RealSecurity

A Different Perspective of Information Security


BlackHat Standard Fair

Living up to expectations, this year’s event looks to be exposing some interesting hacks

BlackHat has been around for a while and has become very popular as a platform for researchers to present their research into the discovery of foundation-shattering vulnerabilities. Although this type of exposure occurs at other “hacker” events, the media focus on BlackHat is unparalleled, making it a well-publicized event. Although it’s just getting started, a couple of disruptive things have already been presented.

Friday 31 July 2009 at 12:38 pm

Posted in news



Security and Mobility

The little-big problem

Security in the mobility space is not all that new. We’ve seen our fair share of worms, spam, and attacks against cell phones, PDAs, and smartphones. Over the years, various products and solutions have surfaced in an attempt to address these challenges, with varying degrees of success. Nevertheless, as cell phones become more and more sophisticated, the gaps in security are becoming alarmingly huge.

Thursday 30 July 2009 at 10:27 am

Posted in threats



F-Response

There’s still room for great technology in security

There is no shortage of technology in the information security industry. As time passes, there are fewer and fewer cases of truly interesting and compelling solutions that have the potential to revolutionize the industry. However, they do come along on occasion: with no fanfare, hidden in the back of some massive vendor expo hall, they sneak up on you, and the next thing you know you can’t live without them. So, expect to be buying F-Response in the near future.

Wednesday 29 July 2009 at 09:38 am

Posted in technology



Over Simplifying Cloud Security

New wrappers on traditional concepts do not always work

I will tell you right up front that I’m not a cloud computing expert. I “get it” as most people do and can see the pros and cons. You don’t have to be a brain surgeon to connect the dots of virtualization, stacking, web services, “X”aaS, and the like to see that the cloud is extraordinarily compelling to business and is the future of IT as we know it. Seeing that most people have connected the dots, it’s no surprise that security in the cloud (or lack thereof) is seen as the most significant barrier to adoption. As a result, security solutions for the cloud are beginning to come out of the woodwork. This is expected and needed – progress in this space is good. However, I’m not seeing anything necessarily revolutionary; simply, well, more of the same. The problem isn’t that these standard security solutions tweaked to support the cloud aren’t meaningful; it’s simply that they address an old problem and not the more fundamental problems businesses are thinking about, and beyond.

Tuesday 28 July 2009 at 2:13 pm

Posted in The Cloud



IneSCAPable

SCAP starting small, but will get big soon

NIST, specifically the Computer Security Research Center (CSRC), has become a significant security force in the public and private sectors. With the series of Special Publications covering everything from FIPS and PKI to keys and physical security – and everything in between – NIST has provided a substantial collection of valuable materials. Some of these take off and become core industry practices, while others remain in relative obscurity. A recent addition from NIST has all the makings of something that could become very interesting: the Security Content Automation Protocol (SCAP), or SP 800-117.

Monday 27 July 2009 at 10:21 am

Posted in futures



A Mature Security Program

The value of CMM

There are a lot of security standards and practices defined within the industry. Moreover, there are enough regulatory demands facing a broad range of companies and organizations to fill the ocean. Nevertheless, what always seems to be missing, or is rarely heard of, is the maturity of the security program. I think companies are missing out on something that could be of enormous value to the business and the security group.

Wednesday 22 July 2009 at 11:17 am

Posted in standards



Cloud Security Challenges

Why The Cloud is Such an Impact to Security

Why does the cloud represent such a huge issue for security? Let's talk "high-level" and very generally for a bit. First and foremost, what is "the cloud"? In pretty simple terms, a cloud is a collection of technology (systems, networks, processors, applications, etc.) that is provided to users and companies as a service, decoupling the computing experience from the computer and all this implies. Later, we’ll see this fundamental element as the challenge to security and its relationship to data (and information) and trust.

Monday 20 July 2009 at 1:50 pm

Posted in The Cloud



Cloud Security

Getting started

There has been a great deal of discussion concerning cloud computing. In the past we called these hosting solutions, managed services, and other less sexy things. However, I'll admit that today's cloud computing concepts go way beyond what we've seen in the past and have set in motion a technical revolution that has the potential to change the very foundation of what we have come to understand as computers and the Internet. As a result, information security will become far more important than it ever has been. However, what will it look like? How will it function? Is security going to evolve, and if so, will it do so in time?

Monday 20 July 2009 at 1:31 pm

Posted in The Cloud



Security and the Digital Disease

What can we learn from Epidemiology?

Epidemiology is a fascinating subject, one I believe the information security industry can learn from. An interesting element is the sharing of information concerning viruses. When Bird-Flu (H5N1) was decimating the Indonesian community, local scientists studied the virus and obtained critical RNA data on it, which provides the key to formulating a vaccine. However, they didn’t share this information with the rest of the world right away. Why? And what can security learn from this?

Friday 17 July 2009 at 1:27 pm

Posted in perspective



The Cloud Application

The role of application security in the cloud

Many enterprise organizations are typically focused on infrastructure security, such as firewalls and IDS. This is understandable because of history and compliance pressures. However, there are regulations touching on the application layer driving certain technologies, and many of those same organizations are performing code review, application testing, and evolving secure software development practices. Not only is this not enough, but as organizations attempt to move to the cloud they are going to hit huge challenges and will likely force-fit their needs – right or wrong – into the provider. The result will ultimately be the migration of poor security philosophies into the cloud and the overall stagnation of what the cloud can provide. We need to peer deeper into how applications function given the vast level of abstraction that is occurring and the implied trust that exists.

Wednesday 15 July 2009 at 10:34 am

Posted in The Cloud



Passwords, again?

A weak control with every threat imaginable

Is it me, or does the topic of password security pop up regularly? It’s like a broken record. To be fair, security in general is having difficulty evolving, so why shouldn’t discussions concerning passwords surface regularly? We’re not really changing anything. Nevertheless, there has been a surge lately and I feel somewhat compelled to comment.

Tuesday 14 July 2009 at 08:42 am

Posted in perspective



Microsoft knew for a year

That’s not good, but...

It looks like Microsoft finally admitted it knew for more than a year about the IE6 & IE7 bug in the ActiveX control "msvidctl.dll", a file that supports streaming video content and is vulnerable to arbitrary code execution with the privileges of the current user. On the surface this vulnerability doesn’t sound any more spectacular than others like it in the past. People are steaming over the delay, but I think there are a number of interesting moving parts worth noting.

Monday 13 July 2009 at 08:15 am

Posted in perspective



The Legalities of Spying

A view into how an administration gets what they want

Released today was an unclassified report on Bush's Presidential Surveillance Program (PSP), written by the Offices of Inspector General of the DoD, DoJ, CIA, NSA, and the Office of the Director of National Intelligence. In short, Congress mandated an investigation to ultimately determine the legal precedence of the PSP, which involved the massive collection of communications within and beyond the US.

Friday 10 July 2009 at 5:02 pm

Posted in news



A knight in shining Chrome

G-Men take on solving security with new OS

Google’s announcement that they’re entering the world of operating systems with Google Chrome OS has generated some controversy – mostly around security. Statements such as, “And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.” are very bold indeed. Essentially, Google is going to eliminate security problems that have haunted the Internet since its inception. You know what? I say go for it, G-men, more power to you. But please know that the world of bad guys doesn’t take such claims lightly.

Thursday 09 July 2009 at 5:06 pm

Posted in futures



MasterCard Changes Level 2

What is the real impact of this?

Last month MasterCard (MC) changed the requirements for level 2 merchants to include an on-site assessment as opposed to performing a self-assessment. The definition of level 2 by MC is processing more than 1M and equal to or less than 6M transactions a year. However, there is an added feature by MC stating that level 2 can be defined by competing brands, such as Visa, Amex, Discover, etc. (note: MC actually defines this for all the levels). These changes immediately translate to a dramatic increase in the number of merchants globally that now require a report on compliance (ROC) as opposed to simply completing the self-assessment questionnaire (SAQ). Nevertheless, I think this runs much deeper when one looks at the history and progress of PCI.

Thursday 09 July 2009 at 10:17 am

Posted in compliance



Policy Purgatory

What are policies for, really?

I see a lot of questions about security pop up, asking everything from what’s the best way to secure a PDA to how to control the use of USB ports on laptops. In every case, without exception, there is always someone who pontificates on the need for a policy. Ok, granted, a policy can be more than a document stating what is expected and separating good from evil for all to partake. Policies can be technical manifestations, like group policies in Microsoft, Linux, and other systems that set requirements, like minimum password length, but that’s not what I’m talking about. I’m talking about the oldest security punt of all time, the fall-back point of, “Do you have a policy for that?”, referring to some document that everyone from the CEO down had to approve when all I wanted was to stop the use of USB ports. Policies are important, but they’re only one part of the picture and not the first step.

Wednesday 08 July 2009 at 5:20 pm

Posted in rant