Posts Tagged ‘twitter’


Five things you should know about encryption… for non geeks!

March 3, 2010

When most people wake up in the morning, somehow, encryption is not the premier thought on their mind. I know, I know, this statement may come as a shock to you.

Most people probably even believe that they could go an entire lifetime without ever thinking once about what encryption is, and what it can do for them.

Some people, I tell you.

The truth is simple: if you are in business, you don’t have to be an encryption expert, but there are 5 things that you should know about encryption.

Before we proceed, here’s a quick primer on how to think about your data.

Understanding data states.

Data resides in one of three states: at rest, in transit, or in use.

An example of data “at rest” is a Word document not currently open, but saved to the hard drive on your laptop.

An example of data in transit is that same Word document, attached to an email, on its way to your sister-in-law’s email inbox after you clicked on “send”.

An example of data in use is a computer program that processes information that resides in a backend database.

Understanding threats to the data.

Each state carries its own inherent risks to the data:

That data could be pilfered by an unauthorized third-party (a loss of data confidentiality.)

The data could be corrupted by a virus (a loss of data integrity.)

This data could be erased by malware or a malicious internal user (loss of data availability.)

Protecting the confidentiality, integrity and availability of data assets is what information security is all about.

Understanding data classification.

Data classification is the concept of assigning a confidentiality rating to all data assets. This is the concept to which all the “TOP SECRET” stuff you see in movies is linked. The idea is simple:

Look at each data asset your organization owns, and then decide:

1. “I don’t care who or what sees this information.” It’s safe to say that this data asset can be classified as “Public” as no harm will come to you or your organization if this information were to be read by a third-party.

2. “I want some of my business partners and some of my internal resources to see this information, but not everybody out there.” In this case, the data asset can be classified as “Confidential – Third Party”.

3. “I don’t want anyone but my internal resources to see this information.” This calls for a data classification level of “Confidential”.

Why bother with doing all this work? Tagging each data asset with a classification rating allows you to simply decide during the course of doing business whether an asset should be shared or not – and with whom. For example, you could decide that all Word document titles will from now on be assigned a prefix of C, C3 or P. If a document used to be called 2010_financial_statements.docx, you could rename it to C_2010_financial_statements.docx. That way, even if you do not directly know the contents of this document, you will be able to tell, just by seeing the file name, whether it should be shared freely or not. This is a simple and effective control to protect you against inadvertent data breaches.

Five things you should know about encryption:

1. Confidential and Confidential/3rd-Party data should be protected – i.e. encrypted – regardless of the state in which it currently finds itself. Hackers are equal-opportunity criminals. If your data is encrypted at rest, but not in transit, they will go after it while in transit.

2. Rule of thumb: encryption strength is related to the key length in bits. Therefore, 256-bit encryption is stronger and more difficult to defeat than 128-bit encryption. You never want to use an encryption solution with a strength lower than 128 bits.

3. You should have a clear, realistic, enforced and published corporate encryption policy – and supporting procedures – that dictate how data is to be protected. Then you should train your users and make sure that the policy reinforces your business processes – rather than hindering them – so as to maximize employee adoption.

4. When in doubt, ENCRYPT! Many encryption solutions are free, so there is no reason NOT to encrypt.

5. Confidential data should never be placed on a mobile device – laptop, phone, PDA, etc… But if the organization has a legitimate business need that requires it, then said confidential data MUST be encrypted.
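As an added example (not code from the original post or from The InfoSec Group), the Go program below ties the file-name classification convention from the data-classification section to points 1 and 2 above: a document's C_, C3_ or P_ prefix decides whether it must be encrypted before it leaves the laptop (in transit), an unlabelled document fails closed and is treated as confidential, and the encryption routine refuses any key shorter than 128 bits. The function names, the choice of AES-GCM from the Go standard library, and the sample document contents are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Classification levels named in the post. Unlabelled is added here so that a
// document with no prefix fails closed (treated as confidential).
type Classification int

const (
	Unlabelled             Classification = iota
	Public                                // "P_" prefix
	ConfidentialThirdParty                // "C3_" prefix
	Confidential                          // "C_" prefix
)

// ClassifyFilename reads the prefix convention from the post. Hypothetical
// helper: the post describes the naming convention, not this function.
func ClassifyFilename(name string) Classification {
	switch {
	case strings.HasPrefix(name, "C3_"):
		return ConfidentialThirdParty
	case strings.HasPrefix(name, "C_"):
		return Confidential
	case strings.HasPrefix(name, "P_"):
		return Public
	default:
		return Unlabelled
	}
}

// MustEncrypt implements point 1: everything that is not Public gets encrypted,
// including documents nobody bothered to label.
func MustEncrypt(c Classification) bool { return c != Public }

// MinKeyBits implements point 2: never go below 128 bits.
const MinKeyBits = 128

var ErrKeyTooShort = errors.New("encryption key shorter than 128 bits")

// Seal encrypts plaintext with AES-GCM, which gives confidentiality plus an
// integrity tag, so tampering in transit is detected on the receiving end.
// Output layout is nonce||ciphertext||tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key)*8 < MinKeyBits {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key) // accepts only 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the ciphertext or tag was modified.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// PrepareForTransit is what an "attach to email" step would call: public
// documents go out as-is, everything else is sealed first. The bool reports
// whether encryption was applied.
func PrepareForTransit(name string, contents, key []byte) ([]byte, bool, error) {
	if !MustEncrypt(ClassifyFilename(name)) {
		return contents, false, nil
	}
	sealed, err := Seal(key, contents)
	if err != nil {
		return nil, false, err
	}
	return sealed, true, nil
}

func main() {
	key := make([]byte, 32) // 256-bit key, generated fresh for this run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: Q1 revenue 1,234,567") // constructed contents
	for _, name := range []string{"P_press_release.docx", "C_2010_financial_statements.docx", "2010_financial_statements.docx"} {
		out, encrypted, err := PrepareForTransit(name, doc, key)
		fmt.Printf("%-34s encrypted=%-5v bytes=%d err=%v\n", name, encrypted, len(out), err)
	}
	// Point 2 in action: a 64-bit key is refused before any cipher is built.
	_, err := Seal([]byte("8bytekey"), doc)
	fmt.Println("64-bit key:", err)
}
```

The unlabelled document is the case worth noticing: a control that only encrypts files someone remembered to tag protects nothing the day a file is saved without its prefix, so the default must be to encrypt. The second thing the run shows is that a key can pass the 128-bit floor and still be unusable (AES only takes 128-, 192- or 256-bit keys), which is why the key-size check and the cipher's own validation both stay in place.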

In conclusion…

Data should be classified in terms of its criticality/confidentiality status. Confidential data should be encrypted regardless of the state it is in. Understand that the state of the same data item may change over time!

Encryption should not be seen as a security control that is “nice to have”, but as a “must have.” This is a perfect example of a control that reinforces your business goals. It is a simple, best-practice control that is required by many regulatory mandates such as HITECH, the Massachusetts Data Breach Notification Law, the PCI standards, etc… so, when’s the last time your organization reviewed its encryption policy and its effectiveness?

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436

Join me on LinkedIn!

Follow us on Twitter!


An unexpected value gained from Twitter.

March 3, 2010

Using social media is all the rage as of late, and for good reasons. In a previous blog entry, I mentioned several of the risks that are inherent to the use of social media, so it is not my intent to rehash this information here.

At a party I attended recently, I was asked why I use social media. I explained what can be gained from it from a business perspective, from brand awareness to brand management, and used pertinent and impressive explanations to back up the points I was making.

In truth, I wish I could claim that those “pertinent and impressive explanations” were mine, but credit must be given where credit is due: those pearls of wisdom were directly lifted from the likes of Rich Brooks from Flyte Media, Lynnelle Wilson from Bold Business Consulting, Chrystie Corns from Thirteen Thirty Marketing, David Washburn from David Washburn Marketing, Fred Abaroa, the Marketing Imagineer, and Jaica Kinsman from Guiding Stars to name but a few. My thanks to those talented individuals for making me sound smarter and hipper than I am!

One positive aspect of Twitter in particular that I recently discovered may take you by surprise. It is not related to being online – it’s about real life. That’s right, real life. What a concept!

Here’s what I noticed: people whose tweets I follow tend to be people for whom I have a lot of respect in real life.

It gets more interesting: most of those people I had never met before.

In other words, whatever qualities they displayed in their tweets were qualities that they actually have in person, and the reasons why I enjoyed following them on Twitter translated into our real life interaction and why I enjoy being around them so much.

I wonder if part of the reason for that is the fact that Twitter limits us at 140 characters per tweet, and that one has to focus on the essence of the message. I believe that the way in which one achieves that is to also, in many ways, express the essence of who they are as a person in the process.

As much as I enjoy following tweets online, I have far more enjoyed the live, in-person interaction I have shared with many people with whom I probably would never have connected had it not been for the interface that Twitter provided.

The risk? Hey, I am an information security pro, so I have to consider risk… the risk is that a talented social engineer could use this as a way to tweet his/her way into conning unsuspecting targets.

Remain vigilant, and make sure that your security policies and procedures are up-to-date and successfully transmitted to your users!

Oh yeah, and remember to hug your ISO today!



Four things you should know about data breaches

March 3, 2010

It seems that each day brings news of another collection of data breaches. A question I am asked regularly is “What should I know about data breaches?”

Excellent question indeed! Let’s quickly review the salient points raised by this question, and what can be done to palliate these issues.

1. What is a data breach?

Anytime information falls into the hands of an “unauthorized third-party”, it is technically a data breach. Basically, it is a loss of confidentiality for a given data item.

2. How much does a data breach cost?

The cost of a data breach can be difficult to ascertain. It is usually referred to as a “per-record” cost. A recent article in Network World indicated that the per-record cost of a breach used to be around $100 as of 5 years ago. Today, on average, it is in excess of $200.

Note: this cost does not take into account the cost of potential litigation, fines and reputational loss – the latter being the most difficult to quantify pre-breach.

3. How do data breaches occur?

There are mostly three categories of causes for data breaches:

Human error: from losing a PDA or laptop – or, dare I say it, an iPad – to not logging off a computer, the list of errors that a human can make is seemingly endless. It could be summed up as “human negligence.”

Machine error: a computer glitch, an unpatched host, a PC without up-to-date anti-virus can all contribute to a loss of confidentiality.

Malicious behavior: either internal or external, malicious behavior is first and foremost a crime of opportunity – in a report published a year ago, Verizon reported that about 80% of all hacking attempts started as a crime of opportunity. The lesson to be learned here is simple: remove the opportunity, remove 80% of the actual crime.

Simpler said than done!

4. So… what can I do about it?

The first requirement is to be security-aware. It is quite difficult to protect something you don’t know you have, and didn’t realize you had to protect!

The second requirement is to develop a security program. It doesn’t have to be a cost-prohibitive endeavor to be successful, either.

As part of this security program, different controls can be designed and deployed, including, but not limited to, creating policies and procedures, providing employee training and performing internal and external penetration testing on your computer network.

The need for policies is simple: let’s figure out a way to run a given business process in a way that 1. guarantees the creation of the business value that prompted the need for the process, and 2. guarantees that the security of the assets involved in that process is not threatened.

Once that policy is created, we can create procedures to supplement it.

Finally, through consistently using these policies and procedures, we can protect ourselves from threats to the confidentiality of those assets.

But this consistency will only be attained if all users are trained and made aware of these policies and procedures, hence the importance of training all employees – not just those that are directly linked to IT or the Security department.

So here’s a quick exercise for you:

Think about the type of confidential information your business hosts. Maybe it’s financial records. Maybe it’s health records. Maybe it’s credit card records. Now think about how many of those records your business has accumulated through the simple act of doing business. Multiply that amount of records by $200. That’s the potential cost of a data breach to your business.

Let’s pretend that a medical practice has 20,000 medical records and that they are all breached. That’s an exposure of $4,000,000. Before lawsuits from angry patients, before reputational loss – would you go to a doctor’s office that can’t keep your health information secure and confidential?

So what is a data breach? It is a risk incurred every day by your business, a risk that can severely impact not only the bottom line, but potentially the very existence of your business.

If you were to have questions about the information contained in this blog, please feel free to contact me.

Thanks for reading!



10 questions you should ask about social media and data security.

March 3, 2010

Don’t look now, but social media is everywhere. Try as you may to escape it, you simply can’t. The reason for that universality is that social media, simply put, delivers on the promise.

It is therefore difficult to tell a business that they should refrain from using social media as a growth vector, and indeed, such is not our message.

However, it would be foolish to venture into this new set of business processes without carefully analyzing not only what the business can gain from it, but also what threats to the business are inherent to the use of social media.

Ten simple security questions:

At the InfoSec Group, we believe in two things:

1. Information Security is about business, not IT.
2. Simple – yet efficient – rules yield far more attractive results than complex ones.

With that in mind, here are some simple questions any business should consider prior to launching itself in the wild world of social media:

1. Should all employees be involved in social media, or should it be a selected, chosen few?
2. Should those employees who will not be professionally tasked with handling social media be allowed to access those sites?
3. Who owns the content and the followers/friends/connections: the business, or the employees?
4. Which social media platforms – Twitter, Facebook, LinkedIn, etc… – should the company use?
5. Which functions – messaging, posting, discussions, file transfer, group membership, etc… – should employees be allowed to use in the name of the company?
6. Which topics should employees be barred from commenting on? (Politics, religion, abortion, etc… come to mind.)
7. What is the reputational risk to the company of having employees publicly converse on social media platforms as representatives of the company?
8. How much, if any, monitoring of employees’ output and behavior on social media sites should take place?
9. What internal policies should be created or augmented to respond to the risks inherent to the use of social media by the company?
10. What training should employees receive before being allowed to officially represent the company on social media sites?

Some of these questions are first-degree, while others are more in-depth and will require a significant amount of internal discussions. I would recommend that any organization interested in using social media would answer at least those questions – many more come to mind, but for the sake of not writing a tome that would rival War and Peace in length, we decided to limit ourselves to ten.

Furthermore, it would behoove any company to make sure that representatives of different departments be present during these conversations, including, but not limited to:

Legal counsel
Information Security

Because of the perceived threat that social media can represent to an organization, the US Marine Corps decided that Marines cannot discuss anything related to their work on social media platforms anymore.

We are not advocating that your organization’s position should be as black and white, but we certainly recommend that threats be identified and analyzed, and that remediation controls be deployed to answer them before your organization launches itself into the wonderful world of social media.



Understanding Information Security

March 3, 2010

At the InfoSec Group, we assist our clients with meeting – and exceeding! – their information security goals. Some of our clients are mandated to do so, while others understand the importance of protecting their business, their assets and their clients and have taken a proactive approach to acknowledging their responsibility as business owners/operators.

We enjoy the idea of increasing an organization’s information security awareness level from the top on down, and in the process of doing so, we have discovered that there are myths out there that certainly do die hard.

So in an effort to more accurately describe what it is that Information Security is, we traditionally communicate the following concepts:

1. Information Security is about business.
It is, simply put, a business goal. And like any other business goal, it is imperative that a strategy be developed, and that this strategy be designed to be integrated with the organization’s overall business strategy. The two must be aligned, otherwise the goals will not be reached.

2. Information Security is about people.
Because it is inherently cultural and behavioral, information security is and has always been about the people involved. To be successful, the company has to foster a culture of security. That cannot be achieved unless the culture is created and promoted by the C-level executives. After all, who wants to be burdened by security measures if the boss doesn’t have to abide by the same rules?

What we try to accomplish is to have employees understand the value that information security brings, and “buy in”. No buy in, no success.

3. Information Security is hinged on risk management.
Not understanding what risks threaten your assets – and therefore your business – and what costs are associated with these risks means that you are unprepared to protect yourself against these threats. A careful risk assessment process is a potent approach to identifying these threats and the controls necessary to protect the business. And because the process involves assigning a dollar value to the assets and the remediation controls, the process allows for the solutions chosen to make business sense.

4. Information Security is NOT about IT!!!
This is the biggest myth of all. Information Security is NOT an IT function – it is a business function. Making it an IT function means that your strategy is flawed from the start. To illustrate this point, consider the following:

Would you deploy an anti-virus solution to protect an asset threatened by a virus infection? Yes, because it makes IT sense to do so.

Would you deploy a $300,000 anti-virus solution to protect a $100,000 asset threatened by a virus infection? No, because it doesn’t make business sense to do so.

This is why information security has to be a business function, and not an IT function.

Furthermore, for IT to be in charge of security would be a violation of the basic principle of separation of duties, and is therefore widely regarded as a violation of security best practices.

In our next blog, we will look at the risk that the use of social media can create for a business. We will see that social media should be used – but that being aware of the inherent risks, and designing a simple strategy to palliate those risks, will ensure that the organization can reap the benefits of social media without attracting unwanted threats.
