I want to take a different approach and focus on the human capital and legal side of the ‘DID’ security architecture.

The positive side of doing DID (Defense-In-Depth) from the legal perspective is that if a breach does occur with a forthcoming lawsuit, I believe that an organization with a well-implemented DID infrastructure will minimize their loss because they can show the court that they have exercised due care and due diligence in thwarting attacks.

From the human capital perspective, once again, a well-implemented DID architecture will support the control objective of “Separation of Duties”. This should remedy the “God-Complex Network Administrator” syndrome with access to everything.

To me, a bigger obstacle to a successful implementation of any security solution, standard or process, is the work required to define ‘real metrics’ so we can measure performance of the security program and process.

Without the data/numbers to measure the success, the risk, the financial impact, the budget and the resources, we are just shooting in the dark when we make our business proposition to our top management. As we all know, executives like to see empirical data such as risk/reward $$, cost improvement, productivity improvement and various other balanced scorecard metrics.

I believe that real metrics should be ‘quantifiable’ and ‘verifiable’. If one follows the COBIT taxonomy or ISO 27002, for example, then for each domain/control objective we need to come up with metrics to answer that control objective.

For example, one of the control objectives is “Are Security responsibilities included in job descriptions and assessed during performance reviews?”

Depending on who answers this question, a “YES” or “NO” may very well represent different data points. As such, the data provided is subjective and qualitative. It is NOT ‘quantifiable’ nor ‘verifiable’ in my opinion.

A better way would be to define metrics such as:
- % of job descriptions with defined IS roles/responsibilities
- % of job performance reviews that include IS responsibilities and compliance
- % of personnel who completed the security awareness training

… so on and so forth.

Each organization can baseline their acceptable %, but it is empirical data nevertheless for measuring the effectiveness and efficiency of the security program and process.

Until the IT world comes up with a standard list of ‘metrics’ for each of the control objectives, we will have to rely on IS practitioners to dive deeper into each framework and define what metrics matter to them and ‘quantify’ them. At least we have a common control framework such as COBIT or NIST 800-x, and ISO 27002, as a starting point.

References:
1. http://www.securitymetrics.org/
2. http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
3. http://www.itl.nist.gov/lab/specpubs/sp800.htm
4. http://www.iso27001security.com/html/27002.htm

I worked for a consulting company specializing in a Security Training and Consulting practice for Fortune 100 companies. Our motto is “The Best Defense is Good Practice”. The old adage “practice makes perfect” rings especially true in the security field. There are always going to be security vulnerabilities and exploits; we can never patch all the holes. However, if we have a well-defined security process as the starting point (good practice), we can continue to practice and improve our security posture against new challenges (best defense).

Once we’ve recognized the need to integrate the security process as part of the strategic IT goals, we need to ensure that we can break down those top-level strategic goals into tactical and operational goals. These goals will need to be clearly defined and aligned to business goals. In my opinion, this is a CTQ (Six Sigma Concept – Critical To Quality) milestone because we need the ability to measure ROI on security process and security service delivery for our management and business units. This is where ITIL and other related frameworks can help. At a minimum, these best practice guidelines have a defined process for enumerating metrics associated with delivering an IT service. After all, if we don’t know what we have and what processes are involved, how are we to measure and monitor our progress?

When we have defined the security metrics, we can measure and present ROI analysis more readily to management. After all, companies are in the business of making money, and having numbers and stats will significantly increase our chance of getting the C-level sponsorship and budget $$ we need to implement the security controls.

In my experience, gaining management buy-in/budget is often the longest phase of the security project life cycle. It is a daunting process, and we (IT security practitioners) need to get better at making the business value proposition.

Once I’ve conquered the management buy-in/budget phase, I can be assured that I will have the appropriate resources to follow our defined security process and to implement the project the ‘right’ way. Otherwise, I have often found myself and my team taking shortcuts in our own security process just to meet the resource constraints. In every project that I have worked on, I always remind myself of, and often repeat, these four words: PLAN, DO, CHECK, ACT (The Deming Cycle).

The other benefits of getting management buy-in as part of the security process are accountability and cooperation. Once management has approved the project charter, they are ultimately accountable for the success of the project. It is in the best interest of the entire organization to see the project succeed. The motivation and cooperation for both IT and non-IT staff in this kind of environment is dramatically different when everyone cares about the project.

I’ve been in projects where everyone is excited about the new security process and the associated changes, such as a new record retention policy and log management requirements, when we have the blessing and $$ to properly reward users for doing the right thing. On the flip side, the consequence for non-compliance is more effective coming from the top management team.

In conclusion, in my opinion, for an organization to assimilate security process as part of their corporate DNA will require security practitioners to spend more time in front of the board room than in the computer room.

I have often brought up in my classes how information can be classified into four Boolean groups:

1) The things you know you know (true information – Boolean 11, true truths)
2) The things you know that you don’t know (limited information – Boolean 10, true false)
3) The things you don’t know that you don’t know (no information – Boolean 00, false false)
4) The things you think you know but turn out to be wrong (false information – Boolean 01, false truths)

I argue that the 4th class above is quite often overlooked and that most taxonomies end at “the things you don’t know that you don’t know” or what I will call class 3 threats. We have all likely been confronted with some proponent of how class 3 attacks are the most dangerous because of the lack of information about some threat leading to an exploit of such lack of knowledge. But I suspect it is the class 4 threats that cause more loss.

Using misinformation, a threat agent can cause a defender to place undue attention on some decoy attack, so the attacker has more time to attack with the real threat. To put this into simple martial arts terms, if the attacker can get you to stare at the right hand, the left is more likely to slip in under the radar. I typically demonstrate in my classes how a sucker punch works and why it is so effective. While having a well-rounded martial arts background is good stuff, most street fights, I argue, are won by spoofing someone’s trust to get within an arm’s length and just hitting them upside the head. And the weapon can be a fist, beer mug or even a titanium thumb drive (I love my titanium drive).

This can be extrapolated into any organizational defense tactic, from military to corporate information security. There is an old saying: “if they can get you to ask the wrong question, answers don’t matter”. How many exploits are due to such misguided thinking? From social engineering to SPAM and related phishing attacks, so frequently we read about defenders missing attacks that slipped in because of some spoofed identity. Not that all such attacks are bad. I do not harbor any harsh judgments against any hunter using a duck whistle. Class 4 attacks are a fundamental part of the information warfare game. I suspect many noble warriors have used decoys, fakes and other distraction techniques.

We see problems related to both deliberate misinformation (spoofing / masquerading / impersonation / counterfeiting) and accidental misinformation (misunderstood terms / poorly written or understood requirements, policies and procedures). I have heard from many security officers that their biggest exploits are due to “failure to follow procedures”.

So what is the defense against such problems? Well, it is my opinion that the best way to reduce the risks associated with misunderstandings is a consistent awareness program. Just as no one really masters a martial arts program and then can rest on their laurels, a defender must constantly not only learn new things but challenge existing knowledge for accuracy and relevance.

I spent a good part of a week this past December watching a Chinese TV serial adaptation of the Jin Yong novel “The Return of The Condor Heroes” produced by CCTV, 2006. I really hope to read the original novels someday, as the basic premise revolved around misunderstandings. There were no real “good” or “bad” people per se, just people trying to survive in very challenging times, and through a series of misunderstandings, formed relationships that sometimes were quite threatening. All through the story we are introduced to people from different families, religions, ethnic groups and schools of thought. All were subject to making mistakes based on misunderstandings.

Today we live in very challenging times. And if Moore’s law continues to hold, this situation is likely to become only more so for the next decade and beyond. Armed with this assumption, a very useful skill to have in defending the common wealth against the harshest of class 4 attacks is “understanding”. As the spread of information brings new threats to our wellbeing, there is another side of the coin, and that is the wonderful opportunity to learn more about our Earthly (and celestial) neighbors.

From the Big Bang
Through the Blackest Holes
Peace & Victory for the Common Wealth