May 22, 2013

Plugging Breaches with Bureaucrats

The Paperwork Makes Your Interwebz Secure.

Filling Out These Forms Will Make You Secure....Really.

Breaches within Sony’s and Epsilon’s networks in recent months have shone a light on a very real concern in the Age of Stolen Information.  The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.

One only has to take a quick glance at the latest regulations from the Food and Drug Administration (FDA) on Medical Device Data Systems (MDDS) or the new Cyberwarfare Doctrine from the Pentagon to see the trend toward greater regulation.

But rules dictated by government fiat always lag far behind technological advances and create a “security by compliance” culture.  So what is the solution?

In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary.  Currently there are multiple industry regulatory regimes that cover information security best practices.  At a high level here are a few:

I have recently contributed to three articles that tie into my opinion on security by regulation.  One was for the Chicago Tribune, entitled “Security Breaches Highlight Need for Consumer Vigilance.”  It covered the impact of the Walgreens, McDonald’s and Gawker security breaches.  Another was published in PCWorld on the PlayStation Network security breach; the title of that article was “Experts on the PSN Hack: Sony Could Have Done More.”  Finally, a piece just ran in InfoWorld entitled “10 Hard Truths IT Must Learn to Accept,” where I discuss the security by compliance issue and how the pursuit of 100 percent compliance and security is a folly.

Legislation will not address enterprise security problems.  However, if you look at what caused the PSN security breach, there were multiple issues that led to the compromise.  The chief cause appears to be that Sony was lax about routine maintenance of the infrastructure, compounded by a complete lack of internal and external communication.  This includes:

  • Server patching and hardening
  • Monitoring the network and servers for suspicious activity
  • Disjointed or missing breach response procedures
  • Lack of security leadership in the organization
  • Lack of breach communication plan

If We Hit it Harder It Might Fit!

Government Regulations at Work.

The best way to minimize the risk of a breach for an organization is to stay on top of standard maintenance and monitoring procedures.  Keep the organization’s servers patched and make sure they are hardened before putting them on the production network.

Ensure there is a security breach response plan that has been tested and communicated to the highest levels of the company.  Have a single point of contact that directs communication regarding the breach to the appropriate parties.  Also, ensure that the breach plan includes a robust communication plan for potentially affected customers.

Finally, there is always going to be a risk for a security breach or data loss.  Systems and software are designed by humans and there will be flaws that can be exploited.  Plus, social engineering will always provide a path to compromising the most secure systems due to the fallibility of the human element.  Legislation will not address these factors.

Security practitioners understand that there is always a risk for a security breach.  Therefore, risk assessment and risk management are a key component of a security professional’s job.  Identify the most critical systems and data and implement the most robust safeguards around them.  Focus monitoring efforts on these critical areas and ensure the organization’s senior leadership understands the risks, mitigation strategies and internal/external communication plans.

In my experience, compliance with multiple frameworks and regulations creates a belief in security by compliance.  Organizational leadership buys into the mindset that if they have all the check-boxes marked, then they are secure and additional policies, programs and monitoring are wasted efforts.  This is a critical mistake in an age when your adversaries can turn on a dime and exploit your inflexibility.

How to Weather the Outsourcing Storm

Outsourcing Hurricane

IT has been hit long ago. How will you adapt and thrive?

Before the Great Recession of 2007, which is still ongoing no matter what the pundits say, IT employment had already suffered setbacks.  The IT profession started taking on water after the Dotcom implosion, and a few more bulkheads were blown in 2007.  Those of us who have consulted across the industry have seen demoralized workforces whose compensation has fallen dramatically.  What opportunities exist are mostly short-term contract work that is shoveled out by dubious staff augmentation firms.  From there the IT contractor goes through the “Burn & Churn” cycle of three- to six-month contracts, always on the hunt for another gig.  I wrote about this trend back in June in my “IT Job Market in Limbo” piece.

RSA March 2010 Intelligence Report

March 2010 RSA Intelligence Report

Cue the Generic Computer map!

I’ve been ramping up with client projects over the last month, so I haven’t been able to schedule some serious writing time.  Excuses aside, I’m being lame, it seems.

However, the latest RSA Intelligence Report has crossed my virtual desk.  I’m posting it on the Box.net widget and inserting it in this post for good measure.  It has timely info for security professionals and the businesses they are protecting.

For those folks in the financial community, it would behoove you to read this report and take note that U.S. regional banks are still target number one for the black hat community.  Also, the Rock Phish gang has been exclusively targeting financials via various schemes for the past quarter.

As always, the US is the top target for attacks.  But the US also remains the top host of phishing attacks.

Part III: Fed Guidelines for Social Media Review

An Easy Guide to Government Regulations

Ah Government. 72 Easy Steps for Compliance.

In my previous post, we reviewed the rationale behind the Federal CIO Council’s release of secure social media usage guidelines.  This was primarily tied back to President Obama’s memorandum on Transparency and Open Government and the growing popularity of social media (Web 2.0) in the workplace.  We also touched on the lack of concrete implementation advice for social media within the guidelines document.

The guidelines abruptly switch over to outlining the current use of social media within government.  But not before mentioning two researchers at the National Defense University, Dr. Mark Drepeau and Dr. Linton Wells.  They are quoted for the government’s definition of social media and the four specific types of uses within the Federal Government.  What is more interesting is that these gentlemen wrote a research paper for the Feds that is a large component of the Social Media Guidelines.  The name of the document is Social Software and National Security: An Initial Net Assessment.  I highly recommend that those individuals charged with the responsibility for, or implementation of, social media within their agency read that document.  It is highly informative and has copious footnotes to other research that will provide a better view of the social media landscape within the Federal Government and abroad.  Also, it has been my experience that these footnoted sources can then be used as supporting documentation when an agency’s own policy is crafted, since they have been used in other official guidelines.

Fraud as a Service

Internet Fraud

Excellent ROI Potential!

In working with various clients on the topic of security, a common theme has emerged.  Management and employees still labor under the perception that fraud is the purview of unorganized individuals with an axe to grind against a specific company.  Another popular opinion is that the company or individuals experiencing fraud are the unfortunate victims caught in the blast of some hacker’s scattershot attempt to make money.  While this can sometimes be the case, the more likely explanation is far more disturbing and organized.

Fraud as a service, or FaaS for the acronym collectors, has been a topic of concern for security professionals since 2008.  RSA and others showcased this new trend emerging from the underground economy around November of that year.  The acronym itself was coined from the Software as a Service (SaaS) term.

Part II: Fed Guidelines for Social Media Review

What?--Federal Bureaucracy Diagram. Now with extra annoyance!

Streamlined For Your Confusion...

I promised in my last post to walk you through the various supporting documents that are tied to the Feds’ Social Media Guidelines.  Also, I will act as translator for all the corporate/government speak.  This way lies madness, abandon all hope ye who enter, etc.

One of the linchpins of the document is the President’s Memorandum on Transparency and Open Government to the various government agency heads.  Basically, it boils down to this: government needs to be transparent, participatory and collaborative with the public.  Now, the day this actually happens, I’ll eat my hat.  But this has been the general statement of government leadership since the ’90s, at least in Virginia.  Some may claim this goes all the way back to the Enlightenment, which actually makes sense if one is familiar with the speed of government initiatives.

Fed Guidelines for Social Media Review

All Your Paperwork Belong to Us...

In my last post, I referenced the relatively new (Sept 09) federal guidelines for social media security by the federal government.  I went ahead and put the guidelines in the online storage widget for anyone to access.  I’m going to discuss my own findings and try to make sense of all the bureaucrat/corporate speak in the document.

Let’s start from the top, shall we?  The document’s executive summary rightly categorizes the decision to move to social media as a risk-based decision.  The technology behind it all is really nowhere near as important.  As was discussed in the previous post, the “why” is far more important than the “how”.  The Feds are a huge target for every known and unknown type of malcontent, so they include a quite extensive section on risk mitigation, which we’ll get into later.

Project: FAIL

Where's the Project Manager!

As a consultant I’ve been thrust into my share of failing projects.  One particularly notable one involved a CIO and their pet DBA.  The project was over a year behind schedule and the DBA was the project manager, system architect and general nuisance.  This DBA had convinced the CIO that they were the Alpha and Omega, Yin and Yang of technology and project management with all others viewed as imposters to their throne.
