Archive for category Security
Do 1st graders have all the answers? Convenience and risk considered.
Posted by Brian in Information Risk Management, Minds4IT, Mobile, Security on August 15, 2011
It wasn’t too long ago that installing an application took an IT professional. Now it’s so easy a first grader can do it. If you have an Android, iPhone, or Windows Phone 7, your first grader can search for an application in the marketplace or app store and install it. Not only is it easy, it is also convenient. I know I’m not the first person to notice that convenience is a phenomenal sales tool: the more convenient something is, the easier it is to make the sale. Companies are driven by revenue, not security, and vendors that offer a device you carry in your pocket have the ultimate convenience. On the flip side, SAP installs have been known to take years and require hundreds of IT people. That is the old model. The new model is a cloud solution with a web-based interface that requires no install, or a mobile app/web install. Floppy disks were replaced by CD/DVDs, and CD/DVDs have been replaced by a connection to the internet.
The unfortunate truth about not requiring a disk (yes, I’m showing my age) to install software is that it has possibly become too convenient. Ok, there’s no such thing as too convenient, but it helps me emphasize my point. One of the controls IT-savvy people have taught for years is to be careful what software you install. This helps prevent malware from making it onto your computer, and it is augmented by access control settings within the operating system that prompt before allowing installation; the primary examples are Windows 7 User Account Control (UAC) and sudo on OS X/Linux. There are some differences between mobile devices and desktops and laptops. These differences primarily include access to location-based information and the additional isolation layers (per-application sandboxes) that the platform vendors add between applications and the hardware.
The extreme convenience of application installation under app store models is blurring the risk and leading to a change in the security model. Mobile device manufacturers do not provide root access by default, whereas desktop operating system vendors traditionally provide administrative access out of the box. Since people are tech savvy and are used to having admin access on their laptops, they are requesting, and even expecting, to have it on their mobile devices. This is part of why the jailbreak and root/ROM websites and blogs are proliferating. The mobile device vendors have the right idea in not granting root access to the user: it makes it much harder for a malicious program to gain full control of the device.
The question has always been one of trust. Who do you trust: the phone manufacturer or your operating system vendor? Do you trust the marketplace/app store owner? The application author? Device users may need to change their behavior and actually read the notifications about what information and hardware they are permitting the operating system, marketplace, or application to access.
I think we can agree the days of long setup and install times are gone. This is a great thing! Self-service and instant software acquisition are here to stay. However, the ability for users to install apps immediately from an app store is making IT departments across the globe look like they are not agile enough to meet their business’s needs, and the ability for the business to execute an instant install is simultaneously increasing the risk tremendously.
To link back to the opening thoughts of this article: do IT departments need to compete with 1st graders? If IT departments can’t create convenient, secure installation scenarios to make tools available to business partners, then the business partners will go directly to cloud or mobile vendors. This is an opportunity. We as practitioners need to collaborate with our business partners, vendors and solution providers to create an educational feedback loop that allows users to knowingly manage their trust relationships and security.
Secure your light bulbs!
The world is going crazy with endpoints and devices.
Everything is connected to the internet. Google recently partnered with Lighting Science Group as part of their Google@Home effort. At a recent industry event they demonstrated light bulb endpoints connected to the internet via a new wireless solution and controlled by your Android device. There are Blu-ray players connected to Netflix and Hulu. Home stereos can now integrate across the web with Rhapsody and Pandora. Even your car is connected to the internet for music, and soon there will be other internet-enabled functions in your vehicle.
While the ability to connect and manage devices and endpoints over the internet and other integrated technologies is useful, there are two things I’d like to convey about these technologies.
1. Don’t forget security as you connect everything.
2. At Minds4IT when we say device, it means a phone, tablet, laptop, or other computer which is used interactively and when we say endpoint it is anything which you can connect to through any network.
I anticipate referencing these terms often in future articles so here are the definitions of each more succinctly:
Device is any electronic component or computer which allows input, including stereos, Blu-ray players, phones, tablets, laptops, desktops, cars, etc.
Endpoint is any electronic component connected to a network which can be controlled using a device but has no direct input mechanism, including light bulbs, door lock systems, etc.
It’s important to delineate the two, because endpoints generally have minimal security built in. An endpoint relies on being connected to a secure network: if it is not protected by the network and its services, then any device that can find a path to it may be able to control it (a firewall controls the paths). Endpoints do not have the resources to run a firewall and therefore need network-layer protection, whereas a device may be capable of running its own security controls, such as a firewall (some can, some can’t). Not every device can enforce security, but where security controls can be enabled on a device, enable them and extend them to the entire environment, including the endpoints.
Endpoints sometimes evolve into devices. Printers were originally endpoints. As printers became network aware, input panels, hard drives and local operating systems were added, which turned the printer into a device.
An example of poor network security permitting impersonation is Firesheep. When sessions to Facebook and Google were carried over unencrypted HTTP on open Wi-Fi, any device on the same network could capture the session cookie and impersonate the user. The moral is that even your light bulb needs security. To secure your light bulbs, make sure they only connect to your secure network. Granted, there’s probably no market for controlling your light bulbs; therefore, you are safe. But if your best friend wanted to play a cold-hearted trick on you, it could be a source of opportunity.
Figure Eight Feedback Loop
Posted by Brian in Information Risk Management, Minds4IT, Security on May 31, 2011
Two problems for detective and corrective security controls are education and false positives. Education refers to providing the knowledge required by the users of the system or data being secured. Simply stated, the people using the system or data need to know how to manage the security control so they can both use the system securely and minimize the inconvenience of the control. False positives are identifying a risk when no risk is present: for example, identifying a legitimate Windows system file as a virus and quarantining it, or incorrectly identifying a phone number (XXX-XXX-XXXX) as a social security number (XXX-XX-XXXX). Both start with three digits, end in four digits, and are separated by dashes.
One method of managing both of these security problems which is enabled by the IT savvy mind is what I call a Figure Eight Feedback Loop. The figure eight is created by two feedback loops next to each other which feed information to each other.
- Loop 1
- Action is triggered by automated identification of a risk. Event recorded
- System/data user is prompted, including specifics about which automated trigger fired and why (Education)
- User is allowed to make a decision
- Decision is recorded
- Loop 2
- Automated identification and decision records from loop 1 are utilized.
- Review of identification and decision information by security resources
- Automated identification triggers are revised to reduce false positives
- New automation triggers included in loop 1
Let’s look at a more concrete example to get a better grasp. As many of you know, it’s a Payment Card Industry (PCI) violation to send credit card information via unencrypted e-mail. This creates a problem if a customer sends their credit card number (CC#) in an e-mail to their financial institution: the customer service representative needs to be knowledgeable of the regulation and make sure they remove the CC# if they reply to the customer. To assist in resolving this problem the financial company can institute e-mail data loss prevention tools.
- Loop 1 – Host Data Loss Prevention (DLP) software on company computer scans e-mail for violations of information security policies
- E-mail DLP tool scans e-mail for credit card numbers when the user hits the Send button.
- If a CC# is found, prompt the user: “It looks like there is a credit card number (CC#) contained within this e-mail. It is against the Payment Card Industry (PCI) Data Security Standard (DSS) to send CC# data via unencrypted communication. Please review the e-mail and make sure no CC# is present (No CC# present button) or hit (Cancel Sending) if you find CC# data. Thank you.”
- Decision by user after review of e-mail
- Record of possible event is recorded in system for review by security resources
- Loop 2 – Insider threat team reviews Host DLP log files to improve patterns used to identify credit card numbers
- Security team either selects samples or reviews all transactions, as appropriate, to identify when associates continued to send CC#s (policy violation) and when the system falsely identified a number as a credit card number
- If it was a policy violation, the associate and the associate’s manager are involved to understand the risk to the company, with a warning or termination if the severity of the violation warrants it
- If false positive, patterns used in identifying credit card numbers are refined to manage the situation
- New automation is loaded into loop 1
Hopefully, that example provides enough meat for us to discuss the benefits I laid out in the beginning.
- Education – The users of the system are informed what they did, why it was wrong, and how to correct it, before a violation of policy occurred. This proactive involvement in security decision making builds a positive image of security, educates the users of the system, and provides a foundation for other risk decisions.
- False positives – By educating the user and then utilizing their intimate knowledge to determine whether a risk is present, the security resource gains a much better understanding of each false positive. This enables a collection of false positives to be created and analyzed to come up with new automation methods. The control itself evolves and gets better over time.
This technique can be used for any detective or corrective control. You’ve probably already seen it or used it, but didn’t have a name for it. Another simple example is password requirements. Most password change processes now refuse to accept characters that are forbidden by the federated systems being managed; the user is told to try again and presented with a list of the characters they must use and those they are forbidden to use. This is the end state of many years of figure eight feedback loops. As new creative controls are engineered, these concepts need to be applied to best serve both the needs of the business partner and the Information Risk Management requirements of the security/risk organization.
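As an added example (not code from the original post), here is the e-mail DLP figure eight above reduced to runnable Python. Loop 1 scans the message when the user hits Send, prompts on every hit, and records the decision; loop 2 reviews the records, separates blocked sends, policy violations and false positives, and refines the trigger. The refinement used here (a Luhn mod-10 check, which real card numbers pass and most order or invoice numbers fail), the scripted user decisions, the reviewer’s judgement and the sample e-mails are all assumptions of this example; the post itself does not say how the patterns are refined.

```python
"""Figure Eight Feedback Loop applied to an e-mail DLP control (added example).

Loop 1: scan on Send, prompt, record the decision.  Loop 2: review the records,
classify them, and refine the trigger.  The Luhn refinement, the scripted user
decisions and the sample messages are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Loop 1, first-generation trigger: a run of 13-16 digits, optionally separated by
# single spaces or dashes.  The look-arounds stop a longer digit run (17+) from
# being partially matched as a card number.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Event:
    msg_id: str
    match: str
    rule: str       # which generation of the trigger fired
    decision: str   # "no_cc_present" or "cancel_sending", the two prompt buttons


@dataclass
class DlpControl:
    use_luhn: bool = False                      # refinement added by loop 2
    events: list = field(default_factory=list)  # decision records feeding loop 2

    def scan(self, text: str) -> list:
        """Loop 1 trigger: candidate numbers under the current rule set."""
        hits = []
        for m in CANDIDATE_RE.finditer(text):
            if self.use_luhn and not luhn_ok(digits_only(m.group())):
                continue
            hits.append(m.group())
        return hits

    def on_send(self, msg_id: str, text: str, decide) -> bool:
        """Loop 1: prompt on every hit, record the decision, return True if the mail goes out."""
        hits = self.scan(text)
        if not hits:
            return True
        decision = decide(msg_id, hits)  # stands in for the user reading the prompt
        rule = "digits+luhn" if self.use_luhn else "digits"
        self.events.extend(Event(msg_id, h, rule, decision) for h in hits)
        return decision == "no_cc_present"

    def review(self, is_card) -> dict:
        """Loop 2: the security resource classifies each event; `is_card` is their judgement."""
        out = {"blocked": [], "policy_violation": [], "false_positive": []}
        for e in self.events:
            if e.decision == "cancel_sending":
                out["blocked"].append(e)            # the control worked
            elif is_card(e.match):
                out["policy_violation"].append(e)   # a real PAN was sent anyway
            else:
                out["false_positive"].append(e)     # user was right, trigger was wrong
        return out

    def refine(self, is_card) -> bool:
        """Loop 2: adopt the Luhn trigger only if it removes every reviewed false
        positive without dropping any reviewed real card (no new false negatives)."""
        r = self.review(is_card)
        real = r["blocked"] + r["policy_violation"]
        fp_removed = all(not luhn_ok(digits_only(e.match)) for e in r["false_positive"])
        real_kept = all(luhn_ok(digits_only(e.match)) for e in real)
        if r["false_positive"] and fp_removed and real_kept:
            self.use_luhn = True
        return self.use_luhn


# Constructed sample traffic (not real data).  4111... and 5555... are the usual
# Visa/Mastercard test numbers; the invoice and order numbers fail Luhn.
SAMPLE_EMAILS = {
    "msg-1": "Please charge 4111 1111 1111 1111 for the renewal.",
    "msg-2": "Invoice 123456789012345 is attached for your records.",
    "msg-3": "Order 1234567890123456 shipped this morning.",
    "msg-4": "My card is 5555-5555-5555-4444, exp 12/14.",
}
# Scripted prompt answers (constructed): the msg-1 sender clicks "No CC# present"
# without reading carefully, which loop 2 must surface as a policy violation.
SCRIPTED_DECISIONS = {"msg-1": "no_cc_present", "msg-2": "no_cc_present",
                      "msg-3": "no_cc_present", "msg-4": "cancel_sending"}
KNOWN_TEST_CARDS = {"4111111111111111", "5555555555554444"}


def run_figure_eight() -> dict:
    ctl = DlpControl()
    decide = lambda msg_id, hits: SCRIPTED_DECISIONS[msg_id]
    sent = {m: ctl.on_send(m, t, decide) for m, t in SAMPLE_EMAILS.items()}
    is_card = lambda s: digits_only(s) in KNOWN_TEST_CARDS
    summary = ctl.review(is_card)
    ctl.refine(is_card)
    second_pass = {m: ctl.scan(t) for m, t in SAMPLE_EMAILS.items()}
    return {
        "sent_first_pass": sent,
        "false_positives": [e.msg_id for e in summary["false_positive"]],
        "policy_violations": [e.msg_id for e in summary["policy_violation"]],
        "luhn_adopted": ctl.use_luhn,
        "flagged_after_refinement": sorted(m for m, h in second_pass.items() if h),
    }


if __name__ == "__main__":
    for k, v in run_figure_eight().items():
        print(f"{k}: {v}")
```

On the first pass the digit-run trigger fires on all four messages; the reviewer in loop 2 sees two false positives (the invoice and order numbers), one policy violation (msg-1 was sent with a real test PAN after the user dismissed the prompt) and one blocked send. The check in refine() is the part a practitioner should insist on: a refinement is only loaded back into loop 1 if it clears the reviewed false positives and still catches every reviewed real card, so reducing noise does not quietly introduce misses.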
Agility comes from standardization
All extremely agile technology solutions have come from their ability to leverage standards. While this may seem like an oxymoron or nonsense, the truth is that the web came about because of the standard IP protocol stack. The web browser came along because of the standard HTML language. The success of the personal computer can be traced to the dominant Microsoft Windows operating system. A standard to build upon and work from is like a house’s foundation. If the foundation is flat, stable, and secure then the architect and interior designer can create masterpieces on top of it: unique, one-of-a-kind, thought-leading representations of what someone wants. Salesforce and Facebook would not have happened if Marc Benioff and Mark Zuckerberg had to solve protocol incompatibility or browser issues. The fact that these standards existed allowed them to apply their brains to the business/consumer problems, limiting the time and effort needed for the more remedial problems.
Let’s look at some of the standards they leveraged and the known results:
- How is the signal going to get from the computer to the internet? Ethernet.
- How is the message formed? TCP/IP.
- How is the presentation layer going to present the text and graphics to the user? HTML.
Each layer of standardization removes another point of minutia so the technology solution developer and user can focus on the technology opportunity they are really trying to solve.
When there is not a specific standard, there is competition. Using our examples above: Ethernet used to compete with token ring. TCP/IP used to compete with IPX and SNA. HTML was a revolutionary way of presenting text and graphics at the time; it solved a problem and instantly became a standard. The alternative was a desktop-based application or basic text. Somewhere along the timeline of technology evolution a standard is defined, and the level of support behind it is what makes it the standard.
Let’s use a current discussion as a basis for the process of defining a standard. Companies had been trying for years to create a tablet computer that would meet consumer requirements. Along came Apple with a tablet built around a touch screen and pinch-to-zoom, and now that is the standard. It’s an interface standard. All other phone, computer and related operating system companies are scrambling to catch up and innovate their own systems. With the interface standardized we are left evaluating an OS: Android, Blackberry OS, Chromium OS, iOS, Windows Phone 7, and WebOS. While there may be others, these seem to be the most prevalent players in the mobile technology platform race.
I’m not going to postulate which mobile operating system is going to survive. I don’t believe in anyone’s ability to predict the future. I do believe that we need a stable and secure identity management or access control/authentication standard. The ability to leverage today’s mobile and cloud solutions is dependent upon a stable, secure and autonomous identity management solution which can provide effective, seamless controls for authentication and authorization through multiple technology layers across the internet. This is where both the career technologist and the technology-aware consumer mind can partner to establish the standard. Today, if you are like most people, you have a login and password for between 40 and 100 different websites, applications, and services. This complexity is rapidly getting out of hand as users move from standard HTML access to web applications to applications requiring additional access controls at each layer of the puzzle (operating system access, web access, application access, cloud access, etc.).
No one wants to enter a secure password to make a phone call. However, I believe many people want a secure password when they access their bank account. Once the browser or application has been logged into, there needs to be transparency. An app running on a phone should be able to use the same authentication as JavaScript in the browser, which should also authenticate to the cloud. I believe phone applications will eventually overtake the browser because the ability to segment processing between the local processor and the cloud will provide the best user experience. However, the cloud and the ability to segment that processing are dependent on an autonomous access control standard. Alternatively, a method to segment processing in the browser could be developed. I’m just unsure if JavaScript, ActiveX, or any other standard has that capability yet.
What other standards do you feel are required for success in today’s and the future mobile and cloud worlds?
Finally, mainstream America knows about root access!
Posted by Brian in Information Risk Management, Mobile, Security on April 26, 2011
Ask the majority of the people you meet if they know what a jailbroken iPhone is, or a rooted Android phone. Most people have heard of these things, and even the youngest users can complete the process. A good portion can also discuss the benefits of doing this to their devices. They can take a jailbroken phone onto any network (technology supported, that is: GSM or CDMA, depending on the phone). They can download any applications they want to their rooted phone. Isn’t life grand!
It scares the bejeezus out of me to think that providing root access to any computer has become mainstream. Yet, this is exactly what we’re talking about. They may have given it a cute name like JailBreak, but it’s still just root access. It’s up to us as security professionals to ensure our friends, associates, and the public at large understand the negatives and consequences of this dangerous technology. There are controls built in to the Android, Windows Phone, and iPhone application stores. These controls are not present if they download an application via the web. Just like the early days of PCs, the technologists understood the ramifications of no change control (application conflicts) or unknown security of applications (viruses). However, the public didn’t understand these things. Until… viruses impacted their world! Today everyone knows to run anti-virus software. They know they need a firewall. They know not to leave their wireless router open.
This is due to the diligence of professionals like you. It’s time for all of us to start educating on mobile security. Talk to your friends about how rooting their Android device or jailbreaking their iPhone exposes them to risk. Recently there has been a lot of discussion around the GPS location data the iPhone is storing. Android is storing similar data, although they are not replicating it to your computer, and they are asking your permission to store it and transmit it back to Google. What they don’t make clear is that if someone has rooted their phone, that data is accessible to any application the user grants root to, because root bypasses the per-application isolation the platform otherwise enforces.
You can tell from the title of this article that I am both excited and scared. It thrills me, and speaks volumes about how technology-centric the world has become, that these concepts are in the Wall Street Journal and are known by the layman. It also ups the ante for IT folks. We have to continually educate people on the other edge of this sword. The good news is, they speak our language. The public consciousness is ready to talk about it. So get it out in the open.
Another topic you may want to talk about is a setting in Android which allows installation of apps from unknown sources. The real kicker here is that Amazon’s new app store instructs users to turn this on. Turning this on allows Amazon to load applications onto an Android device. Unfortunately it also bypasses the security checks Google built into the Android Market install process, and it does so for every application installed outside the Market, not just Amazon’s. Granted, I trust Amazon to both review their apps and remove apps which are identified as malicious or behaving outside their stated use. The problem is that as a universal setting it doesn’t allow you to maintain which app stores are good and which are bad. Do I sense a reputation-based product opportunity here? A product similar to SiteAdvisor for websites, but designed around app store reputation?
Evolution of Security
Increasing quantity of threats, growing surface areas, new technologies, static budgets, and larger skills gaps are all on the minds of security professionals according to the 2011 (ISC)2 Global Information Security Workforce Study. This is exactly why security professionals need to consider and integrate the IT capable mind of their peers, consumers, and management into their strategy to secure the organization.
Security has always been part marketing. Some rely on Fear, Uncertainty, and Doubt (FUD). My preference is to keep FUD to a minimum by helping stakeholders and technology users understand the risks. This is now easier than ever. The evolution of security is to utilize the very tools which concern us to solve our own problems. Those tools include mobile devices, social media, and cloud computing. If we can simultaneously make it easier for people to use technology while making it more secure, why wouldn’t we?
I’ll use a cloud example first. LastPass is a cloud-based password manager. Installing the LastPass browser or smartphone plugin allows someone to get closer to a single sign-on for the entire web than most companies have managed in the past ten years of identity management projects. The tool not only reduces the passwords you need to remember to one, but will also generate secure passwords and scan your list of passwords to report how secure they are. The trade-off is that the one master password now protects everything, so it must be strong and never reused anywhere else.
Social media seems to have been the marketing buzz for the past few years and will continue to be, I’d imagine. Could it be used to market security? Possibly a forum for questions or a Twitter feed regarding security changes and their impact on the associate. Either could be used to help your business partners understand why they have to change their password every 90 days. The key is to engage people. Interact with them. Be social…
It’s important for us as IT and Information Security (InfoSec) professionals to embrace these new technologies with our peers. Get them involved in the process. The best controls I’ve seen involve two related concepts: 1. a simple exception process, and 2. the user of the technology. The example I’ll use is the password that protects my smartphone. The exception process is time based and I can set it: it won’t lock the phone for a length of time which I choose.
The point I’m trying to get across is that we as an industry need to embrace the fact that most people are technology savvy, then use that to partner with the consumers of our technology and have them assist us with solving our technology and security problems.
This evolution is not going to be easy. The traditional IT professional sometimes thinks in binary. You’ve seen the T-shirt. On the front it says, “There are 10 types of people.” On the back… “Those who understand binary and those who don’t.” People don’t need to understand binary to use technology. The presentation layer is where it’s at. Can the person using the technology understand the risks, get the information they need, and make good choices? Can we as technology and security professionals utilize these new waves to solve our problems? I believe we can.
