Drafting Policies for Fun

Not many people think writing policy is fun. Or procedures. Or standards. Or any documentation, really. But policy and documentation can be fun, and more importantly, if done well, contributes directly to the security and safety of the organization, so it’s worth spending time on.

OK, but how can it possibly be fun? Because when you understand what you’re building, how it is like a set of block like toys that click together to create a structure capable of supporting an entire company, then it’s more like a puzzle. And if you don’t like puzzles, anything around the legal industry is probably not for you, and you should get someone else to do it for you. Like Liticode *cough*.

Policy, and all documentation, really, is a support structure. And just like any support structure, requires engineering. Wordsmithing, not metalsmithing, but still, craft that requires study. If you throw something together without adequate understanding and skill, you end up with more problems than before you made the policy. Like a bad bridge, it will collapse at the worst possible time, probably taking careers with it.

A more visually correct representation is a house of cards, because we’re dealing with documents, and most of them are flimsy things that collapse under the faintest pressure.  But we’re going to fix that problem by building using better cards.  Cards made of reinforced concrete and steel, architected not cobbled together.

Policy is the roof. Why not the foundation? Because policy is the first line of defense. It’s what takes the first hits when you’re under attack by hostile lawyers or other nefarious entities, including your own personnel who just want to do things differently. Policy is the shield from stuff falling on the business.

The walls are the procedures and standards that support the policy. Can’t have a policy without process and standards, or it’s a useless policy. For example, if you have a policy that says no personal use of company assets, but you don’t have a process to detect it, or a standard of configuration for the business computers being used, your policy is going to be impossible to support.

So what’s the foundation? That is your charters, bylaws, explanatory documentation, authorities, and anything else that doesn’t count as part of the super structure.  A simplistic example is the criminal laws against theft.  They aren’t part of your policy or your procedures, but they provide the cause that your HR termination policy uses to support a dismissal.  You rely on them, just like you rely on manufacturer’s documentation, government standards, industry standards, and job descriptions, to direct the business.

So, just like building a complex house of cards, your policy in one area might be the foundation in another layer. The procedures of one layer are the foundation of another. The point to internalize being that all these documents are a) tangible, meaning they exist and you can put your hands on them to produce in court, and b) fit together like a puzzle, reinforcing and supporting each other, so that removing one piece in the bottom layer doesn’t cause the entire thing to collapse.  That last part is important.  They interlock and reinforce each other.

Which brings up the other fun part of the policy game. Who has ever performed a red team analysis of policy? Nobody, other than Liticode. We’re the only company that will look at your documentation and game it with our legal teams and provide you a risk analysis of your policy structure and documentation. And that’s just as important as your penetration testing of your network. The evil hackers might get your database, but the lawsuits that come after are what’s going to destroy the company and careers. We help you prepare with our policy analysis, but we want you first and foremost to have people that grasp the concept of the policy structure and how it is critical to your corporate defense.  Defense in depth includes the legal activities side.  Most (all?) risk assessments simplistically check off boxes indicating policy is present, but don’t evaluate the content.  That will get you blindsided, and we can help avoid that.

So enjoy building policy. Call us if you’re short handed or want an additional set of eyes. Call us later if you want to test it and see if you have any unexplored risks in your structure. Our staff has the skill and experience to turn your house of cards into a fortress.

Security, Cycles, and Management

Organizations frequently have some sort of cyclical systems improvement program in place, yet when we assist with incident response,  we routinely see gaps where different departments have isolated some or all of their systems from the overall picture.

Big picture thinking and management is difficult, so it is easy for these lapses in judgement to creep in. But without a unified systems view of the organization, it is impossible to properly manage risk, and at some point that will create a problem. For example, the IT department may have air-tight policy and practices, but if HR is letting the business hire criminals, those policies won’t matter.

Every department and all business aspects are tied together. The business is a unit, it is not silo’s of independent compliance. That’s why we have the “unified scorecard” approach.  So when we see compliance programs that assign responsibility downward, we know where to start looking for gaps. All the process improvement in the world won’t help if you don’t have a unified model and consistent performance across the business. We like to engage with clients and help them knit together a unified program so that they are better protected and fully risk aware. Nobody wants to find a blind spot hiding in plain site. Our development of management models to provide this unified front is what helps our clients avoid surprises, so they can go about their business without needing our incident response services.

Cycles, frameworks, metrics, scorecards, visibility.  These are things that keep an organization healthy and incident free.  No matter which approach you take, make sure its unified.

If you want to stop having unmitigated incidents, call us for a free evaluation.  We want to help your business be incident free.

Congratulations

to the big man himself for passing the HCISSP exam on the first try! Liticode considers the HCISSP a necessary standard for working on HIPAA and hospital security and litigation consulting. No cert is too much of a reach for our valued clients.

Oh, You Noticed, Did You?

Recently we received a notice from our one ISP that one of our machines might be infected, and please clean it up or we’d be shut down. Well, we explained the situation to them, and it’s good to know someone’s watching our traffic (It’s 1984?), but we’ve been doing this for nearly six years from this location. And they only just now noticed? We’ve run huge attacks against large customers, it’s our business after all, for six years, and they only just now noticed we “might” have an infected computer? Sort of makes you wonder. What about all the other domains we traverse, like Sprint and AT&T? Are they going to start sending us hate mail? What happens if they start dumping the packets? We’ll have to find another ISP, I suppose, but eventually, if things went that way, the core would be filtering as well, and nothing would work. We’d practically be out of business. Ironically, the bad guys wouldn’t. Because the bad guys would just invent new ways to circumvent the security. Which would let us stay in business as well; we’d just need a new toolset. So if nothing’s going to really change, can we establish right now that filtering anything is a really bad idea, except during attacks? Because all it’s going to do is raise the price tags on security. You have to pay for the filters, you have to pay for the new security to counter the new threats. While standing still doesn’t prevent new threats from becoming a reality, it does allow us lots of ways of tracking people. They may have a new attack, but they probed on high ports first, which might let us locate them. Or at least shut them off from here. But don’t restrict traffic in the middle. It’s like putting a stop sign in the middle of the Atlantic. All you do is make shipping more expensive and annoy some little fish. So keep it open. Please.

Social Networking Risks

“I don’t post anything important on Facebook/Twitter/Myspace/Linkedin,” is what people say when warned about the various social networking sites (SNS). Good, but that unimportant stuff can cause trouble as well. Here’s what you should know, and how to deal with it.

Playing games and accepting friend requests from strangers allows the other party to see your stuff, even if you go in afterword and change their access level, the SNS may allow complete access initially. Even if it doesn’t, and this is true with games, ads, polls or anything else, it will allow them to run code on your PC. The SNS is always trying to secure these things better, but they are always behind the curve. Using the “fun” features of the SNS puts your computer and privacy at risk.

But don’t just be worried about your computer and your privacy, hackers are keenly interested in what is contained in the profiles of employees. If they can obtain information from employees on SNS’s, they can use the info to build attack profiles and make laser accurate attacks on their work systems. Making it worse, once they have access to your SNS profile, they can message all your friends and make it appear you are recommending they use the application that will then compromise their account.

There is only one way to avoid being a target, and that is to not play the games, not answer the polls, and not click on the links. Which makes SNS boring and useless. If you still feel the need to use SNS sites, do your security a favor: only access these sites from a safe computer, and never access your bank account from the computer you use for SNS. Using a boot CD, like Slax, lets you keep a single PC for both safe and unsafe activities. It’s a hassle, but it’s better than finding all your bank accounts empty.

3G Wireless Security Failure

A wireless vendor (who shall remain nameless) is selling its 3G cards to corporate networks as a secure means of remote communication. There’s only one problem with it; anyone that picks up one of these cards, pre-configured for accessing the corporate network by the vendor, can just plug it in and reach out and touch the corporate network. Not to mention being able to browse the Internet and use DNS and other things; more later.

We do need to download the software first, and it does ask for a phone number to do so. Fortunately, any phone number will work, and if they fix it so only their numbers work (impossible given number portability) then you would just need a network phone number. “Hey, Fred, you use vendor for your cell service?” Boom!

Once the software is downloaded and installed, it asks for the device phone number. Which it auto-populates for you by pulling the number off the device. Brilliant. We don’t even have to query the card to obtain the phone number.

Linking to the net is accomplished with the press of a button. Now here, the vendor has limited what protocols and destinations are acceptable, so when we fire up a browser, it fails everywhere you look. Or does it. What actually happens is it hangs. It doesn’t time out, and a look at netstat reveals that we are getting DNS information, and we are initiating connections. Checking DNS directly clearly indicates not everything is locked down tight, if at all. The vendor has put us in a tunnel of some type, so some stuff works, some stuff doesn’t. https also fails. A quick trip to Google revealed an http site on non-standard port 81, which worked fine, so we know we can pass http, just not on 80. The only thing we know for sure is that port 80/443 is not getting us where we want to go, but it seems everything else is.

A quick peek with Nessus (if they’d been using Counteract, that would have failed) reveals Microsoft destinations. From there, its a matter of using hydra and getting onto an M$ resource, at which point the network is an open book.

All from a single lost vendor 3g card.

Several layered security mechanisms would have prevented this, not the least is some form of authentication at the vendor border. From there, we could have been stopped with a certificate check, a Forescout detection and prevention, and worst of all, no free passing of any protocols without authentication to a valid VPN. Boom!

To be perfectly frank, if the vendor or the corporation is alerted quickly to the loss of a card, this is a very low probability attack. But if a corporation is targeted, its much more likely to succeed. Your risk may vary. If alerting is a non-priority, as it is in many places, this is a serious problem. Once inside, hostile forces will plant the seeds that give them continuous access without the 3g card.

Play it safe, make sure your 3g cards are secure. Use layers to compensate for any single security failure. And most important, validate your assumptions when told something is “secure”.

Digital Trust
www.digitaltrustllc.com

This blog and it’s contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any republication or reuse is forbidden if the Digital Trust name is removed.

Hiring Security People: Insurance

Our (Digital Trust) quest for errors and omissions insurance has led me to discover that many of the people I’ve worked with in the past, or hired for penetration testing services, did not have adequate insurance. Given the current climate of massive compromises by hackers, it seems more obvious now that some E&O insurance for professional is a requirement, not an option. So make sure when you’re hiring security assessors who are going to have access to your network, or draft documents concerning your network security, that they have acceptable levels of E&O insurance.

Because documents detailing your security holes, or worse, data discovered during testing, like passwords, will be wandering around on someone else’s laptop, or shooting across the Internet. If those security folks make a mistake, it could cost your company big time. If you can’t get compensation out of the security company, your company eats all the expense, and your insurance company drops you. Nobody needs that. So check that your business associates are insured, before you need to rely on it.

Digital Trust
www.digitaltrustllc.com

This blog and it’s contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any public republication or reuse is forbidden if the Digital Trust name is removed.

Insurance & Business Continuity

Insurance is not covering everything you think it is. You should be worried by that statement. Very worried. Most insurance policies have an exception clause specifically exempting War and other items, specifically, war, invasion, acts of foreign enemies, hostilities whether war declared or not, civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority.

What a mouthful.

And in terms of cyber attacks, it means the insurance company doesn’t have to pay you if someone hacks your computers and steals all your data. An act that can cost you your entire business. Cyber attacks can be classed as terrorist activities with little or no effort, and many originate on foreign soil.

For a thorough account of how serious this can be for businesses and individuals, check out this blog entry.

So if your policy excludes any of the above, you need to do one of two things: 1) find a better insurer, or 2) make sure you are prepared for the possibility of having to defend your company against whatever lawsuits you may be at risk for from a computer hacking activity. Your best insurance is due diligence to security needs.

Digital Trust
www.digitaltrustllc.com

This blog and it’s contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any public republication or reuse is forbidden if the Digital Trust name is removed.

Antivirus Standards NOW

For 20 years we’ve had antivirus PC products, and for 20 years we’ve had no standard for comparison. A number of independent labs have tried, but nobody has established a gold standard.

The time for guessing is well past. We need a clinical, scientific gold standard, and we need it now.

The performance criteria can be documented, and the testing suite can be public. A small lab could perform the testing, setting the stage for better PC protection, and honest competition.

A transparent funding model can be used to guarantee honest reporting. AV vendors contribute a flat fee, they get tested. If they don’t contribute, they don’t get tested. This will encourage substandard vendors to either improve and be included, or stop selling AV.

No more wondering if one vendor is better, now you’ll be able to know.

Who out there can establish such a program? Find funding? Generate continuous, consistent results? Anybody?

Digital Trust

Walmart.com and COPPA

The Child Online Privacy and Protection Act is meant to protect children 13 and younger, who use the web, from providing too much information. Walmart uses it in one case to filter email customer service queries. They ask for the user’s birth year, and clearly indicate that the number won’t be retained or used in any way, which is nice, but why ask at all?

The primary question they are trying to answer is, is this user 14 or older? The way they ask it, implies they not be correctly addressing the law. Are they using 13 1/2 year olds data, in violation of the law, or are they failing to collect 14 1/2 year olds data? If the number can’t be accurately used, why use it at all? Why not simply ask the user if they are 14 or older, unless they really are hanging onto that date and using it for something else, which is not indicated in their disclaimer.

Hopefully, if your company is dealing with COPPA, you’re not doing it like Walmart.