Saturday, May 31, 2014

Lessons from the U.S. Veterans Administration

Government-run healthcare is suffering from the stiff stench of reality this week as the Veterans Administration implodes in a wide-scale corruption probe in over 46 different facilities - defining systematic corruption which has infected the entire bureaucracy.  What can we learn?

Audits tell part of the story, and so does strong management which not only holds people accountable but is in fact in-the-trenches leadership.  Take a hard look at "Undercover Boss" and ask yourself: if the leadership of the VA had been in the trenches, could things have been any different?  Clearly the Administrator of the VA was fighting an uphill battle against liars, cheats, and more.  But "Undercover Boss" makes the point: get out of the office and get into the trenches for a reality check.  Now let's see if our USDOJ follows the Veterans Administration IG's report and starts the most necessary criminal investigations to clean the VA once and for all so that our war heroes finally get what they deserve - the best health care known to man.

We talk much in this blog about management and boards of directors.  As we should.  Organizations depend on these fine men and women to do the impossible, to be supermen and women.  But the days of hands-off management are long gone.  Whether you are in government or the private sector, if you haven't gotten that message it's high time you did.  Get out of the office and learn the reality of what is going on in the workplace.

We heard much this week about outdated technology and "scheduling".  We worry: is this a sign of times to come in government-run healthcare?  Well, those of us in technology know all too well that technology does a backflip and ten steps forward about every 60-90 days.  So if you're thinking of saving money and leveraging your entire corporation and/or government-run agency on a shoestring that has a one-time technology budget - in the immortal words from Brooklyn, NY - forget about it.

Technology is in the worst case an infant, with an appetite that rivals most young U.S. Marines in boot camp.  Belly up to the table because this infant is going to need your undying attention, your understanding and your coddling every single day of the week.  Budgeting and planning for the unexpected are another aspect over which the many who are so quick to adopt technology and outsourcing with an expectation of saving millions may want to slow down and take a deep breath.  Technology implementations are expensive, and those seeking shortcuts are only doing a royal disservice to their companies and agencies and fooling themselves.  While the passing of timely and accurate information is exciting and, used correctly, can help you turn on a dime, it comes with a fairly large investment and a huge reality check on expectations - not on the information delivered, but on the intense care and ongoing maintenance of systems, controls and people.

Take a hard look at the Veterans Administration of today and ask yourself, Mr/Mrs CEO or Agency head: could this be me?  Do I even have a clue?  We hope this, like any number of cases we bring to your attention, helps you focus not just on security but on the fundamentals of leadership and management.

If you need a trusted source and a friendly but well-grounded reality check, give us a call.  We would like your business, but we're not willing to suffer our reputation just to make a buck.

Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.






Friday, May 30, 2014

Accountability: Have you heard the call from Target yet?

At some point industry across America will face a tipping point.  A point at which lying to the U.S. Congress, failing to comprehend risk, and pointing the finger at someone else just isn't going to cut it.  Those in the front office will be held accountable at some point.  Enter TARGET.

Leadership Failure:
Have you heard the call from Target yet?  Perhaps you should.  The CEO - gone.  The CISO - gone.  The Board of Directors - now facing election, could be gone as well.  As they should be, for failing the stockholders and trustees through lack of interest and utter malfeasance of office.  For bringing incompetence into the forefront, this board and others need to be tossed.

http://www.computerworld.com/s/article/9248631/Advisory_firm_urges_ouster_of_majority_of_Target_board_members_over_breach_

IT Certification - a farce and failure?
The (ISC)2 code of ethics canons state:

1. Protect society, the commonwealth, and the infrastructure
- Promote and preserve public trust and confidence in information systems
- Promote the understanding and acceptance of prudent information security measures
- Preserve and strengthen the integrity of the public infrastructure

2. Act honorably, honestly, justly, responsibly and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis
- Observe all contracts and agreements, express or implied
- Treat all constituents fairly.  In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort.  Take care to be truthful, objective, cautious, and within your competence
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service

3. Provide diligent and competent service to principals
- Preserve the value of their systems, applications and information
- Respect their trust and the privileges that they grant you
- Avoid conflicts of interest or the appearance thereof
- Render only those services for which you are fully competent and qualified

4. Advance and protect the profession
- Sponsor for professional advancement those best qualified.  All other things equal, prefer those who are certified and who adhere to these canons
- Avoid professional association with those whose practices or reputation might diminish the profession
- Take care not to injure the reputation of other professionals through malice or indifference
- Maintain your competence; keep your skills and knowledge current.  Give generously of your time and knowledge in training others

Can we honestly believe that (ISC)2 is holding its certified membership to account for its own ethics canons?  Is this industry grist mill collecting money and not policing its own people?  After ten years of continually failing grades in breaches from every corner of the world one has to ask: is the (ISC)2 operation real, is it accountable?

As industry raced to bring down costs, adopted many Information Technology practices, and sought greater input about its clients, its prospects and its internal operations, a CISSP or other similarly designated security professional has been behind the wheel.  Are these people being held accountable?

Securing systems is for sure both an art and a science and not to be taken lightly.  Nor is there a silver bullet or magic wand to wave to make things right.  However, CEOs will have to lead; security will have to be roundly touted by, adopted by, and insisted upon by all top management executives.  Audits will have to be conducted to constructively explore where the problems are and, when found, aptly address them.  Function can take place, perhaps a little slower, to give the security personnel the opportunity to explain the risk, so that management personnel can bring it into full view for the board of directors.  These boards of directors then have the full responsibility to guide Chief Executives as well as protect shareholders from weak operations.  IT systems are difficult, and solutions are not always forthcoming.  But clearly, in breaches for the past ten years, industry has failed the public over and over again.  With no accountability until maybe now.

Thursday, May 29, 2014

eBay: How could you?

Step up eBay, the world's largest online marketplace and the next in a line of corporations who may have flaunted the very fact they too are capable of security failure.  eBay is not just another big box retailer, e-retailer, etc.; they personify e-commerce, set the standard and are in every predictable way NOT a brick-and-mortar business gone wild for everything online.  eBay is the very house that the internet era caused to be built and was ushered in by the demand for anything, anywhere at any time.

Fast forward along the breach runway from TJ Maxx, ... Target this year; the runway is littered with one company after the next who mistook market position and financial viability for a surety that they could hide from the reality.  One company, one agency after the next has shown that client data is just not secure, not safe and that the path forward is very uncertain.

To be certain, eBay does a great job of protecting applications.  Today, on an industry conference call (InfraGard: www.nym-infragard.us) known as the Thursday Call, application protection was discussed, with general agreement that eBay has done an admirable job in application security.  One senior security professional said eBay's problem is simply the M&M syndrome: a very hard outer shell vs. a soft mushy inside.  Thus you have very predictable outcomes when the inside lacks separation of duties, multi-factor authentication, privilege scaled to those with a need to know, and credential requirements for insiders that at the very least match those for people admitted from the outside.  Ambivalence cannot be tolerated when you are in a class beyond all others in the online marketplace.  eBay now is set to walk the runway of shame, knowing full well all of this could have been avoided.

As the walk of shame befalls eBay, responsibility will be fixed upon whom?  The Board of Directors, who should have been monitoring the effectiveness of operations, audits, etc., most certainly deserve the lion's share of credit.  Stockholders, beware who you vote for and put on the boards of companies that depend on the online marketplace.  Step in the regulators: Connecticut, Florida, etc., and UK authorities.  eBay just bought itself more lawsuits and official inquiries than it ever would have cost them to do the right thing, the first time.

CEO, COO, CTO, CIO, CFO, CSO, CRO....for sure avoiding the media and taking full responsibility could become downright hostile from the inside.  But each of these people owns a part of 145 million records of their clients being exposed.  As these creatures of the front office prepare to circle the wagons we must comment on the security staff whose job it is to keep the data secure and the fact that only passwords were encrypted.  Thus dates of birth, home addresses and more were left in the open.  So how many CISSPs were on staff at Target, TJ Maxx, others and now eBay?  Will their certifications be revoked?  What liability will they have in failing to do what they swore they would take care of?  Do no harm??

Angry?  Perhaps, not because of any one individual's actions or inactions, but because for ten years VERIZON has been publishing the DBIR and has listed over and over again the same recommendations.  Failure to do X will give you Y.  It's not like this is a well-kept industry secret that no one knows.  Everyone knows.  Q1 this year was Target, Q2 this year is eBay, next up?

Before Q3 hits, call in a security company and get a health checkup.  Batten down the hatches and understand the world's wolves are gunning for you.  Make no mistake, size doesn't matter.

LINKS:

http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/
http://www.scmagazine.com/states-probe-ebay-after-breach-affects-all-its-users/article/348422/
http://www.bbc.com/news/technology-27539799
http://www.theregister.co.uk/2014/05/23/ebay_security_breach_investigations/

Tuesday, May 27, 2014

DBIR 2014 significance?

Hello everyone,

Just a short post on the Verizon Data Breach Investigations Report 2014.  Verizon has done an exceptional job at improving the overall content of their report from the volume side of the house and, make no mistake, the report captures client and other added cohort details.

So what's pressing in Verizon's 2014 report?  Why read it, why bother and what's the significance?  The report is chock-full of numerous charts of the garden variety trying to tell the breach story and what some may say is the "same old story".  Just more Verizon investigation numbers added to the base.

If you just landed on earth and were concerned about security and then focused in on cyber security you might want to scratch your head.  Why?  Well, frankly Verizon has been publishing what some say is in theory the same report year over year (different numbers, greater volume, prettier charts, greater diversity)  but all in all, the same report.

At the end of the day we turned to the recommendations of the report and find that if we looked back five or ten years ago nothing much has changed.

So for 2014 our advice is to look back at the 2009 or 2004 reports and follow the security advice....if for some reason you can't follow the advice, wait another five to ten years and trust me, you'll be hearing the same thing all over again.

For 2014, a ho-hum report: pretty cover, nice charts, but the significance is lost unless your head has been buried in the sand.  In that case, it's time to wake up - read and follow the recommendations.  Here are some classic recommendations; if you see something new and astonishing, let me know:


The DBIR is packed with more detailed information and recommendations. But seven common themes are clear:
  • Be vigilant. Organizations often only find out about security
    breaches when they get a call from the police or a customer. Log
    files and change management systems can give you early warning.
  • Make your people your first line of defense. Teach staff about the
    importance of security, how to spot the signs of an attack, and
    what to do when they see something suspicious.
  • Keep data on a ‘need to know basis’. Limit access to the systems
    staff need to do their jobs. And make sure that you have processes
    in place to revoke access when people change role or leave.
  • Patch promptly. Attackers often gain access using the simplest
    attack methods, ones that you could guard against simply with a
    well-configured IT environment and up-to-date anti-virus.
  • Encrypt sensitive data. Then if data is lost or stolen, it’s much
    harder for a criminal to use.
  • Use two-factor authentication. This won’t reduce the risk of
    passwords being stolen, but it can limit the damage that can be
    done with lost or stolen credentials.
  • Don’t forget physical security. Not all data thefts happen online.
    Criminals will tamper with computers or payment terminals or steal boxes of printouts.

Let me know your thoughts, but it seems like nothing much has changed and next year we'll be reading about more breaches.

More reading:

http://www.csoonline.com/article/2157453/data-protection/needed-detection-correction.html