Friday, October 26, 2007

TJX - Who suffers?

Just a quick break from the 7 habits. They take a while to think out and I need to post something.

All the signs point to TJX having suffered a textbook hack, and so all the Security Chicken Littles were salivating because this would be the "I told you so" opportunity of a lifetime.

And it didn't happen. I blogged about it here and here.

So, what happened? My personal feeling is that this was just the first punch in the fight. Consumers have taken the knock and have felt a bit upset by it but they can deal with it.

In the back of their minds, though, they now like TJX, credit cards and maybe their bank ever so slightly less, depending on how much this breach has impacted them.

TJX is lucky in that, if their service levels are up to scratch and they have no more major breaches, then over time their image will recover and their customers will be happy once more.

For the credit card companies it will be a bit harder. If another store now suffers a breach it won't impact TJX, but the consumer may feel a bit less trusting of the whole credit card process.

This is problematic in the same way my swimming pool theory is bad for networks: every store suffers only a bit of the problem, but the credit card process as a whole suffers the most. Perhaps this is why the PCI members (Visa, MasterCard, etc.) are working hard to get the stores to implement the PCI DSS security standard. Otherwise they may find consumers cutting back on credit cards, or giving them up altogether.

Maybe the answer is actually for the whole process to be scrapped and redone.

Tuesday, October 9, 2007

Seven Habits of Highly Effective Security Plans [Part 4]

Friday, September 21, 2007
Seven Habits of Highly Effective Security Plans [Part 3]

In this post we deal with habit 2: Begin with the End in Mind

Please first read the Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]
Please first read the Seven Habits of Highly Effective Security Plans [Part 3]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People. This habit was the one I wanted to get to as fast as possible, because I think it is the most important one for Security Plan development.

If you have read the book this blog post is based on then you'll know that each habit builds on the ones before it. The last one was being proactive: making sure that you define your environment and how you will handle Information Security.

In the past Information Security was a matter of having whatever the box of the day was - firewall, anti-virus, IDS, etc. It was also having audits done and responding to their negative findings. And it was about hopefully detecting incidents and preventing the same incidents in the future. Reactive.

Now, what is happening (and should be happening) is that Information Security is becoming more proactive, as per habit 1. Instead we look at what we are protecting and try to understand why it needs to be protected and how best to do so.

But once you realise that you have work to do, you need to know what to do. You need a plan - a long term plan. You probably already have one of those - a policy.

I know of a company (not the one I work for) that was told by their holding company to get Policy documents. And they got the boilerplates, filled in their company name and - voilà - policy documents. But they missed the point.

The documents are not there for the auditors. ("Yeah, we got some policies." [Tick]). They are a living document of the Company's plan for Information Security. They are an excellent opportunity for the Company to define their end goal and work towards it.

It makes life a lot easier for everyone too when they know their goal and it makes deciding on what is important and what isn't very much easier.

A boilerplate is a good start if you haven't got any idea where to start. The risks to most companies are the same, the technology is similar too. Most of the techniques can be applied to all different organisations. But a lot of work needs to be done to the Policy to get it just right for the organisation.

Another good place to start is with the people who own the information. And these are not IT. These are the people who make decisions based on Information, the guys who would pack up and go home if there was no information for them to work with. They know what is important to the business and where it is. I will write a lot more on this in later posts, but for now just realise that Information Security must start with the end in mind, and the end is "protect all important information so business can operate".

Friday, October 5, 2007

Symantec - "We don't (just) sell anti-virus".

I went to a Symantec presentation today to learn about their new End Point Protection and to take a sip of their Kool-Aid.

They took great pains to make sure that the audience was aware that they do not sell anti-virus software anymore - they sell "end point protection". Which, really, is anti-virus with other stuff.

The point is that, even according to Symantec's own reports, viruses are dying out. (By virus I mean a program that self-replicates - not a trojan, spyware, rootkit or worm.) Trojans, worms and rootkits are becoming easier to modify and deploy, and signature lists (against which these uglies are compared and blocked) are becoming too slow to keep up.

The moral of the story - viruses are (pretty much) dead... they have been replaced with new threats. Symantec painted a picture of their protection product as the silver bullet that will protect a PC against all the new threats. It looks good but I'm not 100% sold. I'd recommend the product but I'd back it up with a lot of other Information Security goodies.

The Conscious Competence Security Model

A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it, and then I forgot, but I was reminded of it again when I read this article by Richard Bejtlich.

He in turn is discussing CIO Magazine's Fifth Annual Global State of Information Security which is worth a read especially if you are in the Information Security field.

It was these two quotes that reminded me of the Learning Model -

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.

As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
This sounds very depressing, as though we should just throw in the towel, but I think it is more positive than that.

The Conscious Competence Learning Model has many different names and versions but the concept is as follows:

  1. At first you are blissfully unaware of how much you don't know.
  2. Then you start learning and get overwhelmed once you learn just how much you don't know.
  3. Then you learn some more and you struggle along learning all the time.
  4. Then you become a professional and know everything without having to think very much.

My Information Security spin on this is:

  1. At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
  2. Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
  3. You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.
  4. All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.

From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.

My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.

Obviously the size of the company and the sector it is in help determine what step it is on, as do the amount of leadership the Top Brass provide and the enthusiasm of the Security Department.