<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[Security Thoughts]]></title>
    <link>http://securityratty.com/feed/c1237d547632cad6b467ef64f9ddf9ae</link>
    <description></description>
    <pubDate>Tue, 29 Apr 2008 09:23:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Google's New Browser]]></title>
      <link>http://securityratty.com/article/ad7dafb059c5f7fab0dc5f23e779270c</link>
      <guid>http://securityratty.com/article/ad7dafb059c5f7fab0dc5f23e779270c</guid>
      <description><![CDATA[So, Google have released a new browser called Chrome

What does that mean from an Information Security perspective?

Not very much and a lot, depending if you are looking at the short term or long...]]></description>
      <content:encoded><![CDATA[So, Google have released a new browser called Chrome...<br /><br />What does that mean from an Information Security perspective?<br /><br />Not very much and a lot, depending on whether you are looking at the short term or the long term.<br /><br />So, let's get into the short term - there is a new browser. It will have bugs and vulnerabilities. These will be exploited.<br /><br />Most of the browser is based on WebKit, which is more or less what KDE uses, more or less what Safari uses and more or less what a number of cell phones use. It is becoming browser number 4 after IE, Mozilla/Firefox and Opera. This means that hackers (online criminals) will start to notice the browser (if they haven't already). Assuming that the open source promise (many eyes make fewer bugs) holds true and that Google will be quick with patches, then this is merely part of the daily application vulnerability race. And if Google is quick with patches then this browser should not be any more unsafe than the others.<br /><br />There are a few extra security features in this browser - that is always a good thing. For more information read <a href="http://www.tssci-security.com/archives/2008/09/02/google-chrome-first-look/">here</a>. Of course the feature that is most interesting - "each-tab-running-separately" - has been compromised.<br /><br />So short term - move along, nothing to see here. Let's move on to the long term...<br /><br />What is most important in my mind for the long term is the "why" of this browser - why would Google want to jump into a market where they can't be the biggest or the best or even a very effective niche player? Especially since they have a good relationship with Firefox and their product is almost entirely WebKit? 
And their browser is essentially all open source, so all the good bits will be analysed and added to Firefox anyhow, or improved upon and then added to Firefox.<br /><br />The answer is simple - Google want their browser to fail.<br /><br />Huh?<br /><br />Well, that may be a bit unfair, but they really don't care either way.<br /><br />Google is the search engine leader. They are also slowly <span style="font-style: italic;">becoming</span> the Internet. This blog is hosted by Google, its feed is hosted by Google. If I need to host video, pictures, sound etc then I would probably choose Google - they are really good at hosting and why bother looking elsewhere when I already have a Google account?<br /><br />So, almost all of my public information is hosted by Google. What about my private information?<br /><br />Well... no.<br /><br />That is all stored safely on my laptop for five reasons -<br /><br /><ol><li>I don't trust Google.</li><li>I don't trust the Internet.</li><li>The tools for creating private documents are so much better than the online ones.</li><li>I can get to my documents when I am offline.</li><li>The Internet is too slow. </li></ol><br />But a lot of my computer day is spent in Microsoft Office. That is a lot of advertising opportunity lost. And if Google can access my personal files then they will have a better idea of what adverts to send my way. Which in turn will make their advertisers happier and Google stock go up.<br /><br />And all it would take is sorting out the above 5 points.<br /><br />I was going to go into each one but this post is already getting quite long. Just note that the three features that are most important in Chrome are:<br /><br /><ul><li>Security and stability</li><li>Offline application mode</li><li>Fast running and standards based application engine</li></ul>In other words - helping to make it easier to use Google's online applications. 
Most of the factors are going to be taken care of with Chrome and its kids.<br /><br />What will happen is that Firefox will catch up with Chrome, but Google won't care what you use to access their online applications - just as long as you access them. And that is their game plan.<br /><br />What this leaves is the final question - all things being equal - is your information more at risk on Google's servers or on your laptop at home?<br /><br />That is a good question, and one we should be looking at.]]></content:encoded>
      <pubDate>Wed, 03 Sep 2008 06:59:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/trust">trust</category>
      <category domain="http://securityratty.com/tag/trust google">trust google</category>
      <category domain="http://securityratty.com/tag/browser">browser</category>
      <category domain="http://securityratty.com/tag/google account">google account</category>
      <category domain="http://securityratty.com/tag/google stock">google stock</category>
      <category domain="http://securityratty.com/tag/choose google">choose google</category>
      <category domain="http://securityratty.com/tag/information security perspective">information security perspective</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/388678608/googles-new-browser.html">Google's New Browser</source>
    </item>
    <item>
      <title><![CDATA[The Perfect Storm]]></title>
      <link>http://securityratty.com/article/32f71212618ca9738aa75adab4f5a3b5</link>
      <guid>http://securityratty.com/article/32f71212618ca9738aa75adab4f5a3b5</guid>
      <description><![CDATA[It's time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us

This may sound dramatic but I think that I may not be conveying the amount of...]]></description>
      <content:encoded><![CDATA[It's time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.<br /><br />This may sound dramatic, but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.<br /><br />Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.<br /><br />There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.<br /><br />So far, it seems, the community has been quite lazy and has just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).<br /><br />This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. 
Companies that have credit card information have been the ones most under attack, but those that don't handle credit card information have largely been ignored by hackers, except for some members of staff who have been caught out, and then they have only lost their own personal information.<br /><br />There just really isn't a (black/underground) market for information that is not credit card or personal finance related.<br /><br />However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.<br /><br />Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while; my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information?<br /><br /><a href="http://securosis.com/2008/07/16/the-data-supply/">Adrian Lane from Securosis</a> thinks that the falling prices in the underground economy are humorous. I disagree. I look at it as very scary and the final puzzle-piece.<br /><br />I think that the perfect storm is about to be unleashed.]]></content:encoded>
      <pubDate>Thu, 17 Jul 2008 03:15:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/credit card details">credit card details</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/company information">company information</category>
      <category domain="http://securityratty.com/tag/credit card theft">credit card theft</category>
      <category domain="http://securityratty.com/tag/wide-scale information theft">wide-scale information theft</category>
      <category domain="http://securityratty.com/tag/credit card information">credit card information</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/337832309/perfect-storm.html">The Perfect Storm</source>
    </item>
    <item>
      <title><![CDATA[Virtualisation - Welcome Back to the 90s.]]></title>
      <link>http://securityratty.com/article/91a97db541c7009ccb12c514e3cee018</link>
      <guid>http://securityratty.com/article/91a97db541c7009ccb12c514e3cee018</guid>
      <description><![CDATA[I've been thinking about this for a while but this blog post by Pascal Meunier pretty much sums up my feelings about Virtualisation

Back in the 90s when the Internet was new-ish and just becoming...]]></description>
      <content:encoded><![CDATA[I've been thinking about this for a while, but <a href="http://www.cerias.purdue.edu/site/blog/post/virtualization-is-successful-because-operating-systems-are-weak/">this blog post by Pascal Meunier</a> pretty much sums up my feelings about Virtualisation.<br /><br />Back in the 90s, when the Internet was new-ish and just becoming important, all the machines running it were Unix boxes. (Maybe not all, but most). And a 386 would typically run DNS, sendmail, telnet (shell accounts), ftp and apache. All on the same box.<br /><br />Security wasn't so tight in those days, but it was usually good enough and the box could happily do what it needed to do.<br /><br />Along came Microsoft and produced the idea of "one box - one service". You can't seriously consider running your domain controller as a file server. What are you thinking? And to put mail on the same box? No way. In fact, your SQL server is running under significant load, chain a few together.<br /><br />And companies would buy into this concept. Microsoft were happy - more licenses. All the PC guys were happy too - more money. More complexity - more jobs.<br /><br />Essentially what has happened now is that Moore's Law has kicked in and has caught up with the complexity of Microsoft's software, to the point where one server box can run multiple applications on it. Imagine that. But Microsoft has planted the one-service-one-box concept so well that it is now part of IT law. File server and mail server on one box? But wait... what's this button over here...? 
Vir-vir-virtualisation.<br /><br />And now we have the tools to allow us to once again run multiple applications on one server without having to admit that one-application-one-server never made sense.<br /><br />To be fair - Virtualisation does have other advantages - running multiple Operating Systems for example, being able to easily move a virtual machine from one box to another (without configuration issues), being able to make a snapshot backup of a system.<br /><br />But running multiple applications on one box is not a huge win.]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 02:37:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/file server">file server</category>
      <category domain="http://securityratty.com/tag/server box">server box</category>
      <category domain="http://securityratty.com/tag/box">box</category>
      <category domain="http://securityratty.com/tag/mail server">mail server</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/multiple applications">multiple applications</category>
      <category domain="http://securityratty.com/tag/multiple">multiple</category>
      <category domain="http://securityratty.com/tag/sql server">sql server</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/325572539/virtualisation-welcome-back-to-90s.html">Virtualisation - Welcome Back to the 90s.</source>
    </item>
    <item>
      <title><![CDATA[Andy sees the light]]></title>
      <link>http://securityratty.com/article/71f1d10181e7d4f99a675b10639b4d19</link>
      <guid>http://securityratty.com/article/71f1d10181e7d4f99a675b10639b4d19</guid>
      <description><![CDATA[As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations

He has found an example of what Bruce Schneier calls movie plot security. What is also known as...]]></description>
      <content:encoded><![CDATA[As per usual the man-in-the-trenches <a href="http://feeds.feedburner.com/%7Er/AndyItguy/%7E3/321307284/why-process-trumps-technology.html">Andy-It-Guy</a> comes up with some excellent observations.<br /><br />He has found an example of what Bruce Schneier calls movie plot security. What is also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong... we put in something different. Ad infinitum.<br /><br />(The name "whack a mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)<br /><br />This is a solution, but it's not the best solution. And in case you think that it is a terrible solution, think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc etc are... point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.<br /><br />The one technology in the above list that is unfairly listed is the firewall. Best practices state that you should block everything and enable only what you need. But in the past firewalls were generally configured to block only what was bad and to open up everything else. Then they started to "by-default" block everything in and allow everything out. We have learned our lesson with firewalls.<br /><br />Antivirus too is starting to move from a "detect and delete the following..." to a "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."<br /><br />Note the move from "allow all and block specific known bad" to "block all and allow specific known good".<br /><br />I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. 
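The difference between "allow all and block specific known bad" and "block all and allow specific known good" is easiest to see by running the same traffic through both policies. What follows is an added example, not code from this post or from Andy's; the addresses, ports, sample connections and rule sets are constructed for illustration and do not describe any real firewall. The first policy has a rule for the bad ports we have heard of and lets everything else through, so the two connections nobody planned for (a new console on 8443, a listener on 31337) are allowed until someone notices and adds another mole to whack. The second policy allows only the two services we actually run and stops both of them without anyone having to know about them in advance.

```python
"""Default-allow versus default-deny, as a miniature first-match packet filter.

Added illustration, not code from the post. The flows, ports and rules below are
constructed sample data, not taken from any real firewall.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound connection attempt: source address, destination port, protocol."""
    src: str
    dst_port: int
    proto: str


# Constructed sample traffic. The first two are services we run on purpose, the third
# is a port most people have heard is bad, and the last two are things nobody wrote
# a rule for: a new appliance on an odd port, and a listener that should not exist.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.5", 443, "tcp"),     # HTTPS to the web tier
    Flow("203.0.113.5", 25, "tcp"),      # SMTP to the mail relay
    Flow("203.0.113.9", 135, "tcp"),     # MSRPC from the Internet, known bad
    Flow("203.0.113.7", 8443, "tcp"),    # new admin console nobody told security about
    Flow("203.0.113.9", 31337, "tcp"),   # a backdoor-style listener
]

# A rule is (verdict, predicate); the first rule whose predicate matches decides.
Rule = Tuple[str, Callable[[Flow], bool]]

# Policy A, the old way: allow everything, block the specific bad ports we know of.
BLOCK_KNOWN_BAD: List[Rule] = [
    ("deny", lambda f: f.dst_port in {135, 137, 138, 139, 445}),
]
BLOCK_KNOWN_BAD_DEFAULT = "allow"

# Policy B, the lesson learned: block everything, allow only the services we run.
ALLOW_KNOWN_GOOD: List[Rule] = [
    ("allow", lambda f: f.proto == "tcp" and f.dst_port in {25, 443}),
]
ALLOW_KNOWN_GOOD_DEFAULT = "deny"


def evaluate(flow: Flow, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if no rule matches, the policy's default applies."""
    for verdict, matches in rules:
        if matches(flow):
            return verdict
    return default


def verdicts(rules: List[Rule], default: str, flows: List[Flow] = SAMPLE_FLOWS) -> Dict[int, str]:
    """Map each sample flow's destination port to the verdict the policy gives it."""
    return {f.dst_port: evaluate(f, rules, default) for f in flows}


def unplanned_but_allowed(rules: List[Rule], default: str, planned_ports=(25, 443)) -> List[int]:
    """Ports that got through even though nobody on the security side planned for them.

    Under default-allow this is exactly the whack-a-mole gap: every new service or
    backdoor is permitted until someone notices it and adds one more block rule.
    """
    result = verdicts(rules, default)
    return sorted(p for p, v in result.items() if v == "allow" and p not in planned_ports)


if __name__ == "__main__":
    for name, rules, default in [
        ("allow all, block known bad", BLOCK_KNOWN_BAD, BLOCK_KNOWN_BAD_DEFAULT),
        ("block all, allow known good", ALLOW_KNOWN_GOOD, ALLOW_KNOWN_GOOD_DEFAULT),
    ]:
        print(name, verdicts(rules, default), "slipped through:", unplanned_but_allowed(rules, default))
```

The point of the last function is that under the first policy the list of surprises is never empty for long, and each entry becomes a new rule written after the fact; under the second policy the same list stays empty because the rule set only ever describes what the business is known to do.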
Make sure that the technology supports this. Make sure that deviations are blocked.<br /><br />And on top of that allow for agility.<br /><br />This is not impossible, but it won't be easy. And there won't be turn-key technology solutions that achieve this.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 09:40:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/whack-a-mole">whack-a-mole</category>
      <category domain="http://securityratty.com/tag/whack">whack</category>
      <category domain="http://securityratty.com/tag/whack-a-mole solutions">whack-a-mole solutions</category>
      <category domain="http://securityratty.com/tag/solutions">solutions</category>
      <category domain="http://securityratty.com/tag/block specific">block specific</category>
      <category domain="http://securityratty.com/tag/turn-key technology solutions">turn-key technology solutions</category>
      <category domain="http://securityratty.com/tag/block">block</category>
      <category domain="http://securityratty.com/tag/mole">mole</category>
      <category domain="http://securityratty.com/tag/technology">technology</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/324675468/andy-sees-light.html">Andy sees the light</source>
    </item>
    <item>
      <title><![CDATA[CISSP is here to stay! Sorry, Dre.]]></title>
      <link>http://securityratty.com/article/9607b0cffd1cc62c6c5a23140dc11d9a</link>
      <guid>http://securityratty.com/article/9607b0cffd1cc62c6c5a23140dc11d9a</guid>
      <description><![CDATA[Dre wrote an article in which he made the argument that the CISSP is on its way out. What he really argues is that a &quot;generalist&quot; Information Security position is no longer very important,...]]></description>
      <content:encoded><![CDATA[Dre wrote an article in which he made the argument that the <a href="http://www.tssci-security.com/archives/2008/06/19/rip-cissp/">CISSP is on its way out</a>. What he really argues is that a "generalist" Information Security position is no longer very important; specialisation is the only way to go.<br /><br />I disagree. I am a CISSP and an InfoSec "generalist", but that is not why I disagree.<br /><br />I love it when I read a blog and then read another about a totally different topic that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about <a href="http://feeds.feedburner.com/%7Er/AndyItguy/%7E3/313504123/hello-my-name-is-andy-and-i-attend.html">how many meetings he attends</a>.<br /><br />While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day <span style="font-weight: bold;">not</span> in meetings. And I love it. Every meeting that I attend teaches me more about how the business I work for works. I also give my input and hopefully impress on all the people just how important protecting information is.<br /><br />Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.<br /><br />There is a need for people who can configure security devices, perform Active Directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. 
You want them working on the systems that they know well.<br /><br />You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business, and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.<br /><br />It is my belief that this person is not just important for a large organisation like the one I work for; even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee, but it is important.<br /><br />The person does not have to be a CISSP, but it is a good way to show that they are interested in an InfoSec career.<br /><br />On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some; they are techies and are really good at what they do and they have no wish to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.]]></content:encoded>
      <pubDate>Fri, 20 Jun 2008 07:14:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security position">information security position</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/meetings">meetings</category>
      <category domain="http://securityratty.com/tag/blog entry">blog entry</category>
      <category domain="http://securityratty.com/tag/cissp">cissp</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/infosec career">infosec career</category>
      <category domain="http://securityratty.com/tag/firewall specialist">firewall specialist</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/316167014/cissp-is-here-to-stay-sorry-dre.html">CISSP is here to stay! Sorry, Dre.</source>
    </item>
    <item>
      <title><![CDATA[The Future of Information Security in Two Sentences]]></title>
      <link>http://securityratty.com/article/679e738bf61cb82f7a172c3ba6e9ed28</link>
      <guid>http://securityratty.com/article/679e738bf61cb82f7a172c3ba6e9ed28</guid>
      <description><![CDATA[I just realised how verbose I really am. I have written a few posts about what I think the future of Information Security will be and it seems that I am in total agreement with Gartner....]]></description>
      <content:encoded><![CDATA[I just realised how verbose I really am. I have written <a href="http://securethink.blogspot.com/2008/05/thinking-out-box.html">a</a> <a href="http://securethink.blogspot.com/2008/05/information-centric-security-is-dead.html">few</a> <a href="http://securethink.blogspot.com/2008/06/henry-ford-and-agility-once-you-are.html">posts</a> about what I think the future of Information Security will be, and it seems that I am in total agreement with Gartner. The problem is that it has taken me many posts and much typing to put onto the Internet what Gartner sums up in two sentences:<br /><br />“The next generation data center is adaptive – it will do workloads on the fly,” [<a href="http://www.darkreading.com/document.asp?doc_id=155538">Neil MacDonald, vice president and fellow at Gartner</a>] says. “It will be service-oriented, virtualized, model-driven and contextual. So security has to be, too.”<br /><br />I particularly like the term "model-driven". I have been using "process-centric security" to describe my vision, which I believe is an extension of "info-centric security".]]></content:encoded>
      <pubDate>Fri, 06 Jun 2008 07:09:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/info-centric security">info-centric security</category>
      <category domain="http://securityratty.com/tag/future">future</category>
      <category domain="http://securityratty.com/tag/gartner">gartner</category>
      <category domain="http://securityratty.com/tag/gartner sums">gartner sums</category>
      <category domain="http://securityratty.com/tag/process-centric security">process-centric security</category>
      <category domain="http://securityratty.com/tag/generation data center">generation data center</category>
      <category domain="http://securityratty.com/tag/vice president">vice president</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/306034701/future-of-information-security-in-two.html">The Future of Information Security in Two Sentences</source>
    </item>
    <item>
      <title><![CDATA[Henry Ford and Agility (Once you are secured - whats next?)]]></title>
      <link>http://securityratty.com/article/374a966a12e2afa8394a90c875b96c11</link>
      <guid>http://securityratty.com/article/374a966a12e2afa8394a90c875b96c11</guid>
      <description><![CDATA[Since I read this post by Andy Willingham I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head....]]></description>
      <content:encoded><![CDATA[Since I read <a href="http://andyitguy.blogspot.com/2008/05/you-can-use-any-vendor-you-want-as-long.html">this post by Andy Willingham</a> I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head. Today, I had some time and started going through my blog list and saw <a href="http://www.bloginfosec.com/2008/05/20/moving-beyond-the-cia-triad-the-concept-of-agile-security/">this article by Jeff Lowder</a> and then I knew I just had to write this article.<br /><br />It's amazing how two people can take in the same story and both get similar but different conclusions out of it.<br /><br />Andy basically relates the story of how Henry Ford lost out on market share because he was not prepared to make cars of different colours. He was basically so in the “make it quick and cheap” mindset that he would rather lose out to everyone else than change his beliefs.<br /><br />You can read Andy’s article for his take on the story, but I’m going to relate my take on it.<br /><br />Basically Henry Ford had an idea and it literally changed the world. For better or worse – cars are now cheap because of what he did. He missed out on the next step (making cars of different colours) and lost a lot of market share.<br /><br />But bringing the conversation back to Information Security and IT – computers are now cheap because of efforts by companies such as Microsoft and IBM and Intel to make computers accessible to the man in the street. Of course, in doing so they have made Information Processing (creating information, storing it, working with it, moving it) very messy. Information flows all over and some of it gets lost and falls into the hands of people who shouldn’t have it. This is very similar to the mess of Car Manufacturing that Henry Ford was faced with. 
He then realised that getting rid of the mess and flurry that making a car entails, and formalising the process, would mean that cars could be made quicker. And with better quality.<br /><br />I think that the next step for Information Security is proactively improving business processes so that Information Processing, and hence Business Decision Making, can be done with the minimum amount of “mess” (think maximum amount of CIA).<br /><br />The problem with doing this is that Information Security will start to make the business slower and more restricted as processes are followed.<br /><br />HOWEVER, and this is where Henry Ford went wrong, once the Information Security Nirvana state is achieved (and this is possible) that process can start to expand in ways that were not possible before. This is where the holy grail of ROI starts to show itself.<br /><br />It takes some serious introspection to get to this point – if a business does not know what all its processes are (or should be) then the general feeling is to allow everything. Once it is known what the process should be then it is possible to manage the availability of information, the confidentiality and the integrity. More importantly you should be able to know who does what and what Information they need to do it.<br /><br />We can also then know what the process should be doing and add in the nice-to-haves over time, making the organisation more agile.<br /><br />I guess the whole point of this post is that the fight is not “Information Security vs Agility” but “Knowledge vs. Ignorance”.<br /><br />Henry Ford got to the point where his organisation (at least the manufacturing part of it) was self-aware and everyone knew what their part in the process was. He reached Nirvana but he never took the next step – expanding the process to be more agile.<br /><br />I believe that the race is on now to get our Organisations to the “Nirvana” point by introspection and using Information Security to tie processes down. 
And then to take it one step further by expanding the process and beating competitors.]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 10:04:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/henry ford">henry ford</category>
      <category domain="http://securityratty.com/tag/information security nirvana">information security nirvana</category>
      <category domain="http://securityratty.com/tag/henry ford lost">henry ford lost</category>
      <category domain="http://securityratty.com/tag/processes">processes</category>
      <category domain="http://securityratty.com/tag/tie processes">tie processes</category>
      <category domain="http://securityratty.com/tag/information flows">information flows</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/305355953/henry-ford-and-agility-once-you-are.html">Henry Ford and Agility (Once you are secured - whats next?)</source>
    </item>
    <item>
      <title><![CDATA[Information Centric Security is dead!]]></title>
      <link>http://securityratty.com/article/dde288653b5dc334f4108a1e5ffeb8de</link>
      <guid>http://securityratty.com/article/dde288653b5dc334f4108a1e5ffeb8de</guid>
      <description><![CDATA[Ok,ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with...]]></description>
      <content:encoded><![CDATA[Ok, ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward-thinking Information Security Blogger unless you declare something dead, so I will do that with Info-Centric Security.<br /><br />So, what do I elect to replace this with? Process-centric Security.<br /><br />I think that as we get closer to Information Security Nirvana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voilà, we have all the information (process, standard, information classification, user details, etc.) that we need to properly define and hence secure a process.<br /><br />If this brings back bad memories of flowcharts and the like then maybe, just maybe, flowcharts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thinking of the repercussions. The goal of getting a "Fast Company" and "being more adaptable" and "beating our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.<br /><br />And, by the way, Information Centric Security is not really dead... it's just part of this larger idea, just like IDS is part of IPS.]]></content:encoded>
      <pubDate>Thu, 22 May 2008 02:11:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security blogger">information security blogger</category>
      <category domain="http://securityratty.com/tag/information centric security">information centric security</category>
      <category domain="http://securityratty.com/tag/information security nivana">information security nivana</category>
      <category domain="http://securityratty.com/tag/information classification">information classification</category>
      <category domain="http://securityratty.com/tag/process-centric security">process-centric security</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/dead">dead</category>
      <category domain="http://securityratty.com/tag/define processes">define processes</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/295608709/information-centric-security-is-dead.html">Information Centric Security is dead!</source>
    </item>
    <item>
      <title><![CDATA[Thinking out the box]]></title>
      <link>http://securityratty.com/article/f26421bb792105fa7f82cb42f723bf04</link>
      <guid>http://securityratty.com/article/f26421bb792105fa7f82cb42f723bf04</guid>
      <description><![CDATA[I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years

This will take some time to secure and will take some time to get accepted but this...]]></description>
      <content:encoded><![CDATA[I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years.<br /><br />This will take some time to secure and will take some time to get accepted, but this is (IMHO) coming, so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there.<br /><br />This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be.<br /><br /><strong>Web 1.0</strong><br />This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people.<br /><br /><strong>Web 2.0</strong><br />This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to Web 1.0 thinking. Information is swapped but the format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data.<br /><br /><strong>Web 3.0</strong><br />This is the new buzzword but I think it is merely more extreme Web 2.0. Early examples of this are Yahoo Pipes, Facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. 
I think that the tools have not been developed or have not been properly developed.<br /><br /><strong>Web 4.0</strong><br />Cloud computing. This has been around for a while but it will soon come into its own. Combine Gmail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc. all have their own versions of the above and there will probably be some small niche players too.<br /><br />Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup, and works wherever you are. This is exciting stuff but the assumption is that your data will be safe.<br /><br />This is a bad assumption. This is Information Security's next headache. The problem with this is that, like wireless and portable devices and USBs and the Internet etc. etc., cloud computing will happen. Businesses will <em>need</em> to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc. are already terminally ill, it is just a matter of time...<br /><br />The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network.<br /><br />Of course, cloud computing is a walk in the park compared to what will be next:<br /><br /><strong>Web 5.0</strong><br />This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and BitTorrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-be-published annual results is split up between a Mac in Japan, an iPhone in Brazil, 3 PCs in the US and a Linux server in the UK. It is XORed with Bill Gates's personal phone list and another 6 people have spare copies. 
If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route, bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of each.]]></content:encoded>
      <pubDate>Thu, 22 May 2008 01:50:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information centric security">information centric security</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/manage information">manage information</category>
      <category domain="http://securityratty.com/tag/information security guys">information security guys</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/extreme web">extreme web</category>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/295601049/thinking-out-box.html">Thinking out the box</source>
    </item>
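The Web 5.0 sketch in the post above (data split up, XORed, spare copies on other people's machines, another box picking up when one drops) can be made concrete. The following is an added example, not code from the original post: an n-of-n XOR split, in which every share but one is a fresh random pad, plus replication of each share on several distinct hosts for availability. The host names and the sample document are constructed, and the placement rule (no host ever holds two shares of the same document) is an assumption of this example, not something the post specifies.

```python
"""XOR-split a document across untrusted hosts, with replicas for availability.

Added illustration of the scheme sketched in the post (data split up, XORed,
spare copies, another box picks up when one drops). Not code from the original
page; host names and the sample document are constructed.
"""
import os
from typing import Dict, List, Optional

# Constructed stand-in for the still-to-be-published annual results.
SAMPLE_DOCUMENT = b"FY results: revenue up 12%. Embargoed until Monday 08:00."


def _xor(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(x, y))


def split_xor(document: bytes, share_count: int) -> List[bytes]:
    """Split `document` into `share_count` shares that XOR back to it.

    Every share but the last is a fresh random pad; the last is the document
    XORed with all the pads. Any set of fewer than share_count shares is
    uniformly random, so a host holding one share (or an attacker who has
    collected all but one) learns nothing about the document.
    """
    if not share_count >= 2:
        raise ValueError("need at least two shares")
    pads = [os.urandom(len(document)) for _ in range(share_count - 1)]
    last = document
    for pad in pads:
        last = _xor(last, pad)
    return pads + [last]


def recover_xor(shares: List[bytes]) -> bytes:
    """XOR all shares together; correct only when every share is present."""
    result = bytes(len(shares[0]))
    for share in shares:
        result = _xor(result, share)
    return result


def place_shares(shares: List[bytes], hosts: List[str], replicas: int) -> Dict[str, Dict[int, bytes]]:
    """Give each share to `replicas` distinct hosts.

    Hosts are consumed in order, so no host ever holds two different shares
    of the same document: the replicas that buy availability must never let a
    single host accumulate enough shares to reconstruct on its own.
    """
    if not len(hosts) >= len(shares) * replicas:
        raise ValueError("not enough distinct hosts to keep shares apart")
    placement: Dict[str, Dict[int, bytes]] = {host: {} for host in hosts}
    slot = 0
    for index, share in enumerate(shares):
        for _ in range(replicas):
            placement[hosts[slot]][index] = share
            slot += 1
    return placement


def fetch_and_recover(placement: Dict[str, Dict[int, bytes]], online: List[str],
                      share_count: int) -> Optional[bytes]:
    """Collect one copy of every share from reachable hosts and reconstruct.

    Returns None when some share has no surviving copy: that is the
    availability failure the spare copies are meant to prevent.
    """
    collected: Dict[int, bytes] = {}
    for host in online:
        for index, share in placement.get(host, {}).items():
            collected.setdefault(index, share)
    if len(collected) != share_count:
        return None
    return recover_xor([collected[i] for i in range(share_count)])


def demo() -> dict:
    # Constructed host names echoing the post's scenario.
    hosts = ["mac-jp", "iphone-br", "pc-us-1", "pc-us-2", "pc-us-3",
             "linux-uk", "srv-na", "pc-cn-1", "pc-cn-2"]
    share_count, replicas = 3, 3
    shares = split_xor(SAMPLE_DOCUMENT, share_count)
    placement = place_shares(shares, hosts, replicas)

    # Confidentiality: all but one share together still look like noise.
    partial = recover_xor(shares[:-1])

    # Availability: the UK box drops off; a spare copy of its share is used.
    online = [h for h in hosts if h != "linux-uk"]
    after_one_outage = fetch_and_recover(placement, online, share_count)

    # Lose every holder of share 0 and no amount of XOR brings it back.
    holders_of_share0 = {h for h, held in placement.items() if 0 in held}
    survivors = [h for h in hosts if h not in holders_of_share0]
    after_losing_all_copies = fetch_and_recover(placement, survivors, share_count)

    return {
        "partial_equals_document": partial == SAMPLE_DOCUMENT,
        "after_one_outage": after_one_outage,
        "after_losing_all_copies": after_losing_all_copies,
        "shares_per_host": max(len(held) for held in placement.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the post's picture glosses over show up in the code. Confidentiality comes entirely from the pads being fresh random bytes: a host holding one share, or an attacker who has gathered all but one, sees only noise, but reusing a pad for a second document lets anyone with both shares XOR them and recover the XOR of the two documents. Availability comes from replicas, and every replica is one more place a share can be collected from, which is why the placement keeps different shares of one document on different hosts, and why, once every copy of a single share is gone, nothing can be rebuilt. Encrypting each share under a key the owner keeps, as the post's last sentence demands, is the layer that belongs on top of this.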
    <item>
      <title><![CDATA[Because Hackers Don't Care... (Why Metrics Don't Work)]]></title>
      <link>http://securityratty.com/article/d554c29d4f8e987d1ead6f9a8532dc65</link>
      <guid>http://securityratty.com/article/d554c29d4f8e987d1ead6f9a8532dc65</guid>
      <description><![CDATA[Let's start with some statistics

99% of all workstations with up-to-date antivirus
Antivirus blocks over 99% of all malware

That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom...]]></description>
      <content:encoded><![CDATA[Let's start with some statistics:<br /><br />99% of all workstations with up-to-date antivirus.<br />Antivirus blocks over 99% of all malware.<br /><br />That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom and to put on the wall. But, yet, a company I know (not the one I work for) still managed to get a virus which brought about some painful downtime.<br /><br />The virus was one of the 1% that the antivirus doesn't block and it spread through the organisation like wildfire. Essentially the saving grace was that it infected a small part of the network, brought that down and didn't spread from there. Luck. It was also non-destructive other than the network downtime. Luck.<br /><br />The metrics lied.<br /><br />You could say that there was residual risk but it really looks quite small. What is 1% between friends? But that 1% is precisely what any hacker (or virus writer etc.) worth his salt is targeting.<br /><br />So, where to from here?<br /><br />I won't throw the baby out with the bathwater. 99% of PCs with antivirus is certainly safer than 50% or 0%. 99% of PCs fully patched is safer than 70%, or even than 100% of PCs almost fully patched. But 99% of PCs with antivirus is not a guarantee that no virus will find its way to destroying your network. It is important that your boss(es) know this, and more important still that <strong>you</strong> know this.<br /><br />And have plans in place for when the 1% risk becomes reality.]]></content:encoded>
      <pubDate>Tue, 29 Apr 2008 09:23:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/antivirus blocks">antivirus blocks</category>
      <category domain="http://securityratty.com/tag/antivirus">antivirus</category>
      <category domain="http://securityratty.com/tag/virus writer">virus writer</category>
      <category domain="http://securityratty.com/tag/virus">virus</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network downtime">network downtime</category>
      <category domain="http://securityratty.com/tag/pcs">pcs</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/residual risk">residual risk</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/280103366/because-hackers-dont-care-why-metrics.html">Because Hackers Don't Care... (Why Metrics Don't Work)</source>
    </item>
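The two 99% figures in the post above are worth running through as arithmetic, because they compound rather than overlap: a machine with no up-to-date antivirus slips everything, the protected machines still miss 1%, so the per-encounter slip rate is about 2% rather than 1%, and across a fleet exposed to many samples the chance that nothing gets through drops towards zero. The following is an added example, not part of the original post. The fleet size and the number of encounters per workstation are constructed assumptions, and the model treats encounters as independent, which a virus that spreads from one infected machine to its neighbours (the post's case) violates in the attacker's favour.

```python
"""Residual risk behind '99% of workstations have AV' and 'AV blocks 99%'.

Added worked example for the metrics post; not code from the original page.
Fleet size and encounters per workstation are constructed assumptions.
"""
import math
from typing import Dict, Optional


def per_encounter_slip_rate(av_coverage: float, av_block_rate: float) -> float:
    """Probability that one malware encounter on a random workstation is not
    blocked: either the machine has no up-to-date AV, or it has AV and the AV
    misses. The two 99% figures therefore compound: 0.01 + 0.99 * 0.01.
    """
    for name, value in (("av_coverage", av_coverage), ("av_block_rate", av_block_rate)):
        if not (value >= 0.0 and 1.0 >= value):
            raise ValueError(f"{name} must be a fraction between 0 and 1")
    return (1.0 - av_coverage) + av_coverage * (1.0 - av_block_rate)


def probability_of_any_infection(slip_rate: float, encounters: int) -> float:
    """1 - (1 - p)^n: chance that at least one of n independent encounters
    gets through. Independence is an assumption of this model; self-propagating
    malware makes the real figure worse, not better.
    """
    return 1.0 - (1.0 - slip_rate) ** encounters


def encounters_until(slip_rate: float, target_probability: float) -> Optional[int]:
    """Smallest number of encounters at which P(at least one infection)
    reaches target_probability. None when nothing ever slips through.
    """
    if not (target_probability > 0.0 and 1.0 > target_probability):
        raise ValueError("target_probability must be strictly between 0 and 1")
    if slip_rate == 0.0:
        return None
    if slip_rate >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target_probability) / math.log(1.0 - slip_rate))


def residual_risk_report(fleet_size: int, encounters_per_workstation: int,
                         av_coverage: float, av_block_rate: float) -> Dict[str, object]:
    """The numbers a metrics slide leaves out, for a fleet over one period."""
    slip = per_encounter_slip_rate(av_coverage, av_block_rate)
    encounters = fleet_size * encounters_per_workstation
    return {
        "workstations_without_av": round(fleet_size * (1.0 - av_coverage)),
        "per_encounter_slip_rate": slip,
        "expected_infections": encounters * slip,
        "probability_of_any_infection": probability_of_any_infection(slip, encounters),
        "encounters_until_coin_flip": encounters_until(slip, 0.5),
    }


if __name__ == "__main__":
    # Constructed: 1000 workstations, one malware encounter each, the post's 99%s.
    for key, value in residual_risk_report(1000, 1, 0.99, 0.99).items():
        print(f"{key}: {value}")
```

With the constructed fleet of 1000 workstations and a single encounter each, the report says ten machines have no antivirus at all, the per-encounter slip rate is 1.99%, the expected number of unblocked infections is about twenty, and 35 encounters anywhere in the fleet are enough to make at least one infection a coin flip. That expected count, rather than the 99% block rate, is the figure to put in front of the IT Director, and the plan the post asks for is what has to absorb it.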
  </channel>
</rss>
