Archive for the Security Policy Category

Security Policies Start At the Top

As an adjunct instructor at ITT Technical Institute for the past four years, I enjoy introducing a new topic to newer students and then seeing them a year or two later to see how far they have come.

For most, the concept of policy, and more specifically security policy, is foreign. I think they must get tired of hearing me answer "it all depends" or "what is the policy, and why does it exist that way?"

Joan Goodchild, Senior Editor of CSO magazine, wrote a recent article, The Seven Deadly Sins of Security Policy. Here are her seven deadly sins of security policy:

  1. Failing to do a risk assessment before crafting a policy
  2. Having a ‘one-size-fits-all’ mentality
  3. Failing to have a standard template
  4. Having policies that only look good on paper
  5. Failing to get management to buy in to the policy
  6. Writing policy after a system is deployed
  7. Lack of follow up

It is my experience that the biggest issue is lack of buy-in from the top. Without top-level buy-in, why should anyone read or follow the policies, or believe they are enforceable?

For many organizations, security is viewed as the "business prevention department." The challenge security professionals have the world over is justifying the associated expenses. Security is an expense, but for many organizations it is absolutely necessary, and it can even be used to differentiate the organization from its competition, attract employees, and have a positive impact on the bottom line.

There are many deadly sins with respect to security, and the worst, which is not one of the seven, is something many organizations are guilty of: they have no formal security policies at all.

Cyber Security: Home and Business Guidelines

The U.S. Department of Homeland Security, as part of its National Cyber Security Awareness Month, has created a list of fourteen things home users can do to bolster cyber security.

  1. Use a suite of automatically updating security tools that includes anti-spyware, firewall and anti-virus software.
  2. Be sure your operating system and Web browser are set to automatically update.
  3. Use long, complex passwords for both your computer and your wireless network that include numbers, symbols and letters, and change them every 90 days.
  4. Maintain vigilance online and be skeptical about giving up personal information.
  5. Turn off your computer when you are not using it.
  6. Employ the same online safety behaviors when “surfing” on a mobile device.
  7. Be on the lookout for signs of an infected computer including slower processing times, unwanted pop-up ads and increased spam.
  8. Talk to your kids about good online safety and security habits, including protecting their personal information and their reputation.
  9. Know what sites your children are visiting online, and check their social networking regularly.
  10. Regularly back up your files either online or to an external hard drive (and store in a secure location).
  11. Post cyber security tips on your favorite community Listserv.
  12. Go to your favorite search engine and search by your name and other family members to see what is on the web about you.
  13. Make sure your children know that they can come to you if something online makes them uncomfortable, including what others are posting about them, unwanted contacts, and questions they have about staying safe online.
  14. Learn more at www.staysafeonline.org.

Good list? Yes.

What about business? The best checklist I have found for good cyber security for the average business is the twelve requirements of the Payment Card Industry Data Security Standard (PCI DSS):

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Simple? No. But it is a great list to build a security plan upon.

National Cyber Security Awareness Month

October is National Cyber Security Awareness Month, as proclaimed by the U.S. DHS. The premise behind this is good: create awareness of cyber security. The DHS's campaign will seek to:

  • Raise awareness of cybersecurity risks, consequences and available resources to a broad universe
    of information technology stakeholders  
  • Reinforce shared responsibilities and provide a call to action to all computer users
  • Direct stakeholders to tools, products and services they can use to protect their part of cyberspace
  • Leverage Awareness Month events and activities to build a common culture of shared priorities
    across the full range of cybersecurity stakeholders
  • Encourage interest of students in the cybersecurity field and help develop the next generation of
    cybersecurity professionals
  • Promote the Cyber Security Awareness Volunteer Education Program (C-SAVE)

Security professionals the world over need all the help they can get to create awareness of their craft. For the most part, security measures, be they physical or cyber, are business expenses. The challenge security professionals have is to justify those expenses in a manner that helps improve the overall appeal of the business from the perspectives of its customers, partners, employees and investors.

For most of us working in the cyber security profession, we are viewed as smart, but our value is questioned. "We pay this guy how much for doing what exactly?" "If we did not do 'this', what would be the impact?" "Do we really need to jump through all of these hoops?" "Do we really need to buy all of these security tools, applications and appliances?" "Wasn't our security policy just updated?"

Some things are just hard. Cyber security is one of those hard things. It is tough to see, quantify and qualify. The better we are at creating reasonable awareness of the issues confronting our business and industry, the better and more effective we will all be at performing our security jobs.

Prudent Man of Information Security

There are things we should fear and things we should not. Lost data due to poor backup procedures, failure to safeguard core intellectual property, and security policies with no enforcement teeth are things we should fear. Terrorism (unless you are DHS or a high-value target) is one we ought to put low on our list of concerns.

Joan Goodchild, Senior Editor of CSO magazine, wrote The Seven Deadly Sins of Building Security:

  1. Creating post orders without advanced analysis
  2. Placing aesthetics over security
  3. Neglecting to properly secure certain entrances
  4. Allowing management to ignore security rules
  5. Failing to take time to understand your technology
  6. Failing to secure important rooms inside the building
  7. Overdoing security

This is a solid list, and it rests on the prudent man principle applied to information security: those responsible for investing money to secure operations should act with prudence, discretion, intelligence, and regard for the safety of the capital as well as for the level of information security sought and actually achieved.

There are all types of security people, and we need them all, from the firewall/IDS/network security specialist and the physical security specialist to the policy writers and auditors. However, we also need a manager who sees and understands all of the key parts of organizational security and can map them onto the organization's goals.

The key is to make a regular and complete assessment, implement sound processes, procedures and technology solutions, and manage and monitor them continuously. Then stay at it, doing it over and over. Boring, yes, but good security was never designed to be exciting. It needs to be in place when it is needed.

Finding someone who can balance what is good and financially in line for the organization against what a security purist hopes for is where you will find the prudent man (or woman) of information security.

P2P Filesharing Legislation

P2P legislation talk is rearing its head again.

House Oversight and Government Reform Chairman Edolphus Towns today is expected to blame the Bush administration for having a laissez-faire attitude that has allowed privacy and security problems posed by peer-to-peer networks to persist online. At a hearing on the topic, he is likely to call for legislation to guard against inadvertent file-sharing, heightened FCC involvement and the creation of a public awareness campaign to inform people about the dangers of P2P software.

Making a law outlawing P2P software is not the answer; policy enforcement is. It is not the P2P service providers' fault that enterprise users elect to install and use P2P software to get at images, programs, and entertainment.

P2P software is found on just about every home computer where there is a user under 30 years of age. They see the direct benefits of "free" music, TV shows and movies. Most have never experienced the negatives: no police knocking at their door, no security incident turning their computer into a boat anchor. Most have no idea what the risks are.

Using P2P software and public file-sharing services on business or organizational networks raises a whole series of issues. Copyright infringement, unlicensed software, and security problems galore, from Trojans and bots to offensive material, can make their way across the network, not to mention the bandwidth consumption and lost productivity.

If P2P software is found within the enterprise, then there is either poor education, weak policies, poor enforcement, or a combination of all three. A law would still require education and enforcement. Solid policy and its associated enforcement are better medicine than Congressional action.
