
Page 1: ISSA Journal May 2012

May 2012, Volume 10 Issue 5

Wi-Fi Positioning Systems: Beware of Unintended Consequences

Social Media Policy and the Law

Understanding Private Cloud Security

Perspectives on the Practice of Security Architecture

Using Component Categories and Relationship Mapping in Security Architecture

Page 2: ISSA Journal May 2012

Regis University offers a Graduate Certificate as well as a Master’s Degree in Information Assurance. With both programs, you have the option to take classes online or on-campus. Regis University is also designated as a Center of Academic Excellence in Information Assurance Education by the National Security Agency.

MASTER’S DEGREE

• Two year program
• Specialize in cybersecurity or policy management

GRADUATE CERTIFICATE

• Can be completed in less than a year
• Four classes (12 credit hours)

The curriculum is modeled on the guidelines and recommendations provided by:

• The Committee on National Security Systems (CNSS) 4000 training standards
• The (ISC)2 Ten Domains of Knowledge
• ISACA

Our Information Assurance programs are grounded in security but also focus on delivering the essential combination of IT and business acumen — creating a link between the server room and the boardroom.

KEEP YOUR CAREER ON TRACK

The program can be taken on campus or completely online.

LEARN MORE: www.regisdegrees.com/ISSA | 877.791.7188

Page 3: ISSA Journal May 2012


Table of Contents

Feature

12 Using Component Categories and Relationship Mapping in Security Architecture
By Kevin Stoffell – ISSA member, National Capital, USA Chapter

Five categories for grouping both technical and non-technical security architecture elements are presented that are consistent with the security control types found in most major control frameworks. Mapping of element relationships between the categories ensures traceability from policy down to individual technical functions and enables the architect to perform a more effective gap analysis of the entire architecture.

Articles

19 Wi-Fi Positioning Systems: Beware of Unintended Consequences
By Ann Cavoukian and Kim Cameron

This article explores the unintended consequences of location data being established, shared, and used through Wi-Fi Positioning Systems.

23 Social Media Policy and the Law
By Jon Banks – ISSA member, Metro Atlanta, USA Chapter

Organizations cannot escape social media’s ubiquitous presence and the unique challenges it creates. This article examines various laws and regulations that must be considered when creating social media policies in order to avoid these legal risks.

30 Understanding Private Cloud Security
By Yuri Diogenes – ISSA member, Fort Worth, USA Chapter and Dr. Tom Shinder

This article covers the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

35 Perspectives on the Practice of Security Architecture
By Tohru Watanabe – ISSA member, New York Metro, USA Chapter

This article reviews the current state of the practice in an effort to enhance the practice of security architecture.

Also in this issue

5 From the President
6 Herding Cats: The Invisible Mr. Security Guy
7 Sabett’s Brief: It’s the IP, Stupid!
8 Ethics and Privacy: Waging War in the Digital Age
9 Career Corner: Hidden Requirements
10 Association News
24 Book Review: Social Engineering: A Must-Have Book and Skill
40 toolsmith: Buster Sandbox Analyzer
43 Conferences
47 Crypto Corner: Lemons or Lemonade?

©2012 Information Systems Security Association, Inc. (ISSA)

The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219.


ISSA Journal | May 2012

Page 4: ISSA Journal May 2012


The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry and/or changes or enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Welcome to the May Journal
Thom Barrie – Editor, the ISSA Journal
[email protected]

So, is my phone spying on me?

Again?

Last year we were alerted to a little piece of embedded software the carriers use to maintain the quality of their networks – Carrier IQ. Ostensibly collecting only signal data between the device and cell towers, a researcher demonstrated it was, in fact, collecting a whole lot more.

Okay, let’s up the ante.

How does my phone know where it is? Location is determined by GPS signals, cell tower signals, or nearby Wi-Fi access points utilizing Wi-Fi Positioning Systems (WPS). Ann Cavoukian and Kim Cameron describe the Wi-Fi option in “Wi-Fi Positioning Systems: Beware of Unintended Consequences,” which got my “they’re watching me” hackles up.

WPS identifies wireless access points by MAC address and location. So, when I request location data while walking past a wireless hotspot, the WPS database gets queried with its MAC address. If it’s there, I get my location. WPS now has my MAC address and location as well.

So, here’s where the paranoid in me takes over. As I go about my life, passing this hotspot and that, are my movements being tracked? Is my home router now in WPS as well? Can someone determine when I’m home or when I’m not? Or where my home is? I just entered my coordinates in a random find-your-location page and it gave me my address – 30 seconds.

But then the rational part of me takes over and says, “Nah, my data is safe from prying eyes and sticky fingers. No problem.” And it sure is nice to know where I am.

On a brighter note, Russ McRee, long-time toolsmith author, has been awarded Honorable Mention in the American Society of Journalists and Authors 2012 Outstanding Articles Awards. See page 11 for details. Congratulations, Russ!

– Thom

ISSA Journal
Editor: [email protected]
Advertising: [email protected]
866 349 5818 +1 206 388 4584 x101

Editorial Advisory Board
Mike Ahmadi
Candy Alexander, Distinguished Fellow
Michael Grimaila, Fellow
John Jordan
Mollie Krehnke
Michael Machado
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Fellow

Services Directory
Website
[email protected]
866 349 5818 +1 206 388 4584
[email protected]
866 349 5818 +1 206 388 4584 x103
[email protected]
866 349 5818 +1 206 388 4584 x103
[email protected]
866 349 5818 +1 206 388 4584 x102
[email protected]
866 349 5818 +1 206 388 4584 x101

Headquarters
ISSA Inc., 9220 SW Barbur Blvd. #119-333, Portland, OR 97219 • www.issa.org
Toll-free: 866 349 5818 (USA only) • +1 206 388 4584 • Fax: +1 206 299 3366


Page 5: ISSA Journal May 2012

From the President

Hello ISSA members
Kevin L. Richards, International President

I don’t know what makes Corinthian leather special, but somehow, I feel like I really need it. I’m sure it’s better than the leather I already have – it must be – but I’m not sure why. (Right about now, I’m guessing you’re hearing Ricardo Montalban in your head, “r-r-rich, Corinthian leather…”)

“How are you solving your big data problem?”

I wasn’t aware that I had a big data problem, but now that I think about it, the data is big – it must be a problem. Although I’m not sure if I’m supposed to be worried about data elements that are big, or perhaps that I have to watch a bazillion files that are running around my network... Or maybe in my highly instrumented infrastructure of firewalls, servers, IDS/IPS, DLP, and other security tools, perhaps I do need a way to aggregate, correlate, identify, and understand events in my enterprise… That does sound like a problem.

Marketing plays a huge role in the products we buy. The challenge we face as a community is less about the things we buy, but more importantly around how we leverage those tools to solve significant problems. The sensitivity and focus on information security continues to be at an all-time high – in the media, in the boardroom, and in our daily practices. Focusing on the end goal – protecting our companies, our countries, and our families – will help us extract the maximum value from the tools we buy.

Speaking of marketing – branding more specifically – hopefully, you’ve noticed the beginning of our new branding initiative. Last month, we presented our updated tagline: Developing and Connecting Cybersecurity Leaders Globally. Along with the tagline, our Marketing Committee tackled the task of updating our logo – they did a great job! The new logo captures the essence of the ISSA – a global community protecting those things we find most valuable. The last phase of our branding effort will be a redesign of our web presence and our interaction with our member community. These updates will be completed over the next few weeks.

If you haven’t done so yet, save the dates for the ISSA International Conference – October 25-26, 2012. This year’s theme: The Magic Kingdom – Embracing a Changing World. New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney’s innovative vision, the cybersecurity community will gather at the Magic Kingdom to look at change as a chance to achieve excellence. Disruptions like big data, cloud computing, massive collaboration, and business transformation make it possible for us to blaze new trails and build effective foundations. This is an exciting time to be in the information security field. Details on the conference can be found at www.issaconference.org.

Finally, our International Board elections will be starting June 1. General, Government Organization, Corporate Organization, CISO Executive, and Lifetime members in good standing as of May 31, 2012, will be eligible to participate in the election. Ballots will be emailed to the address in each ISSA member‘s profile. Please take a moment to review your member profile to assure the ballot reaches you properly.

I am continually reminded of the power and passion of our members. Please join me in thanking all of the chapter officers for their continuing dedication, all who volunteer to support the ISSA, and, you, the ISSA members, for all that you contribute to our global community.

Cheers! Kevin

International Board Officers
President: Kevin L. Richards, CISSP
Vice President: Andrea C. Hoy, CISM, CISSP, MBA
Secretary/Director of Operations: Bill Danigelis, CISSP
Treasurer/Chief Financial Officer: Kevin D. Spease, CISSP-ISSEP

Board of Director Members
Debbie Christofferson, CISM, CISSP, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Geoff Harris, CISSP, ITPC, BSc
Steve Hunt, CPP, CISSP, Distinguished Fellow
Pete Lindstrom, CISSP
George J. Proeller, CISSP, CISM, Distinguished Fellow
Nils Puhlmann, CISSP-ISSMP, CISM
Ira Winkler, CISSP, Distinguished Fellow
Stefano Zanero, Ph.D., Senior Member

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.


Page 6: ISSA Journal May 2012


Herding Cats

The Invisible Mr. Security Guy
By Branden R. Williams – ISSA Fellow and member, North Texas, USA Chapter

Hey Mr. Security Guy… It’s time.

There are so many ways we can take this column from that intro, but here’s where I want to go today. The topic of the issue is Security Architecture, and it’s looking totally different with every passing day. If you have been in the industry for longer than ten years, think about how you used to focus your activities on one main firewall and a robust antivirus system to keep things running (aside from the random chaos monkey ripping core infrastructure offline). If you have been around for five years, think about all this compliance stuff we’ve had to deal with, primarily led by PCI DSS and in some cases the health care acts in the US and privacy acts in Europe. If you’ve been in for just a couple of years, think about hacktivism, advanced threats, and organized cybercrime that dominated 2011.

Security architecture is always in a strange place. Either it’s playing catch-up with new and innovative attacks, or its draconian nature undermines its ability to be functional to the business. The former tends to be much more of the norm as companies rely on basic stuff like compliance to allow them to redirect a few dollars toward more advanced things like advanced attacks. Draconian security exists in places like financial services and governments, but isn’t it interesting how some controls force people to think creatively about ways to defeat them? Does “Just email the attachment to my Gmail account” or “rename the .exe to .txt so my company’s filters won’t block it” sound familiar?

Another interesting phenomenon that’s happening is our physical control over resources is increasingly disappearing as we create efficiency in our systems by operating in an abstraction of the physical layer. If we can’t put our finger on the machine that is running some IT application anymore, how do we build architecture to secure it?

One challenge I am pushing people to take on is thinking about how security can be consumed transparently (i.e., built-in) by the end user. That forces the issue of securing information, wherever it may be. We have the technology – and it’s affordable! Ten years ago, very few companies used things like secure enclaves outside of physical processes in a physical world. Finding a company with an additional firewall in between a grouping of servers in 2002 could be the equivalent of seeing a leprechaun riding a unicorn on a rainbow. Today? It’s pretty common.

What about encryption for data at rest? In 2002 it didn’t happen that much either (albeit more than secure enclaves). Computing resources were much more expensive back then when you tried to accomplish things like encryption, but now embedded devices do it just fine.¹ There is almost no reason to trust any computing resource this day and age because we can architect solutions to enable business without blind trust. Ask yourself this: do you trust any network you connect to? Do you click through SSL Certificate warnings? Do you throw caution to the wind and avoid SSL altogether? Most of you probably don’t, but I guarantee someone close to you does.

¹ When they mind their ps and qs, that is…

It’s time for us to change our ways. We need automation, deep visibility into our systems and activities; we need the ability to build risk decisions into our infrastructure and to alter our posture in an automated and agile way. And the most important part, we can’t be jerks about it! We have to seamlessly integrate security into our businesses such that they don’t even know we were there. Security must be architected to be consumed transparently.

There’s an old business adage that reminds us that consumers want simplicity. They don’t want to jump through hoops to do business with any company. Business people don’t want to jump through hoops every time security shows up. They just want things to work; they want them to work well; and they need to focus on what they do best (which isn’t information security). If you’re banging your head against the desk every time you read something like this, consider that your approach may be all wrong. When’s the last time you sat down with business leaders and just let them talk about their business and what’s important to them? It’s painful at times, but building that rapport is critical to your unlocking the Security Ninja achievement!

About the Author
Branden R. Williams, CISSP, CISM is the Global CTO of Marketing at RSA, the Security Division of EMC, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.


Page 7: ISSA Journal May 2012

Sabett’s Brief

It’s the IP, Stupid!
By Randy V. Sabett – ISSA member, Northern Virginia, USA Chapter

My wife and I continually remind our 6-year-old daughter that “stupid” is not a nice word, so I know I’ll have some explaining to do when she sees the title of this month’s column. In my defense, I am using a modified version of “it’s the economy, stupid” to illustrate a point. Much of the work we do involves the intersection of privacy and security, with PII, PHI, and all other kinds of PI as the main focus. I would submit, however, that too many people are forgetting about (or, perhaps, ignoring) cybersecurity intrusions that lead to intellectual property (IP) theft.

In an appearance before the Senate Armed Services Committee last month, Gen. Keith Alexander, Director of the NSA (DIRNSA) and the Commander of the US Cyber Command (CYBERCOM), painted a somewhat bleak picture of our nation’s cybersecurity posture. Gen. Alexander observed that “[d]angers are not something new in cyberspace, of course.” He noted, however, that attacks on both critical infrastructure and corporate networks were becoming more severe and, in a very sobering and alarming tone, he stated “[t]he theft of IP is astounding.” This echoed Sen. Levin’s opening remarks, where he recounted that “the relentless industrial espionage being waged against US industry and government, chiefly by China, constitute[s] ‘the greatest transfer of wealth in history.’” Various public accounts support this (including recent reports of the ten-year network intrusion into Nortel networks).

Observing that “[c]yberspace has a scope and complexity that requires inter-agency, inter-service, and international cooperation,” Gen. Alexander described a host of challenges facing CYBERCOM. To address these issues, he described a number of different efforts and stressed the need for private sector involvement, including information sharing both with government and intra-industry. Many of these efforts are reflected in currently pending legislation.

As of this writing, there are two main bills on cybersecurity in the Senate and four in the House. To a greater or lesser extent, all address the issue of IP theft resulting from cybersecurity breaches. Echoing a view shared by many, Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence and co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), has stated publicly that “dangerous economic predators, including nation-states like China, use the Internet to steal valuable information from American companies and unfairly compete with our economy. The cost is staggering. Years of effort and billions of dollars in research and development, strategic business plans, communications, and other sensitive data – all are lost in seconds. The victims span all sectors of our economy, from small businesses to large pharmaceutical, biotech, defense, and IT corporations.”

The question of the hour in Congress is whether an appropriate balance can be struck between the many competing interests. The most vocal opponents of cybersecurity legislation raise privacy intrusions as the greatest concern. The authors of CISPA, the lead bill on the House side, have been feverishly revising their bill to address these concerns. Similar concerns have been raised with the Senate bills, though less work appears to have been needed to address privacy concerns.

Ultimately, what does all of this mean for the private sector? First, meaningful information sharing may, after many years of debate, become a reality under any compromise that winds up getting struck between the Senate and House cybersecurity legislation. Despite critics who have said that information sharing won’t work, an approach seems to be within reach that would: (1) protect private actors against unknown liability, (2) allow government to react more quickly and effectively to incoming threats, (3) provide more complete information to both, and (4) protect privacy concerns. Second, the continued focus on cybersecurity would seem to offer even greater opportunities for companies that take security and privacy seriously to differentiate themselves in the market. Finally, and perhaps most importantly, the public recognition by the government of IP theft as one of its greatest concerns means no company should take this threat lightly. No one is immune to threats from the broad array of attackers, whether advanced persistent threat (APT) actors or cyber activist groups. And with that, I’m now off to explain to my daughter why it’s OK for daddy and mommy to use the word stupid…

About the Author
Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC (www.zwillgen.com), an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency and can be reached at [email protected]. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.

Page 8: ISSA Journal May 2012

Ethics and Privacy

Waging War in the Digital Age
By Michael Starks – ISSA member, Fort Worth, USA Chapter

The ISSA International Ethics Committee is an active group of ISSA members missioned to maintain a framework for ethics relating to practices that support the ISSA Code of Ethics, provide guidance on ethical behavior for Information Systems Security professionals, and provide education and outreach that increase awareness and promote positive actions.

It was an attack straight out of a Hollywood thriller. A computer worm spread throughout the world, delivering its payload only when the true target had been found. Capable of exploiting four previously unknown vulnerabilities and gaining the trust of an operating system by way of digital signatures, it was clearly not the work of an amateur. Finally, it would find its target – an Iranian uranium enrichment facility – where it would proceed to change the speed of up to one thousand centrifuges, destroying them in the process. The world would meet Stuxnet, the first clear demonstration of what some call cyberwar.

It’s no secret that militaries around the world are developing cyber weapons. Young talent is recruited to poke and prod enemy systems, looking for ways to infiltrate the digital stronghold. Control or destruction of enemy computers is seen as the virtual equivalent of storming and conquering a hill. Critical infrastructure of all kinds is now controlled by computers. Control the computers and you control the enemy.

Smart adversaries won’t attack just the computers; they will attack an objective. The objective of Stuxnet was not the centrifuges, but to delay or stop the development of Iran’s nuclear program. An enemy’s surveillance drone could be shot down, or it could be reprogrammed into a missile and turned back at them. Remote-controlled military robots are now capable of carrying machine guns, giving first-person shooter an entirely new meaning.

War has rules. The Hague and Geneva Conventions set forth frameworks for conduct: how prisoners of war should be treated, the use of chemical weapons, impact to civilians, and access by religious and medical non-combatants. Ratified during a time when the concept of a modern-day computer worm was unthinkable, these rules have been fairly self-evident. It’s a human who performs the torture, fires the missile, or releases a chemical weapon.

Just as security transcends technology, so do ethics. In no other era could ethics be more essential than in wartime, and in no other context could security professionals find themselves more challenged. The questions are many and profound: Is it ethical to develop a worm that will destroy or delay the up-and-coming nuclear capability of a sovereign nation? What if there is a bug that causes unexpected damage, and what if that damage affects a civilian hospital? Where are the borders? Can the attack be contained? Can the virus or worm be called back when the peace treaty is signed?

Finally, what are the ramifications in an age when a machine can make basic choices for itself? Is a dispassionate, algorithm-based decision by a robot to kill a civilian a violation of the rules of war? If so, who is at fault? Is it the brilliant nineteen-year-old government-contracted programmer? Is it the systems administrator? Or is it the robot itself, only to then be tried, convicted, and sentenced to a life making spare parts for automobiles?

The line between a traditional and a virtual war will continue to become blurred. The wars of tomorrow will be fought on many fronts. Soldiers will use heads-up displays, drones will continue to roam enemy skies piloted half a world away, and worms will wiggle their way into enemy systems. There remains, however, one constant: Humans will be behind the technology, whether in the initial stages of development or deploying it onto the battlefield. This is where the ethical framework must exist.

Thoughts?

See page 34 for a comment on Connect.

About the Author
Michael Starks, CISSP, CISA, is a System Security Engineer for OmniAmerican Bank. He is a member of the ISSA Professional Ethics Committee, the OSSEC HIDS team, and is a founding member of the ISSA Rochester, NY Chapter. His personal blog is at http://www.immutablesecurity.com, and he can be reached at [email protected].

This column appeared in the March 2012 ISSA Journal.

Page 9: ISSA Journal May 2012

When beginning a search for an information security pro-fessional, our first step is to

have an in depth conversation with the hiring manager. Regardless of the level of the position, this initial discussion centers around the organizational chart, the responsibilities of the role, and ex-pectations for success. Hiring managers typically have a job description prepared with specific deliverables that the posi-tion is responsible for executing or man-aging. I’m sure you have seen many of these descriptions posted internally to your organization or externally on job boards. Many security job postings fo-cus on the technical requirements. What many people fail to recognize is that this is just the price of admission and far from a guarantee that the job is yours. Although many people focus on these written requirements when interview-ing, it is your ability to fulfill the hidden requirements that will ultimately land you the job.

The hidden requirements are traits that you have to make evident to your cur-rent employer or have the ability to con-vey to a potential employer. I speak often about differentiators, your ability to ar-ticulate the value you add to the overall success of your team and your company as a whole. One of the greatest differen-tiators is the soft skills that you bring to the table. It is essential that you recog-nize the importance of conveying these skills to a potential employer.

Make sure that you can identify and ar-ticulate a relevant situation or task, the action you took, and the result it had in relation to the following unwritten requirements. Although each corporate culture, specific position, and hiring manager may prioritize them different-ly, these three qualities are always differ-entiators in landing the job.

By Joyce Brocaglia

Hidden Requirements

Career Corner

Continued on page 39.

Organizational agility

When we talk about people, process, and technology, there's a reason why people come first. If you can't positively influence the people, all the processes and technology in the world aren't going to do it for you. You might be asked how you socialize your security program; they want to know how you achieve results without having direct authority or staff. You must be able to give examples where you were able to leverage your influence and get positive results. You must be able to highlight your organizational agility: knowing who to influence, knowing when and how to get things done through formal and informal channels. Whether or not you are interviewing, assess the strength of your organizational agility and work on making it better.

Effective communication

The only way you can communicate effectively is to articulate the business value. Know your audience and talk in a language that they are going to understand. One of the most difficult tasks for a technical information security professional to master is messaging. Learn to deliver the appropriate message to the appropriate audience. Focus on tailoring your security posture to the specific needs and risk appetites of the business. Utilizing shared goals and common ground will build credibility and gain consensus.

Ability to deliver

Almost every organization is over-committed and under-staffed. At the end of the day you have to prove your ability to manage, execute, and complete tasks successfully. Companies look for a track record of successful accomplishments in their leaders. Be able to articulate how you were able to make security an enabler, not a road block. Provide specific examples of difficult situations where you rose to the challenge and overcame adversity.

I have also found that there are certain personal attributes that companies prioritize when hiring information security professionals:

• Leadership: You must be passionate about your ideas and beliefs, willing to display the strength of your convictions. You must be optimistic and flexible, and you must truly care about your team.

• Confidence: In both yourself and in the importance of your mission.

• Business savvy: This is the ability to understand the particular business you are in, its mission statement, and goals relative to how your security posture aligns with them.

• Humility: Security roles are complex and require collaborating with many people with diverse skills. Appreciate that your opinion is not the only perspective.

• Passion: If you aren't excited about your work, why should anyone else care?

• Personal integrity: Integrity is the foundation upon which our industry is built.

• Tenacity: With the ever-increasing range of challenges we all face, the tenacity to succeed in the face of tall odds is an absolute requirement.

• Sense of humor: Because having a sense of humor is often inspiring to your co-workers.

Whether you are interviewing or not, do a little soul searching and ask your-

ISSA Journal | May 2012


Association News

Spring Selection Cycle Opens for Senior Member and Fellows

Applications for Senior Member and nominations for Fellow and Distinguished Fellow are currently open and will be accepted until June 14, 2012, at 11:59 p.m. US Pacific time. The submission guidelines and forms have been updated for this selection cycle; please consult the Fellow Program Guidelines and use the current forms to ensure you comply with all requirements. See www.issa.org/page/?p=269 for forms and details.

The Fellow Program recognizes sustained membership and contributions to the profession. No more than 1% of members may hold Distinguished Fellow status at any given time. Fellow status will be limited to a maximum of 2% of the membership. There is no limitation on the number of members who may be granted Senior Member status.

Qualifications

Senior Member
• 5 years membership
• 10 years relevant professional experience

Fellow
• 8 years of association membership
• 3 years of volunteer leadership in the association
• 5 years of significant performance in the profession, such as substantial job responsibilities in leading a team or project, performing research with some measure of success, or faculty developing and teaching courses

Distinguished Fellow
• 12 years association membership
• 5 years of sustained volunteer leadership in the association
• 10 years of documented exceptional service to the security community and a significant contribution to security posture or capability

If you have questions, please contact [email protected].

Meet the Candidates for Your International Board of Directors

Sixteen of your colleagues have been nominated as candidates for your International Board of Directors and are willing to give of their time to ensure ISSA continually strives to serve you better. Three candidates for International President and 13 for five Director positions were announced this week by Patricia Myers, chair of the Nominating and Election Committee.

President

• Debbie Christofferson

• Dave Cullinane

• Ira Winkler

Director

• Candy Alexander

• Eric Cowperthwaite

• Mary Ann Davidson

• John Dickson

• Garrett Felix

• Rick Moy

• Michael Peters

• Nils Puhlmann

• Brian Schultz

• Glenn Tenney

• Roy Wilkinson

• Vern Williams

• Stefano Zanero

Watch for the candidates' profiles in next month's issue. Your unique voter credentials will be sent to you on June 1. To vote you must be a General, CISO Executive, Lifetime, assigned Corporate, or Government Organizational member in good standing and have a current email address in your membership profile.

ISSA Web Conference

You've Got Humans on Your Network: Securing the End User

Live Event: May 22, 2012
Time: 9 am US Pacific / 12 pm US Eastern / 5 pm London
Generously supported by Wombat Security Technologies

Even the best technology can be circumvented; all it takes is timing and a good story. Melissa, I Love You, The World's Best Virus Scanner: what do these all have in common? They all circumvented security by tricking the users. As technology improves and the value of circumvention increases, the weakest link will become the end user. And don't kid yourself: APT campaigns have proven that end users will be targeted. This session will discuss the human element and its impact on security.

To register for this event, visit www2.gotomeeting.com/register/275275850.

For a full listing of the 2012 ISSA Web Conference Series, visit www.issa.org/page/?p=57.


Journal Author Receives National Writing Award

ISSA Senior Member and toolsmith author Russ McRee has been awarded the American Society of Journalists and Authors (ASJA) 2012 Outstanding Articles Award – Honorable Mention for "Memory Analysis with DumpIt and Volatility," ISSA Journal, September 2011.

"I am very pleased to have received Honorable Mention from ASJA," stated McRee. "The toolsmith column in the Journal is successful in large part thanks to the dedication and zeal of the tool developers and their commitment to making the Internet and computing environments safer. I learn much from them in the process and hope it is conveyed to the readership in that light."

McRee has been writing the toolsmith column monthly since October 2006, exploring a vast array of security tools while infusing the tireless pursuit of the bad guys with passion and wit. "Much appreciation is owed to the ISSA Journal for years of support and guidance," added McRee. "Recognition by the ASJA makes what is already my privilege all the more rewarding."

ASJA was founded in 1948 and serves as a professional organization of independent nonfiction writers, currently with more than 1400 members. "Prize-winning entries in the ASJA Awards reflect such writing and stylistic excellence that we authors read them and think 'I wish I'd written that!'" said Salley Shannon, ASJA's president. "We created the awards not just to honor outstanding work, but to inspire us."1

Congratulations, Russ!

1 ASJA 2012 Awards – http://www.asja.org/media/nr120323.php.

New Logo Unveiled for ISSA International

As security professionals, we live in an ever-evolving world. Our field is growing while gaining visibility and stature. Our career paths have been guided through our affiliation with ISSA. We have developed our expertise and become leaders in our specialties. As a result, last week the International Board of Directors approved a new logo that reflects our current forward-looking security community and complements the recently-adopted tagline, "Developing and Connecting Cybersecurity Leaders Globally." The new visual identity retains the familiarity that many associate with ISSA International. The new tagline and logo are our way of evolving with you, the information security expert, and those flocking to our profession.

Tell Us How You Are Embracing a Changing World and Win a Pass to the International Conference

ISSA Members,

I am looking forward to seeing you at the 2012 ISSA International Conference. On October 25-26 we will gather at the Disneyland Hotel in Anaheim, California, for discussions focused on our conference theme, "The Magic Kingdom - Embracing a Changing World." I'm sure we have all seen change in our organizations over the last year: migrations to cloud, organizational mergers, increased knowledge about cybersecurity threats by business leaders, and consumer devices brought into the enterprise environment. Although not always our first reaction, these fundamental shifts are an opportunity to use our hard-won knowledge to design systems and policies to improve the business functions and make our organizations safer.

"When we were developing the theme for this year's event, I looked back at all the changes my organization has faced, and I'm sure we are not alone," said Eric Cowperthwaite, CSO, Providence Health and Services, and Content Committee Co-Chair (2011 and 2012). "We must find ways to support our organization as it transforms its business models in the 21st century. Much of that is centering on adopting very innovative, forward-looking technologies: cloud computing, virtualization, big data, mobile devices. We can't stand in the way of that; it's critical to our business, but we still have to secure the organization. That's what this year's conference is all about."

ISSA members are leading the charge to improve security while embracing the change of this new era of big data, cloud computing, massive collaborations, and business transformation. We would like to feature your stories at the 2012 conference. How have you embraced change by looking beyond the challenges and making your businesses faster, better, smarter and, most importantly, safer?

Summarize your story in Connect at https://connect.issa.org/thread/2087 (postings must be made before May 18, 2012, to be considered for the contest; 500 words or less). Four lucky winners will be given a free conference pass* and will have their stories featured in the ISSA International Conference marketing.

We all look forward to hearing how you are embracing change,

Stefano Zanero
Board of Directors, ISSA International
ISSA International Conference Chair (2010-2012)

Visit www.issaconference.org for additional details on the conference.

*The prize does not include travel or lodging for the conference. Winners will be voted on by the conference planning committee. Committee members are welcome to contribute a submission; however, by submitting they will be ineligible to vote on contest winners.


Using Component Categories and Relationship Mapping in Security Architecture

By Kevin Stoffell – ISSA member, National Capital, USA Chapter

Abstract

The use of architectural component categories and relationship mapping can provide a useful tool for the security architect. Five categories for grouping both technical and non-technical security architecture elements are presented that are consistent with the security control types found in most major control frameworks. Mapping of element relationships between the categories ensures traceability from policy down to individual technical functions and enables the architect to perform a more effective gap analysis of the entire architecture. The relationship mapping also identifies requirements for architecture elements based on their interactions with other elements.

How can we efficiently categorize the components of a security architecture? What components actually make up an integrated, mature security architecture for an organization? How do those components relate to each other and to the organization as a whole? In this article I will provide an answer (not the answer, as there are as many answers as there are organizations in the world) to these questions and others while providing a methodology to analyze an organizational security architecture. Analyzing the relationships between the various security architecture components returns significant value: it identifies capability or process gaps that may exist and provides a road map for resolving those gaps.

Methods will be discussed for categorizing the security architecture components into five general categories (technical functions, human capabilities, structural descriptions, process/planning, and policy/governance). The component categories provide a framework for conducting a capability gap analysis and identifying organizational strengths and weaknesses in security functions, as well as potential duplication of effort. The categories are designed so that each security function within the organization must be supported in some fashion by components in each of the five categories, either directly or indirectly. The lack of a supporting component in one category for any security function will likely indicate a shortfall, while multiple supporting components may indicate unnecessary duplication of effort.


Using Component Categories and Relationship Mapping | Kevin Stoffell

Philosophy of terms

It seems at times that the information security industry is required by secret by-law to change terms every five years or so. Even in the last 15 years, we have morphed through "information security," gone on to "information assurance," swung part of the way back to "information security," with subtle hints that "mission assurance" is about to become mainstream, and with many other terms thrown in from time to time in one industry or another. For consistency throughout this article, I will use the term security to encompass the concepts of confidentiality, integrity, and availability, and not restrict the use of the term to confidentiality-related issues. Depending on the goals of the organization, the security architecture may have few or possibly no purely confidentiality-related functions and be concerned primarily with availability, whereas in another organization confidentiality concerns will reign supreme. Feel free to mentally insert integrity or availability wherever you see security. For those readers who have been around for a while, feel free to roll non-repudiation or authentication into the term usage as well.

A philosophical note on architecture

What is a security architecture? While this question may seem trivial, I would challenge you to ask five non-architect security professionals and would wager you will receive at least two or three significantly different answers. You will receive only two or three different answers because at least two out of any five people you ask will certainly reply with some variation of "diagrams and supporting artifacts," and another couple will probably provide a more complete answer along the lines of "the technical structure that provides security services to the organization." Neither of these answers is wrong; however, they are both significantly incomplete.

I propose, at least for this discussion, that we consider the following:

A complete security architecture is (1) an integrated set of technical and human functions, (2) the structural and relational descriptions of those functions, (3) the process and planning elements surrounding and supporting the functions, as well as (4) the policy and governance applied by an organization for control and direction.

All of the security-related functions (human, automated, and governance) can be grouped together into the five component categories (technical functions, human capabilities, structural descriptions, process/planning, and policy/governance) to aid in mapping relationships and performing a gap analysis of organizational capability.

I will discuss these component categories of an integrated security architecture in more detail in the following section, but for now consider the proposal that components in each of the five general categories exist in any organization with an Information Technology security mission, regardless of the emphasis placed on that mission. Unfortunately, in many organizations one or more of the component categories is ascendant and tends to obscure or limit the focus applied to other categories. For instance, the technical capabilities (widgets, devices, applications, interfaces, etc.) are often the primary focus of the security efforts. We are long past the point where most security professionals think a new widget will magically secure their environment, regardless of what the vendors at the trade shows say. However, many still persist in thinking that a group of loosely connected or even stand-alone security products will solve our problems without fully considering the non-technical elements required to support them.

A good, well thought out suite of technological components is a vital portion of any integrated security architecture. There is simply no way to operate an effective security program without a significant number of technological devices and functions. What I am asking you to consider is that while the technological elements of a security architecture are critical to the overall success of the program, a well-designed, integrated set of products that complement one another is vastly superior to a much larger quantity of semi-random technologies chosen based on one or more unique functions. Also consider that the technological elements must be supported by the other architecture components, which are very much non-technical in nature, to be effective. The cost of effectively operating cutting-edge technical components is normally very high in terms of the human skills required and the organizational processes necessary to take a technical component from simply "turned on" to effectively operating. Unfortunately, I have personally witnessed a number of organizations having a lot of very complex and nominally effective technical components that were pulled out of a box, usually by a vendor representative, and turned on with basic configurations, but are providing questionable value since the organization simply did not have the operators necessary to reconfigure or tune the systems, nor did they have the established organizational processes (e.g., change management program, threat intelligence, etc.) in order to manage the systems well over time.

Components of an effective security architecture

As noted in the introduction, there are five basic categories of security architecture components. It is certainly possible to combine some of the categories, or further decompose the component categories into more granular components, but I have found that grouping security-related components and



functions into these categories tends to make the most organizational sense. These categories are also consistent with many of the common supporting processes (e.g., Systems Design and Engineering, Program Management) and Information Assurance (IA) control frameworks, which allows mapping of dependencies, requirements, and constraints among the components. You will find that the controls defined by many of the common security control frameworks can be easily mapped into these component categories.

1 - Technical functions component

The technical functions of the security architecture consist of the sum of all security functions provided by the systems, devices, and applications in the organization.

You will notice that this definition is not restrained to particular systems (e.g., those run by the security department), but includes all systems that have security functions. All security functions inherently have some operational cost and maintenance cost, even if very low. Many require specialized knowledge or skills to operate or maintain effectively and are often maintained via a human-based organizational process. In all cases, technical security functions must fit into the organizational governance structure in some fashion to ensure consistency of application across multiple systems with the same functions, to ensure compliance with regulatory requirements, and to ensure effective performance based on the organizational security posture. Additionally, most technical security functions will have some description/documentation requirement, either to maintain configuration control or for recovery/reconstitution purposes.

2 - Human capabilities component

The human capabilities component of the security architecture consists of the human resources and skill sets available to the organization for the performance of security-related duties.

Again, this is not limited to one portion of the organization, but is intended to be inclusive of all elements in the organization that perform security functions or critical supporting processes of the security architecture. This extends from the junior system administrator for some technical security functions to C-level management for policy decisions, and all layers in between. Every individual involved in the security functions or related processes of an organization needs some level of security awareness and knowledge that can often be difficult to quantify.

3 - Structural descriptions component

The structural descriptions component consists of the sum of the documentation, diagrams, and artifacts describing security-related functions and processes within the organization.

The reason I term this category structural descriptions and not diagrams is that it is much more than just the technical drawings. This category encompasses the relationships between organizational business units, information exchanges both technical and human, and dependencies between processes. While documentation for the sake of documentation is typically counterproductive, many organizations fail to properly estimate how much actual documentation is needed to support security functions. Not having important configuration information recorded can delay disaster recovery efforts more than missing hardware, and lack of appropriate diagrams during incident response can cause response failures or delays just as easily as poorly trained responders. But selecting the right level of detail in documents and artifacts can be assisted by an examination of the relationships with other components in order to develop a list of required documents/artifacts and what they must contain.

4 - Process and planning component

The process and planning architecture component comprises the organization's planning efforts and supporting processes that enable security functions.

The systems engineering, program management, acquisitions, and many other processes not directly associated with the traditional security department functions are critical to supporting an effective security architecture. Many of these supporting processes have either direct or indirect relationships to the security architecture that must be understood and leveraged. A very common failure in many organizations is when the security department does not fully understand the acquisitions or systems engineering processes. This is especially prevalent in very large organizations where the acquisition process may be a "black box" where requirements go in and some widget eventually comes out. In cases like that, incomplete requirement specification often leads to product selection within the acquisitions chain that fully meets the specified requirements, yet misses some function or requirement that would be obvious to the security professional but completely opaque to the acquisitions professional. One of my least favorite tasks has been to sit in a room with a representative from the acquisitions department and one from the legal department and attempt to articulate complex security requirements in both acquisition "speak" and legal "speak." Unfortunately, it is an absolutely necessary task in many large organizations (or the government) where acquisitions are controlled by an acquisition or purchasing department.

5 - Policy and governance component

The policy and governance component consists of all organizational strategy, policy, or governance structure that directs, implies, or supports security functions and security management.

Examples of components in this category would be the organization's risk governance and tolerance, acquisitions policies, and the obvious information security policy. Many organizational policies or mission statements will state goals that imply security requirements even though they are not specifically security policies. In this area, the security architect likely has little direct control, but with a proper understanding of relationships within the organization may be able to exert some influence on even non-security-related policy, assuming the security architect or security manager is able to relate security requirements to financial or mission risk.

Relationship mapping

We have discussed five component categories for security architecture. While useful for categorizing security-related functions, what value do the component categories provide? They provide a useful structure for mapping relationships within the organizational security architecture. In this area I will issue a challenge to the reader. Take any security-related technical function (e.g., user authentication) related to confidentiality, integrity, or availability. Make an effort to prove that the function has no relationship whatsoever with something from each of the other four component categories. While I fully expect most people will be able to find at least one example of a security-related technical function that fails to have a relationship to at least one of the component categories, it may be harder to find than you assume. For any non-trivial security function, if you think there is no relationship, it may be that you are not looking hard enough. In cases where I have personally located a truly independent technical function, there usually followed a discussion concerning the purpose of that function and what value it provided to the organization, with the phrase "because that is how it has always worked" or some variation thereof in the conversation. The most common example of this is when a technical security function is enabled due to a security guide or other governance requirement from outside the organization. Often a check-box is checked or a technical function otherwise enabled with no supporting change to policy, documentation, process, or personnel training, and the long-term effectiveness of the technical function is questionable at best without that support.

User authentication

For an example, I will choose a very basic security technical function that normally operates nearly autonomously: user authentication in an environment that uses Microsoft Active Directory. While this is a relatively simple function to implement, at least from a purely technical perspective, we start seeing some complexity when we consider the relationships to the other four component categories that need to be addressed in the overall security architecture. First, we will consider the human skills involved in managing the Active Directory (AD) account base effectively. Notice the effectively qualification in the last statement. You can largely set it all up once, with heavy automation on account creation, and very nearly forget about it. Some organizations do this and simply clone existing accounts, including full permissions and group memberships, whenever a new account is required. Often these same organizations do not periodically review the existing account base and remove unnecessary accounts or permissions.

While the skills required to effectively manage the AD account base are not particularly high (we will omit the skills required to effectively manage all of AD for the purposes of this example, which can be considerably higher), user accounts must still be created, modified, and deleted to enable user authentication, even though the authentication process itself is completely automated. The account administrator position must have appropriate training/skill requirements associated to ensure the individuals involved at least understand the basic Windows security model of permissions and group assignments, the general concept of role-based access,

ISSA Journal | May 2012

Page 16: ISSA Journal May 2012

16

Using Component Categories and Relationship Mapping | Kevin Stoffell

vulnerabilities can be introduced by weaknesses in the ac-count creation process itself. If the documentation covering allowed permissions for user roles is nonexistent or incorrect, excessive permissions might easily be granted for either rogue accounts or legitimate accounts that might be used incorrect-ly. Simply giving a new employee the same permissions as an existing employee might also generate either an intentional misuse from the insider threat or a completely unintentional failure if the new employee is not yet trained on the systems being operated and causes unintentional data loss or data in-tegrity failures.

Figure 1 details the example relationship mapping using a graphic. For more complex mappings, the use of a commer-cial architecture tool and an appropriately adapted architec-ture framework (e.g., DODAD, FEAC, etc) is advised. In a full implementation, a set of defined relationships would be used for mapping between components.

Value of the analysisAs an analysis tool, mapping dependencies between the ar-chitecture component categories can provide a direct value to the security architect. Referring back to the challenge I issued earlier to locate a technical security function and provide it has no relationship to at least one of the other four catego-ries, I will now issue part II of the challenge. If you were able to locate something without a visible relationship to one or more of the other components in your organization, ask the question: Should it have a relationship, and if not what value does it provide? In some very rare cases the answer might be no to the relationship portions and high to the value portion, but I suspect you will find that the answer is typically yes the relationship portion if there is any value to the function.

and be sufficiently skilled and expe-rienced to actually understand any automation placed on the account creation/modification routines. Ad-ditionally they should have either personal knowledge or a resource available to them in order to un-derstand something of the business requirements of the organization so they can ensure a user actually has the proper access. In too many cases I have seen an account admin being told to just clone an existing employ-ee account for a new employee, usu-ally with no understanding on the part of the manager that requests it nor the account administrator what effective permissions have now been assigned to an employee on day one with the organization. If the permis-sion level granted is too low, it likely results in minimal impact since ad-ditional rights can be requested. However, when is the last time you had an employee request rights be removed because he or she was granted too high of a permissions level?

If we take a quick look at the interactions between the component categories, we see there is a relationship to the human resource requirements for training and experience (component 2), not just technically, but in the organizational business processes itself. We see a potential need for some type of documentation (component 3) that identifies appropriate permissions and rights for users assigned to particular business functions, as well as some documentation or artifact detailing the human side of the account management actions. We see the need for some type of account management process (component 4) that identifies who can authorize a new account with associated permissions, and some series of technical and approval steps required for account creation, modification, and deletion. Finally, there is an implied requirement that an account policy exists (component 5) that specifies roles and responsibilities and the requirement for some configuration guidance to be applied to Active Directory.

Overall, this is a pretty basic function, but we have easily identified direct or indirect dependencies between a fully automated (once configured) technical function and multiple other architecture components. A weakness in any one of the dependencies has the potential to be a security weakness in the automated technical function. For instance, if organizational policy covering account management fails to identify strict approval authority and roles, from whom does the system administrator take account requests? That leaves the door wide open to a social engineering attack to generate rogue account requests or an insider attack generating phony accounts to cover unauthorized employee actions. The same

[Figure 1: a relationship map laid out in five columns, Technical Functions, Human Capabilities, Structural Descriptions, Process and Planning, and Policy and Governance. Technical Functions: User Authorization (automated); Create, Edit, Delete Accounts. Human Capabilities: User Admin Role; Security Auditor Role. Structural Descriptions: User Account Database; Authorized Accounts List; Authorized Account Validators; Role to Permission mapping. Process and Planning: Account Management Process. Policy and Governance: Account Policy. The arrows between elements are labelled Enables, Audits, Updates, Authorizes, Executes, Governs, and Authorizes/Governs.]

Figure 1 – Sample relationship map.


As an example, a common security technical function recommended for activation on Windows networks in many security configuration guides is Server Message Block (SMB) signing. It is a very useful security function that mitigates certain types of client-to-server man-in-the-middle attacks. Within a Windows network it can be activated by a simple setting within Group Policy. It can absolutely be configured by a single individual making changes based on a security configuration guide, and likely run for years with no problems in many environments. In some organizations, a setting like this might initially be considered independent of the other categories. However, to be effective and maintained, the system administrators certainly need to understand it is there and what it does for troubleshooting purposes, the setting needs to be documented and audited to ensure it remains functional, and the acquisition process needs to consider interoperability with this setting in the acquisition of new products.

I encountered a scenario several years ago where this particular setting was integrated into the system administration operations side of an organization, but not by the acquisitions process, even though the requirement was identified in policy. This resulted in some very important technical components (storage appliances in this case) not being compatible with SMB signing in a Windows network, resulting in quite a few wasted man-hours due to incorrect identification of technical requirements. This can be easily traced to a failure of the acquisition entity to incorporate existing policy/guidance into the acquisition process for product selection. As you can see in figure 2, this can be shown as a failure in the governance relationship between the equipment acquisition process and the mandatory security configuration guidance. This resulted in a failure of the acquisition process to support a required technical function for certain devices. In the particular case I drew this example from, there was actually no existing relationship between security governance and the product acquisition process in the organization – the acquisition process was concerned with functional requirements only – and this problem identified a particular deficiency that resulted from not having the relationship between security governance and product acquisition firmly in place.

[Figure 2: the same five columns, Technical Functions, Human Capabilities, Structural Descriptions, Process and Planning, and Policy and Governance. Technical Functions: SMB Signing. Human Capabilities: Group Policy Administrator; Security Auditor Role. Structural Descriptions: GPO settings. Process and Planning: GPO Management Process; Equipment Acquisition Process. Policy and Governance: Mandatory Security Configuration Guide. Arrows are labelled Enables, Audits, Updates, Executes, and Governs; the governance relationship between the Mandatory Security Configuration Guide and the Equipment Acquisition Process is the one that is missing.]

Figure 2 – Example of an incomplete relationship map.

The goal of relationship mapping is to ensure that all technical security functions are supported by the enabling elements in the other component categories and that a clear chain of relationships exists between the technical functions and the overall organizational policy and governance. There should be no orphans within any of the component categories: every element should have some relationship, either to elements of the same category or to another category, that can be traced to both technical functions and policy. This provides two distinct values to any organization.

First, you can ensure that your technical functions are supported by human resources, documentation, and management/maintenance processes, and authorized/governed through policy. This not only can identify the functions that do and do not provide value, but may identify a gap in one or more of the other component categories that needs to be addressed.

Second, if you have a known or suspected gap in one or more of the four non-technical component categories, mapping the technical functions to the appropriate elements in each of the categories will provide a road map of what is missing from the overall architecture. For example, if you have no account policy in your organization, once you have mapped all of your technical security functions related to accounts or user authentication, the orphan technical functions that do not map to an existing policy or governance chain become candidates for a new policy or modification of an existing policy. While it is certainly not necessary to address every technical function directly in a high level policy, you do need to ensure some governing authority or lower level process is set forth in policy to manage every technical function and provide authority to a manager to provide detailed guidance or governance for specific types of technical security functions.

The relationships provide a guide to the required contents for structural descriptions, processes, and policy, as well as provide input to the training programs for human skill development. When a role such as user administrator has been mapped to all technical functions associated to that role and relationships are made between supporting elements across all the component categories, the relationship map of the various functions will show both the required skills and resources that must be available to the role, as well as interfaces with various processes.

Unfortunately, a recurring theme I have seen in mapping technical functions to human resources, documentation, processes, and policy is the lack of technical function ownership and governance. Due to the plethora of technical functions embedded in both security-specific and general use IT products, many functions are left in the default state, or configured to whatever extent the system administrator has the capability to accomplish. Especially in the case of security products, different vendors often have overlapping functionality embedded, and for most practical suites of products you may have multiple products that perform the same functions or are capable of doing so. This potentially creates a scenario where the organization is duplicating effort unnecessarily where two products are running duplicate functions. In other cases system administrators may assume the security function is being provided by another system and disable the function in their system without realizing the function does not carry over to their system or is not, in fact, running elsewhere. The architectural relationship mapping allows easier identification of duplication or gaps.
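The orphan check, the chain-to-policy check and the duplicate-function check described in the preceding paragraphs, applied to the account management map of figure 1 and the SMB signing map of figure 2, as an added Python example. It is not the author's tooling and not a commercial architecture tool: the element and relationship labels are transcribed from the two figures, but the direction of each arrow, the "provides" capability tag used to spot duplicated functions, and the analysis rules themselves are this example's own assumptions.

```python
"""Relationship-map analysis across the five security architecture component
categories. Added illustration, not the article's tooling: element and
relationship names are transcribed from the article's figures 1 and 2; arrow
directions, the 'provides' capability tag and the analysis rules are assumed."""
from collections import defaultdict, deque

TECHNICAL = "Technical Functions"
HUMAN = "Human Capabilities"
STRUCTURAL = "Structural Descriptions"
PROCESS = "Process and Planning"
POLICY = "Policy and Governance"


class RelationshipMap:
    """Elements grouped by category, joined by labelled relationships."""

    def __init__(self):
        self.category = {}              # element -> category
        self.capability = {}            # technical function -> capability it provides
        self.links = defaultdict(set)   # element -> {(relation, other element)}

    def add(self, element, category, provides=None):
        self.category[element] = category
        if provides:
            self.capability[element] = provides
        return self

    def relate(self, source, relation, target):
        # Stored in both directions so a chain can be followed from a technical
        # function up to policy as well as from policy down to the functions.
        for name in (source, target):
            if name not in self.category:
                raise KeyError(f"unknown element: {name}")
        self.links[source].add((relation, target))
        self.links[target].add((relation, source))
        return self

    def orphans(self):
        """Elements with no relationship at all: the first thing to question."""
        return sorted(e for e in self.category if not self.links[e])

    def chain_to_policy(self, element):
        """Shortest relationship chain (breadth-first) from an element to any
        Policy and Governance element, or None if no policy governs it."""
        queue = deque([(element, [element])])
        seen = {element}
        while queue:
            current, path = queue.popleft()
            if self.category[current] == POLICY:
                return path
            for _, nxt in self.links[current]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
        return None

    def ungoverned_functions(self):
        """Technical functions that cannot be traced to any policy."""
        return sorted(e for e, c in self.category.items()
                      if c == TECHNICAL and self.chain_to_policy(e) is None)

    def duplicated_capabilities(self):
        """Capabilities provided by more than one technical function."""
        by_cap = defaultdict(list)
        for fn, cap in self.capability.items():
            by_cap[cap].append(fn)
        return {cap: sorted(fns) for cap, fns in by_cap.items() if len(fns) > 1}


def analyze(rmap):
    return {"orphans": rmap.orphans(),
            "ungoverned": rmap.ungoverned_functions(),
            "duplicates": rmap.duplicated_capabilities()}


def figure1_map():
    """The account management map of the article's figure 1."""
    m = RelationshipMap()
    m.add("User Authorization (automated)", TECHNICAL, provides="user authorization")
    m.add("Create, Edit, Delete Accounts", TECHNICAL, provides="account lifecycle")
    m.add("User Admin Role", HUMAN).add("Security Auditor Role", HUMAN)
    m.add("User Account Database", STRUCTURAL).add("Authorized Accounts List", STRUCTURAL)
    m.add("Authorized Account Validators", STRUCTURAL).add("Role to Permission mapping", STRUCTURAL)
    m.add("Account Management Process", PROCESS).add("Account Policy", POLICY)
    m.relate("User Admin Role", "Executes", "Create, Edit, Delete Accounts")
    m.relate("Security Auditor Role", "Audits", "User Account Database")
    m.relate("Create, Edit, Delete Accounts", "Updates", "User Account Database")
    m.relate("User Account Database", "Enables", "User Authorization (automated)")
    m.relate("Role to Permission mapping", "Enables", "User Authorization (automated)")
    m.relate("Authorized Accounts List", "Authorizes", "Create, Edit, Delete Accounts")
    m.relate("Authorized Account Validators", "Authorizes", "Authorized Accounts List")
    m.relate("Account Management Process", "Governs", "Create, Edit, Delete Accounts")
    m.relate("Account Policy", "Authorizes/Governs", "Account Management Process")
    m.relate("Account Policy", "Governs", "Role to Permission mapping")
    return m


def figure2_map():
    """The SMB signing map of figure 2. The governance link from the configuration
    guide to equipment acquisition is deliberately absent, as in the article."""
    m = RelationshipMap()
    m.add("SMB Signing", TECHNICAL, provides="SMB signing")
    m.add("Group Policy Administrator", HUMAN).add("Security Auditor Role", HUMAN)
    m.add("GPO settings", STRUCTURAL)
    m.add("GPO Management Process", PROCESS).add("Equipment Acquisition Process", PROCESS)
    m.add("Mandatory Security Configuration Guide", POLICY)
    m.relate("Group Policy Administrator", "Updates", "GPO settings")
    m.relate("Group Policy Administrator", "Executes", "GPO Management Process")
    m.relate("GPO settings", "Enables", "SMB Signing")
    m.relate("Security Auditor Role", "Audits", "SMB Signing")
    m.relate("Mandatory Security Configuration Guide", "Governs", "GPO Management Process")
    m.relate("Mandatory Security Configuration Guide", "Governs", "GPO settings")
    return m
```

Run on the figure 2 map, `analyze()` reports Equipment Acquisition Process as an orphan, which is the missing governance relationship the storage appliance problem was traced to; the figure 1 map comes back clean, with each technical function reachable from Account Policy. Adding a second product that also provides "SMB signing" makes `duplicated_capabilities()` flag the pair, the duplication scenario described above.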

Summary

We have looked at five categories into which security architecture components can be grouped. We have discussed the value of mapping relationships between components across the categories and performing an analysis of those relationships. This methodology, when adapted to a particular architect and environment, can provide significant value in the organization of the security architecture and significantly limit the likelihood of omissions. These categories and relationship mapping techniques provide a valuable tool for the architect when conducting a gap analysis of the technical and non-technical elements of security architecture. Additionally, they can provide a road map for the development of missing or insufficient elements of the architecture.

About the Author

Kevin Stoffell, CISSP-ISSAP, ISSEP, ISSMP, CAP, CISA, CEH, CSEP, PMP, is a Cyber Security Architect for the Battelle Memorial Institute working primarily in the federal government and military sectors. He has over 16 years' experience in the information security field. He was assigned to both the Acquisition and Cyber Defense commands within the Marine Corps prior to retiring. He may be contacted at [email protected].


Abstract

This article explores the unintended consequences associated with location data being established, shared, and used through Wi-Fi Positioning Systems (WPS). WPS relies on wireless access points for location coordinates and makes use of the Media Access Control (MAC) address that identifies a device on a local area network. Since each access point is assigned a unique MAC address, which is designed to be persistent over the lifetime of the device, a number of identity and privacy issues may arise from unintended uses of this information.

Taking advantage of the rapid growth of wireless access points (Wi-Fi) in urban areas, Wi-Fi Positioning Systems (WPS) emerged as an idea to solve situations where GPS signals may be weaker, or where the use of GPS puts too much strain on the device's battery. By relying on Wi-Fi access points, WPS allows for more rapid and accurate determination of a given phone's location.

Despite the advantages to mobile phone users that WPS has introduced, recent events involving several major mobile platform operators have prompted increased scrutiny over the extent of location data collected by smartphones and disclosed to third parties who fall outside the telecommunications regulatory environment.1 This paper explores the unforeseen and unintended uses of pre-existing architecture involving the collection and use of Wi-Fi device identifiers to create Wi-Fi Positioning Systems.

The unforeseen uses of pre-existing architecture

The Media Access Control Address2 (or, more commonly, MAC address) is an essential design feature for the proper operation of this architecture. The MAC address was created as an identifier for local area network devices by IEEE Project 802 in order to "identify items of real physical equipment, parts of such equipment, or functions that apply to many instances of physical equipment"3 (See figure 1).

1 Yukari Kane, "House Presses Apple, Google, Others on Location-Tracking Practices," The Wall Street Journal, April 26, 2011.

2 Also referred to as the Extended Unique Identifier or "EUI-48." A mix of numbers and the first six letters of the alphabet (e.g., 00-1F-3F-D7-3C-58).

Figure 1 – 802.11 frame highlighting MAC address.

A prominent way in which the MAC address is being used for purposes other than the support of networked communication is the development of Wi-Fi Positioning Systems. WPS functions by mapping the locations of Wi-Fi access points, indexed by their MAC addresses, and comparing these against the access points visible to an end-user device to determine the device's location. A vast array of these access points has been constructed from individuals and businesses, in addition to the "hot spots" available in airports, hotels, coffee shops, public libraries, etc. Companies that provide the positioning technologies, such as Google and Skyhook Wireless (used for applications such as Google maps) make their location databases linking hardware IDs to street addresses publicly available on the Internet. If someone captures or already knows a specific MAC address, Google and Skyhook's services can reveal a previous location where that device was located. This can in practice reveal personal information including home or work addresses or even the addresses of restaurants frequented.4

3 See IEEE Standards Association. Guidelines for Use of EUI. Accessed January 13, 2011. http://standards.ieee.org/regauth/oui/tutorials/UseOfEUI.html.

4 Declan McCullagh. "CNET News Privacy Inc. Exclusive: Google's Web mapping can track your phone." CNET, accessed March 12, 2012, http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone/.

Wi-Fi Positioning Systems: Beware of Unintended Consequences

By Ann Cavoukian and Kim Cameron

[Figure 1: an 802.11 frame laid out as Header (Frame Control, Duration ID, Other Controls, MAC Addresses), Frame Body (Payload), and Checksum, with the MAC Addresses field highlighted. Sample MAC address shown: 00:58:F0:F2:bC:92.]
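The identifier format that footnotes 2 and 3 refer to (EUI-48, with the manufacturer's OUI in the first three octets) is worth seeing decoded, because two low-order bits of the first octet tell an analyst whether an address is the manufacturer-assigned, persistent kind of identifier this article is concerned with, and because a database keyed on MAC addresses has to treat "bC" and "BC" as the same key. The following Python is an added example, not code from the article or from the IEEE; the only value taken from the page is the sample address 00:58:F0:F2:bC:92 from figure 1, and the other addresses in the checks are constructed.

```python
"""Decode the structure of an EUI-48 (MAC) address.
Added example; 00:58:F0:F2:bC:92 is the sample address from the article's
figure 1, every other address used with these functions is constructed."""
import re

_HEX12 = re.compile(r"[0-9A-F]{12}")


def parse_mac(text):
    """Parse '00:58:F0:F2:bC:92', '00-1F-3F-D7-3C-58' or '0058.f0f2.bc92'
    and return the fields that matter when the address is used as an identifier."""
    digits = re.sub(r"[:.\-]", "", text.strip().upper())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not an EUI-48 address: {text!r}")
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    first = octets[0]
    return {
        # IEEE hexadecimal notation, the form used in the article's footnote 2
        "canonical": "-".join(f"{o:02X}" for o in octets),
        # Organizationally Unique Identifier: the block assigned to a manufacturer
        "oui": "-".join(f"{o:02X}" for o in octets[:3]),
        # bit 0 of the first octet (I/G): 0 = individual (unicast), 1 = group
        "group": bool(first & 0x01),
        # bit 1 of the first octet (U/L): 0 = universally administered (assigned
        # under an OUI), 1 = locally administered, so no manufacturer is implied
        "locally_administered": bool(first & 0x02),
        "broadcast": all(o == 0xFF for o in octets),
    }


def same_identifier(a, b):
    """True when two differently written addresses name the same device, which is
    what a location database keyed on MAC addresses must decide on every query."""
    return parse_mac(a)["canonical"] == parse_mac(b)["canonical"]


def persistent_hardware_id(text):
    """A unicast, universally administered address is the manufacturer-assigned,
    lifetime identifier the article is concerned with."""
    fields = parse_mac(text)
    return not fields["group"] and not fields["locally_administered"]
```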


In addition to the MAC address, the Service Set Identifier (SSID) is an additional identifier for Wi-Fi access points (those devices, such as wireless routers, that provide Wi-Fi access to end-user devices). Often referred to as the "network name," this SSID is included in a "management beacon" which communicates information about the network (connection speeds supported, identifiers, etc.) to all nearby devices. While the Wi-Fi access point's SSID broadcast feature can be disabled, the SSID will nevertheless appear in some of the management packets transmitted on that wireless network.5

WPS data collection and use

WPS can be divided into two primary stages: the collection of MAC addresses of Wi-Fi access points and their associated locations into a database, and the use of this database to locate end-user devices. Though these two functionalities will, in practice, occur simultaneously and inform each other, for clarity we will separate the two in the discussion that follows.

Collecting and locating Wi-Fi access points for a WPS database

The collection of MAC addresses from Wi-Fi access points can be achieved in two ways: active and passive scanning.6 Active scanning involves sending out a probe to nearby access points and recording the network access device identifiers.7 Passive scanning typically records the periodic beacon frames transmitted by each wireless access point. Those who build WPS databases for commercial purposes by geo-tagging Wi-Fi access point data are dubbed "location aggregators." These aggregators provide third parties with access to their WPS databases for location-based application development and advertising.

The potential for unintended uses of the MAC address increases significantly if additional data is added to that captured by a WPS system. Identifying, classifying, and storing information about uniquely identified devices in WPS databases raises the possibility of data linkage. Data, and databases, cannot be considered in isolation; in fact, it is frequently in combination with other information that data will become a significant privacy concern. It is known, for instance, that multiple services exist which can convert any numerical location (such as latitude/longitude) of a Wi-Fi access point to an identifiable location (an address, for instance). Once this has been established, the address could be combined with White Pages information (if the location is a house) to infer the name of the access point's owner.

It is important to understand that the privacy and data rules that apply to telecommunications companies may not cover the collection of WPS data. Telecommunications companies have always been able to locate devices to provide telecommunications coverage under a regulated environment; this tracking is network-based.8 However, many new location-based services, such as WPS, are enabled by third parties who fall outside this regulatory environment, which again introduces new privacy issues. For example, US law requires a telecommunications carrier to obtain customer approval before using, disclosing, or providing access to "customer proprietary network information," which includes location information and phone numbers.9 However, Wi-Fi location technology providers may not necessarily be considered a telecommunications carrier.10

Locating end-user devices with a WPS database

Once a sufficient number of Wi-Fi access points have been uploaded to a location database, this information can be used to locate end-user devices. When an end-user device uses a WPS service to request its location, it first identifies Wi-Fi access points in its range. After submitting the MAC addresses of these points to the WPS database, the known positions of one or more of these points are retrieved, allowing the device's location to be triangulated. The accuracy of WPS thus depends on the number of Wi-Fi access points entered into the reference database.

[Figure (untitled): an end-user device that can see the access point with MAC address 00:58:F0:F2:bC:92 asks the Wi-Fi Positioning Systems DB "Where am I?"; the database holds the entry 00:58:F0:F2:bC:92 at 38.88952, -77.03527 and returns those coordinates to the device.]

These queries can also be used to update and/or refine the WPS location database, as any access point that is either not in the database, or which was previously associated with a different geographic location, will be identified during this process and the point's new location calculated. In this way, the updating of the network of reference points can be crowd-sourced, making the WPS database "self-healing."

As with Wi-Fi access point owners, owners of end-user devices may not be aware of the data being disclosed by their devices, or may not wish to have their location queries used to update a commercial database. As such, there are privacy concerns which may arise in the construction of WPS databases.

The unknowing informant model

Under the crowdsourced database updating model, it is known that users of WPS services may unwittingly be aiding the proprietors of the services to update and refine their database, based on the list of Wi-Fi access point MAC addresses submitted with each query. This model may not concern everyone – after all, it leads to improvement in the service's locating capabilities. But consider if even more information were being provided to the WPS service. Suppose it were the case, when a mobile user was querying for location, that he or she was also able to unknowingly detect the MAC addresses of mobile devices in range in addition to Wi-Fi access points.

The MAC address becomes more than simply a device identifier. Instead, it identifies devices that are closely associated with people – including their personal computers and mobile phones. These identifiers are persistent, remaining constant over the lifetime of the device. They are "identifiers that are extremely reliable in establishing identity by virtue of being in people's pockets or briefcases."11 They become, in turn, personal identifiers – and, due to the static nature of the MAC address, they are identifiers that tend not to change for the life of the device.

Identifying and avoiding unintended uses

The popularity of Wi-Fi networks, in combination with the clear text transmission of identifiers for those networks, creates a ubiquitous infrastructure that may now be used for purposes far different from the original intent. For instance, De Montfort University in the United Kingdom is considering the use of their on-campus Wi-Fi networks, in combination with chips in ID cards, to track student attendance.12 The MAC address and SSID were first developed to ensure the proper functioning of wireless network components; they can now act as geo-location points, enabling location-based services and mobile virtual communities, thereby transforming the original intention of the architecture.13 When designing a technical architecture, the potential for unintended uses should form part of a privacy threat/risk analysis.14 Information architects need to embed privacy into the design of WPS systems.

Service delivery in mobile communications consists of a diverse range of providers that includes device manufacturers, the operating system and platform developers, network providers, application developers, data processors, and even users themselves.15 By taking a Privacy by Design (PbD)16 approach to the development of technical architectures, the many players in the mobile space can play a contributing role to ensure end-to-end privacy. PbD advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation. The objectives of Privacy by Design – ensuring privacy and gaining personal control over one's information and, for organizations, gaining a sustainable competitive advantage – may be accomplished by putting in practice the seven foundational principles: (1) Proactive not reactive; preventative not remedial; (2) Privacy as the default setting; (3) Privacy embedded in the design; (4) Full functionality – positive-sum, not zero-sum; (5) End-to-end security – full life cycle protection; (6) Visibility and transparency – keep it open; (7) Respect for user privacy – keep it user-centric.17

In the case of MAC addresses and Wi-Fi Positioning Systems, creative thinking must be employed to find ways of embedding privacy directly into the architecture. Working with the broader research community, location aggregators and location-based technology/application developers should research and implement alternatives that protect the privacy of individuals, and provide individuals with a choice in whether their devices can be used in the creation and updating of WPS architecture.

Conclusion

The area of location privacy, involving an individual's ability to control who, when, how, and at what granularity personally identifiable location data is made available to others, is well established in the literature. However, additional discussion is required in this area where the individual's mobile device becomes an unknowing active contributor to the location architecture. In assessing the design of WPS architecture and location-based applications, the issues canvassed in this paper should be seriously considered, such as the concern for re-identification of location data, the sensitive nature of location information, the physical safety of individuals, and onward disclosure without the user's knowledge, or worse – contrary to his or her privacy preferences.

5 Ibid.

6 Article 29 Data Protection Working Party. Opinion 13/2011 on Geolocation Services on Smart mobile devices (adopted on 16 May 2011).

7 Active software such as NetStumbler, dStumbler, and MiniStumbler actually broadcast probe request frames to elicit responses from APs. See Yu-Xi Lim et al. "Wireless Intrusion Detection and Response" (Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2003) accessed January 25, 2011, http://users.ece.gatech.edu/owen/Research/Conference%20Publications/wireless_IAW2003.pdf.

8 In Canada, as of February 1, 2010, and pursuant to Telecom Decision 2003-53 and Telecom Regulatory Policy CRTC 2009-40, the CRTC generally requires that all Canadian wireless service providers implement a form of wireless enhanced 9-1-1 (E9-1-1) service whereby the telephone number, cell site/sector information, and longitudinal and latitudinal information regarding the location of wireless E9-1-1 callers are automatically conveyed to the appropriate E9-1-1 call center or public safety answering point.

9 Telecommunications Act of 1996 § 222(c); see also § 222(d) for exceptions, including for emergency services. N. King, "Direct marketing, mobile phones, and consumer privacy: Ensuring adequate disclosure and consent mechanisms for emerging mobile advertising practices," Federal Communications Law Journal 60 (2008): 229.

10 Testimony of M. Altschul before the Committee on Energy and Commerce, House of Representatives, on February 24, 2010.

11 Kim Cameron. "The Laws of Identity smack Google," Kim Cameron's Identity Blog, May 27, 2010, http://www.identityblog.com/?p=1100. See also Peter Scharr, "Smartphones always under control?," July 10, 2010, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/SmartPhonesUnterKontrolle20100709.html?nn=1269676. Additionally, smartphones often transmit current characteristic data of surrounding WLANs to the service provider so that the corresponding WLAN databases can be appropriately supplemented and updated. In this way, the smartphone user will become – without his knowledge – the data collector for service providers.

12 See "Students' concern over 'Big Brother-style' surveillance." This is Leicestershire. Accessed June 6, 2011. http://www.thisisleicestershire.co.uk/Students-concern-Big-Brother-style-surveillance/story-12718136-detail/story.html.

13 International Working Group on Data Protection in Telecommunications (IWGDPT). Common Position on privacy and location information in mobile communications services. "The enhanced precision of location information and its availability to parties other than the operators of mobile telecommunications networks create unprecedented threats to the privacy of the users of mobile devices linked to telecommunications networks." November 19, 2004.

14 Eric Rescorla. "Can We Have a Usable Internet Without User Trackability?" Accessed November 5, 2010. http://www.educatedguesswork.org/iab-privacy.pdf.

15 ASU Privacy by Design Research Lab and Information and Privacy Commissioner, Ontario Canada. The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users, 2010. http://www.ipc.on.ca/images/Resources/pbd-asu-mobile.pdf.

16 On October 29, 2010, Dr. Ann Cavoukian's concept of "Privacy by Design" was unanimously adopted at the 32nd annual International Conference of Data Protection and Privacy Commissioners, a worldwide assembly of regulators, in what has been described as a "landmark" resolution.

17 Ann Cavoukian, "Privacy by Design in Law, Policy and Practice," 2010, available online at www.ipc.on.ca.
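The query-and-update loop described under "Locating end-user devices with a WPS database" and "The unknowing informant model", as an added Python example that is not the article's code or any WPS operator's. It shows both sides at once: how a position is resolved from the access points a device can see, and how the same query teaches the database new or moved access points unless the user has opted out, the choice the article asks aggregators to provide. The first access point and its coordinates come from the article's page 20 diagram; every other MAC address, coordinate and signal strength is constructed, and the power weighting and the 100 m "moved" threshold are this example's own choices.

```python
"""Toy Wi-Fi Positioning System (WPS) resolver and crowdsourced updater.
Added example with constructed data, not code from the article or any WPS
operator: the first access point and its coordinates are from the article's
page 20 diagram; all other MAC addresses, coordinates and signal strengths
are invented, and the weighting and 'moved' threshold are assumptions."""
import math

# Constructed reference database: access point MAC -> (latitude, longitude).
WPS_DB = {
    "00-58-F0-F2-BC-92": (38.88952, -77.03527),  # the article's diagram
    "00-1F-3F-D7-3C-58": (38.88980, -77.03490),  # constructed
    "00-1F-3F-00-11-22": (38.88930, -77.03560),  # constructed
}
MOVED_THRESHOLD_M = 100.0  # re-learn an access point stored further away than this


def normalize(mac):
    """Canonical key: upper case, '-' separated; accepts ':' '-' or '.' input."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def locate(scan, db=WPS_DB):
    """Resolve a position from a scan: a list of (mac, rssi_dbm) the device saw.
    Known access points are combined as a centroid weighted by linear received
    power, so stronger (closer) points pull harder. Returns (lat, lon, n_known),
    or None when no scanned point is in the database."""
    weighted = []
    for mac, rssi in scan:
        pos = db.get(normalize(mac))
        if pos is not None:
            weighted.append((10 ** (rssi / 10.0), pos))  # dBm -> mW
    if not weighted:
        return None
    total = sum(w for w, _ in weighted)
    lat = sum(w * p[0] for w, p in weighted) / total
    lon = sum(w * p[1] for w, p in weighted) / total
    return lat, lon, len(weighted)


def learn(scan, db=WPS_DB, contribute=True):
    """The crowdsourced update step. Every MAC the device saw that is unknown, or
    whose stored position is far from the fix just computed, is (re)written at
    the fix. contribute=False models the user's opt-out: the device still gets
    its position, but the database learns nothing from the query.
    Returns (fix, list of database keys that were added or moved)."""
    fix = locate(scan, db)
    if fix is None or not contribute:
        return fix, []
    here = (fix[0], fix[1])
    changed = []
    for mac, _ in scan:
        key = normalize(mac)
        known = db.get(key)
        if known is None or haversine_m(known, here) > MOVED_THRESHOLD_M:
            db[key] = here
            changed.append(key)
    return fix, changed
```

A scan containing one access point the database has never seen is enough to put that point, keyed by its persistent MAC address, into the reference set at the querying device's position; that is the "unknowing informant" in three lines of `learn()`. The `contribute` flag is where a design that respects the user's choice would differ from one that does not.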

References

—ASU Privacy by Design Research Lab and Information and Privacy Commissioner, Ontario Canada. "The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users," 2010. http://www.ipc.on.ca/images/Resources/pbd-asu-mobile.pdf.

—Cameron, K., "The Laws of Identity smack Google," Kim Cameron's Identity Blog, May 27, 2010, http://www.identityblog.com/?p=1100.

—Cavoukian, A., "Privacy by Design in Law, Policy and Practice," 2010, available online at www.ipc.on.ca.

—Kane, Y., "House Presses Apple, Google, Others on Location-Tracking Practices," The Wall Street Journal, April 26, 2011.

—King, N., "Direct marketing, mobile phones, and consumer privacy: Ensuring adequate disclosure and consent mechanisms for emerging mobile advertising practices," Federal Communications Law Journal 60 (2008): 229.

—McCullagh, D., "CNET News Privacy Inc. Exclusive: Google's Web mapping can track your phone." CNET, accessed March 12, 2012, http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone.

—Rescorla, E., "Can We Have a Usable Internet Without User Trackability?" Accessed November 5, 2010. http://www.educatedguesswork.org/iab-privacy.pdf.

—Scharr, P., "Smartphones always under control?" July 10, 2010, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/SmartPhonesUnterKontrolle20100709.html?nn=1269676.

About the Authors

Ann Cavoukian, Ph.D. is Information and Privacy Commissioner of Ontario, Canada. Recognized as one of the world's leading privacy experts, Dr. Cavoukian developed Privacy by Design, now the gold standard in data protection and privacy, in the 1990s. She may be reached at [email protected].

Kim Cameron is a leading expert in digital identity, and the creator of the influential "Laws of Identity." A founder of ZOOMIT Corporation, and later Chief Identity Architect at Microsoft, he is an advisor on identity architecture and issues.


Abstract

Organizations cannot escape social media's ubiquitous presence and the unique challenges it creates. Our attempts to regulate social media for security and compliance requirements must now be balanced with the need to protect our organizations from the unintended legal consequences of overregulation. This article will examine various laws and regulations that we must consider when creating our social media policies to avoid these legal risks.

On September 2, 2011, a National Labor Relations Board (NLRB) Administrative Law Judge (ALJ) ruled that a non-profit organization unlawfully dis-

charged five employees for complaining about their jobs on Facebook. The judge found that the employees were illegally discharged because the Facebook discussion was concerted protected activity under Section 7 of the National Labor Re-lations Act1 (NLRA). The judge ordered the organization to reinstate the employees and awarded them back pay.2

Whether we like it or not, laws and regulations permeate every aspect of the information security profession, and the rapid growth of social media in the workplace has not escaped this legal reach. Unfortunately, our efforts to address the unique security and compliance challenges posed by social media can in many ways conflict with these laws and regulations. The result is our social media policies might be exposing our organizations to serious legal consequences.

As I always state before every article and presentation, I am not a lawyer but an information security professional with an Executive Juris Doctor degree in Law and Technology. The

1 29 U.S.C. § 151–169.

2 Hispanics United of Buffalo v. Ortiz, 3-CA-27872, September 2, 2011.

following is not a legal consultation but rather is intended to help information security professionals gain an apprecia-tion and understanding of the laws and regulations that af-fect their social media policies and encourage them to seek further information from their legal counsel. Although this article will only examine US laws and regulations as they af-fect social media policies, the same analysis and discussion could be applied when examining the laws and regulations of other countries as they relate to social media.

Throughout this article, consider what other documents your organization has that may be impacted by this material, such as policies, procedures, standards, guidelines, employment contracts, employee handbooks, and any other document that specifies what employees can and cannot do – both at work and outside of work.

The United States ConstitutionWhen discussing social media policies or any topic related to privacy, I always like to start with a discussion on the First and Fourth Amendments of the United States Constitution and clear up some mistaken notions that many people have about their rights under these two amendments.

The First AmendmentThe First Amendment reads in part, “Congress shall make no law...abridging the freedom of speech, or of the press;...” Most people in the United States have incorrectly interpreted this to mean that they have the right to say anything they want in any environment without repercussions. What most Ameri-cans do not understand is that this right only prohibits the federal, state, and local governments from restricting your free speech. (Actually, there are a few ways the government can limit your free speech such as dictating the time, place, or manner of your speech, but a discussion of these exceptions is

Organizations cannot escape social media’s ubiquitous presence and the unique challenges it creates. This article will examine various laws and regulations that must be considered when creating our social media policies to avoid these legal risks.

By Jon Banks – ISSA member, Metro Atlanta, USA Chapter

Social Media Policy and the Law This article appeared in the

March 2012 ISSA Journal.

ISSA Journal | May 2012

Page 24: ISSA Journal May 2012

24

Social Media Policy and the Law | Jon Banks

These people had the right to say what they wanted, and the government didn’t punish them. Their employers did!

Make sure your employees understand that the First Amend-ment protections do not apply to them in the workplace.

The Fourth AmendmentThe Fourth Amendment reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

outside the scope of this article.) The First Amendment does not give you freedom of speech protection from non-govern-mental organizations (e.g., employers).

Look at a couple public examples:

• Gilbert Gottfried was fired as the voice of the Aflac Duck when he sent jokes about the Japanese tsunami via Twitter.

• Hank Williams, Jr. was replaced as the opening scene in Monday Night Football by the NFL for political comments he made in reference to the President, Vice President, and Speaker of the House playing golf to-gether.

The constant in privacy and security is people. In Social Engineering: The Art of Human Hacking (Dec. 21, 2010), Christopher Hadnagy brings this home in detail. He

even has a website1 dedicated to this and helped develop the Social Engineering Toolkit (SET) as a framework for applying the information. If you are someone involved in daily life, you are into social engineering – as target and as engineer. Advertis-ers, marketers, con men, politicians, co-workers, all apply this knowledge. Some do so as part of their legitimate jobs; some as a way of life; and some unconsciously. If you want to know how it works, this book is an excellent start.

As security improves in software, those who exploit it move to easier targets – the people.

The book is aimed at two audiences: those in the security field and those who may be victims of social engineering (SE). With the latter, he intends to make the reader more aware of the tech-niques, to avoid being “engineered” or conned. With the former, he demonstrates the approach of gathering information on a tar-get, typically an organization such as a corporate client (in an assessment), but equally applicable to use on individuals such as senior executives.

Hadnagy recommends the tools available with the BackTrack distribution of Linux, which is optimized for penetration test-ing, hacking, and social engineering. In particular, he refers to Dradis and BasKet as good tools to store the information you obtain while investigating a target. He uses BasKet, centered around the type of data collected. If you work on a team, Dradis offers a multi-user tool that you may prefer. One caution later in the book is to analyze the data for authority. Bad data can trip up an otherwise useful SE gig. Likewise, you need a way to orga-

1 http://www.social-engineer.org.

Social Engineering: A Must-Have Book and SkillBy Greg Playle – ISSA member, Colorado Springs, USA Chapter

Book Review

nize the data for reference; with quite a bit of data generated in a full-on en-gagement, you need something better than a text editor.

He covers Google hacking and calls out Johnny Long as one source. He mentions whois searches to gather information on the target’s online profile, surfacing information of use in tech-nical hacks. From there he treats social media, blogs, and so on, with a reference to how social media can be used to target some-one for burglary (when they announce they’re on vacation).

One point is that several nations have passed laws to make it ille-gal to create, distribute, or possess materials that allow someone to break any computer law, such as port scanners. Be careful what tools you take along as you travel. Remember that officers of the law, and others such as TSA, are bereft of a sense of hu-mor.

Hadnagy treats eliciting information from people via their basic motivations, as well as specific concerns, to make the elicitation work. In this, he echoes Johnny Long’s work, explaining that the communications must be natural to the situation, the people, and the topics of interest; the enquirer must know enough about the target to make his approach believable; and the enquirer must seek only a little information with each enquiry, to avoid tipping the target. The best possible way to elicit information is to listen; I’ve seen more people gather more information with that approach than any “directed conversation.” If this seems counter-intuitive, pick up a book on “active” or “directed” listening and try a few of its techniques or flip to the section starting page 158. Hadnagy discusses preloading the target with ideas or thoughts, without the target’s knowledge. He goes on to give a step-by-step approach to being a successful elicitor.

ISSA Journal | May 2012

In much the same way most people misconstrue their rights under the First Amendment, so, too, they fail to properly comprehend their rights under the Fourth Amendment. Most people think the Fourth Amendment confers on them an absolute right to privacy, an inference first made in a dissenting opinion in Olmstead v. United States (1928), written by Supreme Court Justice Louis Brandeis. However, the Fourth Amendment only protects you from government searches and seizures. It does not guarantee you an absolute right to privacy from your employer in the workplace.

Whether the government can seize something in the workplace without a warrant depends on whether or not you, as an employee, have a reasonable expectation of privacy, but this is also not an absolute as will be shown below. For this reason, many organizations tell their employees they have no expectation of privacy in the workplace when using social media and other communication technologies. Although outside the scope of this article, a very thorough discussion of computer searches and seizures as they relate to reasonable expectations of privacy can be had by reading Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.3

3 Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Third Edition, September 2009. http://www.cybercrime.gov/ssmanual/index.html

There is quite a bit of coverage of pretexting, or “creating an invented scenario to persuade a targeted victim to release information or perform some action.” A well-deserved caution is that pretexting is not merely “lying” but is actually “living” that role. All that research done up front pays off in a believable pretext. Hadnagy provides the psychological basis for pretexting successfully, as well as the steps to take in preparation. There are sources of sound tracks, spoofed phone numbers, and such required for a pretext to succeed. As in each chapter, he also gives case studies along the way, showing both successful and unsuccessful approaches. He also covers the legality of pretexting, which is required learning for the practitioner.

The psychological principles include various modes of thinking (visual, hearing, and feeling, corresponding to the visual, auditory, and kinesthetic modes of learning). These modes apply in specific situations; an example shows how a salesman would “program” the target to remember particular points. He treats microexpressions, based on research in the 1990s by Dr. Paul Ekman. One key point is where Hadnagy explains his approach to learning to read microexpressions and encourages the reader to look up Ekman’s work and website. He discusses other tips and techniques both for interpreting someone’s behavior and, in malicious application, for exploiting someone. There is also Neuro-Linguistic-Programming (NLP), again with recommendations for source material.

His section on “Building Instant Rapport” is a must-read, in particular the subsection on meeting people’s needs to build rapport. He details how a social engineer abuses this rapport by manipulating expectations and creating a presupposition that the target will comply with the SE’s intended course of action.

Hadnagy discusses powers of persuasion and influence to co-opt the target. He outlines the fundamentals and provides eight tactics for influencing people. One of the most successful tactics relies on the principle of reciprocity, which builds a sense of indebtedness in the target. The SE does something nice for the target and counts on the target’s willingness to return the favor. Typically, this is giving something of value to the target. This is successful nearly every time by sending a relevant gift to the senior staff member with a note asking them to browse a particular website and review a PDF file, then promising to follow up with a phone call. That PDF existed but was poisoned, dropped a payload on the target’s machine, and Hadnagy got instant access to the corporate network. He borrows a refrain from Tom Sawyer’s painting of the fence: people find things more attractive if they are hard to get; the things do not need to be inherently valuable. The SE also succeeds by framing expectations and the surrounding environment so the SE does not create a cognitive dissonance that alerts the target. Then Hadnagy covers manipulating the target and gives an excellent example of the way corporations manipulate the public’s perception of their actions; again, a must-read section. There are case studies of corporations creating demand for their products, which should make the reader question all advertising.

There are all kinds of tools the social engineer uses, ranging from lock picks and shims to secret recording devices and information search software (Maltego). He also introduces the Social Engineer Toolkit and demonstrates how to combine the two with malicious payloads to “tunnel back out” from the target’s network. There are a variety of other tools to present the correct information for the SE gig, including spoofing caller ID.

He wraps the book up with case studies of particularly sensitive engagements, including finding a hole in a network that already had a hacker in it and social engineering the hacker.

Put together Johnny Long’s No Tech Hacking, Frank Abagnale’s Catch Me If You Can, and Hadnagy’s Social Engineering and you’ll view society in a whole different way. This book should be part of every security professional’s reading.

About the Author
Greg Playle, CISSP, IAM/IEM, C|EH, C|HFI, FITSP, a senior principal engineer at Serco-NA, provides network and information assurance/computer network defense services to the United States federal government. Greg has a Masters in Systems Engineering from the University of Southern California, a Masters in Software Engineering from Colorado Tech University, and over 30 years experience in computer security. Greg may be reached at [email protected].

The issue of reasonable expectation of privacy was addressed by the Supreme Court in Ontario v. Quon.4 Quon, a police officer, argued he had a reasonable expectation of privacy in his text messages sent via an employer-provided device. The Supreme Court ruled that the government employer could still conduct a search if it was for:

• A non-investigatory, work-related purpose

• The investigation of work-related misconduct

Although this case concerned government employees, the Supreme Court stated, “the search would be ‘regarded as reasonable and normal in the private-employer context.’” It is important to note that the Court added, “…[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.”

Again, it is important to ensure your employees understand their privacy rights as an employee when using social media or any communications technology in your organization and that these policies are clearly communicated.

National Labor Relations Act
Now, despite the lack of protection afforded employees by the First and Fourth Amendments as it relates to social media in the workplace, employees are not without significant legal protections. The most prolific of these protections comes from the National Labor Relations Act (NLRA), which is effectuated by the National Labor Relations Board.

While the NLRA covers a wide range of employees, some employees are exempted from this law. These exempted employees generally include government employees, agricultural workers, domestic servants, independent contractors, supervisors, and railway and airline employees.5 See the NLRA for a complete listing of exempted employees.

Even if your organization and employees would not be covered under the NLRA, writing your policies to be congruent with the NLRA is a pretty good idea. Many times when courts do not have a legal precedent to follow in a case, they will look to similar legal precedents in other jurisdictions. So, if your employees are not covered by the NLRA, a court might still look to the NLRA when making a decision as it relates to social media in the workplace.

Protected, concerted activity
The two most important sections of the NLRA are Section 7,6 which defines employee rights, and Section 8(a)(1),7 which prohibits employers from interfering with employees’ Section 7 rights. Section 7 reads in part, “Employees shall have the right...to engage in other concerted activities for...mutual aid or protection,...” As a result, most rulings involving the NLRA usually discuss whether the employees’ actions were protected, concerted activity.

When doing an analysis of an alleged violation of the NLRA, the Board, ALJ, or the court will first try to determine if the employee’s comments and use of social media was a concerted activity. Concerted activity has been defined as:

• With or on the authority of other employees, and not solely by and on behalf of the employee himself

• Circumstances where individual employees seek to initiate or to induce or to prepare for group action

• Truly group complaints8

To satisfy the concerted activity requirement, the comments posted on social media have to be more than one person complaining or griping and must be directed to other employees of the organization, and these comments must be an attempt to create a discussion of protected activities (as will be defined in the next paragraph). For example, if one employee posts a comment on Facebook about a protected activity and another co-worker responds to the comment, this would be considered concerted activity. Also, even if no other co-workers respond to the comment about protected activity but the intent of the Facebook posting was to initiate or induce other co-workers to respond, this, too, would be considered concerted activity.

While there is no definitive list of what activities are considered protected by the NLRA, some activities that have been deemed protected include:

• Comments about working conditions

• Discussions about supervisory actions

• Comments about wages, terms, and conditions of employment

Many organizations, in their social media policies and other documents, sometimes prohibit some protected activities such as wage discussions. You may want to revisit your policies and other employment documents and see if they prohibit these types of protected activities.

The NLRB Office of General Counsel issued an “Operations Management Memo”9 (hereafter NLRB Memo) dated January 25, 2012, addressing various topics related to social media and the NLRA. An example taken from the NLRB Memo is illustrative of protected, concerted activity occurring in a social media context. In one case, an employee was terminated for posting critical comments about the employer on Facebook. After the employer transferred the employee to a less lucrative position, the employee went home and posted expletive comments to Facebook stating that the employer had made a mistake. In response, several current and former co-workers responded supporting the employee’s position and echoing the employee’s frustrations with the employer’s

4 560 U. S. (2010)

5 29 U.S.C. 152

6 29 U.S.C. 157.

7 29 U.S.C. 158(a)(1).

8 Meyers Industries (Meyers I), 268 NLRB 493, and Meyers Industries (Meyers II), 281 NLRB 882 (1986).

9 Operations Management Memo from the NLRB Office of General Counsel – http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report.

treatment of employees. The employer later fired the employee over the Facebook postings. However, the NLRB ruled that the employee’s Facebook postings, and the discussion it generated among other employees, clearly involved complaints about working conditions and the employer’s treatment of its employees and clearly fell within the Board’s definition of protected, concerted activity.

Overly broad, vague, and ambiguous language
Along these same lines, overly broad, vague, and ambiguous language in our social media policies can get our organizations into legal trouble. Many policies are either written broadly to encompass all activities or use vague and ambiguous language or terms, mainly because it is easier to cast a wide net rather than attempting to define and list each individual activity that is and is not permitted. Consider some of these vague, ambiguous terms that are normally used in social media and other policies:

• Reasonable

• Appropriate

• Inappropriate

• Professional

• Unprofessional

• Confidential

• Proprietary

• Sensitive

• Non-public

Many social media policies and employee handbooks have been found to be overly broad and in violation of Lutheran Heritage Village-Livonia.10 Under Lutheran Heritage, a social media or employee handbook rule is considered unlawful if it explicitly restricts Section 7 activities. Furthermore, if a rule does not explicitly restrict Section 7 activities, the rule can still be found illegal if:

• The employees would reasonably construe the language to prohibit Section 7 activities

• The rule was promulgated in response to union activity

• The rule has been applied to restrict the exercise of Section 7 rights

Recent NLRB rulings have stated that when a policy does not define exactly what types of activity are included in its vague and ambiguous terminology, a violation of employees’ Section 7 rights still occurs, because employees have no way of knowing that their Section 7 activities are still permitted. The use of “savings clauses,” a statement stating that the vague and ambiguous terms do not include Section 7 activities, was also found to be inadequate under the NLRA.

Employee identification
Many times, employers will require that when employees use social media – either in the workplace or outside the work environment – the employees not identify themselves as employees of the organization. Furthermore, employers have imposed restrictions on employees’ use of company logos, trademarks, service marks, etc., in social media postings unless prior permission is received from senior management or the legal team.

However, the NLRB considers this prohibition to be a violation of an employee’s Section 7 rights. The NLRB has gone on to state that an employee’s use of trademarked and copyrighted names and logos in connection with Section 7 activity did not infringe upon the employer’s rights to these trademarks and copyrights.

Note that while the topic of employee identification and their use of logos, trademarks, etc., in social media is discussed in the NLRB Memo, a telephone call made by the author to the NLRB found that the particular case this commentary is based on, LabCorp,11 is still pending final disposition as of the writing of this article. Therefore, more exact details of this case are not presently available from the NLRB. However, the Office of General Counsel does cite another case in their commentary on this topic, Pepsi-Cola Bottling Co.,12 which also stated employees had the right to use company logos and

10 343 NLRB 646, 647 (2004).

11 NLRB Case 28-CA-023503

12 301 NLRB 1008, 1019-20 (1991), enfd. 953 F.2d 638 (4th Cir. 1992)

trademarks under Section 7, although this was not a social media case.

Disparagement
Even disparaging comments made about the organization or its management can be protected under the NLRA. When considering whether disparaging and egregious employee communications should be protected, the NLRB has had to modify two traditional tests it normally employs to accommodate the unique nature of social media, which allows the public to be party to the communications.

The first test, called the Jefferson Standard,13 is typically used when employee communications are intended to appeal to third parties. The Board considers whether the communication is in reference to a labor dispute and the level of disparagement the communication has to the employer’s products or services. The Board uses the Atlantic Steel14 test when the communication is between employees and supervisors and contemplates the extent that the communication disrupts or undermines discipline within the organization. This test considers several factors including the place of the communication, its subject matter, the nature of the outburst, and whether the outburst was caused by the employer’s unfair labor practices. The modified analysis of the Board takes the disruption of the workplace factor of Atlantic Steel and combines it with the disparagement analysis of the Jefferson Standard – although the other factors of Jefferson and Atlantic can be considered, based on the circumstances of each case. In many cases, prohibiting disparagement in social media policies is unlawful.

For a more comprehensive discussion of the NLRA as it relates to social media, including NLRB decisions as they relate to specific examples of social media, please see the NLRB Memo.

Federal Communications Commission
Federal Communications Commission (FCC) regulation 16 CFR § 255.5 reads in part, “When there exists a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed...”

This regulation also addresses disclosure of an employer-employee relationship but for a different reason than for Section 7 activities. Here, the FCC requires that any employee or other agent of an organization that promotes or endorses a product or service of the organization must disclose the fact that he is an employee or agent of the organization. This way, third parties will know of the relationship and possible bias in the endorsement. Therefore, employees of your organization must know and understand that they must identify themselves as an employee of your organization in any online endorsements including, but not limited to, social media when promoting or endorsing your organization’s products or services.

Ownership of social media
Finally, if you allow or require social media use in your organization, your social media policies need to address who will own the social media. This issue of ownership is a new legal wrinkle involving social media and came about as a result of a recent dispute between a former employee, Kravitz, and his employer, Phonedog.15 While working for Phonedog (part of the legal debate is if Kravitz was an employee or contractor of the company), Kravitz used a Twitter account to communicate information to customers. When Kravitz left Phonedog, he changed the account name and password on the Twitter account to reflect he had left the company and kept the followers. Kravitz maintains that the account was always his personal property while the company claims the followers were proprietary and trade secrets.

As of the writing of this article, this case is still pending. However, to avoid such legal complications in your own organization, your social media policy should articulate who owns any social media accounts and content used for business purposes and what will happen to these accounts upon employment termination.

Conclusion
As information security professionals, we are not the only ones challenged by the issues social media create. Social media issues are even challenging our courts. Justice Kennedy, writing for the majority in Quon, highlighted this challenge by stating:

“Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.... [I]t is uncertain how workplace norms, and the law’s treatment of them, will evolve.”16

Despite these challenges, you still need to consult with your legal counsel to determine what changes need to be made to your social media policies and other employment documents to protect your organization.

About the Author
Jon J. Banks, EJD, CISSP, CEH, Project+, is an information security leader with 14 years of diverse experience including security engineering, analysis, and operations; governance and compliance, and Big 4 IT advisory. He holds an Executive Juris Doctor degree from Concord Law School and is interested in senior leadership roles in IT and security. He can be reached at [email protected].

13 NLRB v. IBEW, Local No. 1229 (Jefferson Standard), 346 U.S. 464, 472 (1953).

14 Atlantic Steel Co., 245 NLRB 814, 816-817 (1979).

15 Phonedog v. Kravitz, 3:11-cv-03474 (N.D. CA, 2011)

16 Ibid. at 11.

2012 ISSA International Conference
The Magic Kingdom - Embracing a Changing World
Disneyland Hotel • Anaheim, California - USA, October 25 & 26, 2012

Mark your calendar for the 2012 ISSA International Conference. For more information visit: www.issaconference.org

Register Before July 20 for Special Rates - ISSA Members just $199 USD - Non Members $325 USD, includes ISSA Membership

Special Events - Calling all Chapter Leaders: Chapter Leaders Summit* – October 24 - CISO Executive members and guests: 4th Quarter CISO Forum* – October 27 *Open to qualified attendees only.

New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney’s innovative vision, the cybersecurity community will gather at the Magic Kingdom on October 25-26 to look at change as a chance to achieve excellence. Disruptions like “big data”, “cloud computing”, massive collaboration, and business transformation make it possible for us to blaze new trails and build effective foundations. We are enabling our work forces to be mobile and productive while protecting sensitive data. We build systems and policies that impede our foes and guard our constituents. This is an exciting time to be in the information security field and we are all vital in making our businesses faster, better, smarter and, most importantly, safer. Sessions will include:

• Cloud • Application Security • Infrastructure • Legal Updates • Mobile Security • Critical Infrastructure • Threat Updates • Securing the End Users • Big Data • Incident Response • Business Skills • Governance and Compliance

Page 30: ISSA Journal May 2012

30

ISSA DEVELOPING AND CONNECTING

CYBERSECURITY LEADERS GLOBALLY

Understanding Private Cloud Security

By Yuri Diogenes – ISSA member, Fort Worth, USA Chapter and Dr. Tom Shinder

This article covers the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

Abstract

There are a lot of reasons why cloud computing is getting so much media and industry attention, but one of the main reasons why companies are adopting cloud computing is the financial advantage. While public cloud seems to be the preferred choice for small and medium businesses, there is another cloud infrastructure model that is growing in large enterprises – the private cloud. The private cloud can have a substantial impact on the way information technology (IT) operates; it redesigns the data center by providing agility to the business, enables better resource utilization, and fuels higher availability. However, as with the public cloud, in a private cloud security concerns are still a major challenge. Although many cloud architects argue that private cloud does not present security concerns since it is owned and operated by the company itself, the reality is that there are many security elements that must be addressed before adopting, architecting, and designing a private cloud. This article will cover the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

Why care about security in a private cloud infrastructure?

Even if you take private cloud out of the equation, data center security and operations must be well planned and executed in order to enhance the overall security strategy. According to a report issued by Varonis,1 internal threats are still the major concern for corporations in 2012, and with private cloud adoption the vast majority of the users will be authorized, authenticated, and have access of some type to the infrastructure. With private cloud adoption this risk is likely to increase because if an internal intruder successfully exploits a vulnerability in the private cloud infrastructure, he can potentially affect all other tenants as shown in Figure 1.

1 Varonis Top Predictions for Data Governance in 2012 http://www.varonis.com/go/resources/whitepapers/Varonis-Top-Predictions-for-Data-Governance-in-2012.pdf.

Figure 1 – Without security controls in place a compromised tenant can affect others.

ISSA Journal | May 2012

Page 31: ISSA Journal May 2012

In the private cloud, the importance of a well-architected and executed security design has not changed; the only difference is adjusting to this new model. In a traditional data center environment, the demarcation of security responsibilities between the data center operator and the service user was relatively well defined. Generally, the responsibility was aligned with ownership of the particular physical component, whether that was a server, a networking device, or the overall network infrastructure; if the IT department owned and administered the server, then that department also managed and updated security on that asset. With cloud models, security responsibility has altered in that departments may be responsible for a portion of the security on the service that they pay for, depending on the service provisioning model in use.

A key differentiator in public cloud environments is that service is provided on a shared tenant basis and multiple tenants use portions of the same pooled infrastructure and services. In the private cloud the tenants will be the departments of the company as shown in Figure 2. The public cloud implementation then applies authentication, authorization, and access controls to create logical partitions between the tenants so that individual tenants are isolated from each other and cannot see other tenants’ data.

Figure 2 – Shared tenant model in private cloud infrastructure.

Similar to the multi-tenant scenario in the public cloud, in the private cloud each department or business unit within the company must be isolated from others even when their services are located on the same host operating system and server. There is nothing new in this requirement; even today large enterprises do have some sort of isolation to enhance security, privacy, and performance between departments. Generally organizations do have good reasons to implement such isolation, such as between different business units or between the accounts department and the rest of the organization. Consequently, a private cloud model may also be a shared tenant model with similar requirements for effective security partitioning between different business units as with public cloud implementations.

Virtualized environments

Although there is a natural tendency to correlate cloud with virtualization, the reality is that virtualization is not an “absolutely” essential component of private cloud architectures. Companies that are moving to a private cloud infrastructure can use blade server arrays or other compute configurations to provide cloud-based services. However, the advantages of improved server utilization and greater operational flexibility that virtualization platforms provide have led to very high uptake of this technology in cloud environments.

Virtualization introduces a very different threat landscape from a security perspective. This happens because virtualization changes the way an organization secures and manages its data center. Since workloads are mobile and can move from host to host based on optimization algorithms that require no human involvement, security policies linked to physical location are no longer effective, so security policies must be independent of network or hardware topologies.

Additionally, in order to provide effective security in virtualized environments, it is necessary to have virtualization of the security controls themselves. As these virtualized controls become available, they should as a minimum meet the following criteria:

• Fully integrate with the private cloud fabric

• Provide separate configuration interfaces

• Provide programmable, on-demand services in an elastic manner

• Consist of policies that govern logical attributes, rather than policies that are tied to physical instances

• Enable the creation of trust zones that can separate multiple tenants in a dynamic environment

Security in a virtualized infrastructure must be adaptive and natively implemented into a fabric where resources are allocated dynamically. Any security functionality that is tied to a server, an IP address, a MAC address, port, or other physical instance will no longer be as effective as in purely physical environments, due essentially to the decoupling of services and the physical hardware seen in a virtualized environment.

Private cloud security challenges

NIST (National Institute of Standards and Technology) publication 800-145,2 The NIST Definition of Cloud Computing, defines the five essential characteristics of cloud computing:

• Resource pooling

• On-demand self-service

• Rapid elasticity

• Broad network access

• Measured service

These essential characteristics also apply to both public and private cloud models, and for four of them there is at least one core security concern that must be addressed during the designing and planning phase of your private cloud infrastructure.

2 NIST Definition of Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Page 32: ISSA Journal May 2012

Resource pooling

Resource pooling is the mechanism by which cloud environments can increase utilization levels, reduce costs, and make use of cheaper resources such as commoditized servers and inexpensive hard disks. The user’s (tenant’s) primary security concern regarding this essential characteristic is related to how secure his data is, who else can access it, and if the data is safe even if something untoward occurs.

In order to address this security concern, the cloud architect will need to design the private cloud security infrastructure to:

• Prevent leakage between tenants by isolating them

• Use AAA (authentication, authorization, and access control) and RBAC (role-based access control)

• Use a least privilege approach while delegating permissions

On-demand self-service

The essence of cloud provisioning is self-service. When combined with rapid elasticity, self-service enables cloud implementations to provide dynamic and timely responses to requests for more or fewer resources. However, the simplicity and convenience of on-demand self-service can also be its weakness. Because cloud environments are often virtualized, any errors in assigning security permissions during the provisioning process could, for example, result in other tenants being able to access the newly provisioned environment.

It is very important to understand that many organizations do have IT operations in place (such as ITIL v3) that already require different levels of service agreement between divisions and IT. When you move to the private cloud, those service agreements should be reviewed so they are consistent with what can be provided by the new private cloud platform. It is quite possible that you will enhance the Service Level Agreement (SLA) for many operations due to the flexibility and agility that private cloud offers.

The cloud architect’s major security concern as it relates to on-demand self-service is how to control who has access to private cloud services and how to monitor and audit these services. The open questions shown in Figure 3 must be answered and explicitly covered in the SLA.

Figure 3 – Details about on-demand self-service that must be on the SLA.

In order to address these security concerns it is important to:

• Monitor errors in security provisioning

• Have a cleanup process deprovision resources, remove access, and destroy any residual data that might be present

• Return to the cloud in the same base state as all assets in the respective resource pools

Rapid elasticity

Rapid elasticity enables organizations and business units to scale their operations up and down quickly to meet demand. Because the compute, storage, and network resources are pooled and can therefore be shared between tenants, users can request as little or as much of each resource as needed within their budgetary constraints. The management system can then rapidly allocate these additional resources either through manual requests or by automated, demand-led provisioning.

The security concern that a user (tenant) has regarding rapid elasticity is that a rogue application, client, or denial of service (DoS) attack might destabilize the data center by requesting an overly large amount of resources. The challenge here is to reconcile the perception of infinite resources while keeping control of the resources to avoid such problems.

In order to address this security concern it is important to:

• Monitor and manage resource utilization

• Use automation to avoid human error

• Enforce policy-based quotas to restrict overuse of the resources

Broad network access

Although some cloud architects will argue that broad network access only applies to public cloud, the reality is that this is not true. Even without cloud computing considerations, large enterprises already require broad network access, which is why for the past ten years VPN technologies have evolved to be more easily implemented and transparent to use. In a private cloud infrastructure remote users will still need remote access to those resources located in the private cloud.

Consumers of your private cloud services may be authenticating to an application provided by a public cloud provider using federated identity to authenticate from your internal directory service. Your internally-hosted private cloud implementations may also be using web services from a third-party public cloud provider. In consequence, failing to consider the broad network access picture is inherently limiting.

The cloud architect’s security concern regarding this mechanism is how to ensure that an appropriate level of security applies regardless of client location and regardless of form factor. This requirement applies to both cloud management and application security.
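The tenant isolation, RBAC with least privilege, policy-based quota and cleanup/deprovisioning controls called for under resource pooling, on-demand self-service and rapid elasticity can be seen together in a small control-plane gate. The following is an added example written for this article, not code from the authors or from any cloud management platform; the tenant names, roles, quota figures and the `ControlPlane`, `Principal` and `Tenant` types are constructed for illustration.

```python
"""Tenant-isolated provisioning gate for a private cloud control plane.

Constructed example: role names, quotas, tenants and the ControlPlane API are
assumptions for illustration, not an existing product's interface.
"""
from dataclasses import dataclass, field

# RBAC with least privilege: a viewer can read but never provision or deprovision
ROLE_PERMISSIONS = {
    "tenant-admin": {"provision", "deprovision", "read"},
    "operator": {"provision", "read"},
    "viewer": {"read"},
}


@dataclass
class Principal:
    user: str
    tenant: str   # the department/business unit the principal belongs to
    role: str


@dataclass
class Tenant:
    name: str
    quota_vcpus: int                      # policy-based quota (rapid elasticity)
    used_vcpus: int = 0
    resources: dict = field(default_factory=dict)  # resource_id -> allocation record


class PolicyError(Exception):
    """Raised for every denial; the denial is also written to the audit trail."""


class ControlPlane:
    def __init__(self, tenants):
        self.tenants = {t.name: t for t in tenants}
        self.audit = []   # provisioning errors and denials are monitored from here

    def _deny(self, who, tenant_name, action, reason):
        self.audit.append(("DENY", who.user, tenant_name, action, reason))
        raise PolicyError(reason)

    def _authorize(self, who, tenant_name, action):
        # Isolation: a principal may only act inside its own tenant partition
        if who.tenant != tenant_name:
            self._deny(who, tenant_name, action, "cross-tenant access")
        # RBAC: the action must be granted to the principal's role
        if action not in ROLE_PERMISSIONS.get(who.role, set()):
            self._deny(who, tenant_name, action, f"role {who.role} lacks {action}")

    def provision(self, who, tenant_name, resource_id, vcpus):
        self._authorize(who, tenant_name, "provision")
        tenant = self.tenants[tenant_name]
        # Quota check stops a rogue client or runaway request from draining the pool
        if tenant.used_vcpus + vcpus > tenant.quota_vcpus:
            self._deny(who, tenant_name, "provision",
                       f"quota {tenant.quota_vcpus} vCPUs exceeded")
        tenant.used_vcpus += vcpus
        # "data" stands in for disk contents left behind by the workload (constructed)
        tenant.resources[resource_id] = {"vcpus": vcpus, "data": b"tenant-workload"}
        self.audit.append(("ALLOW", who.user, tenant_name, "provision", resource_id))
        return resource_id

    def deprovision(self, who, tenant_name, resource_id):
        self._authorize(who, tenant_name, "deprovision")
        tenant = self.tenants[tenant_name]
        res = tenant.resources.pop(resource_id)
        # Cleanup: return capacity to the pool and destroy residual data so the
        # asset goes back in the same base state as the rest of the pool
        tenant.used_vcpus -= res["vcpus"]
        res["data"] = b"\x00" * len(res["data"])
        self.audit.append(("ALLOW", who.user, tenant_name, "deprovision", resource_id))
        return res["data"]

    def read(self, who, tenant_name, resource_id):
        self._authorize(who, tenant_name, "read")
        return self.tenants[tenant_name].resources[resource_id]


def demo():
    """Exercise each control once and return what the gate decided."""
    cp = ControlPlane([Tenant("finance", quota_vcpus=8), Tenant("hr", quota_vcpus=4)])
    fin_admin = Principal("alice", "finance", "tenant-admin")
    hr_viewer = Principal("bob", "hr", "viewer")
    results = {}
    cp.provision(fin_admin, "finance", "fin-vm-1", 6)
    try:                                   # 6 + 4 exceeds the 8 vCPU quota
        cp.provision(fin_admin, "finance", "fin-vm-2", 4)
    except PolicyError as e:
        results["quota"] = str(e)
    try:                                   # hr principal reaching into finance
        cp.read(hr_viewer, "finance", "fin-vm-1")
    except PolicyError as e:
        results["isolation"] = str(e)
    try:                                   # viewer role trying to provision
        cp.provision(hr_viewer, "hr", "hr-vm-1", 1)
    except PolicyError as e:
        results["rbac"] = str(e)
    results["wiped"] = cp.deprovision(fin_admin, "finance", "fin-vm-1")
    results["used_after"] = cp.tenants["finance"].used_vcpus
    results["denials"] = sum(1 for entry in cp.audit if entry[0] == "DENY")
    return results


if __name__ == "__main__":
    print(demo())
```

The three denials land in `cp.audit` alongside the allowed operations, which is the hook for the "monitor errors in security provisioning" and "monitor and manage resource utilization" items: a real control plane would ship that trail to its SIEM rather than keep it in a list.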

Page 33: ISSA Journal May 2012

In order to address this security concern it is important to:

• Access device state

• Implement application level access control

• Implement security controls to avoid data leakage located on user’s own device

Summary

Cloud computing is having a major impact on our industry and how we think about security. While private cloud is often considered to have security concerns similar to those addressed in a traditional data center, there are a few issues that are unique to private cloud security, and others that represent similar data center security issues, but with an increased emphasis when applied to the private cloud. Of all the security issues that you need to address in the private cloud, one of the most important is that of isolating tenants in a multi-tenant environment. Isolating tenant services from one another needs to be enforced at all levels of the private cloud infrastructure, including compute, storage and networking. You can use the five essential characteristics of cloud computing as a pivot for addressing the security issues that cloud computing introduces over those seen in the traditional data center. You can then use on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured services as buckets in which to place your security design issues specific for private cloud.

Additional resources

For more information about private cloud security:

—A Solution for Private Cloud Security: Service Blueprint, http://social.technet.microsoft.com/wiki/contents/articles/6643.blueprint-for-a-solution-for-private-cloud-security.aspx.

—A Solution for Private Cloud Security: Service Design, http://social.technet.microsoft.com/wiki/contents/articles/6644.design-guide-for-a-solution-for-private-cloud-security.aspx.

—A Solution for Private Cloud Security: Service Operations, http://social.technet.microsoft.com/wiki/contents/articles/6645.operations-guide-for-a-solution-for-private-cloud-security.aspx.

We encourage you to review all three of these documents prior to and during the design and planning phases of your private cloud infrastructure. You can also download the slide deck that we delivered at ShareCloud Dallas 2012 that covers this subject, available at http://gallery.technet.microsoft.com/A-Solution-for-Private-0739e4a1.

ISSA-LA Donates $20,000 for Nonprofits to Attend the 4th Annual Information Security Summit

The ISSA Los Angeles Chapter has created a donation fund of up to $20,000 for IT employees and executives of nonprofits to attend, at no charge, the Fourth Annual Information Security Summit on Wednesday, May 16, 2012, at Hilton Universal City Hotel in Los Angeles. The theme of the one-day summit is, “The Growing Cyber Threat: Protect Your Business,” which includes the business of operating non-profits. “We are offering 100 free registrations to our nonprofit friends because we know how important it is that the critical work of nonprofits moves forward unimpeded by criminal attacks,” said ISSA-LA President Stan Stahl, PhD. “Nonprofits are prime targets of cybercriminals who steal personal identities and bank funds. Additionally, nonprofits typically have thousands upon thousands of individual pieces of data, sensitive data that belongs to the people in our community and which cannot be secured if staff members and executives are not aware of how to deal with the danger they face. The idea of extending a hand to nonprofits is in line with ISSA-LA’s credo that ‘It takes the village to secure the village℠.’”

According to a new study by the Center for Civil Society at the UCLA's Luskin School of Public Affairs in September 2011, the latest date for which data is available, there were 31,600 registered 501(c)(3) public charities in Los Angeles County, generating more than $35 billion in economic activity and employing over 230,000 people. At least 10% have budgets over $1 million. A significant number of large nonprofits have budgets of more than $10 million. Most of the donations today are made over the Internet and kept on the organizations’ databases. This information needs to be properly protected and secured.

The Summit is the only educational forum in Los Angeles specifically designed to encourage participation and interaction among all three vital information security constituencies: (1) business and organization executives, senior business managers, and their trusted advisors, (2) technical IT personnel with responsibility for information systems and the data they contain, and (3) information security practitioners with responsibility for ensuring the security of sensitive information. Registration is open to anyone interested in learning more about information security but is particularly recommended for business and nonprofit executives and senior managers; business professionals in law, accounting, insurance and banking; technical IT personnel; and information security practitioners.

The Information Security Summit is part of ISSA-LA’s important community outreach program. The goal of the program is to help the community stay safe from cybercrime by enabling the necessary collaboration between business, nonprofit, and community leaders, technical IT professionals, and the information security community. Nonprofits interested in registering for the event should email [email protected] to receive the appropriate registration codes.

Page 34: ISSA Journal May 2012

About the Authors

Yuri Diogenes, CISSP, C|EH, C|CSA, CompTIA Cloud Essentials Certified, CompTIA Security+, MCSE+Security, currently works as Senior Technical Writer in the Server and Cloud Division Information Experience at Microsoft. Yuri is the co-author of the Microsoft Forefront Threat Management Gateway (TMG) Administrator’s Companion from Microsoft Press, co-author of the Forefront book series also from Microsoft Press, and is currently writing a Windows 8 Security book for Syngress in partnership with Tom Shinder. Yuri is a candidate for a Master of Science Degree in Cybersecurity Intelligence & Forensics from UTICA College. Yuri can be contacted at http://blogs.technet.com/yuridiogenes or you can also follow him on Twitter (@yuridiogenes).

Dr. Tom Shinder is a 15-year veteran of the IT industry. Prior to entering IT, Tom was a practicing neurologist with special interests in epilepsy and multiple sclerosis. He then began his career in IT as a consultant, and worked with many large companies, including Fina Oil, Microsoft, IBM, HP, Dell and many others. He then started his writing career toward the end of the 1990s and has published over 30 books on Windows, Windows Networking, Windows Security and ISA Server/TMG. For over a decade, ISA Server and TMG were Tom’s passions, and he ran the popular web site www.isaserver.org, in addition to writing 8 books on ISA/TMG. Tom joined Microsoft in December of 2009 as a member of the UAG DirectAccess team and started the popular “Edge Man” blog that covered UAG DirectAccess. Tom is currently a Principal Knowledge Engineer in the Server and Cloud Division Information Experience Group Solution’s Group and his primary focus now is private cloud – with special interests in private cloud networking and security. You can follow him on Twitter (@tshinder).

Response in Connect

“Waging War in the Digital Age” is reprinted this issue, page 8.

Waging War in the Digital Age
By Michael Starks – ISSA member, Fort Worth, USA Chapter
Ethics and Privacy, March 2012

Waging War in the Digital Age appeared in the March 2012 ISSA Journal.

Brett Osborne says:

When we speak about cyberwar, we should reference the conventions. I’ll add Westphalia and the United Nations Convention on the Law of the Sea to the list.

Militaries should know the definition of war and what globally accepted norms of warfare are. After the two world wars, aggressions that primarily attack civilian targets were banned. The Internet is massively civilian in nature and is extra-territorial, i.e., not part of any sovereign nation-state.

Let’s also define the so called aggressions: do any qualify as “war”? Overwhelmingly not. Most of these activities fall into one of several categories:

• Piracy/Anarchy – one who fights for other than a sovereign state. These are your Anonymous and Leakis – harass and embarrass. Probably arrested by civilian authorities, though there is some history of military law.

• Criminal – this covers a wide range from simple thieves, bank robbers, and other thugs. They also work to exploit a person’s identity or image in addition to financial gain. Criminal activity is normally covered by existing law enforcement and jurisprudence.

• Espionage – spying is spying. Nations do it. Companies do it. International definition and law is quite succinct here also. Mostly arrested by civil authorities, but also some military law may be involved.

Weapons of cyber? Yes, anything can be militarized, weaponized, or have dual purpose. Look at the lists for arms control (Export Administration Regulations, International Traffic in Arms Regulations). Information technology is no different.

Collateral damage? Yes and No. Yes, almost everything that can be targeted on the Internet can and should be considered civilian. Remember, militaries are only supposed to attack military targets. A very nanometric percentage of Internet assets may be national or military. But these are overwhelmingly gateways to protected, isolated networks or systems. So, militaries should not be attacking over the Internet (nations may conduct espionage, which is not warfare).

But for truly well-targeted, refined attacks (regardless of the source, for now), they will be very unlikely to cause collateral damage. Stuxnet reportedly was designed to attack nuclear industrial equipment, which apparently it did very well. The vast majority of other systems infected with Stuxnet were not significantly impacted. Crude, simplistic, non-targeting attacks probably will cause widespread damage. Any DDOS attack is an example.

So what should we do and propose? LEAD!

• Define aggressions – include crimes, exclude “cyberwar.”

• Demilitarize and set multilateral agreements – Geneva Cyber Convention? UN Policy for Law of the Internet? Security Council Resolution?

• Defend with coordinated multinational/multilateral monitoring and enforcement – chase pirates and criminals regardless of where they are.


Page 35: ISSA Journal May 2012


Perspectives on the Practice of Security Architecture

By Tohru Watanabe – ISSA member, New York Metro, USA chapter

This article reviews the current state of the practice in an effort to enhance the practice of security architecture.

Abstract

Security architecture is a common topic for discussion among security practitioners. Discussions range from what it is to what a security architect performs in his practice. Security architecture involves people, processes, and technology, and a successful program aims to provide protection against compromise. Security architects are tasked with a wide variety of responsibilities ranging from hands-on technical tasks to hands-off consultative roles. Concurrently, security itself is a nebulous concept. This article reviews the current state of the practice in an effort to enhance the practice of security architecture.

Introduction

Security architecture is a common topic for discussion among security practitioners. Security practitioners who focus on technology architecture are often referred to as security architects. Security architects are tasked with a wide variety of responsibilities that range from hands-on technical tasks to hands-off consultative duties such as translation of business requirements into a technologically acceptable form across all industry verticals, geographies, and sizes. Though security architecture has become a commonly used term, a consensus definition is still absent. The lack of a consensus definition has caused cascading effects, including miscommunication both inside and outside the information security community, and results in work efforts that are often not aligned with the intent of the requestor. Such miscommunications are common in HR and recruiting functions, where the lack of a consensus definition also results in a lack of standardization of job duties, requirements, and salary information.1 When miscommunications become a frequent artifact of discussions, the result is reduced efficiency and loss of credibility for the security architect. Loss of credibility, especially for a security architect, serves as a hindrance at a minimum and can result in lack of professional success at the other end of the extreme. Such potential malady can be avoided if one is mindful of the lack of a consensus definition and of the semantic challenges in intra- and inter-personal communication, and exercises additional care to ensure intent is properly communicated.

1 A search for “security architect” on Salary (www.salary.com) and Bureau of Labor Statistics (www.bls.gov) yields zero exact hits.

Lack of organization of the profession

Security architecture has been covered with fair regularity in the ISSA Journal. Past discussions on the topic have been presented from different perspectives, including the philosophical, conceptual, and practical.2 Across the different perspectives, security architecture has been likened to a model, a framework, a puzzle, and a balance between “too little” and “too much.”3 While some perspectives are unique, there is overlap in many cases as to what security architecture is, the practice of security architecture, and how acceptable levels of architecture should be measured. In several cases, authors have recounted the loose definition of security architecture and security architects in the information security community and suggested new, or restated existing, definitions and descriptions in an effort to level set with the audience. For example:

2 Price, S. M., “Conceptual Principles for the Security Architect,” ISSA Journal (August 2011); Williams, R., “Designing a Security Architecture,” ISSA Journal (December 2004); Price, S. M., “A Defense-in-Depth Security Architecture Strategy Inspired by Antiquity,” ISSA Journal (March 2010); Helmich, P., “Security Architectures,” ISSA Journal (May 2003); Stawowski, M., “Network Security Architecture,” ISSA Journal (May 2009); Weise, J., “Security Architecture and Adaptive Security,” ISSA Journal (July 2008).

3 Tomhave, B., “Architecting Adequacy: When Good Enough Really Is,” ISSA Journal (March 2010).

Page 36: ISSA Journal May 2012

Perspectives on the Practice of Security Architecture | Tohru Watanabe

Paul Helmich
A security architecture can generally be considered to define and describe the organization of technical security mechanisms used to implement an organization’s security policy.4

Ron Collette and Mike Gentile
The role of the security architect is to act as a conduit between related, yet different, disciplines, while maintaining a focus on security; one or more individuals who possess the ability to articulate and comprehend information, process it, formulate solutions that conform to the security policies of the organization, and communicate them to the target audience in an understandable manner.5

Anthony Thorn, et al.
A security architecture is a cohesive security design, which addresses the requirements (e.g., authentication, authorization, etc.) and in particular the risks of a particular environment/scenario and specifies what security controls are to be applied where. The design process should be reproducible.6

4 Helmich, P., “Security Architectures,” ISSA Journal (May 2003).

5 Collette, R., and Gentile, M., “The Security Architect: Bridging the Gap Between Business, Technology and Security,” ISSA Journal (April 2006).

6 Thorn, A., Christen, T., Gruber, B., Portman, R., and Ruf, L., 2010. “What is a Security Architecture,” Information Security Society Switzerland, accessed March 12, 2012, http://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf.

The author’s initial exploration of the topic of security architecture resembled the overexposed and redundant past approaches. Recycling of content may be useful to keep an idea top of mind but does not engage the community to introspectively assess the current state of the practice. Slade’s law of computer history suggests “those who do not learn the lessons of computer history are doomed to buy it all again - repackaged” and a recycling approach focused too exclusively on repackaging the past.7 With the intent to avoid recycling content, a new reality that better addressed the conundrum facing many information security practitioners emerged. The practice is full of terms, acronyms, and definitions that are often inconsistent across security architects. Lack of consistency is characteristic of any emerging field that has not organized around a governing body to form a profession. Central to the characteristics of a profession are a common knowledge base, competency, learning, ethics, and membership with an association of peers.8 Though there are professional organizations that attempt to centralize the attributes common to a profession, security practitioners are faced with a growing number of choices for organizational affiliation. For example, SANS affiliates and credential holders are more likely to have background in hands-on aspects of security architecture when compared directly with an individual affiliated with (ISC)2, based purely on a comparison of the common bodies of knowledge and certification focus areas of the two organizations.

Professional organizations for security architects

Security architecture practitioners are commonly affiliated with one or more professional organizations, including ISSA, ISACA, (ISC)2, SANS, EC-Council, CompTIA, and ASIS. Each organization offers its members access to resources, certifications, educational curriculum, and networks. Similarly, each organization maintains its own common body of knowledge (CBK), learning opportunities, and code of ethics. As each organization focuses on variations of the available information security practice areas, there are unique but discrete differentiations that members must be mindful of. Such differentiation often requires members of two or more organizations to exercise due care relative to management of multiple continuing professional education (CPE) requirements and codes of ethics, as well as the additional administrative effort required to maintain good standing with each organization. For example, ISSA, ISACA, (ISC)2, and ASIS members must pay an annual fee to each organization. In addition, individuals who hold certifications from different organizations must earn CPE credits for each discrete certification. Though there is cross over in educational activities, the credential holder must exercise care to ensure proper accounting of time earned. As an example, CPE requirements for the Certified Information Systems Security Professional (CISSP) certification are broader than those for Certified Information Security Manager (CISM). Therefore, educational activities with a focus on security management may count towards both CISM and CISSP, but activities not relevant to security management, such as an update on cryptographic technologies, may count towards CPE for CISSP but not for CISM.9

7 Slade, R. M., 2010. “Everything New Is Old Again,” in Information Security Management Handbook (6th Ed, Volume 4), ed. Harold F. Tipton and Micki Krause. Accessed March 4, 2012, Skillsoft.

8 Griffiths, M., Brooks, D. J., and Corkill, J., November 2010. “Defining the Security Professional: Definition through a Body of Knowledge,” Proceedings of the 3rd Australian Security and Intelligence Conference, accessed March 12, 2012, http://ro.ecu.edu.au/asi/5.

This Month’s ISSA Web Conference

Register for this event: www2.gotomeeting.com/register/275275850

You’ve Got Humans on Your Network: Securing the End User

Live Event: May 22, 2012

Even the best technology can be circumvented. All it takes is timing and a good story. Melissa, I Love You, The World’s Best Virus Scanner – what do these all have in common? They all circumvented security by tricking the users. As technology improves and the value of circumvention increases, the weakest link will become the end user. And don’t kid yourself – APT has proven they will be targeted. This session will discuss the human element and its impact on security.

Other conferences: www.issa.org/page/?p=57

Page 37: ISSA Journal May 2012

Theory and practice of security architecture

Following the discussion of the professional landscape, the next step is to review the practice of security architecture through the lens of action science to identify any gaps between theory and practice. Action science is an organizational development intervention designed to help people “improve their interpersonal and organizational effectiveness by exploring the hidden beliefs that drive their actions.”10 The fundamental technique is to compare espoused theories with theories-in-use. The delta between the two theories will reveal the gap. Even though the technique is not directly relevant to the security practice, a comparison of the espoused theory of security architecture as a practice with the actual practice of security architects yields a gap that is representative of the reality facing security professionals.

While a survey is a common method to measure espoused theories, sampling of job postings for a security architect yields the qualitative and quantitative qualities valued by hiring managers. A review of sample job postings across verticals and organization sizes reveals the broad and disorganized nature of the knowledge, skills, and abilities (KSAs) of an ideal candidate, with a single exception: the security architect is a senior-level position that requires a minimum of seven years of relevant experience.11 Aside from the experience requirement, job descriptions were extremely varied. When the verbiage of the job descriptions was processed through Wordle12 to create a word frequency cloud chart, the result revealed the overuse of the term “Security,” followed by “Solutions,” “Information,” “Technical,” “Enterprise,” and “Systems” (see figure 1). Though several individual job descriptions included specific technologies, the overabundant re-use of words hints at a potential lack of specificity for experience, certification, technologies, or frameworks. Such a result could also stem from a lack of synergy between Human Resources and the hiring department.

9 ISC2 - “Maintaining Your Credentials in Good Standing,” https://www.isc2.org/uploadedFiles/Credentials_and_Certifcation/About_Our_Credentials_and_Process/CPE.pdf; ISACA - “Maintain Your CISM,” http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Maintain-Your-CISM/Pages/default.aspx.

10 Raelin, J. A., “Action Learning and Action Science,” in Organization Development, ed. Joan V. Gallos. (San Francisco: Jossey-Bass, 2006), 203.

11 Based on a random sampling of 24 job postings on Dice and LinkedIn for “Security Architect.”

12 Wordle is a tool for generating “word clouds” from text that you provide. The clouds give greater prominence to words that appear more frequently in the source text, http://www.wordle.com.

Given that security architecture jobs do not require a common baseline of KSAs, inter-organizational communications between security architects could result in differing levels of miscommunication. Such miscommunication both directly and indirectly results in reduced efficiency, loss of productivity, or harm. There are many examples of negative impact, including vendor-customer communications. As an example, organizations rely on vendors for products and services, and there are many instances where vendor-customer relationships degrade based on semantic differences about an emerging technology. The mutuality of vendor-customer relationships often rests on the communication of needs and requirements between the two entities. In some instances, semantic differences result in misunderstandings with consequences ranging from annoyances to financial loss for either or both parties. For example, semantic differences occur when security architects communicate with individuals outside the security community. The word “secure” is a term that has been widely used and abused to describe a desired state with little regard for the potential for semantic differences between two or more parties. As an example, a corporate DMZ may be considered secure when a secure remote access solution is in place. In reality, the presence of a secure remote access solution alone does not provide any assurance of its effectiveness without additional consideration, including configuration and implementation compared against desired objectives.

Knowledge, skills, and abilities of a security architect

Security remains a nebulous concept for practitioners.13 Such ambiguity in the definition of security may help to explain the multitude of diverging definitions of the practice of security architecture. The cliché, “asking five security architects to define security will yield 10 answers,” may have some truth to it. First, a review of security credentials reveals an acronym soup of credentials to distinguish security practitioners that includes, but is not limited to, CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CCSP (Cisco Certified Security Professional), OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), CPT (Certified Penetration Tester), GSEC (Global Information Assurance Certification Security Essentials Certification), CCSE (Checkpoint Certified Security Expert), and Security+. Each credential certifies a candidate against a CBK relative to the accrediting organization, which may be a non-profit or for-profit organization.

While overlaps in CBKs often do exist, every credential requires demonstrable knowledge and understanding of a set of security CBK, and some organizations further require that candidates validate additional prerequisites, such as practical experience in the field, prior to issuance of the credential. Other credentials may require hands-on demonstration to validate KSAs against the CBK. When compared to the academic model of standardization of CBK, where member schools must follow the same baseline curriculum (i.e., Association to Advance Collegiate Schools of Business (AACSB), American Bar Association (ABA), Accreditation Board for Engineering and Technology (ABET), American Medical Association (AMA), or American Psychological Association (APA)), an individual with a CISSP may demonstrate a different perspective on security architecture topics when compared to another with a CPT.

Such disparity serves to decentralize the community and, to some extent, devalue each credential and credentialing organization. As an example, an aspiring security architect with a desire to certify her KSA of penetration testing has several choices for certification, including CPT, CEH, OSCP, and GPEN. Ancillary negative impacts affect job seekers who may be qualified but otherwise lack resources to attain requisite certifications. Consequently, employers may experience difficulty filling a vacancy due to the increased specificity of available credentials and the resulting self-selection based on a credential mismatch.

13 Collette, R., and Gentile, M., “The Security Architect: Bridging the Gap Between Business, Technology and Security,” ISSA Journal (April 2006); Helmich, P., “Security Architectures,” ISSA Journal (May 2003); Thorn, A., Christen, T., Gruber, B., Portman, R., and Ruf, L., 2010. “What is a Security Architecture,” Information Security Society Switzerland, accessed March 12, 2012, http://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf.

Figure 1 – Word Frequency Cloud Chart.

Traditional architecture frameworks

Enterprise architecture is an architectural discipline started in 1987 with the development of the Zachman Framework.14 The Department of Defense (DoD) soon followed suit with an enterprise architecture framework known as the Technical Architecture Framework for Information Management (TAFIM).15 From the TAFIM, The Open Group Architecture Framework (TOGAF) followed in 1995.16 The first enterprise security architecture framework was developed in 1995, then published in 1996 by John Sherwood. SABSA (Sherwood Applied Business Security Architecture) provides a high-level framework for security practitioners to reference when building an enterprise security architecture.17 Sherwood (2005) intentionally avoided specific descriptions and technical details to ensure longevity of the framework.

While SABSA offers a framework for security architects, the lack of specific descriptions and technical details adds to the difficulty in understanding and properly applying the framework in the design of enterprise security architectures. As an example, the SABSA model layers the six questions used in the Zachman framework, “what, why, how, who, where, and when,” against six unique views into the operation of a business, “the business view, architect’s view, designer’s view, builder’s view, tradesman’s view, and facilities manager’s view.” When mapped together, each of the 36 cells makes up the components for developing an enterprise security architecture.18

14 Wikipedia, “Enterprise Architecture Framework.” Last modified March 19, 2012, http://en.wikipedia.org/wiki/Enterprise_Architecture_framework.

15 Ibid.

16 Wikipedia, “The Open Group Architecture Framework.” Last modified April 19, 2012, http://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework.

17 Sherwood, J., Clark, A., Lynas, D., 2005. Enterprise Security Architecture.

18 Ibid.


www.ISSA.org/Resources/Careers.html — ISSA Career Center

Looking for a New Career Opportunity or that Perfect Addition to Your Staff? ISSA’s Career Center offers a community to connect employers and those seeking new opportunities. Current opportunities include: Criminal Justice (Cybersecurity or Forensics) Faculty Opening • Security Engineer - Information Security • Information Security Analyst III • Information Security Specialist • Information Security Professional • Senior Threat Risk Assessment Specialist • Systems Security Analyst • Director of Information Technology • DLP Security Analyst • Senior Security Engineer


Given the comprehensive nature of the SABSA framework, the average implementation requires anywhere from one to one and a half years, including resources dedicated to the development, management, and maintenance of the enterprise security architecture framework.19 Many organizations do not have the resources to devote to such an effort, leaving the adoption of the SABSA approach to select organizations with the desire to tackle the effort. As an example, 8.3% of Security Architect job descriptions included a reference to SABSA or TOGAF.20

A gap and solution

There is a gap between the comprehensive enterprise security architecture frameworks adopted by a minority of organizations and the splintered state of security architecture affecting the rest of the organizations that have not implemented traditional frameworks. A review of a guide published by The Open Group reveals a method to bridge the gap. The Open Enterprise Security Architecture lists three components of enterprise security architecture: governance, technology architecture, and operations.21 Given the three components, the existing ambiguity could be better structured by tying past attempts to structure security architecture to the technology architecture that forms part of the enterprise security architecture. Explicating this approach separates the technology components from governance and would simplify future discussions of security architecture. The traditional concept of security architecture becomes the technical security architecture, while enterprise security architecture provides the umbrella to manage the hierarchy of governance, technology architecture, and operational components. As an example, a security architect without full coverage of governance, technology architecture, and operations should be considered a technology security architect rather than an enterprise security architect. In essence, the objective is to add a qualifier to “security architecture” to distinguish between a minimum of two types of security architects.

In addition to the added hierarchical structure, such an approach simplifies intra- and inter-organizational communication, including hiring functions. For example, a requisition for a technical security architect should focus primarily on the underlying technologies that implement the security policy, while the enterprise security architect oversees the governance, technology architecture, and operations for the program. Concurrently, organizations that do not require separation of the two roles can choose which part of the role is essential and communicate the structure to candidates. For example, a smaller organization may choose to consolidate the governance and policy management function of an enterprise security architect into a higher-level role while hiring a technology architect to manage the hands-on operational components. Conversely, a medium-sized matrixed organization may retain a number of enterprise security architects, each focusing on a different role. Lastly, a larger organization could invest in the implementation of a traditional enterprise security framework and manage the enterprise security architecture roles within the respective framework.

19 IMF Academy, “SABSA Foundation,” http://www.imfacademy.com/areasofexpertise/security_management/SABSA_Foundation.php.

20 Based on a random sampling of 24 job postings on Dice and LinkedIn for “Security Architect.”

21 The Open Group, April 2011, “Open Enterprise Security Architecture,” http://pubs.opengroup.org/epubs/samples/9789087536725SMPL.pdf.

Conclusion

In conclusion, the security architect faces numerous challenges in their practice, including a myriad of organizing entities, credentials, and objectives. The effective security architect must understand the impact of the current state of the profession as well as a logical hierarchy of security architecture in organizations. The gap between organizations with the resources to adopt traditional enterprise security architecture frameworks and those organizations that have not implemented a traditional framework leaves sufficient room for a simpler approach of separating technology components from governance. By differentiating security architects’ focus into governance or technology, a greater number of organizations can build, manage, and maintain a security architecture program with greater consistency and improve the overall security posture of the organization.

About the Author

Tohru Watanabe, CISM, CISSP, helps organizations define requirements and integrate products and services to protect information assets. Tohru has over 16 years’ experience in IT, holds a Bachelor’s in Business Administration, and is working to complete a Master’s program. In his free time, Tohru enjoys piloting a variety of fixed-wing aircraft, exploring entrepreneurial interests, and traveling. He can be reached at [email protected].

Hidden Requirements continued from page 9

self how you measure up on the unwritten requirements scale. The time to think about where you need improvement is now. Corporations are shifting cultures and placing much more value on technology professionals who also display strong soft skills and business acumen. Improving these skills makes you more valuable to both your current company and your potential future employer.

About the Author

Joyce Brocaglia is the CEO of Alta Associates, the leading recruiting firm specializing in information security, IT Risk Management, and GRC, and founder of the Executive Women’s Forum (www.ewf-usa.com), a community of leading experts in IT Risk, Security, and Privacy. Joyce may be reached at www.altaassociates.com and [email protected].


Prerequisites

Windows
Sandboxie 3.64 or later1

On April 10, 2012, a new version of Sandboxie was released, and on April 16 so too was a new version of the Buster Sandbox Analyzer,2 which uses Sandboxie at its core. Voila! Instant toolsmith fodder.

It’s been a few months since we’ve covered a malware analysis-specific tool, so the timing was excellent.

Buster Sandbox Analyzer (BSA) is intended for use in analysis of process behavior and system changes (file system, registry, ports) during runtime for evaluation as suspicious. You’ll find it listed among the Sandbox Tools for Malware Analysis on one of my favorite Internet resources, Grand Stream Dreams.3

As always, I pinged the developer, and Pedro Lopez (pseudonym) provided me with a number of insightful details.

He releases new versions of Buster Sandbox Analyzer on a fairly regular basis;4 version 1.59 is current as I write this. There’s an update mechanism built right into BSA; just click Updates, then Check for Updates. Pedro has recently improved static analysis, and he’s always trying to improve dynamic analysis, as he considers it the most important aspect of the tool.

For future releases the TO-DO list is short, given over two years of constant development. The following features are planned:

• A feature to analyze URLs in automatic mode.

• Utilizing the information stored in the SQL database, a feature to generate statistics including used compressors, detected samples, and others.

Pedro continuously looks for new malware behaviors to include and improvements for the features already implemented. Your feedback is welcome here, readership.

Pedro was first motivated to create the tool thanks in large part to Sandboxie. “Before I started coding Buster Sandbox Analyzer back in late 2010, I knew of Sandboxie already. I started using this great software around 2008 and had coded other utilities using Sandboxie as a file container, so I knew already of the potential to write other types of programs for use with Sandboxie. I created Buster Sandbox Analyzer because I didn’t like that all publicly available malware analyzers were running under Linux. I like Linux-based operating systems but I’m mainly a Windows user, so I wanted a malware analysis tool running under Windows. I knew Sandboxie was perfect for this task and with the help of Ronen Tzur (Sandboxie’s author) it was possible to do it.”

1 http://www.sandboxie.com/.

2 http://bsa.isoftware.nl/.

3 http://grandstreamdreams.blogspot.co.uk/2012/04/malware-analysis-resources.html.

4 http://bsa.isoftware.nl/frame8.htm.

Pedro cites several favorite use cases, but two are standouts for him:

1. Use the tool to learn what files and registry modifications were created by a program. While this use case is not always directly related to malware analysis, it can be used by any user who wants such information regarding program behavior.

2. Use the tool to learn if a file (executable, PDF document, Word document, etc.) exhibits malware-specific behavior.

Goes without saying, right?
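The first use case above, recording what files a program creates or changes, is the core of any sandbox report. The script below is an added illustration of that technique and is not BSA’s own code: it takes a hashed snapshot of a directory tree before and after a run, diffs the two, and flags writes under the Windows directory, the kind of change the forum user quoted further down was looking for (“no writing to Windows,” “no files created in temp folders”). The sandbox root, the stand-in program simulate_installer() and every path and file content it writes are constructed for the demonstration; registry changes and network activity, which BSA also records, are out of scope here.

```python
"""File-system change detection by snapshot diff (added example, not BSA's
code). The sandbox root and the simulated program below are constructed
for the demonstration: simulate_installer() stands in for the program
under analysis and writes made-up files."""

import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Created, modified and deleted paths between two snapshots, each sorted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def flag_suspicious(result):
    """Writes under the Windows directory (including Windows/Temp): changes a
    benign application install rarely needs and an analyst should inspect."""
    return sorted(p for p in result["created"] + result["modified"]
                  if p.startswith("Windows/"))


def seed_sandbox(root):
    """Files the sandbox starts with (constructed)."""
    root = Path(root)
    (root / "Windows").mkdir(parents=True, exist_ok=True)
    (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "readme.txt").write_text("pre-existing\n")


def simulate_installer(root):
    """Stand-in for the analysed program: installs itself, drops a file in
    Temp, edits the hosts file and deletes a file (all constructed)."""
    root = Path(root)
    (root / "Program Files" / "TaxApp").mkdir(parents=True, exist_ok=True)
    (root / "Program Files" / "TaxApp" / "tax.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "Windows" / "Temp").mkdir(parents=True, exist_ok=True)
    (root / "Windows" / "Temp" / "dropper.tmp").write_bytes(b"placeholder")
    (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
    (root / "readme.txt").unlink()


def analyze_run(program, root=None):
    """Snapshot the sandbox, run program(root), snapshot again, return the diff."""
    root = root or tempfile.mkdtemp(prefix="bsa-demo-")
    seed_sandbox(root)
    before = snapshot(root)
    program(root)
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    result = analyze_run(simulate_installer)
    for kind in ("created", "modified", "deleted"):
        print(f"{kind}: {result[kind]}")
    print("suspicious:", flag_suspicious(result))
```

Hashing rather than comparing timestamps is deliberate: a program that rewrites a file with identical content, or one that resets modification times, shows up correctly either way. On a real sandbox the same diff would be run against the Sandboxie container directory with the analysed program in place of simulate_installer.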

Pedro reports that Buster Sandbox Analyzer suffers from a lack of user feedback (help change that!). He’s not really sure how many people have used it to date or how many use it regularly, but does recall one success story from a user on the Wilders Security Forums:

“I was shopping on Usenet for some tax software... I found it and ran it in the sandbox. As is my practice, I explored the installed files. Everything worked well. No obvious signs of infection, no writing to Windows, no start/run entries, and no files created in temp folders. But I still wasn’t satisfied. I used Buster’s program and reran the install...The program logs were literally laced with created events, DNS queries to Russia, and many hidden processes. Needless to say, I kept it in the sandbox.”

One message to convey to you, readers: a few versions ago Pedro introduced multi-language support; there are translations for Spanish, Russian and Portuguese (Brazil), while a translation to German may be available soon. He would like to have translations for Italian, French, Japanese, and Chinese and would be grateful if someone can contribute translations for these languages.

Given the likelihood that this article will be read by security professionals, Pedro welcomes anyone who tries out BSA and has suggestions, ideas, feedback, bugs, etc., to send them to his attention at malware dot collector at gmail dot com.

toolsmith: Buster Sandbox Analyzer

By Russ McRee – ISSA Senior Member, Puget Sound (Seattle), USA Chapter


toolsmith: Buster Sandbox Analyzer | Russ McRee

Configure BSA

Refer to the installation and usage documentation on the BSA site as your primary source; you may also find the BSA guidance at reboot.pro5 helpful, if a bit dated. Consider it documentation reloaded. Actual installation of both Sandboxie and BSA is really straightforward, but there are some configuration tricks worth paying attention to. After reading reboot.pro, be sure to add the following to the Sandboxie default configuration file:

InjectDLL=C:\BSA\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

Even more importantly, this assumes you’ve installed BSA in C:\bsa. If you choose differently, you must modify the Sandboxie configuration file accordingly. Avoid the Program Files directories on later versions of Windows, given the need for administrative permissions to write there.
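As an added check, not part of BSA or Sandboxie, the script below parses a Sandboxie-style configuration and verifies that the three settings listed above are present in the default sandbox and that the InjectDLL path actually exists on disk, which catches the install-path mismatch just described. It assumes the file uses [Section] headers with key=value lines that may repeat (several InjectDLL lines are allowed) and that the default sandbox lives in a [DefaultBox] section; the sample configuration text is constructed, and path_exists is injectable so the check can run on a machine without BSA installed.

```python
"""Sandboxie configuration check for BSA (added example, not project code).

Assumes a Sandboxie.ini-style file: [Section] headers, key=value lines that
may repeat (several InjectDLL lines are allowed), and a [DefaultBox]
section for the default sandbox. Both the layout and the sample text below
are assumptions constructed for this demonstration."""

import os

# Settings the column says to add. None means "any value; the path is
# checked separately for existence".
REQUIRED = {
    "InjectDLL": None,
    "OpenWinClass": "TFormBSA",
    "NotifyDirectDiskAccess": "y",
}

# Constructed sample: BSA installed at the default C:\BSA location.
SAMPLE_OK = """
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
InjectDLL=C:\\BSA\\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
"""


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_bsa_settings(text, section="DefaultBox", path_exists=os.path.isfile):
    """Return a list of problems; an empty list means the sandbox is BSA-ready.

    Keys are compared case-insensitively (assumption about Sandboxie's
    handling); path_exists can be replaced to test without a real install."""
    entries = parse_ini(text).get(section)
    if entries is None:
        return [f"section [{section}] not found"]
    by_key = {}
    for key, value in entries:
        by_key.setdefault(key.lower(), []).append(value)
    problems = []
    for key, expected in REQUIRED.items():
        values = by_key.get(key.lower(), [])
        if not values:
            problems.append(f"{key} missing")
        elif expected is not None and expected not in values:
            problems.append(f"{key} is {values}, expected {expected}")
    # Every injected DLL must exist; a stale C:\BSA path after installing
    # elsewhere is the mismatch the column warns about.
    for dll in by_key.get("injectdll", []):
        if not path_exists(dll):
            problems.append(f"InjectDLL path {dll} does not exist "
                            "(is BSA installed somewhere else?)")
    return problems


if __name__ == "__main__":
    # Simulated disk states so the demo runs without BSA; on a real machine
    # pass the contents of the Sandboxie configuration file and leave
    # path_exists at its default.
    installed_at_c = lambda p: p.lower() == r"c:\bsa\log_api.dll"
    nothing_installed = lambda p: False
    print("ok  :", check_bsa_settings(SAMPLE_OK, path_exists=installed_at_c))
    print("bad :", check_bsa_settings(SAMPLE_OK, path_exists=nothing_installed))
```

Repeated keys are kept rather than collapsed because Sandboxie configurations can carry more than one InjectDLL line; the check only insists that the required value is among them, so an existing entry for another tool does not produce a false alarm.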

I’m a big fan of Windows shell integration with any tool that offers it. Under Options | Program Options | Windows Shell Integration select Add right-click action “Run BSA” and “Analyze in BSA.”

From Options set Common Analysis Options to include saving packet captures under Packet Sniffer via Save Capture To File. Be sure to select the correct adapter here as well. Note: BSA utilizes NetworkMinerConsole.exe for PCAP analysis.

Also set your Report Options from the Options menu. I prefer HTML; you may also select PDF and XML. You may also like the SQL options where you can write to a SQL database for analysis and report results.

Be sure to check out the additional features under the Utilities menu, including submittal to online analyzers, file tools including disassembly, hashing, hex editing, renaming, signature check, scanning, and strings. There are also “explorers” for memory, PCAPs, PE files, processes, and registry hives as seen in figure 1.

5 http://reboot.pro/14602/.

Experiment and fine tune your settings. To then remember settings and load them automatically when the tool starts, select Options | Program Options | Save settings on exit. You can also save multiple configuration files via Options | Program Settings | Save Settings As so as to make use of different analysis patterns.

Lastly, and I imagine you knew I was going to say this, I run BSA in a Windows XP virtual machine and on a bare metal install of Windows 7 running SteadierState. Some malware not only knows when it’s running in a VM but it knows when it’s running in Sandboxie. If you suspect that’s the case, you can hide Sandboxie during a BSA run via Program Options | Hide Sandboxie.

Using BSA

I wanted to test BSA in two different capacities, one with a browser-borne exploit and one with a “normal” PE.

I am privileged to receive a daily report inclusive of a number of drive-by exploit vehicles, so I am always rich in options for exploration, and hxxp://www.ugpag.cd/index.php?option=com_content&view=article&id=49&Itemid=75 was no exception.

To examine, I started BSA via bsa.exe in C:\BSA, tuned my BSA configuration to include some additional reporting options, clicked Start Analysis, right-clicked Internet Explorer and chose Run Sandboxed (given that Sandboxie is also integrated right into the Windows shell), and finally browsed to the ugpag.cd site. Once I willingly stepped through a few browser blocks (yes, I’m sure I want to do that), the “infection” process completed and I chose Terminate All Programs by right-clicking on the system tray Sandboxie icon, followed by Finish Analysis in BSA.

A few key elements jumped right out during BSA analysis and findings.

First, the site spawned an instance of Windows Media Player in order to “play” hcp_asx as seen in figure 2.

Figure 1 – BSA Explorer features.

Figure 2 – Pwned site spawns Media Player for hcp_asx.


Second, when reviewing Report.html, I quickly spotted two evil URLs (lukastroy.in & zdravyou.in) under Network Services. Also note the process/window information as seen in figure 3.

A quick URLquery.net search for the URLs called gave me everything I needed to know.

Yep, BlackHole exploit kit. That was easy.

I used a Banload sample (MD5: D03BF6AE5654550A8A0863F3A265A412) to validate BSA PE analysis capabilities. As expected, they were robust. The File Disassembler utility immediately discerned that the sample was UPX-packed. Figure 4 points out a number of revealing elements.

Of interest is the fact that a connection is made to hxxp://alessandrodertolazzi.hospedagemdesites.ws (187.45.240.69) in Brazil with attempts to download mac.rar. Banload/Banker commonly originates from Brazil, so this comes as no surprise. This sample is a bit dated, so the evilware hosted on Alessandro’s site is long gone, but you get the idea. If you optimize your BSA reporting options to include Virustotal results, the changes to file system section will include all the detections for created files as seen in figure 5.

The opportunities for exploration are many with Buster Sandbox Analyzer, and the fact that it’s free and regularly developed is of huge benefit to our community. Among the features you may find noteworthy and useful are BSA’s ability to automatically analyze a folder in a batch process as well as dump analyzed processes. BSA has moved to the top of my list for sandbox analysis, plain and simple.

In conclusion

The combined strengths of Sandboxie and Buster Sandbox Analyzer make for a truly powerful combination and an invaluable malware analysis platform. There’s no reason not to start exploring right away. As always, do be careful playing with live samples and remember to provide feedback to the BSA project; your support is welcome.

Ping me via email if you have questions (russ at holisticinfosec dot org).

Cheers…until next month.

Acknowledgements—Pedro Lopez, lead developer, Buster Sandbox Analyzer

About the Author

Russ McRee leads the incident management and penetration testing functions for Microsoft’s Online Services Security team. He advocates a holistic approach to information security via holisticinfosec.org and volunteers as a handler for the SANS Internet Storm Center. Reach him at russ at holisticinfosec dot org or @holisticinfosec.

Figure 3 – BSA reporting reveals BlackHole URLs.

Figure 4 – BSA API logging reveals Banload behavior.

Figure 5 – BSA reporting provides Virustotal results with created file.

Expanded listings – www.issa.org/News/Events.html

Conferences

ISSA Events

IT Security Summit New Mexico (ITSSNM) – “The Perfect Storm”
May 3, 2012, Santa Fe Community College

Whether your organization has recently consolidated your infrastructure using virtualization or you want to better understand the current security threats, you won’t want to miss the ITSSNM in Santa Fe.

The ITSSNM will be a dynamic forum where government, academia, and private industry Information Technology and Information Assurance professionals will have the opportunity to network, exchange information, and engage in discussions on IT Security best practices, trends, and emerging technologies.

For more information and registration: www.fbcinc.com/e/ITSSNM/default.aspx.

Portland Chapter Hosts: NW ISSA Security Summit
May 3, 2012, Oregon Convention Center – Portland, Oregon
Cost: $65. Discount: $50 for ISSA/ISACA/(ISC)2 members

The NW ISSA Security Summit is a full day special event at InnoTech Oregon. Designed for and by security professionals, this conference offers in-depth conference sessions on the latest issues and trials facing IT Security in the NW. To register: www.innotechconferences.com/oregon/about-2/registration.

ISSA Turkey Grand Security Conference
May 11-12, 2012, Microsoft Turkey Office/Bellevue Residences, Levent-Istanbul
Cost: Free

Join us at this Middle East security conference hosted in Istanbul by ISSA Istanbul Grand Security. For more information about this event: itgsc.issatr.org/. To register: itgsc2012.eventbrite.com.

Fourth Annual Los Angeles Information Security Summit: Protect Your Organization from the Growing Cyber Threat
May 16, 2012, Universal Hilton, Universal City, Los Angeles, California
Cost: $199. Discount to ISSA members: $125.

Never before has it been so important for our community to learn about the dangers of cybercrime and what they need to do to protect their organizations from loss. Not just for the information security professional, the Summit will build on our chapter’s tradition of being the only educational forum in Los Angeles specifically designed to encourage participation and interaction among three vital information security constituencies: business leaders, technology professionals and information systems security leaders. Speakers include Alan Paller, Ira Winkler, Chris Coffey, and Lance Spitzer.

For more information: www.issala.org.

ISSA CISO Executive Forum
Denver, CO: May 16-17, 2012
Boston, MA: August 2-3, 2012
Anaheim, CA: October 26-27, 2012

For details on the CISO Forum: www.issa.org/ciso/?p=96.

*CISO Executive Memberships are subject to approval. Applicants and guests must be executive level information security professionals, reporting directly to the CEO, CFO, or CIO, and be responsible for internal security for their organization. For complete membership criteria: www.issa.org/ciso/?p=96.

Denver Chapter Hosts The Rocky Mountain Information Security Conference
May 17-18, 2012, Sheraton Denver Downtown, 1550 Court Pl, Denver, CO

Cost: Thursday, optional full-day training - $250; Friday, main conference: student/government/military - $100, ISSA/ISACA member - $200; Non-member - $250.

The Rocky Mountain Information Security Conference (RMISC) is the only conference of its kind in the Rocky Mountain region. The RMISC is a convenient, affordable knowledge-builder for IT security, audit, and compliance professionals at all levels. The RMISC provides the perfect blend of education, networking, and opportunities that are critical to your success in today’s economy and security climate! Pre-conference full-day workshops provide in-depth training with courses for management, technical, and audit professionals. For more information and for registration: www.rmisc.org.

Fifth Annual Central Ohio InfoSec Summit
May 17-18, 2012, Hyatt Regency, Downtown Columbus

Cost: $175.

Join information security practitioners and executives from throughout the region as we bring together the leaders in our profession for two days of intense lecture and study across various tracks. You will choose from highly technical, technical, management, and executive level sessions, as we tackle the latest industry trends, issues, and solutions. Attendance at this event will qualify an individual for 14 CPEs. The summit will be held in the same location as last year, Hyatt Regency, Downtown Columbus. Keynote presentations from nation-


Have a chapter event to post? Let us know – [email protected].


Industry EventsSecureWorld Expo Charlotte, May 2-3, 2012 • Philadelphia, May 23-24, 2012

SecureWorld Expo brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security. SecureWorld helps IT professionals earn required CPE training credits. Located in different regions throughout the U.S., SecureWorld is at the convergence of Information Security, Physical Security, GRC, IT Audit, Computer Forensics, Business Continuity, Consumerization, Cloud Security, Privacy, and Security Awareness.

ISSA MEMBERS are offered a $100 discount off the $265 conference pass, which includes access to the Conference Sessions, Conference Breakfast Keynote, Exhibits and Open Sessions with Lunch Keynote, and 12 CPE credits. Register online using code ISSNWS12.

SecureWorld + Extended Training 2012 includes 4+ hours of intensive training worth 16 CPE credits and full access to the complete SecureWorld conference program. The SecureWorld + pass is only $495 with a special ISSA member discount; register using code ISSNWS12.

For conference details and to register go to www.secureworldexpo.com/.

Infosecurity Montevideo 2012
Thursday, May 3, 2012, Centro de Convenciones y Eventos de la Torre de los Profesionales, Montevideo, Uruguay
Cost: Free

INFOSECURITY 2012, a Week of Security in Montevideo: Cloud and Mobile Security. This event includes senior-level strategies for protecting information, cyberwar for corporations, cloud security (protecting information outside of your organization), privacy (a problem without a solution?), and protecting your executives (or protecting yourself from them?).

For more information regarding this event contact the ISSA Uruguay chapter: http://uruguay.issa.org/contacto.

Security Development Conference
May 15-16, 2012, Washington DC, USA
Discount to ISSA members: $200; Discount code: ISSA@sdc2012%!29.

The inaugural Microsoft Security Development Conference 2012 will bring together industry professionals to network and learn from security experts about secure development practices. SDC 2012 will include information for leaders in software engineering, process and business management who are responsible for implementing or accelerating the adoption and effectiveness of secure development practices in their organizations. To register or for more information: www.securitydevelopmentconference.com/main.aspx.

ally renowned speakers include: Howard Schmidt, Richard Clarke, Curtis Levinson, Rob Rachwald, and William Hagestad, to name a few.

For registration and more details: www.centralohioissa.org/?page_id=936.

North Alabama Chapter Hosts: 4th Annual Cyber Security Summit
June 7, 2012, Von Braun Convention Center, Huntsville, Alabama

The North Alabama chapter of ISSA is pleased to announce the 4th Annual North Alabama Cyber Security Summit, co-presented by Cyber Huntsville. This one day event attracts 450+ attendees and over 45 exhibitors, providing opportunities for business and intellectual engagement among attendees on topics related to Information Assurance and Cyber Security.

For more information and registration: www.cyber-security-summit.org.

ISSA International Conference
October 25-26, 2012, Disneyland Hotel, Anaheim, CA – USA

New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney's innovative vision, the cybersecurity community will gather at the Magic Kingdom on October 25-26 to look at change as a chance to achieve excellence. Disruptions like "big data," "cloud computing," massive collaboration, and business transformation make it possible for us to blaze new trails and build effective foundations. We are enabling our work forces to be mobile and productive while protecting sensitive data. We build systems and policies that impede our foes and guard our constituents.

This is an exciting time to be in the information security field and we are all vital in making our businesses faster, better, smarter and, most importantly, safer. Imagine the possibilities.

Special events held in conjunction with the International Conference:

• Chapter officers plan on arriving in Anaheim early to attend the Chapter Leaders Summit on October 24*.

• CISO Executive members and guests please join us for the 4th Quarter CISO Forum on October 27*, immediately following the International Conference.

*Open to qualified attendees only.

For more information: www.issaconference.org.


Page 45: ISSA Journal May 2012

ISSA Code of Ethics
The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I have in the past and will in the future:

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
• Promote generally accepted information security current best practices and standards;
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
• Discharge professional responsibilities with diligence and honesty;
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

Signature ________________________________________________________________________ Date ____________________________

ISSA Privacy Statement: The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/privacy.htm.

To enable us to better serve your needs, please complete the following information:

Your Industry (select only ONE letter from below and enter here) _________
A. Advertising/Marketing
B. Aerospace
C. Communications
D. Computer Services
E. Security
F. Consulting
G. Education
H. Computer Tech-hard/software
I. Electronics
J. Engineering/Construction/Architecture
K. Financial/Banking/Accounting
L. Government/Military
M. Hospitality/Entertainment/Travel
N. Information Technologies
O. Insurance
P. Internet/ISP/Web
Q. Media/Publishing
R. Legal
S. Manufacturing/Chemical
T. Medicine/Healthcare/Pharm.
U. Real Estate
V. Retail/Wholesale/Distribution
W. Transportation/Automobiles
X. Energy/Utility/Gas/Electric/Water
Y. Other __________

Your Primary Job Title (select only ONE number from below and enter here) _________
1. Corporate Manager/CIO/CSO/CISO
2. IS Manager/Director
3. Database Manager, DBA
4. Database Specialist, Data Administrator
5. Application Manager
6. Applications Specialist
7. Systems/Tech Support Manager
8. Systems Programmer/Tech Support
9. Operations Manager
10. Operations Specialist
11. LAN/Network Manager
12. LAN/Network Specialist
13. Security Specialist
14. Contingency Planner
15. Sales/Marketing Specialist
16. Independent Consultant
17. Engineer
18. Auditor
19. President/Owner/Partner
21. Financial Manager
22. Administrator
23. Educator
24. Other ______

Your Areas of Expertise (circle all that apply)
A. Security Mgmt Practices
B. Business Continuity/Disaster Recovery
C. Network Security
D. Access Control Systems/Methods
E. Security Architecture
F. Applications/Systems Development
G. Law/Investigations/Ethics
H. Encryption
I. Operations Security
J. Physical Security
K. Telecommunications Security
L. Computer Forensics

I heard about ISSA from (circle one): Conference Poster ISSA Website Business Reply Card An ISSA Member :_____________________________________ Other ____________________

Would you like to receive free product information and special promotional offers via mail from the industry's leading vendors? [ ] Yes [ ] No

ISSA Membership Application
Return completed form with payment. * Required Entries

ISSA Member Application 4/12

* Name _________________________________________________________ Job Title ____________________________________

* Employer _______________________________________________________ * Email ______________________________________

Certifications ____________________________________________________ * Daytime Phone _______________________________

* Address 1 ______________________________________________________ Evening Phone _______________________________

Address 2 ______________________________________________________ Fax _______________________________________

* City ___________________________________________________________ * Country ____________________________________

* State/Province ___________________________________________________ * Zip/Postal Code ______________________________

* Account Verification: What is the last high school you attended? ______________________________________________________________

Note: In order to obtain personal information and account access over the phone, ISSA Member Services will ask for Account Verification. Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.

Membership Fees
* Membership Category _______________________________ (list on reverse)

* Chapter(s) _______________________________________ (required within 50 miles of local chapter)

ISSA Member Dues (on reverse) $ _____________

Chapter Dues x Years of Membership (on reverse) $ _____________

Additional Chapter Dues (if joining multiple chapters, optional) $ _____________

Total Membership Due $ _____________

Donation to ISSA Foundation $ _____________

Total Due $ _____________

Full payment must accompany this form. Mail check/money order (payable to ISSA) to:

ISSA Headquarters 9220 SW Barbur Blvd #119-333

Portland, OR 97219

Phone +1 (206) 388-4584 • Fax +1 (206) 299-3366

www.issa.org

Or fax credit card information. Please see other side.

Page 46: ISSA Journal May 2012

Risk Radar: Real-World Rogue AV | Ken Dunham

ISSA Chapters & Annual Dues ($)
Changes/additions – visit our website – www.issa.org

At-Large: 25

Asia Pacific:
Chennai 0; Hong Kong 0; Philippines 20; Singapore 10; Sri Lanka 10; Sydney 0; Tokyo 30; Victorian 0.

Europe, Middle East & Africa:
Brussels European 40; Egypt 0; France 00; Irish 155; Israel 0; Italy 65; Netherlands 30; Nordic 0; Poland 0; Romania 0; Saudi Arabia 0; Germany 30; Spain 60; Switzerland 80; Turkey 30; UK 0.

Latin America:
Argentina 0; Barbados 25; Brasil 5; Chile 30; Colombia 5; Ecuador 0; Lima, Perú 5; Puerto Rico 35; Uruguay 0.

North America:
Alamo 20; Alberta 25; Amarillo 25; ArkLaTex 0; Baltimore 20; Baton Rouge 25; Blue Ridge 25; Bluegrass 0; Boise 25; Buffalo Niagara 25;
Capitol Of Texas 35; Central Alabama 0; Central Florida 25; Central Indiana 25; Central New York 0; Central Ohio 20; Central Pennsylvania 20; Central Plains 30; Central Virginia 25; Charlotte Metro 30;
Chicago 30; Colorado Springs 25; Connecticut 20; Dayton 25; Delaware Valley 20; Denver 25; Des Moines 30; East Tennessee 35; Eastern Idaho 0; Eastern Iowa 0;
Fort Worth 20; Grand Rapids 0; Greater Augusta 25; Greater Cincinnati 10; Greater Spokane 20; Hampton Roads 30; Hawaii 20; Inland Empire 20; Kansas City 20; Kentuckiana 35;
Lansing 20; Las Vegas 30; Los Angeles 20; Madison 15; Mankato 20; Melbourne, FL 25; Memphis 30; Metro Atlanta 30; Middle Tennessee 35; Milwaukee 30;
Minnesota 20; Montana 25; Montgomery 35; Montreal 0; Motor City 25; Mountaineer 25; National Capital 25; New England 20; New Hampshire 20; New Jersey 20;
New York Metro 55; North Alabama 15; North Dakota 25; North Oakland 25; North Texas 20; Northeast Florida 30; Northeast Indiana 10; Northeast Ohio 20; Northern New Mexico 20; Northern Virginia 25;
Northwest Arkansas 15; Oklahoma 30; Oklahoma City 25; Omaha 0; Orange County 20; Ottawa 10; Palouse Area 30; Phoenix 30; Pittsburgh 30; Portland 30;
Puget Sound 20; Quebec City 0; Rainier 20; Raleigh 25; Rochester 15; Sacramento Valley 20; San Diego 30; San Francisco 20; SC Midlands 25; Silicon Valley 30;
South Florida 20; South Texas 30; Southeast Arizona 20; Southern Indiana 20; Southern Maine 20; Southern Tier of NY 0; St. Louis 20; Tampa Bay 20; Tech Valley Of New York 35; Texas Gulf Coast 30;
Toronto 20; Tri-Cities 20; Triad of NC 25; Tucson, AZ 10; Upstate SC 0; Utah 15; Vancouver 20; Ventura, CA 30; Yorktown 30.

ISSA Membership Categories and Annual Dues

ISSA Member Application 2/12

General Membership: $95 plus chapter dues
Professionals who have as their primary responsibility information systems security in the private or public sector, or professionals who supply information systems security consulting services to the private or public sector; or IS Auditors, or IS professionals who have as one of their primary responsibilities information systems security in the private or public sector; Educators, attorneys and law enforcement officers having a vested interest in information security; or Professionals with primary responsibility for marketing or supplying security equipment or products. Multi-year memberships for General Members are as follows (plus chapter dues each year):

2-Year: $185; 3-Year: $270; 5-Year: $435

Government Organizational: $90 plus chapter dues
This membership offers government agencies the opportunity to purchase membership for an employee. This membership category belongs to the employer and can be transferred as reassignments occur. When an employee is assigned to this membership, he or she has all of the rights and privileges of a General Member.

Student Membership: $30
Student members are full-time students in an accredited institution of higher learning. This membership class carries the same privileges as that of a General Member except that Student Members may not vote on Association matters or hold an office on the ISSA International Board. There is no restriction against students forming a student chapter.

CISO Executive Membership: $995
The role of information security executives continues to be defined and redefined as the integration of business and technology evolves. While these new positions gain more authority and responsibility, peers must form a collaborative environment to foster knowledge and influence that will help shape the profession. ISSA recognizes this need and has created the exclusive CISO Executive Membership program to give executives an environment to achieve mutual success. For more information about CISO Executive Membership and required membership criteria, please visit the CISO website: http://ciso.issa.org.

Credit Card Information
Choose one: [ ] Visa [ ] MasterCard [ ] American Express

Card # ___________________________________ Exp. Date _____________

Signature _____________________________________________________

ISSA Foundation: A tax-deductible contribution, as allowed by US tax code, can be made in addition to your ISSA Membership Payment. For more information on the foundation and its programs, visit www.issaef.org.

Donation Amount $ ______________________________________________

Signature _____________________________________________________

Page 47: ISSA Journal May 2012

Lemons or Lemonade?

Crypto Corner

By Luther Martin – ISSA member, Silicon Valley, USA Chapter

At the 2011 RSA Conference, Peter Gutmann, a researcher in the computer science department of the University of Auckland, gave an interesting talk about the history of X.509-based public-key infrastructure (PKI) that described how a series of mistakes by PKI vendors dramatically limited the use and acceptance of the technology.1 Understanding past failures can help us avoid repeating them, so let's take a closer look at one explanation for why PKI failed to deliver all that it first promised.

Some of the problems that PKI experienced can be explained by economist George Akerlof's insight into why some markets fail. Akerlof shared the 2001 Nobel Prize in economics for his analysis of how markets in which the seller knows more than the buyer can collapse.2 The most famous example of his argument explains why problems can arise in the market for used cars.

Suppose that all used cars are worth $10,000 if they are in good repair, but half of them ("lemons") actually need $2,000 worth of repairs. What happens if buyers can't tell the difference between the good cars and the lemons? In this case, buyers should expect to spend an average of $1,000 (50 percent of $2,000) on repairs for a typical used car, so the buyers' imperfect knowledge would set the market price of used cars at $9,000: $10,000 minus the expected additional cost of $1,000.

But at this price, those who have cars that are actually in good repair will not be inclined to sell them. After all, their cars are worth $10,000, but they can only get $9,000 for them. This means that the cars offered for sale at $9,000 will tend to be the lemons. The lower quality of the cars offered for sale will in turn lower buyers' expectations and, with them, the market price for used cars, and this downward spiral in quality and price could even cause the market for used cars to collapse entirely.

Information security is similar to the used car market in some ways. In particular, there is often a considerable difference in knowledge between buyers and sellers, and encryption products may be one of the best examples of where this happens. Encryption vendors often employ specialists with an extremely deep understanding of encryption technology. Most users of encryption technology, on the other hand, don't understand it nearly as well. But their job is to use the technology to solve business problems, not to understand the details of exactly how and why it works, so that is what we should expect to see.

Gutmann described how, in the absence of easy ways to tell high-quality PKI products from low-quality ones, users of PKI developed some quick-and-dirty tests to help them do this. An important one of these was checking how well a particular PKI product worked with the certificates created by other vendors' products.

But then bugs crept into leading PKI products, bugs that made them create certificates that should have been rejected as invalid. And because the technology was fairly arcane, it was hard for people to tell that the improperly created certificates should have been considered invalid.

How did the other vendors react to this problem? They actually changed their products to let the bad certificates pass their validity tests. If they hadn't done this, they would have been perceived as inferior because they couldn't work well with the buggy certificates. And as the number of bugs in certificate validation increased over time, the result was a downward spiral in quality much like the one that Akerlof described.

The net result was that many of the advanced features of digital certificates turned out to be too unreliable to use. A digital certificate still cryptographically bound an identity to a particular public key, but the additional policy information that a certificate could carry ended up not being very useful because of the unpredictable way that applications would handle it. This meant that PKI technology couldn't deliver its promise of a security infrastructure that could support the implementation of online business processes. And it may have happened because it was hard for people to tell whether they had lemons or lemonade.

1 Session STAR-304, "PKI Markets: Lemons and Lemonade," based on his earlier article: P. Gutmann, "PKI: It's Not Dead, Just Resting," Computer, Vol. 35, No. 8, pp. 41-49, 2002.

2 G. Akerlof, "The Market for 'Lemons': Quality Uncertainty and the Market Mechanism," Quarterly Journal of Economics, Vol. 84, No. 3, pp. 488-500, 1970.

About the Author
Luther Martin is the Chief Security Architect for Voltage Security. You can find his daily thoughts on information security at http://superconductor.voltage.com and can reach him at [email protected].
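The unravelling that the column's used-car paragraphs describe can be run through as a small simulation. The Python below is an added illustration, not code from the column or from its author; it assumes the two rules the $10,000/$9,000 story relies on: buyers pay the average value of whatever cars are actually offered at the going price, and an owner only sells when the price is at least what the car is worth. The first scenario is the column's own two-type market; the second, a continuous spread of car values, is a hypothetical extension that shows the market collapsing outright rather than settling on a lemons-only price.

```python
"""Akerlof 'market for lemons' unravelling as a fixed-point iteration.

Added illustration for the Crypto Corner column; not the column's own code.
Assumptions (the example's, not the column's):
  * buyers cannot tell cars apart, so they pay the average value of the cars
    actually offered at the going price;
  * an owner offers a car for sale only if the price is at least the car's
    true value to them.
"""
from typing import List, Sequence


def offered(values: Sequence[float], price: float) -> List[float]:
    """Cars whose owners are willing to sell at `price`."""
    return [v for v in values if v <= price]


def buyers_price(values: Sequence[float], price: float) -> float:
    """What uninformed buyers will pay next round: the average value of the
    cars on offer at the current price (0 if nobody is selling)."""
    on_offer = offered(values, price)
    if not on_offer:
        return 0.0
    return sum(on_offer) / len(on_offer)


def unravel(values: Sequence[float], start_price: float,
            max_rounds: int = 100) -> List[float]:
    """Iterate price -> sellers -> new price until the price stops moving.

    Returns the sequence of market prices, beginning with `start_price`.
    """
    prices = [float(start_price)]
    for _ in range(max_rounds):
        nxt = buyers_price(values, prices[-1])
        if nxt == prices[-1]:
            break
        prices.append(nxt)
    return prices


# --- constructed scenarios ---------------------------------------------------

# The column's example: every car is worth $10,000 in good repair, but half
# are lemons needing $2,000 of work, so a lemon is really worth $8,000.
TWO_TYPE_MARKET = [10_000.0] * 50 + [8_000.0] * 50

# Hypothetical extension: car values spread evenly from $0 to $10,000.
CONTINUOUS_MARKET = [100.0 * i for i in range(101)]


def two_type_path() -> List[float]:
    """Price path for the column's market: $10,000 -> $9,000 -> $8,000."""
    return unravel(TWO_TYPE_MARKET, 10_000)


def continuous_path() -> List[float]:
    """Price path for the continuous market: halves each round, ends at $0."""
    return unravel(CONTINUOUS_MARKET, 10_000)


if __name__ == "__main__":
    print("two-type market  :", two_type_path())
    print("continuous market:", continuous_path())
```

In the two-type market the price drops once the good cars leave and then settles at $8,000 with only lemons changing hands. With a continuous spread of quality there is no floor: each round the better half of the remaining sellers withdraws, buyers lower their bid to match, and the price walks down to zero, which is the full collapse Akerlof's argument allows for.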


Page 48: ISSA Journal May 2012


CA Technologies congratulates the 2012 Gala Honorees

Copyright © 2012 CA. All rights reserved.

Security at the point of collaboration. In today’s fluid, global marketplace, business success takes agility, collaboration and innovation. But how do you secure collaboration without constraining it? Content-Aware Identity and Access Management solutions from CA Technologies reduce risk across enterprise, virtual and cloud environments, allowing you to embrace the emerging technologies that help drive innovation.

+ JOIN US for our webcast: “Securing Access to SharePoint: Best Practices for Secure Collaboration.” Learn more and register at security.com
