IT@Intel Blog : Tags : corporate

Fortune Cookie Security Advice - May 2009

1 Comments Permalink Tags: concern, analysis, value, optimal, rosenquist, threat, security, matthew_rosenquist, information, fear, corporate_security, metric, measure, model, matthew, risk

0

Fortune Cookie Security Advice - No Royal Road to Security - July 2009

Posted by Matthew Rosenquist Jul 31, 2009

There is no Royal Road to understanding and achieving information security

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for July, 2009:

There is no Royal Road to understanding and achieving information security

Taking a line of thought from Euclid, there is no easy route to understand the ever changing complexities of information security.

We exist in an era where information security is both exciting and complex.

The rapid evolution of information technology, increasing number of targets, and the explosive development of creative tools attackers employ all contribute to a dynamic environment where a continual struggle between aggressors and defenders shifts the balance on a daily basis. Only through hard work can security professionals effectively pursue achieving an optimal level of security which manages the tradeoffs of cost against controlling impacts and effectiveness of attacks. Achieving information security is an exercise in hard work, diligence, consistency, and flexibility to adapt technology and behaviors in meeting the challenge.

Fortune Cookie Security Advice - Strategic Compettive Secure - June 2009

Fortune Cookie Security Advice - May 2009

0 Comments Permalink Tags: value, concern, matthew, corporate_security, analysis, security, information, optimal, model, matthew_rosenquist, rosenquist, threat, risk, fear, measure

0

Fortune Cookie Security Advice – Strategic Competitive Secure - June 2009

Posted by Matthew Rosenquist Jun 16, 2009

Think strategic. Act competitive. Be secure.

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for June, 2009:

Think strategic. Act competitive. Be secure.

Security is a sustaining commitment where long term planning provides a distinct advantage. Threats are derived from intelligent adversaries. Success requires maneuvering in a competitive manner to remain secure.

Fortune Cookie Security Advice - May 2009

0 Comments Permalink Tags: security, it@intel, analysis, secure, matthew_rosenquist, information_security, openportpromo, model, threat, optimal_security, it, value, rosenquist, strategy, measure, corporate_security, intel_it, risk

0

Strategy for Sustaining Optimal Security

Posted by Matthew Rosenquist Jun 12, 2009

Optimal security must not only be attained, but also sustained over time. A good security strategy must be forward thinking to understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.

'Optimal Security' is the right balance of security spending and losses prevented where business acceptable losses are achieved. It changes often and likely maintains different targets for the dissimilar parts of the entity.

Organizations are likely to mandate security expectations which typically manifests in a set of configurations, specifications, and operating standards. The risk is these security controls may be relatively static and entrenched.

Establishing a baseline security is a good practice, but in order to remain effective it must adapt to changes in the environment by remaining dynamic to keep in lock-step with rapidly changing threats, vulnerabilities, and resulting exposures. It must be a fluid posture, able to rapidly change based upon different internal priorities and external changes. Sustaining business structure must be designed to continually predict areas needing modification and support design and deployment of those changes. Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization. Design security to be flexible and you enable the service to keep up with the continual changes in the information branch of security.

I recently spoke with an organization who had established a security posture which relied heavily on a hardened OS and application build for their systems. At the time, they deployed a platform which took into consideration all the best configurations for hardening. They were so confident they had satisfied security requirements they considered the problem solved. They integrated the security design into their normal platform refresh cycle of system replacement every few years. They never comprehended the fact they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.

The platform’s security, which initially was strong, began to quickly erode. With no internal mechanism to identify when changes needed to be made, nor the testing and distribution capability, they soon found themselves in a situation where they were responding to individual incidents and changing systems one at a time based upon particular end-user needs. This created inconsistencies in the builds which was more difficult to support. Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.

This is one simple technical example. The same holds true for the expanse of automated solutions and behavioral security controls as well. Highly effective and efficient security strategies are forward thinking and understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment. Overall, the concept of ‘optimal security’ is one of fluid adaptations of controls to meet an ever changing target for risk acceptance.

0 Comments Permalink Tags: openportpromo, it, it@intel, strategy, model, rosi, matthew_rosenquist, information_security, corporate_security, intel_it, optimal_security, roi, security, value, risk, rosenquist

0

Fortune Cookie Security Advice - May 2009

Posted by Matthew Rosenquist May 26, 2009

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for May:

Fear and anxiety will lead to poor risk analysis conclusions

Stay focused on the available facts, use a dose of reality to fill in the gaps, and trust reliable risk models to generate analytical conclusions.

Excerpt from the Traps of Measuring Security Blog: In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth. It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand. Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

0 Comments Permalink Tags: fear, corporate_security, information_security, measure, optimal_security, matthew_rosenquist, openportpromo, risk, model, analysis, threat, it, value, concern, it@intel, rosenquist, intel_it, security

0

Fortune Cookie Security Advice - April 2009

Posted by Matthew Rosenquist May 12, 2009

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for April:

Capability, intent, and focus are the defining aspects to quickly prioritize threats.

The world of information security threats is vast. We can easily be overwhelmed with different components, processes, impacts, and concerns. Quickly identifying the benign from the urgent is a competitive advantage. In order to organize and prioritize, we must have a consistent method to judge criteria.

I submit the three most compelling aspects are related to the attacker who is committing the violation. Their capability to do harm, defines the likelihood of a successful attack. The intent of the attacker has significant implications for the likelihood to detect activity and the persistence of continuing attempts. Lastly, the focus of the attack, whether it is targeting you specifically or just looking for opportunistic victims, completes the overlapping picture to understand the precision of activities.

Given these three aspects, a quick evaluation can be made to determine the severity of the threat and attacks. Of course this is just the first step necessary for triage, while a full evaluation should be conducted for the areas which rise to the top of the severity list.

0 Comments Permalink Tags: it@intel, model, intel_it, information_security, openportpromo, it, security, rosenquist, strategy, corporate_security, threat, attack, attacker, matthew_rosenquist, risk, optimal_security

0

Fortune Cookie Security Advice - March 2009

Posted by Matthew Rosenquist Mar 18, 2009

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for March:

The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.

For this month’s advice, you are a victim of eye-candy. I created this slide for a recent presentation, to capture the audience’s attention and rouse some brain juices flowing.

The general message does hold true. Security strategy is the long term endeavor to protect an organization’s future. If the war is fought thinking exclusively about one battle at a time, you will lose the tide of initiative and ultimately spend most of resources responding to your opponent’s attacks. If however, we keep in mind the end goals and manage to a state of optimal security, we can progress towards an advantageous and sustainable level of security.

We don’t have to win every fight, lock every door, and close every exposure. Instead, we are in a position to selectively choose our victories to maximize our capabilities. Our victory is finding the right balance of risk and costs. Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.

In practical terms:

Have a plan and communicate it
Understand the business need for security
Prioritize security initiatives based upon their value
Develop an overall defense-in-depth capability, with interlocking services
Characterize the most severe threats and identify the most likely and impactful exposures
Know what you are protecting
Be cognizant of when you need more, have enough, or too much security

My moment of enlightenment is over. It is time to get back to the grind of the security firefights. But my strategy is never far from my mind. It defines the boundaries and guides my tactical decisions.

0 Comments Permalink Tags: matthew_rosenquist, security, rosenquist, strategy, threat, value, corporate_security, information_security, optimal_security, model, risk

0

Fortune Cookie Security Advice - February 2009

Posted by Matthew Rosenquist Feb 20, 2009

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for February:

A worthless metric is one which fails to drive decisions, even when the metric result radically changes.

The world of information security is full of metrics. Sadly, many are worthless. A valuable metric is one which drives decisions. Unfortunately, our industry also persists in publishing metrics which may nicely fill graphs and catch attention with flash, but in the end are meaningless. The true test: can it facilitate change.

One of my favorite metrics to pick on is a graphic which shows the percentage of internet attacks by country. Provided every year, this metric presentation is visually stunning, usually consisting of a background of the globe with offending countries in vibrant colors. It is clear, attention grabbing, and even interesting in a sublime way. Media outlets love the eye candy. But at the end of the day, the data is meaningless. It does not really matter where attacks initiate from. Organizations will not change their course of security if the numbers shifted drastically over time. The proximity and country of origin simply does not matter. The number and types of attacks are far more relevant, but not the division of origin based upon international borders.

Whenever we are presented with metrics, we must think critically to understand their value. Don’t get caught up in beautiful graphics or catchy titles. Challenge everything. Would you do something differently in your approach to securing your environment if the data changed radically? If not, then move along, nothing here to see.

0 Comments Permalink Tags: optimal_security, rosenquist, metric, risk, value, matthew_rosenquist, threat, data, corporate_security, security, information_security, model

1

Fortune Cookie Security Advice - January 2009

Posted by Matthew Rosenquist Feb 2, 2009

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for January:

Insider threats will always outpace external threats.

Insiders, those people you trust at some level, represent a significantly greater risk than outsiders. External threats may have a numerical advantage, but insiders have the access to cause staggering losses. They possess the permissions, system and process knowledge, authority, visibility to critical systems and valuable resources, and can more easily circumvent existing behavioral controls. Overall, insiders are tougher to detect, investigate, interdict, and prosecute. Security organizations may inadvertently reinforce this disproportional risk by focusing on thwarting external threats, leaving insiders more latitude to conduct undesired activities.

It is a frustrating problem for security to address. There are complex political, business, technical, legal, and behavioral aspects which plague efforts. Due to their nature, insiders have an advantage, can be stealthier, and easily overlooked. Security organizations may discount this slippery threat or lose sight of this aspect and exclusively focus on more noisy external threats. I believe insiders represent the greatest challenge in the security industry.

Every security organization should purposely put in mechanisms to keep the ‘insider threat’ in the equation. Regularly talk about it. Do an annual risk assessment for senior staff. If it makes sense, launch projects to manage the risk. Anything! Just don’t let it slip from memory. Don’t overlook the risks. The challenge is tough and may appear insurmountable, but that is not just cause to ignore the problem. This is a battle worthy of fighting.

1 Comments Permalink Tags: rosenquist, model, information_security, risk, matthew_rosenquist, security, insider, threat, optimal_security, corporate_security

0

Fortune Cookie Security Advice - December 2008

Posted by Matthew Rosenquist Dec 24, 2008

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for December:

Be mindful of the security message you deliver to your customers and how it is interpreted

Rallying your populace to be security savvy is a worthwhile investment and must be approached with the appropriate diligence. It is not enough to haphazardly deliver security information and walk away. If it is perceived as ‘junk-mail’, it will be treated as such. Information security must be understood and applied in order to make a difference. This embrace will only occur if the audience understands not only the message, but also why it is important and the overall context. Every good communication program draws in the audience by letting them know how it applies and benefits them.

If we want to be successful, we have an obligation to understand what is being absorbed and how it is being interpreted.

Andy, ITGuy has a great post (check out the picture for a good laugh).

“How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us”. This is key, as ultimately it is a partnership between dedicated security folks and the organization they protect.

Additionally, Mike Rothman has some great follow-up comments which I think nails the right perspective:

“effective communication is based upon the perception of the person on the other end”. Sounds basic, but how often do we ignore this fundamental principle in our rush to deliver our message?

If you are interested in good security insights, consider subscribing to Andy,ITGuy and Mike Rothman’s blogs. They mix perspective, humor, to timely issues.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.