The Pain of Discipline vs The Pain of Regret


“We must all suffer from one of two pains: the pain of discipline or the pain of regret. The difference is discipline weighs ounces while regret weighs tons.”

– Jim Rohn

Photo caption: Dexter High School's Dan Flowers is overcome with emotion after his wrestling season came to an end at the hands of Allen Park High School's James Cusin, who beat Flowers 10-6 in their 125 pound consolation bracket match of Friday afternoon's MHSAA Individual State Wrestling Championships at The Palace of Auburn Hills. Photo: Lon Horwedel.

For all three of my boys, wrestling has been around as long as they have. As long as wrestling has been around them, coaching has been around me. I volunteer and assist running the youth team in our town, and although all my boys have passed through the team, I think the lessons wrestling taught them were very important.

One such lesson is the “Pain of Discipline vs. the Pain of Regret”. The idea behind this is that if you work hard and show self-discipline in the wrestling room, you will not have to feel the pain of losing a match later on. It forces you to ask yourself, “is the hard work now worth the victory later?”

This summer both of my high schoolers have been going to practice every day and understand that they have to work hard now to win later. They must cover all their bases to ensure everything goes smoothly down the line.

I’ve realized that information security works the same way. We don’t want to spend the extra time to think up a stronger password, back up files, convene an information security committee meeting, write policy or invest in a firewall. All of those are pain-of-discipline actions: they hurt a little now so that we avoid a lot of hurt later.

And hurting later means the greater of the two pains, the pain of regret. Like when we lose the key proposal or a customer contract to a bad sector on a laptop or server. Or when a client asks us to prove we have a security committee and follow whatever alphabet-soup regulation they are accountable to. Or when our weak password is easily guessed and our business penetrated. Or when we have to terminate an employee for inappropriate behavior but can’t produce the policy he violated. Or when ….

So take the time to hustle in practice and work to win the match.

Take the time to invest in your future: endure the pain of discipline by considering information security’s role in your business, and avoid the pain of regret that comes when a predictable risk is realized.

Understanding Common Threats


Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur.

A common misconception about information security in businesses involves where their vulnerabilities lie – and they may be closer to home than you’d think. I think it’s important to outline some common data security threats, not only from the perspective of an information security professional, but from the standpoint of a business owner.

If you can better understand where you are most likely to lose data, you can take steps to prevent data loss and a breach of your systems. Whether you are a small business or a large firm, I believe that these threats affect anyone who needs to keep their data secure – and that’s everyone!

Threat models are commonly used in information security analysis to illustrate how risks could impact an organization. A threat model describes the characteristics of a given threat and the harm it could do to a vulnerable system.

When we do a project identifying threat scenarios, we go into detail. At a simple level, we identify the pieces of each threat scenario: the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). Breaking a scenario into these pieces can help businesses understand and plan for it.

We do not address the probability of these events occurring, which in most cases is impossible to predict accurately. There’s no way of telling the likelihood of a threat or providing a definite “yes” or “no”, but we can provide information on common threats and issues.

Over your morning coffee, run through these common scenarios and ask yourself how they would impact you:

A trusted employee decides to:

  • Download unauthorized software from the Internet which contains a Trojan horse or other malicious software.
  • Disable antivirus scanning prior to the download of an emailed MS Office document.
  • Transfer information from a third-party computer to their work computer, bringing a virus or other malicious software into the company.
  • Copy data from the network onto any number of portable memory devices, from which it is stolen undetected.

A disgruntled employee decides to retaliate against your company:

  • With knowledge of the backup tape courier routine, the tape drop-off is intercepted and the information on the tapes is used to attack your company’s reputation or for material gain.
  • Data is copied from the network onto any number of portable memory devices and stolen undetected.

A former employee decides to retaliate against your company:

  • Because of a haphazard termination process, the former employee uses his/her still-active network access and credentials to damage or steal information from an outside location.
  • Because of a haphazard termination process, the former employee gains access to a company facility and uses his/her still-active network credentials to damage or steal information from an outside location.
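One way to turn the "still-active network access" scenario above into a routine check, as an added example that is not part of the original post: reconcile an HR termination list against a directory export and flag accounts that are still enabled past a grace period, or that recorded a login after the termination date. The field names, the grace period and the sample records are constructed assumptions, not any real company's data.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not real data): HR termination dates keyed by
# username, and a directory dump with each account's enabled flag and last login.
TERMINATIONS = {
    "jdoe": "2024-03-01",
    "asmith": "2024-03-04",
    "bwong": "2024-03-05",
    "cjones": "2024-02-20",  # no directory account; should be skipped
}
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "last_login": "2024-03-09T22:14:00"},
    {"user": "asmith", "enabled": False, "last_login": "2024-03-03T08:00:00"},
    {"user": "bwong",  "enabled": True,  "last_login": "2024-03-05T09:30:00"},
    {"user": "mlee",   "enabled": True,  "last_login": "2024-03-10T07:45:00"},
]


def audit_offboarding(terminations, accounts, as_of, grace_days=1):
    """Return (user, finding) pairs for terminated users whose access outlived them.

    still_enabled    - account still enabled more than grace_days after termination
    login_after_exit - a login recorded on a calendar day after the termination date
    """
    findings = []
    as_of_date = datetime.fromisoformat(as_of).date()
    by_user = {a["user"]: a for a in accounts}
    for user, term_date in terminations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # nothing to revoke in this directory
        term = datetime.fromisoformat(term_date).date()
        deadline = term + timedelta(days=grace_days)
        if acct["enabled"] and as_of_date > deadline:
            findings.append((user, "still_enabled"))
        # A login on the termination day itself is normal (last shift);
        # a login on a later day is the indicator the scenario describes.
        if datetime.fromisoformat(acct["last_login"]).date() > term:
            findings.append((user, "login_after_exit"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_offboarding(TERMINATIONS, ACCOUNTS, "2024-03-10T00:00:00"):
        print(f"{user}: {finding}")
```

In practice the two inputs would come from the HR system and a directory export; the check is cheap enough to run daily so that a missed revocation is caught within the grace period rather than discovered after the fact.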

An authorized visitor, an unauthorized visitor or an intruder penetrates one of your company’s facilities and:

  • Walks the floors of the facility unchallenged, exploiting targets of opportunity such as unlocked, unattended systems or backup tapes sitting unsecured while waiting for courier pickup.

A third-party caretaker of your company information has a security incident. While that incident may not impact your company network, your company has no controls to prevent it from impacting your company at a business level.

All of these are common threats which many business owners don’t realize exist. Understanding the possible actors (WHO), along with the action (HOW) and the vulnerability exposed (WEAKNESS), can help you predict the possible damage and prepare for future threats. There will never be 100% certain digital safety in today’s increasingly digital world, but an understanding of the common threats posed to your firm can save your information before it’s gone.

Information Security Policy Guides Risk Management


The term “policy” is overused jargon with overlapping and confusing meanings. Information security policy can be several different things. Company or organizational policies that define a value or a position taken on an issue by an organization, system policies that define the configuration of a particular computer resource, and firewall policies that define rules for what can pass through the network boundary are different things with different purposes.

Here are some thoughts related to good information security policy practices.
