May 2009 Archives

The Cyberspace Policy Review


President Obama presented the Cyberspace Policy Review today. The document reports on a changing direction of US cyber security policy under the new Administration. It is less about governance and more about "getting stuff done". The new policy has the potential to bring upon security practitioners interesting times of attention for our trade, acknowledgment of the necessity of our skills and maybe even the odd job opportunity here and there.

Much will depend on the person who will be chosen to fulfill the role of national cybersecurity coordinator and his ability to obtain true buy-in and commitment of the different government organizations. 

Quotes like the following are encouraging to read:

"The architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient.

[...]

Research on new approaches to achieving security and resiliency in information and communication infrastructure is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

[...]

International norms are critical to establishing a secure and thriving digital infrastructure.

[...]

Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age"

The plan acknowledges that our networks are not secure, and that this inherent level of insecurity must be addressed by increasing efforts (read: spending) to conduct true fundamental research that is not limited to national boundaries. This is a vision that I can support and which makes me look to the future with a sense of anticipation.

Other writeups worth reading:

Puffing in a Cloud of appearance


I am heading over to Jersey City tonight to attend a meeting on Cloud Security, organized by IOActive. Despite Hoff's best efforts, cloud security confuses me. I understand information security and I understand "The Cloud" as well as most other people do (which isn't saying all that much), but I fail to see how combining the two suddenly makes a completely new field that is worthy of all the buzz it gets.

We have been dealing with outsourced business functions for a long time and most organizations are used to doing it; some have even gotten quite good at it.

I have been reading the Cloud Security Alliance's document titled Security Guidance for Critical Areas of Focus in Cloud Computing. If you have not read that document yet, go do it now. If anything, the architectural framework defined in it is very worthwhile, and I hope it will bring the Cloud playing field to adopt similar terminology when talking about identical things.

Keeping in mind Hoff's distinction between the three architectural layers (Infrastructure as a Service, Platform as a Service, and Software as a Service) clearly helps in shaping our perception of risks associated with outsourcing a business function, and it will support defining our responsibilities as an outsourcing organization.

The document provides guidance on how to direct existing efforts to facilitate Cloudification. There isn't all that much in there that is truly new.

The fact that we are struggling with this shows once more that our field is young and emerging, and that we haven't really even reached adolescence. It is a fun time, but as with all new things, stepping back every now and then to reflect on what's going on should also be a priority.

As an information security officer, my role is to ensure that my organization's information resources are not exposed to unwanted risks. One commonly used tool is to commission an external (independent) entity to assess how well those resources are protected from a technology point of view.

Unfortunately, all too often, an external assessment, or even a penetration test, will yield results that were mostly predictable. While having an independent entity confirm issues may bring a higher sense of urgency and grant the claim more credibility, it is still unsatisfactory to spend a lot of money on a test whose results you were able to anticipate. Of course, independent auditors tend to have easier access to people higher up in an organization, and using an auditor to further your own goals is an acceptable tactic to get things done.

One disadvantage of having external groups conduct vulnerability assessments or penetration tests is that they will only provide you with a snapshot in time. The many issues revolving around PCI-compliance have clearly demonstrated that compliance on a certain day does not lead to continued compliance.

Lately, I have started to look around to see what service providers are out there that offer a "solution" (as much as I despise the word) that provides full-time (or on-demand) assessments against a fixed and predictable rate.

Whether that assessment is done through manual scanning, automatic scanning, or by installing agents on end-points is really not so much of a concern to me. If I can obtain a (near) real-time overview of certain aspects in my infrastructure, provided by a credible and knowledgeable outside provider, why not research that further?

More than likely, I will be able to lower security costs by reducing the scope of annual vulnerability assessments (or pentests), dropping the frequency at which those engagements take place, and concentrating on improving processes and procedures, rather than bringing in more technology that brings with it more security concerns.

At the moment, I am evaluating several offerings, and depending on how much vendors are willing (and able) to work on price, I may be very interested.

Perseverance, attitude, and solidarity

Ron W posted a comment to one of Andy's blog posts that gets to the reality of being an information security officer so well that it deserves its own post. Here it is:

Often, we in Security need to deal with
C - Criticism
R - Rejection
A - A$$h0l3s
P - Pressure

The keys are perseverance, attitude, and the realization that you're not alone.

Criticism is the cornerstone of progress, as long as it is delivered in a constructive fashion. I am a firm believer in peer review and stakeholder buy-in.

Rejection is something that happens everywhere, but it is also not always a bad thing. Our role as information security officers is to point out risks to business owners and leave the final decision up to them. If they disagree with our recommendations, we can start looking to reduce the risk somewhere else in our organization and mitigate the exposure some other way.

A$$h0l3s are everywhere.

Pressure is a good tool, but it must be used very, very cautiously. Once pressure is applied, it is very hard to let go without losing control.

Realizing you're not alone is paramount. Information security is an extremely young discipline, and as a result, we must always be reaching out to our peers to learn from them. Visit conferences, local chapter meetings, training, etc. Although it may momentarily distract you from your "real work", it will pay off down the road when you can just pick up a phone and call a colleague to ask for advice.