Ok — so I’ve been feeling “guilty” about not blogging for some time… How sick and egotistic is that? But anyway, an ultra-hectic professional and home life has kept me busier than the proverbial “one-legged man in a butt-kickin’ contest” for the past few months.
Over those months, I’ve had several things that I *wanted* to blog about, but I just never made the time. One of the reasons is that, for the most part, there has been little to be truly excited about in the industry as a whole. “Nothing new under the sun,” and all of that… At least that’s what it seemed like to me. But now things are starting to settle down, and I’m having/making time again to get plugged back in.
So today I was reading Martin’s show notes and came across the SalesForce.com data breach story. And, behold, I felt the urge to write again. As I’ve been reading the news over the past few months, I have been thinking to myself that we have a problem… Breach notifications are being reported so often now that they seem to be creating a constant “white noise” drone. Sure, there are the standouts like TJX, but really, most are just more of the same, to the extent that I fear the public will end up numb to the notifications and ambivalent to the poor practices that cause them. Each new notification is just another drop in the ever-deepening ocean of lost records.
But the SalesForce.com story is different due to the “spear-phishing” aspect, and it highlights multiple security problems. Two in particular are of note: 1) users are still susceptible to phishing. Yeah, I realize that this was a highly targeted “spear-phish,” but the “don’t click the link” (or at least verify the link) adage should still hold; and 2) data breaches, even those which do not contain what we would consider PII, are dangerous. Here, the stolen data is reportedly being used to craft additional phishing emails (some intended to drop malware such as keystroke loggers), bogus invoices, and so on. In other words, the SalesForce.com breach wholly revolves around social engineering.
I think it is notable that these issues revolve around end users and, outside of any emails intended to drop malware, cannot be addressed solely through technical means. So, we again come back to end-user training and awareness. It is imperative that we, as an industry, get a handle on how to better address this in our organizations. It’s clear that what most companies are doing is just plain broken.
Here are my thoughts:
Engage employees in ways that are relevant to their life as a whole. Address the “What’s in it for me?” question.
Explain the “WHY” behind seemingly obscure security policies or procedures. As the SalesForce.com incident makes clear, we can’t simply expect technology or process to address all potential security issues. Instead, we need our front-line defenses to act as living firewalls: thinking on their feet and able to apply an informed mindset across multiple situations.
Let employees know that it is part of their job, just as much as any other duty they perform. (Yeah, I realize that mentality must be driven from the top down.) Make it part of the performance evaluation, so that they are aware that they will professionally advance or stagnate based on how seriously they take their duty to protect information.
Make it fun. Find ways to reward the folks who are doing it right. Let that encourage others to improve.
Posted in Security, Privacy, Awareness, Identity Theft, Phishing | 1 Comment »
Believe it or not, the field of Information Security has changed! Foundational concepts such as the traditional C-I-A triad (Confidentiality, Integrity, and Availability) are being challenged and supplanted by a more inclusive model known as the Parkerian Hexad [1]. The Parkerian Hexad augments the traditional C-I-A triad with three additional elements, yielding a set of six security principles.
The six principles of the Parkerian Hexad are:
- Confidentiality
- Integrity
- Availability
- Possession
- Authenticity
- Utility
The principles composing the Parkerian Hexad are non-overlapping: each principle is absolutely necessary to ensure that security is maintained, and each may be violated independently of the others. However, the principles can be relationally linked to each of the three components of the traditional C-I-A model (see Figure 2) [2].

Below are definitions [3] for each principle along with a brief scenario of how that element may be breached independently of the other elements.
- Confidentiality: Limited observation and disclosure of knowledge. An example of an incident where confidentiality is compromised would be the early unauthorized release (leak) of information related to our latest marketing strategies, thereby allowing our competitors to prepare counter-strategies.
- Integrity: Completeness, wholeness, and readability of information and quality of being unchanged from a previous state. A simple example of a loss of integrity would be an employee modifying the body text of an email so as to create a false record of events (i.e., to show that Jane Doe said something that she did not really say).
- Availability: Usability of information for a purpose. The explicit aim of a Denial-of-Service (DoS) attack is to compromise the availability of systems/data.
- Possession: Holding, controlling, and having the ability to use information. Possession is the ability to truly own and control information and how it is used. We normally think of a loss of possession as unauthorized or unintentional copying of information. If, for example, an employee emails company information to a non-corporate email account, we no longer have sole possession. In extreme cases, a loss of possession could result in total loss of the information (e.g., loss/theft of backup tapes for which there is no other copy of the data). Notable examples of a loss of possession usually include the loss of laptop computers or PDAs containing customer or employee data (e.g., SSNs, credit card numbers, personal health information, etc.).
- Authenticity: Validity, conformance, and genuineness of information. The quality of authenticity is readily understood. As the above definition suggests, it is the quality of being “the real deal.” When something does not possess authenticity, it is said to be fraudulent. Examples of a lack of authenticity include the reproduction of employee ID badges, calling into a help desk and posing as another individual, and modifying records.
- Utility: Usefulness of information for a purpose. Utility simply means that we can use the data, system, or device in the manner for which it exists. For example, if a database, table, or other information is somehow altered in such a way as to remain accurate but unusable for its intended purpose, it has lost utility. A common example is the use of encryption to “kidnap” data for ransom, accomplished by encrypting the data without the owner’s consent. In this and similar cases, the victim retains possession of the data, and the data, technically, has integrity, yet it has lost its utility.
There is one exception to the general statement that these principles do not overlap: a breach of confidentiality will always result in a loss of sole possession. Once confidentiality is compromised, the organization no longer has sole possession of the data because it is also known to another party.
Understanding and communicating this new model for Information Security will likely result in greater depth and clarity within security related conversations.
______________________________
1. The “Parkerian Hexad” model was introduced by Donn B. Parker in his book Fighting Computer Crime (http://www.amazon.com/gp/product/0471163783/104-3218063-3795135).
2. Donn B. Parker suggests this mapping in his chapter, “Toward a New Framework for Information Security,” in The Computer Security Handbook, 4th ed., John Wiley & Sons, 2002 (p. 5.8).
3. The definition statements for each element of the “Parkerian Hexad” are taken from The Computer Security Handbook, 4th ed., John Wiley & Sons, 2002 (pp. 5.9–5.10).
note: this post is an excerpt from one of the author’s essays for Norwich University’s MSIA program.
Posted in General, Security, Management, MSIA, Risk | 4 Comments »
There is a lot of talk about both surveillance and psychology these days. The following photo and quote are taken from Boing Boing.
The quote below is from a recent New York Times Magazine article describing a psychology experiment conducted at Newcastle University, in which the researchers taped alternating posters above an “on your honor” coffee station.
For 10 weeks this spring, they alternately taped two posters over the coffee station. During one week, it was a picture of flowers; during the other, it was a pair of staring eyes. Then they sat back to watch what would happen.
A remarkable pattern emerged. During the weeks when the eyes poster stared down at the coffee station, coffee and tea drinkers contributed 2.76 times as much money as in the weeks when flowers graced the wall.
The photo is especially interesting because it uses both positive and negative forms of social psychology simultaneously: it is intended to reassure and provide a sense of safety to law-abiding citizens, and it is intended to discourage miscreants.
Posted in Privacy, Psychology, Surveillance | No Comments »
This was a crazy week. Here’s a quick rundown:
Wal-Mart eavesdropping situation
On Tuesday, I submitted a feature to Computerworld offering my speculation on the recent Wal-Mart eavesdropping situation. For those following the situation, I refer you to four significant articles:
As I stated in my Computerworld article:
The world is in a security and privacy renaissance. Ethical questions related to government and employer surveillance are being raised and reraised. Security and privacy advocates exist on both sides of the debate — such is our post-9/11 society. My prediction is that the Wal-Mart eavesdropping story will be in 2007 what the HP ‘pretexting’ story was in 2006. The ensuing investigation will likely play out on a grand stage involving governmental agencies, privacy rights advocates, and legislative action.
Over the next several weeks, I’ll be providing my views on what this means for the security community. This is bigger than Wal-Mart — the security industry will be put in the position of having to explain the nature of and need for penetration testing, forensic investigation, and surveillance.
CSO Online
I now also have a blog at CSOonline. My new blog, Security Smack-down will primarily focus on delivering unfiltered opinion related to the security industry and trends. Security Renaissance and Computerworld will remain forums primarily aimed at education and awareness.
Security Catalyst Community
Lastly, I’d like to thank Michael Santarcangelo (the Security Catalyst) and others for welcoming me into the Trusted Catalyst Community. This is a group of passionate, security-minded individuals who are out to take the industry by storm. They all truly want to help folks understand and improve the security posture of their companies, communities, and households, realizing that the first layer needed in a defense-in-depth strategy is people.
If you are a security professional, or are interested in learning more about security, I encourage you to get involved in some of the Catalyst Community discussions.
Posted in Security, Privacy, Management, Awareness, Computerworld, Security Catalyst | 1 Comment »
Alexander Gostev at Kaspersky Labs has been doing a great job summarizing the evolution of mobile malware. His latest installment is a wrap-up for 2006. If you are into tracking trends in the mobile malware space, this is a must read.
Posted in Mobile Malware | No Comments »