Archive for February, 2010

Quick thought: RSA next week!

February 26th, 2010

I have been insanely underwater for the last 2 weeks, so haven’t posted anything despite my best intentions. I am still buried, but wanted to post a short note about RSA next week. I will be there all week, and I’m looking forward to meeting up with everyone. I am still planning my agenda in terms of specific talks to attend, but at first glance there’s some awesomeness, and here’s what I want to check out just in terms of topics:

  • Data breach lessons learned: We need more “from the trenches” stories and data, and I personally will be looking for more of these.
  • Shifts in security technology: In particular, advances in DLP and movement toward application whitelisting and away from traditional “blacklist” AV.
  • Advances in virtualization and cloud: I would like to see some good, definitive solutions and thoughts here this year instead of mostly hype. I think I will, since I know things are progressing in the industry.
  • New directions in compliance and privacy/breach notification: Just to keep up, more than anything.

I’ll also be scouring the vendor area for good info, too – last year was wretched. Just nothing new or interesting that grabbed my attention, not to mention the lack of people at the conference in general.

See you there!


5 Reasons Your Security Program is a Failure

February 14th, 2010

So, much like any other security consultant, I see a lot of the same things across organizations with regard to information security. Some good, some not so good, some horrifying. Here’s a succinct list of the top 5 things I see consistently which I believe contribute to infosec program suckage.

  1. Politics: If the security organization is impotent due to political issues, and has no a) budget, b) support from executives and business unit management, and c) plan, it is very likely doomed to failure.
  2. Lack of monitoring capabilities: We need more eyes and ears. From NIDS to HIDS to File Integrity Monitoring to Network Flow Analysis to Log Management, we need a better approach to what is happening in the environment. Not only that, but too many organizations buy stuff and forget about it – if you don’t have daily SOPs around your monitoring tools and capabilities, you will end up with shelfware, and that just sucks.
  3. Lack of technical skills: Way too many infosec folks are happy to slap that “CISSP” on their business cards or email signatures. Great. Can you actually DO anything though? I truly feel that a base skillset for anyone in infosec operations has to include some scripting, firewall and router ACL creation and management, a grasp on scanning and vulnerability management, patching and configuration management skills, reading and understanding packets, and responding to incidents. Sure, there are specialties. But who gives a $*@ about your cutting edge Appsec skills when no one on the team can even lock down a box appropriately? C’mon. And you managers who hide behind “policy” and “governance” and go to 10 meetings a day to keep looking busy? Heh – chances are you suck. The day is coming when you will, and should be, obsolete. Yeah, we’re all trying to be better “business people”, but you still need to have a technical skill set to even PRETEND to keep up with this game.
  4. Focus on the “cutting edge”: Got Web app firewalls? DLP? Awesome! But if you have no system hardening program, or lack a robust patch management process, you are really missing the boat. It’s been consistently proven that the basics like patching and config management, when implemented and maintained rigorously, could have stopped a vast percentage of data breaches. One exception – the time for whitelisting has come. Death to blacklist AV!
  5. Managing to compliance: Sad to say, but I have seen this really emerge in the last 3-4 years. Organizations are stopping at the check box. And that’s a tragedy, since we all know that compliance != security. I say that with a hint of sarcasm, since it’s pretty damn obvious that we all DON’T know this, or people wouldn’t be doing things this way.

Not a complete list, at all. Just the major things I see consistently across organizations in pretty much every vertical.


Who Should Infosec Report To?

February 4th, 2010

I’ve been thinking about governance a lot lately, probably since I’ve been working with consulting clients at various stages of security dysfunction, and it has become OBVIOUS that governance plays a big role in how security “gets done”. This is not a new debate – most of us in the security industry have worked at a variety of organizations, some of which report to a genuine CISO or CSO, others who report to a VP of IT or CIO, some who just “float” in the IT department or elsewhere. Here’s my general feeling today, though, and it may come as a surprise to some:

Information Security should not report to IT.

Before the ever-cynical infosec crowd stops reading and throws this out the window, let me explain why I feel this way. Information security really has several key functions to perform – security operations (in whatever capacity that may take), security audit and analysis (could be related to compliance, but also ensuring policy is set and followed), and security-related governance, i.e. working with the entire organization to ensure information is protected with input from all business units and departments. Did you catch that last part? It’s important.

When infosec reports to IT, it is, in essence, aligned with IT. It is tied to IT budgets, politics, reporting constraints, other priorities, etc. This is exactly wrong. With organizations’ data rapidly becoming the most important asset (behind their people, of course), the need to impartially manage the security and risk mitigation of that data should not be tied to IT…nor ANY ONE GROUP. What this means, in the most simple fashion, is that it is time for information security, with or without an official CISO or CSO, to report directly to the CEO and/or the board (preferably the latter). Here are a few common places I see infosec reporting into, and the most obvious pitfalls that relate to this governance/org structure:

  • CFO/Finance: This is not too common, but I’ve encountered it a few times. The benefit is that you don’t report to IT, so the organization likely recognizes the potential conflict and/or need to separate information security from the larger quagmire that is Information Technology in general. However, CFOs have their own agendas, and although they may align with the organization as a whole in most cases, not always. Sometimes, CFOs can’t see the forest for the trees, and become blindly focused on saving money at all costs. This doesn’t jive with the world of information security, where you may well need budget unexpectedly due to changing threat landscapes.
  • IT VP/Director/Manager: The most common case. I’ve already explained why this should change, but another point to consider is the mysteriously self-serving nature of IT organizations. Although they talk the talk about “supporting the business”, many IT professionals could honestly care less about business issues, and just want to play with the new toys. Bad, bad, bad for security in so many ways.
  • Internal Audit (VP/Director): This actually tends to be the most closely aligned with the CEO/BoD in quite a few cases, as the internal audit department usually has some degree of impartiality. However, there’s a big caveat. Many audit departments have compliance at the top of their list, and compliance != security, as we all know. The biggest pitfall here is shortchanging security initiatives when they’re halfway completed since the checkbox is already checked on the auditor’s list.

I’m not much of one for absolutes, in just about anything really, but I am 100% behind this one. We need to see this trend happen – CISOs and CSOs need complete severance from ANY one group in the organization, as they have to work with them all. Closely aligned with much of IT, yes. Under its thumb? Not just no, but hell no.

PS – For the most hilarious security org chart EVAH check this out:
