Cloud Computing and Security
This post is the first in a series of in-depth reviews of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion, and advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services promise a lower cost, easier to manage solution, or a “quicker” something, whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free, except maybe that computer that’s not plugged in and has no users or operating system; but then what good is that, other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information. I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or, worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that exploited a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, it is not that the time to protect your critical information has only now arrived; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why. The customer is still the data owner, and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality of your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization. However, how does the hosting company guarantee that only your organization is accessing the data or application?
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by anyone other than authorized employees of your organization
- Ensure that the data cannot be intercepted, read or modified while in transit, either across the network or to a remote backup facility, should one exist
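As an added example (not code from the original post), here is what the key-management item under confidentiality and the "no modification outside the application" item under integrity look like in practice: the customer encrypts with a key the provider never holds, using Go's standard-library AES-GCM, and binds each object to its tenant path so that a blob the provider modifies or mis-files is rejected instead of being decrypted. The tenant paths and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CustomerKey is an AES-256-GCM key that never leaves the customer's side; the
// provider only ever receives ciphertext. (In practice: a customer-controlled KMS/HSM.)
type CustomerKey struct{ aead cipher.AEAD }

// NewCustomerKey generates a fresh 256-bit key.
func NewCustomerKey() (*CustomerKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CustomerKey{aead: aead}, nil
}

// Seal encrypts an object before it leaves the customer's control. The storage
// path (tenant + object name) is bound as associated data, so a blob the provider
// moves or re-labels to another path will not open there. Layout: nonce||ct||tag.
func (k *CustomerKey) Seal(objectPath string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := k.aead.Seal(nil, nonce, plaintext, []byte(objectPath))
	return append(nonce, ct...), nil
}

// Open checks the GCM tag before returning any plaintext: a blob modified outside
// the application, or served under the wrong path, is rejected, not decrypted.
func (k *CustomerKey) Open(objectPath string, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns+k.aead.Overhead() {
		return nil, fmt.Errorf("stored blob too short to be valid: %d bytes", len(blob))
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(objectPath))
}

// ProviderStore stands in for the vendor's storage: ciphertext only, no key.
type ProviderStore map[string][]byte

// Corrupt flips one bit of a stored blob, modelling a change made outside the
// application (disk fault, hostile insider, accidental overwrite).
func (s ProviderStore) Corrupt(path string) {
	if b := s[path]; len(b) > 0 {
		b[len(b)-1] ^= 0x01
	}
}

// ScenarioResult records what the customer can verify after a round trip.
type ScenarioResult struct {
	RoundTripOK     bool // intact blob decrypts to the original plaintext
	TamperRejected  bool // modified blob is refused rather than decrypted
	RelabelRejected bool // blob served under another tenant's path is refused
}

// RunScenario stores a constructed record under tenant-a's path and checks the
// three properties above. Paths and contents are constructed sample values.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	key, err := NewCustomerKey()
	if err != nil {
		return r, err
	}
	const path = "tenant-a/research/project-notes.txt"
	secret := []byte("Q3 research notes: formulation batch 17 (constructed sample)")
	blob, err := key.Seal(path, secret)
	if err != nil {
		return r, err
	}
	store := ProviderStore{path: blob}
	got, err := key.Open(path, store[path]) // 1. intact round trip
	r.RoundTripOK = err == nil && string(got) == string(secret)
	store.Corrupt(path) // 2. provider-side modification fails the tag check
	_, err = key.Open(path, store[path])
	r.TamperRejected = err != nil
	fresh, err := key.Seal(path, secret) // 3. same blob, another tenant's path
	if err != nil {
		return r, err
	}
	_, err = key.Open("tenant-b/research/project-notes.txt", fresh)
	r.RelabelRejected = err != nil
	return r, nil
}
func main() { fmt.Println(RunScenario()) }
```

Note that this covers confidentiality and integrity only; availability, discussed next, is not something a customer-held key can provide.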
Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this does not cover all of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating against leveraging the cloud; rather, quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
Recent events have caused the world at large to take note of something which many – certainly not all – information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape, as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were there other names for these threats in the years prior to the coining of this term? Yes, for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?), as that is exactly what they were when noticed: events of interest. Today, in a wonderfully thought provoking guest blog posting at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it’s the adversaries, not the threats, which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has been proven to my colleagues and me here at Cassandra Security, and at other affiliated organizations such as Trident Risk Management, many times over. What is old is often vigorously repeated, as people frequently become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment Solomon expressed in the Book of Ecclesiastes: “…there is nothing new under the sun…”. We need to ask ourselves why. Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity which is not new, but rather the result of creativity and innovation in thought, action and deed, in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense? And perhaps why does our industry slumber like a sleeping giant, as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike, operating on behalf of, in deference to or outside of nation state sponsored activity, are real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting – namely data. In the public sector, with respect to defense and strategic offense, it has always been about the data; data and intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter, but also indicative of one of the greater problems present within our industry: sensationalism, and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye and no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet for example) are far from new.
You may have read articles addressing this topic here at Cassandra Security previously, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or Threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new, nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security and risk posture must address for themselves and take note of, should they wish to stave off current or future attacks. This fact is apparent in a multitude of historical cases, and will no doubt continue to be the case, as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything, whether we wish to admit so or not. Cybercriminal activity in all its flavors, in addition to nation state sponsored and sub-nationally sponsored activity, requires this now more than ever before. The future is now, and it is up to those who dare to lead to provide the light necessary to illuminate the paths we tread.
German Government and Internet Explorer
The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.
It’s an interesting statement in what is sure to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short-sightedness regarding the flaws in Internet Explorer.
In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point: with IE installed on over 60% of computers worldwide, there is a better than average chance that consumers WILL SOON be targeted, and this is why I take issue with Microsoft’s defense against the German government warning.
My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.
Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other third-party business application which only supports IE. Then I would have it installed only on systems requiring access to that app, would have the security settings tuned to High and would disable as much scripting as possible.
I’m not naive; I know there are vulnerabilities in Firefox. In fact, when looking at Secunia this morning I found there to be more vulns in Firefox than there are in IE (versions 5.0.1 through 8). However, the one thing I noticed as well is that Firefox vulns were more likely to be patched quickly than those in IE, and that the vulns reported in Firefox were collectively not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive against a future IE zero day that goes unpatched for a significant length of time after discovery.
Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero day vulnerability before an attack occurs. However, this series of attacks occurred last week, and the recommendations against exploitation are browser settings, not a patch. This isn’t going to work for the consumer or casual user and, very likely, won’t work effectively for the large enterprise.
The reasons are simple:
- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of help desk calls asking “how do I make these changes again?” or of trying to explain why some website isn’t working.
It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriately. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”
I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.
Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.
Again, this is not an indictment against Microsoft, rather this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house or do you trust the safe manufacturer instead? For information security, rely on the security professionals.
As a final disclaimer, these views are mine alone and do not reflect the views of my employer.
APTs, Web Browsers and Information Security
The recent news surrounding the Google cyberattack, and the fact that web browsers were exploited to facilitate these attacks, comes as no surprise. In fact, I recall in 2006 and 2007, when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:
If I had a giveaway for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive? Almost unanimously the hands would raise for the $1000 cash, because people want the cash.
The whole point of this series of presentations was to point out that security had everything to do with information, and that viruses, worms, Trojans, bots, etc. were simply mechanisms used to enable access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.
I submit to you today the same thing that I would tell folks 3 years ago and more: that the web browser is the most widely used application in user land and, as such, will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentations via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we saw a large scale compromise that was PUBLICLY announced, enabled by flaws in the web browser and the near ubiquitous use of the browser on every computing device a user, consumer or employee of an organization uses to go about their daily business.
I remember the first time I mentioned to an audience that the use of the web browser, when taken into an information security context, was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that, because a web browser and plug-ins like Java, XML, Active X, VML and others “just run” once the browser is launched, it’s no different than giving someone free rein to do whatever they want in your home or office when it comes to valuables.
This series of attacks and exploits of Internet Explorer has proven that point more than ever. The opportunity was there 3 years ago and now the first of many attacks has arrived. But the one thing that we must absolutely remember is that it’s not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be consumers’ credit card information or a chemical company’s intellectual property.
Security is about protecting information, pure and simple; everything else is just a by-product of that.
For more information on the presentations I mentioned above please check out:
http://bit.ly/8gQfrz
http://bit.ly/74tBEM
Haitian Earthquake Phishing Scams and Some Thoughts
Haiti has been hit by a terrible earthquake, leaving the country, her people and its government in a state of disarray. The world has recognized her need, and private citizens in addition to nation states began sending aid in the form of rescue teams, medical professionals, pharmaceutical supplies, food stores and money. Sadly, as money has begun flowing into authorized relief funds, cyber criminals took the opportunity to capitalize (if possible) on the kindness of strangers with respect to aid for Haiti by diverting funds from those in need. This is certainly not shocking, nor is it a deviation from their models, but it is sad. Spear phishing attacks, illicit malware laden websites and other attacks have been identified and taken note of with respect to this, and so it is understood that people should be careful with respect to what they receive, open and visit. Cybercriminals do not sleep. They do not rest or sit back on their laurels hoping for opportunities to make themselves apparent. They actively engage in the creation of opportunities and look for ways to compromise anything (regardless of how benign it may seem to the layperson) in order to achieve their ends. It would be foolish to think that there exists some standard of moral decency with respect to these individuals and organizations. I realize this is a strong assertion, yet I believe it to be accurate. This is not to suggest that as individuals (or to a degree organizations) there may be activities which are deemed prohibited unilaterally at an organizational level; however, it cannot be assumed that any sort of moral compass exists by which these parties set their course. So what can we say then with respect to the latest wave of ‘cyber-fraud’ activity we are seeing relating to Haiti, or any media driven incident, whether it is the death of a celebrity, the introduction of a new financial application or offering, or an international tragedy?
I believe we can say much on the topic, the first comment being that we cannot afford to underestimate our opponents. In doing so, we make ourselves susceptible to deception, subterfuge and exploitation. We should never assume that those with an agenda (in this case the generation of revenue / profit by illicit means) will abide by or hold the same things morally / ethically sacred as we do. This is foolhardy. The second comment is that we must encourage vigilance and attention to detail with respect to the solicitation of information or monies when approached. I believe most people, when asked, want to do good. However, I also believe that there is a strong likelihood that people who wish to do good are often ill equipped to discern when and if they are being manipulated. This is not their fault; however, it remains a problem and requires constant information transfer and education in order to avoid further tragedy. Imagine, if you will, your Grandmother or Aunt Sally seeing the tragedies of the Haitian earthquake, being moved to act through the donation of a few dollars, but not knowing how to contribute or what the best way to do so is. Then, lo and behold, an email arrives in Grandmother or Aunt Sally’s inbox with a subject line that reads something like “Haitian Relief Fund: We Need Your Help!” The email is opened, it looks official and reads in a very professional way, and links are provided for the potential contributor to use in ensuring their contributions are made as “swiftly” and “securely” as possible. The links are clicked and Grandmother and Aunt Sally are whisked away in milliseconds to a website waiting patiently for them to populate their personally identifiable information and method of payment (credit or debit card being the preferred method of payment). In an instant, what began as the desire to do good was exploited, and an even greater tragedy ensued. Vigilance is key.
The third comment to be made with respect to this is that cyber criminals are equal opportunists of the highest order. They do not discriminate based on creed, ethnicity, faith, morality or ethics. If profit can be had from an activity and the rewards outweigh the risks, you can be sure that someone somewhere is working on devising a new way (sometimes just a clever twist on an old concept or idea) to reap as much monetary gain as possible before being identified. In closing, I would like to state that, I believe, it is a good thing to aid those in need. There is nothing wrong or foolish about doing so. In fact, it is the honorable thing to do; we, as information security professionals, simply need to aid in ensuring that the process remains secure and that no one is exploited in the process of trying to aid another.
There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection, combined with the financial backing of a state or non-state sponsored cyber hit, has and will continue to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technologies required to uncover these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting (http://bit.ly/8TlP6d), are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP, to name a few. Those that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface, according to an article where the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.
APTs, or SMTs as we here at Cassandra refer to them, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a discussion on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and, unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now, with that said, the sky is not falling, but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing, but it’s not as powerful as having full session based data. SMTs are like bread crumbs that fall through the cracks, and the type of technologies that can catch the breadcrumbs are those developed by Netwitness and Palantir, to name a few. I’m not plugging them, but these types of technologies are needed in uncovering the stealthy threats that go bump in the night and in broad daylight. Additionally, the time to protection is constantly shrinking, and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm of a siloed data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMTs, formerly referred to as APTs. More to come on this topic.
2010 Predictions…sort of
It’s 2010, people. Happy New Year! Where did 2009 go? Last year was a very busy year for Cassandra Security. A lot has occurred since we launched, and we as individuals and as a team have learned a great deal in the process. 2010 promises to be a very exciting year and, if my estimations are sound, we will show no signs of slowing. This is a good thing. My first 2010 prediction is that in the not too distant future you will see our site change. The evolution has begun and it is only a matter of time before it is complete. I am personally looking forward to this and other changes; however, I will refrain from commenting until the appropriate time. I will say, however, that our goal remains the same: to provide the most comprehensive, thought provoking content we can related to our passionate study, devotion and understanding of our discipline. Expect to see more in the way of malicious code and content analysis, threat analysis, reversing, trending and a whole host of other technological and philosophical endeavors related to our work. It is an exciting time to be in our space; it is a time that calls for leaders to lead, followers to follow and those who are confused to kindly step out of the way. Before I get into the heart of this post, I would like to say thank you to those who have shown their love, appreciation and support to us thus far, believing in our work and in us and rallying behind us regularly. Thank you. You know who you are and so do we. We are honored by your allegiance and support and hope that in achieving our goals we will also aid you in accomplishing your own, whether in business or personal contexts.
This time of year resolutions are the norm, and in our space so are predictions. I am not a resolution kind of guy, so I will jump squarely into the predictions. Predictions are tricky. In our space you often encounter a regurgitation of ideas or, worse yet, a pilfering of them, with the net effect being that they end up on someone’s prediction list. This entry is going to be different. I hope you’ll enjoy it and appreciate it for what it is, as opposed to yet another broadcast of what may or may not be the next big threat to hit (I will mention some things which fall into this category; as you will see, it will be done in a manner different from what one would traditionally expect in a piece such as this). Predictions come in two varieties. They are either related or associated with the divine, the supernatural, or the result of anticipatory science (the type of predictions which lead to the formulation of a hypothesis, for example). As we neared the close of 2009, I read no one’s predictions for 2010. In fact, I still have not read anyone else’s, to avoid muddying the waters of my own thought process. When I was a child, a very wise person told me that the true test of a prophet or one who makes predictions lies in his or her accuracy with respect to the prophecy or prediction coming true. I took that to mean (and still do) that there are many things which must fall into place either by divine design or by the design of man (some may argue the latter is influenced by the former; however, that is not the purpose of this piece, so let’s table that for another time). I never took it to mean that we as intelligent, informed human beings, perhaps lacking ‘divine’ insight, could not arrive at conclusions after conducting enough individual and collaborative analysis to make educated guesses or predictions. In fact, that is where I believe most predictions fall categorically: into the realm of those driven by anticipatory science.
Does this mean that I am ruling out in terms of absolutes, the possibility of one’s “gut” or “instincts” playing a role in this process? Certainly not. However, what it does not mean is that what we conceive as predictions in our space are akin and par with messages delivered from on high, carved in stone and presented to a body of people.
Preface:
I feel that it is important to write and speak honestly about the world in which we live and work; the good and the bad; the sacred and the profane; the beautiful and the ugly. I believe that in doing so we remain in balance and present a realistic view of the world as opposed to one seen through tinted glasses. I believe that there are threats, very real threats, which are at work in the world, some more noticeable than others and some operating quietly in remote locations, readying themselves for their opportunity to strike. However, I do not believe it to be a healthy or intellectually honest position to speak only of those threats in an unbalanced light. This, I fear, leads us away from sound thinking and directly into the land of those who inappropriately talk of fear, uncertainty and doubt. We do not need to lead anyone down a road to perdition; people do that for themselves. Our role is to identify the patterns, trends, activity, threats, vulnerabilities and risks that may be exploited in order to achieve the goals set forth by those who seek to do harm, in whatever form harm "means" to them. Furthermore, I believe we as professionals have a responsibility to avoid sensationalism when possible. Sensationalism is fine for the circus or cinema; however, it is terribly inappropriate in other contexts, namely those within which we operate. I find that behavior to be distasteful and amateurish, and so should you if you are a professional seeking to improve your skills and understanding of that which we do.
Prediction #1: Evolution by Definition Will Fuel the Revolution
I do not believe that we will see a plateau or a peak with respect to illicit activity, regardless of the form it takes: cyber crime, cyber espionage, cyber warfare or cyber terrorism. I believe we will see continued growth and likely greater degrees of interconnectivity between organizations around the world (in addition to individual operators), as there is no shortage of demand for what is being supplied, nor is there a shortage of innovation taking place. I write often about cyber crime, cyber espionage, cyber warfare and cyber terror as they, along with psychology, are passions of mine (in addition to being areas in which I have professional experience). I often quip that there is an "Evolution Revolution" in full swing with respect to those factors that drive the creation, support and growth of sub-economic ecosystems (sometimes referred to as shadow economies). Put plainly, there are simply too many opportunities and too many parties ready, willing and able, for a plethora of reasons (recall that agendas drive action), for this not to be the case.
Evolution occurs without the aid or impetus of a third party. It simply does not require it; it is not necessary for its manifestation. Revolution, on the contrary, requires an evolution of thought, ideals and action. So long as this evolution remains present (which, based on my understanding of Darwin's and others' writings, I believe it will), revolution will be made possible and continue unfettered. In our field, in our discipline, I believe that we have seen examples of this over time and will no doubt see many more in 2010 and beyond. The world is not enough, to quote Ian Fleming, and it is an intellectually dishonest position to suggest that everything that can be monetized on the Internet (in other words, given monetary value) already has been. Assertions such as this boggle the mind and suggest that human innovation and creativity have reached their apex (which we know has not occurred) and that, as a result, markets will dwindle. Do you see that happening? I don't. In fact, I would argue the opposite completely and passionately. So long as there is evolution pushing revolution within cyber criminal ecosystems (shadow economies), state-sponsored cyber warfare and espionage, not to mention sub-nationally sponsored cyber terrorism, there will continue to be opportunities upon which to capitalize. We need now, more so than ever before, to remain diligent and prepare ourselves for what is coming, even if we cannot (in an unequivocal sense) "predict" exactly what will occur.
Prediction #2: The Sky is not falling, but it is Getting Gray
"All the leaves are brown and the skies are gray." I love that lyric; it says a lot in few words; it evokes a visceral response that the listener can easily identify with, should he or she have experienced winter and its realities. Ironically, it is winter and I am writing this less formal but still serious post about predictions. Often people make assumptions and broadcast them in the absence of fact with respect to what is real and what is not within our industry. It does not require an advanced degree to recognize that this is foolish at best and quite dangerous at worst. Take innovation, for example. I believe that innovation, both good and bad, will continue, and that in some respects the innovation we perceive and recognize as bad in our industry will outpace the readiness of the tools and tactics we have at our disposal, should we become complacent and jaded. Cyber criminals, for example, are extremely innovative and recognize, at times more readily than we would like to admit, the challenges and inability of industry to address all that they have to offer and more. We must ready ourselves in all seasons, in particular the winter of our development, in order to address this, as we know that cyber criminals do not sleep but our industry often does. Sound analysis and integrity-driven research, along with our desire and ability to enable ourselves and our clients to meet these challenges, is what is needed, not sensationalistic ramblings or debates about the validity of a new enablement technology or regulatory standard. Preparedness is key, and the failure to plan is the equivalent of preparing to fail. Last year, there were ample examples identified and noted which influenced the industry's belief that the sky is falling; however, there was little to lead us to believe that utter destruction was upon us.
This is not to say that there were not very serious occurrences which wreaked havoc upon the cyber world and beyond (to suggest otherwise would be madness). No, some truly BAD things did happen and will continue to happen. Will the skies remain gray? I believe they will; I maintain that they will be cloudy and at times become more ominous than at others. Trends change; they evolve and mature. It is because they do that, in my mind, it is better to expect the worst, hope for the best, and always be prepared. Very rarely (if ever) are people penalized for preparedness. Should you find yourself being penalized for being prepared, you can blame me or the Boy Scouts, whichever you would like, but take solace in the fact that you were prepared.
Prediction #3: The Threat Landscape Will Remain Unpredictable
If I have learned anything in life, it is that life is unpredictable, and perhaps that is what we need to focus on. Unpredictability is what enables us to formulate strategy and tactics for dealing with everything we experience, whether it is our car not starting or our enterprises and our information, personal or otherwise, being placed at risk. Our goal for 2010 should be to remain vigilant and, where appropriate, become more so. This requires a reconsideration of risk and its management, as opposed to the mindless adoption of the latest newfangled technology or audit requirement. We need to treat information security and risk management in 2010 as though they are living entities: sentient and in need of nurturing. Should we fail to do so, then perhaps some of the more "sensational" predictions made by others will come to a head.
It’s the People, Stupid!
Everybody knows it takes people, process and technology to achieve enterprise information security. Let’s keep our priorities straight in 2010: don’t lose sight of the people who want your enterprise to succeed.
Consider your information security priorities this year. Are you creating a culture of mistrust or empowerment? Are your information security challenges primarily technology problems, process problems or people problems? If your goal in 2010 is primarily to leverage the latest technologies to improve the security of your organization, you may be looking at it backwards.
For most of us, there is no security without trust. If you're an intelligence operative in a hostile environment, you have techniques for establishing a certain level of security without the need to trust the people around you, since in fact none of them can be trusted. But this isn't the world you and I live in (and even a spy in the most dangerous of situations has to be able to trust someone). Instead, we live in a corporate world of employees, employers, business partners and competitors. And in our world, without trust we have nothing. No progress, no innovation, no commerce, no fun.
Like our brave spies working abroad, we can’t afford to trust everyone around us implicitly. But neither can we achieve any kind of meaningful success if we explicitly mistrust everyone. For all of Apple’s legendary (and perhaps overblown) sense of secrecy, you know deep-down that Steve Jobs trusts Jon Ive, and you know that Ive has to trust the people who work for him. We simply cannot create great things without trusting one another. I can’t overstate this, but let me try: no meaningful human collaboration is possible without trust.
Then why are we here? Information security professionals exist to prevent (and clean up after) situations where that vital trust has been abused. We are “CIA” officers of another kind, focused on confidentiality (keep valuable information away from people I don’t trust to access it), integrity (protect my information from those who might damage or destroy it) and availability (make sure the people I trust can access the information they need, whenever and wherever they need it). We infosec folks have a reputation for saying “no,” for getting in the way of business, for putting up walls and barriers. But executives can also place too much emphasis on secrecy and confidentiality. Long ago I worked for someone who believed that the merest act of sharing precious information causes it to lose its value (we all know how that turned out for Hollywood: if you don’t provide a convenient way for people to get music, TV shows and movies from you legally, The Scene is standing by to make it easy for your customers to get what they want–and you’ll get nothing. I digress). On the contrary, information must be shared, collaborated on, improved and productized before it can deliver business value. And you can’t do these things unless you have some measure of trust for the people involved in that process.
If one looks at it this way, whence does information risk arise? It all comes down to the people acting on the information (with only a parenthetical nod to process and technology). If Alex uses his personal webmail account to transmit sensitive information to a business partner because he thinks that’s the most effective way for him to do his job, it’s not because Alex can’t be trusted; in fact, it’s up to you to praise Alex’s ingenuity, then educate him and make it possible for him to choose a less risky way of creating value. If, on the other hand, Barry uses his personal webmail account to transmit sensitive information to a competitor, you have an employee you need to get rid of. How do you solve the Barry problem without demoralizing and alienating Alex? Do you actually have a Barry problem, or is that merely your operating assumption?
Some years ago I was given an after-hours private tour of Pixar Animation Studios. As we passed a table stacked high with posters promoting an upcoming film, I asked whether I could have one of the posters. My friend and guide politely declined, explaining that he didn’t know who the posters were for and that taking one would not be appropriate. No cameras, no inventory database, no security guard, no next-generation poster-loss-prevention technology, not even a locked cabinet was necessary for my friend to come to this decision–just a passionate, empowered and trustworthy employee making sound judgments on behalf of the company he loves. Do you have employees like that? Who believe in what your company does and are that invested in its success? If you’re always thinking about Barry, looking for the perfect suite of technologies to prevent your ignorant or malicious users from wrecking everything, you introduce the new risk that Alex, once passionate and bright-eyed, will feel besieged in a labyrinthine fortress of controls and suspicion. And without Alex you have nothing.
Everything comes down to trust. If your employees aren’t trustworthy, you don’t have a small IT problem, you have a big HR problem. Start with Alex: create and maintain a culture of trust, where employee priorities and company priorities are aligned, where creativity, passion and diligence are rewarded, where everyone is bought into the mission and feels a genuine responsibility to carry it out and make the enterprise succeed. Establish and socialize sensible policies and practices (controls too, where you need them) which promote trust instead of undermining it. Then focus on what IT does best, which is to give your people powerful tools to empower them to use information to fuel your enterprise’s success. Not only will your passionate, trustworthy employees create more value in such a climate, you’ll develop a culture where Barry won’t stand a chance. Go Alex!
Will Irace works for a vendor offering next-generation information security technology. 
eReaders and Corporate Information
I love my Kindle, I really do. I can carry two or three books, magazines, newspapers or whatever with me when I travel, without the added weight of dead trees in my bag. There may be someone reading this who prefers a Nook, but feels the same way I do regarding eReader portability and functionality.
They are versatile, they are lightweight, they don't take much time to turn on and, if you're savvy, you can put just about any document on them beyond what's available over the respective wireless networks. And therein lies the problem.
- The Nook and the Kindle both support PDF, JPG, BMP and GIF file formats
- The Kindle allows you to send an attachment to a unique email address which is assigned to your device; it will be converted to PDF and sent over the air to your device
- Both the nook and the Kindle can be mounted as a hard drive on your computer
The traveler, productivity and efficiency side of me says "Hey, that's great, I don't have to boot a computer anymore if I can put a document in PDF format."
But the security side of me says “Big problems to come in 2010 and beyond.”
Outside of the username and password assigned to the wireless store account, neither of these devices has any sort of access control or authentication mechanism, nor do they have any sort of file security or encryption. Therefore, there's no way to prevent "just anyone" from picking one up, turning it on and reading whatever is on it.
However, there really isn't a reason to have authentication or any other sort of security on them, right? Simply stated, they don't need it because they're intended to be devices of convenience for the avid reader. However, business people are always looking for ways to become more efficient.
Very recently, I’ve had conversations with colleagues and friends, during which one asked if documents other than books could be read on the Kindle. His idea is that he will load it up with documents that he needs to review while on airplanes. Great idea in concept, maybe not so much in practice depending on the nature of the information.
The other already had a plan: he was thinking about getting one, and one of the plans he had was to put user guides, documentation and other materials related to the technology he sells on his eReader. Another good idea in theory, but again this could lead to problems down the road.
I'm sure much of this material will be benign, and my hope is that the folks I work with in the security industry will show better judgment than to put confidential information on their devices. But what about those not in the security industry with the same ideas of eReaders being a model of efficiency for travel? That's what concerns me.
Generally speaking, most people who will find the ability and convenience of putting documents on these devices won’t even think about the security implications of their actions.
The potential problem is not limited to the device owner either; it extends to anyone who can be authorized to send email to the device. In my case, I can set up users or entire domains to be authorized to send a document to my Kindle, to be converted to PDF and sent to my device. This happens automatically when I turn on the wireless connection and the device syncs to the Amazon servers. However, I have no way to control what's being sent to the device. Sure, I can delete it if it looks like it doesn't belong or looks out of the ordinary, but the risk of confidential data being placed on the device still exists.
The ability to put documents on my Kindle is great, it really is. I love the fact that I’m not restricted to only paid content from Amazon. In theory, I could read and grade student papers during terms when I’m teaching. I can review draft documents intended for public use. Imagine the creative use cases for eReaders in business, they are quite extensive.
This is the problem that information security professionals will face in the coming year and beyond as more people buy eReaders. My years-old theory about personal technology in the workplace still holds true today: any consumer technology that becomes cheap enough to be widely used in the workplace creates a security risk, primarily because the owners of these devices bring them into the workplace thinking it will make their jobs easier, or use them as a convenience. The risk introduced by these devices can be attributed to the fact that the users of IT are quite smart; they do what they are allowed to do, in the environments they are allowed to do "it" in, with the knowledge and education they are provided.
Because of the ease of interoperability and the challenges associated with managing enterprise infrastructures, many personal technology devices have been introduced into the workplace over the years. These include: iPods/MP3 players and their use as a hard drive (I know at least one person who has two iPods, one for music and one as a hard drive backup), mobile phones and their cameras and video/audio recording capabilities, high-capacity USB drives, watches with USB drives, and portable document and business card scanners. In 2010, I believe we will see the eReader revolution take off as a personal technology device that is introduced into the workplace.
The job of the information security professional is only getting tougher, and even if companies are primarily concerned about minimum compliance standards, it's time to start paying attention to where your data and information are being stored. Because in my opinion, it's only a matter of time before one of your employees leaves an eReader on an airplane, in the security line or in a hotel room, and that eReader very well might contain some information critical to your business that is not intended for public viewing.
On Monday, January 4, 2010, information infrastructure solution giant EMC agreed to acquire Overland, Kansas-based Archer Technologies for an undisclosed amount (Archer Technologies is privately held) and anticipates completing the acquisition sometime before the end of Q1 2010. I am slightly annoyed by this, as I love Archer Technologies' products and think they do a smashing job in the GRC (Governance, Risk, Compliance) software space; however, I am happy for the Archer folks all the same if the deal works to their collective best interests and those of their collective clients and customers. Art Coviello, President of RSA, which has for a while now been the Security Division of EMC, summed up the reasoning for the acquisition best, saying that traditional security management focuses primarily on addressing technology issues but their customers were telling them their real challenges came in the area of policy management, audit and compliance. He concluded by saying "You can't manage what you can't see", a fair point, yet rather pedestrian for those more fluent in information risk management, where the real challenge is being unable to secure what you are not cognizant of. It seems as though Archer Technologies will live within the realm of RSA and likely be integrated with, or at the very least coupled with, RSA's SIEM solution, enVision.
All of this is good for the end customers and clients of EMC's current solutions and could prove advantageous for Archer Technologies' legacy customer base as well. Tools such as Archer are wonderful for influencing and bringing to bear properly architected, risk-based process, procedure and policy frameworks while identifying deficiencies where they exist. The challenge is that Archer Technologies does not have legitimate actuarial-based data as do vendors such as Prevari, which enables you to establish sound metrics against the enterprise. Were I working with Mr. Coviello, I would have recommended purchasing both, as one without the other is good, but both together demonstrate a more sophisticated and complete view of an enterprise world.
So what will become of Archer? As mentioned previously, we shall see it working with the RSA suite and, if EMC can pull it off, their Ionix unit, which aids customers in automating their IT configurations across servers, networks and storage environments. This would be exciting for enterprises and could prove hugely influential in EMC's maturity as a security player, in addition to their ability to provide more robust solutions geared towards governance and risk management. Jon Oltsik of Network World wrote a wonderful blog post on this topic, stating the following as EMC's choice and reasoning in acquiring Archer Technologies:
- An enterprise GRC architecture: RSA will integrate Archer and enVision into a multi-tiered architecture. The bottom tier will be log management (i.e. data collection, processing, and storage). The middle tier will be data services (i.e. middleware-like functionality including data translation, transaction services, etc.). The upper tier will be dedicated to data analysis. This analysis is dedicated to security and compliance today but it could be used for network operations, capacity planning, and business queries in the future.
- Strategic services: With Archer in tow, RSA becomes one of few vendors who can help companies align security and compliance with business processes. Yes, this will drive product sales but it will also help EMC create valuable strategic services and capture lots more services revenue.
- A bridge to IT Service Management: Aside from security and compliance, EMC is also pushing hard into ITSM with its Ionix product line. EMC will integrate Archer and RSA together linking log management with the CMDB as well as change, patch, and configuration management. In this way, Ionix can help enterprises automate compliance and security management response.
I do not believe this will be an easy task for EMC / RSA to accomplish. They are facing some incredible technical integration challenges between their platforms with this acquisition and their intended integration strategy, and will no doubt struggle to define and articulate a realistic product road map that represents their vision and capabilities to current and prospective customers and clients alike.