Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Archive for March, 2010

Albert Gonzalez Gets 20 Years

Posted by Matt on March 28, 2010

See WSJ article here.

Posted in Information Security | Leave a Comment »

Compensating Controls – PCI Style

Posted by Matt on March 16, 2010

http://www.csoonline.com/article/577363/PCI_and_the_Art_of_the_Compensating_Control

This article on CSO Online, by Branden Williams pulls an excerpt from chapter 12 of “PCI Compliance” by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/

Check out the definition of Compensating Controls.

Posted in Controls, Information Security | Leave a Comment »

Jericho Forum Releases Self Assessment Framework for Security Products

Posted by Matt on March 16, 2010

http://www.opengroup.org/jericho/self-assessment.htm

This might be considered within a vendor assessment process, or perhaps a security assessment process when a particular product is being considered for purchase by an organization.

Posted in Information Security, Risk Assessment | Leave a Comment »

Recent Attacks Show Focus Should Be On FFIEC MFA’s “Layered Security”

Posted by Matt on March 12, 2010

For regulated financial institutions, it is becoming clear that the FFIEC Interagency Guidance on Multi-Factor Authentication is not current with the present threat landscape. Multi-Factor Authentication has long been understood to be an ineffective control against Man-In-The-Middle Attacks. The Guidance leads one to believe that true Multi-Factor Authentication is preferable over what the Guidance calls “Layered Security.” The latter includes such technologies as transaction monitoring for anomalous activity, IP address geolocation and other indicators of malicious activity. For details on the actual Interagency Guidance, see this page. See also, a sample MFA risk assessment.

Small business banking customers usually maintain large account balances to support and operate their businesses, including payroll and accounts payable. Small business banking customers are a current favorite of online thieves because of these large accounts. Further compounding the problem is the reality that small businesses are most likely to lack critical information security precautions and controls. As such, small businesses are much more likely to suffer malware infections on company PCs.

Security blogger Brian Krebs has this to say about the Zeus trojan:

“In every case I have investigated, the crooks had installed malicious software — usually the ZeuS Trojan — on the victim’s PC. This allows the criminals to control what the victim sees in his or her browser.  ZeuS will re-write the bank’s HTML on the fly, and inject HTML elements into the bank’s page. Mind you, they are not altering the bank’s real site — just what the victim/customer sees.”

Zeus infects an information security company.

In conducting Multi-Factor Authentication risk assessments, pursuant to the FFIEC Guidance, and as expected and enforced by financial regulators, we need to consider the current wave of successful attacks against small business customers. Where the assets at stake are particularly lucrative, the “Layered Security” components of the MFA Guidance will likely be more effective than the use of true Multi-Factor Authentication. The key will be implementing a near real-time response to transaction monitoring triggers to stop any anomalous transactions before the money leaves the financial institution.
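As an added illustration, not code from the original post, here is a small transaction-monitoring scorer in Python that combines the “Layered Security” indicators the post names (IP geolocation, payee novelty, amount against the customer’s baseline, and transfer velocity) and holds a transfer for out-of-band confirmation before the money leaves the institution. The account baseline, indicator weights, hold threshold and sample transfers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed per-account baseline (hypothetical values, not from any real bank).
BASELINE = {"acct-1001": {"typical_max": 25_000.0,            # largest routine payment seen
                          "usual_countries": {"US"},          # where the customer usually logs in from
                          "known_payees": {"payroll-vendor", "supplier-a"}}}

# Each layered-security indicator carries a weight; the transfer is held for
# out-of-band confirmation once the combined score reaches HOLD_THRESHOLD.
WEIGHTS = {"geo-mismatch": 40, "new-payee": 30, "amount-above-baseline": 30, "velocity": 20}
HOLD_THRESHOLD = 50

@dataclass(frozen=True)
class Txn:
    acct: str
    amount: float
    country: str        # IP geolocation of the online-banking session
    payee: str
    ts: datetime

def score(txn: Txn, history: list) -> tuple:
    """Return (risk score, triggered indicators) for one outbound transfer."""
    base = BASELINE[txn.acct]
    hits = []
    if txn.country not in base["usual_countries"]:
        hits.append("geo-mismatch")
    if txn.payee not in base["known_payees"]:
        hits.append("new-payee")
    if txn.amount > base["typical_max"]:
        hits.append("amount-above-baseline")
    # Velocity: three or more earlier transfers from this account in the past hour.
    if sum(1 for t in history if t.acct == txn.acct and timedelta(0) <= txn.ts - t.ts <= timedelta(hours=1)) >= 3:
        hits.append("velocity")
    return sum(WEIGHTS[h] for h in hits), hits

def decide(txn: Txn, history: list) -> str:
    """HOLD stops the transfer before funds leave the institution; RELEASE lets it post."""
    return "HOLD" if score(txn, history)[0] >= HOLD_THRESHOLD else "RELEASE"

# Constructed sample: three small supplier payments this morning, then a routine
# payroll run and a transfer a hijacked session might submit (foreign IP, unknown payee).
T0 = datetime(2010, 3, 12, 9, 0)
HISTORY = [Txn("acct-1001", 1_500.0, "US", "supplier-a", T0 - timedelta(minutes=m)) for m in (5, 20, 40)]
PAYROLL = Txn("acct-1001", 18_000.0, "US", "payroll-vendor", T0)
INJECTED = Txn("acct-1001", 9_800.0, "UA", "mule-account-x", T0)   # kept under the amount limit on purpose

if __name__ == "__main__":
    for t in (PAYROLL, INJECTED):
        print(t.payee, decide(t, HISTORY), score(t, HISTORY)[1])
```

The injected transfer stays under the amount limit yet is still held, which is the point of scoring several weak signals together rather than relying on any single one.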

Posted in Controls, Information Security, News, Regulation, Risk Assessment, Risk Management & Compliance | Leave a Comment »

Multi-Factor Authentication Is Not Enough

Posted by Matt on March 12, 2010

Krebs on Security: Crooks Crank Up Volume of E-Banking Attacks

Posted in Information Security, News, Regulation | Leave a Comment »

Is the CISSP worth it anymore?

Posted by Matt on March 10, 2010

Updated 1/05/11

The Employment Value of Multiple Certifications, by BankInfoSecurity.com.

Check out this no B.S. employer perspective on hiring certified job candidates: “Interested in CISSP, SSCP, CISA, and PMP certification holders. (N.B., this is largely a courtesy to our clients; we do not expect that certification will make you an expert and neither should you.)”

Original Post, 10/23/09:

Life Cycle

Let’s consider the life cycle of a professional certification (at least in the IT field):

1- The sponsoring organization wants to market the certification and promote it so more and more people obtain it. This means an initial grandfathering process whereby the organization sponsoring the cert. can get (presumably) experienced and prominent practitioners to get the certification and give it some credibility.

2- The difficulty of the exams and requirements are slowly improved. This allows more for swift early adoption and then a quality check on the way to achieving critical mass, slowing the momentum so the certificate doesn’t peak too early. If a certification achieves instant and widespread fame, it will be considered cheap and watered down.

3- As the inevitable dilution of the certification’s value occurs, due to the number of barely qualified individuals holding it, organizations begin creating specializations or advanced classes of their general certification, to create a “new” certification that can start over with the certification life cycle.

4- As yesterday’s preeminent and prestigious certification becomes today’s standard, the uniqueness of those gaining the credential is lessened. Applying familiar bell curves to the population of skilled workers (10/80/10 or 20/60/20), the best and the average are all able to pass the test. If, in fact, even some of the lesser skilled professionals can pass the test, the certifying organizations may have a cash cow, but it will be short-lived because the certification will do little for hiring managers in discerning IT talent. Therefore, a test-based certification loses its ability over time to differentiate skills in the workforce, as more and more of the lesser skilled attain the certification.

5- Eventually, the certification becomes so unhelpful as an indicator of specialized skills that the industry, which once benefited from its sifting effect on the pool of job applicants, no longer relies on it and stops asking for it altogether.

It would seem to me that the CISSP is somewhere in between #3 and #4 in the above life cycle.

Rote Memorization vs. Practical Skills

Like most certifications, the CISSP includes required sponsorship and minimum work experience. Presumably this is to help prevent just anyone from walking in off the street and passing the exam, further diluting the value of the credential.  This practice doesn’t seem to be able to prevent the eventual dilution of the certification by mass distribution among those with minimal skills, although it probably slows the process.

The certifications that require practical performance are harder to pass, and therefore retain their prestige in the marketplace. One of the best examples of this is probably Cisco’s CCIE certification, which requires the test taker to actually troubleshoot and repair a broken or mis-configured network. The test is notorious. Cisco claims the lifetime pass rate of the CCIE is 26%, much lower than the California bar exam.

Another notoriously difficult certification to achieve is the GIAC Security Expert (GSE), offered by SANS. There are only 30 of them in the world, as of Sept. 30, 2010. The best thing about the GSE is that it is so difficult and expensive to obtain (two years and ~$15,000) that the risk of it becoming a watered down laughing-stock in the IT Security industry is virtually nil. The down side is that it is still so obscure, and probably will remain so because of cost barriers, that it isn’t going to score many points in the hiring process until late-round interviews, when you meet with the security gurus.

The most challenging aspect of these practical skills-based certifications is the actual performance of what you learn. You are literally dropped off in a real IT environment for a couple days and you can’t come out until all is well. Good Luck!

Money Talks, Posers Walk

There is a double-edged sword to how hard to make your certification, and I suspect it boils down to money.  Here is the Hobson’s Choice to make if you are a certification authority introducing a new certification:

  1. Skills: The certification needs to be hard and thorough enough to demonstrate competency.
  2. Price/Cost: The certification must be priced to generate enough revenue to pay for the overhead required to create it, test for it and offer member services, while yielding a profit. However, it can’t be priced so high that cost becomes a bar to many people.
  3. Credibility: The certification must be earned by enough people that it gains a foothold in the marketplace and becomes a de facto measuring stick of the profession, or at least holds enough weight in industry that it becomes sought after by hiring managers.

This then becomes the dilemma: You can have any two of the three qualities above, but not all three. If you shoot for all three, your certification will be a one-hit wonder that will become a fossilized certificate found between the strata of the IT archaeological record. Just like my Novell Netware 5 CNE.

(I purposely ignored the distinction between vendor neutral and vendor product-based certifications. It doesn’t seem relevant to the overriding issue of certification dilution. I understand that a CNE is worthless today because the Netware platform did not survive the Microsoft/Novell war, and because of release obsolescence.)

Here is an author who isn’t quite so “down” on the CISSP.

Here is a typical complaint regarding the CISSP.   Interestingly, the author advocates professional licensing of information security professionals. He does not consider the fact that he would then have to triple his salary requirements in order to get malpractice insurance.  The threat of litigation against professional misconduct is the single greatest force driving the exorbitant prices charged by licensed professionals (lawyers and doctors) who work under threat of tort litigation. (I’m not intending to get into a debate over tort reform here.)

The argument to professionally license security experts is analogous to the old argument running back into the ’90s to license software developers, at least those that write code in life support and critical systems (airline traffic control, space exploration, medical devices, etc.). I remember vigorous debates on this topic in Dr. Dobb’s Journal.

In summary, if you are seeking employment in, or a job transfer within the information security field, the CISSP is still a de facto requirement in many job descriptions.  You’ll need the certificate to get past the HR threshold criteria. But don’t expect any security managers to think you are any better than their worst security employee, who probably also holds a CISSP.

Posted in Information Security | 4 Comments »

FDIC: Hackers took more than $120M in three months

Posted by Matt on March 9, 2010

FDIC: Hackers took more than $120M in three months



WSJ Coverage of the RSA Conference

Posted by Matt on March 9, 2010

Einstein cyber-defense system revealed

Michael Chertoff: Most people don’t understand cyber threats

Sophisticated Hackers Target Source Code Repositories; Seeking Intellectual Property

Posted in Information Security | Leave a Comment »

RSA Conference 2010 – Opening Keynotes

Posted by Matt on March 8, 2010

Art Coviello, CEO, RSA.

In Art Coviello’s keynote speech at the 2010 RSA Conference, he acknowledged the need for developing a secure, measurable and auditable cloud computing infrastructure. Cybersecurity has become a political focal point, with the FBI, DHS and White House, to name a few, reacting to the CSNCI. Not only is malware a pandemic, it is becoming a legitimate threat to national security. At some point in the near future cyberwar and cyberterrorism could rival traditional war in their potential for economic and societal disruption. (Read More).

Scott Charney, Microsoft.

The cloud will demand end-to-end trust. Don’t forget about the massive installation base of shrink-wrap software out there. It is not going away overnight. Charney’s comment is surprising because it seems to highlight Microsoft’s inability to ever execute on Bill Gates’s decades-old vision of a subscription-based, software-as-a-service distribution channel for Microsoft products. Granted, for a majority of this time such delivery was hindered by bandwidth and infrastructure issues, such as slow penetration of broadband into consumer homes. (Read More).

Enrique Salem, Symantec.

Whoever can secure the cloud will win big. Those providers that can afford reasonable privacy measures will draw the most business. There is an explosion in non-Windows-based mobile devices, one of the next frontiers in computing. How these devices interact with the cloud and how privacy and security are enforced in these use cases is critical. These devices will want to access corporate and personal information.

The fabric of our social interactions is changing as it moves into cyberspace, enabled by such phenomena as Facebook and Salesforce.com. We may be able to control what our employees say about our companies but not what our employees say about themselves.

Attacks are narrowing in focus. Siloed threats are going after confidential, corporate and government data. The top three losses are intellectual property, financial data and customer personal information. 100% of 2100 companies surveyed claimed a cyber loss. Instant messages with malicious links, emails with malicious links and malicious code are fooling many users. In 2008, Symantec published 1.6 million new signatures. In 2009, that number grew to 2.9 million!

Reputation will hinge on security.

Cryptographer’s Panel

Talk of a trust bubble: like the housing bubble and the dot com bubble before that, a trust bubble exists, buoyed by misplaced trust in both the public and private sector to protect our personal information. This bubble may burst in the coming year if we plunge too quickly into reckless outsourcing of such critical data into the cloud.

Howard Schmidt: The role of the government in cybersecurity going forward includes coordinating across all branches of government, at least the legislative and the executive branches, and keeping the seeds planted in the minds of the president and his advisors. There is a long way to go. The near-term goals of the Commission are being worked on now, one of which was to appoint Schmidt. FISMA has shortcomings that need to be addressed. The OMB will release new FISMA performance metrics, with more attention to control monitoring in real time. There will be someone appointed to a role for cyber privacy and protection of civil liberties. The administration is working on over 40 legal questions relating to the CSNCI report. There is also a large outreach and education/awareness effort being planned. October will be cybersecurity month. There is a framework for research and development being created to guide the public/private collaboration.

See http://www.whitehouse.gov/cybersecurity and download the cybersecurity initiatives in the CSNCI.

National Security Panel: Michael Chertoff, Richard Clarke, Mark Rotenberg

Cyber warfare is a growing threat to the United States. The United States is not as prepared as we should be for a cyber attack of a large magnitude, against critical infrastructure, by a nation state. We do get attacked every day. All major companies and governments have been penetrated and terabytes of data have been lost. Much of this is intellectual property, lost to industrial espionage. According to Richard Clarke, forget about securing the Cloud, we can’t even stop hackers on our networks! As nation states continue to arm themselves for cyber war we will continue a cyber arms race. We have detected logic bombs laced throughout the nation’s power grid; it would be foolish to assume we’ve not done the same thing to other countries. Massive data breaches flow to China and Russia. (Read More).

Posted in Information Privacy, Information Security | Leave a Comment »

RSA 2010 Summary By ComputerWorld

Posted by Matt on March 8, 2010

“Google attacks, Web 2.0 fuel FUD at RSA”

http://tinyurl.com/yh4n92b

Posted in Information Security, News | Leave a Comment »
