Tuesday, October 7, 2014

Week 7 - Of models and practices

     The discussion area for this week is security management models and security management practices.  Security management models describe the rules of the road, giving guidelines for designing information security for an organization.  Many security management models begin as frameworks that are used to create detailed blueprints for implementing information security.  The framework approach allows an organization to select the relevant items to include in a blueprint, resulting in a customized information security model.  There are also generic blueprints available as security models from third-party vendors that give an organization a head start on defining its own.  Once the security model is defined and a plan is made for implementing it, or better yet while that plan is being made, consideration must be given to how the effectiveness of information security will be measured.  This is the point at which security management practices must be considered.  Measurements, or metrics, must be taken for key processes and activities to ensure that information security is being performed in a manner whose benefit to the organization exceeds its cost.  Before measurements mean anything there must be an understanding of what a measurement is expected to be.  This can be established by benchmarking, reviewing what similar organizations or an industry expect a measurement to be, or by baselining, where the current performance of a process is measured and that result becomes the standard against which future results are compared.  Both methods have their challenges but are useful when starting from scratch.  Adjustments can be made as learning takes place over time; this is in fact a standard method used with metrics in other management areas, where a range is used to define success and the range is then narrowed over time to encourage continuous improvement.
     So, your organization has its security management model in place, security management practices are defined, and best practices, industry practices and regulations are being followed.  What happens next?  Lately the answer has been a security issue that comes out of the blue, one that no one had seen or considered previously.  The latest example is the so-called "Shellshock" bug found in the widely used Bourne-again shell (Bash) that ships with Unix and Linux operating systems.  These operating systems run much of the Internet's server infrastructure, and Bash is also the default shell on Apple Macs and is present in many other devices.  In the c|net article "Bigger than Heartbleed: Bash bug could leave IT systems in shellshock" on September 24, 2014, Claire Reilly discusses the ramifications of this new bug and how widespread its effects could be.  The most concerning aspect of this bug is that it had been in place for over 25 years, passing through numerous code reviews by both the original author and subsequent reviewers as changes were made.  There is little any organization can do to prevent this type of flaw, regardless of the models or management practices it puts in place.  At best, rapid installation of patches to correct the problem is the only way to address it once it is known.  What other options do organizations have to protect themselves in this situation?
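The bug itself is easy to reproduce, which is one reason it spread so quickly. Bash imported shell functions from environment variables whose value began with "() {", and the flaw was that after parsing the function body it kept going and executed whatever commands followed. The script below, an added example that is not part of the original post, wraps the widely circulated one-line check for the original Shellshock bug (CVE-2014-6271) in a function so the result can be acted on. The variable name passed to it is arbitrary; the default "x" and the alternative HTTP_USER_AGENT used in the usage note are this example's own choices, the latter because a CGI web server copies a request's User-Agent header into exactly that variable before running a script.

```shell
#!/bin/sh
# Added example, not from the original post: probe the local bash for
# the original Shellshock bug (CVE-2014-6271).
#
# Mechanism: the child bash sees an environment variable whose value
# starts with "() {", treats it as an exported function definition, and
# a vulnerable version then also runs the trailing "echo vulnerable".
# A patched bash only defines (or refuses) the function and prints
# nothing extra.

shellshock_status() {
    # Name of the environment variable carrying the payload. Any name
    # works on a vulnerable bash; "x" is just this example's default.
    name="${1:-x}"

    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-not-found"
        return 0
    fi

    # The function body "{ :; }" is a no-op; only the trailing command
    # after the closing brace matters for the test. stderr is dropped
    # because patched versions print a warning about the ignored
    # function definition attempt.
    out=$(env "$name=() { :;}; echo vulnerable" bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Run the check with the default variable name and then with a name a
# CGI web server would set from an attacker-controlled request header.
shellshock_status
shellshock_status HTTP_USER_AGENT
```

The check is local, but the exposure that made Shellshock a headline was remote: anything that placed attacker-controlled strings into environment variables and then invoked bash (CGI scripts under a web server, DHCP client hook scripts, ssh ForceCommand restrictions) turned the bug into remote command execution. Two practitioner caveats: the first Bash patch was found to be incomplete and a second round of patches followed within days, so a system should be re-checked after each update rather than assumed fixed; and inventorying which services hand untrusted input to bash is the compensating control available while patches are pending.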
     A number of years ago several authors started a program that paid students who found errors in their textbooks.  The result was that the accuracy of the textbooks improved over time.  Google has run a similar program for its Chrome browser since 2010.  Seth Rosenblatt, writing for c|net on September 30, 2014 in a story titled "Chrome bug hunters, Google's giving you a raise", highlights some of the successes of this program and states that Google has paid out $1.25 million for the identification of over 700 bugs.  The maximum bounty has now been raised to $15,000 from $5,000, with the bottom of the range remaining at $500.  In the past Google has also exceeded the maximum for especially significant finds.  Is this something other companies should be considering, and would putting an army of bug finders to work reduce the surprise bugs such as Heartbleed and Shellshock that have already come up this year?  There have been incidents in the past where those locating bugs have attempted to blackmail companies into paying them before disclosing the details.  Perhaps a better arrangement would be to have representation, an agent of sorts, who could contact companies and negotiate a reasonable payment for bugs located.  Looking back at the retail credit card breaches that have come to light over the last year due to malware being loaded onto point-of-sale devices, would the affected companies have been better off had the attacker been paid to identify these problems instead?  They surely had security models and security management in place, but to no avail.  Offering a commission to researchers is something to consider adding to the security landscape.
