Saturday, 30 May 2009

Latest article

No posts for a couple of weeks now - mainly as I was on holiday for one of them :-)

As a gentle way back in to the blogosphere, my latest column was in Computer Weekly this week and it can also be found on-line at:

http://www.computerweekly.com/Articles/2009/05/13/236008/security-zone-penetration-testing-define-your-objectives.htm

My main thrust in the article is that penetration testing should not always be the first option with respect to obtaining a realistic view of the actual implemented and operated security posture of an organisation. I am of course aware that there are situations where nothing other than a full-blooded pen test will be appropriate but there are other times where a simple configuration review will provide more bang per buck. I'm expecting a bit of a bashing over the definition I provided for penetration testing but what's the point of writing articles if you can't have a bit of fun!

Friday, 15 May 2009

Talking to lawyers. For fun :-)

An interesting week.

I was fortunate enough to be invited along to present at the Society for Computers and Law conference on Information Governance which was held last Tuesday. I was part of a panel session discussing the current increased focus on data security - initial indications are that the session was well received. I think it's important that we security types occasionally step outside of our usual haunts and talk to those in related fields.

For example, Lorna Brazell's presentation on how Identity is defined within law was particularly enlightening. I think security professionals tend to view the law as something relatively fixed rather than something that is also evolving and finding its place in the modern information society. The final presentation of the day on the legal requirements related to cloud computing seemed a good example of where lawyers and security professionals could work together to the benefit of both parties. Overall, a good event and one I'm glad I attended - and not only because of the bottle of bubbly generously donated by the SCL to each of the speakers :-)

Thursday, 7 May 2009

Is CC evaluation worthwhile?

I had cause to read through the VMware ESX Server 3.0.2 EAL4+ certification documentation earlier today and it has given me a bit of a problem. Not a real-world work problem, more of a general problem with the evaluation process and its value.

Reading through the Security Target, the following assumption immediately jumped out at me (ok, it's a few pages in so immediately is a bit of an overstatement):

"The threat agents are assumed to:
  • have public knowledge of how the TOE operates
  • possess a low skill level
  • have limited resources to alter TOE configuration settings
  • have no physical access to the TOE
  • possess a low level of motivation
  • have a low attack potential"

Now let's pretend I'm working for a Government client with Foreign Intelligence Services as an attack source - low skill level? Low level of motivation? Low attack potential? I should be so lucky... Oh well, at least the evaluation included some penetration testing - let's take a look at the certification report:

"The evaluator conducted a port scan of the VMware® ESX Server and VirtualCenter. Only the ports required for operation of the TOE were found to be open. The evaluator used a publicly available tool to scan the VMware® ESX Server and VirtualCenter for generic vulnerabilities, and none were found. In addition, the evaluator performed direct attacks on the VMware® ESX Server and VirtualCenter, attempting to bypass or break the TOE’s access control security mechanisms."

Is it me, or is that a little light for a penetration test? I'm not particularly reassured.

Of course, the big problem is this: organisations (private and public sector) looking to deploy EAL4+ certified products are usually those with highly skilled, highly motivated threat actors. If some EAL4+ certifications do not cater for these threat actors what is the real value of those certifications?

(At least here in the UK, HMG organisations can turn to the CTAS process for assurance of specific technical barriers.)