May 12, 2009

Locked down desktops

Had a customer inquiry on what my recommendation was for Windows administrative rights on desktops.

My recommendation, and Microsoft’s, is that enterprises set up managed Windows workstations (i.e., organization-owned and controlled) in the “standard user” configuration, with no local administrative rights for the account used day to day.

The prerequisite for this policy is an IT support infrastructure capable of pushing software and configuration changes out to client workstations, either through a tool such as Symantec/Altiris or Microsoft System Center Configuration Manager, or through remote installations by IT staff, depending on the situation and the number of users requiring the changes.

The standard user configuration may need to be tweaked for different types of users; for example, mobile users may need wireless access or the ability to change time zones. Vista and Windows 7 offer more flexibility here than XP (a Vista standard user can change the time zone without elevation, for instance); with XP it has often been necessary for administrators to unduly weaken the standard user configuration for “power users.”

There are a few cases where exceptions generally must be made:

1) Client-side application developers or testers who need to frequently adjust operating system settings and install/reinstall software
2) Knowledge workers or market researchers who can justify a legitimate business need to frequently install/reinstall software
3) Users who do not have access to the IT support infrastructure

If the IT support infrastructure is lacking or the policy is not strongly enforced, categories (2) and (3) can grow fairly large.

All that said, it may be that the locked down desktop will fall into the minority of what enterprises have to deal with as trends such as telecommuting, partnering, outsourcing, crowdsourcing, and consumerization gather force.

In the coming months, I'll be researching a topic along the lines of "Endpoint Virtualization to the Rescue: Protecting Against Unmanaged Desktops and Mitigating Information Sprawl."

May 10, 2009

EV Revisited - Will the Green Bar Save Your Life?

This post is a quick followup on Trent Henry's "This Green Bar Will Save Your Life!" and a subsequent call with Verisign to discuss the merits of Extended Validation SSL certificates.

If you look at the Verisign EV SSL case studies it's pretty clear what the selling point is. Lines such as “48,000% ROI” and “30% more conversions” should be enticing enough to many a merchant. The thinking, of course, is that a customer will be more trusting of the merchant's online presence (i.e., less likely to abandon a purchase). Even if the ROI isn't quite so high this may well be a case of an investment so small - to larger merchants - that it doesn't hurt to try, or perhaps a case of not wanting to be seen as an organization that “doesn't care about security because it doesn't use the green bar.”

So although I'm not sold on the exact numbers I do get the economics - the ROI potential is rosy, but what about the ROSI (return on security investment)? Let's set aside for a minute the browser-side and server-side issues with cross-domain content as discussed in Trent's post and shown by the PayPal XSS vulnerability last year, as these are not solvable with just EV SSL (I've commented on the need for better browser controls here). We'll focus on the usability side: how well does this help users resist “plain” phishing?

Two case studies we discussed on our call did actually note an increase in phishing resistance for the consumers, but - like the economic studies - these were not controlled for other variables. One was a laboratory experiment, and we cannot derive results for long-term effects. And while the other was a real-life study, EV SSL was deployed along with a consumer security awareness campaign and other controls - it's particularly difficult to determine the efficacy contribution of a single control in such a case.

In other words, I find these studies promising but inconclusive. I'm certainly not looking to diss the idea of EV SSL. In fact, from a usability perspective I think the green browser bar is a gigantic leap forward from the padlock icon. However, I'm not at all sold on the security benefits beyond the increased consumer trust (if you want to call that a security benefit) that brings more money to the merchants. My hope is that we'll see some more, better studies on this subject and work towards a better browsable future - after all you can only manage what you measure.

April 26, 2009

Musings on the RSA show experience

Blogger: Phil Schacter

Going into this year’s RSA show I had some concerns that the economy and travel budget restrictions would further devolve the show into primarily a vendor networking event. My somewhat lowered expectations were surpassed with a turnout that was only slightly less than last year, and learning experiences that leveraged the time and place of the RSA show as a gathering of the security community. As usual my email inbox was spammed by invitations to vendor-sponsored hospitality events, vendor meetings to discuss show announcements, and information on meetings by various industry groups during RSA show week.

While still dwarfed by Interop, the RSA show is a focused meeting of 10 to 15 thousand security practitioners and is symptomatic of a healthy industry segment, and a community of organizations that recognize the value of keeping current on developments and defenses to protect their information, applications, systems, and network infrastructure. In addition to 30 pre-scheduled meetings with specific vendors there were many other casual conversations and reconnecting with people you haven’t seen since last year’s show, or last year’s Catalyst conference. The overall sense of these conversations is that the market demand for security is strong and growing stronger. Security vendors are growing their revenues during a weak economy. Organizations making purchases of security products and services are negotiating harder and it’s clear that no one is paying full list price anymore.

Nothing revolutionary on the show floor (what I saw of it in between meetings with vendors). Lots of focus on the web threat vector, security services in the cloud, hybrid models involving some cloud-delivered pieces, virtualization security, security services that can be hosted in a virtual environment or on a blade in a multi-function box, and lots of appliances of all manner of description. Many of the established security vendors you’d expect to see, and lots of smaller ones trying to attract attention in the US market – either by finding good channel partners or by attracting a larger vendor interested in acquiring the company and its technology.

I’ve also come to the conclusion that everyone who attends the RSA show has a different experience: some unique mix of networking, education, and exposure to the commercial aspects of a trade show. The special events that occur during show week, including meetings by the Concordia Group, the Cloud Security Summit, the Trusted Computing Group, Mini-Metricon, and others, provide an opportunity to learn, interact, and get involved. The conference keynotes and educational sessions provide access to knowledgeable experts, but with a heavy dose of vendor messaging. But let’s not forget that this is also a trade show for the IT security industry, and a chance to survey the latest offerings from hundreds of vendors. Finally, perhaps the best aspect of RSA show week is the networking and cross-pollination of ideas that occurs between security professionals, on both sides of the vendor relationship. It’s an exhausting show with long days, but from my perspective well worth the energy and time investment.

April 24, 2009

The Cost of Lost Laptops – Really??

Blogger: Eric Maiwald

Intel sponsored a study (released on April 22, 2009) by the Ponemon Institute on the cost of lost laptops. The sample size for the study was not large (138 cases) so the value of any statistical conclusions is questionable right from the start.

The initial analysis and conclusion is startling – the average cost of a lost laptop is $49,246 when you factor in all of the costs (including not only hardware replacement but investigations, data breach, intellectual property loss, and legal costs). But if you dig into the information provided in the report and in Appendix 1, there is more to the story. So…to steal a line from Paul Harvey, let’s look at the rest of the story.

While the average cost may be over $49,000, bar chart 1 shows the quartile cost results. The averages of the first three quartiles are all below $4,000 and it is only the average of the fourth quartile that skyrockets to over $186,000. Table 1 shows a breakdown of the average total cost in terms of the components that were used to calculate the overall cost of the loss of a laptop. It clearly shows that the largest cost factor (over $39,000 of the total $49,000 cost) is data breach cost, which is calculated (not measured) based on a $202 per disclosed record average cost identified in an earlier Ponemon study. Intellectual property cost is a distant second at just about $6,000.

Now, let’s go look at the table in Appendix 1. Three lines (with three big numbers and huge variations) jump out at me. First is the line regarding data breach cost – minimum $0, maximum $973,400. That is a huge swing over 138 cases. The second line is the line regarding intellectual property loss – again the minimum is $0 but the maximum is a huge $250,000,000 (that’s $250 million!) - an even bigger swing over 138 cases. The last line is near the bottom, Other legal or regulatory costs (expected) – minimum $0 and maximum $36,000. So what does this tell us? It looks an awful lot like there were a small number (maybe one or two) of cases where data was breached and/or intellectual property was lost, but for most cases no data was breached and no intellectual property was lost. I think this conclusion is borne out by bar chart 4, which shows the average intellectual property loss by industry: three industries (totaling 23% of the total cases) had much higher intellectual property loss averages than the other industries.

So what can we conclude looking at this study? I don’t think you can conclude anything. I guess my biggest complaint is that Ponemon shows averages but not the distribution of the samples. We can see the minimum and the maximum sample for various cost categories but that does not tell us much. By looking at the average in comparison with the minimum and maximum, I think we can draw the conclusion that most of the samples were closer to the minimum than the maximum, but that is about it. We can also conclude that the median would fall between the 2nd and 3rd quartile averages (every value in the 2nd quartile is at most the median and every value in the 3rd quartile is at least the median, so the median is bracketed by those two averages), probably around $3,000, which is less than 10% of the reported average. Readers should not go hanging their hats on this study as justification for any type of decision.
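As an added illustration of the point above (this is not the Ponemon/Intel data and not part of the original post), the following constructs a 138-case sample in which most losses cost a few thousand dollars and a handful are dominated by breach and IP-loss costs, then shows how the overall mean ends up near the report's $49,246 headline while the median stays near $3,000 and is bracketed by the 2nd and 3rd quartile averages. The individual values are invented for illustration.

```python
"""Added example: why a heavy-tailed sample makes the mean a poor
summary of "the cost of a lost laptop". The 138 values are constructed
for illustration; they are not the Ponemon/Intel study data."""
from statistics import mean, median


def build_sample():
    """138 constructed laptop-loss costs in USD (assumed, not measured).

    Most losses are hardware plus an investigation; a dozen involve a
    modest breach; six are dominated by breach or IP-loss costs. The
    values were chosen so the overall mean lands near the report's
    $49,246 headline figure."""
    routine = [1500 + 25 * i for i in range(120)]          # 1,500 .. 4,475
    modest_breach = [20000 + 5000 * i for i in range(12)]  # 20,000 .. 75,000
    catastrophic = [150000, 300000, 500000, 750000, 973400, 3194100]
    return routine + modest_breach + catastrophic


def quartile_means(costs):
    """Average cost within each quartile, lowest to highest (the shape of
    the report's bar chart 1). Quartiles are equal-size slices of the
    sorted sample."""
    ordered = sorted(costs)
    n = len(ordered)
    cuts = [0, n // 4, n // 2, 3 * n // 4, n]
    return [mean(ordered[cuts[k]:cuts[k + 1]]) for k in range(4)]


def median_bounds(costs):
    """Return (2nd-quartile mean, median, 3rd-quartile mean). Every value
    in the 2nd quartile is <= the median and every value in the 3rd is
    >= it, so the median must lie between those two averages."""
    q = quartile_means(costs)
    return q[1], median(costs), q[2]


def summarize(costs):
    """Summary statistics a reader would want alongside the headline mean."""
    ordered = sorted(costs)
    q = quartile_means(costs)
    m = mean(costs)
    med = median(costs)
    top_quartile = ordered[3 * len(ordered) // 4:]
    return {
        "mean": m,
        "median": med,
        "quartile_means": q,
        # share of the total cost carried by the most expensive quarter of cases
        "top_quartile_share": sum(top_quartile) / sum(costs),
        "median_over_mean": med / m,
    }


if __name__ == "__main__":
    s = summarize(build_sample())
    print(f"mean ${s['mean']:,.0f}  median ${s['median']:,.0f}  "
          f"(median is {s['median_over_mean']:.1%} of the mean)")
    print("quartile means:", [f"${v:,.0f}" for v in s["quartile_means"]])
    print(f"top quartile carries {s['top_quartile_share']:.0%} of total cost")
```

Running it shows a mean of about $49,246 against a median of $3,212.50, first three quartile means all under $4,000, and the top quartile carrying roughly 96% of the total cost: the same "rest of the story" that the report's own Appendix 1 hints at but does not spell out.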

April 13, 2009

Excuse me, can I see your information security practice license?

Blogger: Ramon Krikken

This blog post is based on a draft of the U.S. Senate bill “The Cybersecurity Act of 2009” and the material provided by the Senate Committee on Commerce, Science, and Transportation. There are many potential aspects of this to be discussed, but this post focuses on the requirement to “Provide for licensing and certification of cybersecurity professionals.”

If you read the introduction of the bill, it becomes pretty clear why the government is taking this interest. Statements such as “[The U.S. is] unprepared to respond to a ‘cyber-Katrina’” and “if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those caused by the physical attack on the World Trade Center” are meant to illustrate the clear and present danger that our “cyber-weaknesses” present.

Whether you consider this FUD or fact is a different question, but it certainly is true that part of our economic wellness (and our collective or individual safety, when we look at defense, utilities, energy, and aerospace for example) depends heavily on information technology and the information it stores, processes, and transmits. If the consequences are considered that grave, and the probabilities far from negligible, it could certainly make sense to require real professionals on the job. Certification and licensing seems like a good mechanism to control this; I’m just afraid the government might get it wrong – good intentions go bad, sacred cows are not easily slaughtered … just like lobbyists.

“The” information security professional does not exist. Just as it takes many different engineers to build something, it takes many different security specialties to get things secure enough. To pretend that the average security professional possesses all required knowledge is silly – in fact, I object to the notion that security (or at least large parts of it) could be executed well enough without intimate knowledge of that which is being secured. So what certification(s) would be used?

Aside from the specialization, there should also be a consideration of skill. If the consequences are indeed as grave as outlined in the bill, I’ll take the cyber-equivalents of the military and special forces, not the shopping mall guard and airport security, please. So a good percentage of CISSPs – the ones with only the book-smarts – are now out of the race (no offense to knowledgeable security professionals with a CISSP – I have one myself, too). And of course, the CISSP was never intended to be the end-all and be-all of critical infrastructure cyber-protection training, but the current overall education and training system does leave me to wonder how this will be executed.

Perhaps we have general practitioners and specialists, like in medicine. Maybe we can have apprentices, journeymen, and masters like in some of the skilled professions. Would throwing the ISC2, ISACA, SANS, and a whole host of other certifications in a blender do us some good? I don’t know the answer, but I do hope the committee(s) will take a real hard look at what it takes to be any type of information security professional in a critical infrastructure protection role.

April 10, 2009

Protecting Information in Hostile Environments

Blogger: Eric Maiwald

We used to talk about doing business over open networks as the big security concern. In fact, we had a topic by that name at Catalyst 2008. Given the further proliferation of key loggers and other malicious software (that is becoming more stealthy and customized), I think we need to start talking about doing business in completely hostile environments. It is not only the network that is open and filled with eavesdroppers but it is also the client endpoint. Key loggers can capture passwords and other sensitive information unbeknownst to the user. We also have cases of malicious software operating in servers and capturing sensitive information there (see the Heartland case). Where is it that our data is safe?

When I first came to Burton, I talked to Dan Blum (Principal Analyst in SRMS) about what I called “Star Trek Security.” What I meant by it was that information seemed to be free for the taking. If you watch Star Trek, it seemed any time the Enterprise came across an alien ship, the aliens could download any information they wanted (usually by scanning the ship or the database but sometimes by pulling it directly out of the crew’s minds). Crew members could gain access to any information whenever they needed to (even if unauthorized) and it was only when some abnormal measure was taken that any data could be controlled. Similar themes are now shown on TV shows like NCIS where superstar agents can “hack” into any database they need to get into or break (or bypass) any encryption mechanism at will. It seems that these fictional situations are not all that fictional.

I wonder if we are seeing the results of too much dependency on preventative controls. No control is absolute, and we lived for a long time on the difficulty of circumventing our preventative controls. But as the rewards for breaking or bypassing these controls increase, the level of effort exerted to do so also increases. The end result is that we find our controls circumvented or broken on a regular basis. Defense in depth does not seem to matter, nor does compliance with standards such as PCI. Any attempted penetration can succeed given sufficient funds to hand to an employee with access.

Perhaps we need to think about how business can be conducted in this type of world. Rather than concentrate on controlling access to information, maybe we need to think about detecting and limiting the misuse of the data. For example, if I can’t prevent my credit card number from being compromised, perhaps I can detect when an attempt is made to misuse it. This is obviously a simple example and the issue becomes more difficult when we talk about sensitive financial information or trade secrets. But it seems to me that we need to move beyond the idea that we can assume any type of “secure” environment (on the network, on the client, or on the hosts).

April 08, 2009

This Green Bar Will Save Your Life!

Well … maybe not.

SSL: great idea; not always well executed. Certificate Authorities (CAs) that issue SSL certificates for websites are supposed to carefully vet the requester, to make sure the business is valid (lookup in D&B, for example), that the administrator actually works for the company in question (HR query), and that the DNS domain is owned by that enterprise. Once all these hoops are jumped through, the cert is issued.

It turns out, however, that it’s much easier and cheaper simply to check whether a given domain name is legitimate (for varying values of “legitimate”) and the person requesting a cert can receive email at that domain. This is what several CAs started to do for SSL—especially during price wars a half-decade ago—and is why https://phish-all-day.example.com could have its SSL cert despite nefarious intent.

Extended Validation (EV) certificates were supposed to solve this problem. By introducing a governance organization (the CA/Browser Forum, http://www.cabforum.org/), creating new rules for vetting, refactoring Certificate Policies (CPs), and requiring stringent audits of CAs, EV-SSL-requesting businesses were supposed to receive special scrutiny to avoid fraud and mayhem in cert issuance. Furthermore, and importantly, browsers implement a candy-colored URL status bar to show users whether they’re browsing an EV-cert-equipped website or not (in truth, browser implementations to date are simply green or not-green specifically for EV-cert status; additional candy-coating is applied for reputation filters and other stuff). A side effect of this newfound rigor is more $$ charged for certificates.

Less fraud is a good thing, yes? Here’s the bad news: EV certs can be bypassed. As reported by The Register, “Websites that use an enhanced form of digital authentication remain just as vulnerable to a common form of spoofing attack.” (www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/) More than one person has stated that the green bar really doesn’t matter to users; it’s just a way for CAs to make more money. And although I believe in the good intentions of the CA/Browser Forum, it seems that they went after the high-end revenue-generating solution and missed some essentials.

April 02, 2009

Security Strategies for the Recession

My Security Strategies for the Recession (http://www.burtongroup.com/Client/Research/Document.aspx?cid=1575) were published as Burton Group Methodologies and Best Practices research.

In general, I found that while IT security budgets were holding up well in late 2008 and early 2009 for most organizations, caution is warranted as economic outlooks have worsened. From day to day, seemingly manic-depressive economists, forecasters, and investors dither over whether the ice is thawing or worse is yet to come.

Increasing threats and business changes will join budget constraints to challenge security managers to improve and adapt. Security Strategies for the Recession recommends approaches for setting security priorities, cutting costs, and preparing for an eventual economic rebound.

For another update on IT spending, see the blog entry from Craig Roth, our collaboration and content service director.

http://ccsblog.burtongroup.com/collaboration_and_content/2009/02/2009-it-spending.html

March 20, 2009

New Disclosure Rules for Medical Information

Blogger: Eric Maiwald

The latest US Federal Government stimulus package included new rules for health information. You can read the details in the American Recovery and Reinvestment Act of 2009 (see page 144 or search for HITECH).

According to the law, physicians will now be required to track a patient’s medical information anytime it is disclosed to a third party – even if the patient has given permission for that disclosure. While this provision does not go into effect until January 1, 2014, patients will have the right to request disclosure information from up to three years in the past. That seems to make it a requirement that the disclosures be tracked from 2011.

While the tracking provision will cause medical institutions to incur additional costs, the breach provisions of the act may be of greater concern. The act is similar to state laws that require disclosure of any breach of personally identifiable information (PII). For medical information that is breached, the medical practice will need to notify the affected individuals; where it lacks current contact information for 10 or more of them, it must post a conspicuous notice on its web site (or in major media) instead. If the breach is larger (500 patients or more), the medical practice will also have to inform prominent media outlets serving the affected state and the Secretary of Health and Human Services; smaller breaches are logged and reported to the Secretary annually.

In reading through the act, I didn’t find a specific exception for encrypted information like we have seen in many of the state PII breach notification laws but I did find that the disclosure only applies to “unsecured protected health information.” Now unsecured protected health information means “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).” If the Secretary does not provide the guidance, further definition is provided so that the term will mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” It seems likely that encryption will be such a technology standard.

So what does this mean? I think that over the next few years we will start to see stories in the media about lost computers belonging to hospitals and other medical practices. We will also see an increase in the use of encryption by the medical community.

March 13, 2009

“Log everything”

Blogger: Trent Henry

I attended a conference this week at which a speaker said, “In today’s complex regulatory landscape, every scrap of information is important—save it all.” This sounds vaguely similar to words spoken by IT teams (and sometimes their counsel) who are worried about electronic discovery: Since we have to preserve evidence in case of litigation, we better be on the safe side and never get rid of anything.

Bad choice.

First of all, there’s no need to save information that isn’t germane to your business or doesn’t have a specific regulatory mandate. Auditors don’t expect it, regulators don’t expect it, and neither do judges. So, whether it’s log data, electronic mail, or documents in a content management repository, take a hard look at what you're keeping. If the business isn’t asking for it, chances are it should be on a tighter retention schedule.

Second, I’ve heard the mantra “storage is cheap,” but looking at some enterprises’ bills, I’m not convinced. Furthermore, there’s a growing market of storage management solutions whose goal is to drive up storage utilization and minimize hardware costs. Data de-duplication projects are popular with executives—no sense having 1,000 identical copies of that 2MB e-mail attachment—so why exacerbate the problem by trying to keep the wrong stuff in the first place?

Third, we all have skeletons in the closet. There’s no reason to air them unnecessarily. I’m not saying that if you consciously violate service-level-agreement terms you should destroy the logs that prove it; or that if you have evidence of wrongdoing at your company you should cover it up. But once a contract is complete, it’s unlikely you need to retain it long-term. And you certainly don’t need to keep sensitive metadata—like document comments describing negotiation tactics or alternative pricing.

So, rather than “log everything,” repeat after me: “Don’t oversave.”
