
Solving “Big Problems” in Security by Building a Service Model

Remediating strategic security concerns can be very difficult, particularly in large organizations with diverse and rapidly evolving product lines. While security is critically important for every part of an organization, individual security risks are not necessarily the most urgent problem to solve for all teams at the same time.

That means our ability to effect widespread change on a reasonable (to us) timetable can be a real struggle. Oftentimes, security teams will fail because they tried to solve all of the world’s problems at once.

At first brush, it makes sense to go after the problem everywhere it exists, considering economies of scale and all. Unfortunately, that doesn’t translate so well when attempting to push work on teams with competing priorities. “Fix this now” is not really an effective motivator. There is another way, though, that works particularly well for the “BIG” problems, and that’s developing a service model that teams can take advantage of on a timetable that works well for them.

Metrics Develop Interest

If you can’t measure it, you can’t sell it. Regardless of whether your “big problem” is log management, threat management, or identity and access management, you can measure it specifically for every team in your organization. Some may be successful, others may struggle, but if you start measuring it regularly and effectively you can demonstrate a problem that can be solved.

Capabilities Solve Problems

Tools are not solutions (no matter how much your vendors may insist otherwise). Solutions are principally capabilities an organization must develop to evolve. Other teams in your organization have no idea what any particular tool does for them, and they have no reason to retain that information if you explain it to them.

Instead, develop a story around the capabilities you want to deliver as a service that addresses the specific problem your organization has. Remember your metrics? Those are now riding shotgun on the road to risk remediation. Keep them handy and keep them coming, month after month. Trending data is a beautiful thing!

Service Models Are Tangible

A service needs to be a tangible thing. Would you buy a service from Amazon, Google, or Microsoft if they couldn’t demonstrate it to you? Neither would the others in your organization you are trying to sell to. You must be able to clearly show how the capabilities you are proposing will not only directly affect the metrics you are delivering (i.e. reduce risk), but also how they will improve the management of that team’s solution. Good security practices often result in big operational wins.

Operationalization is key. There should be a clear path (in the form of a process flow) from service request to service fulfillment. You should also be able to demonstrate how the management of the service will be maintained over time.

That also means clearly understanding the financials. Gaining executive approval to deliver a service in this way is largely dependent on demonstrating a firm understanding of what it will cost to establish the service and maintain the service, as well as a pricing model to calculate how much it will cost to onboard typical use cases. You can demonstrate a positive cost/benefit ratio by highlighting the operational benefits.

…and keep it simple! Your target audience needs to know what you are doing for them, not how you are doing it for them. Keep it high level.

Market the Solution

At this point, you have trending metrics creating market demand and a very consumable solution with a clear cost model. The marketing is practically done for you, but there is still real work to be done. The most effective thing you can do is begin to socialize the solution across the organization in a very positive way and ensure your new capabilities are already on roadmaps around the organization.

Developing a service model like this moves Information Security from being a source of unwelcome work to a solution provider that can demonstrate real, tangible value to the organization in a very consumable way.

Best of all, taking a measured approach such as this generally leads to teams taking a fresh look at what caused this “big problem” with their solution in the first place. Typically, this will result in the streamlining of accounts, systems, or processes in order to reduce the cost of on-boarding the capabilities you are offering.

This is a BIG security win, a BIG operational win, and a BIG financial win!

Was this interesting or helpful? Like, Comment, or Share and I’ll write more.


Internet Security @ Home: How to Protect Your Kids Online

Protecting our children is one of the most important things we are charged with as a parent, and for thousands of years parents have used their own experiences growing up in order to know what to protect their own kids from. It only took three summers of burnt fingertips in the 80’s for me to learn that, when it comes to my own children, they probably shouldn’t try to throw a lit firecracker.

Fast forward to the new millennium, and parents are faced with an interesting challenge. Our children are growing up with an amazing array of technology and communication options way beyond anything we ever had available to us. For instance, Nintendo’s “Duck Hunt” wasn’t a very good reference point for me to know how to protect my kids on Facebook.

Nevertheless, it’s our job to protect our kids, and as an IT professional with a strong background in securing Microsoft-based systems, I thought I would provide some tips and tricks to make your household a little bit safer.

Tip 1: Have a Household “Acceptable Use Policy”

OK, don’t call it an acceptable use policy, but that’s really what it is, and you really, really want to keep it short, simple, and to the point. If you think your boss has a short attention span, your kids’ will be even shorter. So, next to every computer in the household, post a one page set of rules for using the computer. Also, don’t forget to laminate it; kids tend to spill stuff (at least in my house).

Here are some items from mine:

  1. Use of this computer is a privilege, not a right
  2. When asked to leave the computer, you have 15 seconds to do so
  3. All activities on this computer are monitored*
  4. Computer time is limited to ## minutes per day
  5. If a stranger contacts you anywhere online (Facebook, Instant Messenger, or email)… tell mom or dad right away
  6. If you see anything inappropriate… tell mom or dad right away
  7. If anyone, even one of your friends, upsets you… tell mom or dad right away

I put the * at the end of #3 because, although there is software to do so, it’s actually pretty impractical to actively monitor everything your child does online… if you’re going to do that, you might as well just sit there with them. However, your child doesn’t need to know that. 😉

Tip 2: Understand the Threats

When thinking about threats, we tend to focus on the ones that make the news… viruses and predators. While those are certainly threats to take very seriously, it is far more likely that your child will be the target of cyber bullying at some point. Cyber bullying can occur over Facebook, Twitter, IM, text, phone, Skype or even in a game like Minecraft.

Understand where and how your child communicates with people he or she knows, and make sure you have a process in place to routinely check on that communication. Also, and I can’t emphasize this enough, talk to your children about bullying… cyber or otherwise. They need to know help is available if they are a target, and they need to know it’s unacceptable to target anyone else.

Tip 3: Children Should Have Their Own PC

I realize this isn’t practical for everyone, but this is one of the best pieces of advice I have heard recently. While parents certainly aren’t infallible, kids are going to do a lot of dumb things on their computer. So keeping their Internet activities limited to a separate computer than the one you use for online banking and shopping might be a really good idea.

Ideally, this computer should be located in a public space, but again I’m sure that’s not practical for everyone. If the computer must be located in their bedroom at home, insist that if the computer is powered on (even if they are not using it), their door stays open.

Additionally, if you have multiple kids using a computer, give each kid a user account of their own with their own password (make sure you know the password… snooping is the right of any parent).

Also, more than anything else, make sure the kids are not an administrator on their computer or any other computer. Just give them a standard account and keep the administrative password for yourself.
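As an added example (not from the original post), here is a PowerShell script that creates a standard, non-administrator local account for each child and then checks that none of those accounts has ended up in the local Administrators group. It assumes Windows 10 or later (the built-in LocalAccounts cmdlets) and an elevated prompt; the account names are constructed placeholders. On the XP, Vista and Windows 7 machines the post mentions, the older `net user` and `net localgroup` commands do the same job.

```powershell
# Added example, not from the original post. Requires an elevated PowerShell
# session on Windows 10+ (Microsoft.PowerShell.LocalAccounts module).
# Placeholder account names; replace with your own.
$children = @('kid-alice', 'kid-bob')

function New-ChildAccount {
    param([string]$Name)
    # Ask the parent for the password interactively so it never sits in a file.
    $password = Read-Host -AsSecureString -Prompt "Password for $Name"
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $password `
            -Description 'Standard (non-admin) child account' | Out-Null
    }
    # Standard accounts belong only to 'Users'. The parent keeps the admin password.
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
}

function Test-NoChildIsAdmin {
    param([string[]]$Names)
    # Members come back as 'COMPUTER\name'; keep only the account name part.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }
    $violations = @($Names | Where-Object { $admins -contains $_ })
    foreach ($v in $violations) {
        Write-Warning "$v is a local administrator; removing it from the group."
        Remove-LocalGroupMember -Group 'Administrators' -Member $v
    }
    return ($violations.Count -eq 0)
}

foreach ($child in $children) { New-ChildAccount -Name $child }
# $true means every child account is a standard user; re-run it after any
# software install that asked to "create an account for this user".
Test-NoChildIsAdmin -Names $children
```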

Tip 4: Use OpenDNS.com

I cannot recommend OpenDNS.com enough for home users. It is a completely free product for home use, and will protect your computer from numerous threats on the Internet simply by ensuring your computer won’t be able to find the address of nefarious sites by filtering them out.

Their web site, OpenDNS.com, has very good instructions for the novice home user to enable their service. You will have to fill out a sign up form, but the service is completely free and highly recommended. It’s the easiest thing you can do to actively block a lot of threats against your children.

Tip 5: Charge Cell Phones/iPods Somewhere Public

Remember that the computer is not the only device you need to be concerned about in your house. Cell phones, iPods and Nintendo DS’s can be just as much of a threat to your child’s wellbeing and your sanity. By charging those devices in either the kitchen or other public location, you ensure it’s going to stay somewhere you have access to it for several hours a day. It also prevents your child from being distracted by those devices when they should be sleeping.

Tip 6: Don’t Rely on Filtering Software

Products like NetNanny are great, but they are no replacement for parental monitoring. At best, products like NetNanny protect your kids from accidentally (ok, maybe on purpose) visiting inappropriate web sites. Unfortunately though, there are a lot of sites that your children will want to visit that aren’t going to be blocked by NetNanny, but may still have inappropriate content. Sites like YouTube (which host an amazing array of videos horribly irritating to anyone over 16) contain lots of content targeted at kids, and their rating system is hardly reliable.

The point is, a product like NetNanny can be helpful, but it can’t block content on a SmartPhone, XBOX, or iPod, and it can’t block inappropriate content being sent to your child by friends through Facebook, IM or text. It’s good for younger kids, but older kids will find a way around it.

Tip 7: Beware Grandma’s PC

Your kids are really, really smart. If you place all of these restrictions on them, they are going to start to look for ways around them to do whatever it is they want to do. While you may not be able to prevent them from doing so 100% of the time, you can minimize the damage where they are most of the time.

My mom has her PC in her office in the basement, and she is all too happy to let the grandkids go down there and play on it (it keeps them quiet). It’s down a flight of stairs and behind three doors. My kids can hear her coming a mile away and know they can get away with anything at Grandma’s anyway.

So, my advice, sit down with the grandparents and try and put in some control measures at their house as well. Or, at least restrict your little one’s use of the computer while visiting the grandparents.

Tip 8: Use Security Software

Trend Micro, Symantec and McAfee all make great commercial products to protect your Home PC from different types of malware such as viruses and worms. Most of those products will cost between $50-100 annually though, which may not fit in everyone’s budget. However, some banks provide the software at a sharp discount, and I’ve also seen really good deals on Amazon as well.

Microsoft has an excellent product called Microsoft Security Essentials. It is free for XP, Vista and Windows 7 and works surprisingly well. It can be downloaded for free from Microsoft.com/Security. It’s not nearly as good as the paid options, but it’s certainly better than nothing.

Tip 9: Educate Yourself

The very best thing you can do is educate yourself on the threats that exist and the methods available to you to mitigate them. Microsoft & Symantec both have free products to help you protect & monitor your children online as well.

Microsoft Safety & Security Center

Facebook Family Safety Center 

Symantec Online Family

Finally…

Make sure your children understand that what they say or post online will likely never go away. Even if they delete something, there are all kinds of archival sites on the web that may still keep a copy or one of their friends may “Share” or “Retweet” what they said or posted.

Colleges and employers are getting more and more aggressive in their searches of social media while screening applicants, and they are not always straightforward about it. Ever “like” a business or your school? That action alone gives those schools and businesses visibility into your profile.

Ever “friend” someone you didn’t quite remember meeting? Maybe not, but I’m sure your teenager with 900+ “friends” and applying to college wouldn’t think twice about it… though it could actually be the college or business they are applying to.

So, the rule of thumb in our house is to never say, do, or post anything online you wouldn’t want Grandma to see.