Blogs are really pretty awesome things. For one, they are a means to continually provide fresh,
dynamic content to your users. Also, they help your site get indexed and build authority as they are essential for SEO!
Content satisfies the people visiting your website, and it also satisfies search engines! Having solid content
makes your marketing work a hell of a lot easier. So the biggest piece of the marketing puzzle is in place. It's vital to think this strategy through before starting another campaign. This makes the whole content and marketing process more streamlined and will in the end enable your message to reach your clients more effectively. You should not underestimate the importance of giving yourself room. Having wiggle room allows for steady changes to your approach along the way.
Then, rather than pushing something unnecessary to your users, you can give them something that will stick.
You'll give them something they can identify with and be inclined to share with their friends and colleagues. Perhaps they'll even be inclined to work with you later on!
Having a promotion strategy that is excessively rigid isn't wise because it leaves no room for solid improvisation. Being able to change your marketing approach will lead to more sales and deals.
20 Jan 2015
I essentially predicted that the market for cards would drop off and that "hackers" would start looking at stealing other information. Remember that, in most cases, they have access to the entire network. All the juicy intellectual property is theirs for the taking. They could, as happened with Sony Pictures, steal stuff like unflighted movies and human resources data. They just don't.
It is like a thief who breaks into a house and ignores all of the expensive electronic equipment and collectibles and steals only the cash because cash is already useful and the other stuff is too much trouble. Now, imagine if the cash is not lying about but is locked up in a vault. Maybe the thief will reconsider the other stuff. Once he has to put some work into the job, he may as well make it worth his while.
The reason why I was correct in my prediction but had my timelines all wrong is that I overestimated the ability for companies to secure their monetary assets (mainly credit card information). It has taken until now to get to the point where the money is, if not in a vault, at least not stuffed in a mattress.
The many high profile attacks last year where credit card information was stolen are, IMHO, the dead cat bounce of this kind of attack. The thieves are getting their last good hacks in before security is tightened up. The Sony attack is the start of the next wave, where intellectual property is stolen instead.
It would be almost impossible to track down a buyer but holding information ransom is already becoming a viable business with the "cryptolocker" type of attacks. Cryptolocker is more a scorched earth type of attack - it encrypts everything and holds it all to ransom. More specialised attacks may target certain types of high value information assets. They may, as in the case of Sony, decide to release these assets onto public networks where it is impossible to "put the toothpaste back in the tube".
[The South African State IT Agency awarded former provincial top cop Mzwandile Petros's company a R10m deal to recover three stolen laptops. Even at this price, they may not get them back. Intact. With all the data. I have a better plan.]
Now, friends hiring friends aside - they must have come to that figure somehow. It is assumed, especially now that this has hit the press, that the management of SITA must value the information on the three laptops at more than R10 million. Let us say R12 million. The hardware costs do not even come into it; they are so small as to be insignificant. So each laptop has about R3 million worth of information on it. (More likely is that they all had the full information set on them.)
So either, the information is so secret that they don't want it to leak, or so irreplaceable that it would take R10 million worth of work to get the information back. Or better - R10 million to try and get the information back.
So, how could SITA have done this better and cheaper? They could have gone to Incredible Connection. They would have found multiple software packages. One I chose at random (and have no idea how good it is, nor have any affiliation) is Norton 360. It retails for R350. It is SOHO software and not enterprise software but it should still do the job. They would have to buy three copies and I'm not sure if the I.C. staff would maybe give them a bulk discount. So, call it R1000. Plus R1000 for someone to install it. Let's bump that up to R40k for someone to install it (this being the government and used to paying big money for things to happen).
According to the website - "Automatic backup takes care of your photos, music, and other important files and backs them up to a disc, USB device, or online to one of our secure data centers. Protects files you back up online with government-grade encryption."
Oh, we need a USB device or a disk. Let's assume that R10 million of data is a lot of information, maybe more than 16 Gigs, but if it is on a laptop then probably less than 2 Gigs. So, a Western Digital 2TB portable hard drive to back up stuff onto with Symantec's "Government grade encryption". Another R2200 times 3 is R6000. I am assuming that the place where they keep these R3 million laptops has some type of secure storage, otherwise Makro has a safe for R1500. Plus, say, R40000 for someone to install the safe.
So, if the laptops go, there is still a backup in a safe. Even if they forgot to backup that day or the day before... no organisation comes up with R10million worth of information in one day. If they could do that then the next day they would just come up with it again and laugh about the lost laptops. So, first issue sorted.
I assume that the laptops are running Windows 7 so that full disk encryption is built in and just needs to be turned on. Alternatively, scrap the Symantec and use Kaspersky which has all the backup software and also full disk encryption, both government grade and pretty impenetrable.
So, anyone who gets hold of the laptops will have to format them because they are not getting the information out. Second issue gone.
Let's work out the cost -
Software - R1500
Hardware - R6000
Safe - R1500
Installation - R80000 (but R4000 would probably be more realistic)
So, round it up to about R100000 (this is government!) but it could be done for under R20000.
The advantage of my solution is that it is guaranteed! You will have your information and no one else will. The R10 million solution has no guarantee at all.
So, SITA, give me R10million minus R100000 and we'll call it quits. Heck, give me R5million.
The sad thing is that SITA is an IT organisation. They should know this. They should actually be preaching the above. They should be guiding the rest of the government on how to manage information. The word "information" is in their title. Of course, so is the word "State" and that is why they would rather spend R10 million on hopefully retrieving 3 lost laptops rather than R20000 protecting the information on them in the first place.
[TL/DR version: Is it ethical to "connect" with an interviewer on LinkedIn during the hiring process?]
As a professional and a contractor, my name is my most important asset. So therefore ethics are everything to me. This is especially important because of the fact that I am an Information Security professional and usually have access to information that is confidential. I need to be trusted.
When I first started with LinkedIn, even if I knew all of the interviewers for a job application, I wouldn't look at their profiles. I could - but I wouldn't.
Eventually, after reflection, I did look at their profiles but wouldn't refer to anything in them lest they think I was spying on them.
More recently, it has become so normal to "research" the interviewers to the point that if you don't look them up in LinkedIn then you are seen to be uninterested. Some employment agencies actually supply the LinkedIn profiles or URLs as part of the job specification.
My question is simple - is it encouraged/discouraged/ethical/unethical to send a LinkedIn connection request to an interviewer? When is it good to do it? Is it an unfair advantage? If you land the job, could it be seen as cronyism? Or is LinkedIn professional enough that your contacts are not necessarily your friends?
If the interviewer accepts, what is the protocol? Can you talk directly to them while they are deciding on the position? Should you take that opportunity to talk to them maybe making yourself more human and more of a person than a "candidate"?
Many articles on "how to land that perfect job" (on LinkedIn, it is usually "X things you are doing wrong in job interviews and how to fix them") usually promote the idea of a "follow up" which cements you in the interviewer's mind and makes you their preferred candidate. Can you use LinkedIn to do the same?
One other thing is that some of the people I have met while looking for work have been the most interesting and insightful people and are certainly the type that I want to add to my list of contacts. I usually wait until I hear how the decision went and then send a request.
Am I being over cautious? Am I shooting myself in the foot while all the other candidates are jumping in as fast as possible to make a good impression and I seem uninterested?
Following on from my last post, this is a practical way of using the extensions I proposed for the Security in Depth part of SABSA.
It gives an example of creating a Firewall Standard using the extensions.
I found this to be easier to do with a presentation than explaining it on the Blog so there you go.
Please let me know if you have any comments on this process.
Also, note that I am still looking for a job, preferably in Information Security Management, Compliance or Information Security Architecture. Have a look at my LinkedIn profile for more information - http://au.linkedin.com/in/allenbaranov
SABSA is brilliant. In one short week, I had my head expanded to exploding point. I highly recommend it to any Security person who is looking to understand more how what they do impacts on a Business.
What is very interesting is that Business people understand risks. That is what they do. They understand governance and they also understand (to complete the GRC triad) compliance. They may just not understand IT-specific risks, controls, etc. Usually IT is structured so that the Business talks to the CIO or some form of "Business Specialists" who represent IT to the Business. But the CIO usually doesn't understand risks and the Specialists almost certainly don't. IT is not keen to wheel out the Security guys to talk to Business, but SABSA is a useful tool to help all three parties - IT, Business and Security - to talk positively and come up with real solutions.
One of the really clever features of SABSA is that when it comes to "Attributes" which are basically "things the company would want to have" - they are all positive. "We want to put these controls in place so we don't fail our Audit" is not as good as "If we implement these controls, we will be totally compliant". "If we don't fix the authentication issues, someone may hack us and change stuff" is not as good as "If we fix the authentication issues, we will have a higher level of comfort around the integrity of our financials." A Business person hearing that will hear "blahblahblah..comfort..integrity..financials" and will give you at least some time to explain the "blahblahblah". Brilliant.
All fired up after the course, I was thinking about how to write Standards so that they would have a similar level of positivity in their descriptions. The first Standard I turned to was the Firewall Standard. I then looked at the SABSA Strategy-in-depth sheet and it was obviously a "Prevent" control. (Or Preventative, even.) But that is the default state of a Firewall and has the same effect as unplugging the cable from the Internet router. You are essentially preventing everything... this is very safe... but not very useful, obviously. So, we open rules for traffic that is allowed. This is necessary and fits in with the whole SABSA features of "business driven" and "risk and opportunity based". So, for this to work - there should be a positive to each of the negatives for the Strength-in-depth controls.
"Prevent" was easy - the opposite is "Allow". So, working from this - a Firewall Policy is a combination of negative and positive controls that allow good traffic flow and prevent bad traffic flow. Restating that - "We have a Firewall with a policy/rule-base/control-list that blocks bad traffic so as to allow good traffic to enable good business transactions".
Spam-control - "We prevent spam at the border and allow good mail to flow inside our network to make management of mail more efficient, cost effective and keeping staff motivated."
I chose to group these actions as "Enforcement".
That was quite easy... what about "deter"? Well, deter is informing "users" of what not to do and what the consequences may be. The opposite is informing users what they can do and informing them of the benefits of connecting. My choice of word for this is "invite" and the group is "negotiate". This can cover more than just MOTDs and logon warnings. Once you add the positive aspect to it, it can cover Acceptable Use Policies and Terms and Conditions.
The interesting thing is that once you define "Negotiate" and "Enforce" and add in the positive aspects - they also flow easier - once you negotiate that someone may use a certain system - you remove the enforcement that denies them access and allow them to access the system within the limits of what was negotiated.
So, those are the first two controls in the strategy - the easier two. The others are "contain", "detect and notify", "evidence and track","recover and restore" and "assure". My feeling is that "assure" is the odd one out. It is almost a meta function of this process. In programming terms we would have an API that feeds what we are doing into the next level for assurance. "The Firewall is blocking all bad traffic and allowing all good traffic" is assurance. So for each control we need to consider "assurance" but I don't believe it deserves a category all of its own.
Moving along, I have had some difficulty in working out the positive aspects of the other controls. "Contain" is like an ad hoc post-breach denial of a certain type of traffic or user or system. This could fall into "Enforcement" as "Post Breach Enforcement", which would have the positive being "allow known good traffic or systems or users to operate without being influenced by known bad traffic, which is contained (denied access to the known good systems)."
I have grouped "Detect and notify" into "Activity Monitoring". If it is a good transaction then it should be detected and the service can be performed on it. If it is a bad transaction then it should be detected as such and the correct person should be notified in a predefined timespan.
"Evidence and Track" can be done for all traffic. This is "Traffic monitoring". Bad traffic should be recorded and analysed. Good traffic should be baselined and services improved accordingly. I have called this "Traffic Monitoring" but I think it can be used for all types of actions. However, I believe it to be more general than Activity Monitoring, which looks at a specific event in depth, whereas this applies to a broader stream of activities. "Activity Monitoring" would notify of a user locked out of their account. "Traffic monitoring" would notify of a number of strange attempts to guess passwords across the organisation.
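To make the Activity Monitoring / Traffic Monitoring split above concrete, here is an added example (my own illustration, not code from the post or from SABSA) that runs both kinds of check over a few constructed authentication log lines: a lockout is reported as a single event, while one source failing against many accounts in a short window is only visible when the stream is aggregated. The log format, field names and thresholds are assumptions.

```python
"""Activity Monitoring vs Traffic Monitoring over constructed auth log lines.

Activity Monitoring looks at one event in depth (a user locked out).
Traffic Monitoring looks at the broad stream (password guessing across
many accounts). The log format and thresholds are assumptions for this
example, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
# "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2015-01-20T08:00:01 LOGIN_FAIL user=alice src=10.1.1.5
2015-01-20T08:00:03 LOGIN_OK user=alice src=10.1.1.5
2015-01-20T08:05:10 LOGIN_FAIL user=bob src=203.0.113.9
2015-01-20T08:05:12 LOGIN_FAIL user=carol src=203.0.113.9
2015-01-20T08:05:14 LOGIN_FAIL user=dave src=203.0.113.9
2015-01-20T08:05:16 LOGIN_FAIL user=erin src=203.0.113.9
2015-01-20T08:05:18 LOGIN_FAIL user=frank src=203.0.113.9
2015-01-20T08:05:20 LOGIN_FAIL user=grace src=203.0.113.9
2015-01-20T09:30:00 LOGIN_FAIL user=heidi src=10.1.1.7
2015-01-20T09:30:05 LOGIN_FAIL user=heidi src=10.1.1.7
2015-01-20T09:30:09 LOGIN_FAIL user=heidi src=10.1.1.7
2015-01-20T09:30:12 ACCOUNT_LOCKOUT user=heidi src=10.1.1.7
"""


def parse_log(text):
    """Turn the raw lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, src_kv = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event": event,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def activity_alerts(events):
    """Activity Monitoring: every lockout is a specific event that must be
    reported to the right person. One alert per lockout, no aggregation."""
    return [
        {"kind": "activity", "user": e["user"], "src": e["src"], "time": e["time"]}
        for e in events
        if e["event"] == "ACCOUNT_LOCKOUT"
    ]


def traffic_alerts(events, min_accounts=5, window=timedelta(minutes=5)):
    """Traffic Monitoring: no single failure is interesting, but one source
    failing against many distinct accounts inside a short window is.
    Returns at most one alert per offending source."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window over this source's failures, counting distinct users.
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append({"kind": "traffic", "src": src, "accounts": len(users),
                               "first": fails[start]["time"], "last": fails[end]["time"]})
                break
    return alerts


def baseline_good_logins(events):
    """The 'good traffic should be baselined' half: successful logins per user."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_OK":
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in activity_alerts(evs) + traffic_alerts(evs):
        print(alert)
    print("baseline:", baseline_good_logins(evs))
```

Note that heidi's three failures never trip the traffic check (one account only) and the spray from 203.0.113.9 never produces a lockout event, so each check catches something the other cannot.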
"Recover and Restore" is very important but I haven't applied a positive aspect or generalisation to it just yet. I think it deserves more thought.
So, in summary - here is my list with the original SABSA strategic controls - my generalised groups and the additional positive strategic controls.
This is still a work in progress so any comments or creative criticism would be appreciated.
I haven't used this model in any practical applications but I am keen to as soon as possible.
Information Security, like any other profession or specialisation has a lot of technical confusing terms and jargon. It has tools that only experts can use and statistics that only the same experts can read. It creates a brotherhood (and sisterhood) of professionals and this is fine.
But, also like other professions, Information Security has its borders of knowledge and its dark scary patches. "Thar be dragons!" Or pirates, or the end of the earth. Or (back to Security) APT. Or super skilled haxors with l33t everything. The guys that can escape jails and sandboxes. They can string single characters together to create small but dangerous stack attacks where there is no stack. And evade DEP and take over phones that don't allow even good programs to do naughty things.
These are the stories that Information Security professionals tell each other. These are the stories they tell their kids over camp fires and only at night and slowly and carefully. Each. Word. Leading. To. The. Next . Scary. Word.
But the reality is quite different. Most doctors that I know, even GPs and only the good ones, have specialities and other interests (not Golf..) because, although they have been through many years of medical school, most of their patients are either suffering from a cold or flu and require either pain killers and cough syrup or antibiotics. The more interesting patients may suffer from allergies to penicillin but that is where it ends.
So it is with Information Security. While we worry about super-great hackers, the two biggest, highest-profile breaches of recent times have been via a Firewall backdoor in the Playstation network that relied on people not digging in their Playstations' code, and a trojan email sent to some non-technical staff at RSA Security that led to them recalling their entire product range, their devices having been used to break into some US government departments.
Verizon comes out each year with a report on major breaches across the world. Every year it tells the same story - they are opportunistic and not targeted and they are generally (68% in the 2013 report) easy.
So, if all Information Security is, is a lot of flu... what is the Vitamin C equivalent?
Websense is a company that specialises in border control systems. They are the guys you swear at when you can't browse Facebook at work. They also block a lot of nasty sites and can block secret documents leaving an organisation. They have a lot of systems out there keeping people browsing what they are allowed to. A lot. They gather a lot of information too. Like what version of Java people are running. They published this pie chart recently:
This is the spread of different Java versions that are used around the world, mostly in organisations but also by home users (and office staff who take their PCs home). The interesting thing about this pie chart is that if you are running anything but the version coloured dark blue at the top right or the thin red line next to it - you are at risk of downloading malware automatically. Let me rephrase that in my campfire voice - if you are not in the 5% of people running the latest version of Java in your browser, you can get infected by any number of types of malicious software (most that are out to steal your money or files) AUTOMATICALLY (fire crackles). You don't have to do anything to get infected, the website does it for you. More than that, your antivirus won't know about this "transaction" until it is too late. 5% of people in the world are safe from this. Simply because they are running the latest version of Java (which is free to upgrade.) That right there is your vitamin C. Patching Java (which 95% of people don't) will protect you from the flu. It won't protect you from interesting attacks but those are less likely to find you.
Do online attackers actually use Java? Yes, they all do, from guys looking to steal money, game credits and information, to large Government agencies, to groups like Anonymous and Lulzsec. Why? Because it's easy to attack and works against 95% of all browsers. Why wouldn't they use Java exploits?
Advice? Patch Java. And flash too. And Microsoft software. Then sleep happy.
Anyone who has spent enough time in Melbourne would have caught a tram and would have probably seen this poster:
It is a warning on the how dangerous it could be to be hit by a tram published in the interests of passenger safety by Yarra Trams.
My brain did a bit of a wobble and came up with this question:
"What would happen if magically each of the trams in Melbourne were to turn into 30 actual rhinos?" The worldwide numbers of rhinos are scary. They are so close to being extinct, so let's quickly look at them:
Javan Rhino - population is less than 60 individuals. Most of these rhinos are the Indonesian Javan Rhino subspecies. The Vietnamese Javan Rhino subspecies consists of 5 individual animals and may not recover. The Indian Javan Rhino is extinct.
Sumatran Rhino - population less than 275 individuals, with poaching on the rise
Black Rhino - population 3,725. West African Rhino species declared extinct in 2006. From 1980 until 2006, 14,000 were slaughtered by poachers.
Indian Rhino - population approximately 2,400, a conservation success story - but poaching is on the rise due to regional political instability
White Rhino: Northern White Rhino - it was reported on June 17, 2008 that the last 4 individuals were killed by poachers. Southern White Rhino - 14,000 surviving, due to conservation efforts
So if 1 Melbourne tram turned into 30 rhinos.... it would only take 2 trams for Melbourne to have half of all the Javan Rhinos in the entire world.
It would take 10 trams to turn into 30 rhinos each for Melbourne to have as many Sumatran Rhinos as there are in the world.
It would take only about 120 trams for Melbourne to have as many Black Rhinos as there are in the world. Poachers have killed about 500 trams worth of rhinos recently leaving us with only 120.
There are about 466 trams worth of White Rhinos left in the world.
Yarra Trams have a rolling stock (according to Wikipedia) of 487. So if each of these had to change into 30 real rhinos that would leave Melbourne with 14610 rhinos.
The population of Rhinos would almost double! That is how few of these iconic and beautiful animals are left.
Also, depending on which type of rhino the trams turn into would probably determine how the city itself would react.
White rhinos are pretty relaxed ("no worries") and would generally just stroll around looking for some grass to eat like some large, grey, horned cows. They would do this in herds of about 15 - so a tram would yield 2 herds.
If the trams turned into Black Rhinos then Melbourne would have a bit of a problem. It would have a quarter of all Black rhinos in the world which would be an amazing thing for conserving this magnificent beast (if only!) but these are very angry and aggressive animals. They will charge for no reason and they can show what their horn can be used for (not decoration or medicine). They are also territorial and will fight each other. They can also run at speeds of about 50Km/h. On top of all of this - the city would be impossible to get out of because the roads would be blocked by huge beasts, there would be no trams, and walking and cycling would be dangerous.
But at least the people of Melbourne would be privileged to see this beautiful beast before it is relegated to zoos or killed off totally.
White Rhino just chilling at the State Library of Victoria
[IT is out to kill the business - Business is out to kill IT. We all win!]
My dad has essentially worked for 2 companies in his 50 or so years in business and had he not emigrated, he probably would have stayed at one. I worked at 2 companies in just my first 5 years of full time employ. And this is not strange. No one viewed me as unstable or a "job hunter". It is just the way it works.
"Knowledge workers" moving companies is not something new with the average length of service to one organisation being about 3 years. I've heard that this is tending toward 2 years or even 1 year. Where will this trend lead?
It was only when I started compiling my most recent CV that I realised just how busy I had been over the 4 years that I was employed at my previous employer. But I still managed to have spare time. It would have been amazing if I could have done what I was doing but for 2 companies at the same time with both paying me for the output. Or even better - doing half of what I was doing but for 3 companies with another person doing the other half for 4 companies. There is only so many ways an "ISO 27002 compatible Antivirus standard" can be written and only so many variables that can be manipulated. All companies need to patch and all need to do so in the same time period so an "ISO 27002, Cobit and ITIL compatible Patching Process" would be almost identical for all of them.
Good thinking Allen, but there is a word for this - "Contractor". Exactly. And my employer had many contractors. And Australian businesses seem to have many more. But my argument is that the trend toward using more contractors can actually get to the point where there are no permanent employees in a company.
None.
I love the word "company". We are so used to using it that we never actually look at the word itself. "Corporation" is the same. A bunch of like-minded people coming together to keep each other "company" and do something positive. So... let's explore that. A loosely joined "web" of people coming together and using technology to collaborate on a set of ideals. This sounds like a web-board. I haven't seen one yet but I could certainly label the idea of a "cloud company" as "plausible". Crowd sourcing an entire company including funders, workers, salespeople, delivery people, cleaners, security (the physical type... do we even need them if there are no premises?), management, etc. And since everyone is a contractor, SLAs are important and everyone is measured. You don't need layers of management - you just need clear outcomes. If the whole thing falls apart then everyone just leaves. If it works then the whole process is repeated. There is no workplace and no work hours. There is no receptionist but there may be someone hired to communicate with the outside world and they would need to be available during office hours. (Or this could be outsourced with a follow-the-sun communication plan.) Imagine a company that is working 24 hours and that can be contacted at any time.
The interesting thing here is "who owns the intellectual property?" The general processes and procedures and "intellectual property" such as "patch management", "how the phone should be answered", "how is the product packed" and "how fast should it be delivered" could belong to the individual contractors. The IP that I am interested in is the "core IP". The recipe for the product, the design of the product, the trademarks etc.
So, using technology and IT, it is possible to have a company with no "company". No buildings, no desks, no "office hours", no front desk, no lawn to mow, no delivery vehicles, no office. Just a technologically connected bunch of like-minded people with a single outcome. The technology is available; we just need to use it, and companies have been dipping their toes into this slowly. This is something that doesn't happen overnight. But it is happening. One benefit is that the "employees" can work on a number of projects all at once. Or not. It is their choice, but using Facebook to waste time waiting for the end of the day is no longer an issue.
So... IT is out to kill Business.
Then we have the other trends which are mostly being driven from the non-IT part of the business. These are Cloud Computing, Consumerisation and BYOD. IT is brought in and asked to manage these, but these are all areas where the IT department has had full control and has had to relinquish some of it so that Business can work with the tools that they want, using services that they are familiar with, without the red tape that IT can spin when delivering an "enterprise ready" solution. Taking this further, is it possible that Cloud services could make it simple for Business to totally bypass IT altogether and put their own solutions together without bothering IT? This could range from "I have a new employee in my team. Let me just hook him up with a mailbox and a fileshare" to "I need a way to track my sales staff" to "I need a way to report on the company financials", etc.
Where does that leave IT? Well, in quite an interesting position. There should probably be someone to manage the services even if they are "cloud" or "PaaS". This also leaves IT in the interesting place where they become advisers to Business and architects. "Did you know that you can use this service to monitor your staff? No? I'll just hook it up for you. They offer 30 days for free." etc
So IT ends up being forced to talk "solutions" to business rather than "tech talk" and gradually manages the IT systems outwards until there is no IT department but internal IT consultants offering solutions to business people who own their own IT solutions.
Both of these scenarios are not exclusive - they can both happen. And are happening. And, in fact, feed off each other. The less red tape that business needs to deal with - the quicker they can create flexibility and allow work to be done by contractors. Some companies will take longer to get to "a loosely bound group of like minded people working toward a goal" without the traditional company holding them together but it will come.
This may sound like fiction but ask anyone 50 years ago about whether they would trust someone who moves jobs every 2 years and they would find it difficult to do so. Now it is normal.
So, (you ask) where does this leave Information Security? And I was hoping that you wouldn't have asked. It is not an easy thing to answer. This movement toward less central control will scatter the IT field (mainly) with concepts such as "Cloud", "PaaS", BYOD and "consumerisation". And IPv6 will just accelerate the change. In all of these cases we end up with less control and more freedom. But the controls don't go away. They just change. In fact, in some cases they get better. In some they get more complex, and in some the controls that were important but were overlooked become essential.
The information security team really needs to get more of an understanding of the company and who owns which piece of the process from raw material to money in the bank. Who owns what information and what can be ignored and what is the essence of the organisation - the IP that is so specific that the company is defined by it.
Forget patches and antivirus patterns. Those can be outsourced. Information Security is about working with the company to know itself and how the essence of the company can be protected from those that will do it harm. And we need to do it quickly while the company is still an entity on its own.
HD Moore's Law is a joke. And not a very funny one either being a pun and having a requirement of being very technical and requiring knowledge of the IT Security community just to get half way to understanding it. It usually requires the user of the term to explain why it is funny and that is a serious faux pas when it comes to jokes.
So, let me explain the joke. :)
Moore's Law is pretty well known. The majority of people know it as "computers will get faster each year" which is close enough to the actual definition as to be useful for making decisions such as "I don't need a PC right now, should I wait a bit?" The answer is "yes, if you wait then for the same amount of money you will spend now, in the future you can get a more powerful PC." Moore's Law.
(The actual law itself was coined by Gordon E. Moore from Intel who predicted that the number of transistors on a chip would double every 2 years.)
HD Moore created Metasploit, which is a framework for creating and running exploits. Being a framework, it is as clever as the person using it and can be used to break into anything with enough time and patience and understanding. However, it can also be used by someone with minimal knowledge and understanding to quickly break into a badly protected system.
This really divides attackers into two camps - dedicated and opportunistic. The controls to protect against both of them are very different but initially an organisation should be protected at the very least against opportunistic attackers. This is HD Moore's Law.
But the exploits available on Metasploit are always changing and the systems that can be attacked are expanding. There are modules available to attack PHP. This means that PHP falls into the "opportunistic" area of HD Moore's Law.
My question...finally....is this....
What level of patch does each and every type of software have to be at to avoid falling foul of HD Moore's Law? Does anyone know?
Because, jokes aside, (and it wasn't a particularly good one to start with) knowing that an organisation is not at risk from opportunistic attacks would be useful - more so than knowing ISO compliance or that staff are deleted off the system within .578 microseconds of leaving the organisation.
Then more dedicated attackers can be targeted using the controls aimed at them.
Habit 4 is the first habit to deal with “others”. The first 3 habits are internal – 4 is external.
Think “Win-win”. This is almost impossible for a security professional. Almost.
The issue is that every change to a system (from a lonely PC to a worldwide network) has some risk to the system itself and mostly in terms of availability. In some cases the risk is 100% - for example when a system needs to be rebooted after a patch is applied or even when a service needs to be restarted. It may be a quick reboot and it may be done during a patch window but either way someone needs to sit, sweating and biting their nails, while the box goes through the motions of starting up. In some cases the order that Servers are restarted is important.
I have been attending many job interviews recently and the one question that comes up very often (and for good reason) is: how do I (Allen specifically) manage teams where there is no will to perform security tasks. It is not easy; security generally does not get given the correct amount of authority to demand that the security tasks get carried out. Nor does the security team generally perform the tasks that are required to keep the organisation secure. Compliance does help (“The auditors are not going to be happy.”) but this sounds like a whiny way to force administrators to perform the security tasks, and since Audits are usually annual the Servers tend to be fully compliant once a year at audit time.
Generally, you need buy-in. The easiest way to do this is to live the values yourself. Is it really necessary to patch? Really? All the servers? What if we leave out a couple, maybe the production machines which are all running an older version of Windows? If you don’t have good answers to all of these questions (and by that I mean *good* answers) then how do you expect to be taken seriously? The thing I really like about the habits is that they all make sense but more importantly they make sense together. So understanding why you do something is a totally different habit. (Habit one.) Mastering that habit makes you surer of yourself when faced with these questions. It makes it easier to bring the people that count (in this case, the Administrators) around to be on your side.
Once you have buy-in from the Administrators (and their managers) you should approach them to come up with a viable (and practical) plan for performing their tasks. The amazing thing is how much better this works when it has been created by both the security team and the services team (or whoever is going to perform the security task). When the team knows upfront what is expected and when, can put the methods in place without surprises and has the backing of the security team, then the processes just flow.
Another place where this habit is important is combatting the idea of the “Dr No. Security Guy”. The idea of this is that Security should not ever be the guy to say “no” to a project or idea without fully thinking it through and trying to arrive at a win-win outcome. It should be a project that is useful to the business, not too expensive to implement and as secure as necessary. A good way of approaching a project that you believe would be too insecure is to start with “I agree that this may be a good idea for the business but I believe that the controls we would need to implement to secure this solution would make it too expensive for any benefits.” You then show what these controls should be and leave it up to the project sponsor to make a decision. Sometimes a project decision made with no thought like “we want it to be a PaaS solution” can be reversed when the security controls are included in the final design without scrapping the entire project. Example:
“We want the new solution to be PAAS”
“Why?”
“Because that is our project parameter”
“Um…ok…there are a few things we will need to implement though.”
“Like?”
“Well, for network security we will need to put in a Firewall and IPS and something to monitor them and collect the logs. We will need to do application security since this faces the entire world. We will need to set up someone to monitor all of the equipment. We will need to arrange with the service provider some time to do patching and general maintenance. We will need to do a physical security audit. We will need to have a monthly meeting with the service provider to discuss security controls. The Audit team will need to add this to their annual audit. Plus we will need to investigate the increase in bandwidth costs for us to be able to access the solution. After all that we may need to look at DR and BCP depending on the criticality of this solution.” -Pause-
“What is the alternative?”
“We host it inside our network where all the infrastructure is already in place and monitored and you have to pay very little for additional security infrastructure. If it helps, we can host it on a virtual machine and you can call it ‘private cloud’.”
Stephen R. Covey died on July 16, 2012. This is sad news indeed. I really liked his 7 habits work. It was (like ISO27002 and the like) a good framework but not a good standard. And therein lies its power. It is like powdered milk – without adding something you have nothing. I took the 7 habits and started (5 years ago!) to make a series called the 7 habits of highly effective security policies.
I got stuck at habit 3. I honestly have tried over the last 5 years to write a blog post that is acceptable to my standards on habit 3 but now that I reflect on it, it’s a good thing that this one is the most difficult. It is also the one that everyone should define for themselves. I believe this is the core habit and while the other habits are easy to adopt with practice, this one needs to be revisited often. It can’t become a habit. So, I am leaving this one out for the readers to do for themselves.
The only advice I can offer here is that as a security professional you will always have something urgent to deal with. You will always be reacting to the latest exploit in the news, the latest report from the auditors, the latest breach. There are new virus definitions every day and new patches every month. You are always reacting. You have to set some time aside for proactive security. For acting. How you do that is up to you but it has to happen.
I may revisit habit 3 in future but for now that is all you get…
[Almost every country in the world protects its citizens' personal information. Almost.]
This is an example of a Membership Application form that I needed to fill in to be able to rent a video. You'll notice that besides all the usual stuff, they have asked for my date of birth, ID number and employer. They need to know my next of kin, which is interesting... in case I die while hiring a video, at least they can get their video back. Not sure how it helps having my car registration number. I can just picture driving through a roadblock - "Mr Baranov... do you realise that your copy of Twilight is overdue by two days. For that I will give you a fine. Further, for even renting that video.. another fine."
The point is that there is a lot on this page that is unnecessary. Under the proposed Privacy Act, a company would have to be able to answer why each and every field is required for each and every form. Further, they would need to make sure that they protect your information to a reasonable amount of care. Further they would need to notify you if they suspect that your information is leaked. They would also have to contact you if they need more information or need to use the information for other purposes. And they would not be able to share this information with other companies.
Right now there is no legislation making it illegal for companies to share information (excluding credit information). This video shop could (I'm not saying they would) easily share all this gathered information with anyone they wanted and could even sell this information. Most people ignore spam sent to "Dear Sir" or such but spam made using this information could be sent to you and addressed "Dear Mr .....".
Also, since the company doesn't have to do any protection of information and doesn't need to notify anyone of a breach, this increases the risk of your information leaking. So let's look at two cases...
The information leaks and someone wants to infect your PC so they can use it to send spam or to use it to steal your money using something like Zeus... they send you an email addressed to you specifically looking as though they are from a garage. Since they know where you live, they can customise the email to be a garage in your area. They could also make it specify your registration number.... "Mr Baranov, I am from <Big Name Garage> in Blahblahville. Your car registration number EGG156GP was recently at our garage.....please look at this bill in pdf format". At this point you are either surprised or cross ("I never took my car to that garage!") Either way, you open the attached pdf to get more information and your PC is infected. You know not to open attachments from places you don't know but these people seem to know so much about you...
Alternatively, the thieves use the ID number to create a fake ID book. They use the employer information to create fake pay cheques and take out credit in your name. They have enough information above including your telephone numbers, address and even friends of yours. Even if the company granting the loan phones the company you work for, they would confirm employment ... "Yes, Allen works here"
I'm not picking on this particular video rental company (hence the company name is covered) because all companies from big to small collect more information than they need and don't necessarily protect it to the best of their abilities. Without laws in place they won't, because protecting customer information is difficult and costly and breach notification is embarrassing for a company.
Almost all countries in the world have laws protecting their citizens and their information. South Africa has one of the best based on bits taken from the best Privacy legislation from around the world. It is currently in Bill form so it is not yet approved and is not binding as a law. Anyone who is concerned about their personal information, is sick of spam and nervous about hackers taking over their bank accounts should want this law to be passed as soon as possible.
This is the third time I am writing this blog post because I just couldn't seem to get the thought straight and the tone and level right. My first two attempts took a whole bunch of text to say this:
Basically Firewalls came before NAT. NAT is a magic network concept that creates a type of one-way-mirror allowing devices on the inside of the firewall to establish a two way communication session without the other side knowing exactly what device is making the connection and devices outside the firewall can't establish a connection to devices inside the firewall.
(The above paragraph is not totally correct but it is correct enough and stops me having to type a whole networking 101 essay, which is beside the point of this post. If you know exactly what NAT is about then smile smugly; if you don't, accept that the above is "correct enough". Either way - read on.)
NAT is so effective that almost half (wild estimate) of hackers' tools and time and thoughts revolve around getting past NAT - the only effective way being to get the inside device to "dial out". (Think of the protection that NAT affords us as being a door that opens only from the inside; hackers concentrate on getting someone inside the door to open it.)
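The one-way door described above, as a small added Python model (not code from the original post): an inside host dialing out creates a translation entry, an outside host gets nothing until then, and the `restricted` flag (an assumption of this toy model, not a real product setting) shows the difference between a NAT that checks who is answering and one that does not. All addresses are constructed samples from the documentation ranges.

```python
# Added example, not from the original post: a minimal stateful NAT model that
# illustrates the "door that only opens from the inside" behaviour described above.
# All addresses are constructed sample values (RFC 5737 documentation ranges).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


@dataclass
class Mapping:
    inside: Endpoint   # the internal host:port that dialed out
    remote: Endpoint   # the outside host:port it dialed


@dataclass
class NatGateway:
    public_ip: str
    restricted: bool = True   # True: only the dialed remote may answer (assumption of this model)
    next_port: int = 40000
    table: Dict[int, Mapping] = field(default_factory=dict)     # public port -> mapping
    reverse: Dict[Endpoint, int] = field(default_factory=dict)  # inside endpoint -> public port
    dropped: List[Packet] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Creates (or reuses) a translation and rewrites the source,
        so the outside only ever sees the gateway's public address."""
        port = self.reverse.get(pkt.src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = Mapping(inside=pkt.src, remote=pkt.dst)
            self.reverse[pkt.src] = port
        return Packet(src=(self.public_ip, port), dst=pkt.dst, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Delivered only if an inside host opened the door first;
        anything else is dropped and recorded (the part a defender would log)."""
        mapping = self.table.get(pkt.dst[1]) if pkt.dst[0] == self.public_ip else None
        if mapping is None or (self.restricted and pkt.src != mapping.remote):
            self.dropped.append(pkt)
            return None
        return Packet(src=pkt.src, dst=mapping.inside, payload=pkt.payload)


def demo(restricted: bool = True) -> dict:
    """Walk through the cases the post describes and return what happened."""
    nat = NatGateway(public_ip="203.0.113.1", restricted=restricted)
    inside = ("10.0.0.5", 51000)
    server = ("198.51.100.7", 443)
    scanner = ("198.51.100.99", 4444)

    # 1. Unsolicited packet from outside: no mapping exists yet, so it is dropped.
    probe_before = nat.inbound(Packet(scanner, ("203.0.113.1", 40000), "probe"))

    # 2. Inside host dials out: a mapping is created and the source is rewritten.
    out = nat.outbound(Packet(inside, server, "GET /"))

    # 3. The server's reply to the mapped port is translated back to the inside host.
    reply = nat.inbound(Packet(server, out.src, "200 OK"))

    # 4. Someone else now tries the port the inside host opened. A restricted NAT
    #    still drops it; a full-cone NAT (restricted=False) lets it through.
    probe_after = nat.inbound(Packet(scanner, out.src, "probe"))

    return {
        "probe_before": probe_before,
        "seen_by_server": out.src,
        "reply_delivered_to": reply.dst if reply else None,
        "probe_after": probe_after,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("restricted" if mode else "full-cone", demo(mode))
```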
So, while Firewall rules and policies are weird and wonderful little twisty adventures, NAT pretty much makes them redundant.
And Firewall engineers know this (although may not admit as such). So, then, what is the point of this article?
IPv6 is coming and with it the loss of NAT. We won't need it any more. And we won't want it.
This is my opinion and the network security and general network engineers disagree with me. They argue that NAT is so useful that we will have it around for many years even once IPv6 becomes the norm. Either we will stick with IPv4 private networks inside and IPv6 networks outside or we will have IPv6 networks inside that will remain private.
I have three arguments against this and time will tell whether I am right or wrong.
1. The number of devices will explode. We are well on the way to this already but I think it will accelerate. We have the hardware, we have the software. We just need it all to become easy. So, look around you and imagine what would not benefit from being connected (ignoring security for the moment). Your car keys could beep when you SMS them - what a lifesaver. Your desk could sense when you are behind it. Your chair could auto adjust depending on who was sitting on it. Your desk calendar could be digital. The lighting above you could notify you when the light bulbs are due to run out. They could turn on and off depending on whether someone was in the room. Your desk phone would have an IP address and not a telephone number. That is a lot of IP addresses; now multiply it by the number of people in a site, then by the number of sites in the company etc. It is starting to add up to a lot of IPs, especially since companies are already struggling to allocate IP addresses just for the devices we have now. A company with 2000 employees where each one has 30 devices needing IP addresses would be testing the limits of IPv4.
2. "We are an X shop" is a joke. Most companies stick by the "we are a Microsoft shop" and so only allow Microsoft products. That is, until the CEO wants an iPad. A month after the iPad was released Gartner did a quick poll and three quarters of the CEOs asked had company issued iPads. How did the companies manage to roll out a proper policy in time, how did they do governance? How did iPads become a strategic tool? They didn't. The CEO asked and the CEO got. Then upper management, upper-middle management, etc. All of a sudden the iPad was a business tool. IPv6 devices that are connected will be so unbelievably cool in ways we can't even imagine now. They will be the cutting edge and they will make your CEO and all your staff so cool. And because they are connected, they will make them cool to their peers. And the ones that are portable - like the keys you can SMS - will work without a problem at the CEO's home but not on your antiquated IPv4 network. Guess what will happen then.
3. Management of IPs on an IP by IP basis will become difficult to impossible. So, where does this leave the network guys? How do you manage 30 devices per person? Should you even? Should these devices talk out of the network? What is allowed on the network? What is not? What should talk to what?
So, what does this mean for the Firewall? Well, I don't know. Already with NAT there are Firewalls that have way too many rules. They have rules that are never used, and those that are too big for their purpose. There are rules that are just plain dumb and ones that are highly critical to the business but no one knows how they were made or why just that closing them would stop business. What happens when everyone in a company has over 30 personal IP devices, some that are on a public network and some that are not, some that talk out, some that are talked to, some that talk amongst each other, some that dial out, some that are expecting connections from others, some that will be for safety reasons (think firefighting equipment that checks pressure on a minute-by-minute basis and phones home with the results), some that will be in use by the coolest people in the organisation (the marketing guys with thick black rimmed glasses), some that will be used by your CEO (and when they stop working, you get notified via the CIO who is pissed off that his boss is unhappy) and most that have some blatantly stupid vulnerability that script kiddies are constantly polling for. Oh, and lastly, this will all happen on port 80 by the way.
Mr Firewall, it is time for you to step up. IPv6 will set some challenges for you.
[PS. While writing this article I was wondering if it would not be a plan to actually scrap internal networks altogether and go for a "GPRS-type" network where everything is all in the open anyhow. How one would protect against vulnerabilities on the devices, I'm not quite sure. Also, you'd need to block your servers off from the open network... or they may be "in the cloud" already. Maybe every one of these devices would need its own little firewall. Discuss.]
I am currently searching for a job so if any of my dedicated readers know of anything...please let me know.
I have about 10 years of experience in Information Security and am currently an Information Security Analyst for The South African Breweries Ltd. I have built up a wealth of technical knowledge but my most recent experience is in management which means getting vendors to put security controls in place, risk assessments, awareness, security architecture, policies and related documentation, etc.
I am well known in the security community in South Africa for my passion about Information Security and willingness to talk at length about the topic.
I am looking for something along the lines of "Security Analyst", "Security Manager", "Security Architect" as I feel my skills would be quite appropriate for these or similar job titles.
My preference would be to stay in Johannesburg or Pretoria but I would be happy to consider anything in South Africa or even overseas.
I don't want to bore you with all my details but anyone who is interested or may know of someone interested, please can you email me at: baranov <at> elucidate <dot> co <dot> za and I will forward you my full CV and supporting documentation.
PS. Any job that would require "out of the box" thinking would be very highly considered. My favourite project was an awareness project that I did covering the topic "phishing" which I am particularly proud of and would elaborate on but I have to save something for the interview...
I figure the above is any geek's list. It certainly would be my list. So, having completed points 1,2,3,4 already it is time to work on point 5.
So, sub-points for this are –
It must talk
It must take orders
It must drive itself
It must come when I talk to my watch
It must be bulletproof
Turboboost!
So, point 5 has been done so let’s see about the other points:
Points 1 and 2 are done by Android already but Apple has taken it to the next level. I guess Google will take it even further. Naturally you’d need an Android device embedded into the car. Guess who owns Android technology? Google. The first commercial car radio was made by Motorola Mobility – Google owns them. So watch Motorola Mobility for a talking “box” that can also listen, chat and take orders. (So, I’ll check off points 1 and 2...)
Finally… a smart watch – check. It needs to be able to talk to the car – check. It needs to be able to pinpoint your position – check. (Actually, not sure if these have GPS but it is not unreasonable to expect that they do or will have soon). It also needs to be able to relay orders again – check.
So, put all this technology together and you have the ability to call your car via your watch and ask it to come to you and it will – all by itself.
The technology is all done… it is just a matter of putting it together. Take the car and make it bulletproof. Put run-flat tyres on it. (And cool black paint. And a funky red LED on the front.)
Now all the Google guys have to do is perfect Turbo-boost. And get Hoff-worthy hairy chests.
I wonder if Google will go into making helicopters that can fly faster than sound…? Maybe that’s next on their list.
He was one of the most influential computer engineers ever. I could go into details as to what he did but let's look only at how his work contributed to Steve Jobs becoming a household name.
Ritchie created the C programming language and with Ken Thompson, Ritchie created the Unix Operating System.
Without Unix, Jobs would not have had a basis for his NeXT language which Apple bought, bringing Jobs back into Apple and ultimately back into the CEO position.
Without Unix, Pixar would never have had Linux (derived from Unix) to do massive and cheap rendering. This means there would have been no Toy Story and all the movies that followed and no buy out from Disney.
Without Unix there would have been no base OS for iOS so no Operating System for the iMac, iPod, iPhone and iPad.
C on the other hand is the base of almost every modern programming language from C (itself) to C++ to Perl to Java etc. etc. No Java means no apps for the iDevices. It also means no cross platform applications like iTunes and no way to get Office to be on both Windows and iOS without having to write the entire program to work on each. Even worse - if programs like Office were written in Assembly (as was the norm before C) then you would have to get a totally new copy of the software for every device, even if you upgraded your PC from one processor to another.
To be fair, if Ritchie had not created Unix or C, someone would have probably jumped in and created something similar. Or one of the languages and operating systems around in the 70s may have been more successful and changed the world we live in like Unix has, but this isn't the case. Ritchie's contributions to the world have radically changed it and we will miss the inventor of these tools. It may be that Jobs was tasked with making some genius iDevices up in Heaven and he called up the one guy he needed to help him more than anyone else. A heaven without Unix.... doesn't make sense.
PS. On the other hand... Jobs's biggest competition, Android, would also not have been possible without Linux (based on Unix) and Java (based on C).
Just adding an extra point to my recent Blog post.
The question I posed in my last post about email sharing was triggered by Facebook stating that it is wrong for a person to mass move private details such as email addresses and telephone number etc to a new service provider without the person knowing. It is an interesting (and perhaps valid) argument which covers up what they would rather say which is "please don't move your Facebook contacts to our competition and set up an ecosystem (there must be a better word) there."
The point is that Facebook, through its partnership with Skype is forcing its users to do just what it is telling them they should not do with Google Plus.
I haven't used the Skype functionality in Facebook as yet so I'm not sure exactly how it works but from what I've read, once you use it once to chat through voice or video to a contact, it creates them as a contact in Skype. Essentially, by you chatting to someone over Facebook Video, you are creating a link to someone in Skype where one didn't exist before.
This really is very similar to what Facebook is arguing you shouldn't do by using automated ways of exporting Facebook contacts to create contacts in Google Plus.
Facebook is a business so one shouldn't be surprised when they choose profit over strange ethics but then expecting their users to abide by these ethics is a bit hypocritical.
So, someone gives you their business card with all their details. Can you load it on Outlook to make it easier for you to contact them? Can you add them to the phonebook on your phone? What if your phone gets stolen? Can you give it to a colleague? What if the colleague has some work for the person? What if the colleague is an annoying git? Can you give it to a salesperson who is selling something you think the person would want? Can you give it to a salesperson just to get them off your back?
Taking things further... Facebook argues that you do not have the right to take your friends' details off their network and use them on another network. Obviously Facebook have a vested interest in you not being able to move information off their network and tying you down, but do they have a point?
Of course, they've never had an issue before with apps sharing users' details and downloading friends' information.
But this is not to judge Facebook on their new awareness of privacy, it is to ask the question. Should someone be confident to move your personal information including you email address to any system that they want to? Or should they ask first? Or should they just not do it at all?
I really wanted to write something longer but this will do for now. I just want to get something out there that is not a tag-cloud.
Stuxnet and Spy Wars Patrick Gray from the Risky Business Podcast and Tony Olivier both spoke about a world that we are only starting to understand now, where Governments are playing with Information and changing the world with their own Malware and hidden online activities. Stuxnet, Anonymous and HBGary are all the catchwords that made each of these presentations fascinating. Richard Thieme continued and asked the big question - what side are you on? Tony urged the attendees to spread the word about what is happening as it is the Information Security community that is best equipped to understand what the implications are. Very interesting stuff.
Online Auctions Glenn Wilkinson did some interesting research into how online auctions can be gamed. It was very interesting and well done to him. However, I think he missed out on an important point which I would like to take further. On my way home on the first day, my head was buzzing thinking about this talk and it hit me while I was battling some traffic along Sandton Drive - our corporate information is on the Internet and is up for Auction. "Cyber-criminals" have an amount that they are willing to spend to get our information. Information Security is really just one big auction of information. APT was a term that was thrown around loosely at the conference but I think that Glenn's talk is the only talk where it wasn't mentioned (even in jest) and yet his talk would have had the best definition of APT - it is where Information Security and Cyber-Crime are locked in a "war of attrition".
Fig Leaves and Haroon's Hammer Haroon Meer is a great talker and I enjoyed his Lessig style presentation at the end of the conference. It was great that both of the closing talks had calls to action, which makes sense. I agree wholeheartedly with the problem that Haroon builds in his talk. The one question he asked was along the lines of: hands up all those here who are willing to put $1000 down on the table that they can protect their CEO's Information. No hands were raised. He then went through some excuses that InfoSec professionals use and ripped them apart. His one quote "Your management is one 0-day from the worst day of their lives" was re-tweeted across the world and was the most popular quote from the conference. The next bit was more important though - "... and they don't know it and you (Information Security Professionals) have a duty to inform them". The bit of the presentation that I didn't agree with was the answer that Haroon provided. Haroon is a researcher so by the law of the instrument (or Maslow's Hammer) his answer is more research. I disagree. I believe that two things are necessary to get us out of where Haroon correctly paints us - 1. A fundamental change of the Internet and 2. a realisation that Information Security is rapidly becoming less and less about technology and more about Business. More technical research is also needed but I think that it is not everything we need.
Strange Trends and New Networks My talk was very heavily based on Information I pulled off the Internet from Blogs. If you are passionate about anything at all then you should be looking for Blogs about that subject and Information Security is no exception - there are some amazing sources out there. The talk itself went off well and I had some very positive feedback from delegates as well as some comments which is always appreciated and allows the conversation to be taken further. I started off my talk by saying that if I had all the answers I wouldn't be doing Information Security because I'd be bored. Due to time constraints, I did skip some parts of my talk that I would like to pick up in my Blog so watch out for that soon.
And so... Another amazing conference - one that was very worthwhile and I look forward to ITWeb Security Summit 2012.
Disclaimer - you may think that because I spoke at this conference, I am biased toward liking it. The opposite is true - because I am biased to liking it, I spoke at it.
This is an update to the previous post. I have cleaned up the data a bit. Again I left out the words "HTTP", "ITWebSec" and "RT", as well as common English words such as "The" and "And", as these added nothing to the cloud. Including these words, there are 2307 different words. The top names (chosen by "@" in front) are: @itwebsec, @haroonmeer, @MushiD, @mattdoterasmus, @abaranov and @DeepPurple77.
The biggest ReTweeted phrase (by far) was: '@itwebsec: "Management don't know what security knows; that we're one 0day away from the worst day of their lives." #itwebsec' which is a quote from Haroon Meer's presentation.
As always - E&OE.
Previous tag made with TagCrowd and this one made with Wordle.
I've been doing a lot of thinking recently about the last year. I basically run my professional year from ITWeb Summit to ITWeb Summit and around this time I think back over the last year about what has changed and what is new.
I find that InfoSec is cyclical and this year is the unexciting one. Last year we were dealing with iPads and their ilk and Cloud and SaaS and all that good stuff was starting to hit us. This year - we are dealing with iPads and their ilk and Cloud and SaaS and all that good stuff is starting to hit us - again.
I'm still looking very forward to the Summit and I always leave with at least one very worthwhile thought that will determine my next year. The international speakers are most worthwhile to see as they bring a perspective that we, at the bottom part of Africa don't usually get. The Internet makes the World smaller but seeing someone talk is so much more useful (powerful) than reading.
While looking through my blog list for some juicy nuggets for my talk I noticed two bits of irony that came through:
1. The DBIR was published with the first line mentioning how it seems that the hacker community has gone more underground, with fewer big hacks where large amounts of data are stolen. Boom, a couple of weeks later and Sony is hit by just one such hack.
2. Brian Krebs publishes how it may be overkill but it is a good idea to use a non-Windows system to do online banking, especially for small businesses, because there are no trojans aimed at these systems. His next post is all about how someone is developing a trojan crafting tool aimed at these systems.
My speech this year is finally completed (albeit in draft for now) and is a mostly updated speech that I presented 2 years ago at a smaller conference. It is still very relevant and I will enjoy presenting my insights to a larger audience.
Please look for my talk in the program and support me if you are attending.
I have committed to the organisers to post at least 1 blog post per day of the event and 1 to sum up what good stuff I got out of the conference so look out for these.
When I first started with Sudoku puzzles my interest was "how do I reduce these to an algorithm?" I wrote some code that would solve the puzzles and then started to try to do it in my head.
I got better and better and the simpler puzzles started to get very boring and the harder ones became easy. Then, recently I got hold of an advanced Sudoku book and I was hooked once again.
But there was one puzzle that I just couldn't do. I would stare at the thing like it was a novel I could not put down. Hours went by and I was starting to see blocks in my sleep. So I decided to re-visit some of the online Sudoku solver sites I had used to help build my Sudoku solver. (Why not use my own solver? It's on a disk, somewhere!)
I found a good site that shows "hints" (because after all, I want to know how to solve it. If I wanted the answer, I could have just flipped to the end of the book but then I would have learnt nothing from the experience).
I typed the puzzle into the site and *boom*... a hint... yay. I was well on my way to solving the puzzle. I actually just really wanted one number and the rest all fell into place.
[The actual point of this long blog is here ;) -] Once I knew what the next number of the Sudoku was then I could work out how I should have gotten to it. But the PC showed me how it would have gotten to it and it was a totally different method altogether. It's obvious but not always on top of our mind: computers and humans inhabit the same world but our world view is very different.
This is why Spam gets through. This is why passwords don't work. This is why brute force does work. This is why Web-filters don't work. This is why DLP is partially effective.
Using technical controls for human created problems is what Information Security is all about. It's also something doomed to fail. What's better? I wish I knew.
I think I was a bit ahead of my time - we are still waiting for a DNS for telephone numbers after all.
But seriously, how many telephone numbers did you use to know? And how many do you know now? From someone with the short-term memory of a Goldfish, thank you Cellphones!
Now... when can I register "allen.baranov.cell.phone.mtn.za"? I've been waiting 10 years!
I usually don't repost blogs and articles that I find because I like this blog to be my personal sounding post. The practice can also lead to a blogger feeling that he is accomplishing something but is really just posting links over and over. I have an RSS reader to do that for me, and Google to get the stuff I missed.
However, I was drafting an article on exactly this stuff (and I hate this) but the Hoff managed to beat me to it and put exactly what I was thinking on the Internet better than I could express it myself. (... and had a Douglas Adams reference too!)
So, the first thing you'll learn when doing Networking is the OSI stack even though everyone uses TCP/IP which doesn't fit neatly into the OSI concept. The first thing you'll learn in InfoSec is the CIA triangle. This is our sacred cow even though we don't really work towards it. Or do we? Should we?
If you speak to those that know me professionally, you'll know my feeling of how Information Security should treat The A. I sit in the IT building and my favorite saying is "everyone else in the building is making sure availability happens. I look after the C and the I"
The problem is that protecting Availability is very broad. It is actually easier to define the opposite - lack of availability:
If a server disk crashes who gets called in? It's not me. If a service stops on a server? Not me.
If the Firewall blocks a business website? Yep, me.
If a virus crashes the mail server or slows it down? Me.
So, I do manage availability to a point but not all of it. And, in fact I seem to manage more Availability than I should. The point is that Availability is an easy sell. IT is full of it. Check your agreements with vendors - they all have something like "99.9...% uptime" SLAs. There are no "99.9...% integrity" or "99.9..% confidential docs will not be moved". Availability can be measured - it's there or it is not. Integrity and Confidentiality - not so much. Another favourite phrase of mine is "The A in SLA stands (not for agreement but stands) for availability - where is the SLI and SLC?"
The problem is that because InfoSec is traditionally based in IT - some of the Need For Availability (NFA?) seeps into our area. The tools we find easiest to sell to business - firewalls, IPS, antivirus all are there to primarily protect availability. Tools like web-filters are also very easy to sell because they stop abuse of network (think availability) and time (same). Tools like DLP are a tougher sell because they don't touch availability (and can cause issues there). Backups and DR have been the cause for some really bad C and I episodes. Yet every company does them - availability. This is not to say that backups and the other software we have are bad. Backups are essential for one but availability is king. When last did you audit all of the excel documents that people use to make business decisions for integrity?
The thing is that C and I are opposed to A. The safest network is one that is not connected to the Internet but what use is that? The way to properly secure a document is to put it in a safe, cover the safe in lead and then in concrete, chain it up for good measure and then dump it at the bottom of the ocean. But, again, what use is that? So, there is an arm wrestle between C and I on one side and A on the other and that is a good thing.
IT will always fight on the side of the "A" and so should InfoSec but we also have to fight for the C and I and ultimately get a good balance between all three.
[Every once in a while a news story comes along that makes you wonder...]
According to TechCentral :-
Thieves steal Sim cards from Jo’burg traffic lights "The Johannesburg Roads Agency (JRA) suspects that a syndicate is stealing Sim cards from the city’s hi-tech traffic lights, and using them to run up phone bills."
The article goes on to say "If all 400 traffic lights need to be repaired due to theft and vandalism, it could cost about R8,8m."
So, the big question is why the JRA used normal SIM cards in their traffic lights. It was probably a cost cutting method so they can just get them off the shelf but it is backfiring for them.
A comment in the article says to glue the SIM cards in place or use resin but this doesn't seem like a great idea as it would be almost impossible to replace a SIM card that is faulty.
Maybe the answer for the JRA is to react fast. As soon as a traffic light stops reporting to the central server (which is what these SIMs are used for) then move to disable the SIM immediately. Send a team to the light to assess and re-enable it if it is a false positive.
Another comment was about using PIN codes. But these would end up either being easy to guess "1234" "0000" etc; well known "Jack the JRA last week, now we need to redo all 400 PIN codes" or a mission to manage "Did anyone see the spreadsheet with PIN codes?" Even 1 PIN number is too much for some people to manage.
It seems that the SIM cards are well protected in the traffic lights because it takes the scum thieves a lot of destructive work to get to them so that is not a deterrent. The only option I can think of is to make the SIM cards useless to anyone but the JRA either by using special cards or by the above "react quickly" method.
Surely these SIM cards must be connecting to a private APN. (This is the gov. so this assumption is not a certainty). In which case they should have been disabled on the normal GSM APN. Problem solved.
One wonders how much the cellphone bills that were clocked up came to.
So it seems that at least one person reads this blog.
I got email from Andrew Yeomans from Commerzbank AG about my ideas in my recent Blog posts - Information Classification Like Creative Commons. (Part 1 and Part 2)
I came up with the idea myself but it seems that I was beaten to it by a group called SPIDER in a document available on the 'net here [pdf].
They discuss using graphics as opposed to words to describe what classification a document is. I just took it a bit further by using "creative commons" for icons. But my idea is a bit more important than that. For this to be truly useful the icons used must be instantly recognizable. Anyone who uses the Internet for some time and is involved in publishing, even non-professionally, will be able to spot creative commons icons, know what they mean and know what it means to them. And then abide by them. It would be useful for us to have icons that can do the same for sensitive documents.
I also took it one step further. I proposed the idea of including direction of what technology could be used with documents. So, if it is a "top secret financial document" then you may/may not email the document and there will be an "email permitted/not permitted" icon as the case may be.
Andrew commented that this may be a problem the way that technology moves forward but I believe it to be a good start. It may be better (in future) to have some "meta-mechanism" that automatically adds the icons in as technology is adopted or documents change levels of confidentiality.
It is nice to get some serious comments and I hope to hear more. It makes me think through my posts and tweak them. Hopefully, somewhere down the line it will add to the world's knowledge.
I think this is totally missing the whole point. Why not just give me paper?
It can't be more environmentally friendly to make a CD, copy the information onto it and then print a pretty design onto the CD.
So my story is that on Sunday, I opened the box, took everything out. I decided to do the installation by the book. And there was no book. Just a CD.
So, I had to go inside, boot up my PC, load the CD, run the software, click through the options.
Then run outside, do some installation.
Run back inside read up some more, run outside, run inside.
Still no luck so I have to take some of the wet pieces of the unit inside, put them quite close to my PC. Run outside.
This is not a major complaint (unlike my last post) but it just shows how someone decided to use technology because it was cool but really it just makes life difficult.
It is with great sadness that I write this post. I love Nokia. Loved. When something that you really like so much disappoints you so badly then it takes a lot to gain that respect back.
The short story is that my Nokia E71 stopped working a few weeks back and I took it into Nokia to be fixed. They refuse to fix it alleging that it is "liquid-damaged". I refuse to believe that the cause is Liquid-damage. And they refuse to listen to me and fix the device.
I have had a very long history with Nokia. The first cellphone I ever used was a Nokia 2110 (The Brick). I have had many different Nokia "candybar" phones of differing features and costs. My last one was a 6233 which I really, really enjoyed using even though it was a Symbian S40 device. It got stolen and I moved onto a phone I coveted for ages - the E71.
The E71 was everything I wanted in a phone and I used all of its features. When my car radio was stolen, my phone became my music player. It was my diary. It was my watch. It was my browser. It was my mail. My connection to my world. I downloaded all the Google services that I could and all the Ovi services. I even signed up for Nokia Music. The only issue I had with my phone was the expensive Maps software but when Ovi Maps became free for the E71 then my phone was completely perfect.
I actually talked 2 people into buying E71s, 1 person to get an E72 and 2 people into buying E62s.
Then my phone started flaking out.
One day it just started switching off. Strange, because usually the battery life is great. But that was fine, I charged it and it came back again.
Then one day it just would not switch on.
I took it to a shop and tried a different battery and no luck. We tried another battery and still no luck. I took it to another shop and we tried another battery. Finally I borrowed a battery from a friend who also had an E71 and still no luck. It wasn't the battery.
So I took my phone into two MTN shops and they both said it would take about a month to fix my phone. I should have gone for it but the one lady did mention that a Nokia shop would be able to look at my phone within one hour and "probably fix it" right then.
I was sold so I drove to the Nokia shop with my E71.
This is where the wheels fell off the cart.
I spoke to a lady who told me that if a non-Nokia-approved technician had worked on the phone then the warranty would be void and I would have to pay for their time. No worries there. She also told me that if the phone had suffered any liquid damage then the same would apply. No worries there.
Or so I thought.
At this point let me get it clear:
I have NEVER dropped my phone in water or any other liquid. I have NEVER spilt coffee or any other drink on my phone. I have NEVER lent my phone to anyone who wasn't in my general vicinity.
I would swear to the above in a court of law and sign an affidavit that says as much. I have even offered to do so for Nokia.
What I can't promise is that my phone has never come into contact with water. There is water in the air. I can't promise that I have never walked in the rain with my phone in my pocket although it hasn't rained for a long time in Johannesburg.
So, knowing the above, I handed in my phone. Signed the documents. The E71 has a known issue in that it picks up pocket fluff and some of that can get into the area between the screen and the glass over the screen so I asked that they clean that. I then went for a walk around the shopping centre for about an hour.
When I returned I was informed that the phone could not be fixed because the motherboard was no longer working and it is too expensive to replace the motherboard. Apparently it's actually cheaper just to replace the whole phone.
I was also told that there was "liquid damage".
The blood drained from my face. How could there be?! It was like I had walked into an alternate reality like a Lewis Carroll novel.
They pulled up a screenshot of the inside of the back of my phone where the battery lives. They showed me the damage and told me that it looks like "liquid damage". The picture was taken very zoomed in and close up it seems that two places on the motherboard have something that looks like rust.
The one thing they confirmed is that they were not able to find any moisture in the phone itself at all - not in the speakers (which are usually the worst parts for water damage) and not in the screen (which has dry fluff in it). But tucked away behind the battery is some sort of "rust" that "proves" liquid damage and hence according to Nokia this lets them off the hook from their warranty and they are therefore not liable to repair the phone.
When the shop people started telling me that my phone could have gotten the damage from water in the air or "sometimes you sweat and your phone in your pocket could have absorbed it" was when I decided that I should leave.
Nokia phones.
So, I left the store fuming. I left my phone there because now, not only did I not get my phone fixed and not only would they not fix it but I had to pay a "consulting fee" for them trying to fix a phone that was not fixable and they would be keeping my phone until they got that money.
I did sign that I would pay the consulting fee if there was water damage. I don't debate that. But I was shocked to find out that there was allegedly liquid damage. Two shops had swapped out batteries without noticing anything wrong with the motherboard but then they didn't have a magnifying glass to hunt for signs of possible "liquid damage" and I *knew* that I had never caused liquid to get into the phone.
I was cross but I figured that a simple call to Nokia head office would sort everything out. They are a very switched on firm and would like to help me out once they hear my story. So I spoke to a very kind, sweet woman and told her the whole story above including the bit about being willing to sign an affidavit and the "water in the air". To her credit she told me the water in the air story is junk. However, the Policy is the Policy and if the shop said it was "liquid damage" then there is nothing that Nokia can do. Can do or would do?
She suggested that I take it to another Nokia shop and get a second opinion. This means I risk another "consulting fee" of R250 in the hopes that another Nokia store may decide that the damage is not water damage. She suggested that I take it to MTN which means she is just passing the buck.
WTF?! Can she not just admit that the phone is defective and get it sorted out? No - there is the Policy.
Can I get someone independent to check the phone out? No, only a Nokia authorised repair person can open the phone or the warranty is gone anyway.
So here I am without a phone and feeling totally let down. My insurance will cover my phone for water damage and I'll be able to replace it but I guess I just wanted Nokia to come to the party.
Actually, I guess I had too much respect for the Nokia brand and wanted reality to reflect my perception.
I'm not an Apple person but I'm surrounded by happy Blackberry users. I guess my next phone will be a Blackberry ... something I've been fighting for a while now but I've been let down.
Following on from my last post on Information Classification - I think that this concept would be better shown by using examples. I guess that the irony of the last Blog is that I was trying to say "Using pretty pictures is better than using text" but I tried to do that in a Blog post which lacked pictures totally. Still, I did get some good feedback on the post even though my comments don't work.
I have done a little bit more research and tried to find some pictures to show what I am aiming toward.
These pictures are all from an icon pack I found here but I'm not sure what pack I would use when it is finished or even if I should make my own. These are just for demonstration purposes. Please don't steal these graphics (they are free so just follow the link).
*deep breath* Here goes:
If a document contains anything to do with someone's medical condition or some such - it gets labeled "Medical" and has the following graphic printed on it:
If a document is confidential - it gets labeled "Confidential" and has the following graphic:
Then what you can do with the document is listed - so you can copy it to CD, email it, move it on the network and take it home:
If you are not allowed to do any of these things then a little circle with a cross through it will be added to the image.
Putting it all together again - you have a piece in the footer of the document that says:
This document is classified as "Medical-Confidential". You may do the following: burn to CD, transmit internally, email outside of the network, take the document home.
Then under that, you have the images to reinforce. The important thing is that the images must be a standard set so that users across companies, regions, businesses, etc all can look at them and at a glance know what is expected from them regarding the document.
For bonus marks it would be nice to have a tool that can automate this process.
[Stealing the CC Ease of Use Icons for Info Classification]
When something is complicated then it usually is quite wrong. I learnt this lesson with Firewall Rules. Usually when something was twisted around and not easy to understand it was because the Firewall was being used for a purpose it was not designed for.
Information Classification is usually pretty easy to understand. It is logical. There is stuff you want the public to know about, stuff you don't mind them knowing about, stuff that you don't quite want them to know about and stuff they most certainly shouldn't know about.
There is also stuff that can't be shared outside of the company without breaking the law or some "governance" and stuff that can't be shared overseas.
Finally, there is stuff that shouldn't be shared outside of a department such as "strategy stuff" or "HR stuff".
What you call these is just semantics and what you do to keep these where they should be is where the fun comes in.
Information Security is accused of being overly complex and it really shouldn't be. Much like copyright is (generally) complex. So, the good people of the Creative Commons worked out just how to separate the tricky-to-understand bits from the easy-to-understand stuff and get people using CC without having to read law at Harvard or some such. You choose the pretty pictures that show you what you want and voila.
So, can we do the same with Information Classification?
So, it seems that I am following the trend with Blogging which is somewhere I am not proud to be but it is interesting just how closely I have followed this trend.
Statistics (when they are not manipulated) are ugly things. Sometimes they tell the truth like a little kid with no idea of how to be "nice". So here goes - my statistics of Blogs published on my site:
2007 - 78
2008 - 32
2009 - 34
2010 - er... 3
I had a lot to say in 2007 and a lot of time to say it. I accept that. 32 posts a year is not great, but it is not bad... 3 is pathetic.
It's not that I have been busy... I have been busy but not way way way more busy than in 2008/2009. I haven't moved my online conversations onto Twitter either. Twitter has impacted on my time a bit... but not that much that 1 blog post a week would break me.
I just haven't blogged. And other people have stopped too. Rich of Securosis seems to think that Twitter is the reason but I think it is more about two other things -
I believe Information Security Bloggers (maybe other blogs too) have just emerged from the Trough of Disillusionment (go, go Gartner, go).
Blogs tend to be mostly a one-way conversation but really are about gathering the ideas of what is floating about in the world and forming an opinion about it then writing about it. So technically it's like a general conversation and if everyone has left the conversation then there really is not very much to discuss.
But we are coming back and most of us (me included) are just really blogging about how we have stopped blogging and are now back. But we'll get there... it has been a bit of an awkward silence but it's ended.
For the latest ITWeb Security Summit (which was amazing) I was chosen as a speaker.
I had the following challenge -
talk about the different InfoSec Standards available
do it at 3:40pm
do it straight after the tea break
make sure that the attendees don't fall asleep
Needless to say - it took a lot of thought but I eventually managed to keep them interested according to some positive reports I got after the talk.
I'm not going to go into the details of the talk here but after quite a bit of re-assessment I realised that I had basically "hacked" the standards. Hacked - in the good sense. There was no "piracy" involved (me matey) and everything was above board. (and above plank.)
But to keep the attendees interested in the talk I basically took the standards and applied them in ways they were just not designed to be used. And that is the true definition of hacking.
In the past 4-ish years or so I have tried to model myself as a serious Information Security Professional. I have tried to put away the "hacking" part of me and concentrate on "working for the Man" but it seems that, without me trying, that part of my brain will find a way out.
So, I will set my aim for the next year to nurture the "hacking" side of my brain and mold it into something I can use as an Information Security Professional.
Someone (who shall remain anonymous) took me to task about not blogging. Which is fair enough since I haven't done a blog post since the end of last year - nearly 6 months ago. And it was my aim for the last few years to be the most prolific Information Security Blogger in South Africa (which really means writing more posts than that particular person). And I have been losing the race quite badly recently.
On the other hand that person fell asleep while chatting with me. Which is actually more a comment on how much sleep he had had the night before rather than how exciting the conversation was. I hope.
But.... that someone had an interesting point which I think is quite right - my excuse that I have nothing to blog about is wrong - I should blog and things to write about will come to me. That sounds very Zen. Or Xen.
So, I am starting up the blogging again and I hope that all my faithful readers will forgive the lack of posts and come back to be challenged again. (I'm watching you - both of you!)
So, no sooner had I posted the last post on my blog when I saw that Google are seriously considering dropping Google Gears altogether.
Google are dropping support for the most important piece of software in the last 10 years? Yes, and no.
Google introduced the world to the idea of offline applications by creating Gears. But maintaining it in all the different browsers and all the different Operating Systems (and variations of each) is painful. And was necessary until HTML5.
But HTML5 is a standard way to implement offline applications, it will be implemented in all browsers soon enough and it will be implemented in a standard way. And Google doesn't need to maintain it.
Google gets what they want and they don't need to support it.
One of the new features in Chrome that separates it from other browsers is the speed that it runs javascript. This became a major feature and forced Mozilla to speed their javascript up to compete. IE will do the same. (Mozilla had a faster javascript engine but they released it sooner than they would have otherwise done.)
So Google don't need Gears but it has already changed the world.
Google Gears is a silly little piece of software that merely allows one to run javascript offline. It tricks the browser into thinking that changes are going to the net but are actually stored locally. When an Internet connection is available, the databases are synchronised. Very technical stuff.
But what it really allows is a PC to run only web applications and allows web applications to be as feature-rich as desktop ones. What it really allows is GMail to compete with Outlook and Google Apps to compete with Office. It not only allows Google to compete directly with Microsoft head-to-head but gives them a slight lead.
Since Google's applications are designed with sharing in mind and Microsoft's are not, Google is ahead in this respect. And since Google's applications are on the Web, you can get to them pretty much from anywhere.
And since Google are driven by a policy of "good-enough as fast as possible" their applications are sleek and ready to be used online - Microsoft have some way to go if they want to compete in this area.
In the mid-90s I remember a whole host of companies decided to take on Microsoft directly and all of them came off second best. Netscape (with navigator - remember that?), SUN (SunOffice, Java, Net-PC), IBM (OS/2), Apple (pre-Jobs, iPod).
Netscape is no longer but they did spawn Firefox which is eating into IE's market share in a big way. SUN has some amazing software like Java and SunOffice (or OpenOffice) but they never really impacted on Microsoft's dominance as they looked like they might have. The less said about OS/2 - the better. And Apple reached their lowest point when Microsoft invested in them to keep the company alive.
SUN's vision for a NetPC is coming about again with Google's ChromeOS. The only difference really is that SUN's vision had lots of pretty blue SUN Servers being the central store for all data and apps while Google's vision has lots of ugly grey and black Internet Servers being the central store. (Internet being the important part). Google are making true what SUN never could - "The (Inter)Network is the Computer".
Whether Google will succeed where many have failed remains to be seen but they have lined up some interesting tools to give themselves at least a chance, and at the heart of each of these tools is Google Gears making it all possible.
So, when SANS comes out with a document - The Top Cyber Security Risks then it is time to sit up and take notice.
And especially when their findings pretty much agree with what the rest of the industry is saying.
The interesting thing is that there are really only two major risks highlighted and one observation.
The observation is that Companies are being good with patching Operating System level vulnerabilities. I guess this is well-done to Microsoft and the other OS creators. However, if you are not fully patched on an OS level then you are the low hanging fruit. And you will be in trouble.
"Hackers" are moving to hacking applications these days - both pre-packaged ones which you will be more likely to find on the desktop and custom built ones which will more likely be hosted on a website.
So, companies now need to look at patching applications quicker.
They must also have a good solid web application plan in place and stick to it before exposing themselves online.
I have some issues with Verizon Business's annual report but it is probably the most important document on Information Security to be published.
My one criticism of the Verizon Business Breach Report is that it shows credit card data to be more at risk than anything else. I was never sure if this is because it is easier to abuse than other data (such as Intellectual Property) or is just easier to detect when it is abused. According to the article, it is the latter. IP is leaving our companies, we just don't know it.
When a whole bunch of credit card information is stolen then the banks track which credit cards are abused. They are good at this and they slowly work out where all the credit cards were used together. So, if 5 credit cards were all used at a specific shop and then end up being abused that points to that shop having had an information breach. In the case of IP, there is no bank tracking abuse so you have to track it yourself... and companies are really bad at that.
The other point which I found quite amazing is that very few times when a PC is lost, is it used for fraud. End point encryption is cheap and easy to apply so it should be done, but most information is lost, not through assets being lost but through network attacks.
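The "five cards all used at the same shop" reasoning above is what banks call common-point-of-purchase analysis. As an added example (not code from the Verizon report or the original post), the function below runs it over a constructed transaction log: for every merchant it counts how many later-abused cards transacted there and what fraction of that merchant's cards that is, because a merchant everyone shops at will rack up a high raw count without being the breach point. Card IDs, merchant IDs and the abused-card set are all constructed.

```python
"""Common-point-of-purchase (CPP) analysis, added example.

Given a transaction history and the set of cards the banks later saw
being abused, rank merchants by how many abused cards passed through
them. Raw count alone is misleading: a merchant used by every card
(M-grocer below) matches as many abused cards as the real common point
(M-shop-A), so the abused fraction is used as the tie-breaker.
"""
from collections import defaultdict

# Constructed sample transaction log, one "card_id merchant_id date" per line.
TRANSACTIONS = """\
C1 M-shop-A 2009-05-01
C1 M-shop-B 2009-05-03
C2 M-shop-A 2009-05-02
C2 M-shop-C 2009-05-04
C3 M-shop-A 2009-05-02
C3 M-shop-B 2009-05-05
C4 M-shop-A 2009-05-03
C5 M-shop-A 2009-05-03
C5 M-shop-C 2009-05-06
C6 M-shop-B 2009-05-07
C7 M-shop-C 2009-05-07
C1 M-grocer 2009-05-08
C2 M-grocer 2009-05-08
C3 M-grocer 2009-05-08
C4 M-grocer 2009-05-08
C5 M-grocer 2009-05-08
C6 M-grocer 2009-05-08
C7 M-grocer 2009-05-08
"""

# Cards the banks later saw being abused (constructed).
ABUSED = {"C1", "C2", "C3", "C4", "C5"}


def parse(log):
    """Build merchant -> set of cards seen there (and the reverse map)."""
    merchants_of = defaultdict(set)  # card -> merchants
    cards_at = defaultdict(set)      # merchant -> cards
    for line in log.splitlines():
        card, merchant, _date = line.split()
        merchants_of[card].add(merchant)
        cards_at[merchant].add(card)
    return merchants_of, cards_at


def common_points(log, abused, min_cards=5):
    """Rank merchants as candidate breach points.

    Returns a list of (merchant, abused_count, abused_fraction), best
    candidate first, for merchants where at least min_cards abused cards
    transacted. Sorting is by count, then fraction, then name so that
    a merchant with the same count but a purer abused population wins.
    """
    _, cards_at = parse(log)
    results = []
    for merchant, cards in cards_at.items():
        hit = cards & abused
        if len(hit) >= min_cards:
            results.append((merchant, len(hit), len(hit) / len(cards)))
    results.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return results


if __name__ == "__main__":
    for merchant, count, frac in common_points(TRANSACTIONS, ABUSED):
        print(f"{merchant}: {count} abused cards, {frac:.0%} of its cards")
```

Lowering `min_cards` widens the candidate list; the threshold is what keeps a couple of coincidentally abused cards at a small shop from looking like a breach.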
If you walk into (any) Exclusive Books book store and go to the counter you will be confronted by a whole bunch of gifts.
There are bookmarks, pens, little torches etc. And there are little gift-books. Some are small, some are sentimental, some are silly but they are all intended to be gifts.
So, on the counter at the EB in Cresta shopping centre are two boxes that hold books. One is called "Don'ts For Husbands" with a blue cover and one is called "Don'ts For Wives" with a pink cover.
Now remember, these are by the gift books, not on the shelves where you'd go to browse and buy a book for yourself. So, the intention of these books is for a husband to buy for his wife and vice-versa.
All the "Don't For Husbands" were snapped up by wives and given. The "Don'ts For Wives" were still on the shelf. The one copy that was purchased was apparently buried with the husband the next day.
You've got to love married bliss.
(This whole article is true - except for the bit about the one copy of "Don'ts For Wives" missing.)
(The pic above is not such great quality but take my word for it - there are no copies in the left box and the box on the right is almost full.)
It is absolutely amazing. There is very little in the way of hardware that I can fault.
My wife has a Nokia too and its camera is so good that our regular camera is now collecting dust.
Bottom line - we love our Nokias.
But, Nokia fail on one aspect which I would hope that they can sort out.
According to this Vodacom page, a Blackberry subscription with Vodacom costs R60 and includes email, all on-device-browsing and most importantly - turn-by-turn navigation.
Nokia offer an email service which is "free for now". My browsing is pretty much covered by my contract and I try not to browse from my phone if I can help it.
But... navigation is R100 a month. That is truly mad. It is almost double the Blackberry deal and doesn't include the email, browsing, etc etc.
If Nokia want to compete in the new cellphone world then they need to realise that there is more to a cellphone than just the device. There is a service now and Nokia need to make the price realistic. I wouldn't swap my Nokia for a Blackberry any day but Nokia needs to come to the party and bring services that are not ridiculously priced.
[Make backups of your important information. Totally erase all devices with storage before you give them away]
So, because I manage Information Security for a large organization people ask me for advice on how to protect themselves.
The first thing I tell them (stuck record time) is to do backups.
The most important thing that home users can do is backup their information. That includes photographs.
It's like smokers - the people in a restaurant most likely to complain about smoke are the ex-smokers. The people who are most likely to make good backups are those that have lost information.
Except for the fact that my wife does scrapbooking, we would have precious few printed pictures of my younger daughter. They all reside digitally. If my wife's hard drive had to crash then we (potentially) would lose every photograph of our daughter ever taken.
The thing is that hard drives are built like everything else - to fail. So, all your precious information (and every household has some) is sitting on a device built to fail. (Read that sentence again and again until you totally understand the implication.)
Now, consider that most modern PCs have CD/DVD writers and the disks can be bought quite cheaply. What are you waiting for? Disaster?
Having said all of that, the SD card in my phone was corrupted. There was nothing really important on it (and what is important has been backed up) but I thought I'd try to recover what I could from the device. I found a tool called PC Inspector File Recovery. It is freeware and will analyse a drive and try to restore files, which can be saved onto another drive. It is very easy to use and the price is right (free).
It managed to restore files that non-free software was not able to. I highly recommend this tool.
So, yes, it is possible to get files after a drive has crashed but it is not 100% and Murphy will come to the party by making all files restorable except the one you really want. Backup!
On the other hand, delete is not as permanent as it sounds. So, if you have private information on any device (including PCs, cellphones, USBs etc) assume that the information on them is readable by whoever you sell/give the device to when you are done with it. Another good free tool is Eraser. This tool will erase everything on the disk so it can't be undeleted.
One last thing on this topic. Some malicious software (eg viruses) puts fake file recovery software on your PC, encrypts files and tells you that the files are corrupted, asking you to buy the software so it can "repair" the files. Don't fall for this trick, you will just be making the cyber-criminals rich.
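To make the "delete is not as permanent as it sounds" point above concrete, here is an added example (my own illustration, not a tool from the original post and not how PC Inspector or Eraser are implemented). It builds a toy "disk" in memory: an ordinary delete only drops the directory entry, so a signature carver that ignores the directory still finds the photo; overwriting the blocks first is what actually makes it unrecoverable. The disk layout, the file name and the photo payload are all constructed for the example.

```python
# Toy model of why "delete" leaves data behind and why overwriting is needed.
# Constructed for illustration: a flat block device plus a directory table.

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker (real signature)
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker (real signature)
BLOCK = 64                   # toy block size in bytes


class ToyDisk:
    """A block device with a separate directory: name -> (first_block, length)."""

    def __init__(self, nblocks: int = 16):
        self.blocks = bytearray(nblocks * BLOCK)
        self.directory = {}

    def write_file(self, name: str, data: bytes, first_block: int) -> None:
        start = first_block * BLOCK
        self.blocks[start:start + len(data)] = data
        self.directory[name] = (first_block, len(data))

    def delete(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes; the bytes stay on disk."""
        del self.directory[name]

    def secure_erase(self, name: str) -> None:
        """Overwrite the file's blocks before dropping the entry (what a wiper does)."""
        first, length = self.directory[name]
        start = first * BLOCK
        self.blocks[start:start + length] = b"\x00" * length
        del self.directory[name]


def carve_jpegs(raw) -> list:
    """Recover JPEG-like payloads purely by signature, ignoring the directory.
    This is the idea behind file-recovery tools: the directory is gone, the data is not."""
    found = []
    pos = 0
    while True:
        s = raw.find(JPEG_SOI, pos)
        if s < 0:
            break
        e = raw.find(JPEG_EOI, s)
        if e < 0:
            break
        found.append(bytes(raw[s:e + 2]))
        pos = e + 2
    return found


def demo() -> tuple:
    """Returns (recoverable after plain delete, recoverable after secure erase)."""
    photo = JPEG_SOI + b"constructed photo payload" + JPEG_EOI  # constructed sample file
    disk = ToyDisk()

    disk.write_file("daughter.jpg", photo, first_block=3)
    disk.delete("daughter.jpg")
    after_delete = carve_jpegs(disk.blocks)      # directory says nothing is there...

    disk.write_file("daughter.jpg", photo, first_block=3)
    disk.secure_erase("daughter.jpg")
    after_erase = carve_jpegs(disk.blocks)       # ...now the bytes really are gone

    return len(after_delete), len(after_erase)


if __name__ == "__main__":
    print(demo())
```

The same signature-carving idea is what lets a recovery tool pull files off a corrupted card, and it is also why handing over a device after a plain delete hands over the files.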
I was reading about Ralph Nader on Wikipedia, and came across something called the Peltzman Effect.
This is something I see a lot and I spend a lot of time in my induction meetings trying to work against.
The Peltzman Effect (named after Sam Peltzman, a professor of Economics) is what happens when you are aware of safety controls.
Knowing that you are fairly well protected, you take more risky behavior. This essentially makes all the controls less valuable, worthless or actually creates more risk than if the controls were not in place.
Two of these controls (Firewalls and Antivirus) are important but they do not cover 100% of all risk and users need to know that they must not assume total protection but need to take some of their own precautions.
Backups are even worse... they are not magical but they are assumed to be.
Bruce Whitfield did an excellent job of chairing the morning sessions. He managed to gather enough knowledge to challenge the speakers and get the audience involved in the round table. His question about the $1 trillion to Greg Day will go down in history. Craig Rosewarne asked Bruce the question that was on the tip of my tongue too. Bruce, as a Business Radio Presenter, has access to all of the top C level executives in South Africa and we wanted to know just how much they were concerned about Information Security. His feelings were "not so much" but he would follow this up on air.
Phil Zimmerman did punt his new product but leading on from that was an interesting talk about privacy. According to one of the delegates, South Africa is about to be flooded with video cameras all with the latest and greatest facial recognition systems. The government will use the "combating crime" and "stopping terrorism" excuses to do the roll out. While these are important in times of massive risk (such as the World Cup 2010), the equipment will stay. Phil is not from South Africa so he wasn't aware of the whole Mbeki, Zuma wiretapping tapdance but his talk largely was about how VOIP is less secure than normal phones but with encryption can be more secure. Jeremiah Grossman. Well.. a speech about how to hack free pizza.. what more can one say - amazing. I think the key takeaway from this speech is that technology is not everything. Hackers can use the technology in the correct way but exploit bad business plans. Jeremiah is very much at ease in front of a large audience and his speech is very polished, with nice use of humor.
Greg Day made the fatal mistake of quoting the $1 trillion figure for how big cybercrime is. This is maybe what his keynote will be remembered for. But I think the key take-away from his speech is that trojans are so easy to compile and send out that signature anti-virus products are lagging. McAfee are trying to fix this by speeding up their signature system. They have also invested in an application white-listing product. Greg referred to this in passing but without going into details. I referred to the proliferation of trojans in my own speech, stating that the insider threat/outsider threat is no longer up for debate. The point is that hackers are in your internal network. It's a given. Now, what are you going to do?
The ITWeb Security Summit has come to a close and it was amazing.
Unfortunately, being stuck in South Africa, I really don't have anything to compare it to but I thoroughly enjoyed the conference and look forward already to next year's event.
I highly recommend it to all business people, security professionals and technical security people.
(I was involved in the conference as a speaker but, really, honestly, truly, I would say this even if I wasn't involved.)
The only major criticism I have (as a speaker and delegate) is that the Management breakaway sessions were held in the main conference room which meant that you had a smaller number of people spread out in a large area which was rather dark. This meant that the speakers of the management stream were quite separated from their audience.
And, to nitpick - the breakfasts were not great. However, the lunches were amazing and the coffee was great.
Generally, everything moved well. The audio-visual systems worked fine. The microphones worked very well and the clicky things (to move slides) worked.
Registration was a breeze and the venue was perfect. (Aside from the Midrand early morning traffic, yuck!)
The speakers were very interesting, especially the ones from overseas and it was a treat to be able to understand what is happening elsewhere in the world.
Ironically enough, next week I am presenting at a Security Summit on, well, Information-centric Security.
The article, I believe is one of my most important ones. Information-centric security is not really dead. But it is a stepping stone. Read my last blog post and the one linked above together and you will see what I believe is the most exciting and important development in our industry, probably since Firewalls.
If you aren't busy next week Tuesday then maybe come see me talk. It'll be fun, I'll make jokes. Promise.
[NAC and DLP can be so effective together, they just need to be trimmed down]
So, Art Coviello's company (RSA) arranges the biggest and certainly the most important Information Security conference. And so he gets to give the Keynote. But, to his credit he is either brilliant or has brilliant people around him because his keynote is always interesting, ground breaking even. I believe that RSA certainly has the best vision in terms of Security.
But enough of that... let's get back to the topic of this blog. (Btw, if anyone from RSA is reading this - contact me for my details to send whatever SWAG you have to give me for the above... cash is best ;)...
Coviello's main points (in my opinion) are that Security tools are point solutions and don't play nicely together. This needs to change and they need to be more open. Following that, they can then start to specialize.
I guess this is sort of what Check Point were trying to achieve with OPSEC. You have "smart machines" that understand policy.
Think - Firewall Policy server, Anti virus server, IPS. Traffic is sent to these machines and they work out what needs to happen to the traffic - allow, block, log, etc. This is communicated to a dumb device like a firewall node which just follows orders.
Coviello names the functions as follows:
PolicyManagement
PolicyDecision points
PolicyEnforcement
PolicyAudit
So, assuming I am reading a file on how my company makes its secret widgets. I download the file from the server and the following information is available to the different systems around me:
My username
The time
My location by network
My location by GPS (not usually but why not?)
My PC's latest patches and antivirus level (from NAC)
My PC's installed software
My PC's hardware (including USB devices)
Any IPS triggers
This information is in many separate databases that don't really interact but imagine if they did.
It would allow the system to make a decision to allow/block based on any of the above conditions or all of the above together. So, if I try to access a file from my desk but it is 1AM then maybe I am denied the file. If my antivirus is old then tough, no files are available.
Every piece of network equipment (including workstations and servers) can be PolicyEnforcement machines. Which means that if I try to access a file that I'm not supposed to then the Server will block the connection, the switch will block it too and my laptop will block it too. This may be over-protection, but it may not be.
So, you may have a DLP server and a NAC server and a centrally controlled personal firewall policy but really the enforcement for all of these is "Allow" or "Block" and network switches can do that already. So, all your systems need to talk and when they all agree on "Allow" then the traffic flows.
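As an added example (my own sketch, not code from RSA, Check Point or the post), here is what the four functions above look like when they are actually wired together: one policy store (PolicyManagement), one decision function that combines every attribute in the list above into a single Allow or Block (PolicyDecision point), several dumb nodes that each ask that function and obey (PolicyEnforcement), and a shared audit log (PolicyAudit). The attribute names, thresholds and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessContext:
    """Everything the surrounding systems know about one request (constructed fields)."""
    username: str
    when: datetime
    network_location: str        # "lan", "vpn", "guest" ... from the switch / NAC
    patch_age_days: int          # from NAC
    av_signature_age_days: int   # from NAC
    usb_storage_attached: bool   # from endpoint hardware inventory
    ips_triggers: int            # recent IPS alerts for this host
    resource: str                # the file being requested


@dataclass
class Decision:
    action: str                              # "Allow" or "Block"
    reasons: list = field(default_factory=list)


# PolicyManagement: rules live in one place as data, not hard-coded in each device.
POLICY = {
    "office_hours": (7, 19),          # sensitive files only between 07:00 and 19:00
    "max_patch_age_days": 30,
    "max_av_age_days": 7,
    "allowed_networks": {"lan", "vpn"},
    "sensitive_prefix": "secret/",    # assumed naming convention for sensitive files
}


def decide(ctx: AccessContext, policy: dict = POLICY) -> Decision:
    """PolicyDecision point: fold every attribute into one verdict, keeping the reasons."""
    reasons = []
    sensitive = ctx.resource.startswith(policy["sensitive_prefix"])
    start, end = policy["office_hours"]
    if sensitive and not (start <= ctx.when.hour < end):
        reasons.append("sensitive file requested outside office hours")
    if ctx.network_location not in policy["allowed_networks"]:
        reasons.append(f"untrusted network location: {ctx.network_location}")
    if ctx.patch_age_days > policy["max_patch_age_days"]:
        reasons.append("endpoint patches out of date")
    if ctx.av_signature_age_days > policy["max_av_age_days"]:
        reasons.append("antivirus signatures out of date")
    if sensitive and ctx.usb_storage_attached:
        reasons.append("removable storage attached while accessing a sensitive file")
    if ctx.ips_triggers > 0:
        reasons.append(f"{ctx.ips_triggers} IPS trigger(s) on this host")
    return Decision("Block" if reasons else "Allow", reasons)


class EnforcementPoint:
    """PolicyEnforcement: a server, switch or laptop that just asks and obeys."""

    def __init__(self, name: str, audit_log: list):
        self.name = name
        self.audit_log = audit_log

    def handle(self, ctx: AccessContext) -> str:
        d = decide(ctx)
        # PolicyAudit: every enforcement point records the decision it acted on.
        self.audit_log.append((self.name, ctx.username, ctx.resource, d.action, tuple(d.reasons)))
        return d.action


def enforce_everywhere(ctx: AccessContext, audit_log: list) -> str:
    """Server, switch and laptop all consult the same decision point;
    traffic flows only when every one of them says Allow."""
    points = [EnforcementPoint(n, audit_log) for n in ("file-server", "core-switch", "laptop")]
    verdicts = [p.handle(ctx) for p in points]
    return "Allow" if all(v == "Allow" for v in verdicts) else "Block"


def sample_request(hour: int, av_age: int = 1, location: str = "lan") -> AccessContext:
    """Constructed sample: me, at my desk, asking for the secret widget file."""
    return AccessContext(
        username="allan", when=datetime(2009, 1, 15, hour, 0),
        network_location=location, patch_age_days=5, av_signature_age_days=av_age,
        usb_storage_attached=False, ips_triggers=0, resource="secret/widgets.doc",
    )


if __name__ == "__main__":
    log = []
    print(enforce_everywhere(sample_request(hour=10), log))   # Allow
    print(enforce_everywhere(sample_request(hour=1), log))    # Block: 1AM
    print(enforce_everywhere(sample_request(hour=10, av_age=20), log))  # Block: old AV
    for entry in log:
        print(entry)
```

The point of routing every node through one `decide()` is the one made in the post: the enforcement vocabulary is only Allow or Block, which switches already understand, so the intelligence can sit in one place and the audit trail shows the same reason at every layer.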
I'm looking forward to the conference. It will the first time that I am presenting and I think that this year is going to be great. There are a lot of new technologies and concepts that are going to make this year exciting.
At work I have been working hard at planning my next year and I am very excited about that too.
There is some Information-centric Security in there but lots of other stuff. It is going to be a busy year.
UserId is your userID which you can get by logging into twitter, going to twitter.com and hovering your mouse over the RSS logo on the right.
Step 3 It will ask you for your twitter username and password (unless you are logged in) and pull the information into excel. As a bonus you can right click, select XML and refresh the information.
Step 4 Different versions of Excel will work slightly differently.
Note that the information doesn't just magically appear in Excel, it is loaded via your browser (running in the background with no window) so if your employer has a proxy server (they should) with logging on (it should be) and they have suspicions about you (I hope not) they can still see your twitter browsing even if your boss can't see it by glancing over your shoulder.
PS. using the Twitter API, it should be possible to post to twitter and see DMs and @ messages and your own status etc etc but I didn't feel like playing with it that much. Maybe I will. At the moment, you only get your personal stream, unsorted. In Excel.
So, strange reports started coming in to the media this week about neighbors whose gate remote controls and car remote controls had stopped working. It was across my neighborhood but not those around us. It didn't affect us thank goodness. No-one knew what was causing it.
It turns out that new special meters that have been installed are to blame. They consist of the bit that measures the electric usage and a bit that reports it back to the electricity company. They communicate with each other using the same frequency that gate and car remotes use.
Somehow they have been "over-communicating". This has led gate remotes and car remotes to stop working due to all the signal-noise. It made the press because in South Africa a non-working gate remote on a dark night can lead to some pretty ugly crime.
The electricity department denied that it was their machines until it was proven otherwise with signal measuring tools. Now they claim that it was a third party device that caused their meters to start shouting to the world at large. They have a 'patch' for the machines that can stop this issue.
Exact details are sketchy but it sounds like someone managed to launch either a smurf attack or a DoS attack on the machines which in turn made things like electric gates, garage doors and cars not work. Parts of the neighborhood were essentially shut down. So, I'm claiming to live in the first suburb to be smurfed.
Since my posting about how seatbelt legislation improved the use of seatbelts was very popular, I like the idea of traffic rules being used as an analogy for Information Security. So it was quite exciting to see some Gartner thinkers copying me (obviously they read my blog religiously, debate it at length and then copy it. I am that good).
Reading between the lines, it seems to me that the article puts down the idea of awareness in total as being not effective. Which is fair enough. In Information Security you can preach for hours but unless you actually capture the hearts of those in the room then you are lost. They will not listen. One way to go is to use a combination of things including awareness and enforcement.
Taking John Pescatore's analogy further - everyone stops at red traffic lights. Even when there are no cameras. It has become such a cultural thing that you don't even think "should I stop here?", you just do it. This is for two reasons. You understand that going through the traffic light when it is not your turn has a very big chance of killing you. Also - everyone does it. You are part of a cultural group that stops at the lights.
Awareness does work. But it needs to get buy in from people's minds and hearts. They have to Understand (note the capital U) why they do something and what the risks are. Once this is part of them then it spreads and becomes a cultural thing. Then you've won.
I really like the way The Hoff puts things sometimes:
We’re told we shouldn’t have to worry about the underlying infrastructure with Cloud, that it’s abstracted and someone else’s problem to manage…until it’s not.
I think that sums up in one line the problem with Cloud Computing. You are essentially making your job easier by dumping the responsibility for Security (and Availability) onto someone else's plate. Which is fine until they post a note saying "Sorry" and you are left with no service.
Or worse - data that has gone off somewhere that you don't want it going!
Information Security can get a bit drab and boring. Especially when the auditors start poking around and you are arguing about the minutiae of your security policy. And especially when you look at the designers with their Apples and the programmers pumping out new Web 2.0 frontiers.
But sometimes, someone out there comes up with something so silly but effective that it just has to be blogged about.
The Conficker Eye Chart is simple - it tries to download images from Sites that Conficker blocks. If you can't see them then it could be that you are infected.
But you really have to see it. I wish I had come up with that one!
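Here is the logic of the Eye Chart written out, as an added example that is my own reconstruction of the idea and not the Conficker Eye Chart's own code. The inference is: if a neutral control image loads but the images hosted by security vendors all fail, the host is behaving the way the worm makes it behave; if nothing loads at all you are simply offline or behind a strict proxy, which proves nothing. The probe URLs are placeholders, and the fetch function is injected so the check can be driven by a fake for testing or by the real HTTP helper below.

```python
import urllib.request

# Constructed placeholder probes: several security-vendor-hosted images plus one
# control image that the worm has no reason to block. Replace with real URLs to use.
SECURITY_PROBES = {
    "vendor-a": "https://security-vendor-a.example/logo.png",
    "vendor-b": "https://security-vendor-b.example/logo.png",
    "vendor-c": "https://security-vendor-c.example/logo.png",
}
CONTROL_PROBE = {"control": "https://neutral-site.example/logo.png"}


def classify(results: dict) -> str:
    """Turn {probe name: loaded?} into a verdict, handling the 'everything failed' case."""
    control_ok = results.get("control", False)
    security_ok = [results.get(name, False) for name in SECURITY_PROBES]
    if not control_ok and not any(security_ok):
        return "offline-or-proxy"      # cannot conclude anything about infection
    if control_ok and not any(security_ok):
        return "possibly-infected"     # only security sites fail: the worm's tell-tale
    if control_ok and all(security_ok):
        return "clean"
    return "inconclusive"              # partial failure, e.g. a corporate web filter


def http_fetch(url: str, timeout: float = 5.0) -> bool:
    """Real fetcher: True only if the image URL answers 200. Any error counts as blocked."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except Exception:
        return False


def run_eye_chart(fetch=http_fetch) -> str:
    """fetch(url) -> bool. Probe every URL once and classify the pattern of results."""
    probes = {**SECURITY_PROBES, **CONTROL_PROBE}
    results = {name: fetch(url) for name, url in probes.items()}
    return classify(results)


if __name__ == "__main__":
    print(run_eye_chart())
```

Run against real vendor URLs the same pattern holds, and the "offline-or-proxy" branch is the part people forget: a blocked corporate proxy looks exactly like an infection unless you include a control image.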
[Nokia releases Open Source Symbian and it is installed on a toaster]
There is a news story about a toaster running Symbian (the platform that newer Nokia phones run).
It does this so it can provide extra services like measuring the heat of your toast etc.
Full set of features:
BreadSense mode that uses internal sensors to figure out the ideal heat setting and time for the bread you have inserted.
The large touchscreen UI also allows you to tweak the settings to suit your personal taste.
Toast settings can be saved and assigned to individuals. A finger-print sensor on the side identifies the user and automatically displays their personal presets.
Additional presets and sandwich serving suggestions can be downloaded from the internet using the built-in WiFi connection.
Users can share their own presets and recipes online too.
Can connect to your phone via Bluetooth and upload reminders to buy more bread when you run out.
The screen can display useful online information such as news headlines, weather forecasts and video feeds to keep you entertained and informed in the kitchen.
Firmware updates are automatically downloaded and applied over the air to make sure you always have the latest features.
My mother-in-law runs a small craft shop (with lovely craft products, sold very cheaply and with good friendly advice ;) and her business relies a lot on the Internet. Queries come in via email, she has an online store and a website.
Yesterday she got sent an email telling her that due to some unsavory use of the Internet, she would be disconnected. The email had an attachment which was (pretending to be) some sort of log of her activities.
Now, the more savvy of us may think - scam. But she is not "the more savvy of us" and this email freaked her out. She imagined her Internet presence being shut down. And, of course, she was always careful about her browsing.
Fortunately for her, her ISP's antivirus recognised the attachment as being a trojan and deleted it. But she may have been stressed into opening the attachment to see what the accusations were.
I have written this post to tell people about this type of trickery and to just remind those out there that are maybe not so Internet savvy - NEVER open attachments that you are not expecting. If you are concerned about your Internet connectivity being taken away then contact your ISP directly.
[The irony in this article is so lovely, it has to be shared]
The Age newspaper reports that a leaked memo from inside the Victorian Police (Australia) department says that their IT systems are risky.
The article lists a whole bunch of "Availability" risks such as backups failing and the like. It doesn't really go into details about how information security can be compromised although it does list the kind of information that the police have on hand which is very confidential.
The wonderful part is that the article says: 'A police spokeswoman said the force believed its IT applications were secure and there was a "full back-up regime across all our services as well as disaster recovery for core applications".'
My question is ... if the Victorian Police are secure, as they claim to be, how did a highly confidential memo with the ability to cause massive amounts of embarrassment to the department get leaked to the press?
If you have read my Blog posts then there will be very little new information in the presentation. However, I do tie my thoughts together in one big "this is where you should be going" session. It will be on the management track so I should be expecting some high level thinkers and, yes, the presentation is very high level.
Even though I am now involved, I highly recommend this conference for all that can make it. I missed out in 2007 but the twice that I attended (2006, 2008), I certainly came out with some mind blowing insights.
I also highly recommend that management don't have the mindset: "we need to think about this security stuff" and then send their IT Guy but rather that they make the effort to send someone who can make business decisions. Even better - send both. That is why there is a management stream and a technical stream.
The reason I promote this event (and I really don't get commission) is that it is the only major event in South Africa with an Information Security focus. I believe that management at any company should make an effort to stay in touch with what is happening in Information Security.
Unless you don't use information or none of your information is private.
[A bit of background info for our International readers..I think we have more than 1..]
Shabir Shaik was a prisoner. He was arrested for (allegedly) bribing the President of South Africa's biggest political party - the ANC.
It seemed as though he believed that he would escape arrest but after appealing all the way through the justice system he ended up with a 15 year sentence.
From the start things didn't seem kosher. Complaining of a heart problem, he spent more time in hospital than actually in jail.
Eventually, after 2 years of being incarcerated he was released. The reason given is that he was in the last stages of a terminal illness. The law exists that terminally ill patients are allowed out of jail to spend their last days at home.
Huge questions are being asked about this particular case considering his connections with the leaders of South Africa, his huge wealth and his legally proven happiness to use that wealth to grease palms.
[South African readers can start here] So, basically, the only way, really, that Shaik can prove that he is innocent of these new suspicions is to die. And you think that you have issues. :)
[The other side to my prediction. Why I still believe it will happen but why it hasn't happened just yet.]
As per usual, the Securosis guys are smack bang on the pulse and deliver some interesting reading.
The take-away quote from the article is this:
[J]ust because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales.
My feeling is that cyber criminals (hackers) are getting desperate. The average price of a credit card on the black market has dropped to the point where it is not worthwhile trading in credit cards anymore. The new currency will be intellectual property. The problem with IP as opposed to credit card data is that credit cards are easy - there are any number of buyers and the consequences are still not too harsh.
Intellectual Property really would only benefit the competitors of a company so there are not so many buyers for the information. And that company would need to act on the information that they get, otherwise it is not worthwhile.
The Coke/Pepsi example is not very technical - it sounds like the employee stuffed files in her bag but it is still a breach. The thing is that there are few companies that would benefit from Coke's private documents. There are fewer that would take the risk in acting on stolen information. Pepsi was not interested in taking the chance.
I think that my prediction still stands but it requires a desperate employee who has access to valuable information. And a desperate competitor that will use the information offered to them. There will probably be a middle-man orchestrating the transaction. Big money will be paid out for the information and the original company will suffer in some way - market share, share price, loss of tender, etc.
I don't think it will be widespread but it may get ISOs around the world thinking "that could be my CEO with egg on his face apologizing to shareholders about losing IP"
I have enabled Disqus for my Blog and highly recommend every blogger do so.
(No, I am not being paid for this endorsement, but I am open to bribery...)
The nicest thing about it is that I can track comments made by me on different (Disqus enabled) websites and my comments even get added to my FriendFeed.
{I'm borrowing the idea of an Incomplete Thought Post from The Hoff - jotting down some thoughts on my blog before they are fully complete. I hope it will lead to faster posting. I have about 25 posts that are half written which I probably should have posted but they are just not quite right. This post is something I have thought about but may be open to discussion.}
Cloud computing is new which is why it is fun. It's like a new gadget and although you probably have no idea what it is or why you need it, the Cloud Computing salespeople are already convincing you that your competitors are using it to get ahead of you.
I think that the original plans for Java are pretty similar to what we are expecting from Cloud Computing. Plug an object into a server, know the interfaces to it and Bob's your uncle - you are up and running. You can do limited customisation but you really don't need to know how everything is happening - just accept that it is. In Java we called it "Black Box" and now it is called "Cloud Computing". In both cases you don't get to see the inner workings. In both cases you are not supposed to care.
The power of this is that once you have a good object defined, you can use multiple objects chained together for scaling up or multiple different objects working together for a common cause. You could even get your chain to scale up and down as needed. Likewise, you could drop new objects in place as you want to create new services. You can even change objects as you find better working examples of them.
An example of this is my Blog. I could run it on my own server and manage the server, the database, the web (HTML, code, etc). Or I could go to Blogspot, sign up and be online in a few seconds. And, if all of a sudden there is a massive interest in my Blog (pfft) then Google will supply me the bandwidth and Server power to keep my site up. This is all very well but I have other advantages now too, such as, I have thrown out the vanilla comment section and put in one that works better. I could throw out that one too if I find something better. I have gone with feedburner for managing the RSS feed but I have a few choices there. Inter-connectivity is making my Blog so much more than a static web page.
I am really benefiting from "the cloud". On the other hand - there is nothing on my Blog that is private at all. The whole point of this Blog is to "get the word out there" so the more people that read my stuff - the better. I may not want spammers getting my email but that's pretty much it.
So, honestly, I don't care where my data is stored, what happens to it in transit, who reads it, etc. It is better not to know because my head can hold only so much junk. I also benefit in that I don't have to stick everything together. (Where I do stick different pieces together - it is made very very easy for me) and I don't need to pay for a dedicated server.
On the other hand, (and this is key) if it was corporate information then the details of where, how, what, etc become important.
Andy the IT Guy is, of all the bloggers I read, the most practical. He isn't an analyst like the Securosis guys or a salesperson like most of the others. Or a ninja-type like the Hoff. He is a hands-on security person. Like me.
I find sometimes, I will be sitting in the traffic or walking down the street or shopping or whatever and thinking "there must be some Information Security parallel to this" and I get ready to blog about whatever it was. You can equate just about everything with Information Security. I'm sure that bloggers of all types go around thinking "...ooo..must blog about that..". There should be a support group. Maybe there is. Maybe it has a blog. I hope not.
By the way, Andy's advice about Information becoming "mixed" is really good advice and all companies should take note. I am about to start an Information Classification program and I shudder to think what it is that I will find. If everything was done right from the beginning ("pffft...") then it would be a simple thing to perform.
Andy, I totally agree with your observation, mate. But, sometimes just switch off and enjoy your breakfast. Even if it does taste slightly generic. I could use my own advice too. Maybe we should just give in to the addiction...
Now, what do fishpaste sandwiches have to do with Information Security? They smell funny but they are really good for you? Hmmmm....
Security lessons not learned will haunt us in 2009
This is exactly what I was thinking but I can't put it any better...
Please take a look at this article called Security lessons not learned will haunt us in 2009 and learn. This article is written in layman's language so no-one has any excuse not to read it and take in the important information that is included in it.
If you haven't read my 1st prediction - read this article first and then read prediction 1. Then get busy fixing up your Information Security Plan or cower in a corner crying.
A major company will suffer losses due to stolen intellectual property.
(I've been trying to come up with all my predictions but I think I will just post them 1 at a time as I think of them. Here is the first.)
If you have been fortunate to attend any of my recent presentations, have read my blog or have gotten caught in a lift (elevator) with me then you'll know all about my Perfect Storm prediction.
I have no idea if it will happen in 2009 or 2010 but it is coming. It may have happened already and we just don't know about it. Briefly - there is a major underground economy happening right now. They are focused on payment card information (PCi) and personal information (PPI) that can be used for identity theft. There is a glut in the availability of this information and it is not worth so much. Either the underground economy will collapse in on itself or (more likely) it will start to trade intellectual property (IP).
IP is worth a lot more than either PCi or PPI but it is harder to find a buyer who can use it and the information is less standardised. But tough times call for tough measures and these are tough times.
I'd like to think that companies would reject offers of stolen information but this is very naive.
The reason that it may happen and we will not find out about it is that companies tend not to report these things to the media or anyone else. And since the information stolen does not belong to anyone else then they don't really have to report it.
The only time they'll have to report it is if it has the potential to make a massive change in their earnings. They'd still be able to fudge the numbers.
So, my prediction is that there will be a growing trend of theft of IP in amounts too small for companies to report until one company is rocked by a theft so big that it can't hide it.
This will happen - the question is whether it will happen 2009 or 2010.
The times has a moving picture of Helen Suzman being laid to rest in the typical Jewish way, in a plain, ugly, boxy coffin. Everyone is equal in death - it is how we live our lives that defines us. And Ms Suzman certainly lived hers as a shining light to all.
I would say "Rest In Peace" but something tells me that Helen Suzman would not find that very easy. The Jewish nation in South Africa has always had an uneasy relationship with the Government, cordial but uneasy. The Nationalist Apartheid government tolerated Jews as they were "Whites" and were afforded the benefits that Whites were given. Most Jews were appalled at the treatment of Blacks and other race groups under apartheid but were too afraid to rock the boat.
Not so Ms Suzman. She will always be remembered as someone who spoke up.
More than that - she was never a loose cannon - she knew she was right and she had an amazing way of upsetting anyone who was doing wrong but in such a way that she gained their respect.
I have a lot of respect for the likes of Nelson Mandela and the other great leaders of the anti-apartheid revolution. But I have more respect for those that had not much to gain and lots to lose by their support. The ones who just saw what was good and what was not and decided to do something about it. It brings to mind the Edmund Burke quote about evil triumphing because of good men doing nothing. We are lucky in this world to have people such as Helen Suzman who see the evil around them and do something. Well, the world has lost one of those people, hopefully there will be others to take her place.
Finally, two quotes -
"I stand for simple justice, equal opportunity and human rights. The indispensable elements in a democratic society - and well worth fighting for." [Helen Suzman]
In what will most likely be my last posting for 2008, here is a bit of advice for all.
I read somewhere that news is never really all that useful. It's interesting. But it's not useful. The stuff that you need to know about to go about your daily life is not going to make news.
To get some more perspective on this, I highly recommend that you visit The Onion online newspaper and browse a bit especially at the "Area" reports. (It is humour and is intended for 18+)
One of the interesting news stories of 2008 that I can think of is the Dan Kaminsky DNS issue that made headlines for all sorts of reasons. DLP made headlines. TJX made headlines.
What is more interesting is what didn't.
Here are some bits of news that you won't see:
"Company patches all servers"
"Awareness given at Company. Stronger passwords result"
"Good user management led to less options for Hackers"
"Antivirus updated led to viruses being blocked"
What did make the headlines today (thanks to Amrit and Dominic for alerting me to this... everyone will be talking about it soon) is the attack on MD5 certificates that makes trusting Web Certificates less of a good idea. The information is here, but this is a big deal so expect this to make the news.
The thing is, that this yields big rewards for the hackers but is also a lot of work. Social engineering methods such as bogus email, phishing, fake antivirus etc are so much easier to do and have big enough rewards as it is. So too do worms and the like that attack old vulnerabilities that should already be patched.
My thought for the year is thus:
Hackers are mostly successful by exploiting the boring holes and really do not have to work hard at all. By using tools that are already available such as Firewalls, IPS, Antivirus and doing the boring bits such as choosing strong passwords, updating patches, updating antivirus patterns and being aware of which mails we should not open - we win 90% of the battle already.
I think next year will be very very interesting for us. I hope everyone reading this has a great 2009!
In typical Security Thoughts style, here is an Information Security story that relates to the holidays.
It seems that, in Germany, a company sent a Stollen, which is a traditional German Christmas cake to a newspaper via a courier company. Two subcontractors decided that they wanted the cake so they took it and replaced it with another parcel.
This parcel just happened to be confidential data with banking transaction details and it managed to find its way to the newspaper in place of the cake. Obviously, the newspaper was happy with their Christmas present and printed the story. The bank was not so happy.
I think that the theme for 2009 will be "Third Party Security" but in the mean time I wish you all a pleasant holiday and please be responsible if you decide to have a drink or two.
In the interests of showing the world that I am not perfect, I just had to Blog about this incident.
I sent an email with an attachment out to the wrong person. It's the classic case of autocomplete messing up - typing some letters and recognising the person's first name. Click send and then realise your mistake when the wrong Jason (it wasn't Jason in this case...) sends back an email asking "huh?!"
It's one type of "oops" that DLP is supposed to prevent.
The interesting part of it all was that the email went out (of all the people in the world) to the sales rep I've been dealing with who has been trying to sell me DLP...
I guess this just makes it more difficult to say "no".
If you are like me and like to know how the future of IT will impact Information Security then one Blog that you have to read is Rational Survivability by Chris Hoff.
He has a rather "interesting" writing style but his content is amazing. He is a strong voice of reason in how Virtualization, Cloud Computing, etc etc which are all the new buzz words can seriously impact Information Security unless controls are built in.
His latest post is about a new concept where the latency of network flows is measured. If a Service is suffering from latency then the Virtual Machine that the Service runs on is moved closer to the User of the Service. Latency is gone. It is an interesting concept and obviously has Security implications which Chris goes into.
I pretty much agree with most of the post but I would like to introduce a new angle on it:
In my last post I introduced a concept that I gave a lot of names. The one I liked the most is Context Sensitive Information Protection (CSIP). I didn't invent the idea but I think I outline it quite nicely in that post. Basically the concept is that everything on the network is aware of what Information is being accessed and acts accordingly. Add this to the concept in Chris's post and your solution becomes secure again.
I think I need to come up with an example. Watch this space.
DLP is made up of two main parts - the "knowing" part and the "watching/blocking" part.
The "knowing" part is built up over time and is generally an understanding of what a piece of information is. Generally, the systems look at a document and label it but it is becoming apparent that the meta-information is also very important. Who is sending it, where is it going, why would someone be using documents at midnight, etc etc.
In an earlier post of mine I wrote that what we now know as Information-centric Security (and I fully support this) will develop into what I called "Process-centric Security". I think I'm going to trademark BCS (also Business-process protection (BPP), Business Process Security (BPS) and Context Sensitive Information Protection (CSIP)). This is the ability for some system (let's call it DLP) to know what is happening to a document and why.
DLP as we know it today then takes this information and implements some action - block, report, log, etc based on whether the actor is allowed to perform the action or not.
Recent developments in the DLP world (See Dominic's comment and Securosis comment) have changed this for the better. Now, DLP does the first bit ("knowing") and passes on the second bit ("blocking") to another tool - a DRM tool. The blocking bit can be done by all sorts of systems and this is where it gets interesting - set up the switch to block, the firewall to block, the mail server to block (and send a "sorry but..." mail), the IPS to block, the PC to block, the application to block, etc etc.. essentially everything can be set to block access to some sort of functionality for documents based on what the DLP Server tells them to do.
Further, all these systems can be set to inform the DLP System what is happening too.
Your network and everything on it becomes aware of how the business works and helps it along, preventing what shouldn't be happening.
The box that makes the ultimate decisions and keeps the database of "good" processes (call this the DLP brain) will not go away. The part of the DLP that enforces and monitors will become part of the network infrastructure and will become a feature of everything from switches to software applications.
DLP as we know it today as a product and fully enclosed system will die off and DLP as a ubiquitous system with tentacles into everything will be born.
My Blog runs on Blogspot which is a free service but I am currently paying for my homepage and assorted other internet services.
These come to about R200 ($20) a month and I figured that I'd use my blog to generate some of that.
So, I have added an advert at the bottom of this Blog. I hope it is out of the way enough that it doesn't distract from the Blog message. I may add an advert along the side of the Blog too.
Hopefully these will bring in some money to make my online life a little cheaper. I hope no one feels offended and I'd love to have no advertising but it seems that I need to sell out to The Man.
Ever since Richard Stiennon came out with his "IDS is dead", he started a trend which even he subscribes to by declaring any big technology to be dead. I really believe though that Information Security products go through a cycle.
I was explaining this cycle to Dominic White a couple of weeks back and we were rudely interrupted by the meeting that we were in fact attending. Had I managed to finish then maybe he would be able to answer the question he asks on his blog. (This is also assuming that he agrees with me, which is not a foregone conclusion.)
The first part to any Information Technology solution is to slide the technology in, causing the least amount of pain for users and fixing the maximum number of problems.
Example - Firewalls back in the old days were open by default and as problems were detected, the Admin would close ports and fix routes until the problems were gone. I call this Generation 1. This worked fine until the admin work was too much and firewalls started being configured closed by default and opened as needed (Generation 2). I think that the third generation of this is "closed by default, opened for business reasons". We may think we are there but we are not really.
If you use a tool like Websense or SurfControl to control web browsing then you'll be at Generation 1 for browsing. Antivirus is Generation 1. Email is Generation 1.
I believe that we will see a jump to Generation 3 for all of these tools but the uptake will be very slow.
Generation 3 is where every action that someone takes has a strict business reason. A user sends an order to a supplier. The email system knows who the user is and whether they should be ordering something or not. Based on that - the email goes through.
Does this sound like some sort of workflow application? Bingo!
Now, consider DLP and DRM... DLP is Generation 1 - allow everything and block bad things from happening. DRM is there too - let your staff decide what restrictions to put? Doesn't work. Put them together and you get closer to Generation 2 (assuming that you are pretty tough with your DLP rules - otherwise - why waste your time?). Generation 3 is where things get interesting - Dave in finance creates a document and labels it "financial results". Workflows are built up automatically around the document and are enforced as such:
The file server is configured to allow only Finance people to access the document. Auditors can open the document but make no changes. The firewall will not allow the document out of the organisation, the mail server will not allow the document to be sent out. The antivirus (horrible word - very Generation 1.. let's use "application handler" for Gen 2+) will only allow certain programs like Excel to access the document. Anything else is blocked and an alert is fired up.
At a certain date the document is "allowed" to be sent to the communications department who can't make any changes.
You may have a DLP box watching what is happening. You'll certainly have a box with policies and workflows on it (I have a feeling Microsoft want to control this) but everything from smartphones, routers, switches, mail servers, PCs, programs, databases will be "process-aware".
DLP will become part of the "defense in depth" solution but everything will have content protection built in. Welcome to the future.
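A worked version of the "financial results" workflow above, which also shows the "knowing" and "blocking" split from the DLP post earlier on this page: the brain keeps the label-to-workflow database, the enforcement points (file server, application handler, mail server, firewall) ask it what to do and report back into an audit trail. This is an added illustration, not code from this blog or from any DLP or DRM product; the departments, programs, addresses, dates and the policy rules themselves are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    ALLOW_READ_ONLY = "allow-read-only"  # hand over a copy that DRM keeps read-only
    BLOCK = "block"
    BLOCK_AND_ALERT = "block-and-alert"


@dataclass(frozen=True)
class Request:
    # The meta-information an enforcement point knows about one access attempt.
    enforcement_point: str  # "fileserver", "apphandler", "mailserver" or "firewall"
    user: str
    department: str
    operation: str  # "read", "write", "open" or "send"
    target: str = ""  # recipient address for "send", requesting program for "open"
    recipient_department: str = ""  # the mail system knows who the recipient is
    when: date = date(2009, 1, 15)


@dataclass
class Policy:
    # The workflow built around one label (constructed rules, not any product's).
    owner_department: str
    read_only_departments: set = field(default_factory=set)
    allowed_programs: set = field(default_factory=set)
    internal_domain: str = "example.com"
    scheduled_release: tuple = ()  # (department, date from which it may receive a copy)


def entitlement(policy: Policy, department: str, when: date):
    """'full', 'read' or None: what a department may do with the document on a given date."""
    if department == policy.owner_department:
        return "full"
    if department in policy.read_only_departments:
        return "read"
    if policy.scheduled_release:
        release_to, release_date = policy.scheduled_release
        if department == release_to and when >= release_date:
            return "read"
    return None


class DlpBrain:
    # The "knowing" half: label -> policy database plus the audit trail fed back to it.
    def __init__(self):
        self.policies = {}
        self.audit = []

    def decide(self, label: str, req: Request) -> Action:
        policy = self.policies.get(label)
        if policy is None:
            action = Action.BLOCK_AND_ALERT  # closed by default: no process behind an unknown label
        else:
            action = self._apply(policy, req)
        self.audit.append((req.enforcement_point, req.user, label, action))
        return action

    def _apply(self, policy: Policy, req: Request) -> Action:
        if req.operation == "send":
            # Mail server and firewall: the document never leaves the organisation.
            if not req.target.endswith("@" + policy.internal_domain):
                return Action.BLOCK
            department = req.recipient_department  # inside, the recipient's entitlement decides
        else:
            department = req.department
            if req.enforcement_point == "apphandler" and req.target not in policy.allowed_programs:
                return Action.BLOCK_AND_ALERT  # only the listed programs may open the document
        what = entitlement(policy, department, req.when)
        if what == "full":
            return Action.ALLOW
        if what == "read" and req.operation != "write":
            return Action.ALLOW_READ_ONLY
        return Action.BLOCK_AND_ALERT


def financial_results_scenario() -> dict:
    """Dave's 'financial results' document run through the workflow (constructed data)."""
    brain = DlpBrain()
    label = "financial results"
    brain.policies[label] = Policy("finance", {"audit"}, {"excel.exe"},
                                   scheduled_release=("communications", date(2009, 2, 1)))

    def mail(to, recipient_department="", when=date(2009, 1, 15)):
        return Request("mailserver", "dave", "finance", "send", to, recipient_department, when)

    steps = {
        "finance writes on file server": Request("fileserver", "dave", "finance", "write"),
        "auditor reads on file server": Request("fileserver", "ann", "audit", "read"),
        "auditor tries to write": Request("fileserver", "ann", "audit", "write"),
        "mail to an outside address": mail("someone@rival.example"),
        "mail to communications too early": mail("pr@example.com", "communications"),
        "mail to communications on release": mail("pr@example.com", "communications", date(2009, 2, 2)),
        "opened with excel": Request("apphandler", "dave", "finance", "open", "excel.exe"),
        "opened with ftp client": Request("apphandler", "dave", "finance", "open", "ftp.exe"),
    }
    return {name: brain.decide(label, req) for name, req in steps.items()}
```

Every decision, allowed or not, lands in `brain.audit`, which is the "inform the DLP System what is happening too" part of the earlier post.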
My job usually involves the normal, boring day to day security stuff and so I don't want to bore my readers (both of them) and give away company secrets. So, I like to stay ahead of the game and blog about what the future holds.
I honestly still think that the past is where we are heading (see my earliest posts). Actually, I think that the future will be summed up thus: "New exciting technologies; good, old-fashioned security".
Some of my most valuable sources are Gartner, Securosis and Rational Survivability. They don't all agree but I use the best of each to make up my own mind.
One technology that all of them have touched on is "Cloud Computing".
This is a lovely concept which has no formal definition. Essentially, it seems to be this: you take all your systems and send them out somewhere to some company who will then host the systems for you. By "systems", I mean applications or technical functions.
The level of control that you have is very variable too but I think that one of the benefits of cloud computing is that you give up having to worry about the nuts and bolts and focus on the benefits. This is wonderful but it can also be a curse - you lose control of your processes and the protection of your data.
For a company that makes widgets not to have to take care of a data center, is excellent. And, you get to leverage off best practices in that you use experts in their own fields to manage your IT. So, you use a dedicated mail place (like GMail or Hotmail), a dedicated storage place, a dedicated CRM place, etc.
Those places can use economies of scale so that it gets cheaper the more people who use their services.
Everyone wins. And especially nowadays that CIOs (at the request of CFOs) are looking to bring their costs down.
The main issue is one of Security. Although, connectivity could be an issue as well. (Your link goes down and you are at the southern most tip of Africa and your presentation is on the other end of a broken link, in North America.. the CEO is waiting..)
But back to Security.
Obviously a company that holds private information for a number of companies would be a target for online criminals so you'd be giving your information to a company that is a target. More than that - you still hold the risk if the information is leaked but you lose the control of knowing where the information is at any one time or what is happening with it. You really only have the company's assurance that they will take good care of your information for you.
It seems that a great number of Cloud-providers are very vague about what security measures they have in place. There is one that stands out for me though - BoardVantage. I don't use their service (or have anything to do with them really) and have no idea how secure they are but they certainly claim to be very secure - they detail what their controls are and they have had a SAS70 type 2 audit done.
Assuming that they do everything that they say that they do - they are streets ahead of most corporate networks. Going by Verizon's Breach report thing - most companies are breached by methods that are very simple and vulnerabilities that have patches that are very old. So, it may be more secure to use this company than to keep the information on your own network.
PS. I know that there is no one Cloud but as things stand at the moment most "clouds" are really walled gardens (confused yet?) and so each provider takes care of their own part of "the cloud".
The answer is that you would have to really consider using a "cloud provider" instead of dismissing them off-hand. And if all major "cloud providers" became more secure then security would not be something holding this idea back but could be a good reason to investigate using the cloud.
Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.
Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.
Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvos and like order.
But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.
Now, let's consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.
If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?
So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.
I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that it where the money is easiest to steal.
The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...
Here is a quick poll to see which generation you are in:
1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?
The answers are as follows: 1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.
2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.
3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.
4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.
5. And do you want your staff to use them? And if they do, what can they put on them? What are they putting on them?
6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.
7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but it's the ones that are pushing information out of your organisation that are sneaky enough not to have signatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).
8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targeted and usually do their worst before a pattern is out.
9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but almost everything runs on port 80 anyhow so the Firewall should be configured but it doesn't keep us safe - more work needs to be done for that.
I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.
There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.
And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.
This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.
In my blog in July, I predicted that we would be seeing a perfect storm as cyber criminals start to see diminishing returns on PII (credit card info, mothers' maiden names and the kind of things they have been going after up until now) and thus start looking at the business information that they have been ignoring.
"Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division."
As I said in my original article - the only problem with this is the establishment of a market. The cyber-criminals have established a very viable underground trading system but they now need businesses to want to dip their toes in something that is highly illegal. It seems this is happening.
The scary thing is how much information is actually being pulled out of the organisation. The criminals are literally dumping everyone's My Documents directory with no real aim to a storage facility outside of the organisation and yet the companies are not aware of this.
My advice? Take measures now while the enemy are just getting established. How you manage to protect your employees' and customers' PII will determine how well you survive the next part of the battle - your company secrets.
Also, don't be tempted to get information on your competitors from shady people. They may just be doing the same thing to you.
PS1: (PII = personally identifiable information - anything that can be linked to a person and is usually stuff you don't want the public to know like your credit card details, address, salary, health, etc)
PS2: Thank you to TaoSecurity for the story. Read Richard Bejtlich's post for more information. His take on the story is that it is all to do with money. Of course it is, if you think information security is about antivirus and firewalls then you are truly wrong.
So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.
My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.
This may sound counter productive but in these tough times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.
If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.
Information Classification is key. As is awareness.
My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.
I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.
I'm not really one to toot my own horn but I wrote this blog entry to thank a number of people who made my speech possible.
Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.
I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.
When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.
Last year in October a salesperson at Telkom phoned to let me know that my phone exchange supports ADSL and do I want to upgrade my line to have ADSL?
I did the maths and worked out that it would be cheaper for me to have ADSL and have the benefit of all-time-on access to the Internet.
So, I applied and a few days later my application was processed and I had an application number. It all got to the point where I had the modem connected and ready when a technical person at the exchange noticed that "no, the exchange is potentially ready for ADSL but was not, in fact, ready."
"But, good news, there is a project to upgrade the exchange to be ADSL capable. It should be done by latest end of December 2007."
That became end of January, end of February, end of April... then it jumped to end of June.
Now it is scheduled to be completed by the end of April 2009.
The way things are looking - I'll probably be celebrating the second birthday of my ADSL application this time next year... many happy returns.
Symantec bought out MessageLabs and is (in their own words) "combining MessageLabs’ deep expertise in the SaaS market with Symantec’s rich portfolio of technologies".
The interesting thing is that Symantec does not really lead in the anti-virus market (in terms of quality, not market share. All antivirus products are about the same) or antispam (MessageLabs is excellent here).
So, what could they possibly bring to the party that MessageLabs doesn't already have?
DLP.
MessageLabs has DLP but it is very simple and not really worth very much. The framework is certainly there though. Add some good DLP and voila - you have a product that is worth something.
So, Google have released a new browser called Chrome...
What does that mean from an Information Security perspective?
Not very much and a lot, depending if you are looking at the short term or long term.
So, let's get into the short term - there is a new browser. It will have bugs and vulnerabilities. These will be exploited.
Most of the browser is based on webkit which is sorta what kde uses and sorta what safari uses and sorta what a number of cell phones use. It is becoming browser number 4 after IE, mozilla/firefox and opera. This means that hackers (online criminals) will start to notice the browser (if they haven't already). Assuming that the open source promise (many eyes make fewer bugs) stands true and that Google will be quick with patches then this is merely part of the daily application vulnerability race. And if Google is quick with patches then this browser should not be any more unsafe than the others.
There are a few extra security features in this browser - that is always a good thing. For more information read here. Of course the feature that is most interesting - "each-tab-running-separately" has been compromised.
So short term - move along, nothing to see here. Let's move on to the long term...
What is most important in my mind for the long term is the "why" of this browser - why would Google want to jump into a market where they can't be the biggest or the best or even a very effective niche player? Especially since they have a good relationship with Firefox and their product is almost entirely webkit? And their browser is essentially all open source so all the good bits will be analysed and added to Firefox anyhow or improved upon and added to Firefox.
The answer is simple - Google want their browser to fail.
Huh?
Well, that may be a bit unfair but they really don't care either way.
Google is the search engine leader. They are also slowly becoming the Internet. This blog is hosted by Google, its feed is hosted by Google. If I need to host video, pictures, sound etc then I would probably choose Google - they are really good at hosting and why bother looking elsewhere when I already have a Google account?
So, almost all of my public information is hosted by Google. What about my private information?
Well... no.
That is all stored safely on my laptop for five reasons -
I don't trust Google.
I don't trust the Internet.
The tools for creating private documents are so much better than the online ones.
I can get to my documents when I am offline.
The Internet is too slow.
But a lot of my computer day is spent in Microsoft Office. That is a lot of advertising opportunity lost. And if Google can access my personal files then they will have a better idea of what adverts to send my way. Which in turn will make their advertisers happier and Google stock go up.
And all it would take is sorting out the above 5 points.
I was going to go into each one but this post is already getting quite long. Just note that the three features that are most important in Chrome are:
Security and stability
Offline application mode
Fast running and standards based application engine
In other words - helping to make it easier to use Google's online applications. Most of the factors are going to be taken care of with Chrome and its kids.
What will happen is that Firefox will catch up with Chrome but Google won't care what you use to access their online applications - just as long as you access them. And that is their game plan.
What this leaves is the final question - all things being equal - is your information more at risk on Google's servers or on your laptop at home?
That is a good question but one we should be looking at.
It's time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.
This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.
Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.
There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.
So far, it seems, the community has been quite lazy and has just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).
This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that have credit card information have been the ones most under attack, but those that don't handle credit card information have largely been ignored by hackers, except for some members of staff who have been caught out, and then they have only lost their own personal information.
There just really isn't a (black/underground) market for information that is not credit card or personal finance related.
However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.
Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while; my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information?
Adrian Lane from Securosis thinks that the falling prices in the underground economy are humorous. I disagree. I look at it as very scary and the final puzzle-piece.
I think that the perfect storm is about to be unleashed.
I've been thinking about this for a while but this blog post by Pascal Meunier pretty much sums up my feelings about Virtualisation.
Back in the 90s when the Internet was new-ish and just becoming important all the machines running it were Unix boxes. (Maybe not all, but most). And a 386 would typically run DNS, sendmail, telnet (shell accounts), ftp and apache. All on the same box.
Security wasn't so tight in those days but it was usually good enough and the box could happily do what it needed to do.
Along came Microsoft and produced the idea of "one box - one service". You can't seriously consider running your domain controller as a file server. What are you thinking? And to put mail on the same box? No way. In fact, your SQL server is running under significant load, chain a few together.
And companies would buy into this concept. Microsoft were happy - more licenses. All the PC guys were happy too - more money. More complexity - more jobs.
Essentially what has happened now is that Moore's Law has kicked in and has caught up with the complexity of Microsoft's software to the point where one server box can run multiple applications on it. Imagine that. But Microsoft has planted the one-service-one-box concept so well that it is now part of IT law. File server and mail server on one box? But wait...what's this button over here....? Vir-vir-virtualisation.
And now we have the tools to allow us to once again run multiple applications on one server without having to admit that one-application-one-server never made sense.
To be fair - Virtualisation does have other advantages - running multiple Operating Systems for example, being able to easily move a virtual machine from one box to another (without configuration issues), being able to make a snapshot backup of a system.
But running multiple applications on one box is not a huge win.
As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations.
He has found an example of what Bruce Schneier calls movie plot security. What is also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong ... we put in something different. Ad infinitum.
(The name "whack a mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)
This is a solution but it's not the best solution. And in case you think that it is a terrible solution think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc etc are... point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.
The one technology in the above list that is unfairly listed is Firewall. Best practices state that you should block everything and enable only what you need. But in the past Firewalls were generally configured to block only what was bad and to open up everything else. Then they started to "by-default" block everything in and allow everything out. We have learned our lesson with Firewalls.
Antivirus too is starting to move from a "detect and delete the following..." to a "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."
Note the move from "allow all and block specific known bad" to "block all and allow specific known good".
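To make the two models concrete, here is an added example (written for this page, not code from the original post) that runs the same constructed traffic through a default-allow blocklist and a default-deny allowlist. The hosts, ports and rules are made up; the point is the fourth flow, a service nobody wrote a rule for, which the blocklist passes and the allowlist blocks.

```python
"""Added example (not from the original post): the same traffic evaluated under a
default-allow blocklist and a default-deny allowlist. Services, hosts and ports
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a firewall sees it."""
    dst: str
    dport: int
    proto: str = "tcp"


def _match(rule, flow):
    """A rule is (dst, dport, proto); "*" in any position is a wildcard."""
    dst, dport, proto = rule
    return ((dst == "*" or dst == flow.dst)
            and (dport == "*" or dport == flow.dport)
            and (proto == "*" or proto == flow.proto))


def default_allow(flow, block_rules):
    """Old model: block only what is known to be bad, pass everything else."""
    return not any(_match(r, flow) for r in block_rules)


def default_deny(flow, allow_rules):
    """Current model: block everything, pass only what is explicitly needed."""
    return any(_match(r, flow) for r in allow_rules)


# Constructed policies. The blocklist knows about a few bad ports; the
# allowlist names the only services the business actually needs.
BLOCK_RULES = [("*", 23, "tcp"), ("*", 135, "tcp"), ("*", 445, "tcp")]
ALLOW_RULES = [("*", 80, "tcp"), ("*", 443, "tcp"),
               ("mail.example.internal", 25, "tcp"),
               ("dns.example.internal", 53, "udp")]

# Constructed traffic, including a service that appears in neither list.
SAMPLE_FLOWS = {
    "web": Flow("www.example.com", 443),
    "smb": Flow("fileserver.example.internal", 445),
    "new_service": Flow("203.0.113.9", 31337),   # unknown: no rule anywhere
    "smtp": Flow("mail.example.internal", 25),
}


def evaluate(flows=SAMPLE_FLOWS):
    """Return {name: (passed_by_default_allow, passed_by_default_deny)}."""
    return {name: (default_allow(f, BLOCK_RULES), default_deny(f, ALLOW_RULES))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:12s} default-allow={'pass' if old else 'block'}"
              f"  default-deny={'pass' if new else 'block'}")
```

The blocklist can only ever be as good as yesterday's list of bad things; the allowlist needs no update to block a service it has never heard of, which is the whole argument for "block all and allow specific known good".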
I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.
And on top of that allow for agility.
This is not impossible but it won't be easy. But there won't be turn-key technology solutions to be able to achieve this.
Dre wrote an article in which he put the argument down that the CISSP is on its way out. What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go.
I disagree. I am a CISSP and an InfoSec "generalist" but that is not why I disagree.
I love it when I read a blog and then read another about a totally different topic but that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about how many meetings he attends.
While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day not in meetings. And I love it. Every meeting that I attend makes me more educated about how the business I work for works. I also give my input and hopefully impress on all the people just how important protecting information is.
Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.
There is a need for people who can configure security devices, perform Active Directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. You want them working on the systems that they know well.
You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.
It is my belief that this person is not just important for a large organisation like the one I work for but even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee but it is important.
The person does not have to be a CISSP but it is a good way to show that they are interested in an InfoSec career.
On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some, they are techies and are really good at what they do and they have no desire to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.
I just realised how verbose I really am. I have written a few posts about what I think the future of Information Security will be and it seems that I am in total agreement with Gartner. The problem is that it has taken me many posts and much typing to put onto the Internet what Gartner sums up in two sentences:
“The next generation data center is adaptive – it will do workloads on the fly,” [Neil MacDonald, vice president and fellow at Gartner] says. “It will be service-oriented, virtualized, model-driven and contextual. So security has to be, too.”
I particularly like the term "model-driven". I have been using "process-centric security" to describe my vision which I believe is an extension of "info-centric security".
Since I read this post by Andy Willingham I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head. Today, I had some time and started going through my blog list and saw this article by Jeff Lowder and then I knew I just had to write this article.
It's amazing how two people can take in the same story and both get similar but different conclusions out of the story.
Andy basically relates the story of how Henry Ford lost out on market share because he was not prepared to make cars of different colours. He was basically so in the “make it quick and cheap” mindset that he would rather lose out to everyone else than change his beliefs.
You can read Andy’s article for his take on the story but I’m going to relate my take on the story.
Basically Henry Ford had an idea and it literally changed the world. For better or worse – cars are now cheap because of what he did. He missed out on the next step (making cars of different colours) and lost a lot of market share.
But bringing the conversation back to Information Security and IT – computers are now cheap because of efforts by companies such as Microsoft and IBM and Intel to make computers accessible to the man in the street. Of course, in doing so they have made Information Processing (creating information, storing it, working with it, moving it) very messy. Information flows all over and some of it gets lost and falls into the hands of people who shouldn’t have it. This is very similar to the mess of Car Manufacturing that Henry Ford was faced with. He then realised that getting rid of the mess and flurry that making a car entails and formalising the process would mean that cars could be made quicker. And with better quality.
I think that the next step for Information Security is proactively improving business processes so that Information Processing and hence Business Decision Making can be done with the minimum amount of “mess” (think maximum amount of CIA).
The problem with doing this is that Information Security will start to make the business slower and more restricted as processes are followed.
HOWEVER, and this is where Henry Ford went wrong, once the Information Security Nirvana state is achieved (and this is possible) that process can start to expand in ways that were not possible before. This is where the holy grail of ROI starts to show itself.
It takes some serious introspection to get to this point – if a business does not know what all its processes are (or should be) then the general feeling is to allow everything. Once it is known what the process should be then it is possible to manage the availability of information, the confidentiality and the integrity. More importantly you should be able to know who does what and what Information they need to do it.
We can also then know what the process should be doing and add in the nice-to-haves over time making the organisation more agile.
I guess the whole point of this post is that the fight is not “Information Security vs Ability” but “Knowledge vs. Ignorance”.
Henry Ford got to the point where his organisation (at least the manufacturing part of it) was self-aware and everyone knew what their part in the process was. He reached Nirvana but he never took the next step – expanding the process to be more agile.
I believe that the race is on now to get our Organisations to the "Nirvana" point by introspection and using Information Security to tie processes down. And then to take it one step further by expanding the process and beating competitors.
Ok,ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with Info-Centric Security.
So, what do I elect to replace this with? Process-centric Security.
I think that as we get closer to Information Security Nirvana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila we have all the information (process, standard, information classification, user details, etc) that we need to properly define and hence secure a process.
If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thinking of the repercussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.
And, by the way, Information Centric Security is not really dead... it's just part of this larger idea, just like IDS is part of IPS.
I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years.
This will take some time to secure and will take some time to get accepted but this is (IMHO) coming so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there.
This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be.
WEB 1.0 This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people.
Web 2.0 This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to web 1.0 thinking. Information is swopped but format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data.
Web 3.0 This is the new buzzword but I think it is merely more extreme web 2.0. Early examples of this are Yahoo Pipes, facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. I think that the tools have not been developed or have not been properly developed.
Web 4.0 Cloud computing. This has been around for a while but it will soon come into its own. Combine GMail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc all have their own versions of the above and there will probably be some small niche players too.
Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup and works wherever you are. This is exciting stuff but the assumption is that your data will be safe.
This is a bad assumption. This is Information Security's next headache. The problem with this is that like wireless and portable devices and USBs and the Internet etc etc.. cloud computing will happen. Businesses will need to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc are already terminally ill, it is just a matter of time...
The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network.
Of course, cloud computing is a walk in the park compared to what will be next:
Web 5.0 This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and BitTorrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-be-published annual results is split up between a Mac in Japan, an iPhone in Brazil, 3 PCs in the US and a Linux server in the UK. It is XORed with Bill Gates's personal phone list and another 6 people have spare copies. If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of it.
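The splitting and spare-copies idea above can be shown in a few lines. This is an added example for this page, not code from the original post: an n-of-n XOR split of a document across constructed hostnames, with every share replicated on a second host so one machine falling off the Internet does not lose the data. The "annual results" text is a constructed sample.

```python
"""Added example (not from the original post): an n-of-n XOR split of a document
across hosts, with each share replicated so one host dropping off the Internet
does not lose the data. Hostnames and the sample document are constructed."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(data: bytes, n: int) -> list:
    """n-1 shares are random pads; the last is data XOR all pads.
    Every share is needed to rebuild; any n-1 of them are uniformly random."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def reconstruct(shares: list) -> bytes:
    out = shares[0]
    for s in shares[1:]:
        out = xor_bytes(out, s)
    return out


def place_shares(shares: list, hosts: list, copies: int) -> dict:
    """Give share i to `copies` distinct hosts (i, i+1, ...), round-robin."""
    if copies > len(hosts):
        raise ValueError("not enough hosts for that many copies")
    placement = {h: {} for h in hosts}
    for i, share in enumerate(shares):
        for c in range(copies):
            placement[hosts[(i + c) % len(hosts)]][i] = share
    return placement


def recover(placement: dict, n: int, dead_hosts=()):
    """Collect one copy of each share index from surviving hosts.
    Returns the data, or None if some share sits on no live host."""
    found = {}
    for host, held in placement.items():
        if host in dead_hosts:
            continue
        for i, share in held.items():
            found.setdefault(i, share)
    if any(i not in found for i in range(n)):
        return None
    return reconstruct([found[i] for i in range(n)])


# Constructed host names standing in for the machines in the post.
HOSTS = ["mac-jp", "iphone-br", "pc-us-1", "pc-us-2", "pc-us-3", "linux-uk", "pc-na"]


def demo() -> dict:
    document = b"ANNUAL RESULTS (constructed sample): revenue up 12%"
    shares = split_secret(document, len(HOSTS))          # 7 shares, all needed
    placement = place_shares(shares, HOSTS, copies=2)    # each share on two hosts
    return {
        "intact": reconstruct(shares) == document,
        "six_of_seven": reconstruct(shares[:6]) == document,   # missing one share: noise
        "uk_offline": recover(placement, len(HOSTS), dead_hosts={"linux-uk"}) == document,
        # the share held only by these two neighbours is gone with both of them
        "uk_and_na_offline": recover(placement, len(HOSTS), dead_hosts={"linux-uk", "pc-na"}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

Two things the run makes visible: a host holding fewer than all the shares learns nothing (the six-share rebuild is just noise), and availability depends entirely on the replication factor, so the redundancy and the encryption the post asks for are separate design decisions.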
99% of all workstations with up-to-date antivirus.
Antivirus blocks over 99% of all malware.
That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom and to put on the wall. But, yet, a company I know (not the one I work for) still managed to get a virus which brought about some painful downtime.
The virus was one of the 1% that the antivirus doesn't block and it spread through the organisation like wildfire. Essentially the saving grace was that it infected a small part of the network, brought that down and didn't spread from there. Luck. It was also non-destructive other than network downtime. Luck.
The metrics lied.
You could say that there was residual risk but it really looks quite small. What is 1% between friends? But that 1% is precisely what any hacker (or virus writer etc) worth his salt is targeting.
So, where to from here?
I won't throw the baby out with the bathwater. 99% of PCs with antivirus is certainly safer than 50% or 0%. 99% of PCs fully patched is safer than 70% or even 100% of PCs almost fully patched. But 99% of PCs with antivirus is not a guarantee that no virus will find its way to destroying your network. It is important that your boss(es) know this and more important is that you know this.
And have plans in place when the 1% risk becomes reality.
I've written often about all the ways I have met people. My network has certainly grown in the last year between Facebook, LinkedIn, the numerous blogs that I read and the numerous blogs that they all link to.
One place that has certainly been a terrific place to meet smart people interested in Information Security and to harvest some of their ideas are the Security Catalyst Forums. Registration is free and gets you access to some really amazing people.
Each week someone volunteers to sum up the last week's postings and this week is my turn so here goes...
Andrew Hay is doing his CISSP and has been given a lot of advice by the members. Generally it is agreed that cccure.org is a good resource but, always ready to jump in and start new Security Catalyst initiatives, Michael wants to put together a resource for those Catalyst Members studying for the CISSP.
I personally did the official CISSP boot camp training course and found it well worth doing. I bought the official ISC2 guide but found it to be too wordy and technical. It is a great resource though and I have used it many times since my exam but at 10pm after a day's work it is the last thing your eyes want to see.
Education seems to be a theme at the moment - Didier Stevens wrote his GSSP-C exam and Kevin Riggins is debating doing a Masters in Information Protection/Assurance.
Information Security is slowly becoming so much more than just Firewalls and Antivirus and the education needed is becoming vast. I think it has already come to the point where it is impossible to know everything and practitioners now need to work out what section of Information Security they want to get into.
I personally am interested in the management side of InfoSec but if I choose that then I will not be able to get deeply into any particular part of InfoSec anymore. I have my CISSP and would love to get a Masters like the one above; GSSP-C would be too restrictive for me, but to each his own. Well done Didier and good luck Andrew, Kevin and all those that are looking to grow their knowledge.
Don Weber raises an interesting question - should businesses be monitoring search queries via their proxy servers? My feeling is that yes, they should. Companies should monitor everything and they have the right (in South Africa at least) to do so. However, (there is always a however with me) context is everything. One has to use the information that one gets from logs as a guide and try to understand exactly why someone browses so much or such strange sites or whatever. I believe that Information Security has to become a central part of the organisation and has to make connections with all departments. All browsing issues must be driven by HR with technical and policy help from InfoSec.
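For the "use the logs as a guide" part, here is an added example (written for this page, not from the post or the forum thread) that pulls search queries out of proxy log lines and rolls them up per user, which is the kind of summary InfoSec would hand to HR rather than a raw dump. The log lines are constructed in the layout of Squid's native access.log; the query parameter names (Google's q, Yahoo's p) are the only real-world specifics assumed.

```python
"""Added example (not from the original post): extracting search queries from
proxy logs and summarising them per user so they can be read in context.
The log lines below are constructed in Squid's native access.log layout."""
import collections
import urllib.parse

# host -> query-string parameter that carries the search terms
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.google.co.za": "q",
    "search.yahoo.com": "p",
}

# Constructed sample log. Fields: time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1199145600.101   245 10.0.0.12 TCP_MISS/200 5123 GET http://www.google.com/search?q=quarterly+results+template&hl=en alice DIRECT/203.0.113.10 text/html
1199145610.202   180 10.0.0.12 TCP_MISS/200 4711 GET http://search.yahoo.com/search?p=vpn+client+download alice DIRECT/203.0.113.11 text/html
1199145620.303    12 10.0.0.12 TCP_HIT/200 2048 GET http://intranet.example.internal/wiki/Main_Page alice NONE/- text/html
1199145630.404   301 10.0.0.21 TCP_MISS/200 5002 GET http://www.google.co.za/search?q=firewall+rule+review bob DIRECT/203.0.113.12 text/html
this line is garbage and should be skipped
"""


def parse_squid_line(line: str):
    """Return the fields we need, or None if the line does not fit the layout."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    return {"ts": ts, "client": f[2], "url": f[6], "user": f[7]}


def search_query(url: str):
    """Search terms if the URL is a known engine's results page, else None."""
    u = urllib.parse.urlsplit(url)
    param = SEARCH_ENGINES.get(u.hostname or "")
    if param is None or not u.path.startswith("/search"):
        return None
    values = urllib.parse.parse_qs(u.query).get(param)   # parse_qs turns '+' into spaces
    return values[0] if values else None


def summarise(log_text: str = SAMPLE_LOG) -> dict:
    """Per-user request count plus the search queries seen, in log order."""
    report = collections.defaultdict(lambda: {"requests": 0, "searches": []})
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash the report
        entry = report[rec["user"]]
        entry["requests"] += 1
        q = search_query(rec["url"])
        if q is not None:
            entry["searches"].append(q)
    return dict(report)


if __name__ == "__main__":
    for user, stats in summarise().items():
        print(user, stats["requests"], "requests;", "searches:", stats["searches"])
```

The summary deliberately keeps the request count next to the queries: a handful of odd searches inside thousands of ordinary requests reads very differently from the same searches on their own, which is the "context is everything" point.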
There were other discussions, jobs posted and conferences listed but I'm not going to go into them all. The last thing I'd like to say is that I asked a question on the Security Catalyst Forums and got some quality replies - all different but all quality that will allow me to do my job that much better.
It has been quite a quiet year for me blog-wise and it is not because I have been busy.
Quite the opposite. It is because really I haven't been busy.
And, strangely, now that I have moved jobs to a job where I have more responsibilities and less time I think I will blog more. I have more to think about and more to say.
My new job is very interesting. I have been dropped in the deep end and told "swim". At the moment I am still trying to work out what has been done and what still can use the Allen-touch.
Expect some good postings over the next few months and years.
As per usual - you won't get juicy details about my new employer and all thoughts, mistakes and general views are my own.
The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.
I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.
The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.
I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.
The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.
The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.
I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is - understand why you need to protect yourself, understand how and abide by it. Do it for your company, not because the government demands it.
That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.
While Rich was away he brought in David Mortman who wrote this gem.
I think he hits the nail on the head and together with the article I linked to in my previous post, this is the future of Information Security.
I believe the take-away quote is this:
"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."
I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.
Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.
In the past information was very structured because of disk space issues. Then Moore's law kicked in and information got messier and less structured over time.
Now because of Information Security needs the information has to become tidier and more structured again. But now I think we have tools like XML that will allow us to be able to clean up our mess and be more secure and more productive while not being totally restrictive.
It is a very interesting time and I call it Security 2.0 (even though this term is already used by the likes of Gartner and such.)
This is a copy of a comment I posted on Rich Mogull's website. I thought that my answer clearly shows my present way of thinking about Information Security and the value thereof. I have edited my answer for this Blog Post but the essence is the same.
Rich was answering a question of Scott who assumed that as productivity goes up security goes down and vice versa and at some point there must be a sweet spot where you get the most productivity at the least cost to security. Scott uses the word "obviously".
Your (Rich and Scott) assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity eg where spam is blocked and the user does not need to spend hours sorting email. Alternatively if browsing is restricted and time-wasting sites like facebook are blocked then productivity goes up.
My big security theory (which I wish I could put into practice) is that once companies achieve a security zen state (sorry if that is copyright) when security becomes part of the culture and is built into all systems then it actually increases productivity in a way that could actually help the bottom line.
In response to the original poster - if Information Security is at odds with the processes of the business then either the process is wrong or the information security is wrong.
If you tack on security after the fact your thinking will always be wrong.
Example: A sales-rep is always on the road. Because he lives in the North part of town that is where his customers are. He has a list of customers and their details in his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop and it must be done over a VPN. Sales guy also has to have his laptop encrypted and a password protected screensaver. He can, if he wants to, drive into work and download the information over the network but work is far from his house and his customers.
Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn't. He has to type in passwords every time he needs to use his PC. What a schlep.
But... if you think about the savings in terms of productivity compared to driving to work and getting the information, printing it out and then filing it away at the end of the day (another trip) - the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure and a few extra seconds each time information is needed and a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.
I'm not so sure about this one and I have been thinking about it for too long. If I take much longer my predictions will be very accurate because it will be December and I'll have hindsight.
Online service providers (yahoo, gmail (google), hotmail (microsoft)) seem to take their security really seriously and that is great. I think that they are targets but they are aware of this and they realise that an attack could render them dead. Their business is all about trust and a loss of trust would break their business.
However, the web was never designed to be secure or application-based. It was meant for static pages delivered non-sequentially (images load when they can). This is not a very good base on which to build a service.
I see that the hackers are already playing with session keys and such. My prediction is that this year, or in the foreseeable future, malware (all kinds, including bots) will try to suck session keys from traffic and use them to steal information or perform unauthorised actions on "behalf" of a user. This has happened in the past but I believe that it will become more widespread, targeted and automated.
Example possible attack scenario: "Bob logs onto Gmail from an infected PC. Logging into his account wakes up the malware, which either forwards the session key to the attacker or drafts an email to the attacker from Bob with a list of all his contacts. The attacker sells these good email addresses to a spammer. Or the malware downloads a preconfigured spam message and sends it to all of Bob's contacts. All of this happens in a scripting environment and Bob is not aware of anything strange because no windows pop up."
If this is happening already then I apologise for coming to the prediction party late, and I'll just predict that it will increase until HTTP is replaced with something else, new online standards are developed for services, or it becomes as bad as spam is today.
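The scenario above has two branches: the stolen session key is forwarded to the attacker and replayed from a different machine, or the malware acts inside Bob's own browser session. The following is an added example, not code from the original post, showing the server-side defence against the first branch: a session store that binds each session token to the client it was issued to, expires idle sessions, and revokes a token the moment it is replayed from a different client. The session store, the fingerprint (client IP plus User-Agent) and the audit log are assumptions of this example, not anything the post describes.

```python
import hashlib
import secrets
import time

# Added example: server-side session binding and replay detection.
# Assumed design (not from the original post): sessions are kept in a
# dict-backed store and bound to a hash of client IP and User-Agent.

SESSION_TTL_SECONDS = 15 * 60  # idle timeout; shorter windows limit replay value


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client attributes a session is bound to."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def session_cookie_header(session_id: str, ttl: int = SESSION_TTL_SECONDS) -> str:
    """Cookie attributes that keep the token away from page scripts (HttpOnly),
    off plaintext connections (Secure) and out of cross-site requests (SameSite)."""
    return (f"Set-Cookie: session={session_id}; HttpOnly; Secure; "
            f"SameSite=Strict; Max-Age={ttl}; Path=/")


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self.ttl = ttl
        self._sessions = {}
        # Constructed stand-in for wherever a real application sends security events.
        self.audit_log = []

    def create(self, user: str, client_ip: str, user_agent: str, now: float = None) -> str:
        """Issue a fresh 256-bit token bound to the client that logged in."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user,
            "fingerprint": client_fingerprint(client_ip, user_agent),
            "created": now,
            "last_seen": now,
        }
        return session_id

    def validate(self, session_id: str, client_ip: str, user_agent: str, now: float = None):
        """Return (user, reason); user is None when the request is rejected."""
        now = time.time() if now is None else now
        record = self._sessions.get(session_id)
        if record is None:
            return None, "unknown_session"
        if now - record["last_seen"] > self.ttl:
            del self._sessions[session_id]
            return None, "expired"
        if record["fingerprint"] != client_fingerprint(client_ip, user_agent):
            # The token is being presented from a different client: treat it as
            # stolen, revoke it, and log the event so the legitimate user must
            # log in again and the incident can be investigated.
            del self._sessions[session_id]
            self.audit_log.append(("possible_session_hijack", record["user"], client_ip))
            return None, "fingerprint_mismatch"
        record["last_seen"] = now
        return record["user"], "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("bob", "10.0.0.5", "Mozilla/5.0 (Windows)")  # constructed client
    print(session_cookie_header(sid))
    print(store.validate(sid, "10.0.0.5", "Mozilla/5.0 (Windows)"))
    print(store.validate(sid, "203.0.113.9", "curl/7.0"))  # replay from elsewhere
```

Two caveats a practitioner would want: binding to the client IP causes false revocations for users behind rotating proxies or mobile carriers, so many deployments bind only to the User-Agent and use the IP change as a signal to log rather than to block; and none of this catches the second branch of the scenario, where the malware drives Bob's own browser from inside his legitimate session. That branch is only visible as anomalous behaviour (an address-book export or a burst of outbound mail minutes after login), which is a detection problem on the application side rather than a token-handling one.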
Wow.. that sounds like a good name for a movie "Coming to the big screen in 2008 - Stealth Hackers!"
This isn't really a new thing. Hackers as we know them (and I use the word hacker in the evyl-skript-kiddie-with-toyz way and not the kind-open-source-guru way) are slowly moving toward the idea that "cool, we can make good money from this!"
In the past hacking was really done for the cool stories hackers could tell their friends to get street cred. Events were big and done for the headlines. Hacking was like graffiti - it was out in the open and done so people could see. Hackers didn't want to get caught but they did want their work to get noticed.
I believe that these people are still out there and still trying to do big things. I think that their work is also being converted over to the new types of hackers.
The stealth hackers are not necessarily very computer literate. They take the research and exploits of the big-bang hackers and craft them into tools like malware, rootkits etc. They don't want to get caught, obviously, but they don't want to be noticed either. These are the botmasters who want to use the world's computers to gather information that they shouldn't have. They also want to use computers to send spam, and the longer they can stay undetected, the more money they can make.
There are different levels of technical ability in the realm of the stealth hackers from those that write exploits to those that deploy bots to those that sell information and those that just buy credit card numbers.
I believe that both groups - traditional hackers and stealth hackers will grow in numbers but that stealth hackers will grow much quicker.
For the impatient - Facebook will be hacked. Alternatively, a major Facebook application will be hacked.
Right...the impatient can go now. The rest - read on.
[Personal note first] I decided that my Blog was becoming too important. I have a host of blog posts that are just not quite as well written as I'd like and since my blog is somewhat a reflection of my writing skill (skillz?) I decided that I'd need to fix them up, when I have time... well, I've changed my mind - my blog is now an indication of my thinking skills as it was always intended to be, hence the name. It is an indication of my quick writing skill and how I write under time constraints. So, ignore the strange terms, spelling and grammar. Read the content.
This is also the reason why I don't have a "my top 10 predictions for 2008". There is no list that I am working from - as I think them up, I will blog about them. [end personal note]
Last year when Facebook made their application language available I was very excited and signed up as an "application developer". I even wrote an application which is about the level of complexity of a "hello world" program. I think it is a box that greets the Facebook-er by name. Woopy-doo.
But what I found quite interesting is that the application runs on my server and my database but queries information from Facebook. This makes creating applications so much easier and is probably what led to the Facebook explosion in the first place. However, users may not be aware that every time they add an application they are increasing the risk that their Facebook information can be compromised.
I like to believe that Facebook is big enough to be able to throw money at security. I think that their product is simple enough to secure. So, there should not be too much opportunity to hack into Facebook. I could be wrong. Facebook certainly is a huge target for both those hackers who want to make some good money, those that want email addresses (to spam) and those that want to make a big bang and a name for themselves.
But my money is on a large Facebook application being hacked - it's a way to get in through the back door.
I have been trying to get the motivation together to blog about my predictions for 2008 but I'm not finding it. So, I've decided to break it up into smaller pieces and hopefully that will make it easier.
So, looking back...
2007 started with me being very motivated, excited and happy. It was going to be a great year with lots of promise. It ended with me feeling very down, de-motivated and depressed. But I am still optimistic for 2008 which either means I am hard to get down or just really naive. I guess time will tell.
My first prediction for 2008 is that I will be a very different person by this time next year. And I will be sitting in a very different place. If I am not - I will have failed.
I don't like to get too much into the personal aspects of my job but a lot of the energy I put into getting security to move forward has been in vain and I am feeling that I am now wasting my time trying to move forward. I have put myself into "cruise" mode while I work behind the scenes to improve myself and then with a big bang I'll be back.
There were some really excellent moments in 2007. I think that the most important was when I started my blog. I highly recommend Blogger. I also recommend FeedBurner. Both companies are owned by the big G.
While it helps that I am a member of the network and that drives some views to my blog, it has helped me more to explore and find people on the network. I have been able to populate my RSS feed list from a number of bloggers and I hope to add more. I just need the time.
So, who is honoured to be in my RSS feed?
First up is my brother-from-another-mother - Andy the IT guy. I call him that because he has a very similar job, a wife and two daughters and he has had a very similar career path to me. More importantly, I usually see eye-to-eye with him.
Next up is "Security Mike" - Mike Rothman. The daily incite is an amazing tool to get an idea of what is happening in the security blog world. How Mike can read so much still amazes me. One day I'll have saved up enough. The new Audio is also worthwhile.
Next is (this is the order I read my blogs in - obviously I'd want to get the best first) the Mogull. One can see from his postings just how much research he has done into the security field. They are well written and very useful.
Just as wordy and usually more fun is the Hoff. The Hoff is worth reading because of how he pushes the boundaries of what security (or survivability) is all about. He does not pull his punches and is not afraid to sacrifice a few sacred cows along the way.
There are other bloggers that I respect and read too - Anton Chuvakin, Randy Armknecht, Richard Bejtlich, etc etc
I think that the best part of reading all of the above blogs is that the authors all read each others blogs too. This leads to debates, arguments but hopefully lessons learned.
2007 was also the year that I learned about the Security Catalyst Forums where more debate happens. This just proves how new our industry is and how much passion is being put into finding out the answers. This can only be a good thing.
Locally I've kept up with my visits to ISG Africa which has great presentations every month.
I completed almost 100 blog entries over the year, putting into words my thoughts about our exciting industry. My "70s" entries show where we went wrong in the 80s with our IT plans and how we are putting things right again. My 7 habits show how popular business and life philosophies can be used in InfoSec to move us in the right direction. I will hopefully finish those off shortly. (Prediction 2?)
Thank you everyone who has shared their views and hard work with me via their blogs and forums and I hope all that read this blog have learned something and will continue to follow my progress and read my thoughts.
(I really haven't been doing very well with my blog these past three months.
I aim to do better. My schedule has been totally messed around and time I spent blogging has gone. I do however have more time to read.)
So, with all that out of the way... those that know me know that I am a total Linux Penguin Man, so Bill Gates is not my favourite person in the world. However, he is a great man and has been, I believe, by following this vision throughout his life: from when he was Microsoft's CEO, then Chairman, and now with his charity work.
"To turn caring into action, we need to see a problem, see a solution, and see the impact. But complexity blocks all three steps." - Bill Gates, 2007.
His point in context is that people want to donate to charity but find the complexity of donating too much and they just don't. Alternatively, if they do donate, the money gets used up by supporting complexity and not really for what it was intended.
But there is a bigger picture here. I was involved once in a project which developed a security tool. I saw the bigger picture of how this tool would fit into an organisation but was shot down by everyone in the company from the CEO down because they had a different view. They were too caught up with the technology and didn't see the problem they were trying to solve.
I then did some work for two other companies (not Information Security companies) and again they were too caught up in the technology and suffered from red tape. One closed down and the other struggled along.
Most recently I did work for a company that runs its Information Security department in such a way that it jumps from buzzword to buzzword without really getting more secure.
I think we should all learn from Bill Gates and see what the problems are, simplify them, rank them, and solve them... then move on. After all, he is the richest man in the world and has become so not by giving people the most complicated software but by giving them simple software that solves their problems.
Another post has popped up. This time from The Hoff. I think general consensus is that you will probably disagree with him at some stage, but you have to read his blogs.
Anyhow, he posted a question from someone at a conference he was at:
Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?
My answer to this is the following: Please correct me if I am wrong because I am probably very biased.
A modern business is essentially a group of people who know how to do something. A doctor is a person who knows how to cure people. He has studied and has certificates and such but at the end of the day if he loses his memory - he is no longer able to cure people and is not worth very much.
A little larger - a company that makes car tyres. There are some people who handle the books of the business and manage the investments of the company, manage the money etc. There are engineers who design the tyres and make them the best way possible. There are the sales reps who sell the tyres in the best way possible. The real value of the business is not the tyres and buildings and such... it is the information that the people know. Some of it is in their heads, some of it is in databases. Some of it is just a culture. But take all of that information away and you have a bunch of useless people hanging about and some desks.
Business today is quick. A company can close down in a few months and a new one can be built up in days. It is relatively simple to get capital. It is fairly easy to get premises, phones, cars, etc. It is not easy to get staff who know what they are doing. That is where the real value of a business is.
So, essentially a business relies on its information to stay alive and to grow. If you lose information, a part of the business is lost.
Steve Ballmer knew this when he lost Mark Lukovsky to Google - he was losing some of Microsoft.
The American Government knows this which is why there is legislation making sure companies protect their systems. Information loss is business loss.
So, the answer to the question is - how much is your entire business worth? Take away the net value of the desks and coffee machines and that is how much information security is protecting. HR is involved in protecting the information inside the heads of the staff, so you may want to subtract that.
Everyone in the organisation is either creating information (the CEO, accountants, etc.) or using information to build products or perform services (think craftspeople, packers, factory workers). Only Information Security is tasked with making sure that the information is available and stays inside the company.
Where is most of the information contained? What is most at risk? That is not so easy to answer but is important to us doing our jobs. Should business be concerned? I'm not sure, I don't think so. Should infosec be required to cough up figures so that we can do our jobs? I really don't think so.
Captchas are those weird little blocks with numbers and letters all jumbled up and fairly difficult to read. They are there to check whether the user is a human or a computer pretending to be a human. They essentially prevent hackers from automating things that server owners would prefer them not to automate.
An example: when you sign up for a mail account you have to decipher the captcha before you can have the email account. This is to prevent spammers from signing up for free accounts 100 or 1000 at a time and using them to send spam, repeating the process when they are shut down. Captchas have a lot of negative points but they have been rather effective.
The new malware is essentially a picture of a blond lady who will do a strip show for you. The catch is that you need to decipher some captchas, for each one she has less and less clothing. This sounds like a nice trade-off but each captcha that you enter basically signs a spammer up for a free email account. They are using you (being a human) as the middle man.
I hate spammers with a passion but I have to admit that this is a piece of genius.
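To make the mechanism above concrete, here is an added example of the server side of a captcha check. It is not code from the original post or from any mail provider; the challenge store, the session binding and the per-IP issuance limit are assumptions of this example. Each challenge is single-use (a failed guess burns it, so it cannot be brute-forced), expires after a short window, and is tied to the session that requested it. The per-IP limit on how many challenges are handed out is the lever that still matters against the relay trick: the spammer's bot holds the session and the challenge, so binding does not stop a human elsewhere from solving it, but the bot cannot fetch challenges faster than the server is willing to issue them.

```python
import hashlib
import hmac
import secrets
import string
import time
from collections import deque

# Added example: single-use, session-bound captcha challenges with per-IP issuance limits.
# Assumed design (not from the original post): in-memory challenge store; the answer text
# is returned by issue() so the example can be exercised, whereas a real service would
# render it as a distorted image and keep only the hash.

CHALLENGE_TTL_SECONDS = 120
MAX_CHALLENGES_PER_IP = 5
RATE_WINDOW_SECONDS = 600
ALPHABET = string.ascii_uppercase + string.digits


def _answer_hash(answer: str) -> str:
    """Normalise (case-insensitive, trimmed) and hash the expected answer."""
    return hashlib.sha256(answer.strip().upper().encode()).hexdigest()


class CaptchaService:
    def __init__(self, ttl: int = CHALLENGE_TTL_SECONDS,
                 max_per_ip: int = MAX_CHALLENGES_PER_IP,
                 window: int = RATE_WINDOW_SECONDS):
        self.ttl = ttl
        self.max_per_ip = max_per_ip
        self.window = window
        self._challenges = {}      # challenge_id -> record
        self._issued_by_ip = {}    # client_ip -> deque of issue timestamps

    def issue(self, session_id: str, client_ip: str, now: float = None):
        """Return (challenge_id, answer) or (None, None) when the IP is rate-limited."""
        now = time.time() if now is None else now
        times = self._issued_by_ip.setdefault(client_ip, deque())
        while times and now - times[0] > self.window:
            times.popleft()                      # drop issues outside the window
        if len(times) >= self.max_per_ip:
            return None, None                    # too many challenges requested
        times.append(now)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "session": session_id,
            "answer_hash": _answer_hash(answer),
            "expires": now + self.ttl,
        }
        return challenge_id, answer

    def verify(self, challenge_id: str, session_id: str, response: str, now: float = None):
        """Return (ok, reason). The challenge is consumed whatever the outcome."""
        now = time.time() if now is None else now
        record = self._challenges.pop(challenge_id, None)   # single use
        if record is None:
            return False, "unknown_or_used"
        if now > record["expires"]:
            return False, "expired"
        if record["session"] != session_id:
            return False, "session_mismatch"
        if not hmac.compare_digest(record["answer_hash"], _answer_hash(response)):
            return False, "wrong_answer"
        return True, "ok"


if __name__ == "__main__":
    svc = CaptchaService()
    cid, answer = svc.issue("sess-A", "198.51.100.7")   # constructed session and client
    print(cid, answer)
    print(svc.verify(cid, "sess-A", answer))             # (True, 'ok')
    print(svc.verify(cid, "sess-A", answer))             # (False, 'unknown_or_used')
```

The expiry and the issuance limit are the tunable parts. A two-minute window is long enough for a human at a keyboard but short enough that a relayed challenge that sits in a queue goes stale; the per-IP limit caps how many free accounts one source can register per window regardless of who is doing the solving, which is why providers also watch signup volume per source rather than trusting the captcha alone.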
I found this interesting table on Trend's website which takes the number of spam messages it receives, extrapolates it to estimate total worldwide spamming from an IP range and then reports on the range.
The bottom line is that they estimated that SAIX users (corporate, dial up, sub-ISPs, etc) all sent out about 82 Million spam emails in the last 24 hours making SAIX the 88th worst spam network in the world.
It is scary that so many spams are originating in sunny South Africa. Since spammers use unsuspecting PCs to do their dirty work this hints that there are many computers that have been compromised.
It's time for South Africa to take Information Security seriously.
All of these companies have the same physical security barriers that most companies do - card machines, cameras, etc. The guy managed to get through them all with a smile and a calm personality.
It may be time to test out your physical security or at least accept that laptops will get legs.
Just a quick break from the 7 habits. They take awhile to think out and I need to post something..
All the signs are pointing to TJX having suffered a textbook hack, and so all the Security Chicken Littles were salivating because this would be the "I told you so" opportunity of a lifetime.
And it didn't happen. I blogged about it here and here.
So, what happened? My personal feeling is that this was just the first punch in the fight. Consumers have taken the knock and have felt a bit upset by it but they can deal with it.
In the back of their minds though they have decreased the amount that they like both TJX and credit cards and maybe their bank ever so slightly depending on how much this breach has impacted them.
TJX is lucky in that if their service levels are up to scratch and if they have no more major breaches then over time their image will be improved and their customers will be happy once more.
For the credit card companies it will be a bit harder. If someone now suffers a breach at another store it won't impact TJX but the consumer may feel a bit less trusting of the whole credit card process.
This is problematic in the same way my swimming pool theory is bad for networks. Every store only suffers a bit of the problem but the whole credit card process suffers the most. Perhaps this is why the PCI members (Visa, Mastercard, etc) are working hard to get the stores to implement the PCI DSS security standard. They may find consumers start to give up using credit cards as much or at all ever.
Maybe the answer is actually for the whole process to be scrapped and redone.
Friday, September 21, 2007
Seven Habits of Highly Effective Security Plans [Part 3]
In this post we deal with habit 2: Begin with the End in Mind
Please first read the Seven Habits of Highly Effective Security Plans [Part 1] and [Part 2].
This is based on Stephen Covey's book The Seven Habits of Highly Effective People and this topic was the one I wanted to get to as fast as possible because I think that it is the most important one for Security Plan development.
If you have read the book this blog post is based on then you'll know that each habit builds on the ones before them. The last one was being proactive and making sure that you define your environment and how you will handle Information Security.
In the past Information Security was a matter of having whatever the box of the day was - firewall, anti-virus, IDS, etc etc. It was also having audits done and responding to their negative findings. And it was about hopefully detecting incidents and preventing the same incidents in the future. Reactive.
Now, what is happening and should be happening is that Information Security is becoming more proactive as per habit 1. We are looking rather at what we are protecting and trying to understand why it needs to be protected and how best to do so.
But once you realise that you have work to do, you need to know what to do. You need a plan - a long term plan. You probably already have one of those - a policy.
I know of a company (not the one I work for) that was told by their holding company to get Policy documents. And they got the boilerplates, filled in their company name and, voila, policy documents. But they missed the point.
The documents are not there for the auditors. ("Yeah, we got some policies." [Tick]). They are a living document of the Company's plan for Information Security. They are an excellent opportunity for the Company to define their end goal and work towards it.
It makes life a lot easier for everyone too when they know their goal and it makes deciding on what is important and what isn't very much easier.
A boilerplate is a good start if you haven't got any idea where to start. The risks to most companies are the same, the technology is similar too. Most of the techniques can be applied to all different organisations. But a lot of work needs to be done to the Policy to get it just right for the organisation.
Another good place to start is with the people who own the information. And these are not IT. These are the people who make decisions based on information, the guys who would pack up and go home if there was no information for them to work with. They know what is important to the business and where it is. I will write a lot more on this in later posts but for now just realise that Information Security must start with the end in mind, and the end is "protect all important information so business can operate".
I went to a Symantec presentation today to learn about their new End Point Protection and to take a sip of their Kool-Aid.
They took great pains to make sure that the audience was aware that they do not sell anti-virus software anymore - they sell "end point protection". Which, really, is anti-virus with other stuff.
The point is that even according to Symantec's reports viruses are dying out. (By virus I mean a program that self replicates - not a trojan, spyware, rootkit or worm). Trojans and worms and rootkits are becoming easier to modify and deploy and signature lists (against which these uglies are compared and blocked) are becoming too slow.
The moral of the story - viruses are (pretty much) dead... they have been replaced with new threats. Symantec painted a picture of their protection product as the silver bullet that will protect a PC against all the new threats. It looks good but I'm not 100% sold. I'd recommend the product but I'd back it up with a lot of other Information Security goodies.
A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it and then I forgot but I was reminded of it again when I read this article by Richard Bejtlich.
It was these two quotes that reminded me of the Learning Model -
You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
and
As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
This sounds very depressing, as if we should just throw in the towel, but I think it is more positive than that.
At first you are blissfully unaware of how much you don't know.
Then you start learning and get overwhelmed once you learn just how much you don't know.
Then you learn some more and you struggle along learning all the time.
Then you become a professional and know everything without having to think very much.
My Information Security spin on this is:
At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting less and less and you know that you are getting more secure.
All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.
From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.
My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.
Obviously the size of the company and what sector the company is in would help determine what step they are on. As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.
This is based on Stephen Covey's book The Seven Habits of Highly Effective People and in this post we look at how being proactive can help raise the general security of an organisation. This is applicable from a micro 1 person business to a multi-national company.
Being proactive really translates into taking ownership. There is a general feeling that Information Security is someone else's problem - usually IT. The thing is that even IT shelve the responsibility onto technology such as Firewalls, Antivirus and IDS boxes.
It has taken legislation in the United States and Europe (not so much in South Africa yet) to put Information Security risk back where it should be - the Business and by "Business" I mean non-IT people. Is this fair? Sure, it is their data and they must protect it from getting lost. Security is there to help and IT is there to make sure that the technology is there but at the end of the day if a spreadsheet with financial information goes missing - it is the department that owns the spreadsheet that is going to suffer.
Of course, all the three camps can be proactive. InfoSec can, should, must promote awareness of Security. They need Business and IT to understand what the dangers are and what is expected from a regulatory point of view. Posters, education, emails, etc etc can all be done.
IT can help by telling InfoSec of incidents that they may find, by making systems secure from the start, from being enthusiastic about patching and hardening servers and helping out with standards that are secure.
Business can be aware that it is the information they use every day that IT and InfoSec are protecting, and the protection is for them so they can do their work more effectively, which is what business is all about. They should strive to understand the tools that they use and how to use them securely. Strong passwords, a clean desk policy, locking workstations, locking offices, thinking twice before opening strange files are all things that can be done for free and together are far more effective than anti-virus, firewalls and NAC.
It is difficult to get the inertia going and people are reluctant to change, but it is important to at least start working on a culture where information is seen as an important asset and is protected as such.
He is now offering a R50 000 ($7000) reward for the return of his laptop because according to him he has lost 12 years of his work. R50 000 is not a lot of money for 12 years of work but assuming that his laptop is insured against theft then the R50 000 is basically how much the information is worth to him.
Now most of what you find on a laptop hard drive is junk - downloaded jokes, movies, etc. and also software which is either very easy to replace or comes bundled with the laptop anyhow. Just how big is your My Documents folder anyhow? So let's assume that the rapper had just under 12 Gigs of vitally important, irreplaceable stuff on his laptop - that is 3 DVDs' worth.
This sounds like a better deal than R50 000. Of course the technology is not going to save you on its own.. you need to actually use the technology. It takes about 5 minutes to burn a DVD but maybe 30 minutes to set the burn image up.
Stephen starts his book with the idea of a paradigm and goes to great efforts to explain what it is and why one needs to understand it.
In terms of Information Security I think that the paradigm shift was forced upon us on July 13, 2001, but it has taken until now for us to be able to understand and deal with the new understanding.
That was the date that the Code Red Worm struck. The darling of Security at the time, the firewall, was no match for this worm and anti-virus was ineffective too.
Today the worm would be very much less effective because we now have more defenses. We have proper patch management, IDSs, deep packet inspection firewalls and application security. These were all around in the time of the Code Red Worm, they were just not being used effectively. We had the technology but the mind set was not right.
When the SQL Slammer Worm arrived it proved that we still hadn't learned our lesson. The paradigm shift had not happened yet but we are slowly getting there.
The fact that new worms are coming out all the time but we haven't had a global epidemic of Slammer proportions means that we are learning our lesson. The fact that the Storm worm is still being successful means that there is still some way to go.
Our first paradigm shift was from realising that:
security has to be done all the time
technology alone will not save us
I think the next one is that we can't tack on security. We need to think security from the beginning even if it means some things need to be redesigned or abandoned totally.
I've been thinking about doing this for a while. I admire Stephen Covey and his book The Seven Habits of Highly Effective People. I have seen the book being used to manage huge companies and I think that the principles in the book are broad enough to be applied to pretty much anything including Information Security.
I think that the 7 Habits are already built into "Best Practice" in most cases but this should allow us insight into why we need to do what we already do.
Do I run a highly effective Information Security Plan? I like to think that I am working on it. I also think I won't ever finish but going back to first principles is always a good idea.
I don't aim to rewrite the entire book, that would be pointless and quite illegal. I aim to use it merely as a guide.
Brother Andy sums up nicely the debate that has been happening on the Security Bloggers Network (see right column) about CISSP.
He also sums up most of what I think of the Cert:
It shows that the person is serious about security.
It opens doors. Even Australian immigration.
It is easy for headhunters to spot. And match up with.
The ISC2 is a problematic organisation.
CISSP is not for everyone.
Of course, I have my bit to add:
Terry Pratchett writes amazing stories with some deep concepts. One word he created (or at least a witch of his Discworld created) is headology. Basically, a witch will never be caught without her hat because once the hat is on, anything the witch does, magic or not, will be seen to have been done through the use of magic.
I believe the CISSP is our headology. For security people to be taken seriously we need the tools to make people see we are serious, and that includes (for better or worse) a professional organisation such as the ISC2 and a certificate of membership - the CISSP.
Having a CISSP doesn't make me much more knowledgeable about Information Security than the me before the exam, but it does show that I am serious about Information Security and want to be seen as an Information Security Professional.
It also helps in Information Security debates to sign the extra little letters with a flourish. Headology.
On the 2nd September 2007 the South African Police Service held a commemoration day service to remember the 108 police officers killed in the line of duty in the past year.
Having been a reservist police officer for a short period I understand exactly what these police have faced and what the police continue to face on a daily basis.
In honor of that I dedicate some time and some space on my blog to remembering the heroes in blue who paid the ultimate price to protect the families of South Africa and to those who continue to protect us with the knowledge that they may be the next to die.
"POLICEMAN'S PRAYER" - Anonymous
When I start my tour of duty God, Wherever crime may be, as I walk the darkened streets alone, Let me be close to thee.
Please give me understanding with both the young and old. Let me listen with attention until their story's told. Let me never make a judgment in a rash or callous way, but let me hold my patience let each man have his say.
Lord if some dark and dreary night, I must give my life, Lord, with your everlasting love protect my children and my wife.
"I am the Officer" - Anonymous
I have been where you fear to be, I have seen what you fear to see, I have done what you fear to do - All these things I have done for you.
I am the person you lean upon, The one you cast your scorn upon, The one you bring your troubles to - All these people I've been for you.
The one you ask to stand apart, The one you feel should have no heart, The one you call "The Officer in Blue," But I'm just a person, just like you.
And through the years I've come to see, That I am not always what you ask of me; So, take this badge ... take this gun ... Will you take it ... will anyone?
And when you watch a person die And hear a battered baby cry, Then do you think that you can be All these things you ask of me?
Microsoft has, in the past, had a reputation for not taking security seriously. It had previously run the company on the idea that users want features and that is where the development costs went. Security was put only in where it couldn't be avoided.
Things changed and security became a feature. Microsoft woke up and have done an amazing job of establishing a patching schedule (Patch Tuesday) and supplying tools like WSUS and MBSA to make sure that patches are rolled out with minimal issues.
That's great for larger organisations, but while my PC at work is always up-to-date and secure, my PC at home has been lagging. I feel rather safe because it is not connected to the Internet 24/7 and is firewalled when it does dial up. Yes, dial up. With a modem. I don't process any funny documents on the box, so it is really in a safe world of its own.
But being a security professional I feel that I should take some time to patch the box just to be sure.
So... let's get back to that modem thing. My modem does not run at 100% and the connection is pretty faulty. In South Africa local calls are charged for, so it could get quite pricey to patch my machine, not to mention the amount of time that my phone at home would be engaged.
That is for my one PC... if I had others the time to download and patch would be longer.
Enter the amazing AutoPatcher software. All the Microsoft Patch Happiness you can get (and other stuff too!) all on one little platter! Basically it is all the Microsoft patches on CD with a utility to work out what is needed and deploy it. Download it at work, burn it, take it home and patch, patch, patch. This is one amazing little package and so necessary for smaller companies and home users.
Microsoft also benefit with the bandwidth savings and happier customers (isn't that what business is all about?)
But now Microsoft have instructed AutoPatcher to remove the Microsoft patches from their site. They are quite within their rights to do this under copyright law because the patches are really Microsoft patches repackaged. It means that AutoPatcher really doesn't have much of a purpose any more, though.
I can understand the fact that Microsoft doesn't want to face legal liability if AutoPatcher breaks a third party machine but I have no idea now how I can patch my home PC quickly and easily like I was able to before.
If I were Microsoft I would have bought out AutoPatcher for less than Bill Gates makes in a day and renamed it Microsoft CDPatcher. That move would have shown that Microsoft is serious about security and cares for customers rather than serious about security only to make money.
As it stands today I think Microsoft has made a mistake.
Being an Information Security professional I am going to relate it as I see it. And the way I see it both the minister and the paper are correct.
For those of you who read this blog and are not from South Africa I'm going to put a bit of background down for you. If you are from South Africa you can safely skip the next little bit - you know this already.
Manto Tshabalala-Msimang is the Minister of Health and is also known as Dr Beetroot because of her criticized belief that AIDS is cured better through vegetables than medicine. This belief kills people every day and the opposition want her to leave the government because of it.
The Sunday Times newspaper is the most popular weekly newspaper in South Africa and they published an article that hinted very strongly that the minister was an alcoholic without actually saying it outright. They worked this out because of evidence that came from her medical records when she was in hospital and had alcohol when she was not supposed to.
The Minister has not denied the fact that she had alcohol while in hospital but has been upset that the Sunday Times had a copy of her medical records. (This is typical government spin doctoring; according to Nick Naylor from Thank You For Smoking: "That's the beauty of argument, if you argue correctly, you're never wrong". But that's not the point of this post.)
The point is that the Sunday Times did not steal the documentation. They merely happened to get a copy of it. And, once they had a copy, it is their duty to report on news they think the country should know about. And, of course, the whole country is following this very closely so the Sunday Times was right to publish.
So, where does information come from? That is the big question. In Information Security we have a saying "protect all the information that you don't want to read about in tomorrow's newspaper". The Sunday Times is a respectable, "non-tabloid" newspaper. I can't picture their staff crawling around in hospitals, looking for medical records or hacking into medical systems.
Somehow there was a leak in the hospital, and that is whom the minister should be going after, but it's a lot easier to sue a newspaper than a hospital, especially for the minister of health, who would like to pretend that all is well with patient records in hospitals.
The Minister is right that her private details should be kept private but once it is in the newspaper it is too late. It should have been protected from the start and the hospital is (in my humble opinion not being a lawyer) to blame.
If the Minister does take up the issue with the hospital then some questions may arise as to why she used a private hospital for an operation that could have been done at a public hospital and why the government does not protect patients (even at private hospitals) from having their records go missing, ending up at newspapers. Maybe California can help her out.
It appears that TJX have taken a bit of a knock but their share capital is $14 Billion.
This means that a hack that costs them $118 Million is peanuts. To them. It essentially ends up costing each shareholder 25c per share. I don't see any shareholder selling shares based on this hack attempt.
According to research Javelin did in April, "77 percent of consumers intended to stop shopping at merchants that incurred a data breach".
So they have had to explain how, just a couple of months later, TJX has reported an increase in sales since they were hacked. Javelin's explanation is that there is just not enough competition.
Gartner are also a bit boggled by this fact but they comment that:
"Most TJX customers clearly care more about discounts than about card security, because they know banks will usually cover potential losses if a card is stolen and used, with the costs eventually shifted back to the retailers."
Gartner go on to preach on how retailers should adhere to good security practices but the "... OR ELSE!" is a bit weak.
I guess this proves that people are just not logical. It will probably take a lot more pain on their part before they say that they will avoid shopping at a store with bad card protection and then actually do it.
It also shows that TJX is just not a very good example of what effects a hacking incident can have on a business. They have a strong company, a lot of money to play with and the ability to entice customers back even after TJX has lost their private information.
The TJX Companies, Incorporated is the largest international apparel and home fashions off-price department store chain, based in Framingham, Massachusetts in the United States.
[...]
On January 17, 2007, TJX announced that it was the victim of an unauthorized computer systems intrusion.
TJX ended up as the default PCI black sheep. PCI, for those not in the know, is an industry standard created by the credit card companies telling stores how to protect their customers' information, specifically credit card information.
Basically TJX did everything wrong including storing information they should never have stored in the first place. 45 million credit card numbers are now being traded on the black market because of this breach.
Net income for their 2nd quarter dropped 57% due to information security costs related to the breach.
Bad news for the company, right? Wrong. Maybe someone can explain this to me but on January 16th, 2007 the share price was $29.94. Friday's closing price was $30.75. Man, did the market get them (not)! To be fair they have underperformed the S&P500 until recently but the company does not seem to be very hurt by the breach.
According to CSO merchants in California may end up liable for data breaches.
I think this is a good thing but I also think it is a bad thing.
It's good because a lot of large companies pay lip service to Information Security and don't take it seriously enough. This will make sure that they do. It is good because it is not the poor customer who takes the risk when he does his shopping.
It's bad because it punishes companies for essentially being victims of crime. Not only does the company suffer from the crime itself, but it also suffers from the after-effects of the crime.
On the other hand (I think we are up to three hands by now), there is always a risk in doing business, and especially a risk of crime; it has just moved online now. Companies make good profits, or else they would not be doing what they are doing, so they need to put some of those profits into protecting themselves and their customers' information from the criminals rather than ignoring the issues and pushing the risk onto the very customers that give them money.
I guess it's kinda like me locking my expensive car and keeping the keys in my pocket but borrowing a friend's cheap car and leaving it unlocked with the motor running in the street because, hey, it's not my car.
This law is receiving strong opposition but I think it will be passed. If it is you can bet that somehow the cost will be passed on to the customers who will pay for protecting their own information.
Since my posting on the 7th, the Wall Street Journal has posted a follow-up article here
It is by the same author, who obviously was not aware of my post because she gets most of it wrong again. She chose to ignore Andy's input too. I found out about this follow-up from his blog; thank you, Andy.
My original post basically pointed out the main problem in her article, which is that the Information Security policies that she shows how to bypass are not made up by IT but by the security department. More to the point, they are signed off by upper management, and by breaking them you can get into serious trouble with the boss. Failing that, the boss himself may get into serious trouble with the law.
The author writes in this article about how "IT workers said they get blamed both by employees who feel too restricted and by company executives who, when things go wrong, fume that policies must not have been restrictive enough."
At the end of the day it's not the IT guys who should be enforcing security; they have enough on their plates. It is the business people themselves who should be enforcing the rules.
The IT department is usually the least respected department; it hires young people who don't know the art of dealing with people, especially those in upper management. More importantly, they are enablers. They fix things and make things work, and that is how they are rated. They are also clueless (or they should be, anyhow) about what information is important.
What about the fools in the Information Security department, I hear you ask. They are there to make sure that Information Security is done, yes. But, at the end of the day, neither they nor the IT guys will be in big trouble if information is lost or leaked, or if wrong decisions are made using altered documents. It will be Business that pays. So, why have these lazy Information Security guys around in the first place? Really, it's to inform the business people and to help them with implementing security.
If your staff are knowingly breaking rules that you have put in place... well... no Firewall, IDS or Antivirus or amazing CISSP is going to save your data.
I think that the WSJ has missed an opportunity to push the idea that Information Security is important and that the rules are there for a reason and that breaking them will not only upset the guys in IT but can make an employee lose the respect of his/her employers and possibly even his/her job.
As happens in the "Blogworld" I read a blurb in the Daily Incite which then linked to a good Blog entry by Andy It Guy which in turn linked to a really good PDF document by Rebecca Herold who has more letters after her name than in her name.
While we are so busy concentrating on our own security structures (You are, aren't you?) how do we make sure that our partners are protecting our data?
There are several places where this is important:
The obvious first one: you give your credit card information to someone. What they can and can't do with it is governed by a standard made by the credit card companies. It is called PCI compliance. It seems most companies don't abide by the rules, but the fact is that the rules have been very well designed and slowly, hopefully, companies will abide by them. The nice thing is that PCI compliance is worked out already. You don't have to worry. You should, as a matter of principle, make sure that a company is PCI compliant. I think it would be a good idea for the credit card guys (Visa, MasterCard, etc.) to actually promote PCI compliance as a marketing tool for companies to display proudly on their websites and in their stores.
You fill in a form, any form, anywhere, online or offline. This is your personal, private information and you should be aware of exactly what happens with it. If you have to hand the information over because of some law such as the ones preventing money laundering, you don't want that form going to the company's marketing department. ("You are a treasured customer of ours, do you want to be the first to use our new services...?") You also don't want it put into a dustbin and used by anyone who finds it in the street.
You are trusted with someone's details and have to send them to a 3rd party. If something happens to the details, it's you who gets the blame.
Basically, wherever someone has some of your personal data, your company's confidential data or data that has been given to you by some entity that trusts you with it, you should be able to make demands on how they treat it. No security is 100% but you should be able to at least, without getting into all the details, know enough about how your data is treated to make an informed decision on whether or not you trust the person you are giving it to.
The PCI standard came out of a need to protect data but there should be a broader standard for all types of data allowing us to make spot decisions on who to trust and who not to trust with our data.
And, taking an observation from Andy but broadening it: the specification of how data is looked after should be more specific than a framework. A framework is fine for protecting your own data, but other people should be able to judge exactly how you treat their data.
But, on the other hand, you don't exactly want to go around to every company that you deal with (perhaps all over the world) investigating in minute detail exactly what methods they use to protect their network and data. You can't be expected to watch that none of their staff take their laptops home etc.
You shouldn't even be expected to take a look at their policies.
You should just want to be able to see a logo that says "we are secure up to level 3 of the 3rd Party Information Control Standard (3pics)". This should be good enough for a bank, but a video shop may be able to get away with level 2 and a doctor should have level 4.
By the way, I made up 3pics because, as far as I can see, there is no widely accepted standard with clearly defined levels that the man in the street can trust and be used to (except PCI and that is for credit card information only). But shouldn't there be? Wouldn't it be nice to be able to trust that a company you are about to deal with is going to treat your information the same way you do?
Rebecca's PDF document (linked to above) goes into great detail about how one can manage personal information that is given to 3rd parties, but it is a lot of work. That is fine for companies who have few partners, but when there are many partners it would be nice to be able to just check their "3pics" compliance level and start dealing with them.
In case you argue that it is possible already using ISO, SOX etc, then read what Andy said in his article about how they are just frameworks and not generally accepted standards.
What we need is someone (who, me? I'm too busy ;) ) to create a(n auditable) standard with a few levels that are easy to understand and implement, and for companies to use the standard and brag about their level of security.
I think part of my thinking comes from discovering this week (but not being rich enough to follow through with actually buying and reading) a book by Stephen Covey (Jnr) about how once trust is established, business can proceed quickly. It is up to us as the public to demand that companies show how they can be trusted with our private information. It is up to us Information Security specialists to make it easy for them to do it.
Particularly upset was my brother-from-another-mother Andy the IT Guy. I call him that because although we are thousands of miles apart we have similar jobs and usually see eye to eye on matters. His post on the issue is here. In the post he links to other bloggers who rip the article to shreds.
I leave it up to the dedicated reader to follow all the links and get acquainted with the article and see why it has upset Andy and several others. Go do that now...I'll wait...
...
If you are reading this I hope you clicked the above links and read up on the issue...here comes my 2c.
The article got it exactly right except for 1 major issue and it is in the title!
It is not the IT department that is trying to stop you doing all of those things, it is the security department.
In fact, in most companies if you are quick (and you have to be quick) you'll see that IT guys are the guys who break the rules the most. Find the geek with the long black coat and chances are he is the guy running the phantom MP3 server that everyone knows about but doesn't exist.
Now that that is cleared up, you may ask: so what? Information Security department... IT department... who cares? But it does make a difference. IT has a mandate from Management to keep the servers humming and the information flowing - that's their job in a nutshell.
Information Security has a mandate from Management to make sure that the company does not leak information and does not break the law. The Information Security guys are also not the ones who make the rules, they may make suggestions but the guys who sign off the policies and rules are Management (read: your boss, his boss, etc etc up to the CEO). The rules you are breaking are the rules set down not by IT but by your boss.
Some of the rules (such as rules 1, 2 and 3) are actually made to stop the top-level guys from going to jail, or at least to stop the company from being at the receiving end of some expensive legal problems. You can be sure that they would not take kindly to having these rules broken.
Obviously I am all for freedom of the press, but just know who sets the rules and who signs off on them - it's not IT.
So, yet another strike and another risk to your business.
It felt like I was in Zimbabwe this morning. I had to queue for Petrol. I'm not saying it is as bad as Zims because the queue was only 5 cars long and there was petrol available when I got my turn. I did put in more than I usually do.
I was lucky because I take LRP; the station I went to had no unleaded.
If you have a large corporation what would you do if 70% of your staff are unable to travel into work every day? Can they work from home? Can your VPN handle the load? Do you know your business well enough to work out who should come in to work, who should dial up or connect over VPN and who should just take a few days off?
If you have a small business, can you afford for your staff not to come in and to do their work from home? Can you afford for your clients/customers not to come and visit you? Can you afford not to visit them?
One of the aspects of Information Security is availability and most large companies have a plan for Disasters (note the capital - we are talking floods and earthquakes) but not for small issues like lack of fuel. Most small businesses run on gut feel - they will deal with that bridge when they come to it. The bridge is now here and it is Business Continuity.
The most difficult thing with Business Continuity is that it forces us to take a look at our assumptions. We assume that we can buy petrol whenever we want to get us in to work. We assume that while there we can have access to water, food, toilets, electricity, a fairly comfortable working environment (Goldilocks' not too hot and not too cold), email, our data, the telephone network, etc, etc. Business Continuity is basically the process of asking "what if something is missing?", and anyone can do it. Usually the owner or the business people are the best at doing it because they understand the business and how it works.
It can get a little more complicated when multiple things are not available. This is very likely for many businesses at the moment. If you have no electricity and no diesel for your generator, what can you do? Work from another site where there is electricity, but then chances are you will be using more fuel to get there.
Is it worth making your staff come in later to avoid rush hour in the hopes that their petrol will last longer? The humane aspect also comes into this issue in that if the strike lasts long and petrol is scarce will you let your staff save their petrol for family emergencies?
The strike is 3 days on and the negotiations are happening. Hopefully there will be no issues at all except some minor inconvenience and some bad Zimbabwe comparisons. I will then take off my Chicken Little hat, but in the meantime: don't panic, but have a plan.
So, some people I know were bored yesterday, looking for something to do while FaceBook got its act together. The site was down and productivity worldwide picked up.
In Information Security it is drummed into us how important Separation of Duties is.
I investigate security methods and security matrices and inform the Operations teams on what to do. I also measure what is being done. But I don't do it myself, and I never measure myself.
According to this article in the Times online paper the police are playing with numbers:
"We were told by police officers that there is a general belief that if there is a reduction in the number of rape cases reported, they stand in line for promotion."
Hence, "an investigation by The Times into child abuse has uncovered claims that some police officers are not recording all rape cases — in the hope that keeping statistics on the crime down will fast-track their careers."
The article goes on to say that the police are refusing to record the crimes or are recording them as common assaults instead.
The problem is that the crime is not receiving the same attention that it would have, had it been logged as rape. The victim also does not get the right medical treatment such as HIV treatment.
How do we get around this? Separate the duties. The police who investigate crime after it has happened should be rewarded for the number of crimes investigated. The police who prevent crime should be rewarded for bringing down the crime. That way, we all win.
It seems that everyone is reporting on new spam techniques. But here goes anyhow:
Spammers are using PDFs and zipped-up Excel spreadsheets to send spam.
This is not really all that surprising, because traditional spam checkers don't look inside these kinds of documents or block a mail based on whether it has one attached.
So, it's back to the drawing board for spam blockers: they need to check PDFs.
The scary thing about this is that the risk of false positives is much higher with a PDF or Office document (I doubt that Excel will be the only spam transport chosen) because genuine business documents are usually in these formats.
If you are a broker and someone sends you an Excel spreadsheet of their stock picks and you miss it because your spam checker thinks it may be "pump and dump" spam, you could end up in a lot of serious trouble.
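Looking inside the attachment rather than blocking on its type is what the above asks for. Here is an added example of that idea in Python (not code from the original post or from any spam filter it mentions). It parses a mail message, lists zip members from the archive's directory without extracting them, checks a PDF for the markers that let it run code when opened, and returns one of three verdicts so that a genuine spreadsheet goes to a human for review instead of silently disappearing. The sample messages, attachment names and attachment contents are constructed for the demonstration.

```python
from __future__ import annotations

import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# PDF features that can trigger code or launch programs on open. Their presence
# is a signal for human review, not proof of spam: legitimate PDFs use them too.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/OpenAction", b"/Launch")
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".com", ".pif")
MAX_INFLATE_RATIO = 100  # above this we suspect a decompression bomb


def inspect_pdf(data: bytes) -> list[str]:
    """Cheap static look at a PDF: header sanity plus active-content markers."""
    findings = []
    if not data.startswith(b"%PDF"):
        findings.append("pdf: missing %PDF header (content does not match extension)")
    for marker in PDF_ACTIVE_MARKERS:
        if marker in data:
            findings.append(f"pdf: contains {marker.decode()}")
    return findings


def inspect_zip(data: bytes) -> list[str]:
    """Read the zip central directory only; nothing is extracted to disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip: not a valid zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append(f"zip: encrypted member {info.filename}")
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"zip: executable member {info.filename}")
            if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
                findings.append(f"zip: suspicious inflate ratio for {info.filename}")
    return findings


def verdict_for(findings: list[str]) -> str:
    """Three outcomes instead of allow/block, so doubtful business mail reaches a person."""
    if any("executable" in f or "encrypted" in f for f in findings):
        return "quarantine"
    if findings:
        return "review"
    return "deliver"


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and inspect every attachment by file type."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    attachments, all_findings = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".pdf"):
            findings = inspect_pdf(data)
        elif name.endswith(".zip"):
            findings = inspect_zip(data)
        elif name.endswith(EXECUTABLE_EXT):
            findings = ["attachment: executable file type"]
        else:
            findings = []
        attachments.append({"name": name, "findings": findings})
        all_findings.extend(findings)
    return {"attachments": attachments, "verdict": verdict_for(all_findings)}


# --- constructed sample messages (not real mail) ---------------------------------

def build_message(filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "client@example.com"
    msg["To"] = "broker@example.com"
    msg["Subject"] = "attached"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def zip_bytes(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_SPREADSHEET = build_message("stock_picks.zip", zip_bytes({"stock_picks.xls": b"constructed sheet"}), "application", "zip")
EXE_IN_ZIP = build_message("invoice.zip", zip_bytes({"invoice.pdf.exe": b"MZ constructed"}), "application", "zip")
ACTIVE_PDF = build_message("offer.pdf", b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n%%EOF", "application", "pdf")
ZIP_BOMB = build_message("report.zip", zip_bytes({"report.txt": b"\0" * 200_000}), "application", "zip")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN_SPREADSHEET), ("exe", EXE_IN_ZIP), ("pdf", ACTIVE_PDF), ("bomb", ZIP_BOMB)]:
        print(label, scan_message(raw)["verdict"])
```

The broker's zipped spreadsheet comes back as "deliver" because nothing in it is executable, encrypted or oddly compressed; the PDF with an open action and the archive that inflates a thousandfold go to "review" rather than straight to the bin, which is the trade-off the false-positive worry above calls for.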
Spam is horrible stuff but there obviously is a market for cheap Viagra with no prescription.
I have a doctor I go to regularly now but I tried a few of them for a while and there were some who were so clever but just didn't listen to what I had to say.
They were obviously the experts but I figure I know me better than anyone and had they listened to me I think we, together, would have been able to find solutions better than just me alone or the doctor alone.
I think that, in information security too, you are always fighting someone somewhere but the secret to a good relationship is to listen to what the other people in the organisation have to say.
But never forget that you are the expert.
[Note: I was going to use a plaster/bandage for the little post image but I used a stethoscope because the point of this post is listening]
This little insight I worked out by myself with great difficulty.
My first IT job was probably the hardest I ever did.
It was working in a call centre at an ISP back in 1995 before most people had even heard of the Internet and email. Those that had were termed "early adopters" and it was "cool" to "surf the internet". Having played with Unix and Linux and TCP and configured modems to do interesting things I considered myself to be an expert in what I was doing which was helping people to connect to the Internet. And yet there were people who may well have been experts in what they did that would argue with me. The ones who were the most clueless but argued the most were usually doctors. I guess doctors are used to dispensing advice - not taking it.
I've seen from my wife's craft business that the same is true. Some people look to her for advice on techniques and then ignore the advice and get upset, some listen and are happy with the results. (She tries not to offer advice on the creative aspects, that has to come from within).
And now that I am in security I've seen how business can try to ignore security advice because they feel that they know better. Try to force them to accept what you are saying and you can overstep the "be nice to clients" boundary.
At the end of the day, the client has to accept that he is working with a professional and accept the advice as coming from an expert. Alternatively, if the client can do everything on his own, what does he need an expert for, anyhow?
The Security Blogger's Network has been debating the GPL recently, but this is a debate that has been going on for years.
The short version of the printer story: Richard Stallman worked for a company. They had a printer. They modified the printer driver's source to do stuff the printer makers didn't think of. They were happy. They upgraded the printer. The new printer driver worked but had no source so they couldn't modify it to do what the old printer did. Richard Stallman fell in love with the idea of having source code. He wrote the GPL to enable users to be able to manage their software.
It was later discovered that the GPL can help a company to expand their product for free and get community involvement. This was an unexpected bonus but not why the license was created in the first place. One of the shortcomings is that if you never redistribute the binary or don't redistribute it to the original author, you don't have to forward your source code changes. This could make coders upset but really - the GPL is designed to make users happy.
I've had a good think about companies changing the license from GPL to something else when their product becomes more successful, and I think it is fine to do that. It is their work. But they must strip out all the bits and pieces that others have contributed to the product, or inform contributors up front that their work may become part of a non-GPL software offering.
I remember back when Netscape announced to great fanfare that they would be releasing an open source version of their browser; it took a very long time for the source to actually be released because so much of it had to be stripped out, being proprietary code that Netscape did not own.
I remember also when the CDDB went private taking all the hard work of their contributors along with them. I am not a lawyer but I know what is fair.
There have been a number of fake leaks: there are a number of people who write fan fiction and these have been used to trick people into clicking onto websites with worms and the like.
But this one is slightly different. It is not a pdf or text document; it is photographs of each page in the book.
Now that it has leaked the publishers are desperately trying to put the toothpaste back in the tube but with no luck.
On the other hand, reading a 700+ page book page by page from low quality photographs is not easy. It's just better to buy a copy or, at very least, visit the library.
You can bet that, like number 6, there will be pdf versions floating around the pirate sites within a few days.
The one thing to learn from this is that if you have information that is wanted by someone else, you will have a hard time protecting it and as close as Scholastic came to protecting the Harry Potter book from being released, there is no such thing as perfect security.
The other thing is that: with information it only takes one leak and the number of copies will expand until it is impossible to control.
While the rest of the world debates the length of a PIN, we in South Africa have a different challenge. At least, the banks do - explosives.
According to this article at The Times: "security companies and banks have warned the public about unexploded bombs in and around ATMs."
Johan Burger, senior researcher at the Institute for Security Studies, said “Because of the increase in ATM bombings, the risk to the public has risen dramatically. ATM bombers are now hitting machines in business premises in metropolitan areas."
Also according to the article: "[First National Bank of South Africa has a] new security and monitoring system [that] will be introduced at 500 sites in areas considered to be at high risk. Guards on 24-hour patrols will also keep watch over the cash machines."
I can't imagine that an ATM holds terribly large amounts of cash, and criminals will start to apply this modus operandi to other types of crime. As a risk, this is on the increase, and security professionals should analyse if and how this would affect them.
It may be worth positioning your server room more to the middle of your offices rather than against a main wall so that a little explosion won't leave a gaping hole that PCs can be moved through.
Update: I just took a look at the video on the site and I would highly recommend anyone using an ATM to see video evidence of what criminals can try when you are using an ATM.
A large march of striking workers just marched past my office.
There has been some violence in the past few marches but these are usually on a small scale and directed at those workers who elected not to strike. Usually marches are fairly harmless, even if they look aggressive and scary.
The question for a security professional is: how does one deal with a march that impacts business? In my opinion, besides electricity rolling blackouts and the winter sickness cycle, marches are the most likely threat to business continuity that Johannesburg faces.
If you are a small business based in Johannesburg or any city centre then you should at least make sure that you have a business continuity plan. Make sure that you have backups stored away from your offices, a way to restore them to a separate location, and a safe separate location that you can work from. This may be a bit of an issue for a small business (in which case lots of planning is needed, and don't forget to think out of the box, too!), but for a micro or mini enterprise it may be worth working from home or, for the more adventurous, a coffee shop for the time that the march is on.
This is not a complete solution; each business needs to assess business continuity for themselves. Just remember that the first rule of Business Continuity is that the safety of all the employees comes before the health of the business.
My last blog entry about eNatis seems to be exactly what the D.O.T is trying to tell everyone: "leave us alone, everything is fine except the website which is in no way linked to the personal data was hacked".
Hey, even uber-hacker (did I really use that term?!) Kevin Mitnick had his web site hacked. It happens, and what we should be worried about is not the website but the data in the database. Who cares if some kid scribbles junk on a website? You should care if he manages to get inside to the data, to your credit card details and personal information like name, address, ID number and car registration number, and accesses it for himself to use elsewhere (loss of confidentiality), or changes the information (loss of integrity).
I do believe that the press is squeezing this story for more than it is worth because, well, they need news and this is an easy target. But it's also easy news to print because of all the issues that eNatis has had in the past and the lingering doubt that the Auditor General's report brought about.
The department tried to stop the report from being made public because it said that the system was very insecure, but it was made public anyway. The department followed up with a statement that the system had since been fixed, which is quite an easy thing to say but not very convincing.
I think that we as the public who are forced to put our private information in this database (or alternatively don't have a vehicle or license to operate one) should insist that the system and processes around it be certified in some way. My choice would be ISO 27001 but there are other similar certifications and I'd be happy with any one of those.
But really, the D.O.T should be proactive on this and not wait for public backlash; they should investigate security measures now so that when the inevitable audit comes, they are ready.
And when the media jump on something silly like a minor website hack they would have their ducks in a row to argue back.
For those that read my column and are not from South Africa - eNatis is a new system that the Department of Transport (DOT) has implemented. It has a website portal and is the system used for registering cars, licenses, paying fines, etc. It has a lot of personal information. The website was hacked and the papers jumped on the story, though most calling it (correctly) a non-event.
Web hacks are (apparently) easy to do.
This is part of the reason why every company worth their salt (and some not even worth that) recommends that the webserver should not contain important information. That should be stored in a database and, if the webserver needs to read the data, it should make a connection through a firewall. And the database should be locked down as tightly as possible.
In fact, it is almost expected that the webserver will be hacked and the company (or government department) should have an incident response in place to deal with this minor breach.
I liken this hack to the real-life equivalent of a criminal trying to break into an office of the D.O.T, not succeeding and spraying graffiti on their gate.
The media have jumped on this hack because of the issues eNatis has had in the past, but it's the equivalent of reporting on a graffiti incident: the result of the attack is very embarrassing because everyone can see it, but no real loss occurred and once the mess is cleaned up there will be no further issue.
So, what sort of hack is newsworthy? One that will not make it all the way into the papers! A newsworthy hack would be one where a criminal (or hacker, whatever terminology you choose) gets into the eNatis database and manages to manipulate the data for self gain or steal personal information from the database.
This will not get into the paper because:
The user will not make it public that he has done anything wrong; it would make it easier for him to get caught.
The D.O.T may not even know it has happened. Stealing information is not like other crime where if someone steals your stuff, you have no stuff left. Information can be stolen but a copy could be left in place.
If the D.O.T finds that a hack has taken place in their database the last thing they will do is inform the press. (my guess)
If information is stolen from the D.O.T it may be used for identity theft purposes (i.e. pretending to be someone so you can get credit in their name or get access to their personal assets), and the investigation (if it gets that far) may not know the true source of the information used in the identity theft.
That is not to say that I know of an instance where eNatis has had its database hacked, nor am I saying that it has been hacked or ever will be in the future. I'm saying that, if it were hacked in a way that was newsworthy, we probably would not be reading about it in the newspaper.
In a really good blog entry, Mike Rothman talks about how PCI assessors (auditors) are pitching products and other solutions once the audit is done. He goes on further to talk about separation of duty and how the client should make it clear from the beginning that there will be no further business to be made after the audit.
I agree with Mike but I don't think he took it far enough. In an earlier blog entry of mine I discuss this very issue. Once the auditor has come to visit, it is too late. Have a good strategy and see it through long before you call in auditors. Then, once they have arrived and start to sell you products and solutions that you don't need, you'll know that you don't need them.
Never use auditors to tell you what should be done. Use your security experts for that, and use auditors to do the checking.
For those of you that know what chutzpah is...scroll down a bit.
For those of you that don't know this beautiful Yiddish term, it is broadly defined as "insolence," "audacity," and "impertinence". But as with all Yiddish terms, the meaning is deeper than just that. It is someone who does something so bad and with so much courage that you hate him for what he's done but admire the fact he had the guts to do it.
My best version of chutzpah is the thief that stole a whole bunch of clothes from a department store and the next day tried to exchange the ones that didn't fit.
So, MS07-0056.
If you are a security expert or just someone that patches regularly (which you SHOULD be doing!) you may recognise that MS07-0056 looks very similar to a Microsoft advisory number. Almost, but not quite. Microsoft advisory numbers are MS, the two-digit year, a dash and a three-digit number.
MS07-0056 is a fake version of an email advisory from Microsoft, complete with their logo and a formal-looking, no-nonsense, go-patch-now look. The email is very cleverly crafted and has a link at the bottom to a fake patch which is really malware.
While phishing is not new and fake emails telling one to download stuff is not new, the fact that patch notifications are being used to distribute malware is just way over the line of what is bad and what is total chutzpah.
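A small check that encodes the format described above, added here as an example (not code from the post or from Microsoft): it scans text for tokens that resemble bulletin IDs and flags any that do not fit MSyy-nnn exactly, which a mail filter could use to tag such messages for review. The sample mail text and the bulletin IDs in it are constructed.

```python
import re

# Real Microsoft security bulletin IDs follow MSyy-nnn: "MS", a two-digit
# year, a dash and exactly three digits (e.g. MS07-056). The fake mail in
# the post used MS07-0056, which has four digits after the dash.
STRICT_ID = re.compile(r"\bMS\d{2}-\d{3}\b")

# Loose pattern: anything that superficially resembles a bulletin ID,
# including lowercase variants and the wrong number of trailing digits.
LOOKALIKE = re.compile(r"\b[Mm][Ss]\d{2}-\d+\b")


def classify_bulletin_ids(text):
    """Return a list of (token, verdict) for every bulletin-like ID in text.

    verdict is 'well-formed' when the token is exactly MSyy-nnn and
    'lookalike' when it only resembles one."""
    results = []
    for match in LOOKALIKE.finditer(text):
        token = match.group(0)
        verdict = "well-formed" if STRICT_ID.fullmatch(token) else "lookalike"
        results.append((token, verdict))
    return results


def flag_lookalikes(mail_text):
    """Return only the lookalike tokens, i.e. the reason to hold the mail."""
    return [tok for tok, verdict in classify_bulletin_ids(mail_text)
            if verdict == "lookalike"]


# Constructed sample mail body modelled on the one the post describes.
SAMPLE_MAIL = """\
Subject: Microsoft Security Bulletin MS07-0056 - Critical update
Please download and install the patch below immediately.
This supersedes MS07-040 and MS06-078.
"""

if __name__ == "__main__":
    for token, verdict in classify_bulletin_ids(SAMPLE_MAIL):
        print(f"{token}: {verdict}")
    print("flagged:", flag_lookalikes(SAMPLE_MAIL))
```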
While we are on the topic (you are still reading, right?) I want to throw in some other examples of chutzpah: fake antivirus and spyware checkers, or even real ones that are themselves spyware.
We, as security professionals, drone on and on and on about people patching, installing spyware and antivirus tools, using them and keeping them up to date. And along comes the enemy, attacks us and at the same time sows doubt in our defenses.
The rule is still the same though: treat every link in every email as suspect.
My wife used to run a little craft shop and her biggest challenge was getting adults to be creative. When she asked someone straight out to do crafts they would usually reply "but I'm not arty" or some such nonsense. Everyone is artistic. We may not all be Picasso or Rembrandt but there is a little artiste inside all of us waiting to get out.
[For both of the guys who read this column for the Information Security bits (thanks mom, dad), it's coming near the end.]
All of these people have cellphones with their own ringtones, themes and personalizations. Even little things that hang off the aerial, little cases, etc.
The ones that work have PCs that have custom desktops. It may be a soccer team, cute kittens, a nice colour, pictures of their kids etc.
People in the workplace have, in most cases, few opportunities to express themselves creatively. But it has to come out somehow. And hence, people change their desktops and cellphone ringtones. This also leads to the attraction of blogging, but more so to facebook and its friends.
I imagine it would be possible to fill up 8 hours a day for a month customising facebook, adding friends, adding and removing applications, putting in information, getting more applications that need information, drawing, chatting etc etc. And the whole time you are using the creative part of your brain.
How does this relate to Information Security? Well, a great deal of time is spent understanding what users do. A user is a tricky resource to understand. Companies have to accept the fact that their employees need to express their creative side, and not just the advertising guys and the script writers, but Jeff in Accounting too.
The alternative is that users will find ways to bypass measures in place that stifle their creativity. They will spend loads of time on facebook, swap joke emails, download music through p2p or even just spend time by the watercooler.
Or maybe I'm being too lenient, maybe the technological answer is correct and we should just close down undesirable sites, use "managed desktops" where everything is tightened up etc.
She may be behind bars but she can still hurt you.
Or rather, it is reported here that a site offering some private stuff of hers has been hacked. And, ironically, all those looking to get a taste of her private stuff have had their private details downloaded.
Think before you send your details over to "parisexposed.com" and its ilk: do you want the world to know, with pretty good certainty, what you get up to? If privacy is like underwear on the Internet, you could get caught without it.
Part of the reason I blog is to put my ideas down in something more tangible than fleeting thoughts, hence the name of the blog. Others can benefit from my thoughts but sometimes I use the blog to record interesting things I have heard and seen. This blog entry is about that.
I was reading a blog and came across the term "intermittent variable reward". It is basically the quick happiness one gets from doing something that is repetitive but rewards you differently. The example given in the blog entry I was reading (see below) is a jackpot. You pull the handle and each time you get a different reward.
I think facebook is like that. Woo-hoo, a new friend, a new wall posting, a new comment, etc. MXit is even more like that. You are never sure when someone will contact you and what they will say. So hope is always there and the addiction comes very easily.
This is something I've been meaning to blog about for a long time but never really took the time until I saw something similar here but about "twitter" which I haven't really come into contact with much yet.
When I was in University I spent more time than I should have on IRC. I made some good friends along the way and found a beautiful wife. So, some good came out of it but I must say I was addicted to the rush of seeing what is going to happen next, even to the point where I would sit and stare at my computer screen doing nothing, just waiting. What a waste of time.
My brother-in-law is the next generation. Every time I see him he has his cell phone out and it is always beeping from some contact somewhere. MXit prides itself on being next to free but the amount of time spent on MXit by some of the youth of South Africa is scary.
And now I have a term for this addiction: "intermittent variable reward".
I am (about) number 30 in the Business section on Amatomu. For those of you who don't know what it is - it is a list of South African blogs, ranked and indexed.
I have read some of the blogs and am impressed at the quality of them and most of them (the business ones) seem to be aimed at small businesses, which is great.
But I am an Information Security blogger and from what I have seen - small businesses don't seem to take Information Security seriously.
For example, I went to a business the other day and they have me listed on their database. But they had my password on their system in plain text. Thank goodness I use a different password for each online service I use but I know some people that use their pin number as a password and some use the same password for every service. Sorry friend, your password is no longer secure.
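As an added example (not the business's code or the post's), the difference between the plain-text table described above and a salted, hashed one, using only the Python standard library. The customer records and the PBKDF2 iteration count are constructed assumptions; the point it shows is that two customers who reuse the same password get different stored values, so a copied table no longer hands the attacker a password that works elsewhere.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; assumption, tune for your hardware.
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Store a per-user random salt and a PBKDF2 digest, never the password.

    Because the salt is random, two customers sharing a password get
    different digests, so a leaked table does not reveal shared passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample: what the business in the post did. The password
# column holds the secret itself, and two customers reuse one password.
PLAINTEXT_DB = {
    "alice@example.com": "Summer2007",
    "bob@example.com": "Summer2007",
}


def build_hashed_db(plaintext_db: dict) -> dict:
    """One-off migration: replace every plain-text password with a record."""
    return {user: make_record(pw) for user, pw in plaintext_db.items()}


def leaked_passwords(db: dict) -> set:
    """What someone who copies the table learns outright: every value that is
    a reusable password. For the hashed table the answer is nothing."""
    return {value for value in db.values() if isinstance(value, str)}


if __name__ == "__main__":
    hashed = build_hashed_db(PLAINTEXT_DB)
    print("plain-text table leaks:", leaked_passwords(PLAINTEXT_DB))
    print("hashed table leaks:", leaked_passwords(hashed))
    print("alice and bob share a hash:",
          hashed["alice@example.com"]["hash"] == hashed["bob@example.com"]["hash"])
    print("alice can still log in:", verify(hashed["alice@example.com"], "Summer2007"))
```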
When you sign up for a movie contract, where does the information go? Who has access to it? Are your credit card details listed, your ID number? If you have to fill in a piece of paper first, where does that go? You probably fill in enough stuff when taking out a movie contract to allow the young kid behind the counter to be able to impersonate you and mess you around.
When you hand over your credit card in a restaurant, does the waiter take down all the numbers? More to the point, is this something the manager will look out for?
Does your lawyer, who works from home, keep all your information on his laptop? Or any of it? Is it encrypted? What if the laptop gets stolen? What if all the documents he is busy with for you get wiped out in a fire/virus attack/mistake? Does he do backups? Do you?
It's not like me to sow some fear, uncertainty and doubt, but I think that small businesses need to play along.
When I moved from Network Security, where the "what" of security is obvious and the "how" is not so obvious, to Security Management, where the "what" is not so obvious and the "how" is done by others, I decided I needed to get a bigger-picture view of Information Security.
This blog has been an invaluable asset as I wander along the path of elucidation. Also, as I read and search for wisdom I come across some gems. I have made myself a Wall of Wisdom with some choice quotes that I refer back to when I'm not sure what I should be doing.
I'm going to share one of them with you today. And others in the future.
My first challenge is that Information Security is seen as a technical task - get a firewall, get some antivirus, if you still have money - deploy PKI.
No.
Information Security is a business task. And, as with all things to do with business, success or failure needs to be measured. How secure are you, right now? If you can't answer that, you are not doing Information Security right.
My quote is from Lord Kelvin who was a mathematical physicist, engineer and outstanding leader in the physical sciences. In a lecture to the Institution of Civil Engineers on 3 May 1883 he said:
"I often say that when you measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of Science, whatever the matter may be."
We all (should) know by now that we shouldn't share passwords.
But how many of us know exactly where we should use passwords on the internet?
Phishing and its ilk have shown us that you can't trust website links that are sent to you via email.
But what if a friend (or what seems to be a friend) pops up on MSN Messenger or via email or facebook and tells you to "check out this cool site". You do it, you trust your friend's judgment and enter your password only to get caught out and your identity is used to send out the next bunch of "hey, check out this cool site" messages.
That is all in my last post, which has a real-world example of how one can get caught, but the question is: how do we define what is right and what is not?
My hotmail username and password is my MSN Messenger password and apparently opens up a whole bunch of access for me to other sites. This is the whole "passport", single-sign-on concept dreamed up by Microsoft. I sign on once to one of the "passport" sites and voila, all the other sites need no sign on. Amazing. Except that someone out there could hijack the system and pretend to be a "passport" site gaining them my password and access to all of my "passport" stuff.
Putting down Microsoft's security efforts is like running the 100 meters against a fish. It's too easy; but Google is starting to move in the same direction. My Google username and password gets me into gmail, igoogle, blogger, etc. and the list will expand as Google buys more and more companies and brings more and more stuff out of their labs. I don't really use yahoo!'s services but I imagine that they are following the trend, which is not limited to Google and Microsoft but is a general industry-wide trend.
When I signed up for Blogger I didn't need a new username and password etc; I just logged on with my Google password. Blogger said that they are a Google company so, boom in goes the password. I did check things out first but that's just me, I doubt most people would.
Another thing that surprised me was when facebook asked me for my email username and password so it could check my email contacts against its subscriber base - not my facebook username and password but my online email username and password. This is obviously a service that a large number of people use or else it would have been taken down, freeing up some vital real estate on facebook's main page. Entering this information is optional, but if you do, you have to trust facebook will not store the information, if they do store it then you have to trust that they will store it securely, and not use it themselves except to check your contact list once. Do you trust facebook?
It seems there are no easy ways around this issue. You have to check to make sure that you trust each site you give another site's password to or, better still, don't share the passwords at all.
Yes, the title is right. And this is finally a post that is actually useful (as opposed to interesting and useful somewhere down the line, I hope).
If a friend of yours on MSN Messenger messages you to look at a site that looks something along the lines of messengerweb don't go. Or, go but know the risks.
The title, confusing as it may be, reflects the change in attitudes of the "blackhat" or "hacker" community.
1 - it used to be for show: how many sites can you hack in 24 hours? How many machines can you bring down? Is Google invulnerable? 2 - now it's for the money.
The site above is an excellent example of this. It is packed full of Google adverts. So each time someone visits the site the owner gets a (very) small amount of money. The way to make that into a big amount is to get a large amount of people to visit.
There is the way I do it which is try to make good content and hope that people find it useful but there is another way - the way that site does it.
The site offers a dubious service to the people that log into it. You need to log in with your MSN credentials (which also happen to be your MSN passport and hotmail password). The site does some checking in its database for you (that's the service) and (this is the genius bit) uses the recently acquired MSN username and password to send a message (as you) to all of your contacts telling them about this "really cool" site, and so the networking effect goes on until a lot of visits happen and the site owner makes a load of cash.
You have to accept the terms and conditions before connecting where it is spelled out in no uncertain terms what the site will do.
I got "fake announcements" from a number of technical people who had obviously not only visited the site but also entered in their usernames and passwords.
To the general public: don't give up your password, ever! Even when asked to on websites. The MSN password is for MSN only, not for other websites like messengerweb. Ask yourself before you enter any information onto a site: how much do I trust this site? Rather close the window if you are not sure.
To security people: it looks like we have failed again if people are so keen and eager to just give away their passwords. We have to focus on the principles ("Don't share your password! Know where to use them and where not to") and not the modus operandi ("watch out for emails asking for your password or directing you to a bank website"), because the principles don't change but the modus operandi do.
A while back I went to a lecture that opened my eyes and inspired me. It is what I look back on when times are dark and enables me to think "Information Security is possible".
The talk was started by the CEO of a large financial institution which is also heavily involved in the medical industry. Alarm bells should be ringing... because the information they have floating around their network is so private it's scary.
The CEO of the company started the talk and told us how secure they are now, how they are working on getting more secure and, more to the point, how he knows.
It seems it wasn't always that way but they are working on getting more secure. They started with a framework, defined goals, worked out a plan and ways to measure their security posture.
And it is something they are very proud of. In fact, that the CEO can talk security already is something special. That he is aware at any one time how secure he is, is more special. Well done to them.
I also had a chance to talk to someone from their competition. I mentioned this inspiring talk and asked this person how secure they are - he told me about firewalls, VPNs and that they had a "full PKI installation with non-repudiation" but gave me no measurables - just product talk. In short, he doesn't know.
There are (apparently) 2 companies in South Africa that are fully ISO27001 certified. I'm not sure what these are but 2 is a very small number. Hopefully, companies will wake up to the realities and as South Africa does more business with overseas companies, hopefully information security will become a selling point.
This is not promotion for my business. Maybe if "blogging" (and other cool web 2.0 technologies) had been so popular three years ago then my business would have survived.
No, it is much more important than that.
When I was trying to pick out a name for my (then) consulting business I literally picked up a dictionary and tried to find a cool name that had not been used. I also wanted to stay away from things that had strange placements of lowercase letters like "e" (e-security) and "i" (iSecureU) and "x" (x-pert consulting). I ended up with "elucidate" which is a lovely word that flows off the tongue.
When I gave up my business due to more pressing issues and rejoined the workforce as a normal lemming, I kept the term close to my heart.
Most of my time is spent on the cutting edge; I definitely don't "take up too much space" as the phrase goes. Hence, my time is spent in areas where I don't (yet) have a clue what I am doing, but neither does the rest of the world. I like it here, it's not too crowded and it's interesting; like climbing up a steep cliff wall with no rope is "interesting".
A better analogy is probably: my work life is like doing a puzzle without the box lid to help, with pieces that all fit together (even incorrectly) and some that don't even belong. Sometimes I'll find a few that just have to work together and I have a sense of enlightenment. I can then pass this on to others without them having to do the hard work.
It's a good feeling.
It is a total sense of clarity - lucid.
I should have probably posted this blog entry first because it gives the clearest insight into myself and what I strive for and how I do it.
Now, go back and read all my blog entries all over again. ;)
This morning I took a look at an article in the New York Times about the Virginia Tech Report.
This report was requested by the American President after Seung Hui Cho shot 27 students and 5 faculty members to death at Virginia Tech’s Blacksburg campus on April 16.
His mental health was shown to be questionable and he had been ordered by a Judge to undergo a psychiatric evaluation. But due to privacy restrictions when he applied for a weapon there was no record of this and he was legally able to acquire one.
When I say "privacy restrictions" I actually mean "assumed privacy restrictions". According to the report (and as stated in an article on examiner.com) schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.
So, they would rather "fail safe" as such and not release any information. Even though, in this case it would have saved lives.
Rule number one when dealing with people who are trusted with information - they need to know what they can and can't do with it and rules have to be crystal clear.
Kudos to the American government for seeing the problem and reacting to it by proposing a Federal bill.
Finally, just a word of thanks to Jewishanswers.org who put me in contact with Rabbi Seinfeld (yes, really) who helped me find the information I needed for these posts.
A rabbi with a blog sounds like the start of a Jewish joke but his blog is interesting and I have bookmarked it.
The actual article I used for my blog is here. And is from commentary on Exodus 18.
I find that in some cases it makes sense to take a hard line on something and not compromise. Sometimes you also just know the answer: you can't really be certain of your security posture if 20% of all passwords are "password". Sometimes you have to compromise a bit: you have to allow some traffic through your firewall.
I like to think that I am more of an Aaron person - I find it easier to analyse, debate and discuss than research and enforce. Which makes me a pretty good Information Security consultant. I have different people, with different agendas all coming at me and I need to find a balance.
I fully expect those people to have the agendas that they do and while things can get heated when someone doesn't understand why I can't fully agree with them, I actually prefer them to have strong ideas. That way I can make a good decision.
Every InfoSec consultant will be stuck in the middle of a few factors, the CSO who wants everything perfectly secured (pull out the Internet cable and lock the doors), the CIO who wants everything up and running and the CEO who doesn't care as long as business gets done. You also have 1,000,001 vendors who all think that their product is perfect and does everything. You have the law makers who want to push laws that protect everyone. You have your wife and kids who want you at home all the time (or at least every night and weekend). Another example is ISACA who believe everything can be solved through risk analysis.
And the sad truth is that you can't make all of these people happy. You have to compromise.
Each of these people is a "Moses": they know their point exactly. They see the world in black and white. A technical salesperson (assuming they are trustworthy and their product is reasonably competent) will know all the good about his/her product. They know all the bad it can eradicate and the risks it can mitigate. They may know about competitors' products and how choices were made: some companies decided to use agents, some use no agents. They will stand by their products. They will not budge, and so they shouldn't.
I do have a bit of bias and where I can I push Open Source software but I am aware that it doesn't work for everything and that is where I take my Moses cap off and put on an Aaron cap. I know how good Check Point's firewall software is but when it comes time to do NAC I need to judge fairly.
Speaking of Open Source software, the community is made up of people who are Moses-types and Aaron-types. Richard Stallman is very much a Moses-type. Linus Torvalds is more of an Aaron-type when it comes to license issues but more of a Moses-type when it comes to some aspects of kernel programming.
They are both successful because they have managed to be the kinds of personality they need to be when they need to be that kind.
Information Security is new and fresh and waiting for ideas to mold it. So, I like to look around at older pieces of wisdom to help me make decisions on a daily basis.
I was reading the debate between Alan and Michael and it reminded me about an email I got a while back, sent to me by a mailing list of interesting lessons from the Torah (Bible books: Genesis to Deuteronomy). I lost the email but I have never forgotten the lesson, due to it being very powerful and insightful (not inciteful).
Bear with me... there are Information Security lessons and life lessons to be learned here.
Yitro who is Moses' father-in-law comes to visit him after he has left Egypt and tells Moses to appoint judges for his own well being and those of the people. Which makes sense for Moses - he is a busy guy, let someone else do the judging.
But why for the people? They have access to the greatest prophet in history. Moses could judge perfectly. The reason is that you don't want someone who can judge perfectly. Sometimes you need someone who can compromise. This person was Aaron who saw the grey and not the black and white of being sure.
So, Aaron can do something Moses can't which makes him more important than Moses. Wrong. It makes him different.
And here is the moral of the story. Some people are Moses and see black and white and some people are Aaron. And most people are both but at different times.
I think the challenge is to be able to see when to be one or the other.
It is pretty rare for the general public to know about the I.T. workings of a government department. For example - when you go to pay your water and lights account or get your passport all you want is the transaction to go through - you don't care if they are using "PTS.4" or "QUSI-XGT" to process the transaction.
You only really are aware of it when something goes wrong. Which it did at the Department of Transport who are the guys who register new cars, licenses etc. They ripped out the old "Natis" system and to great fanfare implemented the "eNatis" system. Which has been in the papers (Google News turns up 295 articles) because it didn't work.
The staff had no idea how to get it working. The capacity was overwhelming and the IT guys ran around trying to plug the holes and put up new servers to make sure everything worked. This, after it was live, with no way to go back to the old system.
It even led to the Minister flying down from the clouds above and doing something never done in the history of the ANC... apologizing. He hasn't admitted he is wrong - but he apologized none the less, which is a start. In fact, in typical government style the problem remains unsolved but there is a task team in place to investigate whose fault the mess is.
There are many lessons to be learned from this whole ordeal on how not to perform an upgrade including having a backout plan, educating users, having a test case, testing with worst case load expectations (not best case), doing proper governance before hiring IT developers, etc.
But now, a public newspaper has received an audit report of the system that was published before it went live, and they have won a court case to be able to publish details in their paper. Apparently the system has no security controls in it, which means that any person who uses the system has "root" access.
The government has tried to block the newspaper publishing the details in an effort to have "security through obscurity".
A TV show recently showed that there is little to no physical access control in the Department of Transport's public interfacing offices which means that for a bit of cash one can get access to the terminals.
I'm just relating what I've read. I don't know the extent of the security on the terminals or exactly how the eNatis system works but I am interested in this saga and will publish more when it becomes available to me.
Today I had to do some (personal) work with the Government.
What I did is personal (so don't ask) and probably not offered in all countries but you can think of it as being similar to renewing a driver's license or getting health benefits, etc. Dealing with the Government.
The department I had to visit has moved and not done a very good job of Informing The Public. Also, unlike the Department of Home Affairs it is not a place you'd visit very often. Some people need never go there.
So... while I was in their waiting room I read a newspaper article they had stuck up on the wall about how they were being targeted by fraudsters. These are people who wait on the pavement just outside or near to the building. They can then spot people who are obviously lost and looking for the building and "help" them out.
They take the people to other buildings somewhere in the vicinity in which a little look-alike office has been set up and charge them about $20 to $100 to lodge an application.
The Government charges nothing (it's covered by tax).
Even for me that amount is a lot of money but for the poor who would be most likely to use the service it can be almost half their monthly salary. They also leave in the (falsely) secure knowledge that their application has been processed and I'm not even sure if it does make its way to the Government.
And, of course, these guys also have personal details about the person and probably a photographed copy of their ID book and signature. Maybe even a copy of their last bank statement. These are all things needed to get credit.
Only 1% of Africans have access to the Internet, and in the largest city not built near a major river, dam or coast, phishing is done on the street.
This is one of my theories of Security and why it is such a battle.
I'm not sure if I made it up or heard it somewhere but I stand by it.
"When one person pisses in a swimming pool it affects everyone"
This is why patching is so important but ignored. When a PC on the Internet is compromised by a worm the person who is running the PC may be affected a bit. Their link may slow down slightly but when 100,000 of them are used in a bot-net to attack companies it affects the companies, not the person who owns the PC.
It is the same with TJX etc, personal information stolen from their databases leads to identity theft and hence false purchases all over from many different stores. Everyone is affected.
So, just don't piss in the pool, please. And patch!
"Is something wrong, she said Well of course there is You're still alive, she said Oh, and do I deserve to be? Is that the question?" - Pearl Jam, "Alive"
Yes. I am still about.
The last few weeks have been mad. My folks are visiting from Australia, blogger has been doing funny things, work has been hectic and I'm trying to work out what to do with my life. Lots of excuses why I have not posted in a long while...however...
... I am reading "State of Fear" by Michael Crichton. It is a really good book and worth reading as are all his books. The basic story behind it (besides all the fast paced action you should expect from his novels) is that Global Warming is junk invented by Earth Rights groups to get money that should go to starving kids in Africa and not some theory that may or may not be true.
So, what does this mean for us security professionals? This IS (sorta) an info-sec blog.
Well, he takes it further near the end of the book. He says that there are always issues facing mankind. The press and interested parties (in each case) just blow them up for their own gain. Interested parties so that they can get funding and the press so they can sell their media.
I know I get excited every time some bit of security news makes the papers (sometimes front page) even if once I dissect it, it is really some arbitrary news. It puts what I do in the spotlight and I can get a warm fuzzy feeling. I can also (maybe one day) tell people exactly what I do instead of "I'm in IT". And maybe more companies will take Information Security more seriously and spend more and some of that will trickle down into my usually empty pockets.
Bruce Schneier seems to think about this issue a lot and I like the title of his book "Beyond Fear" because that sums up where I think we should be going. Manage your systems correctly and don't worry.
Still, there are the Fear-mongers - buy security (and then even more) because you may go to jail if you don't secure your company down to the last little screw.
There are also...hmmm... the naive ones... who believe everything can be put into black and white. I always thought I was missing something because even in all my (too many) years in security I have no idea what numbers to use in a risk assessment.
Recently I posted to a security list asking "is a firewall really necessary?" and one answer was "do a risk assessment". I wasn't talking about an external firewall but the answer came from someone who didn't know that.
I can't see how my time would be best spent trying to (research/invent) numbers to prove that a firewall is needed. It's just plain sense (at least on the border) - I think.
Maybe there is a fine line between State of Fear and State of Risk. I hope that I am there.
It begins: "When I was quite young and quite small for my size, I met an old man in the Desert of Drize." This man tells the narrator (a small boy) and the reader to "[s]uppose, just suppose, you were poor Herbie Hart, who has taken his Throm-dim-bu-lator apart!" and other strange ways you could be worse off, in the hope that it cheers you up.
It always did for me.
The modern, Information Security version of this I found in my mail box today. It comes from the Melbourne newspaper The Age. It is an article with the amusing title - How to ctrl, alt, delete $48 billion.
Briefly- Someone at the Alaska Department of Revenue formatted a disk with information on it on how $38 Billion (US Dollars) should be divided. The format was perfect - the information could not be retrieved. The backup tapes failed. The only other backup was paperwork in 300 cardboard boxes. To make matters worse there was a deadline on the payment.
None of the actual money was lost but the department had to hire 12 new full time staff and pay 70 staff overtime to recapture all the information again.
So, in the words of Dr Seuss, and the old man in the Desert of Drize:
Some people are much more Oh, ever so much more Oh, muchly much-much more Unlucky than you!"
We all agree that INFORMATION is the important stuff.
Computers are there to basically make the information look good. Networks are there to move it all about to where (in theory) it is most useful.
Computers are not just all about presentation, they also mold data into useful information and other neat things. But it's the Information that is king. That is why the general term for people that work with computers is "Information Technology".
So, why is everything we do there to protect computers? And networks.
If a computer is compromised - kill it. Stick another in its place. Instantly.
The technology is available to do this. But I haven't seen people use it.
Is it being used?
The way to do this is to keep the data on a separate drive from the applications (as Unix has always advised - welcome to the 70s, again) and, if there is any doubt, kill the machine and pop a fresh install in its place. That only works if the data really does live elsewhere and the rebuild is repeatable, so the separation has to be in place before the compromise, not after.
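As an added example (not code from the original post), here is the check that turns "if there is any doubt" into something a script can decide: hash the application tree at install time, leave the data mount out of the baseline, and later compare. The layout (a root with the applications, a separate data tree) and the sample files are constructed in a temporary directory; nothing here refers to a real host.

```python
"""Integrity baseline for the application tree, with the data tree excluded.

Added example, not code from the original post. It assumes a layout in which
the OS and application files live under one root and the mutable data lives
on a separate mount; the paths and sample files below are constructed in a
temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, data_mount: Path) -> dict:
    """Hash every regular file under root, skipping the data mount entirely."""
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file() or data_mount in p.parents:
            continue
        manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def verify(root: Path, data_mount: Path, baseline: dict) -> dict:
    """Compare the live application tree against the install-time baseline."""
    current = build_manifest(root, data_mount)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def decision(diff: dict) -> str:
    """Any unexplained change to the application tree means: rebuild the box.

    There is no 'clean it' branch on purpose; the data is elsewhere, so a
    fresh install costs less than arguing about what the attacker touched.
    """
    return "rebuild" if any(diff.values()) else "keep"


def demo() -> tuple:
    """Construct a host: applications under root, data on a separate tree."""
    root = Path(tempfile.mkdtemp())
    data = root / "data"  # stands in for a separate mount such as /srv/data
    (root / "bin").mkdir()
    data.mkdir()
    (root / "bin" / "httpd").write_bytes(b"original binary")
    (data / "customers.db").write_bytes(b"rows")
    baseline = build_manifest(root, data)  # taken at install time

    # Data changes all day; that must never trigger a rebuild.
    (data / "customers.db").write_bytes(b"more rows")
    quiet = decision(verify(root, data, baseline))

    # A modified binary plus an unexpected file is the "doubt" the post means.
    (root / "bin" / "httpd").write_bytes(b"original binary" + b"\x90" * 4)
    (root / "bin" / "rootkit").write_bytes(b"???")
    tampered = verify(root, data, baseline)
    shutil.rmtree(root)
    return quiet, decision(tampered), tampered


if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken from a known-good install and stored off the box, otherwise an attacker with root simply rewrites it; and the data mount is excluded deliberately, because data is supposed to change and its protection is a backup question, not an integrity-of-the-OS question.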
It seems all the guys who I read online have been honoured by itsecurity.com. I missed out by coming late to the party. Maybe next time I'll be able to slot in just above Alan Shimel.
It has been an interesting few months and I look forward to doing this for a while.
It is an honour ("honor" for Alan and his American friends) to be part of the Security Bloggers Network (and hence number 19 on the list!)
I check the RSS feed of the Security Blogger Network every day and have added a few websites like SSAATY to my list of have to reads.
It is a widely held belief in the Open Source circles that the reason that Windows is so popular is that it is installed by default on new PCs and that if the same were true with Linux it would gain market share.
Maybe and maybe not. But we haven't been able to see this because Linux has never been installed by default on desktops coming from companies like Dell. Conspiracy theories say that Microsoft's secret agreements with vendors contain a no-Linux clause.
If this is true then Dell now has an issue - (from the article)
"Created in response to growing concern that Dell was not paying enough attention to its customers, IdeaStorm allows Dell users to tell the company what changes they would like the PC maker to implement. The suggestions that get the most votes from other users are pushed to the top of the page.
The two most popular ideas on the site implore Dell to consider offering Linux and the OpenOffice suite as an alternative to Microsoft Windows and Office. Between them they have received almost 200,000 votes."
Dell now has to install Linux or accept the fact that they can't deliver what their customers want. Anyhow, it looks like Dell are about to deliver Linux and time will tell what this means for Microsoft who are battling with a new product that doesn't seem to offer much more than a fancy new screen and fighting the growing Apple fanbase. (It is once again cool to like Apple. Welcome back Mr Jobs.)
Of course, since this is a Security blog, I have to mention that so far it seems Vista is more secure than XP. But Microsoft's excuse for why there aren't viruses and such for Linux has always been - no-one really uses Linux as a desktop. Well.. no-one really uses Vista yet either. And having the main selling point as "Well, it's more secure than any earlier version of Windows" is not saying very much. Most Operating Systems are.
Still, Microsoft are trying and good luck to them. They are about where Unix was in the 70s.
"γνῶθι σεαυτόν" "Know Thyself". As Neo found out when he went to visit the Oracle.
In an industry where "proactive" is the biggest buzzword it seems to me that we in the Information Security field are not doing so well.
From observations in the industry I have noticed a trend to allow Auditors to dictate what needs to be done (and in turn - point out what is not being done). In some companies what the auditors say should be done is all that gets done.
This is very different to how the Accounting profession works. The books get drawn up, approved by management, and only then do the Auditors come through and approve them. Note the difference - here the Accountants decide what and how things should be done and the auditors just see if they are done. And management is involved.
It may be that management sees us as IT "guys". They may not think of us very highly and they may believe that the Auditors are great and all knowing. In my experience the auditors have come across as being very knowledgeable (even though I have had some good laughs at some audit findings). They usually arrive with ties and jackets and shiny shoes. And checklists and boring looking software. And they are backed by international auditing firms that have Ways Of Doing Things.
We are lumped in with IT. We are told what the auditors found wrong and told to fix it - that is how IT works. This is what needs to change.
Even many people involved in Information Security over emphasize the importance of Auditors. Here in South Africa and (it seems - abroad). I've noticed a number of American bloggers trying to push Information Security as a goal and compliance as a result. This fits into the same concept.
We need to be proactive and tell Auditors: this is what we do, this why. And slowly change perceptions and become guides to our organisations.
But first, we have to understand who we are and know what we do.
1. Be proactive - procrastinators don't have it easy. It's hard work doing nothing. Make sure you have a plan set up. What if someone discovers how little work you do? Make sure you have a messy desk so you look busy. Arrange false meetings, etc. Book your calendar full. Use your phone a lot. Browse websites. Do a blog.
2. Begin with the end in mind - visualize how not to work, what you can be doing, how to get around obstacles like bosses and HR.
3. First things first - blah blah blah long term goals etc etc. You know the drill. Also delegate; if you have to do something make sure that it's delegation.
4. Think win/win - if you don't work hard your company doesn't have to pay you much - win/win.
5. Seek First to Understand, Then to be Understood - make sure you understand your boss before you take advantage of the situation. Know his weak points, when he arrives and leaves, what time he takes lunch, etc. Those are the best times to read comics online.
6. Synergize - how to work in teams. Simple - the whole office has one big quake contest while one of you keeps a look out for the boss. Even better - use cameras. But the important thing is to work as a team!
7. Sharpen the saw - all work and no play make you dull - take some time off. Do some work even - shock everybody.
This is tongue in cheek - please do not think I do the above. 'Cept maybe Blog. Oops, there's the boss... until next time..
In summary the article blames all the problems we have today on the way the Internet was designed.
In my first (serious) post on my blog I discuss how secure we were back in the 70s (well..not me..I was still a kid) because computers were designed to not trust their users. With the advent of DOS computers were all trusting and it has taken time to get back to how it was in the 70s. We are still on our way.
Add the two together and you get - strict, secure PCs and open networks. Sounds good to me.
Maybe one day PCs will be so tight that they can sit out on the Internet and we will not have to worry about them. Maybe we will be able to know who is connecting to our network and be happy in the knowledge that their PC can't possibly be in dire need of patches. Maybe viruses will become a thing of the past.
Social engineering will always be with us until we can build better people. Maybe our kids are already learning. We grew up in a world where you don't talk to strangers, they are growing up in one where you don't blog with them or instant message them. The wolf is still there, he is just online. And maybe this will make our kids more infosec aware.
I don't see us ever getting rid of Firewalls but it would be nice if the work of keeping PCs safe was done on the boxes and not on the network. Like it was in the 70s.
Before I begin let me say that this post is about Information Security in a way and, yes, I did clean up the sugar.
I was at work yesterday and I made myself my usual morning cup of tea. On the way between the very cumbersome sugar bowl and the cup I managed to spill almost the entire teaspoon of sugar on the counter. That's a lot of sugar. And a thought went through my head - picture a tiny little version of me sitting on my shoulder dressed in red looking like a devil. "Walk away. No one will know and someone will clean it up." A little angel popped up and told me differently and I did clean up the sugar, but while I was finishing the cup of tea I wondered what factors I took into account before thinking "naaah", and, because I am always thinking Information Security (except at home - I love my family), how I can use this unexpected bit of evil in me for good.
When I spilled the sugar there was no one in the kitchen with me. No one, and I am sure about that. I was not being monitored and I know that too. Had there been someone there, or just the possibility of someone there, I would not have hesitated to clean up the sugar.
There is always some sugar on the counter because not all of it goes into cups - the sugar bowl is too tall. It is accepted that a bit of sugar on the counter is the norm and no-one feels bad spilling a bit of sugar, its almost expected. So, how much is too much?
There are cleaners that work in the kitchen and they would have cleaned up the mess eventually - if no-one else did first. So, the mess would have been cleaned up.
And lastly, I didn't have anything to clean the mess up with. I went to get a piece of paper and scooped the sugar onto the paper with my hand. And then put it all in the bin, but there was no tool for me to use that was designed for the job.
Another thing to consider, perhaps, is that it's not my sugar or my counter. Maybe if they were I'd have been more careful.
Now, InfoSec. If your users are abusing your network it may be because
You are not monitoring them correctly
You are monitoring but allowing small indiscretions through.. where do you draw the line?
It is assumed IT or someone can fix the issues arising from stuff like installing Spyware etc.
They don't have the training or the software in place to help them be secure.
they don't feel security is their job and the company's data is not their asset.
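The second point above ("where do you draw the line?") is the one that can be made concrete. As an added example, not code from the original post, here is a small detection pass over constructed proxy log lines: it counts blocked requests per user per category, flags only those over a written-down tolerance, and separately lists URLs that were blocked and then fetched anyway, which is the "monitoring but letting it through" case. The log format, usernames, categories and thresholds are all made up for the illustration.

```python
"""Drawing the line: count policy hits per user and flag only those over a
stated tolerance. Added example, not from the original post. The log format,
usernames, categories and thresholds are constructed for illustration."""
import re
from collections import Counter, defaultdict

# Assumed proxy line: <timestamp> <user> <src ip> <method> <url> ALLOWED|BLOCKED[:category]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<action>ALLOWED|BLOCKED)(?::(?P<category>\S+))?$"
)

# The tolerance is the "bit of sugar on the counter": small, written down and
# reviewed, rather than silently whatever the proxy happens to let past.
TOLERANCE = {"games": 3, "malware": 0, "spyware": 0}
DEFAULT_TOLERANCE = 5

SAMPLE_LOG = """\
2007-03-12T09:14:02 alice 10.1.1.5 GET http://news.example/ ALLOWED
2007-03-12T09:15:10 alice 10.1.1.5 GET http://games.example/q3 BLOCKED:games
2007-03-12T09:15:12 alice 10.1.1.5 GET http://games.example/q3 BLOCKED:games
2007-03-12T10:01:00 bob 10.1.1.9 GET http://games.example/ BLOCKED:games
2007-03-12T10:01:05 bob 10.1.1.9 GET http://games.example/maps BLOCKED:games
2007-03-12T10:02:00 bob 10.1.1.9 GET http://games.example/cfg BLOCKED:games
2007-03-12T10:02:30 bob 10.1.1.9 GET http://games.example/bin BLOCKED:games
2007-03-12T11:30:00 carol 10.1.1.7 GET http://dl.example/toolbar.exe BLOCKED:spyware
2007-03-12T11:31:00 carol 10.1.1.7 GET http://dl.example/toolbar.exe ALLOWED
this line is garbage and must not crash the parser
"""


def parse(lines: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def tally(lines: str) -> dict:
    """user -> Counter of blocked requests by category."""
    counts = defaultdict(Counter)
    for rec in parse(lines):
        if rec["action"] == "BLOCKED":
            counts[rec["user"]][rec["category"]] += 1
    return counts


def over_the_line(lines: str) -> dict:
    """Users whose blocked hits in any category exceed the tolerance for it."""
    flagged = {}
    for user, cats in tally(lines).items():
        breaches = {c: n for c, n in cats.items() if n > TOLERANCE.get(c, DEFAULT_TOLERANCE)}
        if breaches:
            flagged[user] = breaches
    return flagged


def slipped_through(lines: str) -> list:
    """(user, url) pairs fetched successfully after the same URL was blocked."""
    blocked = set()
    slipped = []
    for rec in parse(lines):
        key = (rec["user"], rec["url"])
        if rec["action"] == "BLOCKED":
            blocked.add(key)
        elif key in blocked:
            slipped.append(key)
    return slipped


if __name__ == "__main__":
    print(over_the_line(SAMPLE_LOG))
    print(slipped_through(SAMPLE_LOG))
```

Alice's two game hits stay under the line; Bob's four do not, and anything in a zero-tolerance category is flagged on the first hit. Carol's entry is the interesting one: the same download was blocked and a minute later allowed, which is exactly the case where the monitoring exists but the line is not actually being enforced.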
I've been working hard at work. And I've neglected this blog. It started off with a bang and now it is fizzling. So, here is a tidbit I came up with a while ago.
This may be obvious to some and hopefully it will be obvious once you have read the post but it when I came up with this idea it took a lot of thinking and a lot of convincing to all around me that this is how it works.
Please note that this does not necessarily represent the company I work for, the company I am contracted to or any other company living or dead blah blah blah. It's hopefully applicable to ALL businesses.
Let's begin.. businesses sell stuff. They either sell services or products, but with nothing to sell they are not really all that useful, ask Enron.
Traditionally there have been two camps of people in businesses - users of information and the guys who make sure that the information gets to where it needs to be. You could call them "Business Decision Makers" and "IT".
Business Decision Makers could be anyone in the company from the CEO to the receptionist, etc
In terms of the CEO think "how many widgets did we sell this week?" For the receptionist it is "What is Jack from Accounts' number so I can put this call through?"
I call these people "Those that do not know" because they have no idea how the magic happens - they just need it to happen. And if it doesn't - there are problems. Note that IT could fall into this category as they use information but their main job is to make sure that the information gets to where it should be - and they should know how to get it where it is.
Next is IT. Their contract with Business is an SLA or a KPI. The main part of the contract, in both the IT department's mind and Business's mind, is the "Availability" part. Downtime will be "8 seconds every 7 months" or such. Security is tucked into the contract but it is way down at the bottom and usually doesn't have an SLA. Or a realistic SLA anyhow. "IT will keep all patches up to date".
Traditionally security has been seen as an IT function. But try to do something that may make the organisation more secure but at the same time will require down-time or could result in unscheduled downtime. You will be hit on the head with the contract and be shown the SLAs. I call the guys in IT, from the CIO down all the way to the guy who fixes PCs, "Those that do not care". It's not really that they don't care about security as such, they just have bigger fish to fry - their SLAs. Talking about the guy fixing PCs, if he has to choose between setting the CEO's password to something hard to guess or "Password1" which do you think he'll choose? He'll want to get the old man off his back and working again - Availability.
So, we have the two camps "TTDNK" and "TTDNC". Where does Information Security sit? Well, we sit in the middle. And it's not a comfortable place to sit. Essentially what we sell (Confidentiality, Integrity and, the big one, Availability) is something that Business does want. They just don't know that their data may be at risk of having one of these taken away. We have to show them that. We also have to show them that by ignoring the C and I, they are at risk and they are the ones that will be left responsible. We also need to work with IT and show them that they can make the C and I work without too much extra on their plates. And with both sides we need to review SLAs that don't allow for things like patching.
Extending this to everyday activities - if a patch comes out for a piece of software. Business should be doing business stuff - not thinking about patches. They should be blissfully unaware of the risk of not patching. IT will be concerned with Availability and will want not to install the patch. Information Security has to sit in the middle and show each camp why the patch must be applied, each in their own language and get it done.
This has taken me a bit of time. I tried to put aside all of the hype and advertising running about in my head and come up with a good reason for NAC.
And without all the hype and such it wasn't easy. A short time back I asked a bunch of CISSPs "Are Firewalls Really Necessary?" and I see a similar question has popped up about anti-virus. I think its good to go back and question the holy assumptions made in the past. And those holy grails of the future. I got some interesting answers to my question and the antivirus debate is heating up nicely.
When I am in doubt I turn to my collection of wisdom, quotes I have collected over the years made by guys a lot more interesting than I and a lot more wise. I hope. One of these sages is Kevin Kelly. My university lecturer was a fan of KK and we actually had to learn his rules of God for our exams. Anyhow, Kevin Kelly said "More is more than more, it's different".
What does he mean by this? How does this relate to NAC?
Take a PC and put someone in charge of it. No problem. Add another PC. No problem. At some stage the guy will have too much work, so add another guy. No problem. Add a few more PCs and a few more guys. At some stage you are no longer dealing with a few guys and some PCs. You are dealing with a Corporate Network and an IT Department.
It is at this stage that the whole takes on a life of its own. Now, Kevin Kelly encourages you to embrace this sort of chaos because something amazing may come out of it. Look at Wikipedia. No one planned that something so huge and amazing would happen; likewise the Internet. Maybe I am talking about Web1.0 and Web2.0, and when Web3.0 happens it will come out of the chaos that is the Internet and totally take center stage.
If you are trying to innovate by all means embrace the chaos. But if you are in charge of a computer network the chaos could produce a new way of working that will boost your company to be a leader in its field but could more likely boost your customer list to your competitors or innovate your 5 years of financial documents into meaningless junk.
NAC is about control. Hence the name, I guess. And really, it's not a product, it's a mindset. If you like you can limit connections by MAC address on switches - you always have been able to. You could have a big guy that walks around unplugging PCs that have no business being on your network.
Without even going into the whole "is the antivirus up-to-date, is the box patched" functionality I think it is important for a security officer to be able to say "All users on the network are authenticated."
Then he could go on to say "All the PCs on the network are up-to-date with the controls I need them to have to make sure they behave themselves".
There will be issues in doing this, and I don't see the point in having security-through-obscurity, which is what DHCP-based NAC seems to be. There needs to be a chokepoint and it needs to be the switch, which is the closest trusted piece of equipment to the user. Their PC is closer but it is not trusted.
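To make the two statements above concrete ("all users are authenticated" and "all PCs carry the controls I need"), here is an added example, not code from the original post, of the admission decision a switch-side NAC would make per port. It takes an authenticated user as mandatory, treats the MAC address as a hint that at most buys a printer-style exception onto a restricted VLAN, and only then checks posture. The endpoint records, VLAN names, signature-age limit and dates are constructed for the illustration.

```python
"""NAC as a mindset: one admission decision per switch port that needs an
authenticated user AND an acceptable posture, with the MAC address treated as
a hint, not an identity. Added example, not from the original post; the
endpoint records, VLAN names and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_SIG_AGE = timedelta(days=3)   # assumed policy: AV signatures older than this fail posture
TODAY = date(2007, 4, 2)          # pinned so the example is reproducible


@dataclass
class Endpoint:
    port: str                       # the chokepoint: the switch port it is plugged into
    mac: str
    user: Optional[str]             # None = nobody authenticated on this port
    av_signatures: Optional[date]   # date of the AV signature set, None if no agent reported
    missing_critical_patches: int
    mac_known: bool = False         # MAC is in the asset register (printers etc.)


def admit(ep: Endpoint, today: date = TODAY) -> tuple:
    """Return (vlan, reason). 'prod' only when identity and posture both pass."""
    if ep.user is None:
        # A registered MAC buys a printer-style exception onto a restricted VLAN,
        # never production: a MAC is copied off a sticker, it proves nothing.
        if ep.mac_known:
            return "restricted", "no authenticated user, known MAC"
        return "quarantine", "no authenticated user, unknown MAC"
    if ep.av_signatures is None or today - ep.av_signatures > MAX_SIG_AGE:
        return "remediation", "AV signatures absent or stale"
    if ep.missing_critical_patches > 0:
        return "remediation", f"{ep.missing_critical_patches} critical patches missing"
    return "prod", "authenticated and compliant"


def plan(endpoints, today: date = TODAY) -> dict:
    """Map every port to the VLAN the switch should put it in."""
    return {ep.port: admit(ep, today)[0] for ep in endpoints}


SAMPLE = [  # constructed endpoints, one per port
    Endpoint("Gi1/0/1", "00:11:22:33:44:01", "alice", date(2007, 4, 1), 0),
    Endpoint("Gi1/0/2", "00:11:22:33:44:02", "bob", date(2007, 3, 20), 0),
    Endpoint("Gi1/0/3", "00:11:22:33:44:03", "carol", date(2007, 4, 2), 2),
    Endpoint("Gi1/0/4", "00:11:22:33:44:04", None, None, 0, mac_known=True),
    Endpoint("Gi1/0/5", "00:11:22:33:44:05", None, None, 0),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.port, ep.user, *admit(ep))
```

The order of the checks is the point: identity first, posture second, and the outcome is a VLAN assignment on the port rather than a DHCP lease, because the PC being admitted is the one thing in the exchange you cannot trust to report on itself. The posture values would in practice come from an agent on the PC, so they are evidence for remediation, not for granting more access than the authenticated user already earns.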
Since I started my blog and subsequently joined the Security Bloggers Network (see the side panel), I have been following a number of stories posted by other blog members.
Ok, two debates on SSAATY - open source and NAC. I have my opinion on each and here goes:
Alan contends, and I agree with him to a point, that users shouldn't be concerned with the making of software -ie, is it open source, commercial, closed, powered by little rodents, etc. They should only make sure that the software does what they want it to. And I agree to a point.
However, we are security people and we deal in risks and mitigation. Using closed source software does present one with certain risks that open source software does not and that is: what happens if the product is discontinued.
I have seen companies spend millions on closed source software only to wind up with a solution that can not be upgraded or changed. There are some programs that only run on dos and are so closed and so important the company lives with this outdated operating system. I'm not picking on DOS, think of all the proprietary financial systems that had to be quickly fixed or rewritten for Y2K on Unix. A proprietary system that at least has published and open standards (preferably industry-wide standards) would mitigate this risk to a point.
An example that just popped into my head is Internet Explorer. I know of an IT company that has built its entire way of working around an Intranet site. Good for them but they used IE6 specific "features" in the website and it doesn't work with IE7. Had they stuck to standards they would have no problems but they didn't.
You may argue that Open Source and Open Standards are not the same thing, but they usually go together, whereas closed standards are usually in place to protect market share and don't work very well with Open Source software (where the standards are open as soon as the code is read and analyzed).
Thank you for the little blog post on me. I hope I can respond with some good, insightful (incite-ful?) posts to keep you interested.
Congrats firstly on your anniversary.
I consider myself a lay-expert (in other words I spent way too much time on slashdot for my career's good) on GPL so I'll add in my 2c.
The GPL severely restricts what you can do with the source in order to try to keep the source available. It is known as "viral" in that if you want to use the source in a project, all the source of that project must also be GPL or compatible.
The big news of a project being GPL compatible is that once the source is GPL compatible it can be added to other GPL projects and in turn other GPL code can be pulled into this project.
Being GPL compatible is also a nice buzzword to use. And it would make coding easier - "Oh, its GPL. I know that". (No need to read the license and compare it to GPL to understand how compatible it is.)
I'm not sure exactly in this case how it benefits everyone but the above may give a good idea of why GPL is better to have than just "open source".
This is a very informative and rather scary video.
I suggest all Information Security people watch it. Then show it to all their Internet users.
Home users should watch it too. They may learn something.
The good news is that drive-by downloads are almost impossible if you keep your machine fully patched which - for almost all Operating Systems - is free, so why not?
The official description is: Network security analyst Corey Nachreiner, CISSP, shows what happens when you're browsing the Web and a "drive-by download" attack hits you. Produced by LiveSecurity for WatchGuard Technologies.
It is brilliant stuff and hopefully there will be more from these guys.
Another off topic posting. For an information security blog - I'm not doing so well... but then I never promised that I would. And this is my second post in one day!
According to the wikipedia: The first commercial SMS message was sent over the Vodafone GSM network in the United Kingdom on 3 December 1992, from Neil Papworth of Sema Group (using a personal computer) to Richard Jarvis of Vodafone (using an Orbitel 901 handset). The text of the message was "Merry Christmas".
That was 15 years ago. According to an article in itweb SMS revenues are to hit $67 Billion by 2012. Their source is Portico Research.
Mayor Bloomberg of NYC on the www.nyc.gov site in his "State of the city" boasts that NYC had 44 Million visitors. Thats pretty good going considering that the number of people in the whole of South Africa is 44 Million and the number of people in Australia is 25 Million.
So, essentially the whole of South Africa could have visited New York. Or the whole of Australia could- twice in one year.
Amazing.
Coincidentally, the number of people living in NYC is 8.2 Million - which is roughly the number of visitors (estimated, very badly by yours truly, but probably rather accurate) to South Africa in a year.
Sure, Lotus 1-2-3 was still around and still (if I recall correctly) the market leader. Office95 totally killed that. But it was not Lotus's most famous software package that IBM wanted. They wanted Lotus Notes. And they paid $3.5 billion (cash money) for the pleasure.
IBM Lotus Notes is still around today and very well respected. And used by some very big companies. But I really don't think it had the impact it should have. I think the reason is that Microsoft Exchange adapted more quickly to what companies wanted.
But, didn't need.
The thing is that IT has (unfortunately) positioned itself both as a strategic tool and a grudge expense. (It is also an operational tool..hmm..maybe we'll come back to this point... but I want to focus on strategic).
What the above means is that companies have salivated at the idea of using technology to beat their competitors. And it is very quick for something to go from strategic (read: competitive advantage) to operational (read: everyone is doing it). So companies push projects out quickly. If you are a leader you want to be that way as soon as possible..if you are catching up - the same. You also want to do it as cheaply as possible, obviously.
So the poor IT department has to roll out projects as quickly as possible, as cheaply as possible. And probably with very little planning or training.
So, with the choice between a proper system for managing staff using workflow, perfectly designed job descriptions and properly thought out business processes that all just works, or a quickly cobbled mail system with a nice directory system and calendar, what would be the choice of most IT decision makers? Yep, the cheaper and quicker.
Now, don't get me wrong. I don't know enough about Lotus Notes to promote it as a perfect system, nor do I know enough about Exchange to put it down. That's not my point here. And, in fact, I bet that a good system where Exchange is used as part of a well organised workflow solution would probably be better than a badly created Notes implementation.
My point is that we have now, through the mistakes of the past, come to a point where it can happen that a business is not sure what information it has, (perhaps even) what machines it has and what people it has. There are ways to track all of these, but the computer systems were never designed for that.
In the heady, do anything days gone by companies from small to big did things like this:
A server comes to end of life and is removed from the network. But a project that is way over budget needs a not-so-powerful server, so the old server is used. Maybe the server was an HR server (inside and fairly safe) and is now a web server (open to the world). Because it's a mission to re-install the OS, the box is left as is and just has a web server added to it. Your HR information is now at risk and, because there was no formal installation or project, the new server is a ghost server, only noticed if/when it goes down.
The mail server administrator moves into a new job but his mail server access is not taken away. He now has access to all the mails on the server.
Even worse - he leaves the company and his account is not removed.
The CEO's personal assistant, who has access to all his files, downloads a Valentine's Day card that is actually a trojan. It is able to install itself because she has Administrative rights to her PC.
Etc.
If processes had been in place long ago this would not be an issue. Now you have 10000 user accounts and no paperwork. Which of those people are still employed and have all the access (and only the access) they need? If you start a clean-up now you will piss everyone off, from the top all the way down. Whoops... due to IT's need to impress ages ago and business's need for speed, you are the bad guy.
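A first cut at the clean-up just described, as an added example that is not part of the original post: it reconciles a constructed directory export against a constructed HR roster and returns the accounts to act on (ghost accounts, leavers still enabled, privileged groups the person's current role does not justify). The record layout and the role-to-group policy are assumptions.

```python
# Added example (not from the original post): reconcile a directory export
# against an HR roster to find the orphan and over-privileged accounts the
# post describes. All records are constructed; field layout is an assumption.

# Groups that grant broad rights and therefore need a role-based justification.
PRIVILEGED_GROUPS = {"Domain Admins", "Exchange Admins", "Local Admins"}

# Which HR roles may legitimately hold which privileged groups (assumed policy).
ROLE_ALLOWS = {
    "Mail Administrator": {"Exchange Admins"},
    "IT Support": {"Domain Admins", "Local Admins"},
}

# Constructed directory export: login -> (enabled?, group memberships).
ACCOUNTS = {
    "jsmith": (True, {"Exchange Admins"}),   # moved to Sales, kept mail admin rights
    "bjones": (True, {"Exchange Admins"}),   # left the company, account never removed
    "pa.ceo": (True, {"Local Admins"}),      # PA with admin rights on her PC
    "svc_web": (True, set()),                # nobody in HR knows this account
    "mlee": (False, set()),                  # leaver whose account was disabled
}

# Constructed HR roster: login -> (employment status, current role).
HR_ROSTER = {
    "jsmith": ("employed", "Sales"),
    "bjones": ("left", "Mail Administrator"),
    "pa.ceo": ("employed", "Personal Assistant"),
    "mlee": ("left", "Finance"),
}


def reconcile(accounts, roster, role_allows=ROLE_ALLOWS):
    """Return {login: [findings]} for every account that needs attention."""
    findings = {}
    for login, (enabled, groups) in accounts.items():
        issues = []
        record = roster.get(login)
        if record is None:
            issues.append("no HR record (ghost account)")
        elif record[0] != "employed" and enabled:
            issues.append("leaver still enabled")
        elif enabled:
            # Employed and enabled: privileged groups must match the current role.
            excess = (groups & PRIVILEGED_GROUPS) - role_allows.get(record[1], set())
            if excess:
                issues.append("privilege not justified by role: " + ", ".join(sorted(excess)))
        if issues:
            findings[login] = issues
    return findings
```

Accounts with nothing wrong (the disabled leaver here) are left out, so the result is the worklist for the clean-up rather than a full report.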
But it will happen. With (more) money, time and tears.
Slowly companies will realise what problems they have and how insecure they are. Or someone out there will show them. And they will put the procedures in place, the technology will follow and the organisation will be turned into a perfect workflow oriented organisation.
And there will be some ROI as people's jobs are done quicker, smoother and with less paperwork. Private information of 3rd parties will be in secure databases. Databases will be backed up and the information will not leak out through discontinued servers and stolen laptops.
And it will all be good.
And then we will have caught up to the vision that IBM had in the early nineties when they paid $3.5 billion cash for Lotus: a company that knows who it is and what it is doing, with IT systems that know the same.
I'm sure that someone out there is going to try to patent this idea, so let me put it out on the Internet first. I'm not interested in the patent; if I make this I'll try my best to be the best and beat competitors that way.
Right, I will try to explain this in simple terms.
(As I see it) The problem with mail these days is:
Spam
Contract law
Mail as we know it (SMTP for the geeks) originated in a wonderful carefree environment untouched by the ugliness of unfettered Capitalism. There was no spam. I remember the days when you could use any SMTP server out on the Internet to "relay" your mail. Sorta like travelling in New Guinea or New Zealand or New York: you just happen to pass a letterbox/postbox and you pop your mail in. And it will get where you want it to. For free. The owner of the mailbox paid something ridiculously small to move your mail and was secure in the knowledge that if he was in your home town your mail server would relay his mail.
Then companies saw this marketing opportunity, free mail, and decided to abuse it. Hence spam. Now everyone only relays their own mail. And we still have spam.
The other issue with mail's naive beginnings is that anyone could pretend to be anyone. It was based on trust. After the first few times of pretending to be someone else the fun wears off. Not for spammers; they need to pretend to be someone else all the time. Otherwise they would be simple to block and everyone would, except for idiots who want to lose money on the stock exchange and make up for it with huge... well... Pfizer's blue pills.
Wouldn't it be great to be able to only receive mail from companies we deal with? I think so. Set up an information account that can still receive spam and all sorts of junk, but have regular users only get mail from companies that are trusted.
The other issue is that email was just for fun: first for geeks, then for cool geeks, then for cool people (like wow!) and then for the man in the street (and his tech savvy kids). Then more and more business people saw the advantage of cheap and quick written communication, untrusted as it was.
And more business information was exchanged over email. As information decided it wanted to stay as bits and bytes and not ink spots on a page, the definition of "document" as a piece of paper became increasingly wrong. (I remember a story about this; I will put it in my next post.) The laws became wrong and they were changed. South Africa made a new law called the "ECT Act" which mainly extended the definition of "documents".
The law was slow to recognise email as a legitimate business tool but so were the geeks. Email today is the same as email of when it was not important to business. All of a sudden email was important - deals could be made through email. Decisions could be made. Companies could be sued. People could be fired. All through a medium that can be very easily spoofed or lost. How does one know exactly who sends an email? You can't, not easily. Not yet.
So companies have been scared of the laws and scared of the power email has, and the disclaimer was born. The disclaimers used to say "if you are not the intended recipient of this email, destroy it and forget what you have read, please". Now they are more complex, but they say "if you are the recipient of this mail and we have written anything that we may want to take back at a later stage, we can!". I know a company that says the above and adds "The law that makes this a document: ignore that law". It's a technology company.
But then what is the point of email?
I think that it would be a great idea to work out all the companies that your company emails. This may be a mission at first, but I doubt it would be as bad as people may think. Then work out what sort of relationship you have with each company. Make out a few contracts: one for suppliers, one for once-off suppliers, one for customers, etc. Then approach them and ask them to enter into a contract. I will provide an example contract soon. Once that is done there is no need for spam checking; just have a white list. No need for disclaimers. You want to do ordering through email and have it binding? Perfect. It can be done legally and (now) safely.
More on this soon.... but, remember, you heard it here first!
Ok, this is way off topic. But it is my blog so I can do what I want with it, no?
I bank with FNB and I am proud to be a customer of theirs.
South Africans should know this story by now but overseas readers may not:
First National Bank is involved in a number of non-banking initiatives to give back to the community etc.
One of these was a petition to the Office of the President asking for more action to be taken on crime. They made thousands of little booklets that were addressed to the above Office. The plan was to send these out to the general public who would then fill in an incident of crime that had touched them. The petitions were (at the bank's expense) already stamped and addressed.
The Government got wind of the idea and (it is alleged) put pressure on the bank (who does the banking for some big government departments) and the whole plan was dropped.
FNB is a business and I understand them needing to reassess the situation and watching the bottom line first but I am very upset with the Government and the position they have taken.
It is obvious that crime is a huge deal in South Africa - even the conservative, edited, diminutive statistics that get released each year show how bad South Africa's crime levels are.
Even wikipedia has an article on crime in South Africa which begins "Crime is a major problem in South Africa. According to a survey for the period 1998-2000 compiled by the United Nations Office on Drugs and Crime, South Africa was ranked second for assault and murder (by all means) per capita, in addition to being ranked second for rape and first for rapes per capita."
(I feel that) It got to the point where normal people were sick of crime but were numb to it. The papers stopped printing stories about crime unless they were strange or terrible.
The 19th FIFA World Cup is scheduled to take place in South Africa. This event will bring tons of foreign capital into South Africa and promote to the entire world the idea of South Africa as a holiday destination. On the other hand, the infrastructure and initial outlay is huge too. It is do-or-die. This competition has to be handled perfectly for the country to benefit. Crime is a risk to this. Possibly the most important one.
These, combined with the fact that Government does not seem to be willing/able to deal with crime, have led South Africans to feel lost about this issue.
First National Bank seems to be a very patriotic bank. They have loads of adverts promoting how great the 2010 FIFA World Cup will be. They are also (the main?) sponsor of http://www.homecomingrevolution.co.za/ which aims to promote South Africa to expatriates who may be interested in returning.
Reading a few messages on the forum there, the message is quite clear - "we would love to return home for a million reasons. and we will not for one reason - crime!"
It seems to me that FNB as an organisation has just, like the rest of us, had enough of the moaning about crime and wants to do something about it. They are not allowed to start their own police force and justice system, so they are trying to get the attention of the people who can deal with crime.
Unfortunately instead of taking action against crime the Government have taken action against FNB.
A quote, attributed to Henry Spencer goes "Those who don't understand UNIX are condemned to reinvent it, poorly."
I always, being a Linux boy, liked that quote. And I could see it in practice. Linux never hid the fact that it was mostly based on Unix, but DOS/Windows did. Microsoft was caught in a bit of a bind: with Linux being free, they had to pretend everything DOS was better, everything non-DOS was worse. Fair enough, DOS and the pretty stuff that they placed on top of it was their bread and butter.
But as time has progressed Windows has moved toward looking and working more like Unix. The main change being the fact that the main user of the box is not innately trusted. There are no file permissions on FAT, all files are available to whoever uses the machine. NTFS has changed all of that. Windows 98 didn't need the user to log on, XP does.
It is not my purpose here to trash the Windows Operating Systems of yesteryear. In fact, Linux had some shortcomings in the 90s too. It is my point that it has taken us about 30 years to get our PCs to the point where they are now as safe as the Unix servers that were around in the 1970s.
My Blog is called "Security Thoughts" which is rather plain but explains pretty much what it is about.
It is about Information Security more than physical security but those of you who, like me, have a CISSP or other such qualification know that physical security plays a big part in Info Sec. As does having a "security conscious" mindset.
I would like to just dump all the thoughts in my mind onto this page (and from now on I will use Firefox ver2 with its spell check function). But I am interested in Information Security so that will be the main focus of this Blog. But I don't want to limit myself.
"Gartner Group forecasts that blogging will peak in 2007, levelling off when the number of writers who maintain a personal website reaches 100 million. Gartner analysts expect that the novelty value of the medium will wear off as most people who are interested in the phenomenon have checked it out, and new bloggers will offset the number of writers who abandon their creation out of boredom. The firm estimates that there are more than 200 million former bloggers who have ceased posting to their online diaries, creating an exponential rise in the amount of dotsam and netsam (i.e. unwanted objects) on the Web."
So, is my Blog just for jumping on the bandwagon? Or is it more than that?
Well, at least by submitting this one little comment onto the huge Internet for Google to preserve for ever I become Time magazine's person of the year. Which is not bad going for a few minutes of playing around while on the Company's payroll.
It means I join such greats as JFK (former president), Nelson Mandela (former president) and Rudy Giuliani (for President!). Of course, also in the same company are Stalin and Hitler.
This is not the first time I have left my footprints on the virtual sands of the Internet; if I google (lowercase "g") myself I find little traces of Me all over. Some are surprisingly insightful (incite-fool?) and some are quite embarrassing.
Blogging is new to me; this is my first genuine post. And I am amazed at how easy it is. Well done, Blogger. I look forward to doing more posts as soon as possible. Starting with the next one: what this blog is all about anyhow.