Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Mitigating the impact of organizational change: a risk assessment

Published: 2012-12-18
Last Updated: 2012-12-18 17:41:52 UTC
by Dan Goldberg (Version: 2)
0 comment(s)

 

 

It is a well established fact that insiders and employees can be the largest threat to an organizations information security. Management and organizational change and decisions can exacerbate these insider risks and due to poor management introduce new unanticipated threats as well. Organizational change can take many forms such as mergers, relocations, or closing of facilities. 
 
During these changes risk profiles increase and technical staff who are responsible for managing these risks are often not as focused as they would be during more normal times. This is a situation that management has to recognize and plan for before contemplating change to the organization. Management is not well known for listening to technical staff on these topics.
 
Movement of a portion of a company when poorly planned and organized can lead to loss of key staff, additional poor planning, and loss if institutional knowledge, and ultimately loss of revenue related to loss of confidence by customers, or damaged customer relations. 
 
The primary elements to organizational redesign are:
  - Time line
  - Key roles
  - Project plan and milestones
 
Having a realistic time is the best place to start. Knowing what facilities are required, and where they are required and making sure they are in place when needed will smooth out any change. While not directly related to information security, planning for office moves which involving construction, have to  include time lines for getting permits, and construction delays. Mitigation plans for facilities that are not ready are part of the up front planning as well. When people are relocating this can cause delays as well as a different attention level from staff as they make their own living preparations.
 
People will show up expecting to do their jobs the way they did prior to a move. Presumably people are either living in a new place, or new to the company. In either case certain processes will take longer due to the newness of location, office space, or integration of new employees.
 
Identifying key staff roles in advance is critical, this is a task best performed at lower levels, high level managers and owners don't have the visibility of what roles are really critical. Ensuring that continuity of key roles is preserved either the role is filled with either someone relocating or a new staff member with time to onboard and learn the organization before major change takes place reduces risk of significant changes, particularly when that change is within the new staff members department.
 
This entire process should really start by examining the steps and milestones that need to take place and ensure the amount of time needed for each step is clearly understood prior to embarking on the change path. The old adage that too much change at one time is poor engineering applies to many companies across the board.
 
To mitigate risks procedures and documentation needs to be maintained at all times rather than in the midst of change. This includes knowing who the key architects for information systems are, and ensuring that those roles are spread across multiple individuals. Planning for change needs to include staff members at all levels to make it successful. Additionally involving staff may even increase the number of staff members who make the transition as an added benefit. 
 
this is included rather than endorsing any of these articles or companies specifically.
 
To illustrate this point: I was recently involved in a team which at full strength had 6 engineers and a technical manager. Through normal attrition and a facility relocation, the team was down in strength to 2 members with time in service, and 1 new member. The team was required to maintain a full work load which at full strength required careful management. At this understrength level the team was expected to keep the full work load and relocate a primary datacenter (which had no alternate). The move was expected to take two days and be fully operational on the third. They pulled it off, working for three days straight with many challenges and making compromises in structure and probably security to get it done. Will they remember all the compromises they made and close them in a reasonable time? Will they be motivated to resolve any issues? As a business owner, manager, are you willing to bet your business on that fact?
 
0 comment(s)

All I Want for Christmas is to Not Get Hacked !

Published: 2012-12-18
Last Updated: 2012-12-18 15:45:45 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

With the holidays coming up, you might think it's time to stop thinking about security, malware and generally anything to do with work.  Unfortunately, in the area of security, the holidays are not the time to let your guard down.  It's always fun to see the up-tick in malware over significant holidays, because the malware authors plan for the time windows when their targets (that's you and yours) and the AV vendors are at reduced staff levels

So, what should Corporate IT folks be thinking about?

Before your users go home for the holidays, ensure that everyone has their Antivirus set up to auto-update over the web.  In some corporate setups, AV clients update from a corporate server.  If your user community is all offsite over the holidays, they won't get their updates when they need them the most.  Which means that some of your users will come back in January infected, and (likely) with their AV turned off by the malware they've picked up. 

Similarly on the OS Side - if your users are using WSUS or some other central update service, you likely want them to either update over the internet, or force them to VPN in to get updates.  There's nothing like a zero day loose on your corporate network to make for an exciting January!

If you are on the security team, keep track of your system logs.  In particular, keep track of backup logs and IPS logs.  Even little stuff missed over the holidays does nothing but get worse over the two weeks we have off!

Think about spam.  We're all expecting a flood of e-cards in our mailboxes from friends, family, customers, vendors, and other people we do business with.  Mixed in with these expect to find some malware, and maybe even some new, ingenious malware.  It's a good idea to send a note to your users to let them know to look out for spam that might get past the filters.  Remind them that if a website or an email attachment tells them that "they might be infected", they should close that window or maybe even instruct them to reboot to kill it (you'd be surprised how many folks will press "OK" to close a window).

Think about new devices.  Off-brand picture frames have come with malware in the past, but you could just as easily see malware on cameras or those keychain picture frames.  Really, anything with a USB port that might be infected, even stuff you might not think about like USB powered remote control helicopters and cars - - yes, some of your users will plug these into their corporate laptops to charge, even if there's a charger in the box.

Your users will absolutely come to back to work with new tablets, mp3 players and phones - all of which "must" have a network connection.  If you don't already have a plan (and a written policy) for dealing with these, you may have an uphill battle ahead of you (or maybe it's a battle you might have already lost)

Whatever it is, if you're in IT, expect an evil present or two from your users in January.

What should you be thinking about if you're at home, and you're NOT in IT?

Well, all the same stuff.  Be sure that all the computers at your house are updated, and have up-to-date AV protection.  Think about e-cards and other holiday spam and malware when you open mail.  Think about USB and network attached devices after it gets unwrapped and eveyone wants to start plugging cables in.

And think about your extended family who might be calling you after "everything got really slow on our computer after Christmas, right after we uploaded our pictures to that new picture frame".  

Because we all know that even if we're not in the IT department at work, we're certainly an "IT department of one" after we get home !

Have a good, safe holiday everyone !

===============
Rob VandenBrink
Metafore

0 comment(s)
Diary Archives