Security Insights


by Gene Schultz, PhD, CISM, CISSP


The “Fortress Mentality”

Information security has proven itself immensely valuable in just about every sector—commercial, government, research institutions, and more. At the same time, however, certain barriers stifle progress, resulting in security-related incidents that might not otherwise have occurred, or in unnecessary escalation of the cost and impact of incidents that do occur.

One of these barriers is something that Tom Longstaff, now of Johns Hopkins University, and I first identified and documented way back in the late 1980s: the “fortress mentality.”

The “fortress mentality” means investing the preponderance of resources and effort in preventative controls, to the point that those who have done so come to view their computing environment as a kind of impenetrable bastion that cannot be breached.

One of the main problems with the “fortress mentality” is that it makes information security practitioners blind to the real nature and impact of risk. No single control or group of controls (e.g., in a “defense-in-depth” approach) mitigates all the risk it is deployed to counter. Residual risk invariably remains after controls are deployed.

With most resources and effort devoted to preventative controls, the other parts of the security cycle, namely detection and reaction/correction, are overlooked. Among the unfortunate consequences is not being able to quickly and efficiently detect and react to security breaches that occur.

Consider what happened recently to TJX. Had technical staff promptly detected the intrusions that led to so many successful identity thefts, TJX’s financial losses resulting from the break-ins would have been considerably less. Instead, the incidents went undetected for approximately one year, something that resulted in skyrocketing losses.

Virtually everyone knows that modern armies do not rely on fortresses. Any army that stayed inside a fortress would be blasted to bits by today’s weaponry—it would be a “sitting duck.” The same applies to information security controls. Although up front (preventative) controls are highly desirable, more dynamic controls that detect and mitigate incidents are just as necessary. Consider, too, the need for reinforcement troops in military engagements in case the front line gets breached.

I worry that auditors also reinforce the fortress mentality in their audit findings and recommendations. I fear that too many auditors do not really understand or appreciate the nature of detective and corrective controls; they instead focus mainly on the quantity and quality of preventative controls when they conduct audits.

Perhaps worse yet, if they do recognize the value of detective and corrective controls, they might translate these requirements into a need for intrusion prevention tools. Although intrusion prevention is an up-and-coming technology, it is still a far from perfect one that is by no means sufficient when it comes to detective and corrective capabilities.

The best solution for combating the problem is security education and awareness, with the target audience being information security professionals, senior management and auditors.

Until the “fortress mentality” becomes a thing of the past, something that eventually will happen, it will continue to interfere with information security professionals’ ability to effectively manage security-related risk.

~ : ~

Doing Away with CIA

The time-honored notion that the goal of information security is to protect confidentiality, integrity and availability (CIA) lives on.

Confidentiality means keeping sensitive and/or valuable information from unauthorized disclosure. Integrity means guarding against unauthorized changes to information as well as to system files and executables. Availability means assuring that stored information, as well as access to systems, applications, and services, is available when needed.

Whereas CIA looks good on paper and makes a wonderful acronym for use in security education and awareness, like a growing number of information security professionals, I have for some time doubted that CIA truly captures the essence of the goal of information security.

None of us skeptics deserves credit for wanting the goals of information security expanded beyond CIA; the now long-retired Donn Parker does instead. Perhaps the CIA model was appropriate years ago when computing environments were simple and before major developments such as electronic business emerged. Saying that this model is appropriate in today’s computing world does not, however, make much sense.

One of the biggest limitations of thinking of information security goals only in terms of CIA is that non-repudiation and authenticity of electronic business transactions do not fit into the CIA model. Non-repudiation means that the originator of an electronic transaction cannot later plausibly deny having originated the transaction. Without non-repudiation, e-business transactions as we know them would probably not exist; electronic merchants would not be able to do business profitably.

Another limitation of CIA is that it does not take into account the ever growing need for accountability on the part of system administrators, users, and even auditors when they access systems, databases, applications, and more.

The usage pattern of every user who gains computer access must be subject to critical scrutiny, scrutiny that is made possible through the availability of system and application audit, intrusion detection, firewall and security event management output. Accountability is in fact one of the essential elements in a successful information security practice.

Another omission from the classic CIA model is privacy.

Privacy might superficially seem like a sub-topic under confidentiality, but privacy goes way beyond confidentiality. True, users’ data must be protected, and data protection is part of privacy, but the fact that users have accessed certain Web sites (such as mental health hotlines) is well beyond the matter of data confidentiality. Much of the world, the US in particular, has been slow to pick up on the need for privacy in computing, but the awareness of this need is growing, as reflected by recent pending legislation in the US.

Finally, the CIA model does not take into account the need to be able to perform computing tasks without disruption, something that I would term productivity.

IT resources are purchased, implemented and maintained with the goal of increasing productivity within an organization. Certain events, such as receiving spam or unwanted IM messages, disrupt users’ productivity. The growth of spam over the last five years has been disheartening: certain studies show that as much as 80 to 90 percent of all Internet traffic consists of spam. The notion of spam was, however, virtually unknown when the CIA model was originally created.

So what started as CIA is now minimally CIANPP—not a very catchy acronym, to say the least. But it fits and it works considerably better in today’s computing world to the point that the now ancient CIA model needs to be abandoned.

~ : ~

Misconceptions about Computer Forensics

Of all the areas in which information security professionals become involved, few are more fascinating than computer forensics. I suspect that there is a bit of the spirit of Columbo, the legendary investigator in a 1970s TV series, in many information security professionals, perhaps even myself included. The idea of coming to a crime scene, investigating, and gathering evidence without contaminating it is indeed intriguing.

At the same time, I am concerned that a number of misconceptions about computer forensics have become more prevalent.

One of the most common of these misconceptions is that a forensics effort needs to be perfect if evidence is to hold up in a court of law. Although it behooves every member of an investigation team to try as hard as possible to follow correct forensics procedures precisely, mistakes happen. When they do, the results are not necessarily catastrophic.

Consider the case of a botched forensics investigation at a large Department of Energy lab. A system administrator ran a pornographic Web site using a government computer. The lab’s incident response team was called in to investigate, but the team did not make an image backup of the system on which the Web site ran, nor did this team isolate the system from the network. Shortly afterwards someone accessed the system and erased all information from the system’s hard drive.

Despite this forensics catastrophe, the accused ended up pleading guilty to several charges.

A second misconception is that everyone on an incident response team needs to be a certified forensics expert. Although having multiple forensics experts on such a team is highly desirable, it is not normally either practical or cost-effective to have everyone possess that high a level of expertise.

Training is essential in enabling individuals to become forensics experts, but resources are invariably limited, and there are other critical areas besides forensics in which team members need training. Spending a disproportionate amount of these resources to make each team member a forensics expert is thus generally difficult to justify.

As long as a bona fide forensics expert oversees each evidence handling and gathering effort, other, less qualified team members are likely to be able to deal with forensic evidence in a reasonable manner.

Another misconception is that forensics specialists really need to develop forensics-related knowledge and skills, but not knowledge and skills that apply to other areas within information security.

The reality is that no forensics expert is likely to be engaged in forensics work most of the time. Having other knowledge and skills is thus important; otherwise, resources are wasted when incident response team members have nothing to do for a significant portion of each workday because they lack other types of knowledge and skills.

Still another misconception is that forensics procedures must be part of every incident response effort.

Many attacks involve outbreaks of worms and viruses; collecting and archiving forensic evidence in these cases usually makes no sense at all. Other incidents may not be of sufficient magnitude to justify the cost of engaging in a forensics effort. Others may involve attacks from afar that are neither likely to be traced nor to result in criminal prosecution.

Contrary to what many technical staff members think, therefore, it should be a management decision whether or not to put forth the cost and effort to engage in forensics procedures while an incident is in progress.

A final misconception about forensics is the notion that forensics necessarily involves the use of advanced technology.

Many think that if someone does not use sophisticated technology to gather evidence, including special hardware and software, the evidence has not been collected properly.

In general, having such hardware and software cuts down the time and effort needed to collect and analyze forensics data, and reduces the likelihood of mistakes. I would much rather have EnCase or the Paraben Forensic Replicator and Forensic Sorter or some other tool that not only captures forensic images but also aids in analyzing forensic data than not. However, a known-good copy of the dd (drive-to-drive copy) command can also make a legally defensible bit-by-bit backup of a system, and shell commands such as fgrep can be used for analysis purposes.
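The dd-and-fgrep approach just described, worked through as an added example (not the author's own procedure): image a drive bit for bit, prove the image matches the source with SHA-256 hashes taken before and after acquisition, record them in a log that travels with the image, and run the keyword search against the image rather than the original. It assumes a POSIX shell with GNU coreutils (dd, sha256sum, grep) and uses a constructed 16 KiB file in place of a real block device.

```shell
#!/bin/sh
# Added example: forensically sound imaging with plain dd plus hash verification.
# Assumes a POSIX shell, GNU/BusyBox dd, and sha256sum (or shasum/openssl).
# The "drive" below is a constructed 16 KiB file standing in for a block device.

# Hash a file with whichever SHA-256 tool is present; print only the digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Build a constructed sample "drive": 32 sectors of zeros with one web-log
# fragment written at byte offset 2048 (the client address is a test value).
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=32 2>/dev/null
    printf 'GET /private/index.html HTTP/1.0 client=203.0.113.7\n' |
        dd of="$1" bs=1 seek=2048 conv=notrunc 2>/dev/null
}

# Acquire a bit-for-bit image and prove it matches the source.
#   conv=noerror,sync keeps reading past bad sectors and pads them with zeros,
#   so the image stays sector-aligned with the original (real devices are
#   whole sectors; the constructed file is an exact multiple of 512 bytes).
# Hashing the source before AND after shows acquisition did not alter it;
# hashing the image shows it is an exact copy. All three digests go into a
# log that accompanies the image as the chain-of-custody record.
# Returns 0 only when all three hashes agree.
acquire_image() {
    src=$1; img=$2; log=$2.log
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(hash_file "$src")
    image=$(hash_file "$img")
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src bytes=$(wc -c < "$src" | tr -d ' ')"
        echo "image=$img bytes=$(wc -c < "$img" | tr -d ' ')"
        echo "sha256_source_before=$before"
        echo "sha256_source_after=$after"
        echo "sha256_image=$image"
    } > "$log"
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# Keyword search on the image, never on the original. grep -F is the modern
# spelling of fgrep; -a treats the binary image as text so a match buried
# between zero bytes is still reported. Returns 0 when the keyword is present.
search_image() {
    grep -F -a -q -- "$2" "$1"
}

# Stand-alone demonstration on the constructed drive.
work=$(mktemp -d)
make_sample_disk "$work/evidence.raw"
if acquire_image "$work/evidence.raw" "$work/evidence.dd"; then
    echo "image verified:"; cat "$work/evidence.dd.log"
else
    echo "HASH MISMATCH: image is not defensible" >&2
fi
if search_image "$work/evidence.dd" 'client=203.0.113.7'; then
    echo "keyword present in image"
fi
rm -rf "$work"
```

On a real acquisition the source would be the device node, opened read-only, and the log plus image would be written to separate, prepared media.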

In closing, let me assure you that construing the points I have raised in this column as an attack on forensics would be completely specious.

Without forensics as we know it, the fight against computer crime would be hopeless. The problem is that, as with every good thing, misconceptions surface over time, and forensics is by no means immune from this problem. These misconceptions need to be corrected; this posting represents a start in doing so.

~ : ~

Information Security Certifications

Not too many years ago there were no certifications for information security professionals. How things have changed over the years; there are now more types of certifications than one could ever have imagined. Believe it or not, I even know of one individual who has ten information security-related certifications, and he plans to pursue even more.

Information security certifications have gained considerable acceptance. Before they existed, individuals with marginal credentials and experience in information security could declare themselves information security experts without having demonstrated any competency in information security whatsoever. Certifications, while by no means perfect, now provide some level of assurance that certified individuals possess at least a baseline of skills and knowledge. Many information security positions now require at least one certification; some require more.

The content covered in certification exams is particularly critical. The Certified Information Systems Security Professional (CISSP) certification, for example, covers six core areas and four optional areas based on Generally Accepted Systems Security Principles (GASSP). The CISSP exam is one of the most difficult to pass, due mainly to the range of information the CISSP candidate must know. The questions in the physical security part of the exam are particularly challenging.

The Certified Information Security Manager (CISM) certification also stands out in my mind as having unusually good content, content that is related to the skills and knowledge an information security manager (ISM) must possess to be effective. The questions in this exam are difficult in that answering them correctly requires ability to analyze, synthesize and apply concepts derived from a job analysis performed on seasoned ISMs.

The Institute of Information Security Professionals (IISP) has recently developed a new and very creative approach to professional certification based on demonstrated knowledge and skills. Prospective members must write answers to questions and also be interviewed to determine their knowledge and skill level. Membership is granted only if the demonstrated level meets the criterion.

Unfortunately, the quality of certifications in the information security field is not uniformly high. Some certifications were launched with little planning and foresight; certain certification exams are not based on the GASSP, nor was a test plan even originally created and used to guide the inclusion of test items in these exams. Some examinations are not even proctored. A few organizations have tried to cover up the deficiencies in their certifications through vigorous marketing efforts.

As the proverbial dust surrounding information security certifications settles, the CISSP and CISM certifications have taken the lead in terms of perceived substance and quality. The IISP appears to have the most promising new approach. But when all is said and done, it behooves information security professionals to obtain at least one information security-related certification. The state of the art in information security has changed to the point that calling oneself an information security professional without having passed at least one examination created by peers or without having survived a rigorous interview by peers is no longer credible.

~ : ~

eDiscovery: The Next Big Compliance Nightmare

Compliance is on the radar of just about every information security practice. Regulations such as Sarbanes-Oxley (SoX), the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley (GLB), Basel II, the European Union Privacy Act, and many others have security-related provisions that require a considerable amount of planning, implementation and documentation effort.

Unfortunately, information security professionals too often get so immersed in attempting to comply with the plethora of information security-related regulations that they lose sight of what is on the horizon. A good example is a piece of pending legislation, H.R. 4127, the Data Accountability and Trust Act. In a nutshell, among other things this proposed legislation would require that organizations that have information needed for legal or investigatory purposes must retrieve and hand over this information to authorities within a specified period of time. Failure to do so would result in a large fine to be assessed every day the organization cannot produce the information.

The emergence of H.R. 4127 is due in large part to a series of incidents that have occurred over the last five years. One of the largest securities firms had to pay $15 million to settle a Securities and Exchange Commission (SEC) investigation of inadequate preservation of email. The same firm later had to pay $12.5 million because it withheld email messages needed in arbitration cases by asserting that they were lost in the Sept. 11, 2001 attacks against the World Trade Center. In 2002 the SEC and other regulators once again fined this firm for destroying email messages and backup tapes needed as evidence in a lawsuit against this company.

In simple terms, eDiscovery means the ability to locate information stored in electronic form. If signed into law, H.R. 4127 would in effect require that organizations implement adequate eDiscovery capabilities so that information needed in an investigation or court case could be readily located. eDiscovery is, however, in reality anything but simple, in large part because in the so-called age of information the amount of information possessed by organizations is both voluminous and extremely distributed. Add to these problems the ever-present probability of human error, and the challenge of eDiscovery becomes disproportionately complicated.

If H.R. 4127 does not pass this time, something like it will inevitably pass and be signed into law sometime in the future. Organizations must not be allowed to escape justice by simply and conveniently destroying information or by being unable to find it. But creating an adequate eDiscovery capability is bound to be one of the most difficult tasks facing an organization. Tools designed to facilitate eDiscovery are available, but the ones I have seen do not appear to adequately deliver needed capabilities. In their defense, eDiscovery is a recent issue; it will take time for vendors of these products to grow and improve the capabilities of their products.

So what I am trying to say is that eDiscovery looms on the proverbial horizon of information security practices. When eDiscovery becomes law, organizations will have to invest a considerable amount of resources, more than they have had to invest to achieve compliance in most other areas, to achieve eDiscovery compliance. So here is a word to the wise: be proactive. Now is the time to start investigating the requirements and how to meet them. Don’t be part of an information security practice that gets caught by surprise when eDiscovery is required by law.

~ : ~

Electronic Voting Systems: Is Sanity Starting to Prevail?

If you have been following developments in the information technology arena, you undoubtedly know of the many problems that have surfaced in connection with electronic voting systems. The accuracy of vote counts in two states (Florida and Ohio) that used electronic voting systems in the 2004 US Presidential Election came under considerably negative scrutiny.

Afterwards, elected officials in several states, most notably Maryland and California, had the security of these systems analyzed. The results were dramatic; investigators found that every major electronic voting system had significant vulnerabilities that could result in votes being mistallied. Some vulnerabilities that investigators discovered even allowed remote perpetrators to access these systems without authorization and gain complete control of them.

Instead of simply trying to fix the vulnerabilities that were found, vendors of electronic voting systems quickly tried to discredit the vulnerability analyses that had been performed, saying among other things that many of the potential attack avenues were not feasible in ordinary environments. Several vendors also launched vigorous public relations campaigns to control the public perception damage that the vulnerability analyses had caused.

The vendors were to some degree successful, but their efforts were, fortunately, insufficient to stem the growing tide of skepticism and mistrust surrounding the use of electronic voting systems. In some states within the US certain voting systems were decertified for use in elections. Several countries, Ireland and The Netherlands in particular, banned the use of electronic voting systems altogether.

Much of the furor surrounding the use of electronic voting systems has subsided now that the facts concerning the security of these systems are out on the table, so to speak. States within the US have been considerably more cautious concerning the use of electronic voting systems, and instead of continuing to discredit the vulnerability analyses performed on these systems, vendors have grudgingly turned to fixing these vulnerabilities.

Reason has prevailed; the hope of having secure voting systems is now within sight. I predict that in five years electronic voting systems will be widely used with great confidence within the US as well as abroad. And although the problems surrounding these systems are likely to be largely forgotten over time, hopefully the “lessons learned” surrounding the security of these systems will not.

Before any type of computing system is used for any critical function, security should be built in by the vendor and vulnerabilities should be thoroughly analyzed and corrected. To use vulnerability-ridden systems for any critical function should be out of the question. Unfortunately, vulnerability-filled systems are used routinely in today’s information technology environments, but people will eventually realize that the cost of deploying these systems is in the long run much higher than the cost of deploying secure systems.

~ : ~

Security Perimeters Under Fire

The concept of a security perimeter is well-established within the world of information security. A security perimeter is a logical network boundary that surrounds and protects internal computing resources and devices. The advent of firewalls (as crude as the first ones were) in the early 1990s, followed shortly afterwards by the emergence of the concept of a demilitarized zone (DMZ), paved the way for deploying security perimeters to protect networks against externally initiated attacks. Cheswick and Bellovin’s now classic book, Firewalls and Internet Security: Repelling the Wily Hacker, served both as an impetus and a guidebook for creating security perimeters.

At the same time, however, various obstacles have prevented organizations from creating “bulletproof” security perimeters. Dial-in access, something that frequently bypasses firewalls, thus creating “leakage” in security perimeters, came first. The list of other obstacles—peer-to-peer protocols, wireless networking, virtual private networks, proxy servers, and more—has since grown considerably. Accordingly, a security perimeter that has no leakage whatsoever is more of an ideal than anything else.

Critics have assailed security perimeters from the start, and rightly so. Too often organizations set up firewalls and DMZs and then relaxed, assuming that they had a very high level of network security that could not for all practical purposes be breached. A kind of “fortress mentality” prevailed among many of those who had set up security perimeters. A combination of penetration testing results and security breaches in which firewalls were compromised or bypassed has provided startling wake-up calls to many individuals who were naïve about security perimeters, however.

Another, more vigorous level of assault against security perimeters surfaced about six or seven years ago. A group of individuals formed the Jericho Forum, an organization that propounds boundaryless (deperimeterized) environments. This view is in response to the fact that the nature of network connections has become so diverse and complex that it is virtually impossible to enforce a security perimeter; other means of securing connections and internal systems and devices are therefore necessary. I fear, however, that the Jericho Forum has thrown the proverbial baby out with the bath water. They are correct in pointing out that not all networks, especially ones in which customer and B2B transactions dominate the activity within, are conducive to security perimeters. At the same time, however, they have failed to point out environments and situations that would be well served by security perimeters.

Are security perimeters still viable, or are they an outmoded concept? Despite their inherent limitations, security perimeters are still a potentially useful concept in that they can serve as one of several layers of network defenses. Having one or more external firewalls can, for example, substantially reduce the amount of traffic due to externally initiated attacks, especially “script kiddie” attacks and vulnerability scans. Keeping “garbage” traffic out makes sense. The key point is that one should never rely on any security perimeter or any other single type of security control, no matter what it is. Other security controls are necessary so that if a security perimeter is breached, other controls that counter the attack will still be in place.

~ : ~