Category Archives: Burgess – Security Thought Leadership

Articles written by Christopher Burgess in which he provides thought leadership and analysis. These include articles which have appeared in the RSA Conference blog, IBM’s MidSize Insiders, IBM’s Security Intelligence and Dice’s ClearanceJobs.com.


BYOD: Users are a nightmare without policies

Over the course of the past several years business leaders have evaluated and implemented the bring-your-own-device (BYOD) movement as a cost-effective methodology to preserve or reduce information technology (IT) operating expenses. In the quest to reduce these operational expenses, one might overlook the need to have a robust BYOD policy. A policy of this order addresses not only the technological issues associated with individual use of a personally owned device but also any procedural and data ownership issues. In essence, a policy document levels the expectations between company and employee.

The prevalence of BYOD is growing exponentially. In 2013, Juniper Research recently predicted more than one billion BYOD users by 2018, a number expected to equal approximately 35 percent of all consumer mobile devices. It is unlikely that every one of these devices will be used in accordance with the company’s expectations, but small to medium businesses (SMBs) should integrate their technological solutions and policies and ensure that they are commensurate with their available resources, thus making their BYOD policy a foundational item by coupling it with existing information security policies and other regulatory requirements.

Everyone has policies?


A recent study by Help Net Security indicates, “the majority of C-suite executives (92%) and just over half of small business owners (SBOs) (58%) have at least some employees using a flexible/off site working model. Yet, only 31% of C-suite executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.”

Dell UK Security is spot-on, as detailed in the above video: the use of BYOD is a mainstay. Rare will be the company that does not want its workers to use their own devices.

There is a great deal of work to be accomplished by the many companies who are allowing convenience to trump their security.

Policies Are Married to Technology

In creating the BYOD policy, IT professionals and systems administrators should make no assumptions about the technical acumen of the colleagues participating in the company’s offering. The aforementioned Juniper survey noted that 80 percent of smartphones would remain unprotected throughout 2013. In the face of so sobering a data point, midsize businesses must implement a technical engagement protocol. The goal is to provide the best possible solution to protect company data today via a secure technological implementation, together with a road map to a better solution.

Technological solutions cannot stand alone; they must be coupled with appropriate BYOD policies, policies that protect the company’s intellectual property, trade secrets and customer data. At the same time, the policies should not be overly restrictive of how employees may use their device, nor overly broad in granting the company access to the employee’s personal data. It may appear paradoxical, but an excessively strict policy implementation could in fact put the company at risk of accusations of unfair labor practices, according to a recent piece in CIO; not only that, but many employees faced with highly restrictive policies will seek unsafe workarounds. This is clearly not the purpose of a policy, which is to improve BYOD risk management, not add to the risk.

BYOD Implementation

An effective BYOD policy engagement will begin with who owns what on the device, under what circumstances the company may access the employee’s device and how that access may occur. Any specialized applications or capabilities that are part of the IT BYOD management suite and will be placed on the employee’s device should be identified. These applications may provide the company with an assurance of security through mandatory encryption or remote destruction capabilities. Regardless, it is incumbent upon the implementation team to explain what data on the employee’s device the company’s required applications are accessing, and how. Similarly, IT’s obligation to declare to the employee, with specificity, any prohibition on placing third-party applications that access company data on the device should be spelled out with crystal-clear clarity.

As nice as it would be to open BYOD implementation to any and all devices, it is reasonable for the SMB to restrict BYOD to those devices that their IT department is able to support. The last step is to have the policy presented to the employee, signed by both the employee and the company’s representative and periodically revisited with each individual user on a semiannual basis. This will not only keep the company’s expectations top of mind, but IT leadership will also have a window into any hiccups in the technological or policy implementation; the latter is information that could go a long way toward achieving the principal objective of BYOD: To enable business to be conducted in an efficient and secure manner.

BYOD Cost

A desired outcome of any BYOD implementation is to conserve operating expenses, and the cost of implementation is therefore a consideration. The SANS Institute white paper, “Managing the Implementation of a BYOD Policy,” provides an effective road map for a pilot BYOD project which can be implemented with little to no additional resources.

There are a plethora of mobile device management suites available from a variety of security vendors. Use one.

All the same, those who rush to embrace BYOD in order to save expense but who fail to ensure that implementation is accompanied by appropriate IT policies and infrastructure that pass legal muster may prove themselves to be penny wise and pound foolish.


A prior version of the above piece, authored by Christopher Burgess, originally appeared on IBM’s MidsizeInsider blog.


Where’s Your data and Can You Actually Get To It?

You arrive at work or home. You unload your laptop or go to your desktop and power up the system by pressing the “ON/OFF” button. Lights flicker; nothing happens. If you’re like me your mind races; you sigh and think, “I don’t need this today.” You repeat. You inspect. You scratch your head. This was my situation a few weeks ago. I had been away on a business trip, came home and powered up my desktop. The lights flickered, glowed and then nothing happened. I was stymied. I repeated the sequence; still nothing. I grabbed a screwdriver and dug into the system. It didn’t take me long for my inspection to reveal that the motherboard was toast (literally).

My initial reaction was one of relief that it wasn’t the hard drive, and I glowed knowing that I followed my own advice and had a multi-drive data backup regime. But then I quickly realized that while I had thought through the protection of data, I couldn’t get to it. I was offline. This was a scenario I had neglected to anticipate: the death of the primary client having nothing to do with accessing the data. I needed a new computer and a means to access the data from the now-deceased laptop. I removed the hard drive and secured it, along with the multiple external drive, data-backup devices. I took the remnants of the computer to the local technology recycle center. I began researching the type of computer I was going to purchase, and what my options were to access the data housed on the multiple devices in my possession.

Along with the new computer, I purchased an external-drive chassis that was compatible with the hard drive I had rescued from the defunct desktop. This allowed me to place the drive into the chassis and have the new computer recognize it as an external drive through a USB connection. I was able to transfer the data to the new computer as well as keep it on the old drive. The entire process took me three days to complete – three full days that I didn’t have access to data, email, and my life online.

My lesson learned: I need to establish a methodology to access my data in the event the primary routes have been corrupted or are unavailable. In my case, I acquired a used laptop with basic capabilities to serve as a backup device to access my data in the event my primary device fails. I was fortunate. My event happened on a Friday and by Monday I was back in business. Can you or your business afford to be without your data for three days?

I strongly advocate the back-up of data both at home and at the office, as you just never know when the media holding your data will receive a coffee-bath, run afoul of a magnet or simply go missing. I also recommend having a back-up device to access your data in the event your primary device fails. This will keep you from having to ask yourself, “Why can’t I get to my data?”

The above was originally published in the Huffington Post in March 2010, authored by Christopher Burgess.

Selling secrets to Russia? It’s a bad idea

The headline read: Selling Secrets to the Russians? Jason Bourne Fan arrested in spy drama of his own. The headline implied that the motivation for Gregory Allen Justice was his sick wife, a job at which he felt unappreciated and a fascination with cinematic secret operatives such as Jason Bourne and James Bond. There’s more to the story.

When he was arrested for what the Federal Bureau of Investigation, in its filed criminal complaint, called probable cause of Economic Espionage, violation of the Arms Export Control Act and violation of the International Traffic in Arms Regulations (ITAR), Justice found out just how adroit the FBI, working with the Air Force Office of Special Investigations (AFOSI), can be when working an espionage case.

BREAKING TRUST

Justice allegedly broke trust with his employer, a cleared defense contractor (which, according to his father, is Boeing Satellite Systems). He is alleged to have reached out to the Russian Embassy in Washington, DC in late 2015 to volunteer his services.

His first attempt at contact involved sending a letter, followed by a brief phone call to the Russian Naval Attaché at the Russian Embassy (military attachés in embassies are on occasion associated with military intelligence). This letter, according to the criminal complaint filed in the United States District Court, Central District of California, contained a “technical schematic.”

On February 10, 2016, Justice again called the Russian Naval Attaché’s office at the Russian Embassy and asked if there was interest in maintaining contact and obtaining similar things. At that point, the FBI did what the FBI does: it stepped in and provided Justice with all the rope he needed to hang himself.

FBI COVERTLY ENGAGES GREGORY ALLEN JUSTICE

Justice was contacted two days later by an undercover FBI special agent (S/A) who posed as a member of the Russian external intelligence service, the SVR. The S/A picked up the conversation and arranged to meet with Justice. Over the course of the next few months (February – May 2016), Justice met the S/A face-to-face on five occasions. On each of the last four occasions, Justice brought information which was either proprietary or in violation of US export regulations, signed a receipt for cash received from the S/A and volunteered to expand his collection efforts in support of what he believed to be the Russian SVR. (NB: It is not revealed whether the Russian intelligence apparatus acted upon Justice’s attempt to volunteer, or took a pass.)

Justice explained that all of the information he was providing was “ITAR,” and went on to compare his collaboration with the S/A to the “spy movies” of Jason Bourne, James Bond and “The Americans.” Furthermore, Justice claimed to need money to fund his wife’s medical bills. Readers of the entire criminal complaint will see that, while his motivation was financial, it was to fund his relationship with a woman other than his wife, and narcotics distribution. He provided the information to the S/A on 16-gigabyte USB thumb drives.

INSIDER THREAT PROGRAM

The cleared defense contractor had in place a robust insider threat program. In November 2015 the program detected Justice copying a number of files to an external device, and it subsequently provided confirmatory information to the FBI/AFOSI on the information which Justice would purloin prior to each meeting with the S/A.

WHAT WAS AT RISK

While Justice did not have access to classified programs, he did have access to the following satellite system programs:

  • Wideband Global Satellite Communication (WGS)
  • Global Positioning System (GPS)
  • Geostationary Operational Environmental Satellites (GOES)
  • Tracking and Data Relay Satellite (TDRS)
  • Milstar Communications Satellite (MILSTAR)
  • Tangential access to additional programs
    • INMARSAT
    • MEXSAT
    • GPS IIF

INFOSEC TRAINING

Furthermore, as a cleared defense contractor, one would expect there to be a comprehensive cyber and counterintelligence briefing and training program, and there was. Justice’s training folio showed he had taken a variety of courses.

  • Information Security 2015 (July 10, 2015)
  • Intellectual Property for Engineers and Technologists (July 10, 2015)
  • Threat Management Training for Employees (July 9, 2015)
  • Trade Secrets and Proprietary Information (July 9, 2015)
  • Enterprise US Export Awareness Overview (July 9, 2015)
  • Information Security 2014 (June 25, 2014)
  • 2014 Ethics Recommitment Training (May 6, 2014)
  • Enterprise US Export Awareness Overview (November 27, 2013)

CONTROLS TO PREVENT A LEAK

The cleared defense contractor had in place a data loss prevention (DLP) monitoring program and, as noted above, found Justice downloading data to a USB device. In addition, the resident DLP monitoring program captured screenshots of Justice’s computer at a cadence of approximately every six seconds, and when an external medium such as a USB drive was inserted into a laptop/desktop, the system prompted to encrypt the data.

Physical access procedures were also in place at the cleared defense contractor’s facility. To enter the building, Justice was required to display a badge to a guard or enter through a badge-controlled gate. In addition, access controls existed at Justice’s specific work area, via a badge swipe. In order to access his workstation, Justice was required to insert his badge and enter a PIN (a description that fits Common Access Card functionality). Access controls on specific data sets required re-authentication by Justice in order to gain access. Furthermore, within the contractor’s IT system, when entering the collaborative data sets environment, all data was clearly marked and delineated as proprietary and/or requiring compliance with export controls.

SUMMATION – TRUST BUT VERIFY

Justice broke trust. The contractor’s DLP system identified his accessing and copying files to external devices. It is unclear from the criminal complaint if this actionable information was of sufficient caliber to warrant action or if the action occurred only after the FBI/AFOSI arrived on the scene post-Justice’s volunteering his services to the Russian intelligence apparatus.

Entities with insider threat programs are challenged with both the potential for a mountain of false positives and the determination of what level of activity warrants action. Each program will be different, but retaining access to the data for archival review should be mandatory. The rationale: today’s actions may appear mundane and low-risk, but when added to additional pieces of data, which may also appear innocuous and low-risk, they create a more complete picture of the mosaic of risk presented by the employee breaking trust.

 

 


A version of the above, written by Christopher Burgess, was originally posted in Clearance Jobs in July 2016: Profile in Espionage – Curtailing a Satellite Spy with an Insider Threat Program


Your IT Security Teams Enable Business

Having an IT security team is an imperative for all companies, not just those in the enterprise space. This dedicated set of eyes is essential for small- to medium-size businesses (SMBs). It is imperative that security team members have a clear understanding of their role as a support to the organization and that their success be measured by the business team’s success.

While it is easy to assume that IT understands its role in enabling business, the reality is that IT finds itself out of alignment with the business all too often. This was recently highlighted in a Network World piece on the Cloud Security Alliance Congress keynote by V. Jay LaRosa, ADP’s senior director, converged security architecture: “As security practitioners here, the problem is not with the cloud but with us, with our ability to evolve.” He went on to add that IT security managers are often seen as barriers to innovation.

IT Security Barrier?

LaRosa’s statement is accurate in many cases. The IT leadership team, be it at an enterprise or an SMB, frequently finds that its CIO has no seat at the company strategy table, and the security team is even less welcome. Why? It is largely due to the perception that the security team is an impediment to the business; it is the “no” team. This dissociation between the perceived goals and metrics of the IT team and the business team creates an artificial conflict, especially problematic within an SMB, where collaboration across company units is paramount for success.

The business team’s goals and metrics are easily understood: They provide goods and services that the market desires, retain current customers and obtain new customers. There is little difference in scope between an SMB and an enterprise in this regard, but the security team is a different story. In general, the goals and metrics of the security team are to minimize risk and reduce the number of security incidents that could derail the business. An enterprise has an advantage when it comes to technology and headcount whereas an SMB may be more resource-challenged. The commonality lies in the natural tendency for the business team to expect security to focus on the minimization of risk so that a negative security event does not happen in the first place. Typically, IT teams, when asked to embrace an innovative technology or means of engaging a customer, are perceived as simply saying “no” in order to minimize risk. These perceptions must be adjusted.

Embrace Change with Innovative Business

LaRosa points out that the IT security professional should “never say no.” Indeed, the conversation has to shift; the desire to embrace change and innovation means that an SMB needs a dedicated and focused security entity. A team that can embrace innovation will find its internal client eager to engage.

The road forward will not always be free of obstacles. There will be times when the IT security team just doesn’t know, and in admitting a lack of understanding of, or solutions for, an identified risk, it provides added value. When unresolved risks are called out, IT professionals outline a road to mitigation. Once the business team has been offered choices, it has the information required to make an informed decision: to defer implementation while the identified risk is mitigated; to proceed with the knowledge that both the risk and a roadmap to mitigation exist; or to acknowledge the risk and hope that it does not become a reality. For IT security teams, their value-add is magnified when they provide solutions and options that align with the company’s goals and metrics.

This post was originally written by Christopher Burgess as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet, and posted on Dec 16, 2013.

Source: http://pivotpoint.io/en-us/article/it-security-teams-enable-business

Travel with a USG security clearance? 5 tips for a secure trip

Travel security for the cleared professional is incredibly important, both for personal safety and for the protection of classified information.

One of the first briefings an individual receives after being informed that they have been granted a security clearance, is the counterintelligence brief. Included in the counterintelligence brief will be multiple references to foreign and hostile intelligence services and their interest in individuals who have been granted a security clearance and enjoy the trust of the U.S. government. This is reinforced during the foreign travel security brief which the cleared individual will receive from their Facility Security Officer.

Both the Federal Bureau of Investigation and the Defense Security Service have issued counterintelligence guidance (see below) to prep the foreign traveler, and it should be a mainstay of the pre-travel preparation of any traveler.

5 travel tips

Tip #1:

Travel with “designated” travel devices. Ensure the device(s) being used are “designated” travel devices, that is, devices which are sanitized prior to travel and loaded only with data required for the trip. The traveling executive will no doubt want access to every email and all their electronic files when on the road, as productivity may otherwise drop. Security concerns, however, make it prudent to travel only with information specific to the trip.

Tip #2:

Maintain 24/7 possession of these devices. As detailed in the counterintelligence pamphlets, foreign intelligence services delight in being allowed physical access to cleared U.S. personnel’s electronic devices. Maintaining 24/7 possession increases the level of difficulty considerably. Do not allow convenience to trump security by relying on the hotel room safe to secure the electronic devices: while the safe may slow down the casual thief, it can be opened by the aforementioned foreign intelligence service in seconds, using the same technology the hotel uses when you call and advise that you have forgotten the 4-6 digit PIN and your passport is inside.

Tip #3:

Register your itinerary with the U.S. Department of State. The Department of State’s Smart Traveler Enrollment Program is designed specifically to alert the U.S. Embassy or Consulate where one is traveling. Enrollment is free, and the traveler can update their itinerary via the website. In the event of a natural catastrophe or civil disturbance, the Embassy/Consulate will have your contact data, and if warnings or alerts are provided to U.S. persons in the consular zone, the traveler will be included.

Tip #4:

Have no expectation of privacy. While privacy is fleeting in many locales due to population density and cultural norms, the privacy discussion here is more along the lines of privacy for sensitive conversations or meetings. Hotel rooms, restaurants, elevators, cafes, lobbies, etc., should all be considered hostile environments where no sensitive conversations should take place.

Tip #5:

Avoid illegal activities. Avoid any activities which could be construed as provocative by the local security services. From time to time, travelers in foreign locales lose their inhibitions; avoid doing so. Nothing makes the foreign intelligence officer’s job easier than a traveler who chooses to place themselves in a compromising position. This could take the form of taking an envelope from a stranger, engaging in black-market currency exchange, purchasing illegal substances, etc.

Need help putting together a travel security program for your company? We can help.

The above first appeared under the byline of Christopher Burgess on ClearanceJobs.com.


The Four Vectors Targeting Intellectual Property

On 18 February 2015, Prevendra CEO Christopher Burgess had the pleasure of presenting at the Seattle Technical Forum, as one of five speakers presenting on a topic within cyber security. His topic, drawn from the offerings of Prevendra’s Two-Day Knowledge Share, was The Four Vectors Targeting Intellectual Property.

Those who have read Secrets Stolen, Fortunes Lost will recognize the vectors to be those of the insider, the competitor, organized crime and nation states. Espionage is alive and well. Key takeaway for every company: “The targets are who you are and what you do.”

PDF: Presentation: Four Vectors Targeting Intellectual Property

Image: Christopher Burgess presenting at the Seattle Technical Forum, 18 February 2015 (Four Vectors Targeting Intellectual Property)
Image: Who is the target?
Image: Notable incidents of espionage

National Security – Facility Security Officer & Cognizant Security Authority

Working within the Defense contractor environment, the roles and responsibilities of the facility security officer are of critical importance.

Thinking of entering the defense contractor market place or wish to provide services to a classified government customer, Department of Defense, intelligence community or other government agency or department? You will want to familiarize yourself with the National Industrial Security Program Operating Manual (NISPOM) and the Director of Central Intelligence Directives (DCIDs). The NISPOM is your security operational bible, containing the many parameters surrounding the defense classified engagement, while the DCIDs serve the same purpose from engagement within the intelligence community.

Fair warning: engaging within the classified community, you will encounter acronym overload; the manual contains over 103 of them. That said, there are acronyms which every entity supporting a classified government engagement will want to know. The CSA, CSO and FSO are three of the most important.

CSA = COGNIZANT SECURITY AUTHORITY

Within the NISPOM/DCIDs parlance, Cognizant Security Authority (CSA) denotes the department or agency which has security administrative responsibility for the classified activities and contracts under their remit. The CSA serves as the ultimate arbiter with respect to interpretation of the NISPOM or DCIDs, whichever is applicable. Inquiries are forwarded to the CSA either through the Cognizant Security Offices (CSO) for contractor facilities or the commander or head of facility for U.S. Government facilities. If a contractor is to utilize a CSO, the CSA will identify the entity to the contractor. In addition to providing interpretation of the operating manuals, the CSA also serves as the decision point with respect to obtaining a waiver.

FSO = FACILITY SECURITY OFFICER

Within Defense contractor facilities sits the Facility Security Officer (FSO). The FSO must be a U.S. citizen employee who is cleared to work within the cleared facility, and is appointed as FSO by his/her employer, the contractor. The FSO will “supervise and direct security measures” within the facility. Thankfully, one is not simply appointed FSO and cut loose: the FSO is required to take applicable training courses in order to fully understand the complexity of the requirements levied by the CSA and outlined within the NISPOM/DCIDs.

Those who enjoy the trust of their government and are working within a classified environment can expect the FSO to provide a facility-specific standard operating procedure (SOP). The SOP will include those portions of the NISPOM/DCIDs that are applicable, as well as any unique requirements levied by the CSA or the contracting government agency.

Reference: NISPOM February 2006 (Incorporating Change 1 – March 28, 2013)

This article was originally crafted for ClearanceJobs.com in January 2014 and has been updated prior to being posted here.


Data Leak = Data Compromise


Hans Brinker statue, by user:Pieter1 via Wikimedia Commons

Have you experienced a data compromise lately? The old adages “still water finds its own level” and “moving water finds a path of least resistance” both have applicability when we think of the result of a data leak. How employees engage with data loss prevention (DLP) processes, policies, procedures and software may be where the solution resides. With still water, data is at rest; with moving water, your data is in transit. Just like the two water states, there are also two types of employees: those who are trying to do the right thing each time they touch your data, and those who have more malevolent intentions (to include not caring).


The latter, malevolent, type is perhaps best exemplified by former National Security Agency (NSA) independent contractor Edward Snowden, who stated in June 2013, during an interview with the South China Morning Post, that he had sought the position with NSA contractor Booz Allen Hamilton specifically with the intent to collect, remove and expose data about the NSA’s programs. These types of individuals exist, with more regularity than you may think, and are a prime rationale for having a formal DLP program at many companies. These individuals know and understand that they are breaking their trusted access to protected information, as opposed to the well-meaning employee who, trying to do the right thing, ends up doing it at odds with existing DLP processes. These employees, when stymied by the “system,” tend to find the path of least resistance.

Take the case of the City of Milwaukee, which recently discovered city employees’ (and their families’) personal identifying data was placed at risk when an employee of a city vendor, Dynacare, copied personal identifying information (PII) to a USB stick and placed it in her purse. The purse was then stolen from the Dynacare employee’s vehicle. It is doubtful the Dynacare employee had copied the data to the USB stick with the intent of having it stolen—no doubt the copy was made for another reason—but the end result is the same, data leak = data compromise. The PII was now out of its controlled state and the individual employees of the City of Milwaukee were at risk of having their PII exploited by criminal elements.

It is necessary to protect against both intentional and unintentional data leaks.

The first step must be to verify where your data is at rest and whether it is stored where it should be on the company network and devices. That is, is the data stored in accordance with the information security policies and the regulatory or compliance requirements? Whatever the sector or business, if you don’t know where your data is, you will not be able to determine whether you have a data leak or data compromise (until it shows up where it doesn’t belong, in a criminal’s or a competitor’s hands).

The next step is to detail who has access to the data. Smaller companies as a norm have broader access, given the many hats worn by a limited number of employees, compared to larger companies, where roles are more segregated. Access control lists (ACLs) have been used for many years to restrict access to sensitive data to those who need it to perform their job functions, otherwise known as the “principle of least privilege.” Are the ACLs actually used to restrict access? Is there a means to discover whether an authorized user is placing the data in an unauthorized location or otherwise retaining or sharing the information?

Once you know where your data is stored and who has access to it, enabling a DLP program will go a long way toward meeting any compliance or regulatory requirements, and it will also provide an opportunity to create workable information security policies designed to enhance, rather than restrict, business success. The responsibility for data protection is not restricted to the IT team; it is every employee’s responsibility, and policies and procedures must be crafted accordingly. The equation data leak = data compromise remains a constant, one we must remind ourselves of every day.
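The data-at-rest check described in the steps above can be automated. The script below is an added example and is not from the original post: it walks a set of files, flags Social Security numbers and Luhn-valid payment card numbers, and reports any that sit outside a sanctioned location. The file contents, the sanctioned path (/srv/hr/payroll/) and the PII patterns are constructed for illustration; a real scan would walk the actual file shares and endpoints and use the organization's own policy for where each data class may live.

```python
"""Data-at-rest discovery: find PII stored outside sanctioned locations.

Added example, not from the original post. The "file system" below, the
allowed location and the PII patterns are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample file set: path -> content.
SAMPLE_FILES = {
    "/srv/hr/payroll/2013-q4.csv":
        "name,ssn,card\nJane Doe,123-45-6789,4111111111111111\n",
    "/home/analyst/Desktop/export.csv":
        # 987-65-4320 is in a range the SSA never issues; the regex ignores it.
        "Jane Doe,123-45-6789\nJohn Roe,987-65-4320\n",
    "/media/usb0/backup.txt":
        # First number passes Luhn; the second is a random digit run and does not.
        "card 4111 1111 1111 1111 exp 12/15\nnot a card 1234 5678 9012 3456\n",
    "/home/analyst/notes.txt":
        "Meeting at 10:30, call 555-0100.\n",
}

# Where this class of PII is permitted to live (assumed policy, not the page's).
ALLOWED_PREFIXES = ("/srv/hr/payroll/",)

# SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optional single space/hyphen between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    sample: str  # masked, so the DLP report does not itself leak the PII


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, raw_match) pairs for every SSN or Luhn-valid card in text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", m.group()))
    return hits


def scan(files: dict[str, str], allowed_prefixes: tuple[str, ...]) -> list[Finding]:
    """Report PII found anywhere except under an allowed prefix."""
    findings: list[Finding] = []
    for path, content in files.items():
        if path.startswith(allowed_prefixes):
            continue  # sanctioned location: data at rest where policy says it belongs
        for kind, value in find_pii(content):
            findings.append(Finding(path, kind, mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, ALLOWED_PREFIXES):
        print(f"{f.path}: {f.kind} {f.sample}")
```

Two design points matter in practice: the report masks what it found, so the finding list is not a second copy of the data, and the Luhn check plus the never-issued SSN ranges keep the false-positive rate low enough that the results are actionable rather than noise.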


This post, by Christopher Burgess, was originally crafted in January 2014 for the RSA Conference Blog, and has been updated and modified prior to posting here.

May 2013 interview of Christopher Burgess on Bloomberg TV on the topic of national cyber security, shortly after Edward Snowden indicated that the NSA had a data leak and there had been a substantive data compromise.


When do you introduce Security Awareness training?

A new employee shows up on day one and walks through his ID card briefing, compensation and benefits brief, and security brief, meets his new team and manager, and tries to retain all the information rushing at him through the orientation fire hose. All boxes checked, the employee is good to go, and the security team notes that 100 percent of new employees continue to receive security awareness training. Really?

The human element tells us the new employee retains the orientation information that is of the highest immediate value to him. Does the security program’s information cross the threshold of “useful”?

Does Security Awareness Training Work?

While the aforementioned security brief may be a necessary evil or an important box to check on the compliance checklist, it is also an excellent opportunity for the security team to make their first impression a good one, and drive home the point that all employees are members of the security team.

The security team then needs to follow up its orientation brief in short order with a localized brief that includes the direct manager. The manager’s inclusion personalizes the training: the manager can relate the discussion directly to the work of the individual. For example, “The reason we ask you not to use your personal device to access company data is…” This localization also lets the security awareness program pursue global strategic initiatives, for example cutting down on (or eliminating) tailgating into corporate buildings, while respecting local cultural sensitivities. Confronting a tailgater may be culturally difficult: even though the “why” is clear, the “how” is ambiguous or awkward.

How Do You Measure Success?

Do you measure how many laptops are lost, devices infected, data stores breached, or customers lost? These are all valid measures of security failures. But how do you know that your employees are taking proper precautions? Cyber-security teams may use off-the-shelf test programs that salt employee email with a piece of “phish.” There are also homegrown tests, such as tossing a dozen USB sticks into the company parking lot and then tracking how many are found and whether any of those found were inserted into devices.

Valid tests will produce a measurable number—but does that number necessarily produce an actionable result? Did the test have a “right answer,” such as “don’t open email attachments” or “don’t put a device into your machine?” If that was the metric, you had a valid test. But do tests such as these actually teach security awareness? The jury continues to be out. However, these tests aren’t the only arrow in the security-awareness-training quiver.

Some believe awareness training doesn’t serve to address the targeting of the individual employee by those attempting to acquire company or personal information. Invincea CEO Anup Ghosh told SecurityWeek that organizations need to “give up on the idea of training this problem away,” whereas others believe that the in-the-moment training opportunity presents a wonderful opportunity for the individual user to be tested, his learning reinforced, and the test results discussed.

What Is Key?

The key to effective awareness training lies in the attendant discussions that involve the employee base. And Ghosh is right: training will not make the targeting of employees by ne’er-do-wells disappear. But having employees who are able to identify the efforts of malevolent individuals is an important security win. Suspicious behaviors employees should learn to recognize include an individual eliciting information at the hotel coffee shop, someone tailgating into a building, the “wayward USB stick,” or the email with the bogus header; recognition of these tactics is a measure of the success of the training program. This information is measurable, and it gives the security team data points that their data loss prevention (DLP) efforts cannot see. If employees are reporting anomalies, the program can be considered successful.
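The point above, that reports rather than clicks are the metric worth tracking, can be scored directly from a simulation's event log. The script below is an added example and is not part of the original post: it parses a constructed campaign log, separates employees who reported before (or without) clicking from those who clicked and stayed silent, and measures how quickly the first report arrived. The log and its three-field layout (ISO timestamp, user, event) are an assumption for illustration; real phishing-simulation tools export their own formats.

```python
"""Score a phishing simulation by what employees report, not only what they click.

Added example, not from the original post. The event log and its layout
(ISO timestamp, user, event) are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed event log for one simulated campaign. Events: sent, opened, clicked, reported.
SAMPLE_LOG = """\
2014-01-14T09:00:00 alice sent
2014-01-14T09:00:00 bob sent
2014-01-14T09:00:00 carol sent
2014-01-14T09:00:00 dave sent
2014-01-14T09:03:12 alice opened
2014-01-14T09:03:40 alice reported
2014-01-14T09:05:05 bob opened
2014-01-14T09:05:30 bob clicked
2014-01-14T09:20:00 bob reported
2014-01-14T09:10:00 carol opened
2014-01-14T09:10:20 carol clicked
2014-01-14T10:00:00 dave reported
"""


def parse_log(text: str) -> dict:
    """Return {user: {event: first timestamp}}; repeated events keep the first time."""
    events: dict = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events[user].setdefault(event, datetime.fromisoformat(ts))
    return events


def score(events: dict) -> dict:
    """Campaign metrics: click and report rates, who reported cleanly,
    who clicked and stayed silent, and seconds until the first report."""
    sent = [u for u, e in events.items() if "sent" in e]
    if not sent:
        raise ValueError("no recipients in log")
    clicked = [u for u in sent if "clicked" in events[u]]
    reported = [u for u in sent if "reported" in events[u]]
    # The behaviour awareness training is after: a report with no click,
    # or a report that beat the click.
    reported_clean = sorted(
        u for u in reported
        if "clicked" not in events[u] or events[u]["reported"] < events[u]["clicked"]
    )
    # A click with no report at all: the follow-up list for the security team.
    clicked_silent = sorted(u for u in clicked if "reported" not in events[u])
    sent_at = min(events[u]["sent"] for u in sent)
    first_report = min((events[u]["reported"] for u in reported), default=None)
    return {
        "sent": len(sent),
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "reported_clean": reported_clean,
        "clicked_silent": clicked_silent,
        "seconds_to_first_report": (
            (first_report - sent_at).total_seconds() if first_report is not None else None
        ),
    }


if __name__ == "__main__":
    for key, value in score(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that bob both clicked and reported; he counts toward the report rate but not toward the clean list, while carol, who clicked and said nothing, is the person the localized follow-up brief should reach first.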

Security awareness may not be the panacea; it is, however, the gift every company has the opportunity to give itself. Engaging your colleagues continuously and not just “once and done” moves you closer to the real goal—keeping the company’s personnel and information secure.

Added Bonus

When your employees are more “security aware,” the knowledge they obtain at work transfers to their personal security practices, and they and their families benefit. We at Prevendra teach small and medium-size businesses how to create a culture of security awareness, and through our Senior Online Safety portal we provide an ongoing stream of safety tips to keep those 45 and older safe and secure online and off. Do yourself a favor and include regular discussions on cyber hygiene, safety, and security at your place of business and at home. It will be time well spent.

Note: The above was originally written by Christopher Burgess for the RSA Conference Blog in January 2014 and has been updated for posting here.


Top 10 reasons your employee’s security clearance was rejected

We’ve all been there. The Defense Industrial Security Clearance Office (DISCO) or the Office of Personnel Management (OPM) rejects your applicant’s application package. What went wrong? Your employee dutifully filled out all the necessary paperwork, and you thought the application package was complete and tight. But here you are, reading, “We are sorry to advise that the application package for John Doe has been rejected; please address the following issue and resubmit.”

In this day and age of a highly mobile society, where changes of residence and job occur more frequently than in the past, complete data helps the applicant tremendously. With respect to DISCO, its number one identified issue is incomplete or missing employment information.

DISCO admonishes:

“List all employment; include the company which is submitting the clearance request as current employer. Applicant should list all full-time work, paid or unpaid, consulting/contracting work, all military service duty locations, temporary military duty locations (TDY) over 90 days, self-employment, other paid work, and all periods of unemployment.”

OPM, on the other hand, notes that its number one identified issue is fingerprint cards not being submitted in a timely manner.

OPM admonishes:

“Fingerprint cards must be provided to OPM within 14 days of approval by DISCO”

The good news is that both DISCO and OPM have shared their top ten reasons for application rejections (current as of July 2012).

DISCO – THESE TEN ITEMS ACCOUNT FOR 96% OF ALL DISCO REJECTIONS

  1. Missing employment information
  2. Missing social security number of spouse or adult co-habitant
  3. Missing relatives information
  4. Missing Selective Service registration information
  5. Incomplete information concerning debts or bankruptcy
  6. Missing education reference information
  7. Missing employment reference information
  8. Incomplete explanation of employment record
  9. Missing personal reference information
  10. Missing explanation of drug usage

OPM – THESE TEN ITEMS ACCOUNT FOR 98% OF ALL OPM REJECTIONS

  1. Fingerprint cards not submitted within the required timeframe
  2. Certification/Release forms information illegible or missing
  3. Certification/Release forms not meeting date requirements
  4. Discrepancy of place and date of birth information
  5. Missing references (character, residential, employment or educational)
  6. Discrepancy of e-QIP Request ID Number
  7. Missing employment information
  8. Certification/Release forms not submitted
  9. Missing education information
  10. Missing residence information

Using the above two lists as a final checklist will significantly reduce the likelihood that the application will be rejected because of a missing or incomplete item. Remember, it is both the applicant’s and the security officer’s responsibility to ensure the packages submitted to DISCO/OPM are complete.

As the adage goes, the devil is in the details.


This piece by Christopher Burgess originally appeared on the ClearanceJobs blog.



Cyber Security Event Denial: If I don’t report it, did it really happen?

“If a tree falls in the forest and no one is there to hear it, does it make a sound?” The cyber security equivalent of this query unfortunately exists: “If a compromise occurs and no one reports it, did it really happen?” The answer in both instances is, “of course.” Yet a recent survey of 200 security professionals by Opinion Matters for Threat Track reveals that two-thirds of these professionals dealt with a security incident that was never acknowledged or reported by the company. In essence, event denial occurs. Manufacturing and utility companies are far more likely not to report a material breach (79 percent of those that had a breach opted not to report it to customers, partners, or other stakeholders), while information technology and telecom (57 percent) and health care (56 percent) were somewhat better, and less likely to engage in denial or non-reporting, than the average of 66 percent.

Why Report?

This begs the question, “why?” When security events are swept under the carpet, only two things can occur, both negative. First, the event isn’t documented, remediated, and addressed, and thus is likely to recur. The education and remediation portion of the security continuum is not allowed to happen, so the loop of constant improvement is broken. Event denial occurs: the event was never documented, therefore it never occurred. Second, when, not if, the decision not to report or address the incident comes to light, the confidence in and credibility of the company, and its ability to be trusted to do the right thing, is damaged, perhaps irreparably, with customers, partners, and other stakeholders.

There is a third if you are in a regulated industry. For example, in the health care vertical there is a regulatory requirement to report a breach if it involves the loss of protected health information (PHI). Not only is there a requirement to report the breach, there is also the potential for a fine courtesy of the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) if it is not reported.

Perhaps No Reporting Required

But why would someone not report a security event? There are a number of reasons. The incident may have been a security event, but with no material damage and no data breached. For example, a client device goes missing, yet a review of system logs demonstrates that the device had full-disk encryption, the encryption was in use, and the device was current with required security updates (and, importantly, the device was powered off or locked when it left your custody, since full-disk encryption only protects data on a device that is not running unlocked). Situations like these constitute loss of gear, not loss of data. We read far too often about people having their laptops stolen from their vehicles or lost at the airport (or forgotten at the security checkpoint; 1,200 devices a month go missing at airport security checkpoints). In such cases the loss of equipment is an internal financial matter, and the notification is handled internally.

Another example of when a security event may not need to be reported is when the incident was successfully remediated before any exfiltration of information, before a successful connection to an external element, or when the malware was otherwise prevented from completing its attack. The bar for this statement is admittedly high, and it requires having one’s thumb on the pulse of the organization, its data, and its remediation protocols, but it is viable and practicable.

In sum, the recommendation is to educate the workforce, customers, vendors, and other stakeholders to report any and all anomalies they encounter. When that proverbial tree falls and is discovered, it is best to let all concerned know. It will go a long way toward building trust and credibility in the relationship.


This post was written by Christopher Burgess as part of the RSA Conference Blog.


Customer Loyalty Sweepstakes: The Winner Engages the Customer

Depth of customer loyalty is driven by product quality coupled with how successfully the engagement with the customer is executed, according to the November 2013 Nielsen report, “How Loyal Are Your Customers?” which was derived from the Nielsen Global Survey of Loyalty Sentiment in which 29,000 Internet respondents from 58 countries participated. Nielsen’s global survey noted loyalty to be fickle, especially when competitors appear with product, promotions and technological infrastructure that not only catch the customer’s eye but also engage the customer with the least amount of technological friction.

“There is a strong link between the way consumers describe their loyalty habits and the way they subsequently buy — so even comparatively small shifts in what consumers say can manifest in big changes in what they do,” said Julie Currie, senior vice president of global loyalty at Nielsen, in comments about the survey’s findings. Approximately 84 percent of survey respondents indicated a strong preference for a retailer with a loyalty program over a competitor without one. The data points toward the efficacy of having a customer loyalty program over not having one. The vagaries of how customer relationship management (CRM) solutions are implemented are where the differentiation between brands takes place. Membership in the loyalty program does not guarantee loyalty, of course, but it does open the door for companies to earn the customer’s loyalty at every encounter.

This does beg the questions, “How are you going to engage with the customer when they are not standing in front of you?” and “How are you going to use the customer data derived from the engagement?” These two questions are not as simple as they may appear.

Use of Data

Information technology infrastructure capable of handling a robust influx of data is paramount. Data may come via a myriad of sources, including marketing, manufacturing, fulfillment, sales and support. Customers in 2013 are likely to be well versed in digital engagement and will be in search of a frictionless experience. The challenge for the IT decision makers at midsize firms is to ensure that infrastructure is interconnecting all internal entities. Most importantly, it enables the company to avoid fragmentation of effort and to speak with one voice. Furthermore, it means having in place the technology to support personalized engagement oriented to the touch points between the customer and the company.

Engagement

The customer may engage via social networks, a help line, or loyalty program portals. In each case, the customer is choosing the manner in which it is most convenient for them to engage. IT leadership, especially in midsize businesses, is accountable for ensuring the infrastructure is adequate to the task. If the infrastructure is not sufficiently integrated to allow the engagement to roll up instantly to a customer service screen, the customer experience will be fraught with potential disconnects. This is especially important for those small and medium businesses (SMBs) that have a local physical presence as well as a far-reaching virtual presence. Capturing the interaction on both planes, the physical and the virtual, gives SMBs the dexterity to make real-time adjustments to their customer interaction based on engagement data.

The loyalty program’s connectivity with the company’s social networks permits direct marketing and early warning to support staff in the event of a product failure. Moreover, there is no better way to engender word-of-mouth activity than personalization of the customer engagement via the social networks. The integration of social network engagement with the other areas of the company requires infrastructure concordance. The Nielsen report indicated that 75 percent of respondents expected loyalty programs to provide perks, such as free products, with 82 percent in the North American market expecting discounts or other money-saving offers from the loyalty program. SMBs have the ability to engage their customers on the fly, making adjustments as necessary based on sales, social media network sentiment, volume and engagement, thus keeping their loyal customers loyal.

Are Loyalty Programs for You?

Not all loyalty programs prove successful, and customer engagement comes in many flavors. As noted in Time, a number of brands within the supermarket vertical have shuttered their customer loyalty programs, which had a total of more than 172 million participants. They found it a more effective strategy to address the customer set at the neighborhood level instead of the individual level. Does that mean that they stopped engaging their customers? Not in the least.

SMBs that make the investment in customer engagement that provides customers with useful information and that enhances their experience will be best positioned to win the customer loyalty sweepstakes.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.


Information Technology at the Strategy Table

The chief information officers (CIOs) and IT management teams of the past were assigned a budget and then expected to execute necessary operations based on that budget alone. This was a situation that required the IT department to row, so to speak, after the corporate ship. Today, successful companies, including those in the midsize market space, have incorporated the CIO and IT management team into the corporate strategy team. Their seat at the business decision maker’s table ensures that the only goal is to make all business teams successful. How do they accomplish this? According to an Economist Intelligence Unit report, “The CIO’s responsibility is still to show other senior decision-makers the ‘art of the possible’ when determining how emerging technology can affect their businesses.”

The Art of the Possible

Interestingly, the Economist report notes that the interviewed CIOs believe that only 35 percent of the senior executives with whom they engage have a strong understanding of the technology needs of their organizations and that only 40 percent of their senior colleagues enjoy a high level of technological literacy. What does this mean for IT professionals? They need to be prepared to translate for and to educate their colleagues, not only about technology, but also about the business benefits of technology. Technological advances, such as in cloud computing, virtualization, security and mobile, are all key components in the business-to-customer engagement, and all of these areas are moving forward at breakneck speed.

The seat at the strategy table will go a long way toward addressing the historic perception of the midsize company’s CIO as more of a tactical than a strategic player. Tim Theriault, CIO of Walgreens, provides sage advice for any IT professional — not just a CIO — in the Economist report: “There is a new way of doing things in which you achieve higher revenue or lower cost or better loyalty or all of them at the same time. The good CIOs I talk to can speak directly to their strategy, what they are doing in business terms.”

Strategic IT a Business Imperative

The IT presence at the business strategy table also requires all parties to remember that the sharing of knowledge is a good thing. In his article at InformationWeek, Peter Waterhouse says, “The advent of technologies like mobile and social computing has made sharing not only feasible, but profitable, too.” Instinctively, professionals know the best solution may come from the most unlikely source. Sharing of data and information across the vertical silos within a company raises the odds of discovery of those unexpected solutions. The leadership strategy table is where the company’s future direction is discussed and where the CIO gains insight into the direction being taken by the other chief x officers (CxOs) of the company. The CIO has the opportunity to educate the CxO strategic leadership team about the capabilities of the IT department. When discussing strategic future direction, the CIO’s ability to articulate what falls within the realm of the immediately possible with available resources and what may require building or acquiring a new capability for the IT team is invaluable to calculating operational expense forecasts.

In the course of these strategic discussions, the decision is often made to proceed with the acquisition of some new capability. The CIO ascertains whether the technological implementation is achievable in house or requires a managed service provider (MSP). Building one’s own capabilities in a rapidly changing technological environment is no small feat, especially for small to medium businesses (SMBs). New technologies may require either staff or contract personnel augmentation, including a means of ensuring that these new arrivals come with the requisite expertise.

In addition, the availability of individuals with unique skill sets may be limited. When evaluating the MSP option, comparison of capabilities across a variety of MSPs is desirable. Engagement of an MSP will frequently be the most logical choice since the SMB is able to implement best-of-class solutions via emerging technologies by leveraging the expertise of an MSP in order to provide immediate benefit to the business without the long-term investment in internal resourcing.

Leadership at the most successful companies will allow the discussion to be strategic, empowering and robust. Business decisions, which include IT solutions, evolve for a common goal: Business success. Therefore, the most valuable approach for the IT professional with a seat at the company strategy table is to speak about IT solutions in business terms.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. 

Security 2014 – Educate and Analyze

Writing for IBM Midsize Insider, Christopher Burgess offered up his thoughts on 2014.


Moving into 2014, the chief information officers (CIOs) of small to medium-size businesses (SMBs) have security challenges ahead of them. In an eWeek piece, Michelle Maisto interviewed Steve Durbin, the Information Security Forum’s global vice president, who made several recommendations of areas of focus for the information technologist in 2014. These included bring-your-own-device (BYOD) and cloud, personally identifiable information, and intercompany data sharing.

Contemporaneously, CSO Online offered an in-depth piece by George V. Hulme, which called out five specific ways in which enterprises should reduce risk: By closing the skills gap; shifting away from a regulatory compliance mindset; improving incident response; communicating to business, not at business; and shifting to increasingly data-based decision making. All of this advice comes down to two ideas, both vital to implementing a security regime within SMBs and enterprises: Training/education and data analytics.

Train and Educate Staff

An opportunity exists to enhance the knowledge of IT professionals and their ability to harvest available data and make solid choices based on that data. These decisions may be proactive, to prevent security incidents from occurring, and reactive, focused on the use of data analysis to reach complete and rapid incident resolution. A portion of the recipe for success requires an investment in current personnel.

It is almost always more cost-effective to make an educational investment in current staff than to step out into the marketplace to find individuals with specific talents; the marketplace is crowded with others looking for that very same talent. Daniel Kennedy, research director of information security at 451 Research, commented in the CSO piece, “We are always seeing conversations about staffing concerns. And it’s not just small and mid-sized companies that are having trouble finding and retaining talent, it’s a problem even at the top.”

Analytics

While enhancing employee skill sets is important, it is equally important that IT make use of tools and resources that are up to date with today’s — not yesterday’s — risks. This may require a different way of thinking and collaborating internally. Data can overwhelm an IT team if collected without a road map to utilization, with the result that the team finds itself lost in data. Having in place the analytics tools required to leverage data will in turn keep the CIO’s team working smarter.

Better empirical data analysis can be achieved. In addition, access to similar industry data sets serves to increase the overall knowledge base of the IT security team. Durbin explains, “Cyber resilience requires recognition that organizations must prepare for a threat. It requires high levels of partnering and collaborating, and for organizations to have the agility to prevent, detect and respond [to an event] quickly and effectively.”

In sum, SMBs will be wise to invest in the education of their current staff. The investment not only raises the level of knowledge but also the overall capacity of the company to address current threats. Furthermore, businesses should encourage collaboration and share knowledge within company walls. A decision by an IT professional can no longer be made on the basis of instinct and experience alone; as noted, empirical data and data from other companies must now be factored into the equation.

Source: http://midsizeinsider.com/

Resume Security – Know what and where you are posting

Resume Security – The security risks associated with resumes, including candidate-provided content and the employer’s processes, checks and balances.

RESUME SECURITY

There are two sides of the coin surrounding the security aspects of the job hunt. On one side we have the individual and the risks to which the jobseeker is exposed during the job hunt; on the other we have the employer, who is sifting and sorting for the best candidate while also managing the risks of making decisions based on resume content.

THE JOB HUNTER:

What are your risks?

The resume: Identity theft comes in many forms, from something as mundane as having your content lifted and used by another person. How can you protect against identity theft? Some items shouldn’t appear on a resume, including your Social Security Number (SSN) or your physical address. A telephone number or a unique, one-off email address should be sufficient for an interested employer to reach out and engage. Only when an offer is to be made, or when the interview process has advanced to the background check step, should these key identity items be provided.

The job search process: It is important that you know with whom you are sharing your resume, and the bona fides of the recruiter or of that blind position you see on a job board. There have been documented cases of individuals with access to Human Resources systems culling through personnel and applicant files, lifting enough information to craft a parallel identity, and then obtaining credit cards and loans under the duplicate persona. The aforementioned steps will go a long way toward lowering the identity theft risk.

THE EMPLOYER:

What are your responsibilities?

The employer is challenged to ensure the candidate is who they claim to be and that the information they are providing is accurate. The risk of fraudulent data finding its way onto a resume is not insignificant. According to a recent survey conducted by HireRight, two out of three employers have encountered an applicant lying on their resume (which may indicate that the number is actually higher, as the likelihood that 100% of those engaging in this fraudulent practice are identified is slim). Reviewing social networks is a low-cost, high-return method of validating the candidate’s bona fides. Call references, and develop secondary references during your background check. And do yourself a favor and use a secure, niche site such as ClearanceJobs.com.

The employer also must remember to protect job applicants’ information from various types of exploitation, including financial identity theft (loans, credit cards, bank accounts); Social Security identity theft (a market for Social Security numbers exists to provide documentation for those who are ineligible for one); and use of an applicant’s identity when confronted by law enforcement.

In sum, if you are looking for your next position, remember that when you post or submit a resume you are placing your information into the hands of another to protect; take a moment and ensure that you are not giving away too much personal information. And for those who are accepting resumes, remember you are being entrusted with the personal information of an applicant. Protect it.

Source: http://news.clearancejobs.com

IT Security Teams Enable Business – IBM Midsize Insider – December 2013

Writing for IBM Midsize Insider, Christopher Burgess discusses how IT security teams enable business.


Having an IT security team is an imperative for all companies, not just those in the enterprise space. This dedicated set of eyes is essential for small- to medium-size businesses (SMBs). It is imperative that security team members have a clear understanding of their role as a support to the organization and that their success be measured by the business team’s success.

While it is easy to assume that IT understands its role in enabling business, the reality is that IT finds itself out of alignment with the business all too often. This was recently highlighted in a Network World piece on the Cloud Security Alliance Congress keynote by V. Jay LaRosa, ADP’s senior director, converged security architecture: “As security practitioners here, the problem is not with the cloud but with us, with our ability to evolve.” He went on to add that IT security managers are often seen as barriers to innovation.

IT Security Barrier?

LaRosa’s statement is accurate in many cases. The IT leadership team, be it at an enterprise or an SMB, frequently finds that its CIO has no seat at the company strategy table, and the security team is even less welcome. Why? It is largely due to the perception that the security team is an impediment to the business; it is the “no” team. This dissociation between the perceived goals and metrics of the IT team and the business team creates an artificial conflict, especially problematic within an SMB, where collaboration across company units is paramount for success.

The business team’s goals and metrics are easily understood: They provide goods and services that the market desires, retain current customers and obtain new customers. There is little difference in scope between an SMB and an enterprise in this regard, but the security team is a different story. In general, the goals and metrics of the security team are to minimize risk and reduce the number of security incidents that could derail the business. An enterprise has an advantage when it comes to technology and headcount whereas an SMB may be more resource-challenged. The commonality lies in the natural tendency for the business team to expect security to focus on the minimization of risk so that a negative security event does not happen in the first place. Typically, IT teams, when asked to embrace an innovative technology or means of engaging a customer, are perceived as simply saying “no” in order to minimize risk. These perceptions must be adjusted.

Embrace Change with Innovative Business

LaRosa points out that the IT security professional should “never say no.” Indeed, the conversation has to shift; the desire to embrace change and innovation means that an SMB needs a dedicated and focused security entity. A team that can embrace innovation will find its internal client eager to engage.

The road forward will not always be free of obstacles. There will be times when the IT security team just doesn’t know, and in admitting a lack of understanding of, or solutions for, an identified risk, it provides added value. When unresolved risks are called out, IT professionals outline a road to mitigation. Once the business team has been offered choices, it has the information required to make an informed decision: to defer implementation while the identified risk is mitigated; to proceed with the knowledge that both the risk and a roadmap to mitigation exist; or to acknowledge the risk and hope that it does not become a reality. For IT security teams, the value-add is magnified when they provide solutions and options that align with the company’s goals and metrics.

Source: http://midsizeinsider.com/


Data Breach: The Downside of Data Loss for SMBs – IBM MidSize Insider – December 2013

Writing for IBM Midsize Insider, Christopher Burgess speaks to the downside of data loss for small to medium businesses.


Preferred business practices dictate cybersecurity, and data protection methodologies are a requirement for endpoint devices that contain customer data, to protect against the possibility of a data breach or data loss. Customer data is among the most precious of all data within a company, especially if that data contains personally identifiable information (PII). Unfortunately, a substantial number of small to medium businesses (SMBs) in the United States, approximately 14 percent, have chosen not to implement any security measures, and only 9 percent use endpoint security techniques, according to a recent “Small Business Cyber Security Survey” by McAfee and Office Depot. With numbers such as these, it should come as no surprise that a great many SMBs are ripe for a data breach.

Protect the Endpoint

More often than not, endpoint security solutions are viewed by SMBs as a luxury, an unnecessary operational expense. Of course, it is unnecessary until the price of losing customer data is calculated. The situation is analogous to a fisherman setting out to sea without an individual flotation device. At sea without a life jacket? It should never happen. Yet the McAfee and Office Depot survey indicates that 91 percent of SMB companies surveyed are doing just that with respect to protecting company data on endpoint devices. SMBs are rolling the dice in the hope that the device will not be compromised or lost.

Unprotected Endpoint

The risk posed by allowing unprotected endpoint devices within the SMB becomes an actual threat when any of those devices go missing, be it due to theft, accident or carelessness. When a device goes missing, a fundamental breach of the company’s security occurs, and if customers’ PII is stored on the device in an unprotected manner, a material breach has also taken place. It is instructive to consider the incident that compromised over 9,000 Milwaukee city employees and their partners, according to the Journal Sentinel. A flash drive containing the names, addresses, dates of birth and social security numbers of approximately 6,000 employees and 3,000 spouses and domestic partners was lost when the automobile of an employee of a city vendor was stolen. The affected individuals are now faced with the very real threat of identity theft, and the city and its vendor with the unexpected cost of the post-breach notification and operational adjustments.

Protected Endpoint

The cost to IT of protecting the endpoint would have been negligible in comparison with the cost of the data breach. This leaves every SMB with a clear path to follow: If company or customer data is to be allowed on endpoint devices, then the company’s investment to protect that data is a necessity. The IT department’s investment in the security solution preserves not only the data but also the reputation of the company and its brand. If a protected device goes missing, it is not a data breach; it is a loss of a device that contains protected data.
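As an added illustration of that last point (not code from the article or from IBM), the Go functions below seal a constructed set of employee records with AES-GCM before they are copied to removable media, assuming a hypothetical company-held key; a found drive then yields only ciphertext, and a wrong or tampered copy fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample of the kind of records the article describes (name,
// address, date of birth, Social Security number). Not real data.
const sampleRecords = "Jane Doe,12 Elm St,1970-01-01,123-45-6789\n" +
	"John Roe,34 Oak Ave,1982-06-15,987-65-4321\n"

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForRemovableMedia encrypts records before they go onto a flash drive or
// laptop. The key is held by the company (hypothetically, in its endpoint
// management system); only the random nonce and ciphertext reach the device.
func SealForRemovableMedia(key, records []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, records, nil), nil
}

// OpenFromRemovableMedia recovers the records. A wrong key or a modified blob
// fails authentication rather than yielding plausible-looking garbage.
func OpenFromRemovableMedia(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
}
```

With the key kept off the device, a lost drive holds nothing an opportunist can read, which is the difference between a device loss and a data breach.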

Every business regardless of size has company data, some of which may include customer data. Regardless of whether the company issues the smart phone, laptop or other device to an employee or the company has embraced bring-your-own-device (BYOD), preferred IT security practice requires the protection of endpoint devices.

Source: http://midsizeinsider.com/

Secure the Data! Big Data Analytics Can Help, IDG Connect, November 2012

“Secure the data!” That’s the klaxon call that every chief security officer (CSO) or chief information security officer (CISO) hears 24/7/365 coming from their CEO, their customers and their partners. In the 12th century AD, the methodology of choice to protect one’s data was to place it within the castle keep behind high walls designed to withstand attack from catapults and battering rams. Then along came the counterweight trebuchet, and the concept of defense in depth behind a tall wall was forever changed.

Today, we are no longer able to fully isolate ourselves from the rest of the world and successfully conduct commerce. Instead, we must embrace our always-on, always-available society, with the full knowledge that it isn’t a Pollyanna world out there, and your network, device or user may fall within the crosshairs of an unsavory ne’er-do-well who is looking for a vulnerability to exploit. And we must do so in the realization that the amount of data, structured and unstructured, is exploding. In the most recent Cisco Visual Network Index report (May 2012), it was estimated that global mobile traffic would reach 10.8 exabytes per month by 2016.

The combination of massive amounts of data (volume), coming from multiple sources (variety), in real time (velocity), causes angst, as the bounds of size and structure limit effective analysis. But analyze we must, and we must be able to address the three basic areas every CSO/CISO wishes to be able to answer:

Know where your data is – especially the crown jewels
Who is in the house? Anomaly detection
Many hands make light work? Industry collaboration

Proven advanced intelligence components are a key part of the big data analytic platform solution. Advanced analytics (natural language processing, machine learning, ontologies, plots and visualizations, information retrieval, data mining, and inference) are all key components of the analysis toolkit. The key is to access the unstructured data in real time with near-instantaneous analysis. The CSO/CISO must be able to search, recommend and classify large volumes of data, but the real payoff comes when the relevance of the data is revealed, and therein lies the return on investment.

The market is nascent, the big data analytic tools evolving, and the need growing. Sadly, there will be a shortage of 1.5 million data analytic managers and between 140,000 and 190,000 data analysts between today and 2016, according to The McKinsey Global Institute’s “Big Data: The next frontier for innovation, competition and productivity”. Right now, if not yesterday, entities either have to be educating their technical staff in the nuances of how to work with a variety of evolving infrastructure capabilities, or hire out the expertise. Having the ability to connect the silos of disparate data allows for the connecting of the dots, the revelation of vulnerable data stores and the detection of anomalous behavior. In addition, they must engage their community, be it like-sized companies or those in a similar sector, and share. Share experiences, share warning signs, share raw network data, and then marry the structured with the unstructured for the total 360-degree view.

In sum, the big data analytic toolset for use in addressing security issues is evolving, and the evolution cycles are fast, furious and full of opportunity for the CSO/CISO to get aboard that analytics boat early.

Source: http://www.idgconnect.com