Archive | Compliance

Safe Harbor R.I.P.


Safe Harbor has officially fallen from grace, here is a link to the actual ruling:

http://datenschutzpolitik.de/dokumente/ecj-c-362-14.pdf

What this actually means is still not fully clear, but what is clear is that it affects thousands of companies who now find themselves without the added “protection” of its (self certified) legal framework. Thousands of contracts will be invalidated and thousands of companies will be deemed to not have met minimum standards of protection of EU data in the USA.

There is one thing for certain though; with the speed required to address this, there will be one group of people set to profit from this to get the next best thing into place as quickly as possible…

[Photo, 2015-Oct-06]

Picture credit – Quentyn Taylor (@quentynblog)

Less is sometimes more; InfoSec’s role in the business

I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that “leaning in” when applying yourself to your job is always required to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. It even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gates quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I was first put in charge of an information security project to ascertain the organization’s level of exposure to Personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need, with macros and reporting buttons, a lovely colour scheme etc. We even tried to make it as friendly as possible, as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on high labour costs to get this done). The other 5% were the very risky ones we already knew about, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed; we wanted to dot EVERY i and cross EVERY t, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was told in no uncertain terms that I had completely misunderstood the business: how busy they were, how fine detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks from roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers that drill down to the finest detail. That is not to say that at times they are not important – a good penetration test does need to be detailed and very complete, but that is mainly because it is expected to be so. It wouldn’t surprise me though if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc., can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business, and not just to the security function, is key here. If infinitesimal detail is important to the business then by all means go for it, just ensure that is what the business really is after. Most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers, is not a recipe for success, as it puts the organization in direct opposition to the security function. Making sure that checklists and questionnaires are focussed, relevant and to the point will only encourage people to adopt the security measures that matter, because there is clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to ensure that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.


An open letter to Apple – a change of heart

Dear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc. It also, I argued, helped to instill a culture of security in people, as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder if you will.

I was wrong.

The lock lead has been seen as a barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or even cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend roughly $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead totalling less than $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices, and that if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much for being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Yours sincerely,

Thom “with regret” Langford

What’s this security stuff for anyway?

I am currently sitting in the BA lounge in Heathrow awaiting a flight to Delhi, and as I look around at the number of laptops lying around I am reminded of something I saw a few years ago at Delhi International Airport as I was waiting to fly back to the UK. It was so shocking I even used it as an example in a security article I wrote for my company on my return. Regular readers will know that I have a thing about unattended laptops anyway, as in certain circumstances they have the potential to negate all of the technical measures put in place. Anyway, I decided to write it up here as an example (and of course to kill the time in the lounge!).

It was about midnight, and I was in the BA lounge (sometimes shared with other airlines), and it was quite a busy evening so most of the seats were taken.

I was sitting next to a gentleman who opened up his laptop and switched it on. It immediately asked for a password, I presume for the on disk encryption. He then had to log into his account, and then finally he connected his own data card (no local WiFi and its inherent insecurities for him!) and subsequently connected to his corporate VPN using a username, password and an RSA two factor authentication token. All good stuff from a security perspective.

I noticed from his wallpaper logo right in the centre of his screen that he worked for an aeronautics defense contractor, so the level of security didn’t surprise me. What he did next however did…

After successfully connecting, he placed his laptop on the table in front of him and went to the toilet… without even locking his laptop. He was away for 15 minutes.

I was so shocked I even took a photo of his laptop, which is attached – this is honestly the laptop in question! If you look carefully you can see the window with his VPN connections in the middle of the screen.

[Photo: the unattended laptop, VPN connection window visible in the centre of the screen]

It summed up for me that even though there was all of this security on his laptop, it was rendered useless by his carelessness and utter disregard (or utter lack of awareness) for the security of the contents of his laptop. He entered the passwords that protected his data because that was what he needed to do to get his job done, not because he understood what they were for.

When we overcome the scenarios, attitudes and levels of understanding that result in this kind of thing being played out the world over, we will have addressed a huge amount of risk in our industry.

Bon voyage!

Where is Your Data?

Have you paused to consider where your data is at any given time in your organisation?

All but the smallest of organisations are likely to have notes, CVs, financial records, personnel records, legal documents and the like, and that is just the stuff in paper form. Throw in electronic records, and you include emails, working documents, client deliverables such as code or documentation, even firewall logs or IT documentation and records.

Now that you have a picture in your head of what exactly might be out there, do you know where it actually is? Any organisation that operates in more than one country, and, with the advent of the cloud, any small organisation that uses third parties for any of its traditionally in house capabilities, is very likely to find data in different countries. While this may come as no surprise to some, for many, once they have carried out even a rudimentary analysis, this is likely to come as a shock.

The problem, I feel, is the pervasiveness of technology, and the resulting ability of the modern business to operate without boundaries. By this I mean that when, for instance, someone looks at, alters, reviews or saves data of any kind, more often than not they have no idea where that data resides. Is it in the server room across the hall, a colocation facility across town or on another continent? Even when the various professions in an organisation are aware of the relevant compliance and regulatory requirements (Human Resources, Legal etc.), because the location of the storage devices themselves is invisible to them the issue is not even considered.

For instance, a hiring department in one country may take the personal details of a new hire, such as name, address and bank account, and upload them as an Excel file to a file server or a SharePoint site for the Finance department to set up in payroll. The server this data resides on may be in a second country, while the person who updates the financial systems resides in a third country. In many cases this may not be acceptable under local data protection laws governing the storage of, and access to, a given country’s resident data. This is most often the case when one country has significantly greater (or better) privacy laws than another.

The solution to this is twofold, one part legal and one part common sense:

Legally, agreements can be put in place; these can include well known standards that can be adopted between reciprocal countries. Perhaps the most well known is the Safe Harbor Privacy Principles. This is a set of seven principles that allow for the streamlined compliance of US companies with the EU Directive 95/46/EC, and was developed by the US Department of Commerce in consultation with the EC. There have however been concerns raised about the efficacy of this approach (and, as the more recent post above records, the ECJ has since ruled the framework invalid), so any transfer that relies on it needs to be revisited.

Another legal approach, and one that appears to be more commonly adopted in recent years, is that of Binding Corporate Rules. Developed by the European Union Article 29 Working Party, it is wider in scope than Safe Harbor as it covers transfers within a corporate group to any country that may want to exchange or store data from an EU country. Both of these examples (and other alternatives) do require a lot of work to adopt effectively, the latter especially, and should not be entered into lightly. More often than not third parties/consultants will need to be employed to bring the very specialist skills required.

The second solution, and one that in reality should be taken in conjunction with the legal approach, is that of awareness. This is awareness on the part of the organisation as to where its information and data is stored, and also awareness among the individuals who are managing and posting this data to the various locations required. IT moves faster than ever, and the location of your data store may well move with it. These individual teams will need to engage with IT and the CIO and become firm stakeholders during any kind of IT infrastructure upgrade, bringing their specialist knowledge to the table. And the company will of course need to commission an international data location map!
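As an added illustration of what such a data location map can do once it exists (this is example code, not something from the original post or from any real organisation), the script below records, for each dataset, where the data subjects live, where the data is stored and where it is accessed from, then flags every flow that leaves the EEA without a transfer mechanism, or that still relies on Safe Harbor. The EEA membership list, the mechanism labels and the sample flows are all assumptions constructed for the example; they mirror the payroll scenario above.

```python
"""Toy data-location map: flag cross-border personal-data flows that lack
a usable transfer mechanism.  Added example with constructed data."""
from dataclasses import dataclass
from typing import List, Optional, Dict

# Assumption: EEA members at the time of the post (UK included); adjust to your scope.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
    "PT", "RO", "SK", "SI", "ES", "SE", "GB",
}

# Mechanisms this toy map accepts for EEA personal data leaving the EEA.
# "SAFE_HARBOR" is deliberately absent: the ECJ ruling in C-362/14 invalidated it.
VALID_MECHANISMS = {"BCR", "SCC"}  # Binding Corporate Rules, Standard Contractual Clauses


@dataclass
class Flow:
    dataset: str
    subject_country: str            # where the data subjects reside
    stored_in: str                  # country of the server / hosting region
    accessed_from: List[str]        # countries of the people who process it
    mechanism: Optional[str] = None  # legal basis for export, if any


def locations(flow: Flow) -> set:
    """Every country the data physically touches: storage plus access points."""
    return {flow.stored_in, *flow.accessed_from}


def assess(flow: Flow) -> List[str]:
    """Return finding strings for one flow; an empty list means no issue found."""
    findings: List[str] = []
    if flow.subject_country not in EEA:
        return findings  # this toy only models the EEA export rules
    foreign = sorted(loc for loc in locations(flow) if loc not in EEA)
    if not foreign:
        return findings  # never leaves the EEA, nothing to justify
    where = ", ".join(foreign)
    if flow.mechanism is None:
        findings.append(f"{flow.dataset}: EEA personal data reaches {where} with no transfer mechanism")
    elif flow.mechanism == "SAFE_HARBOR":
        findings.append(f"{flow.dataset}: relies on Safe Harbor for {where}; invalidated by ECJ C-362/14, replace it")
    elif flow.mechanism not in VALID_MECHANISMS:
        findings.append(f"{flow.dataset}: unrecognised mechanism {flow.mechanism!r} for {where}")
    return findings


def data_location_map(flows: List[Flow]) -> Dict[str, List[str]]:
    """The 'international data location map': dataset -> sorted list of countries."""
    return {f.dataset: sorted(locations(f)) for f in flows}


def report(flows: List[Flow]) -> List[str]:
    """All findings across the inventory, in inventory order."""
    return [finding for f in flows for finding in assess(f)]


# Constructed sample inventory, mirroring the hiring/payroll example in the post.
SAMPLE_FLOWS = [
    Flow("new-hire-payroll", "GB", stored_in="IE", accessed_from=["IN"]),
    Flow("crm-export", "DE", stored_in="US", accessed_from=["DE"], mechanism="SAFE_HARBOR"),
    Flow("hr-records", "FR", stored_in="US", accessed_from=["US", "FR"], mechanism="BCR"),
    Flow("firewall-logs", "GB", stored_in="GB", accessed_from=["GB"]),
]

if __name__ == "__main__":
    for dataset, countries in data_location_map(SAMPLE_FLOWS).items():
        print(f"{dataset}: {countries}")
    for line in report(SAMPLE_FLOWS):
        print("FINDING:", line)
```

The map itself is the cheap part; the value is in the second loop, which turns "where is it" into "does this movement have a legal basis", and in keeping the inventory current every time IT moves a server or signs a new hosting deal.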

The alternative, unfortunately, is a knock on the door from the Information Commissioner’s Office (or the equivalent regulator outside of the UK), a potentially heavy fine and the related embarrassing media frenzy. That is going to cost significantly more money than that cheap hosting deal in India.
