Wednesday, April 30, 2008

Virtualization - there is also a good security aspect

I was reading this article from NetworkWorld about "Virtual Server Sprawl" and the problems it causes for security. Well, while I agree with the point of view presented there, I also think that the ease of deploying a new server brought by virtualization can also help us control an old security problem: servers with too many functions.

Lots of people have already said that VMs should be grouped by their sensitivity levels, and I agree with that. If organizations use virtualization to improve the segregation of duties of servers and keep the grouping concept, it will certainly help improve network security. It was always sad to me to see those Web+DNS+SMTP servers. Now they can be kept on a single piece of hardware, but with higher isolation through virtualization.

Thursday, April 24, 2008

Finally someone said it!

I was extremely happy to read this post from Richard Mogull, where he says:

"Data Classification Is Dead

I know what's running through your head right now.

“WTF?!? Mogull's totally lost it. Isn't he that data/information-centric security dude?”

Yes I am (the info-centric guy, not the insane bit), and here's the thing:

The concept that you can run around, analyze, and tag your data throughout the enterprise, then keep it current through changing business contexts and requirements, is totally ridiculous. Sure, we have tools today that can scan our environment and, based on policies, tag files, but that just applies a static classification in a dynamic environment. I have yet to talk with a customer that really does enterprise-wide data classification successfully except for a few, discrete bits of data (like credit card numbers). Truth is that's data identification, not data classification. Enterprise content is just too volatile for static tags to really represent its value."

A few years ago I was advocating the same thing during a discussion with some friends, where I was complaining about how pointless the current data classification policies and procedures are when we think about the current state of applications, data sharing and web 2.0 stuff. I just don't believe that information classification can happen in a dynamic organization in the way that is taught in, let's say, a CISSP prep class. We really need to think out of the box when dealing with the challenges of prioritizing security measures according to the value of information.

I'll quote Richard again about data classification: "That, my friend, is not only dead, it was never really alive."

Wednesday, April 23, 2008

The new security guy

Alan Shimel has blogged about a very common situation, the one where a networking (or anything else) guy becomes the new security guy.

I've lost count of how many times I've seen that! The problem is, it's not only common but it's also impressive that several of these guys believe they know all about security from the moment they receive the new job title.

I worked in a big security team where almost nobody was a security professional; they just ended up "falling" into the security department. It was a huge nightmare to make them understand that they didn't know the basic concepts and that some things had to change. Until people understand that our job isn't something like a new device that you learn how to set up, we will keep seeing those cases and the results from them: breaches, breaches, breaches.

Friday, April 18, 2008

Isn't it an interesting case for business continuity studies?

I was reading about the strike of the federal customs auditors here in Brazil. They are not inspecting cargo coming through the ports, so the containers arriving can't be unloaded. Ok, it shouldn't be a problem for exporting goods, as the problem is with imported goods, right?

Not necessarily. The strike is causing problems for exports too, as not only are the storage areas at the ports full, but now there is also a lack of empty containers! Isn't it an interesting case for business continuity studies?

Thursday, April 17, 2008

Windows Server 2008 - Server Core

I really love the concept of Windows Server Core - an installation that includes only the minimal components needed to make Windows work as a server - that Microsoft will include in Windows Server 2008. The advantage of it is obvious: reducing the attack surface.

However, just now I found an interesting piece of data: someone looked into information from past security bulletins and noticed that from 25 past bulletins only 4 would apply to Server Core. Quite interesting, isn't it? So follow the tip from this post and go ask your software provider if their product will work on a Server Core installation.

Have you tried Secunia PSI?

In times when we are talking about flaws in Adobe Flash, Apple QuickTime and so many others, it's good to ask how we are doing at ensuring that we are not running software with known vulnerabilities. Last August I blogged about Secunia PSI. I've been using it since then and it's impressive how hard it is to stay updated with all the software running on our workstations. The scanning process is a bit resource intensive, so I chose to run it periodically (once a week) instead of keeping it always running.

Today I ran PSI and it found some things that should be updated. Some of them were expected (Adobe Flash) and others I was not aware of, such as VMware Server, VLC Player and 7-Zip. This is a good example of how easy it is to have vulnerable software running on our computers. PSI does a very good job of detecting software that needs to be updated, so I recommend it to everyone. If you are not using anything to keep track of software updates, try PSI. You will be surprised.

Adobe is the next target - does anyone still doubt?

A few days ago a new Adobe Flash vulnerability was found (in a very interesting piece of work, I must say). I blogged about my concerns on ubiquitous software, like Flash players. We have been seeing the dangers of security vulnerabilities in this kind of software for years, beginning with Microsoft. Now that Microsoft is doing a good job of closing (and avoiding new) gaps, the attackers are taking the logical approach and changing targets to software that is as present as MS.

Adobe (Acrobat, Flash, now AIR) and Apple (QuickTime and iTunes) would be the next targets, and it is being confirmed. I heard at RSA that Adobe has a good security posture as a company (Dan Kaminsky mentioned during his presentation that Adobe was acting very proactively and fast about a vulnerability he found), but I still haven't found the same posture from Apple. Do we need to wait for an "iTunes worm" before Apple starts to take this matter seriously?

Polaris - A very interesting research piece from HP

Mr. Alan Karp mentioned this piece of research from HP Labs during an RSA session:

"Polaris is a package for Windows XP that demonstrates that we can do better at dealing with viruses than has been done so far. Polaris allows users to configure most applications so that they launch with only the rights they need to do the job the user wants done. This simple step, enforcing the Principle of Least Authority (POLA), gives so much protection from viruses that there is no need to pop up security dialog boxes or ask users to accept digital certificates. Further, there is little danger in launching email attachments, using macros in documents, or allowing scripting while browsing the web. Polaris demonstrates that we can build systems that are more secure, more functional, and easier to use."

The paper is quite simple and easy to understand, but gives us some very important lessons. If Microsoft had tried a similar approach on Vista, UAC might have been better accepted by users.

This kind of research should be the core of security innovation. Instead of trying to build "Anti-X", "Anti-Y" stuff, we should concentrate on reviewing things that are badly designed and that can be fixed in an elegant way, the same way Polaris does.

CyberStorm II and languages

The panel about the CyberStorm II exercise at RSA wasn't very good on content (in fact, it was terrible), but there was one thing that caught my attention. There were other countries participating in the exercise: Australia, Canada, New Zealand and the UK. Did you notice that only English-speaking countries participated?

Last year I saw Mr. Mike Reavey, from Microsoft, showing the kind of communication that their Response Center receives. That includes messages entirely written in different Unicode character sets. Now, if this is a challenge for the Microsoft Security Response Center, can you imagine the problem that the language barrier would be in a worldwide cyber crisis situation? I think the next CyberStorm exercise should include countries with different languages, to assess the impact that it can have on incident response and communication procedures. I'm certain that it will be bigger than expected.

Some good quotes from RSA

I took note of some interesting comments during RSA sessions. The most interesting are from the "Groundhog Day" panel. I was planning to write a post with comments and thoughts about each one, but I'm too tired and busy and RSA is already becoming old news. So, I think a quick list of quotes will be enough:

"Accept that behavior won't change" - Richard Mogull
"Accept that vulnerabilities will exist" - Richard Mogull
"Auditors don't understand security" - David Mortman
(without quotes, I didn't take the exact words): You need to talk to the Business, but don't go there asking "how can I help you?"; Say something. - Mike Rothman

Tuesday, April 15, 2008

How many companies are looking into Security as a Marketing feature?

This question was asked by Martin McKeay during a panel at RSA (Avoiding the "Security Groundhog Day", hosted by Mike Rothman). I took a note at that moment because the answer came to me immediately:

Half of the companies are not doing that because their customers don't ask for it.

The other half uses security as a marketing feature, but only as that, i.e., they sell that their products/services are secure but they are not. Consumers don't know how to verify their claims.

A good example of that are those "Hacker Proof" signs hosted by some online stores. Everyone who has already performed some kind of security assessment on an e-commerce environment knows that a vulnerability scan (all you need to get one of those seals) is not enough to say that a website is "hacker proof".

The question is, how do we educate consumers to identify which companies really protect their data? Or, are consumers really worried about that?

From a RSA vendor leaflet

I'm looking at some leaflets that I got from some vendors at the RSA Expo. I've just caught this on one of them:

"included signature-based anomaly detection capabilities"

WTF is that!?!?! Can anyone explain to me what "signature-based anomaly detection" is?

RSA, final post

Writing this while waiting to board my return flight to Sao Paulo. It's good to write after a few hours away from the conference, as it gives me a better view of what really impressed me most. I agree with other bloggers who mentioned the lack of innovation this year. However, it was expected.

I think I can mention some highlights. Black Ops, Sins of Our Fathers, Avoiding the “Security groundhog day”, the DLP Panel, Ajax Security were very good in terms of presentation and discussion, but honestly, nothing new from them.

The best sessions for me were Bruce Schneier's and Malcolm Gladwell's. Both talked about human perception and the way that we think. Schneier has already published some things about it, especially about the way that we perceive risk. Gladwell's presentation was very interesting even if it wasn't related to security at all. He talked about decision making, but not common decisions; rather, those made unconsciously. I think there are lots of situations in security that can benefit from his theories. The way that we assemble and conduct security monitoring centers, for instance, can be radically changed. By reading his book ("Blink: The Power of Thinking Without Thinking", which I bought at the airport) I realized that we may be falling into some basic mistakes, like providing too much information to those who need to make decisions. It would be nice to do some kind of research with good SOC operators to see how they usually identify an attack, what information is used, and see if we can apply the "thin slicing" approach that Gladwell explains in his book. If there was anything that provided food for thought during the conference, I think it was that.

The exposition was kind of sad. Tons of “appliances” providing solutions to problems defined by the vendors themselves. Lots of vendors talking about how their products provide very nice reports, but what about detection, prevention? Can all the problems in security be solved by a nice report with some pie charts?

The networking aspect, on the other hand, was terrific. I met lots of people who write very good blogs, and found people who are reading mine. I hope to be able to attend the conference in the coming years to maintain all those contacts. Thumbs up for Martin McKeay, Jennifer Leggio and Alan Shimel for organizing the bloggers meetup. It was very good and an extraordinary opportunity to chat with people that I respect a lot. Thanks!

Thursday, April 10, 2008

RSA post number 2

This second day of RSA was quite interesting. Not exactly because of the presentations; almost everything that I saw today was very shallow and nothing new. I can mention an honorable exception, "Sins of Our Fathers", with Daniel Houser, Hugh Thompson and Benjamin Jun. Good speakers and good (although not new) content.

The best part of the day was definitely the bloggers meetup. It was very nice to talk to people I only knew from blogs, like Jennifer Jabbusch, Chris Hoff, Richard Mogull, Martin McKeay, Mike Rothman and even Bruce Schneier. I had the opportunity to talk to Bruce for a few moments about his RSA presentation, and was pleased to find that he agrees that the source of the Security Theater that we are seeing from new solutions is the fact that buyers are not providing their Model to vendors; they are asking the vendors for Models. Unfortunately, he had to leave the meeting early. It would be nice to know what he thinks should be done to help buyers provide their own Models to vendors instead of asking for one.

There are some more interesting talks tomorrow. Let's see if some innovation will appear or if RSA 2008 will be remembered just as "a nice event without anything new".

Wednesday, April 9, 2008

Looking for job in...Toronto!

Well, after 17 months, my Canadian immigration process is finally entering its final steps. That's right. I'm moving to Canada, more specifically, Toronto.

I'll try to use this week at RSA to find potential employers. If you work for a security company in Toronto (GTA) and know that they are looking for a security consultant, please let me know.

RSA post number 1

I finally arrived in San Francisco. Luckily, in time for the Cryptographers' Panel. Some interesting thoughts from the big brains. Shamir said that security losses are concentrated in low- and high-level attacks. The media, however, only shows the high-level ones.

Schneier's presentation was also very good. He blogged about it. From his talk I could conclude that buyers should start pushing vendors to use their models instead of providing their own.

After Schneier, Dan Kaminsky. As always, Black Ops was fun and good (in fact, very good) content. Dan mentioned that OpenDNS deployed a very nice feature to block DNS responses with internal addresses. Glad to know that, I'm using OpenDNS at home.

About DNS rebinding attacks, what about Snort signatures? Did anybody write rules for detecting those attacks? It seems to be a simple and effective way to do that.

I also watched the panel about DLP, with Amrit Williams. He mentioned that DLP won't help against determined attackers; it is aimed against accidental leaks. Are the DLP vendors really saying that to their potential clients?

During the panel, Shu Huang mentioned that companies don't know where the data to be protected is: blind spots! Exactly what I said in my article in this month's ISSA Journal.

There was a discussion between Amrit and Malte Pollmann: who manages the DLP tool inside an organization? I understand that one of the most important features of a DLP tool is a way to define management roles that can adapt to the different models of different companies. It will depend on how the organization deals with security and IT infrastructure.

About DLP: the technology can bring a lot of value through IT environment awareness. It's about knowing what is happening on your network. However, the deployment of tools like that will identify several cases that need skilled people to properly assess risks and support the Business in the remediation process.

Amrit says that almost no organization has an effective information classification process. I agree with that; I had a discussion about it here in a Brazilian security forum some months ago when defending the same argument. Good to know that I'm not alone.

And I didn't find anybody from the Bloggers network nor Twitter. Where are they?
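The resolver-side check Dan described (dropping DNS answers that point an external name at an internal address) is the core of a rebinding defense, and it is small enough to show in full. What follows is an added example written for this page, not OpenDNS's code and not anything from the original post: a minimal parser for DNS response wire format (header, question, answer section, RFC 1035 name compression; no EDNS or error handling for truncated messages) plus a filter that flags A/AAAA records inside private, loopback or link-local ranges. The list of ranges and the sample response are my own choices; the response is constructed in the code, not captured traffic.

```python
import ipaddress
import struct

# Ranges a public resolver should never return for an external name. An answer
# inside one of these is the signature of rebinding: the attacker re-points
# their own domain at the victim's LAN after the browser has loaded the page.
# Assumption: this list is the author's choice, not OpenDNS's actual policy.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",        # loopback, "this net", link-local
    "::1/128", "fc00::/7", "fe80::/10",                    # IPv6 equivalents
)]


def _read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_answers(msg):
    """Return [(owner name, ip address)] for every A/AAAA record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            records.append((name, ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:               # AAAA record
            records.append((name, ipaddress.IPv6Address(rdata)))
    return records


def rebinding_answers(msg):
    """Return the (name, ip) answers a rebinding filter would drop from this response."""
    return [(name, str(ip)) for name, ip in parse_answers(msg)
            if any(ip in net for net in PRIVATE_NETS)]


def build_response(qname, answers, txid=0x1234):
    """Construct a minimal DNS response for testing (constructed sample, not real traffic)."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)               # A, IN
    body = b""
    for ip in answers:
        addr = ipaddress.ip_address(ip)
        rtype = 1 if addr.version == 4 else 28
        # 0xC00C: pointer to the question name at offset 12; TTL 30 (rebinding uses low TTLs)
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 30, len(addr.packed)) + addr.packed
    return header + question + body


# Constructed sample: attacker.example first answers with a public address, then
# with a LAN address and a ULA IPv6 address, which is exactly the rebinding pattern.
SAMPLE = build_response("attacker.example", ["203.0.113.7", "192.168.1.1", "fd00::10"])

if __name__ == "__main__":
    for name, ip in rebinding_answers(SAMPLE):
        print(f"blocked: {name} -> {ip}")
```

The same comparison is what an IDS rule would have to express: match an A/AAAA answer whose RDATA falls in one of these ranges for a name that is not one of your own zones. One caveat a real deployment needs and this example does not cover: organizations that legitimately publish internal addresses in public DNS (split-horizon gone wrong, or hosted services resolving to VPN ranges) must be whitelisted, or the filter will break them.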

Thursday, April 3, 2008

Content Management, Monitoring and Protection (from Hoff's post)

I was reading a great post from Hoff that describes what he and Richard Mogull are envisioning as the next evolution of security solutions. Hoff says:

"What CMMP represents is the evolved and converged end-state technology integration of solutions that today provide a point solution but "tomorrow" will be combined/converged into a larger suite of services. Off the cuff, I'd expect that we will see at a minimum the following technologies being integrated to deliver CMMP as a pervasive function across the information lifecycle and across platforms in flight/motion and at rest:

  • Data leakage/loss protection (DLP)

  • Identity and access management (IAM)

  • Network Admission/Access Control (NAC)

  • Digital rights/Enterprise rights management (DRM/ERM)

  • Seamless encryption based upon "communities of interest"

  • Information classification and profiling

  • Metadata

  • Deep Packet Inspection (DPI)

  • Vulnerability Management

  • Configuration Management

  • Database Activity Monitoring (DAM)

  • Application and Database Monitoring and Protection (ADMP)

  • etc...
That's not to say they'll all end up as a single software install or network appliance, but rather a consolidated family of solutions from a few top-tier vendors who have coverage across the application, host and network space."

I think that the security market is, in a certain way, walking (slowly) in that direction. If we look at some solutions like NAC and IAM we will notice that they are being built to integrate with other types of solutions. We saw LDAP being quickly chosen as a way to integrate multiple solutions that need to talk to authentication systems. 802.1X and RADIUS extensions are also making the integration among different solutions easier, especially from NAC vendors. We still need to improve the way that "security endpoint clients" integrate, allowing us to have things that deal with metadata, dynamic content monitoring and identification talking to things like antivirus, host IDS and NAC clients. In a world like that I can see endpoint security solutions being able to make decisions based not only on the security status of a computer, but also on the kind of information that is present on it and even on what is about to be transmitted through a VPN connection. There are several opportunities waiting for us if we increase the integration features among those solutions. If we work on establishing standards for integration we won't have to wait for a vendor that is able to offer a complete CMMP suite. That will force vendors into a healthy competition cycle.

If you agree with the CMMP concept from Hoff and Mogull, do you think it will be something mostly offered as complete suites from a single vendor or as several different solutions with better integration?

Article on ISSA Journal

My article about "Security Blind Spots" has just been published in April's ISSA Journal. I haven't received my issue yet, but it is available on the site. Please let me know what you think about it!