Sunday, November 16, 2014

Proactive versus Reactive week 9

We talk about visibility, the need to know yourself, and looking past the horizon. IT security is about setting up controls that surface indicators and acting on those indicators before they become incidents. Most organizations are reactive instead of proactive, which leaves them behind the eight ball every time there is an incident. I am not talking about reacting to every indicator, because different organizations see different volumes of incidents. What I am addressing is having the information to accurately predict events and taking proactive steps to lessen the outcome.

There are many ways an organization can be proactive without hindering employee productivity. Security managers must walk a tightrope between risk, productivity and protection. Most organizations would love to have a proactive approach to risk management: identifying the indicators and heading off incidents before they happen.

Knowing your enemy is hard because there are internet drive-bys every day. You must know yourself and think like an attacker. Educate personnel instead of berating them when security issues occur. Policy violations happen because something changed or because middle management never enforced the policy. Teaching personnel what to look for and what not to do is far more helpful than berating them. Remaining calm when problems arise is the best way not to overcompensate. Organizations like to overcompensate after something happens to make sure they are ready for the next threat. Remaining calm and not overreacting lets you analyze the problem and work out a solution. When you overreact and overcompensate you can make your systems more vulnerable.

Pulling the plug on the internet and all systems is the only way to ensure complete security. That is not an option, because daily business operations rely on the internet and those systems to function. The best way to be proactive and respond to indicators is to be an enabler, not an inhibitor. Working with the organization to come up with secure solutions that do not require blocking the whole system will put security in a positive light, and employees will be more likely to follow protocol.

A checkbox mentality week 8

In my last blog I spoke about federal regulations and whether they were good or bad for security. In this blog I go further into why these regulations are bad for security. Risk management is not only about knowing your enemy and knowing yourself; it is also looking into the horizon at your enemy and setting controls and policies to redirect him. Sometimes the controls are not based on your needs but merely on checking off a box on an audit. When you accept a checkbox mentality you are accepting an industry norm, an average bar that may not work for your organization. You will model your security on what is required and not on what is needed. The checkbox mentality is what drives the "so what factor": upper management is forced to budget security to meet federal regulations and nothing more. To change this checkbox mentality and raise the bar above the minimum we must present a case based on needs and not on the industry norm.

Federal security regulations are a blanket, or a foundation, on which to build risk management. Many organizations fail to build on those checkboxes and leave the company praying it gets the threat before the threat gets it. With over 500 different government and industry regulations in existence, most organizations are forced to follow 100 or more of them, depending on industry. They also have their own security policies to follow, and federal regulations not only differ from those policies but can sometimes contradict them depending on geographical borders.

The ideal security mentality is checking the boxes and still protecting the organization's assets. This comes down to visibility: looking past the horizon and seeing everything that contributes to risk management, namely threats, asset criticality, vulnerabilities and in-place countermeasures. Once your organization has that visibility it can understand the risk and optimize controls to mitigate it. Most organizations do not reach this level because of the checkbox mentality of IT managers, the "so what factor" of upper management and the failure to build on the foundation the federal regulations provide.

Saturday, November 15, 2014

Why do we gamble with security week 7

We all know the person in the office we call post-it, the type of person who has to write down everything on a post-it for convenience. This person must write down every new password on a post-it and stick it to their computer to remember it. Imagine having this person running your company's data security. What a nightmare, especially if your company has to deal with regulations like HIPAA that don't really need to exist, but that is for another blog. Back to gambling with data security: trying to take every platform, application, encryption key and certificate and piecemeal a deployment, while effective management is neglected and the piecemeal security is deployed across systems without audit or controls.

With management neglected and a frustrated, overburdened IT security department, individuals like our post-it guy will stick to their own methods. How do we fix this issue while staying within the regulations? We would not want HIPAA to fine the company for loss of service or security breaches. We come up with the most logical solution, hire more personnel, which always seems to fix everything: we can have HR post a job for a post-it remover. But wait, with management neglected we are now adding more personnel so that management can let more individuals fail to follow security processes.

The way to stop gambling with security is to leverage your existing solutions and automate processes based on your security policies.

Is Cyberspace a battlefield week 6

When we talk about military operations and battles, we always think of terrain and knowing the enemy. If cyberspace were the battlefield, would you know the terrain, and would you know your enemy? When it comes to cyber intelligence you must know yourself and the enemy. How many organizations can say they know all the vulnerabilities of all their systems, ports, protocols, operating systems, etc.? Most organizations have network and system administrators who manage and run their infrastructure. Do they understand where their critical data goes and the key elements and core business functions of that infrastructure? Understanding your support lines, products, vendors, service providers and partners is an important element of cyber intelligence.

When we talk about a company's horizon we are discussing the view beyond line of sight. The cyberspace horizon changes with your controls and organizational services. Most organizations run a push service that does not look toward the horizon to see what is coming. When an organization changes its view and looks further out past the horizon it can confirm or deny the enemy's course of action.

Organizations must remember: if you defend against everything you defend against nothing. You must know the threats against you and design your security to counter those threats. Determine what is critical to your business operations and which systems are expendable and not essential, so that the critical systems are protected.

Thursday, November 13, 2014

The business of Information Security week 5

Most security personnel do not get the respect they deserve from business professionals, who take a "what have you done for me now" attitude toward IT. Most business professionals consider security a necessary evil because they know the cost of not having security is greater than paying for it. To most business executives security is a black box: stuff goes in and solutions come out, and what happens inside the box they don't care about.

Most executives see security as a mysterious budgetary expenditure that must be tied into business and strategic plans. As security personnel we must understand that most business people are not technical; they see the world through dollars and bottom lines. When you make a case for security operations, or for enhancing existing security operations, leave out the technical terms and speak in dollars, showing only the benefits that justify the money:

  • preventing credit card fraud
  • preventing theft of client information
  • detecting and responding to breaches and theft to minimize the damage to the organization
Most security personnel talk about beating the same drum while no one listens. Well, sometimes you have to beat the drum to a different tune so they can understand.

http://www.securityweek.com/so-what-factor-information-security

Incident Response week 4

9/30 - Incident response

We talk about the new age of information and how easy and fast gathering information is. Many companies live by the big data mentality, focusing on volume instead of value. When it comes to incident response it is about value, not volume. In today's world there is no shortage of information, seminars or conferences on information security. The overhyped trend toward big data can be a security risk in its own right. Sometimes too much data has too little value for security operations or incidents. Organizations think the best way to tackle security is to get access to every data source they think is important and warehouse the data. The issue is the volume and value of the data being warehoused. Some data has significant value and little volume, and other data has no value and a lot of volume.

How can you effectively use big data to your advantage, and is big data right for your organization? The first thing organizations need to do is get rid of the "let's store and analyze everything we can get our hands on" mentality. Organizations are so scared of missing something that they waste resources analyzing everything. Too much data creates confusion, inconsistent analysis and inefficiency in finding answers to the right questions about security and incident response. Some would say more data gives more complete answers and more information to validate them. They may be correct that more volume means more validation, but what if you cannot get the data you need in a timely manner because of the volume? This is the problem for organizations with the big data mentality: information cannot be retrieved in a timely manner. The reason for the delay is that storage is consumed by large volumes of low-value data, which creates issues when an incident has a historical background or has been going on for a while. Retrieving the information can be difficult because storage limits reduce the retention time.

If the big data mentality is the option, I would suggest a conservative approach to big data. This might sound contradictory, but if you can collect big data and store value instead of volume you may benefit from a conservative approach. Identifying and validating efficient collection points and determining logging and visibility needs will reduce the volume and increase the value of the data stored.
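As an added example that is not part of the original post: the triage below takes constructed syslog lines (hypothetical hosts, users and addresses), keeps authentication, privilege-use and account-change events at full fidelity with long retention, and collapses routine cron and DHCP chatter into per-source counters. The rules, tiers and retention periods are assumptions chosen to illustrate storing value rather than volume; they are not a recommendation from the post.

```python
"""Value-over-volume log triage: an added example, not code from the post.

Constructed sample lines (not real logs) stand in for a syslog feed. Each
line is classified by its security value; high-value events are kept in
full with long retention, routine chatter is reduced to a count per host
and program. Rules, tiers and retention periods are assumptions.
"""
import re
from collections import Counter

# Constructed sample syslog lines (hypothetical hosts, users, addresses).
SAMPLE_LOGS = """\
Sep 30 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 30 10:01:03 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51023 ssh2
Sep 30 10:01:05 web01 sshd[2213]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Sep 30 10:01:06 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Sep 30 10:01:07 web01 useradd[2230]: new user: name=svc_backup, UID=1010, GID=1010
Sep 30 10:01:08 web01 CRON[2240]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Sep 30 10:01:09 web01 dhclient[900]: DHCPREQUEST on eth0 to 192.0.2.1 port 67
Sep 30 10:01:10 web01 dhclient[900]: DHCPACK from 192.0.2.1
Sep 30 10:01:11 web01 systemd[1]: Started Session 12 of user deploy.
Sep 30 10:02:08 web01 CRON[2250]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Sep 30 10:03:08 web01 CRON[2260]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
truncated line from forwarder
"""

# Classic BSD-style syslog: "<month> <day> <time> <host> <prog>[pid]: <msg>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (program, message pattern, tier, retention_days); first match wins.
# Tiers and retention periods are assumptions for illustration.
RULES = [
    ("sshd", re.compile(r"Failed password"), "high", 365),
    ("sshd", re.compile(r"Accepted \w+ for"), "high", 365),
    ("sudo", re.compile(r"COMMAND="), "high", 365),
    ("useradd", re.compile(r"new user"), "high", 365),
    ("CRON", re.compile(r"CMD"), "noise", 7),
    ("dhclient", re.compile(r"DHCP"), "noise", 7),
]
DEFAULT = ("medium", 90)  # anything unrecognized: keep, but shorter retention


def parse(line):
    """Parse one syslog line into fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return (tier, retention_days) for a parsed event."""
    prog = event["prog"].strip()
    for rule_prog, pat, tier, days in RULES:
        if prog == rule_prog and pat.search(event["msg"]):
            return tier, days
    return DEFAULT


def triage(raw):
    """Split a log feed into full-fidelity events and aggregated noise counters."""
    keep, noise, unparsed, raw_bytes = [], Counter(), [], 0
    for line in raw.splitlines():
        raw_bytes += len(line) + 1
        ev = parse(line)
        if ev is None:
            unparsed.append(line)  # surfaced, not silently dropped
            continue
        tier, days = classify(ev)
        if tier == "noise":
            noise[(ev["host"], ev["prog"].strip())] += 1
        else:
            keep.append({**ev, "tier": tier, "retention_days": days, "raw": line})
    kept_bytes = sum(len(e["raw"]) + 1 for e in keep)
    return {"keep": keep, "noise": noise, "unparsed": unparsed,
            "raw_bytes": raw_bytes, "kept_bytes": kept_bytes}


def summary(result):
    """Per-tier counts plus the storage reduction from collapsing noise to counters."""
    tiers = Counter(e["tier"] for e in result["keep"])
    pct = 0.0
    if result["raw_bytes"]:
        pct = round(100.0 * (1 - result["kept_bytes"] / result["raw_bytes"]), 1)
    return {"high": tiers["high"], "medium": tiers["medium"],
            "noise_events": sum(result["noise"].values()),
            "unparsed": len(result["unparsed"]), "reduction_pct": pct}


if __name__ == "__main__":
    res = triage(SAMPLE_LOGS)
    print(summary(res))
    for (host, prog), n in res["noise"].items():
        print(f"noise {host}/{prog}: {n} events collapsed")
```

The point of the counters is that the cron and DHCP lines still leave a trace (how many, from where) without consuming the storage that decides how far back an investigation can reach; the unparsed bucket keeps a broken collection point visible instead of hiding it.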

http://www.securityweek.com/incident-response-focus-big-value-not-big-data