Monday, July 27, 2015

Why security leaders must seize the opportunity to implement cloud and improve security

This article first appears on CSO Online, on 7/16/2015.

There is no question the rate of migration to cloud computing continues its meteoric rise. Eighty two percent of enterprises have a hybrid cloud strategy, up from seventy four percent in 2014 (RightScale State of the Cloud Survey, January 2015). As this shift lumbers ahead, security remains a major barrier to cloud services adoption.

A recent CloudPassage survey of more than 250,000 respondents indicates that seventy one percent are planning or have implemented some kind of cloud environment. Almost half of the survey respondents said that cloud security is a barrier to cloud adoption, while forty one percent identified data loss or leakage risks as concerns. And nine out of ten respondents indicated they are moderately or very concerned about public cloud security.

Is this a problem for IT security leaders?

I think it is a great opportunity to champion the move cloud computing for three chief reasons:

  • Cloud computing and services free existing resources to focus on governance, management, and strategic planning 
  • IT security can help the business make decisions focused on risk identification and reduction 
  • Helping to lead this change reveals IT security to be part of the solution, not a hindrance, thus justifying a “seat at the table” in the boardroom 

Time and the marketplace have revealed that in most cases, cloud providers are operating more secure, more scalable data centers.

First step: overcome resistance 

In my experience, most resistance to the adoption of the cloud stems from internal fatigue, borne from the increased pressure to deliver faster and better with fewer and fewer resources. It is easier to fret about the availability of resources to manage daily operations than to spend mental energy planning for future needs. Most leaders – and their companies -- need help justifying the change of gears necessary to move from operational planning to strategic planning. For cloud computing to be truly successful, organizations require a methodical adoption strategy. Specifically, the plan of action must take into account the risks while reaping the rewards. It is critical to understand that ad hoc, untested methods of utilizing cloud services result in increased risk, expenditures and liability.

Map your criteria to expected benefits 

 I believe IT security leaders need to jump beyond these challenges to cloud adoption, by mapping a logical strategy and criteria for justifying, selecting, and facilitating cloud services deployment. This plan helps those in a leadership position divorce themselves from what I perceive as commoditized administration tasks in operations, in favor of focusing on governance and risk management, strategic planning, and oversight. Let us look at how developing a solid plan for cloud services will help IT security professionals lead the charge.

One easy-to-understand strategic approach is to define the benefits of cloud adoption as an offset of operational tasks. Frequently cited as a means to reduce costs, shunting the daily security operations functions to a cloud services provider is a wise move. Delegation can allow IT security leaders to free up team members who may be focusing heavily on security patching, vulnerability scanning, compliance validation, user revalidation, and other repetitive tasks. These same resources can now pivot in more strategic roles, governing the patch management process; evaluating the results of continuous monitoring; ensuring that user management aligns with the business’ objectives. As we are constantly asked to do more with less, does it not make sense to utilize our full-time staff properly, by executing projects and initiatives which add business value?

A second method for leading your IT organization to the cloud is to correctly identify the benefits associated with adoption of this new model of computing. Many assume that risks will increase when moving a service or function beyond the company’s traditional boundary. I advocate utilizing the NIST Cybersecurity Framework for IT security teams that are just starting a risk management program. It combines recommendations and best practices from COBIT, NIST 800-53, ISO 27001, and other standards while outlining a common language for risk management. Using a reference such as this will help IT security leaders clearly articulate how cloud adoption will affect risk. I believe that in many cases, overall risk can be reduced by providing services from a cloud provider.

Finally, IT security leadership must be seen as a critical enabler of business value. With respect to cloud adoption, the leader must ask himself, “how can we focus on what our business does best?” Many would agree that cloud services and technologies bring speed, agility and flexibility to businesses. And licensing what a business consumes versus having IT service what is consumed removes the need to continually upgrade and maintain product lifecycles. The business value statement revealed is that IT, and specifically IT security, can focus on the strategic planning needed for the future. This level of acumen brings security into the realm of managing the organization, ensuring that those in the boardroom appreciate the value IT brings to the table. Security leaders must seize the opportunity to reap the rewards To conclude, IT security leadership must promote the adoption of cloud technologies or run the risk of being marginalized. Rather than reacting to what I believe to be an inevitable shift toward a new computing model, IT security professionals have an amazing chance to lead their organizations toward what Gartner calls digital business. This requires the shifting of security operations and other repetitive tasks to cloud services, properly identifying the real risks and opportunities to offset them, and communicating the business value of cloud computing to the organizations leaders.

Sunday, June 28, 2015

SSL is officially dead

Shower thought: if SSLv3 is now officially deprecated, why do we continue to say "SSL" when we really mean "TLS"? I guess there's no really good answer, other than habit.

Anyway, if POODLE wasn't enough to scare you away from SSLv2 and SSLv3, check out this good site that provides all the instructions you need to disable older protocols and get to TLSv1.2.

Wednesday, December 10, 2014

Holiday spam

This is a message I received today from "Target". I use quotes because this is obviously spam.

Why, you say? Well, beyond the fact that Google categorized it as such, I want to point out a few things about this specific message that can help you identify a suspicious message.


1. The "from" address is clearly not from "target.com". You should always be suspicious of an address with a Domain that does not match the sender. This is your first -- but not only -- indicator of the validity of this message.

2. Delivery date doesn't match the message. Now, I received this message in mid-December, but it talks about Thanksgiving soon approaching. Certainly, a company like Target wouldn't make such an erroneous mistake. Big companies have entire groups of marketing professionals to ensure goof-ups like this won't happen.

3. Funky logo in the message. If you are familiar with Target, you'll know that the logo above is not what Target uses. This is a clear warning sign of a suspicious message.

4. Hyperlink does not go to "target.com". This is the very best evidence that this e-mail is malicious. I've highlighted the actual link at the bottom of the picture above. Because the link doesn't take you to "target.com", you should be extremely cautious about clicking on it. In this specific message, the link redirects to a Web site that downloads a virus to your computer, then redirects to the actual Target site. The objective is to fool you and to infect your PC so it can be used to attack others.

For even more advice and tips, review this good document (PDF) from the U.S. Government's Computer Emergency Response Team (CERT). 

Thursday, December 4, 2014

How not to get hacked

The article "How not to get hacked" appears in entirety on CNN Money. I've recreated it in bullet form and added some embellishments.

This article is a good reminder of the basic security protections you need to have in place, especially as we begin the holiday shopping season. OK, you probably already started... So review these tips!

  • Don't be stupid. Avoid bad links, don't visit questionable Web sites, don't fall for phishing scams, and don't download from unknown sources.
  • Use different/smarter passwords (help with that?).
  • Be careful what you store.
  • Use protection, including antivirus software, secure connections (HTTPS), and two-factor authentication (2FA) where possible.
  • Keep your software updated.

These tips are not a 100 percent complete list of everything you need to do, but it gets most of them right.

Friday, November 21, 2014

Recent retail data breaches may be related

I love reading Brian Krebs' articles; he's a very informative investigator. A recent blog article entitled "Link Found in Staples, Michael's Breaches" shares some very interesting news about recent breaches at Michael's (April 2014) and Staples (October 2014).

In both cases, malicious software was installed on cash registers and similar point of sale computer systems, which was then used to exfiltrate customers' credit card data. In the case of Michael's, the breach persisted over many months.

What Krebs has shared is that for both these incidents, the malware was identifed as communicating to the same command-and-control infrastructure - meaning, the same party is likely responsible.

The prediction by many security professionals is that we'll see more breaches as we get into the Black Friday/holiday shopping season. There are lots of great tips on how to avoid fraud this time of year; here is some great advice from IBM1:

"As the end of the year approaches, so do two of the largest holiday seasons in the United States - Thanksgiving and Christmas. The Friday after Thanksgiving has traditionally been one of the largest sales days for retailers. Many retailers offer huge discounts for shoppers on this day. This year, many stores are offering similar discounts far in advance of "Black Friday", as it is commonly known. Criminals are well aware of the extra retailer advertising and seek to exploit shoppers seeking lower pricing. This could be through phishing emails offering "deals too good to be true", misleading advertising, or fake charities. Infected point of sale devices is also becoming more prevalent, ever since Target's breach last season. We advise our readers to use extra caution this holiday season and "think before you click". A malicious URL could lead to malware. A fake website could be a ploy to steal money you intended for a legitimate charity. While the customer does not have the means of detecting an infected POS device, they can monitor their banking and credit / debit card statements for malicious activity."
At this time of year, it is good advice. You may also want to read up on how to protect yourself when using public WiFi.

1 Disclaimer: I am employed by IBM but the views and opinions shared here are my own. 

Saturday, October 11, 2014

Back from a hiatus

Well, I'm back to blogging after some time away. I have stopped and started blogging several times, and thus some of my older musings are now lost (no biggie). But it turns out I do have things to say and they require more than 140 characters. So, I'll give it another go here.

Thanks for sticking with me, friendly reader...