<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Trehb101.com - Got Geek? &#187; Information Security</title>
	<atom:link href="http://www.trehb101.com/index.php/tag/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.trehb101.com</link>
	<description>Information Security : Technology : Project Management : Life</description>
	<lastBuildDate>Thu, 31 Mar 2011 22:23:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What we are up against&#8230;</title>
		<link>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/</link>
		<comments>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 22:23:44 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=777</guid>
		<description><![CDATA[There is much ballyhoo on the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment under the law, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened to protect themselves from this threat. I received an e-mail this morning that somehow reminded me of an often overlooked threat and arguably the greatest single source of risk to organizations. ]]></description>
			<content:encoded><![CDATA[<p>There is much ballyhoo on the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment under the law, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened to protect themselves from this threat.<span id="more-777"></span></p>
<p>I received an e-mail this morning that somehow reminded me of an often overlooked threat and arguably the greatest single source of risk to organizations. First off, I need to put the e-mail in context: I perform risk assessments and write security plans documenting the operational risks associated with a particular resource (application, system, infrastructure, facility, vendor, etc.) utilized by the organization. To do my job I need to interview stakeholders and do discovery on the overall posture of the resource. Since this is a large organization, discovery meetings are done via conference calls, and I typically schedule those in advance, requesting stakeholders and subject matter experts to participate.</p>
<p>In one invite that I sent, I received this not-so-polite reply. Again, the organization that I work for has hundreds of thousands of employees, so I don’t know this individual, and all I know about him is that we work for the same company. Anyway, he said (partially edited to remove proprietary/confidential info):</p>
<blockquote><p><em>Why can’t we do this now?  I have a need to use this and am wondering why we even need a security plan as other groups are using this software inside the organization today, without security plans.</em></p></blockquote>
<p>The first statement is really inconsequential, since I scheduled the meeting a few weeks out as a common courtesy to give them time to prepare. By the same token, it made me want to say: “The world doesn’t revolve around you, Sparky. You have commitments, but so do I.”</p>
<p>The second statement is really the focus here. I was tempted to reply with my standard reply to my kids when they are about to do something dumb: “If the other groups jump off a cliff, will you jump, too?” In both cases, I decided not to stoop to that level, to be the better man, and instead gave him a “professorly” reply on the importance of security and risk assessments.</p>
<p>All that said, back to the purpose of this blog entry. That comment reminded me of a particular threat to information security that is sometimes forgotten or ignored: the threat of an insider. When the insider threat does come into the conversation, the discussion points are typically about the bad seeds in the organization, the ones with an ax to grind or the ones that are just malicious. We often ignore those with a higher likelihood of creating a serious vulnerability for the organization because of:</p>
<ul>
<li>Ignorance</li>
<li>Apathy</li>
<li>Self-importance</li>
<li>Complacency</li>
<li>Laziness</li>
<li>Plain stupidity</li>
</ul>
<p>Not knowing this person I mentioned, based on the e-mail alone I essentially pre-qualified him as having three of the six items I mentioned above. The information is not enough to qualify him as complacent, lazy or stupid. But there is a good chance that he is ignorant of the security policies of the organization, not to mention the liabilities and risks it faces for failing to maintain a sound security posture. He is probably apathetic to the overall security requirement, because “really, this application is so small; it can never happen to me.” And finally, he sounded so self-important, because he thinks his need to use the software outweighs the need to first assess the risk the software brings upon the organization.</p>
<p>You may also argue that he is just plain stupid to assume that just because others are getting away with something he should be able to get away with it, too. I would not go that far, but I would not argue with you either ;-).</p>
<p>This is essentially what we are up against as security professionals. Technology, processes, policies and our technical skills can only go so far in ensuring the security of the organization that we are protecting. The weakest link remains the people inside that organization. It behooves us, as security professionals, to go beyond the technical skills and know-how and learn to effectively communicate with and educate our co-workers on the importance of security and on understanding the risks.</p>
<p>Oftentimes security is seen as just a roadblock to progress. As security professionals, we need to learn the politics of the organization, understand its business goals and effectively communicate to stakeholders that security in fact enhances the competitiveness and viability of the organization. By helping educate stakeholders, security professionals can develop partnerships in security that can prove invaluable in ensuring not only that insider threats are mitigated but also that the organization is protected from external threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Management in the Wild Wide Web</title>
		<link>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/#comments</comments>
		<pubDate>Thu, 20 Jan 2011 00:07:50 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[incident management]]></category>
		<category><![CDATA[information security management]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=766</guid>
		<description><![CDATA[Back in 2004, I prefaced a thesis that I wrote back then by stating how our global connectivity has drastically changed the way we live and do business. The technology advances, I noted, particularly the improvement in personal computing, have been so profound that they have revolutionized our culture, education, commerce [...]]]></description>
			<content:encoded><![CDATA[<p>Back in 2004, I prefaced a thesis that I wrote back then by stating how our global connectivity has drastically changed the way we live and do business. The technology advances, I noted, particularly the improvement in personal computing, have been so profound that they have revolutionized our culture, education, commerce and the global economy, opening all of us to new horizons and new opportunities. Because of these advancements, useful data that can make or break a business transaction, or data that can save lives, now travels widely and quickly. We have all become very dependent on technology and the convenience that it provides to all of us.</p>
<p>I then added that the gift of interconnectivity does not come for free: it has opened all of us to threats to our privacy, identity, intellectual property and other confidential information that our society never had to face before.<span id="more-766"></span></p>
<p>That thesis was written when Web 2.0 and social media were still in their infancy. It was before the age of Facebook and the iPhone. The best technology available for remote access to your workplace was an unstable Virtual Private Network (VPN) connection. The cloud computing concept was still pretty much just a concept. And finally, even in the heart of Silicon Valley, I still knew people who had a dial-up connection because neither DSL nor cable Internet was available in their neighborhood. It seems like ages ago. However, those statements still ring true, and I would dare say more profoundly, today than back in the early part of the decade.</p>
<p>Fast forward to the present: my mom just demoed her new Droid-powered smartphone and her video phone to me, and she essentially knows more about Facebook features than I do. It would be quite rare to meet someone who is still using dial-up (unless that person, of course, lives somewhere in the far reaches of the galaxy, or maybe somewhere very remote). On one of my trips from the Bay Area to San Diego, I met someone who works for Google, and she bedazzled me with all the work she can do through the cloud. No VPN, no remote access software, just an Internet connection and the cloud.</p>
<p>Within the past half-decade we have borne witness to the evolution of technology’s usability and also of the tech-savviness of the end user. To paraphrase one of my former instructors, “technology is ready for the mass market once it becomes as easy as making a phone call.” Facebook, the iPhone, the video phone, cloud computing and the like, no matter how complex they are in the back end, have made computing essentially as easy as dialing a telephone.</p>
<p>These innovations, with all the benefits and promise they provide to individuals and businesses, also make the task of ensuring the confidentiality, integrity and availability of information a little more of a doozy than it was in 2004. Social media, the portable mass storage present in outwardly benign devices such as smartphones, USB flash drives, digital cameras and even digital photo frames, and the availability of mass storage (often free) on the web present a clear challenge for businesses trying to ensure the security of the information that they are responsible for.</p>
<p>Technology alone cannot provide the answer to the dilemma brought upon us by these new technologies. Every security professional, and common sense, should attest to the simple fact that there is no silver bullet in information security. To effectively address the ever-evolving threat presented by an ever-changing and extensively complex digital world, businesses of all sizes must be able to adapt and effectively ensure the security of the information within their organization. Smart businesses understand that there is a need to develop an information security management strategy that focuses on the development, delivery, implementation and enforcement of a comprehensive information security program.</p>
<p>Effective information security goes beyond the boundaries of technology solutions. Businesses, and specifically information security managers, face a daunting, yet highly achievable, task of developing, implementing and maintaining an information security program that is both systematic and aligned with the organization’s overall business objectives. This involves an extensive understanding that effective information security management will greatly involve a synergized integration of people, policy, process and technology.</p>
<p>An effective information security management strategy will typically involve understanding and accomplishing key tasks within five key functional areas:</p>
<ul>
<li>Information Security Governance</li>
<li>Risk Management Strategy</li>
<li>Development of Information Security Program</li>
<li>Management of the Information Security Program</li>
<li>Incident Management and Response Strategy</li>
</ul>
<p>Overall, an information security management strategy will need to address the various threats an organization faces with regard to its security posture and how it protects information. In addition to addressing the obvious ones, such as malware or malicious intrusions, it must also concern itself with non-technical threats such as legal liabilities and compliance issues. The organization must develop an information security program that is cost-effective and based on an effective assessment of the risks faced by the organization, and finally it must be able to develop a plan that will ensure an effective response in the event of an incident or a disaster.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT / InfoSec Management through the A.R.M. Framework (no arm twisting necessary)</title>
		<link>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/#comments</comments>
		<pubDate>Mon, 10 Jan 2011 17:22:43 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[ARM Framework]]></category>
		<category><![CDATA[Assess]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Manage]]></category>
		<category><![CDATA[methodologies]]></category>
		<category><![CDATA[Resolve]]></category>
		<category><![CDATA[SMART]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=759</guid>
		<description><![CDATA[There are a multitude of methodologies, frameworks or what-have-you for effectively managing IT and information security. Each of these frameworks has its key strengths and weaknesses. I am of the belief that none really has a significant advantage over the others, as each offers best-practice principles that, if effectively matched with the organization and properly planned, implemented and supported, bring plenty of value to the overall evolution and effectiveness of the organization.]]></description>
			<content:encoded><![CDATA[<p>I will post a more detailed entry on this framework at a later date. A.R.M. stands for Assess-Resolve-Manage. It was a somewhat simplified concept that I put together back in 2004 as part of my MBA thesis on Information Security for Small Businesses. The framework is actually adaptable enough that it can be implemented for effective IT management or any other form of management, for that matter.<span id="more-759"></span></p>
<p>Some of the entries in that document are a little outdated and I am still trying to nudge my lazy self in drafting an updated version.</p>
<p>Below are some of the key points of the framework.</p>
<ul>
<li>Three-factor approach that I believe is important to meeting the <a href="http://www.trehb101.com/index.php/2010/12/28/simple-principles-for-effective-it-management/">50-30-20 principle</a></li>
<li>It is a lifecycle that continually evolves and allows for continued flexibility and adaptability based on the needs of the organization and the willingness of the stakeholders to support the organizational objectives</li>
<li>This is a three-legged stool principle that relies on the effective planning, execution and support of each “leg” to ensure that the stool remains stable and standing</li>
<li>Each leg has underlying milestones or procedures depending upon the scope of the task or project</li>
<li>Assess – it is necessary to do a full assessment and/or analysis of the task, the concept and their requirements. This includes, but is not limited to, project/task feasibility study, analysis of business objectives, needs assessment, risk assessment, gap analysis, cost v. benefit analysis and project scope assessment</li>
<li>Resolve – Once the assessment criteria are addressed and the outcomes are accepted, resolution begins. This includes fully defining the project scope, addressing resource requirements, implementation, testing, configuration and change management.</li>
<li>Manage – Management involves more than simply making sure the program or project works, maintaining it, or delivering it on time, on budget and within specification. To truly provide value to the organization, effective management requires continually looking into improving and streamlining the processes involved. This is addressed via measurable objectives, effective analysis of results and development of benchmarks and metrics. As the process evolves, we continue to go through the ARM principle.</li>
</ul>
<p>There are a multitude of methodologies, frameworks or what-have-you for effectively managing IT and information security. Each of these frameworks has its key strengths and weaknesses. I am of the belief that none really has a significant advantage over the others, as each offers best-practice principles that, if effectively matched with the organization and properly planned, implemented and supported, bring plenty of value to the overall evolution and effectiveness of the organization.</p>
<p>There are, however, three commonalities to each of these methodologies:</p>
<ul>
<li>The need to Assess the issue, problem or requirement and find the right solution</li>
<li>The need to Resolve the problem with the identified solution</li>
<li>The need to Manage or Maintain the solution and adjust accordingly to ensure that the problem remains resolved</li>
</ul>
<p>So within each key leg of ARM (no pun intended), you can insert the applicable steps, processes, practices, controls and procedures as they apply to your specific business, field and/or requirements, and have a continuous process improvement cycle whose goals are essentially pretty S.M.A.R.T. Okay, another acronym, but I did not invent this one. SMART means Specific, Measurable, Achievable, Realistic and Time-framed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bum-A-Post Wednesday: What is internet security?</title>
		<link>http://www.trehb101.com/index.php/2009/11/25/bum-a-post-wednesday-what-is-internet-security/</link>
		<comments>http://www.trehb101.com/index.php/2009/11/25/bum-a-post-wednesday-what-is-internet-security/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 18:33:10 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Bum-A-Post]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[The Internet]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[IT industry]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=188</guid>
		<description><![CDATA[Internet security has always been a top concern for the IT industry, because nowadays a large number of monetary transactions are taking place using the online mechanism. Computer users prefer using online banking services instead of waiting in long queues for their turn. Some enjoy shopping from their home, and others like to invest in shares using the online trading option.]]></description>
			<content:encoded><![CDATA[<div id="PostBox"><strong>By:</strong> Jas Devid | <strong>Posted:</strong> Nov 24th, 2009</div>
<div id="ArtBody">
<p><a title="Internet security" href="http://www.supportdock.com/">Internet security</a> has always been a top concern for the IT industry, because nowadays a large number of monetary transactions are taking place using the online mechanism. Computer users prefer using online banking services instead of waiting in long queues for their turn. Some enjoy shopping from their home, and others like to invest in shares using the online trading option.</p>
<p>Each of these services requires important credentials of the user, which are known only to the user. The online transaction is carried forward after the server authenticates the entered credentials against the credentials stored on the server. When the authentication process is successful, the user can then start the transaction process.<span id="more-188"></span></p>
<p>So, whenever your computer is connected to the internet, there arises the risk of virus infection, identity theft, and so on. Here comes the concept of internet security. The challenge of internet security is to keep the computer user&#8217;s information safe and secure, because cyber criminals are always looking to steal important user credentials.</p>
<p>Basically, internet security is concerned with the protection of the internet accounts and files of computer users from unknown and unauthorized users. It is concerned with three important issues: confidentiality, availability and integrity.</p>
<p>In internet security, confidentiality deals with keeping the information of a user secure and inaccessible to unauthorized users. The concept of integrity deals with keeping the information of the user intact. And availability is concerned with making the information available to the user.</p>
<p>There are various measures used for maintaining internet security, such as the use of <a title="antivirus software" href="http://www.supportdock.com/privacy.html">antivirus software</a>, a good internet security suite, and a firewall.</p>
<p>There are various security software packages available in the market which give computer users complete assurance of privacy and security on the internet. The antivirus companies are offering their internet security software on a trial basis for users to decide which is the best internet security suite to buy. Grisoft offers its AVG software free for trial purposes. McAfee has also introduced a free trial version of its latest internet security software for a limited period. This software will keep your computer safe and protected from various prying eyes over the internet.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p></div>
<div id="AuthorBox"><strong>About the Author:</strong><br />
Jas Devid is a technical and security specialist, associated with numerous tech firms including iYogi. iYogi is synergistically aligned to offer technical support for <a title="PC Recovery" href="http://www.supportdock.com/backup-&amp;-restore.html">PC Recovery</a>, backup solutions, <a title="antivirus support" href="http://www.supportdock.com/privacy.html">antivirus support</a>, registry cleaner, system optimizer and PC optimization to its clients in the US, UK, Australia and Canada through Microsoft-certified technicians.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2009/11/25/bum-a-post-wednesday-what-is-internet-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should have been posted yesterday &#124; Let&#8217;s Read the Geek Mail</title>
		<link>http://www.trehb101.com/index.php/2009/11/20/should-have-been-posted-yesterday-lets-read-the-geek-mail/</link>
		<comments>http://www.trehb101.com/index.php/2009/11/20/should-have-been-posted-yesterday-lets-read-the-geek-mail/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 18:56:19 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Geek Mail]]></category>
		<category><![CDATA[geek mail]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[ROI]]></category>
		<category><![CDATA[small medium size business]]></category>
		<category><![CDATA[smart business]]></category>
		<category><![CDATA[whitepaper]]></category>
		<category><![CDATA[Windows 7 security]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=137</guid>
		<description><![CDATA[I subscribe to a whole bunch of mailing lists that have something to do with Technology, Security and a whole bunch of other stuff that is essentially the overall theme of this blog. Sometimes I get to read some of them, but most of the time they languish in my mailbox as "clutter".]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been playing some catch-up all morning. Yesterday I had a hectic day working on a couple of client requirements. I spent most of the morning today trying to figure out how to install a CAPTCHA feature on one of my sites. If I don&#8217;t get sidetracked or forget, I&#8217;ll talk about this very important feature, especially if you have a site that allows for registration and other stuff.</p>
<p>Yesterday, I wanted to introduce another section of the site that I plan to do every Thursday; I call it &#8220;Geek Mail&#8221;. I subscribe to a whole bunch of mailing lists that have something to do with Technology, Security and a whole bunch of other stuff that is essentially the overall theme of this blog. Sometimes I get to read some of them, but most of the time they languish in my mailbox as &#8220;clutter&#8221;.</p>
<p>So I figured I&#8217;d post some of them here (at least the intro and the link to the actual article; I don&#8217;t wanna get dinged on some weird copyright infringement thingamajig)&#8230; I see this as having three benefits: (1) it&#8217;ll force me to read more, since I&#8217;ll try not to post anything that doesn&#8217;t make any sense to me; (2) hopefully some of you will get some valuable nuggets out of these articles; (3) if the links don&#8217;t get outdated, it&#8217;ll help create my own personal knowledgebase just in case I am researching something, which you can use as well.</p>
<blockquote><p><em><span style="color: #ff0000;"><strong>A quick disclaimer:</strong> </span>Some of the links will require you to subscribe to their newsletter or whatever else they are offering. Please read and use your common sense. I have nothing to do with these people; I am as much of a browser of their sites as you are, and I am not getting paid for any of this stuff (if ever I am paid for anything I write &#8211; you will know). It is for your information, and if you find value in the info, it is your job and your responsibility to take the necessary steps to get and properly use the info.</em></p></blockquote>
<p>So without further ado, Let&#8217;s Read Geek Mail:<span id="more-137"></span></p>
<p><strong>IBM Smart Business — Rewriting the Rules of IT for Small and Medium-Sized Businesses</strong><br />
From the PC to the Internet to every piece of hardware and software in between, technology innovation has been a key factor in helping small and medium-sized businesses in their struggle to provide better customer service, improve efficiencies, respond to competitive threats, efficiently grow their business, and increase the bottom line. IBM® can help. Introducing IBM Smart Business, a new three-in-one solution that makes it easier than ever to find, run, and manage your business applications. Search for applications across multiple suppliers using the Smart Market, run those applications on the Smart Cube, and then manage them with the Smart Desk — all with one single point of contact for troubleshooting support. Read this white paper to learn more. <a href="http://www.itbusinessedge.com/offer.aspx?o=00630361em1113" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.itbusinessedge.com/offer.aspx?o=00630361em1113&amp;referer=');"><strong> CLICK TO DOWNLOAD THE WHITEPAPER</strong></a></p>
<p><strong>Improving Process Flexibility: How to Respond Quickly to Changing Market Demands by Streamlining Processes</strong><br />
Sponsored By:    Oracle Corporation<br />
Midsized organizations are under increased pressure to not only freeze expenditures but to also produce more return than ever from existing assets. Read this whitepaper and learn strategies to improve process flexibility and transparency through centralizing data management. Discover how your firm can:</p>
<ul>
<li>Achieve elevated ROI</li>
<li>Adapt more easily to changing requirements</li>
<li>Identify problems easier and resolve them more quickly</li>
</ul>
<p><a href="http://viewer.media.bitpipe.com/934318651_120/1235580949_955/4_MST_UK_EN_WP_IDG_Improving_Process_Flexibility.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/viewer.media.bitpipe.com/934318651_120/1235580949_955/4_MST_UK_EN_WP_IDG_Improving_Process_Flexibility.pdf?referer=');">Achieve ROI on a tight budget. Learn more.</a></p>
<p><strong>Don Intermission:</strong> I thought I would be able to go through a whole bunch of e-mails, but this next set came from one e-mail and I think it should be enough geekiness for the week. I think it is pretty timely, too, since it deals with Windows 7 Security&#8230; Windows? Security? For some reason every time these two words are put together the next phrase that comes to mind is &#8220;about as many blonde jokes&#8221;&#8230; <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p><strong>Take a look at Windows 7 application control and remote access</strong><br />
by Michael S. Mimoso, Editor &#8211; mmimoso@&#8230;</p>
<p>Have you started looking at the built-in security features in Windows 7? Some of our best security experts and contributors sure have, and they&#8217;ve been pretty eager to share their early insights with SearchMidmarketSecurity.com readers. In case you&#8217;ve missed it, here are some links to the technical content our experts have been filing:</p>
<blockquote><p><strong>How to use Microsoft Windows 7 AppLocker for whitelisting applications</strong><br />
Windows 7 AppLocker is Microsoft&#8217;s latest tool to help organizations block the execution of unwanted applications on endpoints.<br />
<a href="http://go.techtarget.com/r/9950432/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950432/6358329?referer=');">http://go.techtarget.com/r/9950432/6358329</a></p>
<p><strong>How to automate and apply Microsoft Windows 7 AppLocker rules</strong><br />
Microsoft Windows 7 AppLocker enables administrators to automate rules generation, but proceed slowly to get a feel for its whitelisting capabilities.<br />
<a href="http://go.techtarget.com/r/9950433/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950433/6358329?referer=');">http://go.techtarget.com/r/9950433/6358329</a></p>
<p><strong>Understand the pros and cons of Microsoft Windows 7 DirectAccess</strong><br />
The upcoming Windows 7 features Microsoft Windows 7 DirectAccess, a built-in secure remote access capability.<br />
<a href="http://go.techtarget.com/r/9950434/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950434/6358329?referer=');">http://go.techtarget.com/r/9950434/6358329</a></p>
<p><strong>Tradeoffs and advantages of network access control with Microsoft NAP</strong><br />
Microsoft NAP&#8217;s endpoint security policy compliance checks and integration with third-party security products make it an attractive option over traditional network access control solutions.<br />
<a href="http://go.techtarget.com/r/9950435/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950435/6358329?referer=');">http://go.techtarget.com/r/9950435/6358329</a></p>
<p>MORE ON SEARCHMIDMARKETSECURITY.COM:</p>
<p><strong>Get more out of your security event log data</strong><br />
Your network has plenty to say about your organization&#8217;s threat posture. These three tips will help you get the most out of security log management tools.<br />
<a href="http://go.techtarget.com/r/9950436/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950436/6358329?referer=');">http://go.techtarget.com/r/9950436/6358329</a><br />
<strong>How to choose hosted Web security services</strong><br />
Hosted Web security services that analyze Web traffic for malware are an attractive alternative to on-premise Web security gateways.<br />
<a href="http://go.techtarget.com/r/9950437/6358329" target="_blank" onclick="pageTracker._trackPageview('/outgoing/go.techtarget.com/r/9950437/6358329?referer=');">http://go.techtarget.com/r/9950437/6358329</a></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2009/11/20/should-have-been-posted-yesterday-lets-read-the-geek-mail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media: Separating the Personal from the Professional (Part 1)</title>
		<link>http://www.trehb101.com/index.php/2009/11/17/social-media-separating-the-personal-from-the-professional/</link>
		<comments>http://www.trehb101.com/index.php/2009/11/17/social-media-separating-the-personal-from-the-professional/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 19:01:47 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Biz Mgt & Dev]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Internet Marketing]]></category>
		<category><![CDATA[eCommerce / eBiz]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=69</guid>
		<description><![CDATA[Social Media has become a major phenomenon. It has spawned a whole new vocabulary of terms that will perhaps add several more pages into the Oxford (or Merriam-Webster’s) Dictionary. People are tweeting, Facebooking, tagging, liking, sharing, embedding and wall writing. Some are LIONs, some LIONs are also tweeting… And guess what, these Tweeting LIONs can even have their own channel… Imagine that…]]></description>
			<content:encoded><![CDATA[<p>Unless you’ve been living under a rock, have not had access to the Internet, or have been living the life of a hermit (well, you get the point), you would somehow or other have received an invite from a friend, family member, a classmate, a co-worker, an associate, an acquaintance or a complete stranger (hopefully, I covered everything) to join, follow, make friends with, connect with or link with him/her, or check out his profile, photo, video or note in some greatest thing ever that happened in this thingamajig that they call the Internet.</p>
<p>Social Media has become a major phenomenon. It has spawned a whole new vocabulary of terms that will perhaps add several more pages into the Oxford (or Merriam-Webster’s) Dictionary. People are tweeting, Facebooking, tagging, liking, sharing, embedding and wall writing. Some are LIONs, some LIONs are also tweeting… And guess what, these Tweeting LIONs can even have their own channel… Imagine that…<br />
<span id="more-69"></span><br />
<em><strong>(Let’s make this fun let me know of some fun terms you’ve learned dealing with Social Media – <a href="http://www.trehb101.com/index.php/contact-me/" target="_blank">Contact Me</a> or place a comment below)</strong></em></p>
<p>Until recently I have been somewhat averse to going into these sites. Not really quite sure what to make of it. The Information Security geek in me is waving all the red flags, pressing the red alert button, flashing the red lights and sounding the alarms telling me to “STAY AWAY FROM THE RED LIGHT DISTRICT!!!”</p>
<p>WHOA!!!</p>
<p>Really, why would I want to provide my “Top Secret” info to some complete stranger that I would be somewhat hesitant to share with my own family? Okay, that may be a tad bit exaggerated, but we are all familiar with the privacy implications of being on these Social Networking sites. First, you are sharing information with people that you may, may barely or may not know. Second, this information is shared somewhere in cyberspace controlled by people who may or may not have your best interest in their “business model”.</p>
<p>Let’s get this straight, if it hasn’t sunk in yet… Folks who run these social networking sites created their sites not as a public service; they created their sites to make money. And they are offering you their services for free… In life in general, and on the Internet in particular, THERE IS NO SUCH THING AS A FREE LUNCH. They will need to and they WILL make money out of you.</p>
<p>In this era that we call the Information Age, knowledge is power and INFORMATION IS MONEY. You, me, us, the freeloaders are actually not riding for free. We are providing them with their most valuable asset. We are providing them statistics, metrics, behavior, OUR INFORMATION.</p>
<p>Hey Mr. Advertiser, did you know that Don likes beer and long walks by the beach? Why don’t you target him with your fancy Corona ad with the picturesque shoreline of Cancun in the background?</p>
<p>FIND AND CONNECT WITH YOUR LONG LOST FRIEND NOW. FREE!!!<br />
(Seriously… There was probably a big reason why I lost him in the first place…)</p>
<p>Okay so enough with the scary and creepy part… <em><strong>(But before that, how about sharing some other creepy crawlies that you can think of when dealing with Social Media – <a href="http://www.trehb101.com/index.php/contact-me/" target="_blank">Contact Me</a> or Comment Below)</strong></em></p>
<p>I’m a geek, a security geek… But I am also a business person. While the security geek in me is placing all the stop signs and telling me to batten down the hatches and lock all doors, the entrepreneur in me is yelling, GO! GO! GO! YOU CAN DO IT! DON’T MISS OUT IN THIS ONCE IN A LIFETIME OPPORTUNITY! WAIT THERE’S MORE!!!</p>
<p>Holy Crap! Imagine all the opportunities. I could be the one selling you that Corona using Cancun as a backdrop. And I can do this without losing an arm, a leg or my shirt for that matter. I can keep all of them, as a matter of fact; all I need to do is to have you join, follow, make friends with, connect with or link with me, or check out my profile, photo, video or note in some greatest thing ever that happened in this thingamajig that they call the Internet. And no, I will not be considered a spammer… Man, this is just the greatest thing since sliced bread!!!</p>
<p>Major businesses understand this. Entrepreneurs and small businesses should, too. Here is a quick demographic for you:</p>
<blockquote><p>A recent survey shows that 55 percent of 120 surveyed small business owners believe that online social networking — such as Twitter, LinkedIn and Facebook — can be beneficial to their businesses.</p>
<p>The survey, conducted by online payroll service SurePayroll, indicates that one out of every five of the small business owners polled have obtained at least one new customer as a direct result of using social media.</p>
<p>According to the company’s report:</p>
<p>With more than 50 million non-college attendees using Facebook today, the prominence of social media is growing. Professional social networking site LinkedIn grew 187% over the past year. Based on a research project developed by Universal McCann, 36% of online users think more positively about companies that have blogs. In the SurePayroll survey, 85% of business owners participating in social media for business are doing so by way of blogging online. – Source: <a href="http://blogs.zdnet.com/feeds/?p=284" target="_blank" onclick="pageTracker._trackPageview('/outgoing/blogs.zdnet.com/feeds/?p=284&amp;referer=');">http://blogs.zdnet.com/feeds/?p=284</a></p></blockquote>
<p>Social Networking is essentially Networking on steroids. You get all that mass without leaving your seat. You gain without the pain (of having to look pretty to talk to a complete stranger in person in a strange place where they serve $12 beer – I like beer, but I don’t like it that much)…</p>
<p>Before we get all excited and start yelling CA-CHING!!! There is a third aspect to Social Media that we must consider. Your Momma, Grandma and your snooty sister-in-law all love to use Facebook and they are your “friends.” You like to share with them pictures of Snoopy your puppy, but somehow, you don’t want any of them to be snooping around all up your bizniz. It’s just not a comfortable conversation in front of the dinner table for some reason or another.</p>
<p>On the other side of the coin, you also don’t want Joe-potential-client-or-potential-boss Schmoe to be snooping around your kids’ pics or your wild vacation in King Tut’s Tomb. Therein lies the dilemma. And we’ve finally got down to the bottom line of this article.</p>
<p>How does one balance the need for privacy and need to do business? How do you separate your personal life from your professional life?</p>
<p>I have to cut this post short, because if I continue on, this is going to be a long-ass article and no amount of corny jokes and sarcasm can keep you reading this entry…</p>
<p><strong><em>For now, though how about answering the above questions: How does one balance the need for privacy and need to do business? How do you separate your personal life from your professional life? <a href="http://www.trehb101.com/index.php/contact-me/" target="_blank">Contact Me</a> or comment below.</em></strong></p>
<p>If you are looking for Part 2, click the link: <a href="http://www.trehb101.com/index.php/2009/11/23/social-media-separating-the-personal-from-the-professional-part-2/#more-157">Social Media: Separating the Personal from the Professional (Part 2)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2009/11/17/social-media-separating-the-personal-from-the-professional/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP Note (Domain 1: Access Control) &#8211; Three Things to Consider</title>
		<link>http://www.trehb101.com/index.php/2009/11/17/cissp-note-domain-1-access-control-three-things-to-consider/</link>
		<comments>http://www.trehb101.com/index.php/2009/11/17/cissp-note-domain-1-access-control-three-things-to-consider/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 16:48:06 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Access Control]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=65</guid>
		<description><![CDATA[Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm.]]></description>
			<content:encoded><![CDATA[<p><strong>Three things to consider</strong></p>
<ul>
<li>Threats – potential to cause harm</li>
<li>Vulnerabilities – weakness that can be exploited</li>
<li>Risk – likelihood that a threat exploits a vulnerability, weighed against the resulting impact</li>
</ul>
<p><strong>Risk</strong> is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset), weighed against how bad that harm would be. A <strong>vulnerability</strong> is a weakness that could be used to endanger or cause harm to an informational asset. A <strong>threat</strong> is anything (man made or act of nature) that has the potential to cause harm.</p>
<p>The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of confidentiality, integrity or availability, and possibly other losses (lost income, loss of life, loss of real property). Risk therefore depends on both parts: a threat with no vulnerability to use, or a vulnerability with no threat to use it, produces no risk, and a likely event with trivial impact may matter less than a rare one with severe impact. It is not possible to identify all risks, nor is it possible to eliminate all risk. The risk that remains after controls (safeguards) have been applied is called <em>residual risk</em>; management must either accept it or treat it further.</p>
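<p>As an added worked example (not part of the original note, and not a CISSP formula), here is a small risk register in Python that ties the three terms together: each entry names an asset, a threat and the vulnerability the threat would use, scores inherent risk as likelihood times impact, lets controls reduce the likelihood, and reports what is left as residual risk. The three entries, the reduction fractions and the likelihood-times-impact scoring are assumptions constructed for illustration.</p>

```python
# Added worked example (not from the original note). The register entries are
# constructed values, and the scoring model (likelihood x impact, each control
# removing a fraction of the remaining likelihood) is an assumption chosen to
# make the definitions concrete, not a formula from the page.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Risk:
    asset: str
    threat: str                 # anything with the potential to cause harm
    vulnerability: str          # the weakness the threat would use
    likelihood: float           # chance per year the threat uses the weakness, 0..1
    impact: float               # loss (currency units) if it does
    controls: List[Tuple[str, float]] = field(default_factory=list)
    # each control: (name, fraction of the remaining likelihood it removes, 0..1)

    def inherent(self) -> float:
        """Risk before any control: expected annual loss = likelihood x impact."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> float:
        """Likelihood left after every control has taken its cut."""
        remaining = self.likelihood
        for _name, reduction in self.controls:
            if not 0.0 <= reduction <= 1.0:
                raise ValueError(f"control reduction out of range: {reduction}")
            remaining *= 1.0 - reduction
        return remaining

    def residual(self) -> float:
        """Residual risk: what is left after controls. Only a perfect control (1.0) makes it zero."""
        return self.residual_likelihood() * self.impact


def prioritise(register: List[Risk]) -> List[Tuple[str, float]]:
    """Order the register by residual risk, highest first: what to treat next."""
    return sorted(((r.asset, r.residual()) for r in register),
                  key=lambda pair: pair[1], reverse=True)


def needs_treatment(risk: Risk, appetite: float) -> bool:
    """True when residual risk still exceeds what management is willing to accept."""
    return risk.residual() > appetite


# Constructed register: three illustrative risks, not data from the page.
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web application",
         likelihood=0.5, impact=200_000.0,
         controls=[("monthly patching", 0.6), ("web application firewall", 0.5)]),
    Risk("payroll file share", "disgruntled insider", "no least privilege on the share",
         likelihood=0.2, impact=50_000.0,
         controls=[("quarterly access review", 0.25)]),
    Risk("branch office server", "flood (act of nature)", "server room at ground level",
         likelihood=0.05, impact=80_000.0),   # no control yet: residual == inherent
]

if __name__ == "__main__":
    for asset, residual in prioritise(REGISTER):
        print(f"{asset:22s} residual risk: {residual:10,.0f}")
```

<p>The third entry shows the point about residual risk directly: with no control applied, inherent and residual risk are the same number, and even the first entry keeps a fifth of its original risk after two controls because neither control is perfect.</p>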
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2009/11/17/cissp-note-domain-1-access-control-three-things-to-consider/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

