CA Community

March 2010 - Posts

The GRC and IG Blogs – a Different Format

Published: March 31 2010, 09:26 AM | no comments
by Sumner Blount

Some of you may have arrived at this blog because you followed a previous link to the GRC or IG blogs.  Upon arriving here, you might have been surprised at all this “security stuff” within the posts on this blog.  As you might have guessed by now, we have merged the Security blog and the GRC and IG blogs into a single, unified blog.  This reflects our belief that these areas are highly related and deserve a comprehensive approach.  As always, suggestions for topics to blog about, or comments on previous posts, are welcome.

 


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Should the President have the ability to shut down the Internet? Is it even possible?

Published: March 30 2010, 03:15 PM | no comments
by Merritt Maxim

The passage of the health care reform bill in the US Congress has freed up time to debate other pending legislation, including several bills around cybersecurity.  Notably, last week, at a Commerce, Science & Transportation Committee hearing, US senators approved Cybersecurity Act S 773.  With committee passage, this bill can now proceed towards broader debate and a Senate vote.  This bill also joins several other cybersecurity bills under debate in the US House of Representatives.

I won't go into all the details in the legislation (you can see it here), but one provision that was removed during the committee hearing this week was a provision that would have given the President of the United States the ability to stop all Internet traffic in the event of a major cyber attack or emergency.  Although this provision was removed, I have been thinking about it and pondering several questions. 

How would such an order be implemented? 

The Internet is so widely distributed; how would authorities actually go about shutting down service providers?  And given that the order would occur during a cyber emergency, when such communication vehicles (cellular and wired networks) may not be functioning, how would service providers actually receive the notice?

Can the Internet really be shut down?

Given that the original Internet was designed to withstand a nuclear attack, is it even possible or feasible to shut down the Internet?  Service providers re-route traffic all the time for bandwidth optimization reasons, so determining how this would work could be a major challenge.  This provision also makes me wonder how well this provision was understood and debated in the Senate Committee.

Should any individual have the ability to shut down the Internet?

If we accept that some mechanism could shut down the Internet, the person(s) possessing the ability to issue such an order would wield tremendous power.  Besides raising questions around how such an order would be issued and authenticated, it also opens a new target for hackers: how to impersonate senior US leadership and use that to issue erroneous orders to shut down the Internet. 

My scenario may not seem so far-fetched, given recent news about President Obama's Twitter account being hacked.  It also reminds me of the proposed idea to implement remote controls in airplanes so that law enforcement people could override the controls of terrorists/hijackers in the air.  Sounds great, until you realize that now all people need to do is compromise the remote control system and they can hijack planes without ever having to board them!  

This proposal opened up some very interesting technical questions, but I think my musings also prove that cutting this proposal was a wise decision.   I applaud the passage of S.773 and look forward to seeing it progress through both houses in the coming months.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Securing Your Road to Virtualization & Cloud: Privileged Users, Here They Come Again

Published: March 25 2010, 01:25 PM | 1 Comment(s)
by Shirief Nosseir

Continuing from my last blog, where I touched on some of the challenges facing the management of privileged users, it was interesting to hear at one of Gartner's sessions at their European Identity and Access Management Summit earlier this month that (something along the lines of) they see Privileged User Management (PUM) as one of the critical building blocks for enabling cloud computing.  I can only agree with this view.  PUM is proving to be essential for securing virtual environments sitting on-premise and managed by loyal employees, let alone cloud instances hosted by 3rd parties and managed by external privileged users (who might even be contracted by the service providers). 

For virtual platforms (as well as internal private clouds), the risk of not managing privileged users is too high to ignore compared to traditional environments.  Without virtualization, each critical server is typically dedicated to providing a single service only (DBMS, application server, business portal, etc).  In contrast, it is both the beauty and the curse of virtualization that we do run several server instances on the same physical machine, which now might host a complete application stack used to support an entire business area - for example, a Customer Relationship Management (CRM) system with all its databases, middleware, and other components.  This provides many benefits that we all know about including improved service quality, operational productivity, and cost and energy savings.  However one of the primary trade-offs is that it's more difficult to manage privileged users.  Consider how easy it is for a virtualization (hypervisor) administrator to - inadvertently or maliciously - cause a serious breach or business disruption (for example, instances of virtual servers are files that can be copied and then easily restarted at a convenient, off-premise location.  This is equivalent to stealing several physical servers from a site, then taking all the time to mine them for goodies).  Also let's not forget the need to ensure separation of duties (SOD) and maintain accountability across these virtual servers.

Many surveys show that most large enterprises have already adopted server virtualization, but what's interesting is that most of these organisations have only virtualized 10-20% of their servers (i.e., in limited and controlled production environments).  Recent Gartner research indicates that by the end of 2009, only 18% of servers that could be virtualized had been virtualised within enterprise data centers, and that this figure is expected to reach over 50% by the end of 2012 (i.e., virtualization will become the de facto platform).  The research goes on to suggest that through 2012, 60% of virtualized servers will be less secure than their physical counterparts.  In addition, the research highlights the six most common virtualization security risks and how to combat them.  Two of these risks directly relate to controlling and monitoring privileged users, namely: (i) “Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking”, and (ii) “There Is a Potential Loss of SOD for Network and Security Controls.”  In other words, this extensive adoption of virtualization within organizations will clearly introduce a range of new challenges and require more mature security management practices, with PUM at the forefront. 

Furthermore, automation is a must to realize the full potential of virtualization; managing privileged users with encrypted spreadsheets and sealed envelopes will definitely not cut it anymore.  Actually, in many cases, even typical Privileged User Password Management solutions (i.e., PUPM technologies that primarily offer password vaults to manage shared accounts) will not be enough to manage such sophisticated environments.  Virtualization needs a comprehensive PUM approach where fine-grained access control (i.e., granularly managing who can do what, and in which context) is consistently enforced and closely monitored across all heterogeneous virtual environments. 

One of the other six virtualization security risks listed in the Gartner research is “A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads.”  This reminds us to keep in mind that privileged users do not just pose an internal threat.  Traditionally, privileged user accounts are the most targeted by hackers.  As virtualization and cloud continue to grow and privileged users gain even more keys to the kingdom, it will make more economical sense for hackers to increase their focus on these accounts.  Ensuring that the principle of least privilege is applied (through fine-grained access control) will help limit the damage if an account is compromised.

For external/off-premise (private or public) clouds, PUM also becomes an imperative for cloud providers to demonstrate to customers their ability and confidence in applying the principle of least privilege, providing transparency and compliance, and streamlining their operations.

In my next blog series post I'll write about other key technologies for enabling organizations to transition to virtualization and cloud in a secure and pragmatic way.


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

Common Criteria – a good concept in transformation

Published: March 25 2010, 08:03 AM | 3 Comment(s)
by Joshua Brickman

In my first blog, I pointed out that although it’s a good idea, Common Criteria is expensive, not widely adopted beyond government, and could be improved by transforming to Protection Profiles for enterprise security management. Today the industry is on its way to doing just that – transforming Common Criteria.

The core of the problem with Common Criteria when it comes to enterprise security management (ESM) is there is nothing “common” about it. Each time we or any other vendor wants our products evaluated, we must rewrite a custom security target or requirements document.

Protection Profiles are what the industry is moving toward to simplify and reduce the cost of the Common Criteria  process.  Protection Profiles establish a set of standard features one would expect to find in a certain product. Call it a requirements document, if you want. These would allow government agencies to compare apples to apples and make better informed decisions when acquiring products. Today under Common Criteria, comparisons in the ESM space are not as straightforward because each product has its own security target document.

If Protection Profiles existed for ESM now, at least 64 products from CA, IBM, EMC, Oracle, Symantec, and Microsoft would be compliant.  At the 10th International Common Criteria conference in Tromso, Norway, I gave a talk with Booz Allen Hamilton that laid out the plan to develop this new family of “Protection Profiles” for Enterprise Security Management.     The plan was lauded by the Common Criteria Development Board (CCDB) as the community-based approach they wanted other technology types to follow to update and build out these new standards.   Since this project started, a similar team was formed to update the Firewall Protection Profile. 

This month I participated in the Common Criteria Vendor Forum meeting with the Common Criteria Development Board at the 2010 RSA Conference.    I presented how we are leading a team of ESM Vendors in an effort to build out Protection Profiles to close the gap for Enterprise Security Management products.  

We just kicked off the Global Threat Analysis portion of the project.  A survey will be distributed world-wide to determine the priorities for this new standard.   Participants are the government agencies that buy our software.   The primary goal of the survey is to get our customers to set the priority among the six technology types in the ESM space:  Access Control, Centralized Policy Management and Distributed Enforcement, Identity Management,  Data Loss Prevention and Log Collection.  

In my next blog I’ll present the results of the survey and announce which technology the team will focus on for the first ESM Protection Profile which we hope to publish by the end of the year.

 


By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last four years (in both the U.S. and Canada). Brickman has given talks at the last four International Common...

Should Governments Buy Stolen Data?

Published: March 25 2010, 07:57 AM | 1 Comment(s)
by Matthew Gardiner

There is a disturbing trend of governments buying data that was illegally taken from companies.  A recent article first published in the Wall Street Journal and made available on this Web site, details the story of a French IT person who was working for a large international bank and stole client data, attempted to sell the data to certain governments, then had it seized by the French - who by the way have decided to hang onto it as it might be useful.  This "system" is broken on so many obvious fronts.  How can anyone consider this a good way to conduct business? 

Governments should not be in the business of buying stolen data.  Could there be exceptions to this rule?  Perhaps, but only around real national security issues, like terrorism, not non-violent crimes, like tax evasion.  There are legitimate channels through which governments can get access to data; paying off IT guys who take it for them should not be one of them.

It's obvious that organizations which handle highly sensitive data must improve the way they manage this data and the associated systems.  There are almost daily stories of so-called "privileged users," typically IT guys, who purposely or accidentally violate their duties and gain access to data and systems that they shouldn't have.  If data like this didn't leak, then governments (or anyone else) wouldn't be in a position to buy or seize it for their own purposes.  Yes, easy to say, but this can actually be accomplished with commonly available systems and practices.

The bottom line is that the data should not have been stolen in the first place and most certainly should not be purchased by governments.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...
