Friday 31 October 2008

Pitchforks in sheds

I once heard someone describe network tools as 'pitchforks in sheds' - the basic premise being that although the tools themselves were all incredibly useful, without someone to use them, they are essentially useless.

I've looked at a lot of security tools in my time, and have seen some great ones. HP recently showed me WebInspect, which looks like a great hacking tool on its own, and an awesome development and QA tool in conjunction with other pieces of software in the family. They obviously know this, because they invited me to a dinner which I sadly couldn't make. I always think that when a company is confident enough to invite critics for a dinner, the tool is probably a market leader which wants to stay in that position. If it's just a presentation, then it's probably a start up. Just a thing I've noticed over the years... anyway, back to the point.

There are a great many tools out there which are very useful for networks, security focused or otherwise. However, without someone to roll-out, manage, and insert into processes - i.e. to get them used now and in the future - you may as well make a big pile of company cash in the car park and have bonfire night early.

Wednesday 29 October 2008

Build your own network

I had an interesting security conversation today, about network architecture. Hmm... don't run away just yet.

I think we'd all be agreed that it is safest to put your production networks away from your testing networks, and to make sure the data in your test areas is not live sensitive data - I'm not going to go over well trodden ground.

I also think most would agree that splitting web servers from applications and both from data is the way forwards, and using firewalls to split them out is only sensible. We may also split out external and internal DMZs on the internal and external firewalls, and of course our internal LAN. This is all stuff that can be found in books and on websites, of course.

But what of the relatively new worlds of web services and 'cloud computing'? I chuckled recently when these were referred to as Marketecture. In reality, these don't change anything about the way we build systems, in fact sometimes they are just making it unnecessarily complicated for the poor souls designing and building it.

Back to my interesting conversation though. Picture if you will a 3 tier network, external firewall with external DMZ hanging off it, and an internal firewall with the LAN and data tiers hanging off it. Where do you put the application tier?

My companion pointed to a case where it was also hanging off the internal firewall, and asked whether it shouldn't be attached to the external firewall as well. I argued the point that it didn't really matter as you could just punch a hole through the internal firewall anyway, but is that really such a good idea? No, not really, so I capitulated, and realised that that was in fact how I have always done it in practical terms, I'd just never really thought about it too hard until faced with the direct question.

The fact of the matter is, the diagrams we draw of these things are really only ever representative. I don't think I've ever seen a network diagram which could be used to trace a real physical network - to make the important decisions, yes - to dismantle and rebuild, no.

Wednesday 15 October 2008

In my opinion...

It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.

I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.

Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?

How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?

I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.

I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)

Monday 13 October 2008

Dog eat dog

I had lunch a couple of months back with David Lacey, one of the thought leaders of the Jericho Forum, (who I STILL think have the right idea, in case anyone was wondering). We talked about literally hundreds of different topics, but one which has stuck in my mind was about how good companies often lose out to not-as-good companies.

Hands up who remembers Dr. Solomon? Arguably the best anti-virus of its day, 10 years ago, this neat little tool was as cool as digital watches had been 10 years previously, and on the way up. Today, type Dr. Solomon into Google, and you get McAfee. They used to fight like cats and dogs, but McAfee continues on - did they maybe acquire them?

And who is the biggest of them all? Well, it's Symantec, the fourth largest software company in the world, who just spent a whopping $785m on MessageLabs in the middle of the biggest economic downturn in 80 years. Symantec, who previously bought Vontu, Veritas, Norton, etc... deep pockets, but I'm not 100% convinced it has bought all the best toys, just the shiniest.

And in this game, that seems to be what counts. I commented last week about the RSA and InfoSec shows not being what they used to be. I like nurses' uniforms as much as the next man, but it isn't security. The big stands go for 10s of thousands of pounds, and I can't help feeling we're losing out on some great ideas, more so as we hit recession head on.

It's time to batten down the hatches for everyone, so I wonder how this will affect further acquisitions? Sadly I think we will see some good little companies being snapped up for less than they're worth. Happily I think we'll see more development taken in-house, and more of these developers looking for safer permanent jobs. Maybe Symantec will come up with some ideas of their own instead of buying up all the other good ones?

Wednesday 8 October 2008

All the shows

I've been ignoring the usual slew of mails I get telling me that RSA Europe is just around the corner, not because I don't care about the shows any longer, but because I can't see myself going this year due to work commitments. Not that I don't want to go either, it's always interesting to see what's up and coming, and who has made enough money to get there this year as the prices escalate still further.

I have a couple of issues with the RSA show, the most off-putting being that it is miles out in Docklands, and takes me 2 hours to get to by train, and longer by car. There is ample parking of course, but at a crazy cost which ensures I will only be able to afford to stay for an hour or so.

And maybe that's enough for shows these days. To be clear, I'm not anti-RSA, I enjoy their shows, they flew me out to San Francisco earlier this year (with disastrous results sadly) and gave me a free conference pass, just for writing something about encryption, so in fact I probably owe them. Without SecurID I wouldn't have started in security in the first place, so maybe they owe me. :)

The problem with the RSA show, and InfoSec is that they have become the victims of their own success, and IT Security companies are no longer the one or two-man band start-ups from a garage, but multi-national corporations with oodles of cash to spend on flashy marketing and shiny suits.

The first RSA shows were a group of like-minded guys in sandals with long hair showing each other what cool stuff they could do. I wish it was more like that now. I fear however, that we have lost those days forever. In their place, I suppose the 21st century marches on, but that doesn't mean I don't miss the BBC model B, ZX81 and the Amstrad 464 either.

Sunday 5 October 2008

Rewriting the Code

"Can you take a quick look at this please, Rob?"

The 'Group' of which our company is the shining star (i.e. highest returns) has been trying to put together what they refer to as a 'Code of Connection' such that everyone who attaches to our Global WAN comes under the same set of rules. Sounds like a reasonably simple task you might think, unless of course you had ever had to write one yourself... I, however, did not have to write one, merely cast a critical eye over the work in progress before me, and comment on it.

Half an hour later I emerged from my task, confused and rubbing my eyes. I had a thought which I am positive anyone practicing security today will have experienced - "there's a lot of words there, but I'm not certain that everything's been covered, I have no proof..."

Basically, I had no idea what was required from the Code, because I didn't know what it was trying to be. So, a quick Google search revealed to me what I was looking for, the difference between Policy, Standard and Procedures.

This is when the trouble started. I went back with a handful of notes which I'd put together in PowerPoint and printed off. Having explained the differences, I was asked to pull everything out of the Code of Connection that wasn't Policy, and send it back to the IT Security team.

I then spent 3 days putting things into tables, deleting headlines and putting them back in, writing bits, deleting them again, and generally getting in a mess.

Realising that I needed a better reference, I went back to basics, and pulled out the IT Policy. To my surprise, I noticed that the Policy was actually called "IT Standards", a collection of Standards from across the group, all in one place.

I think I may have just created a monster. I'll let you know how it goes...

Tuesday 16 September 2008

Testing,testing,1,2,1,2

4 or 5 years ago a friend of mine approached me with the idea of going into the penetration testing business: "Let's go into the penetration testing business", he said, and we did some market research. We could buy the required tools, a server, a shed, and a reasonably large internet connection, install a free copy of Nessus and be up and running by the end of the week.

Of course we looked a little further than that, and realised that everyone and his dog was already doing it, and like every other business, it was just a case of whoever was shouting the loudest would make the biggest bucks. Steve and I were total techheads and neither particularly interested in making noise at the time, so we went back to the day jobs...

A couple of years later, a new friend at a new company asked me about my background. We got around to talking about my close call with pen testing and he said: "yep, I thought about that for a while, no money in it."

All of us remain firmly under the employ of other entrepreneurs, some large, some small, but none of them us.

Today I saw a quote from a pen testing company, not one for dropping names, let's just say they do secure tests. My jaw dropped when I saw the price for 4 days work. An amazing return for them, but just like Starbucks charge more for a coffee I could make at home because of their ability to make it in bulk and present it better than I can, so they can do a much better job than we can, make a pretty report, tailored to our needs, and there's probably negligible real cost difference to us anyway. Not that we could do our own tests, but it did strike me that the only reason we have to do them anyway is because our security team (now disbanded) had identified the need in the first place...

The MD of this testing company often writes for a magazine that I have written for in the past. He shouts louder than I do, and makes his presence known. He's also very good, knows the market and knows what makes a good product. I'm not sure I could have built a business out of it in such a cutthroat market.

Still, it would have been nice, wouldn't it?

Sunday 14 September 2008

Bad security awards

I wrote recently of how it could be excused for me to complain a little whilst I'm writing here. Of course I'd like to be constructive in everything I write, but the job of security is so often finding holes that it is a rut that we get stuck in, and maybe not a bad one at that.

I recently received an e-book from a provider of security solutions. Their name shall remain private to me at this stage, as shall their niche. What I am going to reveal to the world however, is their utter crapness. The e-book was sent to me, I presume, for approval. I sat and read it for 10 minutes, tutting as I went, and then went to reply. The first draft took half an hour. Then I realised it was slightly offensive and saved it in my Outlook Drafts folder for later adjustment.

I picked up where I'd left off 2 days later, re-reading my draft, adjusting the text to be less rude, and then cutting out whole paragraphs. Eventually I deleted the whole thing and started again. The problem was manifold, and the amount of time I had already spent trying to pick the bones out of it was worthy of being paid. So thus I replied: "I did write up a full retort to everything in this article, but I realised that I would normally charge for the amount of work I've done on it. My main issue with the article is that it seems to have had headings written by someone who knows about security, but the paragraphs underneath were filled in by a marketing department with access only to Google."

"We've passed it back to our client" was the rather mute reply. I never did hear back, I guess my services aren't required on that one. The thing that really got to me was the laziness, no backing up of wild assumptions, repetition of useless statistics (did you know that 70% of attacks are internal! No way!), etc... the kind of crass indescribable blah that we read on a daily basis, and yet means entirely nothing.

Still, that isn't the worst piece of security I've seen this week. No, that goes to an internal project that wants to use digital certificates to REPLACE passwords. No way is that one getting through. If there is anyone out there who doesn't understand why this is a bad thing, please ask, I will gladly explain, again...

Wednesday 10 September 2008

Projects march on

Following on from my last post, I've had a lot of comments suggesting various technologies for firewall monitoring and application scanning, but absolutely nothing on endpoint security.

Funny that, but I'm wondering exactly why. Is it maybe because you all assume I know enough about endpoint security to make my own decision? I think not. Is it because endpoint security is totally irrelevant to our current situation? Again, not very likely.

What I think is more likely is that it's still just too early for anyone to really have the requisite experience of these technologies to have a real opinion yet. Certainly my conclusion on the project is that we should wait. Although the action to get something to protect our endpoints came from an audit, I believe we can mitigate the risk sufficiently to pass the next audit until the endpoint/DLP market has settled down, and therefore 'sweat the assets' a bit more. I hope the business would appreciate that thought.

Therefore it follows that the project I got most feedback on - web app scanning - should be the one I concluded was the most important. Incredibly, it was. My suggestion is to make it into a real project, but try to get our outsourcer to swallow some of the cost as they do our solution design. I like the idea of getting something that checks sourcecode too, so that will form the next part of my project.

Which leaves us with the firewall monitoring. One comment, which predicted the technology which has already been suggested to solve the issues we are facing. The problem and the solution were suggested by the operational security guys, so I've suggested we pass ownership of the whole project back to them... seems simple enough.

What's really pleasing is to get my ideas out and validated by the great and the good. Glad to be back and blogging...

Saturday 6 September 2008

More e-projects

I'll come back to secure email at a later date, I'm interested to see if our business processes will come up with the same conclusions as I have. I'm prepared to admit that this is a two-sided argument, there may be a requirement for secure email, or it may be that email was never meant to be secure, so no-one will ever use it as such. Comparing it to terrestrial mail services doesn't really help, because to a large extent, email has replaced snail mail, and even phone calls. The 'more secure' version of land mail was email, so the more secure version of email is...?
Personally I think it will be as the banks are finding - directing people to portals to download (NOT giving links in the mail, but asking them to log into their account - beware of phishing attacks).

So I now have 3 new Security Projects (note the capital letters) to get on with:

1. Endpoint Security - not DLP, we don't have any data classification on our network, and it was identified specifically to stop CD burners being used on our network, so DLP is deemed too much.

2. Firewall Monitoring - thrilling stuff, we need to know if our firewall rules are sensible.

3. Web Application Scanning - Third party web app provider, variable quality of code, our problem.

I keep going backwards and forwards, depending on who I talk to about these. The higher up the chain I go, the less I want 1 and the more I want 3. When I come back to the security team, I want 2 to help them, and 1 to protect them.

I'm not sure there is a good way to justify endpoint security, not until the market has settled down a bit anyway. Maybe then we'll be ready for DLP?

Firewall monitoring seems to be something that's been put in to make someone's job easier, so again, hard to justify.

Web Application Scanning on the other hand seems to be vitally important. As I've been brought in to secure the e-commerce rollout, I think this is the one I will be most behind.

WebInspect seems to be the best (only) option at present. I'll talk more about how I get on with it once I've found the best way to justify it.

Wednesday 3 September 2008

My first issue.

I read a post somewhere last week (it may have been one of Rich Mogull's?) where a simple question was asked about what people liked about IT Security blogs. The (rather ironic) answer from one commenter was that they didn't like all the complaining that went on - and preferred it when people explained answers to security problems.

Having written a post just beforehand having a good old moan about things that people do stupidly, I thought I'd try and redress the balance in the force by starting to discuss a few issues, and how I would solve them. I hope to get some input as to why I'm wrong, and as many complaints about my stupidity as my comments can hold.

Issue of the day for me is secure email. Without discussing any more politics, let us assume that we have a business requirement for secure email. I can't tell you what we are sending out, because then I'd have to kill you, just rest assured that we need to. We need to send out to lots of different domains, and we want to initiate that exchange every time. Users of the system must be registered with us.

The solution that was proferred to me was one of the IBEs (Identity Based Encryption). There are 2 that I know of, Trend and Voltage. I'm not going to say which one has been picked, because they are much of a muchness as far as I can see, and neither is right for me.
Requirement - must be standards based.
IBE isn't a standard as yet. It's a great technology, lots of fun, and has some great applications, but it isn't something that's tried and tested. I'm worried by it.
Requirement - must not add complexity of management.
plus Requirement - zero download option.
IBE isn't as simple as you might think. Key management is still the major issue, especially when you are dealing with external clients coming into your network to pick up decryption keys.
Requirement - Blackberry compatible.
Those people who have a requirement for Blackberries probably have a requirement for secure email. It's bad planning not to be addressing this immediately.
Requirement - must integrate with current architecture.
As with the 'standards based' requirement, this is going to be hard work. Anything so new is going to be crowbarred in. The only thing it integrates with is Exchange and Outlook, but then all email solutions do... how about working with certificates, protecting attachments end to end, and being able to vary the levels of security via policy.

Which reminds me - who's writing the policies on this thing. I don't really understand who needs to be encrypted to, or in fact... why?
Requirement - fully audit when this data is sent out of the network.
You just can't do that with the system which created it. If it's being emailed, an internal user can email it out, but there is no reliable automated process to log this. It's either a manual process by the user - so more policy writing, more holes for errors to slip into - or it's nothing. That's scary, especially when the next step is emailing data out of the network.

Which brings me back to the politics I'm afraid. Why does anyone need secure email? Email is NOT secure. The only reason you need secure email is because another process is broken, it is a sticking plaster option to my mind.

Better to create a secure extranet, register your users there, use a third party PKI if you need to use keys at all, and use the certificates to authenticate your users too whilst you're at it. Use a CMS type too to publish pages to individual users as and when they require to download data from your network. That way you have a full audit trail too...

In short, no matter how hard a security person tries to be helpful, they will always end up moaning. It's kind of my their job.

Tuesday 26 August 2008

Electing to receive

I've been off the air again for a short while, changing positions again as a contract came up locally without quite so much travel. I'm not going to reveal my new whereabouts, largely because I'm not sure they'd be too happy about me talking about them, but also because it wouldn't add much to the mix.

I've been there a week now, and things are changing fast. The security department is being split up and pushed into every area of the company so that 'security is part of everything we do', which is admirable, if not lofty. I've ended up in the architecture team, which suits me fine, if not what I'd expected. What it does do is allow me to get on the receiving end of some vendors for a change, instead of delivering.

Last week I had a Webex about WebInspect from HP. Now I'm sure this is a great piece of kit, but it's really tough to sell over Webex. Fortunately for them, we've already bought it. I'm sure another sale would warrant a site visit, at which point the SE could shine, but over the phone it didn't really work for me.

I don't miss being an SE, it did serve as a great way to increase my salary quickly over a short period of time, and latterly to help me move from permanent roles into contracting because I found myself moving around so much and didn't want to appear like a job hopper. It also half killed me with travel and working from home is more stressful than you might imagine.

I was lucky to find a contract with work which suits me well and is practically on my doorstep. I don't think I'd ever go back to being an SE now, maybe I'm over critical because I've been one, but it's a thankless task, and I don't think you could pay me enough to do it again now.

I look forward to writing a bit more about the various technologies that I look at in the next few months. In the meantime I obviously can't talk about projects or politics in the workplace, but maybe I'll thrill you all with policies and general security blather.

Friday 1 August 2008

DLP going mainstream?

Alan reports the recent Reconnex acquisition by McAfee today. This started my head spinning off in all sorts of directions.

Compare and contrast the price which McAfee have paid for Reconnex with that which Symantec paid for Vontu. $46m as opposed to $350m. Websense bought PortAuthority for $80m. That's quite a big chunk of change in difference. Prices are coming right down, but the reality is, that's still a good price. Reconnex have been pretty lucky, considering the current financial climate. Maybe they don't care too much, as a small privately owned company, they will have all done well and be able to ride out the storm, and that's great for them. McAfee already have Onigma under their belt, so I hope Reconnex is a good complementary piece of kit for them.

My concern is where this leaves other DLP companies. I have worked and collaborated with Vericept and Orchestria, two other players in this space. Vericept and Vontu used to be the 2 big boys, but Vontu did some great targeted marketing, picked their key accounts, did all the right things, under-developed and over-promoted in the early days, then let the technology catch up as they rode the wave. That's the way to do it, and despite Vericept's complaints that they did it the "right way", i.e. had a solid product and spent less on marketing, that's not how the world works.

Orchestria is another product that falls foul of this effect. It is vast and comprehensive, a techies dream. Give it to a sysadmin and they will not come out of their cave for a month. However, it's not the sysadmin who buys DLP. I like Orchestria, it is far more than DLP, but it isn't productised and it isn't marketed enough.

Both of these stories are disappointing, not least because I know and like the people involved in these companies and they have worked hard, possibly harder than those in the other companies I've mentioned. If I had a few million dollars, I'd buy one of them, because although the prices for DLP companies are going to be much lower from now on, the market will stay and increase, especially for those technologies which ARE more than DLP.

There are a couple of acquirers left, but they are the ones who traditionally bide their time and watch the market - HP, IBM, etc. they don't pay big bucks for technology on the rise, they pay sensible bucks for established kit which they can add to a portfolio.

Tuesday 29 July 2008

Help put the record straight

I have no idea who reads my blog, if anyone. But there are at least 250 who regularly tune in, and drop right back out again throughout the day and the globe. I hope beyond all reasonable hope that some of you are wise old CISOs with a keen interest in helping the wider community, or at least me.

You may remember this article where I pulled apart a recent vendor survey. Always satisfying, and no-one really has much sympathy for vendors, I should know, I've worked for them for years, and it really does take its toll. Anyway, I guess I got all my vitriol out... and got a reply from their marketing manager. I did this last year with another blogger, and spent several hours apologising and putting the record straight, so this time I just kind of whimpered and ran away.

However, this marketing manager, who I will call David, because that's his name, was very kind, very pleasant and quite persistent in getting my help. The result was that I said I'd help out if we could make the PCI survey a bit more focused, less vendor-y and more like something I could shove up on my blog.

Here it is - please read and fill in, it will help us sort out exactly what IS going on with PCI right now. And if it's statistically insignificant, we'll have another go.

Tuesday 15 July 2008

Insane in the mainframe

I'm back in the UK. Jetlag plays funny games with my head for a few days, but I'm generally over the worst of it by now. Apparently it is a really hot day today, I wouldn't know, my car's been in the garage so I deliberately arranged all my boring admin jobs, which kept me inside. I re-wrote 2 documents for colleagues, did my expenses, drank copious amounts of tea and then, with a little 'spare' time I logged onto the mainframe in Dayton.

Now, not everyone has a mainframe at their disposal like I do, I appreciate that, but if you haven't touched one in a while, or even ever, and you consider yourself a techie, find one somehow, they are great (techie) fun. Maybe I should explain... PKWare, whom I am currently contracted to, have a fine mainframe SecureZIP product, which is extremely powerful and useful, but for some reason not widely known about yet. I think everyone is still pretty happy with PKZIP, despite the extra power and security this gives them.

I guess in the 80s when Phil Katz (the PK of PKWare) wrote ZIP, the internet was a smaller place, and everyone used BBS (which PK was also instrumental in developing). What a shame publicity costs money these days. My opinion of the product isn't so relevant in this context though, I've expressed my satisfaction with the PK solution already in these pages.

What I am currently enjoying is playing on a mainframe. There is nothing so satisfying as typing short commands into a green and black (sometimes red and white too) screen, all on command lines, and getting numerical return codes. I don't know why this gets me so much, perhaps it's in my blood. My father sold mainframes for IBM back in the 60s and 70s, my mother programmed on them. No wonder I'm a geek.

Did you know, there is even mainframe related humour? If you understand this joke, you are probably in your 50s or 60s, or have a manual somewhere which explains it...
"What's a SOC4?"
"Covering your foot."
It's so lame, it's good. And I know of at least 2 people (working for PKWare) who are chuckling at this right now. You know who you are.

Sunday 6 July 2008

PCI the priest

When I said previously that I hate traveling, I need to re-phrase that. I hate flying. I hate flying to work specifically. I mitigated my travel this week by realising that there would be some great people at the end of my travels. I get to meet the PKWare techies tomorrow, and play on their mainframe, that's worth the hop. I can use the mainframe over VPN at anytime however, and I've spoken to them on the phone before. I guess what I'm saying is, I still find it hard to equate my paranoid fear of flying with the extreme sensual pleasure of meeting the IT department face to face. Still, I also get to spend time at head office, which is also fun, and I get to pick up another laptop with all sorts of groovy demos on it. So having entered the country with 2 laptops, I will be leaving with 3. The TSA is going to have a field day.

On top of all of this, I've just spent the afternoon with Alex Hutton. Now I feel like my journey was worth the palpitations and sweats on take-off and gut-wrenching lurches of landing. We spent the afternoon getting lost on the highway, talking risk, FAIR, UK and European markets, all that jazz. He made me look at some things in a totally new way, which is always a sign of a great conversation.
"If I went to a doctor and said I was feeling unwell, and he just gave me a bunch of things I needed to do to protect against that...", Alex started, "he'd be a witch doctor".
"Or a priest", I interjected.
"Or a priest", he concurred.
"Well, that's what PCI does."
The general consensus of the conversation being that we are still in very early stages of our understanding of security, and what is possible. It feels like we have reached a glass ceiling to me, and after our conversation this afternoon, I finally realise why that is. We're looking at it all the wrong way. The problem with security is that it is too much of an art, too much is left to opinion, and too many are looked up to for that opinion. Myself included.

Rather than PCI being the witch doctor, what about us, the bloggers. WE are the ones who are the witch doctors. I rather prefer PCI as priest, because it does not pretend to be the healer, rather a guide, and I think it is a good analogy for keeping both the critics and the advocates happy.

What we need in security is a bit more science. I enjoy security because, as everyone is very fond of saying recently, it is an interesting intellectual pursuit, like philosophy in many ways. Only it is also something which we can make money out of, by applying business ideas, or consulting, explaining our hand-wavy ideas to people less intellectual than ourselves.

What we don't have is an exact model, a method which says "here is where the problem was, here is where it is now, and here's where it's going to be. This is how much it will cost." PCI says "do this and you will be living a good clean life, the wages of data breach is fines" - the priest. Bloggers say "apply tree-root bark, AV, firewalls, DLP, etc, to the wound and it will solve all that ails you" - the witch doctor. Very much steeped in opinion and personal bias.

The model needs to be accurate. As Alex explained, it has many variables, few absolute metrics, and varies threats, data flow and system management. How that model comes about is anyone's guess, when it does, it will be incrementally improved, much like modern medicine. It will probably have it's critics, none more so than amongst the bloggers it seems to contradict, or the PCI advocates it initially seems to put straight. I see no reason for it not to co-exist with both however. As a blogger I am always willing to learn. PCI is not a fundamentalist, it is flexible, and will adapt if given the scope to. In this regard I am the Christian Scientist.

The model will be guided by experiment and empirical analysis rather than opinion. How many times have we all been proven wrong by new evidence? "80% of threats are external", "firewalls will secure your network", "<insert technology here> will be the next big thing". I think there will still be a place for the priest however, and hopefully not just during the last rites - deciding how big that fine should be.

You should listen to Alex. He's a very smart guy, and he's leading the field in finding the answers in this, along with his business partner, Jack. I understand what he's been getting at a little better for meeting him, picking his brains and getting to the bottom of where's he's coming from. If only I had another 4 hours to write it all down...

Saturday 5 July 2008

Award up for grabs

Obviously Schneier's going to win this, he's older and wiser and more bearded than I. On top of that he's written about 20 books on security and has 4 billion people reading his blog. Personally I think he's over-rated. :)

I remain fully seated in controversy of course, winning friends and influencing people wherever I lay my hat. Tonight my hat is in Chicago, I am exhausted, and I'm going to bed.

Goodnight America, god bless. Oh yeah, VOTE FOR ME!

Thursday 3 July 2008

If you can't beat 'em, join 'em

I have to be careful what I say here, but this annoyed me. No, not because they are promoting firewalls, which suck, and will always suck, and should be shot, but because of this:
Firewalls are underrated, but only by an industry which is perpetually looking at selling you the next new thing.
Again, not because it's a lie, firewalls are not underrated, they couldn't be. No, because it's hypocritical crap. Sorry Matasano, you may have some of the finest security minds in the business, who could knock me into a cocked hat, but this is spin. If you don't like being part of an industry that is perpetually trying to sell the next new thing, don't build new things and try to sell them whilst pretending to be a research company.

You guys are supposed to be teaching people about security, not dragging it back into the 20th Century. No wonder "Firewall adoption is huge, and what most companies struggle with is with managing their rules and making sure they get the most out of their existing deployment” - when even the most stand-up, hands-on-hearts, honest to goodness pure security folks are trying to hawk them bloody firewall enablement software!

This is the most circular, hypocritical and ridiculous argument from a bunch of otherwise extremely clever and normally responsible people that I've read in a long time. And I've been reading PCI surveys.

Survey warning

My dear chum Walt has something to say on PCI surveys today. He puts his questions in a very understated way, such is his low-key manner. I can reveal that it was I that was the straw which broke the camel's back however. You might recall my recent whingeing about a NetIQ survey which said that PCI in Europe wasn't being taken seriously, and they could prove it from a pretty small sample.

I was approached by their marketing manager afterwards, and whilst my back was up initially, I have to say he has won me over with his patience and more importantly, his desire to learn what would make it better. We are going to try and increase the sample size in the coming weeks with a new survey, more targeted and less commercially orientated. Hopefully this will have some real value, and maybe even more coverage in The Register again.

Walt has been very helpful in pointing me in the right direction about how to make this survey objective, but something he did say in a mail to me, he didn't put in his post. The gist was that now PCI awareness has been achieved, everyone wants to know what everybody else is doing. This is subtly different from "wanting to learn from each other", which is a very nice way of looking at it.

Maybe that's because it assumes too much and he knew I'd get what he was saying, but it kind of put things in a nutshell for me. What IS everyone else doing. It seems that the more we talk about PCI, the less we want anyone else to know what we've done. Are we afraid that our solutions aren't as good as next door's? Are we afraid they will try and copy our homework? Come on retailers and banks, let's have a bit of care in the community, share the knowledge!

Colour blind elephants

I'm off to Chicago again at the weekend, 2 days in Dayton, Ohio and 2 days in Milwaukee, then back on the red-eye next Friday. I wasn't really looking forward to this traveling much, in fact I'm still not, I hate flying and I usually think that most trips to the US could be pretty easily replaced by a Webex, but that's another story entirely. I was treating it as a chance to meet some new people and see a bit of some new places, until I remembered that last time I came out to San Francisco I'd polled all my security contacts in advance to see who'd be there. I met up with quite a few, but one who I'd always wanted to hook up with was all the way out in Columbus... Ohio. See where this is going?

I quickly rattled off a mail to Alex Hutton on Tuesday, and by close of play yesterday we had not only arranged to meet up, but he's picking me up from the airport and depositing me at my hotel. I think that just about sums up what I love about the Security Bloggers Network, security people in general, and particularly Alex. From the very moment I started waffling in these pages about data, PCI, certificates, encryption and the like, I have had a warm reception and made some great friends. Yes, yes, I realise you're waiting for the reference in the title, and no, as far as I know, Alex is neither colour blind, nor an elephant.

At the same time as I was writing my mail to Alex to say thank you for his hospitality, another email landed in my inbox. A spam mail, which I usually ignore as they refer to me reclaiming my manhood or enlarging it somehow. This one I could not, the sender name held my attention for far longer than necessary, and the title I had to explore more.

Mr. Rottenberg Bonson has sent me a mail about "proboscidean tritanopia". Two words so obscure even my spellcheck questions them (but then it questions 'spellcheck' too.) I had to look them up, but on closer inspection this does of course refer to a subject close to my heart:

pro·bos·cid·i·an (prō'bə-sĭd'ē-ən) also pro·bos·ci·de·an (prō-bŏs'ĭ-dē'ən)
n.

A mammal of the order Proboscidea, such as the elephant or its extinct relatives, having a long trunk, large tusks, and a massive body.


tri·tan·o·pi·a (trī'tə-nō'pē-ə)
n.

A visual defect characterized by the inability to discern blue and yellow.

Yes, my interest in colour blind elephants has emerged, my fame is spreading. Rottenberg and I would now be firm friends, except the body of the mail then complete ignored my interest in dichromatic pachyderms and instead waffled on about Viagra. Boo. Sorry Mr. Bonson, if indeed that IS your real name, I won't be following you up on that one.

Monday 30 June 2008

A worthy cause...

Now I'm sure all of you high earning security types already give substantial sums of money to charity each year in any case, but this cause is one close to my heart. My father died of cancer 7 years ago at the tragically young age of 54. I miss him every day, and this is one small thing I can do to help other people avoid the kind of upset that we went through.

My friend Tanya is hoping to raise just £100 to help Cancer Research UK fund further research into cancer treatments. I'd like to see her reach 10 times that... not least because she has no idea that I'm writing this.

Go on, make her day, make mine, confuse her completely by having complete strangers donating to her site. Maybe one day I'll let her into the secret...

Wednesday 25 June 2008

What's up with HMRC?

Her Majesty's Revenue and Customs has been in the news again today. The data leaks that have led to their recent ridiculing in the national press are not all due to 'junior ministers', but, as suspected, 'systemic failure'. I'm not going to write any more on this yet, it's just too obvious for words, and they should have done it better a long time before this.
So, what do you do when your systems fail? Bring in an expert of course. So who's getting the top job at HMRC next? The name Mike Clasper may not mean much to you, it didn't to me, but the name BAA certainly will, especially if you've been reading these pages recently.
Mr. Clasper is the ex-CEO of BAA, before the Ferrovial takeover which seems to have brought it to its knees. It seems that he's good at making things run well then, and then selling them off and watching them collapse from a distance. Here's hoping he can get the data security big right at least. I would hope for £150k a week, 3 days a week, he could at least get someone to look at it for him. I'll do it for 2/3rds of that. :)
Good luck to Mike C. then, he's got an uphill battle, but he certainly knows how to make the best of a bad situation. Let's just hope he never leaves.

European PCI: bad state or bad reporting?

A scary looking headline in The Register this morning informed me that PCI DSS is further behind in Europe than we had previously thought. I read the first paragraph open-mouthed (lips only moving very slightly):
Nine in ten (88 per cent) European firms have failed to achieve compliance with a credit card industry standard for processing ecommerce transactions.
then came across the killer line:
A poll of 65 merchants across Europe by NetIQ
Oh dear. Sorry, but I've complained about this sort of thing before. I'd like to stop writing now, but I have some heavy sarcasm to dish out.

Come on NetIQ, 88% of 65 merchants ACROSS EUROPE, equates to far less than 1% of all the merchants in Europe. After citing 65 as a total, the rest of your statistics cease to make any sense at all:
Worse, the majority (54 per cent) have no timetable for getting up to speed. Only 17 per cent of respondents reckoned that they would be compliant within six to twelve months.
Hmm, so 35 weren't interested, 30 were, but 11 were compliant, or on their way already. I don't really get where the statistical significance over several thousand merchants is between 11 and 35, but let's also look at who you were asking.

I presume these are all NetIQ customers, or people driven to the NetIQ website by promises of not having to do any work that morning, whilst being able to stare at a screen, and therefore look as though they were working, whilst not actually doing anything at all.

Something which again made my blood freeze as I read it however:
Seven out of 10 of those quizzed by NetIQ reckoned that the penalties for non-compliance would only occasionally be levied, while 23 per cent said that fines would "almost never" be issued. Many of the merchants are more worried about dishonest workers than external hackers or business partners.
That's an awful lot of ignorance, even in such a small sample. Wake up guys, this just isn't true. That's 45 merchants out there in Europe who are sitting ducks for a fine after June 30. I presume and hope that these are relatively small merchants, in which case they MAY have a short period of time before the hackers or auditors catch up with them - I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, its a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.

However, so far, all I can conclude from this survey is that NetIQ customers are ignorant, which isn't a great advert for them.

Tuesday 24 June 2008

Don't look up

One thing I shouldn't really do is sit here working on my laptop whilst my wife watches Angel on the Sci-Fi channel. In today's episode (I'm afraid I don't know the episodes by name, or who said it, but...) one of Angel's chums quipped:
"Let's face it, unless there's a website called 'www.oh-by-the-way-we-have-darla-stashed-here.com', we're out of luck."
Well, if you had a laptop available in the same situation, you'd check, wouldn't you? Guess what? Yup.

No, I don't know who Darla is, or anything else about Angel, but the Internet is way funnier than real life in any case. Back to checking my emails...

Where are all the UK startups?

Many years ago now, I was discouraged from applying to Cambridge by a very short, bitter tutor (who had been to Cambridge) because he said my predicted grades of A, A, B, B were not strong enough. He even said I shouldn't even apply, because it would look bad on my UCAS form to the other universities. Yes, I know how stupid that looks now.

Well, I never applied, so never got a chance to prove him wrong. Little did I know they probably would have been happy to accept - I later got on to a Physics course at Bath University where other attendees were accepted with just 2 E grades, they were that desperate for intake, and that was considered one of the top non-Oxbridge courses in the country at the time. Still, I can't change history, and Mr. Sampson is still short, and a poor teacher. I have never trusted anyone in authority since, never let anyone question my intelligence and I cannot abide the short. So I guess I learnt some valuable life lessons.

All of which roundabout rambling brings me to the subject of the fabulous technical parks set up by these bastions of British learning. Cambridge in particular has thrown up many security start-up companies. Indeed, the area around Cambridge is often referred to as "Silicon Fen" (being in the area known as 'the Fens'). There are apparently over 1000 technology companies there with several billion pounds worth of investment. Most people will have heard of nCipher in particular, now a little past their prime, but at one point valued at hundreds of millions of pounds on the FTSE. I could name half a dozen bright little Security ideas that have come out of the area in recent times, some whom I have had contact with, others not. Of course, not all of these go on to greatness. The investors play a numbers game here just as they do in Silicon Valley.

Outside of those hallowed walls, there seems to be a scattering of other good UK-based technology startups around at the moment too, right across the country. I'm encouraged, because it's an area I know quite well, I know the processes and the pitfalls, the people to work with and those to avoid like the plague. I just want to hear more about them at the moment as I'm pretty sure we're about to see a lot more growth in this sector over here.

If you've got a security startup and think it's worth talking about, get in touch, I'd be interested to see what's new and what's working.

Monday 23 June 2008

Data Integrity is important, now official!

I'm a big fan of the Jericho Forum, it was set up by a bunch of visionary Brits for a start, they have never listened to criticisms from the cynics, and kept their stance broadly the same since inception. Many of the cynics have now come around to their way of thinking, "actually, it was only getting rid of firewalls I objected to, de-perimeterisation is a good idea"-type responses abound. And that's from the clever ones.

I first met Andrew Yeomans from JF about 5 years ago, with a considerably flatter stomach and more hair (me that is, Andrew hasn't aged a day). I was extremely flattered to get a comment from him on a recent post, and a subsequent email to say that he regularly reads these posts. I'd better write something sensible then.

My attention has today been brought to the comments of another Jericho director, founder and all round security Titan, David Lacey. I've never met David, but you can't really move far in the UK Security arena without hearing the name, especially not in data-security. I was beaming from ear to ear then, when I heard this.

What's that? Data integrity will be the next threat? So, I'm NOT mad? Maybe just a little early to the game when I said it last year? Once again, a prediction came true, and far earlier than I thought. I'm hoping this is going to build from here. Obviously no-one is going to listen to my little voice, but with DL saying it, I think some people may start to sit up and pay attention.

Of course, I hope he will take a look at my old chums at Kinamik, he already has some pretty big fans there out in Barcelona. And if he's reading, David, if you fancy a quick break in Spain, I know some people who would happily put you up!

Sunday 22 June 2008

Is there a future in PKI?

PKI is something which often strikes fear into the hearts of IT managers and administrators. It can be complex, fiddly to administer, and slightly ethereal at times. The expense of a PKI is often difficult to justify over a large enterprise, especially when it can't be guaranteed that identities will be trusted outside their own domain.

Speaking to a friend this weekend, he told me to take a look at Certipath - an interesting company with a great pedigree. From their website:

In late 2003, ARINC, Exostar, and SITA began discussions on how to jointly operate a PKI Bridge to meet the needs of suppliers to the U.S. DoD and UK MoD. Both the Air Transport Association (ATA) and Transglobal Secure Collaboration Program (TSCP) had simultaneously been working on specifications that called for such a trust broker. The need of the A&D industry to interoperate with the U.S. DoD was the initial requirement, with a secondary need of being able to exchange PKI-enabled data with other suppliers in a trusted manner. The global aspects of addressing the European Union, Canada and AsiaPac/Australia drove the need to have a consortium of companies with competencies in security and communications.

CertiPath LLC was formed to provide this service in June 2005, and went ‘live’ in May 2006. The service is now operational with Boeing, Lockheed Martin, BAE Systems, Raytheon, Northrop Grumman, EADS, and the U.S. governments’ Federal Bridge Certificate Authority (FBCA). For more information please visit www.certipath.com.

Now, if this had been set up commercially, I wouldn't expect it to succeed, but the fact that this already services most of the important defence companies in the world, I think that people are going to want to pick up on it. I would certainly expect the UK and US governments to pick up on it more than just in their defence departments, and extend it to the rest of their concerns.

What I particularly like about this is the way that it links into data security with federated identity. Soon, all of the junior ministers (because it's always junior ministers) will be able to leave their laptops on trains, in taxis and in the local park with complete impunity.

Thursday 19 June 2008

DLP moves slowly into data security...

Today it seems to be big news that DLP deployments should include encryption. I'm amazed that it's taken this long for something purporting to be data centric security to have this included as a standard feature, but it's about time!

This report includes soundbites from an RSA marketing guy, which is all fine, they are the people to go to for encryption information after all, but I wonder how much of this will come back to bite them, or rather the hand that feeds them. I'm sure over time EMC will work out a clever strategy for commoditising their storage again, but data-centric security can only see storage getting cheaper and cheaper - the protection being in the data, not the hardware around it, or the applications it runs through. Centera and Celerra arrays are massively over engineered blocks of expense, but they sell at the moment because there are few well known alternatives.

What these big beasts don't do is allow you to move your data with any sort of security still attached. This is their big fault. Encrypted information with a master key available to decrypt at the endpoints for scanning purposes, or to make a decision on encrypting information as it is sent out - now that's more like it...

... and exactly what I was talking about yesterday. The trick is to get this all working without getting tied into one vendor, using a standard of some sort. Perhaps the ZIP standard would work? It is already installed in 25,000 corporate users, and those are just PKZIP and SecureZIP customers, not the free download users, or everyone on WinZIP, for whom half of the security is available, despite the lack of control.

I'm surprised DLP vendors have taken this long to come up with encryption, and I'm surprised they aren't already looking at compression and integrity on top of this. It would have been smarter to do this before now.

Orchestria revisited

I'm used to seeing US businesses struggle in the UK market, I've helped a few now to recover after false starts, or to launch successfully in the first place. I'm currently working with PKWare on a long term contract which I'm really very pleased about. I count myself extremely lucky that much of what I have blogged about as being necessary security over a number of months and years, actually exists as a set of products.

I've commented an awful lot about the dynamics that make this possible over here, the fact that a market has to be built up from scratch, reputation not doing much for a company which is big in the States when it comes to these shores, how the American style of business differs from the slightly more staid version we have over here, etc.

Something I hadn't come across before is the reverse of this process, a company launching over here and trying to break the US. I covered Orchestria a few weeks back, talking about how they seemed to appear from nowhere in the DLP space, and yet kept hearing good things about them. I found it surprising then that I got a slightly different story from some friends the other side of the pond.

I have thoroughly researched Orchestria, spoken at length with their English CTO, Pete Malcolm, and gone into numerous demonstrations of their technology, proofs of their customer base, and have even, surprisingly, been shown a very impressive set of accounts. At this point an NDA prevents me from saying anything more. Needless to say, some of the negative comments that were made after my story last week now look pretty much like sour grapes.

I fear that Orchestria are suffering the reverse of what many small US tech companies experience when trying to enter the EMEA market. I fear that sales and marketing teams in the US are maybe not set up for this type of technology without having it on their doorstep, or a specialist from the industry on their team. I fear that only a handful of people in the country may understand this fully. I fear that analysts in the US have been in touch with the wrong people in the organisation - because this stuff is pretty damn good. I also fear that properly marketing it is going to be a mountain to climb, but whoever takes it on is going to do very well out of it.

I would urge anyone who is looking at DLP to look at Orchestria. If you are in the UK, it's a no brainer, local support, local development, etc. If you are in the US, don't believe the poor marketing and doomsayers from the rest of the industry. If you are in Orchestria, get a good marketing team out there, and beef up the support you already have out there. I think we could see them coming out near the top of the pile in the DLP wars. However, this isn't just what Orchestria does - and here's the only 'issue' that I could find with them - the technology is way more than DLP. You could use a couple of Orchestria devices and some SecureZIP in your entire environment and dispense with 50% of your hardware... if you don't believe me, try it out.

This is in fact the reason that this reasonably large company (and expanding monthly) seemed to appear out of nowhere and hit the DLP market. They had a product in a different sector (compliance) which happened to cover DLP very well, and they decided to market it as such. Good idea, poor execution, to get into a security market you need people who know that market inside out, whether they are in the US, the UK, Norway or Timbuktu. This is unfortunate though, because it has given a good piece of technology a slightly false start in an industry where they could be a shining light.

I haven't been this excited by a product since, well PKWare actually, but before that, Njini with their data classification / de-duplication software (another British company, yeah!). What I'd really like to do is put them all together and make a demo. What makes me feel good about all of this is that this is how I predicted the future of security just a year ago. I just didn't expect it to come so fast.

Tuesday 17 June 2008

Happy Birthday to me

Wednesday marks one of the big binary milestones of life for me.

Yes, tomorrow I turn 100000.

I don't feel a day over 10101.

But enough of this computer-related geekery. On with the celebrations.

Saturday 14 June 2008

Compliance abuse

Vendors talk about PCI so much that the reality gets skewed, walking around RSA or InfoSec this year, you could have been forgiven for thinking that PCI was a problem that could be fixed with software. Certainly some software may be able to help with a couple of point of PCI, but there are a couple of issues I have with this vendor approach.

Firstly, presenting PCI as a problem, along with other FUD. FUD is so 90s, so Chicken Little. Security has got stuck in a rut in the 00s because we've spent so long saying the sky's going to fall in. When it didn't, no-one believed us any more, and had to try and make up their own minds. Now the people who stand out are the ones who say the opposite - who say that they can actually aid your business, help it to make money. In fact, that's always been a way to make money from software, it's just that using compliance as part of FUD has detracted from the overall value of both security and compliance.

Used properly, compliance will make your business run smoothly, without you having to recruit too many specialists. Security will help you achieve that, but here's the second problem. Whereas I have been firmly on the vendor side of the fence for many years now, I can't repeat enough that security isn't all about software. Without decent policies and education security software is near useless.

My friends over at the SPSP (Society of Payment Security Professionals) have recently developed the CPISM (Certified Payment-Card Industry Security Manager). It strikes me that this is something long overdue. Developed by Mike Dahn and Heather Mark, two of the biggest names in PCI that I can think of, and with Walt Conway on the advisory board, it's sure to be comprehensive and more importantly, relevant and useful.

I can't wait until RSA next year when all the newly qualified CPISMs start asking the questions that Walt and Mike did this year. I'm going to suggest to Mike that he makes this part of the course!

Tuesday 10 June 2008

Another blog contest

I'm busy writing a presentation about data security, no surprises there, when I decide to check my mails and see the old Google alert for "Rob Newby" (don't tell me you don't do it too). Imagining it to be about the other Rob Newby, Tory councillor for Topsham in Exeter, who often does the rounds, I almost ignored it. However, it was for me this time (imagine how pissed off other Rob must be about all his IT security alerts!).

As well as my fellow Euro-Securo Kai, writing about the new Black Hat Bloggers Network, there was one from the Computer Weekly magazine. Apparently I have been nominated in a blog competition. I wonder if that was down to Kai too, or if they were just thin on the ground and needed to fluff it up a bit?

In fact I think it's probably because I've written a couple of articles for them recently and they probably like me because I do it as a hobby, not for work. Something I have noticed though - it specifically says "Help us to identify the best IT blogs in the UK in the IT Security category." Then it lists Bruce Schneier, Richard Bejtlich and Anton Chuvakin! Much as I respect and love them all, especially Anton, who I met at RSA recently, they're not from the UK, nor do I suppose they want to be.

Besides, they're all better at security AND writing, so it's really not fair.

Tuesday 3 June 2008

BAA tackles security... BAA style.

*** this story has been altered due to Rich pointing out that I was flogging the wrong dead horse, sorry British Airways, you are of course infallible...***

You may already know that BAA are a pretty useless bunch. If you've read my recent exploits in San Francisco, you'll know that they can't get luggage to the same destination as their passengers.

It comes as no surprise then that they will throw someone off a plane for wearing a Transformers t-shirt. I say "it comes and no surprise", but it's the same sort of "comes as no surprise" as finding yourself under arrest for shopping because the police saw you in a shop, and realised you were prone to shoplifting.

Come on BAA, you're already a laughing stock. You look like complete idiots already, don't let's make it any worse. Oh, too late.

Sunday 1 June 2008

The next move

Often, when I read other people's blogs, I look at the companies they are working for and think "well, they would say that, wouldn't they?" Richard Stiennon was very vocal whilst at Fortinet about all things firewall and network, at a time when I was coming down heavily on the other side of the fence. Chris Hoff, when at Crossbeam, talked a lot about UTM. Both of these guys are at the top of their game however, so their arguments also seemed reasoned and seasoned, and when they both moved to new jobs, their opinions remained broadly the same. Indeed Stiennon is now at a new startup with a similar message, and Hoff still refers to Crossbeam with reverence.

I fully admit that I have made mistakes in choosing various parts of my career path so far, hence why I took the last 2 months off and took advice from Rich Mogull, Mike Rothman and as many others who would listen to my limey whingeing. The general message I got was "take your time, listen to what comes your way, and act only when you think you've got something worth doing". In the meantime I was still in constant contact with the security community, vendors and colleagues. Jobs are not as thin on the ground as I had expected in the current downturn, possibly because of the heightened awareness, particularly in data security created by the mistakes our government have made over here recently.

It is therefore with great pride that I am able to report my latest move. I've just signed up Robert Newby and Associates (i.e. me) with PKWare for 12 months. I talked about some time ago when they first aroused my interest. I am going to be helping them make a big noise in the UK and EMEA. My reason for choosing this company...? Because I could. I'm genuinely excited about the software, the product direction and the easy story it tells. It aligns with everything I've ever thought about data security, and from the conversations I've had with the CTO and product managers, all I am likely to think about it in the coming months.

So what do you know of PKWare? The normal reaction to the name is "PKWhat?", so I say "you know PKZip?", which of course everyone does. "That's them." The history is interesting, and something I will write more on another time, but their future is what concerns me for now. PK are no longer just about zip, but security too, SecureZIP is just that, a secure zip product, encryption and compression in one. PartnerLink is again, just that, linking a company to their partners by encrypting, compressing and applying policies to data at source. I wrote about PartnerLink before, saying that it was something I'd wanted to get written when I was a product manager. I'm quite glad I didn't now, as this is better than I could have managed with my resources.

The products are good because they are simple ideas, effectively executed. Being a fully private company with no VC borrowing, there are no odd decisions passed down from people not involved in the business, so no nasty surprises or sell outs when the market is at its lowest point of appeal. Being a small company with an excellent pedigree, I can talk to the CTO as easily as I can the sales guy working on my accounts. This communication is evident throughout the company, most obviously to me by the quality of the software. At last, someone who QAs to their own deadlines, not the VCs'. So, I'm excited, I've found a breath of fresh air in an industry which looks like it's slightly lost its way of late.

So, look forward to lots more data security posts again now I'm back working amongst customers with real data security needs. And to those of you who have picked this up because you have a Google alert for "PKWare" - hi, good to be working with you.

Tuesday 27 May 2008

A worrying trend

People often complain that there are too many TLAs in IT. We have DVD, RAM, ROM, PCI (MCIA and DSS), WAP, ERP, CRM, PKI, DTS, etc... it's all very TDS. However, I think the reason that so many of us resort to abbreviation is that the alternatives are sometimes too horrifying to put down in type.

When I was in Spain it was common to hear people talk of "plannifying" and "authentification", but as I couldn't speak a word of Spanish apart from "caffe con leche" and "jamon", I kind of let it slide. It is also common to hear and read our American cousins speaking a different form of English to, erm, the English. Think "-or" instead of "-our" and how you pronounce the following words: "pasta" and "pastor". Cross the Atlantic and you pronounce them the other way around. I accept and even celebrate these differences.

However, I've spotted a worrying trend today which I hope to be able to nip in the bud before it becomes too popular and an "accepted failing" that gets into everyday speech. I speak of "deduplification".

Let's get this straight, we "duplicate", and therefore we must "de-duplicate". We do not duplificate, or at least I don't. I expect you could get away with it in Barcelona. If we're going to be making words up though, I prefer the more straightforward "singlification", but I wouldn't want to confuse things...

Saturday 24 May 2008

<rant>

I've spent the last couple of months trying to be lazy. Had it not been for British Airways messing up my flight to San Francisco back in April, then my flat flooding when I got back, and then this month Abbey sensationally screwing up the renewal of my mortgage, then I would have had very little to do. As it is, I've been rushed off my feet complaining about various things, banging my head against brick walls and generally getting up people's noses. The mortgage STILL isn't sorted out, and is in fact the fault of the solicitor, Pannone, who have lost EVERY piece of information I've sent them in the past 4 weeks. Terrible service, and they were quite rude to me in an email.

The management company which looks after the building I live in also sent me a couple of unpleasant emails whilst giving me an awful service. British Airways have given me back my money now, but they are extremely unhelpful whilst trying to reclaim.

My phone company, O2, seemed to be the best service I've received in a long time. I broke my phone on Monday at the gym, and had it replaced on Tuesday morning by courier. Mind you, I have had to pay for this, and my bills are frankly huge. Close to £100 a month so far (only had the phone 2 months).

Whilst chatting about this phenomenon to friends a very worrying trend showed up for me. Terminal 5, where my fated flight left from, is actually run by BAA, not British Airways. BAA is run by a company named Ferrovial, who runs the public transport in Spain. They aren't that good.

Abbey National used to be a great little building society, until it was bought by Santander a few years back. Santander are a big bank based in... Spain.

The solicitors, Pannone, are not pronounced "Pan-own" as you might expect from reading it, but "Pan-oh-ni". Sounds a bit suspect to me, probably Italian, but certainly southern european.

And O2? Well, they were bought by Telefonica, who provides Spain's public telephone system, and whilst I lived in Barcelona, ripped me off consistently for months. I moved out and ran away from the problem rather than trying to get the phone cut off. I couldn't deal with them in any language. If I ever go back there I fully expect the Mossos D'Esquadra to beat me to a pulp before I get out of the airport.

Spain's economy has relied heavily on construction for a number of years now, ever since Franco decided that Marbella and the rest of the south coast should be dedicated to tourism. It kind of took hold and they carried on building until... well, until they had so many places to stay and live that they didn't need any more. At this point, even a surplus of one causes the price point to drop exponentially. This is basic economics. Read "The Logic of Life" if you need a better explanation.

Spain has needed to branch out and invest in other areas for some time, and now it seems to have found somewhere willing to take it's money. Unfortunately, it's Britain. Unfortunately, the Spanish are the best providers of fun in the known world, but the worst providers of service. You can sit in a cafe in Barcelona for over an hour BEFORE you get served. This is expected over there. Over here, it's not. Living in Barcelona you get perks like weeks of sunshine all year round, cheap everything, street parties and a beach. Living in the UK, you do not.

No wonder I've been missing Spain recently. I'm getting Spanish service, but crappy English weather and prices. Not sure how this happened, but I'm seriously considering going back the other way - maybe the service wouldn't be much better, but at least I could take my trousers off and forget about it. Isn't that always the best way?

</rant>

Friday 23 May 2008

Article in the popular press

I've been blogging for quite some time now, and of course it's a very ego-centric thing to do, but I still get a buzz from seeing my name in print. Seeing it willingly printed on someone else's website is of course the biggest buzz of all, and having articles accepted by Computer Weekly makes me all warm and fuzzy inside.

Of course the rest of you won't have a Google alert for "Rob Newby" (if you do, I'm already scared), so here's a link to what I'm talking about:
http://computerweekly.com/Articles/2008/05/22/230777/pci-a-matter-of-timing.htm
Enjoy!

Friday 16 May 2008

Clearing up

I had a mail yesterday after my DLP post expressing concern that I was endorsing Orchestria. It wasn't from any of the Vontu crowd, nor Vericept, nor any of the others in this space, just to be clear.

I'm not going to say who it was as they wouldn't thank me for making it public, but just for the record, I was deliberately not endorsing them. I think it's hard to tell in print, but it was supposed to be slightly tongue in cheek. I was told a lot of impressive stuff by the CTO, and without any proof. I have no idea if they are any good or just have a big marketing budget. Personally I would be surprised if it was all true, as they wouldn't need any advertising budget if it was, it would sell itself - and they seem to have blown a huge wedge on getting out into the media. I am still surprised by the suddenness with which they appeared on the scene, even though they had been around for 5/6 years previously working in the compliance space. I've just come out of the compliance space myself, and never saw them there.

I was slightly mystified by the claim that they do 'more than just DLP', and then described what they do, which was... erm, DLP. If they DO do DLP to the extent they say, then they still just do DLP I'm afraid, not super-DLP, not DLP-extreme, or even DLP-with-knobs-on, just plain old DLP. They may be doing it super well (or well-extreme, or even well-with-knobs-on), but DLP doesn't break down into subsets, it's already an all encompassing term. This makes me think that they might be a little confused about what they are selling.

This often seems to happen when a company has to make a swingeing turnaround from their original product marketing direction. I've worked for a couple of companies (again, no names) where the original idea has been technically sound, but completely unsellable, and changing the message serves to confuse not only the customers, but the internal staff. I wasn't at Ingrian when the focus changed from SSL to data security, but I was selling their kit in the UK. People loved the SSL device, I still do, they are still used in the UK deployments I performed. People didn't understand the data security device, and a complete change of architecture really stalled the company for a short while. They recovered of course to be purchased recently by the marvelous SafeNet (it really doesn't work in print does it?), but it was a tough time.

I've been through that twice with other companies, and changing the marketing message can be as time consuming as changing the product direction, sales model, or any other part of the organisation. Something I will say for Orchestria though is that they have the right attitude towards this to succeed - complete self-confidence in the face of adversity, and seemingly infinite marketing dollars. What I can't yet do is endorse them, I hope this is all clear now!

Thursday 15 May 2008

New kid on the DLP block

When I was at InfoSec, my friend and Ingrian predecessor Norberto Costa, now at RSA, asked me if I'd seen Orchestria. I immediately got a mental picture of their stand at RSA2008, and realised that that was all I knew of them.

"Yes, they were at RSA," I said helpfully. When I got home I looked up their site and saw that they had an international presence, but an R&D centre in Taunton. For those of you not familiar with UK geography or anthropology, Taunton is in Somerset, on the west coast of the UK, which is not quite as cosmopolitan at the west coast of the US. Somerset is famed for its cider, cheese (Cheddar is in Somerset) and holes (Wookey Hole is a cave, near Cheddar), not its technology.

I dropped them an email, explaining my fondness of all things west country and my desire to speak to them, and managed to get a half hour on the phone to the CTO yesterday. I was most disappointed to find that he did not speak about combine harvesters with a Somerset burr. In fact he was very obviously a professional business man, as proven by his opening gambit.

"I was a technical specialist at Benchmark Capital, who invested in Google amongst others."

Benchmark paid for him to set up Orchestria, with proper funding, a proper team, and some real experience. This was in 2001, and I hadn't heard anything about them until last month. Since then I have been asked about them a number of times. For someone who pretends to be familiar with the data security space, this was slightly embarrassing. Not any more though.

"Orchestria was set up as a compliance tool, and was sold as such into very large companies for the last 5-6 years."

It was only the DLP bandwagon coming along which made them realise that they had something which could do that and a whole load more. If they are to be believed, Orchestria are beating the likes of Vontu in accounts where they appear together. I fully expect a mail from Kevin to explain why this is untrue, and will print it here in the interests of fair play. If this is the case, it is little wonder they have been so hyped recently.

Digging a little deeper into the technical side, Orchestria uses a natural language engine, hundreds of times faster than regex and other methods used in current DLP. They have 26 agents, covering every possible exit point on the network, on every popular platform. They cover email protection, which few of the others manage to do well. It all sounds very impressive.

I have yet to see proof, and I'm sure to get a barrage of emails from my other DLP contacts saying why theirs is better. In fact I hope I do, this is exciting stuff.

There you go Norberto, I asked.

Saturday 3 May 2008

Encryption does what?

A couple of weeks ago, after I wrote a piece about data security, a friend of mine wrote to me to say he had chosen 'none of the above' for the question 'why do we encrypt'. My answer was 'to keep data secret'. His argument was that encryption was actually only preventing physical theft.

I think this is a bit of marketing spin, and not really looking at it from a pure security viewpoint. The fact that my friend was a very successful SE, now Engineering Director for a software company may confirm this. Let me explain. Of course encrypting deters from physical theft, if it is known about. So without splitting too many hairs, let's assume my friend meant that it prevents access to the data after it has physically been taken. Therefore physical theft hasn't been prevented or deterred, so there is no benefit to the encryption. So what are we left with? Well, the data is still secret of course.

OK, now let me assume that company X has bought encryption and is now boasting about it in the newspapers. Data thief Y, external to the company, with no knowledge of the systems, thinks twice before stealing from company X, and steals from company Z instead, as there are easier pickings. Great marketing of encryption. But what happens when encryption becomes a commodity, as it surely must if current storage trends continue. Assume all valuable data is encrypted, what is the best way to crack that encrypted data?

Well, personally I'd steal the physical device and take it home, get my botnet to search out a few thousand PCs for extra computing power and set them to work on breaking the algorithm. So, does encryption really deter physical theft?

Once again the successful crackers are going to be internal people, who already have access to the data. You still need to make sure your physical controls and policies are strong, even when you have all of this put to rights.

Friday 2 May 2008

A position of power

I’ve just got back to London from Chicago O'Hare airport where I was driven from Milwaukee. My driver was Joe Sturonas, CTO of PKWare. He liked to refer to himself as a bit of a geek when it comes to number crunching and IT (he may well not like me referring to him as ‘my driver’ however). Joe studied Artificial Intelligence whilst at University, and subsequently worked for the Illinois Department of Transportation's Traffic Systems Center (TSC) before ending up where he is now. [I hope the details here are right, I blame jetlag and artistic license for inaccuracies.]

The Chicago based TSC has sensors on most of the main routes surrounding the city. These count cars and their speeds, giving a fair indication of congestion levels in each of the lanes on Joe's commute to and from work. The TSC used static data, daily counts and average speeds to designate 2 different types of roads for different types of road user – these are Express (E) and Local (L). Thus on Joe’s route to work each morning, the first part of the journey he could choose from 2 L roads and 1 E, and later on 2 E roads and 1 L. Once a lane was picked, it was impossible and impractical to change. Most people ended up picking either L or E and sticking in that until the end of their journey for the sake of getting anywhere at all.

Using his knowledge of the transport department's IT systems, Joe managed to pick up transmissions (legally) from traffic sensors in the roads. He then applied a simple algorithm to the traffic reports using his AI knowledge, and programmed his PC to send him a text message each morning, telling him which route to take, in the form of either EE, EL, LE, or LL, in this way he would choose which lanes to take at the beginning and end of his journey. He even went as far as factoring in weather and seasonal conditions, holidays, etc.

He calculated over time that in an average week he was saving between 90 and 120 minutes compared to the 'average' commuter, taking pot luck and sticking with it. This was a huge saving and meant Joe could spend more time at work, AND more time with his family, possibly why he made it to CTO whilst remaining a devoted family man. Needless to say, this also gave Joe excellent geek bragging rights, which he duly exercised at a party amongst commuter friends. Obviously the idea was to share his funny little idea and get some respect, but, also rather obviously in hindsight, his friends nearly ripped his arms off to get a piece of the time-saving action, frustrated as they were with the extra 20-40 minutes in the car during their working day.

Joe complied and allowed a select group of his friends to receive the same information as he did every morning, but took his idea no further. So what stopped him? Joe, being a mathematician and logician by nature, realised the fatal flaw in commercialising his invention. What happens when more than his select group of friends gets interested? Of course, the routes become just as blocked, if not more so than the ones being reported on. So the algorithm has to be real time, perhaps different for each subscriber. This was far too complex a problem to warrant the launch of a company, so the idea died out when Joe moved jobs and his commute reversed, out to Milwaukee.

This neatly demonstrated the value of requirements and reality to me, something I thought was a great idea, was great only if you remain the one single person using it. Not so profitable if you are a vendor trying to sell it. Joe also pointed out that there was a point of ‘critical mass’ of subscribers to your service, where if you know that you are controlling the majority of commuters’ traffic decisions, in Joe's words, it becomes 'less of a math problem, more of a routing problem, and of course I get QoS'. I noted that he was only one step away from making his own weather machine with that sort of approach, to which he laughed - "MWAHAHAHAHAAA!".

Dr. Joe Evil dropped me off at the airport and sped off into the distance, leaving me to ponder if he really was controlling the weather already. A crack of thunder in the distance and a puff of smoke where Joe’s car had been a moment before confirmed my suspicions.

Thanks for the lift Joe, and for the good weather on the flight back.

Tuesday 29 April 2008

nihaorr1 attack explained

I went and introduced myself to the guys at Secerno again at InfoSec last week, and whilst I have no professional affiliation with them, I'm always interested in exciting technology which does something new. Steve Moyle, CTO, is a friendly guy who oozes enthusiasm, just as Paul Galwas was when I met him last year. I just got a mail from Steve to tell me about a recent attack, and I thought it was so well explained I offered to reproduce it here. Steve agreed, so here goes:

"The nihaorr1 attack trashed web facing databases all over the planet last week. It was based on an automated SQL Injection attack (Secerno stops these). Previous attacks like this were targeted and individual. It was only a matter of time before someone sinister worked out how to automate it. We were working with a victim not long after the outbreak.

In this attack, they were not stealing data. However, for the affected web sites it would be difficult for anyone claiming PCI compliance that they had their data under control. The attack can easily be rewritten to take integer values (e.g. credit card numbers) from one field (say) and copy them to a text field, and then expose them on web pages ...

Basically, the attack worked as follows:

Step 1: potentially vulnerable sites identified automatically (probably by a Google query)

Step 2: SQL Injection part 1. SQL injection at a site to ask the database for every field it has that contains text

Step 3: SQL Injection part 2. Update every text item in the database with the original item plus a link that will download a trojan to the web browser

Now what happens is that when a web site serves up a page, the text it serves up is called up from its database -- but every piece of text now has a malicious link under it. When clicked on, the link serves up a virus that infects the viewer of the web page.

Note that the original victim -- the web site -- has become the attacker. Whilst the new victim is the website visitor who trusts the site.

This attack will be adapted and will cause real chaos."

Thanks Steve for the entertaining story and explanation of how this attack is working. And, as the Romans say, caveat emptor internettus.

The road ahead

With user security, CIA (or AAA as it becomes) is fully integrated. This is an area of security which has been around since computers were first invented, to some degree. It is the most mature of the 3 areas I have picked out in my series of posts so far. [Although please note, these are only picked out for sake of ease, in reality there are overlaps.] Network security is less integrated, although in my career I have watched as point solutions in the network have become more fully integrated. Network devices at least all talk the same language to each other now, TCP/IP as a standard form of communication has kind of settled in.

With data we are not quite so fortunate, C, I and A are not integrated, although large storage companies are trying. There are a few of these though, so they all have their own standards.

In my original piece I said that integrity was the future of data security, and indeed, it will be an important part of every piece of storage eventually, when everyone realises its importance - but that's not a great starting position. I don't think it will be a point solution that becomes part of a data security standard. Integrity will always be an option, along with encryption and compression as the whole data centric security space merges and evolves.

This will happen separately from hardware as well as being built in to it. But will the standards emerge from the hardware, or something distinct and separate from the hardware that the information resides on?

Data-centric security has to be able to move with the data. Anything that the large storage companies try to apply directly into hardware will be difficult to use at best, more likely ignored. We've already seen a big pull and push between Sun, IBM, etc. in trying to standardise key management. If they can't even agree on that, where keys are already in reasonably standard formats, what chance do they have on agreeing on compression, encryption and integrity standards? It is more likely they will pick up and use existing popular methods over time as happened in the network.

I don't want this to become too much of an advert, but I spoke recently about PKWare, because I am interested in them, and will be visiting them this week. I'm going to talk with them about their products in more detail, but they sound very close to my heart, and as close to the reality of reaching my data security nirvana that I've actually seen. What's more, it makes sense.

I've heard some very interesting things about them recently, their new SecureZIP line, and PartnerLink are both areas I identified as being massive opportunities for growth whilst at my previous job. I actually asked our engineers about designing a product almost identical to PartnerLink, but it was too much for our small team. We didn't have the resources to develop the ideas, but now I find those ideas already exist.

Ask anyone (as I did at InfoSec) whether they've heard of PKWare and they will often look blank, until you say "have you ever used PKZIP?", which of course everyone has at some point, if they've used a computer for anything other than emails. I'll be asking some more searching questions this week and reporting back in due course.

Monday 28 April 2008

Nearly there...

I've just finished writing my final post in the series of 'data nirvana' posts - you can read it here tomorrow - and taken a quick look back through the other blogs I enjoy to find Rich talking about data classification being dead. I have to agree. I started writing about this last year and even ranted at someone else about not understanding it properly (which I won't dig up again).

Data classification is the real data nirvana of course, but it really can't be achieved satisfactorily. To echo Mr. Mogull for a moment, a network is a dynamic thing, it's constantly being updated with information, which can change its status from Top Secret to Private, or Public to Classified in a stroke. Tags just don't cut it. A company I spoke to at length last year propose a data classification solution. They haven't pushed it as such yet because the market isn't there. A few tyre kickers have had a go, not because they want to classify their data, but because they want to find it. That's a totally different matter. De-duplication is a very good idea, and simple, and sellable. Data classification is a great idea, but complex and completely un-sellable to anyone except me and Rich. [If you manage to invent it, please drop us a line.]

The only way you could manage to classify a system is to close it: make it read-only, or take it off-line as Rich also talks about. That kind of makes technology about as useful as your local library, though, and sends us crashing back into the 20th century just as everyone is getting used to the 21st. Something I find much more interesting is the idea of controlling information from a central hub, with policies in place around it - information sharing. It's more of a 'real world' example of how people are likely to use data security.

It reduces the need for classification as you only have to choose policies around the data you are making available outside your network. I also talked about this last year, as Microsoft released their SISA idea with about 10 other companies involved. This is clearly a good idea, but with so many technologies involved, bound for disaster. I don't know if anyone got anywhere close to deploying this, but I rather think not.

So Information Sharing is my new proxy-nirvana, or pseudo-nirvana, that is, the thing that will sell and be used, and is actually practical and possible. And guess what, I just happen to have written something about it in my post tomorrow... read on.

MadKasting