SecureIT Observations: Why Most Awareness and Training Programs Fail

I recently came across an article that pronounced security awareness efforts to be a complete and total waste of time. The author insisted that awareness efforts have no real value and that the true path to information protection lies in the advancement of technical security controls. Needless to say, I vehemently disagree with this perspective.

While security awareness and training programs, as implemented today, do indeed meet with limited success, this does not invalidate their use. In fact, when one examines the key reasons why contemporary security awareness and training programs fail, it has more to do with the foundations they are built on and the manner in which they are carried out.

The Top 10 Reasons Security Awareness and Training Programs Fail:

1. Failure to engage executives in establishing risk tolerance levels: One thing I see time and time again is a security approach that is based on assumed levels of risk acceptance determined at a middle-management level, on some sort of idealistic ‘best practice’ model, or worse yet, a strictly compliance-based program. The truth is, information security is a risk management issue that requires executive involvement. It is crucial that the executive team be engaged to determine the level of risk that is and/or is not acceptable to the company (more on this in an upcoming article).

2. Executive level visibility, support, and enforcement: There is a lot to this topic, but in essence it all boils down to setting the ‘tone from the top’ and leading by example. This is primarily an issue of corporate culture – of core values and beliefs (more on this below). It’s about changing patterns of behavior to be consistent with the security goals of the organization. If employees don’t see security being taken seriously by upper management, how can they be expected to take security matters seriously themselves?

3. Misalignment between business and security goals: I’d also add that misalignment between information security, privacy, compliance, and general risk management goals is also at issue here. Some of this can be addressed by dealing with the issues identified above, but well-defined security goals and objectives should be an outcome of the executive engagement process and the involvement of senior leadership. These goals need to be consistent with what the business wants and needs, as well as the risk management portfolio of the organization. A security program that stands alone is doomed to fail.

4. Lack of a cohesive organizational security strategy: Information security is a strategic risk management issue for organizations of all types and sizes. Many times, however, there is no comprehensive, cohesive security strategy in place from which clarity and consistency can be drawn. Unless security awareness and training is considered part of a more holistic defense-in-depth security model, it will never have the legitimacy required for organizational adoption.

5. Poorly defined security policies and other written resources: This is a big one – and the one I see as the biggest failure of most organizations. In past articles I’ve spoken (both seriously and humorously) about adopting a ‘For Dummies’ approach to writing security policies. The main problem is, most security policies are written to read like legal documents and are more about keeping the company out of trouble than they are about providing information or influencing a change in behavior. The more we simplify the policies, standards, guidelines, and procedures that we expect our users to follow, and the more accessible we make them, the more likely people are to actually read, understand, and apply them.

6. Poor availability of useful guidance, materials, and security support: I am a firm believer that most people want to do the right thing when it comes to information security. Often they just don’t know what the ‘right thing’ is in a given situation. Even if the policies are clear and useful, they need to be made available in an easy to use, on-line format, in a centralized manner. In addition to posting the core policies and other materials, generating short ‘how to’ documents, offering Q&A information, and including contact information are all essential. People need to know where to go – and who to talk to if they have questions or need help.

7. An organizational culture that does not emphasize the value of information: I’ve already alluded to this above, but it’s a topic of such importance that it needs repeating in a slightly different manner. An effective information security awareness and training program is all about ‘changing the hearts and minds’ of employees, business partners, customers, etc. This may sound a little overdone, but the reality is, all good security programs have elements that are deeply embedded in the corporate culture of the organization. Information has value – and anyone coming into contact with that information must understand its value, why it is valuable, and why it must be protected. We want to create behaviors that are consistent with our security goals – this is done at a cultural level.

8. Deep emphasis on technical controls without considering the human factor: This goes back to the issue of having a holistic security strategy in place, but it’s also representative of a systemic problem within the security community that we must address. In the article I mentioned in the introduction, I discussed the view that a heavy investment in security technologies is often presumed to be the be-all and end-all of security controls. This is a deeply flawed concept – and an extremely dangerous one for any organization to consider adopting (although it is sadly the standard model applied in many places). Security technologies cannot keep pace with attackers – this has been true for quite some time now. Relying solely on security technologies is also extremely costly – you’ll never have the funds to cover all of your bases – never!

9. Limited visibility into security metrics and measures to indicate success: Attributing value to a protective control is often difficult to do, especially when measuring the impact of security awareness and training initiatives. It’s even more difficult to do if you don’t have any mechanism in place for measuring success. Again, this is one of those things that very few organizations place any degree of emphasis on, but it is vital to properly protecting an organization’s information assets. As a challenge to the article that inspired me to write this post – I’d like to see the data that supports their position. It’s my experience that this data cannot be produced because it’s not actually being measured properly.

10. Failure to create an interesting and engaging security awareness experience: Most of the security awareness materials I see produced are sad at best. A few corporate e-mails, perhaps a slide deck, maybe even a cheesy video or on-line training tool. None of these things work because they fail to actively engage the participant. In order to create sustained patterns of desired behavior, it is essential that individuals be immersed in the material – not just your security expectations, but WHY those security expectations have been put in place to begin with. The why is far more important than the ‘what’ or the ‘how’ – without explaining the why, there is no interest, no ownership, no engagement. Knowing WHY also enables individuals to more selectively apply proper security controls based on their unique circumstances, rather than just ignoring inflexible requirements altogether… but that’s a different topic for another day.

There are many other issues that will influence the effectiveness of a security awareness and training program – like categorizing user groups, creating targeted materials, using effective training techniques, etc. But these are all secondary to the critical issue of having a solid security foundation in place to begin with. If you simply try to jump from ‘we sort of have a security program’ to ‘now let’s do this awareness thing by sending out a monthly e-mail’ then you shouldn’t be surprised that no one knows anything about security within your organization. No one cares because they have no reason to do so – no resources to enable them, and no one to turn to when they need support.

Anyone who limits their concept of security awareness and training to things like posters, blanket e-mails, and cool looking mouse pads will most certainly fail. While these are common methods for encouraging awareness, they do nothing to actively engage the user constituency in the process of security. Active engagement and a well-built foundation are the keys to success.

To say that security awareness and training is a waste of time and money is simply untrue. It is actually the most effective and cost-effective security control you can put in place! And that is a simple fact!

SMART SecureIT: Advice on Hiring Information Security Professionals

Many organizations struggle with the challenges of information security on a pretty constant basis. Size, complexity, and market segment have little to do with most of these challenges, though certainly some sectors are bigger targets than others (government, banking, healthcare, etc.). The greatest of these challenges isn’t about risk management or strategy, or any other traditional security concern per se – the number one challenge is in finding the right people to do the job!

A big part of this challenge stems from our own perceptions, beliefs, and biases though – and has little to do with the reality of the situation. Yes, we need more trained and experienced security professionals to meet the rising demands of organizations that are concerned with information security, cyber warfare, and the like. But there are already a number of extremely talented security professionals in the marketplace today who, because they don’t meet certain ‘standards’, are often passed over for consideration.

As an employer, HR professional, or hiring manager, it’s important to understand who and what security professionals really are – and what’s needed to be successful with security initiatives before diving into the hiring process. Security professionals are a rare breed. As I’m often fond of saying, “we’re paid to be paranoid”. It’s more than that though… Some of our dominant character traits include a degree of suspicion and pessimism, but they also include a desire to explore, to question, and to speak our minds.

We aren’t generally ‘normal’, 9 to 5 people who can just go in, work for a few hours, and head home without giving our professional responsibilities a second thought. Most of us have a tremendous amount of personal and professional pride in what we do – and we worry (constantly) about what might happen on our watch. We have a vested interest in the security outcomes we create or influence on a daily basis. Many of us are quite guilty of taking things personally as security professionals because to us, it IS personal!

These factors have both positive and negative consequences for many employers and hiring managers who may be used to dealing with the nuances of IT personnel in general, but who are a little taken aback when it comes to the increased level of ‘care and feeding’ that may be required when working with dedicated and outspoken security professionals. Or when meeting those of us who insist on crazy hairdos, beards, tattoos, etc., and may not show up at job interviews wearing a traditional ‘suit and tie’. We may also lack some of the social graces you may be accustomed to – but none of these initial reactions, perceptions, or biases should influence your decision making process…

Before I go any further with my line of thinking here, I want to point out that I am STILL a FIRM believer in taking a holistic approach to one’s own professional development – through a combination of training, education, certification, etc. I consider these to be signs of a well-rounded security professional who has put the time and effort into developing their portfolio and earning the moniker of being a professional in the field. What matters most though is the SKILLSET of the individual – a fact that is often overlooked when seeking someone to address an organization’s security needs.

There’s also the matter of aligning the right skillsets to each type of security role that exists. More often than not, organizations try to find everything they are looking for in a single candidate (deep technical expertise, business acumen, communication skills, etc.), and are surprised or disappointed when they discover that there are VERY VERY FEW security professionals who can claim expertise or demonstrate character traits that are consistent with ALL of these expectations. In truth, you usually need more than one individual if you want to succeed. Diverse backgrounds, opinions, and areas of expertise are ABSOLUTELY ESSENTIAL to creating a protective security strategy that will actually work.

Yes, if you are a small business you may simply look to your one-deep IT manager to handle your security needs, but you’d still probably benefit by bringing in temporary help from time to time to make sure that you have the right controls in place (ones that are properly suited to your business needs). If you’re a bit larger and able to bring in a dedicated security professional – you might be able to find a candidate who has some balance of technical and business expertise, but it may take a while. If you can, your best bet is to have at least two people in place to help address your security needs – one with a strategic business focus to help drive the people and process side of things, and a more technically savvy security engineer who focuses on cyber security and systems management.

Even then, you may still find that the security field is SO BROAD that you need different skill sets and different people to address more granular needs. This is where diversity becomes increasingly important – and is often applicable in larger organizations that are big enough to warrant one or more security teams to address specific security issues. This is where things begin to get more complicated though, because now you’re talking about requirements for a dedicated CISO type, along with audit and compliance professionals, policy and program folks, architecture and engineering experts, and so on. The mission may even get sub-divided into operational, tactical, and strategic security aspects.

The bottom line here is that it can be hard for an organization to find that ‘one special person’ who can do it all – and still meet your definition of a ‘professional’. So how do you go about finding the right person for the job then? Especially when you are a one-deep shop, or don’t currently have a dedicated security professional or an experienced security opinion on hand? We’ll talk about that next time – for now… just be open minded, focus on skills, and be a little forgiving of our unique quirks.

SMART SecureIT: Making the Case for Managed Security Monitoring

In my daily security strategy conversations with clients I’m often asked “what’s the one thing I should really focus on?” Now that may seem like a pretty big question to ask, but when you consider how thinly spread most security functions are within many organizations (if they exist at all) it’s not a surprising one.

If you’ve worked with me or read my blogs at any point, you’ll know that I’m a pretty big proponent of building an underlying security framework that takes into account the unique security context of the organization; so there are a LOT of ways to answer this kind of a question. Do you start with executive support, risk definition, policies? What?

My usual response goes something like this: “You can spend weeks, months, or even years putting your security program in place, but an incident could happen tomorrow. If it did, how would you know and what would you do?” More often than not I get a blank, worried look as a reaction to my inquiry, followed by a conversation that essentially boils down to “I’m not sure”.

Now, there’s nothing wrong with this per se. Obviously admitting you have a problem is the first step towards solving it. The people sitting on the other side of the table are always smart, capable individuals who are usually a) unsure where to begin, b) overwhelmed by the enormity of the security conversation, c) under-budgeted and under-staffed, or d) all of the above. They just need a little help.

I’m not a fan of holding my audience captive waiting for ‘the big reveal’, so I’ll let you know up front that, personally, I think nearly ALL small to medium sized businesses (and most enterprises) are best served by what I define as an ‘outsourced tier-1 managed security monitoring service’, coupled with a simple incident response plan and a bit of awareness/training. Let me explain.

It is ABSOLUTELY ESSENTIAL that you have visibility into the security events occurring within your information ecosystem. If you aren’t keeping an eye on what’s actually happening, then EVERYTHING else you do to address security within your organization will fail! That may sound harsh, but it’s true. You WILL NOT be successful in defending your information assets if you don’t know what’s happening to them.

Even if you DO have a reasonable level of visibility into security events occurring within your information ecosystem, the next part is just as important. Do you have a plan in place to deal with a suspected security incident WHEN (not if) it occurs? Do people know about the plan? Do they understand their role in it? Do they know what to do? It’s FAR better to create a plan in advance – not during an event.

I’ll deal with the incident planning and awareness/training pieces in a separate article. This post is really about the visibility side of the equation. It’s about coming up with the most comprehensive, most cost effective way of gaining insight into the security events happening within your information ecosystem so you can address them as they occur (instead of months later, AFTER the damage has been done).

First, let’s establish that visibility is made possible by event logging and log monitoring. Nearly every network device, operating system, application, etc. has some level of logging capability. In some cases security logs need to be turned on – or they need to be ‘tuned’ to get the kind of alerts that are important to you. Do you want to know about all failed login attempts (for instance), or just big issues?

Side note: Deciding what types of alerts should be generated is a topic in its own right. You need to make a lot of decisions about what you want monitored, why you want it monitored, what level of detail you want to achieve, how you want to see alerts generated, where you want them to go. And so on. Again, probably a topic for its own separate article later on.

As you can imagine – all of those log files being generated can be way way too much for a human being to get through (especially when you start talking about hundreds or even thousands of systems). It’s not uncommon for MILLIONS of alerts to be generated per week, day, hour, minute, or even second (depending on the size and complexity of your environment).

So how do you weed through all those alerts to identify the things that really need your time and attention? Well, some folks try to just focus on the event logs and alerts that come from their security devices – things like firewalls and intrusion detection/prevention systems. Sure, those are useful, but they aren’t going to catch everything – in fact, they are likely to miss a lot of important event data.

One of the most basic principles of security incident response is to have as much data as possible. If you are trying to piece together an attack against one of your key financial systems, chances are you’re going to want to know about it quickly, deal with it quickly, and understand how it was done so you can prevent it from happening again. A firewall alert may tell you there’s a problem, but is that enough?

Let’s talk briefly about the importance of understanding both the breadth and depth of a security event. If someone were to attack the financial system alluded to before, an alert at the firewall might signal the start of an event. If your IDS/IPS also flags it as suspicious, now you’ve got something more substantial to work with. If the target server also generates an alert, now you have a MUCH better idea of what’s going on.

When you have multiple event logging mechanisms working together in unison, you also decrease the chance of getting false positives (i.e. something suspicious looks like it may be happening, but it really isn’t) – or worse yet, false negatives (i.e. when something suspicious IS happening and no alerts are generated). In other words, you increase the effectiveness of your monitoring efforts overall.

Side note: If the idea of greater visibility and effectiveness doesn’t move you to agree how important this is, there’s also the compliance perspective to take into account. Almost EVERY compliance requirement and almost EVERY ‘best practices’ framework includes one or more specifications for log monitoring, event management, incident response, etc. There’s really NO getting away from it.

This increased effectiveness (and compliance) comes at a price though – efficiency. If you are aggregating and correlating log files from multiple devices (and you are facing stacks and stacks of log files DAILY), how can you possibly hope to find that ‘needle in a haystack’? There are really just two answers here – you either do it yourself, or you get someone else to do it.

Because the term ‘outsourcing’ has become such a dirty word within the IT industry, and because people are increasingly conscious of their long-term employment, and because many security professionals are ‘paid to be paranoid’, there’s a general perception that dealing with security monitoring in-house is preferable. I’d argue that this is a bit of a misconception and actually creates more problems than it solves.

The #1 reason I tend to shy away from in-sourcing security monitoring is COST. Not just the up-front cost of investing in a few key technologies, but the TOTAL COST OF OWNERSHIP that comes with trying to do everything yourself. Reading log files, identifying security issues, analyzing suspicious activity, and dealing with incidents is a HIGHLY specialized skill set (which usually means expensive).

Not to mention you’ll need at least one dedicated, full-time employee who’s doing NOTHING but managing log files and investigating alerts. Now this may be okay for a larger organization, but I can’t think of too many small business owners who want to keep a 70k to 90k resource on staff that just does this stuff all day – ON TOP OF the half-a-million dollars it will take to put the tools in place.

Side note: Yes, it may be a slight exaggeration to say that you need all of this – but remember the basic premise here. If you don’t know what’s happening within your information ecosystem, you CAN NOT PROTECT IT. That visibility is essential, and you need to have the tools and the people in place to keep an eye on things. You may be able to get away with less – sure. Risk is a personal decision after all.

There’s a better option though – and one that I HIGHLY recommend for almost EVERYONE. There are a number of Managed Security Service Providers (MSSPs) in the marketplace who specialize in security monitoring. For an initial set-up fee and an annualized contract of some sort, you can have someone ELSE do all of the work – and for WAY WAY WAY less money (and effort).

Here’s how most of them work. The service provider will add one or more event collectors (i.e. a security device that collects all of the log files from all of the devices you identify) to your network. This box will take all of those log files, run a few basic algorithms, compress everything, and send it (via a secure connection) to the service provider for further analysis.

After that, your log data is fed into additional event correlation and analysis engines to filter through all of the events and identify the ones that look anomalous or suspicious in some way. This may take 10,000,000 alerts and drop them down to 500. At that point, a trained and qualified human being will look at the remaining 500 alerts to see if there’s anything to really worry about.
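The breadth-and-depth idea from earlier (a firewall alert, an IDS hit, and a host alert against the same system reinforcing one another) and the event-reduction step described here, shown as an added, simplified correlation pass. This is illustrative code written for this page, not the original post's and not any MSSP's product; the log format, host names, and addresses are constructed.

```python
"""Multi-source event correlation over constructed log lines (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Assumed line format:
#   <ISO timestamp> <source> dst=<host> msg=<free text>
# Addresses use documentation ranges (RFC 5737) so they resolve to nothing.
SAMPLE_LOGS = """\
2013-07-01T09:00:01 firewall dst=fin-db01 msg=deny tcp 203.0.113.7:51234 -> fin-db01:1433
2013-07-01T09:00:04 ids dst=fin-db01 msg=signature SQL-BRUTE-FORCE matched
2013-07-01T09:00:09 host dst=fin-db01 msg=failed login for user sa
2013-07-01T09:00:11 host dst=fin-db01 msg=failed login for user sa
2013-07-01T09:05:00 firewall dst=web01 msg=deny udp 198.51.100.9:137 -> web01:137
2013-07-01T09:30:00 host dst=hr-app msg=failed login for user jsmith
2013-07-01T10:00:00 firewall dst=fin-db01 msg=deny tcp 192.0.2.5:443 -> fin-db01:1433
"""


def parse_event(line: str) -> dict:
    """Split one constructed log line into timestamp, source, target host and message."""
    ts_str, source, rest = line.split(" ", 2)
    dst_part, msg = rest.split(" msg=", 1)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "source": source,
        "host": dst_part.split("=", 1)[1],
        "msg": msg,
    }


def _escalate(host: str, cluster: list, min_sources: int) -> list:
    """Turn a per-host cluster into a finding only if enough distinct sources agree."""
    sources = sorted({e["source"] for e in cluster})
    if len(sources) < min_sources:
        return []  # a lone firewall (or lone host) alert is not corroborated
    return [{
        "host": host,
        "sources": sources,
        "event_count": len(cluster),
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
    }]


def correlate(events: list, window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> list:
    """Group events by target host into time windows and keep corroborated ones.

    A cluster opens with the first event for a host and absorbs later events
    whose timestamp is within `window` of that first event. Each cluster is
    escalated only when `min_sources` different log sources contributed.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        cluster = []
        for ev in evs:
            if cluster and ev["ts"] - cluster[0]["ts"] > window:
                findings.extend(_escalate(host, cluster, min_sources))
                cluster = []
            cluster.append(ev)
        findings.extend(_escalate(host, cluster, min_sources))
    return findings


def triage(raw_logs: str, **kwargs) -> dict:
    """Parse raw lines, correlate them, and report how far the volume was reduced."""
    events = [parse_event(l) for l in raw_logs.splitlines() if l.strip()]
    findings = correlate(events, **kwargs)
    return {"raw_events": len(events), "escalated": len(findings), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(f"{result['raw_events']} raw events -> {result['escalated']} finding(s)")
    for f in result["findings"]:
        print(f"  {f['host']}: {f['event_count']} events from {', '.join(f['sources'])} "
              f"between {f['start'].time()} and {f['end'].time()}")
```

On the constructed sample, only the cluster against fin-db01 (firewall, IDS and host all reporting within five minutes) is escalated; the lone firewall denies and the single failed login on hr-app stay in the noise, which is the false-positive reduction the multi-source approach buys you.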

If the analyst does find that a suspected incident has occurred, there’s usually a classification and categorization process and a validation process. Then you get a phone call. Once you get called, and depending on the provider (and the service level you subscribed to), the provider will help you understand what’s occurred and provide recommendations on what should be done about it.

So, in essence, for far less money, less time, and less effort, you’ve had VERY qualified individuals use HIGHLY specialized tools to whittle through ALL of your log files, taking thousands or even millions of alerts per day and reducing them down to what could end up being one or two phone calls a week or so. These numbers are really just examples (because it’s a lot more complicated than this), but you get the idea – more [security] for less [money].

So again, when my clients ask me what to focus on – my recommendation boils down to “let’s get someone in here to talk to you about a managed monitoring service. At the same time, we’ll start working on building that baseline incident response plan I mentioned (which is also greatly simplified if you have a managed services partner) and getting some basic awareness/training in place.”

As for WHO to get as your managed security services provider, that’s a different topic entirely and leads into a whole new series of articles on gathering technical requirements, establishing clear selection criteria, evaluating options, etc. If you want to learn more though – I’m always here to help. Just give me a call at SecureITExperts: 425.877.0919.

*NOTE: SecureITExperts is NOT an MSSP. We do NOT provide managed monitoring services. We offer a completely independent third-party perspective on the issues and challenges surrounding log monitoring and management (among a wide variety of other security topics). We can also recommend service providers and broker service arrangements – However, we value our independence and our objectivity above all else. Our focus will be on helping YOU find the right solution for YOUR business.

Company News Update: Expanding Services to Oregon and California

1 July 2013
SecureITExperts Service Offerings Now Available in Washington State, Oregon, and California.

One year ago today, it was announced that SecureITExpert Brad Bemis would be stepping down from his role as the CISO, Security Practice Manager, and Principal Security Consultant at Network Computing Architects (NCA) in order to establish his own information security consulting firm.

Since that time, SecureITExperts has been heavily engaged with a broad range of clients across the country; primarily delivering its highly valued Virtual CISO services. However, due to the presence of a previously signed non-compete agreement with NCA, SecureITExperts was unable to engage with clients in Washington, Oregon, and California. As of today, this is no longer the case.

SecureITExperts will now be offering its security expertise across the entirety of the Pacific Northwest region – and beyond. Over the course of the next month, a series of service updates will be released on the company’s website and made available to all those who have expressed an interest in the services being offered.

“It’s been an exciting year. It’s been a busy year. But it’s also been a definite challenge to remain apart and disconnected from my many professional colleagues and friends here in the local area,” explains Brad Bemis, the energetic CEO and Principal Security Strategist. “We’ve been waiting for this day to come for some time now, and it’s finally here!”

“We’ve been using our time quite well though. In addition to the important work we’ve been doing with our remote clients, we’ve also been establishing our offices, developing our SMART+ security engagement methodologies, and building an unparalleled platform for the delivery of strategic security services. I’m extremely proud of what we’ve accomplished so far – and am truly eager to demonstrate our unique value here at home.”

You can learn more by visiting, by sending an e-mail to, or by calling 425-877-0919.

A Call to Action: Security and Organizational Culture

Within an organizational environment, the cultural norms are what drive attitudes and behaviors. It matters little what corporate policies or employee handbooks have to say if the day-to-day ‘tone’ of the organization is inconsistent with its printed materials.

In many organizations, a complex set of “security policies” is used as a record – for the purposes of conformance – to document its formal expectations of employees and others. While policies are great in theory, they often exist solely for the purpose of satisfying external audit requirements.

The truth is, many organizations maintain a set of security policies that are archaic, ineffective, unreadable, unusable, and go unread! Yes, you can produce signed statements from employees that show they ‘read the policy’ upon hire and once annually, but if you stop someone in the hallways can they tell you anything at all about those policies?

So, if there’s a disconnect between what your policies say and the cultural norms that exist within your organization (which there usually is), then what is actually informing people’s day-to-day decisions about how to handle information properly?

What drives MOST people’s understanding of security, within pretty much any-sized organization, is what they see in the media (including social media) or what they pick up from their friends and family members.

For the most part, every organization places its full faith and trust in the fact that ‘someone’ is taking care of that security stuff. People might see a training reminder or an e-mail notice about something security-related a few times a year, but that does little to dissuade the misinformation, misperception, and misapplication of security as it applies within YOUR unique organizational context.

When cyber attackers come looking for a way into your organization, it’s not going to be through the front door. It takes FAR less time, effort, and energy to use a social engineering exploit to gain an initial foothold than it does to attack a firewall head-on.

It’s what your people do, based on their ASSUMPTIONS about security, that matters most; assumptions that are based on their extremely limited insight into the risks and proper decision-making criteria that should be applied when working with information, especially sensitive information like credit card data, health care records, or bank account details.

Make no mistake – people are the weakest link in the chain – IN EVERY SITUATION – when it comes to information security. It’s not because they don’t care though – it’s often that they just don’t have the right information – or the right set of principles to work from. Most people want to do the right thing. They just need to know what the right thing is…

We must begin to engage people in the process of information security on an every-day basis, not as a perception-driven and error-prone acceptance of risk, but as an informed instinct that helps reduce risks across the board.

At SecureITExperts we focus on eliminating the unnecessary clutter that’s in place today, simplifying the security process, and working to shift cultural norms to be in direct alignment with an organization’s DEFINED risk-tolerance thresholds.

We don’t deal with firewalls or other security products – we deal with the complexities of the human element. Are the humans in your organization the weakest link? If the answer is ‘no’, then the next question is “how are you so sure”?

If you can’t answer that question – we can help find an answer with you…

SecureIT Observations: Four Flavors of Risk Assessment

Risk is always an interesting topic of discussion within the infosec world. We have our own industry definitions for risk, and dozens of models to draw from when measuring or managing risk. One of the most intriguing aspects of risk-oriented work within this field is indeed how we measure risk – and how we use the results to help us make better decisions.

There are several different risk assessment frameworks and methodologies that we see being employed in companies of all types and sizes. However, we tend to isolate our thinking to the application of one or two approaches that we’ve become familiar with – making the problem fit the solution instead of the other way around.

Based on my experiences over the past 23 years, I see a particular need for four different ‘types’ of security assessments that are needed within most organizations:

Rapid Risk Assessment: We need at least one risk assessment tool that we can always keep in our pocket and use in meetings to illustrate a point… It’s also a way of analyzing risks quickly and easily; to give a general idea of what the level of risk MIGHT be. Remember – risk measurement is really all about decision making. You’re supporting the decision-making process with the output of your risk assessment – “do we or don’t we”? When you’re talking about quick and easy – a rapid risk assessment is like putting your finger up in the air to see if you can feel which way the wind is blowing. It’s not going to give you the kind of answers you’re going to need to make real decisions.

Detailed Risk Assessment: We need a whole new layer of abstraction when it comes to taking real risk measurements – ones that can inform the decision-making process in a meaningful way. Whereas the rapid risk approach will help you figure out which direction the wind is blowing in, a detailed risk assessment will also help you figure out just how hard that wind is blowing, how warm or cool it may be, whether or not it carries a scent, etc. Either way, we generally use rapid and detailed risk assessment methods when we’re talking about a well-defined process or technology boundary – a specific issue or specific system, application, etc.

Contextual Risk Assessment: Looking beyond a single process or technology boundary, we start to take a bigger picture look at security. We need an assessment approach ‘type’ that’s focused on a specific ‘context’. We might be applying it to a cloud security context, or a PCI compliance context, or a program or project context. However you look at it, there are a TON of specialized security ‘contexts’ that might apply in terms of risk. The focus here? We’re looking beyond a singular point of focus and finding a mechanism by which we can consider risk from a bird’s eye view – or within a broader but more specialized scope. That said, there may also be a need to connect one or more rapid or detailed risk assessments to a larger contextual one – perhaps using them as building blocks to draw a broader range of conclusions.

Organizational Risk Assessment: We also need a way to look at risk across the organization. We always say that it’s industry best practice to conduct an organization-wide risk assessment at least once a year. Some of us can push this envelope out to 18 month intervals – which is still fine. After 18 months things have likely changed SO MUCH that you really have no excuse whatsoever for blowing past that time frame too. When you’re talking about information security risk across an entire organization though, the process can be quite daunting. Organizational risk assessments are a special case unto themselves that have very carefully laid out processes to help streamline activities while gathering the information you need; all while avoiding the common pitfalls that cause most large-scale risk assessments to fail in meeting their true intended purpose.

By presenting these ‘types’ of risk assessment approaches, I am not by any means suggesting that this is the ‘end of the rainbow’ so to speak. We still need quantified and qualified risk measurement variants, assessments that focus on networks, systems, applications, processes, etc., assessments that help us stay compliant or meet specific governance requirements, assessments that help us make good (or at least better, more informed) decisions in general.

For me, it’s all about having the right tool to perform that job at hand as efficiently and effectively as possible!

SecureIT Observations: Information Security and the Hero’s Inner Journey

Of late I’ve been doing a lot of study regarding visualization, imagery, and story as tools for communicating more effectively with key stakeholders, general user constituencies, and the like. You see, I consider myself a writer. I love to write. I’m pretty good at writing. And I can write quickly (all in all it only took about 15 minutes to write this entire article).

Here’s my problem though – we have to be pretty judicious with our time; focusing our efforts on what we can review, digest, and utilize as quickly as possible. There’s not a lot of time for minutia. As much as I might enjoy writing a 100-page thesis on the fundamentals of ‘outcome-based learning’ – not too many of us would prioritize it over, say, the current statistics on Advanced Persistent Threats. Hence my desire to take the age old phrase “a picture speaks a thousand words” a bit more literally than I have in the past (just not for this article – sorry).

And that’s how I stumbled across “The Hero’s Inner Journey”. Not for the first time of course (I’m fairly sure I remember some faint impression of it upon my memory harkening back to the AP English Literature class I took in High School). If you are not familiar with this classical story model drawn from the works of Carl Jung and Joseph Campbell, I expect the first thing you’ll notice is the overwhelmingly clear allegory for change represented within its structure.

Broken down into its constituent parts, the Hero’s Inner Journey consists of 12 ‘stages’ of character development that, in the end, fundamentally alter how the hero of the story comes to view the world. What struck me when I saw this image (below) the other day was “wow, this is the most realistic description of how we deal with inner change that I’ve seen to date”! No, it’s not the kind of thing you’d find in a typical MBA course-book, but perhaps it should be.

At the beginning of the hero’s journey, we find our protagonist possessing limited awareness of a problem (perhaps something like – “I think my information assets may be in jeopardy”). Over a short initial period of time, and due to a series of small events, the character begins to gain increased awareness of the problem (like – if you started reading about security issues, you’d find out that it’s actually much worse than you thought). At this point, our would-be hero shifts away from the truth and demonstrates a strong reluctance to change (like – “yeah, but if I try to do something about this whole security mess, it’d be a lot of hard work and cost a lot of money… maybe I won’t be targeted”).

Entering into the next stage of the journey, our protagonist is forced to overcome his reluctance after discussing the matter with a mentor or close friend (like – you just finished having lunch with Fred from over at XYZ and he told you they’d been attacked; suffering a major data breach as a result). So now the hero is really beginning to feel the urge to take some kind of action. That’s when reality hits and we cross a threshold that demands a commitment to change (like a week later, your own company is the victim of a security breach). It’s this crossing of the threshold that pushes our hero into direct and immediate action – experimenting with changes that can be made to avoid future breaches.

After thinking about it for a while and playing with some options, our hero begins to prepare for making his first big meaningful change (like – perhaps implementing some sort of security information and event management system (SIEM) to get greater visibility into what’s really happening with the company’s information assets). So the change goes into effect – and we see what happens. The monitoring systems begin to explode with traffic – and our hero suddenly feels like the earth is crumbling out from beneath his feet. Not to be discouraged though, our protagonist continues to become more and more heroic, and starts dealing with the consequences of the big change (like – going back to the drawing board and figuring out that he’s not really equipped to do this by himself).

So the hero turns outward and rededicates himself to change – finding a partner and tackling the issue together (like – engaging a managed security monitoring service to aggregate and correlate all relevant event logs, providing tier-1 alert management on the events that actually need to be looked at). This enters us into the final stages of the journey, because now the hero makes his final attempt at the big change (like – completing the initial turn-up process with the managed security monitoring service and getting the first taste of a more manageable data stream). This leads us to the end of the story, whereby the hero is now truly heroic and has mastered the problem (like – now having a 24x7x365 managed view of his information ecosystem that provides amazing value for what little it really costs in the grand scheme of things).

So those are the 12 stages:
• Limited awareness of a problem
• Increased awareness
• Reluctance to change
• Overcoming reluctance
• Committing to change
• Experimenting with first change
• Preparing for a big change
• Attempting the big change
• Dealing with the consequences of the attempt
• A rededication to change
• A final attempt at the big change
• Final mastery of the problem

Is our hero now in a different place than he was when he began? Most certainly – which of course is likely to lead to a sequel – simply the next big change to come (like – perhaps now it’s time to move on to identity management). But what does all of this mean, and what does it have to do with information security? The truth is, the only truly effective way to implement a strong security program is to embed security into the organizational DNA of your company. This is no small task – some might even say it’s a monumentally difficult one. But then – that’s why you get to be the hero.

If you still think that security is about firewalls and anti-virus programs, then you my friend are still working under the banner of the opening credits (scene 1, act 1). Not only is it time to begin your own hero’s journey, but at the end of that journey you’re likely to become the mentor to a whole new generation of heroes. Because, if you’re doing it right, you are turning every single member of your user constituency into a hero. In turn, you are setting each and every one of them on their own journey; on their own path of transformation from the barely aware to the truly heroic. And so on and so forth, until we are a nation, a world, a universe of security heroes.

Is that too much to ask for? Well, maybe. It does indeed read like a hackneyed Hollywood script to some extent. But if you stop to think about it – to really think about it. Who doesn’t want to be the hero?

Smart SecureIT: Laptop Lockdown for the Roaming Professional

Over the past couple of years laptop computers have continued to lose ground to tablets and a broad range of other mobile devices; but they still play an important role in maximizing the productivity of many. While I rely heavily on my own mobile devices for certain activities, my laptop remains the centerpiece of my business. As a professional security consultant, it’s especially important to me that I protect the sensitive information entrusted to me by my clients. In fact, my clients often ask what types of steps I take to ensure that my laptop and data storage systems are ‘secure’.

This article is intended to outline a few options for locking down a laptop computer – primarily targeted at other solitary professionals who are responsible for protecting sensitive data. I say solitary, because if you are part of a larger organization, many of these issues may (or may not) be addressed for you already. These steps can also be taken by any security-conscious individual who just wants to keep from being a victim.

Let me first start by saying that a LOT of this is about personal preferences. There are a TON of options for how you might go about setting up a laptop. Many security professionals I know prefer to run Linux or Unix based operating systems, while others tend to prefer a Windows-based platform. For the purpose of this article I am going to begin from the perspective of a Windows machine; Windows 7 Professional still being my preferred OS for general productivity work. If Windows is your starting point, then hopefully you’ll find some useful information here…

Let’s dive in:

1) Situational Awareness and Physical Security: You can’t start any conversation about laptop security without pointing out the obvious. Laptops are small and easy to steal. They are also easy to unload – so they make sweet targets. Just be smart and you should avoid most physical security problems. If you’re on the road, make sure that you use a computer bag with a shoulder strap – preferably one that would make it difficult for someone to remove your laptop from your person without you noticing. When it’s not being carried, use a lock (there are even ones with alarms built in) or keep it in a safe (or some other secure location). Again, be smart and you’ll be fine in this area.

2) Physical Tracking and Shutdown Services: If you do manage to find yourself in a situation where you have one less laptop than you should have, there are a few great tools on the market that will allow you to track or trace the computer, and/or to prevent it from even being booted. LoJack for Laptops is one example, but I use PCTheftDefense myself (it came with my Sony Vaio). You just set up an account on-line, add a passcode, and off you go. If your laptop is lost or stolen, you can go to the site and shut down the device. If the laptop isn’t used for a few days (it misses its check-ins with the server for too long), you’ll have to enter your passcode to even boot the thing. While this may sound a little annoying, it’s actually a nice feature.

3) Locking Down the BIOS: The BIOS is your friend when it comes to laptop security. There aren’t too many things that you can actually do with it, but the couple of options you have here can make it nearly impossible to use the device (well, unless the BIOS is physically reset that is). Anyway, there are two quick and easy things you’ll want to do. First, enable a strong password for gaining access to the BIOS. After that, make sure your hard drive is the only bootable device. This will make it difficult to start the laptop with a CD or USB drive if it ever falls into the wrong hands.

4) Whole Disk Encryption for the Hard Drive: Now we start to get into the fun stuff. Encryption is a powerful tool when it comes to protecting your sensitive data on a mobile device (including laptops). There are many different options for encrypting data, but if you really start to dig into the Windows operating system, you’ll find that there are many caches and other little hidey-holes that your data can sneak into. It’s just easier, and safer, to encrypt the entire drive. One option here is the free (and awesome) TrueCrypt. Another (and the one I prefer) is PGP full disk encryption. You could also just use BitLocker (if you have the right version of Windows), but I prefer using a third party tool for encryption purposes. If your encrypted drive is removed, it can’t really be accessed.

5) Internet Security Suite: Assuming we’re now in a booted state with Windows up and running, the next thing you want to make sure you have in place is a strong security suite. This is where your anti-virus, anti-spyware, anti-spam, and general anti-bad stuff tools come into play. There are a number of good packages on the market – and you can choose from any one of them. Whatever you choose, make sure you do some reading, fully explore the features, and enable the functions that matter to you. I use BitDefender (and a second suite of tools I will not disclose here), which is a particularly strong security suite, but it’s a little less user friendly than some of the others. And, yes, there can be value in running two different security suites at the same time, but you need to fully understand what you are doing – otherwise you’ll run into a lot of issues.

6) System Maintenance Software: While this doesn’t usually fall under the heading of ‘security’ per se, I consider the use of a good system maintenance tool to be directly tied to good security practices. Again, there are several good options on the market, and some vendors even offer this kind of functionality as a part of their overall security suite. As for me, I use System Mechanic. I prefer to have a tool that is separate from my security suite, as it can perform some useful added functions and provide some redundancy. For instance, you can run a security check that will test if you are open to null session attacks, if you have the right patches installed, etc. There’s also a file shredding tool that you can use to permanently wipe sensitive files when deleting them. You can explore your startup processes and running processes in great detail, etc. Lastly, there’s something to be said for having a fully optimized laptop system.

7) Protecting the Browser: I won’t get into too much detail here, since the features and functions vary from browser to browser. Just be sure to fully explore the security options available to you and turn on the ones that make the most sense. Most browsers will also offer add-ons or plugins that can provide additional security layers. For instance, I tend to use Firefox quite a bit – and I always have the NoScript security tool installed. I also have a protected proxy server running, but that’s a little more of an advanced function. I’ll also call attention to another very interesting option (and one I use when I’m doing investigations or find myself ‘surfing’ in the danger zone). You can use a free virtualization suite (like VMPlayer or VirtualBox) and install an OS inside it that is JUST used for Internet access (Chrome OS, Splashtop, Browser Linux, the options are endless). That way nothing is persisted from your surfing experience – and everything disappears when you terminate the virtual session (without saving it of course).

8) Protecting the Mail Client: Sure Outlook dominates in this space, but Thunderbird is also a strong option. But then of course you could be one of those folks who uses Gmail for everything. My assumption is that you are security-minded though, so let’s also assume that cloud-based e-mail is not your cup of tea. One of the features that should be included in your security suite is an anti-spam, anti-phishing, anti-bad e-mail option. Personally I don’t find the anti-spam features of my security suites to be all that useful, so I also use SpamAssassin on my mail server and SpamBayes on my mail client. Plus my proxy server also does some filtering work on my behalf. But also be sure to consider the features and functions built into your mail program itself – like disabling images from being shown, viewing header details, etc. And, as with the browser options, there are also a number of security-based add-ons available for most mail clients. Do your research and see what’s available for your own needs. As a side note – PLEASE USE SSL for connecting to your mail server. Don’t toss your mail credentials and messages into the void by using open, cleartext mail services.

9) Protecting IM and Social Media Platforms: This topic gets a little stickier because it covers so much ground. As with anything else in the security realm, being smart will help you avoid 90% of the problems out there. Note that there are encryption options (both embedded and via third party tools) that are available for a number of IM chat clients. There are also scanning services that can be provided by your security suite to prevent you from clicking on malicious embedded links, or opening files that are shared with you through these types of channels. Overall, just do your research and look at which IM services and which social media platforms you actually use. Then decide which tools will meet your needs. The goal here is to keep yourself protected from accidental information disclosure, and from malicious code (viruses, spyware, etc.).

10) Protecting Your Passwords: These days we have a TON of passwords we have to remember (at least you should have a ton of passwords if you are doing security correctly). The problem is – how do you keep all of those passwords straight? Especially if you are adding the level of complexity you should be (at least 8 characters with upper and lower case, numbers, special characters, etc.; or better yet an actual passphrase that is a bit longer and uses some of the same character types). Anyway, you’ll likely need to store these passwords somewhere. No, adding them to an Excel spreadsheet is NOT a good option. Instead, look into using one of the many encrypted password storage tools that are available. My favorite is Password Safe. Tools like this not only allow you to keep your passwords together in a secure location, they also offer features like copying and pasting (then clearing the clipboard) so you can punch your credentials directly into web pages, applications, etc. with just a few clicks of the mouse.

11) Going Deeper with Encryption: We already discussed full disk encryption; we’ve also discussed e-mail protection. Now I want to discuss encryption in terms of e-mail, and in terms of creating ‘encrypted volumes’. PGP is my go-to of choice here. You can install the OpenPGP solution, or you can buy the Symantec suite, but either way, PGP encryption is a veritable must for secure communications. As for encrypted volumes, this is a handy way of dealing with USB storage devices. Instead of just putting your data on the device, you can create a secure volume that you mount and unmount as needed (using a passphrase or a key). My recommendation is to combine these two functions – by removing your private keys from your laptop and storing them on an encrypted volume that is protected by a passphrase. Your private key is indeed the ‘key to the kingdom’ and should be protected from loss or harm. You can use encrypted volumes in a number of other creative ways – basically anytime you need to protect a particular subset of data with stronger controls (like if you were to store sensitive data to a cloud server or a network accessible storage device for instance).

12) Dealing with Remote Access: If you have certain files you like to have access to in a place other than your laptop, then you may need to get access to those files while you are on the road. My ‘for instance’ here is if you have a remote desktop on your home network that’s attached to a network access server. You might get better fail-safe data redundancy this way and it may be quite appealing. Don’t make the mistake of opening up your firewall to get access though. Use a VPN service instead. Whether you are using a wireless router that can support VPN connections, or you have a full-blown firewall in place, using an IPSec VPN, or using the OpenVPN client is definitely the better and far more secure option. Just be sure to have a strong passphrase and use a client-side certificate in order to access the VPN. You can also do some pretty cool things with a service like DynDNS if you are connecting to a home network that gets its IP address from an external DHCP server. This is obviously a more complex topic, so do your research to learn more.

13) Going Virtual for the ‘Real’ Work: This topic is far more relevant to security professionals and other IT folks, but the basic power of virtualization should NOT be overlooked, especially on a laptop. Granted, you need enough memory (at least 8 GB realistically) in order to fully leverage this option, but it’s worth it. I use VMPlayer in order to run a number of virtual systems on my laptop, especially when I am involved in penetration testing or forensic discovery work. Yes, you have the option of dual booting or running your laptop with an alternate, non-persistent OS image, but I prefer to continue running my Windows system, and use things like Kali Linux (which used to be BackTrack) to do my testing on. It’s also nice to pit different virtual machines against one another so you can do training or perform validation testing. If you want to get REALLY crazy, you can even start nesting virtual systems (like running ESXi on VMPlayer with vMotion to move and test copies of production systems).

14) Of course, you can’t forget the basics. Things like setting automatic updates on your operating system, keeping your applications up to date (especially applications from Adobe), scanning downloads for malicious code and validating them using hash values, only installing the software you actually need, and so on and so forth. At this point though, we’ve gone WAY beyond the basics of laptop security and are now deep in the realm of good systems management.
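As an added example for the “validate downloads using hash values” step (this is not code from the original article), here is a small Python checker for the common `sha256sum`-style manifest format; the file names, contents and the manifest itself are constructed for the demonstration, and the stale-digest and bad-length entries show the failure modes a manual comparison tends to miss:

```python
"""Verify downloaded files against a published checksum manifest.

Added example; not code from the original article. Assumes the common
`sha256sum`-style manifest format ("<hexdigest>  <filename>" per line).
All file names and contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

# Accepted digest lengths (hex characters) and the algorithm each implies
_ALGOS = {64: "sha256", 128: "sha512", 40: "sha1"}


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Skips blank lines and comments and accepts the optional "*" binary
    marker some tools put in front of the file name ("<hex> *file.zip").
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore it rather than guess
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large downloads do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, expected_hex):
    """Return (ok, reason); never raises on a bad manifest entry."""
    expected_hex = expected_hex.strip().lower()
    algo = _ALGOS.get(len(expected_hex))
    if algo is None:
        return False, "unrecognised digest length %d" % len(expected_hex)
    if not os.path.isfile(path):
        return False, "file not found"
    actual = file_digest(path, algo)
    # compare_digest avoids leaking how many leading characters matched
    if hmac.compare_digest(actual, expected_hex):
        return True, algo
    return False, "%s mismatch: expected %s, got %s" % (algo, expected_hex, actual)


def verify_manifest(manifest_text, directory):
    """Verify every manifest entry; returns {filename: (ok, reason)}."""
    return {
        name: verify(os.path.join(directory, name), digest)
        for name, digest in parse_manifest(manifest_text).items()
    }


def demo():
    """Build a constructed download directory and check it; returns results."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "tool-1.0.zip")
    with open(good, "wb") as f:
        f.write(b"constructed download contents\n")
    tampered = os.path.join(tmp, "tool-1.0-patched.zip")
    with open(tampered, "wb") as f:
        f.write(b"constructed download contents, modified\n")
    good_digest = file_digest(good, "sha256")
    manifest = (
        "# constructed manifest\n"
        + good_digest + "  tool-1.0.zip\n"
        + good_digest + " *tool-1.0-patched.zip\n"  # stale digest: file changed
        + "deadbeef  missing.zip\n"                  # not a valid digest length
    )
    return verify_manifest(manifest, tmp)


if __name__ == "__main__":
    for name, (ok, reason) in sorted(demo().items()):
        print("%-22s %s %s" % (name, "OK " if ok else "BAD", reason))
```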

There are, of course, other steps that you can take and other things you can do, but this list covers most of the basics, and most of the more advanced situations you might encounter. I’ll also clearly state that none of these steps is entirely foolproof, or 100% effective. In fact, there’s a way around pretty much every single one of these controls if the person who gets a hold of your laptop is particularly knowledgeable. The goal however is to create layers of security that dissuade, deter, and even misdirect would-be villains – hopefully long enough for you to recover your lost or stolen property. If not though, these steps will indeed make it more difficult for less-gifted thieves to derive much of a benefit from your stolen system.

In the end, the exact steps you take, the tools you use, and the features you set up, are going to be uniquely suited to your own personal needs and preferences. This article is just the beginning.

Good luck…

Looking Forward: The Necessity of Contextual Relevance

The nature of the security game hasn’t changed much over the past 10 to 20 years. Sure, the tools and technologies, and the types of offensive and defensive strategies that are employed have changed, but we’re still challenged in many of the same ways that we’ve always been. We’re still engaging in a losing battle against an invisible enemy while trying to make the best possible use of what little human and financial capital we are granted to defend our information ecosystems; all while trying to advocate for more support, more money, and more people to do the job – despite a perceived lack of ‘tangible’ evidence that the work we do has any actual value.

If you’ve been tasked to take an active role in protecting your organization’s information assets, then you may have already experienced some of this for yourself. To make matters worse, we now live in a mobile, social, cloud-based world, where information exists in a completely untethered state and our existing information ecosystems are incapable of containing it. The complex systems that we work with just continue becoming more complex; as do the social and organizational cultures that influence (and constrain) our efforts to defend them. And, truthfully, no one really has a ‘silver bullet solution’ for how we handle this growing problem.

Rather than figuring out how to shift our current security paradigm, most of us are so busy, and so limited in the availability of finite resources, that we reach for the ‘easy’ answers, the ‘low-hanging fruit’; thinking that any action is better than no action. It’s not uncommon to turn towards the next latest and greatest technical security ‘solution’ offered by a favored vendor; especially when you consider the types of ‘promises’ being made. While the technologies required to limit the likelihood, breadth, and depth of a potential security incident are indeed essential to a holistic information security program; there are limits to the protective value that these technical controls can offer.

If it’s clear to us that a technology-centric approach isn’t the answer, then what is? Regulatory compliance certainly hasn’t addressed the issue – nor have any of the ‘best practices’ that are commonly held up as the way security should be done. In some cases, the compliance/best practice mindset so commonly adopted nowadays has actually distracted us from the things that matter most. Caught up in answering the question of “are we compliant?” we forget to ask the question “are we secure?” Even more importantly, we forget to ask the question “does my security program make sense for me?”

With our rampant adoption of commoditized security technologies, increased emphasis on compliance mandates, and continued use of outmoded ‘best practices’, somewhere along the way the importance of *context* has been lost. I’m not sure it’s possible to pinpoint the exact moment that everything began to shift, but more and more organizations these days are taking a ‘one-size-fits-all’ approach to the protection of their information assets; asking “what does everyone else do?” While it may be a fair question, it’s not the right question to be asking. Asking the right questions takes courage – the courage to challenge the status quo, and to focus on what works instead of what’s popular or convenient.

Over the next few months (during our ramp-up to fully operational status in July 2013*), SecureITExperts will be releasing a series of articles and papers on the topic of ‘Contextual Relevance’. The basic premise being that, for information security to function properly, it MUST take into account the unique organizational context that applies in any given situation. This fundamental concept is so crucial to the underlying fabric of a successful security program that it pervades all aspects of the security function. While this isn’t necessarily a revolutionary idea – it’s most certainly an idea that’s received less attention than it should of late.

Amongst our many planned releases, we’ll be including detailed descriptions of how to incorporate contextual relevance into:
• Establishing the risk appetite of an organization
• Redefining how we measure and manage risks
• Building an overarching control framework
• Developing meaningful security policies
• Creating awareness and training plans
• Selecting appropriate technologies
• Dealing with incident response
• …and much more.

So be on the lookout for our first formal release later this month – and enjoy.

Thank you for your time and attention.

*Note: SecureITExperts remains under the legal limitations of a signed non-solicitation, non-compete agreement that will be expiring at the end of June 2013. These legal limitations prevent us from working with certain clients in the Washington, Oregon, and California regions. Please feel free to contact us at 425.877.0919 or e-mail us at if you are interested in our services, but are unsure as to whether or not you might fall under the conditions of our current legal constraints.