Sunday, 25 March 2007

Inaccurate data...

I haven't had any negative feedback so far on my data security postings from last week, but talking to people who've read my posts and tried to understand where I'm coming from, it's clear that I've oversimplified something which needs a lot more explanation.
I normally generalise to make points, but this time I need to go back and fill in some gaps.

Firstly, I talk about transaction security, from user through the network to the data. This ignores a large part of physical and logical security, the security of the host itself. I stayed away from content and activity monitoring because where I have traditionally worked with data, these I tend to view as perimeter controls.

I also perhaps don't mention DRM when I should. That's simply because I don't know anyone who's got a reliable solution yet, although I've been told that such things do exist.

Really, it's because there is enough of an overlap for me to consider these things part of the huge number of network devices that are in existence now. There are fabulous solutions like Vontu for controlling all of this.

Encryption is covered by a plethora of products: you can protect inside your database, outside your database, at the file level, on the wire, in transit and at rest. I've worked for Vormetric (which, by the way, is still the best file level encryption I've ever seen), I've worked with Ingrian for a number of years, and I know the guys at Protegrity too. Then there's Decru, who I wish I'd worked with (certainly when they were bought by NetApp in 2005), and NeoScale who I know only by reputation (and their systems guy who joined Vormetric just before I left). These are just the good solutions; there are tens of others which don't make my list of top guys.

And yet still no-one does data integrity properly. Encryption and restriction doesn't provide it, WORM devices don't provide it except in storage, digital certificates provide a partial solution, etc. And this is why I focused here. Sorry for any misunderstanding. I'm not an analyst (yet), if you want that, read Rich Mogull on Securosis, I've followed his work my entire career and what he doesn't know in this space isn't worth knowing.

Me, I just see holes I want to fill, and that's what I write about.

Can we license data? - part II

The issue is that people will still want to steal data whether it's licensed or not. My wife just gave me the example of someone stealing the blueprints to a new BMW car (I was actually involved in encrypting the blueprints for the new 6-series in Munich because someone had stolen a part of them, but that's another story). If it were licensed, people would still want to steal it, change it slightly and then produce a new car that drove well and looked good, but wasn't a BMW. The problem here is identifying where the value lies in the data and how you would license it.

If you can prove that various parts are the same, you can charge for breach of copyright, and therefore could license in our data sharing model.

I've heard of technology which will analyse databases of information and tell you if the data has the same patterns in it. They are currently using it to detect picture spam, i.e. delta changes in emails and pictures attached can fool anti-spam because of weak rules, but not with this thing attached, which seems like a waste to me. They are also doing trials with some sort of medical research which is more valuable.

If we could prove that the car was essentially 90% BMW we could charge for the license...

Can we license data? - part I

Following on from my last post, Jon Robinson asked me whether it was feasible to license data. He said to me "What I think would be enlightening would be creating a taxonomy of information that needs to be secured or leveraged in one form or another and then listing the best alternatives for doing so."

The securing or the leveraging is the utility of the information. It comes down to ownership of the data, its permanence and perceived value, i.e. this really boils down to "what is 'private' data?"

One of the problems with data is that once it's in the public domain, it loses its identity (unless it IS an identity), whereas a process, or utility, is still identifiable as the original: it has a fingerprint, or some part of it does, and can therefore be licensed more easily. If the data IS an identity of some sort, then we have a different issue: it is identifiable as the original and therefore always has a value, which is why identity theft is a problem. Maybe, therefore, data either has identity or none, and if you can't prove the identity, then if you try to license it, you can't collect. If we can prove that the data in its original form falls under our own license, then we should be able to charge for it, i.e. a copy of a book, a print of a painting, etc.

This is why there is such value in proper data integrity, proving that the original data is still original, to a more granular level than digital certs hopefully. What is harder to do is retrieve data or reconstruct data once it is lost, so an 'idea' can be rearranged and still be a pretty close copy, without bearing any relation to the original fingerprint, this is a real world issue with copyright and trademarks still.

Recreating the Industry

I've just been reading through Mitchell Ashley's Network Convergence paper and I'm still a bit annoyed that I didn't think of it myself. I've been involved in a similar project, but centred around an open compliance framework (open source and open standards), so I have to be convinced that this is the way which makes most sense for the industry to proceed.
However, something is nagging at me. I can't quite get past the fact that big organisations like to pay for software and have it properly supported, plus all of this "free" stuff has hidden costs which usually come in the form of expensive consultants (like Mitchell and, er... me). And there aren't going to be enough consultants available for it to be viable for a very large and dispersed organisation.
I really wish everyone would install Cobia and develop tools to run on top of it, but unless they are going to see an immediate return on their time investment, I don't think it will happen that quickly.
I agree with Jon Robinson that network appliances CAN suck, and Mitchell's answer is almost perfect. Certainly for anyone brave enough to have a go it is cheap and effective. Jon and I have been talking on this point since his post and it seems there is a lot more at stake than just cost however. I didn't realise quite how much more until Jon pointed out a few things. I will let him post on this next week when he's moved his blog over to Wordpress rather than stealing his thunder. Essentially though: it is the data that is of value, but not JUST the data, it's all down to how we use it. I blogged on this last week in answer to something Kenneth Belva posted, and now I think it's all part of the same set of convergence ideas, which relate to the advancement of security, and vice versa.
All of which talking led Jon to ask me a simple question: "Could we license our data and let anyone use it, like we do with GPL for software for example, and what are the implications for its security?" (That's paraphrasing, his email was rather longer, but you get the idea). Answers on a postcard please!

Monday, 19 March 2007

The great data debate.

A great blog entry from Kenneth Belva here in bloginfosec, got me slightly excited. An open debate about data security is something I've been looking forward to. Quite apart from the fact that I've studied his work for years and have a bucket of respect for the guy, I have to continue the debate as it seems to have opened up a few lines of communication with the wider community, and I love nothing more than a good healthy discussion.

Kenneth says " has utility. By that I mean that if one cannot do anything with the data there is no value to it", thus echoing Donn B. Parker's awkwardly named but intricately woven Parkerian Hexad.

The paradox here is that if I completely secure my data, it becomes unusable, so loses its value, but if I make it too widely available, it loses its confidentiality and thus the value becomes so diluted that it effectively loses its value... uh?

This is simply because it is a mistake to think of a secure network as giving you secure data. They are 2 very different forms of security. The data can still be widely available on the network, but as confidential as possible. It is this that makes the network so important to secure, because it ensures the data's availability AND utility. But then the data needs to be secure in itself.

There are a couple of issues of paramount importance here, the integrity of the network, and the confidentiality and the integrity of the data. These are the very things we should be looking to secure to ensure our use of the data and the network is safe. I will follow up on PCI Answers with the data disclosure debate later tonight. These are just the kind of conversations we should all be having.

Sunday, 18 March 2007

ERP Security, any ideas?

Friday afternoon, 4pm, Barcelona: The Managing Director comes to me and says we need to reposition our approach to the European market. "Everyone is saying they need us, but as part of a bigger picture". My heart sank, we've put a lot of effort in since I moved out here and to tell the truth I was experiencing the same thing with my calls, even to the guys I know in the States who are at least 4 years ahead of us in security terms.

So we're repositioning, and I've spent the weekend preparing our ERP security program. I'm pulling industry best practices and solutions from all over the place and putting them together in a package, but one thing is overwhelmingly clear. The ERP guys don't pretend to have security sewn up, they are ERP guys, not security guys after all, but the security that is available for these applications has a large amount of holes, and not a huge amount of solutions.

Does anyone out there have some good ERP security offerings? Tools for getting right inside the database to audit the data, identifying users after connection pooling from the app has anonymised them to the db, tracking transactions from start to finish, etc. I know enough about securing the data once it's got to the storage, ensuring the integrity of all the transactions through to reporting, and even applying user security, but the "application to database audit problem" seems to be pretty tough.

I'd really appreciate some pointers.
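As an added example (not code from the original post, and not any vendor's product), here is one way to approach the "application to database audit problem" described above, in Python with SQLite standing in for the ERP database. The pool logs in as a single service account (assumed name erp_app), so the database itself only ever sees that login. The application therefore writes the real end user and a request identifier into an audit row inside the same transaction as the data change, so the two commit or roll back together and a change can never land without its audit row. The table and column names are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical shared service account that every pooled connection uses.
DB_USER = "erp_app"


class PooledErp:
    """Stand-in for an application server reaching its database through a
    connection pool. All requests share one login, so the database cannot
    tell which person issued a statement; we carry that identity in-band."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.isolation_level = None  # transactions are managed explicitly below
        self.conn.execute(
            "CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount REAL NOT NULL)"
        )
        self.conn.execute(
            """CREATE TABLE audit_log (
                   seq        INTEGER PRIMARY KEY,
                   ts         TEXT NOT NULL,
                   db_user    TEXT NOT NULL,   -- what the database sees
                   app_user   TEXT NOT NULL,   -- who the application authenticated
                   request_id TEXT NOT NULL,   -- ties all rows of one request together
                   action     TEXT NOT NULL,
                   invoice_id INTEGER,
                   old_amount REAL,
                   new_amount REAL)"""
        )
        # Constructed sample data.
        self.conn.execute("INSERT INTO invoices VALUES (1, 100.0)")

    def update_invoice(self, app_user, request_id, invoice_id, new_amount):
        """Apply a change and its audit row in one transaction.
        Returns the previous amount. If anything fails (including the audit
        insert), the whole transaction is rolled back."""
        c = self.conn
        c.execute("BEGIN IMMEDIATE")
        try:
            row = c.execute(
                "SELECT amount FROM invoices WHERE id = ?", (invoice_id,)
            ).fetchone()
            if row is None:
                raise KeyError(invoice_id)
            old_amount = row[0]
            c.execute(
                "UPDATE invoices SET amount = ? WHERE id = ?", (new_amount, invoice_id)
            )
            c.execute(
                "INSERT INTO audit_log (ts, db_user, app_user, request_id, action,"
                " invoice_id, old_amount, new_amount) VALUES (?,?,?,?,?,?,?,?)",
                (
                    datetime.now(timezone.utc).isoformat(),
                    DB_USER,
                    app_user,
                    request_id,
                    "UPDATE",
                    invoice_id,
                    old_amount,
                    new_amount,
                ),
            )
            c.execute("COMMIT")
        except Exception:
            c.execute("ROLLBACK")
            raise
        return old_amount

    def amount(self, invoice_id):
        row = self.conn.execute(
            "SELECT amount FROM invoices WHERE id = ?", (invoice_id,)
        ).fetchone()
        return None if row is None else row[0]

    def audit_trail(self, invoice_id):
        """Every audited action on one invoice, oldest first."""
        return [
            tuple(r)
            for r in self.conn.execute(
                "SELECT db_user, app_user, request_id, action, old_amount, new_amount"
                " FROM audit_log WHERE invoice_id = ? ORDER BY seq",
                (invoice_id,),
            )
        ]


if __name__ == "__main__":
    erp = PooledErp()
    erp.update_invoice("alice", "req-1", 1, 120.0)
    erp.update_invoice("bob", "req-2", 1, 90.0)
    for row in erp.audit_trail(1):
        print(row)  # db_user is erp_app both times; app_user is alice, then bob
```

The point of the trail is the gap between the db_user and app_user columns: the database alone would record only erp_app. Most production databases also let the application stamp a per-session client identifier before each pooled request so that native database auditing picks the real user up as well; which mechanism that is depends on the database, and it is worth checking what yours offers before building the in-band version shown here.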



Thursday, 15 March 2007

And I repeat...

I have to admit I didn't expect to make a big splash when I entered the world of data integrity. We're up against digital signatures, TripWire, encryption and access controls, and everything else that's been wedged into this space by poorly thought out compliance regulations, over eager sales people, network engineers, silver tongued pre-sales, security guys...
Yes, I place the blame squarely at my own feet. I have been all of these things, apart from a poorly thought out compliance regulation of course, that would be odd.
The fact is, data integrity still doesn't exist, and here we are basking in the swimming pool of security whilst the administrator of false senses dances through our data, happy in the knowledge he is king and no one can catch him. A bad mixed metaphor, but quite picturesque I think.

Let me explain. In the beginning there were firewalls, this kept out some Bad People. Then there was AntiVirus. This kept out some Bad Things, written by Bad People. Then there was IDS, followed by IPS, then IDP, then app firewalls and UTM. Basically it's all sewn up at the perimeter. Then we realised the attacks were coming from inside. Alan Shimel calls it M&M security, crunchy on the outside, soft in the middle. I call it armadillo security for exactly the same reasons (anyone in the UK will remember the Dime advert along the same lines).

Of course for perimeter security to work, user security has had to work. RSA had SecurID all figured out years ago, and I've still to see a better answer to strong authentication. Every year I expect to see something to challenge it at Infosec, and still nothing. CryptoCard, Entrust, OK, they're pretty good as cheap alternatives, but they aren't as secure, and that's what I like, security.

So, we move inside the network and start to rely on Cisco for everything. Ooops. Cisco are the dogs danglies when it comes to networking, but networking security? They try bless them, but they just can't move fast enough. I've mentioned ConSentry in the NAC space already in this blog. I spoke to Sean Remnant there this afternoon and it seems he's getting busy now. When he last visited me in the UK, he and Bill Wester (SE Director) looked a little nervous of how sales might go. Despite my full support (and who wouldn't be delighted with that?) they seemed worried that Cisco and Micro$oft (why do they persist with that silly name, surely trading standards should have had them by now, MegaHard, that's much closer), would be able to knock them out of the market by their sheer size. Cisco even threw them out of the NAC Consortium because they were too much of a threat. Ooops again Cisco, don't think we didn't notice!

As far as I'm concerned then, NAC has the network sewn up pretty well, again, as long as your users are authenticating properly, all the network needs is good access controls. But then, what about your data? Do I sound like a stuck record? Do I? Do I?

Right, let's assume you have encryption. What happens when superadmin walks in and disappears with your financial accounts? What about the CEO, the CFO, etc, etc.? OK, apply some clever data centric access controls. Now the security admin has control. What happens when he walks off with your data? Now apply some separation of duties. What happens when the security and network admin get together and decide to rip off the company because they aren't paid enough? The solution? Pay your techies more! No, obviously not, that would be counterproductive; if you do that, they hold you to ransom more.

OK, so we apply separation of duties, and implement TripWire. They still walk off with the data, but at least they didn't change anything on the network whilst they were doing it. PHEW! Email still works! Sorry, I don't mean to disrespect TripWire for a second, they are a vital piece of network security, which no-one else addresses, but they are monitoring controls, not data controls. OK, so now assume you have the data access logs streamed, encrypted, controlled for access, duties separated, and a digital signature of the data taken every time a log is saved, just for good measure. Apart from the incredible amount of data that would create in new signatures, what does it prove?

Now my superadmins, who know where this logging information is kept, just go in and delete the entries which show where they stole valuable data. The digital signature is broken, the files don't match up when I come to read them, if I come to read them at all, etc...

There are still holes, that's my point. We need something which gets around this, something which follows the data, not the network or the user. Something to go with the encryption and access controls, with the user security, with the network security. The rest of it we've had sewn up for a while, and we're just banging on down the same old path of tweaking it and polishing it, before we've even finished the whole story.

You wouldn't have had to spend $/€ 50k a year on firewalls, chasing your tail and wondering why your data was still going AWOL, if you'd just waited and insisted on the security being tighter. Understanding your security even. Getting a security guy in who knows what he's doing. The problem is, we're the only ones who know how it's done, us, the security guys, and we don't tell anyone. I don't think even we understand it properly, that's the real issue, and until we're prepared to admit that, we're not going to make any progress.

My previous posts have explained it in part, but I don't think people will even try to understand until the penalties are high enough. Compliance is one thing, fines are another, what we really need is a tight disclosure law. The only thing that really affects people is reputation, banks put aside money to deal with fines and breaches, did you know that? They EXPECT to be hit. Why?

These are all the themes I cover on a weekly basis and I wish I didn't sound like I was repeating myself. The fact is, I have to.

Tuesday, 13 March 2007

Same old story?

I don't know about you lot, but much as I love IT security, I love the new things, not the old things, things which make me go "yeah!" and going back over old ground every time I need to explain the new stuff is starting to get to me. I want to be at the cutting edge all the time, not going back to basics.

I've been reading the other blogs on Feedburner's Security Bloggers Network today, something I rarely get the time to do, and there's one overwhelming thought that keeps crossing my mind. Are we repeating the same stories over and over again?

Alan Shimel's RSA webcast, just posted as I type this, is typically well thought out and well explained, to the point where he sounds like an ever patient father explaining the same thing to an errant child... again. He's explaining why insider threat is more prevalent than external threat these days, something I blogged briefly about myself just last week. Although I rather think more people have seen Alan's webcast than my blog, (it's far more interesting and you don't have to read it). Haven't we been using this story for years though? I did with encryption, access controls, and more recently NAC and data integrity (and that was in the UK, it must have been even longer in the States!).

Mitchell Ashley in "The Converging Network" blog has posted recently about the death of the firewall (hooray!) as firewalls move towards UTM solutions. And about time too. This is a well written and well researched article from an uber-smart guy, not everyone could have written it. I also blogged last week about how network security has been split up into many different solutions (the opposite of what Mitchell says is now happening at long last). I'm pleased that it's moving towards UTM at the perimeter. Sadly I don't think the vendors will allow this transition to be that quick, but it puts the focus (and the budget) back in the equally important areas of user and data security. But still at the root of this, isn't there a CIA triad somewhere? UTM is surely just about ensuring the Confidentiality, Integrity and Availability of the network at the perimeter. Please correct me if I'm wrong.

Don't think I'm saying this to be cynical, certainly not about what these guys have achieved. What they prove to me is that I need to keep on trucking. We need to be telling this stuff at the right time. Security is all about hitting the market when it's ready, believe me when I say I know what it's like to miss.

Maybe this is why I love IT security however. The people I work amongst, not the explanations. We are some of the most patient people I know, always prepared to take time to explain to people, even when they are asking the "stupid questions". Something I have stated at least once a week (since I stopped working on a helpdesk) is "There are NO stupid questions, only stupid answers". This sometimes varies, "...only stupid people", "...only stupid haircuts", etc. depending on my mood, but the sentiment is the same. Sometimes now my head gets so tied up with the minutiae of security that I crave a stupid question so I can get back to grass roots and prove to myself that I do know what I'm talking about.

And actually, the market does move on. The principles stay the same, but the stories are just as relevant now as they ever were. I may feel a little bit like I'm the only person in Europe who cares sometimes, certainly there are few others in Spain, and I've worked with most of those in the UK that do. What I need to do is get out and meet some like-minded people, talk about really complicated stuff for a few days and get my security fix. See you at InfoSec.

I'll be the one explaining data integrity v-e-r-y s-l-o-w-l-y.

Monday, 12 March 2007

Reply to "PCI compliance in Europe".

I was quoted on the excellent PCI Compliance Demystified blog by Michael Dahn earlier in the day. I started to add a reply to his post and it turned into a blog, so I'm putting it here:

Hi Michael,

The lack of PCI awareness in the UK and Europe isn't due to the fact that there is less fraud, if only that were true. The problem is that PCI has no teeth over here, because there are no disclosure laws. There are no disclosure laws because that kind of thing has to be driven through the European parliament in Brussels, and that takes forever. Europeans never agree on anything, we're all far too different. It would, in short, cause a right stink and have to be debated for years. VISA and MasterCard brought out the PCI rules over here at the same time as in the US, but in the US you were already talking about disclosure, or at least in California they were, and that's where 90% of America's wealth seems to come from, so people listened. In Europe, the wealth is less obviously distributed, although I would guess London's got to be the leader, Germany and France can't be too far behind and certainly have a lot of influence. We would be foolish to ignore the Nordic nations too. The thing about Brussels is it says that everyone's got to have an equal vote, so nothing ever gets sorted out quickly.

We could introduce our own laws in the UK, we tried with the UK Companies Act, and there's the UK data protection act. There's LOPD in Spain and the EU data protection act too, but none of these are the thing we need, disclosure. It's beautifully simple. Tell the world when someone's lost your data and everyone will hate them. It's the equivalent of squealing to the teacher at school. Maybe it's because we think it would be un-British that we don't do it? I don't know, but whatever the reason, PCI isn't working.

There's little enforcement of PCI in the UK and Europe because there's little to back up the credit card companies when they decide to impose fines. Like the vendors, they have to cite events, which, believe me, are very hard to find... because there is no disclosure. Unless of course they are publicised already, but the chances are they are publicised because they have already been disclosed, by a customer or leaked by internal staff. In that case the vendors are all over them, the QSAs, the press, the FSA, etc. VISA and MasterCard might be in the queue, but they aren't going to make big bucks out of it once everyone else has had a slice.

There have been some pretty big breaches, and we have to assume not all of them have made the press. I recall reading a front page headline in the Sun before I moved over to Spain. There was a breach at Nationwide last month which warranted a £1 million fine, from the FSA, not VISA or MC. That's been all over the news. Still no disclosure laws though.

In the US, something happens in California, a bill comes out and the rest of the States gradually adopts it because it's the right thing to do.

I spoke to Mike Howse from Protegrity last week and he told me that there is an estimated 3% PCI compliance rate in Europe, with around 19% "some way there". That is probably over inflated to avoid the attentions of VISA and MC.

Ingrian are the only people I know doing good PCI trade at the moment in Europe - that's because they got in with the QSAs early and Jon Shaw did a LOT of hard work in sales.

When I was with Vormetric we had a great PCI solution, and it still sells like hot cakes in the US because Heather Mark, ex-TrustWave PCI guru is now their director of marketing, her husband Chris is a big name at MC. Could we sell it in the UK and Europe? Not then, and as far as I'm aware, not now either. These accounts are rare, because the retailers don't yet have to care. Fraud they can pay for in the blink of an eye, fines are non-existent. It makes me want to weep just writing it, but that's the sad fact. Until we have something that really makes it painful NOT to comply with PCI, it just won't happen here.

In November there will be disclosure laws discussed in Brussels, until then, I'm staying away from trying to push the PCI buttons in the UK or Europe. I've tried for 7 years already, and it doesn't really work. When I was hawking encryption we had to look for events, PCI was no driver.

You are privileged to live in a country where the most powerful state is the one with all the technology. It means things move forward at an incredible pace. The UK is generally thought to be about 4 years behind the States in terms of IT security, although it can be as many as 6 in some cases, but usually the leader in Europe still.

I'm looking forward to data security really being sewn up in the States in the near future. I may even have to move there if the market here stays as it is. People here aren't even really interested in encryption yet. I'm getting tired and nervous waiting and it feels like I've been talking for too long without anyone hearing.

A case in point - when I worked in distribution last year NAC was just becoming popular, and I mean just. I gave a seminar on IT security back in November and you'd be surprised how many resellers didn't know what it was. I wasn't surprised to read in a blog yesterday that it was big in the States as far back as 2003.

So what else was big in the US 4 years ago? Let's do some business here.



Good money after bad?

We all know how easy it is to get carried away with spending money when you're in the mood. I went out for dinner three times at the weekend, including an unprecedented Sunday night trip out to the Passeig de Gracia, just because I couldn't be bothered to cook. So why didn't I just get a sandwich from the shop at the end of my street, which like all good Spanish shops, is still open at 9pm on a Sunday night? Bear with me, there's a point to this. The reason I didn't go there is because I had got used to a level of service, a level of satisfaction provided by the wares of the folks in the middle of town, and I thought one more dinner wouldn't hurt. I will read this post again at the end of the month when I am reduced to begging for crumbs from my workmates before the next payday.
This is something which happens all around us. Not just in our private lives, but in our working lives too. It is pretty dangerous for our security. If I keep eating out in fancy restaurants, I will just become poor and fat. My wife may leave me for a rich Spanish waiter, and I may lose my job because I am unable to fit through the door to get to my desk. This is a Worst Case Scenario.
In all seriousness however, when this happens with our IT spending, as it has done for some time, it leads to bloated networks, unable to run with the competition, unable to create new business because they are growing in the wrong direction, or putting all their eggs in one basket.
It is bad for companies not to experience a few security problems, it is worse for them to experience one. Once we start going down one road to protect ourselves we rarely want to turn off. This is why firewalls are so popular still.
I have already vented my hatred of firewalls. This is not very fair of me. Firewalls are fine, it is the marketing people behind them that are vile. Firewalls fix a problem for sure, just as anti-virus fixes a problem, load balancers, IPS, encryption, etc, etc. all fix A problem. But for God's sake don't go blowing your wad on a new one every year. It just isn't necessary.
I've already put forward my view of how we should be protecting transactions more completely. A lot of people are anti layered security. The more applications that are in one solution, the more holes are likely to appear. I've heard this put forward even this week, and to an extent this can be true. But only if you don't know what you're installing. Get a decent SI and you shouldn't have this issue.
Personally I think you should have at least 9 different vendors providing at least 9 different areas of security, plus backups, monitoring and reporting. So make that 12.
But WOW, isn't this going to get expensive? Not at all. Open source solutions are available, there are many great open source firewalls, some good IDS/IPS solutions, antivirus, even certificate authorities. Some of it you will have to pay for of course, hardware can cost a little bit, and the less well known solutions you will need to dig into your pockets for.
Open source is the way forward, that's why it's so popular. Loosely coupled, SOA Security frameworks are being developed now which will cut out the problems of integration, and the phantom "holes" in security. Keep your eye on these developments, they will transform security as we know it in the next 10 years.

Sunday, 11 March 2007

Addressing Data Security.

OK, let's get out of the transaction for a moment and concentrate on the data itself.
I'm assuming the data is available because the network is in place and the users are all able to authenticate. So what do I need to do to make sure my data is secure?
Encrypt it, right?

Well, yes, good start. If I encrypt my data though, what am I really doing? Encrypted data is safe from people without logical access to it, that is correct. What if I have logical access and no decryption key though? The sad fact is that even the strongest encryption methods can be broken given enough time. This might take 10 years compared to 1 minute, but if you've got 10 years and the information is valuable enough to you, you'd do it wouldn't you?

With RSA SecurID, the number you type in changes every minute or so, so if it is ever found out by someone else, it changes before they get the chance to use it. Anyone trying to reverse engineer the algorithm used only has 1 minute to find the answer which would take even the most powerful computer 8 years to hack. It's perfect security.

With data security we aren't so fortunate, we can't change the encryption algorithm every minute or we wouldn't be able to decrypt the information, so we have to rely on the strong authentication and put access controls in place.

The access controls prevent all but the privileged users from getting to the data. Now a logical attacker has no chance of accessing the encrypted data. We still have to be careful of the physical attacker however. Anyone coming in to our storage area, whether it be on a SAN, NAS device or Direct Attached Storage (DAS), can just unplug the disk and walk off with it. He then has 10 years to decrypt as before.

Of course we take care of that with proper physical controls, and for data security we have to assume that these are already in place. (Already the table I drew earlier is looking in need of an update.)

But the logical conclusion for this level of security is for the good guys to be driven bad. We already know that administrators are capable of pretty large breaches, the BoA case proves that. Privileged users can be subject to interviews, asked to sign policy documents, be strongly authenticated, have all their data subject to access controls and encryption, and yet still walk off with it, and no-one may ever find out. In this case, what use are disclosure laws and PCI regulations?

Part of PCI DSS (requirement 10) states that audit trails must be reliable and tamper proof. So what happens when this administrator logs in to view data he is permitted to see, copies it, goes back to the audit trail, which he is also permitted to view, deletes it and goes home? He sells the data and gets away with it, so continues to repeat the process. This is something like what was happening at TJX.

The data needs something else. The audit trails of the data need to be secured in the same way as the data, and they need the integrity to be proved.

We have already established that digital signatures cannot do this. A digital signature can tell me that something has been changed, but not by whom, or when, or what. Some form of monitoring is good, but monitoring systems can be switched off, or in the case of the administrator gone bad, not alert at all.

Integrity of data is a tricky one. It is hard to get straight in your head for a start. Take the case of a CCTV video for example: There is a tape with a video of me committing a crime on it, I take the tape and wipe the information from it. If this is digitally signed, I have lost the integrity of the whole video, but when the police come to prove I did the crime, they can't because the video they had is not only missing my criminal activity, but the certificate proves that it isn't the original file. All we know is that someone has broken into the system. Yes, it was probably me, but you can't prove that.

We need to be able to keep a constant watch on the integrity of the data, as the data is produced, and feed that into an integrity file which is kept with the data. If the data is tampered with, this needs to be matched up with access logs for proof. This is on top of normal access controls and encryption of course, to keep the whole thing safe.

And to top it off, we also need to do the same with those log files. If the logs of the video activity are tampered with, we can't match up the changes with the culprits. Likewise if we are securing logfiles we need to switch on verbose logging of access to the filesystem to catch any access to the logfiles, er, in a log.

Try explaining that on the whiteboard to the CFO. You wouldn't get 5 minutes in before being asked to leave. But this is still the message that we need to get across. Integrity is more important than ever. Networks and users are already secure, you need to be concentrating on your data. Encrypt it, secure it, make sure no-one can do anything to it without you knowing. That way, when Brussels comes along in November and steps heavily into IT, you won't be running to catch up.

IT spending is a delicate subject which a lot of corporations don't like to talk about. But I do, and I've seen it all from a privileged position. I can scrub my data before letting it out in the open though, and so not be held in contempt of any laws. Next time I will talk about why IT spending in Europe is focusing in the wrong places, still.

Digital Signatures - never quite enough

Digital signatures, the poor cousin of digital certificates, suffer from many of the same issues, but benefit from being slightly more simple.
Digital certificates are a bit of a false friend in many cases. Yes they can assist in authentication, authorisation, access control, session encryption, data encryption, and data signing, but they can never cover all of these things at once to the level required for full security. Just as I am a specialist in one particular area of security, so we need specialist tools to create enough depth of security in any one particular area. PKIs are complex, require constant administration, and can become extremely expensive. I've only ever installed one, and to my knowledge it was never actually used for its intended purpose. The problem is that it purports to do too much, and it can never deliver. Certificates might be a good start to security, but they really need some development.
This is why companies like nCipher, RSA and Decru have done so well, they have leveraged individual areas of digital certificates, protecting the keys which can be so easily copied otherwise, using the keys for secure data transmission and encryption. These are all areas where more work was needed on what was essentially a step in the right direction.
Digital signatures, therefore, are in the same boat. They only go half way to being what we need. HMACs, halfway again. A digital signature is the equivalent of having a picture of a piece of data, an application, a system, which we can use only to verify if the data is the same at a later date. My old company, Vormetric, used this to great effect in their Coreguard product: applications had to authenticate themselves to the policy enforcement module before they were allowed to run on any data held in storage.
Great for authentication then, but not for verification. If the data has changed in any way, it's just a negative reply. No explanation of what has changed or where, just an indication that the data you are now looking at is incorrect.
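
To show the difference between "just a negative reply" and knowing what changed, and to pick up the earlier point that audit trails themselves need provable integrity, here is an added example (mine, not the post's and not any vendor's product): one HMAC over a whole log beside a per-entry HMAC chain, where each entry's tag covers its sequence number, the previous tag and the record. The key, the sample audit records and the "anchor" (the last tag written somewhere the administrator cannot reach) are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. For this to mean anything the key lives with a separate
# integrity service or an HSM, not on the host whose administrator we distrust.
KEY = b"demo-key-held-by-a-separate-integrity-service"

GENESIS = "0" * 64  # link value for the first entry

# Constructed sample audit records, not real log data.
SAMPLE_RECORDS = [
    "2007-03-24T09:00:01 admin login ok from 10.0.0.5",
    "2007-03-24T09:02:17 admin read customers.db rows=670000",
    "2007-03-24T09:03:40 admin copy customers.db -> /tmp/export.csv",
    "2007-03-24T09:05:02 admin logout",
]


def whole_file_tag(key: bytes, records: list) -> str:
    """One HMAC (think: one signature) over the whole log. On a mismatch it can
    only say 'something changed', never which entry, when, or how."""
    blob = "\n".join(records).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def _entry_tag(key: bytes, seq: int, prev: str, record: str) -> str:
    msg = f"{seq}|{prev}|{record}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(key: bytes, chain: list, record: str) -> str:
    """Append one record. Its tag covers the sequence number, the previous
    entry's tag and the record, so edits, deletions and reorderings all break
    a link at a specific place."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    tag = _entry_tag(key, seq, prev, record)
    chain.append({"seq": seq, "prev": prev, "record": record, "tag": tag})
    return tag


def verify_chain(key: bytes, chain: list, anchor: str = None) -> tuple:
    """Return (ok, bad_seq, reason). bad_seq is the first entry at which the
    chain breaks, so the verifier can say where the log was tampered with.
    `anchor` is the last tag as recorded off-host; without it, quietly dropping
    entries from the end of the log is invisible."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return (False, i, "sequence gap: an entry was removed")
        if e["prev"] != prev:
            return (False, i, "broken link: predecessor changed")
        expected = _entry_tag(key, e["seq"], e["prev"], e["record"])
        if not hmac.compare_digest(expected, e["tag"]):
            return (False, i, "entry modified")
        prev = e["tag"]
    if anchor is not None and prev != anchor:
        return (False, len(chain), "log truncated: last tag does not match anchor")
    return (True, None, "ok")


def build_demo_chain() -> list:
    chain = []
    for record in SAMPLE_RECORDS:
        append_entry(KEY, chain, record)
    return chain


def delete_entry(chain: list, seq: int) -> list:
    """The rogue-administrator case from the earlier post: one record removed."""
    return [dict(e) for e in chain if e["seq"] != seq]


def modify_entry(chain: list, seq: int, new_record: str) -> list:
    copy = [dict(e) for e in chain]
    copy[seq]["record"] = new_record
    return copy


if __name__ == "__main__":
    chain = build_demo_chain()
    anchor = chain[-1]["tag"]                              # written off-host
    print(verify_chain(KEY, chain, anchor))                # (True, None, 'ok')
    print(verify_chain(KEY, delete_entry(chain, 2), anchor))   # breaks at entry 2
    print(verify_chain(KEY, modify_entry(chain, 1, "x"), anchor))  # breaks at entry 1
    print(verify_chain(KEY, chain[:-1], anchor))           # truncation caught by anchor
    print(whole_file_tag(KEY, SAMPLE_RECORDS) != whole_file_tag(KEY, SAMPLE_RECORDS[:-1]))
```

Two caveats that matter in practice: the chain only tells you where the break is, so the "who" still has to come from the access logs the post talks about matching up, and those logs need the same treatment; and a chain protected by a key the administrator holds can simply be rebuilt, which is why the key and the anchor have to sit outside his reach.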
TripWire have come along and moved the goalposts recently by automating everything and constantly monitoring networks by taking a snapshot of the whole system at regular intervals, then reporting on it if there is a change. This is much closer to being secure, but this is not my area, this is still in the network space.
In my next post I will be revisiting data security and explaining what we need to make it fully secure. Digital signatures are a vital part, as they are in so much of IT security, but they will never address any problem you have in full.

Data Security - Part III

This is going to be the last part of my data security diatribe, although it will be a common theme of future posts as it's where I focus most of my energies these days.

So, we've established the need for Confidentiality, Integrity and Availability in everything we do related to transactions on our network, this is the first thing most of us learn in IT Security. These transactions can be anything by the way, from a financial transaction with an ecommerce site, to logging in to our PC at work, to looking at our bank details online. They all start with a user, use some sort of network, and then end in storage. I like to represent this with a table, thusly:

Transaction Security Table

It might not look like much, but think for a moment where you are concentrating your security efforts at present within your network. I'm talking here as though I'm addressing the network administrators, but really it's everyone's responsibility. Everyone who uses a network, everyone who uses the internet.

The security of it is your choice. You can push for change.

If you don't know about the security of the network you are on, why not?
Why aren't you asking the questions?

It's YOUR information they are using, it's valuable to you, and it's valuable to the people using it. You have a right to expect your details to be secure.

If you DO know about the security on your network, most people will still be sticking a pin right in the centre, at the network confidentiality point, maybe to the left and right a little where availability is needed more than ever, and people are savvy to the idea of network integrity. This is OK, it's the obvious place to invest after all. But it isn't the whole story.

Let's fill the table in as best I can at present (please note that this is only illustrative, it doesn't pretend to cover everything):

Transaction Security Table

              Availability               Confidentiality         Integrity
User                                     Access Controls
Network       Wireless, Load balancers   Firewalls, IPS, etc.    Anti-Virus, Change Control Mechanisms, Digital Signatures
Data                                     Access Controls         Digital Signatures

It looks a little strange, doesn't it? Where with user security we have generic terms, with network security we have specific remedies, and with data security we are back to generic terms, except in integrity where I can only think of one solution that is commonly used. I will cover digital signatures and their multitude of sins in my next post.

For now, consider why there are so many solutions for network confidentiality, and the network as a whole... is it because this is the most insecure place? Hardly.
Is it because that's the place from where everything can be secured? Definitely not.
Is it because that's the easy selling point? Aha!

I can draw you a picture on the whiteboard in your office that shows you, or rather the CFO, VERY simply why you and he need a firewall. I can then go to your techies and show them how it's better than any other firewall because it's simpler, more throughput, higher bandwidth, more intelligent, a nicer colour, more complicated, faster, shinier, taller, better looking and better at toasting.

Getting it past the techies is actually the easy bit, any salesman knows this. Getting the attention of the person holding the purse strings is a little harder, the non-technical person holding the purse strings for a technical sale is harder still.

That's the problem with data security and particularly the integrity part. But that's where I am now. Digital signatures, by the way, really don't cut it.

Data Security - Part II

So, I've been quite safe so far and said that I agree with the CIA triad, and that it should be applied to the whole transaction:

User --> Application --> Storage

I have yet to hear an argument on that, so I will press on.
The transaction above translates directly to the 3 areas of security which we hear about most often in IT, User-centric security, Network security and Data-centric security.

Most of us know what AAA is, most of us know what a firewall is, so I will assume User-centric and Network security are wrapped up for now. What few people appreciate is the state of data-centric security today. We really need to be pushing it out of IT circles and into the outside world, but there's a backlash from inside, the very people who should be shouting about it don't want to because it's our last line of power - gone. We will no longer have the CEO's balls in a vice like grip, no longer get the respect of the whole company just for being techies.

Come on, do you really think so? We'll always have the CEO's balls, because he barely knows how to switch his PC on in the morning. We'll never have the respect of the entire company because we wear jumpers with patches on the elbows but drive better cars than them. That's how we wanted it. The geeks inherited the earth.

In the US they know where the importance of our data lies, and what to do about it being breached. In the US, if some data gets stolen and it belongs to someone else, the person responsible has to be beaten senseless live on National TV in their underpants. I think. More seriously, California Senate Bill 1386 is now applied in 37 states across America, soon to be passed as a national law. Section 2 states that if there is a data breach containing any private citizen's data, it must be publicly disclosed. This seemingly simple ruling has massive ramifications for companies holding US citizens' data.

Bank of America in 2005 lost 670,000 customers' details when an internal employee sold the information to various collection agencies. Before SB1386, implemented in July 2003, this might have gone unnoticed. The fact is, I don't have a statistic to tell you how, if and when this kind of thing happened before 2004... anyone remember it hitting the news before that? I don't. Sure I remember hacks and webpages being defaced, but nothing like this.

TJX is the latest breach to hit the news. This has apparently been going on since 2003, and they've only just noticed. OW!

Just think for a moment if you worked for BoA, TJX, BJs Wholesale (2004), CardSystems (2005), ChoicePoint (2005), etc. etc.

For a full list of US breaches see this excellent site:

If you were the sysadmin or security guy responsible for looking after that network, and even if you'd done nothing wrong, you would now be at best out of a job. You would probably be under arrest, under suspicion and would certainly find it hard to find another job. The publicity part of SB1386 is where its real teeth are.

Financial penalties have never been an issue for banks and retailers. Look at PCI DSS in the UK: the more VISA and MC snarl and bare their teeth, the more the retailers polish their fingernails and wait. They know if they get bitten, it isn't going to even make a mark. Brand loyalty is a different matter.

So both personally and on a company level, these laws are bad news, but now imagine you are a customer - because you are. You are more likely to be a customer of the online banks and retailers just by the very fact that you are reading this, but just because you aren't online, doesn't mean your details aren't. Wouldn't you rather know the INSTANT your details were compromised?

I was taken for £3000, and I didn't know until it was slightly too late. I was in Germany at the time, and only found out when I got home a week later. A lady I worked for in the US had $10,000 taken from her account at roughly the same time. She found out immediately, the bank gave her back every last cent and she was fine, if a little shaken. I had to file a report at the local police station, walk to the bank, walk back to the police station, etc.. it took over a week to get it reported even. Then the bank grudgingly gave me back what they had mislaid. But it wasn't straightforward and I had to make a lot of noise about being an IT security professional, etc...

The good news is, disclosure rulings are on the horizon. They are set for discussion in Brussels in November this year. The bad news for us as techies is that it means PCI DSS will now have a big mean brute standing behind it smashing a fist into his hand. The good news for us as customers is that these laws in place to protect us can now be enforced in a way that really DOES hurt the people who lose our money.

But is there any good news for us as techies? I hear you cry... Well, we'll still have the CEO by the balls, but he won't really notice because so will all of his customers. He'll be watching us like a hawk, but he'll be more inclined to listen when we say we need a few more pennies for our networks...

Saturday, 10 March 2007

Data Security - Part I

I am no expert on user security, I have installed a few SecurID rollouts, some very large indeed, but that does not make me a grandmaster.

I am reasonably skilled in network security. I have worked in distribution and resellers, and even administered a couple of reasonably large networks in my time, but that does not make me a ninja.

When it comes to data security though, I consider myself slightly more advanced, and I will tell you for why. I have spent many years now walking the streets, plying my wares, telling the world how they should be securing their data. I have done this for a number of data security companies and spent time with most of the big names in this area.

When I started selling nCipher cards many years ago, a company called Ingrian came along and asked if they could use our reseller as a launch pad into the UK. We jumped at the chance to have a piece of Silicon Valley in our little converted farmhouse office in suburban Hampshire.

Ingrian was all about encrypting data on its way into storage, so it encrypted on the fly, AND in storage. This was amazing to me. It all made sense, of course you should encrypt in storage, then no-one could break in and steal stuff.

Of course this only applied to people actually physically walking off with the disk though, because if you could break in logically, you could still get clear access. In fact, all Ingrian relied on was access to the application, and it would allow any data to be decrypted. This relies far too heavily on user and network security for my liking.

So, when I was approached to be an SE for Vormetric, I was delighted by their solution. It was so simple, and yet to me it seemed perfect. With Vormetric you needed to have the correct user access, and an untampered application. Plus the encryption was far quicker. The database solution was much simpler and didn't rely on encrypting inside the database, which inevitably slowed things down.
And the killer app for Vormetric? You could encrypt and control access from the administrator. This was the best move I'd ever seen. Now any administrator who previously had rights to everything could be blocked by a security administrator. Separation of duties for data, fantastic news. This stuff was going to sell like hot cakes.

Wasn't it?

No. Sadly not. You see, when you go to the CEO of a company and tell him you have an encryption device... whoa, stop there, go and talk to my Network guys... OK, when you go and talk to the Network guys and tell them you're cutting down access to the, erm, Network Admins... you get the picture.

This is the eternal problem with data security. The people you want to secure it from are the people who are in charge of it. Still, users got used to it when we asked them to have passwords, hell, the network guys even got used to it when we asked them to use SSL. What these network guys don't like is handing over control to the security guys.

A key issue for security is that the more you secure something the less available you make it. The CIA triad told us this years ago. So, the less available you make it, the more you hide its value, this we know, but what is less obvious is the more available you make it, the more you dilute its value.

Whoever controls the data can therefore play God in some small way. Data is not just knowledge, it is power inside a company, and hence worth above any financial reward.

Full transaction security.

What does a transaction look like?

Very simply:

User --> Application --> Storage

Either the application and the storage are housed somewhere on your e-commerce network, the users are outside, or app and storage are in your corporate network and your users are inside and outside.

We have already established that users are a big pain to security, but without them we are nothing!

You might look at the simple picture above and say "Well, we've covered user and network security", and go home and put your feet up, happy that you are covered. The smart cookies might even put in clever management and reporting systems like Nagios, HP Openview, etc. I haven't even mentioned IPS yet, with Snort, RealSecure, TopLayer, Teros, etc. in place, you haven't got a care in the world... have you?

That's all very well, and congratulations to you if you HAVE got this much in place by the way, you are streets ahead of your competition. But you are still missing one major issue. Your data.

Data is THE MOST VALUABLE ASSET in your organisation. You can replace staff, they do pretty much the same job across the board. You can replace hardware, from staplers to security devices, software from SAP to syslog, but you cannot replace your data once it has gone. OK, that's slightly badly phrased, you can back it up and restore it, but once it's stolen, someone else has it and that decreases its value.

Data is only valuable when shared with chosen parties. In my next thread I will explain a bit more about data and what it is, what makes it valuable and how it needs securing.

Right now my wife needs taking out, I've just remembered I live in Barcelona and the sun's out. Cheers...

So what is enough?

I said in my last post that firewalls and AV weren't enough. So what is?
I've already said somewhere else in my posts that essentially we'll never have enough. However, there are sensible measures that we can take, especially in auditing and monitoring.

As firewalls drove attackers internally, businesses adopted new security measures to keep the good people good and make sure everyone was authorised to do their jobs, and nothing else. This worked... to an extent.

AAA, great idea, authenticate everyone coming in to the network strongly, authorise them to do the things they are permitted to do. Proxies, I am a big fan of the proxies, Bluecoat is a wonderful device, and improves in leaps and bounds with every release. Firewalls, by the way, will not feature much in my blogs, I dislike them intensely. They are far too overblown and popular for what they are. They are the Tom Cruise of the IT security world - a short man with a bad haircut and badly written software in a world where uglier and much taller devices have much more to offer the network. Sorry to mix metaphors, but you get my drift. [I am 6'6" incidentally.]

But as with all security ideas, this just created another problem. Now some of the internal users were cut off from causing harm. The opportunists mainly. But what of the rogue administrators, the CFOs and CTOs in full control of the network, the techie with a grudge? There are many.

Even if you have 2 factor authentication in your network, and I know of very few corporate networks which do in Europe, even now, then once you're in, you have a much wider scope for causing harm. Whatever access you are limited to tends to be at a group level still. Temporary accesses are often granted and not removed, many staff are transient by nature, outsourced, contracted or temporary workers. This creates even more headaches.

Network Access Control, or NAC is a big thing these days. Cisco and MS are making their typical dog's dinner of the whole affair. One vendor who I think will come out on top is ConSentry. Small at present, but nimble and receptive to input. The European SE is an ex-colleague of mine, Sean Remnant, and if he thinks it's good, it most probably is.

The only thing that worries me about these issues is the focus which we are still seeing. AAA is user security, NAC is network security, with user security tied in, but firewalls were network security and they didn't solve the bigger picture. 2 factor and 3 factor AAA hasn't made the threat go away. What are we doing wrong?

In my next post I will examine a full transaction from end to end and discuss what is needed to secure the whole thing.

Some explaining, a bit less moaning...

It's just been pointed out to me that I seem to be being quite negative about security in Europe so far. OK, I admit it, the endless sales cycles and worthless PoCs may have driven me close to the edge, but it's time to haul my neck in and meditate a little on the positive side of IT security.

I could be cynical here and say "The United States", it is their endless litigation and willingness to sue their own mothers which has brought about such simple self enforcing regulations like the aforementioned SB1386 for example. At the end of the day however, they are safe because they choose to be safe. We might scoff at them in Europe and accuse them of being soft and flabby, but just because we're lean and fit, doesn't make us bulletproof. Ask Captain America.

The truth is, perfect security DOES NOT EXIST. It never will, as long as we are sewing up holes a) we will be creating new ones, and b) someone will find a way in.

It is an oft cited statistic these days that 80% of attacks are now internal. Let's examine this stat though. 80%! Wow, that's a huge number isn't it!?
Well, what about the number 8? Is that huge?
Would you prefer to go back to a time when only 1% of attacks were internal?
What if the number of attacks was the same?
For the numerically challenged, let me explain. The stat sounds impressive because of what came before it: before firewalls and AV and all that jazz, our networks were getting hit many times a day by kids with computers, doing what kids with computers do, messing.

If they could get through our measly defences, that was an attack. For every 792 of these in a week, you only need 8 people going AWOL inside the network for internal attacks to account for 1% of the total. Now put in a firewall. That's most of your external attacks taken care of. Say 2 of them manage to get through, because they are proper hackers with a knowledge of your network and your applications perhaps. Now you suddenly still have the internal problem, but it's 80% of all attacks!!!

See how we've been duped by the marketing men? OK. But it's still valid. If we're savvy enough to put firewalls and AV on our networks, we're sensible enough to know that we need to protect our data. But if we're only protecting our networks, we're not doing enough.

The state of the market.

I seem to have spent the last couple of weeks writing about where the IT security market in Europe is, where it's going, how it's going to get there, and why. The problem is, no-one else knows this yet!

The sad fact of the matter is that whilst in the US they have bills like SB1386, and standards like SOX, HIPAA, GLBA, etc. we in Europe have very few with any real teeth. "What about PCI?" I hear you cry, well, maybe one or two of you. Sorry to break the news to you, but VISA and Mastercard still don't have this sewn up properly in the UK or Europe.

There is a team of 8 people working inside VISA for the WHOLE of Europe on PCI, and Mastercard has just 2. That's 10 people evangelising, directing and policing a population of thousands of vendors. [The UK alone is a nation of shopkeepers, even Napoleon knew that and he was French.]

Security in the US is incredible. It blows my mind. I've worked both for and with US companies my entire career, starting with a fledgling nCipher, then Ingrian, more recently Vormetric, and all the device manufacturers you care to name, Juniper, Bluecoat, F5 to name the better known ones.

All of these guys are doing what SHOULD be done in networks. Devices make sense, good security makes sense, but only if you're going to do it properly. It winds me up to see the CEOs and CFOs spending £40k on a new firewall 'solution' (and if I hear that phrase again I'm going to combust), and then spend nothing on decent user security, no data protection and leaving their internal networks completely unguarded. In the next few days I will be explaining myself fully, but for now, you know who you are...

Tuesday, 6 March 2007

Check me out!

This appeared on a German website today...
so it's official. Maybe tomorrow I'll write some more about security.

The view from here.

So, here I am, in Spain. I made it. I started as Director of Product Management for Kinamik Data Integrity just a month ago, and so far it's been great fun.

So many times I've asked myself why I'm doing this, and still I don't have a clear answer. I don't speak Spanish, few people here understand me ALL the time, even the English ones, but I had a strange compulsion to go through with it all the same.

A step back: 3 months ago I was happily working in Basingstoke for a UK distributor, minding my own business when I got an email from a foreign chap asking if I'd speak to him about IT Security. I'll always talk about security, given the chance, so off I went to Spain for the weekend, wife in tow to see what I could talk about. A week later I'd accepted a job in Barcelona, hell, it was raining in Basingstoke. But seriously I was impressed by the technology and it just sounded more interesting than selling firewalls.

Back a bit further: A year ago I was working for an IT Security vendor, focusing on encryption and access controls - there aren't a great many of them, but that's as far as I need to go here. We had... issues getting customers. No-one cares about encryption in Europe, more fool them.

So I left, went to the disti, and tried to see where the real fuss was in security. I have to say it wasn't that exciting. People are still buying firewalls, who'd have guessed? Of course the firewalls now have to do everything from stopping traffic to inspecting it to making the sysadmin's toast every morning, especially if he's had to spend the night rebuilding the Exchange server (yes, that still happens too).

People are buying load balancers as their e-commerce networks and application servers are getting overstretched and they have to squeeze every last penny out of their existing architecture. (Some idiots are even buying load balancers before they buy the rest of the e-commerce network to go behind it, then ordering an engineer to go to site and configure it. Giles, you tried, bless you. The culprits, you know who you are, and you got your money back!)

But is anyone buying anything that really matters?

In a word, no. In 2, not really. Not enough. Nowhere near. Take your pick.

I am horrified by the absolute lack of high end security kit we sold in the biggest disti in the UK. The reluctance of anyone at high levels to invest until after the horse has bolted is astounding. I've seen it all my career.

And why firewalls? Why load balancers? There are so much better things to spend your money on!

I'll tell you why now, and start doing something about it at the same time. No-one knows quite how futile this behaviour is, that's why. No-one knows exactly what security is or how to do it completely. And I mean no-one. I have an idea, probably better than most, that's why they call me Director here and gave me a CISSP a while ago. But that doesn't mean I know everything, nowhere near. I'm here to tell you what I DO know, where I see security going and to see if you agree. I want your feedback and I want your ideas.

I hope this blog will become somewhere for me to learn, not just disseminate information that I've picked up along the way from my (bloody hot) ivory tower. I'm miles away from home and don't have quite the feedback or the insight into cutting edge projects that I used to, but I don't think I'm really missing anything yet.

Plus it's lovely in Barcelona. Come up and see me some time...