[SecurityRatty] tag: echo

Happy Birthday Toddler - - CMDB just turned 2

Tue, 24 Jun 2008 16:24:00 +0000

I participated in a very interesting Gartner IT Operations Management symposium session titled “Ensuring your CMDB Success: Ready, Set, Go!”

Research Director Patricia Adams and VP and Distinguished Analyst Ronnie Colville presented this thought provoking session. It seemed to echo what ScienceLogic has been talking about regarding our thinking around the practical ways to efficiently accomplish key tactical gains against your Configuration Management Data Base (CMDB) initiatives.

They started out with, what are the prerequisites to a successful CMDB implementation?

Garbage in = Garbage out

There is no miracle occurring in all of these new fancy framework tools; these complex databases are only as good as the trusted source of information inserted. You have to put a bunch of elbow grease into figuring out what to actually put in the CMDB.

So how do you define the metrics?

First you need to know where you are starting from – you will need to baseline the environment. Then baseline what your state is 3, 6, and 12 months after installing CMDB.

Next: break metrics down to 2 strategic areas:

Strategic
1. Operational Costs
2. Application performance
3. Compliance - internal auditors doing analysis – keep track of their findings and incorporate into your elements for data gathering
Operational Metrics
1. Changes unplanned (typically 80% unplanned or emergency)
2. Changes withdrawn (how many changes were withdrawn / roll back)
3. Application downtime (what did it cost from app being down)
4. Server downtime (before and after)
5. Tickets generated (before and after)

Having the data to show how you are performing makes it much easier to show why you need more budget to improve performance in specific areas. Having metrics allows IT managers to do marketing back to the business units about the value you are delivering.

Gartner said that from their Enterprise customers they often hear “I haven’t quantified the value yet”…That is not the right answer.

During the session, Gartner did a real-time wireless poll of the audience with some interesting questions:

What are the tools to build and populate your CMDB with IT services?

Focus of CMDB?

Inventory 20%
IT service relationships 68%
Other 6%
Don’t know 6%

Interesting to note, a very consistent set of information from year to year polling which equals a mature understanding of the CMDB’s role for analysis and decision process.

Have you heard of ITIL V.2 & V.3 and considered how it impacts this discussion?

ITIL is a process framework, it is not a technology automation framework. Just because something is pink ITIL certified does not mean that it will help at all with the automation of the process framework.

Gartner quantified the market as being about 2 years old this month. So the point here is we are in early days of this technology. The way they see it, the Large Enterprise/Framework vendors selling you is like a lock-in, but the interesting thing about CMDB is that the tools that you need to integrate and federate were only recently acquired, so the entire framework vendor integration and alignment story is mostly incomplete.

Gartner’s Evolution of the CMDB deployment

On average it takes 12 – 18 months to get up and running.

Through 2011 enterprise should recognize that any of the CMDB tools bought today may require significant upgrades to offer near real time service views to support decision support analytics.

Several items from this presentation jump out at me:

IT Organizations need to deploy tools that will help to automate the continuous collection of IT asset inventory, configuration and business impact analysis. That is a big gap that exists in the marketplace today… the speed at which information is collected and updated into the CMDB.
Investing too much into this immature market before the official standards are set and then adopted by the industry (estimated 18 months after final adoption) is quite risky.

The conclusion that I made from this presentation is that you are better off with our 80 – 20 rule around CMDB’s. Use a tool that will collect 80% of what you need to operate the business in 20% of the time it takes to deploy these heavy, less than automated framework tools!

ShareThis

Manuals (CIA and NGO)

Wed, 07 May 2008 12:57:00 +0000

Today is midweek manual day, and here's a quick selection of interesting manuals to read.

At the top of the list is the CIA's Psychology of Intelligence Analysis by Richards J. Heuer. This is a must read if you're into critical thinking and the inner game of security. It covers information gathering, analysis and the various biases that can creep in and influence decisions. The content presented in this manual should be taught in every introductory humanitarian security course.

Next up, Charlie writes in with some links to a few humanitarian security manuals and resources:

http://www.frontlinedefenders.org/manuals/protection

http://www.frontlinedefenders.org/manuals

http://www.aidworkers.net/?q=advice/security

http://ec.europa.eu/echo/evaluation/security_review_en.htm

(A few of these may seem familiar, but it's good to mention again for new blog readers.)

InfoSec 2008: Key takeaways from Europe's biggest security event

Wed, 30 Apr 2008 04:43:01 +0000

Infosecurity Europe is the continent's premier dedicated information security event. InfoSec, held the 22nd-24th of April at London's Grand Hall, Olympia, saw some 300 security vendors exhibiting and more than 12,500 security folks visiting. Next year will be at the bigger Earls Court. Last year had fewer attendees, but the benefit of a clear key topic: data security.

So, what was the buzz about this time around? Well, for starters there was no single topic that stood out, but instead InfoSec 2008 was a complex smorgasbord of all past and present security and risk management themes. Certainly, deperimeterization, endpoint protection, data-driven security, and compliance strategies were very visible, but at the same time many network security solutions and antivirus stuff were pushed heavily. Some of the traditional security heavyweights were, you guessed it, widely visible and audible and included the likes of McAfee, Sophos, Kaspersky, Juniper Networks, etc.

Many of the attendees and vendor representatives I talked to seemed to echo the notion that the dynamics of the market are changing. As security managers are overwhelmed by complexity and the daily grind of updating, patching, and fixing holes - many tend to retreat to something of a "wait and see" mode. Yet people begin to acknowledge that technology driven, perimeter-based security is largely a thing of the past and either gets operationalized or outsourced. Most people in the industry begin to see the early contours of a new security and risk paradigm. Visionary folks see this promised land of information security and risk management being in the green valley of business-driven risk management, where data, identity, policy, and compliance are crucial cities (elements).

Which of these cities (elements) will be biggest and most important almost entirely depends on where you are coming from as a vendor and what your primary differentiator is in the marketplace (nothing new here...). Sure, we will see more unified solutions and suites that contain most established security features. Sure, we will have small start-ups addressing the latest threats and more tricky challenges - and then we will see the vendor Darwinism that we are accustomed to.

But for security professionals a key challenge lies in understanding that there is a paradigm shift happening outside of the technology/vendor realm which will require out-of-the-box thinking for many of us. There are a few steps you can take to prepare yourself, though: First off, take a crash course in business speak (as opposed to the tech talk we are all accustomed to), secondly, get your corporate ducks in a row by forming alliances and partnerships with other departments (e.g. legal, HR, key business lines) that you haven't worked with on a regular basis before; third: articulate the business benefits of addressing new security challenges (and be easy on the scare tactics here), and finally introduce technology not as the be-all-end-all but rather as the linking layer between people and processes which are what matter most in any organization. If you then learn how to demonstrate that a new data security product or a fresh start on identity management is going to help your company add to the bottom line - then you are on the right track to the nirvana of security and risk management.

RSA 2008 Keynote: John Thompson

Wed, 09 Apr 2008 19:02:00 +0000

Following RSA President Art Coviello on the keynotes this morning was John Thompson, CEO of Symantec. The topic of the keynote was "Information Centric Security: The Next Wave."

On one hand, this was one of the more interesting sessions of the morning, because John brought up his Research Labs VP, Steve Trilling, who shared lots of interesting security factoids from their research:

70% of malware during the latter half of 2007 stole PII
Symantec believes we may have reached an inflection point where more malicious code is created daily than non-malicious code
The bad guys have all the elements of a full scale economy, including specialized job roles and a supply and demand market dynamic

In the underground economy:

Stolen e-Bay accounts sell for $8
Bank can accounts sell for $1000
Credit card number can go for as little as $0.40
World-of-Warcraft level 70 accounts go for $4 and up

This last point was interesting - a WoW account can be worth 100x that of a valid credit card number. As was said in the keynote "even in virtual worlds, there is real money for hackers."

On the other hand, there wasn't a lot of new information discussed concerning the title - information centric security. Mr. Thompson did say that we should start taking a more information-centric approach to security, or as he paraphrased it, "take a risk-based approach to protecting data." But is that really a new approach?

Most of the security professionals (not security technologists or security product folks, necessarily) have advocated a risk-based approach to protecting data for as long as I can remember. It is still a good idea, don't get me wrong, but I don't see it as the "next wave".

One other call to action which John Thompson made was the call for a national approach to security and privacy disclosure laws. He pointed out that, in addition the well-known California law, 40 other state-level bills are currently being considered. In my opinion, should they pass, it would make it really tough for companies to remain compliant. I echo his support of the need for a more national solution.

Regards ~ Jeff

X-posted to: http://blogs.technet.com/security and http://www.microsoft.com/security/rsa2008/default.mspx

Full disk encryption for all!

Wed, 05 Mar 2008 07:32:00 +0000

To echo Bruce Schneier's comments, it's important to encrypt the data on your laptops. Yes, the laptops get stolen, they get lost and your private data is on them. So if you scramble up that data (using an encryption product), then you are somewhat insulating yourself from having that data stolen.

A new attack was introduced by Ed Felten and his band of merry Princeton grad students a week ago, which showed how to steal the encryption key and gain access to hard drive data, even if the data is encrypted. Let's just say, this is not an attack that most of you need to worry about. You are still much better off encrypting your data, than not encrypting your data.

I personally use the FileVault capability within Mac OS X. There are a bunch of 3rd party utilities, but FileVault works fine for me. I don't see any reason to make it harder than it needs to be.

Five-year-old wanders into bank branch after-hours

Wed, 06 Feb 2008 07:24:03 +0000

Technorati Tag: Security Breach

Date Reported:
2/6/08

Organization:
HSBC Group (UK)

Contractor/Consultant/Branch:
Market Place, Easingwold

Victims:
Potentially customers, but no confirmed loss or theft occurred

Number Affected:
Unknown

Types of Data:
Potentially customer banking records

Breach Description:
The HSBC branch in Easingwold was found unlocked during non-business hours on Saturday, February 2nd. A five-year-old boy wandered into the bank while his father was using the cash machine. The bank was closed and unattended since 4:30 the previous day and no alarms were sounded.

Reference URL:
The Northern Echo online story
The Press online story

Report Credit:
The Northern Echo

Response:
From the online sources cited above:

Little Oliver was at the HSBC with mum, Alison, and dad Daniel, when the family visited the cash machine at Easingwold, North Yorkshire, on Saturday afternoon.

Mrs Pettigrew said: "We usually go into the bank and so Oliver just pushed the door and wandered in.

"I was at the cash machine and it was Oliver's dad who started saying, 'where's Oliver? where's Oliver?' "Then Oliver appeared again. He and his dad ended up wandering around the place, which was totally deserted. There were computers everywhere and there was no alarms sounding.

The HSBC tried to downplay the breach saying the emergency services would have been summoned automatically if someone stepped inside.
[Evan] This did not appear to have happened. According to the news story, emergency services were not even aware of this physical breach until notified by the Pettigrews.

However North Yorkshire Police have confirmed that the only call received was from Daniel Pettigrew.

The bank had been closed for business at 4.30pm on Friday and Oliver opened the door at lunchtime on Saturday.

A spokeswoman for the bank said there had been a malfunction with the catch on the door.
[Evan] A malfunction is not an acceptable reason for a breach. System malfunctions need to be taken into account when designing secure systems (physical and technical), especially at a bank.

"When I realised the bank was empty and the service times said Monday to Friday I phoned 999."

He and Oliver also walked right up to the door of the vault where money is kept.
[Evan] It is important to note that they walked up to the door, not THROUGH the door. This would be a more sensational story if the vault were open too.

There were computers and walkie talkies lying around in there. Anyone could have stolen them.

"The hard drives were in there too. In the current climate it makes you wonder if anyone could have got the database with bank customers' details on it.
[Evan] There is chatter that HSBC employs centralized and secure data storage, meaning that there should be no sensitive information on the client computers. This may be true, but often there is much more information on these computers than people realize. I would guess that there is also a substantial amount of sensitive paperwork in the branch.

The Pettigrews stood guard at the bank until police officers arrived.

A spokesman for HSBC, which made profits of about £11bn in 2006, said there was no danger to bank customers.
[Evan] Not so. There WAS a danger to bank customers. It may not exist in this instance anymore, but the danger was there.

She said: "Basically, what happened was there was a malfunction with the door catch. Once the door was pushed open it would have alerted the police anyway.
[Evan] This was obviously not so. Malfunctions must be detected at the time of the occurrence.

She said: "There would have been no danger to customers in terms of cash or information being stolen. Obviously we don't want security issues but sometimes these things happen."
[Evan] Again, I disagree.

From Simon Davies, director of Privacy International:

"extraordinary state of affairs" which could have exposed thousands of customers to a "grave risk"

"I cannot believe that a bank would not have procedures in place to make sure all exits are sealed at close of business."

"This is a situation I have never encountered before. It is a failure on multiple levels, on the human level and on the technical level and what it does is expose thousands of customers to a grave risk."

"It could be that the computers are part of a central control system and are password protected and contain no information locally, in which case you don't have the same level of threat."

"But if they are just password protected then someone could have gained access to the whole central resource of data."

Commentary:
I added this breach to The Breach Blog because the potential for lost data confidentiality and intergrity was real and present. There appear to have been no customer-related victims, which is a very good thing. HSBC and/or their security team should have detected the door malfunction well before a five-year-old did.

How many times have we used a cash machine at the bank after-hours? Most of us just assume that the bank doors would be locked. Even if the door were unlocked, most of us would assume that alarms would go off as soon as I opened it.

I don't suggest that you drive from bank to bank looking for unlocked doors because this might get you in a lot of trouble.

Past Breaches:
Unknown