Friday, 17 April 2009

Digital Rights Management, is it worth it?

I remember when I was in Egypt and advised my ex-employer to add a DRM product, LockLizard, to our security products portfolio. I remember my reasons behind this at the time. At that time the content providers in Egypt were giving access to users who accessed the internet through their dial-up number, and they didn’t have any kind of control over content distribution afterwards. I thought that by having a DRM product we could give Egyptian content providers a proper solution that could control content distribution and increase customer volume, which, as I thought, would increase their profit and growth. There would be no need any more to restrict access to an internet dial-up number. You can imagine how annoying it is from the end-user perspective to switch between internet dial-up numbers to get access to the needed content. By chance, I was reading “Ongoing Innovation in Digital Watermarking” and “How Viable Is Digital Rights Management?” in IEEE Computer magazine. The two articles are great and show the history and current trends in Digital Rights Management and why some companies, like Amazon, Sony BMG and the iTunes store, move to naked digital rights management, as Rajan Samtani called it.

So, why are movie producers still fighting piracy?
I thought, like most of you, that it is because they are losing money and it threatens the filmmaking industry, as mentioned in the Washington Post; this article on helium.com and others went further by saying it is used for fund raising for drug dealing and terrorist groups.

Is it worth keeping up this fight?
Let’s look at it from a business point of view. Based on product life-cycle theory, profit is achieved at the beginning of a product’s life for a period of time until the market is saturated; after that the profit starts to decline, as shown in this diagram. That means declining profit is the norm in globalised business in the 21st century. I’m pretty sure filmmakers know that better than me.

Today the Pirate Bay founders were sent to jail for supporting file-sharing and allowing users to download music files and movies for free. I’m not supporting illegal file-sharing. But I don’t understand why they still keep fighting piracy; I don’t think it is worth the effort any more. They need to change the current business model to keep growth and profit going.

References: Watermarking Systems Engineering; Good Copy Bad Copy

Saturday, 24 May 2008

Security Lessons Learned from Société Générale

In January 2008 there was an incident in which the bank Société Générale lost approximately €4.9 billion closing out positions over three days of trading beginning January 21, 2008, a period in which the market was experiencing a large drop in equity indices. The bank states these positions were fraudulent transactions created by Jérôme Kerviel, a trader with the company. The police stated they lacked evidence to charge him with fraud and charged him with abuse of confidence and illegal access to computers. Kerviel states his actions were known to his superiors and that the losses were caused by panic-selling by the bank.

Jérôme Kerviel combined several fraudulent methods to avoid the controls in place [3]:

  • firstly, he ensured that the characteristics of the fictitious operations limited the chances of a control: for example he chose very specific operations with no cash movements or margin call and which did not require immediate confirmation;
  • he misappropriated the IT access codes belonging to operators in order to cancel certain operations;
  • he falsified documents allowing him to justify the entry of fictitious operations;
  • he ensured that the fictitious operations involved a different financial instrument to the one he had just cancelled, in order to increase his chances of not being controlled.

How the fraud was uncovered:

Friday January 18th

  • Abnormal counterparty risk on a broker is detected several days earlier. The explanations provided by the trader result in additional controls.
  • On January 18th, the trader’s superiors are informed and in turn they alert the management of the division.
  • In the afternoon of January 18th, it appears that the counterparty for the recorded operations is in fact a large bank, but the confirmation e-mail raises suspicions.
  • A team is immediately created to start investigating the situation.

Saturday January 19th

  • Management cannot obtain a clear explanation from the trader.
  • The large bank in question does not recognise the operations.
  • The trader finally acknowledges committing unauthorised acts and, in particular, creating fictitious operations.
  • The investigation team starts piecing together his real position.

How the global economy was potentially impacted:

On January 21, 2008, European stock markets suffered heavy losses of about 6%. The sharp fall, which was followed by an emergency cut in the federal funds rate by the United States Federal Reserve on the following Tuesday (US markets were closed on the Monday for Martin Luther King Jr Day), came as Société Générale tried to close out positions built up by Kerviel.

This has led to speculation that stock market turbulence caused the Federal Reserve Board to cut the rate. A Federal Reserve spokesperson denied the central bank knew of Société Générale's situation when it made its decision.

It is estimated that over the period the total trading in futures and the cash market for the Euro Stoxx 50 was €544 billion. This would make the unwinding of Kerviel’s position account for five per cent or less of overall activity. Société Générale's investment banking chief, Jean-Pierre Mustier, acknowledged that the three days of forced selling played a role in the market's overall decline, but characterized that impact as "minimal".[2]

Jeremy Epstein wrote a good article in IEEE Security & Privacy magazine [1] about the security lessons learned from the Société Générale fraud by Jérôme Kerviel.

Jeremy highlighted security lessons that we should learn from this fraud. Some of them are as follows:

  1. Low tech attacks are easier
  2. Logs are only useful if they’re examined

"Societe Generale has taken several steps to tighten controls following an internal report into what went wrong in the Kerviel case. The report noted 74 red flags raised on Kerviel's trades that failed to sound the alarm — he was spotted only on the 75th." [4]

  3. Don’t rely on secrecy for security
  4. We’re looking at the wrong things
  5. Rights revocation must be tied to role assignments
  6. Social engineering is a threat
  7. Don’t believe everything you read

“Kerviel apparently used his experience working in Société Générale's compliance department to exploit both human and technological weaknesses. He crafted fake e-mails detailing order requests from supposed clients” [5]

  8. Cutting staffing costs can backfire
  9. Features without assurance are ineffective

"The bank says Kerviel faked hedging transactions across a range of financial instruments. They weren't spotted because Societe Generale's back office controllers monitored the trading of individual products separately." [4]

  10. Insider attacks (usually) have motivation
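Two of the lessons above are about monitoring: logs are only useful if they are examined, and controllers who each watch one product never see a trader's whole picture. The following Python is an added example written for this post, not code from the article, the bank or the cited reports. It parses a constructed back-office alert log and evaluates it twice: once the way separate product desks would (per product, per trader) and once correlated per trader across all products inside a time window. Trader ids, desk names, alert types, the window and the thresholds are all assumptions made for the illustration.

```python
"""Cross-product correlation of back-office control alerts per trader.

Added illustration: the same alert log is examined per product desk (the
siloed view) and per trader across desks (the correlated view). Every
identifier, alert line and threshold below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert log: timestamp, trader id, product desk, alert type.
ALERT_LOG = """\
2008-01-07T09:12:00 T0123 DAX_FUTURES MISSING_CONFIRMATION
2008-01-08T10:03:00 T0123 EUROSTOXX_FUTURES CANCELLED_BEFORE_SETTLEMENT
2008-01-09T14:45:00 T0456 DAX_FUTURES MISSING_CONFIRMATION
2008-01-10T11:20:00 T0123 FORWARDS COUNTERPARTY_MISMATCH
2008-01-14T16:05:00 T0123 DAX_FUTURES CANCELLED_BEFORE_SETTLEMENT
2008-01-15T09:30:00 T0123 OPTIONS MISSING_CONFIRMATION
"""

# Assumed escalation rules: a desk (or the correlated view) escalates when
# one trader trips this many alerts inside the window.
PER_PRODUCT_THRESHOLD = 3
CROSS_PRODUCT_THRESHOLD = 3
WINDOW = timedelta(days=14)


def parse_alerts(text):
    """Parse log lines into sorted (timestamp, trader, product, alert_type) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trader, product, kind = line.split()
        alerts.append((datetime.fromisoformat(ts), trader, product, kind))
    return sorted(alerts)


def windowed_max(timestamps, window):
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best = 0
    start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_product_escalations(alerts, threshold=PER_PRODUCT_THRESHOLD, window=WINDOW):
    """Siloed view: each product desk counts only its own alerts for a trader.

    Returns sorted (product, trader) pairs that would be escalated.
    """
    by_key = defaultdict(list)
    for ts, trader, product, _ in alerts:
        by_key[(product, trader)].append(ts)
    return sorted(key for key, stamps in by_key.items()
                  if windowed_max(stamps, window) >= threshold)


def cross_product_escalations(alerts, threshold=CROSS_PRODUCT_THRESHOLD, window=WINDOW):
    """Correlated view: alerts are counted per trader regardless of product.

    Returns sorted trader ids that would be escalated.
    """
    by_trader = defaultdict(list)
    for ts, trader, _, _ in alerts:
        by_trader[trader].append(ts)
    return sorted(trader for trader, stamps in by_trader.items()
                  if windowed_max(stamps, window) >= threshold)


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_LOG)
    # The siloed view escalates nobody: no single desk sees three alerts for
    # one trader. The correlated view escalates T0123, who tripped five
    # alerts across four desks in eight days.
    print("per-product escalations  :", per_product_escalations(parsed))
    print("cross-product escalations:", cross_product_escalations(parsed))
```

With the constructed log, the siloed view returns an empty list while the correlated view returns T0123. The design point is that the raw data needed for detection was present in every desk's log; only the place where it was aggregated changed.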

References:

1. IEEE Security & Privacy

2. Wikipedia

3. Société Générale

4. New York Times

5. BusinessWeek

Sunday, 17 February 2008

Information classification

It is a very important topic and needs some attention, as it is part of your information security management programme/framework. Initially, when I started to identify the security controls required for each piece of information, I found it was a subjective rather than an objective opinion. I started to read more about the matter and found that we need to have an information security classification scheme in place, which will help a great deal in making the judgement objective.

Information classification is the conscious decision to assign a level of sensitivity to information as it is being created, amended, enhanced, stored, or transmitted. The classification of the information should then determine the extent to which the information needs to be controlled / secured and is also indicative of its value in terms of Business Assets.

Maybe we need to know why we need to classify information. Information classification helps us to know the needed security controls and processes; protecting low-value information or public documents isn’t like protecting confidential information.


Information classification challenges:

1- Difficulty in establishing a practical information classification scheme.

2- Lack of guidance and best practice for communicating the required level of confidentiality and integrity.

3- Difficulty in identifying security controls for classified information.

4- Lack of understanding of how to run an information classification programme.


What we need to do:

1- Develop an information classification scheme.

2- Communicate the information classification scheme.

3- Build a security control matrix based on the information classification scheme.

4- Measure the information classification scheme’s effectiveness and efficiency.


First we need some sort of information classification scheme; currently I have the following classification, as suggested by the ISF survey:


Public, Internal, Restricted and Secret

But which factors can we use to determine the accurate information classification?

  • Level of confidentiality.
  • Legal & regulatory requirements.
  • Changes to the content over time.

Second, start to put this classification model into use by putting a label on each document that shows its classification level, build an information classification awareness programme and make sure that SLAs contain information classification responsibilities and accountabilities.

Third, start to build a security control matrix for each stage of the information’s life, such as creation, processing, transmission, storage and disposal.
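The three steps above (a four-level scheme, a classification driven by the three factors, and a control matrix per lifecycle stage) can be expressed as a small policy check. The following Python is an added example written for this post, not code from the post, the ISF or any cited reference. The four levels and five stages are the ones named above; the weighting of the factors, the control names in the matrix, the review periods and the sample document events are assumptions made for the illustration.

```python
"""Information classification scheme with a lifecycle control matrix.

Added example: derives a level from the three factors named in the post
(confidentiality, legal/regulatory requirement, change over time), then
audits how a document is handled at each lifecycle stage against a control
matrix. Factor weighting, control names and sample events are assumed.
"""
from dataclasses import dataclass

LEVELS = ["Public", "Internal", "Restricted", "Secret"]
STAGES = ["creation", "processing", "transmission", "storage", "disposal"]

# Assumed control matrix: minimum controls per level and lifecycle stage.
# Every cell is spelled out so that a gap in the matrix is visible as a gap.
CONTROL_MATRIX = {
    "Public": {
        "creation": set(), "processing": set(), "transmission": set(),
        "storage": set(), "disposal": set(),
    },
    "Internal": {
        "creation": {"label"},
        "processing": {"authenticated_user"},
        "transmission": set(),
        "storage": {"access_control"},
        "disposal": set(),
    },
    "Restricted": {
        "creation": {"label", "owner_assigned"},
        "processing": {"authenticated_user", "need_to_know"},
        "transmission": {"encrypted_channel"},
        "storage": {"access_control", "encrypted_at_rest"},
        "disposal": {"secure_delete"},
    },
    "Secret": {
        "creation": {"label", "owner_assigned"},
        "processing": {"authenticated_user", "need_to_know", "audit_log"},
        "transmission": {"encrypted_channel", "recipient_verified"},
        "storage": {"access_control", "encrypted_at_rest", "audit_log"},
        "disposal": {"secure_delete", "destruction_certificate"},
    },
}


def classify(confidentiality, legal_requirement, volatile):
    """Derive (level, review_after_days) from the post's three factors.

    confidentiality: 0 (no harm if disclosed) .. 3 (severe harm); maps
        directly onto LEVELS (assumed weighting).
    legal_requirement: regulated content is at least Restricted (assumed).
    volatile: content that changes over time gets a shorter review period
        so the label is re-checked instead of staying wrong (assumed 90/365 days).
    """
    if confidentiality not in range(len(LEVELS)):
        raise ValueError("confidentiality must be 0..3")
    index = confidentiality
    if legal_requirement:
        index = max(index, LEVELS.index("Restricted"))
    review_after_days = 90 if volatile else 365
    return LEVELS[index], review_after_days


@dataclass
class HandlingEvent:
    """One observed handling of a document: the stage and controls actually applied."""
    stage: str
    controls_applied: set


def missing_controls(level, event):
    """Controls the matrix requires for this level and stage that the event lacks."""
    if level not in CONTROL_MATRIX:
        raise ValueError(f"unknown level {level!r}")
    if event.stage not in STAGES:
        raise ValueError(f"unknown stage {event.stage!r}")
    return sorted(CONTROL_MATRIX[level][event.stage] - event.controls_applied)


def audit(level, events):
    """Map each non-compliant stage to its missing controls; empty dict means compliant."""
    findings = {}
    for event in events:
        gap = missing_controls(level, event)
        if gap:
            findings[event.stage] = gap
    return findings


if __name__ == "__main__":
    # Constructed sample: a customer contract (regulated, moderately sensitive,
    # stable content) that was labelled correctly, e-mailed without encryption
    # and stored on an access-controlled but unencrypted share.
    level, review_days = classify(confidentiality=2, legal_requirement=True, volatile=False)
    events = [
        HandlingEvent("creation", {"label", "owner_assigned"}),
        HandlingEvent("transmission", set()),
        HandlingEvent("storage", {"access_control"}),
    ]
    print(level, "review in", review_days, "days")
    print(audit(level, events))
```

The sample document classifies as Restricted and the audit reports two gaps: the transmission lacked an encrypted channel and the storage lacked encryption at rest. The matrix is where the "which controls for which level" decision is written down once, which is what turns the per-document judgement from subjective to objective.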

References:

1) Information Security Forum

2) Employee's Guide to Security Responsibilities

3) Security Education, Awareness, and Training from Theory to Practice, by C A Roper, Joseph J.

Wednesday, 23 January 2008

Information Security strategy

Let’s first define what Information Security strategy is:

Information Security Strategy is a plan of actions that takes the information security function from mission to vision.

The information security function is seen as fire-fighting and an overhead cost, so there is a need to change this image and the information security profile in the organisation.

Building an information security strategy is very important to the business for the following reasons:

  • Optimising resources and prioritising tasks for the information security function.
  • Risk management in the organisation becomes more effective.
  • Improved communication with the organisation’s executives, as strategy is their common language.
  • Raising the information security profile in the organisation.

When we start to build our information security strategy we should keep the following in mind:

  • The information security strategy should align with and contribute to achieving the organisational strategy.
  • An information security strategy has three distinct aspects (supporting the business, defending against threats and raising the profile of the information security function).
  • Standard strategy tools and techniques (such as value chain analysis, risk analysis and strategic mapping) can be used to build it.


Reference:
ISF & IsecT dotcom

Tuesday, 25 December 2007

Performance Measurement for Information Security

Although measuring information security performance is required by law in the USA, by acts such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA) and the Federal Information Security Management Act (FISMA), I do believe that the driving factor for anything is the business need or monetary value.

What do we need to measure for Information Security?

NIST specified three measure types which are:

  1. Execution of security policy.
  2. Effectiveness/efficiency of security services delivery.
  3. Impact of security events.

Performance Measurement for Information Security Challenges:

  • Inconsistent processes: when you try this kind of measurement you will find it a challenge to specify the performance targets to measure.
  • Identifying the goals and objectives of performance management. The best starting point is the business/stakeholder interest.
  • Establishing performance targets. Setting performance targets for effectiveness/efficiency and impact measures is more complex because there isn’t a specific level of performance to aim for.

What do we need to implement this Performance Measurement?

  1. Collect data.
  2. Analyse the collected data.
  3. Identify corrective actions.
  4. Develop a business case.
  5. Apply corrective actions.

By building Performance Measurement for Information Security we facilitate decision making and improve effectiveness/efficiency of information security service delivery.

Reference: NIST & ISF “Security Health Check Project”

Sunday, 16 December 2007

Critical Information Infrastructure Protection (CIIP)

At the ISNR 2007 Conference, 3rd-5th December in London, they talked about CIP challenges.

Definition of Critical Infrastructure:

Critical infrastructure is a term used by governments to describe material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:

  1. Emergency services
  2. Energy
  3. Finance
  4. Food
  5. Government & public services
  6. Health
  7. Public Safety
  8. Telecommunications
  9. Transportation systems
  10. Water

In other words, critical infrastructure refers to those assets, systems, and functions so vital to the nation that their disruption or destruction would have a debilitating effect on our national security, economy, governance, public health and safety, and morale.

Let’s try to figure out from the above definition what our Critical Information Infrastructure is. You will find it depends on your business; for example, critical infrastructure for supply chains/logistics is different, but the common element will be network communication.

So,

What is Critical-infrastructure Protection (CIP)?

It is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.

Critical infrastructure and information security have similar requirements, particularly in the area of availability. Let’s take the USA CIP model to learn how to build a Critical Information Infrastructure Protection (CIIP) model similar to it. From Wikipedia, let’s have a look at the US CIP life cycle, which consists of six phases as follows:

  • Analysis and Assessment (occurs before an event) - The Analysis and Assessment phase is the foundation and most important phase of the CIP life cycle. This phase identifies the assets absolutely critical to mission success and determines the assets’ vulnerabilities, as well as their interdependencies, configurations, and characteristics. An assessment is then made of the operational impact of infrastructure loss or degradation.
  • Remediation (occurs before an event) - The Remediation phase involves precautionary measures and actions taken before an event occurs to fix the known cyber and physical vulnerabilities that could cause an outage or compromise a National Defence Infrastructure, or NDI, or critical asset. For example, remediation actions may include education and awareness, operational process or procedural changes or system configuration and component changes.
  • Indications and Warnings (occurs before and/or during an event) - The Indications and Warnings phase involves daily sector monitoring to assess the mission assurance capabilities of critical infrastructure assets and to determine if there are event indications to report. Indications are preparatory actions that indicate whether an infrastructure event is likely to occur or is planned. Indications are based on input at the tactical, operational, theater, and strategic level. At the tactical level, input comes from asset owners. At the operational level, input comes from the NDI sectors. At the theater level input comes from regional assets such as allied intelligence, NATO, command intelligence, allied governments, and coalition forces. At the strategic level, input comes from intelligence, law-enforcement, and the private sector. Warning is the process of notifying asset owners of a possible threat or hazard.
  • Mitigation (occurs both before and during an event) - The Mitigation phase comprises actions taken before or during an event in response to warnings or incidents. DoD Critical Asset owners, NDI sectors, DoD installations, and military operators take these actions to minimize the operational impact of a critical asset’s loss or debilitation.
  • Incident Response (occurs after an event) - Incident Response comprises the plans and activities taken to eliminate the cause or source of an infrastructure event.
  • Reconstitution (occurs after an event) - The last phase of the CIP life cycle, involves actions taken to rebuild or restore a critical asset capability after it has been damaged or destroyed. This phase is the most challenging and least developed process.

Effective management of the CIP life cycle ensures that protection activities can be coordinated and reconciled among all DoD sectors. In many ways, DoD CIP is risk management at its most imperative. Achieving success means obtaining mission assurance. Missing the mark can mean mission failure as well as human and material losses. For critical infrastructure protection, risk management requires leveraging resources to address the most critical infrastructure assets that are also the most vulnerable and that have the greatest threat exposure.

Reference:

Wikipedia & ISNR 2007 Conference

Sunday, 11 November 2007

Vendor liability & User Responsibility


We always hear the words "It is your responsibility" when someone has stolen money from your credit card or the password of your email.

Why don’t we say the same words to software vendors when a security vulnerability in their software makes us lose a lot of money?

When we install any software, we have to sign off the software vendor’s EULA, and we have to accept this license to install the software.
So, I think most of us have tried to read this EULA agreement before signing it off. You can find a lot of EULA analyzer tools on the Internet that highlight the important points to you, such as privacy, vendor rights and your responsibilities.

The point here is that, as long as we don’t have any other option to install the software, the vendor must be liable for his software. By the end of last month, the Symantec Web Security Response Weblog wrote about "Privilege Escalation Exploit In the Wild"; one week later they wrote a follow-up on this vulnerability. The vulnerability, as written there, is in the "SECDRV.SYS Driver". Microsoft posted Microsoft Security Advisory (944653) about this vulnerability. Let’s analyse the FAQ as posted in Microsoft Security Advisory (944653).

What is the scope of the advisory?

Microsoft is aware of a new vulnerability report affecting the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This affects the software that is listed in the “Overview” section.

What is secdrv.sys?

The driver, secdrv.sys, is used by games which use Macrovision SafeDisc. The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows. The secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and Windows Vista to increase compatibility of the games on Windows. Without the driver, games with SafeDisc protection would be unable to play on Windows. SafeDisc remains inactive until invoked by a game for authorization to play on Windows.

The question that arises here is: if this vulnerability were exploited and Microsoft customers lost millions, would Microsoft/Macrovision be liable for it? The answer is NO.

Let’s have a look at the "Windows Server 2003 End-User License Agreements"; by using an EULA analyzer or reading the EULA yourself you will find:

23. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
  • anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
  • claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
  • repair, replacement or a refund for the software does not fully compensate you for any losses; or
  • Microsoft knew or should have known about the possibility of the damages.

It is unfair if customers lose millions of dollars and can claim only the amount they paid for the software. Ira Winkler, the author of Spies Among Us, wrote a wonderful article on this point with the title "Vendor liability: A pointless argument?". Also, Art Coviello, RSA’s president, at the last RSA Conference 2007, which was held in London, gave this interview to ZDNet.

In the end, I think software vendors should be liable for their software, just as users are responsible for their mistakes.