Tuesday, November 18, 2008

Ten not-so-good practices for avoiding data loss during layoffs

Richard Stiennon blogged about 'best' practices for data protection during these difficult economic times. I can see where they come from and I can comprehend the business logic behind them, but I do have a problem with most of the suggested 'best' practices ... lemme explain.

1. Restate and re-publish your organization policy on confidential information. Require everyone in the company to sign it.

If you have a policy and it is not signed off on, you're a dork. Assume you have some disgruntled employees; after requiring everybody to sign off on the policy you will have a shitload of disgruntled employees. These people will know what you are up to. People are not stupid cows, you're just covering your bases. How are you gonna pick up the pieces when recovery starts? You're throwing all your HR management principles out of the window. Good luck.

4. Identify and restrict access to key data such as employee records, resumes, customer lists, and financial statements.

Well yeah ... if it's touch and go, this is a project worth spending your valuable money on. For one, it's gonna f* up your business processes if handled in haste, and you'll spend money that you could better use in places where it actually benefits the business at this moment.

5. Log, monitor and audit employee online actions

I'm not even going into privacy issues here. But logging and monitoring would assume you have a baseline to compare anomalies against. Again, starting 'now' because times are precarious is too late, and it's also wasting precious resources which (when laying off people) are only gonna get scarcer.

7. Use extra caution with system admins and privileged users.

If you have over-privileged users, and that's what you're talking about here, you haven't really been on par with your security efforts. Extra caution is not gonna help you much, and it is also not a very measurable security control.

All in all, I'm mostly appalled by the disrespect these 'best' practices show for the people that worked their ass off for you in the past years. Yes, the people that pulled all-nighters to meet deadlines, those people that in your (the average manager's) eyes represent costs (-$$).
If this is the time to justify security controls, you're one bad-ass CISO, CSO or whatever title you carry.

I'm not saying security controls (including those in the above-mentioned article) are not worth it, but NOW? I'm sorry, it's too little, too late.


Friday, November 14, 2008

Belgian wardriver not punished

When earlier this year a wardriver was arrested for using an unprotected network, everybody thought a precedent would be set. About 6 months later (yes, the Belgian justice system is fast like that), he was convicted but he does not have to serve time (about 1 year).

How did he get caught? A passer-by found it suspicious that someone was using his laptop from a car and called the cops.

The whole case leaves me with some questions:

How did the cops make sure he wasn't using a 3G card for internet connectivity?

How did they confiscate and forensically investigate his laptop to prove that he had been using that specific network? Did they actually do that?

How did they forensically investigate the router/WAP to prove that he had been connected to that specific network? Did they actually do that?

If not, I don't think they can have a legal case. If the case wasn't built on forensic evidence but just on testimony by 'the neighbour', the network owner (residential network) and/or the wardriver, I do get a little concerned.

Unfortunately I don't have access to legal cases ... I would love to go through those details ...

Monday, November 10, 2008

Selling Vodka or selling security solutions ... an analogy.

As I was waiting in line at the night shop I was pondering, and it hit me hard. In front of me was a man, drunk as a skunk, completely wasted. He needed 10 minutes to collect his change from the counter after buying a bottle of Vodka. This was one of those moments ... Why did this shop clerk sell 75cl of Vodka to a person that was clearly completely unaware of himself? I know there are laws here in Belgium that should prevent this from happening, but Belgian law is a little like a corporate security policy: there's a vast amount of paper covering Belgian law, but there's not a lot of it that's actually enforced.

The analogy is clear. As a reseller or an integrator, we try to deliver quality service to our customer. That's our added value, it's basically who we are, what makes us different from the shop next door. Or does it ?

I feel, more often than not, that the quality that sets us apart is sacrificed for the sale. While we realize that a certain product (within our portfolio) is not as good a match as another product we don't master, and that it may fit the requirements today but maybe not 1.5 years from now, it will get sold. And the customer will have to live with the consequences. This doesn't hurt the relationship, because the project definition doesn't mention those future requirements, and 1.5 years from now ... Mr X will probably not think about that past project, so everything is a-ok.

To me it isn't. While we tout that "IT should align with the bizniz" and "We, as integrator Y, think of YOUR business first", we don't very often put our money where our mouth is. The sale counts, it adds to today's bottom line of OUR business; the fact that the customer will have to overhaul that specific part of his infrastructure/solution in 24 months or so, buying new gadgets, training his people, aligning the new stuff once again with his business (or worse, aligning his business with his new stuff) ... might be the least of our worries.

Are ethics important to you while doing business? Especially security business? What are your thoughts?

My thoughts: ethics in doing security business is #1; making money is one thing, making money and jeopardizing businesses is something completely different.

Friday, November 7, 2008

countering spam with a vengeance.

You know them, heartwarming stories that try to tear you up about kids, sick people, adoptions gone awry ... whatever. It never seems to stop, until I received this one.

In 1986, Peter Davies was on holiday in Kenya after graduating from Northwestern University.

On a hike through the bush, he came across a young bull elephant standing with one leg raised in the air. The elephant seemed distressed, so Peter approached it very carefully.

He got down on one knee, inspected the elephant's foot, and found a large piece of wood deeply embedded in it. As carefully and as gently as he could, Peter worked the wood out with his knife, after which the elephant gingerly put down its foot. The elephant turned to face the man, and with a rather curious look on its face, stared at him for several tense moments. Peter stood frozen, thinking of nothing else but being trampled. Eventually the elephant trumpeted loudly, turned, and walked away. Peter never forgot that elephant or the events of that day.

Twenty years later, Peter was walking through the Chicago Zoo with his teenaged son. As they approached the elephant enclosure, one of the creatures turned and walked over to near where Peter and his son Cameron were standing. The large bull elephant stared at Peter, lifted its front foot off the ground, then put it down. The elephant did that several times then trumpeted loudly, all the while staring at the man.

Remembering the encounter in 1986, Peter could not help wondering if this was the same elephant. Peter summoned up his courage, climbed over the railing, and made his way into the enclosure. He walked right up to the elephant and stared back in wonder. The elephant trumpeted again, wrapped its trunk around one of Peter's legs and slammed him against the railing, killing him instantly.

Probably wasn't the same fucking elephant. This is for everyone who sends me those heart-warming bullshit stories.

Wednesday, November 5, 2008

can we escape from password hell?

You know the drill: every so often (30 days? 45 days? 3 months?) you are required to change your password in each and every business application. Sometimes you're lucky and some applications share a common directory, good for you, but most often this is not the case. If this drill is accompanied by a requirement for complex Pa$$w0rd5, sticky notes are your saviour whether your CISO likes it or not. And we're back to square one, welcome to password hell.

In comes the holy grail: (enterprise) SSO. Finally there's an application that takes over the management of all your passwords, leaving you with one (preferably complex) password to log on to your computer and no headaches afterwards. But is this really true? What are the caveats? What should you look for in an eSSO solution and what are the problems you might face during rollout?

What is eSSO?
Enterprise Single Sign-On solutions allow you to reduce the number of times your users have to provide a username and password to an application (any application?). Most of the solutions work through technology that 'recognizes' logon screens, each of which is matched to a specific userid+password combination in a password safe.

Who are the competitors? (I only list the top 4 in the Gartner magic quadrant.)
  1. Imprivata
  2. Citrix
  3. Passlogix
  4. Evidian
* disclaimer: I do not comment on the specific vendors' solutions. It is up to the reader to select the solution that best fits his/her needs.

What does it offer?
a) Your users don't have to worry about changing several passwords anymore. They keep one single password that allows them access to their workstation, then the eSSO software takes over. Simple, easy peasy (or maybe not).
b) Obviously this will reduce the time your helpdesk people spend on password resets; how much greatly depends on your organisation. Quantifying this cost is often difficult.

And now?
We don't really care about users, do we? Why would we want a solution that makes their life easier? Well, there are a number of reasons.

A. You might be driven by compliance regulations. While your applications might not support detailed user access logging, your eSSO solution can do that for you, uniformly over all your applications.
B. Your users' drawers (desks!!) look like craigslist.com for passwords. Passwords are traded, especially during holiday seasons, when specific responsibilities are informally delegated. Some solutions allow formal delegation among users without disclosing the password. This is a powerful tool and worth considering.
C. You have decided to implement an Identity and/or Access Management solution. While eSSO certainly isn't IAM, it may prove an important part of the puzzle. A properly deployed eSSO solution will get you buy-in from the work floor and allow you to embark on the long and hard journey that your IAM roll-out will be.
D. You actually care about your users, productivity and the protection of your information resources.

Ok, so tell me now, where is the bad stuff you refuse to tell me?

Different vendors, different solutions. Almost all of them will offer you a replacement for the Microsoft GINA (msgina.dll), which means they come and mess with the basic login process of your Windows environment. Call it a corporate-wide Man in the Middle attack if you will, it is what it is. Take a good look at this GINA during the PoC, because some might not have all functionality implemented (I've seen GINA replacements that didn't include a password expiration/rotation function!!!). Additionally, take a careful look at what your needs are. If you take this project on, define your goals and don't submit to scope creep (your worst enemy); nifty features might be tempting, but featurism can get you (and your project) killed. It's better to work in short cycles, adding functionality in every cycle, than to end up in a high-speed vortex that leaves you and your users with a broken solution.

Appliances, appliances, they look shiny and tempting. Yet that box represents a single point of failure. Yes, you can have 2 boxes and make them redundant, but how redundant depends on the solution: do they support Active/Active failover? Some of the solutions work with middleware installed on a server while all properties are stored in the LDAP directory of your choice. Cool, your corporate directory is already redundant and there's no black box to be worried about. Transparency FTW!!! Consider it.

Make an application inventory and start off with a PoC for your most critical applications. Most vendors will claim to support any application. They don't.
Java applications are the most work-intensive. There's some very special magic to be performed to make them work with SSO. Sometimes simply installing the SSO client can already break all your Java-based apps (don't get me started on Oracle Forms, Oracle Frommels for the Dutch speaking).

To conclude this installment, there's the possibility of adding 2-factor authentication (2FA) to the solution. Yes, I'm talking about the "something you have/know/are" combination, but not in the RSA, Vasco, (add OTP vendor here) sense of the word. Most of the companies I know use RFID badges for access control; it is fairly easy to also use them in any eSSO solution so users need their card and their password (or a pincode) to log on. I know RFID is broken beyond repair, I know it has been haXored, don't worry ... I'm aware.
Make sure you only use the badges for identification and let the authentication of the user depend on either the "something you know" (password/pin) or "something you are" (biometry) factor.
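The identification-versus-authentication split above is easy to get wrong in a workstation logon hook, so here is an added example (my own illustration, not code from the original post or from any of the eSSO vendors listed). It assumes a hypothetical badge-to-account lookup table standing in for the corporate directory, a constructed badge UID and PIN, and a PBKDF2 PIN hash; the weak variant lets the badge alone open the session, the hardened variant uses the badge only to pick the account and requires the PIN, with a lockout after repeated failures so a cloned badge is no more than a username.

```python
"""Badge + PIN logon check: the badge identifies, the PIN authenticates.

Added example, not part of the original post and not any vendor's code.
The Directory class is a constructed stand-in for the corporate LDAP /
password safe; the badge UID and PIN below are made up.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # assumption: tune to your hardware
MAX_FAILED = 3            # assumption: lock the account after 3 bad PINs


@dataclass
class Account:
    username: str
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated PIN hash so the safe never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Directory:
    """Constructed stand-in for the directory that maps badge UID -> account."""

    def __init__(self):
        self.by_badge = {}

    def enrol(self, badge_uid: str, username: str, pin: str) -> None:
        salt = os.urandom(16)
        self.by_badge[badge_uid] = Account(username, salt, hash_pin(pin, salt))


def login_badge_only(directory: Directory, badge_uid: str):
    """Weak design: presenting a known badge is enough to open the session.

    Anything that reproduces the badge UID becomes a valid logon, which is
    exactly why the post says not to rely on RFID as the authenticator.
    """
    acct = directory.by_badge.get(badge_uid)
    return acct.username if acct else None


def login_badge_and_pin(directory: Directory, badge_uid: str, pin: str):
    """Badge = identification (which account), PIN = authentication.

    Returns the username on success, None on any failure. The failure paths
    are deliberately indistinguishable to the caller: unknown badge, wrong
    PIN and locked account all yield None.
    """
    acct = directory.by_badge.get(badge_uid)
    if acct is None:
        return None
    if acct.failed_attempts >= MAX_FAILED:
        return None  # locked: the badge alone can no longer even select the account
    candidate = hash_pin(pin, acct.pin_salt)
    if hmac.compare_digest(candidate, acct.pin_hash):  # constant-time compare
        acct.failed_attempts = 0
        return acct.username
    acct.failed_attempts += 1
    return None


if __name__ == "__main__":
    d = Directory()
    d.enrol("04A1B2C3", "jdoe", "4711")   # constructed badge UID and PIN
    print("badge only      :", login_badge_only(d, "04A1B2C3"))
    print("badge, wrong PIN:", login_badge_and_pin(d, "04A1B2C3", "0000"))
    print("badge, right PIN:", login_badge_and_pin(d, "04A1B2C3", "4711"))
```

The point to check during a PoC is which of these two shapes the vendor's GINA replacement actually implements once the card is tapped: if the session opens before the PIN or password prompt, the badge is being used as the authenticator, whatever the datasheet says about two factors.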

I will elaborate on the possibilities of 2FA in eSSO solutions later this week, talking about smart cards, active and passive RFID, eID and PKI. For now, I hope you enjoyed the read. Stay safe!

Sunday, November 2, 2008

The French crack down on illegal downloads

On Friday, the EUObserver ran an interesting article on a new French law (http://euobserver.com/9/27026) that will introduce a cut-off from internet access for people that are caught 3 times illegally downloading copyrighted content.

To me, it's mind-boggling how the recording industry lobby has been able to push the French into accepting such a law. There was an amendment requesting to replace the cut-off by a fine, but that was not accepted because "The principle of a financial penalty changes the philosophy [of the bill], from instructive to repressive". And that in times where e-government is becoming more and more of a reality. Would we really allow a citizen or a family to be cut off from the intertubez for a year (yes, 365 jours!!)? Is making them pay XXX euros less repressive?

That's what you get when your prez marries a recording artist (* I'll leave the interpretation of the word artist to the reader's discretion).