Spliced feed for Security Bloggers Network

Bad Behavior - Thoughts on the Malicious Insider [BlogInfoSec.com]

Posted: 30 May 2008 06:00 AM CDT

Following every high-profile insider security breach, there is usually a slew of vendors who will triumphantly point out that, had they installed their product, the victim company would have avoided the whole painful problem. The adverse publicity, the implementation of new Draconian controls, the reprimanding and firing of “my best employees,” the souring of relationships with customers and business partners, and being subjected to continuous audits - all these horrors might never have happened “if only they had had the right products in place.”

But let’s be honest about it (even if only to ourselves). In the first place, nobody really knows the scope of the insider threat. Numbers of around 70 or 80 percent of total incidents are attributed to insiders. I happen to think that the number is much higher, probably of the order of 95+ percent - and here is why. If you were to look at the ways in which various incidents are reported, an interesting pattern emerges. Outsider attacks are more likely to be picked up, and stopped from turning into actual incidents, through the use of tools such as intrusion detection and prevention systems (IDSs and IPSs). Insider incidents, on the other hand, are more likely to be discovered by chance because the perpetrator got careless or greedy or both, and his or her activities were noticed by an alert employee or in the course of an audit review.

Now I ask you, what percentages of actual nefarious activities are identified for external versus internal transgressions? I would guess that 50 percent or more of external attacks and only about 5 percent of internal misdeeds are captured. So let’s assume we know of 70 internal incidents and 30 external incidents, this being the approximate breakdown that one might expect. However, if you accept my guesses, the total populations are calculated to be 1,400 internal incidents and 60 external incidents. This would mean that some 96 percent of incidents are internal, but we only find out about one in twenty or so.

OK, so we have tools that are really good at calling out known anomalies. But if we believe that the ratio of known to unknown internal incidents is very small, say 5 percent, then we see our problem as not being able to capture so many more suspicious internal activities.

But fear not, there are many vendors appearing over the horizon, each with a particular method for resolving a particular problem. Is this bad? No, not really. In fact, it is good to see so many creative approaches. We have to start somewhere, and a number of these products are pretty good and have enormous potential. The noteworthy point is that there is no single silver bullet here. We need a variety of tools using pattern recognition and artificial intelligence (I prefer the term “adaptive systems”) in order to tease out patterns of irregular behavior from the morass of noisy data. I have seen one product that applies the brilliant technology used in the human genome project to determine the whereabouts of a few drops of sensitive data in an ocean of corporate information. Other innovative approaches learn what is considered to be normal behavior and give the alarm when that behavior changes significantly. Some products capture data in motion, others data at rest. Some track sensitive data leaving an organization, others within the organization’s boundaries.

Despite these differences, the tools have many things in common. The key issues with many of these products are the following:

It can take a considerable effort to set up a product and to teach it the difference between right and wrong
Watertight policy and procedures for monitoring and reporting incidents need to be established.
Even when the results are filtered they can be extensive and overwhelming
The enforcement task can be daunting once irregular behavior has been identified

As we enter a new era of more difficult-to-detect exploits, we need monitoring tools, defenses and preventative methods that are up to the escalating threats. It is no longer enough to identify and act upon known exploits. Increasingly we are seeking out technologies that can second guess criminals, even when the bad guys are “trusted” employees, contractors, business partners or even customers. Such products need to understand the nuances of normal behavior in order to minimize false (or unprovable) accusations and ensure that practically all provably nefarious activities are identified and resolved.

Old-line signature-based methods are becoming less and less effective against increasingly successful exploits that operate under the normal radar. While they still have a role, traditional antivirus products alone cannot do the task at hand. Hence the proliferation of more sophisticated behavioral products. However, with the latter often being more difficult to deploy, there is much work to be done before they become as plug-and-play as the marketplace is demanding.

So what do we do in the mean time?

First, it would be a good idea if we all shared amongst ourselves the anomalies that we find and monitor. That way we don’t all keep on reinventing the wheel, as it were. After all, the bad guys share all the time, to the extent that the (good?) hackers have even set up their own social network “House of Hackers.”

Second, we should encourage those systems that prevent people from getting into trouble rather than those that catch the perpetrators after they have done something bad. The great benefit is that you avoid all the unpleasantness of investigating and punishing someone, and punishing yourself by having to fire and replace otherwise excellent workers.

And third, you should invest in today’s products even if they are not quite ready for prime time, since you are likely to achieve some unanticipated advantages. If too few of us encourage this approach it will take forever to get tools to the level at which we really need them, by which time we’ll be even further behind the crooks. So buy them, try them, and perhaps you will realize some short-term benefits while waiting for the systems to mature.

Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately.

what you see is what ... wait ... not really [Belgian Security Blognetwork]

Posted: 30 May 2008 05:46 AM CDT

WTF ? I'm seeing ghosts here :-))---

Belgium.be is not vulnerable anymore for SSL based attacks [Belgian Security Blognetwork]

Posted: 30 May 2008 04:10 AM CDT

Our friends at Scanit said that based on their research into vulnerable SSL enabled webservices in Belgium, they had found that the old belgium.be was vulnerable for such attacks. For some these middleman attacks were theoretical because they would ask a lot of resources, for others it was just a best practice to enforce a strong SSL protocol on your visitors that was even not too hard to implement.

For me it is just one thing you do because you don't want to be bothered with it. There is every hour of the day other stuff that asks for all your attention.

So it seems they not only upgraded the content, but also the security. Thumbs up for that.

The study by Scanit.be was published here a few weeks ago.

Hearings EVOTING in Belgium in the parliament [Belgian Security Blognetwork]

Posted: 30 May 2008 03:37 AM CDT

Next tuesday 10h

Gedachtewisseling over de elektronische stemming.

(Voortzetting). (Rapporteurs : de heer Dirk Claes (S) en mevrouw Corinne De Permentier).

Hoorzitting met de volgende experten :

de heer Edouard Vercruysse, Union des Villes et Communes de Wallonie (UVCW);

mevrouw Hildegard Schmidt, Vereniging van de Stad en de Gemeenten van het Brussels Hoofdstedelijk Gewest (VSGB);

de heer Herman Callens, Vereniging van Vlaamse Steden en Gemeenten (VVSG);

mevrouw Anne-Emmanuelle Bourgaux, ULB;

de heer Kommer Kleijn, Voor een Ethiek van de VerkiezingsAutomatisering (VoorEVA);

de heer Axel Lefebvre, expert;

-	de heer Rop Gonggrijp, Nederlands expert.

It will be a good thing - because to hear what has happened and is happening in Holland. We thank the parliament for taking some time to listen to those experiences and thoughts also. Vooreva will present the Belgian opposition to evoting.

Proxy ARP by default ? [Belgian Security Blognetwork]

Posted: 30 May 2008 02:57 AM CDT

not a biggie but if you decide to move from any vendor to the Cisco ASA platform. You might be in for some deep digging. At least we were :-)

Apparently Proxy ARP is enabled on ALL interfaces by default. In our case that resulted in ALL printing to cease on the local subnet (let me point out that was the first perceived problem).

So, watch out when you fire up your ASA .

buy all music at Russian prices on Belgian domain [Belgian Security Blognetwork]

Posted: 30 May 2008 02:10 AM CDT

... over the Internet of the iSound.com materials is authorized by the license # LS-3М-06-60 of the Russian Multimedia and Internet Society (ROMS). ...
www.isound.be/Help

All the music you want at dumping prices

ScreenHunter_04 May. 29 12.55

with a Russian copyright

ScreenHunter_05 May. 29 12.56

you can find them on a Russian server

ScreenHunter_06 May. 29 13.01

It maybe interesting to not that the site isound.be looks just the same as justmusicstore.com

Some people may think that it may not be safe to use your creditcard on a Russian server.....

Who you gonna run to? [Network Security Blog]

Posted: 30 May 2008 12:59 AM CDT

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, there’s no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such a entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to to report TJX. I really wish it did, I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess.

What's the deal with the Barracuda offer for Sourcefire? [StillSecure, After All These Years]

Posted: 29 May 2008 11:50 PM CDT

By now you probably saw that Dean Drako and Barracuda have made an offer of $7.50 a share (in cash) for Sourefire. This values Sourcefire at about 200 million dollars and is a 13% premium over the Friday closing price. Of course this is well below Sourcefire's historical highs, but than again who is worth what they were a few months ago. I have a chart on the left that shows stock prices.

So what is behind this deal? I think it is all about ClamAV and the Trend Micro suit. As readers of my blog know, Trend Micro sued Barracuda a few months ago for patent violations around the way Barracuda uses ClamAV in its appliances. I think Dean was looking to Sourcefire as the owners of ClamAV to step up and help in the defense of the suit. I believe to date, that has not happened and Dean is upset with it. In fact Dean actually mentions that suit and Sourcefire's lack of response on it as one of the two reasons why Barracuda's acquisition would make sense. For the other reason Dean takes a swipe at the Sourcefire management team, saying "We believe that the recent FIRE stock price reflects the execution challenges faced by the company's management to date."

I am not sure where Dean comes up with the 200 million to complete this deal, but assume he has lined up financing. However, at this price I don't think this is more than a stunt. If Barracuda goes beyond $7.50 a share to $10.00 a share or so, it gets real interesting. Maybe this puts Sourcefire in play and someone else comes forward with another offer, who knows. But right now I think Dean is just looking to stir the pot.

When do you have an obligation to go public? [StillSecure, After All These Years]

Posted: 29 May 2008 09:13 PM CDT

No, not IPO public, but public about disclosing employer secrets which could provide a risk to the public. My friend Martin McKeay has written an article over the recent firing of an employee of TJX for disclosing in a public forum continued poor security practices by TJX. The same TJX I might add that as a result of slipshod security practices caused 100s of thousands of dollars, if not millions of dollars in bank fraud to occur.

Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". The term whistleblower is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure of this information is made to a person or entity with the power or at least willingness to take corrective action. In this case, I think that is the missing pre-requisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (If I can call him that), was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.

I have a problem with Martin when says that CrYpTiC should have done what he has done and that is keep your mouth shut and move on to the next opportunity. I think depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities it could make you guilty as an accomplice! Think about it Martin, if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good, outweigh your obligation to your employer. Is sticking your head in the sand and moving on while letting illegal or irresponsible behavior go on the right posture? I say not.

I think CrYpTiC felt strong enough about what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strong enough that what TJX was doing was wrong and he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure potential future victims of TJX fraud that will now be spared that loss would thank him for it.

Martin, there comes a time where keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is when does your duty to disclose surpass your duty to keep your employers information private? I think that is a personal question that all of us have to answer ourselves. Clearly criminal activity should be disclosed, otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.

The real question is why doesn't the PCI council or the government have a forum for people like CrYpTiC to go to in the future. That is what is needed!

Do you have an example for FUD Watch? [StillSecure, After All These Years]

Posted: 29 May 2008 08:47 PM CDT

My friend Bill Brenner has landed as Senior Editor at CSOonline.com. His latest article is introducing something called FUD Watch. Bill has had enough of his mailbox being full of every chicken little saying the sky is falling with the latest security threat. He gives on of many examples but is asking for others. An obvious one is the recent Symantec call for everyone to stop using Flash. Than today, it retracted saying that in fact the latest version of Flash was not vulnerable.

Do you have a good example of FUD? If so you can share it with Bill at bbrenner@cxo.com. In the meantime, we will be watching for some continued good stuff from Bill.

Keynote Speakers for The Last Hope Announced [Liquidmatrix Security Digest]

Posted: 29 May 2008 08:46 PM CDT

Just a heads up — Liquidmatrix Security Digest will be at The Last Hope. There may even be some shwag available.

For Immediate Release

The very first of the speaker slots for The Last HOPE have been announced with many more to come next week. We have had more submissions than ever and will need to add an additional track in order to accommodate the best of them. What follows are some of the highlights to date.

- Steven Levy, author of Hackers: Heroes of the American Revolution and chief technology writer and a senior editor for Newsweek.

- Adam Savage, co-host of the popular TV show Mythbusters and “a maker of things.”

- Kevin Mitnick, “the world’s most dangerous hacker” in the eyes of the government and mass media, imprisoned for over five years, and now a successful computer security consultant.

- Jello Biafra, a tradition at the HOPE conferences, former lead singer of The Dead Kennedys and one of America’s most interesting social activists.

- Steven Rambam, private eye extraordinaire, who can find out anything about anybody and has always been willing to share his knowledge of privacy with the hacker community. (The FBI prevented his 2006 talk from being given by swooping in and arresting him moments earlier. The case against him was later found to have no merit.)

These five speakers are only the tip of the iceberg. By the time the dust settles, we expect to have over 100 presentations in four tracks. While time is now quite short, if you feel you have an amazing talk idea or panel suggestion, you can still email us at speakers@hope.net. We will try and schedule as many good talks as we can cram into the weekend.

The Last HOPE will take place from July 18-20, 2008 at the Hotel Pennsylvania in New York City.

To preregister, visit http://store.2600.com/lasthope.html
To submit a speaker proposal, email speakers@hope.net
To become a vendor, email vendors@hope.net
To volunteer to help us run the conference, email volunteers@hope.net
To visit the official Last HOPE website, go to http://www.hope.net

Contact: HOPE Staff +1 631 751 2600
hope@hope.net

… and since I’m temporarily in charge — shwag is only available to those who recognize me.

Tags: the last hope, hacker conferences, 2600 magazine

Security Brieflet (the late edition): May 29th [Liquidmatrix Security Digest]

Posted: 29 May 2008 06:57 PM CDT

A couple of interesting stories over the course of the day…

Comcast Defaced (for a short while)

I can’t say that I’m all that saddened… it is Comcast after all.

Banks don’t disclose all breaches

I’d love to argue this one, but I’ve known too many bankers.

Back with more Liquidmatrix Love in the morning folks, the night is young and I’ve got work-related documentation to produce.

Tags: information security news, opinion

Hack of the day : Fedis hacked since long time [Belgian Security Blognetwork]

Posted: 29 May 2008 05:06 PM CDT

Fedis is the official organisation that defends the interests of the distribution sector and is so busy in those turbulent inflation and inflamatory times that they forgot to secure their server and didn't see that their server has been hacked since weeks.

http://www.fedis.be/index.html which gives - gave

reminder these hacks are being found in zone-h.org and by Googling, we don't hack anything, reporting it is already taking enough time from my life

Disclosing in a public forum is not whistle blowing [Network Security Blog]

Posted: 29 May 2008 04:02 PM CDT

Last week TJX fired one of their employees for disclosing on ha.ckers.org that TJX is using blank passwords and other very insecure procedures. Posting in what he thought was an anonymous manner, CrYpTiC_MauleR was tracked down by management at TJX through his ISP, asked what he felt is wrong with the TJX network and fired. And as bad as I feel for him personally, I think TJX did the right thing.

Don’t get me wrong, I have very little sympathy for a company like TJX. They had one of the biggest credit card breaches in history, they’ve been put through the ringer and they still have the temerity to allow such bad practices as blank passwords and running servers as admin. I’m hoping TJX’s acquiring bank, PCI assessor and Visa/Mastercard get wind of these issues and call them on the carpet for it. But I don’t excuse the actions of Cryptic_Mauler.

I’ve read most of the thread on sla.cers.org, and this appears to be an issue of venting frustration, not whistle blowing. If Cryptic_Mauler was talking to federal investigators or maybe even a reporter, I might call it whistle blowing, but by disclosing it in a security forum, it was simply a way of pointing the finger at the stupidity of his employer. It’s not a case of full disclosure either, since that usually refers to
vulnerabilities in a product or OS, not poorly designed security
implementation by your employer. He had no expectation that this disclosure would somehow improve the situation at TJX, he just wanted someone else to know about the issue. And maybe hope that someone could embarrass TJX into changing.

We’ve all been in situations where we have employers doing stupid things. We do our best to communicate with management about the problems and hope they react appropriately. The problem is, our perception of ‘appropriately’ and management’s is often very different. What we see as a horrible security hole, they may see as another minor problem that would take major money to fix. Or just as something that they don’t want to think about right now.

There’s no reporting mechanism built into the Payment Card Industry standards. To the best of my knowledge, there’s no clear cut method to report a company that has bad practices to the credit card companies or the government at all. There’s not even a press person you can talk to about the issues with to bring it to public awareness. It’s frustrating because, despite their known issues, TJX is probably far from the worst offender and there needs to be a way to make these people sit up and take notice. But that’s no excuse for posting the issues with the TJX network in a public forum.

Cryptic_Mauler isn’t a security professional. He wasn’t even a part of the IT team. But he was an employee of the company and as such was held to certain expectations. Keeping internal company issues internal is one of those expectations. I don’t like how TJX is apparently handling their problems, I don’t like that they aren’t responding more positively to internal criticism, but I don’t see that they could have taken any other action in this circumstance.

I’ve had to resign from a job before because the company wasn’t being responsible in my opinion. I’ve seen companies in the past that shouldn’t be allowed to have computers let alone an ecommerce site. I’ve been at companies that I wondered how they stayed in business, not even considering their security concerns. But I always tried to react ethically and within the bounds of my moral obligations. I’ve learned that I can do what I can do and sometimes I have to walk away and let someone else deal with the problem. Public disclosure doesn’t fit in my world view of ethics and morality.

It’s frustrating dealing with a company that doesn’t want to change. It’s hard not having leverage to make the changes that you see need to be made. How you react to that frustration is up to you. Do you scream in public like Cryptic_Mauler, keep going until you find someone who can make the change or do you move on to another opportunity? I hope Cryptic_Mauler can find a new position somewhere else; I hope the limited notoriety this incident gives him will help him further his career. But I think he made a mistake in publicly disclosing TJX’s problems, one I hope doesn’t continue to haunt him.

There Is No Silver Bullet ! [Belgian Security Blognetwork]

Posted: 29 May 2008 02:07 PM CDT

You know I earlier posted my pov on anti-malware and how it may 'disappear' in the future. I feel it still serves a role, as a feature on gateway products (talk proxy-servers, content filter solutions and/or perimeter firewalls) or as a service like it is now to be found in managed e-mail washingmachines. The question is always : how will the industry manage licensing for these services ? And will it be possible to cover the costs to maintain their global teams of analysts ?

It is basically the same for most of the technology security 'solutions' today.

online typosquat testforms are not complete [Belgian Security Blognetwork]

Posted: 29 May 2008 10:09 AM CDT

If you thought that you had enough by just relying on these online forms like the one from combell

than you will have to think again

First not all combinations of numbers are included in the examples they are giving - so you will miss some that are even more evident

Secondly you must really retype your own domainname and take three typical mistakes

typing erroris with the letters next to those you would type

for example baby.be can become babu.be babr.be bqby.be etc

the most important factor here is that it is not too evident

Secondly you must take into account dyslexic mistakes

for example byba.be instead of baby.be

thirdly you must take into account language mistakes, especially with people who don't speak your languages or if they operate in a multi-langual environment

for example béby.be

everything should be tested, and retested and for that you will have to buy them for a year - the problem is that if you buy them and set them free, they will arrive in the list of disposed domainnames which will attract the attention of domainspeculators, surely if they see that you have bought them yourselves or with your real agent

You can use them for inspiration, but not as a final call

As if you needed more reasons to use NoScript: Flash [Network Security Blog]

Posted: 29 May 2008 09:50 AM CDT

I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue.

The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998, SQL injection is low hanging fruit on the security tree and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits.

Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or less machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does.

Security Briefing: May 29th [Liquidmatrix Security Digest]

Posted: 29 May 2008 09:19 AM CDT

Wheeeeee… I’d like to take this moment to again bitch and moan about how much work this is — I don’t know how Dave finds the time and I’m not a morning person and I feel really bad and I’ve been busy and I don’t have enough coffee and… yeah. I got nothin. Have a Rockin’ Thursday! Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

MacOS X 10.5.3 - Big Updates, Update Now! or else the bad guys will pwn your iCal.
Defacement or Failure in Containment? Play some Russian Roulette with me! don’t believe what you see… sometimes.
Securiosis tells us when Whole Disk Encryption isn’t enough
Canadian government ACTAs to shoot itself in the foot… again. How do you say “Chilling Effect” when you’re up to your ass in melting ice-caps and pissed off polar bears?
Let a million Hackerchildren bloom - OLPC style baby
Ask /. all about security theatre HA… I didn’t get Frist Psot!!!!11!!!!
Totally wicked xkcd all about security holes xkcd is the userfriendly for the post-dot-bomb world

Tags: News, Daily Links, Security Blog, Information Security, Security News

Webinar Alert: They’re Letting Us Speak Again! [RiskAnalys.is]

Posted: 29 May 2008 08:30 AM CDT

Our friends at Cisco have asked Jack Jones to be part of their InfoSec Leadership Forum Webinar Series. He’ll be talking about FAIR and risk in a two part series and I really think you’ll enjoy watching.

The good news is that you’ll even get a free copy of The Zero Day Threat from Iron Port just for signing up. The bad news is, they opened registration yesterday afternoon and it’s already half full. Here’s the link, get on it!:

http://tinyurl.com/5wgh2s

The Final Step in a Homegrown IDM Solution (pt. 3) - So, let’s start hammering [BlogInfoSec.com]

Posted: 29 May 2008 06:00 AM CDT

To recap briefly, we have identified and analyzed all our primary sources of user data and the system and service providers who consume those data. We have funding, developers, and a project plan to follow. We understand our provisioning process, have identified or built a directory of user attributes, and have generated policies and procedures to initialize and terminate users.

In short, we are finally ready to build our IDM system. The key to our success is crafting a web service that generates identities and binds a user to one. Because we are going to some pains to create and assign these identities and because your associates may over time be located in different geographies, be sourced by different systems or play different roles, there is significant benefit, from operational and compliance perspectives, to reconstruct their history with the organization. A single identity is your only hope of accomplishing this aggregation.

As you design your service, identify the attributes that are most distinctive about each associate. In certain instances, a government-issued identifier, like the Social Security Number (SSN-USA) or Social Insurance Number (SIN-Canada) may be available. These numbers are useful because they are unique identifiers assigned, managed, and maintained by a trusted source. Unfortunately, given the proliferation of and sensitivity to identity theft, use of such identifiers is severely constrained, even in those jurisdictions where they are available. However, as mentioned in a previous post, one of the advantages of building your own robust identity system is that you can both protect the identifier and prevent its proliferation elsewhere in your organization. Strong access controls ensure more sensitive attributes are only available on a business need to know basis.

Be aware though, that even a government identifier is no panacea. In my former experience building an enterprise identity system, our analysis of source systems identified multiple instances of SSNs and SINs with the same values requiring that we include a country code field to distinguish them. Our North America HR system was not so prescient and was forced to create “fake” identifiers for our Canadian staff with the same values as an American counterpart, leading to unfortunate technological gymnastics at tax reporting time.

So, use a government identifier where available. But for all the instances, particularly in a global organization or where the Privacy Office has run completely amuck, you will need more attributes. Within reason, more is better because each additional attribute, assuming it is from a trusted and maintained source, reduces the number of false positive results your service might identify. Examples of other useful attributes are:

First Name
Middle Name (Middle Initial is much less useful)
Last Name
Suffix (Jr., Sr. etc.)
Date of Birth (year is helpful but access to it could be limited by privacy concerns. Month and Date are a must, though)
Maiden Name
Gender (sometimes also limited but very useful particularly where name is not an evident indicator)
Previous company employment (only useful if historical data are accessible from your source systems and mergers over time haven’t completely obscured formerly independent components of the organization)

You may have identified others but ensure that they are valid, maintained, and enduring. For example, college of attendance or current address could change over time, though place of birth would not; however, providing data integrity for the latter can be a challenge (e.g., I could be born in Dorchester, Massachusetts or Boston - the former is part of the latter and is often used by residents as their city name). Once you have gathered your attributes, determine their level of criticality. Other than date of birth, most other attributes, at least, theoretically can change. Assign a weighting to each attribute.

Each source system, either in batch or transactionally (we used both approaches simultaneously, depending on the system’s capabilities), sends an agreed upon data set for each new record. Your web service retrieves the records and compares them to your data store of existing identities. Ideally you have leveraged your most complete and accurate directory for this, or have used multiple vetted sources to build your own. For each attribute matched, assign the record the point value of the attribute type (e.g.,, 10 for government identifier and date of birth, 9 for last name) and once all the matches have been made compare the score to the expected score if every attribute matched perfectly. Set a baseline for a definite match, realizing that not all attributes may be the same because of typing errors or missing fields. If using a transactional approach return as XML the existing organizational identifier for that person and provide some way - we used a dialog box - of letting the user doing the data entry to review and accept the proposed update.

Give the user an “opt-out” option in case their review suggests the proposed identity is not for the record in question. For instance, consider having a capability to flag records of deceased staff and VIPs so their records are never part of a results set. An opt-out choice should also generate an alert to identity program staff that there may be an issue with the matching protocol.

If there are several potential matches, rank them by score and have at least the top three to five results displayed to the data entry user and allow them to pick one or none. In this case, opting out should prompt the data entry user to create a new id, thereby initiating a new call to the identity store that returns the next incremental identifier. When no matches exist, a new identifier is automatically returned.

Batch processes would work similarly but some sort of exception reporting would be necessary identifying the various types of matches and probably some sort of holding area would be necessary to ensure that source system records are not updated until proposed matches have been accepted and new identity creation initiated. We actually found that the transactional approach was more manageable assuming the source system was able to consume the XML. Those systems also need a way to ensure that their newly created records could not migrate to downstream systems until the identities are assigned. That constraint ensures full compliance with a managed identifier for all.

In future columns on provisioning, governance,contractor management, and access control reviews, I will describe how to best leverage the unique identifier throughout the organization. By building our own identity management system, we were able to completely change for the better the operational and security culture of a complex global organization. I hope you experience the same benefit. Please feel free to share your stories.

The Daily Incite - May 29, 2008 [Security Incite Rants]

Posted: 28 May 2008 10:17 PM CDT

May 29, 2008 - Volume 3, #52

Good Morning:
I've got a big problem and I'm not sure what to do about it. Basically, my kids like crap TV. I am not one of these crazy parents that thinks all TV is bad. I think there is a lot of value in some of the shows they used to watch, like Dora and Blue's Clues. But help me understand what they are learning from shows like SpongeBob and the Power Rangers?

SpongeBob goes down in flames My 7 (almost 8, just ask her) year old knows how to use the DVR. So now I'm totally screwed because she can read the guide, figure out what crappy show she wants to watch and then she proceeds to record 5 of them. That's how I became familiar with the Fairly Odd Parents. Arghhhh.

Why can't we just go back to the good old days? When Superheros were super heroes. When they had a message in each of their stories about fighting evil and doing the right thing and supporting your community. I guess somewhere buried under a ton of campy eye candy that message kind of resonates from Power Rangers, but the villains are so wacky and the stories so contrived that it's very hard for me to watch.

So I've become the parent that goes through the DVR list every couple of days and cleans out the crap. I never wanted to be that guy, but it my kids brains are going to atrophy at the ripe old age of 7, then I'd rather it be with a show at least I can tolerate. There it is, it's all about me - for a change.

I guess there is a generation gap, as much as I'm trying to be a "cool dad." I let the kids listen to Hannah Montana and the High School Musical soundtracks. Some of the songs are kind of catchy and the movies have decent messages. I wonder if my folks every "understood" the TV that I watched back in the early 70's. A friend reminded me of the great, educational TV I used to watch. Like Hong Kong Phooey, H&R Pufnstuf and the Land of the Lost. I loved those shows and I wasn't even stoned. They were classics I tell ya! Yes, classic piles of crap. And then I got older and graduated to timeless classics like the A Team. Right - more crap.

So the moral of the story is that the more things change, the more they stay the same. You'll still have some shows that are decent and others that are crap. And your kids will like the crap and it will make you crazy. I guess like it made my folks crazy when I did a B.A. Baracus on my kid brother's head.

Have a great weekend.

Photo: "spongebob effigy" originally uploaded by blurradial

Technorati: Information Security, CSO,Security Mike, Internet Security

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

Drawbacks or not, security will be embedded into the network
So what? - Farnum totally unloads on this video interview of TPTI's Brian Smith, which I think it pretty entertaining. I guess there is no Tejas love between those folks. I guess I'm much more sanguine about the whole discussion. I've seen this movie before and I know how it ends. Regardless of what TPTI wants to believe. And that means more and more security capability will end up in the network. Will everything be in the network? Not for another two generations or so - best case, but this ongoing migration is going to create a problem for those folks that just do one aspect of network security. That's right, TPTI and Sourcefire need to expand their product visions rather dramatically because doing network security and not having a network device is going to be problematic over time. FIRE is focusing on management with their 3D stuff and that is certainly one direction to go in. It's not clear what direction TPTI is going to go in, once they are liberated. Fact is, the 3Com deal has likely killed their ability to compete. When they are spun out, it's not clear what their balance sheet is going to look like, and if they don't do some deals to broaden their product family QUICK, they are dead meat. But hey, don't shed a tear for those guys. $430 million a couple of years ago was a huge (actually way too huge) number, so they already got their money. It's 3Com shareholders that are left holding the bag.
Link to this

What does "safe" mean anyway?
So what? - Prior to the ScanAlert/McAfee deal I was one of the (few) voices that were very critical of these poor man's web site certifications. It is nice to see a lot of other security folks piling on and bringing up a lot of these issue. NetworkWorld does a decent job summarizing a lot of the challenges of these offerings. But I want to (once again) play a bit of a counter indicator to what the rest of the business is thinking. There is clear value in the process of scanning your network and applications every day. That's good stuff. You can get a bit of an early warning of an issue and move quickly to remediate. Of course there will be a lag between when an attack happens and when you can test for it. It's called "zero day" sports fans. My issue remains providing some kind of "cert" that indicates some level of safety. You can post a little badge that says "I was scanned today." Kind of like the little sticker that you get when you vote. But to claim "HackerSafe" or "Vendor X Secure" is a load of crap. So I'd certainly like to see more companies, especially small retailers using these services. At the same time, I'd like a better clarification on the web site badges to indicate that scanning <> security. Is is too much to ask to have my cake and eat it too?
Link to this

Your data has a staph infection
So what? - It's funny, I was just talking to a company earlier this week about the healthcare vertical. I don't think that's really a good market for security. Clearly their security performance leaves a bit to be desired. For single sign-on and identity management, where there is a clear ROI - sure. But security, not so much. Why? Because once you get beyond the 5 biggest managed care providers, you have a huge number of very small institutions. These institutions are being squeezed by insurance and big pharma and patients that don't pay their bills. These folks don't have a lot of money to spend on security, not until they have to. And when would they have to? After a data breach? Not so much. HIPAA is still an empty suit. There have been zero public executions, even after these data breaches. There is no TJX and a community is a captive audience. I can see it now: Someone is in the ambulance and tells the driver to direct them to another facility because their local hospital has crappy data protection policies. I suspect that isn't really an option in most cases. So there is no incentive to really fix the problem, and we scratch our heads and gnash our teeth that it isn't fixed.
Link to this

The Laundry List

If security is so hot, why wasn't it mentioned even once in TechTarget's earnings call? Right, it's not that hot and we'll see that later this year. That's one guy's opinion anyway. - Seeking Alpha earnings call transcript
PCI 6.6 needs both code reviews and web app firewalls? Why not flog a Barney webcast from companies that sell both. Some days I really hate marketing. - Protegrity release
Dan Geer a VC? He joins In-Q-Tel, but we'll see in what capacity. It would be a horrible waste to have him negotiating term sheets or looking over marketing plans. - Zero Day blog
Passlogix jumps on the on-demand SSO bandwagon as well, but will customers trust their authentication to be carried around on a thumb drive or to live in the cloud? Probably, but I don't suspect they'll spend a lot of money on it. - NetworkWorld coverage