The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

April 5th, 2012

An OP-ED by Richard Clarke on China

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most ‘chicken little’ pieces, but please can we have a ‘history’ of how most nations, including the USA, have engaged in ‘industrial espionage’.

I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and that France had been practising Industrial Espionage against the “English Speaking World” for centuries. And he had evidence to back that up from at least Napoleonic times.

But then don’t forget that the “English Speaking World” stole such secrets from China as “Tea“:

For centuries, the secret of growing tea was one of China’s most closely-guarded treasures. Along with silk, tea was an extremely valuable agricultural commodity, prized as a luxury item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune dressed as a Chinese man (complete with queue) and set out to discover the secret of tea-growing. He located the bushes that produce tea, and stole seedlings that he transported to British India. China’s tea monopoly was broken.

Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune’s explorations are detailed in a new book, For All the Tea in China, by Sarah Rose. She frames this not simply as a tale of Victorian exploration, but as early industrial espionage – which, of course, it was.

I’m not saying this justifies anything, any more than the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of our common historic context, justifies any reprisals.

I’m just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

April 1st, 2012

Managing Software

Last month, this question came up in a discussion forum I’m involved with:

Another challenge to which I want to get an answer is: do developers always need Admin rights to perform their testing? Is there not a way to give them privileged access and yet have them get their work done? I am afraid that if Admin rights are given, they would download software at free will and introduce malicious code in the organization.

The short answer is “no”.
The long answer leads to “no” in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it.

March 24th, 2012

Surely compliance is binary?

Call me a dinosaur (that’s OK, since it’s the weekend and I’m dressed down to work in the garden) but …

Surely COMPLIANCE is a binary measure, not a “level of” issue.
You are either in compliance or you are not.
As in you are either dead or alive.

Now it may be that some “standard” (such as ISO27001) has a number of clauses and it’s possible to be in compliance with some and not with others, and so fall into the delusion that you are “82% compliant” with the standard. This gets back to the silliness of exams where you are not expected to be able to answer all the questions and so the pass mark was 65%. In actuality it’s a recipe for disaster; if you’re only required to have 65% of the items compliant to “pass” then the standard is a joke.

It brings to mind the advert for the disinfectant that “kills 99% of all known germs”. OK, but that remaining 1% is highly deadly and highly infectious. And then what about the Rumsfeld Class III germs?

No, really, would you let a military expedition or a group of mountaineers attempting to scale Mt Everest set out with only the “passing grade” – 65% – of the equipment (be it food, ammunition, ropes, insulated clothing, whatever) that they needed?

So there’s this marriage ceremony and the groom only manages to get 65% of the way to the church; is that a passing grade? Ask the bride what she thinks.

No, compliance is binary.


Compliance Bridge - Broad requirements so that clients are Ready, Willing and Able to comply. (Photo credit: Wikipedia)

March 23rd, 2012

Social Engineering and sufficiency of awareness training

Someone asked:

If you have good information security awareness amongst the employees then it should not be a problem what kind of attempts are made by the social engineers to glean information from your employees.

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process: educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology!

March 18th, 2012

About ISO 27001 Risk Statement and Controls

On the ISO27000 Forum list, someone asked:

I’m looking for a Risk statement for each ISO 27k control; meaning “what is the risk of not implementing a control”.

That’s a very ingenious way of looking at it!

One way of formulating the risk statement is from the control objective mentioned in the standard. Is there any other way out?

Ingenious aside, I’d be very careful with an approach like this.

Risks and controls are not, and should not be, 1:1.

The Risk Management Process for IT Systems according to ENISA, following ISO 27005 (Photo credit: Wikipedia)

Some controls are there to support other controls. And don’t forget that some controls are detective and a control that ‘detects’ the functioning of another control is perfectly valid.

We’ve often spoken of “baseline controls”, that is, controls which should be in place “regardless”. Well OK, context matters. The baseline for a bank and the baseline for a power plant will differ, but they will also have a lot in common. One common branch might be a yes response to ‘are you connected to the Internet?’

A “Yes you are connected to the Internet” will produce a plethora of threats (note: *threats* not risks!) that will keep you busy all month working through to determine the risks, and for almost all of them the control will be “configure the firewall…”.

You do have a firewall as part of your baseline, don’t you?
(And you took it out of the box and installed it at a choke point, didn’t you?)

Another issue that often comes up on this forum is that of assets.
Now if it was me, I’d start with the assets. There are a number of reasons for that. First and foremost, this is all about protecting those assets. They are also a lot easier to identify than threats or vulnerabilities :-)

So we get back to “what is the risk of not implementing a control”.
The control objectives are, ultimately, to protect the assets, by various means. So you need to ask that question in terms of the assets.

Another way of looking at it is enumerate the assets and enumerate the controls and establish the relationships. Are there assets that don’t have controls protecting them?

diagram showing threat agents, attack vectors, weakness, controls, IT asset and business impact (Photo credit: Wikipedia)

I admit there is more to it than that; controls may be inadequate or superfluous. There is a tendency to implement easy ones.
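One way to do the enumerate-and-relate exercise above, written out as an added example that is not part of the original post: feed an asset inventory, a control catalogue and the asset-to-control mapping to a small shell function that reports assets with no protecting control (the gap the post asks about) and controls that protect nothing (the superfluous ones). The asset and control names are constructed placeholders; the only tools assumed are POSIX sh, awk, sort and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check an asset
# inventory and a control catalogue against the asset-to-control mapping.
# All three inputs in coverage_demo() are constructed placeholders.
set -eu

# $1: one asset per line; $2: one control per line; $3: "asset,control" pairs.
# Prints one finding per line, sorted, so the output is stable and diffable.
coverage_report() {
    awk -F, '
        FILENAME == ARGV[1] { want[$1] = 1; next }     # asset inventory
        FILENAME == ARGV[2] { ctl[$1]  = 1; next }     # control catalogue
        {                                              # mapping pairs
            covered[$1] = 1; used[$2] = 1
            if (!($1 in want)) print "UNKNOWN-ASSET", $1     # mapping names an asset nobody inventoried
            if (!($2 in ctl))  print "UNKNOWN-CONTROL", $2   # mapping names a control not in the catalogue
        }
        END {
            for (a in want) if (!(a in covered)) print "UNPROTECTED", a   # asset with no control
            for (c in ctl)  if (!(c in used))    print "UNUSED", c        # control protecting nothing
        }' "$1" "$2" "$3" | LC_ALL=C sort
}

# Demonstration on constructed data written to a temp directory.
coverage_demo() {
    d=$(mktemp -d)
    printf 'customer-db\npayroll\nweb-portal\n' > "$d/assets"
    printf 'backup\ndlp\nfirewall\nmfa\n' > "$d/controls"
    printf 'customer-db,backup\ncustomer-db,mfa\nweb-portal,firewall\nweb-portal,waf\n' > "$d/map"
    coverage_report "$d/assets" "$d/controls" "$d/map"
    rm -rf "$d"
}
```

Run coverage_demo and the report says payroll is UNPROTECTED, dlp is UNUSED, and waf is an UNKNOWN-CONTROL (it appears in the mapping but not the catalogue). The same three files, maintained alongside the risk register, give a quick answer to “are there assets that don’t have controls protecting them?” every time either list changes.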

Donn Parker has written some excellent papers on selecting controls.
They were published in the ISSA Journal back in 2010.

http://www.google.ca/search?q=parker+%22Security+Control+Selection+Principles%22


January 17th, 2012

How to decide on what DVD backup software to use

You do do backups, don’t you? Backing up to DVD is easy, but what software to use?

Why not simply k3b?

But if it comes down to it, there’s a decision tree you can and should work through.

  • Do you want the DVD backup ‘mountable’?
    If it is then you can see each file and selectively restore using the normal file management tools (cp, rsync etc)
    If you use some sort of ‘dump’ format (tar, cpio, zip or proprietary) then you will need the corresponding tool to access the backup

My choice, based upon both K.I.S.S. and bitter experience is to go with the mountable.

  • How are you ‘snapshotting’ your files?
    If you are backing up a live system[1] then there is the risk that the backup is out of phase with itself as files get changed during the time it takes to make the backup.

My solution to this is to use the snapshot mechanism of LVM.

  • How are you managing the backup archives?
    Do you need a specific dated version of a file or directory?
    Would a VCS be more appropriate than a backup system?

Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS – AND take periodic snapshots.

  • Ultimately it’s not about making backups, even if that seems to be
    most of the work, but the ability to restore.

A client found it easier to take whole image backups, but once, when having to restore a single file, there was a finger-slip and he restored the complete machine state of three years previously, losing all that day’s work plus the next day, when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.

  • How “automated” do you want this backup to be?
    Sometimes you’ll find the automation tail wags the normal operation dog.

My use of K3B means I do disk-to-disk-to-DVD. (Using LVM’s snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.

I realise this is going to be inappropriate for many sites and business functions.

This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.

Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center or ISP might be totally inappropriate and troublesome for an SMB.

[1] Once upon a long time ago systems were shut down or all jobs suspended for the backup. This has disrupted projects for me a number of times.
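Here is the disk-to-disk-to-DVD flow described above written out as an added example; it is not the post’s own script. It assumes GNU coreutils and findutils, an LVM volume group and logical volume whose names are placeholders (the two snapshot helpers need root and are not run by the demo), and genisoimage for the ISO that k3b burns. The sample tree built in demo() is constructed. What the post’s paragraphs do not show is the restore side: the manifest lets you prove that a single-file restore from the staged (or mounted) tree is faithful, which is the part that actually matters.

```shell
#!/bin/sh
# Added example, not code from the original post: disk-to-disk staging for a
# "mountable" DVD backup, with a checksum manifest so a restore can be verified.
# Assumes GNU coreutils/findutils (cp, find, sha256sum, xargs, mktemp); LVM and
# genisoimage are only needed by the root-level helpers, which demo() skips.
set -eu

# Freeze the source with an LVM snapshot so the copy is not "out of phase with
# itself". Needs root; VG/LV names are placeholders. Not run by demo().
snapshot_lv() {
    vg=$1; lv=$2; mnt=$3
    lvcreate --size 1G --snapshot --name "${lv}_snap" "/dev/$vg/$lv"
    mkdir -p "$mnt"
    mount -o ro "/dev/$vg/${lv}_snap" "$mnt"
}

release_snapshot() {
    vg=$1; lv=$2; mnt=$3
    umount "$mnt"
    lvremove -f "/dev/$vg/${lv}_snap"
}

# Copy the (snapshot) tree into a staging directory, preserving ownership,
# permissions and timestamps so the burned image is usable in place.
stage_tree() {
    src=$1; dst=$2
    mkdir -p "$dst"
    cp -a "$src/." "$dst/"
}

# Write a SHA-256 manifest next to the data; it travels onto the DVD with it.
write_manifest() {
    dir=$1
    (cd "$dir" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort \
        | xargs sha256sum > MANIFEST.sha256)
}

# Check a tree (staging dir or mounted DVD) against its manifest; returns
# non-zero on any mismatch, which is the "is this backup trustworthy?" test.
verify_tree() {
    dir=$1
    (cd "$dir" && sha256sum -c MANIFEST.sha256 > /dev/null)
}

# Single-file restore with ordinary file tools: the reason to prefer a
# mountable image over a dump format.
restore_file() {
    backup=$1; rel=$2; target=$3
    mkdir -p "$(dirname "$target/$rel")"
    cp -a "$backup/$rel" "$target/$rel"
}

# Build the ISO that k3b will burn. -R keeps Rock Ridge (Unix metadata),
# -J adds Joliet names. Not run by demo(); genisoimage is an assumption.
build_iso() {
    genisoimage -R -J -o "$2" "$1"
}

# Demonstration on a constructed sample tree: stage, write manifest, damage one
# live file, restore just that file, verify the staging tree, print the file.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/live/etc" "$work/live/home/me"
    printf 'option=1\n' > "$work/live/etc/app.conf"
    printf 'some notes\n' > "$work/live/home/me/notes.txt"
    stage_tree "$work/live" "$work/stage"
    write_manifest "$work/stage"
    printf 'option=CORRUPT\n' > "$work/live/etc/app.conf"   # simulated damage
    restore_file "$work/stage" etc/app.conf "$work/live"
    verify_tree "$work/stage"
    cat "$work/live/etc/app.conf"
    rm -rf "$work"
}
```

On a real system the order is snapshot_lv, stage_tree from the snapshot mount, write_manifest, release_snapshot, build_iso, burn; after the burn, mount the DVD read-only and run verify_tree on it before you trust it. The manifest also catches the failure mode the post describes, a backup that is internally inconsistent, because any file that changed between snapshot and copy will not match.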

November 30th, 2011

Doubts about “Defense in Depth”

So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack).

I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: it’s “ablation”, that is, burning up resources, like land (the traditional defence the Russian Empire used), manpower (the northern states in the US civil war) or resources (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas: they assume that the attack is coming from a particular direction in a particular form. What’s needed is more like an all-enclosing “bubble” rather than something linear as in the ‘defence in depth’ model. But that gets back to the problem of the perimeter.

Many wifi enabled devices are really “spies inside the defensive perimeter”.

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such might have subversive code hidden in it. No doubt this will come around again when journalists have nothing better to write about or the State Department needs to wave a big stick and scare the public — its way of showing that “it’s doing something”.

But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT devices like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!), never mind commercial databases?

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

November 30th, 2011

On the HP Printer Hack

The hack to make the HP printers burn was interesting, but let’s face it, a printer today is a special purpose computer and a computer almost always has a flaw which can be exploited.
In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything these days, cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights … has computers running it, and so what we interface with is the computer, not the natural mechanics of the device, any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the ‘Net-of-a-Thousand-Lies.

Some printers have many more functions; some do fax, repro, and scanning as well as printing a document. And look at firewalls. Look at all the additional functions being poured into them because of the “excess computing facility” – DNS, Squid-like caching, authentication …

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the “gateway” with the “firewall” function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I’m dreading what the home market will have come IP6.

I recall the Chinese curse: yes we live in “interesting security issue” times!

But in the long run of things the HP Printer Hack isn’t that serious. After all, how many printers are exposed to the Internet? We have to ask “how likely is that?”.
Too many places (and people) put undue emphasis on Risk Analysis and ask “show me the numbers” questions. As if everyone who has been hacked (a) even knows about it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of “common sense” once you stop and think about it. Many protective controls are “umbrellas”; that is, it’s about how you configure your already paid-for-and-installed (you did install it, didn’t you? It’s not sitting in the box in the wiring closet) firewall, or about spending the money you would have spent anyway on the model that has better control/protection. You do this with your car: air-bags, ABS and so on, so why not with IT equipment? The “Baseline” is more often about proper decisions and proper configuration than “throwing money at it” the way governments and government agencies do.

August 24th, 2011

The real reasons for documentation – and how much

The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to.

Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded?  How much of the justification for the decisions?

Yes, you could have reviews and summaries of all meetings and email exchanges ..

But that is not and has nothing to do with the standard or its requirements.

The standard does NOT require a management review meeting.

August 22nd, 2011

Your Asset is my Consumable


August 6th, 2011

Schneier on Security: Hacking Cars Through Wireless Tire-Pressure

http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html

A few alarming things here.
More nanny State :

In other words, the nanny state is forcing upon us expensive and insecure systems that aren’t as effective as a human being just doing what he’s supposed to, but we should just think of the children we’re “protecting” with this misguided effort.

Never mind the basic Orwellian aspects.

But the basic problem is the knee-jerk reaction of Congress combined with lack of understanding of science and technology and legislation that, by specifying method rather than objectives, plays, misguidedly, into the hands of one vendor.

They did this with emission control.
The Japanese could beat the original standard by engine design.
They did this with the old Honda CVCC.
GM wasn’t worried; they said it was a technique only for small-engine cars. Then Honda did it for larger engines. At the time GM had cornered the market in platinum, so they got Congress to write the law specifying the HOW in their favour. Of course that advantage no longer exists, but we still have the expense of the platinum ‘converters’.

Now we have more expense.

TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded that they “do something!”

June 21st, 2011

In praise of OSSTMM

In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual:
http://www.isecom.org/osstmm/

There’s an interesting segue to this at
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html

Skip over his ranting about the definition of “hackers”

This is the meat:

We wrote the OSSTMM 3 to address these things. We knew that penetration testing the way it continued to be marginalized would eventually hurt security. Yes, the OSSTMM isn’t practical for some because it doesn’t match the commercial industry security of today. But that’s because the security model today is crazy! And you don’t test crazy with tests designed to prove crazy. So any penetration testing standard, baseline, framework, or methodology that focuses on finding and exploiting vulnerabilities is only perpetuating the one-trick pony problem. Furthermore it’s also perpetuating security through patchity, a process that’s so labor intensive to assure homeostasis that nobody could maintain it indefinitely which is the exact definition of a loser in the cat and mouse game. So you can be sure it also doesn’t scale at all with complexity or size.

I’ve been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I’m sure I’ve upset many people but I do believe that the model plays up to the Hollywood idea of an Uberhacker, produces a whack-a-mole attitude and is an example of avoidance behaviour: avoiding proper testing and risk management such as incident response and good facilities management.

I’ve seen too many ‘pen testers’ and demos of pen testing that are just plain … STUPID. Unprofessional, unreasonable and pandering to the ignorance of managers.

In the long run the “drama-response” of the classical pen-test approach is unproductive. It teaches management the wrong thing – to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

And worse, it

  • shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  • has no guarantees about what collateral damage the outsider had to do to gain root
  • says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  • indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle

Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!

“Crazy” is a good description of that approach.

December 3rd, 2010

All Threats? All Vulnerabilities? All Assets?

On one list I subscribe to I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to every asset – that means that you have to consider whether every threat from your list is related to each of your assets.

“All”? “Every”?
I certainly hope not!
Unless you have a rule as to where to stop, those lists – vectors that you are going to multiply – are going to become indefinitely large if not infinite. It’s a problem in set theory to do with enumerability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of ‘risk’.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the “utility value” approach to controls

Because its the controls and their effectiveness that really count.

The issue of infinite, finite or even reasonable and usable enumerability means there _HAS_ to be a rule as to when to stop.
It’s frightening in one way: you never know that the next item, the one you’ve stopped before, might actually be critical in some particular combination. But there _HAS_ to be a halting condition or you die from analysis paralysis.

If we call this rule “common sense” or “reasonableness” or some such then what we are really doing is admitting that Donn Parker was right with his “diligence” approach (See ISSA Journal articles via Google) and that is more effective as a means of determining controls than any of the formal Risk Analysis methods.

Because its the controls and their effectiveness that really count.

But ISO27K says you HAVE to do a RA, even if it’s impossible to do it properly and if it is the wrong method or if it’s not as effective as a non-RA approach to developing controls.

Because its the controls and their effectiveness that really count.

Or is it? Is having the certification because you’ve followed the process more important?

November 11th, 2010

BCP or BIA

Business continuity planning life cycle (Image via Wikipedia)

A business might possibly choose not to have a BCP but they might be interested in doing a BIA
After all, the “impact” might be something positive resulting from some change.

Oh, the Irony!
Expeditious and cost effective.

I’ve audited BCPs and always found them lacking. They are difficult to build and often make assumptions that are necessary to get the plan done but are unreasonable in reality.

October 1st, 2010

On the abuse of the term “Architecture” in IT

Evolution of Enterprise Architecture Framework... (Image via Wikipedia)

A friend and colleague who is also a security guru and much better qualified than me and who admits that he is not a huge fan of enterprise architecture frameworks doesn’t think that “enterprise architecture” is on a completely solid footing; he points out that it’s a major business for Gartner, following their takeover of Meta Group.

He asks “Anton, you’re a systems engineer and hence familiar with large-scale modelling and design: what’s your take on the widespread use of ‘architecture’? Is it over-egging the pudding?”

Probably.
It certainly is a heavily abused term. One that has been hijacked by marketing and owes more to articles in glossy magazines than engineering substance.

September 23rd, 2010

Third-party code putting companies at risk

A composite of the GNU logo and the OSI logo, ... (Image via Wikipedia)

http://www.infoworld.com/d/developer-world/third-party-code-putting-companies-risk-302

This opens:

The use of third-party code in applications represents a big security risk for companies, according to a study from security vendor Veracode.

but they go on in such a way as to make me wonder what they mean by ‘third party’. Some of what they discuss seems to come from the primary supplier. Now if the primary supplier contracted out work, how are you to know?

Companies often use code libraries that have been developed from either open-source projects or outsourcing organizations that have been contracted to create applications…

I wouldn’t be so quick to disparage open source projects. Some of them have demonstrated much better code quality, much better reliability and security than commercial products from first-tier vendors.

“Variable quality”? Well yes, but that goes for the products from first tier vendors. “Ship at the end of the month regardless”. Yes, I’ve seen that. “Release to satisfy the investors/Wall Street”. I’ve seen that too. Open Source doesn’t have those constraints.

August 20th, 2010

Open source and commercial support

In a discussion of Open Source vs Closed Source/Commercial …

Voice 1: Maybe because they’re not customers? (in the paying for a service sense)
Voice 2: Well, I don’t understand that model. I expect to pay for code that someone writes because otherwise I cannot expect someone to stand by the stuff when it doesn’t work.

Ironically I’ve never found that to be the case.

The stuff I pay for, cable service, hosting; and the stuff I use that someone else pays for (i.e the people I work for), commercial hardware, software and service; are the other way round to what you might think.

The support sucks!

July 14th, 2010

IAM – Basics – Policy

If there’s one thing that upsets me when I see articles and postings to forums about policy, it’s mention of a “Password Policy”. I have to step away from the keyboard, go outside and take some deep breaths to calm down.

I get upset because policy is important and developing — and more importantly communicating — policy has been an important part of my career and the professional service I offer. Policies need to be easy to understand and follow and need to be based on business needs.

If you begin with a list of policies, you end up adapting the reality of your business – the operations – to the list. You are creating a false sense of security. You need to address what you need to control, and that is Identity and Access.

Let’s face it, passwords, as Rick Smith points out in his book “Authentication”, are not only awkward, they are passé – even Microsoft thinks so. More to the point, using passwords can be bad for your financial health.

They should be used with care and not as a default.

And they should most certainly NOT be entombed in a corporate policy statement.

July 3rd, 2010

Gartner: Hosted Virtual Desktops Are the Catalyst Behind Changing


June 29th, 2010

You don’t need a Firewall Security Policy

A member of a discussion list I subscribe to asked for a Firewall Policy template.

As usual, I was alarmed enough by this to want to comment and drag it back to the discussion on “assets”.

I don’t think you should have a “Firewall Security policy”.
This is why.

A great book on firewalls once described the firewall as

The network’s response to poor host security

You can occasionally see articles on host-centric security drifting by …

A firewall is a “network PERIMETER protection device”.

Do you have a well defined perimeter to which you can apply enforcement policies, or is your ‘perimeter’, like so many businesses these days, a vague and nebulous concept that is weakly defined? One thing that is “in” these days is “De-perimeterization”. See “The Jericho Forum”.

The firewall model is inherently one of a ‘hard outer shell and soft vulnerable centre’. As I said, it’s based on the idea of poor host security. Good host security will mean that the hosts don’t have any unnecessary open ports. Scan your network. If there are no open ports why do you need a firewall?

Oh, right: port 80. And all the hundreds of services behind it.
In effect those are your ‘open ports’. Yes, there are firewalls that claim to do ‘deep packet inspection’. Check what they actually do.
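To make the “scan your network” step concrete from the host side, here is an added example that is not from the original post: it audits a host’s own listening sockets against the short list of ports you actually intend to expose, which is the check that tells you whether host security is doing its job before a firewall is asked to paper over it. It reads the output of “ss -ltn” (or “ss -uln”); the sample below is constructed, and the allowlist of ports 22 and 80 is an assumption about what the sample host is for.

```shell
#!/bin/sh
# Added example, not from the original post: report listening sockets bound
# to a non-loopback address whose port is not on the host's expected list.
# Input is `ss -ltn` / `ss -uln` style output; SAMPLE_SS below is constructed.
set -eu

# $1: space-separated allowlist of ports. Reads socket listing on stdin and
# prints each exposed "address:port" that is not expected.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "LISTEN" && $1 != "UNCONN" { next }     # skip header / other states
        {
            m = split($4, f, ":"); port = f[m]         # text after the last ":" is the port
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only is not exposed
            if (!(port in ok)) print $4
        }'
}

# Constructed sample for a web server that should only expose SSH and HTTP.
# CUPS on 631 is loopback-only (fine); PostgreSQL on 5432 listens everywhere.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      244    [::]:5432           [::]:*'

# Run the check over the constructed sample with the assumed allowlist.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80"
}

# On a real host:  ss -ltn | unexpected_listeners "22 80"
```

audit_sample prints only “[::]:5432”: the database is reachable from the network although nothing outside the host should be talking to it. Run the same function against every host in a subnet and compare it with what an external port scan reports from the other side; any port that shows up in one list and not the other is either a firewall rule you did not know you depended on or a host you did not know was exposed.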

There are other uses for a firewall? Well some people use it as a NAT device. Some people use it to control outbound connections – “data leakage”. What they are really saying is that they haven’t built their information architecture in a robust and secure manner. Back to the ‘poor host security’. Perhaps you should be doing this sort of thing in your switch or router with ACLs. Partition your network.

So why did I start by saying “assets”?
Some people think that the assets are the hardware.
Focusing on the hardware as opposed to the services, the information and the processes leads you to think in terms of things like ‘firewalls’ rather than in abstracts like “perimeters” and “access controls”.

By addressing a “Firewall policy” you are focusing on equipment rather than fundamentals.
