Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Securing the Information Supply Chain

January 31, 2018 By Doug

© Alain Lacroix | Dreamstime.com

It’s no secret that we’re in the information age, and the rise of the CIO to prominence in most organizations reflects that.  Google, Facebook, Amazon (?), are all large companies whose entire business model is based on the flow of information from creators to customers.  So if that’s the new supply chain, can we leverage concepts from the physical world to the virtual?

With physical goods we have centuries long patterns for value flow, risk assessment, and optimization strategies.  Those can include everything from accounting for weather along the transportation route, geopolitical disruption of critical goods, regulatory oversight requirements, and criminal activity – from fraud to hijacking to shrinkage.  Companies that operate in the physical world understand very well how to get from materials to goods to customer to cash.

Yet those same companies often neglect the information supply chain that follows the goods. While this is starting to change, as the interest in using blockchain to track products shows, most organizations are only focusing on sections of the overall business process, leaving gaps for attackers (either Murphy or malice) to exploit.  The approach harkens back to the 90’s and early 00’s, to the days of business process re-engineering and enterprise architecture.

We first map out the core business processes – from raw materials, through manufacturing, to delivery to customers, and ultimately to cash to the business.  Once we have those processes identified, at each stage, we identify the critical information assets required as part of the step, and conduct a threat and risk assessment for each one.  We often find that a piece of information that’s critical at one stage of the process (and highly secured there), actually originates much earlier in the workflow where it may not be critical and properly secured.  Likewise, information that’s critical at one stage, may later not be important any longer, yet expensive security practices continue beyond the ‘expiration date’, wasting resources that could be more effectively deployed.  We don’t continue to use armed guards after the semi-trailer is empty.

Of course, records retention policies and regulations, litigation, and audit requirements may extend the lifespan of information beyond its useful date, but that’ll all come up as part of this process.  Having a good handle on the information lifecycle allows for defensible destruction policies that are often missing from most organizations.  Have you purged your email recently?
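As an added illustration of the mapping exercise the two paragraphs above describe (it is not code from the original post), the script below models business process stages, the information assets each stage touches, how critical each asset is at that stage, and the control applied there. It then flags the two gaps the post calls out: an asset that is protected weakly at an early stage even though it becomes critical later, and an asset that keeps carrying a strong control after it stops being critical. The stages, assets, control levels and the `Use` record are all constructed sample data, not anything from the post.

```python
"""Information supply chain lifecycle check (constructed example)."""
from dataclasses import dataclass

# Ordinal scales so that "required" criticality and "applied" control compare directly.
CONTROL_LEVELS = {"none": 0, "basic": 1, "strong": 2}
REQUIRED_LEVEL = {"low": 0, "medium": 1, "high": 2}
LEVEL_NAME = {v: k for k, v in CONTROL_LEVELS.items()}

# Business process stages in workflow order (sample data).
STAGES = ["sourcing", "manufacturing", "delivery", "billing"]


@dataclass(frozen=True)
class Use:
    """One information asset as used at one process stage."""
    stage: str        # one of STAGES
    asset: str        # information asset name
    criticality: str  # low / medium / high at this stage
    control: str      # none / basic / strong applied at this stage


# Constructed sample mapping: customer_address is captured during manufacturing
# with no protection but becomes highly critical at billing; shipment_tracking
# keeps a strong control at billing after it has stopped mattering.
SAMPLE_USES = [
    Use("sourcing", "supplier_contract", "high", "strong"),
    Use("manufacturing", "bill_of_materials", "medium", "basic"),
    Use("manufacturing", "customer_address", "low", "none"),
    Use("delivery", "customer_address", "medium", "basic"),
    Use("billing", "customer_address", "high", "strong"),
    Use("delivery", "shipment_tracking", "high", "strong"),
    Use("billing", "shipment_tracking", "low", "strong"),
    Use("billing", "invoice", "high", "strong"),
]


def find_gaps(uses, stages=STAGES):
    """Return under- and over-protected (asset, stage, applied, needed) tuples.

    For each asset, walk its uses in stage order.  The protection an asset needs
    at a stage is the highest criticality it will have at that stage or any
    later one, because whatever leaks early is already lost by the time it
    becomes critical.  A control above that level is spending past the asset's
    'expiration date'.
    """
    order = {s: i for i, s in enumerate(stages)}
    by_asset: dict[str, list[Use]] = {}
    for u in sorted(uses, key=lambda u: order[u.stage]):
        by_asset.setdefault(u.asset, []).append(u)

    under, over = [], []
    for asset, seq in by_asset.items():
        for i, u in enumerate(seq):
            future_need = max(REQUIRED_LEVEL[v.criticality] for v in seq[i:])
            applied = CONTROL_LEVELS[u.control]
            if applied < future_need:
                under.append((asset, u.stage, u.control, LEVEL_NAME[future_need]))
            elif applied > future_need:
                over.append((asset, u.stage, u.control, LEVEL_NAME[future_need]))
    return {"under_protected": under, "over_protected": over}


if __name__ == "__main__":
    for kind, hits in find_gaps(SAMPLE_USES).items():
        print(kind)
        for asset, stage, applied, needed in hits:
            print(f"  {asset} at {stage}: control={applied}, needed={needed}")
```

The over-protected hits are candidates for the defensible destruction policy mentioned above, subject to whatever retention, litigation hold or audit rule applies to that asset; the under-protected hits are the places where the control set at the critical stage needs to be pulled forward to where the data first appears.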

The key here is that all this work then drives cybersecurity policies to a new level of maturity – ensuring that there’s complete coverage and appropriate investment based on business risk.   So for a late new year’s resolution, let’s make sure that we take time from the day-to-day headline-driven work, and work with our business stakeholders and CIOs to document, assess, and secure the information supply chain.


Why do people (or companies) take risks?

January 25, 2018 By Doug

It’s a dangerous world, and yet there’s a spate of recent studies showing that people and companies continue to take risks with their cybersecurity.   The truth is that we all have to take risks – there is no such thing as complete safety.  The question is, how do we decide what risk to take?

All too often the answer is that we take risks by default – without an explicit decision, and accept the status quo simply by inaction.  As individuals, folks fail to use password managers, or click on links in email.  Corporations may not implement good security instrumentation and analytics.  And both individuals and companies fail to apply patches in a timely manner.  Most often that’s due to a lack of awareness or budget, or an unwillingness to make tradeoffs between usability, cost and security.  There’s a joke among fire protection vendors that the best time to talk to a potential customer is when the building across the street just burned down.  From a cybersecurity perspective, while it’s not quite Dresden after the allied bombing, big chunks of the city are in ashes, and yet the inertia continues.

I recently wrote a post suggesting that folks ask ‘why’ when their toaster asks for internet access.  That’s a plea to assess risk and actually make a decision; to not just accept risks by default.   That requires augmenting our desire to manage risk with good supporting processes including creating a culture of risk awareness and authority, establishing a clear risk workflow, and most importantly, building a security program that responds with ‘how’ instead of ‘no’.

Risk awareness begins with identifying data owners for the critical information – someone who has business responsibility (legal, regulatory, ethical) for the assets in our organization.  A Chief Risk Officer can help identify those owners, and collaborates with them on decisions, but often doesn’t have the business acumen necessary to fully evaluate tradeoffs.  From there, risk awareness has to permeate the organization, down to individual staff and developers.  To paraphrase Ian Malcolm in Michael Crichton’s Jurassic Park, everyone needs to stop focusing on whether we could, and start asking whether we should.  That’s a mentality shift that our security professionals can help folks make, if we provide proper support.

Key to that support is having an established process to identify stakeholders and owners, and how to evaluate the risk and benefit, and make the decisions.  That process needs to accommodate situations where there are no clear owners or lines of authority – I’ve seen cases where inertia reasserts itself when it becomes difficult to figure out who to ask.  We have to have a default path, and an overall process that returns answers promptly.  Getting risk answers must be easy.

Those answers should very rarely be ‘no’.  This is something that security folks, particularly those from a compliance background, really struggle with.  We have to avoid making snap judgements based on our innate low risk tolerance or assumptions about budgets (and willingness to spend them).  Here’s a great example:   The users have a need to share files securely outside the company.  The security team says ‘no’ to Box, Dropbox, or OneDrive – either because of a lack of perceived control, or because they make an assumption that the business won’t fund a corporate account.  So folks ignore the policy, and we have hundreds or thousands of users accessing Box, Dropbox, Google Docs, or OneDrive – because they have to do it to run the business.  The better option is to respond ‘yes, and here’s how to do it safely, and how much it costs’.  Better yet, we should provide several options and costs for the users to choose from (including the cost of a breach!).  Business stakeholders generally make smart decisions when presented with reasonable options, and are much better at following – and finding money to support – policies they helped craft.

So that’s our duty – create a risk culture, help raise and expose the risk, then present options and facts.  At that point the business, not security, makes the decision.  For a profession full of control freaks, that can be hard to do (it took me years to really learn it).  It’s even harder when they make what we believe is a bad choice, because we know we’ll still get blamed if there’s an incident, or at least have to clean it up (I sometimes think the CISSP logo should be a mucking shovel).  As an aside, that’s why a key part of the process is good, written documentation with formal signoffs.

As long as we make sure it’s a fully informed choice, we can go home, and sleep well at night.  After all, we don’t own risk.  We own risk awareness.


Just ask “Why?”

January 9, 2018 By Doug

Today we’re constantly asked to make decisions that have security and privacy implications.  Most of the time these are individually innocuous, but collectively they present significant risk.  All too often, we simply click yes, plug in the cable, share the wifi password, or give up personal information.  Instead, before even asking if it’s secure, ask “Why?”

Here are some examples:

  • Why does my refrigerator, dishwasher, vacuum cleaner, lightbulbs, or child’s teddy bear need an internet connection?
  • Why does the social media site need my real birthday or current location?
  • Why does the doctor’s office need my SSN (unless you use Medicare)?
  • Why does the retailer need my email address for a receipt?
  • Why does that website have 42 trackers (seriously, just saw that today)?
  • Why does that app need access to my microphone, contacts, or music library?
  • Why does my TV need an internet connection? Why does it have a microphone?
  • Why do I want that technology vendor listening/watching everything I do at home?
  • Why should I always use my primary email address for sites that aren’t important?
  • Why does my bank need my mother’s maiden name?

For many of those, the answer is: to provide some functionality I desire, and in exchange the company can exploit and sell my personal information.  For others, it’s inertia (like the doctor’s office with the SSN), or poor security question design (like mother’s maiden name).

We all have different tradeoff points – I essentially answer no to them all (or give false information – or a junk email address), others may say yes across the board.   Of course, once you decide it’s worth the tradeoff, before you actually do, then the ‘is it secure’ question needs to be answered.  One quick thought on that – if it can’t be patched, it’s not secure.

So the next time a waffle iron, toothbrush, or coffee maker asks for your wifi password, stop a moment and ask ‘why’, then make a conscious decision about the tradeoffs.
