Catalyst Conference 2008

October 2007

October 29, 2007

Catalyst EU and the Global Perspective on Information Security

Blogger: Dan Blum

Bringing together a diverse, multinational group of IT experts, Burton Group’s European Catalyst conference illuminated a number of global IT security issues. As my plane lifts off into the sky above the coast of Barcelona, many still reverberate, concerning compliance, security and authentication.

The Unlikely Complexity of Log Management

One of our most intense speakers – Jay Leeks of Nokia – spoke on log management. At first blush this does not seem to be a topic of great architectural and legal complexity, but as Jay leads you through his global log management project learnings, an intricate landscape is revealed. For in the global company logs are much more than the drainage pipes of IT; they are repositories of much significance to multi-jurisdictional privacy, evidentiary and management functionality.

In Finland, where Nokia has its headquarters, sender IP addresses in the headers of emails are considered private information. Inside the envelope of a company email, the employee still has some privacy rights in many jurisdictions, though generally not in the United States. Likewise there is variance in retention requirements, with some countries demanding certain information items be retained, but others demanding they be destroyed after a period of time. Scope of regulatory jurisdiction is often unclear; it may cover information that is stored in the country, information about citizens of that country wherever it may be stored, or both. Nokia’s global log architecture is decentralized to allow for flexibility in what is stored, and where and how it is managed; but information can still be aggregated or searched centrally for enterprise-wide reporting purposes.

Nokia’s lawyers have said the full brunt of regulatory duress falls only on the raw log data, not on the ephemeral and normalized representations constructed later by security event and information management (SEIM) systems. Yet raw log data cannot be arbitrarily disposed of like so much sewage, for we know that only well-preserved original logs collected during the normal course of business are admissible in court proceedings.
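As an added illustration (not code from Jay Leeks's talk or from Nokia's architecture), the following Python sketches the split the post describes: raw records are hash-chained and held under a per-jurisdiction retention rule, while the SEIM-side view pseudonymises fields that a given jurisdiction treats as personal data. The policy table and the log records are constructed placeholders, not real retention rules or real mail logs.

```python
"""Per-jurisdiction handling of raw vs. normalized log records (constructed example)."""
import hashlib
import json
from datetime import date

# Constructed policy table (not Nokia's real rules): minimum days raw logs must be kept,
# the age at which they must be destroyed (None = no mandated destruction), and whether
# the jurisdiction treats sender IP addresses as personal data.
POLICY = {
    "FI": {"keep_min_days": 180, "destroy_after_days": 365, "ip_is_personal": True},
    "US": {"keep_min_days": 365, "destroy_after_days": None, "ip_is_personal": False},
}


def disposition(record, today_iso):
    """Decide what to do with a RAW record: 'retain', 'eligible' (may be deleted) or 'destroy'."""
    rule = POLICY[record["jurisdiction"]]
    age = (date.fromisoformat(today_iso) - date.fromisoformat(record["date"])).days
    if age < rule["keep_min_days"]:
        return "retain"
    if rule["destroy_after_days"] is not None and age >= rule["destroy_after_days"]:
        return "destroy"
    return "eligible"


def normalize(record, salt):
    """Build the SEIM-side view: pseudonymise the sender IP where it is personal data."""
    view = dict(record)
    if POLICY[record["jurisdiction"]]["ip_is_personal"]:
        digest = hashlib.sha256((salt + record["sender_ip"]).encode()).hexdigest()
        view["sender_ip"] = "pseudo:" + digest[:16]
    return view


def chain_hash(records, prev="0" * 64):
    """Hash-chain the raw records in order; any edit, removal or reordering changes the tip."""
    for rec in records:
        prev = hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()
    return prev


# Constructed sample raw records (not real mail logs).
RAW = [
    {"jurisdiction": "FI", "date": "2007-01-10", "sender_ip": "192.0.2.10", "event": "mail.accept"},
    {"jurisdiction": "US", "date": "2007-01-10", "sender_ip": "192.0.2.20", "event": "mail.accept"},
]

if __name__ == "__main__":
    for rec in RAW:
        print(disposition(rec, "2007-10-29"), normalize(rec, "site-salt"))
    print("raw chain tip:", chain_hash(RAW))
```

The raw records feed `chain_hash` untouched so their integrity can later be demonstrated; only the `normalize` output is what the SEIM sees.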

No Fees? No Worries.

Though the U.S. may still be one of the more benign environments for managing your logs, it has become a harsh and unforgiving environment for credit card processors – especially those who experience a breach (or just run afoul of their Payment Card Industry (PCI) auditor). Yet Europe remains relatively indifferent to the apparently urgent topic of PCI Data Security Standard (DSS) compliance.

To see why this is, one need only follow the money. After the TJX breach, the credit card companies began raising the fees of credit card processors who cannot satisfy their PCI auditors. A 1% increase in an organization’s credit card fees can cost millions or billions of dollars or euros – enough to justify many, many security countermeasures to avoid the fee. But the higher fees fall only on processors in the U.S. and generally not in Europe.

What is the difference? A Ponemon, White and Case survey found that 94% of European companies reported (confidentially) that they had experienced a breach in the past three years, compared with only 86% of U.S. companies. But whereas the U.S. has a free-wheeling market for instant consumer credit and makes heavy use of card-not-present transactions over the phone and over the Internet, use of credit is much more restrained in Europe. Also, European companies have tight use restrictions on personal data and perform much less data collection due to stronger privacy regulations in the EU.

Just as Windows used to be an environment (unintentionally) designed for computer viruses, the U.S. consumer market still seems to be an environment that could have been designed expressly for identity theft. How far will the country go? During the baseball playoffs, Visa was running a commercial showing how easy and convenient credit cards are becoming and making cash transactions look like discordant anachronisms at the checkout line. It would be interesting to know if similar ads are running in Europe, and whether Europe will ever follow the lure of easy credit as far as the U.S. has. According to Ponemon, if they do so without adding more of the U.S.-style controls, they'll suffer an even worse outbreak of ID theft…

Even before that point, European complacency over PCI may not last, as the EU is mulling its own breach notification requirements. If these become law, we shall soon learn whether or not the Ponemon survey is accurate. For our part, Burton Group suspects security weaknesses are universal.

October 15, 2007

Educational paths to information protection: art versus science?

Blogger: Trent Henry

There's a lot of cool stuff out there.

I'd known for a long time that my alma mater had lectures and other educational podcasts freely available on iTunes, but late last week I ran across iTunesU (www.apple.com/education/itunesu/) for the first time. A treasure trove of learning materials, one could spend a lifetime exploring anthropology to zoology. (Well, maybe not quite that much content is available yet, but it's on the way....)

Being the faithful Cardinal, I browsed offerings from The Farm and quickly ran across "Forty Years of Computer Science: A Retrospective" with luminaries like John McCarthy and Don Knuth (the latter of whom endeared himself to me when once asked how to pronounce his typesetting program TeX, he answered, "you know you've pronounced it correctly if there is spittle on your monitor afterward.") These are amazing people who have contributed amazing things to computing. And many other lectures in Science & Technology are similarly intriguing.

But then it occurred to me: where's information security?

I poked around iTunes a bit more and found no academic treatment of the topic, although there were a few (non-iTunesU) podcasts on the subject. So I broadened my search a bit. I went to the Open Courseware Consortium (ocwconsortium.org) to see what free college-level educational materials were available for our discipline. Looking at the offerings from member organizations, I found a few courses, all from MIT:

  • MIT: "Network and Computer Security"
  • MIT: "Cryptography and Cryptanalysis"
  • MIT: "Selected Topics in Cryptography"
  • MIT: "Advanced Topics in Cryptography"

Given the plethora of other topics, that's an awfully small list. Is this just weird happenstance, or is it a more general indication that information protection isn't given much of a place at the higher-ed table?

I knew that UC Davis's computer security lab and Purdue's CERIAS were strong degree-granting programs, so after researching their sites a bit more I learned about the NSA's "National IA Education & Training Program" (www.nsa.gov/ia/academia/), which maintains a list of Centers of Academic Excellence in information assurance. They reference over 80 programs across the United States. That was comforting. It shows that some amount of educational focus is going on. Still, looking more carefully, I found that although universities like Georgia Tech and Johns Hopkins actually grant degrees, many of the schools only offer courses as a small multidisciplinary extension to other programs. My concern returned.

Perhaps, like system administration, information protection is viewed more as art than science. Is it OK for practitioners to pursue undergraduate CS degrees with limited exposure to infosec, and then get on-the-job security training over time? Or, just as likely, is information protection well served when someone receives an entirely non-technical degree and then haphazardly finds their way to this field? My own journey was certainly circuitous. I planned to study International Relations and enter the diplomatic corps, but computer science drew me in, and I coupled it with sociology/education to create an interdisciplinary degree (I was going to be all about educational software--it didn't happen). But a stint in network engineering turned me on to security, and I haven't looked back. I don't think my story is all that unique. And I'm not sure this ad-hoc approach is the best way to further our domain.

I'm not saying that all security practitioners should have degrees in information assurance/security/protection/whatever. Rather, I'm arguing that we should call for improved education programs in this discipline, to provide the next generation of practitioners and researchers essential background. In other words, information protection should be taught as a primary area of study. This call is not only to academics; it goes out to the private sector as well. Although the US Department of Homeland Security offers a DHS Scholarship and Fellowship Program (www.orau.gov/dhsed), the only vendor support I could find was Symantec's ongoing Graduate Fellowship program, in which they fund select candidates' research endeavors. We need much more of this type of support from the vendor community.

In short, it's time to put educational resources and rigor behind information protection. It's important stuff. And we should see that reflected in students and practitioners of the future.

(Bonus blog question: Given the ostensible link between information protection and computer science, how many security-related Turing Award recipients have there been? [You have to look beyond the obvious 2002 award to RSA namesakes Ron Rivest, Adi Shamir, and Len Adleman...])