Security Ripcord


Keep Your Heads Up In The Stack

May 8th, 2008 cutaway Posted in Leadership, Management, Professionalism, Security, USMC 1 Comment »

I’ve been doing a little running lately getting ready for the Corpus Christi Beach to Bay Relay. Today, instead of our usual four mile run, we decided to work on some sprints. We ran a mile and then started a series of 100 yard sprints with a 100 yard walk in between. Needless to say, the walking reset was filled full of huffing and puffing. At one point I noticed that I was hanging my head like most people do when they are tired. When I realized this I did what I always do, what I taught myself in the Marines after long runs and forced marches: I raised my head and started looking around. I used to do this because whenever you are the most tired is when you are the most vulnerable. You are not paying attention, you are breathing heavy, and you are doing everything you can just to take a break for a minute or two. Fortunately, the repercussions of me doing this now are not the same as they were back then.

All of this got me thinking about how we react to situations as a whole. I started thinking about how through training and effort we can begin to overcome hardships. I started thinking about how diligent practice can instill good habits and create muscle memory in any individual. Muscle memory is a condition where a body reacts without, or more precisely with only a little, thinking. You can see this by reviewing Rich Mogull’s posts on how he handled several car accidents after being out of the paramedics for a while. Rich did what came naturally to him. He just reacted and, I’m sure, did a great job and a service.

“Yes, yes,” you are thinking to yourself right now. We have heard this all before. Practice makes perfect. Practice your incident response. Practice your backup procedures. Practice your disaster recovery. Practice makes perfect. Practice, Practice, Practice. Blah, blah, blah. Yes, I am telling you that. But what I want to emphasize is that you can train yourselves all day long and still make mistakes.

Running with my head down took me back to the days of running through the hills of Camp Pendleton and training myself to keep my head up and aware of my surroundings no matter how tired I was at the time. But what it really got me thinking about was being in the stack. Not the stack you are used to hearing about, but the stack of Marines that are just about to enter a building or room that may contain hostiles. It didn’t matter where we were; once people started lining up and getting ready to move to action, their heads dropped. Not because they were tired or lazy, but because they were focused and waiting. Like a spring ready to uncoil all of its power. This occurred so often that it was not surprising to hear, “Keep your heads up in the stack!” whispered over the radio. Or to have someone give you a quick rap on the helmet as a reminder. Everybody did it, everybody got sucked into it, and everybody was aware of it and watched out for their buddy, because that person was watching out for them.

So, how does this apply to us? Well, security professionals have a lot to accomplish on any given day. Logs to review, servers to patch, incidents to respond to, training to develop and give (and that is just the short list). Let’s face it. We are swamped with responsibility and duties. Everybody groans when we walk into a room, but everybody notices when our duties start falling behind because it directly affects their business. With all of this activity, with all of this responsibility, it is very easy to get set into a common routine or mode. It is very easy for our heads to drop into our computers, logs, management consoles, spreadsheets, etc. We are doing our jobs and we are getting it done, but are we aware of our surroundings? Are we aware of the common sights and sounds of the office environment and server room? Are we listening to people talk when they need our guidance, input, or for us to listen for listening’s sake?

If you are, then good on you. Now look around and see who is not. Please, tap them on the head and tell them, “Keep your head up in the stack!”

Go forth and do good things,

Don C. Weber


Organized Security

May 4th, 2008 cutaway Posted in Leadership, Management, Security 1 Comment »

Work has been quite an experience over the last couple of months. I have spent my time in the usual security professional mode - Firefighter. It is especially aggravating when much of that firefighting is documentation for certification and accreditation of a system (that could be quickly improved with the same level of effort) or collecting information through what could be considered broken processes. Security Blog readers hear about both of those concerns all of the time as they peruse the Security Blogscape. Security professionals wishing that they could make a difference within their organization. Wishing that the managers of the system and network administrators would just listen and implement. Hoping that the executive management will empower the security professionals within their organization by conveying to the rest of the company the importance of secure operations. Let’s face it though, when we start talking about security within our different organizations, the majority of what we want is for our organizations to follow good business practices. Companies who have a firm grasp on how their technology operates and have a process for change through open communications are much more secure than the companies that buy security products to act as stop gaps and try to prove or give the illusion of compliance.

The next generation of security professionals needs to recognize this fact. Certainly we train them to know that their companies should be following industry standards like ISO 27001:2005, as I have already pointed out. But have we really started providing them with the abilities to integrate this into ITIL or CMMI? No, and that is because for a business to achieve these standards they need to have business professionals to guide them through the process. Unfortunately, these business professionals have not been trained on how the security frameworks will fit into the organization and their compliance efforts. So, there is a gap. And when there is a gap that people don’t understand they tend to do one of two things:

  • Ignore it.
  • Throw money at it until they wish they had gone with the other method.

Well, let me let all of you in on a little secret. It is something that you can take back to your organization and begin to implement immediately, and it will not affect anybody outside of the security group, at first. Are you ready???? You might just hate this answer, so stop reading if you cannot handle it. Okay, I want you to “Document Your Processes!” *Gasps are heard around the world* Yes, documentation will get you over the hump. I’m not talking long, drawn out documentation that makes you stop everything that you are doing. No, I am talking about quickly documenting the steps you take to address any issue you devote time to repeatedly. I am also talking about creating process flow diagrams that show where and how tasks touch other departments within your organization. Don’t spend a lot of time on it at first. Just get it written down and saved into a location that all of your team members can access. Then print them out and put them in a binder that will become your Standard Operating Procedures (dang, how did SOP slip in there?). As this binder starts to fill up, make copies and deliver a copy to your boss and the other managers of the departments you deal with on a regular basis.

Now the ITIL and CMMI experts are ready to jump in here and tell us, “This is not enough to be compliant.” They would be correct. But each of them will have to admit that it is one way to start down the path. It is a necessary step that they will be looking for as they go down their checklists. See, a few of the things that they want to see from you and your department are:

  • Does your department have documented processes and procedures?
  • Does your department control their efforts through some type of program or project management method?
  • Does your department have methods to analyze and improve the processes and procedures?
  • Does your department make these processes and procedures available to other departments within the organization?

By documenting how you approach each one of your department’s responsibilities you will start down a path that can be successfully integrated into the organization’s business processes. Managers will be able to start looking at your productivity and perform metrics on your duties, which will help them determine many things, such as your value to the whole organization or whether your department is short handed. And what does it do for your department as a whole? You become more effective and efficient because you start doing things the same way every time (until it does not make sense to). You have opened communications to the rest of the organization and provided them with a method to take your example and some of your ideas and turn them into their own ideas (oh, the power of suggestion). All of this documentation will help you and other members of your department quickly determine where your processes need improvement. Process documentation is an excellent tool when it comes time to point out issues to the members of your department. It drives straight to the heart of the problem in a manner that is easy for them to understand and provides them with the opportunity to make visible and fulfilling improvements.

Is all of this enough to “fill the gap” that I spoke of earlier? Of course not. It is just a start. One of the things that I am starting to consider is classes and certifications in program/process management. For this I have been pointed to the Program Management Institute by several security professionals and bloggers. I really don’t think it is going to hurt any security professional if they add PgMP, PMP, or CAPM to their alphabet soup. In fact, as individuals begin to progress through their careers, this or similar education may become necessary. Many of our technical Brethren (who are still reading) are shifting uncomfortably in their seats because dreams of management duties are starting to fill their heads. Those, at least, that don’t come from a structured software or hardware development background. And they shouldn’t. Because these are the skill sets that are also necessary for technical engineers to improve how they do their business, as much as they are a means for the managers to improve the department or organization.

Open communications is one of the things that we promote within our organizations. If your organization is “open communications challenged” then you must first start looking at yourself before you start pointing fingers or stomping feet. You must set the example. Live the lifestyle you preach. Hopefully it will make a difference. If it does not, well, then at least you have improved yourself and your department. The people around you will be more prepared for the next thing that comes along.

Go forth and do good things,

Don C. Weber


Network Extension Policy

February 20th, 2008 cutaway Posted in Management, Networking, Policy, Risk, Security Catalysts, Virtual Machines 1 Comment »

There is an interesting conversation in the Security Catalyst Community with the title “vmware bridge vs. NAT“. It started as a discussion about developers utilizing VMware for development on their local machines. The initial issue was whether to allow the developers to configure their systems so that the guest communicated through the host via NAT or to require that all guests be assigned an IP address on the network.

The thread has already gone through a spiral of recommendations and additional questions. I will not hash those out here. But what I found interesting is that this all comes back to a question of policy. The current policy, at this company, “stats [sic] that no workstation should route traffic.” One respondent pointed out that although the implementation of VMware might be a concern, perhaps the problem is actually the way that the policy has been written.

The way that policy is written should never get in the way of the desired goal for which the policy has been instated. What I mean by that is that the requirement that ‘no workstation should route traffic’ is a means, and not a goal. What you probably want is that no workstation should be able to connect networks in a way that they were not designed to.

Very sage advice.

All of this brings the risk of unauthorized network extension to the forefront. What I mean by network extension is any hardware or software configuration that permits other systems to utilize the network. What I mean by unauthorized is anything that has not gone through the proper approval channels to be placed on the network. We see examples of this all the time in most work places. Somebody attaches a network hub or switch so that they can have a desktop and a laptop. Another person bridges their network interfaces through their handy-dandy Microsoft XP configuration capabilities. And the one that everybody knows best, wireless, wireless, wireless. All of these scenarios can increase the risk to any environment. Not only do you have unauthorized systems on the network, but there is no telling how they have been configured, what software and hardware has been installed, or what the administrative passwords may be. Just to name a few.
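The scenarios above (a hub or switch under a desk, bridged interfaces on a workstation, a rogue wireless access point, and the VMware NAT case that started the thread) all leave traces in the host’s own network configuration. As an added example that is not part of the original post, the following Python audit takes a set of host inventory records and flags the ones that are extending the network without a recorded approval. The record fields (`ip_forward`, `bridges`, `wireless_mode`, `vm_network_modes`), the hostnames and the approval list are all constructed for the example and are assumptions about what an endpoint agent or login script might report; they are not from any real product.

```python
"""Flag workstations whose configuration extends the network.

Added example (not from the original post). All inventory records and
the approval list below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostReport:
    """What an endpoint agent might report about a host (assumed schema)."""
    hostname: str
    ip_forward: bool = False                    # kernel IP forwarding on: host can route
    bridges: Dict[str, List[str]] = field(default_factory=dict)  # bridge -> members
    wireless_mode: Optional[str] = None         # "managed" (client) or "ap" (access point)
    vm_network_modes: List[str] = field(default_factory=list)  # per-VM: "nat" / "bridged" / "hostonly"


# Approvals recorded as (hostname, finding) pairs, matching the post's
# "prior approval" model: the exception is for a specific configuration,
# not a blanket pass for the host. Constructed sample data.
APPROVALS: Set[Tuple[str, str]] = {("devbox-12", "vm-nat")}


def findings_for(host: HostReport) -> List[str]:
    """Return the ways this host extends the network (empty list if none)."""
    found: List[str] = []
    if host.ip_forward:
        found.append("ip-forwarding")            # workstation is routing traffic
    for name, members in host.bridges.items():
        if len(members) >= 2:                    # a bridge joins two segments
            found.append(f"bridge:{name}")
    if host.wireless_mode == "ap":
        found.append("wireless-ap")              # host re-transmits the network
    if "nat" in host.vm_network_modes:
        found.append("vm-nat")                   # guests reach the network via host NAT
    if "bridged" in host.vm_network_modes:
        found.append("vm-bridged")               # guests appear directly on the network
    return found


def audit(reports: List[HostReport],
          approvals: Set[Tuple[str, str]] = APPROVALS) -> Dict[str, List[str]]:
    """Map hostname -> unapproved findings, omitting clean or fully approved hosts."""
    result: Dict[str, List[str]] = {}
    for host in reports:
        unapproved = [f for f in findings_for(host) if (host.hostname, f) not in approvals]
        if unapproved:
            result[host.hostname] = unapproved
    return result


# Constructed sample inventory: one clean host, one routing and bridging,
# one acting as a wireless AP, and two developer boxes running NAT guests.
SAMPLE_REPORTS: List[HostReport] = [
    HostReport("ws-01", wireless_mode="managed"),
    HostReport("ws-02", ip_forward=True, bridges={"br0": ["eth0", "eth1"]}),
    HostReport("lt-07", wireless_mode="ap"),
    HostReport("devbox-12", vm_network_modes=["nat"]),      # approved above
    HostReport("devbox-13", vm_network_modes=["nat"]),      # not approved
]


if __name__ == "__main__":
    for name, items in sorted(audit(SAMPLE_REPORTS).items()):
        print(f"{name}: {', '.join(items)}")
```

The output is a worklist rather than a verdict: per the post’s closing point, a NAT-ed VM may be perfectly acceptable once the CTO and IT department have agreed to it, so the approval set is the place that decision is recorded, and a host drops off the list the moment its specific configuration is approved.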

So, how do we combat the extension of our network? Well, at my last job at the university, they started with (yup, you guessed it) policy. And despite a few rough encounters that occurred while confiscating equipment, I believe that they handled it quite well. First they started with an over-arching policy to start the control effort. (I have changed a few of the position and department titles to be more universal and understandable.)

All University data, video, wireless, and voice telephone network connectivity, including but not limited to active data net-attached lines, hubs, switches, telephones, wireless and extenders, must be approved by the Chief Technology Officer. Such connectivity must be coordinated and supervised by IT Department. Any installation not approved may be disconnected.

Next they developed policies with more detail that provided the users with information about the policy’s scope, applicability, terms, implementation, and consequences. They made it very clear that ownership and operation of the campus’ network would be handled by a specific department and that all approvals for connectivity would have to be processed by that department. They provided very clear wording to ensure that all users understood that this included any instances where the network was extended.

All hardware and software configured to extend or re-transmit the university network and telecommunications infrastructure, including all wireless technologies, must be approved by the Chief Technology Officer prior to acquisition and deployment. All systems, devices, and software capable of extending this infrastructure must adhere to configuration standards developed and maintained by the IT Department.

Finally, they very specifically stated what would occur if the policy was violated and the devices extending the network were located.

Any device, system, or software found in violation of this procedure may be confiscated and temporarily stored by the Chief Technology Officer or a representative of the office.

Of course these are all just snippets from several policies that combine into a proactive security stance for the University. But I believe they state very clearly the organization’s stance on network extension and may help those of you who have not considered these types of policies.

Now, where does this all get us with the original issue of permitting NATed VMware instances? I believe that it leaves it open to interpretation. It allows the IT personnel, developers, and Chief Technology Officer to negotiate an agreement by looking at the risks and implementing controls. The policies are flexible enough to permit this type of configuration with prior approval, while also empowering the IT department should a high risk situation arise.

Go forth and do good things,

Don C. Weber


Put Up or Shut Up

January 23rd, 2008 cutaway Posted in Leadership, Management, Metrics, Security 2 Comments »

I’ll have to say, moving from an organization that pushes back on change and external recommendations to one that embraces, analyzes, and implements recommendations and initiatives has certainly challenged me mentally. It is definitely time for me to “Put Up or Shut Up” when it comes to implementing an enterprise level security framework that integrates with the processes and procedures of the IT and development departments. Lucky for me the Department of Defense already recognizes the importance of information security and they have mandated many aspects of ISO 17799:2005. It is documenting the procedures and bringing them together so that each aspect augments the other that has proven an interesting, but so far not difficult, challenge.

For the last two months I have been working every minute at work. My blog reading has really suffered and it definitely makes me feel “out of the loop” on a lot of issues. Part of it is because by the time I get home I am done looking at a computer and ready to unwind. The most I usually bring myself to do is catch up on my emails to see if any of the other projects I am working on require attention. And even those projects have suffered a bit as you can see from my one month blog hiatus.

It is also a little difficult for me to break down what I want to write about. I have often started thinking about writing a post only to realize that, over time, a picture of security within my organization could be built from bits and pieces of my posts. The software we are using, steps we are taking, methods we have employed. Although initially seemingly innocuous, these could lead to “the death of a thousand cuts.” Another problem has been the fact that most of what I do is management. I provide leadership and guidance, get the ball rolling in certain directions, collect all of the information to try to find trends and determine cost, and act as the “face of security.” I even broke down last night and purchased a copy of Security Metrics, which just reminded me that I have not been reading my feed list as I completely forgot about the SecurityMetrics blog.

All in all I just wanted to get something out there to let you all know that my one month blogging vacation is over. I am going to make a concerted effort to weed out the things I feel comfortable speaking about. This probably means that I’ll be moving away from some of my technical stuff and more towards developing and implementing processes and metrics. Such is my life.

Go forth and do good things,

Don C. Weber


Tipping the King, Resetting the Board

December 13th, 2007 cutaway Posted in Firewalls, IDS, Management, Risk, Security, Security Vendors, UTM 3 Comments »

I have to concede to Chris on several points of his latest post. I do so because:

  1. He definitely has more experience, than I, deploying a variety of controls in a variety of environments of varying size.
  2. He definitely has more experience, than I, speaking to the capabilities of these controls and providing comprehensive and understandable analogies and examples.
  3. He definitely has more time, than I, to correlate and integrate, free and expensive, disparate and concise literature and case studies to fuel his analogies and examples and employ them in a variety of circumstances.

After all, it is what he does for a living. And he is very good at it. That is why he is listed in my blogroll and the majority of the blogrolls associated with my daily information security firehose. Hell, it is why he can list articles in many hard and soft copy information security publications.

Me, on the other hand, I am a security professional wielding my experiences and knowledge to the best of my ability to provide my employers and customers with the same level of service Chris provides, despite my limitations due to time in service. I use my experiences with technology, interactions, and introspection to form my conclusions and present them as the very best solution for the situation. I will personally guarantee the deployment of every one of my recommendations and provide mitigation suggestions when it is, as we know it will be, circumvented, exploited, outdated, outclassed, obsolesced, ineffective, unmanageable, flappable, overly expensive, or just plain wrong. In other words, I am confident and I am willing to make mistakes because I can fix them, and the majority of the time I will not make them again.

I truly think that this whole blogging interaction started because of my attempt to be flamboyant about the topic to draw attention to it. Unfortunately, as most gussied up topics do, the central point of the discussion was lost for a while. Luckily, in his last post, Chris brought it back around. Let me try to talk about my point in very plain English.

I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure. I have a problem with these solutions because the technologies they are combining on one system are not simple applications. They are robust technologies with a lot of complexity, and I am afraid that the vendors will not take the interoperability of these technologies into consideration before they push them to market. I would much rather recommend to my employers and customers that we limit the utilization of such technologies to select portions of the internal network where they can provide the most value with the least concern. I feel much better placing tried and true simple, relatively speaking, controls at the locations associated with high risk. I don’t have foolproof examples. I don’t have case studies to back up my hypothesis. I have my feelings and opinions. And, actually, since I am not dealing with Fortune 500 CEOs, CTOs, CISOs, and patent producing PhD wielding end users, I don’t really need it. In the realm of the small, limited budget network, my feelings and opinions have been, to this point, sufficient.

Next, I don’t think I have a problem with purchasing a UTM to provide a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell because I believe that UTM developers have taken the complex nature of these technologies into consideration. I was hoping that somebody I know would respond by telling my, and their, readers whether or not UTM solutions are better than the “all-in-one” firewall solution advertised in the DarkReading article, and why. If I had to guess, because of my aforementioned lack of UTM experience, I would think that UTMs separate the responsibilities in much the same manner as role-based control.

Can anybody answer this question for me? It is all I really wanted out of the whole conversation.

So, Chris, I lay my King down so that we may reset the board and start the next conversation fresh. I think you are correct when you say that I need to provide more clarifying evidence during my conversations. I will take it to heart as much as I can in my day to day security related duties. I’ll even attempt to do so in my blogging. But, as my blog is more for personal edification, education, and venting I have a feeling that a few misguided and ill-informed opinions will slip in from time to time.

Go forth and do good things,

Don C. Weber


Quit Complicating Our Controls - UTM Remix

December 10th, 2007 cutaway Posted in Firewalls, Management, UTM, Uncategorized 5 Comments »

I had a good comment from Tarek on the original Quit Complicating Our Controls post.

In fact, firewall were made to protect the different network segments or zones from each other by controlling who is supposed to talk to who using which protocol or application.

But later on, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand Proxy Firewalls such as MS ISA - I know it’s a piece of crap - but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, Inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially that such Proxy Firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data-sheet, and I think we are going to see vendors announcing that their firewalls are the first to market with built in Coffee Makers.

I can agree with what you wrote here sometimes. For an ISP’s Data Centre or a Large Multinational Company this can be true. Having an all in one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such case having two layers of clustered UTM’s from different vendors can protect them when complexity leads to a vulnerability in one box.

I wanted to cover this because UTM is actually a different animal than what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.

Application firewalls have their own unique places. True, they definitely should not be lumped onto the controls you are using to separate your environments. But application firewalls serve the purpose of, to use the terms loosely, deep-packet inspection and correlation directly associated with that specific application. These controls should be deployed directly in front of the application or application farm so that they can provide the most protection.

Now, as I mentioned, UTMs are a different animal. They are taking the controls we are talking about separating and, although placing them on one device, keeping them separate. I imagine that when deployed correctly no one component of the system has administrative access to the complete system. UTMs should be deployed so that while working the controls in parallel they are also passing the information off to controls that operate within their role with lesser privileges than the central system. So, technically, in the spirit of my original argument, UTMs are acting correctly. Although we do get back to the whole single point of failure issue, that can be addressed by high availability.

Tarek, I think the real trap you are falling into is expanding the cost of your security controls by recommending separate UTMs within the same environment. Now, I do agree that having two would help reduce some risk, but not enough to offset the cost of the system, its installation, the training of employees, documentation of configuration, and many other things involved with deploying a solution. I imagine that deploying a UTM is in and of itself a very complicated task and organizations will have their hands full implementing one. Adding a second would just be cruel. Actually, by making this recommendation, you may be burning your bridges with your management. Remember, your management is going to be evaluating risk to reward and cost as well. If you are making recommendations that SIGNIFICANTLY increase cost and complexity without reducing risk SIGNIFICANTLY, you are running the risk of your management labeling your security group as a liability rather than an asset. Although this may not be true of your organization, I would think twice before making the dual UTM recommendation.

Go forth and do good things,
Don C. Weber


Quit Complicating Our Controls

December 1st, 2007 cutaway Posted in Data, Firewalls, IDS, Management, Security 7 Comments »

After reading LonerVamp’s take on the application aware firewall, I started to wonder why people constantly want to consolidate their controls. This is not a new debate, and DarkReading’s article Firewalls Ready for Evolutionary Shift is not ground breaking, as the integration of firewalls and other security technologies has been bouncing around for years. Indeed, here we see Marcus J. Ranum talking about it on “Date: Fri, 29 Mar 2002 12:00:29 -0500”:

I suspect you are referring to “intrusion prevention” - which is a hot new marketing term but basically everything that’s being billed as “intrusion prevention” is just firewalling + antivirus with a bit of fresh paint on it.

I’m willing to bet he has changed his tune a little bit since then, but the evolution of firewalls with additional integrated controls has been going on since 2002 at least.

Of course I can see why people desire to integrate the technologies.

  • It is more cost effective to have two or more technologies on one piece of hardware.
  • You only have to manage one box.
  • The controls can augment each other more effectively and efficiently (according to the advertising on the box).
  • Firewalls usually represent a choke point to external and potentially hostile environments.
  • Vendors can market it as the Silver Bullet (no relation to Gary McGraw’s podcast) of controls.
  • “The next-generation firewall will have greater blocking and visibility into types of protocols,” says Greg Young, research vice president for Gartner.
  • etc

Well, I have a problem with all of this. Why are we making our controls more complex? Complexity leads to vulnerabilities. Vulnerabilities lead to exploits. Exploits lead to compromises. Compromises lead to loss.

Certainly, everything has vulnerabilities. But that is my problem with placing multiple controls on one system. Fine, if my firewall has a vulnerability then it can be bypassed and my organization is screwed until we can respond. But I would prefer that my firewall was not bypassed because of a vulnerability in another control like a protocol analyzer or an intrusion detection system. Oh wait, these will be newer technologies with better software development practices so there should not be any additional vulnerabilities that allow for exploitation of the system or bypass of the controls……RIGHT!!!!

Don’t get me wrong. I am all for developing new technologies that will allow organizations to analyze their traffic so that they get a better picture of what is traversing and exiting their networks. I just think they will be more effective if they are deployed so that they augment each other’s control measures instead of threatening them by increasing the risk through complexity. Controls should reduce risk, not increase it.

So, when considering how to protect your data please do not cut corners. Evaluate your data distribution and dissemination, consider your architecture, determine which controls will increase efficiency while increasing security, and then deploy those controls so that they augment each other effectively.

Go forth and do good things,
Cutaway


Information Security Consultancy - Market Analysis Summary

September 10th, 2007 cutaway Posted in Management, Security, consulting 3 Comments »

In an attempt to understand the business process better I have recently been working on a business plan for an information security consultancy. I have based the plan I am working on around a sample business plan I found through Bplans.com titled Computer Consulting Business Plan. This is a business plan for an actual IT business and modifying most of the sections has not been very difficult. That is, until I came to the Market Analysis Summary section. It was quickly apparent that I would not be able to cut, paste, and modify the information provided as it did not represent what comes to my mind when I think about the information security market.

After a little looking around, however, I determined that there is not much information available concerning information security consultancies.  The closest thing that I could find were articles written about Managed Security Service Providers.  Although the customers and services are close, there are still several differences between MSSPs and a consultancy that need to be taken into consideration.

According to the business plan that I am following, a Market Analysis Summary is performed by analyzing Market Segmentation, Target Market Segment Strategy, and Service Business Analysis.  If I am reading this correctly, the basic gist of a Market Analysis Summary is to help determine who the business will target, what services it will provide to these targets, and which competitors will be offering similar services to the targets.  In an effort to determine if I am correct, and to provide more information online, the following is what I have written to satisfy the Market Segmentation and Target Market Segment Strategy sections.  I am hoping that people will comment and let me know if I have forgotten something, misinterpreted something, wandered off the path, or completely misunderstood the goal.


Market Analysis Summary

I.  Market Segmentation

  • Individuals - Many people are concerned about how they are
    affected by hackers and identity thieves. But outside of training and
    user awareness this is probably not the most lucrative group. Although
    some individuals may be worth taking on as clients, usually these will
    fall into the Home Office group. Barring allowing people to come to
    group training sessions, this group should be avoided unless absolutely
    necessary.
  • Home Office Businesses - The largest and fastest growing
    segment, this segment is obviously defined as small businesses that are
    based primarily out of the owner’s home. This is not the same as simple
    home computer users. Small quick resources should be developed to
    facilitate plug-in-go solutions such as Linux Linksys Wireless Routers,
    pfSense firewalls, secure desktop builds, etc. This group would benefit
    from weekly and monthly email alerts. Baselining and external
    assessment is a possibility but not likely.
  • Small Businesses - Defined by the government as businesses
    with 1 to 99 employees. This group could also benefit from the
    plug-in-go setups mentioned for the Home Office group. Larger
    organizations may require more advanced solutions such as central
    logging, IDS, email servers, SPAM filters, more advanced network
    design, etc. Larger organizations may also require policy development.
    This group could also benefit from training and customized email
    alerts. Baselining and external assessment may be feasible on a monthly
    or yearly basis.
  • Medium Businesses - 100 to 499 employees. Same as Small
    Business only more likely to be dealing with administrative personnel.
    These will most likely lean toward baselining and assessments after
    review and mitigation. Possibility for pentesting. Possibility for more
    advanced and frequent training.
  • Large Businesses - 500 or more employees. Same as Medium Businesses.

II.  Target Market Segment Strategy

The following image (the original image has been split for display purposes) is an attempt to break down the different types of businesses and the security services they might require. Each color is significant in that it ties the two lists together. Each business, or actually each regulatory requirement, is linked via color to the services that the business subsection is most likely to purchase. This is definitely different from the services that regulations say they are required to perform in order to be compliant.

Market Needs

The list of security related services can be broken down into a specific list of business needs.

  • Training for technical and nontechnical staff.
  • Implementation of business and security related technologies.
  • Assessments for determining state.
  • Auditing to determine/ensure compliance with policies and regulations.
  • Development of policies.
  • Development and implementation of incident response.
  • Research into the security of current and future technologies.

Market Trends

Drivers of the Security Market Place in order of importance to a small security consultant company.

  1. Increase in consequences for technological and non-technological breaches.
    • Identity Theft
      • This issue will drive the development of new regulations or the modification of current ones.
      • Changes will increase individual responsibility in the form of monetary and criminal penalties.
    • Theft of Intellectual Property
      • Affected by the dynamic technological growth in third world countries.
        • Increased the flow of money in and out of these countries.
        • Allowed cost effective education to reach remote locations.
        • Expanded the level of connectivity to remote locations.
        • Raised the need for rapid technological advancement to keep pace with more advanced companies.
      • Affected by differences in societal belief systems.
        • Military espionage is usually only illegal when it is
          occurring against the victim. Politics always provide plausible
          deniability.
        • Some countries believe that business espionage is a part of the game and therefore acceptable.
    • Service Availability
      • Customers want a product or service “right now.”
      • Customers will most often go some place else if the product or service is unavailable even for a short period of time.
      • It is fairly easy to adversely and anonymously affect online availability.
  2. Security evolving into a part of job descriptions and duties.
    • Security related projects are funded infrequently or not at all in small and medium businesses.
    • Administrators and managers are increasingly expected to be
      responsible for security considerations, thereby negating the necessity
      for extra personnel.
    • Outside help in the form of consultants, MSSPs, or Value
      Added Resellers (VARs) is brought in for development and deployment or
      when necessary for very specific projects such as regulatory auditing.
  3. Rapid Growth of Technology
    • Number of non-security and security related products.
      • Difficult to send people to training on each and every product.
      • Understanding a product does not necessarily mean the person understands how it fits into the overall deployment.
      • Products often lack sufficient security evaluations.
    • Need for advanced web applications
      • These are great for online businesses.
      • Are often complex.
      • Often have been rushed to market and lack sufficient security evaluations.
    • Diversity has increased attack vectors.
      • Each product has individual and often unique considerations.
      • This has caused the rapid increase in software and hardware analysis tools that are used by good and bad guys.
  4. Growth of Managed Security Service Providers.
    • Provide businesses with the option to outsource all or part of their security solutions.
    • Medium and large MSSPs can pull from a pool of experienced professionals and then tailor to the specific needs of a business.
    • Medium and large MSSPs are willing to pay for security research as a service to customers and for marketing purposes.
  5. Government security driven by the security of commercial solutions. I marked this low because of my lack of experience in security research; otherwise this might have been placed as high as #2.
    • This will have to be addressed at some point.
    • May mean network separation from the Internet, but this will have a bigger effect on telecom consulting firms.
    • Will mean an increase in code and product review and analysis.
    • Will generate business for large firms and MSSPs.
      • These companies will have to augment by purchasing or hiring smaller consultant firms.
    • Vulnerabilities in products may start to affect payments and bonuses to vendors and resellers.
      • This will drive vendors to increase code and product review and analysis.

Market Growth

Although there is not much to find referencing growth in information security consulting, there are several references to the increase in businesses turning to MSSPs for solutions.


Go forth and do good things,
Cutaway



Writing About Security Processes

August 28th, 2007 cutaway Posted in Management No Comments »

I have been very challenged lately to come up with good ideas for articles.  A recent project to control sensitive information has forced me to set aside technological endeavors and concentrate on interacting with executives, administrators, and end-users.  Although I am sure that some of you would be interested in how we are moving forward with this effort I have to say that I am very bored with the process and I find it hard to write about.  Sure, every once in a while I get an interesting conversation, but generally I find myself repeating the same things over and over for most of the day.

  • “This is a new process and we are aware of that issue already.  We will address it in the near future.” 
  • “Please call the help desk.  They can walk you through the installation.”
  • “Please read the documentation provided by the software vendor.”
  • “We are in the process of developing additional guides and documentation associated with the recommended software.”
  • “Only you can determine if the file contains sensitive information and if it is necessary for you to maintain a physical or electronic copy.”
  • “Yes, I understand the compliance date is inconvenient and you will have a hard time meeting the deadline.  You will have to take that up with your supervisor so the information can be passed up the chain of command.”
  • “Yes, the search tool is subject to false positives and false negatives.  This is common behavior and we are aware of it.  Please take this into consideration when you are using the tool and reviewing your files.”
  • “If you think it is a system file please do not delete it.  Most likely
    it is a false positive, and if you delete it without confirming that it
    contains sensitive information that you no longer need, your system
    might become unstable and you may lose everything you have not backed
    up.”
  • “This is a process issue and not an IT issue.  Please be sure to review your processes for collecting, sending, storing, and destroying sensitive information.”
  • “Please check with your manager before encrypting any data.  You will also want to consider how you are going to protect the password or passphrase you use.  If you forget the password then you will not be able to access the information, ever.”
  • “Department managers have to take responsibility for the processes within their departments.  The people using the processes on a daily basis will continue to do their jobs as they have been told and trained.  They will not initiate change.  Only the managers can initiate change.”

I know that this is just a part of the process.  Heck, I think the boredom comes from the whole thing running fairly smoothly.  I guess the biggest pain is the fact that there are other things I would like to start working on, but spending time on the questions or getting information online really takes a bite out of the day.  Patience is the key.  Monitoring the process while it runs its course is just as important as initiating it and wrapping it up.

Go forth and do good things,
Cutaway



Responsibility Challenged

August 18th, 2007 cutaway Posted in Leadership, Management 1 Comment »

One of the things that I don’t understand is how people can justify not taking responsibility for their actions or for the people who work for them. Here is an excerpt of a conversation I had at my job the other day. The story behind the lead up to this conversation is the beginning of an initiative to locate social security numbers distributed throughout the organization and identify whether they are necessary. The leader of the organization (let’s call him the CEO) had sent a list, to all employees, of things that were going to be done to help control sensitive information. Following this email I sent out a form employees needed to sign saying that they understood their responsibilities related to sensitive information, a permission form to identify storage areas containing this information, and a list of software that could be used to locate, store, and remove this information. This initiative was in response to the first item on the CEO’s list.

This is not verbatim. I am recreating the conversation from memory.

Department IT Person: Why didn’t this initiative come from the CEO?

Cutaway: Well, it did, this was the first item on the list he sent out.

Department IT Person: Yes, but what you sent didn’t have his name on it. This came from your office. It didn’t come from the CEO.

Cutaway: Yes, he stated it would be coming from IT which I am a part of.

Department IT Person: I know, but it didn’t come from his email address.

Cutaway: Yes, but I began the email with his name and I pointed to the original list.

Department IT Person: But it didn’t come from his office. How do you expect me to get anybody to want to do this?

Cutaway: That is not my problem. This is an organization wide initiative. You are responsible for implementing it within your department.

Department IT Person: But it didn’t come from the CEO.

Cutaway: Your perception is not my problem.

Department IT Person: But don’t you think it would be more effective if it came from him directly?

Cutaway: This is how we have decided to respond to his first item. He cannot be expected to do everything. This is me doing my job. I cannot help how you perceive my office or respond to this initiative. But this is how the organization is moving forward with protecting sensitive information.

Department IT Person: Well, what are the consequences if somebody doesn’t do this? You don’t list any consequences.

Cutaway: The consequences are spelled out in the organization policy.

Department IT Person: Yes, but you don’t state it on any of this documentation.

Cutaway: The consequences are already spelled out in the policy. We don’t like to reprint them to avoid contradictory statements.

Department IT Person: So, what are the consequences?

Cutaway: They are spelled out in the policy.

Department IT Person: What are they?

Cutaway: Well, I guess ultimately you can get fired.

Department IT Person: So, if somebody doesn’t sign the document they will immediately be fired?

Cutaway: No.

Department IT Person: I don’t understand.

Cutaway: Well, if somebody doesn’t sign the document then they will be forbidden from interacting with sensitive information and possibly any information resources. This could potentially mean that they cannot do their job. What would your department do with a person who could not perform their duties?

Department IT Person: *does not respond*

Cutaway: Well, I imagine that you would fire the person.

Department IT Person: So, who is responsible for implementing the consequences?

Cutaway: Your department.

Department IT Person: My department?

Cutaway: Yes, your management is responsible for managing itself.

Department IT Person: I don’t understand.

*At this point I could only think of one thing to say.*

Cutaway: I’m sorry, that is not my problem.

Was that the best way to leave this conversation? Probably not. But I was getting a little frustrated. It was obvious that this person just did not want to accept the fact that their department was going to be held accountable for managing their information or personnel. This is a very common perspective in the university environment that I find hard to understand because of my military background. I would expect a different attitude, especially with all of the universities that make the news due to information disclosure.

Fortunately for me the organization I work for has recently experienced an information disclosure so the majority of the personnel are extremely receptive and grateful that control and responsibility requirements are being implemented. I am actually very impressed that this has been the only push back that I have received thus far in association with this initiative.

What is the lesson to be learned from this conversation? Well, some people are just not going to understand or want to understand. The old way of doing things is, to them, the best way of doing things. Security professionals need to understand this when they are contemplating their responses. At the same time I don’t think that people should be coddled. Most people respect straightforward and consistent responses. That is what I was actually trying to accomplish here. I pointed out the history of the event. I pointed out that individuals and departments are responsible for accepting responsibility. And I didn’t backpedal when confronted on the issue. I didn’t make my statements in a confrontational or uncaring way. I maintained my tact throughout the conversation. One thing I could have done is try to end the conversation on a more positive note. I could have complimented the person on having the conversation and being open to new ideas and initiatives.

Go forth and do good things,
Cutaway
