Archives For Risk Assessment

What’s The One Big Issue Behind Almost Every Hack?

Hint: Most Risk Assessments Ignore It!

One question I always ask on our final coaching call (in The Security Sales Mastery Program)…
“What is your client’s number one security mistake?” Answers vary…
Is it… 
  • Poorly configured or managed firewalls,
  • Untested backup systems,
  • Improper network segmentation
All are important, but none are right, said Security Expert Thomas L. Norman (author of several security/risk analysis books and a recognized industry speaker).
In a recent interview, I asked Tom what he believes is corporate’s biggest mistake…
“Easy!” says Norman, “It’s a lack of user awareness training. Training is always treated as an afterthought, and a waste of time in the mind of employees.”
He went on to explain that every security issue is rooted in a mistake made by an end-user, who just didn’t understand security.
In many cases the mistakes are made by hard-working end users doing their job, looking to be helpful and efficient, but out of touch with the surrounding threats.

Experts Without Experience, Opening the Doors To Destruction

Imagine going in for heart surgery. Your surgeon – an expert on IT and certified with his CISSP.
He’s earned his masters in computer science (with a specialty in data security), has designed networks, written books, and even designed his own operating system.
But this is heart surgery!
So while he is able to access everything he needs online, including the patient’s medical history, YouTube videos on how to perform the surgery, and perhaps even hacked into a paid channel online to observe an actual surgery, he has zero credentials when it comes to medicine and surgery. Are you going to let him proceed?
Now turn this scenario around. The doctor knows everything there is to know about heart disease and protocol. He’s performed hundreds of successful surgeries.  Yet, this degreed professional has zero IT experience. He’s used computers, but he has no idea how they work, where patient protected data is stored, or how that data can be used to harm him, the organization, or his patients.
The truth is, there are millions of professionals around you doing all kinds of specialty work.  They’re calculating taxes, auditing, designing bridges and buildings (earthquake proof and more), building airplanes and space ships, and performing intricate surgeries.
None of these professionals took on these complex projects without significant training and certifications.
Yet, every one of them is given access to the one device that (if used improperly) has the power to destroy an entire company.
Computers are the heartbeat of your prospect’s business, as well as the central nervous system of government, education, healthcare, and transportation (all critical infrastructure). One wrong move could bring lawsuits, expose data to the competition, threaten the stability of your country’s economy, the military, and just about everything that matters – including life itself.

Stupid Things Smart People Do

My first IT job was a CO-OP position at Johnson & Johnson (McNeil Pharmaceuticals). I’ll never forget the day one coworker deleted our entire poison control system (highly sensitive data used in drug trials for government approval)!!!!
We were working on DOS back in those days (Windows’ predecessor), a command-line driven operating system. Just one missing parameter in his command line ended up deleting everything. Keep in mind, we didn’t have a trash can on the desktop like you do in Windows. Lucky for him, we did have a backup. Still, it was a major ordeal. We had to restore from floppy disks – a painfully slow and risky process.
Smart people do stupid things on computers all the time. Not because they’re stupid. They just don’t know any better. Imagine how many mistakes you or I might make while performing major surgery using an instructive YouTube video!!!
On any given day,…
Messages pop up saying your computer’s infected, call this number (a simple ruse used to take over one’s computer by phone).
Perhaps you are at home, working on a late night project with an approaching deadline. What will you do? What would the average office worker do?
Another user receives an email from the bank requesting updated information, or a wire transfer request to a known supplier (with updated account numbers). What will they do? Will they check with someone first, or just move the money so they can be back on task?
How many people have been duped on Facebook to friend innocent or attractive looking people, only to be lured into giving up confidential information?
It’s been shown time after time, people trust people, even when they’ve only met online.  Office workers are busy. They don’t have time to check with IT every time an email comes in or a website looks different.
Do these knowledge workers ever leave mobile devices unprotected and unattended at Starbucks? Do they have personal data on their phones when they list them on eBay? Do they click on sites that have invalid security certificates, or click on links emailed by people they don’t recognize?
Do they download apps with little thought of malware, or work from home on unprotected systems and unencrypted networks?
Yes!
These are all common end-user habits. People are busy, and without some serious training, they won’t spot the clever ruse that comes through the firm’s various levels of security and insecurity.

The Only Reason to Measure Risk…Or You’re Wasting Your Time

The purpose of an assessment was explained in an article I wrote earlier this year – the bottom line is, Assessments should be performed to expose weaknesses, measure risk, and move the company toward remediation (the long tail of security assessments). If your assessments fail to do these three things, you’ve wasted your time.
So, while the misconfigurations (so often found in network devices and servers) are important, understanding the risk (Impact vs. Likelihood) of a user’s mistakes is more important.
Looking at risk, what is the impact of an enduser acting on email infected with spyware or ransomware? It’s extremely high!
How likely are they to act on it by clicking? Again, extremely high.
When the impact and likelihood are both high, the company has a major problem; one that must be addressed.
Take this same concept home or on the road. How likely are end-users (executives, sales people, office workers) to give into just about any social engineering effort – Phishing, infected websites, a fake support call,…? Higher than you can imagine.
You should expect that your client’s office workers are making mistakes every day.
Expect them to be downloading untested apps, letting their kids trade pirated music and videos, accessing high-risk sites such as gaming and porn, and more…
The average teen is probably friending all kinds of predators, disguised and prepared to steal and destroy. Employees regularly email confidential data, store data on personal devices, and use insecure home networks to conduct business. The end-user is the new firewall, and they’re failing.
After all, none of these workers have ever really been trained.
And if they have (through some ill designed, one-off training program) chances are they didn’t really pay attention. The training was probably boring, overly technical, and ineffective.
In the case your prospect company did bring in someone entertaining, or use one of the few attention-grabbing programs out there, everything they learned was out of date (or forgotten) within a month.
Remember, hackers are creative, stealthy, and always one step ahead of the good guys. Training needs to be a high priority and frequently updated/repeated.

What’s At Stake? Your Prospect’s Most Valuable Assets

Looking at your client’s most important assets, it used to be the people. No longer.
Data is the most important asset. Everything your client does is digital. The money, the R&D, the customer lists, the strategies and processes; everything.
There are three areas to consider: confidentiality, integrity, and availability.
Anything that would expose confidential data, affect the integrity of the business’s information, or reduce the reliability or performance of the company’s computer systems is at risk.
When building the impact vs. likelihood graph, (Find out more in my book, The House & The Cloud)  your first consideration is assets. Which applications and what data represent the greatest negative impact to the business, if made unavailable, corrupted, or exposed (to other governments or organizations, hackers, or the competition)?
What’s at stake? Loss of shareholder value and customer confidence, competitive advantage, operational efficiencies, quality, and perhaps fines or lawsuits for non-compliance.  The cost of any breach, according to Thomas Norman, is about 20X the cost of remediating that one threat!
So when a company refuses to secure something, in order to save $100,000, they can expect to spend about $2 Million on recovery when a “Boom” (the industry term for disaster) occurs.
Second, consider the likelihood. The client needs a metric to understand their risk – and it can’t be three colors. The RED, YELLOW, GREEN system is overused, and of little value. CFOs don’t approve large security budgets just because your report has a RED light on it.

Correcting The Course – How to Include People In Your Assessment

Security awareness training, like policy (the other root cause of security disasters according to Norman), should be a primary consideration when assessing risk. If the user/operator of a mission critical system is highly likely to cause disaster (through ignorance or an act of vengeance) it should be noted in the findings.
A few things to consider in your next assessment:
Make Time For People Interviews. 
There’s no point in scanning networks and looking for patches and open ports if you’re not going to assess risk. The chances of that company actually taking action on your remediation steps are nearly zero.  Build interviews into your assessment process, both with executives and end-users.
On the executive side, you need to know what they believe are their most mission critical systems. You’ll want to know what data matters, what applications are core to the business, and how much risk can be tolerated.
Find out who would want certain data, or what impact a down system would have on the profits and customers, for any given length of time.
Remember, IT can’t answer these questions. There are too many variables. Pending lawsuits, product announcements, M&A activities, and the competitive landscape all play a role in data asset value – it’s a moving target.
Once you know what really matters, it’s time to talk to their end-users. You want to understand their workflow; how and when data is created, used, transmitted, and stored. How about data disposal?
You also want to know how much these knowledge workers know about security. Is email encryption just an option on their email application, or are workers forced to comply with corporate security policies?
Do employees use personal devices, and do they understand how these handy devices are compromised, or what happens to data when they sell their iPhone or tablet online?
A security quiz issued to a sample population would be perfect (I’ve never seen this done – but it makes sense. A quiz would certainly set you apart from your competition).
There’s a lot more to cover when discussing risk assessment process. However, these ideas concerning end-users awareness, and likelihood of enabling a disaster, are a great place to begin.
Copyright 2017, David Stelzl

One Thing to Look For In Your Next Security Assessment…

If You Want To Convert To Projects & Managed Services

Are you assessing your client’s data security? More importantly, is your assessment turning up urgent issues? A week or so ago I posted on finding urgent issues – the bot is your client’s number one enemy. Do you know what you’re looking for?

We’ve become lazy. Too many security assessments depend on scanners to find open ports and missing patches. But as I mentioned in a recent post, missing patches are not urgent. However they may be one of the reasons your client has bots on their network.  But if you can’t come up with any bot activity, it’s kind of hard to get the client to see why the patches are so important.


So Exactly What Are We Looking For? How Do You Find A Bot?

In the House & Cloud book I recommend using a pro-bono assessment to build justification. If the company you’re calling on sees value in you, there may be an opportunity to actually do some business. If not, you can’t expect them to just sign up and try you.  The assessment is the perfect service to both build justification and rapport.  But you had better find something urgent if you’re going to unseat the competition.  The Bot is your answer.

This is especially true in the small and midsize businesses. They lack the sophisticated security technologies needed to detect and stop the installation of botware on their computers. So chances are, if you look, you’ll find it.  So what is a bot?  It’s software, from an unauthorized user, used to gain access to your client’s computers. It comes in through email and infected websites, or downloads.

Your job in a pro-bono assessment is simply to find evidence of bots (or something else that is just as urgent). Don’t worry about over-analyzing what they are and where they came from. If they exist, it means botware can get in, and the company is not properly detecting and stopping it. Your job is not to prove an imminent disaster. Bots are bad, even if they are dormant when you find them.

Bot Symptoms – Like Burglars, They Make Noise

When a bot hits a computer, that computer becomes a zombie. The bot software is installed and begins to execute its function on that system – a set of instructions to do something. That “something” is often detectable! While no one can physically stop all bots, early detection and response is the key to minimizing the impact. Some of these symptoms include:

  • PCs begin communicating with known Command and Control Servers (C&C). “In the traditional botnet, which includes a C&C server, the bots are typically infected with a Trojan horse and subsequently communicate with a central server using IRC. The botnet might be used to gather information such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to start sending spam or begin a DDoS (distributed denial of service) attack,” – WhatIs.Com
  • IRC stands for Internet Relay Chat. While there may be some good uses for this type of traffic, chances are your SMB client is not purposely using this method of communication. So if IRC traffic is detected, you should assume there is something wrong.  Further investigation may be needed, but it would be out of scope – so report it as being “highly likely” symptomatic of malware.
  • There may also be DNS requests coming from these systems in an effort to spoof…or there may just be reports of slow computers that are bogged down by running these background processes.  Of course, this may just be a cluttered Windows Computer in need of repair.

How Do You Detect A Bot?

Most of the assessments I review never mention botware or zombies. They only talk about patches and ports. The scans they are using have little or no information that the client will find interesting.

While it is possible to run some detection tools on each PC,”polymorphic viruses” have pretty much defeated traditional AV technology. Your client may need some education on this before moving ahead.

The alternative is to look at the network. As we mentioned, IRC traffic is probably not authorized traffic. So that’s the first thing I would look for. While it is possible to use a packet sniffer here, network switches make this more difficult – basically you would be looking for unencrypted keywords sent on IRC channels. IRC runs on port 6667 by default, but the entire port range (6660-6669 and 7000) must be checked.

If you have the ability to access firewall logging, mass mailing can be detected over SMTP from a central location. This is often a sign of botware being used to send spam. Is spam urgent? Yes! It’s illegal in and of itself. But chances are it contains something worse such as illegal pharmacy marketing or worse, child pornography. Make sure your client understands what would happen if they were suspected of distributing either one. For one, their family would be ruined long before they could prove their innocence.

If endpoints on the network are simultaneously hitting a single external site, that can also be a sign. This would be true if the C&C had instructed these bots to launch a distributed denial of service attack (DDoS).

Note: Don’t bother checking server and email logs for this type of activity. Bots don’t go through the normal channels of communication and will not show up in your client’s log files.
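The three network-side symptoms above (connections into the IRC port range, SMTP fan-out from a host that is not the mail relay, and many internal hosts hitting one external site at once) as a small triage script over firewall log lines. This is an added example, not tooling from the post; the log format, the sample lines and the authorised mail relay address 10.0.0.5 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in an assumed "ts src:port -> dst:port proto" format;
# real firewalls differ, so LINE_RE is the part to adapt.
SAMPLE_LOG = """\
2015-03-02T09:00:01 10.0.0.12:51000 -> 198.51.100.7:6667 tcp
2015-03-02T09:00:02 10.0.0.12:51001 -> 198.51.100.7:6667 tcp
2015-03-02T09:00:02 10.0.0.45:51300 -> 198.51.100.8:7000 tcp
2015-03-02T09:00:03 10.0.0.5:51100 -> 192.0.2.10:25 tcp
2015-03-02T09:00:04 10.0.0.31:52000 -> 192.0.2.20:25 tcp
2015-03-02T09:00:04 10.0.0.31:52001 -> 192.0.2.21:25 tcp
2015-03-02T09:00:04 10.0.0.31:52002 -> 192.0.2.22:25 tcp
2015-03-02T09:00:05 10.0.0.31:52003 -> 192.0.2.23:25 tcp
2015-03-02T09:00:06 10.0.0.20:53000 -> 203.0.113.50:80 tcp
2015-03-02T09:00:06 10.0.0.21:53001 -> 203.0.113.50:80 tcp
2015-03-02T09:00:07 10.0.0.22:53002 -> 203.0.113.50:80 tcp
2015-03-02T09:00:07 10.0.0.23:53003 -> 203.0.113.50:80 tcp
2015-03-02T09:00:08 10.0.0.24:53004 -> 203.0.113.50:80 tcp
2015-03-02T09:00:09 10.0.0.60:53100 -> 203.0.113.9:443 tcp
2015-03-02T09:30:00 10.0.0.61:53200 -> 203.0.113.50:80 tcp
"""
LINE_RE = re.compile(r"^(\S+) ([\d.]+):\d+ -> ([\d.]+):(\d+) \w+$")
IRC_PORTS = set(range(6660, 6670)) | {7000}  # the port range the text says to check
MAIL_SERVERS = {"10.0.0.5"}                  # assumed authorised relay (constructed)

def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport); skip lines that don't fit."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events

def irc_suspects(events):
    """Internal hosts talking to the IRC port range, one entry per (src, dst, port)."""
    return sorted({(s, d, p) for _, s, d, p in events if p in IRC_PORTS})

def smtp_fanout(events, min_targets=4):
    """Hosts other than the authorised relay opening SMTP to many distinct servers."""
    targets = defaultdict(set)
    for _, s, d, p in events:
        if p == 25 and s not in MAIL_SERVERS:
            targets[s].add(d)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def fan_in(events, min_hosts=4, window=timedelta(seconds=10)):
    """External destinations hit by many distinct internal hosts inside one window."""
    by_dst = defaultdict(list)
    for ts, s, d, _ in events:
        by_dst[d].append((ts, s))
    hits = {}
    for d, seen in by_dst.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {s for t, s in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[d] = max(hits.get(d, 0), len(hosts))
    return hits

def triage(log_text=SAMPLE_LOG):
    ev = parse(log_text)
    return {"irc": irc_suspects(ev), "smtp_fanout": smtp_fanout(ev), "fan_in": fan_in(ev)}

if __name__ == "__main__":
    for finding, detail in triage().items():
        print(finding, detail)
```

Each hit is a symptom to report as “highly likely” malware activity for follow-up, not proof; the thresholds are starting points to tune against the client’s normal traffic.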

This May Sound Technical But It’s Not

In most cases you have someone technical working with you, if you yourself are not that technical. If you’re in sales and you don’t really understand the urgencies listed on the deliverable, neither will your client.

There are a few terms here that border on bits and bytes, but with a few Google searches you should be able to nail down these terms and be able to communicate them in simple language to your client.

There’s an enormous amount of business waiting on the other side of this blog post. Learn these few concepts, locate the urgent issues in your next assessment, and be able to share the results (business impact) with your prospect. The rest is easy.

…quod erat demonstrandum

Copyright 2015, David Stelzl


One of my clients in Tampa just completed a very successful marketing event…in fact, 90% of the CIOs who attended this lunch meeting signed up to have their data center infrastructure assessed. How did they do it?

In this case they had a former CIO do the speaking. Understanding the pressures on the CIO role is critical – things are rapidly changing for IT leadership. Every day the CIO Journal (you are reading this, right?) is reporting on trends that are forcing CIOs to become business-level participants. Rather than focusing on five nines uptime and the next major OS upgrade, the new CIO has to be thinking, “How does my company become the next Amazon.com?”

At the end of their presentation they offered a complimentary assessment. It’s important to note that this assessment is not really free – it’s complimentary. In other words, it has value and is worth paying for. But as I explained to a senior VP of sales the other day, the trade-off may be months of courting a new company. Which is cheaper, two or three days of intense assessment work, or 3 to 6 months of lunches and golf outings? They quickly agreed, the assessment makes sense.

You can find out more on how to put together an event like this – my new guide to Event Marketing is available right here in an ebook format (CLICK).

© 2013, David Stelzl

Join me on June 8th at noon EST – Leveraging the Discovery Process to gain access to decision makers (CLICK to SIGN UP).  I will be building on material presented over the past several months, but you can always go back and review sessions you might have missed.  In this one hour session I will be covering important concepts such as:

1. Types of questions to ask asset owners and executive managers

2. How to avoid getting demoted to IT in the discovery process

3. When and how to engage the IT group in this process

4. What to do with data collected in both

5. How to deliver your findings

6. How to present your findings and recommendations

7. How to turn this process into fee based business and product sales

Don’t miss this!  It’s funded by Cisco and costs you nothing but time…sign up here (CLICK)

© 2011, David Stelzl

The fastest way to inculcate the concepts from our Making Money with Security Class is to try it. Last week I had the opportunity to interact with one person attending the 3-day virtual class currently in process…

He writes, “I thought I would try to apply some of the nuggets I have learned this week, in a meeting I had earlier this morning.  It went really well!  I met with a CISO and we discussed assets and started applying the likelihood vs. impact philosophy.  As I was doing this, my customer said the biggest problem he has is understanding likelihood.”

…This is predictable.  As I stated in last Thursday’s session, everyone seems to focus on the impact side of the security equation, but CISO’s and asset owners are already well aware of this, and continue to hear the same ROI and Insurance sales pitches almost daily from your competition.  By taking the “Likelihood” approach, a new discussion evolves.

He continues with a great question, “Based on this approach, is determining likelihood done through risk assessment or are there more dimensions to consider?”

If you’re in the class, you know we have one more session to cover, and this is where we will address this in detail, …but, this is the right question to be asking…how do we move this conversation forward to create business?  Here is a portion of my reply:

“…it means starting with executives rather than IT, and interviewing them to understand the assets; how they’re used, who uses them, who can’t use them…etc. Then, armed with a complete understanding of the data (the assets), the technical side of the assessment should be used to discover how the necessary security is being achieved, or how to reduce the likelihood to an acceptable level of risk. The ‘Impact vs. likelihood’ graph from my book, The House & the Cloud, becomes our primary deliverable, backed by data from the assessment.”

His final comment: “Application to real world is the best way to learn… I personally missed focusing on the asset and pitched it more towards the vulnerability discovery. The asset that has the vulnerability determines the impact and the level of the vulnerability determines the likelihood. Starting to add up.”

This is exactly right and leads to the justification this sales person needs to create new business.

© 2011, David Stelzl

Why do Assessments?

November 1, 2010 — Leave a comment

Almost every reseller does assessments, and now, many manufacturers are not only doing them, but equipping their reseller community through partner program trainings, and portals, and the creation of assessment tools.  Why?  If you don’t understand the core reasons for doing an assessment, chances are you are wasting your time.


© 2010, David Stelzl

Why do so many Vulnerability tests fail to produce remediation business?

1. If the test is done for IT, you won’t have visibility into the executive ranks

2. If the process doesn’t involve the executive team they won’t care much about the results

3. The report is too technical

4. The report uses jargon that disguises the problem and its urgency

5. The provider appears to be more focused on analytics than urgent issues

E.g. If I come to you and say, this is the problem, I’ll put together some options and pricing and get back to you next week, do you feel like the issues are urgent? What if your plumber did that after discovering a leaking pipe in your wall? You’d fire them! (But only because you know that is urgent.)

© 2010, David Stelzl
