Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Tuesday, 23 March 2010

Low-hanging fruit, outrunning lions and other clichés

It's a fallacy common outside the Infosec world (and to an extent within too, regrettably) that we need to totally lock down our systems and make them impenetrable. Hence the endless debates about optimum password length and strength, key length, multiple-factor authentication - often conducted online between two or more antagonists who swear they are "right", that there is a correct answer. Like we could, say, set all passwords to 14 characters including two each of upper, lower, numeric and national, at all times, cos that's optimal. Like when processing money over £100 we demand a one-time password from a token and two memorable dates. Job done, let's hit the pub.

But it's not like that. Authentication strength comes at a price, and that price is usability. If your online bank requires three pieces of personal info, a token and an out-of-band communication (e-mail, phone call) just to pay your overdue library fine, then your customers will go elsewhere. However, if you don't insist on all of these things when they wire £10k to a relative in Africa, then they will rightly be suspicious that you are not protecting their money.

In truth, to stay competitive we have to walk a very narrow line between usability and security. Cybercriminals are mostly lazy individuals who go after "low hanging fruit". Make yourself harder to defraud than your immediate competitors and you will avoid a lot of trouble.

It's like an old joke: a safari jeep breaks down in the Serengeti, just a long lens away from a pride of hungry lions. The tour guide takes off his boots and starts putting on Nike running shoes. "You'll never outrun a lion in those" remarks a tourist. "No need," says the guide, "as long as I outrun you."
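The proportionate approach argued for above, as an added illustration that is not from the original post: a step-up policy that only demands extra factors as the risk signals of a payment grow. The thresholds, factor names and risk signals (value, new payee, cross-border) are assumptions for illustration, not any bank's actual rules.

```python
# Added example, not the post's own code. A tiered step-up authentication
# policy: routine low-value payments get session login only; each risk
# signal adds a factor so friction is proportionate rather than maximal.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Transfer:
    amount_gbp: float
    new_payee: bool       # first payment to this beneficiary (assumed signal)
    international: bool   # payment leaves the home banking system (assumed)


def required_factors(tx: Transfer) -> list[str]:
    """Return the authentication factors to demand for this transfer."""
    factors = ["password"]            # the already-authenticated session
    if tx.amount_gbp > 100:           # assumed threshold from the post's example
        factors.append("otp_token")   # one-time password from a hardware token
    if tx.new_payee:
        factors.append("memorable_date")
    if tx.international or tx.amount_gbp >= 10_000:
        factors.append("out_of_band_confirmation")  # e.g. a phone call
    return factors


def step_up_needed(tx: Transfer, already_presented: set[str]) -> list[str]:
    """Factors still outstanding for this transfer in the current session."""
    return [f for f in required_factors(tx) if f not in already_presented]


if __name__ == "__main__":
    fine = Transfer(12.50, new_payee=False, international=False)   # library fine
    wire = Transfer(10_000, new_payee=True, international=True)    # £10k abroad
    print("library fine ->", required_factors(fine))
    print("£10k wire    ->", required_factors(wire))
    print("still needed ->", step_up_needed(wire, {"password", "otp_token"}))
```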

Thursday, 18 March 2010

System z "never been hacked"?

"I’m not personally aware of any instance where a mainframe has been hacked. However, I think the scarcity of such incidents is due more to a lack of technical expertise by would-be perpetrators than to the sound implementation of controls. [...] It used to be that only those relatively few users with TSO or ROSCOE could manipulate system files and execute routines that could harm the system, but with the introduction of OpenEdition MVS (now z/OS UNIX) and common TCP/IP-based network applications, many organizations, some unknowingly, have opened their systems to a much broader user base, including clients and business partners. This increased connectivity is unfortunately coupled with a lack of upkeep on RACF controls. Newer z/OS capabilities either aren’t being protected or fall under the scope of older, less stringent control settings. "
So said noted System z security expert Bob Hansel to Stan H. King in the January edition of z/Journal - The Resource for Users of IBM Mainframe Systems.

What about your system? RACF is impenetrable, isn't it? Well, the article begins with the comforting revelation that in a trawl through news archives and trade journals: "When it came to unauthorized mainframe access by outside hackers, there wasn’t a single published report among nearly 850 full-text documents published over the last decade". Nice. But are we relying on security through obscurity? Has System z "never been hacked" because of its relative reticence on the global stage, its shy, retiring nature well behind the corporate firewall and the comparatively closed shop of MVS/RACF experts looking after it worldwide? As that changes, and z owners exploit Unix System Services and Linux for z, will we find we're behind the curve, that the script kiddies catch up with us and - worst case - they know more about security on the New Mainframe than we do?

Tuesday, 16 March 2010

Human Factors again...

"Hands up all those who have actually received proper Outlook training and/or email etiquette or management training? People still don’t know how to set up sharing of permissions in the folder listing rather than handing over access to their whole Inbox" says Andrea Simmons on the BCS Security Blog in response to the Human Factors in Information Security (HFIS) conference held in February. So true. I know I keep bleating on about it but while you're busy installing two-factor authentication in your payments application your staff are losing, sharing and deleting information through basic lack of awareness and skills, and failures of responsibility and accountability.

While you're patching IE and blocking Facebook, staff are e-mailing each other huge files of customer data because you have not:
a) told them it's wrong
b) enabled effective collaboration through legitimate tools
c) prevented the sharing of data through illegitimate channels.

Educate (the right and wrong ways), enable (the right way), eliminate (the wrong way). Too many security managers do the last point without the first two, which is why they find it so hard.

Monday, 15 March 2010

Anti-Virus and why it's dying...

This worrying report from suggests that AV vendors are missing the point and patching specific exploits, not vulnerabilities. Further proof, if any were needed, that defence against cyber attack needs a holistic approach blending everything from policy and people management, through perimeter defences, down to intrusion detection, malware detection, patching, good application software controls, removable media controls and incident response. We have to get in a room and plan the whole thing. AV is not dead, but it is no longer the big gun of our defences that it once was. Quoting Schneier: "antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective". But it's clear that holistic security, as discussed back in 2008 by IBM, is an approach whose time has definitely come.

Get IE8 Now!

If (like me) you just can't live without Internet Explorer - and in my case I've got an excuse, as I have a sideline in websites for friends and organisations, so I need to prove they work on the world's most popular browser - there's never been a better time to upgrade to IE8.
Protecting against the Internet Explorer zero-day vulnerability | Graham Cluley's blog. There are workarounds for IE6 and 7 users, but I don't see why anyone should delay getting IE8. I appreciate there are corporate managed desktops out there and rolling out non-disruptive upgrades to these is tricky, but guys, you've now had 12 months, get it delivered.

Thursday, 11 March 2010

Smarter Tivoli - Managing Compliance on Z

"System z is now a hugely resilient, massively scalable and highly secure server architecture. Native security controls are very strong and resistant to attack, but notoriously difficult both to administer and with which to demonstrate compliance with regulations....."
Read the rest here: Smarter Tivoli - Managing Compliance on Z at, free registration required.