
Scott Wright's Security Views (ScottWright)
Blog Entry

What Do Security Practitioners Argue About When Nobody is Watching?

Wednesday, June 22nd 2011 @ 9:50 AM

Martin McKeay, who hosts the Network Security Podcast (and one of the originals who inspired me to get into blogging and podcasting) hosted an interesting round-table discussion on June 7, 2011, on the topic of “Which is easier: teaching security guys about the business issues, or teaching business people how to do security?”

The knock-em-down-drag-em-out panel included:

  • Rafal Los (click HERE for his White Rabbit blog)
  • Boris Sverdlik (click HERE for his Jaded Security blog)
  • Mark Nunnikhoven (click HERE for his blog)
  • Damien Tommasino (click HERE for his Security Nut blog); and of course
  • Martin McKeay (click HERE for Martin's blog; and HERE for the Network Security Podcast)

This discussion illustrates exactly how security guys like to argue. I was really impressed that each of these guys brought a slightly different viewpoint to the discussion. The most encouraging thing about this 1-hour podcast is that it's begging for more cross-pollination between business executive management and security professionals. The discussion included topics such as:

  • “Return on Security Investment”, and how recent breaches are starting to provide us with some kind of useful data
  • Pondering certifications for the business side of security practice
  • The issues with “bolting security onto the System Development Lifecycle”
  • The need for a Chief Risk Officer
  • The right and wrong kinds of Fear, Uncertainty and Doubt (FUD) to spread
  • The issues of how a small business deals with security versus business objectives

There were many other very insightful comments that should be of interest to anyone concerned about security and risk within their organization. I found myself wanting to jump in, at times, to add my two cents' worth. But of course, I couldn't. So, I'll add my comments here.

Scott's Comments

Mature security professionals often seem to have a healthy, burning need to ensure that the business management ranks in their organization understand: (1) What they have at risk, (2) What's being done about it, and (3) Why.

I think continued effort in this area is the key to making progress in the short term. There were some good suggestions in the panel regarding things we’d like to see happen across the industry to address the root causes of our security deficiencies. But one of the most effective ways to get the business part of an organization on side with security is to start a mature, high level discussion with executives about business risks. This can be done in the short term, in any organization. I'm a bit surprised that this idea wasn't mentioned in the panel discussion.

This kind of high level conversation with an executive is not something a brand new CISSP certified security professional can easily do. You have to have experience in at least a few relevant projects, and you have to understand the business impacts of current vulnerabilities.

Credible Conversations With Executives

Credibility is critical. You have to be able to offer something like the following wisdom to an executive when you have them alone in a room: “We have a weakness in our customer identity management security. A similar kind of vulnerability has led to catastrophic breaches at , and it could happen here. What many organizations are doing to mitigate this kind of risk, as well as future, unforeseen risks, is to have a comprehensive risk management plan…” 

This is just an example of such a starter conversation with an executive. Being able to connect the dots and translate the issue into business risks and relevant consequences implies that we need seasoned security professionals in key roles. I don't think it's really a matter of certifications. Believe it or not, executives like to listen to people who've made mistakes in relevant areas before (or, better yet, worked with people who have made those mistakes). In a small organization, there may be nobody who is willing or able to have this conversation. But you can get help from security consultants with business experience to do this.

Two-in-a-Box

Another suggestion I have for getting security and business organizations to work together within an enterprise is that, for larger organizations, a two-in-a-box approach can work very well. I’ve seen this work well within the Government of Canada. Typically, on the IT side of a department, there is a security professional who reviews all project deliverables and looks for impacts on risk. This is what we call the “System Security Engineer”. On the business side, the key business manager might have a delegate who is responsible for Enterprise Risk Management. This is somebody who knows how to communicate risk issues to the executive, and to whom the executive will listen.

All security risks that are important, by definition, must have an impact on enterprise risk. So, a close, constant dialogue between business risk management and IT security risk management allows for faster response to threats, as well as more appropriate security safeguards for the organization’s business processes.

Awareness at Two Levels

Of course, education and awareness is also a key enabler of security and business communication. In my view there are two kinds of awareness that should be addressed. The first is the executive awareness of high level risks to the business, such as I described above. The second is the more traditional security awareness education for staff at two levels: general awareness and workflow-based awareness. These are areas in which I’ve worked for both public and private sector organizations.

With respect to the high level risk awareness issue, it’s not until this awareness of relevant business risks happens that management will commit any real support for investment in a security or risk management program. This is the time when I’ve seen that a little bit of FUD – appropriately sanitized and fed to executives – can help to grease the wheels. But there are a few real dangers to be aware of in making this kind of awareness pitch:

  1. You can’t make anyone look foolish for not being aware of these issues before
  2. You can’t allow a witch hunt to be launched when internal examples or data are used to make a point about current vulnerabilities
  3. You must constantly repeat that security risk management is a continuous business process that will help management become more pro-active.

There are other critical success factors, for sure. But these are the ones I’ve seen that are super-important to consider.

Let's Talk More

I’d love to be involved in these kinds of round-table discussions in future. So, if you are holding one, or just want to have a facilitated session between management, IT security and user representatives, please let me know. I’d be happy to participate.


Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Scott Wright on LinkedIn 

To download my FREE Security Management Resource Guide now, and to receive my series of Streetwise Security Tips, as well as my Streetwise Security News and updates click HERE.


Comments

LPamelaA said on Wednesday, June 22nd 2011 @ 1:29 PM:

Very interesting analysis Scott, and your point about security professionals needing to interact more regularly and effectively with the business side of the house is dead on. My company, Symantec, works with our customers’ CISOs, internal IT staff and channel partners to help them foster a culture of security awareness with everyone in the company. Too often, employees don’t hear from the CISO or the IT department until after the organization has been hit by an attack or suffered a breach.


ScottWright (Group Administrator) said on Wednesday, June 22nd 2011 @ 2:41 PM:

Thanks for the comment, Pamela. Welcome to the Streetwise Security Zone.

That's a good point about your team working with clients. Businesses in the security industry must really consider how to educate clients without scaring them away, or using up their entire security budget on a single part of the security environment. It's similar to what I described, but maybe even more sensitive, if you want to have a long-term relationship with the client organization. Whether it's an internal or external relationship, your credibility will determine how successful you are with having those conversations.

I'm looking forward to seeing more insights from you here in the future.


DavidB said on Thursday, June 23rd 2011 @ 12:09 PM:

I've spent most of my working life in engineering and have come into contact with many companies who have taken different approaches towards SAFETY with differing results.

The most successful make safety a "culture", not just an add-on.

I see security in exactly the same light. People make far better decisions if those decisions are "informed", and we make decisions on a regular basis in our normal use of computers that could impact security.

The more people are engaged in the subject, the better they are informed, the better the results.

Blog Entry

A great site for testing your phishing knowledge from Verisign

Thursday, June 16th 2011 @ 6:34 AM

One of the biggest risks I'm seeing across all industries is Phishing - that is, luring computer users to dangerous websites that attempt to infect your system or steal your identity. It's really getting much harder to recognize not only the links that take you to these sites when you encounter them in emails or on web pages, but what these pages might look like, if you actually end up at one. The sooner you leave the site, the better. But how do you know what they look like?

Verisign has created a great 10 question phishing test that uses side-by-side examples of legitimate vs. phishing sites. You have to look closely to see the sneaky things hackers will do to mimic legitimate websites and trick you into clicking on something in the site, or entering sensitive information like your password - it took me at least 2 minutes to find one of the fakes in the test. So, it's challenging, but very educational.

You can find the site at: https://www.phish-no-phish.com/default.aspx

I highly recommend trying this test yourself, and send your friends, family and co-workers to it, so they can learn about what can tip you off that you're on a fake site.

In the end, Verisign uses the site in a clever way to send a marketing message to visitors. Security folks will be able to guess how, but I think it is quite effective.

Let us know what you think about this test. Did they miss any important tips on how to recognize phishing sites?


Comments

DavidB said on Thursday, June 16th 2011 @ 11:14 AM:

Thanks Scott,

a very good test. I found them all but I have to admit I spent more time looking than I would typically spend checking out a site.

One piece of advice that I give people ..... use bookmarks. Once you are on a site that you are comfortable with, bookmark it. I believe that the bookmark saves the IP address so that even if the crooks poison the DNS, you will still end up in the right place.

If you get an email asking you to (for instance) go to your banking page, use your bookmarked (saved) site, not the link they send you - that's if you feel the need to go look at all. Banks typically won't send out that kind of email anyway.

Also, for anyone that's still using IE6 ..... DON'T!!!!

It's not safe enough - Microsoft will tell you the same thing.

Blog Entry

How to easily create a much stronger password than you need to thwart a brute force attack

Tuesday, June 7th 2011 @ 8:14 PM

If you have been struggling with the problem of how to keep passwords strong, yet memorable, we may have a simple answer for you. In the Security Now Podcast (episode 303) this week, Steve Gibson presents a very interesting analysis on what makes a good password these days. He calls it Password Haystacks, and there is a pretty simple solution to having to remember strong passwords.

Steve's conclusions are very compatible with my usual preferred strategy for choosing passwords - like using the first characters from a song or movie quote, and adding some special characters and numbers. But his advice is interesting about how simple the basic password root can be, and how to easily make it much stronger. It's pretty cool and simple.

The bottom line is that by adding length to a good, short password (regardless of whether the added characters are repeated characters or patterns) you will massively improve resistance to a brute force attack. This is because today's attacker doesn't know for sure how long the password is, and will always start with the easy dictionary words and patterns, then move to the shortest possible character combinations in a brute force attack, followed by the next shortest combinations, and so on...

As an example, using this logic, a 23 character random password is not "usefully" stronger than a 3 character random password with 21 repeated characters. 

There are some minor caveats in using this approach, to keep the passwords strong, such as having at least one lower, one upper case, one number and one special character in the root of the password. The rest of the characters don't really matter, as long as you don't reveal what pattern you use in the repeated characters or patterns.

For example, "..B.o.B.........." is a pretty good password, since it would take at least 2 billion centuries in the massive cracking array scenario to go through all combinations. So, you don't need a very long song title or movie phrase. You simply need to keep your simple pattern or strategy a secret.

The Security Now podcast episode (in text or audio format) where the rationale for this approach is described is at the following link:

http://www.grc.com/securitynow.htm (look for Episode 303)

Steve also has a web page that analyzes passwords in terms of how long a given password can be expected to stand up to various brute force attacks. You don't have to enter your real password, but try entering something that has the same length, and number of upper, lower case, numbers and special characters as your real password, and see how long it would take an attacker to try all combinations using a brute force approach.

http://www.grc.com/haystack.htm
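To make the search-space arithmetic behind the haystack argument concrete, here is an added Python example (not Steve Gibson's calculator and not code from this blog) that models an attacker who exhausts every combination from length 1 up to the password's length, over an alphabet made up of the character classes the password actually uses. The three guess rates are constructed assumptions for illustration, and the model only covers blind brute force; it says nothing about an attacker who already knows the padding pattern, which is why the pattern has to stay secret.

```python
import string

# Character classes as a haystack-style model counts them (assumption:
# lower, upper, digits, and 33 printable symbols including the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),           # 26
    "upper": set(string.ascii_uppercase),           # 26
    "digit": set(string.digits),                    # 10
    "symbol": set(string.punctuation + " "),        # 32 + space = 33
}

# Guesses per second for three attack scenarios. Constructed assumptions
# for illustration, not figures taken from the blog post.
SCENARIOS = {
    "online (throttled)": 1_000,
    "offline (fast hash)": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must assume: the sum of every class that appears."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_size(password: str) -> int:
    """All combinations of length 1..len(password): shorter lengths are tried first."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole space must be searched."""
    return search_space_size(password) / guesses_per_second


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # Short root "BoB" versus the same root padded with a dot pattern.
    for pw in ("BoB", "..B.o.B..........", "x7K", "x7K" + "." * 14):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}")
        for name, rate in SCENARIOS.items():
            print(f"  {name:>24}: {centuries_to_exhaust(pw, rate):.3g} centuries")
```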

If you aren't convinced, or if you want to learn more, post a question or comment below.

Something to ponder...

- Scott


Copyright 2012. Security Perspectives Inc. All Rights Reserved.