Category Archives: IT Controls

What do major developments in big data, cloud, mobile, and social media mean? A CISO perspective..

Screen Shot 2013-02-26 at 6.52.56 PM

Tuesday afternoon the CISO-T18 – Mega-Trends in Information Risk Management for 2013 and Beyond: CISO Views session as presented focused on the results of a survey sponsored by RSA (link below).  It provided a back drop for some good conversation, but more so it gave me a nice environment to elaborate on some personal observations and ideas.  The first tweet I sent, hammered the main slide:

“Major developments with Big Data, Cloud, Mobile, and Social media” – the context and reality here is cavernous.. “

My analysis and near-random break down of this tweet are as follows with quotes pulled from the panel.

First off – be aware that these key phrases / buzz words mean different things to different departments and from each level (strategic executives through tactical teams). Big Data analytics may not be a backend operational pursuit, but a revenue generating front end activity (such as executed by WalMart). These different instantiations are likely happening at different levels with varied visibility across the organization.

Owning” the IT infrastructure is not a control to prevent the different groups from launching to these other ‘Major developments’.

The cost effectiveness of the platforms designed to serve businesses (i.e., Heroku, Puppet Labs, AWS, etc…) is what is defining the new cost structure. CIO and CISO must

>The cloud is not cheaper if it does have any controls. This creates a risk of the data being lost due to “no controls” – highlighted by Melanie from the panel.  <– I don’t believe this statement is generally true and generally FUD.

Specifically – There is a service level expectation by cloud service providers to compensate for the lack of audit ability those “controls”. There are motions to provide a level of assurance to these cloud providers beyond the ancient method established through ‘right to audit‘.

A method of approaching these challenging trends, specifically Big Data, below as highlighted by one of the CISO (apologies missed his name) w/ my additions:

  • Data flow mapping is a key to providing efficient and positive ‘build it’ product development. It helps understand what matters (to support and have it operational), but also see if anything is breaking as a result.
  • Breaking = violating a contract, breaking a compliance requirement, or negatively effecting other systems and user requirements.

Getting things Done – the CISO 

Two observations impacting the CISO and information technology organization include:

  1. The Board is starting to become aware and seeking to see how information security is woven within ERM
  2. Budgets are not getting bigger, and likely shrinking due to expectations of productivity gains / efficiency / cloud / etc…

Rationalization on direction, controls, security responses, must be be fast for making decisions and executing…

Your ability to get things done has little do with YOU doing things, but getting others to do things. Enabling, partnering, and teaming is what makes the business move. CIO and CISO must create positive build-it inertia.

Support and partner with the “middle management” the API of the business if you will.

  • We to often focus on “getting to the board” and deploying / securing the “end points” .. Those end points are the USERS and between them and the Board are your API to achieving your personal objectives.

Vendor Management vs procurement of yester-year

Acquiring the technology and services must be done through a renewed and redeveloped vendor management program. The current procurement team’s competencies are inadequate and lacking the toolsets to ensure these providers are meeting the existing threats. To be a risk adaptive organization you must tackle these vendors with renewed. Buying the cheapest parts and service today does not mean what it meant 10 years ago. Today the copied Cisco router alternative that was reverse engineered lacks an impressive amount of problems immediately after acquisition. Buying is easy – it is the operational continuance that is difficult. This is highlighted by the 10,000+ vulnerabilities that exist with networked devices that will never be updated within corporations that must have their risks mitigated, at a very high and constant cost.

Panel referenced the following report:
http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm

Thank you to the panel for helping create a space to think and seek answers, or at least more questions!

James DeLuccia IV

Information Security executives … is responsibility being abdicated?

Is “it is your decision not ours” statement and philosophy a cop-out within the Information Security sphere?

This is a common refrain and frustration I hear across the world of information security and information technology.  Is this true?  Is it the result of personality types that are attracted to these roles?  Is it operational and reporting structure?

In Audit it is required for independence and given visibility. Does not the business (the CIO) and the subject expertise (CISO) not have that visibility possess a requirement of due care to MAKE it work?

The perfect analogy is the legal department – they NEVER give in and walk away with a mumble, they present their case until all the facts are known and a mutual understanding is reached. Balance happens but it happens with understanding.

This point is so important to me, that it warranted a specific sharing of the thought.  I hope we can reframe our approach, and to follow a presentation off TED – focus on the WHY.  (need to find link…sorry)   These individuals in these roles provide the backbone and customer facing layer of EVERY business.

Thoughts and realizations made from stumbling around our community and today during RSA resulting from the presentations with underlying tones.

Always seek,

James DeLuccia

Passwords are Dead, Part II 2nd False Premise – a collaborative research effort, being presented at RSA 2013

The advent of user created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams.   – After much debate and analysis … there is the thesis

Screen Shot 2013-02-12 at 9.58.14 AM

This is Part II of the topic being explored and discussed at my Wednesday session at the RSA Conference in San Francisco (2013).  To see the first thesis and False Premise 1, please see the original post.  Jumping right in – looking forward to more feedback (thanks for a generous emails, but don’t be shy at the comment field below)!

————————————————————————

FALSE PREMISE TWO: Password strength should transcend devices – mobile, tablets (iPad, surface) [Updated 2/12/2013]

MOBILE devices:
What is the intent of the password? To stop high CPU encryption cracking systems .. or prevent inadvertent strangers from accessing the data?  Today we wrap in mobile (BYOD type if that suits you) systems into the corporate password requirement sphere, and in some cases are being more creative than other platforms.

For instance, it is recommended on a popular Apple iOS device site to use “accent characters for creating a super strong password“. Agreed these are more difficult to guess, but is that the threat we are seeking to mitigate?  In the space of X character spaces how creative must we get?

What are the risks to these mobile devices:

  • Theft
  • Data leakage violating regulatory, contractual, or privacy expectations of customers

If we consider the two threats – Theft is not mitigated by the password, as the device will simply be wiped.

[Updated 2/09/13] Data leakage is only possible if the device is ON and the password guessed before it locks itself permanently.  A feature readily available and easily implemented by the end-user, even more robust with corporate implementation technologies.

  • So in this case, the password only needs to not be one of the top 10 most common phone passwords.  At that point the device locks and can self wipe.
  • Another scenario is that the password was gleaned through recording / shoulder surfing / or simply left unlocked.  Each case the password strength was not an issue.  Other situations?

As we move into an ever mobile, data everywhere, and always connected scenario an interesting ecosystem of access & authentication appears, that requires continued serious challenge against the assumptions of our security and assurance programs.

Diving in …

Data is mobile – what role does a single password play in accessing sensitive data? Data stored on device (Cloud storage we can address on the integration point below) is at risk to a number of threats:

  • The device can be attacked directly (similar to any other computing device with IP addresses and Ports) wirelessly, but typically requires physical proximity (simplest) which is reserved for either random or very targeted attackers.
  • The device can be stolen, and if no OS passwords, than the Data itself is attacked/accessed directly. An unlocked device introduces risk mitigation techniques that are harder, so password is EASIEST. A password on the data within an application is a worthless without some form of self-destruct functionality similar to that of the OS level safeguards.

>> Why are passwords WORTHLESS at the application level in this situation?

>>> If the attacker is ON the device (physically or remotely) and our Use Case is an encrypted database – the attacker can copy that encrypted database to their system for local attacking (easy and zero user awareness), or they can access the database locally via brute force until they get in.

The data is at risk regardless without some form of self-destruct and tremendous levels of assurance related to the encryption of the data(base) itself.

  • Other thoughts here?
  • What is missing?

Passwords plays a significant role at certain tollgates upon the data (when stored on the device), and less the more “access” the attacker gets to the underlying system. A common refrain of attackers is – with “physical” access I can break into anything. We must today deal with ALL ACCESS is PHYSICAL when the data is mobile.

Plethora of devices – Today data is accessed from many devices, some owned by corporations, by end-users, or nobody – kiosks. Single passwords entered into systems allowing single thread authentication where NO assurance is understood of the underlying system and no situational awareness of the User presence seeking authentication results in failed security.

  • The reuse of passwords across devices threatens the confidentiality of the password itself (as much as that matters).
  • The multitude of devices increases the need to redefine what is “access” and the functions of authorization (I used “functions” instead of “rules” intentionally to draw attention on the necessity for a broader approach to solving this constraint)

Integration with third party service providers – [to be expanded…]

—————————-

Conclusion – a preview:

  1. Stationarity, is defined as a quality of a process in which the statistical parameters (mean and standard deviation) of the process do not change with time.” – Challis and Kitney November 1991
  2. Offline Data level authentication – Offline in an ‘always connected’ world

[Disclaimer: First off this is my research and not anyone else’s. Second, the examples above are meant to illustrate technical realities in a reasonably understood presentation. Lets focus on the problem .. identify weaknesses in the argument; and introduce the mitigation so greatly required in our online world.

I share and seek these answers for the preservation and enhancement for our way of life… as simple as that and I appreciate you being a part of my journey]

Always seek, everything…

James DeLuccia

Twitter: @jdeluccia

Top 3 attributes for businesses to benefit from Data Analytics – an Information Security & Business process perspective

Screen Shot 2013-01-30 at 4.08.18 PMBig Data introduces an opportunity that organizations see when merging silo product operations together forming a service layer or an enhanced hybrid product. Big Data also requires exceptional enterprise intelligence from the perspective of establishing the scaffolding for enterprise grwoth. That scaffolding requires advanced information technology system and business process matrix visibility.  My thesis … let me elaborate below on a single thread here given this is a subject I have been developing on recently…

In order for Big Data to work it requires abundant access to systems, data repositories, and the merging and tweaking of data beyond original data owner expectations or comprehension. The enterprise that balances the advantage of Big Data analytics with superior scaffolding will appreciate higher run rates and profitability without unfunded cost centers and above trend OpEx generally. The opportunity of Big Data without this business intelligence will be squandered and the benefits not realized as a direct result.

The CIO has this ownership and it is the purview of the Audit Committee to ensure that these risks are understood and tackled. The Board of Directors have proven to value equally the aggressiveness of Data Analytics with the ongoing revaluation of the risk tolerance and acceptance points of the business. As one can imagine, this is a familiar yet distinct activity within the executive structure, but three key attributes / activities that indicate a successful approach are as follows:

  1. Vertical awareness – product awareness, strategy, and full line of sight for each major revenue center
  2. Scrum topical teams – risk assessments and activities linked to the product market research initiatives
  3. Senior strategy alignment – what does the Board seek in this DA movement; What does the CEO/CIO envision on these product expansions; What is the audit committee observations (meaning that they must have visibility and mindfulness to the impact)

Think Big Data is not huge business? … consider these figures:

  • Gartner: Big Data Market is Worth $3.7 Trillion, Generating Over 4 Million Jobs by 2015 – article
  • Good short presentation on value of pattern based strategies, by Gartner
  • $29B will be spent on big data throughout 2012 by IT departments.  Of this figure (Forbes)

Or a classic business case example:

“The cornerstone of his [Sam Walton’s] company’s success ultimately lay in selling goods at the lowest possible price, something he was able to do by pushing aside the middlemen and directly haggling with manufacturers to bring costs down. The idea to “buy it low, stack it high, and sell it cheap” became a sustainable business model largely because Walton, at the behest of David Glass, his eventual successor, heavily invested in software that could track consumer behavior in real time from the bar codes read at Wal-Mart’s checkout counters.

“He shared the real-time data with suppliers to create partnerships that allowed Wal-Mart to exert significant pressure on manufacturers to improve their productivity and become ever more efficient. As Wal-Mart’s influence grew, so did its power to nearly dictate the price, volume, delivery, packaging, and quality of many of its suppliers’ products. The upshot: Walton flipped the supplier-retailer relationship upside down.”Changing The Industry Balance of Power

A good (no paywall) article on Forbes here breaks down the IT spent related directly to Big Data and compares against prior years up to 2012 & by industry.  

Also check out this MIT Sloan article co-developed with IBM entitled Big Data, Analytics and the path from Insight to Value  – most interesting for me was page 23 relating to Analytics trumping intuition.  This relates to EVERY business process, product, sales opportunity, accounting, fraud detection, compliance initiative, security analytics, defense and response capabilities, power management, etc …  A worthwhile read for each executive.

Think strategically act vertically and influence horizontally – scale!

James DeLuccia IV

*See me speak at RSA 2013 on the topic – Passwords are Dead

A call to reflect on your Risk Management & Security Program: UPnP vulnerabilities identified by Rapid7

The Rapid7 folks ran scans for 5+ months searching for and finding systems vulnerable to 3 different types of vulnerabilities that relate to UPnP.  The sheer volume, accessibility, diversity of vendor, and age of some of these systems is most interesting from an operational business standpoint.  First a few statistics from the report:

  • 23 million IPs are vulnerable to remote code execution through a single UDP packet
  • At least 6,900 product versions vulnerable through UPnP.
  • List encompasses over 1,500 vendors
  • 1 UDP packet can exploit any one of 8 vulnerabilities to libupnp
  • Some vulnerabilities were 2+ years old, yet 300+ products still are using insecure version 

A great write-up is available here by Darlene at ComputerWorld (chock full of links to additional facts & CERT) and of course all comments and feedback should be directed to HD Moore’s blog.  The report was worth the read, and while the technical details are important, I would challenge the executives reading this paper to consider operationally how they would seek to manage the vulnerable systems in their organizations and how their internal processes are designed to ensure such similar technical (symptoms) vulnerabilities across different types of products do no recur.  Or at least, devising a methodology to mitigate the risk to technology such as this that cannot be patched (vendor is gone; management tools non-existent, etc…) or addressed directly on the same system.

As our business processes further rely on network connected devices, the age and velocity of the industry is a risk that we must manage.  Acquisitions, businesses going under, kickstarters coming & going, and simply protocols losing support in the dev environments ALL are mitigated by governance and risk assessment methodologies.

  • How is your strategic program designed; is it effective to these shifts in business; how can it be enhanced?
  • How is the partnership with procurement, M&A, and business relations teams?   >> Consider the inputs as well as enhancing your program.

Thanks to Rapid7 for the research and raising this broader risk.

James DeLuccia

*See me at RSA 2013 speaking on – Passwords are Dead

The Enterprise Compliance and Security Game board

Questions that must be managed by the COO and CIO of every business relates to dedicating finite resources across the company. The products and services sold the by the business are developed and delivered to market as rapidly as possible in a race to be competitive. In the startup realm the concept of building in security, compliance, and privacy elements is very low priority. In most cases startups (and skunkworks within larger enterprises) depend upon the security of the libraries (ruby on rails, java libraries, etc…) and product components (UL Certified) to deliver security. Unfortunately depending upon the security and safety of the individual pieces is insufficient and inadequate when the elements (from here forward meant to refer to technology code and physical product components) are brought together in a new and non-obvious way. The emergence of these new products and services introduces dependencies, communication channels, new operating environments, and custom elements that reduce or eliminate the security-compliance-privacy elements that existed individually.

Leadership must then prioritize as immediately possible to introduce security-compliance-privacy. Companies certainly benefit by building these natively within the products and services at the Design & Build stage, as it is cheaper to build once then to re-design / re-code to meet the market expectation of security-compliance-privacy. The case when the organization must review its existing portfolio and decide what should be done, is the focus of this article. An analysis is necessary to evaluate the landscape of necessary and appropriate security-compliance-privacy requirements, and which products or services should be updated.

Or stated another way …

Where on the game board do the services and products of our company get prioritized to receive compliance, security, and privacy ‘attention’?

Such an analysis should at least include:

  1. Listing of all required regulations and business best practices
  2. Listing of all legal and contractual obligations
  3. Discovery of similar product / services in the market and list any requirements outlined resulting from litigation and similar government agency enforcement actions
  4. Strategic roadmap review – identify any likely near term requirements
  5. Listing of all requirements the individual products & services will be subject to from the customer’s perspective

At this point a robust listing exists on what the products and services should support. A cross-map of these requirements should then be produced for optimized adoption and sustained operation. The cross map will also provide the design specifications that will contribute to the use cases and product development life cycle.  An example of such is below:

Screen Shot 2013-01-09 at 4.01.26 PM

The above then (in sequence 1 to 5) are placed on your product / services game board and prioritization and risk management are possible. This is a process I designed in 2008 and have enhanced based on experience and client feedback building global security and compliance programs. Your program may need to consider additional facts and realities. I would love to hear your thoughts to enhance and challenge this method.

Best,

James DeLuccia

Latest report shows top attacking companies, 60x increases in attack intensity..

Latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet  infrastructure companies that includes additional data sources.  Akamai published their quarterly report today (January 23, 2013) and I am nearly through it … a few striking details that shift how I will recommend clients to identify; consider; and mitigate risks.  The top two items that are significant (one obvious) and important include:

  • China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (Not a huge surprise but an affirmation for many)
  • The amount of attack traffic that was seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic that it had seen before for similar activist-related attacks (The volume, intensity, and strategy of the attacks is important as most do not consider a SIXTY TIMES in factor in risk mitigation calculations)

About the Akamai State of the Internet report 
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet

You can request access to (registration) the report here, and the individual images from the report available here.  There is also a great set of write-ups coming out here and here.

Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization’s business processes.  Leadership and strategy shifts required to tackle these evolutions remains an executive responsibility.

Best,

James DeLuccia IV

*See me speak at RSA 2013 in February on – The Death of Passwords