Archives for January 2012

Cloud Provider security requirements

Grok Computer Security: I’ll tell you what I want, what I really, really want from a Cloud Provider.

Michael Berman, the CTO of Catbird, summarizes his cloud provider requirements. For security, he is looking for:

  • Auditing: network and management
  • Control: policy and assurance
  • Metrics: continuous and interoperable

Are these capabilities to be provided by the cloud provider, or should the enterprise adopt a solution it can use across multiple cloud providers? What about compatibility with private cloud deployments?



Anticipating The Future of User Account Access Sharing

Anticipating The Future of User Account Access Sharing.

Insightful post by Lenny Zeltser regarding teenagers and adults sharing accounts, i.e. sharing passwords.

Of course, those of us in security find this horrifying. Teenagers see this as a way of expressing affection. Adults in business do this to expedite accomplishing goals.

Can Security Awareness Training effectively communicate the risks of this behavior?

Encryption Key Management Primer – Requirement 3.6 « PCI Guru

Encryption Key Management Primer – Requirement 3.6 « PCI Guru.

Insightful article on PCI DSS requirement 3.6 – encryption key management, which is very complex when done manually. If you doubt it, read this article.

The PCIGuru also points out that “… for users of PGP or hardware security module (HSM), you will have no problem complying with the sub-requirements of 3.6.”


Financial Cryptography: Why Threat Modelling fails in practice

“…threat modelling will always fail in practice, because by definition, threat modelling stops before practice.”

via Financial Cryptography: Why Threat Modelling fails in practice.

Insightful post highlighting the difference between threat and risk.

Let us now turn that around and consider *threat modelling*. By its nature, threat modelling only deals with threats and not risks and it cannot therefore reach out to its users on a direct, harmful level. Threat modelling is by definition limited to theoretical, abstract concerns. It stops before it gets practical, real, personal.

Risks are where harm is done to users. Risk modelling therefore is the only standard of interest to users.


Wall St. Journal and NYTimes interest in Information Security

The subject of Information Security and its risks to the enterprise is becoming more mainstream. Last week, the World Economic Forum called out Cyber Attacks as a top risk. Today both the Wall St. Journal and the New York Times have significant information security articles:

Bassam Alghanim's Email-Hacking Allegations Against His Brother, Kutayba, Exposes Hackers-For-Hire Trade

Flaws in Videoconferencing Systems Make Boardrooms Vulnerable


Adopt Zero Trust to help secure the extended enterprise

John Kindervag, a principal analyst at Forrester, has developed an interesting approach to securing the extended enterprise. He calls it the Zero Trust Model which he describes in this article: Adopt Zero Trust to help secure the extended enterprise.

First, let me say I am not connected to Forrester in any way. I am connected to John Kindervag on LinkedIn based on a relationship from a prior company.

Second, the Zero Trust Model rings true for me in that the incident data available for review shows that we must assume that prevention controls can never be perfect. We must assume that (1) devices will be compromised including user authentication credentials and (2) some users interacting with systems will behave badly either accidentally or on purpose.

John uses the term Extended Enterprise to refer to an organization’s functional network which extends to (1) remote and mobile employees and contractors connecting via smartphones and tablets as well as laptops, and (2) business partners.

The Zero Trust Model of information security simplifies how information security is conceptualized by assuming there are no longer “trusted” interfaces, applications, traffic, networks or users. It takes the old model — “trust but verify” — and inverts it, since recent breaches have proven when an organization trusts, it doesn’t verify.

Here are the three basic ideas behind the Zero Trust Model:

  1. Ensure all resources are accessed securely – regardless of location
  2. Adopt the principle of least privilege, and strictly enforce access control
  3. Inspect and log all traffic

Here are Kindervag’s (Forrester) top recommendations:

  • Conduct a data discovery and classification project
  • Embrace encryption
  • Deploy NAV (Network Analysis & Visibility) tools to watch dataflows and user behavior
  • Begin designing a zero-trust network

The article provides some detail on each of these key ideas and recommendations.
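To make the three basic ideas above concrete, here is an added illustration (not code from the article, from Forrester or from Kindervag) of an access decision that grants nothing on the basis of network location, requires an explicit least-privilege grant, and logs every decision, beside the old "trusted internal network" check it replaces; the network range, policy table and request fields are constructed assumptions.

```python
"""Zero Trust access decision beside a perimeter ('trust but verify') check.
Added illustration with constructed sample data, not Forrester's or
Kindervag's code; INTERNAL_NET, POLICY and the Request fields are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # the LAN the old model 'trusts'

# Least-privilege policy: only explicit (principal, resource, action) grants.
POLICY = {
    ("alice", "payroll-db", "read"),
    ("alice", "wiki", "read"),
    ("bob", "wiki", "read"),
    ("bob", "wiki", "write"),
}
AUDIT_LOG = []  # every decision, allow or deny, is recorded here

@dataclass
class Request:
    principal: str
    resource: str
    action: str
    src_ip: str
    authenticated: bool      # strong authentication succeeded this session
    device_compliant: bool   # managed, patched device (attested posture)
    encrypted: bool          # channel is TLS/VPN, wherever the user is

def perimeter_decision(req):
    """Old model: anything on the internal network is trusted outright."""
    if ip_address(req.src_ip) in INTERNAL_NET:
        return True
    return req.authenticated and (req.principal, req.resource, req.action) in POLICY

def zero_trust_decision(req):
    """Location grants nothing: verify channel, identity, device and an
    explicit grant for every request, and log the outcome either way."""
    reasons = []
    if not req.encrypted:
        reasons.append("resource not accessed securely")
    if not req.authenticated:
        reasons.append("principal not verified")
    if not req.device_compliant:
        reasons.append("device posture unverified")
    if (req.principal, req.resource, req.action) not in POLICY:
        reasons.append("no explicit grant (least privilege)")
    AUDIT_LOG.append({"principal": req.principal, "resource": req.resource,
                      "action": req.action, "src_ip": req.src_ip,
                      "allowed": not reasons, "reasons": reasons})
    return not reasons
```

A compromised host on the internal LAN reusing a stolen session is the case the two models disagree on: the perimeter check waves it through, the zero-trust check denies it and records why.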

Cyber attacks a top risk says World Economic Forum

Via Clerkendweller’s blog post about the 2012 edition of the Global Risks report from the World Economic Forum, Cyber attacks came in #4 among the top 50 global risks as a function of likelihood.

The report divides risks into five categories – Economic, Environmental, Geopolitical, Societal, and Technological. What I also found interesting is that within the Technological category, Cyber attacks scores highest as a function of likelihood and impact. See the chart below:

The report further defines “connectivity” as one of the “Three distinct constellations of risks that present a very serious threat to our future prosperity and security…” The report then goes on to identify the three types of objectives of cyber attacks using physical world “military strategy” and “intelligence analysis” analogies: sabotage, espionage, and subversion. Here are the examples they provide:

Sabotage:

  • Users may not realize when data has been maliciously, surreptitiously modified and make decisions based on the altered data. In the case of advanced military control systems, effects could be catastrophic.
  • National critical infrastructures are increasingly connected to the Internet, often using bandwidth leased from private companies, outside of government protection and oversight.

Espionage:

  • Sufficiently skilled hackers can steal vast quantities of information remotely, including highly sensitive corporate, political and military communications.

Subversion:

  • The Internet can spread false information as easily as true. This can be achieved by hacking websites or by simply designing misinformation that spreads virally.
  • Denial-of-service attacks can prevent people from accessing data, most commonly by using “botnets” to drown the target in requests for data, which leaves no spare capacity to respond to legitimate users.

These do not map neatly onto our traditional categorization of threats as risks to the confidentiality, integrity, and availability of information, but they may still be useful, because what really matters is the focus on adversaries and the actions they take to threaten the confidentiality, integrity, and availability of our cyber assets.

Of course we need to focus on assets in the sense that we have to “harden” them to reduce the likelihood of a successful attack. But we cannot stop there due to the following.

The Connectivity case provides two axioms for the Cyber Age:

  • Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
  • Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.

If these axioms are true, then we must go beyond hardening assets. We must also invest in technical controls that can detect obviously negative and anomalous behavior of assets.

Overall, a document well worth reading.