Category Archives: News and Info

AoIS Resurrection… to blogs.Gartner.com

As you may have noticed there has been no activity on Art of Information Security for a long time. Things got really busy in my work and personal lives, and well, something had to give.

One of those changes is a move to the Security and Risk Management Strategies team at Gartner. I will be blogging on Gartner.com at blogs.gartner.com/erik-heidt. So, if you have been a fan of the content on Art of Information Security please keep an eye there.

My current coverage areas include:

1. IT GRC practice strategy
2. IT Risk Management (and measurement)
3. Assessing cloud risk decisions
4. Cryptographic controls and key management
5. Application security

All the best.

Cheers, Erik

((AoIS Webcast)) Cryptography: Issues and Insight from Practical Implementations

Kevin Flanagan and I delivered a presentation on Cryptography at this year’s RSA 2010. Now, doing a cryptography presentation at RSA is a bit like putting a target on yourself that says “please shoot me down!”. Well, the presentation was very well received, and the RSA conference folks have asked Kevin and I to do a encore presentation via Webcast.  A few quick facts:

This is not your math teacher’s Cryptography presentation !
The core of this presentation is about discussing the various points in an application where a cryptographic control, primarily encryption, can be applied. Kevin and I walk through an expanded version of the 3-tier application architecture. We go beyond discussing the encryption controls available to the web server, application server, and database backends, to expand our scope to include the PC, storage, backup, and file systems. At each point we will discuss the kinds of controls that can be applied, the risks that those controls help manage, and risks which are ofttimes overlooked and remain.

This presentation is more focused than the RSA Version from March.
In our presentation in March we tried to also include an introduction to Key Management. This proved to be too much to bite off, so we have pruned that material from the presentation that is planned for the Webcast. Kevin and I may be submitting a presentation proposal for RSA 2011, 100% dedicated to Key Management. (Feedback on that idea would be of great value… Feel free to comment below.)

In fact, I am always interested in feedback from readers of AoIS. So, if you tune in the the WebCase, please drop me a note. I personally find web and teleconference presentations much more difficult than in the in-person kind…

When and Where ?
The Webcast in this Wed (June 23, 2010) at 1:00 PM EST, 10:00 AM PST, 5:00 PM GMT.
Here is a link to the registration: Webcast: Cryptography: Issues and Insight from Practical Implementations

Cheers, Erik

Add Some Architecture to RSA 2010

Once again the RSA Conference is giving Dan Houser and I the opportunity to provide a one-day Identity Management Architecture tutorial. One-day tutorials can be added to your RSA Conference registration for a small fee. These sessions are designed to provide more depth and detail on particular important topics.

This year’s program is titled “Foundations for Success: Enterprise Identity Management Architecture”, and the content follows the successful pattern of past years. The morning will focus on establishing a base of understanding, and the afternoon will be spent covering modules selected by the attendees (the description from the RSA website is attached below).

This year I am especially excited as I am leading a major Information Security infrastructure initiative that involves the complete build out of the Information Security stack for a new company (actually a $2.4B spin-off). I have just completed full requirements, RFP, and the product selection cycle for an Identity Management solution. At the time of the class, I will be at the mid-point of the provisioning system’s deployment, and will have Password Vaulting in production. This project has been a source of great challenges and new insights, all of which I hope to bring with me on March 1st (well, the insights anyway).

Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of “how do I get access to X” is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them.

Information about the tutorial is available form the RSA 1-Day Tutorials page, but here is a copy of the tutorial description:

Tutorial ID : TUT-M21

Foundations for Success: Enterprise Identity Management Architecture

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session to focus on the specific identity disciplines they find most challenging.

This workshop will cover:

  • Principles of Identity and Access Management and implementation strategies
  • Infrastructure architecture — critical underlying processes to run a successful enterprise
  • Web-based authentication & Web Access Management
  • Selling Identity strategy in the C-suite
  • Directory Services – Enterprise, meta-directories and virtual directories
  • Provisioning – managing the processes of Identity and Access Management
  • Identity mapping and roll-up
  • Detailed Single Sign-on strategies: Getting off Identity islands
  • Detailed Federated Identity discussion and case studies
  • Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects
  • Multi-factor authentication: biometrics, tokens & more
  • Functional IDs – real world considerations of this often forgotten access control
  • User Access Audit: Proving only authorized users have access
  • Auditing the identity systems

Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Cheers,
Erik

Max the Identity & Access Management in Your RSA 2009…

If you are attending the Pre-Conference 1-day Tutorial, Building an Enterprise-Strength Identity & Access Management Architecture, that Dan Houser and I are co-teaching at RSA 2009 please take a moment to drop me a note (using the “Contact Erik” link from the site). This years class is going to be much smaller than last year and should allow for more interaction. As a result, I would like to take the opportunity to maximize the value of that increased interaction, and knowing what topics are top-of-mind for participants in advice will help. 

If you are attending RSA 2009, and plan to be in San Francisco all day on Monday, take a look at the available Pre-Conference 1-day Tutorials (RSA has added a number, and there are many to choose from). There is an additional fee for these Tutorials but based on the feedback from last years class, it was worth it.

Neither Dan nor I work for a vendor or supplier in the space.  We both work for Fortune 500 corporations that have real-world Identity and Access Management challenges (with real-world obstacles). If you are a Linked In member, profile (link) has some endorsements related to this class, as well as other presentations.

Cheers, Erik

Lie Detector Libel

I noticed a posting on Slashdot (link) this morning regarding a gag order on an article that was to be published in a peer reviewed scientific journal but has been suppressed. The article was critical of lie detector technology, and evidently provided information debunking it.

More information is available her:  Stockholm University article.

The thing I find most interesting about this is that the US Supreme Cort has already determined that Lie Detectors are unreliable. From Wikipedia article on the polygraph:

In the 1998 Supreme Court case, United States v. Scheffer, the majority stated that “There is simply no consensus that polygraph evidence is reliable” and “Unlike other expert witnesses who testify about factual matters outside the jurors’ knowledge, such as the analysis of fingerprints, ballistics, or DNA found at a crime scene, a polygraph expert can supply the jury only with another opinion…”.

One of the things I find most interesting about the challenge of “testing” lie detectors is that no testing, such as the tests performed my Emily Rosa to debunk Therapeutic Touch, have ever been offered with can objectivity demonstrate the that they even work.

Cheers, Erik

AoIS upgrade to Ubuntu 8.10 Complete !

My apologies for the slight outage of Art of Information Security last night, I had an almost flawless transition from the older version of Linux to Ubuntu 8.10.

The Beauty of Virtualization
AoIS is hosted by Linode, which is a Linux virtual host service provider. The beauty of this was the fact that I could:

  • Spin up a new host in 10 min
  • Configure and test the box, without interrupting the “hot” server
  • Move the configuration, data, sites, etc.
  • Test, test, test
  • Transition the IP addresses

All of the advantages of having a clean freshly build physical server, but with a pro-rated cost of under $5 !

FYI… As this is a security blog, you can image that I am somewhat obsessed with OS system protection, more on that soon…

Cheers, Erik

Congratulations Rebecca !

Rebecca Harold (aka The Privacy Professor) has just been recognized by a Computer World survey as one of the “Top Privacy Advisors in 2008 (link to article)“. Congratulations Rebecca !

I had the pleasure of working with Rebecca on a paper earlier this year. Rebecca and I were among the collaborators on a  paper focused on generating organizational support for Information Security Awareness efforts (link to paper) for ENISA (The European Network and Information Security Agency). The effort greatly benifited from her participation. And after collaborating with her is it clear to me why should would have been nominated for and received the high marks she did in the Computer World survey.

Rebecca is also the author of Managing an Information Security and Privacy Awareness and Training Program. I purchased a copy of this book while working on the ENISA paper, and wow is it a detailed guide to managing these programs. Rebecca has included information from the high-level “concepts” down to detailed sample checklists and plans.

Congratulations again !

FYI, for additional information:

Cheers, Erik

CISSPs… Lend me your ears…

Art of Information Security endorses Dan Houser for (ISC)² Board of Directors

The CISSP is undoubtably one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.

Passion

Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor – as a “giver” – to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting – a professional roundtable that attracts practitioners from across the state.

Governance and Guidance 

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors including local and regional community organizations, ISSA chapters,and several Toastmasters clubs. 

Personal Experiences

I have known Dan for almost three yeas. Dan and I have collaborated on a number or projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their College Sweethearts (which, for Dan, is Rebecca, his wife of 21 years), but you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²: https://webportal.isc2.org/custom/votenow.aspx

Cheers, Erik

Number One WordPress Security Step

So, what is the most important step you can take to keep your WordPress blog secure?

  • Keep the software up-to-date

This may sound almost patronizingly obvious, but hold on a second. Every day hackers use unpatched servers or services of one kind or another as the bread and butter of their trade (stealing data, creating Bot networks, selling hacked server access to phishers, etc.).

So, why are there so many unpatched (or under-patched) servers and services?
  • Lack of awareness that a patch or update is available or needed
  • Lack of urgency regarding maintenance
  • Attitude that you are immune to these types of problems, and don’t need to worry about them

The good news is that the WordPress community has resolved the first two problems.
(Folks with the last issue are the reason there will always be script kiddies…)

Here is the quick and dirty path to keeping your blog up-to-date:

(1) Subscribe to the WordPress Development Feed
If you log into your WordPress blog’s administrative interface, you will be notified if a new version is available. But if you are in a low-activity time with your blog, you still want to know when maintenance is needed. The best way is to subscribe to the WordPress Development Feed in your RSS feed reader (You may also want to subscribe to the RSS feeds for the plug-ins you are using.).

(2) Install and Use the WordPress Automatic Update Plug-in
I have two blogs, and have used this plug-in for my last three software updates (including the move to 2.5 yesterday), and have been very happy with how well the plug-in works. Now, I do automated daily backups of my blog db and files. So, I would recommend that you perform your own backup before using the script so you know you can recover if the unthinkable happens (Always make sure you are using the latest version of the plug-in before starting an update.).

(3) WordPress 2.5 Now Includes Built-In Plug-in Updates
I do not think that your site will yet email you when your plug-ins need to be updated (2.5.1 please?), but with 2.5 you can 1-click update your plug-ins, if they are registered with WordPress.org.

Step four would also be to make sure that your operating system is up-to-date. Automating that is almost always possible, but is dependent on what operating system you are using. Google “X automated security update”, where X is your OS.

BTW, I found the jump to 2.5 very smooth and have encountered no problems – Thanks, WordPress!

Cheers, Erik

Blended Attacks and “The Tiger Team”

The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik