Friday, September 21, 2007

Seven Habits of Highly Effective Security Plans [Part 3]

In this post we deal with habit 1: Be Proactive

Please first read The Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People, and in this post we look at how being proactive can help raise the general security of an organisation. This applies to everything from a micro one-person business to a multi-national company.

Being proactive really translates into taking ownership. There is a general feeling that Information Security is someone else's problem - usually IT's. The thing is that even IT shifts the responsibility onto technology such as firewalls, antivirus and IDS boxes.

It has taken legislation in the United States and Europe (not so much in South Africa yet) to put Information Security risk back where it should be - with the Business, and by "Business" I mean non-IT people. Is this fair? Sure, it is their data and they must protect it from getting lost. Security is there to help and IT is there to make sure that the technology is in place, but at the end of the day if a spreadsheet with financial information goes missing, it is the department that owns the spreadsheet that is going to suffer.

Of course, all three camps can be proactive. InfoSec can, should and must promote awareness of Security. They need Business and IT to understand what the dangers are and what is expected from a regulatory point of view. Posters, training, emails and so on can all be used.

IT can help by telling InfoSec of incidents that they may find, by making systems secure from the start, by being enthusiastic about patching and hardening servers, and by helping out with standards that are secure.

Business can be aware that it is the information they use every day that IT and InfoSec are protecting, and that the protection is for them, so they can do their work more effectively, which is what business is all about. They should strive to understand the tools that they use and how to use them securely. Strong passwords, a clean desk policy, locking workstations, locking offices and thinking twice before opening strange files are all things that can be done for free, and together they are far more effective than antivirus, firewalls and NAC.

It is difficult to get the inertia going and people are reluctant to change, but it is important to at least start working on a culture where information is seen as an important asset and is protected as such.

I think this is a lot more productive than playing each part of the business off against the others.

Thursday, September 20, 2007

Backups are like parachutes: you only realize that you need them when it's too late.

This morning there was a story in the Pretoria News about a rapper from the US who had his laptop stolen. Welcome to Joburg.

He is now offering a R50 000 ($7000) reward for the return of his laptop because according to him he has lost 12 years of his work. R50 000 is not a lot of money for 12 years of work but assuming that his laptop is insured against theft then the R50 000 is basically how much the information is worth to him.

Now most of what you find on a laptop hard drive is junk - downloaded jokes, movies, etc. - and also software which is either very easy to replace or comes bundled with the laptop anyhow. Just how big is your My Documents folder anyway? So let's assume that the rapper had just under 12 Gigs of vitally important, irreplaceable stuff on his laptop - that is three DVDs' worth.

An external CD writer is just under R800. Add on a box of 50 DVDs for just over R130 and you are looking at a backup solution costing about R1000 ($140).

This sounds like a better deal than R50 000. Of course the technology is not going to save you on its own: you need to actually use it. It takes about 5 minutes to burn a DVD but maybe 30 minutes to set the burn image up.

But it is very worth it, yo.

Friday, September 14, 2007

The Seven Habits of Highly Effective Security Plans [Part 2]

Please read The Seven Habits of Highly Effective Security Plans [Part 1] first.

Stephen starts his book with the idea of a paradigm and goes to great lengths to explain what it is and why one needs to understand it.

In terms of Information Security I think that the paradigm shift was forced upon us on July 13, 2001, but it has taken until now for us to be able to understand and deal with the new understanding.

That was the date that the Code Red Worm struck. The darling of Security at the time - the firewall - was no match for this worm, and anti-virus was ineffective too.

Today the worm would be very much less effective because we now have more defenses. We have proper patch management, IDSs, deep packet inspection firewalls and application security. These were all around at the time of the Code Red Worm; they were just not being used effectively. We had the technology but the mindset was not right.

When the SQL Slammer Worm arrived it proved that we still hadn't learned our lesson. The paradigm shift had not happened yet but we are slowly getting there.

The fact that new worms are coming out all the time but we haven't had a global epidemic of Slammer proportions means that we are learning our lesson. The fact that the Storm worm is still succeeding means that there is still some way to go.

Our first paradigm shift came from realising that:
  1. security has to be done all the time
  2. technology alone will not save us

I think the next one is that we can't tack on security. We need to think security from the beginning, even if it means some things need to be redesigned or abandoned totally.

To Be Continued.

Friday, September 7, 2007

The Seven Habits of Highly Effective Security Plans [Part 1]

I've been thinking about doing this for a while. I admire Stephen Covey and his book The Seven Habits of Highly Effective People. I have seen the book being used to manage huge companies and I think that the principles in the book are broad enough to be applied to pretty much anything, including Information Security.

I think that the 7 Habits are already built into "Best Practice" in most cases, but this should allow us insight into why we need to do what we already do.

Do I run a highly effective Information Security Plan? I like to think that I am working on it. I also think I won't ever finish, but going back to first principles is always a good idea.

I don't aim to rewrite the entire book; that would be pointless and quite illegal. I aim to use it merely as a guide.

Wednesday, September 5, 2007
Brother Andy sums up nicely the debate that has been happening on the Security Bloggers Network about CISSP.

He also sums up most of what I think of the Cert:

  • It shows that the person is serious about security.
  • It opens doors. Even Australian immigration.
  • It is easy for headhunters to spot. And match up with.
  • The ISC2 is a problematic organisation.
  • CISSP is not for everyone.

Of course, I have my bit to add:

Terry Pratchett writes amazing stories with some deep concepts. One word he created (or at least a Witch of his Discworld created) is headology. Basically, a witch will never be caught without her hat, because once the hat is on, anything the witch does, magic or not, will be seen to have been done through the use of magic.

I believe the CISSP is our headology. For security people to be taken seriously we need the tools to make people believe we are serious, and that includes (for better or worse) a professional organisation such as the ISC2 and a certificate of membership - the CISSP.

Having a CISSP doesn't make me any more knowledgeable about Information Security than the me before the exam, but it does show that I am serious about Information Security and want to be seen as an Information Security Professional.

It also helps in Information Security debates to sign the extra little letters with a flourish. Headology.

The Thin Blue Line

On the 2nd September 2007 the South African Police Service held a commemoration day service to remember the 108 police officers killed in the line of duty in the past year.

Having been a reservist police officer for a short period, I understand exactly what these police have faced and what the police continue to face on a daily basis.

In honor of that I dedicate some time and some space on my blog to remembering the heroes in blue who paid the ultimate price to protect the families of South Africa and to those who continue to protect us with the knowledge that they may be the next to die.

- Anonymous

When I start my tour of duty God,
Wherever crime may be,
as I walk the darkened streets alone,
Let me be close to thee.

Please give me understanding with both the young and old.
Let me listen with attention until their story's told.
Let me never make a judgment in a rash or callous way,
but let me hold my patience let each man have his say.

Lord if some dark and dreary night,
I must give my life,
Lord, with your everlasting love
protect my children and my wife.

"I am the Officer"
- Anonymous

I have been where you fear to be,
I have seen what you fear to see,
I have done what you fear to do -
All these things I have done for you.

I am the person you lean upon,
The one you cast your scorn upon,
The one you bring your troubles to -
All these people I've been for you.

The one you ask to stand apart,
The one you feel should have no heart,
The one you call "The Officer in Blue,"
But I'm just a person, just like you.

And through the years I've come to see,
That I am not always what you ask of me;
So, take this badge ... take this gun ...
Will you take it ... will anyone?

And when you watch a person die
And hear a battered baby cry,
Then do you think that you can be
All these things you ask of me?