May, 2009
Guest post: Security challenges Italian style
Guest post by David Aminzade – Regional Director Tufin
Three years ago I bought a house in the south of Italy and since then I have been trying to immerse myself in the local culture. It recently occurred to me that there is actually a great deal of similarity between the nuances and national characteristics of Italy and the challenges faced by security professionals today.
A love of Spaghetti
A rule base that has evolved over several years with several vendors’ products and many different security administrators will certainly resemble the characteristics of spaghetti. When you start pulling on one end you never know what the consequences are.
Even in the south of Italy, companies nowadays need to improve the efficiency of their firewall operation and make what they have go faster and further, as budgets for hardware or software upgrades are under close scrutiny. Knowing which rules are most frequently used enables the security professional to improve performance by ensuring a close match between rule ranking and rule usage. This is even more the case when unused rules and shadowed rules can be clearly identified: such rules only add complexity, degrade performance and increase business continuity risk.
All road signs are only suggestions
Those of you who have driven in the south of Italy will know that all traffic laws (which, by the way, are still contained in the Italian criminal code, not the civil code) are merely suggestions, to be adhered to or ignored depending on the situation.
Such is often the case when people are writing new security rules or changing existing ones. We all know that we should include a comment or a clean-up rule, but sometimes expediency makes us ignore these good-practice guidelines.
Meeting a growing number of compliance requirements, whether from internal audit reviews, from external audit demands such as SOX or Basel II, or from industry-specific requirements such as PCI-DSS, is far more costly if a history of indiscipline exists.
It is of little use spending money to optimise your firewall infrastructure and enable automatic compliance if you do not stop subsequent non-compliance. The ability to flag non-compliance to the relevant IT, security, compliance or business manager protects your investment, maintains your firewall estate’s performance and ensures cost-free ongoing compliance.
Sleeping in the afternoon
One local habit that I have taken to most easily is sleeping in the afternoon. The opportunity to wind down and take a nap after a nice lunch is a great way to recharge your batteries. I think that this should be added as a criterion for any new security investment: “Does this investment allow me to take a nap in the afternoon?”
In summary, it is clear to me that companies are looking for ways to remove cost from firewall administration whilst adding performance. The ever-increasing demands of compliance from all quarters mean that the delivery of compliance needs to be automated and assured. To ensure ongoing OPEX reduction and operational efficiency, rule changes going forward need to be assessed automatically against an internal or external best-practice standard, and violations flagged to the responsible manager.
Ciao Amici
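The rule-base hygiene described in the guest post above (unused rules, shadowed rules, missing comments or clean-up rule, and re-ranking rules by usage without changing what the policy permits) can be checked mechanically. The following Python script is an added example written for this page; it is not Tufin's product or any firewall vendor's export format. The rule fields, addresses and hit counters are all constructed, and the "hits" value is assumed to be available from the firewall's rule counters or logs.

```python
"""Added example (not from the original post): hygiene checks on a firewall
rule base. Flags unused and shadowed rules and missing best-practice items
(comments, final clean-up rule), and proposes a hit-count ordering that does
not change what the policy permits. All rules below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: IPv4Network
    dst: IPv4Network
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "accept" or "drop"
    hits: int         # counter read from the firewall (assumed available)
    comment: str = ""


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet could match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def find_shadowed(rules):
    """Map each rule that can never match to the earlier rule hiding it."""
    shadowed = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed[later.rule_id] = earlier.rule_id
                break
    return shadowed


def find_unused(rules):
    return [r.rule_id for r in rules if r.hits == 0]


def check_practice(rules):
    """Best-practice violations to flag to the responsible manager."""
    issues = [f"rule {r.rule_id}: no comment" for r in rules if not r.comment]
    last = rules[-1]
    if not (last.src == ANY_NET and last.dst == ANY_NET and last.proto == "any"
            and last.ports == ANY_PORTS and last.action == "drop"):
        issues.append("rule base does not end with an explicit clean-up (drop any) rule")
    return issues


def suggest_order(rules):
    """Rule ids by descending hits, keeping the policy's meaning.
    A rule may only move above an earlier rule if the two cannot both match
    the same packet or if they share an action; those pairs form a DAG and
    the most-hit rule whose predecessors are already placed goes next."""
    n = len(rules)
    must_precede = {j: {i for i in range(j) if overlaps(rules[i], rules[j])
                        and rules[i].action != rules[j].action} for j in range(n)}
    placed, order = set(), []
    while len(order) < n:
        ready = [j for j in range(n) if j not in placed and must_precede[j] <= placed]
        nxt = max(ready, key=lambda j: (rules[j].hits, -j))
        placed.add(nxt)
        order.append(rules[nxt].rule_id)
    return order


def first_match(rules, src, dst, proto, port):
    """Action taken for one packet: first matching rule wins, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) \
                and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "drop"


def reorder(rules):
    by_id = {r.rule_id: r for r in rules}
    return [by_id[i] for i in suggest_order(rules)]


# Constructed sample rule base; rule 6 is the clean-up rule.
SAMPLE_RULES = [
    Rule(1, ip_network("10.0.0.0/8"), ip_network("192.168.10.5/32"), "tcp", (22, 22), "drop", 4, "block ssh to db"),
    Rule(2, ip_network("10.1.0.0/16"), ip_network("192.168.10.5/32"), "tcp", (22, 22), "accept", 0, "ops ssh"),
    Rule(3, ip_network("10.0.0.0/8"), ip_network("192.168.20.0/24"), "tcp", (443, 443), "accept", 12000, "intranet https"),
    Rule(4, ip_network("10.2.0.0/16"), ip_network("192.168.30.0/24"), "udp", (53, 53), "accept", 0, "legacy dns"),
    Rule(5, ip_network("172.16.0.0/12"), ip_network("192.168.20.0/24"), "tcp", (80, 443), "accept", 800),
    Rule(6, ANY_NET, ANY_NET, "any", ANY_PORTS, "drop", 30, "clean-up"),
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(SAMPLE_RULES))   # {2: 1}
    print("unused:", find_unused(SAMPLE_RULES))       # [2, 4]
    print("practice:", check_practice(SAMPLE_RULES))  # ['rule 5: no comment']
    print("order:", suggest_order(SAMPLE_RULES))      # [3, 5, 1, 2, 4, 6]
```

In the sample, rule 2 is shadowed by rule 1 (a narrower source behind a broader drop), so its zero hit count is structural rather than a sign of a dormant flow; rule 4 is simply unused and is a candidate for review before removal. The ordering step moves the 12,000-hit HTTPS rule to the top but keeps rule 2 behind rule 1 and the clean-up rule last, because moving either would change which packets are dropped; `first_match` lets you confirm on sample packets that the original and reordered bases decide the same way.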
Self-destructing botnets
I just read this very interesting post on self-destructing botnets.
The post refers to security experts saying that the kill switch may be used to remove evidence, and to buy phishers time to get away with information - i.e. stealing the info, then killing the net and creating havoc.
I say think like a criminal here. When you have stolen the data, there is really no need to create havoc just to postpone the discovery of the theft. Actually, I believe that by pushing the kill switch, the criminal is actually getting more attention than if he did not. If I had such a botnet installed, I would use it to gather intelligence over time. I can see only two reasons to push the kill switch:
- The botnet has served its purpose, and you'd like to remove the evidence (still, I would put it to sleep, not kill it...)
- Prove that I control the net, and can take it out unless you pay ransom. But - I would only take out a portion to prove it, and the rest only if they do not pay up.
What reasons do you think a botnet master would have to flip the kill switch?
Michael Jackson on infosec...
A sweet laugh from the Infosec cynic! Finally, someone is able to get some wise words out of MJ!
Security Profile: Mark Kadrich, The Security Consortium
Mark Kadrich is CEO of The Security Consortium and author of End Point Security. His resume includes Symantec, Sygate and brands like AltView and Conxion. You may read more about Mark.
Mark is a person who cares for security. Not the pushing of boxes, but for the process that security is. He is also a very fun guy, and extremely knowledgeable.
Please tell us about TSC, Mark.
“TSC provides companies with testing, research, counsel and leadership services where we provide a means to balance security against business objectives. Our Pre-assessment service for PCI-DSS is a great example. It is a tool-box to identify issues early on.
We have seen in the past several cases where a company was certified as PCI-DSS compliant, and after a breach, Visa simply said ‘sorry guys, you were no longer compliant at the time of the breach’”
Mark gets animated. His voice carries the warmth of a father who cares very much for his kids. As he goes on, paying attention is very easy.
“The challenge with all standards is the fact that you get certified at a point in time. You take a shot, a benchmark of the reality, and that is what gets certified. But in business, things move quickly, and very quickly, that benchmark is left behind. Still your certification is attached to that very benchmark.
Just consider patches and updates. Imagine your certification, your PCI-DSS compliance, is stamped January 10th. Three days later, you have to update the firmware on your firewall. Or you update your servers because Microsoft has provided new updates. What happens?”
Mark takes a deep breath.
“I’ll tell you what happens. You are no longer compliant! Your certification was for the snapshot, the benchmark you made January 10th. But once you’ve updated your firmware or servers, that snapshot is no longer accurate; as a result, your systems are no longer compliant to that benchmark.”
He is silent. For a fraction of a second.
“As long as you stay under the radar, you are fine. As long as you get no breaches, no one really cares. But the moment you get a breach, the very moment you need to show off to the world that you did everything you could do to prevent the breach, that is when the truth dawns upon you. You realize that you are no longer compliant. And Visa blames you, your customers blame you, and you get fined. Just imagine the costs!”
Huge numbers fly by my eyes. The unfairness of standing alone when you need the support the most weighs on me. And Mark is not done yet:
“Imagine if you spend a small percentage of what you originally spent to get compliant for a pre-assessment test. You would be able to align your security to your business objectives. You would be able to identify the technology to support you and your mission. You could step up the ladder, and use the technology as a tool, an enabler, not as a slave master dictating how you should run your business.
I am a process control geek. And process is our focus at TSC. We believe that implementing the right security process is the way to achieve the best security. Technology is used to support the process, not the other way around.
Aligning the process with the business objectives is the core.”
As Mark takes a short break, I imagine the challenges this approach would meet at some of the companies I visit. They truly believe that technology alone is the security saviour. And most of the time, they discover too late that technology is merely a tool to enhance their internal workings.
“Yes, it is a challenge. Change is always a challenge, as resistance to change exists in any organization. And often you can see that organizations put all their beliefs in the technology alone, for example by using end-to-end encryption between two locations. It makes it harder to eavesdrop, but it also enables a hacker to hide in the encrypted tunnel.”
Mark is very focused on the fact that you cannot rely on a standard alone. It must be adopted and implemented into the organization by focusing on the business objectives of that very organization. The whole purpose of the standard is to provide a framework to build processes with.
After an hour of discussion, laughing and learning, I have to end the call. I get a distinct feeling that I will continue to talk to and learn from Mark Kadrich. And I expect to see a lot more from him in the future.
Infosecurity Adviser applauds forensics lab training facilities at key UK university
I like this! Forensics is important, and getting more important every single day. Thus, setting up labs and training makes perfect sense to me!
-------------------------------------
London, UK – 19th May, Infosecurity Adviser, Infosecurity Europe’s online community for the information security industry, has published a revealing behind-the-scenes report on the University of Bedfordshire's new digital security and forensics laboratory.
According to Mike Barwise, contributor on Infosecurity Adviser, “as law enforcement gets to grips with electronic crime, digital forensics has become an integral part of corporate incident management. Despite this, many prosecutions are still thwarted by inappropriate evidence handling on the part of inexperienced front line response teams. That's why I feel the new facility at the University of Bedfordshire has so much to offer in training up a new echelon of qualified entrants to the profession,” he added.
The new lab and training facilities at the university, which runs IT forensics courses for undergraduates and postgraduates, are very impressive.
With 15 high-specification quad-core PCs, each of which has 2.5 terabytes of storage and a range of very high quality IT forensics software, the IT investigation facilities of the labs are second to none in the UK at the moment, says Barwise.
This, he explained, is notable in a segment of the IT industry that is still very much in its infancy in terms of training and general expertise, despite a surge of interest amongst commercial organisations.
A key example of this, he says, is KPMG, which has recently enhanced its UK IT forensics operation - one of the fastest growing of its practice areas - with the addition of new facilities and boosting staffing numbers to a total of 150.
"Last year KPMG generated revenues of 60 million pounds from its UK forensics division and noted that - alongside traditional fraud prevention and detection services - other related services, such as data analytics, are rapidly expanding as well," he said.
It's against this backdrop, says Barwise, that the creation of the impressive facilities at the University of Bedfordshire is to be applauded, as there is a growing need for rapid first line response to IT incidents that require investigation by forensics specialists.
For more on Mike Barwise's report on the University's forensics' facility: http://www.
Interview with Mark Kadrich, TSC
I had a very nice chat with Mark Kadrich last week. Mark is the CEO of The Security Consortium, a company that focuses on reducing its clients' costs through pre-assessment services.
Any project manager you meet – be it security, ICT, civil engineering or any other form of project management – she will tell you that the more you have prepared in advance, the lower the risk and costs of the project.
As an example, let us look at building a road. The pre-assessment is the initial phase, where you look at alternative routes and calculate the costs, the excavation necessary, and so forth. In our example, the cost is 10M$.
Later, when building the road, unstable masses are discovered, adding a cost of 100M$ to the already constrained budget. By spending 100% more money and time in the pre-assessment phase – thus increasing the 10M$ to 20M$ – the unstable masses would have been discovered earlier. And discovering the unstable masses early on would open up a whole array of choices – moving the road, using different techniques, building a bridge, or perhaps even cancelling the project.
The same applies to security. Often, you find yourself running around, putting out fires, instead of focusing on preventive measures.
Mark Kadrich and The Security Consortium to the rescue! The interview will be posted Friday 22nd May – please come back then!
Choosing a security career, part two
Again, I got some questions related to choosing the right path into InfoSec. Please, if you have different opinions, tips, or ideas, please share them in the comments below!
You may also be interested in my first post on the topic.
-------------------------
Hi Mr Roer,
I'm sorry to bother you again. I wish to ask you one question if you may kindly guide me.
How is the future of Cyber Forensics, as I have secured admission to the Forensic Informatics course from Strathclyde, Glasgow. A lot of people are telling me the course is good as it's more into research and is application oriented. The course also has 3 months of internship along with.
Can you please let me know if Forensics might limit my horizons to a particular domain or is it really upcoming and worthwhile to step into. Considering I am not a programmer what would be better for me Forensics or Security management of an organization ?
I'm thankful for all your time :)
-------------------------
My answer:
Thank you very much for your continued questions! I hope I can be of help to you, today or sometime in the future. I am glad to help.
As for forensics, IMO, it is one of the more interesting areas of info sec tech. And, I truly believe it to be an up-and-coming area, as police and law enforcement really lack competence in this area, thus they need help to secure, track and identify breaches. In addition, many companies prefer to solve such issues on the "inside", thus requesting external, non-governmental forensic experts to help them secure evidence.
You may also use deep knowledge in forensics to counter attacks, and most importantly, to set up preventive matters, traps and other honey-smelling pots. In addition, you will be able to truly appreciate the value of logs, logging, and access control mechanisms; and the difference in identification, authentication and authorization.
Further, with forensics, you will be able to use your competence in a wide array of areas - including for example systems monitoring, architecture, investigation, systems design. With the development of new technology, you also have the option to specialize in narrow, specialized areas too. And with forensics in your past, you will be a valuable asset to any security management team IMO.
I do not know the course at Strathclyde, but if people say it is good, then I would suggest that they are right.
As before, this is more a question of what you would like to achieve, and then choosing a topic.
I wish you best of luck! And thank you for asking!
----------------------
Do you have any comments? Like to add something? Please share in the comments!
Do you have any questions? Please ask me! Use the contact form, or the comment fields below :)
Book review: IPv6 Security
If you are using Cisco equipment, then the book IPv6 Security: Protection Measures for the Next Internet Protocol, by Scott Hogg and Eric Vyncke, should be on your bookshelf. This book not only discusses the vulnerabilities of IPv6, it also gives you hands-on tips on how to mitigate those issues. The book is full of examples of how to reproduce the challenges described, but most importantly it shows you how to alter your setup and systems in order to reduce the risk.
Although the book is a Cisco Press book, meaning that the focus is entirely on Cisco's own products (possibly leaving out all issues not covered by Cisco products), the explanations of the vulnerabilities are great, and the examples of setup changes are pretty easy to understand if you have some knowledge of IPv6 and the CLI. If you are not into the CLI at all, or have no previous understanding of IPv6, the book does point you to relevant resources to study the topic. However, the writing skills of the authors help present the topic in a very nice way. It is easy to understand and relate to the matters described, and I dare say that you do not need to be a high-level expert to gain a lot from this book.
I therefore believe that if you are a network engineer with some understanding of network security (like packet filtering, ACLs etc.), you should be able to make good use of this book, even if you are not using Cisco products. If you are not into Cisco, you will have to "translate" the CLI commands in the book's examples to the correct ones for your systems, but if you have played with a CLI at some point, you should be able to deal with this pretty easily.
I particularly like the setup of the book, where every vulnerability is described following the same pattern: first explain the relevant part of IPv6, then discuss the security threats related to this part, and finally discuss and showcase how to counter these threats.
I like this book. To me, it will be used as a reference, and as a learning book to look more deeply into IPv6 security matters. Most importantly, I think you might like it too!
ISBN-10: 1-58705-594-5
ISBN-13: 978-1-58705-594-2
Cisco Press

Facebook Remains Stubbornly Proud Of Position On Holocaust Denial
The post:
------------------------------------------
Facebook is apparently done talking about Holocaust denial for now. A couple of groups that got more out of hand than the rest were taken down, but the company’s policy of permitting the groups on the site remains. “Denying the holocaust is not a violation of our terms,” says Facebook spokesperson Barry Schnitt in a comment to our post yesterday. Meanwhile, Facebook’s ban on pictures showing nipples from breast feeding women remains. The pictures are pornography and a violation of Facebook’s terms of service. Interestingly, Schnitt is the spokesperson that handles both issues, and seems quite comfortable with the respective policies.
While we don’t have much officially being said, we do have some Facebook employees speaking their mind directly, and most are pro-Holocaust deniers. Product Manager Ezra Callahan describes the posts by Brian Cuban and myself as “incomprehensible reasoning.” Ezra is not a Facebook spokesperson, but Randi Zuckerberg, who is a Facebook Spokesperson, says of Ezra’s note “Really well-written, articulate, and insightful note by Facebook employee Ezra Callahan on being a Jewish employee and supporting Facebook’s policy to not remove groups that deny the Holocaust.” That sounds like a stamp of approval to me.
Ezra’s arguments in a nutshell:
- Facebook is a “company run by a prominent Jew” and can’t “possibly show preferential treatment to one offended group over others”
- The Holocaust is just one of many human tragedies: “There are quite a few other especially-horrifying events in humanity’s recent past that likely merit the same level of consideration”
- Providing a forum for Holocaust deniers lets people see how “stupid” they are
Here’s where I’m going to take a ninety degree turn. I’m not going to address these issues head on. Brian Cuban is doing that already, and provides logical counterpoints to these arguments.
But I actually think even engaging in this debate is dangerous. The Holocaust is in its own special category of fucked up human behavior. Not because of the millions of Jews that were killed in the actual Holocaust - sadly that’s just how we roll as a race. No, the problem is that Holocaust deniers make their arguments for one simple purpose - they want to finish what was started and wipe Jews off the planet. We all know this is the elephant in the room, it’s just that the lawyers who write terms of service don’t really know how to deal with that. Nipples are bad, even if clearly not posted for sexual reasons. Holocaust denial is ok, even if clearly posted in order to spread hatred of Jews. That’s not something lawyers can tackle.
I don’t make that statement lightly, nor do I expect everyone to agree. But in the last few days I’ve read a lot (a whole lot) of Holocaust denial literature on the Internet, and it is extremely scary stuff. The whole point of it is to suggest that Jews are engaged in a massive conspiracy to fool the world. These are the same types of conspiracy theories that led to the Holocaust in the first place.
When you engage with Holocaust deniers to talk about where the lines are drawn you’ve already lost. Ezra and the rest of Facebook is playing the game on their terms.
Holocaust denial is a seed. A seed that will grow into a fully bloomed second Holocaust if ever allowed to germinate. And Facebook is providing the fertile ground and watering needed to do just that.
That’s why a dozen or so countries, all of which otherwise support free speech, have enacted laws against Holocaust denial. People love to hate, even smart people with significantly more than a “shred of common sense” as Ezra puts it. So many smart people think there is a Jewish conspiracy to rule the world. They can’t help but believe it. And giving those people a place on Facebook to share and expand those ideas is just too dangerous a thing to do. They know they can spread hatred of Jews if they stick mostly to just denying the Holocaust. And if a few members get out of hand every once in a while, they can just say that the group exists only to talk about whether the Holocaust happened or not, and certainly not to spread hate. See the images on my post from yesterday to see how these messages go.
Sure, we can’t shut down the dark places on the Internet where people are free to hate Jews and post pictures of breast feeding mothers. But Facebook can take a stand and say it won’t happen in their back yard. Holocaust denial is hate speech, and it cannot be given a place to take root.
This isn’t a slippery slope, Facebook. It’s evil. Pure evil. Don’t plant a flag on the wrong side of the line. Stand firm against racial and religious hatred, even if you don’t have to. You’ll look back in fifty years and be proud that you did. Because no matter what your terms of service say, this isn’t porn. It’s the Holocaust. And it happened.
------------------------ end

Book review: CISSP in 21 days
Title: CISSP in 21 days – boost your confidence and get a competitive edge to crack the exam
Author: M. L. Srinivasan
Publisher: Packt Publishing (ISBN: 978-1-847194-50-3) (link to book at Amazon, link to book at publisher)
I have been reading this book for a short while. I have two conclusions:
1. it uses a very easy to understand, simple language, which makes it very straight forward to read and understand
2. the CISSP exam and requirements are not at all as tough as I thought (I know this is a shock, but, no, I am not a CISSP)
Mr. Srinivasan has a name that I have a challenge with, but that is also the only thing I do not immediately understand in this book. In fact, the book is so easy to understand and relate to that I honestly consider doing a CISSP just for the fun of it!
I do believe that certifications like the CISSP are important in the security area, but I also believe that it is not something you brag about. If you are hands-on, then this certification serves as a reference point the rest of us can relate to. It may also be a nice paper to show in your boss’ face when asking for a raise. Apart from that, to me, being hands-on and truly understanding the implications of your actions are vital to any security engineer. Thus, if you can prove to me that you know what you’re doing, I will not request to see your CISSP.
What is more, if you do have a CISSP to show for you, but lack the understanding and consideration for the delicacy of security, I will disregard you anyway.
Back to the book now.
If you are planning to take the exam, this book will be of value to you. As mentioned above, it is even of value to me, realizing how much I really know in the different aspects of security.
The book is laid out in a very structured way, following a path that is laid out to make the exam easier for you. Keep in mind that if you have no clue about security, and lack the experience, this book is not going to help you. But if you do know your stuff, and have access to detailed material on topics of your interest, then the book will definitely help you structure and review your knowledge.
In all, I suggest you give this book a try when you go for your CISSP exam!
And good luck!
--> Update from the publisher! Now an extended version of chapter 15 is available for download too! <--

A Nigerian man has been sentenced to 12 years in prison for sending out fraudulent e-mails offering victims big bucks in exchange for moving cash to the United States.

