Blog Posts From Open Port IT Community Tagged With rosi

Enterprises Security Choices and Tradeoffs for BYOD

webadmin@intel.com — Mon, 13 May 2013 19:34:26 GMT

Bring Your Own Devices (BYOD) continues to gain momentum as users bring devices into work environments by the droves. Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security.

BYOD is effecting organizations both large and small. In our highly connected world, workers bring in familiar and favored smartphones, tablets, and other compute devices into work and expect to leverage them for convenience and to improve productivity. It can have a great positive effect on the business but also raises security concerns. Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs.

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices on their network and accessing business data. It introduces chaos to security and IT manageability, driving up risks and expenses. Organizations want to enable productivity of employees but must maintain a level of acceptable risks and keep costs flat, or at the very least justifiable. It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high level choices, each with pro/cons and other tradeoffs. Before committing to a particular path, leaders must understand these options in order to select the best direction to set for their organization:

1. No personal devices allowed. Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This stratagem manages security risks and keeps costs relatively flat. It has been the traditional solution.
Con: Not practical for 99.9% of the world. It’s like trying to hold back a tidal wave with a paper cup. Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff. Most likely they and the less technical community has already been doing this for some time. It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc. Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles flexibility which is so desired by everyone. When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices. Providing corporate managed devices in lieu of employees’ personal devices, allows vetting of systems before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls, allows the organization to manage risks and costs.
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creeps up over time. The out-of-pocket equipment and service costs can be very expensive. To control costs, most organizations will not provide everyone a company device. So there emerges a “have” and “have-not’s” class system which spawns resentment. Those who are provided devices must manage their personal devices in addition to the company provided ones. If you have ever been forced to carry two phones, you know how much of a pain this becomes.

Even in a perfect environment with happy users, a different problem emerges. The comingling of personal and private data on employer managed devices. This can be a nightmare, fraught with legal and ethical pitfalls.

Each class, brand, and even model must be configured and secured. IT departments must support users trying to access services and data. The more types of devices, the more complex and expensive the support becomes. One of the keys to managing support costs is scalability. So, it is normal for an organization to settle on one or two to start. Which will not make everyone happy as people have their own preferences. Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace. Expanded support is great for users, but a nightmare for IT as it increases the legacy support of older configurations which are still in use. Over time the cost to support will steadily increase and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.

3. BYOD of Any Device. All devices welcome with open arms! Users are able to bring in, connect, and use their favorite devices. Security controls are usually network based or via containerization technology on the device itself.
Pro: Initial hardware costs are very low for the organization, as the user absorbs initial out-of-pocket costs for the device. Productivity remains high, as users will continually install latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure. Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications. Security solutions, many with a high per-seat cost, is required. Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments. The expenses continue to increase and never plateau as users follow the non-stop march of evolving technology, applications, and shiny devices

Challenges with co-mingling of users private data with enterprise oversight can still persist depending upon controls and access configurations

4. BYOD of Certain Devices. The middle ground, allowing users to front the initial costs and enterprises can focus on security and management of a much smaller subset of devices. Network, cloud, and device containerization technology provide security.
Pro: Low initial costs as users purchase the devices. It is a flexible model where the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable. As new devices are supported costs will rise due to legacy support and other complexities. Security is managed based upon the vetting and controls mandated for approved configurations.

Productivity varies based upon the breadth and timeliness of support for new technologies. Satisfaction and productivity also follow this curve. The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data comingling is still present.

There is no universal winning choice. It really depends on the organization, risk appetite, budget, worker productivity needs, and the sway of the most vocal users. A very small number of organizations can disallow all personal devices, mostly government types. Only companies willing to spend a tremendous amount of money on hardware or those which already have a strong caste systems to support a limited distribution will be interested in providing workers with such devices in addition to primary work PC’s. Organizations which have little need for confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office. Although a significant number of organizations may try to dabble in this area before realizing the rapidly growing support costs and security issues before changing to a different strategy. In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices. They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable. This is no small feat as these solutions are not yet mature.

Every organization must find their own path. They must consider the options and tradeoffs of costs, productivity, and risk. No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

The paper can be found here.

Daniel Geer is one of the most well respected security metrics expert in the industry. But I just can't follow this line of analysis...

I think it is dangerous to distill the value of security based only upon the expenditure. Although an obvious relationship exists between security spending and controlling loss, I doubt it is linear. Increasing the TSA budget by 300% to $24B will not equate to 3x the level of security people feel or benefit from when boarding a plane. Will 3x more terrorists be caught or hijackings will be reduced to 1/3 current levels? Doubtful. Spending more does not mean security will improve at the same rate.

The attackers likely don't see it as an economic problem either. Cost may be a limitation, establishing boundaries on what attacks can be attempted. But I have not seen any evidence attackers make strategic decisions based upon a ratio of spending-to-attacker or target. If anything, I suspect they evaluate the spending in relation to the likely return. In my humble opinion, this probably holds true for financial, political, and even social attacks.

I would rather see this turn into a return-on-investment analysis, rather than a comparison on who is willing to spend more.

The question in the paper asks "Are you smarter than the TSA?". I would judge any organization which can achieve and manage to the same or better level of risk (risk of loss) in a similar environment, while spending less, as being "smarter than the TSA".

Is Security Spending a Necessary Evil?

Explaining the value of security spending - video

The Problem of Measuring Information Security

Cyber Security: The Doctor Will See You Now

webadmin@intel.com — Mon, 04 Jun 2012 16:27:20 GMT

Cyber security organizations can benefit from the rich historical lessons and gained insights of the medical industry. The medical community has evolved to manage risks similar to those in the computer security world. It is time we learn from the valuable experiences to identify opportunities and effective strategies in protecting systems and data, while avoiding painful hazards and ineffective approaches.

Computer security has many similarities to the healthcare and medical industry. Both disciplines are driven to protect the well-being and quality-of-life of their relative participant communities. Our bodies are complex and constantly changing ecosystems which challenge the medical profession, similar to how security must work to protect sophisticated and evolving computing environments. We want our bodies to perform, achieve tasks, adapt to new challenges, and thrive over time. The same is true with our devices and compute environments. Both aspire to avoid catastrophic failures but also want to operate within an acceptable risk envelope. Nobody wants to live in a bubble, just as users and organizations need to take risks in the pursuit of enjoyment, productivity, and gains. Expectations for cyber security and healthcare are similar, as are the complex set of risks which continually challenge both industries.

Successful health management is about good planning to promote long term overall health. In some cases tactical actions are required for immediate relief. But it is preferable to be healthy and periodically suffer from a minor illness or injury. The overall objective is to establish and maintain a healthy and well balanced body. Knowing minor issues will eventually arise, the benefits of a good general condition will contribute to an ease in handling such situations and give the best opportunity to return to a healthy state to promote longevity. This is far more effective than living unhealthy and relying solely on tactical interventions at the point of crisis.

The value of strategic versus tactical planning continues to manifest great benefits and holds true in computer security as well. It is important to establish and be executing to a long term plan of good security management instead of relying only on crisis response functions. Maintaining a high level of general security posture and practices allows for efficient management of resources and a better position across the spectrum of potential threats.

Thinking strategically affords the ability to deal with incidents from a position of health, rather than suffering from a weak condition which lends itself to foster a continuous stream of problems and leads to living day-by-day in a tactical manner, putting out one fire only to move on to the next.

Tactical security solutions are well suited to resolve short term problems. Symptoms. Have a spam problem, integrate a spam filter device. Viruses running rampant on clients, invest in anti-malware software. Insecure employee remote access giving you heartache, start with a VPN solution. Problems with hiring unsavory workers, institute a background vetting process for applicants. Terminated employees still accessing the network, implement a robust last-day-office program to eliminate accounts. These are all good tactical responses to immediate problems. Although they provide relief, they unto themselves do not establish a good overall state of health. It takes more.

Modern healthcare industry has evolved over time to predict, prevent, detect and respond to conditions. Medical research is conducted to understand causes, identify future trends, and how to better deal with problems. Robust preventative care reduces many issues before they can manifest. Early detection mechanisms provide better chances of successful treatment before conditions become too serious. Advances in emergency care allow for effective response to crises where immediate and timely response is critical. This overall strategy represents a successful overlapping approach to medical care.

Cyber security can also reap great benefits in applying a similar defense-in-depth strategy. Research into technology, threat agents, attack methods, vulnerabilities, and impacts allows for insights to predict likely events and better capabilities in dealing with them. Such research can give the necessary insights to help understand where and how attacks will manifest. This in turn creates opportunities to efficiently and effectively manage the risks of loss. Prediction gives insights to where, when, and what types of attacks are most probable. This can bolster avoidance, detection, and proper response.

Preventative controls are the lifeblood of computer security. Exercise, eating well, and refraining from caustic activities such chronic smoking, obesity, or overexposure to the sun and other carcinogens is important for preventing known health maladies. Keeping computer systems updated, applications patched, running anti-malware software, and insuring the user acts in a common-sense way are the best preventative controls to protect them. More advanced organizations take a proactive look at likely threat agents, their motivation, and methods to align controls for maximum effect.

For attacks which undermine established controls, it is important to quickly detect the breach. Only then can a proper response begin. Visiting a primary care physician periodically for check-ups is part of a good health regimen. The simple act of having a professional evaluate, consult, apply finely honed skills to detect problems is invaluable. To maintain an effective cyber security, regular analysis is also needed. For individuals, much of this can be accomplished within host intrusion detection and anti-malware software. For enterprises, network and host surveillance structures are typical, sometimes supplemented with system audits, honeypots, or penetration systems for advanced reconnaissance. They persistently look for telltale signs of unwanted acts, stealthy access, and system compromise.

These detective controls are very important to complex environments where prevention of all potential attacks is too cost prohibitive or technically impossible. Instead, such organizations rely on detecting those outliers and rapidly responding. It affords a desired trade-off for some situations. This can be a very cost effective solution for rare but potentially expensive events.

No security is perfect. In finding the right balance, it must be accepted critical situations will arise. Cyber security requires the equivalent of emergency rooms for localized emergencies and large enterprises maintain the FEMA/CDC type response capabilities. The key is to respond in a rapid manner with the right actions for a given situation. Intelligence and empowerment is the key to success. Even in the event of a critical failure a rapid and effective response can minimize the impact to an acceptable level. The medical community has embraced emergency care for centuries. It is the last line of defense and should never be neglected regardless of how strong preventative care appears.

Thinking and acting strategically is the key. Tactical thinking, although important, is inefficient and limited in overall effectiveness. No drug, pill, or treatment will erase a lifetime of poor health and destructive lifestyle. Security too, is not achieved in a day. Investing in healthy long term policies, technologies, practices, and behaviors generates the best return.

Computer and information security requires a long term vision and a plan must be in place to give direction to establish good operational foundations. Security professionals should treat the systems under their care like patients. Tactical response will play its crucial part, but should not lead the effort. Awareness of the challenges and goals, an understanding of factors which contribute to risk, and commitment to invest and execute to the right combination of behaviors and controls will lead to the path of risk management longevity and sustainability.

The Cyber-Security doctor is in. What questions will you have for your security team?

Information Security Defense In Depth Whitepaper is Now Available

VIDEO: Defense In Depth Strategy Optimizes Security

How do you “SELL” security?

webadmin@intel.com — Tue, 27 Mar 2012 00:46:34 GMT

Security is a tough and elusive nut to sell. Everyone wants to be secure, but few can articulate what they want. It is almost like buying insurance, but not quite. It can be technical and behavioral. It exists, but only in a transitive state. It can be measured, but mostly in a relative way. History has shown using fear is not the right strategy to sell security. Customers may not even accept the need for it, if they have never had a security breach. So how do you sell security?

The answer sounds simple, but it is not. - Make it ‘Meaningful’.

In order for security to be meaningful, a problem must be recognized by customers, they must be in the ‘action’ state of mind, the solution must be effective to a desired level, and the economics need to be right.

If you are struggling, you are in good company. Right now, the entire industry has problems in all of these areas.

Making security meaningful to customers:
1. Recognizing a problem exists: Most people don’t recognize the problem, until they feel the pain. This was true for the longest time in the medical and dental industries. People only went to the doctor/dentist when they felt pain. Over time we have embraced preventative medicine. Security is in the same early stages with people begrudgingly investing when they feel the pain or believe it is imminent. Basically “security is not relevant, until it fails”.

Recommendation: Timely education and awareness, without propagating false fears, is key.

2. Action state of mind: We are creatures of habit. We rarely diverge from our mental framework of choices. In order to make a change, our brains must reach a tipping point to decide a different path. Here is a great article about key life events which drive changes in consumer spending and how the retail industry targets these moments in our lives to sell products. In security, the same holds true. We must be in a proper state of mind to invest in security. In most cases, it is when we become a victim or are forced to change due to external requirements.

Recommendation: Be in the minds of people at the point when they move into the ‘action’ zone.

3. Effective solution: There is no single ‘fix’ to security, it is a gradient. Any solution may provide a better level of security to some aspects, but will not solve all potential problems. In a cost/benefit analysis, it is important to know the benefits. This is difficult as the threats, environments, and customer expectations are difficult to quantify and will likely change over time. The key for the user is achieving whatever they believe is the right level of security.

Recommendation: Have a well thought out solution, coupled with accurate/realistic and clear messages of the benefits to users. Design and sustain with a defense-in-depth model for longevity.

4. Positive Economics: Security costs. In one way or another, the customer will pay. It may be money, time, system performance, annoyance, or any combination thereof. On the positive side, it also provides some level of benefit, which may include better confidentiality, integrity and availability. This can lead to a better emotional state and satisfaction. Measuring the benefit and costs are extremely difficult and as a multitude of factors which contribute are constantly changing in radical and unpredictable ways. Just because you institute a protection mechanism, it does not mean you would ever be attacked in that manner. Investing in strong security against one threat, may seem a waste when attacks come from a different direction. Even if a control does a spectacular job at preventing loss, will you know? It is hard to measure something which does not occur. Instituting a security control may make you feel strong today and less so tomorrow. Right now, the industry does not have a standard for measuring Return on Security Investment (ROSI). This becomes a difficulty for consumers who want to know they are getting a good value for the cost(s).

Recommendation: Leverage one of many different methods to determine security value. Use the best model for the specific security capabilities and user environment/expectations. Make it real for the consumer, in terms they understand and cherish.

One Word to Describe the Biggest Challenge of Information Security?

webadmin@intel.com — Tue, 27 Mar 2012 00:09:38 GMT

Can you use ONE WORD to describe the biggest challenge facing information security today?

I was asked this very question this morning. After a few minutes of pondering the vast possibilities with coffee in hand, filtering out inappropriate language choices, and digging deep to find a constructive perspective, I declared my one word which depicts the current challenges in the security industry.

Ambiguity. In one word it states the grand breadth of the challenges and great diversity of perspectives for those involved. What security is, what it encompasses (i.e. emotions, beliefs, states, events), what it is trying to deliver (no, not invulnerability), how to achieve it (e.g. technical, behavioral, process), maintain/sustain it, what drives it (threat agents, losses, opportunities, fears, etc.), how to measure it (Risk Assessments, ROI/ROSI, compliance, value across tangible/intangible losses, etc.), who is involved (attackers, defenders, victims, and bystanders) and how/why the landscape and equation changes so drastically over time (complexities of factors which create the ever changing fabric of security)?

There exists both a lack of understanding as well as an overabundance of inconsistent concepts of the above items.

Defining the problem is the first hurdle.

IT security will spend more in 2012, but will they spend smarter?

webadmin@intel.com — Fri, 27 Jan 2012 17:59:29 GMT

According to a study and blog by Enterprise Strategy Group, over half the organizations surveyed will increase their security budgets in 2012. Spending more does not equate to spending smarter. There is not a guaranteed relationship between security spending and risk reduction. Investment is an important indicator that infers organizations are not satisfied with their current or future stance on security and risk management. But it is just as important to wisely spend those dollars for a meaningful benefit.

Organizations should ensure they have a solid security strategy, are tracking effectiveness by measuring tangible results, and focused on maintaining an optimal level of security, one which achieves the right balance of spending and risk reduction resulting in an acceptable level of residual risk.

According to the report, some will increase security budgets by 8% or more. This can be a significant windfall to strapped security departments, but will likely come with lofty expectations. Before committing to a long term resource increase, executives should review the security strategy. Ask the tough questions. Here is a good start.

Security practitioners will need to justify the spending and more importantly show results. Metrics, although difficult in the security world, are necessary and should be focused on tangible improvements. Here are a few measurement methods which may be considered. For those using the Threat Agent Risk Assessment (TARA) methodology, show how spending will reduce risks of loss for the most critical threat agents and be sure to update your baselines accordingly. This will help in determining the positive cascade affects in other risk assessments.

Lastly, it is a good time to remind security teams and especially senior management that the goal of security is not to be impervious to loss. Rather it is to achieve and maintain an optimal balance of security to manage the risk of loss to an acceptable level. Be forewarned, at some point before the end of the year, don’t be shocked if management comes calling to scrutinize how the investment will pay dividends. Expect some iteration of the dreaded four dirty security value questions and be prepared with sound answers for next year's justification of budget.

Is Security Spending a Necessary Evil?

Low Budget for Information Security?…Part 2

webadmin@intel.com — Tue, 01 Nov 2011 17:16:54 GMT

In my last blog Part 1, I provided some details of ways to improve Information Security when working with a low budget. One main area of my focus was on ensuring sound security policy and integrating security awareness training into other processes within an organization. There are many other opportunities to integrate information security best practices that increase awareness and build on the information security posture for the organization. Here are a couple more ideas:

Find ways to integrate information security risk assessments into already existing processes so as to identify risks at early stages of product or solution development. This can allow the organization to evaluate the best mitigating controls which could be more expensive to add on at deployment. At the forefront of defining the budget for a new solution or product roll out, the security management, technical and physical controls that are required should be considered ahead of time so that there are no surprises after implementation.
Evaluation of the organization’s purchasing process. If technical controls are required in a security policy or risk assessment and purchases are made from the budget of a project, there may be an opportunity for justification of funds for deploying security control at an organizational level. It may be just a checkpoint during the procurement phase to evaluate whether there are several different deployments of similar solutions. If so, there may not be the consistency needed to ensure quality standards are met. Additionally, negotiation with the vendor for licenses or hardware might be more beneficial on a larger scale to save a significant amount of money. One other benefit to discussing security with the purchasing representatives are the relationships that can be developed with the information security group which can help significantly in understanding how the business justification of costs work within the organization.

During the effort to integrate security within other processes, the security staff should know about common misperceptions such as being a “road block” or trying to paint a picture that the “sky is falling”. A positive attitude can help with encouragement of open discussion on risk and acknowledgement of good catches made. I’m sure there are other ideas for improving the security posture of an organization on a tight budget that others may want to share.

Low Budget for Information Security?…Part 1

webadmin@intel.com — Sat, 22 Oct 2011 06:10:23 GMT

Justification for Information Security expense can be difficult in today’s economic environment. Oftentimes it takes creativity and communication skills to clarify the importance of forming a reasonable balance in the cost of information security controls. This balance is relating to the acceptable risk in order to effectively protect an organization’s information assets. Sadly, with many organizations there is a disconnect on this balance and there is no information security budget.

A good basis for understanding of security controls should be established with distinction between administrative, technical, or physical with the most important being administrative. Yes that is correct, if there is expenditures for technical security solutions it should be described as a requirement in the security policy or a mitigating control of a risk identified during a risk assessment. Technical security controls are commonly used to automate what cannot be done sufficiently with manual effort. The physical part should be the basic premise of locking the door to the data center and preventing unauthorized physical system access. Reporting structure should be a common method for justification of security control expense which will show how well a tool is working and that it is being evaluated on a regular basis.

But on a low to no budget for security, how can it become a bigger priority? It may be good to find opportunities to integrating security into other already existing processes. Opportunities may include:.

Security awareness training - this is one area that should not be taken lightly. It is the opportunity to inform the users on how to protect the corporate information assets and what is described in the security policy, why it exists and how to gain further information whenever needed. If this effort does not currently exist, consider an effort to integrate it into the new employee orientation first. Then, after some success can be demonstrated, the training could be provided through WBT’s on an annual or biannual basis. The success may be shown in surveys to users who have taken the training.
Another opportunity for communication about security is a bulletin area such as the corporate intranet site or a monthly newsletter distributed throughout the organization. Including some common threats and techniques for avoidance of being a victim is a good way to remind users that their activity plays a factor in the vulnerability equation.

Without security awareness training, the users may consider security controls as an obstruction to getting their work done and increases the possibility that a work around will be used to bypass the controls. Additionally, users are the front line of defense to security as most events can be witnessed by the user and reported appropriately through the corporate help desk or through the security group. If there is already security awareness training offered, there may be opportunities for improvements of content that are not very costly to the organization. In my next blog, I’ll expand into some other business processes where it may be possible to integrating security practices. Maybe there are other creative ideas for improvements on a tight budget that others can share.

IT Security Common Misconceptions

webadmin@intel.com — Wed, 27 Jul 2011 20:34:24 GMT

The IT Security industry specializes in the protection of information processed, transferred or somehow controlled on computer systems. Yet there are several aspects of computer security that are misconstrued by those who just casually interact with computers to even those in the computer profession. With a topic so broad, it’s difficult to summarize in just a few short words. We could simply inform everyone to ensure their anti-virus software is scanning for malware or be careful as to where you enter sensitive information. These are important considerations but it’s only by understanding risks of computer systems and the information collectively, that we can comprehend the challenge.

In a video blog by Intel’s CISO Malcolm Harkins, he describes a common misperception of risk when it comes to information people are willing to share to the world through social media. For me, this brought up other parts to IT Security that are also misunderstood and compels us as information security professionals to share what we can whenever possible in order to help communicate that security is everyone’s job in an organization, and important knowledge for any computer user.

One area that presents many misconceptions is computer and network security. The computing environment does play major part of the risk equation because we need to verify it has the capability to provide a level of security required for its location. But a common misconception here is that by using a firewall to block unwanted external traffic or running antivirus software, all malicious traffic or software will be prevented from entering. In addition, having all computer systems protected with the same level of security throughout the infrastructure regardless of its purpose creates a one size fits all security model that is much more costly to maintain.

Another misconception is in the area of data classification and compliance. The concepts used to evaluate risk should not be based on the type of information alone but also where it resides, who needs access to it and what technology can be used to protect it. The scenario that evaluates the data alone may give the misconception that compliance is security. Compliance by itself is not security and may lead to a false sense that security can be achieved by following a checklist. The classification of information along with how it will be accessed is an important consideration for the risk equation because it allows for an evaluation of possible threats specific to that data, but it is also equally important to consider the computing environment by which it will be protected.

Perimeters that are protected with a firewall are no longer sufficient alone against more sophisticated targeted attacks. It’s important for constant re-evaluation of the security posture for any organization because of the growing list of factors to consider for securing information stored or processed on computer systems. Expanding on the security-in-depth strategy, the White Paper titled “Rethinking Information Security to Improve Business Agility”, leading information security experts at Intel IT describe a strategy for evaluating risk based on the location of the information along with the requesting user’s location and referred to these locations as “security zones”. Some of these zones can be considered trusted based on a score that evaluates the source of the request and destination of the data. Depending on the score, even a legitimate user might end up with only limited access to data due to factors such as trust level of the user’s current location. This new paradigm for information security is designed to meet a broad range of evolving protection requirements that include the assessment of new usage models and threats. Additionally, the expectation that preventative controls such as firewalls are good enough for security; detective and corrective controls are also a very important part of an information security process as well as evaluating each for their effectiveness on an ongoing basis.

For these reasons, I believe that one of the most common misconceptions is that computer security is not a “set it and forget about it” list of security options but rather an ongoing process that evaluates risk based on both the type of information and the computing environment being used. Just as the bad guys are going through the same process to try and circumvent mitigating controls, we must continue to evaluate whether the appropriate countermeasures are in place. Information security is an ever changing challenge and the industry must constantly prepare for technology changes in order to prepare for the next wave of vulnerabilities and associated risks. The important thing is that we are now more commonly asking the questions about security implications for any new computing technology. Using cloud computing as an example; there is a greater concern about sensitive information being placed on uncontrolled or non-trusted computers systems than ever before. We can only hope that trend will continue.

Information Security in Cloud Computing Could Be Better

webadmin@intel.com — Wed, 18 May 2011 17:23:06 GMT

It seems that you can’t go anywhere these days without hearing talks about cloud computing and how this new paradigm shift is going to change the use of the Internet in the coming years. But you can also hear that one of the biggest concerns is information security and privacy for information being passed around on this new way of using the Internet. But could it be true that Information Security might be better in Cloud Computing? The answer to this question for cloud based architectures involving Software as a Service (SAAS) will most commonly precede with “it depends”. As always, it mostly depends on the decisions made during the (hopeful) use of processes for application security development being adhered to during the SDLC. Coming to the conclusion that an external cloud based service is better for a computing solution should only be done after careful analysis of all options for a given solution and therefore, external cloud architecture should not be predetermined. This meaning the use of cloud based computing should not be forced but considered as an option in the design and architecture phases for a solution.

The “cloud” type services have actually been in use for some time now but more recently the focus to how these services can be more defined and beneficial for service providers and consumers. For years now, organizations have hosted services like web, e-commerce, and email to service providers only to name a few. Additionally, routers and DNS services have been in use since the beginning of the Internet sending our email and web traffic from customers to partners without SLA’s for every path each bit traverses. Where the data security is concerned, security capabilities like PKI trust models and encryption technology have been added on to keep that data secure over insecure environments. Much will be the same as we move to cloud based architectures but the greatest part for the sake of security is that many related concerns can be raised in the beginning and at the design and architecture levels addressing security concerns ahead of time rather than adding security on top of existing solutions.

With cloud based architectures among the options for providing a solution, misconceptions are common as manufacturer’s market products for the cloud. Benefits being presented will include reduced total cost of ownership, lower initial costs for deployments, disaster recovery services, security control capabilities like system patch management and updates, and scalability as the need for more throughput arises. These benefits will be especially great for organizations deploying solutions with minimal internal capabilities to provide these services. Having a strategy and plan that includes cloud computing could allow for the most lucrative benefits. For more information on the direction of cloud computing at Intel, you can review the Enterprise Private Cloud Architecture and Implementation Roadmap or the Cloud Security related topics on Intel’s IT Center.

The shift to cloud computing should not change the need for baked in security requirements from the start. The hope is that security and privacy concerns can be at the forefront of requirements for any solution being deployed with public or private cloud based architecture. On one hand, the service providers will be reaching out for business and on the other, companies will be carefully evaluating whether to take the leap. For the larger organization, moving to cloud centric computing will most likely require the decoupling of many existing solutions for careful scrutiny and understanding of the threat landscape. This could even bring to light some needed mitigation for such threats that may not have been thought of before. The challenge for the cloud is that it is not just the technical aspect for there are other legal agreements and trust ramifications to consider. Organizations should consider a private cloud before migrating to public cloud (service provider) so that evaluation of security ramifications can become more prevalent over time and only move to the public cloud that which makes sense. The evaluation can provide more opportunity for security at the forefront of the technology, or the decision to use public cloud architectures can be avoided altogether. Not to say that every solution that becomes more cloud centric will be more secure but that many of the concepts for mitigations of common threats will likely be proactively offered as standards by service providers in external cloud services.

Cloud computing will bring about a change in the physical boundaries of data and moving that data between trusted partners securely and reliably. This capability will require encryption and trust models being constantly evaluated to ensure the latest security capabilities are being used properly. This capability may be enhanced by using the right service provider in the external cloud. It will be important that service providers use cloud based computing architects that understand the capabilities in technology like Intel® Trusted Execution Technology (Intel® TXT) and the impact of the latest Intel based Xeon Processors integrated Intel AES New Instructions (AES-NI) to achieve accelerated encryption and decryption. Cloud computing consumers will soon have greater access to the latest technology for security and performance because of the shared cost associated with cloud based architectures. Additionally, technology must continue to advance in the capability to protect data which may be easier implemented by the service provider that specializes in the protection of data in the external (public) cloud. So if risk and security conserns are at the forefront of discussions for moving to a cloud based architecture, information security in the cloud could be better.

Attacks, Threat Agents, and Vulnerabilities are the Key to Prioritizing Security

webadmin@intel.com — Wed, 11 May 2011 16:53:26 GMT

In a recent Dark Reading article, a number of experts gave their perspectives on where the focus should be in order to prioritize security effort.

Focusing on attacks and not vulnerabilities can help companies prioritize their defensive efforts, says Dino Dai Zovi, a well-known independent security researcher.

And…

Security consultant Daniel Guido stated "We can step back and study these things that are coming after us, and we can build more informed defenses that are more effective against those particular threats and that are less costly than not having done this process to begin with,"

The industry has traditionally focused on vulnerabilities as the primary way to prioritize security efforts. Momentum is gaining to move away from this practice and put more focus on the attacks themselves as well as the threat agents who initiate them. I have to say I am in the "know your enemy and know yourself..." camp. What can I say, I am a fan of Sun Tzu's "Art of War". When trying to interdict the enemy, I believe it is far more important to know what is likely, versus what is theoretically possible.

I say let Occam's razor, the law of economy, path of least resistance, and common sense rule. Given a large number of paths to success, people tend to choose the most convenient, less risky, and most cost effective options. The others are ignored. The sheer volume of vulnerabilities is overwhelming. History shows only a small number are regularly exploited. In large or complex environments, knowing and attempting to close every possible vulnerability is an expensive and never-ending exercise in futility. Better to make informed decisions based upon what is likely. Understanding vulnerabilities is a valuable and necessary exercise as part of the decision process, but does not deliver optimal security prioritization alone.

I refer back to an older Fortune Cookie Security Advice blog:

In information security, like in sports, knowing your adversary is far more important than knowing the condition of the field.

I think the industry is starting to delineate between threat agents, the 'attackers', and the methods to use, the 'attacks', to exploit known vulnerabilities. It may be why I am getting more and more inquires about the Threat Agent Risk Assessment (TARA) whitepaper I published back in 2010.

The underlying concept for the Threat Agent Risk Assessment (TARA) methodology is to narrow down the focus by taking into consideration the people behind the attacks. Knowing your attacker, their objectives, and the likely methods they will employ, gives a tremendously powerful picture of what should be prioritized, based upon known vulnerabilities, controls, and exposures.

How Information Security expense can provide IT Business Value

webadmin@intel.com — Wed, 02 Mar 2011 18:45:15 GMT

One of the most challenging aspects of information security is right sizing the budget for such expenses in proportion to the overall IT budget for a company. That is, estimating the appropriate budget related to the level of risk that an organization is prepared to accept. Some company’s may believe that comparing the percentage of IT security expense used by their competitors or organizations within their business sector is a good way to estimate their own IT Security expense in terms of percentage of an IT budget. This type of pursuit can bring about a disconnect between the perceived level of risk to information security exposure an organization is under and what is reality. Many options exist for calculating the appropriate security expense with regard to risk. There is the Annual Loss Expectancy (ALE) which is calculated using the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE), or the Return on Security Investment (ROSI) can be used along with the Total Cost of Ownership (TCO) calculation. Chief Information Security Officers (CISO’s) may need the values of these calculations to feel more comfortable with their security investments. Which brings up my challenging question of the day: is information security really an investment?

We should not forget that information security is a process which includes technology and, most importantly, people. For that reason, it is possible to consider the improvements of an IT Security program by evaluating the maturity level for an organization using a scale of measurement like Common Maturity Model Integration (CMMI) which provides different Capability Levels (0-Incomplete, 1-Performed, 2-Managed, and 3-Defined) and Maturity Levels (1-Initial, 2-Managed, 3-Defined, 4-Quantitatively Managed, and 5-Optimized)). We can also consider using common business improvement strategies like Six Sigma, which can be used to identify improvement possibilities using measured results to justify the cost of IT Security. Six Sigma involves the use of those valuable boxes connected with arrows to define how things are currently being done and how improvements can be made. The strategy provides steps that include Define, Measure, Analyze, Improve and Control. The first step in any improvement strategy is to define the metrics for which to collect, measure and analyze the current measurement for a baseline, and then improve and control meaning that the new processes should be implemented with ongoing analysis as needed. But there needs to be metric to monitor and analyze in order to determine improvement capability. Even if that metric to be measured is time to complete the process, it could be an important metric on establishing a current baseline on which to improve upon.

Another challenge in an information security program is collecting metrics that can be monitored for how well the program is working. If there is no Information security program for which to collect metrics, then establishing this should be a priority so that the focus can be on the right options for which to improve. It can start simply with the collection of number of systems being infected by a virus or worm (malware). In my opinion, if no metrics are collected and reported to upper management, there is no security program. These metrics are important part of determining options for improvement and allow for the appropriate justification of information security expenditures.

One good example of measured improvement can be found from one of Intel’s very well written White Papers on the subject of Security Investment or (ROSI) here: Measuring the Return on IT Security Investments.

Many countermeasures can be put in place at once in order to establish a good defense in depth strategy for the IT Security program. But if IT business value proposition is important, an approach that allows implementation of security countermeasures (or improvements) one by one can allow measurements to be taken and proper value to the organization can be assessed. Whether it’s CMMI to show increased maturity level in handling a security event, Six Sigma for improvements on the process, or ROSI that shows return on the initial security investment, all can be very beneficial to cost justification as they provide indicators on just how much improvement was achieved based on the metrics collected.

The truth, in my humble opinion, is that even though all of the calculations providing justification to information security investment have some subjectivity, they are very meaningful and necessary in allowing the appropriate communication to take place about risk mitigation. An organization’s obligation to protect its information assets is considered due diligence, and in some cases IT security controls are mandated under regulatory compliance. But unfortunately, many organizations are forced into a security program with the only purpose of satisfying regulatory compliance making it very difficult to measure business value. Security audits should only be used to verify security controls are in place and working properly, not to control the direction of a security program. Information security should be created with a defense in depth strategy in mind and the consideration of the data classification that needs to be protected. The organization’s culture plays a huge role in making strides with this and implementation of standards like ISO 17799/27002, NIST-800 series, and COBIT can also help in this strategy.

A strategy that focuses on IT Security improvements can be measured to show that it is an investment in the organization’s capability and maturity or that it is an improvement on the protection of information assets. As with any process, there is always room for improvement in IT Security. The IT Security program should be created to protect the organization and by determining the indicators for success, information security expenditures can not only be justified but can also be an investment in IT Business Value.

Why Behavioral Security is a Critical Component of Information Security

webadmin@intel.com — Thu, 23 Dec 2010 19:41:44 GMT

The debate continues to rage between those who believe information security is purely a technical discipline and those who believe success must include both behavioral as well as technical components. If you read my blogs, you already know I am a firm believer in the latter.

Information security professionals typically deal with a complex ecosystem which includes technology and people. Whereas computer systems follow rigid and clearly defined rules, people do not. Purists tend to approach security problems by establishing a number of technology based controls. This tact works well for electronic devices, but not so well for people. These controls are most applicable in environments where actions are understood, limited in scope, and consistent. Best suited to situations where specific inputs result in predictable outcomes. People can be unpredictable ‘wild cards’, driven by individual motivations and bounded by few limitations. We expect them to follow the rules based upon our version of ‘common sense’ even in the absence of proper training. Technical controls can restrict some activities, but due to the tremendous latitude and flexibility, it is common for such barriers to be sidestepped by people without much thought or effort.

We can see this play out in a number of related fields. Take for example the thousands of new automobile drivers in California who hit the road every month. These high risk teenage drivers push insurance rates up due to their historically elevated rate of accidents.

Currently, we employ a combination technical and behavioral approach to provide security for all drivers on the road. The behavioral measures include mandatory drivers’ education, co-pilot experience, driver testing, financial investment, and both positive as well as negative social reinforcement.

But what if we took a different approach and eliminated the behavioral controls in lieu of stronger and more comprehensive technical controls? We could install more guard rails, speed bumps, stop signs, street lights, fix potholes and lower the speed limits on every street. Every vehicle could be required to install top-speed and acceleration inhibitors, anti-lock brakes, high visibility lights, 8-way airbags, oversized sized mirrors, location tracking and collision detection systems, and be subject to yearly safety inspections. A huge financial and resource expenditure to establish and sustain, but such technology would make both the roads and vehicles safer.

But to what result? Because the most prevalent factor in accidents would remain unaddressed, the element of poor human judgment, I believe this strategy would not achieve the desired results. In fact, I am confident the elimination of behavioral controls will greatly overwhelm all the benefits of the new technical controls, resulting in a skyrocketing accident rate. In the end, technical controls cannot overcome poor decisions of drivers, and ultimately would fail to reduce accident rates, while incurring significantly higher costs.

Instead, thankfully, the modern solution is to train and educate new drivers in addition to modest technical controls. They still have the worst driving records, but it is far better than the alternative. We should apply these concepts to the world of Information Security as well. Reliance on only technical controls is not sufficient given the dependencies on people within the ecosystem.

I firmly believe success can only be accomplished with a combined effort of technological and behavior controls. Only then can an optimal solution for security be achieved.

Fortune Cookie Security Advice – Relevance of Metrics - Feb 2010

webadmin@intel.com — Mon, 08 Feb 2010 23:29:46 GMT

Metrics Show the Relevance of Information Security

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment. The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for February, 2010:

Metrics Show the Relevance of Information Security

Although not easy, metrics show the relevance of information security programs or the lack thereof. Internal security does not generate revenue, it is a cost center. The value of such initiatives is derived by the amount of loss they prevent. Metrics can show this relationship and represent the value. Sounds simple, but in fact it has been one of the long-standing challenges in the security industry.

Security metrics are immature. No pervasive standards exist and organizations continuously struggle to independently show value. Advances are being made, but we are not at a stable point of comfort and confidence. More research is needed. A recent Department of Homeland Security report ranks metrics as #2 of top security research areas.

Some metrics do exist, but organizations are currently faced with an awful decision: meaningful or accurate; pick one. Vague metrics are possible but lack tangible results which can be compared or quantified. A flashing red light does not speak to dollars saved, how systems can be improved, or the future outlook. Nor do simple metrics accurately reflect true causality correlations. More accurate metrics are very difficult or in many cases impossible to deliver. The industry has not settled on provable and reliable methodologies which scale with any confidence. What can be produced with high accuracy typically provides little substance and not much assistance when making complex decisions. Although specific metrics can provide dollar savings for small environments, they are likely to lack accuracy and can easily be challenged. Such false predictions may be cause for overall loss of confidence in a security organization. A risk many groups don’t want to take. Security metrics still have a long road to travel, though their role is undeniable in showing the relevance of security.

Fortune Cookie Security Advice - Confusing Security Measures and Metrics - September 200p

Fortune Cookie Security Advice - No Royal Road to Security - July 2008

Fortune Cookie Security Advice - Strategic Compettive Secure - June 2009

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009