CIA Security

Digitial Rights Management, does it worth?

2009-04-17T19:04:00.018+01:00

I remembered when I was in Egypt and advised my ex-employer to add DRM product; LockLizard; to our security products portfolio. I remember my reasons behind this at this time. At this time the content providers in Egypt was giving access to users who access the internet through their dial-up number, and they didn’t have any kind of control on content distribution afterwards. I thought by having a DRM product we can give Egyptian content providers a proper solution that can control content distribution and increases customer volume which; as I thought; will increase their profit and growth. There is no need anymore to restrict access to internet dial-up number. You can imagine how it is quite annoying from end-user prospective to switch between internet dial-up numbers to get access to needed content. Accidentally, I was reading “Ongoing Innovation in Digital Watermarking” and “How Viable Is Digital Rights Management?” in IEEE computer magazine. The two articles are great and show history and current trends in Digital Rights Management and why some companies move to naked digital rights management ;as Rajan Samtani called it; like Amazon, Sony BMG and iTunes store.

So, why movie producers still fighting piracy till now?
I thought like most of you that is because they are losing money and threaten filmmaker industry as mentioned in Washington Post , this article on helium.com and others went further by saying it is used for fund raising to drug dealings and terrorist groups.

Does it worth keeping this fight?
Let’s look at it from business point of view. Based on product life-cycle theory profit achieved in the beginning of the product for a period of time till market saturated, after that the profit starts to reduce as shown in this diagram. That is mean declined profit is the norm in globalised business in 21st century. I’m pretty sure filmmakers knew that more than me.

Today Pirate Bay founders sent to jail for supporting file-sharing and allow users to download music files and movies for free. I’m not supporting illegal file-sharing. But, I don’t understand why they still keep fighting piracy; I don’t think it worth effort anymore. They need to change current business model to keep growth and profit on.

References: Watermarking systems Engineering Good Copy Bad Copy

Security Lessons Learned from Société Générale

2008-05-24T11:16:00.007+01:00

In January 2008 was an incident in which the bank Société Générale lost approximately €4.9 billion closing out positions over three days of trading beginning January 21, 2008, a period in which the market was experiencing a large drop in equity indices. The bank states these positions were fraudulent transactions created by Jérôme Kerviel, trader with the company. The police stated they lack evidence to charge him with fraud and charged him with abuse of confidence and illegal access to computers. Kerviel states his actions were known to his superiors and that the losses were caused by panic-selling by the bank.

Jérôme Kerviel combined several fraudulent methods to avoid the controls in place [3]:

firstly, he ensured that the characteristics of the fictitious operations limited the chances of a control: for example he chose very specific operations with no cash movements or margin call and which did not require immediate confirmation;
he misappropriated the IT access codes belonging to operators in order to cancel certain operations;
he falsified documents allowing him to justify the entry of fictitious operations.
he ensured that the fictitious operations involved a different financial instrument to the one he had just cancelled, in order to increase his chances of not being controlled.

How the fraud was uncovered:

Friday January 18th

Abnormal counterparty risk on a broker is detected several days earlier. The explanations provided by the trader result in additional controls.
On January 18th, the trader’s superiors are informed and in turn they alert the management of the division.
In the afternoon of January 18th, it appears that the counterparty for the recorded operations is in fact a large bank, but the confirmation e-mail raises suspicions.
A team is immediately created to start investigating the situation.

Saturday January 19th

Management cannot obtain a clear explanation from the trader.
The large bank in question does not recognise the operations.
The trader finally acknowledges committing unauthorised acts and, in particular, creating fictitious operations.
The investigation team starts piecing together his real position.

How global economy potentially impacted:

On January 21, 2008, European stock markets suffered heavy losses of about 6%. The sharp fall, which was followed by an emergency cut in the federal funds rate by the United States Federal Reserve on the following Tuesday (US markets were closed on the Monday for Martin Luther King Jr Day), came as Société Générale tried to close out positions built up by Kerviel.

This has led to speculation that stock market turbulence caused the Federal Reserve Board to cut the rate. A Federal Reserve spokesperson denied the central bank knew of Société Générale's situation when it made its decision.

It is estimated that over the period the total trading in futures and the cash market for the Euro Stoxx 50 was €544 billion. This would make the unwinding of Kerviel’s position account for five per cent or less of overall activity. Société Générale's investment banking chief, Jean-Pierre Mustier, acknowledged that the three days of forced selling played a role in the market's overall decline, but characterized that impact as "minimal".[2]

Jeremy Epstein wrote a good article in IEEE security & Privacy magazine [1] about security lessons learned from Société Générale fraud by Jérôme Kerviel.

Jeremy highlighted security lessons that we should learn from this fraud. Some of them as follows:

Low tech attacks are easier
Logs are only useful if they’re examined

“Societe Generale has taken several steps to tighten controls following an internal report into what went wrong in the Kerviel case. The report noted 74 red flags raised on Kerviel's trades that failed to sound the alarm — he was spotted only on the 75th." [4]

Don’t rely on secrecy for security
We’re looking at the wrong things
Rights revocation must be tied to role assignments
Social engineering is a threat
Don’t believe everything you read

“Kerviel apparently used his experience working in Société Générale's compliance department to exploit both human and technological weaknesses. He crafted fake e-mails detailing order requests from supposed clients” [5]

Cutting staffing costs can backfire
Features without assurance are ineffective

“The bank says Kerviel faked hedging transactions across a range of financial instruments. They weren't spotted because Societe Generale's back office controllers monitored the trading of individual products separately.” [4]

Insider attacks (usually) have motivation

References:

1. IEEE Security & Privacy

2. Wikipedia

3. Société Générale

4. New York Times

5. BusinesWeek

Information classification

2008-02-17T21:40:00.009Z

It is very important topic and needs some attention as It is part from your information security management programme/framework. Initially when I started to identify the security controls required for each information I found it is subjective rather than objective opinion. I started to read more about the matter and I found that we need to have information security classification scheme in place which will extreme to make the judgement objective.

Information classification is the conscious decision to assign a level of sensitivity to information as it is being created, amended, enhanced, stored, or transmitted. The classification of the information should then determine the extent to which the information needs to be controlled / secured and is also indicative of its value in terms of Business Assets.

May be we need to know why we need to classify the information. Information classification helps us to know needed security controls and processes, Protecting less value information or public document/information isn’t like protecting confidential information.

Information classification challenges:

1- Difficulty to establish a practical information classification scheme.

2- Lack of guidance and best practice for communicating the level of confidentiality and integrity.

3- Difficulty to identify security controls for classified information.

4- Lack of understanding about how to run information classification programme.

What we need to do:

1- Develop information classification scheme

2- How to communicate built information classification scheme.

3- Build security control matrix based on information classification scheme.

4- Measure Information classification scheme effectiveness and efficiency.

First we need some sort of information classification scheme and currently I have the following classification as suggested from ISF survey:

Public, Internal, Restricted and Secret

But which factors we can use to determine accurate information classification:

Level of confidentiality.

Legal & regularity requirement.

Changes to the content over time.

Second start to make this classification model in use, by putting label on the document shows classification level of the document, build information classification awareness programme and make sure that SLA contains information classification responsibilities and accountabilities.

Third start to build security control matrix for each stage to the information, such as in the creation, processing, Transmitting, Storage and disposing of the information.

References:

1) Information Security Forum

2) Employee's Guide to Security Responsibilities

3) Security Education, Awareness, and Training from Theory to Practice , By C A Roper, Joseph J.

Information Security strategy

2008-01-23T15:05:00.000Z

Let’s first define what Information Security strategy is:

Information Security Strategy is a plan of actions that takes the information security function from mission to vision.

Information security function is seen as a fire-fighting and overhead cost, for that there is a need to change this image and information security profile in the organisation.

Building an information security strategy is very important to the business for the following reasons:

Optimising resources and prioritising tasks for information security functions.
Risk management in the organisation become more effective.
Improve communication with organisation’s executives as strategy is the common language to them.
Raise information security profile in the organisation.

When we start to build our information security strategy we should put in our mind the following:

The information security strategy should align with and contribute to achieve the organisational strategy.
Information security strategy has three distinct aspects (supporting the business, defending against threats and raising the profile in the information security function)
Standard strategy tools and techniques (such as value chain analysis, risk analysis and strategic mapping) could be used to build it.

Reference: ISF & IsecT dotcom

Performance Measurement for Information Security

2007-12-25T22:47:00.000Z

Although measuring information security performance is required by law in USA such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA). Also, I do believe that the driven factor for any thing is the business need or monetary value.

What do we need to measure for Information Security?

NIST specified three measure types which are:

Execution of security policy.
Effectiveness/efficiency of security services delivery.
Impact of security events.

Performance Measurement for Information Security Challenges:

Inconsistent process, when you try this kind of process you will find it challenge to specify your performance targets to measure.

Identifying the goals and objectives of performance management. The best start will be from business/stakeholder interest.

Establishing Performance Targets. Setting performance targets for effectiveness/efficiency and impact measures is more complex because there isn’t a specific level of performance.

What do we need to implement this Performance Measurement?

Collecting data.
Analyze collecting data.
Identify Corrective Actions.
Develop Business Case.
Apply Corrective Actions.

By building Performance Measurement for Information Security we facilitate decision making and improve effectiveness/efficiency of information security service delivery.

Reference: NIST & ISF “Security Health check Project”

Critical Information Infrastructure Protection (CIIP)

2007-12-16T23:15:00.000Z

In The ISNR 2007 Conference from 3^rd-5^th December in London they took about CIP challenges.

Definition of Critical Infrastrucre:

Critical infrastructure is a term used by governments to describe material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:

Emergency services
Energy
Finance
Food
Government & public services
Health
Public Safety
Telecommunications
Transportation systems
Water

In other words, critical infrastructure refers to those assets, systems, and functions so vital to the nation that their disruption or destruction would have a debilitating effect on our national security, economy, governance, public health and safety, and morale.

Let’s try to figure out from the above definition what is our Critical Information Infrastructure. You will find it depends on your business, for example critical infrastructure for supply chains/logistics is different, but the common will be Network communication.

So,

What is Critical-infrastructure Protection (CIP)?

It is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.

Critical infrastructure and information security have similar requirements, particularly in the area of availability. Let’s take USA CIP model to learn how to build Critical Information Infrastructure Protection (CIIP) model similar to it. From Wikipedia let’s have a look on US CIP life cycle which consists of six phases as following:

Analysis and Assessment (occurs before an event) - The Analysis and Assessment phase is the foundation and most important phase of the CIP life cycle. This phase identifies the assets absolutely critical to mission success and determines the assets’ vulnerabilities, as well as their interdependencies, configurations, and characteristics. An assessment is then made of the operational impact of infrastructure loss or degradation.

Remediation (occurs before an event) - The Remediation phase involves precautionary measures and actions taken before an event occurs to fix the known cyber and physical vulnerabilities that could cause an outage or compromise a National Defence Infrastructure, or NDI, or critical asset. For example, remediation actions may include education and awareness, operational process or procedural changes or system configuration and component changes.

Indications and Warnings (occurs before and/or during an event) - The Indications and Warnings phase involves daily sector monitoring to assess the mission assurance capabilities of critical infrastructure assets and to determine if there are event indications to report. Indications are preparatory actions that indicate whether an infrastructure event is likely to occur or is planned. Indications are based on input at the tactical, operational, theater, and strategic level. At the tactical level, input comes from asset owners. At the operational level, input comes from the NDI sectors. At the theater level input comes from regional assets such as allied intelligence, NATO, command intelligence, allied governments, and coalition forces. At the strategic level, input comes from intelligence, law-enforcement, and the private sector. Warning is the process of notifying asset owners of a possible threat or hazard.

Mitigation (occurs both before and during an event) - The Mitigation phase comprises actions taken before or during an event in response to warnings or incidents. DoD Critical Asset owners, NDI sectors, DoD installations, and military operators take these actions to minimize the operational impact of a critical asset’s loss or debilitation.

Incident Response (occurs after an event) - Incident Response comprises the plans and activities taken to eliminate the cause or source of an infrastructure event.

Reconstitution (occurs after an event) - The last phase of the CIP life cycle, involves actions taken to rebuild or restore a critical asset capability after it has been damaged or destroyed. This phase is the most challenging and least developed process.

Effective management of the CIP life cycle ensures that protection activities can be coordinated and reconciled among all DoD sectors. In many ways, DoD CIP, is risk management at its most imperative. Achieving success means obtaining mission assurance. Missing the mark can mean mission failure as well as human and material losses. For critical infrastructure protection, risk management requires leveraging resources to address the most critical infrastructure assets that are also the most vulnerable and that have the greatest threat exposure.

Reference:

Wikipedia & ISNR 2007 Conference

Vendor liability & User Responsibility

2007-11-11T21:57:00.000Z

We always hear this words "It is your responsibility" in case some one stolen money from your credited card or your password of your email.

Why we don't say the same words to software vendors if they have security vulnerability in their software make us lose a lot of money.

When we install any software, have to sign off EULA for software's vendor. But, we have to accept this license to install the software.
So, I think most of use tried to read this EULA agreement before sign it off. You could find a lot of EULA analyzer tools on the Internet could highlight the important points to you, such as Privacy, Vendor rights, your responsibility.

The point here, as long as we don't have any other options to install the software, the vendor must be liable of his software. By the end of last month, Symantec Web Security Response Webblog wrote about "Privilege Escalation Exploit In the Wild", one week later they wrote a follow-up on this vulnerability. This vulnerability as written in "SECDRV.SYS Driver". Microsoft posted Microsoft Security Advisory (944653) about this vulnerability. Lets analysis the FAQ as posted in Microsoft Security Advisory (944653).

What is the scope of the advisory?

Microsoft is aware of a new vulnerability report affecting the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This affects the software that is listed in the “Overview” section.

What is secdrv.sys?
The driver, secdrv.sys, is used by games which use Macrovision SafeDisc. The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows. The secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and Windows Vista to increase compatibility of the games on Windows. Without the driver, games with SafeDisc protection would be unable to play on Windows. SafeDisc remains inactive until invoked by a game for authorization to play on Windows.

The question which raises here, If this vulnerability exploited and Microsoft customers lost millions of money, would Microsoft/Macrovision liable for this?. The answer is NO.

Lets have a look on "Windows Server 2003 End-User License Agreements", by using EULA Analyzer or read this EULA you could find

23. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
repair, replacement or a refund for the software does not fully compensate you for any losses; or
Microsoft knew or should have known about the possibility of the damages.

It is unfair if the customers lost millions of dollar and they can claim only the amount they paid for the software. Ira Winkler ;The author of Spies Among Us; wrote a wonderful article on this point with a title "Vendor liability: A pointless argument?". Also, Art Coviello , RSA's president, in last RAS Conference 2007 which held in London made this interview with ZDnet.

At the end I see the software vendor should be liable for their software as users responsible of their mistakes.

Security Assessment Roadmap

2007-11-01T13:27:00.000Z

In my last role with my ex-employer when my manager asked me to develop security assessment service. I made some Google search and I found the best way is to establish a framework, also because working under a formal process model make the task easy and development after that efficient,. I found the NSA developed INFOSEC Assessment Methodology (IAM). I started to read more about it and I found a brilliant book which helped me a lot from Syngress which is “Security Assessment: Case Studies for Implementing the NSA IAM”.

After that I started to use these resources to start to build our Security Assessment framework and I have just decided to share this information with my peers who interested in IT Security. Here is what I got.

Let’s assume we are going to make security assessment for company called “XYZ”

Introduction

XYZ company network may expose vulnerabilities to attackers in many ways. A key area is information exposure. Many details about XYZ Company that an attacker can gather can be used to assist in an attack. This includes technical data, such as what public services XYZ company offer, as well as Non-technical items, such as who your business partners are. The next area of importance is connectivity. Can attackers send and receive information to the systems within XYZ company network? This is dominated by the impact XYZ company s’ firewalls (and filtering routers) have on connectivity into XYZ company network, but it can also be affected by the controls XYZ company have in place to allow workstations and notebook computers to connect to XYZ company internal network. The last major area that needs to be examined is whether the services XYZ company network relies on contain exploitable vulnerabilities.

The roadmap for making security assessment consists of the following core phases with corresponding deliverables:

Planning

Determine the scope of our assessment at XYZ Company. Decide how we will conduct it. Develop written rules of engagement to control the assessment and, most important, gain proper written approval to perform it. Assemble our toolkit to perform the assessment.

Reconnaissance

Obtain technical and non-technical information on the XYZ Company and known public hosts, such as mail, web, and DNS servers…etc.

Network service discovery

Determine which hosts and network devices at XYZ Company can be accessed from the outside. For each of these systems, determine what services are running on them.

Vulnerability discovery

Probe externally accessible systems and remote services to determine whether they expose known vulnerabilities to the outside. Analyze initial results to eliminate false positives.

Verification of perimeter devices

Evaluate firewall and router configurations at XYZ Company to ensure that they are well configured. Verify that firewalls at XYZ Company do not pass traffic that should be blocked. Verify that anti-discovery and anti-DoS controls are in place and work as expected at XYZ Company. Test intrusion detection/prevention sensors to ensure that they detect, log, and alert on suspicious activity.

Remote access

Verify security controls of known remote access systems, including remote access servers, wireless access points, and VPNs. Search for unauthorized (rogue) modems and wireless access points at XYZ Company.

Exploitation (optional)

Attempt to use exploitation techniques against the discovered vulnerabilities. Based on the goals of the test, this may be an iterative activity. Successful exploitation may lead to additional access on the network, which may open the opportunity up for further exploitation.

Results analysis and documentation

Analyze discovered vulnerabilities to determine their overall effect on the level of risk to the network's security at XYZ Company. This is normally based on the vulnerabilities' impact to the affected system, the criticality of the system, the likelihood that the vulnerabilities will be exploited, and the effort required to remediate the vulnerabilities. Produce an assessment report that provides a list of prioritized vulnerabilities by level of risk and provides recommended steps to resolve the individual and root causes for the vulnerabilities.

Recommendations

A final report will be compiled with recommendations and possible solution to be implemented at XYZ Company to leverage security and/or defend against breaches.

Reference: NSA & Syngress

Facebook Safety - 1

2007-10-21T23:51:00.000+01:00

I'm very interested with web 2.0. I red a lot of papers about the security challenges and Identity Management or what some call Identity 2.0

But I haven't finished my research yet. What I'm going to do is sharing some of the information which I have. I think this one will be first of coming Facebook security issues which I will try to raise here.

I choose a Facebook for reasons which are:

* Active users: 47 million (as of October 2007)
* Monthly new user average: 4 million
* Daily new user average: 150,000
* Page views: Over 15 billion per month
* Searches: Over 500 million per month
* Search index size: 200GB
* Largest networks: London, UK 1,268,000 and Toronto, Canada 859,000
* Traffic rank: 7th
* Photos: 1.7 billion (which averages to about 44 photos per user)

Also, on March 2, 2007, a poll conducted by eMarketer.com of American youths in the United States discovered Facebook was the most viewed site among all respondents with more females aged 17-25 (69%) visiting the site than males (56%). Try to check this and this also.

The fact here it become important to look at this service from security prospective. Alot of concerns such as Facebook Privacy Policy, Facebook opens profiles to public, Facebook Safety and Facebook Query Language.

My going articles will be just giving an example about security issues in Facebook. We will start by Facebook Safety.

Chris Kelly is Facebook's Chief Privacy Officer. He wrote on Facebook blog two days ago.

But right now, we want to make clear some of the things we are working on to prevent abuse from happening through Facebook. We are automatically moving complaints about nudity or pornography, and harassing or unwelcome contact to the top of our queue for Customer Support to address within 24 hours. We are limiting certain search functionality as it applies to minors. We are making sure that minors know explicitly when they are in contact with someone who is an adult.

Also, he added

As we continue to build out our proactive and reactive systems, we still believe that this is a partnership with you, our users. Practice smart internet safety; get to know our privacy options. Whether you're a minor or an adult, you should learn how to be smart online. No one wants anything bad to happen as a result of something on Facebook; we can all do our parts to make sure it doesn't.

So, I have decided to be smart online and made some google search on how to hack Facebook and I found a lot of links explain how to hack Facebook video application as an example. As facebook claims, the Facebook Video Application does not allow sharing videos outside of Facebook. Users will not be able to export or download videos from Facebook. But, the fact you can bypass this with a piece of cake. Userscripts.org has a very good article on how you could do this,you could check it. I tried it with my self and I downloaded my friends clips and some others. That means if bad guys got these clips he could modify it put some embarrassing things on it and resend to your friends.

That is explain you can't trust what Facebook claims, please watch this presentation.

BC & DR Planning Tips

2007-10-18T19:29:00.000+01:00

What’s the difference between disaster recovery and business continuity planning?

Disaster recovery is the process by which we resume business after a disruptive event. The event might be something huge-like an earthquake or the terrorist attacks on the World Trade Center-or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event.

Business continuity planning suggests a more comprehensive approach to making sure the business can keep making money. Often, the two terms are married under the acronym BC/DR.

What does a disaster recovery and business continuity plan include?

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business.

The critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.

How do I get started?

A good first step is a business impact analysis (BIA). This will identify the business's most crucial systems and processes and the effect an outage would have on the business. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.Here are 10 absolute basics the plan should cover:

1. Develop and practice a contingency plan that includes a succession plan for your senior management.

2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency may not be available.

3. Determine offsite crisis meeting places for top executives.

4. Make sure that all employees-as well as executives-are involved in the exercises.

5. Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

6. Practice crisis communication with employees, customers and the outside world, for example spoken person to the media.

7. Invest in an alternate means of communication in case the phone networks go down.

8. Form partnerships with local emergency response groups such as firefighters and police to establish a good working relationship. Let them become familiar with your company and site.

9. Evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.

10. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

Is it really necessary to disrupt business by testing the plan?

Read this example which gives you an example of a company that thinks walk-through and paper simulations aren't enough. Preparedness test usually the cost effective test for your BC/DR plan.

What kinds of things have companies discovered when testing a plan?

- Some companies have discovered that while they back up their servers or data centers, they've overlooked backup plans for laptops.

- One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don't take up much space.

- The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after.

- USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn't been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?

What are the top mistakes that companies make in disaster recovery?

1. Inadequate planning

2. Failure to bring the business into the planning and testing of your recovery efforts.

3. Failure to gain support from senior-level managers. The largest problems here are:

a. Not demonstrating the level of effort required for full recovery.

b. Not conducting a business impact analysis and addressing all gaps in your recovery model.

c. Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.

d. Not having proper funding that will allow for a minimum of semi-annual testing.

Can we outsource our contingency measures?

Disaster recovery services-offsite data storage, Hot site, Warm , Cold site, mobile site are often outsourced.

The type of offsite determined by recovery point objective (RPO) & recovery time objective (RTO).

How can I sell this business continuity planning to other executives?

The advice is to address the need for disaster recovery through Business Impact Analysis (BIA). Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking."

How do I make sure the plans aren’t overkill for my company?

By implementing Business Impact Analysis (BIA) you could build effecitve and effecient BC/DR plan because the driven factor here is how much the copmany loss in case disaster or intruption of normal business processes. companies have to weigh the risk versus the cost of creating such a contingency plan.

Reference: CSO Online

Cyberwar race

2007-10-15T23:16:00.000+01:00

I wanted many times to write about Cyberspace ware but I didn't have enough time to do this.

Lets review what happened for two months ago. On the BBC I red that the United Nation site hacked from hacktavism group. The speeches of the Secretary-General Ban Ki-Moon has been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

After that I red also on the BBC's site about Estonia attack. It is consider the first Cyberwar.

For month ago I red on FT's site that Chinese military hacked into Pentagon.

Also, the last Black Hat USA 2007 in Las Vegas. The speech of Jim Christy was on Cyber Crime and he asked cooperation between Black Hat community and Governments.

And since 3 days ago the The Air Force Association (AFA) unveiled their report "Victory in Cyberspace".

have you noticed some thing from all of these events?

Yes, It is moving fast and became Hidden ware and that will have a lot of consequence things:

such as, selling security exploits as Wabi-sabi's auction site.

Security researchers/expert once find security vulnerability they prefer to sell it and I red story before I couldn't find its link again,once I get it I will post, for security researcher found IE vulnerabilities in IE and he tried to sell it and he did under condition which is this vulnerability applicable to certain version of MS Windows and IE. He didn't know the buyer but he guessed it is military agency.

He sold it with $80,000 upon his speech academic career will not make him gain this a mount of money.

Challenge-Response authentication isn't enough

2007-08-29T15:43:00.000+01:00

I have a question raised in my mind since I came to UK. Why do banks still use challenge-response authentication as a identification on the phone.

What is Challenge-Response?

challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

When I came to UK I tried to get Bank account and I got Bank account with one of the street banks in UK. But, I found they have a weak authentication system for their e-Banking service,like accept only alpha numeric characters as passcode, and their customer service staff using challenge-response to identify the caller.

Here is how they doing their Identification on the phone:

Customer Service (CS): Hello Sir., may I take your account number please.

Me: It is XXXX-XXXX-XXXX CS: How could I help you Sir? Me: I need ..... Please CS: May I know your surname please? Me: Galal CS: I'd like to go through some security questions with you before I process with your request. Me: Okay CS: What is your date of birth? Me: XX-XX-XXXX CS: what is your post code? Me: XXXX-XXXX CS:What is your house number please? Me:XXXXX CS: May I know what is the last transaction you did from your account,please? Me: I withdrawn £1 pound for 2 days ago. CS: That is enough sir, You have been identified and I will process with your request right now.

As we see, it is completely not enough to identify caller on the phone. Why?

Referring to “Identification & Authentication” blog you will know that identification should be combined with strong authentication process. Also,most of the asked questions could be gathered easily from many sources.

1- Social Engineering with your current employer to gather this information about you. 2- If you applied for voluntary work or any social activity as I did, they have most of these information. 3- from social sites like Facebook and Myspace...etc. 4- Threats raised after attacks on sites like Monster.com or other sites which contains users informations'.

But you may say to me , All of the above doesn't have the information about your last transaction.

Yes, you are right, But it's also could be compromised. How?!!

Well, By using some of social engineering techniques which explained well in “The Art of Deception” by Kevin Mitnick.

Using of challenge-response authenication is simple especially via phone and also easy for end users to have answers for the asked questions but it isn't enough to use it as the only method of identification nowadays.

SELinux & Access Controls - 3

2007-08-25T09:39:00.000+01:00

What is SELinux ?

SELinux was originally developed by the NSA. SELinux is an operating system based on Linux which includes Mandatory Access Control . With SELinux you can define explicit rules about what subjects ( users, programs ) can access which objects ( files, devices ). You could think of it as an internal firewall, which gives you the ability to separate programs and thereby ensuring a high level of security within the operating system. SELinux is implemented as a LSM, and utilises the LSM kernel interface.

So,What is LSM ?

SM ( Linux Security Modules ) is an extension of the Linux kernel which allows security systems to be easily added to the kernel.The LSM homepage is at lsm.immunix.org

Why should I run SELinux?

Because SELinux gives you the ability to secure processes from each other within the system. For example, if you have a web server on the Internet which is also serving Email and DNS then you would not want a vulnerability in the web server process allowing the attacker access to corrupt your DNS server. SELinux is one of the very few practical operating systems available which can provide such a level of protection.

What does SELinux do that others can't ?

In a conventional Unix/Linux system, access control is under the control of the user. The user choses the other users that may access the files that the user owns. SELinux is under the control of the security administrator. This includes the files that the user owns. Even if the user wants a specific other user to have access to a file, if that user is not in a domain containing the other user (ie, both are in the same domain) then the other user still cannot access the file. The difference is in mandatory access vs discretionary access. As far as the system files go, if all are carefully given approprate ACLs, then they can be protected. However, if the root accout is hacked, the files are still vulnerable. If a SELinux system is hacked, unless the hack itself contains an all powerful label/domain, the hack still doesn't have access to all of the files. Only those belonging to the domain of the hacked daemon.

How is SELinux works?

Security like file permissions or user account passwords are Discretionary Access Control (DAC) systems. They are referred to as “discretionary” because every object (files and directories) has an owner, access to objects is based on user identify, and users (the object owner or root) are able to–at their discretion–grant access to other users. In contrast, SELinux is a Mandatory Access Control (MAC) system. Access to objects is controlled by a system-wide policy, regardless of the ownership of any object, enforced by the kernel. Users, including the root user, cannot grant other users access to their objects in violation of the policy. Using a MAC security system requires a different mindset. When people first encounter a permission violation enforced by SELinux, they often try to diagnose the problem by checking the ownership of the file and the read/write/execute permissions on the object. But even if the ownership and permissions are correct, the access is still blocked. The user and file/dir ownership is not the deciding factor with SELinux, the policy is.

Why is this distinction important? Here’s an example. Let’s say that you’re running an http server for a retail web site paired with a mysql database containing customer data (including credit card information). The software that runs the web site has a security vulnerability. If someone breaks into the server, what’s the risk to your system? it’s just the web sever, right? Wrong! Suppose the attacker is able to obtain a root shell. With root on a non-SELinux system, he can access your credit card database. Once the attacker gains access through the web server, the whole system is at risk. If this same system was protected by SELinux, the user might be able to use the vulnerability to break into the web server, but he would be prevented from touching the database or any other parts of the system, even if he got a root shell. SELinux would only allow the http process to communicate with the database through the named pipe. In other words, with SELinux, you don’t trust the application–which may be buggy, insecure, or compromised–to secure itself. You rely on the SELinux policy.

This diagram illustrates the httpd web server example:

Fig 1. httpd web server example

SELinux provides security to a system in a way similar to a ship or submarine’s design. They are divided into multiple water-tight compartments. If the ship springs a leak in any one compartment, only that compartment will fill up with water.

The following diagrams illustrate this difference:

Fig 2. Discretionary and mandatory access control diagrams

Reference:

1- The UnOfficial SELinux FAQ

2- RedHat Magazine – SELinux step-by-step by Dan Walsh

3- NSA – what is new in SELinux

Identification and Authentication

2007-08-20T20:31:00.000+01:00

What is the I&A?

It is the process by which the user provides his claimed identity to the system and the credential needed to authenticate this identity and the system validate both information provided. If the information is correct then the user gain access as legitimate user otherwise he denied getting access.

What are the common vulnerabilities of I&A?

Weak authentication method.
The potential for users (like System Administrators) to bypass the authentication mechanism.
Lack of confidentiality and integrity for the stored authentication information..
Lack of encryption and protection of information transmitted over the network.
User’s lack of the risks associated from sharing his authentication information.

Is I&A different?

Yes, Identification is completely different from Authentication because of the following:

Meaning of each of them is different.
Methods and techniques supporting them is different.
Requirement in terms of secrecy and management of each one is different.
The identity has attributes such as, name, validate date but the authentication doesn’t have attribute.
The identity doesn’t normal change, while authentication tokens bound to secrecy must be regularly changed.

What is the type of I&A?

Logon IDs and Passwords
One Time Passwords, Token Devices
Biometrics

Palm
Hand geometry
Iris
Retina
Fingerprint
Face
Signature recognition
Voice recognition

Reference: ISACA

DNS rebinding

2007-08-17T01:50:00.000+01:00

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption.

What is the hell of this?

It is DNS Princeton or rebinding.

DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. The basis of the attack is rather old. It was described by the Princeton University in 1996.

What is the same-origin policy?

The same origin policy prevents document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

URL	Outcome	Reason
http://store.company.com/dir2/other.html	Success
http://store.company.com/dir/inner/another.html	Success
https://store.company.com/secure.html	Failure	Different protocol
http://store.company.com:81/dir/etc.html	Failure	Failure Different port
http://news.company.com/dir/other.html	Failure	Failure Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html.

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.

What are open network proxies?

Generally, a proxy server allows users within a network group to store and forward internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled. With an "open" proxy, however, any user on the Internet is able to use this forwarding service. By using some open proxies (the so-called "anonymous" open proxies), users can conceal their true IP address from the accessed service, and this is sometimes used to abuse or interrupt that service, potentially violating its terms of service or the law; open proxies are therefore often seen as a problem. It is possible for a computer to be running an open proxy server without knowledge of the computer's owner. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose.

What this attack can do?

Circumvent firewalls to access internal documents and services.
Sending spam and defrauding pay-per-click advertisers.
Obtain the (internal) IP address of the hosting web browser
Port scan the LAN to locate intranet http servers
Fingerprint these http servers using well known URLs
And (sometimes) to exploiting them via CSRF (Cross-site request forgery).

How DNS Rebinding Works

DNS rebinding allows an attacker to completely bypass the same origin policy. It does this by dynamically switching the target IP address for a host name the attacker controls. One scenario might work like this:

You connect to egyptrose.com, which resolves to IP 69.17.8.14 with a very short TTL, 1 or 2 Sec,.
69.17.8.14 delivers some Javascript code to your browser to execute in 15 seconds approximately, but check the reference for accurate time period.
The DNS server in control of *.egyptrose.com immediately points attacker.example.com to 192.168.2.1
15 seconds later, the Javascript on your browser connects to egyptrose.com, in compliance with the same origin policy, and retrieves a web page from your internal server at 192.168.2.1
The DNS server resets egyptrose.com to 69.17.8.14 and after some period of time, your browser reconnects and sends 69.17.8.14 its findings.

Socket in FLASH

FLASH has the Socket class in the new version of FLASH Player ( version 9.0 or higher, ActionScript 3.0 ). --Quoted from the documentation-- The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols. ---- This is really great for the attackers. With Anti-DNS Pinning + Socket, the attackers can... - Scan any IP addresses and any ports in intranets ( and the Internet ). - Make the users browser send shellcodes to any hosts. - Make the users browser send spam emails. - Use the users browser as a proxy ( stepping stone ). - Break any IP address based authentication. - Exploit protocols other than HTTP. ... and maybe more.

. Java Applet Java Applet is relatively secure because the Java VM "pins" DNS by default. Sun's engineers know DNS Spoofing attack. InetAddress Javadoc --Quoted from the documentation-- The positive caching is there to guard against DNS spoofing attacks ... networkaddress.cache.ttl (default: -1) A value of -1 indicates "cache forever". ---- But in some situations( LiveConnect or Using browser with proxy enabled ), Java Applet is vulnerable to the Anti-DNS Pinning attack as well.

Defending Against DNS Rebinding

There have been a number of suggestions made as far as:

· defending your network against this kind of attack, including disabling the Flash plug-in, JavaScript and any other plug-ins.

· using a personal firewall to restrict browser access to ports 80 and 443

· And making sure all your web sites have no default virtual host, but instead require a valid Host header.

· For information about defenses, please read this paper “Protecting Browsers from DNS Rebinding Attacks”

References:

Passing your company security policy

2007-08-04T13:56:00.001+01:00

This is a great article by VAUHINI VARA. He highlighted a very important problem and the weakest link in the IT Security which is the human behavior. The company start to build its security policy and security controls but employees always looking for bypassing these policies. Also this video from Mark Lobel of PricewaterhouseCoopers describes the most common things employees do on the internet to jeopardize company security.

How to send giant files?

Use online services such as YouSendIt Inc., SendThisFile Inc. and Carson Systems Ltd.'s DropSend, which let you send large files.

How to use software the your company won’t let you download?

There are two easy ways around this: finding Web-based alternatives or bringing in the software on an outside device..

The first is easier. Say your company won't let you download the popular AOL Instant Messenger program, from Time Warner Inc.'s AOL unit. You can still instant-message with colleagues and friends using a Web-based version of the service called AIM Express (AIM.com/aimexpress.adp).

The other approach to this problem is more involved but gives you access to actual software programs on your computer. There is a company called Rare Ideas LLC (RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download the software onto a portable device like an iPod or a USB stick, through a service called Portable Apps (PortableApps.com). Then hook the device up to your work computer, and you're ready to go. (But if your company blocks you from using external devices, you're out of luck.)

How to visit websites your company blocks?

By using proxy web sites -- so you can see the site without actually visiting it. Proxy.org, for one, features a list of more than 4,000 proxies. Another way to use Google's translation service, asking it to do an English-to-English translation.

How to clear your tracks on your work Laptop?

How to search for your work documents from home?

First, you'll need to set up a Google account on both machines by visiting Google.com/accounts. (Be sure to use the same account on both computers.) Then go to Desktop.Google.com to download the search software. When it's up and running -- again, do this on both machines -- click on Desktop Preferences, then Google Account Features. From there, check the box next to Search Across Computers. After that point, any document you open on either machine will be copied to Google's servers -- and will be searchable from either machine.

How to store work files online?

Use an online-storage service from the likes of Box.net Inc., Streamload Inc. or AOL-owned Xdrive. (Box.net also offers its service inside the social-networking site Facebook.). Another guerrilla storage solution is to email files to your private, Web-based email account, such as Gmail or Hotmail.

How to keep your privacy when using webemail?

When checking email, add an "s" to the end of the "http" in front of your email provider's Web address -- for instance, https://www.Gmail.com. This throws you into a secure session, so that nobody can track your email. Not all Web services may support this, however.

To encrypt IM conversations, meanwhile, try the IM service Trillian from Cerulean Studios LLC, which lets you connect to AOL Instant Messenger, Yahoo Messenger and others -- and lets you encrypt your IM conversations so that they can't be read.

How to access your work email remotely when your company won’t spring for a Blackberry?

In Microsoft Outlook, you can do this by right-clicking on any email, choosing Create Rule, and asking that all your email be forwarded to another address. Then, set up your hand-held to receive your personal email, by following instructions from the service provider for your hand-held.

How to access your personal email on your Blackberry?

How to look like you are working?

Hit Alt-Tab to quickly minimize one window and maximize another.

Reference: The Wall Street Journal

Public Wi-Fi hot spots

2007-08-04T12:20:00.000+01:00

Most of us nowadays can get internet access while we are in the Airport or in Cafee shop. thanks for the Wi Fi for this great feature and cheap also. But who care about security threats by using this service. In 2001 I started to think about this issue asked my self how to secure users activities while they using public Wi-Fi hot spot. I suggested using Enterprise authentication system and I made a master degree in this topic and my thesis title is "Wireless Enterprise Authentication System using Kerberos & LDAP".

In the last Black Hat event in Las Vegas. One of the co-founder of errata security announce for a tool that could sniff data while user using public Wi-Fi, This tool called FERRET.

What FERRET –Data seepage monitor- is it?

sniffs more than just passwords.
sniffs legitimate operations rather than intrusions.
Sniffs Protocols: DHCP, SNMP, DNS, HTTP, AIM, MSN-MSGR, Yahoo IM, …
Allows you to browse the data easier by using Ferret Viewer.

He used what he called Data seepage and his definition it is Information that is broadcast or available via simple inquiry or spoofing that may not by itself seem critical but become more important as pieces of a larger puzzle. He has a wonderful presentation which explain with a demo how by using this concept you can get access to users' personal information. Reference: Errata Security

Fake Caller ID

2007-07-30T04:18:00.000+01:00

How to authenticate the caller and how to make sure he is the legitimate person who we know?

SpoofCard allows you to make calls and display any number on the caller ID and change your voice also to be male or female in the real time of the conversation and record your call.

Wow…

It is really amazing. Imagine you could call any one and change your called ID to any numbers you like and your voice also. I can’t understand how this service is legal, Legal !!, Yep..

So, how could you protect yourself from this hack?

Well, I don’t know. Really it is very hard. The only advice here is never ever give personal information on the phone,like your credit number,.

I imagine if some one used me number and my voice also to make fake calls and illegal activities and at the end I’m who will charge.

The question here. How could we differentiate between real numbers and fake one?

As I know the mobile application will retrieve the name of the number appears on the screen from the address book because it use index to refer to name the number.

For example:

Number: 0102655411

Index: 1

Name: Ayman M. Galal

Number: 0100000000

Index:2

Name: Teto Feto

So, when some one call you and the number your mobile received is: 0102655411. It searchs the address book for any match number and it will retrieve the name of Index =1

A lot of threats from this service which already appears. Some banks lost a lot of money because some hackers used the services and made calls to the bank customers' and obtain their credit card and private information with a peace of cake.

It is like old days for open relay on the mail systems. Their should be connection between the number appears on the screen and the caller SIM card.

Reference: SpoofCard

Honeytokens

2007-07-30T02:42:00.000+01:00

It is like the Honeypots with a distinguished difference which is no need to the computer. A honeytoken can be a credit card number, Excel spreadsheet, PowerPoint presentation, a database entry, or even a bogus login.

The concept of honeytokens is not new. In Cliff Stoll's book "The Cuckoo's Egg," he explains how he traps the German attacker. A honeytoken is just like a honeypot, you put it out there and no one should interact with it. Any interaction with a honeytoken most likely represents unauthorized or malicious activity.

How do you detect the unauthorized access to a database when that database has thousands of records, with hundreds of authorized users? Maintaining who is authorized to what can be complex, with false positives becoming a huge problem. Honeytokens can be used to solve and simplify this problem.

By simply you insert bogus information like credit card number in your Database for example and monitor if some one access this number which he shouldn’t it gives you indication that you have an intruder and more attention should be taken.

It is advisable to be used with the current existing Information Security tools. Also, it could good tools to catch misbehavior from the internal employees. For example, we could plant honeytokens in senior management's email. The plan being, an internal employee may be reading management's email to gain access to privileged information. To track such unauthorized activity we create a bogus email, or honeytoken, and plant that in management's email. The email could look like this:

To: Chief Financial Officer

From: Security help desk

Subject: Access to financial database

Sir,

We have updated your access to the company's financial records. Your new login and password to the system can be found below. If you need any help or assistance, do not hesitate to contact us.

https://finances.ourcompany.com

login:ayman.galal

password: AyMaN@GaLaL

Security Help Desk

If an attacker is cruising through emails and comes across this, he most likely will attempt to access the financial server thinking he could retrieve highly confidential information. The web site of ‘finances.ourcompany.com’ is really a honeypot watching the network for unauthorized activity. The moment someone try to access this site he actually accessing your honeypot server. Once he starts to use the login in the email you have just sent. You know you have someone reading senior management's email. The moment such a connection happens; you immediately initiate a trace back to identify the attacker’s computer.

Reference: Security Focus

The IT Audit Process

2007-07-22T23:50:00.000+01:00

Before we start talking about IT Auditing we need to clarify some information about types of the internal controls and implementation types.

Types of Internal Controls:

Preventive Control
Detective Control
Corrective Control (Reactive Control)

Type of implementation of Internal Control:

Administrative implementation
Technical Implementation
Physical Implementation

We need to answer these questions: what to Audit? , what type of Audit? And how to implement it?

What to audit?

This point is very important because it will determine the consequence steps in your audit process.

What is the type of audit?

The type of Audit:

Centralized IT functions
Decentralized IT functions
Business applications
Regulatory compliance

After determine what to audit and the type of the audit you need to rank our audits, which one is most important, frequency for doing it and the rotation of our audits.

How to implement it?

The IT Audit stages consist of:

Planning, the goal here is to determine the objectives and the audit scope. We could determine that by using

Hand-off from the audit manager
Preliminary survey
Customer requests
Standard checklists
Research

Fieldwork and documentation, it is very important to document all your process and look for ways to independently validate the information given and the effectiveness of the controls.

Issue discovery and validation, you should discuss your findings with them the customer before raise or report it. That makes your findings more accurate and effective.

Solution development,

The recommendation approach (risky approach)
The management-response approach (fighting approach )
The solution approach (recommended one because the customer get involved on it)

Report drafting and issuance, it should includes

o Statement of the audit scope

o Executive summary

o List of issues, along with action plans for resolving them

Issue tracking

Reference:

McGraw-Hill, IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller and Kevin Wheeler

Cyber Insurance in Information Security

2007-07-21T22:03:00.000+01:00

To be honest once I saw the title of this article I ignored in the beginning but I got surprised when I tried to look in the figures represented in the article. The annual gross premium revenue for cyber insurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006 (The Reference). The author of the article claims by expanding the market the Insurance companies could drive the Information Security industry and make it more sustainable and controlled. I followed one of his reference which is “Computer Security: It’s the Economics, Stupid,” by B. Schneier.

Mr. Schneier explained well some facts regard the investment in information security from software vendors and private sector. He said:

“most organizations don’t spend a lot of money on network security. Why? Because the costs are significant: time, expense, reduced functionality, frustrated end users. On the other hand, the costs of ignoring security and getting hacked are small: the possibility of bad press and angry customers, maybe some network downtime, none of which is permanent. And there’s some regulatory pressure, from audits or lawsuits, that add additional costs. The result: a smart organization does what everyone else does, and no more.”

And he added also:

“The same economic reasoning explains why software vendors don’t spend a lot of effort securing their products. The costs of adding good security are significant—large expenses, reduced functionality, delayed product releases, annoyed users—while the costs of ignoring security are minor: occasional bad press, and maybe some users switching to competitors’ products. Any smart software vendor will talk big about security, but do as little as possible. “

Mr. Schneier said a very good statement that is

“Network security is a business problem, and the only way to fix it is to concentrate on the business motivations. We need to change the costs; security needs to affect an organization’s bottom line in an obvious way. In order to improve computer security, the CEO must care.”

He is absolutely right. I consider Information Security should be business enabler and be aligned with the organization business objectives and the business strategic. But because his paper is very old since 2002 in Workshop on the Economics of Information Security (WEIS). Nowadays the new regulation targeting the liability as he suggested in his paper. Also, COBIT 4.1 or ITIL v3 all of these frame work have the same objective which is the Information Security should be aligned with over all organization business objectives and strategy.

Reference: IEEE Security & Privacy magazine, (Vol. 5, No. 3)

SELinux & Access Controls - 2

2007-07-21T15:18:00.001+01:00

A role is chiefly a semantic construct forming the basis of access control policy. With RBAC, system administrators create roles according to the job functions performed in a company or organization, grant permissions (access authorization) to those roles, and then assign users to the roles on the basis of their specific job responsibilities and qualifications. which means you could you reflect your organisation structure to Roles. For example, an operator role might access all computer resources but not change access permissions; a security-officer role might change permissions but have no access to resources; and an auditor role might access only audit trails.

The standard “ANSI/INCITS 359-2004” consist of two parts:

Reference Model

Functional Specification of the model components

The reference models are:

Core RBAC defines a minimum collection of RBAC elements, element sets, and relations in order to completely achieve a Role-Based Access Control system. This includes user-role assignment and permission-role assignment relations, considered fundamental in any RBAC system. In addition Core RBAC introduces the concept of role activation as part of a user’s session within a computer system. Core RBAC is required in any RBAC system, but the other components are independent of each other and may be implemented separately.
Hierarchical RBAC adds relations for supporting role hierarchies. Hierarchical RBAC goes beyond simple user and permission role assignment by introducing the concept of a role’s set of authorized users and authorized permissions.
Static Separation of Duty Relations adds relations among roles with respect to user assignments. Because of the potential for inconsistencies with respect to static separation of duty relations and inheritance relations of a role hierarchy, the SSD relations model component defines relations in both the presence and absence of role hierarchies.
The fourth model component, Dynamic Separation of Duty Relations, defines relations with respect to roles activated as part of a user’s session.

RBAC verses MAC & DAC:

Some says it is adjunct of them and some says it replacement of them.

RBAC & Groups:

When we create groups in Microsoft Windows 2000 for example, we could easily add users to these groups. So, we consider the groups as collection of users. Also, as when assign permission we grant it to groups or individual users. But we face a big challenge when we need to specify where exactly certain group have been granted permissions but if we use RBAC it will be extremely easy task. As we mentioned before Role is a collection of users and permissions so determine which user and permission granted specified role become easier task across the enterprise. Also, Role consider as a policy component which regardless the implementation will have the same rule set. But, on the other hand group as implementation specified.

RBAC & Access Control List (ACL):

In ACL the access rights of the object is stored with in the object itself, which made weakness in the access control system and complicate the access management. Suppose you granted access rights to some individual uses and groups, and these access rights stored with the object, and later on you revoked these rights from group. You may find the security assurance here become difficult to achieve especially when your systems getting bigger and bigger because you may left some individual users have access rights.

References:

Information Security & ROI debate

2007-07-18T00:27:00.001+01:00

I red for three days ago what Richard Bejtlich wrote on his blog. Before this blog I refused his idea and put my reply with a little bit explanation. But, really I became confused. Richard said it is wealth saving instead of wealth return. But, What is the difference as long as this will keep your initial investment and your revenue secure. I mean you may earn £500 by investing £1000 but you could lose this revenue if you didn't secure it. The other point is Information Technology as a whole increase the ROI by reducing(saving) the operations cost. I may agree on the regulation certifications' aren't ROSI because it mandatory by LAW and we should consider it in the operation cost.

Now, Where is what I got. Kenneth F. Belva sent Dr. Lawrence Gordon and Dr. Martin Loeb asking their opinion and here what they sent to him: ' Dear Ken:

Thanks for your e-mail message concerning the question: Does Information Security have an ROI? It is important to realize that there is a very large body of academic and practitioner oriented literature in accounting and economics (going back to at least the early 1900s) that addresses the more fundamental issues of:

(1) ROI vs. a real economic rate of return (usually called the IRR), and (2) maximizing the ROI (or IRR) is, in general, not an appropriate economic objective.

The above noted, it is conceptually possible to compute the ROI for information security investments, but there are significant measurement problems with such a metric. Accordingly, those who argue that you can compute an ROI for information security investments are technically correct. However, those who argue that an ROI for information security investments has significant measurement problems and therefore should not be computed, certainly raise a valid concern.

Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper,goto (http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm).

Sincerely, Larry ' I think this answer will close this debate.

SELinux & Access Controls - 1

2007-07-17T23:09:00.000+01:00

There are two types of Access Control which are:

Discretionary Access Control (DAC)

In the DAC systems every object in the system has an owner who initially created the object. The access policy for the object is determined by its owner. The owner decides who is allowed access to the object and what privileges they have.

MAC - Mandatory Access Control

In this access control type the policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.

The Access Control Models which could be used are :

Lattice Models
Bell-LaPadula Model
Biba Model
Take-Grant Model
Clark-Wilson Model

Well, what is the objective from this talking. It is introductory to SELinux (RBAC) . Today I faced a big problem when I tried to load module in the kernel and when I rebooted the machine it didn't start-up. I solved the problem by disabling SELinux from the kernel and the machine started up again. So, decided to understand SELinux well. I used to work with it with the default setting and policy but today I found it is very important to understand it more and give it more attention. I collected good materials and I hope within this week I could put what I got in a simple way in this blog.

Reference: Wikipedia

Long-Term Archive and Notary Services (ltans)

2007-07-15T22:59:00.000+01:00

Description of Working Group:

In many scenarios, users need to be able to ensure and prove the existence and validity of data, especially digitally signed data, in a common and reproducible way over a long and possibly undetermined period of time.

Cryptographic means are useful, but they do not provide the whole solution. For example, digital signatures (generated with a particular key size) might become weak over time due to improved computational capabilities, new cryptanalytic attacks might "break" a digital signature algorithm, public key certificates might be revoked or expire, and so on. Complementary methods covering potential weaknesses are necessary.

Long-term non-repudiation of digitally signed data is an important aspect of PKI-related standards. Standard mechanisms are needed to handle routine events, such as expiry of signer's public key certificate and expiry of trusted time stamp authority certificate. A single timestamp is not sufficient for this purpose. Additionally, the reliable preservation of content across change of formats, application of electronic notarizations, and subsequent notary services require
standard solutions.

The objective of the LTANS working group is to define requirements, data structures and protocols for the secure usage of the necessary archive and notary services. First, the requirements for the long-term archive will be collected. Based on that information we will develop a protocol to access archive services supplying long-term non-repudiation for signed documents and define common data structures and formats. Upon completion of the archive-related specifications, we will address 'notary services' in a similar way. The term 'notary services' is not clearly defined. The working group will determine which functions need standards, including transformation of documents from one format to another without losing the value of evidence, electronic notarization,and further verification of legal validity of signed documents. We will determine the needs via the requirements paper and act upon the results accordingly. Work done by the IETF Working Groups PKIX, S/MIME and XMLDSIG will be used as the basis to define those structures and protocols. For example, the Internet-Drafts "Archive Time-Stamps Syntax (ATS)" and "Trusted Archive Protocol (TAP)" and RFC 3029, "Data Validation and Certificate Server Protocols (DVCS)", contain applicable concepts.

Long-term Archive Protocol (LTAP)