<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8757787981235534141</id><updated>2011-11-18T06:02:13.202-08:00</updated><category term='security resources mailing list blog aggregators'/><category term='cloud security HMG'/><category term='BrightTALK cloud security webcast'/><category term='PSN hack'/><category term='cybersecurity CSR SIRO'/><category term='PaaS'/><category term='cloud security security charicatures'/><category term='cloud security BrightTALK webcast'/><category term='enterprise architecture'/><category term='GISS'/><category term='cloud security Azure service bus'/><category term='cloud security usage'/><category term='security architecture'/><category term='RSA &quot;Lockheed Martin&quot; L-3 &quot;Northrop Grumman&quot;'/><category term='AWS outage'/><category term='SaaS vs PaaS vs IaaS security'/><category term='DSD'/><category term='BrightTALK'/><category term='mitigation strategies'/><category term='Security'/><category term='cloud camp london security'/><category term='cloud world forum'/><category term='AWS Enterprise'/><category term='Infosec'/><category term='webcast'/><category term='sophos taviso'/><category term='RSA HBGary Comodo'/><category term='cloud security'/><category term='cloud security SMEs hybrid computer weekly'/><category term='cloud data security obfuscation privacy'/><category term='ENISA cloud security risk management'/><category term='CipherCloud'/><category term='cloud computing adoption'/><category term='PwC'/><category term='architecture'/><category term='IRM'/><category term='Cloud'/><category term='innovation security'/><title type='text'>Security|Life|Musings</title><subtitle 
type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>51</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-673301590545691641</id><published>2011-11-04T03:56:00.000-07:00</published><updated>2011-11-04T04:00:27.265-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security'/><category scheme='http://www.blogger.com/atom/ns#' term='PwC'/><category scheme='http://www.blogger.com/atom/ns#' term='mitigation strategies'/><category scheme='http://www.blogger.com/atom/ns#' term='DSD'/><category scheme='http://www.blogger.com/atom/ns#' term='GISS'/><title type='text'>Evidence-based opinions</title><content type='html'>I came across a couple of interesting web-sites over the last couple of weeks that I think are worth sharing.  The first of these relates to work conducted by the Australian government's Defence Signals Directorate (DSD).  Through analysis of the vulnerabilities and exploit attempts reported to them, the DSD has drawn up a set of 35 mitigations that would have helped to prevent exploitation.  
In fact, just implementing the top 4 strategies would have "prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010". What are these top four strategies?&lt;br /&gt;&lt;br /&gt; patching third party applications; &lt;br /&gt; patching operating systems; &lt;br /&gt; minimising administrative privileges; and &lt;br /&gt; application whitelisting.&lt;br /&gt;&lt;br /&gt;The first 3 should be just good practice.  The 4th one can be more difficult to get past the business.  In any case, it's nice to see a set of mitigation strategies based on real analysis rather than simple reliance on 'best practice'.  The DSD documents can be found over at:&lt;br /&gt;&lt;br /&gt;http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm&lt;br /&gt;http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm&lt;br /&gt;&lt;br /&gt;Definitely worth a read.&lt;br /&gt;&lt;br /&gt;What else has caught my eye?  Well, I have no choice but to give a shout-out to the competition.  PwC have released their 2012 Global State of Information Security Survey and have provided a nifty way of exploring the underlying data - available over at:&lt;br /&gt;&lt;br /&gt;http://www.pwc.com/gx/en/information-security-survey/giss.jhtml&lt;br /&gt;&lt;br /&gt;As ever, the GISS is a worthwhile read and the highlights for me relate to the cloud security aspects:&lt;br /&gt;&lt;br /&gt; It's tight, but there are now more respondents saying that they use cloud services than there are saying that they do not.  The Do Not Knows could still tip the balance either way though!&lt;br /&gt; SaaS still holds a hefty lead as the most commonly implemented service model, followed by IaaS and then PaaS.&lt;br /&gt; Of those who have implemented cloud services, over half believe that the move to cloud has improved their security.  
Less than a quarter believe that the move has weakened their security.&lt;br /&gt;&lt;br /&gt;I've been blathering on for a while that a move towards cloud services can have security benefits as well as the more often documented downsides.  It's re-assuring to see that a majority of those moving towards the cloud believe that the positives actually outweigh the negatives.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-673301590545691641?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/673301590545691641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=673301590545691641' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/673301590545691641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/673301590545691641'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/11/evidence-based-opinions.html' title='Evidence-based opinions'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-950706226488428517</id><published>2011-10-20T05:50:00.001-07:00</published><updated>2011-10-21T00:54:44.940-07:00</updated><title type='text'>Securing Cloud Services</title><content type='html'>One of these times I really must put myself in a position where I don't have to apologise for the 
tardiness of my posting.  Oh well, let's take my general neglect of this blog as read and move on :-)&lt;br /&gt;&lt;br /&gt;So why am I posting now, after letting the DigiNotar hack, the release of BEAST and all sorts of other interesting security events pass without comment?   Mostly because of two of the things that have been keeping me busy over the last few months - security architecture and cloud computing.&lt;br /&gt;&lt;br /&gt;I'm very keen on the use of enterprise architecture techniques and methodologies to drive traceability between security risks, security requirements and the delivered components.  In my view it's the best way to deliver systems that are as secure as the business stakeholders require them to be - no more and no less.  It's also a great way to consolidate security services and drive consistency of approach across an organisation.  So one of the things keeping me busy has been preparing the materials needed to expound the benefits of security architecture to our would-be clients.  As an example, please take a look at http://bit.ly/n2Ddwa.&lt;br /&gt;&lt;br /&gt;Which brings me on to the second thing.  For my sins, I have agreed to write a book on securing cloud services. Having become frustrated by the lack of real practical guidance out there, I'm setting out with the intention of helping cloud consumers to design cloud services that meet their security requirements.  Obviously there's a limit to the amount of detail that I can cover.  I'm targeting architects and designers rather than coders and so there's no Azure or APEX code in there.  But I believe that there is a gap in the market for a book that explains how organisations can deliver their security services across the various cloud service models of IaaS, PaaS and SaaS. Am I wrong? 
I guess we'll find out in Q1 2012.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-950706226488428517?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/950706226488428517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=950706226488428517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/950706226488428517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/950706226488428517'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/10/securing-cloud-services.html' title='Securing Cloud Services'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-6500683685076532929</id><published>2011-08-12T06:09:00.000-07:00</published><updated>2011-08-12T06:19:12.185-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sophos taviso'/><title type='text'>De-bunking anti-virus vendor claims</title><content type='html'>Just in case you haven't seen it yet, I'd recommend you take a look at the paper put out by Tavis Ormandy discussing the findings from his reverse engineering of the Sophos anti-virus product; the paper's available from: &lt;br /&gt;&lt;br /&gt;http://lock.cmpxchg8b.com/Sophail.pdf&lt;br /&gt;&lt;br /&gt;It's clear from the tone of the paper that the 
author had a few issues with Sophos but I don't think the tone should distract from some of the serious weaknesses (particularly in the area of buffer overflow protection) that the paper describes.&lt;br /&gt;&lt;br /&gt;What I'd really like to see now would be similar investigations of the claims of the other major anti-virus products out there - are Sophos alone in having these issues or is it endemic across the A-V industry?&lt;br /&gt;&lt;br /&gt;It would also be helpful if Sophos put out a more technical response to Tavis' paper rather than the somewhat bland post to be found at: &lt;br /&gt;&lt;br /&gt;http://nakedsecurity.sophos.com/2011/08/05/tavis-ormandy-and-sophos/&lt;br /&gt;&lt;br /&gt;'til next time...&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-6500683685076532929?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/6500683685076532929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=6500683685076532929' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6500683685076532929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6500683685076532929'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/08/de-bunking-anti-virus-vendor-claims.html' title='De-bunking anti-virus vendor claims'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5339667260467223746</id><published>2011-07-22T05:44:00.000-07:00</published><updated>2011-07-22T06:15:52.043-07:00</updated><title type='text'>So, do we actually care?</title><content type='html'>One of the consequences of the recent rash of published hacking incidents is that we may now have a contemporary sample size that's almost big enough to draw some meaningful conclusions about how much the general populace (and business) actually cares about information security.  Incidents associated with Anonymous, LulzSec, Sony, RSA, News International and others are all now in the public consciousness.  But will there be any real long-term impact of these hacks?  For example:&lt;br /&gt;&lt;br /&gt;How many mobile phone users have now set unique PINs on their voicemail rather than relying on the default values?&lt;br /&gt;&lt;br /&gt;How many organisations have ditched their RSA tokens in favour of competing technologies?  &lt;br /&gt;&lt;br /&gt;How many PS3 users have abandoned the PlayStation Network for good?  Or have they all (like me :-) been bought off by a few free games and promises that it'll be better next time?&lt;br /&gt;&lt;br /&gt;If consumers don't actually care about security, what are the real drivers for continuing to invest in it? Do we really have to fall back on compliance as the sole driver?&lt;br /&gt;&lt;br /&gt;It's fortunate for the security industry that there are still financial services organisations, IP-centric industries, gaming firms etc where the security of their systems and data is necessary for their continued survival.  
&lt;br /&gt;&lt;br /&gt;But hey, I could be wrong and perhaps the recent incidents will drive new and improved behaviours - guess we'll just have to wait and see...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5339667260467223746?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5339667260467223746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5339667260467223746' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5339667260467223746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5339667260467223746'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/07/so-do-we-actually-care.html' title='So, do we actually care?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4169119416901048118</id><published>2011-06-22T00:57:00.000-07:00</published><updated>2011-06-22T01:05:48.499-07:00</updated><title type='text'>LulzSec</title><content type='html'>LulzSec - doing it for the lulz.  
Looking at the attention and drama they've created, can anyone say that they haven't succeeded?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-4169119416901048118?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4169119416901048118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4169119416901048118' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4169119416901048118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4169119416901048118'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/06/lulzsec.html' title='LulzSec'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2340421845815515908</id><published>2011-06-03T03:53:00.001-07:00</published><updated>2011-06-08T03:16:50.574-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RSA &quot;Lockheed Martin&quot; L-3 &quot;Northrop Grumman&quot;'/><title type='text'>Time for RSA to come clean</title><content type='html'>Right. I've been patient. We've all been patient. But now I think it's time that RSA come clean about exactly what they lost when they were compromised earlier this year. 
We've now had reported attacks against Lockheed Martin, L-3 Communications and Northrop Grumman, all of which have been linked with the use of SecurID tokens as an attack vector. Is the reporting correct? No idea. Is damage being done to RSA regardless? Oh yes.&lt;br /&gt;&lt;br /&gt;What harm can come now from RSA posting details of what was compromised? I'm aware that RSA are in talks with their bigger customers but I don't think that this is enough. It certainly doesn't help me if I'm considering implementing a new two-factor authentication solution; why on earth would I consider SecurID at this time?&lt;br /&gt;&lt;br /&gt;Final points to consider. It's probably fair to state now that whoever compromised RSA has used that information to attack their first tranche of targets. The surprise element is now gone and top tier targets should now be on the lookout for similar incursions. So what's the value now to the attackers in keeping whatever they got from RSA close to their chests? I daresay there'll be a bit of probing of some of their second tier targets (banks anyone?) before the attackers decide that they've realised most of the value of their initial RSA compromise. Depending on how mischievous they feel, I wouldn't necessarily be surprised to see the compromised RSA materials appear on the Internet in the near future - if only as a means to cause significant pain and disruption to the rest of the RSA user base. Do state-sponsored hackers still do it for the lulz? Guess we'll find out soon enough.&lt;br /&gt;&lt;br /&gt;*********UPDATED************&lt;br /&gt;&lt;br /&gt;Open letter from RSA to their customers:&lt;br /&gt;&lt;br /&gt;http://www.rsa.com/node.aspx?id=3891&lt;br /&gt;&lt;br /&gt;Still no real details though.  
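&lt;br /&gt;&lt;br /&gt;An added illustration of why the loss of token seed material matters, written for this page and not taken from the post or from RSA: SecurID's algorithm is proprietary and nothing here describes it, so the example uses the open HOTP/TOTP construction of RFC 4226 and RFC 6238 as a stand-in. The seed is the test secret from those RFCs, the server-side drift window of one step either side is an assumed policy, and the time values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
)

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
// dynamic truncation to a 31-bit integer, reduced to the requested digits.
func hotp(seed []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg)
	h := mac.Sum(nil) // 20 bytes

	offset := int(h[19] % 16) // low nibble of the last byte selects the window
	code := int(h[offset]%128)*16777216 + // top bit masked off (% 128 is the 0x7f mask)
		int(h[offset+1])*65536 +
		int(h[offset+2])*256 +
		int(h[offset+3])

	mod := 1
	for i := 0; i != digits; i++ {
		mod *= 10
	}
	s := strconv.Itoa(code % mod)
	for len(s) != digits { // left-pad with zeros
		s = "0" + s
	}
	return s
}

// totp is RFC 6238 with the default 30-second step: the counter is the
// number of whole steps since the Unix epoch.
func totp(seed []byte, unixTime int64, digits int) string {
	return hotp(seed, uint64(unixTime/30), digits)
}

// verify is the server side. It accepts the code for the current step or
// one step either side to tolerate clock drift (an assumed policy). The
// only secret it consults is the seed.
func verify(seed []byte, submitted string, unixTime int64) bool {
	for step := int64(-1); step != 2; step++ {
		if hotp(seed, uint64(unixTime/30+step), 6) == submitted {
			return true
		}
	}
	return false
}

func main() {
	// Constructed values: the RFC 4226/6238 test secret stands in for a
	// token seed; the time value is arbitrary.
	seed := []byte("12345678901234567890")
	stolenSeed := append([]byte(nil), seed...) // the attacker's copy of the seed record

	now := int64(1111111109)
	fromToken := totp(seed, now, 6)
	fromClone := totp(stolenSeed, now, 6)
	fmt.Println("token:", fromToken, "clone:", fromClone,
		"server accepts clone:", verify(seed, fromClone, now))

	// A code computed from a different seed is rejected.
	other := totp([]byte("some other seed value"), now, 6)
	fmt.Println("other seed accepted:", verify(seed, other, now))
}
```

The point the code makes is that the token hardware adds nothing the seed record does not already contain: whoever holds the seed produces exactly the codes the server expects, and whatever second factor a deployment layers on top (a PIN, for instance) is all that is left. That is why "what exactly was taken" is the question that matters to customers.&lt;br /&gt;&lt;br /&gt;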
Ho hum.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-2340421845815515908?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2340421845815515908/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2340421845815515908' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2340421845815515908'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2340421845815515908'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/06/time-for-rsa-to-come-clean.html' title='Time for RSA to come clean'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-470809601506727817</id><published>2011-05-10T01:04:00.001-07:00</published><updated>2011-05-10T01:07:29.200-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PSN hack'/><title type='text'>PSN hack</title><content type='html'>O... M... G...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/"&gt;http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm surprised they weren't hacked sooner. 
&lt;br /&gt;&lt;br /&gt;The content of the article does raise some really interesting questions about their compliance with PCI-DSS and how they got through the process...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-470809601506727817?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/470809601506727817/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=470809601506727817' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/470809601506727817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/470809601506727817'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/05/psn-hack.html' title='PSN hack'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5981253875497763692</id><published>2011-04-26T06:19:00.000-07:00</published><updated>2011-04-26T07:04:27.531-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IRM'/><category scheme='http://www.blogger.com/atom/ns#' term='Infosec'/><category scheme='http://www.blogger.com/atom/ns#' term='AWS outage'/><category scheme='http://www.blogger.com/atom/ns#' term='CipherCloud'/><title type='text'>Thoughts on Infosec and the AWS outage</title><content type='html'>I managed to sneak in a quick afternoon visit to 
Infosec last Wednesday. I'll admit the free (and, quite honestly, excellent) lunch that I'd been invited to by the chaps over at IRM was influential in making sure that I didn't miss the show completely this year. Good food, interesting conversation. Thanks Phil :-)&lt;br /&gt;&lt;br /&gt;I'm not entirely sure what I made of this year's show. To my eyes, it seemed quite busy in terms of attendee numbers and a number of the brave souls manning the stands seemed to be losing their voices by the time I got there after lunch. Which means it's probably safe to assume that they'd been kept occupied pitching their wares and handing over the usual treasure trove of pens, t-shirts and cheap puzzles. However. Other than finding out some more positive details on the Forum Systems products and coming across a promising new cloud security vendor (CipherCloud - check 'em out!) I'm not sure that I got too much out of the exhibition. Primarily the same old(er) faces pitching the same old(er) solutions and, unfortunately, the same can probably be said of the education streams. Can't help thinking that the information security scene needs an injection of new DNA to breathe some new life, enthusiasm and ideas into what seems to be becoming a somewhat jaded, self-serving and self-congratulatory sector. The irony of my posting that last statement on a blog has not escaped me :-)&lt;br /&gt;&lt;br /&gt;Whilst I'm being a little negative, the big story from the cloud computing world has been the downtime over at AWS which even made it on to the BBC web-site: http://www.bbc.co.uk/news/technology-13160929. We're still awaiting details of the problem (other than that there was a problem with EBS volumes and dependent services) but the biggest surprise(?) was that the issue spanned supposedly isolated availability zones within the affected region. 
I'm really hoping that the promised "post-mortem" discussing this event provides sufficient detail to enable AWS customers to design for resilience with a full understanding of exactly how isolated availability zones really are...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5981253875497763692?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5981253875497763692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5981253875497763692' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5981253875497763692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5981253875497763692'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/04/thoughts-on-infosec-and-aws-outage.html' title='Thoughts on Infosec and the AWS outage'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5333688403242644532</id><published>2011-04-08T08:27:00.001-07:00</published><updated>2011-04-08T08:42:47.334-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security SMEs hybrid computer weekly'/><title type='text'>Latest cloudy ramblings</title><content type='html'>See, I'm making the most of my recently discovered free(ish!) 
time by popping up in Computer Weekly talking about the adoption of cloud services by SMEs.  Link below:&lt;br /&gt;&lt;br /&gt;http://www.computerweekly.com/Articles/2011/04/06/246204/CW-Security-Think-Tank-Whats-holding-up-the-cloud.htm&lt;br /&gt;&lt;br /&gt;Some interesting differences in tone and opinions amongst the contributors to this Think Tank piece.  When it comes to the use of hybrid cloud models I think I tend more towards the opinions expressed by Christofer Hoff over at  http://www.rationalsurvivability.com/blog/?p=3016 rather than the view expressed by the chap from Gartner that cloud providers should be targeting SMEs with hybrid cloud services.  &lt;br /&gt;&lt;br /&gt;Hybrid is fine if you're talking about mixing your delivery of capabilities across on-premise and cloud; I've always had more of a problem with Hybrid as a way of delivering increased capacity on demand in that it's always seemed the worst of both worlds from a security perspective, i.e. you need to worry about the security problems associated with both models rather than just the one!&lt;br /&gt;&lt;br /&gt;And, as Hoff says, "If your Tier-1 workloads can run in a public cloud and satisfy all your requirements, THAT’S where they should run in the first place!"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5333688403242644532?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5333688403242644532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5333688403242644532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5333688403242644532'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5333688403242644532'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/04/latest-cloudy-ramblings.html' title='Latest cloudy ramblings'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1205780871638951067</id><published>2011-03-25T10:12:00.000-07:00</published><updated>2011-03-25T10:32:59.772-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RSA HBGary Comodo'/><title type='text'>Fair warning</title><content type='html'>Wow.  Where did Q1 go?  Not on blogging obviously :-)&lt;br /&gt;&lt;br /&gt;Well, after four years on one assignment I finally get to try something new from the end of next week.  It's been a primarily fun and worthwhile four years and I've met some good people in that time (just in case any of my current colleagues are reading!) but it's been tough and I'm looking forward to a new challenge.  I'm also looking forward to an assignment that will give me a bit more time to concentrate on this blog and posting a little more regularly than once a quarter.  &lt;br /&gt;&lt;br /&gt;So, what prompted me to come out of blogging hibernation?  High profile hacks!  By which I'm thinking HBGary Federal, RSA and Comodo.   I can't remember a time when three such hacks happened in such a short space of time and received this amount of publicity.  Which is the most interesting?  Hard to say.  HBGary Federal was interesting because of the contents of the email spool that Anonymous released and the somewhat embarrassing implications for the likes of Bank of America and Morgan Stanley.   &lt;br /&gt;&lt;br /&gt;Is RSA interesting?  
Hard to tell as they've been very quiet about what was actually accessed during their compromise and so their customers are in limbo.  So, it's interesting in so far as a high profile security firm got 0wned; likely to be more interesting once it becomes apparent what was purloined by the attackers. C'mon RSA, help us all out here!&lt;br /&gt;&lt;br /&gt;But the Comodo hack: now that is certainly interesting.  See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html for details.  Almost certainly laying the foundations of a larger hack and demonstrating why the core security measure for most Internet users (SSL) should not be relied upon as strongly as it currently is - it certainly shows that certificate authentication is worthless without strong registration processes and capable registration authorities.  To be fair however, and in direct contrast to RSA, Comodo have at least been forthright in explaining the implications of the hack and the certificates issued.  &lt;br /&gt;&lt;br /&gt;Anyone can get hacked, including those we trust to secure the Internet, so here's hoping that more organisations follow the Comodo approach to notification than the RSA approach.&lt;br /&gt;&lt;br /&gt;See you in Q3 :-)</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1205780871638951067/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1205780871638951067' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1205780871638951067'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1205780871638951067'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/03/fair-warning.html' title='Fair warning'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-8203998470346746461</id><published>2011-01-21T08:38:00.000-08:00</published><updated>2011-01-24T07:53:17.045-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ENISA cloud security risk management'/><title type='text'>ENISA's latest paper on cloud</title><content type='html'>I don't usually like to criticise the efforts of others to provide useful (or at least informative) guidance; however, the latest paper from ENISA on Security and Resilience in Governmental Clouds has provoked me into something of a reaction.  And that reaction is meh.&lt;br /&gt;&lt;br /&gt;To expand further...&lt;br /&gt;&lt;br /&gt;If you're not familiar with cloud computing, it's probably a good document to pick up and have a read through in order to get an idea of what the whole cloud thing is about.  But there's nothing startlingly new or original in here - the decision framework is new but I wouldn't say startling.  I think some of the flows are troublesome as well, as it happens.  I'm really not confident that the order of risk assessment, choice of deployment model (or "IT Architecture" in ENISA parlance) and then identification of threats is particularly applicable in the real world.  
I'd have preferred something more along the lines of identify business requirements, identify threats, identify potential solutions, narrow down choice based on trade-off between risk and business benefits, prepare RfP etc... I guess I'm a little uncomfortable with attempting to put security as a blocker right at the start of the process; perhaps I'm just a bit too heretical to work in security these days.&lt;br /&gt;&lt;br /&gt;My other problem with the paper is that it suffers from the usual naivety in terms of clumping together all IaaS, PaaS and SaaS providers into the 3 buckets and assuming that you have the same risks regardless of service provider.  They fall into the same trap as most of the material in this space by practically treating IaaS, PaaS and SaaS as specifications rather than broad categories.  As an example of the problem - if you look at the PaaS offerings of Microsoft Azure, Force.com, Heroku, Google's AppEngine and Terracotta and tell me that you can apply the same risk profiles to platforms offering Ruby, Apex, Java, Python and .NET and administered in a variety of ways using differing authentication and authorisation mechanisms then I'm not playing with you anymore and I'm going to tell your mum.  Don't even get me started on the diversity you'll find with SaaS - how can you apply the same risk profiles to services that range from accounting through to collaboration through to authentication or whatever?&lt;br /&gt;&lt;br /&gt;But as I say, if you're not familiar with the subject and want to get a grounding then it's not a bad document.  But if you are familiar with this space, I'd say read it so that you're not left out in cloud conversation* but overall... 
meh.&lt;br /&gt;&lt;br /&gt;* yes, there is such a beast as cloud conversation; unfortunately it does tend to go pretty much as summarised by Dilbert: &lt;a href="http://www.dilbert.com/strips/comic/2011-01-07/"&gt;http://www.dilbert.com/strips/comic/2011-01-07/&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/8203998470346746461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=8203998470346746461' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8203998470346746461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8203998470346746461'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2011/01/enisas-latest-paper-on-cloud.html' title='ENISA&apos;s latest paper on cloud'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-7503306449229540980</id><published>2010-11-29T05:51:00.001-08:00</published><updated>2010-11-29T06:01:16.180-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing adoption'/><category scheme='http://www.blogger.com/atom/ns#' term='security architecture'/><title 
type='text'>Security architecture. And cloud computing.</title><content type='html'>Just a quick plug for my latest article over at Computer Weekly:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2010/11/25/244113/Security-Zone-Cloud-computing-puts-the-spotlight-on-security.htm"&gt;http://www.computerweekly.com/Articles/2010/11/25/244113/Security-Zone-Cloud-computing-puts-the-spotlight-on-security.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To be honest, I started off with every intention of writing a generic article about the value of security architecture within which there would be no mention of cloud computing at all.  But I couldn't help myself.  The fit was too natural.  So I prattle on about why security architecture is so valuable (e.g. demonstrable traceability from risk and/or requirement through to deployed solution) and then why this is particularly relevant to cloud deployments in terms of ensuring consistency across delivery models: solutions should share business requirements and business risks regardless of IT delivery model, you just tweak around the logical and physical elements once you know which model you're going for...&lt;br /&gt;&lt;br /&gt;Go on, take a look.  
Feel free to leave comments here if you're so inclined.</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/7503306449229540980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=7503306449229540980' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7503306449229540980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7503306449229540980'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/11/security-architecture-and-cloud.html' title='Security architecture. And cloud computing.'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-7306397980904525306</id><published>2010-10-22T06:35:00.000-07:00</published><updated>2010-10-22T07:00:00.852-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cybersecurity CSR SIRO'/><title type='text'>Cyber security, national security and the CSR</title><content type='html'>Well, it's certainly been an interesting week.  Firstly we discover that cyberattack ranks right up at the top of the risk list for the UK alongside more familiar terrorist activities.  
We also discover that there's an extra £650m worth of public funds being set aside to improve our cyberdefences.  Setting aside some fairly natural cynicism that pushing the (relatively) cheaper option of boosting our cyberdefences (compared to a fully functional aircraft carrier for example) is nothing more than a nifty political sidestep, I must admit to some interest in seeing where this extra cash is going to go.  I can't help feeling a little fear that this money could be wasted in a couple of ways:&lt;br /&gt;&lt;br /&gt;i) Supporting the numerous organisations that we already have dealing with cybersecurity in the UK, e.g. CESG (and CSOC), the Cabinet Office (and the OCS), etc. and increasing the overall bureaucracy&lt;br /&gt;&lt;br /&gt;ii) Purchasing more firewalls and intrusion prevention systems and other easily packaged and easily procured technologies.&lt;br /&gt;&lt;br /&gt;The core problems facing HMG and the wider CNI relate to a lack of understanding of the true threats and likely attack vectors together with an unfortunate lack of effective governance for cybersecurity issues.  I'm fairly sure that the risk appetites of any number of organisations would shrink dramatically should individuals of the correct seniority be held personally accountable for any security incidents.  Of course, in order to get to this position there needs to be the appropriate will and desire to compel such individuals to take on this responsibility, and then money spent on the education of these newly willing volunteers to ensure that they can actually make informed decisions.  In the interests of fairness, I think there's also a case to be made for educating many security professionals so that they can discuss threats, vulnerabilities and risks in a manner that can be understood by senior business types - technologies don't really matter so much as the potential business impact.  
We need to understand the technologies to minimise risk; they need to understand the business impacts so that they can tell us which risks we should be concentrating upon.  None of this is news to most of you, and it's been tried before (particularly post Hannigan), but there's still a lot more to be done.&lt;br /&gt;&lt;br /&gt;Fingers crossed that this money finds its way to those who know what needs to be done and is not simply thrown at technology - I know it's a lot easier to procure a firewall than it is to procure a well-informed Senior Information Risk Owner but I also know which has the most beneficial effect in the long term...</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/7306397980904525306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=7306397980904525306' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7306397980904525306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7306397980904525306'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/10/cyber-security-national-security-and.html' title='Cyber security, national security and the CSR'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2605878812306563255</id><published>2010-09-20T09:46:00.000-07:00</published><updated>2010-09-20T10:02:12.387-07:00</updated><title type='text'>Authentication in the cloud</title><content type='html'>&lt;span style="font-family:arial;"&gt;One of the more common criticisms of cloud computing is that the available authentication mechanisms are weaker than those available to more traditional deployments.  Today's announcement by Google that it will now support a form of two-factor authentication for its Google Apps service is a welcome rebuttal to such criticisms:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html"&gt;&lt;span style="font-family:arial;"&gt;http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Whilst I'm on this topic I should also point out that Amazon Web Services have been offering multi-factor authentication functionality since late 2009 via the use of Gemalto tokens which generate one-time codes - details available here:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://aws.amazon.com/mfa/"&gt;&lt;span style="font-family:arial;"&gt;http://aws.amazon.com/mfa/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Of course, what you don't want to end up with is a scenario where you have to carry multiple devices (phones, tokens etc.) capable of 
generating security tokens for each cloud service you deploy.  One way around this would be to consider the use of SAML and a single authentication provider for all of your cloud services.  Take a look at the CRYPTOCard Managed Authentication Service - you may like what you see!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cryptocard.com/mas/index.php?option=com_content&amp;amp;view=article&amp;amp;id=39&amp;amp;Itemid=2"&gt;&lt;span style="font-family:arial;"&gt;https://www.cryptocard.com/mas/index.php?option=com_content&amp;amp;view=article&amp;amp;id=39&amp;amp;Itemid=2&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;And as none of my blog posts seem to be complete without a link out to more of my ramblings, you may be interested in what a number of luminaries (and me) have to say about value added cloud services over at:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2010/09/06/242626/Security-think-tank-Value-added-cloud-security-services.htm"&gt;&lt;span style="font-family:arial;"&gt;http://www.computerweekly.com/Articles/2010/09/06/242626/Security-think-tank-Value-added-cloud-security-services.htm&lt;/span&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2605878812306563255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2605878812306563255' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2605878812306563255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2605878812306563255'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/09/authentication-in-cloud.html' title='Authentication in the cloud'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4561638438995674508</id><published>2010-07-29T08:05:00.000-07:00</published><updated>2010-07-29T08:32:54.705-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security security charicatures'/><title type='text'>Bits n Pieces</title><content type='html'>First things first.  If you're interested in cloud security, you may want to download the whitepaper now available from Capgemini over at:&lt;br /&gt;&lt;br /&gt;http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/&lt;br /&gt;&lt;br /&gt;Now I'll admit to writing that piece and so this is really just a blatant plug.  Happy to take comments on the paper though.&lt;br /&gt;&lt;br /&gt;Other things... still frustrated by a variety of different attitudes to security, maybe I should try and catalogue them....&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Best Intentioned (but ill-informed) &lt;/span&gt;&lt;br /&gt;Those who do what they do with the best of intentions, e.g. 
"well we did that to improve the security", but have no real expertise in the subject area and were too busy to ask anyone else and so end up going down a sub-optimal path.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Rationale Reverse Engineers&lt;/span&gt;&lt;br /&gt;"Well, it's too late now and we can't possibly implement that solution.  It wasn't really that important anyway was it?  Not if you think about it like this..."  Nuff said.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Optimist&lt;/span&gt;&lt;br /&gt;"Well, who'd do a thing like that? Nobody's interested in attacking us."  Eeek.  The Optimist has always been around and I daresay will always be around.  I always feel guilty pointing out the realities and tarnishing such naive innocence.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Robot&lt;/span&gt;&lt;br /&gt;Blind obedience to policy or procedure.  Even if that policy or procedure is not directly relevant to the problem at hand.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Pessimist&lt;/span&gt;&lt;br /&gt;"Well, if this were to happen we'd be dead in the water.  So we can't do anything."  All risk is bad.  Possibly even more dangerous from a business perspective than the optimist.  If you tend to believe in Darwinism and any applicability to the business environment then it's the organisations that are most able to change that thrive.  Change and Pessimists do not mix well.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Perfectionist&lt;/span&gt;&lt;br /&gt;You're only secure if there is no way in.  Lock down everything.  Ensure that every line of code in your organisation is perfect.  
Often find work as penetration testers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Policy Monkey&lt;/span&gt;&lt;br /&gt;A bizarre breed who produce policies with blatant disregard for the organisation concerned, the applicability, technical relevance or feasibility of their output.  Often expensive but very good at producing materials for balancing wonky tables.&lt;br /&gt;&lt;br /&gt;Have to point out that the categories in the above list are not directly correlated to individuals in my current day job and are generic caricatures.  Just in case anyone's reading.  :-)</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4561638438995674508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4561638438995674508' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4561638438995674508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4561638438995674508'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/07/bits-n-pieces.html' title='Bits n Pieces'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2411287903483866812</id><published>2010-05-12T13:15:00.000-07:00</published><updated>2010-05-17T00:54:02.109-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='innovation security'/><title type='text'>Innovation</title><content type='html'>After a hectic couple of months I've finally found a little time to put up a new post...&lt;br /&gt;&lt;br /&gt;One of the tasks I've had to complete recently was that of acting as a judge in a competition to find innovative solutions to a certain security problem. This has caused me to consider the entire concept of innovation and its relationship with security; primarily because a couple of the entries I had to judge presented me with something of a conundrum. The conundrum being: were these entries truly innovative or nothing more than snake oil? Was my lack of confidence in these proposals due to poor presentation, poor content or my own inability to understand something truly innovative? How do we distinguish between true innovation and snake oil? If something is truly innovative, what realistic metrics do we have at hand to justify any kind of value judgement? And, if something is truly innovative, that means that it's also going to be new and unproven and therefore scary to security types. Like me.&lt;br /&gt;&lt;br /&gt;So, what do we do about innovation and security? We can't ignore it. We always have new problems, or battlegrounds (e.g. the cloud, which tends to be a new battleground for old fights), that are crying out for new solutions. What I don't think we have are particularly pragmatic ways of adopting new solutions with any degree of confidence - existing assurance schemes (think Common Criteria) are just not appropriate for adaptable solutions to fast-moving problems.  
Anyone out there got anything useful around managing innovation in a security context?</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2411287903483866812/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2411287903483866812' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2411287903483866812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2411287903483866812'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/05/innovation.html' title='Innovation'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-3180388093957872127</id><published>2010-03-18T11:11:00.000-07:00</published><updated>2010-04-01T07:53:18.472-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='security architecture'/><title type='text'>Musings on security architecture</title><content type='html'>Time for something a little more intellectual than usual.  
Here's a list of Do's and Don'ts when it comes to Security Architecture.  Purely personal opinion.  Feel free to argue.  Feel free to agree. Feel free to ignore.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; collect all of your security requirements from your business stakeholders, your regulatory environment, your wider enterprise and industry standards&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; present me with an endless list of requirements saying the same thing but in slightly different ways.  Consolidate your requirements set but maintain traceability by stating where your consolidated requirements originated&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; obtain sign-off from the relevant business stakeholders that the requirements are correct&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; tell me that the Head of Security has approved the requirements and so we're good to go...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; perform a comprehensive risk assessment of the system/service in question&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; come back with a set of risks so abstract as to be useless - "An attacker may gain unauthorised access to my data" - well yes, but what's the business impact? What's the data?  Who is the attacker? And are you talking physical or logical access? 
And are there any relevant attack vectors available to the threat actors you're worried about?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do &lt;/strong&gt;obtain business sign-off that the risk assessment is valid and caters for the risks that they care about&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; tell me that the Head of Security has approved the risk assessment and so we're good to go...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; define a set of security services based on your requirements and your risk assessment&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; give me any services that cannot be traced back to a requirement or a risk. We're not doing this for the sake of it... It may be 'best practice' but do you need 'best practice' or is what you have good enough?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; consider how your security services interact and how they are used by the relevant actors&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; get bogged down with fully elaborating a security architecture - mental masturbation may be fun, but it's not productive.  Do what you need to do to validate that your architecture is appropriate and is as complete as it needs to be.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; consider any wider enterprise architectures that you are operating within.  Your work may just be a view on a wider architecture&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; simply assume re-use of existing services defined in a wider architecture without validating that they meet your requirements and are available for your use&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; tell other people about your work - an architecture is worthless unless it's used to influence design, build and run. 
Don't lock yourself away in an ivory tower and then complain that you're being ignored.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; exaggerate the importance of your work - architecture is a tool, sometimes a piece of art as well, but most importantly a tool.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Do&lt;/strong&gt; remember that you're working in the real world.  Whatever you're working on most likely has to be deliverable and affordable.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Don't&lt;/em&gt; be precious.  This is just a general comment :-).&lt;br /&gt;&lt;br /&gt;Well, that's my quick brain dump of do's and don'ts typed up as I sit here on a train heading home.  I've probably missed lots of really important stuff - I may even have got some stuff wrong.  In your opinion.  Let me know.</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/3180388093957872127/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=3180388093957872127' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3180388093957872127'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3180388093957872127'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/03/musings-on-security-architecture.html' title='Musings on security architecture'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-3729666200609382433</id><published>2010-03-12T04:15:00.000-08:00</published><updated>2010-03-12T04:30:05.240-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='webcast'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='PaaS'/><category scheme='http://www.blogger.com/atom/ns#' term='BrightTALK'/><title type='text'>Web-cast musings</title><content type='html'>Was it great? No.&lt;br /&gt;&lt;br /&gt;Was it utterly cringe inducing? No.&lt;br /&gt;&lt;br /&gt;Better than expected?  Probably.&lt;br /&gt;&lt;br /&gt;What am I wittering on about?  I did my second BrightTALK web-cast yesterday which was all about trying to show how cloud security need not sit (and indeed should not) apart from wider enterprise security frameworks.  Given the topic I was expecting half of my audience to 'get it' and the other half to absolutely hate it; as it turned out the feedback was mostly positive albeit there was one member of the audience who only gave the presentation 1 star out of 5.  But as I say, I was probably expecting more mixed ratings than I received and a number of 5 star ratings means it's currently standing at a 4.2/5 rating - which I'd certainly have taken before the gig!   Main lesson for me is to try and not fit a 60 minute presentation into 40 minutes as I was aware that I was rushing through the content...&lt;br /&gt;&lt;br /&gt;The really nice thing about BrightTALK is the ability to ask the audience to vote on questions of your choice.  One of my questions gave a really interesting outcome - the question was around which service model the audience viewed as the most complex to secure.  Both IaaS and SaaS scored 44% with PaaS only scoring 12%.  
I found this particularly interesting being as I was about to go on and say how I felt that PaaS was actually the most complex model to secure!  Perhaps I should have run the vote again after the webcast... Now, I believe the low score for PaaS is probably because it's the model that's the least well understood - it's not as straightforward to understand as either IaaS or SaaS - rather than my audience believing it to be intrinsically more secure.  But I could be wrong.  Any comments out there?  Do we need to expand more on what PaaS actually is?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-3729666200609382433?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/3729666200609382433/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=3729666200609382433' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3729666200609382433'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3729666200609382433'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/03/web-cast-musings.html' title='Web-cast musings'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-543506388190460396</id><published>2010-02-08T00:28:00.001-08:00</published><updated>2010-02-08T00:37:48.588-08:00</updated><title 
type='text'>Cloud and Enterprise Security Architecture</title><content type='html'>So, I let myself get volunteered to do another web-cast for BrightTALK. &lt;br /&gt;&lt;br /&gt;I'm giving the first presentation at their 3rd Cloud Security Summit on the 11th of May.  My last web-cast was a fairly generic overview of the security risks associated with cloud computing.  My next presentation is a bit more ambitious...  I'm aiming to try and bring cloud computing security within the context of wider enterprise architecture.  It's either going to be great or one of the more cringe-inducing web-casts on the Interweb :-)&lt;br /&gt;&lt;br /&gt;I would like to take a little time to explain the philosophy behind this upcoming presentation.  I’ve been thinking for a while now that those of us working in the cloud space need to work harder to bring the technologies into the mainstream – whilst the hype around cloud computing was really useful in bringing it to the forefront, I fear it is now counterproductive to mainstream adoption.  By treating cloud as somehow different, or apart from traditional IT delivery, all we are doing is making it appear scarier than it need be to potential consumers.  After all, it is human nature to be wary of things that are different or unknown.  What I aim to do is to show that we can bring cloud computing into the wider architecture context of an enterprise – yes cloud brings some unique opportunities and unique challenges, just not necessarily more so than other means of IT delivery.  
In-house, traditional out-sourcing, cloud – all have their own quirks and are all unique in their own special ways…  &lt;br /&gt;&lt;br /&gt;So please, tune in to http://www.brighttalk.com/webcasts/8490/attend on the 11th and see whether I manage to pull it off or fall flat on my face!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-543506388190460396?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/543506388190460396/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=543506388190460396' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/543506388190460396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/543506388190460396'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/02/cloud-and-enterprise-security.html' title='Cloud and Enterprise Security Architecture'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4590476466887654388</id><published>2010-01-22T04:22:00.000-08:00</published><updated>2010-01-22T04:31:47.517-08:00</updated><title type='text'>It really is true!</title><content type='html'>After years of saying that security is a genuine enabler to business and not just a blocker (or speedbump) on the way, I was fortunate enough to get some proof of my 
statements recently.&lt;br /&gt;&lt;br /&gt;I'm currently working on an information sharing solution between various disparate organisations - most of these organisations have now agreed to share more, particularly sensitive, information (of immense business value) based on their confidence in the security model.  Result!&lt;br /&gt;&lt;br /&gt;Only a short post today but I thought I ought to have something a bit more positive up here than my last post - especially if it's going to be a while til the next one :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-4590476466887654388?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4590476466887654388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4590476466887654388' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4590476466887654388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4590476466887654388'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/01/it-really-is-true.html' title='It really is true!'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5322174786878723222</id><published>2010-01-07T03:33:00.000-08:00</published><updated>2010-01-07T03:50:30.607-08:00</updated><title type='text'>Is it just 
me?</title><content type='html'>As much as I would have liked to start 2010 with a nice positive post, I'm going to have to start with a bit of a whinge. What is it about the subject of security that means that everybody working in IT believes that they know how to do it?  I rarely see non-DBAs telling their DBAs how their databases should be partitioned but I'll regularly see non-security types discussing security with great authority but little in the way of informed opinion!&lt;br /&gt;&lt;br /&gt;So, I'm happy to accept the charge that part of the brief of the security professional is to educate the masses - but I do find it incredibly frustrating that the masses seem pre-programmed with the belief that they already understand security and risk management...&lt;br /&gt;&lt;br /&gt;Is it just me?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5322174786878723222?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5322174786878723222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5322174786878723222' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5322174786878723222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5322174786878723222'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2010/01/is-it-just-me.html' title='Is it just me?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-8485500147549411222</id><published>2009-12-01T00:26:00.000-08:00</published><updated>2009-12-01T00:37:19.442-08:00</updated><title type='text'>Amusing vulnerability</title><content type='html'>I came across one of the more entertaining recent vulnerability announcements this morning - take a look at http://www.kb.cert.org/vuls/id/261869.  I think it falls into the "well it's obvious now I think about it" category however I hadn't really thought about it...  In summary, the way that clientless VPN servers re-write URLs breaks the same origin policy - pretty obvious if you've ever used one of these products and looked at the various URLs that get returned.  This means that "bad things" can happen - take a look at the advisory.   I'd suggest that any organisation using these kinds of clientless VPNs to provide remote access functionality prevent Internet browsing through these servers; after all, if a user can get to the VPN server he/she has Internet access so why do they need to go through the VPN server?&lt;br /&gt;&lt;br /&gt;Why do I view this as entertaining? Well, it's always a little ironic when security products present attack vectors and I'm a big fan of irony.  
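&lt;br /&gt;&lt;br /&gt;To make the same-origin point concrete, here is an added illustration written for this post rather than code taken from the advisory or from any VPN product. It models the link rewriting a clientless VPN performs and checks which origin the browser actually ends up enforcing; the hostnames, the rewrite layout and the allow-list are assumptions made for the example.

```javascript
// Added illustration (not code from the advisory or any VPN product) of why a
// URL-rewriting clientless VPN collapses the browser's same-origin policy.
// VPN_HOST, the rewrite layout and the allow-list are assumptions for this example.
const VPN_HOST = 'vpn.example.net';

// Model of the rewrite such a gateway applies to every link in proxied pages:
// https://intranet.example.com/p becomes https://vpn.example.net/https/intranet.example.com/p
function rewriteThroughVpn(targetUrl) {
  const u = new URL(targetUrl);
  const port = u.port ? ':' + u.port : '';
  const scheme = u.protocol.replace(':', '');
  return 'https://' + VPN_HOST + '/' + scheme + '/' + u.hostname + port + u.pathname + u.search;
}

// Recover the real destination from a rewritten URL (what the gateway does on each request).
function unrewrite(rewrittenUrl) {
  const u = new URL(rewrittenUrl);
  const parts = u.pathname.split('/');   // ['', scheme, host, ...path segments]
  return parts[1] + '://' + parts[2] + '/' + parts.slice(3).join('/') + u.search;
}

// The origin the browser enforces: scheme, host and port, nothing from the path.
function browserOrigin(url) {
  return new URL(url).origin;
}

// Hardened policy, matching the advice in the post: only rewrite hosts on an
// explicit internal allow-list, so arbitrary Internet sites are never pulled into
// the gateway's origin. Returns null when the request should be refused.
function rewriteIfAllowed(targetUrl, allowedHosts) {
  const host = new URL(targetUrl).hostname;
  if (!allowedHosts.includes(host)) {
    return null;
  }
  return rewriteThroughVpn(targetUrl);
}

// Constructed URLs: an internal application and a site an attacker controls.
function demo() {
  const intranet = 'https://intranet.example.com/payroll/';
  const attacker = 'https://attacker.example.org/evil.html';
  const distinctBefore = browserOrigin(intranet) !== browserOrigin(attacker);
  const collapsedAfter =
    browserOrigin(rewriteThroughVpn(intranet)) === browserOrigin(rewriteThroughVpn(attacker));
  return { distinctBefore: distinctBefore, collapsedAfter: collapsedAfter };
}
```

Run under node: demo() returns distinctBefore true and collapsedAfter true. Script in the attacker's page, once fetched through the gateway, executes in the same origin as the intranet application, which is precisely the separation the same-origin policy exists to provide. rewriteIfAllowed is the minimal check that keeps the open Internet out of that shared origin; it does not repair the rewriting design itself, it only removes the attacker's route in, which is why refusing general Internet browsing through the gateway is the practical mitigation.&lt;br /&gt;&lt;br /&gt;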
I also know several organisations that make use of this technology and I can't wait to point them to the link...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-8485500147549411222?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/8485500147549411222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=8485500147549411222' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8485500147549411222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8485500147549411222'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/12/amusing-vulnerability.html' title='Amusing vulnerability'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-3697931407984484939</id><published>2009-11-05T07:56:00.000-08:00</published><updated>2009-11-05T08:05:04.547-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AWS Enterprise'/><title type='text'>AWS in the Enterprise</title><content type='html'>I managed to get to the Amazon Web Services in the Enterprise event earlier this week.  It was a well attended event, with an audience predominantly suited and enterprisey in appearance.    
Despite an equipment failure (dodgy projector), which necessitated some juggling around with the schedule, I think Amazon managed to get their messages across with respect to the way that their services are currently being used to generate real business value.  As ever with these kinds of events, it was the customer presentations that generated the most interest as far as I am concerned.  Vendor presentations are fine and dandy but I’m much more interested in what real organisations are doing and the lessons that such organisations have learned during their initial experiences.  The presentation from Bob Harris of Channel 4 was particularly encouraging – especially the statement that AWS is now their default platform of choice for web facing applications; C4 projects now need to justify any decision not to use AWS.  Bob also provided an interesting anecdote of a senior technical architect from a major SI making a particularly ill-informed comment regarding the security implications of using S3.  Lesson here is to be even more diligent than usual when choosing your SI if working in the cloud space.  I will admit to a vested interest here :-). &lt;br /&gt;Overall, I think the message that most people will take away from the event is that the AWS platform is maturing and that confidence is increasing amongst enterprises that tricky issues such as compliance and security can be managed.  The other message that AWS clearly wanted to get across is that early adopters are likely to obtain a substantial competitive advantage over their more timid competitors due to increased agility and speed to market.   
We’ll have to see how that one plays out…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-3697931407984484939?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/3697931407984484939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=3697931407984484939' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3697931407984484939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3697931407984484939'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/11/aws-in-enterprise.html' title='AWS in the Enterprise'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-299339294754953798</id><published>2009-10-30T09:46:00.000-07:00</published><updated>2009-10-30T09:48:27.784-07:00</updated><title type='text'>Hostage to fortune</title><content type='html'>So in my previous blog I provided my thoughts from the Cloud World Forum event.  During that event I was asked what I believed the cloud market would be like in 5-10 years time.  Well I had a stab at an answer at the time but I've had more time to think now and I think I'd revise my answer a little.  
As much as I hate offering up a hostage to fortune, I think it may be fun to check back in a year or two to see just how wrong I am :o)&lt;br /&gt;&lt;br /&gt;First things first.  I'll be using the NIST definitions for cloud computing - check them out, they're good and they're vendor-independent.  [One beef I did have with the speakers at the Cloud WF was that they all insisted on giving us their own definition of cloud computing.  We really should be over that by now... Particularly when they all mentioned the Internet and then a number went on to talk about private clouds.]&lt;br /&gt;&lt;br /&gt;Let's have some initial assumptions:&lt;br /&gt;&lt;br /&gt;i) IaaS will become more interoperable and portable - either provider-supported through the use of standard APIs (check out http://www.occi-wg.org) or by default through meta-cloud providers reverse engineering closed APIs.&lt;br /&gt;&lt;br /&gt;ii) PaaS and SaaS vendors will have a big question to answer around the granularity of the services that they offer. &lt;br /&gt;&lt;br /&gt;iii) Consumers will have some serious thinking to do with respect to the amount of lock-in (and subsequent pricing consequences) they are willing to endure.&lt;br /&gt;&lt;br /&gt;So in my future IaaS will become seriously commoditised with consumers able to switch loads or other basic IT needs as and when necessary through the use of meta-clouds or other mechanisms for managing multiple cloud providers.  I think that's a given.  [I'm not going to talk about private or community clouds much in this post, let's just assume that most internal IT systems will be delivered by either private or community cloudy resources - let's face it, there's not much that won't be virtualised in 5 years time other than the obvious usual suspects, y'know those guys still running Cobol on legacy kit...]&lt;br /&gt;&lt;br /&gt;The PaaS and SaaS space is much more interesting.  
In an ideal world, these kinds of providers would completely open up and offer very granular services, presumably charged per transaction or subscription, that consumers could use on a per-service basis from outside of the provider environment.  Enabling SOA via cloud services.  That would be good.  What I fear is that PaaS providers in particular will be very closed-minded in their thinking and actually encourage the PaaS lock-in that has many cloud commentators (including this one) worried.  Why would they do this?  Well, once a consumer is effectively locked-in there'll be every temptation to start upping the prices - as long as the pain to the consumer is less than migrating away from the PaaS it's a definite win for the provider.  Ah, but competition will prevent this I hear you say.  Well, only if the competition isn't doing the same thing!&lt;br /&gt;&lt;br /&gt;So that's my view of how the future will pan out.  Anyone care to share theirs?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-299339294754953798?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/299339294754953798/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=299339294754953798' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/299339294754953798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/299339294754953798'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/10/hostage-to-fortune.html' title='Hostage to 
fortune'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5942093437907898843</id><published>2009-10-23T06:49:00.000-07:00</published><updated>2009-10-23T10:30:17.821-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud world forum'/><title type='text'>Cloud World Forum</title><content type='html'>I attended the rather grandly titled Cloud World Forum in London yesterday.  Have to say that it was an excellent event, certainly more business focussed than other events such as Cloud Camp (which is always good fun if more IT oriented) or the rather disappointing CloudStorm event a couple of weeks ago.&lt;br /&gt;&lt;br /&gt;Highlights and interesting tidbits from the event:&lt;br /&gt;o Kate Craig-Wood of Memset, Intellect and the BCS is now co-leading the technical architecture stream of the Cabinet Office data centre consolidation work&lt;br /&gt;o Asite are a public cloud service that have apparently obtained HMG accreditation for use by the Environment Agency.  Unfortunately the presenter left before I had a chance to quiz him on the accreditation aspect!&lt;br /&gt;o Lots of good presentations from the likes of Gartner and BT and some interesting panel sessions, particularly interested in the Gartner research that showed security was still the leading concern with organisations yet to adopt cloud computing. Also interesting that the main drivers for those organisations that have adopted cloud computing were cost and functionality.  Who'd have thought it? 
;-)&lt;br /&gt;o If you have an interest in collaboration then certainly check out www.huddle.net - collaboration tools, video conferencing etc all in one user-friendly cloud-based offering.&lt;br /&gt;o BT's virtual data centre is an interesting proposition - they do not run VMs for more than one customer on a physical blade.  Of course, from a paranoid perspective you may still have de-commissioning concerns when the blade is returned to the wider resource pool.  Not dug into the real low-level details here.&lt;br /&gt;o Mimecast have released a Forrester Consulting report into the "total economic impact" of their solution.  Yes, the report is specific to Mimecast, however the methodology of the report is of interest and it's useful to have a (vaguely) independent, albeit funded, report showing a detailed ROI argument for a cloud-based service.  The report should be downloadable from the Mimecast web-site but I don't think it's there yet.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Downsides:&lt;br /&gt;o Terribly dull presentation from VMware, Cisco and EMC.  Everybody else talking about business benefits, these guys droning on for a long time about IT and infrastructure issues.  Bored everyone to tears.  Content was actually not bad from a technical perspective but was wrong for the event and the delivery was way too dry. [Example of the problem with the presentation, when talking of moving to cloud services "...got to start with server virtualisation" - well, only if you're talking IaaS and I'd personally start with identifying what you want to do from a business perspective!]&lt;br /&gt;o Still a general ignorance with respect to security - lots of mentions of it during the day but no real understanding of how to manage risk in a cloud environment. [One panellist even described escapes from VMs as 'a bit of a myth' - a bit problematic given that exploits have been published which do just that...] 
&lt;br /&gt;o Slightly disappointing presentation on cloud security from Cryptocard which was basically yet another demonstration of using Cain and Abel to intercept passwords (*yawn*) and an overly broad statement that 2 factor authentication solves all authentication issues in a cloud environment.  Yes, they would say that being as they sell 2FA solutions but it's blatantly not true!&lt;br /&gt;&lt;br /&gt;Overall - good event, will definitely try to attend next year's.  The attendees were left with the feeling that cloud computing is here, is real and is delivering benefits to the early adopters.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5942093437907898843?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5942093437907898843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5942093437907898843' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5942093437907898843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5942093437907898843'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/10/cloud-world-forum.html' title='Cloud World Forum'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1766808478311056550</id><published>2009-10-15T07:38:00.000-07:00</published><updated>2009-10-15T07:48:29.736-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security resources mailing list blog aggregators'/><title type='text'>Resources for the busy security pro...</title><content type='html'>I'm going to step away from cloud computing for a change and go back to the main day job - security.  Like many security pros I'm a busy guy but at the same time my clients (and I) expect me to remain up to date with the latest happenings in the security space.  Over the years I've whittled down the number of Internet resources I keep track of - I'm going to talk about a couple that I still check on a daily basis in this post.&lt;br /&gt;&lt;br /&gt;Firstly:  http://archives.neohapsis.com/&lt;br /&gt;&lt;br /&gt;There are loads of security mailing lists - the site above is a convenient method for keeping track of the most useful ones.  I'd recommend their Yesterday, Today, Full-Disclosure and DailyDave archives.  There are other aggregators but I've been using this one for years and I'm a loyal soul...&lt;br /&gt;&lt;br /&gt;Secondly: http://www.monkey.com/~jose/secblogs.html&lt;br /&gt;&lt;br /&gt;As with mailing lists, there are loads of security blogs and loads of blog aggregators.  I tend to use the one above as it aggregates blogs I'm interested in and provides a manageable number of links per day - I don't feel overwhelmed by the sheer volume of posts!&lt;br /&gt;&lt;br /&gt;Hope you find them useful.  If you have any other resources that you think would help a busy security guy keep up to date (in a quick and manageable way!) 
please add some comments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1766808478311056550?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1766808478311056550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1766808478311056550' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1766808478311056550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1766808478311056550'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/10/resources-for-busy-security-pro.html' title='Resources for the busy security pro...'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-8570526917958920029</id><published>2009-10-01T06:51:00.001-07:00</published><updated>2009-10-01T06:59:05.678-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BrightTALK cloud security webcast'/><title type='text'>Cloud Security Summit</title><content type='html'>I presented my first ever web-cast yesterday as part of the BrightTALK Cloud Security Summit.  An interesting experience and strangely enjoyable.  I found the BrightTALK platform fairly straightforward to use, although the voting system could be a little more slick.  
It's a little uncomfortable whilst you're presenting as you've no way of knowing whether you're carrying your audience with you - fortunately the ratings have been quite positive and so I think I got away with it :-)&lt;br /&gt;&lt;br /&gt;If you're interested in cloud security, my web-cast can be found here:&lt;br /&gt;&lt;br /&gt;http://www.brighttalk.com/webcasts/5688/play&lt;br /&gt;&lt;br /&gt;If you have any questions or want to leave any feedback, feel free to comment :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-8570526917958920029?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/8570526917958920029/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=8570526917958920029' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8570526917958920029'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8570526917958920029'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/10/cloud-security-summit.html' title='Cloud Security Summit'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-6287047971339439936</id><published>2009-09-28T12:41:00.000-07:00</published><updated>2009-09-28T12:53:48.213-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud 
camp london security'/><title type='text'>CloudCamp London 5</title><content type='html'>I was lucky enough to attend the 5th London Cloud Camp last week.  Once I got my lightning talk out of the way it was an enjoyable event combining an opportunity to catch up with an old friend, make some new contacts and engage in some interesting conversations!  [I think my talk went pretty well other than being a little rushed - my own fault for trying to fit a 10 minute talk into a 5 minute slot!]&lt;br /&gt;&lt;br /&gt;After the talks we broke into Vendor Tracks and Open Space discussions - one of the attendees suggested a session around security which I volunteered to moderate.  I've written up these discussions and the write-up is shown below.  If any of the attendees feel I missed anything out or have misrepresented the conversation please feel free to comment or drop me an email.  Enjoy!&lt;br /&gt;&lt;br /&gt;&lt;p style="margin-bottom: 0in;"&gt;&lt;b&gt;London CloudCamp #5 Open Space – Security (Room 3)&lt;/b&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;Chatham House rule applies!&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;i) Public sector in the Cloud&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;Discussion began with whether the Public Sector would adopt cloud due to their security requirements.  It was noted that the UK Government is planning a G-Cloud as part of the Data Centre Consolidation Strategy – this was also a recommendation into the Carter Review (Digital Britain).  Attendees were also pointed towards the blog of John Suffolk, the HMG CIO – &lt;span style="color:#000080;"&gt;&lt;u&gt;&lt;a href="http://johnsuffolk.typepad.com/"&gt;http://johnsuffolk.typepad.com&lt;/a&gt;&lt;/u&gt;&lt;/span&gt;.  It was thought unlikely that public clouds would be suitable for processing of protectively marked information (i.e. 
RESTRICTED and above) – although it may be possible to use them for storage and transport if data is encrypted and decrypted on-premise.  There was thought to be more likelihood of public clouds being used within local government where security requirements are less stringent due to their data typically being at PROTECT.  The main sticking point from a security perspective was currently thought to be around the lack of assured products to support domain separation.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;ii) Certificate based authentication&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;There was a discussion as to whether cloud computing made it difficult to use  server certificate based authentication due to the need to tie certificates to domain names or IP addresses.  It was not thought to be a problem with IaaS (where this can be controlled by the consumer – if the right technologies are used).  Thought to be problematic with PaaS and SaaS.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;iii)  PCI-DSS and ISO27001&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;There was a question as to the overlap between PCI-DSS and ISO27001.  The group believed that there is significant overlap between the two standards but that PCI-DSS was more prescriptive and so compliance with ISO27001 did not mean compliance with PCI-DSS.  PCI-DSS has specific requirements around handling of cardholder data, vulnerability assessments etc that are more granular than those within ISO27001.   The recent blog post including the AWS statement that it was not possible to be completely PCI-DSS level 1 compliant using only their EC2 and S3 services was discussed. It was noted that you can simply hand off payment processing to a third party payment processor or keep such processing in-house.  
It was also noted that there is a separate PCI standard covering the development of payment processing &lt;i&gt;applications&lt;/i&gt;.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;iv) Privacy&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;We had a brief discussion around privacy legislation – one of the attendees noting that Germany is about to enact a notification law such that any organisation suffering a data breach must notify all affected customers (either by individual letter or by taking out a 2 page advert in a national newspaper).&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;v) Use of cloud resources for illegal purposes&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;We had a particularly interesting conversation around the use of cloud computing resources for illegal purposes – for example the distribution of cracked software keys.  This discussion was illustrated through real examples of previously identified instances of such activity.  This does raise interesting questions about whether cloud providers should be monitoring for such activity or whether they, like telcos, should act simply as carriers.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;vi) Data leakage&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;The idea that data could be split throughout the cloud to make re-constitution more difficult was discussed.  It was thought that this was already one of the benefits of cloud computing – should a service provider lose a disk, it is most likely to contain fragments from a number of clients rather than a substantial chunk of a single organisation's data.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;Miranda Mowbray's obfuscation tool and the Vanish tool (Washington State University) were mentioned as being of interest to those looking to keep sensitive data under control.  
Both noted as being primarily of academic interest at this time.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;vii) Virtual Desktop Infrastructures&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;There was some discussion of VDI in the cloud.  Noted that the public sector may “browse-down” from a more sensitive domain to a lesser domain, e.g. to offer Internet access via terminal services, but that “browse-up” was frowned upon.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;viii) Security Benefits&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;It was thought that the cloud model can offer some security benefits – e.g. increased/improved security monitoring, patching, security expertise and physical security.  Likely to be of more benefit to SMEs but could also be of benefit to larger organisations (most of whom &lt;i&gt;should&lt;/i&gt; already have invested in the necessary functions).&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;ix) Security as a Service&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;The prospects of security as a service were discussed.  It was noted that businesses such as MessageLabs have been doing this for years!  Security filtering in the cloud is a valid service.  
Could also expect to see identity providers in the cloud in the future.&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-6287047971339439936?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/6287047971339439936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=6287047971339439936' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6287047971339439936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6287047971339439936'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/09/cloudcamp-london-5.html' title='CloudCamp London 5'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4314479815666920159</id><published>2009-09-21T13:48:00.000-07:00</published><updated>2009-09-21T14:01:27.660-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing adoption'/><title type='text'>Cloud miscellany</title><content type='html'>It's been a busy few weeks hence the lack of posts here.  Admittedly one of the things taking my time was a week by the seaside so I've not been that hard done by!  
&lt;br /&gt;&lt;br /&gt;But back in the real world it's been interesting at work with respect to how many of our current bids and engagements are now considering delivery, at least in part, via cloud computing models.  There seems to be a real shift to treating cloud computing as just another part of the delivery model a la outsourcing, right shoring etc.  I have to say that I thoroughly approve of this change - technology for the sake of technology, or even change for the sake of change, is never a wise thing unless of course you're in a particularly bad place and are due a change in luck!  What we do have to remember is the potentially game-changing nature of certain cloud computing characteristics - in particular increased agility - which means that we need to be careful not to limit our imaginations to doing just the same things but in a different way.  Don't forget to think different, but most importantly don't forget to think!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-4314479815666920159?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4314479815666920159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4314479815666920159' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4314479815666920159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4314479815666920159'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/09/cloud-miscellany.html' title='Cloud 
miscellany'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1261854778452268503</id><published>2009-08-21T04:57:00.001-07:00</published><updated>2009-08-21T05:01:46.358-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security BrightTALK webcast'/><title type='text'>BrightTALK Cloud Security Summit</title><content type='html'>I've been lucky enough to be asked to web-cast at the BrightTALK Cloud Security Summit on the 30th of September - if anybody fancies listening to me rabbiting on about security in the cloud, you'll be able to attend by clicking on &lt;a href="http://www.brighttalk.com/webcasts/5688/attend" target="_blank"&gt;http://www.brighttalk.com/webcasts/5688/attend&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;There are some well-known and well-respected figures presenting during the summit - details of the other presentations and presenters can be found at:&lt;br /&gt;&lt;br /&gt; &lt;a href="http://www.brighttalk.com/summit/cloudsecurity" target="_blank"&gt;http://www.brighttalk.com/summit/cloudsecurity&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Come along, I'm sure it'll be fun.  
I may even have thought of some interesting voting topics by that point as well - I'd welcome suggestions if anyone out there would care to volunteer some?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1261854778452268503?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1261854778452268503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1261854778452268503' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1261854778452268503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1261854778452268503'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/08/brighttalk-cloud-security-summit.html' title='BrightTALK Cloud Security Summit'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-3456571151810406938</id><published>2009-08-10T12:23:00.000-07:00</published><updated>2009-08-10T12:31:49.710-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SaaS vs PaaS vs IaaS security'/><title type='text'>I hate that question...</title><content type='html'>So I've found another question that irritates me.  It's this one: "What's the most secure; SaaS, PaaS or IaaS?".   There are lots of things wrong with this question - firstly, define what is meant by secure.  
Secondly, define your perspective - are you a provider or a consumer?  Thirdly, assuming you're a consumer, define what you're doing in the cloud - it's a big concept, there's lots you can do and lots of ways of doing it!  And so on and so on...&lt;br /&gt;&lt;br /&gt;I think it's a naive question to ask and that it's even sillier to come out with an answer (unless you've spent the time to understand a very specific situation).  There are lots of different perspectives and lots of different classes of organisation with different needs and capabilities. For example, if you're a small business with little experience with an application then it's likely that a SaaS provider will provide a more secure (albeit multi-tenant) solution than you could build yourself.  However, if you're a large enterprise then I think a fair argument could be made that you could build a more secure, single tenant application on your own platform on a shared IaaS cloud infrastructure than the multi-tenant equivalent offered by a SaaS provider.  Of course, the observant amongst you may have noticed that I said "more secure" without actually defining secure - look at the name of the blog, I'm musing :0)&lt;br /&gt;&lt;br /&gt;Upshot, as with most things, know your requirements and choose the solution that's the best fit.  This cloud stuff really is not rocket science. 
(Unless of course you're NASA: &lt;a href="http://nebula.nasa.gov/" target="_blank"&gt;http://nebula.nasa.gov&lt;/a&gt; :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-3456571151810406938?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/3456571151810406938/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=3456571151810406938' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3456571151810406938'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3456571151810406938'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/08/i-hate-that-question.html' title='I hate that question...'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1123428862729595326</id><published>2009-08-06T00:50:00.000-07:00</published><updated>2009-08-06T00:59:48.664-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security HMG'/><title type='text'>Enabling confidence in the cloud</title><content type='html'>My latest Computer Weekly column is now on-line:&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.computerweekly.com/Articles/2009/08/05/237195/enabling-confidence-in-the-cloud.htm"&gt;http://www.computerweekly.com/Articles/2009/08/05/237195/enabling-confidence-in-the-cloud.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In other news: I gave a presentation on cloud computing to some senior executives of a major HMG department yesterday.  I have to say that I was encouraged by the nature of the questions being asked by the audience - they demonstrated both a solid grasp of the underlying concepts of cloud computing and also a genuine interest in understanding the commercial and business benefits that the cloud model offers.  I think that's one of the strengths of cloud computing - the business benefits in terms of flexibility and removal of some of the barriers to business innovation are obvious, the trick is going to be to derive the appropriate assurance models and drive the necessary cultural changes.  Time for everyone to learn some new skills methinks :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1123428862729595326?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1123428862729595326/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1123428862729595326' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1123428862729595326'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1123428862729595326'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/08/enabling-confidence-in-cloud.html' title='Enabling confidence in the 
cloud'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-8241757025419804546</id><published>2009-07-24T02:19:00.000-07:00</published><updated>2009-07-24T02:26:59.709-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud data security obfuscation privacy'/><title type='text'>Securing data in the cloud?</title><content type='html'>One of the big concerns for would-be users of cloud services at the moment is around the protection of their private or sensitive data from other users of the service or the providers of the service.  Data can hang around for a long time once it's in the cloud or even just on the Web.  There have been some interesting developments in this space, albeit of an academic nature i.e. stuff to take a look at but not necessarily to use in real life!  &lt;br /&gt;&lt;br /&gt;Firstly, back at Cloud Camp London 4, Miranda Mowbray of HP presented a mechanism for obfuscating data on-premise and then processing only that obfuscated data within the cloud.  The unobfuscated data is then only available within the secure (*cough*) on-premise location.   There are some problems with Miranda’s approach from the point of view of an enterprise whereby the cost of a data compromise could outweigh the cost of a frequency analysis (or even better a chosen plaintext) attack, however it may have some value for the more casual user or for less sensitive data.  
It was stated that Miranda hoped to open source the project but I don’t believe that’s happened yet – an abstract of the HP Labs technical report can be found at &lt;a href="http://www.hpl.hp.com/techreports/2009/HPL-2009-156.html"&gt;http://www.hpl.hp.com/techreports/2009/HPL-2009-156.html&lt;/a&gt; but no link to the full paper unfortunately.&lt;br /&gt;&lt;br /&gt;Secondly, there’s the Vanish project of the University of Washington - &lt;a href="http://vanish.cs.washington.edu/index.html"&gt;http://vanish.cs.washington.edu/index.html&lt;/a&gt;.  It’s an interesting method for ensuring the inaccessibility of data after a set period of time that utilises the churn of peer to peer hash tables to ‘lose’ elements of a distributed encryption key over time.   Once the key is no longer available, the data is no longer accessible.  I can see how this may be of value to individuals looking to ensure their individual privacy – I’m really not as convinced that this is acceptable in the corporate or government worlds given their discovery and reporting requirements.  But I’m no lawyer – take a look for yourselves!&lt;br /&gt;&lt;br /&gt;Hmmm… it’s going to be an interesting space – at least until someone can come up with a practical mechanism implementing homomorphic encryption.   
I’m not holding my breath :0)&lt;br /&gt;&lt;br /&gt;(http://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-8241757025419804546?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/8241757025419804546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=8241757025419804546' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8241757025419804546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8241757025419804546'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/07/securing-data-in-cloud.html' title='Securing data in the cloud?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-9183273229112144000</id><published>2009-07-11T13:04:00.000-07:00</published><updated>2009-07-11T13:19:01.055-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security Azure service bus'/><title type='text'>CloudCamp London 4</title><content type='html'>I got to attend the latest Cloud Camp in London last Thursday night (there have to be some advantages to working in the less civilised parts of the UK :-)... 
&lt;br /&gt;&lt;br /&gt;Highlights for me were the lightning talk from Mark Cusack from Rainstor outlining some very interesting ideas around storing data in the cloud for compliance purposes when retiring database applications and the Microsoft talk on Azure.  In particular the .NET Services Service Bus demo was both pretty cool and pretty scary at the same time.  I can certainly appreciate the benefits from being able to quickly and easily publish web services securely via the .NET Services Service Bus (c'mon Microsoft, call it Azure Service Bus and save our typing fingers!) however securing the services in transit is not the be all and end all.   What scares me is the almost certain eventuality of employees deciding to write their own wrappers around internal services that should never be exposed outside of the organisation and using the Service Bus to make such services available over the Internet.   But, hey, the network traffic's encrypted over an authenticated channel so everything's ok... no?&lt;br /&gt;&lt;br /&gt;I've previously blogged about the need for organisations to start monitoring for potential unauthorised use of cloud services.  
I'd like to emphasise that need again - and organisations should also consider blocking access to the .NET Services Service Bus until they have a suitable policy in place regarding use of such services.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-9183273229112144000?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/9183273229112144000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=9183273229112144000' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/9183273229112144000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/9183273229112144000'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/07/cloudcamp-london-4.html' title='CloudCamp London 4'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5820765781200404878</id><published>2009-06-29T00:02:00.000-07:00</published><updated>2009-06-29T00:05:42.064-07:00</updated><title type='text'>UK Government Cloud?</title><content type='html'>So, it looks like the UK Government really may go for cloud.  The Carter Report, "Digital Britain", includes a number of references to cloud computing and particularly the use of cloud computing in Government - the fabled G-Cloud.  
I've quoted a paragraph from the report below.&lt;br /&gt;&lt;br /&gt;"The establishment of a G-Cloud will however require investment in&lt;br /&gt;technical development and physical facilities, and the CIO Council and the&lt;br /&gt;Intellect Public Sector Council are now developing the strategic business&lt;br /&gt;case to justify funding the G-Cloud. Provided that this business case can be&lt;br /&gt;properly developed, the adoption of the G-Cloud will be a priority for&lt;br /&gt;Government investment to secure efficiencies, even within the very&lt;br /&gt;constrained framework for public expenditure, over the next 3 years."&lt;br /&gt;&lt;br /&gt;The nice thing about this paragraph is that they've even put some timelines in there - 3 years.  I don't know about you, but I always feel that things are more likely to happen once people put numbers in timelines rather than aspirational references to the future.&lt;br /&gt;&lt;br /&gt;The Carter Report, coupled with the well-publicised posting by John Suffolk to the Cloud Computing Interoperability Forum (CCIF) (see http://groups.google.com/group/cloudforum/browse_thread/thread/c75cde1d7c519363) is all very positive for the adoption of cloud within HMG.  But what really makes me believe this is a serious initiative?  Well, according to several reports in the IT press Martin Bellamy (formerly Head of Connecting for Health) has moved to the Cabinet Office primarily to look after the G-Cloud strategy - a significant investment by HMG at this time of budget cuts.  
Watch this space :-)&lt;br /&gt;&lt;br /&gt;[Disclaimer:  I am a small part of the CIO Council/Intellect Public Sector Council work referenced above so may well have an interest or two here].&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5820765781200404878?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5820765781200404878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5820765781200404878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5820765781200404878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5820765781200404878'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/06/uk-government-cloud.html' title='UK Government Cloud?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-66383446743178220</id><published>2009-06-24T11:17:00.000-07:00</published><updated>2009-06-24T11:26:33.082-07:00</updated><title type='text'>Nessus web app tests</title><content type='html'>Well well well.  For years now I've enjoyed laughing at pen test firms who answer the question "So what do you use to do your web app testing?" with "Nessus".  
But, looking at the blog post linked to below:&lt;br /&gt;&lt;br /&gt; &lt;span style="font-size:85%;"&gt;&lt;a href="http://blog.tenablesecurity.com/2009/06/enhanced-web-application-attacks-added-to-nessus.html" target="_blank"&gt;http://blog.tenablesecurity.&lt;wbr&gt;com/2009/06/enhanced-web-&lt;wbr&gt;application-attacks-added-to-&lt;wbr&gt;nessus.html&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;it appears that Tenable have stepped up their game somewhat to deliver some useable web app security tests.  I have to state that I haven't had chance to try out this new functionality but it certainly looks to be an improvement on the old cgi checks.  Maybe I'll have to stop laughing now and just chortle a little instead... (it's still not the tool of choice for serious web app testing - as Tenable acknowledge.  Horses for courses.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-66383446743178220?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/66383446743178220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=66383446743178220' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/66383446743178220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/66383446743178220'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/06/nessus-web-app-tests.html' title='Nessus web app tests'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-132050577634756382</id><published>2009-06-05T06:59:00.001-07:00</published><updated>2009-06-05T07:14:05.256-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud security usage'/><title type='text'>Cloud proliferation</title><content type='html'>In some ways I believe that the adoption of cloud computing services within enterprises will take a very similar form to that which we saw for wireless networking a few years back.  And for very similar reasons - convenience, cost and the lack of reliance on central, often unresponsive, IT departments.&lt;br /&gt;&lt;br /&gt;So what should we do about it?  Well, rather than let it get out of control, which (let's be honest!) is what happened to a number of organisations with respect to wireless networking, organisations should be&lt;br /&gt;&lt;br /&gt;i) adopting policies governing acceptable cloud usage and&lt;br /&gt;ii) monitoring network traffic to ensure that no unauthorised cloud usage is occurring. &lt;br /&gt;&lt;br /&gt;More to the point, organisations should be doing this now - regardless of whether they have any organisational desire to embrace cloud services.  Just because a central IT function does not fancy the prospect of cloud computing, there is no guarantee that projects and programmes will not strike out independently.  
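&lt;br /&gt;&lt;br /&gt;What step ii) looks like in practice, as an added example that is not part of the original post: the Python script below reads proxy access-log lines and reports cloud destinations that the acceptable-usage policy from step i) has not approved, per user.  The log format (Squid native access.log), the approved-host list, the provider domain suffixes and the sample log lines are all constructed assumptions for illustration, not anything from this blog or from any product.  Two choices matter more than the parsing: approval is an exact host match, so approving a provider's login host does not quietly approve every sub-domain of that provider, and lines that fail to parse are counted rather than dropped, so a change in log format shows up as a number instead of as silence.

```python
"""Added example (not from the original post): scan proxy access-log lines
for cloud services that the acceptable-usage policy has not approved.
The log format, the approved list, the provider suffixes and the sample
lines are constructed assumptions for illustration."""
import re
from collections import Counter

# Assumed format: Squid native access.log, one request per line:
#   timestamp elapsed client code/status bytes method url user hierarchy type
# Constructed sample data; hosts are the kind a corporate proxy would see.
SAMPLE_LOG = """\
1244199601.101 350 10.1.4.22 TCP_MISS/200 5120 CONNECT mail.google.com:443 jdoe DIRECT/209.85.0.1 -
1244199602.515 12 10.1.4.22 TCP_MISS/200 812 GET http://intranet.example.local/ jdoe DIRECT/10.1.1.10 text/html
1244199603.002 940 10.1.7.9 TCP_MISS/200 20480 CONNECT s3.amazonaws.com:443 asmith DIRECT/72.21.0.1 -
1244199604.777 120 10.1.7.9 TCP_MISS/200 2048 CONNECT login.salesforce.com:443 asmith DIRECT/204.14.0.1 -
1244199605.300 88 10.1.9.3 TCP_MISS/200 640 CONNECT dropbox.com:443 bjones DIRECT/174.36.0.1 -
1244199606.000 75 10.1.9.3 TCP_MISS/200 1900 CONNECT ec2-54-1-2-3.compute-1.amazonaws.com:443 bjones DIRECT/54.1.2.3 -
this line is not in the expected format and must be counted, not ignored
"""

# Assumption: the organisation's policy (step i) names exactly these hosts.
APPROVED = {"login.salesforce.com", "mail.google.com"}

# Assumption: provider domain suffixes the policy cares about.  Maintain this
# from your own policy; the list here is illustrative only.
CLOUD_SUFFIXES = (
    "amazonaws.com", "salesforce.com", "force.com", "google.com",
    "dropbox.com", "windows.net", "rackspacecloud.com",
)

# Groups: 1 timestamp, 2 client IP, 3 method, 4 url, 5 user.
LINE_RE = re.compile(
    r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+$"
)


def host_of(method, url):
    """Destination host from a CONNECT target (host:port) or an http(s) URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else None


def is_cloud_host(host):
    """True if host is a provider domain or any sub-domain of one."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)


def is_approved(host):
    # Exact match on purpose: approving a provider's login host must not
    # approve every sub-domain of that provider (e.g. an arbitrary EC2 box).
    return host in APPROVED


def find_unapproved_cloud_usage(log_text):
    """Return (findings, unparsed): findings is a list of (user, client, host)
    for cloud destinations the policy does not approve; unparsed counts
    lines the parser could not read, so a format change shows up as a
    number rather than as silence."""
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        client, method, url, user = m.group(2), m.group(3), m.group(4), m.group(5)
        host = host_of(method, url)
        if host and is_cloud_host(host) and not is_approved(host):
            findings.append((user, client, host))
    return findings, unparsed


def summarise(findings):
    """Count of unapproved cloud hosts per user: the list to take to the
    project that struck out on its own."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    hits, bad = find_unapproved_cloud_usage(SAMPLE_LOG)
    for user, client, host in hits:
        print(f"{user:8s} {client:12s} {host}")
    print("unparsed lines:", bad)
    print(dict(summarise(hits)))
```

Run against the constructed sample it reports the S3 bucket, the Dropbox connection and the EC2 instance, leaves the approved Salesforce and Google mail hosts alone, and counts the one malformed line.  Point it at a real proxy log by replacing SAMPLE_LOG with the file contents; the suffix list and approved set must come from your own policy.&lt;br /&gt;&lt;br /&gt;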
Time to get a grip now, don't you think?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-132050577634756382?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/132050577634756382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=132050577634756382' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/132050577634756382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/132050577634756382'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/06/cloud-proliferation.html' title='Cloud proliferation'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1755215632323317436</id><published>2009-05-30T13:46:00.001-07:00</published><updated>2009-05-30T13:53:06.067-07:00</updated><title type='text'>Latest article</title><content type='html'>No posts for a couple of weeks now - mainly as I was on holiday for one of them :-)&lt;br /&gt;&lt;br /&gt;As a gentle way back in to the blogosphere, my latest column was in Computer Weekly this week and it can also be found on-line at:&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.computerweekly.com/Articles/2009/05/13/236008/security-zone-penetration-testing-define-your-objectives.htm"&gt;http://www.computerweekly.com/Articles/2009/05/13/236008/security-zone-penetration-testing-define-your-objectives.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My main thrust in the article is that penetration testing should not always be the first option with respect to obtaining a realistic view of the actual implemented and operated security posture of an organisation.  I am of course aware that there are situations where nothing other than a full-blooded pen test will be appropriate but there are other times where a simple configuration review will provide more bang per buck.  I'm expecting a bit of a bashing over the definition I provided for penetration testing but what's the point of writing articles if you can't have a bit of fun!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1755215632323317436?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1755215632323317436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1755215632323317436' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1755215632323317436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1755215632323317436'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/05/latest-article.html' title='Latest article'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-3685598075161225888</id><published>2009-05-15T13:54:00.000-07:00</published><updated>2009-05-15T14:00:36.326-07:00</updated><title type='text'>Talking to lawyers.  For fun :-)</title><content type='html'>An interesting week.&lt;br /&gt;&lt;br /&gt;I was fortunate enough to be invited along to present at the Society for Computers and Law conference on Information Governance which was held last Tuesday. I was part of a panel session discussing the current increased focus on data security - initial indications are that the session was well received. I think it's important that we security types occasionally step outside of our usual haunts and talk to those in related fields.&lt;br /&gt;&lt;br /&gt;For example, Lorna Brazell's presentation on how Identity is defined within law was particularly enlightening. I think security professionals tend to view the law as something relatively fixed rather than something that is also evolving and finding its place in the modern information society. The final presentation of the day on the legal requirements related to cloud computing seemed a good example of where lawyers and security professionals could work together to the benefit of both parties. 
Overall, a good event and one I'm glad I attended - and not only because of the bottle of bubbly generously donated by the SCL to each of the speakers :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-3685598075161225888?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/3685598075161225888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=3685598075161225888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3685598075161225888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/3685598075161225888'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/05/interesting-week.html' title='Talking to lawyers.  For fun :-)'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4916113936354662005</id><published>2009-05-07T12:34:00.000-07:00</published><updated>2009-05-07T12:40:05.938-07:00</updated><title type='text'>Is CC evaluation worthwhile?</title><content type='html'>I had cause to read through the VMWare ESX Server 3.0.2 EAL4+ certification documentation earlier today and it has given me a bit of a problem.  
Not a real-world work problem, more of a general problem with the evaluation process and its value.&lt;br /&gt;&lt;br /&gt;Reading through the Security Target, the following assumption immediately jumped out at me (ok, it's a few pages in so immediately is a bit of an overstatement):&lt;br /&gt;&lt;br /&gt;"&lt;span style="font-style: italic;"&gt;The threat agents are assumed to: &lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li style="font-style: italic;"&gt;have public knowledge of how the TOE operates &lt;/li&gt;&lt;li style="font-style: italic;"&gt;possess a low skill level &lt;/li&gt;&lt;li style="font-style: italic;"&gt;have limited resources to alter TOE configuration settings &lt;/li&gt;&lt;li style="font-style: italic;"&gt;have no physical access to the TOE &lt;/li&gt;&lt;li style="font-style: italic;"&gt;possess a low level of motivation &lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;have a low attack potential&lt;/span&gt;"&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Now let's pretend I'm working for a Government client with Foreign Intelligence Services as an attack source - low skill level?  Low level of motivation?  Low attack potential?  I should be so lucky...  Oh well, at least the evaluation included some penetration testing - let's take a look at the certification report:&lt;br /&gt;&lt;br /&gt;"&lt;span style="font-style: italic;"&gt;The evaluator conducted a port scan of the VMware® ESX Server and VirtualCenter. Only the ports required for operation of the TOE were found to be open. The evaluator used a publicly available tool to scan the VMware® ESX Server and VirtualCenter for generic vulnerabilities, and none were found. In addition, the evaluator performed direct attacks on the VMware® ESX Server and VirtualCenter, attempting to bypass or break the TOE’s access control security mechanisms.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;Is it me, or is that a little light for a penetration test?  
I'm not particularly re-assured.&lt;br /&gt;&lt;br /&gt;Of course, the big problem is this: organisations (private and public sector) looking to deploy EAL4+ certified products are usually those with highly skilled, highly motivated threat actors.  If some EAL4+ certifications do not cater for these threat actors what is the real value of those certifications? &lt;br /&gt;&lt;br /&gt;(At least here in the UK, HMG organisations can turn to the CTAS process for assurance of specific technical barriers.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-4916113936354662005?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4916113936354662005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4916113936354662005' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4916113936354662005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4916113936354662005'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/05/is-cc-evaluation-worthwhile.html' title='Is CC evaluation worthwhile?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2561720799061058813</id><published>2009-04-24T06:52:00.000-07:00</published><updated>2009-04-24T07:04:25.479-07:00</updated><title type='text'>It's 
getting real now...</title><content type='html'>Well it's been an extremely interesting couple of weeks with respect to cloud security.&lt;br /&gt;&lt;br /&gt;(Yes, I know there've been some other happenings in the wider world - Obama releasing TS documents, Darling admitting the UK will be broke for the next decade etc etc but let's concentrate on the really important stuff :-)&lt;br /&gt;&lt;br /&gt;The Open Group's Jericho Forum released its Cloud Cube paper on cloud security which describes possible cloud 'formations' according to four different dimensions - Internal/External, Proprietary/Open, Insourced/Outsourced and Perimeterised/De-Perimeterised.  I don't believe that there's anything earth-shatteringly novel contained in the paper; however, the model itself will, I think, prove extremely valuable as a common reference point when discussing cloud computing.&lt;br /&gt;&lt;br /&gt;The other major event has been the release of the first deliverable from the Cloud Security Alliance - a guidance paper on the critical security issues with respect to cloud computing.  On first glance it looks like a fairly comprehensive paper that could perhaps be used to populate the framework provided by the Jericho Forum Cloud Cube model.  
And with names like Chris Hoff and Jeff Forristal (better known to some of you with memories longer than a goldfish as rfp) involved you can be sure that the content is going to be at least sensible and likely very good.&lt;br /&gt;&lt;br /&gt;In conjunction, I think these two papers put the industry in a much better place to have sensible and informed discussions using a set of hopefully commonly understood definitions - something that's been sorely lacking in the past.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-2561720799061058813?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2561720799061058813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2561720799061058813' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2561720799061058813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2561720799061058813'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/04/its-getting-real-now.html' title='It&apos;s getting real now...'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1737172723494797644</id><published>2009-04-14T00:59:00.000-07:00</published><updated>2009-04-14T01:09:34.650-07:00</updated><title type='text'>No More Free Bugs?</title><content 
type='html'>&lt;p&gt;Charlie Miller (famed in part for his past successes at the CanSecWest pwn2own contests over the last couple of years) has started an email thread over on the DailyDave mailing list regarding the No More Free Bugs initiative.  The rationale behind this initiative can be found over here:&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;&lt;a href="http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/"&gt;http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/&lt;/a&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;Whilst I have every admiration for the past work of people involved with NMFB such as Miller, Alex Sotirov and Dino Dai Zavi, I can't help feeling that this initiative is either doomed, misguided or both.  I can understand why security researchers may feel that they get a rough deal through a lack of financial recompense for the time, effort and frustration they go through when finding and exploiting a  vulnerability and then managing a responsible co-ordinated disclosure with vendors.  However, there is no real commercial incentive for vendors to want to pay for this service – sure customers may end up with a more secure product due to the work of security researchers but at the same time, customers may not have been aware that they had an insecure product without the work of the security researchers (a much better position for the vendors, if not the customers!).   &lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;The NMFB guys are keen to avoid being dragged into a debate about disclosure but I'm not sure how you can avoid the topic when talking about paid-for security research.  For example, I really don't see the benefit that vendors would gain from paying for bugs and then advertising the details of the vulnerabilities via full disclosure.  
Maybe I'm just cynical but I can't avoid believing that such paid-for bugs may be fixed on the quiet with paying customers never finding out about the risks that they had been exposed to... unless a few guys are still happy to publish details of reverse engineered patches for free.  There's also a pretty vicious circle out there – if bugs are no longer disclosed, end users will stop worrying about them and any commercial drivers that do exist will start to wither away reducing the value placed on discovered bugs.&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;It's an imperfect world out there, and the current situation with respect to the handling of security vulnerabilities is certainly far from perfect, but I'm afraid that I don't believe that moving to a paid-for approach to security research will improve matters in the long run.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1737172723494797644?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1737172723494797644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1737172723494797644' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1737172723494797644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1737172723494797644'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/04/no-more-free-bugs.html' title='No More Free Bugs?'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-8985816007290016893</id><published>2009-04-07T13:10:00.000-07:00</published><updated>2009-04-07T13:20:29.098-07:00</updated><title type='text'>CloudForce</title><content type='html'>Last week the ExCel centre in London was host to the leaders of the G20 as they continued their attempts to save the global economy.  This week, the ExCel centre was host to Marc Benioff on his CloudForce world tour as he attempts to save the global IT economy.  Ok, that's maybe a bit tenuous...&lt;br /&gt;&lt;br /&gt;On a more serious note, I got a lot more out of the CloudForce event than I was expecting, almost all of it positive.  The event started off well (any event being introduced by the music of the Foo Fighters is off to a flyer in my book ;-) with the keynote being delivered by Mr Benioff himself with a few guest spots filled by satisfied customers together with a sprinkling of highly impressive demonstrations of the capabilities of salesforce.com.  I was particularly keen on the customer service abilities of what was termed the "Service Cloud" - customer service integrated across a number of different channels from the traditional call centre through to integration with Twitter and Facebook all delivered over the cloud.  Impressive.&lt;br /&gt;&lt;br /&gt;The afternoon was made up of a series of presentations split into a number of different tracks - I'll have to admit that I spent all of my time in track 3 which was dealing with technology issues rather than the more business and sales-enabling tracks available elsewhere.  
The first session included an extremely informative presentation from Paul Cheesbrough of the Telegraph describing how his organisation was moving processing into the cloud - and not just with Salesforce.com; they are also using Amazon Web Services for intensive analytics and Google Apps for email and collaboration services.  What I found enlightening was how easy it appeared to be for the Telegraph to move data from the salesforce.com cloud into the AWS cloud for analytics work.  I find the possibilities opened up by this kind of information technology incredibly exciting.&lt;br /&gt;&lt;br /&gt;The second session was around integration of salesforce.com with backend ERP systems - three options were presented:&lt;br /&gt;&lt;br /&gt;i) move ERP data to the cloud&lt;br /&gt;ii) copy the data to the cloud and make occasional call-backs to the backend for consistency checks&lt;br /&gt;iii) have the cloud act as a mash-up presenting data hosted on-premises&lt;br /&gt;&lt;br /&gt;Very important area, but frankly one that I find a little dull.  Of course, with my security hat on, I can see a lot of opportunities for work in this area trying to decide which approach is appropriate for different categories of data and then deciding on appropriate means for transferring, managing and securing data.  The latter two options also have some interesting implications regarding how you secure access from the cloud into the on-premises systems.  Limiting this to web service traffic and implementing something like a Vordel XML gateway may be one approach to making sure that nothing leaks out that shouldn't.&lt;br /&gt;&lt;br /&gt;The final session was a salesforce.com presentation on the technologies underlying the force.com platform.  
Definitely appealed to the geek in me but I would have preferred more detail on the security mechanisms under the hood rather than simple statements around the use of the OrgId to segregate data belonging to different customers.&lt;br /&gt;&lt;br /&gt;What were my major takeaways from the event?  (Other than the numerous flyers and freebies?)&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The Force.com infrastructure is ISO 27001 certified as well as SAS 70.&lt;/li&gt;&lt;li&gt;Salesforce.com appear to be very good at what they do.&lt;/li&gt;&lt;li&gt;When they say multi-tenant, they really, really mean it.&lt;/li&gt;&lt;li&gt;The promised cost and resource savings can actually be realised.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Perhaps the penalty of greater lock-in to PaaS and SaaS providers is worth paying if they can provide (and can continue to provide) excellent facilities and levels of service.  Certainly something to consider further.&lt;/li&gt;&lt;li&gt;Salesforce.com appear to be very open and accommodating to having their security measures reviewed by clients - something of which I heartily approve.&lt;/li&gt;&lt;/ul&gt;If they come back next year, try to go along.  
Not only is it a good gig, it's free!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-8985816007290016893?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/8985816007290016893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=8985816007290016893' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8985816007290016893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/8985816007290016893'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/04/cloudforce.html' title='CloudForce'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2298370003307464204</id><published>2009-04-03T09:32:00.000-07:00</published><updated>2009-04-03T09:40:19.995-07:00</updated><title type='text'>Open Cloud Manifesto</title><content type='html'>I'm a little late to the party on this one.  Perils of having to actually work for a living.  The open cloud manifesto over at &lt;br /&gt;&lt;br /&gt;http://opencloudmanifesto.org/&lt;br /&gt;&lt;br /&gt;has been getting a fair amount of coverage in the past week, primarily for the politics around the organisations that have not signed up to the manifesto and the way in which the manifesto was drawn up. 
&lt;br /&gt;&lt;br /&gt;Looking at the list of supporting organisations and those that have chosen not to associate themselves with the process at this stage, there's a fairly clear (and fairly obvious) divide between those organisations that will be providing the kit supporting cloud computing (IBM, VMWare, Cisco etc) and those organisations that provide services over cloud infrastructures (Microsoft, Google, Amazon etc).   Now, if I was being cynical I'd have to ask myself which organisations have the most to lose from open, interoperable clouds?  The infrastructure players don't particularly care - the service providers will always need the tin.  The service providers?  Well, I daresay they don't necessarily see lock-in as all bad...  but then, how can I be cynical when it's such a lovely sunny day with hardly a cloud in sight?  :-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-2298370003307464204?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2298370003307464204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2298370003307464204' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2298370003307464204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2298370003307464204'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/04/open-cloud-manifesto.html' title='Open Cloud Manifesto'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-6024245976111587607</id><published>2009-03-24T14:29:00.000-07:00</published><updated>2009-03-24T14:56:07.808-07:00</updated><title type='text'>Database State report - FAIL</title><content type='html'>&lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Let me start by stating that, in general, I'm a pretty even-tempered chap.  It usually takes a lot to make me grumpy, excepting those days when I'm hungover or suffering from a lack of sleep.  Today I am neither hungover nor tired; however, I am more than grumpy.  I'm positively angry.  The reason?  The Rowntree report entitled Database State – available from&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;http://www.cl.cam.ac.uk/~rja14/Papers/database-state.pdf&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;I've rarely seen such an unbalanced piece of FUD - and I've been working in IT Security for over a decade!  I don't doubt that the intentions of the authors are noble but would it have been too outrageous to ask them to leave their personal agendas behind and take a more mature approach to the subject?  (The subject by the way being the legality and justifications underlying a number of UK Government databases.  I'll stick up my hand and admit an interest having been working in HMG IT security since 2001 and being employed by a major supplier to HMG since 2002.  
I must also stress here that the opinions in this blog are my own – this is my blog not theirs :-)).&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Wherever a pejorative could be used in the report, it is.  Wherever a picture could be painted grey, it's painted as the darkest shade of black.  Examples of interpretive liberties include:&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;" align="left"&gt;&lt;span style="font-size:100%;"&gt;“&lt;/span&gt;&lt;span style="font-size: 11pt;font-size:100%;" &gt;In Scotland, where the SCR project has been completed, there has already been an abuse case in which celebrities had their records accessed by a doctor who is now facing charges.”&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;I'm sorry but how is this a negative for the system?  The guy got caught.  That suggests that the system is working to me.  What's the alternative – prevent all doctors from accessing data without explicit consent?  It may just be me, however if I were taken to a hospital unconscious I would &lt;/span&gt;&lt;span style="font-size:100%;"&gt; much rather have my records available and accessed rather than have those providing my care debate whether my privacy was more important!  The sensible compromise is to provide access to those who need it (subject to role based access control) and audit (and discipline) any violations of the acceptable use policies.  Shockingly enough that's what's happening.  
Besides which, it's not as if privacy violations do not happen when the data is held locally – I could link to a number of stories where local health trusts have inappropriately accessed records of celebrities held locally or displayed other poor practice such as this story today:&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;http://www.theregister.co.uk/2009/03/24/hospital_data_breach_notice/&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Another example of biased picture painting - the following quote from the Deloitte report into the ContactPoint database is used as an indication of bad security:&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;“&lt;/span&gt;&lt;span style="font-size: 11pt;font-size:100%;" &gt;It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring.”&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;That's more of a statement of the bleeding obvious than a criticism of data sharing.  Given the calibre of the authors I'm sure they could have done better than this.&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Another tendency of the report that I find objectionable are baseless statements such as:&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;“&lt;/span&gt;&lt;span style="font-size: 11pt;font-size:100%;" &gt;For these reasons, the use of SUS in research without an effective opt-out contravenes the European Convention on Human Rights and European data-protection law. 
It is also considered morally unacceptable by millions of UK citizens.”&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Really?  I'm surprised the report was ever finished if they've been off polling everyone in the country for their moral perceptions of government IT.  Oh.  They didn't?  And then there's this statement referring to the Police National Database:&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;“&lt;/span&gt;&lt;span style="font-size: 11pt;font-size:100%;" &gt;Soft intelligence includes opinion, hearsay, tips from informants and even malicious accusations; letting such things leak from the world of intelligence into that of routine police operations is dangerous, and some intelligence officers think it a mistake.”&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Hmmm...  I wonder if that 'some' is 10% of intelligence officers?  20%? 90%? 3?  That bloke down the pub next to New Scotland Yard?  This kind of comment is fine in conversation but surely not in a report that's supposed to be taken seriously.&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;What is lacking in this report is any discussion of the background to the creation of the databases it criticises.  For example, the ContactPoint database was initiated following the tragic death of Victoria Climbie.  The Police National Database was initiated following the Bichard enquiry into the deaths of the Soham schoolgirls.  Lack of information sharing was a factor (not a cause!) in the deaths of these children.  What price privacy vs personal safety?  
I don't have the answer but it would be a good debate to have rather than the pantomime we currently see between HMG and privacy campaigners.&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;I find some of the recommendations to be naive.  In particular, Recommendation 4,&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;“&lt;/span&gt;&lt;span style="font-size:100%;"&gt;By default, sensitive personal information must be kept on local systems and shared only with the subject’s consent or for a specific lawful purpose. Central systems must be simple and minimal, and should hold sensitive data only when both proportionate and necessary.”&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Have the authors actually seen the local systems in places like NHS surgeries and trusts or within the police service?  If so, are they really comfortable that our data is more secure in such systems than in centrally managed databases?  The use of a distributed federated information sharing model is often suggested as an alternative but this is the worst of both worlds – almost unfettered access to information in dribs and drabs controlled by manual procedure with no central ability to monitor misuse.  (Apologies I seem to have slipped into overgeneralisation and hyperbole – must be contagious.)  Sigh...&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Now, please don't get the idea that I'm an avid supporter of all HMG databases and information sharing schemes.  I'm not.  There are two in particular that I'm really not convinced have any justifiable business case or overall positive effect for the citizen.  
What I do believe in is informed debate.  Unfortunately, any debate on the security of HMG systems is never going to be fully informed – the security requirements for the most sensitive systems will be protectively marked and therefore (rightly) will not be made available to those who do not have a need to know.  Commenting on the security of systems when you don't have access to the facts is verging on foolish and leads to mistakes such as referring to a “SECRET” level of clearance in the recommendations when there is no such clearance level.  Pedantic, I know, but it is a display of basic ignorance of HMG security mechanisms, which is worrying.&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;What can we do?  Have debate, but have sensible debate.  Perhaps if we start by banning the use of overly emotive terms such as “database state” or “big brother” on one hand and the overuse of “part of the fight against terrorism” as a justification for intrusion into the lives of citizens on the other, we might get to a common position where information can be shared where necessary to protect life and safety whilst maintaining an acceptable degree of privacy.   
But where's the fun and headlines in that?&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-6024245976111587607?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/6024245976111587607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=6024245976111587607' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6024245976111587607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/6024245976111587607'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/03/database-state-report-fail.html' title='Database State report - FAIL'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-1809623234829020362</id><published>2009-03-14T06:31:00.001-07:00</published><updated>2009-03-14T06:43:17.316-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Cloud'/><title type='text'>Just like buses...</title><content type='html'>&lt;p&gt;No posts for a week and then two in one day...&lt;br /&gt;&lt;br /&gt;Thought I'd post some more cloudy musings&lt;br 
/&gt;&lt;br /&gt;i) It's not all new – we've been doing computing on shared resources since forever. I remember working at one of the high street banks that were running their production and development environments on the same MVS mainframe.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;ii) What is new can be new in subtle and interesting ways, examples: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;the hypervisor; like it or not the hypervisor is a definite point of failure for security controls &lt;/li&gt;&lt;li&gt;network security – you'll find that some of your firewalls and IDS are a little useless when all of the comms take place within a single piece of hardware (caveat, some software firewalls are supported in virtual environments but I'm guessing there are still a few niggles to be ironed out. And you can get IDS that operate inside the hypervisor – simplification - check out &lt;a href="http://www.catbird.com/"&gt;http://www.catbird.com/&lt;/a&gt;) &lt;/li&gt;&lt;li&gt;the potential hypervisor problems mean that your threats have just increased – you now need to worry about the threats facing all the systems processed within the same virtualised infrastructure – how can you do this if you don't know who's sharing the kit? &lt;/li&gt;&lt;li&gt;incident management – what happens when a client has an incident on shared hardware? How do you limit the exposure to co-located services?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;iii) private and closed community clouds are good, let's not just dismiss them as an edge case&lt;br /&gt;&lt;/p&gt;&lt;p&gt;iv) cloud computing is going to drive Jericho-style deperimeterisation at an increased pace; move the protection closer to the data &lt;/p&gt;&lt;p&gt;v) compliance is still going to be a pig. 
But then what's new?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;vi) Organisations need to be honest with themselves with respect to their current physical and technical security controls before scoping out what they expect from a cloud provider – clouds should not necessarily have to be better than the existing controls, simply acceptable from a cost/risk ratio perspective&lt;br /&gt;&lt;/p&gt;&lt;p&gt;vii) oldie but goodie – organisations need to decide what they want to do (with whom and with what data) before deciding that cloud is the answer &lt;/p&gt;&lt;p&gt;viii) It's probably the most interesting security problem out there at the moment from policy and technology perspectives. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-1809623234829020362?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/1809623234829020362/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=1809623234829020362' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1809623234829020362'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/1809623234829020362'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/03/just-like-buses.html' title='Just like buses...'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-5042299181542804226</id><published>2009-03-14T05:48:00.000-07:00</published><updated>2009-03-14T05:53:39.809-07:00</updated><title type='text'>So that's an unconference....</title><content type='html'>I attended the CloudCamp event in London last Thursday night.  Here are my thoughts:&lt;br /&gt; &lt;br /&gt;i) Between 600 and 700 attendees.  I think those kinds of numbers show that it's not really correct to view cloud as fringe or up and coming - it's here and it's real.  Not everyone was there just for the free beer and pizza ;-)&lt;br /&gt; &lt;br /&gt;ii) It was not simply vendors pitching to vendors.  The Enterprise Cloud discussion track after the lightning talks clearly included attendees from large organisations either already doing cloud or in the process of considering cloud.  One example was that of an investment bank who run their Monte Carlo simulations in the cloud.  &lt;br /&gt; &lt;br /&gt;iii) Nice thing about the event - vendor pitches are banned.  Some of the lightning talks came perilously close but the lack of blatant pitches in the discussion tracks made for a better quality of discussion.&lt;br /&gt; &lt;br /&gt;iv) Some interesting topics covered in the cloud talks around federation, particularly regarding http://www.arjuna.com/agility and http://bitbucket.org/dotcloud/dotcloud/wiki/Home (the latter being academic and open sourcey at present but interesting nonetheless).&lt;br /&gt; &lt;br /&gt;v) The fate of Coghead - http://www.coghead.com/ - vividly demonstrates the dangers of SaaS vendor lock-in.  If you're going to do cloud you're probably better off going lower down the stack to IaaS where there is less lock-in.  
(It should be easier to migrate your Linux VM plus hosted apps in multiple clouds than moving your Force.com or GoogleApps proprietary assets!).&lt;br /&gt;&lt;br /&gt;vi) It's not just vendor lock-in to worry about - you also need to consider data lock-in.  What happens when you have so much data in the cloud that you can't get it back out again?  For example, you may have insufficient local storage or insufficient bandwidth to extract the data in the required timeframe.  Interesting problem, possibly an argument for distributing storage amongst different clouds so that you don't amass too much in one place - but this does cause other issues.  This is the kind of problem that makes this cloud stuff so much fun!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-5042299181542804226?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/5042299181542804226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=5042299181542804226' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5042299181542804226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/5042299181542804226'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/03/so-thats-unconference.html' title='So that&apos;s an unconference....'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-4381674057949296328</id><published>2009-03-06T07:33:00.000-08:00</published><updated>2009-03-06T07:41:47.385-08:00</updated><title type='text'>CloudCamp!</title><content type='html'>I came across this post&lt;br /&gt;&lt;br /&gt;http://www.doxpara.com/?p=1274&lt;br /&gt;&lt;br /&gt;over at Dan Kaminsky's blog earlier this week.   It links to an excellent set of slides that Kaminsky gave at CloudCamp in Seattle.  It's really enthusing to see guys like Kaminsky getting excited by Cloud Computing - it would be really easy for the 'name' security researchers to give the Cloud concept a good kicking (it's an easy target) but Kaminsky (unsurprisingly) shows a good understanding of the pros and cons of Cloud and comes down firmly on the side of Cloud being a positive way ahead for IT service delivery.   I'm hoping that there are going to be some equally good presentations at the upcoming CloudCamp event here in London on the 12th March.  
&lt;br /&gt;&lt;br /&gt;Feel free to get in touch if anyone out there wants to meet up for a beer or two at the event!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-4381674057949296328?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/4381674057949296328/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=4381674057949296328' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4381674057949296328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/4381674057949296328'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/03/cloudcamp.html' title='CloudCamp!'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-7203294268565799261</id><published>2009-02-20T07:49:00.000-08:00</published><updated>2009-02-20T07:54:33.794-08:00</updated><title type='text'>Public vs Private Sector security</title><content type='html'>So, I was looking through the various blogs hosted over at Computer Weekly when I came across a discussion on Stuart King's Risk Management blog.   
See&lt;br /&gt;&lt;br /&gt;http://www.computerweekly.com/blogs/stuart_king/2009/02/public-sector-vs-private-secto-1.html&lt;br /&gt;&lt;br /&gt;Stuart and his co-blogger Duncan Hart have started one of those discussions that you should never start.  A subject almost as delicate as religion, politics and questioning the choice of allegiance of that big group of blokes in the football shirts.  The question?  Whether security is better in the public or private sector.  Ouch.&lt;br /&gt;&lt;br /&gt;It's one of those discussions bound to stir up opinions – often uninformed and vitriolic.  It's a good excuse for those in the private sector to dig out the well-worn cliches and condescending attitudes with respect to public sector security whilst those in the public sector can come back with their own traditional ripostes.  My own opinion – I have to admit a little bias here having spent the last few years predominantly in the public sector – is that the two areas are so vast as to make such trivial comparisons worthless.   You can find good security in the public sector as surely as you can find weak security in the private sector – yes, I'm looking at you utility and manufacturing organisations (amongst others).&lt;br /&gt;&lt;br /&gt;I spent the early part of my career doing penetration testing and vulnerability assessments across a wide spread of sectors and I found as many problems in certain private sectors as I did in HMG.  Yes, you will tend to find pretty good security in those organisations where a lack of control will tend to result in a monetary hit but there was certainly no guarantee.  
&lt;br /&gt;&lt;br /&gt;HMG have at least taken steps to improve security with the release of the Security Policy Framework and other initiatives aimed at making the (usually) adequate guidance that was previously embodied within the Manual of Protective Security more widely available.  Think ISO27001 with extra doses of physical security, personnel security and various other goodies.  Together with the public Good Practice Guidance on offer from both CESG and the CPNI, there's a wealth of information available – never mind the stuff that does not make it into the public domain.   More importantly still, following the Hannigan Review of Data Handling Procedures in Government, there is an added impetus to making sure that the mandatory minimum requirements within the various HMG standards are enforced.  It may take time, but information assurance in the public sector is on the way up.   &lt;br /&gt;&lt;br /&gt;Can the same be said for the private sector?  &lt;br /&gt;&lt;br /&gt;Given the length of this posting, I'll leave that topic for another day.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-7203294268565799261?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/7203294268565799261/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=7203294268565799261' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7203294268565799261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/7203294268565799261'/><link rel='alternate' type='text/html' 
href='http://securitylifemusings.blogspot.com/2009/02/public-vs-private-sector-security.html' title='Public vs Private Sector security'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-2617555820728532854</id><published>2009-02-09T01:27:00.000-08:00</published><updated>2009-02-10T00:37:07.040-08:00</updated><title type='text'>Round-up</title><content type='html'>So what caught my eye over the last week or so? &lt;br /&gt;&lt;br /&gt;A couple of interesting stories concerning the exploitation of a couple of well-known organisations - Kaspersky and phpBB:&lt;br /&gt;&lt;br /&gt;http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/&lt;br /&gt;http://hackedphpbb.blogspot.com/&lt;br /&gt;&lt;br /&gt;It's good to see the level of detail provided by the attackers about how exploitation took place, and the level of proof provided that the events occurred roughly as described.  &lt;br /&gt;&lt;br /&gt;I also came across a couple of informative papers, one by Bas Alberts of Immunity providing a useful critique of the Microsoft Exploitability Index and a paper by David Chappell which provides an overview of the Microsoft Azure cloud computing platform.   
Both available from Microsoft:&lt;br /&gt;&lt;br /&gt;http://download.microsoft.com/download/3/E/B/3EBDB81C-DF2F-470B-8A64-981DC8D9265C/A%20Bounds%20Check%20on%20the%20Microsoft%20Exploitability%20Index%20-%20final.pdf&lt;br /&gt;http://download.microsoft.com/download/e/4/3/e43bb484-3b52-4fa8-a9f9-ec60a32954bc/Azure_Services_Platform.pdf&lt;br /&gt;&lt;br /&gt;Enjoy...&lt;br /&gt;&lt;br /&gt;UPDATED:  Kaspersky have now announced that they are bringing Dave Litchfield in to perform an audit of their database - and to publicly share his findings.  Now, the public sharing of the results of security audits is certainly something I would like to see more of!  It's a great way of establishing trust - provided that the auditor is someone well-respected by the community you are seeking to establish trust between.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-2617555820728532854?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/2617555820728532854/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=2617555820728532854' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2617555820728532854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/2617555820728532854'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/02/round-up.html' title='Round-up'/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8757787981235534141.post-940144087092007070</id><published>2009-02-01T03:56:00.000-08:00</published><updated>2009-02-01T04:04:09.035-08:00</updated><title type='text'></title><content type='html'>Well, here we go then.  Time to enter the wild and wacky world of the security blogger.  Whilst I search for fresh inspiration, I'll use this first post to link to some of my past writings over at Computer Weekly:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2007/12/14/228602/virtualisation-is-not-a-theoretical-risk.htm"&gt;http://www.computerweekly.com/Articles/2007/12/14/228602/virtualisation-is-not-a-theoretical-risk.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2008/04/09/230220/database-administration-security-strategy.htm"&gt;http://www.computerweekly.com/Articles/2008/04/09/230220/database-administration-security-strategy.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2008/09/03/232119/metrics-programmes-need-right-design-to-justify-security.htm"&gt;http://www.computerweekly.com/Articles/2008/09/03/232119/metrics-programmes-need-right-design-to-justify-security.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2009/01/23/234393/security-zone-cloud-security-pie-in-the-sky.htm"&gt;http://www.computerweekly.com/Articles/2009/01/23/234393/security-zone-cloud-security-pie-in-the-sky.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;No promises of regular updates or ground-breaking thinking, but hopefully there'll be something of vague interest here every so often.   
And if you're one of those types who hates blogs that mix business and personal lives, please move along - I really can't be bothered to maintain two of these things!&lt;br /&gt;&lt;br /&gt;Until next time...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8757787981235534141-940144087092007070?l=securitylifemusings.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securitylifemusings.blogspot.com/feeds/940144087092007070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8757787981235534141&amp;postID=940144087092007070' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/940144087092007070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8757787981235534141/posts/default/940144087092007070'/><link rel='alternate' type='text/html' href='http://securitylifemusings.blogspot.com/2009/02/well-here-we-go-then.html' title=''/><author><name>Lee</name><uri>http://www.blogger.com/profile/01433155141531559907</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
