1,600 Security Badges Missing From ATL Airport in 2 yr period – NBC News

While not a complicated or strategic topic that I would normally highlight, this one bit of news is from my home airport and personally meaningful.

Basically the report shows that 1,600 badges were lost or stolen in a 2 year period. This seems like a big number (2.6%), but this is a control that should (and not highlighted in broadcast) secondary supportive controls, such as:

• Key card access review logs to prevent duplicate entries (i.e., same person cannot badge in 2x)
• Analytics on badge entries against the work shifts of the person assigned
• Access to areas not zoned for that worker
• Termination of employees who don’t report in 12 hours on lost/missing badge

There are safeguards highlighted in broadcast that are good, but easily modified to the point of not being any value, and include:

• Pin (can be easily observed due to tones and no covering)
• Picture (every movie ever shows how easy this is done)
• An old badge could be re-programmed and be a duplicate of another higher ranking / alternate security zone

Bottom line is organizations, especially those tasked with safety of human life, must have the primary and secondary controls in place. Hopefully the remarks of a minor risk are based on their security assessments with the considerations above (and more perhaps).

Article:
Hundreds of ID badges that let airport workers roam the nation’s busiest hub have been stolen or lost in the last two years, an NBC News investigation has found.

While experts say the missing tags are a source of concern because they could fall into the wrong hands, officials at Hartsfield-Jackson Atlanta International Airport insist they don’t pose “a significant security threat.”

via Hundreds of Security Badges Missing From Atlanta Airport – NBC News.com.

Also thanks to the new new aggregator (competitor to AllTops) Inside on Security or the clean new interface.

Best,

James

 

Review – Fmr. CIA Dir. Jim Woolsey warns of existential EMP threat to America

I have been studying First World worst case scenarios where Cyber and life intertwine, and was recommended to review this session.  It is a panel discussion that included former CIA Director on the threat of EMP on the U.S. national infrastructure.

Mr. Woolsey takes roughly the first 10 minutes to set the stage and it is worth listening to help anchor why the NERC/FERC CIP, Executive Order, and the betterment initiatives led by private industry are so important.

A bit of an extreme and not something many ‘concern themselves’ on, but it is important to start translating what information security and cyber mean in a tangible fashion. To often we deal only in probabilities and numbers and forget all else.

Fmr. CIA Dir. Jim Woolsey warns of existential EMP threat to America – YouTube.

How to determine how much money to spend on security…

A question that many organizations struggle with is how much is the appropriate money to spend annually per user, per year on information security. While balancing security, privacy, usability, profitability, compliance, and sustainability is an art organization's have a new data point to consider.

Balancing – information security and compliance operations

The ideal approach that businesses take must always be based on internal and external factors that are weighted against the risks to their assets (assets in this case is generally inclusive of customers, staff, technology, data, and physical-environmental). An annual review identifying and quantifying the importance of these assets is a key regular exercise with product leadership, and then an analysis of the factors that influence those assets can be completed.

Internal and external factors include a number of possibilities, but key ones that rise to importance for business typically include:

1. Contractual committments to customers, partners, vendors, and operating region governments (regulation)
2. Market demands (activities necessary to match the market expectations to be competitive)

At the aggregate and distributed based upon the quantitative analysis above, safeguards and practices may be deployed, adjusted, and removed. Understanding the economic impact of the assets and the tributary assets/business functions that enable the business to deliver services & product to market allows for a deeper analysis. I find the rate of these adjustments depend on the business industry, product cycle, and influenced by operating events. At the most relaxed cadence, these would happen over a three year cycle with annual minor analysis conducted across the business.

Mature organization's would continue a cycle of improvement (note – improvement does not mean more $$ or more security / regulation, but is improvement based on the internal and external factors and I certainly see it ebbing and flowing)

Court settlement that impacts the analysis and balance for information security & compliance:

Organization's historically had to rely on surveys and reading of the tea leaf financial reports where costs of data breaches and FTC penalties were detailed. These collections of figures showed the cost of a data breach anywhere between $90-$190 per user. Depending on the need, other organizations would baseline costing figures against peers (i.e., do we all have the same # of security on staff; how much of a % of revenue is spent, etc…).

As a result of a recent court case, I envision the below figures to be joined in the above analysis. It is important to consider a few factors here:

1. The data was considered sensitive (which could be easily argued across general Personally Identifiable Information or PII)
2. There was a commitment to secure the data by the provider (a common statement in many businesses today)
3. The customers paid a fee to be with service provider (premiums, annual credit card fees, etc.. all seem very similar to this case)
4. Those that had damages and those that did not were included within the settlement

The details of the court case:

The parties' dispute dates back to December 2010, when Curry and Moore sued AvMed in the wake of the 2009 theft of two unencrypted laptops containing the names, health information and Social Security numbers of as many as 1.2 million AvMed members.

The plaintiffs alleged the company's failure to implement and follow “basic security procedures” led to plaintiffs' sensitive information falling “in the hands of thieves.” – Law360

A settlement at the end of 2013, a new fresh input:

“Class members who bought health insurance from AvMed can make claims from the settlement fund for $10 for each year they bought insurance, up to a $30 cap, according to the motion. Those who suffered identify theft will be able to make claims to recover their losses.”

For businesses conducting their regular analysis this settlement is important as the math applied here:

$10 x (# of years a client) x client = damages .. PLUS all of the upgrades required and the actual damages impacting the customers.

Finally

Businesses should update their financial analysis with the figures and situational factors of this court case. This will in some cases reduce budgets, but others where service providers have similar models/data the need for better security will be needed.

As always, the key is regular analysis against the internal & external factors to be nimble and adaptive to the ever changing environment. While balancing these external factors, extra vigilance needs to ensure the internal asset needs are being satisfied and remain correct (as businesses shift to cloud service providers and through partnering, the asset assumption changes .. frequently .. and without any TPS memo).

Best,

James

 

Posted with Blogsy

Tactical Issue: How to handle Executive Assistants and #infosec

Problem Statement: How have you seen companies handle executive assistant's access to C-level and VP accounts? Our executives heavily rely on their admins but don't realize the risk when we go to single sign on.

How does this apply to you?

As organizations grow and expand there is a sensitivity of access to data, and especially if businesses are in an M&A mode, there is much higher sensitivity at the executive level. Data protection and limitaiton of access is dependent upon the specific instance.

If an organization, such as the question above, allows (and most do) admins / executive assistants to access senior leadership files then what do you do?

1. Trust explicity, same credentials and access as the executives they represent
2. Trust per instance, same credentials but institute specific 'special handling protocols' for items that are too sensitive
3. No trust.. this is unlikely to succeed unless there are no admins, given the sneaker-net still works beyond many other cultural and personnel inherent issues at large here

Solution Concepts:

there are many ways to approach this problem statement, but a few responses to each of the above (I'll reference each bullet number above for simplicity)

1. Admins/executive assistants go through the same background security vetting as their assigned executives, and the systems themselves have escalated monitoring. Essentially deep background checks, ongoing personnel monitoring, and better system security for the end-user devices.
2. By far the easiest – special handling protocols for executives would be the initiation of secure platforms, encrypted containers, electronic document handling authenticated to specific systems, even project code names, etc ..
3. These do happen, but definitely require the culture to accept the extreme firewalling (socially) of discussions and work. Not appropriate for many organizations today.

Final Thoughts:

I spend most of my time designing, implementing, and operating global security programs for businesses… so this tactical question was fun to receive. Working in the details is where life happens, and is proof point for many innovations. Smashing together technology, process, and people is an art .. a journey .. and always unique.

Hope this helps.

James

Posted with Blogsy

Dedication .. in your pursuits and profession

What is dedication… how do you define it? How are you better for it?

To often people try to raise dedication to a level that seems impossible to achieve, but that is not necessary. Dedication to your passions, pursuits, and life are simple enough. Dedication should not have soft edges, but should happen at intervals.

I find that dedication to training for instance can be achieved when rest days, variety in events, and fun are brought into a sometimes realistically “boring” or mundane and repetitive set of activities. For instance when pursuing Ironman Events the training typically involves 6-8 months of training 16 hours of a week across each skill. Needless to say this can lead to a bit of mental fatigue, but adding short / fun swim, run, and rides can provide the sufficient gap necessary to allow for dedication to continue with stronger mental stamina to raise to the next level.

This concept of interval training is well tested in physical athletes, and I have sought to apply it in my life generally.

Consider how you would apply it in the following areas:

1. Making moments in your life beautiful
2. Living life (feeling like you are in a rut and there is nothing new/exciting?) > seek out new adventure! (I recently, thanks to the Olympics) have been re-introduced to my love for ice skating, and gymnastics thanks to my daughter)
3. Work – variety is the spice of life, inject hands on hard core with cerebral program and management functions (don't lose touch of how the tire meets the road or you'll either lose the rhythm of the industry or have unrealistic expectations across your teams and business.. pretty simple)

How does this relate to business.. well the same as it does for our personal ventures, since the personal venture and dedication of our people is what makes up our business. Without these fundamental pieces there is no business that can succeed.

Information Security, like other fields, requires this type of dedication given the sheer complexity and dependency placed upon these efforts by the individuals behind them. I would challenge you to answer the above questions for yourself personally, and then consider how they apply to your sphere of influence. When you are satisfied, seek out your colleagues and team members .. are they, and if not how can you help them move forward?

Sometimes the most technical aspect of our field of business, technology, and information security is the people themselves.

Best,

James

 

Posted with Blogsy