Effective Practices in Security
Published: May 14, 2010
Author: Herbert H. Thompson, Ph.D., Chief Security Strategist, People Security
A few months ago, I wrote an article about the need for security practices that are truly effective in the real world. Over the past year, I've had the chance to talk with information security executives at some of the world's largest companies about how they innovate when it comes to security practices. Many of these conversations were with executives who sit on Microsoft's Chief Security Officer Council, a semi-annual gathering of security executives from leading global organizations. It was clear during those conversations that the growing sophistication of attackers, combined with security departments having to do more with fewer resources, has forced security practitioners to think creatively to address some very difficult problems. Much of this innovation has been locked away within corporations as they have made isolated progress on issues like security metrics, security risk management frameworks, and security policy. Over the past few months I've worked with Microsoft to help turn these conversations into a series of white papers that focus on how the security community is innovating.
The goal of these white papers is to share practices "from-the-trenches" that address some of the toughest problems in security. After numerous interviews, discussions, and debates with security thought leaders, it is clear that security insight is outpacing security knowledge sharing. Hopefully these papers will help fuel discussions on innovative and effective security practices. Below are abstracts of five white papers in this effective practices series along with links to the full papers:
Social Networks and Enterprise Security
The rise of social networking has brought with it a new crop of challenges for CISOs and security professionals. One looming concern is that employees may be revealing too much of their professional lives online. It might be a status update on Facebook about a "big project that isn't looking good"; a quick cross-reference with some other posts might reveal what that project is. It could be a recommendation request on LinkedIn, which might signal that they're looking for a job. Are other people in their division looking too? Could the company or division be in trouble? This has become an important corporate security issue, as tools and technologies are now available to correlate and visualize this data to infer confidential information. This white paper looks at some of the new risks, the state of data mining technologies, and the current effective practices for managing the risks.
Effective Practices for Cloud Security
Moving some internal processes to the cloud initially looks appealing: lower capital costs, more centralized management and control, and the ability to leverage shared resources and expertise. Groups like the Cloud Security Alliance have identified key security challenges, and their work has shown that businesses need to tread carefully. In this paper we look at some effective practices around cloud computing and security. What are some of the first typical forays into the cloud (IaaS, PaaS, SaaS)? How are enterprises managing security in cloud migrations today? How are businesses crafting Service Level Agreements (SLAs) with cloud providers? How are enterprises reconciling cloud-based deployments with the rigors of audit? While the cloud is not new, there is a surge of options to move some operational aspects of the business externally. This paper looks at how enterprises are managing these opportunities and the associated security challenges.
Risk Management Frameworks
Driven by a wave of legislation and regulations, many IT risk management frameworks have surfaced over the past few years. These frameworks attempt to help the enterprise identify risk, prioritize risk, manage risk, and identify processes and tools to help defend the enterprise. In theory, these frameworks are versatile and facilitate business-oriented risk decisions. In practice, they can be awkward, opinion-driven, and limited in scope. In this paper, we look at effective practices for implementing risk management frameworks. Through interviews and discussions with IT security professionals, we identify the key challenges and success factors for adopting risk management frameworks.
Practical Security Metrics
Figuring out the "return" part of a return on investment (ROI) calculation requires us to accurately assess the benefit accrued. A lack of good IT security metrics has made this exceedingly difficult for security professionals. In this paper, we look at how organizations are building "benefit" cases for security investments. We will look at how to better measure IT security risk and express the benefits of security investments in monetary terms. As a case study, we take an analytical look at how making informed patch management decisions can lead to real business benefit.
Mobility and Security - Policies and Practices
Phones, PDAs, and other mobile devices have entered the IT security landscape, bringing both utility and security risk. This paper focuses on two elements of mobility and security. First, we look at the range of security risks, such as the growth of mobile malware, device loss and theft, and managing sensitive data on mobile devices. With more than 400 mobile viruses in circulation and an increasingly rich set of applications available on devices such as Blackberry products, Windows Mobile devices, and iPhones, the incentive and opportunity for attackers is high.
We then look at some effective industry practices for managing the risk from mobile devices. These defenses include mobile device policies and policy enforcement, data wiping technologies, managing personal vs. business devices, and employee education. We look at what has worked for enterprises and what has not, along with emerging vulnerabilities that loom on the horizon.
About the Author
Herbert H. Thompson is Chief Security Strategist at People Security and an Adjunct Professor in the Computer Science Department at Columbia University in New York. He is a world-renowned expert in application security and has co-authored four books on the topic, including How to Break Software Security: Effective Techniques for Security Testing (with Dr. James Whittaker, published by Addison-Wesley, 2003) and The Software Vulnerability Guide (with Scott Chase, published by Charles River, 2005).
In 2006, he was named one of the "Top 5 Most Influential Thinkers in IT Security" by SC Magazine.