In Cyber Crisis

We are a country in crisis with regard to adopting adequate Information Security practices. I am not an alarmist, but when I review the Cyber Security update that my team compiles and sends out a couple of times per week and see multiple breaches in every update, and when I see reports like the one conducted by Adam Dodge or the Verizon Report that show steady amounts of information security breaches every year, I have come to believe that we are a country in Cyber crisis.

Puzzling to me is that for some reason we, as a society, have decided that the safeguarding of personal information should be a soft skill that is done by committee instead of by the certified and trained professionals we hire into Information Security roles. Interestingly enough, the members who are sitting on the committees making Information Security and data protection decisions are oftentimes not Information Security professionals. To use an analogy – it seems that instead of deferring to our qualified “pilots” we are allowing the passengers to fly the airplane without providing them flight instructions first. If we really want to protect our corporate data then we cannot keep making Information Security decisions, such as whether Personally Identifiable Information (PII) should be encrypted, by consensus. We also need to see the cost benefit of hiring Information Security professionals and then listening to their advice. Due to a large data breach the State of South Carolina recently ended up paying $12 million that could have been put to better use; they could have asked any of us Information Security professionals whether the data they lost should have been encrypted at rest and in transit and saved $12 million. Instead (and this is pure conjecture on my part) they probably made the decision not to do so by a consensus of the CIO and other IT professionals, none of whom were trained Information Security professionals.

In my personal life I refrain from telling my accountant how to complete my taxes or from telling my surgeon where and how to make her surgical cuts. It is time, if we truly want to protect our data or the data we are entrusted to safeguard, for our communities to start adopting the course of action that Information Security Professionals and Information Security Standards advise. If we don’t start allowing our certified and trained professionals to specifically mandate how organizational PII, Intellectual Property and e-PHI, collectively referred to as restricted data, should be protected, we will continue to allow this data to be lost or stolen.

While there is no silver bullet that will prevent 100% of this type of data loss, most experienced and certified information security professionals know that there are many controls and safeguards we can put in place, if allowed to do so, that will minimize the loss of restricted data.

Note – my use of the words Information Security is synonymous with Information Assurance.

© Kevin L. McLaughlin, properly cited re-use is acceptable


A Myth of Information Security: All data needs to be protected!

When you think about the total amount of data that goes across an organization on a daily basis, protecting all of it becomes a daunting, if not impossible, task. It is hard to wrap one’s mind around how much a gigabyte of data is, let alone trying to conceptually understand what a terabyte of data is! It seems that current regulatory requirements and Information Security professionals are saying that all this data needs to be protected. Not true… that is a myth generated to scare the masses! For most business units and organizations the reality is that only 5-10% of the data that traverses their infrastructure or sits within electronic and physical filing cabinets is sensitive enough to need protection.

How do we differentiate between data that needs to be protected and data that does not need to be protected? One answer is for us to embrace an enterprise-wide data classification scheme that allows the owner of the data to decide which of their data should be treated as:

  • Highly Restricted
  • Sensitive
  • Public

Once data owners classify their data they can then make smart choices about which data to protect very tightly and which data not to protect as well. This also allows the site data owners to save money by purchasing tools or establishing business processes that protect the 5-10% of data that requires extra protection vs. trying to protect 100% of the data flowing through their work areas.

By focusing on the small amount (5-10%) of data that truly needs to be protected we can lessen the complexity and obtrusiveness of data protection and regulatory compliance while reducing the cost of people, time and dollars. This reduced focus and scope is beneficial to the organization’s bottom line.

Yes, there is certain data that we are legally required to protect and secure and doing so can require small sacrifices and inconveniences on our part, similar to having to wear a seat belt when driving a car.  However, if we focus our attention and tightened security on the small percentage of data that needs to be protected we might actually find out that there really is such a thing as a cost effective Information Security program.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Common Sense Requires No Policy

As a Senior Information Security professional I am often asked if we should have a policy that requires our Business Community members to do “X”. In many of these cases the person is asking for a policy to be written that says things like: Business Community members will adhere to the laws surrounding the safeguarding of regulated data, or Business Community members will not disclose a person’s private medical information to 3rd parties. Now, when asked a question that people in common would agree on, such as “do I really have to follow the federal and state laws while at work?”, I have to wonder why we would want to implement a policy to tell people to follow their common sense. Really, shouldn’t a person’s common sense kick in and make them very aware that they are not allowed to break a law just because they are at work?

I am not saying we don’t need good solid security policies; I strongly believe that policies are absolutely necessary and required as a way to share with our community the behaviors expected of them in the protection of organizational data. But these policies should:

  • Cover topics and areas that are “gray” and that without a policy would require people to guess at the right thing to do
  • Be written in such a manner that helps define what steps are necessary for our community members to show they are in compliance and showing due diligence in meeting the intent of applicable laws
  • Be enforceable and worthy of being enforced

It is important for Business Community members to follow their common sense in fulfilling their everyday duties and tasks; if they do so, the courts have ruled that they are most likely not going to be held personally liable for security breaches or security issues that occur. In the InfoSec field we call this safety net the principles of “due diligence” or being “prudent”, both of which are just other ways of saying making reasonable and common sense decisions. However, the courts have also ruled that failure to use common sense in the protection of data and the securing of an IT infrastructure is grounds for holding a person personally liable.

Companies are firing IT staff who have failed to make common sense decisions in the protection of data and the securing of the IT infrastructure they are responsible for. This makes it critical that in areas where it is not clear what approach constitutes common sense we protect our Business Community members by having policies in place that provide them with clear and concise instructions on what actions and activities they should or should not be doing. For example: if State Law requires that we protect SSNs we do not need a policy that says we have to protect SSNs, the law already says that, but we may need a policy that describes ways of protecting SSNs, such as using disk or file encryption, using a different type of identifier, database encryption of the field which stores the SSN, not storing or using an SSN in places where it is really not necessary to do so, etcetera.
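Two of the controls listed above, using a different identifier in place of the SSN and not storing the SSN where it is not needed, are easier to write into a policy when people can see what they look like in practice. The following is an added example written for this page, not the author’s code: a hypothetical `TokenVault` holds the only copy of each SSN and hands applications a random surrogate token plus a masked display value, so ordinary tables never carry the full number. The sample name and SSN are constructed, and encryption of the vault’s own storage (the field-encryption control the post also names) is assumed to be handled by the store and is not reproduced here.

```python
import re
import secrets

# Format check only; the SSN used below is a constructed sample, not real data.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Hypothetical stand-in for a separately secured token store.

    It holds the only copy of each real SSN, keyed by a random surrogate
    token. Encrypting this mapping at rest is assumed to be done by the
    store itself and is not shown here.
    """

    def __init__(self):
        self._ssn_by_token = {}
        self._token_by_ssn = {}

    def tokenize(self, ssn: str) -> str:
        """Return the surrogate for an SSN, minting one on first sight."""
        if not SSN_RE.match(ssn):
            raise ValueError("expected NNN-NN-NNNN")
        token = self._token_by_ssn.get(ssn)
        if token is None:
            # Random, so the token reveals nothing about the SSN digits,
            # while the same person still maps to one token for joins.
            token = "tok_" + secrets.token_hex(8)
            self._ssn_by_token[token] = ssn
            self._token_by_ssn[ssn] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the SSN; only the few processes that truly need it call this."""
        return self._ssn_by_token[token]


def mask(ssn: str) -> str:
    """Display form for screens and reports: last four digits only."""
    return "***-**-" + ssn[-4:]


def make_record(vault: TokenVault, name: str, ssn: str) -> dict:
    """Build the row an ordinary application table keeps: no full SSN in it."""
    return {
        "name": name,
        "ssn_token": vault.tokenize(ssn),
        "ssn_masked": mask(ssn),
    }


def record_exposes_ssn(record: dict, ssn: str) -> bool:
    """Check that the full nine digits do not appear in any stored field."""
    digits = ssn.replace("-", "")
    return any(digits in str(value).replace("-", "") for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values, not real data.
    row = make_record(vault, "Jane Doe", "123-45-6789")
    print(row)
    print("exposes full SSN:", record_exposes_ssn(row, "123-45-6789"))
```

The design point is that the application row can be copied into reports, backups and test systems without carrying the regulated value; `detokenize` is the one call that must be restricted and logged, which is a much smaller surface to write policy around than every table that used to hold the SSN.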

Said another way, we should write policies that help non-security Business Community members understand what the common sense ways of protecting and safeguarding data look like. That’s just good Common Sense.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Action, Not Inaction is What Being a Leader is All About

In the Model-Netics methodology by Main Event Management you are taken through a management course that makes use of standard, and what some would call common sense, management rules to demonstrate and teach how to handle a lot of the items that come a leader’s way during the course of a normal work day. Two of the Model-Netics rules that I feel need to be used more widely by Information Security leaders are the Action T.N.T rule and the Eighty Percent Rule. A lot of you are already familiar with the eighty percent rule, but, though familiar, it is seldom followed.

The Action T.N.T rule stands for Take Action Today Not Tomorrow and encourages leaders to take action as soon as they have sufficient information to decide on a reasonable course of action, and not wait in paralysis until they have absolutely every bit of information that it is possible to have before moving forward. For example: I once worked on a project that had a project lead who was one of these paralyzed types of individual, and after 16 months we were still in the planning phase and talking about the implementation of a technology that was leading edge when the project started but that was quickly becoming outdated. He finally recommended cancelling the project as the technology was no longer viable, and he was able to show how successful he was by not “allowing” a technology that was old to have dollars wasted on its deployment. He almost got by with that until one of the more astute executives asked him what the 5 million dollars he was given had been used for and what the 20 resources assigned to the project for the past 16 months had been doing.

The Eighty percent rule, which is also known as the 80-20 rule or Pareto’s Principle, is similar to the Action T.N.T method as it strongly recommends that leaders make a decision and start a course of action when they feel they have 80% of the information or 80% of the design completed, and not wait for the remaining 20% before starting. There are many right ways to complete a task, and neither the T.N.T. nor the 80-20 methodology suggests that adequate planning not take place before making a decision, but rather that action is taken in lieu of collecting more and more and more data that really has little impact on the leader’s overall decision. When I lead my team(s) on projects and work items I do not allow more than 3 weeks of planning to take place on even major projects; this ensures that once the planning is complete, action actually takes place that ends in completion of the final goal. This doesn’t mean that adequate planning is not completed – it just means that we’re kept pretty busy during the planning stage.

Have I been successful with the implementation of infrastructure, enhancements, etc. using this approach? Yes I have. It works, it is effective, and IMO it is a leader’s and manager’s job to make a decision and move in the direction of accomplishing your business goals.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Building the Information Assurance Program

In 1948, in his book “The Seven Storey Mountain”, Thomas Merton wrote: “Success – the logic of worldly success rests on a fallacy: the strange error that our perfection depends on the thought and opinions and applause of other men.”

Within the Information Security profession we must agree with Thomas Merton that the worldly definition of success is not one that fits our world. Not many of us in the profession receive the applause of other men or women during the course of our duties. Think about it for a moment: if you write a “Tough” Policy that forces people to do something that they are resistant to do, then do you really think that the applause is going to start rolling in? The opinions will, so at least we’d be halfway to the fallacy of “worldly success”.

Yet, as Information Security Professionals, we know that having Policies based on International Standards, best practices, etc. combined with a mechanism to enforce compliance with those policies is a critical component to having a successful program.

So, if we buy into the belief that success isn’t about counting on the applause of your community members, then what does success look like for an Information Security department, or an information security professional? The definition of success can be different for each Information Security department based on their self-identified mission and vision. One Information Security department I worked with decided to follow a modified version of Roger Allen’s formula for success, as explained in his book “Winnie the Pooh on Success,” in which Winnie and the gang discuss the formula for being successful. The Key Success factors in Allen’s book are:

  • Select your Information Security Vision
  • Use your Information Security Vision to set your Team Goals
  • Create an Information Security plan
  • Consider resources
  • Enhance Skills and Abilities as necessary – I have found SANS training good for this
  • Spend Time Wisely
  • Start! Get Organized and Go

While it is challenging to meet your Information Security success criteria I encourage you to continue to move forward in the belief that small systemic improvements over a long period of time will ultimately lead to both yours and your team’s success.

Said another way – focus on getting your wins where and when you can, with the understanding that each win will move you closer to your goals and the fulfillment of your vision. Do not worry or overly fret about the things you cannot accomplish; focus your time and energy on those items that you can accomplish.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Non-Expiring Passwords for C Level Employees. Really?

So, the other day while teaching my Online Course in Computer Security for the University of Advancing Technologies, I had a student ask me what they should do if their CFO asked to have a non-expiring password in a publicly traded Fortune 500 company. I responded that in today’s age of heavy SEC and regulatory oversight I didn’t see that really being a problem. I jokingly said that maybe 10-15 years ago it wouldn’t have been a problem either, because most of us weren’t expiring passwords regularly.

The student came back with “No, I am serious. I was just asked to please set our CFO up with a non-expiring password, and the request came from my CIO directly to me, which, as low as I am on the totem pole, just about never happens” – my thoughts were all jumbled up for a minute, as I thought we had surely gotten past this mindset with the news articles and all the coverage about regulatory compliance, internal controls, etc. C’mon, I mean really? We are talking about the CFO – the Chief Financial Officer, the person with access to corporate funds, bank accounts, etc. – and they really don’t want to change their password because it is too much of an inconvenience? When I asked more questions I wasn’t surprised to find out that the company does not have any sort of two factor authentication for their Executives, as that is too cumbersome as well.

Why is it that Internal Audit, External Audit and others in that profession continue to miss items like that? Is it because they are so far down in the minutiae of systems that they have forgotten that at Enron it wasn’t the little folks in the organization, like me and other IT Operations folks, that caused the issue; it was the corporation’s senior executives. Things like Sarbanes-Oxley are supposed to manage and control C-level executives’ behaviors because no one that works for them is in a position to do so. So, my call out in today’s rant is for the internal controls folks to pay more attention to the Corporate executives and what they are or are not doing, and a bit less attention to the folks down in the trenches.

Oh, wait a minute… whether it is an internal or external auditor, their pay still comes from the same executives that no one else in the company can challenge without fear of not being paid… hmmmm… guess we won’t be seeing that type of oversight anytime soon.

Oh, and since this is my first posting, don’t think I am anti-auditor; I’m pro-auditor. I just think that this is an area that we currently lack an answer for.

One last item: please don’t comment on how lame you think passwords are and how they don’t do anything or provide any controls – please, if you are a security professional you should know they are simply one part of an effective defense-in-depth architecture. btw – if you don’t believe in defense-in-depth you probably are reading the wrong blog…

© Kevin L. McLaughlin, properly cited re-use is acceptable


My own webpage, who would have ever thought it? I know back in the 8th grade, when they gave us some sort of “here’s what you have the ability to be in your life” test and mine came back that I would be a fine ditch digger (really, that is what I was told by my 8th grade teachers), that not many of that crowd would have thought I’d be able to get to where I am professionally and personally.

I am going to use this venue to talk mostly about Leadership in the area of Cyber and Information Security and the trials and tribulations associated with that profession.  The comments on these pages will be mine and are not meant to represent the beliefs or opinions of any of the companies I work with and for.

While I will do my best to focus on Cyber Security leadership, I may have moments when my musings take me into mentoring, leadership and just life according to Kevin – but mostly the posts will focus on Cyber security. The stories and musings will all be true, but they won’t all be based on my own personal direct experiences – nor will I tell you which ones are based on my direct experiences, as I do not want to embarrass any present or past employers.

Posted by mclaukl