Gone to the Dogs!
I will, with regret, dismiss felis catus from the category of deterrent from the outset. I own a 15 pound Bengal (cat, not tiger) who only becomes a serious foe when cornered by one of the dogs. As with most cats, he makes a dash for cover if there is a loud or unusual noise, wisely choosing discretion over valor. The Dog (Canis lupus familiaris) is a different story. My disclaimer straight away is that I am by no means a “dog expert” but I am an experienced “dog owner”. I will be pulling from my experience as the latter.
I believe a dog is an excellent deterrent for the home or business. We might all agree that dogs could fall into several categories, e.g. working in a K9 unit, working companion, or junk yard guard duty. Let’s look at the difference between a guard dog and the watch dog for example. On the guard dog side we might envision a large property surrounded by fence and patrolled by one or more large breed (and stereotypically quite nasty) dogs. The bad guys certainly think twice and consider their options before climbing the fence. The prospect of the animal being connected to a slow moving extremity is a great deterrent. The watch dog serves a different purpose and, in my personal experience, is an excellent addition to home or business security.
I will use my Cairn Terriers as an example. I do not think that any goblin looking over the wall would be seriously deterred from advancing at the sight of two 15 or 20 pound barking fur-balls. What these small guys, aka fur-balls, will do for us is raise the alarm. Best motion and sound detector money can buy. Even when curled up and asleep we can watch their ears follow even the slightest noise, from a coffee cup set down on the counter to a chirping bird in the yard. My dogs are ready to start in when they hear footsteps on the driveway. The pizza guy or UPS fellow has no chance of surprise. In fact, one of the most difficult training tasks for the owner is teaching them not to simply bark at everything!
Of course there is a cost involved. We need to feed and care for them but the ROI is very good. Can’t imagine sitting back in a comfortable chair with my alarm control panel in my lap sipping tea and enjoying a good movie. I sleep well at night knowing that my technological and biological intruder detection systems are vigilant.
Defense in Depth – Small Business Style
Defense in Depth – A term not typically heard in the small business world but something I felt compelled to discuss in that context.
It is typical for a small business to have a trusted technology company or an in-house IT guru to manage their IT needs. It is also typical for a technology company or resident guru to latch on to particular vendors. Vendors they have learned to trust based on their product, services and support and hopefully not the profit margin afforded by reselling or representing the product or the vendor. Being an evangelist for a product, to the exclusion of others, is where these relationships go wrong and a business can become exposed to unnecessary risk. I make this statement from personal past experience, having traveled down that very path. We should consider our vendors and their solutions based on functionality, support, their ability to reduce risk for the business, cost to maintain and not how much they might contribute to our bank account as an authorized partner or reseller.
Now to the point, what is “defense in depth”? It is a strategy used as part of an overall Information Assurance (IA) strategy where multiple layers of defense are deployed to address security vulnerabilities in personnel, technology and operations. This approach enables one to defend against a specific attack using several different methods. It was in fact conceived by the National Security Agency (NSA) and is based on the military tactic of delaying an advancing enemy to buy time rather than preventing the advance.
Let’s look at some of the layers involved:
- Physical security (e.g. deadbolt locks, steel doors)
- Authentication and password security
- Hashing passwords
- Anti-virus software
- Firewalls (hardware or software)
- DMZ (demilitarized zones)
- IDS (intrusion detection systems)
- Packet Filters
- VPN (virtual private networks)
- Logging and auditing
- Biometrics
- Timed access control
- Software/hardware not available to the public (security through obscurity)
This explanation may add some clarity to my first statements about using a single vendor or solution and the pitfalls of doing so. Consider using multiple anti-virus solutions across your platform, regardless of how small your company might be. One vendor on the Firewall and another on the desktop. It is also important to consider this level of protection as a suite of products to include protection from the many types of malware found in the wild. The list of very good anti-virus/anti-malware solutions is quite long so one does have a choice.
I point out that although patch management is not specifically mentioned in the list of “layers” I would consider it on a parallel with the anti-virus/anti-malware solution. Monitor vendor channels such as Microsoft, Apple, and the assorted flavors of Linux and install security updates when they are released. On a test platform first if you wish but install them in production as quickly as possible. The cost of not doing so far outweighs any unfounded fear that the security update will break the system. It has been my experience that when a security update is installed and the performance of the system is adversely affected there is another underlying reason why and it is not the fault of the patch itself.
Register with US-CERT, the United States Computer Emergency Readiness Team or the SANS Internet Storm Center and elect to receive security update notifications. Your preferred anti-virus vendor will typically require registration and one may opt-in for notification via email of threats or outbreaks. Constant vigilance is the key at this layer.
I must also add a quick blurb about physical security and note that deadbolts and steel doors are shown in parentheses as a short description. Not an “alarm system” or what we in the profession call intruder detection and control. It is certainly not my intention here to denigrate any of the alarm system vendors. I do take exception, however, to the marketing of an alarm system as being anything more than a deterrent. We see, for example, the many television commercials that show the mom and child setting the alarm and feeling safe inside their home and suddenly the bad guy breaks the window glass or breaks through the door. The alarm sounds and they are saved by a phone call. Nonsense! A steel door with no glass and a 2” safety deadbolt will provide a much higher deterrent level and keep mom and child more secure. Good outdoor lighting and fences also add to a good layered security system. An alarm system is very important but as one of the layers we leverage to keep our people and our business assets safe.
(ISC)2® Safe and Secure Online Program
When I volunteered for the (ISC)2® Safe and Secure Online Program in late 2009 I had no idea what I was getting myself into. Several months of planning with the Clark County School District, rehearsal of the presentation, meetings with school administrators. Every second has been worth it!
This is the most rewarding program I have had the privilege of being part of. My only regret has been that I do not have enough time to do more. The good news is that we do have more volunteers coming on line and this means we will be able to deliver this very important content to more middle school children in Clark County Nevada as the second semester begins.
I have primarily been working with 6th grade classes, 11 to 12 year old children, during this first round. The response from the children has been great and I have been quite surprised by the answers to some of the questions. Some of the answers have been enlightening and provide a more clear understanding of “their technology world”. Some answers have made the hair on my neck stand straight up. For example, “does anyone here chat online with people they do not know?” We would hope for no hands in the air but to the contrary, I always had 5 or 6 from every class who would shoot up their hand and giggle. I could tell there were others in the class who were weighing their options to determine if exposure was the best course of action and elected not to raise their hands and be found out.
Never talk to strangers! Something parents start to drill into children even before they are old enough to understand. It is mystifying to me that this discussion has not extended to the online world and if it has, it does not seem to be taking hold in many cases. Even one child admitting to chatting online with a stranger would be unnerving but 5 or more out of a class of 35 is frightening.
I have almost completed the first semester with my very short list of middle schools. The district put out the word in September and in 5 minutes 8 schools responded to schedule my visit. I took on those 8 schools and have added three more by word-of-mouth. I believe I have spoken with over 1500 students so far, a small percentage indeed. My next goal, aside from the second semester with the kids, is to get in front of parents and share my experiences. I believe it is very important that parents have a look at the (ISC)2® Safe and Secure Online Program and share their thoughts and concerns. For parents who may stumble across this BLOG I invite them to have a look at the isc2 Safe and Secure Online Program website http://cyberexchange.isc2.org/safe-secure.aspx and look at the bottom right side to locate the “Check out our top 10 tips for parents” link. This list was compiled as a result of feedback from program volunteers to help enlighten and educate. I hope many will find it useful and it should help promote discussion between parents and educators.
We have two more volunteers coming on board in January 2011. More are certainly needed as I count 58 middle school websites on the CCSD site. This leaves 50 more for others to step up and help our kids be Safe and Secure Online! Please, have a look at the program http://cyberexchange.isc2.org/volunteers.aspx and consider sharing your knowledge and your time. Please do not hesitate to call on me with questions. I am happy to help.
Risk Management
Risk Management for Information Systems – What is it and why do I need it?
A tree surgeon sends his crew out to prune a 20-foot oak. Risk management immediately comes into play. The workers have had safety training, they wear safety equipment, they take steps to protect any dwelling, and they contact the power company in the event any power lines are in proximity. All these steps are taken to mitigate the risk of personal injury or property damage. Any remaining risk is known as residual risk. In addition, the owner of the tree surgery company takes out insurance to cover people, equipment, and property. This is known as assignment of risk.
I speak here about how risk management works in practice with a tree surgery company but the terms and principles discussed are the same across any industry or system. Risk management for information systems or information technology is no different and the principles cover anything from a single home computer user to a large multinational corporation. We need it because managing risk helps keep our people, property, and our valuable data assets safe.
We are all exposed to significant risk every day when we turn on our computer and connect to the Internet. There are some basic things we can do to mitigate risk and bring residual risk to an acceptable level.
We first need to identify our people, business, and data assets.
People
- Who in the company uses the Internet?
- Do we have an acceptable use policy?
Business Assets
- What paperwork do we maintain?
- Where is it kept?
- Are these documents secured?
- Who has access?
Data Assets
- Where is our data stored?
- Do we have a backup?
- Who and “what” has access to our data?
This is certainly not a comprehensive list of questions but it should provide a starting point. We then need to ask ourselves questions such as:
- What happens if a business asset or data asset is compromised or becomes unavailable?
- What happens if our people are unavailable, e.g. flu, natural disaster, etc.?
There are three types of controls that we can implement to mitigate risk across all of these platforms. They are:
Administrative Controls
- Acceptable Use Policy and Procedures
- Employee Procedures and Guidelines
Technical Controls
- Firewalls
- Role Based Access
- Login and Password
- Encryption of Data
Physical Controls
- Locked Doors
- Locked File Cabinets
- Locked Briefcase
Managing risk, for any size business, will provide a significant return on the time and money invested.