Welcome to my site...

A chinese lion statue

Thanks for visiting my website. You can learn more about me and all the many projects I am involved with my browsing this site. Below you will find the most recent articles published in all the different sections of my website. If you want to view articles on a specific area, please cick on one of the category links above. You can also follow the other links to learn more about me and my non-technical interests.

I'm glad you decided to drop in, feel free to leave comments on any article or to use the contact page to get in touch with me.

Challenges and Concerns for Implementing OCTAVE Allegro in a University Environment PDF Print E-mail
Security - Enterprise Security
Monday, 12 January 2009 00:00

 

The following is a mock report that was developed for the implementation of OCTAVE Allegro in a university environment. Octave Allegro is a security assessment methodology developed by the SEI. It could very easily apply to any college or other organizations. This report provides a good example of how to evaluate any security tool and the challenges that need to be considered before rushing out and implementing a new methodology. The format of this example is a formal report from the IT department to the President of the university.

 

 

Executive Summary

This report presents the challenges that the university will encounter in implementing OCTAVE Allegro as our information security assessment methodology. For each challenge recommendations are presented for overcoming or reducing the impact upon the implementation of the OCTAVE Allegro program. The challenges addressed cover basic underlying issues of such a project including where we may encounter resistance and where we are currently lacking in our current security procedures. While broad topics are addressed, there is a focus on the specific issues which affect the university: The first topic addressed is the steps that must be taken in order to prepare the university community to adopt the process and OCTAVE Allegro mindset. Next, the challenge of our information systems organizational structure is addressed; currently, not all information systems are controlled through one top-down management process. In addition, the report addresses the concessions that may need to be made to the spirit of openness found in the university for the sake of security. The report then considers how third party involvement affects our information security risk, both through outsourcing and third party partnerships with other institutions and organizations. Lastly, the report considers the efforts that will be needed to make sure that OCTAVE Allegro continues to be a useful program for the university. The concerns presented herein will help prepare the administration for a successful launch and continuation of the OCTAVE Allegro program for the university.

Introduction

OCTAVE Allegro has been selected as the university’s information security risk assessment methodology. OCTAVE Allegro provides a guided approach which if focused on minimizing investments in time, training, and complexity of the risk assessment process. While OCTAVE Allegro presents many benefits, we must be prepared for the challenges it will present the university as well. This report is designed to evaluate some of the challenges that should be expected given our environment and provides suggestions for addressing these concerns. The goal of the report is to increase awareness of the side effects of implementing OCTAVE Allegro in order to ensure that our investment in OCTAVE Allegro and our overall information security program will succeed. The associated costs and benefits for each concern are presented and should be evaluated by the administration to ensure the initial and continued success of the program. By following the recommendations presented the administration will be able to begin an OCTAVE Allegro program that will be a great asset for the university, and in addition will improve the university’s overall information security view and security practices.

Structure of Report

This report will outline many of the concerns implicit of the OCTAVE Allegro process and in addition will address issues which are applicable specifically to the environment of the university. The remainder of this report will be arranged in the following manner: Each concern will be given a subheading and will then be explained. Each concern will be directly followed by commentary, recommendations, and cost analysis where appropriate. After addressing the challenges and concerns the report will conclude by evaluating the value of the recommendations for the OCTAVE Allegro program and the general security efforts of the university.  

Challenge: Paradigm Shift: Technical focus to business focus

Traditionally, security for information systems and technology was considered as a technological problem. This entailed looking for code errors, open ports, and performing penetration testing. Even today there is a belief that security in this domain should be addresses through the above approaches. However, in the OCTAVE Allegro method, there is a strong emphasis on viewing technology as a business problem. This mindset, while new for many, provides a more useful approach to information security. In fact, the transition to security as business problem makes great sense; an organization should only obtain, maintain, and protect a security asset that is useful to achieving some business objective and should not address security only for security’s sake.

This mental realignment can cause major problems for adoption and acceptance of the OCTAVE Allegro process. The university’s IT staff currently relies heavily on the results of internal and external audits. This results in a mentality where the staff will diligently search for security holes and fix them in a timely manner, but does not encourage proactive consideration of security to achieve business goals. Further compounding this mentality, the university has never stressed business training in its hiring processes or training programs. In addition, our current culture does not rely heavily on interviews or interactions with end users or even managers. As a result, this new approach will likely meet very strong resistance. Since OCTAVE Allegro is an ongoing process, it is important to get a very strong adoption rate early on from the IT staff. The second consequence of the IT staff mentality is that general employees may not want to become involved in the planning process. While the IT staff members generally serve as the custodians of information containers and assets, they are not frequently the owners under OCTAVE Allegro. In other risk assessment approaches, the end users or owners are not typically considered as integral to the risk assessment process; however, their involvement in OCTAVE Allegro is crucial. Thus, the general employees of the university will also need to be motivated to get involved and stick with the program over the long term. This can be extremely hard at a university, especially when dealing with professors who are already overburdened with classes and research. These individuals frequently do not maintain regular business hours, which can make coordination between users, the IT staff, and others involved with the OCTAVE Allegro program very difficult.

The major recommendation here would be a series of awareness campaigns and then training sessions. A period of six months for awareness should be sufficient. The awareness campaigns will facilitate involvement and understanding when the training programs begin. Training would then be followed by collecting feedback in order to modify the process to fit the specific needs of the university. The training workshops must involve both the IT and general employees in order to encourage interaction and teamwork. While the authors of OCTAVE Allegro believe that training is minimal and that OCTAVE Allegro can be self directed, this may not be true in our case because we have not historical focused on risk assessment and management. OCTAVE Allegro is only easy to transition to if a base understanding of risk management exists and risk management programs are already in place. Major policy rewrites and reengineering of the university’s systems may also be necessary in order to better align them with the OCTAVE Allegro framework. The reengineering efforts would include activities such as modifying servers, applications, request forms, and inventory management systems.

Based on discussions with other who have implemented OCTAVE Allegro within similar university environments and historical costs for similar projects at this university some related cost estimates have been prepared. The first estimate is for training, at a rate of $2,500-3,500 per person over the six month training period, with retraining costs at an additional $500-750 per person, per year. At this time, it is unclear exactly how much reengineering and policy rewriting would cost. The actual costs would be clarified more clearly during the training and workshop period, however, based on past experience for similar efforts at the university the costs could be upwards of $1,000,000 and could take over six months to implement once planned.

Challenge: Confederation of the university environment

The university does not truly function as one concise unit. In reality, each college operates fairly independently. This is very true in the realm of IT. For example, a large portion of the university is supported by ITS, while the College of Business, College of Computing & Information Sciences, and the College of Engineering operate their own IT support infrastructures. As a result, it is very hard to align business and security objectives across all of these organizations within the enterprise.

This confederated structure causes some problems in organizing the university’s OCTAVE Allegro efforts. Because there is a high degree of autonomy, the individual groups could cause multiple points of resistance and fights for power in the process. OCTAVE Allegro does not function well when distributed across multiple control structures as it is desirable to have one unified policy and management center. Furthermore, assets likely will not be seen in a universal manner among these various organizations which can result in the profiling efforts being either insufficient or too broad. One might consider allowing individual OCTAVE Allegro programs to run within each organization as a simple solution. However, the purpose of OCTAVE Allegro is to give the administration a global view of information security risk throughout the university. Without a unified global effort the results may have significant omissions or overlaps which will impede the usefulness of the project. The unified global view made possible by a single program will allow the administration to make intelligent budgetary and administrative decisions based on the OCTAVE Allegro results. Furthermore, containers as defined with OCTAVE Allegro, such as students, staff, and databases often cross organizational boundaries thus necessitating a university level coordinated approach.

To address this confederation issue, the best course of action would be to establish an OCTAVE Allegro management team. This team should comprise people from all of the various organizations as well as business and legal staff to plan out of OCTAVE Allegro activities. In this way all of the groups’ interests can be represented and there will be minimal resistance to the process. The group will be responsible for centrally coordinating the OCTAVE Allegro activities in order to ensure that all groups implement the processes in a compatible manner. Consistency across the organization and over time is paramount to success with OCTAVE Allegro. This should not result in any additional costs beyond what is outlined elsewhere in this report. The synergy may also help in other areas of overall information technology and systems management.

Challenge: Openness of the university environment

The environment at a university is generally very open; in general the university strives to promote greater access while security objectives require just the opposite. As a result, it can very hard to establish ownership of assets as it if often ambiguous or worse yet, could be constantly changing. Generally, great shifts occur each term in regards to scheduling, responsibilities, and organization. As a result, asset ownership may be transferred very frequently, which results in more frequent reviews and updates to the OCTAVE Allegro questionnaires and records.

In a traditional business enterprise, departments and roles are generally fixed over a very long period of time. On the other hand, a university moves to new projects, acquires and researches new technologies, and involves a large number of changing owners over a long period of time. OCTAVE Allegro seeks to associate owners, controls, and containers with information, however, information tends to flow very easily among professors and students as well as outside parties. As a result, it may be difficult for individuals to identify or even desire to classify information which should be protected. Furthermore, it is not always clear for all individuals, especially students, who or what is a container or a custodian of an asset at any given time. When students become involved in projects, usually it is for a limited time; then ownership is transferred to another individual. It may be close to impossible to have students be active participants in OCTAVE Allegro, without making an entire system highly restrictive, which may meet very strong resistance.

New policies must be written in order to address classification of information assets. In these policies, the university will better define what types of information assets require protection and what can be open. In addition, stronger efforts must be made to control and monitor containers controlled by individual faculty and students which are therefore not maintained and controlled by the IT support staffs. Faculty should not be allowed to set up their own personal IT environments for research or teaching without being included in the assessment as they could present potential risks which were not previously known. To this end, the university must increase its service offerings to these faculty and students so they do not set up rogue systems which fall outside of the university’s control or knowledge.  Students, staff, and faculty must be trained to become more conscious of the types of information that should be monitored in the OCTAVE Allegro process. The training outlined earlier should help individuals better understand the process in order to ensure that the participants in OCTAVE Allegro do not spread their efforts to broadly or attempt to circumvent the process.

 In terms of cost, it may be necessary to increase the university’s IT infrastructure to include additional computing resources for research and teaching. This may also entail increasing support staff. At this time it is not feasible to present estimates. Through further investigation and interviews the program coordinators will be able to determine the needs of the various organizations within the university. The training costs have already been outlined above for faculty and staff. Students who interact with the systems for short periods will only require minimal training for compliance and will usually fall under some staff or faculties authority to train as required and should not represent any significant costs.  

Challenge: Alignment with Third Parties

As a university, this institution is always forging new relationships with third parties. This includes industrial partners, visiting scholars, and other educational institutions. OCTAVE Allegro recognizes that custodianship is not always internal, and therefore requires that the university understand all of these complex external relationships and how they affect the safeguarding of its assets.

Other organizations which do not practice OCTAVE-based strategies may not understand the processes or how and why they must be involved. In addition, it will not be possible to have the ability to enforce oversight over these external assets. By imposing the university’s OCTAVE Allegro efforts on these third parties, some partnerships may be discontinued by the third party. Therefore, some services that were previously outsourced may have to be internalized. Such issues will need to be evaluated on an individual basis and will depend upon the university’s relationships with each separate third party.

As far as outsourced services, the university must make efforts to understand a few important aspects. For any given outsourced service, it must be determined if the work is further outsourced to a third party beyond the university’s knowledge. Once it is known where the outsourcing chain ends, the university can attempt to work with these individuals to ensure that they are in line with internal OCTAVE Allegro needs and requirements. However, if they are not forthcoming with the necessary information or are not willing to work with the university through providing the necessary information, it will likely be necessary to look elsewhere for the necessary service, whether internal or again outsourced to a different vendor. As for temporary or third party users such as business and external scholars, it should be possible to bring them in line with our OCTAVE Allegro policies without much effort unless there is significant interaction with the university’s internal information systems and assets. In such cases, responsibility and ownership can be delegated to internal members with whom these outside individuals interact. Again, it will be necessary to review and update policies to make sure that internal information assets are stored and maintained within containers over which some internal entity exercises control and not within any containers belonging to some outside organization.

At this time it is not feasible to present any cost estimates. Further investigation into the university’s outsourced services is required. The identification of all containers, including the external ones, is required for OCTAVE Allegro; however, these investigations themselves do not result in any significant additional costs. It may not be until after the university has begun implementing OCTAVE Allegro that vendor or external relationships can be considered, therefore the associated costs cannot be predicted until such time.  

Challenge: Ongoing process considerations

OCTAVE Allegro is an ongoing process that not only takes up the time of the IT staff, but also other employees and possibly students as well. As a large, diverse organization it may become difficult to manage all of the paperwork and organization that OCTAVE Allegro requires. While OCTAVE Allegro requires significantly less paperwork than earlier OCTAVE methods and other risk assessment methodologies, it is still a significant and time consuming process. As the activities of individuals are constantly changing in the university environment, it may become difficult to establish risk accountability with individuals outside of the IT support systems.

One of the most crucial issues is the involvement of the students. While in many contexts, they are considered customers, they could become owners of information assets or become containers for such information. It is much harder to involve students in the activities of OCTAVE Allegro as their position within the greater enterprise changes very rapidly and they cross many departmental and other organizational boundaries. In other words, students do not have a direct reporting authority in the university’s business structure. Thus, it is much harder to control the actives of students and force any responsibility upon them. For general consideration, OCTAVE Allegro activities do not require mass coordination; all assets and owners do not need to be identified at the exact same time. This being the case, individual responsibility is increased. Because so many individuals will be involved it may be hard to monitor and enforce the timely execution of OCTAVE Allegro activities. Because OCTAVE Allegro is an ongoing process, the information can become useless if changes are not recorded and profiles are not updated regularly.

In addition to the changes outlined earlier, the university will need to reevaluate its current systems and policies in order to ensure that OCTAVE Allegro is monitored and executed on a continuing basis. Specific to this initiative may be assigning specific individuals within departments and other organizations that are responsible for managing OCTAVE Allegro for their unit of the enterprise. By assigning these managerial responsibilities the administration can monitor OCTAVE Allegro and ensure its continued usefulness. In order to support OCTAVE Allegro’s management, it may be necessary to increase the IT staff or hire consultants in order to support the necessary activities and to provide long term guidance to individuals as they implement OCTAVE Allegro. These individuals will be needed because it cannot be expected that users will take the time to read and fully understand OCTAVE Allegro themselves. This group of OCTAVE Allegro specialists may be temporary or permanent depending upon their need and their impact on the overall process. The university should also develop and maintain a digital system specifically designed to maintain and record OCTAVE Allegro information across the entire university in order to centralized information. This will allow for a global view when required, auditing of the data, and will facilitate maintenance and back-up efforts.

Until we move forward with OCTAVE Allegro it will not be clear how many people will need to be hired or contracted. The awareness campaigns and training workshops before roll out should help decrease the need for more personnel; however, it will be necessary to wait until these preliminary steps have been completed. The development of an OCTAVE Allegro management system could be a significant project costing between $500,000-$1,000,00 based on internal numbers from previous large projects of a similar nature.

Conclusion

OCTAVE Allegro is a suitable strategy for the university’s risk assessment and management activities. It will improve the administration’s ability to manage information risk and will allow individuals and groups to execute risk management in an ad-hoc and distributed manner without direct oversight of every step in the program.

This report has presented some of the major challenges and the underlying causes that may be encountered when planning for and rolling out the OCTAVE Allegro program for the university. The challenges have been addressed from both technical and administrative standpoints and the paths to overcome or reduce the impact of these challenges are discussed. Many of the challenges would be incumbent upon any security project for the university, such as limited control and access in an academic environment. Other problems are more specific to the OCTAVE Allegro process such as coordination of the actual audit activities with third parties and the additional training which is necessary when more non-technical individuals are involved. Addressing these challenges will provide many additional benefits. For example, rewriting policy and providing training will help ensure that there is a greater understanding of security concerns among users, and in addition will help increase security consciousness among users. As a result the university may notice a reduction in information security incidents or users circumventing security measures. Furthermore, by reevaluating the university’s third party relationships and outsourced services external security and privacy risks that may not have been previously considered will be reduced. Lastly, by modifying policies and practices the university will have a much more timely view of information security risks which will enable more proactive evaluation and mitigation planning. By investing resources now and throughout the program’s lifetime the university can ensure the continued success and improvement of OCTAVE Allegro program. In addition, the investments for OCTAVE Allegro will also impact other areas of security within the university and will help with understanding and planning future security projects and initiatives.

 

References

1. Stevens, James F. Information Asset Profiling. Networked Systems Survivability Program, Software Engineering Institute. Pittsburgh, PA : Carnegie Mellon University, 2005. CMU/SEI-2005-TN-021.

2. Caralli, Richard A., et al. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Software Engineering Institute. Pittsburgh, PA : Carnegie Mellon University, 2007. CMU/SEI-2007-TR-012.

3. Whitman, Michael E. and Mattord, Herbert J. Management of Information Security. Second Edition. Boston : Thomson, 2008. ISBN: 978-1-4239-0130-3.

4. Allen, Julia H. Risk-Centered Practices. Build Security In. [Online] Software Engineering Institute, December 1, 2008. [Cited: January 7, 2009.] https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/deployment/575-BSI.html.

 

 

 

 

Tags OCTAVE Allegro :: risk assessment :: information security
 
Rogue Certificate Vulnerability Through MD5 PDF Print E-mail
Security - Enterprise Security
Saturday, 03 January 2009 20:10

 

Summary

This article [1] by Kelly Jackson Higgins explains a recently developed attack which can allow an attacker to circumvent SSL certificate security. SSL public certificates are used to provide proof that a website belongs to some owner and further allows for secured communications between an end user and the secure web server for which the certificate was issued. These certificates have become instrumental in providing secure communications over the Internet and to establishing trusted application environments. This attack could allow attackers to forge certificates by hijacking the signing authority of a certification authority. As a result, it is possible to impersonate a legitimate website.

This major threat to Internet security exists because many certificate authorities still use MD5 hashing, as opposed to SHA-based hashes which are still considered to be secure. MD5 hashing is no longer secure because of a known algorithmic weakness which is exploited through collision. The article notes that the certificate authorities will be moving to more secure hashes soon, but there is no deadline or oversight in this action. Further compounding this problem, existing certificates which are not set to expire for some time are also vulnerable; it would be a very difficult process to revoke and replace these existing certificates which will not be expiring soon.

The author explains that combined with a DNS attack created by Dan Kaminsky, attackers could redirect users to a phishing website and then use fake certificates in order to appear legitimate. The web browser would report that this is an organization’s legitimate website, even when it actually is not. In non-technical terms, the secure lock displayed by a user’s web browser could be displayed on a phishing website. As a result, even a highly technical user could be tricked. Such an attack would also be very difficult to detect. The article also explains another situation where an attacker could monitor encrypted traffic. This threat could come from hackers, but may also be used at the government level in order to monitor encrypted traffic. 

It should be noted that the attack is not trivial to perform. The security researchers used a large cluster of PlayStation 3s in order to calculate the collision attack. While some attacked the announcement of this zero-day attack, no source code was released, and major vendors have been notified about this attack previous to public disclosure. 

Relation to Enterprise Security

This vulnerability and related exploits is of great importance to enterprise security because it diminishes trust relationships needed for secured communications over the Internet. Secured communications may be used in VPN solutions or data exchange between organizations. Furthermore, some organizations may use vulnerable certificates in order to provide secure communications channels to their customers (e.g. banks and other financial institutions). SSL certificates are also commonly used in securing business-to-business transactions; for example, securing web services interactions [2][3]. SSL certification over the Internet is not limited to specific cases, but is used anytime secured communications are required. Through this vulnerability, both internal and external data, credentials, and communications can be intercepted. This presents major challenges to providing CIA and privacy. 

Furthermore, this article demonstrates the need for proactive security measures. The MD5 hash was proven to be insecure many years ago [4]. The certificate authorities represent the core of the Internet public key infrastructure (PKI), and thus were responsible to update to more secure methods. Until now, the possible threat was much lower because there was no major real world exploit known. However, it was still a well known fact that MD5 was insecure and susceptible to some attack. While it is likely not trivial to convert to a stronger hash, if planned properly the project could have been implemented properly over time. Instead, the certificate authorities will now have to rush to find a solution. As the author states, SSL and the Internet PKI are major institutions of the Internet. It logically follows that they would be likely targets for attackers. When considering security for one’s own organization, it is important to be diligent and proactive. This means keeping up to date with news and vulnerability reports (CVEs, etc.) as well as developing an action plan in response to these news items.

Analysis/Discussion 

This attack is very recent and only seems to have received coverage in technical circles. I imagine that once news of this attack reaches mainstream Internet users pandemonium will ensue. Users are constantly being told to watch out for spoofing and phishing attempts, and have come to trust the in-browser verifications. I imagine that many users, even those who attempt to check for certificate validity will be fooled and will become victims of identity theft or fraud. Many users will likely not hear about this attack or will not upgrade their systems when fixes become available. As a result, it may be very difficult to prevent long-term, large-scale exposure to this vulnerability.

For a better understanding of the attack, I visited the authors’ explanation [5].The report details how the attack works and explains the background issues related to the attack. The attackers were able to easily predict the needed information from the RapidSSL certificate authority because they used very predictable mode of certificate generation: The validity period lasts for one year, starting 6 seconds after the user click the final “OK” button and the serial numbers were found to be sequentially incremented. Thus, they could generate a collision and buy many certificates around the time the collision would occur, giving a high likelihood of exploiting the vulnerability. It should be noted that the entire process was non-trivial and could have failed if other customers happened to be purchasing during the necessary time window. It took the authors many attempts to time and to execute everything perfectly, and they incurred a minimal dollar cost (under $700 USD). They do not believe that their attack can easily be replicated at this time, but hoped to demonstrate the need to update the Internet PKI. The end of their report has recent responses from vendors and software authors showing a speedy response and progress in addressing this problem.

The attack author’s also provide some history about the MD5 vulnerability. According to their research, MD5 was created in 1991, with the first weakness pointed out in 1993, with the first documented collision reported in 2004. After further research in 2005 and 2007, it became evident that MD5 was no longer viable because the collision attack could be highly customized and could compromise certificates not created in a laboratory setting. The authors created the attack documented in order to prove that MD5 should be replaced in all applications. The PKI was a logical choice since it would bring about greater attention than in some other applications. Hopefully, this research will have trickledown effect so that software authors will upgrade to SHA-2 or other more secure hashing algorithms. The researchers also explain that while SHA-2 is currently seen as very secure, NIST is already looking for a successor algorithm by 2012. It should be assumed that any given security measure will eventually be compromised. Thus, significant investments should be made to replace security controls before they become obsolete. 

Bibliography

1. Higgins, Kelly Jackson. New SSL Hack Imperils Secure Websites. darkReading. [Online] December 30, 2008. [Cited: January 4, 2009.] http://darkreading.com/security/attacks/showArticle.jhtml?articleID=212700234.
2. Hada, Satoshi. SOAP security extensions: digital signature. IBM developerWorks. [Online] IBM, August 1, 2001. [Cited: January 4, 2009.] http://www.ibm.com/developerworks/webservices/library/ws-soapsec/.
3. Loftus, Jack. The pros and cons of securing Web services with SSL. Search SOA. [Online] July 26, 2004. [Cited: January 4, 2009.] http://searchsoa.techtarget.com/news/interview/0,289202,sid26_gci995388,00.html.
4. Wang, Xiaoyun and Yu, Hongbo. How to Break MD5 and Other Hash Functions. Shandong University. Jinan, China : s.n., 2005.
5. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. MD5 considered harmful today. HashClash. [Online] January 2, 2009. [Cited: January 4, 2009.] http://www.win.tue.nl/hashclash/rogue-ca/.

 

 

Tags hashclash :: rogue-ca :: md5 collision :: ssl :: certificates :: PKI :: RapidSSL attack
 
Commentary on the Seven Deadly Sins of Network Security PDF Print E-mail
Security - Enterprise Security
Thursday, 18 December 2008 14:23

 

Summary

In Brenner’s article [1] on network security, he highlights what he considers to be the major mistakes or misjudgments made by IT administrators when evaluating, planning, and performing security activities. While the author focuses his “seven deadly sins” on network security, they are certainly applicable to enterprise security in general. The first sin is “not measuring risk”. The author describes this sin as not consciously evaluating security concerns as business problems. This results in a mindset where an organization believes that an investment in firewalls and virus scanners is sufficient means of addressing any and all possible security concerns. The second sin is the belief that regulatory compliance is equivalent to security management. For example, an organization is easily led to believe that if they meet all regulatory measures that they either are secure or are not responsible to take further action. The third sin is when the enterprises views security as a technology problem without regard to human factors. Even the most secure system can be defeated through human ignorance, incompetence, or malicious intent. The fourth sin is improper configuration and management of access controls for systems. Loose configurations result in users having elevated privileges from a business perspective and lead to holes for attackers. The fifth sin is “lax patching procedures”. The author cites a Verizon report [2] which shows that most attacks result from vulnerabilities that have had patches for a longer period of time, such as Sasser. The sixth sin is lax logging and monitoring; that while these tools may be running, they are not used or their reports are analyzed sufficiently. The last of the seven deadly sins is that modern networked systems have become too complex to effectively manage. The author’s complaint here is that organizational networks continue to grow and often the network engineers “bolt one device onto the next” in ways which lead to complex management and configuration. 

Relationship to Enterprise Security

This article provides a useful, high-level view of security challenges faced in the enterprise. While written with network security in mind, most of the concepts can apply to many other domains of enterprise security. The first two sins deal directly with how the organization views security issues as business problems. First, security is not taken seriously in all situations; nor is the business impact well understood. As a result, risk is not properly assessed and is not sufficiently minimized. Purchasing and installing security software and hardware is not sufficient; technology does not understand business problems and cannot easily determine which assets require a particular level of security. The second sin is of critical importance to the modern enterprise. While the business must comply with regulatory measures, these measures were not designed to provide complete security nor were they developed as technical step by step guides. Enterprises are composed of both humans and information systems; as a result the third sin is of crucial importance. While technological measures can be put in place, users may try to circumvent them to increase convince or may accidently disable some security feature. Furthermore, policies must be developed in order to minimize human impact while at the same time employees must be educated on how to use information systems in a secure manner and on the overall importance of security to the organization. 

The other sins on the list relate to proper management of security tools and procedures. The importance of timeliness is one of the key concepts in this article. Patches need to be tested and deployed within a fairly short period of time. It is unacceptable to put off patching or eliminating a security concern for an extended period of time. Once the security staff becomes aware of a problem, action must be taken to remedy the situation; failure to act will likely be considered negligence if a known security hole is used to perpetrate an attack. In addition, if the organization has tools to detect and locate problems, they should actively be monitoring these logs or reports and plan appropriate action. For example, a traffic log may show malicious traffic, but without human analysis and review logging is useless for the organization. Lastly, the author discusses the KISS (keep it simple stupid) principle. As discussed in class, enterprise systems are not trivial, which adds additional layers of complexity on top of already complex information systems. Therefore, the security staff should work hard to ensure that they are not making their own jobs harder. In general, information systems management needs to be compartmentalized into small, manageable pieces. A system which is left to grow more complex results in higher costs and in terms of security greatly increases the difficulty of protecting such a system. 

Analysis/Discussion

This article is very useful for the CIO or IT security team. It brings awareness to many concepts which may not be obvious in most cases. Security is often viewed as a technology problem, when clearly it is business problem (just because a security protect exists for some system does not mean that system is worth the investment and other associated costs). It is not important to secure the “network”, but it is important to secure the enterprise. This subtle difference in philosophy makes all the difference. For example, regulatory compliance creates a minimum of security and represents the government’s beliefs on what is important in terms of security. The government’s concerns are not exactly a perfect overlap with every individual organization’s needs and goals; therefore, an enterprise must expand their security program to address regulatory requirements as well as the organization’s own needs and goals. While human factors and efficient procedures are often cited as reasons for poor security, the concept of regulatory compliance versus security is an idea which is not commonly discussed. However, with the complexity and cost of meeting compliance, it is not hard to imagine that organizations stop their security efforts after meeting compliance. For many in management positions, security and compliance is seen as an impediment to carrying out normal business operations. However, the smart enterprise realizes that security is crucial to continued success and will lead to better overall management and understanding of the information systems within the organization. Compliance is not about protecting the organization, it is concerned with protecting those external to the organization. With this in mind, the enterprise security team will understand that they, not the government, are ultimately responsible for developing the plan of action used for ensuring the security of their assets, information, and systems. 

Bibliography

1. Brenner, Bill. The Seven Deadly Sins of Network Security. CSO Online. [Online] December 10, 2008. [Cited: December 11, 2008.] http://csoonline.com/article/470095/The_Seven_Deadly_Sins_of_Network_Security?page=1.
2. Baker, Wade H., Hylender, C. David and Valentine, J. Andrew. 2008 Data Breach Investigations Report. The Verizon Business Risk Team, Verizon Business. 2008.

 

Tags verizon :: networking :: firewalls :: patches :: human factors
 
Conflicting Parties and Privacy Policies PDF Print E-mail
Security - Enterprise Security
Monday, 08 December 2008 14:52

 

Summary

Tim Wilson’s article [1] on privacy policy development and implementation describes the conflicts that arise between business units, executives, and external parties during privacy policy development, as well as the difficulties in implementing a privacy policy once developed. The main example cited in the article was a conflict between the Chief Privacy Officer (CPO) and the marketing group. The CPO’s goal is to protect individuals, and generally wants to maintain the least amount of data necessary for any given individual. At the same time, marketing organizations want the most information per individual possible in order to best target there audience. Other parties who may be involved include customers, who do not want organizations to have too much information and law enforcement whose investigations are often dependent upon access to such personal information. The article notes that there does not seem to be any easy way to address this problem, but that awareness that many different stakeholders should provide input and receive consideration in the privacy policy is important.

The second topic of the article is that problems can arise in implementing and enforcing a given privacy policy. Even if all parties are in harmonious agreement, it may not be possible to implement the resulting policy. For example, there may not be any existing tool or configuration option in existing software to meet the needs of the policy. Another issue cited in the article is that budget limitations may prevent the implementation. Enforcement can also be hindered through resale of customer data. Customers may remove themselves from one organization’s records, yet still receive information through that organization’s third party partners, in effect invalidating their previous opt-out. This scenario may violate the security policy, but preventing it may not be possible or require expensive changes to everyday operating procedures.

 

Relationship to Enterprise Security

While privacy is not officially part of the CIA (confidentiality, integrity, availability) principle, it is still an important aspect of the security mindset. As defined in lecture, privacy is “the right of an individual to control the disclosure and use of their personal information”. Safeguards must exist on both systems and data itself in order to protect such private information. The enterprise is responsible for safeguarding a great deal of personal and private data, both for employees and customers. For example, a company maintains contact information for customers and partners, as well as payroll information for employees. Because this data is most likely stored in information systems, it falls under the IT security staff to protect it. In addition, privacy will continue to grow in importance as the number of contract employees and external users of organizational data increases. For example, it is imperative to protect internal user data from outsourced operators that interact with the internal systems.

This article also deals with the development of policy. This is important for enterprise security because decisions are never simple and cannot be made arbitrarily; rather, good policy evaluates the needs of all stakeholders. The development of a coherent policy which is actually able to be implemented is crucial to the success of the enterprise security team. The policy sets out the rules and desired outcomes, and is used as the basis for all action-decisions in order to preempt and react to security incidents. Stakeholders could include various executives, departments, and regulators. The policy developers must consider all stakeholders and then prioritize (government regulations may out rule the marketing department’s desire to hold information for a lengthy period of time). Because enterprise security is primarily concerned with the interactions of technical systems and humans, policy can be seen as defining the protocols and rules of interaction.

 

Analysis/Discussion

The results of the study and article are not surprising. It is increasingly difficult in large modern organizations to have harmony and similar view points throughout the enterprise. One would not expect employees in the accounting department to understand all the complexities of setting up the technological controls on the accounting software provided by the IT department. As a result, policy development can be very slow and can see very strong resistance when one or more group’s desires cannot be met. Needs assessment interviews may need to be conducted, and policies should be reviewed and updated on a regular basis. 

Enterprise security, for IT, was not a top priority until very recently. Now that it has become a top objective for most organizations, best practices and standardization will continue to emerge. While best practices do not present the terminal solution for everyone, a simplified understanding will allow a greater number of IT administrators to protect their organizations. To be successful at higher levels of management in IT, it is important to understand how the IT goals will meet the business objectives of the organizations. This requires a full view of the business and must take into account external view points.

I took some time to review the original report [2] by HP Labs cited in the article. If I was in the position to create a policy, I would find this report very useful, and I believe the interview cases could apply to many other real world operations. The report is focused on customers and end users not the direct privacy concerns of the organization, which may be more obvious to most security and privacy administrators. I think it is very important to consider these “citizen” or “customer” concerns; while an organization may put a strong emphasis on protecting its own information, it should take care with others information as this could result in regulatory penalties, lost customer, and lost business partners. Internal trade secrets may be important, but the aggregate value of this third party information would tend to have a higher total value and may be a more desirable target than organization secrets for an attacker.

 

Bibliography

1. Wilson, Tim. Conflicting Interests Pose Huge Challenge To Privacy Policies . DarkReading. [Online] United Business Media LLC, November 7, 2008. [Cited: December 5, 2008.] http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001183.
2. Nickel, Cyndi, Sander, Tomas and Bramhall, Pete. The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises. s.l. : HP Laboratories, 2008. HPL-2008-153.

 

 

Tags enterprise security :: privacy
 
Evolution of the Public Network & Its Protocols (Report) PDF Print E-mail
Networking - Internet and Public Networks
Thursday, 02 October 2008 00:00

Below is a formal report, if you would prefer you can view a much more simple PowerPoint presentation of this topic here.

 

The ever increasing number of internetworked devices and data intensive applications creates great strain on global infrastructure and backbone networks. These functional demands require enormous amounts of data to move at near instantaneous speeds. Thus, the public network (which is the aggregate of backbone and service provider internetworks) requires continued evolution to keep pace with ever increasing flow of data. It is important to have an understanding of how data traverses the public network; the separation between organizational segments and individuals increases as globalization creates new long distance and international connections among people. The decisions made by the public network designers will dictate the speed of business and communication. This survey will analyze trends in design and protocols on the public network over time. By analyzing the strengths and weakness of individual technologies, rational behind emerging technologies can be better understood. This survey will help the student and IT administrator gain insight into the greater networking world, which will assist in effective decision making in terms of service acquisition and application deployment.

Over time, the nature of traffic traversing the public network has become increasingly diverse. Initially, traffic was uniform and highly predictable. Telephone conversations and television transmission generally have static bandwidth requirements; spikes and peak times (nights, holidays, announced events) are usually predictable. However, the emergence of the Internet and corporate site interconnects over public networks has greatly changed the nature of traffic flows. Internet traffic is bursty and often involves multiple conversations between distinct transmitters and receivers over the same paths. Shifts, spikes, and other changes are less predictable because they often are responses to news, recent events, or other factors that the provider cannot anticipate. Also, while most traffic years ago was local (80% local, 20% long haul), the inverse is true today were most traffic is long-haul and is directed between a few major cities (Greenfield, 2002, p. 9). As a result of these changes the public network requires new protocols to meet the changing traffic requirements. Not only has the type of traffic changed, but now there are increasing demands for quality of service (QoS) and new traffic intensive services are emerging.

One of the earliest popular technologies for the public network was Asynchronous Transfer Mode (ATM). ATM was initially developed by a French Telecommunications company in the 1970s as the foundation for their cable television infrastructure. ATM was well suited for both voice and video because it is connection-oriented and offers a higher QoS compared to a protocol such as Ethernet, which has no built-in QoS and is connectionless. Another distinction between ATM and Ethernet is that ATM has a small fixed-length packet; this design reduces delay and jitter, a problem associated with changes in delay (Greenfield, 2002, p. 34). While these characteristics are strengths for voice and video, they cause problems for data based traffic. The current TCP/IP protocol used on the layers above ATM does not map well to the fixed-size of ATM resulting in wasted bits being sent for every 50 bytes of data. In addition, “running IP over ATM requires an enormous amount of [expensive] additional software” (Greenfield, 2002, p. 35). In implementation, ATM achieves maximum performance when its virtual circuits (the logical connections that result from being connection-oriented) are fully meshed. As a result, there is significant routing overhead as the network scales upward (Greenfield, 2002, p. 192). ATM’s popularity is on the decline; however, the phasing out and replacement of this technology has been slow due to the large investment and support made by providers during its inception.

While ATM was designed to handle relatively uniform and simple traffic flows, synchronous optical networking (SONET) claims to be designed as a generic carrier for both smooth and burst traffic. SONET was developed and is used in the United States; it was later incorporated into Synchronous Digital Hierarchy (SDH) as a global standard. The difference between SONET and SDH deals with data rates used in the rest of the world, but for the most part the two are very similar. The overall technology will be discussed based on SONET in this survey. SONET is an optical multiplexing technology that is used for interconnecting multiple points in the public network. Unlike ATM, it is synchronous and based on time division multiplexing. The synchronous nature allows for higher speeds and does not require as much overhead, such as bit stuffing, used in asynchronous communications (Tektronix, p. 5). An important aspect of any technology used for the public network is management and traffic engineering abilities. A SONET frame can contain a great amount of overhead, which allows for “simpler multiplexing and greatly expanded operations, administration, maintenance, and provisioning (OAM&P) capabilities” (Tektronix, p. 16). SONET can carry very large payloads (50MB+) and was designed to easily scale the traditional hierarchal data streams used in telecommunications such as T1 and T3; this greatly simplifies the multiplexing and demultiplexing process because data streams are not divided in an irregular manner. Unlike other optical multiplexing technologies, SONET can exists in topologies besides point-to-point (hub, point-to-multipoint, ring).The ring design is the most common because it offers a high degree of protection and resiliency with a minimal investment in physical wiring (Greenfield, 2002, p. 134). SONET incurs a lower total cost of ownership (TCO) because it is a recognized standard, which increases vendor interoperability. In addition, SONET requires less equipment than other similar technologies which also lowers costs (Tektronix, p. 40). As a general backbone structure, SONET provides many benefits. However, there is limited flexibility in SONET. SONET equipment cannot easily provide lines and different speeds, forcing customers to purchase more than is sufficient for their needs. Another major problem is that when a link is established between two points two symmetric links are created; however, Internet traffic is inherently asymmetrical and bursty, which leads to wasted bandwidth for data traffic. (Greenfield, 2002, pp. 139-140).  Despite its shortcomings, SONET has remained popular due to its relative low cost and management features.

As new technologies continue to replace legacy ATM and SONET networks, the business case dictates that their financial costs should not outweigh their functional benefit. One such technology that has garnered great attention is Dense Wave Division Multiplexing (DWDM) for optical networks. Its popularity can be attributed to its ability to provide improved performance using elements of the current public network infrastructure. In a DWDM system, multiple carriers (different wavelengths/colors) transmit independently of each other and can have different traffic characteristics. A system is considered DWDM if it has eight or more carriers in a single fiber. The goal is to maximize the number of available carriers in the existing installed fiber (Horak, 2001, p. 2). Because each carrier is separate, optical switching allows for the signal to be rerouted without electro-optical conversion. DWDM enables very high data rates, easily hundreds of gigabits per second, over one physical medium. While DWDM equipment is significantly less expensive then SONET, there are of course some disadvantages. Each carrier can only accept one type (e.g. PCM Voice or TCP/IP data) at a given time, different streams cannot be mixed. This is ineffective because it leads to underutilization and undercuts QoS because all traffic on a carrier is given the same consideration en route (Horak, 2001, p. 3). While DWDM presents many technical advantages, the costs of replacing highly functional SONET networks may serve as a deterrent. The reader should note that networks can be designed that use SONET over DWDM.

Another technology which hopes to build upon existing infrastructure is Resilient Packet Ring (RPR). RPR was designed to incorporate the best aspects of SONET and Ethernet. One the critical goals of RPR was to create a technology that could serve all types of communications, not solely data or voice. To meet QoS demands there are three traffic classes: Synchronous (high quality voice), guaranteed, and best effort traffic (Greenfield, 2002, p. 157). RPR can easily integrate into the ring architecture that exists with SONET networks. RPR uses at least two rings, operating in opposite directions, which allows for faster end-to-end delivery by taking the shortest path. Another interesting ability of RPR, compared to SONET, is spatial reuse, which is a process where the bandwidth used by one transmission can be reclaimed by another after the first transmission is stripped from the ring. Compared to Ethernet, there is much less intermediary processing of traffic (Green & Schlicht, 2002). RPR’s greatest strength is that it can easily and inexpensively interface with SONET and Ethernet infrastructures and substitute for one or the other depending on the situation.

            While many new technologies are being developed for the public network, there are many who would like to see ubiquitous Ethernet deployed end-to-end. Ethernet’s popularity and low cost make it popular; however, it is poorly suited for the public network. As stated earlier, traffic engineering and QoS are important for a mixed multimedia public network, and are not standard features of Ethernet. In addition, Ethernet works best in a meshed environment; however, it presents little advantage in the current networks which are physically rings (Greenfield, 2002, p. 156). Ethernet could possibly be used at the WAN level, but would require extra provisions and overhead to be added for traffic of a connection-oriented nature. However, Ethernet is enticing because it would reduce the number of layers and conversion for end-to-end transmission (Kerner, 2008). For the time being providers will likely continue to use multiple technologies to build out their networks.

            The issues concerning the build out and evolution of the public network are numerous. Realistically, there will be no decisive “winner” because providers will make purchasing and implementation decisions based on many factors including cost, user demands, and predictions of the future nature of traffic. TCP/IP continues to grow in importance. If VoIP and IPTV can completely replace traditional telephone and cable television traffic may become more uniform. This could lead to simplified decisions for protocols in the future. With the physical medium being capable of ever higher speeds, overhead and latency become less important. RPR to this point has not been highly adopted, but shows the greatest potential for success. It easily integrates with the public network’s physical infrastructure and can handle multiple traffic flows. Its low price and relative ease of connection to Ethernet make it a strong contender. While it would be desirable, even at high speeds Ethernet lacks the robustness and management capabilities that the public network requires. A successful technology would easily interface with Ethernet and must provide a high level of management and yield a low TCO.

 

 

 

References

 

Eogogics Inc. (2005). Tutorial on Optical Networking. Retrieved September 5, 2008, from Eogogics Knowledge Center: http://www.eogogics.com/talkgogics/tutorials/optical-networking

Green, M., & Schlicht, L. (2002, September 3). Maximize the Metro With Resilient Packet Ring. Retrieved September 16, 2008, from CommsDesign: http://www.commsdesign.com/showArticle.jhtml;jsessionid=OBV1GC3HCJ2AAQSNDLPSKH0CJUNN2JVN?articleID=16505799

Greenfield, D. (2002). The Essential Guide to Optical Networks. Upper Saddle River, NJ: Prentice Hall PTR.

Horak, R. (2001, April 3). SONET vs. DWDM. Retrieved September 16, 2008, from Call Center Magazine: http://www.callcentermagazine.com/GLOBAL/stg/commweb_shared/shared/article/showArticle.jhtml?articleId=8704557&pgno=1

Kerner, S. M. (2008, January 11). Ethernet Traffic Doubles, While ATM and SONET/SDH Dip. Retrieved September 16, 2008, from Optically Networked: http://www.opticallynetworked.com/news/article.php/3721101

Optical Networks: DWDM and SONET. (2008). Retrieved September 16, 2008, from The Insight Research Corporation: http://www.insight-corp.com/reports/opticalnetworks.asp

Tektronix. (n.d.). Synchronous Optical Network. Retrieved September 5, 2008, from www.noc.garr.it/docum/Pos/sonet-textronix.pdf

 

 

Tags resilient packet ring :: ethernet :: sonet :: DWDM
 
<< Start < Prev 1 2 3 4 5 Next > End >>

Page 4 of 5