Archive for the ‘Enterprise Security’ Category
Paul and John talk about Security Policies and Procedures. They discuss the most fundamental parts of policies and procedures: the most difficult to implement, but the most important to the structure of the enterprise. Full Show Notes: visit http://securityweekly.com/esw for all the latest episodes!
The post Security Policies and Procedures – Enterprise Security Weekly #56 appeared first on Security Weekly.
Recent corporate breaches have taught us something important — the average enterprise user is spectacularly bad at choosing good passwords.
As the modern enterprise becomes a hybrid organization, with infrastructure spread across on-premises data centers and the cloud, the security of information, applications, and assets has become a paramount concern.
Cyber security is no longer an
Posted in best password manager, Cyber Attack, enterprise password manager, Enterprise Security, ManageEngine Password Manager Pro, password manager, Password Manager for Enterprise, password security
In my last blog post, I posed the concept of Cyber Risk Appetite as something that all organizations need to consider today. I used the analogy of a balanced diet of risk: taking some risks to keep the business growing while avoiding so much risk that the business becomes bloated. The objective is to maintain a healthy business. If I may, I would like to take the analogy one step further. One factor to consider when you look at your own appetite, or intake of food, is how much energy you expend on a daily basis. If you have a tremendous appetite, you can counteract the number of calories you ingest with a balance of physical activity. Yes, I am talking about exercise. This analogy helps illustrate the "cyber risk appetite" equivalent of exercise.
As your organization implements new technologies, extends to new markets or launches revolutionary business processes, risks will be inherently present. It is unavoidable. Based on your appetite and your risk tolerances, you then determine what you need to do to manage that risk – implement security technologies, modify processes, assign ownership, etc. Your cyber risk appetite will directly impact how much you will need to think through controls. In other words, BIG risk appetite = BIG exercise plans.
The conversation with the business, described in my previous blog, about how technology propels business strategies and what level of cyber risk is tolerable should be followed up with the exercise discussion. Meaning: when the business states that it has a big appetite ("we want to move fast and will accept risks"), the response must be "then what is your exercise plan?" Exercise requires commitment, time, energy, willpower and typically some type of equipment. You may not go out and sign up for daily boot camp classes, but a haphazard exercise plan is not going to cut it if you let your appetite run rampant.
In today's hyper-fast market, the business may need to go down a path that makes traditional, risk-averse GRC or security teams cringe. First, that reaction is natural. But more importantly, that instinct is necessary. Without that automatic response, a company can overextend its risks and head down a dangerous path. But once that innate aversion to risk subsides, an organization that understands that the market forces pushing it toward risk must be balanced by the effort of exercise can focus on what is prudent to manage that risk and proceed with caution, but proceed nonetheless.
Just like maintaining a balanced diet of risk is necessary to maintain a healthy business, a disciplined exercise strategy is critical for the business to stay fit. Risk and security strategies that result in a coordinated, consistent application of controls throughout the enterprise will ensure that even if the business falls off the wagon and munches on an occasional snack food, there is a safety net of exercise to offset those extra calories.
In his January 2016 Cryptogram newsletter, Bruce Schneier reprinted an essay on "normalization of deviance": the process of divergence from defined policies and procedures into increasingly risky practices. Explored in detail by Dr. Diane Vaughan, as well as by other researchers and practitioners seeking to explain catastrophic failure events, it bears great relevance to cyber security: "The point is that normalization of deviance is a gradual process that leads to a situation where unacceptable practices or standards become acceptable, and flagrant violations of procedure become normal — despite the fact that everyone involved knows better…. As long as the organizational culture turns a blind eye to these practices, the predictable result is insecurity."
Normalization of deviance is part of a larger dynamic called the “drift into failure” that has been explored most fully in a recent book of that name by Sidney Dekker. As RSA president Amit Yoran called out in his RSA Conference keynote a few weeks ago, the cyber security industry has drifted into failure, not only because of the innovation dilemma that I wrote about earlier this year, but also because of the normalization of deviance in security that Schneier highlights. As preventive measures became less effective, lower expectations regarding their effectiveness were accepted. “We stop every attack” became “we stop 80%”, then 50%, then 30%. As a result, organizations continue to pursue the same failed technologies and strategies.
Acknowledging that a drift to failure has occurred enables us to embrace an initiative to re-think our approaches and priorities, empowering organizations to make the shift to a new security mindset, to new security processes and technologies, to new areas of knowledge and innovation. In the course of this shift, we must be cognizant that the drift into failure can occur again, and we must guard against it.
How do we reverse that drift? An approach was suggested by Dr. Nancy Leveson in her early article on the STAMP methodology, which I have written about a number of times. This methodology views the drift into failure, including the normalization of deviance, as a systems issue. Reversing the drift into failure is not like fixing a broken component (in this case, us fallible and unpredictable humans!). It is not a question of more training or more oversight, even though those are the kinds of solutions we all tend to think of. As I have suggested in earlier blogs, a more effective approach is to address the issue in terms of the system dynamics that underlie and reinforce the unproductive behavior.
At the core of a systems strategy for security is a shift of focus: a shift away from a focus on analyzing, predicting and preventing individual component failures to a focus on the discernible impacts that can occur, and the methods that reduce the likelihood and severity of such impacts. In Smart Grid security, for example, the explosion of a substation, such as happened in Miami in 1992, can certainly occur because of broken sensors and faults in arc-suppression control systems. But it can also happen because a cyber attacker has disabled those substation sensors remotely, as happened in the attack on the Ukraine electric grid in December 2015. Focusing narrowly on preventing the failure of the sensor and controller can blind you to other systemic activity that can result in the same damage to the substation, as well as the cascading effects that such damage can have.
A systems approach to reversing the drift into failure entails more than fixing organizational policies and employee awareness. It requires thinking about organizational culture, organizational management processes, independent oversight, and regulatory policies and procedures. Leveson described this in terms of the drift into failure for safety: “Instead of defining safety management in terms of preventing component failure events, it is defined as a continuous control task to impose the constraints necessary to limit system behavior to safe changes and adaptations.” The same point applies to the drift into failure for security.
Like safety, cyber security is complex and dynamic. Security cannot be achieved just by making and enforcing rules. If we want to reverse the drift into failure in security, we have to start by being clear about our expectations regarding security. Even though we cannot prevent cyber attacks, even though we cannot expect to prevent targeted attacks from getting through even the best preventive defenses, we must succeed in effectively detecting and responding to those attacks. We cannot expect less than this. In achieving security, failure is not an option. This mindset will enable us to adopt the new, more effective approaches to today’s changing security paradigms.
I spoke recently at a workshop organized by the Alan Turing Institute in London to identify areas related to cyber security in which major research is needed. Though I focused on security analytics, I also talked about the need to develop more effective models for understanding and managing risk, citing the work that my colleagues in the EU-funded SPARKS project and I are doing in the STAMP/STPA methodologies and the recent developments in operational risk management, including the support for loss-event models in RSA Archer 6.0. On the flight back to Switzerland, as I reviewed what we had accomplished in the workshop, I saw a general consensus regarding the need for a research focus on security analytics. This included areas such as simplified ingestion of widely disparate data stores, on-going development of algorithms for pattern discovery and anomaly detection, and improvements in visualization, assembling context, evaluation of criticality and other areas that contribute to an effective human augmentation model. But there was far less recognition of the equally large need for a research focus on risk.
This struck me even at the very beginning of the workshop, in a presentation about cyber security in the pharmaceutical industry. In that presentation, risk management, in particular an asset-value methodology that reflects a core concern in that industry with theft of intellectual property, was taken as a mature, established body of knowledge. This evaluation of risk was shown in an example of a probability/impact graph used to prioritize which information assets to focus on. But it struck me immediately that focusing on asset value ignored other aspects of risk that should also be considered, in particular the disruption or destruction of production facilities, the integrity of operational data, the availability of essential services and other concerns whose impact is related not to the value of an information asset but to the magnitude of a loss, especially of operational capabilities. In the SPARKS project, we have seen that risk related to disruption and destruction of capability, not only in Smart Grid but in energy in general, as well as in manufacturing, telecommunication, financial services, e-government and many other areas, has to be a major concern. The recent DDoS attack on the thirteen internet root name servers that slowed down network traffic world-wide is just the latest example of such attacks, which have included oil production in the Middle East, electric power in Pakistan, and steel manufacturing in Germany.
(Image from a YouTube video posted by Johnny Adams on the report of a German steel mill cyberattack)
Later in the day, another speaker touched briefly on risk, calling out the importance of identifying root causes. But he spoke only about technological issues such as vulnerabilities. Even if one looks for root causes in other areas, such as analyzing attacker strategy and motivation in terms of the value they get from an attack, the difficulty of attack, the risk of discovery, as well as social and psychological drivers, such an analysis tends to suffer from what Peter Senge identified twenty-five years ago as the problem of looking at events and actions linearly: “Reality is made up of circles but we see straight lines….Our habitual ways of seeing the world produce fragmented views and counterproductive actions.” (The Fifth Discipline, p. 73)
(Senge, The Fifth Discipline, p.393)
It is one of the great strengths of loss-event methodologies, such as the STAMP/STPA methodology championed by Dr. Nancy Leveson of MIT, that they look for the broadest possible set of causes for risk in a particular loss-event scenario. In Engineering a Safer World, Dr. Leveson discusses a pharmaceutical example at length (drawing on an analysis by Matthieu Couturier): the financial and reputational loss that Merck incurred with the introduction and withdrawal of Vioxx (p. 239). The recall of Vioxx was not the result of technological issues or attacker manipulation of information or processes. Rather, the analysis showed the interrelationship between drug safety control structures, system safety requirements and constraints, the events that occurred and the system dynamics that together resulted in the suppression of drug trial data, misleading marketing information and vilification attacks on individuals that eventually caused the FDA to require recall of the drug.
There is still significant work to be done in developing more effective risk methodologies. It was very important to have the opportunity to speak about this at the Turing Institute. My SPARKS colleagues and I are looking forward to continuing the conversation at the MIT STAMP Workshop in March 2016.
Marty walked into the executive conference room and felt he had passed through a portal of luxury. No battered pizza boxes in the trash cans. No empty soda cans littering the table. No crazy mess of networking cables running across the floor. He was used to that type of working environment. Instead, he saw an opulent mahogany conference table, polished to a mirror-like surface, dominating a room dripping with managerial authority. A stainless steel cappuccino machine in the corner of the room gleamed. The chairs were upholstered in leather. Marty surveyed the room, trying to decide where to sit. After a minute of contemplation, he plopped himself into a seat on the outskirts of the room, in a chair against the wall.
In a rush of activity, a parade of executives marched into the room, gabbing and squawking like a row of ducks. That's not nice, Marty thought to himself. He actually liked the executive suite at MagnaCorp. Sure, a few were pretty hard-nosed, but they made MagnaCorp hum like a recently defragged hard drive. He mused to himself as he took inventory of the newly arrived trio.
There was Vincent Chang, executive in charge of the massive partner ecosystem, in his dapper three-piece suit. Dave Reinhart, Marty's boss, gave him a quick nod and sipped his coffee, engrossed in a discussion with Robert Griswald, the company's Chief Financial Officer. The CFO controlled the purse strings of MagnaCorp and was a stickler for numbers. His favorite catchphrase, "Show me the money," made an appearance at almost every meeting. His meticulous watch over the bottom line and finances of MagnaCorp was one of the main reasons the stock price had continued to rise. Robert's attire, a snappy blue blazer and khaki slacks combo, was adorned with the head accountant's favorite flair: wild and crazy socks. Today's choice: bright pink and neon blue striped socks.
The execs settled into the cushy chairs around the table without a moment of consideration and the chatter stopped immediately. Down to business. Vincent kicked off the meeting with a quick recap:
"The legal negotiations with our new alliance partner vNextGen are wrapping up. We have gotten through all of the detailed talks with their legal team, and our general counsel is pleased with the discussions. I believe we should reach an accord shortly. We have also captured an inventory of vNextGen's contractors, our 4th parties, as it were. We are still vetting a few of them, but they generally check out. Robert, can you give us a rundown of the financial assessments?"
“Sure.” The CFO swiped his iPad. A colorful dashboard with pie charts and trend reports flashed on the screen. “We ran through their numbers as part of our Financial Viability assessment. They have been tracking well and I was pleased they were as transparent as they were. We have also been running numbers on the potential new revenue streams from the alliance. Very promising… Very.” The last phrase was emphasized with a large smile and a raised eyebrow.
Vincent interjected. “That’s what we were hoping.”
"You know what I always say…" Robert said, pausing and spreading his arms out in front of him.
Marty grimaced and waited. He knew what was coming.
“Show me the money.” The CFO beamed.
The other two executives chuckled.
Vincent reined the topic back in. “Dave, how’s the security review going?”
Dave cleared his throat. “The security reviews are underway. Marty has been digging in with their team…”
The Hunter stood on a hill hidden in the shade of a massive oak tree overlooking a wide road. His keen eyes followed a convoy of wagons slowly approaching the Frontier station, a stocky stone building set a few paces off the road. As the wagons drew nearer, a group of the King’s Guards emerged and formed a ragged line across the well-worn, rutted lane. The Hunter grunted. The guards had a lackadaisical manner that belied their awareness of the situation. Each guard knew that a convoy of this size and importance was ripe pickings for a bandit raid. In addition, the possibility of a stowaway or illegal goods buried in the parcels, barrels, chests and strongboxes in the cargo was always high.
A rotund man stood up on the lead wagon and raised his arm. His voice blasted a single command and the convoy stopped. The convoy's protectors, armed with a variety of swords, bows and pikes, jumped off the wagons and took positions relative to the King's Guards. From his vantage point, the Hunter could see most of the security force from the trading party. He began to make mental notes on armaments, attitude, placement, awareness: all indicators of the training and competence of the caravan's security.
The convoy's trade boss struggled down from the lead wagon and strode towards the sergeant of the King's Guards with a packet of papers. The two met, shook hands and engaged in what the Hunter assumed was small talk about the weather, the road conditions or some other meaningless topic. The trade boss handed the sergeant of the guard the packet of papers. The sergeant paged through the parchments slowly while the trade boss struck a match and lit a large wooden pipe. A cloud of smoke escaped from the thicket of the man's burly beard. The sergeant waved at the encroaching veil of tobacco fog and marched towards the string of wagons for the inspection. The trade boss, smoke trailing him like a shroud, followed.
The Hunter silently stepped through the foliage to join them.
After the Hunter’s examination of the trade party’s entrance into the Kingdom, he quickly made his way back to the castle. He had a few hours before he was to report back to the Wizard, the Trade Master and the Jewel Keeper and wanted to gather his thoughts. The Jewel Keeper was a close advisor of the King and occupied the enviable position of managing the large cache of gold and jewels gathered from across the Kingdom. He was a very influential person in the inner circle of the King and an audience with him warranted preparation.
The Hunter now stood before the three high-ranking members of the King's Council. After the Trade Master and Jewel Keeper articulated their assessment of the progress of the alliance agreement, they yielded the floor to the Wizard. The Wizard quickly turned the conversation over to the Hunter, who offered a detailed description of the exchange he had observed at the Frontier station. He itemized the convoy's security team, their preparation and their capabilities.
The Jewel Keeper paused from taking notes on a scroll. He raised his quill, a great diamond ring glittering on his finger, and interjected, “What do you think of their overall capabilities? We are relying on this new alliance to yield us some significant new revenue sources.”
The Hunter nodded. “I was impressed with their professionalism. I realize they come from a Realm that is considerably less wealthy and extensive than our own Kingdom. Their armaments were solid. The team was small – I probably would like a few more resources on these larger convoys. But they have sound training.”
Satisfied, the Jewel Keeper nodded, straightened his rich royal blue cloak with his hand and turned to the Trade Master to close out the discussion.
Come back on Tuesday for the next episode!
Posted in Advanced Persistent Threats, Cloud security, Defend the Kingdom, Enterprise Security, governance, GRC, Home, Risk & Compliance (GRC), risk management, security management, security short stories, third party risk