Tuesday, January 27

What Makes a Control Effective?

Wade Baker at the Verizon Business Security Blog posted on the definition of Effectiveness in relation to Security Controls.

I like his basic definition:

"If it does what it’s supposed to, to the degree it’s supposed to"

This highlights the need for a thorough analysis of what a control is supposed to do – and how well it's supposed to work. ...which I think sometimes gets missed among all the vendor sales and marketing materials that are designed to talk about the big picture (compliance, etc.) rather than actual functionality.

Wednesday, January 14

Bad Guy Scenario

Here's a perfect example of the insider "bad guy" threat scenario. An unhappy ex-employee came back in through an Internet-based system and put malicious code on the company's customers' servers. He installed the code on 1000 servers and crashed 25 out of the 1000. The company reports a cost of $49,000 to find and fix the problem. They also say it could have cost $4.25 million if all 1000 servers had crashed.

The Lessons:

  • Be diligent about monitoring – catching this early saved close to $4 Million
  • De-Provision (it's unclear whether the employee still had an account)
  • Include hosted and Internet systems in your de-provisioning process
  • Do security audits to find and fill holes

Although I don't think the "bad guy" scenario happens nearly as much as the "good guy" security breach scenario, it has the potential to get very expensive very quickly.
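As an added illustration of the de-provisioning lessons above (example code, not from the original post or from the company described): a small reconciliation that cross-checks HR termination dates against account exports from every system, including hosted and Internet-facing ones, and flags any account still enabled. The system names, usernames and dates are constructed for the example.

```python
# Added example: reconcile HR terminations against account inventories from
# every system (internal AND hosted/Internet-facing) and flag accounts that
# are still enabled. All systems, usernames and dates below are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str      # e.g. "ad", "hosted-crm", "vpn-portal" (constructed names)
    username: str
    enabled: bool


# Constructed sample data: termination dates from HR and per-system exports.
TERMINATED = {"jdoe": date(2009, 1, 2), "asmith": date(2008, 12, 15)}

ACCOUNTS = [
    Account("ad", "jdoe", False),          # internal account was disabled
    Account("hosted-crm", "jdoe", True),   # hosted system was missed
    Account("vpn-portal", "jdoe", True),   # Internet-facing system was missed
    Account("ad", "asmith", False),
    Account("hosted-crm", "asmith", False),
    Account("ad", "bwong", True),          # current employee, expected to be enabled
]


def orphaned_accounts(terminated, accounts, as_of):
    """Accounts still enabled for users terminated on or before as_of.
    Every hit is a de-provisioning gap that needs closing."""
    return sorted(
        (a for a in accounts
         if a.enabled and a.username in terminated and terminated[a.username] <= as_of),
        key=lambda a: (a.system, a.username),
    )


def missing_coverage(terminated, accounts, expected_systems):
    """(username, system) pairs where a terminated user has no record at all in a
    system everyone is expected to have: the export is stale or the system is
    not in the de-provisioning inventory, so it cannot be verified either way."""
    seen = {(a.username, a.system) for a in accounts}
    return sorted((u, s) for u in terminated for s in expected_systems if (u, s) not in seen)


if __name__ == "__main__":
    for acct in orphaned_accounts(TERMINATED, ACCOUNTS, date(2009, 1, 14)):
        print(f"STILL ENABLED: {acct.username} on {acct.system}")
    for user, system in missing_coverage(TERMINATED, ACCOUNTS, ["ad", "hosted-crm", "vpn-portal"]):
        print(f"NO RECORD: {user} on {system} (export stale or system not inventoried)")
```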

Tuesday, January 6

Data Breaches Up in 2008

The Washington Post reported today that data breaches were up 50% in 2008. There are probably lots of contributing factors to the increase in the statistics:

  • As the article points out, an increase in participation and sophistication of organized crime with regard to electronic crimes. I've heard this in multiple places.
  • Stricter adherence to regulations that require notification of breaches (as pointed out by Shannon McNaught on Twitter -- where I stumbled across the article)
  • Continued lack of deterrents for Crimes of Opportunity. Organizations have been slow to get serious about monitoring admin activity.
  • An increasing reliance on electronic forms of data - people and companies have increasingly become more trusting and more reliant on electronic media. This makes the data increasingly more valuable and therefore a bigger target.
  • Improved tools and sophistication that enable theft. A 16 GB USB key is an extremely effective way to quickly transfer large amounts of data without being detected. Improved technology and lower cost have introduced new and stronger threats.

The article also states that "The largest single cause of data breaches came from human error", once again affirming my proposal that by far most breaches are not malicious. I recently heard a genuine real-world story that an admin made an error on a Windows drag-and-drop (as we all sometimes do) and an entire factory was brought to a standstill -- an OU was moved in AD.

It also points out that statistics "mask the extent of the problem" because many organizations fail to report data breaches. As I said before:

Nobody calls a forensics team when an admin opens up an HR doc containing a co-worker's salary. Or when an admin creates a new account and grants full system rights in order to get a new application up and running.

We all know the implications. If you've got sensitive data, understand your risk, know what your threats are, and be proactive before you become one of the stats.