The InfoSec Blog

What Applicants Should Ask When Interviewing For An InfoSecurity Position

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/applicants-ask-interviewing-information-security-role/

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about "The Tone At The Top", the organization's attitude towards security, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but then many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy: how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done, but ask that tactlessly and, other than being an opening ("Yes, I can work on that for you"), all you've done is embarrass the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.

 

The Truth About Best Practices

Posted by Anton Aylward

An article on LinkedIn entitled "The Truth About Best Practices" started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"),  or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.

However, not everyone in the group agreed with our skepticism and the observations of the author of the article. One asked:

And Anton, aren't the controls you advocate so passionately best practices?

NOT. Make that *N*O*T*!*!*!  Even allowing for the lowercase!

"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.

Does ISO 27001 compliance need a data leakage prevention policy?

Posted by Anton Aylward

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism.


I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply:

 Anton
  Data Loss is something you prevent; you enforce controls to prevent data
  leakage. DLP can be a programme, but, I find, very difficult to support
  with a policy.

Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?

Let me try again.


Policy comes first.
Without policy giving direction, purpose and justification, and supplying the basis for measurement, quality and applicability (never mind issues such as configuration), you are working on an ad-hoc basis.

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that it's about 'creative writing', just answer that question.

Bruce Schneier among others, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?


One of my colleagues, Rob Slade (yes, *that* Rob Slade), when he is teaching in Toronto usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add, but don't forget that for him it's a day's work and a day's pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes, that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it's experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can't seem to tell what makes InfoSec different from IT. But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.


Are we fighting a losing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger) have known in our hearts for a long time: AV products don't work.

Tight budgets no excuse for SMBs’ poor security readiness

Posted by Anton Aylward

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/

From the "left hand doesn't know what the right hand is doing" department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, let's leave the vested interests of security sales aside for a moment.


I read recently an article about the "IT Doesn't Matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, and don't follow good practices (never mind good security), this is all a moot point.


An OP-ED by Richard Clarke on China

Posted by Anton Aylward

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most 'chicken little' pieces, but please can we have a 'history' of how most nations, including the USA, have engaged in 'industrial espionage'.

I recall a presentation by CSIS that was making the point that Canada's greatest threat on the Industrial Espionage scene was France, and that France had been practising Industrial Espionage against the "English Speaking World" for centuries. And he had evidence to back that up from at least Napoleonic times.

But then don't forget that the "English Speaking World" stole such secrets from China as "Tea":

For centuries, the secret of growing tea was one of China's
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China's tea monopoly was broken.


Fortune's explorations are detailed in a new book, For All
the Tea in China, by Sarah Rose. She frames this not
simply as a tale of Victorian exploration, but as early
industrial espionage - which, of course, it was.

I'm not saying this justifies anything, any more than the Opium trade, or forcing products from the Industrialized West onto Asian markets (also part of our common historic context), justifies any reprisals.

I'm just saying Context is Everything, and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.


Managing Software

Posted by Anton Aylward

Last month, this question came up in a discussion forum I'm involved with:

Another challenge to which I want to get an answer is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privileged access and yet have them get their work done? I am
afraid that if Admin rights are given, they would download software at
their free will and introduce malicious code into the organization.

The short answer is "no".
The long answer leads to "no" in a roundabout manner.

Unless your developers are developing admin software, they should not need admin rights to test it.

Surely compliance is binary?

Posted by Anton Aylward

Call me a dinosaur (that's OK, since it's the weekend and I'm dressed down to work in the garden) but ...

Surely COMPLIANCE is a binary measure, not a "level of" issue.
You are either in compliance or you are not.
As in you are either dead or alive.

Please Realize That Piracy is a Service Problem.

Posted by Anton Aylward

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/


The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to video tapes and DVDs, how they objected even though those turned out to be immensely profitable. We all know that, and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc. seem to want to shut it down.

Well, if they did there would be outcries, not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were losing customers, not just from direct action but from the word-of-mouth style propagation, reviews and snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Law of Unintended Consequences doing what it always does: biting in the ass.

Yes, if the media industry provided the service that customers want, piracy wouldn't be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There's a corollary to that: if the media companies were selling on the net, their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

It's as if the RIAA have it exactly backwards.

So it costs, what, let's say $20 to buy a movie as a DVD.
That's my budget. If I went to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. Many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1, make it available on the 'Net, mail buyers about new releases and packages the way Amazon does, and there will be more impulse buying. Sell low-res, high-res and super-high-res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.


Upside and downside: How I hate Journalists

Posted by Anton Aylward

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/

And this doesn't actually stop them from making use of 'insider information'; they just have to declare it within 30 days.

No, wait, sorry ... you mean that the legislators are saying that legislators shouldn't do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? ...

It gets worse:

http://compliancesearch.com/compliancex/insider-trading/house-republicans%E2%80%99-insider-trading-bill-accused-of-catering-to-insiders/

I'd like to claim the system is rigged so 'the rich get richer', but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in Washington, never mind the rest of the USA and points elsewhere on the physical compass.

http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart

Just those two show we need more than 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

http://en.wikipedia.org/wiki/Political_spectrum

Try this test:
http://www.politicalcompass.org/

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of 'how authoritarian'.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenck pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions foisted on us by journalists are equally meaningless?

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of 'root cause analysis' is no longer used in analysing plane crashes. The reality is that "it's not just one thing"; it's many factors. We all know that applies in most areas of life.

I suspect most people know that too; it's not restricted to the digerati.
There is the old ditty that explains how, for want of a nail, a kingdom was lost, but no-one is proposing that we fix the failings of the "American Empire" by manufacturing more nails.

Except possibly Journalists.


The Death of Antivirus Software

Posted by Anton Aylward

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html

The real issue here isn't Ubuntu, or any other form of Linux.
It's that AV software doesn't work.
PERIOD.

There are over 50,000 new pieces of malware developed and released daily. The very nature of the AV software model that John McAfee foisted on the industry simply can't cope.

This isn't news. Signature-based (and hence subscription-based, and hence that whole business model) AV is a wrong-headed approach. As Rob Rosenberger points out at Vmyths.com, we are addicted to the update-cycle model, and its business premise is very like that of drug pushers.

What's that you say? Other types of AV? Like what?

Well, you could have a front-end engine that checks all downloads, all email and email attachments, and all URL responses by emulating what would happen when they run on any PC, in any browser, or in any other piece of software such as any of the PDF readers, graphical display software, word processors, spreadsheet programs or music players you use ... and so on.

Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.

Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor - which can be a good thing - and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature has advantages and its own problems.

The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.
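To make the scheme sketched above concrete, here is an added toy version of it in Go (my illustration, not code from the original post or from any real loader), using the standard library's Ed25519. The per-machine key pair, the binding of a file's digest to its install path, the in-memory key storage and the Rotate helper are all my assumptions; a real system would keep the private key in a protected local store and do the check at exec/mmap time rather than in user code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds this machine's private key. Assumption for the example: the
// key lives in memory; a real system would keep it in a local, protected store.
type Signer struct {
	priv ed25519.PrivateKey
}

// Loader holds only the public half, which is all the program loader needs.
type Loader struct {
	pub ed25519.PublicKey
}

// NewMachineKey generates a fresh key pair unique to this machine. There is
// no vendor "master key" that, once leaked, would unlock every installation.
func NewMachineKey() (*Signer, *Loader, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{priv: priv}, &Loader{pub: pub}, nil
}

// digest binds the file contents to the install path, so a correctly signed
// library cannot simply be copied into place under a different name.
func digest(path string, contents []byte) []byte {
	h := sha256.New()
	h.Write([]byte(path))
	h.Write([]byte{0}) // separator so path and contents cannot run together
	h.Write(contents)
	return h.Sum(nil)
}

// Sign is run at legitimate install time, once per installed file.
func (s *Signer) Sign(path string, contents []byte) []byte {
	return ed25519.Sign(s.priv, digest(path, contents))
}

// Load is the gate the post describes: the loader refuses anything whose
// signature does not verify under this machine's key.
func (l *Loader) Load(path string, contents, sig []byte) error {
	if !ed25519.Verify(l.pub, digest(path, contents), sig) {
		return fmt.Errorf("refusing to load %s: bad or missing local signature", path)
	}
	return nil
}

// Rotate is the PGP-style recovery: discard the compromised key, generate a
// new one, and re-sign everything legitimately installed. Anything signed
// only with the old key stops loading.
func Rotate(installed map[string][]byte) (*Signer, *Loader, map[string][]byte, error) {
	s, l, err := NewMachineKey()
	if err != nil {
		return nil, nil, nil, err
	}
	sigs := make(map[string][]byte, len(installed))
	for path, contents := range installed {
		sigs[path] = s.Sign(path, contents)
	}
	return s, l, sigs, nil
}

func main() {
	signer, loader, err := NewMachineKey()
	if err != nil {
		panic(err)
	}
	lib := []byte("constructed stand-in for a shared library") // constructed sample
	sig := signer.Sign("/usr/lib/libexample.so", lib)
	fmt.Println("genuine:", loader.Load("/usr/lib/libexample.so", lib, sig))
	lib[0] ^= 1 // one flipped bit, as a dropper patching the file would cause
	fmt.Println("tampered:", loader.Load("/usr/lib/libexample.so", lib, sig))
}
```

The path is hashed into the signed message deliberately: without it, a legitimately signed but vulnerable old library could be dropped into place under another library's name and still pass the check.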

The real problem, though, is not in having the key compromised but is the problem that has always existed: it's the user. Right now we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don't bother setting their defaults to "no execution" or just say "yes" to the pop-up asking them to permit execution.

No technical measure can overcome human frailty in this regard.


Using ALE … inappropriately

Posted by Anton Aylward

Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this: summing many hundreds of fluctuating variables to one figure.

Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies, but the stock exchanges have their "Top 100" or "Top 50", which are all large companies. Perhaps they do have an effect on the economy the same way that a herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.

Treating big things like small things leads to another flaw in the ALE model (which is in turn part of the fallacy of quantitative risk assessment).

The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)

A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as "dollar value" leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child's?

We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.

Right? NO!

Schneier on Security: Hacking Cars Through Wireless Tire-Pressure

Posted by Anton Aylward

http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html

A few alarming things here.
More nanny state:

In other words, the nanny state is forcing upon us expensive and insecure systems that aren't as effective as a human being just doing what he's supposed to, but we should just think of the children we're "protecting" with this misguided effort.

Never mind the basic Orwellian aspects.

But the basic problem is the knee-jerk reaction of Congress combined with lack of understanding of science and technology and legislation that, by specifying method rather than objectives, plays, misguidedly, into the hands of one vendor.

They did this with emission control.
The Japanese could beat the original standard by engine design.
They did this with the old Honda CVCC.
GM wasn't worried; they said it was a technique only for small-engine cars. Then Honda did it for larger engines. At the time GM had cornered the market in platinum, so they got Congress to write the law specifying the HOW in their favour. Of course that advantage no longer exists, but we still have the expense of the platinum 'converters'.

Now we have more expense.

TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded that they "do something!"

 

Would you buy a computer from a company like this?

Posted by Anton Aylward

http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

  • It's not a camera, it's a computer that takes pictures
  • It's not a car, it's a computer that gets you from place to place
  • It's not a watch, it's a computer that tells you the time
  • It's not a radio, TV, hi-fi, phone .... it's a computer

Would you buy a computer from a company like this?

http://news.consumerreports.org/electronics/2011/05/data-security-expert-sony-knew-it-was-using-obsolete-software-months-in-advance.html


Mistaken Thinking – Risk not threats

Posted by Anton Aylward


Via a LinkedIn posting in the Infosecurity magazine forum titled "Internet Threats Posed By Mobile Devices: How Can We Prevent Them?" I came to

http://www.mxsweep.com/blog/bid/65075/Internet-Threats-Posed-By-Mobile-Devices-How-Can-We-Prevent-Them

OUCH OUCH OUCH!

The mobile devices don't pose threats.
The mobile devices represent risks.

Threats are external. They are not under your control.

The article title is clearly confusing THREATS with RISKS.

There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you - or more specifically your assets. In this case the mobile devices.

You can't prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.

Mobile devices and the data on them are ASSETS, not threats.

Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.


The Question of Residual Risk value

Posted by antonaylward

People keep asking questions like

If the risk equation I use is Impact * Probability, when it comes to
calculating the residual risk value do I still need to consider the
impact of loss of confidentiality, integrity and availability of the
asset afterwards?
My understanding is that the probability value may decrease
after applying some controls to mitigate the risk, but how does
the impact change?


Personally I don't like the use of the generalization "Impact". It hides details, and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied; don't try for short cuts.

I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/

I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/


Compliance? What Compliance?

Posted by Anton Aylward


Sometimes I wonder why we bother ...

The Securities and Exchange Commission doesn't just enforce the rules
that govern Wall Street. When asked, it often grants individual
companies exemptions from the rules.


In praise of OSSTMM

Posted by Anton Aylward

In case you're not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 - The Open Source Security Testing Methodology Manual - http://www.isecom.org/osstmm/

There's an interesting segue to this at
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html

Skip over his ranting about the definition of "hackers"

This is the meat:

We wrote the OSSTMM 3 to address these things. We knew that penetration
testing the way it continued to be marginalized would eventually hurt
security. Yes, the OSSTMM isn't practical for some because it doesn't
match the commercial industry security of today. But that's because the
security model today is crazy! And you don't test crazy with tests
designed to prove crazy. So any penetration testing standard, baseline,
framework, or methodology that focuses on finding and exploiting
vulnerabilities is only perpetuating the one-trick pony problem.
Furthermore it's also perpetuating security through patchity, a process
that's so labor intensive to assure homeostasis that nobody could
maintain it indefinitely which is the exact definition of a loser in the
cat and mouse game. So you can be sure it also doesn't scale at all with
complexity or size.

I've been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I'm sure I've upset many people, but I do believe that the model plays up to the Hollywood idea of an Uberhacker, produces a whack-a-mole attitude and is an example of avoidance behaviour: avoiding proper testing and risk management such as incident response and good facilities management.

I've seen too many "pen testers" and demos of pen testing that are just plain ... STUPID. Unprofessional, unreasonable and pandering to the ignorance of managers.

In the long run the "drama-response" of the classical pen-test approach is unproductive. It teaches management the wrong thing - to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

And worse, it

  • shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors, who are trained not only in assessing the system but in assessing the business impact of the risks associated with a vulnerability
  • has no guarantees about what collateral damage the outsider had to do to gain root
  • says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  • indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle

Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!

"Crazy" is a good description of that approach.

Requirements for conducting VA & PT – Take 2

Posted by Anton Aylward

Some people are under the mistaken impression that a Pen Test simulates a hacker's actions. We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then it's not a test :-)

Seriously: what a hacker does might involve a lot more: a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.