Sep 24

Who’s Asking the Tough Security Questions?

$p!k3 and mind.


Picture this scenario:  you, your spouse, and family are standing in front of your recently completed home.  You spent years saving, planning, and building the home of your dreams.  As the sun sets on the first day in your new home, your smart-aleck kid asks, “How do I turn on the lights?”  Just then you realize you didn’t install any electricity in the home of your dreams… now turned nightmare.  This is exactly what has happened to many project managers, acquisition managers, and/or developers when it comes to information security.


You spend months, sometimes even years, planning, designing, developing, and deploying the business solution that will save the organization loads of money and make you a star, only to find out, hopefully from someone within the organization and hopefully not from an outside attack, that you did not plan for the security of the information and/or the information system.  An example of this happened at a government agency recently.  I will speak very generically about this to protect all involved.  An application was deployed that solved a legitimate business need.  It had a good number of users and worked well for approximately one year.  Then employees of the agency started to report an unusual amount of identity theft issues.  Investigators traced the source of these issues back to this application.  Users had personal information, including their bank account information, compromised, which caused numerous fraudulent transactions.  Once the agency discovered this problem, the application was taken offline, security was added, and the application was re-implemented while the agency looked for a replacement.


So what’s the problem with adding security later in the process?  Well, let’s go back to the house scenario… imagine the cost associated with running electricity to a house that is totally completed: installing the electrical panel, running the electrical lines from the panel to every room, fixture and outlet, tearing out drywall, making holes in the studs and the joists, wiring, installing the fixtures and outlets, and finally reinstalling/repairing drywall, and painting.  The extra time and labor costs would be enormous.


Like the home scenario, reprogramming an application or system will set the project back in both money and time; essentially, you are going back to the drawing board.  For example, imagine trying to retrofit security into an application’s code.  You would need to work through the SDLC all over again, but this time with security in mind.  This means creating security feature requirements, analyzing security best practices, reviewing the attack surface, running through threat modeling, and you haven’t even started to think about manual code reviews, code scanning tools, pen-testing, etc.  Considering that you basically have to review the entire application from scratch and purchase security development tools, the cost would obviously put you over your initial project budget, if you hadn’t already surpassed it… not to mention the time involved in fixing the problem.  And we all know that time = money!


So obviously, like electricity in the house, information security must be included in the planning process, but whose responsibility is it and exactly how do they go about including it in the system development lifecycle (SDLC) of a system or application?  First, let’s start with the “who” problem.


You would hope that anyone requesting a new piece of hardware or software (system) would be concerned about the security associated with that system, but in a normal situation, individuals rarely are so knowledgeable; they just want to improve their business performance by purchasing the new system.  When the requested system gets a project manager, surely they would know and ask about the system’s requirements for security; but sometimes they don’t.  After the assignment of a project manager, hopefully an Information System Security Officer (ISSO) is designated who would require security to be included in the SDLC.  Next, if there is code development required for your system, the developer should be versed in and use secure coding practices in addition to any of the security requirements that are identified for the system, but in most cases, if it is not written in the requirements document or statement of work, security is overlooked.  If the developer doesn’t ask for security, the last line of defense may be the acquisition officer.  Chances of that person adding security requirements are better if they are from the new school (versus the old school), but how often is that the case?  If that does not happen… basically you’re screwed.  Call the electrician and start ripping out the walls.


Now for the $64,000 question: how is security included in a new system?  That answer is easier than you think.  Ask for it.  Require it.  As mentioned above, someone has to include it in the requirements statement from the very beginning.  Whatever bells and whistles are required to satisfy the business need of the requesting business function, don’t forget to include security.  What?  You don’t know how, what to ask, or what to include?  Well, that answer isn’t too difficult either.  The National Institute of Standards and Technology (NIST) has done all the research for you.  They have documents that cover just about every aspect of technology and the secure deployment of that technology.  (NIST Special Publication list)  If you want the full list of security features that need to be included in a system, see SP 800-53 rev. 4.  If you want to review how to include security in the SDLC, then review SP 800-64 rev. 2.  Other important documents to aid you in the development of a new system are the risk management framework guide, SP 800-37, and the guides on deploying a web server, email server, firewall, wireless solution, and even the hot issue of mobile devices (in draft).  See the links included.  I think you get the picture.


Speaking of pictures, now picture yourself sitting in front of the CEO of your company, or in front of the executive director of your agency, answering questions about an information security breach.  Hopefully, those questions are about how your system was the only one in your organization that did not have information compromised.  You will be the star of the organization, an example of how security should work.  Otherwise… we don’t want to even think about that alternative.


So take some time to analyze the security of the systems within your organization.  Is there security in place?  Do the users have access to only what they need in order to accomplish the mission?  More importantly, are they restricted from what they do not need to know? Remember Wikileaks?  Are there any new systems coming online?  Is security included in every step of the SDLC?  Is there an ISSO?  Do they know what they are doing?  These are just a few of the questions that need to be asked.  Is someone asking them?  You can ask them!


$p!k3 and mind.

Sep 16

The days of “NO!” are long gone… or they should be!


mind.

I am involved in a lot of meetings with executives and other IT professionals and before any actual productivity occurs, I have to spend time convincing everyone that the sky isn’t falling in on our information and information systems.  After everyone is settled and the meeting begins, the mere mention of BYOD, the cloud, shadow IT, or wireless brings about a very strong response of “oh, no, those technologies are extremely dangerous, they should never be implemented in this environment.”  What?  I can understand, somewhat, how a non-IT-savvy executive might say this, but from IT professionals, that should never happen.  New technologies and innovations should not be shunned or kept out of organizations that would most likely profit (or at least increase their profit) by implementing them.  Where is this coming from?

Let’s clear some things up.  First, the IT industry has spent the better part of the last 20 years promoting cybersecurity through scare tactics.  Media outlets thirst for a breach, any loss or even potential loss of information, and they splash it in the headlines.  Reporters try to make a name for themselves by finding a story and over-sensationalizing it.  Even though the mainstream IT industry has only been around for the better part of 20 years, there are still naysayers that want to tell us how bad it is.  Now, after so many people have become the victims of data loss and identity theft, we have reached a point where most people have at least some idea of, or are somewhat concerned about, the security of their information.  However, these scare tactics also worked on our IT security folks, and they pounded down the security Kool-Aid.  It still surprises me how many IT professionals say “no” to new technologies without the slightest hesitation.  How did this happen?  Well, if you cry wolf long enough…

One problem is that we no longer look at the benefits of emerging technologies.  We immediately jump to “it’s so dangerous.”  Well, I’m here to say STOP IT!  Stop freaking out your IT security folks.  It is probably making you LESS secure.  Let me give you an example: I recently walked into an environment where pen-testing was a no-no.  I understand that pen-testing is not always the best solution for every environment; however, this was not one of those situations.  Even though it was something the organization could have benefited from, you could not mention it without the security folks or management turning 18 different shades of green.  The result of the effort: no pen-testing allowed and… continued vulnerabilities and risks to information and information systems.

What about the ol’ “that’s how we’ve always done it here”?  Um… then change.  Nuff said!  Just because it has not been done a particular way before does not justify sticking with an insecure process.  We get a lot of this from the “old schoolers.”  So my statement to you “old schoolers”: get with the program or get replaced.  Your VCR has been blinking 12:00 since you bought it, but the rest of us have been using video-on-demand for a while now.  If you want to stay relevant, embrace what is happening today.  It is usually more effective, more efficient, cheaper, and easier.  Stop being so darn stubborn, mom!  (But seriously, mom, replace the VCR.  I love you.)  Someone has to lead the way.  IT professionals have to push these innovations to continue our progression forward with as much force as (if not more than) the “old schoolers” are pushing back.  Someone has to do it, and there are many examples in the IT industry of those that have pushed and pushed innovation until “society” changed; Bill Gates, Steve Jobs, and the rest of their contemporaries come to mind.

Look, every new technology has issues we need to deal with, and I am with the “old schoolers” in the fact that we cannot just implement new technology without facing those issues, especially regarding security.  So face them.  Security is one of the major issues today.  We cannot hide our collective heads in the sand and hope the technology goes away.  The fact is more security equals less productivity, and vice versa.  We need to find a balance.  Yes, I do believe we still need to say “no” sometimes, but only after a detailed analysis has been undertaken.  Let us actually look at the security risks, especially in the analysis phase of the system development lifecycle (that is the subject of another paper), find the best controls, and embrace what is going to eventually come anyway.  Educated IT professionals can either be the ones finding the solutions to the problems, or we can continue to perpetuate the problem.  BTW, isn’t security all about a risk-based approach?  So ask yourself: does this new technology make the mission more effective, more efficient, and less expensive, and can we implement it in a way that will not compromise the confidentiality, integrity, or availability of our information or information systems?  If so, then maybe you should consider the option of first looking at how the new technology can be implemented in a secure fashion while still accomplishing the goal of improving efficiency and/or lowering costs.  Trust me, it will keep you and your organization relevant and reflect forward thinking.

Don’t know how to say “yes”?  Well, tap into the great minds of others.  Google uses a wireless network, so maybe your organization should google Google.  Or find some of the Ron Ross types of the world who are innovative and forward thinking.  A perfect example would be NIST’s SP 800-160 (still in draft) on creating new trustworthy and resilient systems.

Oh, and btw… those “dangerous hackers”, well, they ARE using new technologies, and they know you aren’t.

mind. and $p!k3
