Practically Secure:
Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.
Tuesday 22 May 2012
Don't forget the "A"
Integrity is also easy to understand, and I've blogged before that this was the focus of IT Security efforts when I began my career in the 80s. "C" was hardly talked about, the internet was just an academic plaything back then so we didn't have any public attack surface, thus the only threats were within. The only attack my early employers could envisage was an unauthorised data edit, or perhaps an accidental modification or deletion. Thus we had lots of "I" control.
What of Availability? The "A" of the triad is often the poor relation, many have trouble considering it part of Security in the first place. Surely Availability is part of Service Management, of Disaster Recovery or Business Continuity? Well, yes, but all of those disciplines tend to kick in *after* the service goes down, the first line of defence has to be Security. If you can't apply that change with your day job account, you can't apply those untested code changes and break the system. But perhaps more obviously there is one threat, an attack methodology whose focus is just that single quality. Hitting "A" is the sole objective of the Denial of Service (DoS) attack.
DoS attacks (they are all DoS's but only DDoS's if large numbers of network nodes participate) have exploded in recent years, perhaps due to the perfect storm of ubiquitous internet access, easy availability of simple toolkits with which to launch attacks and political unrest and social disaffection thanks to the global recession. While we security professionals need to do all we can to defend against loss of "A", this article by Dr. Anton Chuvakin points out, among other things, that of the three qualities, Availability is probably the easiest breach to cost, since downtime of your core service usually has a simple economic metric!
But the point of this article is to draw attention to another point Dr Chuvakin makes, almost buried in that blog post, which is this. If Security includes Availability, and Availability is key: why not host your services in a large, redundant, elastic, multi-homed server farm for maximum protection?
Cloud, anyone?
Thursday 3 May 2012
Compliance isn't everything.
What Good is PCI-DSS? from Infosec Island.
More evidence that Compliance should never be equated with Security. There are three issues to my mind:
1. "Point in time" compliance, that is that you're Compliant at the date of the Assessment, but once the auditors have gone, if you don't have Continous Controls, you can drift from that position quite rapidly.
2. Quality of Assessment, i.e. a bad QSA or a good one with bad advice can assess positively in error. And the organisation has no interest in a negative result so will do all they can to gain a pass. The result is false positives.
3. The Human Factor. As the linked piece says.. "No matter how much technology you throw at security, people will always be the weakest link. The PCI-DSS standard (and many others) doesn't do a very good job of evaluating how well we train our people to recognize social engineering and spear phishing."
As I've said before, compliance is not security, but if you do security right, you'll achieve compliance. Get your horse in front of your cart. And manage that Human Factor.
Wednesday 2 May 2012
Life in the old AV yet.
Infosec Island: Why We Still Need Firewalls and AV
Just because they're not covering much of the attack space any more, doesn't mean they're not doing a job. Just because your car is now kept in the garage doesn't mean you forget to lock it. Why traditional commoditised controls are still useful, from Infosec Island.
Thursday 15 March 2012
BYOD - not if, but when.
According to IBM, "Forbidding these devices from the enterprise might seem like a great option, but it's rarely effective. No matter how stringent the rules, some employees will fail to comply and put the organization at risk."
But the most telling rebuke for the CIOs that still think they are doing their business a favour by resisting own devices in the workplace is this survey from Decisive Analytics which says "Almost half of the [440] IT executives questioned in this study said BYOD gave their firm a competitive advantage, while almost 70 percent of CEOs were sure of the competitive advantage." Part of this competitive advantage comes from not paying for the devices, for staff training in the corporate apps, and from IT support savings; But more importantly some is down to the capabilities of the devices themselves, and the productivity that comes from letting the user select the device and apps that they like best. If someone can knock up a slideshow using Keynote on an iPad during a 1 hour train journey, why force them to spend 2 days wrestling with Powerpoint on their work laptop?
But if you're still wedded to the idea that a managed corporate desktop is more secure than a solution that involves your salesforce using their own iPads and Netbooks, think again. Polymorphic malware is making traditional anti-virus and anti-spyware controls inneffectual and the software to defend against it is becoming bloated and slowing down old PCs. There's nothing worse than security software that visibly slows the workstation. Except for security software that visibly slows the workstation and doesn't catch the malware anyway.
A new approach to IT architecture involving cloud-delivered services accessed via approved apps on the users own devices can deliver cost savings and increased security. But more importantly, the business wants it. So we'd better stop holding on to 90s thinking and figure out how to deliver it securely.