Monday, December 1, 2008

The "A"

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvos and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, let's consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up there is no SLI or SLC, but there will always be an SLA, with very specific terms, measurements and penalties.

If the firewall crashes and has to be rebuilt, what will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such, and anything that can cause network downtime (or if the network is up and services such as mail are down - same difference) is taken care of: spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that is where the money is easiest to steal.

The problem is that we were lucky, in a way, that our old tools worked against the threats that we had - firewalls, antivirus, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they putting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A", but it's the ones that are pushing information out of your organisation that are sneaky enough not to have signatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is: the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment. New generation viruses are targeted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over, including in and out of the firewall. Firewalls also usually rely on port security, but most everything runs on port 80 anyhow, so the firewall should be configured, but it doesn't keep us safe - more work needs to be done for that.
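One way to produce the kind of figure mentioned in answer 3, as an added example that is not from the original post: it scans a constructed outbound mail gateway log and counts large messages from R&D senders to competitor domains per week. The log format, the competitor domain list, the R&D sender list and the size threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an outbound mail gateway log (hypothetical format, not
# any real product's): timestamp, sender, recipient, message size in bytes.
SAMPLE_LOG = """\
2008-11-24T09:12:41 from=jane.doe@example.com to=bob@example-rival.com size=4120
2008-11-24T14:03:10 from=rd.lead@example.com to=partner@example-rival.com size=9388120
2008-11-25T10:44:55 from=rd.lead@example.com to=cto@example-rival.com size=6201344
2008-11-26T08:15:02 from=sales@example.com to=buyer@customer.example size=250000
2008-11-27T16:30:19 from=eng2@example.com to=hr@Example-Rival.com size=12000000
2008-11-27T17:01:07 from=eng2@example.com to=friend@webmail.example size=5500000
"""

# Assumed inputs the security team maintains from business knowledge
# (which domains are competitors, who sits in R&D, what counts as "large").
COMPETITOR_DOMAINS = {"example-rival.com"}
RD_SENDERS = {"rd.lead@example.com", "eng2@example.com"}
LARGE_BYTES = 5 * 1024 * 1024  # 5 MiB

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) size=(?P<size>\d+)$")

def parse_log(text):
    """Parse gateway log lines into dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                       "from": m["frm"].lower(), "to": m["to"].lower(),
                       "size": int(m["size"])})
    return events

def flag_competitor_leaks(events, competitors, rd_senders, large_bytes):
    """Keep messages that are large, sent by R&D and addressed to a competitor domain."""
    flagged = []
    for e in events:
        domain = e["to"].rsplit("@", 1)[-1]
        if e["from"] in rd_senders and domain in competitors and e["size"] >= large_bytes:
            flagged.append(e)
    return flagged

def weekly_summary(flagged):
    """Count flagged messages per ISO (year, week): the figure to report upwards."""
    counts = defaultdict(int)
    for e in flagged:
        year, week, _ = e["ts"].isocalendar()
        counts[(year, week)] += 1
    return dict(counts)
```

Recipient addresses are lower-cased before the domain check so a mixed-case competitor domain is not missed.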

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.

Friday, November 21, 2008

I was right!

Allen does the dance-of-I-was-right...

*ahem*

In my blog in July, I predicted that we would be seeing a perfect storm as cyber criminals start to see diminishing returns on PII (credit card info, mothers' maiden names and the kind of things they have been going after up until now) and thus start looking at the business information that they have been ignoring.

According to USA Today, internet thieves are making big money stealing corporate info.

"Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division."
As I said in my original article, the only problem with this is the establishment of a market. The cyber-criminals have established a very viable underground trading system, but they now need businesses to want to dip their toes in something that is highly illegal. It seems this is happening.

The scary thing is how much information is actually being pulled out of the organisation. The criminals are literally dumping everyone's My Documents directory with no real aim to a storage facility outside of the organisation and yet the companies are not aware of this.

My advice? Take measures now while the enemy are just getting established. How you manage to protect your employees' and customers' PII will determine how well you survive the next part of the battle - your company secrets.

Also, don't be tempted to get information on your competitors from shady people. They may just be doing the same thing to you.

PS1: (PII = personally identifiable information - anything that can be linked to a person and is usually stuff you don't want the public to know like your credit card details, address, salary, health, etc)

PS2: Thank you to TaoSecurity for the story. Read

Friday, November 14, 2008

Talking Engagement

So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.

My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

This may sound counterproductive, but in these tough times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.

If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.

Information Classification is key. As is awareness.

My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.

I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

I'm not really one to toot my own horn, but I wrote this blog entry to thank a number of people who made my speech possible.

Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.

When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.

Friday, October 31, 2008

Happy (Belated) First Birthday!

.... to my ADSL application.

Last year in October a salesperson at Telkom phoned to let me know that my phone exchange supports ADSL and do I want to upgrade my line to have ADSL?

I did the maths and worked out that it would be cheaper for me to have ADSL, with the benefit of always-on access to the Internet.

So, I applied and a few days later my application was processed and I had an application number. It all got to the point where I had the modem connected and ready when a technical person at the exchange noticed that "no, the exchange is potentially ready for ADSL but was not, in fact, ready."

"But, good news, there is a project to upgrade the exchange to be ADSL capable. It should be done by latest end of December 2007."

That became end of January, end of February, end of April... then it jumped to end of June.

Now it is scheduled to be completed by the end of April 2009.

The way things are looking - I'll probably be celebrating the second birthday of my ADSL application this time next year... many happy returns.

Friday, October 10, 2008

Symantec's vision...

And so it begins...

Symantec bought out MessageLabs and is (in their own words) "combining MessageLabs’ deep expertise in the SaaS market with Symantec’s rich portfolio of technologies".

The interesting thing is that Symantec does not really lead in the anti-virus market (in terms of quality, not market share. All antivirus products are about the same) or antispam (MessageLabs is excellent here).

So, what could they possibly bring to the party that MessageLabs doesn't already have?

DLP.

MessageLabs has DLP but it is very simple and not really worth very much. The framework is certainly there though. Add some good DLP and voila - you have a product that is worth something.

Wednesday, September 3, 2008

Google's New Browser

So, Google have released a new browser called Chrome...

What does that mean from an Information Security perspective?

Not very much and a lot, depending if you are looking at the short term or long term.

So, let's get into the short term - there is a new browser. It will have bugs and vulnerabilities. These will be exploited.

Most of the browser is based on WebKit, which is sorta what KDE uses and sorta what Safari uses and sorta what a number of cell phones use. It is becoming browser number 4 after IE, Mozilla/Firefox and Opera. This means that hackers (online criminals) will start to notice the browser (if they haven't already). Assuming that the open source promise (many eyes make fewer bugs) holds true and that Google will be quick with patches, then this is merely part of the daily application vulnerability race. And if Google is quick with patches then this browser should not be any more unsafe than the others.

There are a few extra security features in this browser - that is always a good thing. For more information read here. Of course the feature that is most interesting - "each-tab-running-separately" has been compromised.

So short term - move along, nothing to see here. Let's move on to the long term...

What is most important in my mind for the long term is the "why" of this browser - why would Google want to jump into a market where they can't be the biggest or the best or even a very effective niche player? Especially since they have a good relationship with Firefox and their product is almost entirely webkit? And their browser is essentially all open source so all the good bits will be analysed and added to Firefox anyhow or improved upon and added to Firefox.

The answer is simple - Google want their browser to fail.

Huh?

Well, that may be a bit unfair, but they really don't care either way.

Google is the search engine leader. They are also slowly becoming the Internet. This blog is hosted by Google, its feed is hosted by Google. If I need to host video, pictures, sound etc then I would probably choose Google - they are really good at hosting and why bother looking elsewhere when I already have a Google account?

So, almost all of my public information is hosted by Google. What about my private information?

Well... no.

That is all stored safely on my laptop for five reasons -

  1. I don't trust Google.
  2. I don't trust the Internet.
  3. The tools for creating private documents are so much better than the online ones.
  4. I can get to my documents when I am offline.
  5. The Internet is too slow.

But a lot of my computer day is spent in Microsoft Office. That is a lot of advertising opportunity lost. And if Google can access my personal files then they will have a better idea of what adverts to send my way. Which in turn will make their advertisers happier and Google stock go up.

And all it would take is sorting out the above 5 points.

I was going to go into each one but this post is already getting quite long. Just note that the three features that are most important in Chrome are:

  • Security and stability
  • Offline application mode
  • Fast running and standards based application engine

In other words - helping make it easier to use Google's online applications. Most of the factors are going to be taken care of with Chrome and its kids.

What will happen is that Firefox will catch up with Chrome but Google won't care what you use to access their online applications - just as long as you access them. And that is their game plan.

What this leaves is the final question - all things being equal - is your information more at risk on Google's servers or on your laptop at home?

That is a good question, and one we should be looking at.

Thursday, July 17, 2008

The Perfect Storm

It's time to get your raincoats and lifeboats - the perfect storm is finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, that the community has been quite lazy and have just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that hold credit card information have been the ones most under attack; those that don't handle credit card information have largely been ignored by hackers, except for some members of staff who have been caught out, and then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while, but my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information?

Adrian Lane from Securosis thinks that the falling prices in the underground economy are humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.