Musings on Information Security - September 2005
This work is licensed under a Creative Commons Attribution 2.5 License.
Who gets to manage security?

Please check out this interesting article: "Techies don't get security either".

The message of the article is compelling: pure security techies cannot progress beyond a certain point in their careers, hence the people who manage security in a company are most likely to have a business background.

When I started my business degree (MBA), it was more of a "herd" mentality - hats off to the tremendous _marketing_ of the business schools. The business school marketing message is clear: get an MBA degree and become a manager, director, entrepreneur, venture capitalist and so on.

Managing risk in a company requires "business sense", which many security techies may not have; "business sense" involves communication skills, project management skills and political skills. Irrespective of my poor justification for entering an MBA program, in hindsight it turned out to be a good decision: the program has given me some "business common sense".

I think that for security techies (or any techies, for that matter), acquiring "business sense" is a must in order to grow. A business degree is not the _only_ way to get business sense (which I was originally led to believe) - there are a lot of good books; check out http://www.mypersonalmba.com

Quotable security quotes #5

"I'd sit there and first I'd look through the comments, pick through the security holes, and then I'd see what the developer did to fix it because they'd always leave it well commented - thank you very much - and then I'd work back and figure out how I could write exploit code to exploit their vulnerabilities."

- Kevin Mitnick

Simplified Security - Tip #9: Implement sound personnel practice

Implement sound personnel practice - Benefit: the company has a better chance of minimizing internal threats.

It is a well known fact that the majority of threats are internal. Company employees often knowingly or unknowingly leak proprietary information. Imagine for a moment confidential data in the hands of a disgruntled employee; the ramifications are tremendous.

Sound personnel practice involves many things:

Job description - This is the first step in the hiring process. Make sure to classify the security level of the job i.e. whether the job warrants exposure to critical data.

Background checks - Make sure you hire good people by running background checks on them. Moreover, hire people who have appropriate security clearance with respect to job classification.

Roles and responsibilities - As soon as employees are on board, define roles and responsibilities clearly. Determine their data access profile based on roles and responsibilities. Don't grant them access to more data than what is necessary to get the work done.

Cross training and job rotation - Cross train employees so that there is no single point of reliance. By rotating jobs you can prevent collusion, information hiding and cheating.

Following sound personnel practice does not imply that we distrust employees; rather, it implies that we are selective about whom we trust and that we believe in processes that can help expose any violation of that trust.

Thought #9: Why is mandatory vacation for employees a good idea?

Simplified Security - Tip #8: Classify data or document

Data or document classification - Benefit: the company can prioritize and allocate the required security resources to protect data or documents according to their classification.

Companies should have a consistent data or document classification methodology. Not all data are confidential, some are more confidential than others, some are for private use and some are for public consumption. Classifying the data depends on the company's context. However, there are some general tips to classify data:
1. Usefulness, Timeliness, Value, Age, Lifetime (or when it expires) of data
2. Data disclosure/modification damage assessment
3. Who has access to the data and what restrictions apply
4. National security implications of the data
 
These are the typical business/private sector classifications of data or documents:
 
Confidential - Highest level. Used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for company if confidential data is disclosed.
 
Private - Used for data that is of private or personal nature and intended for internal use. A significant negative impact can occur for the company or individuals if private data is disclosed.
 
Sensitive - A negative impact could occur if the data is disclosed.

Public - Disclosure does not have a serious negative impact on the organization. This is also the default classification bucket for data that does not fit the above categories.
 
Declassification is the process of changing the classification category of a data item or document: if it no longer warrants its current protection level, it is reclassified into a different level.

Thought #8: Why is declassification very important?

Quotable security quotes #4

"You have zero privacy anyway. Get over it."

- Scott McNealy

Mozilla/Firefox security vulnerabilities?

The "default" trust that users put in Firefox (by Mozilla Corporation) is being questioned. Many of my friends have told me: if you worry about browsing security, use Firefox.

Recently, it has been noted that Firefox has a higher number of serious vulnerabilities than Internet Explorer. Check out this article: "Mozilla's popularity stressing its security image".

Firefox differentiated itself from Internet Explorer by its security. Is it not time for Mozilla Corporation to win back that default trust? Where is Firefox's fire in the belly?

Skype security story - is it a sky high hype?

Since I don't work for Skype, I was flabbergasted to hear that eBay bought Skype for a whopping $1.3 billion in cash and $1.3 billion in stock. It looks like eBay CEO Meg truly started having visions!

Here is a wonderful story by Scott Granneman about Skype's security concerns.

I agree with Scott's view that there is no yardstick by which to size up Skype's security, since it is a proprietary technology. You have to trust Skype to a ridiculous extent to pay a billion - twice over!

Simplified Security - Tip #7: Implement change control

Implement change control - Benefit: the company has a trail of the changes that have been effected on its configuration, and it will minimize any bad ramifications on its infrastructure.

Security is a function of configuration. Configuration, in simplistic terms, is a snapshot of the arrangement of the various things in an infrastructure. In a collection of servers, if one of the servers is upgraded, the upgrade task, however simple it may be, could have far-reaching ramifications, good and bad. The objective of a change control mechanism is to minimize the bad ramifications. A change control mechanism not only keeps track of changes to the existing configuration, but also enables a company to roll back the changes if there are any issues.

A change control mechanism should keep track of: date/time of the change, duration of the change, description of the change, business owner of the change, resources needed to implement the change, systems/applications affected, roll-back procedure, list of approvers for the change, security ramifications and, last but not least, justification for the change. There could be other things that the change control mechanism keeps track of, depending on the company's needs.

A change control mechanism can be implemented simplistically as a web based application. It is a good idea to follow up each change with a postmortem report. Any change that bypasses the change control mechanism should be discouraged and dealt with appropriately.

Thought #7: Which division head is a mandatory approver for change control?

Quotable security quotes #3

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."

- Gene Spafford

Quotable security quotes #2

"Hoaxes use weaknesses in human behaviour to ensure they are replicated and distributed. In other words, hoaxes prey on the Human Operating System." - Stewart Kirkpatrick

Simplified Security - Tip #6: Document retention policy

Document retention policy - Benefits: the company has a valid legal defense against accusations of willful destruction of documents, and it helps the company conform with section 1519 of the SOX requirements.

I decided to separate this policy from the other policies because of the emphasis given to it under section 1519 of SOX. The term document is used generically here to include electronic documents such as e-mail and web pages.

Following are the key drivers for a document retention and destruction policy:

1. If a company does not have a schedule of document retention and destruction, the opposing party can accuse the company of selective, willful destruction of documents, and hence of evidence. The jury might even award the case against the company.

2. A schedule of document retention and destruction can help prevent damaging documents becoming available in future litigation.

3. SOX 1519 imposes criminal penalties: "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

These are guidelines that can be followed before establishing a document retention and destruction program:

Industry standards - Get input from others in a similar trade about the retention time frame.

Governmental requirements - As an example, the IRS can audit tax records up to 7 years back.

Possible litigation - If a company foresees possible litigation, documents relevant to that litigation should be preserved for a reasonable time period.

Cost of the retention and destruction program - Weigh the pros and cons of spending too much money on the program vs. the risks if this is not done.


Thought #6: When you destroy a document, what additional step do you need to perform?

 

Quotable security quotes

"You can't consider the problem of defense without first understanding the problem of attack."

- Doug Tygar, a professor of computer science and information management at UC Berkeley

On-demand and its security ramifications

On-demand software is software hosted by the vendor and made available over the web to customers for a fee.

salesforce.com is going great guns with its on-demand platform, AppExchange. It is a terrific concept. In simple terms, if a company wants to "on-demandify" a software product, it can do so by tweaking its application to run on the salesforce.com on-demand platform and making it available to salesforce.com customers via the AppExchange.

Application + salesforce.com on-demand platform => Application available on AppExchange

Think of a small software company which has a terrific product but does not have the resources to market it. If it gets its application onto the AppExchange platform, it can charge a fee and gain the potential to generate a revenue stream right away. Imagine the leverage a small software player can get out of this! Business Week calls AppExchange an eBay for business software.

On-demand sounds too good - but what about the security concerns? The customer's data, the customer's customers' data and so on are all in the hands of the on-demand vendor.

On-demand customer: How do you trust your data with on-demand software vendor?

On-demand vendor: 1. How do you convince your customer about your security?

On-demand vendor: 2. How do you convince on-demand platform developers that your framework does not compromise their application's security?

I will address some of these issues in my upcoming posts.

Simplified Security: Tip #5 - Formulate a security policy

Formulate a security policy - Benefit: it provides the framework within which security is implemented.

One of the definitions of security policy from RFC 2196 is: "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

Now that you are aware of your objectives from the previous step, it is much easier to set a security policy within the framework of your needs. A good policy should make sense, should be easily understandable and should align with the company's overall business goals. There are three types of policies: Regulatory - mandated by legal requirements; Advisory - acceptable practices and the consequences of violation; Informative - not enforceable, provides information.

A good policy should contain (some of these items are borrowed from Cisco):

Statement of authority and scope

Acceptable use policy

Identification and authentication policy

Internet use policy

Corporate network access policy

Remote access policy

Incident handling policy

Policy is very powerful because it is a tool you can use to reduce the cost of security! As an example, if the cost of implementing instant messaging security is too high, we could have a policy disallowing the use of instant messaging, which literally costs nothing.

Thought #5: Without a policy, can a company be legally empowered to pursue a lawsuit against misuse?

Hometown goes Wi-Fi!

My hometown is the southern Indian city of Mysore. In terms of information technology (IT) it was considered a sleepy town. Recently there have been many IT developments that are changing Mysore's image. Infosys located its training institute in Mysore. IBM intends to do something in Mysore; it has acquired land there. A more interesting development is that a company called "WiFiyNet" has installed three access points (hotspots) in the city. WiFiyNet currently provides internet access for a flat rate of Rs. 750 (about $17) a month. The speed is 128 Kbps. The state government IT department is encouraging the deployment of such Wi-Fi hotspots across small towns. Another town, Kushalnagar, which is 100 km from Mysore, already has a Wi-Fi hotspot.

Interestingly, the cellular phone service providers caused a revolution of "cell phones for the masses" in India. Cell phones have percolated even to the remotest rural areas and have impacted business and society irreversibly, in many ways. Will Wi-Fi result in "internet access for the masses"? I would take a middle ground here. Use of a cell phone and use of a computer for internet access are not the same. The latter requires more resources, awareness and training. But for techies and the computer literate this is a revolution to ride on - is it not wonderful to live in a clean city like Mysore and work for software companies in infrastructure-choked Bangalore?

Before closing this post, I would like to visit my favorite theme: security in Wi-Fi. There are two types of hotspot, the "open hotspot" and the "closed hotspot". Open hotspots are open to all wireless users. Closed hotspots use a WEP (Wired Equivalent Privacy) key; in order to connect, the wireless user has to supply the shared WEP key. WEP uses 40-bit and 128-bit encryption. The higher the key length, the harder it is to break.

I am not sure if my hometown Wi-Fi users have started worrying about Wi-Fi security at this point, but at some point in the very near future they will have to.

Cost of information vs. Cost of hardware

Whenever we protect an IT asset, we factor in the cost of the hardware. As an example, when we are protecting a computer, we are inclined to think: why spend $50,000 protecting a $1000 computer? We need to drill down and think:

1. What kind of information the computer has?

2. How relevant and valuable that information is for the business?

Based on 1 & 2 - $50,000 spent in protecting the business may be well worth it!

My security blog peer Rob pointed to an excellent link: "Katrina: tough lesson in security".

Simplified Security - Tip #4: Set Realistic Security Objectives

Security Objectives - Benefit: the company will set realistic objectives based on the asset risk assessment, within the estimated budget.

Now that we have data from the security/compliance audit and an approximate security budget from the asset risk impact assessment, we are in a strong position to set our security objectives realistically, based on our security context and budget. Once the list of objectives is set, we also need to decide whether we need a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).

BCP involves assessment of risks, creation of policies, procedures to minimize impact of those risks on organization if the risks were realized. DRP outlines steps that organization executes to resume normal operation after disaster strikes.

BCP needs to be implemented to minimize the impact of losing the assets (which include personnel) identified in the asset impact assessment. Not all assets will need a BCP. It is for the company to question the criticality of an asset, whether it matters, and decide if it really needs a BCP. By being selective about the assets that need a BCP, significant cost reduction can be achieved. Moreover, having too many items in the BCP results in scattered, wasteful effort.

The next big question is whether a company needs a DRP. This is where most companies go wrong by overspending. The answer depends on the company's context. The key factor here is "mean tolerable downtime". If a company can stay down for a month without significant impact, why spend money on a dedicated hot backup site? A prudent approach would be to have a reliable backup strategy for existing data and a plan to recover the data onto duplicate servers within the specified time frame. There is no rule that every company needs a DRP. If a company is nimble enough, it can always relocate to an area less prone to disasters if the cost of a DRP is too high. Also, by staying focused on critical assets, a company can realize significant cost savings in DRP.

Thought #4 - Can DRP be considered as a part of BCP?

Wireless techy terms..

The Wireless Fidelity (Wi-Fi) arena has its own set of technical terms, which have gained acceptance over the past few years. I would like to share some:

Wardriving: trolling in vehicles with specialized gear in search of wireless nets.

Warflying: wardriving from the air

Warwalking: wardriving on foot using handheld pocket equipment.

Warchalking: marking buildings and sidewalks with wireless net designators.

<you_give_it_a_name>: stealing a neighbor's wireless bandwidth

Simplified Security - Tip #3: Asset Risk Impact Assessment

Asset Risk Impact Assessment - Benefit: the company will get to know a ballpark budget figure, and will know how to allocate the security budget wisely.

This involves three parts: Asset Assessment, Risk Assessment and Impact Assessment.

Asset Assessment - In this phase the business unit leaders rank the priority of their business unit's assets. They also estimate the maximum tolerable downtime for each asset. Using this data from the various business units, a company-wide asset priority table is created. Typically, this is arrived at by giving weightage to the different business units and normalizing the asset ranking across business units.

Risk Assessment - Risk is the possibility that a threat will exploit a vulnerability. The words risk and threat are used interchangeably here. In this phase all the risks/threats that can affect our prioritized assets are identified.

Impact Assessment - This is the phase where we measure the likelihood of a risk being realized on an asset. If the risk event is realized once, the loss is the Single Loss Expectancy (SLE). If the risk event occurs at an Annualized Rate of Occurrence (ARO), we can compute the Annual Loss Expectancy (ALE). For a risk/threat event to happen, a vulnerability has to exist. A safeguard is a countermeasure which removes the vulnerability and protects against one or more specific threats. The rule of thumb is that the annual cost of a safeguard should not exceed the annual cost of the asset loss it prevents!

There are five actions that we can take on a risk/threat:

Reduce - Implement safeguard to reduce risk

Assign - Buy insurance

Accept - Accept the consequences, make sure to document it!

Reject - Deny that risk exists

Transfer - Outsource the asset and hence the risk

Please see the attached sample impact table in Excel format to arrive at the estimate of the total cost to mitigate risk. This cost is a ballpark estimate of how much you should be willing to spend on security. This is the phase where you can plan to squeeze the most out of your dollar. As an example, if the analysis indicates that the cost of safeguards for the data center is way too expensive, you could use a co-location facility where such safeguards exist and address your needs through a well-defined SLA with the co-location vendor.
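An added example, not from the original post or its attached spreadsheet, that carries the SLE/ARO/ALE computation above through to a reduce-or-not decision for a few constructed threats and normalizes asset priority across weighted business units. The exposure factor (the fraction of the asset's value lost in one incident) is the standard SLE input and is assumed here, since the post does not name it.

```python
# Added example, not part of the original post: a small asset risk impact table
# carrying the SLE / ARO / ALE computation through to a per-threat decision,
# plus the weighted normalization of asset priorities across business units.
# All asset values, rates and costs below are constructed sample figures.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset: str
    asset_value: float      # value of the asset to the business, information included ($)
    exposure_factor: float  # fraction of the asset lost in one incident (0..1); the
                            # standard SLE input, assumed here since the post does not name it
    aro: float              # Annualized Rate of Occurrence (incidents per year)
    safeguard_cost: float   # annual cost of the proposed safeguard ($)
    residual_ef: float      # exposure factor once the safeguard is in place
    residual_aro: float     # ARO once the safeguard is in place


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: loss from one occurrence of the threat."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annual Loss Expectancy: SLE times the annualized rate of occurrence."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(t):
    """Net annual value of a safeguard: the ALE it avoids minus its annual cost."""
    before = ale(t.asset_value, t.exposure_factor, t.aro)
    after = ale(t.asset_value, t.residual_ef, t.residual_aro)
    return before - after - t.safeguard_cost


def recommend(t):
    """Rule of thumb from the post: implement (reduce) only when the safeguard
    costs less per year than the loss it prevents; otherwise the threat is a
    candidate to accept, assign (insure) or transfer (outsource)."""
    return "reduce" if safeguard_value(t) > 0 else "accept/assign/transfer"


def security_budget(threats):
    """Ballpark budget: the annual cost of every safeguard worth implementing."""
    return sum(t.safeguard_cost for t in threats if recommend(t) == "reduce")


def prioritize_assets(unit_rankings, unit_weights):
    """Combine each business unit's asset ranking into one company-wide list.

    unit_rankings: {unit: [assets, highest priority first]}
    unit_weights:  {unit: weight of that unit to the company}
    Each asset scores (n - rank) / n inside its unit, so rankings of different
    lengths are comparable, then the unit's weight scales the score. An asset
    named by several units accumulates all of its weighted scores.
    """
    scores = {}
    for unit, ranked in unit_rankings.items():
        n = len(ranked)
        for rank, asset in enumerate(ranked):
            scores[asset] = scores.get(asset, 0.0) + unit_weights[unit] * (n - rank) / n
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample table. The data-center row mirrors the post's own case: the
# safeguard is too expensive relative to the loss it prevents, which points to a
# co-location facility with an SLA instead of building the protection yourself.
THREATS = [
    Threat("ransomware", "file server", 200_000, 0.5, 0.2, 15_000, 0.1, 0.2),
    Threat("fire", "data center", 2_000_000, 0.8, 0.01, 60_000, 0.8, 0.001),
    Threat("theft of laptop holding customer data", "sales laptop",
           50_000, 1.0, 0.5, 2_000, 0.03, 0.5),
]

UNIT_RANKINGS = {"sales": ["crm", "laptops"],
                 "engineering": ["source repo", "build server", "laptops"]}
UNIT_WEIGHTS = {"sales": 0.6, "engineering": 0.4}

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:40s} ALE ${ale(t.asset_value, t.exposure_factor, t.aro):>10,.0f}"
              f"  safeguard value ${safeguard_value(t):>10,.0f}  -> {recommend(t)}")
    print(f"ballpark annual security budget: ${security_budget(THREATS):,.0f}")
    print("company-wide asset priority:", prioritize_assets(UNIT_RANKINGS, UNIT_WEIGHTS))
```

Note that the laptop row values the asset by the information on it rather than the hardware price, which is the point of the post on the cost of information vs. the cost of hardware.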

ChangeThis Manifesto Proposal

I am extremely happy to share with you that my ChangeThis manifesto proposal has been accepted. The topic is "Simplified Security: 25 tips for a company to implement security." My intent in writing this manifesto is to help companies of any size implement information security in a simplified fashion. On one extreme, there are big companies who spend a lot on information security and don't get much out of it, and on the other extreme there are small companies who think they cannot afford information security. I want to reach out to both extremes and advise them that by using the simplified security methodology they can implement security on a prudent budget and not be lured into needless spending driven by the buzzword-driven marketing of security vendors.

Please encourage me to write this manifesto by voting for my proposal at:

http://www.changethis.com/proposals/524

Your votes really count and will be a motivating factor for me to excel in writing this manifesto.

Gone are those good old carefree days...

Last Thursday, I met with my past manager over lunch. We were talking about our good old experience at Excite@home. Here are some things that we wondered together about security:

Gone are those days, when we thought perimeter security was just a router access list.

Gone are those days, when we did not have anti-virus on our desktop and were not worried about the infection.

Gone are those days, when password expiry meant strong authentication.

Gone are those days, when you could telnet across systems and never worry about cleartext transmission.

Gone are those days, when you received a couple of spams in a few days.

Gone are those days, when there was no information security team even in companies of few thousand employees.

Gone are those days, when security was just an option not law.

Gone are those good old carefree days!

Simplified Security - Tip #2: Conduct security audit

Perform a security audit - Benefit: the company will know where it stands in relation to security.

Performing a security audit even before setting security objectives is a rather new concept. My point is: without knowing where we are right now, how can we decide where we want to go and what we want to become? Moreover, the results of the audit can provide "points to ponder" and can help us set near-realistic objectives.

It is a good idea to get audited by a third party. Also, combine the compliance audit and the security audit. By looking at the results of the compliance audit and the security audit, we can align security audit items along the lines of compliance in order to gain synergy.

Last but not least, an audit is a repeatable event. Audits should be performed at a frequency determined by the risk of the company.

Thought #2 - Is risk the only determining factor for the frequency of audits?

Cyberscams in the name of Katrina

Web sites with Katrina in their names have sprung up and are relieving charity givers not only of their donation money but also of their credit card numbers. Domain names with a "Help Katrina" theme are being auctioned on eBay and are selling like hot cakes! To top this, there are numerous email scams in the name of Katrina that mislead charity givers to bogus web sites. Before you donate, check out FEMA's web site for a list of reputable charity agencies that are trustworthy and have a reliable track record.

Simplified Security - Tip #1: Constitute a security team

Constitute a security team - Benefit: a single point of accountability

Most start-ups do not have a security team. The rationale is that if the company is small, there is no need for security. On the contrary, the smaller the company, the higher the risk of competitive threat due to loss of proprietary information. Smaller companies are ill equipped to handle security incidents, which makes them even more vulnerable. Companies, big or small, need to have a single point of accountability for security. It is a good idea to constitute a security team consisting of core members whose job is full-time security, plus other cross-functional members. The security team should be headed by a Chief Security Officer (CSO) who reports to the CIO. The CSO is accountable for security in the company. The other alternative is to make the CSO report to the CEO, which can vest higher leverage in the CSO, so that the CSO can implement security without being biased by the CIO's office.

Thought #1 - Should venture firms fund a start-up company without security team?

Simplified Security - 25 tips for a company to implement security

CIOs spend money to implement security. More money spent makes them feel more secure. The security world is filled with complex, confusing product offerings. CIOs are often trapped into spending on products that bring little value. Moreover, it is very difficult to measure the ROI of a security budget, and this leads to further confusion. The strong basis of a security budget is risk reduction. Well, how much money are you willing to spend on your car insurance? An amount that justifies the risk, and not a penny more.

My good friend Rajesh, Chairman of Cignex, was my inspiration to write this series on Simplified Security - 25 tips for a company to implement security - and I have created a separate blog section for it. The 25 tips are generic and can be drilled down to arrive at a fitting solution based on the company's context. I am fairly confident that these tips will form the basis for a cost-effective and risk-reducing security implementation.

Countering spam - what needs to be done to eradicate this weed?

I start this post with prayers for victims of hurricane Katrina.

Spam can be the vehicle that carries viruses and malware, and so poses a threat to corporate security. The current Bayesian spam engines/filters are very robust. Most of them can detect spam with over 97% accuracy. There is a multitude of spam solutions. One solution is the outsourced approach, where emails from the outside world destined for the company go to an outsourced spam processing facility and only genuine emails get through to you from there - the disadvantage of this approach is that the company may not trust an outside party with its emails - check out Postini. Another solution is appliance based, where all the emails destined for the company get filtered through this appliance - the disadvantage of this approach is the cost of ownership - check out Ironport. There are other solutions out there which are permutations of these. It is necessary for a company to have spam filtered by one of these solutions, based on its needs.

The other side of the equation in countering spam is educating the users about spam:

- Don't click on attachments from unknown sources.

- Don't send unsubscribe message to unknown lists at any cost.

- Use separate email accounts for personal emails and official emails

- Another trick that I use is a separate email account for the address that is published on the Internet, for instance the "From:" address that I use to send e-greeting cards or the one that I give out when registering on web sites - this prevents my personal and official email accounts from being harvested by spammers. I have gotten rid of a good amount of spam by this method.

Spam and Bayes' Theorem

Spam is unwanted email. Spam can hurt productivity: if you receive thousands of spam messages and ten non-spam messages, you have to put in the effort to sift through the mail and delete the spam. Spam messages are also carriers of viruses, malware and the like. If a user's inbox gets flooded with spam it can result in denial of service (DoS). Also, when IM is subjected to unwanted messages it is called spIM - another good jargon term to be mindful of.

Interestingly, a paper by Bayes published posthumously in 1763 has formed the basis of spam filtering. Bayes' theorem determines the probability of an event x happening given that y has happened, based on the past probabilities:

P(x|y) = P(x) * P(y|x) / P(y)   (this can be extended to a series of independent events)

Spam filtering uses Bayesian filtering. An email is broken into a set of tokens. Bayes' theorem is used to build a table of the probability of each token being used in a spam versus a non-spam message. When an email arrives, the 15 tokens with the highest spam probability are used to classify whether the message is spam or not, based on some pre-determined threshold.

After having bored you with spam math, let us get back to technology. We need spam filtering. Spam filtering at the user level is futile. We need to have a central spam processing engine. I will talk about the characteristics such an engine needs in my next post.
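An added example, not from the original post, of the filter just described: tokenize the message, build the per-token probability table with Bayes' theorem, combine the 15 most significant tokens under the independence assumption and compare the result to a threshold. The 0.01/0.99 clamps, the 0.4 assigned to unseen tokens, the 0.9 threshold and the choice of the 15 tokens farthest from 0.5 are the settings from Paul Graham's "A Plan for Spam"; the training corpus is a constructed toy set.

```python
# Added example, not from the original post: a minimal Bayesian spam classifier
# built the way the post describes (tokenize, per-token spam probability table,
# combine the most significant 15 tokens, compare to a threshold). Constants
# follow Paul Graham's "A Plan for Spam"; the corpus is a constructed toy set.
import math
import re
from collections import Counter

SPAM_TRAIN = [
    "cheap viagra online buy now limited offer",
    "buy cheap pills now free shipping offer",
    "win money now claim your free prize offer",
    "free money cheap loans apply now",
]
HAM_TRAIN = [
    "meeting tomorrow about the security audit schedule",
    "please review the change control document before the meeting",
    "lunch with the audit team tomorrow",
    "attached is the asset impact table for review",
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Break a message into its set of tokens (each token counted once per message)."""
    return set(TOKEN_RE.findall(text.lower()))


def train(spam_msgs, ham_msgs):
    """Build the table P(spam | token) from labelled messages.

    For each token, Bayes' theorem with equal priors gives
        P(spam | token) = P(token | spam) / (P(token | spam) + P(token | ham))
    where P(token | class) is the fraction of that class's messages containing it.
    """
    spam_counts, ham_counts = Counter(), Counter()
    for m in spam_msgs:
        spam_counts.update(tokenize(m))
    for m in ham_msgs:
        ham_counts.update(tokenize(m))
    table = {}
    for tok in set(spam_counts) | set(ham_counts):
        p_tok_spam = spam_counts[tok] / len(spam_msgs)
        p_tok_ham = ham_counts[tok] / len(ham_msgs)
        p = p_tok_spam / (p_tok_spam + p_tok_ham)
        # clamp so that no single token can be absolutely decisive on its own
        table[tok] = min(0.99, max(0.01, p))
    return table


def classify(text, table, n_tokens=15, threshold=0.9, unknown=0.4):
    """Return (spam probability, is_spam) for a message.

    Only the n_tokens tokens whose probability is farthest from 0.5 are combined,
    so one spammy word inside an otherwise ordinary message is outvoted. The
    combination assumes the tokens are independent (the "series of independent
    events" extension of Bayes' theorem) and runs in log space so that long
    messages do not underflow.
    """
    probs = [table.get(t, unknown) for t in tokenize(text)]
    probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
    probs = probs[:n_tokens]
    if not probs:
        return 0.0, False
    log_spam = sum(math.log(p) for p in probs)        # log of prod p_i
    log_ham = sum(math.log(1.0 - p) for p in probs)   # log of prod (1 - p_i)
    # P(spam | tokens) = prod p / (prod p + prod (1 - p))
    score = 1.0 / (1.0 + math.exp(log_ham - log_spam))
    return score, score >= threshold


if __name__ == "__main__":
    table = train(SPAM_TRAIN, HAM_TRAIN)
    for msg in ["cheap pills free offer now buy",
                "audit meeting tomorrow review schedule",
                "free lunch tomorrow with the team"]:
        score, is_spam = classify(msg, table)
        print(f"{score:.4f}  {'SPAM' if is_spam else 'ok  '}  {msg}")
```

The third sample message shows why the 15-token selection matters: the single spammy token "free" is outvoted by the ordinary tokens around it, so the message is not classified as spam.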

