Catalyst Conference 2008



November 2007

November 29, 2007

CDO-my! Will IT get “SOX”ed again?

Blogger: Diana Kelley

Remember when Enron and WorldCom were melting down? When the venerable Sarbanes and Oxley came up with their now infamous bill? As an IT security professional did you have any inkling that these events would forever change our IT lives? Few of us did – until section 404 became woven into the fabric of most security professionals' lives.

SOX was meant to protect investors by providing them with real numbers in the annual report. Numbers that could be used by investors to realistically assess the health and financial projections of the corporations they were investing in. For IT folks it became an exercise in access control, logging, firewall management, and identity management. Few would support the assertion that Enron, Andersen, or WorldCom fell because their IT systems were not being managed properly – because a firewall wasn’t configured properly or a mail server went down. While evidence of some of the misdeeds could have been preserved by IT mechanisms (forced email archiving, for example) – the bottom line is that if CEOs and CFOs are feeding bad data into the books and then forcing deletion of the real records, there’s not a lot the IT departments can do about that.

Well, here it is, the end of 2007 and it seems we’re going back to the future with bad information to investors. This time around the problem centers on risky subprime lending, CDOs (collateralized debt obligations) and SIVs (structured investment vehicles). For more information on CDOs, Peter Eavis of Fortune provides a much clearer explanation than I could. These structures resulted in billions of dollars of write-downs at Merrill Lynch and Citigroup this fall and in the departures of Merrill's and Citi's CEOs. Reports indicate that Bank of America and HSBC are also at risk for significant losses.

Did investors have any clue that the financial institutions (FIs) were at risk for such heavy losses? It looks like the answer is no, because the full risk exposure associated with CDOs was kept off the balance sheet even though the FI is ultimately responsible if losses occur in association with the CDO.

Which to me would mean it was always a risk exposure and should have been on the balance sheet. But what do I know? I’m neither an economist nor an accountant.

But I am an IT security professional and I’m smelling something brewing here. If we in IT had a major hit from SOX/404 – is it possible that the CDO meltdown is going to result in more work, regulations, and compliance fire drills for IT? I think it just might. For example, IT may be enlisted to help ensure that the databases or spreadsheets where the officially "off balance" information was kept are available and that access to this data is being audited and monitored. With any luck, though, we should be able to leverage our SOX work if new regulations hit the books after the 2007 CDO crisis.

For savvy IT teams, I recommend getting ahead of the curve by reviewing the audit and monitoring for accounting systems and key financial databases. Also, review access control and identity management for employees and partners who have access to those systems. And finally, especially for FI IT teams – check on monitoring and archiving for all key communications channels. This includes SMS messages, email, VoIP, and IM. If proper controls are already in place – new legislation or audit rules should be a matter of mapping existing controls to the new requirements.

We’re living in a reactive world where legislation is written when new loopholes are exposed. This may be how financial and tax law is created – but in IT we don’t have to be in perpetual response mode. Be proactive about documentation and controls – and strive to be ready to map and support, rather than scramble and slide, when the next decree comes down.

November 21, 2007

The Security Researcher in Plato's Cave

Blogger: Bob Blakley

In Plato's cave, the things we see are just shadows cast by an archetype, which we cannot see, outside the cave. We have to infer the archetypes by examining the shadows.

Here's an archetype:

a. An individual uses a product for its intended use and observes that in that intended use the product is hazardous.

b. The individual publicizes the fact that the product is hazardous.

c. Consequences ensue.

Now let's look at two shadows of this archetype.

1.

a. Shelby Esses of Jacksonville, Ark. gives her son Jack a number of Spin Master Aqua Dots - a toy designed to let children create pretty designs.

Jack swallows the Aqua Dots and loses consciousness. Jack is hospitalized and it is discovered that the Aqua Dots are coated with a substance (1,4-butanediol) that the body metabolizes into the sedative GHB.

b. In due time, this incident is reported to the US Consumer Product Safety Commission and the media.

c. The product is recalled. Its Australian originator (Moose Enterprises), its North American distributor (Toronto-based Spin Master) and its Chinese manufacturer are publicly identified and may be subject to legal action or government sanctions.

(links:
http://www.nytimes.com/2007/11/08/business/worldbusiness/08recall.html?_r=1&oref=slogin

http://www.cnn.com/2007/US/11/08/toys.daterapedrug.ap/)

2.

a. Dan Egerstad, a Swedish security researcher, configures several Tor exit servers and observes sensitive traffic flowing in the clear through them. Tor encrypts traffic between its relays, but the hop from the exit server to the destination carries whatever the application sent; unless the application itself used encryption (TLS, for example), the exit operator sees plaintext, credentials included.

b. Dan publicizes the hazard to security and privacy by revealing the information he has observed flowing through his server.

c. Dan Egerstad is arrested. There is no evidence that the users of Tor servers have changed their behavior, Tor has not been recalled or revised, the Tor site has published no advisory, and no one appears to contemplate action against Tor's designers.

(links:
http://www.schneier.com/blog/archives/2007/11/dan_egerstad_ar.html
https://www.torproject.org/)

Arresting, raiding or prosecuting security researchers for publicizing flaws isn't new; just ask Chris Soghoian or DVD Jon. Winston Churchill recognized the problem, and the solution. He said "I decline utterly to be impartial between the fire brigade and the fire".

Security researchers are not the enemy. Jailing them is based on the assumption that the enemy is dumber than we are, and will not figure out how to attack systems unless we tell him. This assumption is false.

Operating under this assumption and jailing security researchers will have the effect of ensuring that the good guys cannot work together to build an effective defense, while bad guys can work together to build effective attacks.

If society decides that these are the rules they want us (security researchers) to play the game by, we will play the game by these rules - because we're the good guys, and we believe in following the rules.

But if we play the game by these rules, we will probably lose. And so will you.

You pays your money and you takes your choice, but you only gets what you pays for. Think about how you want to treat your fire brigade. Your life - or at least your bank account - might depend on it one day.

November 07, 2007

Data Leakage Prevention (DLP): Moving Toward Architectural Normalization

Blogger: Trent Henry

It's official: Symantec is buying Vontu.

Burton Group started covering content filtering solutions in 2003, when the solution space was very new. As filters branched into both the network and the endpoint, watching for content-in-motion as well as content-at-rest, we began to see the term data leakage prevention (or protection) applied. Recent DLP solutions have brought improved linguistic analysis capabilities that we hadn't effectively seen before.

Although the broader industry long questioned the value of DLP tools, Burton Group felt that--although immature--such technologies completed an important part of the information protection portfolio. Specifically, they served as the detective counterpart to preventive data controls like encryption and access/authorization management. And, now that DLP tools have four years of development under their belt, they also have preventive elements.

We've illustrated the desirability of leakage prevention in our latest update to the content-control templates in Burton Group's Reference Architecture. Here's a simplified snapshot for data-in-motion:
[Figure: Burton Group Reference Architecture content-control template for data in motion]
(Although many tools can play a role in protecting content, note the highlighted role of network- and host-based filters.)

In addition, these tools are moving beyond confidentiality protection to address other security objectives. For example, some are playing a role in finding sensitive information at rest, which can be important not only for data protection but also for business requirements like e-discovery. Note the increasing sophistication of the architecture, with tools playing a role in retrospective information classification and analysis:
[Figure: Burton Group Reference Architecture template for discovery and classification of data at rest]
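To make the architectural split concrete, here is an added example of a minimal content filter, my own illustration rather than Burton Group's, Vontu's or Symantec's code. It shows the two roles the templates above assign to these tools: an in-motion gate that runs in either detective mode (alert, let the message through) or preventive mode (block and redact), and an at-rest discovery pass that applies the same detectors to stored content and yields a classification. The detector patterns, the mode names, the classification labels and the sample message and file share are all constructed for the example; the Luhn check is included because it is what keeps an order number from being reported as a card number.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed detectors (hypothetical patterns, not any vendor's rules).
# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form; the lookaheads reject never-issued area/group/serial values.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str      # "pan" or "ssn"
    value: str     # matched text as it appeared
    redacted: str  # what the preventive path substitutes


def find_sensitive(text: str) -> list[Finding]:
    """Content inspection shared by the in-motion and at-rest paths."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("pan", m.group(), "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group(), "***-**-" + m.group()[-4:]))
    return findings


def classify(text: str) -> str:
    """Retrospective classification: label content by what the detectors found."""
    return "restricted" if find_sensitive(text) else "unrestricted"


def inspect_in_motion(message: str, mode: str = "detective") -> dict:
    """Network/host filter for content in motion.

    detective  -> report and pass the message through unchanged
    preventive -> block the message and hand back a redacted copy
    """
    findings = find_sensitive(message)
    if not findings:
        return {"action": "allow", "findings": [], "body": message}
    if mode == "detective":
        return {"action": "alert", "findings": findings, "body": message}
    if mode != "preventive":
        raise ValueError(f"unknown mode {mode!r}")
    body = message
    for f in findings:
        body = body.replace(f.value, f.redacted)
    return {"action": "block", "findings": findings, "body": body}


def discover_at_rest(corpus: dict[str, str]) -> dict[str, str]:
    """Discovery pass over stored content; returns a path -> classification map."""
    return {path: classify(text) for path, text in corpus.items()}


# Constructed sample data (a mail body and a small file share), not real records.
# 4111 1111 1111 1111 is a well-known test number that passes Luhn; the order
# number 1234 5678 9012 3456 does not, so it must not be reported.
SAMPLE_MESSAGE = (
    "Hi, please charge card 4111 1111 1111 1111 for order 1234 5678 9012 3456 "
    "and file it under SSN 219-09-9999. Thanks!"
)
SAMPLE_CORPUS = {
    "share/finance/q3-refunds.txt": "Refund to 4111-1111-1111-1111, approved.",
    "share/hr/onboarding.txt": "Candidate SSN 219-09-9999, start date Monday.",
    "share/marketing/launch.txt": "Ship the deck by Friday; budget ref 1234 5678 9012 3456.",
}

if __name__ == "__main__":
    for mode in ("detective", "preventive"):
        result = inspect_in_motion(SAMPLE_MESSAGE, mode)
        print(mode, result["action"], [f.kind for f in result["findings"]])
        print("   ", result["body"])
    for path, label in discover_at_rest(SAMPLE_CORPUS).items():
        print(label.ljust(12), path)
```

Run as a script, the detective pass reports a card number and an SSN but delivers the message untouched, the preventive pass blocks it and returns a body with both values masked while the Luhn-failing order number is left alone, and the discovery pass labels the finance and HR files restricted and the marketing file unrestricted. A real product adds many more detectors, fingerprinting of known documents and policy per channel, but the detective/preventive split and the shared inspection core are the shape the templates describe.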

This week marks the latest in a flurry of acquisition activity in DLP. Symantec, which we've been saying lacked this important element in its product suite, snapped up Vontu for $350 million (or, more accurately, announced plans to do so). Of the vendors covered in our original network content filtering report, here's the acquisition scorecard:

  • Vontu - (to be) bought by Symantec
  • Oakley - bought by Raytheon
  • Provilla - (to be) bought by Trend Micro
  • Tablus - bought by EMC/RSA
  • Onigma - bought by McAfee
  • Port Authority - bought by Websense
  • (Another forgotten acquisition was AmikaNow by Entrust, which later was abandoned)

In keeping with Burton Group's notion of the "long tail of risk" (a version of which can be found on ZDNet), we're seeing these small, innovative companies satisfy an architectural gap in bigger-vendor products. Acquisitions are the means of normalizing the preventive/detective portfolio for data protection. If the acquiring companies execute well--and we have some suggestions for them on this front--then the result will be better information security platforms for enterprises.

The bottom line? We like this acquisition. It makes a huge amount of sense for Symantec in filling out its strategy around information-centric security. By providing capabilities to protect content in motion and to keep an eye on sensitive data at rest (like information stored in Enterprise Vault), Vontu helps satisfy a pressing architecture need.