Thursday, February 25, 2010

What is a CISO? [1/2]

What is a CISO? Saperlotte ! [in French in the original text, ed.]
People have tough questions sometimes. Or rather tough Google searches, as it seems that people often stumble across this blog when asking Google for an answer to this question.

CISO, Chief Information Security Officer, is a management and leadership position that often reports to the CIO or to the CEO. There are also CISO positions that report to the CSO, to the CCO or to the CQO. Even sometimes to the CFO. That's merely a hierarchical view of the question because, most of the time, the CISO has to work with all of these people and reports to several of them depending on the occasion. As a summary, the CISO is a C-level who reports to C-levels...

He's a manager because he handles projects, teams, planning and budgets. He's a leader because he needs to get things done that are of primary importance only to him. Said otherwise, most people in an organization can get very successful at their work without ever reading a security policy, let alone understand it, let alone help enforce it. So the CISO has to play his cards with some subtlety and some charisma to achieve results.

He's in charge of multiple things, but I summarize it this way:
  • Integrity of data in the information system,
  • Availability of services provided by the information system,
  • Availability of IT services provided by external partners,
  • Confidentiality of exchanges,
  • Elimination of recurrent problems to decrease operational costs,
  • Durability of services provided by the information system, in provision for changes in technologies or business needs,
  • Conformity of IT practices with legal constraints.

The CISO has to write corporate policies and directions that support the previous goals, that need be approved by the board of directors. One hard part (for any C-level, I should say) is to propose long-term, innovative yet efficient, realistic, goals. And to communicate around it, because such documents are definitely not written to remain on a shelf.

The CISO has to deal with a number of "typical" phenomena about security questions, that happen in all organizations. Different CISOs react differently. Examples of such facts are:
  • Irrational fears and sudden irrational fears,
  • FUD used by vendors of security products,
  • What I call the "TV effect", with the words of the presenter having more influence on the final user than those of the CISO,
  • Over-enthusiastic users or managers,
  • "Security theatre", the use of illusions that give users a false feeling of security, very common in security products,
  • What I call the "side effect of security theatre", when users and, worse, managers ask for more security theatre because it feels great,
  • The 3rd of Clarke's laws, "any sufficiently advanced technology is indistinguishable from magic", which clearly applies to ITsec, which means that most people simply believe you're doing magic,
  • Managers rarely believing in magic as a profitable corporate asset,
  • Legal department of most organizations having no skill regarding IT laws[...]
Next article on insight, philosophy and giving staff a sense that security is not only a constraint.

Note: If you're any surprised that I wrote "he" and never "she", that's because I never met a woman in this position. But I'd be pleased to.

Sunday, February 21, 2010

The US destroying the Internet?

Every now and then I read or watch a scenario about the US destroying or dramatically altering the Internet, for security purposes or for commercial purposes. For me, even if that were feasible, that would be silly and I think that's never going to happen.
If the US were to destroy or reduce the availability of the Internet, others would rebuild it, anew, differently.
  1. The US would get a considerable loss of earnings from a worldwide project probably not developed in English (Chinese?), not developed by American companies.
  2. They would lose their technical skills. New skills would be required for the new technologies of the new network.
  3. They would lose the target of their current spying methods, quickly moving to the new network.
  4. They would not be able to create such spying methods for the new network, because they would not be the primary actor, centralizing infrastructure, skills and budget.

Saturday, February 20, 2010

RSS feeds for IT and ITsec

In bold characters those that I actually enjoy reading each and every time.


"General" IT:


I also have my own feed Assaults on the Internet neutrality [*] gathering articles from all that I read on the web about governments and ISPs messing with the neutrality of the Internet.

Security predictions for 2010 and a few wishes

As usual, nothing posted on this blog is related to my job at my employer. These are merely thoughts gathered from readings on the web and personal considerations.

(If you're wondering why I didn't post this in January, think that holidays spent in Sicily, Romania, Hungary and Serbia are worth being late. I really love the Carpathians.)
  1. Linux systems will become an interesting target for hackers because of Google's OS.
    The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
  2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
    It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
  3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
  4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
    There will be a fashion for it and a lot of blunders will be made in the beginning.
  5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
  6. There will be an overflow of non-browser software using SSL.
    Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
  7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
  8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
    • The web is too huge for any current government to master it, or even understand it.
    • The free software community will sidestep any technical measure towards censorship.
  9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
  10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.

And now a few wishes:
  • That people stop thinking I work on viruses when I say I work on ITsec.
  • That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
  • That service managers start budgeting time for service reviews and corrections, not only service implementations.
  • That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
  • That my government stops being such a liberty killer about IT.
  • [...]
  • That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?

Thursday, February 18, 2010

Have you heard about CSRF?

Cross-Site Request Forgeries are probably the simplest kind of attacks against unprotected websites. It simply works with a site A that the attacker owns (hacked or hers) visited by the victim, making a request to a site B where the victim is authenticated. As the victim (or rather her browser) is already authenticated on B, the request succeeds and the site A gets the content, and is free to make whatever it wants of it.

For example, in one tab or window, you'll be having a look at your bank account (B). On another tab or window, you'll be visiting a random page, say a blogging page (A). The page A contains code that makes a request to the bank site. The bank knows you're currently connected and thinks it's a regular request. And responds to it. So A receives informations about your banking accounts and does whatever it's meant to do with it.

When I discovered about this kind of attacks, I couldn't suppress a roar of laughter. That's so easy that I wondered how dumb I was not to have thought about it myself.

I can remember two years ago foretelling my friend and former co-worker Gabi Popa that it would become a major problem in web apps. Now, both the OWASP (since 2007) and the MITRE put it in the top five of the worst problems of web apps.

I think it's a problem that's going to last for a long time because the source of the problem can be identified both in the web apps and in the web browsers, resulting in a "no-one moves first" situation (delaying the moment when the developers of one side will roll their sleeves up and act.)