Network security Archives

January 4, 2007

Rats in a sewer...

How many botnets reside within your network? Are you worried about the almost certain fact that they do?

I described it to a colleague today as being similar to rats in a sewer. These insidious creatures crawl around within the dark tunnels of our global network, usually remaining out of sight. We know they are there but unless we go on a hunt it's unlikely we'll actually see them. My colleague's view on the matter is as follows:

"So in infosec nuisance malware is just that, but must not be allowed to take the focus. The focus needs to be what matters, the effects on the company and its information/reputation. So this comes down to managing the risks and knowing what the critical assets are rather than trying to protect every device and scrap of information as equals. … you have as much hope of protecting everything perfectly as removing the rats from the sewers of London."

It's a view I fully agree with. Instead of chasing rats, focus on protecting assets. We have little choice but to live with the nasty stuff so be aware that it is there, mitigate risk as far as you can, and don't spend too much time trudging through the sewers because it's not very nice down there!

There's some more information on botnets here, including a link to an interview with a botnet owner - won't his parents just be so proud!

http://www.wormblog.com/2006/03/an_inside_look_.html (an excellent blog)
http://www.mckeay.net/secure/2006/02/botnet_owner_interview.html
http://www.schneier.com/blog/archives/2005/12/dutch_botnet.html


January 11, 2007

Incident definition and response

Another news story suggesting that a hacker "may have breached" information but that personal information "was not compromised." If you want to read the full story then go here. I'm not sure it's even a story worth reporting. This particular university has a large computer science department - so we have a large number of students, with access to huge computer facilities, and they get surprised when they find "unauthorized movies and games on the network." Not exactly a case worthy of Sherlock Holmes.

But it does raise the issue of what comprises an incident, how we identify and categorise an incident, and what is an appropriate response. I found this definition of an incident here:

An Information Security incident is an event which appears to be a breach of the organisation's Information Security safeguards.
Going back to America, here is the definition from the Commonwealth of Virginia website at http://www.vita.virginia.gov/security/incident/guidance.cfm.
Incident refers to an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event
Taking this further, it goes on to state
An event is any observable occurrence in a system, network, and/or workstation
Actually, I think the guidance on this website is pretty good common sense stuff. But back to the original point: would you call in the police in the case of a server compromise where no private data has been compromised but you know that an attacker has been able to create accounts and upload files? Well I have a professional approach and a personal opinion. My personal opinion is that our law enforcement have better things to do than chase after miscreants who have found an unpatched hole into a server and use it as their own personal file store: in this case we shouldn't have opened the hole in the first place. We can argue the ethics some other time but let's fix the problem rather than create another one by mounting an expensive and time consuming investigation when we also have a business to focus on. We need to use discretion and common sense and not always blindly follow a policy.

Anyway, to finish off, here's an interesting blog on incident response for the more technically minded: http://windowsir.blogspot.com/. Lots of links to other resources and some good narrative too.

February 5, 2007

Vista views

I've been trying to sort out my opinion on how worried I think we should be over the Microsoft Vista speech recognition security hole as reported here by the BBC. On the one hand it would appear to be a "technically possible" but unlikely risk; on the other hand, after hearing so much about how secure Vista is going to be and drinking the "trustworthy computing initiative" Kool-Aid, I'm concerned that we will see a lot more reports of Vista security problems. SC Magazine reports Microsoft's Adrian Stone as saying "While we are taking the reports seriously and investigating them accordingly, I am confident in saying that there is little, if any, need to worry about the effects of this issue on your new Windows Vista installation." Well, that's all fair enough and I don't doubt Adrian's word; however, I do think that there is cause to be worried.

The reason is that despite the focus on quality of code, the embedded security within the lifecycle, the review and testing process, the whole focus on security, security and more security from Microsoft, a few days after release of their new flagship consumer product, an exploit is apparently discovered that might allow someone to delete files simply by uttering the word "delete."

More to the point though, it's not just Vista that I'm worried about because this is evidence that despite all the best efforts - and I give Microsoft a good deal of credit for their security initiatives and have mentioned before how much value I get from their associated tools such as the threat modelling software - having a goal of eradicating all security bugs is going to be nigh on impossible to achieve.

The nay-sayers will continue to try to put Vista down. Personally I'm with Ed Bott and his blog on the features that sell the software, but I hope that he hasn't spoken too soon when he says there has so far been no "devastating security breaches." However, from a risk management perspective, the jury is going to be out for a while. Richard Stiennon of Fortinet, who keeps a blog here, makes the comment that reportedly "you can already purchase Vista zero day exploits on the web." Now, while I'm generally suspicious of comments made by a vendor of IPS solutions about problems that would be resolved by an IPS solution, I have some measure of respect for Richard's opinion.

So, this is a rather garbled, unstructured, blog entry on a subject that will remain a topic of debate and discussion. Maybe it will have triggered one or two questions in your own mind. To close this one off I'll refer you to Mark Curphey's other blog and this amusing cartoon take on Microsoft's entry into the desktop security market...

February 9, 2007

Portable wireless hacking device

Did you see this gadget, on show at the RSA Security Conference? It's "a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform." One of the scenarios created through this device is the ability "to scan every machine on every wireless network for file shares and download anything of interest to the device. Then just put it in your suit pocket and walk through your target's office space..." Read more about this here, where Immunity CEO Dave Aitel makes the important point that "There's wireless testing. Then there's pen testing. Those are very separate things. With this, we're joining those two things."

The device can clearly be used for the purpose of testing one's own environment but I was pondering on the potential threats that this device might pose. It makes for a stealthy way to attack security within an office environment and perhaps just as worrying is the threat it might pose to workers who are getting into the habit of sitting in the coffee-shop and on other public Wi-Fi networks to catch up on work.

And here's a comment I found on Slashdot

Activate one of these devices and drop it in at the post office addressed to yourself. It'll ride in postal delivery vehicles, stopping in front of each house long enough to do some serious searching until it reaches yours. Then unwrap and see what you've harvested. Only cost is the postage and packing, virtually no gas or calories from you.
Quite, we've got to watch that calorie burn!

February 12, 2007

Zero day attacks

A couple of years ago I, along with the team I worked with, assessed zero-day malware as potentially the biggest risk faced by our business. In fact I wrote up a white paper based on research I performed at the time where I stated that "there is a serious danger to the organisation from blended-threats and zero-day exploits" and went on to say that the impact of such could be "catastrophic."

The time frame over which my paper made the prediction of catastrophe has passed and we're yet to see the likes of the type of attack that we imagined at that time. We are, however, seeing zero-day vulnerabilities being exploited, such as the latest Word vulnerability as reported here on the Computer Security News Portal, and on PowerPoint as discussed by Bruce Schneier here, and we also often hear stories of the likes I mentioned in my blog a few days ago when I reported that "you can already purchase Vista zero day exploits on the web" (see my Feb 5 entry). This blog article is also typical of the types of reports we are getting used to seeing. Such news is no longer a surprise and it no longer causes panic beyond the usual warnings and guidance.

The truth is that zero-day attacks so far have not had dire consequences on our ability to go about our business. We've yet to see the devastating malicious payload, and at the same time our defences have strengthened and our networks have become more resilient to attack. Should we still be so worried? This article on the Internet News site makes this point about the motives behind malware: "Hacking is not about getting your 15 minutes of fame anymore. Cybercrime is a multi-million dollar global business." It's a good point because we're led to believe that many of the individuals writing malware are increasingly motivated by financial gain and the "return on attack" as opposed to simply causing damage for damage's sake. It therefore follows that where some zero-days are being exploited, there's a likelihood that it's happening in a relatively stealthy fashion.

However, some people are still worried. In a recent article published in Network Security Journal, Georgios Portokalidis and Herbert Bos state "new breeds of worms are expected to spread to millions of hosts in minutes, if not seconds" and that our existing systems of detection and prevention are too prone to false positives, unable to check for variance in worm signatures, and only effective against known malware as opposed to zero-day attacks. They go on to discuss a system called Sweetbait which addresses "the problem of fast worms by means of honeypots." The paper makes for interesting reading and the full citation is as follows:

SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots
Computer Networks, Volume 51, Issue 5, 11 April 2007, Pages 1256-1274
Georgios Portokalidis and Herbert Bos

February 28, 2007

Desktop AV - is Vista enough?

Do the anti-malware controls built into Windows Vista mean that we can begin to think about reducing the amount we spend on third party desktop AV products? Discuss!

I'm sitting on the fence on this issue - so far. On the one hand there are opinions of the sort being aired on The Register, as evidenced in this article by Thomas C Greene who says "don't rush out to buy Vista in hopes of getting much in return security-wise"; on the other there is this mostly positive - and somewhat critical - well written review from Joanna Rutkowska who concludes by stating "Microsoft did a good job with securing Vista."

Did they? Have they? What do you think?


March 1, 2007

Thoughts on UTM

We've been having some discussions here about UTM (Unified Threat Management) devices. For those of you who don't know, UTM appliances are products that integrate multiple security functions onto a single hardware platform. For instance, a single device typically includes firewall, SSL VPN, anti-malware and web URL filtering. Example products include Fortinet's FortiGate and Check Point's UTM-1.

UTM devices certainly appear to offer the promise of a number of benefits. In particular in terms of cost savings, management overheads and interoperability. For example, a single management console and a single device potentially saves a lot of overhead.

Conversely there are drawbacks. The one that concerns me most is that we could end up with a single point of failure. On his blog, Kurt Seifried discusses some of the risks. He states that devices "that combine multiple functions into a single platform have a great deal of added complexity" and goes on to say that networks will "have a small number of highly critical security devices placed at network choke points and other strategic locations that are potentially vulnerable to compromise."

It's a good point and UTM devices are going to need to be extremely "robust and less prone to security failures."

Initially, it's likely to be smaller businesses that take advantages of the cost savings of having a single management device. But here's a word of caution from IT Week:

It may well be up and running, but the main question is - is it giving your business proper network security? How can you tell?
The point being made is that companies buying such solutions probably haven't got the people on their payroll specifically dedicated to network security, and so the default out-of-the-box settings define the state of the network security.

In my opinion, UTM devices should certainly be considered as one part of a strategy to consolidate infrastructure and decrease costs. The most important thing of all is to ensure that UTM is fully understood in terms of its capabilities and its potential drawbacks and risks, as well as the promised benefits.

March 8, 2007

OneCare - correction to earlier blog

I need to correct an error I made in my blog entry earlier this week where, with regard to a test performed by AV-Comparatives on MS OneCare, I stated "There is no detail as to what configurations or settings were used to perform the evaluation and neither do we get much insight into the test methodology used."

As has subsequently been pointed out to me, there is a separate document containing said methodology, available here: http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf.

March 28, 2007

Use of Skype

The subject of Skype came up again. We've taken a pretty hard line against the use of this software on the corporate network, and for good reason too in my opinion. Questions around fundamentals such as confidentiality, issues around protocols, and risks from malware have led to a policy banning its use. However, use of Skype is becoming quite common within an increasing number of businesses and inevitably the policy gets questioned when customers and vendors request to have Skype based conversations.

I've not softened my stance against using the software within the corporate network (we offer plenty of alternative messaging and VoIP services) but have allowed it to be installed on laptops on a per-need basis so long as its use is strictly off-piste, desktop anti-malware controls are in place, and users are made aware of the relevant risks.

Of course, that still leaves the potential risk of a malware infected laptop being plugged back into the network. One of my colleagues stated that he would not allow the machines used to be brought back onto the network even with AV. I think the risk is manageable so long as there's close supervision, but it has become an emotive subject of discussion and I know that some believe my opinion on the matter to be rather too flippant.

It comes down to business requirements. We need to be a business enabler and not a block. There is a request to make use of some banned software for a good business reason and I've prescribed, what I believe to be, suitable controls that allow that to happen whilst also ensuring that stakeholders are aware of what the risks are.

I'll be interested to find out what others are doing.

There's a couple of blogs and articles that I found interesting on the subject of Skype and general VOIP security:

From Skype: http://share.skype.com/sites/security/

A VOIP security blog: http://voipsecurityblog.typepad.com/marks_voip_security_blog/

Recently discovered Skype security glitch: http://nanocrew.net/2007/01/19/skype-security-fud/

Skype based Trojan: http://securitywatch.eweek.com/exploits_and_attacks/trojan_spreading_via_skype.html

Last word from Bruce Schneier's blog: http://www.schneier.com/blog/archives/2006/08/skype_call_trac.html

April 4, 2007

NT4 Security

The very first time I put finger to keyboard on a task to write some useful code was whilst serving in the RAF back in the early nineties. Judging by the decision made by the MOD to extend the life of the RAF's NT4 network (see article as reported in Computer Weekly here) I wouldn't be surprised if some of that code is still being used! The reason being given for this folly is that they have to wait for delivery of the new Defence Information Infrastructure before upgrading. Who'll wager me that this will turn out to be yet another late, over-budget delivery? (Tip: you might want to reconsider your wager when you realise that the principal contractor, forming part of the Atlas Consortium responsible for this £4 billion project, is EDS, whose most recent turn in the limelight was their incomplete Child Benefit Agency system. Read all about that fiasco here. Another contractor, Logica, also made recent headlines through being canned by Transport for London over a failure to meet SLAs, as reported here.) In the meanwhile the RAF's infrastructure is being run on an insecure, unsupported platform.

The number of excuses for still running NT4 is diminishing but, granted, some of us have no choice through circumstances, so what should we be doing to ensure that we're doing all we can to maintain security? I would suggest, at a minimum, ensuring that effective anti-malware/firewall controls are in place and that the NT4 domain is as isolated as possible. Utilise host-based IPS and don't give users access.

Taking into account that NT4 was released in 1996 then I fall into the category of people who didn't curse Microsoft for ending support when they did: you wouldn't expect Ford to provide free servicing to a 1996 model if it broke down tomorrow and given the speed the IT world moves at then I think MS did a good job of supporting it as far as they did. So, sensible cost effective precautions need to remain in place until you get around to trading up to something better.

Rats in a sewer - Pt2.

This refers to a blog entry I posted early in January. My good friend, Bryan Fite, has posted a comment and I didn't want to let it pass un-noticed because I think he makes an important - and eloquently put - point. Bryan says:

Are the rats contained to the sewer/cellar? I contend they are in your pantry caressing your breakfast. They are on your AD Admin's desktop. How would you know? The botnots of the past were used to DoS or deploy SPAM. The new breed of rootkit is dedicated to harvesting access credentials and establishing a base of operations. OPCR (Other People's Computing Resources) are an incredible motivator for criminals. How can you protect the castle when the family jewels are in the fields?
It would be interesting to get some other thoughts on this topic - feel free to post comments!

April 9, 2007

Hacking with Metasploit

I'm no hacker but not so long ago I was invited to participate in a "capture the flag" contest. This is where groups of bespectacled, potato-chip munching, pizza eating individuals attempt to be the first to exploit vulnerabilities on a target computer system. I was fortunate enough to be paired up with an old hand at such contests who was able to demonstrate the ease with which it was possible to hack into a seemingly secure system using readily available, free, easy to use tools including one called Metasploit. Quite frankly, from a security management perspective I found this tool frightening in its capability. It allows you to design your own payload to fit the exploit and then simply hit a button to launch your attack. There's a new version now released that you can read about here: http://www.securityfocus.com/columnists/439. There's also a Metasploit blog here: http://blog.metasploit.com/.

While I'm obviously very aware of the need to ensure that systems are patched and networks protected, this day brought home to me the message of how easy it can be for an experienced and determined attacker to drill into a network given the slightest hint of an exploitable vulnerability. In fact, scratch that bit about the need to be experienced because even I, with a couple of useful tools on my laptop and a surfeit of strong coffee, was able to find my way into a command window on a target PC.

September 7, 2007

HSBC new two-factor authentication system

Hooray for HSBC and their new security authentication system as described here: http://www.computerweekly.com/Articles/2007/09/06/226622/hsbc-develops-new-security-authentication-system.htm. I've noted in the past the downside of giving customers tokens to keep, look after and ultimately break or lose. Using the mobile phone is a good solution: nearly all of us have one and this method can enable 2FA into multiple services from the same device without burdening people with a pocketful of tokens.

I've been looking at a similar solution from a company called SecurEnvoy. This will send one-time passcodes by SMS to a mobile phone. The passcode serves as the additional factor for network access. I was reading here that T-Mobile are already using this system. Some will criticize, some already have. Ian Yip says "I can't help feeling that there's a way to game the system" and warns about losing your phone (see here). Fair enough point, but it's early days, it does mitigate risk to some degree and it's up to you whether or not it's enough. It's the approach that I like, and so long as we acknowledge the weaknesses we can make a judgement on appetite for risk. Those weaknesses are:

- the mobile phone is not as good a second factor as a dedicated token

- if you're caught in an area without a phone signal or a period of high network traffic then the token might not arrive

- a one-time password is going to be more vulnerable to compromise through phishing attacks where the captured data is sought for immediate use

There are other vendors moving into this area including Entrust (IdentityGuard) and i-Sprint (AccessMatrix). My bet is to couple this technology with something like OpenID and we've got a decent consumer single sign-on solution. Let's see where it goes...
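To make the third weakness concrete, here is an added example (not SecurEnvoy's, Entrust's or any other vendor's code) of a hypothetical SMS passcode service that does the two things such a service normally does, expire codes and refuse reuse, and then walks through a real-time phishing relay to show that neither check stops it. The 120-second window, the session and user names and the server secret are all assumptions made for the example:

```python
import hashlib
import hmac
import secrets

# Assumed validity window for a texted code; the post gives no figure.
CODE_TTL_SECONDS = 120


class SmsOtpService:
    """Hypothetical SMS one-time-passcode service (added example, not any vendor's code).

    A login session asks for a code, the code is texted to the account holder,
    and whoever controls that session may present the code once, within the window.
    """

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._pending = {}   # session_id -> {"user", "code", "issued", "used"}
        self.outbox = []     # simulated SMS gateway: (user, message text)

    def issue(self, user: str, session_id: str, now: float) -> str:
        # Derive a 6-digit code from a fresh nonce under the server secret,
        # so codes are unpredictable and differ from session to session.
        nonce = secrets.token_bytes(16)
        mac = hmac.new(self._secret, session_id.encode() + nonce, hashlib.sha256).digest()
        code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
        self._pending[session_id] = {"user": user, "code": code, "issued": now, "used": False}
        self.outbox.append((user, f"Your login code is {code}"))
        return code

    def verify(self, session_id: str, code: str, now: float) -> str:
        """Return 'ok' or the reason for refusal; a code is consumed on success."""
        rec = self._pending.get(session_id)
        if rec is None:
            return "no-pending-code"
        if rec["used"]:
            return "replayed"
        if now - rec["issued"] > CODE_TTL_SECONDS:
            return "expired"
        if not hmac.compare_digest(rec["code"], code):
            return "mismatch"
        rec["used"] = True
        return "ok"


def run_scenarios() -> dict:
    """Exercise the four cases that matter; every input here is constructed."""
    svc = SmsOtpService(b"example-server-secret")   # assumed secret
    t0 = 1_190_000_000.0                            # arbitrary epoch time

    # 1. Honest login: code presented within the window by the session that asked for it.
    code = svc.issue("alice", "sess-honest", t0)
    honest = svc.verify("sess-honest", code, t0 + 30)

    # 2. The same code presented again is refused (single use).
    replay = svc.verify("sess-honest", code, t0 + 31)

    # 3. A code presented after the window has closed is refused.
    slow = svc.issue("alice", "sess-slow", t0)
    late = svc.verify("sess-slow", slow, t0 + CODE_TTL_SECONDS + 1)

    # 4. Real-time phishing: the attacker starts a login as alice from his own session,
    #    alice receives the genuine text, types the code into the phishing page, and the
    #    attacker relays it immediately. Expiry and single use do not help here.
    svc.issue("alice", "sess-attacker", t0)
    typed_by_victim = svc.outbox[-1][1].split()[-1]
    relayed = svc.verify("sess-attacker", typed_by_victim, t0 + 20)

    return {"honest": honest, "replay": replay, "late": late, "relayed": relayed}


if __name__ == "__main__":
    print(run_scenarios())
```

The relay succeeds because the code really was issued for the session the attacker opened; single use and expiry only defeat replay of a code that has already been spent or gone stale. What would help is something the attacker cannot supply, such as a text that tells the user which login or transaction the code belongs to, so the victim has a chance to notice the mismatch.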

September 17, 2007

Skype again

There's a new book out entitled "Securing IM and P2P Applications for the Enterprise " (ISBN: 978-1-59749-017-7 ) where it's written: "Although Skype is well known for its voice communication, it is a very functional client for instant messaging via text and file transfers. Since it encrypts its information natively, this is a good tool to use for online communications."

I wonder how many of you agree with that statement. There's been quite some debate on Skype within my own organisation. Prior to my coming into the company, Skype was banned. Period. Don't even think to argue.

More recently Skype has become a hot topic, with some individuals perceiving benefits of using it for free and easy Internet telephony: particularly those who travel a lot and spend nights away. In addition, there are plenty of documented potential business uses for Skype. One reference (Skype Me! by Michael Gough) discusses how using it could be advantageous for a help-desk:

An office in Mumbai, India, can provide the same support that someone at the corporate office in San Diego or an employee at home in Seattle receives. Company X can provide help desk Skype Me! links on the intranet homepage, and calls can be quickly routed for help tickets. The same is true for IT staff members who travel frequently from site to site. No matter where they are, as long as they have an Internet connection, these employees are able to provide reliable assistance....Technicians can take advantage of Skype's text-chat option to provide specific documentation or even case-sensitive shell commands to a user in dire straits.
Of course, this is dependent upon the Skype network being available....

The book goes on to mention that "Several companies are currently developing software and hardware solutions to augment Skype's capabilities into a fullfledged business-class telecommunication medium." I look forward to this but what of the risks?

Some individuals cite Skype's proprietary encryption as an issue. It's actually only an issue if confidential matters are being discussed. In fact, having read the paper Skype Security Evaluation by Tom Berson I'm not sure that it's an issue at all. Tom states:

Skype uses a proprietary session-establishment protocol. The cryptographic purposes of this protocol are to protect against replay, to verify peer identity, and to allow the communicating peers to agree on a secret session key. The communicating peers then use their session key to achieve confidential communication during the lifetime of the session. I analyzed this protocol, and found that it achieves its cryptographic aims. Further, I explored the strength of the protocol against a range of well-known attacks, including replay attack and man-in-the-middle attack. I determined that each of the attack scenarios is computationally infeasible.....I started as a skeptic. I thought the system would be easy to defeat. However, my confidence in the Skype grows daily. The more I find out about it, the more I like.

So, perhaps those who still argue against any corporate use can cite malware as their reason. It's true that there have been trojans targeted directly against Skype; however, with multi-layered network and desktop defences together with basic user security awareness about not clicking on links in unsolicited messages, the malware should be easily defeated.

I'm not trying to be flippant. I'm as concerned about potential risks to private data and network integrity as the next man. Just I think that Skype, if properly managed and if it suits a business requirement, presents a low risk. This is consistent with the message I put out on this blog back in March however, I have softened my attitude somewhat. We need to put the right price on saying "yes" and support what the business wants.

I'll leave you with this final "security flaw" that someone noted on a blog titled "Skype Security FUD": "There is another loop hole in it when you talk on it they can stand in your office and hear what your saying". Amen!

September 29, 2007

Importance of logs

There's an old episode of Blackadder Goes Forth where Baldrick proudly presents a bullet into which he's carved his own name. His reasoning being that if he is in possession of the bullet that has his name on, then nobody else will be able to shoot him with it.

It's that sort of logic which probably keeps those who maintain security devices such as IPS or firewalls but never keep or audit the log files in blissful ignorance of their impending doom! I'll take a recent incident I'm aware of where a production server was found to have been compromised and contained rootkits. Surprisingly for the team who immediately went to inspect the IPS device that was supposed to be affording the server some protection, the logs were empty. The reason being that the device had been plugged into the wrong port - it wasn't actually offering any protection at all.

Now this demonstrates failings in more than just an inability to check logs. We could talk about change control and testing and the skills of those maintaining the server room, and we'll come back to all of those topics at a later date, but since the device was presumed to have been in the correct place and running for a number of months, the fact that no-one had noticed that the logs were empty before is plainly negligent.

I have recently discovered an excellent blog dedicated to log file management from Dr Anton Chuvakin, the "Security Warrior". If you have even a passing interest in the subject then I recommend you head straight over there. Anton lists his 6 mistakes of log management:

1. Not logging at all
2. Not looking at the logs
3. Storing logs for too short a time
4. Prioritizing the log records before collection
5. Ignoring the logs from applications
6. Only looking at what you know is bad

A common excuse for all of the above is a lack of time, resource and skills. It's true, log analysis can be time consuming and it takes a practiced eye to identify important anomalies. But let's be clear, this is far preferable to the time and expense it takes to resolve a security incident or rebuild a rooted server. Here are some reasons from Anton as to why you should bother to look at logs:

- Situational awareness: you know what is going on with your network devices and applications
- Discovery of new threats
- More value out of your network and security infrastructure - you've paid for it!
- Measuring security and performance; especially for reporting trends and metrics
- For compliance and regulations
- For incident investigation and forensics

The following lists summarise the value of logging and monitoring and why you need to be doing it.

Logging

-Audit
-Forensics
-Incident response
-Compliance

Monitoring
-Incident Detection
-Loss prevention
-Compliance

Analysis & Mining
-Deeper Insight
-Internal attacks
-Fault prediction

Now, who has a cunning plan?
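As an added example of the kind of check that would have caught the empty-log incident above (it is not Anton's code and not from any product), here is a small Python script that parses constructed syslog-style lines, compares the devices that have actually logged against the list of devices that are supposed to be logging, and reports any that have produced nothing at all or have gone quiet for longer than a set gap. The log lines, the host names, the inventory and the one-hour threshold are all invented for the example:

```python
from datetime import datetime, timedelta

# Constructed log lines for the example (not from any real device), one per line:
# "<ISO timestamp> <source host> <message>"
SAMPLE_LOGS = """\
2007-09-29T08:00:01 fw-edge-01 DROP TCP 203.0.113.5:4123 -> 192.0.2.10:445
2007-09-29T08:00:07 fw-edge-01 ACCEPT TCP 198.51.100.20:51234 -> 192.0.2.10:80
2007-09-29T08:00:09 ips-dmz-01 ALERT sid=2001219 src=203.0.113.5 dst=192.0.2.10
2007-09-29T08:30:02 fw-edge-01 ACCEPT TCP 198.51.100.21:51288 -> 192.0.2.10:80
2007-09-29T09:15:44 fw-edge-01 DROP UDP 203.0.113.9:1053 -> 192.0.2.10:53
"""

# Every device that is supposed to be protecting something and logging about it.
# In a real deployment this comes from the asset inventory; it is assumed here.
EXPECTED_SOURCES = {"fw-edge-01", "ips-dmz-01", "ips-prod-01"}


def parse_logs(text):
    """Return a list of (timestamp, host, message) for each non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), host, message))
    return events


def silence_report(events, expected, now, max_gap):
    """Return (findings, counts, unexpected).

    findings maps each expected source that is not logging to a reason:
    'never-logged' is the case in the post, a sensor that has produced nothing at all;
    'silent-for-Nm' catches a sensor that logged once but has since gone quiet.
    counts is events per host; unexpected lists hosts logging that are not in inventory.
    """
    last_seen = {}
    counts = {}
    for stamp, host, _ in events:
        counts[host] = counts.get(host, 0) + 1
        if host not in last_seen or stamp > last_seen[host]:
            last_seen[host] = stamp
    findings = {}
    for host in sorted(expected):
        if host not in last_seen:
            findings[host] = "never-logged"
        else:
            gap = now - last_seen[host]
            if gap > max_gap:
                findings[host] = f"silent-for-{int(gap.total_seconds() // 60)}m"
    unexpected = sorted(set(last_seen) - set(expected))
    return findings, counts, unexpected


def check(text=SAMPLE_LOGS, expected=EXPECTED_SOURCES,
          now=datetime(2007, 9, 29, 10, 0, 0), max_gap=timedelta(minutes=60)):
    """Run the silence check over the sample with an assumed 'now' and one-hour gap."""
    return silence_report(parse_logs(text), expected, now, max_gap)


if __name__ == "__main__":
    findings, counts, unexpected = check()
    for host, reason in findings.items():
        print(f"ALERT {host}: {reason}")
    print("event counts:", counts, "unexpected sources:", unexpected)
```

Run from cron against the last hour of the central log collector, this turns "nobody looked" into a ticket: the firewall is healthy, the DMZ IPS has been quiet for two hours, and the production IPS has never logged at all, which is exactly what a sensor plugged into the wrong port looks like.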



October 8, 2007

Storm Worm

Malware remains a threat. The Storm Worm is one of the most threatening in recent times, and it continues to propagate. Bruce Schneier discusses it in detail here on Wired (thanks to David Lacey's blog for drawing attention to this piece).

Schneier makes some remarks that should stick in all our minds over the coming months - the choice quotes are:

- Antivirus companies are pretty much powerless to do anything about it

- Inoculating infected machines individually is simply not going to work

- we know that users can't keep themselves from clicking on enticing attachments and links

- We simply don't know how to stop Storm

- Oddly enough, Storm isn't doing much, so far, except gathering strength

- Personally, I'm worried about what Storm's creators are planning for Phase II

A gentleman named Frank Boldewin has reverse engineered the Storm Worm and performed an analysis of how it works. The paper is hard going - especially for a very out-of-practice coder like me - but the message is clear. This is not a virus knocked together by a script kiddie in his bedroom. This is very dangerous malware that will create havoc on our networks and open up the door to more infection. And we can't detect it because it's been designed to bypass and be ignored by all of our desktop anti-malware controls (perhaps we should remember that the chaps who write malware probably test it against common controls before they unleash it). The conclusion of the report is that

it should be clear that the developers of this malware deal with a lot of nasty tricks to gain access to victims’ machines and hide from detection, even on standard protected boxes.

Ultimately, malware has come of age. This is destructive and undetectable, and put together with no small amount of skill. We need to continue meeting the threat with up to date controls and detection. We need to ensure we have documented incident response plans for when we discover infected machines on our networks (and don't believe that we won't) - and we need to practise running through them. We also need to continue communicating security awareness messages to our employees.

October 9, 2007

Botnets

From "Killing Botnets" by Ken Baylor and Chris Brown of McAfee.

A botnet of 1 million bots, with a conservative 128 Kbps broadband upload speed per infected bot, can wield a powerful 128 gigabits of traffic. This is enough to take most of the FORTUNE 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.

I'm pretty sure that the threat posed by botnets is the one that we need to be most anxious about. It's a real threat against which we are really vulnerable and the potential event costs are off the scale. That all equates to very high risk.


October 17, 2007

IPS - to buy or not to buy

There's been some debate about whether or not to purchase an IPS device to put in front of a new online service. Some of you might be reading this and thinking "why wouldn't you?" Well, granted, if it was a military system or an online banking service then I suppose it would be a no-brainer. Here in the security suburbs, the answers are not so clear cut. Actually, neither are the questions.

It's not so much a question of "is an IPS required?" as whether the potential loss impact warrants spending the money. We need to decide the point at which it becomes a necessity as opposed to an expensive but "nice to have" option. Here are some questions I'll be asking:

  • Is the service strategically important to the business?
  • Are there high revenue expectations?
  • What are the regulatory requirements?

We should also review the benefits of an IPS device. Fundamentally, it detects the presence of unwanted network traffic in three main categories:

1. Signatures
2. Traffic rates
3. Anomaly detection

There is also the promise of the holy grail of network defence: zero-day attack protection. I don't really believe that any IPS truly has this capability; if it did, there would be no need for signature and rule updates.

There are some downsides to IPS. They generate a high number of alerts and tuning the device requires skill. Resource is required to review logs and react to alerts. The devices are also expensive to buy.
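To make the three categories concrete, here is an added toy inspector (my own illustration, not code from the original post or from any IPS vendor) run over constructed flow records: a known-pattern signature fires on a request it has seen before, a novel oversized request evades every signature but trips the size-anomaly check, a burst from one source trips the rate check, and tightening the anomaly threshold shows how tuning trades detection against the false positives mentioned above. All addresses, payloads and thresholds are constructed.

```python
"""Toy inline inspector showing the three IPS detection categories.

Added example with constructed traffic; not a real IPS engine."""
from collections import defaultdict, deque
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    src: str        # source address (constructed, RFC 1918 space)
    dport: int      # destination port
    payload: bytes  # application-layer bytes seen on the wire


# 1. Signatures: known-bad byte patterns (constructed, not vendor rules).
SIGNATURES = {
    b"' OR 1=1": "sqli-probe",
    b"../../etc/passwd": "path-traversal",
}


def signature_alerts(flow):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in flow.payload]


class RateDetector:
    """2. Traffic rates: a source opening more than `limit` flows inside any
    `window`-second sliding window is flagged."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._recent = defaultdict(deque)  # src -> timestamps still in window

    def check(self, flow):
        q = self._recent[flow.src]
        q.append(flow.ts)
        while q and q[0] < flow.ts - self.window:  # expire old timestamps
            q.popleft()
        return len(q) > self.limit


class AnomalyDetector:
    """3. Anomaly detection: learn the payload-size distribution from clean
    training flows, then flag anything more than `z_threshold` standard
    deviations away. Size is a deliberately simple feature, but note that no
    signature update is needed to flag something never seen before."""

    def __init__(self, training, z_threshold=3.0):
        sizes = [len(f.payload) for f in training]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0  # guard a constant baseline
        self.z_threshold = z_threshold

    def zscore(self, flow):
        return (len(flow.payload) - self.mean) / self.stdev

    def check(self, flow):
        return abs(self.zscore(flow)) > self.z_threshold


def inspect(flows, training, rate_limit=10, window=5.0, z_threshold=3.0):
    """Run all three detectors; return {(ts, src): [alert names]} for flows that fired.
    Lower thresholds catch more but raise the false-positive (tuning) burden."""
    rate = RateDetector(rate_limit, window)
    anomaly = AnomalyDetector(training, z_threshold)
    alerts = {}
    for f in flows:
        hits = signature_alerts(f)
        if rate.check(f):
            hits.append("rate-limit")
        if anomaly.check(f):
            hits.append("size-anomaly")
        if hits:
            alerts[(f.ts, f.src)] = hits
    return alerts


# --- constructed sample traffic -------------------------------------------
def http_get(path, size):
    """Build a GET request padded with a header so it is exactly `size` bytes."""
    req = b"GET " + path + b" HTTP/1.1\r\nHost: shop.example\r\nX-Pad: "
    return req + b"x" * (size - len(req) - 4) + b"\r\n\r\n"


# Clean baseline: ten requests of 200..290 bytes from one user (mean 245).
TRAINING = [Flow(i * 5.0, "10.0.0.5", 80, http_get(b"/item/%d" % i, 200 + 10 * i))
            for i in range(10)]

SAMPLE = [
    Flow(100.0, "10.0.0.9", 80, http_get(b"/item/3", 230)),                 # benign
    Flow(101.0, "10.0.0.9", 80, http_get(b"/item/3?id=1' OR 1=1--", 240)),  # known pattern
    Flow(102.0, "10.0.0.7", 80, http_get(b"/item/3", 2000)),                # novel: no signature
] + [Flow(200.0 + 0.25 * k, "10.0.0.66", 80, http_get(b"/login", 240))
     for k in range(12)]                                                   # burst of 12 in 3 s

if __name__ == "__main__":
    for key, hits in sorted(inspect(SAMPLE, TRAINING).items()):
        print(key, hits)
```

With the default thresholds only four flows alert; dropping `z_threshold` to 0.2 also flags the benign 230-byte request, which is the tuning problem in miniature.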

What other defences are already in place? In this particular instance the network architecture includes redundancy, well configured devices, and a well designed architecture. IPS would be an additional layer of defence on a well defended network. So, it comes down to how comfortable the business feels by not having the control. There may be other factors to take into account such as future strategic plans or issues of credibility specific to the business that might not usually figure in the risk analysis. Clearly, this is much more complex an issue than it might first appear to be.

The answer must come from the business once armed with the right information.

Network security budgets

Great blog on budgets from Gunnar Peterson. Quote:

  • How secure am I?
  • Am I better than this time last year?
  • Am I spending the right amount of $$?
  • How do I compare to my peers?
  • What risk transfer options do I have?

Read the article here.

    November 5, 2007

    Non-company equipment on our networks

    Do we need to come up with new ways to deal with the risks associated with non-company equipment being connected to our networks? I presently operate a policy that prevents anyone plugging in their own personal laptop computer. There are a number of reasons why, mostly related to the threats of malware and other unauthorised software polluting the network. In fact, like many other organisations, we have a standard, one-size-fits-all desktop computer build. I say one-size-fits-all, but in fact it's not quite that straightforward because certain groups - developers, for instance - require more flexibility. Even so, GPOs are tightly controlled, with software in place to identify any desktops that fail to comply.

    However, my thoughts are now turning to the idea that perhaps there should be more flexibility in the system to allow users' own personal systems to connect. There is more demand for this than ever before, across an increasing variety of devices: laptops, PDAs, digital cameras, and other multimedia devices. However, I'm also very conscious of the need to remain in control of the network. The question is how to enable business and personal resources to live side by side.

    What problem am I trying to solve? Here are a few:

  • There is no real one-size-fits-all when it comes to user requirements. As soon as the standard build is deployed, the IT department becomes inundated with requests for exceptions.
  • We have a network full of contract and temporary users as well as a growing number of remote workers.
  • Lots of our employees go away on business travel and want both personal and business connectivity whilst on the move. It's not practical to carry two laptops.
  • There are a growing number of "key knowledge workers" and senior executives who prefer to use their own PCs to the corporate standard.

    My opinion is that we should be enabling use of personal equipment and managing the risk. This means strengthening the security of our enterprise systems and the data that's on them whilst relaxing some of the constraints presently placed on users.

    I was reading an article referring to a document entitled "Zen and the art of ceding control of consumer tech to end users." The point is made that "The adoption of consumer technology in the enterprise has a huge impact on the support and customer care IT has to provide... You can't keep up with the pace of consumer technology. You can't support it all yourself because there are too many. You can't ignore it. The only alternative is to outsource some of the responsibility to the end users." The article goes on to quote:

    Instead of dictating policy or enforcing standards, IT's role is to "set guidelines and steer users in the right direction,"

    I agree. The days of IT dictating what users can and can't do should be over. Users need flexibility and enablement but we also need to maintain centralized management and control.

    It's a big challenge because our policies are so geared up to socialist - two legs good, four legs bad - style management. I'm also very mindful of the fact that if we are to open up to non-company equipment, we also need to get better at making users personally aware of, and accountable for, risk. From an information security management perspective it makes me very nervous because of the obvious risks, but also excited because if I can get this right then I'll have achieved something of value to the business.

    November 17, 2007

    Spam is still a threat

    We don't seem to talk about spam much anymore. Services such as Postini and products like SurfControl have more or less removed spam from the corporate Inbox. While these products are generally effective, it still amazes me the percentage of email that is identified as spam: up to 90% of all inbound traffic at some periods.

    Although we are adept at controlling spam targeted at our own mail servers, the biggest risk comes from allowing corporate users access to web-based email services from within the company network. And spammers are constantly looking for new ways to get their messages opened.

    One of the newest is in the form of MP3 files posing as music clips as reported here. "The MessageLabs Intelligence Report for October reveals that spammers have sent at least 15 million emails so far in the form of MP3 music files, as they seek to expand the ways spam can be propagated."

    GFI reports on this new trend on their website here:

    MP3 spam is a natural progression from PDF and Excel spam whereby spammers are exploiting a new file format to be able to send spam. This is their latest attempt to evade anti-spam filters.

    Saying that we need to remain vigilant to the spam threat is obvious. What I would like to do is block access to personal webmail accounts from the corporate network. True, we can mitigate a fair degree of the risk using various desktop controls, but I'd rather avoid the battle than fight it. Every now and again, our security will be breached - if it hasn't already been so - through somebody downloading an attachment from their webmail account.

    Once again, education has a large bearing on the risk. But I'd also like to come back to the subject of personal accountability and making individuals on the network responsible for their actions. I'm interested in how far other organisations go down this path.

    December 11, 2007

    Skype me!

    I've just finished writing up a short White Paper on Skype - in particular the old question of whether or not it can be installed onto company equipment, the risks, costs, and some investigation into the system architecture.

    Quite honestly, I don't consider Skype to be an insecure system (so long as you keep the client updated. See here...), but it does undoubtedly introduce some additional risk. The question is whether that risk is too great to allow a few travelers to have the client installed on their laptops.

    There are opposing forces in action - on the one hand a number of individuals who claim that they need Skype and consider life to be unfair unless they have it. On the other hand are those who consider it to be no more than KaZaa in different trousers, and that it should be kept well clear of company equipment. I'm somewhere in the middle: put a price on saying "yes" and make sure risks are controlled. But is that just a cop-out? I'm wondering whether I shouldn't simply point my finger at desktop build policy and then remind people of that great invention: the telephone.

    This all relates to a blog I wrote a while back on the subject of the increasing consumerization of our environments. I quoted there that "consumerization creates a new burden that can potentially cripple already fragile IT organizations" but on the other hand is the point that "consumerization is already in motion, so how do corporate IT departments manage the new reality?"

    Do a few users with Skype on their laptops really increase risk to the business? It depends who they are and what they do with it. As someone reminded me this very evening, it may not matter until some senior executive is defrauded or their company-provided equipment is compromised. I'm not sure it's even an argument worth having - there are so many different solutions for communication out there now that I'm baffled why we are getting so hung up on Skype anyway.


    December 16, 2007

    Prediction for 2008 - more targeted attacks

    If I have to make one prediction for 2008, it is that I think we will see an increase in reports of targeted attacks against organisations of all sizes and types. That such attacks are already happening goes without saying, because penetrating the average corporation appears to be child's play for the skilled attacker.

    To remind myself of exactly how easy it can be, I was re-watching a webcast presentation given by one Marcus Murray at this year's Tech-Ed. This is must-see viewing, with some great practical examples of inserting trojans onto the network, sniffing wireless networks, and a fascinating demonstration of compromising a domain administrator account using just the stolen password hash.

    Marcus makes the observation that networks are not hacked because the operating systems are poor, but because of the way they are usually configured. This is a message I'm continually pushing out within my own organisation: you must patch (and not just the Microsoft stuff - patch everything!), you must become very fussy about change control, you must monitor IDS/IPS logs, and you must test your network from the outside.

    Even then you can still be compromised the moment somebody clicks a link in an email and inadvertently installs a trojan. The above mentioned presentation demonstrates in stark detail how to do this and also shows how the trojans are designed to ensure that desktop anti-virus controls don't get activated in the process.

    Bruce Schneier wrote two years ago about an increase in targeted attacks:

    We are seeing a decline in the "noisy" brute-force vulnerability scanning that hobbyist hackers tended to favor, and an increase in more targeted, stealthy, and sophisticated scanning.

    The predominant targets back then were financial institutions. Today, it's likely to be any organisation that values its data. One recent example, as reported here, is Oak Ridge National Laboratory, which experienced a sophisticated cyber attack that appeared to be "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."

    The reality is probably that we should assume that sooner or later something we don't want is going to get into the network. We can reduce the risk by looking at the various control areas (e.g. Internet access, remote access, wireless networks, device management processes and so on), making sure basic tasks such as logging are being performed, and making sure the right controls are in place, such as IPS between wireless and wired networks and monitoring for rogue access points. We also need to become better at protecting data in situ with encryption and at ensuring that our incident response processes are well rehearsed.

    My only other prediction for the year ahead is that it'll be business as usual and more of the same. Our CIOs and business strategists might be getting themselves all hot under the collar about web 2.0, social networking and virtual worlds, but you know and I know that we'll continue to have plenty of work to do as all the same old mistakes get remade in slightly new and unusual ways...

    December 27, 2007

    VoIP Security

    Robert Moore is a convicted hacker, currently serving two years in prison for his role in stealing and reselling VoIP services. In an interview given to Information Week, Moore describes in detail how easy it was to break into corporate systems and the methods that he used.

    One particular quote that sticks in my mind from the article is:

    Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

    What's also interesting is the opinion of Alan Paller, director of research at the SANS Institute, who is quoted as saying that the problem lies with the vendors for making it too easy for system administrators to leave default passwords enabled on devices. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do." I don't agree. While vendors might be able to do more, short of providing systems that can jump into the rack fully configured for any network scenario, the onus has got to remain with network administrators to ensure that the implementation of new devices follows good hardening practices, which include changing the default password.

    You can read the full interview with Robert Moore here.

    I also recommend the Voice over IP Security Alliance website here as well as their blog.

    February 10, 2008

    Anti-Malware Testing Standards Organization

    More than 40 security software technologists and anti-malware testers from around the world recently met in Bilbao, Spain to formalize the charter of the Anti-Malware Testing Standards Organization, or AMTSO. The formation of AMTSO has been driven by industry-wide concern about the increasing mismatch between what anti-malware technologies actually do, and the testing methodologies used to evaluate them.

    Read more about this new organisation here: http://www.amtso.org/

    March 8, 2008

    Tall stories from Chinese hackers

    There's an interesting interview with the leader of a Chinese hacker group on CNN. Xiao Chen makes a number of claims: that his group is paid by the Chinese government, that they have successfully hacked the Pentagon, and that even the highest security websites have weaknesses that can be exploited.

    I'm not going to outright dismiss Chen's claims as being typical hacker arrogance because, firstly, I wouldn't be at all surprised if the Chinese government were paying hackers (in the same way that the American government is probably also doing so). What would surprise me would be hearing one of those hackers talking about it. And if he is so forthcoming in talking to CNN, then why won't he "specify what was gleaned" when talking about the alleged Pentagon website hack?

    The last point about high security websites all having weaknesses is something I've long stated as being an inevitable fact associated with the increasingly complex products that we are putting online. This isn't just related to the number of lines of code either. The middleware and third-party components that we're plugging in are just as likely to contain exploitable issues as the code that we're writing ourselves. I don't need some self-acclaimed hacker to tell me that, as I frequently see the evidence for myself.

    Anyone can call themselves a hacker - these days all you need is a few point and click scanning tools and a copy of Metasploit. So, I'm not going to give any credit to Xiao Chen or his group. I'm also not going to give any credit to CNN for wasting their time talking to him.

    You can read the full article here: http://edition.cnn.com/2008/TECH/03/07/china.hackers/index.html?eref=rss_latest

    March 10, 2008

    Consumer networks for business use

    If all the hype is to be believed then IT execs who ignore Web 2.0 collaboration technologies could be hurting their company's bottom line. That, apparently, is the message from IT leaders and industry analysts who are convinced that Web 2.0 technologies are the real deal. And, as it's published in CIO Magazine then it must surely be true.

    The article goes on to cite examples from the real world (the one where you have real friends and real business relationships) that demonstrate just how vital these collaboration technologies are.

    - A company - Serena Software - where some customers only talk to them via Facebook because they've "given up on e-mail because it's such a horrendous technology"

    - The same company has Facebook Fridays where "executives encourage their 900 employees in 18 countries to connect with customers, business partners and each other over the company's group portal on the popular social networking site."

    - Cisco, "where the virtual world of Linden Lab's Second Life... is quickly becoming a preferred method of interaction among the company's employees, business partners and customers"

    - Gartner, who say that "organizations can create a mash-up, a combination of multiple applications, of their CRM database and their employees' Facebook contacts to identify personal links among sales prospects."

    Before I talk about why I think all of the above is misguided advice that opens up the network and data to unacceptable risks, as well as increasing personal risks to employees, there are actually some good words of wisdom in the same article. Accenture, for instance, who rather than using a public site "... opted to build a social networking platform behind the company's firewall on Microsoft Office SharePoint Server to connect Accenture's more than 170,000 employees worldwide." This is a good approach because it's using technology specifically developed with business functionality in mind, it has strong security, and Accenture are keeping it within the boundaries of their own networks.

    As soon as you start sharing company data across a public facing, consumer network that's also being used by your children to share happy slapping videos and news about what happened down the rec on Friday night then you've lost the plot. Show me the business case and cost savings model that led you to believe that it's a good idea. I'll wager that you don't have one, but that you've leapt straight in and done it anyway because of all the industry pundits telling you to do so and threatening that you're going to get left behind if you don't.

    The example quoted above, where the company uses Facebook in place of "horrendous" email, is one instance where you wonder just what problem they are trying to solve, and why and how swapping over to an email service provisioned by an organisation that will know all your contacts, all of their contacts, and all of the information being swapped makes it better. Are you really using Facebook's email service to swap company information? Good grief! Remind me not to use your company if I ever need the type of product you're selling. Just read back through their privacy policy and tell me that you still want to use Facebook in this way.

    I realise that not every organisation has the deep pockets necessary to invest in tools such as SharePoint and that they will want to utilise consumer technologies to some degree. Fine, but you generally get what you pay for and if you're getting something for free then don't complain when you find your business profiles being used for marketing purposes by either a) a competitor or b) somebody else pretending to be you. Oh yes, and also don't complain when the service goes down the next time that the Pakistani or some other government gets upset about some of the content.

    My personal advice is to not cheapen your brand and to seriously consider the security risks associated with using consumer networks as a corporate sharepoint for email and business relationships. Embracing new technologies is one thing but long term success is built on what comes prior to the embrace: assessing the benefits, working out the costs, determining the risks etc etc. Does that make sense?


    March 14, 2008

    Malware still the biggest threat

    It's reckoned that two million new strains of malware, or five every two minutes, will emerge onto the Internet this year. That doesn't include the 15 to 20 new Trojans released every hour. These are the figures reported by Kaspersky in an article in the latest edition of Information Week. While the numbers are shockingly high, they are not in my opinion representative of where the real threat and the greatest risk lie, so long as we continue to deploy multi-layered defences - network IPS at the perimeter, host IPS and anti-virus on the desktop, proxy devices for scanning incoming web traffic and so on. These are expensive but essential controls.

    The greatest risk is from targeted malware, specifically designed to attack your network and your data. I was reading about the Russian Business Network. They have a Wiki entry here.

    The RBN has been described as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 000 000 in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network. RBN has been known to sell its services to these operations for $600 per month

    One of their alleged principal operations is writing custom exploits, paid for by clients, designed to attack specific networks. It's apparently a very profitable operation - although I'm taking the figure quoted on the Wiki with a pinch of salt.

    More worrying still are reports that virus writers are attempting to infiltrate AV vendors (as described in the aforementioned Information Week article) and that legitimate AV employees are being "approached by virus writers hoping to suppress signatures for particular - highly profitable - Trojans."

    What's clear is that long gone are the days when malware was mostly nuisance stuff created by hobbyists. These days there is a well organised and profitable underground business in operation creating malware that our defences don't block and we don't find.

    My own anti-malware strategy is based on the defences I mentioned earlier, but also on security awareness messages and a strong stand against non-company equipment connecting up to the network. But I doubt if all that would be enough if there were to be a targeted attack. So this is where we also have to focus on strong authentication, making sure that private data is encrypted, limiting access using the principle of least privilege and so on. Each control on its own will reduce some degree of the risk. Taking all of the controls together reduces the risk much more. Enough? Arguable. Because that only covers off the data that's on the networks under my policy control. Do all our partners have controls equally as good? I'm going to be finding out!

    March 16, 2008

    Malware in MP3 players

    Following on from the story about dodgy Cisco hardware, it seems that some of our popular consumer electronic gadgets such as MP3 players and digital picture frames are infected with malware before they even leave the factory.

    A number of online news sources are running the same story as reported here.

    Queries about connecting up one personal device or another frequently escalate to my desk because the policy in place forbids non-company equipment on company networks. I believe that this is a sensible policy to have and the latest news backs this up.

    Introducing any consumer device onto your network, in the same way as introducing consumer software, is an unnecessary way of increasing your exposure to malware risks. You don't need to be doing it. Now here's another reason why.

    As I said the other day, malware remains the greatest threat.

    March 19, 2008

    Network IPS Systems - still worth buying?

    I was involved in an interesting debate a couple of nights ago about the relative merits or otherwise of IPS. It's a subject I've talked about a couple of times before on this blog (for instance here, talking about the ROI of an IPS device, and here, where the decision about whether or not to purchase an IPS device is debated). The general consensus around the table was that IPS is prone to false positives, difficult to monitor, and adds too much latency to network traffic.

    The question of latency can certainly be a problem for an organisation reliant on transaction speed - take share trading, for instance. Within my own industry a few false positives and the odd extra millisecond on a transaction will not make a whole lot of difference. However, I'm beginning to lean towards the view that network IPS might have had its day.

    David Lacey's blog today makes the point that "nine out of ten security managers still prefer to monitor rather than block." That's a fine strategy if you have the organic resource (i.e. a person) to do the monitoring. In some businesses I've visited over the years, the monitoring habit had worn off and IDS logs were only being reviewed at fixed times. That's hardly the way to get benefit out of the investment. One of the supposed benefits of IPS is its alleged proactiveness in blocking attacks. I've heard this called into question in some instances.

    So, what is the best way forward? Innovative products such as the Secerno solution mentioned by David seem like a good idea. More generally, as we de-perimeterise, we need solutions closer to where the important assets are and more tailored to protect them. Host-based IPS systems that reliably block attacks are a good approach. Web application firewalls are another.

    There is a certain comfort level that's difficult to shake off in having the network IPS - so, it'll still be around for a while mitigating a bit of the risk, but I'm becoming less certain about exactly how much.

    May 16, 2008

    We can't write secure code

    David Lacey makes the important point that writing secure software is "not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process." It's a subject I've been harping on about for some time, with many references to excellent resources such as OWASP, and great leaders on the subject such as Mark Curphey.

    Over the last few years I've heard many solutions proposed to fix the problem of insecure software, ranging from sacking the developers to improving the software development lifecycle so that security requirements are stated from the outset and followed through into production and beyond. The evidence is that none of it works. OK, the folk at Microsoft, for example, will say that security is now embedded in their culture, and they've certainly generated a nice new stream of revenue for themselves out of all the books, tools and journals on the subject. But they are still releasing security patches with a frequency and schedule that I wish the rail company I use each day could achieve with their trains. And other vendors are coming up with clangers at an alarming rate. For example, this latest one from leading CMS vendor RedDot. An SQL injection vulnerability in an enterprise level CMS system - what were they playing at with their quality control?!

    So, here's the thing. We can't write secure code. It's true. Can you show me any decent commercial, consumer focused product (that people actually want to use - not just techies who haven't seen daylight in 12 years and live on a diet of digestive biscuits) that is secure from the off as soon as it's exposed to the Internet and where 12 months later it hasn't required a patch of some sort? Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the PCI standards and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

    I'm not knocking OWASP et al. It's the first resource I recommend developers go to and will remain so. Just that the business expects more functionality, cheaper costs, more complexity, better performance, and a more rapid deployment for its products. Chucking in security with all that lot is like rubbing your belly and patting your head at the same time, while riding a motorbike. So, let's make it easy on ourselves. Application firewalls!

    June 5, 2008

    Are smartphones a 'bigger security risk' than laptops?

    According to this article on NetworkWorld "smartphones are seen as more of a security risk than laptops and mobile storage devices." Apparently some 94% of senior IT staff fear PDAs present a security risk, just above the 88% who highlighted mobile storage devices as a worry.

    The problem with the research is that it was conducted with IT staff. In my experience the IT department is the worst of all to rely on for determining what the biggest risks to the business are. And more often than not they are also the department likely to be the most flippant in their attitude to risk.

    You're probably more likely to lose your smartphone by accidentally flushing it down the lavatory than having it stolen by an opportunist intent on stealing any data that's on it (see David Lacey's blog on that very subject here). However let's not lose track of the point that smartphones are yet another extension of our perimeter and need to be managed as such with a decent set of policies and security awareness messages to those carrying them around. In fact my opinion is that they only pose a security risk if companies ignore fundamental rules.

    I do not rate the security risk as being greater than for laptops. In fact, if truth be told, in my role as a risk manager, they do not yet feature on my list of business concerns. But I'm open minded on the matter. Perhaps the IT department can give me their view?

    June 7, 2008

    Is Data Loss Prevention Really Possible?

A friend and I were debating whether it is really possible to prevent data leakage. Personally I think it's impossible to know an organisation's rate of data leakage.

One of the problems is that the easier it is to copy data, the harder it is to control. I recall that back in my military days we had a process to manually log all signals classified as restricted or secret that came off the teleprinter, record each and every copy that was made, and identify to whom those copies had been distributed. Each recipient down the line would have been required to do the same. Even with such tight controls in place, the documents would still get mislaid and go missing. And goodness only knows how many copies were really being made and of those copies how many were being logged.

In the corporate world data is completely out of control. I don't think we can stop data leakage and the only way that we can have influence on the likelihood of it occurring is through a couple of fundamental controls, namely

    1. Reduce and limit access to data

    2. Control the "copyability" of data

    That's all fine if the data is stored within systems that provide suitable controls but it's actually more likely to be in spreadsheets or other office document formats, on XML data streams, sitting in an email, in the fax machine, or on a forgotten print-out that went to the wrong printer on the wrong floor. It's also sitting on systems that we don't own belonging to the third parties we entrust to store our data. What do we know about the processes they have in place? We really have lost the game and the increasing number of data leakage incidents prove it. I'm sure that most, if not all, of the organisations we see being reported as having suffered a data leakage have processes in place that are supposed to prevent them from happening.

    One of the errors we make is that we place emphasis on deliberate and malicious data theft while the reality is that most of it is accidental. And all we generally do to prevent accidental data leakage is stick up a few posters now and again that have inane captions on them such as "think before you click." Click what?

    Investment in technical controls (to monitor and prevent data being copied and printed) together with an eye-catching and relevant security awareness program are, I think, the most effective ways to mitigate risks associated with data leakage. There are also process based controls that need to be managed such as ensuring that the right levels of access are being granted to the right people, and of course, using encryption for data when it's on mobile devices.

    All that said, we also need to plan for when the incident happens. Let's assume the worst and ensure that when it happens we're ready for it and have the right people putting out the right messages.

    June 23, 2008

    IT snooping - what is your team looking at?

    A recent survey from Cyber-Ark Software reveals the following information

    Whilst you sit there innocently working away, little do you realize that a third of your IT colleagues have been snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information.

    ...One third of the survey sampled admitted to using their privileged rights to access information that is confidential or sensitive by using the administrative passwords as a means of peeking at information that they are not privy to.

I don't think these results will surprise anyone. In fact, only last month a case of an employee caught in the act snooping on somebody else's email passed by my desk and I'm sure there are many more that go by unnoticed. Another article here goes into more specifics on employee snooping within an American healthcare business:

    Snooping into celebrity health records by workers at UCLA Medical Center sheds light on a largely hidden ailment facing employers: their own people peeking at confidential data.

    And then there was the well publicized case about American State Department workers snooping on passport applications.

    There are a whole range of controls to suggest but I reckon it's more down to company culture. Having a standard of ethics that all employees have to read is a good start. More fundamentally promoting a decent and open work environment where employees feel valued, get paid a decent wage, and are treated with respect is the best control of all. 

    Curiosity however, is human nature. If we want to protect private data from the possibility of access by a snooping IT administrator then we need to also have a decent set of process and technical controls, including auditing. The message needs to be loud and clear that IT staff snooping and accessing resources they have no reason to be viewing will not be tolerated.
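One of the technical controls referred to above is a routine review of the privileged-access audit trail for reads that no piece of work explains. What follows is an added example and not code from the original post or from Cyber-Ark: it parses a constructed, pipe-delimited log of reads against classified resources and flags IT-role accounts that touched confidential data without citing a change ticket, while leaving an HR user's legitimate access alone. The log format, the role names and the "privileged read needs a ticket" rule are assumptions; the log lines are constructed sample data.

```python
"""Flag likely snooping in a privileged-access audit trail.

Added example, not from the original post. Log format, role names and the
"privileged read needs a change ticket" rule are assumptions; the log lines
are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, one read per line:
# timestamp|account|role|resource|data_class|ticket   (ticket may be empty)
SAMPLE_LOG = """\
2008-06-23T09:02:11Z|jsmith|dba|hr.salaries|confidential|CHG-1042
2008-06-23T09:14:37Z|jsmith|dba|hr.salaries|confidential|
2008-06-23T10:01:05Z|akhan|sysadmin|mail.ceo.inbox|confidential|
2008-06-23T10:05:59Z|akhan|sysadmin|web.logs|internal|
2008-06-23T11:30:00Z|bwong|helpdesk|hr.salaries|confidential|
2008-06-23T11:31:00Z|pgreen|hr|hr.salaries|confidential|
2008-06-23T12:45:12Z|jsmith|dba|hr.salaries|confidential|
2008-06-23T13:00:00Z|cjones|dba|finance.ledger|confidential|CHG-1050
"""

FIELDS = ("ts", "account", "role", "resource", "data_class", "ticket")

# IT roles whose reads of business data should always trace back to a piece
# of work. Business roles (e.g. "hr") read that data because it is their job.
IT_ROLES = {"dba", "sysadmin", "helpdesk"}


@dataclass(frozen=True)
class Finding:
    ts: str
    account: str
    resource: str
    reason: str


def parse_log(text):
    """Split pipe-delimited lines into dicts; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def review(rows):
    """One Finding per IT-role read of confidential data that carries no
    change ticket. Business-role reads are out of scope for this rule."""
    findings = []
    for r in rows:
        if r["data_class"] != "confidential":
            continue
        if r["role"] not in IT_ROLES:
            continue
        if not r["ticket"].strip():
            findings.append(Finding(
                r["ts"], r["account"], r["resource"],
                "IT account read confidential data with no change ticket"))
    return findings


def repeat_offenders(findings, threshold=2):
    """Accounts flagged at least `threshold` times, for escalation to HR."""
    counts = Counter(f.account for f in findings)
    return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.ts} {f.account:8} {f.resource:16} {f.reason}")
    print("escalate:", repeat_offenders(found))
```

The rule deliberately ignores the HR clerk reading salary data and the DBA whose read is tied to CHG-1042; the point of an audit review is to surface access that has no business explanation, not to generate an alert for every read of a sensitive table. In a real deployment the ticket field would come from a join against the change system rather than from the log line itself.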

    June 24, 2008

    NHS Password Sharing and Business Requirements

I was reading with interest Tony Collins' blog on password sharing in the NHS. In my view the problem is that the system being used was not designed to take into account the way that the customers need to access information. If somebody had bothered to observe and ask about the way that doctors work on the wards then the system would have taken their requirements into account. I'm making a rash and unqualified assumption here but I've seen plenty of examples where new systems are planned by over-enthusiastic CIOs intent on making their mark but then fail because they forgot to account for the simple fact that nobody actually asked for it!

    Recently I was chatting with the IT manager from a branch office of a large organisation. His company has recently implemented a new regional network. Employees within the office are in some disarray because prior to the new network being implemented they were using MSN Messenger for video conferencing with clients. With the new network it's banned under the security policy. Now, I'm not going to get into an argument about what the security risks may or may not be. In fact, it's irrelevant. The reason being that usage of this application was a business requirement and somebody should have taken that requirement into account. The fact that they didn't means a work-around has to be found. It's work-arounds that cause the security issues - and that's precisely what has happened with the NHS system.

     

    June 22, 2008

    AV industry sucks

    So says the CEO of Trend Micro, Eva Chen, in this new interview where she describes how a cloud-client architecture is the solution to stop malware.

    It's good to finally see one of the large anti-malware vendors sticking its neck out and trying to address the problem at source.  Chen says "For me for the last three years I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?"

    Read the full story here.

    July 7, 2008

    Reducing the cost of information security

    Regardless of the type of business you're in, the next couple of years are going to be tight. The impending recession will have an impact on everything and the pressure will be on to cut costs.

Information security costs are difficult enough to justify when things are going well. Given the market place that we're all about to enter, rest assured we're going to have to become much smarter about the way we go about our business.

So, we need to be thinking about how to reduce information security costs while ensuring that we maintain sufficient controls against risk. There are some obvious things to look at. For starters, we're going to have to get better at haggling with vendors. Make them work for every single penny. Look for cheaper alternatives - don't pay for the expensive brand name. A prime example is in the world of two-factor authentication. Look closely at the price of those expensive hard tokens (and don't forget support and management costs) then compare with some of the new players in the market offering other form factors. Look at the full feature list and every available option. Don't end up paying for functionality you're never going to need.

    More fundamentally than that, you could also consider the question of whether you need to buy it at all. Take a risk based approach, do the assessment work, and look for alternative controls.

    Do you really need gold-plated security? Remember, managing risk is all about taking it down to acceptable and manageable levels. Be pragmatic and able to justify every decision you make in relation to the business that you are in.

    Look carefully at all the so-called essential devices you've been stuffing into the server room over the past few years. Ask yourself if the maintenance contracts really need to be renewed. In fact, do you need the device at all? Maybe the original purpose it was purchased for is no longer valid. Maybe there are some opportunities to consolidate services.

It's time to make the most of what we've got. Most of all, this is the opportunity now to demonstrate more than ever that information security is aligned with the business. The challenges are going to be the same as for every other department being forced to slash costs, cut overheads, and keep the business afloat.

    July 9, 2008

The Coleman Report - An Independent Review of Government Information Assurance

The Cabinet Office recently commissioned Nick Coleman, an Independent Reviewer of Information Assurance for the UK government, to report back on how well the Government is doing when it comes to protecting and handling information.

    The result of that review, The Coleman Report, can be downloaded here: Coleman Report.pdf.

    It's a succinct document, first describing the transformation to electronic-based services (for example, in one week the NHS sends 1.4 million prescriptions electronically) across the public sector, and secondly highlighting the main features of the changing environment. The two stand-out items being the rapid pace of technological change, and information sharing on an unprecedented scale.

    The section on "Findings from the review: how well is government doing" does not make for particularly positive reading. For example, when talking about accountability Nick states that

    "no role exists to provide Independent Oversight that the appropriate Governance;
    Information Risk Management; Policy and Operations; and Monitoring and Controls around Information Assurance are in place across departments and agencies."

On risk management, we also get a far from positive report;

    "Risk assessment is patchy leaving many without a clear understanding of the risks they are facing or exposing their stakeholders to."

The list of recommendations makes for equally gloomy reading. And here's why. We've been talking for years, even decades, about the need for strong information security governance, accountability, and setting minimum standards. It's nothing new. But here we are heading towards the end of the first decade of the 21st century and a report about and for the Government - the highest authority in the land - is highlighting a need to "Define minimum standards that (public sector) departments sign up to"

Good grief. What on earth have they been up to all these years? If there were a book entitled "Information Security for Dummies" then that would be on page 1. It shows just how far behind the public sector is and makes for a good explanation as to why it is subjected to so many data breach incidents.

    There is a follow-up ministerial statement here. The range of measures being described is sensible enough but even in a modest size commercial organisation such measures don't get implemented overnight. It's going to be a mammoth task in my opinion.

    "The Government is determined to take the necessary steps to improve data security."

    I don't doubt it.

    July 14, 2008

    Dangers of Cloud Computing

"In the cloud" computing - using systems and resources outside of the Enterprise such as Salesforce.com or Live Mesh - promises reduced costs and increased flexibility for a business. But what of the risks?

There's an excellent feature on "The Dangers of Cloud Computing" here at CIO.com. The article discusses the potential risk associated with cloud-based services as well as some of the reasons why risk may be reduced as a result of using them:

    One reason is that a cloud provider can invest more in security than any individual small business could, because the cost is applied across hundreds of customers. Another is that as soon as a cloud provider patches a security vulnerability, all its customers are protected immediately, unlike the case for downloadable patches that IT must apply itself.

    For me, one of the most important points is made towards the end of the article:

    When it comes to cloud computing, the experts fundamentally offer the same advice, which can be summarized by two very famous quotations, one an old Russian proverb that President Reagan liked to use--"trust but verify"--and the other by Intel's famous former CEO, Andy Grove--"only the paranoid survive."

That's good advice and the process I use is to apply the same rigour to auditing cloud-based service providers as for other third party vendors. Don't be afraid to question every aspect of their network management. In my experience the good service providers are open and transparent about the systems they have in place and the processes they use for managing them. After all, it's your money they're taking.

    There's an interesting new blog on the subject of cloud computing and security here at cloudsecurity.org.

    July 21, 2008

    10 of the Biggest Platform Development Mistakes

    Timely and interesting read online here: http://gigaom.com/2008/06/30/10-of-the-biggest-platform-development-mistakes/, listing the 10 most commonly observed platform development mistakes. A few items in the list particularly caught my attention:

- Confusing product release with product success. I'm familiar with the huge sigh of relief that goes out when the development and implementation is completed. However, the measure of success should be when the system is proven to function and has been accepted by your customers.

- Not having a business continuity plan/disaster recovery plan. I'm frankly amazed that this still needs to be stated as a requirement, and more so that I still hear of people getting push-back. An acquaintance informs me that as soon as he raised this issue when taking on a new job, his management told him that it was out of scope for information security.

    - Relying on QA to find your mistakes. I like the point made in the article that you "cannot test quality into a system."

    I'd like to add one more item to the list

11. Failing to consider and define security requirements. We need to understand the system and its components, and know where data is intended to flow and be stored. Then we can understand the potential risks and the best controls. I like to set, and get agreement on, a list of high level requirements at an early stage in the project.

    July 28, 2008

    In The Cloud - Risk and Opportunity

If you pick up this week's edition of Computer Weekly, on page 10 in the My Take column you will read that I describe "In the Cloud" computing as being the new black. Gartner refer to it as an emerging phenomenon while on the Cloud Security blog at http://cloudsecurity.org/ they take a more cautious view stating there are some strong technical security arguments in favour of Cloud Computing - assuming we can find ways to manage the risks.

Identity management is one such risk. Most cloud services rely on simple password authentication and authorisation occurs on an application by application basis. The outcome will inevitably be multiple login experiences with different IDs and passwords. This creates an additional burden for user account management and auditing within the organisation.

One of the principal risks I've been discussing within my own organisation is that of service reliability and availability. Keep in mind that a loss of availability might not always be down to the service provider: routing problems, cables being cut, and other unfortunate incidents could all result in the systems being inaccessible.

    Data protection laws could be another minefield. If you are a company with globally dispersed offices collating customer information from each of your regions of operation then sharing it across your business from a Cloud service based in America, which data protection laws apply?

    And there's more that I could discuss at length. Being aware of the risks is always good because it means we can plan contingency. In the case of Cloud computing the business sees the opportunity and that really makes it all worthwhile because, as I've said before, this is where we're all going like it or not.

One of those opportunities is scalability and the way that services can scale up or down depending on requirements (i.e. elasticity). In other words, you only pay for the processing time and disk space that you need at any given time.

Just about anything can be offered as a cloud-based service. Gartner make the point in a recently released paper entitled Cloud Computing: Defining and Describing an Emerging Phenomenon that the cloud "is more than just SaaS in that everything as a service (XaaS) would be a more appropriate appellation." Personally I think the opportunities for collaboration are the most interesting as described on the CloudSecurity blog where it states: Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers. Investments in R&D projects to create the next generation of business collaboration technologies are starting to bear early fruit and are worth paying attention to...

    There's much more I could, and will, write on this subject. 

    July 31, 2008

    Where do we spend the money?

    I was involved in a debate today where three opposing views were being taken with regards to implementing a hypothetical new online application. Given a limited budget, should most of the money be directed towards network, application or data security?

Personally I believe that a more holistic view of the situation is required. We need to understand the way the organisation works, the cultures, the regulatory environment and so on. Not to mention physical security, security awareness, training and a myriad of other factors.

When looking at new systems I prefer to work out a set of security requirements based on the risks rather than breaking things down into technical categories. We need to consider the risks, describe the controls that work to mitigate them, and then consider how directly each of those controls addresses the risk it is meant to treat.

    Once we've considered which controls are most effective - and what we might presently have lacking - then we can describe the security requirements and where we're going to spend the money.

    August 14, 2008

    How not to prevent data theft

    There's some information available about how the insider fraud at Countrywide that I mentioned on this blog a few days ago was performed. See here.

    ...in an effort to prevent users from loading unauthorized data onto memory sticks or other portable storage media, Countrywide had sealed the USB ports on all of its employees' machines -- all, that is, except one....

    Reminds me of a conversation I had with an IT manager a couple of months ago. She was pleased to demonstrate to me her company policy for blocking access to USB ports in an effort to prevent incidents of data theft. I was about to praise her for taking the initiative when she went on to mention that the policy applied to everyone except management. "They would find it quite unacceptable" she stated...

    August 20, 2008

    Laptop Encryption: implement as standard?

    Is it still necessary to have to make a case to implement encryption on laptop computers or should we, by now, simply consider it to be normal practice? Seems like a question with a pretty obvious answer but clearly not because organisations such as the Ministry of Justice - as reported here in Computer Weekly - are still losing laptops containing unencrypted sensitive data. In this instance it is the names, dates of birth, addresses and offence details of 14,000 fine defaulters.

    Is it the case that encryption shouldn't so much be mandatory as standard? It would be good to think that if my company issued a laptop that didn't come with encryption software installed, switched on and with appropriate training provided then the recipient would come to me and complain. Of course they don't. Instead they will pull a face suggesting that poison is being injected into their veins.

    If you don't have sensitive data on laptops then you don't need to use encryption. Right? Research performed within my own organisation demonstrates that you cannot always predict which users will have sensitive data. To muddy the waters further there are differing perceptions on what sensitive data is. 

    There's little joy to be had in spending company profits on laptop encryption, but I don't think it's up for debate anymore.  

    August 29, 2008

    Surfing Safer

An acquaintance is one of a team developing a new website - Surfing Safer - providing practical advice on security to home and business users.

It promises to be a useful companion to sites such as GetSafeOnline. For instance, where that site recommends you use a firewall, Surfing Safer will provide product reviews on which ones are best to use from people with experience of using them.

    Visit the new website here: www.surfingsafer.com

     

     

    September 1, 2008

    Social Networking: The seven deadliest hacks

    My favorite type of Social Networking remains that which involves chatting with mates over a drink in the pub. Call me old-fashioned. There are, of course, various associated threats to "security" to consider: for instance, the extortionate cost of a pint these days could be considered a crime, and after a few drinks I might reveal information that should otherwise remain secret, which consequently might affect my personal reputation. It's also how I met my wife.

    I'm also well versed in more modern socialising. I have 38 "friends" on Facebook most of whom I probably wouldn't recognise if they walked past me in the street, and around a hundred or so contacts on LinkedIn mostly comprising new and old work colleagues, a couple of hopeful recruitment consultants, plus a few folk I met whilst engaging in Social Networking 1.0 (i.e. at the pub).

    Anyway, it's been a while since I discussed social networking on this blog. Last December I stated the view that organisations who continue to allow full and unrestricted access to social networking sites need to wake up to the fact that they are putting the security of their data and other assets at risk.

    Adding some more fuel to the fire is an article just published on Dark Reading entitled The Seven Deadliest Social Networking Hacks where Kelly Jackson Higgins proposes the case that Social networks are the next major attack venue for trolls, spammers, bot herders, cybercriminals, corporate spies -- and even jilted ex-lovers or enemies -- to make money, or just plain wreak havoc on their victims' personal lives.

    The seven deadly hacks discussed are:

    1) Impersonation and targeted personal attacks
    2) Spam and bot infections
    3) Weaponized OpenSocial and other social networking applications
    4) Crossover of personal to professional online presence
    5) XSS, CSRF attacks
    6) Identity theft
    7) Corporate espionage

    Personally, I think the following cartoon (from here) neatly sums up one of the biggest risks....

    facebook-cartoon.gif 

    September 5, 2008

    What is the job of information security?

    In one particular episode of Black Books - a great sitcom starring Bill Bailey and Dylan Moran - Fran starts a new job. After her first day in the office she reports back that "All I know about my job is that there are biscuits in the stationery cupboard!"

    I think we've all had that sort of day where we've gone home and wondered exactly what it is that we do. This, I believe, is particularly common amongst information security professionals. The reason is because everyone seems to have a different perception of what the job is all about.

Take, for instance, Nitesh Dhanjani who says (quoted from Taosecurity) that the job of information security is to make it harder for people to do wrong things. That's definitely a better definition than the usual definitions stating that the job is to protect assets, mitigate risks blah blah blah...yes we know. Thank you very much. Mine's black with one sugar please.

    Personally, while I like Nitesh's definition I think it's wrong. The job of information security should be to make it easier for people to do the right things. But it isn't. A lot of the time the job is to protect the organisation from people who do stupid or illegal things.

The job could also be simply stated as being to protect revenue. That's a much more emotive approach to take. However, nobody will believe you because the screensaver on their desktop has just activated and they can't find the piece of paper they wrote their password down on. So, in fact, in the eyes of the sales and marketing folk, your job is to prevent them from doing their jobs.

    In reality the job is a balancing act between working to prioritise what can be done against what you would like to have done, what you have time to do, and what your management want you to do.

    We shouldn't get too hung up on it all though. In the words of the late, great, Harold Bennett - better known as The Young Mr. Grace in "Are you being served?"; You're all doing very well....

    September 8, 2008

    Security Entropy

    Security controls inevitably degrade over time as technology changes, criminals modernize their methods, and systems begin to suffer from natural entropy.

Last week I attended a seminar where the database system being designed to host the new national ID card data was discussed. Much emphasis was put around how modern and therefore secure the system was going to be from both an IT and physical security perspective. But it occurred to me that by the time the system is fully operational the game will have changed and many of the security controls will likely be either out of date or new ways discovered to get around them. The point being that you can't simply design your security systems, rubber stamp the work then move on to the next thing and forget all about it.

Frequent and mundane routines are the killer of good security. Well designed change control processes become an inconvenience to be bypassed, operational procedures to ensure that everybody entering the building has a valid pass or is escorted degrade when the security force begin to believe they can recognise normal behaviour without checking, network security fails when the daily audit of the logs becomes an occasional audit because in the last 6 months nothing interesting has happened and you now have better things to do.

    It's worth keeping in mind that it's the gradual erosion of seemingly minor controls that will eventually lead to the major incident.  Security must be continually reviewed in light of a continually changing environment. 

    September 12, 2008

    PCI Compliance - dispelling some common myths

I was supposed to be in Paris today, auditing various PCI related things. Unfortunately, the fire in the Channel Tunnel has put paid to those particular plans. Not that I'm too upset - I'm rather reluctant to travel too far right now because my wife is heavily pregnant and it'll be sod's law that she'll go into labour the moment I'm more than a couple of hours away from home.

    I've recently been putting a lot of energy into dispelling within the organisation one or two myths about PCI compliance. The most common that I come across being:

    1) We're alright if we can pass most of the criteria.

    The pass mark is 100%. The standard is supposed to represent a minimum baseline for protecting data, so if you can't meet all the criteria then you've still got work to do.

    2) We don't do any eCommerce so the standard doesn't apply.
    PCI applies to any company within which card data is stored, processed, or transmitted by any means. So, for  example, if you have a shelf full of paperwork that contains customer credit card details then that's still cardholder data and the standards still apply.

    3) We only do a handful of credit card transactions so PCI is not applicable
    It doesn't matter if you are doing 10 or 10,000 transactions, the standards are set to protect all credit card data regardless of the scale of the business.

I consider PCI compliance to be a business-as-usual activity. We're taking credit card payments so we need to be putting the right controls around it. We shouldn't need regulation to tell us how, we should just be doing it.



    September 15, 2008

    Hotel networks put corporate users at risk

    New research published that should make you pause for thought as you connect your laptop up to the hotel network the next time you're away somewhere on business.

    ...we were forced to conclude that guests' data transmissions are often at risk when they use a hotel's network..

    Read the full article here.

    The findings reveal "that hotels in the U.S. are generally ill-prepared to protect their guests from the security problems inherent in Ethernet. We were forced to conclude further that most hotels have installed an amenity that they may not be managing properly,"


    The survey only covers hotels in the US, but I'd imagine that there's a similar picture elsewhere too.

    September 22, 2008

    There's a hole in your network and you're not the first to know...

    In the words of the great poet, David Brent (from The Office), "If you can keep your head when all around you have lost theirs, then you probably haven't understood the seriousness of the situation."

    Years ago, whilst participating in a military exercise I got caught putting the kettle on at the precise moment we were supposedly under attack from an imaginary enemy. Little wonder my military career never went anywhere. It was a great cup of tea though.

The lack of a visible enemy can often make it difficult to justify imposing controls. This is particularly true of network security. Just because nobody has noticed something bad happening doesn't mean that it hasn't. In a blog entitled Dumb Luck IS a Strategy!, Anton Chuvakin makes the excellent point that if you discover a hole on your network it's highly likely that the same hole has already been found with a variety of probable unseen consequences such as a bot being deployed or a data breach.

This view is supported by work done by various Honeypot projects. For example, follow this link to read about how a vulnerable Win32 system has a life expectancy not measured in months, but merely hours.

Of course, we first need to know for ourselves that there's actually a hole in the network. Regular scanning is one approach, and I'm sure that Anton will agree that reviewing logs is another. Both require use of somebody's time and resource, and are exactly the types of task that quickly become useless unless the scan reports and logs are actually analysed by somebody who knows what to look for.

    Once again, we see the problem is people, not technology.  



    September 24, 2008

    Unauthorised software on the network

    I spent a good part of a recent day discussing the reasons why I had instructed the removal of certain unauthorised software from a number of PCs on the company network. The arguments that came my way were:

    - they needed it
    - we should be accommodating
    - it's not posing any risk

    It's all rubbish. They didn't need it. In fact they circumvented a GPO by changing the name of the executable in order to get it working in the first place. The company already provisions suitable software, however that, apparently, was not good enough. Should we be accommodating? Sure! But we also need to remain in control of our corporate network or else there is no hope of the IT department being able to provide support or ensure that PCs remain patched up to date and free of malware.

    Which brings me onto the last argument given: that there was no risk. It's usually an uninformed one where an individual will state something along the lines of "we had it at my last company" or "I use it at home all the time." Ask them about licensing, configuration, or where to obtain security updates from for it though and you'll get a blank stare in response.

    Some of you are reading this and about to ask: why are desktops provided with local admin rights anyway? In general, they are not. A certain group of users - web developers - have local admin rights. Unauthorised software is prevented through the Windows GPO but otherwise they have full control. How much more accommodating can we be?
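    The renamed-executable trick above works because a rule keyed on the file name never looks at the file. The following added example (mine, not code from the original post or from any Windows component) contrasts a name-based rule with a hash-based denylist and a hash-based allowlist. The sample "binaries" are constructed byte strings standing in for real executables, and the policy names are assumptions used for the demonstration only.

```python
"""Name-based versus hash-based software restriction.

Added illustration, not code from the original post. The three "policies"
are simplified stand-ins for the real Windows GPO / Software Restriction
Policy / AppLocker mechanisms; the files are constructed byte strings.
"""
import hashlib

# Constructed samples: the unauthorised program appears twice, once under its
# own name and once renamed to look like a sanctioned application.
SAMPLE_FILES = {
    "chatclient.exe": b"MZ\x90\x00 pretend unauthorised chat client v1.2",
    "winword.exe":    b"MZ\x90\x00 pretend unauthorised chat client v1.2",  # renamed copy
    "notepad.exe":    b"MZ\x90\x00 pretend sanctioned editor",
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the file content; this is what a hash rule keys on."""
    return hashlib.sha256(data).hexdigest()


# Policy 1: deny by file name (the kind of rule a rename defeats).
BLOCKED_NAMES = {"chatclient.exe"}

# Policy 2: deny by content hash, derived from the known bad binary.
BLOCKED_HASHES = {sha256(SAMPLE_FILES["chatclient.exe"])}

# Policy 3: allow only known-good content hashes (default deny).
ALLOWED_HASHES = {sha256(SAMPLE_FILES["notepad.exe"])}


def allowed_by_name(filename: str) -> bool:
    """Name rule: only the path/file name is inspected."""
    return filename.lower() not in BLOCKED_NAMES


def allowed_by_hash_denylist(data: bytes) -> bool:
    """Hash denylist: content is inspected, so a rename does not help."""
    return sha256(data) not in BLOCKED_HASHES


def allowed_by_hash_allowlist(data: bytes) -> bool:
    """Hash allowlist: anything not explicitly approved is refused."""
    return sha256(data) in ALLOWED_HASHES


def evaluate(policy: str) -> dict:
    """Return {filename: allowed?} for every sample file under one policy."""
    checks = {
        "name": lambda name, data: allowed_by_name(name),
        "hash": lambda name, data: allowed_by_hash_denylist(data),
        "allowlist": lambda name, data: allowed_by_hash_allowlist(data),
    }
    if policy not in checks:
        raise ValueError(f"unknown policy: {policy}")
    return {name: checks[policy](name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for policy in ("name", "hash", "allowlist"):
        print(f"{policy:9s} {evaluate(policy)}")
```

    Under the name rule the renamed copy runs; under either hash rule it does not. The allowlist is the posture that also catches the next unauthorised program nobody has written a rule for yet, at the cost of having to approve every legitimate binary and every update to it.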

    The trump card in all such discussions is the risk ownership signature. If you really really want and need the software then we'll fill out a risk assessment, complete a departure from policy form and ask the CIO to sign it off. Funny how the requirement quickly changes under those circumstances.  

    September 29, 2008

    Chips and custard

    Two things that definitely do not go together are chips and custard. Unless you're pregnant. Or from Belgium where I suppose it's not too far removed from smothering your frites with mayo. An old friend of mine actually has a phobia of mayonnaise. I'm not making it up. Put a jar of Hellmann's finest in his fridge and he'll skip all meals until it's gone.

    This was my rather inappropriate line of thought during the opening keynote at the annual Gartner IT Security Summit today. Twenty minutes after the speaker began his rant about why everything we do is wrong and why everything he has researched is right, I gave up trying to pay attention completely. Thirty more minutes later, while I was contemplating what sort of reaction removing my eyes from their sockets, standing up and shouting "look at me" would have in the crowded theatre, he finished and I headed for the coffee.

    No-one reading this blog will be even remotely interested in anything the presenter, Neil MacDonald, had to say during his pontification on adaptive security infrastructures.

    One question that came to mind during Martin Smith's excellent presentation on security awareness was this: if security awareness is so effective at reducing risk, what technical controls can I throw out and save money on once I have my successful awareness program in place? Hmmm....We were treated to a good demonstration of how Unilever have made use of Second Life for spreading the awareness message within their organisation. Got me thinking...

    October 13, 2008

    Learning from the lessons learnt the hard way by others

    I don't harbour any illusion that the misfortune of others, frequently commented on within this blog, couldn't end up also occurring to me within my own organisation. It would be foolish to think otherwise. Some of the incidents listed on resources such as The Breach Blog strike pretty close to home and serve as lessons fortunately learnt the hard way by others so that we can take note.

    Luckily, none of the incidents experienced within the organisation I work for over the past couple of years have resulted in data breaches, but there have been some near misses and one or two outright clangers. One that will stick in my mind happened very soon after I took up my current job. A web hosting environment was becoming unreliable, needing frequent restarts of services to recover from outages. I suggested running a number of tests to look for the presence of malware, and lo, it appeared that the web servers themselves had been compromised. A third party consultant was called in to do some further investigation and the full extent of the mess was revealed: rootkits and strange port numbers being utilised by goodness knows only what.

    The servers were taken away to be destroyed in the fiery pits of hell and replaced but clearly we needed to know how they had been so marvellously hacked. Being ever the bright spark, I asked for the IPS logs to be reviewed. Nothing in them. And I don't mean that they simply revealed no useful information. There were no logs. Tumbleweed rolled through the empty space where the logs should have been. A journey to the dark, dank bowels of the data centre revealed why. The device was plugged in, switched on, and running normally but plugged into the wrong interface and thus offering our now distraught and broken web server all the protection of an umbrella against a nuclear blast.

    Lessons learnt #1: change control procedures had not been followed and nobody had checked. Assumptions had been made that the devices were correctly configured but without any resource available to review logs on a regular basis the errors were not noticed and consequently the attacks had not been blocked. Lessons learnt #2: leave a vulnerable web server online and it will be hacked. Total cost of the incident was two web servers, the costs of an external consultant, and a good deal of grief from groups within the organisation reliant upon the servers in question.

    Small beer maybe but such incidents serve as valuable reminders and also as a good kick up the arse. I'll excuse myself from this particular one because I'd only recently started in the job, but it highlighted deficiencies in general IT processes and helped me to prioritise where to focus my efforts over the next few months.

    There's little to be gained from feeling smug about incidents happening to other organisations. Interestingly, three times as many people read my blog last Friday when I commented rather sarcastically about the latest mishap at EDS than I would expect on any other day of the week. There but for the grace of god go the rest of us too....



    November 14, 2008

    Rambling on about risk assessment

    I was reading with interest a two-part blog posting from Chris Hayes on his Risktical Ramblings site. It's a detailed and thorough run through of a risk assessment process. I actually think it's very instructive and those of you who want to learn about how many information security professionals approach assessing risk should read through it. That's not supposed to be complimentary. Sorry.

    The problem is that it's completely impractical. I'll take a recent, and fairly typical situation as an example. I was taking issue with the manner in which remote access was being provisioned for a third party vendor to connect to a system hosted by one of our European business units. To cut a long story short, it was not only a breach of policy but highly insecure. I wanted the access to be disconnected, the business unit director wanted my risk assessment. And he didn't want to wait for it.

    To quote Chris Hayes, spending time on working out the expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force was not going to pacify an angry Italian fearful that my decision was going to cost him money. He wanted my explanation of the risk and more importantly, what I was going to offer as a solution to keep his business functioning.

    Information security risk assessment does not require detailed and scientific analysis. This is not rocket science, it's business. If you have a problem then you need to be able to explain the reasons why in a language that even somebody in the marketing department can understand. Risk models have their place, it's useful to understand the components that create risk but most of what I read that's aimed at the information security market is less than useless for working with on a daily basis.

    When I need to document a risk assessment I use a very simple form: list the threats, state the level of vulnerability, list the associated operational costs and potential revenue hits. High, medium, or low risk? Describe the controls and options. Write up who needs to do what, and how much of their time it's going to take. Job done.

    November 18, 2008

    Malware hits London hospitals

    It's interesting to speculate how three separate hospital computer systems have managed to simultaneously fall victim to malware. See http://news.bbc.co.uk/1/hi/england/london/7735502.stm. Given that the rest of us have not today fallen victim to anything new, and that other hospitals appear to still be functioning, it looks like a highly targeted attack. The Register reports that it might be a case of the Mytob worm; however, I'm dubious: Mytob is more nuisance malware rather than disruptive, its signature is well known, and I doubt it would result in the networks of three hospitals being so thoroughly disrupted. If it were a new variant evading the anti-malware protection, then we'd all be seeing it.




    January 7, 2009

    Risk assessment and the Nu M8 Child Tracker

    A few weeks ago I allowed my 7 year old daughter to walk the last 400 yards from the bottom of the road to the school gate by herself. Off she trotted, full of her own independence, and away she went. About half an hour later the school headmistress called me: "did you know that your daughter arrived at school by herself today?" You'd have thought some crime had been committed, or that I'd been negligent in my care. The expectation is that all children will be accompanied to the school and into the grounds by a parent. When I broached this subject at a friend's party recently and expressed my view that most of the kids at the school are more than capable of walking the half a mile or so without needing to cling to a parent like a monkey with velcro arms, one mother of two particularly obnoxious offspring stated "well I'd be too worried to let mine go by themselves." So, it's no surprise that products such as the Nu M8 digital watch with child tracker are now on the market.

    I really don't see why anyone would want to buy one. If my kids are outside playing then I can usually hear them and if I can't hear them my general attitude is "phew, some peace and quiet at last." Either I'm unaware and ignorant of the fact that kids are being regularly picked off the streets, or perhaps I'm just old fashioned enough to remember that kids like to explore and enjoy some carefree freedom rather than being shackled to the house under constant supervision just in case they graze a knee and need hospital treatment.

    Statistically, children are at more risk inside their own homes than out of it, from everything ranging from domestic violence to electric shocks. However, the hype that the press has put on the apparently ever increasing risk of child abduction (59 cases in 2002/2003 - see here) means that people do a quick risk assessment in their head where the formula used is something like risk = number of Daily Mail articles multiplied by mentions on GMTV. If result is a number greater than number of fingers on one hand then action equals throw protective blanket around child.

    It's this same principle that causes people to panic about getting on an aeroplane at the same time as they happily swerve from lane to lane at 90mph on the motorway. It's also the reason why businesses have failed in the past to deal adequately with information security: hire an IT guy, call him the security dude, give him a firewall and a know-it-all attitude, and Bob's your uncle: tick the box, we're protected. It's no different from buying a Nu M8 - you get the same soft, warm, squidgy feeling of security without having done anything to address the real risks. The system will break down the first time the child goes to cross a road and gets run over because these days nobody teaches them the Green Cross Code anymore.

    For information security, we do the brain surgery but, as somebody recently said, end up dying from the common cold. Example: a nicely developed and well coded online CRM system that I recently saw. No obvious hacks, hosted on a decent infrastructure with firewall, IPS, and anti-malware. Even a good hacker would struggle to get in through the code and steal the data. Except that everyone with access to the system was, for ease of use and administration purposes, using the same, very simple, username and password combination.
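    A shared account of the kind described above leaves a recognisable trace in the authentication log: one username arriving from many different machines in a short space of time. The following is an added example of my own, not code from the original post or from the CRM system it describes. The log line format, the one-hour window and the "more than two sources" threshold are assumptions, and the log lines are constructed for the demonstration.

```python
"""Spotting a shared username/password from authentication logs.

Added example, not part of the original post. The log format, window and
threshold are assumptions; the sample log is constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login user=<name> src=<ip> result=<ok|failed>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: the "crm" account is used from five hosts inside an
# hour, which is what one shared credential looks like on the wire.
SAMPLE_LOG = """\
2009-01-05T08:00:12Z login user=crm src=10.1.4.22 result=ok
2009-01-05T08:01:40Z login user=crm src=10.1.4.31 result=ok
2009-01-05T08:03:05Z login user=crm src=10.1.7.9 result=ok
2009-01-05T08:04:55Z login user=crm src=10.1.4.58 result=ok
2009-01-05T08:09:17Z login user=jsmith src=10.1.4.22 result=ok
2009-01-05T08:15:00Z login user=crm src=172.16.2.14 result=ok
2009-01-05T08:20:31Z login user=crm src=10.1.4.31 result=failed
this line is not a login record and is skipped
2009-01-05T09:02:00Z login user=ahart src=10.1.6.3 result=ok
"""


def parse(log_text):
    """Yield (timestamp, user, source, result) for every well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def shared_account_candidates(log_text, window=timedelta(hours=1), max_sources=2):
    """Return {user: sorted distinct sources} for accounts that logged in
    successfully from more than `max_sources` distinct addresses within any
    `window`-long period. Failed attempts are ignored: a password-guessing
    run from many hosts is a different signal and would only add noise here."""
    events = sorted(e for e in parse(log_text) if e[3] == "ok")
    by_user = defaultdict(list)
    for ts, user, src, _ in events:
        by_user[user].append((ts, src))

    flagged = {}
    for user, logins in by_user.items():
        # Slide a window forward from each successful login in time order.
        for i, (start, _) in enumerate(logins):
            sources = {src for ts, src in logins[i:] if ts - start <= window}
            if len(sources) > max_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in shared_account_candidates(SAMPLE_LOG).items():
        print(f"{user}: {len(sources)} distinct sources in one hour -> {sources}")
```

    The threshold needs tuning per environment (a roaming laptop user will legitimately appear from a handful of addresses in a day), but an account seen from five hosts in fifteen minutes is worth a conversation with whoever owns it, and the same query run against the CRM above would have surfaced the problem long before a penetration tester did.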

    Anyway, must go and make up the kids school packed lunches for the day: remember, nothing with nuts just in case there's somebody with an allergy in the school, no sweets in case they get fat, but the crappy fake chemical cheese snacks that come in a plastic pot with some sticks of wood included for dipping are fine...



    January 19, 2009

    Web access policy and dictators

    There are a few things that annoy me: impoliteness, petty bureaucracy, Chris Moyles, BT customer "service", the price of cinema popcorn, the smell of fast food on public transport, drivers who can't stay in lane when they go round a roundabout (Hey, Mrs Blue Audi driver on the A316. See those white lines on the road? Yes, they indicate a concept known as "lanes"), amongst others.

    I also get annoyed by little dictators in IT departments who think it's within their remit to decide what the Internet usage policies should be within an organisation. Come off your high horse folks. Let the HR and company management team decide what is and what isn't permitted and acceptable employee behaviour.

    The policy at my organisation is simple: anything identified by WebSense as being a potential security threat (i.e. contains malware or malicious content such as hacking tools) is blocked. Everything else is open or closed depending on whether the HR director agreed to allow it, based on a combination of common decency, local laws, and common sense. Requests to open up access to specific sites -  that might have been miscategorised or sit within blocked categories - go to either a security manager if they fall under a security category, or an HR manager for approval. It's not a perfect process but it beats having the IT manager deciding based on whether or not he thinks an individual should have access.

    There is an ever growing grey area as more consumer sites become adopted for business use. These come to me for assessment and there are a set of "good enough" control measures in place based on the risk profile of the work being done. Never say no, put a price on yes!



    February 3, 2009

    Botnets

    I had the privilege last week to hear an excellent presentation given by Bob Burls on the subject of Botnets. Bob presents an eye opening view over the power and complexity behind the botnet networks, and the damage they can do.

    The manner in which botnets have evolved, making them both resilient and persistent, is worrying enough. The ease with which they can be created and controlled is terrifying. User friendly interfaces provide point and click functionality to create and launch new attacks, with the ability to propagate across the world, in seconds.

    What really stood out though was the satisfaction that comes from digging into the networks, tracing those controlling them and bringing them to justice. Great work if you ask me, and I reckon that anybody thinking of getting into the botnet game should think twice knowing that the likes of Detective Constable Burls are after them.

    February 24, 2009

    Rats coming out of the sewer

    More than two years ago I mentioned on this blog the fact that large networks are likely hosting a variety of nasty things we will probably never become aware of. This is more than just speculation and there's some good supporting evidence in this latest story about another breach of a credit card payment processor which apparently only came to light when, as quoted below:

    In most of the latest high-profile breaches, the threat was found only after the forensics team came into the picture. "Existing network security mechanisms remained clueless,"

    However, search hard enough on any network and I'll bet you could find some speculative evidence of unauthorised access or malware that really amount to very little of interest. Is there sometimes an over analysis of forensic results when it comes to IT systems? I've seen plenty of vulnerability test reports that over-egg benign issues into something far more serious than they really are.

    I'll be interested to see where this story goes.


    March 10, 2009

    Google Docs accidentally shared

    From SC Magazine

    Users of the Google Docs application have had their information inadvertently shared.


    A flaw has been identified in the system, which meant that some documents were marked down as collaborative items that allowed third parties who are also signed up to the system to access and amend them.

    I've been dealing with requests within the business from people wanting to use Google Docs. Personally, I think it's secure enough for general day-to-day work. I wrote up and issued a quick bullet point list of sensible security guidelines relating to using the service, and we have a few people now using it to their benefit.

    I'm much more concerned about the number of file shares within the corporate network that get set up without thought given to their contents or to whom access should be authorised. I find those all the time.




    March 17, 2009

    BBC, BotNets and legal hacking

    On Monday I remarked on the BBC Click botnet investigation. I slightly regret my post because, in fact, I think they did a great job in bringing to life the potency of botnets. Legalities aside, let's focus on the fact that it only took 60 PCs to cause a denial of service situation. That's very disturbing and we all need to sit up and consider the consequences of that.

    I was chatting with the CISO of an investment bank earlier today. He was wondering whether or not we should have in place a legal framework that would allow "researchers" a better way to test system security without fear of being accused under the Computer Misuse Act. It's dangerous territory but I take his point. If somebody discovered a gaping hole in my own organisation's network security then I'd be grateful for the information. Many of the third parties I legitimately employ to do discovery work do little more than run Nessus and then post a report, so the hacker's view would be invaluable. But where do you draw the line between "hacking" and "research" and what assurance can be gained from an unsolicited security report?

    March 20, 2009

    Laptop with personal data stolen

    Another third party vendor failing to implement decent security around sensitive data.

    http://news.bbc.co.uk/1/hi/england/suffolk/7954393.stm


    You've got to check out your vendors! The vendor might be at fault, but it's your data, and your liability.

    March 23, 2009

    Security, scale and functionality - Part 3: Functionality

    I love system functionality, it's a great thing. It brings a rich and dynamic user experience or empowerment through seamless processes to get things done. Whether it be business functionality or technical functionality, we now have more system functionality at our finger tips than we've ever had.

    In the 1980s BT offered a dial in bulletin board type service known as Prestel. It was a simple service based on Viewdata technology with a private electronic mail capability and was my first experience of being in an online networked environment. Prestel hosted the UK's first home online banking service (Homelink). It was a basic service to say the least. You could view your account balance and pay specific utility bills but that was about it. At the time it was revolutionary, but today limiting your service to these features would be archaic.

    Let's jump back to today when Internet banking is the norm and the range of banking functionality is enormous (I can wire transfer money anywhere in the world from anywhere in the world without delay, interruption and at minimal cost) and it starts to become obvious that retail banks, for a number of reasons, have dismantled their internal processes and controls and have brought them out of the back office and have put them right into every living room, coffee shop and street corner (a scale issue).

    There's no doubt that there are real rewards with giving you access to all this extra functionality and I'm a real fan of Internet banking myself. However, the problem comes when/if your account becomes compromised. Back in 1984 I really wasn't bothered as Homelink really wouldn't let you do that much therefore the damage was limited and the impact minimal. In today's environment all bets are off and your account easily plundered or your Visa charged before you know what's hit you.

    And therein lies the rub. The more functionality we provide in information systems the more opportunity we create for nefarious or malicious activity to flourish. Add in the scale dimension and the problems start to be compounded even further. When I started this thread I argued that you could only ever have two elements from scale, functionality, and security and I still believe this to be true.

    If this is the case how can we approach the security element in order to bring this vital element into the picture? If we can't provide the right amount of security into highly scaled, functionally rich systems then how can the general public trust and embrace them? People will readily adopt new systems when they see a clear reward for changing their behaviour but will not go past the point where the risk outweighs the attached rewards.

    My last post in this series will look at what we really mean, and can expect of security in this environment and what we as information security professionals and our Boards of Directors need to clearly understand about these realities.

    (Postscript: Thinking about my first adventures with Prestel has brought back loads of memories. For those of us in the UK this cutting edge service significantly changed the IT security legal landscape. After Prince Philip's Prestel e-mail account was compromised the Computer Misuse Act 1990 was introduced and I guess things have gone downhill ever since ;-)

    About Network security

    This page contains an archive of all entries posted to Risk Management with Stuart King and Duncan Hart in the Network security category. They are listed from oldest to newest.
