
January 2007 Archives

January 1, 2007

A Security Resolution for 2007 - Embed Security into your System Development Cycle

It’s a relatively simple thing. It’s not that difficult. And it needs to be done by every organization. Yet few seem to have done it properly. So make it your New Year’s resolution. Build Security into your System Development Cycle. Make it mandatory for every project of any significance to carry out a security risk assessment, develop a security architecture, and implement a security testing schedule. Do not allow any exceptions. It’s the most important security intervention you can make.

January 3, 2007

Security and Governance – One size doesn’t always fit all

Ed Gibson’s comment on my recent posting on processes hit the nail on the head. One size doesn’t always fit all. In this particular case the debate was about the upside and downside of processes, and the consequences of attempting to liberate workers from the shackles of their processes. But the importance of tailoring solutions to the organisation is a key one for practitioners to grasp.

All organisations are different. They have different cultures, different governance systems and different ways of reaching decisions (or not in the case of some that I’ve worked for). You cannot simply transfer a security blueprint from one to another. I’ve built security management systems from scratch for three different organisations, and they were all quite different. One lasted for more than a decade. Another required constant adaptation to reflect major changes in the organisation’s strategy and organisation.

But organisations share common requirements, many of which do not vary over time. That was the key to the success of ISO 17799. When we drafted the original BSI Code of Practice, the DTI assembled a team of practitioners from seven different industries. We expected some differences between sectors and were pleasantly surprised to find that we could craft a standard that could work in all organisations. So yes, one size does not always fit all. But in some cases it can.

January 4, 2007

Vista Content Protection – Can we have the facts please?

Several of my colleagues have pointed me to a highly-publicised paper entitled “A Cost Analysis of Windows Vista Content Protection” by Peter Gutmann, a researcher at Auckland University. Now anything from this academic outpost always captures my attention because I’ve always found their security researchers to be pretty smart. Rather appropriately, Peter describes himself as a “professional paranoid”. He’s certainly been spreading an awful lot of it about with this paper.

In essence, the paper slams Microsoft’s decision to incorporate content protection in Vista. It pulls no punches, pointing out the downside of incorporating such protection (on performance and security) and even suggesting that “The Vista Content Protection specification could very well constitute the longest suicide note in history”. I recommend you read the paper. But bear in mind that it is peppered with comments such as “details are sketchy” and “it’s possible there may be inaccuracies present”. Also check out an interesting critical response from a DRM blogger called Paul Smith, as well as the critical comments on his own posting.

Clearly this debate will run for some time, as most commentary so far contains elements of spin, fear, doubt and uncertainty. That's unfortunate because there are some potential security implications that need to be surfaced. But politics, technology bias and a general lack of solid information continue to cloud the real issues, which are all about the difficulties of implementing DRM and the desire of Hollywood to enforce it on platform suppliers.

January 5, 2007

Real Crime in the Virtual World

I’ve already commented on the possibilities for Identity Theft in the Virtual World. Now it seems that people are waking up to the possibility of Money Laundering in the Virtual World. I’m continuing to watch sites such as Second Life with great interest, as increasing numbers of real investors invest in virtual real estate (now there’s an interesting juxtaposition of adjectives). And real media companies, such as Reuters, establish wire services to report real events in the virtual world.

It all makes me wonder how long it will be before the Revenue start to tax the virtual but real profits. And of course it’s just a matter of time before we establish security, intelligence and law enforcement functions to police this brave new world.

January 6, 2007

Lookalikes

Looking at a couple of web sites from security vendors, I noticed a curious resemblance in the photographs. Chronicle Solutions, a UK vendor of digital communications monitoring solutions, and High Tower, a US vendor of security event management solutions, may be separated by several thousand miles and an ocean, but they clearly share the same computer room.

ATM Security - and how not to improve it

The newspapers are full of stories about Ross Anderson’s experiments with ATMs, demonstrating something we already know quite well, which is that if you spend enough time in a laboratory with a bunch of PhD research students you will actually find a theoretical weakness in a commercial system. Well of course you will! No security systems are foolproof, especially if you take them outside of their operational context. Any streetwise student can demonstrate this. But just how much does this add to the security of our banking systems? Well, not a lot.

I just wish that a university of the calibre of Cambridge would actually work constructively with APACS and the banks to develop secure solutions, rather than resorting to publicity-seeking exposures that are more likely to inform organised crime about potential lines of attack. But then that would be far too logical.

January 9, 2007

Who Needs Firewalls?

Reading a recent Techtarget email summary of security content from 2006 pointed me to an excellent paper "Security without firewalls: Sensible or silly?" about the San Diego Supercomputer Center's “no firewall” approach. It’s a very interesting case study for any security architect. And their track record on security is pretty good, with just one major incident in six years. I also know one other high-profile, but relatively incident-free organisation that manages to cope without perimeter firewalls. So does this mean that firewalls are superfluous? Far from it. Because they’re an extremely useful countermeasure. And one that can - and should - be applied at different levels in an enterprise infrastructure.

The key to achieving the optimal security posture often lies in breaking away from traditional models. Before the age of firewalls, we used hand-crafted approaches to network security architecture. They generated many clunky solutions. But they also inspired many interesting and varied solutions that had to navigate the difficult journey from local connections to open enterprise networks. In the early nineties at Shell, for example, we developed an iterative methodology for enterprise architectures, based on combining the access requirements and controls at the business, application, computer and network levels. The trick was to work top-down and outside-in, progressively defining the policies and controls before translating them into technology.

Unfortunately such methodologies were overtaken by security products. Today we usually start with the corporate firewall and then add point solutions to compensate for deficiencies. Or we look for a federated identity management system that can solve all of our problems. But simple solutions can't solve rich problems. That requires holistic methodologies. We can aim to harden our applications. But we can't completely abandon our corporate firewalls given the intrinsic insecurity of many of our legacy systems. We don't need fewer firewalls, just more imaginative and innovative security architectures.

January 10, 2007

Countering the Threat of Information Security Fatigue

Charles Pask's comments on my recent blog postings raise an interesting and realistic new threat: that our industry might lose credibility due to non-events, because we are simply too good at what we do, and the bean counters are out to squeeze our budgets. It's a good point. I've certainly noticed the mounting pressure from accountants as we aim to spend increasing amounts of money on yet more point solutions that all sound very similar - generally a variation on “network security” - to counter threats that rarely materialise. You can also see this fatigue in the area of staff awareness, whenever we ask to put out yet another staff circular on the importance of password selection. So what can be done? Here are some practical tips.

Firstly, explain what's changed. You won't get a bigger budget unless you can point to something new that demands it. There's certainly plenty of evidence to suggest the risks have increased.

Secondly, don't cry wolf, or at least place a realistic quantification on your risk assessment. If you assess the risk of a major incident in 2007 as 20%, there's a good chance it won't happen and you can pat yourself on the back. If you think it's 80% then you have a good case to immediately go out and spend money to reduce this to an acceptable level.

Thirdly, use a richer vocabulary for countermeasures that sounds plausible and doesn't lump them all together in a single category, such as "network security" or "access control”. Any accountant worth his salt will quickly spot that you've already bought a product under that heading. So why should you need a new one?

Fourthly, explain the need for defence-in-depth. Most managers quickly get this and it makes sense. It also suggests that you will need more than one level of countermeasure, so the accountants will expect further spend to be forthcoming. I've used this one myself quite successfully.

Fifthly, take a course in Neuro-Linguistic Programming (NLP) so you can at least try to manipulate or even hypnotise the Board and the bean counters. But check out my earlier posting on this first.

January 12, 2007

Database Security - Patching is not enough

Next Tuesday, 16th January 2007, Oracle will issue 52 critical patches. It’s clearly a great leap forward for database vulnerability management. But it also illustrates the size of our security exposure at the application level. Any company that relies on database security measures to safeguard critical business processes or sensitive personal data should be very afraid. The security threat landscape is now focused on espionage and data theft. Efficient patching will not be sufficient. We need a step change in the application of good security practices throughout the system development cycle. And we need to take steps to secure our intrinsically insecure legacy systems. Organizations should not simply wait for the next set of fixes to known vulnerabilities. They should identify their critical applications, assess the security risks associated with them and immediately apply additional security measures to prevent external and internal attempts to exploit potential weaknesses. There is plenty of affordable security technology on the market to help with this. So there's no longer any technical excuse for not keeping your critical and sensitive data under control.

January 17, 2007

Better Authentication Needed to Counter Man-in-the-Middle Attacks

RSA have reported the discovery of a “Universal Man-in-the-Middle Phishing Kit” offered for free trial on an online fraudster forum. The kit enables fraudsters to create a fraudulent URL via a simple online interface, to intercept and capture customer account details in real-time. It's a disturbing but inevitable development, providing a more powerful and sophisticated capability to the ordinary criminal. And it highlights the need for all organizations to raise their game in both-ways authentication.

User and customer awareness helps but that won’t stop the problem. Because there is a sizable percentage of people who will not understand the advice, will forget it, or will blatantly ignore it.

Strong authentication technology has been with us for years. It costs money but it reduces fraud and provides assurance for all parties. Too many organizations have traditionally relied on a reactive approach, hoping they can respond with a solution before the cost of fraud hits a damaging level. But this strategy breaks down when the threat grows much faster than the speed of implementing a fix. And phishing attacks are highly visible to customers. Your reputation is on the line as well as your money.

The Perils of Mis-addressed Communications

Stuart King's blog posting on the danger of accidentally misaddressing emails reminded me of an incident I came across several years ago. But this was the opposite problem. Wrong source rather than destination address. And deliberate, not accidental.

The incident caused a large supplier to fail to win, or even be acknowledged for an important contract they had expected to win. The supplier enquired and was surprised to discover that at a late stage in the tender process the customer had received a spoofed fax informing them that the supplier wished to withdraw from the bid, and did not wish to be contacted any further.

A simple, crude, blatant dirty trick by a competitor. Possibly with inside help. But it worked. And it demonstrated yet again that the soft underbelly of all organisations is the human factor.

January 20, 2007

More Testing Please

It was refreshing and reassuring to see the Home Office coming clean about the lessons learned from the failure last year of its Electronic Passport Application system. I can understand the argument for keeping gateway reviews confidential, i.e. that the reviewers might pull punches. But secrecy creates a climate of suspicion and leaves Government departments open to easy criticisms based on fear, uncertainty and doubt. So let’s hope we see more openness in future.

The lesson to be learned by all is that it’s false economy to skimp on testing. Because if the human factor is the soft underbelly of organisations then testing is certainly the Achilles’ Heel. Yet few organisations get this. Too often sacrifices are made in the interest of hitting deadlines. But as I’ve said before, you can’t do it by luck and you certainly can’t do it by ignorance. It takes many times longer than the estimated life of the universe to test all permutations of program path or input and output space for even a relatively simple program. But the sooner errors are discovered the less damage is done and the cheaper it is to correct them.

We need a lot more functional testing, security testing, usability testing, product testing, configuration testing and process testing. Yet I’ll wager that if you examine the IT policies and standards of any organisation the thinnest area will be testing. It’s quite remarkable that after half a century of professional business computing we still haven’t got the message.

January 21, 2007

Designer Firewalls

For some months I’ve been beta testing an entirely new form of firewall. In fact it’s much more than that with 13 layers of security protection contained within a smart, pocket-size USB device that plugs into your laptop.

The Yoggie Gatekeeper does everything you’d expect a modern security appliance to do, including intrusion detection/prevention, anti-virus, anti-spam, anti-spyware, anti-phishing and policy enforcement. It even intercepts and protects your wireless communications.

And it looks good too. Who said firewalls had to be boring?

January 22, 2007

Employee Monitoring - a hot topic for 2007

Tonight I’m again debating the subject of Employee Monitoring at a CISO dinner. I’ve already posted some thoughts on this subject. But I’ve noticed quite a lot of interest and debate now being generated as CISOs and journalists begin to consider the impact of new technology from Chronicle Solutions that enables any organisation to mount blanket surveillance on their employees’ communications.

The quintessential issue is just how far we should go in exploiting this unprecedented capability. Because it has tremendous potential for business efficiency but it can also trample all over your employees’ human rights.

Most responsible organisations will only examine staff emails as part of a formal, authorised security investigation. There should be no random fishing for potential wrongdoings. But security investigations can be broad in scope. And once you have the capability to search across all staff communications there is a clear potential for scope creep. You’re not restricted by a need to request access to each individual user’s emails.

And when you look at what’s actually going on in any organisation, you’ll find an awful lot of disturbing things that you wished you hadn’t seen.

January 24, 2007

Time to Publicise Security Incidents?

Ed Gibson's comments on my recent posting on "information security fatigue" raise a timely and important issue: Should we now publicise security incidents?

I'm in favour. Compliance is already moving in this direction. And if you have any Californian staff or customers you will already be responding to this issue. So let's come clean and report what's really happening. It's not without cost. It can impact your reputation. But it will quickly concentrate the minds of both business and customers.

January 26, 2007

Security and the Environment

It’s always interesting to see what’s currently on the CIO agenda, so I took a couple of days out this week to attend Information Age’s Effective IT Summit at the Vale Hotel in Cardiff.

Gaining alignment with the business and enabling innovation seemed to be the primary concerns. Not much new there. Though it was interesting to hear Paul Colby, CIO of British Airways, explain how he's actually managed to achieve this in practice. Now that's something.

But the big new issue this year is our impact on the environment, especially the need to reduce our energy consumption. Many organisations are developing initiatives and setting targets to reduce their carbon footprints. So what can Security do to help? Well quite a bit actually. We’ve already seen how anti-virus and spam filters can massively reduce incoming email. And many of us have discovered the hidden performance benefits of blocking and removing undesirable content. So let’s start making the business case for tackling this in a more comprehensive way.

We can free up servers, unblock networks, increase productivity, keep ourselves out of jail and reduce our electricity costs by getting on top of all the spam, junk mail, viruses, worms, illegal content and unwanted downloads and communications.

January 28, 2007

White Hats Do Good

Friday’s excellent White Hat Ball demonstrated that security professionals can deliver value to the Community, by raising a substantial amount of money for the Childline Charity. It was great to see so many user organisations taking tables for their teams. Five years ago, you would have had to look very hard to spot a CISO at any of the London Charity Balls. What a contrast! Congratulations to all of the organisers for a great job done, and special thanks to the highly professional Merrill Lynch team for inviting me to join them.

Moore's Law and Security

Intel’s announcement that they will start manufacturing processors with transistors 45 nanometres wide means that Moore’s Law remains intact. For several years pessimists have speculated that this law is beginning to break down. Clearly this is not the case. For as any student of the future will tell you, technology doesn’t develop in straight lines or follow steady curves. It evolves in leaps and bounds. As the legendary Richard Feynman, a nuclear physicist, once put it “There’s plenty of room at the bottom”. There’s also a good deal of inefficiency in many legacy platforms and systems. So improvements can and will continue at an unpredictable pace.

What does this mean for Security? Not much for the short-term. But faster computing means a change to the balance of threats and capabilities. It means better monitoring, easier compliance, faster cryptography and quicker codebreaking. It also means new opportunities to junk expensive, slow legacy systems and install secure protocols and authentication systems. So all security professionals should keep an eye on the future. After all, history shows that it can take the best part of a decade to replace deep-seated algorithms in legacy infrastructure.

January 31, 2007

Gaining the Attention of Management Boards

This week it’s been put to me several times that the major problem for the Security function is gaining the attention and support of Management Boards. This surprises me because contemporary corporate governance expectations generally require that all organisations should operate an effective risk management process that should identify and address all major sources of risk.

So what is going wrong? If an organisation has such a process in place - and if not, why not - then there should be a perfectly good mechanism for articulating security risks to the Board and the Audit/Risk Committee in a form that they cannot possibly ignore without breaching compliance requirements.

Of course it might be that the risks have not been adequately assessed. Perhaps they’re out of date for example? This can easily be remedied. Or maybe the risks are not significant enough to engage Board attention? So the system is working, so what’s the beef? However, I’ve also noticed that this logical response of mine doesn’t quite hit the spot. So I suspect there is a deeper problem that I’m missing. Can someone put me right?

About January 2007

This page contains all entries posted to David Lacey's IT Security Blog in January 2007. They are listed from oldest to newest.
