Thursday, November 25, 2010

Internet Quarantine: Where IT Differs From Healthcare

As Bruce Schneier goes on the subject of quarantining potential threats away from regular users of the Internet, I think it's interesting to point a big difference between IT diseases and human diseases: we have the code. We have the specifications for the computer.
For closed source, the software maker has the code, which means that diseases or weaknesses can be fixed with more efficiency than any human condition.
For opensource, it's even better: everyone has the code, which means that everyone can look for a solution to a problem.

That's not to say that every Internet user is a qualified-IT-physician, it's just to underline that comparing IT and healthcare may not be so promising. Compared to medicine, IT professionals can fix a problem in no time and no money. Although there are problems of copyright in IT, it's nothing compared to those in pharmaceutical industry. The whole plan of the human body and interactions is still to draw. And we can spoil many computers, hours of computing, lines of code, reboots, for research without an ethical problem.

Wednesday, November 10, 2010

Please NO MORE Top 10 Security Measures!

I have a habit to collect web articles about security measures to apply for specific security situations. Those articles usually have a title like "Top 10 security measures for the administration of XYZ" or "Top 20 vulnerabilities in XYZ servers". And I now have a feeling that it's a bad thing to present a security approach that way.

Let's take a few examples:
What's good in these articles is that you can use them for what they are: a grid to think about your own security. But they don't provide exhaustiveness and, for that matter, they may not even be suitable for your own case.

That's a question of risk management (of course) but, putting away big words like these, you'd simply wonder why there are 5, 10 or 20 top measures and not 2, 6, or 11. The measures in these articles are gathered not to provide a level of security, or a level of security maturity, but to make for a long, publishable list. And that you should implement only the top 3 measures, or only measures number 2, 4 and 5 is left up to you. Not mentioning that you may not implement 2, 4 and 5 in this order but may very well begin with number 4 or 5.

What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.

Let's add an illustration to this (nasty) comment: Friends recently asked me to attempt penetration on a website that they wanted to secure. What I found was:
  • an easy access to htpasswd file,
  • obvious passwords that John the Ripper guessed in no time and
  • cleartext credentials to access the database.
If you look at the OWASP list, you'll find the corresponding measures at number 6 and 7. Yet, all Apache admins know that they are on maturity level zero. Furthermore, for that precise site, OWASP's number 1 (code injection) was almost irrelevant.

That's not to say that OWASP's work (or anyone's listed above) is not good. It is, and useful if used correctly. It's just to say that I'd prefer to see more "Beginner level 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: From step 1 to step 4" articles.

Tuesday, November 2, 2010

Monthly ITsec Leadership Quotes and Articles: October 2010

A little late (in love, keeps one busy!)
  • Incident or Event Management: Keep it simple but real!, on the IT Security and Compliance Thought Leadership blog.
  • 25 Sure-fire Ways To Motivate Your Team Members, excellent reminder of the basics for team motivation and good atmosphere.
  • Security: Competence Never Compensates for Insecurity, aka Attributes of Leadership #17 on Joyce Schneider's blog.
  • [FR] A good security policy reflects the life of the company, by NetASQ's product director Jeremy d’Hoinne, addressing the future of firewalls, that is, something else, not firewalls. Traffic inspection, all-in-one appliances... Nothing new but I'm glad to hear that from NetASQ.
  • Transparency, accountability, and IT success (Michael Krigsman).
  • Help! No One Is Following Our Processes! on The Hitch Hiker's Guide to the ITIL Galaxy and Beyond.
  • How to Crush Dissent, on Rob Weir's blog.
  • Microsoft is a dying consumer brand, on, which is my feeling as, in very little time, Microsoft added up Vista, Zune, unwanted DRMs, Office 2007's frightening GUI, and missed the turn to smartphones and web applications...
  • "Companies up and down supply chains in numerous industries confront the same challenge: A well-intentioned individual action or demand aimed at making a business greener can create a long string of unanticipated consequences that collectively dwarf the benefits.", by Hau L. Lee in HBR, October. You could switch greener for any of: more secure, thinner, cheaper, more customer-friendly...
  • "Listen, don't broadcast", as a hint for a company's social media strategy, by Larry Kramer, same source
  • "One CEO I know fines people $1 for every e-mail he gets that he didn't need to see.", Rita Gunther McGrath, in HBR Onpoint, Fall 2010.
  • "If you think your people won't understand something, remember it's your job to explain it to them.", Stever Robbins, same source.
  • "[...] if things aren't going well, the teams are probably well aware of the problems. In fact, they've probably known about them longer than you have.", same author, same source.
  • "Most organizations penalize employees for the wrong outcome, even if they follow the right process. Perversely, others are rewarded for the right outcome, even when they flout the rules about process.", same author, same source.
  • "[...] the value of clear, honest, explicit communication rises exponentially with the size of the organization.", John Hamm, same source.
  • The whole article The Leadership Lessons of Mount Everest, same source, which I can't quote without reprinting it entirely. (Reprint R0109B)

Security ROFL 2

Firesheep and forcing SSL

All that Firesheep buzz lead me to discover that a Firefox extension wraps your web traffic into SSL if the remote site supports it. Very simple, neat, idea. (Thanks to NetworkWorld and thanks you Jicé for first noticing.)