Comments and Trackbacks off...

I've had to switch comments and trackbacks off on the blog at the moment. Turns out that my little converted NAS box that I've moved over to is great at static content but not so good at CGIs, so when comment/trackback spammers hit it a lot it overheats!
Going to look into maybe moving the blog to a hosted solution, so hopefully get all back to normal when that happens...
Edit: I've tried something which *may* sort the problem so comments back on for now...

Moved Again..

I've had the blog running in a virtual machine for a while since the power supply on my server blew, but that's it back onto dedicated hardware now..
In fact it's a nice little debian server using a Buffalo Linkstation Pro reflashed with FreeLink.
Pretty good deal as you get a perfectly good Linux server based on a 130 pound piece of hardware. I've got two of them running now, one as a web server and one as a file/print server. They're a lot smaller and quieter than running full-tower cases in the office!

HP to acquire SPI... Cenzic/Acunetix/... next?

Rational Security: Bye Bye, SPI (Dynamics...)
Well that's SPI getting acquired now by HP to follow on from IBM buying Watchfire
There may be loads of companies left in the security community waiting to get bought up, but there's only really Cenzic left of the original top 4 web application scanning tools, plus some other up-and-coming scanners like Acunetix WVS maybe as well.

Data Tagging requisites..

Rational Security: Profiling Data At the Network-Layer and Controlling It's Movement Is a Bad Thing?
Well I'm going to try and answer Hoff's question on the standards I think need to exist before ADAPT or any other data classification and security programme will work... But first, a question of my own.. Where does he get all those cool graphics!
Anyway, so we're tagging all our data. For that to happen I'm thinking that the tags need to be attached to each "document" that flows over the network. Now we've got a wide variety of documents in place: we've got all our MS Office docs, we've got XML files, we've got binary blobs from proprietary programs, we've got encrypted files. Many of these have no native facility to insert any sort of metadata tag. So without that how do we attach a meaningful tag to the data? If we modify the document in the infrastructure after it's been constructed, the device which does this will need to understand every data/file format that we want to tag, and I think that's a very tricky thing to do.
So I think that in order to do this effectively you need a standard which all programs which construct documents will use to tag their data, so that all the infrastructure devices can read those tags and act on them...
Now the question I've got for Hoff is ... transparent to users.. how will that happen while the tags still remain meaningful to the business? To do that it seems to me that the device/network will need to make assumptions about the appropriate tags for all of a user's data? From my experience users will create and process documents at a variety of sensitivities and classifications in a given day, and the only person who understands the significance of their documents is the user themselves.

Comment on comment about comm.... ah you get the picture

IT Security, the view from here: Comment on comment about comments.
OK, I think that Rob and I will need to agree to disagree about this. I think that I've been talking at cross-purposes with him a bit initially here, but I will say that I probably still don't agree with him.
The idea of data classification is a great one, in theory, but I've just not seen companies be able to implement and manage it at all well. The main problem is the support of products. That's got to be in place before you can begin to classify your data properly (in my opinion) and unless it's an industry standard in the early days it can't work as you'll not be able to apply it across all information repositories, at which point you've got holes in the protection provided.
In addition to support of products is user buy-in. What's the selling point to an end-user department in a corporate for the additional overhead for them to classify all their documents?
On the point that Rob makes, about DRM not being involved in data-centric security. Well, sounds like my misunderstanding. From reading the Jericho stuff which mentions DRM in its "commandments" about data-centric security, and Hoff mentioned it in his original post, so I obviously got the wrong end of the stick, although without DRM I'm kinda curious about how you stop a system which either doesn't understand your classification or deliberately tries to bypass it from reading data to which it's not entitled...
To close on this a couple of experiences I've had with Data classification and marking. I wrote some policies for a UK corporate on this a couple of years back and I remember going round the table and everyone adding stuff in about double-enveloping and all that other good information marking stuff, and just hitting intractable problems about things like how you classify data on things like E-Mail and MS Word which realistically everyone uses and also realising that to make this work is to ask a lot from a load of users who don't and don't want to understand anything about security. Now maybe products will come along which make this all really easy and transparent to the users but, well I remain to be convinced...

Data security architecture Redux.

Re-reading my previous post on data-centric security Hoff made the correct comment that I'd gone to the extreme end and it didn't quite flow from his post.
Fair point, I jumped a couple of hurdles a bit too quickly and it probably didn't make where I'm coming from clear, so I'll try and cover things a bit better now.
OK, first basic point, I'm not a fan of *some* of the Jericho Forum's ideas (I like most of the others just fine, in principle anyway). Specifically the DRM/access to data bit. In principle it sounds great, but I don't think that it's practicable to implement in most organisations with their masses of un-organised data and ever increasing requirements for easier connectivity and data flow.
Now Rob makes the point very forcefully that models like Bell-LaPadula have described the kind of Mandatory Access Control world that DRM implements for quite some time. Yep they have, but outside of military or police environments I've never seen these implemented. My feeling is that the reason for this is that in these systems users need to be actively involved in data security: they need to classify information as it's created and they need to understand the requirements on them to maintain the classification of data.
I don't think that most corporates will buy into systems that work in that way. I think that the overhead of training and maintaining systems that implement MAC is beyond what most companies want.
So .. am I anti-security? Nope, I'm extremely pro-security. My feeling is however that the best way to implement security is in ways which are invisible to users. Every time you make ordinary business people think about security (eg, usernames/passwords) they try their darndest to bypass those requirements.
Personally I'm a great fan of network segregation and defence in depth at the network layer. I think that devices like the ones crossbeam produce are very useful in coming up with risk profiles, on a network by network basis rather than a data basis and managing traffic in that way. The reason for this is that then the segregation and protections can be applied without the intervention of end-users and without them (hopefully) having to know about what security is in place.
So to use the phrase that I've seen in other blogs on this subject, I think that the "zones of trust" are a great idea, but the zones shouldn't be based on the data that flows over them, but on the users/machines that use them. It's the idea of tagging all that data with the right tags and controlling its flow that bugs me.
So that's where my points in the previous post came from, and I still reckon they're correct. Data tagging and parsing relies on the existence of standards and their uptake in the first instance and then users *actually using them*, and personally I think that's not going to happen in general companies and therefore is not the best place to be focusing security effort...
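To make the "Data Tagging requisites" argument above and the Bell-LaPadula reference concrete, here is a small added example (my own illustration, not code from the posts or from any of the products mentioned) of what an infrastructure device would have to do with a tagged document: parse a label out of it, then apply the Bell-LaPadula "no read up" and "no write down" rules. The `X-DATA-LABEL:` header convention, the level names and the sample documents are constructed assumptions; the point it shows is that everything hinges on the tag being present and parsable, and the binary blob case is exactly the hole described above.

```python
"""Added example: a Bell-LaPadula style label check over tagged documents.
The header convention, level names and sample documents are constructed."""
from dataclasses import dataclass
import json
from typing import Optional, FrozenSet

# Assumed classification lattice (higher number = more sensitive).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A holds every
        # compartment B has. This is the lattice ordering BLP is built on.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

# Constructed convention: first line of a document carries a JSON label.
TAG_PREFIX = b"X-DATA-LABEL:"

def extract_label(document: bytes) -> Optional[Label]:
    """Return the label from the first line, or None if there is no
    parsable tag (binary blobs, encrypted files, foreign formats)."""
    first_line, _, _ = document.partition(b"\n")
    if not first_line.startswith(TAG_PREFIX):
        return None
    try:
        raw = json.loads(first_line[len(TAG_PREFIX):].decode("utf-8"))
        level = raw["level"].upper()
        if level not in LEVELS:
            return None
        return Label(level, frozenset(raw.get("compartments", [])))
    except (ValueError, KeyError, UnicodeDecodeError, AttributeError, TypeError):
        return None

def may_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up.
    return subject.dominates(obj)

def may_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down.
    return obj.dominates(subject)

def gateway_decision(subject: Label, document: bytes, action: str) -> str:
    """What a network-layer enforcement point could answer for a flow."""
    label = extract_label(document)
    if label is None:
        # The device cannot understand the format: it has to fail closed
        # (or let it through and lose the protection). Neither is free.
        return "QUARANTINE: untagged or unparsable document"
    ok = may_read(subject, label) if action == "read" else may_write(subject, label)
    return "ALLOW" if ok else f"DENY: {action} violates policy"

# Constructed sample documents.
DOC_INTERNAL = b'X-DATA-LABEL:{"level":"internal"}\nQ3 canteen menu\n'
DOC_SECRET_HR = b'X-DATA-LABEL:{"level":"secret","compartments":["HR"]}\nsalary review\n'
DOC_BLOB = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"  # no tag at all

if __name__ == "__main__":
    analyst = Label("CONFIDENTIAL")
    for name, doc, action in [("internal", DOC_INTERNAL, "read"),
                              ("secret/HR", DOC_SECRET_HR, "read"),
                              ("internal", DOC_INTERNAL, "write"),
                              ("blob", DOC_BLOB, "read")]:
        print(f"{action:5} {name:10} -> {gateway_decision(analyst, doc, action)}")
```

Run it and the CONFIDENTIAL subject can read the INTERNAL document, is refused the SECRET/HR one, is refused a write back to INTERNAL (no write down), and the PNG is quarantined because there is simply nothing to parse. Every program that produces documents would have to emit that first line for the gateway to be useful, which is the standards problem the post is getting at.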

Excellent point on culture change

The Security Development Lifecycle : Oil Change or Culture Change?
Really interesting point here on the Microsoft SDL blog about executive buy-in being critical to getting focus on security. I think that it actually applies to pretty much all security spending.
The thing that came home to me reading this is that it's not that company executives don't want their organisations to be secure, I'm sure they do. It's that when it comes down to the detail of "where will I not spend money and effort so I can do this piece of security work" that the problems start.
It's a really difficult sell to say "well Mr CIO, we suggest spending X on security which will mean that one (or more) of your other projects won't happen this year due to the resource cost of doing the security work" unless that CIO realises how important security is and also trusts the people who are giving him that message.
Using the example of implementing a SDL. It's not just the cost of the tools and consultancy to implement it, it's the developer time that's not writing new features or fixing customer bugs while they learn about SDL and get the appropriate training.
So how do you do this magic convincing act... not sure (probably why I'm not a CSO at the moment!). With Microsoft it happened 'cause they had a very large number of high profile security problems which led their CEO to ensure that the improvements occurred. I'm not sure I've heard many other stories of companies that have really changed their attitude to security in the same way without that kind of problem, but I'd hate to think that incidents are the only way to get a good security stance!

Data Centric Security... Yeuch

Rational Security: For Data to Survive, It Must ADAPT...
EDIT: I've had a couple of comments on this posting that I was bad-mouthing Hoff with this post. Not my intention and I apologise if it came across like that. I actually agree with most of what he says, just not the bit about data-centric security/information classification.
All this data-centric security stuff sounds really good in principle, but to be honest I'm not buying it, for a couple of reasons.
One: there's no widely agreed on DRM open standard that companies are applying now. For data-centric security to work all systems which process the data have to be able to understand the security meta-data that's applied to it and be able (if permitted) to process it. To be honest I just don't see that happening even in the medium-long term. And without that the idea won't fly. Imagine telling a senior exec that he can't get his board report on his handheld device 'cause it doesn't support [standard X] yet so can't read the DRM-encrypted file.
Two: More importantly, the idea of assigning security levels to individual data items or collections of data items seems really un-manageable to me. Take Office/E-mail security at the moment. Ultimately for most corporations the majority of their data will at some time reside in a (MS) Office and/or email format. Now at the moment most companies manage access to that in an incredibly coarse-grained fashion, with whole data shares getting assigned to large groups of users, and even that is seen as not being flexible enough by a lot of end users...
Three: Data-centric security has been trialled recently in a large multi-company multi-system environment that everyone's heard of and it's been a complete disaster, which is DRM on music files. Users absolutely hate it and have spent large amounts of effort bypassing it, it's created a monopoly because of the lack of industry standards, and even the record companies seem to be backing off from it...

OWASP Conference slides up

Looks like the slides are up for most of the OWASP conference presentations over here
A couple that I thought were particularly interesting were
Alex Lucas on the Microsoft SDL, which gave some good insight on all the work that Microsoft are putting into improving the security of Vista. I've never been a huge Microsoft fan but they're definitely moving in the right direction on the security issue.
Also Brian Chess on static source code review. This one gives some good insight into what static source code analysis can and can't do for a security review. It looks to me like Fortify and Ounce will be moving into the same kind of space that SPI, Cenzic and Watchfire are in for web application testers. No-one thinks you can just run those tools and call it a day, but they're pretty valuable in improving the coverage of the test and catching certain classes of vulnerability, leaving the tester to focus on things like business logic flaws that automated tools can't find.

Windows Server 2008 to solve Microsoft's last security problem?

Windows Server 2008 Features Address Linux Rivalry
Interesting article which talks about the modular nature of Windows Server 2008. From the content of this article I think it's fair to say that Microsoft will have addressed the last big architectural problems with their software security that I can think of, once Server 2008 is available.
Previous versions of Windows Server have had items like Internet Explorer and Windows Media Player installed by default with no easy way to remove them, which led to additional patching and security requirements for the operating system and an increased attack surface, even with the lock down on some of the functionality they provided that happened in Server 2003.
Now from this article it appears that Windows Server 2008 will reduce the attack surface of the OS by allowing it to be much more modular. And for the first time you can have a Windows server without a GUI!!
In the past I've always doubted that Microsoft would do this as from a marketing perspective bundling has always been a strong point for them.
When you combine this with the very strong story that Microsoft has on secure development techniques I'd say that the latest generation of their products are likely to be the best in their fields for security...