Saturday, October 9, 2010

Information Security for Business Majors

I recently had the pleasure of guest lecturing to a group of MBA students at Grand Valley State University on the topic of Information Security. This was a fun presentation for me to put together because it challenged me to think of how to present the business value of information security in a way that's meaningful and relate-able to a wider audience not already indoctrinated with the market and regulatory constraints in which I operate. And in this case, I think I pulled it off.

So here are the slides from that presentation, minus a few that won't translate and aren't core to the presentation itself anyway. I've also included my slide notes by title below.

1. Title

What part of the car allows it to go fast? I think it’s brakes.

How fast would you drive if your car had no brakes?

Security is like brakes - it's a set of controls, only some of which are always on, that allows your company to take bigger risks with greater confidence.

Who can define what a DoS attack is?

And can anyone describe to me how the DoS handshake works? (in the book, figure 6.6, page 269)

I am sorry to inform you that you will never need to know this. Every major vendor out there fixed this bug nearly a decade ago.

That’s the nature of security – you don’t get to stop learning or adapting, because the attackers don’t stop learning and adapting.

I hope to share with you this evening things that will take a little longer to become obsolete.

2. OK, so how bad is it really?

3. Are you scared? ...or skeptical?

Gauge your response to the previous slide.

If you were scared, consider whether or not you would panic in the face of a catastrophic security event.

If you were skeptical, consider whether or not you would take a threat serious enough to be prepared.

4. The sky is always falling!

The average time for an unpatched Windows server on the Internet to be compromised is 3-6 hours.

The overwhelming majority of data breaches are caused by human error.

If you have any one of these things, hackers can monetize them.

Computers of any kind can be rented out to send spam or launch DDoS attacks.

Personal data, referred to as “dumps” are stolen and sold by the thousand on the Internet

Money in bank accounts is transferred by EFT and then wire transfer out of the country where it is laundered.

Credit card numbers are used to purchase stolen goods which are shipped overseas.

Despite all of this, consumer-based ecommerce continues to grow 15-20% annually.

If you sell to consumers, the Internet isn’t where you want to be, it’s where you HAVE to be.

5. Information Security's Business Value

Information security can be summed up as “loss avoidance”

The value proposition is that these efforts are less expensive than the consequences of not having them.

Regulation makes some parts of security the price of admission, the rest is about striking a balance between security and flexibility.

Bruce Schneier’s book, Beyond Fear.

6. How Information Security Works

Known as the CIA Triad, these are the “ilities” that security controls impact directly.

There are other “ilities





But even at its best, security is only an enabler of these things. At either extreme, security blocks them.

7. The Goals of Security

8. Policy

9. Controls

Preventive IT controls are not infallible, and covering 100% of corner cases with your controls costs too much and hamstrings your actual business.

Auditing controls are time-consuming, and usually any damage is already done by the time an audit discovers it.

Monitoring controls are typically based on sampling, which means you might miss something. More intended as a quality or health check.

10. Tools of The Trade - Preventative

11. Tools of The Trade - Auditing

12. Tools of The Trade - Monitoring

13. Risk Management (1)

14. Risk Management (2)

15. Incident Response

I like the Richard Clarke quote from your book. “If you spend as much on information security as you spend on coffee, you will be hacked, and you’ll deserve to be hacked.”

Of course, Mr. Clarke is wrong, because having a security incident is not an issue of if, but an issue of..?

Wrong. Not “when” but “how often.”

16. (graph)

17. Awareness & Consultation

Consulting on projects or with operations teams leads to better security outcomes because security is considered earlier in the process.

Raising awareness and then inviting people to share concerns is a great way to organically scale your visibility to issues.

By being proactive and meeting colleagues where they are, you gain goodwill for your security efforts. This is a key piece of a successful security program. Strong-arm tactics are a guaranteed path to failure. Without goodwill and trust, the security practice in your company quickly becomes an obstacle for people to bypass in order to get their jobs done. This is how you lose your job.

18. How IT Security Fails

19. (image)

20. (image)

21. (image)

22. You say "potato," I say "No."

23. Communication

24. Why Buying Security Fails

Buying and integrating security technology only works some of the time, and that time is not right now.

Information security is an arms race.

Technology is both the weaponry and the battlefield.

Security is not a problem that can be solved.

Security is a practice that must be maintained with people and process.

25. Discussion