Wednesday, July 29, 2015

We're not prioritizing security activities properly...or are we?

Dark Reading and Black Hat conducted a survey of Black Hat 2015 attendees in June 2015. Their executive summary has some interesting findings. They report that there are significant discrepancies between the priorities of security professionals and the resource allocations. They also report that "Many security professionals feel that the perception of current threats - both in the media and among their managers and supervisors - is different from their own" (p. 5). While you should take a look at the full report, here are the top 5 responses for the security pros' greatest concerns, time consuming incidents, and budget consuming incidents.


Greatest concerns:

  • sophisticated, targeted attacks
  • phishing, social network exploits, other social engineering
  • accidental data leaks by end users not following policy
  • polymorphic malware that evades signature-based defenses
  • espionage/surveillance by foreign governments or competitors

Consumes time:

  • vulnerabilities introduced by own app dev team
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • accidental data leaks by end users not following policy

Consumes budget:

  • accidental data leaks by end users not following policy
  • sophisticated, targeted attacks
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering


Let's talk about one problem with this survey - the respondents are all 'security professionals' and they're all Black Hat attendees. This would suggest that they are, for the most part, more technical people. These are the people doing the job of computer security within organizations. That's great. They are needed. I used to be one of them. But they have a completely different view of the problem than a business manager would. So, I'm not surprised that they feel that management doesn't 'get it' - that their perceptions of the problem are wrong. However, these security pros' perceptions of the problem are also wrong.

Wait, no, that's not it. The professional in charge of maintaining secure and functioning information systems has a different problem to solve than the professional in charge of managing a company/business. So, since they have different problems to solve, their perceptions of how to solve them are going to be different. Management thinks in terms of risk management - what are the risks to the organization and what do we have to do to get those risks within acceptable parameters. Security folks think in terms of risk to their specific piece of the business and are trying to minimize it - no data lost, no hackers in our network, no (little) down-time, etc. They definitely understand the problem (threat to the systems) better at a technical level than anyone who gets their information from the popular media. But they don't necessarily understand the bigger bundle of concerns that management is dealing with.

So, what are Management's greatest concerns? This survey hasn't captured that. There are some built-in assumptions. If a concern is 'sophisticated, targeted attacks' I ask you why? What is it about that threat that makes it a big business concern? When you, as this security professional, can explain to the manager why she should care about this thing and what you can do about it, then you may get the resources you need to counter it. If you're spending all your time dealing with vulnerabilities introduced by your own app development, then quantify that so you can explain how much this particular problem costs the business. And, align your concerns with the business concerns. In short, learn to speak in business language, become part of the risk management team and process. And use that to get better alignment of priorities and resources.

Thoughts?

Monday, July 20, 2015

Employees as weak link

Yesterday, Krebs on Security posted this story about the Ashley Madison hack. OK, this is a problem for the company and comes with all the standard issues of data loss. But here's something else to think about.

Firstly, if you didn't know, Ashley Madison is an online cheating site. That means, account holders at AM likely do not want it widely known that they use it. Unlike other data breaches where the fear is ID theft and financial fraud - activities for which AM could simply offer ID theft protection services like everyone else - this is a case where the compromised information could be used to blackmail individuals. Ask yourself:

  • Do you have privileged users who are AM account holders? Two factor authentication isn't going to help you protect privileged accounts if the user herself is compromised.
  • Is your CEO an AM account holder? What would exposure of this fact do to your company? What would he do to keep the information quiet? Are there other high-profile employees that could be AM users?

Even if you perform security checks before you hire people, you need to remember to keep monitoring them. Circumstances change and an employee who was fine last year may have run into financial difficulties or engaged in activities that have compromised her previously secure standing. These changes have impact on your organization, regardless of how much security awareness training you provide.

The next questions - How will you know if one of your people has been compromised? What will you do if it turns out they have been? What HR policies are in place to support your choice of action?

Cybersecurity is not just an IT thing. It never really was even though we shoved the responsibility into the IT department. Cybersecurity is a corporate risk management thing and it touches on every aspect of the business. HR and IT are just the first two that spring to my mind, but clearly finance, production, and operations may all be impacted by any information breach - even if it's not at your company.

Note: Edited to correct spelling mistakes on Aug. 5/15.

Monday, July 13, 2015

US Federal Cybersecurity Sprint: Maybe you should do one, too.

In early June, the US Federal Government announced they would be undertaking a 30-day Cybersecurity Sprint. The goals of the program included:

  • scanning systems for indications of malicious activity
  • patching critical vulnerabilities without delay
  • reviewing and improving policies regarding privileged users
  • accelerating multi-factor authentication implementation, especially for privileged users.

For anyone who's been working in cybersecurity for any length of time, these 4 items seem like baby steps. They are activities that a/ should have been implemented a long time ago and b/ take time, money and commitment to carry out. I suspect the problem in the past has been item b - there has been no commitment by top decision makers and, thus, there has been no money to make it happen. That is why this sprint has been such good news (once I ignore the fact that it's 2015 and it's only now happening...I started in this field in 1999 and had rather hoped we'd be in better shape by now). So yay, US Federal Government.

Preliminary results have been discussed stating that:

  • Federal civilian agencies have increased multi-factor authentication use for privileged users by 20 percent within the first 10 days of the Sprint. Several agencies have increased multi-factor authentication use for privileged users to 100 percent.
  • DHS has scanned over 40,000 systems for critical vulnerabilities and it is increasing those numbers every day. Federal agencies are patching vulnerabilities as they are identified.

The fact sheet also notes that there are several activities that remain ongoing, as we would expect. Cybersecurity is not an end-point, it is a process of continual improvement.

Now, here's the skeptic in me commenting.

  • "...increased multi-factor authentication...by 20 percent..." So, if 10 privileged users used to have multi-factor authentication, a 20% increase means that there are now 12 privileged users with it. If you want me to applaud you, you're going to have to tell me what that increase represents as a percentage of all the privileged users. And if some agencies have increased to 100%, great for them, but where did they start from? Did they just remove privileged users (which could be OK; maybe they had too many privileged accounts to begin with)?
  • "...scanned over 40,000 systems..." And that represents what percentage of systems? Are we talking end-nodes (user workstations and PCs) only? What about telecommunications equipment, servers, smartphones, etc.? I suspect they still have a *very* long way to go.

In short, provide real data. I know my statistics and I know how to make numbers look impressive when really they're just 'meh.'
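The two objections above, worked through as an added example that is not part of the original post and uses none of the fact sheet's real figures: a small Python script over a constructed inventory of privileged accounts and assets (the agencies, user names and asset counts are all hypothetical) that reports both the relative increase a fact sheet might quote and the absolute coverage the post asks for, per agency and overall, plus scan coverage against the full asset inventory rather than a headline count.

```python
"""Coverage metrics for a 'Cybersecurity Sprint' style review.

Added illustration; the inventory below is constructed sample data, not
any agency's real numbers.  The point: a relative increase in MFA-enabled
accounts and a raw count of scanned systems both hide the denominator.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedAccount:
    agency: str
    user: str
    mfa_enabled: bool


def _accounts(agency, total, with_mfa):
    """Build `total` hypothetical privileged accounts, the first `with_mfa` of them MFA-enabled."""
    return [PrivilegedAccount(agency, f"{agency.lower()}-admin{i:02d}", i < with_mfa)
            for i in range(total)]


# Constructed snapshots: before the sprint and ten days in.
# AgencyA: 40 privileged accounts, 2 with MFA, unchanged.
# AgencyB: 10 privileged accounts, 8 -> 10 with MFA (reaches "100 percent").
BEFORE = _accounts("AgencyA", 40, 2) + _accounts("AgencyB", 10, 8)
AFTER = _accounts("AgencyA", 40, 2) + _accounts("AgencyB", 10, 10)


def mfa_count(accounts):
    """Number of privileged accounts with MFA enabled."""
    return sum(1 for a in accounts if a.mfa_enabled)


def coverage_pct(accounts):
    """Absolute coverage: MFA-enabled accounts as a percentage of all privileged accounts."""
    return 100.0 * mfa_count(accounts) / len(accounts) if accounts else 0.0


def relative_increase_pct(before, after):
    """Relative growth in the MFA-enabled *count*, the kind of figure a fact sheet quotes."""
    base = mfa_count(before)
    if base == 0:
        return float("inf") if mfa_count(after) else 0.0
    return 100.0 * (mfa_count(after) - base) / base


def coverage_by_agency(accounts):
    """Absolute MFA coverage per agency, so a 100% agency cannot mask a 5% one."""
    groups = {}
    for a in accounts:
        groups.setdefault(a.agency, []).append(a)
    return {name: coverage_pct(accs) for name, accs in sorted(groups.items())}


def accounts_missing_mfa(accounts):
    """The remediation list: every privileged account still without MFA."""
    return sorted((a.agency, a.user) for a in accounts if not a.mfa_enabled)


def mfa_report(before, after):
    """Put the relative figure and the absolute figures side by side."""
    return {
        "mfa_before": mfa_count(before),
        "mfa_after": mfa_count(after),
        "relative_increase_pct": relative_increase_pct(before, after),
        "privileged_total": len(after),
        "coverage_pct": coverage_pct(after),
        "coverage_by_agency": coverage_by_agency(after),
        "missing_mfa": len(accounts_missing_mfa(after)),
    }


# Constructed asset inventory (asset class -> count) and how many of each were scanned.
INVENTORY = {"workstation": 60000, "server": 9000, "network": 1500, "mobile": 12000}
SCANNED = {"workstation": 38000, "server": 2000, "network": 0, "mobile": 0}


def scan_coverage(inventory, scanned):
    """Scan coverage per asset class and overall; the headline count alone says nothing."""
    per_class = {cls: 100.0 * scanned.get(cls, 0) / total
                 for cls, total in sorted(inventory.items()) if total}
    total_assets = sum(inventory.values())
    total_scanned = sum(scanned.get(cls, 0) for cls in inventory)
    overall = 100.0 * total_scanned / total_assets if total_assets else 0.0
    return {"scanned": total_scanned, "total": total_assets,
            "overall_pct": overall, "per_class": per_class}


if __name__ == "__main__":
    for key, value in mfa_report(BEFORE, AFTER).items():
        print(f"{key}: {value}")
    print("scan coverage:", scan_coverage(INVENTORY, SCANNED))
```

On the constructed data the MFA-enabled count rises from 10 to 12, which really is a 20% increase, while overall coverage of privileged accounts sits at 24% and one agency is at 5%; likewise 40,000 scanned systems is under half the inventory once servers, network gear and mobile devices are counted. The numbers to report are the ones `coverage_pct`, `coverage_by_agency` and `scan_coverage` return, together with the `accounts_missing_mfa` list as the work queue.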

As government agencies continue to look closely at their systems, we can expect them to find evidence of additional leaks or breaches - that means we're going to hear more about lost data and it's going to make everyone angry, especially those who learn they had personally identifiable information exposed. I'm really sorry, but at the same time, I think it's a good thing. We need to be honest about the scope of the problem before we can start fixing things. And that means that those of you in industry need to be honest about the scope of the problem in your organization(s), too.

So, what is your organization doing to improve its cybersecurity processes? Did you take the opportunity to run your own Cybersecurity Sprint? I would suggest that the activity would be helpful in any organization, regardless of how well you believe you are managing this aspect of your business. For those with strong processes and procedures in place, it's a chance to measure their effectiveness. And for those with little cybersecurity infrastructure, it's a chance to learn from the federal initiative and get your house in order, hopefully before you have a significant breach.

Tuesday, January 29, 2013

Teaching with technology

So, today I was thinking about how I use technology in my classroom and/or assignments. It's pretty typical in an intro MIS course to use MS Access to introduce students to databases. Excel is also a pretty common application - you can use it to teach ways to create simple decision support systems - build a predictive model of stock prices, use pivot tables to do what-if analysis, for example. But what about other things that might be useful in the working world?

In my class, there are several group assignments. This means, students need to learn how to collaborate. Despite my expectations, they don't actually already know how to use tools such as wikis or GoogleDocs to create content in a collaborative way. They stick with passing Word documents back and forth and seem to rely on the ability to meet in person. This is crazy - the world doesn't work like this anymore. I regularly collaborate with people all across North America. For a short time one summer (as a PhD student), I was working on a project with 4 people spread across 3 continents; one person in China, one in Turkey, one in Alberta (western Canada) and I was in western NY at a conference. Sure, it was a time-zone mess, but we had work to be done and timeliness mattered (I really felt for my colleague in China as he had just finished teaching all day and had to wait around until 9pm his time to connect with us).

What to do? Well, I guess I see it as my job to help students learn how to collaborate in new ways. I mean, I teach them about the need for collaboration and what types of applications might be used to collaborate, but I've never required them to actually use any of these tools before. And, like all time-pressed individuals, they just won't try something new if they don't have to. I guess it's about managing risk & reward - too risky to try a new way of working.

New this term, then, I have implemented a wiki (http://is251.openlearner.com) where each group will be developing their strategic IT report project. Here, they'll be writing about a company, identifying its strategy, performing a value chain analysis, discovering the current IS in use and, ultimately, making some suggestions for future IS initiatives that make sense given the corporate strategy. The students will be presenting their findings in class (part of teaching them to be comfortable making presentations), but they'll be working together in public on content creation. Wish me luck.

Monday, January 21, 2013

Business Strategy & why IT folks should care about it.

So, in teaching IS251 here at Loyola, we require students to find and post stories to an online site called Microsations.com. It's a bit like Reddit; they must post a link then have 255 characters to summarize it. I wish I could say this was my bright idea, but it belongs to my colleague, Paul Di Gangi. Ideally, the summary will explain how this story relates to the 3 key resources in information systems - People, Information & Technology (at least, according to the text we use). I happen to be a "people, process, technology" proponent, myself. Whatever.

Anyhow, this week students are tasked with finding stories related to business strategy. It's not surprising that they're struggling with this a bit. First off, we haven't started lecturing on strategy yet. Secondly, they haven't taken a business strategy class yet, either. So, we're seeing lots of stories that are more along the lines of marketing strategies. It's good for me, it will provide many teachable moments. :-)

But, why do we bother even looking at business strategy in an IS/IT course? Well, it's the classic Business-IT alignment argument. And before we can discuss the right IS choices for a firm, we really need to be sure we understand what that firm does - what it aspires to be and how it plans to make money. So, for this course, we focus on Porter's 3 generic strategies (low cost, focus, product differentiation) with some minor variations. We also talk about Value Disciplines from Treacy & Wiersema as another way of looking at these generic strategies. Where Porter takes a market-centric view in defining his strategies, Treacy & Wiersema shift to a customer-centric focus.

The first lectures will centre around understanding the business so that we can find the appropriate IS solutions to support business goals. This is why I ended up studying in a business school - I'm an IT person who really does think technology is cool. But I recognized that just because something is cool, doesn't mean it's worth spending time or money on, from the organization's perspective anyhow. Technology has to support what we want to do; it has to help the organization deliver on its strategy in some way, be that through reducing cost or opening up new products/services that delight the customer (who will then pay!).

Tuesday, November 13, 2012

My students need some help...

After several years' hiatus, I find myself reactivating the blog with this call for help. You see, I'm no longer a PhD student, but a real academic with teaching obligations. What fun! This term I'm teaching the standard intro to MIS course and the students need a bit of help collecting some data for an assignment. They'll be learning how to work with Access to do some simple data mining and have been set the initial task of collecting survey data.

As anyone involved in market research will tell you, getting people to respond to surveys is challenging. So, I've agreed to help them out with a posting to the world with links to their surveys. Each survey is 10 questions long, but some are really only appropriate for college students as they ask about the school you currently attend.

I've grouped the surveys by their basic subject. If you have 10 minutes and are willing to help out some students, please consider taking one or two of these. All responses are anonymous and the data will not be used outside this exercise. I expect the students will be only too happy to destroy it all when they're done.

Athletic Apparel:
https://academictrial.qualtrics.com/SE/?SID=SV_cPhIzuN6TTndq73

Online Shopping:
https://loyola.us2.qualtrics.com/SE/?SID=SV_3Q9sWfTfwYQbD6d

Coffee:
https://academictrial.qualtrics.com/SE/?SID=SV_cVjRiA7ZyKCUpUN

Health Care:
https://academictrial.qualtrics.com/SE/?SID=SV_emnLdp17J7sq40B

Cellphone Choice:
https://academictrial.qualtrics.com/SE/?SID=SV_06tE4oTsEU9auhL
https://academictrial.qualtrics.com/SE/?SID=SV_extrPJsTTE2J8wJ
https://academictrial.qualtrics.com/SE/?SID=SV_74e4TJJPhNCijOJ
https://loyola.us2.qualtrics.com/SE/?SID=SV_5d5PsvLyMMKvjZb

College Choice:
https://academictrial.qualtrics.com/SE/?SID=SV_86AqouSvNXUZQy1
https://academictrial.qualtrics.com/SE/?SID=SV_aeNiYehOoC8ucoR
https://loyola.us2.qualtrics.com/SE/?SID=SV_bvH3EHVAl6m0mwd
https://academictrial.qualtrics.com/SE/?SID=SV_2rgKQEfBE0miOJ7
https://academictrial.qualtrics.com/SE/?SID=SV_efitQ3qGLm7jA6F
https://loyola.us2.qualtrics.com/SE/?SID=SV_cVkAoatGQeQQ7Jz
https://loyola.us2.qualtrics.com/SE/?SID=SV_805rZaQREigTGIJ
https://loyola.us2.qualtrics.com/SE/?SID=SV_2cydXbIKr1fi7g9
https://loyola.us2.qualtrics.com/SE/?SID=SV_78kxW0Rd56fTLgN
https://loyola.us2.qualtrics.com/SE/?SID=SV_72Olb0gWHhUvfeZ

Monday, March 31, 2008

Relocation!

This is just a quick posting to explain what's happening. I've had to relocate my Hit/MIS blog and this is its new home. I've just put up the few past postings here (labelled with Archive) for anyone who cares.

Thanks for joining me here.