The Southern Fried Security Podcast (podcasts)
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

Episode 195 - Annual Policy Review - Making It Worthwhile

 

  1. Define policy vs. standards vs. procedures
    1. What is a Policy? It is a guiding principle to set the direction of an organization. High level, governing, statements. Do not include technical details.
      1. Example: Policy statement = Users must authenticate with a unique ID and password
      2. Standard: User passwords must be: # of characters, include one uppercase letter, one special character, be at least 10 characters in length. This type of information would go into an Access Control Standard.
    2. What is a Standard? Standards support the policy, make it more meaningful and effective.
    3. What is a Procedure? A procedure is a step by step, how to guide to which is consistent with the end result being the same. These are the steps for configuring your firewalls, setting up a new user, building a server, etc.
    1. Every policy guide everywhere says you need to review your policies regularly which almost always means annually.
    2. Failure to do the annual review can get you in hot water with your regulator and/or auditor.
    3. It just Makes Sense.
  2. Why review your policies?
    1. It’s the one time a year you can nudge the organization where it needs to go
      1. Past Problems
      2. Current Issues
      3. Future Challenges
    2. Killing off/modifying policies that get in the way of people doing work will Make Friends And Influence People
    3. There is no better way to ensure your team is working on what needs to be worked on than aligning with stated policy.
  3. Making Sense of Policy Review
    1. Alert The Approvers
    2. Line Them Up
    3. Divide and Conquer
    4. Bring The Business Into The Process
      1. Internal Audit
      2. Legal
      3. Risk
      4. Corporate Security
      5. IT
      6. Marketing / Public Relations
    5. As Needed Bring In
    6. Change Crosswalks FTW
    7. Communicate, Communicate, Communicate.
  4. The Review Process
    1. Have a process to deal with questions.  Route questions to the authoritative source for an answer - don’t answer stuff you can’t/shouldn’t
  5. Questions?
  6. Resources?

 

More Notes

 

  • Make sure what is being added is enforceable. This is a legal document and can be used in court. Statements support what is being done today, not what you would like to do or wish the program would do in the future.
  • Go back to those “parking lot” statements that were not added or removed from a draft because you couldn’t enforce them at the time. Can they be added? Don’t lose sight of them if they are important to your security program  
  • Does the corporate culture / C levels support statements in the policy? As a security practitioner you may firmly believe that your security program must abide by certain policy statements but the corporate culture or your CEO/CFO even CISO may not support it. They may become “parking lot” items for a future version or you may be able to successfully display that the program can support that statement without affecting the culture.
  • Legal is an important reviewer. It feels nitpicky during the review but Legal knows when “should” and “must” are appropriate.
  • Don’t reinvent the wheel. ISO 27001 is a good framework for your policy. Use it. Don’t try to come up with statements because you think you have to appear to be an Info Sec Policy God. KISS!
  • Don’t write standards and procedures in your policy! We’ve reviewed countless policies that had what we’d consider a standard or “step by step instructions for making firewall changes. That’s a procedure! Keep it out of your policy.
Direct download: SFS_Podcast_Ep_-_195.mp3
Category:podcasts -- posted at: 8:21pm EDT

Evaluating Security Product Vendors

 

In light of recent news about “Vendors Behaving Badly” we want to talk about how a security professional should evaluate vendors and their products.

 

Recent News:

Tanium exposed hospital’s IT while using its network in sales demos: https://arstechnica.com/security/2017/04/security-vendor-uses-hospitals-network-for-unauthorized-sales-demos/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

 

  1. There are so many different sources of information about vendors and their products.  You owe it to yourself to evaluate not just the vendor but also each source of information.
    1. Analyst Firms:  Gartner/Forrester/etc
      1. Always remember they take a very generic view using a notional enterprise as the standard.
      2. Current customer interviews are important but, remember, those customer contacts likely came from the vendor.
      3. The perception of “Pay for Play” is there no matter how much the firms want to squelch that.
      1. These tests presume a lot so make sure you understand what the conditions of the test were.
      2. The “Pay for Play” perception exists here too….
      3. The results of the testing aren’t specific but can help show outliers in a group
    2. 3rd Party Testing:  NSS Labs, etc.
      1. Obviously your best and most relevant source of information.  :-)
    3. Podcasts
      1. If you have developed a reliable network of peers you can reach out and ask folks.  But, remember, buy them a beer for their troubles…
      2. Always remember perspective is everything.  Some people just don’t like Company_Z and will always hate their products.
    4. Networking
  2. Information Sources
    1. Start with 3rd party data and demos.  This will determine if your requirements (you did write out your requirements, right?) are met by the product
      1. Do not allow the vendor to drive the definition of “success” in a PoC
      2. Try to break it.  I mean REALLY try to break it.
      3. Remember during the PoC is going to be the best support and interaction you will ever get.  If that sucks you might want to move along.
      4. Test *all* of your use cases. (you do have documented use cases, right?)
    2. Do a PoC (Proof of Concept).
  3. Product Evaluation Rules
    1. Service providers such as penetration testers and MSSPs
  4. Edge Cases
Direct download: SFS_Podcast_Ep_-_194.mp3
Category:podcasts -- posted at: 9:53pm EDT

Tonight's episode is all about those learning moments. 

CISOs and security orgs find new and interesting way to screw up all the time.  Leaving that Any-Any rule in place on the new firewall…  Disabling the CEOs account by accident…  Not realizing that Shadow IT had just installed a new egress point…


Here are our stories.  The name have been changed to protect the culpable.

Direct download: SFS_Podcast_Ep_-_193.mp3
Category:podcasts -- posted at: 10:02am EDT

Today's Topic: Security Waste - Buying new tools without maximizing use of current tool set

It’s not just a security problem but we often add to our arsenal without fully (or even mostly) utilizing the tools that we do have.

Problems associated with this are:

  • Have more complexity in your environment
  • Needing more staff or requiring current staff to stretch themselves thin to support differing tools
  • Increased cost (capital, operational, support)
  • Information overload - even with a SIEM more data requires more analysis
    • Increased chance of missing key events
    • Increased false positives
  • What am I missing?

 

How do we work through this when you’re not the decision maker?

  • “Operational Excellence” - Martin’s story

 

How do we work with our vendors to ensure that we are leveraging their tools without over dependence on one tool or vendor?

Direct download: SFS_Podcast_Ep_-_192.mp3
Category:podcasts -- posted at: 9:02pm EDT

Guillaume’s last visit to the show: Episode 167
Last year’s WWDC episode

WWDC 2016 Security Rumors and Wishes
Possible Touch ID changes
Touch ID for the Mac?

Wishlist
Encrypted iCloud Backups
Permissions and Pairing
Granular Location Access
Better Public Wi-Fi, VPN And SSL/TLS Handling

Reduced Annoyances and Increased Security on iOS

Find us on Twitter:
@gepeto42
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

 

Direct download: SFS_Podcast_Ep_-_181.mp3
Category:podcasts -- posted at: 10:35pm EDT

This evening, Martin sat down with Patrick Heim from Dropbox. Enjoy the interview, and the gang will be back next episode.

Direct download: SFS_Podcast_Ep_-_180.mp3
Category:podcasts -- posted at: 9:00pm EDT

The 2016 DBIR
OSVDB Thoughts on the DBIR
Analyzing the 2016 Verizon Data Breach Investigations Report » Digital Shadows
The DBIR’s ‘Forest’ of Exploit Signatures – Trail of Bits Blog
Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess | OSVDB

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter.

 

Direct download: SFS_Podcast_Ep_-_179.mp3
Category:podcasts -- posted at: 8:36pm EDT

This evening, Martin, Steve, and Joseph talk about overhyped vulnerabilities, and how that affects communication with the business.

Badlock’s Site
Sadlock
Hyping vulnerabilities is no longer helping application security awareness | TechCrunch

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_178.mp3
Category:podcasts -- posted at: 8:45pm EDT

Tonight, Martin and Joseph sit down and talk about communicating cautionary tales without turning them into FUD.

US-CERT advisory on ransomware

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_177.mp3
Category:podcasts -- posted at: 8:40pm EDT

InfoSec programs without money are like cereal but no milk, peanut butter but no jelly, Milli but no Vanilli… (Get over it, I’m old - Martin)

Martin is doing a talk on “The ABCs of Getting Your InfoSec Program Funded” and we’re going to discuss how this works in the real world at all of the different levels.

Find us on Twitter:
@SFSPodcast
@armorguy
@jsokoly
@andywillingham
@SteveD3
@jetsetyvette

And if you have any feedback, questions, or comments, drop us a comment or find us at @SFSPodcast on Twitter. And if you’ve found our Facebook page, we’re sorry. We’re going to fix that up.

Direct download: SFS_Podcast_Ep_-_176.mp3
Category:podcasts -- posted at: 10:06pm EDT