Information Security and Starcraft II

Posted in /opt/risk_management, /root/IT Management, /var/rant on October 4th, 2010 by Rick Zhong

For the past month, I have probably spent half of my free time playing Starcraft II on Battle.net. While I am trying to pull back a bit and get back to the usual IS research I do, I find the two (Information Security and Starcraft II) amazingly similar in multiple aspects.

In the Information Security world we always look at People, Process and Technology, while in Starcraft, Resources, Troops and Technology are the three factors needed to win a game. In both cases, an optimal balance of these three factors is the key to successfully managing enterprise information security or defeating your opponent in a Starcraft 1v1 game. An objective and adaptive strategy is also fundamental in both. As IS professionals, we need to keep a close eye on the current threat landscape and emerging threats, and allocate resources (the budget) accordingly. In Starcraft, scouting and intelligence about your enemy's strategy are what decide how you spend your minerals and gas.

At the tactical level, a complementary mixture of troops is one of the most basic micro techniques in Starcraft. Similarly, in Information Security I am a strong believer in multi-layer/tier implementation and in the diminishing returns of investing in a single type of security control. A single type of control can only reduce the overall risk by a certain percentage; subsequent investment in the same type of control yields decreasing returns and eventually reaches a plateau. In a recent talk I attended, Dr Peter Tippett from Verizon Business illustrated this with the example of seat belts in car safety: a nylon seat belt reduces the probability of a fatal accident by 50%, while a high-cost titanium seat belt would reduce it by only another 3%. An airbag, at a fraction of the cost of a titanium belt, reduces the risk far more significantly.
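As an added illustration of that plateau (this code is not part of the original post; the threat catalogue, control names and effectiveness figures are made-up assumptions chosen to show the effect, not measured data), the following Python models each control as an independent filter over a weighted set of threat scenarios. A second instance of the same control type only catches what the first one missed, so its marginal gain shrinks, while a control covering a different scenario delivers a larger reduction. The greedy selection at the end is the budget-allocation side of the argument: spend the next unit of budget where the marginal reduction is largest.

```python
"""Marginal risk reduction: stacking the same control type vs. adding a complementary layer.

Constructed illustration. THREATS and CONTROLS are assumed figures, not data.
Model: a threat survives a control with probability (1 - effectiveness); controls are
treated as independent, so survival probabilities multiply.
"""

# Constructed threat catalogue: scenario -> baseline likelihood weight (sums to 1.0).
THREATS = {
    "phishing_credential_theft": 0.30,
    "web_app_sqli": 0.20,
    "malware_on_endpoint": 0.25,
    "insider_data_export": 0.15,
    "ddos": 0.10,
}

# Constructed controls: scenario -> fraction of that scenario the control stops.
# "email_filter" and "email_filter_premium" are two products of the same type; the
# second one only sees the phishing that the first already let through.
CONTROLS = {
    "email_filter": {"phishing_credential_theft": 0.6},
    "email_filter_premium": {"phishing_credential_theft": 0.7},
    "mfa": {"phishing_credential_theft": 0.9},
    "waf": {"web_app_sqli": 0.7},
    "edr": {"malware_on_endpoint": 0.8, "insider_data_export": 0.3},
    "dlp": {"insider_data_export": 0.7},
}


def residual_risk(deployed):
    """Weighted residual likelihood across all threats after the deployed controls."""
    total = 0.0
    for threat, weight in THREATS.items():
        survive = 1.0
        for name in deployed:
            survive *= 1.0 - CONTROLS[name].get(threat, 0.0)
        total += weight * survive
    return total


def marginal_gain(deployed, candidate):
    """Risk reduction obtained by adding `candidate` on top of `deployed`."""
    return residual_risk(deployed) - residual_risk(list(deployed) + [candidate])


def greedy_portfolio(candidates, budget_slots):
    """Pick controls one at a time, always taking the largest marginal reduction."""
    chosen, remaining = [], list(candidates)
    for _ in range(budget_slots):
        if not remaining:
            break
        best = max(remaining, key=lambda c: marginal_gain(chosen, c))
        chosen.append(best)
        remaining.remove(best)
    return chosen


if __name__ == "__main__":
    base = ["email_filter"]
    print("residual with basic email filter:", round(residual_risk(base), 3))
    for cand in ("email_filter_premium", "waf", "mfa"):
        print(f"  + {cand:22s} gain = {marginal_gain(base, cand):.3f}")
    print("greedy 3-control portfolio:", greedy_portfolio(CONTROLS, 3))
```

With these assumed figures, a premium email filter on top of a basic one buys a 0.084 reduction, while a WAF (a different layer) buys 0.14 for the same budget slot, and the greedy allocation never picks two filters of the same type before the gaps are covered. The model ignores correlated failures between controls, which is exactly the case where stacking the same vendor's products looks better on paper than it is.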

Just like Starcraft's micro (unit control in battles) and macro (resource planning, map control, etc.) management, there are micro and macro levels in Information Security. We need risk frameworks, governance, strategy, measurements and metrics at the macro level, but we also need the micro: vulnerability research, code analysis, log monitoring, intrusion signature development and reverse engineering. Lacking either one will neither win you a Starcraft game nor protect your enterprise information effectively.


A Pleasant Surprise from Microsoft Security Newsletter

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on October 20th, 2009 by Rick Zhong

In an era when newsletters from vendors are almost the equivalent of spam, I am pleasantly surprised by the content of the Microsoft Security Newsletter - at least for this issue, volume 6, issue 10.

First of all, it is the right length: no chunky paragraphs, and with proper links. It is an absolute turn-off when you see something interesting and yet there are no links, or even worse, the content is restricted to certain groups. Next, related articles give interested readers the full picture of the tools and their usage. For example, BinScope is introduced in this newsletter together with a how-to article (BinScope Binary Analyzer and Security Tip of the Month: Using BinScope Binary Analyzer to Improve Code Security). In the Business Security section, Andreas Wuchner speaks out the exact thought in my mind in "What I Look for When Hiring IT Security Staff". It is a short, precise and very accurate summary of the reality of hiring IT security staff.

This is the second time in a week I have been impressed by Microsoft (the first was the Microsoft Security Development Lifecycle blog). Probably it's time to get a copy of Windows 7 ..LOL


Business Process Security - The Layer-8 of Information Security Model

Posted in /home/research, /opt/risk_management, /root/IT Management on August 14th, 2009 by Rick Zhong

I can't believe this is the first entry in my blog for the past 6 months, and we are more than half way through 2009. It has been … 'busy' … (err.. I tend not to use this word because everyone is busy and it's not really justifiable given the very diverse scales of measurement..) Anyway, I have been travelling around the Asia Pacific region, meeting people from very different cultural backgrounds, professions, ways of thinking and lifestyles. It is fun, although there is frustration, boredom and stress. That's part and parcel of life anyway.

The only thing that triggered me to sit down and write this post is the inspiration from reading a couple of articles in my backlog of ISACA Journals. In the "HelpSource Q&A" section, there is a question on how to fight phishing attacks against online banking applications. Although I have been dealing with process-level controls for the past year, the words "attacks", "applications" and "phishing" immediately trigger the technical, geeky style of problem-solving in me, and ideas such as strong two-factor authentication, SPF (Sender Policy Framework) and gateway spam filtering come straight into the picture.

However, the very first key control suggested is to have a properly defined e-mail communication policy for both sending emails to and receiving emails from customers. The advice then goes on to mention a number of very good business process improvements which take fighting spam/phishing emails into consideration. A few small changes to a business process can easily mitigate a bunch of security issues which technology alone finds difficult to tackle. It reminds me of the days when great amounts of effort and resources were spent on network-level controls in order to fight application-level security issues. Are we in the same situation nowadays, spending too much effort creating application-level or even information security process-level controls in order to tackle business process-level security issues?

I believe it's time to introduce business process security into the information security model and make it a layer-8 practice. Just like building security into the SDLC, we should build security into a business process from the very beginning. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry - probably soon we will see business process-level penetration testing, business process hardening, etc.


Confessions of an Information Security Manager ?

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on September 10th, 2008 by Rick Zhong

I just read an article, "Confessions of a Risk Manager", from economist.com. It was recommended by a featured blog post, "Risk Managers Are Just Like Security People", on securityfocus.com. The article truly and vividly describes the kind of difficulties and dilemmas encountered by a Risk Manager, which I can very much relate to information security folks in the financial sector. The situations of information security folks and risk managers are amazingly similar.

"In their (By Rick: the business people, mainly front-line traders, bankers and sales) eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told. At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always "mitigated". This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.”

Probably I should replace all the financial terms in this article with information security terms and come out with a new version titled "Confessions of an Information Security Manager".


Information Security in Outsourcing Management

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on June 30th, 2008 by Rick Zhong

Recently I visited a number of outsourcing partners in India, the Philippines and Malaysia. They provide various back-office operations and sales and marketing services for the bank. It is no secret that most Fortune 500 IT firms have operations in India; however, I didn't expect that in places such as Manila, Philippines, there is a significant presence of the world's major financial institutions' outsourced activities. It is true that most outsourcing activities were initially cost-driven, although it is debatable whether the cost saving is still significant given the rising operating costs in these emerging economies (see this). Despite the diminishing cost saving, there is still steady growth of outsourcing activities in this region. For example, Infosys - voted the best outsourcing partner - is still projecting 20% growth in 2008. Most of these off-shore service providers have successfully transformed the local workforce to be skilful, productive, disciplined and, most importantly, passionate about their work. I have seen credit card sales teams cheering together whenever they make a successful sale. Their energy level is incredible, even in the middle of zombie hours. Those are the attributes companies are seeking in a successful outsourced business partner.

While the benefits of outsourced operations are tremendous, the risk is also significant, and information security risk is very often first on the list. In most cases, an outsourced operation means handing part of your business to your outsourcing partner and providing an interface through which the partner interacts directly with your core business operations. In some cases, while you are lowering your operating cost, you are also lowering the bar for attacks on your confidential information through your outsourcing partners. There have already been quite a few cases of ID/account theft (see this) and privacy violations. Sometimes the cause of an incident may simply be cultural differences: in India, personal matters such as marital status, age and pay package are common topics in casual conversation. Measures to mitigate these risks should be implemented as part of the supplier management program.

1. Clearly define the information wall/boundary between the outsourced operation and the in-house business operation, so that need-to-know practices can be established for the outsourced partners.

2. Education, education and education - convey your information security control practices to your outsourcing partners, especially if there is a significant gap between the current practices of the two entities. One thing I noticed is that outsourcing service providers in this region do have the initiative and willingness to learn from their business partners.

3. Risk assessment and contractual obligation - risk assessment/audit should be included as part of the SLA or the general terms of the outsourcing contract. It is critical for both parties to practise due diligence to ensure information security policies, procedures and guidelines are followed and practised accordingly.

The recent release of the Internet Banking and Technology Risk Management Framework version 3.0 by the Monetary Authority of Singapore (MAS) includes a specific chapter on outsourcing management. (MAS is the central bank of Singapore and also the regulator of the financial industry in Singapore.)


Security Leadership - Communication Skills

Posted in /root/IT Management on June 21st, 2008 by Rick Zhong

Information security is critical to the financial industry and yet it is not a revenue-generating function - it is not the core business process. This complex relationship between information security and the business puts security leaders in a position requiring significant communication skills. A very good article from www.csoonline.com has a few lines which are particularly true for information security professionals in the financial industry.

  1. Sensitivity to the audience and its context is a cornerstone of excellent communication.
  2. Companies are no longer willing to forgive a lack of excellent communication skills.
  3. In short, when a company says it’s looking for a security executive, it’s seeking someone with the same business skills as any other departmental leader in the organization, who also just happens to know how to prevent, identify and thwart threats to that company and its employees.
  4. Security people tend to focus on what could go wrong and how to avoid it. This is often not only off the radar for many businesspeople, but it is often demoralizing and can tend to get tuned out. "When you just talk about bad things, and bad things don't happen, you just lose your credibility."

The full article: Security and Business - Communication 101



People, Process and Technology (Again)

Posted in /root/IT Management, /tmp/others, /var/rant on May 4th, 2008 by Rick Zhong

These three terms (let's use the short form "PPT") are very popular among InfoSec folks nowadays. They were mentioned in at least 4 of the conferences I attended last week. If my memory doesn't fail me, my first encounter with these three terms in the InfoSec arena was 5 years ago. I was attending a certified information security practitioner course conducted by a Singapore-based institute. (I was sponsored for winning an online hacking competition :D) I can still remember that the DBS internet banking fraud was used as an illustration of a vulnerability in a business process.

I guess no one will try to argue against the validity of PPT in infosec, because there are plenty of examples of failed attempts to solve infosec problems with isolated approaches. Among the conferences I attended last week, one was about Vulnerability Management, one about Enterprise Security practices, one about IT Governance and the other about Technology Innovation in Banking.

In the VM talk, the idea of a staged gap analysis from the PPT aspects is a good structured approach, besides the usual PPT-oriented vulnerability remediation. The Enterprise Security talk was not very interesting, except for the analysis of the impact of Web 2.0 (or Enterprise 2.0 - the use of Web 2.0 in an enterprise environment). The speaker in the IT Governance talk listed a few obstacles and hurdles encountered, from the PPT aspects, when pushing information security to the LOBs (Lines of Business). I liked this one very much because the speaker showed hands-on practical experience instead of just big talk, and I can actually relate my current challenges in my workplace to his examples.

I will write more about technology innovation in banking in separate posts, because this is the newest portfolio I have taken up and I am really excited about this global initiative in my workplace. Again, we can always use PPT to draft a structured approach to innovation, but where is the fun when everything is structured?


IT Governance, ITIL and ValIT - Three musketeers in IT Management World

Posted in /home/research, /opt/risk_management, /root/IT Management on April 28th, 2008 by Rick Zhong

I can't believe I am writing a post about "IT Governance", "ITIL" and "ValIT". For technical folks like me, terms like "IT governance", "Val IT" and "ITIL" were always vague, abstract and a lot of "bxxxxxxt". However, after working in a consulting environment for 2 years and now in a regional role at a huge financial institution, I have started to see the type of problems that IT Governance, ITIL and Val IT were created to address. It's impossible to cover everything about these three musketeers in a few blog posts, so I will keep this as a continuing effort to share my understanding, especially for geeks out there who face the same challenge as me.

IT Governance comes from corporate governance, and the definition by the IT Governance Institute is: "The leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives." The concept usually includes 2 parts: IT decision-making and execution. Firstly, it aims to put the right person in the right position to make the relevant IT decisions, and to establish accountability for those decisions. Secondly, it requires controls and measures to make sure each decision is properly and effectively executed, while the risk is controlled during delivery.

Based on ITGI's definition, there are 5 focus areas of IT governance: value delivery, strategic alignment, performance management, resource management and risk management. Val IT is the framework and set of best practices for achieving value creation in IT governance. Val IT is derived from Control Objectives for Information and related Technology (COBIT), so it is no surprise that Val IT is one of ISACA's "products".

ITIL (Information Technology Infrastructure Library) currently comes as v3. It is supposed to cover 5 core volumes: service strategy, service design, service transition, service operation and continual service improvement. ITIL is purely a collection of best practices. It aims to be a practice guide for IT governance implementation, but the word "Infrastructure" indicates a pretty limited scope, although I seriously doubt the accuracy of these names. Also, the volumes are only available to commercial users.

