Wings of Hermes – Berin's Infosec Blog

Infosec the world and everything

It’s interesting to watch the changing attitude to patching on workstations. I’m probably a bit behind the eight ball on this stuff – patching has never been a favourite subject of mine (I get frustrated with the amount of time and effort patching can take up with no real visible value created). But what’s interesting is the move from patching being something that has to be done very carefully to something that is just “par for the course”. Organisations expect to have to do it, so you no longer get the push-back we used to get.

It’s a bit like AV – when it first became commonplace, there was an update once a week (or even once a month!) and change control was required to get it out there. Now it just happens as often per day as is necessary. The danger of course is that it’s now easy to forget about it, and the first you know that something isn’t working right in your organisation is when you get an outbreak of something nasty. (Welcome, security metrics!)

I wonder how long it will be before patching is that invisible on workstations? We must be getting close – I’m watching apps on the iPhone update very regularly, and it’s not that big a jump to see it be that regular (and transparent) on Windows.

Or is that wishful thinking?

Isn’t the iPad phenomenon interesting! I’m firmly in the camp that it’s a “good thing”, and having played with one I think it’s wrong to compare it with a laptop – the whole concept is different. It’s not about having a small form factor fully functional computer – it’s about having a small device that is instant on and gives you access to web/cloud services and media.

I find the instant on is important. In the house I tend to avoid turning on the computer if I have to look up something quickly. It’s too much hassle. The iPad/iPhone (or similar devices) are instant on – net access conveniently and quickly.

From a security perspective I find the iPad/iPhone fascinating. On one hand the built-in security functions are ordinary: device lock is a 4-digit PIN, there is no automatic encryption of the flash storage, and if you’ve tried to program one (I have) you’ll know that information on things like the cryptographic libraries is hard to find.

On the other hand, the construction of the application environment is great. I love the fact that each application is sandboxed from the others. I think in version 4 of the OS there will be shared data of some kind – but I’ve not got my head around that yet. It starts to make it the perfect access device.

I’m using my iPhone now for all my banking needs. Why?

  • The only virus I’ve seen was the Rick Astley concept virus. I’m sure there will be others, but at the moment there is less of a focus on the iPhone for malware. (And I’m not planning to jailbreak any time soon.)
  • The sandbox environment makes it less likely a badly behaved/insecure application can undermine the entire phone. Not by any means infallible, but not a bad start.
  • The device is simpler than a computer running a full operating system. Simpler = less to go wrong = easier to secure.

So on one hand you have a device with little in the way of the enterprise security features you might expect in a laptop (full disk encryption, password management etc.). But on the other you have a simple device which, for accessing cloud or web type services where the data is not stored on the device, is perfect.

So all in all – I’m in favour. I like the whole concept and I think the more iPad like devices we see, the better it’s going to be for security – with the caveat that the device is about access not storage. So to sum it up:

  • If your need is access to sensitive information/data/applications without local data – the iPad is a great device.
  • If your need is storage and local handling of sensitive data/applications – stick with a laptop for now!

And this is interesting as well. The old question of how do you know the person you are talking to online is who you think they are.

Although you gotta ask – why would anyone just hit accept on a friend request from someone they didn’t know? Education in this space just has to get better I think.

I’ve been following the whole Facebook privacy saga with great interest. It’s good to see that Facebook are about to put in some fixes. Some would argue a little too late – but then the business of Facebook is about dealing in people’s private information, so I would have been surprised if they jumped to action any quicker than they absolutely had to.

As a security practitioner, the whole Facebook (and social media) phenomenon scares me a little. At the moment the bulk of the discussion is about how people don’t want their personal information shared. But the reason it scares me is that the personal information being discussed is what web sites for large organisations (e.g. banks) have been using to authenticate people for a long time. The typical password reset questions are things like “what is your mother’s maiden name” or “what is the colour of your car”.

Well you can find the answers to these questions (and more!) on social media sites. And with members in the 100s of millions, that’s a lot of information for fraudsters to mine.

So my doomsday scenario – what happens when someone hacks the Facebook database?

Didn’t take long – for a site that is only linked from another site that is not high up in Google – 2 and a bit weeks. Scary how quick they are!

I was reminded this week about just how bad complexity is for security people. And the problem is that complexity is getting worse in our networks. Virtual systems have a lot to answer for here, I reckon. I firmly believe that the first question anyone should ask when running up a virtual system should be “would I install this on a new physical device if there was no virtual version?” If the answer to that question is “no” then for God’s sake do not run it up on a virtual system. There is too much “because I can” going on in the virtualisation world.

Take virtual firewalls. They were all the rage for a while – and the vendors still tout them left, right and centre. I like them in very specific circumstances, but in places where the security peeps have been given free rein, they cause countless problems. You start having trouble working out what traffic is going through which firewall, and “which firewall should this rule be on?” becomes an interesting question.

And don’t even start me on what it does to the network topology.

On the other hand – if you would separate it onto a physical box anyway – then virtual firewalls are fantastic. Interface-wise it’s exactly like you installed a new box, but infrastructure-wise it’s a significant saving.

Just don’t run it up for the sake of it….

I’ve been thinking about a concept lately that came up in a discussion around security’s “Hierarchy of Needs”. Most people would be familiar with the basic concept from Maslow’s Hierarchy of Needs – the idea being that all humans have a set of needs, and the higher level needs can never be truly satisfied until the more basic needs are. As an example, fulfilment of friendship or work satisfaction needs are unlikely to be important if the more basic requirements of life such as being fed/watered/sheltered are not being met.

(I’m sure I’m doing Maslow a complete disservice – but you get the idea).

So – what is the parallel for security?

Most security professionals these days will tell you that the key to security is working with the business to understand and quantify risk to allow the business to make its own informed decisions.

I think that’s true – and yet in some ways the average security professional doesn’t actually live by it. (Risk management people do – but I generally view security people as having (and needing) a different philosophy to risk people.) The average security person in a large organisation will tell you that you have to patch and you have to run anti-virus. If the business is not funding these things then we’ll generally trot out the line “it’s a business decision” – but if we are honest with ourselves we don’t believe it.

In fact in any large organisation (and all of this really holds true in large organisations – the argument breaks down for smaller ones, as I think it actually does turn into a risk equation) there are certain things you have to do. And I think that comes from the fact that as an organisation grows in size, the probability of a bad event happening from a lack of basic security approaches unity. And given that a security event coming from a lack of basic security generally means the organisation stops functioning, then almost by definition the risk is at an unacceptable level.
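To put a number on that “approaches unity” argument, here is a small added example (mine, not from the original post) that works through the arithmetic. It assumes every host has the same fixed probability p of being compromised in a given period because a basic control is missing (say, an unpatched workstation), and that hosts are compromised independently of each other. Both are simplifications made for illustration: real incidents are correlated (one compromised host is used to reach the next), which makes the first compromise matter more, not less, and does not change the direction of the conclusion.

```python
from __future__ import annotations

import math


def p_at_least_one(p_per_host: float, n_hosts: int) -> float:
    """Probability that at least one of n_hosts suffers an incident in the period.

    Assumes each host has the same per-period probability p_per_host and that
    hosts are independent (an assumption made for this illustration).
    P(no incident anywhere) = (1 - p)^n, so P(at least one) = 1 - (1 - p)^n.
    """
    if not 0.0 <= p_per_host <= 1.0:
        raise ValueError("p_per_host must be between 0 and 1")
    if n_hosts < 0:
        raise ValueError("n_hosts must be non-negative")
    return 1.0 - (1.0 - p_per_host) ** n_hosts


def hosts_for_target(p_per_host: float, target: float) -> int:
    """Smallest fleet size n at which P(at least one incident) reaches target.

    Solving 1 - (1 - p)^n >= t for n gives n >= ln(1 - t) / ln(1 - p).
    log1p keeps the small-p case precise; the final loop corrects for any
    floating-point rounding that leaves the closed form one host short.
    """
    if not 0.0 < p_per_host <= 1.0:
        raise ValueError("p_per_host must be greater than 0 and at most 1")
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be at least 0 and less than 1")
    if target == 0.0:
        return 0
    if p_per_host == 1.0:
        return 1
    n = math.ceil(math.log1p(-target) / math.log1p(-p_per_host))
    while p_at_least_one(p_per_host, n) < target:
        n += 1
    return n


def fleet_table(p_per_host: float, sizes: tuple[int, ...]) -> list[tuple[int, float]]:
    """P(at least one incident) for each fleet size, for a quick comparison."""
    return [(n, p_at_least_one(p_per_host, n)) for n in sizes]


if __name__ == "__main__":
    # Constructed figure for illustration only: a 0.1% chance per host per
    # month that an unpatched workstation gets compromised.
    p = 0.001
    for n, prob in fleet_table(p, (10, 100, 1_000, 10_000)):
        print(f"{n:>6} hosts: P(at least one incident) = {prob:.4f}")
    print(f"fleet size at which it reaches 99%: {hosts_for_target(p, 0.99)}")
```

With the constructed 0.1% per-host figure, ten hosts give roughly a 1% chance of an incident in the period, a thousand hosts about 63%, and ten thousand hosts effectively certainty; the 99% mark is passed at a little over 4,600 hosts. That is the point of the argument above: at fleet scale, a missing basic control is not a risk the business is choosing to accept, it is an incident that is going to happen.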

So what does this mean? I think security people need to get better at separating out what are basic controls from what are things we are actually comfortable letting the business accept as a risk.

Note that word comfortable – I’m not saying we should dictate to the business – but that in our own heads we need to separate what we are comfortable with from what we are not. That still sounds perilously close to telling the organisation what it needs to do, but I think that as a security manager, if you aren’t doing that for basic stuff in a large organisation then fundamentally you are not doing your job.

It shouldn’t be about “if the CEO says we don’t need to patch then it’s OK” it should be about the security person going to the CEO and saying “we just have to do this – anything less is a failure in our duty of care to the company”.

And to be honest – I’m not sure I’d want to work in a company that didn’t want to patch. Or at least manage the risk somehow – I’d be OK with any control that manages the vulnerability issue – as long as it’s being managed.

The Hierarchy

So how does this match up to the hierarchy of need? Well I’d argue that if you are running security, there is not a lot of point talking about “Business Risk Management” if you do not have a handle on patching (using our example above).

Do the basic requirements have to be perfectly under control? No – but if they aren’t and you are spending all of your time building the perfect risk management framework, then I think you are getting your focus wrong.

So in terms of the hierarchy of need I’d picture something like:

One other thing to note is that what constitutes a basic security need (or in fact anything in any of the layers) will change from organisation to organisation. That’s where the risk analysis comes back into its own. Some things will be deemed too high risk to compromise on. Others can be managed in consultation with business owners.

An interesting Corollary

Looking at the three levels they give an idea of where security is a “value add” to the organisation. The most basic security needs are your “ticket to play” (and should be enshrined in policy). The next level is the sound security management that the organisation feels it needs to do.

But the top level is where security can really add value. By helping the business accept risk in potentially competitive areas, security can give the organisation an advantage. A security team that is too strict can do a lot of damage in this area by holding an organisation back.

Well – it looks like the time has come to play with blogs and thoughts. Given my interests are primarily around information security – my guess is that this will turn into a set of random thoughts on the topic!