Thursday, September 9, 2010

If the good Lord helps those who help themselves, what about the rest?

I've always been a huge fan of the mantra, "The good Lord helps those who help themselves."  It just always has resonated with me and I've used it many times in my life when I've been sitting around, feeling sorry for myself or praying for some miracle or change in my life that just wasn't happening fast enough or even at all.  It was my personal "call to action"; my rallying cry that got me to put away the nacho chips and get out of my PJ's and make it happen for myself.  It recently occurred to me in both my personal life and my professional life that sometimes there are those who can't or won't help themselves.  How do we handle these situations as a family member or a friend without becoming an enabler?  How do we continue to help without letting resentment build to the point of anger because we feel taken advantage of?  What if there are innocent people involved through no choice of their own who deserve a fighting chance?  I fear that as many of us suffer through this horrible economic climate and a government that seems to create entitlement programs that enslave people on a daily basis, more and more of us will be asking these questions about folks in our lives.  I'm clueless on the personal side and don't even know where to begin.  Since not being able to solve a problem makes me incredibly uncomfortable, let's move to how this relates to data security.  I think my life in the trenches of data breaches, security incident response, and litigation support puts me in a unique position to offer a bit of guidance.

How does a consultant whose profession is to help people secure their business processes help those who can't or won't help themselves?  Why, when we read of data breaches daily, do we think that it will never happen to us?  I remember watching a show on Animal Planet about people having wild animals such as monkeys and tigers for pets.  The recurring theme was that if you have these types of pets long enough, eventually they will viciously attack you.  You'll probably end up dead, but the lucky ones end up without faces, extremities, or genitals.  While a security breach won't doom you to life with a prosthetic nose or ears, it could certainly make you think that being attacked by a wild animal would be less painful and stressful.  The owners of those animals all had the same mindset - that it would never happen to them.  And certainly the guy who sold them the tiger or monkey wasn't talking about how they have been known to attack their loving owners.  If these folks had consulted with an independent animal expert, might they have mitigated the risks better, i.e. let's not have the chimp sleeping with us and roaming free on the property?  Or might they have decided not to purchase the "pet" at all and instead been guided to a nice loving Golden Retriever?  While he might pee on the floor when he gets excited to see you, it's a pretty safe bet that all your body parts will be safe.  An independent expert who is selling you nothing but their expertise is one of the most important things anyone involved in risk mitigation and management can have.

I'm a big fan of questions because being willing to ask questions and seek answers has always been way more beneficial to me than someone handing me an answer.  So let's start with the professional context of this dilemma that I see at Reclamere for clients and prospective clients.  As the Data Security Experts, we live, sleep, eat, and breathe data security.  Not only do we proudly call ourselves this, but our team has the actual experience, education, certifications and credentials to back it up, as do many other firms.  Being completely dedicated to data security consulting in our forensic and risk management practices, we are vendor agnostic and sell no software or hardware.  We don't design networks or configure firewalls.  The only thing we have to "sell" in this division is our significant expertise.  Particularly in our forensic practice, we see the aftermath of situations where an organization knew to do something to better protect themselves but chose not to for one reason or another.  Or, more often, IT security folks in organizations knew they needed help, but had been denied the financial resources they needed due to lack of support from the powers that hold the purse strings.  Each of these scenarios inevitably leads to security incidents that the organization is less than prepared to deal with.  While the cold, profit-driven business person could look at this as a great opportunity - "Hey, pay me now to help you with preventative/preparation consulting or pay me way more later to help clean up the mess and figure out who did what" - that just doesn't pass the gut check for me.  Our duty is to our client; to be the zealous advocate for our clients' data security.  Obviously a lawyer makes more money when a client gets sued than when they consult on matters before escalation to the point of litigation.
Lawyers have gotten an arguably bad rap; however, I have yet to deal with any who aren't passionate about helping their clients stay out of trouble before the fact.  Reclamere's security team and executive leadership have the very same attitude as ethical lawyers.  We're here to help before an incident occurs.

That's all well and good; however, many clients fail to see the need for any outside advice on their security posture.  They've got an IT staff or person that keeps things running and a vendor from which they buy their hardware, software and possibly system design.  Why do they need a third party to evaluate the security of the operation, tools or designs against fraud, exploits, or attacks?  IT security gets incorrectly lumped into the same category as IT operations.  Most companies would never dream of thinking that since they have a bookkeeper they don't need a CPA.  Just as doctors now specialize because of the complexity of medicine, IT professionals now specialize in various disciplines due to the ever increasing complexity of all IT related matters.  The person who keeps your network running, printers connected, VPN available, and anti-virus up-to-date is not the same person you should rely on to independently validate that the entire system is secure.  The financial and retail sectors have understood separation of duties for decades as it pertains to inventories and financial matters.  Viewing every single person in your organization as a "role" may seem impersonal, but it's much easier to create rules for roles than it is to justify why "John" can't have access to certain things on your network.  While you may trust John, your network administrator, with your life, someday John may be gone.  Whether he wins the lottery or gets hit by a bus, someday you will have another person in that role and most likely you will be starting from ground zero in the trust department.  By already having an outside security consultant who does a once-a-year checkup, or takes a look if something seems awry, your organization is well on its way to having peace of mind and significant risk mitigation.  Your checkup may be as simple as a penetration test or as complex as a full-blown security audit.
A true advocate for your security will work with you to find the solution and frequency that's right for you.  They also will not sell any of the hardware, software or designs that they are auditing.  Wouldn't that be kind of like the fox guarding the hen house?  Is the guy who sold you your firewall and implemented it going to find his own vulnerabilities?  If he finds them, how likely is he to tell you about them?  Yes, here is ASK on her soapbox - security consultants shouldn't sell hardware, software or engineering.  And value added resellers and OEMs shouldn't provide audit or assessment consulting on the products they sell, promote or design.  Let the fur fly - tell me where I'm wrong, but just like your CPA or comptroller evaluates your accounting practices and financial management, you should not be relying on your hardware or software vendor or network engineer for your security assessments.

So, if I did have to give you a Top 3 List of things that people should do to help themselves in their organizations but often fail to do, what would they be?  Well here goes, in order of priority:

1.  LOGS, LOGS, LOGS!! Sorry, fellow geeks...I know they suck resources and can slow systems down.  I know they are a hassle to monitor.  Unfortunately, if you have a security incident that leads to a data breach and/or litigation, not having good log management and monitoring in place will put your organization at a significant disadvantage.  Law enforcement will want to see logs.  Forensic experts will want to start with logs.  Your insurance carrier may deny coverage if you don't have logs.  Opposing counsel in litigation is going to make you look like a Mickey Mouse operation if you don't have logs.  These are the facts of life.  While shows like CSI make computer forensics look quick and easy, nothing could be further from the truth.  When an organization has an incident but failed to keep logs, the forensic team begins right out of the gate at a disadvantage that just drives up costs to the client.  There are great VARs out there who have great products for log and event management.  The great news is that the costs have come down and those products are now affordable to SMB organizations.

2.  USER ACCESS MANAGEMENT!! Many folks enjoy shows where forensics are used to solve crimes.  Reality is way more complex, particularly in digital forensics.  While we can often determine exactly what was done on a machine, even if data has been destroyed, we rarely can definitively link the activity to a single person.  Putting a person in the chair at the keyboard is often impossible due largely to poor user access management.  In most small businesses in particular, users share computers with shared log-on credentials.  Every user needs their own user name and password.  Passwords MUST be complex and security policy must force changes to the passwords regularly.  As with the other two things listed here that you must do to help yourself, I know this one isn't easy either.  Requiring complex passwords with frequent forced changes is unpopular with the end users.  Creating multiple log-on credentials creates more hassles than having a single credential that everyone shares.  When there is a security incident, shared access to systems again makes the work of investigating the incident more expensive and time-consuming and lowers the probability of finding relevant or strong evidence.
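To make the log and attribution points in items 1 and 2 concrete, here is an added example (my construction, not anything from the original post or from Reclamere) that joins constructed login/logout records to file-access records and asks who could have been at the keyboard: the shared account yields three possible people, the individual credential yields exactly one. Host names, account names, people and timestamps are all made up.

```python
"""Added example: why per-user credentials make log evidence attributable.
Constructed log lines of the form "<ISO time> <host> <event> <account> [<detail>]"."""
import re
from datetime import datetime

# Constructed sample logs (not real data).
SAMPLE_LOGS = r"""
2010-09-09T08:00:00 ws-01 LOGIN frontdesk
2010-09-09T08:05:00 ws-02 LOGIN jsmith
2010-09-09T08:30:00 ws-01 FILE_READ frontdesk \\fs\hr\payroll.xlsx
2010-09-09T08:31:00 ws-02 FILE_READ jsmith \\fs\hr\payroll.xlsx
2010-09-09T09:00:00 ws-01 LOGOUT frontdesk
2010-09-09T09:10:00 ws-02 LOGOUT jsmith
"""

# Who is permitted to use each account (hypothetical). A shared account maps to several people.
ACCOUNT_HOLDERS = {
    "frontdesk": {"Alice", "Bob", "Carol"},   # shared front-desk login
    "jsmith": {"John Smith"},                 # individual credential
}

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN|LOGOUT|FILE_READ) (\S+)(?: (.*))?$")

def parse_logs(text):
    """Return a list of (time, host, event, account, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, ev, acct, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, ev, acct, detail))
    return events

def sessions(events):
    """Build (host, account, start, end) interactive sessions from LOGIN/LOGOUT pairs."""
    open_sessions, result = {}, []
    for ts, host, ev, acct, _ in events:
        if ev == "LOGIN":
            open_sessions[(host, acct)] = ts
        elif ev == "LOGOUT" and (host, acct) in open_sessions:
            result.append((host, acct, open_sessions.pop((host, acct)), ts))
    return result

def attribute_file_reads(events):
    """For each FILE_READ, return (time, host, path, candidate_people).
    The access must fall inside a logon session for that account on that host;
    attribution is only conclusive when the candidate set has one member."""
    sess, out = sessions(events), []
    for ts, host, ev, acct, detail in events:
        if ev != "FILE_READ":
            continue
        people = set()
        for h, a, start, end in sess:
            if h == host and a == acct and start <= ts <= end:
                people |= ACCOUNT_HOLDERS.get(a, set())
        out.append((ts, host, detail, people))
    return out

if __name__ == "__main__":
    for ts, host, path, people in attribute_file_reads(parse_logs(SAMPLE_LOGS)):
        verdict = "attributable" if len(people) == 1 else "ambiguous"
        print(ts, host, path, sorted(people), verdict)
```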

3.  SECURITY TESTING!! We can all be bad when it comes to having our annual physicals; however, the one thing we moms and dads are always good about is annual checkups for our kids.  We know our kids are basically healthy.  We know that the vast majority of kids grow up and never have a serious health issue.  We know that the teachers and coaches are doing great jobs with them and all is well.  Why then do we bother with checkups for them?  Because they are the most treasured part of our hearts and souls.  Your data is the most valuable asset in your organization.  I know it's politically correct to say that people are, but the harsh reality is that people can be replaced.  Money can be borrowed.  Data that is stolen, destroyed or compromised can oftentimes never be replaced, rebuilt, or recovered.  Data loss can literally bankrupt a business.  Treat the security of your business data like it is the health of your child.  Look to an outside expert once a year, at least, to check it over.  Make sure your consultant is truly a trusted adviser; a zealous advocate for your data protection and security.

You guys who read my posts know I love a good debate.  I love to learn from you and banter about the world of IT security. So bring it on! :)

For those of you who are bummed about all the Geek Speak in this week's post, I apologize.  I'll try harder next week to mesh the professional and the personal better.
