Jon Heimerl | Blog

Solutionary Blog and Bloggers

Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain secure and safe online, and adhere to compliance regulations and standards. Solutionary's blog is a place to learn about and discuss a wide variety of security and compliance topics.

Solutionary Bloggers: 

Brad Curtis, Compliance Manager
Jon Heimerl, Director of Strategic Security
Mike Hrabik, President and CTO
Don Gray, Chief Security Strategist
Court Little, Director of Strategic Security
Joseph Blankenship, Senior Director of Product Marketing and Strategy
Doug Picotte, Regional Technical Manager
Rob Kraus, Senior Security Consultant
Scott Simpson, Director, Security Consulting Services
Brian Reed, Regional Technical Manager


Solutionary Minds - Your Information Security Blog Source


Dr. Seuss does security too.

Posted by Jon Heimerl on Thu, Sep 02, 2010 @ 08:34 AM

Would you, could you, protect my data? Protect it now, protect it then, please protect it everywhen. Protect my health and banking stuff, though it can be, will be rough. Policy is done, it's in the can, I am ready, audit man. Use a firewall and antivirus, Listen to experts who say "hire us". Set your policy, make your plan, Before it all just hits the fan.

Would you, could you protect my data? Protect it here, protect it there, please protect it everywhere. Do not forget continuity Or we are lost in perpetuity. Put our fears all in a thimble, 'cause security must be nimble. Protect my private information, Protect it here and o'er the nation. I might join a security alliance, If it helps in my compliance.

Would you, could you protect my data? Protect it well, protect it good, please protect it in da hood. It really is not much a reach, To say I worry about a breach. Every day do my database backup, But the threats continue to stack up. Make my data safe with encryption, And my users have a conniption. And when you leave, I worry about you more, What all just walked right out my door?

Would you, could you, protect my data? Protect it olde, protect it gnu, protect my data true. I want so much to make this easy, Security must not, can not be sleazy. After all of this, I worry about most, That some techno-teen of me will boast. Before I get a permanent vacation, I must have in place true revocation. If only I could see like echolocation Security, it is my lifelong vocation.

I would, if I could, yes, protect your data. Protect it then, protect it now, protect that data all somehow. Protect the media, wherever it sits, Though I know it will give you fits. Protect the apps and database, And keep security up in your face. Follow the standards, follow the law, I know it will keep you just in awe. The hardest part is not being a jerk, And making everything all just work. The bad part is, no matter what I do, in the end, it’s up to you.


It was the best of times, it was the worst of times…

Posted by Jon Heimerl on Wed, Aug 25, 2010 @ 12:04 PM

A couple of weeks back, a friend asked me over martinis (Belvedere vodka, extra dry, two olives, chilled glass, thank you very much), "what are the single largest contributors to good security or bad security in your environment?" I believe my answer surprised them. The single largest contribution to a good security program comes from the security professionals you have working in your environment.

1. They bring a planned methodology to security program planning, which helps make you think strategically, not tactically; you might think, "treat the disease instead of the symptoms".

2. Since they are planning ahead, this usually means planning instead of reacting - always a good thing when you can avoid a problem before it arises.

The single largest contribution to poor security is…

Yes, the security professional. Hopefully it does not happen too often, but like any proud professional, sometimes we take ourselves too seriously, and sometimes we take the job too seriously. People I work with have often heard me use the words "Security Nazi". The analogy is not perfect, but the message comes close - they create more problems than they solve. This is in part because they solve the wrong problem, they often spend money unwisely (more for a pet project than for any purpose that really serves the company), and sometimes they are just intent on winning a power struggle.

Once upon a time, I worked for an organization in the U.S. Government. Part of the process for my organization was that the Office of Security (OS) had to sign off on any project before anything could be put into production. Unfortunately, OS knew this. They actually had a plaque next to their main office door which read “The answer is ‘no’.”

I mentioned in an earlier blog that one company I knew had installed a $400,000 biometric system everywhere. That had ultimately been the decision of a seasoned security professional, even though it was clearly not the best use of that money.

In another case I was talking to a CISO about PCI compliance. She had ultimately decided what their compliance strategy was going to be. I pointed out that they were doing far more than they needed to do in order to be compliant with PCI. If they had stopped with control "A", they would have been fully compliant with the line item PCI requirement. However, she had decided that their implementation would be "A" plus "BCD". So, while "BCD" were indeed nice security measures, they were far more than was needed and effectively tripled the cost of reaching and maintaining compliance. And, by the way, nothing in PCI even suggested "BCD"; she was just using PCI as the club to help her get them done.

Unfortunately, the above are some examples of the impact that misguided security professionals can have. We [the security professionals] have to strive to help make the right decisions because they are truly the right decisions. The ultimate job of security, after all, is to make things easier for all employees. We enable employees so that the company can meet the goals of its mission: getting the job done while protecting its valuable information. Is that not the point?


Paranoia is good? App Security

Posted by Jon Heimerl on Fri, Aug 06, 2010 @ 09:24 AM

I read an article last week that talked about how apps on your smartphone are grabbing and sharing personal information from your smartphone or other personal device without you really knowing. And realistically, paranoid security geek that I am, the only reason I say "you" instead of "our" is that I don't use a smartphone.

According to the article, a security company testing these apps found that "nearly a quarter of the iPhone apps and almost half the Android apps contained software" that included unintended or unknown functions. This was, apparently, despite control exercised over the apps, and in some cases even without the knowledge of the actual application developer, since the functions were provided in third-party code. We are not just talking about software that grabs browsing habits; we are talking about this software taking much more detailed information from your phones, like full details about people in your contact list, your pictures, text messages and search histories.

I don't know about you, but this kind of scares me a little, as well as ticks me off. First of all, these third parties thought it was okay to grab this type of information from the devices. However, having access to that information does not mean it is okay to take it. Just because there is no guard by the door at the airport that says "authorized users only", it does not mean it is okay to go through it. In the end, this was a conscious decision by the developer of the third-party software to violate the personal privacy of the device owner, because there is absolutely no way they did not know this was a violation of your privacy.

Second, the app developers were including third-party code without knowing exactly what that code does. Okay, the code was supposed to let the developer push out ads in a free sample version. Yet, it says something that it does not appear that many, if any, of these developers actually checked to see if what they were buying was a zebra or a painted donkey. At least this does not appear to be as malicious as the first problem, though it is, at best, lazy and sloppy.

Third, users would just install these applications without knowing what they were getting into. Admittedly, in some cases there was probably no reasonable way to know. Nonetheless, in some cases there is a little "terms and conditions" notice that you accept when you install the app, and some of them include language about gathering information from your device (now, we don't necessarily think that they are going to be grabbing information as private as they were, but that point is covered above).

Of the three, I do not know which really scares me the most. I was paranoid long before I was bent over the hood of a car at the barrel of a machine gun (ah, a story for another day), but I don't really find the first two points that surprising. By now, we, as users, really should know better. This is the biggest current and future trend that worries me: that people are becoming consumers without thinking of, or even knowing (or without even really caring, since they want the app), the security consequences. Social media and mobile devices magnify the problem because more and more people have access to more and more information without the experience to deal with "issues". We cannot be complacent sheep led to the slaughter by our desire for mass consumption of media, powered by the coolest new app. We simply have to be better.

In the end, I guess this does include me, since my kids have various smart devices, and I actually wrote this on my iPad. But then, I've had the thing for a couple months and still have very few apps. My kids tell me I am paranoid. I tell them that they are naive, and that a proper dose of paranoia is a good thing.


The Real Story: Security Definitions You Need to Know

Posted by Jon Heimerl on Mon, Jul 12, 2010 @ 12:40 PM

Security – Freedom from danger or risk, or actions taken to prevent or decrease danger or risk. The quest for information security is a form of perpetual motion.

Secure – Nothing.

Insecure – Everything.

Privacy – An illusion.

Backup – What you wish you had done before your system crashed.

Social Media – Alternate communications media that supports socialization and promotes communications. Does not normally fall under the same level of control as "official" communications media such as email because of rapid adoption rates, informal communication formats, and immature controls and policies.

ROI (Return on Investment) – The amount you need to project as hopeful future savings to justify spending money on a project now. Sometimes also known as Rationalization of Imagination.

RGE – The result of a crash in your main data center that wipes out half of your corporate information because your DR site had never really been tested and was not working the way you needed it to. Also known as a “Resume Generating Event”.

Incident Response – Unless accompanied with planning, usually involves screaming, hair pulling, sobbing, and cursing, immediately followed by accusations of blame for some unwitting party. Often results in an RGE.

Cookies – What you bring the auditor to help make sure you pass your audit, since you had not been doing the right logging, or the right reporting, and you know you weren't really ready for them.

Disaster Planning – Planned, measured steps taken to help limit the negative impacts of a foreseeable disaster or other significant event before the actual event. See also "What BP didn't do".

Security Policy – What someone who does not understand your operations wrote down so that you could claim you had one.

TANSTAAFL – There Ain’t No Such Thing As A Free Lunch. It’s just a matter of when you pay for it in the end. And you always pay for it. Always.

Synapticurse – When you enter the command to restore the backup image, and you tell your finger to press the “Enter” button, the synapticurse is the physiological and psychological reaction you get in that fraction of a second after you realize you have reversed the parameters and will destroy your only backup, but it is too late for your synapses to fire the impulse to tell your finger to stop from actually pressing the button.

Blended Threat – That strawberry daiquiri you should not have had before you logged onto your work system to promote code to production.

SSID Roulette – The act of just picking one, when faced with that chaos of wireless networks that shows up in public or hotels where you never know which is the hotel approved wireless or which ones are the hostile, fake, access points that are waiting for you to connect for evil purposes.

Silver Bullet – That one security fix, enhancement, or product that can heal/prevent all security woes. Or, a projectile made of a pure metal used to kill werewolves. I mean, each one is just as likely as the other, right?
