InfoSec Skills at Infosecurity Next Week
We’ll be appearing at Infosecurity Europe 2012 next week and we hope you’ll take a few minutes to come and say hello. Terry Neal, our CEO, will be there for the three days of the exhibition and will be manning the stand for half of that time, while meeting and greeting our clients, authors and partners the rest of the time. The rest of the InfoSec Skills management team will be there over the course of the three days, so there will always be someone on hand to discuss your needs.
If you are interested in being a course author, a reviewer, or even a student of one of our range of IT and physical security courses, please drop by and have a chat with one of our representatives. We’ll have a limited number of InfoSecReviews Awards magazines to give away, as well as our brand new 2012 course catalogue, so it will be worth your while.
How #InfoSec is Seen on Twitter
I used an interesting tool to try and see how popular the hashtag #infosec is on Twitter. Here is the result.
Tony
The InfoSec Reviews Awards 2011 Magazine is Published
Welcome to the InfoSec Reviews annual awards magazine, where we pay homage to the exceptional work that’s been undertaken in the Information Security marketplace during 2011. This year’s inaugural InfoSecReviews.Com awards have focused primarily on security-related books (and the book publishers), as this is where InfoSec Reviews started from back in the summer of 2011. However, next year we’ll be expanding the awards to include categories for products, magazines, websites and training, which we are really excited about.
So, what’s inside? This year’s magazine, as I said, focuses on books, and to mark this, we have managed to acquire some great articles and interviews that I’m sure you’ll find interesting. Mich Kabay, our weekly columnist who writes the Perception blog (www.infosecreviews.com/perception), has supplied an excellent article on how to write about Information Assurance matters. If you are a budding author, be sure to take a look, as there are some useful hints and tips in there that will help you on your way. We’ve also had an article in from the premier Information Security publisher, Syngress, on working and publishing in this market, which is well worth a read, and we also have a couple of great interviews with some of the most well-known writers in the market.
One of the most interesting things we did at the end of last year was to add a short survey into the nominations for best books that gave us some idea of how the information security book buying market was performing. The survey results make fascinating reading, even if you are not an author or a publisher, as the book buying market often highlights what’s important in a particular niche area.
I hope you enjoy reading the rest of the magazine and that the awards give you some ideas of what you might be interested in adding to your bookshelf over the next few months.
Tony Campbell
Editor-in-Chief
InfoSecReviews.com
Cyber Security Challenge Awards 2012
This weekend, the rest of the crew from InfoSec Reviews and I attended the annual Cyber Security Challenge Awards ceremony in Bristol. The event was held at the @Bristol science museum and was a great venue (and the lunch was out of this world). Overall, it was a fantastic day, with an inspiring speech from Baroness Neville-Jones, where she analysed the state of our failing IT curriculum in schools, and especially its impact on the reduced output from universities in the cyber security disciplines (for UK consumption that is). Although our universities have responded well to the challenge (and the Challenge), encouraging their students of security subjects to have a go at the trials, there is still a long way to go to make sure that the increasing demand for talent in this field is met through formal apprenticeships and university degrees. Interestingly, the majority of prizes went to kids of student age, which of course is a great way to incentivise these young minds into taking the right road down what could be a knife edge if they are not pushed towards the ethical side of hacking.
Next year’s CSCUK promises to be a bigger and better event, with more challenges, more sponsors, and a focus on professionalism and risk management; something they’ve not yet included in the mix.
InfoSec Reviews will once again be offering prizes, and next year we intend to supply more books and even some other prizes (yet to be decided). This is one of the most worthwhile security activist groups in the country and we firmly support everything they are doing for the community at large.
Tony
Physical Security Convergence with InfoSec
Are information security professionals missing a trick?
Penetration testing, hacking, digital forensics, security architecture, operational security, situational awareness, cyber-crime, risk management, identity management, PKI, platform security, NIPS, HIPS… etc.
These are all disciplines and components of the information security world that InfoSec professionals need to be aware of. However, it does not matter what list you create to represent our wonderful profession; it’s not complete until you add physical security. Especially at the CxO level, physical security is a key component of your company’s risk management strategy, yet at the CSO level it is often overlooked, left to the security guarding company you have employed or the facilities management company that runs your building. The government has a reasonable grasp of physical security, for sure, and a military mindset lends itself to physical measures being as likely to be considered (especially in deployed operational environments) as technical measures. However, how do private companies, not typically security aware, fare? Not well, is the blunt answer. Yet putting staff through appropriate Security Industry Authority (SIA) training is not expensive – a mere snip of the price of typical InfoSec courses – and the resultant risk reduction through physical security awareness is invaluable. If you adopt an information security awareness programme, such as the Securing the Human course offered by SANS, you should complement it with a physical security course, which may lead to members of your team detecting rogue members of staff, the suspicious cleaner, or the shoplifters working as a team on the store’s floor plate.
When you look at the courses offered by industry bodies such as HABC, on first look it seems as if they only support specific security roles as the target of training, such as Door Supervisor and CCTV operator. However, the baseline course, Working in the Professional Security Industry (WIPSI), is actually a great introduction that delivers a level of awareness that comes with a Level 2 certificate to boot.
So, I recommend that CSOs consider such a course as part of the overall security awareness training programme for their organisation; the value for money is certainly extremely high.
Craig-Wood Gets it Right – So Does GCHQ
The GCHQ challenge has been solved by at least two people with the best part of a week still to go. The most informative description of the route to the solution (by Nick Craig-Wood) goes into considerable detail. Stage one required a block of data to be recognised as machine code and tinkered with to turn it into a valid executable program. This program hid on the stack a URL that, when called, fetched the second stage – “a description of a VM with an initial state, but no code to implement the VM.” Craig-Wood implemented a VM in Python, and after running it, found in a core dump a URL that fetched the third level of the puzzle. This turned out to be a Windows .exe file, relying on the cygwin cygcrypt dll to run. The task here was to obtain a key that the GCHQ server would recognise as valid and respond to with an acknowledgement of success. The whole exercise apparently took Craig-Wood about 12 hours, and I feel it was quite a cunning piece of work both on his part and that of GCHQ. Not a hugely difficult task technically at each stage – probably no more difficult intrinsically than analysing a typical piece of malware, but overall one requiring considerable intuition.
When this competition was first announced I was sceptical about its validity, as I’m very conscious of the general over-emphasis of the “überhacker” threat in the face of our continued failure to properly address our appallingly weak defences, and this looked from the publicity like just one more high-order geek test. But I think I get the point now, and it’s probably a good one. Unless I’m very far from the mark, GCHQ are seeking people with well developed imagination and intuition in addition to deep technical skills, and that is exactly the kind of people we increasingly need in infosec. Too many infosec practitioners are used to slavishly following “standards” and “best practice” (i.e. other people’s rather elderly ideas) without ever thinking for themselves. That’s one of the reasons why the defence fails so often, even in the face of threats that are not that sophisticated – and that’s the vast majority of real threats.
So more power to GCHQ for getting this right in the deeply technical arena. What I hope to see (and, I also hope, soon) is the same recognition of the need for imagination and intuition emerging in other spheres of infosec activity – both in the government and commercial sectors. When we have achieved that, we have a chance of taking control and making the electronic infrastructure truly robust against attack instead of responding reactively and being regularly wrong-footed by the most basic of attacks as at present.
BOOTNOTE
GCHQ got this right, but their web developers clearly didn’t. Among others, Charles Meaden has pointed out that the acknowledgement page was public and had been spidered by Google by December 1st. Did I say something about being wrong-footed by basics?
What Makes a Good Policy?
It’s indisputable that many corporate policies are “shelfware” – documents that exist but don’t do anything very useful. So what makes a good policy? There are three fundamental principles.
First and foremost, a policy must contribute at some defined level to the solution of a single specific (and real) business issue – not just its symptoms, and never a vague cluster of different issues at once. A classic example of one that fails is the “Acceptable Use Policy” that commonly restricts the private activities of staff on corporate IT. This usually consists of little more than a mish-mash of all the “bad things” the authors can think of, accompanied by a threatening prohibition against doing them. Activities that could harm the infrastructure rub shoulders in an unordered list with those that could cause corporate embarrassment or breach the law. To address each of these disparate issues effectively would need a separate policy, and each of them would have to specify the obligations of the IT department and others in addition to those of IT end users. This may sound complicated, but it’s essential if we actually want to solve the real problems personal use of IT can expose the business to. Or indeed any other business problem.
Second, every policy must be consistent with common standards, understandable and demonstrably possible to comply with. So individual policies must not be created in isolation – they must be part of a coherent policy governance framework that specifies the necessary common standards and definitions.
The ideal framework is a logically hierarchical inverted tree from broad corporate governance at the root to specific instructions at the leaves. So if a given policy deals with, say, passwords, it will be a consistent child of an authentication policy that deals with when, where and why you use different kinds of authentication. The authentication policy will in turn be a consistent child of a broader systems access policy, which itself will descend from a strategic information management policy. At each layer there will also be other siblings, so in addition to systems access, the strategic information management policy might have children covering data classification (“protective marking”), data quality, retention, privacy and so on. Policies at some levels of a sub-tree may refer horizontally or vertically to policies in other sub-trees, but there should be no more than four layers of policies in any sub-tree between your governance standards and your procedures. If there are, it’s worth reviewing your business analysis.
Third, a policy is not an end-user document. Even at the lowest level, the job of a policy is to inform the creation of procedures, which are the only things front line people should be concerned with day to day. The kind of “policies” we mostly have to sign off against when we’re hired actually do very little to protect the organisation. They tend to be “Polcedures” – scrappy mixtures of policy snippets and procedures – and are generally non-functional because, being written individually on the fly without enough specialist input from business process owners and not being part of a coherent policy framework, they tend to be shallow, unfocused and mutually (sometimes even self-) contradictory. As a result, their requirements are almost always viewed as externalities by those who should follow them, and get ignored when the pressure is on to deliver for the business or in pursuit of personal convenience. And incidentally they’re unlikely to be robustly enforceable, as they mostly wouldn’t stand up to legal challenge.
The diagram below shows the significant structural elements of an optimised policy governance framework, with the major branches of the example password management policy sub-tree emphasised. This structured framework assists both policy maintenance and efficacy. Even if some policy element within the framework proves less than optimum, it will have a consistent effect on all other policies that refer to it because the contributions it makes to them descend from its sole authority. So the source of the problem is easily identified and corrections can be made at a single point of adjustment. Without such a structure, you just have a disorganised pile of incoherent ad hoc documents that might pass audit because they exist, but won’t contribute well to the business problems you’re trying to solve. Such policy sets will also be difficult to maintain, as adjustments may have to be made in parallel in many different policies to prevent them getting ever more out of kilter with each other.
Policies at the strategic layer express the broad governance obligations of each of the organisation’s generic business functions. There should be no cross-links (direct connections between a policy in any given sub-tree and a policy in another sub-tree) within this layer.
Policies at the tactical layer specify the generic business processes required to fulfil each of the strategic policies. At this level there may be horizontal cross-links, e.g. where the policy in question draws on a standard defined elsewhere – such as those between information classification and systems access and between HR and monitoring in the diagram. There may also be downward cross-links to the instructional layer where a tactical policy (e.g. audit) informs instructional policies in another sub-tree.
Policies at the operational layer identify realisable sub-components of the generic processes specified in the tactical layer. No cross-links are allowed in this layer as its sole function is to act as a translation interface between specific business-oriented policies in the tactical layer above and their functional implementations in the instructional layer below. A well-specified operational layer is crucial to the success of a policy governance framework, as it’s the only way to ensure the solutions delivered by the implementation are a good fit to the business requirements they’re supposed to fulfil.
Policies at the instructional layer define the specific process management tasks required to fulfil each operational policy. This is the layer at which our familiar policies reside. All procedures relevant to a given instructional policy are identified here in terms of their objectives, but not their content. There may be downward cross-links to this layer, from the tactical layer alone, where standards or processes from other sub-trees need to be invoked (e.g. the need to pass an incident to HR or audit for investigation). But there must be no horizontal cross-links within this layer as instructional policies are maximally granular, dealing with specific discrete procedurally soluble problems.
Documents at the procedure layer are the sole authorities on what front line people actually have to do to comply with each instructional policy. It’s imperative that the procedures specified mesh well with the primary business processes to which they relate. That means different business groups, departments and functions may need different procedures, although they must all fulfil the requirements of the policy they support.
It’s important to recognise that adopting a framework such as this should not result in vast piles of extra paper. If that’s the outcome it hasn’t been done right. Typically, there should be no more than one strategic layer policy for each business function or department and one tactical policy for each business task each performs, and they don’t all necessarily have to be separate documents as some of them will be very concise. There will be a single operational policy for each sphere of activity within each task. These are the only additions above and beyond the conventional (instructional) policy set we are all familiar with, although there may be a few more of these than some of us currently bother to implement. The important thing, however, is the structure – a hierarchical tree of dependencies on sole authorities specified and defined from the root downwards.
Finally, the art of eliciting good compliance with procedures is in making the smallest possible changes to everyone’s existing processes while achieving the objectives of the policy. So where procedures supporting different policies affecting the same front line business process turn out to be sufficiently similar, the procedural implementation can be simplified in practice by merging them, provided their multiple sources are fully documented to allow traceability back to all the individual policies from which they’re derived. Complex governance can often be achieved via the implementation of quite simple procedures, but if you don’t document what you’ve done – and how you did it – you can’t manage the results, and if you don’t standardise on your definitions and processes you’ll never know what you did or whether it’s working.
InfoSec Reviews Awards 2011
We’re excited to announce that the nominations for our 2011 Best Information Security Books awards are now in. We’ve compiled a survey of the results that allows you to vote on the best books in each of the categories we have looked at.
Please take a moment out of your day to vote for your favorite books, authors or publishers and tell us a little about your reading habits.
You can give us your input here:
http://infosecreviews.com/survey/index.php?sid=38256&lang=en
Regards
The InfoSec Reviews Editorial Team
Credential Management in the Cloud: Spotlight
By Michael Ginsberg
Single sign-on and encryption policies are putting credential management – and in particular public key infrastructure (PKI) – under closer scrutiny these days. The spotlight has become more intense as we witness the meteoric rise in mobile devices for business usage, as well as the growing reliance on the cloud for application development and delivery.
Recent breaches have shown that password protection is not enough to protect sensitive information in the cloud or on mobile devices. So-called encryption features in mobile devices are local to the device, and do little to protect the data moving between the device and the application. In fact they can be bypassed so easily, it’s tantamount to locking a door and leaving the key under the mat for others to break in.
While PKI represents the ideal end of the security spectrum, deployment costs are typically high, making strong credential management for mobile a significant stumbling block for organizations today. Rather than investing in a full-blown and costly PKI infrastructure however, users can now turn to managed software-as-a-service (SaaS) platforms to address their credential management needs.
Introducing Mich Kabay
Mich Kabay’s Perception Blog
It is with much excitement that we welcome Mich Kabay’s blog to InfoSec Reviews; from now on to be known as Perception.
Mich has been the author of the Security Strategies newsletter at Network World for the last 11 years, posting in excess of 1200 articles, so we are honoured to offer him his new home here on our website. Mich’s first blog post for us, Credo, is already published for you to read (back on the main InfoSec Reviews site), and it’s a simple introduction to what’s to come over the following months. Just click the Perception link on the top menu or on the main menu at www.infosecreviews.com.
Perception will provide us with Mich’s unique viewpoint and commentary on the world of Information Security. As he says, the blog is aimed at everyone in the security industry, from CIOs to programmers, from consultants to students – all are welcome to drink down his vast experience.
InfoSec Reviews is delighted to welcome Mich to our site and we encourage you to comment as much as you can on Mich’s work, as this is what will make the column most valuable. And all that remains to be said is… over to you, Mich.
Here’s a bit about the man himself:
M. E. Kabay, PhD, CISSP-ISSMP
Professor of Information Assurance & Statistics,
School of Business and Management, Norwich University
Mich Kabay began programming computers in assembly language in 1965. In 1976, he received his PhD from Dartmouth College in applied statistics and invertebrate zoology and taught biology, statistics, and programming as a university professor in Canada and overseas. In 1979, he joined a compiler team for a new 4GL and RDBMS in the US, then joined Hewlett-Packard Canada in 1980 as an operating systems and database performance specialist, winning the Systems Engineer of the Year Award in 1982. He ran his own consulting firm from 1986 to 1998, specializing in operations management, facilities security, and corporate security policy development and implementation. He served as Director of Education for the National Computer Security Association from 1990 to 1999, and then worked with AtomicTangerine where he supported the International Institute for Information Integrity (I-4). He has been a speaker at the United States War College, the Pentagon, NATO HQ, and at NATO Counterintelligence training in Germany. He earned his CISSP designation in 1997.
He was inducted into the ISSA Hall of Fame in December 2004 and earned his ISSMP designation from (ISC)2 in November 2005. He joined Norwich University in 2001, served as Program Director of the Master’s Program in Information Assurance from 2002 to 2009, and was the CTO of the School of Graduate Studies from 2005 to 2009.
Since 1986, he has published over 1300 articles in operations management and security, written a college textbook on enterprise security (McGraw-Hill, 1996), and served as Technical Editor of the 4th (2002), 5th (2009) and 6th (due 2013) editions of the Computer Security Handbook (Wiley).
His Web site is http://www.mekabay.com