Don't assume people will read the security policy!

Just because the policy is posted, does not mean everyone will read it.

Listen to the Audiocast:Information Security policy must be marketed to employees

Policy, like any other communication, must be marketed.  It is the role of the security professional to show the end-users the value and how it helps them.   Make it personal.

References: SANS.org blog: How to Suck at Information Security

Most security programs show value by either reducing the number of incident occurrences or reducing the impact of those incidents.Understanding where a program draws its value and how it fits in a defense-in-depth strategy, gives insights to where it can be maximized for optimal benefit and raise flags when expectations are mismatched with function.

Occurrence and Impact

Simply put, security incidents happen and they cause discomfort. Effective programs will either affect the number of times they occur and/or will lessen the negative impact. These aspects of Occurrence and Impact are important when we look at the complexities of measuring security value in the real world. It is a basic first step, but this type of framing establishes boundaries and clarifies expectations.

Once understood, it may be possible to measure the effectiveness to a level which determines general value and applicability. It can paint an important piece of the picture showing how the collection of security programs provides coverage to the landscape of attacks. Additionally, the big picture can identify inefficient duplications of security services.

Do all security programs manifest value in this way? No. Some efforts are tailored to meet regulatory, ethical, or emotional needs. For those types of initiatives, this general framework has limited applicability to measure value.

Intersection of Defense-in-Depth

The diagram below is an overlay of the Occurrence/Impact domains with the Defense-in-Depth categories as they intersect a typical attack lifecycle.Mapping security capabilities, tools, and services will show coverage and gaps for different types of attacks.

Defense in Depth Information Security Strategy

Information Security Defense In Depth Whitepaper is Now Available

We know that privacy does not exist in the Internet age. But what that “meant” at one time is not what it means now. Then information was available but hidden. Now it is all on the surface, aggregated, and correlated.

People protect themselves from the implications of no privacy in different ways. Some protect themselves by being extremely circumspect. I know of a person who though professionally distinguished has but one search engine hit and that comes from a bibliography. How did he/she do that? (I am not going to disturb this carefully protected profile by attributing a gender to it. If I could plausibly claim it was a space alien I would.) Others protect themselves by “not caring”. But what we don’t care about changes as we find new settings to play in and as new capabilities emerge.

I just did an Internet search on my name. I had not done this in maybe a year. I was happy to find repeat hits for proceedings volumes I edited with others. And I was surprised to find that those proceedings are for sale on several sites. I think I have about 50 books to sell unless I threw them out already. There was a time when you couldn’t or wouldn’t sell all the extra stuff in your house on the Internet. Those books are being offered for $185 each! I can beat that price if I can find the books.

But let's get on to the disturbing part. In the late 80s I dashed off an invited paper for a special issue of an obscure regional academic journal. That was when I was one of a tiny handful of (X Academic degree holders) working in (X Field). I was not working in research when I wrote the paper. I wrote in a chatty bloggish fashionahead of my timeand filled the paper with silly metaphors and cute turns of phrase. I hate that paper.

To make matters worse, someone at the low-cost self-publisher of this journal retyped the manuscript and turned my silly paper into an illiterate paper. The rights are apparently now owned by a major academic publisher. I accept silly as a side-effect of spontaneity. But I fancy that I do know how to write in English, and am particular about English words. I had consoled myself that very few people would ever find this paper due to its low print volume and being regional, applied, low topic interest, etc. Now it is prominent in my search results, possibly due to the prestige of the new copyright holder. Get it? The context is all switched around. The non-digital becomes digital, the low profile gets acquired by a higher profile.

“Freak!”

I have been careful in the past not to flame (public) distribution lists and to avoid posting irresponsible digital content under my name. But now that things are being scanned in from the printed pages of prehistory, and who knows, the entire contents of (Former Employers) backup server archives???.... It’s not skeletons in the closet; it is zombies that will keep me up at night.

There are so many new considerations now. One of my search hits lists my political contributions, with a map to my house! Both of those things ought to be public knowledge, but also in theory, they ought to have been hard to find and they would have been in separate files. Someone would have to deliberately look for them; but no, not now. Now this information is a published portrait.

I read in today's New York Times that the entering administration is asking cabinet candidates to include their Internet nicknames on their background applications. http://www.nytimes.com/2008/11/13/us/politics/13apply.html?nl=pol&emc=pola1 Think of the intemperate things you may have said behind the supposition of anonymity, just in the area of opinions, letters to your representatives. Sure, you tried to frame them reasonably, but admit it—for about half of us those opinions may have a careless statement or two in them.

We have sensed that privacy was dead for a long time. But I didn’t really think I was a particular person whose privacy was dead. I thought I was too obscure, like that journal. I thought I could manage my public persona. That was an illusion.

The experience makes me want to hide forever behind the firewall of Intel with my Information Security friends in black hats standing guard around my cube. In addition to keeping me compliant, they would make sure I don’t say anything stupid. Word to the wise...you do know that your face is a pattern that can be searched anywhere, don't you? http://news.nationalgeographic.com/news/2007/01/070105-photo-search.html For most of us it is too late to take that pattern back from the public domain.

I didn't intend to sign up for the “I don’t care” club. I do care. But I did sign up, a long time ago. The meek shall indeed inherit the earth, by not having said anything. Now I know what "meek" means and why they will inherit the earth.

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Here is my Fortune Cookie advice for September:

In information security, like in sports, knowing your adversary is far more important than knowing the condition of the field.

Information security is an adversarial pursuit. It all begins with threat agents, those people who will negatively affect your organization. Some are malicious, others are not. The key is they are living, breathing opponents whose motivations drive actions which cause loss. They learn, adapt, and change as they seek their objectives.

Know your threats. This is an important first step. Knowing all your vulnerabilities is fine, but secondary in importance.

For those who are malicious, understand what they target and the likely methods they will employ. Only then can the vulnerabilities be narrowed to show the most probable exposures. This prediction gives the security professional a focus on what to protect, how best to monitor, and preparations necessary to respond when needed.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

Deconstructing Cyber Security Attacks - Threat Model

Defense in Depth Information Security Strategy

Recently, security expert Bruce Schneier expounded security ROI figures were meaningless! Is it true? Well, yes and no.

The brutal truth.

Well respected information security expert Bruce Schneier recently provided a stark opinion regarding the value of ROI's.

Follow this link to see the story:

http://www.zdnetasia.com/news/security/0,39044215,62037905,00.htm

In brief, Bruce stated security because numbers can be manipulated to justify anything.

He explained that the amount spent on a product can change significantly by simply playing with the equation.
"If the chance of you being attacked is one in a million and I change it to one in two million... I have halved the amount of money you should spend.
"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Tell me it is not true!

I believe Bruce is both right and is delivering a message which is a little incomplete. His general message is accurate and shocking enough to garner the right level of attention. Most of the information security ROI's I have read were speculative, could not be validated, were impossible to reproduce, and had great latitude to provide results which benefit the desires of the author. Nowadays audiences are being provided ‘information' under the auspices of ‘fact', when in reality they are more of an opinion. Such valuation assessments are based on qualitative data versus quantitative metrics.

I blogged about the The Problem of Measuring Information Security back in August 2007

Awareness must be raised. I applaud Bruce in helping to make this happen. His message, as brutal as it sounds, is bringing to light a shadowy area in our industry. I think the follow-up message for audiences is to scrutinize and apply common sense to any ROI they come across. Understand the methodology and if it makes sense in their context. Lifting the curtain can quickly reveal a puppet master pulling the strings to artificially show value.

Like Bruce, I too have a jaded perspective. I have seen some WILD ROI's. Much of what I have read from security vendors is pure folly. However, just because most are fiction, it does not mean all methodologies are without merit.

Intel published a Whitepaper - Measuring the Return on IT Security Investments which is applicable to some situations. This method, far from being a silver-bullet, is a good start and has proven its truthfulness.

For any method, the accuracy should be scrutinized. Can it be validated, repeated? Was the method exclusively developed solely for self serving purposes from someone trying to sell something shiny? Does it make sense? These are the questions I ask myself.

On the bright side, many bright sharp people are working very hard to make the industry better and develop more rigid processes to insure both accuracy and confidence.

In the end, there is much work to be done in the information security valuation space. In the meanwhile, savvy consumers should be aware of the challenges and dive deeper into prospective ROI's and determine if they are ‘meaningless'.

I was recently asked to pull together a quick list of key information security learning's for Mergers & Acquisitions (M&A). This year I assumed responsibility for information security of Intel's M&A programs. M&A work is typically frantic, unpredictable, and ambiguous, involving the brightest engineering and integration management talent. It demands great flexibility and willingness to rapidly adapt creatively to emerging problems. This work is basically a recipe dreaded by us entrenched security types, who like the controllability of consistent, predicable, and structured activities. It can press the boundaries of good security practices and test the mettle of the strongest security organizations.

Top 5 Key Learning's for M&A Information Security

1. Security does not happen by default. As the complexities of divestitures emerge, smart people aggressively move to solve problems and security is likely not a consideration. Information Security must be involved both at the early planning stages and stay engaged until the last tactical maneuver is completed

2. Profiling the data is key. Knowing what data is involved, it's sensitivity, who has logical/physical access, and where it is physically located is necessary. It will be needed to insure regulatory, legal, and IP confidentiality protection

3. Technical and Behavioral considerations must be incorporated to prevail. Neither must be ignored, and in most cases the combination must be applied to every issue where information security is at risk. A security savvy M&A team is the first step to highly effective results

4. Logical and physical security aspects cannot be separated. Information security professionals can easily overlook the physical security factors which can jeopardize the confidentiality, integrity, and availability of the business just as logical based threats

5. Great attention must be paid to data retention, transfer, and destruction. ‘Deal data' can be a vague and changingconcept which may be interpreted differently over time, especially in larger deals. Understanding the scope, expectations, and commitments is a necessity

After reviewing the list, I had an interesting observation. It occurred to me there was a glaring omission. The unwavering support of information security by management is absolutely crucial. To be honest, I left it out as I am spoiled. The Intel culture and chain of management is very supportive of information security. So for those of you less fortunate, add it to the list.

Feeling a little M&A&D...or, blogging on IT aspects of Intel's mergers, acquisitions and divestitures programs

Measuring the value of information security programs is difficult and a problem for the entire industry. In the second of the three part series, Intel discusses a practical approach to determine value of information security initiatives. Intel security professionals Tim Casey, Enrique Herrera, and Matthew Rosenquist discussed the success of Intel’s security value methodology outlined in the Whitepaper - Measuring the Return on IT Security Investments

Listen to how Intel utilizes this strategy as one means to measure the value of security programs. The whitepaper is available for download.

The 30 minute discussion can be replayed here:

The last of the three part series, Future State of Security Measurement, will occur on Wednsday June 4th. Everyone is welcome to participate or just listen in. Details can be found here:

http://communities.intel.com/openport/blogs/it/2008/05/12/how-do-you-measure-something-that-doesnt-happen

Good security conversations benefit all involved. The more we share, discuss, and challenge each other, the more we advance our industry. Thankfully, I have the benefit of working closely with a brigade of information security professionals and we banter at every opportunity, for the sheer pleasure and insights. In that same spirit, we hosted our first Blog-Talk radio session. This was a general discussion of the problems of measuring security.

The 30 minute discussion can be replayed here

Two other internet chats are planned. Everyone is welcome to participate or just listen in. Details can be found here.