Tag Archive for 'security management'

Thinking about Cloud Security & Vulnerability Research: Three True Outcomes

Published by alex on June 28, 2010 in Cloud Security. 0 Comments Tags: , .

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an example of one of these imagined cloud security issues, a “jailbreak” of the hypervisor.

And that made me think a bit because essentially, we want to discuss, we want to know, “what will happen not if, but when vulnerabilities in the hypervisor, or cloud api, or some new technology bit of cloud computing actually are discovered and/or begin to be exploited?”

Now in baseball, sabermetricians (those who do big-time baseball analysis) break the game down into three true outcomes – walk, homerun, strikeout.  They are called the three true outcomes because they supposedly are the only events that do not involve the defensive team (other than the pitcher and catcher).  A player like Mark McGwire, Adam Dunn, or if you’re old-school, Rob Deer are described as three true outcome players because their statistics over-represent those outcomes vs. other probable in-play events (like a double or reach via error or what have you).  Rumor has it that Verizon’s Wade “swing for the fences” Baker was a three true outcome player in college.

In Vulnerability research and discovery, I see three true outcomes, as well.   Obviously the reality isn’t that an outcome is always one of the three, just as in baseball there are plenty of Ichiro Suzuki or David Eckstein-type players whose play does not lend itself to a propensity towards the three true baseball outcomes.  But for the purposes of discussing cloud risk, I see that any new category of vulnerability can be said to be:

1.)  Fundamentally unfixable (RFID, for example).  If this level of vulnerability is discovered, cloud computing might devolve back into just hosting or SaaS circa 2001 until something is re-engineered.

2.)  Addressed but continues to linger due to some fundamental architecture problem that, for reasons of backwards compatibility, cannot be significantly “fixed”, but rather involves patches over and over again on a constant basis.

3.)  Addressed and re-engineered so that the probability of similar, future events is dramatically reduced.

Now about a year ago, I said that for the CISO, the move to the cloud was the act of gracefully giving up control. The good news is that in terms of which of the three we see in the future, the CISO really has no ability to affect which outcome will exist.  But how cloud security issues are addressed long-term, via technology, information disclosure (actually the entropy of information disclosure), and contract language (how technology and entropy are addressed as part of the SLA) – these are the aspects of control the CISO must seek to impact.   Impact that is both contractual and on her part, procedural – expecting one of the three outcomes to eventually happen.

The technology and information disclosure aspects of that contract with the cloud provider, well, they simply must focus on the ability to detect and respond quickly.  Chances are your cloud farm won’t be among the first compromised when an eventual exploit occurs.  But, especially if the value of what you’ve moved to the cloud has significance to the broader threat community, that doesn’t mean (as Lori says) you simply accept the risk. Developing contingency plans based on the three true outcomes can help assure that the CISO can at least cope with the cloud transition.

For Blog/Twitter Conversation: Can You Defend “GRC”?

Published by alex on December 15, 2009 in Doing it Differently, Science of Risk Management and argument. 15 Comments Tags: , , , , , , , .

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.

#newschoolsecurity

The Eyes of Texas Are on Baseboard Management Controllers? WHAT??!!!

Published by alex on May 7, 2009 in Legislation and Uncategorized. 7 Comments Tags: , , , .

OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK!


**UPDATE:  It looks like the “vendor language” around Section Six has been struck!

Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing.

As you probably know, the guys here at NewSchool and the guys at sister site EmergentChaos are very interested in the government regulation of cyberspace.  Oh, we also happen to be pretty good with the information risk stuff, too.  So I’m sure you wouldn’t be surprised that we spent some time looking over what one of the biggest, most influential states in the Union, Texas (Austin is also one of my most favorite places thanks to my friend Joe Visconti), is doing about legislating information security.  Currently they have a bill in consideration, HB1830S.  Highlights here:

http://www.legis.state.tx.us/tlodocs/81R/analysis/html/HB01830S.htm

HB1830S has some pretty good stuff in it.  The kind of legislation that tends to make sense, even if you are a “government hands off” kind of guy like I am.

Section 2 is about background checks and having policies and so forth.  This is wonderful, it addresses about the only control we have against Internal threat agents with significant privileges.

Section 3 seems to excuse information security information (like specific vulnerabilities) from the public record.  I’m all for some level of disclosure here (Something like the letter grades the federal government releases is fine), but really, the citizens of the state don’t need particulars.

Section 4 talks about what InfoSec information should be confidential and talks about vendor relationships.  After working on some state RFPs  (not Texas) and watching how specific requirement for a “Penetration Test” was awarded to someone who, in their RFP, specifically said that they were only going to only perform a “Vulnerability Assessment”, I appreciate these sorts of clauses.

Section 5 covers internal state reporting concerns for vuln data, great.

SECTION SIX WHAT THE !@#%^!@@#$* IS THIS???!!!

“Government Code, to require that the biennial operating plan describe the state agency’s current and proposed projects for the biennium, including how the projects will address certain matters, including using, to the fullest extent, technology owned or adapted by other state agencies, including closed loop event management technology that secures, logs, and provides audit management of baseboard management controllers and consoles of cyber assets.”

Let’s parse that and read it again:

“Government Code, to require that the biennial operating plan describe the state agency’s current and proposed projects for the biennium, including how the projects will address certain matters,…”

Looking good, it’s always nice to have a plan.

“…including using, to the fullest extent, technology owned or adapted by other state agencies,…”

Great! I’m all for sharing information among security professionals, that’s pretty much one of the fundamental pillars of the New School.

“…including closed loop event management technology that secures, logs, and provides audit management of baseboard management controllers and consoles of cyber assets.”

Wait, what?

Ok, I’ve heard of closed loop processing in Business Intelligence (A system is said to perform closed-loop processing if the system feeds information back into itself).  I’ve heard the phrase Closed-Loop in SOA.  But I’m sorry, the use of “closed loop event management technology that secures, logs, and provides audit management of baseboard management controllers” sounds like somebody lifted it from a vendor brochure.

Also, I know that this blog generally attracts some of the best and most forward thinking InfoSec readers/professionals – even if you disagree with us.  But if you need to go look up what a baseboard management controller  (BMC) is and does, to remind yourself, go right ahead.  I had to.

Now read the rest of HB1830S highlights there and put Section Six in context.

Is it just me, or does this seem like someone in Texas is trying to legislate the use of a specific vendor’s rather esoteric and specific security control?  I mean, even if BMC is really important in, say, SCADA systems – is there a reason that the dozens (?) of other agencies would have to waste their money on this?

And why legislate this specific technology?  Shouldn’t the agency security management be able to do their own risk assessments and prioritize based on the significant threats that, you know, they’re ACTUALLY SEEING?  And I’m not asking for Forests of Bayesian Belief Networks to establish risk and vulnerability information via Monte Carlo simulations here, I’m asking for a basic risk-based sanity check to make decisions, decisions based in reality, not fear.  I mean, a quick poll of Security pros on Twitter about the BMC and so far nobody has claimed to ever seen one piece of exploit code, more or less heard of an actual *incident*.  Now I’m sure that the State of Texas does a great job with Information Security and all, but I’m willing to bet good money that the BMC’s of their systems is the least of their security problems.

Bottom line, Legislating disclosure, policy, and even ensuring critical processes are in place is a useful endeavor, and the rest of HB1803 does a good job.  But legislating a specific technology is bad for a couple of reasons:

1.)  It removes management’s ability to expend resources on the actual problems they have. You are legislating without the context of risk, even poorly derived risk statements.

2.)  If it takes an act of legislature to force adoption, it will take a similar or more difficult act of politics to remove that technology when it’s outlived it’s usefulness (and one wonders if BMC securing technology would EVER be useful except in fringe cases).

Things Are Tough, Don’t Waste Taxpayer Money, Please!

HB1830S could be a good piece of legislation.  Strike the BMC aspect of Section Six and it becomes more than reasonable.  Heck, add “to the fullest extent POSSIBLE” or “to the extent that’s REASONABLE” and ask state CISO’s to provide Threat Event Metrics for the BMC if you want.  But please Texas, whatever this vendor is paying you in lobbying perks – it’s not worth the waste and hassle and the risk of derision from the parts of the Information Security community that actually happen to be concerned with public safety.