Wednesday, December 31, 2008

Happy 2009

In what will most likely be my last posting for 2008, here is a bit of advice for all.

I read somewhere that news is never really all that useful. It's interesting. But it's not useful. The stuff that you need to know about to go about your daily life is not going to make news.

To get some more perspective on this, I highly recommend that you visit The Onion online newspaper and browse a bit especially at the "Area" reports. (It is humour and is intended for 18+)

One of the interesting news stories of 2008 that I can think of is the Dan Kaminsky DNS issue that made headlines for all sorts of reasons. DLP made headlines. TJX made headlines.

What is more interesting is what didn't.

Here are some bits of news that you won't see:

"Company patches all servers"
"Awareness given at Company. Stronger passwords result"
"Good user management led to fewer options for hackers"
"Antivirus updates led to viruses being blocked"

What did make the headlines today (thanks to Amrit and Dominic for alerting me to this... everyone will be talking about it soon) is the attack on MD5 certificates that makes trusting web certificates less of a good idea. The information is here, but this is a big deal so expect this to make the news.

The thing is that this yields big rewards for the hackers but is also a lot of work. Social engineering methods such as bogus email, phishing, fake antivirus etc. are so much easier to do and have big enough rewards as it is. So too do worms and the like that attack old vulnerabilities that should already be patched.

My thought for the year is thus:

Hackers are mostly successful by exploiting the boring holes and really do not have to work hard at all. By using tools that are already available such as Firewalls, IPS, Antivirus and doing the boring bits such as choosing strong passwords, updating patches, updating antivirus patterns and being aware of which mails we should not open - we win 90% of the battle already.

I think next year will be very very interesting for us. I hope everyone reading this has a great 2009!

Tuesday, December 23, 2008

Merry Christmas, Happy Hanukkah, etc

In typical Security Thoughts style, here is an Information Security story that relates to the holidays.

It seems that, in Germany, a company sent a Stollen, which is a traditional German Christmas cake, to a newspaper via a courier company. Two subcontractors decided that they wanted the cake, so they took it and replaced it with another parcel.

This parcel just happened to be confidential data with banking transaction details and it managed to find its way to the newspaper in place of the cake. Obviously, the newspaper was happy with their Christmas present and printed the story. The bank was not so happy.

I think that the theme for 2009 will be "Third Party Security" but in the meantime I wish you all a pleasant holiday and please be responsible if you decide to have a drink or two.

Friday, December 19, 2008

Egg on face

In the interests of showing the world that I am not perfect, I just had to Blog about this incident.

I sent an email with an attachment out to the wrong person. It's the classic case of autocomplete messing up - typing some letters and recognising the person's first name. Click send and then realise your mistake when the wrong Jason (it wasn't Jason in this case...) sends back an email asking "huh?!"

It's one type of "oops" that DLP is supposed to prevent.

The interesting part of it all was that the email went out (of all the people in the world) to the sales rep I've been dealing with who has been trying to sell me DLP...

I guess this just makes it more difficult to say "no".

Wednesday, December 17, 2008

Automatic Networks (Part 1)

If you are like me and like to know how the future of IT will impact Information Security then one Blog that you have to read is Rational Survivability by Chris Hoff.

He has a rather "interesting" writing style but his content is amazing. He is a strong voice of reason on how Virtualization, Cloud Computing, etc. etc. (all the new buzzwords) can seriously impact Information Security unless controls are built in.

His latest post is about a new concept where the latency of network flows is measured. If a Service is suffering from latency then the Virtual Machine that the Service runs on is moved closer to the User of the Service. Latency is gone. It is an interesting concept and obviously has Security implications which Chris goes into.

I pretty much agree with most of the post but I would like to introduce a new angle on it:

In my last post I introduced a concept that I gave a lot of names. The one I liked the most is Context Sensitive Information Protection (CSIP). I didn't invent the idea but I think I outline it quite nicely in that post. Basically the concept is that everything on the network is aware of what Information is being accessed and acts accordingly. Add this to the concept in Chris's post and your solution becomes secure again.

I think I need to come up with an example. Watch this space.

Friday, December 12, 2008

The future of DLP (DLP is dead, long live DLP)

DLP is made up of two main parts - the "knowing" part and the "watching/blocking" part.

The "knowing" part is built up over time and is generally an understanding of what a piece of information is. Generally, the systems look at a document and label it but it is becoming apparent that the meta-information is also very important. Who is sending it, where is it going, why would someone be using documents at midnight, etc etc.

In an earlier post of mine I wrote that what we now know as Information-centric Security (and I fully support this) will develop into what I called "Process-centric Security". I think I'm going to trademark BCS (also Business-process protection (BPP) and Business Process Security (BPS) and Context Sensitive Information Protection (CSIP)). This is the ability for some system (let's call it DLP) to know what is happening to a document and why.

DLP as we know it today then takes this information and implements some action - block, report, log, etc. - based on whether whoever is performing the action is allowed to do so or not.

Recent developments in the DLP world (See Dominic's comment and Securosis comment) have changed this for the better. Now, DLP does the first bit ("knowing") and passes on the second bit ("blocking") to another tool - a DRM tool. The blocking bit can be done by all sorts of systems and this is where it gets interesting - set up the switch to block, the firewall to block, the mail server to block (and send a "sorry but..." mail), the IPS to block, the PC to block, the application to block, etc. etc. Essentially everything can be set to block access to some sort of functionality for documents based on what the DLP Server tells them to do.

Further, all these systems can be set to inform the DLP System what is happening too.

Your network and everything on it becomes aware of how the business works and helps it along, preventing what shouldn't be happening.

The box that makes the ultimate decisions and keeps the database of "good" processes (call this the DLP brain) will not go away. The part of the DLP that enforces and monitors will become part of the network infrastructure and will become a feature of everything from switches to software applications.

DLP as we know it today as a product and fully enclosed system will die off and DLP as a ubiquitous system with tentacles into everything will be born.



My Blog runs on Blogspot which is a free service but I am currently paying for my homepage and assorted other internet services.

These come to about R200 ($20) a month and I figured that I'd use my blog to generate some of that.

So, I have added an advert at the bottom of this Blog. I hope it is out of the way enough that it doesn't distract from the Blog message. I may add an advert along the side of the Blog too.

Hopefully these will bring in some money to make my online life a little cheaper. I hope no one feels offended and I'd love to have no advertising but it seems that I need to sell out to The Man.

Tuesday, December 9, 2008

DLP is dead. (Not yet, but soon)

Ever since Richard Stiennon came out with his "IDS is dead", he started a trend which even he subscribes to by declaring any big technology to be dead. I really believe though that Information Security products go through a cycle.

I was explaining this cycle to Dominic White a couple of weeks back and we were rudely interrupted by the meeting that we were in fact attending. Had I managed to finish then maybe he would be able to answer the question he asks on his blog. (This is also assuming that he agrees with me, which is not a foregone conclusion.)

The first part of any Information Technology solution is to slide the technology in, causing the least pain for users and fixing the most problems.

Example - Firewalls back in the old days were open by default and as problems were detected, the admin would close ports and fix routes until the problems were gone. I call this Generation 1. This worked fine until the administration became too much and firewalls started being configured closed by default and opened as needed (Generation 2). I think that the third generation of this is "closed by default, opened for business reasons". We may think we are there but we are not really.

If you use a tool like Websense or SurfControl to control web browsing then you'll be at Generation 1 for browsing. Antivirus is Generation 1. Email is Generation 1.

I believe that we will see a jump to Generation 3 for all of these tools but the uptake will be very slow.

Generation 3 is where every action that someone takes has a strict business reason. A user sends an order to a supplier. The email system knows who the user is and whether they should be ordering something or not. Based on that - the email goes through.

Does this sound like some sort of workflow application? Bingo!

Now, consider DLP and DRM...
DLP is Generation 1 - allow everything and block bad things from happening. DRM is there too - let your staff decide what restrictions to put on? Doesn't work. Put them together and you get closer to Generation 2 (assuming that you are pretty tough with your DLP rules - otherwise - why waste your time?). Generation 3 is where things get interesting - Dave in Finance creates a document and labels it "financial results". Workflows are built up automatically around the document and are enforced as such:

The file server is configured to allow only Finance people to access the document. Auditors can open the document but make no changes. The firewall will not allow the document out of the organisation, and the mail server will not allow the document to be sent out. The antivirus (horrible word - very Generation 1.. let's use "application handler" for Gen 2+) will only allow certain programs like Excel to access the document. Anything else is blocked and an alert is fired up.

At a certain date the document is "allowed" to be sent to the communications department who can't make any changes.
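Here is that workflow as a worked model, added as an example and not code from the original posts or from any DLP or DRM product: one central policy store stands in for the "DLP brain" described in the 12 December post, and the file server, mail server, firewall and application handler each ask it before acting, as laid out above. The departments, user names, dates, program names and the "financial results" label are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Request:
    point: str       # enforcement point asking: file_server, firewall, app_handler, ...
    user: str
    dept: str        # constructed departments: finance, audit, comms, sales
    action: str      # read, write, open_with, send_external
    label: str       # label the author gave the document, e.g. "financial results"
    app: str = ""    # program asking to open the document (open_with only)
    when: date = date(2008, 12, 9)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    alert: bool      # the central policy also wants an alert raised
    reason: str

# The "DLP brain": one workflow per label, consulted by every enforcement point.
POLICY = {
    "financial results": {
        "read": {"finance", "audit"},             # auditors may open but never change
        "write": {"finance"},
        "open_with": {"excel.exe"},               # only approved programs may open it
        "release": ("comms", date(2009, 1, 15)),  # read-only release to comms on this date
        "send_external": set(),                   # it never leaves the organisation
    },
}

def decide(req):
    """One decision function for every enforcement point on the network."""
    rules = POLICY.get(req.label)
    if rules is None:  # Generation 3 posture: closed by default, opened for a business reason
        return Decision(False, False, f"no workflow defined for label {req.label!r}")
    if req.action == "read":
        rel_dept, rel_date = rules["release"]
        if req.dept in rules["read"]:
            return Decision(True, False, f"{req.dept} may read")
        if req.dept == rel_dept and req.when >= rel_date:
            return Decision(True, False, f"released read-only to {rel_dept} on {rel_date}")
        return Decision(False, False, f"{req.dept} has no business reason to read")
    if req.action == "write":
        ok = req.dept in rules["write"]
        return Decision(ok, False, f"{req.dept} {'may' if ok else 'may not'} change it")
    if req.action == "open_with":
        ok = req.app in rules["open_with"]
        return Decision(ok, not ok, f"{req.app} {'is' if ok else 'is not'} an approved handler")
    if req.action == "send_external":
        ok = req.dept in rules["send_external"]
        return Decision(ok, not ok, "external release " + ("permitted" if ok else "blocked"))
    return Decision(False, True, f"unknown action {req.action!r}")

def walk_through():
    # Dave's document run through each enforcement point in the scenario above.
    cases = [
        Request("file_server", "dave", "finance", "write", "financial results"),
        Request("file_server", "ann", "audit", "read", "financial results"),
        Request("file_server", "ann", "audit", "write", "financial results"),
        Request("app_handler", "dave", "finance", "open_with", "financial results", app="notepad.exe"),
        Request("firewall", "dave", "finance", "send_external", "financial results"),
        Request("file_server", "pat", "comms", "read", "financial results", when=date(2009, 1, 10)),
        Request("file_server", "pat", "comms", "read", "financial results", when=date(2009, 1, 20)),
        Request("file_server", "sam", "sales", "read", "draft memo"),
    ]
    return [(c.point, c.user, c.action, decide(c)) for c in cases]
```

Every enforcement point gets the same answer for the same request because there is only one place that holds the workflow; the points differ only in what they can do about it (refuse the file, drop the mail, block the connection, refuse to launch the program).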

You may have a DLP box watching what is happening. You'll certainly have a box with policies and workflows on it (I have a feeling Microsoft want to control this) but everything from smartphones, routers, switches, mail servers, PCs, programs, databases will be "process-aware".

DLP will become part of the "defense in depth" solution but everything will have content protection built in. Welcome to the future.

Thursday, December 4, 2008

What if the cloud is MORE secure?

My job usually involves the normal, boring day to day security stuff and so I don't want to bore my readers (both of them) and give away company secrets. So, I like to stay ahead of the game and blog about what the future holds.

I honestly still think that the past is where we are heading (see my earliest posts). Actually, I think that the future will be summed up thus: "New exciting technologies; good, old-fashioned security".

Some of my most valuable sources are Gartner, Securosis and Rational Survivability. They don't all agree but I use the best of each to make up my own mind.

One technology that all of them have touched on is "Cloud Computing".

This is a lovely concept which has no formal definition. Essentially, it seems to be this: you take all your systems and send them out somewhere to some company who will then host the systems for you. By "systems", I mean applications or technical functions.

The level of control that you have is very variable too but I think that one of the benefits of cloud computing is that you give up having to worry about the nuts and bolts and focus on the benefits. This is wonderful but it can also be a curse - you lose control of your processes and the protection of your data.

For a company that makes widgets not to have to take care of a data center is excellent. And, you get to leverage off best practices in that you use experts in their own fields to manage your IT. So, you use a dedicated mail place (like GMail or Hotmail), a dedicated storage place, a dedicated CRM place, etc.

Those places can use economies of scale so that it gets cheaper the more people who use their services.

Everyone wins. And especially nowadays that CIOs (at the request of CFOs) are looking to bring their costs down.

The main issue is one of Security. Although, connectivity could be an issue as well. (Your link goes down and you are at the southern most tip of Africa and your presentation is on the other end of a broken link, in North America.. the CEO is waiting..)

But back to Security.

Obviously a company that holds private information for a number of companies would be a target for online criminals so you'd be giving your information to a company that is a target. More than that - you still hold the risk if the information is leaked but you lose the control of knowing where the information is at any one time or what is happening with it. You really only have the company's assurance that they will take good care of your information for you.

It seems that a great number of Cloud-providers are very vague about what security measures they have in place. There is one that stands out for me though - BoardVantage. I don't use their service (or have anything to do with them really) and have no idea how secure they are but they certainly claim to be very secure - they detail what their controls are and they have had a SAS70 type 2 audit done.

Assuming that they do everything that they say that they do - they are streets ahead of most corporate networks. Going by Verizon's Breach report thing - most companies are breached by methods that are very simple and vulnerabilities that have patches that are very old. So, it may be more secure to use this company than to keep the information on your own network.

PS. I know that there is no one Cloud but as things stand at the moment most "clouds" are really walled gardens (confused yet) and so each provider takes care of their own part of "the cloud".

The answer is that you would have to really consider using a "cloud provider" instead of dismissing them off-hand. And if all major "cloud providers" became more secure then security would not be something holding this idea back but could be a good reason to investigate using the cloud.

Monday, December 1, 2008

The "A"

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvos and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, let's consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt, what will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that is where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they putting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but it's the ones that are pushing information out of your organisation that are sneaky enough not to have signatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targeted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but most everything runs on port 80 anyhow so the Firewall should be configured but it doesn't keep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.