Thursday, May 15, 2014

One Character Can make all the Difference

One small change to your source code, one character, or one person can make all the difference between a robust Information Security and Privacy program and reading about your company’s breach on CNN.
(Originally published on Tripwire's "The State of Security" at

Design in security or design insecurity: Looking at Information Security from a project management framework, many companies wait until just before beta testing to check for Information Security risks or exposures. This is designing insecurity. Built in insecurity. Factory equipped at no additional cost to the user!
Everyone is familiar with project management 101: You can have any two of the three, Fast, Cheap or Good, but you can’t have all three.
If you want it Fast and Cheap, we can’t tell you how good it will be. If you want it Good and Fast, we can’t tell you what it will cost.
We can think of the information security and privacy aspects of your project in this same way.
However, when you factor in Risk alongside Cost, Schedule and Scope (or Budget), you need a new paradigm (and graph!).
We need to add in the triangle of Risk, Resources and Quality as per PMBOK 4.0, Practice Standard for Project Risk Management.
Instead of just thinking about project risk in terms of cost overrun, or delays, consider what happens when you build insecurity vs building in security. By building in security you reduce the known unknowns of your information security risk footprint.
Let’s go back to project management 101: It costs you $1 to design it in, $10 to build it in later, $100 to fix it before it goes into production, and $1000 if you need to fix it once it has been turned over to operations.
For Information Security and Privacy issues, you not only have to account for the lost time (risk, poor quality, budget overruns, resources and scheduling problems), but you also have to look at regulatory and financial issues due to litigation. Your quality issues don’t just put users and customers off a little, you could lose them for life. Security Project Management 101 goes like this:
$1 to design in security, $100 to build in security later, $10,000 to fix it before it goes into production, and an average of $5.4 million once it has been turned over to operations. ($5.4 million is the average cost to US organizations for a data breach in 2013, before you add in the Target breach.)
Ask your stakeholders: Do you want to budget $1 extra to design in security, or risk $5.4 million if things go really bad?
One User, Employee, or Vendor
One character, one user, one employee, or one vendor who has access to your network can bring it down. The next character that can cause you a problem would be an insider; someone who has internal, privileged access to your network.
Yes, that character. You know who that is and wish you could do something about it. An insider with unnecessary access and a weak password helped bring about a huge data breach at Target that could end up costing them $20 billion. Yes, billion. That comes after million, and just before trillion. Not quite national debt numbers, but this number won’t play well during the next stockholders’ meeting.
Take as an example what happened at Target. The old CIO resigned and the new CIO is actively taking steps to keep this from happening again. He rescinded unnecessary vendor access, updated technical requirements for password strength and forced everyone to change their passwords to adhere to this new policy.
What else can I do? What about that ‘one character’? Security Awareness Training, and not just a 30 minute computer based flyby of last year’s ghosts and goblins of data security, but a comprehensive, customized training program that will enroll that ‘one character’ as an ally. Not just for ‘the little people’, but for executives.
Instead of causing problems, that problem character (or characters) will understand their part in keeping the company safe and secure, especially if the executives lead the way by example.
One Byte
Insecurity vs in( )security. One byte. That is all it takes sometimes. During a recent web application assessment for a Fortune 100 company we noticed that one byte was missing. This one byte meant the difference between a reasonably secure user experience and a user experience that exposed massive numbers of users to identity theft, bank fraud, and spam.
What was that one byte? (Non-geeks can look away now and start humming. Come back in 5 minutes and we can wrap things up.) On the company home page the button for the user login function pointed to ‘http://{}/functions/login.asp’. (Do you notice the missing character?) A packet trace of the login function confirmed that the username and password were being sent across the wild world web without using any type of encryption.
The company didn’t need to worry about the Heartbleed bug; this information wasn’t encrypted anyway. Anyone listening would have access to information that should have been encrypted. Depending on how long this bug was in place, this could have possibly affected more than 10 million users just in 2013. Not quite up to Target’s 110 million faux pas, but still a respectable number.
Character of the Boss
The bad news is that you can’t fix everything with just one character, or changing one character, or firing one character. The good news is that the Character of the executive management can have more of a positive effect on the information security culture than all the firewalls, audits and scrum masters in the world.
The Character of the Information Security group, CISO or CSO will directly reflect the support given by executive management. This top down approach isn’t just for project management or software programming, it is business 101. “It all comes down from the top”.
Employees who enjoy working for their company and respect their managers are likely to make fewer mistakes in general, fewer mistakes on purpose, fewer security mistakes, and are less likely to ignore security and privacy policies. Their managers will be less likely to ignore policies and rules if their executive management respects them.
If your executive management does not respect their own security and privacy rules you can be sure that the employees won’t.
One Character at a Time
As you move through life, you will work for good bosses and bad. You will work at companies that have a good security and privacy program and you will work for companies that don’t care. If you are tasked with protecting a company that doesn’t care, there might be nothing you can do about it.
Just do your job, learn your craft and try to keep things in perspective. Ultimately it is only your job to detect the information security risks and inform your management. It is their responsibility to take it seriously. You can help by learning more about your company’s business. Your assumption that the company doesn’t care might just be your lack of understanding of the nature of their business.
Every vulnerability isn’t critical, and nothing is perfectly secure. One character at a time. One byte at a time. That is all that can be expected of anyone. One character can make all the difference. Make that character be you.

About the Author: Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship, with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached at
