Drafting Policies for Fun

Not many people think writing policy is fun. Or procedures. Or standards. Or any documentation, really. But policy and documentation can be fun, and more importantly, if done well, they contribute directly to the security and safety of the organization, so it’s worth spending time on.

OK, but how can it possibly be fun? Because when you understand what you’re building, how it is like a set of block-like toys that click together to create a structure capable of supporting an entire company, then it’s more like a puzzle. And if you don’t like puzzles, anything around the legal industry is probably not for you, and you should get someone else to do it for you. Like Liticode *cough*.

Policy, and all documentation, really, is a support structure. And just like any support structure, it requires engineering. Wordsmithing, not metalsmithing, but still, a craft that requires study. If you throw something together without adequate understanding and skill, you end up with more problems than before you made the policy. Like a bad bridge, it will collapse at the worst possible time, probably taking careers with it.

A more visually correct representation is a house of cards, because we’re dealing with documents, and most of them are flimsy things that collapse under the faintest pressure. But we’re going to fix that problem by building with better cards. Cards made of reinforced concrete and steel, architected, not cobbled together.

Policy is the roof. Why not the foundation? Because policy is the first line of defense. It’s what takes the first hits when you’re under attack by hostile lawyers or other nefarious entities, including your own personnel who just want to do things differently. Policy is the shield from stuff falling on the business.

The walls are the procedures and standards that support the policy. Can’t have a policy without process and standards, or it’s a useless policy. For example, if you have a policy that says no personal use of company assets, but you don’t have a process to detect it, or a standard of configuration for the business computers being used, your policy is going to be impossible to support.

So what’s the foundation? That is your charters, bylaws, explanatory documentation, authorities, and anything else that doesn’t count as part of the superstructure. A simplistic example is the criminal laws against theft. They aren’t part of your policy or your procedures, but they provide the cause that your HR termination policy uses to support a dismissal. You rely on them, just like you rely on manufacturers’ documentation, government standards, industry standards, and job descriptions, to direct the business.

So, just like building a complex house of cards, your policy in one area might be the foundation in another layer. The procedures of one layer are the foundation of another. The point to internalize is that all these documents are a) tangible, meaning they exist and you can put your hands on them to produce in court, and b) fit together like a puzzle, reinforcing and supporting each other, so that removing one piece in the bottom layer doesn’t cause the entire thing to collapse. That last part is important. They interlock and reinforce each other.

Which brings up the other fun part of the policy game. Who has ever performed a red team analysis of policy? Nobody, other than Liticode. We’re the only company that will look at your documentation and game it with our legal teams and provide you a risk analysis of your policy structure and documentation. And that’s just as important as your penetration testing of your network. The evil hackers might get your database, but the lawsuits that come after are what’s going to destroy the company and careers. We help you prepare with our policy analysis, but we want you first and foremost to have people that grasp the concept of the policy structure and how it is critical to your corporate defense. Defense in depth includes the legal activities side. Most (all?) risk assessments simplistically check off boxes indicating policy is present, but don’t evaluate the content. That will get you blindsided, and we can help avoid that.

So enjoy building policy. Call us if you’re short-handed or want an additional set of eyes. Call us later if you want to test it and see if you have any unexplored risks in your structure. Our staff has the skill and experience to turn your house of cards into a fortress.

Security, Cycles, and Management

Organizations frequently have some sort of cyclical systems improvement program in place, yet when we assist with incident response, we routinely see gaps where different departments have isolated some or all of their systems from the overall picture.

Big picture thinking and management is difficult, so it is easy for these lapses in judgement to creep in. But without a unified systems view of the organization, it is impossible to properly manage risk, and at some point that will create a problem. For example, the IT department may have air-tight policy and practices, but if HR is letting the business hire criminals, those policies won’t matter.

Every department and all business aspects are tied together. The business is a unit, not silos of independent compliance. That’s why we have the “unified scorecard” approach. So when we see compliance programs that assign responsibility downward, we know where to start looking for gaps. All the process improvement in the world won’t help if you don’t have a unified model and consistent performance across the business. We like to engage with clients and help them knit together a unified program so that they are better protected and fully risk aware. Nobody wants to find a blind spot hiding in plain sight. Our development of management models to provide this unified front is what helps our clients avoid surprises, so they can go about their business without needing our incident response services.

Cycles, frameworks, metrics, scorecards, visibility. These are things that keep an organization healthy and incident free. No matter which approach you take, make sure it’s unified.

If you want to stop having unmitigated incidents, call us for a free evaluation. We want to help your business be incident free.

Congratulations

to the big man himself for passing the HCISSP exam on the first try! Liticode considers the HCISSP a necessary standard for working on HIPAA and hospital security and litigation consulting. No cert is too much of a reach for our valued clients.

Oh, You Noticed, Did You?

Recently we received a notice from our one ISP that one of our machines might be infected, and please clean it up or we’d be shut down. Well, we explained the situation to them, and it’s good to know someone’s watching our traffic (It’s 1984?), but we’ve been doing this for nearly six years from this location. And they only just now noticed? We’ve run huge attacks against large customers, it’s our business after all, for six years, and they only just now noticed we “might” have an infected computer? Sort of makes you wonder. What about all the other domains we traverse, like Sprint and AT&T? Are they going to start sending us hate mail? What happens if they start dumping the packets?

We’ll have to find another ISP, I suppose, but eventually, if things went that way, the core would be filtering as well, and nothing would work. We’d practically be out of business. Ironically, the bad guys wouldn’t. Because the bad guys would just invent new ways to circumvent the security. Which would let us stay in business as well; we’d just need a new toolset. So if nothing’s going to really change, can we establish right now that filtering anything is a really bad idea, except during attacks? Because all it’s going to do is raise the price tags on security. You have to pay for the filters, you have to pay for the new security to counter the new threats.

While standing still doesn’t prevent new threats from becoming a reality, it does allow us lots of ways of tracking people. They may have a new attack, but they probed on high ports first, which might let us locate them. Or at least shut them off from here. But don’t restrict traffic in the middle. It’s like putting a stop sign in the middle of the Atlantic. All you do is make shipping more expensive and annoy some little fish. So keep it open. Please.

Digital Camera Evidence Problems

Recently, an article in Evidence Magazine discussed how hot and cold pixels in a camera can be used to fingerprint images from that camera, and thereby convict a suspect based on pictures and camera equipment, one or more of which is found in the suspect’s possession.

This is a clear indicator of why the defense needs quality representation and expert witnesses; state-appointed attorneys may miss crucial arguments without proper expert representation.

The article makes it seem quite easy to match camera to image, but it omits a couple of possibilities that drastically complicate the process and likelihood of conviction. Here are two additional complications that can ruin a case, and there are likely more; each situation is unique.

First, are the criminal images captured compressed or uncompressed? While uncompressed images are used for validating the hot and cold pixel fingerprint of the camera, they can only be matched to illegal images that are likewise uncompressed, or mathematically validated if compressed. Video cameras are likely to use compression to store the images, and photographs are frequently taken using image compression or scene magnification, any of which must be accounted for when eliminating possible errors in verification of the images and camera.

Worse, the author expresses probability of error in terms that appear astronomical, using math to paint a rosy picture of probability that fails to account for additional possibilities that must be taken into account before convicting based on pixel fingerprint evidence.

An example of such an assumption is that those pixels are unique to that camera, when in fact hot or cold pixels can be endemic to the entire product line of cameras or image sensors. Two ways manufacturing can spoil the odds are by introducing defects to the image sensors when they are being mounted in the camera, or by damaging the sensors during manufacturing of the silicon wafers.

If a production line introduced hot or cold pixels, before going to trial we need to know what the manufacturer’s criteria are for acceptable bad pixels, and we need to know the production statistics. In the example given, any or all of the four hot pixels could have been present since the camera was made, which skews the probability projection. If all four were manufacturer’s defects, or cannot be shown not to be manufacturer’s defects, the fingerprinting process proves nothing, not even the camera family, as imaging chips could be used in multiple camera lines.

Other factors such as the number of cameras in the geographic area complicate or simplify fingerprinting pixels for matching. For instance, if the pictures and camera are found on the person in the Outback, miles from anyone else, the probability of responsibility rises to near positive assumption. But a common camera taken in New York may mean an uphill battle to reach a probability acceptable to a jury.

Improper representation of evidence leads to false convictions of innocent people. Make sure you do it 100% right, and examine any argument using statistics and probability closely to locate additional factors not taken into account.

Digital Trust
www.digitaltrustllc.com

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided the Digital Trust name, URL, and this paragraph are included. Counsel, do not list without contract.

Best Password Trick Ever!

You want a strong password, but every time you change it to something like “2rIght4*deb8” you end up spending an extra five minutes every time you have to log in, and you manage to lock out your account at least once, while getting comfortable with the new password.

Your troubles are over.

With the new Digital Trust password management idea, you’ll have great passwords that are easy to remember AND help you improve yourself at the same time.

What a deal!

Instead of tired old password tricks, like “Blbackack” or “1der-tpactiv8!” you are going to use an affirmation. Unless you don’t like affirmations, in which case, try aphorisms instead.

Pick an affirmation, like “I will have rock-solid abs.” and set your password to that. Yes, you can use blank spaces. Most people end up with mediocre passwords just trying to get past 8 characters, but with this, you can routinely have 16+ characters with complex special characters, and it’s so easy!

So give it a try, and if you like it, pass on the advice.

“Today, I will make the Internet a safer place for users, everywhere.”

Digital Trust

ING Sharebuilder Goes to Weaker Password Policy

ING Sharebuilder has elected not to allow customers to create passwords with special characters. Formerly, it was possible to use special characters, and if your password had special characters before they changed the policy, it still works under the new policy, but no new passwords are allowed to have special characters.

Curious, that a financial company that is exclusively web based would choose a standard lower than a previous choice. It’s not as if they ever required customers to use special characters, but they had the option. Now they don’t.

ING, step up to the security plate and bring back special characters. It just doesn’t feel as safe as it did before.

Update 8/4: A response to this question from ING simply spun the request back on its head, saying “We know our new password requirements may be an inconvenience, but we believe your personal data is safer as a result.” Well, it’s not safer, it’s less safe. Further, they pushed a software package called Trusteer, free, as an additional way of securing transactions. You can find out more about Trusteer here.

Brian@DT
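The affirmation trick above and the ING Sharebuilder complaint are two sides of the same point: spaces and punctuation count as special characters, and length is what actually makes the passphrase strong, so a policy that bans specials blocks exactly the passwords this blog recommends. The following is an added example written for this page (not Digital Trust's or ING's code): a small policy checker that runs the affirmation and the "tricky" password from the post through two constructed policies, one that rejects special characters and one built for long passphrases. The policy parameters are assumptions; ING's actual rules are not on the page beyond "no special characters".

```python
"""Password-policy checker comparing an affirmation-style passphrase with a
short 'tricky' password under two constructed policies."""
from dataclasses import dataclass
from math import log2
import string


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    allow_special: bool    # punctuation and spaces permitted?
    required_classes: int  # how many of lower/upper/digit/special must appear


def char_classes(password: str) -> set:
    """Character classes present; anything that is not a letter or digit
    (including a space) counts as special."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check(policy: PasswordPolicy, password: str) -> tuple:
    """Return (accepted, reason) for `password` under `policy`."""
    if len(password) < policy.min_length:
        return False, f"shorter than {policy.min_length} characters"
    classes = char_classes(password)
    if "special" in classes and not policy.allow_special:
        return False, "special characters (including spaces) not permitted"
    if len(classes) < policy.required_classes:
        return False, f"fewer than {policy.required_classes} character classes"
    return True, "accepted"


def brute_force_bits(password: str) -> float:
    """Rough upper bound on guessing work: log2(alphabet_size ** length), with
    the alphabet being the union of classes actually used. This overstates
    the strength of phrases built from dictionary words, so treat it as a
    ceiling, not a measurement."""
    sizes = {"lower": 26, "upper": 26, "digit": 10,
             "special": len(string.punctuation) + 1}  # +1 for the space
    alphabet = sum(sizes[c] for c in char_classes(password))
    return len(password) * log2(alphabet)


# Constructed policies (assumptions, not ING's published rules). NO_SPECIALS
# rejects special characters; PASSPHRASE is the kind the affirmation trick needs.
NO_SPECIALS = PasswordPolicy("no special characters", 8, False, 2)
PASSPHRASE = PasswordPolicy("long passphrase", 16, True, 3)

AFFIRMATION = "I will have rock-solid abs."   # from the post above
TRICKY = "2rIght4*deb8"                       # from the post above

if __name__ == "__main__":
    for pw in (AFFIRMATION, TRICKY):
        print(f"{pw!r}: ~{brute_force_bits(pw):.0f} bits ceiling")
        for policy in (NO_SPECIALS, PASSPHRASE):
            print("  ", policy.name, "->", check(policy, pw))
```

Under the no-specials policy the affirmation is rejected on its spaces and punctuation alone, while the short tricky password only passes once its `*` is stripped out; under the passphrase policy the affirmation passes and the tricky password fails on length.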

Introduction

Digital Trust, LLC is an information security consulting and activities resource. We can assist with any facet of your security program, from corporate guidance and compliance efforts to system implementation and penetration testing. We can help make your security better.

Contact us at sales@digitaltrustllc.com