know his skill.  Understand the threats.  

When I was studying for my CISSP, I had to either learn or become reacquainted with ten domains of information security.  Even though I may not use every one of them on a daily basis, the CISSP exam would test me on my knowledge and understanding of all areas - I didn't need to be an expert but I needed to be acquainted with every art.  

Musashi lived a life of constant training - working to improve his physical skill and mental preparedness.  He learned to assess the opponent's skill and capabilities - in security we also must learn about the risks.  We scan for vulnerabilities, we strive to understand the threats which might exploit those vulnerabilities, and we look for ways to plug those holes and remediate those risks - like Musashi we constantly try to improve, training and educating ourselves about the potential dangers to our data and learning to battle the attackers.

We must seek to constantly improve our skills and our defenses - tighten up our security while also increasing our ability to be alerted to anything which might be out of the ordinary. We never know how small a clue we will get, if any at all, that an attack is coming.  We must learn the tools and tricks of our opponents so that we may understand what we need to defend against.  And we must use strategy to drive our stance - as Musashi also writes - "In all forms of strategy, it is necessary to maintain the combat stance in everyday life and to make your everyday stance your combat stance. You must research this well."

Musashi's words are very appropriate for us - how do we maintain the combat stance in our networks?  And what does he mean by "make your everyday stance your combat stance"?  If we understand the threats and prepare our defenses well, we maintain a combat stance, ready to repel any attackers or to be notified of a battle underway.  We must have our plan in place and ready to go - our security operations should be buzzing and our incident response program should be standing by.

Just don't go running out of your office with a headband, a samurai sword, yelling "BANZAI"!!!  HR would probably frown on that.

Monday, December 17, 2012

All Aboard

Years ago, I worked for a large Fortune 500 healthcare company.  Obviously this company was concerned about its requirements under HIPAA.  At the time cell phones were in everyday use, but they were not what they are today: some had cameras, but many were simple flip phones without one.  Because a camera is a way to gather, capture and move data, the company was rightly concerned about the new "camera-phones" and instituted a policy restricting their use and/or possession on company grounds.

Can you imagine what the compliance rate would be on that policy today?  I'm not certain you can purchase a new phone today without a camera.  We may have to revert to the vintage electronics section of eBay to find such a dinosaur of technology.  In today's healthcare environment, you have every single employee, from the doctor to the janitor, carrying not only a smart device, complete with camera, Wi-Fi and the capability to instantly post the latest thought or photograph to Facebook, but it's likely some of these people also have an iPad, some other tablet or a small form factor laptop in their shirt pocket.  

We can no longer dictate that no one have these devices.  We have no effective administrative control that we can use to limit or restrict the presence of these devices - policies prohibiting something which has become woven into the very fabric of our culture would only be ignored.  It's like prohibiting them from bringing in their shoes or wallet.  The key point here -  a large risk has become assimilated into the culture, so much so that we've crossed the point of prohibition.  We only stand in front of this fast-moving train at our peril.  If we are to be effective, we must learn how to jump on board this thing as it's moving and at least find some room in the driver's car to figure out a way of putting some controls in place.

As with anything else, our usual template of Information Security will suffice - we need a well-conceived set of administrative and technical controls - our policy, while still acknowledging that every living creature on the planet is organically attached to a smart device, must dictate that the user will follow the policy at risk of termination and permanent smart-phone-ectomy.  This policy sets the table firmly for other controls - but why is this piece so important?

I have a tool that I am permanently attached to, that I take home with me, I use in the car, in the bathroom, it's my alarm clock, the way I check the news and the weather, the way I talk to my 14-year old, the thing that tells me when my favorite cigar goes on sale and lets me take notes or dictate.  This list really can go on forever - just look through the app store and you'll find just about anything to meet your needs and help you make your day more efficient.

Because of the fact that this device is our constant companion, we tend to be more lax with it - we don't treat it like a work device.  So we must force users to understand the importance of turning on their brains with respect to using the device.  We must educate users on the risk of using the device and their responsibility to use it wisely.  And we must put in some common sense controls which, while not prohibiting the usage of these devices, controls exactly what we want to control.

Today's solution to this problem is mobile security - some tool or agent which is installed on the device and phones home.  The console can force a passcode (on iOS the passcode is what unlocks the device's data protection keys, so requiring one effectively forces encryption; on Android of this era encryption is a separate setting the console has to require as well), it can alert on devices which are out of compliance, and it can let me know when a device moves from place to place.  It's a happy compromise - I can't prohibit the device, but I can restrict certain things and wipe it if it's lost or stolen.  I can force the thing to encrypt its data.  And I can "sort-of" disable the device's camera.

As a security guy in charge of infosec for a hospital, that's really what I care most about.  We cannot stop the train of mobile devices - we have to learn to get on board and help steer it away from our most critical asset - patient data.

Monday, December 3, 2012

Risky Business

In the broad spectrum of activities which might be called Information Security, we must always first and foremost implement, execute and follow through with risk management.  Risk management is the backbone or foundation of any good information security program.

Risk management, at its core, is really just going around and taking a look at the way things are set up - processes, policies, from what ports are open on the firewall to what rules are set on your antivirus client.  It is a process of inventorying the existence or state of things, then reviewing all of this against your knowledge, expertise, research and maybe even some tools, to determine whether we're doing things the right way or not.

Even if we're going along with best practices, we must understand that we still have some risk.  There is no such thing as 100% security  - the best practice in the world doesn't remove all risk - unless we want to unplug our infrastructures from the public Internet and never allow anyone to access anything.  This scenario basically shuts down our business - that means we must balance risk management with running the business.  This caveat should be posted on every security professional's desk to review constantly, as they attempt to implement or manage security controls.

We must define our existing controls and determine the gaps - then we define the present risk for it all.  Once this is done, we can begin to prioritize that risk - figure out strategies to reduce risk based on the priority or criticality of the asset or data or service or other resource we're trying to protect.  We can close unnecessary ports, change our A/V policy to restrict more, add language to our policies - we find ways to reduce that risk through the controls we have or the controls we implement based on our risk assessments and determination.

This strategy isn't new - I didn't invent it.  But in my experience many organizations have never heard of risk management, at least from an IT perspective.  We don't have to go down the rat hole and hire an accountant to calculate the ARO or SLE, but we should be familiar with these terms and what they represent: the Single Loss Expectancy (SLE) is the dollar loss from one occurrence of an event (asset value times the exposure factor), the Annualized Rate of Occurrence (ARO) is how many times a year we expect it to happen, and their product, the Annualized Loss Expectancy (ALE), is what leaving the risk alone costs per year.  This makes us more prepared, so that when we identify a risk and need to implement a control, we can intelligently discuss the problem in terms the business understands - dollars.  
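The arithmetic behind those terms, as an added worked example that is not part of the original post: the standard formulas (SLE = AV x EF, ALE = SLE x ARO, and the value of a control = ALE before - ALE after - annual cost of the control) applied to three constructed hospital scenarios.  The asset values, exposure factors, rates and control costs are made up for illustration; the point is that the same few numbers let you rank risks by ALE and then tell the business, in dollars, whether a proposed control is worth buying or whether the risk is cheaper to accept.

```python
"""Quantitative risk prioritization using the standard SLE/ARO/ALE formulas.

    SLE = AV * EF          single loss expectancy, dollars per incident
    ALE = SLE * ARO        annualized loss expectancy, dollars per year
    control value = ALE_before - ALE_after - annual cost of the control

All asset values, exposure factors, rates and costs below are CONSTRUCTED
illustrations, not measured figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: dollar value of what is at stake
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: what doing nothing costs per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # licences, hardware, staff time, per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied to the risk."""
    reduced = Risk(risk.name, risk.asset_value,
                   control.new_exposure_factor, control.new_aro)
    return reduced.ale()


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit of the control; negative means it costs more than it saves."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def prioritize(risks):
    """Risks ordered by ALE, highest first: where remediation effort goes first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def recommend(risk: Risk, control: Control) -> str:
    """Plain-language recommendation, in the dollars the business understands."""
    value = control_value(risk, control)
    if value > 0:
        return (f"{risk.name}: implement '{control.name}' "
                f"(saves about ${value:,.0f} per year net)")
    return (f"{risk.name}: '{control.name}' costs ${-value:,.0f} per year "
            f"more than it saves; accept the risk or find a cheaper control")


# Constructed hospital scenarios (illustrative numbers only).
LOST_LAPTOP = Risk("Unencrypted laptop with PHI lost", 2_000_000, 0.25, 2.0)
LAPTOP_FDE = Control("Full-disk encryption on all laptops", 40_000, 0.02, 2.0)

OPEN_RDP = Risk("RDP exposed on the perimeter firewall", 500_000, 0.5, 0.2)
CLOSE_RDP = Control("Close 3389, require VPN", 2_000, 0.5, 0.02)

INTRANET_DOS = Risk("Denial of service against internal portal", 100_000, 0.1, 0.5)
SCRUBBING = Control("Commercial DDoS scrubbing service", 30_000, 0.1, 0.05)

SCENARIOS = [(LOST_LAPTOP, LAPTOP_FDE), (OPEN_RDP, CLOSE_RDP),
             (INTRANET_DOS, SCRUBBING)]


if __name__ == "__main__":
    for risk in prioritize([r for r, _ in SCENARIOS]):
        print(f"{risk.name:45s} SLE ${risk.sle():>12,.0f}  ALE ${risk.ale():>12,.0f}")
    print()
    for risk, control in SCENARIOS:
        print(recommend(risk, control))
```

Two things fall out of running it that the paragraph alone does not show: the laptop risk dwarfs the others on ALE, so it is where the first dollar goes, and the scrubbing service is a control that costs more than the risk it removes, which is exactly the conversation about accepting risk that a dollar figure lets you have with management.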

We learn to protect the business, not because we know how to SSH into a firewall and set up an access control list, but by providing expert counsel, by understanding what the business is trying to accomplish, by understanding the risks inherent in technology, and by offering wise solutions based on actual, prioritized risk and not Fear, Uncertainty and Doubt (FUD).  

If we can build our security programs upon a foundation of proper Risk Management, we have the groundwork for policy, process and technology - we can build teams dedicated to the correct tasks and eliminate or minimize time wasted on non-essential activity.  We can operate our security program as a function of risk management - prioritized to be laser-focused on the most critical risks, maintaining a low risk profile for the organization's IT infrastructure.  

When I talk to many information security people about Risk Management, I see the deer in the headlights.  As an industry we must be able to walk in both worlds, technology and business.  Risk management is a language understood and appropriate for both.