Human response to changes in risk


Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.

This has far-reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk. Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them. It all comes down to perceptions. With Wilde's theory, if a high risk is perceived then users will be more cautious and that is where the security-minded organization wants to be. So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?


ISO 27000 compliance primer

The last two articles on compliance have covered the Health Insurance Portability and Accountability Act (HIPAA) and the ramifications of that bill on healthcare providers and business associates and the Payment Card Industry Data Security Standard (PCI-DSS) which provides guidelines for securely handling credit card and related personal data.  This article outlines the ISO (International Organization for Standardization) 27000 and its benefits for organizations.


ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts. The first part of BS 7799, dealing with the best practices of information security, was incorporated in ISO 17799 and made part of the ISO 27000 series in 2000. Part two, titled "Information Security Management Systems – Specification with Guidance for Use", became ISO 27001 and dealt with the implementation of an information security management system. The third part was not incorporated into the ISO 27000 series. Similar to ISO's 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a certain level of information security maturity.

Overview of the ISO 27000 sections

The six parts to the 27000 series each deal with a different area of an Information Security Management System (ISMS). This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for an ISMS. An overview of what the series deals with can be found in the table below.

ISO 27000 Series

ISO 27001  ISMS requirements
ISO 27002  ISMS controls
ISO 27003  ISMS implementation guidelines
ISO 27004  ISMS measurements
ISO 27005  Risk management
ISO 27006  Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard.  ISO 27002 builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.  ISO 27003 provides details on the implementation of the standard including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can monitor and measure security in relation to the ISO 27000 standards with metrics.  ISO 27005 defines the high level risk management approach recommended by ISO and ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for "establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements defining the organization's security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within or for those leaving an organization.
  • Physical and environmental security – physical/tangible systems used to protect systems and data such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

Within the ISO 27001 document there are specifications to which a company's ISMS can be submitted for potential certification. The certification process begins after an accredited organization finds that the corporation has met the requirements as outlined in ISO 27001. Once this organization determines that the company has met the requirements of ISO 27001, the certification is granted. Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential that demonstrates the company meets the requirements of this well-recognized standard. It also gives employees and clients more assurance that their data is safe with the company. In some cases, companies may require ISO certification in order to do business. The ISO 27000 standard contains many useful recommendations and companies are encouraged to familiarize themselves with them, even if they do not plan on becoming certified. The standard itself must be purchased; however, qualified compliance practitioners can assist with the preparation for the compliance effort.


ISO 27000 is comprised of six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional but it may soon be a business requirement.

A cybersecurity employee profile

As you laugh at my title, anticipating several paragraphs of satire, think about what I've just said because I'm actually serious…to a degree. These traits, mostly viewed in a negative light, can also be harnessed to deliver better security solutions. Just remember that little trick of moderation. Observe.

The Paranoid:

The first of these unlikely traits is paranoia. Security professionals are called to be somewhat distrustful of people and wary of their actions. The security professional's circle of trust is limited because he or she must be watchful for suspicious or malicious actions that could constitute a threat to company employees, data and systems. After all, insiders constitute one of the largest threats to information security. Combined with proper security training, this individual will raise the level of security in a company, thus saving a company headaches and hardships down the road. While a multitude of threats need to be considered, not all may be acted upon. This is where paranoia must be moderated by logic by using a risk-based approach to consider threats and then determining the likelihood of each occurring and their impact to the organization.

To elaborate, the paranoid security professional considers many possibilities that others might not.  For each of these possibilities, no matter how far-fetched they might seem, they must determine if it presents a real threat to the organization by determining the likelihood and impact.  If the threat does present an unacceptable risk to the organization, action will need to be taken to reduce the likelihood of the threat, minimize the impact or transfer the risk by implementing a security control or changing a process, etc.  Many things considered by the paranoid might be easily eliminated because they do not present enough of a threat but the act of identifying such things will enable your organization to be better prepared.

Mark Burnett provides a further illustration in his article Security for the Paranoid.  He says,

"I frequently see people posting PGP signed e-mails to security mailing lists…they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important."

In other words, security professionals who always practice security will not neglect it accidentally when it is necessary. It is important to be vigilant. For example, locking your computer every time you step away from it will prevent you from accidentally not locking it one day. You may think you will only grab a cup of coffee and be right back but what happens if you are pulled into a meeting before you get back to your desk? In other words, it is better to create the habit of security when it is not necessary in order to be secure when it is necessary. At JURINNOV I call it my Security Pattern. Such "paranoid" security professionals, who consider all options, exercise caution and practice security always can be a great asset to your team.


The Skeptic:

The second of my rather marginalized set of personality traits is skepticism. The skeptic does not take the claims of software, hardware, vendors or even users at face value. The skeptic understands that software claims are often idealized and that hardware may not perform to specifications so they consider ways to ensure availability when such problems do occur. Similarly, when a user gives a reason for a security violation the skeptical security professional tests the theory to determine if that is indeed the cause or if something else is wrong.

The skeptic questions assumptions and seeks confirmation of claims. A recent article from the US Air Force Academy, titled Promoting Skepticism in the Security Classroom, not only recognized the importance of skepticism in security but advocated a project geared to promote skepticism. The project taught students about how digital signatures could be used to validate the identity of others but then tricked them into downloading malware that sent digitally signed messages from their machines to the professor without their knowledge. The experience caused them to be more skeptical and to consider that simply digitally signing emails is not enough to ensure authenticity of the message.

Skeptical security professionals avoid many pitfalls in implementing security solutions because they do not assume security where it is not present.  They confirm that security solutions work as expected, they implement procedures to handle failure cases and they understand the implications of changes made to systems.


The Cheater:

There is a reason why the cheater was saved until last. This characteristic is the most overtly negative of the three and its value will take some explaining. In the Star Trek series, a test called the Kobayashi Maru was administered to Starfleet cadets to measure their decision-making ability. They were given a no-win scenario and the test analyzed their ability to recognize this. Captain Kirk beats the test by cheating and altering the rules of the game. Not only did he recognize the no-win scenario but he thought out of the box to come up with a solution. An article in the IEEE Security & Privacy journal references this test and explores the value of studying cheating methods. Researchers gave students a test they could not pass but encouraged them to cheat. If they were caught cheating or if they did not cheat, they would fail the test. Those who did cheat were then asked to describe how they passed the test. The students came up with a variety of interesting ways of circumventing security.

Likewise, security professionals need to consider how users and attackers might bypass security measures so that security controls can be improved. For example, a security guard is required to look at a photo ID for each person entering the building and compare it to a list of authorized persons. Most people show a driver's license. One day an attacker shows a student ID and is granted access since their name is on the list. Since the policy did not say that a government-issued photo ID was required, this person was allowed access without it, but student IDs are much easier to fake. If security professionals consider scenarios like this then they can create better policies or enact controls to prevent such occurrences.

Attackers will seek out ways around security controls.  They do not have to act according to company policy nor should they be expected to.  They are after your data and they will seek the easiest way to their goal.  Protecting organizational data requires thought into how systems or procedures might be compromised.



Today, I looked at some characteristics for information security employees that are not normally considered. Your first inclination might be to think we've gone crazy. Why in the world would anyone or any company want to hire a paranoid, skeptical cheat for anything, let alone something as important as information security? This pessimistic list may seem far-fetched, even comical, but these attributes help secure companies from external and internal infringement. The cheat thinks like those who attempt to destroy or steal company secrets. Paranoia in conjunction with skepticism keeps security professionals vigilant and thwarts people looking to mount an attack against a relaxed system. Lastly, individuals with these characteristics ask the questions necessary to keep systems secure. Just look for these traits in moderation.


For more information:

Paid Paranoia: Hiring Security Experts

Security for the Paranoid

Insider Threats


Basic Cisco security configuration for routers, switches and firewalls

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks so it is important to understand ways to improve the security of these devices as part of your information security program. Within this article three basic access controls you can implement on any Cisco device will be discussed. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of my more advanced articles on Cisco and information security.

The three basic access controls you can implement are as follows:

  • Set passwords for all methods of access
  • Encrypt the enable mode password
  • Encrypt passwords stored in the configuration

Set passwords for all methods of access

Cisco devices can be managed in a number of ways. The device can be managed by using the console, auxiliary line, virtual terminal, or asynchronous serial lines. A brief description of each of these lines is necessary. Each of these lines can and should be configured with a password so that none of them will provide unauthenticated access to the network device. You can configure passwords for the devices using the following commands issued from global configuration mode. This can be accessed by entering enable mode (typing "enable" or "en") and then typing "configure terminal" or "config t". Note that the prompt changes from router> to router# when you enter enable mode, and to router(config)# once you are in global configuration mode.

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

The console port is a physical RJ45 connector that is located on the device. It is configured for sending serial data. Using a Cisco console cable you can connect the serial port on a computer to this console port on the Cisco device to perform administrative tasks. You can set a password on this line by issuing the following commands. In this example I set the password to consolepassword. The first line puts you in line configuration mode so you can configure settings for the console line. The next line sets the password. This is followed with the “login” command which tells the device to prompt for the password. The last line puts you back into global configuration mode.

router(config)#line con 0
router(config-line)#password consolepassword
router(config-line)#login
router(config-line)#exit

The auxiliary line or “aux” is also a physical port on the device and it is a backup to the console port. It can be used in much the same way and therefore must be secured in the same way. Note the example below where I set the password to auxpassword.

router(config)#line aux 0
router(config-line)#password auxpassword
router(config-line)#login
router(config-line)#exit

The virtual terminal or “VTY” lines are virtual lines that allow connecting to the device using telnet or Secure Shell (SSH). Cisco devices can have up to 16 VTY lines. You can determine how many VTY lines you have by issuing “line vty 0 ?” from global configuration mode. This example has 16 lines and it sets the password to vtypassword.

router(config)#line vty 0 15
router(config-line)#password vtypassword
router(config-line)#login
router(config-line)#exit

The last method of managing a device is with asynchronous serial lines. These are enabled by installing an asynchronous serial card into the router. These lines can be used to connect terminals or modems to the device. The commands for configuring a password on the asynchronous lines are similar to the above commands, but the lines are usually assigned to a logical group and then this group is configured. For example purposes I will assign the interface to group 1 and the lines 1 through 8 to it.

router(config)#interface group-async 1
router(config-if)#group-range 1 8
router(config-if)#exit
router(config)#line 1 8
router(config-line)#password asyncpassword
router(config-line)#login

Encrypt the enable mode password

Enable mode is a privileged mode on the device that allows you to modify major settings on the device. An important information security step is to ensure that a password is required to enter this mode. This password is called an enable password. Furthermore, the password should be encrypted. Unencrypted passwords can be revealed in plain text to unauthorized users if someone executes a show running-config on the device. Note: the show running-config command does not need to be executed from enable mode. Set an encrypted enable password with the following command from global configuration mode:

Router(config)#enable secret insertpasswordhere

Encrypt passwords stored in the configuration

Just like the enable password, other passwords are stored unencrypted by default and could be viewed by issuing the show running-config command. Also, you may be storing Cisco configurations somewhere on your network and if you do, others might be able to access them and view your passwords if they are not encrypted. It is important to make it a practice to encrypt all passwords on the device. One command encrypts the rest of the passwords and is as follows:

router(config)#service password-encryption

However, this command encrypts the passwords using a rather weak algorithm, type 7, which can be reversed to reveal the password. This link provides a Perl script that will decrypt type 7 passwords.

Because of this, an alternative to type 7, called type 5 encryption is available. To encrypt the passwords using type 5, issue the above service password-encryption command and then for each of the methods of access mentioned earlier in the article add “5 encrypted-secret” to the end of the line as follows:

router(config-line)#password consolepassword 5 encrypted-secret
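As an added example (not code from the original article), the following Python script audits a constructed show running-config excerpt for the three controls above: it flags any console, aux, vty or async line without a password or login, an enable password used in place of enable secret, service password-encryption left off, and every type 7 password, because type 7 stays reversible even after encryption is switched on. The configuration text, the type 7 strings and the enable secret hash are all constructed placeholders for the demo.

```python
import re

# Constructed excerpt of a weak running-config; not from a real device.
WEAK_CONFIG = """\
no service password-encryption
hostname router
enable password cisco123
line con 0
 password consolepassword
 login
line aux 0
 password 7 094F471A1A0A
line vty 0 15
 password vtypassword
!
"""

# Constructed excerpt after applying the three controls; the enable secret
# hash is a placeholder and the type 7 strings are constructed values.
HARDENED_CONFIG = """\
service password-encryption
hostname router
enable secret 5 $1$PLACEHOLDER$hashgoeshere
line con 0
 password 7 094F471A1A0A
 login
line aux 0
 password 7 094F471A1A0A
 login
line vty 0 15
 password 7 094F471A1A0A
 login
!
"""

def parse_lines(config):
    """Map each 'line ...' section to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the section
    return sections

def audit_config(config):
    """Return (severity, finding) tuples for the weaknesses present."""
    findings = []
    lines = config.splitlines()

    # Control 2: privileged mode must be protected by 'enable secret' (MD5).
    if any(l.startswith("enable password ") for l in lines):
        findings.append(("high", "enable password used instead of enable secret"))
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append(("high", "no enable secret configured"))

    # Control 3: service password-encryption must be on.
    if "service password-encryption" not in lines:
        findings.append(("medium", "service password-encryption is not enabled"))

    # Control 1: every line needs a password and 'login'; type 7 is still weak.
    for name, cmds in parse_lines(config).items():
        pw = next((c for c in cmds if c.startswith("password ")), None)
        if pw is None:
            findings.append(("high", f"{name}: no password configured"))
        else:
            m = re.match(r"password (\d) ", pw)
            ptype = m.group(1) if m else "0"  # no type digit means clear text
            if ptype == "0":
                findings.append(("high", f"{name}: clear-text password"))
            elif ptype == "7":
                findings.append(("medium", f"{name}: type 7 password (reversible)"))
        if "login" not in cmds:
            findings.append(("high", f"{name}: 'login' missing, password never prompted"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} ---")
        for sev, msg in audit_config(cfg):
            print(f"[{sev}] {msg}")
```

Running it against the hardened excerpt still yields three medium findings, one per line, which is the point of the article's warning about type 7.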


This article presented you with three basic things you can do to better secure access to your Cisco devices. They are (1) Set passwords for all methods of access, (2) Encrypt the enable mode password, and (3) Encrypt passwords stored in the configuration. Remember that this is only a basic step but an important one. Look for further articles on Cisco information security to better protect your networking equipment.

For further reading

Cisco Router Configuration Tutorial 

Using Modems with Cisco Routers

How do I decrypt Cisco Passwords? 

Cisco IOS Software Release 12.2T: Enhanced Password Security document

Increased control over data flows using Data Loss Prevention

Data Loss Prevention (DLP) is one of those terms that is often mentioned but less often defined. The term can be as ambiguous as its scope which can be both large and small. So what is DLP and why does it matter?

Data Loss Prevention (DLP) is an effort to reduce the risk of sensitive data being exposed to unauthorized persons. Data is extremely valuable to organizations. Just think of trade secrets, financial information, research data, health information, personal information, source code or credit card numbers and you begin to understand both the value this data holds for the organization and the threat its unauthorized disclosure would pose to a company. Data loss prevention focuses on this threat by enacting controls to limit access to and distribution of data. DLP still establishes controls to restrict outsiders but it has a major focus on controlling the usage of data within the organization.

Information security efforts have historically been focused on preventing attacks from outside the organization. Controls such as firewalls, network segmentation, and extensive physical controls try to keep the bad guys out but this is only part of an information security framework. Numerous studies (see further reading below) have identified the weakest information security link as human error or insider threats.

Content Filtering

One method DLP uses is content filtering. Content filtering blocks communication leaving the organization by filtering instant messages, emails, file transfers, web pages and many other data transfer methods. DLP programs need to be able to work with many different data types and transmission methods. For example, a user may email a sensitive Word document, store it on an unencrypted flash drive or download it to a mobile phone. Each of these scenarios and thousands more need to be handled by DLP.
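As an added illustration (not from the article), here is a minimal outbound content filter of the kind described above, written for the credit card numbers the article lists among sensitive data: it finds digit runs in a message body, keeps only those that pass the Luhn check to cut false positives such as tracking numbers, and reports a blocked message with the number masked so the alert itself does not leak the data. The sample messages and addresses are constructed.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Keep only the last four digits in any alert or log line we emit."""
    return "*" * (len(pan) - 4) + pan[-4:]

def filter_message(sender, body):
    """Decide whether an outbound message may leave: returns (allowed, reasons)."""
    pans = find_card_numbers(body)
    if not pans:
        return True, []
    return False, [f"{sender}: blocked, card number {mask(p)} in body" for p in pans]

# Constructed sample outbound traffic: a tracking number (13 digits, fails Luhn),
# a real-looking test card number, and a number that fails the checksum.
SAMPLE_MESSAGES = [
    ("alice@example.com", "Order ref 2024-0917 shipped, tracking 1234567890123."),
    ("bob@example.com", "Please charge the card 4111 1111 1111 1111 for the invoice."),
    ("carol@example.com", "Backup ID 4111-1111-1111-1112 restored last night."),
]

def run_filter(messages):
    """Apply the filter to each message; return sender -> allowed."""
    return {s: filter_message(s, b)[0] for s, b in messages}

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        allowed, reasons = filter_message(sender, body)
        print("ALLOW" if allowed else "BLOCK", sender, *reasons)
```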

The first step is to determine what data needs to be protected. Above I mentioned trade secrets, financial information, research data, health information, personal information, source code or credit card numbers. These are just some examples of the data an organization holds. Organizations need to determine what to protect and to what extent it should be protected by determining the criticality of each type of information to the business and the loss the organization would incur if the data were to be disclosed to unauthorized entities.

Once the organization understands what it needs to protect, data loss threats to this data can be identified along with effective controls to mitigate such threats. One way to more effectively identify threats is to consider the different states data can be in. These states are as follows:

Data at rest - data that is stored such as data in databases, file shares, backup tapes, laptops, or external storage devices. Data at rest is an important state because it is here that data spends most of its time.

Data in motion - data that is being transmitted from one location to another. As data changes state from being at rest to being in motion it may become unencrypted or travel over an insecure network. This is why it is important to look at this phase.

Data being accessed - data that is being used by a user such as an open Word document, a report being viewed in a conference room, or statistics displayed on a cell phone widget. Data being accessed has already passed many information security controls so it is available to the authenticated user. It may be available to others as well. Threats such as shoulder surfing, unlocked and logged-in desktops, and printouts on a desk are all potential ways data can be exposed.

Case study

Let’s consider a case study for one type of data so that data loss prevention becomes clearer. A small business determines that financial data needs to be protected. The financial data is stored in a database that is attached to a managerial portal on the company intranet. Accountants use a custom application to input financial data into the database. Each week, managers generate reports and store them on a shared drive. The database and the shared drive are backed up nightly to tapes that are stored in a vault at the company headquarters.

This case study already identified the financial data as something that needs to be protected from disclosure. The company further specifies that financial data should be available only to managers, accounting staff, executives, the IRS, and outside auditors.

First, I will look at the data at rest. The data is stored in the database, file server, and on backup tapes. Data loss prevention can protect the database by limiting the accounts that can directly access the database and by assigning the minimum level of access to each account. The information security data loss prevention system would next establish strict access controls to the file server share and the file server itself. We need to consider the administrative access to the server because anyone who can log onto the server with administrative credentials will have access to the shares as well. Administrators will need to be restricted to one of the groups identified as having access above. Tapes could be encrypted and stored in a separate area from less sensitive data.

Next, I look at data in motion. The data is in motion when it is accessed through the intranet. Granular access controls could be established for intranet access and the communication channel could be encrypted.

Lastly, data being accessed would include viewing reports through the intranet or updating accounting data by accountants. Client side caching of data would need to be restricted as part of the data loss prevention system. The accountants also interface with the data through the custom program. This program would need to be evaluated for any information security holes including developer access to financial data. Now what would prevent managers from storing the financial reports on their local machine? With the information given, I do not know if this happens but it would need to be addressed possibly through a policy stating that the reports cannot be stored locally or by encrypting local hard drives.

This simple example addresses only a small part of data loss prevention. A true information security analysis would include much more than this, such as whether computers accessing the data contain malware or what to do if financial data is emailed or sent via instant messaging. Additionally, it is not enough to just say that data should be encrypted. A detailed design needs to be specified for the encryption if the data loss prevention controls are to be effective.

Bruce Schneier points out the importance of a well architected data loss prevention design in his June 2010 article “data at rest vs. data in motion” where he discusses encrypting credit card information for use in a website.

If the database were encrypted, the website would need the key. But if the key were on the same network as the data, what would be the point of encrypting it? Access to the website equals access to the database in either case. Security is achieved by good access control on the website and database, not by encrypting the data. 

Bruce Schneier

Those implementing data loss prevention need to have a good understanding of how to architect information security controls and to implement controls in layers so that if one control is compromised another control still prevents data loss. Remember, information security is only as effective as its weakest link.


This article introduced you to some of the complexities associated with data loss prevention. Data loss prevention is a worthy goal and an excellent information security initiative but it requires high-level decision making from the beginning and a comprehensive analysis of threats and controls. An understanding of the workflow surrounding organizational data and a detailed design for each control are also imperative if the controls are to be effective.


For further reading

Human error biggest threat to computer security 

IT security: the human threat

Security special report: The internal threat

Insiders cause most IT security breaches, study reveals

Data at rest vs. data in motion