Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 2)

Part 1 introduced the concept of transforming a paper “security contact” into a security liaison for your organization.  

My experience working with organizations is that while most have a security contact attached to an asset or functional area, many of the designated contacts, when asked, are surprised to learn of their role.  This is a sure indication of checkbox compliance and missed opportunity.

Creating a security liaison program is an exercise in taking a latent asset tied to a compliance objective and activating it so that the liaison becomes an active participant in the overall security of the organization.

How can this be accomplished?

  • Policy – Authorize the security liaison program by writing it into your overall security policy.  Define the role and overall responsibilities of the liaison.  I’ve found that the liaison program tends to map closely to the security steering committee so placing this section immediately following the steering committee makes sense.
  • Process  –  Make it real.  Make it auditable.  Meet regularly with your security liaisons and document much as you would for the security committee.  A functioning security liaison program can be used as a control at audit time to show the maturity of security within your organization.  
  • Empower/Enable – Assign real responsibilities.  Enable your security liaisons to participate in your risk management program and other key areas.  Empower them to drive improvements to the security of the organization by encouraging them to ask hard questions that may not have easy answers.  Empower your liaisons by allowing them to communicate/report issues and progress to the security committee/leadership.

Final Comments

The overall goals of any security program are to reduce risk and increase security.  Adding security liaisons can be a key component of your overall security strategy.  A group created with zero additional headcount, authorized by policy and doing your security bidding?  It is only a dream if you don’t act.


Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 1)

The problem is well rooted and endemic.  Security organizations and their leaders are overwhelmed, understaffed and facing an unprecedented volume of new threats both inside and outside their organizations.  A natural human reaction to such conditions is to retreat, become reactive, siloed and isolated.  Effective security leadership requires we counteract these conditions by finding solutions in spite of organizational (and personal) limitations.

Enter the “Security Liaison”.  Initially the security liaison can be viewed as nothing more than a “security contact” for an organizational unit, project or application: a designated individual who can be contacted in the event an incident or other security-related issue arises.  Nothing interesting or compelling at this stage, innocuous and innocent, right?

Instead of being the end of the story, though, consider it only the tip of a land-and-expand policy. This is where it starts to get fun.  Ever wanted to use “scope creep” to your advantage (for once)?

Stay tuned.  Part 2 introduces techniques and tactics to transform the security liaison from a passive “contact” to an active participant in your security efforts. 

A CISO’s Minefield – Dysfunction on the Board

I tweeted the other day in response to a blog post I read, part of what seems to be an upward trend of information intended to help CISOs disseminate information to their boards of directors.
Good actionable information for sure, but I feel the need to push the envelope a little and provide some unvarnished and unsolicited observations about boards.

Board members are silos to themselves – My experience has been that board members are generally smart, successful independent types.  They are often wonderful resources for asking entrepreneurial questions and generally worth getting to know better, even if only to further your agenda.  Rule of thumb: They generally like to talk about themselves, so let ’em…

In many cases these individuals are highly competitive and often do not like other board members.  Rule of thumb: Boards are often AT LEAST as dysfunctional as the organizations they govern.

Some board members do not understand the business – Many times, especially within smaller companies, board members will be family members who have no clue what the business actually produces, let alone how it operates.  If they do talk to the CISO they may ask what kind of gun they carry.  “You are security, right?”

Don’t spend much time on these folks. Rule of thumb: Focus efforts on board members that can actually spell vulnerability.

Understand the CISO’s place –  There might as well be a sucking sound that accompanies any CISO’s entrance to the boardroom.  That sucking sound is the board’s top line revenue being sucked dry.  Let’s be real. The board only cares about security insofar as it relates to the income statement, balance sheet or cash flow. Speaking to them on any other terms is wasting oxygen.  Rule of thumb: To be a successful CISO you must relish being a cost center. Success is defined by sucking less…

The bottom line is that success in the boardroom is the same as success in life.  Observation, seeking to understand, developing relationships, being strategically humble for tactical gain are all key.

Stuart Clark
Hacking Cars and Human Drivers Sucking

I spent most of the last week at Black Hat/Defcon/BSides Las Vegas contemplating a future filled with Internet enabled vehicles, infrastructure and hackers with ill intent.  The lead up to Black Hat 2015 again provided fodder for the mass media as researchers on their path to fame rolled out more than a couple of high-profile hacks against different automakers:
Jeep

While it is concerning that these types of vulnerabilities exist, I would argue that a world of vulnerable smart vehicles is far safer than continuing to allow humans to drive unassisted.

Over 30,000 Americans die annually on our roads, the vast majority of these attributable to human error.  Face it, we suck at driving.

Obviously my “bury the head in the sand” approach to making vehicles less vulnerable is not a strategy that even I would endorse over the long-term.

Good thing there are folks like “I Am The Cavalry”.  This org, with probably the best name ever, has produced the Five Star Automotive Cyber Safety Framework (PDF) and is spearheading a grass-roots campaign to encourage automakers to engage in a collaborative approach to finding solutions to their security problems.

While I remain optimistic that this effort has at least a snowball’s chance in hell of gaining traction, I am concerned that the silos that exist across manufacturers will not allow for a collaborative approach to solving this particular security challenge.

I hope to be proven wrong.

What can I do to help after a disaster? CERT may be for you.

The recent floods that devastated the Central Texas community of Wimberley in May left many asking themselves this question.  Becoming a CERT (Community Emergency Response Team) member will help prepare you and your family for a disaster and provide basic disaster training to assist others in the community.
CERT is coordinated by FEMA but led locally.  As of this writing there are over 2200 CERT teams nationwide.  You must be at least 18 years of age; however, local coordinators have the discretion to allow those under 18 to participate.

I joined Austin CERT in 2011 by attending evening courses over a period of several weeks.  The training was held in the Austin/Travis County EOC which for a technology geek like me was worth the time investment alone.  The training class itself was about 35 strong and a diverse mix of young and old alike.  The training was interesting and engaging even for a seasoned first responder like myself.  For reference the current Austin CERT course description is here.

Working in law enforcement as both police officer and dispatcher offered me ample opportunities to help people who were utterly unprepared, oblivious or even obstinate and hostile.  An informed and educated public is the greatest asset to both the first responder and themselves in times of disaster. Preparation prevents panic.

A photo taken during a 2011 Austin CERT Disaster Training Exercise

Culture Clash – Digital Forensics and Infosec

This week I will be traveling out to Las Vegas to attend the Computer and Enterprise Investigations Conference (CEIC), the largest digital investigations and forensics conference in the world.  A few short years ago this may have seemed an odd destination for a CISO of a cloud service provider, but this is precisely why I am excited to attend.

There is a very interesting convergence taking place that I will be exploring.  This convergence is the integration of digital forensics tools into the mainstream enterprise, but more interestingly the network/cloud.  Forensic tools, techniques and tactics show great promise when used in conjunction with existing security tools to reduce the time from breach to discovery, assist in remediation and ultimately reduce the entire incident response life-cycle.  At least this is the kool-aid that companies like Guidance Software (owns CEIC) and AccessData would have us drink.  This is a developing market segment with software that needs several iterations of development and integration before its full potential can begin to be realized.  

Maturation of the software may not be the greatest challenge, however.  There is a larger cultural clash to be considered.  Traditional forensics software is heavily rooted in law enforcement investigatory procedures, rules of evidence and other legal benchmarks. This world is largely foreign to the network administrators and other information security experts who are battling on the front lines to protect their organizations from breach.  I have often argued that the best approach to solving many IT/security related problems is with an investigatory mindset.  Think like a detective, in other words.  The intersection and integration of digital forensics into the network culture will certainly help bring this transformation over the next few years.

Certified Cloud Security Professional Certification (CCSP)

The Certified Cloud Security Professional Certification (CCSP) was announced by ISC2 in conjunction with the Cloud Security Alliance (CSA) this morning.  I have included both the exam outline and brochure for easy reference at the bottom of this article.
The new exam includes six domains and requires 5 years of IT experience, of which 3 years must be in information security. Interestingly, the CSA’s existing CCSK certification (Certificate of Cloud Security Knowledge) can be substituted for one year of information security experience.  This protects the CSA’s investment in what to this point has been the only other relevant certification available since the advent of the “cloud”.  The CCSK certification is now clearly positioned as entry level and accessible to everyone at nearly any skill level.

In line with this announcement was the release of the Frost & Sullivan (ISC)² Global Information Security Workforce Study 2015.

A quick search of the document returns 29 references to “cloud” which I will explore more in an upcoming article.

CCSP Exam Outline
CCSP Brochure

Digital Forensics Resource List

Good Morning. I’ve published a list of digital forensic resources, primarily for those in law enforcement interested in extending their knowledge and skills.  My personal observation, being both technologist and cop, is that traditional law enforcement investigative knowledge translates well to incident response and digital forensics in particular, especially when combined with aptitude and a desire to be constantly learning.
HTCIA Austin Chapter
Open Source/Free Forensic Tools
Commercial Tools
Digital Forensic Certifications
Texas Law Enforcement Forensics Training

Buy a Lottery Ticket Lately? – Fraud Alert

Since Wednesday’s Powerball lottery drawing is at a staggering $485 million, I would not blame even the most rational readers of this blog for being tempted.  It is also a great opportunity for me to pass along some information that may save you from being a victim.
Let me use myself as the example.  I’ve noticed that I don’t always 1) get or 2) check receipts from convenience store runs.  If this resembles your experience, ask yourself: would you notice if you were overcharged a dollar or two?

Here is the issue.  Unscrupulous convenience store clerks are betting that you simply decline a receipt or don’t closely check the one you receive.  It seems that they are skimming small amounts from customers to support their own lottery habits.

Obviously the vast majority of convenience store workers are not stealing from you, but it does highlight the fact that you should at least 1) get a receipt and 2) check it.