The link Between a Company’s Supervisory Board and its Security Strategy

Posted on 20. February 2014 by Joerg Asma

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or Social Networks companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time it is not effective any more. Having a huge number of mobile devices in place, using various storage systems within the enterprise or outside and the demand for flexible and fast collaboration with clients, partners and suppliers nobody is able to predict where a certain piece of data is right now, how often it has been copied or will be tomorrow.
It is just a fact that business critical information does not reside within the perimeters of the enterprise any more.
Given this fact a company can protect its perimeters with huge efforts and be almost save, a weak system outside the enterprise like a social network or a pubic cloud system destroys all efforts of protecting the assets by preventing intrusion in the own infrastructure. The enterprises are simply not in control of prevention system any more.
Another challenge is the complexity of of attacks against enterprise infrastructures. Nowadays more often zero day exploits and strongly customized malicious code is being used, applying advanced persistent threat techniques which leads to the situation that most of the high sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention system or firewalls.
These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? This means that enterprises have to improve their ability to register anomalies in the data flows leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

Time to detect a security incident caused by APTs or other high sophisticated techniques
Time to fix the issue

Especially the time to detects requires companies to have intense monitoring capabilities in place to ensure reliable detection. By building these capabilities not only the requirements of companies are in scope but also the personal rights of employees are affected. A company going this way will need to have trust within their working councils and from my perspective it is even better to integrate the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory boards requirements to monitor and give advise to C-Levels, a few questions have to be clarified:

Does the internal control system of the enterprise reduce the risk of exposure of employees and management against threats from the outside (e.G. Use of eMail, websites, unknown documents)?
Is a reporting system in place to to indicate potential threats and suspicious activities?
Does the enterprise have a stable detection system in place to uncover security incidents?
Did the company test the effectiveness of detection techniques and includes the results in a continuous improvement process?
Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options in place to improve security, deal with liabilities of board members and the supervisory board and drive efficient security measures.

I would suggest to keep an eye on two work streams:

Switch of non effective security measures that simply address prevention – Just talk to me and I will assist you to go this way based on a success fee.
Establish a process too ensure that materiality and severity of security incidents becomes transparent to board members and their supervisory boards to ensure conformity to financial reporting standards.

Just in case that you do not believe that security is to be reflected in the financial reporting you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the Regulators of the US to have not properly addressed this issue!

What is the bigger threat? Employees or hackers?

Posted on 19. February 2014 by Joerg Asma

Years ago I read an FBI survey on security incidents and a root cause analysis. I didn’t find it again (if you have it – please send it to me) but I can still remember that it said something like almost 70% of security incidents have been caused by employees.

The last survey I found from the United States Secret Service named “2013 US State of Cybercrime Survey” says that only 21% of cybersecurity incidents have been caused by current and former employees (T here is a summary availabe from PwC in the US that helps you to avoid reading all this stuff).

Nevertheless I found it really difficult to qualify these information and have a more solid foundation of sources that helps me to better understand and to better argue with my peers.

But as time went by and big data is not just a buzzword but real applications are available I found a website I desperately want to share with you. They analyzed hacks and other security incidents and built categories to classify these hacks.

The result is a really meaning- and beautiful visualization of security breaches and their sources. What strikes me is the possibility to slice and dice industries sources and size of the incident and get a visual presentation.

I believe that this is one of the most advanced ways to present these figures without leaving room for arguing if the numbers are correct or not. They are simply based on press releases!

My suggestion: Read it and play with it! Click on the graphics and you are forwarded to the website. Enjoy it!

Btw: They also disclose the source of information that leads to this fantastic visualization: Click me!

They got me!

Posted on 29. November 2012 by Joerg Asma

Being a security professional is sometimes a difficult thing. Everybody expects you to be wise in terms of security, threats, knowing all different kinds of attacks and so on.

Being phished yourself as a security pro will make people worry even more and they ask seriously how this could happen.

As mentioned before I was phished some days ago and I would like to give you my lessons learnt so that you might be slightly more carefully than I was.

How Was it Done?

I received a direct message from somebody I trust. A colleague. Usually phishing mails – or tweets – are written in a way where you can see that something is wrong. Not in this case because what I learnt from his tweets is that he has a certain way of tweeting and accididentally his way of tweeting matched this direct message.

I was directed to a facebook app which seemed to show twitter videos – whatever that means. It looked like I was not logged into twitter so I tried to log in – and my user account was captured.

Three days later somebody wrote direct messages to my twitter followers asking them to log on to the same web page. I saw that something was going on and changed my password so not all of my followers received this direct message and I sent out two public tweets saying that my account was phished.

What I could have done better?

It is a bad idea to enter social login credentials into an app. When using oauth the machine receives an access token and this may be used y application. There is no need to enter credentials any more. So use the native applications itself to authenticate and do not enter anything anywhere else.

I looked at the facebook application later and found that it looks really similar to the twitter login application. I reviewed the code of this application and saw that it was linked to an external webserver with a real strange name. That should have worried me.

My conclusion is: If I do not know a facebook app I should verify where it comes from and look at the code which tells you where the server is. The easiest way is when opening the sourcecode window of this website and then you will see the server name in the text edit headline. If it looks strange, stay away!

Two very simple things to make yourself more secure.

What did I do else?
You also should verify the apps that have a trust relationship with twitter just in case that anybody installed something there. If you don’t know an app, revoke its access.

Furthermore change ALL your passwords that have the same password as the phished application.

Last but not least: Communicate open that you have been a victim to stop the infection of your followers.

The “traditional” Software Industry is loosing their key to the Internet

Posted on 10. October 2012 by Joerg Asma

Those of you who already read one of my articles might have already realized that I am looking at the pain points of our environments with a focus on security. One thing that is driving me crazy is what is happening in the internet with regard to its usability and convenience having an impact on our social structures, society and industry in terms of authentication.

In my articles “Next Generation Security” and “Theorie about securing passwords” I have written about social networks being the authentication provider of the future. I still believe in this statement and I am even more convinced that there is a remarkable development when considering the impact on the software industry.

I believe that authentication is the key for the use of the internet. Everybody is talking about personalized content, user generated content, tagging and much more. All these mechanisms need to rely on a good and strong user authentication. Facebook, Twitter, linkedin and all the other usual suspects are there to offer their services.

I don’t exactly know the numbers of managed user accounts by traditional IAM (Identity and Access Management) suites but when it comes to the use of the public authentication providers I believe there are more users on the internet managed by Facebook & Co. than in private environments.

It is absolutely surprising that all the big names in the IAM market have failed to develop services delivering a strong and reliable authentication to internet users. They failed to realize that consumerization of IT increases the demand to also deliver authentication services to end users. If you want you may name it Infrastructure or Software as a Service. Very quickly we realize that we are talking about cloud computing services. Almost every bign(and traditional) IAM provider has also a cloud service offering which could have been a key to those customers that now need to rely on Facebook & Co.

If you may follow my line of argumentation you will agree that the key to internet applications is already in the hand of the big social networks.

Let’s try to anticipate what happens if nation states succeed to establish authentication services for the Internet Protocol stack. This means building global authentication systems for each and every device with access to the internet.

What would this mean to private in-house authentication systems? Right now I can’t imagine who might be able to deliver these services which I would name “Key to the Internet“. Right now the traditional software industry has not even tried to get this key into their fingers.

But stop – that’s not correct. Microsoft tried to established an authentication service – and failed due to the lack of value added services.

Social Media – C-Levels Tricked and Trapped

Posted on 30. September 2012 by Joerg Asma

During various conversations at the dmexco 2012 in cologne I realized that Social Media Risk Management already hit the boardroom but almost nobody is aware of it. So was I!

The reason why I believe that social media already reached the boardroom is so simple and so complex at the same time.

Almost everybody knows that you need to be active on social media. As social networks and social media is constantly gaining more and more power it is the ultimate source to solve a couple of challenges companies and their C-Levels experience:

Marketing Efficiency

Who wants to spend millions for marketing campaigns some really enthusiastic and creative brains build without giving you the tools to find out how effective your campaign is.

War for Talents

New employees are the lifeblood of every professional services firm. Attracting the right people and retaining them is key. But how do you do that? Go social! Young people leaving university and school have an incredibly huge social media competence and define themselves different than people like I did at their age. During interviews with potential candidates for our firm I had to realize that the questions I am asked are different than 10 years ago. People ask for BYOD, Smartphones, Work Life Balance Concepts, Mobility Concepts and much more. Most of the time they already used social media to inform themselves about my company. They even do not use our website, but they use facebook and twitter. So going social is not optional! It’s mandatory and therefore it’s a boardroom issue. The C-Suite usually approves this “HR stuff”.

CRM

Is customer relationship management an application to plugin to you ERP system or buy a monumental application that stores all your client data. I believe we will see distributed CRM systems in the future. These are the Facebook profiles, twitter lists and Xing / linked in groups which are the data marts for future CRM systems. Right now most of the professional people, being active on social networks, maintain not only private but also business contact lists and support sales and delivery through these channels. It became more viral than most of the non social networking C-Levels believe. In the end it means that you need to rely on those people acting in social networks and facilitate sales and generate leeds. In most of the companies (especially the professional services firms) this is done unintentionally and the leaderships are overwhelmed by the “new” opportunities that arise.

What is the conclusion

You might ask yourself or me why a blogger about security and risk management writes something about CRM and war for talents and what this has to do with Social Media Risk Management.

As I already said it is simple but also complex. Everybody accepts that social media is in important factor in people’s life and business matters. We design campaigns for our businesses. We sometime try to enforce social media policies. But do we really think that there is a difference between private and professional social media? We think so but it’s not! People have to disclose which company they are working for or they should not write one word about this company and stay private.

When asking people about their profiles on social network sites like facebook I very often get the answer:

Uuuh good question, but I am prepared for this! I arranged this in a propper way: facebook is used privately and linkedin is used in the professional part of my life!

Sounds reasonable but reality looks different. If you look at those facebook profiles you see that people disclose their company name and their position in the firm. This is the moment when a private account is not private any more. In Germany there was a law suite about where the judges came up and said that the use of a company name and maybe writing that you want to get (business contacts) is sufficient to assume you are not a privateer and that you have to behave professional.

Following this argumentation the C-Levels need to be in control over what their employees do just in case a third party cannot find out ad hoc if a person is a private or a professional person when looking at posts or their profiles.

C-Levels need to have an overview, who is acting as an employee of their company (even when knowing it). And last but not least it means that C-Levels have to enforce and monitor the use of policies in these open spaces. Right now I believe that boardroom members do not realize that they have to extend their control to social media or tell their people that they may not act on behalf of the firm and have to stay strictly private.

But who wants this? Nobody! You would loose the viral effect of social networks!

I know that this is a provocating statement but I absolutely believe what I wrote. Any comments are highly appreciated.

A theorie about securing passwords

Posted on 15. September 2012 by Joerg Asma

During the last years I was really impressed what happened with the internet. Maybe you don’t share my view but I got the impression that content is becoming richer. On the other hand the curators of these rich websites want to “own” the user by simply knowing him or her and ask new users to register.

There is nothing to complain about but there is no common sense on the internet about password complexity and you sometimes see really strange password rules for very simple content.

What happens? You register and you try to harmonize your passwords across different platforms. In the end you are not successful and have a couple of different login credentials you cannot remember at all. One day I counted my login credentials I have to login to different websites (Facebook, twitter, linked in, yahoo, google, banking, asalavista.net and so on). I stopped counting when I reached 30 websites with around 2 different login credentials. I am using a password safe I have written on my own, but others are using open source or public domain software without really knowing what it does with your passwords.

I believe it is a better idea to have one public authentication provider which is widely spread and that has a big interest in safeguarding the identity of the users.

I found a good article / infographic at gigya.com showing the market reach of Facebook, twitter, linkedin, yahoo and google.

It was no surprise to me that Facebook seems to have most of the users – and websites. But it was a surprised that Facebook already covers 37% of the business websites seem to use Facebook connect. I started to review most of the websites I am using and found that most of them already have a facebook connect button and some are offering multiple login buttons (Facebook and twitter or Facebook and linkedin).

Think about the idea that you only login once into your Facebook account and the rest of the websites you use can use this authentication to identify you properly. I like that idea very much because it would help me to use one single and very complex password instead of dozensof passwords which are not that complex.

Some people might now say that it is not a good idea to use Facebook because they are considered to misbehave in terms of privacy and I fully agree with this. But for using Facebook as identity provider you do not need to tell them everything about yourself. You do not need to share pictures, do not need to press the like it button or need to connect to other people or use Facebook apps.

In the end I believe that there is hardly any other social website than Facebook that has this interest in maintaining the integrity of your digital identity. There is one simple reason: If they don’t know you, your profile has no value. The value of the entire Facebook profiles reflect the value of the Facebook brand. Remember Facebook’s IPO and you will understand what I mean.

Think about it! Mabe you’ll like the idea!

Some words about Security in the Cloud

Posted on 12. August 2012 by Joerg Asma

The security of cloud services has been the subject of heated debate and neither side is giving an inch.

One side claims cloud computing harbours uncontrollable risks and warns that we may well lose control of our own data; to them, every new security incident is grist to the mill.

The other side sees cloud computing as the way to higher security through the increasing industrialisation of IT services.

Both lines of argument have their merits. We can naturally expect a greater aggregation of data at certain providers as IT continues to industrialise. If a security incident were to occur in this situation, the assumption is that larger masses of data and even more enterprises could be affected as well. Inasmuch, the damage caused by a security incident at such a provider would be greater than the damage ensuing in the individual operations of an enterprise that has outsourced its data and services to that provider. And there is another factor that makes the impact look even worse. While in-house security incidents are almost never reported (unless required by law), not so for the processes that many enterprises have contracted out to this provider. There will be no mantle of silence to cover up a security incident that affects so many enterprises and causes so much damage.

Deciding which side is right will depend on business indicators which we simply do not have at this time because they do not have to be reported in today’s regulatory climate.

Yet one thing is clear: the need to establish a systematic approach to secure our own data and processes.

That makes it indispensable to learn how to integrate our technical and business situation with cloud computing. As part of the big picture, (Cf. Chapter 3.3.1) cloud computing can be seen in the context of other hot topics.

The basic tendency is to try to prevent security incidents. That goes not only for cloud computing but also general business practice. To achieve that goal, we must clarify and understand the risks associated with cloud computing. That is the only way to do justice to the idea of Prevention.

Significant risk management parameters are ‘impact’ and ‘probability’. As the probability may be low, but not ‘nil’, an effective process must be established comprising two component to deal with actual risks:

Detection
Reaction

Detection is the process of flagging security incidents. Various studies show that only about 50% of all security incidents are detected within a week, while the rest are only discovered much later. Cloud computing complicates matters further.

Detection of a security incident must trigger a suitable reaction. Given the changing architectures in cloud computing, the procedures for obtaining legal evidence of security incidents are subject to change, and both enterprises and the courts have yet to follow suit.

Look at the big picture and understand that the management of identities and authentication for a user’s cloud ecosystem is a not-to-be-underestimated strategic factor.

Next Generation Security – See how Facebook, Cloud Computing and Tablets change our lives!

Posted on 31. July 2012 by Joerg Asma

The use of IT has gone through radical change in recent years and will see increasingly radical change in the future. More and more enterprises are getting involved in the opportunities and risks of cloud computing in all its different forms. This would therefore be a good place to clarify what other hot topics would be wise to consider in the context of cloud computing and what this will all mean for information security in particular.

For instance, seeing cloud computing in connection with Bring Your Own Device (BYOD) and social networks – two of the latest IT hypes –can be particularly exciting as this raises new information security issues.

The first question is why there has been so much hype around BYOD and how it relates to cloud computing.

Given the demographic shift, the related lack of qualified experts and the resultant general employee situation among today’s enterprises – a veritable job-seeker’s market – it is now more important than ever before for enterprises to take the needs of their employees to heart so as not to lose sight of the target markets. New employees are attracted to enterprises that have their individual, personal needs in mind, while long-time employees expect their employers to offer an evolving personal working environment that keeps pace with the times.

By now, the use of consumer devices has grown to become part and parcel of an attractive working environment. An IDC study from 2010 shows that about 95% of all employees also use consumer devices. So it is only logical for them to want those devices to be more integrated into the business structure. That integration is increasingly made possible by web based services, which are provided as cloud services.

One good example is the provision of storage capacity, which can be accessed through enterprise devices, consumer devices or a range of general device types. Cloud services make it possible to use to these consumer devices all at one and the same work location. This is also evident from the number of cloud users: since the launch of Android-based consumer devices in 2008, public cloud computing services have grown. While this trend might not be directly attributable to the new generation of devices, the statistics show a define connection.

By analysing different studies on cloud computing (e.g. Cloud Monitor 2012 – http://bit.ly/CloudMonitor2012) one can conclude that public and private cloud services, in spite of the difference in popularity between the two cloud types at present, will converge in the future. The hybrid cloud will therefore be the de-facto cloud model of the future.

The proliferation of social networks can be seen as another phenomenon. While we see different social networks, whose business model is based on actual ‘networking’, the ‘main players’ in this industry see the network as a means to an end to generate large numbers of users. These are then marketed (e.g. advertising) as the actual value added. In particular, some networks have specialised in reusing the identities in their database for authentication services. Facebook, Twitter, Google Yahoo and LinkedIn can be cited as the main examples. Who the market leader is depends on the field of use (http://info.gigya.com/identity.html). Facebook and Twitter almost always range among the top three.

Banks, mobile telephone providers or government agencies would be more likely candidates for B2B authentication systems given the confidentiality issues. And yet, Facebook has grown to become the leading provider of authentication systems (Facebook: 39% market share followed by Google with 19%, source: Gigya, 14 July 2012). In the first year of Facebook Connect alone, Facebook had signed up 80,000 websites and continues to sign up about 100,000 website a year. That social networks have become the dominant public authentication providers is something we simply cannot ignore.

So what do BYOD and social networks mean for cloud computing? Assuming that the proliferation of mobile consumer devices will promote the growth of hybrid clouds, it will likewise be necessary to use authentication providers that support authentication across the widest range of different platforms, both public and private. That is exactly what the social networks are pushing for here.

If we follow this logic, we also see a change in the need for information security.

Neither social networks nor public clouds can be swayed by enterprise security measures. Security in the sense of conventional border defences is only effective to a limited extent. That makes it increasing important to protect enterprise value while being able to react effectively to security incidents in cloud environments once they are detected. In the end, the data – whether stored on mobile consumer devices, social networks or in a cloud – are owned by company management. They remain responsible!

This results in three main aspects, which are dealt with below:

Prevention of security incidents through risk-oriented measures
Detection of security incidents
Effective incident reaction