Categories

Recent Posts

Learn More

Archives

Miscellaneous

Business Blogs - Blog Rankings

Data Breach

7 Strategic Givens for CISOs on Foreign State Threats to IP/Trade Secrets

 

APT - InfosecIf you're responsible for protecting your company’s Intellectual Property or Trade Secrets from Cyberattacks, you can improve your Information Security Program by understanding some of the key Strategic givens I've found at my Fortune 500 clients on Nation-State Adversaries.

I assist companies and organizations that are dealing with known compromises or companies that suspect they have been compromised.  These compromises are increasingly driven by Nation-State Adversaries and often include companies that have physically deployed their high value company assets directly into “hostile” regions by either moving or outsourcing their manufacturing, research, or other core business functions.

Here are some of the Strategic givens I’ve identified:

1) Operating facilities abroad in "hostile" regions where intellectual property rights are weak or nonexistent should be viewed by the CISO as the World Cup or Finals.  Organization’s should not be learning or building new security capabilities such as high value information asset identification, incident management, DLP or network monitoring for the first time simply when a company decides to deploy company assets and capabilities abroad.  It is tough work protecting Intellectual Property and Trade Secrets.  Your playbook and team should have already been practicing and running plays before the Finals.  Where are you currently on implementing a comprehensive Information Security Management System?

2) Most Boards of Directors consider taking risks with intellectual property or trade secrets acceptable, especially in light of driving increased revenue in emerging markets.  Business Leaders, like it or not, simply do not weigh the loss the breach or loss of intellectual property as heavily as you might think.  It is a risk/reward calculation for the Board as it should be. 

3) More than ever, Information Security practitioners should follow the mantra that many of us have espoused for years, that Information Security is not just about Technology.  Security Strategies across People, Process, and Technology are required in breadth and depth to protect your company’s high value information assets from worthy Nation-State Adversaries.

4) Oversight of 3rd Parties especially if they are based locally in a “hostile” region, will likely be a company's weakest link in Information Security.  If a company has not over engineered oversight expectations/rights, contractual expectations for information controls, and external monitoring capabilities, it's likely already significantly compromised.  CISOs: Were you or your organization involved in the building or inspection of any plantsite facilities that your company uses in "hostile" regions?  Think about when and how the very basic elements of your company's plantsite were built, such as:

  • Power
  • Racks & Physical Structure
  • Network
  • Security & Fire Protection
  • Cabling
  • Management Systems

If you weren't involved in the building or inspection prior to use of these, you should reasonably expect that your company's operation has been compromised or can be easily compromised.

Service Provider ContractAs a Information Security practitioner, you have a great opportunity to implement measures to minimize your information risks if you are able to proactively incorporate control expectations into your service provider contracts.  If your service provider's contracts are already in place, seek to renegotiate those now or upon renewal.

5) As Information Security leaders, we should acknowledge and operate in large part like our Board of Directors.  We should accept that taking real risks with Intellectual Property and Trade Secrets is readily acceptable and it is merely a cost of doing business.  It is unlikely that your senior business leadership will formally acknowledge this simply due to potential personal liability, so don’t look for a declaration.  Look at decision making and trade-offs as indicators on the organization's willingness to assume risks with their information assets.

6) Organizations should learn to live in a constant state of compromise:

  • Determined Nation-State adversaries can always find exploits
  • Organizations should operate like they have already been breached
  • Identifying your high value information assets, where they reside, and how they are used and what controls are necessary is essential.

7)  Industries driven by producing and leveraging Innovative and Patent Protected Intellectual Property or Trade Secrets, such as: Pharmaceutical, Chemistry, Life Science, SCADA, high-tech manufacturing, or industrial manufacturing -- are already in the Finals.  Nation-State Adversaries no longer need or in fact, particularly care whether a company has physically entered their market place or country.  They are equally adept at conducting highly sophisticated network based operations as well as human intelligence (HUMINT) operations through human agents that have likely been hired by your company over the past two decades.  HUMINT capabilities are one of the many reasons why our strategies as Information Security practitioners need to include People, Process, and Technology efforts.  Some of the more well known IP thefts have occurred by employees simply walking out the door with IP on paper or simple storage devices.  I have on more than one occasion had to retrieve files and external storage devices of "high value" exiting employees...

I hope you find these observations beneficial.  Seeing and learning these consistently over time at my clients, has helped me better understand how to improve the design and deployment of effective Information Security Programs.

I'll provide additional details in the future, by exploring elements of these strategic givens.  In the meantime, I welcome your comments.

 

Mark Brooks

Posted at 12:02 AM in Data Breach, Information Security Strategies, Intellectual Property | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , ,

| | |

The New CISO – Agents of Change

Today's CISOs need to be effective change agents in order to build and lead Security Programs that are successful in managing information risks for their organizations.  This is particularly true for CISOs of organizations that are in the midst of the build out of their Information Security organization and capabilities in response to a breach or other information security incident.  Effectively, the remit of these CISOs is to move their organization from an OLD security posture to a NEW stronger security posture--clearly they own a “Program of Change”.

CyberSecurityOne can also see evidence of CISO roles becoming Agents of Change, as they shift from being implementers of security point solutions (DLP, AV, 2-Factor, IDS, IPS, etc.) to partnering with business leaders to understand business risks and protecting an organization’s most valuable information such as Intellectual Property or Trade Secrets.  They simply are no longer operating in the same spheres of influence such as Infrastructure Operations or Network Operations, where many of us started our careers as network analysts or security analysts.  CISOs are now sitting in the General Counsel's office dealing with IP protection strategies for outsourced operations to China or developing Privacy Frameworks as a member of the Chief Privacy Officer’s staff, or having other business oriented discussions they simply did not have 5 years ago.

So, here are the top skills that I believe are necessary for CISOs to be effective Agents of Change:

  • Strategic Relationship Building – Ability to establish rapport and personal relationships across a broad set of executive-level leaders and business stakeholders.
  • Ability to Paint a Future State – Visioning skills and the ability to define not only an Information Security Program vision, but to define it in business terms.
  • Business Marketing – Today’s CISOs need to understand branding and need to establish an internal GTM (Go-To-Market) plan in order to sell and gain alignment for their Security Program.  They need to establish a specific brand for their Security Program and this brand needs to be defined in a manner that directly ties to existing corporate branding.
  • Story Telling – Today's CISOs need a broader and fairly creative set of communication skills.  They need to be able to tell practical stories to business associates on how and why security is critical to selling product or providing services, tell stories that describe how security enables new business outsourcing strategies to senior executives, communicate relevant risk posture information to Board’s of Directors, and effectively communicate to external customers, partners, and 3rd Party Vendors.
  • Able to Leverage Performance Management and Leadership Incentives – CISOs that are effective Agents of Change are students of and focus on what drives performance and rewards behavior within their organization, such as Performance Management mechanisms for driving business unit performance, cultural norms, or Leadership Scorecards.  This of course is a tall order that requires political skills, skills in negotiation, organizational savvy, and often the courage to step out beyond the CISOs comfort zone.

The above skills are not only critical for building and leading Security Programs, they are absolutely essential when it comes to being able to gain approval for investment dollars for security initiaves and projects.

So what are some of the indicators that you are moving the ball forward on your Information Security agenda?  That you are being an effective Agent of Change for your Security Program?  I plan to share with you in a future article, some examples and evidence that you are moving your organization forward on your program.  You will be surprised that at least initiallly, it isn't the type of evidence you would normally expect.

I welcome your comments.

 

Mark Brooks

 

 

Posted at 06:54 PM in Data Breach, Information Security Strategies, Intellectual Property, Leadership Principles, People, Process | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

| | |

Protecting Your Company's Highest Value Information

RiskAs a follow on to my blogpost on High Value Data Information Governance, I thought I would share some additional benefits that company's often realize when they have been able to effectively identify and assess risk for their most valuable information.

While this can be a daunting task for a company, the business benefits of doing so are numerous and span beyond simply "IT Security" into Enterprise Risk Management, Infrastructure Management, Legal and other business areas.  Here are a just a few example of the reoccurring benefits that I see with my Fortune 500 clients:

Business Benefits:

•  Improved collaboration and cross-functional decision making across business units.

•  Improved business engagement and buy-in to the company’s Information Security Program

•  Improved ties of security investments to any current or emerging Enterprise Risk Management efforts.

•  Data Protection investments are more effectively prioritized and deployed to protect the company’s most valuable information:

  1. BCP/DR – prioritization of Business Continuity Plans/Disaster Recovery resources and efforts.
  2. Infrastructure Hardening - access controls, monitoring, administration, service levels, physical security, etc.
  3. Security Policy and Awareness efforts – Increased control requirements for processes and systems that support High Value Information Assets and greater investments in Awareness activities for staff that make use of High Value Information.
  4. Security Technology Investments can be directed and used more wisely
  5. Focusing or redirecting SIEM, DLP, and other network based security controls to higher value assets and away from lower value.

•  Cost savings and/or Cost Avoidance by redirecting effort and energy away from less valuable information – yes, this can and does happen. When a company’s leadership has agreed to what information is most valuable to protect, then it much easier to reduce control costs and accept risks associated with lower value information.

•  Vendor Management and 3rd Party Risk Management process improvement and decision making, based upon access to and transfer of high value information.

•  Reduced legal exposure via a documented, defensible, and agreed to prioritization of a company’s most valuate information assets and subsequent decisions in control investments. You are in a much better position or at least have a good “1st Line of Defense”, if you have engaged a cross-functional group of business stakeholders that have agreed to what is most important and documented their decisions, than if you DON’T have this.  Even if you what you have is not perfect, at least you have demonstrated some initial due diligence…

If you would like some additional perspectives on High Value Information Assets, here is a good article of a security practioner I work with, Tim Layton, and what he refers to as Data Classication: Next Level.

I welcome your comments.

Mark Brooks

You can follow me on Twitter at https://twitter.com/#!/wmarkbrooks

You can connect with on LinkedIn at http://www.linkedin.com/in/wmarkbrooks

Posted at 06:02 PM in Data Breach, Information Security Strategies, Intellectual Property | | Comments (0) | TrackBack (0)

| | |

Privacy Compliance

BlogPhoto I recently attended an IAPP Practical Privacy Series.  If you are interested in or work in the Privacy Compliance arena, I would encourage you to attend one of these and/or join IAPP.  They have a variety of programs, conferences, and professional certifications available.

The series was held in Washington DC and was focused on the recent guidance issued by the FTC on privacy compliance, as well as the creation of the CFPB (Consumer Financial Protection Bureau) and its expected plans for oversight of the financial industry.

I've summarized some of the key themes and take aways that I noted from the conference.  Please post any questions or comments.

_______________________

FTC Commissioner Brill was the keynote speaker and took Q&A.  I was pretty impressed with the FTC's knowledge and understanding of industry practices and challenges.  Commissioner Brill also actively participated throughout the day conference, along with several of her colleagues from the FTC.

The FTC recently issued a proposed privacy framework, Privacy Report, for public comment that includes these themes:

a) DO NOT TRACK EXPECTATION. Consumers should have the ability to easily know what information is being tracked on them when using the internet.  They should also have the choice to easily turn off tracking, when and where they want.  There is an increasing expectation among consumers that they fully understand and have the option to control what information is tracked about them when they are making use of the internet.  The big internet browser platforms are being eyed as key piece of the solution to enable choice for consumers.  Microsoft, Apple, Google are all taking a look at what changes they can make in their solutions to enable more capability and choices for consumer to control and understand what is being tracked when they surf the internet.  Individual websites will also likely have to make changes to ensure they are adhering to changes in FTC guidance, once they are finalized.

b) ACCESS.  Consumers should have the ability to request and receive timely information about what personal information a company has on them and how it is being used.  Safe Harbor already includes this provision, but it is not considered a clear and consistent mandate across US Privacy Regulations.  This is an acute challenge for US banks, as they are not well positioned to respond to such requests today.  Most banks are not Safe Harbor certified.  Some even see the potential of consumers leveraging this like law firms do with over burdensome e-discovery requests.

c) SHIFT TO “General Sensitive Data Protection” from just protection of PII (Personally Identifiable Information).  INFOSEC standards being viewed as helpful with this shift.  This makes sense.  From my perspective companies should look to common INFOSEC controls to help enable compliance.  Then regulatory bodies should take a risk based approach to enforcement by focusing their enforcement efforts on the most sensitive information of consumers and the data that create the greatest impact/damages from breach or inappropriate exposure.

d) There were a number of active discussions regarding concerns with the CFPB (Consumer Financial Protection Bureau) having too much power.  The CFPB was recently created by the Dodd-Frank Act, as an outcome of predatory lending “causing the housing market collapse.”  The CFPB has the ability to make rules, oversee, and enforce consumer lending practices.  Big banks will be impacted heavily as this bureau solidifies its role.  Of course, those following the bank bailout and the housing market, shouldn't be surprised with the creation of even more regulation.  Ironically, this legislation and the new bureau was created by two of the key legislators that oversaw the old regulations prior to collaspe...

By the way, the deadline for public comment for the proposed privacy framework is January 31st, 2011. Here is the link for public comments Privacy Framework Comments.

Again, let me know if you have questions or comments.

 

Mark Brooks

Posted at 02:18 PM in Data Breach, Information Security Strategies, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| | |

Facebook Notifies Members of Beacon Settlement - Funds Online Privacy Efforts

Facebook Privacy Facebook sent the notification below to its members this past Thursday. Here's some additional background on the settlement:  Beacon Settlement News.

 "Facebook is sending you this notice of a proposed class action settlement that may affect your legal rights as a Facebook member who may have used the Beacon program.  This summary notice is being sent to you by Court Order so that you may understand your rights and remedies before the Court considers final approval of the proposed settlement on February 26, 2010.

This is not an advertisement or attorney solicitation.

This is not a settlement in which class members file claims to receive compensation.  Under the proposed settlement, Facebook will terminate the Beacon program.  In addition, Facebook will provide $9.5 million to establish an independent non-profit foundation that will identify and fund projects and initiatives that promote the cause of online privacy, safety, and security.

For full details on the settlement and further instructions on what to do to opt out of, object to, or otherwise comment upon the proposed settlement, please go to http://www.BeaconClassSettlement.com.

Please do not reply to this email."

Mark Brooks


Posted at 11:36 AM in Data Breach | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , ,

| | |

FTC PHR Breach Rule Sites Cloud Computing Requirements

Yes...that's correct "Cloud Computing" cited.  Read on.

Cloud2  The FTC issued its final rule on Health Breach Notifications on August 17th, after soliciting comments over the past several months.  The rule applies to all "Vendors of Personal Health Records" as defined in the ruling.

Definition: "Vendor of Personal Health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record (PHR).” 

In addition, the ruling addresses some of the realities of today's market and the use of third party service providers, as well as entities that leverage the use of web based technologies to offer products and services to manage/process PHR.  In reading through the 88 page ruling (AAGH!), I found it interesting that there was a specific reference to the use of cloud computing.  The ruling addresses the breach notification requirements for cloud computing providers in the context of "third party service providers".

Listed below is the section of the ruling that references cloud computing.  The "one commenter" is a reference to an entity that made comments to the ruling during the solicitation of public comments.

"From Proposed section 318.3:  Breach notification requirement" paragraph...

First, one commenter noted that a third party service provider may be unaware that it is dealing with a vendor of personal health records.  For example, a cloud computing service provider may offer computing power and storage without knowing whether customers use them to offer PHRs.   The Commission agrees with this comment and, accordingly, adds the following sentence to paragraph 318.3(b):  “For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part.”

Second, one commenter noted that some third party service providers may have multiple vendors of personal health records as clients. [M. Brooks: Sounds just like cloud computing service provider!]  If the third party service provider experiences a breach, it should not be required to identify every individual whose information was breached to each of its clients, regardless of whether the individual is a customer of the client.  This could result in the third party service providers’ sharing customer lists with competing vendors of PHRs, and could undermine the privacy of such customers.  The Commission agrees.  Thus, instead of requiring the third party service provider to identify each “individual” whose information was breached, the Commission’s final rule requires the service provider to identify each “customer of the vendor of personal health records or PHR related entity” whose information was breached.  

 85  Cloud computing is the provision of Internet-based computer services.  Cloud computing provides businesses and consumers with access to software, data storage, and infrastructure services that are hosted remotely. 


Here is the FTC press release, FTC Health Breach Notification Rule News.  Also, you can find the complete FTC ruling here 16. C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009

Suffice it to say, companies or vendors that are evaluating or making use of cloud computing for data that includes PHRs, will now be required to notify their cloud computing service providers.  Hopefully this isn't new news for vendors of PHRs! 

Second, it is clear that the FTC understands enough how companies are leveraging cloud computing providers and industry may see enforcement action in the cloud computing domain.  The Rule will take effect 30 days after publication in the Federal Register and the FTC said it would begin enforcement 180 days after publication.

Posted at 08:30 AM in Compliance and Ethics, Data Breach, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , ,

| | |

Preventing a Data Breach

I read this great article that I believe illustrates what is typical of Fortune 500 companies with respect to data leaks.

Editor's note: Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.

When the director of IT at a Boston-based, mid-size pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.


While there are certainly marketing benefits of publishing such findings for the vendors, I found this article to be very good and relevant for large companies too.

The incident numbers stated may be high simply due to false positives, as the IT management team noted in the article.  In addition, since the business management did not weigh in on the criteria of the audit, it is less likely that they were able to identify leaks that require more contextual findings and analysis -- which in many cases can be the most devastating type of data leak.  Examples would be executives or key technical staff that depart companies with 1000’s of files and documents regarding strategic plans, merger and acquisition data, confidential projects, litigation strategies, or impending negative decisions on products, etc.

With that said, I believe the types of findings in this article are realistic even for companies that have extremely sound technical security controls.  Without proactive, ongoing monitoring and the sponsorship of the senior business management data, breaches of this scale are more likely the norm than the exception.

I'm confident that if a similarly designed and executed audit were done, say at the top 100 Fortune 500 companies, the audits results would be very similar in scale and nature for many of the companies.

If you are a senior business executive, I think this article illustrates that your IT group cannot do it alone.  This company certainly was counting on IT.  If you are a senior IT leader, know your IT security team can’t make it happen alone.  If you are an Information Risk Executive, I think this story is a great example to leverage in making your case for the need to understand and monitor data leak risks.

Mark Brooks

Posted at 11:02 PM in Data Breach, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

| | |

Connect w/Mark