Practical Information Security

Being compliant with a regulation (industry, government, etc.) should not give an organization a sense of security (false or deserved). If you have a good (meaningful, mature, risk based, etc.) security program your journey to compliance will be much less difficult. On the other hand if you are are trying to use a compliance requirement checklist as a security program, you will not be successful.

Just like fashion or what TV shows are interesting it seems technology and security also have fads, trends, things that are in, and things are are out. Ten years or so ago risk management was very new, untested, and frankly most organizations didn't do it, didn't want to be bothered by it, etc. They just wanted to get on the Internet and make some big gobs of money. If there was a security team (or individual) they were likely a system administrator who was identified as being "the security guy" as well. Not a full time responsibility and 80-90% technical (virus fire fighting, firewall rule management, maybe some high level policies). With a more compliance driven world the rise of professionals who took security to the next level arose. Those individuals started maybe as auditors, system admins, or other IT roles - but then they were asked to work with Audit to map out the open audit issues and plan for "managing" the risks or managing the residual ...

Just read a little about the reported CITI bank compromise. It seems the attackers were able to Authenticate (assuming they used compromised credentials) and then modify the account number in the URL to be able to access other accounts. The fact that a major bank had this type of vulnerability in one of there main customer facing systems is shocking. This type of vulnerability is one of the standard things that a security assessment team should have found, documented, and resolved (hopefully before the application was ever allowed to be turned on to face the public). This isn't a sophisticated SQL injection attack or obscure software vulnerability that required hours of coding to be able to detect and then exploit. If you happen to be someone who works on external facing web sites, or an Information Security professional - please check the OWASP web site. The OWASP project (Open Web Application Security Project) has been around for a while and has a lot of very good resour...

I saw this article via a list I am on: http://jadedsecurity.net/2011/06/13/you-cant-buy-dlp/ I think the author makes a very important point. Often most of your information security challenges will require more than deploying a single off the shelf solution to solve. At the least you will need to figure out how this new tool will mesh with your policies and procedures (assuming they exist) and what controls will be changed or established by a tool, and how to measure the success of the controls. At the worst case the organization would have to go through all of the steps mentioned in the article (data classification, identify the things that need to be protected, deploy compensating controls such as encryption, communicate to users how to handle data of various classification levels, monitor the systems and network appropriately to verify compliance and to detect any misuse, and constantly assess the systems and networks to improve your security level). Even then there is real...

So I recently participated in a web cast regarding the emerging GRC (Governance, Risk, and Compliance) landscape, and how we should all be aware of it as Information Security professionals. I was hoping that the web cast might cover some of the new compliance drivers out there (such as changes in the rules of civil procedure, or the new federal information security guidelines, or maybe even possible federal breach disclosure legislation). Instead the web cast focused on some very fundamental topics (which while important are items I considered to be well established and understood parts of creating a function and comprehensive security program). 1 - You can't succeed without key executive sponsorship. If you have to spend all of your time trying to justify why you need to spend time/money on security controls or creating a policy, etc. then you may not have the appropriate level of executive sponsorship. Sr. Management must be aware of the program (which should be based on t...