Innate Security

When a Patch is not a Patch?

2010-10-13T09:31:00.000-07:00

When does turning off IIS' ASP.NET 2.0 Web Service Extension considered a patch? However, in at least one of Microsoft's Patch Tuesday releases, this is exactly what happened (KB953300).

Really, Microsoft?

Actually, I believe it was a flawed fix that disabled the feature in the process of installing the updated dll.

Some references:

http://power-programming.co.uk/post/2009/10/21/ASPNET-stopped-working-after-installing-Microsoft-NET-Framework-20-Service-Pack-1-Update-KB953300-.aspx

http://www.asp.net/learn/whitepapers/ms03-32-issue

Security is not a concern for Web RIA? Really?

2010-07-05T19:39:00.000-07:00

Ok, so I am a bit peeved these past few months... no, these past few years. In my few experiences as a developer of Rich Internet Application (RIA) interfaces

Why is it the two most prominent RIA platforms do not sufficiently support cryptography? For the hundreds of thousands of dollars spent by Adobe on its Creative Suites (Flash/Flex/Air/Actionscript), and the millions of dollars spent by Microsoft on Silverlight; why is security such a non-issue?

Java, whose applet UI has always had a poor user experience, has supported full cryptography and security since 1.3 (or 1.2 with the separate JSE package).

Yet, for the overwhelming majority of the market in rich user interfaces owned by Adobe and Microsoft, there is no security - unless you rely on SSL. Granted, Actionscript has some great contributors for some crypto; but where are the big boys?

There is a plethora of publicity surrounding enterprises that have allowed security breaches against their consumers; I feel the same onus should be put on the manufacturers of software development interfaces. If a company plans to sell a web-supported UI; it should be required to support [X] level of encryption; security data at rest (in memory) and in transit (beyond just SSL).

What do you think? Do organizations like OWASP have the backing to induce such changes?

Contextual Security: Access Control to the Nth Power

2009-10-15T13:12:00.000-07:00

In the 1990’s, the touch screen had its place on some niche markets, such as restaurant consoles, and other businesses that lend themselves to this type of user interface. Yet it was the Smartphone interface that garnered the first real breakthrough in touch screen usability, since reduced real estate forced innovative and efficient workflow designs. The next breakthrough had been inclusion of gesturing, made possible with new technologies in multi-touch sensing screens. In 2006, NYU research scientist Jeff Han[1] allowed the user interface to change lanes from “tasks defining user behavior” to “user gestures defining tasks”.

The innovative use of technology ushers in an astounding array of new input patterns. Input is no longer tethered to keypads, keyboards, smartcards or biometrics devices; rather it has become 4-dimensional – assimilating codes, gestures, motions and timing into a complex representation of user behavior. The time is ripe for new security paradigm to grow from these patterns. Security will not longer be defined by users following security access rules, but by devices “listening” to what the user wants [as security] and learning user behavior in context.

Security can be enhanced in three distinct ways: multi-modal, multi-factor, and cooperative extensions. Multi-modal enhancements increase security by introducing new inputs into an existing system, mathematically increasing its uniqueness. Multi-factor enhancements add additional dimensions of security – i.e. not just what a user knows, but what a user possesses. Finally, cooperative extensions allow security to use external (out-of-band) knowledge about a user to augment the security context in which the user operates.

Increasing Security with Simple Math

Shortly after reading how Synaptics has now introduced a multi-touch screen capable of ten-finger touch[2] for normal mobile phones, the thought of N^th level security came to mind.

Why? Simple math, of course… if a single keypad requires a password of 4 numeric digits, the possible combinations are 0000 to 9999, mathematically a combination of 10 items taken 4 at a time, or 10⁴ power. Imagine if each press of the keypad was replaced by a dual-key press. The combinatorial limit jumps to a staggering 65,610,000 – 90 items (00…99, minus 10 sets of duplicate digits) taken 4 at a time, or 90⁴ power.

Allowing single and double key-press codes, the 10K combinatorial security of a 4 digit pin is matched with just 2 combinations, 100 items taken 2 at a time, or 100². Add any number of gestures and the combinatorial limits jumps another factor.

This type of security does not just apply to computers and mobile devices, but everyday security such as home alarm keypads and car security systems.

Increasing Security through User-Defined Behavior

These new interface elements allows us to have better security through behavior. My expertise is in the keystroke dynamics world where behavioral biometrics is assessed from the rhythm of one’s typing pattern; specifically flight time and dwell time. This creates a pretty robust, albeit single faceted, behavioral mapping of a user.

Having multi-touch screens and gestures, incorporating the characteristics of the user input – not only timings from the keystroke dynamics realm but stroke patterns, angles and pressures from the handwriting recognition realm –the idea of security really becomes an unfettered medium.

Imagine allowing the user to set their security access method to be any behavior combination the user decides is appropriate for them. It could be as simple as allowing a multi-touch code of the keypad. Or perhaps it is the user drawing a custom gesture on the screen of the touch-based interface. On mobile phones with motion sensors, security can even be as natural as doing the Macarena (while holding the phone in one hand)! These phones can even detect if it is not in the pocket of the normal owner by calculating the innate stride and gait of the user from its gyroscopic sensors.

Increase Security utilizing Cooperative Information

Security through user behavior is not a novel concept. Behavioral biometrics has been studied at various times throughout modern history, as far back as WW-II with the U.S. government research on the “Fist of the Sender”. The most limiting factor of utilizing behavioral biometrics is the restriction of the input technology available on the device (or network) being protected.

Ideal security is reached when internal measures can be augmented by external factors. In Bruce Shneier’s security blog (and in his book “Beyond Fear”), there is a great anecdote about the lima bean plant’s natural defense mechanism[3]. To paraphrase this story, when the lima bean plant is attacked by a certain bug, it emits a pheromone that attracts the bug’s own predator. The unique characteristic here is that once one lima bean plants emits this pheromone, all surrounding lima bean plants are triggered to emit this chemical; thus proactively protecting the entire lime bean patch.

This “cooperative security” mechanism provides us with a novel approach to access security. In fact, there exists this same paradigm in some of the newer IPS’s (intrusion prevention systems) such as LayerX Technology[4], whereby a confirmed breach attempt on one edge device will share this information with other edge devices in that community, so that they may be aware and proactively prevent the same attempt across the enterprise.

With the advent in BlueTooth seamless connectivity, other devices can lend themselves to promoting access security by sharing their access meta-information with surrounding devices. For example, in an office where a rogue user has failed to access John Q’s mobile device several times, it may send out a distress signal to other listening devices (such as workstations or laptops) to beware of accessing the network as John Q. This can, in turn, trigger a notification to a security office to investigate this more closely – even so far as tracking which door access pads have used John Q’s access code for entry and exit.

Security in Context

Can we get better security by simply replacing passwords with gestures? Yes, for a period of time.

In the end, we must concede that all this technology leads us to understand that security is a process, not a product. There are no absolute safeguards for access control; but the methods presented here allow us to increase the capabilities of where security can grow.

We can no longer force security onto the user in an isolated medium; or expect security from a single dimension to be sufficient.

The shift presented here is to elicit security methods the user behavior and their surroundings. Like human to human communication, context is imperative to comprehension.

[1] Reference. http://www.ted.com/talks/jeff_han_demos_his_breakthrough_touchscreen.html

[2] Reference. http://www.betanews.com/article/Tenfinger-multitouch-headed-to-mobile-gadgets-this-year/1248280076

[3] Reference: http://www.schneier.com/news-063.html

[4] We do not promote LayerX above any other IPS, but use it as a reference point for illustration purposes only.

Microsoft Search Branding "Faux Pah"

2009-09-17T11:05:00.000-07:00

Here is an interesting tidbit:

Microsoft has just rebranded its "Live Search" as "Bing", right? Well, I opened a Chinese fortune cookie that gave the definition of "Bing" to mean "disease".... Of course, this sounds too good to be true, so I looked it up on several sites -- here is the best explanation of the chinese word "bing": http://www.zhongwen.com/d/175/x102.htm

----

I admit it, I am late to the party... see the explanations given at http://liveside.net/main/archive/2009/05/29/some-quick-takes-on-bing.aspx...

"The actual Chinese characters are two characters, 'Bi' and 'Ing' and combined these two characters mean 'very certain to respond' and 'very certain to answer'," Dr Lu said. "That's a terrific representation of what our brand stands for in the Chinese language."

What Happens After the Lights Go Out?

2009-07-01T07:59:00.000-07:00

2008 was not a good year by any standard. As many of us try to rebuild our careers, our finances and some semblance of normality,; data privacy and information security is probably farthest from any company’s (or any individual’s) objectives for 2009. And that’s when information theft becomes most opportunistic.

As companies fold, merge or experience massive reorganizations, there emerges an excess of unsupervised personally identifiable information (PII) – whether it be through former employees, surplus equipment or forgotten databases. Although every company has a legal obligation to destroy any sensitive data as part of their exit strategy, by the time an information leak has been discovered there may no contact information for the defunct company.

Consider the following distinct cases:

1) It was reported in January of 2009 that patients’ records for [now-defunct] Houston “Express EMS Services” was found in a parking lot and dumpster.[1]

2) Former employees of [now-defunct] L.G. Defelice Inc. had their Social Security Numbers posted on the web from improperly sanitized data retrieved from the DOT about the former company.[2]

3) The former NY United Hospital offered to make its records available to patients for six months while it was executing its closing procedure. As part of its exit process, the hospital prepaid a third party to store any remaining records for a period of seven years; upon which they will be destroyed.[3] The records are retrievable, but the only requirement for authorization is a signature; the verification of which is impractical.

4) Client records from a mortgage broker “Seaview Financial of Corona del Mar” were found in a recycling bin during the company relocation in February of 2009.[4]

5) A large consumer electronics firm, upon exercising its exit strategy, considered two alternatives for data disposal: electronic wiping or physical destruction of storage. (It was found more cost effective to physically destroy the disk drives.)[5]

And the list goes on and on… perusing “DataLossDB.org” will give one nightmares on the inefficacy of data protection in the real world. The fact that the volume of incidents is large enough to be aggregated by industry, breach type, and information type is a disturbing indication on how extensive the problem of information leakage is.

The Perfect Storm

This economy has created a “perfect storm” for identity fraud to thrive and grow.

Given three straight fiscal quarters of economic downsizing, the probability increases that companies which succumbed to the economic crisis will inadvertently fail to properly dispose of their sensitive data.

As the unemployment rate reaches record proportions, the propensity of identity misuse – even something as simple as parents using their children’s SSN to get more credit – increases as well. (A study in 2008 found approximately 5% of families surveyed had children with compromised identity information[6].)

From a market perspective, higher unemployment means the quality of current identity data decreases, poisoning the supply chain. As a consequence, the price of PII drops dramatically, so quantity needs to increase to maintain the present market levels.

Law and Responsibility

There are many regulations and guidelines specifying the protection and proper destruction of sensitive information.

HIPAA has long been criticized for its overly broad requirements prone to ambiguous and sometimes contradictory interpretation. Yet, this is one of the few regulations that mandates organizations to make accommodations for the proper storage and disposal of information for six years, even after an organization’s operations ceases[7].

There are several New York State laws that require businesses to follow a data retention schedule for information[8]. Although these retention and disposal requirements are subject to legal interpretation, conservative legal council should follow the path of least risk and provision for post-operational protection.

The Fair and Accurate Credit Transaction Act of 2003 (FACTA) Disposal Rule “requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report”[9], but it fails to explicitly specify if “reasonable” includes contingency plans if the responsible party ceases operations.

The Gramm-Leach-Bliley Act Safeguards Rule is also quite specific about information protection with U.S.C. Title 15, Chapter 94, “Subchapter I: DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION” and “Subchapter II: FRAUDULENT ACCESS TO FINANCIAL INFORMATION “[10]. There are specific rules for safeguarding nonpublic personal information as well as the communication of privacy protection practices. Yet, even in GLBA there is an interpretation loophole. Although the protection of PII extends to “information of those no longer consumers of the financial institution,[11]” it is unclear if it the responsibility applies if the “broken relationship” is caused by the company’s demise.

The reference to “internal controls” of Sarbanes-Oxley section 302 cannot be interpreted purely in the accounting sense; it pertains to information leakage if the lack of (or management overriding of) controls can lead to fraudulent activity or non-compliance. In Seaview Financial’s case above, there is a clear violation; but what about the similar situation with Express EMS Services? Do internal controls cease to be in effect if the company is no longer operating?

Some legal experts believe more specific regulations are detrimental and that bankruptcy courts should address the interpretation of existing regulations with regard to data protection extensions.[12]

The Sedona Conference – a consortium of legal experts – has created “Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age”[13]. This guideline is followed by many legal professionals; and provides an ideal platform to specifically address these post-mortem data protection issues from a legal perspective.

The Reality

Most of the executives interviewed were not aware of any regulatory requirements for post-operational retention/disposal of data in their industries; although some were aware that their companies do have such plans and others have even exercised such plans with former employers.

Looking into the problem more deeply, the root cause comes down to human error in three distinct ways:

1) Lack of awareness or identification of sensitive information by employers, employees, vendors, clients and end users.

2) Explicit negligence to follow proper information protection and disposal procedures; where operational efficiency outweighs privacy rules and regulations.

3) Failure of technology to classify and protect electronic information by both technology developers as well as users.

We need to be aware of how information affects each and every one of us:

As keepers of the information: The information protection priority for every CIO (or CPO) should always be effectiveness before efficiency.

As users of the information: Every employee has an obligation to protect client information as well as ensuring their own PII is well protected and supervised.

As owners of the information: As vested clients of various financial, medical and other institutions, we need to reach out and request the formal policies for data retention and destruction. As with the case of United Hospital above, there was a court-approved plan in place for proper handling and disposal of client data.

The National Association for Information Destruction (NAID) provides a checklist for ensuring your company complies with the maximum set of regulatory requirements[14].

In Summary

Although very few regulations explicitly address post-operational conditions, there is an interpretative factor with any regulation that defines specific schedules for data retention and disposal:

Are records retention/disposal requirements in effect beyond the life of the organization?

There is no clear answer to this question. For records that transcend a company’s purpose – medical record being the most obvious example – there needs to be better data retention policies. Conversely, for consumer data that is only relevant to the operations of a company, common sense dictates the disposal of this information at the proper time.

Hence, we need a robust Information Lifecycle Management (ILM) initiative.

Information privacy, protection and governance are more difficult, more expensive and more costly in times of instability. Considering the frequency of information leaks in active companies; the exposure of PII gets exponentially greater once a company ceases operations. It is imperative that your enterprise’s protection plans outlive the company.

[1] References:

o http://datalossdb.org/incidents/1495-medical-records-of-defunct-ambulance-company-s-patients-found-in-parking-lot-and-dumpster

o http://abclocal.go.com/ktrk/story?section=news/local&id=6605230

[2] References:

o http://datalossdb.org/incidents/734-social-security-numbers-of-300-former-employees-of-defunct-l-g-defelice-inc-posted-on-ct-transportation-committee-website

o http://attrition.org/dataloss/2007/07/conngatc01.html

[3] References:

o http://www.allbusiness.com/health-care/health-care-facilities-nursing/10635002-1.html

o http://www.ironmountain.com/records/release/NYunited.asp

o Interview with Iron Mountain records release specialist for NY United Hospital

[4] References:

o http://datalossdb.org/incidents/1791-mortgage-broker-dumps-files-containing-clients-names-address-tax-forms-and-ssn-in-trash

o http://www.ocregister.com/articles/information-seaview-files-2316272-center-recycling

[5] Interview with CTO [person’s name removed by request] from [company name removed by request].

[6] Reference: http://www.debix.com/docs/Child_ID_Theft_Study_2008.10.pdf

[7] Reference: http://www.glrm-online.com/pdfs/HIPAA Record Retention Periods 2006.pdf

[8] Reference: http://www.archives.nysed.gov/a/records/mr_retention.shtml

[9] Reference: http://www.ftc.gov/opa/2005/06/disposal.shtm

[10] Reference: http://www.law.cornell.edu/uscode/uscode15/usc_sup_01_15_10_94.html

[11] Reference: http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act#Safeguards_Rule

[12] Reference: Interview with legal experts [names withheld by request].

[13] Reference: http://www.thesedonaconference.org/dltForm?did=Guidelines.pdf

[14] Reference: http://www.naidonline.org/facts.html

Responsibilities of the Federal CTO and CIO

2009-05-02T07:21:00.000-07:00

I applaud the new president for his awareness that information technology is as important as any other infrastructure in the government. By creating Federal level Chief Technology Officer (CTO) and Chief Information Officer (CIO) positions, there exists the opportunity to create a long-term direction among the myriad of existing systems and processes within the government.

Many articles have already dissected the proposed responsibilities of the Federal CTO and CIO. In the Feb 16^th issue of InformationWeek, for instance, twenty-six (26) business leaders in technology weighed in on the most pressing issues for the Federal CTO. As diverse as the expert opinions are, they all have merit. Congruent to the myriad of other articles covering this topic, this is indicative of how widespread the problems are that need attention.

All these issues can be extrapolated to three (3) ideals that should be addressed by the current administration with regard to the CTO and CIO:

1. Focus on the Organization Mission and Workflow, not Technology:

A CTO cannot possibly assume all of the responsibilities needed to lead an organization focus on technology alone. They must take into consideration the business value of the information issues that technology is trying to solve.

Conversely, the CIO must focus on the accuracy, confidentiality and security of information. But they cannot do so without in-depth knowledge of technology solutions used for the capturing, classification and dissemination of information.

To be an effective leader means to know what the organizations goals are, past efforts, and its current operations. Many times, the operations do not match the goals of the organization, and the technology matches neither the operations nor assists in attaining the goals’ objectives.

The Federal CTO and CIO must align themselves with the missions of the various organizations, their goals and objectives; and affect the strategies pursued to achieve these objectives in a way that fosters cooperation and effectiveness, which eventually leads to efficiencies.

For the Federal CTO and CIO, their customers are the agencies they support, not the OMB.

2. Synergies between the CTO and CIO:

The CTO’s responsibilities are not the same as the CIO’s. [We have yet to see the ramifications of the Obama Administration selecting a former CTO for the position of CIO.]

The CTO and CIO both start from the same basic question: “What information does each agency (or business unit) need to operate effectively?”

The goals of the CIO:

Identify essential information needed for proper business unit / agency operations.
Verify the accuracy of all data points.
Apply an Information Lifecycle Management (ILM) process for determining when information is the most useful and when/how it should be discarded.
Organize, normalize, aggregate, analyze and disseminate information to the appropriate operational entities.
Classify, protect and track usage of business critical information.

Contrary to popular practice, it should be the CTO supporting the CIO, not the other way around. The goal of the CTO is to effectively support the CIO’s objectives:

Design usable business processes and workflows to support data capture.
Provide solutions to minimize duplication of data; thereby minimizing overlap and extraneous work efforts by business operations.
Create effective and unambiguous views of information for each level of audience.
Support feedback channels for refining business processes and workflows.

Both need to focus on the business processes and workflows. Does the unit/agency garner the appropriate information? Do they properly store, organize and protect this data? How do they interoperate and share information?

Although the CTO and CIO may hold distinct views to such questions, they should eventually arrive at a complementary set of goals. This is one place where segregation and specialization can positively affect government operations.

3. Stimulus Investment in Technology Infrastructure:

During the 1930’s, the Federal plan to pull America out of the Great Depression was the creation of jobs through Federally-sponsored infrastructure expansion – specifically through the construction of bridges and roadways. America was primarily an industrial society and this plan answered two key problems: (a) the country lacked a viable transportation infrastructure to support industrial growth and (b) these projects needed the same (or similar) skills of our unemployed workforce at that time.

Post WWII saw the expansion of the housing, education and auto industries as a response to the multitude of military forces migrating back to peace-time. Again, this economic cycle took advantage of characteristics in our population – a mix of engineering and service-oriented demographics and a need for supporting the population explosion. However, it also recognized the need for retraining of America’s workforce, so education became a priority.

Today’s crisis consists of more complex problems. America can no longer be characterized as an industrial society, an engineering society or even a service society. We have become a society of deferment – managing and outsourcing our skills away. But there exists the opportunity to create a recovery effort that parallels those post-war times past.

Our government needs to rebuild its infrastructure; not its public works infrastructure but its information and technology infrastructure. The handling of information at the government level has grown and expanded haphazardly into a complex web of processing silos. Consider the lack of communication (electronic and human) between agencies such as the CIA and FBI. The creation of DHS simply places a wrapper on these problems and allows some cursory cooperation, but internal silos still exist.

The stimulus plans that have been implemented by both the Bush and Obama administrations are misguided; either they try to boost lending among a population that cannot repay its existing debt, buy off toxic debt to allow financial firms to operate with impunity, or try to create jobs through legacy public works projects. None of these approaches can have any long-term success.

To rebuild our economy with strength and longevity means to address our needs as a country and as a society. The stimulus packages should create large public infrastructure projects – but it should be focused on the information and technology infrastructure. This will employ the many Americans educated and skilled in technology (but unemployed due to off-shoring), increase the demand for higher education in technology areas and allow the government itself to be streamlined and efficient for the future.

Yes, it means the government will be paying more for technology services than the corporate world. The purpose here is to employ Americans, to stimulate the higher education of the population, and to launch the cycle of economic growth based on a solid foundation.

In Summary:

The CTO/CIO are first and foremost a strategic thinkers, thought leaders that can extrapolate needs from desires, and prioritize goals into tactical strategies. Secondly, they are business analysts which must address the realities of an organization against its objectives, understand where the gaps lie, and the mitigation options. Thirdly, they are enablers, knowing where change is needed and disseminate authority to the “natural leaders” in the organization to affect that change. Finally, the CTO/CIO must be accountable – to both those below them as well as to those above; they must provide the metrics, the ways and means to measure success.

My hope is that our new Federal CTO and CIO will have the foresight to envision the feasible future, the qualities needed to chart a course, the leadership needed to promote their strategies both up and down the chain of command, and the authority to make a difference.

Or perhaps printing another $800B will do the trick.

Offshore Outsourcing and Intellectual Property Protection

2009-04-02T06:31:00.000-07:00

Entering into the world of IT some decades ago, the typical employment process consisted of a written comprehension exam, two days of interviews, drug screening and even fingerprint registration with local authorities. My most bizarre experience included a multi-task evaluation, where the candidate was enclosed in a small room with a written exam while new-age music was piped through room speakers at extraordinary levels, broken intermittently by verbal instructions to do some really odd tasks (i.e. “…put six pencils and two pens in the coffee mug labeled ‘Bob’ and place it in the bottom left-hand drawer, but only if you answered ‘yes’ to question 35…”). All this effort to ensure that as an employee, a candidate was proficient for the needs at hand as well as loyal to the employer; how times have changed!

“Offshore business process outsourcing (BPO) is expected to reach $3 billion in 2004, a 65 percent increase from the 2003 total of $1.3 billion. In 2004, offshore BPO is expected to represent 2.3 percent of the total BPO market.” - Gartner Research, May 18, 2004.

Given the exponential rise of IT outsourcing by U.S. corporations, it is easily justified to promote offshore outsourcing within your company for several well-known reasons, the majority being:

Breadth of knowledge can be adjusted dynamically to the needs of each project, so the technologies utilized merely become another variable to accomplish a business goal.
Cost of development moves from overhead budgets (full-time head-count) to operational budgets. This expense can now be justified by showing greater flexibility to increase/decrease manpower over the short-term.
Offshore manpower costs are often substantially lower than domestic rates.

For all inherent benefits of offshore outsourcing, there exists a powerful liability that, when left untreated, can have disastrous results. The dissemination of intellectual property occurs every time one business outsources another -- whether for payroll, advertising and especially IT development.

Consider these statistics. From the “2003 CSI/FBI Survey on Computer Crime and Security”, 61 of 398 respondents acknowledged theft of proprietary information which resulted in financial loss totaling $70M . In the “2003 BSI Computer Theft Survey” of 676 participants, 9.2% of respondents who acknowledged theft of proprietary information stated the financial loss at $1M and 2.3% valued the loss at $10M . Would any company hand over intellectual property to an unmitigated risk? Yet, it happens, as exemplified by the source code leaks for both Microsoft and Cisco. Could they have been avoided? Not completely, but it should serve as a wake-up call to all businesses to review their IP protection policies with all their partners, especially those which exist outside a company’s base operating country.

How one approaches intellectual property protection (IPP) can affect the overall effectiveness and efficiency of any outsourcing effort. A traditional project manager will start with a baseline savings of efficiency (time, expenses, et al) and reduce each benefit by applying the cost of risk factors in the 80/20 fashion. A security professional will always start with a baseline cost of protection planning and overlay the benefits to assess a spectrum of “best-case” to “worst-case” scenarios. From these scenarios, a risk / remediation analysis is presented to management, whereby the business can make an informed decision on the amount of risk it is willing to expose. Given the extra up-front planning efforts needed by multiple business branches to implement the security professional’s method, which would in reality get the most support from the decision-makers in your company?

IPP assessments for outsourcing can be daunting, but by breaking the effort down into the risk areas below, much of the assessment needs to be done only once, and can be re-used for subsequent outsourcing projects. Following is a pared-down checklist that can assist in the planning effort for IPP and outsourcing:

Business Assessment
(What are the official host company’s security policies for IPP?)

Where is the company's base of operation?
Does the company have international offices with legal representation?
Does the company currently outsource IT development efforts?
Within those countries with international offices?
In countries without the company’s international presence?
How does the current project rely on trade secrets or other intellectual property?
Are these IP assets considered tangible or intangible?
What amounts of risk are attached to these IP assets?
What methods of assessment were applied to arrive at these figures?
What existing policies are in place to protect IP during development?
Does your company specifically address IP protection and outsourcing?
What IPP compliance does the company require from outsourcing companies and other partners? (bonding, et al)
What is the cost of creating/supporting such policies?
What existing experiences with IPP can be drawn upon?
Are these experiences formally documented?

Legal Assessment
(What legal tools support international protection of IP?)

What types of legal agreements are in place for:
Opening IP to outside parties? (NDA, et al)
Doing sensitive business internationally?
What legal options are available for non-compliance or breach of these agreements?
What international laws are provided to pursue non-compliance?
What protections does the outsourcing company’s host government provide?
In what venue must legal proceedings occur?
Have there ever been any accusations of breach or threat of legal action?
If so, how was it handled?
What internal actions were taken as a result (change of policy, et al)?

Outsourcing Assessment
(What are the official outsourcing company’s security policies for IPP?)

How does the outsourcing company approach the topic of IP-based contracts?
What internal policies are in place to protect their clients' IP?
How do the outsourcing company’s protection policies compare to those of the host company?
Where do the policies go above and beyond your policies?
What specific points do the policies lack?

Accountability Issues

Accountability, as a management tool, is necessary to measure project flow, define remediation procedures for any fallout, and provide root cause analysis for future prevention. Accountability methods work best within controlled environments (i.e. within the enterprise). When uncontrolled factors are introduced, normal accountability methods can actually create a false sense of completeness. Two major issues exist when an accountability matrix includes outsourced personnel.

The first issue with accountability is the lack of host company presence at outsourced work offices. Much of traditional compliance validation comes implicitly from direct (formal and informal) contact with employees. Since the loss of intellectual property can cause irreparable damage to your company, careful planning is needed to validate compliance early and often, especially in the absence of direct contact with the outsourced employees. Scheduled as well as unscheduled onsite visits are crucial even if other travel budgets are frozen. First-hand documentation of compliance is a necessity. To highlight this point, the New York State Department of Environmental Protection relies almost solely on company-generated reports for water pollution control compliance; whereas in another realm, the Department of Defense has inspectors sent to every vendor facility to ensure spec compliance on each batch of materials purchased. Which method of compliance validation matches the needs of your project? (I personally avoid swimming in NYS waterways.)

The other major issue with accountability is remediation. An IT manager has not only the power but also the responsibility to enforce all company policies with respect to protecting company property. An IT manager may even have the power to choose outsourcing companies based on their policies and past experience. But once a contract is determined to be out of compliance, an IT manager may need to turn to the legal staff to enforce remediation. In other words, even if an offshore outsourcing firm has identical IPP guidelines as the host company, compliance is ultimately determined by the laws in the country of arbitration defined in the outsourcing contract. Accountability is no longer an issue of meeting deadlines, but rather a basis for possible legal action.

What Are the Next Steps?
(Document, Document, Document)

Modify your accountability methods to ensure compliance by focusing on three areas: validate formally, validate consistently and validate often.
Determine the measurement criteria that would positively identify an intellectual property breach. This cannot be overstated. These criteria become the pinnacle for any investigation or legal actions. Too ambiguous: no legal case can use them. Too detailed: a breach may not be caught because all the identifiers were not triggered.
Ensure that these findings are well communicated with all decision-making parties.
Ensure the legal support staff includes these aspects with all written contracts. The legal department will most likely define the company’s host country as the point for arbitration.
Ensure the outsourcing parties understand these aspects. This is most effectively accomplished by having the outside parties present a formal document on how they comply with your IPP guidelines.

Creating your “IPP Guideline for Outsourcing” now can save many troubles years down the road. Regardless of any business partners’ guidelines and procedures for IPP, it is still your company that is held liable for compliance with SOX and HIPAA.

John C. Checco, CISSP (john.checco@checco.com) is a member of the American Society for Industrial Security (ASIS) NYC Chapter and president of bioChecTM (www.biochec.com), a division of Checco Services, Inc.

Information Crisis Management

2009-03-25T11:00:00.000-07:00

Information Crisis Management defines the SOP used when proprietary information assets are compromised, either by network breaches or employee breaches. According to ASIS, “Fortune 1000 companies lost more than $45B from the theft of proprietary information” in a single year[i].

Cockpit Resource Management?

The FAA, in response to the avoidable crash of United Airlines Flight 173 on Dec. 28, 1978, developed one of the first “critical thinking” guidelines for crisis management. Originally known as “Cockpit Resource Management” (and later changed to “Crew Resource Management”), this process is integrated by many emergency services into their Incident Command System.[ii] One particular aspect of this guideline that applies to any group of decision-makers is the use of the three “decision outcome avenues.”

Avoid: plan to prevent possibilities of a crisis.
Trap: recognize bad decisions and fix potential problems before a crisis.
Mitigate: minimize the negative effect during a crisis and investigate post-crisis.

The concept of “decision outcome avenues” applies directly to information security planning. Many organizations spend sufficient effort on plans to avoid and trap breaches, but mitigation is usually not a well pre-planned effort.

Pre-Planning for Mitigation

To plan for an effective post-crisis investigation, an organization needs to plan pre-crisis. Content-specific planning addresses the mitigation of direct breaches, intentionally accessing information for dissemination outside its intended audience. Access-specific planning addresses the mitigation of indirect breaches, hijacking legitimate information access.

At the heart of this plan lies the explicit determination of informational risk. The organization must first evaluate any information that is considered proprietary. This may mean a substantial effort in collecting information that is subject to scrutiny, but it is a necessary task for every organization. Second, it must classify information according to damage control needed: i.e. source code needs to be under version control, sensitive documents need to be centrally managed, etc. Information that is considered paramount should be in lock-down mode – inaccessible except through physical means, even if it means having a standalone workstation holding the information in a locked room.

Content-Specific Planning

For documents that are considered confidential, companies need to institute a central document repository. Companies that are ISO-9001 compliant should already have this in place. However, additional precautions should be taken.

The repository should have strict entitlement rules for each user. Proper licensing should be in place for the document management system to allow each user access, rather than a set of shared userids.

Classification is necessary for all new documents being submitted to the central repository. This need not be a committee review, just a second authority to ensure documents are properly protected.

Document server storage should be encrypted.

Authors can request a document in editable form; all others MUST get the document in read-only form. Software utilities, such as Win2PDF, can accomplish this task dynamically as an extension to most document management systems.

Tracking of highly-sensitive documents, already done on the server side through audit logs, should be augmented with steganography. Steganography is a technique to embed requester information (who, what, where and when) into a document when it is downloaded from the server. A recovered document now provides forensic evidence for post-crisis investigations.

Source code can be similarly managed via a variety of version-control systems. Extensions, such as read-only access and steganography, cannot apply here because of the working nature of source code.

Access-Specific Planning

Of 503 corporations and government agencies polled, 33% cited their internal systems as a frequent point of attack.[iii] Intranet-specific safety is comprised of two parts: access and information flow.

Access refers to both ingress and egress of information systems as well as critical information applications. A plethora of secure login systems are available from smart cards to polymorphic password tokens and biometric devices. Other factors, such as auditing, actual vs. intended usage and ensuring logoff, are just as important. Proximity badges, which use short-range RF devices to communicate authorization information to nearby computers, are finding their way into many businesses as a means to provide more security while maximizing user acceptance. Proximity badges are highly recommended as a secondary means of login authorization and for ensuring unattended logoff, although they tend to be misused. In one case, a hospital equipped all personnel with proximity badges for automatic login. “Doctors didn’t like always having to type in a password.[iv]” This particular use of proximity access control systems is troublesome because gives a false sense of security, yet the hospital is considered fully compliant with HIPAA[v] regulations.

Information flow refers to ad-hoc documents and messages exchanged within and/or outside of an organization’s network. The popularity of IM and document swapping via email are two prime areas for security review. Companies should augment employees with their own custom IM packages that have the controls to: transmit using a secure protocol and track/log access between outside persons or large transfers. For emailing of documents, encryption is desired, but many times too difficult to use. Solution providers, such as Sigaba, provide enterprise-wide encryption proxies on top of standard internet services. Another promising technology touted by magiQ Technologies, is the use of quantum cryptography as a method to ensure “a message has been securely delivered between two parties – and that no copy exists.”[vi]

Conclusion

It is important to assess your organization’s mitigation SOP for informational losses. The mitigation pre-planning process allows an organization to assess its information liability and decisively take risk. And most importantly, it provides a solid foundation for any post-crisis investigation.

*** The author is not associated in any way, does not exclusively endorse, nor receives any fees from any of the products/companies mentioned in the article.

[i] American Society for Industrial Security, 2000.

[ii] “Crew Resource Management,” Dennis L. Rubin, Firehouse Magazine, July 2002.

[iii] “2002 Computer Crime and Security Survey,” Computer Security Institute.

[iv] “Security Goes the Distance,” George V. Hulme, Information Week, January 13, 2003.

[v] The Health Insurance Portability and Accountability Act of 1996

[vi] “Security’s Next Steps,” Brian Fonseca, InfoWorld, January 13, 2003.