  • Art of Security: Exploring the Current Threatscape

    Those that know me know that I love to listen and process the lessons learned and observations of my peers in the security industry.  I know and appreciate the art of our profession.  Individuals matter.

    This past Wednesday, I had the awesome opportunity to channel the strengths of 7 distinguished “artists” from 7 of the top security brands of our industry at SecureWorld Boston during a lively panel discussion on the Current Threatscape.  The panelists were Bill Sweeney (BAE Systems), Jason Georgi (Zscaler), Victor Danevich (Infoblox), Meghan Diaz (Open DNS), Rob Sadowski (RSA), Ron Winward (Radware), and Ben Johnson (Carbon Black).

    We started by looking at how the threat landscape has changed in just the last year. One panelist thought we should break it down further since the change agent is so fluid.  If you’re not plugged in, you’d better be!  We proceeded to explore Ransomware, DNS, application-layer attacks, endpoints, nation state advisories, and threat operations.  An hour could have been spent on each area but all I had was an hour!

    Gauging from the audience, all appeared intrigued with the painting that was unfolding.  The panelists did an awesome job filling in any cracks left by the answers preceding theirs.  It kind of felt like rapid fire with a fine concentration around my agenda bullseye.

    I obviously had too much to do to capture a picture of the final masterpiece.  If you attended the session, please comment on your main takeaways from the session!

    I’d like to personally thank Kerry Nelson and Shauna De La Mare from SecureWorld Expo for roping me into facilitating this panel!  Who would have thought a computer scientist could help shape a new piece of the art of security?

    References:

    1. https://events.secureworldexpo.com/agenda/boston-ma-2017/
  • Privacy needs Security

    Laymen often think that privacy principles are at odds with security.  This post explains why privacy needs security – at least the kind of security I endorse.

    Privacy is all about control over our personal information – guaranteed since 1791 by the 4th Amendment to the US Constitution.  Privacy protections exist in telephone conversations (1934), health records (1964), US mail (1971), education records (1974), financial records (1978), identity information (1982), cable communications (1984), electronic mail (1986), polygraphs (1988), license and motor vehicle records (1994), telecommunications (1996), and information about children (2000).

    Security ensures that control of our personal information, or at least that’s what it’s supposed to do.  Reasonable efforts must be made to prevent the loss of collected information.  Individuals are also entitled to know when and what information is being collected and to be able to opt out of such collection.

    The conflict comes with the other duty of security – the identification of violators and collection of the evidence needed to prosecute them.  Enter “Apple vs FBI”.  So, how can the two sides of the security coin exist in peace?

    The same framers who guaranteed privacy also established the process by which wrongdoing would be investigated and prosecuted.  Security must either establish probable cause – the belief that a search will discover criminal activity – or obtain the consent of the accused to conduct a search.  If consent is not obtained, law enforcement must submit a warrant to search and receive written permission from a court of law.  Regardless of consent, property cannot be seized without a warrant.

    So what about “Apple vs FBI”?  In this case, a warrant to search was approved, but the appropriate evidence could not be seized due to the strong encryption.  Unlike previous cases involving telecommunication carriers, the accused holds the encryption keys, not the technology company.  Does the law also allow law enforcement to break security?  No.

    The debate goes a step further.  Imagine all authorized software having back door keys available to law enforcement.  What prevents criminals from using unauthorized, black market cryptography?  We’d have law-abiding citizens with weaker security – not the criminals we are attempting to prosecute.

  • Control System Maturity Through Quality Control

    This post is one in a series on Innovating Security Management practices.

    According to many standards for control systems, control activities involve proper business process design, information system design, and policy development.  Those same standards also suggest that each area be part of a broader and integrated architecture.  Auditors typically play outside the system, providing feedback to management on their system and controls.  So where does “security” play?

    When an auditor identifies a finding, it is given to the manager most responsible for the defective business practice.  The finding is not assigned to the CISO unless the CISO’s business unit was the subject of the audit.  Note that there is no touch point yet for “security”.

    Those same frameworks also suggest that either Management or Personnel perform the control design and implementation.  In my experience, managers know how to manage people and budgets, and drive completion of their “functional” service activity.  Unless they are a CISO, they likely don’t know how to properly design their controls.  They assign the task to their staff to figure out.

    It is no wonder that a recent survey suggests that a wide majority of executives and Board members don’t prioritize recruiting skilled “security” professionals.  They don’t use them.  Security is some other functional business process and activity, and doesn’t relate to risk management and control integrity, right?

    So who is at fault?  Someone has to be at fault for this broken control framework!

    Management is responsible for ensuring that management decisions are based upon quality information and that their actions produce quality information and communication.  So, bottom line, this is a “quality control” issue.  Time for a title change?

    When most reputable standards are fully implemented, information and communication must flow through security staff and certified technology.  The problem is, most organizations are not at that stage of maturity.  So how do we get there?

    In my opinion, it all comes down to maturity.  All key roles including Audit must recognize the maturity of the business and prioritize the appropriate entity level controls to:

    1. Establish a security-centric quality control SME.
    2. Ensure they (and their respective organization) are plugged into the management decisions going forward.

    References:

    1. http://www.esecurityplanet.com/network-security/75-percent-of-execs-board-members-dont-prioritize-recruiting-skilled-security-pros.html