Thursday, August 05, 2004
I watched "Fog of War" last night. Very insightful commentary by Robert McNamara about human beings, countries, and war. He made some quick remarks about how the general public responded to Ford's introduction of seatbelts and other safety features in the '50s: they had no interest at all. It struck home with me.
8:13:07 PM
Wednesday, August 04, 2004
I was asked to sit on a panel at the CIO Conference a few weeks ago, and here is what I said (as quoted in an article on searchCIO.com):
Three things you need to know about security
"We're stuck with a notion that security is withholding our progress, when in reality -- when properly applied -- security allows you to go faster, because it gives you the controlled environment you need in order to succeed and implement new applications.
"Second, security is supposed to be boring. It's the cop walking the beat. To whatever extent the Internet brought about this idea of fighting spies and espionage, white hats and black hats, and all those exciting things -- that's completely wrong. The only people doing that are the ones who are failing to do all the boring, mundane, operational things that keep all that 'exciting' stuff away. [Security] is your standard, process-oriented approach to any control infrastructure. It's not supposed to be sexy or exciting. It's all about coming in to work every day, doing the right things and continuing to do them over time.
"Thirdly, successful security means we're changing the future. We deal in a world of uncertainty and probability, and we're trying to decide what we should be doing if we were going to be attacked or hacked tomorrow. Based on that decision, we then implement our security controls. If we're successful, we don't get attacked tomorrow -- so we changed that future. I consider Y2K the biggest security success of all time, because there were actually lines of code being changed to thwart this notion of what would go wrong. Success means nothing happened."
So, what do you think? Did I miss anything?
5:05:18 PM
Who said this:
"No matter how hard he flees, he will always be pursued by an awful commonness. And that is what makes him a winner."
...and who did he (first clue) say it about?
12:53:05 AM
Friday, July 23, 2004
I mentioned here that it seemed contradictory to me that someone can advocate both privacy and full disclosure in the same breath. I have thought a bit more about it and have become even more convinced that this is worth pursuing.
The old saying "some information just wants to be free" apparently does not apply to personal information that is protected in various laws and regulations, like personal health information, activity-based information (i.e. what porn sites have I been visiting), financial information, and even demographic information (my email address). But of course the real issue with privacy is... disclosure. As in, who is allowed to disclose this information, and to whom?
Disclosure is the other piece: we disclose all sorts of information, both inside the security space (vulnerability information, hacker instructions, etc.) and outside it (how to break other systems, publicly available yet nicely packaged information about sensitive locations, etc.).
In general, those who are vocal about disclosure are adamant that the information is currently available and so the packaging and distribution don't matter. Those who are vocal about privacy (the same people? ;-) are adamant about protecting this information...which is currently available anyway. Hmmm, can someone help resolve this for me?
4:16:30 PM
Clarity is often gained by offering multiple dimensions of an issue, problem, or topic. For example, a quick way to think about endpoint security is to consider the question of whether the endpoint is managed or unmanaged and whether it is connected or disconnected. Our options, then, are:
- Managed/connected - a state where these days we seem to worry much more about the network than any single endpoint, due to concerns about worm propagation. When we have control over the endpoint (managed), we can do things like install personal firewalls, antivirus, and a monitoring agent. Since it is also connected, we can evaluate the state of one or more of those three items and determine whether they have been providing the necessary protection.
- Unmanaged/connected - the best examples of these systems are kiosks and customers. These are intended to be valid users, but because they are unmanaged they may also be rogue devices. Certainly, contractor connections fall into this category as well. In general, these scenarios are extremely dangerous in today's environments, and we are addressing them in two primary ways - first, through network-based security to identify rogue devices, and second, by interrogating the client via an ActiveX component or other type of quick download.
- Managed/disconnected - we seem to be generally neglecting this category as of late, perhaps because it has been a part of our environments for so long. As laptops continue to dominate the endpoint landscape, personal firewalls and antivirus solutions are being modified to cope with the different networked environments that are being accessed.
- Unmanaged/disconnected - in general, we don't care about these and have no way to protect them anyway.
Just some thoughts.
3:54:18 PM
Friday, July 16, 2004
FUD stands for fear, uncertainty, and doubt. Gene Amdahl is credited with originating the term (see here for more info). In the security space, we like to say that "FUD sells." I have come to the recent conclusion that FUD actually doesn't sell. In the security space, what sells is RAL, or regulation, annoyance, and loss. Let's look:
- Regulation - many new regulations spawn at least some routine spending on consulting to evaluate the enterprise and develop some notion of compliance. Regulations provide the framework and the teeth to actually get folks to consider the implications of security. They also tend to drive people who focus on them towards a "least common denominator" method of security which may be effective at protecting against the threat of regulatory fines but often will not protect against the threat of compromise.
- Annoyance - heck, who doesn't hate spam? Spam, worms, viruses - all very common in today's networked world. People spend money on them because they are annoying.
- Loss - it often takes an attack to wake up an enterprise. This is unfortunate, but true.
All of these things provide "comfort food" in some sense to enterprises that struggle with the notion of FUD - that is, that you just never know how, when, or where your risks are with any degree of certainty (we can do a heck of a lot better than we are doing today, however). In general, RAL is reactive and tactical.
11:09:12 PM
Thursday, July 08, 2004
Okay, I know this is a bit of a stretch, but I do want to point another thing out about privacy. Basically, we complain about our privacy every time something (usually tech) or somebody makes it easier to collect and distribute information about us. Most recently, I have been reading a bit about RFID and privacy. So the technology is evil because our privacy is at risk.
On the other hand, many times the same people also support things like "full disclosure" of information when it is available. But they ignore the value provided (to the bad guys) when it is used to collect and distribute this information. The basic response here is "they would have gotten the information some other way anyway."
I guess my basic complaint is that they worry about how easy technology makes some things in the case of privacy, and yet in the case of some other information (how to build a nuclear bomb) they completely discount the value associated with collection and distribution.
Of course, there are many better examples in history that demonstrate the value proposition associated with the person willing to go through the effort of collection.
It's late. I will need to think about this a bit more...
12:21:54 AM
I know there are lots of definitions of privacy-related information out there (PII and PHI are two big ones) but I would like to provide a quick taxonomy (mostly for my own purposes). I think of three different types of information that affect privacy:
1) Identity information (who I am) - general information about who a person is as well as demographic information (address, phone number, etc.). This type of information is necessary to disclose in various ways and can be used for activities like identity fraud.
2) Identifying characteristics (more about me) - information that provides insight into the person and is generally unknown. Included here are financial information, health information, and other sensitive information.
3) Identifying activities (what I do) - actions that provide insight into the person. For example, the clubs someone frequents, online activities, etc.
Humans leak this personal information all the time. From a biometrics perspective, we do it without knowing it (check out CSI for details). In our personal activities, we provide insight into who we are. Everything around us - our garbage, the color of our house, the music coming out the window - all tell something about who we are.
12:12:14 AM
Monday, June 14, 2004
Well, I am definitely missing the whole point about why Microsoft should release XP SP2 to pirates. Not only might it invalidate future claims of piracy ("they gave us the update so we assumed it was sanctioned software") but it also doesn't make a lot of sense.
2:37:40 AM
For a while now, the security profession has been discussing and debating the notion of cyberterrorism. The idea generally revolves around taking down some significant portion of the Internet, with the world then coming crashing to its knees.
To date, I have tended to take the side that says cyberterrorism is pretty difficult simply because there is no visible, imminent death and destruction involved. People are not afraid of the Internet, nor do they care enough about it to be affected if it went down (most people, that is).
The linked article is interesting because it is an indicator that perhaps we have been looking in the wrong direction - 180 degrees, in fact. It is not denial-of-service attacks we should be concerned with, it is the opposite - the availability of the Internet allows for the dissemination of records (like videotapes) of "terroristic" acts without running the risk of being caught in a public place. It is much simpler to perform these acts.
So it is in the interest of cyberterrorists to actually keep the Internet up and running. Go figure.
12:04:55 AM
Saturday, June 12, 2004
This article quotes me as saying:
Pete Lindstrom, analyst at Spire Security, agreed, saying most companies in the IDS space are making firewalls smarter and more aware of intrusions.
“There’s so much noise out there on the Internet that it’s nice to eliminate some of that,” Lindstrom said.
Just to clarify a bit - IPS solutions are evolutionary firewalls and I expect firewalls to "disappear" into the network IPS space over the next 3 years. These solutions will be generally effective at dealing with the most popular attacks.
IDS, on the other hand, needs to push forth with its new techniques for identifying threats. These include correlation (in conjunction with Security Event Management solutions) and statistical models that identify anomalies.
11:42:14 PM
Post to test new laptop usage. Note that the entire blog is being run from a 256MB USB flash drive.
11:30:41 PM
Wednesday, May 19, 2004
Another organization with another framework, the same as all the others. Good news, too - another organization endorses this other organization's plan because it is just like theirs. Yippee!
Let's get real, here. This stuff, in general, is fine - we want some public exposure for "paying tribute to security gods" but in reality, don't want to sacrifice. We go to church on Sunday and sin the rest of the week, right?
Here is their framework:
- Information security requires CEO attention in their individual companies and as business leaders seeking collectively to promote the development of standards for secure technology.
- Boards of directors should consider information security an essential element of corporate governance and a top priority for board review.
- IT suppliers and end-users of these products and services have a shared responsibility for improving cyberspace security.
- The Federal government plays an important collaborative role in information security by sharing information about threats and vulnerabilities, helping companies overcome legal barriers and encouraging appropriate corporate actions.
- Public policy initiatives on cyber security should take a balanced and comprehensive approach that reflects the shared responsibility of end-users and IT suppliers.
- Market solutions to cyber security are preferred over statutory and regulatory mandates.
- Public disclosure of corporate information security practices should be voluntary.
4:54:49 PM
Tuesday, May 18, 2004
As mentioned earlier, here is the column I wrote about source code security.
11:25:09 PM
Tuesday, April 13, 2004
CNET article on Fortify software. They apparently have a solution that performs source code security reviews automatically. It appears to be a hot area. Look for my column in next month's Information Security Magazine for more details on some other players.
12:44:58 AM
This XML security article sums things up well.
12:40:58 AM
If we only spent less (yes, less) time making us "more secure," it would probably make the world "more secure." Go figure.
12:37:39 AM
Great article on the cutthroats in the security space. Toss out any altruism for "better security" - it is plain ol' "Smackdown" time! But wait, they are going to continue w/ the ridiculous "doing it for our own good" mantra... Check this out from the Wall Street Journal article (sorry, gotta pay at the site for the full article):
"Dan Ingevaldson, director of Internet Security Systems' X-Force research arm, denies competitive motives played a part in the release. Both companies make what are known as intrusion-prevention systems, fairly new technologies for stopping hacker attacks. "X-Force does not take our direction from marketing," he said. "We take our direction from hackers," who are showing new interest in exploiting flaws in security products, Mr. Ingevaldson said. "We're going to see if we can find the vulnerabilities before hackers do.""
"We take our direction from hackers" - So not only is he trying to beat the hackers to finding the flaws, but they know what they are in advance. I wonder if Dan understands the significance of this statement. By the way, without "direction" from hackers, I bet the statistical likelihood that they could find the same vulnerabilities that a hacker would before the hacker does is nearing zero. There are just too many vulnerabilities out there.
""There is no campaign to go after our competitors," said Chief Operating Officer Firas Raouf, adding: "Vulnerability research should not be exclusive to non-security products. It's just part of the overall [goal of] making networks more secure, and we should not be treating each other with velvet gloves.""
So, does finding vulnerabilities "make networks more secure" if nobody patches? Forget about what they should be doing for a second, because you have no control over it. You know, if history can provide insight into the future, we have to assume that even more vulnerabilities will be found, so right now everybody is sitting with systems that are vulnerable... and we have to learn to deal with that. So any single new vulnerability gets us no closer to being "more secure" (after all, we are dealing w/ uncertainty here); it only exposes a weakness that can be exploited. Put this way, it is sort of silly that we scramble to find and fix known vulnerabilities, isn't it? (But we have to do it.)
12:20:21 AM
© Copyright 2004 Pete Lindstrom. Last update: 8/5/2004; 8:39:45 PM.