Preventative -v- Detective Security

There's an Italian proverb which reads 'vivere da malato per morire sano' - living like an invalid to die healthy.  Whilst that is one lifestyle extreme, looking after your body is generally seen as a positive if you want to live a long and healthy life.  Prevention is, indeed, generally seen as being better than the cure.  The same concept applied to information systems can produce some interesting results.

From a non-security perspective, I would say most management approaches and project budgets are focused on the reactive.  IT has historically not always been seen as an efficiency provider for the business, with budget often only being assigned when it's acknowledged that the business front line would be negatively impacted if a system, project or team were not present.  From a security perspective, I think reactionary policy is still deep in the mindset too.

Reactionary Security

When you casually think of information security tools and products, how many are naturally related to post-incident work or reacting?  Security Information and Event Management (SIEM) and logging tools are generally post-incident: if the event has been logged, it has surely already occurred.  File Integrity Monitoring (FIM) is another post-incident approach.  Anti-virus and anti-malware software could arguably be reactive, as you are checking signatures for a known attack, so a triggered alert indicates the malicious software has already been spotted on the system.  The flip side to something like anti-virus is that although something malicious has been spotted, you are preventing the real impact, which would occur if the malware were left to spread.  Identity and Access Management (IAM) could be deemed purely proactive, however, as the process is attempting to restrict access before an issue could occur, whether through malicious or non-malicious means.

Ethical hacking and penetration testing are another, more proactive, industry, but often these services are not engaged until after an organisation or application has previously been attacked and breached.  Budget release, especially for cyber security related technologies, is often easier after an organisation has been attacked.

Moving to Proactive

Security has several issues from a proactive implementation perspective.  Like anything, a detailed return on investment, including both tangible and non-tangible benefits, is required in order to sanction a project which won't necessarily deliver something immediately.  Proactive security is more of a mindset and long-term strategy, which can often be undermined if an organisation is then attacked after implementing a more proactive approach.

The implicit embedding of security in all software, projects and processes is often key to shifting to a more proactive standpoint.  This can be difficult at several levels.  Developers operating in the software development life cycle are often more focused on time to delivery and software quality, with approaches such as Agile and eXtreme Programming (XP) not necessarily making security a high priority.  Security can often be seen to slow down the development process and take attention away from the use cases the client wants completing.

From a business process perspective, security can often be seen as inhibitive or restrictive.  Again, time is a factor, but also non-technical personnel are quite rightly more focused on their individual business use cases: delivering products, realising revenue opportunities and keeping customers happy.  Unless security is silently embedded into a process, it too can be seen as time consuming and non-essential.  Until, of course, a breach or attack occurs.

Security awareness is often a key part of the progress towards a more proactive approach.  Awareness not only among everyday non-technical personnel, via regular online training and workshops, but also at board level too.  Security metrics can be used to help promote the idea that security up front is often more cost effective and business efficient than spending thousands on post-incident consultancy and investigative products.

Cyber Security Part V - Critical Infrastructure

The final part in the cyber security series will focus on the issues critical infrastructure environments face.  Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that can constitute a critical environment.  Whilst many financial services environments can be described as critical, critical infrastructure is more focused on the key assets described by a government as being essential to the standard functioning of society and the economy.  This would include key utilities such as electricity and water supply, public health institutions and national security groups such as policing and the military.

In recent years these environments have been subject to specific and prolonged attacks, exposing long-standing vulnerabilities.

Difference of priorities: CIA to AIC

The standard information security triad consists of confidentiality, integrity and availability.  The priorities for many business information systems will follow the CIA approach in that order.  Confidentiality is still the number one priority, with things like access management, network perimeter security and data loss prevention strategies still the number one budget grabber.  The main driver behind such decisions is often related to the protection of intellectual property, client records or monetary transactions.  The output of many service related organisations obviously takes on a more intangible nature, placing a greater reliance on digital management, storage and delivery of the processes and components that make that organisation work.

From a critical infrastructure perspective, I would argue the priorities with regards to the security triad alter, to focus more on availability, with integrity and confidentiality being less important.  An electrical generation plant has one main focus: generate and distribute electricity.  A hospital has one priority: keep people alive and improve their health.  These types of priorities, whilst relying on information systems substantially, are often managed in a way that makes their delivery more important than the component systems involved.

This difference in attitude towards how security policies are implemented can have a significant impact on vulnerability and exploit management.

Vulnerabilities - nature or nurture?

Vulnerability management from a consumer or enterprise perspective is often applied via a mixture of preventative and detective controls.  Preventative control comes in the form of patching and updates, in an attempt to limit the window of opportunity for things like zero-day attacks.  Detective defence comes in the form of anti-virus and log management systems, which help to minimise impact and identify where and when a vulnerability was exploited.  The basic steps often associated with enterprise protection are not always available within critical infrastructure environments.

Critical infrastructure is often built on top of legacy systems using outdated operating systems and applications.  These environments often fail to be patched due to the lack of downtime or permitted out-of-hours work.  ICS and energy generation systems generally don't have a 'downtime' period, as they work 24 x 7 x 365.  Outage is for essential maintenance only, and preventative patching won't necessarily qualify as an essential outage.  Given the age and heterogeneity of such systems, a greater focus on additional patch management would seem natural.  Many critical infrastructure environments are also relatively mature in comparison to modern digital businesses.  Mechanisation of industrial and energy related tasks is well over a century old, with computerisation coming only in the last 35 years.  This maturity has often resulted in cultural and personnel gaps when it comes to information security.

Basic security eroded

Some of the existing security related policies that have been implemented in critical infrastructure environments are now starting to erode.  The basic, but quite powerful, preventative measure of using air-gapped networks to separate key systems from the administrative side of the organisation is being eroded.  The need for greater management information, reporting and analytical systems has led to cross-network pollution.  The low-level programmable logic controllers (PLCs), used for single-purpose automation of electromechanical tasks, are now being exposed to the potential reach of the public network.  The connection of desktop and laptop devices to previously secured networks has raised the risk of infection from internet-borne malware considerably.

Recent attacks and a change in culture

The two major exploits focused specifically on critical infrastructure related environments in the last couple of years have probably been the Stuxnet and Duqu attacks.  Whilst the motives for these attacks are maybe different to the standard monetary or credibility drivers for malware, they illuminated the potential for mass disruption.  As with any security attack, post-incident awareness and increased focus often result, with several new attempts at securing critical infrastructure now becoming popular.  There are several government-led and not-for-profit organisations that have contributed to security frameworks for critical environments.  Kaspersky Lab also recently announced plans to develop a new built-from-the-ground-up secure operating system, with a focus on critical environments.

Whilst previously focused only on the availability and delivery of key services and products, critical infrastructure environments now have to manage the increasing threat posed by cyber attacks and malware exposure.


Protect Information Not Data

In an ideal world, should we not be protecting information instead of data?  This is an interesting concept.  We back up data.  We secure data.  We create and manage access control lists that allow the subject access to an object.  The object is generally classified as data.  We talk about 'big data', moving data to the cloud and so on.  But is the data component actually that important?  Obviously certain individual pieces of data are very important.  Certain documents, files and so on have significant importance and exposure levels.  But on the whole, is an organisation run on data or information?

I guess we need to define both of the key terms here.  What is 'data' and what is 'information' and more importantly what are the differences?

What is 'data'?

A basic technical definition would be that data is the low-level bits and bytes of an object.  This object on its own comprises basic, raw and unorganised facts.  The word has a Latin root, 'datum', meaning 'that which is given'.  As humans - or managers, analysts and so on - we need to interpret the data for it to become useful.  For example, backing up an email file such as a .pst is pretty useless for providing email reading and writing capabilities without being able to interpret that file via an email client.  The same can be said of data in general.  Without the interdependence with other data sources and analytical tools and frameworks, data has limited use.  If you were given an exam score of 65, that 65 on its own is pretty useless without knowing the pass mark, maximum score, comparative scores, averages and so on.

So what is 'information' then?

I'd describe information as being data that has been interpreted, organised and given some context.  Once the context has been identified and applied to a singular piece of data, it can then be communicated and reported to others, making it useful information.  That information in turn can be used to develop intelligence over time.  An organisation as a whole, whether that's a manufacturing or service based company, will really function on information.  Information creation starts with interpreting the raw data; information management then takes over via analysis and collaboration, ultimately ending up with information dissemination, either internally or to clients, with product messages delivered.

The point of an information management system

The information management system (IMS) is ultimately the mechanics between the raw data and something useful at the end.  IMSs will take an input, perform some processing and deliver an output.  In addition you'll probably have some control and feedback components too.  An IMS will also contain an important couple of ingredients: people and processes.  Whilst many organisations would love to automate as many people related tasks as possible, raw humans still have a pretty important role to play in any information chain.  They can add adaptability and rationality to decision making - as well as the opposite in some cases too.  But human knowledge is still a huge part of an organisation's successful output.

Protecting the entire information chain

This brings me back to the main point.  Don't just protect the individual data component of the information chain.  Without the other ingredients, including people and processes, the data itself can have limited use.  Backup and recovery techniques should really look to cover the people and process related aspects, even if those components are not as easily committed to tape as a database.  From a security perspective, an organisation should be protected at multiple levels, which would also include the processing and output components.  Processing could include collaboration tools and techniques, analysis and reporting too.  Output is an area which is often protected from the outside in - i.e. let's stop people seeing things we don't want them to see.  It should also be focused on internally, to make sure information going outbound is sufficiently restricted, managed and recoverable.

Infosec Product Release Review - 16th Nov

An overview of recently released information security products, services, frameworks and policies from the last 7 days:

NETGEAR Debuts More Powerful Version Of Popular VDSL

13 Nov 2012
In addition, like other members of the ProSecure UTM family of security appliances, ... As the second entry in the NETGEAR ProSecure UTM S product line, the UTM25S ... Inc. an Information Technology services company based in New York.

Cloud Security Alliance Releases Security Guidance 1.0

14 Nov 2012
The Cloud Security Alliance (CSA) has released version 1.0 of the "Security ... Additional information about Trend Micro Incorporated and the products and ...

Who Do You Trust?

This is a tough question, whether it's focused on technology or real life.  'Who can you trust?' is often an easier angle to take, but ultimately that is a precursor to the main question.  Peeling the onion a little, you can focus on bite-sized chunks and respond with 'trust with what?'.  If it's my life then the picture changes substantially.  I might trust Google with my search engine results, but perhaps not with diagnosing a disease.

The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route.  We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves.  Once that third party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly.  This is when issues can arise.

Skyfall - Cyber War Becomes Cool

I went to see James Bond's 23rd outing in Skyfall yesterday - for a second time this week I admit, I do love a bit of Bond.  The film is great - go and see it! - and intertwines the new world action film with all the old world British spy touches that have made Bond the longest running movie franchise of all time.

Gone were the gimmicky gadgets of old, with megalomaniacs trying to run the world, destroy the world or recreate the world, and in came a cyber terrorist with a personal vengeance.  Technology has always played a part in Bond.  The British secret service, Bletchley Park and GCHQ have all had their fair share of computer-related innovations, from encryption through to surveillance, so seeing a control room full of screens 'processing' unintelligible code and instructions is nothing new.  However, this time around it was the concept of cyber war that was more prominent, as opposed to the technology.

Cyber Security Part IV - Consumer Protection

This is the 4th part of the cyber security series I started, and I want to focus on the consumer a little more.  Cyber attacks have been well documented in their ability to damage large organisations, government websites and critical infrastructure.  However, there is still a large volume of non-technical home and mobile users who are ending up as the victims of online attacks and identity theft.

"The use of more portable devices, including smart phones, has increased user convenience, but also opened up a can of worms when it comes to security.  Smartphones are not really phones.  They're computers that happen to make calls."

Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to make a comment regarding the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  On both counts convenience takes hold, reducing security to a post-incident action.

Convenience Wins Out

The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost up front.  This could stop us spending our cash on something more instant and rewarding, in exchange for the potential of a payout in the future when things don't quite go to plan.

Social Networking Security Management

Like it or loathe it, social networking is omnipresent.  From youthful party picture posting to professional networking and virtual discussion boards, your online personality and data sharing can be both powerful and an exploitable vulnerability.

The usefulness of many social networking sites often increases the more of your personal information you make available.  In recent years this has led to many criticisms of the likes of both Facebook and Google+ for how they manage and make use of your personally identifiable information (PII).  Whilst there are risks with publishing any personal data online, careful management and protection of such data makes social networking less risky and more powerful than ever before.