Wednesday, December 17, 2008

The security double whammy

A lot of the recent news is about how the recession will cause increases in cyber threats. Combining that with reduced investment in security, and you have a true double whammy. And some want to add icing to the cake by suggesting that employees will also become more tempted to steal data..

Nice - a triple whammy!

Organizations should be cognizant of the tradeoffs they are making from a risk management perspective. Even if one cannot get everything complete, use the old 80/20 rule to ensure the high priority and projects that will reduce the most risk get implemented. No use being penny wise and pound foolish...

Thursday, December 11, 2008

Crime and the economy

Seems like the prevailing wisdom is that when the economy is in tatters, crime rears up - a negative correlation, if you will. Apparently this is even more true for cybercrime - easier to make a few bucks when folks are scared about their savings, looking for bargains and the always popular, "too-good-to-be-true".

And criminal syndicates are taking advantage of this by providing "help" in ensuring their bank accounts are not in danger, new job opportunities targeting those who might have lost their jobs etc. Just read more of this from

Larger organizations are also not immune from this - what comes in as malware in only part of the threat and unfortunately seems to be the major focus. And folks are still pushing perimeter security and anti-malware as the main protection against this. I think we should be looking beyond - more defense in depth and more protection focused on the data itself.

Monday, December 8, 2008

New Cybersecurity post recommended

I think this is a long time coming - the idea of a more concerted effort and responsibility to fight all kinds of cybercrime. Be it commercial or against government classified data.

Global cyberspace is fragile and it will take a concerted effort to get the message out about the dangers and the grave responsibility that each organization trusted with information holds. The appointment of a national post in the new administration is welcome! I hope it happens and happens fast!

Wednesday, November 12, 2008

Scary criminal activity and data theft

Even though one knows that criminals are increasingly behind some of the larger data breaches, it not until we get hit on the head do we pay attention. I just read this recent article from USA Today about the latest attacks on corporate intellectual property - I tell you, this is serious stuff.
Any organization not taking this very seriously is doing a disservice to its stakeholders and shareholders.

The problem seems intractable - for every hole you think you have blocked two open up to allow these criminals to grab data. What does any organization do?

I think the answer lies in the data itself - one cannot go about protecting the periphery to protect the asset. One has to protect the asset itself - in this case the data. If the data itself is always encrypted, at rest as well as in motion (even when it is grabbed of the computer by malware), we might have a shot at preventing this.

Else we are putting our collective heads in the sand thinking that encrypting the laptop drive or USB device is enough...

Thursday, November 6, 2008

WPA encryption cracked..

Just read this about the "more secure" WPA encryption for Wi-Fi networks is now cracked. Read all about it here - apparently by the same guys who broke WEP (this is what hurt TJX). I guess the bar has been raised...

Thursday, October 23, 2008

A horse's ass approach to virtualization security - Part 3 - Data is the "constant"

The third in the series where I am trying to think through the current approaches to securing virtual environments...

See part one and two here...

Virtualization enables organizations to optimally manage their infrastructure resources. It can provide significant cost benefits (by sharing resources), flexibility (by just-in-time allocation of resources where they are needed), and agility (speed of provisioning resources). Therefore, organizations have been able to virtualize:

  • Devices/OS: Companies such as VMWare, Citrix, Microsoft, and Sun are providing hypervisor, virtual machine, and virtual device solutions where several virtual “devices,” “servers,” or “desktops” can mimic separate physical devices.
  • Networks: Virtualized networks enable dynamic collaboration by slicing bandwidth into virtual, isolated channels that can be assigned to a particular set of devices, real or virtual. Setting up new connections and collaborative environments becomes extremely easy.
  • Applications: Virtual applications can either be streamed down to execute on local desktops (Microsoft App-V or Altiris SVS) or executed remotely from server farms such as Citrix XenApp. This allows applications to be portable and accessible from anywhere while reducing inter-application conflicts.
However, organizations will never be able to virtualize the fourth element, I talked about in teh second blog post — the data itself. The focus of device, network, and application virtualization is about flexibility, resource sharing, and agility. This involves short life spans, since these elements are brought up to fulfill a specific short term task, and upon completion, they are brought down or even deleted. Data, however, has a lifetime beyond the short term and will therefore live on for further use or analysis in a non-virtual or subsequent virtual world.

This makes data the “constant” in a dynamically changing environment — even if the location of data itself is virtualized. Data will also have the longest lifetime of the four elements in the infrastructure and thus will have to live “outside” of the virtual environment. Therefore, from a security standpoint, it is imperative that data becomes the focus of protection - and we dont just continue protecting the infrastructure. Data is the critical asset, and since it travels across boundaries and lives longer than virtual elements, it can be easily compromised.

Wednesday, October 22, 2008

A horse's ass approach to virtualization security - The four horsemen

I opinioned a bit about the current approaches to virtualization security and how they might be failing to address current and future threats - let me explain further what I mean.

In the previous blog I gave a summary of my argument. In this second blog of the series I want to talk about the four elements that make up every computing environment
(i.e. the four horsemen :)): This will setup the argument I hope to make in my next blog.

  • Devices: These are the hardware and operating system combinations that host or store the execution environment.
  • Applications: Applications execute on host environments (devices + OS) and transform data into information useful for the business.
  • Data: Digital representation of information that is acted upon by applications.
  • Networks: Enable collaboration and the sharing of information across multiple devices and/or applications.
All four are absolutely essential to complete any transaction in the modern business world. However, to gain competitive advantage, organizations are looking to optimize the usage of these four elements. Technology, flexibility, and agility are becoming increasingly important in a fast-changing business world and have therefore led to the rise of virtualization.

In my next post I will discuss how these elements are being changed in a virtual environment and what impact it has on security.

Monday, October 13, 2008

A horse's ass approach to virtualization security

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constrains that a horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor root kits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual “devices,” networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining “constant” element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigate the web using search better than the initial Yahoo approach of hierarchical mapping? Coz Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...

Wednesday, September 17, 2008

Getting fired due to a breach?

Just got an email inviting me to a seminar - hosted by SecureState. But what caught my eye was this statement,

"7 out of every 10 breaches ends with someone losing their job"

I was shocked! 70% of all breaches result in the firing of someone involved in the breach? Or is it the failure to defend this breach resulting in the CISO losing her/his job?

I had never seen this research before and did not know this problem was so acute. Be very interested to know the source of this research. The seminar information is here.

Will post again when I find out more...

Friday, August 22, 2008

The importance of key management

As encryption and data protection becomes more prevalent, dont forget the equal importance of managing those keys. This seems to be the message from Jerome Wendt.

I think there are two sides to the story here - while I agree that managing keys is important, I think this is something users SHOULD NOT be concerned about. This is something the vendors should be focused on solving and not leave it to end users to stumble over.

Key management is hard and it makes sense to solve it at the product level rather than leaving it to implementation variances.

Thursday, August 21, 2008

And the attacks keep coming...

Seems like the intensity and frequency breaches have just started to warm up! Even as we pat ourselves about the recent indictment of criminals we see reports of increased activity. Millions of cards stolen and more loss...

Brings us back to a hard question we have to ask ourselves - are we ready to tackle this seriously? Vendors, retailers, banks, government and consumers all have a huge stake in this (and don't forget, so does organized crime). However, it seems like organized crime is living up to its name - they seem a bit more organized about this. Not having looked at the numbers, but is feels like we are being pushed back and they currently have the upper hand...

Not a very PC thing to say, I know. However, we have to wake up to the reality and get more serious about this.

Wednesday, August 13, 2008

Twelve billion dollars!

Sounds like a Dr. Evil sound bite :). In fact this could be the potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine, is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.

Tuesday, August 5, 2008

Smackdown on data criminals

The long arm of the law finally flexed in a major indictment of criminals who were charged with hacking and stealing credit cards from major retailers.

Eleven folks were charged with the crimes ranging from conspiracy, computer intrusion, fraud and identity theft.

Interesting nuggets from the report:

  • They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
  • Apparently this is the single largest and most complex identity theft case ever charged in this country
"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

I agree with the US Attorney - we need better ways to prevent such hacking. But one point is clear again in this case - those who hack work for increasingly sophisticated criminal enterprises and will deploy significant resources to steal as long as the returns are worth it.

Friday, August 1, 2008

Laptops can be seized at the US border

New rulings allow the Homeland Security to seize and analyze laptops as folks cross the border. Will this will increase the propensity of folks to encrypt their laptops or reduce it (thereby reducing suspicion)? I don't think businesses will look at this as another reason to encrypt - the majority would rather data not be stolen or lost than think about what a border agent might find on that machine.

For folks who have personal machines (maybe speaking for myself), I am not sure I would care much if a border agent looked through my laptop. But maybe I should - who knows what that information can be used for later?

Monday, July 28, 2008

Keeping corporate secrets - the data centric security approach

Just read the eWeek summary for the new book Blown to Bits... (btw, what's up with tag lines and subheadings in books - these seem to be filling up the font page!). The authors discuss the right mix of people, process and security technology that organizations can use to prevent such breaches...

Interestingly enough, the trends they talk about are very data-centric - "Secure the message as well as the medium" and "Address data at rest, in flight and in use"...

In particular I like this paragraph...

Could not have said it better - and I could not agree more...

Data breaches: Technology, process or management?

Being part of a technology company, one tends to think of solutions to data breaches as mainly to be solved by technology. Well, with a bit of process thrown in for good measure as well! Did not think much about the important role of management till now...

Just came across an interesting opinion by Jonathan Armstrong, a partner at Eversheds, a law firm. He contends that current best practices of management do not train executives how to respond to crisis - he talks about various types and data breaches is one amongst them.

I tend to agree to a point. However, I also think that it is the type of management and their core values that dictate how such a crisis be addressed. Is management concerned about the customer? Or is management just looking to save face? I can remember the Tylenol crisis and how well J&J handled it.

While I agree with Jonathan that the frequency of incidents have gone up and management needs to be trained better, I also believe if executives have the best interests of their constituents in mind, things will work out okay...

Wednesday, July 23, 2008

For your hacking pleasure - Cold Boot utilities released!

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

Monday, July 21, 2008

Virtualization and information-centric security

Many more of the customers I talk to are focused on virtualization as a core infrastructure strategy. They obviously want to know more about how this will affect how they look at security. While I am not the expert on anti-virus/malware, NAC, intrusion prevention etc, one area that I get excited about is the data protection implications of this trend...

As devices get abstracted and pushed to the background, it appears we are left, at the core, with applications and data. The interactions between the two dictate productivity, security et al. In this context, an information-centric security paradigm becomes even more important.

There are no devices to lock down (these will be virtual - appearing and dissapearing as required). Much of the data will be accessed from virtual containers. Therefore, protecting the data itself, regardless of the applications, the devices, the networks will become crucial in this evolving landscape...

Wednesday, July 16, 2008

Ecrypt the whole Net!

Now this is a big bite - the folks behind Pirate Bay are developing technology that will allow all traffic between equipped end-points to be encrypted. They are doing this to protect folks from the prying eyes of the authorities - new laws have been passed in Sweden that give the authorities rights to monitor email, web traffic and telephony of individuals. The EFF has a good post about this new law here.

Not sure how all this will be implemented, but will be interesting to follow...

Tuesday, July 15, 2008

Data protection commissioner?

Never thought a country would have an Information and Data Protection Commissioner - but looks like Malta is taking charge of their data. Interesting article on new laws, expansion of powers, and parliamentary discussions!

Wednesday, July 2, 2008

Protect everything? Is that a better DLP?

I was reading an interesting post about DLP at Securosis. Rich has deep expertise and an excellent way of explaining what the area is all about...

However, the post got me thinking - how do we reliably understand content in order to differentiate and protect what's important? Do we have easy to manage policies yet? Can the policies adapt easily based on chaning business? Is the technology ready?

I do see traditional DLP solutions being very complementary to data encryption products - one identifies it, finds it and the other can protect it. Nice and easy.

However, I am thinking that maybe an interim step might also be needed before we can get to nirvana of understanding content, proactive policies etc. What if we are able to protect all data (or even data that are on these file shares, laptops etc ) regardless of what is in them - and keep them persistently protected at rest and in motion? Think of it as the blunt approach - similar to using FDE to protect all the contents within a hard drive regardless of the sensitivity of an individual file within.

From a customer perspective, they don't want anyone without the right authorization to see any data - that's all. This can be achieved by persistent, data-centric or information-centric protection without any differentiation based on understanding the content.

Could/should DLP be redefined, thus?

Tuesday, July 1, 2008

2% of all laptops sold every year are stolen from airports?

Interesting analogy from NetworkWorld on rising rates of laptop loss, but it works! Apparently laptop loss is giving IHOP a run for its money. From the article...

"Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey."

Over 630K laptops lost each year just within airports! From IDC's Quarterly PC tracker (Dec 2007) we see that over 31M laptops were projected to be sold in 2007. This means that over 2% of all laptops sold in the US were lost or stolen from airports!

Hard to believe. Am I exaggerating or is this for real? Makes me think about how cold boot can be a weapon of choice for criminals to gain access to sensitive data.

Monday, June 30, 2008

Data breaches and gas prices..

Seems like the growth rate is the same - IRTC (Identity Theft Resource Center) just released some interesting stats. Apparently number of breaches in the first half of 2008 have risen 69% over the same period in 2007. Maybe gas prices have increased a bit more, but not by much...

Also other interesting nuggets -

  • Almost 40% have not disclosed the number of records breached.
  • Theft, either internal or external, have been the primary reason for the breach.
Wonder why we are not hearing this on the presidential campaign? A unified and national policy approach to this epidemic would be welcome (as would lower gas prices!)

Wednesday, June 25, 2008

Share, but share insecurely?

In all the hoopla about IT admins getting into your stuff, (from the recent Cyber-Ark survey) most folks might have missed this interesting nugget...

"Majority are sloppy at handling and exchanging sensitive data Seven out of 10 companies rely on out-dated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners with 35% choosing to email sensitive data, 35% sending it via a courier, 22% using FTP and 4% still relying on the postal system. This shouldn’t be any big surprise when you learn that 12% of these senior IT personnel who were interviewed also choose to send cash in the post!"

Over 70% of companies share sensitive information within and without in an insecure way! Here we are, locking down data at rest within the company. However, as it leaves the safe haven - it is sent out in the clear!

This is where I think a more information-centric approach can help - protect the data rather than the devices and wherever the data goes, the protection follows. A bit like Mary's little lamb, if you get my drift...

Monday, June 23, 2008

The "IT admin bad guy"? Not sure I buy it much..

The recent survey on IT Admins misusing privileges might be accurate - but am not sure I buy it much. I'd like to see some of the questions as well :)

Most of the IT admins I have met with have a sense of the responsibility that comes with their power. True, there might be some bad eggs or apples in the bunch, but overall I think they are ethically sound people.

This is like implying that since the guard to the safe has access to it, he/she might be taking advantage of that ability. My view is that the state of technology is (or was) such that there is no way around it - there had to be someone who has access.

However, to get this monkey off the back of IT admins, all they have to do it install technology that creates isolation between content and infrastructure. IT admins don't lose anything - they get their work done, and they wont be scapegoats for leaked data or bear the burden because of a few rotten apples.

I spy - employees snooping around?

Apparently many employees ( nearly half ) have the habit of snooping around within the company. This according to a new research study by Cyber-Ark. Many gain access using privileged accounts such as administrator or root passwords, which the research found were not changed that often.

"Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 percent being changed every quarter and 9 percent never changed at all, meaning that IT staff who have left an organization could still gain access."

This is a bit unnerving - most organizations should be following compliance mandates such as SOX to isolate administrator access from content. And using technology to enforce this..

Medical records - the new frontier in data theft?

Looks like supply and demand and the good old laws of economics are catching up to data breaches as well. Seems like medical records is the new black - more criminals are focusing on getting access to this rather than boring credit card numbers, bank accounts etc.

There is a related scary part to this story - (other than the fact that medical records are under active threat)

The scary part is the huge numbers of available stolen credit card, bank account information out there - this is depressing prices all over the world for this data! The laws of supply/demand are taking over and making this a commodity. For example, not too long ago, prices for a valid credit card/bank card with a pin was $100 and now with the flood of such products, the prices have come down to $10-20 range.

The logical conclusion follows that criminals are becoming so good at getting access to sensitive data - this is causing flooding in the market! They are therefore now moving up the value chain to get to even more valuable data. Presumably, stuff they can sell for more than $100!

Friday, June 20, 2008

Medical records under threat

Just saw a disturbing article on how folks are targeting medical records. Apparently Finjan (a security vendor) was trolling for malware and came across a large chunk of data with patient information etc - and get this, it was available for purchase for the highest bidder!

By now all of us are aware that hackers are no longer kids looking for laughs or thrills - they are the new criminal organizations. These organizations make it a business buying and selling data - be it credit cards, bank account information etc.

I suspect medical information can be used for many things - identity theft, blackmail, maybe even insurance fraud. Who knows?

But the main point here is this - it does appear that medical and patient information has value to criminal organizations and this is something to worry about. They will do anything to get their hands on this...

Tuesday, June 17, 2008

Data security and the "chasm of protection"

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted with the POS application as cards are read in. As this data is required by another application, it has to be first decrypted so this in-store application can read it. It may then encrypt it again as it stores on in-store servers. Now assume you have another application in the data centers that is used for card settlement. Another decrypt-encrypt cycle from the store to the data-center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications and on multiple devices and multiple internal and external networks - each time being decrypted, stored or transfered in the clear till it gets encrypted again. Each time this cycle repeats, there is a weakness that can be exploited - since there is a gap in the consistent protection of data.

Being data-centric however, brings in persistence and consistency in the protection of that data element, thereby removing this "chasm".

Monday, June 9, 2008

Adaptive security from the Gartner IT Security Summit

I was at the Gartner IT Security Summit in DC last week - very interesting sessions.

Liked the Neil MacDonald keynote on the second day. He talked a lot about the current challenges or point products, silos and the decreasing importance of the perimeter. He also talked about how security would evolve and his vision on model based security, proactive approaches to security and how we could learn from the adaptive mechanisms of a biological system. Very interesting.

Most of it made sense - however, it seemed hard to see how we could build adaptive/proactive security systems just yet. We are still figuring out security based on signatures and we cant build them fast enough - adaptive might mean too many gray areas in the short term. And it necessitates learning from mistakes - I think it will take a bit of time before we will fully trust this, seemingly AI models, for security.

The one topic that did intrigue me was his statement on protecting the information and not focusing on devices - near and dear to my heart this information-centric security view! This trend does seem clear - more on this soon...

Tuesday, May 27, 2008

The Blackberry keys

Lots of news over the past few days on the back/forth between the Indian government and RIM. And apparently the latest is a retraction - last week RIM apparently had said it would make the crypto keys available.

Apparently, the reason is that RIM itself does not have the keys - therefore they cannot hand it over. The company says, "The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for Research in Motion (RIM) or any third party to read encrypted information under any circumstances"

If this is true, I wonder if any government has these keys...

Thursday, May 8, 2008

Jeez - State department laptops missing..

This is bad news - folks with some of the most sensitive information seem to be willy-nilly with their laptops. How can we expect plain old corporate folks to take protection seriously?

And this snippet takes the cake "...about 400 missing laptops belonging to the Anti-Terrorism Assistance Program ..."

I wonder how many of these were targeted and stolen... If so, is a cold boot attack more likely against these types of assets?

Wednesday, May 7, 2008

To believe or not - new research from Ponemon

New research from Ponemon on consumer behavious post breach breach - apparently over 31% of those surveyed terminated ties with an organization that had a breach.

Not sure to fully believe it when consumers say such stuff (I did not mean the Ponemon research itself:)) - I think consumers say what they think is the right thing to say. I think folks are still lukewarm when it comes identities getting stolen, card numbers being breached. There is not yet enough pain directly resulting from this.

However, I do hope this is true though - high time we took such breach information more seriously.

Tuesday, May 6, 2008

More on functional encryption and two-level keys

Following up to my previous post on functional encryption. Just read another interesting article on the subject.

The gist of it is in using policy as a way of granting acess and reducing the reliance on a "trusted server". From the article..

"In a functional encryption system, keys are personalized and only one is needed for a person to gain access to all the data that should be available to them. In addition to simplifying the key process, this idea allows users—with proper access rights—to search encrypted volumes for specific information. "

The key used here is a personal key which contains attributes of a person which is used to unlock the document... Seems intriguing, but I am not sure how multiple people (or even groups such as HR) can be given access to a document based on such keys... Would like to understand this a bit more...

Monday, May 5, 2008

Dirty secret #2 - the perimeter is dead!

Just came across an interesting article in Network World on the dirty secrets of security vendors. While I agree with some, disagree with a few, it was #2 that caught my eye.

The author, Joshua Corman, claims, "There is no perimeter". Paraphrasing him -

Vendors say that the network perimeter must be defended, but most data that is actually lost doesn’t go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. “If you still believe in perimeters, you may as well believe in Santa Claus,” he says.

Not sure I believe in Santa Claus, but that's not the reason I agree with Mr Corman. I do believe that a data-centric or information-centric approach to security is the right one. Protecting devices, ports, networks, perimeters might become a thing of the past. Security vendors will evolve towards offering protection at the data level..

When? Now that's a completely separate discussion, though some are further along in reaching this goal than others....

Thursday, May 1, 2008

The insider threat - jobs at risk!

Looks like Her Majesty's Revenue & Customs does not take lightly to employees peeking at sensitive data - they have disciplined around 600 employees.

Lots of questions come up - intentional breach, stupid mistakes etc. If the data were protected with the right policies and access controls would this have been prevented?

My Dad always said when I leave stuff in my car seat - "Don't tempt folks. Even if they are not thieves, the sight of something valuable can turn people". I started believing this after my car was broken into and it turned out to be a neighbor kid.

I firmly believe that taking temptation away (in this case not having access to data you should not) is a great strategy. Insider threats are more troubling, since this is targeted at the most sensitive and valuable data - while the outsider threat depends a lot on luck to get to this.

Wednesday, April 23, 2008

Functional Cryptography the future?

Interesting concept this new research from UCLA called functional cryptography. Apparently the key is a function of peoples "attributes" and not having the specific key itself - as far as I can understand. I would guess that defining these attributes might be tough... Seems like they are addressing key management, authentication and aspects of sharing keys without going for a full blown PKI infrastructure...

Be interesting to find out more about this area.

However, one aspect of this did strike me as sysnergestic to my views of data centric/information centric security - the attributes and keys are held within the data itself and resides with the data...

Tuesday, April 22, 2008

The insider threat - Lending Tree

We spend so much time and processes protecting against the unknown external threat - it is time we also took the insider threat more seriously. Case in point - the recent news from Lending Tree about insiders giving out passwords to external entities.

Not that the above could have been easily circumvented by technology, but good process and education of employees would have helped. When trusted employees start sharing passwords, things become very dicey.

More process, threats of termination - interesting times ahead...

Monday, April 21, 2008

Errors in Quantum Cryptography?

Interesting research from Sweden - apparently researchers were able to unexpectedly find a flaw in quantum cryptography, the holy grail of 100%, bullet-proof encryption!

The researcher quotes - "We didn't expect to find a flaw". Makes one wonder if there is any technology that can claim it.

I think there are no foolproof solutions, only fools (maybe too strong a word, but the rhyming was too good to pass up!) who believe so...

Friday, April 18, 2008

Risks, cost of an attack versus price of encryption

Very interesting article by Charlie Martin in Computerworld exploring how expensive (or rather cheap) encryption really is compared to potential losses due to data loss...

Not sure he calculated the costs and probability of the cold boot attack quite right - I think the fact that over 40% of folks do not shut down their laptops while travelling makes this a higer probability. (This number came from a short survey we did in Pittsburgh with around 200 respondents - will provide more details in a forthcoming blog). Now cosider the fact that people think this can be done - this changes behaviour of thieves, methinks.

However, the general idea that Charlie has is spot on - the peace of mind, staying away from the headlines, the lowering of probability is what securing data is all about....

Tuesday, April 15, 2008

RSA and Information-centric security

Been a while since my last post - vacation and the RSA conference went by fast! I had a great time at the RSA conference, we had a great booth in the Microsoft partner pavilion and talked to a whole lot of people.

One of the most satisfying parts of the conference for me was its focus on information-centric security. Check out John Thompson, CEO of Symantec as he expounds on this during the opening key note. Very cool! This aligns a lot with what I also think is the future of security. We cannot have device-centric or perimeter focused security for much longer - data has to be protected at its fundamental level...

More soon as soon as I catch up with my email.. :)

Friday, March 14, 2008

To sleep, power off or hibernate - cold boot and user behaviour..

Interesting weeks - the last couple. Lots of folks debating whether the cold boot risk is real - is it too esoteric? Who do we know lugs around cans of liquid nitrogen to bring DRAM to 0 degree Kelvin!?! Maybe the guy who makes the Terminator movies...

I must admit the video was cool to watch - frozen chips... And therefore, most of the focus seems to have gone in that direction - thinking that one needs to cool the chips to extract the memory contents. But in reality, one needs only a USB drive with code to peek into DRAM - no need to even cool the chips! And Mr McGrew already has a tool - check out his comments "I did this as a small side project..." Nice!

Got me thinking on another topic - would be cool to do a survey on this. How many of us who lug around our laptops, travelling the country, shut it down? I personally never do - I only shut down my laptop when it starts to behave a bit erratic and slow. Else, I keep it on and when I travel just shut the lid.

I prefer sleep since it awakes quickly, hibernation seems to take longer. And with FDE enabled systems, this becomes more interesting:
-More RAM, larger hibernation file
-Larger hibernation file -> longer time to encrypt, i.e. close
-Larger hibernation file-> much longer time to decrypt and open

Hmm... I see sleep or power off as the only viable options for most folks with FDE!!

Now how does that compute with the risk scenario from the cold boot attack.. If I were an IT pro in a large organization, I would take a serious look at the power modes my mobile users use on their laptops...

Thursday, February 28, 2008

Warming the cold boot – a bit of braggin’ from BitArmor

By now, all of you are aware of the attacks on full disk encryption technologies described by Princeton researchers. In short, they describe how one can “steal” the contents of RAM and extract the encryption passwords kept in clear text. The research concludes that almost all disk encryption products have the same fundamental flaw that enables anyone, without custom-built and expensive resources, to gain access to the system. Rich Mogull has a good blog on how one should think through the ramifications.

This is scary news and rightfully so. We have seen encryption vendors approach this differently.

  • The don’t-worry, be happy approach: Some claim the attack is so esoteric, the customer need not worry – this is just research stuff.
  • Leave it to us approach: Some claim to have solved the problem, but with no indication of what that means or how they do it.
  • Increase your complexity approach: Some want you to increase the end-user complexity with process and unnatural actions to solve the problem. Not a good idea – every time we ask the end user to be responsible, we lose control and confidence that it was indeed secure. Transparency is the key to security..

We at BitArmor have taken another approach – the “solve the problem” approach. In fact, we had solved this problem, before it even became a known issue. Our CEO, Patrick McGregor is one of the researchers mentioned in the Princeton paper as having proposed architectural enhancements to prevent (the key word being prevent :))these attacks. From the paper:

“Others have proposed architectures that would routinely encrypt the contents of memory for security purposes [28, 27]. These would apparently prevent the attacks we describe..”

The “others” mentioned above, in case you were wondering, are McGregor et al… Check out his blog on his experience at Princeton...

Sorry if we seem to be bragging a bit – not often does a small startup from steeltown open up such a big can of whupass against a new broad new threat!

We have since applied (we had the technology already for a while) for multiple patents on technologies to solve these and similar attacks. Find out more on the BitArmor website ( for a high level look at how we deal with specific cold boot threats.

As soon as we can write up detailed information on exactly how we are dealing with the specific cold boot threats in our FDE (full disk encryption) as well as PFE (persistent file encryption) solutions, we will put it up here. Look for more information next week…

Tuesday, February 26, 2008

My Princeton Experience and Optimism for Encryption

As we all know by now, Ed Felten and his research group at Princeton have announced yet another landmark result in the realm of data security. For systems ranging from Java VMs to digital rights management to electronic voting machines – and now to disk encryption – the research group has shown that foundations for a secure world remain elusive to the industry.

I enjoyed the opportunity to collaborate with Dr. Felten on the SDMI cracking effort while I was at Princeton. In Felten's recent paper on cold boot attacks against encryption keys in DRAM, part of my Ph.D. thesis (which explored next-generation security architectures) is cited as a long-term solution. Indeed, for laptop encryption and trusted systems to truly realize their promise, hardware and software must be engineered with security at the core, not at the periphery.

The exposed flaws in many encryption solutions are disquieting examples of how difficult it is to engineer security systems for our impatient and diverse world. Routinely, software developers – as opposed to trained security architects – are being asked to design cryptographic systems with complex design parameters and even more complex security implications. The various attacks described in the cold boot paper show that security designers must improve their modeling of human behavior (and physics) when poised in front of their whiteboards.

Security is hard, but it is attainable! I’m optimistic that security engineering methodology will advance over time. Fortunately, today, a few companies are embracing a truly proactive approach for modeling threats and designing security systems.

This week, BitArmor will be making some key technical announcements on the strength of BitArmor software against attacks described in the Felten paper and beyond. Keep your eyes on this space...

Thursday, February 21, 2008

Disk encryption not enough?

Just saw this come off the wire - from on how disk encryption from Bitlocker and Apple's FileVault has been circumvented by a few researchers. If this is as simple as they make it sound, this is a bit worrisome. However, I am not ready to buy this fully, till I understand this a bit more.

For one, I was under the impression that Bitlocker protected against booting via an alternative OS (especially a system with a TPM chip on it) because it can perform bootup integrity checks. The article seems to claim this is one of the ways in... Hmm, not so sure...

Further questions:
Is this attack valid for all authentication scenarios such as TPM+Pin?
How easy is it to scan the RAM on a locked system?

There was another article recently in eWeek that talked about FDE not being sufficient protection. I personally think that we need defense against multiple scenarios - not sure if the defense-in-depth term can be used, but seems to fit the best...

Looking forward to understanding this a bit more...

Tuesday, February 19, 2008

Laptop = Cinderella, USB = Drizella? I.e. did the USB beat the rap?

Interesting article by Rich Mogull on how to protect USB keys. He seemed to have covered most of the ways one can protect data - I myself like to glue-gun approach! Just kidding, I am all for productivity while being secure.

However, this made me think of breach notification laws. As Rich pointed out and as I blogged about earlier, the sizes of USB keys are getting huge! I have one on my desk now at 8GB and a portable USB hard drive for 250GB! I presume that when one loses their laptops they have as big a chance of losing on of these hard drives or USB keys. And no one is as concerned, since they dont have to notify anyoneif they lose a USB key....

So answer me this - did the USB key and portable hard drive sneak past the breach notification lawmakers? Is the laptop, the Cinderella of the family that the lawmakers hate so much? And did the USB, Drizella, (which apparently is the stepsister's name according to Disney :)) get away?

And finally, is this analogy a really bad one? :)

Wednesday, February 13, 2008

Encryption - too much of a good (or bad) thing?

Seems like the new angst is about the problems of widespread encryption. Further comments on this by Shanmuga and Rich Mogull - who slams this (to put it mildly:)).

As technologies become widely used, it itself gets impacted by this usage and so do, in turn, the users - its a two way street. Widespread adoption of cell phones, the net etc caused huge changes in how people live and interact - this spurred further changes to these technologies as well. But the one constant of this change is that things become easier to use and more solid and reliable in its capability.

I don't buy the argument that widespread encryption will cause attacks via key management challenges - the key management challenge itself, I think, is overblown. All security companies worth their salt have good solutions for this- those that don't, will face the harsh reality of the market. In any case, technology is never going to solve your security problems - if you dont back it up with good processes...

Friday, February 8, 2008

CA breach notification law 2.0?...

More new laws! Recent news implies that California might enhance the current laws about data breach notification. They want to clear up how companies notify the affected parties - apparently there is too much jargon and legalese. Which leaves most folks not knowing what hapenned, how it hapenned and how they are affected.

We have talked about this on our blog - just saw that Tom Olzak also picks this one up.. I don't think this is making anything more stringent in terms of disclosure - it just lays down some ground rules on communication clarity. I am all for more clarity - had a tough time figuring out the nuances of a few disclosure letters myself!

Thursday, February 7, 2008

Best practices - notification of a breach

CSO magazine has a facinating article on notifying stakeholders of a breach. They compare and contrast two styles of letters to customers - interesting stuff. How does one provide details without overwhelming the reader who may not understand everything? Does one mention steps beign taken, other breaches in the industry?

I wonder how many folks within the company (as well as lawyers, PR folks) might be involved in this task? I assume this increases the visibility of data breaches across the company - mainly because of the number of senior folks involved. Bit late though, now that the horse has left the barn...

Tuesday, January 22, 2008

Late thoughts from CES - data leakage via gumdrops

A friend of mine just returned from the Consumer Electronics Show, where he saw NBC giving away 2GB flash drives at its booth in return for a badge swipe!

I remember when flash drives first came out: 8 or 16MB cost more than $100, and people gladly paid it. The price point has hockey-sticked downward, and with it, demand for more and more storage that fits in your pocket has skyrocketed. To me, however, there’s a more important focus: when 2GB flash drives are being tossed around like gumdrops, it means that the means of preventing access to files have to be rethought. And I’m not just thinking of flash drives.

The cat-and-mouse game that infosec pros have played with the bad guys has now extended to the good guys as well. It’s not a matter of them trying to do something wrong, per’s all a matter of convenience to the people inside an organization. If you gum up their USB ports to prevent the use of thumb drives, they’ll will use Gmail...or Hotmail. And if you block those sites, they’ll use another site you don't even know about until too late. (Has anyone seen

No, files leaving the cozy confines of the company cannot be totally controlled. However, if the files were protected, we may have a chance. Makes me believe that a data-centric approach to protection of information is an absolute must.... And through a combination of encryption, access control and retention. So that the information stays protected, even if there are more ways and means than ever before to gain access to the files.

Now, if anyone can figure out a way to load (or "leak") one of those 150” diagonal plasma screen TVs my friend saw at CES onto that 2GB flash drive, let me know. :)

Friday, January 18, 2008

Can security improve your bottom line?

Interesting question - and lots of opinions, I bet. Just read this interesting article on Network World where EMC's CSO, Roland Cloutier, argues for the proposition. To quote Roland...

“I challenge the theory that [security] is a necessary evil and I believe that if you do security well as part of your business processes that you will become a more competitive company..”

Notice the emphasis on business processes - this is where the real benefits come in. Security in itself can make you feel safer doing business, but the combined investment in security, infrastructure, business processes etc are what will make you stand out from the competition. Patrick had discussed how this applies in the context of PCI and comparing it to the benefits realized by companies who invested in Y2K.

At the end of the day I think well implmented security reduces transaction costs in business, reduces disruptions and therefore will be beneficial to the bottom line.

Now, all we have to do is quantify it! Hmm.. that might be a much harder challenge..

Wednesday, January 16, 2008

Wireless holes - protecting retailers from themselves

Interesting article in Network World on some of the holes many retailers have in their wireless infrastructure. Apparently, wireless security company AirDefense walked around New York City and ran their analyzer against many small retailers. They found that over a third did not have even basic and easily hacked WEP protection!

According to the article:

"..access to the unprotected access points and unencrypted traffic -- spilled well beyond the walls of the store. Attackers could set up shop outside, snoop on the WLAN traffic, and collect MAC addresses and other data that could be used to hack deeper into the store’s net, servers and data. "

Apparently the TJX scenario has not yet put feet to the fire for smaller retailers! Now, I agree that some technology solutions can be expensive - but surely, using inbuilt protection all wireless products come with can't be that hard?

Tuesday, January 15, 2008

Data-breach laws and business concerns

Seems like data-breach laws are getting expansive - California law now requires notification of leaked medical information.

Others, such as Massachusetts, are having a harder time convincing businesses. I do understand the challenge small businesses have - some of the security solutions they need to implement can be expensive. Howeever, the solution is not just technology. Better processes and compensating controls for small organizations will go a long way in reducing threats.

All this brings into focus the need for a national, standardized law. Our CEO, Patrick McGregor had some interesting points to make on this subject in this SC Magazine article.

Friday, January 11, 2008

To collaborate or not - this is NOT the question.

Just came across this interesting article in Network World by Kurt Johnson - Control Collaboration, don't inhibit it. No doubt concerns from Web2.0 and social media security risks also weighed in...

The article argues about best practices and has some good suggestions - however, I feel that the core challenge was not fully addressed. How do we really let data go free, but control it?

There are technology solutions (perimeter security, anti-malware, access control), process solutions (compliance - the challenge of managers now becoming compliance police? I doubt whether they would want to take on that responsibility) and people solutions.

The one aspect not touched upon explicitly is the data-centric perspective on meeting these challenges. I am a firm believer in de-perimeterization and think that we have to get to more granular controls at the data level with policies around encryption, access control and retention to effectively deal with these challenges.

Wednesday, January 9, 2008

Data leakage and being proactive about it..

My colleague, Hugh, has an interesting point in his article on keeping barrels out of the water. I agree that by the time information is out on the network and the IT Security folks don't know whether the data is sensitive or not, the battle is nearly lost. Access control and protection are vital. However, I also think classification is a huge issue as well.

Which brings us back to understanding data in an organization being the "a stitch in time" approach. We need to be able to classify, and identify interesting data. Don't get me wrong - this is a hard problem to address. Too much data, information about them being distributed, end users not being reliable to classify it, the changing business dynamics changing what is sensitive from day to day - all of these make it feel like a Herculean task. Nick Selby from the 451 Group also participated in an interesting Q&A on this.

Maybe the better approach is - start small (as always!). Much of it will be process focusses with help from the technologies currently emerging in this space. Be interesting to see how this area evolves in the future....

Sunday, January 6, 2008

What’s next in Data Leakage Prevention - Keeping your barrels out of the water

I recently attended the SANS WhatWorks in Stopping Data Leakage and Insider Threat Summit in Orlando. The Summit included a variety of sessions where vendors, industry experts, and end users talked about their experience with Data Leakage Prevention (DLP) products. There were also plenty of networking opportunities to talk one on one with presenters and peers. I applaud SANS on the program and highly recommend the WhatWorks series to anyone looking to implement one of the featured technologies.

The Summit provided me the opportunity to learn more about the various types of DLP products on the market today and while there is not one product that is right for every company, I liked what I heard from Vericept and Tablus. Vericept has one of the more mature products in this space and Tablus is poised to have a big impact as it is integrated into the RSA product suite.

There are different approaches to the data leakage problem. For example, some vendors sit at the edge of the network while others deploy an agent to the endpoint. Rich Mogull has an excellent whitepaper on how to choose a DLP solution. The one thing that all of the solutions have in common is that they are designed to keep sensitive data from leaving the enterprise or, as one presenter described it, to keep the barrels from going over the falls. He went on to say that while this is important, the best way to protect your data is to keep the barrels out of the water in the first place.

Data Leakage Prevention products solve a real problem today but you can expect much more than data monitoring and blocking from your DLP vendor in the future. In addition to monitoring outbound traffic, many DLP products are good at finding unstructured data much like a search engine and then classifying it as sensitive or top secret based on the criteria that your business outlines. While this requires various amounts of tuning and configuration, you will get a better understanding of where your sensitive data resides and who is using it.

However, finding and classifying your data is not enough. Forward looking DLP vendors are extending their products and developing partnerships to help you protect and manage the data they discover. These vendors are looking to implement data control polices to enforce access rights, the use of encryption, retention schedules, and even a time for the data to self destruct. This data-centric approach will allow companies to enforce their paper polices on electronic data and reduce the risks associated with the growing volumes of unstructured data.

The best way to protect your data is to manage it. You can spend a lot of time and energy trying to stop the barrels from going over the falls or you can keep the barrels out of the water in the first place by controlling access and enforcing usage polices.

Looking for more information about what DLP solutions can do for you? Check out what Nick Selby of The 451 Group has to say on his blog. Two of his recent posts on this topic are ADL doesn’t cure piles, either and Tying the Business Problem of Data Leakage to IT Processes - recovering from the deer-in-the-headlights moment.