Archive for the ‘Security’ Category

Enterprise Security: Cheating on Your IT Security Audits

[Image: Darknet, by Computer Science Geek via Flickr]

I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT audits by IT staff is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and that few ever discuss in public. Whenever we auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.

The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted to cheating on IT Security Audits of firewalls. Although this sounds like a high figure, and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”

To continue reading this interesting story, please click the link below:

What do you think? Am I stretching it here by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).

Auditing Career: Traveling to Dangerous Places

[Image: Regional offices and regions of the WHO, via Wikipedia]

So, you’re now sitting pretty working for a big Fortune 500 company with the enviable task of auditing subsidiary divisions on three continents, and you’re only 27 years old. If your friends back in Mumbai could only see you now!

This is not an unusual situation in many internal audit departments in large organizations, where fresh young auditors are recruited with the understanding that they are to travel 50 to 75% of the time to places few of them knew existed on the map. The natural inquisitiveness of youth, the romantic appeal of traveling the world, the pay, the superman complex, the arrogance and the lack of common sense we all have at that age make us perfect candidates to accept challenges others with more experience would probably turn down. And this sometimes occurs when young auditors and consultants accept, without much thought, assignments in dangerous places.

In America, knowledge about geography, international politics, and the cultural, ethnic, religious and criminal realities of the rest of the world is weak. There are many well educated Americans who believe that the power of the US Constitution somehow extends beyond our borders, or in some unknown fashion is respected by most foreign countries. There is also a belief that the US version of “the rule of law” is accepted everywhere else in the world, and that in a worst case scenario, if one is in trouble overseas, a lawyer, just like in the USA, will save the day. This is a dangerous misconception.

On December 10, 2008, my cousin Felix Batista, one of the world’s most respected and experienced international security consultants, was kidnapped in Mexico while giving a conference on anti-kidnapping strategies. To this day, Felix’s whereabouts are unknown and many presume him dead. The plight of his wife and children and our family to bring closure to this ordeal can be understood by visiting the Felix Batista media blog, set up to track coverage of his disappearance. I shared an interest in Crisis Management with Felix, except I chose the technology route and he the international security one. I will share with you a few items you should keep in mind when considering a foreign assignment to places you are not familiar with, or if you are a new employee still unfamiliar with your organization. I hope you do not consider these too radical or old fashioned, especially if you’re relatively new in the field:

1. Understand that your company’s image overseas is likely to be different from what it is in the USA. You need to research this from various sources and understand that you may be putting yourself at high risk simply by identifying yourself as an employee visiting from the USA.

2. Understand that the behaviors, expectations, values and views of a person who earns a yearly income of less than 20 or 25% of what you make will be very different from yours. Be aware that your US based ethics, morals and values come back on the plane with you, and they do not feed that person’s hungry children who are left behind.

3. Understand that in many countries the “law” and the criminals are the same guys, and that includes the lawyers. You need to research this and determine beforehand what to do in case you are the victim of a setup or involved in an accident. Ending up in a foreign jail is not nice!

4. Understand that in many countries and cultures physical violence is the first step taken in addressing a dispute or misunderstanding. If you’re lucky, you’ll get a chance to talk later.

5. Understand that your actions, innocent in the USA, may jeopardize the lives of locals. Meeting someone in a restaurant, for example, may brand them as a spy for the company or, worse, an informer for the CIA.

6. Understand the capabilities and limitations of your company’s security department. Do not assume that the V.P. or Director of Security, sitting at corporate, knows much about the foreign risks you may face. A good number do not. Ask around to see if anyone has ever met a V.P. or Director of Security who has admitted to not knowing about important risks to low level employees.

7. Understand that in the USA you may be a miserable Junior Auditor, but in many places your earnings put you at the top of the food chain, and you may be feared the same as if you were a member of the Board of Directors.

8. Understand that it’s OK to dress like a cool dude, a Southampton beach bum, a ghetto boy or a spoiled Princess in your spare time in the USA. Doing so in many places around the world is an invitation to be robbed, sexually molested and even beaten.

With these things in mind, you should also ask the Audit Director or your Manager the questions below. If you are uncomfortable with anything, say so, because in the end you will be the one responsible for your life, not someone in an air conditioned office 3,000 miles away:

  • Are there any World Health Organization (WHO) travel restrictions or vaccine requirements in effect for the country in question? If so, is the company getting you vaccinated?
  • Is the country or region on any CIA or State Department warning list for US citizens?
  • If your company has been doing business in the country in question for some time, does it have a bilingual and/or bicultural staff in place to assist you? If not, why not?
  • Has your project lead managed previous projects in the country in question, and if not, why was he/she selected to lead this project? Is he/she qualified, someone’s favorite pet or simply the only one available?
  • Is there an official report or area analysis assessing the region’s geography, politics, and cultural, ethnic, religious and criminal activities, so company personnel can obtain a quick education and know what to expect when they arrive?
  • Have you been, or will you be, briefed on how to handle instances of political unrest, terrorism and natural disasters at the places you are expected to work?
  • Is there a properly documented and authorized company policy for foreign travel and work?
  • What is the official company policy in the event an employee is kidnapped and held for ransom, in light of Foreign Corrupt Practices Act (FCPA) restrictions?
  • Is there a Crisis Management Plan in place that can be executed in the event there is a problem with an employee working overseas? And if there is one, who is on the crisis management team and when was the plan last tested or exercised?
  • If you are killed while working overseas, what is the process in place to handle the legal, transportation, funeral, family and financial issues that will have to be dealt with? Who will pay for your funeral?
  • If you are held hostage for a significant period of time, what is the company’s policy regarding your compensation? Will they make payments to a family member, and for how long?
  • If your company holds an insurance policy on you (Special Risks) which pays them as beneficiaries in case you die or are injured while working, does it cover your work overseas? If so, find out the history of this practice and details of any deaths and payouts. Does the practice indicate anything of concern?
  • Do you have a Will in place that deals with the possibility of dying overseas? Do you have a Living Will that deals with the possibility of being in critical condition at a foreign hospital?
  • Do you have a medical and dental “dossier” on record with the company (respecting all HIPAA regulations), or with a close family member, which can be easily referenced by foreign and domestic medical personnel in the event you are hospitalized or your body needs to be identified?
  • If you need medical attention while at the foreign location, has the company provided you with information on obtaining it from local doctors, hospitals or clinics?
  • Have you been given information about the US Embassy and Consulates in the country where you will be working, and whom to contact, and how, in case of an emergency?
  • Will the company let you opt out of a particular trip if you are uncomfortable with the safety conditions at the destination and the type of security provided by the company? If not, what is the rationale and what are the guarantees provided to ease your concerns?

If you work for a company that has these things in place and is experienced in sending people to work overseas, you’re in good shape. But regardless of your company’s maturity level on this issue, it is your responsibility to make sure you do not put yourself in undue danger. Assume nothing and do not be shy about asking questions.

Many places around the world do not require excessive planning or precautions for “the worst case scenario,” but you need to be aware of the good places as well as the bad ones. Experienced international workers do not assume that all foreign engagements will be without challenges, surprises or risks. And they do not wait until they are in danger to wonder how their companies will react, or whether they can react at all.

Going through this type of exercise may seem unpleasant and uncalled for, especially if you hold the belief that most people are good, that all Americans are loved around the world, that there is no threat of terrorism, that the violence attributed to drug cartels is overrated, and that the disparity between rich and poor is a myth. If you hold these beliefs, I wish you the best and hope you are able to hold them for as long as possible without reaching any life threatening situations.

For the young auditors and young consultants out there, excited about the travel and the life of an “expense account junkie,” I say go for it. Work hard and play hard, but do it with your eyes open and as safely as possible. And always give yourself the option of not going if you sense the risks are too high or those tasked with protecting you are clueless, incompetent or irresponsible.

What do you think?   Leave us some “Comments” regarding your views on this matter and perhaps some personal experiences as well.

A Painful Lack of Security Jobs

[Image: Beautiful Day at the Golden Gate Bridge - Día ..., by worldsurfer via Flickr]

I just read this excellent article from CSO Security and Risk magazine online regarding the state of the job market for top level IT Security professionals, and I decided to share it with you because my sense is that we have been experiencing a similar situation in the IT Audit field.

The economic downturn has forced many companies to cut corners and get rid of many folks at senior management levels (including many CISOs and IT Audit Directors), creating serious hardships for a layer of individuals who are, by all standards, the most qualified, best certified and most experienced in the industry. These individuals are not failing to find work because they are poorly qualified, but because companies no longer want to, or cannot, pay them for having reached these high levels of expertise and professionalism. The typical company in today’s environment is looking to hire a lower level (lower paid) “Analyst” with mid-level technical skills over a well seasoned IT Security professional. From my discussions with peers in IT Audit, the same is happening with folks holding multiple certifications, CISA-CFE-CISSP or CISA-CBCP-ARP, which would have been insane or close to impossible just two years ago. This sort of thing is happening all over the country, as the article points out, and will have long term negative impacts on both the companies and the individuals experiencing these hardships. Below is an excerpt from the CSO Security and Risk magazine article, which you can read in its entirety by clicking the link at the bottom of the post:

“An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.

We can blame it all on this dastardly economy, but even in good periods, qualified individuals find it difficult to land a job as an executive.

Just recently, I applied for a job as a director of information security. The position reported directly to the company’s hiring manager (CIO). It was widely advertised at the company so many of my friends and colleagues knew who the hiring manager was. I had already contacted the CIO directly — and had subsequently been introduced to him and recommended by other CIOs who knew him well, so the hiring manager immediately e-mailed me to say to contact the HR director for an initial phone interview and to call him later that same day.

Both interviews went extremely well, with conversations lasting well over an hour. We covered their challenges that I could address and gravitated to small talk on our past experiences. We clicked and had long, enjoyable conversations. The CIO said he would bring me in for a face-to-face meeting the following week once he had a chance to interview other candidates.

Deep down I was overly cautious, having been burned in the past, as I explained to another candidate who had applied. I said, “It would appear to you I’m a natural shoo-in or on the CIO’s short list by knowing so many people and from the work I do. But it is getting to the point that it no longer matters who and what you know, not even if you’re a close friend of the hiring manager.”

Being well-known in the industry and the local IT community, I knew who these other candidates were, and we shared much information. It is a small world.

In the weeks that passed, I sent the CIO two follow-up e-mails, I also e-mailed the HR director in California. All three were met with silence. I also left the CIO two voice mail messages — one on his office line, the other on his personal cell phone — and neither was returned. After three weeks, I received a phone call from the HR director telling me the CIO was unsure about the position. He was contemplating diminishing the role to a lesser grade and I was, of course, overqualified, and so were the other candidates…..”

To continue reading this interesting story, please click the link below:

What do you think? Are you a high level person experiencing something similar in today’s economy? Please share by leaving a “Comment.”

Tools for Quantifying Risk Exposure are Few

[Image: Risk Matrix, by Martin Burns via Flickr]

I found this excellent article from Information Security Resources on the availability of tools for quantifying risk exposures. I thought those of you involved in Risk Management and Risk Analysis would find it informative. Below is an excerpt from the story. You can read the entire story by following the link at the bottom of this post:

“In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk.

I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, that they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

For many firms, they have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations.

Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident.

The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors.

This seeming inconsistency between a perception of being immune from data breach risks with the rapid growth in data breach incidents, led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk.

Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.”

To read the rest of the story, from Information Security Resources, please click the link below:

5 Security Lessons From Real-World Data Breaches

[Image: Syntho Saur, by david via Flickr]

I think everyone involved in IT Security knows that the majority of IT Security incidents are not reported outside the organizations in which they occur. This excerpt from an article published in InformationWeek.com should be of interest to IT Security folks as well as CIOs. To read the full article, follow the link at the bottom of the post:

“The unwritten rule among companies is that the less said about security breaches, the better. For every public revelation of stolen data there are dozens of breaches that don’t make the news.

This code of silence might avoid angering partners and customers, and sidestep a public relations mess, but it makes it harder for the industry as a whole to learn from mistakes and improve information security and risk management practices. That’s why this article draws on direct observations from real-world security breaches on which we’ve performed forensic investigations, to help companies understand how breaches happen and what to do about them.”

The full article from InformationWeek.com is in the link below:

If you haven’t been able to figure it out yet, the photo above is of the famous Japanese Sumo wrestler Kami Nobugama disguised as a toy Godzilla, when he was attempting to break into a Department of Defense apparatus on September 10, 2001.   This formerly classified photo was sent to us by Mr. M. Icon using secure Steganography.

FBI offers advice during new National Cyber Security Awareness Month

[Image: The Coffee-Serving Security Guard, by Qole Pejorian via Flickr]

Another initiative from the FBI to increase public awareness of the Cyber Crime problem. This excerpt from Betanews.com lets us know (in case we didn’t). This may be the sort of information we pass on to persons who need to know how our tax dollars are spent, to children, or to Rip van Winkle. Here is the excerpt:

“This October has been declared National Cyber Security Awareness Month, a month in which Americans are encouraged to learn more about the “national security priority” that is the US communications infrastructure.

“Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans,” President Barack Obama said yesterday. “This month, we highlight the responsibility of individuals, businesses, and governments to work together to improve their own cybersecurity and that of our Nation. We all must practice safe computing to avoid attacks. A key measure of our success will be the degree to which all Americans educate themselves about the risks they face and the actions they can take to protect themselves and our Nation’s digital infrastructure.””

To read the rest of this story from Betanews.com, follow the link below:

Seriously, we must all practice “safe computing,” otherwise we will be deemed promiscuous and will get ugly freckles on our faces.

Help Wanted: Homeland Security Seeks Cybersecurity Pros

[Image: Reenactment of a Roman legion attack, via Wikipedia]

I think everyone agrees that America’s IT Security posture needs improvement. This initiative from the Obama administration will, in my opinion, help us harden our vital communications infrastructure, making life harder for future Cyber attackers. It is also a great way to stimulate the economy by spending money on hiring some of the young sharp CISSPs I see loitering around at NYC IT Security conferences. Below is the excerpt from InformationWeek.com:

“The Obama administration has given Department of Homeland Security the go-ahead to hire up to 1,000 new cybersecurity pros over the next three years, secretary Janet Napolitano said today.

The new hiring authority will let DHS, a key agency in the nation’s cybersecurity strategy, fill positions in risk and strategic analysis, incident response, vulnerability detection, intelligence, investigation, and network and systems engineering.”

To read the rest of the report, follow the link below:

The guys in the photo above are CISSP candidates in training at a state of the art training facility on 34th Street in NYC.
