<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-12840558</id><updated>2011-07-07T16:54:37.081-07:00</updated><category term='provisioning'/><category term='future'/><category term='catalyst09'/><category term='log standards'/><category term='de-perimeterization'/><category term='identity management'/><category term='authentication'/><category term='cloud security'/><category term='endpoint security'/><category term='network security'/><category term='virtualization security'/><category term='scifi'/><category term='log'/><category term='event standards'/><category term='inventions'/><category term='consumerization'/><category term='24'/><title type='text'>Security Architect</title><subtitle type='html'>Dan Blum's "Security Architect" blog is dedicated to addressing identity management and general security issues as well as other matters that interest me. 
The goal is to address these issues from both the enterprise perspective, and the individual or social perspective.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://security-architect.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>57</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-12840558.post-7616115580604674112</id><published>2010-07-23T04:51:00.000-07:00</published><updated>2010-07-23T04:54:09.662-07:00</updated><title type='text'>"Security Architect" posting moved</title><content type='html'>Dear Readers,&lt;br /&gt;&lt;br /&gt;With Gartner acquiring Burton Group, I've had to move the blog posts.&lt;br /&gt;&lt;br /&gt;They are now at the &lt;a href="http://blogs.gartner.com/dan-blum"&gt;Gartner Blog Network&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Best regards,&lt;br /&gt;Dan&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-7616115580604674112?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7616115580604674112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7616115580604674112'/><link rel='alternate' 
type='text/html' href='http://security-architect.blogspot.com/2010/07/security-architect-posting-moved.html' title='&quot;Security Architect&quot; posting moved'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-4597959876355264087</id><published>2009-11-15T17:23:00.000-08:00</published><updated>2010-11-16T13:10:13.831-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>The Tangled Mess (Part 2)</title><content type='html'>&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;Is cloud computing the answer to the &lt;a href="http://security-architect.blogspot.com/2009/09/tangled-mess-part-1.html"&gt;tangled mess of IT &lt;/a&gt;that I wrote about in September?&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;Certainly the current enthusiasm for cloud comes in part from business units on the rebound from IT departments with tangled messes, unreasonable costs, and lengthy delays. Cloud, they hope, will cut their IT costs while making them ever so more agile.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;And so it might, for green field applications. Cloud computing – as delivered through innovations such as virtualization – can work wonders. But it can’t take a tangled mess of existing legacy systems and bad designs, move them to a cloud computing service, and expect them to get better. 
A straight migration is not always the answer.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;Suppose business units just moved green field applications to the cloud that have no dependencies on legacy IT? While green field applications exist, the business IT landscape is not green, but brown. Applications must integrate with other applications, share data, meet compliance mandates.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;Benjamin Franklin once said that the definition of insanity is doing the same thing over and over again but expecting to get different results. So it is with expecting cloud computing to accomplish miracles; IT is littered with the corpses of “next big things” that failed to do that.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="MARGIN: 0in 0in 10pt" class="MsoNormal"&gt;&lt;span style="font-family:Calibri;"&gt;Instead of naively or insanely hoping that cloud computing is the quick fix for the tangled mess, we need to think of IT strategically. 
In an upcoming post, we’ll see whether the use of service-oriented principles in building cloud &lt;i&gt;and&lt;/i&gt; “terrestrial IT” applications may offer a path forward.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-4597959876355264087?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4597959876355264087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4597959876355264087'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/11/tangled-mes-part-2.html' title='The Tangled Mess (Part 2)'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-8966366752741829405</id><published>2009-10-21T14:57:00.000-07:00</published><updated>2009-10-21T15:11:19.241-07:00</updated><title type='text'>More cloud mischief as Amazon users get dinged for spam</title><content type='html'>So many things about this &lt;a href="http://go.techtarget.com/r/9624841/6146120"&gt;news that Spamhaus has blacklisted or policy-blocked the entire Amazon Elastic Computing (EC2) service&lt;/a&gt; are worrisome:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Attackers are wreaking havoc in at least two IaaS environments (yes, Rackspace too)&lt;/li&gt;&lt;li&gt;Amazon and the users with their virtual machines seem unable to stop the malware from spreading within the multi-tenant environment&lt;/li&gt;&lt;li&gt;Legitimate users whose VMs are not compromised in effect suffer a denial of service, getting blacklisted or graylisted along with the real spammers&lt;/li&gt;&lt;li&gt;Once Amazon smooths all this over, in its typical “security by obscurity” fashion the company is unlikely to come clean with customers about the full scope of the vulnerability&lt;/li&gt;&lt;/ul&gt;While waiting for a fix, users can bounce mail through an authenticated SMTP relay such as the enterprise mail server. Not an ideal situation, but at least a workaround.&lt;br /&gt;&lt;br /&gt;Cloud vendors of Amazon’s ilk need to provide filtering services that AMI users can opt into. Receiving an alert that some of your email is being blocked as spam might be occasionally inconvenient if it was a false positive, but should at least as often function as a species of intrusion detection. More than likely Amazon could even charge for it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-8966366752741829405?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8966366752741829405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8966366752741829405'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/10/more-cloud-mischief-as-amazon-users-get.html' title='More cloud mischief as Amazon users get dinged for spam'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2413704890493421417</id><published>2009-09-07T19:07:00.000-07:00</published><updated>2009-09-08T12:08:35.369-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title 
type='text'>The Tangled Mess (Part 1)</title><content type='html'>I’ve just recently returned from delivering a cloud computing seminar as part of a road trip visiting Burton Group customers with my colleague Anne Thomas Manes.&lt;br /&gt;&lt;br /&gt;My job was to deliver the security content and field the security questions. But in a way, the subject matter Anne dealt with was harder. She addressed some difficult fundamental questions that customers have. To paraphrase: “How can we manage all the applications in our complex IT environment and do a better job of developing applications in the future?” Given the obvious relationship between manageability and security, I paid close attention.&lt;br /&gt;&lt;br /&gt;Repeatedly Anne said: “Our IT systems are a tangled mess.” In the seminar, she used the figure below to amplify this point. In some meetings she used the term “tangled mess” as shorthand for larger discussions.&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_u6yzSyzBnPQ/SqaeG45geEI/AAAAAAAAAG8/s79VYsDwyQY/s1600-h/tangled+mess.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 266px;" src="http://4.bp.blogspot.com/_u6yzSyzBnPQ/SqaeG45geEI/AAAAAAAAAG8/s79VYsDwyQY/s400/tangled+mess.JPG" alt="" id="BLOGGER_PHOTO_ID_5379160646130628674" border="0" /&gt;&lt;/a&gt;&lt;p style="text-align: center;"&gt;Source: IBM&lt;/p&gt;That IT is a mess probably isn’t news to you. Personally, I saw my first mess picture in 1993. The fact of the matter is that IT environments comprise multiple generations of technology, one overlaid over the other, customized into strange designs by the unique requirements of organizations, the deployment styles of individuals, and the crazy pressures of costs and deadlines. It is the technology equivalent of the Grand Canyon’s layered and eroded geology.&lt;br /&gt;&lt;br /&gt;We are all curators of an IT museum. Many organizations spend almost all of their budget just maintaining the museum.&lt;br /&gt;&lt;br /&gt;Organizations are trying to understand and improve the tangled mess of their IT environments by following various processes and maintaining catalogs or repositories, such as:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Asset management systems support license management, contract, and inventory functions for hardware and software. In security, we often use these systems to inform vulnerability and risk management.&lt;/li&gt;&lt;li&gt;Configuration management databases (CMDBs), which derive from the ITIL framework, keep track of the configuration of production systems in deployment, and the relationships between those systems.&lt;/li&gt;&lt;li&gt;Software service registries provide a central point of reference and integration among all managed web services (or similar) application and infrastructure components. A service registry also provides a standard mechanism for advertising and discovering services, service metadata, and service policies.&lt;/li&gt;&lt;li&gt;Software asset repositories maintain numerous software artifacts and their relationships and dependencies, including code, components, metadata, configuration files, and documentation. These repositories support software development activities as opposed to runtime operations. They are much more common than software service registries.&lt;/li&gt;&lt;li&gt;Data management systems seek to model, classify, catalog, or actively cleanse, mine, or warehouse data.&lt;/li&gt;&lt;/ul&gt;Unfortunately, each of these management disciplines is shooting at a moving IT environment target and is itself a moving target. For example, server virtualization (and live migration of virtual machines) has thrown a monkey wrench into existing hardware asset management and CMDB systems as well as complicating data path visualization. Management systems may be provided by multiple vendors and are generally maintained by multiple support groups. Coordination or synchronization amongst repositories is imperfect at best.&lt;br /&gt;&lt;br /&gt;What will happen when we try to move IT functions to the cloud? 
To be continued…&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2413704890493421417?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2413704890493421417'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2413704890493421417'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/09/tangled-mess-part-1.html' title='The Tangled Mess (Part 1)'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_u6yzSyzBnPQ/SqaeG45geEI/AAAAAAAAAG8/s79VYsDwyQY/s72-c/tangled+mess.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-6583948720759741923</id><published>2009-08-17T04:24:00.000-07:00</published><updated>2009-08-17T04:26:08.956-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='catalyst09'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>Not one cloud fits all</title><content type='html'>During the Catalyst conference, some of us Burton Group analysts covering cloud computing risks got the pushback that our positions are overly cautious. One has to be careful these days not to get caught up in the hype, or the fear. Because “cloud computing” is such a general term, any statement or position one takes gets applied to every type of service and vendor. 
Yet while many vendors and customers use or provide cloud computing, not all of them agree on what it means.&lt;br /&gt;&lt;br /&gt;Burton Group categorizes clouds as internal, private (community), or public. When it comes to internal cloud, the organization runs its own virtualized and/or web-facing IT environment. The primary difference between internal cloud and dedicated IT facilities is architectural. Information protection can be accomplished through familiar internal processes, though details of the technologies change.&lt;br /&gt;&lt;br /&gt;The strongest security concerns arise with public, multi-tenant cloud service providers that might process and store the organization’s sensitive data. We’ve expressed concerns about public cloud service providers in the posts Cloud Computing: Who is in Control? and To cloud computing vendors: Stop practicing security by obscurity!&lt;br /&gt;&lt;br /&gt;Private (community) clouds fall in between internal cloud services and public cloud services. Some actually deliver software, hardware infrastructure, or both as a service but design and operate the service for customers in a particular vertical industry, such as aerospace, automotive, financial, or health. Some have been around for years and only recently jumped on the cloud computing bandwagon; others are still wondering whether to associate themselves with it. Covisint, Exostar, IntraLinks, SecuritiesHub, and Sentillion are just a few examples of service providers that seem to fit the private (community) mold.&lt;br /&gt;&lt;br /&gt;The real question is not whether these and other service providers call themselves cloud, but what value do they deliver and how well do they protect customer interests? Some of them tailor their security measures, audit reports, and contracts to the needs of their vertical industry. 
A customer in their target industry may be better off with them than with public cloud vendors from a security perspective.&lt;br /&gt;&lt;br /&gt;You must also attune your security and compliance expectations for a service provider to what you’re relying on it for. You have to get past the description of a service and analyze it based on the technical capabilities it’s actually providing. For example, multiple providers may claim to offer “secure collaboration,” but one may be an identity broker that sidesteps liability by not storing any customer data, while another actually provides secure document storage. The technical security requirements for these two providers should be different.&lt;br /&gt;&lt;br /&gt;The industry is clearly evolving toward a hybrid cloud environment where many different types of cloud offerings (both internal and external) will interact to provide different layers of service. As a customer, you can choose to keep some data and some layers of service under the wing of internal IT facilities; move commodity functions into low-cost public cloud services; or subscribe to vertical-industry-oriented community services. How you mix and match services, and what you rely on them for in the hybrid cloud environment, determines your risk and requirements. It’s not one cloud fits all.&lt;br /&gt;&lt;br /&gt;And in that light, our guidance to “Be very cautious about putting sensitive data into the cloud” is still good. 
One needs to be very careful with sensitive data - wherever one puts it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-6583948720759741923?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6583948720759741923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6583948720759741923'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/08/not-one-cloud-fits-all.html' title='Not one cloud fits all'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2018075608616040054</id><published>2009-08-05T08:31:00.000-07:00</published><updated>2009-08-05T08:54:28.863-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtualization security'/><category scheme='http://www.blogger.com/atom/ns#' term='catalyst09'/><category scheme='http://www.blogger.com/atom/ns#' term='endpoint security'/><title type='text'>BYOC and desktop virtualization security</title><content type='html'>&lt;a href="http://srmsblog.burtongroup.com/2009/08/byoc.html"&gt;Eric Maiwald recently blogged about BYOC&lt;/a&gt; on our Burton Group blog. In the post, he mentioned that I've been working on endpoint virtualization technologies:&lt;br /&gt;&lt;br /&gt;- Presentation virtualization&lt;br /&gt;- Application virtualization and streaming&lt;br /&gt;- Full client-hosted or server-hosted desktop virtualization&lt;br /&gt;&lt;br /&gt;These technologies all have their cost, functionality, and security tradeoffs which are described in my just-finished Burton Group reports. 
I'll try and blog more about it later (or let me know in the comments if I should do that sooner :-)&lt;br /&gt;&lt;br /&gt;Vendors such as Citrix, Microsoft, and VMware are starting to hybridize endpoint virtualization so that their products can move workloads offline or online, migrate data, and loosen or tighten security depending on policies that should vary based on whether the data is sensitive or not, and whether the user is &lt;br /&gt;&lt;br /&gt;- an employee, contractor, or in some other relationship to the organization&lt;br /&gt;- stationary in a dedicated facility or a mobile road warrior&lt;br /&gt;- a knowledge worker, task worker, or somewhere in between&lt;br /&gt;&lt;br /&gt;What I said in my presentations at Burton Group Catalyst last week was that virtualization can help slay the four horsemen of the traditional thick client (unmanageability, high support costs, public malware epidemic, and information sprawl/exposure) by decoupling data from applications, applications from OS, or OS from device. &lt;br /&gt;&lt;br /&gt;We have a brave new world of endpoint and information management ahead of us thanks to virtualization. Not only are the hybrid products from the major vendors emerging, but there are a number of very interesting startup companies, including Leostream, Neocleus, Ringcube, and Virtual Computer, that I've spoken with, all of whom are creative in adding value to their niches. &lt;br /&gt;&lt;br /&gt;Notwithstanding such progress, we're not yet quite ready for wholesale desktop replacement. Even by mid-2010, when many of the security and management enhancements from the major vendors come to fruition, there will still be tough licensing, hypervisor commoditization, remote attestation of endpoint health, and other questions to resolve. 
When BYOC means that any user can bring any computer to work (with no centralized configuration management of the OS), it is actually one of the toughest use cases.&lt;br /&gt;&lt;br /&gt;However, organizations can get some solid business benefits from various endpoint virtualization use cases immediately, and I think we'll see a lot more of it down the road.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2018075608616040054?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2018075608616040054'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2018075608616040054'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/08/byoc.html' title='BYOC and desktop virtualization security'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-6826016835113317370</id><published>2009-07-29T09:28:00.000-07:00</published><updated>2009-07-29T09:50:09.343-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='catalyst09'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Identity 2009: A Market in Upheaval</title><content type='html'>Bob Blakley kicked the Catalyst 2009 identity discussion off by asking the audience not to mourn the coming death of the meta-directory and enterprise identity management (IdM), but to celebrate the birth of a new market premised around the holistic, virtual “person” identity. The millennial generation, as well as 
externalization, are driving this trend. Many young millennials have had computers all their lives, and they are ready and waiting for personal identity solutions. &lt;br /&gt;&lt;br /&gt;The market is still doing well – 6 of 7 vendors have raised revenue even during the bad economy. The ones that did well offered quick time-to-value compliance fixes (such as Active Directory bridge products).&lt;br /&gt;&lt;br /&gt;Mid-tier vendors have done well because their products are well integrated and developed organically. Large suites are struggling, however, as customer budgets are tight. Notwithstanding tight budgets, IdM programs are not getting cancelled, due to their criticality for security and (in many cases) their potential to bring cost reduction.&lt;br /&gt;&lt;br /&gt;The Oracle acquisition of Sun has redefined how we think about vendor viability. The acquisition is not necessarily a bad thing for customers; we don’t think Sun customers will be “cut off” or anything like that, but it creates uncertainty. It has also made us dream again about data portability and product interchangeability.&lt;br /&gt;&lt;br /&gt;Interest is growing in SaaS providers due to a focus on 3-6 month ROI; a lot of vendors are coming into this market. We’re hearing about a “new vendor every day, sometimes more.” And there may be some that we haven’t heard about. The rise of SaaS is also driving a resurgence of interest in federated provisioning and in the Service Provisioning Markup Language (SPML). SPML has lain fallow and still lacks a schema, and this could be an area needing enhancement in the future.&lt;br /&gt;&lt;br /&gt;Lori Rowland suggests that provisioning has also been a “beasty” product niche, often too complex and overloaded with unnecessary features. The products are still struggling with role management, compliance, and user experience issues. They have multiple audiences – administrators, business users, and auditors or regulators – and not all features are well suited to each audience. 
&lt;br /&gt;&lt;br /&gt;Lori suggests that provisioning needs to be like an “orchestra” - more nimble and flexible. It needs to bring different capabilities to different combinations of issues that customers have. Part of the problem has been terminology: terms like "provisioning" and "entitlements management" are overloaded.&lt;br /&gt;&lt;br /&gt;What's hot? Mark Diodati discussed privileged user management, a critical issue that shouldn't be obscured in a cloud of terminology. The accounts used by super-users shouldn't be shared, or used casually. There must be sufficient accountability, audit, and assurance around the use of these accounts. Vendors such as Cyber-Ark create special repositories to check in / check out privileged accounts.&lt;br /&gt;&lt;br /&gt;Kevin Kampman and the rest of the team tell us that role management is still hot too. Organizations aren't saying "when," they're saying "how." Or, as Bob cynically puts it, "When again?" My own (Dan Blum's) opinion of RBAC is that it is one of the enterprise identity management perennials; though it won't scale to multi-domain environments, it is important for domain compliance. But companies are outrunning their tools. &lt;br /&gt;&lt;br /&gt;Federated identity, on the other hand, is coming into its own with cloud computing. If a technology only becomes successful when it is invisibly integrated into other technologies, then federated identity is on its way. Most SaaS products support some federation protocol, but they're not marketed as "federation" products. At the same time, true federation products are flourishing, as are open source tools such as OpenSAML.&lt;br /&gt;&lt;br /&gt;Burton Group is hosting a federation interop event tonight, including demos with cloud computing services. 
Bob noted that Burton Group also has production federation available with at least one customer today.&lt;br /&gt;&lt;br /&gt;Identity management is also converging with other security market niches, such as data leakage prevention (DLP) and security information and event management (SIEM). Identity needs to infuse other security policy enforcement, or detection controls. Lori also identified IdM affinities with ITIL and business process management. I've always felt that role management and BPM were long lost cousins.&lt;br /&gt;&lt;br /&gt;What's not hot: the market category governance, risk, and compliance (GRC) seems to be getting consigned to the dustbin of bad terminology.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-6826016835113317370?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6826016835113317370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6826016835113317370'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/07/identity-2009-market-in-upheaval.html' title='Identity 2009: A Market in Upheaval'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-9162064417717018426</id><published>2009-07-25T05:17:00.000-07:00</published><updated>2009-07-25T05:35:49.422-07:00</updated><title type='text'>iPhone debased</title><content type='html'>Wired just came out with a &lt;a href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption/"&gt;good article&lt;/a&gt; on how mass commercialization and convenience is debasing the iPhone. 
&lt;br /&gt;&lt;br /&gt;The original iPhone didn’t store (much?) data locally but this has changed. I’ve just confirmed it for myself – even in airplane mode I can access stored Microsoft Exchange email. And of course anything from the App Store will do whatever it does.&lt;br /&gt;&lt;br /&gt;Moreover, banks and other ecommerce sites are enabling riskier mobile functionality. You’ve probably seen TV shows where international criminals and arms dealers wire money from their cell phones. Now if you’re mugged the thugs don’t even have to drag you up to your ATM at gunpoint anymore. I haven’t tested THAT out yet, nor do I intend to!&lt;br /&gt;&lt;br /&gt;Skilled hackers are developing exploits and providing them as free, convenient tools for common thieves.  &lt;br /&gt;&lt;br /&gt;If you compare the data in the National Vulnerability Database for BlackBerry with the data for iPhone the contrast is pretty stark. Is this contrast due to BlackBerry's more closed architecture, or is it that RIM does a better job than Apple, or both? My theory is both. 
Apple could do a lot to improve, but at the end of the day, the convenience and openness of a general purpose OS inevitably debases security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-9162064417717018426?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/9162064417717018426'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/9162064417717018426'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/07/iphone-debased.html' title='iPhone debased'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-877704217482776539</id><published>2009-07-16T05:53:00.000-07:00</published><updated>2009-07-16T06:14:55.266-07:00</updated><title type='text'>Was I eerily prescient last week?</title><content type='html'>"Eerily prescient." Gotta love that phrase. It's what all of us security analysts aspire to, every now and then: to predict something.&lt;br /&gt;&lt;br /&gt;In a way I did with the blog post &lt;a href="http://security-architect.blogspot.com/2009/07/do-you-know-my-pets-name-yet.html"&gt;Do you know my pet's name yet&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Because what I see today is &lt;a href="http://www.ft.com/cms/s/0/21d018e6-7190-11de-a821-00144feabdc0.html?nclick_check=1"&gt;Twitter files leaked in ‘cloud’ lapse&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To sum it up briefly, Twitter employees (like so many of us) are dummies when it comes to security. 
The founder of Twitter was caught with his virtual pants down, putting annual revenue forecasts and all sorts of sensitive company documents into the Google Apps cloud computing service. &lt;br /&gt;&lt;br /&gt;And he, or his wife, used his dog's name as the answer to a security question used by Google Apps to recover passwords.&lt;br /&gt;&lt;br /&gt;Now, bad passwords and password guessing attacks are hardly unique to the cloud. There are many systems within dedicated (non-cloud) IT services that have weak passwords and flawed password recovery processes. But hopefully those systems, even though they are non-compliant with the organization's security policies about strong passwords, are at least behind firewalls and web access management systems that enforce stronger remote access protection. &lt;br /&gt;&lt;br /&gt;The point is that organizations should enforce their policies, and for Internet-exposed systems in the cloud, those policies should be similar to dedicated IT's remote access policies, which often require two-factor authentication. 
If an organization wouldn't expose sensitive data in dedicated facilities to simple password attacks, why should it expose such data in the cloud?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-877704217482776539?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/877704217482776539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/877704217482776539'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/07/was-i-eerily-prescient-last-week.html' title='Was I eerily prescient last week?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3228412040743900710</id><published>2009-07-08T12:57:00.000-07:00</published><updated>2009-07-08T13:01:14.390-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>To cloud computing vendors: Stop practicing security by obscurity!</title><content type='html'>You gotta check this out! After the frustration of having Salesforce refuse to give security briefings and both Amazon and Google ignore briefing requests so that I had to get information through reliable hearsay, I've been itching to pound the cloud computing vendors with a powerful post on transparency. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://srmsblog.burtongroup.com/2009/07/to-cloud-computing-vendors-stop-practicing-security-by-obscurity.html"&gt;Here it is on our Burton Group blog!&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3228412040743900710?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3228412040743900710'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3228412040743900710'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/07/to-cloud-computing-vendors-stop.html' title='To cloud computing vendors: Stop practicing security by obscurity!'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2947893330869493319</id><published>2009-07-06T07:41:00.000-07:00</published><updated>2009-07-08T12:57:46.223-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><title type='text'>Do you know my pet's name yet?</title><content type='html'>I just logged onto a site and saw they have a plan to "enhance security." I clicked on the link and saw that this would involve "secret" questions and answers. Without seeing the user interface yet, I'm not absolutely certain, but it seems the questions must be selected from a pull-down menu. The one example they gave was "your first pet's name."&lt;br /&gt;&lt;br /&gt;HELLO, but I fear it is not quite a ridiculous exaggeration to say that everyone on the Internet must know my first pet's name! 
Not that I put it in Facebook like some people, but certainly I remember giving it out to other sites as a "secret." Funny thing about "secrets": once two or more people know them, they are unlikely to remain so.&lt;br /&gt;&lt;br /&gt;In fear of KBA in the past I have tried to be creative, making up different answers for different sites. But then I have to recall what I said to whom. Certainly not the kind of thing you want to have to remember after having been robbed and hit on the head or something. More often than not, the user forgets.&lt;br /&gt;&lt;br /&gt;Unfortunately, there are no perfect alternatives. Sites can get better secrecy by letting the user make up his own questions, but recall (of exactly what you typed) is only slightly better for this alternative. Sites can use administratively known information, such as "tell me about three transactions you made in the last quarter." Even this can be problematic.&lt;br /&gt;&lt;br /&gt;Back to my dilemma - I'm now trying to think of how to "encrypt" my "secret" Q&amp;A site-specifically in a deterministic manner that no one but I could understand...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2947893330869493319?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2947893330869493319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2947893330869493319'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/07/do-you-know-my-pets-name-yet.html' title='Do you know my pet&apos;s name yet?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3651086694691671542</id><published>2009-06-30T02:55:00.000-07:00</published><updated>2009-06-30T03:19:29.875-07:00</updated><title type='text'>Cloud Security Updates</title><content type='html'>I recently put up a post called &lt;a href="http://srmsblog.burtongroup.com/2009/06/cloud-computing-who-is-in-control.html"&gt;Cloud Computing: Who is in Control?&lt;/a&gt; on Burton Group's security blog.  &lt;br /&gt;&lt;br /&gt;The centerpiece of that post is the diagram, which has attracted all sorts of interest. For example, Tim Mather and co-authors Subra Kumaraswamy and Shahed Latif will use it in their upcoming book &lt;a href="http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765/ref=sr_1_4?ie=UTF8&amp;s=books&amp;qid=1246356525&amp;sr=1-4"&gt;Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance&lt;/a&gt;. I finished reviewing a draft of this book over the weekend and it has great promise!&lt;br /&gt;&lt;br /&gt;Also, registration for my &lt;a href="http://security-architect.blogspot.com/2009/05/cloud-computing-security-and-identity.html"&gt;Cloud Computing Security and Identity Management SIG&lt;/a&gt; at Catalyst is up, they increased my room size, and there still are a few more spots. 
&lt;br /&gt;&lt;br /&gt;Check it out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3651086694691671542?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3651086694691671542'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3651086694691671542'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/06/cloud-security-updates.html' title='Cloud Security Updates'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-894333565436735534</id><published>2009-06-10T08:37:00.000-07:00</published><updated>2009-06-10T08:53:52.555-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='event standards'/><category scheme='http://www.blogger.com/atom/ns#' term='log standards'/><title type='text'>CEE showing signs of life</title><content type='html'>The important issue of common event and log standards, and the Mitre-coordinated Common Event Expression (CEE) (which I've written about before, most recently at http://security-architect.blogspot.com/2009/04/rsa-panel-covers-log-standards-least_27.html) need more mindshare.&lt;br /&gt;&lt;br /&gt;I was speaking at the (ISC)2 Secure Americas conference last week. Just before my session, there was an interesting panel with representatives from FBI, NSA, and DOJ. Among the memorable sound bites: "One of the few advantages we have [against criminals] is our information. We need to get more effective at sharing it." 
Common Vulnerabilities and Exposures (CVE) and the whole vulnerability reporting system, originally standardized by another Mitre-coordinated group and now strongly adopted by NIST, the U.S. government, and most vendors, was cited as a success story.&lt;br /&gt;&lt;br /&gt;I was itching to bring up CEE at this panel, since it ultimately aspires to take a position in the industry similar to CVE's. How much better things might be if organizations could not only share information about events, but also have the taxonomies and schemas to be able to understand their meaning in a more automated fashion!&lt;br /&gt;&lt;br /&gt;So it was great to see that William Heinbockel from CEE put out the second edition of CEE's newsletter. The copy is at http://cee.mitre.org/news&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-894333565436735534?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/894333565436735534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/894333565436735534'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/06/cee-showing-signs-of-life.html' title='CEE showing signs of life'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3430762122948801572</id><published>2009-05-28T07:02:00.000-07:00</published><updated>2009-05-28T07:03:29.318-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>Cloud Computing Security and Identity Management SIG coming soon</title><content type='html'>Good morning! 
I want to announce our plans for a super meeting, and hope that lots of you enterprise security architects and strategists will be able to attend.&lt;br /&gt;&lt;br /&gt;EVENT: Catalyst Cloud Computing Security and Identity Management SIG&lt;br /&gt;&lt;br /&gt;LOCATION: San Diego&lt;br /&gt;&lt;br /&gt;SPEAKERS: Dan Blum, Burton Group; Cloud Security Alliance (TBA)&lt;br /&gt;&lt;br /&gt;DATE: July 28, 2009 8:00 AM&lt;br /&gt;&lt;br /&gt;Cloud computing alters business risk and limits organizations’ ability to control, monitor, and audit access to their data. The cloud computing security SIG will bring together Burton Group analysts, Cloud Security Alliance (CSA) representatives, end user organizations, and leading-edge solution providers to discuss identity management and other issues in the rapidly emerging cloud computing security space. It will provide an opportunity for attendees to come up to speed on issues such as:&lt;br /&gt;&lt;br /&gt;- How is cloud computing transforming enterprise security programs and approaches?&lt;br /&gt;- How can identity and access management help to enable cloud adoption and enforce policies on usage and administration?&lt;br /&gt;- What architectures and tools work best to project identity to and from the cloud?&lt;br /&gt;- How should organizations integrate cloud and on-premise IdM and security systems and processes?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3430762122948801572?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3430762122948801572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3430762122948801572'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/05/cloud-computing-security-and-identity.html' title='Cloud Computing 
Security and Identity Management SIG coming soon'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-719224289848300667</id><published>2009-05-12T05:39:00.000-07:00</published><updated>2009-05-12T05:42:40.260-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='endpoint security'/><title type='text'>Locked down desktops</title><content type='html'>Had a customer inquiry on what my recommendation was for Windows administrative rights on desktops.&lt;br /&gt;&lt;br /&gt;My recommendation, and Microsoft’s recommendation is for enterprises to set up managed Windows workstations (i.e. organization-owned and controlled) in the “standard user” configuration.&lt;br /&gt;&lt;br /&gt;The pre-requisite for this policy is an IT support infrastructure capable of pushing software and/or configuration changes out to client workstations, either through a tool such as Symantec/Altiris or Microsoft System Management Center, or through remote installations by IT staff depending on the situation and the number of users requiring the changes. &lt;br /&gt;&lt;br /&gt;Standard user configuration may need to be tweaked for different types of users, for example, mobile users requiring wireless access or the ability to change time zones. 
Vista and Windows 7 offer more flexibility than XP; often with XP it has been necessary for administrators to unduly weaken the standard user configuration for “power users.”&lt;br /&gt;&lt;br /&gt;There are a few cases where exceptions generally must be made:&lt;br /&gt;&lt;br /&gt;1) Client-side application developers or testers that need to frequently adjust operating system settings, and install/reinstall software&lt;br /&gt;2) Knowledge workers or market researchers that can justify a legitimate business need to frequently install/reinstall software&lt;br /&gt;3) Users that do not have access to IT support infrastructure&lt;br /&gt;&lt;br /&gt;If the IT support infrastructure is lacking or the policy is not strongly enforced, categories (2) and (3) can grow fairly large.&lt;br /&gt;&lt;br /&gt;All that said, it may be that the locked-down desktop will fall into the minority of what enterprises have to deal with as trends such as telecommuting, partnering, outsourcing, crowdsourcing, and consumerization gather force. 
&lt;br /&gt;&lt;br /&gt;In the coming months, I'll be researching a topic along the lines of "Endpoint Virtualization to the Rescue: Protecting Against Unmanaged Desktops and Mitigating Information Sprawl."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-719224289848300667?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/719224289848300667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/719224289848300667'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/05/locked-down-desktops.html' title='Locked down desktops'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-6120362165791608949</id><published>2009-04-27T13:53:00.001-07:00</published><updated>2009-04-27T14:02:56.925-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='log'/><category scheme='http://www.blogger.com/atom/ns#' term='log standards'/><title type='text'>RSA Panel Covers Log Standards: The Least Sexy Part of Security</title><content type='html'>My RSA conference panel “Common Event and Log Standards: Leveling IT's Tower of Babel” drew a crowd that looked to be well over 100 people. 
Considering that it was one of 10 tracks, that is a great turnout for a topic that is important, but not exceptionally exciting.&lt;br /&gt;&lt;br /&gt;With me on the panel were&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Anton Chuvakin (from Qualys, formerly of LogLogic, and of CEE and CVE fame)&lt;/li&gt;&lt;li&gt;Mary Ann Davidson (CSO from Oracle)&lt;/li&gt;&lt;li&gt;David Corlette (XDAS editor from Novell)&lt;/li&gt;&lt;li&gt;Eric Fitzgerald (Microsoft’s log standard representative)&lt;/li&gt;&lt;/ul&gt;Because half the crowd raised their hands when asked if this was their first exposure to log standards, I went through some slideware describing the problem and a quick sketch of standards building blocks and ongoing activities. Much of this kind of background was covered in a previous blog entry: "&lt;a href="http://srmsblog.burtongroup.com/2008/02/prospects-brigh.html"&gt;Prospects Brightening for a Common Event Standard.&lt;/a&gt;" After the slides, each of the panelists introduced themselves in relation to log standards.&lt;br /&gt;&lt;br /&gt;During the panel (and some sidebar discussions with Anton) it came out that Anton, Dave, and Eric had met face to face for 4 hours earlier the same day with Raffael (“Rafi”) Marty to discuss their different views on event taxonomy. Anton said that they came to some common understandings. This is important because the CEE has been stuck in neutral for the last few months waiting for these key players to come to some consensus; if we accomplished nothing else, the panel at least brought the players together for a rare face-to-face meeting!&lt;br /&gt;&lt;br /&gt;I also heard that Mitre had appointed a co-chair for the Common Event Expression (CEE) group to provide much-needed coordination. With Defense department and NATO support, CEE is not exactly a “grass roots effort” as a question from the audience would have it. But the effort does need more top-down support and organization. 
XDAS, on the other hand, has made considerable progress and Dave Corlette recently put out new chapters of the specification for review.&lt;br /&gt;&lt;br /&gt;Concerning the “grass roots” versus “top down” question, Mary Ann Davidson ruefully admitted that she had been on Capitol Hill testifying for Congress and not thought of log standards when asked what the government could do to help the cause of cybersecurity. Next time, she says, she’ll bring event and log standards to the attention of the powers that be. While government mandates can be a mixed blessing, it’s worth pointing out that smartcard technology in the U.S. has gotten a tremendous boost from HSPD-12, which in 2005 directed NIST to come up with smartcard standards. Today, there are over 400 FIPS 201 approved smartcard-related products. Common vulnerability expression (CVE) on the other hand originated as a grass roots Mitre Corporation coordinated project and ultimately gained government endorsement and considerable adoption in the industry.&lt;br /&gt;&lt;br /&gt;Log standards are the least sexy part of security. And yet they could also greatly improve coordination of protection mechanisms, detection, investigations, e-discovery, compliance reporting, and reduce costs. The challenge is that many event sources have to implement the standards. 
The fact that the problem is hard just means the industry needs to start working harder on solving it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-6120362165791608949?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6120362165791608949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6120362165791608949'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/04/rsa-panel-covers-log-standards-least_27.html' title='RSA Panel Covers Log Standards: The Least Sexy Part of Security'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2504437067296310867</id><published>2009-04-15T04:06:00.000-07:00</published><updated>2009-04-15T04:53:12.343-07:00</updated><title type='text'>Thrown to the Wolves</title><content type='html'>John C. Bogle, the founder of the Vanguard Group, was quoted in a &lt;a href="http://www.nytimes.com/2009/04/12/business/12gret.html"&gt;New York Times interview&lt;/a&gt;: “We [mutual funds and money managers] own all this stock but we pretty much do nothing.”&lt;br /&gt;&lt;br /&gt;Per the article, institutional investors such as mutual funds, professional money management firms, and pension funds control 70 percent of the shares of large public companies today." Bogle "also identified one group that hasn’t been singled out for shame: the institutional money managers that allowed the nation’s financial companies to amass enormous risks on their balance sheets and pay gigantic compensation based on false profits. 
The big funds let this happen without uttering a word."&lt;br /&gt;&lt;br /&gt;The individual investors and traders that presumably control most of the other 30% of many large companies don't exercise much control either. In a corner of my living room lies an untidy stack of prospectuses for the companies in which I own tiny bits of stock. These documents are waiting for me to find time to tear off the plastic so they can be recycled. Investor and good citizen of the earth I may try to be, but good shareholder citizen I am not. Who has time to actually read the prospectuses and vote?&lt;br /&gt;&lt;br /&gt;Thus, the governance of corporate America has been thrown to the wolves. Most Boards of Directors may be diligent and most executives may be responsible. But we've also seen companies with compliant Boards of Directors, with executive pay and golden parachutes ballooning while risk soars off the charts.&lt;br /&gt;&lt;br /&gt;How does this relate to information security? Simple - if the governance of the company is out of whack with the shareholders, business risk management suffers. And business risk management is front and center in a systematic, comprehensive approach to security. IT security as a purely technical matter may be unaffected, but sometimes executives behaving badly with impunity rip aside IT controls and cause consequences for the rest of the company and its shareholders. There's little a poor security person can do to stop them short of turning whistleblower and probably wrecking his/her career.&lt;br /&gt;&lt;br /&gt;What does this mean for capitalism and the "ownership society?" I don't know. Risk taking and corporate fraud are not new. Was there ever a golden age of corporate governance? Bogle says "the government must apply a federal standard of fiduciary duty to institutional money managers. 
This would force them to use their stock holdings as a cudgel, to demand that directors and executives of corporations honor their responsibilities to their owners." Also, Bogle feels that separating the money management units from the larger, publicly traded firms is needed to prevent conflicts of interest. Thus, according to the article, "the Deutsche Bank Group, for example, would spin off DWS Investments, its mutual fund unit, or Sun Life of Canada would divest itself of MFS Investment Management."&lt;br /&gt;&lt;br /&gt;Like THAT would happen....&lt;br /&gt;&lt;br /&gt;(By the way, I looked for a good ravening pack of wolves picture on Flickr to include in this post but could not find one. Most of the pictures of wolves looked adorable to me. In the end I decided wolves don't deserve to be lumped with bad people, so there's no photo here. But the expression "thrown to the wolves" is from an earlier time when people were weaker, wolves were stronger, and people feared them.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2504437067296310867?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2504437067296310867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2504437067296310867'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/04/thrown-to-wolves.html' title='Thrown to the Wolves'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-5291359548790075707</id><published>2009-03-17T08:15:00.000-07:00</published><updated>2009-03-17T08:18:15.832-07:00</updated><title 
type='text'>RSA Panel on Log Standards</title><content type='html'>&lt;p&gt;I was able to get this panel placed in the RSA conference, so it is upcoming. Please attend if you're there!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Session Code: &lt;a href="https://cm.rsaconference.com/US09/catalog/profile.do?SESSION_ID=3980&amp;amp;form=searchform&amp;amp;ts=1236808200993"&gt;HOST-304&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Session Title: &lt;strong&gt;Common Event and Log Standards: Leveling IT's Tower of Babel&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Scheduled Date/Time:  &lt;strong&gt;Thursday, April 23 02:10 PM @ Purple 304&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Abstract:  &lt;em&gt;The IT industry suffers from a lack of standards for event, log, and audit information. Regulatory requirements to retain, protect, and destroy log data continue to increase. Organizations also need better situation awareness and cost control across complex IT security event horizons. The good news is that standards efforts are underway, which this session will detail.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;Moderator:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Daniel Blum, &lt;small&gt;Senior VP, Principal Analyst &lt;/small&gt;Burton Group&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Panelists:  &lt;br /&gt;&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Anton Chuvakin, Director of PCI Compliance Solutions, Qualys&lt;/li&gt;&lt;li&gt;David Corlette, GRC Solution Architect&lt;/li&gt;&lt;li&gt;Mary Ann Davidson, Chief Security Officer, Oracle&lt;/li&gt;&lt;li&gt;Eric Fitzgerald, Senior Program Manager, Microsoft&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-5291359548790075707?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/5291359548790075707'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/12840558/posts/default/5291359548790075707'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/03/rsa-panel-on-log-standards.html' title='RSA Panel on Log Standards'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-6474589163848733658</id><published>2009-03-11T14:48:00.000-07:00</published><updated>2009-03-11T14:52:06.075-07:00</updated><title type='text'>Virtualization security</title><content type='html'>Virtualization security is going to be so complex, it's unreal!&lt;br /&gt;&lt;br /&gt;&lt;h3 class="entry-header"&gt;&lt;a href="http://srmsblog.burtongroup.com/2009/03/virtualization-security.html"&gt;CLICK HERE FOR MY POST ON SRMSBLOG&lt;/a&gt;&lt;/h3&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-6474589163848733658?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6474589163848733658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6474589163848733658'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/03/virtualization-security.html' title='Virtualization security'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-566055836541450190</id><published>2009-03-11T14:45:00.000-07:00</published><updated>2009-03-11T14:47:40.252-07:00</updated><title 
type='text'>Still Can’t Win the Core Wars: A Report from Black Hat</title><content type='html'>Check out what I wrote on srmsblog&lt;br /&gt;&lt;h3 class="entry-header"&gt;&lt;a href="http://srmsblog.burtongroup.com/2009/02/still-cant-win-the-core-wars-a-report-from-black-hat.html"&gt;CLICK FOR MY SRMSBLOG POST&lt;/a&gt;&lt;/h3&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-566055836541450190?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/566055836541450190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/566055836541450190'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/03/still-cant-win-core-wars-report-from.html' title='Still Can’t Win the Core Wars: A Report from Black Hat'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-6666671760738755110</id><published>2009-03-07T10:41:00.000-08:00</published><updated>2009-03-07T11:35:19.362-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='inventions'/><category scheme='http://www.blogger.com/atom/ns#' term='future'/><category scheme='http://www.blogger.com/atom/ns#' term='scifi'/><title type='text'>Science Fiction and Technology Innovation</title><content type='html'>In one of Burton Group’s more interesting consulting engagements we were asked to envision identity and security trends stretching out up to 15 years in the future.&lt;br /&gt;&lt;br /&gt;Looking so far out, I thought, the identity and security trends are determined by larger trends in mobile networks, user experience, 
business models, and even artificial intelligence and cybernetics. In short, we’re into the realm of science fiction.&lt;br /&gt;&lt;br /&gt;I held my tongue during the single day consulting engagement, for I didn’t want to appear fanciful. But the notion may not have been overly fanciful after all, and I was not alone in these thoughts as my colleague Bob Blakley did observe “We’ve invented half of the gadgets on Star Trek.” My mental wheels kept turning, and now I’ve concluded that science fiction is a valuable resource that vendors who have research money and plan to be around in 10 or 20 years should take advantage of.&lt;br /&gt;&lt;br /&gt;I decided to work on this idea on my own time. The table below contains a list of titles, authors, and imagined inventions that I can think of in just a few minutes. Of course, there are many more – I should have spent more time reading scifi after all! Perhaps I’ll update this later, or you can help me by putting more scifi references into the comments of this blog.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_u6yzSyzBnPQ/SbLL49Y4rjI/AAAAAAAAAF0/KjoJw4HQDQ4/s1600-h/scifi+table.JPG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 173px;" src="http://4.bp.blogspot.com/_u6yzSyzBnPQ/SbLL49Y4rjI/AAAAAAAAAF0/KjoJw4HQDQ4/s400/scifi+table.JPG" alt="" id="BLOGGER_PHOTO_ID_5310531090035289650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CLICK TO ENLARGE&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The vendors that hit the market with products like these in the next 10, 20, or 50 years will make serious money and they - or someone - will have to take care of the identity and security issues. But how can vendors, developers, manufacturers, and inventors leverage this information? 
Here are some ideas.&lt;br /&gt;&lt;br /&gt;Harness the power of social software. Your employees collectively have read hundreds of science fiction books and/or are aware of technologies in existence today that are so advanced they may seem like scifi to the uninitiated.&lt;br /&gt;&lt;br /&gt;Create a product development wiki that lists important emerging technologies and potential future inventions, including those from science fiction books. Make sure you capture the attributes of the scifi invention that are relevant to your organization’s business focus. For identity and security I would want all wiki entries to include the author, title, a description of the invention, the user experience, the business model, specific security characteristics, and other relevant attributes.&lt;br /&gt;&lt;br /&gt;Do something with the information. I would suggest creating a public or private prediction futures market where participants have the opportunity to “IPO” an idea and then to trade it like a stock. 
I understand that Google already does this using fractional “Google dollars.”&lt;br /&gt;As the “futures” move close to their maturity date, select the inventions that come to the top of the predictions market for further analysis, prototyping, and focus group evaluation.&lt;br /&gt;&lt;br /&gt;For more information on leveraging social software and prediction markets see the books “Wikinomics” and “Infotopia.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-6666671760738755110?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6666671760738755110'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/6666671760738755110'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/03/science-fiction-and-technology.html' title='Science Fiction and Technology Innovation'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_u6yzSyzBnPQ/SbLL49Y4rjI/AAAAAAAAAF0/KjoJw4HQDQ4/s72-c/scifi+table.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-7802943252503503808</id><published>2009-02-13T05:40:00.000-08:00</published><updated>2009-02-13T05:48:00.624-08:00</updated><title type='text'>Hackers relentless, like ants</title><content type='html'>My friend from a conservative think tank in DC shared a personal story with me.&lt;br /&gt;&lt;br /&gt;One of the think tank's analysts (a Korean woman) had left the organization to work for the Department of State. 
One day my friend received an email from her, clicked to open, and his screen went blank.&lt;br /&gt;&lt;br /&gt;He's pretty sure this was a virus that sent all his files to China. "You know, they can forge the email addresses. I should have known better than to open it."&lt;br /&gt;&lt;br /&gt;Subsequently, he notified their IT person who looked at him angrily and took the PC away. He heard no more about what happened specifically to his PC, but passes on plenty of hearsay - presumably from other analysts or the think tank's own IT people.&lt;br /&gt;&lt;br /&gt;"They're still communists. They hate us because we hate them (well, not really). We get attacked all the time. The Pentagon too. There's so many of them, they keep coming. &lt;span style="font-style: italic;"&gt;They're relentless, like ants."&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;One of these days I'm going to try to talk with my friend's IT people. They must have some interesting cyberwar stories.&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-7802943252503503808?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7802943252503503808'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7802943252503503808'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/02/hackers-relentless-like-ants.html' title='Hackers relentless, like ants'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-4794568459118411894</id><published>2009-02-05T14:59:00.000-08:00</published><updated>2009-02-05T16:11:52.949-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='24'/><title type='text'>Worst Practices for Network Security in "24" Melodrama (Part 2)</title><content type='html'>&lt;span style="font-family:arial;"&gt;A key premise of "24" Season 7 is that bad guys have acquired a "critical infrastructure protection (CIP)" module, or appliance, that is capable of breaching the government's CIP firewall and taking over air traffic control systems, chemical plants, and all sorts of stuff. There's no such thing as defense in depth in "24" (unless, of course, you count Jack Bauer). I wrote about this a couple weeks ago in &lt;/span&gt;&lt;a href="http://security-architect.blogspot.com/2009/01/worst-practices-for-network-security-in.html"&gt;Worst Practices for Network Security in "24" Melodrama (part 1).&lt;br /&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;The "CIP module" was back in action Monday night on Episode 151 (see http://www.tv.com/24/show/3866/episode.html). The bad guys are able to get into the chemical plant and raise the pressure on the insecticide tank all the while locking the controllers (who by then knew about the problem) out of the system. That's either an awfully powerful CIP module or an awful security architecture or both. Alas, the CIP module was destroyed at the end of the episode so I may not get any more blog entries out of it. 
But the season is still young - something else may come along.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-4794568459118411894?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4794568459118411894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4794568459118411894'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/02/worst-practices-for-network-security-in.html' title='Worst Practices for Network Security in &quot;24&quot; Melodrama (Part 2)'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2684664494238408234</id><published>2009-02-05T06:38:00.000-08:00</published><updated>2009-02-05T06:40:32.077-08:00</updated><title type='text'>Security Strategies for the Recession</title><content type='html'>&lt;span style="font-family: arial;"&gt;After much work, I finished "Security Strategies for the Recession" last week and turned the document in to Burton Group's production department for the copyedit process.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Some of the interesting research questions have been:&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;&lt;span style="font-weight: bold;"&gt;How is security spending doing?&lt;/span&gt; The surveys from last fall said that security spending was holding up, at least as a percentage of IT spending. This seems counter-intuitive as we watch the economy crashing around us. 
The document made the point that just as you don't cut the building guards during a factory layoff, you limit your cuts to IT security in these times. But IT is getting cut, so absolute security spending will decline. My document tries to address a range of budget perspectives - from "busted" to "flush."&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;&lt;span style="font-weight: bold;"&gt;Where should security departments NOT scrimp on spending?&lt;/span&gt; This question led to itemizing the "security baseline." What is baseline and what is not differs depending on different organizations' security postures, but there is a rather long list of things that you really can't afford to cut, especially considering that threats increase in hard times, and many of those threats are IT insiders.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family: arial;"&gt;&lt;span style="font-weight: bold;"&gt;How to build (or hire) the Dream Team for security: &lt;/span&gt;While the recession increases insider threats and challenges, it's also an opportunity to increase staff loyalty and (if you're flush) to make some great hires. Treat your people well!&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-family: arial;"&gt;The following is a summary of the document:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial; font-style: italic;"&gt;"IT budgets are contracting amidst a strong economic recession. Security spending is holding up better than IT overall in many organizations, but contingency planning is needed as conditions worsen. External threats, insider threats, and compliance risks are increasing. Business changes – such as outsourcing, consumerization, mergers, and acquisitions - challenge security managers to improve and adapt. 
Working smarter and doing more with less requires maintaining baseline security and carefully prioritizing and optimizing all activities."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial; font-style: italic;"&gt;"As IT security departments align with the business and IT, some application and infrastructure rationalization opportunities may simplify security environments. Organizations should make cuts to ineffective security technologies and inconclusive projects, but not scrimp on controls that protect mission critical applications and infrastructure from hackers and insider abuse. Organizations should also improve IT security processes, strengthen teams, and look for opportunities in future economic rebounds."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;I never did get much external review (outside Burton Group) on this document, so if you'd like a copy in the next couple weeks and promise to give me some comments please leave a comment on this blog entry!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2684664494238408234?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2684664494238408234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2684664494238408234'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/02/security-strategies-for-recession.html' title='Security Strategies for the Recession'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-7903553937835235217</id><published>2009-01-24T08:18:00.000-08:00</published><updated>2009-01-24T08:27:05.681-08:00</updated><title type='text'>How to plug common event and log standards</title><content type='html'>I was promoting the possibility of having a conference panel on common event and log standards. As I missed the proposal process for the conference, it's an uphill battle to get it on the agenda. I got a skeptical email from my friendly conference organizer early in the morning when I was still very stimulated by my first two cups of coffee.&lt;br /&gt;&lt;br /&gt;This is the whole dialogue - maybe you'll get a kick out of it and see how (or how not :-)) to promote standards.&lt;br /&gt;&lt;br /&gt;This is the message that got me going.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;From: Redacted&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;To: Dan Blum&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Subject: RE: Common event and log standards&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Let's talk tomorrow (Thursday), but my initial impression is that your proposal for a common event and log panel reflects routine actions and does not rise to the level of a "Hot Topic". What below is really new and urgent? Thanks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Here is my coffee-fueled response.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;From: Dan&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;To: [name redacted]&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Subject: RE: Common event and log standards&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;As you point out, events and logs are not new. They’re not the sexy part of security. 
No one’s been able to do anything about standards – yet.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;What’s new is that the industry has its best chance ever to solve this problem with the gathering momentum behind CEE and XDAS. But those of us with influence over the industry have to help.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;As you point out, standards for events and logs are not urgent. We could go on generating a tower of logging Babel in IT forever. We could continue to have expensive SIEM that doesn’t get much done. That doesn’t interoperate across organizations. That limits the control over cloud computing and other outsourced environments. We could continue having lousy metrics and being mostly unable to automate security responses because we can’t understand the full context of events. We could continue having mediocre security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Stephen Covey distinguishes between what is urgent and what is important in his four quadrant model.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;1) Urgent and Important&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;2) Important, but not Urgent&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;3) Urgent, but not Important&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;4) Not Urgent and not Important&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;If you don’t spend some time in Quadrant 2 you end up in Quadrant 1, crisis mode, or Quadrant 4, never getting anything done. 
Maybe that’s the problem with the security industry, we spend too much time futzing around in quadrant 4 (reading logs, trying to understand what’s happening) and quadrant 1 (putting out fires).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Events and logs are not a “Hot Topic”, only an “Important Topic.” It’s an opportunity to influence the industry to solve serious customer problems.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;br /&gt;This was my original proposal...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;From: Dan Blum&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;To: Redacted&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Subject: Common event and log standards&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;I’m proposing you consider a panel, talk, or some exposure for common event and log standards at the conference for the following reasons.&lt;/span&gt;&lt;br /&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;Lack of these standards creates serious customer problems with log retention, destruction, and protection as well as storage costs, integration costs, poor situation awareness, and limited capacity for investigations&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;Standards would benefit customers by helping to solve these problems and, in the process, improve the state of the art in security information and event management, audit, and metrics&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;Standards have been difficult to achieve in the past, and still need all the help they can get from folks like ourselves&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;Despite the ongoing challenges, Common Event Expression (CEE) and XDAS are proceeding collaboratively with more collective mindshare, more understanding of the problem, and more 
participation from customers and vendors than the industry has ever seen devoted to this problem before&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;With Mitre’s involvement, there is a realistic chance that if good specifications are produced, CEE could end up with government/FISMA support similar to that provided to the SCAP and Common Vulnerabilities Expression (CVE) standards&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-style: italic;"&gt;&lt;li&gt;All of this may start to gel this year with the production of CEE and XDAS specifications, which are now actively under development&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;"&gt;I’ve attached a copy of my final draft paper covering these issues and look forward to discussing it further&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-7903553937835235217?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7903553937835235217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7903553937835235217'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/01/how-to-plug-common-event-and-log.html' title='How to plug common event and log standards'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-989298207930672128</id><published>2009-01-24T07:57:00.000-08:00</published><updated>2009-01-24T08:06:55.720-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='de-perimeterization'/><category scheme='http://www.blogger.com/atom/ns#' term='consumerization'/><title 
type='text'>Consumerization, the White House, and Rockin’ IT</title><content type='html'>&lt;h3  style="font-weight: normal;font-family:arial;" class="entry-header"&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://srmsblog.burtongroup.com/2009/01/consumerization-the-white-house-and-rockin-it.html"&gt;Click here for &lt;span style="font-weight: bold;"&gt;my post on this at SRMSBLOG&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/h3&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-989298207930672128?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/989298207930672128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/989298207930672128'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/01/consumerization-white-house-and-rockin_24.html' title='Consumerization, the White House, and Rockin’ IT'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3266908785305374717</id><published>2009-01-18T11:56:00.000-08:00</published><updated>2009-02-05T16:05:57.468-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='24'/><title type='text'>Worst Practices for Network Security in "24" Melodrama</title><content type='html'>The first episode of Fox's "24" season 7 starts with the kidnapping of an engineer from what I hope is the mythical national critical infrastructure protection firewall (CIP firewall). 
Soon the tortured and bloodsoaked engineer wires together an appliance to breach the CIP firewall.&lt;br /&gt;&lt;br /&gt;The government detects the breach almost immediately but can do nothing. Never mind that the kidnapped engineer is practically on the point of collapse. Disregard the fact that it probably takes much more than a gizmo to sustain a firewall breach after any defensive team with a room temperature IQ detects it. Terrorists are soon exploiting the breach to hack into air traffic control networks and cause a near miss between two airplanes on the runways.&lt;br /&gt;&lt;br /&gt;The situation escalates and we are treated to the following dialogue between the president and a cabinet official.&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;"&gt;   “How bad is it?”&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt; “Top of the list, the national power grid. A blackout of that system could result in rioting in the major cities. Even more damaging, the water treatment plants…”&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt; “When are we going to fix this?”&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt; “The CIP firewall was the result of a multi-year engineering effort. Reengineering the code could take weeks or months at this point. NSA just doesn’t know.”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are so many things wrong with this picture that I hardly know where to start.&lt;br /&gt;How could so much risk be aggregated into a single firewall? Where is the defense in depth, diverse methods of defense, diverse security products? What happened to a de-perimeterized architecture allowing endpoints or subnetworks to self-protect? 
Why not use secure communications among CIP endpoints that can be rekeyed in the event of emergency?&lt;br /&gt;&lt;br /&gt;Of course, the government wouldn’t make such mistakes in real life, would it?&lt;br /&gt;&lt;br /&gt;Actually, it's hard to know for sure. The Department of Homeland Security (DHS) Comprehensive National Cyber Security Initiative (CNCSI) reportedly reduces government portals connected to the Internet to less than 100. This in itself is not a bad thing – unless it signals an unhealthy dependence on network security and leads to another hard shell, soft chewy center disaster. Since everything about the CNCSI is secret, we can’t be sure…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3266908785305374717?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3266908785305374717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3266908785305374717'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2009/01/worst-practices-for-network-security-in.html' title='Worst Practices for Network Security in &quot;24&quot; Melodrama'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-8373883934488279039</id><published>2008-12-15T14:00:00.000-08:00</published><updated>2008-12-15T14:11:07.377-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><title type='text'>Thinking about cloud computing and security</title><content type='html'>I'm getting ready for a Computerworld Virtual Security Trade Show webinar on cloud computing, and 
getting lots of good ideas.&lt;br /&gt;&lt;br /&gt;At Burton Group we've defined cloud computing as "technologies that enable delivery of IT as a service" and have modeled a cloud stack with four layers including Software as a Service, Platform as a Service, Software Infrastructure as a Service, and Infrastructure as a Service. We've also been thinking a lot about what it takes to secure the layers.&lt;br /&gt;&lt;br /&gt;As I poke around for information, I like this quote from this article on cloud computing security by Jim Hietala, Open Group Jericho Forum:&lt;br /&gt;&lt;br /&gt;http://www.ft.com/cms/s/0/303680a6-bf51-11dd-ae63-0000779fd18c.html?nclick_check=1&lt;br /&gt;&lt;br /&gt;“At the heart of all forms of cloud models is the concept of “abstraction”. Cloud models separate one layer of business from another, for example process from software, or platform from infrastructure. The more successfully you can separate the layers in your model, the better your cloud implementation will be.”&lt;br /&gt;&lt;br /&gt;Also, a colleague of mine attended a panel on cloud computing in NY with the same Jericho folks, and shared some insights with me:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;You need to think about criminals in the cloud - how to track the bad guys&lt;/li&gt;&lt;li&gt;Your business is once removed from operations but still responsible for compliance and risk&lt;/li&gt;&lt;li&gt;What’s really driving cloud computing is that business constituents (executives, managers and employees; Gen B, X, and Y) are no longer willing to wait for IT to spend months or years on projects; if the functionality is available from a cloud provider, they want it now; get the application up and running!&lt;/li&gt;&lt;li&gt;It's a hybrid world – no organization will be all cloud or all “silo”&lt;/li&gt;&lt;li&gt;Emerging threats are carbon-based – technologies are working fairly well – but you have to make security measures easy or people won't observe them&lt;/li&gt;&lt;li&gt;You have to have classified your 
information and your business processes; know them well enough that you understand the requirements for cloud and/or internal security&lt;/li&gt;&lt;li&gt;The Jericho Forum commandments are a reasonable yardstick to hold cloud computing providers up against; if they do not comply, think seriously about whether the business can afford the risk and the lock-in&lt;/li&gt;&lt;/ul&gt;It occurs to me that one can divide much of cloud computing security into thirds:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Risk assessment and information classification so you know what really needs to be kept most strictly controlled&lt;/li&gt;&lt;li&gt;Contracts and audits of the cloud providers&lt;/li&gt;&lt;li&gt;Access control through IT controlled portals to all cloud computing environments so that single sign on, account provisioning, de-provisioning, usage monitoring/auditing, license management, and volume purchasing can be accommodated (carrots and sticks aplenty here)&lt;/li&gt;&lt;/ul&gt;Sign up for the virtual security trade show at&lt;br /&gt;http://virtualconferences.computerworld.com/security_directions_dec08/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-8373883934488279039?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8373883934488279039'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8373883934488279039'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/12/thinking-about-cloud-computing-and.html' title='Thinking about cloud computing and security'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3961903702602852221</id><published>2008-12-06T06:19:00.001-08:00</published><updated>2008-12-06T06:26:43.603-08:00</updated><title type='text'>Identerati Renamed</title><content type='html'>Identerati was a nice name, but as my job responsibilities have expanded, it is no longer the right name for my blog.&lt;br /&gt;&lt;br /&gt;I still plan to write about identity, access control, privacy and that whole complex of issues but will also cover other topics. I'll post more frequently - and that is an easy promise to keep given the sparseness of posts on this blog of late. Yet I renamed rather than discontinued it because I think there's some good stuff back in the archives that should remain in existence.&lt;br /&gt;&lt;br /&gt;Why so infrequent in my posting? A number of reasons, some I don't wish to discuss. But one reason was that the nicheness of the Identerati title held me back a bit from posting on non-identity related matters. Also my blogging attention was diverted to Burton Group's http://srmsblog.burtongroup.com. 
I'll continue to post there, but some of my colleagues have become much more active, lessening the burden on me.&lt;br /&gt;&lt;br /&gt;Until later!&lt;br /&gt;Dan&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3961903702602852221?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3961903702602852221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3961903702602852221'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/12/identerati-renamed.html' title='Identerati Renamed'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-7030706614021819328</id><published>2008-07-05T07:44:00.000-07:00</published><updated>2008-07-05T08:21:21.814-07:00</updated><title type='text'>Whatever happened to XML-based PKI?</title><content type='html'>In recent discussions with colleagues the question came: whatever happened to XKMS? And other OASIS PKI initiatives? 
I became intrigued with this as we remembered that Microsoft seemed to be an early supporter of XKMS (along with VeriSign), but neither they (nor other vendors) seem to have implemented it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;XML Key Management Specification (XKMS)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Wikipedia describes XKMS as follows:&lt;br /&gt;&lt;p style="font-style: italic;"&gt;XKMS consists of two parts: XKISS (XML Key Information Service Specification) and XKRSS (XML Key Registration Service Specification).&lt;/p&gt; &lt;p style="font-style: italic;"&gt;The XKISS service specification is concerned with management of the public component of a public key pair. The XKRSS is concerned with management of private keys.&lt;/p&gt; &lt;span style="font-style: italic;"&gt;In both cases the goal of XKMS is to allow all the complexity of traditional PKI implementations to be offloaded from the client to an external service. At the time XKMS was proposed no security infrastructure was defined for the then entirely new SOAP protocol for Web Services. &lt;span style="font-weight: bold;"&gt;As a result a large part of the XKMS specification is concerned with the definition of security 'bindings' for specific Web Services protocols. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Wikipedia's last sentence suggests that XKMS may have come before its time. 
But other research suggests the problem goes deeper than that.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;OASIS PKIA TC&lt;/span&gt;&lt;br /&gt;&lt;span class="headingtext"&gt;&lt;br /&gt;In 2002, the &lt;/span&gt;&lt;a href="http://www.oasis-open.org/committees/pki/"&gt;OASIS Public Key Infrastructure Adoption (PKIA) TC&lt;/a&gt;&lt;span class="headingtext"&gt; was founded with some fanfare, and, according to the TC's web page modified in early 2007, a long list of deliverables:&lt;/span&gt; &lt;ul&gt;&lt;li&gt;business implementation guideline white papers&lt;/li&gt;&lt;li&gt;technical implementation guideline white papers&lt;/li&gt;&lt;li&gt;best practice and sample implementations&lt;/li&gt;&lt;li&gt;applications white papers&lt;/li&gt;&lt;li&gt;forums for networking, information sharing and implementation of PKI-related projects&lt;/li&gt;&lt;li&gt;solutions showcase.&lt;/li&gt;&lt;/ul&gt;None of these seems to have been published; if they were, they're not to be found linked at the TC's web site.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;OASIS Digital Signature Standard&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Also in 2002, the &lt;a href="http://www.oasis-open.org/committees/dss/"&gt;OASIS Digital Signature Services (DSS) TC &lt;/a&gt;was founded. This TC has published and approved its V1.0 specification. On the face of things, that's wonderful, but it may be telling that the home page lists the work as &lt;span style="font-weight: bold;"&gt;Completed&lt;/span&gt; (no further deliberations? maintenance? new specs?) and a Google search for "OASIS DSS products" yields only one from an obscure vendor called Co-sign.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Epilogue&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;I tend to think that PKI, or some type of public key management, is very important. 
Sure, the role of PKI in the world of XML security shrinks as specifications like SAML provide an abstraction layer for authentication and authorization. Sure, PKI is struggling terribly in some applications like secure email, which after about 20 years of trying the industry still can't get right. But I would have thought the industry could do better than create a series of lackluster specifications that are gathering dust.&lt;br /&gt;&lt;br /&gt;The question arises for these key management services that XKMS and DSS try (or tried?) to provide: were protocols of this kind even necessary?&lt;br /&gt;&lt;br /&gt;Lack of adoption would indicate "no"; the persistence of key management problems might indicate "yes."&lt;br /&gt;&lt;br /&gt;Key management remains a big problem in general for the encryption of data in motion (email, web services) and data at rest. There are also efforts in IEEE and OASIS to provide symmetric key specifications. Will symmetric key standards fare better than PKI ones? 
Will the issue of standards for public key management services resurface and get it right this time?&lt;br /&gt;&lt;br /&gt;It seems unlikely, until we really understand the problem.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-7030706614021819328?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7030706614021819328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/7030706614021819328'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/07/whatever-happened-to-xml-based-pki.html' title='Whatever happened to XML-based PKI?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3323383641147735259</id><published>2008-05-07T11:46:00.001-07:00</published><updated>2008-05-07T11:55:32.538-07:00</updated><title type='text'>Putting the finger on Active Directory ACL Vulnerabilities</title><content type='html'>Pop Quiz: &lt;i&gt;What do these administrative tasks have in common?&lt;/i&gt; &lt;ul&gt;&lt;li&gt;Change an object's ownership&lt;/li&gt;&lt;li&gt;Change an object's security permissions (ACL)&lt;/li&gt;&lt;li&gt;Reset a user account's password&lt;/li&gt;&lt;li&gt;Change a user account's expiration date&lt;/li&gt;&lt;li&gt;Change a user account's name&lt;/li&gt;&lt;li&gt;Unlock a user's account&lt;/li&gt;&lt;li&gt;Change a user account's logon hours&lt;/li&gt;&lt;li&gt;Force a user to change password at next logon&lt;/li&gt;&lt;li&gt;Change a user's pre-Windows 2000 account name&lt;/li&gt;&lt;li&gt;Disable a user's account&lt;/li&gt;&lt;li&gt;Change a user account's password requirement&lt;/li&gt;&lt;li&gt;Set a user account's password to never expire&lt;/li&gt;&lt;li&gt;Change a user account's password storage encryption behavior&lt;/li&gt;&lt;li&gt;Disallow a user the ability to change the account's password&lt;/li&gt;&lt;li&gt;Change a user's logon name&lt;/li&gt;&lt;li&gt;Change the list of computers to which a user can log on&lt;/li&gt;&lt;li&gt;Unexpire an expired user account password&lt;/li&gt;&lt;/ul&gt;Answer: &lt;i&gt;They are all important security administration privileges that any logged on Active Directory user can look up at will for any account in your Active Directory forest.&lt;br /&gt;&lt;br /&gt;&lt;/i&gt;Concerned that hackers might use LDAP reads on your directory ACLs to find ways to control a domain administrator’s account, CEO account or other valuable resource?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_u6yzSyzBnPQ/SCH6c_2Vh1I/AAAAAAAAADA/8n0D47AVul4/s1600-h/PD_Gold_Finger.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_u6yzSyzBnPQ/SCH6c_2Vh1I/AAAAAAAAADA/8n0D47AVul4/s320/PD_Gold_Finger.jpg" alt="" id="BLOGGER_PHOTO_ID_5197710821044881234" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;Sanjay Tandon - Microsoft’s former Active Directory program manager - was. One day, Sanjay decided to do something about it. Through his Paramount Defenses startup company, Sanjay created the Goldfinger product to help security staff search out and eliminate weaknesses in their Active Directory access control models.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;For the typical enterprise, calling something an “Active Directory access control model” may be a bit too charitable. The word “model” implies a sense of order that may not exist. Active Directory in the large enterprise environment has multiple powerful domain administrators, a bewildering array of OS-integrated functions, a powerful delegation capability, inheritance, and many privileged service accounts and group objects for discretionary access control. It is very difficult for security staff or auditors to know who has access to what.&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Security staff may have started out with an orderly model, but as more help desks are added, procedures changed, emergencies dealt with, and applications like Exchange enabled in Active Directory, things fall apart. Somewhere, perhaps many somewheres, are user or service accounts with privileges that security staff never knew about, anticipated or approved.&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Using Active Directory as an intelligence tool, an attacker need only read the CEO account’s access control list to find which accounts can reset the CEO’s password. Search those accounts’ ACLs until finding a nearby user or computer that can be compromised through a targeted logical, physical or social attack. 
Do that, gain control of the first account, follow the privilege chain to the CEO’s account and exploit for the desired effect.&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Today, however, organizations can consider using Goldfinger to help get their house of ACLs in better order. Goldfinger provides an easier way to point at accounts, groups or other entries in the directory and list out their “resultant access control” information. With the tool, administrators can seek out paths to privilege that are not appropriate and perhaps unnecessary. Then get rid of them.&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Paramount Defenses carefully controls Goldfinger distribution so that the tool does not fall into the wrong hands. But as the company’s web site points out, it’s no longer a question of &lt;i&gt;if&lt;/i&gt; hackers will develop similar Active Directory reconnaissance tools, but &lt;i&gt;when&lt;/i&gt;. Goldfinger’s value proposition is to help security staff more efficiently uncover ACL weaknesses before attackers do. &lt;/p&gt; &lt;p class="MsoNormal"&gt;What else can be done? Organizations could tap their favorite intrusion detection system (IDS) or security information management (SIM) vendors for traffic analysis or log analysis to detect Active Directory reconnaissance in progress, then stop it. Better yet, Microsoft could increase the authorization required to see authorization information. Hello!? Anyone from Microsoft reading this? 
Please comment!&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3323383641147735259?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3323383641147735259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3323383641147735259'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/05/putting-finger-on-active-directory-acl.html' title='Putting the finger on Active Directory ACL Vulnerabilities'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_u6yzSyzBnPQ/SCH6c_2Vh1I/AAAAAAAAADA/8n0D47AVul4/s72-c/PD_Gold_Finger.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-5604536239983625505</id><published>2008-03-13T06:32:00.000-07:00</published><updated>2008-03-13T06:46:05.551-07:00</updated><title type='text'>IDTrust 2008</title><content type='html'>Last week I attended the IDTrust 2008  conference put on by NIST in Maryland. This used to be the PKI Conference, but it has come a long way since then. 
This year there were presentations on federation, user-centric identity and other topics in addition to PKI.&lt;br /&gt;&lt;br /&gt;I was honored to give the keynote at OpenID, and you can download my slides "Identity Interoperability, Standards and the State of Adoption" at  http://middleware.internet2.edu/idtrust/2008/slides/01-blum-standards.ppt&lt;br /&gt;&lt;br /&gt;I was only there for the first day, but was particularly interested in the presentations on OpenID discovery and the new Open Reputation Management System (ORMS) technical committee at OASIS. Here are some thoughts; there are also presentations on these topics at the conference proceedings site.&lt;br /&gt;&lt;br /&gt;OpenID: While OpenID 1.0 enjoys some usage in the blogosphere and lots of mindshare, the security is pretty weak. Drummond Reed described the work that has gone into OpenID 2.0 to leverage XRI for discovery, which will help fix some of the problems. OpenID 3.0 is also on the way. By the time they are done OpenID will probably become quite complex and lose its ease of implementation.&lt;br /&gt;&lt;br /&gt;ORMS: While reputation systems have their uses on sites like eBay as well as for spam detection and web security, the issues this technical committee proposes to address are extremely complex and it isn't clear how or when useful functionality will emerge.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-5604536239983625505?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/5604536239983625505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/5604536239983625505'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/03/idtrust-2008.html' title='IDTrust 2008'/><author><name>Dan 
Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-5981998985285684400</id><published>2008-02-28T06:44:00.001-08:00</published><updated>2008-02-28T06:59:46.667-08:00</updated><title type='text'>Where have I been?</title><content type='html'>It has been 10 months since I posted here. The primary reasons were that my job got a blog and I was generally very busy.&lt;br /&gt;&lt;br /&gt;These days other Burton Group analysts are doing the brunt of the blogging and while I'm still very busy, the nature of my days is more conducive to blogging now than it had been.&lt;br /&gt;&lt;br /&gt;So I will resume blogging here on Identerati.&lt;br /&gt;&lt;br /&gt;You can also view my intervening posts on http://srmsblog.burtongroup.com. Some of my favorite ones are:&lt;br /&gt;&lt;br /&gt;Prospects Brightening for a Common Event Standard&lt;br /&gt;http://srmsblog.burtongroup.com/2008/02/prospects-brigh.html&lt;br /&gt;&lt;br /&gt;Financial Services Roundtable Plans for Changing the Game http://srmsblog.burtongroup.com/2007/09/financial-servi.html&lt;br /&gt;&lt;br /&gt;Catalyst Clarifies Information Security Challenges&lt;br /&gt;http://srmsblog.burtongroup.com/2007/07/catalyst-clarif.html&lt;br /&gt;&lt;br /&gt;The NAC Fog Begins to Clear&lt;br /&gt;http://srmsblog.burtongroup.com/2007/05/the_nac_fog_beg.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-5981998985285684400?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/5981998985285684400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/5981998985285684400'/><link 
rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2008/02/where-have-i-been.html' title='Where have I been?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-4736271481385216016</id><published>2007-04-13T04:10:00.000-07:00</published><updated>2007-04-13T04:30:14.717-07:00</updated><title type='text'>Active Directory Domain Controller Hacked Through Remote DNS Management?</title><content type='html'>This is my initial reaction to Microsoft's Security Advisory 935964, and should be correct to the extent the advisory is complete and correct.&lt;br /&gt;&lt;br /&gt;Through a buffer overflow attack on the RPC port of a Windows server, an anonymous user can execute code in the DNS service. Since the Windows DNS Service is integrated with Active Directory and often run on a domain controller, this means the attack has the opportunity to compromise a Windows domain controller, which is a great start towards&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Compromising other domain controllers (DCs)&lt;/li&gt;&lt;li&gt;Compromising computers in the forest, attacking non-forest computers in the zone of trust accessible to the DC&lt;/li&gt;&lt;li&gt;Escalating any kind of privilege that is controlled by groups, accounts or other objects in the Active Directory&lt;/li&gt;&lt;li&gt;Intelligence gathering&lt;/li&gt;&lt;li&gt;Doing mischief with DNS against anything that uses the DNS&lt;/li&gt;&lt;/ul&gt;No information has been released yet on how Microsoft found out about this targeted, undercover exploit and what was compromised – maybe they saw the vulnerability for sale out in hacker land, but there could be some very unhappy security departments out there that aren’t talking about this publicly!&lt;br /&gt;&lt;br /&gt;And the auditors should be asking questions 
– how does your organization know this couldn’t have happened to you, that it didn’t happen, that it didn’t compromise regulated environments?&lt;br /&gt;&lt;br /&gt;I find this to be a very significant advisory because it demonstrates some important concepts my colleagues and I have been writing about:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Risk aggregation in Active Directory forests (first written about by us circa 2000) – don’t integrate sensitive environments with a single forest that contains lower surety elements&lt;/li&gt;&lt;li&gt;Targeted attacks and undercover exploits – this doesn’t look like a worm put out for show, this is going after the money&lt;/li&gt;&lt;li&gt;The need for a perimeter layer of security (network IDS and firewall traffic control) to serve as a preventive or detective control for vulnerable hosts that perform critical functions&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;No patch yet. The workaround is to lock down the RPC port on the host (so it can’t be managed remotely) and/or through firewalls (so the RPC port is blocked). The trouble is, organizations actually need to be able to remotely manage DNS and other things on the DC. They can shut remote management down temporarily while waiting for the patch, but the longer they have to wait, the more painful this gets for network and security support.&lt;br /&gt;&lt;br /&gt;Organizations that have implemented what we call a “control zone” – where domain controllers and other sensitive infrastructure are firewall protected so the ports used for remote management are either blocked (if unneeded) or restricted to authorized IP addresses or IPSec authenticated hosts – are in a better position here. Microsoft has provided some documentation on how to run domains and forests within firewalls by tunneling DC to DC traffic through IPSec http://www.microsoft.com/downloads/thankyou.aspx?familyId=c2ef3846-43f0-4caf-9767-a9166368434e&amp;amp;displayLang=en but I haven’t reviewed this in depth yet. 
There is also some good information in the blog entry http://blogs.zdnet.com/Ou/?p=469.&lt;br /&gt;&lt;br /&gt;Finally, I want to say that these kinds of exploits can happen to any operating system. Microsoft is to be commended for its responsible disclosure of the problem so that organizations can undertake workarounds. Microsoft also warned about risk aggregation years ago when it identified that the domain is not a security boundary when included in a forest. But many customers still persist in creating large forests, not protecting their control zone and may be including things in the forest that they shouldn't.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-4736271481385216016?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4736271481385216016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/4736271481385216016'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2007/04/windows-dns-service-hacked.html' title='Active Directory Domain Controller Hacked Through Remote DNS Management?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-3351781260930493210</id><published>2007-03-28T03:49:00.000-07:00</published><updated>2007-03-28T19:29:13.982-07:00</updated><title type='text'>Appalacian Identity Management at Myspace</title><content type='html'>What do you think about when you hear the word Appalachia? Beautiful mountains and trails? Poor, inbred communities? It's all there. And weirdly, it all relates to this blog entry. 
Sort of.&lt;br /&gt;&lt;br /&gt;This post is actually about poor (shall we say, inbred?) identity management on Myspace.com. But it starts on the Appalachian trail.&lt;br /&gt;&lt;br /&gt;My cousin's son Mason is taking the summer off to hike the Appalachian trail. As I write, he and his friend "Swamp Yankee" are somewhere in Tennessee. They are posting accounts of their travels whenever they reach a suitably high peak or civilized valley boasting cell phone signal. The trail is beautiful, but what they find most interesting about the hike is the community of people out there. (Isn't it great how everything always comes back to people, to identity?)&lt;br /&gt;&lt;br /&gt;Mason's posts are on myspace.com/skhikers - another strange community. To send Mason a message, my wife (Ginny) had to join myspace too. But when she typed in her email address, myspace said somebody already had it! Her proprietary instincts aroused, Ginny clicked on "forgot password" and sure enough myspace sent the password. Ginny used it to log in and found she had become "Amanda" - a Pennsylvania girl with a lot of rapper talk in her profile.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_u6yzSyzBnPQ/RgsjtDs9X8I/AAAAAAAAACc/AEghFyqYyU4/s1600-h/pic.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_u6yzSyzBnPQ/RgsjtDs9X8I/AAAAAAAAACc/AEghFyqYyU4/s320/pic.jpg" alt="" id="BLOGGER_PHOTO_ID_5047167064393736130" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Amanda's gone now. Ginny took control of the account keyed on her email address. Fortunately, the account had hardly been used and there was only one friend named "Tom" (who seems to be everyone's friend). Most likely Amanda forgot her password and could never get it back because she had (accidentally?) misappropriated Ginny's email address and could not successfully invoke "forgot password." 
But it could have been much worse. There could have been a lot of information there, and ethical vagueness about who owns the account and what should happen to it.&lt;br /&gt;&lt;br /&gt;The real fault lies with Myspace's inbred identity management, and this could have turned out worse. Myspace has failed to fully protect the identity and privacy of their customers.&lt;br /&gt;I know because I also created an account with Myspace. While I did get email from myspace, they do not verify that I had access to the email address I claimed.&lt;br /&gt;&lt;br /&gt;Myspace has already been ravaged by the Samy worm, and judging by the quality of its identity management, there are more problems ahead before that community gets out of the woods.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-3351781260930493210?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3351781260930493210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/3351781260930493210'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2007/03/appalacian-identity-management-at.html' title='Appalacian Identity Management at Myspace'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_u6yzSyzBnPQ/RgsjtDs9X8I/AAAAAAAAACc/AEghFyqYyU4/s72-c/pic.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-8384695148239145656</id><published>2007-03-09T06:18:00.000-08:00</published><updated>2007-03-09T06:48:55.965-08:00</updated><title type='text'>Haiti, Urns, and 
Non-Quantifiable Risks</title><content type='html'>I've been too busy to post lately because I went on a mission trip with our church to Haiti. It was a fantastic experience, so I started another blog about it at http://global-mission-trips.blogspot.com. Please check it out and let me know what you think!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_u6yzSyzBnPQ/RfFuGCUSBWI/AAAAAAAAABY/l7eeRLniAtk/s1600-h/blum042-R1-006-1A.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_u6yzSyzBnPQ/RfFuGCUSBWI/AAAAAAAAABY/l7eeRLniAtk/s320/blum042-R1-006-1A.jpg" alt="" id="BLOGGER_PHOTO_ID_5039930507984504162" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There are definite lessons from the security perspective, though. It is no secret to professionals in the field that we tend to over-estimate the risks of what is unfamiliar and novel, and under-estimate other risks.&lt;br /&gt;&lt;br /&gt;Concerning Haiti, much has been sensationalized in the press about gang kidnappings. However, our mission group drove all over and almost everyone was friendly and there were no gangs in sight. In fact, the UN and the police have been cracking down on the gangs, with some success. We definitely worried about the risk way too much.&lt;br /&gt;&lt;br /&gt;At the same time, I kept emphasizing to our group that we should not get complacent. Everyone was starting to relax as we kept going places and nothing happened. For example, one day we got lost and were driving through unnamed alleys and streets and rocky dirt roads; the driver didn't speak English and was lost, we had no interpreter, and though this wasn't a bad area, it wasn't far from one. 
I took our team leader to task, insisting that we must always take "reasonable and prudent measures."&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_u6yzSyzBnPQ/RfFwhSUSBXI/AAAAAAAAABg/0dBt1l5PX2w/s1600-h/urn.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_u6yzSyzBnPQ/RfFwhSUSBXI/AAAAAAAAABg/0dBt1l5PX2w/s320/urn.jpg" alt="" id="BLOGGER_PHOTO_ID_5039933175159194994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I told the group Bob Blakley's story about the Fallacy of Induction, that he wrote about in his Burton Group report "Managing Non-Quantifiable Risks." Imagine that you have an urn and are told it is full of red marbles and blue marbles. You can draw one marble at a time out of the urn; blue marbles are good but red marbles are very, very bad. And you can't see into the urn, so you don't know if it is full of one color marble, or mixed, and what the proportions are and if they are random or how they are distributed.&lt;br /&gt;&lt;br /&gt;So, you could draw a long string of blue marbles and go on without a care in the world, let your guard down, and then draw a red marble. Oops! So let's not let familiarity make us complacent.&lt;br /&gt;There could even be an evil child sitting above the urn, watching someone draw blue marbles, and waiting for the perfect time to drop a red marble on you. Kidnap risk, insider IT risk, and even some external hacker risks could be like that enigmatic urn.&lt;br /&gt;&lt;br /&gt;Well, I didn't talk about security the whole time on the mission trip. We did a lot of good work, putting solar panels and water pumps into a combined church, clinic and school. And it was a great trip. 
I'm still writing all about it at global-mission-trips.blogspot.com.&lt;br /&gt;&lt;br /&gt;Peace,&lt;br /&gt;Dan&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-8384695148239145656?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8384695148239145656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/8384695148239145656'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2007/03/another-blog.html' title='Haiti, Urns, and Non-Quantifiable Risks'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_u6yzSyzBnPQ/RfFuGCUSBWI/AAAAAAAAABY/l7eeRLniAtk/s72-c/blum042-R1-006-1A.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-1558339907025160766</id><published>2007-01-28T07:02:00.000-08:00</published><updated>2007-01-28T07:20:34.906-08:00</updated><title type='text'>Honey, can I have your SSN?</title><content type='html'>Interesting article today in the Washington Post  by Sara Kehaulani Goo called "Dinner, Movie -- and a Background Check -- for Online Daters."&lt;br /&gt;&lt;br /&gt;I'm one of the 31% of Americans that the article says personally know someone who is using online dating services, and for the single guy I know, one of these services has worked very well for years. If I were in his situation I'd use such sites. 
Still, there's a downside to online dating if you get hooked up with certain kinds of criminals or fall in love with a supposedly single person who's actually married.&lt;br /&gt;&lt;br /&gt;In Sara's article we can see a microcosm of identity and privacy issues - authentication, background checks, reputation services, privacy and more. In particular, some of the sites are starting to offer&lt;br /&gt;&lt;br /&gt;- criminal background checks&lt;br /&gt;- verification of marital status&lt;br /&gt;- double blind phone numbers for talking with a person anonymously&lt;br /&gt;&lt;br /&gt;Third party sites of course also offer these and other services. For example, while I haven't heard of an online dating site that offers a reputation service yet, there is one called dontdatehimgirl.com where "girls" can report serial cheating and other misdeeds of the miscreant, or why not just assassinate someone's character?&lt;br /&gt;&lt;br /&gt;This is not a reputation service in the sense of ebay or amazon, of course. Probably wouldn't want to date someone with the reputation "99.6 satisfied - feedback from 964,551 users..."&lt;br /&gt;&lt;br /&gt;Then I suppose SSN is not enough - gold diggers could pay extra to get someone's credit score.&lt;br /&gt;&lt;br /&gt;Anyway, it was an interesting article. 
Check it out at http://www.washingtonpost.com/wp-dyn/content/article/2007/01/27/AR2007012701210.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-1558339907025160766?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/1558339907025160766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/1558339907025160766'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2007/01/honey-can-i-have-your-ssn.html' title='Honey, can I have your SSN?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-2745990892009785880</id><published>2007-01-24T18:11:00.000-08:00</published><updated>2007-01-25T14:47:44.308-08:00</updated><title type='text'></title><content type='html'>&lt;p class="MsoNormal"&gt;During the most recent meeting of the International Information Integrity Institute (I-4) last year, Donn Parker gave his perspective on the organization’s history and why it was founded.&lt;/p&gt;  &lt;p&gt;Donn B. Parker is a retired (1997) senior management consultant from SRI International in &lt;st1:place st="on"&gt;&lt;st1:city st="on"&gt;Menlo Park&lt;/st1:city&gt;,  &lt;st1:state st="on"&gt;California&lt;/st1:state&gt;&lt;/st1:place&gt; who has specialized in information security and computer crime. He has written numerous books, papers, articles, and reports in his specialty based on interviews of over 200 computer criminals and reviews of the security of many large corporations. Information Security Magazine identified him as one of the five top Infosecurity Pioneers (1998). 
&lt;/p&gt;  &lt;p&gt;Perhaps his lasting achievement was to form I-4. I-4 (&lt;a href="http://i4online.com/"&gt;http://i4online.com&lt;/a&gt;) is an information sharing organization whose members comprise CISOs, CSOs and other senior security managers from corporate, government and academic organizations. I-4 has been around since 1986 to keep its members aware of the most advanced information security concepts and controls. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Donn saw the need for information sharing in the security field early on. Donn does not believe in risk assessment, but recommends doing due diligence by benchmarking, which can be facilitated by information sharing in groups like I-4. While I don’t see eye to eye with Donn on risk management, I do agree on the need for information sharing, for neither risk management nor any other information security program can be conducted in a vacuum. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Information sharing requires trust. There are many things that should not be revealed in surveys or public conferences, and yet information security practitioners desperately need to hear the real score from their peers.&lt;/p&gt;      &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Close-knit law enforcement and military communities have had such trust. This trust often extended (and still extends) into industrial and other corporate &lt;i style=""&gt;physical security&lt;/i&gt; departments, often run by retirees from the law enforcement and military communities. But &lt;i style=""&gt;information security &lt;/i&gt;is still a relatively new field, at least when computers are involved, and close-knit networks of interpersonal trust are few and far between.&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;It was for these reasons that Donn Parker and kindred spirits founded I-4. 
After a long incubation in SRI, they eventually documented 82 controls, which ultimately fed into the &lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;UK&lt;/st1:place&gt;&lt;/st1:country-region&gt;’s BS7799 which in turn evolved into ISO 17799 and ISO 27001. I-4 went into one of its heydays and eventually capped its membership at 75 so as to keep the sense of trust and confidentiality. There was even a waiting list for new members at that point.&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Through the dotcom bubble and the downturn and intervening recessions I-4 has survived. Donn Parker and Bruce Baker retired, and eventually John Thurlow took over, and now Jim Wade is the Executive Director for the organization. Loyal administrative assistants and members have carried I-4 through a number of transitions of the supporting company that provides conference and logistics support (these companies have had colorful names such as Atomic Tangerine, RedSiren and lately GeTronics).&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Fast forward to today – the good news is there’s no waiting list for I-4 currently. I recommend it – there are great people there, excellent conferences with everything under NDA and no vendor marketing, and a relatively small investment required for participation. Security professionals can pretty much get out of I-4 what they put into it; that’s the way information sharing works. They have a meeting on February 12-15 in &lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;Monterrey&lt;/st1:place&gt;&lt;/st1:city&gt;. It's not too late to plan to attend; if you are interested, you can contact their web site, or myself I suppose. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;At the end of Donn’s speech, Jim Wade brought up Donn’s wife – the “power behind the bald eagle.” What a moment! 
We could all wish for such a rich professional legacy…&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-2745990892009785880?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2745990892009785880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/2745990892009785880'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2007/01/during-international-information.html' title=''/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-116472039156482788</id><published>2006-11-28T05:25:00.000-08:00</published><updated>2006-11-29T03:11:52.943-08:00</updated><title type='text'>Security 2.0? No, Symantec 2.0? 
Maybe</title><content type='html'>&lt;p class="MsoNormal"&gt;Vendors will try anything to get attention, so I suppose one shouldn't be surprised that Symantec keeps pressing forward with a strange term like Security 2.0.&lt;br /&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;According to CIO Magazine, &lt;a title="http://www.cio-today.com/story.xhtml?story_id=1230048NUQOC&amp;nl=5" href="http://www.cio-today.com/story.xhtml?story_id=1230048NUQOC&amp;amp;nl=5"&gt;&lt;!--body--&gt;http://www.cio-today.com/story.xhtml?story_id=1230048NUQOC&amp;amp;nl=5&lt;/a&gt;, Symantec chairman and CEO John Thompson laid out his company's Security 2.0 vision, which he said is less about locking down the physical network perimeter and more about protecting digital collaboration and transactions.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Well, ok. But then Thompson went on to say that the problem of worms and viruses is largely solved…That's strange – there's a huge divergence between what Symantec’s own threat reports say and what their executive marketing pitch now is. Perhaps Symantec is worried that another vendor will move to the "forefront" of the anti-malware market (this was a pun on Microsoft's upcoming anti-virus offering in mid 2007).&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;But it's dead wrong to say malware is diminishing. In fact, it's just changing. While it is true that viruses and worms have less impact than they did at their apex in the early 2000s, the breadth of spyware, Trojan horse programs, spam and web attacks (many targeted, or “low and slow”) has greatly expanded to more than fill the gap, anti-malware solutions remain inadequate, and most organizations are still very worried. Also, recent attacks on MySpace and Second Life demonstrate once again that worms and viruses will resurface for each new computing environment. 
&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;It would be nice to see Symantec easing off the FUD gas pedal,  if they weren’t stepping on the hype pedal with the other foot.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;For if Security 2.0 is a takeoff of Web 2.0, that’s not much of a launching pad. Web 2.0 is an ill-defined term that means different things to different people. And as for security, we’ve doing it since the dawn of human civilization. The more we invent, the more things stay the same. So its not as if we should draw a line under everything heretofore and start over with Security 2.0.&lt;/p&gt;        &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Even if there is no Security 2.0, there may be a Symantec 2.0. They are fielding new products and services such as database audit software, data leakage detection, and message content filtering. &lt;o:p&gt;&lt;/o:p&gt;They later plan archiving tools to categorize and index data from e-mail and instant messaging, and an analysis tool called Discovery Accelerator for administrators to mine archived messages for legal discovery or evidence gathering.&lt;/p&gt;        &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;The substance of this is all very interesting, but Symantec might have named it better. 
It's not Security 2.0, but it is progress.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-116472039156482788?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/116472039156482788'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/116472039156482788'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/11/security-20-no-symantec-20-maybe.html' title='Security 2.0? No, Symantec 2.0? Maybe'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-116004345627240822</id><published>2006-10-05T02:47:00.000-07:00</published><updated>2006-10-24T07:30:24.860-07:00</updated><title type='text'>Is KBA a Solution or a Problem?</title><content type='html'>Is KBA (knowledge-based authentication) a solution or a problem?&lt;br /&gt;&lt;br /&gt;Depending on how it is implemented, KBA can be either.&lt;br /&gt;&lt;br /&gt;There follows a slightly edited transcript about knowledge-based authentication (KBA) that you may find illuminating. I'll bottom-line it... at the bottom!&lt;br /&gt;&lt;br /&gt;------------ original question&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; "I just got off the phone with [client]. They wanted to speak about password resets for access to [database] which is protected customer [data]. 
They’re regulated on improper access to this data and the issue has become higher profile at the company since the HP Board of Directors pretexting scandal.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; We had a good call and I was able to answer all of their questions except this one: What kinds of proofing questions are asked in audited password reset scenarios to protect valued data?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; We discussed alternatives to automated reset on the site for higher assurance (such as a phone call from the registered device of record, speaking to a human, out of band via USPS, etc.) We also discussed closing the control and audit loop through notification of access/change (via phone, email, or USPS) – so this is really just a question about the questions.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Specifically how many questions is a good threshold and what kinds of questions should be used?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Suggestions were:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; SSN&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Mother’s Maiden Name&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Street grew up&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; City born in&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Favorite color, movie, book&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Pet’s name&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span 
style="font-style: italic;"&gt; Do we have any information on this?  Know of any good references towards research I can point them to?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Thanks!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; D."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;------------ First reply&lt;br /&gt;&lt;br /&gt;I replied to this first&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;I don't like these questions personally or professionally.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; It feels I'm being asked to give out still more personal information in order to protect my personal informationl. What's wrong with this picture?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; I recommend letting the user define the questions and answers, and advising the user to put in something and completely valueless that he/she can easily remmeber, but never to user the same one twice at any site and not to put any personal information into the q/a. And then protect it as senstitive informatoin anyway.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Dan&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;----------- Reply 2&lt;br /&gt;&lt;br /&gt;And then my reply was skewered by the following comment...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;…and then write down all of the questions and answers so that you have some idea how to answer all of the questions….and then keep that list with your computer for easy reference…..&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; E.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;/span&gt;E. 
is quite correct: when I use the personal whimsical stuff I usually have forgotten it months later - what was I thinking! (or what was the syntax!). Anyway I do write it down... but then I sometimes lose the lists. I think I have a better system now but can say no more for reasons of personal security :-)&lt;br /&gt;&lt;br /&gt;------------- Reply 3&lt;br /&gt;&lt;br /&gt;More commentary follows.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"SSN and mother’s maiden name are two of my pet peeves – these in particular should never be included in the list. I’ve been suggesting using voice biometric authentication to sidestep this whole issue of self service question and answer content.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;G.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;This may just be a good idea. If the voice matching software works, scales, and the users all have microphones everywhere they go, attacks on this might be relatively difficult...&lt;br /&gt;&lt;br /&gt;But wait -&lt;br /&gt;&lt;br /&gt;----------------- Reply 4&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"All of which is precisely why my recommendation is that the business should use information which it already has (e.g. recent bill amount, etc...) - so that it’s not digging for more information and it’s not requiring you to make up something which will be hard to remember.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;B.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;----------------- Reply 5&lt;br /&gt;&lt;br /&gt;M. agrees and provides a good bottom line to the whole issue:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"Ultimately, the quantity and nature of KBA questions are like password construction rules – interesting, but maybe have little value from a security perspective. The answers may be easily guessed and administratively known. 
Applications requiring lower identity assurance may be well-matched with KBA, though.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;For applications requiring higher identity assurance, dynamic KBA (non-administratively known questions like last deposit amount in bank account) and OOB identity proofing are better.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;M."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;OOB = out of band. I think M. means that at this point the password reset (or other) system would go to a third party to proof the user's identity. This third party could be a credit bureau or some service plugged into credit bureaus, for example. More expensive, but perhaps the only option if the site is not itself a bank with lots of transaction history on the user...&lt;br /&gt;&lt;br /&gt;Bottom line:&lt;br /&gt;- KBA as often implemented with mother's maiden name is a joke&lt;br /&gt;- KBA that digs deeper into less obvious (but still guessable) personal information is slightly better but creates privacy problems&lt;br /&gt;- KBA with voice authentication may be a good idea, but there are problems with it, and the group didn't come to consensus&lt;br /&gt;- Using information the business already holds, like recent transaction amounts (what M. calls dynamic KBA), seems to be the safest approach, especially when combined with out-of-band notification of the reset&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-116004345627240822?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/116004345627240822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/116004345627240822'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/10/is-kba-solution-or-problem.html' title='Is KBA a Solution or a
Problem?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-115826669980390996</id><published>2006-09-14T13:33:00.000-07:00</published><updated>2006-09-14T13:48:13.676-07:00</updated><title type='text'>FFIEC Mitigation Update</title><content type='html'>Identerati is not as prolific as some blogs, partly because it does not usually recap other posts or news; thus its posts require a not-inconsequential time slice to create. In this case, however, the recap opportunity was just too good to pass up. And there is even a little analysis (and humor!) to add.&lt;br /&gt;&lt;br /&gt;I've known Linda Elliot for a few years, and at Digital ID World she told me about a site she is maintaining concerning published bank FFIEC mitigation status. This site is at http://www.paymentsnews.com/2006/09/ffiec_internet_.html&lt;br /&gt;&lt;br /&gt;The results show almost a clean sweep for RSA. On the other hand, Linda agreed with Burton Group's conclusion that there doesn't seem to be much enthusiasm in U.S. consumerdom for one-time password (OTP) devices. However, authentication devices are more broadly accepted in Asia-Pacific and EMEA.&lt;br /&gt;&lt;br /&gt;Related to this, I attended David Jevans' panel on crimeware. There was some discussion of a study that says consumers might adopt OTP devices after a bit of griping, especially if the banks offered to make them whole (in the event of fraud) if and only if they used the two-factor authentication. There are some European banks that are taking this approach. However, in the U.S. such guarantees seem to be worth less to consumers because we already have some potential guarantees through Reg E and state legislation. 
I'm afraid this is a very confusing area.&lt;br /&gt;&lt;br /&gt;It is also telling that Linda said she thought that the consumer adoption of opt-in OTP from E-Trade was less than 1%.&lt;br /&gt;&lt;br /&gt;So the question is, my friends, as a consumer, would you prefer an OTP, a PKI, a root canal, or to have to program your VCR?&lt;br /&gt;&lt;br /&gt;Happy authenticating!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-115826669980390996?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115826669980390996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115826669980390996'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/09/ffiec-mitigation-update.html' title='FFIEC Mitigation Update'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-115309175700751427</id><published>2006-07-16T16:10:00.000-07:00</published><updated>2006-07-16T16:19:08.260-07:00</updated><title type='text'></title><content type='html'>We are facing a not-so-perfect storm of rapidly changing business requirements, cybercrime and compliance. 
The answer to these challenges is a full-spectrum defense.&lt;br /&gt;&lt;br /&gt;Simply put, this means defense in depth plus defense in breadth.&lt;br /&gt;&lt;br /&gt;Significant technical improvements can be made to layered defenses (depth) by increasing assurances for the user, identity and system, as well as network protections.&lt;br /&gt;&lt;div id="b5c-1"&gt;                      &lt;/div&gt;                        &lt;p&gt;Gaining breadth of control is the greater challenge. The technical control system and security processes also must cover outside business partners that have become part of the extended enterprise ecosystem. Security must become part of normal business process, accountability and incentives.&lt;/p&gt;                         &lt;p&gt;Please see my &lt;a href="http://www.networkworld.com/columnists/2006/071006-cybercrime-defense.html"&gt;Network World column from July 10 &lt;/a&gt;for more detail on the notion of a full spectrum defense.&lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-115309175700751427?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115309175700751427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115309175700751427'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/07/we-are-facing-not-so-perfect-storm-of.html' title=''/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-115159026533128276</id><published>2006-06-29T06:15:00.000-07:00</published><updated>2006-06-29T07:11:05.376-07:00</updated><title type='text'>Perils and promise of self-asserted information</title><content type='html'>&lt;p class="MsoNormal"&gt;My colleague Mike Neuenschwander has been exploring the advantages of self-service updates, self-asserted attributes, and "social policing" processes. He wrote recently about a company that&lt;br /&gt;&lt;/p&gt;     &lt;p class="MsoNormal"&gt;"&lt;span style="font-style: italic;"&gt;created roles both for individuals and managers in data administration. The system enables managers to 'claim' direct reports from the corporate white pages. In doing so, the individual and other interested parties are notified of the change, allowing them to dispute the claim. Notably, no workflow-style approvals are required for a claim to be enacted—the system relies entirely on the reaction of notified parties as a policing function. Similarly, individuals can update the corporate white pages at will. The process is based on the “business card model.” That is, information printed on business cards is entirely self-asserted at the company. The self-service update feature of the corporate whitepages information therefore relies on the same social processes as business cards for ensuring data quality: the community is to a large degree self-monitoring.&lt;/span&gt;"&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;&lt;o:p&gt;Also &lt;br /&gt;&lt;br /&gt;&lt;/o:p&gt;"&lt;span style="font-style: italic;"&gt;For user-facing registration and data cleansing systems to succeed, users must be sufficiently motivated to participate in the process. 
Fortunately, a side-benefit of allowing people to manage their own address book information is that the sense of ownership improves user motivation to participate."&lt;/span&gt; &lt;/p&gt; While I think this is a promising avenue of research in the areas of business enablement and cost savings, the security implications must also be seriously considered.&lt;br /&gt;&lt;br /&gt;There is an insider threat in the notion of self-asserted information. In a large enterprise, a determined attacker with the objective to steal intellectual property, do damage, or gain unseen control on a large scale for later exploitation could get in the door as a contractor or employee and fake attributes in the business card as part of a social engineering bid to gain greater access to an objective along the way to the target. By the time the social policing function Mike describes has exposed the fake business card information for what it is and appropriate incident response steps are taken, it may be too late to stop the attack.&lt;br /&gt;&lt;br /&gt;Of course there are other ways the attacker could pose as someone else. Notably, one can use spoofcard, nextdayid.com and various other inexpensive and openly available fraudware. Nonetheless, to the degree people and processes put trust in the identity system, self-asserted information adds risk.&lt;br /&gt;&lt;br /&gt;The benefit of self-asserted attributes may outweigh the risk as long as the risk can be kept low through appropriate diversification of process and separation of sensitive processes from an IT baseline environment.&lt;br /&gt;&lt;br /&gt;It is important in any case that all medium and high risk objectives be appropriately secured at the people, process, and technology levels. 
Part of this protection is verification of identity and attributes during both electronic authorization (software) and manual authorization (wetware) processes.&lt;br /&gt;&lt;br /&gt;Where self-asserted information is used, surety might be increased where necessary through one or both of the following methods:&lt;br /&gt;&lt;br /&gt;1) Self-asserted attributes could be endorsed or timed (there is a reputation around them). Before an authorization system allows a user to access the secret molecule (or whatever) based on attribute information or roles, the authorization system should understand the extent to which it can rely on that information: who asserted it, who has endorsed it, and how long ago.&lt;br /&gt;&lt;br /&gt;2) The medium and high valued systems might use a separate directory. This would be necessary if the reputation system was judged too complex to construct, and also when access controls are enforced manually by personnel. Since people cannot be programmed to be as diligent as electronic authorization systems, the guard at the door might use a filtered directory rather than one that could contain self-asserted and unverified information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-115159026533128276?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115159026533128276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115159026533128276'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/06/perils-and-promise-of-self-asserted.html' title='Perils and promise of self-asserted information'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-115067385821585764</id><published>2006-06-18T16:30:00.000-07:00</published><updated>2006-06-18T16:37:38.226-07:00</updated><title type='text'>Advanced Id Policy Management Demonstration?</title><content type='html'>At the Burton Group Catalyst conference this July, there was a successful demonstration of SPML 2.0. But in my humble opinion, the industry needs more!&lt;br /&gt;&lt;br /&gt;I like the idea of an “Advanced Policy Management and Interoperability Demo” theme rather than a protocol theme, much like Burton Group's “Multi-Protocol Federation Interoperability” demo from 2005. It is possible that the vendors might surprise us again with their ability to make things work, creating an industry first. The more flexible and focused on customer-centric issues we are, the more likely we are to succeed in raising vendor and customer interest. Basically it's all about the same identity management tasks in a federated environment. 
The possibilities are endless.&lt;br /&gt;&lt;br /&gt;The demo could leverage multiple protocols - SAML, XACML, WS-Trust, SPML 1 and 2, Liberty, etc.&lt;br /&gt;&lt;br /&gt;Possible use cases that to my knowledge have not been demonstrated could include some easy ones (more or less in priority order):&lt;br /&gt;&lt;br /&gt;-  Provisioning new federation partner(s) or domain(s) with SAML 2.0 (or other) metadata in a turnkey manner (resolving a hard problem discovered in previous demo)&lt;br /&gt;&lt;br /&gt;-  Provisioning a federation partner or domain with users that must be pre-registered in a federation (SPML 1 or 2, or DSML 1 or 2, other)&lt;br /&gt;&lt;br /&gt;-  Revocation or de-provisioning of partner/domain/user&lt;br /&gt;&lt;br /&gt;-  Ability to manage group objects from multiple authorized federated domains, where the list of subjects crosses domains, where only authorized subjects from domains can modify the group, and where multiple applications (collaborative functions?) can be enabled/disabled based on group memberships  (SPML 1 or 2, or DSML 1 or 2, other)&lt;br /&gt;&lt;br /&gt;- Using a persistent or one-time pseudonym to access resources at multiple domains with audit, so that true identity can be ascertained during an authorized investigation – demonstrate the use of opaque pseudonym with subsequent “investigation” and discovery of the true name (multiple protocols could be involved, but an “audit site” would need to consume an “audit id” for each transaction, and the participating sites would need to use the “audit id” as a secondary key, which might or might not be different from the applicable pseudonym)&lt;br /&gt;&lt;br /&gt;-  Dynamic attribute exchange (not preconfigured in the federation, but restricted within the bounds of policy) for use in authorization at the relying party (RP) domain (SAML, WS-Trust, ID-WSF, other)&lt;br /&gt;&lt;br /&gt;-  Multiple types of OTP, biometric, smartcard, and exotic authentication methods required to 
access different levels of application– demonstrate ability to access application only with appropriate token (WS-Trust used as credential selector, SAML, X.509, XCBF used as token formats)&lt;br /&gt;&lt;br /&gt;Relatively easy but likely to have limited number of participants&lt;br /&gt;&lt;br /&gt;-   Provisioning of policy via some combination of XACML, UDDI, and WS-SecurityPolicy from a PAP to multi-vendor PDPs&lt;br /&gt;&lt;br /&gt;-  Authorization decision assertion req/rsp to/from RP to a centralized PDP&lt;br /&gt;&lt;br /&gt;And some hard ones but which could be very valuable to customers:&lt;br /&gt;&lt;br /&gt;-  Extend SAML 2.0 metadata to encapsulate XACML declarations of the authorization decisions that a PDP is prepared to make, allowing RPs to discover the appropriate PDPs for an application&lt;br /&gt;&lt;br /&gt;-  Federated one time password (OTP) tokens (simple token used to access multiple sites)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-115067385821585764?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115067385821585764'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/115067385821585764'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/06/advanced-id-policy-management.html' title='Advanced Id Policy Management Demonstration?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-114630687634708801</id><published>2006-04-29T03:18:00.000-07:00</published><updated>2006-04-29T03:34:36.363-07:00</updated><title 
type='text'>Deperimeterization and Irresponsible Security</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;br /&gt;Last week at the Infosecurity Europe conference I participated in, and lost, a debate on deperimeterization. I fear that I'm not alone; other security people may also be losing this debate, but in situations where the stakes are for real.&lt;br /&gt;&lt;br /&gt;The debate was held Oxford style, with two 5-minute opening propositions, two responses, questions from the floor and finally a proposition and opposition summary. At the end the audience would select the winner by show of hands.&lt;br /&gt;&lt;br /&gt;The proposition for the debate was '&lt;b&gt;This House Believes that Responsible Security Architecture is Based on the De-perimeterised Paradigm&lt;/b&gt;'&lt;br /&gt;&lt;br /&gt;I was in the opposition along with Mark Waghorne from KPMG. We had prepared somewhat. On a cell phone on a train speeding towards Zurich two days before, I had agreed with Mark that he would go first because he seemed to understand Oxford debate formats well. He said all we had to do was to disprove some aspect of the proposition and we would win. Ha!&lt;br /&gt;&lt;br /&gt;Jericho Forum members and CISOs Nick Bleech and Paul Simmons made the classic deperimeterization argument that outsourcers, telecommuters, wireless users, business partners and so on have broken down the boundaries. "&lt;i&gt;The world has moved on&lt;/i&gt;," Paul said. In the deperimeterized world, they argued, we must all establish a five-year vision of secure endpoints and secure protocols with transparent borders. Perimeters tend to get in the way of business and must be phased out over the long term.&lt;br /&gt;&lt;br /&gt;Mark and I got to work for the opposition. Yes, deperimeterization is a fact of life and we have to support it. 
However, we must recognize that we are dealing with widely distributed environments comprising at least some untrusted users and semi-trusted or untrusted host computers. We have limited capabilities to mitigate this environment, and the situation may not get better even in five years. How much functionality to support in deperimeterized environments comes down to a risk-based decision. "&lt;i&gt;If you go too far with the deperimeterized architecture it leads to irresponsible security and your organization will rue the day,&lt;/i&gt;" I said.&lt;br /&gt;&lt;br /&gt;At which point the moderator Richard Starnes from ISSA observed: "I think the fangs are starting to show."&lt;br /&gt;&lt;br /&gt;During my time and during the Q&amp;A I set forth my research service's analytical conclusions. There are three classes of mechanisms that can protect information: &lt;b&gt;filters&lt;/b&gt;, &lt;b&gt;transforms &lt;/b&gt;and &lt;b&gt;enclaves&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;Filters keep known good content within some boundary and prevent undesired information from entering or leaving enterprise environments. But they are subject to time-based attacks, steganography, and obfuscation. This is why we still get spam.&lt;br /&gt;&lt;br /&gt;Transforms include encryption or signing to protect confidentiality or integrity of content between distributed users. But users are unreliable (try a web search on "why Johnny can't encrypt"). Also, in widely distributed heterogeneous environments there are many vulnerabilities in implementations, and seams between implementations, that attackers can exploit. Rights management attempts to protect the content even from its recipient and as such suffers some of the same crypto issues and may be actively attacked by its own users. 
Encryption also introduces recovery and availability issues and can be a management nightmare.&lt;br /&gt;&lt;br /&gt;Enclaves are groupings of users and computers that can communicate securely together and keep the rest of the world out. They can be achieved through various mechanisms including network separation and isolation. The hardened, dedicated firewall is in general a higher surety solution than enclaves created with cryptographic or identity-based access controls. And the hardened, dedicated firewall offers higher surety than most filter or transform mechanisms have.&lt;br /&gt;&lt;br /&gt;My security research service at Burton Group recommends that enterprises leave the hard shell, soft chewy center architecture behind and create internal perimeters to establish zones of trust. Enterprises should have restricted zones that are inaccessible from the internet for things like trading, manufacturing control, and credit card databases. They should have outer zones for extranets or visitors, and business zones on facilities that could be extended through VPN.&lt;br /&gt;&lt;br /&gt;Our opponents then countered that they had zones all over the place and kept having to change them, and that none of the restricted zones could be isolated. Yes, I replied, but that's what secure proxies are for: the restricted zone stays closed to direct connections, and the few flows that must cross its boundary go through a hardened, application-aware proxy that the zone owner controls and logs.&lt;br /&gt;&lt;br /&gt;At the end the proponents closed by repeating "the world has moved on" and we can envision these new security technologies that will be great for business. As I mentioned earlier, they won the vote.&lt;/p&gt; &lt;p class="MsoNormal"&gt; It might have helped if I had said what I thought of later: "&lt;i&gt;The world has &lt;/i&gt;not &lt;i&gt;moved on. Human nature hasn't changed. The nature of markets hasn't changed. 
Haven't we learned - there is no new economy.&lt;/i&gt; In the five-year vision time frame we still won't control all the users and systems in the deperimeterized environment, software vendors may still continue to favor convenience over security, and business constituents may often opt for the cheap but less secure solution. Many users will certainly continue to be lazy or naïve. Criminals and attackers certainly aren't going away. &lt;i&gt;In this environment, how could responsible security architecture not preserve the option to make considerable use of firewalls as a strong separation defense&lt;/i&gt;?"&lt;br /&gt;&lt;br /&gt;That we lost this debate is, I think, a triumph of wishful thinking on the part of that audience and perhaps others.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-114630687634708801?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/114630687634708801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/114630687634708801'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/04/deperimeterization-and-irresponsible.html' title='Deperimeterization and Irresponsible Security'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-114140302227625571</id><published>2006-03-03T08:09:00.000-08:00</published><updated>2006-03-03T08:32:09.886-08:00</updated><title type='text'>Timidity Trumps Trustworthy Computing</title><content type='html'>Last year following a great demo of the potential 
dangers of remote-control trojans and increased awareness of crimeware, I tiptoed around my keyboard for months, hardly daring to do any online banking except from behind my own firewalls of various kinds. But in discussions with my fellow analysts it became clear that phishers were still doing just fine with basic redirection and deception attacks. The bankrobber trojans I was worried about probably didn't exist yet, might not even be very practical, and in any case the latest versions of my anti-virus tool seem to be scanning for spyware, so that's all good. But now...&lt;br /&gt;&lt;a href="http://news.com.com/new+trojans+plunder+bank+accounts/2100-7349_3-6041173.html"&gt;http://news.com.com/new+trojans+plunder+bank+accounts/2100-7349_3-6041173.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;They're here. Stealthy rootkit bankrobber trojans are starting to make their appearance on the Internet and, as these become integrated with burgeoning crimeware, they are further eroding consumer confidence in Internet banking.&lt;br /&gt;&lt;br /&gt;I also found out that Brazil apparently has the unenviable distinction of being about 3 years ahead of other countries in terms of the client malware targeting banks. 
The scary thing about client malware is that it can do whatever the user can do; no amount of strong authentication, customer education, or even fraud detection really helps with this threat.&lt;br /&gt;&lt;br /&gt;Improved system assurance is one approach that can help, and in that regard we're going to need the Trusted Computing Group (TCG) Trusted Platform Modules (TPMs) as another layer of defense against host-based crimeware. And TPM is happening way too slowly.&lt;br /&gt;&lt;br /&gt;TPM could help increase user confidence that their computer has not become some evil being bent on their financial destruction by validating that key OS modules and even applications have not been compromised by malicious host-resident software. The TPM, a little chip on your motherboard, has its own private key and its own trusted code execution space, and it gets a look at your computer while it's booting up. It can check hashes to make sure files haven't been modified.&lt;br /&gt;&lt;br /&gt;Sound simple? Not! What about when you add new applications or patch the OS? The hashes need to be kept up to date for the TPM. What's to stop crimeware from modifying the hashes itself? The wonders of cryptography, of course! How do you manage this if you're an enterprise? Let's see, throw some directories and policies at the problem. Fine. The industry can do all this but it's going to take significant work. Unfortunately, the powers that be are doing this only at a glacial pace.&lt;br /&gt;&lt;br /&gt;One would think the OS vendors should be working on TPM as a top priority, but that doesn't appear to be the case. Microsoft Vista will only support TPM for full volume encryption and secure startup (boot) and only from TPM V2, which has less installed base presence than TPM V1. Microsoft Vista's support for TPM will probably not be enough to deter all rootkits. From Apple, we hear only rumors. 
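To make the mechanism sketched in the paragraphs above concrete, here is an added example (mine, not code from the original post, from Microsoft or from the TCG): a plain-Python simulation of a TPM Platform Configuration Register being extended with the hash of each boot component and compared against a reference manifest of known-good hashes. The manifest carries a keyed HMAC tag as a stand-in for the digital signature a real whitelist would carry; the component blobs, the key and the "rootkit" are all constructed for the demo. It walks through the three situations the post raises: a modified kernel changes the PCR, malware that also edits the manifest cannot re-tag it, and a legitimate patch only verifies once the key holder re-issues the manifest.

```python
import hashlib
import hmac

# Constructed demo data (assumptions, not real firmware or TPM material).
BOOT_COMPONENTS = [b"bootloader build 1", b"kernel build 1", b"av-driver build 1"]
PATCHED_KERNEL = b"kernel build 2"
TROJANED_KERNEL = b"kernel build 1 + rootkit"
MANIFEST_KEY = b"demo-secret-held-by-the-verifier"


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TCG extend operation: PCR_new = SHA-256(PCR_old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """What the TPM records: every component folded into one PCR, in boot order."""
    pcr = bytes(32)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def make_manifest(components, key):
    """Reference manifest: the known-good hash of each component plus a keyed tag.

    The HMAC tag stands in for the digital signature a real whitelist would carry.
    Whoever holds the key (enterprise or OS vendor) must re-tag the manifest after
    every legitimate patch, which is the management cost the post points at.
    """
    hashes = [hashlib.sha256(blob).digest() for blob in components]
    tag = hmac.new(key, b"".join(hashes), hashlib.sha256).digest()
    return hashes, tag


def expected_pcr(hashes):
    """Replay the extend chain over the reference hashes to predict the clean PCR."""
    pcr = bytes(32)
    for h in hashes:
        pcr = hashlib.sha256(pcr + h).digest()
    return pcr


def attest(components, manifest, key):
    """Return (manifest_authentic, platform_clean)."""
    hashes, tag = manifest
    check = hmac.new(key, b"".join(hashes), hashlib.sha256).digest()
    if not hmac.compare_digest(check, tag):
        return False, False   # manifest was altered: nothing it says can be trusted
    return True, measure_boot(components) == expected_pcr(hashes)


def scenario_clean():
    manifest = make_manifest(BOOT_COMPONENTS, MANIFEST_KEY)
    return attest(BOOT_COMPONENTS, manifest, MANIFEST_KEY)


def scenario_rootkit():
    """Kernel modified on disk; manifest untouched, so the PCR no longer matches."""
    booted = [BOOT_COMPONENTS[0], TROJANED_KERNEL, BOOT_COMPONENTS[2]]
    return attest(booted, make_manifest(BOOT_COMPONENTS, MANIFEST_KEY), MANIFEST_KEY)


def scenario_rootkit_edits_manifest():
    """Malware also rewrites the reference hash but cannot recompute the keyed tag."""
    booted = [BOOT_COMPONENTS[0], TROJANED_KERNEL, BOOT_COMPONENTS[2]]
    hashes, tag = make_manifest(BOOT_COMPONENTS, MANIFEST_KEY)
    hashes[1] = hashlib.sha256(TROJANED_KERNEL).digest()
    return attest(booted, (hashes, tag), MANIFEST_KEY)


def scenario_legitimate_patch():
    """An OS patch fails against the stale manifest and passes once it is re-issued."""
    booted = [BOOT_COMPONENTS[0], PATCHED_KERNEL, BOOT_COMPONENTS[2]]
    stale = attest(booted, make_manifest(BOOT_COMPONENTS, MANIFEST_KEY), MANIFEST_KEY)
    fresh = attest(booted, make_manifest(booted, MANIFEST_KEY), MANIFEST_KEY)
    return stale, fresh


if __name__ == "__main__":
    print("clean boot:", scenario_clean())
    print("rootkit, manifest untouched:", scenario_rootkit())
    print("rootkit, manifest edited too:", scenario_rootkit_edits_manifest())
    print("patch before/after re-tagging:", scenario_legitimate_patch())
```

Run it directly to print the four outcomes. Two things the simulation collapses that matter in practice: a real TPM never hands the PCR value to a remote verifier in the clear but returns a quote signed by an attestation key held inside the chip, and the manifest and its key live with the verifier rather than on the (possibly compromised) host. That separation is what keeps host-resident crimeware from forging either side of the comparison.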
IBM was a strong supporter of TPM until it sold out to Lenovo in China.&lt;br /&gt;&lt;br /&gt;The new Microsoft Vista will only have TPM support in the expensive versions of Windows - Vista Ultimate and Vista Enterprise. Not in Vista Home or Vista Business. This is a huge missed opportunity, or missed march. What kind of message does this send to computer vendors? Not yet, is the message. A few dollars can be transferred to the bottom line rather than to the motherboard, it says. So still more untrustworthy computers are rolling off the assembly lines every day.&lt;br /&gt;&lt;br /&gt;Microsoft's explanation for not putting TPM on Vista Home or Vista Business is that individual users are not capable of backing up the encryption keys, leaving them in danger of losing all their information because, in the event of a computer failure, the hard drive cannot be decrypted. Bad news to be sure. But why couldn't Microsoft have shipped their "BitLocker Drive Encryption" module with all versions of the OS but left it disabled until some key escrow services appeared to activate it?&lt;br /&gt;&lt;br /&gt;We seem to have missed a march on trustworthy computing. 
Again.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-114140302227625571?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/114140302227625571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/114140302227625571'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2006/03/timidity-trumps-trustworthy-computing.html' title='Timidity Trumps Trustworthy Computing'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-113294063062878581</id><published>2005-11-25T09:37:00.000-08:00</published><updated>2005-11-25T09:43:50.643-08:00</updated><title type='text'>What is the value of identity?</title><content type='html'>John Madelin of RSA writes on this subject in his blog at &lt;span style="font-size: 10pt; font-family: Arial;" lang="EN-GB"&gt;&lt;a href="http://www.rsasecurity.com/blog/entry.asp?id=1039"&gt;http://www.rsasecurity.com/blog/entry.asp?id=1039&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I think that virtual identity has one value to the individual, another value to the employer, and yet another value to the service provider or merchant.&lt;br /&gt;&lt;br /&gt;Value of virtual identity to the individual is&lt;br /&gt;- the importance of the functions that can be performed with it&lt;br /&gt;- the persistence (or inconvenience of replacing that virtual identity)&lt;br /&gt;&lt;br /&gt;Value of virtual identity to the employer&lt;br /&gt;- the extent to which it reduces risk of unauthorized access to the network&lt;br /&gt;- the extent to which it increases employee 
productivity&lt;br /&gt;&lt;br /&gt;Value of virtual identity to the service provider or merchant&lt;br /&gt;- the extent to which they can monetize that virtual identity through sales, customer loyalty, advertising, exchange of lists, or other means&lt;br /&gt;&lt;br /&gt;To me, the most valuable identities would be those of my main bank account, my employer, and my client-based SSO tool. After that none of them have much value today.&lt;br /&gt;&lt;br /&gt;Dan&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-113294063062878581?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/113294063062878581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/113294063062878581'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/11/what-is-value-of-identity.html' title='What is the value of identity?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112963952350566248</id><published>2005-10-18T05:30:00.000-07:00</published><updated>2005-10-18T05:45:23.513-07:00</updated><title type='text'>Why strong authentication won´t fix phishing</title><content type='html'>I was chatting with a representative from Swivel, the vendor of a product called PinSafe that delivers one-time passwords (OTP) over cell phones, browsers, or smart phones and PDAs in order to strengthen authentication.&lt;br /&gt;&lt;br /&gt;One would think this would be an ideal solution for banking customers, most of whom have cell phones and might gladly opt into any opportunity to strengthen 
their online account protection. PinSafe turns the phone into a second authentication factor, and to use it one doesn't even have to be within coverage; Swivel's Java applet will save several OTPs for later use. However, it turns out that the banks are not as interested in OTP solutions as one might expect.&lt;br /&gt;&lt;br /&gt;Why not? Because OTP solutions have a glaring vulnerability in this day and age: they fall to the man-in-the-middle (MITM) attack. Once the user has been diverted to a site masquerading as the bank, for example, the MITM simply passes the user's keystrokes along. While the OTP goes to the user's phone and not the MITM, the MITM still gets the passphrase from the user.&lt;br /&gt;&lt;br /&gt;The only authentication solutions that resist MITM are those that are tied to a cryptographic signing device and contain entropy which the MITM cannot reproduce. But such solutions are generally not portable unless a smartcard is used, and smartcards are hard to deploy to systems the enterprise does not control.&lt;br /&gt;&lt;br /&gt;Banks could use detection, analyzing addresses to distinguish a MITM (whose address or address range may recur across multiple sessions) from a user who is only engaged in a single session. While this solution isn't foolproof, it doesn't have to engage the user so much and there is no implicit promise to the user that it will always be successful. 
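An added example, written for this page and not taken from the original post, from Swivel or from any bank, that plays out both halves of the argument above in Python. The first part relays an out-of-band OTP through a phishing site and shows the bank accepting it. The second part uses a challenge signed by a device the user holds, with the signature bound to the origin the browser is actually talking to, so a challenge relayed through the phisher's origin fails to verify; that origin binding is the detail the post's "entropy which the MITM cannot reproduce" needs in order to work, since a signed nonce on its own can still be relayed. The third part is the detection idea from the last paragraph: one source address authenticating many accounts in a short window. HMAC stands in for the device's signature, and the seeds, origins and login records are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed demo material (assumptions, not real banking or vendor data).
PHONE_SEED = b"seed-provisioned-to-the-users-phone"      # shared with the bank
DEVICE_KEY = b"key-sealed-in-the-users-signing-device"   # stand-in for a private key
BANK_ORIGIN = "https://bank.example"                     # the genuine site
PHISH_ORIGIN = "https://bank-login.example"              # the attacker's look-alike


class Bank:
    """Verifier side for both authentication schemes."""

    def __init__(self):
        self.pending = {}

    # Scheme 1: one-time password pushed to the phone, typed back by the user.
    def issue_otp(self, user):
        counter = secrets.randbits(32).to_bytes(4, "big")
        otp = hmac.new(PHONE_SEED, counter, hashlib.sha256).hexdigest()[:6]
        self.pending[user] = otp
        return otp                      # what appears on the user's phone

    def check_otp(self, user, typed):
        return hmac.compare_digest(self.pending.get(user, ""), typed)

    # Scheme 2: a random challenge that the user's device signs together with
    # the origin it is talking to; the bank verifies against its own origin.
    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def check_signature(self, user, signature):
        msg = self.pending[user] + BANK_ORIGIN.encode()
        expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def device_sign(nonce, origin_seen_by_browser):
    """The signing device commits to the origin the browser actually reached."""
    msg = nonce + origin_seen_by_browser.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def otp_relay_attack():
    """Alice is on the phishing page; the attacker forwards whatever she types."""
    bank = Bank()
    shown_on_phone = bank.issue_otp("alice")
    typed_into_phish = shown_on_phone                  # Alice reads it off her phone
    return bank.check_otp("alice", typed_into_phish)   # relayed verbatim: accepted


def signed_challenge_relay_attack():
    """Same relay against the signing device: the origin in the signature is wrong."""
    bank = Bank()
    nonce = bank.issue_challenge("alice")       # attacker forwards the bank's nonce
    sig = device_sign(nonce, PHISH_ORIGIN)      # device signs for the site it sees
    return bank.check_signature("alice", sig)   # bank expects BANK_ORIGIN: rejected


def signed_challenge_legit():
    bank = Bank()
    nonce = bank.issue_challenge("alice")
    return bank.check_signature("alice", device_sign(nonce, BANK_ORIGIN))


# Constructed login records: (source address, account, minute of the hour). A
# proxying MITM shows up as one address authenticating many accounts quickly.
LOGINS = [
    ("198.51.100.7", "alice", 1), ("198.51.100.7", "bob", 1),
    ("198.51.100.7", "carol", 2), ("198.51.100.7", "dave", 3),
    ("203.0.113.5", "erin", 1), ("203.0.113.9", "frank", 4),
]


def suspicious_sources(logins, window_minutes=5, max_accounts=2):
    """Addresses that authenticated more than max_accounts distinct users inside
    any window_minutes span. A shared NAT or corporate proxy trips this too,
    which is why the post frames detection as a signal rather than a promise."""
    by_ip = defaultdict(list)
    for ip, account, minute in logins:
        by_ip[ip].append((minute, account))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {acct for m, acct in events[i:] if window_minutes >= m - start}
            if len(in_window) > max_accounts:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    print("OTP relayed via phishing site accepted:", otp_relay_attack())
    print("Signed challenge relayed via phishing site accepted:", signed_challenge_relay_attack())
    print("Signed challenge from genuine origin accepted:", signed_challenge_legit())
    print("Sources flagged by the login monitor:", suspicious_sources(LOGINS))
```

The OTP path fails for exactly the reason the post gives: the bank verifies a value the user can read and retype, so anything the user can relay, the attacker can relay. The device path holds only because the browser, not the user, tells the device which origin it reached; a device that signed the bare nonce would be relayable too. The monitor's thresholds are placeholders to tune against real traffic.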
Small wonder banks aren't flocking to strong authentication...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112963952350566248?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112963952350566248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112963952350566248'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/10/why-strong-authentication-wont-fix.html' title='Why strong authentication won´t fix phishing'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112963851143980903</id><published>2005-10-18T05:17:00.000-07:00</published><updated>2005-10-27T15:39:10.373-07:00</updated><title type='text'>Global regulations, the conflicting nightmare</title><content type='html'>One of the highlights of the RSA European Conference "Information Security - An international challenge demands a global response" was a set of anecdotes on how it is impossible to comply with the Sarbanes-Oxley Act (SOX) and French law at the same time. Following up with some security people later, I discovered this was a relatively well known problem that has nothing to do with technology, but does touch on different cultures' positions on privacy.&lt;br /&gt;&lt;br /&gt;There are two issues - one has to do with the prequalification of auditors, but the big one concerns the SOX requirement to provide an anonymous line for whistleblowers who might reveal financial skulduggery. While such a rule might merely raise eyebrows in the U.S., 
where the stigma around informing on your colleagues is relatively mild, it raises hackles in France, which has a huge cultural stigma against informers, perhaps dating back to the time of the Vichy government.&lt;br /&gt;&lt;br /&gt;French data protection laws outlaw anonymous whistleblower lines, which could be used maliciously to hurt a person's reputation. Thus, McDonald's and other companies have been fined by the French for creating a SOX anonymous whistleblower's line in France.&lt;br /&gt;&lt;br /&gt;There are some sneaky workarounds to this problem, but I can't talk about them publicly for fear of ruining their effectiveness...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112963851143980903?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112963851143980903'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112963851143980903'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/10/global-regulations-conflicting.html' title='Global regulations, the conflicting nightmare'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112817722222983024</id><published>2005-10-01T07:32:00.000-07:00</published><updated>2005-10-01T07:33:42.240-07:00</updated><title type='text'>Gartner sound bite oversimplifies: "Ignore Longhorn and stick with XP"</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;Because WinFS will not be part of Longhorn, Gartner reportedly argues that Longhorn (Windows Vista and Windows 
Longhorn Server) is just a transitional release primarily designed to stoke up revenue and smooth the feathers of Windows Software Assurance customers who expect some value for their annual license tribute. See&lt;br /&gt;&lt;a href="http://www.techworld.com/opsys/news/index.cfm?NewsID=2213"&gt;&lt;span style="color: windowtext; text-decoration: none;"&gt;http://www.techworld.com/opsys/news/index.cfm?NewsID=2213&lt;/span&gt;&lt;/a&gt; for an article on that subject.&lt;/span&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;This is actually a gross Gartner oversimplification of the issues. Although the long-awaited WinFS relational file system revolution slips yet again, in fact Windows Vista will have many other features that have value.&lt;/span&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;Thus, Peter O'Kelly and I from Burton Group do not agree that the Longhorn releases should be ignored, but we do find that enterprises can take their time about migration, probably deferring to dovetail with their upcoming hardware refresh cycles.&lt;/span&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;The primary reason enterprises can take a leisurely pace is not WinFS; it is that Microsoft plans to back port many of the valuable features of Longhorn to XP and/or Windows Server 2003, including the Windows Communication Foundation (aka Indigo) and much of the Windows Presentation Foundation (aka Avalon). 
Microsoft is primarily doing the back porting to woo developers, but enterprises get the benefit too.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112817722222983024?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112817722222983024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112817722222983024'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/10/gartner-sound-bite-oversimplifies.html' title='Gartner sound bite oversimplifies: &quot;Ignore Longhorn and stick with XP&quot;'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112721836457096978</id><published>2005-09-20T05:05:00.000-07:00</published><updated>2005-09-20T05:12:44.576-07:00</updated><title type='text'>Spam and identity management</title><content type='html'>A colleague suggested that I turn off comments on &lt;span style="font-style: italic;"&gt;identerati &lt;/span&gt;because I'm getting comment spam! Like insects, the spammers seem to be infinitely adaptable, and perhaps they will ultimately take over the internet, much as insects may ultimately take over the earth. Is &lt;span style="font-style: italic;"&gt;that&lt;/span&gt; what Christ meant when he said "The meek shall inherit the earth?" Who knows! 
For now I will leave comments on because not all my comments are spam, but I will certainly monitor this situation.&lt;br /&gt;&lt;br /&gt;Speaking more technically now, spam is in many ways an identity management problem, or at least one subject to identity management solutions (blacklist / whitelist).&lt;br /&gt;&lt;br /&gt;It seems to me that those of us discussing identity management on the net should be eminently qualified to create some sort of reputation-based community. The members of the community would be allowed to comment; others requesting to comment would be redirected to the reputation system where they would have to create an account with the community. Comment spammers could be reported to the community, investigated by the moderator, and removed from the whitelist.&lt;br /&gt;&lt;br /&gt;I suspect that Identity Commons or any of the other fledgling identity systems might be able to accommodate the community, but we'd have to get Blogger and other operators to wire the comments interface to the reputation system...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112721836457096978?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112721836457096978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112721836457096978'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/09/spam-and-identity-management.html' title='Spam and identity management'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112673661118351870</id><published>2005-09-14T15:19:00.000-07:00</published><updated>2005-09-14T15:25:50.910-07:00</updated><title type='text'>The Microsoft PDC 2005 begins...</title><content type='html'>&lt;p class="MsoNormal"&gt;Based on my first day of the PDC, it seems that:&lt;/p&gt; &lt;ul style="margin-top: 0in;" type="disc"&gt; &lt;li class="MsoNormal"&gt;Vista and Office 12 are visually and functionally impressive;&lt;/li&gt;&lt;li class="MsoNormal"&gt;They may come out on December 32&lt;sup&gt;nd&lt;/sup&gt; of 2006 (so to speak :-) );&lt;/li&gt;&lt;li class="MsoNormal"&gt;Microsoft is trying hard to create a smooth transition for developers and customers;&lt;/li&gt;&lt;li class="MsoNormal"&gt;There will be security improvements, but much risk will remain in the increased complexity of the new behavior;&lt;/li&gt;&lt;li class="MsoNormal"&gt;We haven't identified compelling reasons for enterprise customers to rush into deployment.&lt;/li&gt; &lt;/ul&gt; &lt;p class="MsoNormal"&gt;Bill Gates began by saying Microsoft had originally wanted to make Windows “as secure and reliable as the electrical network” but that was before the LA blackout of September 12, 2005. Today, he would amend the goal to “as secure and reliable as the electrical network should be.”&lt;/p&gt; &lt;p class="MsoNormal"&gt;Next, he appeared in a video with the ultra-modern-nerd character Jon Heder who starred in Napoleon Dynamite. 
It was kind of cool to see Bill on skates being pulled by Jon on a bike…&lt;/p&gt; &lt;p class="MsoNormal"&gt;These were the most interesting parts of his presentation, which went on to discuss trends in the industry and in Microsoft’s platforms. The subsequent presentations and demonstrations by vice presidents and technical staff were more informative and, since I hadn’t focused much on what Microsoft might release in 2006 or 2007 yet, somewhat of a primer on Windows Vista and Office 12.&lt;/p&gt; &lt;p class="MsoNormal"&gt;As these releases, now forecast for the “second half of 2006”, draw closer, “Avalon” has been renamed the Windows Presentation Foundation and “Indigo” the Windows Communication Foundation. They sit alongside “WinFS”, or the “Windows Data Foundation”, over the “Base OS”. Problem is, “WinFS” will come later and is less defined.&lt;/p&gt; &lt;p class="MsoNormal"&gt;Over and over again, the demos highlighted Vista’s “beautiful graphics”, which will surely enrich the graphics card vendors. But they also showed a number of handy features planned for Vista, including virtual folders, a quick search box, an integrated RSS store, sidebar applications, SideShow (which can run in a little window on the back of your turned-off laptop), and a parental controls platform (for use, they said, if your two-year-old isn’t quite ready for Grand Theft Auto).&lt;/p&gt; &lt;p class="MsoNormal"&gt;As a user, I was most impressed by the enhancements in Excel and PowerPoint when coupled with the SharePoint collaboration server. 
My homework assignment, however, is now to find out whether their file formats will be backward compatible, and what is going to happen to Exchange collaboration (barely mentioned).&lt;/p&gt; &lt;p class="MsoNormal"&gt;As a security analyst, I am hopeful. The anti-phishing UI improvements, which flag suspicious sites and can suppress known phishing sites; the user account protection feature, whereby most applications should not need to run as the Windows equivalent of root; a protected mode of IE7 that allows one to go to the worst web sites in a sandbox; and full volume encryption all sound promising.&lt;/p&gt; &lt;p class="MsoNormal"&gt;A few words were also said about InfoCard; I hope to learn more about that today.&lt;/p&gt; &lt;p class="MsoNormal"&gt;And there’s lots more good, detailed information about Microsoft’s PDC in my colleague &lt;a href="http://pbokelly.blogspot.com/"&gt;Peter O’Kelly’s blog&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112673661118351870?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112673661118351870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112673661118351870'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/09/microsoft-pdc-2005-begins.html' title='The Microsoft PDC 2005 begins...'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112195681485098321</id><published>2005-07-21T07:37:00.000-07:00</published><updated>2005-07-21T07:40:14.856-07:00</updated><title type='text'>North American Catalyst 2005 and the federation demo</title><content type='html'>This was a great conference. I felt that the multi-protocol federation demo was a historic moment. Jamie Lewis has already written about it at &lt;a href="http://www.burtongroupblogs.com/jamielewis/2005/07/catalyst_intero.html"&gt;http://www.burtongroupblogs.com/jamielewis/2005/07/catalyst_intero.html&lt;/a&gt;,&lt;br /&gt;which also links to a Network World article.&lt;br /&gt;&lt;br /&gt;We'll be writing more about this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112195681485098321?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112195681485098321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112195681485098321'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/07/north-american-catalyst-2005-and.html' title='North American Catalyst 2005 and the federation demo'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-112195663343887525</id><published>2005-07-21T06:44:00.000-07:00</published><updated>2005-07-21T07:40:42.933-07:00</updated><title type='text'>Liberty Alliance Identity Theft Summit</title><content type='html'>I attended part of a Liberty Alliance identity theft summit in Chicago yesterday. 
They had booked out most of the mezzanine of the downtown Radisson hotel for this summit and a separate deployment conference. Both had about 50 people, drawing both from Liberty membership and from interested parties.&lt;br /&gt;&lt;br /&gt;The meeting was attended by various vendors, financial services firms, telecommunications firms, and miscellaneous others. There was an employee from one of the major credit bureau companies in the back, but he was as quiet as a mouse. Can't say I blame him.&lt;br /&gt;&lt;br /&gt;My sense is that Liberty is still running on its initial momentum from ID-FF, but looking for a new vision to take the organization forward. They are just starting to explore the problem of identity theft, but don't have any specific positions or plans yet. The following kinds of interests seemed to be represented in the meeting.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;IT departments: &lt;/span&gt;Very concerned that public furor over id theft would lead to burdensome legislation - another SOX or HIPAA.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Data custodians: &lt;/span&gt;Deer in the headlights, especially when someone from the FTC said that slowly but surely the door would be opened for class action suits in the wake of breaches (which Jamie Lewis calls "data spills"). Scott Blackmer had indicated to me when I talked with him at Catalyst that eventually class action suits could claim something like $500 per affected individual without having to prove the identity was actually exploited. 
This had something to do with the Fair Credit Reporting Act.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Vendors: &lt;/span&gt;Hoping that some prescriptive foolishness such as requiring encryption would foster their sales.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Enlightened individuals (possibly belonging to any of the above groups): &lt;/span&gt;Recognizing the magnitude of this problem, the absence of simple solutions, and the poor state of privacy laws and credit practices in the U.S. Self-satisfied Europeans in the audience repeatedly had fun at our expense. Can't blame them either.&lt;br /&gt;&lt;br /&gt;Donal O'Shea, the new Executive Director, compared identity theft to the problems of highwaymen in England and the pirates on the high seas. Until order can be established in the transportation and communications environment, commerce will be hampered. They introduced the notion of federation for any newbies in the room. They presented a matrix of attacks and mitigations for identity theft. There was much discussion about the definition of a breach, and the dismal state of user education and preparedness. Then it was time for industry speakers.&lt;br /&gt;&lt;br /&gt;Paul Kurtz from the Cyber Security Industry Alliance (CSIA) spoke on pending pre-emptive Federal legislation, such as the draft Nelson-Smith bill. These bills could be quite far reaching, but would likely leave it to the FTC to define prescriptive measures - the so-called "best practices." One vendor in the audience commented that what we really needed were definitions of breach, PII, custodian responsibilities, etc.&lt;br /&gt;&lt;br /&gt;David Jevans from the Anti-Phishing Working Group, which runs a data sharing network of phishing URLs, warned the audience not to underestimate the power of social engineering. Social engineering includes clever emails, typosquatting, and cousin domains. He said we (the U.S.) 
are our own worst enemies, hosting many phishing/pharming sites. Next most numerous our sites in the Chinese countries, which are hard to shut down because someone has to speak Chinese to even talk to the web site operators.&lt;br /&gt;&lt;br /&gt;There's quite a lot of crimeware out there fake toolbars, keyloggers, cut&amp;past loggers, dns hijackers, session hijacking &amp;amp; trojans, and trasaction generators. Some keyloggers are targetting specific industry sectors or companies; worm/virus people are now doing keyloggers, or cut and paste loggers. Signatures defenses can't keep up with mutating variants.&lt;br /&gt;&lt;br /&gt;Jonathan Rusch from the Department of Justice spoke about various cases of identity theft they had prosecuted. He also talked about the identity theft laws, which are reasonably robust. It is not difficult to prosecute identity theft in this country.&lt;br /&gt;&lt;br /&gt;I spoke also about identity theft being a complex problem that defies simple solutions. The good news about federation is that it reduces the need to copy id information and transfers risk to the identity provider domain (IDP), or custodian. The bad news is that interoperable identity federation will increase the volume and velocity of use, increasng risk, and the relying parties cannot transfer all risk to the IDP.&lt;br /&gt;&lt;br /&gt;I presented some slides from Mike Neuenschwander's April 2005 telebriefing on identity theft, in which he and I had applied Burton Group's systematic, comprehensive approach to security to create our own matrix of risk mitigation approaches including preventive/technical, preventive/non-technical, and detective measures; and risk transfer approaches such as contracts and insurance.&lt;br /&gt;&lt;br /&gt;My concern is that the risk model has gotten seriously out of whack by laying too much risk on the individual, and soon they'll be "mad as hell and not gonna take it anymore." 
People are having credit taken out in their name and having to notarize multiple letters to restore their credit, causing stress over a period of months. Some people are having their accounts cleared out.&lt;br /&gt;&lt;br /&gt;Technical preventive controls and legal deterrent controls are somewhat helpful but will not overcome the attackers. User awareness is one of the more effective tools, as is increased adoption of technologies that enable anonymity and selective disclosure of information. More database security, ID obfuscation, and frequent change of ID database identifiers would also be effective.&lt;br /&gt;&lt;br /&gt;Risk, however, is a function of threat, vulnerability, and consequence. The Liberty matrix you showed focused mostly on vulnerability, little on threat, and not at all on consequence. I'm playing with the notion that another effective strategy is to focus on the response function. That is, how to help the individual AFTER his/her identity is stolen, so as to reduce the consequence, thus reducing risk. It seems that some of the low-consequence fraud would be easy to mitigate through new response approaches (service bureaus that send all the "wasn't me" letters for victims and perhaps more legal obligations of finservs/merchants to make consequence unwinding easier on victims). But it is unlikely that we could beef up response functions to help people with more personalized high consequences like murder or blackmail resulting from ID disclosures. 
So a holistic approach is needed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-112195663343887525?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112195663343887525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/112195663343887525'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/07/liberty-alliance-identity-theft-summit.html' title='Liberty Alliance Identity Theft Summit'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-111884138188738845</id><published>2005-06-15T06:07:00.000-07:00</published><updated>2005-06-20T10:06:25.090-07:00</updated><title type='text'>Can strong authentication become a commodity?</title><content type='html'>&lt;p class="MsoNormal"&gt;One of my colleagues recently had a slide titled “Languishing expectations, failing hopes” in one of his identity management presentations. Among the supposedly doomed technologies was strong authentication, which the slide said has failed us by not becoming a commodity.&lt;/p&gt;     &lt;p class="MsoNormal"&gt;I disagree with this because enterprise smartcard deployments, one-time password generators for consumers, biometrics for passports, and a number of other initiatives are – if not taking off meteorically – at least gaining ground. 
If this is “failing” then it is my colleague’s expectations that must be adjusted.&lt;/p&gt;     &lt;p class="MsoNormal"&gt;Strong authentication is hard, and will continue to be hard for the foreseeable future, because it involves many moving parts, some of which concern process.&lt;/p&gt;     &lt;p class="MsoNormal"&gt;Simplified equation:&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Strong authentication = identity proofing + local authentication methods +&lt;br /&gt;        remote authentication methods&lt;/p&gt;     &lt;p class="MsoNormal"&gt;A more detailed equation:&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Strong authentication = identity proofing + initial credential distribution method +&lt;br /&gt;                      credential management and recovery methods + local authentication methods +&lt;br /&gt;                      operational security of local platform + remote authentication protocols +&lt;br /&gt;                      operational security of relying party + operational security of intermediary hosts&lt;/p&gt;     &lt;p class="MsoNormal"&gt;If any link in the chain fails between the subject and the ultimate relying party, then it is no longer strong authentication.&lt;/p&gt;             &lt;p class="MsoNormal"&gt;Far from failing, strong authentication is succeeding…though slowly. As an industry we may be able to improve its adoption somewhat, but part of the improvement will have to involve developing more realistic expectations. 
As an industry, we have no alternative but to promote strong authentication as one of the very important weapons in a balanced protection suite.&lt;br /&gt;&lt;br /&gt;In supporting strong authentication, we must have realistic expectations – neither too high nor too low. On the high side, vendor hype about the password’s pending demise at the hands of strong authentication is false and greatly exaggerated. Even in a world where strong authentication proliferates, we will still often use passwords as one of the authentication factors, or even use passwords as the only factor in environments where low risk or compensating controls keep passwords viable.&lt;br /&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Strong authentication cannot become a commodity because it is hard. Even if the cost of the authentication token (smartcard, biometric, or one-time password generating device) were zero, strong authentication would still be hard, and therefore expensive. Free, or at least inexpensive, devices will be important for the consumer, but the provider is less concerned with the cost of buying the horse than with the cost of caring for it, feeding it, and training it. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-111884138188738845?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111884138188738845'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111884138188738845'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/06/can-strong-authentication-become.html' title='Can strong authentication become a commodity?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-111790241384853767</id><published>2005-06-04T09:17:00.000-07:00</published><updated>2005-06-04T09:26:53.853-07:00</updated><title type='text'>National ID Cards - Kicking and Screaming?</title><content type='html'>http://www.vnunet.com/computing/news/2137408/id-cards-plan-faces-increased-hostility&lt;br /&gt;&lt;br /&gt;It would be pretty incredible if UK citizens actually ended up having to pay 93 pounds each for a national ID card! Under current plans, the card would not be mandatory, but eventually it would be required in order to obtain a passport.&lt;br /&gt;&lt;br /&gt;Of course, one could point out that citizens are paying for it anyway, through taxes. Just as in the U.S., taxpayers will ultimately pay the increased costs from Real ID.&lt;br /&gt;&lt;br /&gt;Clearly, in many cases, people have to be dragged - kicking and screaming - into having more assured identification. 
Look on the bright side: a national ID card would be better than an RFID implant!&lt;br /&gt;&lt;br /&gt;/djb&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-111790241384853767?l=security-architect.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111790241384853767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111790241384853767'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/06/national-id-cards-kicking-and.html' title='National ID Cards - Kicking and Screaming?'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-12840558.post-111589410746445052</id><published>2005-05-12T03:24:00.000-07:00</published><updated>2005-06-20T10:08:16.036-07:00</updated><title type='text'>Introducing the Identerati blog</title><content type='html'>I'm the research director at Burton Group covering identity and privacy strategies and security and risk management strategies.&lt;br /&gt;&lt;br /&gt;Much is happening concerning identity management in the blogosphere, and I would like to be part of the dialogue!&lt;br /&gt;&lt;br /&gt;I have a few postings in mind on identity and privacy strategies, but in the meantime, you can find the columns that I've written over the years at http://www.networkworld.com/columnists/blum, and also at http://burtongroup.com/promo/columns/articlelist.asp?employeeid=26html.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12840558-111589410746445052?l=security-architect.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111589410746445052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12840558/posts/default/111589410746445052'/><link rel='alternate' type='text/html' href='http://security-architect.blogspot.com/2005/05/introducing-identerati-blog.html' title='Introducing the Identerati blog'/><author><name>Dan Blum</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
