Monthly Archive

This is the archive of the blog! Feel free to browse around!

Weekend laugh - an odd one

This weekend laugh is a bit out of the ordinary. Not sure I like this Chris, but I must admit he has a humor I can relate to.

You have been warned - this weekend's laugh is a bit different from the usual stuff.

But I do believe that you will laugh as long as no one spots you! 

Security Profile: Jaanus Kase

A while back I came across my next Security Profile. He is from Estonia. He is not afraid of taking on even the Estonian Security Police head on. And he covers a lot of topics, including security.

Jaanus Kase is a fun read combined with great insights. He also lets you in on a different cultural background – different from those of us who grew up in the west.

A former Skype marketing guy, Jaanus is speaking freely on topics of his interest.

 

When it comes to explaining what information security is from his point of view, he is hard to stop.

 

Jaanus came into the information security area by working at a security product vendor (Cybernetica - www.cyber.ee). Later he moved on to a company focusing on ID-cards and digital signatures (Sertifitseerimiskeskus - www.sk.ee). His background is diverse, and adds to his wide definition of the topic.

 

 

On defining

 

K: Jaanus, how do you define Information Security (IS)?

 

JK: IS is actually a pretty simple thing. And yet it is very important, as we must all deal with it as individuals and employees, whether we want it or not. It used to be very simple in the Middle Ages -- you stayed at a village and had a limited circle of people to interact with. Whereas these days, information is increasingly digital, be it your bank data, your health records or confidential work data. And information can be moved globally at an instant. So it's important to be conscious about what and where you post or store.

Regarding the meaning of IS, the classic definition continues to work very well. IS is defined as a mixture of confidentiality, integrity and availability. Confidentiality means that secret information should remain secret and the information owner should define who can access it and who can't. Integrity means that information shouldn't be changed by unauthorized parties. And availability means that information should be available to those who need it at all times according to the access policy of the specific info.

 

Global impact

K: Do you have any examples of how this impacts business?


JK: This may sound like an academic discussion, but recent events of the world and Estonia have driven the message home to many people in the world. We were targeted by an organized cyberattack in April and May.

 

Discussion continues about how exactly it was organized and what is its long-term and political impact, but from a technical perspective, it was definitely an IS event. For example, bank systems were targeted, rendering card payments in retail stores suddenly unavailable for a short period during the business day.

 

I believe this event suddenly made a lot of people both in Estonia and elsewhere yet again realize that we live in a networked world where the threats are very different from what they used to be. It used to be so that you could see and touch the enemy and could physically attack and destroy him in a conflict, if we talk about war. Now conflicts are more virtual and asymmetric.

 

 

Age of information security

 

K: This sounds like war?

 

JK: This sounds a lot like the rationale about "war on terror" and it's indeed all kind of the same thing.

So IS these days has an all-encompassing global impact and yet is able to reach every individual in different ways. So if we say that we live in an information age, you could also call it the age of information security.

IS has the same impact as, for example, physical security. It is understandable for most businesses that they need to lock their doors and windows and maybe maintain on-site manned security and CCTV surveillance and such, and maintain proper policies and procedures.

 

It's a bit less obvious about IS policy and procedures, but from business perspective, it's exactly the same thing. In both physical and IS, there are many different measures you can take to protect your assets, and they have wildly different prices.

 

So it becomes a simple question about cost-benefit analysis to determine the appropriate thing to do. And it's not only limited to businesses -- the same kind of analysis applies to every individual when securing their homes and online records.

 

Psychology in attacks

 

K: What challenges do you see emerging?

 

JK: One challenge is that cybercrime definitely continues to be active, and continues to go towards "social engineering" type of things, and not only pure technical attacks. When the IT industry was younger, it was often effective to do online attacks on businesses and try to, e.g., steal credit card information by cracking the servers.

 

By now, the cyberdefenses have become pretty good and it is more effective for attackers to try to subvert their way in to end users' computers with the help of what's generally called "malware" (the differences between types of malware continue to blur).

 

This may be needed to get access to resources in that particular business, or it may be an operation to extend criminal botnets. And it becomes harder and harder to distinguish "good" and "bad" contacts in case of e.g. email -- the phishing mails have become really really good.

 

 

Converging technology

 

JK: Another challenge has to do with "convergence" and with technologies like VoIP. Not one particular VoIP product, just the concept in general. It used to be so that in a company, your IP network, phone network and CCTV networks were all separate and redundant. This meant that even if one went down, others remained up, and they didn't interfere with each other.

 

But these days, there is a trend to move everything to IP (wired or wireless). This makes a lot of sense as it makes, e.g., the physical setups simpler and provides great cost advantages, but it also means that a whole new class of risks and threats is introduced that businesses now need to understand and manage.

 

Thank you Jaanus for sharing your valuable insights with us! 

 

You can meet Jaanus at his blog: http://www.jaanuskase.com/

I believe you will enjoy it!

Do you have the BUZZ?

Dear anonymous (I would much rather prefer to say Dear John),

First - I post this as a blog post instead of a reply to your comment on my post about Jamparii.

Thank you for your input. As I know you are not only claiming to do what you say, but actually are trying to build your own tool for business networking, I would much rather that you had entered your own name, John.

However, what you are pointing at is true of all new ventures. It does take capital to build success. And there are several different paths to choose from. Jim has chosen one path, and John, you took another path.

My experience tells me that the path of money alone is not enough. To build a successful networking site, you need quality. You need content. You need active users. And you need a value proposition to your users.

LinkedIn, Xing and Facebook are three successful networking tools, but they are very different. Ecademy and Viadeo are others. MySpace and Orkut are there too. Just to name a few of your competitors. They offer value. Distinctive value. And they have success.

You need to present a clear value to me before I will even consider your new tool. No matter how you choose to finance your venture. Scam or not.

This is about risk as well. Do you have what it takes to break the bank? Did you consider all options? Have you done your homework, so you know how to position yourself?

What if you fail? What if it takes twice the time to break even? Or three times the time? What if you only secure half the funds you need? What if only one tenth of the required users actually sign up?


So the question to you two competitors - do you have the BUZZ?

Security Profile: Jaanus Kase

The next Security Profile is a guy from the Baltics. His background includes Skype, as well as the ID industry.

What I like about Jaanus is the stuff he covers on his blog - it is not only security - he covers a lot from politics, to humor to security. 

The profile will be posted tomorrow. Meanwhile, consider getting acquainted with Jaanus at his blog

My reader just died

I have been using a very nifty little RSS reader for the past 6 months. It is called Snarfer. It is free, does not fill my view with ads, and does not map all my behaviors - or at least so it seems.

As it is a software product, it is regularly updated. It is also a fairly new tool as I understand it, and the developers are still working on the main functionality. Some nice features I loved were (yes, past tense) keyword searching, blog searching and Internet searching. It gave me one place to monitor the world!

And I just loved it!

So when the tool told me it was due for an update, I went ahead. Downloaded version 0.9.x, and ran the updater.

And on my screen flashed a series of error messages.

Error

Something went wrong. No matter what I did, I could no longer use my favorite reader. And I am now out of control. I can no longer monitor my fellow bloggers. I am no longer able to constantly be alerted of topics of my interest.

I AM BLIND!

I will consider downgrading - if it is possible.

This is only a simple example of what can happen when you are patching and updating your systems. Yes, I use Snarfer a lot, but imagine if this had been your CRM tool. Or your billing system. What if your production facility can no longer use the CRC software?

Just try it for yourself. Try to calculate the cost if your main production tool is down for one day. What will be the results? What are the costs - direct and indirect? What are you willing to do in order to avoid such an outage?

No wonder patch management is critical.

Ps - please post your tips on a killer RSS-reader! But - no online tools, please, I need to bring my stuff with me when traveling!

----- UPDATE

Thanks to Snarfer for great support - my favorite RSS reader - including my web searches and search agents - is back up and working! Not bad for free software, if you ask me!

And thank you, my readers, for helping me consider other options. Stefan, using Firefox just rocks!

Undress yourself! Sloggi wants your passport number!

Sloggi, the company of great underwear, wants to undress your passport number, according to a Norwegian article.

Sloggi runs a world-wide campaign to boost their sales. As any sane multinational would do. They do it with a twist. And they use the Internet.

They want you to photograph your butt and upload it to their website. If your butt is found attracting enough, people may vote you to become a new model. What a bummer.

I guess they got the idea from the sites like Penest.no, where young girls sell pictures of their booty for points. 

In the article, Sloggi spokeswoman Sofie Lindahl-Jensen says they have very good controls for making sure users are over 18.

"They [users] have to register with an e-mail address and a cellphone".

I am positive that I do not have to tell my readers how easy that is to fake. Even the journalist writing the article knows how to do it.

Well, it's not over yet. After being confronted with sharp reactions from Datatilsynet (the Norwegian Data Protection Authority), and with a fake profile showing a stranger's behind, the same Sofie Lindahl-Jensen assures readers that new measures to control age are being implemented.

How?

"We will use passport numbers to compare with the national passport databases to check their age.." 

No, you will not. Sorry. As the police say:

"Unless they are paying off some rogue police officers, they will not get that access. That data is illegal to obtain."

Sloggi, we may question your methods. We may question your security. We may even question your motives. And we may believe you are stupid and incompetent.

YOU (Sloggi) should NEVER remove that doubt by admitting you have no clue whatsoever about security. If you are in doubt - say nothing. When the journalist has gone, call someone for help.

NEVER, EVER let us realize you are clueless. 

If you do something stupid, make sure your spokesperson either knows what to say, or knows when to shut up.

Bummer. Or was it Butthead?

Weekend Laugh - Layer 8

This Friday it is time to introduce you all to one of my favorite blogs out there. The warrior who runs this blog just calls himself shrdlu. In his own words: 

"I'm an IT security manager who has worked in various places around the world and in the US. If I told you more, well ... you know."

 

He has humor. And he is able to use his everyday experiences and turn them into the funniest stories.

His blog simply rocks

And since it is early Friday - you have all day, plus the weekend to laugh your way through his stories.  

Can you expect privacy in e-mails?

Kenneth Belva posted a plea on his blog the other day. 

Kenneth says:

"I always assumed that blogging is public and that any email correspondence between bloggers should be kept private"

I fully agree with Kenneth. But from my more than a decade of internet experience, I know first hand that ANY communication you share with anyone on the 'net might be published against your will. Even if you add the lawyer's confidentiality note.

The reason is that it is so easy. Cut'n'paste is a very common way to reuse information today. Add e-mail forwarding, replying with history, or accidentally sending to a third party. All these techniques are available to anyone - permission or not. Accidentally or on purpose.

Based on the above, we might conclude that Kenneth should know better. But I will not do that. I argue that Kenneth should be able to trust the other person(s) in the e-mail communication. Especially since the party in question is a fellow security blogger.

As (information security) bloggers are only people, I guess we just have to expect the type of behavior Kenneth describes:

"This is not normally my modus operandi because I usually assume that most respect email privacy. It’s a good thing I asked because the reply was that if I wanted confidentiality, I should have asked for it before the exchange!  "

Kenneth, I agree with you. We should assume e-mail communication to be kept private.

I do not think we can expect it. We can ask for it, and hope the other party is respecting our wishes. But we can never take it for granted. 

 

Contributing to Risks|Opportunities

I have been asked to contribute to Risks|Opportunities website as author. I am targeting one to two articles per month, covering information security, compliance and corporate governance.

My first article is here.

The Risks|Opportunities website targets managers, business people and the like, thus many of my readers will find it useful.  

Why do they never learn? (Skype outage IS security)

There has been a lot of buzz around the Skype outage lately. Skype is saying this is not a security problem, and the industry does not entirely agree.

IMO, this is a typical security event. Not IT security perhaps, although it might be that as well. It is about information security in the broad meaning. It is about service quality. About reputation. About business continuity. And most of all - it is about respect for the customers.

To me this is all very simple.

You set a goal (Skype: global leader of VoIP - or any other hairy goal).

You determine your strategy to get there (Skype: Free for all, add paid services, high quality, P2P).

You analyze potential risks that may get in your way (Skype: Competitors, lack of bandwidth, SERVICE outage - local/global).

Review the probability and potential costs of each risk (Outage: lose customers short and long term, lose credibility, lose revenue).

Set up countermeasures relevant and adequate to the risk and its impact (Outage: back up power, backup Super-nodes, different location and NICs).

Prepare a PR&info-plan for each possible (and unlikely) event (Skype: make sure you know what happened. Never blame anyone unless you can prove it. Prepare one story, stick to it).

Voila. There you have it. This is not rocket science. It only takes a little care, a little planning and a little sense. Add a vivid imagination and an open mind, and you will get a pretty good list. It most likely will never cover every aspect out there. But it sure will help you when disaster strikes - because you are prepared.

This list only uses Skype as an example. It is not conclusive, only covering a few possible areas, and speculating as to the relevant Skype issues.

If you turn the table to the users - they need to do the same homework. Some 30% of Skype users use it for work-related communication. How do they experience this type of outage?

This is all about security. Securing the continuity of the company. Securing the trust of your customers. Securing the future, revenue stream and profit.

After all, you are in it for the money - make sure you protect your assets!

 

---------------------Edit:

I just came by this post by David Whitelegg CISSP CCSP (what a name, huh? - Pun intended). It pretty much sums up how to treat security IMO. 

Weekend Laugh - Security Excuse Bingo

This weekend (while I am off fishing trout in the mountains - thanks Scheduling), you can amuse yourself with the Security Excuse Bingo game. 

Running out of excuses? Well, just bingo! 

Thanks to Bruce (again) for your sense of humor, and Matt Blaze for the bingo. 

Security Profile - Rob Newby

In the blog IT Security – the view from here, Rob Newby has proven his place among the great security bloggers out there. You may not always agree with Rob, but you soon realize he never puts forward a notion without making sure he knows what he is talking about.

Rob can make you tear your hair off your head, he can make you angry. (Rob does not realize it, though. Which is good IMO – he says what he has to say, regardless of the reaction. You just have to admire that).

He makes you nod in agreement, and roll on the floor with laughter. Myself, I particularly enjoy his analytical mind.

And as a true British bulldog, he is not afraid of attacking. Like when he hit the WSJ.

So Rob and I had a nice chat on MSN the other day. It was like English tea, but without the tea. And no scones either. He is a great resource for the security community, with deep knowledge, interest and most of all – his passion for making things right.

Rob told me he is a lover of crosswords. He still does the Daily Telegraph crossword everyday whilst living on the Costa Brava. I guess that is where he picks up all the fancy language then.

Add to that a degree in Physics – nuclear physics:

R: Any work in science is incredibly interesting, but can be quite limiting. I worked in a medical environment, where the budgets are small, the experiments expensive. So you learn to model experiments, use computers, often very old kit, and get the results you need by some method or other. I spent 6 months in a lab trying to detect gamma-ray photons with a reverse biased diode before discovering that NASA had done it and published the results in the IEEE magazine.

K: Sounds a bit frustrating, if you ask me.

His studies took him to IT.

R: I learnt a lot about problem solving, especially with technical equipment, troubleshooting, and how to automate boring tasks through programming. I realized I preferred the computing side to the pure physics after a while.

K: Guess what.

No.

He did get his degree. But that was it for Rob. He knew his interest was within IT. As he says:

R: It was no loss to physics I assure you.

K: He continues:

R: After University I got my first job in IT, on a helpdesk at an Investment Bank. We dealt with traders all day, "my printer doesn't work, FIX IT NOW!".

"Yes sir, is it plugged in?". Phone slams down. Etc.
I left after too much abuse from people with limited intellectual capacity.

K: He moved on quickly to different positions, finally ending up in Spain. His love is with encryption, but at present he is trying his hand with data integrity at a start up in Barcelona.

One thing I like with Rob is his true interest in the topic. Once he starts, well, need I say more?

R: Information Security as a concept is exactly what it says, the security of information. The future of security is in the data itself, but of course this means making sure authentication is strong and access controls work properly.

The data needs securing with proper confidentiality and integrity controls, and we need to be able to access it instantly, with complete visibility and easy management.

It's a tall order, but it's being solved already by the big names.

K: He explains:

R: IS as regards business is made up of 4 important facets:

i. Protection

ii. Policy

iii. Awareness

iv. Evolution

These factors loosely relate to how my generation has typically learnt about security. I think the most effective security practitioners tend to start as technical support/engineers, working mainly on technical issues based around protection on the network.

Without some form of protection, usually technical controls, a policy is only as effective as the strongest link, i.e. those who abide by the letter of the law.

The protection needs to be there for the weak links, those who deliberately or accidentally break the rules and need putting back in line.

Technical controls rarely solve policy issues, but without them, the policy is useless.

K: How does your blog fit into the picture?

R: I'm really encouraged by the number of other bloggers out there contributing to the awareness effort now, even if a lot of it isn't spot on (including my own), at least people are discussing it. That's the most important part of IS for me, discussion and evolution.

K: You seemed to be frustrated in not getting out to blog about BlackHat this year, what did you miss?

R: Events like the recent BlackHat and DefCon, although they are now being touted as "sell outs" because they are full of vendors, are important because information on attacks is being disseminated.

I was interested to see that much of the content at this year's shows was not new attacks, but new ways of using attacks to create problems. We aren't keeping up technically with the bad guys, even though there seem to be a million vendors trying to find a space.

We desperately need to evolve, but we're already trying to squeeze money from a market that is drying up because we're not moving fast enough.

K: So what impact does that have on business from an IS perspective?

R: Any discussion of IS impacts on business would not be complete without at least a mention of risk. To properly understand risk can take a lifetime, and I am by no means an expert.

One of my absolute favourites in the blogging community is Alex Hutton over at Risk Analysis, he's put me right on more than one occasion and he's not afraid to speak his mind. This is what security needs, rather than standing on soapboxes and shouting about what's right, quiet questioning and flexible beliefs.

The only problem with IS being based solely on risk is that the introduction of a new security product or process into a corporation is founded in finance. The balance of this is being slowly tipped by the introduction of regulations and laws which apply a higher level of risk for breaches.

This is driving security as a business at present, and therefore the evolution of security products, which I explained already as being crucial to the whole security process. Unless regulations are focused in the same areas as the attacks, security will not evolve evenly. The only way these regulations can address the attacks properly is by evolution, which can only take place with proper debate and awareness.

K: So do you think solutions and standards will evolve at the same rate? What are the market trends?

R: I think businesses will have a continuing battle trying to decide which vendors to invest in. Security is converging; the big vendors like CA and Symantec have their own proprietary systems, and now that Microsoft and Google are in on the act, there is added complexity, not to mention money being thrown at the issue.

I can foresee a lot more standards being introduced so that security systems can all talk to each other in a similar way.

SOA is taking us in that direction. I think we will see open source become more popular because of its use of SOA, and consultants in this area should do well.

As the larger companies take over this will probably be a route many existing security practitioners decide is more interesting.

As I implied previously, GRC (governance risk and compliance) will become big business, because it will be a big driver.

There are new regulations being introduced all the time, SOX and PCI DSS in the US, this year we will see MiFID in the UK and Europe. Again, I can see compliance consultants making big business here as a result.

Something that is interesting me a lot at present is The Long Tail and the security problems it poses. I’ve been discussing it for the last week with Mark Curphey and Jon Robinson (also of the SBN) and I’m still no clearer. Mark has something up his sleeve, but isn’t revealing it.

We will be using many more individualized processes out to many more customers, with customized products and therefore customized security on an individual level. This will come down to data security at the end of the day instead of trying to apply everything at the network level.

We need to see how users adapt to creating their own Web 2.0 before we can start to secure it however, and at the moment there are a lot of holes. This is somewhere where I think the large companies like MS and Google will make their security solutions, as it is difficult for the smaller companies to make a difference here now.

Thank you Rob!

Visit IT-security – the view from here

Hot chocolate, anyone?

--> Off-topic post warning <--

This summer has been wet. Pouring rain almost every day. I was hoping August would be better in terms of sunshine and less rain. I am still hoping, and it seems I had better wait another 10 months for summer.

I am very busy with business development these days, focusing on compliance, corporate governance and information security in Northern Europe. It is a thrill - but I must admit - right now, I'd rather crawl onto the sofa with a good William Gibson or Neil Postman novel.

The soft voices of Katie Melua and Shakira from the speakers.

Add to that a nice, big cup of homemade, hot chocolate. Made from dark chocolate bars, with fat milk and whipped cream on top.

A touch of chocolate powder on top for the color.

And Voila!

That is what I'd rather do today! Please tell me about your day and summer! Bring on a little sunshine!

 

Data integrity - should you care?

Data integrity is one of the building blocks of security. The others are availability and confidentiality.

Many of the people I meet are not security professionals. For them to understand the importance of integrity, I use examples. Until recently, that was the only way to get any interest in the topic. Now, thanks to regulations and corporate governance, integrity seems to get more attention also from the management side of things. But it still seems to be hard to grasp the importance of it.

I admit that the integrity of logs is important. IMO, it is mostly important to the technical side of things, and to the auditors. Unless of course you get caught red-handed one day; then the managers will find the integrity of the log to be important too.

 ---

The managers I meet usually have their focus on business. Creating revenue, maximizing profit, lowering the cost of operation. For them to see the value of integrity, you need to focus on their everyday life. Focus on their tasks, and relate integrity to that. What will it do to you if you can no longer make sense of the CRM system? How can you manage your team if you no longer trust the information at hand?

For exec managers it is easier to see the value of being compliant. But my experience shows that also at this level the true value is created by relating it to their everyday tasks. What happens if you can no longer trust the financial reports? What if the information at hand is wrong and manipulated, but you do not know? If you suspect errors in the data, how can you make sure there are none (or find out how they came about)?

Trusting your information is key. If you cannot trust it, what value does it have to you? Speculating can only do you so much good. Knowing is always better.

Rob is not making me pull my hair out today - he has a very good summary of integrity. It uses good examples, focuses on different solutions and discusses the issues each solution raises.
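To make the "integrity" leg of the confidentiality/integrity/availability definition Jaanus gave above, and the log integrity question in this post, concrete: below is an added example (mine, not Kai's, Rob's or Jaanus's code) of a keyed hash chain over log records. Every record's tag is an HMAC over the previous tag plus the record, so editing a record, deleting one from the middle, or re-chaining without the key is detected; the record format, the key and the sample records are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the verifying party keeps the key
# (or a signing key) off the host that writes the log, so a compromised host
# cannot simply re-chain the log after editing it.
DEMO_KEY = b"demo-key-not-for-production"
GENESIS = b"\x00" * 32  # tag "before" the first entry


def _encode(record):
    # Canonical encoding so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_log(records, key=DEMO_KEY):
    """Return a list of (record, tag) pairs. Each tag is
    HMAC-SHA256(key, previous_tag || canonical(record)), so every entry
    commits to everything written before it."""
    prev = GENESIS
    entries = []
    for rec in records:
        tag = hmac.new(key, prev + _encode(rec), hashlib.sha256).digest()
        entries.append((rec, tag.hex()))
        prev = tag
    return entries


def verify_log(entries, key=DEMO_KEY, expected_head=None):
    """Recompute the chain. Returns (True, None) if every entry checks out,
    otherwise (False, index) for the first entry that does not.
    If expected_head (hex tag of the last entry, stored out of band) is
    given, truncation of the tail is detected as well; a bare chain cannot
    see that entries were dropped from the end."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + _encode(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        # Every present entry is consistent, but the log does not end where
        # the out-of-band head says it should: the tail was removed.
        return False, len(entries)
    return True, None


# Constructed sample records, e.g. an audit trail from a billing or CRM system.
SAMPLE = [
    {"seq": 1, "user": "alice", "action": "create_invoice", "amount": 1200},
    {"seq": 2, "user": "bob", "action": "approve_invoice", "amount": 1200},
    {"seq": 3, "user": "alice", "action": "pay_invoice", "amount": 1200},
]


def demo():
    """Run the tampering cases and return the verify_log result for each."""
    good = chain_log(SAMPLE)
    head = good[-1][1]  # what an auditor would keep out of band

    # 1. Edit a field in place (the amount on the entry at index 1).
    edited = [(dict(r), t) for r, t in good]
    edited[1][0]["amount"] = 12000

    # 2. Delete an entry from the middle.
    deleted = good[:1] + good[2:]

    # 3. Drop the last entry; only the out-of-band head catches this.
    truncated = good[:-1]

    return {
        "intact": verify_log(good, expected_head=head),
        "edited": verify_log(edited, expected_head=head),
        "deleted": verify_log(deleted, expected_head=head),
        "truncated_no_head": verify_log(truncated),
        "truncated_with_head": verify_log(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The point for the non-technical reader is the last two cases: a chain alone tells you nothing about records quietly removed from the end, so the "head" tag has to be written somewhere the log host cannot reach (a separate system, a printout, a third party). Without that, the log looks perfectly consistent and you still cannot trust it.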

Is there peace in the NAC camp?

There has been quite a stir in the NAC world lately. Or at least on the vendor side of things.

Now Mitchell Ashley and Alan Shimel of StillSecure have invited Dominic Wilde of Nevis Networks and Michelle McLean of ConSentry to a podcast discussion!

Who is holding the rudder? Mike Rothman of Security Incite is!

So - is there peace in the NAC-camp? Listen for yourself!  


The blogger is Kai Roer, a European Information security professional.

View Kai Roer's profile on LinkedIn
