Archive

Archive for the ‘Uncategorized’ Category

Unusual Data Breaches, and other posts

I am a guest blogger at a number of other sites. Here is a sampling of some of my recent posts.

The greatest threat to data is also the least studied

Physical loss of information was difficult to quantify, so said the editors of the 2014 Verizon Data Breach Investigations Report (DBIR 2014) that came out this month. That imprecision is why your cyber security precautions mean squat against the gargantuan physical risk you face.

The report, anxiously awaited each Spring, this year included a summary of ten years of breach data. Among the findings is a section on physical theft and loss. The editors described physical loss of information as not sexy and “cyber-y,” and the numbers about this type of information leakage as a little iffy. However, they rightly point out that physical loss is among the most common causes of data loss and exposure.

In short, they claim that one of the most common types of information loss is also the least measurable. Read it here.

Balanced Scorecard for Security

Security executives who’ve used the Balanced Scorecard over the years set their IT budgets by first determining the strategic role that security will play in the organization, then establishing a companywide funding level that enables security programs to fulfill that objective. Since the first step in implementing a Balanced Scorecard is strategy, it follows that this can be an effective method for aligning security with that strategy. Read it here.

Categories: Uncategorized

New CISO at Target

Photo Courtesy of Target

Target named its new CISO today. Brad Maiorino will fill a newly created post called senior vice president and chief information security officer. When the Target search began, I shared the comment with several other security analysts wondering who would want that job. Apparently, Mr. Maiorino, who comes from General Motors and General Electric where he held similar positions, wants it. I imagine he feels excited about the opportunity to rebuild a security program with a substantial budget and likely a wide latitude. Plus, any breaches occurring in the first six months or so could easily be blamed on the previous administration. That gives him a year of smooth sailing and liberal spending. After that, the rubber hits the road and he will be on trial more than most CISOs.

The Snowden conversation we are all having in one way or another…

Edward Snowden (source Wikipedia)

Edward Snowden did one important thing: He made an important conversation on security and ethics popular and international.

On one hand, he told us something we always knew: Spies spy. That is, stealthily gathering secrets, usually associated with times of war or matters of national security, is the third(?) oldest profession.  :-)
Spying on specific national interests is assumed, expected, and probably universal, which is why the feigned indignation of global leaders is laughable.
However, spying on a populace is extreme. Spying is normal when its targets are decision makers, influencers and information handlers. Regular citizens, though, don’t qualify for surveillance unless they are associated in some other way with a security threat.
  • Surveillance of a high crime street corner is appropriate
  • Surveillance of a shoplifting-prone market is appropriate
  • Surveillance of military leaders engaged in assault on national interests is expected
  • Yet, combing private communications, collecting information that may someday be factored as a risk, destroys the fabric of trust between a people and its government.
Therefore, surveillance in itself is morally neutral, neither good nor bad. Sometimes it’s downright necessary for security or loss prevention. It’s a simple formula: Analyze metadata, identify risks, manage risks.
This surveillance and spying conversation, however, sends shivers down the backs of security managers and executives.
My recent informal research shows that security executives are Least Aware of physical threats to information. Every security executive we’ve interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against them.
…and Least Prepared for social engineering and physical penetration. Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by
  • an unauthorized visitor tailgating into the building
  • an attacker bypassing security controls at doors and fences
  • rogue employees or contractors (a la Snowden)
  • an internal attacker of any type
We are all in this discussion now, public and private organizations, data and physical infrastructures. Now tell me your opinion. Do you think the “Snowden affair” is relevant to your organization?  Is it a physical security issue? A cybersecurity issue? Both? Something different?
(Published by Steve Hunt previously on SecurityCurrent.com)
(Photo credit: Wikipedia)

Reinventing the security perimeter

It’s time to register for my upcoming GigaOm Research webinar: The Modern Perimeter & More – Countering Advanced Security Threats.

http://research.gigaom.com/webinar/the-modern-perimeter-and-more-countering-advanced-security-threats/

Categories: Uncategorized

How Spring Cleaning May Create New Information Risks

Categories: Uncategorized

Security is not the point!

February 5, 2013 17 comments

Articulating the Value of Security…

It’s an uphill battle to convince the decision-makers in any business that they need to invest in security. Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience.

If you walk in and tell them, “We need more security,” they hear, “We need a more annoying layer of cost and inconvenience.”

Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses. Fear, uncertainty and doubt are not the cleverest tools to use anymore. The security industry is undergoing changes as it adjusts to the convergence of IT with physical security, and businesses are changing, too. Now businesses want something that sometimes seems like a foreign concept to the security profession: value. If you don’t adapt and start answering the questions your business is really interested in, you’ll never get the green light on new projects and upgrades.

Remember, nobody wants security; they want the benefits of security. That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance. She wants a comfortable, happy place to raise her family.

Businesses also want something other than security. If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options. She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers. Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we may balance your account.” That wouldn’t work either, obviously.

The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing.

Security was never the point. The bank had a business objective and achieved it by using some security. That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.

Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business. But they don’t even think of it as security.

The manager responsible for an online ecommerce business wants a few things. He wants to know who is using his Web site. He wants to ensure that each one can do everything on that site they need to do. He has a lot of people doing a lot of things, so he needs an easy way to manage it. And at the end of the day or the end of the quarter, he needs a report that tells him what has happened so he can improve customer satisfaction, reduce errors and increase profits.

In that example we have all four fundamental categories of security—authentication, authorization, administration and audit—but the manager doesn’t think of security once! That’s because security is not the point.

Focus on Value

I have suggested many times that, whenever possible, security professionals should purge the word “security” from their vocabulary. Instead, answer the questions inside your boss’s head, and don’t simply spout the ways security keeps bad things from happening.

Your upper management thinks in terms of money, not security. What people will be needed? What headcount can we reduce? How much will it cost? How much will we save? What new revenue can we earn as a result of this investment? And they think not in terms of security risks, but in terms of credit risk, market risk and operational risk. That’s where you can shine.

One U.S. company spent $35 million on physical security upgrades after 9/11, and $4 million on IT security upgrades. Last fall they failed their Sarbanes-Oxley audit because of poor security. How? Visitors were given a badge for the day, but they could still walk unescorted past cubicles with unattended computers logged into financial systems. At that moment the auditors no longer had confidence in the integrity of the numbers. Anyone could have moved a decimal point or added a zero.

If you know your facilities need more security, tell your managers how it will help them measure or achieve compliance with regulations like Sarbanes-Oxley: You audit employee behavior, lock up financial systems, shred financial documents, do background checks, or secure backup tapes. For any business problem, you should be prepared to help your management identify the ways that the authentication, authorization, administration or audit solutions you’re proposing will solve their problem, or help customers make the gains they hope for.

Remember, it is not our job to secure the building. Our job is to secure the business. 
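The audit failure above turns on a condition you can actually check: a user’s workstation stayed logged in and unlocked after the user had left the floor. The script below is an added example, not the author’s or Neohapsis’s code, of how to audit that behavior by correlating a badge-reader log with workstation session events (logon, lock, unlock, logoff) from finance hosts. Both logs are constructed inline for the example; the field layouts, host names, user names and the 10-minute threshold are assumptions.

```python
"""Flag workstation sessions left unlocked after the user badged out.

Added example. The badge log and session log below are constructed
samples, not real data; their field layouts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed badge-reader events: timestamp, user, direction (IN/OUT)
BADGE_LOG = """\
2013-02-05T08:58:00 alice IN
2013-02-05T09:02:00 bob IN
2013-02-05T09:07:00 carol IN
2013-02-05T11:00:00 carol OUT
2013-02-05T12:10:00 alice OUT
2013-02-05T12:45:00 alice IN
2013-02-05T17:30:00 bob OUT
"""

# Constructed session events on finance hosts: timestamp, user, host, event
SESSION_LOG = """\
2013-02-05T09:00:00 alice fin-ws-01 LOGON
2013-02-05T09:05:00 bob fin-ws-02 LOGON
2013-02-05T09:10:00 carol fin-ws-03 LOGON
2013-02-05T12:40:00 alice fin-ws-01 LOCK
2013-02-05T12:50:00 alice fin-ws-01 UNLOCK
2013-02-05T17:35:00 bob fin-ws-02 LOGOFF
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str  # empty string for badge events
    kind: str  # IN/OUT for badge events, LOGON/LOGOFF/LOCK/UNLOCK for sessions


def parse_badge(text):
    """Parse 'timestamp user IN|OUT' lines into Event records."""
    events = []
    for line in text.splitlines():
        ts, user, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, "", kind))
    return events


def parse_sessions(text):
    """Parse 'timestamp user host EVENT' lines into Event records."""
    events = []
    for line in text.splitlines():
        ts, user, host, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, kind))
    return events


def unlocked_at(sessions, user, host, when):
    """True if the user's latest event on host at or before `when` left it unlocked."""
    state = None
    for e in sessions:
        if e.user == user and e.host == host and e.ts <= when:
            state = e.kind
    return state in ("LOGON", "UNLOCK")


def unattended_sessions(badge, sessions, threshold=timedelta(minutes=10)):
    """Return (user, host, badge_out_time, unlocked_gap) for every session that
    stayed unlocked longer than `threshold` after its owner badged out.
    The gap ends at the next LOCK/LOGOFF on that host or the user's next
    badge-in; a gap of None means it never ended within the logs."""
    findings = []
    hosts = sorted({e.host for e in sessions})
    for out_ev in (e for e in badge if e.kind == "OUT"):
        for host in hosts:
            if not unlocked_at(sessions, out_ev.user, host, out_ev.ts):
                continue
            closers = [e.ts for e in sessions
                       if e.user == out_ev.user and e.host == host
                       and e.ts > out_ev.ts and e.kind in ("LOCK", "LOGOFF")]
            closers += [e.ts for e in badge
                        if e.user == out_ev.user and e.kind == "IN"
                        and e.ts > out_ev.ts]
            end = min(closers) if closers else None
            gap = (end - out_ev.ts) if end else None
            if gap is None or gap > threshold:
                findings.append((out_ev.user, host, out_ev.ts, gap))
    return findings


if __name__ == "__main__":
    for user, host, left_at, gap in unattended_sessions(parse_badge(BADGE_LOG),
                                                        parse_sessions(SESSION_LOG)):
        how_long = "never locked or logged off" if gap is None else f"unlocked for {gap}"
        print(f"{user} badged out {left_at:%H:%M}, {host} {how_long}")
```

A finding with an open-ended gap means the session was never locked or logged off before the log ends; a gap longer than the screen-lock timeout the organization claims to enforce means either that the lock policy is not actually applied on that host or that someone other than the owner kept the session alive after the badge-out, which is exactly the condition the auditors could not rule out.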

Categories: Uncategorized

Getting your head around the “Mobile” discussion

The last time business managers were worked into a tizzy about “Mobile,” we called it Mobile Computing or Mobility and we talked about remote workers, laptop computers and USB memory sticks (thumb drives). Organizations routinely provisioned employees with both, and employees routinely wanted to use their personal laptops and USB sticks for business use. Therefore, companies had to deal with a mix of business and personal mobile computing devices. In those days Neohapsis recommended that its clients create strong “personal use” policies, promote awareness of the risks, and deploy technology measures to mitigate some of those risks. Today’s mobile discussion is similar in theme but quite different in details.

Mobile no longer merely means mobile computing or mobile workforce.  Its common use now includes social networking, mobile websites, mobile apps, new messaging and communication platforms, photos, crowd sourcing, and videos used for personal and business reasons on a vast range of technologies including home PCs, corporate workstations, laptops, smartphones and tablets on the business network, the home Internet connection and in the Cloud.

The technology ecosystem of Mobile is vast. Phones, cameras, PDAs (like the iPod Touch), portable storage devices (external drives, iPods, memory sticks) and tablets are all included, but so are computers, servers and entire data centers. The glue that connects all of these systems in the Mobile conversation is simply one thing: the Internet. Mobile touches nearly every aspect of your IT environment.

So what does a business manager need to know in order to approach Mobile with reasonable security?  That is the subject of Neohapsis Labs’ newest paper: The Secure Mobile Enterprise. Download it here.

Categories: Uncategorized

Becoming a Thought Leader in 2012 – Now you can do it too

December 21, 2011 1 comment

Being a thought leader is a really hard job. I’ve been doing it for so long it’s second nature. But for those of you who wish to know the secrets of thought leadership, check out this video by Chris Eng, and maybe you can become as cool as me.

Categories: Uncategorized

Smart phone / Tablet gift guide for the security-aware

December 14, 2011 1 comment

My colleague, fellow Neohapsis researcher Michael Pearce, wrote a great article about smart phone platforms (iPhone, Android, Blackberry). He argues that you should give the platform appropriate for the security savviness of the recipient. I love that.

He writes, “Security and control are some of the main selling points of Blackberry, with the ability to completely encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost, and the ease of management to keep your device secure can be time-consuming for a non-enterprise user.”

See the rest of his comments about Blackberry and iPhone and Android in the full article.

Categories: Uncategorized

Neohapsis shares the dream

I’m so excited to announce that Neohapsis has asked me to lead their expansion into the physical security and IT convergence domains.  For 15 years, Neohapsis has been one of the most advanced IT security consulting firms, providing geeky services like penetration testing, “white hat” product hacking, vulnerability assessments and governance and risk management consulting.

In recent years the company has been doing more in the physical security arena, such as assessing the security robustness and durability of physical security products, like electronic locks, IP video cameras and other physical security devices.

Now, my team will be able to do much more, including coordinated physical/logical attack simulations, physical and logical penetration testing of facilities and networks, and hacking and durability assessments of many more products. We still evaluate products and give best practice guidance on security operations and enterprise risk management.

The name Neohapsis means “New Combination.”  I like to think that it now refers to the new combination of physical and cyber security.  Please drop me a note if you would like to chat about Neohapsis services, the security industry, or my sailing adventures on Lake Michigan.  steve dot hunt at neohapsis dot com

Categories: Uncategorized