The Washington Post published a story last week about the rising threat of fraud against small businesses in the US. Brian Krebs does a good job of finding examples of small businesses, as well as government agencies like a school district, which have been hit with financial fraud.
The FBI has begun to investigate cyber crime rings in Eastern Europe which are targeting US businesses. One of the concerns is the lack of data to show there is a problem. Many companies fear the bad publicity of announcing they are the victim of cyber crime. This creates a big dilemma. First, if the incident is not reported as a crime, the company has few legal options in trying to recover any losses. Second, crime is investigated based on statistics. If nobody reports cyber crime, law enforcement agencies will never staff those investigative divisions appropriately and the waves will continue to roll.
Mr. Krebs' article included a quote from the controller of a small electronics calibration company in Louisiana. The company lost close to $98,000 in two attacks days apart. Their real loss, however, was the investigation and recovery, which is estimated at 3 times their hard financial loss. That's nearly half a million dollars. This would effectively cripple most small businesses from a cash flow and operations perspective, and many of them might never recover.
If you own a small or medium business and think information security is an expenditure you can't afford, I beg you to reconsider. Not because I want your business, but because I BELIEVE in small business. It's the foundation of our economy. A risk assessment, vulnerability scan and some help with remediation efforts will most likely cost you between $20,000 and $50,000 when using a reputable and experienced consultant. That's no small chunk of change. But when compared with the staggering losses, both soft and hard, which are being felt by others, it's really a drop in the bucket.
I can't guarantee you won't be a victim just because you spend some money on security. I can, however, assure you that you will have reduced your risk of being a victim. That's what smart business people do on a daily basis: manage risk.
I don't like VPNs. I take that back. I like them a lot, I just don't trust them. Ever had a friend like that? They're fun to be around, are really helpful, always there when you need them, etc. For the most part you're great friends, but…they can't keep their mouth shut. You always have to watch what you say around them because you know it will be repeated. Probably multiple times to multiple parties. That's the view I have of VPNs.
I've been using some sort of VPN for probably a little more than a decade now. Not just remote access, but truly secured communication channels. The goal of a VPN was to make location irrelevant in the computing equation. We've done that. You can log in to an application or system remotely from just about any device with a processor and operating system, including mobile phones and PDAs.
We've gotten more secure in how we transport the data but for the most part continue to ignore the endpoint. This is my concern.
I've worked with several organizations which have implemented VPNs in either IPSec or SSL form. They go to great lengths to secure the communication channel but completely ignore the endpoint on the remote end. They rely on things like internet history scrubbers to "erase" the sensitive data from the remote machine. Who are they kidding?
There are all sorts of rudimentary ways to defeat this. The easiest is to mirror a read-only copy of an OS to a removable drive. Presto…scrubber defeated. Another is an application that places a hook into your video driver and captures screen prints every 10, 15 or 20 seconds, then stores them to a file. Combine this with a keystroke logger and you have a pretty easy yet effective way to defeat a history scrubber.
The point is, when you lose control of any part of your communication system, you lose control of your data. I routinely recommend organizations restrict access to their VPN from only devices which they control. This ensures there are other protections, such as malware detection and firewalls, in place which help limit exposure on these devices.
The biggest complaint I hear when I recommend this solution is the cost of providing laptops or mobile devices to employees who will work remotely. I think this argument is very short-sighted, and usually the entire risk environment is not being evaluated. My suggestion in these cases is to consider the risk of data leakage or security and privacy attacks from VPN usage and then recalculate the ROI. Typically this changes the discussion points. Sometimes even re-evaluating who actually needs remote access can reduce the risk and costs simultaneously.
If nothing else, organizations must understand that once data leaves a system which is completely within their control, they lose control of that data. If this risk has been evaluated and either accepted or mitigated, then by all means forge ahead. My concern is with the organizations which haven't considered this risk and therefore have a false sense of security. Anytime risk is unknown, hidden or ignored, catastrophe will be lurking in the shadows.
In my travels as an engineer, executive and now consultant I've seen many organizations of various sizes in a plethora of vertical markets. They all share one common element. Chaos.
In the smaller organizations the chaos is in the big picture. They typically don't know where to begin in developing or managing an information security program. They do little bits here and there but nothing is centralized and rarely does it tie back into business objectives. Audits in these environments typically uncover multiple gaps in risk assessments, documentation and IT controls.
For the larger organizations the chaos is in the details. They've got a great framework for how the security program is supposed to be implemented, but it is so complex that it rarely works. The process and procedures work well for one business unit but may not scale well to the rest of the organization. This usually results in audits uncovering entire units and divisions which aren't following established process because it would kill their business.
Developing an enterprise-wide security program is difficult. Trying to find something that works well for, and is accepted by, everyone isn't for the faint of heart. I know because I've done it at several organizations. My best advice to someone trying to tackle this is to consider picking one of the established frameworks and using it as a model for your program. Notice I said model. These may not fit your organization exactly and may need modification or simplification. Unless you're trying to gain ISO certification, you can pick and choose what portions of the standard apply to you.
Do some research to see if one of the common frameworks such as ISO 27001, COBIT, NIST or ITIL is commonly accepted in your industry. This will make it easier to find organizations with a similar structure in order to learn from their success or mistakes in adopting a similar program. You might also find it easier to use the same lingo in describing your program to an external auditor or finding new employees in your sector with experience in one program versus another.
Take it slow though. Don't tell yourself you're going to implement ISO 27001 this year. Approach it as a migration. You're going to migrate from complete and utter chaos, to structured chaos, to slight disorganization, and finally, in about 3-5 years, reach a level of maturity that others drool over. Pick part of the framework to implement your first year. Find something that won't be too politically charged for the organization and will allow you a quick win. This will help build momentum and trust in the program, which in turn leads to stakeholder buy-in and eventually funding. Starting off too strong is likely to doom your initiative before it ever has a chance to prove its worth.
There is no perfect one-size-fits-all model for implementing a security management program. The models and standards-based frameworks each have their own faults. They do, however, have exponentially more benefits than trying to develop something on your own.
Is anyone going through a current implementation? Which model or framework are you using and why? I'd love to hear what's working well or if there have been struggles. Please share your experiences.