<![CDATA[Data Protection, Management and Leakage]]> http://www.securityratty.com/feed/e2df9ecf21aa911d948d8de71199a681 Tue, 05 Aug 2008 17:05:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Scary criminal activity and data theft]]> http://www.securityratty.com/article/4cc20c103a4b1c2d1f74f87763ddbed5 http://www.securityratty.com/article/4cc20c103a4b1c2d1f74f87763ddbed5 attacks on corporate intellectual property - I tell you, this is serious stuff.
Any organization not taking this very seriously is doing a disservice to its stakeholders and shareholders.

The problem seems intractable - for every hole you think you have blocked two open up to allow these criminals to grab data. What does any organization do?

I think the answer lies in the data itself - one cannot go about protecting the periphery to protect the asset. One has to protect the asset itself - in this case the data. If the data itself is always encrypted, at rest as well as in motion (even when it is grabbed of the computer by malware), we might have a shot at preventing this.

Else we are putting our collective heads in the sand thinking that encrypting the laptop drive or USB device is enough...
]]> Wed, 12 Nov 2008 12:28:00 +0000 data larger data breaches grab data answer lies recent article collective heads intellectual property asset criminals Scary criminal activity and data theft <![CDATA[WPA encryption cracked..]]> http://www.securityratty.com/article/9e224d968a1e2e6e9dc272abb6cf17c3 http://www.securityratty.com/article/9e224d968a1e2e6e9dc272abb6cf17c3 here - apparently by the same guys who broke WEP (this is what hurt TJX). I guess the bar has been raised...
]]> Thu, 06 Nov 2008 18:09:00 +0000 wpa encryption wi-fi networks apparently bar tjx wep secure guys WPA encryption cracked.. <![CDATA[A horse's ass approach to virtualization security - Part 3 - Data is the "constant"]]> http://www.securityratty.com/article/af1e0093472ebbd2f739b12a4817fa7e http://www.securityratty.com/article/af1e0093472ebbd2f739b12a4817fa7e
See part one and two here...

Virtualization enables organizations to optimally manage their infrastructure resources. It can provide significant cost benefits (by sharing resources), flexibility (by just-in-time allocation of resources where they are needed), and agility (speed of provisioning resources). Therefore, organizations have been able to virtualize:
  • Devices/OS: Companies such as VMWare, Citrix, Microsoft, and Sun are providing hypervisor, virtual machine, and virtual device solutions where several virtual “devices,” “servers,” or “desktops” can mimic separate physical devices.
  • Networks: Virtualized networks enable dynamic collaboration by slicing bandwidth into virtual, isolated channels that can be assigned to a particular set of devices, real or virtual. Setting up new connections and collaborative environments becomes extremely easy.
  • Applications: Virtual applications can either be streamed down to execute on local desktops (Microsoft App-V or Altiris SVS) or executed remotely from server farms such as Citrix XenApp. This allows applications to be portable and accessible from anywhere while reducing inter-application conflicts.
However, organizations will never be able to virtualize the fourth element, I talked about in teh second blog post — the data itself. The focus of device, network, and application virtualization is about flexibility, resource sharing, and agility. This involves short life spans, since these elements are brought up to fulfill a specific short term task, and upon completion, they are brought down or even deleted. Data, however, has a lifetime beyond the short term and will therefore live on for further use or analysis in a non-virtual or subsequent virtual world.

This makes data the “constant” in a dynamically changing environment — even if the location of data itself is virtualized. Data will also have the longest lifetime of the four elements in the infrastructure and thus will have to live “outside” of the virtual environment. Therefore, from a security standpoint, it is imperative that data becomes the focus of protection - and we dont just continue protecting the infrastructure. Data is the critical asset, and since it travels across boundaries and lives longer than virtual elements, it can be easily compromised.
]]> Thu, 23 Oct 2008 16:51:00 +0000 devices virtual devices virtual virtual applications subsequent virtual world virtual environments non-virtual virtual machine data A horse's ass approach to virtualization security - Part 3 - Data is the "constant" <![CDATA[A horse's ass approach to virtualization security - The four horsemen]]> http://www.securityratty.com/article/8fa3354e9fe6c665bdd3e918f53590e1 http://www.securityratty.com/article/8fa3354e9fe6c665bdd3e918f53590e1 current approaches to virtualization security and how they might be failing to address current and future threats - let me explain further what I mean.

In this blog I want to talk about the four elements that make up every computing environment
(i.e. the four horsemen :)):
  • Devices: These are the hardware and operating system combinations that host or store the execution environment.
  • Applications: Applications execute on host environments (devices + OS) and transform data into information useful for the business.
  • Data: Digital representation of information that is acted upon by applications.
  • Networks: Enable collaboration and the sharing of information across multiple devices and/or applications.
All four are absolutely essential to complete any transaction in the modern business world. However, to gain competitive advantage, organizations are looking to optimize the usage of these four elements. Technology, flexibility, and agility are becoming increasingly important in a fast-changing business world and have therefore led to the rise of virtualization.

In my next post I will discuss how these elements are being changed in a virtual environment and what impact it has on security.
]]> Wed, 22 Oct 2008 09:31:00 +0000 business world modern business world virtualization virtualization security business security environment execution environment applications A horse's ass approach to virtualization security - The four horsemen <![CDATA[A horse's ass approach to virtualization security]]> http://www.securityratty.com/article/6d6310950dd47b0806138e4729f21f01 http://www.securityratty.com/article/6d6310950dd47b0806138e4729f21f01 horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor root kits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual “devices,” networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining “constant” element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigate the web using search better than the initial Yahoo approach of hierarchical mapping? Coz Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...
]]> Mon, 13 Oct 2008 21:52:00 +0000 virtualization security virtualization virtualization security solutions virtual virtual infrastructure approach on-demand virtual devices ephemeral virtual environment data A horse's ass approach to virtualization security <![CDATA[Getting fired due to a breach?]]> http://www.securityratty.com/article/f93f9f522b0797344d247e610cf77fb1 http://www.securityratty.com/article/f93f9f522b0797344d247e610cf77fb1
"7 out of every 10 breaches ends with someone losing their job"

I was shocked! 70% of all breaches result in the firing of someone involved in the breach? Or is it the failure to defend this breach resulting in the CISO losing her/his job?

I had never seen this research before and did not know this problem was so acute. Be very interested to know the source of this research. The seminar information is here.

Will post again when I find out more...
]]> Wed, 17 Sep 2008 08:53:00 +0000 breach seminar breaches breaches result herhis job job seminar information research source Getting fired due to a breach? <![CDATA[The importance of key management]]> http://www.securityratty.com/article/6ab0395cc513f2091d59236a66c10f7c http://www.securityratty.com/article/6ab0395cc513f2091d59236a66c10f7c Jerome Wendt.

I think there are two sides to the story here - while I agree that managing keys is important, I think this is something users SHOULD NOT be concerned about. This is something the vendors should be focused on solving and not leave it to end users to stumble over.

Key management is hard and it makes sense to solve it at the product level rather than leaving it to implementation variances.
]]> Fri, 22 Aug 2008 08:56:00 +0000 key management implementation variances users product level keys equal importance data protection jerome wendt stumble The importance of key management <![CDATA[And the attacks keep coming...]]> http://www.securityratty.com/article/dc3336423e75b4771497f1797bc8bfe3 http://www.securityratty.com/article/dc3336423e75b4771497f1797bc8bfe3 increased activity. Millions of cards stolen and more loss...

Brings us back to a hard question we have to ask ourselves - are we ready to tackle this seriously? Vendors, retailers, banks, government and consumers all have a huge stake in this (and don't forget, so does organized crime). However, it seems like organized crime is living up to its name - they seem a bit more organized about this. Not having looked at the numbers, but is feels like we are being pushed back and they currently have the upper hand...

Not a very PC thing to say, I know. However, we have to wake up to the reality and get more serious about this.
]]> Thu, 21 Aug 2008 16:29:00 +0000 hard question recent indictment crime frequency breaches huge stake upper hand retailers pat bit And the attacks keep coming... <![CDATA[Twelve billion dollars!]]> http://www.securityratty.com/article/a29d689a1e0dae9d7152dedb093cf36b http://www.securityratty.com/article/a29d689a1e0dae9d7152dedb093cf36b potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine, is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.
]]> Wed, 13 Aug 2008 10:37:00 +0000 million million cards security company jefferson card lost card street price simple multiplication illegal stuff evil sound Twelve billion dollars! <![CDATA[Smackdown on data criminals]]> http://www.securityratty.com/article/2fb6d43eeb3824a910e01d61357c7f4a http://www.securityratty.com/article/2fb6d43eeb3824a910e01d61357c7f4a major indictment of criminals who were charged with hacking and stealing credit cards from major retailers.

Eleven folks were charged with the crimes ranging from conspiracy, computer intrusion, fraud and identity theft.

Interesting nuggets from the report:
  • They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
  • Apparently this is the single largest and most complex identity theft case ever charged in this country
"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

I agree with the US Attorney - we need better ways to prevent such hacking. But one point is clear again in this case - those who hack work for increasingly sophisticated criminal enterprises and will deploy significant resources to steal as long as the returns are worth it.
]]> Tue, 05 Aug 2008 17:05:00 +0000 identity theft major major indictment complex identity theft retailers major retailers attorney attorney michael deploy significant resources Smackdown on data criminals