Wednesday, December 15, 2004

Finally, a sensible security scheme | Tech News on ZDNet

Finally, a sensible security scheme | Tech News on ZDNet, and one that any enterprise could follow with a few simple changes. The basis for the article is the Visa Cardholder Information Security Program, which is designed to protected credit card information and transactions while being processed by merchants and card processing service providers. The Visa program has a number of tools, including a program description, a compliance audit procedure, training and list of certified consultants available to assist in meeting compliance requirements.

The most important tool for those that want to improve security in their own networks is the Security Audit Procedures and Reporting document (in pdf). At the high level the Visa program has 12 steps (taken directly from the web site):
  1. Install and maintain a working firewall to protect data.
  2. Keep security patches up-to-date.
  3. Protect stored data.
  4. Encrypt data sent across public networks.
  5. Use and regularly update anti-virus software.
  6. Restrict access according to "need to know" basis.
  7. Assign unique ID to each person with computer access.
  8. Don't use vendor-supplied defaults for passwords and security parameters.
  9. Track all access to data by unique ID.
  10. Regularly test security systems and processes.
  11. Implement and maintain an information security policy.
  12. Restrict physical access to data.
These are explained in detail in the Audit Procedure document, which sets out what should be implemented and how to verify compliance in a very easy and straight forward manner. The only change any enterprise needs to make is to replace the words "cardholder information" with whatever data is critical to their business. Visa developed this so that external partners had a security roadmap to follow. Note that it may be necessary to consult with Visa about using this, or a very similar program, as Visa holds the copyright. But at least the principle of giving external partners useful security guidance is of value.

Moreover, most enterprises would improve internal security if they followed these, or similar, guidelines themselves. Access to all business critical data is tracked by user, and all business critical data is encrypted while stored (at rest), and while in transit outside local area networks.

The reader should study the Audit Procedure document and work out what the elements of the security architecture are that are necessary to meet the requirements. There are obvious hardware and software elements. What resources are required to support the added complexities that face the knowledge worker, or the system administrator in this environment? Visa says that these are the requirements to do business with them, and there are significant financial penalties for failure to meet these requirements, even if the failure to meet these requirements does not result in a security incident and loss of information or money.

As much as I like these guidelines, I still feel there are critical elements that have not been addressed. Can you spot some of the weaknesses that would exist in an implementation of these guidelines? Next time I will revisit this with some suggestions for improvement.

posted by John Davidson at 19:08 189 comments

Tuesday, December 14, 2004

Desktop search new target for viruses? | CNET News.com

Desktop search new target for viruses? CNET News.com gives a warning that should be heeded by enterprise and home users alike. Do _NOT_ install any of the current crop of 3rd party Desktop search tool add-ons for Windows, under any circumstances. In the rush to get on everyone's desktop, security has been forgotten.

First they all require Internet Explorer to be used as a host environment. Other browsers are not useable as they employ ActiveX technology to leverage the browser as a client, rather than providing a standalone client that can communicate with the server portion of the tool.

Secondly there are problems with the context in which these technologies run. Because they have access to everything on the desktop it means that private information from one computer user may be visible to another user on the same computer. This could lead to lawsuits as a result of inappropriate exposure of data, especially in the workplace.

Clearly there is a need for a good desktop search tool. The current desktop search tools have extremely poor performance or require exorbitant resources in terms of either processor or diskspace. This crop of tools purports to fix some of these issues, but the mechanisms expose too much information. Enterprises and users need to emphasize that yes the tool is wanted, but that it must meet basic security concerns.

The requirements to be acceptable are:
  • Run as Local Service on Windows systems that support this account;
  • Have a standalone client or use a non-ActiveX technology (do not use Internet Explorer);
  • Do not return information about any data, file or email the user performing the query would not normally be able to see;
  • Use minimal processor cycles;
  • Do not return information about deleted content;
  • Tell the user how much harddrive space will required (estimated) at install time;
  • Have a consist manner of managing Remote Directories mounted as Network Drives across multiple users.

posted by John Davidson at 20:43 100 comments

Monday, December 13, 2004

Who says safe computing must remain a pipe dream? | Perspectives | CNET News.com

I find Bruce Schneier to be a voice of calm reason when discussing matters of US national security. He exposes rhetoric and overreaction with clear and concise arguments, explaining his position succinctly, and demonstrating why a particular measure will not achieve the desired results. The majority of his writings, except for the books, can be found on his website at http://www.schneier.com/.

However, in the case of his essay, Who says safe computing must remain a pipe dream? | Perspectives | CNET News.com I believe he fails to see what the real problem is.

First I agree with some of the recommended steps, while others I must also question. While it is not something that I do myself, I would agree that a normal home user should shut down the computer when it is not in use. His advice for laptops and PDAs is perfect. His advice on backups is also reasonable, though the expectation on how this is to be done is the crux of the real problem. The recommendation to limit the number of applications to only those that are actually used, and to keep them patched is ideal. The advice on browsers is also the same as what I recommend, not only for the home user, but also for the enterprise user. All ecommerce web sites should be used only after weighing the options, if it can be done easily offline then probably the security concerns should preclude doing it online, simply because even the best run, most secure site may give up critical personal or financial information of yours to a hacker, or you may mistakenly give that information yourself to a phisher. I agree with most of the advice about email except that I found Outlook 2003 to be acceptable. Each home user should have a firewall as recommended, but it is only the Window OS user who must pay, both Linux and Macintosh computers come with adequate firewalls for free. Even the newer versions of Windows, such as XP SP2 will have an almost acceptable firewall included. The rest of the recommendations may be good advice for a relatively experienced user, they are beyond the capabilities of most users to implement and follow.

Backups are more easily doable, by a home user, in Windows, than in any other operating system, but it is still too hard. Especially the process of doing a restore, when the inevitable happens. The backup and restore process was developed for the system administration professional, not for the home user. Performing backups in Linux requires considerable expertise, and is not possible on a Macintosh running OS X, without adding a third party product.

I use all 3 operating systems in my office, and have administered Unix system going back to 1985 in the enterprise environment. I actually decided to get very serious about information security when one of the first Linux computers I ever installed was hacked within 15 minutes of connecting to the Internet. My personal favorite OS is the Macintosh, especially from the point of view of security, but there is a significant premium at the entry level for the purchase of a Macintosh, in part because it contains a higher security value. I understand the recommendation to delete "command.com" and "cmd.exe", but would extremely wary of actually doing so, as these programs are not in themselves security vulnerabilities, and are in fact necessary tools. Similarly setting Windows Update to automatic is not a panacea as the process fails with a high regularity to correctly apply the necessary patches.

The advice on passwords is partially correct. It is nearly impossible to remember a truly secure password. I have to agree with Mr Gates here, passwords have past their best by date, but the technology to replace them is still some years away. So if a user creates a secure password, but needs to write it down the problem then becomes where to store it. It should never be in the same wallet as banking information, such as debit and credit cards are stored. Storing these items together is like storing a weapon with its ammunition - something is going to get shot, or substantial sums of money are going to be lost, which the bank will not replace due to user stupidity. Perhaps Bruce Schneier did not want to pump his own product, but he has created a password vault tool. I recommend you use it or something similar for storing passwords.

Every user should run antivirus software, and yes the updates should be installed as frequently as they are available. I object to the automatic update of virus data as the vendors are generally using tools to perform this update, which are themselves vulnerability vectors. Non-windows OS users should also run antivirus software, even if there are none or nearly no virus vulnerabilities in their OS, as a windows virus can be harboured in their OS and later transferred.

I disagree with the recommendation on antispyware software. There are not enough reputable firms participating in this effort and the ones that are reputable are not a complete solution. If the user does not know how to avoid spyware in the first place, they will not be able to adequately combat it even with the best of the current crop of tools. If spyware is a problem do not use that computer for any ecommerce or keep any information that is important or should remain private on that computer, or any computers also connected to that network.

The use of encryption is second nature to an individual such as Bruce Schneier, but for the uninitiated it is a black art, especially the free versions of PGP. The commercial versions are better, but the problems such as key recovery and backup issues make this impractical for the vast majority of users.

Fred Langa runs the Langa List, which is a twice weekly newsletter full of tips and advice. This newsletter is targeted at the a user who has some familiarity and comfort with the operation of a computer, but it is evident that even these users would have difficulty in following the recommendations of Bruce Schneier, but Fred regularly gives relevant advice to try and demystify the process.

There have been suggestions, none truly serious, where a user would be licensed to get access to the Internet following a competency test. If that were to be followed through on, then the concepts noted in this article could form the basis for the practical examination portion where a user demonstrates that competency. Failing a licensing process, computer manufacturers, including OS, software and hardware need to change their products so that security, not usability are the prime concern.

At the opening of this commentary I note that Bruce Schneier failed to understand the nature of the problem. I think the problem of information security for the home user is a result of the complexity necessary for correct operation of current computers. The Macintosh clear has the lead in being the least complex with the most security. Windows has the highest degree of user desired functionality, mainly at the expense of those users security and privacy. Linux has the absolutely worst mix from the point of view of a consumer, in that it is complex in terms of both functionality and security. Both Windows and Linux have begun to address some of these security issues, but considerably more needs to be done before the goal of safe computing becomes other than a pipe dream.

posted by John Davidson at 18:31 39 comments

Sunday, December 12, 2004

RED HERRING | Top 10 Trends: We know who you are

This article discusses why identity management will become important in the coming year. Unfortunately it views this as problem for the enterprise and ignores the much bigger problem of the home user. The home user will demand a system that provides both privacy and security, while allowing access to bank accounts, shopping, email - all without any exposure to risks currently accepted today.

This may not be the trend for 2005, but if enterprise tackles the issue then users will expect that the same solution they use at work, will also function just as well when they are at home. The problem here is that many of the possible enterprise solutions in use or development do not extend well beyond the work place. Two factor authentication will become the everyday practice, but this capability is difficult to extend to the Internet due to the cost of directory services and the need for security.

Microsoft is implementing a smartcard system, which uses a .Net based operating system running on the smartcard. This is different from the current crop of smartcards which generally run a Java OS.

posted by John Davidson at 16:49 12 comments

Saturday, December 11, 2004

Links for Windows Security

posted by John Davidson at 14:44 16 comments

Forgotten Security Principles

Network Connectivity

  1. Networks that are controlled by organizations external to your chain of command are not to be directly connected
  2. Networks that are controlled by organizations external to your chain of command may be connected through the use of a DMZ or Extranet established for that purpose
  3. External resources that must be accessed by a proxy server include (by protocol):
    1. http/https;
    2. ftp/sftp;
    3. smtp/imap;
    4. chat/irc/h.323/t.120;
    5. dns/ntp;
    6. ldap/lsass;
    7. sqlnet/mssql;
    8. soap; or
    9. rpc.

Network Authentication

  1. Authentication determines who an individual is.
  2. Strong Identification & and Authentication (I&A) is only available when two or more factors are employed in the process:
    1. something you have;
    2. something you know; or
    3. something you are.
  3. Authentication based on User Id and Password is only single factor, based on something you know ? the User Id and the Password ? and result in weak I&A
  4. The portion of authentication based on something you know must always be transmitted in a manner which precludes disclosure to all other personnel or network devices, including the authentication server
  5. Para 8, above, may be restated as ? User Id and/or Password must never be transmitted over the network in the clear
    1. Unacceptable authentication methods (when not used in conjunction with approved client-to-server encryption or hash methods):
      1. Microsoft Basic Authentication;
      2. Microsoft Forms Authentication;
      3. FTP Authentication;
      4. HTTP Cookie; or
      5. TCP/IP address.

Network Authorization

  1. Authorization determines what rights and capabilities an individual or process has.
  2. Personnel from organizations that are controlled external to your chain of command may be granted access to resources inside the DMZ
  3. Personnel from organizations that are controlled external to your chain of command may not be granted direct access to internal resources beyond the DMZ
  4. Personnel from organizations that are connected to your network via an Extranet that is controlled by personnel within your chain of command may be granted access to internal resources on the Extranet and on internal networks.
  5. Authorization controls must be employed on all internal network resources where personnel have write privileges
  6. Authorization controls must be employed on all internal network resources where personnel will have read privileges and the data being accessed is Protected A, or above, or all classified material, including all NATO information
  7. Personnel from organizations within your chain of command may only use resources on external networks through proxy devices controlled within the DMZ

Network Devices

  1. A router is not a firewall
  2. A firewall may be a router
  3. A firewall may contain numerous proxy servers for different protocols
  4. A firewall is not a guard
  5. Network Address Translation (NAT) is not a proxy server

Data Markings

  1. All classified documents, information or data, including those only on network resources, must contain appropriate markings as to classification and releasability:
    1. documents, including memoranda, letters, presentations, briefings, spreadsheets, web pages, email and graphics, must contain classification and releasability information at top and bottom of all pages, and there must be classification indicators for all titles, paragraphs, sub-paragraphs, tables and figures;
    2. documents on network resources should be named so that classification and releasability is understood without opening the document, or stored in directories dedicated for that particular classification and releasability and where the directory name indicates the classification and releasability;
    3. data rows in database tables or views should contain classification and releasability indicators;
    4. data columns should have classification and releasability rules associated with various data values allowed to facilitate appropriate marking of data rows; and
    5. email must have labels indicating classification and releasability information so that these details may be determined without directly accessing the contents of the email.
  2. All information contained within classified network resources must have classification and releasability markings when the information is classified or protected
  3. All protected documents, information or data, including those only on network resources, must contain appropriate markings as to protection level:
    1. documents, including memoranda, letters, presentations, briefings, spreadsheets, web pages, email and graphics, must contain protection level information at top and bottom of all pages;
    2. documents on network resources should be named so that protection level is understood without opening the document, or stored in directories dedicated for that particular protection level and where the directory name indicates the protection level;
    3. data rows in database tables or views should contain protection level indicators;
    4. data columns should have protection level rules associated with various data values allowed to facilitate appropriate marking of data rows; and
    5. email must have labels indicating protection level information so that these details may be determined without directly accessing the contents of the email.

Data Backup

  1. All information systems must implement procedures to backup data.
  2. RAID arrays do not remove the requirement for separate backup data.
  3. Backup data must be stored offsite, or in approved fire proof containers.

User Privilege

  1. No user should have any rights not directly required to perform approved functions.

Discussion of reasons why these have become forgotten

The main reason why these principles have been forgotten is that technology was not available to implement the requirement in an economical fashion.

posted by John Davidson at 13:59