Tuesday 31 July 2007

The bare minimum

I had the good fortune to get in touch with one of the great security thinkers recently. You may have heard of him if you've read these posts before, or you may have come across him in your own research. He should certainly be more famous than me, but as he says himself, "I'm not a good marketer."

Fred Cohen has been involved with some big ideas, claims to have invented all sorts of security, including the first antivirus, none of which I can prove or disprove, but he was thoroughly entertaining to speak to, and as he said himself "only human".

The reason I found Fred in the first place was that I was looking for some integrity quotes. I remembered reading something that Alex Hutton had posted about on PCI Answers, so looked it up and mailed Fred. He mailed straight back, to my astonishment and delight.

His idea had been similar to the technology that I now find myself the Product Manager for. A simple piece of integrity software, with powerful potential. Fred had realised that he could sign an entire system with his software, and if anything changed from the norm, he could stop it from starting up. Any process that was not legitimate could be killed before entering the network. That's pretty cool.

I'd seen it before with the stuff I was selling at Vormetric too. It's an interesting concept, signing a filesystem and sitting in the I/O stream watching for changes in the executables. It means that you have to re-sign every time a patch is applied of course, but then that just ensures change controls are adhered to, and that's a good thing, right?

The only problem that wasn't addressed by either of these was the reporting. The guys who got this right were TripWire. They use their system SOLELY for change control management, and it seems to work. It took them a lot of searching to get their killer app, but they now pretty much own the space. Kinamik works at a different level to TripWire, we sign the underlying file data rather than the system itself, so we are more for long term file integrity rather than short term system integrity, yet people still get us confused. I think we're going to see a time when compliance tells us that we need to be completely sure of the integrity of our data, not just in terms of digital signatures, but down to a much more granular level.
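To make the "sign the whole system, then refuse anything that differs from the baseline" idea concrete, here is an added example (not Fred Cohen's, Vormetric's or Kinamik's code) of the host-side half of such a tool: it hashes every file under a directory, signs the resulting manifest with an HMAC so that the manifest itself cannot be quietly edited by whoever edits the binaries, and on a later run reports changed, added and removed files. The directory layout, file contents and key are constructed for the example; actually blocking execution of a mismatching binary is the job of a kernel driver or loader hook and is not shown.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Collision-resistant digest: an attacker must not be able to craft a second
# file with the same digest as a baselined one.
DIGEST = "sha256"


def hash_file(path):
    """Digest a file in chunks so large binaries are not loaded in full."""
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is hashed when it is walked itself
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def _canonical(files):
    # Stable serialisation so the MAC covers exactly the same bytes each time.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(files, key):
    """Attach an HMAC so the manifest cannot be edited to match a trojaned file."""
    return {"files": files, "mac": hmac.new(key, _canonical(files), DIGEST).hexdigest()}


def manifest_intact(signed, key):
    expected = hmac.new(key, _canonical(signed["files"]), DIGEST).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def check_system(root, signed, key):
    """Compare the live tree with the signed baseline.

    Returns 'manifest_ok' plus sorted lists of changed, added and removed
    relative paths. The lists stay empty when the MAC fails, because a forged
    manifest tells us nothing trustworthy about the system.
    """
    if not manifest_intact(signed, key):
        return {"manifest_ok": False, "changed": [], "added": [], "removed": []}
    current = build_baseline(root)
    base = signed["files"]
    return {
        "manifest_ok": True,
        "changed": sorted(p for p in base if p in current and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "removed": sorted(p for p in base if p not in current),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tiny 'system', tamper with it, then check."""
    key = b"example-manifest-key"  # constructed; a real tool keeps this off the host
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    _write(root, "bin/login", b"\x7fELF genuine login")
    _write(root, "bin/ls", b"\x7fELF genuine ls")
    signed = sign_baseline(build_baseline(root), key)

    _write(root, "bin/login", b"\x7fELF trojaned login")  # modified executable
    _write(root, "bin/rootkit", b"\x7fELF dropped tool")  # new executable
    os.remove(os.path.join(root, "bin/ls"))                # removed executable
    result = check_system(root, signed, key)

    # An attacker who also rewrites the manifest to match the trojan is caught by the MAC.
    forged = {"files": dict(signed["files"]), "mac": signed["mac"]}
    forged["files"]["bin/login"] = hash_file(os.path.join(root, "bin/login"))
    result["forged_manifest_ok"] = check_system(root, forged, key)["manifest_ok"]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the MAC is the one Tripwire-style tools learned the hard way: a baseline stored as a plain file on the same host is only as trustworthy as the host, so an intruder who replaces a binary simply updates the stored hash too. Keying the manifest (or signing it with a key held elsewhere) turns that into a detectable event, as the `forged_manifest_ok` field shows.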

I can't see why Availability and Confidentiality get all the press when Integrity is a much more interesting story. Is it really because people still don't "get" security? I don't believe that for a second. Is it because people are only prepared to do the minimum to avoid fines, rather than securing properly...

... yes.

Monday 30 July 2007

What is SISA?

A couple of weeks ago Microsoft released what they are calling SISA, their Secure Information Sharing Architecture. I'm not going to link to it, because they don't need any help in invading the security space.

In a nutshell, they have taken a few complementary technologies and bridged a couple of gaps that needed filling, then released it all as a package they support under the MS umbrella. Information sharing is obviously something which many businesses need to do, or can benefit from, but there are a lot of hidden security issues here which I'm not sure cobbling together from the top down is going to address in full.

I'd love to read up on the whole solution and tell you where the weak points are, but there's nothing available as yet to tell you how it's done exactly. All there is is lots of fluff about "you asked, we delivered", "it's not vaporware", etc.

The lady doth protest too much methinks. This is hardly a proven application of any of the technologies involved (EMC, Cisco, MS and three smaller companies). I can't help thinking that the "military style security" they talk about would be much better and more easily achieved if they would apply military securing techniques, including data-classification, then applying proper access controls via key management, and making sure the data is not only encrypted (which achieves very little) but has ensured integrity.

Now I may be slightly biased, being a Product Manager for a Data Integrity company, Kinamik, but I work here because I think there is a massive need for what we do, not because I've been told that there is, or because there's any market shift in this direction. I'm glad MS are looking into this area, it means people will have confidence in going down the data protection route.

The problem with requirements driven markets however, is that they are rarely properly secured. Whilst availability has always been well considered, and to a large extent confidentiality is built in, integrity is often overlooked and it's about time people realised how important it really is.

Sunday 29 July 2007

US Security Curmudgeon Tour?

I've been considering for a while now doing a tour of the US, meeting up with like-minded individuals, and generally making a nuisance of myself. I've been egged on by various peers today, with one particularly good idea from shrdlu over at Layer8. The idea is to meet as many bloggers and other security types on my way across the States, pick a couple of major US cities along the way and have a "geek-up".

I know I can get a selection of people together in San Francisco, and I could probably have a stab at New York, but there's still something needed to really bring everyone "together", to create a sense of community and belonging. shrdlu's suggestion was to have a t-shirt made up for the tour with a "catchy, snarky slogan" on it. My reputation as the curmudgeon's curmudgeon is evidently growing.

I haven't thought about when would be an appropriate time to do this yet, it might take a while to arrange, but I've got to design and print the t-shirts yet anyway.

So, based on what you read herein, what do you think would be a good motto for the shirts?

Prize for the best one, and you may get to see the slogan on your very own t-shirt. In fact, that might well be the prize.

Security Curmudgeons Anonymous

Walt Conway commented on my last post to say that he was glad my break had mellowed me a little. Although the sarcasm is hard to pick up in print, I'm beginning to worry that I might be getting a reputation as yet another "security curmudgeon", following in the footsteps of great men such as shrdlu, rybolov, etc... I believe I have already referred to myself as such over on Risk Analys.is. In fact I may well start a Security Curmudgeons Anonymous. The problem is, I use my real name here (yes, it really is Newby, I know it's weak for an IT specialist, but I'm used to it now. I was born before the internet was even thought of.)

So just to set the balance, before I get accused by everyone I know of being a miserable git, here are few of the things I am finding good about security right now:

The kindness of strangers.

I commented a while back that I had been able to contact several security heroes of mine through blogging, the jewel in the crown of this is Rich Mogull, who gave me half an hour of his time for free just a month ago or so. I got all nervous and must have sounded like a big girly idiot, but I was happy and got a strange buzz out of it. Not sure Rich did.

I have also had emails from the above mentioned shrdlu this week (who is this masked menace?), Walt Conway is a regular commenter now, Mike Rothman pops by, and indeed has recommended these very pages in his Security Incite. Jon Robinson and Alex Hutton also deserve a special mention here, two of the first and most regular people who contact me.

The stupidity of others.

The fact that very few other people know anything about security means I can continue to be employed and stand out from the crowd when talking about it. I mean, it's not that difficult...
It also makes selling stuff loads easier when crowds follow each other like sheep. Really, security vendors have never had it so easy. No-one dares to question you, especially with enough acronyms thrown in.

Techdirt Insight Community.

They've paid me over $400 this week for around 20 minutes writing I did on a Sunday afternoon. A better return than blogging anyday.

My life.

I am alive and well, have a beautiful wife, no kids, live on the Costa Brava, 5 minutes from the beach. Still I have no aircon.

Bugger, I really am a curmudgeonly old killjoy.

Friday 27 July 2007

10 Things I Hate

Some things have been bugging me, which I want to get off my chest. In no particular order, and with no sense of venom, just resigned tiredness:

  1. My blog postings never show up in SBN until well after I've posted them, even after I repeatedly ping my feed. Why?
  2. If I read one more blog which starts "So..." I will scream. In fact I just have, so "Aaaaargh!"
  3. My neighbours are loud and wear big clumpy shoes.
  4. Barcelona is really hot and I STILL don't have aircon in my bedroom.
  5. Trying to make a Spanish engineer work faster is impossible. I live 2 roads up from the Sagrada Familia. They started building it over 100 years ago, and STILL haven't finished. Like my aircon.
  6. It's my wife's birthday next Saturday and I can't think of anything to get her. Then it's our 1st wedding anniversary at the end of the month, so I will have to get some night work...
  7. Barcelona is officially closed for the summer. Everyone's gone away, all the shops are shutting, prices have gone up for the tourists, and...
  8. ...the bloody street performers have come out. If I have one more accordion player come and play a medley of Dire Straits/Beethoven/The Birdie Song at me while I eat my lunch, I will stab his offending organ with my steak knife.
  9. Same goes for the guitar player.
  10. And the bloke with the violin.

On the upside, I received some money last week, and again today, from the Techdirt Insight Community. To cut a long story short, bloggers can sign up and answer questions, kind of like online consultancy. If your input is picked as being the best, you win a prize. Of money.

If you haven't seen or heard of it yet, go take a look, you might just earn something.

E-discovery and data-classification

I talked earlier about de-duplication, and already have some feedback which suggests that it isn't as widely known as I'd assumed in the US. It seems like such a good idea, it saves money, so the CFO will like it, it cuts down on storage space, so the storage monkeys will like it, and it gives the security guy more control, so he'll like it. I expect the sysadmin will get a bit narked, but hey, he only gets one day of people listening to him in a year (damn, it's today).

I started off this little series of posts with a reference to e-discovery, and this is where the real benefits of data-classification come in. E-discovery is the process of identifying, collecting and preserving electronically stored information so that it can be produced for litigation, during audit, or for compliance or post-breach investigation. It can be expensive. Not only in terms of the initial breach, audit, etc. but also in terms of man hours, equipment and consultancy spent in trying to catch the culprit, prove compliance or back up claims. There are a few e-discovery companies out there (Kazeon, Guidance Software, Archivas) and each one of them claims to save thousands if not millions of dollars doing what they do. So what is that?

In a nutshell, it is the process of collecting, searching, preserving and analysing digital information. All of these processes are simple enough, but keeping them all managed together is a real problem. Imagine for a moment that your data is properly classified however. The data will already be in a state where the processes become simpler. The real issue then is the gaps, not the processes. I find this very interesting, because it feels like proper security at last.

And there are some real security issues here:

  1. If I have collected information from a system, how do I know that information hasn't already changed en route to collection?
  2. How do I know it hasn't been seen and manipulated, or copied?
  3. Between collection and searching, how do I know the index hasn't changed, and therefore the information I am now looking at is redundant?
  4. How can I preserve information without it becoming prohibitively expensive?
  5. When I want to analyse this information, how do I know I'm analysing the right things?

So who's interested in this? Well, apparently not the real security guys. I asked Network Intelligence this last question 6 months ago, and it got as far as the Product Management meeting internally at RSA/EMC. We were trying to get them to look at our integrity software at the time, they said "no" because it would stop them selling as much WORM storage, as it's 100 times more efficient. RSA liked it because it was agent based, NI liked it because it was a differentiator, but EMC had the final say, which is a bit sad. So I went to SBN's own Mr. Anton Chuvakin at LogLogic with the pitch. He said it was a great idea, but guess what? No-one else is doing it, so there's not really a need as yet. "We'll keep your application on file, have a nice day"... Same story at NetForensics, ExaProtect ("bring business to bear"), SenSage, etc. etc. You name it, if they analyse logs or report on events, I've spoken to them at the highest level and been turned down. Perhaps it's because I spell analyse with an "s"?

I guess e-discovery isn't big business in the US yet either? Odd, seeing as how the savings claims are in the millions of dollars. The first company to produce a truly secure e-discovery platform will be raking it in. I just hope it isn't MS or Google.

The other questions have yet to be asked and answered, but I'm going to be asking them in the next few weeks and months. I'd be interested to hear other people's views on this.

Driving data security forwards

I realise that so far what I've written this week may seem a little repetitive, or even off the point at times, but as always, there are methods to my madness, themes and threads to come back to and pick up, much like Harry Potter in many respects. Apart from the magic, wizards, owls, hats and bodycount. I digress (far too often).

I talked yesterday about data classification again, and how tagging was a difficult thing to do. In the outside world, "the internet", or any system which does not have one single point of control, tagging is meaningless. If I told you I was holding a fish, you might imagine a small, orange thing with an eye on either side, like a goldfish. I may be holding a shark. I may even be holding a goat, but just calling it a fish. You get the picture.

If I have a central point of control, I can specify what tags are available, whether they are then relevant, and how they might change. Assuming for now that this will never be achieved on the internet, the next best thing is a closed system which I have ultimate control of. Now I can start doing some interesting things.

This approach is already used effectively by the military, through the Bell-LaPadula model (which controls access on the basis of confidentiality) and the Biba and Clark-Wilson models (which do the same for integrity). It's enough to make any security-head start dribbling with anticipation.

If I can control a whole network of machines in this way, I can encrypt information that I deem to be confidential, apply integrity controls for that which I need to monitor closely, change groups and user access rights, etc.
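As an added illustration of the models named above (example code, not from this post or any product), the following enforces Bell-LaPadula's simple-security and *-properties for confidentiality together with Biba's no-read-down and no-write-up rules for integrity, and shows where the two disagree. The clearance levels, compartment names, integrity levels and document labels are assumptions made up for the example; Clark-Wilson is not shown, since it is expressed as well-formed transactions rather than as a lattice check.

```python
from dataclasses import dataclass

# Confidentiality levels (Bell-LaPadula). Names and ordering are assumptions for the example.
CLASSIFICATION = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Integrity levels (Biba): how far the data's provenance is trusted; higher = more trusted.
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2, "vetted": 3}


@dataclass(frozen=True)
class Label:
    level: str                              # key into CLASSIFICATION
    compartments: frozenset = frozenset()   # need-to-know categories


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the BLP lattice: higher-or-equal level and a superset of compartments."""
    return (CLASSIFICATION[a.level] >= CLASSIFICATION[b.level]
            and a.compartments >= b.compartments)


def blp_allows(clearance: Label, classification: Label, op: str) -> bool:
    if op == "read":   # simple security property: no read up
        return dominates(clearance, classification)
    if op == "write":  # *-property: no write down
        return dominates(classification, clearance)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: str, object_integrity: str, op: str) -> bool:
    s, o = INTEGRITY[subject_integrity], INTEGRITY[object_integrity]
    if op == "read":   # simple integrity property: no read down
        return o >= s
    if op == "write":  # integrity *-property: no write up
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    integrity: str


@dataclass(frozen=True)
class Document:
    name: str
    classification: Label
    integrity: str


def decide(subject: Subject, doc: Document, op: str) -> dict:
    """Combined decision: both models must agree before access is granted."""
    blp = blp_allows(subject.clearance, doc.classification, op)
    biba = biba_allows(subject.integrity, doc.integrity, op)
    return {"blp": blp, "biba": biba, "allowed": blp and biba}


def demo() -> dict:
    """Constructed subject and documents chosen so the two models disagree in places."""
    analyst = Subject("analyst", Label("secret", frozenset({"crypto"})), "system")
    docs = {
        "ts_plan":   Document("ts_plan", Label("top_secret", frozenset({"crypto"})), "vetted"),
        "download":  Document("download", Label("confidential"), "untrusted"),
        "report":    Document("report", Label("secret", frozenset({"crypto"})), "system"),
        "public":    Document("public", Label("unclassified"), "system"),
        "hr_secret": Document("hr_secret", Label("secret", frozenset({"hr"})), "system"),
    }
    results = {}
    for name, doc in docs.items():
        for op in ("read", "write"):
            results[f"{op} {name}"] = decide(analyst, doc, op)
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:18} blp={verdict['blp']!s:5} biba={verdict['biba']!s:5} -> {verdict['allowed']}")
```

Two of the constructed cases are the ones worth staring at: the analyst may write *up* into the top-secret plan under Bell-LaPadula (no confidentiality leak) but Biba refuses it, because a merely system-integrity user must not contaminate vetted data; and the analyst may read the confidential download under Bell-LaPadula but Biba refuses that too, because reading untrusted content would lower the integrity of whatever the analyst produces next. Confidentiality and integrity pull in opposite directions, which is exactly why the integrity half is so often left out.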

Great! BUT, how do you persuade someone to classify all the data on their network? As I mentioned previously, the military do this already, but not many others. Can you imagine the time and effort it would take to trawl through every piece of data in your organisation and create meaningful meta-tags for every piece?

And what if those tags are erroneous? Computers aren't foolproof, and neither are fools, er, humans. On the internet we all tag our own blogs by picking out words we think describe them well. Think for a moment of how many different meanings a word can have: "set", for example, means at least 12 different things. What about different languages? What about dyslexics? What about txt spk or h4x0r tags? A machine, on the other hand, cannot understand the content of the files, so a list of figures may go unnoticed as a highly confidential document, or a useless piece of information be marked as top secret.

In our closed system therefore, there needs to be an element of human interaction, but a controlled one. Even with a finite list, this job is a huge permutation, so now you can see again why the task of tagging the internet becomes so huge, so quickly. Explaining why this is a good idea to a security person is straightforward. Explaining it to the CFO is not. Why? Because it costs money, takes time and achieves very little at first glance.

The extremely clever answer so far has been de-duplication, or "de-duping". Instead of spending hundreds of man hours going through each piece of data, a crawler is set to work on the filesystem, going through files, making a hash of the contents of each and picking out what it believes to be relevant meta-data for each file. If (and certainly when) two files produce the same hash, the match is noted and logged. When the crawler has been through all the data in the system, it reports the amount of file duplication and the location of the duplicates, at which point an intelligent decision can be made on whether the duplication is necessary and the correct adjustments made (deletion of copies, shortcuts, etc.). The hash has to be one for which collisions cannot be manufactured, since the whole scheme treats "same hash" as "same file": if someone can craft a second file with the hash of an existing one, the crawler will happily report a planted file as a mere duplicate of a legitimate one.

Estimates range up to a 30% saving in storage space for these solutions, which is a compelling argument for the CFO at last, and de-duping has already proven a popular technology. It also shows a good connection between man and machine, each filling in where the other is more prone to error. Of course there is still a need to make the tags relevant, but every file is already labelled with its content hash, which gives a consistent identifier to hang the classification on and makes the task simpler in the first place.
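A minimal version of the crawler described above, added here as an example and not taken from any de-duplication product: it pre-filters by file size (two files of different sizes cannot be identical, so most files never need to be read in full), hashes only the candidates with SHA-256, and reports the duplicate sets and the space that could be reclaimed by keeping one copy of each. The directory tree and file contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA-256 rather than MD5: a crawler that equates "same hash" with "same file"
# must use a digest for which nobody can manufacture a second matching file.
ALGO = "sha256"


def digest(path):
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root):
    """Return {digest: [relative paths]} for every set of identical files under root."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link is not a second copy of the bytes
            by_size[os.path.getsize(full)].append(full)

    groups = {}
    for size, paths in by_size.items():
        if len(paths) < 2 or size == 0:  # singletons cannot be duplicates; ignore empty files
            continue
        by_hash = defaultdict(list)
        for p in paths:                  # only now is file content actually read
            by_hash[digest(p)].append(p)
        for h, same in by_hash.items():
            if len(same) > 1:
                groups[h] = sorted(os.path.relpath(p, root) for p in same)
    return groups


def reclaimable_bytes(root, groups):
    """Space freed by keeping one copy per group: size * (copies - 1)."""
    total = 0
    for paths in groups.values():
        size = os.path.getsize(os.path.join(root, paths[0]))
        total += size * (len(paths) - 1)
    return total


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: one file copied three times, a same-size decoy, and a unique file."""
    root = tempfile.mkdtemp(prefix="dedup-demo-")
    figures = b"Q3 revenue: 1,234,567"  # 21 bytes, three copies scattered about
    decoy = b"Q3 revenue: 7,654,321"    # same size, different content: size alone is not enough
    _write(root, "reports/q3.txt", figures)
    _write(root, "backup/q3.txt", figures)
    _write(root, "home/bob/q3 copy.txt", figures)
    _write(root, "reports/q3_draft.txt", decoy)
    _write(root, "notes/memo.txt", b"unique memo")
    groups = find_duplicates(root)
    return {
        "groups": sorted(groups.values()),
        "reclaimable_bytes": reclaimable_bytes(root, groups),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the crawler does and does not tell you: it finds byte-identical copies, so a spreadsheet of card numbers saved once in `reports/` and once in a user's home directory shows up, but a re-saved copy with one cell changed does not. That is why the hash is a starting identifier for classification rather than the classification itself.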

In a closed system it is arguable that the relevant tags can be applied as a "work in progress", i.e. added by users via a desktop client as files are accessed. If access and integrity controls are applied to all data from the start, then any unauthorised access to a file that happens before it has been properly classified is at least recorded, and retrospective action can be taken once the sensitivity of the information within is known. Thus a system evolves: any data not accessed within a certain time can be flagged for attention, data can be classified and its classification approved depending on the attributes assigned to it, and policies written over the top.

It would, of course, have been easier to have started like this when filesystems were first invented, just as it would have been easier to assign a system of tagging for the entire internet in 1985, but that didn't happen, so we have to find a better way of protecting our data. Starting inside our networks doesn't seem like such a bad compromise to me.

Thursday 26 July 2007

Classified Information

You'll have noticed recently that I've been having to translate a little bit of what I say into American English because I talk in British English, or even "English English", or maybe just English. Being, that is, as I am from England, land of the Angles, where English is from.

Apparently most Americans think England is somewhere in London. Confusingly enough, the Angles, after (for) whom England is named, hail from Angeln, in Northern Germany, and the majority of UK inhabitants have their roots in Anglo-Saxon - a partnering of the Angles with the Saxons of Northern France. There's all sorts of other influences, from Scandinavia in the North to the Celts in the North and West, even Denmark and Holland have some sort of claim over our dialectical diversity and web-fingered ancestry, which goes some way to explaining why they speak funny up North.

As a result we're marked out as a half German, half French mongrel breed of heathens who speak a hundred different dialects, and yet, or maybe because, the rest of the world uses our language for business and leisure activities. And they still call it English! All this and I can't speak a word of German, Spanish, Welsh or Chinese. I get by in French, but most of them speak English these days so I just speak nice and loud when I'm over there, just to make my point clear. :)

I mentioned earlier a quote from Vannevar Bush about how the human mind operates, and how it is completely NOT the same as a computer. He put it a bit better than I did, but then I'm still alive, so I have the last word. What Van was getting at is basically what we call "tagging" today. At the bottom of this post you will see the words "language", "data classification", "English", and "The Welsh". These are the tags I have chosen to associate with this post. That's because I know what I'm talking about.

Or do I? Perhaps you will read this post and come up with "Vannevar Bush", "Germans", "Scandinavia" and "sausages" (oh yes, there's exciting things to come!) Maybe you are a computer and you've just scanned for the most used words, "I", "English", etc.

And here you have the first issue in data-classification. A sensible, meaningful way of tagging things which everyone can use. "One man's meat is another man's poison" as they say in English. "I say tomato, you say tomato" as the song goes, although that's maybe not such a good example now I read it...

Anyway, you'll see that in a closed system, this can work. I believe Mr. Christofer Hoff has such a system in his magical boxes at Crossbeam. As long as 1 entity is making all the tags, and monitoring the usage, all is well. Actually, even if one person is doing it, it can get tricky. A computer can do it reasonably well. Restricting the number and type of tags is a good way for example.

So this is classification, but we need to have a reason to do it. Once it's done, it has myriad functions with which it can assist. Classified data inside a controlled network is a security dream, and therefore completely unrealistic to achieve. So how are we to convince people that it's worth doing?

I'll tell you tomorrow. Sorry not to mention sausages until now.

P.S. My passport says I'm British, from the United Kingdom, but I think of myself as English, mainly to separate myself from the Welsh. Of course I have many great friends who are Welsh, having studied in the West Country, but there is still a great mutual disrespect between us which I admire in the leek-munching sheep worriers.

Introduction to e-discovery

I'm a fairly pragmatic sort of person, not easily offended and generally play well with others. So, on my first day back in the office I did the usual hellos, smiled accordingly and switched on my PC to let it download the deluge of emails I was expecting from my 2 weeks away. You will all know what I'm talking about here, apart from the automated emails from the Security Bloggers Network, Vendorcom, Yahoo! Groups, etc. I usually get a dozen or so emails from colleagues asking me splendid and worthy questions (no room for sarcasm here, this is a serious blog), and half a dozen from desperate customers wanting to buy software, hear my wisdom, listen to my dulcet voice or just aching to see my face again. Sorry, I may have slipped a little into sarcasm there.

So, imagine my dismay when I found there were fewer than 20 mails in my inbox this morning. What to do for the first 2 hours of work that I had got in early and put aside my morning for? Thank blog for this outlet of frustration and pent up angst. So what's happened to all the desperate colleagues/customers/automated robots? Well, of course it's the end of July, they've all blogged off on holiday. No-one's doing anything in Spain until October, so expect to see a lot of activity herein.

Side note: Sorry about the over-use of "blog" here, but it's a very versatile word, and the only other word this useful in the English language is universally offensive - clue: starts with an "F" and would fit in nicely where I've used "blog" so far, apart from the "Security Bloggers Network" and this being "a serious blog", the alternatives do not bear repetition, no matter their accuracy.

However, with this small burden lifted, I was able to do a bit of reading, and noticed a distinct trend in what I have been sent. It seems that e-discovery is peering over my horizon; in the US it may be fairly mainstream already, but over here it has yet to make any sort of bang. E-discovery being "identification, collection and processing of relevant data on servers, workstations and laptops anywhere on a global network, without disrupting business operations." Reference: EnCase's website.

And from Kazeon: "According to the 2006 Business Roundtable Survey, chief executive officers rank litigation among their top cost pressures. Other studies show that most organizations lack the basic ability to find relevant documents and provide enforceable preservation policies, which explains why eDiscovery readiness tops the list of litigation concerns for corporate law departments."

This has shades of past posts about it for me. I talked recently about data-classification, de-duplication, why they aren't DRM, etc. I read a nice little quote yesterday from Vannevar Bush, early internet contributor, died before I was born (born in the late 1800s!), which makes him a legend in my book. Certainly when he says something as sensible as this as far back as 1945: "When data of any sort are placed in storage, they are filed alphabetically or numerically, and information is found by tracing it down from subclass to subclass. . . The human mind does not work that way. It operates by association."

This is worth a longer discussion, so consider this an introduction to stuff I will continue to talk about here whilst the summer kicks in and people come to Barcelona to get pissed (British English/American English disambiguation: drunk, not annoyed) on cheap booze and sing football (BE/AE dis: hardcore tribal soccer, not that girlie shoulder pads and helmets game) songs in the street outside whilst I go to work and sweat.

Tuesday 24 July 2007

Back in the saddle

Hola amigos! I'm back from a splendid holiday in Italy, and straight onto the computer to see what's been happening whilst I've been away. Well, from what I can tell, not much.
It seems that the iPhone has been cracked but Jon still loves it. Until I get one, I'm torn. Anyone who wants me to try it out, just send me one, no problem.

Apart from this, there seems to be some sort of odd argument about ROI in security in almost every blog I read. Latterly, I've read Anton Chuvakin's post with the usual befuddlement, and came to the conclusion that none of the people he mentions in his post really has a clue what they are talking about (with maybe the exception of Hoff), or why they are doing so at least.

What isn't explained very clearly anywhere in what I've read so far is the fact that ROI in security is not the ROI of accounting, or even the ROI of finance in general. Ask an out-and-out economist what ROI means and they will tell you something along the lines of "ROI is the ratio of money gained on an investment relative to the initial outlay". Not saved, gained. And this is where the great semantic debate has started. But just because the economists are the ones who study money, doesn't mean it applies to what we need the term for. We need it to sell security, so tell them to stick their necks back in, or I'll come and start showing them how the "Safety" tier of Maslow should be subject to PCI DSS.

Investment in security will never help you sell more widgets. We know this. There are many idiotic examples of people not investing in security because of this. We also know that in many cases after breaches, companies have actually performed better because of their new-found exposure in the press. These are false economies however, and once it starts to become more commonplace to be attacked, the bottom will fall out of this sort of argument. You can still make savings with well considered security investments.

It's still your basic P&L spreadsheet. And if you (as a CSO) can show your CFO that the spreadsheet will go from negative to positive, or small positive to less small positive in an amount of time "x", then you have a basic ROI argument. Just because security ROI is based on not spending money you have previously spent, doesn't mean it's not a "return" on the "investment" in any other terms than linguistics. It's a negative spend (or "save" as we say in English) rather than a positive gain, for sure, but even the thickest of economists must be able to get the "return" on that "investment".

I don't really see that it needs much more discussion, for the sake of boredom rather than anything else. I'm sure Dr. C has done much more complicated sums than I in his career and I'm certainly not prepared to get into a "who's got the biggest brain" contest - it's Anton, by around 10lbs, that's why he can call himself Dr. - but this really is a non-starter for me. It comes down to words at the end of the day, and whilst you lot are picking holes in other people's laziness, they are making their fortunes from what was only ever meant to be a sales tool.

The point is, everyone knows what ROI means in this context, and if that works, why bother trying to rewrite the rules? Every finance house, government organisation, retail store, healthcare or pharmaceutical establishment has rules around purchasing which they know internally as "ROI". Typically, for example, a bank will buy a network item (software or hardware), if it can be proven to "pay for itself" within 9 months. Government give a little more time, it varies, but usually a year and a half or more. This is what we mean by ROI, and if you can't produce the figures to talk to these people, you won't get further than meeting 1. You all know this. Why do we need to talk about what the terms mean? Who cares whether it's RROI, ROSI, fake ROI, blah blah. You're just going to confuse people and look like a smart-arse/ass/Alec.

When I left for Italy I was disappointed in what I was seeing in security in general, and ready to throw in the towel. Now I'm back, the towel is still in my hand. When the smartest guys in the business are discussing English Language instead of Maths, Crypto and Linux, we're in trouble, at best we're bored, at worst we are lost and have no idea where to go next. I want to be confused because you're talking out of my league (like normal), not out of my subject.

'Sgood to be back. :)

Wednesday 11 July 2007

Gone fishin'

Ahhh, holiday time at last. I feel like I've been working far too hard these past few months, and a break by Lake Maggiore in Italy is just the ticket. My brother-in-law, Nick, is getting married at the weekend however, so first I'm heading back to the UK with my wife.

You can tell I'm in holiday mood. Nothing security related here. I spent the afternoon re-writing one of the dreariest documents I have ever seen in my life. Written by foreigners, in very technical language, then translated from the rubbish into English-ish by me, and back into the bullshish by more foreigners. I don't even care if it made sense by the end.

So, the posts will be thin on the ground for a fortnight or so whilst I get back in with friends and family, chew the fat and talk the bollocks. Drop me a line if you think of anything amazing to tell me. If anyone has any more fabulous statistics like Walt Conway's, send 'em over.

In the meantime, I'm outta here. Arrivederci!

Tuesday 10 July 2007

Education, education, education

I did a lot of Maths when I was younger (that's 'Math' for my American readers, sorry for the language barrier). I did GCSE Maths a year early, then Additional Maths and Extra Maths the year after. 2 years later for A-levels I did Maths and Further Maths, topped off with a side helping of Physics, which I then went on to study at University. Anyone still reading?

Despite this, I am a fairly rounded individual. Slightly more rounded than I'd like right now in fact, but the Spanish like to produce pork-based products and I like to eat them. What none of this meandering tells you is my complete inability to work with statistics. Perhaps this is why I am in awe of Alex Hutton so regularly, with his swift analyses of risk, percentages and pie charts. Mmm, pie...

Actually, I think it's a book my Dad had when I was younger, I can still remember it vividly, called "How to lie with statistics". I was not prone to lying as a child, and so my aversion to statistics was germinated. What I can do quite well as a result is spot when someone is trying to pull the wool over my eyes with stupid made up figures, self-serving clap-trap and pointless pontification. I urge you to read my post on PCI Answers about some of this type of gratuitous balderdash served up by no less an institution than our very own RSA. It's all gone downhill over there since the storage monkeys took over.

So, imagine my delight when Walt Conway of Walter Conway Associates got in touch through this very blog and sent me some statistics of his own. First of all, I have 3 points to make here:

1. Walter was incredibly polite, even apologising for emailing me directly, when I was really happy to have contact with someone so obviously involved and interested in his field.
2. Walter is experienced. Far more so than I. His research is the most thorough I've seen in, well, ever.
3. People pay VERY good money for this kind of research, and he sent it to me for free, then told me I could say what I like about it.

This is either an incredibly kind hearted, generous man who has probably already made his fortune and now wants to give back to the security community, or a crazed lunatic trying to make a point by emailing bloggers with low readership. Seeing as how Walt works in Higher Education after 30 years in Financial Services, I will assume the former until he comes at me with a pitchfork.

So, back to the research... it quite simply turns "received wisdom" (pronunciation key: sales bullshit) on its head. Walt has analysed 666 (spooky) breaches made in the last 7 years (I didn't even know there were that many). And the results look nothing like what we've been told.

Some of the best stuff lies in his table of statistics:

Source of Attacks      Business  Education  Government  Medical  Total
Inside - Accidental       16%       22%        33%        15%     22%
Inside - Malicious         6%        4%         4%         8%      5%
Outside                   76%       74%        61%        77%     72%
Unknown                    1%        0%         2%         0%      1%
Total                    100%      100%       100%       100%    100%

Hmm... 72% of attacks come from where? OUTSIDE? But... but... the salesman told me it was INSIDE! For those who don't believe, read the report which Walt has put together. He even tells you what qualifies as internal and what qualifies as external, so don't go berating me for that.

It's gold dust. I'm still reading the report and looking at the statistics for little nuggets. 2 things which made me chuckle:

1. 33% of breaches in the government sector are accidental. Holy crap! Who let Dubya loose on the servers?

2. 8% of medical attacks are malicious internal ones - more than any other industry. Well, you can't trust doctors these days can you? If they're not stealing your medical records, they're out blowing up airports.

But, statistics out of the way for a moment. The largest problem being faced today, hands down, across all sectors? Laptop theft. After this, things look pretty tame except in education, where hacking is still rife. This is the point of Walt's report, so I'll let you read it and draw your own conclusions.

But you know why people are stealing laptops? Because they want your valuable data? Nah, it's because they can. Most thieves are opportunists, always have been, always will be, and, as always, human behaviour is the thing we must protect against, and educate.

Monday 9 July 2007

Nerd me up

Who needs expensive security devices when you've got free stuff? I've talked about the "cost of free" in previous posts, but as an ex-tech-head I like it when people bring out cool stuff. I REALLY like it when people bring out FREE cool stuff that I can try out.

I once tried, unsuccessfully, to build a WebTrends installation for a group of around 30 websites on a brand new dual core Xeon (this was when these babies were pretty new and hot). I got so frustrated that I ended up referring to it as "F*$%ing WebTrends" on a regular basis, and the name stuck in my old company until I left. It was something to do with the fact that it wasn't licensed for a dual core machine, but they also limited the amount of information I could process on a time basis, so during my trial period I regularly lost information pertaining to several high profile financial customers. Not the best thing to do.

I ended up throwing the commercial software away, and rebuilt, from scratch, on a lower spec box, an AWStats installation. It worked perfectly first time, and ran like a dream. 3 years later, that machine still serves the customers of my old company. My brother in law is now an administrator there, and tells me it is the one machine that never needs rebooting.

So, that's because I'm a genius, right? Well, partly. And because Linux is so very good when it works. So, when I was emailed by Ryan over at Guardian Digital tonight, telling me of their forthcoming release of EnGarde Linux, I was a) a bit concerned, and b) a little bit excited, then c) ultimately disappointed.

a) I was concerned because I just don't have time to install and review it, and I think it will be really worthwhile to do so, b) I was excited because I want to have a go, but c) I have a job and no spare dual core Xeon boxes lying around, so won't get the chance to do this. Hmph.

Sometimes I miss being a techie. Not often, but just this once I'd like to drop out and get my geek on. Anyone want to try it out for me and tell me how cool it is? I need a nerd injection.

Other people's work

In serious mode for a moment, I think this could be very important.

Without wanting to repeat some already well discussed maxims, security is a business issue, and treating it as such makes much more sense than delving into the technical nitty-gritty, which frankly anyone can understand given enough time because it's not based on anything except logic. If you can do Sudoku, you can configure a firewall (I was a techie for many years). Thinking in business terms takes experience, and thinking quickly in business terms requires lots of experience before useful models are created. Mike Rothman's P-CSO is a perfect example of that in our little community.

What RaviChar has done here is turned security into a Maslowian hierarchy of needs. Simple, but effective. It makes you think. It makes me think that there needs to be more work done in this area. It makes me think that there are a whole set of ramifications, compensating controls and legislation that need to be reconsidered. This has implications for compliance beyond just "it's not good enough", "it has no teeth", "it's a business document, not a technical document".

I'm going to digest this before I go off on one, but I think as many people as possible should be considering this, and giving feedback. You can't do it on Ravi's site without a blogharbour account, but you can do it here for free.

Please do so.

Thoroughly thought through

Google's a pretty big topic. To analyse it all would take the rest of my lunch break, at least. There are 2 things surrounding the Big G that I am interested in however, their recent move into the security market, and (my recent awareness of) a turning tide of criticism against them.

Whenever a company becomes the richest in the world and/or the most recognised brand in the world, people start calling them corporate whores, sell-outs, accuse them of ambiguity and hypocrisy, etc. I wasn't aware of this with Google until relatively recently however. Today I have read seething criticisms of their data retention tactics and, some time ago now, bewilderment from the security community as to what Google were doing on their turf.

The same thing has happened to Microsoft of course, it's fashionable to hate them, and Bill Gates. This has happened previously (in no particular order) to IBM, Coca-Cola, Christianity and IKEA. Not that Coke or IKEA tried to muscle in on IT Security, hence why I still drink The Real Thing and haven't used glue for DIY in over 7 years. (I withhold my judgement on Jesus, in the hope that he will return the favour for a few more years). The fact that both MS and G have recently sprawled into MY space (that's security by the way) indicates something to me:

Like a fat man on an aeroplane, they can no longer stay in their seats, and they're starting to annoy the lean, slim passengers next to them who have paid the same price for theirs. Shortly they will be sweating on them and making the whole plane smell bloody awful, whilst simultaneously dropping pretzel crumbs down their shirts. Sorry to be graphic, but I had this happen to me on a SouthWest flight from Burbank to LA recently... and there were 2 of them, one each side. Urgh.

I fell asleep on the SouthWest flight and woke up just before landing when the fat guy on the left of me, whose shoulder I had been dribbling on for the last half an hour, finally shrugged me off. If there's one thing a fat guy can't stand, it's someone trying to digest them in their sleep.

So, I think this is the tactic we should now adopt with the "fat men" of security. Whilst they are expanding into our flabby areas, we need to fall asleep on their shoulders until they sit up and take notice. In other words, whilst these guys are distracted with shiny security things, everyone should carry on criticising the number one search engine and operating system on the planet, whilst the clever guys write some proper software. We can take a hit for the team, be the martyrs for the rest of the world. Then we'll all be heroes. Won't we?

Maybe then MS and G will sit up and take notice, get back to what they're good at and suck it in for the rest of the flight? Having said that, the fat men on the plane remained fat until we landed and I got off sweating and smelling 2 parts American to one part Brit, not a good ratio. I was only heartened by the fact that one of the fat men had my drool on his shoulder, AND I still had one of his pretzels.

I don't know what this means in terms of my tortured analogy. Maybe I'll be forced to take a job that smells of Google? Maybe one day the whole world will be run by MicroSoftGoogle, or MSG as they will become known. When that day comes, the fat will rule the earth.

[Apologies to the fat if I have caused offence in this article, it was not my intention. Some of my best friends are fat. Well, I say "friends"...]

Sunday 8 July 2007

Give me a break!

I just spent the weekend at Caldes de Malavella, in the Balneari Vichy Catalan spa hotel. Wow. No more needs to be said about this place. If you go there now you can see my finger nail marks on the floor where my wife had to drag me kicking and screaming back to reality and life in Barcelona. That's just to make you jealous, now down to business.

Before I left for a fabulous weekend (did I tell you about it? I had a massage and a thermal bath), I had someone leave a comment on my Friday afternoon blog that started:

"Stastics show that 70% of security breaches happen internally, rather than externally."

Obviously not a regular reader then, or follower of threads. Alex Hutton and I had a brief discussion earlier in the week about how this statistic has been bandied about, willy-nilly, since time immemorial, and yet no-one knows where it comes from, or can prove it. It's easy to infer that more attacks come from inside now that most people have firewalls and IDS, but whereas you used to get thousands of attacks through a flaky perimeter, and maybe one or two from inside, now you get nothing from the outside and one or two from within. Really, nothing has changed, just the percentages.

But I gave him a chance and read on:

"But then what's Information Security really? My take - Information Security prevents:
1. Productivity Lossess
2. Collateral Lossess
3. Prestige Losses"

Uh-oh. So, apart from the profligate use of "s", what's wrong with this picture? Is information security really just about preventing loss? Is this ALL I do all day?

I called Friday's blog "Back to Basics", but maybe I need to go a little further back:

C is for confidentiality, which is keeping information private; it doesn't prevent loss.
I is for integrity, which is keeping information unchanged unless authorised; this CAN prevent loss, or just indicate a loss.
A is for availability, which is making sure everyone who is supposed to be able to see it, can see it. This has nothing to do with loss.

There are other things which have grown up around this, reporting, management, risk analysis, DR, BCP, etc. The last 2 cover productivity loss prevention. Risk analysis will cover all of them, reporting and management will give you a hook into some of it, but they do far more. Ever heard of return on investment? No security would EVER have been sold without it. If you can't put together an ROI argument, you won't sell anything to a bank, government office, healthcare institution, etc, etc.

The commentator then started on about Content Filtering (capitals included). I won't bother repeating the convoluted arguments he went through, but he started by telling me that what I was talking about was preventing Collateral Loss. No I wasn't! I was talking about stuff which used to sell well 10 years ago, and is still selling well now.

It wasn't a comment about my knowledge of security, it was about the state of the market and how slowly it is progressing in some areas, and not in others. There was maybe a hint of bitterness towards salesmen, and frustration that data security hasn't zoomed forwards, but nothing to say that this was the be all and end all of Security As It Stands.

By this time I had lost interest in the comment, but clicked on the commentator's homepage link. It went somewhere... which... was... about... f... f... fu... firewalls. Didn't anyone tell you that I'm not a big fan? Have you EVER read one of my posts before? It was one of the things I wrote in the post for god's sake!

Let me get this straight, once and for all. I don't mind vendors coming and engaging in lively debate on my site. I welcome it in fact, most people who work for vendors have reason for doing so. I have a passion for my chosen technology, and always have done, hence the hat tips to Bluecoat, F5, Ingrian, Kinamik, Vormetric, et al.

What really gets on my tits however, is when someone I don't know tells me I'm missing something, then proves to me that he hasn't understood a word of what I'm saying, or just deliberately ignored it to get their own message across. Especially when they sell crappy firewalls - which, by the way, have nothing to do with loss either, merely intrusion, which only then leads to loss after a lack of access controls (availability), encryption (confidentiality) and integrity - we really don't need them.

Thanks to Walt Conway for bringing the comments back to a sensible level. I've downloaded your paper and will be quoting it at some point soon I hope. It's really good, and unlike some others, you've obviously worked hard and done some proper research.

Now I need to go back to the spa to unwind. That's one good thing I suppose.

Friday 6 July 2007

Back to Basics

When I first started out in IT Security, around 10 years ago now, which is a lifetime ago, probably 2 or 3 in technology terms, there were 3 main issues/solutions:

1. Authentication, it wasn't strong enough, passwords were weak, and were being hacked.
2. Firewalls, to protect your network of course!
3. F5 were just beginning to find a space, Foundry had a REALLY complicated box called the ServerIron XL. I'm sure there were others, but I didn't see them.
4. Something to protect data, no-one really knew what, how or where to do this, encryption was popular, but not understood. Some people thought this could be done with load balancers, firewalls, etc.

These are all encompassing terms, but there's a reason for that which will be revealed. Oh, how I love to tantalise you! Read on.

I worked with RSA SecurID, which for all I know is still the de facto standard. I lost interest in AAA around the same time as I did firewalls. It's pretty much the same solution however you look at it. There are clever ways to ensure transactions, etc. (hat tip: Igor Drokov and co. at Cronto have a great looking new solution in this area, please take a look), but personally I don't find it that interesting and (maybe because) there are better men than I doing the work.

I worked with Checkpoint (didn't everyone at that time?), Cisco PIX (ditto), and more recently Juniper firewalls. They're all much of a muchness, each company did well out of the firewall craze as the internet exploded in the 90s, (OK so Cisco were doing OK before that even, and for different reasons). The very fact that each of these companies is now scrabbling around trying to fit more functionality into their boxes shows me that firewalls are at best a commodity, and probably nearer to a lame duck, if not a dead one. Juniper have added Network Access Control, SSL VPN, content filtering, etc, etc. I'm sure the others have similar. Trying to win back market share is a business decision however, not a security one. This is a worrying trend which often makes for odd security devices. I also note that Bluecoat have turned their fabulous proxy box into something capable of very similar things. Convergence, or following the herd? I don't know, maybe it's a clever product manager, but maybe it's too many cooks.

But what happened to the data security? Back in the day there was encryption of email using certificates, messy PKI, so fledgling encryption devices appeared with their own internal key management, and disappeared because it was too early. I worked with Ingrian in their first foray into the UK, and there wasn't a lot of interest at the time, even though the solution was one of the coolest I'd seen. It was easy to use and made total sense. Sadly the market was still coming down from the trees and still discovering the fire to stop with firewalls, so Ingrian retired back to the US where business was better.

Recently I worked in the channel again for one of the biggest IT Security distis in the UK, Equip Technology, now part of Horizon Group. As well as helping to bring Ingrian back on board with a new sales lead at the helm, Jon Shaw, I helped to raise the profile of F5 in the channel to some extent with the help of Louise Mowatt, and worked with Bluecoat to spread the word courtesy of Graham Davidson and co.

Having a bigger view of the market surprised me. Mainly because after a very short while I noticed the following technologies were at the fore:

1. Authentication and identity management to make it more secure and manageable. This is a step forward, it may seem small, but it's about the right pace for a mature technology to move. That's another reason I'm not doing it, I'm far too impatient.
2. UTM (Firewalls and that), to protect your network of course! I "think" this is a step in the right direction, as discussed previously in this blog, but I also fear it may be sales driven, not security driven. Help! Too much too soon?
3. Load balancers. I really like what F5 are doing, in fact I've decided to write a post on this space, it's very interesting.
4. Something to protect data, no-one really knows what to buy yet, but they seem to be coming to a consensus view. Encryption is popular, but not yet understood. People need educating, the market moves slowly, but I think the time has finally come for this to work.

See, worth reading to the end wasn't it?

Sunday 1 July 2007

Not that interesting

I haven't been blogging much recently, that's not because I haven't got anything to say, far from it, I'm just not particularly inspired again. I've had one interesting conversation in the past month, with Gretchen Hellman at Voltage. I really like their ideas, but then you'd expect that from a team with such a strong security background. I hope their product isn't lost in the mire.

Apart from one or two of the really good bloggers, most of what I read is pretty bland. This is because they are being driven by sales initiatives, not original thought. Before he thinks I'm picking on him with the mention of risk, I have to say that Alex over at Risk Analysis is still a favourite of mine, but that's because he takes often boring subject matter and makes it readable with new twists and insights. That's the sign of someone who's interested in what he says and not afraid to write what he wants.

Backtrack a few months: When I joined the SBN, Mark Curphey had just left in a storm of abuse, saying how it was full of the same old rubbish, people making statements they couldn't back up, etc. I was a little taken aback at the time, but now I think I have to agree to some extent, although generally the SBN is better than the world of security at large. I emailed Mark to get some input on this, and he turns out to be thoroughly approachable, so I wondered if he may have a point.

So, I'm not picking particular examples, I guess it's just the way things are at the moment. Security is stagnating. Too many salesmen in what was an interesting area have diluted the original thoughts so you have to look much harder for the gems. They are still there though.

Sadly, if you are still selling firewalls, IDS and anti-virus over the next few years, you are going to see your profits dropping by degrees. The interesting bits of security are in the data. Salesmen don't seem to get that though, so security is going round in circles, talking about regulations, risk and ROI in areas which have long fallen by the roadside.

I've read too many blogs recently which are all the same. And don't think the big guys get away with it. They are often worse, more often if they are trying to sell something rather than educate. One in particular that I used to enjoy now keeps its readership by blinding them with science. I doubt many people actually read it. I'm not interested in in-depth technical jargon. I haven't been an engineer for years. What I want is a well explained, easily accessible piece of writing by someone with a brain, not a low-level geek back-slapping exercise which makes everyone else stand back in amazement and say "wow, you're really clever."

The point is that very few security commentators are taking the time to really THINK. We can all regurgitate regulations, and stand on our soapboxes about a particular standpoint, but we never get anywhere if we don't put our minds to things. I'm all for a good argument (just ask Rory at Rory.blog), but I wish people would get facts in order, then back it up with some original thinking.

I'll probably rant again about "geniuses", "gurus", and "experts", because we've got too many in an already crowded space, but a brief story should get the point out here: I mentioned in a very tongue-in-cheek manner last week to a colleague that I was "one of Europe's foremost PCI commentators". Perhaps he's been living in Spain too long, but he didn't get the irony. Just because I blog about it sometimes, doesn't mean I'm any good. I have thoughts and have been in security for a long time, that is all. (You will have your own opinions of course.)

Said colleague spent a long time afterwards trying to imply that I wasn't anything special without saying so outright (in case I asked him to prove otherwise I assume). Salesmen are often very insecure, and yet I hadn't said anything to put him down, just that I am an "expert". Is it an alpha male thing?

In fact it started to get quite irritating that he hadn't (and still hasn't) understood my joke. I feel the subtlety will be lost if I have to explain it. It makes my point quite nicely though. The fact is, anyone can set themselves up as a field specialist, and they are rarely called upon to prove it. Time to start asking questions.

So, if you're wondering where I am, I'm amongst your blogs, trying to find some answers.

MadKasting