Being information security professionals, we have obligation to follow good e-mail practice, by this we can operate with due care in our profession and that will make us look good. In my earlier job, colleague of mine [a security expert] had sent me an e-mail describing how he broke the weak encryption of an application. Inadvertantly, in his e-mail, he had pasted his own encrypted password! I showed up at his office and presented this expert his own password. All I did was to follow his advice and write a trivial program to break the cipher. It is very important that we as security professionals should not  look or act stupid ;)

Check out this blog post from Marshall Goldsmith  "E-Mail Food for Thought". Excerpt from this blog:

"Managers need to worry not just about their own e-mail but also that of their employees. Email is permanent and searchable and can be forwarded as easily to a thousand people as to just one. And the results can range from embarrassing to costly to disastrous. All the goodwill you've built up over years or decades can be destroyed with one bad e-mail from anyone in your organization."

At the risk of sounding like a preacher, I would like to share this short story.   Many of us, ACT only when bad news hits the roof and  at the point we don’t ACT pragmatically since we did not plan for it!  We recently attended a friend’s daughter’s birthday party. Before heading to the party, I printed out the driving directions from the Internet. hit the freeway in the south direction, when the exit arrived found that the exit ramp was closed for repairs.  Using common sense, I traveled further south, and took another exit to head North on the same freeway, the exit arrived, but this was blocked too! We did not know how to get to the party and the cake cutting time was approaching. What are my plans for this incident? Luckily I had an AAA map in my glove compartment and I found our way right on time to the cake cutting time. In future I decided wherever I go I have to carry maps or buy a GPS or as a last option ask around.

Security incidents are sometimes a blessing in disguise. It compels you to act. There is a tendency among upper management to blame security team for security incidents.  Knee jerk reactions such as CIO firing the CSO or the CSO firing the security team members should be avoided. The facts around the event should be enumerated and the incident should be dealt with pragmatically  [refer Pragmatic CSO: Step #8 Contain the Problem]. Security incidents are  “breakdowns”.  When there is a nasty security incidents here are some facts:

1. There is a business cost associated with the incident.
2. There is a vulnerability that has been exploited by a threat agent.
3. The vulnerability could be:
• Unknown
• Known but accepted
• Known but Ignored
4. The incident needs to be handled with due care.
5. Either you have a well defined incident handling plan or you are shooting from your hips [remember P-CSO The Incident Playbook] .

Scenario 1: The vulnerability that resulted in the incident was known and was accepted. Remediation: Deal with the incident and then re-visit the rationale of why this was accepted in the first place.  This highlights the importance of documentation such as business risk acceptance form; this will help to cover your rear during security incidents. Make sure to get a business risk acceptance form signed by the business owner.  An example is a business owner signs a business risk acceptance form if there is no budget to mitigate the vulnerability.

Scenario 2: The vulnerability that resulted in the incident was an unknown. Remediation:  Deal with the incident and create a mitigation plan for this newly known vulnerability going forward.

Scenario 3: The vulnerability that resulted in the incident was ignored. Remediation: Deal with the incident and revisit why the vulnerability was chosen to be ignored in the first place.  It may be possible that you end up making a decision of not ignoring this vulnerability.

In all the above scenarios you have to deal with the security incident, this emphasizes the importance of a sound incident handling plan.  Putting an incident handling plan is fairly simple. Document what you need to do and whom to escalate to, then communicate the incident management plan to the relevant actors and stick to plan when incident does happen.

Here is simple example of what needs to be done for an Earthquake incident:

-             Identify a structurally safe place inside the home to take shelter or identify an open safe place near your house where you can rush

-             Decide on a family meeting place, where all family members get together

-             Enough food for a week

-             Two dozen water bottles etc...

Recently my 3 year old asked me a simple question - "Why do near by objects look big and farther objects look small?" This made me think about blindness that is created by obviousness in our thinking process. "Pride" that we [adults] know more than kids put an end to our constant questioning of our surroundings. "Pride" is one among the 7 deadly sins of Website Vulnerability Disclosure according to Jeremiah. Nice blog post Jeremiah.

I see a Maslow's heirarchy in the evolution of security posture of a company. Each posture is determined by the line of business [type of industry] and the size of business [start-up or mid-size or large publicly traded].

1. Don't Care for Security - These are early stage companies that don't have time for security since they are busy getting their product out. There are mid-size to large companies that demonstrate this posture [at their own risk]. Ironically, early stage or start-up companies should take utmost care in protecting their intellectual property [sensitive data] else they will loose their competitive advantage.

2. Security Exists - These are companies that acknowledge that security is important and realize that some reasonable measure needs to be taken to protect their intellectual property. Websites that have begun e-commerce transaction on their website realize the importance of security of their customers' data, belong to this category. There are companies that have realized the importance of security since customers have started demanding security in their products [Why would you buy a book from a small online book vendor vs. Amazon? A small online vendor has to work harder to convince customers about security]. These are the companies that are drafting a security architecture and working toward Basic Security posture.

3. Basic Security - These are companies that have the knowledge that "Security Exists" and have acted  to make sure that there is basic security to protect their intellectual property. These are mostly small to mid-size publicly traded companies. They use layered security approach: Firewall, IDP and Anti-Virus. These companies are not competent in handling security incidents  effectively. They have no plans for what if bad stuff happens.

4. Managed Security - These have incorporated dedicated staff to manage the lifecycle of security components. They have the well defined procedures to handle security incidents. There is a small budget allocated to the information security team, but management does not perceive the value of the team. Security is not viewed as a risk management framework for the business.

5. Constantly Improving Security - These are companies that recognize that security posture is a constantly moving target. Senior management is committed to the security program. Security is viewed as a holistic program to mitigate business risk due to information security breach. They have well defined security policies and security procedures. They have security awarenes program for employees. They audit their security practices against standards [such as ISO 27001, COBIT]. These are companies that are ISO 27001 compliant or heading in that direction. They routinely audit security practices, identify non-conformances and act on it to improve and this process goes on and on. These companies tend to be mid-size to large publicly traded companies. Financial institutions strive hard to be in this category. Moreover, companies that are concerned with running an efficient security program employs this model.

Here are some facts around these postures:

1. At the top of the pyramid is posture #5, there is no short-cut to it.

2. There is a cost involved in transitioning from lower posture to the next higher posture.

3. The cost of transitioning increases exponentially as as you advance through the postures. 

4. When #5  is attained there is efficiency and economies of scale hence reduces the cost of the security program and reduces business risk significantly at a low cost.