Introduction:  Changing the Paradigm

Lately, cyber-crime legislation seems to be in vogue.  The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), the International Cybercrime Reporting and Cooperation Act, introduced by Senators Gillibrand and Hatch, and some serious talk in the European Union of creating a treaty to address cyber criminal activity have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective, or worse, detrimental.  We should all be able to agree (based on solid research and evidence) that cybercrime exists and that, as the Internet knows no legal or national boundaries, it impacts us all, whether we find ourselves in the Americas, the Asia-Pacific Rim, or in any number of European, Middle Eastern or African nations.

However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at a succinct way in which to address, investigate, and prosecute it on a global level.  As such, a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is served without bias, is required now more than ever before in human history.  Legislation drafted in a vacuum, regardless of the intentions of those parties responsible for its drafting and creation, will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals.  A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved in activities deemed ‘criminal’, while deterring those considering involvement from getting involved in the first place.

A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals

The first premise of this treatise I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc.  It involves basing the international cybercrime laws I’m referring to above on the RICO statutes of the United States of America.  The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as the RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization.  It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. § 1961–1968.

Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia known colloquially as La Cosa Nostra.  Its use has since extended beyond its initial purpose, and it continues to be used creatively by law enforcement in prosecuting others actively engaged in organized criminal activity.  As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even outdated, prosecutorial tactics.  Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, enabling it to truly meet the needs of the Internet-dependent global economy.  RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities.  People like Albert Gonzalez, who was recently convicted for his instrumental role in the TJX data theft (a theft of in excess of 44 million credit cards), could have been stopped while still in the planning stages.  Legislation such as the type being described here might very well have prevented other crimes, such as Hannaford, Heartland, 7-11, and countless others.

Tempus Fugit: Time Flies and Waits for No One

We are living in progressive and wondrous times.  The passing of the Rockefeller-Snowe bill within the Congress of the United States of America demonstrates a small, yet important glimpse of just how progressive they are.  This bill would permit the United States to apply and enforce sanctions against a nation which knowingly harbors cyber-criminals.  Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas, not the least of which is its failure to address the importance of geo-presence and location within the legislation.  Criminals, as we all know, can hide, spoof, and bounce off many countries while they commit their crimes with little effort, provided they are well organized and possess a rudimentary knowledge of TCP/IP networking and spoofing techniques.  As a result, we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an unpatched system connected to the Internet via an enterprise or home network.  I started thinking about how we surf the Internet, or in other languages, how we navigate through it.  That gave me an idea that I would propose could be a great foundation.  We need a RICO-like statute that is based on Admiralty law.  I propose calling it Cyber-RICO.

Cyber-RICO: Changing the Rules To Accommodate The Game

One might ask, why Admiralty law?  Well, for a variety of reasons.  First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel between the cloud-like nature of the Internet and those very real waters.  It touches many countries, and we all have a vested interest in protecting it.  More importantly, no one nation can lay claim to, nor police, international waters; by definition they are international and thus the responsibility of all who use and take advantage of them.  Think about that for a moment.  Who doesn’t use or take advantage of international waters, if not directly, then indirectly?  International commerce uses these waterways as a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud.  And just as on the high seas, where for millennia privateers and pirates have sought to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers) sought to take advantage of the nebulous nature of the Internet.

Back when maritime laws were developed, the principal reason that drove ratification of these multilateral treaties was self-interest.  Some nations, such as those that provided safe harbor to the pirates, were hesitant to adopt them at first.  However, when the pirates turned against them, the countries’ own self-interest quickly encouraged them to ratify and espouse such a law.

The basis of maritime law is that any country that has signed the multilateral treaty can involve itself in the enforcement of the laws.  In the same fashion, the Internet Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet.  Even when country boundaries are crossed, international task forces could then work with a common framework of enforcement, as the current anti-piracy task forces working off the coast of Somalia do.  They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying.  That is the right spirit of the law, and it would work equally well as it relates to cybercrime.

01.27.2010

This post is the first in a series of an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.

Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.

My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.

By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free, except maybe that computer that’s not plugged in and has no users or operating system; but then what good is that, other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:

1 – Confidentiality
2 – Integrity
3 – Availability

Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term, information security. As I said in an earlier post on Cassandra, security is all about protecting information. I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive, or worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time to protect your critical information has not just arrived; it has always been here. It is just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.

Security is all about protecting information, and it has been so since the ancient Greeks would shave and tattoo a message on a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk, and if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.

This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why. The customer is still the data owner, and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.

Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:

Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?

Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?

While this is not all-encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating against leveraging the cloud; quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.

12.03.2009

I had a recent conversation with my cousin Jim about Google’s new public DNS offering, and it got me thinking.  This is one of those times where I have to ask: “In what way does using this service benefit the end user?”  I’m really having trouble thinking of one.  It’s not like there was a compelling need here, as every ISP provides DNS right now – it’s a ubiquitous service.  An ISP that didn’t provide its own DNS to its customers would be like a TV station that only broadcast programs in black-and-white.  ISP-provided DNS does fail on occasion, but in my experience, DNS-related service outages have been the exception, rather than the rule. Furthermore, DHCP makes it so that DNS assignment is transparent – so using Google DNS, which would require manual configuration of each workstation, would actually be MORE difficult for people to use. (Google is apparently aware of that fact, too – as they’ve set up a 24-hour Google DNS phone support hotline).

Google is also making some pretty interesting claims with regard to security:

Google Public DNS was also put into place to prevent the sort of DNS poisoning attacks that were disclosed last year. The system can also prevent so-called DNS “amplification attacks” that attack the DNS server itself, and then use them to route other PCs to attack target sites in an orchestrated distributed denial-of-service attack.

So my question here would be – What’s so special about Google DNS, and why wouldn’t it be vulnerable to a cache poisoning attack?  BIND, the most widely used DNS server, certainly has its problems, but it seems counterintuitive to prevent cache poisoning attacks by increasing the use of caching.    In fact, it would seem to me that widespread use of Google DNS would actually make the Internet less secure, by providing a VERY high-value centralized target for someone in the underground to compromise.  Google, generally speaking, has a decent track record with regard to security in their hosted services, but they’re not infallible.

I have another, more philosophical, issue with this as well.   By pre-fetching and caching DNS entries on a large scale, this appears to be a move to centralize DNS, and I think that’s a bad idea.   DNS was designed to be inherently distributed and decentralized for some very good reasons, and if there’s a compelling reason to start moving away from that model now, I’m not aware of it.

Also, Google claims that they will only keep request log data for 48 hours, and will not monetize that data.  That’s all fine and good in principle, until someone comes up with a way to legally compel Google to start keeping that data longer.  Monitoring a centralized DNS like this would be such a neat way to observe Internet traffic patterns, and logs like this would be an absolute goldmine for law enforcement, repressive governments, and trial attorneys.  Right now, someone looking for DNS request data would have to subpoena that information from every individual ISP – and with Google’s DNS they get a lot more bang for their buck.

So, in a nutshell – Google is taking something that’s not broken and trying to fix it, and in the process potentially opening a big can of worms with regard to security and privacy.   Fortunately, I don’t think the use of Google DNS is going to become widespread any time soon, so the downside for the Internet as a whole is pretty limited.

10.28.2009

I have written a little in the past on cloud computing and SaaS; however, as previously stated, I have stayed away from doing so for many reasons, the primary one being that I am an information security professional as opposed to a cloud computing one.  Cloud computing is all the rage in business today, so I thought I would write a little more on it :) .  Its impact is undeniable, as are the debates which rage with respect to what defines or constitutes a “cloud”.  In my view of the world, cloud computing is in many respects like modern art; an appreciation of the abstract is necessary in order to derive a sense of meaning, otherwise you are just faking it to impress someone.  I for one have little appreciation for modern art and readily admit it (to the chagrin of my brother-in-law, who is an artist and lover of modern art), though I do like impressionism and nature scenes :) .  However, that doesn’t mean that I don’t use or apply abstract thought to concepts which require it (it just means I like pictures and paintings which more often than not look like something, though I am evolving in this area too).

Now back to the cloud.  I think cloud computing is in many senses like modern art.  To begin with, there is no definite shape, size, context, hue, flow, or tone associated with it; in other words, no standards and no rules by which to be judged against or measured up to.  The asymmetrical is accepted alongside the symmetrical; there is no right or wrong way, just different ways.  This, I think, will not change until formal standardization occurs in that space.  When will this occur?  Who is to say?  Though “cloudies” and security strategists alike pontificate on the implications associated with cloud environments, no one seems to have a solid model for standardization.  I maintain that much of the ‘cloud’ services or infrastructures already exist in one form or another, as ‘clouds’ in data and telecommunications environments are not new.  Cloud computing is not my forte, as I have pointed out before; information security is.  As such, I defer to people such as Chris Hoff (all hail the Hoff!) or Nick Selby in areas related to the cloud, as they have both written voluminous amounts on the topic.

My personal feeling is that cloud-based solutions, like any infrastructural solution, need to meet minimum criteria from an information security perspective that complement business need and performance rather than hinder them.  Tall order?  Perhaps.  Impossible?  I think not.  Service Level Agreement (SLA) nightmare?  Maybe, just maybe.  Many people quip and wax ecstatic about cloud computing services without taking the time to digest what they mean to a business and its data.  Whether or not they are qualified to speak in depth and at length is debatable, but nonetheless, many folks are out there doing just that.  In some respects, it does not matter so long as there is an audience willing to listen.  It is for those instances and audiences specifically that I have constructed today’s piece, so enjoy!

Clouds are nebulous.  Some of them take on a cumulus form, drifting throughout the skies in comfortably billowing capacities.  However, these are not the clouds we are looking for (I apologize in advance for the awesome opportunity to inject Star Wars humor).  Our clouds are earthbound (let us not introduce the role of satellite communication into this post, thank you), and as such, terrestrial and man-made.  Are there challenges associated with cloud computing?  Yes, I believe there are, and I would go as far as to say that even the most astute “cloudies” would agree that it is not all champagne wishes and caviar dreams in the land of cloud computing services.  Of course there are challenges; to assert otherwise would be intellectually dishonest and would likely brand the party asserting there were no challenges as a neophyte who should not be trusted (you know who you are and you know we’re watching you!).  Some of the challenges associated with cloud-based services are more realistic than others.  Examples of these areas of concern stem from the following:

Having said all that, I have no trouble at all believing that services will continue to be stood up in haphazard fashion, while some will take the time to properly design their environments to provide the optimal environment for their customer bases.  The future should prove interesting with respect to cloud-based solutions; let us just hope there is always a silver lining.

10.15.2009

Clouds are mysterious.  They come in a variety of shapes, sizes, consistencies and architectures.  I like clouds; however, I am not sure I want my data floating about in one any more than is necessary.  Cloud computing is not my forte; security is.  I believe that cloud architectures warrant the same directional approach as other architectures; after all, carriers have been securing ‘clouds’ for years.  I made a point of not commenting on cloud computing or SaaS (Security as a Service) environments, principally because I thought that there were others out there (some very astute and knowledgeable folks) commenting ad nauseam on the topic; however, I felt that the time had come for me to add my input on this topic.  Why, you might ask, have I decided to change my opinion on this?  Well, to begin with, I feel there is a great deal of “cloudy” (please forgive the pun) thought and messaging being disseminated in the industry today.  Many industry experts whose kung fu is stronger than mine, specifically in the realm of cloud architectures, would have us all believing that cloud architectures are new and consequently superior to that which we have come to know and embrace as the standard in infrastructure today, let alone the securing of them.  Perhaps they are right.  Then again, perhaps they are not.  Much has been made of the cloud.  Many suggest that the cloud is the next generation of computing as we know it and, as such, a complete paradigm shift.

I, for one, do not believe this to be true.  Yes, the advent of cloud computing is popular and, as a result, worthy of note. But new?  I think not.  As an idea and concept, as I mentioned earlier in this post, the carriers and others (ASPs, MSSPs, and hosting entities, not to mention third party outsourcing entities) have been providing cloud services for decades.  One might argue that these are not the same type of clouds and that, as such, the argument is moot.  Well, until someone defines and articulates a standard with respect to clouds, I will maintain my position.  In particular, SaaS services strike me as being derivative and familiar.  Ask anyone who has worked extensively with Managed Security Service Providers (MSSPs) what their thoughts are regarding SaaS and you will get a number of different responses and more than a fair share of eye rolling.

In fact, one of my former employers offered comprehensive traditional MSSP services in addition to two distinct “cloud driven” solutions: one provided by a third party vendor now owned by Symantec, built around secure messaging and web transactions, and the other built around advanced vulnerability management and compliance.  The arguments and justifications used in identifying and selecting these services are shockingly similar (or not so shockingly) to those used when identifying and selecting MSSP services.  Just ask anyone who has either written an RFI / RFP / RFQ for these types of services or anyone whose job it was to answer them in their entirety without pulling their hair out.  You will note from my photo that I shave my head; I gave up :) .  So why are organizations embracing these services?  To a degree, I believe it has to do with cultural tolerance, profitability, the availability of staff (experienced staff), and the business’s interpretation of the importance of information security as a business enabler; however, I believe there is more than meets the eye here.  My experience in the MSSP space demonstrated that there were certain considerations and realities that led to both the introduction of such services and, at times, the displacement of an incumbent provider.  Here is a short list:

  1. Need or desire to reduce costs as they relate to capital or budgetary expenditures:
    1. Eliminates / minimizes the need for new capital expenditure on equipment (potentially)
    2. Eliminates associated maintenance & support costs for said equipment (potentially)
    3. Enables operational security staff to focus on other, more compelling security-driven initiatives on behalf of the business (this is how I used to pitch it)
  2. Complexity of threats and / or evolution of challenges being presented to enterprise security teams by internal business clients, partners or external clientele continue to challenge and strain pre-existing teams:
    1. Expertise is neither easy to come by nor always geographically available; these services can be used to counteract those realities
    2. The ability to correlate, normalize and analyze data from disparate network and host elements enables these teams to provide salient detail pertaining to the enterprise and / or its initiatives and user community.  This is obviously important and of value to external clientele as well
  3. The inability to achieve a realistic risk posture, one which reflects the environment’s physical, logical and procedural state while providing the meaningful artifacts and evidence necessary in appeasing internal audit and risk management entities in addition to external auditors and regulatory bodies.
  4. Transference of risk:
    1. Oftentimes, though not spoken of (although at times it was spoken of), the transference of risk was the primary driver, though typically it was associated with one or all of the above
  5. All of the above:
    1. Rare, but at times the case

My concerns with respect to cloud computing and SaaS providers stem from the assurances, or lack thereof, being made to potential clients when considering these solutions.  I understand that heated debates are going on (probably on a forum near you!) with respect to this very topic, and as such I feel it vital to discuss what I feel are solid criteria for initial vetting of these providers.  The first rule, however, is that we shall not discuss pricing.  Why is this the first rule?  Mainly because price varies, as does the quality of the services being rendered; however, they are not always mutually exclusive.  We will, however, discuss the forms in which these service offerings are presented and, as it merits, discuss deal or offering structure.  I believe it is necessary for enterprises considering the adoption of such services and architectures to consider how their data is treated as it enters the cloud, what occurs during transmission, what occurs at rest and what occurs during egress.  Put plainly, what occurs from the perspective of confidentiality, integrity, availability and assurance?  One should always inspect what one expects; scenarios such as this are no exception.

I believe that those organizations providing cloud-driven security or SaaS services should follow the example (minimally) set by MSSPs, or at least those that I have worked with and competed against, with respect to data preservation and security.  In my experience, there is no excuse for shortcuts with respect to data integrity and preservation; as such, I have worked with and represented organizations that espoused the same ideological stance on the matter of handling other people’s data.  Minimum criteria in my mind include, but are not limited to, the following:

  1. Attainment of accreditation and certification relevant to secured carrier or cloud environments
    1. SAS70-II
    2. Safe Harbor
    3. SysTrust
    4. Regular internal & external security assessments and audits performed and delivered by qualified internal employees as well as trusted third parties:
      1. Penetration testing
      2. Social engineering
      3. Application assessment
      4. Customer premises ingress (if possible)
      5. Concise, meaningful documentation of the environment and the ability to produce report deliverables, accreditations, and artifacts upon request

Beauty, after all, is in the eye of the auditor, and his or her interpretation of the standard against which one is being audited is paramount in attaining or maintaining status.

With respect to the monetary value associated with such services, there is no question in my mind that savings can be achieved via the selection and adoption of such services.  The value represented in dollars and cents can be arrived at when negotiating initial pricing, as these contracts are typically written for specific durations; sometimes month to month, however it is more often the case that these services are delivered on a term basis (12, 24, 36, 60, 72 months etc.).  The more mature the offering and provider, the easier (typically) it will be to estimate initial (capital) signing costs and subsequent savings over time.  Numbers do not lie; people do, so inspect what you expect.  Again, a familiar model should one look beneath the covers.  You might be saying to yourself, “Wait, wait, what if it is a service that is software driven and predicated on a subscription model?”  My assertion is that fundamentally the numbers will either demonstrate value over time or prove to be cost prohibitive, so again, inspect what you expect.  In many respects this is no different from any time an enterprise engages in a long-term contract with a third party for the delivery of a service.  Whether it’s telecom, call center or SaaS, I believe fundamentally that they are analogous to one another.

Organizational security posture may also play into the immediate revelation of value realized by the organization upon engaging in this type of service agreement.  Depending on the condition of the enterprise in question, the needs of its user community and its overall risk posture, costs may vary (most providers will offer various levels of service, all of which will have, or should have, differing degrees of service level agreements, each with its own merits and penalties to be paid to the enterprise client should the provider miss an SLA), in order to enable and empower the enterprise in realizing its goal: protection of its data, its user community and brand, all while minimizing and transferring risk.  No decision of this sort should be made in a vacuum, and as such, decision makers, influencers, recommenders and stakeholders (departmental and within the various and sundry elements representing the business units which make up the enterprise) should investigate all options available and arrive at a decision which best suits their needs while providing the most value to the business.  In doing so, they will effectively enable the business to do what it does best, generate revenue, while fostering a culture of cooperation and partnership.  The net effect of this could lead to a fundamental change in comprehension, attitude and application of information security within the enterprise as a whole.  In closing, clouds can be beautiful, amazingly striking things or, depending on the conditions, ominous harbingers of storms to come.  In choosing wisely you might just be able to remain in Kansas, Toto ;)