Friday, December 16, 2005

Aligning Risk with Security Solutions

IT organizations almost never conduct a risk assessment before they implement security. How smart is that? Well, not very. The standard practice in, say, configuring a firewall is to see what traffic comes through and then configure it to block that traffic. Wait for and block the next set of traffic to come and then repeat this process until satisfied.

Think about securing your house in the same manner: Well, people walk in front of the building so you put locks on the front door. People walk by and look in the windows so you lock the front windows. The garage door is left open at times and people walk by, so you lock the door from the garage to the house. Let's say that is the extent of traffic for about a week. Is your house secure? Hardly...and neither are IT systems, and for the very same reason.

I actively advocate having physical security people work with IT people in conducting risk assessments. Physical security people have risk-based assessments etched into their DNA. They can provide a lot of guidance to IT people when it comes to securing IT systems.

I like to think of this as one step in integrating physical and data security; this is also called convergence in security circles. I exhort my clients to integrate the two organizations, physical and data security, before they try to integrate systems such as access controls. IT learned many years ago that automating a bad procedure only makes matters worse: integrating the IT systems of physical and data security before the organizations are working together will likewise make the system worse.

In addition to conducting risk-based assessments, I encourage my clients to have physical security provide guidance in developing enforceable policies for IT change controls and to provide third-party oversight when those change procedures are being performed. Collaboration in these three areas represents a satisfactory prerequisite to integrating various access control systems.

Securing the Corporation

Ask most data security professionals how to secure the assets of a company: They will talk about operational security. They will discuss firewalls, intrusion prevention and the like. They wrongly focus on the loss of data and other operational security matters. Yet they will also tell you that they can never be 100% secure. At the same time, they nearly always fail to discuss the biggest risk for a corporation...and that is often the legal aftermath of a data loss. The legal entanglements will often result in far more financial loss than the actual damages, especially for a loss of data. I think this is a holdover from physical security, when the actual loss was often the majority of the material damages. This is simply not the case in today's world of data loss. So, how do you protect against this?

I like to distinguish operational security from organizational security. Securing a corporation requires both operational security and organizational security. At the minimum, organizational security is comprised of: i) Some kind of oversight or governance; ii) A formal security plan; and, iii) Progress against that plan. While the devil is indeed in the details, these three elements typically protect a corporation from its greatest risk. Moreover, it can often be implemented within 30 to 60 days. I often call it the fast track to compliance. With an active oversight program, companies can actually extend their remediation efforts and be more systematic, and therefore more economical, in deploying their operational security.

I strongly advocate organizational and operational security programs as joint initiatives.

Integrating Physical and Data Security for Money

I continue to bang the drum for integrating physical and data security. It makes too much sense not to. Not only does it dramatically improve security and make electronic crime much more difficult to perpetrate, it is even inexpensive. Think of the situation in this way:

A company with 3,000 employees in three buildings has to issue change orders for every new employee, every departing employee and every employee who relocates within the buildings. This means HR must document the changes, physical security must update its various access control lists (one for each building), and IT must modify the server configuration. That is 300 change requests times three, or 900 per month, assuming 10% of the employees have a change each month. By the way, I hear that Cisco has 10,000 change requests a day! They manage those requests with 5 people. You know how: They have integrated their systems.

Integrating physical access control and computer accounts for our hypothetical corporation will provide a full return on its investment (estimated at $160,000) in 16 months, based on compensation levels in Los Angeles circa 2004.

Why isn't this being done across all corporations? I maintain that the obstacle is simply the cultural gap between physical security organizations and the information technology organizations. I spend a good deal of my professional time explaining and showing physical security personnel how to bridge the gap with IT. I identify and describe how to integrate with IT even before the access control systems are integrated.

Integrating access control systems and the computer network will produce tremendous gains in both security and productivity. If Cisco can process 10,000 change requests a day with five people then certainly access control can become the low-level administrative task it should be.

Thursday, December 15, 2005

Identity or Transaction

Identity management is one of the most obvious places to focus security attention, but it may not be the most economical. This is especially true for a large corporation that needs to protect shareholder value and may be the object of attack from dozens of unknown sources. Having said that, identity management has experienced a number of improvements in recent years.

I was in the middle of these developments two years ago when I was advising the president of a company that secures communication between the White House and the DOD. This was during the transition between "PKI is too hard to use" and the new approach, which is "PKI wrapped in a registration authority software interface". Now there are a number of identity management solutions that make the process of administering PKI-level identity management as easy as email account administration.

Returning to my first point, there are two things to remember: You can never have perfect knowledge of your users' identities, so this will always remain a vulnerability even if it is reduced; and you could have near-perfect identity management and still not reduce your company's largest risk. These two facts of life in today's world suggest that identity management is not, as I stated at the outset, the most economical security focus.

So, what is? I continue to believe that it is best to keep the focus on two places, and keep it there until it cannot be implemented any better: One, secure the point of the transaction; and two, optimize the three-point implementation of i) maintaining a formal security plan, ii) providing formal governance over that plan, and iii) showing progress against that plan. These two points of focus easily provide the greatest security (especially when cost is considered) a corporation can obtain.

Tuesday, December 13, 2005

Disaster Recovery Begs a Context

It is a fact of corporate life in America that a company's biggest risk derives not from the direct impact of a disaster but from the litigation that follows. Emergency management provides the proper framework for planning disaster recovery and business continuity (DR/BC). This framework covers the whole span of an emergency, from its first instance until the emergency has fully passed and normalcy is restored. Too often disaster recovery is combined with business continuity as though the two represent a complete entity.

A company should build its DR/BC plan in a framework that distinguishes incidents (breaches in service to the customer), disasters (breaches in service that require replacement of facilities and/or equipment) and crises (breaches that become the focus of the news media). As these different emergencies are distinguished, different emergency response teams are activated.

Similarly, the emergency response plan should exist within a governance program. It requires both of these layers: governance and an emergency response plan (including DR/BC) to truly mitigate a company's liability.

Sunday, December 11, 2005

When is your IT department an obstacle to security?

It may seem like a funny question, but the IT department is an obstacle to security when they operate under the myth that a high thick wall keeps the bad guys out. This is a myth because 60 to 80% of all corporate crimes have an insider element: This element can be unwitting or witting.

So how do you know if your IT department believes in this myth? Simply listen when an executive asks them: Are we secure? If they answer by saying something along the lines of "Yes, we have a firewall, intrusion detection and virus protection" then indeed they do believe the myth.

An electronic crime does not occur as a simple event. It evolves. It begins with the bad guy collecting information from unsuspecting sources. He (or she) then uses that information to create traffic that looks, to your firewall, intrusion systems or perhaps your virus scanners, every bit like valid traffic. Electronic crime sneaks past the barrier of the "high, thick wall."

Friday, December 09, 2005

Integrating Physical and Data Security

Over 15,000 physical access control systems have been sold and installed in US corporations. These systems fully support integration of access control in both physical and logical space: Yet, less than a dozen companies have completed this integration. Despite the existence of these systems, the place to start the integration is with the people. Physical security personnel hold many of the key skills. Here is what I recommend:
1. Have physical security lead the risk based assessment of the company's computer systems. This skill is in their DNA. IT folks almost never conduct risk based assessments.
2. Have physical security write enforceable policies for change management within IT. IT seldom writes such policies for themselves...and when they do they seldom do them so they are readily enforceable.
3. Have physical security provide third party oversight when key change procedures are performed. Think of data as cash: digital cash. Doing so highlights the need for third party oversight.
Integrating these three functions is the forerunner of integrating the access control systems. It follows the old IT adage: Do not automate broken processes.

Wednesday, December 07, 2005

eCrime or Security

I use eCrime because it is a conversation starter. It leads to more questions, more dialog. When the term security is used people often rely on their image of ex-cops, fences, dogs, kiosks, etc. It stops conversation and questioning. eCrime is a conversation starter. It invites such questions as: How is electronic crime different than physical crime; Why is electronic crime on the rise and physical crime at a plateau; How physical crime (security) people interact with electronic crime people? These questions are addressed throughout this blog and in Tatum's eCrime practice.

Tuesday, December 06, 2005

Cyberbust!

This was the allure that got me into this business:

Five thirty on a dark Saturday morning, I led an experienced team in a court-ordered break-in to investigate a number of companies allegedly linked to illegal operations taking place in a single building south of Los Angeles. In this concrete-slab tilt-up building so typical of California industrial parks were slightly less than a dozen companies providing credit card and bounced check processing services. These companies were spawned from a single company that the State Court had just recently judged to have been stolen, in its entirety, two years before. Two employees with minority shareholdings, it seems, hijacked the hard drive from the server, leaving bogus drives as replacements, thereby taking the clients, the vendors and all future transactions. The majority owner of the original company was left with the existing cash, which was not much, the lease to the building, furniture and little else. He pursued the thieves in the courts for two years, finally receiving a judgment for $24 million and a court order to seize the business to collect evidence of the commingling of assets between the companies. The seizure was foiled because the defendants placed the stolen company into bankruptcy, thereby forcing a change in venue from state to federal court. This bankruptcy was filed, of course, after the most valuable assets were transferred from the bankrupted company to the other legal entities, leaving the owner with a bankrupt company worth far less than his $24 million judgment. This crime is one example of how difficult it is to catch up with cunning thieves who understand the subtleties of electronic forms of data and the law.

Where is the leadership?

What happens if Bob does not badge in and then someone else accesses Bob's computer and data? Answer: Nothing. It is not even a security event or alert. This scenario illustrates the fact that there is no connection between physical security and data security in corporations. Here is the punch line: Over 15,000 systems have already been sold and installed in corporations in America that enable the integration of physical and data security. Why the disconnect?
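The badge-in versus logon gap described above, as an added example that is not from the post: a small correlation check over constructed badge-reader and workstation-logon exports that flags interactive logons by users who are not currently badged into the building. The log formats, user names and host names are assumptions.

```python
"""Correlate building badge events with workstation logons to surface the
'Bob never badged in, yet Bob's account is in use' case.  Added example,
not code from the post; both log formats below are constructed."""
from datetime import datetime

# Constructed badge-reader export: timestamp, user, door, direction (in/out)
BADGE_LOG = """\
2005-12-05T08:02:11,alice,lobby,in
2005-12-05T08:05:47,carol,garage,in
2005-12-05T12:10:03,carol,lobby,out
"""

# Constructed workstation logon export: timestamp, user, host, logon kind
LOGON_LOG = """\
2005-12-05T08:04:30,alice,ws-101,interactive
2005-12-05T08:31:15,bob,ws-102,interactive
2005-12-05T09:00:00,carol,ws-103,interactive
2005-12-05T13:45:22,carol,ws-103,interactive
2005-12-05T14:02:09,bob,vpn-gw,remote
"""


def parse(log):
    """Split a CSV-style export into (datetime, user, place, kind) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, place, kind = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, place, kind))
    return rows


def present_at(badge_rows, user, when):
    """True if the user's most recent badge event at or before `when` is 'in'."""
    state = None
    for ts, who, _door, direction in sorted(badge_rows):
        if who == user and ts <= when:
            state = direction
    return state == "in"


def find_unbadged_logons(badge_log=BADGE_LOG, logon_log=LOGON_LOG):
    """Return (timestamp, user, host) for every interactive (at-the-console)
    logon by a user who is not badged into the building at that moment.
    Remote/VPN logons are skipped: being off-site is expected for those."""
    badges = parse(badge_log)
    alerts = []
    for ts, user, host, kind in parse(logon_log):
        if kind != "interactive":
            continue
        if not present_at(badges, user, ts):
            alerts.append((ts.isoformat(), user, host))
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_logons():
        print("ALERT: interactive logon without badge-in:", alert)
```

With the sample data this flags Bob's console logon (no badge event at all) and Carol's afternoon logon after she badged out; Alice and Carol's morning logon are within a badge-in.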

I believe it is a failure of leadership. There is nothing to prevent physical security people and data security people working together except for: i) a cultural gap; and ii) the lack of leadership to bridge that gap.

When Tatum's eCrime practice is operating at its highest level, we provide that leadership. Our goal is to increase the amount of time we spend operating at that level. In the meantime, we devote ourselves to the blocking and tackling of compliance and operational security.

Sunday, December 04, 2005

Making Money with Financial Identities

Here is an example of how financial identities are used in scams to make money for the bad guys:
1. Bad Guy Bob buys 2,000 financial identities for $2 apiece. So, here one person makes $4,000 for a product (the financial identities) that he gets to sell over and over again.
2. Bob then uses one of the identities to get a credit account at Circuit City where he buys 10 digital cameras for $500 each. This charge of course is against someone else, not Bob.
3. Bob has the cameras shipped to one of his re-mailers. He got the re-mailer by posting an advertisement on a telephone pole saying, "Work at home, make $20 per hour."
4. Bob opens a store on eBay advertising brand new, still under warranty cameras, still in the packaging, for sale for only $350. Bob will get a lot of orders for these cameras.
5. Bob sends ten of the orders to his re-mailer and says, "Open the box from Circuit City and send one camera for each of these orders." Bob pays the re-mailer, say, $40 for this work.

Let's do the math. Bob makes $3,500 for his $2 investment when he uses one of the 2,000 financial identities he purchased earlier. If he does this same routine 1,999 more times he will gross $700,000. By the way, Bob could execute this entire scam from outside of the U.S. He could also move the operation (the re-mailers and the Circuit City store) from city to city each month.

This scam is a very difficult one to catch up with. It is very lucrative and very low risk. The point of all of this is that with such easy gain and low risk, there is a high level of motivation for bad guys to steal identities. You can bet that the pressure on financial identities will increase for many years to come.


Information Tatum - Joel Rakow, Ed.D. - December 2005

Here's a first. A prominent computer security expert claims that the proceeds derived from electronic crime exceeded, for the first time this year, the proceeds derived from illegal drug trafficking: $105B. This statement could simply be a case of an expert with a self-interest making a dramatic statement to draw attention to himself. Nonetheless, it shows how rampant eCrime has become in the ten years since the Internet became a mainstream tool.

The holiday season inspired me to select my three favorite news bites as Hot Topics. One illustrates how companies are attacking their competitors' web properties using regulatory acts. The second presents new progress in blocking SPAM, and the third discusses the new strategy and sensitivities regarding protecting the corporate network at the point of user workstations through the new "lockdown" technologies. I hope you enjoy this month's selection. Best wishes for the
****************************************
Joel's Activities:
1. At the Conference Board in New York, Joel presented to approximately 120 security executives of America's top corporations including WalMart, FedEx, Bell South, Genentech, Cisco, etc.
2. Tatum's Denver office and Joel will prepare a global security plan for that area's largest beverage company.
3. As part of the World Shoe Association's relocation of corporate headquarters, Joel led the relocation and re-staffing of the IT operations, including the implementation of a new tradeshow production system and back office system.
4. Joel chaired the first three IT Steering Committee meetings after developing and obtaining approvals on the charter and operating plan for Bidz.com's governance program.
***************************************
HOT TOPICS
WEB ATTACKS USING REGULATIONS
--Study of Take-Down Notices Under DMCA Section 512 Finds Potential for Abuse
(28 November 2005)
Researchers at the University of California at Berkeley and the University of Southern California looked at 876 takedown requests made to web sites and search engines under Section 512 of the Digital Millennium Copyright Act (DMCA). Section 512 requires that hosting and search providers take down content, and links to content, in order to be exempt from copyright lawsuits. The notice needs no judicial review of whether or not a copyright has been infringed upon. The researchers found that more than half of the requests were made by companies against competitors, and that in 30 percent of the requests it was questionable whether or not copyright had been infringed upon. There were only seven cases among those studied in which the questioned content was reinstated on web sites.
http://www.vnunet.com/vnunet/news/2146807/dmca-hindrance-help
http://www.securityfocus.com/brief/62
http://lawweb.usc.edu/news/dmca.html
http://mylaw.usc.edu/documents/512Rep-ExecSum_out.pdf
[Editor's Note (Pescatore): The DMCA is a pretty good example of how legislation aimed at technology usually has more wacky side effects than any actual positive effect. That said, it is pretty straightforward to file a counter-notification if someone has used DMCA improperly to cause legitimate content to be removed - the Electronic Frontier Foundation and a number of universities sponsor a site that provides information and templates on how to do so: http://www.chillingeffects.org/
(Schultz): The DMCA has been a proverbial can of worms ever since the day it went into law. Studies such as the ones at UC Berkeley and USC provide empirical evidence of some of the DMCA-related abuses that occur. The big question, however, is whether legislators will respond appropriately or whether they will continue to blindly support the industries that so strongly lobbied for this legislation.
(Hoepman): A similar study in the Netherlands found that the vast majority of ISP's, when presented with a take-down notice, prefer to err on the safe side and comply without checking the validity of the claim at all.]

SPAM BLOCKS
--FTC: Spam Blocking Technology is Getting Better
(28 November 2005)
A study conducted by the US Federal Trade Commission (FTC) indicates that Internet service providers (ISPs) are improving their spam blocking techniques. In a test, the FTC found that two unnamed web-based email service providers effectively blocked 96 percent of spam messages. However, the onus of filtering the bad messages from the good still falls to the ISPs. Spammers collect email addresses by "scraping," or using automated programs that look for the "@" sign present in all email addresses. The FTC recommends that if people need to post their email addresses on the Internet, they do so in an alternate syntax in order to avoid having their addresses added to spammers' lists.
http://today.reuters.com/news/NewsArticle.aspx?type=internetNews
[Editor's Note (Schmidt): From a personal perspective, using ISP tools with a "near free" toolbar, I have not had a single SPAM or phishing email in any of my 7 different email inboxes in going on 10 months. Progress is being made and the tools are there if people would just use them.
(Honan): Filtering Spam at the ISP level makes good business sense for the ISPs. It reduces the network overhead on their links while at the same time making for happier customers. A win win solution, except for the spammers.]

LOCKING IT DOWN
System Lockdown an Effective Tool Against Malware
(28 November 2005)
IT managers should look not only at products to protect their systems from malware, but also at the possibility of locking down end-user computers. With system lockdown, users have limited abilities to compromise their systems. Most malware comes in the form of applications, most of which require some user interaction to gain a foothold within systems.
http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp
[Editor's Note (Schmidt): There once was a time where this would create huge push back but given the wide use of broadband at home and use of mobile devices to stay connected there are many other options then using work machines. This may be more palatable as many that are successful at enterprise security have used configuration management around security to get there.]

Hot Topics is adapted from SANS Newsbites for Tatum Partners.