Wednesday, July 18, 2012

Information Security vs Auditor - foe or friend?



Auditors - hmm... most of the time, nobody really likes them, right? And many people see them as a foe. As an Information Security Professional, I see them more as a friend than a foe. Sometimes we don't see eye to eye, especially when dealing with the "dinosaur" type, but most of the time I would say we do have common goals - that is, to ensure adequate security measures are in place and enforced. 

This story is about how you could "make use" of an auditor to achieve your security goal. I hope this helps bring you closer to your "friend" who looks like a "foe" :)

Information Security lad: Mr. CEO, after various incidents of malware outbreaks within the company, we have come to the conclusion that we need to raise awareness among the employees. Here is the business case for our security awareness campaign. As you can see, we will work together with HR to include this proposed Computer Based Training (CBT) program within the induction training...... blah blah blah....  For this to happen, we will require a budget of EUR 20K to set up the CBT etc......

Mr. CEO: I like the idea of that CBT... however, as you may know, budget is a bit tight right now with all these cost cutting initiatives going on. We don't have extra budget for this...

Information Security lad: But Mr. CEO, we really need to do this. If another outbreak were to happen again, it will cost us more resources to handle the situation. At the end of the day, it will cost more than this business case.

Wednesday, July 4, 2012

Information Security screw-up #1 - security vs uptime



Well, after reading through all of my previous stories, some of you may have had the feeling that I'm telling these stories to show that Information Security professionals are always right. No, not really... we do make some mistakes... like everyone, we learn from experience as well.



This is a story about how one Information Security lad screwed up, when "he was young" :) 

Once upon a time, there was this one "young" Information Security lad who had just joined a quite successful .com company. As the new Information Security Manager, he felt like he was the town sheriff and everyone had to listen to him when it came to security matters. 

It was a weekend, a nice weather weekend indeed, when he received a call from his company. Apparently, there was a virus outbreak in his company. He was called back to office immediately... 

Young Information Security lad: After some investigations, I found the source of the outbreak. It's coming from this server called E-pay. You shall take down this server immediately and have that malware cleaned right away!

Server Admin folk: That would not be a good idea. We can't just shut down a server like that. I don't think the application owner would be happy with that.. we need to...

Young Information Security lad: <* interrupting *> This is a serious security issue! We must stop this before it spreads around! Shut down that server immediately!

Server Admin folk: Errr.......

Monday, June 25, 2012

Application Owner vs Information Security fun#2 - on Web Application Firewall


I presume most of us security pros have heard of the Web Application Firewall (WAF). It is not a new technology, but only a few enterprises have seen the benefit and have implemented it within their infrastructure. I hope this story can shed more light on the benefit of having one and help expedite your decision making process in getting a WAF :)

Information Security lad: During our security review, we noticed that you have decided not to include a WAF as an additional protection layer for your web application. Although it is not a mandatory policy in our company, we strongly suggest having your web application protected by a WAF, as your web application is internet facing and will be handling important e-commerce transactions. Moreover, as you are offering 99.99% availability to your customers, you may want to have an extra layer of protection to support this commitment. New attacks could be easily mitigated by the WAF as its signatures are updated on a daily basis. I do know that our IT Supplier has a very good WAF team there.

Application Owner dude: Thank you for your suggestion... I don't see the need for it right now. We already have multiple layers of protection in place. We have a firewall and an Intrusion Prevention System (IPS) in front of the web application. Furthermore, we have done a security assessment and pen-test during our application development cycle and we got a clean bill of health there. I believe your team did some security tests as well and found no weaknesses. The application is just robust.... Anyway, I don't really have extra budget....

Information Security lad: Well... if you insist and understand the risk, we won't stand in your way. We will approve this RFC.

5 months later.....

Thursday, June 21, 2012

The Facts of Information Security


Information Security is a Top-down approach;
Information Security needs support of Senior Management e.g. Board level;
Information Security is a responsibility of every employee;
Information Security is about People, Process and Technology;
Information Security's weakest link often is the People;
Information Security is not an IT issue, it's a business issue;
Information Security costs money, and so do the police, the military and the like;
The Information Security team is not your enemy, it is your business partner.

 Feel free to add more :)

Ain't security fun? ;)  
acknowledgement - photo taken from http://www.flickr.com/photos/plastanka/4516802479/sizes/m/in/photostream/ 

Wednesday, June 6, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#2



A few weeks ago, I shared a story about the impact of not having Disaster Recovery. And I mentioned that there would be a sequel to it. So, here it goes.... the saga shall continue....
 

Business Owner guy: <* Addressing VIP business users *> It is very unfortunate that we were badly hit by the quake. As it was an act of God, we have to accept the losses etc etc.... . Nevertheless, we have come up with a great disaster recovery plan to ensure business continuity in the event of a disaster. This time, we WILL be ready to face it!

Information Security lad: <* This guy is surely a great politician.... I wonder how he saved his ass, survived and resurrected from that gigantic mess... Last I heard, he even got a promotion*>  

5 months later......

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Tuesday, May 29, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1


This is another classic story that may raise a smile for some security pros out there....

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Business IT bloke:  The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.

After 15mins, in the emergency meeting...

Business Owner guy: IT Supplier chap, I understand you have a lot to deal with right now, but my application is business critical. When can you get it up again? I'm losing like 10K per minute here!

Tuesday, May 22, 2012

Business IT vs IT Supplier Fun#2 - setting data classification



Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.


The Storybrooke Post today's headlines: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337

Business IT bloke: What the heck is this? <* smashing the paper on the table *> After our last meeting, we gave you all the security requirements for our system. How come we are still non-compliant with that Data Security Act? I believe we have a breach of contract here!

IT Supplier chap: I don't think so. We have carried out your requirements and protected your data accordingly. The recent audit report carried out by the XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>

Wednesday, May 9, 2012

Application Owner vs Information Security fun#1 - data flow security


Have you ever met an old stubborn mainframe guy who just can't think outside of his archaic box? I bet you have. This is a story about a guy like that whom I met some time ago..... (My friend Adriano calls them "The Dinosaur". BTW, if you have time, you should check out his piece on this.)

Application Owner dude: We are using a mainframe and we have tight ACLs in place. No one can access the data inside. It's a very secure environment. I don't see any security issues here... That web interface is just a front-end for customers to see their order status... We developed this one ourselves and manage the user accounts. It's not even open to the public or guests, by the way....

Information Security lad: Well... we see that there are other internal applications interfacing with this mainframe as well. How do you ensure these interfaces are secure?

Application Owner dude: Again. As I have said and stressed so.... many times. We have strong and tight ACLs in place. Those interfaces connect to our mainframe with their own credentials and we make sure they can only access their part of the data... <* keeps bragging about how fantastic ACLs work on the mainframe *>

Information Security lad: <* I need to do more than just talk to this guy to show him that ACLs alone are not enough *> We're going to run some tests.....

Application Owner dude: Go ahead lad... No one has ever broken into our mainframe before. I'll bet my every pint of beer on that.