
Security Industry Archives

April 20, 2007

Gotta Show Some Respect To Microsoft

Microsoft historically takes a bad rap with respect to its handling of vulnerabilities. Maybe that might be better worded as: they take a lot of heat from a lot of people whenever anything, small or large, hits a public forum reporting that something with the Microsoft name on it is even mildly vulnerable to some kind of attack. I'll admit it, I'm one of those people who can easily bash Microsoft.

This evening, I'm taking a different stance. I'm genuinely impressed by Microsoft's responsiveness as of late. The .ani file handling bug, aka the GDI vulnerability, was fixed rather quickly. Now they've got a more complex problem -- the RPC/DNS bug. Yes, I'd like to see the patch faster. Yes, I'd like it better if it were never vulnerable to start with (hrmm, don't end a sentence with a preposition). There seems to be a different Microsoft so far in 2007. Today they gave us a new posting discussing a knowledge base article on the use of a script to automate the suggested mitigations.

Communication is good.

I'd rather not have buggy code at all, but I'm happy to accept the efforts and communications.


(I'll now hide under the desk as everyone throws rocks at me)

June 1, 2007

Does your vendor help or hinder your security methodologies?

As a security operations manager, one thing that concerns me is the ability to use vendor information within our risk management methodologies. Vulnerability and configuration compliance tools are important assets. The discovery tool allows a team to find vulnerable systems. Configuration tools permit us to set a standard, discover outliers and enforce new policies. Nonetheless, there is a missing component -- the vendor interaction and how it affects your resource planning and immediate risk management.

Already in 2007, we've experienced some interesting vendor dynamics, which have forced us to stretch our normal operational methods. FreeBSD recently froze its ports distribution tree in order to upgrade Xorg and its interdependencies. The freeze meant that even though port maintainers had submitted patched versions of PHP, our normal methods of software patching were hindered. With Apple, we saw a handful of interdependent Java and QuickTime bugs. In one case, a third party's suggestion was to disable Java. This mitigation method left many enterprises at an impasse -- disable Java and hinder work performance, or accept the risk. April brought the remote DNS RPC bug from Microsoft. Even though this vulnerability didn't affect us, it's what began my dive into these thoughts. What's a consumer to do when put in a position of a serious vulnerability without a clear mitigation or solution strategy?

When put in such a position, with little information and no place to acquire assistance, we become dependent on our own skills and strategies. The decisions made are highly driven by the vendor's ability to provide assistance. The ad hoc rating system below was spawned by this dilemma. It is a comparison of Apple, Microsoft and FreeBSD. How do your vendors rank?

Item                                   Reason            Apple  Microsoft  FreeBSD
-------------------------------------  ----------------  -----  ---------  -------
Regular Bulletin Release Schedule      ERP               no     yes        no
Security Announcement Mailing List     Communications    yes    yes        yes
RSS Feeds                              Communications    yes    yes        yes
Email Cryptographically Signed         Info Integrity    yes    yes        yes
Security Bulletin: Pre-Announcement    ERP               no     yes        no
Security Bulletin: Summary             Communications    yes    yes        yes
Security Bulletin: FAQ                 Communications    no     yes        no
Security Bulletin: Mitigations         Risk Mgmt         no     yes        yes
Security Bulletin: Workarounds         Risk Mgmt         no     yes        yes
Security Bulletin: Update/Patch        Risk Mgmt         yes    yes        yes
Security Bulletin: CVE Usage           Interoperability  yes    yes        yes
Security Bulletin: CVSS Usage          Interoperability  no     no         no
Security Bulletin: Acknowledgments     Communications    yes    yes        yes
Security Bulletin: Website Uses SSL    Info Integrity    no     no         no
Vendor Free Detection Tool             Risk Mgmt         no     yes        yes
Vendor SDLC Public                     Communications    no     yes        yes
Alt Vendor Communication Forum         Communications    no     yes        yes

June 19, 2007

The iPhone, our new security nightmare

The dawn is near; the iPhone blitz lies prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to "make my new flashy iPhone work with my work PC". No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.

Thanks to Andy Greenberg at Forbes for allowing me to interject some commentary into his article "Is the iPhone Insecure?" While I took a bashing from the MacDailyNews community, I stand by my statement: 'It's [the iPhone] going to be entering enterprise networks whether we like it or not, and it's a nightmare for security teams.'

Most pundits rest their entire counter viewpoint on the fact that the iPhone runs OS X (or some derivative thereof) -- "it's from Apple, it's OS X, therefore it's secure". First off, OS X isn't all puppy dogs and candy canes. Allow me to also dispel the myth of my favorite OS affiliation - no, it's not Windows. And my personal history with *nix operating systems began in 1990. Hopefully, though, we can set this topic aside and avoid the quagmire of OS wars. One should adopt the right OS for the right situation (period).

The topic of enterprise security is what I write about here. As the iPhone currently stands, it has no place in the enterprise network simply because it lacks enterprise security controls. No doubt most of our commentary on the iPhone is speculative. The most anyone can get out of Apple are demonstrations of the iPhone's fantastic user interface...and boy, isn't it cool! Given Apple's complete failure (so far) to address enterprise security, enterprise security teams must prepare for the worst. The vendor plays an important role in security methodologies, something I've written about before. Faced with a lack of vendor information, we must hunker down and prepare our defenses. For all our sakes, let's hope Apple pulls this one off (besides, I'd like an iPhone too). I suppose Apple's market analysis has probably already told them as much: despite concerns like mine, people like me will still pony up the $$ regardless.

Since so much of this topic is purely speculation and Apple wouldn't even answer questions for Forbes, I've assembled a straw-man list of questions. The list below is by no means exhaustive. Apple, if you read this, would you please address these questions in a public forum - we'd all like to know what to expect and how to reel this new gadget into our security policies.


Questions for Apple regarding the iPhone:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications? (Ability to read, but not forward data)
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the device, and are they themselves encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable them at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and backup data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events - calls made, data transferred, usage statistics?

Update: This just in from Network World


The analyst firm Gartner will tell IT executives to keep Apple's iPhone away from their networks, in a research report to be released within a week.

"We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."

Full story available here


Update 6/22/07

eWeek has a nice writeup covering viewpoints including mine, Matasano's (Dave Goldsmith) and Gartner's. Check out the last page of the article, where you'll find that eWeek got Microsoft to answer my list of questions above.


June 28, 2007

Supporting smartphones in your enterprise

If you haven't heard, there is a new smartphone entering the market tomorrow, June 29th. Apple has publicly stated a goal of selling 10 million iPhones in 2008. In the larger world of the smartphone market, 10 million iPhones in total is not a huge market share. According to market analysis data shared by Symbian, Gartner says that 72.9 million smartphones were shipped in 2006, a 50% increase over 2005. What you should be concerned about is the expected rapid penetration of smartphones in general. Canalys predicts global shipments of smartphones to reach 1 billion by 2012. That's 1 billion handheld devices with gigs of storage, a USB connector, a Bluetooth interface and connectivity to cellular as well as wifi networks. Moore's law aside, nobody could have predicted that those 1980s-era big black box cell phones would morph into a pocket-sized computing platform rivaling most computers of just 10 years ago.

If someone in your organization hasn't already asked your IT team to support one of these devices, then chances are they already exist and you've chosen to ignore them. Here is your two-by-four smack to the behind. If Apple's market penetration with the iPod is any predictor for the iPhone, then you can easily anticipate the thundering herd. You can either choose to embrace the change, fight it or ignore it. As a security professional, I suggest a skeptical embrace of the iPhone. And toward the overall goal of supporting smartphones in your enterprise, I suggest four top-line items for you to consider.

1 Embrace the Need
No matter how much you may want to think that a zero-tolerance policy keeps these devices away from your networks and company intellectual property, you must learn to accept the truth. There are smartphones, iPods and USB drives in your offices. There is employee, vendor and customer information residing on unapproved storage media. Don't ignore the requests for IT to support handheld devices; choose to be proactive. Investigate the options available; speak with your users and vendors to find a palatable solution.

2 Centralized, Supportable, Risk Mitigation
While you are investigating your options, think: centralized, supportable and risk mitigation. Like any good enterprise deployment, you want the biggest win with the least amount of overhead. Consider a solution that can be centrally managed and works within your existing supported infrastructure. Make sure that you can support the system with an SLA that you, your users and your managers can accept. Furthermore, adding service for smartphones may increase the risk posture for your company or for other business units, customers and vendors. It's important to consider the possible risk side effects. Those who are process oriented may want to include the service in an information risk analysis and in the company business impact analysis.

3 Entry and Exit
Networks are no longer the classic cloud protected by a pinprick of an opening and a T1 to the Internet. Not only may we have hundreds of approved ingress and egress points, but there is also an unknown, possibly dynamic, number of other holes. The advent of software VPNs, wireless LANs and now handheld devices with multiple network interfaces is turning networks into moldy Swiss cheese. One item to address -- your wifi networks. If you haven't locked down your wireless networks, do so now. Make sure those wireless networks are, first, outside your corporate LAN and, second, require encryption, authentication and authorization before anyone can make use of them.

4 A Policy is Like Poker
Make a policy, stick to your guns, but know when to fold your cards. Not unlike the familiar Windows Active Directory group policies, an enterprise-caliber smartphone solution allows security teams to create and push policies that affect the functionality and security of the devices. You'll want to invest in a solution that lets you centrally manage these policies, while also allowing reporting, logging and control of smartphone activity. In developing that policy, consider methods to protect confidential data in transit and at rest. Just a few include data encryption, password protection, remote data wiping and over-the-air data backup. Policies do solve a need, but be aware that one must always consider the balance between security and productivity. If your smartphone policy automatically locks the device after 1 minute of idle time, users will quickly become angered at having to type the unlock password countless times throughout the day.

Even if this isn't your wake-up call, it may be time to readdress your security posture when it comes to smartphones. Hopefully, these four items will guide you and your enterprise to a more comfortable place.

July 19, 2007

On Trust and Regulation

Trust is part of our daily lives. It's what gets us to work in the morning and it's what keeps our society from going insane. That car in the lane next to me on the freeway this morning, I trusted it not to swerve into my lane and send me careening off into the guardrail. But did I trust the car or the driver? How is trust created, and are we using regulations and money to buy customer trust?

On Tuesday, July 17th, the Deputy Attorney General made remarks to the Corporate Fraud Task Force, in which he said:

"For the past five years, the Task Force has worked to restore public confidence and trust in the American business community." -- Deputy Attorney General Paul J. McNulty, July 17th, 2007

What does this have to do with information security?
McNulty's quote refers to Sarbanes-Oxley and other regulatory matters put in place since the Enron and WorldCom fallout. While he does pointedly say "business community", he still talks of business as an entity capable of trust. Many of us like to think we trust an organization, a business or some concrete entity. Regulation does not drive trust in a business; it aids in ensuring that people do the right thing. Further, the people whose trustworthiness we really should be questioning are the auditors. Adherence to regulation can, today, only be fully measured by a human. It is the auditor who has the job of rating compliance.

The point(s)
The crux of this discussion of trust is that businesses and consumers have come to define their trust in another company based on regulations and frameworks. The first thing we ask for from any potential vendor is their latest audit findings (SAS 70, SysTrust, etc.). It's actually become a cop-out for many, as opposed to doing the real personal work of investigation. Fail to provide a SAS 70 report and you can instantly expect either to lose the deal or to need to reduce your bid by 50%. Somehow it's thought that a good audit translates into a well-run company in which we can place our trust.

Do Audits and regulation equate to trust?
Let's get this out in the open: the SAS 70 is one step above a note from your mom. It has no standard control framework, and it's easy enough to change your stated controls to ensure a passing grade. Yes, the SAS 70 report does include both the stated controls and the auditor's findings against them. So you, as the evaluator of the findings, take on the risk of ensuring that the stated controls are what you desire in a vendor. After reviewing a SAS 70 report, is the consumer now in a position to trust the provider, or is that still in the eye of the beholder?

Those of you who work for a company bound by regulatory policy know the pain very well. According to some estimates, 10% to 15% of your overall IT budget is spent on SOX efforts. Some might say that spending 15% of your budget to gain someone's trust is cheap, but that would be false. That 15% was your admission fee just to get in the game.


Let's move out from the cover of policies, regulations and frameworks as a method to judge trust in a corporation. A person awards trust. Audit reports move us along the road to shared knowledge, but don't be lazy. In order for someone to earn trust, both entities need to co-develop a priori knowledge of each other.

July 27, 2007

Classified Information Leaked By Way Of P2P Apps

Network lockdown checklist

Firewalls in place? Check
IPS functional? Check
Antivirus? Check
Antispyware? Check
Everything patched? Check
Centralized log management? Check
...
Highly sensitive confidential information leaked over P2P? Check!

NetworkWorld reports that numerous classified government documents, along with corporate confidential information, are being leaked by way of peer-to-peer networks. Included in the list of documents found are "The Pentagon's entire secret backbone network diagram, complete with IP addresses" and "physical terrorism threat assessments for three major U.S. cities". The fright night doesn't end there; many corporate documents were also discovered, including board minutes, launch plans, growth targets and patent information.

Their networks are set up well, but their configuration management is Swiss cheese

Too much energy is being placed on network perimeter defenses. Those who still believe that a good perimeter wall solves the problem need look no further for proof to the contrary.

Eric Johnson is a professor at the Center for Digital Strategies at Dartmouth College who testified before the House Committee on Oversight and Government Reform regarding this issue of inadvertent information disclosure.

Quoting from the NetworkWorld article:


"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said.

Mr. Johnson paints the picture perfectly: the problem is not with the networks but with the overall configuration and compliance strategy. There is a classic use case in managing PCs that proves the difficulty of the situation.

The use case

The IT department configures and deploys systems based on a common operating environment. This includes hardware, an operating system and software, all configured to a known gold standard. When that device leaves the hands of IT, it instantly changes, and it changes in many unpredictable ways. Even with a good set of centralized administrative controls like Group Policy Objects on Windows, extraneous business needs lead to weaker controls. For example, many enterprises permit the user local administrator access to the system in order to install patches or run legacy applications. Not to mention that not every organization is running Windows Server 2003 with Vista on the endpoints. These reasons and many others open the door for people to install applications, make changes and quickly diverge from the IT gold standard.

Continuous Compliance

Beginning with the gold standard is a must, but more importantly, once the device leaves the nest of IT, it must be continuously monitored. This is one job of the vulnerability, configuration and compliance strategy.

According to the story at hand, the information was inadvertently leaked using peer-to-peer file-sharing applications. If the device had been under continuous configuration monitoring, then an application such as LimeWire or Kazaa would have been discovered and reported to the security operations team for investigation.
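The use case and the continuous compliance point above come down to one mechanism: diff what an endpoint looks like today against the gold standard IT shipped, and escalate anything that matches a prohibited application family. The following is an added example written for this page, not nCircle's code or product logic; the gold standard, the endpoint inventory, the prohibited-software patterns and the ticket priorities are all constructed for illustration, and in practice the inventories would come from an agent or a scanner and the lists from policy.

```python
"""Continuous configuration compliance: detecting drift from the IT gold standard.

Added example, not nCircle's code. It compares the software inventory IT
shipped on a build (the gold standard) with what an endpoint reports today,
and flags anything matching a prohibited application family such as the P2P
file-sharing clients named in the post. All data below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed gold standard for a laptop build: product name -> version.
GOLD_STANDARD = {
    "Microsoft Windows XP Professional": "SP2",
    "Microsoft Office": "2003 SP3",
    "Symantec AntiVirus": "10.1",
    "Adobe Reader": "8.1",
}

# Constructed prohibited families, matched against product names.
PROHIBITED = {
    "p2p-filesharing": re.compile(r"limewire|kazaa|bearshare|emule|bittorrent", re.I),
    "remote-control": re.compile(r"vnc|logmein", re.I),
}

# Constructed inventory pulled from one endpoint after months in the field.
SAMPLE_INVENTORY = {
    "Microsoft Windows XP Professional": "SP2",
    "Microsoft Office": "2003 SP3",
    "Adobe Reader": "8.0",   # older than the build: the update never landed
    "LimeWire": "4.12",      # P2P client installed by a local administrator
    "iTunes": "7.2",         # unapproved but not prohibited
    # Symantec AntiVirus is absent: the user uninstalled it
}


@dataclass
class DriftReport:
    host: str
    added: dict = field(default_factory=dict)       # name -> version
    removed: dict = field(default_factory=dict)     # name -> expected version
    changed: dict = field(default_factory=dict)     # name -> (expected, actual)
    prohibited: dict = field(default_factory=dict)  # name -> family

    @property
    def compliant(self) -> bool:
        return not (self.added or self.removed or self.changed or self.prohibited)


def classify(product: str):
    """Return the prohibited family a product name falls into, or None."""
    for family, pattern in PROHIBITED.items():
        if pattern.search(product):
            return family
    return None


def check_drift(host: str, baseline: dict, current: dict) -> DriftReport:
    """Diff an endpoint inventory against the gold standard."""
    report = DriftReport(host)
    for name, version in current.items():
        if name not in baseline:
            report.added[name] = version
        elif baseline[name] != version:
            report.changed[name] = (baseline[name], version)
        family = classify(name)
        if family:
            report.prohibited[name] = family
    for name, version in baseline.items():
        if name not in current:
            report.removed[name] = version
    return report


def triage(report: DriftReport) -> str:
    """Ticket priority for the security operations team (constructed scheme)."""
    if report.prohibited:
        return "P1"   # prohibited software present: investigate now
    if report.removed:
        return "P2"   # a gold-standard control (e.g. AV) is gone
    if report.added or report.changed:
        return "P3"   # unapproved change, review in the normal cycle
    return "none"


def run_example() -> DriftReport:
    return check_drift("LAPTOP-042", GOLD_STANDARD, SAMPLE_INVENTORY)


if __name__ == "__main__":
    r = run_example()
    print(f"{r.host}: compliant={r.compliant} priority={triage(r)}")
    for name, family in r.prohibited.items():
        print(f"  PROHIBITED {name} ({family})")
    for name, version in r.removed.items():
        print(f"  REMOVED    {name} {version}")
    for name, (expected, actual) in r.changed.items():
        print(f"  CHANGED    {name} expected {expected}, found {actual}")
    for name, version in r.added.items():
        print(f"  ADDED      {name} {version}")
```

Run against the constructed inventory, the report flags LimeWire as prohibited, the missing antivirus as removed, Adobe Reader as changed and iTunes as an unapproved addition, and the triage comes back P1. The point of the separate `removed` bucket is that a control IT relies on disappearing (antivirus, a host firewall) is a finding in its own right, not just noise in a list of differences.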

This is the latest security challenge, and every organization must tackle the possibility of loss of confidential information and intellectual property. Continuous monitoring has to be addressed as a component of a layered, proactive strategy.


July 31, 2007

nCircle at BlackHat

Quick note for anyone at BlackHat this week.

nCircle is a sponsor at BlackHat USA 2007. There is a contingent of us at the show. Stop by the booth and say hello.

September 6, 2007

The Security Trickle Down Effect

Sarbanes-Oxley, ISO 27002, GLBA - what do they all have in common? Yes, each contains, at least in part, an information security standard or regulation. From an applicability perspective with respect to business size, relatively few small or medium-size businesses are directly mandated to conform to these or other standards and regulations. Even though it is the upper end of the medium-size businesses and large businesses throughout that are affected by mandated standards, the smaller companies are still being affected by a trickle-down movement.

The trickle-down effect was originally coined as a marketing term to describe the availability of consumer goods among socioeconomic classes. As new, highly desired products were put on the market, their initial high price tag meant only those with discretionary cash could afford them. Eventually, over time, the product penetrates all markets as the price drops, thus trickling down to its full market reach. Those familiar with Reaganomics will find the term "trickle-down economics" common rhetoric - providing more working capital to the top-tier businesses trickles cash down to the lower working class. Many other trickle-down models have been explored; one which seems to be in play today is that of information security.

The typical profile of an nCircle customer is a multinational, global enterprise or a local, state or federal government agency. These are the entities at which regulations like SOX, FISMA and GLBA are targeted. It's also the same subset that employs standards such as COBIT and ISO 27002. Each of our customers has lengthy contractual security agreements that each of their vendors must adhere to. These in turn have been driven by their required regulations and standards. nCircle likewise returns the effort by ensuring its vendors employ meaningful security measures. The outcome is a security trickle-down effect.

Selling to these enterprise and federal organizations has altered the way my team addresses security at nCircle. While our strategic and tactical methods for controlling risk met every stipulated requirement, we lacked organized and fresh documentation. Today, our policies, procedures and records are much better kept. We have an official InfoSec team, executive-approved SLAs and up-to-date standard procedural documentation.

What's more interesting are the ways in which our customers' requirements influence nCircle's vendors. Any potential vendor to nCircle must disclose their information security practices to us. We take a graduated approach depending on what information the vendor may have access to. Depending on the risk the vendor might pose to us, and likewise to our customers, the third company must answer anywhere between 20 and 100 questions before they are evaluated by the InfoSec team. We are proud to see these vendors step up their own information security practices to meet our requirements.

While it might be hard sometimes to look beyond the security breaches of Fortune 500 companies and federal agencies and see that security is moving in a positive direction, the same is still said of the Reaganomics era. The actions of our customers, of nCircle and of our vendors when it comes to driving information security can, to some degree, be attributed to a trickle-down effect. There is no doubt in my mind that a handful of our vendors would be left behind if it weren't for their wanting nCircle's business. The technical tools, policies and procedures that a company uses to reduce risk are still a valid competitive value-add. Security is getting better, and one driving factor is that of a trickle-down effect.

March 5, 2008

Do Your Vendors Have Information Security That's Aaa Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets, investors rely on analyst reports and metrics, often simply referred to by the company providing the metric - Moody's, Morningstar, Fitch and others. As an investor, these rankings and metrics generally weigh heavily in your decision factors. However, we have no security index or rating system. If, as a consumer, you had a choice to take a loan from two companies with differing security index ratings, you might think twice. Would you want to risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will soon be announcing its own Vendor Information Risk Rating Service, according to this article in CSO Online.

As a security manager, I can't wait for the day when this tactic is mainstream. The amount of time, resources and lost opportunity given to individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more so, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

March 28, 2008

Defining America's Most Trustworthy Companies

In Newsweek, Daniel Gross said there is a growing "crisis of confidence" when it comes to Wall Street. The evidence is readily available - the fall of Bear Stearns, the subprime mortgage mess and consumer confidence declining to new lows. For the second year, Audit Integrity provided its annual data to Forbes, which has published it as the "most trustworthy companies". Audit Integrity claims to have an objective means of analyzing a company to deliver an accounting and governance risk score. What that means, simply stated, is something like, "those companies that play by the rules and take few risks when it comes to creative accounting get a higher score". A higher score is supposed to equate to a higher level of trust.

While it's the market data that gets the majority of the headlines these days, it's the careful words now being used that get my attention. Words like: confidence, trust, trustworthy, fear. Sound familiar? They are the exact same emotional words we use in information security.

And while this blog isn't intended to discuss financial market stability, it is about risk management. For us in the information security world, open your eyes; there is a giant event happening outside the bubble of your office. Trust is at an all-time low. If you've been in any services-oriented group, infrastructure or operational setting for a while, you've probably already witnessed what happens when trust is lost - it's never regained to the level it once was.

To accept a vendor's information security practices is, to some degree, to say, "I trust you". Is that an accurate description of what just happened? Or are you, as the person held responsible for ultimately keeping your company's information secure, actually thinking,

"Our information security due diligence process that took months (and way too much money) derived some kind of fallible rating that didn't fall into the bottom of the failure category. As such, we can do business, but I'm going to hand over reams of documents and disclaimers to some legal team which now has the job of limiting our risk by contractual risk avoidance disclosures".

We don't enjoy apathy or lackluster personal performance. And we don't relish the requisite current toolset either. Yes, we have regulation. Yes, we have defined standards, and we also have auditors, reports, disclosures and exceptions. And yes, we are supposed to use all that to provide the business guidance in determining the best route to deliver the upside, reduce risk and keep costs down.

While Audit Integrity's list of America's Most Trustworthy Companies might seem hard to grapple with for an information security professional, the idea itself gives this infosec person hope that one day I might see a similar list of America's Most Secure Companies. Though infosec still has many years of maturing to do before we can start deriving standards-based scoring anywhere on par with the financial models. Hopefully, though, we can learn from this crisis of confidence and not repeat history.

April 8, 2008

nCircle at RSA This Week

nCircle is at RSA this week and we have remote control helicopters. Let's face it, people like to get free stuff at conferences. So come by the booth and learn how to get yourself one of these very cool RC helicopters.



And while I have your attention, we also have two employees speaking this week.

When: Friday, April 11 at 9:00 AM - 9:50 AM
Title: Using Game Theory to Outmaneuver Your Opponent
Location: GREEN ROOM 102
Speaker: Tim Keanini


Technology Showcase Presentation
When: Wednesday, April 9 at 11:30 AM
Title: Effective Scanning for Production Web Applications
Location: Booth 2603 (lower right corner of the show floor)
Speaker: Tim Erlin

About Security Industry

This page contains an archive of all entries posted to Sync in the Security Industry category. They are listed from oldest to newest.
