Thursday 27 November 2008

False Positives are Irritants: False Negatives Hide Real Risks

Discussions about false positives seem to be hotting up again. Often, solutions are proud to provide their customers with a “low false positive” rate. Alas each and every error is a costly one. Every false positive incurs the financial cost of an investigation – or the risk of ignoring it. I won’t go into the economics of it here (but a white paper is available discussing the cost of false alarms to a business). The reality of a false positive is that the continued annoyance results in the trust in the security device to seep away., False alarms desensitize us all (consider a car alarm going off in a car lot – we rarely take any notice of them). Worse still is simply turning off the cause of the alarm (most likely a signature put in place to protect) – and then the protection itself has gone!

However many false positives we receive, it is human nature to assume that “at least it is stopping all the bad things”. If the burglar alarm continues to squeal, surely it is keeping out the burglars. The unfortunate truth is that false negatives should be given the highest priority. Security systems that allow attacks through without alarming hide a huge risk.

When you are considering a system with a “low false positive” rate -- don’t forget to ask about their false negative rate. That is the one that determines whether the system provides any security at all!

Monday 24 November 2008

Card fraud: Skimming or Database Attack?

I have just come back from visiting a customer in the Gulf. The customer was not in the banking sector but it was brought to my attention an event in the region about a month ago where UAE banks were hit by a wave of card fraud. None of us want to have to replace our cards or our passwords unless we really have to, so it is quite startling when a number of different banks contact their customers to force them to make these changes. The rumors were that a gang had put up cameras and skimmers to capture card and PIN details. I am troubled by the interpretation that skimming was to blame. The security on ATMs, particularly around what data is held where (e.g. the PIN is never transmitted unencrypted) is very solid. With such a large number of different banks being “hit” and with so many PINs being stolen I wonder whether there was actually an intermediate system that was holding too much card data -- and that it was vulnerable.

Friday 21 November 2008

Coming of Age

Party time!

Secerno hit its fifth birthday this week and co-Founder/CTO Steve Moyle and I spent a few happy moments reflecting on half a decade that has flown by as the world has changed rapidly.

Five years ago, there was no database security market worth speaking of. Since then, the focus of both criminal activity and the security industry has lifted up the stack from the network to the application layer – and specifically to the database. Previously seen as bomb-proof, the all-important database is now recognized as a vulnerable component in the IT infrastructure – and the most valuable.

Which is where we came in. Five years on and there is now an answer to the question of how to stop the kind of focused database attacks that have started to plague companies around the world. These are often targeted, intelligent exploits that need to be stopped by specialist, intelligent defense. If all your database security does is tell you how the data was stolen, then it’s a forensic tool masquerading as security. If it doesn’t stop the attack, then it’s not a defensive player – it’s a commentator!

Five years on and the passion remains. We are starting to hear rumours of another major breach in the US. We’ll say more when we can. These things have to be stopped.

Database security is ready to come of age.

Paul Davie

Wednesday 19 November 2008

The Greater Good

There has been much interesting discussion in the press recently about individuals’ privacy rights and the threat to them from the development of now consolidated medical databases. In one of this week’s thought-provoking articles in The Guardian, the view is put forward that the privacy of millions of patients of the UK’s National Health Service could be swept aside by a government plan to let medical researchers have wider access to our personal files.

I’m in favour, of course, of medical advancement. Almost all of us are. It’s a necessity. But this project is just one of a series of public sector database consolidation projects. With each consolidation comes additional risk, as small, local communities in which all users are known, become replaced by national access systems with thousands of authorized users. Spotting the few careless or corrupt users then becomes a totally new challenge. The Contact Point project mentioned is the one that causes me most concern, as it contains data on the UK’s children, made available to every local authority in the land. Data security is primarily passive – coming via authentication and an audit trail, it appears. Chilling.

The companies building the architectures would gladly include the additional layers of security needed were the government to specify the highest level of database security for each project - but this is a new area and budgets were often tightly specified a while ago.

I'm a scientist by training and have worked with pharmaceutical and biotech companies for two decades. Their world is changing dramatically, with collaborations forming between competing drug companies, clinical research organizations, hospitals and academic groups to tackle complex therapeutic challenges. Data - often sensitive data - are washing around between all of them. Tracing who is using (and losing) data, is a huge new problem. But we need to remember that this type of data is the lifeblood of these important projects.

We need, reluctantly, to accept that data about us is out there in countless places – very few of us can practically avoid this. But we do need to be adamant that we own what defines each of us and that we retain the right to know how and where it is handled and especially, we have the right to know when it has been lost or stolen - whatever the UK Government and Information Commissioner's Office may say on the issue of breach disclosure.

I'm personally totally in favour of the right of any individual to opt out of having their medical (and other) data shared, though I may well, nervously, remain opted in myself. We have so much to gain from the medical advances that some of these projects are seeking to address. I guess it’s just a question of the greater good?

Paul Davie

Monday 17 November 2008

A Safer World

I was at the third Global Security Challenge event at the London Business School on Thursday. This is a well-organized conference that has grown from small beginnings and is a huge credit to the LBS students that organize and run it. They have secured fantastic business sponsors and some extremely high-caliber speakers for a competition to showcase the latest innovation in security in its widest sense, from new-generation lie detectors, to sensors, tracking systems and new encryption technologies.

I was particularly impressed with the presentation from Chris Darby, President and CEO of InQtel. In a talk presenting huge accumulated wisdom of great value to the budding LBS entrepreneurs in the audience, he summed up the security proposition neatly as “We all just want a safer world for our children”.

And so we do. Yet so much of day-to-day IT security is about coping with the minutiae of small breaches and subsequent irritations. The following evening I met up with Alf – a lifelong friend and small-businessman in Oxford, UK who has managed to keep his own business running on a shoestring for fifteen years. His week was made miserable when he was unable to book the transportation needed to meet his delivery commitments. It turned out his company credit card had been cloned and abused, creating the sort of short-term problems that can kill companies in times like these.

The question we pondered was “who knew about this?” Alf still doesn’t know how his card data was stolen, but could he have been informed before? I was disappointed to hear the UK Information Commissioner, Richard Thomas, supporting the Government’s view that US-style data breach disclosure legislation “would be a significant additional burden for businesses, and could cause public 'breach fatigue'". Well, from where Alf sits, the burden on his small business came from a data breach, and the thought that there might be another company out there that knew it might have lost his data but kept quiet about it is an infuriating one.

Protecting and validating identity was a big issue for global security and a business-threatening issue for Alf and other such hard-pressed businessmen. The idea that a European firm could lose data and not have to tell those affected still bewilders me. Are we really creating a safer world for our children when we allow those whose data security has failed to sweep this embarrassing fact under the carpet?

Paul Davie

Addressing the insider threat to Database Security

I was out and about on the European Conference circuit again last week. A trip to the Netherlands included an invited presentation at the ISACA Network Security Conference and a scout around the InfoSecurity Netherlands show.

My presentation – “Addressing the insider threat to Database Security” – was well attended with people having to stand in the doorway for the 90 minute session. After the talk, I was approached by a couple of security guys from Germany who wanted to know how they should implement separation of duties on a database (one of the recommendations in my presentation). I suggested they might like to ensure that the database operating system was managed separately from the database itself. This was a sensible enough scheme that they felt comfortable with. They asked whether it was secure. I then explained that it was quite straight forward to get remote operating system access through a badly written application (e.g. SQL Injection + netcat). This made their faces drop! Their moods improved when I said that Secerno DataWall™ neatly stops this.

A couple of the other ISACA presentations that I really liked were from Maksym Schipka of MessageLabs and Steve Orrin of Intel. Maksym gave a very thorough expose of the sophisticated micro-economics of the e-crime world:” Revealing the Secrets of the E-crime Underworld”. This is a world where anonymity rules and every supplier of a “service” is trying to scam every purchaser. I like the idea of “trusted intermediaries” who escrow bespoke malware and test the author’s claims before passing to the end ab-user – and taking a fee for the service. Steve from Intel gave a good session on the ins-and-outs of virtualisation and the security challenges and potential benefits: “From Virtualisation vs. Security to Virtualisation-based Security”. When we chatted after his talk he agreed that Secerno’s offering of a virtualised appliance was aligned with the ideas he spoke about.

I managed to get a few hours in Utrecht at the InfoSecurity Netherlands trade show. This was my first visit to that show and it seemed to be bustling. The usual larger security vendors were there including McAfee as well as many small specialist firms. It was good to see how many F5 resellers there were (F5 and Secerno products have a close relationship – more soon). The number of exhibitors was fewer than the InfoSecurity London show, but more than at the recent RSA Conference Europe – although of course the RSA Conference in San Francisco still trumps them all in terms of size. I was assured by a local journalist that it was bigger and better than last year. So this makes me wonder whether the recession is biting in continental Europe. One of the keynote speakers at InfoSecurity NL was David Litchfield from NGSSoftware. He is the world’s expert on database security having co-authored the “Database Hacker’s Handbook”. I was not able to attend his talk this time but I admire his work.

Saturday 1 November 2008

Steve’s musings from RSA Europe 2008

RSA Europe was held again at ExCel at the outskirts of London Docklands. Great venue – but the location is not really London and can disappoint some who travel from abroad. Also the timing was not great for UK-based InfoSec professionals with families –the show was held in school vacation time (half-term).

There were many familiar faces at the show: both at the exhibition and fronting many of the keynotes and other sessions. Art Coviello, President and CEO, RSA Security was pushing for “Thinking Systems”. This is quite close to my heart as my academic heritage links directly back to Alan Turing (who was the “motif” for the show) who spent much of his time contemplating thinking machines. Indeed, some core of these ideas can be found in the core of Secerno’s symbolic machine learning techniques.

RSA was a busy time for me – I was involved in three sessions and manning the Secerno stand along with the great networking that was provided in the evenings. My presentation “Regular expressions as a basis for security products are dead” went down well and even though it was reclassified as “Advance Technical” it did not deter an interesting audience. Some lively debate ensued after the talk. Although I could not make it, another talk mentioning SQL Injection was given – this was the talk on “SQL Smuggling”. I was not able to get to the talk, but the slides looked interesting. I know that the failures, pointed out by the presenter Avi Douglen, in outdated technologies does not apply to the Secerno SynoptiQ new generation technology.

My second “gig” was on Paul Fisher’s (Editor of SC magazine) CTO Panel. Although we were supposed to be blue-skying about “Beyond Tomorrow” it turned out that I was sat in the middle of two Malware CTOs who only wanted to think about malware AV and delivering this as a service. There were times when we were able to get the time horizons of the topics a bit further out. I did like Paul’s question about the Art’s “Thinking System”. I believe – and built that belief into our products - that security (and everything else in life) is a battle for knowledge. Thinking machines need to turn information into knowledge and then we can use that knowledge as a form of defence.

The final role for me was leading a special interest group “Securing Virtualised Assets”. Virtualisation drives down operating cost, but what does it do for security? The SIGs were a far more intimate affair with only 10 seats available around a table. It was pleasing to find security professionals who were being proactive in their company’s virtualisation efforts. It seems that there is confidence in how to tackle the security of back-office virtualisation projects. What was more edgy was how to do the same for the desktop. Interestingly, one of the attendees of my SIG was from Dell who had just announced that they were offering outsourced virtualised desktops.

Bruce Schneier’s address was as thought provoking as usual. He, like me, clearly sees that we are still the pioneers of computing as the field is still less than a century old. He drew analogies with industrialisation where output was important and pollution was seen as a necessary side effect. In the Internet era he likes to think of the massive data collection and the lack of care in its production and storage as being analogous to industrial pollution. One day, society will be forced to stop information pollution, and possibly need to go back and clean the information litter landscapes.

I chatted to Bruce after his book signing queues had died down. Last year, he left a message in the front of his book that he signed for me– and his message was “encrypted”. When I got home last year I gave it to my then 12 year old daughter to crack – “she got it in 5 minutes – right” said Bruce this year, in his rapid fire sentences. “Of course ...” was my reply.

Confession time...I did not tell him I had failed to crack it myself J.

No books for Bruce to sign from me this year. But Wiley, the publisher, did sell me Petzhold’s 2008 book “The Annotated Turing” on Turing’s famous 1936 paper on Computability and the Turing Machine. It is a good read – beautifully written – making the mathematics truly graspable.

At the exhibition the interesting new technologies were few and far between. I did quite like the concept behind the Yubico USB key fob providing one-time-authentication keys from a small USB device with a cute button. I chatted to the CEO of the Swedish company BehavioSec who provide behaviour “biometric” information making it possible to detect when keyboard activity is coming from a different user. I did manage to meet up with the MD of DISUK, Paul Howard who has a really neat solution to encrypting tape backups – put one of their SCSII encryption devices in the SCSII device chain –job done! Paul is a passionate gliding instructor which allows him to see the world from a different perspective at times.

The final keynote I saw was that from the UK's Information Commissioner, Richard Thomas. He seems to be getting traction and a larger budge to fulfil his mission to support both Data Protection and Freedom of information which is good. His view is that breach legislation needs to be risk based, not simply for every breach. His argument is that we should not worry about low volume, low impact breaches. Tell that to the individual that has to reclaim their stolen identities and refill their bank accounts – that they don’t need to be notified that their very identity is at risk.

Finally, the conference organizers were promoting Alan Turing as the “brand” for the conference. I wonder what Dr Turing would have made of his image and the promotional videos about the place. They even had a display of encryption devices including the Enigma that Turing played a part in breaking. In reality, the successes at code breaking were massive team efforts. No single person “cracked” the Enigma code. Oh – by the way – there were many other codes than Enigma that needed cracking during WWII – and they were! Turing, rightfully, is one of the very few fundamental computer scientists – but we should remember that he was not the only code breaker.

Steve Moyle