Posted on Thu, Mar 11, 2010 @ 10:03 AM
Virtualization technology has been making its way into IT departments for years. It started in the datacenter as a means to consolidate servers and has seen increasing viability in an appliance form factor (the virtual appliance). Put simply, an appliance software solution has everything needed to accomplish a singular function in one integrated bundle.
So the OS, database, web server and application logic are all integrated and cannot be split apart for other uses (this is a quick and simplistic explanation). There are virtual appliances made using virtualization technology, hardware appliances that integrate software with the hardware, and software appliances that load on bare-bones servers.
The one area virtual appliances have not made much headway is in network security. Network security is still dominated by hardware appliances which today offer superior performance, scalability and function. However, many vendors are starting to tout current or soon to be available virtual appliances for security.
Hmmm. Security that is virtualized... which means it's not really there. It makes one pause for a moment and wonder whether this is a good thing or a case of "buyer beware." To make sure my views aren't biased, I visited the blog of Chris Hoff, currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems, and a security industry honcho.
His views seem to mirror what I've found in working with companies in both the security and the appliance solution space. Here are some issues per Chris Hoff:
- Most of the virtual network appliances, especially those "ported" from the versions that usually run on dedicated physical hardware (COTS or proprietary) do not provide feature, performance, scale or high-availability parity; most are hobbled or require per-platform customization or re-engineering in order to function
- The resilience and high availability options from today's off-the-shelf virtual connectivity does not pair well with the mobility and dynamism of de-coupled virtual machines; VMs are ultimately temporal and networks don't like topological instability due to key components moving or disappearing
- The performance and scale of virtual appliances still suffer when competing for I/O and resources on the same physical hosts as the guests they attempt to protect
- Virtual connectivity is generally a function of the VMM (virtual machine manager) (or a loadable module/domain therein). The architecture of the VMM has dramatic impact upon the architecture of the software designed to provide the connectivity and vice versa.
- Security solutions are incredibly topology sensitive. Given the scenario in #1 when a VM moves or is distributed across the pooled infrastructure, unless the security capabilities are already present on the physical host or the connectivity and security layers share a control plane (or at least can exchange telemetry), things will simply break.
- Many virtualization (and especially cloud) platforms do not support protocols or topologies that many connectivity and security virtual appliances require to function (such as multicast for load balancing)
- It's very difficult to mimic the in-line path requirements in virtual networking environments that would otherwise force traffic passing through the connectivity layers (layers 2 through 7) up through various policy-driven security layers (virtual appliances)
- There is no common methodology to express what security requirements the connectivity fabrics should ensure are available prior to allowing a VM (virtual machine) to spool up let alone move
- Much of the basic networking capabilities are being pushed lower into silicon (into the CPUs themselves) which makes virtual appliances even further removed from the guts that enable them
What does this mean? If you want real security in an appliance form factor, you can't beat a hardware appliance. At least not today.
Posted on Thu, Mar 04, 2010 @ 10:51 AM
"Italy convicts 3 Google execs in abuse video case," was the title of the AP news story. Briefly, some thugs beat, punished and humiliated an autistic person, and then were foolish enough to videotape the attack and post it online. The old adage holds true: give a fool enough rope and he'll hang himself, and invite the world to see.
Corporate officers of Google were then held responsible for not removing the video fast enough. The irony of this case is that the videotape was used to convict these criminals, yet Google was also convicted for showing it. And without the tape the criminals would never have been caught.
We get more evidence each day that the web has become a virtual paradise for the advancement of business, government and community as well as for the expression of criminal intent. In the midst a question arises. What type of security should be provided for online, public platforms that meet community as well as individual privacy needs? And who is responsible for this security?
In many, if not most organizations, employees sign an Internet usage policy that acknowledges the company's right to monitor computer usage. Both incoming and outgoing communications can be monitored. In the public domain, you have to assent to the terms of service (TOS) for using online services (e.g., Facebook, YouTube) and agree you will be a good citizen. If another citizen reports bad behavior your use of the service could be terminated.
Herein lies the issue. In corporations, the liability for bad employee behavior can be assigned to the organization since the employee is a representative. But in public domains, there are no employees, just users, some with good intentions and others born of a criminal mind. Is assent to the TOS enough to remove liability from a corporation that provides a public service?
To explore this further I went to the folks at EFF to see what they had to say about this. This is the description of EFF: "From the Internet to the iPod, technologies are transforming our society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense."
A little soupy but it works.
The body of content by EFF suggests they believe there has to be a balance between individual rights (free expression, privacy), corporate rights (innovation, profit) and the good of society (trade, communications, decency).
If more liability is assigned to a public service provider, then less individual privacy is the consequence. The entity will be forced to monitor individual usage of service to reduce its risks. Or will limit or even withdraw the service because of the cost of liability.
We can't have our cake and eat it too.
Posted on Wed, Feb 24, 2010 @ 10:47 AM
I took the challenge to wade through 300 pages of NIST's (National Institute of Standards and Technology) second draft of NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements. My head is still ringing.
What is it?
The nation's electric power infrastructure is called the grid. It is believed the grid will not be able to generate sufficient power for all citizens in the future. Therefore the government wants to enable more efficient distribution of energy and use of natural resources by the utilities and consumers. And the way to do this is by modernizing the electric utility distribution model using information technology. Hence the Smart Grid.
Smart Grid Vision
The NIST plan lays out a complex web of intelligent consumer devices (washing machines, water heaters and electric car batteries) connected to a computer network within the house or building; which is then connected to intelligent meter-type devices; connected to a network of utilities and service providers (solar, wind, coal, nuclear, natural gas, hydroelectric); which are then connected to financial trading houses that set the market prices that affect energy rates.
Imagine a network of millions of intelligent devices, homes, buildings, utilities, distributors, financial markets and service providers all connected. The Internet redux.
Except in this situation there is the massive ability to control, shut off and turn on devices central to daily living, school, industry and work. Both consumers and service providers using Smart Grid technology will be able to regulate the use of energy by individual devices within the home and also local storage of power. Storage options can range from an electric car battery to batteries which store energy generated from solar panels or wind turbines. You will also be able to regulate usage and energy storage based on real-time market prices.
So as a result of Smart Grids the public can conserve energy, lower energy costs, lower carbon emissions, and have less reliance on foreign oil (automobiles). Yet while the goals are worthy, after watching movies like the Terminator and The Matrix, I couldn't stop thinking this massive network will lead to a Doomsday scenario. Computers taking over the world.
However, this is not what keeps NIST and others up at night. The fear is that this massive network, based on off-the-shelf computer technology, presents a frightening cyber security challenge. And the threats could come from terrorists, natural disasters, internal malcontents and consumers themselves.
Difference in security for Smart Grids vs. corporate IT
A traditional IT-focused understanding of cyber security is that protection is required to ensure confidentiality, integrity, and availability of the network and data. The priority is confidentiality first, then integrity and availability.
For industrial control systems, including power systems, the priorities of the security objectives are availability first, integrity second, and then confidentiality (consumer data). Cyber security in the Smart Grid therefore spans both power and cyber system technologies, as well as the processes used in IT and power system operations and governance.
Because the Smart Grid includes systems from the IT, telecommunications, and energy sectors, the risk assessment process is applied to all three sectors as they interact in the Smart Grid. It is an enormous undertaking. But once the Smart Grid is secure, it will be the harbinger of daily life in the future.
Posted on Tue, Feb 16, 2010 @ 08:37 AM
In their official corporate blog last month, Google reported attacks originating from China on certain Gmail accounts. Further investigation revealed the Gmail accounts belonged to Chinese human rights activists. And then they found that accounts of dozens of U.S., China and Europe-based Gmail users, who are advocates of human rights in China, were accessed via phishing scams or malware placed on users' computers.
When Google.cn (China) was launched in 2006, Google agreed to censorship by the Chinese government. However, based on these latest attacks and increasing limits on free speech on the web, Google is re-evaluating its position. Depending on its talks with the Chinese government, it may cease operating in that country.
What are we to do when a sovereign government breaches security and attacks its own people? Who do you turn to for recompense? What additional security measures can one take?
Google is already warning all users to deploy anti-virus and anti-spyware programs, to install patches for their operating systems, to update their web browsers and to be cautious when clicking on links appearing in instant messages and emails.
But is this enough? In the old days when the government snooped on you they wire-tapped your phone, camped outside your house with long lens cameras, sifted through your trash and followed you around. It took a lot of effort and expense to spy on someone. Now in the cyber age, the snoopers are faceless and attack millions with little effort. What can one do?
Individual and corporate security measures will safeguard you to a certain point. But when a government attacks, ultimately it is the human response, the people at every node of the network who safeguard our freedoms. Unplugging will not be an option unless we desire to return to the Stone Age. Thus behind every security measure there must be people willing to stand for what is right.
Posted on Wed, Feb 10, 2010 @ 09:32 AM
The Department of Energy (DOE) has a goal to secure control systems used in the energy sector from malicious cyber attacks: attacks that could lead to potentially catastrophic disruptions in our critical infrastructures. As part of this effort, DOE created a document called "Roadmap to Secure Control Systems in the Energy Sector." As I was reading it I came across some interesting nuggets about previous attacks on utilities (Source: GAO 2004, Reed 2005). Some things you may not hear on David Letterman.
- 1. Unsuspected code hidden in transferred product (USSR, 1982)
While the following cannot be confirmed, it has been reported that during the Cold War the CIA inserted malicious code into control system software leaked to the Soviet Union. The software, which controlled pumps, turbines, and valves on a Soviet gas pipeline, was programmed to malfunction after a set interval. The malfunction caused the control system to reset pump speeds and valve settings to produce pressures beyond the failure ratings of pipeline joints and welds, eventually causing an enormous explosion.
- 2. Hacker exploits cross-sector interdependence (Massachusetts, USA, 1997)
A teenager hacked into and remotely disabled part of the public switching network, disrupting phone service for local residents and the fire department and causing a malfunction at a nearby airport.
- 3. Insider hacks into sewage treatment plant (Australia, 2001)
A former employee of the software developer hacked into the SCADA system that controlled a Queensland sewage treatment plant, causing a large sewage discharge over a sustained period. He was caught and sentenced to two years in prison in 2001.
- 4. Worm exploits interconnected business and operations networks (Ohio, USA, 2003)
The SQL Slammer worm infiltrated the operations network of the Davis-Besse nuclear power plant via a high-speed connection from an unsecured contractor's network (after the corporate firewall had previously blocked the worm). After migrating from the business network to the operations network, the worm disabled the panel used to monitor the plant's most crucial safety indicators for about five hours and caused the plant's process computer to fail; recovery for the latter took nearly six hours. Luckily, the plant was off-line at the time.
These stories were used to illustrate the concern of the U.S. government about the potential for cyber attacks on the energy sector. And as smart grid technology evolves to tie everyone and everything together in a futuristic, postmodern indulgence of technology in daily life, we will need all the security we can get.
GAO. 2004. Government Accountability Office. Critical infrastructure protection: Challenges and efforts to secure control systems (GAO-04-354).
Reed, T. 2005. At the abyss: An insider's history of the Cold War. Random House.
Posted on Wed, Jan 27, 2010 @ 12:49 PM
The failed attack on a U.S. airliner on December 25, 2009 prompted U.S. President Barack Obama to focus on the state of collaboration between U.S. intelligence and security agencies. President Obama stated, "The bottom line is this: the U.S. government had sufficient information to have uncovered this plot and potentially disrupt the Christmas Day attack. But our intelligence community failed to connect those dots, which would have placed the suspect on the no-fly list. In other words, this was not a failure to collect intelligence, it was a failure to integrate and understand the intelligence that we already had."
The President's ire has led to focus on an initiative by the Office of the Director of National Intelligence (ODNI) to create a "common trust environment" for collaboration and sharing of information within the U.S. intelligence community.
In the words of Director J.M. McConnell, "The information sharing strategy is focused on developing a 'responsibility to provide' culture in which we unlock intelligence data from a fragmented information technology infrastructure spanning multiple intelligence agencies and make it readily discoverable and accessible from the earliest point at which an analyst can add value."
"This new information sharing model will rely on attribute-based access and tagged data with security built-in to create a trusted environment for collaboration among intelligence professionals to share their expertise and knowledge."
Shift to role and policy-based network security
The foundation of this initiative is a shift from traditional firewall and identity-based security to role-based policy management of the network. Policy-based security can, on the fly, adjust security measures to allow the right users to have the right access to the right information from the right place at the right time.
We find policy-based security controls in Network Access Control solutions and flow-based network switches which give security managers granular control of the network. You can manage who has access to specific databases, at what time of day, from which location, from what department, what functional (role) responsibility and even from what type of device.
In a dynamic environment such as that found in government intelligence agencies, it is policy-based security that will enable true collaboration amongst disparate parties dealing with sensitive information.
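What "attribute-based access and tagged data" look like in practice, as an added example (not ODNI's system or any vendor's product): a deny-by-default policy that evaluates a request against the subject's clearance, role, location and device, the classification and tags carried by the record, and the time of day, and reports which rules failed so the decision can be audited. Attribute names, rule thresholds and sample values are my own assumptions.

```python
"""Attribute-based access decisions over tagged data (illustrative, constructed).

A request is permitted only when every policy rule holds; a denial carries the
names of the failing rules so the decision can be written to an audit log.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    role: str         # functional responsibility, e.g. "analyst"
    agency: str       # organization that issued the identity
    clearance: str    # uniform attribute understood by every agency
    location: str     # where the request originates
    device: str       # "workstation", "laptop" or "mobile"


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    tags: FrozenSet[str]   # data tags carried with the record


@dataclass(frozen=True)
class Context:
    hour: int              # local hour of the request, 0-23


CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
SECURE_LOCATIONS = {"hq-scif", "field-office-scif"}
# Tags each role may see; "sources" is deliberately withheld from liaisons.
ROLE_TAGS: Dict[str, set] = {
    "analyst": {"counterterrorism", "cyber", "sources"},
    "liaison": {"counterterrorism"},
}
DEVICES_FOR = {"SECRET": {"workstation", "laptop"}, "TOP SECRET": {"workstation"}}

Rule = Callable[[Subject, Resource, Context], bool]


def clearance_dominates(s: Subject, r: Resource, c: Context) -> bool:
    return CLEARANCE_RANK[s.clearance] >= CLEARANCE_RANK[r.classification]


def role_entitled_to_tags(s: Subject, r: Resource, c: Context) -> bool:
    # Every tag on the record must lie within the role's entitlement.
    return r.tags <= ROLE_TAGS.get(s.role, set())


def location_suits_classification(s: Subject, r: Resource, c: Context) -> bool:
    # SECRET and above may only be read from an accredited facility.
    if CLEARANCE_RANK[r.classification] >= CLEARANCE_RANK["SECRET"]:
        return s.location in SECURE_LOCATIONS
    return True


def device_suits_classification(s: Subject, r: Resource, c: Context) -> bool:
    allowed = DEVICES_FOR.get(r.classification)
    return allowed is None or s.device in allowed


def sources_within_hours(s: Subject, r: Resource, c: Context) -> bool:
    # Source-identifying data is served 06:00-22:00 only; anything else needs review.
    return "sources" not in r.tags or 6 <= c.hour < 22


POLICY: List[Tuple[str, Rule]] = [
    ("clearance", clearance_dominates),
    ("role", role_entitled_to_tags),
    ("location", location_suits_classification),
    ("device", device_suits_classification),
    ("time", sources_within_hours),
]


def evaluate(s: Subject, r: Resource, c: Context) -> Tuple[str, List[str]]:
    """Deny by default: ("PERMIT", []) or ("DENY", [names of failed rules])."""
    failed = [name for name, rule in POLICY if not rule(s, r, c)]
    return ("DENY" if failed else "PERMIT", failed)


def audit_record(s: Subject, r: Resource, c: Context) -> Dict[str, object]:
    """One log line's worth of fields: who, from which agency, what, and why."""
    decision, failed = evaluate(s, r, c)
    return {"user": s.user, "agency": s.agency, "resource": r.name,
            "decision": decision, "failed_rules": failed, "hour": c.hour}


# Constructed sample subjects and a tagged SECRET report.
ANALYST = Subject("a.jones", "analyst", "agency-x", "SECRET", "hq-scif", "workstation")
LIAISON = Subject("b.lee", "liaison", "agency-y", "CONFIDENTIAL", "hq-scif", "workstation")
REPORT = Resource("ct-report-42", "SECRET", frozenset({"counterterrorism", "sources"}))

if __name__ == "__main__":
    print(audit_record(ANALYST, REPORT, Context(hour=10)))
    print(audit_record(LIAISON, REPORT, Context(hour=10)))
```

Because the clearance and tag vocabularies are shared across agencies, the same policy can be evaluated wherever the record lands, which is the point of the "uniform attributes" goal below.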
Now intelligence analysts will be better able to "connect the dots" and go beyond the boundaries of traditional culture that led to silos that inhibited information sharing. These organizations had established their own security classification rules and procedures, resulting in inconsistent use and understanding of security markings.
ODNI's goals statement summarizes this concept:
- Define a uniform identity structure and uniform attributes to enable identity management, develop uniform standards and guidance for identity management, and support decentralized, agency-specific implementation
- Establish identity management standards for authentication, authorization, auditing, and cross-domain services
- Develop information security policies to support logical and physical data protection efforts
- Create a common classification guide for the Intelligence Community
- Establish a risk management approach that supports the common trust and information environment while still protecting sources and methods as well as sensitive information from disclosure
Organizations struggling with collaboration and the free flow of information across geographic boundaries, multiple trading partners and distributed business units may find an answer in role and policy-based network access solutions. If it works for the CIA, FBI and DHS it may just work for you.
Posted on Mon, Jan 25, 2010 @ 02:15 PM
Over 234 million consumer credit card records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse.org. The seriousness of this problem compels us to examine the gap between meeting industry compliance requirements and actually securing confidential data.
A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk (source: Forrester Consulting, The State of PCI Compliance, commissioned by RSA/EMC):
- 81% store payment card numbers
- 73% store payment card expiration dates
- 71% store payment card verification codes
- 57% store customer data from the payment card magnetic stripe
- 16% store other personal data
As a result of this behavior by merchants, vulnerabilities were created in the card-processing ecosystem. Information security breaches occurred in point-of-sale devices; personal computers or servers; wireless hotspots; ecommerce applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.
To combat this trend, a PCI Data Security Standard (DSS) was created by the PCI Security Council whose founding members include: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. To any security manager, these standards are very familiar as they mirror corporate best practices for network security. Here are the 12 requirements for PCI DSS.
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Change your passwords often.
Requirement 3: Protect stored cardholder data. Anything stored should be encrypted and cardholder data should not be retained or if retained then only for a limited time period.
Requirement 4: Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols such as SSL/TLS or IPsec.
Requirement 5: Use and regularly update anti-virus software or programs. Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities.
Requirement 6: Develop and maintain secure systems and applications. Security vulnerabilities in systems and applications may allow criminals to access cardholder account numbers and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches.
Requirement 7: Restrict access to cardholder data by business need-to-know. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Role-based authentication is helpful here.
Requirement 8: Assign a unique ID to each person with computer access. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Requirement 9: Restrict physical access to cardholder data. Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.
Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.
Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time.
Requirement 12: Maintain a policy that addresses information security for employees and contractors. A strong security policy sets the tone for security affecting an organization's entire company, and it informs employees of their expected duties related to security.
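Requirement 3 is where the survey figures above (71% storing verification codes, 57% storing magnetic-stripe data) bite. The following is an added example, not code from the PCI council or any vendor: a check over a stored record that flags sensitive authentication data and readable card numbers, and a sanitizer that drops the former and masks the latter. The field names, the sample record and the Luhn-based PAN detection are my assumptions.

```python
"""Checks on a stored payment record against PCI DSS Requirement 3 (constructed).

Rule applied: sensitive authentication data (verification code, full
magnetic-stripe track data) must not be retained after authorization, and a
stored PAN must be rendered unreadable (here: masked to first six/last four).
"""
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 data has the shape PAN=YYMM...; its presence means stripe data was kept.
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")
# Field names under which sensitive authentication data is typically stored.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track_data", "track1", "track2", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn check, so that an ordinary 16-digit order number is not flagged as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in free text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most that may be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (field, problem) pairs for everything in the record that may not be stored."""
    findings = []
    for field, value in record.items():
        if field.lower() in SAD_FIELDS:
            findings.append((field, "sensitive authentication data retained"))
        if TRACK2_RE.search(value):
            findings.append((field, "full track data retained"))
        if find_pans(value):
            findings.append((field, "PAN stored in readable form"))
    return findings


def _mask_match(m: "re.Match[str]") -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def sanitize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop sensitive authentication data and mask any readable PAN."""
    clean = {}
    for field, value in record.items():
        if field.lower() in SAD_FIELDS or TRACK2_RE.search(value):
            continue
        clean[field] = PAN_RE.sub(_mask_match, value)
    return clean


# Constructed record of the kind the survey describes: PAN, expiry, verification
# code and raw stripe data kept together. 4111111111111111 is a well-known test number.
SAMPLE = {
    "order_id": "1234567890123456",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cvv": "123",
    "track_data": "4111111111111111=25121010000000000000",
    "note": "customer asked to keep card 4111111111111111 on file",
}

if __name__ == "__main__":
    for finding in audit_record(SAMPLE):
        print(finding)
    print(sanitize_record(SAMPLE))
```

The free-text "note" field is the case that matters most in practice: card numbers pasted into comments and tickets are how PANs leak past the fields a schema review would look at.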
Posted on Wed, Jan 20, 2010 @ 01:02 PM
Professor Howard A. Schmidt, White House CyberSecurity Advisor and CEO of the Information Security Forum, spoke recently on the emerging threats created by the global economic upheaval. As businesses of all sizes expand via the Internet to engage with sales, production and distribution partners around the world, new threats arise.
Political - Espionage, previously the stuff of the Cold War and Hollywood entertainment, has become a reality because almost anyone can use the Internet to unearth and piece together confidential information on individuals, governments and corporations. What is illegal behavior in the U.S. may not be illegal in the other countries your business operates in.
Legal - Theft and misuse of other companies' intellectual property and brand names is commonplace, and laws differ across each border. We hear about identity theft regularly on the news. Electronic evidence can now be retrieved from all sorts of communication devices and protocols between employees and the world. What you say, where you say it and how you say it must now be monitored.
Economic - Organized crime has evolved from the days of extorting storekeepers for "protection" to well-planned thefts of credit card information and kidnapping of customer hard drives via the Web. Emerging nations are using technology as a way to help their struggling economies but in the midst of that growth, criminals exploit the rudimentary architectures and security vulnerabilities.
Socio-cultural - High unemployment has increased the number of disgruntled employees and thus creates an environment for increased employee data theft, fraud, embezzlement, corruption and risk.
Web enablement of society - As more and more devices that are part of daily life become web-enabled the possibility of security incidents that have life threatening impact becomes real. An example is IP-enabled pacemakers. These devices contain a radio transmitter which connects wirelessly to receiving equipment to report on the condition of the patient's heart. Any problems are instantly reported to the doctor, and regular checkups can be done by remotely interrogating the home-based equipment. Imagine the impact on a person's life if the network were to be compromised.
5 steps to reduce global risk
The things you can do to reduce risk in this global economy, according to Professor Schmidt, include:
- 1. Get the basics right - Identify critical and sensitive information that requires special handling and secure management. Continually re-assess your risks, identify and deploy security controls and re-examine your security function activities.
- 2. Throw out assumptions - Look beyond historical data that might say "we've never had a security breach" because complacency is the point where your risk grows greatest. Question your long-held beliefs about security and about the nature of threats from employees and business partners.
- 3. Plan for uncertainty - Prepare for a whole new world where wireless communication is the norm. And where cyber criminals lurk in the alleys off each transmission. Develop and rehearse responses in the event of a security incident, much like disaster recovery drills.
- 4. Become a risk champion - Adapt to changes in your organization's risks. If previous security plans were based on old technologies that have since been updated, then update your security strategy and plans as well.
- 5. Build for the future - Maintain your capabilities to respond to incidents; collaborate with others and have an end-to-end strategy.
Posted on Mon, Jan 11, 2010 @ 02:22 PM
A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.
Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.
For example, mnemonic passwords, which are created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: "The famous Ghostbusters line 'Dogs and cats, living together!' becomes, with a few substitutions, 'D&c,lt.'" However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.
The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.
To discourage the latter from happening experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions in six months!
Instead of a mnemonic password, research suggests that users are better off constructing passwords out of a phrase itself: a passphrase. Newsweek gives this example: "a short but hard-to-remember string like 'J4fS<2' can be broken by what is called a brute-force attack (in which a computer attempts 'a,' then 'ab,' then 'abc,' and so on) in 219 years, while a long but easy-to-remember phrase like 'du-bi-du-bi-dub' will stand for 531,855,448,467 years."
The main point here is a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols. So break out those old Sinatra songs, "do be do be doo... strangers in the night..." there could be some great passwords in them.
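An added worked calculation (not the article's or the researchers' code) showing why length wins under the brute-force model the article describes, and what changes if the attacker guesses a passphrase syllable by syllable instead. The guess rate and the syllable vocabulary size are assumed, so the year figures will not match the article's.

```python
"""Keyspace arithmetic behind the comparison of "J4fS<2" with "du-bi-du-bi-dub".

Two attacker models are costed: a character-level brute force that tries every
string of length 1, 2, 3, ... over the classes present in the password, and a
syllable-level guesser for hyphenated passphrases. The guess rate and the
vocabulary size are assumptions (constructed), not figures from the article.
"""
import math
import string

CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the attacker must cover for this password."""
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Strings of length 1..len(password) over that alphabet: everything tried
    before the search is exhausted."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual single scale for comparing strengths."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def syllable_keyspace(passphrase: str, vocabulary: int, sep: str = "-") -> int:
    """Keyspace if the attacker guesses whole syllables drawn from a vocabulary of
    the given size rather than single characters (the smarter model for a passphrase)."""
    return vocabulary ** len(passphrase.split(sep))


def compare(short_complex: str, long_simple: str, guesses_per_second: float = 1e9,
            vocabulary: int = 5000) -> dict:
    """Side-by-side figures under both models; 1e9 guesses/s and a 5000-syllable
    vocabulary are assumed values."""
    return {
        "short_bits": round(entropy_bits(short_complex), 1),
        "long_bits": round(entropy_bits(long_simple), 1),
        "short_years": years_to_exhaust(short_complex, guesses_per_second),
        "long_years": years_to_exhaust(long_simple, guesses_per_second),
        "long_years_by_syllable": syllable_keyspace(long_simple, vocabulary)
        / guesses_per_second / SECONDS_PER_YEAR,
    }


SHORT = "J4fS<2"            # the article's short, hard-to-remember string
LONG = "du-bi-du-bi-dub"    # the article's long, easy-to-remember phrase

if __name__ == "__main__":
    for key, value in compare(SHORT, LONG).items():
        print(f"{key}: {value:,.1f}")
```

The syllable model is the caveat: a phrase built from a small set of repeated, common syllables is much weaker than the character-level figure suggests, so the advantage of length holds only when the words are not easy to predict.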
Posted on Wed, Jan 06, 2010 @ 01:05 PM
Several years ago software that monitored employee use of the Internet was big news. We heard how thousands of workers, on company time, visited pornographic sites, downloaded music and videos or just spent inordinate amounts of time surfing the web.
Sexual harassment cases and lawsuits came up when folks saw offensive materials on their co-workers' computers. Bandwidth charges were going up and network performance going down. In addition, there were statistics that said over 87% of hacking and confidential data losses were from company insiders. Workers just couldn't be trusted.
The question is: "Has the situation evolved?" While there are more restrictions, guidelines and penalties for inappropriate use of company assets and handling of confidential materials, has employee behavior changed? And therefore, do we still need surveillance software for our employees? The answers are no and yes, respectively. Behavior hasn't changed and yes we still need monitoring software.
Recent surveys indicate a majority of employers monitor their employees. They are motivated by concern over litigation and the increasing role that electronic evidence plays in lawsuits and government agency investigations.
Internet monitoring software has now evolved into larger security and surveillance suites. You can monitor and trace employees' use of e-mail, the Internet, computer files, keystrokes, chats in all popular instant messengers, logins and logouts, as well as "shadow copy," which allows network administrators to create copies of files that workers transfer to USB devices.
Solutions include the following:
- Record logging: record everything from keystrokes, websites visited, FTP downloads, P2P downloads, and even screen captures of what is on a user's computer
- Email logging: emails sent and received as well as attachments and Instant Messenger discussions can be monitored and recorded
- Internet filters: block ports on your network servers normally accessed by certain Internet protocols, as well as specific websites, bulletin boards, P2P downloads, foreign languages, and content using keyword filters
- Anti-spyware/anti-virus: block downloads which are identified as potentially harmful as well as viruses, worms, malware, spam, drive-by downloads and phishing attacks
While most transgressions in the workplace are committed by a few, the impact on the organization of a single breach of trust could be great. Therefore we continue to monitor, safeguarding the halls of our institutions.