

September 04, 2008

Righteous Rant on Security Policies (by Francisco Artes)

Author Profile - Francisco (Frank) Artes is a leading regional and national security expert and recognized InfoSec top executive. Mr. Artes currently serves as the CTO/CSO of Club E Network. He has a distinguished 15-year background implementing and securing some of the largest and most widely known networks in the world. As Information Security Manager for Electronic Arts, Francisco was responsible for all information security solutions and policies protecting the intellectual property, e-commerce and on-line gaming networks of the $3.4 billion, Fortune 100 organization. For more information, please visit his personal blog, netassassin.com.


Let’s all pretend we are commanders of a submarine. It’s the last day in dock, and we are about to head out to sea for many months on end. The biggest fear aboard a submarine is fire. So we ensure we have plenty of the latest state-of-the-art fire fighting and fire detection equipment on the planet. We then ensure we have people who at least know where to find the equipment and probably how it might work, since they saw a demo of it. We have no real policy on how to use it, when to use what, or who is responsible for checking that it still works or, for that matter, for deploying it. Off we go to sea, and bam, wouldn’t you know it, there is a fire! People scramble about as our air is depleted and panic strikes; no one knows quite how to use the extinguishers, let alone any of the more advanced equipment. Most everyone dies, and the submarine is scrap metal. A sad day to say the least, and most certainly the last day you are commanding a rubber dinghy, let alone a submarine.

Now who would do this? It’s an odd story to say the least, but let’s replace the word “submarine” with “corporate network” and “fire” with “security breach”, and leave words like “policy” and “procedures” intact. Funny, now we went from something ridiculous to a commonplace reality: we all seem to like buying the best gizmos and gadgets for our network security, but we lack any policies, procedures, continuing training and education, or, for that matter, testing of the systems.

We all know the phrase “your backups are only as good as your last restore.” I mean, how many of us learned the hard way to test backups to ensure they are actually usable, and to be able to articulate how long it would take to restore systems in the event we had to invoke our continuity plan? And that may be the problem: so many of us had to learn this lesson the hard way. Likewise, very few people actually take the time to plan, train, and prepare for incidents in the security field. I might argue it is human nature to only react with such preparedness after an incident arises and we learn how poorly prepared we were. But come on now, why watch people repeatedly fall into a hole only to walk up to the edge and toss yourself right in with them? Anyone up for a game of “Lemmings?”




But there are other aspects to remember. Let’s say you decide to monitor an employee’s chat or email conversations. You show up in civil or criminal court with your logs and transcripts. The defense, or possibly the prosecution depending on your own reason for being there, points out that your company has a privacy policy (or that your employee was located in a country or state with mandated privacy) and that you failed to follow the prescribed procedures before monitoring and collecting the data you did. Now you are in a great pickle, aren’t you?! Your former employee wins the case for wrongful termination, you get fined for privacy violations, and any punitive damages assessed by the court, now or later, are definitely going to hit the bottom line in a big way. Brilliant! You had all the fantastic monitoring technology necessary to catch the person red-handed, but fell flat on your face because nobody looked into, or planned, the use of such technologies.

While we are on that topic, consider this: misuse of monitoring and security systems. “What?!” you say. But it is true. We all preach segregation of duties and a true delineation between IT administrators and security practitioners. But what happens when your monitoring system is completely controlled by your security team, with no policy on granting them one-time rights to review data? Or, for that matter, no policy preventing the system administrators from accessing the system and reviewing the data? In all cases your information security group, especially when faced with European Union (EU) privacy laws, must be the only group that may look at application-level (Layer 7) logs. And much like your security policies outline what behavior and use of corporate resources is acceptable for your other employees, you need to spell out who may review your monitors, when, and from where. Let’s face it, with EU law dictating that review of employee email, chat and so forth must be done by someone on EU soil, you might want to ensure that is in a policy before you find yourself answering an invasion-of-privacy or human-rights claim in an EU court.

Here is another fun use of policy. You scan relentlessly for vulnerabilities, new and old. Your savvy scanning system builds an amazing catalog, in a database, of all your systems, daemons, etc. You “know” you are secure because everything is patched. But what is that scanner really looking for? Banners that indicate the make and version of a service, which it then checks against a database to see whether that version is “bad” or not. How about scanning instead to ensure that the actual footprint of, say, your financial servers matches your policy (because now you are thinking about writing some) on how a financial server should be set up? You may just learn that TCP 6667, the Internet Relay Chat service, should stand out as a security issue on such a server even though the IRC daemon being run has no known vulnerability. Wow… policy compliance checking as a means to ensure security posture. Go figure.
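To make the distinction concrete, here is an added example (not code from the original post or from any product it mentions) that runs both checks over the same scan data: a banner lookup against a version database, which is all a vulnerability scanner does, and a policy check of each host's open ports against a per-role baseline. The role baselines, the "known bad" banner list and the scan results are all constructed for illustration; real inputs would come from your build standards and your scanner's export.

```python
"""Policy-compliance check of observed service footprints against role baselines.

Added example, not part of the original post. ROLE_BASELINES, KNOWN_BAD_BANNERS,
SCAN_RESULTS and HOST_ROLES are constructed sample data, not real policy or hosts.
"""
from dataclasses import dataclass

# Hypothetical build standard: the TCP ports each server role is allowed to expose.
ROLE_BASELINES = {
    "financial": {22, 443, 1433},
    "web":       {22, 80, 443},
}

# Stand-in for a scanner's version database: banners with a known issue.
# Anything not listed here looks "clean" to a pure vulnerability scan.
KNOWN_BAD_BANNERS = {
    "OpenSSH_4.3": "outdated SSH daemon (hypothetical entry)",
}

# Constructed scan output, roughly what a port scanner with banner grabbing
# reports: host -> {port: banner}. Note the IRC daemon on the financial box.
SCAN_RESULTS = {
    "fin-db-01": {22: "OpenSSH_5.1", 1433: "MSSQL 2005", 6667: "ircd-hybrid 7.2"},
    "web-01":    {22: "OpenSSH_4.3", 80: "Apache/2.2", 443: "Apache/2.2"},
}

HOST_ROLES = {"fin-db-01": "financial", "web-01": "web"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    banner: str
    kind: str    # "vuln" (banner matched the version DB) or "policy" (outside baseline)
    detail: str


def vuln_findings(host, ports):
    """What the scanner alone reports: services whose banner is in the vuln DB."""
    return [
        Finding(host, port, banner, "vuln", KNOWN_BAD_BANNERS[banner])
        for port, banner in sorted(ports.items())
        if banner in KNOWN_BAD_BANNERS
    ]


def policy_findings(host, role, ports):
    """Services outside the role's baseline, whether or not they have a known bug."""
    allowed = ROLE_BASELINES[role]
    return [
        Finding(host, port, banner, "policy",
                f"port {port} is not permitted on a {role} server")
        for port, banner in sorted(ports.items())
        if port not in allowed
    ]


def audit(scan_results, host_roles):
    """Run both checks over every scanned host and return all findings."""
    findings = []
    for host, ports in scan_results.items():
        findings += vuln_findings(host, ports)
        findings += policy_findings(host, host_roles[host], ports)
    return findings


if __name__ == "__main__":
    for f in audit(SCAN_RESULTS, HOST_ROLES):
        print(f"{f.host}:{f.port} [{f.kind}] {f.banner}: {f.detail}")
```

On the sample data the vulnerability check flags only the old SSH daemon on web-01, while the policy check is the only thing that notices the IRC daemon on fin-db-01: the banner check is silent on it precisely because nothing in the version database says ircd-hybrid 7.2 is broken. The two checks answer different questions, and a footprint that drifts from its baseline is worth investigating regardless of what the version database says.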

Your CFO is traveling to a conference in New York City. Saving money, the way the CFO always does, he or she opts to take a Yellow Cab from the airport to the hotel. While digging through the laptop bag, the CFO sets the cell phone down on the seat. Upon check-in at the hotel the CFO realizes the phone just drove away and is now the property of the next patron of the taxi cab. The CFO, realizing there is corporate email containing the sales and final market numbers for your publicly traded company on that phone, calls your Help Desk to find out whether the data on the phone can be remotely destroyed. But sadly there is no process control, policy, or practice for doing so. Compounding the problem, no one has ever tested that capability, and it is a crapshoot whether it will even work. In the meantime the guy who has the phone is selling the information to the highest bidder, buying or shorting your stock, telling all his friends, etc. Far-fetched? More than 85,000 cell phones and 21,000 PDAs and PocketPCs were left in Chicago cabs during just a six-month period in 2004, according to a survey released by mobile security company Pointsec. That was 2004, when the two items were just that, two separate items. Now the phone has VPN, email, documents, calendars, etc. Can you say “inference”, “social engineering” and “falling stock prices?” I knew you could.

And now for my last example of lack of planning and training. You have the Vice President of Firing People and Ruining Careers standing in your office. He is irate, as is normal for him, about something. You are frantically barking at your staff to pull together information from your state-of-the-art IPS, and you want to correlate it with data from your centralized log aggregator. But, um… yeah, no one has done this before, and while the sales guy said it might be in version 2.13 of the software, no one has been back to training since 0.13a. Good job with the training. See, you don’t always need to send people to a CISSP boot camp; you might want to invest time and money in documenting process and procedures and, for that matter, in continuing training and testing with your in-house technologies.

So policies would seem to help avoid real-life examples of woe such as these:

  • August 2007: lack of a well-thought-out privacy policy regarding the release of customer information to third parties (say, the police) cost $4.5 million.

  • Lack of cell-phone security policies is estimated to cost companies $137,000 to $1+ million per incident.


< /RANT >


Netassassin


