Friday, January 14, 2011

The CIA, the lead box at the bottom of the ocean and the sacred cow.

[Where does Availability sit?]

So, the first thing you'll learn when doing Networking is the OSI stack even though everyone uses TCP/IP which doesn't fit neatly into the OSI concept. The first thing you'll learn in InfoSec is the CIA triangle. This is our sacred cow even though we don't really work towards it. Or do we? Should we?

I really respect the guys at Securosis and admire the way they dust off the sacred cows and relook at them, arguing first that availability is not for InfoSec to bother with, then that it is most important.

If you speak to those that know me professionally, you'll know my feeling on how Information Security should treat The A. I sit in the IT building and my favorite saying is "everyone else in the building is making sure availability happens. I look after the C and the I."

The problem is that protecting Availability is very broad. It is actually easier to define the opposite - lack of availability:

If a server disk crashes, who gets called in? It's not me.
If a service stops on a server? Not me.
If the Firewall blocks a business website? Yep, me.
If a virus crashes the mail server or slows it down? Me.

So, I do manage availability to a point but not all of it. And, in fact, I seem to manage more Availability than I should. The point is that Availability is an easy sell. IT is full of it. Check your agreements with vendors - they all have something like "99.9...% uptime" SLAs. There are no "99.9...% integrity" or "99.9...% confidential docs will not be moved". Availability can be measured - it's there or it is not. Integrity and Confidentiality - not so much. Another favourite phrase of mine is "The A in SLA stands (not for agreement but stands) for availability - where is the SLI and SLC?"

The problem is that because InfoSec is traditionally based in IT, some of the Need For Availability (NFA?) seeps into our area. The tools we find easiest to sell to business - firewalls, IPS, antivirus - are all there primarily to protect availability. Tools like web-filters are also very easy to sell because they stop abuse of network (think availability) and time (same). Tools like DLP are a tougher sell because they don't touch availability (and can cause issues there). Backups and DR have been the cause of some really bad C and I episodes. Yet every company does them - availability. This is not to say that backups and the other software we have are bad. Backups are essential for one, but availability is king. When last did you audit all of the Excel documents that people use to make business decisions for integrity?

The thing is that C and I are opposed to A. The safest network is one that is not connected to the Internet, but what use is that? The way to properly secure a document is to put it in a safe, cover the safe in lead and then in concrete, chain it up for good measure and then dump it at the bottom of the ocean. But, again, what use is that? So, there is an arm wrestle between C and I on one side and A on the other, and that is a good thing.

IT will always fight on the side of the "A" and so should InfoSec but we also have to fight for the C and I and ultimately get a good balance between all three. 

Wednesday, January 5, 2011

A WTF to start the year.

[Every once in a while a news story comes along that makes you wonder...]

According to TechCentral :-

Thieves steal Sim cards from Jo’burg traffic lights
"The Johannesburg Roads Agency (JRA) suspects that a syndicate is stealing Sim cards from the city’s hi-tech traffic lights, and using them to run up phone bills."

The article goes on to say "If all 400 traffic lights need to be repaired due to theft and vandalism, it could cost about R8,8m."

So, the big question is why the JRA used normal SIM cards in their traffic lights. It was probably a cost cutting method so they can just get them off the shelf but it is backfiring for them. 

A comment in the article says to glue the SIM cards in place or use resin but this doesn't seem like a great idea as it would be almost impossible to replace a SIM card that is faulty. 

Maybe the answer for the JRA is to react fast. As soon as a traffic light stops reporting to the central server (which is what these SIMs are used for), move to disable the SIM immediately. Send a team to the light to assess and re-enable it if it is a false positive.
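The "react fast" idea above, sketched as an added example (not from the original post or from the JRA): a watchdog that flags lights that stop reporting, marks their SIMs for disabling, and re-enables them when the site visit finds a false positive. The 10-minute limit, the identifiers and all class and function names are assumptions; the real suspend request to the mobile operator is left as a comment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: this much silence from a light is treated as possible SIM theft.
SILENCE_LIMIT = timedelta(minutes=10)

@dataclass
class Light:
    light_id: str
    sim_id: str            # constructed label standing in for the SIM's identifier
    last_seen: datetime    # last report received by the central server
    sim_enabled: bool = True

class Watchdog:
    def __init__(self, lights, limit=SILENCE_LIMIT):
        self.lights = {l.light_id: l for l in lights}
        self.limit = limit
        self.site_visits = []          # lights waiting for a team to assess them

    def heartbeat(self, light_id, when):
        self.lights[light_id].last_seen = when

    def sweep(self, now):
        """Return SIMs to disable now; each silent light is flagged only once."""
        to_disable = []
        for light in self.lights.values():
            if light.sim_enabled and now - light.last_seen > self.limit:
                light.sim_enabled = False      # operator-side suspend would be requested here
                self.site_visits.append(light.light_id)
                to_disable.append(light.sim_id)
        return to_disable

    def assess(self, light_id, sim_present, now):
        """Team result: re-enable on a false positive, stay disabled if the SIM is gone."""
        light = self.lights[light_id]
        self.site_visits.remove(light_id)
        if sim_present:
            light.sim_enabled = True
            light.last_seen = now              # restart the silence clock
            return "re-enabled"
        return "sim-missing"

def demo():
    t0 = datetime(2011, 1, 5, 8, 0)            # constructed timeline
    dog = Watchdog([Light(f"TL-00{n}", f"SIM-{s}", t0) for n, s in zip("123", "ABC")])
    dog.heartbeat("TL-001", t0 + timedelta(minutes=9))   # only TL-001 keeps reporting
    first = dog.sweep(t0 + timedelta(minutes=12))
    second = dog.sweep(t0 + timedelta(minutes=13))       # nothing new to disable
    visit_b = dog.assess("TL-002", True, t0 + timedelta(minutes=40))   # e.g. a power fault
    visit_c = dog.assess("TL-003", False, t0 + timedelta(minutes=45))  # SIM was taken
    return first, second, visit_b, visit_c
```

The window between the last report and the sweep is the time a stolen SIM stays usable, so the silence limit and sweep interval set the worst-case bill per theft.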

Another comment was about using PIN codes. But these would end up being either easy to guess ("1234", "0000", etc.), well known ("Jack left the JRA last week, now we need to redo all 400 PIN codes") or a mission to manage ("Did anyone see the spreadsheet with PIN codes?"). Even 1 PIN number is too much for some people to manage.

It seems that the SIM cards are well protected in the traffic lights because it takes the scum thieves a lot of destructive work to get to them so that is not a deterrent. The only option I can think of is to make the SIM cards useless to anyone but the JRA either by using special cards or by the above "react quickly" method. 

Surely these SIM cards must be connecting to a private APN. (This is the gov. so this assumption is not a certainty). In which case they should have been disabled on the normal GSM APN. Problem solved. 

One wonders how much the cellphone bills that were clocked up came to.