Pratum Blog

In my travels as an engineer, executive and now consultant I've seen many organizations of various sizes in a plethora of vertical markets. They all share one common element. Chaos.

In the smaller organizations the chaos is in the big picture. They typically don't know where to begin in developing or managing an information security program. They do little bits here and there but nothing is centralized and rarely does it tie back into business objectives. Audits in these environments typically uncover multiple gaps in risk assessments, documentation and IT controls.

For the larger organizations the chaos is in the details. They've got a great framework for how the security program is supposed to be implemented however it so complex it rarely works. The process and procedures work well for one business unit but may not scale well to the rest of the organization. This usually results in audits uncovering entire units and divisions which aren't following established process because it would kill their business.

Developing an enterprise wide security program is difficult. Trying to find something that works well for and is accepted by everyone isn't for the faint of heart. I know because I've done it at several organizations. My best advice to someone trying to tackle this is to consider picking one of the established frameworks and use it as a model for your program. Notice I said model. These may not fit your organization exactly and need modification or simplification. Unless you're trying to gain ISO certification you can pick and choose what portions of the standard apply to you.

Do some research to see if one of the common frameworks such as ISO 27001, COBIT, NIST or ITIL is commonly accepted in your industry. This will make it easier to find organizations with a similar structure in order to learn from their success or mistakes in adopting a similar program. You might also find it easier to use the same lingo in describing your program to an external auditor or finding new employees in your sector with experience in one program versus another.

Take it slow though. Don't tell yourself you're going to implement ISO 27001 this year. Approach it as a migration. You're going to migrate from complete and utter chaos, to structured chaos, to slight disorganization and finally in about 3-5 years reach a level of maturing that others drool over. Pick part of the framework to implement your first year. Find something that won't be too politically charged for the organization and will allow you a quick win. This will help build momentum and trust in the program which in turn leads to stakeholder buy-in and eventually funding. Starting off too strong is likely to doom your initiative before it ever has a chance to prove its worth.

There is no perfect one size fits all model for implementing a security management program. The models and standards based frameworks each have their own faults. They do however have exponentially more benefits than trying to develop something on your own.

Is anyone going through a current implementation? Which model or framework are you using and why? I'd love to hear what's working well or if there have been struggles. Please share your experiences.

I presented a session at the Nebraska Cert Conference yesterday about working with IT auditors. It was quite funny to watch the facial expressions of people in the room as the session progressed. At the beginning I asked for a show of hands to see if any IT auditors where present. About half a dozen in the crowd of around 30 raised their hand.

The basic premise of my presentation was that IT management needs to be more involved in the IT audit process. As the session progressed I saw lots of smiles and head nods from the auditors. The rest of the group nodded their heads in agreement, but it wasn't the same. It almost looked like a football team that was defeated before they even hit the field. They knew they needed to play the game but had resigned themselves to the inevitable outcome before the first snap.

This tells me something about our current climate. As the frequency and depth of IT audits are increasing due to the ever changing regulatory environment, tensions are running a little high. IT groups know they are under the gun. With every new regulation comes more work and an eventual audit. This can be quite a pressure cooker to operate in on a daily basis.

I place responsibility squarely on IT management to change this culture. My company's name is Integrity. In essence it's about doing the right thing even when nobody's looking. IT managers need to change the culture in their organizations. Not that anyone is doing a bad job but sometimes we let things slide when nobody's looking over our shoulder. Log analysis or documentation get put aside when you've got network outages or development bugs to fix. Then when an audit is announced the tension runs high because everyone knows there are some things that were shelved and never picked back up.

IT management needs to do a better job of making sure their teams are provided ample opportunity to do the job correctly and completely. They should even go so far as to require it. Make it a part of performance reviews if needed. When management takes the details seriously, so will their teams.

My guess is that once we start to sweat the details in IT, audits won't be so stressful. And when audits are so stressful, we might actually begin to appreciate what they tell us about our organizations.

Here we go again. Another record setting case involving identity theft. Fox News is reporting that Albert Gonzalez is responsible for the theft of 130 million credit and debit card numbers. Funny thing is…Gonzalez is already due to stand trial later in 2009 AND 2010 for two other data thefts. Maybe you heard about one of them…TJ Maxx?

Obviously details are just emerging but some intel suggests the accused and his co-conspirators were able to breach the systems using SQL injection attacks. If that's the case I think the organizations that fell victim should be held liable for criminal negligence. Here's my argument for why.

SQL injection is the technique hackers use to insert SQL statements, queries and commands into web-based systems in order to view or extract data which normally wouldn't be visible to the end user. This stems from input which is not validated.

When you enter a term into a search field to find products by name for example, the application takes your input and creates a SQL query which it send to the database. In a normal query, your search term is passed to the database as just that, a search term. Malicious users however will put in valid SQL statements into those search boxes that are then passed to the database. It could be a command such as "Send back the table of credit card numbers". The database sees this as a valid command and sends back the full table of credit card numbers. If this input isn't checked by the application, the "search term" will be sent over to the database and it will be processed for what it is. A database execution statement, not a search term.

The sad part is that this type of malicious activity is completely avoidable. There are tools which will check each one of your input variable to ensure they cannot be manipulated in this fashion. Oh…and these tools are automated. Sure they cost money (some of them) but the risk to the confidentiality, integrity and availability of a database system open to public intrusion is just too great to ignore. This is why I say find those responsible and charge them with criminal negligence.

Now…before you go hog wild on me, I know there are some legal issues to work through here. My point is, until the system owners have some real skin in the game this will continue.

So…give me your thoughts on this. Should system owners (business owners) and administrators (IT departments) have some sort of criminal penalty applied when proper risk mitigation techniques are not followed?

 

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.