by Jay Heiser | October 6, 2014 | 1 Comment
The blogosphere and the punditerati are all in a tizzy this week with the titillating news that a major financial services firm has reported that a bunch of their services were compromised, and the attackers have purportedly stolen…the phone book. In other words, somebody obtained a list of publicly available names and email addresses.
Let’s not minimize the potential significance of a widespread hack on a set of digital components within our critical financial infrastructure. But if it remains the case that the only information stolen is a set of publicly available names and email addresses, then the impact on individuals will be low.
Instead of dwelling on the OMG factor of this latest newsoid, maybe this could be an opportunity to revisit the basic assumptions underlying a system that finds it increasingly awkward to attempt to prevent access to an exponentially expanding amount of data. It is impossible to protect data types that are explicitly designed to be publicly known and shared, such as personal names and email addresses. These are just not secrets.
If knowledge of an individual’s name or email address enables an attacker to perform a useful form of attack, then such attacks are inevitable. Publicly-known and long-term names are not robust authentication factors, and that includes identifiers such as Social Security numbers and credit card numbers. Shared secrets are oxymoronic.
I’m not ready to fully admit that ours is a world without secrets, but it is difficult to avoid the conclusion that most data is going to have to take care of itself. We just cannot protect everything, and the more often a piece of data is used, the less useful it is in protecting our money. If our personal financial integrity is dependent upon protecting reusable long term identifiers, then we are doomed. The practical approach towards safe existence in an increasingly complex and hackable digital world is to explicitly not try to protect everything, concentrating instead on smaller and more robust quantities.
The inevitability of identifier compromise has long been recognized, which is why robust systems have a revocation mechanism. Credit card numbers can be relatively quickly revoked and then replaced. Personal names and email addresses cannot. Symmetric encryption mechanisms give us the ability to verify possession of a secret without the need to actually share that secret, greatly reducing the exposure of ‘names’ to attack.
We have the technology, architecture, and experience–not to build systems that are ‘hack proof’, but instead to take the much more realistic approach of anticipating compromise, and building systems that have less to steal. We just need the courage to solve the right problem, but this week’s news and net suggests that instead, we’re going to double-down on the futile task of pretending that we can protect indefinitely large amounts of data.
We do not need to protect more data; we need to protect less.
by Jay Heiser | August 4, 2014 | 2 Comments
C: we are concerned about putting our email into the cloud.
C: Somebody might look at it.
J: Somebody can already look at it, even when you do host your email server in house. SMTP is a data leakage protocol, that isn’t designed to secure your data, but is intended to disseminate it as widely as possible. Email has always broadly exposed your data across the Internet, with both deliberate and accidental addressing of sensitive messages resulting in a steady stream of undesirable data leakage.
C: So what do you suggest?
J: For a start, an enterprise-managed File Synch and Share service would be a much more controlled way to share sensitive data. If you truly have data that you are concerned about leaking, then you can protect it with any number of higher-end data sharing services that will maintain end-to-end encryption, and even control cut/copy/print/save on the endpoint.
C: Oh, we wouldn’t want to do that. We couldn’t transition away from email to EFSS, and we certainly won’t pay extra for something secure.
J: So what do you want to do?
C: We want to keep doing what we’ve always done, but we want to pay less for it, and if there is a failure, we want to be able to blame someone else.
J: I don’t think anybody sells a service like that.
by Jay Heiser | June 19, 2014 | 1 Comment
Code Spaces, a vendor that claimed to provide secure Source Code hosting and project management support, has just been forced to admit to their customers that they’ve been sabotaged by a cyber extortionist, and they probably cannot fully recover. They put all their hopes, and all their customers’ data, into a single cloud, and it burst.
While not an especially large service provider, the remains of their site on the Wayback machine mentions a number of blue chip clients. I have to wonder how many Code Spaces customers didn’t bother to keep a copy of their code somewhere else.
At the time of this writing, Code Spaces has an explanation, with the unhappy news: “As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”
Business failure and client data loss are always unhappy events. It is particularly distressing when it happens to a cloud-based service that advertises “redundant, high specification servers with guaranteed uptime and availability.” Guarantees are empty paper when the data is permanently gone because the vendor failed to adequately protect it from hackers, and failed to adequately back it up. And if a vendor is no longer financially viable, service levels and contracts become moot.
As I stress in my latest research note, Everything You Know About SaaS Security is Wrong, the users of cloud services need to take responsibility for the care and feeding of their own data.
by Jay Heiser | April 11, 2014 | 2 Comments
Change all your passwords. Now. And then do it again in a week. Of course, there’s no evidence that any passwords have been exploited, but isn’t the lack of substantive evidence a suspicious fact in and of itself? It can be if you want it to be.
My favorite presentation at the RSA Conference was from Nawaf Bitar who introduced the immediately popular hashtag #firstworldoutrage. It neatly captures the idea that when a people are relatively comfortable and secure, they will start inventing things to be vocally outraged about.
As a case in outrageous point, I was disappointed with much of the recent media commentary on the GM ignition switch issue that misleadingly characterizes the fix as a simple matter of replacing a $.50 component. In a recent article, “In Defense of GM: No one is asking the right question: Was the company’s risk assessment about the faulty ignition switch reasonable?” I actually had asked that question, and the article provides a compelling explanation that it wasn’t worth the money to fix what is a statistically insignificant source of fatality.
So I ask the same ‘acceptable risk’ question about Heartbleed. Is this truly a Spinal Tap moment in the infosec world in which every single Internet citizen needs to take heroic measures to change the majority of their passwords? While it has been demonstrated that the vulnerability can be used to collect random chunks of data from Internet servers, including password and username pairs, it has not been shown as a practical mechanism to capture large amounts of passwords.
Now that everybody knows about this bug, the race is on to close the SSL holes before they are significantly exploited. There’s no question that the code needs to be fixed, but it is going to cost the collected IT world a lot of time and money to identify all the vulnerable systems, and patch them.
The urgency of password change for the millions of Internet citizens is less obvious. What will be the net social cost of every Internet citizen changing a dozen passwords? I have over 250 myself, most of which probably haven’t even been used during the 2-year vulnerability window (Neustar told Gartner this week that the average is c. 50 passwords/user). I wonder how much the overall support cost will be to recover from the inevitable password change failures? Will it all have been worth it?
One cost will be the cultural impact of one of the Internet’s biggest incidents of ‘crying wolf’. Most people assume that a wolf was sighted just outside the doors of Facebook. When the digital dust finally clears, my expectation is that very few password exploit incidents will be documented, but that will be old news for a world looking for new forms of outrage on a daily basis. But if we do experience more incidents like this, people will start asking questions about whether or not these ignition switches always need to be changed, and over time, they will lose whatever appetite they have for the fun of warning their Facebook friends that they had better change all their passwords.
What this incident has turned into is yet another example of the inherently flawed nature of passwords. A more unusual lesson to derive from this incident is that the global Internet rests upon widely shared code that represents the potential for more single points of failure. Major public cloud service providers, financial service firms, social networking services, hardware devices, and countless other Internet-enabled technologies not only turned out to be dependent upon the same SSL source code, but like much of the open source code that defines our digital world, it was developed by a small group of part-time volunteers. That seems an insufficiently substantial foundation to support the global expectations of privacy, confidentiality, and reliability. Perhaps that’s why they call it the cloud.
by Jay Heiser | April 8, 2014 | 5 Comments
It’s too bad that Dick Cheney’s awkward little epistemological speech has been so thoroughly politicized, turning an important risk management principle into an opportunity for derision. Intelligence analysts, and IT analysts, need to be acutely aware of the limits of their knowledge, especially when making decisions about how to take advantage of public cloud services.
Anybody making risk decisions about public clouds needs a strong understanding of the degree to which they can trust the information they have about those services. To apply this particular Theory of Knowledge principle to Public Cloud Services:
1) Known Knowns: If data is encrypted before it is uploaded, we know that it is encrypted. If the data is not encrypted, we know that it can be read by anyone who accesses it, which leads to the second category.
2) Known Unknowns: If our clear text data is in someone else’s site, we know that it is vulnerable. What we cannot ever know for certain is whether an unauthorized person takes advantage of that vulnerability. It’s a level of ambiguity, but an understood one.
3) Unknown Unknowns: If there were some sort of vulnerability that we had never conceived of, it would be in this final category. The fact that you haven’t even thought it might exist means that you don’t know what to look for to ensure that it is controlled. An example might be a cloud service provider that exposes your email boxes to external surveillance in order to conduct load balancing and facilitate service continuity.
In retrospect, if a cloud service provider claims to be spreading your data across multiple locations (which virtually all of them do), before storing your data in that service, it would make sense to ask them what mechanism they use to transmit your data between those locations, and how they protect it in transit. I see a lot of cloud service provider questionnaires, but I don’t ever remember this particular issue coming up.
An example has recently come to light of an ongoing confidentiality failure involving a CSP copying customer data between their data centers. For many cloud buyers the news of this unexpected form of exposure has moved this particular risk from category 3, into category 2. Now we all know that we don’t know how our data is protected when it is being replicated between CSP data centers.
We can only hope that not every virtual backend is flapping open in a packet storm.
by Jay Heiser | September 25, 2013 | 2 Comments
Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents.
On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had leaked, or been misused, it was in a place that it shouldn’t be, and they wanted to apologize. Several physicians had decided that their personal GoogleDrive accounts would be an appropriate place to share data, and while this undoubtedly was a convenient place to compare notes on their patients, they hadn’t undertaken a HIPAA BA with the service provider.
The following day, July 29, NASA’s Office of Inspector General released a report that “found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk.” (NASA has a LOT of data in the public cloud.) Citing a laundry list of weak cloud control practices, including not asking the permission of the non-existent Cloud Czar, the OIG further stated that “in four cases NASA organizations accepted the cloud providers’ standard contracts that did not impose performance metrics or address Federal privacy, IT security, or record management requirements,” concluding from this that “As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise.” (see page iv) I agree that most standard contracts are extremely non-committal about levels of security service, but such a direct correlation between risk and contract verbiage seems….well, cloudy to me.
A month later, on August 28, the US Federal Trade Commission issued a complaint against LabMD for a 2007-8 incident in which the Limewire client had been installed on one of their servers, resulting in personnel data being compromised through that P2P system. Reminiscent of the OHSU incident, it is yet another case of people of good will who are just trying to get their job done by using spreadsheets to supplement the weakness of IT-provided systems. It appears that Limewire was the private toy of the sysadmin, and not used to support the spreadsheet-based workgroup, but unfortunately, the directory they used was shared to that service. Unusually for a ‘privacy breach’, it seems that personal data was actually obtained by somebody who tried to use it to commit financial fraud. 5 years after this undisciplined use of the cloud on the part of a sysadmin, LabMD is now required to spend the next 20 years allowing a CISSP to assess their posture.
by Jay Heiser | September 18, 2013 | 1 Comment
You’ve got 2 weeks to get several Petabytes of data from a dissipating cloud. Will you get it all back safely? Hundreds of Nirvanix customers are asking themselves that question right now.
Although their web site remains blissfully mum about this unfortunate development, The Wall Street Journal is only one of several media organizations reporting that Storage as a Service provider Nirvanix has run out of money, and will cease service in 2 weeks.
Given that many of their customers are large media companies, I have to assume that they have an awful lot of data stored there. 2 years ago, a Nirvanix press release bragged that USC would be moving 8 Petabytes of data to the Nirvanix Deep Cloud Archive(tm).
What kind of a data storm do you get when a thousand customers all simultaneously start trying to copy out petabytes of data? How much technical support can a company offer when they are going bankrupt? Can you reasonably expect that their staff will be motivated to stay on, and undertake any necessary heroic efforts that might be needed to help you recover your data? Where are you going to put that data?
I continue to get a lot of questions from Gartner clients about cloud security. While there are issues associated with the confidentiality of your data in the cloud, for the majority of cloud customers, the potential loss of confidentiality is just not the biggest form of cloud risk. Cloud Computing turns your software into a just-in-time supply chain maintenance issue. If a vendor goes bankrupt, or suffers a catastrophic failure, your data disappears immediately, and there may not be anybody around to help you find it.
What’s your contingency plan?
by Jay Heiser | September 13, 2013 | 2 Comments
I’m feeling the walls of our linguistic purity come crashing down, battered by the waves of language evolution. In short, I’m ready to acknowledge an increasingly popular usage, and start using the trendy term ‘Cybersecurity’.
Such terminological transitions are no new thing in a space that could still legitimately be labeled as ‘computer security’. Working for a beltway bandit in 1995, I have vivid memories of a passionate beer-fueled discussion over the relatively new term ‘information security’, and whether that was an appropriate designation for an increasingly significant discipline, or just a pretentious and hyped new label.
Since that time, my friends in the military-industrial ghetto have recharacterized the holistic approach to ensuring that nothing bad happens to stored communications as ‘information assurance,’ and arguably arriving several years later, the commercial world has an essentially equal set of expectations for the term ‘information risk management’.
Meanwhile, Gartner is fielding a record number of calls on ‘CYBER’ security topics. Unsurprisingly, the answers vary when we try to dig deeper into the underlying questions. When I asked one Cybersecurity vendor just what they thought the term meant, they explained that it referred to ‘computer security–with the Internet’. Given that I’ve been on the Internet, and involved in security topics, since 1987, I just didn’t find that a satisfactory answer at the time. Yet, the more I think about it, the more it rings true.
In today’s parlance, ‘cyber’ clearly equates to ‘digital’. With all due respect to Norbert Wiener, and his groundbreaking work in the field of cybernetics, a prefix inspired by the Greek word for ‘steersman or rudder’ has been hijacked by 30 years of speculative fiction, losing its association with the esoteric concepts of ‘control’ and ‘systems’.
For the overwhelming majority of people, ‘cyberspace’ refers to the Internet, and by extension, anything with an IP address. Cybersecurity essentially applies to the realm of all that is digital, be it an office computer, a personal tablet, operational technology, or next year’s digital refrigerator. While the term certainly implies the role of Internet connectivity, that distinction is becoming less significant for the inhabitants of an ‘Internet of things’.
The good news is that we no longer have to be worried about paper. The self-identified practitioners of ‘Information Security’ have spent the last 20 years grappling with the dilemma of the printed page, and to a lesser degree, with the implications of human memory. Cybersecurity means freedom from the thankless task of trying to protect information outside of the digital realm.
Computer Security is dead; long live computer security. I wonder what they will come up with next.
by Jay Heiser | June 14, 2013 | 1 Comment
Gartner security analysts are being bombarded with questions about CYBER security. Is this cyber reality, or cyber hype?
A few years ago, we had seriously entertained the idea of creating a sort of ‘IT Buzz Term Hype Cycle’, that would map overused prefixes across trigger, hype, disillusionment, and productivity. At the time, ‘I-’ had reached the peak of hyperfication. It’s not hard to envision a future in which the prefix ‘cyber’ goes the way of the dodo, trapped forever in a linguistic graveyard with the suffix ‘dot com’.
In Gartner, we actually do have a concept of cybersecurity, incorporating operational technology into a broader concept of digital domain protection. It is also fair to say that many uses of the term cybersecurity connote, if not denote, the concept of offensive digital warfare. I want to go on the record right now and say that we specifically do NOT recommend that commercial and non-profit users of digital technology develop hackback capabilities.
We live in a constant state of verbal inflation. I started my career in computer security, lived through long painful discussions on whether or not information security was a valid term, and have watched, without actually encouraging, adjectival divergence into information assurance, cybersecurity, and cyberassurance.
All of these terms originally arrived with the best of intentions, bringing new concepts and connotations to a complex and changing cyber world. They inevitably turn into positioning playthings, as commercial entities and government agencies use the latest buzzterms to position themselves as being leaders—in something. It’s anybody’s guess whether these various terms will evolve into sharply defined meanings not just for small specialty domains, but for the IT world in general.
For the time being, if you want to ask us about cybersecurity, we are going to ask you to provide more details. Are you military? Are you considered critical infrastructure and are you responsible for OT? What is it that you want to protect from whom?
Fresh terminology doesn’t necessarily mean that the old concepts were stale.
by Jay Heiser | June 3, 2013 | 1 Comment
Life in the cloud would be so much easier if there were only some sort of ‘cloud risk seal of approval’. Most public cloud services seem to offer a reasonable risk proposition, but it’s extremely difficult to provide defensible evidence of this. A comprehensive and well-accepted ‘standard’ would go a long way towards bridging this gap.
Working towards the revision of the Hype Cycle for Cloud Security (which will be published in July), I wrote the following text: “Current standards only have a relatively small amount of material relating to the design, build and test phases of technology, which means that they are not yet able to fully address all risk-relevant aspects of a provider’s offering.”
In our internal peer review process, analyst Khushbu Pratap noted “This is because the move to cloud was meant to get rid of this headache. The service beneficiaries continue worrying about assurance in these areas. Cloud has taken away the whole implementation and maintenance piece but outsourcing cloud assurance is still a risky bet.”
I think that very neatly summarizes the inherent dilemma of using a commercial cloud service provider.