It only took the company Blog being down for a week to get me annoyed enough to consider starting my own Blog. Thank you, Rich Mogull, for pushing me over the edge. Who knows, maybe Trackbacks will actually start working.
More to come ...
Posted at 12:37 PM in News & Events
The Washington Post reported that the illegal viewing, and subsequent disclosure, of passport information for Barack Obama, Hillary Clinton and John McCain was caught by a monitoring system.
This is precisely the type of activity that monitoring can detect, and it can be used very effectively for alerting to suspicious behavior regardless of the user.
In early 2005 I was invited by some people at DHS to pay a visit to a couple of congressmen and senators to discuss trends in information privacy & security. I later discovered the reason for the invite was that one of the Republican staffers had been reading a couple of the Democratic rivals’ files and documents. It turns out that both parties shared a common file server & database that had little to no security beyond access control. The staffer was fired and escorted out by the Secret Service. I advocated database monitoring to detect this type of activity in the future, coupled with assessment as a preventative control.
It appears that the State Department already has something like this in place, so ‘Bravo’! And they, like most public companies, only deployed it after a breach had occurred.
Posted at 09:30 AM in Monitoring
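To make the monitoring point concrete, here is an added example of the kind of detective rule the post argues for. It is not code from this blog or from any State Department or vendor system; the audit line format, the flagged record ids, the policy fields and the six log lines are all constructed for the example. Two rules run over the records regardless of who the user is: a read of a flagged record with no case reference attached, and a user whose read volume passes a threshold.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one parsed row of a constructed database audit trail: who read
// which record, and which case reference (if any) the application supplied.
type AccessEvent struct {
	User, Record, Case string
}

// Policy is what the monitor compares every read against, whoever the user is.
type Policy struct {
	Flagged  map[string]bool // records under extra scrutiny (constructed ids)
	MaxReads int             // reads per user before a volume alert fires
}

// Alert names the user and the rule that fired.
type Alert struct {
	User, Record, Rule string
}

// ParseLine reads the constructed "timestamp key=value ..." audit format;
// unknown keys are ignored, but user and record are mandatory.
func ParseLine(line string) (AccessEvent, error) {
	var e AccessEvent
	f := strings.Fields(line)
	if len(f) < 2 {
		return e, fmt.Errorf("malformed audit line: %q", line)
	}
	for _, kv := range f[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return e, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			e.User = v
		case "record":
			e.Record = v
		case "case":
			e.Case = v
		}
	}
	if e.User == "" || e.Record == "" {
		return e, fmt.Errorf("missing user or record in %q", line)
	}
	return e, nil
}

// Evaluate applies two detective rules:
//  1. a flagged record read with no case reference attached, and
//  2. a user whose read count passes MaxReads (bulk browsing of records).
func Evaluate(events []AccessEvent, p Policy) []Alert {
	var alerts []Alert
	counts := map[string]int{}
	for _, e := range events {
		counts[e.User]++
		if p.Flagged[e.Record] && e.Case == "" {
			alerts = append(alerts, Alert{e.User, e.Record, "flagged-record-no-case"})
		}
		if counts[e.User] == p.MaxReads+1 { // fires once, when the threshold is first crossed
			alerts = append(alerts, Alert{e.User, "", "volume-threshold"})
		}
	}
	return alerts
}

// sampleLog is constructed data: one clerk looks at a flagged record with no
// case behind it, another pages through records faster than a normal workload.
const sampleLog = `2008-03-20T14:02:11 user=clerk17 table=passport record=P-1001 case=C-4411
2008-03-20T14:03:40 user=clerk17 table=passport record=P-9001
2008-03-20T14:05:02 user=clerk22 table=passport record=P-1002 case=C-4412
2008-03-20T14:05:09 user=clerk22 table=passport record=P-1003
2008-03-20T14:05:15 user=clerk22 table=passport record=P-1004
2008-03-20T14:05:21 user=clerk22 table=passport record=P-1005
`

// RunSample parses the constructed log and returns the alerts it raises.
func RunSample() ([]Alert, error) {
	var events []AccessEvent
	for _, line := range strings.Split(sampleLog, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Evaluate(events, Policy{Flagged: map[string]bool{"P-9001": true, "P-9002": true}, MaxReads: 3}), nil
}
```

On the constructed log, RunSample returns two alerts: clerk17 for the flagged record read without a case, and clerk22 for crossing the read threshold. Neither rule needs to know anything about the individual user, which is the point: the behavior is what gets flagged, and the access control that both parties' file server relied on would have allowed every one of these reads.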
I selected the email example on Information Centricity for a couple of different reasons. One of which was based upon several blog posts out there talking about what changes would need to be made to the infrastructure, or basically ‘how do we get there from here’. And now that I have seen Mike Rothman’s comment that “I'm not going to be so bold as to say it isn't happening, but it's nothing I've seen before”, I am glad I did. When you start thinking about how to implement Information Centricity, let’s say in an SAP environment, it’s enough to make your head explode. I wanted to start small to demonstrate a couple of ways Information Centricity addresses security issues in a changing IT landscape.
As email is ubiquitous, and email tools are prevalent, I felt that this was a good illustration. All I really need from the technical side is a toolkit or extension for my favorite email tool that can handle keys, digital signatures and encryption. From a people/process side, I simply need agreement on what we will use and the exchange of keys. This is not a big change in technology. But it is a fairly significant change in perspective.
The typical IT security model is to start with systems & processes to perform business functions, and then patch security on top through various preventative and detective controls as new threats emerge. With Information Centricity we start with secure data. Then we embed rules on how and when it gets used. It doesn’t mean we are throwing existing systems out, rather we are changing the nature of the information that flows through them. Systemic rather than additive. Assume insecure and uncontrolled, then enable as trust is established.
Posted at 09:27 AM in Information Centric
I am going to be attending a couple of events the first week of April, so let me know if you are going to be in the area so we can meet up!
I am going to the IDC Virtualization show on April 8th, during the day. And there is a Ziff Davis reception that evening over at the Westin.
I am going to be at RSA on April 9th for most of the day. And then I am going to be at the Security Bloggers Meet-Up on Wednesday evening as well.
Hope to see you there!
Posted at 11:21 AM in News & Events
I went on a long rant in one of my previous posts, motivated by the Hannaford Bros. Breach. Not so much because I have anything specific to say about that breach, but simply to express my view that merchants should not be storing credit card numbers in the first place. I was not planning on saying anything else as I am not really sure what to make of the information we have been provided through the various press releases and news items.
I started to reconsider when I picked up the Friday, March 21st San Jose Mercury News (http://www.mercurynews.com/) issue. An Associated Press article in the business section is saying this is a new type of breach as the data was ‘Hijacked in transit’. Maybe that’s true. I don’t really know. But most of the quoted experts seem to provide more disinformation than anything else.
Aaron Bills, COO of 3Delta Systems, was quoted as saying “Catching data on the move is a bit more challenging”. The comparison made is to stealing merchandise from a truck, meaning it is easier to do if the vehicle is parked than when it is moving. I seriously hope this guy was misquoted. Bits are bits in this case, and the motion has almost nothing to do with the degree of difficulty in theft. At rest or in motion, theft requires some access point to the data, and networks tend to provide more access points (mirror ports, sniffers, electromagnetic taps on copper wire, etc.) than file or database servers. In fact, if encryption was being used, the ‘at rest’ variants tend to be stronger than the session-based variety. And we are all guessing that encryption was not being used, and that is why all of this data was sniffed off the network.
Then we have Avivah Litan at Gartner asking the question “Would you like to sit at your gas pump for five minutes to get an authorization?” in response to why encryption is not widely used within the processing chain. Excuse me, but don’t all commercial POS systems already have encryption? Wasn’t there a mandate by most of the banks that required switching ATM & POS systems away from DES a few years back as it was a suspect algorithm? Please, educate me if I am blatantly wrong here. My point is we have had encryption in much of the processing chain for a long time, and we do not wait 5 minutes at the pump … well, except for that one Shell station on Carefree Highway that literally does take that long, and it does in fact drive me nuts, so I would give this argument credence … the problem is much of the processing chain is already encrypted and I get authorization in a few seconds in most places.
Then we have David Navetta, the president of InfoSecCompliance in Denver, saying that Hannaford was possibly tripped up by ambiguity in the PCI standard. What? Seriously? We have data breaches in the headlines every week, and we have been talking about deficiencies in PCI for a couple of years, so how could Hannaford Bros.’ custodial duties become ambiguous? Is that a variant of the ‘Twinkie defense’? InfoSecCompliance is a law firm, if you didn’t guess.
I must give props to Richard Gorman of Vormetric for providing the sole rational quote: “…need to wake up to the fact that they need to encrypt information along every step”.
These stories and many of the quotes are just weird. I’ll chalk this up to more ‘Journalism 2.0’.
Posted at 11:00 AM in Information Security
Sure enough, we are starting to see some more posts on the subject. Rich Mogull took up the charge and put the stake in the ground with some guidelines for defining what constitutes an information centric security model. I am glad he did this, both in the sense that I think he did a great job, but also from the realization that I cannot. While I am a big proponent, I have far too many pre-conceived notions about this type of security to provide a neutral definition that does not pre-suppose some deployment strategies. I am thankful he took the first step, and some of the heat, for proposing this model.
What I want to do to take this one step further is provide a tangible example of this model. I want to provide the simplest example of what I consider to be information centric security. I have never spoken with Rich directly on this subject and he may completely disagree, but this is one of the simplest examples I can come up with. It embodies the basic tenets, but it also exemplifies the model’s singular greatest challenge. Of course there is a lot more possible than what I am going to propose here, but this is a starting point.
Consider a digitally signed email encrypted with PGP as a tangible example.
Following Rich Mogull’s defining tenets/principles post:
I might add that there should be independent ‘brokerage’ facilities for dispute resolution or verification of some types of rules, process or object state in workflow systems. If recipients can add or even alter some subset of the information, whose copy is the latest and greatest? But anyway, that is too much detail for this example.
The fundamental problem with this model? People. If you do not trust the recipient or user of the data to whom you have provided credentials, the model does not provide privacy. Untrustworthy recipients can leak sensitive information. In our example, hopefully we did not send the email message to them, but obviously we do not always know who we can trust, or under what circumstances we trust a person. This is serious, but no less of a problem than in just about every other information usage and sharing system ever created.
A note on DLP and Information Centric Security: security that acts directly upon information, and information that embeds its own security, are different concepts. IMO. Under a loose definition, I understand how one could view Data Loss Prevention, in-context Monitoring/IDS and even Assessment as a data centric examination of security. But this is really not what I am attempting to describe. Maybe we change the name to Embedded Information Security, but that is semantics we can work out later.
One of the commenters on Mogull’s web site references both the Bell-LaPadula and Clark-Wilson models. These papers are relevant and I will discuss them in a future post, as well as the topic of evolutionary change and novelty. For now, I just want to propose a tangible example.
### Update ###
Hoff was kind enough to pick up this post on his blog. Chris is right that the first bullet is very confusing. What I meant to say is that the business application, email, is self-evident. The email header remains as it would normally be. The information is self-describing as it is tagged as encrypted content in the message body, or could be an attachment to the email. I mentioned MIME purely for non-text-based attachments. Sorry about the word jumble.
Posted at 02:52 PM in Information Centric
For those of you who know me, I have been on a kick about the fundamental transformations of PR and Marketing over the last two years. And if you have seen this “Log and event management appliances improve compliance, security, operations” piece by Chris Peterson, Network World, 03/19/2008, this is just one manifestation of a single thread on the fundamental changes in PR & Marketing. This article comes under the heading of Network Management, so that identifies the viewpoint up front, but still … this is not news, but an ad.
“current approaches to log and security event management force customers to purchase and integrate two or more products for each discipline”. Not sure where he is going with this, but if I want network event management (SIM/SEM), there are several vendors that offer complete and compelling solutions. Single vendor. Single product. Not sure what his intention is with this statement but it seems misleading to me.
What is more, I advocate that we should have two systems, at least in the short term. One to monitor, assess and audit network infrastructure, and one that does the same for data/applications. Why? The type of information relevant and available to each is different, and both security & compliance challenges are different. It would be great to have one, but I think all too often securing one is seen as securing the other, and that horrid fallacy continues to persist.
“To unlock the value of logs, a new class of appliance has emerged that combines universal log-data collection, analysis, event management, automated report distribution and incident response”. Wow. I have many problems with that statement, but the list is too long to really cover, so I will just mention a couple of points.
“Since log formats are as varied as the log sources themselves, once logs are collected they must be normalized.” Normalization is NOT mandatory. Normalization is very useful if you want to report on very large quantities of data. Migration into the lowest common denominator format is a way to simplify the reporting challenges and reduce the computational complexity of report generation. But just as the author points out “log formats are as varied as the log sources themselves”, the process of normalization means a loss of information that does not fit within the normalized template. So that means the value of the data itself is less, unless you keep both the original record and the normalized record. And if you keep both, the data management and the data processing challenges double in overhead (storage, reporting, archive & restore, etc), and you need to have some reference structure to link the normalized and original record together.
Under the topic of Event Management: “One way to do that is to assign a priority from 1 to 100 based on the type of event; …”. There is no such thing as universal priority. I will grant you that some events, like failed logins, are interesting to security, compliance, IT and development groups alike. Perhaps not the executive team, but it is safe to say most groups want that information. But save for one or two event types, almost no group shares the same priority list. In fact, Internal Audit and IT often have the opposite list.
Under the topic of Log Collection: “They can be pulled from Windows hosts (event logs) and any database compliant with Open Database Connectivity.” ODBC? For database log collection? Really?
If 25% of IT data created is log files, (according to the author this is a SANS statistic) doesn’t this indicate a problem unto itself? Does it not suggest that perhaps filtering events not pertinent to core business, security and compliance might be the core issue to deal with a logarithmic growth curve? I actually suspect this number is in fact far higher, but let’s go with 25% for the sake of argument. Is an appliance the appropriate way to grow with this data set? Are you really going to house, analyze, manage and report terabytes of data in remote appliances? Or the corollary, think about your investment in hardware & software for applications like SAP or databases like Oracle.
Are you willing to spend 25% yet again to watch the underlying network log files? Is log file aggregation really that wise of an investment? Does it deserve this level of infrastructure and cost as event management tends to be more forensic in nature? Is it really an effective way to gather and report on security and compliance data? Not to me, and this is not a compelling story for SEM in the picture being painted.
I am a fan of well executed SIM/SEM, and this product may fall into that category. But as it is clear this is not a general advocacy piece, two things need to happen here. First, this article really needs a giant flashing ‘Advertisement’ banner so I don’t choke on my coffee again when I read stuff like this. Second, if there really is “a new class of appliance” out there, the author needs to explain why exactly that is, because you are not going to know from this article. This is exactly the same type of feature set I was reading about and saw demoed from other vendors in 2004. I know Network World wants new and exciting content, but they need to do better than this.
Posted at 02:30 AM in Auditing
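The normalization trade-off in the post above (a lowest-common-denominator record loses whatever does not fit the template, so you end up keeping the original too, plus a key to link the two) is easy to see in code. What follows is an added example, not code from this blog and not from the article's appliance. The two input formats are constructed for it: an sshd-style syslog line, and an invented pipe-separated database audit export; the `Normalized` schema and the `dbaudit` prefix are likewise assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Normalized is the lowest-common-denominator schema every source is mapped to.
type Normalized struct {
	RawID   string // key of the untouched original in Store.Raw
	Source  string
	User    string
	Action  string
	Outcome string
}

// Store holds both copies: the doubled storage and the linking key the post
// describes are the two fields below.
type Store struct {
	Raw        map[string]string
	Normalized []Normalized
}

func NewStore() *Store { return &Store{Raw: map[string]string{}} }

// rawID derives the link key from the record content itself.
func rawID(line string) string {
	sum := sha256.Sum256([]byte(line))
	return hex.EncodeToString(sum[:8])
}

// Ingest recognises two constructed formats (see sampleLines). Fields with no
// slot in Normalized, such as the client address and port or the SQL text,
// survive only in the raw copy.
func (s *Store) Ingest(line string) error {
	line = strings.TrimSpace(line)
	if line == "" {
		return nil
	}
	n := Normalized{RawID: rawID(line)}
	switch {
	case strings.Contains(line, " sshd["):
		f := strings.Fields(line)
		if len(f) < 9 {
			return fmt.Errorf("short sshd line: %q", line)
		}
		n.Source, n.Action, n.User = "sshd", "login", f[8]
		switch f[5] {
		case "Failed":
			n.Outcome = "failure"
		case "Accepted":
			n.Outcome = "success"
		default:
			return fmt.Errorf("unrecognised sshd event: %q", line)
		}
	case strings.HasPrefix(line, "dbaudit|"):
		f := strings.SplitN(line, "|", 6)
		if len(f) != 6 {
			return fmt.Errorf("short dbaudit line: %q", line)
		}
		n.Source, n.User, n.Action, n.Outcome = "dbaudit", f[2], f[3], f[4]
	default:
		return fmt.Errorf("unknown format: %q", line)
	}
	s.Raw[n.RawID] = line
	s.Normalized = append(s.Normalized, n)
	return nil
}

// Original follows the link from a normalized record back to its raw form.
func (s *Store) Original(n Normalized) (string, bool) {
	raw, ok := s.Raw[n.RawID]
	return raw, ok
}

// sampleLines is constructed input: two sshd syslog lines and two rows of an
// invented pipe-separated database audit export.
var sampleLines = []string{
	"Mar 20 14:02:11 host1 sshd[812]: Failed password for root from 10.0.0.5 port 4432 ssh2",
	"Mar 20 14:02:19 host1 sshd[812]: Accepted password for alice from 10.0.0.7 port 4450 ssh2",
	"dbaudit|2008-03-20T14:05:02|dbadmin|SELECT|success|SELECT * FROM cards WHERE pan LIKE '4%'",
	"dbaudit|2008-03-20T14:05:40|webapp|LOGIN|failure|",
}

// RunSample ingests the constructed lines and returns the populated store.
func RunSample() (*Store, error) {
	s := NewStore()
	for _, l := range sampleLines {
		if err := s.Ingest(l); err != nil {
			return nil, err
		}
	}
	return s, nil
}
```

A report over `Normalized` (count the failures, group by user) is cheap and works across both sources, which is what normalization buys you. But the source port on the sshd line and the SQL statement in the database row, the details an investigator actually wants once an alert fires, only exist in `Raw`, reachable through `RawID`. Drop the raw copy and that information is gone; keep it and you are storing, archiving and restoring every record twice.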
I have been working on a couple of different projects lately that have me tied up and I have not been blogging lately. But as usual, whenever I go to trade shows or industry events, invariably something sparks my interest. I was at the IT Security Entrepreneurs Forum last week and one of the panels really got my attention. The concept proposed to the audience:
Do you believe Security & Privacy on the Internet are diametrically opposed?
Seriously. This is not a loaded question. At the forum, one of the panelists, a respected member of the US Intelligence Community stated that we cannot have Internet Security and Privacy. It’s one or the other, and privacy groups’ demands do not allow policing of Internet activity. They are diametrically opposed. This person then gave the analogy that Privacy on the Internet was just like putting cops (His word, not mine) on the street, and allowing them to watch crime occur, but not draw their guns and not make arrests.
I believe that there are ways, perhaps dozens of ways, to provide both. There are many ways to create a trust relationship without a specific identity, or even to create a proxy relationship that establishes this trust. I think it was the American Express Blue card, circa 1999 or so, that offered anonymous Internet payments. It is the concept that is important here, not the individual company offering, so don’t send me nasty email for my lack of fact checking on this point. The payment proxy concept I felt had great promise for providing a platform for anonymous purchases on the Internet. There would not be an exchange with the merchant of the credit card number or other related information; they would only receive payment. Sure, purchasing goods requires that the name and address information be passed, but for services and the purchase of virtual goods, there may not even be that. But this is privacy and security all at once.
If I run a blog and I want to make anonymous posts, or communicate electronically under a pseudonym à la the fake Steve Jobs, I can do so by digitally signing the blog posts, allowing me to make public comments that can be verified as authentic without revealing my identity. I could correspond through email by posting a public key and email address in an accessible location and allow for correspondence to me that is both confidential and secure while providing me a degree of privacy. There are lots of examples of creating intermediary trust relationships that will work depending upon the goal.
We can have privacy and security on the Internet. At the same time. Arguments to the contrary are FUD motivated by money. Or politics. Whatever. My privacy being at odds with someone else's desires is the real issue.
Posted at 03:19 PM in Privacy
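The PGP email example in the information centric post above and the pseudonymous signed posts in this one rest on the same mechanism, so here is one added example covering both. It is not code from this blog or from PGP; it uses Go's standard library with RSA-OAEP wrapping a random AES-256-GCM session key in place of PGP's packet format, and an ed25519 key as the author's pseudonym. The `Envelope` and `signedPayload` types and the `envelope-v1` tag are constructed for the example. The envelope carries everything the recipient needs, so the transport (the mail headers) can stay untouched; the author is known to the recipient only as a public key, which is enough to verify authenticity and to link a second message to the same pseudonym, and nothing more.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// version is a constructed tag standing in for the PGP armor header; it is
// bound into both the key wrap and the AEAD so it cannot be swapped unnoticed.
const version = "envelope-v1"

// Envelope is the self-describing message body: everything the recipient needs
// travels inside it, so the mail headers can stay exactly as they are.
type Envelope struct {
	Version    string `json:"version"`
	WrappedKey []byte `json:"wrapped_key"` // RSA-OAEP over the one-time AES key
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM over the signed payload
}

// signedPayload is what gets encrypted: the body plus the author's signature.
// The author appears only as a public key, a pseudonym rather than an identity.
type signedPayload struct {
	AuthorPub ed25519.PublicKey `json:"author_pub"`
	Body      []byte            `json:"body"`
	Sig       []byte            `json:"sig"`
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs body with the author's key, then encrypts the signed payload to the
// recipient's RSA public key under a fresh session key (sign-then-encrypt).
func Seal(author ed25519.PrivateKey, recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	pub := author.Public().(ed25519.PublicKey)
	payload, err := json.Marshal(signedPayload{pub, body, ed25519.Sign(author, body)})
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, []byte(version))
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, payload, []byte(version))
	return &Envelope{version, wrapped, nonce, ct}, nil
}

// Open unwraps the session key with the recipient's private key, decrypts, then
// verifies the signature. It returns the author's public key so the recipient can
// link later messages to the same pseudonym.
func Open(recipient *rsa.PrivateKey, env *Envelope) (ed25519.PublicKey, []byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, []byte(env.Version))
	if err != nil {
		return nil, nil, errors.New("key unwrap failed: not encrypted to this key")
	}
	g, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Version))
	if err != nil {
		return nil, nil, errors.New("decryption failed: message altered in transit")
	}
	var p signedPayload
	if err := json.Unmarshal(pt, &p); err != nil {
		return nil, nil, err
	}
	if len(p.AuthorPub) != ed25519.PublicKeySize || !ed25519.Verify(p.AuthorPub, p.Body, p.Sig) {
		return nil, nil, errors.New("signature check failed")
	}
	return p.AuthorPub, p.Body, nil
}
```

Usage is Seal on the sender's side and Open on the recipient's: a round trip returns the body and the author's public key, a flipped ciphertext byte or a different recipient key fails in Open, and two envelopes from the same author key yield the same public key without naming anyone. What none of this does is stop the recipient from forwarding the plaintext once it is open, which is the people problem the information centric post names.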
After my previous post on privacy and security on the Internet, I ran across Rich Mogull’s ‘Picking apart the Hannaford Breach’ post. To me, issues of privacy and security are related to this post. I am going out on a limb here because I am making an assumption – assertion, actually – of intent, but it appears to me this is the crux of the issue. Merchants want to maintain the relationship with the customer, and probably more importantly to them, the data about the customers: financial data, purchasing data, location data and preferences that are in turn cross-referenced with other data sources to further extrapolate valuable information. The merchant then uses this to make themselves more competitive in the marketplace, or sells the information to others for profit. This data is sensitive and not obfuscated because it is this direct and targeted marketing data that others will pay for. But keeping this data forms the basis for credit fraud and identity theft as it relates to these merchant breaches. In Hannaford's own words here.
Think about this another way: How does a grocery store justify keeping debit card numbers? It is certainly NOT dispute resolution like it is claimed with Credit Cards. The money is transferred immediately. I cannot call up and refuse payment like I can with a credit card. So why would a company continue to keep private information if it involves both cost (IT Infrastructure) and risk (Theft)?
Do you think merchants are trying to have their cake and eat it too?
I mentioned the Payment Intermediary concept in the previous post as well, for consumer privacy in that context, and security in this context. That proxy concept I felt had great promise for providing a platform for anonymous purchases. I would have a relationship with the credit card company, and the credit card company has a relationship with the merchant to clear payment. I would only need to authenticate to one party, the credit card company, and not every merchant. Another major advantage to the consumer when this type of payment proxy is implemented is not allowing some merchant to play fast and loose with my financial information. They don’t have it so they can’t lose it. There would not be an exchange with the merchant of the credit card number or other related information, only the credit card company payment.
Sure, purchasing Internet goods requires that the name and address information be passed, but for services, the purchase of virtual goods or in-person purchases, there may not even be that. At its core it relieved the merchant of the responsibility of having to store the credit card number, and simply keeping the transaction number for dispute resolution. Does a merchant need to be involved in the credit card validation process at all? Note that I am also making the same assumption Rich is making that, due to the time frame and number of account numbers, this had to be an HQ central breach as they simply would not have been able to obtain 4.2 million unique numbers from any single grocery store.
And on the subject of Internet purchases, do you ever remember Amazon asking you if you wanted them to store your credit card? Neither do I, but they do it anyway. Half of the airline web sites do as well. I have no information to support the claim, but I will bet better than 50% of online merchants hold credit card data long term. As a consumer, I don’t want this because I DO NOT TRUST THEM. Nothing personal. Call it fear of the unknown, but I have no idea how good their security is and would not have chosen for them to keep the number if I had a choice. Credit card issuers should not be keen on this either, as it creates unnecessary risks.
I am told the Internet payment intermediary concept failed because the merchants refused to participate, claiming that they lost the customer relationship. I cannot prove this to be true, but there is certainly evidence that makes this believable. More likely it was because they lost the personal consumer data, which had a hard dollar value to them. The point remains that a solution was proposed that could have provided privacy, and removed one additional link in the chain for credit card processing, which I assume would result in reduced credit card fraud. There will come a time that the merchant behavior and business model will force credit card companies to take action to maintain their profits and reduce fraud rates. Visa IPO anyone?
There were a number of publicized reports after the TJ Maxx breach that various merchants were complaining of being forced to store credit card information for the purpose of dispute resolution. I have made some inquiries and done a bit of research, but I have never seen anything published that confirms or denies this report. So until I see otherwise, I assume that the merchants create the problem as they are trying to derive value from customer information, which may include the credit card or debit card number.
One final note on Rich’s post: PCI is not worthless. PCI should be considered ‘Security 101: Basic Best Practices’. A PCI audit on the other hand, as a bare minimum lowest common denominator, is worthless. If you need someone to certify you’re doing the absolute minimum, you’re really missing the entire point of the exercise.
Posted at 03:28 AM in Fraud
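The payment intermediary described in this post and the one before it is a small enough protocol to write down. Here is an added example of the exchange with both sides in it; it is not code from this blog, from American Express or from any card network, and the `Issuer`, `Merchant` and token structure are constructed for the example. The consumer authenticates to the issuer once and receives a single-use token bound to one merchant, one amount and a short expiry; the merchant presents the token to the issuer for clearing and stores only the transaction id it gets back. The card number never leaves the issuer, so there is nothing for the merchant to lose. The card number in the scenario is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// token is a single-use payment authorization bound to one merchant and amount.
type token struct {
	merchant string
	amount   int // cents
	expires  time.Time
	spent    bool
}

// Issuer is the one party the consumer authenticates to; it alone holds card numbers.
type Issuer struct {
	cards  map[string]string // consumer id -> card number (constructed sample values)
	tokens map[string]token
	txSeq  int
}

func NewIssuer(cards map[string]string) *Issuer {
	return &Issuer{cards: cards, tokens: map[string]token{}}
}

// Authorize is the consumer side: an authenticated consumer gets a token that is
// worthless anywhere but at this merchant, for this amount, for ten minutes.
func (i *Issuer) Authorize(consumer, merchant string, amount int, now time.Time) (string, error) {
	if _, ok := i.cards[consumer]; !ok {
		return "", errors.New("unknown consumer")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%x", b)
	i.tokens[tok] = token{merchant, amount, now.Add(10 * time.Minute), false}
	return tok, nil
}

// Clear is the merchant side: the issuer checks every binding, marks the token
// spent and hands back only a transaction id, which is all a dispute needs.
func (i *Issuer) Clear(merchant, tok string, amount int, now time.Time) (string, error) {
	t, ok := i.tokens[tok]
	switch {
	case !ok:
		return "", errors.New("unknown token")
	case t.spent:
		return "", errors.New("token already spent")
	case t.merchant != merchant:
		return "", errors.New("token bound to a different merchant")
	case t.amount != amount:
		return "", errors.New("amount mismatch")
	case now.After(t.expires):
		return "", errors.New("token expired")
	}
	t.spent = true
	i.tokens[tok] = t
	i.txSeq++
	return fmt.Sprintf("TX-%06d", i.txSeq), nil
}

// Merchant keeps transaction ids for dispute resolution and nothing about the card.
type Merchant struct {
	Name     string
	Receipts []string
}

func (m *Merchant) Checkout(iss *Issuer, tok string, amount int, now time.Time) error {
	tx, err := iss.Clear(m.Name, tok, amount, now)
	if err != nil {
		return err
	}
	m.Receipts = append(m.Receipts, tx)
	return nil
}

// Result summarises the constructed scenario played out in RunScenario.
type Result struct {
	Purchased, ReplayRejected, WrongMerchantRejected, ExpiredRejected, MerchantHoldsCard bool
}

// RunScenario plays one purchase through the intermediary, then tries the misuses
// the token binding is meant to stop. The card number is a constructed test value.
func RunScenario() Result {
	const card = "4111111111111111"
	iss := NewIssuer(map[string]string{"alice": card})
	grocer, other := &Merchant{Name: "grocer-1"}, &Merchant{Name: "grocer-2"}
	now := time.Date(2008, 3, 20, 12, 0, 0, 0, time.UTC)
	var r Result
	tok, _ := iss.Authorize("alice", "grocer-1", 4299, now)
	r.Purchased = grocer.Checkout(iss, tok, 4299, now) == nil
	r.ReplayRejected = grocer.Checkout(iss, tok, 4299, now) != nil
	tok2, _ := iss.Authorize("alice", "grocer-1", 1500, now)
	r.WrongMerchantRejected = other.Checkout(iss, tok2, 1500, now) != nil
	r.ExpiredRejected = grocer.Checkout(iss, tok2, 1500, now.Add(time.Hour)) != nil
	// Everything the merchant stored, rendered as text: the card number is not in it.
	r.MerchantHoldsCard = strings.Contains(fmt.Sprintf("%+v", *grocer), card)
	return r
}
```

The bindings in Clear are what make a stolen or sniffed token close to worthless: it clears once, at one merchant, for one amount, inside a short window. A breach of the merchant's records yields transaction ids and nothing that can be re-spent, which is the "they don't have it so they can't lose it" property the post is after. The part no code fixes is the one the post identifies: the merchant also loses the customer data it wanted to keep.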
I am going to be at the IT Security Forum held at Stanford University on March 11th, and the Data Protection Summit on the 12th and 13th down in Irvine. Let me know if you plan on attending either event. See you there!
Posted at 11:52 AM in News & Events