[SecurityRatty] tag: too-powerful

The "A"

Mon, 01 Dec 2008 10:57:00 +0000

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvo's and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, lets consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that it where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they puting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but its the ones that are pushing information out of your organisation that are sneaky enough not to have sgnatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targetted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but most everything runs on port 80 anyhow so the Firewall should be configured but it doesn't kep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.

Lessons from Mumbai

Mon, 01 Dec 2008 05:03:41 +0000

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:

Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.
At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.
Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.
Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Evenmetal detectors and threat warnings didn't do any good:

"If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."
He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

"They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories and not analysis. I don't mean to be sympathetic; this tendency is human and these deaths are really tragic. But eighteen armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

SOA Security in Real Life

Sun, 30 Nov 2008 14:29:17 +0000

I started off my last article on SOA Security this way:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move.
Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).

The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.

Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.

For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.

Its not just about a strong password any more

Fri, 28 Nov 2008 13:30:52 +0000

Make sure, as discussed in this great article, that you have a hard to guess login name.

clipped from www.pcworld.com

Logins Are Half Your Access

Thieves need the login and password to access your accounts, so make the login difficult to guess, too. Avoid a simple, name-based method; add extra numbers, letters, or an ID that’s entirely different. Ideally, use unique logins (and passwords) for each service to isolate any exposure, should someone breach an account. (At the very least, keep unique logins and passwords for your most sensitive accounts, such as online banking.) While you may have to tell a customer service representative your login on occasion, don’t share the information without need. And never give anyone a password.

Friday Squid Blogging: Cooking a Humboldt Squid

Fri, 28 Nov 2008 13:09:02 +0000

I thought that large squid were too chewy and not very tasty, but this person cooked a 30-pound Humboldt squid.

Protect Your Home With Laserbeams

Wed, 26 Nov 2008 19:50:02 +0000

This video will teach you how to turn those cheap mini-lasers into a security system that keeps out burglars and warns you of intruders. It's easy to make, and cheap too.

New DHS Head Understands Security

Wed, 26 Nov 2008 09:43:33 +0000

This quote impresses me:

Gov. Janet Napolitano, D-Ariz., is smashing the idea of a border wall, stating it would be too expensive, take too long to construct, and be ineffective once completed.
"You show me a 50-foot wall and I'll show you a 51-foot ladder at the border. That's the way the border works," Napolitano told the Associated Press.

Instead of a wall, she said funds would be better utilized on beefing up Border Patrol manpower, technology sensors and unmanned aerial vehicles.

I am cautiously optimistic.

LinkedIn Updates Privacy Policywith Only a Brief Notice to Users

Wed, 26 Nov 2008 09:08:00 +0000

If you haven’t logged in to your linked in account in a while you’ll be greeted with a quick notice next time:

“We’ve updated! On November 14, 2008, LinkedIn published revised versions of our Privacy Policy and our User Agreement. Using LinkedIn means you consent to these policies, so please take a few minutes to read and understand them.”

However, if you log out and back, the notice will be gone– so if you weren’t looking too closely, you might not even realize you’ve just consented.

Rebecca Herold at Realtime IT Compliance looked into this and found that the FTC doesn’t much like this kind of implicit privacy changes. Instead, companies should be getting explicit consent, also called “Affirmative express consent,” says the FTC:

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.

This would imply that if LinkedIn is updating its privacy policy with such a minimal notice, it may not have changed in any way “materially different” from before. But if it is different, they might face a bit of trouble.

The Bastards Made Me Do It

Tue, 25 Nov 2008 13:00:00 +0000

Ok, Ok, Ok!!!! The bot will still post :-) but I am on Twitter now too. I read you!

Blurring the Lines Between Managed Service Provider and Cloud Computing

Tue, 25 Nov 2008 11:20:47 +0000

VMware made big announcements at their VMworld conference back in September, talking about adding on a slew of virtualization management functionality to a revamped vCenter and extending into the “cloud” with vCloud services. Like most people, I had a lot of skepticism about what vCloud really meant; was this just more hype trying to take advantage of the cloud computing buzz? Certainly CEO Paul Maritz came from this world and virtualization itself (and especially vMotion) is an enabling technology for cloud computing. But how ready were VMware and its ecosystem of partner vendors to actually fulfill on the promise?

So I was very interested when I heard that Opus Interactive, a customer of ours, had “joined the VMware vCloud initiative as a VMware Service Provider”. I talked to Eric Hulbert, CTO of Opus Interactive, to get some details directly from the source.

Eric shared our own caution about making “cloud-ready” announcements. There have simply been too many companies talking about cloud solutions that lack any substance – usually based on definitions of cloud computing that are hazy or just too broad. The backlash against the cloud hype is often quite justified. But in Opus’ case, there are real components that if they don’t add up to a “full” cloud computing solution just yet, are well on their way – and enabled by VMware’s program for service providers (VSPP).

Opus Interactive is serious about virtualization, which is an indispensable tool in their stated goal of creating a high-density micro-data center with the smallest footprint possible. They are 100% wind-powered and have already virtualized much of their data center, reducing the amount of hardware necessary to run the business and driving down costs to produce even more competitive advantage in a crowded marketplace.

VSPP for vCloud provides a rental model of VMware licenses – e.g., for Enterprise ESX or VDI. VMware Service Providers report on their customers’ virtual machines (vm) and pay only for what is actually used. This model lets Opus Interactive quickly spin up a vm to get a new customer up and running in about an hour and stay very cost competitive at the same time; Opus offers their vClustr entry-level virtual server for only $99.

Cost-effective, rapidly scalable computing “on-demand” based on shared resources, managed by “expert” third-parties, enabled by virtualization technology and pay-per-use vm licenses. Cloud computing? Instead of thinking about a single definition of cloud computing, perhaps it’s more relevant as the market matures to think about a continuum of cloud computing. And by that definition, Opus Interactive is providing cloud services, enabled by VMware’s VSP program. Next on the schedule, automated provisioning and perhaps in the future, API’s that make it even easier for application developers to test and deploy apps on Opus Interactive’s cloud platform – which, by the way, uses EM7 for its core management solution.