Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.
I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.
Consultants, Use of
Identity & Access Management
Operational Best Practices
Physical Information Protection
Strategy & Planning
Technology Lifecycle Management
Approximately 50 companies participated in the survey, representing 11 industries.
Summary Findings from the SecurityDreamer Research
While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included
- Security operations centers
- Virtual command centers
- Security information management systems (SIEM, PSIM)
- Networked cameras and sensors at high-risk facilities
CSOs and CISOs complained that their greatest business challenge is metrics: Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.
Most Surprising finding of 2012
Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys. Continual Improvement (a la Baldrige, Kaizen, Six Sigma, etc) appears to be the primary motivation. Security executives realize that much of the know how of security operations resides in the heads of its local security managers. In a hope to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.
Least Aware of This Threat
Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least. Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against it.
Least Prepared for This Threat
Two related concepts represent the threat for which nearly all security executives feel least prepared to address: Social engineering and physical penetration. Every security executive confessed that confidential company information was as risk of social engineer attacks (phony phone conversations, pre-texting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc) by
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors
- an internal attacker of any type
I hope you can catch me this week (September 19-23). Either attend a webinar on secure uses of the Cloud, or grab my lapel as I walk the show floor at ASIS in Orlando.
Here’s info on the webinar. Wednesday, Sept 22, 1-hour Webinar titled “Xerox and Cisco: Partnering in the Cloud”. I’ll be speaking along with Bill McGee from Cisco, and RG Conlee from ACS, a Xerox Company. I’ll explore the true benefits of using the cloud, understanding and mitigating the risks of the cloud, and how to best prepare for using the cloud. I hope you can join me.
At ASIS – the largest physical security professional conference in Orlando – this week I will be speaking at several private company events, but you can still find me on the floor. I’ll be excited to tell you the developments of the first venture-funded convergence consultancy I’m now heading.
Secure the Business!
SecurityDreamer Events are Back!
We bring together end-user executive decision-makers and influencers from important corporations and public organizations in cities around the world. Hunt Business Intelligence shares recent research findings and everyone learns and laughs together.
Did you miss SecurityDreamer at the Hard Rock Cafe in Atlanta? Did you miss the SecurityDreamer PSIM work group in DC? How about SecurityDreamer at the David Burke Restaurant in Vegas or at Margaritaville, The Botanic Gardens, Around the Coyote Art Gallery and many more interesting fun venues.
SIGN UP. If you are interested in attending our unusual, invitation-only events, tell me a little about yourself in an email steve (dot) hunt (at) huntbi (dot) com.
There is a problem with honesty in this security industry of ours. Far more of a problem in the physical/homeland security indsutry than IT/cyber security. the difference? Critics.
The IT/cyber security industry has dozens of knowledgeable, influential industry analysts constantly pushing end users, VARs and manufacturers, (vendors) to higher levels of performance, quality and customer service.
The physical security had none before I showed up on the scene when I directed my research team at Giga Information Group (later Forrester) to begin tracking trends in physical security in 2000. I kept thinking I would spark industry improvement in physical security and homeland security by inspiring dozens of industry analysts to cover the huge industry. Instead, vendors reacted with their panties in a bunch and most consultants I spoke to were chicken-shits, with not enough balls to tell Lenel or SoftwareHouse or Bosch when they smelled snake oil, or when product development aimed low.
So in 2005, I left my job as head of security research at Forrester and opened the first industry analyst firm in physical security – thinking for sure that THAT would start the trend.
I was partly right. A few “analysts” popped up afterwards. Forrester and Gartner dabbled in physical security half-heartedly for a few months after I left. Frost & Sullivan later beefed up their particular brand of analysis combned with their trademark (and dubious) “awards.” More on that another time. INS also started making noise.
Finally, some “serious” critics emerged. Jeff Kessler, the long-time Lehman analyst, brought intellectual rigor to financial critique of the entire industry and specific niches. And John Honovich carved a niche for himself becoming the preeminent critic of IP video solutions.
I am very grateful for John and Jeff. They largely validated my belief that the physical security industry had room for and could benefit from piercing, honest criticism. But I’m sad that there are only three of us. John critiques vendors in the IP video arena on his website, Jeff now works for Imperial Capital and focuses is on numbers, and I focus on best practices for end users. Three different niches, but it’s just crazy that a $170 bn industry supports only three guys doing real industry analysis.
I’ve criticized Frost & Sullivan and INS elsewhere, not to belabor the point here. The shortcomings of their analysis in this industry are obvious to any observer and I don’t need to harp on them. In a nutshell, I’m disappointed when any analyst relies on the word (or dollars) of manufacturers. It is an obvious conflict of interest, and the so-called analyst quickly becomes a shill for vendors, whether they intend to or not. (Hint: they usually intend to.)
If an analyst performs paid work for a vendor, it should be with the sole purpose of helping that vendor improve its products or solve specific customer problems. It should also be done privately.
For example, I’ll allow vendors to pay me to critique and plan their product development road map or marketing strategy – but I don’t write publically available white papers and will never publicly trade whatever I’ve discussed with vendor clients privately. I share my end user research findings with my end user- and investor-customers only.
Analysis should be derived from the analyst’s professional experience with the subject he is analyzing, or by analyzing the experiences of end users. I believe John touches or in some way directly interacts with with every product he writes about, and then bases what he writes on his highly technical knowledge. Jeff is similar. He performs primary research, writes his own analysis of his research based on his extensive knowledge and experience with financial and market analysis, and critiques secondary research. I talk to hundreds of end users each year and systematically analyze best practices (and worst practices) among the users of just about every kind of security technology.
I still think there is plenty of room for honest critique in the physical security industry. If only someone else with the guts would step up.
In honor of being at the RSA Conference in San Francisco this week, I figured I should at least post one IT security blog. Here is an excerpt from the “ship’s log” of my mentor Captain Phil Rosch:
I think the Security industry needs to be more proactive in terms of policing itself. I’ve spent way too much time over the past 6 months fixing machines for friends who got sucked in.
Fixing Charlie’s virus ridden computer wasn’t too hard. I found a detailed set of instructions on the Internet that fit his problem exactly so I just followed the yellow brick road. It’s easy to see how an error screen like the one crafted for the AVG 2011 could suck someone in. http://deletemalware.blogspot.com/2011/01/how-to-remove-fake-avg-antivirus-2011.html
After I blew off the virus, I downloaded Spybot Search & Destroy and Microsoft Security Essentials (both free). The Microsoft scan caught 2 Trojans and the S&D cleaned up all the spyware. The last job in the “tune-up” was to run SpinRite 6 to clean up the physical hard drive.
I really feel sorry for seniors who get sucked in by viruses and crap like you see on TV. Allen Harkleroad, a consumer advocate said “I am 100% skeptical of any advertisement that claims to be able to fix a computer online, and from the consumer complaints I have read online, in the case of DoubleMySpeed and MyCleanPC, it appears that my misgivings were completely warranted.” Allen built himself a new Windows 7 machine with nothing on it and ran all current maintenance.
Next he ran MycleanPC and it produced over 1,000 errors and took him to a page that demanded $89 for the product and wouldn’t let him lose the page.
Check out “DoubleMySpeed complaints” on Google, also MyCleanPC complaints and the CyberDefender Corporation complaints. It seems now CyberDefender is trying to hide who owns the domains they operate, however IP address/DNS lookups don’t lie. CyberDefender responded by sending a legal threat letter, claiming defamation, and demanding the removal of the original posts.
Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.
Here is a post written by an end user security professional who will be known here simply as Padded Arrow. I believe you will find his perspectives on IT, security, risk management, and technology to be enlightening. -sh
Mike Holmes is a Canadian building contractor whose popular TV show tag line is "Make it right". Not just a catchy phrase but rather his way of working. If you have watched his shows, one of the underlying messages is “Building codes are MINIMUM guidelines.” Often, the right way to do the job is not in the same league as "code." Mike prefers to "Make it right" rather than "make it code."
What does this have to do with IT and Security? Many regulatory requirements (SOX, GLBA, HIPAA, etc.) come from a need to "raise the bar" on the quality of IT construction, safety and security. Too often, IT projects are a knee-jerk reaction to the current challenges in the IT environment, both real and perceived (aka marketing hype). Sometimes, regulations (building codes) seem to have more influence to direct IT than what is the best course of action for the company. At what point does a company decide to plan its IT strategy with the business and long term survivability as a priority?
Instead of "Make it right", team up to "Make IT right".
The newly launched cyber security incubator launched by the Institute for Cyber Security at the University of Texas at San Antonio is the latest demonstration of the University’s efforts to establish itself and the city of San Antonio as one of the top breeding grounds for cyber security research, commercialization, and innovation.
The Institute is run by Dr Ravi Sandhu, widely acknowledged to be one of the top security researchers around, and one of the Institute’s founders was Dr Eugene “Spaff” Spafford of Purdue, whose multi-disciplinary approach to security has set the bar for University programs.
Drop me a note if you'd like more info. firstname.lastname@example.org
Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP. His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh
What happens in Vegas stays in Vegas right?
What happens in China won’t necessarily stay in China.
What do I mean by that? In the Navy there was a sea story. It went something like this…
We pulled into <name your favorite port>. When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women- always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.
So here’s the deal….
Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’ –send your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web. You will be infected. Be ready for it.
The problem? Antivirus vendors don’t have the syringes to fix you. It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats –those that infect everybody. When a specific group of users are targeted –Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries, the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle –the BIG piece of information.
You should expect this. It shouldn’t come as a surprise.
A recent interview on CNN disclosed publically (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.
Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games. Don’t be a victim. Don’t allow your home/work networks to be victimized.
Here’s what you can do:
• Think like a spy…
o Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
o Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail; an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill, or abandon those accounts after you return.
o Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
o Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email –those pieces of software that will later be used to send data back to China once you return home.
o Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
o When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.
o Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
o When you return home, do not, under any circumstances, plug these computers into ANY network without first having it professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.
Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!
In primitive societies and cultures, there was a widely held belief that many of the forces controlling man’s fate were, well, outside of the control of man. The notion that we could control something akin to “risk” would have been considered pretty far-fetched indeed. Listening to a group of security industry professionals discussing the problem of how to control, or manage, risk in their industry at a recent conference in Silicon Valley, one could easily wonder whether the notion wasn’t as far-fetched as it might have seemed to a bunch of cave-dwellers huddled around a primeval campfire.
Holding back the hordes
To begin with—how does one manage risk in an age when all the risks have yet to be identified, and new ones are being created and dreamt up every day (if not every hour on the hour)? The hordes are truly at the gates. And it is our job, as security professionals, to keep those unrelenting hordes outside our employers’ gates, by continuing to secure networks and devices and the rest of the security apparatus—that is, by protecting not just the company’s data, but its vital information. And, my friends, they are not the same thing.
For the last 5–10 years, traditional thinking in IT security has held that securing the networks—controlling access to the data—was the key to maintaining the integrity and security of a business’s operations. That’s a job we have been doing well enough. (Or so we thought. Or were we just deluding ourselves? More on this later.) A decade, 15 years ago, we built the firewalls to keep out the three hackers down the road in Berkeley. In other words, we controlled and managed access to the company’s data from outsiders, and essentially sat back, thinking we’d succeeded in establishing and maintaining IT security. We felt we knew who the “bad guys” were, and how to stop them from stealing the company’s data. But we never really asked ourselves what the new threats to not just data, but information, security might look like a year down the line. Five years. Ten years.
In fact, few of us paused to ponder what difference(s), if any, there might be between data and information, and what the implications for our industry might be resulting from said difference(s). Neither did most of us address—at least, not in any comprehensive, strategic fashion, anyway—the risk, or threat (again, these are two different things) from those working within our own organizations with authorized access to the data and the information. As a result, a lot folks have been going home at night—each and every night—with some of their company’s invaluable information stashed away on their I-Pods (or other storage device of choice).
So what am I saying here? I am saying we have been deluding ourselves for quite a while now, thinking that our jobs securing data/information are done. So where does that leave us now? Where do we go from here?
Trust, but verify
I think trust is key. I’m not talking about naiveté. I’m just saying that bad things are going to happen, so let’s minimize the threat by nurturing mutual trust and confidence. In particular, you can educate your people as to the issues pertaining to information security, thus boosting awareness of those issues, and you can provide training and perform pre-employment background checks and the like. The point is, we can no longer afford, when planning, budgeting for, and implementing IT security, to think only in terms of protecting data networks, devices and assets. We will have to think increasingly in terms of how to monitor information usage. And this inevitably brings us right back to the notion of trust: there has to be some significant degree of trust in any business, a faith, if you will, that you can count on a certain minimum level of trust in how your employees handle the information and data to which they have access. What it comes down to, as one of the conference participants put it, is this: People (your employees) are either scum—information thieves—that need to be eliminated, or they are entities that need to be trusted. After all, you need trust in order to be able to make a business—any business—function.
Looking toward the future
Monitoring behavior and usage should prove to be a major part of doing IT security in the future. Intelligence gathering is another potentially very powerful tool that will be used increasingly to protect our infrastructures and to safeguard our businesses, as part of an appropriate risk management life cycle. In more general terms, we should try and be both proactive and reactive to the new threats that we know are coming our way, and which no doubt will continue to come our way. Having a more forward-looking threat assessment strategy may also prove key to our future success in improving and enhancing the safety and security of our businesses. That way we will not be mysterious workers of wonders or witch doctors, we will be advocates of the business with effective tools for promoting a productive business culture.