
Exploring the science and magic of Identity and Access Management
Wednesday, November 13, 2024

New Word for Today: Idoneous

Humor, Information Security
Author: Mark Dixon
Friday, February 1, 2013
5:52 pm

My Dad once told me, “If you keep your eyes and ears open, you’ll learn something new every day.”

Today, I stumbled across that new thing on Twitter. Thank you @rmogull, for pointing out @451wendy’s blog, “Idoneous Security.”

What a great word! It describes just how much security we need – the appropriate amount.  Not too much, not too little, just idoneous.

Plus, for good measure, Wendy’s blog post today was hilarious.


Report: Mitigating Insider Threats

Information Security
Author: Mark Dixon
Friday, December 14, 2012
1:42 pm

A colleague referred me today to a long, but very useful technical report, “Common Sense Guide to Mitigating Insider Threats, 4th Edition,” published in December 2012 by the CERT® Program at Carnegie Mellon University.  The report abstract states:

This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University’s Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so.

It was interesting to read how the patterns and trends that the team observed indicated four classes of malicious insider activity:

  1. IT sabotage—an insider’s use of IT to direct specific harm at an organization or an individual
  2. theft of IP—an insider’s use of IT to steal IP from the organization. This category includes industrial espionage involving outsiders.
  3. fraud—an insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft of information that leads to an identity crime (e.g., identity theft or credit card fraud)
  4. miscellaneous—cases in which the insider’s activity was not for IP theft, fraud, or IT sabotage

The following chart shows the top six infrastructure sectors for the three most important classes: Fraud, Sabotage, and Theft of IP:

The nineteen practices included in the report are:

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls.
  3. Incorporate insider threat awareness into periodic security training for all employees.
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  10. Institute stringent access controls and monitoring policies on privileged users.
  11. Institutionalize system change controls.
  12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes.
  16. Develop a formalized insider threat program.
  17. Establish a baseline of normal network device behavior.
  18. Be especially vigilant regarding social media.
  19. Close the doors to unauthorized data exfiltration.

All in all, it is a very insightful and helpful report.


Kiplinger: 8 Things to Never Keep in Your Wallet

Information Security
Author: Mark Dixon
Thursday, September 13, 2012
5:05 am

Do you know what is in your wallet? Do you have a treasure trove of PII in there?  What if you lose it or someone steals it?

Kiplinger.com offers a short, informative, online slide show that offers good advice to us all.


Convenience Always Wins

Information Security
Author: Mark Dixon
Wednesday, September 12, 2012
9:14 pm

A great quote from America the Vulnerable:

When convenience butts heads with security, convenience wins. This is true even among security professionals. If these people won’t follow their own rules, others won’t follow them either. In short, if security is not built into our systems, our systems won’t be secure.

In short, our systems must be both easy and secure … a big challenge.


The Cloud Can be a Secure Place

Cloud Computing, Information Security
Author: Mark Dixon
Tuesday, September 11, 2012
4:47 am

When I was in 7th grade, I played the trombone in the Gooding, Idaho, Jr. High band – or at least tried to play it.  Once, we participated in a music festival where I played a solo rendition of the soaring anthem, “Jerusalem,” in front of a judge.  When I finished the piece, she remarked, “the trombone can be a beautiful instrument.”  I was devastated of course, and was somewhat relieved to hang up my trombone, so to speak, when we moved to a tiny town without a band the next year.

I was reminded of that incident this morning when I read a Mashable article, “Top 5 Misconceptions about the Cloud,” sponsored by Western Digital.  The fifth “misconception” was “You Can’t Beef Up Security on the Cloud.”  In my mind’s eye, I could almost see my trombone judge saying, “The cloud can be a secure place.”

So what’s the problem?  Much like a 7th grader’s ill-conceived belief that he could impress a judge with little practice and poor technique, the article’s overly simplistic recommendation for bolstering cloud security was “You can use behavior-based key management servers and encryption key management to give your files an extra layer of protection.”

Cloud security entails much, much more than that.

I can accept that cloud-based solutions can be well-secured, but we must not be complacent or expect great results with little effort.


All Credit Card PIN Codes in the World Leaked

Humor, Information Security
Author: Mark Dixon
Monday, September 10, 2012
5:18 am

Pastebin reported this morning that a repository of all credit card PIN codes had been leaked.  Here is a small sample of the leaked data.

The big question is, “To change, or not to change my PIN?”


Huawei Denies Security Threat Allegations

Information Security
Author: Mark Dixon
Sunday, September 9, 2012
9:12 pm

On August 28th, I blogged that CNET reported on a congressional committee that wanted to know whether Huawei was a national security threat.

According to an article this week in ThreatPost, Huawei issued a position paper addressing the allegations. John Suffolk, Huawei’s global cyber security officer, stated:

“We have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.

“Huawei does not, and would not, support, condone or conduct activities intended to acquire sensitive information related to any country, company or individual, nor do we knowingly allow our technology to be used for illegal purposes.”

Whether or not Huawei is culpable has yet to be proven or disproven conclusively, but the current tenuous conditions in the cybersecurity field have many people on edge. The ThreatPost article quoted Shawn Henry, a former FBI official:

“It’s hard to explain the threat to some organizations. Some people get it, but many don’t. The entire threat out there is kind of like an iceberg. The part that most people hear about is the part above the water line, the unclassified threats. People don’t hear about what’s below the water line, which is everything that’s happening in the classified environments. It doesn’t get a lot of attention outside of the classified environment, but I can tell you that it’s deep and broad and extensive.”

It is indeed a challenging world we live in. Let’s be careful out there!


Your Autobiographical Trail

Information Security
Author: Mark Dixon
Thursday, September 6, 2012
8:38 pm

An interesting observation from Joel Brenner’s book, “America the Vulnerable”:

The overlapping and ever-expanding appetite of government and commerce to keep tabs on us—and our own appetite for keeping tabs on one another—means that it’s virtually impossible to elude our own autobiographical trail of purchasing habits, property ownership, employment history, credit scores, educational records, and in my case, a security clearance record a mile long.

What have you added to your trail today?  Are you sure you wanted to do that?


Data Breaches and Data Werewolves

Humor, Information Security
Author: Mark Dixon
Wednesday, September 5, 2012
8:46 pm

Finally, a solution to big data breaches …


America the Vulnerable

Information Security
Author: Mark Dixon
Thursday, August 30, 2012
2:37 am

I am beginning to read a compelling book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” by Joel Brenner, former senior counsel at the National Security Agency.

My favorite line in the introduction:

Our world is becoming a collection of glass houses that provide only the illusion of shelter.

More to come soon.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.