Archive for July, 2008

I was perusing the blogosphere and came across a post written by Sam Dekay over at BlogInfoSec.com.  Apparently it was sparked by the recent laying off of a friend.  The post focused on where Information Security fits within the grand scheme of any organization.  In the case of Mr. Dekay’s friend, that company was reassigning information security functions across several existing areas rather than having them assigned to one area.  The Office of the Chief Security Officer was no longer to exist. 

Apparently the company didn’t see the value in having the responsibility for security residing within a single department or person.  As information security professionals we want to make sure that everyone in an organization realizes that they share in the responsibility to use and protect information appropriately but this protection needs to be coordinated in order for it to be effective.

I’ve touched briefly on where security should fit into the organizational structure in Nomenclature and Where should the CSO or Network Security Reside within the Corporate Structure?.  This problem also seems to exist across all industries (see The Guerilla CISO Blog: Needed Agency CSOS), so the question now becomes why. 

Many of the business drivers associated with information security are negative drivers.  Compliance issues or responding to a security incident are reactive in nature, not proactive.  Somehow we have developed an approach that is fed by negative incidents rather than positive incidents.  We spend so much time just trying to stabilize what we are doing that we can’t seem to move forward, and as such we are seen as a drain on a company rather than an asset to be utilized.  This is all part of what I call the Silver Bullet Mentality.

The Silver Bullet Mentality involves the mindset that security issues can be solved by technology.  “If only we could find that product that does X our problems would be solved.”  This mindset has typically resulted in declining revenues (information security is commonly an overhead function which eats into the overall profit margin).   Since security is seen as a technological issue our value as trusted advisors is limited to technology.  That has relegated us to overhead status that can be cut when the company tightens its belt. 

One of the reasons that I like the term Information Risk Management is that it implies that information, and the protection thereof, needs to be managed.  It incorporates the concept that the appropriate protection of information involves people, process, and technology. 

We first must understand the people part of the equation.  This includes understanding the nature of the business and the people involved with that business (both employees and customers).  From people we move on to the processes involved in meeting business needs and demands, and finally on to the technology, which can be defined as the tools used to facilitate the processes.  This type of model has been used in many different ways and is in no way unique to Information Risk Management. 

The difference is that instead of using negative drivers in an effort to drive security, we are using security to drive business.  The arguments that we, as an industry, have been using (we need to do this or we’ll be hacked, or we’ll fail the compliance audit, etc.) just don’t work anymore (if they ever truly did).  The executive level isn’t motivated by fear; they’re motivated by achieving a goal.  We need to show not only how we can support business but how we can contribute to improving how our organizations do business.  It is in that way that we move from being seen as an impediment to being seen as an asset. 

I was talking with Abe Chen, a friend and former cohort member in Norwich University’s MSIA program, about the successes he has had in redefining the value of information risk management to the executive level of his company.  “Make friends with Sales and Marketing” he said.  “They know what is resonating with customers and partners.”

“I decided to reach out to Sales and Marketing while working on a particular project.  When I did they (Sales and Marketing) immediately saw the benefit that information security could bring to how they portrayed the company to new customers and partners.  They knew they could use it as a market differentiator.”    

This isn’t a one-way street either.  Sales and Marketing can give you valuable insights into what makes your company competitive, thus giving you the insight and information on where you can contribute to business improvement.  

“The added benefit to reaching out to Sales and Marketing was that as soon as they realized the benefit my project (and information security) would provide, they were able to sell it to management,” Abe relayed. 

How much more powerful would your next budget request be if you had a profit generating department in your corner with you; making the case for you? 

Going back to the BlogInfoSec.com post, it is unfortunate that Mr. Dekay’s friend was laid off.  While I don’t know the specifics of why his department was made redundant, I can only speculate that his management didn’t fully appreciate the value information security brought to the company.  We should let it serve as a lesson to all of us that we need to either learn the language of business or risk being made redundant ourselves. 


A recent blog post on the Emergent Chaos Blog caught my eye.  This post was about Ethics, and seeing as how we had a pretty good discussion here recently on that subject, I thought I’d take a look-see.  The article cited another blog post by Chris Soghoian concerning some research conducted at the University of Colorado and the University of Washington on the Tor anonymous proxy network.   

Apparently these researchers conducted their research in two phases.  The first phase consisted of capturing the first 150 bytes of each packet that traversed their server to analyze what kind of traffic it was.  The second phase examined the source IP address to determine the country of origin.  The research can be found at this link and it was presented at the Privacy Enhancing Technologies Symposium held on Wednesday (23 July 2008) in Leuven, Belgium.

The questions raised in both of these blogs were whether the research was ethical and legal.  Apparently it may be a violation of the U.S. Wiretap Act.  Now I’m not a lawyer and in no way can give legal advice on the interpretation of the act.  I have read the law and it appears to me that Title 18, Part 1, Chapter 119 §2511 (2)(g), which says:

It shall not be unlawful under this chapter or chapter 121 of this title for any person-(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

may either provide relief to the researchers or condemn them, depending upon how the courts have interpreted it.  On one hand, servers on the Tor Network are open to the public, but for the intent to anonymize a Tor user’s communication as well as their physical location.  If the communication system is public but the communication itself is not, does that apply?  I can see an argument if the communication is in some way encrypted, but what if it is sent in the open? 

What impact could that have on research?  Is this type of research ethical? 

Any thoughts?


I had refrained from directly commenting on the Terry Childs/San Francisco Network incident that has been in the news this past week or so.  I knew that so many other people out there would be commenting about the incident in their blogs, so what good would one more do?  Now that the incident appears to be over for the most part I’ll say a few words.  I’ll still leave the particulars of the incident to those other blogs.  What I want to comment on is what I consider the underlying factor here, which is Trust and Ethical Behavior. 

While I had strong feelings about this case, what really set me off was a piece in InfoWorld where the author was communicating with a confidential source within the San Francisco technology department.  The author was attempting to bring more light to the subject, but in the end the article essentially boiled down to: “What he did was wrong but…” 

It’s the “but” that I have a problem with. 

Now I’m typically the guy who answers “it depends” when asked a general question.  I run down the situation and the variables that need to be considered in order to get the information I need for a more precise answer.  I don’t automatically assume the worst in people.  I often try to give the benefit of the doubt to everyone – a practice that has gotten me in trouble before.  I honestly believe that all of these are good traits.  I do however acknowledge that there are situations where there is no middle ground and where the choices are truly binary (either a 0 or a 1; on or off). 

In these cases I believe that it is imperative that we, as information security professionals, strongly come down on one side or the other without conceding the middle ground.  By taking a stand on one side of this issue and rejecting the arguments or justifications contained in the “but” we can use this example to help our companies and our clients. 

The simple fact is that there is no way to prevent a situation like this.  Organizations delegate responsibility to trusted personnel to accomplish the tasks needed for a business to operate: they do not abdicate responsibility.  They have to; there is no way that any company can succeed with the constant oversight of every employee.  It is too large of a drain on company overhead.  They place a trust in us and we hold a duty to that trust.   

In the Terry Childs/San Francisco Network incident too many things were not done or handled in the right way.  The incident didn’t start with Childs either.  It started well before that.  Decisions and omissions made by the City of San Francisco’s IT Department undoubtedly played a big part in the lead-up to this incident.  That said, I don’t believe that these factor into what has happened.  It all came down to the point where one individual had to decide what he was going to do.  That decision was to either respect the trust that was placed in him or to violate that trust.  It appears as if he violated that trust, and no amount of “but” can alter that fact. 

As with any business situation there is a risk, and the risk must be managed.  Organizations can insist upon proper documentation and backups for all systems to ensure knowledge retention in the event a trusted person leaves the company or cannot fulfill their duties.  Organizations can put in place access log monitoring software and institute periodic third-party reviews as the situation or area of criticality warrants.  At the end of the day, though, these measures only serve to reduce the risk to acceptable levels.  A risk still remains, however reduced. 


My apologies in advance for this being such a long post. 

I’ve held off commenting on the case of a disgruntled San Francisco administrator who was jailed for launching his own denial of service attack on his employer.  Initially the reason was that I didn’t want to make a post that simply repeated what everyone else was saying.  You see, the Insider Threat is one that is personal to me.  My wife lost her job as a result of what was very likely the work of a malicious insider.  I’m interested in what motivates this type of individual, the patterns of behavior, and what companies can do to reduce the likelihood that a malicious insider can impact their business. 

I’ve spent the week or so since I heard of this most recent case reflecting on the insider threat and reviewing some research material that I’ve come across over the years.  I started a project a few years ago during my master’s program but have let it sit around since I graduated.  Now may be the time to dust off the research and revisit the topic.  This will be the first post in a multi-part series on the insider threat and how it can possibly be managed within an organization.  But first, my story:

When I first started in this business, my wife was able to get me a job with her company in the network support group.  We worked for a medium sized company in the Washington D.C. suburbs.  The support department was pretty small; only five people doing everything from answering the phone and running desktop support calls to server and infrastructure administration.  We were it so we did it all.  This is where I cut my teeth. 

Since no one else wanted the responsibility, I took over the firewalls, routers, and the security aspects of the company DMZ.  I learned a lot in those days and ended up getting a GIAC certification to fill in some of the gaps in my knowledge.  Things went well and when the company decided to migrate from Novell to Windows 2000 I was asked to prepare a security briefing for the IT steering committee.   My boss and I worked on a strategy to segregate the company’s information and control access via least privilege.  (Pretty standard really)  The problem is that we were shot down. 

The division heads wanted the free flow of information so that people could “collaborate.”  Everyone in their respective divisions could access any of the other work going on within the division and at times across divisions.  As work on various projects would ebb and flow, resources were transferred from one project to another and back again necessitating the need to access different types of information.  The division heads did not want to disrupt their ability to do this. 

We explained that this situation was normal and that while our plan would restrict access it wouldn’t hamper anyone’s ability to do their work.  A request for a change in access could be responded to within one business day in most cases, two days in rare circumstances.   We were still denied – nothing should interfere with the work being done.   In hindsight I also think that they were uncomfortable with the fact that we could audit and track what was being done with their information.  This was an organization that grew up from a “mom and pop” type beginning and grew organically.  Everyone was trusted and any threat was perceived to be from outside. 

About four months prior to these discussions someone new showed up at work.  This was an individual who had worked as a subcontractor for the company on one short-term project and was known to a division head.  He just started showing up every morning, got someone to let him in, and squatted in an office.  Since the office wasn’t being used at the time he received permission to use that office.  They liked having him around “in case” work requiring his skills came up.  Let’s call him “Joe.”

“Joe” was a very nice older gentleman.  He was soft-spoken and apparently well liked among the staff on that floor.  We found out that he wasn’t an employee when he called in a trouble ticket for his computer not being able to print.  The problem was that he didn’t have a login, thus he wasn’t able to map the print queue.  We reported this to our boss, and when he went upstairs to investigate, the division head, a vice president, said we shouldn’t worry about it.  She apparently liked having staff that didn’t impact her overhead when they didn’t have work.  So we documented this and moved on.  “Joe” figured out how to map the printer directly so his issue was solved.  (We were running Windows 98 workstations that allowed guest access, and any device with an internal IP could surf the web.  Yup, we lost those battles too.  Again, this was against corporate culture.)

Within a year “Joe” was hired on full time and worked on some projects in the same division as my wife.  As work would ebb and flow, he tried to get onto a few projects but apparently he had worn out his welcome because some projects preferred to work shorthanded rather than take him on.  Nothing much was thought about “Joe” really and I had all but forgotten about him.  After a few years I had progressed as far as I could and although I knew I’d miss my colleagues and the company it was time to move on.  I moved on to a systems integrator across town to start my new life as a consultant. 

A few months after I left, my wife and I found out that we were expecting our firstborn.  We were excited and began planning for the future.  My wife still worked at my former company.  She was the Deputy Project Manager for a multi-million dollar government contract.  The company was very family friendly, and since the project was set up to pretty much run itself they agreed that it would be alright for her to step back from the project for a year and then come back.  We were overjoyed.  We trimmed our budget to the bare minimum so that we could save her paycheck.  We needed to have some savings if she was going to stay at home to raise our son the first year.  We made it eleven months, as our son decided to show up a month early.

While my wife was home with our son, the contract she was working for came up for its normal recompete.  The government had already awarded all of its option years and by law had to recompete it.  No one was concerned.  Everyone at the government agency loved the work that was being done as well as the people working on the project.  Everyone working with the federal government at the state and local level loved the work that was being done.  The company went into this recompete about as strong as any company could. 

Little did they know about what “Joe” was doing.  You see “Joe” was apparently upset that he wasn’t allowed to work on certain projects and that he wasn’t promoted into a senior management position.  He shared his frustration with management but when his concerns went unanswered he kept his feelings to himself. 

About the time the Request for Proposals (RFP) was released by the government, “Joe” resigned and went to work for another company in the next county.  Surprisingly enough, this same company bid against my wife’s company on the RFP although they had no previous experience doing that sort of work or working for this government agency.  Apparently they had the right answers, because they were able to successfully win the RFP with a slightly lower bid.  Oh yeah, and while “Joe” wasn’t named on their proposal response, he ended up having a senior position on that account.  (According to unofficial sources from the government agency.)

Coincidence?  Perhaps, but experience tells me that it was unlikely.  The resulting aftermath was that most of the people that worked on that project were laid off.  Had my wife still officially been on maternity leave they would have had to find something for her to do, but she had changed that status two months previously to “on-call” for a reason that escapes me right now.  Subsequently she was also laid off. 

Did “Joe” take valuable project information to his new company?  Honestly, no one will ever be able to prove it.  The principle of least privilege wasn’t followed when setting up access.  Everyone was pretty much given access to everything within the company.   The network group wasn’t allowed the resources to audit access to critical information.  There are any number of plausible scenarios but the one that has “Joe” copying all the proprietary information on the project then leaving for a position with a competitor who ended up being awarded the work is the most plausible. 

What triggers this sort of behavior?  I’m not sure anyone can say for sure but in the coming weeks I’ll explore this concept.  In Part Two I’m going to look at some research that has been conducted into the insider threat as well as how people act and learn in groups in an attempt to build a basis for Part Three which will deal with how these concepts can be applied to help an organization properly manage the insider threat.


This is another question that I have received via email.  As with many questions, there are no generic answers.  My answer is typically “It depends.” So much depends on the organization and its corporate culture.  That said, here is my attempt to generically answer the question. 

As I am sure everyone involved with this discussion will argue, the CSO should sit at least on even par with the CIO. I agree with that argument whole-heartedly, but the sad reality is that all too often the CSO or Network Security group is an element of the IT department under the CIO. The line of thinking that places us there is that since the devices we oversee are IT assets, that is the most appropriate place for us.

Ideally the CSO should answer directly to the CEO or COO and be on the same level or above the CIO. That said, not many of our colleagues sitting in these positions find themselves so positioned. The trick becomes how to be effective from a disadvantageous position.

Network Security should enable business, not hinder it. Why not leverage this to push our agenda? As an enabler, we need to facilitate change through sound business practices and by becoming the ultimate team player. That does not mean compromising our ethics with regard to security. In my opinion, anyone who finds themselves in a position where they need to compromise their ethics probably was ineffective in delivering or framing their argument for security.

A good leader is also a good listener. Listening to the needs of business and formulating ways to meet the business need while being secure is the key to success in the CSO position. Granted, there will be times where we may find ourselves up against roadblocks and we cannot win every battle. An occasional roadblock or defeat can be dealt with but if we are faced with a systematic disregard for security then we need to ask ourselves two questions: Why did the company really create this position and why do I really want to stay here if I am not being effective?

I like beer (bear with me here – I’ll tie back into the topic). I used to have a girlfriend, back before I got married, who hated beer. While she didn’t have a problem with me having a few cold ones occasionally, she kept asking me why I liked beer. She just couldn’t understand how anyone could like the taste. I told her that she just hadn’t had a beer she liked yet, but that there were hundreds of different varieties. She of course didn’t believe me until I cooked dinner for her one night. At dinner, I served a Raspberry Lambic (beer). She commented on how wonderful the dinner was (I went to Culinary School after college, classically French trained) and how wonderful the Raspberry Champagne was; wherever did I find it? Imagine her astonishment when I told her that it wasn’t champagne but beer.

The point is that my ex-girlfriend thought she didn’t like beer, but in reality she just hadn’t tried a beer she liked yet. Information Security is a lot like that.  If you keep serving up the same old beer time and time again when you know that your boss doesn’t like it, then you deserve to have it thrown back in your face. Switching tactics, giving your boss something they think they want, and then telling them that not only does it taste good but it is something they thought they didn’t want in the first place, will probably be met with a different outcome.

We need to be educators.  We need to deliver our message in such a way that we keep our audience receptive to what we are saying and educate them in why this should be important to them. If we are “organizationally challenged,” that does not mean that we cannot be effective; the job is definitely harder but nothing worthwhile is easy.

Often the org-charts place security where the organization feels it best fits. This is sometimes indicative of the importance the organization places on Information Security (and sometimes it is just where it is, without any meaning whatsoever). Our jobs are to change that perception, relate what we do to our business’s mission, and show that by adopting secure business practices, the mission will become more effective.  In short – our jobs are to educate.
