Saturday, May 30, 2009

We Have A Cyber Czar, and He Has Spoken

I couldn't help it. I took a link from Bob Gourley's CTOVision blog where he tells the world that we ALREADY have a Cyber Czar. His name is Vladimir Putin!

http://ctovision.com/2009/05/white-house-cyber-policy-review-and-a-cyber-czar/

Bob tells it like it is, so there's no need for me to :)

Enjoy!

Jeff

Friday, May 29, 2009

eWeekNews: Discovery Features Make DLP Smarter... really?

Thursday, May 28, 2009

Study finds IT security pros cheat on audits --Is this a surprise?

In an article received on twitter yesterday, the author (Angela Moscaritolo, on May 27, 2009) discusses the fact that IT Security Pros cheat on Audits. The article may be seen at:

http://www.scmagazineus.com/Study-finds-IT-security-pros-cheat-on-audits/article/137546/

It should come as no surprise that corners get cut in audits. I wouldn't call it cheating per se, nor am I defending those who blatantly gundeck (a Navy term for cheating on assigned tasks) for a few reasons, but here are two:

1. In smaller/medium sized companies, resources generally don't exist to carry out the full scope of even the most basic audit frameworks (measuring against 800-53, ISO, etc.), thereby leaving gaps in the completed audit when compared to the plan.

2. In larger companies, the audit teams report to the board of directors, not the ISO or CFO as will the Risk team or Information Security team. Auditors get treated like every other auditor.. they get what they ask for -nothing more, nothing less. I've worked as an auditor, and worked with auditors several times in the past eight years and know the drill quite well. If an auditor is uninformed, they don't ask good questions, and as a result, get inaccurate information.

Tips for doing better audits?

1. Look for experience IT/Security people that can be taught auditing. Certifications are good, but not perfect. CISA is common among the large consulting organizations, but again, personal experience leads me to believe that not all CISAs are created equal.

2. Create an environment of cooperation between the audit team and the infosec/risk team. If an audit is going to happen at a certain location, why not leverage the audit team to perform a risk assessment at the same time. There's an opportunity for resource sharing if you can get legal to sign off.

3. Cross train and labor share. Use infosec people as auditors, and get auditors involved in sitting in the SOC. This makes everyone smarter, and eventually, the company better.

4. Find a good framework and stick to it. Measure the results location versus location, program against program, or division against division. It's not a report card but a score card that offers baseline, and hopefully upward trending.

Most importantly, remember, auditors get treated like auditors. They're outsiders and need to know what to ask, and whom to speak with to get the right information. They get this through bonding and familiarity in the organization. Train them well, get cooperation with infosec, and you'll see markedly better, and more consistent audit results.

Happy hunting!
Jeff

Wednesday, May 27, 2009

Podcast: More Targeted, Sophisticated Attacks: Where to Pay Attention

What timing! I just blogged about this this morning.

The conversation is 20 minutes long, but the piece with Marty talking about new issues --Social Engineering and (still) bad code is about 6. It's worth a listen. I'd love comments back. Thoughts? What other issues should we be concerned with during this period of adjustment to new threats?

More Targeted, Sophisticated Attacks: Where to Pay Attention
http://www.cert.org/podcast/show/20090526lindner.html

Featuring:
Marty Lindner - CERT Julia Allen

RSS: http://www.cert.org/podcast/exec_podcast.rss

Information Security Vendor hype?

It seems we're in an entrepreneurial dilemma... especially in the information security field.

Entrepreneurs/innovators/tech sales people create, commercialize and sell new, innovative tools, but it seems we've hit a plateau where the entrepreneurs don't understand the new market. In this down-turned economy how many infosec companies have failed? How many have been bought? I'd guess far fewer acquired than failed but then again, that's always been the case. Now it seems harder. It seems entrepreneurs are stuck in two areas that they just can't seem to find their way clear of:

1. New attack methods are not caught by old security tools! No matter how many signatures you stick into an IPS, it's not going to be able to stop a C2 channel heading out your door when it's buried inside of FTP! Don't tell me about Data Loss Prevention or losing the perimeter. I've had all the sales garbage that I can stand from the likes of Vontu and Verdisys. While both good ideas, DLP is not a solution for identifying and stopping badness inside your enterprise. The solutions stop 'not so smart' people from doing stupid things but do not stop smart people from stealing information from you.

2. Entrepreneurs are so busy selling (hyping) their products, and so busy with their noses pointed squarely at their keyboard (or financials), they've lost touch with what infosec practitioners really need... and the worst part is, they're not getting it from the trade magazines either! SC Magazine has gone from a robust magazine with good information to an ad rag full of expensive ads and very little content that will give entrepreneurs information to help them focus their product lines and strategy. So here's a bit of advice folks (from a guy who gets pitched more times than most), stop pitching. Leave your marketing materials at the door. Do your homework and be ready to answer hard questions. If I visit your company, I don't want to talk to your business development people. I want the techies. I want to see the results of your product on your company network, and I want to see the demonstrated ROI realized by you. I want to talk down and dirty tech. Tell me why it works. Show me that it does. Tell me it's current limits... then, and only then, will we have more to discuss.

3. Venture capitalists continue to push offshore development because the numbers make sense. You know what though? I won't buy it if there's no way to assure the security of the product, and EAL certification isn't it. Show me something that hits a product squarely with the newest attacks and handles it well. Base certification on that. Until then, VCs, you're limiting the ability of your portfolio companies to be able to sell to government and government contractors.

There, I said it. Want to know what the market looks like? Want to know what the market is going to look like? Want to know what kinds of threats your security tools need to be able to handle? Contact me. I'll tell you.

Jeff