Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘cyber security’

Need A Job? Try Information Security

Monday, December 20th, 2010

If you are an out-of-work IT person looking for your next challenge, I have a suggestion: Go study information security and pursue some sort of certification like a CISSP.

According to ESG Research, 22% of mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1000 employees or more) organizations believe that they have a problematic shortage of information security skills within their IT organizations. Furthermore, of those organizations planning on hiring for new IT staff positions in 2011, 35% plan to hire for information security positions.

This data doesn’t surprise me one bit. Security professionals are always in demand, even during the depths of the recent global recession. Combine today’s malicious threat landscape, multiple security vulnerabilities, and IT complexity, and we need all the security help we can get.

WikiLeaks and Cyber Security

Thursday, December 16th, 2010

There’s been a lot written about WikiLeaks over the past few weeks–some of it fair and some a bit off base. No question that there was a security breach related to classified documents ending up on WikiLeaks but it is important to dig a bit further to define what may have gone wrong.

Here are the elements of security involved and where a breakdown may have occurred:

  1. Data classification. Every organization creates a lot of data but not all data has the same value. To distinguish between pedestrian and top secret data, many organizations employ some type of taxonomy for data classification. This should create a hierarchy of data, from public to top secret, where each type of data has different access policies and security controls. This is what should happen but it often doesn’t. In a 2009 ESG Research survey, 33% of the security professionals surveyed rated their enterprise organization as either “fair” or “poor” at classifying and tracking confidential data. The point here is that most organizations have sensitive data around that is not treated as such.
  2. Access control. Access to sensitive data should adhere to the principle of least privilege which means that the data should only be accessible by users who need to see it to do their jobs. Easier said than done. If data is too restricted, workers complain, and there is a general feeling that data visibility leads to creativity and productivity. It is likely that people who shouldn’t have had access to the WikiLeaks documents did.
  3. Acceptable use policy. These policies define what employees can and can’t do with sensitive data. Everyone has them but few organizations make sure that users read them, understand them, and know the ramifications of a policy violation.
  4. User behavior monitoring. I know this one sounds Orwellian and to some extent it is but there has to be an audit trail indicating who accessed which sensitive documents. Some organizations go further and either restrict what users can do with these documents (i.e., digital rights management or enterprise rights management), or at least monitor what they actually do when they access sensitive documents (i.e., email them, print them, save them to a USB drive, etc.). Again, this isn’t easy to do and in my opinion many organizations either don’t monitor user behavior at all or don’t do it very well.
  5. Insider attacks. Most large organizations have their fair share of alienated employees willing to expose or steal sensitive data. This is especially problematic if these malcontents work in IT or have especially high security privileges. Obviously, the problem gets worse if alienated employees work at organizations with poor security controls, weak policies, AND lots of sensitive data.
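The five elements above, as a small added model that is not ESG's code or any real system's: an ordered classification hierarchy, a least-privilege check that requires both clearance and need-to-know, an audit trail of who touched which document, and a monitor over that trail that flags a user exporting an unusual number of sensitive documents in a short window. The users, documents and threshold are constructed for the illustration.

```python
"""Classification-aware access control with an audit trail and an export
monitor. Constructed illustration; the corpus, users and thresholds are
made up and not taken from any real organization."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# 1. Data classification: an ordered hierarchy from public to top secret.
LEVELS = {"public": 0, "internal": 1, "confidential": 2,
          "secret": 3, "top secret": 4}
EXPORT_ACTIONS = {"email", "print", "usb"}   # what users DO with documents


@dataclass
class Document:
    doc_id: str
    level: str
    compartment: str          # need-to-know group (a desk, project, region)


@dataclass
class User:
    name: str
    clearance: str
    compartments: set


@dataclass
class AuditEvent:
    when: datetime
    user: str
    doc_id: str
    action: str               # "read", "email", "print", "usb"
    allowed: bool


class DocumentStore:
    def __init__(self, docs):
        self.docs = {d.doc_id: d for d in docs}
        self.audit = []       # 4. audit trail: every attempt, allowed or not

    def authorize(self, user, doc):
        # 2. Least privilege: clearance must dominate the label AND the user
        # must hold the document's compartment; public data needs neither.
        return (LEVELS[user.clearance] >= LEVELS[doc.level]
                and (doc.level == "public"
                     or doc.compartment in user.compartments))

    def access(self, user, doc_id, action, when):
        doc = self.docs[doc_id]
        ok = self.authorize(user, doc)
        self.audit.append(AuditEvent(when, user.name, doc_id, action, ok))
        return ok


def flag_bulk_exports(store, window=timedelta(hours=1), threshold=20,
                      min_level="confidential"):
    """Users who exported more than `threshold` documents at or above
    `min_level` inside any sliding `window`. Denied attempts count too: a
    burst of refusals is as worth a look as a burst of successes."""
    per_user = defaultdict(list)
    for ev in store.audit:
        doc_level = LEVELS[store.docs[ev.doc_id].level]
        if ev.action in EXPORT_ACTIONS and doc_level >= LEVELS[min_level]:
            per_user[ev.user].append(ev.when)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:       # slide the window
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[user] = best
    return flagged


def demo():
    docs = [Document(f"cable-{i}", "secret", "cables") for i in range(30)]
    docs += [Document("budget-1", "secret", "finance"),
             Document("ts-1", "top secret", "cables"),
             Document("press-1", "public", "pr")]
    store = DocumentStore(docs)
    analyst = User("analyst", "secret", {"cables"})
    clerk = User("clerk", "confidential", {"cables"})
    t0 = datetime(2010, 12, 16, 9, 0)
    results = {
        "read_own": store.access(analyst, "cable-0", "read", t0),
        "no_need_to_know": store.access(analyst, "budget-1", "read", t0),
        "over_clearance": store.access(analyst, "ts-1", "read", t0),
        "public": store.access(clerk, "press-1", "read", t0),
        "clerk_secret": store.access(clerk, "cable-1", "read", t0),
    }
    for i in range(25):   # one user copies 25 secret cables to USB in 25 min
        store.access(analyst, f"cable-{i}", "usb", t0 + timedelta(minutes=i))
    for i in range(3):    # a few denied e-mail attempts stay below threshold
        store.access(clerk, f"cable-{i}", "email", t0 + timedelta(minutes=i))
    results["flagged"] = flag_bulk_exports(store)
    return results
```

The audit list is the only input the monitor needs, so the same check runs unchanged over an exported log instead of the in-memory store.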

It’s easy to point fingers at the State Department or Federal Government but any security professional can tell you that these problems are fairly pervasive. In fact, see the recent ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure,” for more alarming data about how vulnerable we are (the report can be downloaded at www.enterprisestrategygroup.com).

The sooner we realize and address these cyber security vulnerabilities, the better. This won’t eliminate breaches like the embarrassing WikiLeaks events, but it will lower the risk.

Apple and Google Make the Department of Defense Jump Through Hoops for Mobile Device Security

Thursday, December 9th, 2010

Despite the unseasonably cold weather, I participated in a mobile security event yesterday at the historic Willard hotel in Washington DC. I set the stage and presented a bunch of ESG Research data on mobile device use, security, and management. Other organizations presenting included the Defense Information Systems Agency (DISA), the (NRC), the US Patent and Trademark Office, and Juniper Networks.

It turns out that DISA is doing some very interesting things around mobile computing. For example, members of the US military can access an information portal called Defense Knowledge Online from their mobile phones. DISA also talked about a program called Go Mobile meant to provide numerous communications, training, and collaboration applications to mobile soldiers.

Since we are talking about the US Department of Defense, mobile device security is a critical requirement for this program so Go Mobile includes user authentication, secure data storage and transfer, secure device management, etc.

Initially Go Mobile was built for BlackBerry devices but DISA is now adding support for Apple iPhones and Android phones because of high demand from users. Unfortunately, adding iPhone and Android support is more difficult than DISA anticipated. Why? Because both Apple and Google refuse to give DISA access to their security APIs, so DISA had to do a series of workarounds to meet its security requirements. For example, DISA had to add an external Bluetooth device to provide secure personal networking capabilities because Apple wouldn’t provide API access to its iPhone security stack.

Hold the phone here! Apple and Google aren’t willing to provide additional technical support to the United States Department of Defense? Nope. One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to “talk to our integrators and carriers.”

I understand that Apple and Google want to control their technology. If Citi or GE asked for API access, perhaps it would make technical sense to refuse but we are talking about the Department of Defense here.

Apple and Google have a market advantage and they know it — Androids and iPhones are so popular that Apple and Google can thumb their noses at DOD. In most cases, DOD would exercise cyber supply chain security best practice and refuse to purchase insecure Androids or iPhones at all. The fact that DOD is going the extra mile and developing workarounds demonstrates that it is willing to do the right thing for American troops in spite of this lack of industry cooperation.

It seems to me that Apple and Google are making self-centered bad decisions here that won’t play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies. Providing API access to DOD is the patriotic and moral thing to do, especially since DOD is opening the door to lots of sales opportunities for both companies.

WikiLeaks, Critical Infrastructure, and Cyber Security

Tuesday, December 7th, 2010

The world is up in arms about the WikiLeaks release of a secret cable written in 2009 revealing over 100 facilities that the United States considers Critical Infrastructure and Key Resources (CIKR). The list includes undersea communications cables, hydroelectric plants, pharmaceutical facilities, and chemical manufacturing plants.

Yes, exposing specific facilities is a problem but it would be relatively easy for a diligent adversary to go through publicly-available information and piece together a similar list. WikiLeaks made this task easier but these critical infrastructure organizations and segments weren’t the best kept secret before the documents were posted.

Aside from focusing on these leaks, we must also ask ourselves an important related question: Are these critical infrastructure facilities vulnerable to attack?

I leave the question of physical vulnerability to the military, intelligence, and law enforcement community but I will comment on critical infrastructure vulnerability as it relates to cyber security. According to the recently published ESG Research Report, “Assessing Cyber Supply Chain Vulnerabilities in the U.S. Critical Infrastructure,” 20% of the critical infrastructure organizations surveyed said that their existing security policies, processes, and technology safeguards were “fair” or “poor.” (Note: The entire report is available for download on the ESG website, www.enterprisestrategygroup.com). Additionally, the research indicated that the health care sector tended to be less secure than other industries, which is particularly troubling in light of the WikiLeaks documents.

If I were the CISO at the pharmaceutical facilities identified in France and Denmark, I’d be doing emergency vulnerability assessments and making risk management decisions as a result of WikiLeaks. The ESG data indicates that this type of cyber security behavior shouldn’t be limited to facilities identified on WikiLeaks, however; rather, it should be persistent across all critical infrastructure organizations.

Are Critical Infrastructure Organizations Unaware of Security Incidents?

Monday, December 6th, 2010

According to the recently published ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure,” 68% of the critical infrastructure organizations surveyed had suffered at least one security breach over the past 24 months.

As if this wasn’t bad enough, the data reveals another alarming trend — organizations with the strongest levels of security are also the ones reporting the highest number of security incidents. Based upon survey responses about cyber supply chain security, ESG created a segmentation model with three groups: 1) Strong cyber supply chain security, 2) Marginal cyber supply chain security, and 3) Weak cyber supply chain security. As expected, organizations with strong cyber supply chain security had superior overall security as well.

Here is how the data breaks out when analyzed against the ESG cyber supply chain security taxonomy:

  • 79% of “strong cyber supply chain security” organizations suffered at least 1 security breach in the last 24 months
  • 73% of “marginal cyber supply chain security” organizations suffered at least 1 security breach in the last 24 months
  • 53% of “weak cyber supply chain security” organizations suffered at least 1 security breach in the last 24 months

It could certainly be the case that the most secure organizations are the ones under attack most often, but there is another possible, and more frightening, thesis: organizations with weak security may be unaware that they are under attack. After all, if you have weak processes, tools, controls, and security skills, it might be difficult to spot some of the more sophisticated malicious code or insider attacks.

If this is true, weak security at critical infrastructure organizations threatens national security and thus must be addressed.

Corporate Executives Remain Lukewarm on Cyber Security

Thursday, December 2nd, 2010

What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.

In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:

  • 25% selected: “Excellent, executive management is providing an optimal level of investment and support”
  • 49% selected: “Good, executive management is providing an adequate level of investment and support but we could use more”
  • 21% selected: “Fair, executive management is providing some level of investment and support but we could use much more”
  • 2% selected: “Poor, executive management is providing little to no investment and support”
  • 3% selected: “Don’t know/No opinion”

Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.

I believe there are several problems here:

  1. Executive management doesn’t understand the risks and thus simply eschews cyber security investment.
  2. Security professionals speak in a geeky dialect that executives can’t understand, creating a communications gap.
  3. Many executives believe that a security incident would result in an inconvenience and a slap on the wrist rather than a major service outage.

It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60-year-old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.

Are IT Vendors Getting a “Free Pass” On Cyber Security?

Wednesday, December 1st, 2010

Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.

Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. Unfortunately, this type of security due diligence is usually not done.

According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:

  1. Only 31% of the critical infrastructure organizations surveyed always audit the security processes of their strategic software vendors (i.e., business applications, productivity applications, databases, operating systems, etc.). As bad as this is, even fewer organizations always audit their strategic infrastructure vendors (i.e., servers, storage, networking, security devices, etc.), professional services vendors, or VARs/distributors.
  2. When critical infrastructure organizations do conduct security audits, the audits tend to vary by vendor. Only 33% say that “all vendor security audits follow the same standard processes and procedures.” This means that some vendors get put through the proverbial grinder while others get a superficial inspection.
  3. In many cases, vendor audits seem to be a “check box” activity rather than a true security requirement. Forty-seven percent of critical infrastructure organizations say that they “prioritize vendors that achieve a desired security profile but still may buy from other vendors.” In other words, a secure product/vendor may be pushed aside and substituted with an insecure alternative.

Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.

In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.

Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security–or insecurity–carte blanche.

Critical Infrastructure Organizations Want Cyber Security Help From the Government

Tuesday, November 30th, 2010

ESG recently published a new research report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.

As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”

Okay, but what exactly should the government do? ESG asked this question as well–here are the results:

  • 42% said, “create and publicize a ‘black list’ of vendors with poor product security”
  • 42% said, “create better ways to share security information with the private sector”
  • 39% said, “enact more stringent cyber security legislation along the lines of PCI”
  • 39% said, “provide incentives (i.e., tax breaks, matching funds, etc.) to organizations that improve cyber security”
  • 36% said, “amend existing laws to hold IT vendors liable for security problems associated with their products”
  • 32% said, “enact legislation with higher fines for data breaches”
  • 26% said, “limit government IT purchases to vendors that demonstrate a superior level of security in their products and processes”
  • 23% said, “promote the use of FIPS-140 and common criteria certified products in the private sector”
  • 23% said, “provide funding for cyber security funding and education”
  • 22% said, “adopt and fund a public service campaign around cyber security education”

Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.

One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.

New ESG Research Report Points To Security Vulnerabilities In the US Critical Infrastructure

Monday, November 29th, 2010

In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).

Soon after PDD-63, Deputy Defense Secretary John Hamre cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”

It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation... we’re not as prepared as we should be, as a government or as a country.”

The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.

ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:

  1. Sixty-eight percent of the CIKR organizations surveyed suffered at least 1 security breach in the last 24 months. Alarmingly, the organizations with the strongest security policies, procedures, and defenses suffered the highest number of security breaches. It is possible that security-challenged CIKR organizations are under attack but lack the security skills and tools to remediate security incidents.
  2. Twenty percent of those surveyed rated their CIKR organization’s security policies, procedures, and technology safeguards as “fair” or “poor.”
  3. Seventy-one percent of survey respondents believe that the threat landscape will get worse in the next 24-36 months (26% believe it will be “much worse”).
  4. Almost one-third of respondents (31%) believe that the US Federal Government “should be significantly more active with cyber security strategies and defenses.”

Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT–technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.

In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.

Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk and more action. Hopefully, this report helps accelerate this activity.

Server Virtualization Security: A Lot More Work Is Needed

Monday, October 25th, 2010

If you attended VMworld in late August, you know that virtualization security was featured extensively. Ditto for VMworld Europe where VMware CEO Paul Maritz included a few security slides in his keynote presentation. Maritz and VMware get it–virtualization security has been somewhat neglected until recently. If server virtualization is truly to become next-generation cloud infrastructure, security must be integrated throughout the technology.

VMware vShield and partner products are a great start toward bridging this virtualization security gap. Unfortunately, security technology is only part of the problem. ESG recently surveyed 463 large mid-market (i.e., 500-1000 employees) and enterprise (i.e., more than 1000 employees) organizations in North America to gauge how they were using server virtualization technology. The goal was to understand current use, future plans, successes, and challenges. It turns out that security problems are pretty persistent. For example:

  1. Security is often an afterthought. You know the “throw it over the wall” IT story? It happens here with security. Server virtualization projects are often well along the way before the security team gets involved. In these cases, server virtualization infrastructure adds security risk from the get-go.
  2. Security professionals lack server virtualization skills. When the security team gets called into the project, they aren’t really qualified to help. Since projects tend to continue, server virtualization security risks increase while the security team gets up to speed.
  3. There are no best practices. This may be changing but security professionals complain that server virtualization security doesn’t fit neatly into existing security frameworks and operating models.

In aggregate, there is a people problem (i.e., security skills), an organizational problem (i.e., project management/cooperation), and a process problem (i.e., no best practices). Yes, these issues do ease over time but it is clear to me that they never go away. At some point, highly-regulated organizations are likely to slow down server virtualization projects to address these security gaps. When this happens, server virtualization/cloud vendors will see sales slow to a crawl.

VMware is a technology company so it is doing what comes naturally–addressing security holes with new products and industry relationships. Nevertheless, VMware needs additional help from standards bodies, IT and security professional organizations, and professional services firms. The ESG Research clearly illustrates that server virtualization is a paradigm-shifting technology that changes IT organizations and processes. The real revolutionary potential of server virtualization won’t occur until IT organization and process changes become as pervasive as hypervisors.

© 2010 Enterprise Strategy Group, Milford, MA 01757