
The Top 10 Coast-to-Coast

Posted by Dan Berger in Main

On January 4th, Kroll, a worldwide risk consultancy firm headquartered in New York, released their “top 10 data security issues for 2011.” Two days later, we published Redspin’s “top 10 security issues for 2011.” (I promise, we didn’t read their version first!) So aside from the coincidence, it’s the differences between the two lists that really caught my eye. Maybe it’s an East Coast-West Coast thing. Or maybe they wear their Bruno Maglis a little tight, while we’re sporting Vibram FiveFingers. Perhaps it’s just a difference in perspective. Kroll, being risk consultants, created a list of potential data security risks. Redspin is in the business of providing security assessments, which include findings and analysis. For us, a list of risk areas alone is incomplete without actionable recommendations.

In Kroll’s Top 10, they simply identify potential breach types. Number 2, for example, is theft of laptops, cell phones and even “low-tech” items such as paper files. Kroll’s #3 is lost devices. Their other breach concerns include sending private data (such as EHR) over networks and unintentional social media exposure. Kroll also discusses the risk of the regulatory environment tightening, particularly HIPAA/HITECH, in response to publicized breaches. To me, this is a little like saying “fire” is dangerous but the new fire safety laws might also hurt your business. At Redspin, our version might be “don’t play with matches, at least not around any sensitive data.”

Thus our Top 10 list looks quite different. We start by assuming sensitive information will be accessed, wired and wirelessly from all possible devices – desktops, laptops, iPads, Droids. As penetration testers, we know that our “assumption” is basically just the cold hard truth. Almost any networked computing device can be hacked, given enough time and resources. If you accept this premise, does it make any sense to still try to exert control over the device itself? Further, an increasing number of companies are deploying applications and storing data in the cloud. Wireless is nearly ubiquitous. Secure the perimeter? What perimeter?

So we say focus on the data. Quoting from the #1 issue on our list: “Ensure only people who need access are granted access. Understand where the data must be stored to support business processes and update your information security policies to include mobile devices.” If you get stuck on that last part, we offer a free mobile device security policy template on our new website at www.redspin.com. Our full Top 10 List is there too.

As technology use becomes more mobile and social, the line between personal and business use will continue to blur. My hunch is that Pandora’s inbox is already wide open. Since social media is already a fertile ground for farming private data (and I don’t mean “Farmville.” Oh wait, maybe I do!), we strongly suggest that you “ensure that your policies clearly state what can and cannot be communicated through social media and train your employees appropriately.”

Which brings us to a 2011 New Year’s resolution that both Redspin and Kroll agree on. Train your people on privacy issues and information security awareness. In this regard, we offer social engineering testing. Our assessment determines how vulnerable you are to employee disclosure through insecure or shared password information, unapproved use of portable media, and even unauthorized physical access to premises (you should see us in our blue contractor uniforms and tool belts).

Lastly, it’s certainly wise to know where your potential breach areas are. It’s even better to have policies and controls in place that address them. But ultimately you need to test those policies and controls to see if they are working. That’s Redspin’s forte. In addition to social engineering, we offer a full suite of penetration testing services for your IT infrastructure (external and internal, including wireless) and web applications.

In conclusion, if politics makes strange bedfellows, I’d suggest network security guys and risk consultants just stop for an occasional drink at the bar. Most people think of penetration testers as “ethical” hackers. But you can also think of us as the policy-testing dudes.

Would you Believe it? Twitter as a Way of Coping With Infosec Information Overload

Posted by John Reno in Main

The job of keeping up with the latest threats and vulnerabilities is a daunting task for security professionals. There are many excellent resources for both threats (for example, Symantec DeepSight data feeds) and vulnerabilities (DHS National Cyber Security Division/U.S.-CERT). But it still requires skilled human effort to synthesize which assets in an organization are impacted by the threats, and to interpret vulnerability information to understand how likely the threats are to affect the business, given the controls that currently exist. As I’ve discussed earlier, investing in an information security risk management program is the way to solve this problem in a way that maximizes benefit to an enterprise’s business.

However, you may also just want to find out what everyone else is talking about. I recently found a new service called MustExist that does this by mining the huge data sets generated by Twitter communities. One area (among others such as healthcare) that they have targeted is information security. For example, right now the hottest topic of discussion is sort of a self-inflicted wound: a phishing attack on Twitter accounts, designed to steal user names and passwords. You can also find popular tools that security engineers are using, such as a cheat sheet for the latest release of Nmap.

So, maybe it’s not something to build your security strategy around. But I’d say it’s fun and useful.