Friday, January 30, 2015

Is this the 80/20 of Security?

For the past 10 years or so, I have been teaching what has been considered the IT prep course for the major exam students right in Canada to get their CA designation. Now with the merger of the accounting designations in Canada, the revised CPA Competency has altered the focus on IT and reduced it. However, the upside of this, is now the course I teach can be more about what's useful from a practical perspective. In the past I taught security as a list of controls:

  • Security Architecture/Boundary
  • Policies and Standards
  • Asset Classification & Management
  • Risk Assessment
  • Personnel Qualification & Trustworthiness 
  • Responsibility & Accountability
  • Security Awareness
  • User Access Management
  • Physical Access Controls 
  • Network Access and Communication Control 
  • Logical Access Controls 
  • Intrusion Detection & Response
  • Eliciting Compliance
  • Monitoring & Learning
But I thought how do you think about security conceptually? So I thought about using the SysTrust definition of a system as the way to group the key InfoSec controls. Here's what I came up with:

What do you think? 

Below are some notes from the deck that elaborates on the above.

Risk Assessment
  • Key components of risk analysis? Risk = Impact X Likelihood

  • Governance, responsibilities & accountabilities 
  • Develop security function 
  • “tone at the top”: CEO has ultimate responsibility
  • CISO versus no CISO: 
  • Would you trust a bank without a CISO? How about a hotel?
  • Board & Management
  • Security integral part of IT governance
  • Funding security function
  • Average 6 to 7% of the IT Budget
  • Manage security risk that emanates from relationships with third parties
  • Policies & standards
  • Policies and standards:
  • Serious about security: take steps needed
  • Consult ISO 27001/2, etc. 
  • Have a methodology, define risk appetite, etc.
  • Manufacturing versus cloud computing provider 
  • Other
  • Define security roles
  • Define security responsibilities for everybody
  • Role for internal audit 

  • Background Checks
  • Human resource procedures to verify background work history of new hires.
  • Check qualifications
  •  Employees first line and last line of defense
  • E.g. Insider threat
  • Incentives: fire bottom 20% = problem?
  • Acceptable Use Policy
  •  Acceptable Use Policy
  •  Provides limits as to how computing facilities can be used, e.g. LAN, laptops, PDAs, etc
  •  Level personal of use
  • Controls
  •  Awareness/Orientation training/Sign statement
  •  Block sites (hotmail, gmail, facebook, etc)
  •  Monitor usage 
  • Security Awareness & Training
  • New employee training
  • Need to communicate policies and standards to employees, customers (e.g. online banking), suppliers, service providers (e.g. SLA), etc
  • Marketing Security: Remind employees regularly 
  • Provide easy access to policies
  • Policies need to be properly worded (should vs must)
  • Workshops/Tutorials on security: e.g. encrypting USB
  • Awareness posters, screensavers
  • Automate security
  • Termination
  • Terminate all access upon on letting an employee go
  • Must make part of HR processes
  • Asset Classification
  • Data Classification
  •  Sensitivity: impact of  unauthorized disclosure; privacy, confidentiality
  • Public, internal, confidential, highly confidential
  • Inventory & Asset Management (Data > Devices)
  • Devices and information held; incl. outsourced entities
  • Classification drives who can access and modify the information
  •  Cost-benefit analysis: encrypt what needs to be encrypted
  • Monitor access to sensitive systems, files, databases,   
  • Encryption
  • Used to prevent data alteration, unauthorized viewing, verify authenticity
  • Depend on mathematical algorithms to transform data, 
  • "Key" is the  data that is that is used to make an encryption or decryption unique 
  • Rely on mathematical algorithms
  • private key system - receiver must know what key is used to encipher message. Such keys must be protected
  • public key system - use 2 keys
  • encipher  is made public
  • different key used to decipher
  • Encryption Standards
  • Algorithm + Key
  • DES, AES:  Private Key (symmetric) Algorithms
  • RSA:  Public Key Algorithm
  • PGP:  Open source equivalent of RSA
  • 128, 256 bit technology (length of key - longer keys are harder to break with brute force methods)
  • In a good approach, the security should be in knowledge of the key, not the encryption algorithm
  • Wireless: WEP is no good, use WPA, e.g. TJX
  • Data Retention and Disposal Policy
  • Data should be retained based on reg/stat/oper
  • If retain longer than required could be breached
  • Data should be destroyed after its no longer needed
  •  Secure overwriting, degaussing, (not formatting!)
  •  Physical destruction (e.g. incineration, shred, etc)
  •  Integrate into asset disposal/sale process

  • Network: Firewall 
  • Firewall
  • “Filters” traffic from inside to outside & outside to in
  • Permits traffic based configuration
  • Protected against tampering
  • Packet filter
  • Intrusion Detection/Prevention
  • Intrusion Detection System (IDS)
  • Firewall: Permit/Blocks, IDS Analyzes activity
  • Analyzes user activity: threat score
  • Sends alerts to security admin: problem with false positives - may dismiss actual threat 
  • IPS can log off users
  • IDS: Can it detect encrypted attacks?
  • Link to SDLC?
  • Physical access controls
  • Safeguard against physical abuse, damage and destruction.
  • Isolation and restriction - use locks, effective key management, video, sensing devices
  • Tailgating: Man-trap, awareness
  • Locations of Systems: away from fire water sources (e.g. kitchen)
  • Hardening
  • Physical Access Control Considerations
  • Cost
  • Number of Type I (False negative) and Type II (False positive)
  • Average response time
  • Ability to manage multiple users
  • Satisfy ergonomic issues (E.g. retinal scan is quite invasive)
  • Virtual Private Network (VPN)
  • Virtual Private Network
  •  Encrypted/authenticated access to the network,
  • Modem lines create problems
  • Callback modems: modem will call back a pre-specified number
  • Access management
  • What are the trade offs?
  • Access management
  • Privilege management
  • Log and review this type of access
  • Enables Segregation of duties
  • Separate user and information system roles, separate within information system group
  • Development and data entry
  • Separate within user role as to incompatible functions
  • initiation and authorization of transactions, recording of transactions, custody of assets, and reconciliation  
  • Logical Access Controls
  • User ID:
  • Linked to name, 
  • Based on job:
  • No association:  Problem?
  • Logical Access Controls
  • Authentication - user is who says he/she is
  • Passwords
  • Random vs user generated
  • Rule based: What are the rules?
  • Phrases: Cat jumped over the lazy dog in Sarnia Cjotldis1
  • Plastic magnetic-strip cards 
  • Example?
  • Smart cards 
  • Example?
  • Biometric devices - fingerprints, hand geometry, eye retina patterns; consider Type I/Type II
  • Access control software- allows controlled access - locks out illegitimate users, e.g. Active Directory for Windows
  • Increased use of single-sign-on: authenticate once across multiple platforms
    • Pro: ease-of-access
    • Con: break one password, can break into multiple systems
  • Could also use profile management 
  • Allocate standard access privileges to users based on their group, rather than individual basis, e.g. AP clerk can access AP, network, office suite, etc
  • Reduces admin costs and allows easier access and rule setting
  • Anti-Virus Controls  
  • Anti-virus software
  • Installed and configured properly
  • Update regularly 
  • Won’t help against zero day
  • Ensure automated scans are scheduled.
  • Scan network
  • Scan desktop
  • Run at sign-on

Friday, January 23, 2015

Windows 10: Microsoft Strategic Plays hidden in its free OS upgrade!

In a previous post, we posted the integration of Cortana into the upcoming release of Windows 10. Well, the excitement continues - Joe Belfiore walks us through a number of features:

This includes:

  • Continuum: Not only is the start menu back, but the start menu adjusts for desktop mode and (touch) tablet mode. 
  • Cortana: He confirms what we saw last time, but he couldn't risk a dig at Siri. But to be fair, Cortana has more of the "virtual digital assistant" features which incorporate artificial intelligence and machine learning to, as he shows, book appointments and reminders. 
  • Built-in Apps: Microsoft is offering calendar, photo, maps, video, mail and xbox apps. 

Although these key features are exciting, the bigger deal is how Microsoft is working to recapture market share from its competitors. 
  • Free upgrade if you have Win7, 8, or 8.1! Yes, that's right for a year people upgrade for free to W10! This obviously good news for consumers. However, it appears that businesses can also upgrade which could be the real benefit: Microsoft effectively is facilitating the move to the next version thereby reducing the risk that companies will stick with an OS for decade (i.e. like they did with XP). The free upgrade also will go a long way to build bridges with customers who were unhappy with start menu disappearing in Win 8. 
  • Windows Phone and XBox integration: The apps mentioned work across devices. Although it is not clear, it appears that to get the most out of the W10 features, you need to get a W10 phone. Although this seems like a long shot, it shows that Microsoft is not giving up anytime soon on the mobile phone space. XBox integration enables Microsoft to further capture space within the living room entertainment space, competing with the likes of Roku, Apple TV and the Google Chromecast. 
  • Bringing social to the web browser:  Losing market share to Google Chrome over the past few years, Microsoft appears to be striking back with Project Spartan, The browser offers enhanced usability features (tabs, reading,etc), but also has a a productivity play where users can annotate websites and then share their annotations via social apps.    
The new Windows 10 looks pretty amazing and now that it's free I really can't wait to try it! 

Wednesday, January 21, 2015

Amazon to Canadian Customers: These features are for US Only

Over the break, I decided to abandon my Samsung S4 and move to the Note 4. I made the mistake of buying the first cell at an independent cell shop thinking that I would get ahead on contracts. But it had chronic issues with getting the IMEI to work and then the speaker didn't work either. Never had these problems before when buying on contract. So back on contract I go.

Device is beautiful:

I had the first iteration of the device, the Note 1. This is much better and the pen seems to be much improved in terms being able to write by hand. Much crisper screen as well. Anyways, I digress.

Given the decent size of the device, I figured this would be the perfect opportunity to try out the immersion reading feature. Immersion reading enables you to hear and read the book at the same time, giving you the benefits of both the audio learning and the visualizing the text.

Much to my dismay I figured out after hours of trying to make this work that it didn't. Why? Because I am in Canada.

However, it was only after confirming my suspicions with this post that I realized the truth: Canadians are locked out of yet another one of Amazon's services. Now the real issue is why doesn't Amazon openly say this on the website? In fact, I even corresponded with the help and assumed that they would warn me that this feature does not work. As you read the posts, I was not the only one that was frustrated by this state of things

The incident reveals a couple of things. Firstly, Amazon is a US focused company, it does not serve Canada well. For example, it's prime video service is only in the US. This is just another example. I wonder why Chapters has not exploited this?

Secondly, it exposes the weakness with mass service model used by Amazon as well as cloud computing companies, it can serve the masses but not the unique needs of particular clientele.