<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mike Saurbaugh, Author at Security Current</title>
	<atom:link href="/author/mike-saurbaugh/feed/" rel="self" type="application/rss+xml" />
	<link>/author/mike-saurbaugh/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 14 Nov 2017 05:11:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Mike Saurbaugh, Author at Security Current</title>
	<link>/author/mike-saurbaugh/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Security Awareness of the Developer Kind</title>
		<link>/security-awareness-of-the-developer-kind/</link>
					<comments>/security-awareness-of-the-developer-kind/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 21 May 2015 01:04:16 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16576</guid>

					<description><![CDATA[<p>Knock, knock on the door… “Do you have a minute to talk about a report request?” asked the developer. Security awareness typically focuses on employees – the people working in&#8230;</p>
<p>The post <a href="/security-awareness-of-the-developer-kind/">Security Awareness of the Developer Kind</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Knock, knock on the door… “Do you have a minute to talk about a report request?” asked the developer.</p>
<p>Security awareness typically focuses on employees – the people working in support, the call center, or with business partners. What about developers? The people who receive requests from the company to execute something – be it a new cutting-edge application, business-driven reports, or efficiency requests so we can do more with less. All of this is great – developers provide significant value to companies.</p>
<p>“With great power comes great responsibility.” Where are developers in the security awareness and training matrix? Oftentimes developers are pressured to deliver on time and under budget, and security isn’t always top of mind.</p>
<p>What about those innocent reports mentioned above? You know, the kind where extracts are pulled from the databases to list whatever it is the business wants to know.</p>
<p>Who are the most profitable customers? Which location is making the most money? Which business partners require a report to reconcile their financials or provide an outsourced service?</p>
<p>These examples are not about SQL injection or cross-site scripting, but rather extracts of data from databases accessed by (likely) internal web applications. If the developer provides exactly what the employee asks for, is he/she providing too much information when there are other options?</p>
<p>Can the extract be provided with masked or truncated data? Can another unique, yet meaningless number be used instead of a social security number (for example)? Are there queries that connect into the database with reusable credentials that could be misused if in the wrong hands?</p>
<p>You get the point. The likely answer is that with the proper structure to the awareness program, these discussions and procedures can be put into place and executed.</p>
<p>There are countless examples where the business provides a request and developers write web applications or reports that allow for too much information when in reality less may be needed. Granted, there are times when this is not the case. But without security awareness with developers, there’s great potential for providing too much.</p>
<p>It’s worthwhile to establish secure developer training and a formal SDLC – no question. The point is that the ability to connect to, and extract sensitive data in business intelligence reporting can be easier to address through an effective awareness program that links into development.</p>
<p>There’s an opportunity to get out into the business and strive to make significant improvements to the data extracts and web applications and it can be easier to achieve than formal secure application development. Both are important of course – the key is to drive awareness and process change into the business by chipping away at areas where there is opportunity for a quick turnaround.</p>
<p>Get the conversation, training, and awareness flowing and the next report extract can contain less sensitive information and make improvements across the business.</p>
<p>The post <a href="/security-awareness-of-the-developer-kind/">Security Awareness of the Developer Kind</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/security-awareness-of-the-developer-kind/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Behavioral Change Through Influence</title>
		<link>/behavioral-change-through-influence/</link>
					<comments>/behavioral-change-through-influence/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Fri, 10 Apr 2015 01:44:41 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16601</guid>

					<description><![CDATA[<p>Influence, it’s one of those things which some have mastered. In the business world influence can be used as an advantage in order to achieve the desired outcome. Many people&#8230;</p>
<p>The post <a href="/behavioral-change-through-influence/">Behavioral Change Through Influence</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Influence, it’s one of those things which some have mastered. In the business world influence can be used as an advantage in order to achieve the desired outcome.</p>
<p>Many people in security get locked into the technical realm which is only natural. However, what about learning something new which has to do with people in order to strengthen the security program?</p>
<p>Not too long ago I stumbled upon the book, <a href="https://www.amazon.com/Influencer-Science-Leading-Change-Edition-ebook/dp/B00BPO7710">Influencer: The Science of Leading Change</a>. The Influencer is useful in so many ways…could it be for security, too? After reading, it became evident the book does tie into security, and in particular, security awareness and obtaining behavioral change.</p>
<p>Security awareness is oftentimes focused on the outcome, which is more about statistics (how many people took the CBT and what their score was), whereas a program focused on behavioral change strives for the impact it seeks (contacting the helpdesk rather than clicking on a phishing link).</p>
<p>I found some key excerpts from the book and wanted to share each one and illustrate its relationship with attributes to security awareness.</p>
<div>
<p>The keys to influence are:</p>
<ol>
<li>Focus on a small number of vital behaviors
<ul>
<li>It’s common to want to try and cover everything with security awareness. However, it makes more sense to step back, look at the top 3 areas of greatest risk, and get those covered. It may be passwords, phishing, and portable media. Whatever the areas are, it’s about identifying the vital behaviors you’re striving for and executing. In this case it may be: “contact the helpdesk when a phishing email arrives,” or “don’t use the same password across all sites.”</li>
</ul>
</li>
<li>Help them love what they hate
<ul>
<li>This is a really good one because talking to people about passwords is sure to bring out emotion. “I have 75 sites to remember a password to and they all have different requirements.” This is where security can step in and show employees how they can create unique passwords and remember them, or at least use a password manager.</li>
</ul>
</li>
<li>Help them do what they can’t
<ul>
<li>Many people are not technical and when they are shown how to do something technical, they feel empowered. With security awareness if they can’t decipher phishing emails, it’s time to sit down with them and help them learn how to identify the more obvious phishing emails.</li>
</ul>
</li>
<li>Provide encouragement
<ul>
<li>Oftentimes this is the little wins. It doesn’t have to be anything big, just something to keep them going. So, when an employee does a good security deed, promote this positive and encourage more of the same.</li>
</ul>
</li>
<li>Provide assistance
<ul>
<li>Encouragement tends to work well to keep morale up, but assistance is the help they need. Generally, people will do the right thing if they know what the right thing is. However, they need help getting there and this is the assistance aspect to changing behavior.</li>
</ul>
</li>
<li>Change their economy
<ul>
<li>The Influencer recommends modestly and intelligently rewarding early success and using caution with “punishment.” Punishment in security is such a gray area. If you are going to punish the call center employee for clicking on the link, will the CFO also be punished when s/he does the same?</li>
</ul>
</li>
</ol>
<p>A lot of these tips are common sense. The key is to read the book and find ways to match this up with how you promote security within your company and how influence towards behavioral change can be achieved.</p>
</div>
<p>The post <a href="/behavioral-change-through-influence/">Behavioral Change Through Influence</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/behavioral-change-through-influence/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>InfoSec World 2015 – Recap</title>
		<link>/infosec-world-2015-recap-2/</link>
					<comments>/infosec-world-2015-recap-2/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 26 Mar 2015 05:05:13 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17417</guid>

					<description><![CDATA[<p>InfoSec World 2015 just wrapped up from Disney’s Contemporary Resort in Orlando, Florida. With around 1200 attendees, over 75 speakers, and over 50 exhibitors, the event provided something for everyone.&#8230;</p>
<p>The post <a href="/infosec-world-2015-recap-2/">InfoSec World 2015 – Recap</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="http://www.infosec-world.com/">InfoSec World 2015</a> just wrapped up from Disney’s Contemporary Resort in Orlando, Florida. With around 1200 attendees, <a href="http://www.infosec-world.com/Speaker-Roster.html">over 75 speakers</a>, and over 50 exhibitors, the event provided something for everyone. In addition, MIS Training ensured attendees had the opportunity to attend workshops and hands-on training to provide a top-notch educational experience.</p>
<p>Many attendees commented on how the size of the event was ideal – big enough to provide depth and diversity while at the same time allowing for up close and in person contact with speakers and exhibitors.</p>
<p>Keynote speakers included Deviant Ollam, who opened the event demonstrating weaknesses in many of our physical security controls which we rely on so heavily. Deviant’s demonstrations carried into hands-on lock picking where attendees could see first-hand how anyone with a little time can bypass physical control locks.</p>
<p>Walmart’s VP and assistant CISO, Kevin Walker, provided an informative lunchtime keynote which included obtaining stakeholder buy-in and driving accountability within the business. This is an area which continues to provide challenges for CISOs as security becomes a board room topic, and Kevin shared his experiences.</p>
<p>Day two attendees heard U.S. Secret Service assistant special agent in charge Ari Baranoff provide insight into the criminal world of organized crime leveraging weaknesses in security to siphon billions. The USSS shared examples from July 2014 where POS malware was identified through their efforts and would likely remain undiscovered to date had they not been involved.</p>
<p>On the closing day, Silent Circle’s CTO and co-founder Jon Callas educated attendees on where mobile device security and encryption are going given the explosion in their use. Jon’s rich cryptography background and days with PGP provide unprecedented vision in this space.</p>
<p>Attendees had upwards of 7 sessions to choose from during each hour-long slot. Topics ranged from IoT, cloud, threat intelligence, mobile, insider threats, and software development, just to name a few. While some topics get more buzz than others because they are hyped, attendees gained the most value from sessions providing tips on “getting back to the basics”.</p>
<p>For example, is threat intelligence something your organization needs? Sessions dispelled the requirement for threat intelligence and provided practical solutions for little to no investment. Also, where is your greatest risk? Look at the top 10 list of problems from firms who repeatedly see the same thing from client to client. This is just a taste of what attendees were able to take back and immediately focus on to have an impact, rather than getting lost in the sea of noise. Want to improve security and reduce costs? There’s a session for that, too!</p>
<p>All in all, InfoSec World’s growth has shown attendees and exhibitors great value given the abundant number of security conferences hosted almost weekly, and it is one to put on the list when 2016 rolls around – it’s not to be missed!</p>
<p>The post <a href="/infosec-world-2015-recap-2/">InfoSec World 2015 – Recap</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/infosec-world-2015-recap-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Offense vs. Defense – Unite!</title>
		<link>/offense-vs-defense-unite/</link>
					<comments>/offense-vs-defense-unite/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Fri, 09 Jan 2015 15:21:27 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16663</guid>

					<description><![CDATA[<p>You can feel the enthusiasm this time of year as football playoffs and bowl games capture massive attention. Us vs. them. You vs. me. Offense vs. defense. In the sporting&#8230;</p>
<p>The post <a href="/offense-vs-defense-unite/">Offense vs. Defense – Unite!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>You can feel the enthusiasm this time of year as football playoffs and bowl games capture massive attention. Us vs. them. You vs. me. Offense vs. defense. In the sporting world, this is how it works. There is no collaboration or uniting of opposing forces. Someone wins, and someone loses.</p>
<p>Historically, we’ve had similar tactics in the security world. Attackers vs. defenders. Red teams vs. blue teams. Even attackers vs. employees – oftentimes this is like an NFL team vs. high school football.</p>
<p>“Let’s see how bad it will be.” This was a management statement many years ago suggesting the attack should just commence without any defensive awareness, education, and training for developers, administrators, analysts, and incident responders.</p>
<p>Attacking without knowledge? Sure, this is an option, but is it a good one anymore? After all, it’s easier and likely less expensive to just attack – no warning, nothing. Wouldn’t it be better all-around if defense had some preparation? Isn’t this what teams do in the sporting world? Don’t they prepare for their opponent? Sure they do. They watch films and study tactics so that when it’s game time they aren’t going at it blindly.</p>
<p>Can’t we do the same in security? We can, and we should.</p>
<p>Colleagues of mine who regularly conduct penetration tests have countless examples of engagements done year after year with the same findings. In other words, a company hires out the penetration test; the report is delivered, and then not acted upon. What kind of improvements are we making in this scenario? Not many, it appears.</p>
<p>In an industry where information sharing is supposed to be helpful, why not collaborate?</p>
<p>Nearly 10 years ago I sat down next to a penetration tester and, together, my defenses were attacked. There was instant value in seeing the attack and being able to identify and respond in the moment. There’s another side benefit: the attacker gets a firsthand look at the defensive attack surface and the tactics used. Some may question this because the attacker is not supposed to need any more insight. But this isn’t true. There’s reciprocal benefit in each team learning more, even with the primary objective of making the defensive posture that much stronger in the end.</p>
<p>When the attack starts, can defense even detect it? If not, that’s a great place to start!</p>
<p>More are starting to adopt collaboration as opposed to the shock and awe approach. Just think about it in the area of application security. Developers have an immense sense of pride in their work. They want (and will try real hard) to develop great software. Yet, after their code is in production, security comes through, breaks it, and then tells them the ‘X’ number of things they need to fix. And as previously mentioned, that’s a lot of what has been happening in operations after a penetration test. The engagement is completed, the report delivered, and there is a whole bunch of stuff to fix! Oh, and to be done somewhere in between the other umpteen projects already going on. It’s no wonder improvements haven’t been made through the years.</p>
<p>Working together allows for:</p>
<ul>
<li>Insight into tactics, both offensive and defensive;</li>
<li>Improvements in incident response;</li>
<li>Opportunity to harden and fix and retest to validate;</li>
<li>Improvements to build security into the operation and avoid silos;</li>
<li>Baseline opportunity to show progress and improvement;</li>
<li>Measurements which can be tied to business goals (i.e. software delivered on time and more secure);</li>
<li>Overt, not covert.</li>
</ul>
<p>There’s value in working in tandem towards the old cliché of TEAM (together each accomplishes more). This does, can, and should cover operations and development, and, done properly, employees too. It’s about adjusting the approach and priorities to change the behavior towards red and blue. The good news is that this approach is getting adopted and it is headed in the right direction for those who choose to collaborate vs. segregate.</p>
<p>The post <a href="/offense-vs-defense-unite/">Offense vs. Defense – Unite!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/offense-vs-defense-unite/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Black Friday – Paper or Plastic?</title>
		<link>/black-friday-paper-or-plastic/</link>
					<comments>/black-friday-paper-or-plastic/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 27 Nov 2014 15:36:07 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16676</guid>

					<description><![CDATA[<p>Happy anniversary? One year ago the infamous Target breach occurred; November 27 to be exact. Unless you’ve not ventured out to a retailer in 2014, there’s a good chance you’ve&#8230;</p>
<p>The post <a href="/black-friday-paper-or-plastic/">Black Friday – Paper or Plastic?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Happy anniversary?</p>
<p>One year ago the infamous Target breach occurred; November 27 to be exact. Unless you’ve not ventured out to a retailer in 2014, there’s a good chance you’ve been impacted by a card breach.</p>
<p>Impacted? What does that mean?</p>
<p>Like many, probably an inconvenience. Granted, there is a risk of fraud, but the cardholder’s liability is waived provided it’s reported in a timely manner. In the case of debit cards there can be greater impact, affecting checking account balances. But for the vast majority, there’s an inconvenience, which is the trade-off for the convenience of using plastic and (possibly) earning rewards for card usage.</p>
<p>As the family retires to the family room after Thanksgiving dinner and the Black Friday sales are discussed, poll them and ask if they will use paper (cash) or plastic (credit/debit cards) this holiday season.</p>
<p>Then ask them why. More than likely most are planning on using plastic, and why not? It’s unlikely they’ll say they have fear and a lack of trust in where they shop, even with a <a href="https://www.us-cert.gov/ncas/alerts/TA14-212A">reported 1,000 retailers</a> infected.</p>
<p>Simply put, the retailer has what we need and likely at a great price, Black Friday or not. The plastic is the convenience and the feeling is as if nothing was spent, until the statement arrives.</p>
<p>How does Wall Street feel about these breaches? At the time of writing, TGT is at a one-year high, closing (11/26/14) at $72.17. Home Depot? They’ve had a <a href="https://www.forbes.com/sites/maggiemcgrath/2014/11/18/home-depot-outlook-bright-despite-data-breach/">great 3rd quarter</a> and grew more than 20%.</p>
<p>Regardless of the viewpoint, these businesses have shown their resiliency in the face of very adverse events. And this is how it is supposed to be. Businesses are supposed to be able to weather the storm even with turbulence along the way. There’s a business impact, but in the grand scheme of things, the feared doom and gloom in the retailer space hasn’t hit as hard as expected. At least if the stock price is the yardstick, which for all intents and purposes it is.</p>
<p>By the way, it’s easy for the security industry to look back at the Target breach and poke holes and say we’re not getting any better. But there was improvement and it may have gone unnoticed in the midst of the chaos.</p>
<p>The TJX breach went undetected for 18 months, whereas Target was 18 days.</p>
<p>This statement isn’t about who is better, but rather to illustrate that the industry as a whole has gotten better at closing the window of compromise. Still, many will say that’s not good enough, which is tough to argue.</p>
<p>Would it have been ideal if Target had discovered this (outside of the internal alerts received) and addressed the incident? Yes, of course. However, in the age of information sharing and leveraging our allies, every business needs all the help it can get. The bottom line: if this were the TJX timeframe, the Target breach would still have 6 months to go before detection.</p>
<p>The industry has seen change in 2014 during the barrage of breaches. Influential figures have changed their tune and stated: “compliance does not equal security”. The security industry already knew this, but now it’s coming from the Council rather than the echo chamber. Vendors like <a href="https://attendee.gotowebinar.com/register/7155026100360943105">Cylance</a> are changing endpoint protection as we know it, which factors into the PCI-DSS 3.0 requirement 5 updates.</p>
<p>At a time of giving thanks with our family and friends, as security professionals, let’s give the gift of awareness and education, too.</p>
<p>There’s value in “what’s in it for me” – which is about providing people personal value as opposed to always focusing on corporate where employees may become disengaged. While some may view this as an ineffective approach to enterprise security, the opposite is true. Employees can and will learn security information that is personal to them and that carries over to the business, too.</p>
<p>Examples of fake shipping invoices, URL analysis in emails, creating better passwords, and mobile, are just a few topics which nearly anyone shopping this season can learn from. So rather than focusing on retailer breach trust or lack thereof, flip this on its head and change the conversation in areas where the employee has some control and can learn from everyday events.</p>
<p>The paper or plastic poll serves as the catalyst into an opportunity to provide awareness and educational value to those closest to us, and work towards chipping away at improving our security at the endpoint. We’re the trusted advisor for our family and friends and can make an impact in a roundabout way. To which, they may give thanks to us, and our corporations when they return to the office.</p>
<p>The post <a href="/black-friday-paper-or-plastic/">Black Friday – Paper or Plastic?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/black-friday-paper-or-plastic/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cloud Data Security – Control, Privacy, Trust</title>
		<link>/cloud-data-security-control-privacy-trust/</link>
					<comments>/cloud-data-security-control-privacy-trust/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 04 Sep 2014 16:21:48 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16708</guid>

					<description><![CDATA[<p>The latest iCloud photo leak news makes for interesting conversation – both with friends and family as well as business leaders. Yet not surprisingly, many are entrusting their digital lives&#8230;</p>
<p>The post <a href="/cloud-data-security-control-privacy-trust/">Cloud Data Security – Control, Privacy, Trust</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>The latest iCloud photo leak news makes for interesting conversation – both with friends and family as well as business leaders. Yet not surprisingly, many are entrusting their digital lives and their business with something they know very little about.</p>
<p>Is this the epitome of trust? Just do what others did; it’ll be fine? This is not about whether the cloud is good or bad or whose fault it is for the latest blunder. Rather, what’s the process of moving data to the cloud? What data is stored? Who decides? For the sake of argument, let’s skip consumer options since that’s a different conversation, and jump to the enterprise.</p>
<p>The cloud as a business tool provides benefits such as elasticity, on-demand availability, convenience, cost-effectiveness, and efficiencies. No more waiting for IT to provision something that will take two weeks when it can be done in minutes with a credit card. Where are the business and technical teams in this process? This question isn’t suggesting that teams are not collaborating, but rather asking what the process looks like.</p>
<p>Security teams are interested in control, privacy, and trust. Is the business? Yes, likely, assuming they know more about the topic and the options available. Or is there a “trust but don’t verify, just get it done” mindset? Let’s face it, businesses care. Leaders care a lot about their data; they just don’t always know the risks and what controls are available. This is where the collaboration between security and the business should take place.</p>
<p>For starters, moving to the cloud should address:</p>
<ul>
<li><strong><u>Communication: </u></strong>Technical teams and business units need to have proactive discussions about needs vs. wants, and timeframes to get there.</li>
<li><strong><u>The Data Involved:</u></strong> What is the data? Is the data regulated? What are retention requirements? What about access requirements and logging?</li>
<li><strong><u>Third-Party Due Diligence</u></strong>: Trust but verify the cloud service provider (CSP). It sounds simple, but it is easy to neglect. Keep in mind that this is not a one-and-done level of effort. Depending on the criticality, this may be needed more than once per year – think continuous monitoring where the circumstances warrant it.</li>
<li><strong><u>Before a PoC</u></strong>: Long before the first data exchange, what does the decommissioning and destruction process look like if a contract is not executed?</li>
<li><strong><u>Can the CSP View Data?</u></strong>: Can the CSP see the data? How would you know? Has anyone looked into encryption offered by the CSP or add-on solutions?</li>
<li><strong><u>Who Manages the Encryption (if any)?</u></strong>: Does the CSP manage the keys or does the business? (Solution provider examples are listed below.)</li>
<li><strong><u>What if Data is Subpoenaed?</u></strong>: If the CSP manages the keys and the data is turned over upon a subpoena, where does this leave the business? The ability to control what is handed over is a significant problem if the business does not own the keys: the CSP can turn over whatever it has been requested to, and the business may have little room to help manage the situation.</li>
</ul>
<p>Once these issues are discussed, security teams will have a better chance of being a security business enabler. Given some of the more public events that have occurred lately, the question is what additional controls a business is looking to undertake.</p>
<p>One area that is getting more attention stems from one of the initial discussion points: encryption. Many CSPs offer encryption of data at rest and in motion, but encryption of data in use is much harder. Granted, in many situations encryption at rest and in motion may very well be an improvement over what the business is capable of doing today in its own data center.</p>
<p>It’s not uncommon to see a business gain some additional encryption benefit by choosing a CSP because this was not dealt with internally, especially with legacy systems and concerns about performance, recoverability and key management.</p>
<p>If the business wants to take matters into its own hands, then it will need to look into encryption options where the business is responsible for key management rather than the CSP. This decision depends on the data involved, its sensitivity, and the risk appetite with whoever the CSP is. Vendors in this space are evolving, and the idea is to allow businesses to place their data in the cloud and then retain control over who can see the data. While not an exhaustive list, here are some vendors in the space of cloud data encryption:</p>
<ul>
<li>Boxcryptor</li>
<li>CipherCloud</li>
<li>Perspecsys</li>
<li>Porticor</li>
<li>SafeNet – HSM for Amazon</li>
<li>Skyhigh Networks</li>
<li>Vaultive</li>
</ul>
<p>At the end of the day there are a lot of moving parts to a successful migration of data to the cloud. The various IaaS, PaaS, and SaaS offerings provide businesses the power of choice. Furthermore, many of the security vendors in this space provide the opportunity to regain some control. At least for starters, engagement between teams and business units needs to take place to address key concerns and make sound decisions based on what is known.</p>
]]></content:encoded>
					
					<wfw:commentRss>/cloud-data-security-control-privacy-trust/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security Culture – It’s a Business Decision</title>
		<link>/security-culture-its-a-business-decision/</link>
					<comments>/security-culture-its-a-business-decision/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 10 Jul 2014 17:47:28 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16720</guid>

					<description><![CDATA[<p>Everyday businesses make decisions. The saying, “it’s a business decision,&#8221; is loathed by some in the security industry and largely because security was not involved in the decision. Many of&#8230;</p>
<p>The post <a href="/security-culture-its-a-business-decision/">Security Culture – It’s a Business Decision</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Every day, businesses make decisions. The saying “it’s a business decision” is loathed by some in the security industry, largely because security was not involved in the decision.</p>
<p>Many of these decisions should involve the security team. However, this assumes security’s embedded into the business and not on the outside looking in. Anyone who’s been at this for a while knows that this is easier said than done.</p>
<p>The challenge is that many of the business decisions to “accept the risk” are not fully understood, especially when it comes to handling sensitive data. Sure, businesses deal with risk daily so this is nothing new.</p>
<p>However, security can be very different. It’s different in that many other decisions don’t assess possible security implications from many different angles. The security impact worthy of analysis may be in the form of regulations, third-parties, access controls, legal, data classification, and architectural design, just to name a few. Yet without security teams better connected to the direction of the company, “accepting the risk” may yield uninformed decisions that can have negative ramifications in the future.</p>
<p>However, if security is involved upfront and has a chance to advise leaders on their choice, at least it’s a fully educated business decision. In the end, sometimes we agree to disagree.</p>
<p>There’s been a lot of discussion lately about creating a security culture. A security culture is more than lip service and is crucial.</p>
<p>Sure, security is important to every business. No self-respecting business is going to come out and say it in any other way. The difference is in action, not words.</p>
<p>Action in that security is seen as a strategic partner and not an inconvenient speed bump. Action in that the Chief Information Security Officer (CISO) is positioned with unobstructed access to leaders, including the CEO, to influence his or her team as a strategic partner. Action in that achieving compliance is not viewed as a successful security program. Check!</p>
<p>In just one recent example, the <a href="http://www.ffiec.gov/press/pr050714.htm">FFIEC’s press release</a> mentions in its first bullet “setting the tone from the top and building a security culture.” Furthermore, there’s emphasis on aligning security with business strategy.</p>
<p>Ideally, it wouldn’t take something in writing for this to take shape, or for that matter being told what needs to be done. However, in the absence of execution, regulators step in and provide oversight into what needs to be done in the first place.</p>
<p>It is increasingly obvious that business decisions are being made without security teams having a chance to be in the know. Many will look at this and say it’s a failure of security teams because they haven’t been able to maturely make their mark internally.</p>
<p>While that may be true for some, not everyone should be painted with this brush. Readers of <a href="http://geer.tinho.net/geer.suitsandspooks.8ii12.txt">Dan Geer</a> will likely agree with his repeated wisdom, stating, “cybersecurity is the most intellectually difficult profession on the planet.” The uphill battle will persist, but it seems as of late, more are turning the corner and maturing their company to include, rather than exclude, security.</p>
<p>Creating a security culture is also a business decision. At some point along the way, investments in security, and not just in product, are required in order to influence the human capital. Getting a seat at the table without a solid security culture is easier said than done. For those who’ve yet to get a seat at the table, there’s needed reflection as to why business decisions are made without involving security.</p>
<p>One key area to consider is evaluating the security alignment to the direction of the business and what matters most to the business. While this again sounds obvious, it’s not a bad statement because many teams are not projecting the right message to management as to how security is aligned with their strategy.</p>
<p>Security often reports on things such as attacks stopped, patching success rate, and speed to update signatures. All of this is good data, but it doesn’t likely match what matters most to executives.</p>
<p>For example, executives may track things such as lost customers, lost inventory, and number of units sold. How does patching a web server correlate to lost customers? Security teams realize the correlation, in that one protects the other (i.e., patched servers yield hardening, which means a less vulnerable server at risk of compromise that could lead to lost customers).</p>
<p>As such, security teams must ensure their measurements align with what the business is concerned with, as well as other technical data. The technical data will likely not surface to the board room. However, the alignment as it relates to the strategy of the business would, and should.</p>
<p>There is movement in the right direction as of late to help shed light on the need for security cultural improvement. It’s necessary to help teams collaborate and align with the business in order to better protect what matters most. Failure to do so will lead to more business decisions where the risk is accepted, but where the true security risk is not fully understood.</p>
]]></content:encoded>
					
					<wfw:commentRss>/security-culture-its-a-business-decision/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Managing Third-Party Relationships</title>
		<link>/managing-third-party-relationships/</link>
					<comments>/managing-third-party-relationships/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Thu, 19 Jun 2014 17:53:54 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16724</guid>

					<description><![CDATA[<p>Third-parties are an expansion of the corporate network. They’re a necessity providing a range of services which are better off outsourced than to try and do in-house. Often-times third-parties are&#8230;</p>
<p>The post <a href="/managing-third-party-relationships/">Managing Third-Party Relationships</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Third-parties are an expansion of the corporate network. They’re a necessity, providing a range of services which are better off outsourced than attempted in-house.</p>
<p>Oftentimes third-parties are less expensive and more efficient, which has become attractive to business leaders looking to maintain or gain a competitive advantage. The expansion of the corporate footprint not only means there are more points of contact, but also that the complexity of managing it all can take on a life of its own.</p>
<p>This can draw the ire of security professionals who are already stretched thin managing their own company, let alone third-party businesses where they have less control.</p>
<p>When business units engage third-parties, are they aware of certain risks when entering into an agreement? Without the involvement of legal and security teams, chances are good that due diligence security assessments are lacking and present unforeseen risk to the company.</p>
<p>Data is a business asset that is not thought of in the traditional sense by many business units.</p>
<p>How does the third-party protect the shared data assets they’ve been entrusted with, and how does the company who provided the data know? These are simple and critical questions to have answers to prior to the first proof-of-concept (PoC).</p>
<p>The beginning is really important even if there is no formal contractual agreement in place and the service provider is just offering a PoC. Why? What happens to the data when the PoC is over and there is no contract signed? Did the third-party properly destroy the data provided? If a contract is signed, going forward how critical is this third-party to the business and what are their security measures to protect the continuous flow of data they may be receiving? Is there a termination clause based on security incidents?</p>
<p>It is worth noting there have been several announcements made within the past 12 months relating to third-party management in both the finance and healthcare industries.</p>
<p>The Office of the Comptroller of the Currency (OCC) provided guidance in 2013 specifically referencing <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html">risk management for third-party relationships</a>. This builds on the response to the 2007-2008 financial crisis, in which the Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB), aimed at enforcing consumer protection with banks, credit unions, payday lenders, and securities firms, to name a few.</p>
<p>The CFPB expects the financial sector to oversee and manage third-party relationships and to protect against consumer harm. As expected, HIPAA is also involved in ensuring third-parties (business associates) are carefully watched as part of the <a href="https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf">HIPAA Omnibus Rule</a>. As such, businesses should be able to address three questions prior to the first data exchange or service provided. These questions can be seen from the <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html">OCC&#8217;s Risk Management Life Cycle Illustration</a> provided below.</p>
<p><img decoding="async" src="http://www.securitycurrent.com/resources/images/in-articles/Mikes-Piece.jpg" alt="" /></p>
<ul>
<li>What is the third-party’s security posture and the risk of sharing data? (this should be documented and reported)</li>
<li>Who is managing the relationship and are stakeholders involved? (oversight and accountability)</li>
<li>How does the company know? (independent reviews)</li>
</ul>
<p>It’s important to note that third-parties are not just the recipient of sensitive data. It’s very likely a third-party connects remotely to systems within the company to provide a service. The relationships occur in one of two broader scenarios:</p>
<ul>
<li>Businesses sharing data or accessing a service externally
<ul>
<li>This is the classic scenario mentioned thus far and relies heavily on leveraging an external entity (and sometimes internal company divisions) to provide a service and process data. The risk is the third-party has a security incident which negatively impacts the business due to the initial sharing of intellectual property or non-public information.</li>
<li><a href="https://threatpost.com/why-watering-hole-attacks-work-032013/77647">Watering hole</a> attacks are becoming more prevalent because attackers are exploiting less security savvy companies when they can’t yet compromise the victim they are seeking. Rather than go through the trouble of directly attacking the company they want, attackers find that it is easier to compromise a small, less-savvy third-party, of their intended target.</li>
</ul>
</li>
<li>External entity connecting to the business to provide or obtain service
<ul>
<li>It is very common for businesses to rely on third-parties to remotely manage, support, monitor, or process a service for a company. What systems can they access remotely and what data is at risk? This is the case with the infamous <a href="http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores">Target breach</a>, where a <a href="https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/">third-party HVAC</a> contractor was compromised, which became an enabler for the hackers to leverage their access into the giant retailer. With stolen credentials, hackers were able to breach Target’s systems based on the trust relationship with the third-party.</li>
</ul>
</li>
</ul>
<p>Developing third-party processes and procedures is required to ensure an effective, top-down program. Regulated or not, businesses must have a process in place to manage data flow from their own network and external connections. The steps include:</p>
<ul>
<li><strong>Building a foundation with executive management for third-party management.</strong> This includes governance, policies, procedures, and standards.</li>
<li><strong>Determine risk tolerance for the business.</strong> What is the business willing to share or provide as a service to other entities?</li>
<li><strong>Assign ownership and align with stakeholders.</strong> Third-party relationships are driven by business needs, and key stakeholders must be aware and involved from the beginning.</li>
<li><strong>Strong legal contract language is imperative.</strong> This may include the right to audit, full visibility into independent security reviews, and a clause to terminate if the vendor fails to meet requirements.</li>
</ul>
<p>Fortunately, there are vendor management solutions available to help organizations maintain and manage all of the relationships they have. The following is a list of solutions which businesses can turn to in order to help better manage the process.</p>
<ul>
<li><strong><em>Shared Assessments Framework</em></strong> – Since 2005 <a href="https://www.sharedassessments.org/">Shared Assessments</a>, a consortium of Big 4 accounting firms, leading financial institutions, and key service providers, has maintained a framework. The framework is designed to streamline the vendor risk assessment process through consistent standards with speed, efficiency and cost savings. Simply put, Shared Assessments is a trust-but-verify framework which uses the following tools.
<ul>
<li><u>Standard Information Gathering (SIG)</u> – The SIG, the trust element of the program, is a questionnaire that allows organizations to obtain information about a third-party’s technology, privacy, and data security controls. The SIG allows organizations to gather information through a series of questions to better understand how the relationship may impact their security posture.</li>
<li><u>Agreed Upon Procedures (AUP)</u> – The AUP provides for verification of the program based on answers obtained from the SIG. For onsite assessments, the AUP is recommended. Furthermore, the AUP allows organizations to focus on control areas during the onsite assessment, what procedures should be followed, and which sample sets should be used.</li>
<li><u>Vendor Risk Management Maturity Model (VRMMM)</u> – The VRMMM’s purpose is to refine the third-party management program. Through its use of vendor risk management best practices, the model can be used to assess the current and future state.</li>
</ul>
</li>
<li><strong><em>Third-Party Security Rating</em></strong> – What is a third-party’s risk rating to the business? What if the rating was good around the time of contract signing but one month later would raise a red flag due to a change in security posture, and more importantly, how would the business know? Rating third-parties with a score that is continuously monitored is the approach some solution providers are taking. The rating is similar to credit scores used in the financial industry for lending and to benchmark the level of risk in loaning money. For example:
<ul>
<li><a href="https://www.bitsighttech.com/">BitSight Technologies</a> analyzes data feeds to and from the third-party and examines botnet events, spam, malicious code, IP reputation, and social media, just to name a few.</li>
<li><a href="https://www.cloudeassurance.com/" target="_blank" rel="noopener">CloudeAssurance</a> provides standards (ISO, PCI, HIPAA, etc.), risk and threat-based (Top 20, benchmarking, etc.) third-party assurance for cloud and non-cloud environments.</li>
<li><a href="http://evantix.com/">Evantix</a> is also providing a risk rating SaaS-based product to map across many regulatory requirements.</li>
<li><a href="http://www.navexglobal.com/products/third-party-risk">Navex Global</a> offers risk rating status on-demand through their SaaS-based product suite.</li>
</ul>
</li>
</ul>
<p>Our dependence on third-parties isn’t going to slow down and managing third-parties is no easy task, but with the proper structure in place, it can be more effective.  Developing a plan will help manage the process through:</p>
<ul>
<li>Develop policies and involve the business</li>
<li>Identify data flow and access requirements</li>
<li>Evaluate program tools and assign dedicated resources</li>
<li>Implement remote access segmentation and monitoring of third-parties</li>
<li>Continuously monitor the security posture of third-parties</li>
</ul>
]]></content:encoded>
					
					<wfw:commentRss>/managing-third-party-relationships/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Salary Sources for Security Professionals and Hiring Managers</title>
		<link>/salary-sources-for-security-professionals-and-hiring-managers/</link>
					<comments>/salary-sources-for-security-professionals-and-hiring-managers/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Wed, 21 May 2014 18:00:52 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16728</guid>

					<description><![CDATA[<p>How much is a security professional worth annually? A number of factors go into this equation, but suffice it to say, the security industry and the salaries have not felt&#8230;</p>
<p>The post <a href="/salary-sources-for-security-professionals-and-hiring-managers/">Salary Sources for Security Professionals and Hiring Managers</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>How much is a security professional worth annually?</p>
<p>A number of factors go into this equation, but suffice it to say, the security industry and the salaries have not felt the recession the same as other professions. And with suggested security professional unemployment at zero, it’s no wonder young security professionals are opting for (formal) education in information assurance.</p>
<p>As someone who resides on two higher education curriculum advisory committees, I’ve seen firsthand the influx in interest in building security programs for students while the market is hot. Supply and demand has been a big driver in recent years.</p>
<p>For what it’s worth, several in academia fill students full of hope that their first gig is going to pay $90,000+ with nothing more than an undergraduate degree.</p>
<p>What (some) institutions are not saying, not because they are holding back, but because they are not seeing the full picture, is the relationship to location, industry, and experience.</p>
<p>As a result, future employees are expecting bigger salaries simply because a professor suggested searching usajobs.gov for “security analyst.” Again, location among other factors obviously matter.</p>
<p>In fact, a recruiter for a well-known agency recently said, “companies don’t pay cost of living, they pay cost of labor.” To anyone who has been around the block a bit, this makes a lot of sense. To a young graduate, not so much. They may fail to see that while salaries in Washington DC or San Francisco may be advertised at $90,000, the cost of living is outrageous. But students get caught up on the top number and assume that’s the going rate wherever they go.</p>
<p>Have security salaries and positions in the market started to peak? Have companies met their quota? There’s been little to no indication that this has been happening; security is still one of <em>the</em> fields to consider when looking for a career. Or has that recently changed?</p>
<p>SANS recently published a <a href="https://www.sans.org/reading-room/analysts-program/Survey-ProfessionalTrends">professional trends survey</a> comparing salaries across roles, level of education, and often-debated certifications. SANS’ report shows that while salaries are still on the rise, they don’t appear to be rising as sharply as assumed. So while positive growth is encouraging, their survey does not show the spike many claim.</p>
<p>Granted, surveys are surveys and a lot of variables make up the results. SANS cited a majority of respondents believe certifications are big contributors to their success and have added up to a 5% increase as a result. This is great for SANS given their specialization in advanced technical certifications which are highly respected.</p>
<p>Not everyone agrees with the SANS survey, in particular, David Foote of <a href="http://www.footepartners.com/FPbiographies.htm">Foote Partners</a>. David recently responded to the SANS survey with the following:</p>
<p>“<em>This SANS research is flawed but then among the many great things SANS is, a professional compensation survey firm they are not. We are, tracking and reporting pay at 2,600 employers in US and Canada. Our data going back to 2008 does indeed show a few tough years in the 2008 &#8211; 2011 time period but it generally disputes any notion that growth in infosec pay has been as anemic on a CAGR since then as the SANS survey may be showing. We also track pay premiums for 53 individual security certifications: pay for those was up 5.6% in just the twelve months ending April 1, 2014. We like SANS a lot for what they do well. We don&#8217;t think their compensation numbers are up to their usual standards but it&#8217;s great that they&#8217;re entering the debate on pay for security professionals. That debate deserves to be given the light of day</em>.” Source: <a href="http://www.bankinfosecurity.com/blogs/infosec-pay-shows-lackluster-gains-p-1668/op-1">http://www.bankinfosecurity.com/blogs/infosec-pay-shows-lackluster-gains-p-1668/op-1</a></p>
<p>The debate will continue, and many factors should play into the evaluation of salaries. What helps is being able to compare publicly accessible data from various sources, some of which require payment. SANS now adds more recent data to this list. SANS is one survey; what other sources exist to assist hiring managers in offering an appropriate salary? The following are sources to consider when benchmarking new or existing roles.</p>
<p><a href="http://www.footepartners.com/"><strong>Foote Partners</strong></a>: Foote Partners has been conducting salary surveys for years across many areas of IT, and information security in particular. The data requires payment, but a sample report is available as a general guide at: <a href="http://www.footepartners.com/TCSecurity2011.htm">http://www.footepartners.com/TCSecurity2011.htm</a> (updated as of April 2014)</p>
<p><a href="http://www.roberthalf.com/"><strong>Robert Half</strong></a>: Robert Half conducts research on IT and security as well as other areas outside of technology. The security-related data is available starting on page 14: <a href="https://s3.amazonaws.com/DBM/M3/2011/Downloads/SalaryGuide_RHT_2014.pdf">http://s3.amazonaws.com/DBM/M3/2011/Downloads/SalaryGuide_RHT_2014.pdf</a></p>
<p><a href="http://www.ponemon.org/"><strong>Ponemon and SecureWorld Insight</strong></a>: A recent collaboration produced a benchmark report on the compensation and role of security teams. The report surveyed 133 companies with more than 1,000 employees and is available for purchase at: <a href="http://secureworldinsight.com/products/the-compensation-and-role-of-security-teams">http://secureworldinsight.com/products/the-compensation-and-role-of-security-teams</a></p>
<p><a href="http://www.bls.gov/"><strong>United States Bureau of Labor Statistics</strong></a>: The Bureau of Labor Statistics provides supplemental information on the technology industry. While not an industry report, it serves as a complementary guide alongside the other resources and is located at: <a href="http://www.bls.gov/ooh/computer-and-information-technology/home.htm">http://www.bls.gov/ooh/computer-and-information-technology/home.htm</a></p>
<p><a href="http://www.globalknowledge.com/"><strong>Global Knowledge</strong></a>: The training firm Global Knowledge helps organizations that are looking to benchmark staff who hold certifications. Salary varies by geographic location (included in the table), but this serves as a quick-glance supplement to other resources that may not specifically reference certifications in the salary range. It is located at: <a href="http://www.globalknowledge.com/training/generic.asp?pageid=3202">http://www.globalknowledge.com/training/generic.asp?pageid=3202</a></p>
<p><a href="http://www.sempersecure.org/news/research.html"><strong>Semper Secure</strong></a>: In partnership with NetApp and Northrop Grumman, Semper Secure hosts the results from the cyber security census and has a heavier focus on government positions. The study is available for download at: <a href="http://www.sempersecure.org/images/pdfs/cyber_security_census_report.pdf">http://www.sempersecure.org/images/pdfs/cyber_security_census_report.pdf</a></p>
<p>Certainly salary negotiation is not a perfect science, and many factors go into salaries and surveys. Many find that comparing more than one source makes an effective benchmark, especially at a time when breaches keep occurring and security spend isn’t slowing down. Business leaders are asking whether these salaries are worth it, and for proof that they are.</p>
<p>The post <a href="/salary-sources-for-security-professionals-and-hiring-managers/">Salary Sources for Security Professionals and Hiring Managers</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/salary-sources-for-security-professionals-and-hiring-managers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security Awareness of the Heartbleed Kind</title>
		<link>/security-awareness-of-the-heartbleed-kind/</link>
					<comments>/security-awareness-of-the-heartbleed-kind/#respond</comments>
		
		<dc:creator><![CDATA[Mike Saurbaugh]]></dc:creator>
		<pubDate>Fri, 02 May 2014 18:06:17 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16732</guid>

					<description><![CDATA[<p>“Should I change my password?” “OK, I changed my password, now I’m secure, right?” Media reports over the past month certainly heightened security awareness and drove the public to sit&#8230;</p>
<p>The post <a href="/security-awareness-of-the-heartbleed-kind/">Security Awareness of the Heartbleed Kind</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>“Should I change my password?” “OK, I changed my password, now I’m secure, right?”</p>
<p>Media reports over the past month certainly heightened security awareness and drove the public to sit up, pay attention, and do “something.” What that something is depends on the guidance people heard, the importance of the service they are using, and what it would mean to them personally if the service were compromised.</p>
<p>Is it related to their finances, healthcare, or maybe just some free service designed to simplify their lives?</p>
<p>Perhaps just as important is whether people felt knowledgeable enough to go and take action. In other words, is the guidance they are receiving something they have the skill to carry out?</p>
<p>Changing a password sits at the lower end of the complexity spectrum; it is a security task most people are capable of. Multifactor authentication, password managers, overall good security hygiene: while not rocket science, these are not top of mind (or even known) for the average person on the Internet.</p>
<p>Simply put, people want to access a service without complications, and like it or not, passwords fit this basic need.</p>
<p>This is security awareness of the Heartbleed kind – global media warnings driving awareness and prompting people to take action, and in some cases, lack thereof.</p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-role-of-emotion-in-the-target-breach">Emotions play a big role</a> when people decide to take action. While the security community would much rather address security awareness <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/if-you-host-it-they-will-come">more effectively</a>, like it or not, events like Heartbleed grab global media attention, and some people take notice and do something within their skillset. Granted, some sites <a href="http://politicalticker.blogs.cnn.com/2014/04/19/heartbleed-causes-healthcare-gov-to-change-users-passwords/">forced password changes</a> whether people liked it or not.</p>
<p>Pew Research Center’s Internet &amp; American Life Project posted a <a href="http://www.pewinternet.org/2014/04/30/heartbleeds-impact/">recent study</a> examining which Internet users were aware of the Heartbleed bug, took action, and decided to change their passwords. Pew Research does not take part in Internet policy issues or endorse technologies; rather, it examines Americans’ Internet use and how their online activities affect their lives.</p>
<p>Between April 23 and 27, Pew Research conducted a random-sample survey and found that roughly 39% of those polled took action to change their passwords, and that about 60% of those polled had heard something about Heartbleed. Not surprisingly, the higher the education level and salary of the person polled, the more likely they were to have heard of Heartbleed.</p>
<p>Critics may argue this poll didn’t reach enough people. Yes, it would be even more credible if the poll had reached millions of Americans. Polls aside, though, from personal and professional experience Heartbleed ranked near the top (second only to Target) in the amount of discussion I’ve had with people outside of security in my career.</p>
<p>There are always side-bar discussions about whatever the latest security buzz is. But the last six months in particular have driven more and more interest in security at the highest levels of the business and among everyday people.</p>
<p>This isn’t how security awareness was intended to reach the masses: through security events driven by primetime media, leaving us to then break it down and explain to people what it means without FUD.</p>
<p>Since this is the hand we’re dealt, there is an opportunity to capitalize on the momentum of the discussion with business leaders, employees, and everyday people. Heartbleed allows security teams to take a step back and examine how this was handled internally. Even if an organization wasn’t running a vulnerable version of OpenSSL (1.0.1 through 1.0.1f), chances are good that employees within the company use third-party services that did. And a password changed before that third party had patched and replaced its certificate may itself have been exposed, so “change your password” only helps once the service has been fixed.</p>
<p>What was the communication plan to the employees internally? What was the communication to your customers and third parties relying on your services? How did the organization monitor access to third parties who may have been vulnerable?</p>
<p>These are just a few questions organizations can use as takeaways from Heartbleed. The events of Heartbleed were at one point an awareness moment for security teams, and then we were prompted to go and do “something,” just like everyday people. What was that “something,” and how can it be used as a learning experience in communication and incident response, as well as for keeping the discussion on security going within the business?</p>
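<p>The questions above about third-party exposure come down to a small triage: which services employees use were actually running a vulnerable OpenSSL, have those vendors remediated, and does a password change count if it happened before the fix? The following script is an added example, not code from this article or from Pew Research or SANS, that works through that decision over a constructed inventory. The vulnerable upstream range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is public record; the service names, versions, dates and the <code>Service</code> record layout are assumptions for illustration.</p>

```python
"""Heartbleed exposure triage over a constructed third-party inventory.

Added example, not code from the Security Current article. It assumes a
simple inventory (constructed below) that records, for each third-party
service employees use, the OpenSSL version observed at disclosure time and
the dates the vendor patched, re-issued its certificate, and the user last
changed the password. The vulnerable upstream range (1.0.1 through 1.0.1f,
fixed in 1.0.1g) is public record; everything else here is made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass
class Service:
    name: str
    openssl_version: Optional[str]       # None when the vendor never disclosed it
    patched_on: Optional[date]           # None while unpatched or unknown
    cert_reissued_on: Optional[date]     # None while the old (possibly leaked) key is in use
    password_changed_on: Optional[date]  # None if the user has not rotated yet


def classify_version(version: Optional[str]) -> str:
    """Classify an upstream OpenSSL version string.

    'vulnerable'     : 1.0.1 through 1.0.1f (heartbeat extension with the unchecked length)
    'not_vulnerable' : any other upstream release (0.9.8x, 1.0.0x, 1.0.1g and later, 1.0.2+)
    'unknown'        : missing, or a distro-suffixed string such as '1.0.1e-2+deb7u5',
                       because backported fixes leave the upstream number unchanged.
    """
    if not version:
        return "unknown"
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        return "unknown"
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are vulnerable; "g" onward carries the fix
        return "vulnerable" if letter <= "f" else "not_vulnerable"
    return "not_vulnerable"


def rotation_status(svc: Service) -> str:
    """Decide whether a credential used at this service still needs rotating.

    A password changed while the server was still exposed, or while a
    stolen private key could still impersonate it, may itself have leaked,
    so only a change dated after both the patch and the new certificate counts.
    """
    exposure = classify_version(svc.openssl_version)
    if exposure == "not_vulnerable":
        return "no_action"
    if exposure == "unknown":
        return "verify_with_vendor"
    if svc.patched_on is None or svc.cert_reissued_on is None:
        return "wait_for_remediation"   # rotating now would just expose the new password
    safe_after = max(svc.patched_on, svc.cert_reissued_on)
    if svc.password_changed_on and svc.password_changed_on >= safe_after:
        return "rotated"
    return "rotate_now"


# Constructed inventory; names, versions and dates are illustrative only.
INVENTORY = [
    Service("payroll-saas", "1.0.1e", date(2014, 4, 8), date(2014, 4, 9), date(2014, 4, 7)),
    Service("bank-portal", "1.0.0k", None, None, None),
    Service("webmail", "1.0.1f", date(2014, 4, 8), date(2014, 4, 10), date(2014, 4, 12)),
    Service("crm", "1.0.1e-2+deb7u5", None, None, None),
    Service("wiki", "1.0.1c", None, None, None),
]


def triage(inventory):
    """Map each service name to its rotation status."""
    return {svc.name: rotation_status(svc) for svc in inventory}


if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:14} {status}")
```

<p>Two design choices matter here. First, a distro-packaged version string is classified as unknown rather than vulnerable, because Debian and Red Hat shipped the fix as a backport without bumping the upstream number, so the only reliable answer is the vendor’s own statement. Second, a password change only counts once both the patch and the certificate re-issue predate it; the payroll example shows a user who changed their password the day of disclosure and still has to do it again.</p>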
<p>The post <a href="/security-awareness-of-the-heartbleed-kind/">Security Awareness of the Heartbleed Kind</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/security-awareness-of-the-heartbleed-kind/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
