Compliance does not Equal Security

When I read items like this:

Agarwal said NoMoreRack is now in the process of certifying itself this time as a Tier-1 merchant, even though the number of credit and debit cards it processed in 2013 placed it squarely in the Tier-2 range.

I get frustrated. While I understand that compliance is necessary and important, companies still need to understand that being compliant does not mean you are secure! There is more to it than that. In too many cases compliance is just a check box that makes senior management feel better about the overall state of organizational security.

Excelsior National Cyber Security Institute

In December 2013 I was named a fellow for the Excelsior National Cyber Security Institute.

http://www.nationalcybersecurityinstitute.org/fellows/

Short ISO Presentation

Fun Story about UC Cyber Warfare Game

Ok, so I wasn’t going to share this but I sort of think it’s pretty neat. My friend Quinn and I started an urban legend at the University of Cincinnati from my class’s first cyber warfare event years ago. One of my current students just posted the following item in a class I am teaching. This is a story that is really about the first Cyber Wargame that I ran at UC as part of my Information Security course. Quinn was the defender and I believe Karl Hart was the attacker – it was a great event. What is even greater is that it has now taken on UC “legendary” status. 🙂
============================================

I am reminded of a story my Computer Networking teacher, Mr. Tom Moore, gave to us one day in class. He spoke of a game they played, I don’t remember whether it was at UC or his workplace, but he said that they would divide IT professionals into 2 teams, one “hackers” and one that protected data. He was on the hackers team. Well the protectors were allowed a certain amount of time to design security for the system they were trying to protect, and thereafter the hackers got their shot. Well the hackers tried and tried to break the security through their hardware but to no avail. Finally, Mr. Moore was on a break and happened to walk by the room the protectors were in (they were set up in different rooms of a building) and realized no one was in there. He tried the door but it was locked. However, another faculty member, unaware of what was going on, walked by and Mr. Moore asked her to unlock the door. She did and he notified his team who came and stole all the equipment they had. They then broke into the machine, got the data, and won. He used the Bill Gates quote “if I can get access to your computer I will own everything that is on it” and it stuck with me. This story is a prime example of having physical controls in place, and not just one. It is important to make sure your equipment and data are both safe from harm.

Department of Homeland Security, Fusion Centers & the Cyber Security Liaison Program: A sharing of intelligence

By: Kevin L. McLaughlin

March 9, 2013

The amount of data available through electronic means is hard to wrap your mind around, and even more daunting is figuring out how to gather and collect the disparate pieces of data that exist in organizations that have suffered a cyber attack or some other negative cyber event. The reality of the internet and its associated connectivity is that if one organization is experiencing a certain type of cyber event, so are a lot of others. The puzzle of how to share attack information with others and, more importantly, receive actionable information about attacks other organizations are seeing is one we need to solve if we want to mitigate or reduce the cyber attacks launched against our organizations to a manageable level. An issue felt by private corporations is that they do not perceive that a safe harbor exists for sharing information that may be of interest to the intelligence community. There are some private sector partners who are heavily involved in information sharing programs such as the National Council of ISACs (http://www.isaccouncil.org), the National Initiative for Cybersecurity Education (NICE), the NIST National Cybersecurity Center of Excellence and the DHS National Cybersecurity and Communications Integration Center (NCCIC), all of which are good starting points for providing private sector Information Assurance professionals with avenues into the cyber security information reporting pipeline. One of the primary issues with most of these programs is that they are, even if inadvertently, almost exclusively focused on critical infrastructure partners.
This focus on critical infrastructure, most likely prompted by the Cybersecurity Act of 2010, which is in place to increase collaboration between the public and the private sector on cyber security issues (Jilani, 2011), leaves other private organizations wondering what they should do with the myriad data captured by their security alerting infrastructure. “What can businesses and Uncle Sam do, together, to reverse this dangerous trend? There must be three areas of immediate focus. First, the public and private sectors need to share more information – more parties must be included and new platforms used” (Bataller, 2011; Newbill, 2008). Items such as large scale data loss to a foreign country are often remediated with no mention of the event made outside the corporate walls.

The U.S. Department of Homeland Security (DHS) has established Fusion Centers across the country to collect, analyze, and share information that assists in preventing, protecting against, and responding to crime and terrorism. These Fusion Centers often work in coordination and partnership with urban or regional Terrorist Early Warning Groups (TEWGs) so that relevant terrorism information can be processed, analyzed and shared quickly. Oftentimes the Fusion Centers work closely with US-CERT (http://www.us-cert.gov/) to share information about cyber incidents and relevant data, but once again the majority of the education and use surrounding this partnership is focused primarily on federal agencies and private sector critical infrastructure partners.

On a daily basis we hear about a major negative cyber event (denial of service against the CIA website, denial of service against the U.S. Treasury website, the U.S. Census Bureau being hacked, China stealing yet another item of sensitive data, WikiLeaks, etc.) experienced by a U.S. federal, state, local, private or non-profit institution, and the significant negative impact caused by that cyber event. With the cyber threat being espoused by many senior U.S. government officials as one of the most significant threats to the homeland, it is understandable why cyber crime and negative cyber events are items of great interest to DHS and the Fusion Centers. Unfortunately, in the author’s experience as a private sector partner who was tightly involved with regional and state Fusion Centers, there is a limited structure outside of the federal government and law enforcement agencies for passing information along to these regional Fusion Centers, and an even more limited structure for the Fusion Centers to pass actionable warning and cyber event data to the non-government organizations in their area of responsibility (AOR). Even if a structure for bi-directional information sharing were in place, the private sector WIIFM (what’s in it for me) factor still needs to be addressed; without an incentive for taking the time to fill out a basic event information report and send it to their local Fusion Center, very few cyber security professionals will do so. Further, it is difficult for private sector resources to get the clearances necessary to receive effective and relevant information from their Fusion Center partners.

In early 2011 the University of Cincinnati’s (UC) Office of Information Security (OIS), in partnership with their state of Ohio and federal DHS liaisons, came up with a plan and program to make it simple for the private and educational sectors to share negative cyber event data with their regional Fusion Center. The UC model proposes that every organization, not just critical infrastructure partners, that has a cyber security person or team provides a Cyber Liaison Officer (CLO – pronounced See-Low – name credited to Greg Seipelt, ISO at UC, 2011) to attend quarterly CLO group meetings with their regional Fusion Center liaison. These meetings are used to share information, to build strong working relationships and an understanding of why the cyber events within their organizations are of tremendous value as intelligence to their brethren across the U.S., and to educate each other on the concept that knowledge is understanding and that sharing cyber event knowledge will allow them to design more effective defenses and protection for their organization’s cyber infrastructure and its associated data.

The CLO program can be used to establish a private sector web reporting infrastructure that allows each identified CLO to create a Cyber Event Report (CER) quickly and easily and then, with one push of a button, submit that report to their regional or state Fusion Center for analysis and, if appropriate, further dissemination. Two types of actionable reports could then be created by the Fusion Center, classified and unclassified; the unclassified reports can be sent broadly from the Fusion Centers to their CLO partners, focused on providing actionable intelligence to the CLO community.

An example of how this concept works can be seen in the following hypothetical story.  

The day was proving to be an exciting one for Team Havoc, the ACME Company’s cyber Red Team, as the cyber attack they had launched against ACME’s premier web application pwnd it and provided deep access to the information in ACME’s core research database. Glacier, the Red Team leader, was evaluating the successful compromise and figuring out how ACME could best remediate the vulnerabilities his team had just found when he noticed an abnormality in the data stream he was analyzing.

“Hey Blackout, come over here.” Blackout was the team’s best data stream analyst. “What’s up boss man?” “Take a look at this streaming data; it looks like it’s already outbound for a foreign IP address. I’m thinking we’ve already been hacked and have a serious issue here. What do you think?” “Whoa boss man, that’s one pretty little hack job and yea, it looks like we just lost all the research data on Project X.”

Glacier notifies ACME’s Cyber Incident Response Team (CIRT), briefs them on the incident and sits down to write his internal report. Glacier, being ACME’s CLO for the local Fusion Center, then opens his web browser after finishing his internal report, goes to the Fusion Center’s reporting application and provides an ACME-approved sanitized version of the Project X hack that includes all the detail on the attacker and the type of attack used but more generic information about the attack vector and what may have been compromised. Glacier knows that his Fusion Center contacts don’t really care about ACME proprietary information, employee names or anything like that; they just want enough information to understand the hack and pass it to the rest of the U.S. CLO community so they can establish proper prevention measures against it, or detect whether their own organization is suffering from the same negative cyber event.

The upside to the private CISO community is that they now get relevant and verified data from across the country, and DHS can cover the WIIFM for their private CLOs by providing their qualified security resources, many of whom held Secret and Top Secret clearances in the past, with updated and reactivated clearances. Yes, there is a cost to the government agency to do the clearance checks, but this is a commodity that no one else can provide to the ex-Special Agents, ex-military, etc. who have moved into the private sector, and the draw of maintaining one’s clearance level seems to be continuously undervalued by federal agencies who remain puzzled as to why they can’t get enough interest in their programs. Those of us who have proudly served, who are strong patriots and who now find ourselves working cyber security operations in the private sector are ready to continue serving, but we need to demonstrate a clear value add to our corporate leaders and to ourselves.

Bataller, Erik. (2011). Cyber Partnerships. InformationWeek(1295), 21-24.

Jilani, Salman Shah. (2011). Cyber Security. Southasia, 15, 51-52.

Newbill, Raymond. (2008). Intelligence sharing, fusion centers and homeland security. DTIC Online.

Conceptual assistance rendered in conversations with my friend and colleague Greg Seipelt, University of Cincinnati Student and Cyber Security Professional and with my University of Cincinnati students who participated in all of our Red vs Blue Team Cyber Security events.

© Kevin L. McLaughlin – properly cited use is encouraged

Why Is It?

Why is it that Internet crime statistics continue to show that, for the criminally inclined, internet crime is a very viable and fast growing field?

Why is it that millions of dollars are stolen from end users who simply fail to pay attention to the basics of Information Security like strong pass-phrases and “don’t click the link”?

Why is it that in March of 2010 there was a breach of university students’ personally identifiable information (PII) in which over 3.3 million identities were stolen?

Why is it that in 2012 there was a breach of over 6 million IDs from the state of South Carolina IT Infrastructure?

Why is it that online banking theft is at an all-time high, with thefts against mid-size businesses and metropolitan areas taking center stage?

Why is it that even though unheard-of amounts of information are being stolen daily, non-cyber security professionals are still very vocal in explaining to experts in the field of cyber security why passwords, pass-phrases, encryption and other basic controls don’t work and are too cumbersome?

  •  Yet in most breach cases, if basic information security controls and best practices like defense in depth had been in place and followed, the breach would not have occurred

Why is it that the non-Cyber Security professionals’ opinions on which Cyber Security controls are important are often given more weight within an organization than the Cyber Security professionals’ opinions?

Why is it that Senior IT and Business managers within an organization still won’t listen to the Cyber Security professionals they employ when it comes to building and maintaining an effective security and control infrastructure?

Why is it that Cyber Security professionals still don’t have the voice they need within most corporations (Government, Public and Private) to actually protect the organization’s data?

Why is it that blame for failure to protect corporate data is quick to be placed on the shoulders of Cyber Security professionals who weren’t listened to in the first place?

Why is it that as experts we really do have the knowledge and ability to protect sensitive corporate data but in most organizations we are not given the power to do so?

Why is it that rhetorical questions are not answered?

© Kevin L. McLaughlin – properly cited use is encouraged

The Talent Within

11/8/2012

In his book “Topgrading: How Leading Companies Win by Hiring, Coaching and Keeping the Best People” (2005), Dr. Smart talks about how important it is for a company not only to hire A level talent but to keep and retain them through the years. I have had the good fortune to work for a company that was very good at this: not only did they hire and retain A players, they had a very good internal training program to make sure that the A players they hired were trained and taught the new roles they moved into, in order to lessen the knowledge gap and learning curve for the new position. In this environment efficiency, streamlining, agility, and solid, well followed processes were the norm. Needless to say this is a good environment for a talented knowledge professional to work and grow in. The basic idea was to hire and surround yourself with great and talented A performers and then allow them to make decisions and drive systemic change on an ongoing basis. To me this process of hiring smart and talented people and then promoting them as next-step openings become available makes a lot of sense.

Unfortunately, throughout my professional travels what I have often observed is that even in companies with great training programs that espouse the philosophy of growing talent from within, there is a strong psychological tendency to look outside for the next professional with a briefcase (that’s an old joke about how your own company or organization never views you as an expert or qualified candidate, even if the rest of the nation views you that way) and bypass their internal talent pool.

What a lot of the VPs and directors who are hiring do not realize is that if you have an A player on your staff who is one level below the position you are filling, they will succeed if you put them in the position, even if they have some knowledge gaps; that is pretty much what A players do. I know, a lot of you who are reading this are scratching your heads and thinking about all the times a resource was promoted beyond their ability, and wondering how that fits in. The answer is simple: they weren’t an A player, or they were an A player who inherited all B and C players and wouldn’t aggressively cull the herd.

Both competent B performers and lower level C performers, especially ones that are non-performing, destroy any possibility of creating a high performing team. These less talented professionals don’t create this less-than-successful environment on purpose; it is just that they really don’t understand the higher level connections and thought process of the A player, and they end up being more of a hindrance and distraction to overall success than a key component of it.

There is research study after research study showing that if you have 90+% A players in your management ranks you will be extremely successful in your team and corporate endeavors. That being said, I continue to scratch my head when I see organizations with A level talent available to move into a next-tier open position go out on a public search to fill the position. A level talent is very hard to find, and to think that you are going to find it more readily outside than in the workforce that has been with you for an extended period of time is simply naive. What typically happens is that an experienced director or VP is brought in from the outside and, after a short amount of time, they show that they are a B or low-level C talent. Even more mind boggling to me is that none of the people responsible for bringing this less-than-high-end performer into the organization want to admit to making a bad hire, so they live with the impact an under-talented manager brings to their organization. The outcome of such a decision is that their true A players are driven from the organization and take their talents to a competitor, where they are typically extremely successful working and managing at a level their previous employer would not promote them into.

Organizations really need to take a good look at their talent retention programs and give them more than just lip service; they also need to realize that all forced ranking systems do is allow the B and C players to figure out sly ways to sabotage their talent pool of A players. As Ken Blanchard says, organizations should help all of their “employees earn a grade of an A”; in my opinion the Blanchard approach to talent management will more readily allow you to identify and distinguish between the A, B and C players in your talent pool.

© Kevin L. McLaughlin, properly cited re-use is acceptable

In Cyber Crisis

We are a country in crisis when it comes to adopting adequate Information Security practices. I am not an alarmist, but when I review the Cyber Security update that my team compiles and sends out a couple of times per week and see multiple breaches in every update, and when I see reports like the one conducted by Adam Dodge or the Verizon report that show steady amounts of information security breaches every year, I have come to believe that we are a country in cyber crisis.

Puzzling to me is that for some reason we, as a society, have decided that the safeguarding of personal information should be a soft skill done by committee instead of by the certified and trained professionals we hire into Information Security roles. Interestingly enough, the members sitting on the committees making Information Security and data protection decisions are often not Information Security professionals. To use an analogy, it seems that instead of deferring to our qualified “pilots” we are allowing the passengers to fly the airplane without giving them flight instruction first. If we really want to protect our corporate data then we cannot keep making Information Security decisions, such as whether Personally Identifiable Information (PII) should be encrypted, by consensus. We also need to see the cost benefit of hiring Information Security professionals and then listening to their advice. Due to a large data breach, the State of South Carolina recently ended up paying $12 million that could have been put to better use; they could have asked any of us Information Security professionals whether the data they lost should have been encrypted at rest and in transit, and saved $12 million. Instead (and this is pure conjecture on my part) they probably decided not to do so by a consensus of the CIO and other IT professionals, none of whom were trained Information Security professionals.

In my personal life I refrain from telling my accountant how to complete my taxes or telling my surgeon where and how to make her surgical cuts. If we truly want to protect our data, or the data we are entrusted to safeguard, it is time for our communities to start adopting the course of action that Information Security professionals and Information Security standards advise. If we don’t start allowing our certified and trained professionals to specifically mandate how organizational PII, intellectual property and e-PHI, collectively referred to as restricted data, should be protected, we will continue to allow this data to be lost or stolen.

While there is no silver bullet that will prevent 100% of this type of data loss, most experienced and certified information security professionals know that there are many controls and safeguards we can put in place, if allowed to do so, that will minimize the loss of restricted data.

Note – my use of the words Information Security is synonymous with Information Assurance.

© Kevin L. McLaughlin, properly cited re-use is acceptable

A Myth of Information Security: All data needs to be protected!

When you think about the total amount of data that flows across an organization on a daily basis, protecting all of it becomes a daunting, if not impossible, task. It is hard to wrap one’s mind around how much a gigabyte of data is, let alone conceptually understand a terabyte! It seems that current regulatory requirements and Information Security professionals are saying that all this data needs to be protected. Not true… that is a myth generated to scare the masses! For most business units and organizations the reality is that only 5-10% of the data that traverses their infrastructure or sits in electronic and physical filing cabinets is sensitive enough to need protection.

How do we differentiate between data that needs to be protected and data that does not? One answer is to embrace an enterprise-wide data classification scheme that allows the owner of the data to decide which of their data should be treated as:

  • Highly Restricted
  • Sensitive
  • Public

Once data owners classify their data they can make smart choices about which data to protect very tightly and which data to protect less rigorously. This also lets data owners save money by purchasing tools or establishing business processes that protect the 5-10% of data requiring extra protection, rather than trying to protect 100% of the data flowing through their work areas.

By focusing on the small amount (5-10%) of data that truly needs to be protected we can lessen the complexity and obtrusiveness of data protection and regulatory compliance while reducing the cost in people, time and dollars. This reduced focus and scope is beneficial to the organization’s bottom line.

Yes, there is certain data that we are legally required to protect and secure, and doing so can require small sacrifices and inconveniences on our part, similar to having to wear a seat belt when driving a car. However, if we focus our attention and tighten security on the small percentage of data that needs to be protected, we might actually find out that there really is such a thing as a cost effective Information Security program.

© Kevin L. McLaughlin, properly cited re-use is acceptable

Common Sense Requires No Policy

As a senior Information Security professional I am often asked if we should have a policy that requires our Business Community members to do “X”. In many of these cases the person is asking for a policy to be written that says things like: Business Community members will adhere to the laws surrounding the safeguarding of regulated data, or Business Community members will not disclose a person’s private medical information to 3rd parties. Now, when asked a question about something people would commonly agree on, such as whether I really have to follow federal and state laws while at work, I have to wonder why we would want to implement a policy telling people to follow their common sense. Really, shouldn’t a person’s common sense kick in and make them very aware that they are not allowed to break a law just because they are at work?

I am not saying we don’t need good, solid security policies; I strongly believe that policies are absolutely necessary as a way to share with our community the behaviors expected of them in the protection of organizational data. But these policies should:

  • Cover topics and areas that are “gray” and that without a policy would require people to guess at the right thing to do
  • Be written in such a manner that helps define what steps are necessary for our community members to show they are in compliance and showing due diligence in meeting the intent of applicable laws
  • Be enforceable and worthy of being enforced

It is important for Business Community members to follow their common sense in fulfilling their everyday duties and tasks; if they do so, the courts have ruled that they are most likely not going to be held personally liable for security breaches or security issues that occur. In the InfoSec field we call this safety net the principle of “due diligence” or being “prudent”, both of which are just other ways of saying making reasonable and common sense decisions. However, the courts have also ruled that failure to use common sense in the protection of data and the securing of an IT infrastructure is grounds for holding a person personally liable.

Companies are firing IT staff who have failed to use common sense in protecting data and securing the IT infrastructure they are responsible for. This makes it critical that, in areas where it is not clear what approach constitutes common sense, we protect our Business Community members by having policies in place that give them clear and concise instructions on what actions and activities they should or should not be doing. For example: if state law requires that we protect SSNs, we do not need a policy that says we have to protect SSNs, the law already says that, but we may need a policy that describes ways of protecting SSNs, such as using disk or file encryption, using a different type of identifier, database encryption of the field which stores the SSN, not storing or using an SSN in places where it is really not necessary to do so, etcetera.

Said another way, we should write policies that help non-security Business Community members understand what the common sense ways of protecting and safeguarding data look like. That’s just good common sense.
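Two of the SSN protections named above, encrypting the database field that stores the SSN and carrying a different identifier everywhere else, as an added Go example that is not code from this post or from UC; the SSNVault type, its methods, the "P-000001" surrogate ID format and the sample SSN are all constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// SSNVault is a constructed example: the SSN exists only as AES-256-GCM
// ciphertext, other tables carry a surrogate ID instead of the SSN, and
// lookups by SSN go through an HMAC blind index, never a plaintext column.
type SSNVault struct {
	aead     cipher.AEAD       // AES-256-GCM over the SSN field
	indexKey []byte            // independent key for the blind index
	rows     map[string][]byte // surrogate ID -> nonce || ciphertext
	index    map[string]string // HMAC(normalized SSN) -> surrogate ID
	nextID   int
}

// Both keys are 32 bytes; in a real deployment they come from a KMS/HSM.
func NewSSNVault(encKey, indexKey []byte) (*SSNVault, error) {
	block, err := aes.NewCipher(encKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &SSNVault{aead: aead, indexKey: indexKey,
		rows: map[string][]byte{}, index: map[string]string{}}, nil
}

var ssnPattern = regexp.MustCompile(`^\d{3}-?\d{2}-?\d{4}$`) // dashes optional

// blindIndex keys the SSN with HMAC so the index is useless without indexKey.
func (v *SSNVault) blindIndex(norm string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(norm))
	return hex.EncodeToString(m.Sum(nil))
}

// Store encrypts the SSN and returns the surrogate ID that the rest of the
// system should carry wherever the SSN itself is not genuinely required.
func (v *SSNVault) Store(ssn string) (string, error) {
	if !ssnPattern.MatchString(ssn) {
		return "", errors.New("invalid SSN format")
	}
	norm := strings.ReplaceAll(ssn, "-", "") // one canonical form per person
	idx := v.blindIndex(norm)
	if id, found := v.index[idx]; found {
		return id, nil // already stored: reuse the existing surrogate ID
	}
	v.nextID++
	id := fmt.Sprintf("P-%06d", v.nextID)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Nonce-prefixed ciphertext; the surrogate ID is bound in as associated
	// data, so a ciphertext copied onto another row fails to decrypt.
	v.rows[id] = v.aead.Seal(nonce, nonce, []byte(norm), []byte(id))
	v.index[idx] = id
	return id, nil
}

// Reveal decrypts the (normalized, dash-free) SSN for the few processes
// that genuinely need it.
func (v *SSNVault) Reveal(id string) (string, error) {
	row, ok := v.rows[id]
	if !ok {
		return "", errors.New("unknown surrogate ID")
	}
	n := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, row[:n], row[n:], []byte(id))
	return string(pt), err
}

// Lookup resolves an SSN to its surrogate ID without decrypting anything.
func (v *SSNVault) Lookup(ssn string) (string, bool) {
	id, found := v.index[v.blindIndex(strings.ReplaceAll(ssn, "-", ""))]
	return id, found
}

// StoredBytes returns the raw stored field, for inspection only.
func (v *SSNVault) StoredBytes(id string) []byte { return v.rows[id] }
```

Everything outside the vault (reports, tickets, other tables) carries the surrogate ID, which is the "different type of identifier" the post mentions, and only the vault's key can turn it back into an SSN.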

© Kevin L. McLaughlin, properly cited re-use is acceptable