Author Archive

What’s our Policy on That?

Companies of all sizes continue to struggle with information security policies and other rules designed to help protect their information. In 30 years of information security practice, some issues come up time and time again that contribute to the problem of inadequate information security policies. While few would argue against the need to have actual policies about information security, often that’s where the agreement stops. The concept of having policies, defining them and enforcing them is often more than a little controversial for many companies.

Most information security policies evolved out of the old familiar “do’s and don’ts” set of rules. Oftentimes the do’s and don’ts were the least controversial of policies and included such things as guidance on what not to say in an e-mail, how to handle confidential company information, what usage of the Internet is permissible, and so forth. Too often the do’s and don’ts policy was a clone of an article from a year earlier in an HR manager’s journal and has received almost no attention since then. Companies often lack the resolve to use the do’s and don’ts policy as a basis for disciplinary measures of any kind, let alone as the basis for termination. However, the one thing the do’s and don’ts policy did enable everyone to do was to righteously claim, “Yes, Boss, we do have an information security policy.”



RIM or Precipice

News of RIM’s apologies concerning the multiple-day outage of its services beginning Saturday morning, October 8, illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case). However, when dealing with enterprises that purchase services in mass quantities as part of a broader strategy of delivering services to their customers through a well-equipped employee base, the reverse is true. RIM had remained silent for five days about the details, causes – and most importantly – the estimates for remediation of this outage. This is inexcusable for anyone offering an enterprise-class product.


The Morgan Stanley Data Breach Smear

News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers’ information. This is followed by carefully worded statements from “spokesmen” for both the company and the other parties to the debacle. In this case the other party was the New York State Department of Taxation and Finance. Then dozens of news outlets pile on, after doing no digging whatsoever to confirm the facts.

Morgan Stanley claims it has information or evidence showing that a package it sent to the New York State Department of Taxation arrived at its destination “intact.” How it knows this has not been discussed publicly. Regardless, the CDs are now unaccounted for. The New York Department of Taxation stated, according to the website, “if Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened.” This implies that Morgan Stanley followed poor practices when securing the data it sent. But later in the same article it is revealed that “while the Department of Taxation and Finance does now have a secure pipeline that allows for encrypted data transmissions, they didn’t ask Morgan Stanley to use the application because the software ‘was not fully implemented until after the request for annual data was sent.’ ” [emphasis is mine] These statements are attributed to New York Department of Taxation and Finance spokesperson Susan Burns. In fairness, the website did not use quotation marks around the “if Morgan Stanley had bothered…” comment, so that bit of editorial confusion may have been cooked up to spice up the story.

In general, when private companies send data to the state they are compelled to do so. The format, timing, and security (or lack thereof) are all part of the state’s command to send data. For example, if the data were to be encrypted, then a scheme to protect the keys and transmit them for decryption would have to be agreed upon. This would be explicitly true for the use of, say, AES-256 encryption in WinZip or another encrypting program, and implicitly true for the use of TLS to encrypt a channel over the Internet. Either way, the state makes the rules. If Morgan Stanley used, say, Microsoft Office Excel password protection to secure the data, that was most likely because that’s what the New York State Department of Taxation and Finance insisted upon. This is probably why the commentary coming from New York State has been relatively mild and has not unequivocally pointed the finger of blame at Morgan Stanley. After all, it appears that at least some of the data sent to the NY State Department of Taxation and Finance has not been secured according to NY statute for at least five years. Probably budgetary pressures.

In this case the law in question is the New York Information Security Breach and Notification Act (ISBNA). It appears that both Morgan Stanley and the New York State Department of Taxation and Finance are in fact covered by the ISBNA, which was originally enacted in late 2005. However, upon review of New York State Technology Law Section 208 (the part of the ISBNA that pertains to state agencies), it appears that what happened to the CDs from Morgan Stanley was not, in the eyes of New York State, a “data breach.” Here is the definition of “breach of the security system” contained in State Technology Law Section 208: “Breach of the security system means an ‘unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.’ ” So the breach was not a breach, and it appears that Morgan Stanley and, reluctantly, the New York State Department of Taxation and Finance have decided to notify taxpayers in New York out of an abundance of caution. Please note that no one is congratulating Morgan Stanley for taking the high road in its ongoing compliance with New York State law. It didn’t have to notify its customers, but it chose to anyway.

The moral of this sad story is that when it comes to suspected data breaches, companies are damned if they do and damned if they don’t. A company like Morgan Stanley, which has an excellent technology infrastructure and a reasonably good track record when it comes to protecting information, will be tarred with the same brush used on companies like Sony and others who arguably turned a blind eye to the protection of information in their care. You have a good reputation until you don’t. The moment your good reputation expires is chosen by people you have never met, who have only sketchy access to the facts and who then twist those facts to their own advantage. Welcome to data breach notification, United States style.

[Author’s Note: I have no inside information concerning this incident and have not included any proprietary information in this blog.]


Remove “Risk” from Your Writings, Part 1

Five months ago I wrote in these pages a blog entitled “The Death of Risk.” It was a rant against the recent developments in banking, which have featured fat-cat bankers up to their ankles in the “moral hazard” miasma, happily collecting their bailouts and bonuses from the overburdened taxpayers. The “mortgage meltdown” combined with the subsequent “credit crisis” happened mostly because a few bankers knew their firms were “too big to fail” and took advantage of this insight. I called it “the death of risk” because one of the things we all count on in information security is that the inadvisability of taking inappropriate risk is an almost universally accepted principle. It is not good to “bet the company” because that is usually an inappropriate risk. Some companies have gone out of business because their security was inadequate. But when Lehman Brothers or Bear Stearns went down, it was because somebody else bet the company and then got surprised when they didn’t get bailed out. Risk is everywhere, and coping with it is a major preoccupation of a legion of analysts, from economists to CISSPs.

Now comes Donn Parker, one of the preeminent researchers and thinkers in information security, who may have taken the idea of the death of risk a little bit too far. Parker writes in a recent journal article:

“Think of security as a necessary overhead cost of doing business just as are facilities management, legal, audit, human resources, payroll, and accounting, and like the other overheads, it does not produce a return on investment (The return of savings from expenditures for security is unknown since the incidents that would have caused the savings did not occur.) I suggest that you gradually limit the extent of your risk assessments and reporting to meet only the minimum requirements of the law and regulations and remove the word “risk” from your writings, job titles, and job descriptions.”

[emphasis mine] Aaaaaaacckk! (That was me running screaming from the room!)

The article appeared in last month’s issue of The ISSA Journal, volume 8, issue 7, page 12, entitled “Our Excessively Simplistic Information Security Model and How to Fix It.” The main point of the article is Parker’s proposal to expand our traditional “CIA” model (confidentiality, integrity and availability) into the new “Parkerian Hexad,” in which he introduces three additional attributes or objectives of security: utility, authenticity and possession. He explains why these three new attributes cover things that weren’t covered before and how they complete the model of information security. Parker also adds many new types of controls (yes, Virginia, prevention, detection and correction are not enough anymore). And he also proposes new objectives for information security, including: avoidance of negligence; an orderly and protected society; compliance with laws, regulations, and audits; ethical conduct; successful commerce; and competition. The problem is, these new objectives replace risk reduction. Unfortunately, “removing risk” from the definitional model of information security is impossible and absurd, and to advocate it throws our whole profession on its ear.

There are many things in Parker’s article that I agree with. The three new attributes he proposes can be shown to relate to “CIA” in a very complementary way. As the velocity of information through our systems and networks continues to accelerate, we will very likely see more instances in which a breach of possession occurs while confidentiality is unaffected, availability is fine but utility is impaired, and integrity is intact but authenticity is revealed to be bad. Parker’s point here is that we have oversimplified the things we are striving for, and in so doing have missed important elements. However, Parker’s arguments against risk are themselves simplistic and rhetorically throw the baby out with the bathwater. He mostly rails against the calculation of aggregate risk for a company or organization and notes, quite correctly, that the actual risks from disparate and ostensibly independent threats may in many cases be highly correlated, yet we have no idea exactly how they interrelate. Parker correctly exposes the computation of aggregate risk for a company – or, for that matter, the combination of precise risk results from dissimilar threats (say, the sum of the ALEs, or annualized loss expectancies, from airplane disasters and earthquakes) – as at best intellectual adventures or, worse, dangerous illusions. But “remove risk from your writings”? No way does that make sense.

In the late 1970s Alfred Kahn, an economist from Cornell University, once intemperately referred to a potential outcome of unwise policy as likely to lead to a recession, or a deep depression. White House advisors to President Carter objected, and thereafter Kahn promised never to refer to a “recession” by name. He later jokingly said to reporters that while he could not comment on the likelihood of an economic downturn, he could talk about a “banana.” Later, he changed the fruit to a kumquat after a large banana company complained (I’m not making this up…). What are we to do without “risk” to talk about? The ideas of active acceptance of risk, residual risk, and inappropriate risk that we have worked so diligently to nurture are good, and we benefit from that common language. Risk is important…no, it is crucial. Without it we are simply mumbling about the abstruse. If I start talking about an orderly society and ethics, as Donn Parker argues in his article, I’ll use up all of my boardroom time slot explaining terms, and then my controls proposal will get voted down because no one will have a clue what I’m talking about. In the movie “Ghostbusters,” Egon describes the elevated amount of psychokinetic energy in New York as a “Twinkie 35 feet long, weighing approximately 600 pounds.” When your latest pen test report discloses multiple severity-one exposures and shocking unpatched vulnerabilities, instead of referring to this as inappropriate risk, you can quote Winston Zeddemore from the movie:

“That’s a big Twinkie.”

In part 2 of this blog, I’ll talk about why I think risk has an undeservedly bad name, what problems have emerged from the careless use of risk terms, and how to deal with all of this in a way that helps your program. If you are busy “removing risk” from your writings, at least turn “Track Changes” on so you can get it back later…


Tylenol Redux — Institutional Amnesia

In 1982 a crazy person put cyanide-laced capsules in several bottles of Tylenol painkiller and put them back on the shelves of drugstores for sale. Several people died or became ill as a result. I’ve often talked about this case, primarily to highlight the wisdom of dealing with crises proactively to minimize the potential damage. In 1982, we had not yet had a case where toxic chemicals were placed into over-the-counter bottles with such dramatic effect. There was no precedent; no one knew what to do. But the McNeil company, maker of Tylenol (now a subsidiary of Johnson & Johnson), didn’t let that stop it from mounting what in retrospect still appears to be one of the most adroit crisis responses ever undertaken by a company facing a threat to its very existence.


Archive Everything Forever, Part 2

In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication. At the time, they told securities firms to “archive everything forever,” which of course at the time no one had any idea how to do. We also discussed how regulators had been essentially behind the curve on the monitoring of electronic communications, and how this has led to what could be perceived as an overcorrection by regulators trying to get a handle on communications by people involved in the securities industry.

No one really disputes that there is a legitimate government role in monitoring securities markets for inappropriate activity that could indicate a breach of insider trading and other arcane securities laws. The problem is, with the multitude of communications channels now available to every employee and every relative of every employee of every securities firm, firms and regulators face a daunting task in the monitoring of communications. When I started my employment at a Wall Street firm, one of the things I had to do was register all of the open securities accounts in my name. Six weeks later, I was called into the office of one of the compliance officers of the firm and asked to explain why I had omitted a particular account. Surprised by the existence of this account, I explained that apparently it was an account created by an overzealous commodities account rep hoping that I would become an active commodities trader. The balance in the account was $0.62 in a gold fund. Despite the small account balance, it was a dead serious meeting with the compliance officer. Basically, he had grounds to fire me for misrepresenting my list of registered securities accounts. Only when I offered the lame excuse that I did not know the account had been opened on my behalf, and that there was no activity in the account whatsoever other than the opening balance, was I let off the hook with a warning. At that firm, as is true with most securities firms, one may only have an account that resides at the firm and that is subject to the intense oversight of firm compliance officers, who regularly check for activity in sensitive securities. For example, say I decide to buy 100 shares of Cisco. For an employee at the firm, a few days might elapse and then a call might come from the compliance department saying, “You know that trade in Cisco last week? Well, that trade never happened.” This would be a sign that there was likely some transaction involving Cisco being managed by the firm, for which any activity by a firm employee in Cisco could be viewed as suspect. No one grateful for their paycheck at a securities firm really argues about this kind of enforcement.


Tips to approve Security Business Projects – James Anderson at RSA 2010

At RSA 2010, James Anderson, executive security consultant at Emagined Security, gives me insight into his session, “Security Business Cases – Fact and Fiction in Selling Security.” More specifically, we talk about the following:

  • Steps to walk through in creating a security business case to get approval for your security project and hard versus soft benefits
  • [3:43] Tips on creating the business case
  • [5:43] Key flaws in logic when people present their business case
  • Where security risk analysis plays a good role to build your case
  • [9:14] Examples of where security can be tied to revenue
  • [12:28] Examples of security adding value which don’t fall directly into the hard or soft benefit categories
  • [15:35] Recommended resources for learning more on these topic areas and where he would like to see the industry go.  How you can tell a CISO is good.

The Death of Risk

My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A, Weds at 1pm, Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security. Donn has been at the forefront of thinking about information security since the 1970s, and he is used to being ignored by all types of people who either don’t get it or haven’t figured out a way to exploit an idea for profit yet. Sometimes his rants can seem quixotic, but they almost always look prescient after the fact. Here is an example. Donn is not saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum. I agree…mostly.


Archive Everything Forever, Part 1

What do the Chinese Communist Party and FINRA (the Financial Industry Regulatory Authority) have in common? They both want to control and/or censor all communications by their communities. In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or whether Google gets to do business in China without shame. In the case of FINRA in the US, this affects whether registered representatives and their financial firm employers can use social media unfettered. Free speech? What free speech?

Recently, FINRA announced that financial firms are responsible for “monitoring” and “archiving” all communications on social media sites such as Facebook and Twitter by people in their employ. This mostly targets registered representatives: those authorized to trade securities for their firms or their clients, or who advise individuals about securities and financial markets. In fairness, FINRA’s guidance sounds pretty reasonable: “supervise the use of social networking sites to ensure that recommendations are suitable and their customers are not misled.” And they also state that, “FINRA does not endorse any particular technology to keep such records, nor are we certain that adequate technology currently exists.” OK, fair enough. But what to do?

This reminds me of deliberations I participated in back in the mid-1990s, in which the security and operations people in regulated financial firms were told to “archive everything forever,” as a kind of “shot across the bow” by regulators frozen in the headlights of the exponentially growing phenomenon called The Internet. No known technology then satisfied “archive everything forever.” But that didn’t stop the regulators. There has always been a requirement to archive communications made on paper. Later, it was realized that a lot of faxed communications might be bypassing postal mail-based controls. Later still, recorded phone lines were required (creating a kind of “hot line” class of phones within trading rooms – if you needed to make a personal call, better use a pay phone or a big, clunky cell phone like the ones used by the “LowScore Band” in those commercials), which generated lots of coping behavior among those who needed to communicate regarding non-firm business. Trouble is, as was well documented in the original “Wall Street” movie (Oliver Stone plans to release the sequel to the 1987 classic this year), fraudsters could still escape monitoring by using the same coping mechanisms. Remember Charlie Sheen breathing into his phone, “Blue Horseshoe loves Anacot Steel”?

This also evokes memories of a case I worked on early in my Wall Street career. A young trader had posted a comment on a Yankees bulletin board (now there’s an arcane term for you in 2010…) in response to an inappropriate posting of a credit card offer on the same board. The credit card offer was not in any way illegal, but it so angered the young trader that he posted an expletive-laced rant about how “this board is for Yankees fans,” etc., etc., from his firm email account. We got five or six sternly worded complaints from people, some of whose children were users of the Yankee-fan board themselves, who were worried that our firm would tolerate such language. OK, personal speech by a trader on his lunch time. But: using a firm-provided and firm-identified email origin. This damaged the firm’s reputation. The young trader even said to us, “I knew I should have waited until I was home,” to make the angry post. He was not surprised to be fired. Fast forward to today, though. The distinction between personal and firm-identified email is way fuzzier. Could someone have researched the IP address used for a typical HTTP session and linked the firm with the bad language in the same way? Maybe. Would the firm arrive at the same conclusion about perceived damage to reputation? Seriously open to question. This vivifies the problem regulators face today, though it has nothing to do with fraud.

“Archive everything forever” was a great example of the kind of clueless regulation securities professionals have faced for a long, long time. Remember, this statement came at a time when Bernie Madoff was probably into the second decade of his little scheme, and the SEC had already conducted its first investigation of Madoff Securities and found nothing untoward. The problem really is, in today’s climate of “get the greedy bankers,” it is likely that regulation designed to prevent fraud will get more draconian and less effective. What’s called for is for banks and securities firms to take the initiative and provide tools to their employees and agents to help keep everybody out of trouble.

The answer, I think, is found in emergent information technologies today. Information security has reached a great watershed in its evolution from preventive, inwardly focused tools to externally focused, product- and value-enhancing tools. I foresee a day when it will truly be possible to differentiate firms by the security they demonstrate, not just by dubious self-assertions. In Part 2 of this blog, we’ll develop this idea more completely.


What We Learned About Security in 2009

2009 was a tumultuous year for the country, the economy, and for many information security programs and professionals. Although Forrester’s Andy Jaquith (Twitter @arj) surveyed security practitioners in March and came to the conclusion that three out of four programs had not been cut, my own experience talking with colleagues and clients over the year has been different. Many organizations have severely cut back, decided not to fill open positions, or otherwise limited financial resources that might otherwise have been available to information security functions. There’s nothing wrong with this; organizations and economies ebb and flow, and practitioners and leaders in information security need to be ready for the inevitable cutbacks, just as they prepare for and advocate for important new initiatives.

But we did learn something very important about information security in 2009. How firms and their senior leaders internalize risk and make decisions about risk was in many important ways laid open to public view in 2009 in a way that has never before been possible. When discussing risk management programs in the past, I’ve always pointed to the financial industry, with its chief risk officers, chief investment officers (the other “CIO”) and generally sober and serious approach to all things risk, including audit and compliance, as the paradigm for risk management. But in 2009 we found out that this was not necessarily true. Senior managers throughout the financial industry made risky decisions, “bet the farm,” and otherwise increased their firms’ exposure way beyond the levels of risk typically underwritten by information security departments, and did so in the face of clear evidence (clear now, with 20/20 hindsight, I admit) that a crushing downturn was coming. Several senior leaders are no longer in their positions, in part because of the fallout of these decisions and the general leadership style that ignored or winked at this risky orientation. And all of this against a backdrop of what have been argued to be unjustifiable compensation packages, given the poor performance of many financial institutions (car companies, too) and the resultant taxpayer bailouts that took place.

What wisdom should we take from this? I believe information security professionals have been given some of the best data points yet available about how firms and senior executives are likely to internalize risk that affects their organizations and their organizations’ major stakeholders. This should influence how we communicate about information security risks and other risks inherent in the information technology function. Many senior executives were paid for taking too much risk – and paid very, very well for it. The upshot of the mortgage meltdown, credit crisis, and resultant economic malaise is that unless organizations change dramatically, a risk-based approach to persuading business leaders about the advisability of implementing new information security controls and tools is less relevant and less likely to succeed than ever before. In short, it’s not enough to frighten them about the implications of the big breach or the potential expense of a forced remedial compliance effort after some other security incident. The way senior leaders behave toward security and other technology risks – which are far more esoteric and difficult to estimate than the kinds of financial risks that have brought down some of Wall Street’s biggest names – is likely to be even more freewheeling with corporate resources than ever before. I reiterate that this conclusion depends on a general continuation of the trend toward more aggressive risk-taking with company resources. If something happens to change the culture of how organizations view risk and accept risk on behalf of the firm, its shareholders and other major stakeholder groups, this could turn out to be an incorrect conclusion. However, there is no evidence whatsoever that the incentives for taking excessive risk have lessened, nor do we see increases in the penalties and disincentives for taking too much risk or for bearing the inevitable losses that will take place with too much risk. No, it will become easier – not harder – for managers to say “we can’t afford that level of security,” or to say, “We’ll run noncompliant for another year and see what happens,” after you present the implications of not being compliant with PCI again this year. There is simply nothing to counterbalance the tendency for organizations to take too much risk and let others underwrite the losses. In fact, what used to be “career limiting decisions” in the vein of accepting too much risk are now clearly in the realm of “moral hazard.” Top executives make so much money today that if something bad happens on their watch, they simply retire and go into consulting. Or maybe someone will bail them out, too. The millions they’ve been paid in cash and options will more than easily sustain a comfortable retirement, even for the yachting crowd. And about those “clawbacks” (of excessive compensation) we’ve heard about: the inevitable litigation will likely be almost as painful as the losses themselves, so we won’t see many of those either.

As a profession, information security must get better at defining and quantifying the risks inherent in not attending to information risk management. Simultaneously, we must continue to shift the emphasis from a risk-based justification for information security to a revenue-based justification. If the 1990s were the years of “information security enabling the business,” then the decade just completed has been about learning that enablement wasn’t enough. And the decade to come will be the one in which information security managers will be forced to take their place among those who generate revenue for the business, and in so doing closely align information security with the products, services and customers of the company.

I’ve always advocated that information security managers keep a fresh copy of their resume at home. This is less humorous than it used to be. Information security managers are increasingly the “designated scapegoats” for the kinds of breaches and losses that are all too frequently occurring in IT today. But if there continue to be no real barriers to the moral hazards of accepting too much risk on behalf of shareholders, and senior executives continue to be paid handsomely for short-term revenue, profit, and stock price objectives, then selling security based on risk alone will become “old hat” this year.

Here’s to a new year filled with new assurances that the vital information we manage is well protected against the increasing threats to it.  With that I know we’ll all have a very Happy New Year in 2010.
