Monday, January 26

Aligning Online Security Interests

There was an interesting discussion of the larger societal problems associated with the use of insecure online services over at Wade Woolwine's blog. It is a follow-on to Jeremiah Grossman's discussion regarding the alignment of interests in web security.

The discussion centered on how to align interests related to protecting online information. I have separated this problem into what I think are three important parts:
  1. Definition of common goals,
  2. Evaluation of online services against these definitions, and
  3. Education of consumers/clients/users of the product standards and evaluations.
As a security professional, I often compare information security controls to the brakes on a car: both are risk mitigation. The faster you want to get from A to B, the more robust the brakes you need. For the purposes of this discussion, vehicles in Canada must also meet a minimum brake standard before they are allowed on the street, which contrasts with online services, where no minimum security standard is required at all.

As I discuss each of these, I will compare it to the Canadian vehicle industry, where a robust (though not perfect) system exists to help consumers make informed safety decisions about the cars they drive, based on regulated safety features.

Defining common security goals

Unlike the auto industry, online security has had a difficult time defining common language and standards for what a 'safe' online service would consist of. The Payment Card Industry Data Security Standard covers a very small subset of data, and other regulations such as the Health Information Act and the Privacy Act offer only indirect guidance. For automobiles, the Government, under the authority of Transport Canada, provides very specific language in the Motor Vehicle Safety Act (MVSA). As you would expect, this act gives very definitive instructions in Schedule III on what controls are required within the different classes of motor vehicles in order to comply with the requirements.

In contrast, the only Canadian federal definitions of online service security goals I can find are in the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). These laws focus squarely on the collection and use of personally identifying information through electronic and non-electronic means, and do not address the delivery of online services affecting commerce, media publications or any other online service we interact with.

There are many questions related to establishing a common definition of security goals. What are the risks to Canadian society, people and businesses from the use of unsafe online services, and how do we measure them? Is the current privacy legislation broad and strong enough to protect Canadian people and businesses from the risks of connecting to online and electronic services? Is there a justifiable need to define more specific safety standards for online services so that they can be independently evaluated, as cars are?

Evaluation of Products and Services

Crash tests and safety ratings are part of the development of every automobile sold in Canada. Manufacturers spend a great deal of money and effort ensuring that their products pass the minimum standards, and they self-certify that they comply with the legislated requirements. Although I couldn't find a study to show it, I would imagine that the majority of Canadians would correctly expect a vehicle purchased in Canada to already comply with these standards, and thus feel comfortable that when they step on the brakes the car will stop.

Again in contrast, there is no way for a Canadian to know whether an online service they are interacting with complies with any online regulation or certification established to protect their dealings with the service. I would also expect that in a similar poll most Canadians would admit to being skeptical of the security and safety of transacting with many online services, even the Canadian government's own, and that in many cases this prevents them from using these services.

Is this level of skepticism about online interactions acceptable to Canadian society? Are individual demands for the safety of online services enough? If demands for vehicle safety were left to the consumer alone, would that be enough incentive to ensure vendors protect us?

Enforcement and Education

Transport Canada also provides some handy guidelines which explain the methods by which the regulations are enforced. These are very carefully worded and give an excellent description of the objectives, roles and responsibilities of the various government agencies in ensuring compliance with the regulations.

This is again entirely different in the world of online security, but that is to be expected, as the legislation, regulation and standardization have not been established. At the same time it does not take much imagination to conceive of a similar arrangement for standardizing the online services provided by Canadian entities. Could we not have a set of criteria against which Canadian organizations, public and private, design their services to be protected? Is it too far-fetched to think that we could have a national safety mark used to certify online services?


Although the risks of unsafe automobiles and of unsafe online services may not be comparable in scale (the risk to life is obviously more important than the risk of information compromise), I believe that an alignment of interests, including government regulation if properly designed and implemented, could give Canadians a distinct reputational advantage in the online world.

I would also argue that without these protections, average Canadians will continue to be affected as our use of online services grows.

But there are also significant challenges in educating both policy-makers and the public on the risks of insecure online services. How many unreported breaches and abuses of information should be tolerated before we act? Is there a common language that can be developed to ensure that the scope and mandate are clear?

I welcome comments and questions from others on this topic.

A Brief History - Completely Automated Public Turing Test to Tell Computers and Humans Apart

Computerworld has published an interesting and informative article on the Completely Automated Public Turing Test to Tell Computers and Humans Apart, or CAPTCHA, as they are affectionately known.

While they discuss the value of bot-busting techniques, they also note one of my favorite stories: spammers using human-based cracking, which is my personal favorite of all of these for its effectiveness - getting people to do the heavy lifting for free!

Thursday, January 22

OS X Forensics Resources

With the recent and growing rise of Apple's market share and Microsoft's graceful decline, forensic investigations will increasingly encounter Macs as part of the case. But do your existing toolset and methodologies take the unique characteristics of HFS+ into consideration? What about FileVault and Time Machine related structures?

Check out the Mac OS X Forensics site as a good place to start learning.
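One concrete HFS+ characteristic that trips up tools written for other file systems is its timestamp format. As an added example (not from the site above or from any forensic product), the Python below decodes HFS+ dates from the volume header. The layout and epoch are taken from Apple's Technical Note TN1150; the 32-byte header prefix it parses is constructed here for illustration and is not from a real disk image.

```python
import struct
from datetime import datetime, timedelta, timezone

# HFS+ dates are unsigned 32-bit counts of seconds since 1904-01-01 00:00:00
# (Apple TN1150), not Unix time. The two epochs differ by this many seconds,
# so a tool that treats them as Unix timestamps is off by 66 years.
HFS_EPOCH_OFFSET = 2082844800


def hfs_date(seconds: int, tz: timezone = timezone.utc) -> datetime:
    """Decode an HFS+ date. Nearly all HFS+ dates are GMT; the exception is the
    volume header's createDate, which TN1150 says is stored in local time, so
    the caller passes the zone it believes the volume was created in."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("HFS+ dates are unsigned 32-bit (they run out in 2040)")
    return datetime(1904, 1, 1, tzinfo=tz) + timedelta(seconds=seconds)


def hfs_to_unix(seconds: int) -> int:
    """Same conversion as an integer Unix timestamp (for GMT fields only).
    Note that a zero HFS+ date (a common 'never' sentinel) becomes negative."""
    return seconds - HFS_EPOCH_OFFSET


# First 32 bytes of HFSPlusVolumeHeader (TN1150), all big-endian:
#   signature 'H+' ('HX' for HFSX), version, attributes, lastMountedVersion,
#   journalInfoBlock, createDate, modifyDate, backupDate, checkedDate.
VOLUME_HEADER_PREFIX = struct.Struct(">2sHI4sI4I")
VOLUME_HEADER_OFFSET = 1024  # the header sits 1024 bytes into the volume


def parse_volume_header_dates(header: bytes, local_tz: timezone = timezone.utc) -> dict:
    """Return the four volume-header dates as aware datetimes."""
    (sig, version, _attrs, _mounted, _journal,
     create, modify, backup, checked) = VOLUME_HEADER_PREFIX.unpack_from(header, 0)
    if sig not in (b"H+", b"HX"):
        raise ValueError("not an HFS+/HFSX volume header: signature %r" % sig)
    return {
        "signature": sig.decode("ascii"),
        "version": version,
        "createDate": hfs_date(create, local_tz),  # local time, see hfs_date()
        "modifyDate": hfs_date(modify),
        "backupDate": hfs_date(backup),            # 0 = never backed up
        "checkedDate": hfs_date(checked),
    }


# Constructed sample header prefix (not from a real disk): HFS+ version 4,
# created 2009-01-01 00:00 volume-local time, modified a day later, never
# backed up. 1230768000 is 2009-01-01T00:00:00Z as a Unix timestamp.
CREATE = HFS_EPOCH_OFFSET + 1230768000
SAMPLE_HEADER = VOLUME_HEADER_PREFIX.pack(
    b"H+", 4, 0, b"HFSJ", 0, CREATE, CREATE + 86400, 0, CREATE
)

if __name__ == "__main__":
    # Treat the volume as created on an Eastern (UTC-5) machine; only
    # createDate shifts, the GMT fields do not.
    eastern = timezone(timedelta(hours=-5))
    for name, value in parse_volume_header_dates(SAMPLE_HEADER, eastern).items():
        print(f"{name:12} {value}")
```

To run it against an image, read 32 bytes at VOLUME_HEADER_OFFSET from the start of the HFS+ partition (not the disk) and pass them to parse_volume_header_dates. The same 1904 epoch applies to the dates in catalog file records, so the hfs_date helper carries over to file-level timelines.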

ISACA Publication - Defining Information Security Manager Position Requirements

For those security managers who have subscriptions to the ISACA publications, there are a couple of interesting articles that have been released. The first, Defining Information Security Manager Position Requirements, provides a good description of the information security management role within organizations and what it takes, and will take, to succeed.

The JOnline publication also includes an article by Kim Fath and John Ott that provides a basic description of the risks associated with application vulnerabilities. Although not very original, it gives a good basic description of the issues.

Wednesday, January 21

Responsibility for Public Information Security Training

There have been a number of articles posted recently which point out statistics on corporate responsibility for security practices, data breach disclosure laws which require that customers be notified of such breaches, and so on.

Are Canadian Breach Disclosure laws adequate?
Canadian legislation not coming?

In my observation, there may be a greater risk to our online society from general data abuses and breaches affecting ordinary citizens, and many of these risks appear to stem from our behavior and online habits as a whole. Although those of us educated in the methods used to exploit sensitive information can protect ourselves by
  • checking website SSL certs,
  • knowing what a phishing (or spam) email looks like,
  • or running a few Google queries to check into the past of a person we're going to transact with,
I would argue that the large (and growing) majority of Internet users are not even this savvy. Do we really think that this population of users will learn these skills through osmosis, and that after many, many people are taken advantage of, this type of knowledge will become commonplace? I also take the position that even as the security of our sensitive information becomes more prevalent, the damage done to the overall reputation of the online world will have a much greater negative impact.

All doom and gloom? Not really; there are a few organizations which are helping to educate people more quickly:
  • Government of Canada's Public Safety
  • Stay Safe Online - US non-profit
  • Wiredsafety - global volunteer organization

One of the questions that comes to mind is whether the amount of public and government attention to this problem is adequate. I'll look at this issue in more detail in part 2 of this post.

Tuesday, January 20

3rd Largest Data Breach Reported

Another wonderful example of how "massive" data breaches occur. It will be interesting to see how the fallout from this incident differs from the TJX event.

From the Washington Post:

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”
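The malware described above was recording card data as it crossed the processor's network, which is exactly the kind of data an investigator goes looking for when triaging a capture or memory dump after a suspected compromise. As an added example, not from this post or from the article it quotes, the Python below scans text for candidate primary account numbers and discards most false positives with the Luhn check and a coarse issuer-range check. The traffic fragment is constructed for illustration; its field names are invented and the 16-digit values are publicly documented test card numbers, not real accounts.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of plaintext payment traffic of the sort a card-capturing
# sniffer on a processor's network would see. Field names are invented; the
# 16-digit values are well-known gateway test numbers, not real accounts.
SAMPLE_CAPTURE = (
    "POST /authorize HTTP/1.1\r\n"
    "Host: gateway.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=J+DOE&pan=4111111111111111&exp=0912&amount=1999\n"
    "name=A+SMITH&pan=5500-0000-0000-0004&exp=1110&amount=4500\n"
    "orderid=4111111111111112&ref=1234567890123456\n"
)

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a longer numeric ID is not split up).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(pan: str) -> Optional[str]:
    """Coarse brand check from well-known IIN ranges and lengths. About one in
    ten random digit runs passes Luhn by chance; requiring a plausible brand
    drops most of those (order numbers, reference IDs, timestamps)."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720) and n == 16:
        return "mastercard"
    if pan[:2] in ("34", "37") and n == 15:
        return "amex"
    return None


def mask(pan: str) -> str:
    """Keep the first six and last four digits; the finding itself is
    cardholder data and should not be written to a report in full."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data: str) -> List[Tuple[str, str]]:
    """Return (pan, brand) for every Luhn-valid, brand-plausible digit run."""
    hits = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = issuer(digits)
        if brand and luhn_valid(digits):
            hits.append((digits, brand))
    return hits


if __name__ == "__main__":
    for pan, brand in find_pans(SAMPLE_CAPTURE):
        print(f"{brand:10} {mask(pan)}")
```

Run over a pcap payload, a process memory dump or application logs, this flags where card data sits in the clear; the two test numbers are reported, while the order and reference numbers on the last line, which look identical to a regex alone, are rejected by the Luhn and brand checks. Keep the masked form in any write-up, since an unmasked hit list is itself a cardholder-data exposure.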

Wednesday, January 14

Security Strengths of Cloud Services

As the debate rages on about the direction of 'cloud' computing, which is really just a 2.0 word for 'software-as-a-service' or SaaS, there are, in my opinion, a few security benefits which make cloud-based services a more secure option for some.

1.  Common platform.  Using a single service platform has the advantage that if a vulnerability exists in the service, it takes only one remedial fix.  This is unlike unique implementations of similar products at each customer, where vulnerabilities can go unnoticed, unpatched and exploited for long periods of time.

This glass can also be half-empty, though: a single problem or weakness can affect all of the service's customers.  But if my own experiences with common platform products (like my MacBook) are any indication, I would rather have a problem that all of the product's customers share and that will attract the required attention from the vendor, at the risk of losing them.

2.  Service agreements.  Mature, formal service agreements which are designed to effectively control the services being provided and to set out the expectations of both provider and customer are likely to be fair and open.  This allows communities of customers to influence the provider's terms, including provisions for security, availability, auditability, etc.

3.  Focus on Information.  Many of cloud computing's opponents will argue that if there can be no inherent trust in a third-party system, then no security can be afforded to the information itself.  I see this as quite the opposite: if trust cannot be clearly defined, then a conscious decision to keep sensitive data off the service can be made.  This contrasts with the current internal service model, where an organization's staff falsely promote trust in insecure systems, leaving data at risk without any knowledge of those risks.

4.  Extensions.  As FireGPG shows, many innovators are equipping cloud service users with tools to use those services securely, or to build a layer of trust on top of them.  This builds on the previous point: the cloud can be explicitly defined as untrusted and used only for what it can provide to the secure or trusted layer, such as transport and storage in the case of secured email.

5.  Buy the availability that you need.  Most services, including the inevitable Google Apps platform, provide easy to understand availability service levels.  GAPPS STATS.  While the previous strengths mostly concern the confidentiality and integrity of the information being handled, most cloud services are designed to be purchased according to the amount of availability required.

The one reality is that the ever-connected nature of cloud services requires a supporting level of connectivity to that particular portion of the Internet, and as everyone knows, from time to time there are interruptions to these connections which no one can control; we are still using the same network that evolved from simple connections between defense entities and educational institutions.

I would be very interested in other people's perceptions of the security/insecurity debate over cloud computing.  Here are a few examples a quick cloud search provides:

Monday, January 12

SANS Top 25 Programming Errors

Looks like appsec product vendors now have another angle to sell their gear, as SANS has announced the release of its top 25 programming errors.

This is a fantastic list of issues that don't get enough airplay. Instead of focusing on the symptoms of the mistakes (the OWASP Top 10 web-app vulnerabilities), this list provides a sample of the root-cause issues, although it could be argued that all of these common problems stem from a lack of security policy definition and enforcement regarding development.

At least for those organizations that like to use these types of lists as a policy tool, it will significantly reduce the number of issues that arise from development.

Tuesday, January 6

Forensics Links

Sorry about the gap in posts - it's been an excellent holiday season and therefore not much time to read or write. Here are a couple of links to some excellent forensics papers which are almost required reading for security professionals these days.
  • An excellent reference for forensic work related to virtual machines has been published by Brett Shavers here. A must-read for anyone doing forensic work involving VMs.
  • Finally, here is a link to a list of papers related to digital forensics, along with a great forum for investigators to discuss related topics - Forensic Focus.
I know that it is easy for security professionals not working daily with forensics to miss out on some of the excellent material out there - I hope this helps catch people up.