Friday, March 25, 2011
Not so fast about SecurID
Thursday, March 24, 2011
Light Blue Touchpaper: Can we Fix Federated Authentication?
March 24th, 2011 at 11:44 UTC by Ross Anderson
My paper Can We Fix the Security Economics of Federated Authentication? asks how we can deal with a world in which your mobile phone contains your credit cards, your driving license and even your car key. What happens when it gets stolen or infected?
Using one service to authenticate the users of another is an old dream but a terrible tar-pit. Recently it has become a game of pass-the-parcel: your newspaper authenticates you via your social networking site, which wants you to recover lost passwords by email, while your email provider wants to use your mobile phone and your phone company depends on your email account. The certification authorities on which online trust relies are open to coercion by governments – which would like us to use ID cards but are hopeless at making systems work. No-one even wants to answer the phone to help out a customer in distress. But as we move to a world of mobile wallets, in which your phone contains your credit cards and even your driving license, we’ll need a sound foundation that’s resilient to fraud and error, and usable by everyone. Where might this foundation be? I argue that there could be a quite surprising answer.
The paper describes some work I did on sabbatical at Google and will appear next week at the Security Protocols Workshop.
Great paper by Ross Anderson. I like this piece from the first page about SSO:
"There are always systems that just don’t fit. Even in young high-tech firms with everyone trying to pull in the same direction – in short, where there are no security-economics issues of strategic or adversarial behaviour between firms – there are always new apps for which the business case is so strong that exceptions are made to the rules. This should warn us of the inherent limits of any vision of a universal logon working for all people across all systems everywhere."
This is not limited to universal logon; it could also be applied to universal visibility, universal least privilege, universal antivirus coverage, and many others.
Is risk assessment just change resistance?
Wednesday, March 23, 2011
Lenny Zeltser on Information Security: 7 Inconvenient Truths for Information Security
Information security policies and corresponding controls are often unrealistic. They don’t recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.
This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.
Corporate IT security departments need to recognize that employees:
- Use personal mobile devices and computers to interact with corporate data assets.
- Take advantage of file replication services, such as Dropbox, to make access to corporate data more convenient.
- Employ the same password for most corporate systems and, probably, personal on-line services.
- Write down passwords, PINs and other security codes on paper, in text files and email messages.
- Click on links and view attachments they receive through email and on-line social networks.
- Disable security software if they believe it slows them down.
- Don’t read security policies or, if they read them, don’t remember what was in them.
These are inconvenient truths that, if acknowledged by organizations as being common, can be incorporated into enterprise risk management discussions. Doing this will have strong implications for how IT security technologies and practices are configured and deployed.
This is a very interesting post from Lenny Zeltser. It's not only about the things we keep trying to avoid even though they are just plain representations of user (and business) needs. These inconvenient truths should be used as basic assumptions for any security strategy. By doing so you'll be building security that doesn't rest on weak, assumed controls, and that has a better chance of succeeding when those controls fail.
So, try this as an exercise: assume all the items listed by Lenny are true for your environment. Think about how effective your remaining controls will be against the most common threats; and, finally, identify what you could do to compensate for any weaknesses you find.
Keep that list. That will probably be more valuable than what you can get from a lot of complex and expensive "strategy exercises" out there :-)
Tuesday, March 22, 2011
It was nice to read two tweets by Richard Bejtlich today about the importance of having a "second in command":
@taosecurity http://bit.ly/hOl3lv BNET on "Why you need a second in command." .mil/.gov get this, have "deputy" roles. Agree, if you lead you need help.
@taosecurity Deputies are great for sanity checks, like telling you that you're making a mistake or that you should consider other aspects of an issue.
Friday, March 18, 2011
the most important infosec word
Friday, March 4, 2011
The key issue on current risk measurement?
Thursday, March 3, 2011
The great IT risk measurement debate
RSA Conference: Ben Rothke: Security Reading Room: Everything I need to know about PowerPoint, I learned from Adi Shamir
One of the highlights of the annual RSA Conference is the presentation by Adi Shamir, the S in RSA. For those who don't know who he is, let me put it this way: if there were a Mount Rushmore for information security, he would be on it.
With that, Shamir, along with Ronald Rivest and Len Adleman, was awarded the RSA Conference Lifetime Achievement Award at the conference this year.
Shamir is a most unassuming person. If you saw him get out of a cab, you might think he was the driver. His ensemble for a talk is a t-shirt, running shoes and jeans. He does not have to dress for the part; his accomplishments do that for him.
Shamir's presentations are more unassuming than he is. No clip art, no flashy images and certainly no animation. I don't think that he has changed his font in over a decade. And therein lies the rub. Shamir is so overwhelming with content that his presentations require zero flash or animation. People come to his talks knowing that he is full of form and substance, with zero hype or funky PowerPoint animation.
Most of us can’t bring to the presentation the same firepower and brainpower that Shamir does. Nonetheless, what we can all learn from him is to focus more on the content and substance, and not on the font.
After attending a lot of useless sessions at RSA, I cannot agree more with Rothke on this one. If you have content to show, the wrapping doesn't matter.