Thursday, July 17, 2008

The Perfect Storm

Its time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, that the community has been quite lazy and have just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that have credit card information have been the ones that were most under attack but those that don't handle credit card information have largely been ignored by hackers except for some members of staff who have been caught out but then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information ?

Adrian Lane from Securosis thinks that the falling prices in the underground economy is humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.

Posted by Allen Baranov, CISSP at 9:15 AM 1 comments Links to this post

Labels: , , , , ,

Thursday, July 3, 2008

Virtualisation - Welcome Back to the 90s.

I've been thinking about this for a while but this blog post by Pascal Meunier pretty much sums up my feelings about Virtualisation.

Back in the 90s when the Internet was new-ish and just becoming important all the machines running it were Unix boxes. (Maybe not all, but most). And a 386 would typically run DNS, sendmail, telnet (shell accounts), ftp and apache. All on the same box.

Security wasn't so tight in those days but it was usually good enough and the box could happily do what it needed to do.

Along came Microsoft and produced the idea of "one box - one service". You can't seriously consider running your domain controller as a file server. What are you thinking? And to put mail on the same box? No way. In fact, your SQL server is running under significant load, chain a few together.

And companies would buy into this concept. Microsoft were happy - more licenses. All the PC guys were happy too - more money. More complexity - more jobs.

Essentially what has happened now is that Moores Law has kicked in and has caught up with the complexity of Microsoft's software to the point where one server box can run multiple applications on it. Imagine that. But Microsoft has planted the one-service-one-box concept so well that it is now part of IT law. File server and mail server on one box? But wait...whats this button over here....? Vir-vir-virtualisation.

And now we have the tools to allow us to once again run multiple applications on one server without having to admit that one-application-one-server never made sense.

To be fair - Virtualisation does have other advantages - running multiple Operating Systems for example, being able to easily move a virtual machine from one box to another (without configuration issues), being able to make a snapshot backup of a system.

But running multiple applications on one box is not a huge win.

Posted by Allen Baranov, CISSP at 8:37 AM 2 comments Links to this post

Labels: , , , ,

Tuesday, July 1, 2008

Andy sees the light

As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations.

He has found an example of what Bruce Shneier calls movie plot security. What is also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong ... we put in something different. Ad infinitum.

(The name "whack a mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)

This is a solution but its not the best solution. And in case you think that it is a terrible solution think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc etc are... point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.

The one technology in the above list that is unfairly listed is Firewall. Best practices state that you should block everything and enable only what you need. But in the past Firewalls were generally configured to block only what was bad and to open up everything else. Then they started to "by-default" block everything in and allow everything out. We have learned our lesson with Firewalls.

Antivirus too is starting to move from a "detect and delete the following..." to a "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."

Note the move from "allow all and block specific known bad" to "block all and allow specific known good".

I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.

And on top of that allow for agility.

This is not impossible but it won't be easy. But there won't be turn-key technology solutions to be able to achieve this.

Posted by Allen Baranov, CISSP at 3:40 PM 1 comments Links to this post

Friday, June 20, 2008

CISSP is here to stay! Sorry, Dre.

Dre wrote an article in which he put the argument down that the CISSP is on its way out. What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go.

I disagree. I am a CISSP and an InfoSec "generalist' but that is not why I disagree.

I love it when I read a blog and then read another about a totally different topic but that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about how many meetings he attends.

While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day not in meetings. And I love it. Every meeting that I attend makes me more educated by how the business I work for - works. I also give my input and hopefully touch on all the people just how important protecting information is.

Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.

There is a need for people who can configure security devices, perform active directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. You want them working on the systems that they know well.

You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.

It is my belief that this person is not just important for a large organisation like the one I work for but even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee but it is important.

The person does not have to be a CISSP but it is a good way to show that they are interested in an InfoSec career.

On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some, they are techies and are really good at what they do and they have no want to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.

Posted by Allen Baranov, CISSP at 1:14 PM 1 comments Links to this post

Friday, June 6, 2008

The Future of Information Security in Two Sentences

I just realised how verbose I really am. I have written a few posts about what I think the future of Information Security will be in the future and it seems that I am in total agreement with Gartner. The problem is that it has taken me many posts and much typing to put onto the Internet what Gartner sums up in two sentences:

“The next generation data center is adaptive – it will do workloads on the fly,” [Neil MacDonald, vice president and fellow at Gartner] says. “It will be service-oriented, virtualized, model-driven and contextual. So security has to be, too.”

I particularly like the term "model-driven". I have been using "process-centric security" to describe my vision which I believe is an extension of "info-centric security".

Posted by Allen Baranov, CISSP at 1:09 PM 0 comments Links to this post

Labels: , , , ,

Thursday, June 5, 2008

Henry Ford and Agility (Once you are secured - whats next?)

Since I read this post by Andy Willingham I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head. Today, I had some time and started going through my blog list and saw this article by Jeff Lowder and then I knew I just had to write this article.

Its amazing how two people can take in the same story and both get similar but different conclusions out of the story.

Andy basically relates the story of how Henry Ford lost out on market share because he was not prepared to make cars of different colours. He was basically so in the “make it quick and cheap” mindset that he would rather lose out to everyone else than change his beliefs.

You can read Andy’s article for his take on the story but I’m going to relate my take on the story.

Basically Henry Ford had an idea and it literally changed the world. For better or worse – cars are now cheap because of what he did. He missed out on the next step (making cars of different colours) and lost a lot of market share.

But bringing the conversation back to Information Security and IT – computers are now cheap because of efforts by companies such as Microsoft and IBM and Intel to make computers accessible to the man in the street. Of course, in doing so they have made Information Processing (creating information, storing it, working with it, moving it) very messy. Information flows all over and some of it gets lost and falls into the hands of people who shouldn’t have it. This is very similar to the mess of Car Manufacturing that Henry Ford was faced with. He then realised that getting rid of the mess and flurry that making a car entails and formalising the process would mean that cars could be made quicker. And with better quality.

I think that the next step for Information Security is proactively improving business processes so that Information Processing and hence Business Decision Making can be done with the minimum amount of “mess” (think maximum amount of CIA).

The problem with doing this is that Information Security will start to make the business slower and more restricted as processes are followed.

HOWEVER, and this is where Henry Ford went wrong, once the Information Security Nirvana state is achieved (and this is possible) that process can start to expand in ways that were not possible before. This is where the holy grail of ROI starts to show itself.

It takes some serious introspection to get to this point – if a business does not know what all its processes are (or should be) then the general feeling is to allow everything. Once it is known what the process should be then it is possible to manage the availability of information, the confidentiality and the integrity. More importantly you should be able to know who does what and what Information they need to do it.

We can also then know what the process should be doing and add in the nice-to-haves over time making the organisation more agile.

I guess the whole point of this post is that the fight is not “Information Security vs Ability” but “Knowledge vs. Ignorance”.

Henry Ford got to the point where his organisation (at least the manufacturing part of it) was self-aware and everyone knew what their part in the process was. He reached Nirvana but he never took the next step – expanding the process to be more agile.

I believe that the race is on now to get our Organisations to the “Nivana” point by introspection and using Information Security to tie processes down. And then to take it one step further by expanding the process and beating competitors.

Posted by Allen Baranov, CISSP at 4:04 PM 0 comments Links to this post

Labels: , , , , , ,

Thursday, May 22, 2008

Information Centric Security is dead!

Ok,ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with Info-Centric Security.

So, what do I elect to replace this with? Process-centric Security.

I think that as we get closer to Information Security Nivana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila we have all the information (process, standard, information classification, user details, etc) that we need to properly define and hence secure a process.

If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thining of the repurcussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.

And, by the way, Information Centric Security is not really dead... its just part of this larger idea, just like IDS is part of IPS.

Posted by Allen Baranov, CISSP at 8:11 AM 0 comments Links to this post

Labels: ,

Subscribe to: Posts (Atom)