May 2008 Archives

Separation of duty is one of the most powerful tools an information security professional has. But that is exactly what it is: a tool; not a goal.

My family and I live in a very safe suburban neighborhood. The incorporated village has its own police force, and most of the village's budget is spent on it. Much to my surprise, we have been becoming more and more aware of suspicious activities in a house in our area; cars pull up at the strangest hours and leave again within 5 minutes. Usually someone walks over from the car to the house, a handshake is exchanged and the visiting party leaves. Sounds like there is some trade in "stuff" going on.

As with most people, we are not too happy that this is happening on our doorstep. We have repeatedly called the local police department and even had house visits by detectives who were trying to figure out, from our witness statements, what might be going on. The last house visit ended with the detectives reassuring us to call whenever.

Today is a nice day. It is 78 °F (25 °C) and sunny here in Garden City, NY. Today, I decided to actually take a lunch break and stroll over to Subway for a bite. On my way out, I snatched the latest copy of ISACA's Information Systems Control Journal. Although I did not get much past the guest editorial by William C. Boni, titled Mobility Changes (Almost) Everything! (membership required) it was worth a good read. Mr. Boni writes:

"The notion of treating an organization's network as if it is a discrete environment and developing security solutions to guard against the threat of outsiders is dangerously outmoded and an incomplete concept. We need to understand that this pernicious and outdated concept still affects our approach to protection, and many people continue to operate as if physical location is a reliable measure for protecting organizations against risks of information theft or loss."

ISACA Information Systems Control Journal, Volume 3, 2008

Very few active practitioners of the information security trade will disagree that the perimeter is fading, and that we are facing an increasingly mobile workforce. I blogged about this before, and I doubt that this will be my last post on the topic.

The essential truth that dictates most of my working day is "better is worse than good enough." I had become aware of this phrase back in my college days, when one of my professors used it often, usually in the context of some form of process modeling or data modeling exercise.

The real value of this phrase is in understanding what you need and what you do not need. Implementing unnecessary controls is bad; trying to become better is worse than accepting a situation that is good enough.

This post's title hardly needs any clarification, and I'll try to keep this post brief. As information security professionals, we generally play a defensive role. Very few of us are given the opportunity and the means to play the game as an attacker. Those of us who do generally enjoy it tremendously and learn a great deal from it.

Being a defender is hard; after all, as a defender you need to anticipate all possible attack vectors that an attacker might deploy against you.

An attacker, on the other hand, can take the time to do reconnaissance, scan our environment, and analyze his findings. Our defenses are visible before they are put in play; an attack is not. Then, based on the analysis, the attacker can focus his attack on what he identified to be the weakest spot in our defensive controls.

As a result, we need to strive to implement our controls (preventive, detective and corrective) as effectively as we can: we must execute with precision and excellence.

The same is true for incident response. Once an incident has been declared, we need to ensure that our containment and eradication efforts do not make the situation worse than it already is, and we need to do so quickly.

We again need to execute with precision and excellence.

If there ever is a place for perfectionists, it is in designing a defensive position.

I spend too much time thinking about the roles and responsibilities in information security. Fortunately, I am not alone in this. Richard Bejtlich just posted an interesting article. I like the graphic he uses, and I support his analysis.

In Richard's vision, it seems that the role of the information security professional is much more that of a specialist than many practicing professionals believe it to be. It also clearly outlines that because of our specialism (specialism as in: focus on a narrow area), we are ideally suited to play an (in-house) consulting role.

Excellent post. Go read it.

Telephone phish

An interesting new form of phishing attack combines elements of email phishing and telephone phishing. This "hybrid phish" informs users that their bank accounts have been suspended after a fraud alert was triggered. It instructs the recipient to call a telephone number to unlock their accounts.

The phishing message looks like this:

"The security guy always says no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase based on the reality in which people work. Even if it is not actually the case, often people will think it is. Perception is reality.

Information security has a bad name. We are the people who always tell others that they cannot do certain things in ways that they feel they need to do them. Often, we do not even give them real reasons: "because that would not be secure" is not sufficient. As a child, there is nothing as frustrating as a parent saying: "because I told you so."

When addressing requests of users, the most important thing to remember is that an information security professional is a service provider, and service providers never say no. It is in our best interest to keep our users happy, to guide them and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that, and have him withdraw that request himself.

Flying long distance

International travel is stressful to many people. As I am writing this entry, I am at roughly 37,000 feet above the ground on board a KLM Boeing 777-200. Today's flight will take me from the Netherlands back to the United States.

The flight attendants just handed out The Forms, and people are freaking out. Not because they worry about giving up their information, but because they are uncertain about what to put in the open spaces, afraid of the consequences when they make a mistake, and generally apprehensive about the unknown.

Another post from the train. This time I am on my way from Utrecht to Leiden. Leiden is one of the oldest cities in the Netherlands, and proudly houses one of the most well-known universities in the country.

Very often, information security professionals are extreme perfectionists. The nature of our work requires us to be that. Defending against an unknown threat means that we have to be ready for any attack; missing one element or implementing one control in a vulnerable way will expose us to risk that eventually will manifest itself.

However, we also need to realize that perfection is not expected from us. Moreover, one might say that the organizations we work for expect that we will not be perfect. Obtaining a high level of assurance that we will not be faced with an attack is extremely costly, and might be more expensive than the organization is willing to pay. After all, if the cost of protection outweighs the potential loss, most businesses will choose not to protect.

Perception is reality.

Security through obscurity

As I write this entry, I am on an intercity train going from Tilburg to Utrecht after a 3 hr meeting. Coming back to my home country after having been away for a while, I always forget how beautiful the country really is. Large open spaces, lots of green, a lot of water and pretty scenery. I have been pretty much up for 29 hours (only slept for 3 hrs or so) and feel fairly jet lagged. Readers who do the West-East crossing regularly can probably identify with how I feel at this point :)

Anyhow; I am in The Netherlands to attend the 2008 SURFnet customer relationship event and I will be presenting the work we are doing on AIRT. AIRT is a web-based platform distributed under the GNU General Public License that aims to assist computer security incident response teams with the bureaucratic aspects of their work. AIRT's goal is to minimize the work on incident administration through automation, allowing handlers to focus on the work that really matters.

What does this have to do with Security through obscurity? Absolutely nothing, but since I was writing a blog entry, I might as well throw in a shameless plug for a project on which I spend a considerable amount of time ;).

For the last few days, I have been thinking about doing a series of blog posts around the theme Essential Truths in Information Security. In these posts, I will discuss a number of lessons that I learned while working in information security.

Today's truth is: Understand what you protect. For an information security professional to be successful, just understanding how to protect a resource is not enough. A deeper understanding of your organization's assets is at least as important: what are the resources that you are trying to protect? How important are those resources to the organization? What kind of controls are appropriate?

I have spent the last few days at the EDUCAUSE/Internet2 Security Professionals Conference. Of all the conferences that I have attended over the years, this might have been the best. Not only were the logistics very well taken care of (I did not detect many problems), the sessions that I attended were relevant, interesting, and of an acceptable quality.

In addition, I was able to put a face to many of the names that I have seen in the past year, and I have enjoyed it a lot. Attending the conference was definitely worth my time (and my employer's money). Well done, EDUCAUSE!

I am heading off to the EDUCAUSE/Internet2 security professionals conference this weekend. The event starts Sunday and completes Tuesday around noon. While getting my packing list checked off (business cards, itinerary, confirmations, reservations, schedule, etc) I was getting ready to pack my laptop, power supply, cable lock, external drive, etc.

Then I stopped.

Why would I carry all this stuff?