Last week, I wrote about insider threat and some of the risks it can pose to your organization. Today I’d like to follow up and provide some tips to help address it.

There are many strategies for dealing with the insider threat, so I’ve chosen to highlight the things that organizations most often miss.

Some of these things may seem obvious, but I would ask you to honestly assess whether or not you are living the principles mentioned below. As Morpheus famously said, “there is a difference between knowing the path and walking the path.”

So here goes.

1) Think about insider attacks before they occur.
As I mentioned yesterday, many organizations have absolutely no plan in place for dealing with insider threats. Let’s be clear – if you have an incident, you will almost certainly incur a loss. But if you plan appropriately, you can significantly mitigate that risk.

Most people never even get to the planning phase.

2) Cultivate a culture of security.
The medicine that I am prescribing here must be adopted at every level of the organization to be effective. If only the security and technologists in the company understand the things I’m mentioning here, the security problems you currently have will persist, despite your best intentions.

I have seen many examples where a world-class security team is stymied by a business side of the house that doesn’t fully grasp the security implications of their business decisions.

The worst part is, the risks are often simply overlooked or marginalized without being properly analyzed. In many of these cases, if the true risks were known, completely different decisions would be made.

To be successful here, organizations should train and equip every employee to protect information. A successful program sustainably shifts the way employees think about the value of information and their role in protecting it, and is built with a clear understanding of how employees interact with information in their everyday work.

3) Assume nothing is 100% secure.
Any other assumption comes with huge risks. Most companies have a really hard time with this because they have been led to believe that they can somehow address every problem that comes up. It’s uncomfortable to assume things will fail, but every security expert will tell you that there is no such thing as 100% security.

Embrace this one idea, and you will fundamentally make better security decisions.

4) Build defense in depth, and assume that everything will fail.
This has been said a thousand times, but it bears repeating until organizations actually do it. Every security mechanism will eventually fail, so it is key to put as many security layers in place as possible so that when one fails, there is something there to back it up. And it’s not all about technology – sometimes the best layers are human-based processes!

Which leads me to my next point …

5) Trusting in technology alone is absolutely the wrong approach.
Security technologies are a part of the picture, but people and process are just as important, if not more so. It’s extremely important to know that every security technology can be bypassed in some way, no matter how good it is.

Many of the technologies we deploy to resolve insider threats are flawed in some way. Data loss prevention (DLP) software is a great example of this. DLP software helps keep honest people honest, but no matter what the vendors tell you, It will never stop the skilled, dedicated attacker.

Unfortunately, many organizations are deploying DLP as if it were the holy grail of security. Every technology comes with trade-offs, and the overhead of something like DLP is not worth the trade-offs for every organization.

6) Make the assumption that your employees are also potential attackers when building all your internal systems and processes.
Even if you could be positive that every employee has your organization’s best interests at heart, the assumption that internal is safe leads to major architectural weaknesses.

The assumption that “internal is OK” leads to organizations having a hard outer shell and a soft gooey inside. And from experience, I can tell you that there is no such thing as an impenetrable outer shell.

A healthy dose of paranoia is required here. If you build your systems as if your employees will attack everything, you will make better architectural decisions and you are much more likely to frustrate an attacker who does get part way in.

If you can honestly say that you are doing all of these things, then you are probably better off than 95% of organizations out there.

Insider attacks have recently been in the news yet again. As reported in Forbes, Gucci suffered an estimated loss of $200,000 from an insider incident in New York last year.

The security threat from insiders is extremely challenging, so many organizations address it half-heartedly and focus instead on preventing external attacks. In my experience, this is usually because it is far easier to understand and deal with an external attacker than having to come to terms with the reality that every person in your organization is a potential threat.

Don’t get me wrong – it is important to address the external attacks. But for most organizations, this is where it stops, even if they know they have a problem.

The truth is that insiders have more access than anyone else, and any company or organization that has been around for any length of time most likely has a potential problem on their hands. And this isn’t just theory – more than half of attacks are known to come from inside the organization.

Insiders know how internal systems work, how to get into them, and probably already have at least some level of access. According to a new Ponemon Institute study State of IT Endpoint Risk, concern over negligent insider risk has been consistent over the past three years with 43 percent of organizations polled seeing this as the greatest risk moving into 2012. Insiders know exactly what to do to get in and avoid detection. Therefore, they are harder to catch and often cause far more damage than an outsider.

While many insider threat cases are the result of human error or inadvertent data leakage, all insider threats, whether accidental or intentional, have the potential to significantly disrupt your business operations and lead to losses.

Insider attacks may also lead to expensive litigation to recover missing information or require you to defend your organization against civil lawsuits for violation of privacy and loss of sensitive data. Potential insider attacks are a persistent threat and companies need to be constantly vigilant to defend against them.

Next week, I will post a list of tips for properly addressing insider threats that many organizations overlook.

There has been much discussion lately about technological and legislative drivers forcing companies to rethink their data protection policies.  Amid the slew of vendors attempting to solve a people problem with more software there is some voice of sanity reminding companies that these policy documents they create need to be more than an exercise in business writing.

In a recent Gartner report on organizations revising their privacy policies analyst Carsten Casper says, “The policy needs to be more than a just a piece of paper.” As a security educator, I could not agree more.  One of the biggest assets that companies often overlook in their struggle to secure their information is their staff.  Not just the security staff who toil away keeping threats at bay, but each and every member of your organization.  Consider for a moment all of the employees that make up your organization: Is there a single one who is not, on a daily basis, in a position to behave in a way which either protects or exposes sensitive information?  Each person you pass in the hallway is an all-powerful weapon in the battle to secure the sensitive and proprietary data upon which your organization is built and they so often remain untapped in this effort.

What sort of response would you get if you polled your employees asking who had read the organizational privacy policy?  How many of them understand what is being asked of them?  How many of them truly appreciate the gravity of the threats and their duty to guard against those threats?  Sadly we all too often see unsatisfactory answers to this line of questioning.  Each and every employee in your organization is part of your information security team. You must equip them to do their part to protect the organization.

Educating all users has been an ideal I have held up for a long time.  How many recent high profile breaches would have been avoided if employees understood the dangers of phishing emails or social engineering phone calls?

I am reminded of a security awareness course I taught at a large organization some time back.  This was a course for general staff and we covered all sorts of threats to organizations, such as social engineering.  The class was not any different than the many other times I had delivered a similar course but some months later I was back at that organization and happened upon one of the people who had taken the class.  She stopped me in the hallway to tell me about a phone call she received from a man claiming to be “Joe from Help Desk.”  It seems Joe was troubleshooting an issue and wanted the IP address of the printer in her area.  She confessed that before having taken my class she wouldn’t have thought twice about helping Joe but the discussion about social engineering gave her pause.  She immediately checked the phone display to find that the call was from an external number.  It was then that she remembered he said “Help Desk” while they referred to their support staff internally as “Support Services.”  Instead of handing over the information she began to question Joe, who suddenly no longer needed the information and hung up.  She then reported the incident to information security.

What has always struck me most about this conversation is not that she managed to avoid a social engineering attack and may have prevented a system breach, but the look of pride on her face as she told the story.  Though she didn’t formally work in the information security department, she knew she had done her job as a member of the information security team that day and her organization was better for it.  Your employees want to be helpful, and if properly educated they can put that energy toward helping you instead of “Joe from Help Desk.”

As your organization begins to dust off the old privacy policy for a frantic update, spend some time considering how you will socialize this policy within your organization.  What sort of communication vehicles can you use to effectively enlist the support of your employees in safeguarding your information?  In many ways these are far more important questions than determining which Data Loss Prevention (DLP) vendor to go with.

What successes or hurdles have you encountered when attempting to socialize security best practices within your organization?  Please join the discussion in the comments area below.

Our team in Rochester, NY is growing.  Safelight Security, a young and fast moving media and training firm specializing in application security education, is actively looking for a Junior Flash Animator to be based in Rochester, NY.  The successful job candidate will report to the Development Manager but will be a highly motivated self starter. Projects will include rapid eLearning development, creation of animation sequences for our core products and working with other team members to develop the most engaging eLearning products on information security. If you, or someone you know, may be interested in this position, please visit to: http://safelightsecurity.com/about/careers/ And get in touch with us at careers@safelightsecurity.com.

This week I am out at a Peak Potentials boot camp called Guerilla Business School. It has been absolutely fantastic and I would highly recommend it to anyone!

This is a PUBLIC SERVICE ANNOUNCEMENT for those who are in the seminar and attended Alex Mandossian’s excellent session on web-based marketing.

Today when we were talking about free online sites, a service called LogMeIn.com came up. LogMeIn is a site that facilitates logging into your PC from anywhere in the world.

These types of services can be extremely convenient, but there are some very important security considerations that must be taken. Failure to take appropriate precautions opens you up to ATTACK by professional criminals from ANYWHERE in the world.

I poked around the site, and it seems to offer decent security options, but unfortunately MOST people opt for the LEAST security possible for CONVENIENCE purposes, and the WEAKEST LINK in every security system is often YOU.

Let’s be clear. This site allows you FULL ACCESS to your computer from ANYWHERE in the world.

Here are some tips to use this type of site safely. These are the same tips I teach to my corporate customers:

1) This is an OPEN door into YOUR computer! Only use a service like this if you have a compelling reason. Any open door is a potential security hole for hackers. If the door is not open, the hacker cannot get in.

2) Use ALL the security features they offer! For example, this service has a feature that allows you to check the logs to see who is logging in – USE IT! Also, look into features such as one-time passwords and RSA SecurID tokens. These are significant security improvements.

3) HOW you log into your computer MATTERS. In order to use the service, you must log into the site as well as your computer. Most people log into their computer as an ADMINISTRATOR. AVOID doing this at all costs. Ideally, create a special guest account with low privileges, and use THAT account for this service. This ONE THING will make a HUGE difference. In fact, the less often you log into your computer as an administrator, the better.

4) Strong passwords are CRITICAL. Unfortunately, most people get this completely WRONG!

A few words on passwords. Remember, you are allowing people to log in to your computer from ANYWHERE in the world! You MUST use STRONG authentication. Passwords MUST be L-O-N-G and complex.

Passwords should be at least 8 characters (more is even better), and a combination of letters, numbers, and special characters.

Just for the record, if I were to allow a service to log me in from anywhere in the world, I would choose AT LEAST a 14 character password.

An easy way to remember a long password is to choose a quote from a movie, book, or song that you like. For example, a favorite movie of mine is The Princess Bride.

A popular quote from the movie is:
“Hello, my name is Inigo Montoya. You killed my father, prepare to Die!”

To choose a password using this quote, use the first letter of each word and include the special character. In this case, it becomes:
H,mniIM.Ykmf,ptD!

Believe it or not, this is a 17 character password that you will NEVER forget!

Also, passwords should NEVER look anything like words, even if you use the popular technique of substituting symbols for letters or numbers. For example, @ for A, 5 for S, etc.

Using this method, Password might become P@5sw0rd

Just to be clear, this is NOT a secure method of choosing a password! All good hackers know this trick, and the book/movie/song quote method I discussed above is MUCH better.

5) WHERE you store your passwords matters! Do NOT store your password on your computer, phone or PDA unless it is encrypted! If you do not know how to do this, you are probably better off writing it down somewhere safe at home, or memorizing it.

Remember: if you store it digitally, it can be STOLEN!

6) Don’t make all your passwords the same! A common method of IDENTITY THEFT is to break into one account, and then quickly log into all your other accounts that use the same password. Use DIFFERENT passwords for EVERY site! This goes double for online remote login services!

Think secure and be secure!
–rob

Two out of three IT security professionals say the risk of data or systems breaches is related to a lack of training.

IT security professionals ranked the threat of a data breach and the resulting damage to their company brand, and loss of customer loyalty and sales as the top business driver for information security training. Though surprisingly, the majority of companies do not have formal training programs to educate staff, according to Safelight Security Advisors’ survey. Two out of three companies directly link data or systems breaches, or the risk of them, to a lack of security training at their organizations.

Yet, the state of security training is fairly bleak even with information security programs in place. Only half of companies who rate themselves a low risk for a data or systems breach say their information security policies are effective at helping to prevent them. Often times security training courses are available, but not required for those on the front lines of information security: a company’s IT and development staff.

In this survey, 60 IT security decision makers from a range of industries were asked how their companies are integrating people into their information security strategies and what practices are most effective. They were asked to estimate their current risk for a data or system breach and were categorized as either a low or high risk company. A data or systems breach was defined as including the accidental loss of control over sensitive data to malicious theft of data by insiders or external threats. They also responded to questions about the effectiveness of their organization’s security programs in people, process and technology areas, the security awareness of their management teams and the effectiveness of training IT and non-IT staff as well as IT and non-IT vendors and contractors.

You can download the complete report on the study. In today’s tough economic climate where expensive technology investments may be temporarily on hold, smaller, incremental investments targeted at training personnel on security awareness and compliance, as well as processes for ongoing security risk assessment, security procedure definition and implementation, and compliance tracking, may return significant reductions in risks for companies.

An interesting little rumor recently made its way across the Internet. Twitter, the poster child for Web 2.0 social networking, has apparently been having some security problems. It turns out that the attackers didn’t need to do anything sophisticated at all. For at least one of their systems, Twitter’s admin password was, wait for it … password.

As an author of a well-known password cracking tool L0phtCrack, I have seen thousands of cracked passwords at a time, and I’ve got to tell you, this is not particularly surprising. I can assure you that the most popular password on the planet is indeed password, followed closely by things like:

• secret
• welcome123 (or other default passwords)
• qwerty, asdfg, (and other silly keyboard patterns)
• Porsche, Mercedes, Ferrari, etc.
• Red Sox, Yankees, Patriots, etc., etc., etc.
• Name and/or birth dates of loved ones, friends, pets, etc.

You get the idea. Password technology has been fundamentally flawed for quite some time, but with solid security practices, and the right training, it can still be used effectively if you know how. Unfortunately, most people don’t know how, even some of the ones who should.

Of course, Twitter’s comeback was that this was for a system that didn’t need to be as secure. I’ve got to be honest here. I’ve heard that one before – it’s called an excuse. We need to stop being afraid to come out and say, “Yes, there was a security incident. We were a bit lax in our security procedures and we have addressed the holes. We’re taking it seriously and correcting the mistake to lessen the likelihood that it happens again.”

As long as there are humans running systems, there will always be security flaws. Everyone makes mistakes, and some of those mistakes cause security holes.

But c’mon, password??? I’ve conducted security reviews for many large enterprises, and from what I’ve seen, when people make such basic mistakes, there are almost certainly far bigger flaws elsewhere in the system.

You see, passwords are just the tip of the iceberg. Building a secure system requires a very different mindset than simply “make it work.” And it is significantly more difficult if everyone on the team doesn’t have it. In my next post, I’ll talk more about the effects of the human factor in security and some of the biggest people problems.

–Rob Cheyne
rcheyne@securityadvisors.com

I’m constantly talking with people that are responsible for running Application Security programs within their organizations. These people often struggle with implementing effective training programs for their development teams. The most common issues that they face have to do with scheduling of developers and budget.

It turns out that Computer-based Training, or e-Learning, is a great way to address both issues and has other benefits as well. The challenge has always been finding e-Learning that actually works well. Safelight has been tackling this issue for the last 18 months and has released e-Learning based AppSec training that works.

Take a look at the demo video to learn more. If you’re interested in a full demo license to the training, send an email to training@securityadvisors.com and reference this blog entry.

We hope you’ll agree that effective e-Learning will increase the flexibility and reduce the costs associated with training your development teams about current methods for developing secure applications.

I am out at the RSA Conference this week, and like every year, I am stunned by the number of product vendors selling “silver bullet” technology solutions to solve all of life’s security problems. Seeing the make-up of the expo floor, you would think that you can just throw lots of technology at a problem in order to make it go away. Given that real solutions always incorporate people, process and technology, it always amazes me that most vendors pretty much ignore the first two. (more…)