Saturday, March 27, 2010

iSEC recommendations following the Aurora attack on Google

I finally found some time to read the iSEC Partners recommendations about the attacks on Google and other companies, originating in China, in January this year.

This post is just to underline what a very good read it is for people in IT. I like it because:
  • It does not look for a silver bullet but lists several points that need to be addressed.
  • It points out, as so many posts on this blog do, that you first need to understand and monitor what you do, as a human, before implementing costly solutions.
  • It also points out that you need to work on the security of the endpoints (users' machines), especially by updating client software regularly.
Well, just go and read it; it's six pages long.

Tuesday, March 23, 2010

What is a CISO? [2/2]

Security is not about putting an appliance somewhere in the network; it's about mastering what you do. It means strictness, control, review and improvement. That's not what the typical IT guy wants to do every day. He wants to serve users with the least amount of personal work, which at first glance means without security. That's why security may primarily look like a constraint.

But it's not. Security is not only a constraint; it's an enabling mechanism. When you have good security you can do more things. A simple illustration: you can drive very fast on a motorway because you have good brakes. If you didn't have them, you'd never allow yourself to drive faster than 60 mph.

So, when I talk about giving staff a sense that security is not only a constraint, I mean underlining to them how much you can achieve with security that you couldn't without it. Let me draw a few examples from real situations I've seen in companies or heard about on the Internet:
  • When you have precise inventory management of computers and printers, you can charge their cost back to other departments more equitably.
  • When you have a strict one-identity-per-account policy, actually enforced, you can go one step further and implement SSO.
  • When you are able to constrain and audit the work of your contractors during remote maintenance, you may be more willing to ask for remote maintenance.
  • When you have backup systems that are up to the task for all of your main services, you can grant your admins an additional week off.
  • In the same vein, when you don't spend hours chasing viruses, you can spend those hours implementing new things.
  • When you have a solid web proxy and a sound policy for it, you can grant Internet access to more employees.
  • When you have an automated RBAC system, you can provision new users faster when they join the company.

The thing is, security people know this way of thinking about security, but they most often communicate in terms of obligations, constraints and legal requirements. That's why security looks like a constraint. (Think of Mordac, the Preventer of Information Services in Dilbert!)

(
That way of thinking is something I didn't see in Bruce Schneier's book Beyond Fear, however interesting that book is. (See Scott Granneman's notes about the book.) Bruce suggests a five-step method to assess the value of a security measure:
  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What costs and trade-offs does the security solution impose?
But Bruce forgets a sixth question: What do you get from that security measure besides protecting the assets?
That's why I think his view of a national ID card is flawed. When you live in a country with a national ID card, as I do, you see that it allows businesses, starting from the smallest shop, to have a good idea of the identity of buyers in case they don't pay. Sure, the ID card is not impossible to fake; it's simply too hard for the passer-by to fake.
)