Posts

In case you didn’t know by now, Security is HARD.  Apparently, even more so in Higher Ed.

Unlike the Educause Security Conference, which supports and encourages Security Professionals, the greater Higher Ed IT community seems befuddled and surprised by Security stuff.  Like a kid who forgot until the last minute that their big assignment was due.  Even though their teacher had been telling them for months.  Even though their parent kept asking “how’s that assignment coming along”?

So if they have been avoiding Security like the plague, then what has captured their attention?  I walked the Exhibit Hall (hide your badge!!) yesterday.  Not surprisingly, it was predominately learning technologies, learning analytics, learning devices and even learning furniture (sorry Researchers, Educause is not yet for you it seems).  The good news is, there is some really cool stuff out there, and I look forward to being a student again!

I did manage to go to some sessions.  Here were my takeaways from the day:

– Read “The Innovative University” – written by the Keynote speaker, not at all Security related, but interesting enough I want to read the book.

– ECAR will publish a maturity index for Risk Management in 2015, focusing on Management, Investment, Communication and Acceptance as the measurement areas.  I volunteered to be part of this, since they incorrectly defined Acceptance as “lack of resistance”!

– I noted that I should think about unconscious bias in my thinking, managing, and hiring.  There is a test at “implicit.harvard.edu” which I will take.  I might even ask my team to take it…

– Princeton’s CIO did a nice job of talking about Grid Security.  I’ll be talking to our facilities team and our risk governance team about this more when I get back!!

So, back to my learned colleagues…  why is the collective so discouraged about IT Risk, when it’s their job to manage it?  Well, I’ll continue to ask around over the next couple of days, but I’m guessing it’s simply that they haven’t been paying attention.  So, now they are… and they don’t like what they see.

Truth hurts, doesn’t it?

This week, I have the privilege of spending time at Educause.  This conference is all about Higher Education IT, and Security is one of the focus tracks. I actually don’t think I’ll spend a lot of time listening to the Security presentations, although I will certainly be networking with my Security colleagues while I’m here.  Instead, I’m here to learn the business of Higher Ed IT.  Which is as varied as the Universities and Colleges represented.

I’ve been noodling (that’s a technical term, btw) on how to understand the individual and corporate Security risk tolerance at OSU.  There seems to be a wide range of opinion on this matter, such as:

– Using a 45 character password  (full disclosure, my password is not that long!) and changing it every 60 days versus using a memorable password, and changing it as infrequently as possible

– Parking in the dark corner of a convenient garage, versus parking in a well lit parking lot

– Using a laptop lock versus. leaving your laptop on the lunch table, logged in

– Engaging Security when rolling out a new technology project, versus not engaging Security at all

– Encrypting your mobile device versus not using a PIN at all

– Fastening your seat belt versus Death.

It becomes more problematic when we realize we’re not just risking our own stuff; we’re risking the university stuff, and the University Brand.  OSU hits the news for a ton of really great reasons – football, of course, and research breakthroughs, and academic success, and on and on and on.  

However, we occasionally hit the news for not good things, and when that happens, we invariably ask “Shouldn’t someone have known better?”  “What were they thinking?”  “Who let that happen?”  All good questions, and the answer cannot be “because I (the Academic, the Researcher, the Administrator, the Security Professional) was OK with it”, or “because I thought it was too much hassle to do what Security was asking” or “I didn’t want to change my behavior”.  We have an obligation to hold our own Risk stance subordinate to the Security of the mission of the university.

Which brings me back to Educause.  One thing I hope to learn more about here is where technology is taking colleges and universities in the US.  And then to work out how Security aware that thinking is.  And then to work out if OSU is more, or less, Security tolerant than its peers.  Because OSU is a terrific university, and does a lot of terrific things.  But if it gets this Security thing at wrong, it’s not only data at risk , it will be the whole Brand.  O-H-I-O will become synonymous with OH-NO, and that will be a fate worse than Death.

So, wish me luck.   There’s a lot of people here.. and only 4 days to talk to them all.

No, really.  I hate them.   Why?  Because they provide a false sense of security.  Don’t get me wrong…  in the absence of all other security measures, passwords are slightly better than nothing.  Like, shutting your front door is better than leaving it wide open, but not as good as locking the door, and having motion detectors on your outside lights, and having an alarm system, and locking up your valuables in a safe.  Having passwords is SLIGHTLY better than nothing.

So why do we ask people to have passwords at all?  Well, sometimes the law requires it.  Sometimes, that’s all we’ve got.

But is that enough for me to hate passwords?  No.  The reason I hate passwords is that people behave as if having a password protects them from everything.  It provides a false sense of security for those who know nothing about security.  It allows people to think that if they put their data somewhere “in the cloud” that it’s safe.  Because they have a strong password.

Here’s a good example of the general user understanding of password management: http://www.youtube.com/watch?v=qz5i171h_no

No. No.  Just No.  Don’t just “change the S to a dollar sign”.  Really?  This is the best you’ve got, CNN?

Passwords, in the beginning, were not designed to be an anti-theft device.  They were used for YOU, to prove that YOU are who YOU say you are.  That’s all.  But if someone else knows your password, no matter how many weird characters you use, they can pretend to be you.  Kind of like Tom Cruise wearing cool masks in “Mission Impossible”.  Passwords are a key to door.  Not a lock.  Somehow, over time, people have begun to think of them like a lock to be opened – and they are about as user-friendly as a lock.  And, just like your keys, it’s pretty easy to lose your password.

So if you can’t help but lose your password, then what can you do?  Changing the password more often is an answer, but not the best answer, and not the only answer.  This is one reason why we’ve gone to #password180 here at the university.   Instead, consider 2 factor authentication for access to critical systems, including your iCloud storage, and your email.  Consider removing sensitive data from your systems as soon as you’re finished with it.  Consider learning more about the security practices of your IT support groups (including vendors) before you share your important data with them.  Consider not auto-forwarding your email.  Consider talking to your friendly security professional and asking for advice.

And when you’re all done with this, turn on your outside lights, lock your door, and arm your security system.  

You’ll sleep much better.

So this week I was asked to be an “expert” for a TV news piece.  The general topic was about mobile device monitoring, and the implications to privacy.

The interviewer could have gone many ways on this, but basically he wanted to know if there was any hope for privacy in the digital age.

Honestly?  I don’t know the answer to that question.  There was a Wall Street Journal article about this very topic, just today.  They don’t know the answer either.

http://online.wsj.com/news/articles/SB10001424052702304704504579432823496404570?mod=ITP_journalreport_0&mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304704504579432823496404570.html%3Fmod%3DITP_journalreport_0

I do know, however, there is one thing we can do now to try to protect our data from people taking it without our consent:  turn off your phone.

Oh yes, you can password protect it, and encrypt it, and turn off roaming, and your GPS.  But most of the attack vectors work on the presumption that you’re using your phone.  And for most of us, our phones are on just in case, while we’re bored, because we’ve got nothing better to do.  So, turn it off.  Talk to someone.  Observe the beautiful Ohio weather.  Get a(nother) life.

If this isn’t possible, check out some of the tools in the WSJ article – they’re kinda cool.

Hallelujia, it’s the last day!

Being the last day, it meant some morning session that were remarkably well attended, then some really great afternoon keynotes designed to keep people in their seats.  Nicely done, RSA conference organizers.

So, in the morning, it was metrics, metrics, metrics (and measurements). Here are the themes:

– Metrics measure services, and link to the organizational mission

– They measure the underlying pieces of services:  People, information, technologies, and facilities

– For security, metrics at some level measure “How Secure Am I?”  “Am I Secure Enough?”  “How Secure Do I need to Be?”  “What would change if I was more secure?”  “What Is the Business Value of Being More Secure?”  and most importantly, “SO WHAT”.

– Metrics are only valuable if they inform decisions, affect behavior/actions, and determine improvements

– Metrics should:  guide decision making, guide variance (aka compliance) measurement, guide loss exposure

– Benchmarks against peers may also been known as the “Lemming approach” or “Regression to the Mean” – in other words, benchmarking works if you are starting from scratch, but can sometimes be used to replace critical thinking of what is important to an individual business.

So, that was it for the really Security focused sessions.  Which brings us to the last Keynotes of the conference.

The first session was “Hugh Thompson and Friends”, discussing the intersection between predictive analytics and the implication for privacy.  The first “Friend” was Dr. Angela Duckworth from UPenn, who has worked out a 10 question measurement of “Grit”, used to predict success, and measure passion and perseverence.  It is used at West Point to determine who will stick out the program (25% of entrants drop out), and who will last.  If you will, this measures “Top Talent”.  I won’t tell you what my score was, but the good news is you can learn to model your behavior after people with “Grit”:

– Be Specific about the skills you want to sharpen

– Work on fixing your weaknesses, not improving your strengths

– Work in your discomfort zone

– Get feedback often and early

– Be loyal and steadfast to your goals

Then, Dan Greer came on to discuss more of the predictive analytics in a security sphere.  Most interesting assertion:  That de-identification (anonymizing data) can be reversed – always.  The implications to big data research is significant.  Here was another zinger:  Knowledge is power.  We are Creating Knowledge.  Where does the Knowledge/Power Go?    Here’s another thought:  it is cheaper to keep data forever than to selectively delete it (which is what our current records retention policies require).  Private industry keeps data long enough to work out that the data cannot be monetized; government keeps data as long as they can afford to store it.  “The right to be forgotten” is not achievable.  (Ominous music plays in the background).

Lastly, and by far my favorite, Stephen Colbert was the final speaker, and was predictably hilarious.  He noted that he has created a new company called “CloudFog” – look for it in a store near you.  I leave you with his thought:

“There is no greater threat to our security than not knowing where the money goes, and not voting.”

Stay warm!

Will this conference never end???  Actually, although my brain is almost at saturation point, it was quite an enjoyable day.

My first session was titled “Public Cloud Security: Surviving in a Hostile MultiTenant Environment”.  Certainly not for the faint of Security heart.  The presenter (an architect from Microsoft Azure), defined 3 computing eras: mainframe, client/server, and mobile/cloud.  Obviously, we are in the relatively early stages of the 3rd phase.  The number one concern of IT leaders related to cloud is, not surprisingly, Security.

The Cloud Security Alliance has defined the “notorious nine” security concerns about the cloud.  You can read more at https://cloudsecurityalliance.org/research/top-threats. Here’s the main thing about cloud:  in order to be scalable, cloud vendors have to architect their systems in a very homogeneous way – same hardware, same o/s, same hypervisor, etc.  This introduces a LOT of concentration risk (if you have one vulnerability, you have LOTS of them).  It also means that you cannot assume that you can trust the hardware/software of the providers, and that attackers are anonymous and diverse.  So, the session focused on what can be done, both by providers and customers, to mitigate these risks.  I won’t focus on these mitigants now, but here’s the thing:  IT groups (and security) have made assumptions that off-premises cloud providers are inherently less secure than on-premises in house architecture – but are they really??

The second session blew my mind.  It was a presentation titled “practical attacks against MDM solutions”.  In this session, the presenter did a live demo of how to hack an iPhone, how to hack a Container solution on that iPhone, and how to hack an Android.  In each case, he was able to hack the phones in about 3 minutes, and gather so-called encrypted email, and to take control of the microphone and camera of the iphone.  All with publicly available commercial software.  Guess what, they’re cloud services, known as TaaS:  Trojans as a Service.  Now, in all cases the phone had to be infected via a Phish in order to get the software installed, but he wouldn’t eliminate the possibility that the malware could be inserted remotely, either.  There are not commercially viable solutions available to prevent these kind of attacks – we’re dependent on PEOPLE to NOT respond to a Phish.  You know those QR codes used by companies to so easily direct you to their website??  Be careful with those…

So I stumbled from that session to a session about implementing security in Agile/Scrum software development practices.  There were some key takeaways from this session, mostly to do with having a Secure code baseline, doing dynamic testing, and training developers how to hack their own code.  To be honest I would have paid more attention if I wasn’t concerned that someone was hijacking my iphone camera…

I then went to a session called “Privacy Reboot”.  Here’s the nickel tour:  Privacy is not dead (if it is dead, think of it like a cat who has not yet exhausted all nine lives), it is simply being reworked and has not yet stabilized in the latest technology environment (aka Social Media). 

Now, I know that at this point you are feeling sorry for me for having to sit through all this stuff…  so I will remind you that I spent lunchtime sitting in the SUN (I couldn’t resist rubbing that in).

The keynotes seem to be getting (mostly) better as the week progresses.  This afternoon, we started with Peter Sims who has written a book called “Little Bets”.  This is a book about innovation (not security) and about how we should take lots of small, low risk actions rather than waiting for a Big Bang success.  Beethoven did it, Pixar did it, and even comedians do it.  We have to allow for, and be comfortable with, failure – to go “from suck to non-suck”.  At Pixar, they avoid the HIPPO effect (the Highest Paid Person’s Opinion counts) by implementing “Plussing”.  That is, you don’t immediately dismiss an idea, instead, you say “Yes, and…” and then “what, if..”?  I know, that is as clear as mud.  Get the book.

Two VPs (one was a woman even!!) from Cisco then did a presentation about the “Internet of Things” (IoT – see my post about your fridge attacking you for more info on this).   Here’s the gist of the presentation – all these “things” are now internet-connected, and internet-aware.  This connects people, process and data in new and interesting ways (think of how enStar works in your car, for example).  The IoT will PERSONALIZE the internet.  So, for Security, we need to get visibility to all these devices and networks and data and identities, we need to have realtime threat analysis, and we need the ability to act on that analysis in realtime.  Not surprisingly, the industry is a bit short on talent right now…  They also suggested that we have to ASSUME COMPROMISE, and have things PROVE THEY ARE TRUSTWORTHY.

Kevin Mandia, of Mandiant-the-chinese-are-attacking-us fame, presented his 2014 report.  In summary:

– There are no risks or repercussions to cyber-actors

– Future conflicts will have a cyber component

– Cyber-actors target people as an attack surface – this makes Security a decentralized problem

– The “theatre of war” is asymmetrical – offense develops faster than defense, and defenders have to defend EVERYTHING

– Cyber crime is the only crime where the victim has to apologize for being a victim

– The risk of disclosure of a breach is very high (more than the risk of the breach itself)

– Security awareness erodes in an organization over time after a breach (“vigilance fatigue”) and the bad guys adjust

– The goal of Security, then, is to eliminate the impact of a breach, and shorten the time from alert to when it is fixed.

Phew!

Lastly, Scott Harrison did a fabulous presentation on the creation of Charity: Water.  He is not a Security dude, he runs this non-profit with a goal of getting clean water to world-wide communites.  More explicitly, to get access to clean water to 100 million people in the next 10 years.  Did you know that for every $1 spent on clean water, it returns $4 to $12 in economic benefit?  You can check it out at charitywater.org  – really really amazing stuff.

Tomorrow is the last day of the conference.  I hope there isn’t anything else new to scare me.

Today began with a discussion on Boomers, Gen Xers, Millennials and Gen-Zers.  You know who you are. 

The point was, if we’re going to reach them in training and awareness for security, we have to know how they think, and how they consume information, and tailor our stuff appropriately.  It was a fun session, with a lot of your usual psychology stuff

– Boomers = Kennedy, Vietnam, Moon Landing, etc

– Gen Xers = Challenger disaster, MTV, End of Cold War, Latchkey kids

– Millennials = Colombine, 9/11, and Facebook

Here was the funny thing – Millennials think they know security really well – better than the Boomers rate themselves.  But, they are 15% more likely to have been breached.  Overconfident?  Perhaps.  As a university CISO, I was interested in knowing how to get Millennials to care about security and privacy – but in general they just don’t.  So, focusing on the fact that the UNIVERSITY cares about the data they manage is where we have to focus our training efforts.  For everyone else, we can just tell them what they have to do. (OK, not really).

From there I listened in on a presentation about Insider Threats, and how to programmatically address this.  In this sense, Insiders are malicious, not accidentally careless.  HR, Legal – we’re coming for you  🙂  Actually, we need great partnership with HR and Legal to identify likely scenarios and triggers for “insider” behavior, so we can QUICKLY triage incidents.  Note the golden 30 day window – insiders are disproportionally more likely to do something nefarious between the time they resign and the time they actually leave.  Of course, most people DON’T do something creepy – but should the university keep an eye out for this?

I then dragged my tired mind over to a panel discussion on letting users “go rogue” using cloud services.  No real new stuff there.  No surprise, folks are using cloud services (the average company uses 395 vendors today – I can only imagine the exponential OSU numbers).  The goal here is to enable secure cloud usage, not to prevent it from happening.  We also need to orchestrate HOW we use cloud services – we can get pretty inefficient pretty quickly without some air traffic control.  Even for all the support of people using cloud, none of the panelists want “Crown Jewels” to be there – some things (like the Coke recipe – yes, really) don’t belong in the cloud.

Of the five keynote speakers today, only some are worth mentioning.

First, James Comey, our new FBI Director, spoke about the need for the FBI and private industry to support one another.  We need to share information quickly and routinely, at the speed of computers, not the speed of humans.  His presentation was well received, and he comes from private industry where he ran Security teams (he’s a lawyer, actually), so he’s been on both sides of the political fence.

Art Gilliland from HP threw out some interesting statistics:

– We collectively, as an industry, spend $46B (yes, Billion) a year on Security. 

– We’re seeing 20% increases in breaches year over year

– A single breach costs 30% more this year than last year, on average (pity the Universities of Maryland and Indiana…)

– Statistically, we’ll get better bang for our buck if we focus on people (training, analysis) and process (intelligence gathering), than on “silver bullet” tools.  No argument from me on this one.

The most interesting speaker of the day was 19 year old Taylor Wilson.  He’s a nuclear scientist, and from the age of 10 (when he built a nuclear reactor in his garage) to now he has created nuclear material scanning devices, medical isotopes scan tools, and is currently working on cheaper, safer nuclear reactors.  It is not a stretch to say that he is a Genius in Action, and he absolutely gives me hope for our future.  If I thought the Cryptographers were above my IQ paygrade, they’ve got NOTHING on this kid.  Yes, kid.  Millennial, actually.

Apart from the speakers, we also cruised the vendor halls today.  Some of our own vendors were there, of course, but there were also PLENTY of new vendors.  It was a bit like running the guantlet to make it down an aisle without being accosted for our contact information.  I would also say that my unscientific poll shows more Michigan fans than Ohio ones at this particular event!

2 days left to go.  Let’s hope I’m still standing when it’s all over.

William Shatner beamed down to the Keynote session and sang (sort of) a really bad version of “Lucy In The Sky With Diamonds”.   Then, mercifully, he left.

Art Coviello, the Executive Chairman of RSA, gave the keynote speech, spending a lot of time discussing hacking, trust and morality.  With a lot of quoting of President Kennedy, he called on governments everywhere to renounce Cyber Weapons, Cooperate on International investigations and prosecutions of cyber criminals, ensure Internet Economics are “unfettered” and IP Rights are protected, and ensure privacy of Citizens.  A call to action, so to speak.

Scott Charney of Microsoft then reinforced this by suggesting that one of the reasons Security is such a tough field to work in is that there are no “norms” around acceptable internet/security use.  He called for the equivalent of the Geneva Convention, or the Hippocratic Oath, for the Government and other practitioners – to establish a “sense of proportionality”.

Nawaf Bitar from Juniper Networks then followed, urging all to “Be Truly Outraged” (“Liking a Cause on Facebook is not outrage”).  He insisted that we are complicit in the apathy around how governments, industry and users are allowing the Internet to be handled.  He urged us to take an Active defence to disrupt the economics of hacking.

Lastly, there was a cryptographer’s panel.  Four really really smart guys discussing the past, present and future of Cryptography.  Nothing new here, I didn’t think.  Of course, my ability to actually understand what was discussed was proportional to how far I could collectively throw the panel. 

Overall, an interesting morning.  The afternoon got better.

In a session titled “Securing the Big Data Ecosystem”, we were urged to take an IKEA model of security – Identify “sick” assets, Keep adequate records of asset problems, Evaluate assets daily, and Adapt until we see noted improvements.  Essentially, in big data, we will have too many things to take care of at once, so a high touch approach is not scalable or practical.  Instead, we should look for areas of leaks, tampering or loss events in “data lakes”, and focus on on that until things improve, or we “kill it”.  We will need lot of Intelligence Analysis to do this (good thing OSU does this well!).  The analagy was to treat the assets like “Cows, not Pets”.  hmmm…

In a session titled “Measuring Change in Human Behavior”, Lance Spitzner from SANS reminded us that we should focus on a few key behaviors we want to change, instead of boiling the metrics ocean, and our training/awareness efforts should be measurable, repeatable and actionable.  securingthehuman.org/resources/metrics is a place to start.  Yup.

Then there was a panel discussing “How to Sleep Soundly with your data in the Cloud”.  In short, they suggested we “bring our own security to the cloud”.  Okay….  not helping me sleep soundly, guys.   The elephant in the room was named as “okay, so you get comfortable with your cloud vendor – but what about the vendors THEY use?”  Frankly, I’ve already lost enough sleep to worry about that right now!

To take away something more personal, I attended the session titled “Monitoring and Filtering your Child’s Web Use”.  Comforting to know (not) that kids today have so many connections to the Internet that there is no real effective way to monitor kids use unless you’re a highly techy security geek who applies work controls to your own house (who would do that!!).  Ethics of monitoring kids use to this degree was not discussed.  Oh, and there isn’t much out there to review Chat and Peer-to-peer sessions (one lady suggested using a keystroke logger).  The session should have been titled “There are no Parental Controls”.

Running from session to session is starting to make my head hurt.  But, there are useful snippets in each session to make it worth it.  Hard to believe it’s only Tuesday….

This conference is enormous!  That doesn’t make it great (not yet, anyway), but there is certainly a lot to see and do.

Getting my feet wet, I spent the morning in a 3 hour session titled “Surviving As A Security Leader”:

We discussed “making Regulations and Audits work for you”.  Key takeaway:  don’t expect an auditor to know more about your space than you do (if so, you should consider a different career…) – so in the Audit planning process you should partner with Audit to help them understand the technology and the control/risk environment you work in.  RISK-RELEVENT FINDINGS SHOULD BE THE MUTUAL GOAL of an audit – they are partners to help us do our jobs better!

We then discussed Security/Risk leadership – we need to lead participatively, to get buy in and reduce resistance.  We also need to develop others in the organization to be security leaders – even when they are not in the business of security.  Motherhood and apple pie, right?

Then, there was a panel of ex-CISOs talking about being a CISO.  The main skill?  Influencing without direct authority.  The primary focus?  Basic IT blocking and tackling – configuration management, change management, asset management, etc. etc.  Think ITIL…   The most valuable thing?  Understanding the business: Goals, objectives, motivations, stressors. To know how security supports the business is to make Security relevent and useful.  The most depressing thing?  Not one of the ex-CISOs on the panel want to be a CISO anymore.  The function was self-described as a “high burn-out position”.  Hmmm….

Lastly, in the morning session we discussed Boardroom presentations.  Not necessarily Security-specific, but interesting nonetheless.  Fun fact:  ROI can also mean “Risk of Incarceration”.

In the afternoon, the session turned to Risk Management and Operational Resiliency Frameworks.  Really bad topics for the “first after lunch” spot.  Key takeaway?  Most Risk Managers are really bad at estimating risk…  how to fix this?  Get Risk Calibration training for Risk Analysts.  Oh, and scrap ratings of High, Medium and Low and use real numbers to quantify  orders of magnitude when evaluating risk.  You can check out www.societyinforisk.org for the Society of Information Risk Analysts. 

For Operational Resiliency, we heard from Carnegie Mellon and www.cert.org/resilience, and how being operationally resilient means you’re like a Slinky – you can snap back into shape during and after an incident.  Another fun fact:  The average age of a Script Kiddie (you can google the term) is 10.  Ten!  (Editorial:  It’s time for our elementary and high schools to be teaching software coding so we can teach them how to do things well…)

So, as you can see, the topics are varied, broad, and for geeks like me, interesting.  Tomorrow is the real kickoff of the conference, so I’m looking forward to sharing more then. 

Sleep Well!