State Of Security Podcast Episode 4

We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.

Give it a listen and let us know what you think!

Thanks for supporting the podcast!

The Need for an Incident Recovery Policy (IRP)

Organizations have been preparing for information security issues for a number of years now and many, if not most, have embraced the need for an incident response policy and process. However, given the recent spate of breaches and compromises that we have analyzed and been involved in over the last year, we have seen an emerging need for organizations to now embrace a new kind of policy – a security incident RECOVERY policy.
 
This policy should extend from the incident response policy and create a decision framework, methodology and taxonomy for managing the aftermath of a security incident. Once the proverbial “fire has been put out”, how do we clean up the mess, recreate the records we lost, return to business as usual and analyze the impacts all of this had on our operations and long term bottom line? As a part of this process, we need to identify what was stolen, who the likely benefactors are, what conversion events have taken place or may occur in the future, how the losses impact our R&D, operational state, market position, etc. We also need to establish a good working model for communicating the fallout, identified issues, mitigations, insurance claims, discoveries and lessons learned to stakeholders, management, customers, business partners and shareholders – in addition to the insurance companies, regulators and law enforcement.
 
As you can imagine, this can be a very resource intensive process and since post-incident pressues are likely to remain high, stress levels can be approaching critical mass and politics can be rampant, having a decision framework and pre-developed methodology to work from can be a life saver. We suggest following the same policy development process, update timeframes and review/practice schedules as you do for your incident response policy.
 
If your organization would like assistance developing such a policy, or would like to work through a training exercise/practice session with an experienced team, please feel free to work with your account executive to schedule such an engagement. We also have policy templates, work sheets and other materials available to help with best practice-based approaches and policy creation/reviews.

Tips for Writing Security Policy

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they dont know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information.
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organizations security policy.
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.
 

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security policyreally includes policies, standards, guidelines and procedures. Ive found it a very good idea to write policyin just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you wont have to go through the whole process again! 

This post by John Davis.

Tips for Writing Good Security Policies

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information. 
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy. 
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security “policy” really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write “policy” in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you won’t have to go through the whole process again!

Thanks to John Davis for this post.

Touchdown Task for August – Change Management Audit

This month, we urge all infosec teams to engage in a quick 30 minute audit of your change management processes.

Here are some quick win questions to ask of the change management team:

  • How often does the change management team meet & what is the time frame for turning around a change order?
  • What percentage of actual changes to the environment went through the change process in the last 12 months?
  • Where can we locate the documents that specifically describe the change management process and when were they last revised?
  • Please describe how exceptions to the change management process are handled.
  • How are changes to the environment audited against what was provided to the change management team?
  • What happens if a change is identified that did NOT go through the change management process?

There are plenty of online guidance sources for additional questions and audit processes, but these quick wins will get you started. As always, thanks for reading and keep working on your monthly touchdown tasks. Be sure to touch base with us on Twitter (@microsolved) should you have any questions about the work plans.

Guest Post: More on BYOD

As the world of computers, mobile devices, and technology in general, continue to exponentially evolve, so too must our need and desire to secure our communications, our data, and to that end our privacy. There is hardly a day that goes by anymore that we don’t hear of some major security breach of a large corporation, but this also directly impacts the individual. We have to make a concerted effort to protect our information – particularly on our mobile devices. Our mobile devices are inherently difficult to secure because they send their data over WiFi, which is susceptible to man-in-the middle attacks. We must pursue the security of our data on our mobile devices passionately. People nowadays carry so much private and more importantly valuable information on them that we just absolutely have to protect it. Particularly in this age of BYOD (bring your own device) to work. An even more difficult realm for the infosecurity folks trying to protect their networks. How does one protect a device on a network from malicious intent? How does one keep viruses, Trojans and worms off of the networks when everyone seems to be plugged in to their devices? This article intends to describe some steps that one can take to protect their mobile device both locally by encrypting the mobile device itself and also by utilizing apps that help to secure their email and telemobile device conversations from malevolence.  

 

As noted on the previous article on State of Security released on June 17, 2014, Brent recently discussed 3 tips for BYOD, which were to get these devices off of the production networks, teach people about mobile device security, and finally use what you already have to your advantage when it comes to your own architecture when developing BYOD policies and processes.

 

There are numerous steps that the IT folks can take to help secure their networks in this age of BYOD as mentioned in our previous article, but there are also some very simple and usefultips that we can all follow that will help us in protecting our mobile devices too.

 

Every company should have policies in place regarding the use and misuse of BYOD devices. This must include encryption of the data and remote wiping of the data if the device is lost or stolen, (such as Find my iMobile device, Android Lost, Mobile Security, and Autowipe,). Assuming the BYOD device is under the company’s control.  If not then as  mentioned in the previous article getting these devices off of the production network is a must. Every  company should at least require authentication and hopefully two-factor authentication of the device.  This would allow the organization some degree of control when it comes to resetting passwords, locking the device when it’s not in use, logging, etc. If it’s not, then asking employees to adhere and sign a code of conduct with regard to their device is a must, as well as periodic employee education. A quick Google search will reveal apps that can help with two-factor authentication too. Such as RSA Secure Alternative, SMS passcode, and Duosecurity.

 

The next step is to encrypt the mobile device itself upon ending your session. Thereby protecting your information from even the apps that you currently having running on the mobile device itself. All apps go through an approval process where they are tested, validated and checked for security, but there have been times where an app passed through such a process and still contained malicious code that sent back stolen personal information to the attacker. This is a particular issue in the Android market. Companies such as Cryptanium and Arxan offer integrity protection, jailbreak detection, anti-debug detection and reverse engineering protection. So if a attacker does manage to get ahold of your device it makes it much more tamper resistant. 

 

Apps that offer encrypted communication such as voice, video, text and/or file transfers are also a consideration. Silent Circle, Redmobile device and Whisper Systems offer such encrypted communication for a fee. Wickr and Cryptocat do this too, but are free. If you are just interested in encrypted text messages (SMS) then perhaps Babel, Whisper, or Akario is for you.

 

In today’s mobile device market there are a plethora of apps many of which do what they describe when it comes to helping to protect our information. Yet as with anything else if there is a will, there is a way, this is particularly true for those that mean to steal our information. If they have a desire to acquire your information they will make a concerted effort to try to extract it from your device. It is up to us to make it as difficult as possible for them to ever get it. For now there does’t seem to be a lot of apps that actually encrypt all of your information locally to the mobile device. Or if it does offer some degree of encryption then it does so over a potentially vulnerable, networked platform. In short there is no single magic bullet that will encrypt all of your mobile devices data and communications for free, but there are some out there for a fee will offer to do so. The other issue that arises is if you use said company do they have access to the information that you were trying to protect in the first place. What’s to keep a rogue employee from accessing your data? All of this can make your head spin. The moral of the story is to make good choices, use your common sense and don’t put anything on a mobile device that you aren’t willing to share with others. Be safe out there.

 

About Preston:

Preston Kershner is new to the info-security family, where he has a variety of lateral interests in topics such as cybersecurity, information security, incident handling and response, computer forensics and malware analysis. Preston has been in the medical field for over 20 years and is currently transitioning into the infosec community. When not being an information junkie, Preston enoys spending time with his family. He also enjoys learning everything he can about astrobiology (the search for exoplanets that have a potential to habour life). You can follow Preston as he continues to expand his knowledge and experience in these realms at http://www.linkedin.com/pub/preston-kershner/3a/493/965/ & follow him on Twitter (@redman7373).

 

About Brent:

Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. He spends a LOT of time breaking things, including the tools/techniques and actors of crime. When he is not focusing his energies on chaos & entropy, he sets his mind to the order side of the universe where he helps organizations create better security processes, policies and technologies. He is a well recognized author, surfer, inventor, sailor, trickster, entrepreneur and international speaker. He has spent the last 20+ years dedicated to information security on a global scale. He likes honeypots, obscure vulnerabilities, a touch of code & a wealth of data. He also does a lot of things that start with the letter “s”. You can learn more about his professional background here: http://www.linkedin.com/in/lbhuston & follow him on Twitter (@lbhuston).

 

Disclaimer:

It should be noted that some of the apps are free, some apps are cloud-based, some are open source and some are at a cost to the consumer. In no way do we endorse the applications in this article. 


Code of Conduct Research

We have begun working on another project around helping organizations better protect their information assets and the reputations of both their employees and their firms at large. As part of that project, we would like to solicit some feedback from the readership of the blog. 

Does your organization have a code of conduct for employees? Does is have a written code of conduct for management, board members and/or public relations campaigns? 

Is it a living code of conduct or is it a stagnant piece of policy? How often is it updated? Does it cover social media presence, community engagement and/or public perception of the firm or individual?

Who audits the code of conduct and how is it monitored for violations? 

Please feel free to give us your thoughts on the code of conduct and which industry you are in. We are taking responses via email (info <at> microsolved <dot> com) or via Twitter (@lbhuston). 

Thanks for responding. Responses will be entered into a random drawing for a Starbucks gift card, so respond for a chance to win some java goodness. 🙂

September TouchDown Task: Policy Quick Review

This month’s touchdown task is to review your information security related policies and procedures. Whether you, your team, or human resources are responsible for updating and maintaining information security policies, we suggest you review these documents every quarter, or at least every six months to ensure your policies keep pace with legislation, pertinent guidance and ever-changing technology. Even if your organization utilizes a company wide revision process, we suggest you carve out a few hours this month to begin to review the infosec policies.

Start by reading all the policies related to information security. Note those that require significant updates.
Next, research changes in legislation or technology that might affect your policies. Note the pertinent changes.
Seek feedback from your colleagues and managers.
Using the information gained, revise the necessary policies or document your suggestions for the company-wide revision process.
Either obtain necessary approvals for your updates or provide your draft revisions to those responsible for maintaining updated policies and procedures.
Until next month, stay safe out there!

Special Thanks to Teresa West for the help on this one! — Brent

Ask The Security Experts: Mobile Policy

This time around, the experts offer insights on this question:

Q: “Dear Experts, what are the key things I need to keep in mind when I write my company’s mobile security policy?” — MK

John Davis starts us off with:

I would say the most important thing is to actually write your own policy; don’t just copy a generic mobile security policy from the Internet and adopt it as your own. For a mobile security policy to be effective, it needs to be tailored to meet your organizations particular information security requirements and also needs to reflect the reality of mobile device use at your organization. It won’t do you much good to forbid using mobile devices for business purposes if you have no mechanisms in place to prevent or detect such uses. Effective information security policy, like effective statute law, is both practical and enforceable.

Adam Hostetler added:

Keep in mind what kind of current security policies you have, and try to apply that to the mobile sphere. Users need to understand that they are connecting an additional computer to the network, and not just a “phone”. Keep in mind also what kind of deployment you are using. Is it bring your own device, or is it company provided? There will be different policies and procedures for each method and possible user backlash depending on how you are doing this.

As always, thanks to the experts for weighing in, and to the readers for the questions. Keep them coming!

How Cloud Computing Will Leak Into Your Enterprise

“Consumer use of the cloud”; in a phrase, is how the cloud will leak into your enterprise, whether you like it or not. Already, IT is struggling with how to manage the consumer use of devices and services in the enterprise. Skype/VoIP and WIFI were the warning shots, but the BlackBerry, iPhone, iPad and other consumer devices are the death nail for centralized IT (and IS) control.

Consumer electronics, backed by a wide array of free or low cost cloud services, are a new frontier for your organization. Services like MobileMe, DropBox, various file sharing tools and remote access services like GoToMyPC, et al. have arrived. Likely, they are in use in your environment today. Consumers use and leverage these services as a part of their increasingly de-centralized online life. Even with sites like Twitter and FaceBook growing in capability and attention, consumers grow their use, both personally and professionally of services “in the cloud”. Make no mistake, despite your controls at the corporate firewalls, consumers are using their mobile and pocket devices and a variety of these services. Unless you are searching them at the door and blocking cell phone use in your business, they are there.

This might not be “the cloud” that your server admins are worrying about. It might not represent all of the off-site system, database and other hosting tools they are focused on right now, but make no mistake, this consumer version of the cloud has all, if not more, of the same issues and concerns. Questions about your data is managed, secured and maintained all abound.

Given the “gadget posture” of most organizations and their user communities, this is not likely to be something that technical controls can adequately respond to. The consumer cloud services are too dynamic and widespread for black listing approaches to contain them. Plus, they obviously lack centralized choke points like in the old days of “network perimeter security”. The new solution, however, is familiar. Organizations must embrace policies and processes to cover these technologies and their issues. They also have to embrace education and awareness training around these topics with their user base. Those who think that denial and black listing can solve this problem are gravely mistaken. The backdoor cloud consumer movement into your organization is already present, strong and embedded. Teaching users to be focused on safe use of these services will hopefully reduce your risk, and theirs.