Is Social Networking a Fad?

In the last 24 months social networking has seemingly come to a head of steam.  Facebook, MySpace and Bebo have been around for a number of years, but in addition we now have the likes of LinkedIn for professional networking and any number of micro-blogging and commentary sites.  This is not to mention Twitter...

Social Networking is really what the internet was invented for.  Shame it's taken the best part of 15 years to come together.  Many people now see email as a dying breed of communication, probably due to the increased 'spam', increased volume and lack of clarity it brings.  If only 65% of your emails are useful to you, you're wasting 35% of your "mail" time.  Full stop.  Time is one thing social networkers do NOT like to waste.  Everything has to be quicker, smaller and more customized.  Rapid execution is the key underlying factor.

If they're here to stay, do they need to innovate?

This bubble of attention and innovation with regards to small, simple and rapid execution based socnet sites is seemingly unstoppable.  Or is it?  Everything comes to a head at some stage, based on the product life cycle.  New sites are being created every day and any angel or VC funder is seemingly not worth their salt unless they have a social interaction or collaboration site on their CV.

The big benefit of any social networking is the mass volume of throughput.  Be that members, people signed up, people viewing adverts, etc.  The gamble requires large volumes.  Without them, it's just a network.  That doesn't really work.  So just a net then?  Can those volumes continue?  Well I think probably yes, but what will probably change is the level of intellectual property being invested in the original site.  By this I mean instead of just allowing large volumes of people to interact - the worker ant syndrome - the site would provide more intellectual grouping and dissemination of data and information.  This would remove the choices the individual social networker would need to make, again saving time and effort to collaborate and share.

Security Over Configuration?

Many recent software development frameworks use the term "Convention over Configuration".  The main idea behind this is to remove the need for a programmer to spell out every detail of an application and instead specify only the unconventional aspects.  This should, in theory, remove the need to code aspects of the application that can be taken for granted.  The result is faster development, simpler code and easier management.  Anything that doesn't fit the 'convention' needs to be 'configured'.

I wonder if this approach could be applied to the view of security, not only from a software perspective, but in everyday life in general?  Security in software is often seen as an add-on, an extra, something to do at the end or only when something goes wrong.  This shouldn't be the case.  Security should be built in from the ground up from a technical perspective and, from a process perspective, should be considered equal to things like business continuity or the organization's marketing strategy.  So instead of security being an extra, should it be seen as the default?

From an IT perspective, many view tight security simply as using a strong encryption method or implementing a password complexity policy.  Here I feel we are missing the point.  Security is all about strength in depth: rings or circles of protection, just as a fortified castle or stronghold would have had in times of yesteryear.  Information should be treated in just the same way, with protection coming from all levels including network security, application security, internal process and infrastructure security, right through to physical protection such as lock and key.

But security across these different branches of an organization is often seen as time consuming, costly and returning nothing in the form of investment from the bean counters' point of view.  Ironically, this will probably lead to costly, short-term projects that are a response to a security breach, or to a policy intervention triggered by not implementing the appropriate security controls in the first place.

It may take time, but information security will become more mainstream as organizations see the real value of being secure such as brand confidence, efficient process and reduced fire fighting.  Until then, security will have to be treated as a 'configuration' item for most people.

Is Your Smart Phone Security Smart?

With the ever increasing popularity, sophistication and internet-ready nature of many mobile phones comes an increased risk of data loss, identity theft and general costly misuse.  Over 5000 mobile phones are allegedly stolen each day in the UK, not counting the many attempts at 'hacking', 'cracking' and remote attacks.

A mobile phone is no longer just that.  It's a web browser.  It's a camera.  It's a calendar and personal organiser.  It's a data store.  In combination with the several thousand apps available for the various platform types, it's also a utility capable of once cumbersome and time consuming tasks, games and activities.  Hence the newly termed 'smart' phone.  This object in your back pocket is basically a tiny laptop.

Most smart phones have some basic security measures built in, such as a console lock protected by a PIN.  Is it used?  Is it ever changed?  A recent survey by Vodafone suggested that 50% of users don't change the PIN regularly.  The PIN itself is more of a physical measure, acting as a deterrent to thieves and opportunistic call making.

However, there are risks other than physical ones.  What about hacking?  Most smart phones can connect to a wifi network just like a laptop, but a phone is more likely to be carried around and therefore in contact with multiple networks throughout the course of a day.  Most phones allow wifi scanning and auto-connection, especially to well-known network and hotspot names.  Once connected, the phone will more than likely attempt to download email messages, update social networking activities and so on.  All of this poses a threat, either from packet sniffing of the network traffic or from malware and phone manipulation introduced remotely from the untrusted network.

Due to the high value of phone data, primarily personal contact information, the risk of malware proliferation is high, not to mention the cost of stolen individual contact records.  The rise of the smart phone for business use and the 'always-connected' culture leads to many phones being used for email.  Whilst from a security perspective sometimes only the header is downloaded, many use IMAP, causing a local copy of the mail to be stored on the phone's memory card and increasing the risk of theft or duplication.

The rapid increase in the number of mobile phone applications, or apps, has led to concerns about software quality and assurance.  Whilst many vendor-supplied app portals like Apple's iTunes store or Nokia's Ovi Store provide a vendor and basic product vetting process (use of signing, QA etc.), it is still very easy for an indie developer with no history to create an app with many thousands of customers.  Independent portals such as GetJar also give developers a quick and simple way to promote tooling without a great deal of testing from a security perspective.

As phones become increasingly powerful and start to resemble the 'netbooks' of tomorrow, the reliance on a fully fledged mobile operating system will allow more sophisticated anti-virus and anti-malware techniques to be employed.  Hopefully this will enhance mobile security, and not reduce the vigilance of the user.

Security - Where's the Problem, People or Technology?

As part of my job I am fortunate (at times) to be able to travel to different locations including new countries and cities.  This is mainly within Europe but sometimes the Middle-East and North America.  Most parts of the travel itinerary are booked automatically through my employer using a web based travel portal.  This generally contains basic personal information such as name, date of birth and next of kin, often required not only for airline bookings but also border security.

Last week I was fortunate to be back in Spain, Madrid to be precise.  A lovely city, great food and friendly people to work alongside.  My one concern was the handling of my personal information during the trip.  Since 2004, in the aftermath of the Madrid bombings, EU states now require Advanced Passenger Information data to be collected prior to an individual traveling to and from EU states like Spain.  This is non-negotiable as far as I am aware and no information is publicly available as to how this information is stored and processed.  This is just 'one of those things' you have to do and to be honest it doesn't raise any major concerns with me.

My big worry came at my hotel.  This was a generic city centre business hotel, accustomed to handling large volumes of foreign travelers both on business and pleasure.  Upon arrival my passport was asked for (pretty usual request) as well as my name - again pretty usual for checking into a hotel!  I then received my room card and a ticket for my breakfast and hotel charges.  The next day I took a closer look at the ticket.  I was amazed.  The card contained pretty much my entire international identity as well as my credit card data!

The ticket contained my passport number, date of birth, full name, nationality as well as my full credit card number and expiration date.  That's a whole lot of information to be placed on a piece of paper that could easily end up in a waste paper bin, the back of a taxi or the station floor.  I raised this to the receptionist the next day to which the generic response of 'company policy' was returned.  I was amazed.

Perhaps it's not necessarily the technology used to protect information and identity details, it is the people and process that manage and use the data which place it at risk.

Microsoft AD Analytics in OIA

Active Directory has become synonymous with corporate authentication over the last decade.  Most organizations with over a hundred users will generally have a directory service based authentication framework, and in many organizations that tends to be AD.  The reasons for this are plentiful I'm sure, but not within the scope of this entry.

The popularity of AD has several impacts.  Firstly, the increased usage, as with any piece of software, is a catalyst for a growing support community including things like best practice papers, forums, consultancy firms and so on.  However, an increasing reliance on AD often leads to key system administration concerns such as how to manage the users, groups and resources housed within the directory.

Key concerns for any administrator, and increasingly for audit and compliance officers, are how to manage things like the number of orphan accounts, redundant accounts, terminated accounts, redundant groups, misaligned groups, share management, share ownership and so on.

Oracle's Identity Analytics product allows the analysis of all of the enterprise's resources including directories, databases, mainframes and other user repositories.  User, group and share data can be automatically imported into OIA's warehouse, where orphan account data can be automatically reported on.  Using a hierarchical view of user entitlements, OIA can represent a user's relationships right from their AD account, through the groups associated with the account, down to the folder, file and associated server access control entries on that data.

This allows a certification and data analysis process to take place that removes redundant user and group data, increasing security and reducing risk.

As many organizations continue to establish an Active Directory platform, they tend to focus new systems and applications on AD as the main authentication and sometimes authorization point.  This can lead to further issues with group and data ownership and the misalignment of permissions, increasing the need for a deep-dive analytics and certification solution.

Safe Chips Anyone?

Last week saw the announcement that chip giant Intel is to acquire McAfee in a £5bn deal.  With this came many intriguing comments and questions about how Intel will utilize the deep engineering skills at McAfee, as well as the large brand loyalty created by the many anti-virus and anti-malware products now at their disposal.

Intel have commented that they see the coming months and years as a critical point in the cybersecurity landscape with increasing attention now being placed on protection at the hardware, software and applications level.

Security at the desktop level has primarily been focused on virus and malware protection for the last 12-14 years, since the large Windows-based viruses of the late 90's.  In addition, firewall protection also appeared at the desktop level, with many desktop operating systems now providing a basic software-based firewall.

However with the increasing focus on Cloud Computing and anything-as-a-service, security at the stack level is becoming more prominent.

Are Your Chips Safe...?

In addition, many chips used in mobile technology such as smart phones and even reading devices, may require additional protection due to the perceived lack of protection at a software level for such devices.

An interesting acquisition which will undoubtedly start to alter the market place in CY11.

Hacker - hero or villain?

I recently watched a documentary on UK satellite TV that seemingly portrayed the life of a computer hacker as glamorous, edgy and cool.  The hackers interviewed were all American, male, typically geeky with a fake hate of institutionalism and popular culture.

Many argued they 'hacked', or 'cracked' as some term it, simply for the enjoyment and prestige of being able to 'beat' large corporations or public organizations, that have spent vast sums on securing information systems and networks.  The thrill of a one-man-band crusade and coming out on top, spurs many individuals on to continually attempt to break and overcome security controls.  They argued that in fact they were helping the internal security teams by simply identifying where weak controls exist, before 'real' damage could occur.  Who and what caused the 'real' damage still seemed unquantified by the hacker community interviewed by the program maker.

Are You The Next Hacker Hero?

In defense of that argument, the term 'ethical hacker' has become popular in recent times to define individuals and consultancy practices that perform penetration and vulnerability testing.  Their aim is to help organizations find weaknesses in the security defense layers at the network, protocol, application or process level.  Certifications such as the CEH or CHFI testify to this being a sustainable niche industry and an in-demand part of information security.  The 'official' hacker, on the other hand, often derides the term 'ethical', arguing that although the courses and certifications give the individual a technical background in the skills needed to overcome protective security controls, the 'ethical hacker' often doesn't have the drive, motive or natural ambition to overcome and beat the underlying mentality of protectionism.

But does the hacker, or even the ethical version, actually provide a worthwhile service in the asset protection arena?  Many security related projects, whether from a provisioning, firewall or application development standpoint, are often viewed as costly, non-profit-impacting and more of a luxury than an essential.

As with most things, the more people are involved in developing a following or a practice, the more it starts to become mainstream, professionalized and controlled.  Many would probably disagree, but the underlying reason for this is to make money.  As more and more people become skilled in the tool box of the hacker, we will probably become better equipped at preventing lower level attacks that several years ago would have been difficult to counteract.

But as with most things, they evolve, and the tools and skills of the hacker will evolve too, which in a perverse way keeps information security professionals in work, and certifications in high demand.

The Threat of the Insider

Most organizations, and indeed security vendors, have traditionally focused on the outsider threat when it comes to company security.  By this I'm referring to external hacker threats or threats from the internet and public untrusted networks.  These areas are generally outside the control of the organization and cannot be manipulated by internal security controls and procedures.  Historically, therefore, the emphasis was placed on protecting the internal corporate network and resources from users, hackers and services that originated from outside the control of the organization.

Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems and SQL Injection Attacks are amongst the commonly used vocabulary when referring to security from a best practice, education and vendor perspective.

However in recent years the concept of the insider threat has increased.  By this I refer to a systems attack generally originating from someone from within the organization.  Attack in this sense could be classified as anything that could impact the Confidentiality, Integrity or Availability of company information held within the internal network.  A breach in any one of the three main components of information protection could result in information disclosure, security risk, brand damage or compliance misalignment.

But why would a threat emerge from someone within the organization?  The first part is to identify the motive.  This could be driven by a disgruntled employee, a recently terminated contractor or someone who has identified a process flaw that allows them to perform a fraudulent act.  The second component is the capability.  Whilst hackers require knowledge of a system vulnerability, a pseudonymous user and password hacking tools, they will also need to perform blind research of the services and processes within the organization in order to make a damaging impact on the information held within.  An existing employee, however, already has a genuine username and password, deep knowledge of systems and business processes, as well as the potential to execute.

Most insider threats can be reduced by restricting user access to the concept of least privilege.  This is not a new idea.  An employee should only have access to the most basic levels within the systems they require to perform their job.  This access should be managed, continually reviewed and audited.  Terminated users should have their access removed immediately, and transferred users (who have moved between jobs within an organization) should have their access updated as soon as possible to reflect their new responsibilities.

Not all insider threat comes from active employee attacks.  Some is often based on bad business practice that an individual is simply following as part of their job.  Security education can play a large part in helping to identify insider threats resulting from poor security practice.  For example, access control systems could restrict only senior managers to have access to personal HR files.  However, who cleans down the printer at the end of the day to remove wasted print outs?  These print outs could well have been generated by a user with privileged access but the business process or lack of management could be resulting in a potential security breach further down the information chain.

Successful Certification

Certification in identity management is generally used to confirm or revoke existing user accounts and HR information.  The focus on existing accounts distinguishes certification from general access request approval workflows and places it among post-approval workflows.  During the access request phase a manager or IT owner will approve or reject whether someone should have additional access to a system.  This is not a new concept and was managed perfectly well long before this process was automated using provisioning solutions.

Certification or attestation is more concerned with analysing users who have already been granted access to a current system.  This periodic post-approval process is more to do with seeing if previous access request actions are still needed.  This also leads to other analytical steps such as identifying users who may have moved jobs, or left the organisation.  Another useful by-product of analysing existing users is to locate what's known as 'orphan accounts'.  These 'orphans' are simply application accounts that can no longer be linked back to an actual HR record.  This is likely if the employee has been terminated but their access still exists.  Not only are these orphan accounts an un-managed security risk, they could also be wasting costly licenses if not being used.

A general approach to certification is to perform an initial identification of which business areas and applications need certifying.  Not all parts of the business may require the same level of analysis, and only critical applications that face regulatory compliance may need attention.  Once the scoping of the analysis has been completed, data from the users and systems involved needs collating, centralising and correlating.  Here we can identify orphan accounts, missing HR information and other data anomalies.
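The correlation step above, and the AD-account-to-group-to-share entitlement view described in the OIA entry earlier on this page, as an added example (not OIA's or any vendor's code): it joins constructed HR, AD, group and file-share ACE data to report orphan accounts, trace a user's entitlement chain through nested groups, and list groups that are candidates for removal. All account, group and share names are constructed.

```python
# Added example: correlate constructed AD, HR and file-share data (not real
# accounts) to find orphan accounts and trace each user's entitlement chain.
from collections import defaultdict

HR_RECORDS = {            # employee id -> (sAMAccountName, HR status)
    "E100": ("jsmith", "active"),
    "E101": ("akhan", "terminated"),
    "E102": ("mlopez", "active"),
}
AD_ACCOUNTS = {"jsmith", "akhan", "svc_backup", "bjones"}   # no HR row for bjones
GROUP_MEMBERS = {         # AD group -> members (users or nested groups)
    "G-Finance": {"jsmith", "akhan"},
    "G-Finance-Admins": {"G-Finance"},      # nested: all of G-Finance inherit this
    "G-Legacy": {"bjones"},
    "G-Empty": set(),
}
SHARE_ACES = [            # (server, share path, trustee, permission)
    ("FS01", "\\\\FS01\\Finance", "G-Finance", "Modify"),
    ("FS01", "\\\\FS01\\Payroll", "G-Finance-Admins", "FullControl"),
    ("FS02", "\\\\FS02\\Public", "bjones", "Read"),
]

def orphan_accounts(ad_accounts, hr_records):
    """Accounts with no HR owner, or whose owner is terminated, split by cause."""
    status = {sam: st for sam, st in hr_records.values()}
    no_hr = sorted(a for a in ad_accounts if a not in status)
    terminated = sorted(a for a in ad_accounts if status.get(a) == "terminated")
    return {"no_hr_record": no_hr, "terminated_owner": terminated}

def groups_of(user, group_members):
    """Every group the user belongs to, following nested group membership."""
    parent_of = defaultdict(set)
    for grp, members in group_members.items():
        for m in members:
            parent_of[m].add(grp)
    found, todo = set(), [user]
    while todo:
        for g in parent_of[todo.pop()]:
            if g not in found:
                found.add(g)
                todo.append(g)
    return found

def entitlement_chain(user, group_members, share_aces):
    """(share, permission, via) rows: direct ACEs plus those inherited via groups."""
    trustees = groups_of(user, group_members) | {user}
    return sorted((share, perm, trustee)
                  for _, share, trustee, perm in share_aces if trustee in trustees)

def redundant_groups(group_members, share_aces):
    """Groups with no members or that grant no share access: certification candidates."""
    used = {trustee for _, _, trustee, _ in share_aces}
    return sorted(g for g, m in group_members.items() if not m or g not in used)

if __name__ == "__main__":
    print(orphan_accounts(AD_ACCOUNTS, HR_RECORDS))
    print(entitlement_chain("jsmith", GROUP_MEMBERS, SHARE_ACES))
    print(redundant_groups(GROUP_MEMBERS, SHARE_ACES))
```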

The actual certification process is generally performed by non-IT managers from the business.  As a result, a clear training, messaging and internal marketing campaign is needed to make sure the correct stakeholders are involved and understand their role.  Escalation processes also need creating in order to develop process flows that make sure the certification cycle is completed accurately and on time.

The resulting rejection or certification of accounts also needs centralising and processing using a reporting and dashboard technique.  Good visibility of metrics such as number of certified users, time to complete, number of rejections, exceptions and so on needs to be available.

Once revoked user accounts have been identified, a clear and understandable de-provisioning process needs to be created, managed and maintained.  This will require IT understanding of the systems in scope in order to develop a process to remove revoked users and entitlements.  This needs documenting, publishing and adhering to, with strong and realistic time scales for the actions to be performed.  Once performed, positive feedback is then needed in order to confirm that the user accounts and their entitlements have been removed.
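The post-decision steps above, as an added example (not OIA's or any vendor's code): it turns constructed reviewer decisions into the revoke list handed to IT, reconciles that list against a later snapshot of the target system to give the positive feedback the paragraph asks for (flagging removals still outstanding past an assumed SLA), and derives the dashboard metrics mentioned earlier (certified, revoked, exceptions, completion, time to complete). The SLA value, dates, reviewers and entitlements are all constructed.

```python
# Added example: certification decisions -> revoke list -> reconciliation
# against a constructed system snapshot, plus campaign metrics and escalations.
from datetime import date

SLA_DAYS = 5                       # assumed de-provisioning time scale (hypothetical)
CAMPAIGN_START = date(2010, 9, 1)  # constructed campaign dates
SNAPSHOT_DATE = date(2010, 9, 10)

# Constructed reviewer decisions: (account, entitlement, decision, decided_on, reviewer).
# decision is "certified", "revoked", "exception" (kept with justification) or None.
DECISIONS = [
    ("jsmith",     "G-Finance",        "certified", date(2010, 9, 1), "mgr1"),
    ("akhan",      "G-Finance",        "revoked",   date(2010, 9, 1), "mgr1"),
    ("bjones",     "G-Legacy",         "revoked",   date(2010, 9, 2), "mgr2"),
    ("mlopez",     "G-Finance-Admins", "exception", date(2010, 9, 3), "mgr2"),
    ("svc_backup", "G-Backup",         None,        None,             "mgr3"),
]
# Constructed snapshot of the target system taken after de-provisioning ran.
CURRENT_ENTITLEMENTS = {("jsmith", "G-Finance"), ("bjones", "G-Legacy"),
                        ("mlopez", "G-Finance-Admins"), ("svc_backup", "G-Backup")}

def revoke_list(decisions):
    """Hand-off to IT: every (account, entitlement, decided_on) marked revoked."""
    return [(a, e, d) for a, e, dec, d, _ in decisions if dec == "revoked"]

def reconcile(decisions, current, snapshot_date, sla_days=SLA_DAYS):
    """Confirm removals against the live system; flag what is still present and overdue."""
    result = {"confirmed": [], "outstanding": [], "overdue": []}
    for acct, ent, decided in revoke_list(decisions):
        if (acct, ent) not in current:
            result["confirmed"].append((acct, ent))
            continue
        age = (snapshot_date - decided).days
        bucket = "overdue" if age > sla_days else "outstanding"
        result[bucket].append((acct, ent, age))
    return result

def campaign_metrics(decisions, start):
    """Counts per decision, completion percentage and days to the last decision."""
    counts = {"certified": 0, "revoked": 0, "exception": 0, "pending": 0}
    for _, _, dec, _, _ in decisions:
        counts[dec or "pending"] += 1
    total = len(decisions)
    counts["completion_pct"] = round(100 * (total - counts["pending"]) / total, 1)
    last = max(d for _, _, _, d, _ in decisions if d is not None)
    counts["days_to_complete"] = (last - start).days
    return counts

def escalations(decisions):
    """Reviewers still holding undecided items, for the escalation process."""
    return sorted({r for _, _, dec, _, r in decisions if dec is None})

if __name__ == "__main__":
    print(reconcile(DECISIONS, CURRENT_ENTITLEMENTS, SNAPSHOT_DATE))
    print(campaign_metrics(DECISIONS, CAMPAIGN_START))
    print(escalations(DECISIONS))
```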

All in all, the process requires good messaging, in-scope work packages, correct stakeholder buy-in and regular performance management to enable the certifications to be effective and create a tangible ROI.