Wednesday, July 27, 2011

Custom requirements: Making vendors do things our way. Is it doing is harm?

Here is one of the great truisms of data security. It is like the weather joke “you know what they say about the weather here in (insert city name here) if you don’t like it wait 5 min and it will change!” They say it in every city I have ever been to. There is the equal social narcissism of “Here at (insert company name) we can break anything! We have the most complex software environment I have ever seen”
This perspective is kicking our tails
Back in the old days we often needed to push vendors and their products to meet our Business needs. In 1994 I worked at a company called Dr. Solomon’s Software. We had a heck of a time finding a CRM software. It needed to work well with our systems, could capture the data we needed, and we had to be able to get the data out again in a form we could use. After selecting one (no I won’t say which one) we had a DBA on staff for months after tuning and tweaking it. There were times when inputting data (I was tier II support in those days) it would freeze or fields would be un-selectable.
I think any of us who came through the 90s had moments like that with one technology or another. We had to use (and sometimes even pay for) software that felt terribly beta. I admit to working for a Company President at a slightly later company that said often: Ship it as is! F#$% it! We can fix it in a service pack. We need to get this out there.
As is the theme here, times have changed. Products and developers have been given the pest part of two decades to get it right. The metaphorical service pack has long sense shipped.
 I was with a friend at a major airline where she worked in the IT department. They were looking at a number of upgrades, migrations and a few places that they wanted to change vendors. It was real day-in-the-life of the IT department stuff. We came then to the part about custom requirements. There was an ocean of tiny custom needs that the airline had. Each software vendor had to meet them all make final consideration.  Those site specific things proved to be the bulk of the evaluation time and would be a major amount of the implementation costs
 We had a long look at that list of custom requirements. When we took a deep breath and considered most of them against the truly refined nature of the modern software offering they just did not matter. Small changes in process ( they are sometimes politically difficult I grant) could be made that would actually make the software run better, cost us less, and make our jobs easier
This led to a long conversation on the evolution of custom requirements. What methods did we decide on in the early 2000s that have become superseded by better software or methodology like VM and cloud computing?  What methods to we need to adjust our culture to using better?
To take this argument to data security from more general IT I have seen many clients that had an incident between 5 and 10 years ago they are still over reacting to. I have had to talk down 2nd and 3rd generation security directors from their institutionalized avoidance strategy of threats that haven’t been viable for years.  To make things worse the Captain Ahab like obsession with the “last war” often leaves us vulnerable to threats that escape our notice due to over-focus.
The Vendor and solution provider community have gotten pretty darn good. I am not saying to blindly trust that vendors have a better way. That would be equally insane to ignoring them.  Vendors are as self-serving as the rest of us. Often they have barely seen the client’s environment and don’t want to work harder than they need to. I am saying any time we as users of IT technology, especially security technology, see the majority of solution providers disagreeing with our doctrine we need to reconsider our doctrine.

Thursday, July 14, 2011

Stopping Change Control from becoming Change Prevention.

It seems to be some kind of rule of human nature. It is fear of change meets the Iron Law of Bureaucracy (Every task will always expand to fill the time available) Our Change Control efforts that were once required so the light-speed changes in IT technology didn’t run over our business. How many times has it evolved to become a millstone around our collective necks? How much have we emotionally invested in this control?
On this particular topic I think we need to start with a definition. Taking that from Wikipedia:
Change Control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software. The goals of a change control procedure usually include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.
It seems to me that there are two warring factors in terms of change control (aside from the Iron Law of Bureaucracy VS. high speed change argument). For purposes of argument I will call it the “Works fine” vs. “Really cool” argument.
If proof was needed proof that the pace of Traditional IT change has slowed we only need to look at Windows XP. Its successor, Vista, was largely rejected by industry and as a generality we use our old OS’s for 7 years. Because it worked fine. There was no compelling reason to upgrade until Win 7 came along and even then we were stately about the upgrade.
 We could look at our mail systems, they work just fine.  Everything is incremental organizational improvements. The calendar, messaging system and all the rest have been good enough for years. CRM, ERP, GRC, a lot of the traditional systems work fine.
Our users are human beings though. We are constantly being marketed to by really cool new toys.  The new form factors (smart phones and tablets) and new media Twitter, Google +, Facebook and IM (New Communication methods) are in saturation mode in their push on us.  Tethering off the Android and the IPhone makes every user at every desk their Own ISP, going right past our expensive firewalls and IPS. And all these new technologies are so cool!
So the Change Control problem is this: We have developed an organization and an industry that is oriented at looking at better ways to do our traditional activities. It works at a stately speed to do a thorough job. It is perfectly designed and organized to look at when to change the web browser version a year or two after they come out, but not at all on how to control data across smart phones.
For data security managers (or military officers) there is a great rule I learned in there early days as a restaurant manager: never give an order you know won’t be followed. If we tell our users they can’t have mail on their Android they will do it anyway. If we try and implement draconian controls we will make enemies of our users and they will end run around us.  By doing this we have made ourselves ineffective. Our user will work around our normal and reasonable controls as well as our knee-jerk slowness to adapt. As soon as our employees decide to that the IT department is the enemy everything we do is for nothing.
Change control
Data Security and Change Control.  Maybe we need to go back a bit to our 1995 way of doing things and unclench our fists on some things that have become our purview. I would like to offer a revolutionary thought:
As long as, as an enterprise, we control the data nothing else matters. By use of PKI, VDI, Whitelisting, or the similar if we hold control over proprietary company data (and not try to control an employee’s posting to their kids on FB). We don’t need to care at all about the methods that are used to handle that data, as employees treat that data with respect. Data Security of our precious assets does not need to be about controlling the user’s whole data life
Change control as a minimalist concept base on the use and control of data. Not applications, not operating systems.  This can be accomplished in a way that allows the cool, secures the data, and doesn’t break the bank. There are those that will say that unless we manage for every vulnerability in the system we can’t control the data. In 2011 this is no longer true.
·         Application whitelisting ( hell yes)
·         VDI. All  work data saved to the SAN
·         Network IPS
·         Simple forms of DLP like string matching (because if an employee wants to circumvent even really good DLP they will)
Control the data not the asset
We can (and do) argue the technology. The boil down is this:  by backing off our emotional investment in hard control of method and mechanism we can have a better work environment for less money and effort.

Wednesday, July 6, 2011

We need to be a partner not a slave to our auditors.

Compliance drives a large portion of our IT spend and our IT efforts. In 2011 it is just a fact of life. We were all scared to death back during the Enron/Anderson thing and by the tide of regulations that followed. Serious enough SOX violations can mean going to jail. Beyond that the PCI fines that can be levied on a company for violations can (in theory) reach 250,000 per occurrence.  We need to take all these regulations deadly serious… but here is where we run into the disconnect.
I have met very few security or administration professionals that have actually read the regulations they are complying with, I mean really read them.  Most overworked and under resourced security administrators just read the auditors requirements.
The Entire PCI DSS requirements doc is under 25 pages and they are low density pages. GLBA is less than a page.  Granted some of the others (Notably FISMA) are a lot more comprehensive. Most of what the large body of regulatory requirements asks for is near identical to what an average CISSP would design anyway. In retrospect I think the fusillade of regulations caused us to panic. No one wanted to be seen as not addressing the problem so we over reacted badly. This over reaction gave us two significant problems.
1)      Compliance drives Security, not the other way around.
2)      In our confusion and frustration we hire an auditor and believe everything they say
Neither of these seems to be particularly bad at first glance, A bit concerning maybe but not awful. After digging in a bit it grows more problematic.
Regulations will always be trailing edge. We can’t regulate something until we know about it. We don’t regulate something until there is a problem with it. So by the time a threat vector becomes subject to regulation it is already full blown and pervasive. By letting compliance drive security we are in a perpetual game of catch up with and always letting the malefactors have a head start.
The decisions to follow out auditors recommendations should fix this. They are IT Security professionals and have the time and intensity to spend on creating a proactive threat mitigation program. In a perfect world it would work just like that. In practice auditors are just like every other business in the world: they are all about maximizing their profits. This maximizes the amount of work they recommend and the amount of paper they produce.
Do not mistake me for being anti-audit or anti auditor. I am not. What I am against the abdication of though and responsibility that is becoming standard.

Our Auditors must become our partners in compliance and security, not our masters. We, as IT professionals, need to read our Compliance standards, understand them, and question the plans for compliance. 

 We need to push back against excessive controls that do not actual address the issues. In my time with clients in the field I have seen zealiotious adherence to really odd controls under the blanket logic of “it is required for PCI” or something similar. The compliance standards are invoked like magic words. If I then pull out my copy of the PCI DSS and show that whatever truly odd control is exhibited that day is not in the standards at all I am greeted by an awkward silence. I have seen equally odd reasons for gaping security holes: “We can’t fix that, we have to do it that way for compliance”.
Neither Security nor Compliance is rocket science. We may need to stab some sacred cows and may have to change a few business processes so we aren’t fighting ourselves. Above all we must remember that we as the IT Security industry have a responsibility to design and implement the best solutions we can. Neither Audit nor compliance changes this basic fact.

Saturday, July 2, 2011

Signature Anti-virus isn’t dead, it just should be.

Anti-virus is required by all our regulatory standards as well as good sense. The mechanism of achieving it is obsolete in a way that it is just weird that we don’t notice.
If we actually read the regulatory standards (PCI, HIPPA FISMA, etc.) they say we need to use antivirus technology and keep it up to date. I have not found a place anywhere in the body of regulations that says what technology we need to use for the antivirus.  As an IT security community we owe it to our integrity to actually read the compliance standards we are adhering to.
Back in the dark ages in a place called Dr. Solomon’s Software (I loved that job) we had really good  signature AV that we updated once a month. It took care of the Trojans and Word macros that we saw back then and the update fit on a floppy (remember floppies?)  The total resource utilization was around 30k of memory even on our Win 95 machines that was a trivial amount of resources.
At the time of this writing My Virus Scanner gets 68 M of ram and between 100 and 500 k a day update and full update is more than 100M, this is after a major engineering effort just lowered it to 60M late last year. DATS are massive and just getting bigger.  Updating them is a massive and cumbersome undertaking. The latest iteration has the AV client communicating on UDP on a near continual basis. And we think this is a good idea why? Regardless of the vendor we choose AV management has become a full time job
Signature AV also has dozens of black eyes on its success record. Everybody I know in IT (with a single exception) has outbreak stories. Everybody has had their signature AV fail to protect them even after massive efforts
So Signature AV is like having a club bouncer at a sheik party that only stops people who the bouncer recognizes as bad guys, or looks a lot like bad guys (heuristics). Wouldn’t it be better to just have a guest list, and only allow people you know and people with an invitation?
The most surreal reason that Signature AV is still alive is all the alternate technologies (buffer overflow Whitelist, Firewall, VDI, Network Control) are lower resource utilization and lower touch as far as the amount of maintenance time and management framework and can be operated a lot cheaper
These days I am leaning toward Dynamic Application Whitelisting, things like Solidcore, CoreTrace or Savant. Everything is either trusted as known or has a hash (SHA-1, or MD5) or a Certificate to introduce it. All other apps (worms, Trojans, virii, etc.) are stuck at the door. This way users can still install ITunes (if we let them) but we don’t have to worry about them “installing: the video of Osama bin Laden’s execution Video.
Another good idea is have the employees work on a VDI with all the data stored n the SAN on the far side of a good nIPS. The VDIs are destroyed at the end of each use so there are literally no meaningful ways for the users to infect the data or the compromise the work asset (VM). The host for the VDI we just put our Application While listing on and protect from key loggers and screen scrapers.
Buffer overflow protection is good but is a percentage win. Most threats these days use a social engineering vector. Host firewalls are a kind of throwback technology; it is also a percentage win but does nothing about threats with a vector of user spoofing or Social attack. Whitelisting web pages has become mature as well. Browser plugins (thinks like Site Advisor) that block users from getting to bad sites is a nice incremental win against social engineering.
In an innovation industry like ours why exactly  can we not kill of the 1992 technology with an arm load of better options?