Information Mismanagement – the need for proper Information Security

In this day and age, it is difficult NOT to automate or computerise your business and its data.
Even your receipts are part of an elaborate data capture, retention and warehousing infrastructure that constantly crunches numbers, creating meaningful information in a vast cloud of networks, systems and storage. As such, one cannot run away from the responsibility of protecting that data, which is key to any business in this modern age.

It is nearly impossible to operate a business in total isolation. One might say that he is a petty trader and does not need much information management. Well, you might get into trouble if your books are not in order, your stock mismanaged, your payments unmet, and your cash mismanaged. You can run your business into trouble, or even end up being chased by the tax collector.

Most SME organizations I’ve seen tend to have a very small IT outfit, and treat everything as part of IT’s responsibility. The reality is that the web designer you hired may be able to fix some common IT issues, but will not be able to tell you the real risks of information mismanagement. Your organization gets hit by a worm or virus infection, and you invest in some anti-virus solution. Your website gets hacked, and you just reinstall the OS. After a while, you realize that your competitors seem to know your every move, and you feel helpless trying to move your business forward. It can be convenient to blame the IT Guy, a.k.a. Programmer, a.k.a. Security Guy.

Then comes the crude Information Security program. You hire someone who has heard of information security, put him way down the food chain (or the reporting hierarchy) and expect everything to be secure. The person comes with the standard kit approach: have firewalls, install anti-virus. Spend a little, and get more, maybe? Sure, that sounds reasonable. But guess what? You still get attacked, you blame your security vendor and eventually fire your security guy. Again, that doesn’t sound very workable, right?

You grow further, having a team, but still buried under the food chain. You have people advising you at the project level on your implementations and doing periodic reviews/audits. Sounds good, right? But here’s the problem. Projects have the word COST tied to them, and security is a line item that’s “nice to have”. So when push comes to shove, the line item called security gets pushed aside because the project must go on, whatever the price. Even before the team can say anything, their own boss muffles their voice. Risk doesn’t get documented, and is easily swept under the carpet. (Sounds familiar?)

You reach a stumbling block where things keep failing. You start wondering: is it the people? The process? What gives?

Herein lies the problem with implementing Information Security in an organization. How successful the Information Security program will be depends on the goals of the organization and its level of governance.

For the CEO/Board of Directors, the governance of Information Security needs to come as a mandate for corporate governance. The CEO/Board of Directors needs to agree that Information Security is an agenda item for review (either as a line item by itself, as part of the Audit Committee review, or as part of the Enterprise Risk Management review). Establishing a clear escalation process to the Board provides visibility and accountability for the company’s status, and gives the Directors a clearer view of the organization. Besides that, the Board is assured that the organization is in compliance with the information security/privacy laws that may govern the business. The CEO is accountable at the company level for ensuring that the Information Security program is running, conducting reviews, and ensuring that escalation reports are discussed and closed in a timely manner. Key message here: visibility and reporting.

The CEO also has many other functions, so this particular function is delegated to the CSO/CISO. The CSO (Chief Security Officer) encompasses the two large security domains, namely physical and information security, whereas the CISO (Chief Information Security Officer) is responsible for Information Security controls and governance. When establishing the hierarchy, position and reporting visibility also need to be thought through. The reporting role (both official and unofficial) ensures that the subject matter gets the right attention. In a highly governed environment, the CISO/CSO reports directly to the COO/CEO level and has reporting requirements to the Board of Directors; otherwise the CISO function is absorbed within the Audit/Assurance structure. In a slightly less governed environment, the CISO/CSO reports to a Head under the COO/CEO level (usually under the CIO/CTO reporting line). In other organizations, the CISO role is just a manager role within the large IT/Technology enclave. Key message here: reporting structure and empowerment.

The success of information management in any organization depends on how well information is governed. This is where process and policy come into play. Having a well defined policy (using a standards-based policy like ISO 27002:2005 as a baseline) helps to ensure that you’ve got all your bases covered. But having policies alone does not help. Policies need to be translated into standards and guidelines, and then woven into the fabric of everyday processes. The enhancement of these processes should improve them, while carefully ensuring that business is not disrupted by unnecessary red tape or by throwing a process into a state of limbo. Take time to get the policies reviewed at all levels of the organization; that helps you get buy-in from everyone. Policies are living documents, so be prepared to schedule review processes and to get the documents approved at the right levels (usually the CEO). The review cycle should be kept at one year. Have the ability to enforce new policy requirements immediately (due to urgent business needs) without having to do a full review, as this enables immediate steps to be taken to prevent further issues/damage, but be prudent with this ability. Key message here: properly defined policy which can be adopted into everyday processes.

The structure of the infosec team makes a difference in how the organization’s needs are managed. Understand the roles that other departments play, such as Audit, as they would be performing some of the functions. Having two divisions performing the same function is ridiculous; you might as well empower the right divisions to manage the right responsibilities. Clearly state the boundaries (use RACI charts) of each team, and identify their abilities and functions. Even within the infosec team, you can structure it further. The operational aspect of information security can remain with the operations team, doing the day-to-day operational tasks, whereas the more strategic/tactical roles can reside in a different hierarchy. Key words here: checks and balances, even within information security.

Lastly, the organization itself needs to move as a unit. In some organizations, information security is often perceived as a stumbling block. You’d probably hear more NOs than YESes, or more grouses than actual solutions. In those cases, clearly the organization’s objectives are overshadowed by individual preference. Becoming the solution provider goes a long way in building rapport and getting things done. If you get put in cold storage, you will not move anywhere, nor will you get the right level of participation to see your goals through. Information Security goals must tie back to the overall organization’s goals. In cases where the book doesn’t work, a rational mind becomes important. Establish an exemption process which is a catch-all/release-all mechanism, but at the same time ensure that it’s not easily abused. Hence reporting structure and responsibility need to be clearly established. Key message: TEAMWORK.

Links: Twitter runs foul of FTC

Information Security & Cryptography

Cryptography, or the cryptic art, started off as the art and science of encryption. It is a wide area of research and implementation. You will find it touching a variety of areas: quantum physics, law, hardware design, advanced mathematics, user interfaces and even politics! This makes cryptography an interesting area of study and, in fact, one of the key reasons why I’m personally passionate about it.

Cryptography is one of the key components in the ecosystem. Cryptography by itself is not that fancy or useful; it adds a layer of protection to an existing deployment, infrastructure or functionality. A physical equivalent of cryptography would be a metal lock. A lock recognizes no legitimate owner (some electronic locks claim to), but only recognises the right metal key to open it. The wielder of the key could be anybody, legitimate or not. As I said earlier, cryptography alone is not so useful, but when deployed properly it serves a critical role.

In the current technology world, you’d find that most attacks aren’t really against cryptography (yes, the more learned would disagree, citing rainbow tables and collisions, but that’s another story: keyspace). So the current attacks (such as race conditions and buffer overflows) are centred around other parts of the ecosystem.

Security is only as strong as the weakest link. One can only improve the state of security by addressing the vulnerability of the weakest link. Alternatively, you could use the layered-onion approach, whereby your weakest link is concealed within layers of added security or risk mitigation.

Attacks on the cryptography layer can be deadly. This is because the system can only recognize whether an access is “legitimate” or non-legitimate; it will not be able to detect whether the cryptography is broken or not. It is similar to a burglary: if one pries the lock open, the physical damage to the lock is visible. However, if the assailant picks the lock, proof of the crime is no longer present.

What’s ironic about this situation is that even security systems are vulnerable. The “over-confidence”, and the assumption that vendors dealing in security are “supposed” to be secure, has yet to be borne out. We see reports of security vendors scurrying to patch their systems when vulnerabilities affect a core cryptography component such as OpenSSL (which is used widely, even in router OSes such as Cisco’s IOS and Juniper’s JunOS).

Unlike nature, which is governed by laws of physics like gravity, there are no such laws when it comes to threats to cryptography. One cannot assume that functions will be called properly, that the right types are passed as parameters, or that bounds/limits are respected. As such, writing cryptography becomes a daunting task of ensuring that all factors are carefully considered, and all risks identified and accounted for.

Again, it is stressed that cryptography alone does not make a system secure, just like the widely accepted misconception that having a firewall protects your system. When deployed correctly, cryptography provides key protection to data. However, vendors tend to attempt to implement “proprietary” encryption, which has not gone through the peer review, extensive testing and verification needed to prove the strength and ability of those algorithms.

The reality is that cryptography stands somewhere near nuclear physics. It is extremely difficult, has complex mathematical equations at the core of its functions, and is usually the subject of doctoral studies. It does require a fair amount of effort and understanding of the subject matter.

Operating Systems – Introduction

Operating System Brains

A computer’s heart is the operating system. The core processing is done at the CPU, and it’s only possible if there is an operating system. So what is an Operating System? An operating system is a set of software, written using a low-level programming language (either C/C++ or Assembly).

The operating system is responsible for managing the requests made by software applications, and directing them to be executed via the hardware it’s installed upon. In essence, it acts as an interface between the software and the hardware. You might be wondering, “Why do I even need an Operating System? I might as well code to use the hardware directly!” A valid concern, but your application will not be the only application running. If you need your application to run at the Operating System level, that can be achieved via kernel mode access (which will be covered at a later stage).

So, you need an operating system. But what exactly does an Operating System do?

  • Process Management – makes sure that your applications run smoothly without interruption, and ensures that they execute successfully
  • Memory Management – the CPU can only execute a limited number of processes/applications at one time, and as these applications run, they need storage space to manipulate data. This storage (RAM) needs to be managed so that both the applications and the operating system have their own space.
  • Input/Output – your applications will leverage the existing hardware. As such, the Operating System provides a structured means of accessing these devices (a generic access layer called device drivers) to reach a myriad of hardware without having to worry about the specifics.

Though this is a limited list, most other functionality is some variation of these basic functions. The exact functions will be covered in later blog entries.