
May 10, 2008

(ISC)2 exams

This week I’m participating in an (ISC)2 workshop on item writing and review for the ISSAP certification. The opportunity has given me a very good view of how the exams are created and managed. Honestly, what I have seen so far has completely changed the way I see these certifications. The process is thorough and every question goes through a review by several very good professionals. I know that passing a test, even one with good questions, is not proof of professional competency, but it’s a good way to assess the basic knowledge of a candidate. Congratulations to (ISC)2!

April 30, 2008

Virtualization - there is also a good security aspect

Filed in Quick comment

I was reading this article from NetworkWorld about “Virtual Server Sprawl” and the problems it causes for security. While I agree with the point of view presented there, I also think that the ease of deploying a new server brought by virtualization can help us control an old security problem: servers with too many functions.

Lots of people have already said that VMs should be grouped by their sensitivity levels, and I agree with that. If organizations use virtualization to improve the segregation of server roles and keep to that grouping concept, it will certainly help to improve network security. It always saddened me to see those Web+DNS+SMTP servers. Now those roles can be kept on a single piece of hardware, but with much stronger isolation between them through virtualization.

April 23, 2008

Finally someone said it!

Filed in out of the box

I was extremely happy to read this post from Richard Mogull, where he says:

Data Classification Is Dead

I know what’s running through your head right now.

“WTF?!? Mogull’s totally lost it. Isn’t he that data/information-centric security dude?”

Yes I am (the info-centric guy, not the insane bit), and here’s the thing:
The concept that you can run around, analyze, and tag your data throughout the enterprise, then keep it current through changing business contexts and requirements, is totally ridiculous. Sure, we have tools today that can scan our environment and, based on policies, tag files, but that just applies a static classification in a dynamic environment. I have yet to talk with a customer that really does enterprise-wide data classification successfully except for a few, discrete bits of data (like credit card numbers). Truth is that’s data identification not data classification.

Enterprise content is just too volatile for static tags to really represent its value.”

A few years ago I was advocating the same thing during a discussion with some friends, complaining about how pointless the current data classification policies and procedures are when we consider the current state of applications, data sharing and web 2.0 stuff. I just don’t believe that information classification can happen in a dynamic organization in the way it is taught in, let’s say, a CISSP prep class. We really need to think out of the box when dealing with the challenge of prioritizing security measures according to the value of information.

I’ll quote Richard again about data classification: “That, my friend, is not only dead, it was never really alive.”

The new security guy

Filed in Quick comment

Alan Shimel has blogged about a very common situation, the one where a networking (or anything else) guy becomes the new security guy.

I’ve lost count of how many times I’ve seen that! The problem is that it’s not only common; it’s also impressive how many of these guys believe they know all about security from the moment they receive the new job title.

I worked in a big security team where almost nobody was a security professional; they had just ended up “falling” into the security department. It was a huge nightmare to make them understand that they didn’t know the basic concepts and that some things had to change. Until people understand that our job isn’t like a new device that you learn how to set up, we will keep seeing those cases and their results: breaches, breaches, breaches.

April 18, 2008

Isn’t it an interesting case for business continuity studies?

Filed in Brazil, Quick comment

I was reading about the strike of the federal customs auditors here in Brazil. They are not inspecting cargo coming through the ports, so the arriving containers can’t be unloaded. Ok, it shouldn’t be a problem for exported goods, since the problem is with imported goods, right?

Not necessarily. The strike is causing problems for exports too: not only are the storage areas at the ports full, but now there is also a shortage of empty containers! Isn’t it an interesting case for business continuity studies?

April 17, 2008

Windows Server 2008 - Server Core

I really love the concept of Windows Server Core - an installation that includes only the minimal components needed to make Windows work as a server - that Microsoft will include in Windows Server 2008. The advantage is obvious: a reduced attack surface.

However, I just found an interesting piece of data: someone looked at the information from past security bulletins and noticed that of 25 past bulletins only 4 would apply to Server Core. Quite interesting, isn’t it? So follow the tip from this post and go ask your software provider whether their product will work on a Server Core installation.

Have you tried Secunia PSI?

Filed in tools

In times when we are talking about flaws in Adobe Flash, Apple QuickTime and so many others, it’s good to ask how we are doing at ensuring that we are not running software with known vulnerabilities. Last August I blogged about Secunia PSI. I’ve been using it since then and it’s impressive how hard it is to stay up to date with all the software running on our workstations. The scanning process is a bit resource intensive, so I choose to run it periodically (once a week) instead of keeping it always running.

Today I ran PSI and it found some things that should be updated. Some of them were expected (Adobe Flash) and others I was not aware of, such as VMware Server, VLC Player and 7-Zip. This is a good example of how easy it is to have vulnerable software running on our computers. PSI does a very good job of detecting software that needs to be updated, so I recommend it to everyone. If you are not using anything to keep track of software updates, try PSI. You will be surprised.
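To make concrete what a tool like PSI is doing for you, here is an added example (written for this page, not Secunia’s code) of the core check: take an inventory of installed software with versions, compare each entry against a list of advisories that state the first fixed version, and report what is still exposed. The product names echo the post, but every version number and advisory id below is a constructed sample value, not a real release or a real advisory. The version comparison also handles two traps a naive string compare falls into: a missing trailing component (`9.0.115` vs `9.0.115.0`) and a single-letter patch suffix (`0.8.6` vs `0.8.6e`).

```python
"""Added example: the version-comparison core of a patch-status check,
in the spirit of what Secunia PSI does on a workstation.

Illustrative code only; the inventory and advisory data are constructed
samples and the advisory ids are placeholders, not real references.
"""
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.115.0' or '0.8.6e' into a tuple that compares correctly.

    Numeric tokens become integers. A single trailing letter (common patch
    suffix, e.g. '0.8.6e') becomes its position in the alphabet so that it
    ranks after the bare version. Longer alphabetic tokens such as 'beta'
    or 'rc' are ignored by this simple parser.
    """
    parts: List[int] = []
    for tok in re.findall(r"\d+|[A-Za-z]+", text):
        if tok.isdigit():
            parts.append(int(tok))
        elif len(tok) == 1:
            parts.append(ord(tok.lower()) - ord("a") + 1)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator.

    Both tuples are zero-padded to the same length first, otherwise Python
    would rank '9.0.115' below '9.0.115.0' just because it is shorter.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Exposed when the installed version is older than the first fixed one."""
    return compare_versions(installed, fixed_in) < 0


# Constructed sample inventory, as a workstation scan might report it.
INSTALLED: Dict[str, str] = {
    "Adobe Flash Player": "9.0.47.0",
    "VLC media player": "0.8.6",
    "7-Zip": "4.58",
    "VMware Server": "1.0.4",
    "Notepad": "1.0",
}

# Constructed sample advisories: product -> version that first fixes the issue.
ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-001", "product": "Adobe Flash Player", "fixed_in": "9.0.115.0"},
    {"id": "ADV-EXAMPLE-002", "product": "VLC media player", "fixed_in": "0.8.6e"},
    {"id": "ADV-EXAMPLE-003", "product": "7-Zip", "fixed_in": "4.58"},
    {"id": "ADV-EXAMPLE-004", "product": "VMware Server", "fixed_in": "1.0.5"},
]


def find_outdated(installed: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Match advisories against the inventory and list what still needs a patch."""
    findings = []
    for adv in advisories:
        product = adv["product"]
        if product not in installed:
            continue  # advisory for something this machine does not run
        current = installed[product]
        if is_vulnerable(current, adv["fixed_in"]):
            findings.append({
                "product": product,
                "installed": current,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_outdated(INSTALLED, ADVISORIES):
        print(f"{hit['product']}: {hit['installed']} installed, "
              f"fixed in {hit['fixed_in']} ({hit['advisory']})")
```

Run as a script it lists Flash, VLC and VMware Server; 7-Zip is at the fixed version and Notepad has no advisory, so neither is reported. A real tool adds the hard parts this sketch leaves out: discovering what is actually installed (registry, file signatures) and keeping the advisory feed current.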

Adobe is the next target - does anyone still doubt?

Filed in Security Market

A few days ago a new Adobe Flash vulnerability was found (through a very interesting piece of work, I must say). I had blogged about my concerns regarding ubiquitous software like Flash players. We have been seeing the dangers of security vulnerabilities in this kind of software for years, beginning with Microsoft. Now that Microsoft is doing a good job of closing (and avoiding new) gaps, attackers are taking the logical approach and shifting their targets to software that is as widespread as Microsoft’s.

Adobe (Acrobat, Flash, now AIR) and Apple (QuickTime and iTunes) would be the next targets, and this is being confirmed. I heard at RSA that Adobe has a good security posture as a company (Dan Kaminsky mentioned during his presentation that Adobe acted very proactively and quickly on a vulnerability he found), but I still haven’t seen the same posture from Apple. Do we need to wait for an “iTunes worm” before Apple starts to take this matter seriously?

April 16, 2008

Polaris - A very interesting research piece from HP

Mr. Alan Karp mentioned this piece of research from HP Labs during an RSA session:

“Polaris is a package for Windows XP that demonstrates that we can do better at dealing with viruses than has been done so far. Polaris allows users to configure most applications so that they launch with only the rights they need to do the job the user wants done. This simple step, enforcing the Principle of Least Authority (POLA), gives so much protection from viruses that there is no need to pop up security dialog boxes or ask users to accept digital certificates. Further, there is little danger in launching email attachments, using macros in documents, or allowing scripting while browsing the web. Polaris demonstrates that we can build systems that are more secure, more functional, and easier to use.”

The paper is quite simple and easy to understand, but it gives us some very important lessons. If Microsoft had tried a similar approach in Vista, UAC might have been much better accepted by users.

This kind of research should be the core of security innovation. Instead of trying to build “Anti-X” and “Anti-Y” stuff, we should concentrate on reviewing things that are badly designed and that can be fixed in an elegant way, as Polaris does.
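The Polaris quote above is about who hands an application its authority and how much. The following is an added example, written for this page and not Polaris code (it says nothing about how Polaris configures restricted Windows XP accounts), that models the contrast in plain Python: one launcher gives a document viewer a path and the user’s full rights (ambient authority), the other opens the file the user picked with only the mode the task needs and hands over just that handle (the Principle of Least Authority). The “misbehaving” viewer, its name and behaviour a hypothetical stand-in for a macro or attachment, does its legitimate job and then tries to overwrite the document; the least-authority launch is the one where the attempt fails without any security dialog.

```python
"""Added example: a toy model of the Principle of Least Authority (POLA)
described in the Polaris quote. Not Polaris code; it only contrasts two
ways of handing an application the document the user chose.
"""
import io
import os
import tempfile


def misbehaving_app(doc) -> dict:
    """Hypothetical viewer that has been subverted (think macro or attachment).

    It does the legitimate job (read the document) and then attempts
    something it was never asked to do (overwrite the document).
    """
    content = doc.read()
    try:
        doc.seek(0)
        doc.write(b"altered by the application\n")
        doc.flush()
        tampered = True
    except (io.UnsupportedOperation, OSError):
        # A read-only handle is enforced by the file object / OS, not by
        # trusting the application to behave.
        tampered = False
    finally:
        doc.close()
    return {"read_bytes": len(content), "tampered": tampered}


def launch_with_ambient_authority(app, path: str) -> dict:
    """Usual model: the app gets the path and opens it with every right the
    user has. Whatever it then does, the OS allows."""
    return app(open(path, "r+b"))


def launch_with_least_authority(app, path: str) -> dict:
    """POLA model: the trusted launcher (Polaris calls this part the
    'powerbox') opens the chosen file with only the mode the task needs and
    hands the app that handle. The app never receives a writable one."""
    return app(open(path, "rb"))


def demo(launcher) -> dict:
    """Create a throwaway document (constructed content), run the app through
    the given launcher and report whether the document survived intact."""
    original = b"quarterly report, do not modify\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
        path = tmp.name
    try:
        result = launcher(misbehaving_app, path)
        with open(path, "rb") as f:
            result["intact"] = f.read() == original
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("ambient authority:", demo(launch_with_ambient_authority))
    print("least authority:  ", demo(launch_with_least_authority))
```

The in-process model only shows the hand-over of authority; nothing stops Python code from calling `open()` on some other path itself. That is exactly why Polaris runs each application under its own restricted account: the operating system, not the application, is what enforces that the read-only handle is the only thing it can reach.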

CyberStorm II and languages

The panel about the CyberStorm II exercise at RSA wasn’t very good on content (in fact, it was terrible), but one thing caught my attention. Other countries participated in the exercise: Australia, Canada, New Zealand and the UK. Did you notice that only English-speaking countries took part?

Last year I saw Mr. Mike Reakey, from Microsoft, showing the kind of communication that their Response Center receives. That includes messages written entirely in different Unicode character sets. Now, if this is a challenge for the Microsoft Security Response Center, can you imagine the problem that the language barrier would be in a worldwide cyber crisis? I think the next CyberStorm exercise should include countries with different languages, to assess the impact this can have on incident response and communication procedures. I’m certain it will be bigger than expected.