Wednesday, March 11, 2009

Drinking beer will make your company secure

Ok, I admit it. That was a shameless ploy to get you to actually read this. But now that I have your attention, would you please give me a few minutes of your time?

Email Encryption – Turn it on.

I know that we all understand the importance of protecting sensitive information, and consequently we all realize that encrypting our email is an ideal goal. Some of us have researched products that can encrypt email transparently, without the end user's involvement. Most of that research concludes that good solutions cost lots of dollars, and lots of dollars is not something most of us have at our security program's disposal.

What would you say if I told you that you may have the ability to encrypt much of your email traffic today without any additional expense?

Just about every major email server used by enterprises today can turn on server-to-server encryption using TLS negotiation (also called opportunistic TLS): the sending server upgrades the connection to TLS whenever the receiving server offers it. What this means is that with a simple configuration change (in many cases literally checking a box on a menu), you can be communicating over an encrypted tunnel with everyone else who also has this feature turned on.

I was asked by one of our business associates to investigate whether our organization had the ability to turn on this type of protection, and to be honest I just assumed that we didn't. I did agree to check it out, however, and guess what: not only could we turn this on, but it was literally a 5 minute change. What's more, I found out that almost every modern email server has this capability; however, it is not turned on by default.

In the past month alone we have been able to exchange a substantial percentage of our total email completely encrypted from our server to the recipient's server, without the need for user education or involvement, without the expense of another turn-key solution, and without the need for extra administration. Of the amount being automatically encrypted, about 90% is business-to-business communication.

The more companies that turn this capability on, the greater the protection we can all take advantage of. Considering that much of the sensitive traffic we engage in is with other health-related organizations in Wisconsin, I thought that this forum would be a great place to start.

Even if you have a solution in place, as we do, that lets the end user press a button to encrypt, and you have a policy in place that defines its use, this extra step significantly reduces the risk of user or software error, with next to nothing spent as the trade-off.

Please investigate whether your company uses opportunistic TLS on its mail servers. If you do, then thanks for being part of the solution. If you don't, then let's work together on this simple step to help ensure that private information stays private and that your company stays out of the headlines.
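A way to do that investigation, written for this page as an added example (it is not code from the original post): the first two functions parse an EHLO reply offline, using a constructed sample, to see whether STARTTLS is offered; check_live() connects to a mail host you name on port 25 and tries the upgrade, reporting the TLS version, cipher, and whether the certificate verified. The host names and addresses in it are placeholders.

```python
import smtplib
import ssl

# Constructed sample EHLO reply (not captured from any real server).
EHLO_WITH_STARTTLS = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP"""


def advertised_extensions(ehlo_reply):
    """Extension keywords from a multi-line EHLO reply.

    Lines start with '250-' (more follow) or '250 ' (last); line 1 is the greeting.
    """
    keywords = set()
    for index, line in enumerate(ehlo_reply.splitlines()):
        if index == 0 or not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split(" ", 1)[0].upper())
    return keywords


def supports_starttls(ehlo_reply):
    """True when the receiving server offers to upgrade the session to TLS."""
    return "STARTTLS" in advertised_extensions(ehlo_reply)


def _probe(host, port, timeout, context):
    """One SMTP session: EHLO, then STARTTLS; None if it is not offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=context)
        return smtp.sock.version(), smtp.sock.cipher()[0]


def check_live(host, port=25, timeout=10):
    """Report (starttls_offered, tls_version, cipher, cert_verified)."""
    try:
        result = _probe(host, port, timeout, ssl.create_default_context())
        cert_ok = True
    except ssl.SSLCertVerificationError:
        # STARTTLS is offered but the cert is untrusted: like opportunistic TLS, still upgrade
        lenient = ssl.create_default_context()
        lenient.check_hostname = False
        lenient.verify_mode = ssl.CERT_NONE
        result = _probe(host, port, timeout, lenient)
        cert_ok = False
    if result is None:
        return (False, None, None, False)
    return (True, result[0], result[1], cert_ok)
```

Opportunistic TLS falls back to plaintext when the peer offers nothing, and mail servers generally do not verify each other's certificates, so a result with cert_verified False still means that hop was encrypted against passive capture, not that the peer's identity was checked.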

So, turn on your TLS, and go have a beer. And if you like this article, you can buy me a beer sometime too.

Steve Dake

Thursday, June 28, 2007

Finally a company that gets it!

I am so happy that I can finally work with a group of people that actually understand business process and the importance of security. On top of that, I've been making the best money ever and have been able to update my home, save money and pay cash for a new Harley (Woo Hoo!!)

It amazes me that some companies would rather live in a constant reactive state, always running around flustered and angry (at everyone except themselves of course), and some companies understand that if you put a little effort up front and think, they can provide the luxury of quality implementations and a huge reduction in unplanned work while greatly improving customer satisfaction....

All I can say is OMG, the company I am with now is first rate, professional and not afraid to put some effort on the front end....

It is hard to believe that here in 2007, we still have the "help desk" God complex where every call means the end users are stupid and speaking in FUD and jargon gets you kudos with the management. They ask, why did so-and-so delete that database, not why was an end user allowed to do so... ahhhh

Anyway, thanks to the great group of professionals that I work with now. Hmmm, security really is more than a firewall and anti-virus... go figure. :)

Monday, February 19, 2007

What a year

Wow! What a year. I left the insurance company to pursue security work where people actually care.

Regarding my last employer: I have never worked for a more sideways company in my life. The IT staff treated me like I was their enemy from day one and it never stopped. Would not respond to emails, failed to show up for meetings, talked sh*t about me behind my back, purposely broke the security policies... on and on, and management would do absolutely nothing. A few of the directors were so disgusted with the IT staff that they would tell their people to not even bother calling in when they had issues. But yet they were powerless. It was literally like working in a time capsule from 1998. Smoke and mirrors and FUD drove any questions or concerns into oblivion. The IT area was led by very junior level admins who would ramble some magical technical jargon until eyes glazed over and that was the end of any discussion. OMG, it was like punching myself in the face every day, all day long.

I was "way over the top" when I suggested that perhaps they should consider changing the admin level passwords when some of them were 2, 3 and 4 characters long and hadn't been changed in years. These were to servers! They would push out untested changes to the company completely unannounced and treat people like they were stupid for calling in and asking why their PC just rebooted and they lost all of their work. It was absolutely unbelievable.

Now I am working as a consultant and couldn't be happier. Besides making more than double what I was making, I now work with people who are professional and treat others with respect. Discussing security topics is considered normal and not an invitation to a fist fight. Directors and management welcome my input and have the ability to act. Some areas of IT still drag their feet, but they come along eventually, realizing that there are business drivers for the changes that are taking place and that millions of dollars worth of contracts can be lost from not being in compliance with their contractual agreements (one example).

Watching some organizations begin the process of growing up and developing change management solutions, secure application development, security awareness training, and on and on... some people get it, some people don't.

In speaking with other security professionals I am finding that this is apparently common. I worked for companies in the past who were very mature and had their processes down. So, it was a complete shock to me.

I did learn several things while I was there. One of the most important is to pay close attention to the way the organization is set up: its reporting structure. If they want someone to "build their security program" and be responsible for all of the security for the company, you really should not be reporting to the Help Desk Manager / Technical Services Manager. There is a conflict of interest there. They are rewarded for speed and ease of use. Convincing them that we need to begin the security process in the requirements phase of any relevant effort was seen as unnecessary and something that could only push out the end date of the project. Nothing related to security gets much attention.

Another thing I learned was that you really need to take a close look at the culture of the company. If it is "old school" in the sense that they only recognize people for fixing things, then people will not be putting a whole lot of thought into design and planning. Why should they? It slows down the quick fix. Also, if it causes more problems, then to them it creates more opportunities to get a pat on the back. These reactive cultures tend to focus on "whose fault is it?" and "What are YOU going to do about it?" rather than doing things like bringing in business areas to fully define the business requirements ahead of time, providing quality testing, and documenting for future reference and lessons learned. Also, look at the general morale... the funny saying "The beatings will continue until morale improves" comes to mind. :)

Another very important lesson was to look at the annual bonus program or other incentive processes. Why? Because if people are not rewarded for contributing to corporate goals, if it is not tied directly to their incentives, then they will not do anything extra. Why should they? They will be paid the same regardless of the extra work involved in working with security to improve the controls and bring the company closer to compliance...

Friday, July 28, 2006

The meaning of words


The hardest part of developing policy is not the meat of the content. It is not defining what you want to allow or not. It is not the tone in which to write. It is by far the hair splitting over the true and perceived meaning of words. "This may be interpreted as meaning this..." "That sounds too harsh" "will is so demanding, let's use may"... UGGG!

Take today for example. We have been working on the Acceptable Use policy for months and it is due today. This morning I get an email from someone regarding a paragraph that has been the same this whole time:

"Failure to understand and adhere to this policy will result in disciplinary action up to and including termination of employment. "

Sounds pretty straightforward, don't you think? The following is that discussion (names removed):

My only comment is regarding section 5.0 Enforcement: The wording "Failure to understand" seems problematic. I feel this whole sentence should be looked at again and perhaps reworded.
Due to the complexity of the policy, the word "will" should be changed to "may". There could be a number of situations that arise that are completely innocent, just a matter of a lack of understanding.
Suggest something like "While it is not intended to be, nor can it be, all inclusive, it does provide guidance and indicates some fundamental policies that all employees will be expected to know and follow. Failure to do so may result in disciplinary action up to and including termination." This sentence is from our original Electronic Communications policy.

My Reply:

I understand your point Kathy. I think it is a good one.
I agree that we would not want to be in a position where we are forced to unjustly punish people who make a legitimate mistake based on ignorance or otherwise. We also have no intention of making ignorance a punishable offence. (Guilty as charged!! :)

With that same consideration, I am sure that you would agree that we would not want to give the impression that these policies are merely a list of suggestions.


I feel that we would all agree that the individuals who have been given the authority to enforce the rules at NGL are not likely to become mindless zombies in the face of this or any other internal policy. We all should understand that some infractions may be completely innocent and the powers that be should be encouraged to make a just determination.


The policy does not state that if you fail to comply you will be fired. On the contrary, "up to and including termination" is the entire gamut from " nothing at all " to being fired. So if one reads that with the extreme in mind, then perhaps they tend to be more encouraged to follow the rules. (not entirely a bad thing)

I would like to offer the following wording which I feel removes the ability to punish non-intentional infractions, removes ignorance from being perceived as a punishable offence, yet still provides the tone that the policy remains enforceable:

FROM:
Failure to understand and adhere to this policy will result in disciplinary action up to and including termination of employment.
TO:
These policies are intended to be understood and followed by everyone employed with xxxxx. Intentionally failing to comply with this policy will result in disciplinary action up to and including termination of employment.


after more discussion we settled on this:

If I understand correctly then this should be ok:

These policies are intended to be understood and followed by everyone employed with xxxxx. Failing to comply with this policy may result in disciplinary action up to and including termination of employment.

too much fun for a Friday...

Thursday, July 27, 2006

Responsibility without power


I recently began working as the CISO for an insurance company. They have been around for about 100 years and are still very old school in their culture. With this culture they are very reactive and not big on analysis or planning. My position was new to them and so there was, I assumed, a lot of room for growth and defining the role. It seems that I am finding out that this is not the case.

I am writing this so that others who may have the opportunity will be able to learn a little from my mistakes. The first clue to this situation should have been in the structure of the organization. The CISO reports to the Technical Services Manager. This position, as it turns out, is nothing but a glorified Help Desk Supervisor who in turn reports to the VP of Actuary/Technology. Now neither of these people knows much regarding technology and even less about information security. The fatal flaw of having a position like mine reporting to IT is simple. IT is most concerned with speed, ease of use, and functionality. They do not want to hear about anything that will cost performance, time, or IT budget dollars. I have been made fully responsible for all things security, but have not been given any authority to do anything other than to offer suggestions to the IT department. Not good. Needless to say, the vast majority of my input is ignored while at the same time I am being asked to prove my value to the company.

To make matters worse, I work with "administrators" who are junior level at best. One is about a 2nd level help desk tech and the others are excited to figure out how to map a drive on the command line... pathetic really. Anyway, from day one there has been a sense of disdain toward me. No longer will the smoke and mirrors that they have relied upon work. I ask the right questions and know when they are full of shit. They hate me. I have tried very hard to be kind, thoughtful, personal, etc. but they will not return messages, blow off meeting requests, ignore instructions, and on one occasion, during the first month, I was threatened to have my ass kicked by one of the help desk techs simply because I tried to engage in a conversation they were having regarding a possible virus that may have infected the company network.

Although these incidents have been reported, they are left unpunished. This is the most bizarre place I have ever worked. In fact, I feel like I have stepped into a time machine and it is still 1998 there. "We have a firewall and anti-virus, so we are secure". Help me Mr. Wizard!

Questions:
How do you get people to care about security when you have no authority and they are not punished for ignoring policy?
How do you change the structure of a company so that you can report to the level you need to?
When is enough enough – I hate to quit, but I need to look at my sanity. I am losing my passion.

Thursday, March 17, 2005

The doom of biometrics

I understand how exciting it is to get a new toy, especially new technology. However, some things quickly outlive their usefulness. It is my theory that biometrics, as a sole form of authentication, will be a flash in the pan.

On the outside, it sounds like a great idea. Use something that is unique to yourself as an authentication token and voila, no more worries of having to remember long passwords. The problem is that at some level, even if we go to the machine level, these scans are being converted into zeros and ones. The issue that I see is that these pieces of code can be captured and reused. So now we have a Trojan, or fake GINA, or sniffer of a new breed, and I replay your binary equivalent of a fingerprint. Now what are you going to do? Change your fingerprints? Get new retinas? It's just not practical.

Oh I know, but you work at XYZ Corp, and they are all about security, they protect everything, it's all encrypted, it's all safe. Well, how about the near future? How's security at Willie's Hot Dog Shack? How about Burger Queen? Or Wal-Lots? Remember that convenience of only having one authentication piece? I don't have to hack XYZ, I got your fingerprint from the fake ATM reader that I temporarily installed. Your fingerprint is your fingerprint. Now you're done. It's like the issue of credit card numbers today. We use SSL on the transaction and tout the security at POS, but the problem is, that's not where the numbers are being stolen. They're being stolen from the databases that we keep that info stored in. Ooops.

I like being able to change my security token (or better yet, having it change whether I like it or not). For now, give me a long password and an ever-changing security fob, USB certificates... But please, no retina scans or fingerprints. I think it's just too easy to be added to a national database as it is. This information should remain private.