April 28th, 2008
While I am still on the topic of the relative security of one operating system versus another, it is a good time to mention the results of a fascinating study recently conducted by Stefan Frei, Bernhard Tellenbach and Plattner of the Computer and Engineering Networks Laboratory at the Swiss Federal Institute of Technology.
The results of this study show that from 2002 through 2007, 678 vulnerabilities (including 658 high- and medium-risk vulnerabilities) in Windows operating systems were discovered. Over the same period 810 vulnerabilities (including 738 high- and medium-risk vulnerabilities) in MacOS were identified.
Not only did MacOS have more vulnerabilities, but Apple was on the average slower in developing and releasing patches for the vulnerabilities. Furthermore, over the six year time period covered in the study, there were more unfixed vulnerabilities in MacOS as well as a higher number of attacks in which these vulnerabilities were exploited (including by using zero-day exploits) than in Windows systems.
I’m not a betting person, but if I were, I’d bet that Steve Jobs was extremely surprised and displeased when he learned of the results of Frei and his associates’ study.
Somehow, I am not at all surprised. But I do not think that the results of this study in any way prove that Apple is somehow bad at product security, nor do the results suggest that Microsoft is doing exceptionally well in its product security. Instead, it is apparent that when it comes to security, Microsoft currently surpasses Apple.
I’d like to think that a huge change in Microsoft’s attitude about and approach to security in its products started with its Trusted Computing Initiative (TCI), which Bill Gates first announced six years ago in response to the many massive worm infections and other security problems that plagued Windows systems at that time.
TCI’s provisions included mandatory security engineering training for developers as well as other employees and monetary compensation and promotions given to developers according to how bug-free their code was. Critics initially scoffed, saying that the TCI was nothing more than a big publicity stunt, but they were dead wrong. Slowly but surely, Microsoft products have improved in their out-of-the-box security, and Microsoft has showed itself to be increasingly responsive in dealing with security-related vulnerabilities found in its products.
By all appearances, the TCI thus stimulated changes within Microsoft that have resulted in substantially improved (or perhaps better said, substantially improving) product security. There appears to be no such impetus within Apple now, nor does there ever appear to have been one.
The Frei et al. study also provides further corroboration that all is not as well in the Mac security arena as the Mac user community believes, and, accordingly, that this community should not relax, thinking that their machines are as safe as can be.
Vulnerabilities for which there are exploits, but for which a vendor has not produced a patch, raise the level of security-related risk substantially.
A little healthy paranoia, a paranoia that we all really should have anyway, would go a long way within the Mac user community right now. And at the same time, the results of the Frei et al. study should not in any way make the Windows user community smug, either.
Windows systems are still a major target of attacks, and a generous supply of free tools designed to breach the security of Windows systems is freely available to the public on the Internet.
Let’s face it; the world of computing is not a very pretty place right now when it comes to security. It is thus quite noteworthy that at this point in time, Microsoft seems to be realizing this and is doing something about it, and doing so better than Apple is.
~ : ~
April 24th, 2008
The CanSec Conference has a reputation as one of the best information security conferences anywhere, and apparently the recent one that was held in British Columbia was no exception.
One of the most interesting events at this conference was a hacking event in which white hat attacker contestants launched attacks against a variety of machines running different operating systems: Windows, Linux, Unix, and others. Interestingly, a Macintosh running Leopard OS X 10.5.2 was the first to be broken into.
I know a lot of Mac fanatics who probably will not believe the news about what happened; many of them believe that Macs are very secure out of the box and that vulnerabilities that are discovered in these boxes are almost always minor ones. In the past, some of my job responsibilities included issuing security alerts; more than a few times Mac users who received them bristled at the notion that any serious security vulnerability could be present in this operating system.
I have no ax to grind concerning Macs. I would, in fact, if anything, call myself a Mac enthusiast. Most of the computers that I personally own are Macs, and I have converted my wife, my father, my children and several close friends over to Macs because, frankly, Macs are in my estimation the easiest type of computer for home users to operate day in and day out.
Macs do not, for example, seem to get infected by viruses, worms or Trojans nearly as frequently as do Windows systems. Additionally, Macs do not have a Registry or anything resembling this massive, confusing repository of system and application parameters in Windows systems.
At the same time, however, even the most avid Mac enthusiast needs to be acutely aware that Macs are becoming a more and more frequent target of attacks.
Just look at the recent growth in the number of Web postings on this topic and the greater emphasis Mac hacking has been receiving at information security conferences. The black hat community is now openly interested in attacking Macs.
Remember, too, that MacOS 10 is actually a variant of Berkeley Unix, an operating system that has been frequently and proficiently attacked for several decades now.
Out-of-the-box Macs (like many other operating systems) are not bad when it comes to security, but some amount of effort must be expended to make this operating system adequately secure. And securing an operating system is only the beginning of achieving suitable levels of security.
Vulnerabilities in Web browsers and other applications can be exploited just as readily as operating system vulnerabilities, as nicely shown by the fact that the break-in to the Mac at the recent CanSec Conference was through exploiting a vulnerability in Safari. So believing that Macs are sufficiently secure to withstand attacks without having to change certain configuration settings, turn off services, and install patches is sheer idiocy.
Which particular operating system is most secure is more a matter of religious debate than anything else. At the same time, however, CanSecWest’s hacking contest produced a clear winner: Ubuntu (a version of Linux), the only operating system that withstood all attacks against it.
Hopefully, all these events will help serve as a gigantic wake-up call to the Mac user community: Macs, like any other operating system, need to have their security tightened if they are going to be able to withstand today’s highly sophisticated and numerous attacks.
~ : ~
April 21st, 2008
The fact that additional data security breaches have recently occurred should come as no surprise. What is so interesting about one of the most recent ones, however, is the way 4.2 million pieces of credit and debit card information at Hannaford Supermarkets appear to have fallen into the wrong hands.
This supermarket chain stored the card information in branch servers that collected and stored information sent from its many points of sale before forwarding it to central servers. Perpetrators appear to have broken in to one or more of these branch servers to gain unauthorized access to this information.
Ironically, it appears Hannaford Supermarkets was compliant with PCI-DSS data security regulations. To its credit, this corporation promptly notified the credit and debit card holders. This incident shows that although the PCI-DSS regulations are basically sound from a security standpoint, they are by no means perfect. Being PCI-DSS compliant is no guarantee that data security breaches will not occur. Hopefully, the PCI-DSS consortium will consider changing these regulations in a manner that will help prevent incidents such as the one that Hannaford Supermarkets experienced.
Elsewhere, a stolen laptop resulted in sensitive medical data pertaining to 2,500 patients who were participating in a National Institutes of Health (NIH) study being compromised.
Superficially, a data security breach involving only 2,500 individuals does not appear to be very noteworthy in comparison to ones in which millions of pieces of data have been compromised (as in the case of Hannaford Supermarkets).
The nature of the information compromised in the NIH laptop incident makes this mishap very significant, however. Names of the patients, their medical diagnoses, and information concerning their heart scans were among the data stored on the stolen laptop system.
Although federal law requires encryption of clinical trial and similar information, none of this information was encrypted. And though this incident occurred nearly a month ago, the NIH did not notify potentially affected individuals until last week, saying that notifying individuals earlier might have caused undue alarm.
What a crock! I hope that news about this incident and the way it was handled causes you to experience the same amount of indignation toward NIH that I feel. NIH was clearly downright negligent in its care (or perhaps better said, its lack of care) in handling these sensitive data, and it only made things worse when it failed to promptly disclose what happened to those who were potentially affected. NIH management ought to be preparing new resumes, if they have not already done so.
The toll from data security breaches continues to mount, yet organizations around the world continue to remain in blissful ignorance unless they experience a data security breach firsthand.
The fact that there are so many threat vectors, and also that data retention and eDiscovery requirements preclude data destruction practices that were commonplace only a few years ago, greatly compounds the risk.
One can only wonder how many data security breaches will have to occur before senior management finally catches on that there is a big problem here and that something needs to be done about it.
~ : ~
April 17th, 2008
One does not have to be very observant to notice just how many data security breaches have been occurring over the last few years. It is almost as if data security breaches are becoming an epidemic. Financial losses have also mounted accordingly, and there appears to be no end in sight.
In information security governance there are four possible responses to security-related risks: to eliminate them (often by getting rid of a type of vulnerability-ridden technology altogether), to mitigate/reduce them, to accept them, or to insure against them.
Historically, organizations have tended to mitigate risk or accept it more than anything else. The last of these options, insurance, has not been popular for a number of reasons, including the fact that it tends to be expensive, and also that when security-related incidents occur, insurers have too often not reimbursed insurees adequately (at least according to the latter’s perception).
I suspect that another reason that taking out insurance has not fared all that well in the information security arena is that senior management has too often summarily dismissed talk about potential security incidents within their own organizations.
“Have any major security incidents occurred within our organization?” is too often their response when they are urged to expend resources to counter security-related risk. When information security professionals respond by pointing out real-world incidents that have occurred in other organizations, senior management frequently remains unconvinced and unmoved.
But data security breaches have now become widespread; I cannot think of any major sector (e.g., transportation, petroleum, manufacturing, and so on) within the business arena or even within the government arena that has escaped having at least one massive and widely publicized data security breach.
Thus although insurance against security risk has not fared all that well so far, perhaps insurance against data security breaches might fare better.
Not long ago a Canadian insurance company must have been thinking the same way, because it announced that it will offer insurance against data security breaches. If such breaches occur, this company will reimburse the insured victim for costs associated with computer damage, notifying potentially affected individuals, and losses that credit card companies suffer due to identity theft.
I think that this company has caught on to something that is bound to be more popular than conventional security insurance, and I expect that the announcement of this specialized form of insurance will be only the first of many from other insurance companies within the next few months.
It is also safe to say that you can count on an increasing proportion of organizations taking out insurance against data security breaches.
On the other hand, if insurance companies continue their historical pattern of not reimbursing insurees in accordance with insurees’ expectations, this form of insurance will start to become less and less popular.
Only time will tell.
Meanwhile, though, the notion of offering a very specific form of security insurance against a type of incident that is plaguing nearly every organization, the data security breach, seems like a very good one.
~ : ~
April 14th, 2008
MTV recently experienced a data security breach in which files containing the data of approximately 5,000 employees were accessed without authorization. Names, dates of birth, Social Security numbers, and salary information were all potentially compromised.
Although a data security breach involving this small a number of users is normally hardly worth noticing compared to some of the massive data security breaches that have occurred in the past, something about MTV’s breach stands out. The cause was unauthorized access to an employee’s computer while it was connected to the Internet, not a lost or stolen laptop or a breached server.
My first reaction when I heard of this incident was to ask why employee data were on a user’s computer in the first place, especially after the widely publicized incidents involving stolen and lost PCs that the Veterans Administration, Ernst and Young, and others experienced. I would like to see MTV’s policy regarding where and how personal and financial data can and cannot be stored.
Additionally, why did the employee’s computer have security vulnerabilities that could be remotely exploited to allow someone to gain unauthorized access to it? I would like to find out what MTV’s vulnerability patching program is like, or whether it even has such a program. My guess is that if a security audit were to be conducted at MTV, there would be some significant findings related to data storage and protection practices as well as vulnerability discovery and patching practices.
Finally, I would love to learn how long it took MTV technical staff to discover the security breach. My suspicion once again is that this incident was not detected shortly after it occurred.
At the same time, however, MTV hardly deserves to be singled out. Lamentably, in most security practices there is almost always a big gap between needed and actual security controls. It is becoming increasingly apparent that there are so many ways that data can become compromised (via lost and stolen laptops, lost or stolen backup media, lost or stolen flash drives, break-ins into servers, improperly configured Web sites, spyware, social engineering, sniffing, and now break-ins into individual employees’ computers) that this gap appears to be growing faster than senior management (and even information security professionals) within organizations realize.
One thing that security practices can do to bridge at least some of this gap without major allocation of resources is to improve their incident detection and response capabilities. With better incident detection and response capabilities, organizations can at least quickly identify and respond to incidents, thereby minimizing their impact, damage, and ultimately financial loss.
Intrusion detection event correlation often delivers the best “bang for the buck,” and if MTV does not use this technology, perhaps it is time for this corporation to consider doing so.
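As an added example that is not part of the original post, the following Python script shows the kind of event correlation the entry refers to. It reads constructed sshd-style log lines (an assumed format, not MTV's logs or any real system's) and raises an alert only when one source address accumulates several failed logins and then a success within a short window. A rule that looks at each failed login in isolation would never fire on this pattern; the correlated view is what turns noise into an incident worth responding to.

```python
"""Minimal event correlation over constructed sshd-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumption: syslog-like format; not real data).
SAMPLE_LOG = """\
2008-04-14T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51000
2008-04-14T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2008-04-14T09:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 51002
2008-04-14T09:00:07 sshd[101]: Failed password for admin from 203.0.113.7 port 51003
2008-04-14T09:00:09 sshd[101]: Failed password for admin from 203.0.113.7 port 51004
2008-04-14T09:00:12 sshd[101]: Accepted password for admin from 203.0.113.7 port 51005
2008-04-14T09:05:00 sshd[102]: Failed password for bob from 198.51.100.9 port 40000
2008-04-14T09:30:00 sshd[103]: Accepted password for bob from 198.51.100.9 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when a source has >= threshold failures followed by a success within window.

    A lone failure (bob at 09:05) ages out before his later success, so no alert.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that fell outside the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "at": ev["ts"],
            })
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['at']}: {alert['failures']} failures then success "
              f"for {alert['user']} from {alert['src']}")
```

The threshold and window are the tuning knobs: too small a window misses slow, patient guessing, while too large a threshold misses a short burst that happens to succeed. In practice the same sliding-window structure is keyed on whatever the log provides (source address, account, host) and fed from several sources at once, which is where the correlation pays for itself.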
~ : ~
April 8th, 2008
Occasionally I hear something that strikes me as unusually incorrect. Most of this information is about world news, the stock market, and politics, but some of it is within the mainstream of information security. Consider an example from a conference at which I recently participated in a panel on emerging security threats and risk.
After a few panel members made their opening spiels, another panel member made one that contained a claim that government compliance burdens were currently the biggest information security risk of all. He asserted that the federal government is so badly over-regulating organizations that the cost of security compliance exceeds the expected loss from security-related incidents.
Shortly afterwards a member of the audience challenged the panelist who made this assertion, saying that information security compliance is actually beneficial to information security practices in that it often results in obtaining resources needed to implement security controls that would not otherwise have been available.
The audience member was correct; I was impressed with his challenge, because it was clear that he had considerable real-world experience in information security, something on which reality in information security is heavily based.
I then added that not only does security compliance make resources available to information security practices, but security compliance issues provide a natural way for security professionals to win the proverbial ear of senior-level management, which learns very quickly in MBA programs about the importance of compliance.
Furthermore, I said that the provisions of most of today’s security-related regulations are really quite reasonable.
For example, PCI-DSS requires that credit card data must be stored in machines that are not directly accessible from outside an organization’s internal network. Additionally, it requires that credit card data at rest must be encrypted.
One does not have to know very much about basic principles of information security to realize that a competent security practice would implement these two security control measures regardless of whether it was required to by PCI-DSS regulations.
After the session ended, all I could do was hope that not many of those who attended the session ended up believing that government overregulation is the greatest security risk that we information security professionals face.
Several years earlier at another conference a speaker advised the audience to “strike back,” that is, to damage or disable systems that attack their systems, no matter who owns these systems and where they reside. Additionally, I recently read an otherwise very nicely written article in an information security journal that advised the readership to avoid disconnecting potentially compromised systems from the network during investigation of potential security breaches. And, believe it or not, I once heard a speaker claim that because there are vulnerabilities in the WEP (Wired Equivalent Privacy) protocol, it is better to have no encryption in wireless networks than to use WEP.
Honestly, these are just a few of scores of sordid examples of misinformation and advice that have been spread in the name of information security training and awareness.
Free exchange of ideas among professionals is something to be highly valued and desired. At the same time, however, I worry that fledgling information security professionals and students will believe some of the obviously wrong advice and information to which they are exposed.
Fortunately, certain processes, the best known of which are reviews of papers and articles that are submitted to journals and magazines, help weed out submissions by faulty thinkers and talks by unknowledgeable speakers.
But no process is perfect. So after thinking about this problem for some time, I’ve come to the conclusion that all one can do is to firmly but politely point out specious assertions and poor advice to ensure at least that those who are more likely to accept both at face value are less likely to do so.
I view doing this as a professional obligation, in some respects a matter of ethics, so that the truth as we know it (e.g., the GASP, Generally Accepted Security Principles) will be properly disseminated and preserved.
~ : ~
April 3rd, 2008
Ethics in information security is such an important topic that I feel the need to cover just a little more about it. As I said in my last blog entry, different professional organizations have different ethics standards. Consider, for example, the Information Systems Audit and Control Association’s (ISACA) code of ethics. Some of the provisions include:
- Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
- Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
- Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
- Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
- Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
These provisions are only part of the complete set of ISACA’s code of ethics, but anyone who reads these provisions and seriously thinks about what each actually entails will almost certainly feel a bit overwhelmed.
Consider, for example, the fourth provision above. An information security professional or auditor must agree to undertake only those activities that one can reasonably expect to complete with professional competence.
Does this mean that if an information security professional is undertaking an activity for the first time without suitable training or guidance from another professional, the person should seriously consider not undertaking the activity?
I worry that this provision does not seem to make allowances for the “learning curve” in professional work.
The next provision requires that appropriate parties be informed of the results of work performed, revealing all significant facts known to them.
Does this provision require someone who has, for instance, had an external penetration test conducted to inform users within an organization of the testing outcomes and recommendations?
Users’ on-line security might, after all, be adversely affected if vulnerabilities found as a result of the penetration test were exploited by an external attacker.
The point that I am trying to make is that I suspect that those of us (myself very much included) who must abide by certain ethical standards to be certified by various professional organizations almost without exception take the time to read these standards, but we probably do not adequately think about what abiding by them genuinely entails.
Acting in accordance with certain provisions is likely to be far more complicated than one would imagine, and in some cases I fear that on-the-job political considerations might dictate deliberately failing to comply.
Distributing certain security-related information (such as performance metrics that reveal a number of deficiencies in the information security function) to a function within an organization that has a bona fide need to know, but that has proven itself adversarial to the information security function could, for example, be tantamount to political suicide.
Ethics should be one of the most important motivators of on-the-job behavior of information security professionals. It thus seems ironic that we spend so much time and resources teaching users that they should choose better passwords and system administrators that they should configure systems in accordance with certain security standards, but do so little to educate information security professionals concerning ethics.
An appropriate start would be for certification-granting organizations such as ISACA and (ISC)2 to expend considerably more effort in helping security professionals learn much more about the meaning and implications of relevant ethical standards and to train these individuals in applying ethical provisions to real-life on-the-job situations.
~ : ~