For paranoiac
Fractionate your information stream

Everybody will tell you that it’s good practice to change your password periodically. It’s definitely true. Any computer user must do it. Here I’ll say a thing that must be done by paranoiac.

Take a stream of information that you create over year. Take note that the stream isn’t continuous but partitioned like a stream of email messages sent over time. If you encrypt the stream with a public-key encryption algorithm; you’ll be able to aggregate many message from different sources. The thing is that if you don’t change you public/private keys, anybody who discovers your private key will be able to access your entire stream over time if he logged it. This is a real problem if such a thing append. It’s why the concept of information partitioning is important. You only need to change you keys each n day and if your attacker find your current private key he’ll not have access to the whole stream of information. It’s a way to add security within the security provided by the cryptosystem.

As I said, it’s for paranoiac only. It’s just a little thought that come up in my mind today, enjoy it.

Nuclear in the news today

There are two interesting piece of news concerning nuclear security. The first one is from the BBC. The Kyrgyz authorities had arrested 2 men that tried to sell 60 small containers containing plutonium-239. Who said that terrorists or other criminal groups don’t have the power to find and buy such material? This is possible that the news isn’t true. This is possible that the Kyrgyz government to prove something to the Russian or American government invented this. However, personally I think that such a situation is possible. Think about it 2 seconds. The CIA probably doesn’t have many agents in the central Asia zone since 1980 or 1990. The US army have a base in Uzbekistan but they are confined here. We need to rely on local governments for such investigation and probably the world security. The problem is that they have their own problems. Is that possible the Kyrgyz government had arrested them? If it’s true, praise them. Is that the first time that criminals try to buy/sell such products on the black market? I doubt. Why a country where 80% of their weddings are done with kidnapped women care about some criminals that sell/buy plutonium on their territories? The possibility exists; but I have doubts. What’s freaky is that we rely on such governments(there governments in central Asia) to do the work that concerns us. We need to change our mentality and put back our agents on the field where the things append. When I say “we”, I talk about the countries that care about their homeland security or countries that need to care about it.

[In addition to the post: 02 October 2004]
———————————————–

It was finally a false alarm. It suppose to be in reality 55 old-fashioned Soviet smoke detectors. I warn you in the first edition of the post that this was possible that this piece of news was not real or true. However most of the facts remind I said on the subject remain.

———————————————–

The other piece of news is from SecurityFocus. They talk about cyber attacks against nuclear facilities. There are some interesting things that they said and that I want to think about:The fact: “Last year the Slammer worm penetrated a private computer network at Ohio’s idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor’s network, bypassing Davis-Besse’s firewall”. The solution they found to resolve the problem: “News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for U.S. regulators to establish cyber security requirements for the 103 nuclear reactors operating in the U.S., specifically requiring firewalls and up-to-date patching of security vulnerabilities”. It’s sure that they have problems with their firewalls and vulnerability updates. But for the specific case of what append at Davis-Besse, the best firewall and latest updates would not stop the virus. Why? Because he propagated himself through the contractor’s network. The point here is to demand the same level of network security to their contractors. Any security system with a backdoor is not secure at all.

What if the contractor is bribed or menaced by a criminal group? Security is not just about firewalls and security updates. It’s more than that. You need to think about things that you don’t think about. It’s not just a process; it’s a way of thinking. It’s like doing a great discovery. You need a mind shift, imagination. You need to understand how your enemies work and think. You need to understand how your employees work, think and react in certain situation. Personally I see a great deal of psychology in security (any type of security), I’m I paranoiac? Security is not distributed in distinct parts, it’s a whole.

There is a hope when you finish to read the article:

“A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant’s cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping.”

But as I said, this is not just a question backdoors and logic bombs in software. However they are in the good way because we can see that they are preoccupied by their sofware development companies and their interaction with them.

There is not any link between these two piece of news. But I think that it’s a good opportunity to think about the problem. There are probably many things that I don’t understand in the situation, but if I base my thoughts on what I perceive, there is a real problem for the world security.

Some thoughts and highlights on the Global Information Security Survey 2004 of Ernst&Young

There are some of my thoughts and highlights that I wish to share with you about the Global Information Security Survey 2004 of Ernst&Young.

First, there is the targeted population: more than 1230 enterprises in 51 countries. 22% of them have more than 1 billion in revenues and 56% of them more than 100 millions.

One of the things that I need to point you out in this survey is what I already observed and I posted on this blog since 3 weeks. This thing is the management-based approached of security. It’s the importance of the employees as a security layer in the infrastructure of the system. Unfortunately, senior management is more trusting than prudent. This situation seems to be the root of many problems.

As many people think, one of the best security layer that enterprises can have is his employees. Ironically, this same layer can also be the weakest link. The problem is that they need to be trained and educated in there role in the infrastructure as a security layer. If you do so, you’ll have one of your strongest link; otherwise, there is a good probability that this layer would be your weakest.

The main influence factor in the security of an enterprise is the senior management. It’s their decisions that will affect the security of their enterprise. If they don’t care, who will? This is the problem that I pointed many times before on this blog. First, we need to educate our top-level administrators and managers. After we’ll be ready to educate employees of other levels. However, the idea is not viable if senior managers are not aware of the situation.

The easiest and less expensive attack that we can perform to enter a system is by exploiting the human factor. An attacker only needs one negligent employee to attack the whole system and take into it. By knowing that, it’s now ease to understand why it’s so important to educate every employee of an enterprise, from the concierge to the Board of Director.

After this said; we can get a look at numbers.

Interesting numbers are them related with the human dimension of the security. You can see them at pages 13 and 14. Only 53% of the respondents train their employees in a security and awareness program. Don’t forget, it’s an important factor in the success of a security infrastructure. Only 56% train there employees to identify and report suspicious activities. Finally, 60% provide instruction to there employees to classify data. The problem with the former is that the biggest asset an enterprise tries to secure is their data.

Companies correctly identified insiders as the second highest rated threat. The problem is that they don’t do many things to cope with this reality as we can see in the results up there. As said in the survey:

“Employee misconduct involving information systems”
cited as a distant second behind “major virus, Trojan
horse or Internet worms,” the top threat to organizations
– Less than 30 percent listed “raising employee information
security training/awareness” as a top initiative in 2004

As you know, security is a process. This means that you need to periodically upgrade and change the security policies to cope with his changing environment. The problem is that 39% of the enterprises of the survey fail to periodically review their security policies for compliance. Moreover, close to 70 percent[15% monthly, 16% quarterly, 8% semi-annually, 10% annually, 39% ad hoc, 11% never] of the respondents’ board of directors failed to receive a quarterly report about the organization’s information security status.

According to Ernst&Young, top obstacles to effective information security in 2004 are Lack of security awareness by users, Budget constraints or limitations, Availability of skilled staff, Difficulty proving the value of information security and Pace of information technology change. The three firsts can be overcome by education. The first by the education of the employees of the enterprise. The second by the education of the senior managers and the third by talking with the universities and other educational institutions to help them bringing programs that cope with the needs of the private industries. Three obstacles; one solution: education.

99% of the respondents have antivirus software and respondents said that with an occurrence of 68% major virus, trojan horse, or internet worms was the result of an unexpected or unscheduled outage of their critical business systems in 2003. Why? Because of the insiders. They see an attachment in an email, the click on it. Another possibility can be the lack of system upgrade. Think about Codered or other major virus.

Another interesting numbers are the ones that talk about outsourcings. 28% of the respondents outsource information technology operation(s) to foreign-based solution providers. Take note that the percentage grows to 46% with companies with revenues over 1 billion. The problem is that only 20% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security regulatory requirements. Moreover, only 30% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security policies. This is unbelievable but this is true. Companies have some type of security policies, but they don’t necessary demand the same level of security for their foreign-based solution providers. I have some thoughts related with the security in outsourcing that I’ll write about in a future post. As said in the survey:

– 80 percent failed to conduct a regular assessment of
their IT outsourcer’s compliance with the host
organization’s information security regulatory requirements
– 70 percent failed to conduct a regular assessment of their
IT outsourcer’s compliance with the host organization’s
information security policie.

I encourage you to read the whole survey. It’s a really interesting reading and it succeed to cope the whole thing. Moreover the analysis done by Ernst&Young is short, accurate and readable without being boring. So, go on and enjoy the reading.

Social responsibilities toward violence

This is just a little thought about a piece of news that appeared on the BBC this week. This post is hard to write because anybody can read it, from anywhere on the planet, from any culture. The perception toward the violence depends greatly from a place to another, from a culture to another, from a social layer to another. I just want to warn you that it’s strictly a personal thought that don’t need to be shared; so read it with your eyes and if you not agree with it, then start a discussion and I’ll be happy to try to understand your point of view. Don’t be shy, I’m really open with others’ thoughts, it’s how I learn and it’s how I can adapt myself and survive in a new environment and situation.

So, have you read this article? This is just a story like many others. It’s in China but you can see the same thing anywhere else in the world. It’s not a question of race or religion, it’s a question of violence. It’s a question of people toward violence, pure violence. They had probably a motivation to do it, possibly none. The fact is not there. The question I need to ask is: Is everybody having a social responsibility toward violence? A couple of bums versus 80 other peoples. Two of them done a blood bath. Nobody reacted to the situation. They have knifes? Clients had chairs, keyboards, probably some type of poles, etc. There were security guards. Nobody moved. It’s sure that no one know how they will react in this type of situations before live it. Think about it. You, what would you have done in this situation?

Can we check other citizens been slashed in our face without reacting? Do we have the duty to try to do our best in these situations (and not just bow our head)? I think it’s a good society question. We need our society as secure as possible. They are not, they’ll never be. The thing is not to live in a completely secure world. The thing is to be aware of the problem, to study it and try to understand it. The real problem is that people play the ostrich and hide there head in the sand. They don’t wish to sea the reality. Personally, here in Canada, it’s how it work. People don’t need to get stock in the story of others people. Personally, I think we are wrong to think in this way. I think that we need to help other citizens if they are in danger. We need to help them at our best and not fear the prosecution. I also think that we need to learn this thought to citizens and to our future generations. Really, I’m dreaming, I don’t think that a majority of Canadians agree with me but it’s my point of view for the moment. What lack in Canada and probably in many other countries? The citizenship spirit.

If I wish to have the sense of security in my community, I think that this same community needs to have a citizenship spirit , be able and have the courage to help me if I’m in troubles. I’ll do it for them, but will they’ll do it for me?

You need a foundation before rising your house.
Avoid complexity when you talk of security, back to basis

I just get around a really interesting piece of news that talk about the last IT Security Summit conference of the Gartner research center. Normally peoples that talk in these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the last technology that you need to be up-to-date and a foot ahead of hackers. Victor Wheatman, vice president and research area director at Gartner said the opposite. His speech was about what enterprise don’t need in the field of computer security technology. He says that they need to go back to basis if they really care about their security infrastructure.

Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on. “You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”

It’s the same as for physical security. If you are not the president of the United-States, you don’t need 10 bodyguards, an aerial surveillance and 15 hidden snipers when you walk on the street. You only need some awareness basic principles. A basic procedure like the code color of Jeff Cooper. More complex the procedure is, less people will follow it. It’s the same principles as them in self-defence. You’ll not use your kung-fu style if you are assaulted in a bar. You’ll use your gross skills that don’t need any reflection to use. You’ll not look at every person and think about all possible scenarios when you walk on the street. You unconsciously check for hints that can lead to a possible threat. It’s the same thing with a computer security policy; you need it as simple as possible for all of your employees. If you protocol is not simple and straight to the goal, your employees will not follow it. You can do one more elaborated for your system administrator, but not for your normal employees, this is not there job and they are a big part of your security infrastructure, take care of them! This fact is a question of human nature.

Another interesting thing that I noted in this article is this discussion:

Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security.

“We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail,” Smith said. “But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed.”

I already discussed of this in this article some weeks ago. It just connects my thoughts with this fact.