Information Security Policies

Why Information Security Policies are Pointless

The title should be; Why YOUR Information Security Policies (ISP) are Pointless, but I figured this title was far more contentious/click-worthy.

If you’ve come this far, you’re in one of two groups:

  1. You’re horrified at my ignorance and want to rip me a new one (good for you by the way); or
  2. You’re thinking the equivalent of “I knew it!”, in which case you need this more than anyone.

When I say that your ISPs are pointless, it’s because in all likelihood they are. Assuming you even have a policy set (policies, standards and procedures), ~20 years of consulting experience has shown that they invariably:

  1. are not sponsored/supported/signed-off by the highest levels within an organisation – does anyone really care about something their bosses don’t visibly care about?;
  2. are not managed by a governance function to ensure adherence to business goals / regulatory compliance / corporate responsibility etc – who else is going to do this? The CEO? A CXO by him/herself?;
  3. include no overarching framework policy that 1) spells out a commitment to security, 2) breaks down the responsibilities for everyone from the CEO to the interns, and 3) details the consequences for non-conformance – how well do buildings stand up without foundations?;
  4. are generic templates with zero attempt to fit them to the prevailing culture – sometimes the phrase “That’s not how we do things here!” is perfectly acceptable;
  5. are non-aspirational – it’s actually a good practice to set your policies above your current security capability, IF you have a comprehensive exception/variance process linked to a risk register / risk treatment plan as part of the framework;
  6. are not DIRECTLY linked to robust risk management processes to ensure full policy coverage and continuing suitability to the business – how do you know they’re right?, now and in the event of significant change?;
  7. are not part of an [annual] internal audit process to measure adherence – few companies even have an internal audit function, let alone one capable of assessing IT/IS policies;
  8. are not part of employee on-boarding and ongoing security awareness training programs – every role should have relevant policies assigned to it, and appropriate training should be continuous;
  9. are not maintained appropriately/consistently – you don’t need a librarian to do document management well, you just have to be organised; and
  10. are not distributed or made available to everyone whom they impact – “Policies, what policies?”

Bottom line is that I have never seen a policy set done well, and it’s not a coincidence that I’ve never seen security done well either. These two things go hand-in-hand and you absolutely cannot have one without the other.

Yes a decent policy set is ‘paperwork’, yes it’s bloody difficult and time consuming, and no, it’s not even remotely sexy, but don’t bother trying to get a security program in place without them. Seriously, don’t even bother, because it will fail.

Lego don’t send out a 4,000+ piece Death Star set without detailed build instructions, and that’s exactly what your policies, standards and procedures are; instructions on how to do security appropriately within your organisation.

So why don’t all security folks take this more seriously? Two main reasons; 1) they are so focused on technology that the processes fall by the wayside, and 2) they have tried over and over and finally gave up, electing to do what they can, knowing full well it will never be enough.

Sad, huh?

Security is about People, Process and Technology, in that order, because without a policy set you will have:

  • no understanding of the technology[ies] you will need – risk assessment;
  • no processes to run the technology properly – procedures;
  • no way to sustain the technologies moving forward – vulnerability management;
  • no understanding of what to do with technology output – incident response;
  • no-one who could perform the incident response even if you did – security awareness training.

A decent set of information security policies ties all of this together into a sustainable program, and if you still don’t think they are that important, you are simply not paying attention.

[If you liked this article, please share! Want more like it, subscribe!]

Ransomware

Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 spots on Google for the search phrase ‘ransomware’ are 2 vendor ads and one ad for cyber insurance. All but one of the remaining page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “NHS Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so sack-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there, have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer – Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters.
  2. Patching – Your systems would have been immune from WannaCry if you had installed the patch Microsoft made available in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 3) no hidden malware.
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse. External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much.
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory


SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.


‘CEO Fraud’ Is The CEO’s Fault

Whichever way you look at it, the > $2Bn lost in ‘CEO Fraud’ is the CEO’s fault. Maybe not so much the first couple of cases (the ‘zero-day’ ones), but from that point forward, falling for such an obvious scam is indicative of broken processes that all point back to the CEO.

Even one of the most basic tenets of security; that of split-knowledge and dual-control, is all that was required to prevent these attacks! NO-ONE, including the CEO, should be able to authorise these transfers, and NO-ONE, not even the CFO, should be able to perform one.

Not for all transfers obviously, but when we’re talking hundreds of thousands to tens of millions, how was a single person able to proceed without sufficient checks and balances? For God’s sake, a simple CALL to the CEO’s mobile would have sufficed!
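As an added illustration (not the author’s code), here is the split-knowledge / dual-control rule from the paragraphs above, written as a check a finance workflow could run over a transfer request before anyone sends money. The threshold, channel names and field names are assumptions; the two sample requests are constructed from the $480K case described later in the post.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy value (not from the post): above this amount, dual control applies.
DUAL_CONTROL_THRESHOLD = 10_000
# Assumed documented request channels; a bare email is deliberately not one of them.
DOCUMENTED_ORIGINS = {"signed_form", "erp_workflow"}


@dataclass
class TransferRequest:
    amount: float
    origin: str                      # channel the request arrived through: "email", "signed_form", ...
    requester: str                   # who asked for the money to be sent (e.g. "ceo")
    approver: Optional[str] = None   # second person who authorised it
    executor: Optional[str] = None   # finance person who will actually send it
    callback_done: bool = False      # was the requester called back to confirm?
    callback_number_from: str = ""   # where that number came from: "directory" or "request"


def control_failures(req: TransferRequest) -> list:
    """Return every control the request fails; an empty list means it may proceed."""
    failures = []
    if req.amount <= DUAL_CONTROL_THRESHOLD:
        return failures                      # below threshold: normal single-approver path
    if req.origin not in DOCUMENTED_ORIGINS:
        failures.append("request did not come through a documented channel")
    if not req.approver:
        failures.append("no second approver")
    elif req.approver == req.requester:
        failures.append("approver is the requester (no split knowledge)")
    if not req.executor:
        failures.append("no executor")
    elif req.executor in (req.requester, req.approver):
        failures.append("executor also requested or approved (no dual control)")
    # Out-of-band check: call the requester on a number from the company directory,
    # never on a number supplied in the request itself (the sender controls that one).
    if not req.callback_done or req.callback_number_from != "directory":
        failures.append("no callback to requester via directory number")
    return failures


def may_execute(req: TransferRequest) -> bool:
    return not control_failures(req)


# Constructed sample: an emailed $480K request handled the way the post describes.
EMAILED_480K = TransferRequest(amount=480_000, origin="email", requester="ceo",
                               executor="accountant")
# Constructed sample: the same transfer run through the dual-control path.
FORMAL_480K = TransferRequest(amount=480_000, origin="signed_form", requester="ceo",
                              approver="cfo", executor="accountant",
                              callback_done=True, callback_number_from="directory")

if __name__ == "__main__":
    for name, req in (("emailed", EMAILED_480K), ("formal", FORMAL_480K)):
        print(name, "->", "OK" if may_execute(req) else control_failures(req))
```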

So, in the several thousand companies that have fallen for this scam, we can make several assumptions:

  1. The CEOs are above the processes of other employees – I have to believe that the transfer of [for the sake of argument] $100K requires the completion of a form of some kind. That form is then signed by the requestor, and forwarded on to finance for action. In every case where the fraud was successful, the process began with nothing more than an email.
  2. The CEO is ‘God’ – In this particular case, an accountant transferred $480K based on an email, then only became suspicious when asked for a subsequent $18 MILLION. Seriously? It didn’t occur to the accountant to call the CEO just to make sure? Is the CEO THAT unapproachable that s/he won’t take a 20 second phone call for $480K!?
  3. There is zero oversight on the finance departments – As in the above case, there were clearly no checks and balances in place to confirm authorisation of a transfer, and no-one below the accountant thought to question their own actions based on a largely undocumented request? Just following orders were they? What does THAT say about the company culture?
  4. The Information / Cyber Security program is a shambles – Even the most basic Security Awareness & Training programs have sections on social engineering and fraud techniques, and no matter how well a thief did their homework, these emails should have been a huge red flag. How is it that people with such enormous impact on a business (i.e. finance) have no training in cyber security basics / essentials?
  5. The organisations have zero ability to address the prevailing threat landscape – How easy would it be for the information / cyber security departments in these organisations to send out ‘mandatory-read’ emails to all staff warning them of the ‘new’ threat? How do mitigation techniques not make their way into business processes after a significant change in the threat landscape?

The saddest part of all this? This type of fraud is ON THE RISE!! Despite the significant press, despite > $2 BILLION in losses, organisations all over the world still haven’t taken appropriate action.

My most used phrase; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.”

In this case, replace “[enter any goal here]” with “immunity from email scams” and apply it to the assumptions above. We can determine that;

  1. the CEO’s vision for the organisation does not include an appropriate security program – If they can’t even take care of their own MONEY, what is the chance they can take care of your sensitive data?
  2. the CEOs put themselves above the company values – No company that I know of has ‘Do as I say not as I do.’ as a published value, but clearly the rules do not apply to these folks.
  3. the direction of any organisation is towards its goals. Obviously. How does the loss of hundreds of thousands of €/£/$ and the sheer embarrassment of falling for this attack add to the company’s bottom line?
  4. unfortunately security is up there with ethics when it comes to CEO priorities. They are a cost of doing business, not fundamental processes that add significant ROI when done properly.

The better CEOs who have been victims will look at the root cause of their incident, point their finger squarely in the mirror, and fix it. The rest will fire the finance person and leave themselves open for the next threat. The best CEOs led their company by example, and didn’t fall for the attack in the first place.

Which do you want to be?


Information Security Needs Teachers, Not Consultants

This blog could just as easily be titled “Information Security Needs Teachers, Not Technology”, but I’ll pick on technology vendors some other time. Then again, it could also be teachers vs. anything-else-you-care-you-mention, because there is nothing in security that cannot be made easier, better, cheaper, more sustainable etc by someone who passes on their skills to those who need them the most.

Their customer.

Teachers are rarely recent graduates of X University, or theoretical researchers at Y organisation (Gartner, Forrester et al), and especially not a lot of PCI QSAs I’ve come across. Teachers are the people who sit in front of their clients day in and day out trying to make themselves redundant. I use the phrase; “If you can’t do what I do at the end of this contract, I’ve failed.”

Even in 2016, information security expertise is a depressingly rare commodity, with few organisations able to afford the full, or even part-time retention of SMEs in-house. Instead, the vast majority of organisations hire consultants to help them through their security and/or compliance challenges. In and of itself this makes perfect sense, I have no issue with it, and have in fact made a career out of providing these services.

My issue is with those consultants who don’t teach their clients to do what the consultant was hired to do, perhaps with the assumption that the client will have no further need for the consultant’s input once the job is done. The fact is, if the client doesn’t renew the contract, it’s because either 1) they don’t care enough to accept the guidance given; 2) the consultant drained their available budget; or 3) the consultant didn’t know what the Hell s/he was doing.

In a previous blog (The 4 Consultant Types: Know Which You Are, Know Which to Ask For) I detailed the 4 consultant types:

  1. The ‘Auditor’: Extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. And that’s it.
  2. The ‘Assessor’: Still very tied to the written instructions, but better able to read the intent of the situation, and subsequently better able to tell you why a thing is not right. And that’s it.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong and why it’s wrong, but what you should be doing AND provide several options on how to fix it. That’s it for them too.
  4. The ‘Teacher’: These rare folks are able to enormously simplify the challenge at hand, and teach the client to fix it themselves. And not just once, whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals.

The silly thing is that a good security teacher will never be out of work, no matter how hard they try to pass on their skill-set. Whatever s/he was hired to do for the first contract is invariably just scratching the surface of the work that needs to be done. A consultant may be asked to come back to repeat a task, but a teacher will be invited to help the entire business move forward.

Every security teacher aspires to be invited to take part in an organisation’s Governance committee, where the IT side and the business side have real conversations. Some call this a Trusted Advisor, but frankly I’ve never seen one who was not a teacher first.

The Analogies Project, We Should ALL Be Involved

I’m sure that in an earlier blog I stated that I would never use this medium to promote a vendor or specific product. I cannot find that quote so it clearly didn’t happen, and seeing as this promo is for something that’s actually not-for-profit, I don’t feel like a complete sell-out.

An analogy is defined as; “a comparison between one thing and another, typically for the purpose of explanation or clarification.” and as such is an incredibly powerful tool to provide a necessary context to understand something for which we have limited knowledge or experience. For example, the immortal (well, except for his death and all that) Douglas Adams used what to me was the funniest analogy of all time;

The ships hung in the sky in much the same way that bricks don’t.

I have used analogies through my blogs and my career, and frankly, any ‘security expert’ who DOESN’T use them is likely a poor consultant, or just starting out. Too many of us are horribly guilty of the Curse of Knowledge, and end up blaming our clients for what, in the end, can only be our deficiencies.

In a conversation with Bruce Hallas, the founder and passionate driving force behind The Analogies Project, it was not surprising that two famous quotes from Einstein were used to perfectly summarise the issues faced by those giving, and those trying to receive, InfoSec services:

  1. “Insanity: doing the same thing over and over again and expecting different results.”, and;
  2. “If you can’t explain it simply, you don’t understand it well enough.”

And on further reflection, there’s this one that I have always loved by Alan Greenspan; “I know you think you understand what you thought I said, but I’m not sure you realize that what you heard is not what I meant.”

Any guidance we provide to our clients on information security is only as good as what is understood and retained. Imparted knowledge is meaningless without the listener’s understanding of it (knowledge = seeds, understanding = ploughed field, ooooh an analogy!!). I have long maintained that the ultimate consultant is one who teaches, and there are no great teachers who do not take their audience’s individuality into account. You don’t explain where babies come from the same way to your 5 year old child as you would to your teenager, would you?

Yes, your client must WANT to learn in the first place, and the constant fight against the lack of security culture is not something we can fix by ourselves, but I firmly believe that a change in culture can only come with a true understanding of the benefits, and that will never be a one-size-fits-all, even within the same organisation.

This is where The Analogies Project could truly shine. Having an analogy for a risk assessment is one thing, but having a series of analogies for Receptionists, the C-level, and everyone in between, broken down by personal interest or sector applicability and so on, will provide usable experience to everyone. Giver and receiver.

I am signing on as a contributor and will be mentioning The Analogies Project in all of my subsequent training or InfoSec presentations (ISC2, ISACA, ISSA etc.), I urge you to do the same;

Go here to begin; https://theanalogiesproject.org/contact-us/