InfoSec In The Supply Chain

Andrew Rose

The importance of data security throughout the supply chain is something we have all considered, but Greg Schaffer, acting deputy undersecretary of the Homeland Security Department of the National Protection and Programs directorate at the Department of Homeland Security, recently acknowledged finding instances where vulnerabilities and backdoors have been deliberately placed into hardware and software. This is not a risk that hasn’t been previously pondered as, in 1995, we watched Sandra Bullock star in ‘The Net," and address this very issue. However the startling realism of Mr. Schaffer’s admission means that it can no longer be categorized as a "hollywood hacking" or a future risk.

The potential impact of such backdoors here is terrifying and it is easy to imagine crucial response systems being remotely disabled at critical points in the name of financial or political advantage.

If we are dedicated to the security of our data, we must consider how to transform our due diligence process for any new product or service. How much trust can we put in any technology solution where many of the components originate from lowest cost providers situated in territories recognized to have an interest in overseas corporate secrets? We stand a chance of finding a keylogger when it’s inserted as malware, but if it’s built into the chipset on your laptop, that’s an entirely different challenge… Do we, as a security community, react to this and change our behavior now? Or do we wait until the risk becomes more apparent and widely documented? Even then, how do we counter this threat without blowing our whole annual budget on penetration testing for every tiny component and sub-routine? Where is the pragmatic line here?

Read more

RSA Breach: Two-Factor Authentication Is Not Dead But Is Morphing And Getting More Granular

Andras Cser

Many IT end-user companies deployed hard tokens at a time when intermediate-risk choices were thinner on the ground, and some of these companies would have benefited from a more granular approach anyway. In general, we are seeing companies moving towards risk-based authentication augmented by mobile soft tokens (sometimes called from a mobile application through an API). These software-only solutions are easier and cheaper to deploy, particularly if the target population is on smartphones, and a lot easier to patch in case of an attack. Interestingly, risk-based authentication is now asked about not only in the B2C context (which was a norm about a year ago), but also in the B2E context as well. Right now, end-user companies are thinking about:

  1. How they can ditch hardware tokens altogether; and
  2. How can they can move risk-based authentication, and increasingly authorization (fraud management), into the cloud.

The Power Of Data Analysis - "Spamalytics"

Edward Ferrara

Some of you may have seen the article in the New York Times by John Markoff (endnote1) announcing a paper to be presented at last week’s IEEE conference. This paper is an update to research conducted by a team at the International Computer Science Institute in Berkeley, California. The institute is associated with the University of California, San Diego and the University of California, Berkeley. A paper published by the team in 2008 Spamalytics: An Empirical Analysis of Spam Marketing Conversion outlines interesting research in the area the research team has coined as “spamalytics.”

The paper describes a methodology to understand the architecture of a spam campaign and how a spam message converts into a financial transaction. The team looks at the “conversion rate” or the probability an unsolicited email will create a sale. The team uses a parasitic infiltration of an existing botnet infrastructure to analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing online pharmaceuticals. The team looked at nearly a half billion spam emails to identify:

  • the number of spam emails successfully delivered
  • the number of spam emails successfully delivered through popular anti-spam filters
  • the number of spam emails that elicit user visits to the advertised sites
  • the number of “sales” and “infections” produced
Read more

More On Metrics...

Edward Ferrara

At Forrester, we place a great deal of emphasis on relevance and what it means when researching a topic.  For the busy executive, it's sometimes difficult to wade through deep lists of operational security metrics and really understand how relevant the information is to the mission of the business.  Further to the problem is the need to understand what your metrics say about the security posture of your organization and the health of the business overall.

The draft title of the report I'm currently working on is Information Security Metrics – Present Information That Actually Matters To The Business. In the paper, I plan to focus on the key factors that make security metrics relevant.  The idea here is that if people start checking their BlackBerrys and iPhones while you're presenting your report, it's probably time for some new metrics.

Success is the ability to educate positively the C-Level suite in your organization and demonstrate the value you and your information security program provide.  

Categories:

Information Security Metrics & The Balanced Scorecard

Edward Ferrara

I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas.  For those of you who want more information on the Forum please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean and I will present an approach for using the Balanced Scorecard to present security metrics for senior level audiences. For those of you who are not familiar to the Balanced Scorecard, it was originated by Robert Kaplan currently of the Harvard Business School and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance[1].  This tool can be used to:

  • Align business activities to the vision and strategy of the organization
  • Improve internal and external communications
  • Monitor organization performance against strategic goals
Read more

Your Vertical Is . . .

John Kindervag

Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance — what defines you is your data and how you handle it.

When advising Forrester clients on InfoSec, the first question I ask is, “what compliance mandates are you under?” Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. For example, I often say that, “PCI is the world’s largest vertical market.” It is a single global standard that affects more companies than not. You may think you are a hotel and your vertical is hospitality, but if you handle credit cards your real vertical — from a data perspective — is PCI.

Data defines markets. Look at your data, your transactions, and your process, and map them to your compliance initiatives. That will determine your digital — not analog — vertical. Using this measure, you can determine your security baseline and compare yourself to companies who must handle data in the same manner as you to help guide your security decisions.

Categories:

A Few Thoughts On Communicating Risk

Chris McClean

In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.

This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.

In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking goverannce and risk and establishing good vendor risk management practices. I hope to see you there. 

Categories:

Enterprise Information Security Architecture

Edward Ferrara

I always have been interested in Enterprise Architecture.  Enterprise Architecture is one of those terms that security professionals hear about but do not always know how it can benefit what they do. Recently a client asked Forrester to review their information security enterprise architecture. I was both excited and pleased to do so.  One of my accomplishments is I hold a patent in software engineering for the traceability in software systems, supporting business  and IT alignment. Several colleagues and I developed an approach to use different types of models, both business and technical, to model the enterprise.  The Object Management Group at about the same time championed the notion of "Model Driven Architecture."  The premise of theses ideas is that the enterprise can be modeled and the relationships between business processes and underlying systems identifed.

Information security, focused at people, process and technology can leverage many of the techniques of the enterprise architect to evolve the security posture of the organization from its current state to a more optimized state over time.  This presents interesting opportunities for security professionals to look at their security processes and tools to determine if they are really meeting the needs of their organization.

Add to the discussion. I would like to know your thoughts on this topic.  I will be posting more over the next several weeks.

Join me at: Forrester's IT Forum 2011

Accelerate At The Intersection Of Business And Technology
North America: May 25-27, Las Vegas
EMEA: June 8-10, Barcelona 

Information Security Metrics

Edward Ferrara

Forrester receives a significant number of inquiries from clients requesting Forrester guidance on Information Security Metrics.  Chief Information Security Officers (CISOs) need new types of metrics to address economic, legal, regulatory, human resource, communication as well as traditional IT information security concerns. Security metrics must evolve to show the information security effort provides quality, efficiency, and a correlation to cost reduction and profit improvement. CISO’s need new methods for demonstrating the value they and their programs create.  Over the course of the next several months I will be working with our clients to provide additional guidance and insight into this important topic. Look for additional research from Forrester in a new information security metrics research paper series.  As these papers develop I will comment on their development as well as important issues that surface as a result.

Best,

Ed

RSA’s Acquisition Of NetWitness Validates Forrester’s NAV Concept

John Kindervag

Today EMC’s security division RSA announced the acquisition of NAV (Network Analysis and Visibility) vendor NetWitness. Some pundits have suggested that this is a direct result of the recent breach of RSA, but Forrester has been aware that this acquisition was in the works long before the breach was known. In fact, the public announcement of the acquisition was delayed by the breach notification. It is fortuitous timing, however, as the RSA attack shows the need for improved situational awareness.

Read more