Friday, December 25, 2009

Cloud Security FUD Addressed with Executive Overview
- guidance and news as 2009 comes to a close

(Updated 11/24/2011)

Cloud computing technology and solutions hit many critical infrastructure organizations head on in 2009, transitioning from a vague concept to a must-have, at times mandated, in-house technology for many, a.k.a. private clouds. During this time, vendor offerings hosted in public cloud settings increasingly also provided quick start, low cost, and flexibility with extensive integration options, without much of the extra lifting and hassle of running the full footprint in-house. While some state that clear cloud security standards are still years off, the reality is we're already well into the realm of having to deal with public and private cloud security issues, especially at the business network level.

The following provides a good executive thumbnail of what decision makers need to understand in addition to the latest in more specific guidance for secure cloud computing:

  • The Busy Executive's Quick Cloud Computing Reference Guide - Virtualization Journal Dec 2009 — As an executive, you may be hearing many different viewpoints about Cloud Computing; some of them promising significant IT cost reductions and reductions in capital expenditures. Don't get caught off guard regarding all the technical complexities of developing and offering Cloud Computing services; the whole reason you're considering this option is so others will take care of these factors for you. Although you still need to be an educated consumer, you don't need to be in the weeds to ensure you're not caught with your pants around your ankles if you decide to use Cloud Computing services.
  • Guidance for Critical Areas of Focus in Cloud Computing- Version 2.1 - Dec 2009 (76 pages). The Cloud Security Alliance (CSA) newly released second version of guidance for secure adoption of cloud computing services provides more details with a good overview, addressing risks and timing, and helps simplify the decision process involved. This non-profit released their first version during the 2009 RSA Conference.
    Excerpt- It is hard to believe that just seven short months ago, we pulled together a diverse group of individuals from all corners of the technology industry to publish the first “Security Guidance for Critical Areas in Cloud Computing.” Since its launch, this seminal publication has continued to exceed our expectations for helping organizations around the world make informed decisions regarding if, when, and how they will adopt Cloud Computing services and technologies. But over those seven months our knowledge, and cloud computing technologies, have evolved at an astounding rate. This second version is designed to provide both new knowledge and greater depth to support these challenging decisions.

  • 11/24/2011 Update: The Cloud Security Alliance (CSA) released Security Considerations for Critical Areas of Cloud Computing- Version 3, 11/14/2011

  • NIST Cloud Computing Project Site. NIST's Role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards.
Of course, the devil is in the details, which vendors are working feverishly to address and differentiate with. Microsoft's cloud undergoes annual audits for PCI DSS, SOX, and HIPAA compliance, as well as internal assessments throughout the year. Remarkably, the Microsoft cloud has also obtained ISO/IEC 27001:2005 certification (this year) in addition to SAS 70 Type I and II attestations. ISO 27001 (formerly ISO 17799) remains one of the best information security standards available - a superset when compared with other standards (more). Microsoft's Azure-branded public cloud computing platform, long in development, is set to go live on New Year's Day. Plans include expanding the new technology into customer settings.

At a technology execution level, the release of vSphere in early 2009 extended VMware's lead with significant performance, features, and security improvements - a game changer - which includes robust Cisco Nexus 1000V software appliance support. Regardless of technology mix deployed, many organizations are coming to grips with virtualization's broader implications and working to spin up capabilities while the technology race presses on.

Bottom Line for Critical Infrastructure. The implications go well beyond the basic virtualization strategy of seeking tactical operational benefits with fewer physical servers and more virtual servers. For even the most critical infrastructure settings, private cloud (aka virtualization) computing is increasingly a must-have for any new large investments going forward. The cloud technology benefits are compelling (fault tolerance, hot recovery, managing growing functional and regulatory complexity, layering defenses, etc.) even while introducing its own complexity and risks to manage. The future will have layered information landscapes, with underlying systems, networks, and storage increasingly virtualized and extending deeper into and well beyond the comfort zone of today's typical organizational and outsourcing boundaries.

  1. Five big Questions about cloud computing, InfoWorld, Dec 28, 2009
  2. Secure the Datacenter, Secure the Cloud - Microsoft Federal Blog, Oct 2009
  3. Cloud Computing Deep Dive Special Report (21 pages)- InfoWorld, Dec 2009
  4. Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives (10 pages)- ISACA, Emerging Technology White Paper & more, Oct 2009
  5. Microsoft Thrive Live! IT Professional Virtualization Tour Podcast
  6. VMWare vSphere Podcasts Series & YouTube VMwareTV Channel
  7. Cloud Computing Grows Up - Forbes, Dec 22, 2009
  8. Plug Into the Cloud- InformationWeek's Cloud Computing Destination - perspective, hot topics

Sunday, October 18, 2009

FERC Hammers Florida Power & Light Co with $25M Civil Penalty
- $5M to go above and beyond current regulatory requirements

On Oct 8th, Florida Power & Light (FPL) agreed to pay a $25 million penalty after blunders by a field engineer led to a service outage affecting nearly a million customers, i.e., the 2008 Florida Blackout.

This marks the first settlement resulting from a reliability investigation by the Federal Energy Regulatory Commission (FERC) enforcing a 2005 law establishing electric reliability standards. This fine won't be going to customers. Instead FPL, facing a potential of $1B+ in fines, agreed to pay $10M to the United States Treasury and $10M to the North American Electric Reliability Corp. (NERC). The remaining $5 million is to go towards measures beyond current reliability requirements in a regulator-approved manner; otherwise, whatever remains of the last $5M will be evenly split between the US Treasury and NERC.

  • "Today's settlement demonstrates the high priority the commission places on electric reliability," said Norman Bay, director of the commission's Office of Enforcement. "The message to the industry is clear: Compliance with the standards is critical."
Holy smokes! This civil settlement clearly marks the end of wrist slaps for reliability violations, with a whole new level of realizable penalties. It's also worth emphasizing that the NERC CIP cyber security focus represents just one of fourteen reliability groupings in the current NERC Reliability Standards. The process reaching this settlement clarifies how FERC will increasingly be taking a very active role in industry reliability investigations going forward. Industry compliance programs will need to be reviewed and appropriately bolstered to help ensure sufficient program measures are defined and being maintained. The settlement also speaks to the need for continuous improvement efforts by industry aiming well beyond meeting today's reliability requirements, i.e., increasing regulatory margin. This is increasingly akin to commercial nuclear regulatory challenges and their supporting programs, with heavy doses of auditable evidence required.


Sunday, October 4, 2009

Striking the Right Balance: MS Windows Screensaver Locking
- AutoIt: A Potential Cure for Headaches

Updated 11-16-2010
While there have been plenty of higher-stakes cyber security challenges dominating my team's attention lately, I stumbled on an interesting approach to address an issue many organizations wrestle with.

The basic, consistent implementation of automatically locking Microsoft Windows PC screen savers, requiring password entry for access after a period of inactivity, poses a number of challenges. At least Microsoft's Active Directory (w/Group Policy Objects) makes implementation technically manageable. However, areas taking issue with implementing a required inactivity lockout often only have occasional legitimate business needs that are not suitable for a full exception. For example, personnel may give presentations and don't want disruptions; others may burn DVDs, view network traffic in a locked room, or occasionally engage in other unique activities with less interactive PC use, making a realistic automatic screen lock burdensome.

To help address this issue, we've been looking at several "Egg Timer" type of PC utilities to provide the means of temporary relief when merited so we can pursue a more consistent implementation of mandatory inactivity screen saver lockouts technical policy measures company-wide. One particular commercial offering has not yet gone to a new release (that we've been waiting on since 4Q2008) with expected pricing $10-$20 per PC plus annual maintenance.

Alternatively, a very interesting, freeware scripting and compilation tool called AutoIt has been available and improving for years. I haven't coded seriously in a long time and wasn't aware of this tool or its capabilities until recently. Surprisingly, the tool and associated slick editor along with lots of sample code, and large community of users together helped rapidly put me at ease. Although I didn't have much time available over the weekend, I still plunged ahead anyway and developed a "Beta" solution for review and feedback. The CDS utility developed since with AutoIt seems to do pretty much what we need and compiles into a reasonably small, single executable file that can just be dropped on the menu or just the desktop - sweet. The latest version supports use of Active Directory groups to authorize specific systems and logs user startup, activation, and exit events (user, timeout) of CDS to the local Windows Application event log and a designated central logging server (if assigned and available).

This excursion is aimed at saving us some hard cash - a good thing in tough times - while also helping make the consistent implementation of screen saver technical controls easier to live with for all involved. Additionally, the sheer ease of using AutoIt underscores how open source-like technology tools are continuing to develop so even the free stuff can be the very good stuff.
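As an added example (not the CDS utility's own AutoIt code), the same control points the post describes, sketched in PowerShell: authorization via an Active Directory group, a hard cap so temporary relief cannot become a standing exception, and start/exit events written to the local Application log and optionally to a central log host. The group name, event source, cap and log server are placeholders; the event source is assumed to have been registered once by an administrator (New-EventLog) at deployment time.

```powershell
<#
  Added example in the spirit of the Corporate Delay Screensaver (CDS):
  a bounded, authorized, logged delay of the GPO-enforced screen lock.
  Placeholders (assumptions): AD group, event source, cap, central log server.
#>
param(
    [int]$Minutes = 30,               # requested delay
    [string]$CentralLogServer = ''    # optional central log host (assumption)
)

$AuthorizedGroup = 'EXAMPLE\ScreenLock-Delay-Users'   # placeholder AD group
$EventSource     = 'CorporateDelayScreensaver'        # placeholder event source
$MaxMinutes      = 120                                # hard cap: relief, not an exception

# 1. Authorize: only members of the designated AD group may delay the lock.
#    IsInRole checks the group SIDs in the logon token, so no directory query is needed.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole($AuthorizedGroup)) {
    Write-Warning "$($identity.Name) is not a member of $AuthorizedGroup; no delay granted."
    exit 1
}

# 2. Bound the request so the delay is always temporary.
if ($Minutes -lt 1)           { $Minutes = 1 }
if ($Minutes -gt $MaxMinutes) { $Minutes = $MaxMinutes }

# Writes one event locally and, if configured, to the central log server.
# The source must already exist in the Application log (registered at deployment).
function Write-DelayEvent {
    param([int]$Id, [string]$Message)
    $evt = @{ LogName = 'Application'; Source = $EventSource
              EntryType = 'Information'; EventId = $Id; Message = $Message }
    try   { Write-EventLog @evt }
    catch { Write-Warning "Local event log write failed: $_" }
    if ($CentralLogServer) {
        try   { Write-EventLog @evt -ComputerName $CentralLogServer }
        catch { Write-Warning "Central log server $CentralLogServer unavailable: $_" }
    }
}

# 3. Keep the session from going idle for the bounded period by resetting the
#    display idle timer through SetThreadExecutionState (kernel32), the same
#    documented mechanism video players use, rather than by faking user input.
Add-Type -Namespace Win32 -Name Power -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SetThreadExecutionState(uint esFlags);
'@
[uint32]$ES_CONTINUOUS       = 0x80000000
[uint32]$ES_DISPLAY_REQUIRED = 0x00000002

$user = $identity.Name
Write-DelayEvent -Id 1001 -Message "Screen-lock delay started by $user for $Minutes minute(s)."
try {
    [void][Win32.Power]::SetThreadExecutionState($ES_CONTINUOUS -bor $ES_DISPLAY_REQUIRED)
    $until = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $until) { Start-Sleep -Seconds 30 }   # Ctrl+C ends the delay early
}
finally {
    # 4. Always restore normal idle behaviour and log the exit, even on Ctrl+C.
    [void][Win32.Power]::SetThreadExecutionState($ES_CONTINUOUS)
    Write-DelayEvent -Id 1002 -Message "Screen-lock delay ended for $user (timeout $Minutes minute(s))."
}
```

Because the state is tied to the script's thread, closing the console also ends the delay, and the paired 1001/1002 events give the security team a record of who delayed the lock, when, and for how long.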

Updated 11-16-2010
A SourceForge open source edition of the Corporate Delay Screensaver (CDS) utility - CDS-v100-Open - is now available for download with commented source code, use documentation, and an example AutoIt compiled executable at

Saturday, August 8, 2009

BlackHat Smartgrid Worm Attack Simulation - Aug 27th
Live Webcast: Smart Grid Device Security - Mike Davis, IOActive

Updated 9-5-2009

Following BlackHat 2009 in July, the archived webcast below highlights critical research Mike Davis and other IOActive researchers performed on Smart Grid technology.

Davis and other IOActive researchers developed proof-of-concept malicious code that self-propagated in a peer-to-peer fashion from one meter to the next as part of their effort to identify Smart Grid cyber security risks and threats. The webcast also addresses this attack simulation and the discovered Smart Grid vulnerabilities, such as susceptibility to buffer overflows and rootkits.

As one of the top Black Hat conference presentations, this has stirred up further attention to Smart Grid cyber security just as NIST is working to stand up and plow through developing related requirements and standards on an accelerated schedule. For those that missed out on the Black Hat session, this recap is very informative.

Update 8-20-2009
Davis's Recoverable Advanced Metering Infrastructure presentation slides (23 pages, some thoughtful redactions) are now posted in the Black Hat USA 2009 Archive area.

Sunday, August 2, 2009

NIST on a roll with "Historic" Security Controls Guidance & SmartGrid 3rd Workshop Aug 3-4
-Plus: BlackHat Smartmeter Worm Attack Simulation

NIST SP800-53 Rev 3 is Final
The newly released, voluminous NIST SP800-53 Revision 3 (~40 core pages plus supporting sections, 236 pages total) delivers a unifying cyber security framework for use across governmental, civilian, and critical infrastructure entities. The focus remains establishing a solid baseline security posture across eighteen control families. The consensus-developed SANS Institute 20 Critical Security Controls - Version 2.0 provides an updated mapping to this NIST release.

NIST said the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

Significant changes include:
  1. A simplified, six-step risk management framework
  2. Additional enhancements for advanced cyber threats;
  3. Prioritizing or sequencing security controls during implementation or deployment;
  4. New references section in revised security control structure;
  5. Supplemental guidance security requirements eliminated;
  6. Addresses risk management framework for legacy information systems and for external providers of information system services;
  7. Current threat information and known cyber attacks factored into security control baselines updates.
  8. Addresses organization-level security controls for managing information security programs;
  9. Guidance on the management of common controls within organizations; and
  10. Strategy for harmonizing Federal Information Security Management Act security standards and guidelines with international security standard ISO/IEC 27001.
  11. Tailoring for industrial control systems, including compensating controls - Appendix I
NERC emphasized ISO/IEC 27001 (aka ISO 17799) with the introduction of CIPs and 40+ security requirements; this major enhancement to SP 800-53 should help towards NERC CIPs getting even more NISTy.

NIST SmartGrid Workshop - Aug 3rd-4th
Third major NIST Smart Grid workshop - web/teleconference options:
A key objective of the public workshop is to engage standards development organizations (SDOs) in addressing standards-related priorities. Sessions will be devoted to discussing individual SDO perspectives on the evolving roadmap for Smart Grid interoperability standards, reaching agreement on which organizations should resolve specific standards needs, and developing plans and setting timelines for meeting these responsibilities.

Smart Meter Worm Could Spread Like A Virus - Black Hat Presentation.
At Black Hat last week, IOActive's Mike Davis and team created a simulation demonstrating how, over a period of 24 hours, about 15,000 out of 22,000 homes had their smart meters taken over by a software worm that placed the devices under the control of the worm's designers. More: Smart Meter Worm Could Spread Like A Virus
Some speculation: the simulation likely focused on a single managed smart grid environment (not across multiple, independent smart-grid settings). The meter manufacturer reportedly first dismissed the claims until they were proven. The vulnerabilities are similar to what happens when computers are linked over the Internet: by exploiting weaknesses in the way computers talk to each other, attacks designed by hackers can seize control. The Recoverable Advanced Metering Infrastructure presentation information is not posted yet in the Black Hat USA 2009 Archive area.

Black Hat and Defcon draw some of the best talent around to crack security, e.g., Black Hat Researchers Find 'Free' Parking in San Francisco and more news.

Sunday, July 26, 2009

Securing the Modern Electric Grid from Physical and Cyber Attacks
- Homeland Security Committee Hearing 7/21/2009

The Homeland Security Committee hearing Securing the Modern Electric Grid from Physical and Cyber Attacks on 7/21/2009 provided solid industry perspective on improving cyber security. Additionally, serious committee attention is now also focusing on the growing threat of physical damage from EMP (Electromagnetic Pulse) threats. An EMP attack, using one or several high-altitude nuclear detonations, risks taking out all digital and electrical infrastructure across wide swaths of North America. The EMP threat is not new; however, there is growing risk of a deliberate attack from either a rogue group or a nation-sponsored effort, e.g., Iran's sea-based delivery testing for such a device with a high-altitude explosion. Our vulnerability to this issue serves to increase risk. EMP is a national security issue long overdue for realistic mitigation - there is a need to get beyond just studying the issue. Congress sees the potential consequences from the EMP threat as unacceptable, the cost to substantially mitigate as reasonable, and is challenging industry to get after EMP risk mitigation.
  • Mr. Fabro, from Lofty Perch, helped bolster the perspective that industry is substantially improving cyber security- good technical, constructive views, recommendations and responses to congressional Q&A.

  • NERC's CSO Mr. Assante emphasized progress since joining NERC in September of 2008, e.g., cyber event reporting, communicating more effectively with 1800+ entities, and improving analysis of threats and industry alerting. He also clearly stated the grid is not immune to cyber or physical threats, and more will be done with industry engaged, factoring NIST into further CIP development. NERC also still views a need for more FERC authority to better address the risk of immediate, severe threats in a timely manner.

  • Some committee members remain very skeptical about industry treating cyber security seriously, emphasizing concerns about being lied to by industry, lack of progress. Now questions are also focusing on what industry is really doing about the EMP threat - whether from a premeditated attack or natural in origin, e.g. solar storms. Nothing?
    - Rep. Bill Pascrell Jr.'s (NJ) plainly spoken, eviscerating comments and questions provide an instructive example of some hardball congressional Q&A (jump to about 1:16:05 in the recorded hearing)

  • NERC, working with DOE, formed a special invitation-only group on July 2nd to further look at high-impact, low-probability, or better stated, low-frequency events (EMP, solar weather, terrorism, etc.)

    - An avoidable catastrophe - Opinion Commentary - Washington Times 7/20/2009
    - Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, April 2008 (208 pages) - Well organized update to the 2004 report; walks through key scenarios and consequences.

Wednesday, April 15, 2009

Yes - Omaha's Infotec09 Rocked!

After taking a year off and regrouping, Infotec09 April 14-15, 2009 rocked.

This bargain conference offered excellent keynotes, including Erik Wahl's phenomenal opening "Art of Vision" message (website), and a broad set of innovation-themed tracks addressing security, infrastructure, collaboration, leadership, culture and more. There were plenty of excellent, oft-published speakers and industry leaders, one of my favorites being the pragmatic, candid security leadership guru Mike Rothman. Also well represented was a sponsor mix across a wide solution space of products and services. It was also great seeing some folks I haven't seen in a while, catching up and talking shop, and making new contacts.

Infotec's solid comeback with an unofficial 600+ reportedly attending this week at Qwest Center Omaha made its mark- a success to build on bolstered with online and informative session blog summaries w/slides.

Monday, April 6, 2009

Feds Backing Up Rhetoric with Cybersecurity Action
-plus Joe Weiss's latest testimony

Lawmakers and the Obama Administration continue ratcheting up federal level attention to private sector critical infrastructure cyber security defenses. Concurrently, with a 60-day review ordered by the Administration yet underway (interim update -3/3), the Senate is developing sweeping legislation that would Federalize Cybersecurity. Many of the proposals stem from recommendations provided within the seminal Cybersecurity for the 44th Presidency study submitted last year by the Center for Strategic and International Studies, including:
  • appointing a White House cyber security "czar" with the authority to shut down government and private computer networks during a cyber-attack
  • charging the National Institute of Standards and Technology (NIST) to establish "measurable and auditable cyber security standards"
  • mandating an ongoing, quadrennial review of the nation's cyber defenses
  • requiring licensing and certification of cyber security professionals.

Also notable, NSA’s increasing role in such developments is causing growing concerns about privacy and pursuing an inherently flawed strategy by charging the organization with both ongoing intelligence gathering and an expansive new mission around national cyber defenses. The resignation of Rod Beckstrom from an executive-level cyber security federal government position underscores such concerns.

FERC Order - Nuclear "Regulatory Gap" Update.
The Federal Energy Regulatory Commission (FERC) is pressing forward to resolve commercial nuclear cyber security jurisdictional "regulatory gap" concerns raised last year. A FERC-issued clarification (~17 pages; Docket No. RM06-22-000; Order No. 706-B) on March 25th addresses previously requested industry input. It also concludes with a determination insisting that the portions of a nuclear power plant not specifically addressed with tighter security program coverage in the forthcoming regulations from the Nuclear Regulatory Commission (NRC) will be required to adhere to NERC Critical Infrastructure Protection (CIP) Reliability Standards. This rule became effective March 25, 2009. The combination of enhanced NRC requirements and the addition of FERC/NERC expectations into the mix makes addressing cyber security an even more important licensing and compliance challenge for commercial nuclear power. Some good news: FERC is providing implementation schedule flexibility, which will first be addressed by the Electric Reliability Organization (ERO). NERC, as ERO, is required to submit the related compliance filing to FERC within 180 days.

Congressional Hearing- Latest Round on Cybersecurity w/Joe Weiss.
On Thursday, March 19, 2009, the US Senate Committee on Commerce, Science, and Transportation held a hearing titled Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense (webcast - jump 12m to session start, testimony). Among the witnesses offering testimony was Mr. Joseph Weiss, a nuclear and industrial control system (ICS) engineer, who has long been critical of most vendor, industry, and governmental/regulatory measures addressing related cyber security risks. His statement included pointing out how industrial control systems have experienced at least 125 significant cyber security incidents during the past decade (written testimony). The effects include environmental damage, mechanical damage and, in one case, death. He said that a coordinated attack could have devastating consequences, "taking months to recover." (Editorial note: Potential physical and other electronic systemic attacks yet to be substantively experienced remain a noteworthy risk with conceivably even lengthier recovery periods.) Worth watching, as each of the witnesses had their perspective backed with solid points, followed by Q&A that pressed for answers around the concerns raised and the improvement approaches needed.

It's increasingly clear that cyber security in critical infrastructure settings, especially the Electric Sector, will continue gathering growing attention at a national level that goes well beyond sensationalized media coverage.

Saturday, March 21, 2009

Assante Pressing NERC Cyber Security Program Forward
-Tim Roxey appointment and NERC Alerts changes

Updated 3/29/2009
Michael Assante continues making program progress at NERC since his appointment in August 2008 into a newly formed Chief Security Officer (CSO) position. His focus- establishing Critical Infrastructure Protection (CIP) as one of the mainstream functions at NERC alongside continuing standards development, compliance and enforcement, and reliability assessment programs. Some notable developments:
  • The recent appointment of Tim Roxey as NERC Manager of Critical Infrastructure Protection.
    - Mr. Roxey has extensive commercial nuclear power physical and cyber security program experience.
    - He instrumentally promoted and supported the commercial nuclear power industry initiative addressing cyber with NEI 04-04 Cyber Security Program for Power Reactors as an NRC-endorsed "acceptable method" - well ahead of the related regulatory framework development and guidance now firming up. I had an excellent learning opportunity working with Tim Roxey and team as an active Computer Security Standing Committee member back in 2006. The focus then was getting NEI 04-04 packaged up into rollout template presentation form for the fall 2006 NITSL workshop.
    - He extensively helped assess and address Aurora vulnerability mitigations- working with NEI to help ensure commercial nuclear generation stepped up and robustly addressed the issue. Tim Roxey also effectively provided congressional testimony on actions taken and completion status - a stark contrast to FERC and NERC testimony.
    - Bottom Line: Tim Roxey's solid industry experience, connections, dedication and savvy add up to a very good move for NERC.

  • A new NERC CIP Alert Communication Process.
    - Communication will use specific email subject lines/levels:
      - ADVISORY: (Title) - No Response Required
      - RECOMMENDATION: (Title) - Response Required
      - ESSENTIAL ACTION: (Title) - Response Required
    - Entity acknowledgement is required within 24 hours if the issue is rated higher than Advisory. A grace period on this requirement extends to March 31, 2009, after which responses received after the 24-hour acknowledgement period will be noted as late or non-responsive. Additionally, more sensitive acknowledgement response information may need to be sent via paper until more secure electronic communication facilities are established.
    - New alert handling signifiers will further clarify distribution restrictions:
      - PUBLIC (Green): No Restrictions. Will be posted to NERC's website alert page.
      - PRIVATE (Yellow): Restrict to Internal Use and Necessary Consultants / Third-Party Providers
      - SENSITIVE (Red): Internal Use Only (Do Not Distribute Outside Your Company)
      - CONFIDENTIAL (Black): Limited Internal Distribution Decided Upon by an Officer of the Company
    - An "alerts manual" instruction book will be developed and released by March 31, 2009 to help entities better understand, organize, and train staff to support the alerts process.
    - More background: Alerts Distribution, Reporting & FAQ - Michael Assante & Doug Newbauer Jan 22, 2009

    - Update 3/28: On March 24th, Doug Newbauer, Manager of NERC Alerts, indicated that the deadline for mandatory 24-hour response on alerts will be extended: "In response to feedback from registered entities and because NERC is replacing the current Alerts application, NERC is delaying the 24 hour response requirement scheduled to begin April 1, 2009, until the new application is on line and operational."
      The application is expected to be prepared and released 3Q2009.

Sunday, March 1, 2009

Significant, targeted attacks even against ISPs?
-Absolutely! (just ask Time Warner)

One might think that larger financial institutions and other entities with directly exploitable financial or personal information remain the major nexus of criminal cyber problems. However, even consumer-grade ISPs are increasingly facing challenges. Time Warner's drawn-out efforts now in the limelight represent just the latest example of an organization scrambling to address service and reputation impacts from a disruptive cyber security attack.

  • February 28, 2009

    During the past week, hackers have launched a series of attacks on Time Warner Cable's servers. Time Warner Cable is working with law enforcement agencies to resolve these crimes.

    As a result of these attacks, you may have experienced a temporary "outage" when attempting to surf the Web, including an intermittent "page cannot be displayed" error message. The outages did not result in services being 100% unavailable; and were limited to sporadic timeouts which appeared to be random events. Some users may have experienced a total disconnect, however. These types of attacks are not uncommon, especially for a network as large as ours. We suspect that the attackers are using "zombie computers," or hijacking unsuspecting subscribers' machines to perpetrate the attack without its owner's knowledge.

    All of us at TWC take these attacks extremely seriously. As previously mentioned, we are working with the appropriate law enforcement agencies that specialize in investigating these types of crimes. We will pursue prosecution of all perpetrators to the fullest extent of the law. We apologize for the inconvenience that these attacks may have caused and encourage you to report any suspicious activity. Instructions for reporting security abuse are located at

    Time Warner Cable

    More: Google News Search: Time Warner Attack

The persistent assault centers on impacting Time Warner's Domain Name System (DNS) services. Given that DNS resolves domain names to Internet addresses, e.g., when surfing the Internet, an easy mitigation for customers is to use an alternative resolver provider, such as OpenDNS. I've been using both Time Warner and OpenDNS in my home networking environment for years with great results. OpenDNS also helps protect users from visiting known harmful and other inappropriate Internet sites.

Much attention is put on specific, in-scope compliance issues within critical infrastructure organizations. The obvious twist is that even basic, persistent attacks are increasingly a factor in considering overall business risk to service and reputation. Additionally, cyber security problems that affect non-operational, business network settings also increase the risk of "pivot attacks" creating more serious operational issues that regulators and senior management are acutely concerned with.

From a broader perspective, this issue saliently points out how even narrow, basic attacks can impact an organization and its customers. Critical infrastructure organizations risk even larger potential impacts stemming from such issues, driving the need for ongoing cyber security improvements.

Tuesday, February 10, 2009

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

Updated 8/2/2009
I regularly walk past a humorous list of posted reasons why a corporate project management office is not needed, based on Jim Chapman's 1996 list of "Top 10 Reasons NOT to Use Project Management". Considering the focus on cost and change challenges many IT organizations are facing, this insightful list inspired me to come up with my own Top 10 - enjoy:

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

10. Our internal and external customers really love us, so they do not care if company information and systems are appropriately and consistently secured.

9. Corporately organizing to manage cyber security risk is not compatible with our culture, and the last thing we need around this place is change.

8. All cyber security work is easy, with little guidance, direction, or accountability needed, and does not have cost, schedule, or any other significant technical, managerial or operational risks anyway.

7. We are not smart enough to develop an enabling cyber security strategy, program, or architecture without stifling creativity and offending our silos of technical and managerial geniuses.

6. We might have to understand our customers’ requirements and document a lot of stuff for review, input and approval which then would need to be maintained and that is such a bother.

5. Understanding, applying, and maintaining specific, definitive cyber security measures and clearly communicating actual status requires integrity and courage, so they would have to pay me extra.

4. Our bosses will not provide support needed for results; they want us to ensure regulatory and legal requirements, congressional concerns, and other related risks are managed through magic.

3. We would have even lengthier debates and still end up applying arbitrary, overly burdensome cyber security measures to all projects regardless of size, complexity, or risk and that would be stupid.

2. I know there is a well-developed cyber security body of knowledge that is applicable to the work I am doing, but it is too hard to understand, apply and help us improve with anyway.

1. We figure it is more beneficial to put increasing time and money into cyber security independently in various areas and accept a growing, uneven and obscure patchwork of results than to have an organized, more transparent company approach.

Disclaimer: While there may be times when one or more of the Top 10 resonate, an effective cyber security program should help clearly refute this list at every opportunity.

There continues to be sporadic debate about whether or not IT Security should be viewed as a profit center versus the cost center reality that the vast majority of practitioners work in, e.g., Mike Rothman's recent commentary: Compliance is SO a Cost Center. Regardless of how security is organized and executed, the best justification approach around security improvements focuses on business benefit in the form of cost savings or value, centered on a mutually well understood reality.

Many organizations are under increasing pressure to deliver more with internal resources, including addressing growing security expectations while keeping costs contained. While the means and alignment to meaningfully execute and maintain security improvements remain vital, an even more important success factor, in my opinion, for managing such risk over the long term is clearly articulating an overall company program. The program - however thick or thin in scope and resourcing - provides the means for ongoing leadership-driven attention to risk management, policy, goals, results, and preparations, with sufficient transparency and organizational support across various groups, compliance programs, and increasingly interested and engaged management.