Maybe some progress at last.....

Well, well.... Maybe we’re getting somewhere. If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general let alone any specific requirements and I’ve been trying to find alternative ways of getting educating people. It looks like some of it has struck home.

The HR bod in charge of the company’s weekly newsletter has asked me to write a piece on “that InfoSec stuff you keep going on about” for the newsletter. I’ve agreed (obviously) and have said I’ll do a personal profile as well. Most of the directors have written profiles in the last few weeks so I’m jumping on that bandwagon!!!

Next, the company recently employed a Service Delivery Manager (SDM) to work within the IT department. This was a major step in the right direction as far as I was concerned as under the previous IT Director, there was no understanding of “service” at all. In the past, the IT department appeared to have an attitude of “we’re allowing you to work” rather than “we’re enabling you to work”. The SDM have been making quite a number of good changes not least of which was the identification (after a little prompting from me) that our corporate data had no owners. Network directories and folders were used and abused by anyone and everyone. People were added to email distribution lists and given access to “restricted” folders etc. etc. without any sort or authorisation process.

So, the SDM has kicked off a process to review the way access permissions are requested, authorised and granted and has invited me and the Support Manager to a meeting to discuss it.

This is progress. Hurrahh!!

I just wonder why people have accepted his statements that such measure are necessary but rejected my previous statements along the same lines. I’m not going to complain about it, it just interests me why the difference in response.

I suspect it’s a question of him being on the “inside” of IT and me being on the “outside”. If that’s the case, I just have to find other “insiders” to educate with a view to them raising issues for me, without them realising it, of course.

My head's above the parapet now!!

I’ve been invited to contribute to the PCI Answers postings on their site which is quite an ego boost. The only thing is, this means I’m going to have to think of decent things to say!!!!

Oh well, bang goes the instantaneous ramblings approach to writing comments. I guess I had better engage that part of my brain that rarely sees daylight and actually consider what I’m writing beforehand.

Oh, and use a spell checker more often!!! :-)

The "maintaining compliance" issue

There’s an interesting discussion over on PCI Compliance Demystified about maintaining compliance after you have initially achieved the “tick in the box”. The discussion is primarily about PCI DSS compliance but could be had about any compliance requirement.

To paraphrase, the question was raised: “how is compliance maintained?” which has developed into a “what’s being done about maintaining compliance?” question.

I find this interesting because when we first started looking at PCI DSS Compliance at my company I made more emphasis of the “maintaining compliance” requirement than the “achieving compliance” requirement. It was a hard sell, and not fully accepted as yet.

PCI DSS requires that you achieve compliance and continue to remain compliant from then on. If your company suffers a security breach and the investigators are sent in by the card schemes, they will not just assess your compliance when they turn up. What they will do is investigate the state of compliance for as long as the security breach occurred and even prior to that to identify whether a failure in maintaining compliance contributed to the breach. If it did, big money fines are on their way.

Take the TJX situation for example. Initially TJX reported that the security breach happened “over a period of a few months at the end of 2006”. After the investigators went in they found that the hack had been on going for a period of a couple of years. This being the case, the investigators will be assessing whether TJX was compliant for the whole of that time. From reports it appears they were not.

My company has accepted the “maintaining compliance” requirement to the extent where they have agreed to completely redesign the payment processing platform from the old legacy system (which was difficult to support and maintain) to a nice shiny new compliant and maintainable platform. Good news. However, the question of compliance management thereafter is still being discussed.

Without the compliance management process existing, the initial achievement of compliance is fairly pointless. 2 days after you tick the box, a new member of staff joins and unwittingly blows your achievements away by introducing a new business practice that ignores some fundamental PCI DSS requirement. Worse still are the creeping changes which in isolation are perfectly fine and compliant. However, over time, one thing leads to another and bang, a vulnerability slides in which “no one could possibly have foreseen….”

Compliance management is a functional process and requires not only resources but also an agreed corporate approach. Perhaps this is the issue, no one wants the responsibility monkey on their back.

The difference between business people and InfoSec people

OK, so TJX’s Q1 results apparently show “no noticeable decline in customer numbers” since the data breach. In this article an analyst from Avondale Partners is quoted as saying:-


"It still looks like there has been no meaningful fallout from the data systems breach as it relates to customer traffic," said Patrick McKeever, an analyst with Avondale Partners. "They did pretty well, all things considered."


The “they did pretty well” approach is a real problem in the InfoSec arena in my opinion. Short sighted and blinkered views of the “hear and now” are the domain of business people. They look at “today’s” results with “today’s” profits and “today’s” performance. InfoSec looks at “tomorrow’s” vulnerabilities, “tomorrow’s” threats and “tomorrow’s” attacks.

Basically, business people look at what IS happening, InfoSec people look at what MIGHT happen.

Maybe this is one of the fundamental reasons why business and InfoSec rarely see eye to eye without a very enlightened business person and a very enlightened InfoSec person at either end.

Data ownership

I read Rob Newby's post about "data classification" with interest as the implementation of such a process has been on my "to do" list for a while. To paraphase my comment to him, "I think Data Classification is one of the fundamental first steps in a good InfoSec programme". The point is, until you know how important the data is, how long it needs protecting for and who should have access to it it is impossible to get the data security environment set up correctly.

And therefore, protect your data adequately.

So, on to my particular issue. I have discussed data classification schemes in the past within The Company and not had much interest. Despite using the obvious scare mongering tactics and some pretty internally high profile snafus, no one really gave a preverbial.

So, how do I make people take notice?

Well, a while ago, I found out that our directory access control settings were all over the place. People had access to stuff they didn't need and in some cases, didn't even know about. After investigation, it appears that to be given access permissions to a certain directory, you just had to "fill in a form". The process of authorisation didn't really exist.

Although strictly speaking this isn't "data classification", it is linked.

It sparked a debate where I suggested that the IT department should review the process of assiging access permissions and improve it. They misunderstood and said it was not their responsibility to decide who has access to what. Of course it isn't, but they have a responsibility to ensure that the requests are properly authorised and that the environment is maintained correctly.

So, where are we now? Well, The Service Delivery Manager is involved and we have agreed to raise it at the next IT User Group Meeting with a view to getting buy-in from the business.

Here lies the core issue. In previous discussions, it's been a case of "it's not my responsibility" from both IT and the business units. The process of breaking that down is one of enlightenment. Once both "sides" understand where they fit into the whole picture, they "should" agree to take ownership a lot easier.

Now to the link between "data classification" and "access control". Once the business units have accepted responsibility for specifying who can access what directories / folders, it should be a far easier "sell" to get them to accept responsibility for determining who should see what specific data. That being true, the subject of "data classification" springs up, as if by magic!!!!

Why, oh why, oh wireless…..

OK, so enough of bleating about how bad things are, on to some more topical issues.

This news item on Security Focus amused me. Basically, if true, it appears that a wireless network secured with WEP only encryption was the access channel for the TJX hackers.

The thing is, I have had a discussion with people here about wireless and the levels of protection used and suffice to say, I think they could be improved. The arguments against it have ranged from the “it’s good enough as it is” and “we haven’t got enough resources to change it” through to “well, even if they crack the code they can’t do anything anyway”.

From my previous posts, you will see a theme developing here.

OK, so, how do I use the TJX case to convince the naysayers that improvements are necessary? Well, in the past I would have sent the link with a summary and expected them to understand. That doesn’t work.

So, after a few more days to allow for any further information to come out on this particular aspect I will send the link, but with a far more descriptive summary and also liken it to our own situation. I will also then schedule a meeting with relevant parties to discuss.

I also need to have my arguments ready for the “yes but if they get in, they still can’t log on” response which will inevitably come.

As I said, it’s hard to work at this level where absolutely everything needs to be explained but if it’s necessary to make progress, so be it.

I'll let you know how it goes.

I lied!!

OK, the previous post said that it was the last (for now) in the “Things I’ve done wrong” series. It wasn’t, this one is.

There are other things I have learned but those are a good starter for 10. For now, I think it is safe to say that having learned the lessons I'm better equipped to start making the sort of progress I want and the company needs.

From the above experiences, I looked for a publication that could provide guidance on the "from scratch" aspect of the role. I read "A Practical Guide To Managing Information Security" by Steve Purser which was a little vague in places but had a lot of good ideas. I've also bought a copy of "The Pragmatic CSO" by Mike Rothman of Security Incite (http://securityincite.com/blog/mike-rothman/the-pragmatic-cso-is-here) and having read the first section, it seems promising. I'm not sure it's going to teach me anything I hadn't already thought of but it is definitely reinforcing some ideas I have regarding getting buy-in and cooperation from others in the company. This can only be a good thing!!

In the previous post I said that it was demoralising to think that EVERYTHING needed to be explained. I have to get over this. I need to start thinking about this as a battle between good ideas and bad ideas. Like all battles, the side who is better prepared usually wins. So, I need to improve my preparedness and deliver the relevant information in a way that helps the opposition select the best way forward.

Basically, I’ve got to stop being lazy and start doing my job.

It’s a good idea, trust me, I’m a gynaecologist

Last (currently) in the “Things I’ve done wrong” process.

To a certain extent, this is linked to expecting people to understand “why”.

In the past, I have explained the details of an Info Sec related issue and then the possible remedial actions available to the company and then assumed that the correct decision would be made. How naïve can you be?!?!?!

Unfortunately, it would appear that the "correct" decision is not reached based on sound assessment and analysis. Mostly, it is made against a "what's cheapest / quickest / most like what we do currently” process and this is not sound decision making.

I’ve underestimated the human ability to take the easy option and this means that when faced with the “right” decision versus the “cheap / quick / less resource consuming / more like we do currently” decision, one of the latter is opted for.

You’ll notice the second “option” is in fact a list of options. Realising this has enlightened me. I always knew that there were infinitely more ways to do something wrong than to do it right. However, I hadn’t appreciated how easy it was to choose to do something wrong.

So, the remedy? Interesting question. I might expand on this in future blogs but for now, these are my thoughts. It’s necessary to do the hard work on everything, every decision that needs making has to be supported by argument. All possible decisions related to a particular issue need analysis and “pros” and “cons” debated. Then a recommendation needs to be made.

This is hard work and demoralising. I mean, as an example, imagine having to explain that WEP only encryption is a bad idea. And I mean really explain it. Explain about the ability to set up rogue APs, then explain about the ability to intercept traffic, then explain about the ability to capture user IDs and passwords, then explain about the ability to create rogue user accounts, then explain about the ability to log in as a rogue user and download data.

Oh…. Erm…. Hang on…. I seem to remember that this may have been covered in a recent TJX related article……..

No follow up

Continuing "Things I've done wrong".

After designing and agreeing an Info Sec Management approach with the board another element of “Getting Distracted” happened and I never went back and followed it up. I could bleat about how “it wasn’t my fault because…” or “I meant to but this or that stopped me” but basically I should have persevered but didn’t. I allowed myself to get involved in other stuff that just wasn’t productive for the InfoSec environment. It was incredibly constructive for the company but that doesn’t improve InfoSec or earn me a bonus.

A point learned is that the executives will say "yes" to whatever you ask them and then do nothing about it thereafter. That is, unless you keep shoving it under their noses at every opportunity.

The trick is to get the “yes” from them, then continuously hit them with actions. Keep the work visible, report regularly (but bare in mind the format must fit the target audience).

It’s also necessary to identify what makes people tick, what are they interested in? It may not be as obvious as you think. So, some donkey work in the offing for me is to get a better understanding of what they ultimately want from the job. Only when I understand how to talk to them can I start to increase awareness.

Repetition is key, but it must be productive repetition, not just shoving inane data at them and expecting them to take it in and understand it.

What am I doing here?

More on the “Things I’ve done wrong”

Within the first week after being given the job, I sent a draft job description to my boss (the Group FD) and scheduled a meeting to discuss. Then, an element of “distraction” came along and we never had the meeting. Due to numerous “distraction” issues thereafter, it just got sidelined.

This has led to little to no authority within the company to actually get anything done. People have not understood what the Info Sec Manager's job is all about and have largely ignored it. Therefore, I've been playing catch up ever since, fighting for recognition and acceptance. This has to stop. I need to be proactive and I need to get people coming to me with issues and not me having to track them down.

So what to do? Well, I’ve kicked the process off again, sent the job description to the boss and had an initial meeting to discuss. He and I have also agreed to meet with the IS Director (who has been reluctant to accept anything I say) and discuss the JD with him as well.

The latest point is an important aspect. I’m not sure why the IS Director has a problem with me (or with the job I’m trying to do) but it needs to be thrashed out. No progress will be made if he ignores the work I’m doing. I’ll let you know how the discussion goes.

Don't just take my word for it

Continuing the "Things I've done wrong" series

The next error I made was expecting people to understand why something is either a good idea or necessary. An extreme example follows:-

Imagine a discussion where you have to explain in finite detail "why" a company should implement a firewall solution at all. I don't mean a certain type of firewall, I mean any firewall.

Things aren't quite that bad here (we have a firewall solution!) but almost. I have not done the donkey work and educated the target audience as to why InfoSec is a good idea. I've done the easy stuff, published reports, emailed links to InfoSec in the news etc. but this has not delivered the message in the way the audience can understand. Therefore, in effect, it's been wasted effort.

What I should have done is delivered the information in the way the target audience will appreciate. The FD will want to know different information to the IS Director. The CEO will want different information from the Marketing Director. Yet all these people and more need to be convinced of the need before signoff will be gained and priority assigned.

It isn’t enough to know yourself that WEP only encryption on wireless access points is a bad idea. You need to sell the “why” it’s a bad idea in a way that the target audience will understand and that means a different approach for different people.

Once they gain the understanding, you get buy-in. Once you get the buy-in, you get the signoff. Once you get the signoff, you get the job scheduled. Once you get the job scheduled, you get the job done.

If only it were that easy…….

Getting distracted is a killer

First part of the "things I've done wrong" theme is "Getting distracted".

This is the main reason for lack of progress. The Company I work for is primarily an online entertainment provider (no, not that sort of “entertainment”!!) and focuses heavily on new initiatives and new markets. This means a lot of "drop that, do this" type meetings. Not conducive to long term planning, unfortunately.

The result has been a lot of involvement in numerous projects that I would not call "core InfoSec" related. Knock on effect is a lack of any real focus or awareness regarding InfoSec and this coupled with the other issues listed in the previous post means a lack of progress in general.

On the PCI DSS Compliance front, a similar situation has occurred with the compliance project being postponed several times due to resource reassignment to other business related projects. For that read "revenue generating". Despite all the protestations and declarations that PCI DSS Compliance was "revenue protecting", it doesn't wash.

So, I have learned that it is vital to remain focussed. Draw up the plan and stick to it, not blindly, you have to adapt the plan. But the plan is the plan, the end result is key, that must be your focus. The other thing I changed is to make smaller targets. Forget designing and delivering a full InfoSec Awareness Training Programme because it will be too big and cumbersome. Go the "baby steps" route. Get out and about and get known, make sure people understand what you are and what you are trying to do.

Maybe, just maybe, with that sort of approach, trouble will come looking for you instead of you having to go search it out.

Things I've done wrong

Right then, first real post. I thought I'd start off by listing out the things I'd done wrong since persuading the company to generate the position of Information Security Manager and giving me the job. That all happened about 6 months ago and to be honest, I don't feel like I've made a lot of progress since. So, first is a list of titles in no particular order, I'll comment against each over the next few days.

1. Getting distracted
2. Expecting people to just understand "why"
3. No agreed job description
4. No follow up
5. Trusting people to do "the right thing"
   

There are other things I have learned but these are a good starter for 10. For now, I think it is safe to say that having learned the lessons, I'm better equipped to start making the sort of progress I want.

So, the next post will be about the dangers of "Getting distracted" and why that must be avoided at all costs.

1st Post

So, after reading and commenting on various Information Security and PCI DSS related posts and blogs over the past few months I have decided to start blogging on the subject.

This is the first post and therefore not that interesting.

My intention is to post my thoughts about my current situation which is setting up an Information Security Management environment and directing a PCI DSS compliance project from scratch. All this is being done within an information security ignorant and risk accepting environment of a PCI DSS Level 2 merchant. So, to say it is interesting is a bit of an understatement.

So that's it for the first post, a sort of declaration of interest type thing. More to come, as and when I have something far more interesting to say.