Information Class Warfare part V

Information Security Process: Repeat
August 30, 2013


Information security, like all relationships, requires time and effort. I use a security management system that works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and recovery easier and faster.


Repeat: yes, more than just to keep you, as a security professional, relevant to your employer, but also because the steps should be repeated at sporadic intervals.

Perhaps this is the most important step: all of the previous steps should be repeated.

Classification: Revisit your information classification document at least annually to check whether types of information need to be added or removed. I have found that the levels of security and access rarely change; more likely, some services have been added or removed in the past year, so the information associated with those products needs to be added to, or removed from, the scope of your security planning.

Securing Devices: These documents should be revisited more often. A scheduled review should be done at least every six months, but they should also be revisited every time a new vulnerability is released for the various systems or networks, to verify that adequate controls are in place to mitigate a loss and that security is still at the same level it was before the vulnerability was known.

Auditing procedures are generally an ongoing activity, but the guidelines and tools should be reviewed at least annually to see if there are better ways to make the job of auditing easier.

Education for each employee should be part of the on-boarding process, with static links pointing them to useful information specific to their job, and time should be set aside to visit each team at least once a year to see if they have any new issues they wish to address. Short fifteen-minute meetings do not impact productivity, and longer detailed questions can be answered outside the meeting.

I hope this short series of articles was of use to you; these are some general principles that I use every day as an information security professional.


.wdnii.
© 2013 Norris Proprietaries Inc.

Information Class Warfare part IV

Information Security Process: Security Education
August 29, 2013

Information security, like all relationships, requires time and effort. I use a security management system that works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and recovery easier and faster.


Security education is always an interesting topic for me to espouse. It can be done in large meetings with PowerPoint slides, whiteboards and boring speeches, just to show that you have exposed every employee to the magic of security. Another alternative is the various online materials that employees can use on their own; the more interesting aspect is that your employees can refer back to these materials when they are actually useful.

Another way to avoid large auditoriums and conference rooms full of employees who would rather be working and helping the company keep and create revenue is to hold small, short meetings with the various teams and, if longer discussions are needed, to break those into several small 15-minute meetings. Get directly to the specific points and flaws, and to how they can best keep your company's information accessible, correct and private. This of course requires you, as a security professional, to spend many more hours preparing different presentations and holding many more meetings, spending much more time talking than the standard several-hour big speech, which usually causes more confusion and glazed expressions than it does a better security posture for your company. This method also lets your coworkers know that you are available if they have any issues or questions.

The educational points on which I like to focus are that security is each person's responsibility and, as they say in New York, "If you see something, say something". These general speaking points can be tailored into relevance for almost every group. I also try to let them describe what they feel are the relevant security issues in their departments, doing this twice: once at the beginning of the presentation and again at the end, after they have had a chance to hear why you think the various pieces of their job are important.

A few don'ts about your presentation: don't try to prove you are an expert in their field, don't try to be their friend, and don't oversimplify your requirements.

I hope this is helpful; these are just a few tricks that I use every day in my various roles as a security professional.


.wdnii.
© 2013 Norris Proprietaries Inc.

Information Class Warfare part III

Information Security Process: Internal Auditing
August 28, 2013


Information security, like all relationships, requires time and effort. I use a security management system that works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and business recovery easier and faster.


I cover auditing of the various security policies in this short article. It is perhaps one of the driest pieces of this repetitive puzzle, unless you decide to make it a game.

Continuous scanning is one of the best methods to secure internal and external networks. It will detect poorly configured servers before external auditors or hackers do, and alert you to each device someone attempts to slip onto your network. Using a log consolidation system helps identify threats and attacks, but it can also be used for auditing. Attack each server with one of the various vulnerability frameworks, rotating through them only during maintenance windows or when agreed with the product owner. The logs will help indicate whether there are any additional vulnerabilities that can be exploited, alongside the framework's reporting.
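The detection side of continuous scanning, as an added example that is not part of the original article or the author's tooling: compare each scan against an approved baseline so that a device nobody registered, or an approved server that has started listening on something new, shows up as a finding rather than being lost in the raw scan output. The baseline, the simplified one-line-per-open-port scan format and the host addresses are all constructed for this example.

```python
"""Baseline comparison for continuous scanning results (added example)."""
from dataclasses import dataclass, field

# Constructed baseline, as an asset register would hold it:
# host -> (owner/role, set of approved listening ports)
BASELINE = {
    "10.0.1.10": ("dns-external", {53}),
    "10.0.1.11": ("dns-internal", {53, 22}),
    "10.0.1.20": ("web-frontend", {80, 443, 22}),
}

# Constructed scanner summary: "host port/proto state", one line per port.
# 10.0.1.20 has grown an extra service; 10.0.1.99 is not in the register at all.
SCAN_OUTPUT = """\
10.0.1.10 53/udp open
10.0.1.11 53/udp open
10.0.1.11 22/tcp open
10.0.1.20 80/tcp open
10.0.1.20 443/tcp open
10.0.1.20 22/tcp open
10.0.1.20 8080/tcp open
10.0.1.99 445/tcp open
10.0.1.99 3389/tcp open
"""


def parse_scan(text):
    """Return {host: set(ports)} from the constructed format, keeping only open ports."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue  # closed/filtered lines and malformed lines are ignored
        host, port_proto = parts[0], parts[1]
        port = int(port_proto.split("/")[0])
        hosts.setdefault(host, set()).add(port)
    return hosts


@dataclass
class Findings:
    unknown_hosts: dict = field(default_factory=dict)     # host -> observed ports
    unexpected_ports: dict = field(default_factory=dict)  # host -> ports not approved
    missing_ports: dict = field(default_factory=dict)     # host -> approved ports not seen
    silent_hosts: list = field(default_factory=list)      # baselined hosts absent from scan


def compare(baseline, observed):
    """Diff observed hosts/ports against the baseline; every deviation becomes a finding."""
    f = Findings()
    for host, ports in observed.items():
        if host not in baseline:
            f.unknown_hosts[host] = ports   # someone slipped a device onto the network
            continue
        approved = baseline[host][1]
        extra, missing = ports - approved, approved - ports
        if extra:
            f.unexpected_ports[host] = extra   # configuration drift or new service
        if missing:
            f.missing_ports[host] = missing    # service down, or scan blocked
    for host in baseline:
        if host not in observed:
            f.silent_hosts.append(host)        # approved host did not answer at all
    return f


def audit(scan_text=SCAN_OUTPUT, baseline=BASELINE):
    return compare(baseline, parse_scan(scan_text))


if __name__ == "__main__":
    result = audit()
    for name in ("unknown_hosts", "unexpected_ports", "missing_ports", "silent_hosts"):
        print(f"{name}: {getattr(result, name)}")
```

The baseline is the approved state, not the last scan; diffing against the last scan would silently accept drift after one cycle. Missing and silent entries are reported alongside extra ones because a host that stops answering during a scan window is as worth a look as one that starts listening.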

The game I generally see security professionals play is to attack servers and try to find vulnerabilities before the system or network engineers are able to patch those servers. This always encourages poor cooperation between these teams, which succeed or fail only with each other's help. A more interesting way is to hire outside auditors to test your site security or internal corporate security, and then run your own internal tests to see if you can find more vulnerabilities than they did. This is always more rewarding and rarely incurs the wrath of those on your own team.

Internal auditing is a crucial piece of the security puzzle, and must be executed regularly to maintain a working and thorough knowledge of your networks, your perimeters and the success of your policies.

.wdnii.
© 2013 Norris Proprietaries Inc.

Information Class Warfare part II

Information Security Process: Securing (policies)
August 8, 2013


Information security, like all relationships, requires time and effort. I use a security management system that works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and recovery easier and faster.

I cover securing information devices and paths in this article in a general way, though I can provide more specific resources.

Securing is a multi-part process. The first part is taking the original classification of critical systems and information paths and using it to derive specific security policies for each type of device. A security policy should state why it exists and which pieces of the organization it is trying to secure. Also, while it may seem trivial, a date, revision history and revision number are useful.

Each security policy should list the types of networks, devices and data that are included and excluded. For example, a machine which runs DNS (Domain Name Service) externally will most likely have different restrictions from a machine which runs DNS internally. The same goes for routers: external routers may have different types of restrictions and required processes than internal routers.

A security policy should list the roles and responsibilities of the system, of the information, and/or of the people who administer and use that system and/or the data located on that device. Some systems are critical and the business will fail if those systems are impacted, whether by a security breach or a natural disaster, so some security policies require a business recovery plan for getting those systems back online. This can be done via an active/active solution, so that the system and data recover without interruption. A hot standby solution usually involves a short interruption, which is usually considered not to impact any revenue generation. A cold standby site is another solution, where a copy of the data is kept and, depending on the requirements, the site can usually be back online in minutes to hours. The least expensive solution is to have off-site backups, from which an entire site can be rebuilt from scratch, but the downtime can be quite extensive.

A security policy should list the authoritative documentation for the systems and information being secured, such as any relevant technical books, Internet RFCs and vendor documentation. You should also reference other relevant security policies and mention that they should be used as well. This is the easiest section to write.

My security policies include examples of configuration files and which sections of those files are required to be used, as well as how the program should be run: the user and group designations, the user and group ID numbers, and even the location on the file system where the programs should be installed.

Finally, there should be a section stating which audit procedures will be used and what type of external controls will be placed around this type of system. Again, for a DNS server this can mandate where the log files are written and how often the system is audited.
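The checkable parts of such a policy, as an added example that is not one of the author's policy documents: the required configuration sections, the user/group and numeric IDs the program must run as, its location on the file system, where its logs go, and the audit interval are written down once as data, and a host snapshot is verified against them. The policy values, the simplified `key value;` configuration syntax (not real BIND syntax), and the process snapshot are all constructed for this example; the point is that a policy written in this form can be audited mechanically instead of by reading.

```python
"""Checking a host snapshot against a written security policy (added example)."""

# Constructed policy for an external DNS server, with the metadata the article asks for.
POLICY = {
    "name": "External DNS Server Policy",
    "revision": 3,
    "date": "2013-08-08",
    "scope": {"included": ["external DNS resolvers"], "excluded": ["internal DNS"]},
    "run_as": {"user": "named", "uid": 25, "group": "named", "gid": 25},
    "program_path": "/usr/sbin/named",
    "log_path": "/var/log/named/",
    # required directives and the exact value each must carry
    "required_directives": {"recursion": "no", "allow-transfer": "none", "version": "none"},
    "audit_interval_days": 90,
}

# Constructed snapshot of one host: its config text, the running process, last audit age.
# Deliberately missing the "version" directive and overdue for audit.
HOST = {
    "config": """\
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };
    logging-dir "/var/log/named/";
};
""",
    "process": {"user": "named", "uid": 25, "group": "named", "gid": 25,
                "exe": "/usr/sbin/named"},
    "days_since_audit": 120,
}


def parse_directives(config_text):
    """Tiny parser for the constructed 'key value;' syntax; braces and quotes are stripped."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.endswith("{") or line.startswith("}"):
            continue  # block openers/closers carry no directive
        key, _, value = line.partition(" ")
        value = value.replace("{", "").replace("}", "").replace(";", "").strip().strip('"')
        directives[key] = value
    return directives


def check_host(policy, host):
    """Return a list of (control, detail) violations; an empty list means compliant."""
    violations = []
    directives = parse_directives(host["config"])
    for key, wanted in policy["required_directives"].items():
        have = directives.get(key)
        if have != wanted:
            violations.append((f"directive {key}", f"expected {wanted!r}, found {have!r}"))
    proc = host["process"]
    for attr in ("user", "uid", "group", "gid"):   # names and numeric IDs both checked
        if proc.get(attr) != policy["run_as"][attr]:
            violations.append((f"run_as {attr}",
                               f"expected {policy['run_as'][attr]!r}, found {proc.get(attr)!r}"))
    if proc.get("exe") != policy["program_path"]:
        violations.append(("program_path",
                           f"expected {policy['program_path']}, found {proc.get('exe')}"))
    if directives.get("logging-dir") != policy["log_path"]:
        violations.append(("log_path",
                           f"expected {policy['log_path']}, found {directives.get('logging-dir')!r}"))
    if host["days_since_audit"] > policy["audit_interval_days"]:
        violations.append(("audit overdue", f"{host['days_since_audit']} days since last audit"))
    return violations


if __name__ == "__main__":
    print(f"{POLICY['name']} rev {POLICY['revision']} ({POLICY['date']})")
    for control, detail in check_host(POLICY, HOST):
        print(f"  VIOLATION {control}: {detail}")
```

Both the account name and the numeric ID are compared, because a policy that names only `named` is satisfied by any account that happens to carry that name, including one recreated with a different UID after a rebuild. The audit-interval check turns the "how often the system is audited" clause into a finding rather than a sentence.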

Overall, though, my philosophy of security is that the information provided needs to be available and accurate when needed. So the data or information categorization needs to be clearly linked to the consumers that use each resource, and to how these security procedures allow those consumers access to the correct information while not allowing the information to become corrupt, the consumers to become compromised, or the consumers to compromise the data for any valid use.


.wdnii.
© 2013 Norris Proprietaries Inc.

Information Class Warfare part I

Information Security Process: Classification
August 1, 2013


Information security, like all relationships, takes time and effort. I use a security management system that works well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and recovery easier and faster.


I cover only information classification in this article; it is the most ethereal part of the process. Every other step's effectiveness can be measured quantitatively, but classification is qualitative.


I first identify the pieces of information vital to the company's survival and vital to its growth, and then protect against losing any company secrets. This protects the company's present, its future and its advantages over its competition. I label this information confidential and apply that tag to any device that has control of it, such as routers, switches, servers, laptops, cell phones, desks, offices, secretaries, conference rooms and the corporate phone system, for example. All of these provide a way for this information to be compromised, to fall into the wrong hands, or to be lost, which could be even worse.


How valuable is something? Information is an abstract concept, but it represents tangible assets in my corporate world. I came up with a few rules for determining the value of various corporate assets and information. First, how valuable is it to the company? How valuable will it be tomorrow? How valuable will it be 5 years from now? Second, how valuable is it to a department in the company, and how valuable is that department? And finally, how valuable would this be to a competitor?


Creating this inventory of information locations, and of which pieces of technology they traverse on a given day, gives a decent idea of what needs to be secured. For the smaller companies I generally find every piece of technology needs to be secured and maintained, because high-value information passes through multiple times a day. For larger companies this list has been more granular.


While coming up with this classification matrix is necessary, generally most servers, routers, switches and laptops have the same or a similar configuration. But this is not the case in every environment, and especially not with Bring Your Own Device.
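The classification matrix itself, as an added example that is not the author's own inventory: each information type carries answers to the valuation questions above and the list of technology it crosses on a typical day, and every device inherits the highest classification of anything that passes through it. The information types, the 0-3 scores, the device names, and the thresholds in `classify` are all constructed assumptions; the part worth keeping is that the matrix records which information drives each device's level, so you can see what a later reclassification would change.

```python
"""Deriving a device classification matrix from an information inventory (added example)."""

LEVELS = ["public", "internal", "confidential"]   # ordered lowest to highest

VALUE_KEYS = ("value_now", "value_tomorrow", "value_5y",
              "dept_value", "dept_importance", "competitor_value")

# Constructed inventory: answers to the article's valuation questions on a 0-3
# scale, plus the technology each information type traverses on a typical day.
INVENTORY = {
    "customer contracts": {
        "value_now": 3, "value_tomorrow": 3, "value_5y": 2,
        "dept_value": 3, "dept_importance": 3, "competitor_value": 3,
        "traverses": ["mail-server", "file-server", "laptop-sales", "printer-floor2"],
    },
    "press releases": {
        "value_now": 1, "value_tomorrow": 0, "value_5y": 0,
        "dept_value": 1, "dept_importance": 1, "competitor_value": 0,
        "traverses": ["mail-server", "web-server"],
    },
    "product roadmap": {
        "value_now": 2, "value_tomorrow": 3, "value_5y": 3,
        "dept_value": 3, "dept_importance": 2, "competitor_value": 3,
        "traverses": ["file-server", "conference-room-av", "laptop-eng"],
    },
}


def classify(answers):
    """Map valuation answers to a level (thresholds are constructed assumptions).

    Anything a competitor would value, or that is highly valuable today, is
    confidential; anything with any value at all is at least internal."""
    if answers["competitor_value"] >= 2 or answers["value_now"] >= 3:
        return "confidential"
    if max(answers[k] for k in VALUE_KEYS) >= 1:
        return "internal"
    return "public"


def device_matrix(inventory):
    """Return {device: (level, {information type: its level})}.

    A device takes the highest level of any information crossing it, and keeps
    the per-type levels so the reason for its classification stays visible."""
    matrix = {}
    for info, rec in inventory.items():
        level = classify(rec)
        for device in rec["traverses"]:
            cur_level, drivers = matrix.get(device, ("public", {}))
            drivers[info] = level
            if LEVELS.index(level) > LEVELS.index(cur_level):
                cur_level = level
            matrix[device] = (cur_level, drivers)
    return matrix


def single_points(matrix):
    """Devices whose level rests on exactly one information type: reclassifying
    that one type (or rerouting it) would change what the device needs."""
    out = {}
    for device, (level, drivers) in matrix.items():
        at_level = [i for i, lvl in drivers.items() if lvl == level]
        if len(at_level) == 1:
            out[device] = at_level[0]
    return out


if __name__ == "__main__":
    m = device_matrix(INVENTORY)
    for device in sorted(m, key=lambda d: -LEVELS.index(m[d][0])):
        level, drivers = m[device]
        print(f"{device:20} {level:13} <- {', '.join(sorted(drivers))}")
    print("single points:", single_points(m))
```

Run on the constructed inventory, the file server is confidential because of two independent information types, while the sales laptop and the floor printer are confidential only because contracts cross them; that is the kind of detail the annual classification review in Part V needs in order to decide what changes when a service is added or removed.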


While this view may seem overprotective and intrusive, it is just to bring to the company's attention where their highest-level vulnerabilities are. Securing is a separate issue and usually does not have to disrupt current business practices.


.wdnii.
© 2013 Norris Proprietaries Inc.