Notes on Secure Mississauga 2007
Yesterday the group behind the CISSP certification, the ISC2, held a one-day security seminar with speakers discussing the state of IT security, threat modeling, privacy and disclosure laws and other interesting topics.
The ISC2 is holding several of these around the world this year… mainly as opportunities for CISSPs to add a few more education credits (you need 120 hours of continuing education credits every three years to keep the certification), and of course as a chance for vendors to toot their horns.
This seminar was held at Microsoft’s Canadian headquarters in the Mississauga area of Toronto, which is a pretty amusing venue for a security event. However, I guess it’s fitting… the IT security industry exists today mainly as a direct result of that company’s fine products.
Global security survey
The seminar agenda is here. The event opened with Adel Melek from management accounting firm Deloitte discussing findings from security surveys the firm did in 2006. Deloitte surveyed the chief security officers of about 400 large companies around the world, specifically those in the financial, telecom / media, and life sciences sectors (e.g. pharmaceutical and medical equipment manufacturers). You can read the surveys yourself (PDFs available here), but the most interesting messages I came away with from the talk were these:
- Senior management are finally paying attention to information security and privacy issues. Sadly, mostly this attention is to meet regulatory requirements and not due to growing intrusions and loss (according to the survey 83% of Canadian institutions suffered a breach in the previous year. Financial companies saw a 26% increase in breaches between 2005 and 2006.)
- Senior management largely have the perception that IT security practitioners do not place enough value on company information and do not safeguard it properly. However, in the survey the majority commit at most 3% of their IT budget alone (not their total budget) to information security, so you have to wonder who really undervalues information.
- 90% of all CISOs still only deal with information in digital form, not the overall security of company information. For example, information security plans rarely extend to paper document safeguarding and destruction. Adel predicted that soon CISOs who limit their mandate to IT security only "will be dinosaurs".
Adel also emphasized several times that security is a science, not an art as most practitioners still perceive it. This is backed up by the survey finding that organizations are adopting standards and international frameworks to allow them to comply "smarter" (I assume this refers to continued adoption of standards like ISO 17799, ISO 20000 / ITIL and COBIT).
However, if IT security is a science, I think it’s a social science. Quantifiable measures and predictable results in IT security are elusive. Still, adopting more rigorous approaches like ISO 17799 is good news for everyone tired of the "cowboy" and "cult of personality" practices still found in most organizations.
Threat modeling
A few years ago Microsoft came up with "application threat modeling" as a methodology for reducing software security problems and Rohit Sethi of Security Compass gave a good overview of the technique at the seminar. For those familiar with threat risk assessments, threat modeling shares many similarities: like TRAs it is a systematic method of identifying security threats, attempts to assign priorities (high, medium, low) to each one, and examines safeguards to reduce risk.
Threat modeling focuses on each data item of an application or information system (e.g. name, password, credit card number) and assigns a low-medium-high value for the confidentiality, integrity and availability of each. Threats to each are then identified (e.g. by using MITRE’s Common Weakness Enumeration database) and assigned a likelihood value. The end result is a matrix that attempts to identify where safeguards are most needed in the software. Because the approach models data flows through an information system (such as a typical browser – web server – application server – database system), it excludes infrastructure risks such as threats to the network and servers.
One tip from Rohit: developers tend not to understand Microsoft’s DREAD rating system (damage, reproducibility, exploitability, affected users, discoverability), and it’s better to use the simpler Risk = Probability * Damage potential calculation.
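To make the matrix concrete, here is an added example (my own illustration, not code from the seminar or from Security Compass) that rates a few data items on the low/medium/high CIA scale, attaches a likelihood to each threat, and ranks them with the simple Risk = Probability * Damage potential score. Two assumptions are mine: damage potential is taken to be the rating of whichever CIA property a threat attacks, and the bands for mapping the score back to low/medium/high are arbitrary thresholds.

```python
"""Toy threat-model matrix: CIA ratings per data item, per-threat likelihood,
and Risk = Probability * Damage potential (example code, not the talk's)."""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3  # the low-medium-high scale used in the talk

@dataclass
class Threat:
    description: str
    target: str         # "C", "I" or "A": the CIA property the threat attacks
    probability: float  # assessed likelihood, 0.0 .. 1.0

@dataclass
class DataItem:
    name: str
    cia: dict           # {"C": rating, "I": rating, "A": rating}
    threats: list = field(default_factory=list)

def risk_score(item: DataItem, threat: Threat) -> float:
    """Assumption: damage potential = rating of the attacked CIA property."""
    if threat.target not in item.cia:
        raise ValueError(f"unknown CIA property {threat.target!r}")
    return threat.probability * item.cia[threat.target]

def risk_band(score: float) -> str:
    """Assumed thresholds mapping a score (max 1.0 * HIGH) back to L/M/H."""
    if score >= 2.0:
        return "high"
    return "medium" if score >= 1.0 else "low"

def build_matrix(items):
    """Rows of (item, threat, score, band), highest risk first: that is where
    safeguards are most needed."""
    rows = [(i.name, t.description, risk_score(i, t), risk_band(risk_score(i, t)))
            for i in items for t in i.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory for a web shop; all values are illustrative.
SAMPLE_ITEMS = [
    DataItem("password", {"C": HIGH, "I": HIGH, "A": MEDIUM}, [
        Threat("credential theft via SQL injection in login form", "C", 0.7),
        Threat("offline cracking of weakly hashed password store", "C", 0.5)]),
    DataItem("credit card number", {"C": HIGH, "I": HIGH, "A": LOW}, [
        Threat("card data read from unencrypted database backup", "C", 0.4),
        Threat("checkout unavailable during outage", "A", 0.6)]),
    DataItem("display name", {"C": LOW, "I": MEDIUM, "A": LOW}, [
        Threat("stored XSS via unvalidated display name", "I", 0.8)]),
]

if __name__ == "__main__":
    for name, desc, score, band in build_matrix(SAMPLE_ITEMS):
        print(f"{band:6} {score:4.2f}  {name:18} {desc}")
```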
From what I gathered it seems very much like threat modeling makes the same fundamental assumption as most TRAs: that it’s possible to identify all threats. That tends to lead to a band-aid approach where developers just write safeguards for specific known attacks, rather than concentrating on creating a sound architecture, generic input validation, and also building in anomaly reports for when unexpected things occur within the application, potentially alerting when an attack is in progress.
Cross border privacy
There was an excellent talk on privacy issues for e-commerce and other businesses operating across jurisdictions given by "recovering lawyer" Constantine Karbaliotis of Symantec. The talk covered existing Canadian privacy regulations such as PIPEDA plus existing U.S. state and federal laws regarding breach disclosure and personal data safeguarding. He highlighted how the foundation of Canadian and E.U. privacy laws is that personal information remains the property of the person, whereas in the U.S. it is considered a corporate asset to be bought and sold.
Constantine said that the guideline for doing business across multiple jurisdictions is to "always go for the higher standard", meaning apply the rules of the most restrictive jurisdiction when collecting and storing personal information. Easier said than done, I’m sure… for example the E.U.’s strict laws conflict with U.S. mandates to maximize shareholder value, including monetizing an "asset" like personal data. Recall the Toysmart debacle, where the liquidators of a bankrupt company attempted to sell the "asset" of customer personal data, even in violation of the firm’s privacy policy and the Children’s Online Privacy Protection Act.
The horrors of the U.S. Patriot Act were also covered, including the goal that it applies outside of the U.S. He mentioned the excellent report of the B.C. Privacy Commissioner from 2004 and Treasury Board’s assessment from 2005. However, Constantine seemed to downplay its threat to privacy. The defense against it, he said, is to create a situation that makes it impossible for an organization to comply with a request for information under the act, such as contracts with U.S. companies prohibiting disclosure, or "tripwire" safeguards in databases that cause automatic alerts when accessed. I’m not convinced that, when faced with a Patriot Act request, any U.S. CEO would choose prison time over a breach of contract with a non-U.S. firm, or violation of a law in a jurisdiction they’ll never visit.
Some interesting tidbits from the discussion:
- In matters of privacy breaches, the IT department always gets the blame even when it wasn’t their fault. For example, the first ChoicePoint breach wasn’t a failure of IT security: fraudsters posed as legitimate businesses and purchased the data, yet ChoicePoint’s CISO was blamed.
- Regarding employee privacy, monitoring must be reasonable (e.g. installing a keylogger as the first step in investigating a suspected employee is excessive).
- Companies live or die based on their documented privacy policies.
- 75% of a company’s data, including privacy related data, is on paper or in unstructured files such as word processing documents.
- When outsourcing, your organization remains responsible when a breach occurs. It’s not good enough to require a company you outsource to "to comply with privacy laws"; you should also audit their practices to make sure.
The handouts also contained a handy chart summarizing various state breach notification laws, including which states exclude notification when the data involved was encrypted or redacted (e.g. only last 4 digits of a credit card number). The chart was apparently obtained from www.software-law.com but doesn’t appear to be available as a free download.
Other presentations
Naturally holding an event at a Microsoft facility means the host gets to have a few words. Microsoft employees gave two presentations: an overview of Vista security and an overview of their "secure software development", including more on threat modeling. The Vista presentation mostly just covered UAC and BitLocker drive encryption, which we’ve all seen many times before, so nothing worth commenting on there. And I admit I skipped the software development presentation… to their credit Microsoft has improved the security of their products recently, but I don’t think they’re qualified to be acting as an authority on secure software development just yet.
Overall the speakers for this short seminar were excellent, better than what I’ve found at the usual tradeshow-oriented conferences. ISC2 has several more of these events planned in major centers in the U.S., Europe and Thailand (schedule here), each one with different speakers and topics. While it costs more, non-members can also attend any of these ISC2 events.
(By the way, it looks like some of the presentations at this event are going to be repeated in June at InfoSecurity Canada, though not all with the same speakers.)
2 Responses to “Notes on Secure Mississauga 2007”:
July 3rd, 2007 at 1:07 pm
“However, I guess it’s fitting… the IT security industry exists today mainly as a direct result of that company’s fine products.”
Gosh, would that be a plug for Open Source products?
MAD
July 3rd, 2007 at 2:08 pm
@MAD:
Naw… just a playful dig at Microsoft’s track record. Though since you mention it, there’s no question I prefer working with the leading open source products (e.g. Apache, Postfix) over most secret source products. The best of the open source stuff tends to have a better security history and be far easier to lock down.