Posts
I accidentally stumbled upon this gentleman’s detailed journey in pursuit of his CISSP. I am pleased (but not surprised) by his strong endorsement of his experience with Larry Greenblatt (our instructor), as we get a lot of affirmations on why Larry is our top instructor.

I just loved how he described Larry: “...And my cyber Kung Fu Guru, Larry Greenblatt!!!!! You are a brilliant superhero-level esoteric security arts master. You and Kirk and Spock (and Daler Mehndi too) made preparation fun and easier than it would have been otherwise...”

http://vidyashaker.spaces.live.com/blog/cns!AA9E404228D5B35!2385.entry - The CISSP Journey

In my opinion, it depends. Let me explain.

In the case of an open Wi-Fi AP advertised as free (e.g. coffee houses, commercial areas), it is obviously legal and ethical to use it since it is advertised as such. However, in the case of an unadvertised or unintentionally open Wi-Fi AP such as your neighbor’s AP (because they don’t know how to lock down their AP, etc.), it would be illegal and unethical to use their bandwidth without their knowledge and permission.

What would you do in this situation?

For me personally, I would abide by the “intent” of the owner of the Wi-Fi access point. If they did not clearly advertise and permit usage of their Wi-Fi access point, it should be assumed that it is illegal and unethical to piggyback off their Wi-Fi AP.

Operational Security.

What aspects of operational security are important to focus on when attempting to detect and limit unauthorized access to the network, systems and facilities?

I think it is crucial to focus on operational security based on all three types of controls: preventive, detective and corrective.

Although detection of unauthorized access to systems and facilities is critical, ultimately, in order to protect an organization’s information assets effectively, we must also implement preventive and corrective controls.

Preventive controls attempt to instill good practices and behaviors that reduce the threats to your information assets. Examples of these types of controls are: security awareness training, operational procedures training, and media access policies and procedures.

Detective controls attempt to track, alert on and triage potential breaches or violations. Examples of these controls are: IDS/IPS to detect or thwart malicious traffic, and vulnerability analysis and scanning to detect weaknesses in passwords, access controls, etc.

Lastly, corrective controls attempt to address lapses in operational controls, be it policies, behaviors, procedures, configurations, etc. Some examples of these are: enterprise virus protection and anti-spyware solutions; internal or external auditing initiatives to find gaps; or stronger identity management solutions to combat access control problems.

Based on your professional experiences, what are some of the challenges, barriers and industry accepted practices of your organization’s BCP/DRP?

I’ve gone through various BCP/DRP planning, implementation and testing activities during my career. The top challenges that I see are summarized below:

1. Buy-in/resource constraints: Even if we can get the management group to buy in and champion the criticality of having a BCP/DRP plan, it’s hard to get all business units to commit resources from each team to participate in the BCP/DRP planning. In my experience, the best way to get the resource commitment is to include BCP/DRP activities as part of the performance review and/or job responsibilities.
2. Complexity: Keep It Simple is my motto. Convoluted plans make it difficult to do things right during a crisis or disaster mode.
3. Outdated plans: I’ve seen BCP/DRP plans that have not been updated since 9/11 in many organizations. For example, many of the risk assumptions, contact information or emergency evacuation plans are no longer applicable nor relevant.
4. Lack of testing: Many organizations with BCP/DRP plans fail to exercise them. Testing regularly will ensure that the plans function as expected and will help organizations identify potential weaknesses in the plan.
5. Risk assessment: A comprehensive risk assessment is the prerequisite for a functional BCP/DRP plan. Without it, an organization would not know what services, people and processes are critical for the business if a disaster strikes. As such, it would not be possible to craft a workable BCP/DRP plan.

Within an existing enterprise, what are some of the contemporary obstacles and barriers to implementing a physical security policy or process?

In my experience, the biggest obstacle in implementing physical security policy and process is overcoming inherent human culture and behavior. Generally, it is human nature to trust the people around us at work, school and home. Most people are not trained to challenge or question perceived authority. This is why no-tech social engineering has been so successful.

For example, the old ‘piggybacking’ or ‘tailgating’ techniques used by social engineers are still as effective today. Most employees in a company are not trained to challenge other people who piggyback through entrances such as smoking areas or warehouse entries that are not typically staffed by security guards. It’s very difficult to change employees’ behavior and ask them to challenge anybody who seems suspicious or who is not wearing an ID.

For most companies, even if they have a strong physical policy or process, it is hard to change human behavior. The next best thing is to continue to train and educate people on the countermeasures against social engineers. Hopefully, with the help of technology and constant training, we can make it easier for employees to prevent, detect and report physical access violations.

From your experience, what are obvious indications of an ethical organization? Alternatively, provide examples of opportunities that allow for an unethical organization.

For me, an ethical organization should have the following characteristics:

1. A culture of honesty and disclosure (especially from top management).
2. A published code of ethics (or its equivalent, such as a company credo or values statement).
3. Ethics training for all employees.
4. A dedicated, trusted party to hear employees’ ethical dilemmas or to receive reports of potential ethics violations (such as an anonymous tip line with whistleblower protection).

Also, in my experience, most people do not have a problem reporting obvious ethics violations such as embezzlement, harassment or fraud. However, most people are reluctant to report minor ethical violations such as using company resources for personal gain or taking company supplies. In my opinion, each one of us needs to speak out on these seemingly trivial acts because they are still unethical or in direct violation of the company’s code of ethics.

I think technology has certainly amplified the effect of unethical decisions. Let us look at the biggest systemic ethical failure for this country – the financial market meltdown.

Technology has erased the geographical boundary for financial transactions. This globalization and the ability to move/transact money with greater speed has exacerbated the dangers and the impact of unethical investment decisions.

The subprime mortgage meltdown and the subsequent financial meltdown were not caused by one unethical behavior or by one single financial entity; they are a direct consequence of cumulative unethical behavior (greed) by buyers, brokers, bankers and financial entities.

The opportunities to make money (and bend lending rules) in a fast and furious electronic world, coupled with failures in corporate and regulatory governance, have created one of the biggest ethical failures of our time. The long road to recovery must include real ethics reforms in the financial industry.

I want to take a different approach and focus on the human capital and legal side of the ‘DID’ security architecture.

The positive side of doing DID (Defense-In-Depth) from the legal perspective is that if a breach does occur and a lawsuit follows, I believe that an organization with a well-implemented DID infrastructure will minimize its loss because it can show the court that it exercised due care and due diligence in thwarting attacks.

From the human capital perspective, once again, a well-implemented DID architecture will support the control objective of “Separation of Duties”. This should remedy the “God-Complex Network Administrator” syndrome, where one administrator has access to everything.

To me, a bigger obstacle to a successful implementation of any security solution, standard or process, is the work required to define ‘real metrics’ so we can measure performance of the security program and process.

Without the data/numbers to measure the success, the risk, the financial impact, the budget and the resources, we are just shooting in the dark when we make our business proposition to top management. As we all know, executives like to see empirical data such as risk/reward $$, cost improvement, productivity improvement and various other balanced scorecard metrics.

I believe that real metrics should be ‘quantifiable’ and ‘verifiable’. If one follows the COBIT taxonomy or ISO 27002, for example, then for each domain/control objective we need to come up with metrics that address that control objective.

For example, one of the control objectives is “Are Security responsibilities included in job descriptions and assessed during performance reviews?”

Depending on who answers this question, a “YES” or “NO” may very well represent different data points. As such, the data provided is subjective and qualitative. It is NOT ‘quantifiable’ nor ‘verifiable’ in my opinion.

A better way would be to define metrics such as:
- % of job descriptions with defined IS roles/responsibilities
- % of job performance reviews that include IS responsibilities and compliance
- % of personnel who completed the security awareness training

… so on and so forth.

Each organization can baseline its own acceptable %, but it is empirical data nevertheless for measuring the effectiveness and efficiency of the security program and process.

Until the IT world comes up with a standard list of ‘metrics’ for each of the control objectives, we will have to rely on IS practitioners to dive deeper into each framework and define what metrics matter to them and ‘quantify’ them. At least we have common control frameworks such as COBIT, NIST 800-x and ISO 27002 as a starting point.

References:
1. http://www.securitymetrics.org/
2. http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
3. http://www.itl.nist.gov/lab/specpubs/sp800.htm
4. http://www.iso27001security.com/html/27002.htm

I worked for a consulting company specializing in security training and consulting practice for Fortune 100 companies. Our motto is “The Best Defense is Good Practice”. The old adage “practice makes perfect” rings especially true in the security field. There are always going to be security vulnerabilities and exploits; we can never patch all the holes. However, if we have a well-defined security process as the starting point (good practice), we can continue to practice and improve our security posture against new challenges (best defense).

Once we’ve recognized the need to integrate the security process as part of the strategic IT goals, we need to ensure that we can break down those top-level strategic goals into tactical and operational goals. These goals will need to be clearly defined and aligned to business goals. In my opinion, this is a CTQ (Six Sigma concept – Critical To Quality) milestone because we need the ability to measure ROI on the security process and security service delivery for our management and business units. This is where ITIL and other related frameworks can help. At a minimum, these best-practice guidelines have a defined process for enumerating the metrics associated with delivering an IT service. After all, if we don’t know what we have and what processes are involved, how are we to measure and monitor our progress?

When we have defined the security metrics, we can measure and present ROI analysis more readily to management. After all, companies are in the business of making money, and having numbers and stats will significantly increase our chance of getting the C-level sponsorship and budget $$ we need to implement the security controls.

In my experience, to gain management buy-in/budget is often the longest phase of the security project life cycle. It is a daunting process and we (IT security practitioners) need to get better at making the business value proposition.

Once I’ve conquered the management buy-in/budget phase, I can be assured that I will have the appropriate resources to follow our defined security process and to implement the project the ‘right’ way. Otherwise, I have often found myself and my team taking shortcuts in our own security process just to meet the resource constraints. In every project that I have worked on, I always remind myself of and often repeat these four words: PLAN, DO, CHECK, ACT (the Deming Cycle).

The other benefit of getting management buy-in as part of the security process is accountability and cooperation. Once management has approved the project charter, they are ultimately accountable for the success of the project. It is in the best interest of the entire organization to see the project succeed. The motivation and cooperation of both IT and non-IT staff in this kind of environment is dramatically different when everyone cares about the project.

I’ve been in projects where everyone is excited about the new security process and the associated changes such as new record retention policy and log management requirements when we have the blessing and $$ to properly reward users for doing the right thing. On the flip side, the consequence for non-compliance is more effective coming from the top management team.

In conclusion, in my opinion, for an organization to assimilate security process as part of their corporate DNA will require security practitioners to spend more time in front of the board room than in the computer room.
