BD&F Information Security

In motor racing, they say you could go as fast as you can
afford and that the best drivers win races as slow as they can.

This apparent paradox has its parallels in the approach to
securing information. While the mantra of “Security must be good enough!” lies
at the basis of any strategic approach to building a defence around an
information system, it is often trumped by the idea that more is better.

Information Security students often propose a double
encryption solution as the best protection for data. Of course they choose the
two strongest ciphers they can find. I always have to point out the costs of
this, the energy and time it takes to encrypt and decrypt each time. I also ask
why will there ever be a need to make a near unreadable piece of information
only slightly more unreadable.

The promise of top encryption algorithms are that it will
take too long to guess the key that decrypts the information and therefore make
the effort worthless. Criminals do cost-benefit analysis too. If I have to send
sensitive information over the Internet, I will encrypt it and, if possible, use
a secure channel such as SSL. While in transit the data will be double encrypted
but my main reason for the first encryption was to protect the data at rest, when
it crosses to the other network and has to be treated discretely. There it can
only be read by those to whom I’ve given the key.

Information Security as a practice should see itself as a risk
enabler. Almost all companies that pay attention to InfoSec will have policies
that prescribe best practices for data protection. Most for example will set a
standard for transmission and SSL will be one of them.

Does this mean that when a piece of information is encrypted
at rest, it cannot be transmitted on a non-secure medium such as HTTP? There
may be other risks that come with HTTP that have to be considered but from a
privacy point of view, why not?

And if the answer is that there is no difference, what
should be InfoSec’s response? Should the policy take priority over the fact
that there is an alternative cheaper medium that is secure enough for the business?

Last few weeks have been hectic. We moved to a new house,
just about a mile away from the old one where we have been for the last eight
years. For those who have never done this, multiply all your expectations in
every aspect by ten!!

We are still straddled between houses. The old one has been
repainted to return to the landlord. It is serving as a laundrette and a
holding bay for stuff that is earmarked for the new attic. In the new house,
there is some plumbing that had to be upgraded, access to the attic is more
basic than before and the many workarounds practised by the previous owners are
still invisible to us so many things are still a decision to spend to suit us or not spend
and learn the correct modus operandi.

One huge task that we have only addressed (hint) where we
have had to is the updating of our profile details with everyone we do business
with. We started with an ambitious list made up in one sitting that included
the obvious stuff like the Borough Council, our banks, Amazon(!), and the two
main utilities.

The rest of the list is a mix of the obvious and the few
seldom remembered organisations that we deal with. Last night I remembered
Companies House and today my CISSP reminder to update my credits came so that
got added to the list. I think I will buy a six month redirect at the Post
Office and hope that acts as a catch-all for all snail mail that I need to
update.

The forth principle of the DPA states: Personal data shall
be accurate and, where necessary, kept up to date.

I consider it my duty to update my records with all firms in
order to avoid any mistakes in the future. It also serves to cut down on
possible fraud that can take advantage of using my name along with an address
that I no longer occupy. Did I mention my bank?!

Recently I gave a presentation at the InfoSec Exec
Summit UK. This was the third time I have been invited to the conference,
held at the wonderful Richmond Hill Hotel and organised by Tech:Touchstone.
They were recently acquired by the 451 Group so there was a celebratory mood
throughout. My talk was about automating information security governance.

My presentation reported on a project that analysed the
functions on an Information Security help desk. One of those processes recorded
the review of external data links. It was another Triplicate process and in
need of streamlining. The solution had to provide a central portal reporting
one version of the truth to the entire organisation.

The time savings seemed obvious, the accuracy seemed obvious
and the ease of reporting seemed obvious. What I did not anticipate was how
much of an impact a change like this can possibly have on an organisation.

One of the slides in the presentation showed a four tier description
of the InfoSec approach in an organisation. The tiers are as follows:

Tactic – What is done to achieve a goal; e.g. securely linking with a 3^rd party supplier of a needed service.

Task – How that activity is carried out; management, documentation and audit of the process

Habit – when is the task done; how often, how easy

Culture – what tactics are we willing to employ and how do we govern them

A friend at work showed great interest in this slide and
asked me what I meant by Culture. I said it was the way the people behave when
it comes to InfoSec in their daily business activity. I had an example from
home where my wife and I always double check with each other that the house
keys are outside whenever we step out.

We once had to pay the locksmith and from then on we have
been in overkill mode. I don’t think it was the best explanation of what I mean
when I say Culture and I need to work on this some more. I will be posting more
on this!

My next conference presentation is coming up on the 26^th
March and I am talking about the DOs and DON’Ts of using Cloud services. Next
week I will write more about that and when that is done, we can get back to
Culture. 

My daughter is at the drawing age. At pre-school she does these pieces of art and brings them home for us to adore and if they are truly adorable, they are hung up for display. She can now compare her work to her older brother’s and seems chuffed when hers is placed next to his.

I’ve lived off painting for many years and still think it is an enjoyable way to make a living so I do what I can to encourage them to practise as often as possible. From friends and family we get a lot of art material for them to work with. One of the most frequent gifts is the sketch book. It is not the most popular though because they seem to pile up remaining empty while the loose A4s get all the mileage.

I now collect scrap paper wherever I go and place them conveniently around the house for whenever they feel the urge to express themselves. It seems like opening a scrap book is a step too far when compared to grabbing a loose sheet and feeling free to orient it however they wish. They have forgone the discipline of creating an archive for the informal convenience of drawing on scraps.

If middle level managers can find it just as easy to perform the governance of InfoSec, they can become champions of the cultural changes needed to make securing company information part of doing business.

Many of the governance tasks are tedious and built into applications that require too many authentication points. If these applications are brought under central control perhaps with single sign-on, it means that to run a governance task will no longer require minutes to get to the file.

Many of the applications require specialised knowledge to ‘operate’. When a spreadsheet is custom built it can also mean custom operate. Skills for maintaining the ‘Starters Leavers’ workbook might be different from those needed for the ‘BYOD Register’. Having to update these two workbooks within one morning can weigh heavily on the mind of a busy person. This can lead to Subjective Productive Procrastination!

In the 70s Trinidad expanded its road infrastructure by building motorways between the three main towns of Port of Spain, San Fernando and Arima. Arima was 20 miles from the capitol, Port of Spain, and a morning commute was usually two hours. That decade of road building had a major impact on the types of cars Trinidadians bought.

It was common to drive a stick shift before then. They were the norm and in some cases seen as sporty and an advantage to adventurous drivers. When the traffic jams reached epic proportions, drivers opted for the automatics to avoid the constant changing among the lower gears to match the lunges and halts of the daily procession. By the 90s a manual was very rare and had to be specially ordered and it was of course, pricier.

The Information Security governance traffic jam is reaching similar conditions. Managers are becoming aware of the importance of InfoSec and engage with InfoSec more readily. Each project adds more governance tasks from the basic Plan Do Check Act cycle maintenance to particular efforts such as tracking third party data transfers.

The processes to govern what is happening to the company’s information will benefit from automation. Much of the work is repetitive and regular, Triplicate! MS Excel is still the lingua franca of record keeping and reporting and there are heroic efforts where spreadsheets are near enough operating as databases with GUIs.

When the number of processing functions increases so too does the complexity of working in Excel. The user will have an easier time if the tasks are presented in a Tonka-like manner. Much like an automatic gear. You want to drive, choose drive.

Custom built web applications can make a difference. The access and subsequent screens can be role based, limiting the information to only what is needed. The automation will be logical, event driven and human decision where needed. The application will be designed to save time by presenting the information in the format required without users having to ‘cook’ from one stage to another.

With automation there can be easier scheduling. The key functions are initiated and the results are returned within a predictable time frame. The user is free to focus on outcomes and use that information to maintain the InfoSec effort.

Spending two man days to navigate through Excel to extract a piece of knowledge and update a weekly report is so 90s!!

When offices were entirely paper based there was a process of copying documents in triplicate. You had two sheets of carbon paper placed equally between three A4s. These were placed in a typewriter to record the information. The A4 at the bottom was kept for record while the other two copies will go out into the world to serve their purpose.

Receipt books worked like that also with blue copying paper to create the company’s record while the customer kept the ‘original’. These systems worked well for their time. I still consider some of the old office processes to be ingenious and some are still valued today.

With the advent of information technology those systems were digitised to gain speed. That has been a success and allowed an increase in the volume of information produced and processed across all aspects of life. The approach to information processing is still influenced by those old office practices and this cross threading of ideas and technologies is proving costly.

Most companies maintain external network links with suppliers in order to exchange information. These collaborations are increasing as Cloud offerings become specialised, easy to adopt and cost efficient. There are three main types of links; send, receive and remote access.

These links into the company’s network must be recorded when they are set up and tracked until they are no longer needed. This record keeping is often handled in Excel. If there is a governance regime in place where the links have to be vetted via an iterative process, Excel begins to resemble a triplicate process that will not scale.

Here is a real world example: A team requests and fills out a form giving information on a proposed third party link; what type and class of information, who is responsible and how long it is needed, among other questions. The form requires access to the company’s policies and standards. Some of the standards are classified so users have to request a copy.

The governance team reviews the form and either approves immediately or enters into an interview via email, telephone or meetings. Email is the preferred method as it documents the discussion. This usually concludes with the link being approved whereby the applicant and the team responsible for installing the link are informed, via email.

The link form is entered into a database where the form’s information is copied into a header table to allow search.

The process is designed to allow information to be gathered via a dialogue and this is successful because the initial questions can sometimes lead to peculiar discussions as the nature of the project is explained. The email exchanges to a widening audience and the pulling together of multiple sourced data is where a costly bottleneck is formed. The classified standards are also exposed.

This is a problem that can be fixed by making better use of IT’s capability to mimic repetitive tasks, limit access, control versions of a document, broadcast a single version of the truth, act on events, schedule events and make information available when needed, how needed.

I ran my textile design business from my home for over 15yrs. The house was a modern ruin. It was built in the late 60s with fundamental flaws which plagued its life. By the 90s it was back to bare essentials. The yard was well maintained, the front gate worked, there were locks on two of the five outer doors. Sunlight and Moonlight streamed through the holes in the roof.

I will travel singly with goods to different parts of the Caribbean. I had a PomPek named Woogie as a guard dog. Friends looked after her and the house when I was away. That place was regularly stocked with raw material worth a lot of money and essential for the business to continue.

My mother once shouted back to the empty house “Sean, remember to turn off the oven!” when she spotted a group of strangers walking the street as she was leaving home. A neighbour once told me they knew when I came home on evenings because that was when the house lights went out. It was one of my tactics to avoid being a victim in a country where crime was rapidly increasing.

The house was burgled once, a friend, an insider job! Some primary school children threw a rock through the front window, thinking the house was already abandoned. I learnt a lesson from both incidents. I sectioned off the business from the living area and I kept the garden in top condition. When the lights went out at night, the music started.

Security does not have to be expensive. Camouflage can be effective enough to form another layer of defence. Hiding an asset buys time when someone is determined to find it and eliminates the threat of opportunists? Steganography is the technique for hiding data in images but that is not what’s being discussed.

An electronic staff card is an example. It is best to leave the company unidentified. The layout of your premises will also go a long way to protect your assets. The ISO 27001 standard layers start at the building’s perimeter and closes in to the data hosted on the internal systems. It’s a great standard to base security efforts but it must not remain as the final say on security in your organisation.

Understand the threats, add simple, easy to maintain hurdles and hold a unique security culture.

Returned to Gatwick on Sunday morning greeted by genuine winter weather. The deicers were preparing a plane for taxiing, the jetty for our flight was stuck and the old skool steps were iced over. A cold punctual train took us to a warm taxi, soon after, home.

The view that afternoon was exciting. Real snow piled higher than most times and set to last for days. The light was changing rapidly and the traffic died down to leave a twilight quiet street.  I started to think about the New Year and what changes I wanted for BD&F in 2013.

Last year I started designing InfoSec governance solutions, automated to help line managers with governing InfoSec compliance. These applications presented users with aggregated interfaces triggered by events translated from legacy functions.

I worked with in-house developers and small budgets to produce, host and deploy these programs to the benefit of all staff involved with the targeted processes. My contribution was my InfoSec knowledge and the analysis of the work flows.

This year I will learn to program in .NET as I think it will broaden my skill set and give me the capability to be more hands on in the development process. I used Reporting Services years ago and enjoyed it.

It is a commitment I debated for some time, weighing up pros and cons of spending the time to learn to code. I thought about focusing on design and project management but figured that coding will inform my practice in those areas including how I communicate with fellow developers.

Looking out on the street Sunday evening I decided to commit to this because the holiday trip was seen as the hand over point for plans that were earmarked for action this year. I was thinking a change was as good as a rest.

In Standard 3, Mr Howard and I had a deal. He’d delivery 6 lashes to my palm and I will forsake all homework. That worked out happily for me as I got the freedom on afternoons to play until the sun went down and after a short while there was no major pain from the morning ritual.

My school work suffered of course but my reasoning was that remaining in the A stream was a good enough result for the all the fun I had during the term. I spent my afternoons playing cricket, climbing trees, pitching marbles, going to funerals as my school was next to a church, playing at other friends’ houses and on the whole having a blast of a time.

I ignored the initial ignominy of doing something that was considered a breach in order to gain a reward that I considered important. After some time Mr Howard just did not bother with the lashes and I continued to enjoy my schools days.

If that perspective is applied to business and Information Security, there will be an assessment of the penalty for breaching a law/standard against a commercial gain. The cost of losing customer data might be high in terms of trust, reputation and goodwill but the cost of a fine for not putting a control in place might be affordable.

The resolving of risk vs. reward comes up often in the discussion of Cloud services. Hosting information in a supplier’s network can seem full of risks. There are the laws and standards to consider where obligatory prescriptive controls can have punitive actions attached. There are risks to the information’s Confidentiality, Integrity and Availability from the systems’ architecture, suppliers’ InfoSec cultures and the paucity of contracts.

Cloud services provide a menu of functions that many businesses are not willing to fund in house. Getting an analysis of the demographic information contained in records of your customers’ purchases can lead to higher profits. The protection of that data during exchange is prescribed but a business might decide that a costly level of encryption might be overkill and accept the risk of fines when viewed against the commercial advantage of outsourcing.

Companies must recognise they have a duty of care towards their customers as data in the wrong hands can be dangerous. Businesses are always seeking advantages to enhance profits and are quick to accept technology that supports that effort. When laws and standards lag behind innovation, organisations must keep their customers safety paramount while exercising judgement on ‘good enough’ security practices.

Time flies like an arrow.  This is the first part of two statements that illustrate the challenge to get computers to grasp context. If decision systems are to be fully automated, programs will have to grasp the meaning of words in situ.

Fruit flies like a banana. The second part, throws out all the previous peculiarities and you have to start building the meanings again. To make decisions where the desired result depends on context, a program will have to read between the lines as we do when supplied data. Without this ability the risk of miscalculation is higher.

Information Security Governance will benefit from automation tools that can handle the discrete tasks such as audits for access, server patching and 3^rd Party links. There are many more functions that can be analysed and described in formal languages and executed automatically. This will give InfoSec more time to spend at the initiation of projects to have a greater impact.

Automation will also help with the communication needed across the organisation with event driven procedures. When an application is submitted it can signal the start of template correspondences, schedules and reports which will require human intervention to various degrees.

The level of human involvement will depend on the reach and accuracy of the systems deployed. There are many methodologies for managing such projects where an operation is studied and then automated. There is also a lot of technology available to IT consumers that will deliver gains in time and consistency for tasks that are recognisably repetitious.

Macros for example can be built to help with almost any tasks regularly handled in spread sheets. The quality assurance has to be high because once built these programs are often left to run without regular exposure to criticism. If the function fails because of an unusual event, the mistake becomes a potential threat.

Automate what is easily understood, keep analysing the process, and allow for human veto.