Human Resources

Human Resources, the Missing Piece From Every Security Program

Like a ‘service on the Internet’ – which we’ve had for decades – is now called The Cloud, Human Resources is now known by more touchy-feely names. Talent, People, Employee Success, all sound great, but they don’t represent a fundamental shift in the functions they perform. Or even HOW they perform those function from what I’ve seen.

Regardless of what the department is called, I’ve never seen one take an active part in their organisation’s security program. Not one, in the better part of 20 years, and as I hope to demonstrate, this a significant loss to everyone concerned.

HR are usually the very first people in an organisation that you talk to, often even before the interview process begins. They are first ones who can instill the security culture in new candidates from the get-go. Anyone who has tried to implement a security awareness program knows that the loss of this ‘first impression’ makes the task exceedingly difficult. Unnecessarily so. If the joiners had just been told how important security is, AND received appropriate training, they would just accept it as a fact of life. Try and force it on them after they have already learned the bad behaviours and your impact is enormously reduced.

But there are 5 fundamental areas in security, that with HR’s help, would be significantly more effective:

o

  1. Onboarding – As I have already stated above, HR are the first people with whom new employees have interaction. The onboarding process is the perfect time to get everything out on the table. From Acceptable Use Policy / Code of Conduct, to security awareness training, security can be instilled from the very beginning. Now imagine if the CEO had a welcome letter prepared that emphasised the importance of data protection / privacy. Imagine further that this letter detailed what is expected them, and to take this aspect of their jobs seriously. There is ZERO cost associated with any of this, yet the positive impact of the security culture is immeasurable.
    o
  2. Role Based Access Control – The hint is in the title; ROLE based. If HR broke the org chart into specific roles, granting appropriate access to all joiners, movers , and leavers would be that much simpler. In theory, everyone gets what I call ‘base access’, usually consisting of email address and domain access. A role could then receive everything they need to perform their basic job functions automatically. Then, an individual could apply for any additional access they require. Everything is now recorded appropriately, allowing for not only a demonstrable access control process, but the raw material for all access reviews. Especially those with elevated privileges.
    o
  3. Policies, Standards, and Procedures – If you accept that policies represent the distillation of the corporate culture, standards are the baselines of ‘known good’ configurations, and procedures are the sum of all corporate knowledge, why aren’t these distributed at the beginning? First, most organisations don’t even HAVE these documents in place, at least not in a condition to meet the above criteria anyway. Second, even if they did exist, HR take no part in their distribution. Why not? If they assisted with RBAC per 2. above, surely it’s a simple step to have the relevant department heads which documents should be attributed to a specific role? Can you imagine it, every new employee knows 1) what they should and should not do, 2) how to do it, and 3) what to do it with!
    o
  4. Security Awareness Training – OK, so HR are not security experts and will take very little part in developing the SAT content, but they should be involved in HOW it’s delivered. HR are the people experts, IT and IS professions are usually quite the opposite. Training written by me would suit technical people, who’s going to write it for everyone else? After all, it’s usually the ‘everyone else’ who are the cause of most of the issues. HR should also be tracking the annual SAT program and flagging any issues to the employee’s supervisor etc.
    o
  5. Role Specific Procedures – This one is a bit of a stretch, but I can’t just have 4 bullet points. The concept is that part of everyone’s job description is to document every one of their repeatable tasks. If the procedure already exists, they could be challenged to improve it. In almost every job I’ve had there was a 3 month probation period. This review, and every performance review from that point forward could include a procedure section where failure to develop appropriate content has negative repercussions. Or, for the glass-half-full folks, great documentation has rewards attached to it. Imagine how nice it would be is every new starter just moved forward and didn’t have to waste time re-inventing the wheel.

The fact is most HR departments are not geared to perform any of the above functions. They are simply not trained to do so. I can’t help thinking this is a terrible waste.

I’d actually love to hear from some HR folks, even if you’re gonna tell me I’m way out of line! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Ransomware

Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 spots on Google to the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one thereafter on page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “NHS Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so sack-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because they basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer –  Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters.
    o
  2. Patching – Your systems would have been immune from WannaCry if you have installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or you PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no, longer use/need, and 2) no hidden malware.
    o
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse.  External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much.
    o
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory

 

SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.

[If you liked this article, please share! Want more like it, subscribe!]

PCI – Going Beyond the Standard: Part 19, Security Awareness Training (SAT)

I really should give up being surprised when the most basic of information security fundamentals are performed poorly, but this one constantly amazes me. I guess it’s no different than a doctor being surprised at smokers, or the police surprised at repeat offenders, we can accept as common sense what others perceive as new concepts.

Education and Training is so important that I have listed it as one of The 4 Foundations of Security, along with Management Buy-In, Policies and Procedures, and Governance. The fact is that education is the best and cheapest way for an organisation to implement the desired organisational culture, and distribute the policies and procedures in a manner where they actually understood and followed.

The intent of PCI DSS Requirement 12.6.x is to ensure all employees are trained in their security responsibilities as they relate to the protection of cardholder data. That’s it, just cardholder data, so you can obviously ignore every other form of sensitive data in you environment, right? What about your financial data, or intellectual property, or personal data? Unfortunately you cannot go above and beyond in PCI unless it relates to the protection of cardholder data, so with the exception of perhaps frequency of training, there’s not a lot you can do here.

That’s for PCI though, for your BUSINESS it’s a very different matter, and there is a lot you can do to add true benefit across the organisation. Not just in terms of security either.

The mistake most organisations make is the assumption that security education and training only refers to things like keeping your passwords secret, or not lending out your swipe cards. Yes, training includes these things, but it starts with a thorough coverage of all relevant policies and procedures. I say relevant, because you’re not – for example – going to train your sale team on the proper implementation of firewall configuration standards.

Training is not just some paperwork exercise during on-boarding, then an annual obligation thereafter, it’s the way you bring someone into your organisation and have them up to speed and productive in the fastest time possible. It’s also how you begin to instil the corporate culture (i.e. your policies), and how you ensure that they are performing their duties in-line with standard practices (i.e. your procedures).

Once they have the basics, you can move on to role specific training, and then, if you’re REALLY doing this properly, you will have the individual job specifications detailed to the point where anyone being on-boarded can step straight into the leavers’ shoes with barely a backwards step.

That’s really the whole point; security awareness training is NOT just a compliance obligation, it’s an integral part of your business continuity and knowledge management processes. It can be the difference between a constant reinvention of the wheel every time you have a mover or leaver, and uninterrupted growth. You may argue that this is more than just security awareness education and training, but I will counter that without proper knowledge, there IS no security.

While I agree that every time there is a staff change, the training itself should be reviewed and revamped as appropriate (preferably by the person bringing the new pair of eyes to it), NO-ONE who is just starting should have to work out anything for themselves on how to perform the function to which they have been assigned. At least to a minimum standard. Unless of course it’s a brand new role, in which case they will be responsible to develop and document everything necessary to replace themselves in time.

Too often this is seen as making yourself replaceable, but if you can’t be replaced, how can you move up, or even across?

To perform security awareness and training properly, follow these steps:

1. Like access control, the best way to begin developing a good training program is to properly define the requirements, first at a ‘corporate’ level (everyone), then at a more granular ‘role’ level (sales, systems admins. etc.), and finally at an ‘individual’ level.

2. Once this matrix is complete, combine this ‘paperwork’ into an online delivery mechanism which is a combination Document Management System (DMS) and distribution method. That’s really all online training software is; content management.

3. Run everyone through the program, regardless of tenure, and regardless of when they last took it. Track all ‘signatures’ (an online ‘I Accept’ will suffice).

4. Run training again at a minimum annually, but preferably every 6 months. A good balance is full course annually, and Top 10 Things to Remember at the 6 month mark.

5. Throughout the year, use this distribution method to announce major changes to policies and procedures, as well as ‘zero day’ threats (new phishing techniques for example), for significant changes to relevant compliance regulations or laws, and any ad hoc matter for which you require – for liability purposes – a written confirmation of acceptance.

 6. Provide a robust feedback loop and standardised forms for all personnel to request policy / procedures changes, or to create new ones.

I’ve not touched here on the actual content of the security training, it’s too organisation / sector specific, but there are certainly some basics (101 stuff as the Americans would say). However, the development of a comprehensive and sustainable training program requires specialist skills and experience, so make the effort and expense, there’s not one investment you can make that has a greater ROI.

Policies and Procedures

Want REAL Information Security? Start With Your Policies.

I am constantly surprised and disappointed that policies and procedures aren’t taken more seriously. They are the blueprint of your corporate culture, the single most important aspect of your security program, and by far the easiest and cheapest things to put together (in terms of capital costs anyway).

Even a ‘controls only’ standard like the PCI DSS is roughly 40%  ‘paperwork’, but, with the possible exception of the risk assessment, remains the most common tick-in-the-box exercise of them all. Which is a shame really, as it should be enough that thieves want to steal your data, why make things worse by not preventing your own employees from virtually giving it away?

Policies and procedures generally consist of 4 main types:

  1. Policies – the dos-and-don’ts of your entire organisation and use language like will / must / shall. e.g. Your password policy states that you MUST use strong authentication for access to systems containing data above a certain classification;
    o
  2. Procedures – describe HOW you implement the policies in YOUR organisation. They are detailed, ‘living’ documents that prevent the constant re-inventing of the wheel when faced with performing standard functions. e.g. this is how you implement strong authentication for all relevant systems / applications etc.;
    o
  3. Standards – A very detailed document that explains exactly HOW something is to be configured. From operating system hardening guides to firewall rulesets. e.g. the details the actual password elements that constitute ‘strong’ (7 characters, alpha-numeric, change every 90 days etc.).; and
    o
  4. Guidelines – The only non-mandatory element of the policy and procedure framework, and provide good-practice guidance on how to implement a policy requirement. e.g. Don’t use birthdays, don’t use names of children, consider a pass-phrase as opposed to a password etc.

However, you can have the most polished documentation ever, and still completely miss the mark. It’s not about the paperwork itself, it’s about the enforcement of what’s IN the paperwork. A policy is only ever as good as the understanding of it, and the adherence to it.

Unfortunately, this is where most organisation fall down, and one or most of the following challenges apply:

  1. Policies not in-line with corporate culture or day-to-day business process – Policies should be owned, and even written BY the CEO / BoD, who else is responsible for the culture, direction, and future of an organisation more than them? Too often this is delegated to departments or individuals without the necessary authority or experience to perform the function properly. A document coordinator MUST be a subject matter expert.
    o
  2. Undocumented procedures result in numerous (usually unintentional) breaches in policy outside of formal exception/variance processes – Just because a policy is in place, does not mean anyone knows how to implement it. Every department in an organisation is responsible to describe how each and every task is accomplished. Without procedures and standards, policies can become unenforceable, and every new employee has to reinvent the wheel every time they want to accomplish what should be a standard task.
    o
  3. Policies are undistributed, unenforced, or mis-understood – Just because you HAVE policies, or even procedures, if no-one knows where they are, what they mean, or how to measure against them, they are just pieces of paper. Security Awareness Training programs should start with a comprehensive look at corporate policies.
    o
  4. Poor document management or lack of integration with formalised training mechanisms – Without a robust document management system, it’s very difficult to both maintain the integrity of the policy and procedure documentation, and very difficult to distribute and enforce them.
    o
  5. No feedback or measurement processes – Per the old misquoted cliche; you can’t manage what you can’t measure, and unless policies are seen as living documents with company wide feedback mechanisms in place, they can rapidly become obsolete.

I do not use the word ‘recommend’ lightly, but I HIGHLY recommend that before you implement ANY aspect of your security or compliance program, you get your policies in place. At the VERY least do this in parallel with a risk assessment and business process mapping exercise.

While most high profile breaches focus on what went wrong technically, I can almost guarantee the original failure was one of education in the most basic of all security foundations; policies, standards and procedures.

[If you liked this article, please share! Want more like it, subscribe!]

Stop Confusing PCI Compliance With Actual Security

To this day, people are surprised when an organisation is breached after having achieved PCI compliance.

Why?

The SSC has never claimed that PCI compliance ensured the protection of cardholder data, especially when you consider most organisations don’t DO PCI compliance for security, they do it to get their acquiring banks off their backs.  All the SSC have ever claimed is that it helps, and it does.

Security is not about being impenetrable, that’s impossible, it’s about knowing your two main enemies; thieves and ignorance.

Thieves are lazy. In fact, I’d go as far as to say that laziness, more than a desire to be bad, is the leading driver behind computer crime.  This drives them to steal first what is most easily available; the so called low hanging fruit.  So to avoid thieves, just have YOUR fruit higher up the tree.  That’s what PCI compliance does, and that’s all.

As for ignorance, my absolute favourite phrase right now is;

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”
― Harlan Ellison

Information Security Policies and Security Awareness Training are SUPPOSED to cure all employees of their ignorance as it relates to the protection of data in their possession, and they would if they were taken seriously. They are not.  Policies provide the dos-and-don’ts, training provides the why and wherefores, neither of which are given due care and attention.

Now combine those 2 and you can see why achieving PCI compliance means little to nothing if it’s not done PROPERLY! Even then, it will always fall short.

I have stated several times in my blogs that ALL compliance would automatically spit out the back end of a security program done well, and I have even defined what that is in my Security Core Concept series.  The 5 people who actually read them will understand the following, but for the rest, here’s 4 reasons why PCI compliance does not mean security;

  1. It does not start with a risk assessment relevant to YOUR organisation.  The controls of the Data Security Standard ARE the risk assessment.  Even if you were to perform your own at the beginning of your compliance project, you still have to do everything the DSS says as there is no ‘residual risk acceptance’ in PCI.
    It is FAR more difficult to implement the PCI DSS controls as stated, than it is to implement the controls relevant to your business.  Which is why it is never done properly.
  2. The focus of the DSS policies and procedures requirements is the paperwork, and not the enforcement OF those policies.  Having polices is meaningless if they are not read, understood, and followed.
  3. Once a YEAR validation of compliance is as pointless as hub-caps on a tractor.  Yes you are responsible to maintain your compliance throughout the year, and yes the DSS includes change control as a requirement (barely), but how exactly do you maintain compliance when the DSS provides no context or framework for a sustainable security program?
  4. Let’s take an actual control, logging; There is no PCI requirement for centralised logging (10.5.3 – “or media that is difficult to alter.”) meaning a daily retrieval will suffice for the daily review (10.6.X), which in turn can be manually performed. Show me how you can possibly perform adequate incident response in an environment that does not real-time stream logs to a centralised location that then performs the following automatically, and I’ll wash the crow down with a healthy serving of humble pie:- Real-time alerts based on ‘never-see’ events from every system component.
    – Real-time alerts based on violations of ‘threshold’ events baselined from every system component.
    – Alerts based on violation of ‘trending’ patterns (you have a year’s worth (10.7.X), use them).

    Logging is the core of incident response, which is the only way of preventing a security event from becoming a business crippling disaster. Logging is not just a collection of events to be used for in a forensic investigation.

Bottom line; PCI compliance is nothing more than an attempt to protect cardholder data better than it was done so previously, and in that it has only succeeded in the organisations who focused on security not compliance.

Everyone else threw good money after bad and kept the thieves from having to find their next low fruit.