Security Perspectives Inc.
IN THIS ISSUE

1) For Executives -

What do you mean "Table Stakes"... I just want to do BUSINESS!


2) For Home Computer Users -

It's wise to have multiple e-mail addresses these days.  Here's why...

3) For Managers and Office Staff -

Security is not just the domain of the Security Team... So help them whenever you can!

Privacy is something we all want... So think of your customers' privacy when handling their information.

4) For Security Professionals -

Remember, you are not alone!

More help for IT Security consultants

Did You Know?

Those annoying warped images you encounter when registering or entering comments on websites actually have a name and a well-intended purpose.

CAPTCHA example image

They are called CAPTCHAs, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The objective is just that: to make sure the entity creating the email account or posting the website comment is a human. The idea traces back to the Turing test, proposed by Alan Turing in 1950 as a way of telling a machine from a person. But CAPTCHAs are only now becoming something just about anyone using the Web encounters.

The reason they are used is to try to prevent automated programs run by spammers from registering for hundreds of email accounts at a time, which they could then use to send spam, or from posting many comments with links to their sites. The reason spammers like to post links on websites is primarily to have search engines rank their own sites more highly in search results, which can happen when many other websites link to a site. That's why you may see strange, seemingly unrelated websites in the list of search results you get from Google. This practice is a nuisance for many sites, such as media sites that publish articles where readers can post comments, or blogs where reader commenting is enabled.

CAPTCHAs are supposed to present a problem that is hard for a computer program to solve but easy for a human. Some types of CAPTCHA work better than others, and it's a constant arms race between the sites that use them and the spammers. Many CAPTCHA schemes have been "cracked" by people who write programs for spammers. The most effective ones have been found to have lines running through the words or characters, which makes it harder for a program to segment the image into individual characters before trying to recognize them.

CAPTCHAs are probably doing some good in reducing the amount of spam we get, although it may not seem like it. The schemes used to distort the characters can also make them harder for humans to read. But they are improving.
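The image is only half of a CAPTCHA. The other half is the server-side check, which is where many deployments go wrong: if the expected answer is sent to the browser, or the same challenge can be guessed at repeatedly, a program does not need to read the image at all. The following is an added example written for this newsletter (not code from the article, from captcha.net or from any CAPTCHA library) showing one sound way to do that check. It keeps no answer on the client: the form carries only a token binding a random challenge id, an expiry time and an HMAC of the answer under a server secret, so the client can neither recover the answer nor forge a token for a guess. Every attempt, right or wrong, burns the challenge, so a program cannot keep guessing against the same image. Rendering the answer as a distorted image is left out; the answer is returned as plain text so the flow can be run. The function names, the 5-minute lifetime and the in-memory key and used-id set are this example's own assumptions; a real deployment would load the key from a secret store and keep the used-id set in a shared store.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string
import time
from typing import Optional, Set, Tuple

# Server-side secret. Assumption: in a real deployment this is loaded from a
# secret store and shared by every server that issues or verifies challenges.
_KEY = os.urandom(32)

# Challenge ids that have already been answered, rightly or wrongly. Assumption:
# a real deployment keeps this in a shared store with the same TTL as the token.
_used: Set[bytes] = set()

TTL_SECONDS = 300
ALPHABET = string.ascii_uppercase + string.digits
_CID_LEN, _EXP_LEN, _TAG_LEN = 16, 8, hashlib.sha256().digest_size


def _normalize(answer: str) -> str:
    """Case and whitespace are not part of the test: a human who types 'a b1' for 'AB1' passes."""
    return "".join(answer.split()).upper()


def _tag(cid: bytes, expiry: int, answer: str) -> bytes:
    """HMAC over challenge id, expiry and answer. The key is secret, so the
    client can neither derive the answer from the tag nor forge a tag for a guess."""
    msg = cid + expiry.to_bytes(_EXP_LEN, "big") + _normalize(answer).encode()
    return hmac.new(_KEY, msg, hashlib.sha256).digest()


def issue_challenge(length: int = 6, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (token, answer). The token goes to the client in the form (e.g. a
    hidden field); the answer is only ever shown to the client as a distorted
    image, which is outside the scope of this example."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    cid = os.urandom(_CID_LEN)
    expiry = int(now) + TTL_SECONDS
    blob = cid + expiry.to_bytes(_EXP_LEN, "big") + _tag(cid, expiry, answer)
    return base64.urlsafe_b64encode(blob).decode("ascii"), answer


def verify(token: str, submitted: str, now: Optional[float] = None) -> bool:
    """True only for an unexpired, never-before-seen token whose tag matches the
    submitted answer. Any attempt burns the challenge, so a program cannot keep
    guessing against the same image."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False
    if len(raw) != _CID_LEN + _EXP_LEN + _TAG_LEN:
        return False
    cid = raw[:_CID_LEN]
    expiry = int.from_bytes(raw[_CID_LEN:_CID_LEN + _EXP_LEN], "big")
    tag = raw[_CID_LEN + _EXP_LEN:]
    if now > expiry or cid in _used:
        return False
    _used.add(cid)
    # Constant-time comparison: no timing difference between near-miss and miss.
    return hmac.compare_digest(tag, _tag(cid, expiry, submitted))


if __name__ == "__main__":
    token, answer = issue_challenge()
    print("answer to render as an image:", answer)
    print("correct answer accepted:", verify(token, answer.lower()))
    print("replay of the same token rejected:", verify(token, answer))
```

This does not make the image any harder to read by a program; it only ensures that reading the image is the only way through, and that each image is worth at most one guess. Rate limiting the issuing of challenges per client is still needed, otherwise a program can simply request fresh images until one is easy.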

Carnegie Mellon University coined the term CAPTCHA, and continues to study and innovate in this area. For more information, check out http://www.captcha.net. They have many links there, including links to Wikipedia and even to a large-scale project called "reCAPTCHA" that uses CAPTCHAs to transcribe scanned book pages into digital text.


More Articles at:

http://www.securityviews.com

If you are interested in reading more of my security and risk management articles, please visit the Security Views web site by clicking on the link above. There are now over 70 categorized articles on topics such as insider threats, chain letters, awareness training, application security, and many other issues. 

I try to write at least one practical article a week on issues of interest to people like yourself. If you would like to use any of my articles in your organization's newsletters, please let me know.


Wondering About Security?

I am interested in understanding what kinds of issues are on your mind that might be worth writing about.  

Do any of the following cause you to lose sleep at night?:

  • Unauthorized Internet use by employees or family members
  • Corporate strategy and security
  • Security awareness
  • Screening new hires
  • Personally Identifiable Information (PII) at home or in business systems
  • Regulatory compliance
  • Asset valuation
  • Justifying security investments
  • Any other topics

Please reply to this message or email me at scott@securityviews.com with your questions or suggested topics.


Free Security Tools


I have developed some security self-assessment tests that you can use to score yourself on security at home and in the office. Just click HERE to go to the "Free Tools" Web page at http://www.securityviews.com where you will find the links to download these printable PDF files. 

I expect to have more downloadable tools on this page in the future.

About Scott Wright

While I may seem like your typical Engineer with an MBA, I have been known to actually help businesses and government organizations in the Ottawa area for over 20 years. 

I am always looking for ways to "Secure the Bottom Line".  It is my firm belief that security management is a key element of organizational success. My aim is to put the many different views of security into perspective, which leads to more efficient and effective organizations. Hence the company name - Security Perspectives.

Our role can involve facilitating change in areas such as corporate strategy, policy and process analysis, compliance, security awareness, product development methodology and deployment.

Methods we can use include surveys, interviews, workshops, organizational development, technical analysis, strategic discussion, training, coaching and keynote speaking on various topics.

I am a member of the Linked-In network, and would be happy to add you or your associates to my network. You can send an invitation to: swright@securityperspectives.com.

Distribution Information
 
You have received this initial distribution because you are one of the following:
  • A business associate of mine whom I thought might be interested
  • A Security Professional
  • A person who uses a computer, and might be interested in some practical information on how to secure your personal and private information!
  • A friend or associate of one of the above, and they thought you might be interested.
If you are not in one of these categories, or just wish to be removed from my email distribution list, simply reply and let me know. If you aren't on the mailing list, but would like to be, you can also send me a reply.

This newsletter is available in either HTML (with graphics and formatting), or in Text Only versions. Just click HERE to change your profile.

 
You should feel free to print, copy or forward this newsletter to anyone whom you feel might benefit, or be interested. I especially encourage you to pass it along to colleagues in other organizations, or to others at different levels in your organization. However, if you are forwarding or using an excerpt, please include the following copyright attribution:
 
(c) Scott Wright, 2007.  All Rights Reserved.



The Practical Security News
Issue 02, September 2007
Authored by Scott Wright,
Security Management Coach, Consultant and Presenter
Security Perspectives Inc.

The Practical Security News (TPSN) is aimed at providing news and information you can use today... in the board room, in the office or at home. For more information on this newsletter, why you are on the distribution list, or how to subscribe or unsubscribe, please see the note in the bottom left of this message.


For Executives

  What do you mean "Table Stakes"?... I just want to do BUSINESS!

I sometimes run across line or mid-level managers who are aware of the need to improve security in their environment but simply don't know how to get the point across to their senior managers. It's a tough sell because security often represents an unbudgeted cost which nobody quite knows how to justify. Senior management is seen as wanting to deal quickly with traditional business problems of budget, cost, competition, productivity, etc. For managers, talking to executives about security is like discussing religion or politics: a very uncomfortable subject, because there are conflicting assumptions and views of who should have to justify it and who should have to budget for it.

There are many ways to portray security, and each one seems to have its weakness. People often talk of the Return on Investment (ROI) for security. But you can't really measure an ROI on a security investment, because you can't accurately estimate the outcomes for security safeguards you invest in.  That's because a security safeguard protects you from an unknown number of uncertain future events. You are simply counting on the safeguards employed to reduce the likelihood or impact of such events. That's what security risk management is all about.

Many people like the "insurance" analogy. You pay a premium up front, and if something goes wrong you get a lump sum of money to cover a portion of the cost resulting from a compromise or security failure. There are a lot of similarities between insurance premiums and the cost of security safeguards. But security safeguards don't pay you back according to how much was lost or how much coverage you had. They either help prevent the loss, help recover from the loss, or ... they miss the loss. So, insurance is not really an ideal analogy for illustrating security in a business model.

So, how can we view security in a way that everyone can relate to it? Here's my suggestion. If you look at business as you would a poker game, you have to decide whether you are in a certain business or not. Are you going to play the game or not? The cost of security is the "table stakes": the cost of getting into the game. If you can't afford to protect your accumulated assets by implementing security safeguards, then you shouldn't be in the game in the first place. What's worse, you are gambling with your shareholders' and customers' money!

To elaborate on this concept, consider that in any business model the aim should be to provide Clients with value via a system, service or product in return for remuneration. Whether implied or written, the ultimate goal for the business system (internal), service or product (external) is for it to operate "correctly", as intended.  (In other words, play the game fairly, and don't cheat.) If the system fails to operate correctly, then it is not providing the value that was intended to the shareholder or the customer. 

Security breaches are never "intended" by honest business managers.  They want the product to operate correctly, and therefore, securely. So, the cost of security has to be built into the cost of building the system, service or product to operate correctly. In fact, you can't do a cost/benefit analysis without factoring the cost of adequate security. It really belongs in the business case, before you even start designing the system, service or product offering. An unexpected increase in cost has to be balanced against the anticipated benefit for a system, service or product for it to be a worthwhile business investment.

I have designed an exercise for executives to use in this situation. Your managers would probably like to know how you would answer the following questions:

1) If one of your key business systems, services or products had a vulnerability in it that could expose multiple clients' sensitive information to the general public, would you want to know about it? 

Discussion: The answer should obviously be "YES".  If not, then I respectfully suggest there is a bigger business problem at play than simply justifying security.

2) If you said YES to (1) above, "HOW" would you expect to be made aware of this situation?

  1. As a result of a design review escalation (for products designed in-house)
  2. As a result of a test failure and problem report escalation (prior to being put into operation or general release)
  3. As a result of an operational helpdesk incident escalation
  4. As a result of an internal audit report
  5. As a result of an external audit report
  6. In a publicized media report

Discussion: Again, the answer should be fairly obvious. The design review is the first and easiest place to fix such a vulnerability. This is the key to illustrating the objective of "Building Security In". If you don't think the answer is (1), there is probably a lack of understanding of the costs of addressing major flaws (of any kind) at various stages of a product lifecycle (maybe a topic for my next issue), or an unrealistic expectation of "good luck" in the face of a known risk. So, you either need to see some metrics that show the relative costs for changes at various stages of the lifecycle, or a few months' worth of relevant news from publishers of security breach data to show that the risks are real.

3) If you agree that the best place to address a major security vulnerability is during design (or pre-production for commercial products being used in production business systems), "WHOSE BUDGET" should bear the cost of analyzing the problem and implementing the change to address it? 

Discussion: If you are thinking of pointing to the Development or IT group, you should stop and think about the fact that the only group that can accurately perform a Cost/Benefit study to justify the "Table Stakes" is the Business Unit owner. Yes, the Development and IT groups have to work with the business managers to let them know the costs, but the Business Managers must make the decision on whether to increase budget or decrease the scope. They need to determine what it will take to build the system correctly. Incidentally, they should also be accepting the risk and accountability for going live.

After you have thought through your answers to the above questions, you might want to gather the managers together to discuss them. You are right to want to delegate these issues, but everyone needs to understand the rules of the game, or you are likely to be over-budget and under-resourced for the projects you have under way, let alone any new ones.

If you would like to discuss the topic of "Justification for Security Investments" please contact me.


For Home Computer Users

  It's wise to have multiple e-mail addresses these days. Here's why...

Having multiple e-mail accounts can help reduce the amount of spam you get at your most private e-mail address. Thanks to Rich Mogull at the Securosis Blog for posting (click HERE) the method he recommends for using multiple e-mail addresses.

The following are the types of e-mail addresses that Rich recommends:

1) Your Permanent Address - the one you only give to trusted friends who won't abuse it; you don't want to change it

2) Your Work Address - given to you by your employer; most offices allow employees to do a reasonable amount of personal e-mail from work accounts; but don't use this address for subscriptions, online purchases or newsletters

3) Trusted Merchants Address - use it for buying from places like Amazon, eBay, Apple, etc.

4) Untrusted Merchants Address - they only have to send you an email confirmation after you purchase, so you don't need to keep this one active forever

5) Newsletter Address - they need to send you confirmations when you change your subscription or profile, but it's not the end of the world if you need to change it (i.e. when you start getting too much spam).

Rich recommends NEVER using the e-mail address given to you by your Internet Service Provider (Sympatico, Rogers, etc.) as they can be big targets for hackers looking to harvest e-mail addresses. You may also change ISPs over time, and you don't want to have to change accounts every time. Yahoo, Gmail and Hotmail are also targets, but they generally put a lot of effort into protecting their e-mail accounts.

If you can get someone to help you, it only takes a few minutes to set up all these accounts and put them into your e-mail client program such as Outlook, Eudora or Thunderbird. That way, you will be able to view mail coming to all these accounts from one program. 

Many people don't realize that e-mail programs can handle more than one account at a time, and this is a good use for that feature.
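A side benefit of splitting addresses by purpose is attribution: when spam starts arriving at an address you only ever gave to one merchant, you know who leaked it and can retire that address without touching the others. The following is an added example for this newsletter (not from the article or from Rich Mogull's post) that takes the scheme one step further than the list above, with one alias per merchant or newsletter paired with the sender domain that is supposed to use it. It reads a handful of constructed messages, works out which alias each arrived at, and flags the aliases that have received mail from anyone other than their owner. The alias and domain names are made up for the example. One caveat a practitioner would add: the From: header can be forged, so a flag here is a triage signal that an address has leaked, not proof of who leaked it.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed scheme (an extension of the article's list, not from it): one alias
# per merchant or newsletter, each paired with the sender domain that should be
# using it. None means anyone may write to that alias. All names are made up.
ALIASES: Dict[str, Tuple[str, Optional[str]]] = {
    "me@example.net": ("permanent", None),
    "shop-acme@example.net": ("untrusted merchant", "acme.example"),
    "news-weekly@example.net": ("newsletter", "weekly.example"),
}


def _from_domain(expected: str, domain: str) -> bool:
    """True if the sender domain is the expected one or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def classify(raw: str) -> Dict[str, object]:
    """Work out which alias a message arrived at and whether the sender is the
    party that alias was given to. Delivered-To (added by the receiving server)
    is checked first because spam is often Bcc'd and carries no useful To:."""
    msg = message_from_string(raw)
    headers = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
               + msg.get_all("Cc", []))
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    for addr in recipients:
        if addr in ALIASES:
            role, expected = ALIASES[addr]
            leaked = expected is not None and not _from_domain(expected, sender_domain)
            return {"alias": addr, "role": role, "sender": sender, "leaked": leaked}
    return {"alias": None, "role": "unknown", "sender": sender, "leaked": False}


def leaked_aliases(raw_messages: Iterable[str]) -> Set[str]:
    """Aliases that have received mail from someone other than their owner:
    candidates to retire and replace with a fresh one."""
    return {str(r["alias"]) for r in map(classify, raw_messages) if r["leaked"]}


# Constructed sample messages (not real mail): the merchant's own confirmation,
# spam sent to the merchant-only alias, a legitimate newsletter, and a friend
# writing to the permanent address.
SAMPLES = [
    "From: orders@acme.example\nTo: shop-acme@example.net\n"
    "Subject: Your order 1234\n\nThanks for your purchase.\n",
    "From: winner@lottery.example\nTo: shop-acme@example.net\n"
    "Subject: You have won!\n\nClick here.\n",
    "From: editor@weekly.example\nTo: news-weekly@example.net\n"
    "Subject: This week's issue\n\nHello.\n",
    "From: friend@home.example\nTo: Scott <me@example.net>\n"
    "Subject: Lunch?\n\nFriday?\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print("leaked aliases:", leaked_aliases(SAMPLES))
```

Run against your own mailbox export, the interesting output is the set of leaked aliases: each one names a merchant or list that either sold your address or was itself compromised, and each can be replaced on its own while your permanent address stays untouched.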


For Managers and Office Staff

  Security is not just the domain of your Security Team... Help them whenever you can!

We all have a lot on our plate, and it's easy to say that "Security is the Security Team's job". But the truth is, security is everyone's job.  The Security Team's biggest responsibility is to see that security is being properly addressed throughout the organization, not to do it all themselves.

The Security Team rarely knows what information or systems you access every day. They depend on you to respect policies and follow the proper procedures, no matter what roles you are acting in.

The best thing you can do to help the Security Team is to be familiar with the policies and procedures that govern the jobs you are doing, AND with the organization's global policies that try to ensure consistency in everyday activities where procedures may not explicitly deal with situations.

Shortcuts may save you time, but in the end, if information is lost or divulged to the wrong people, it can cost the organization a lot of money and effort to recover. When it happens while you're supposed to be responsible, it's like being on the ice (or field) when the other team scores. A good team helps each other and sometimes goes beyond the call of duty to make sure the business systems are working properly and securely. Not only does it preserve shareholder value and customer loyalty, but it may save your job someday.

The procedures and policies may not be perfect, and if you see ways they can be more secure, write them down and send them to your manager or the Security Team. Policies and procedures can take a long time to put in place, or to change, so the earlier you start, the better.


Privacy is something we all want, so think of your customers' privacy when handling their information.

We can all relate to what it's like when someone gets their hands on your personal phone number or mailing address. We've all had to spend time dealing with unwanted salespeople on the phone, or cleaning out our inboxes filled with unwanted correspondence, but telemarketers, spam and junk mail aren't the worst things that can happen to you when privacy is lost.

When organizations collect personal information from customers, there are laws that dictate how that information has to be handled. The laws can be harsh on your organization if you don't comply with regulations, and even with your own published privacy policies. So, that should be some incentive for you to make sure they are followed.

If we turn the tables around, though, and you think of yourself as the customer, what will your experience be if information is mishandled?  Even small amounts of Personally Identifiable Information (PII) finding its way into the wrong hands can be put together with other information to create enough of a personal profile to apply for a credit card or other type of ID. This is how the pyramid of ID theft is built.

Once someone has enough information about you to get bank loans or credit cards in your name, it can make your life hell for some time, causing legal battles and phone calls to banks, telephone companies and credit bureaus.  It isn't fun.

So, even if it seems like the customer information you're handling isn't that sensitive, be aware of how it can be mis-used.  If not to comply with laws and policies, you should be thinking of how you'd like your information to be protected. Use the Golden Rule.

For an excellent discussion on privacy by some industry-leading experts, listen to The Security Roundtable's September 2007 podcast found at http://www.securityroundtable.com.

For Security Professionals

 Remember, you are not alone!

Are you facing daily announcements of new security vulnerabilities from product vendors, and handling an increasing number of security incidents from both outside and inside the organization? This can be enough to make you want to give up the fight to protect your employer's computing environment. Nobody seems to appreciate the incredible stress you are under, and very few realize that you are often the only one actively working to protect the organization from its own ignorance and short-sightedness.

If you feel like you are under attack from all directions by people trying to "enable business", who see you as just a barrier to productivity, don't forget that every organization faces similar problems in protecting its information assets.  The security professionals who manage to keep their heads above water know that it takes a lot of patience and perseverance to effect a large scale change of attitude towards security in a well-established culture.

If it's really true that so many of your peers are struggling with the same issues, where can you go for help, or at least a little sympathy?

There are a growing number of on-line websites and forums organized by, and for, security professionals. We are a dedicated group of problem-solvers who want to help each other. Many have learned lessons the hard way and are eager to share their experiences and wisdom with others, in the name of promoting security across all organizations. One of the most comprehensive lists of security websites I have found is located on The Security Catalyst site (http://www.securitycatalyst.com). The list, which contains over 40 links, can be found by going to this URL - http://tinyurl.com/2fy3lk .

The Security Catalyst website is run by Michael Santarcangelo, who is very passionate about helping people protect their information.  I have been fortunate enough to speak with Michael, and am hoping to join him in a podcast sometime in the next couple of months on the topic of Security Awareness. We also expect to bring in Rebecca Herold, who is one of the industry's leading experts and authors on the subject. Both of these professionals produce regular podcasts.

While on the subject of podcasts, this is a great way to get up to speed on many of the most current topics in any field, not just security. If you haven't encountered podcasts yet, I highly recommend them. There's nothing magical about them. They are simply audio files, usually in .mp3 format, that you can download, most often for free. They are usually between 5 and 70 minutes long.  I prefer to put them on a CD or load them onto an .mp3 player (or iPod) and listen to them when I'm driving. (Even my kids learn a bit about security on the way to school!) It's a lot like listening to satellite radio, with targeted content and news that you can pause, rewind and listen to multiple times.

On my site (HERE) I have posted links to some of the sites that typically have an ongoing series of downloadable audio podcasts. I hope you'll try them. You can listen to them straight from the host site by clicking a link or icon, or you can download them and put them on a portable device. Some services, such as Apple's iTunes, provide a directory and subscription service that automatically downloads the latest podcasts from any series you subscribe to.

The point I'd like to make is that you will find, in reading articles and forums, and listening to some of these programs, that many of the problems you are facing today are also being encountered by your peers across many industries. You can get ideas and build a case for improving your security based on others' experiences. It keeps you on top of the latest industry news and, more than anything, gives you a sense of community with others in the industry.

In the end, you want to focus on the business priorities just as everyone else does, so you can't let the firefighting consume all your time. Besides, it's not as much fun fighting fires as it used to be, is it? Learning how others are dealing with these problems will make you more valuable to your employer, and probably less stressed.


More help for IT Security Consultants

The Security Perspectives Forum is a closed discussion forum for IT Security Consultants. It is a place where we keep each other abreast of new opportunities, and ask technical questions that may be of interest to all of us.

Membership is moderated, but once you are a member, anyone can post messages to the group. You can join by going to:


You just need to provide some detail of your consulting activities in the security field so we can ensure that the members who post have potential value to contribute to the group.


(c) Scott Wright, 2007. All rights reserved.