Over those months, I’ve had several things that I *wanted* to blog about; but just never made the time.  One of the reasons is that, for the most part, there has been little to be truly excited about in the industry as a whole.  “Nothing new under the sun;” and all of that…  At least that’s what it seemed like to me.  But now things are starting to settle down and I’m having/making time again to get plugged back in.

So today I was reading Martin’s show notes and came across the SalesForce.com data breach story.  And, behold, I felt the urge to write again.  As I’ve been reading the news over the past few months, I have been thinking to myself that we have a problem…  Breach notifications are being reported so often now that they seem to be just creating a constant “white noise” drone.  Sure, there are the standouts like TJX — but really, most are just more of the same.  To the extent that I fear the public will just end up being numb to the notifications, and ambivalent to the poor practices that are the cause.  Each new notification just being another drop in the ever-deepening ocean of lost records.

But the SalseForce.com story is different due to the “spear-phishing” aspect.  And it highlights multiple security problems.  Two in particular are of note.  1:)  Users are still susceptible to phishing.  Yeah, I realize that this was a highly-targeted “spear-phish” — but the “don’t click the link” (or at least verify the link) adage should still hold; and 2:)  data breaches, even those which do not contain what we would consider PII, are dangerous.  Here, the data is reportedly being used to create additional phishing emails (some intended to drop malware such as keystroke loggers, etc…), bogus invoices, and so on.  In other words, the SalesForce.com breach wholly revolves around social engineering.

I think that it is notable that these issues revolve around end-users and, outside of any emails intended to dropped malware, cannot be addressed solely through technical means.  So, we again come back to end-user training and awareness.  It is imperative that we, as an industry, get a handle on how to better address this in our organizations.  It’s clear that what most companies are doing is just plain broken.

Here are my thoughts:

Engage employees in ways that are relevant to their life as a whole.  Address the “What’s in it for me?” question.

Explain the “WHY” behind seemingly obscure security policies or procedures.  As is made clear by the SalesForce.com incident, we can’t simply expect technology or process to address all potential security issues.  Instead, we need our front line defenses to act as living firewalls.  Thinking on their feet and able to apply an informed mindset across multiple situations.

Let employees know that it is part of their job – just as much as any other duty that they do.  (Yeah – I realize that mentality must be driven from the top down).  Make it part of the performance evaluation; so that they are aware that the will professionally advance or stagnate based on how seriously they take their duty to protect information.

Make it fun.  Find ways to reward the folks who are doing it right.  Let that encourage others to improve.

The six principles of the Parkerian Hexad are:

• Confidentiality
• Integrity
• Availability
• Possession
• Authenticity
• Utility

The principles composing the Parkerian Hexad are non-overlapping; meaning that each principle is absolutely necessary to ensure that security is maintained. In addition, each principle may be violated independently of each other principle. However, the principles can be relationally linked to each of the three components of the traditional C-I-A model (see Figure 2) [2].

Below are definitions [3] for each principle along with a brief scenario of how that element may be breached independently of the other elements.

• Confidentiality: Limited observation and disclosure of knowledge.An example of an incident where confidentiality is compromised would be the early unauthorized release (leak) of information related to our latest marketing strategies – thereby allowing our competitors to prepare counter strategies.

• Integrity: Completeness, wholeness, and readability of information and quality of being unchanged from a previous state.A simple example of a loss of integrity would be an employee modifying the body text of an email so as to create a false record of events (i.e. to show that Jane Doe said something that she did not really say).

• Availability: Usability of information for a purpose.The explicit aim of a Denial-of-Service (DOS) attack is to compromise the availability of systems/data.

• Possession: Holding, controlling, and having the ability to use information. Possession is the ability to truly own and control information and how it is used. We normally think of this as unauthorized or unintentional copying of information.If, for example, an employee emails company information to a non-corporate email account, we no longer have sole possession. In extreme cases, a loss of possession could result in total loss of the information (e.g. loss/theft of backup tapes for which there is no other copy of the data).Notable examples of a loss of possession usually include the loss of laptop computers or PDA’s containing customer or employee data (e.g. SSNs, credit card numbers, personal health information, etc.).

• Authenticity: Validity, conformance, and genuineness of information.The quality of authenticity is readily understood. As the above definition suggests, it is the quality of being “the real deal.” When something does not possess authenticity, it is said to be fraudulent.Examples of a lack of authenticity include the reproduction of employee ID badges, calling into a help-desk and posing as another individual, and modifying records.

• Utility: Usefulness of information for a purpose.Utility simply means that we can use the data, system, or device in the manner for which it exists. For example if a database, table, or other information is somehow altered in such a way as to remain accurate but unusable for its intended purpose, it has lost utility.Examples involve the use of encryption to “kidnap” data for ransom. This is accomplished via encrypting the data without the owner’s consent. In this, and similar cases, the victim maintains ownership of the data; and the data, technically, has integrity.

There is one exception to the general statement that these principles do not overlap; a breach of confidentiality will always result in a loss of sole possession. Once confidentiality is compromised, the organization is no longer fully in possession of the data because it is known by another party.

Understanding and communicating this new model for Information Security will likely result in greater depth and clarity within security related conversations.

______________________________

1. The “Parkerian Hexad” model was introduced by Donn B. Parker in his book Fighting Computer Crime (http://www.amazon.com/gp/product/0471163783/104-3218063-3795135).

2. Donn B. Parker suggests this mapping in his chapter, “Toward a New Framework for Information Security,” from The Computer Security Handbook 4th Edition., John Wiley & Sons, 2002 (p. 5.8).

3. The definition statements for each element in the “Parkerian Hexad” are taken from The Computer Security Handbook 4th Edition., John Wiley & Sons, 2002 (pp. 5.9 – 5.10).

note: this post is an excerpt from one of the author’s essays for Norwich University’s MSIA program. 

The quote below is from a recent New York Times Magazine article describing a psychology experiment conducted by Newcastle University in which those conducting the experiments taped alternating photos above an “on your honor” coffee station.

For 10 weeks this spring, they alternately taped two posters over the coffee station. During one week, it was a picture of flowers; during the other, it was a pair of staring eyes. Then they sat back to watch what would happen.

A remarkable pattern emerged. During the weeks when the eyes poster stared down at the coffee station, coffee and tea drinkers contributed 2.76 times as much money as in the weeks when flowers graced the wall.

The photo is especially interesting because it is using both positive and negative forms of social psychology simultaneously. It intends to reassure and provide a sense of safety to law abiding citizens; and it is intended to discourage miscreants.

Wal-Mart eavesdropping situation
On Tuesday, I submitted a feature to Computerworld providing speculation related to the recent Wal-Mart eavesdropping situation. For those following the situation, I refer you to 4 significant articles:

• The initial story
• My take on what may have happened (human nature run amuck)
• Fired employee speaks out
• LA Times analysis (which sites my initial speculation)

As I stated in my Computerworld article:

The world is in a security and privacy renaissance. Ethical questions related to government and employer surveillance are being raised and reraised. Security and privacy advocates exist on both sides of the debate — such is our post-9/11 society. My prediction is that the Wal-Mart eavesdropping story will be in 2007 what the HP ‘pretexting’ story was in 2006. The ensuing investigation will likely play out on a grand stage involving governmental agencies, privacy rights advocates, and legislative action.

Over the next several weeks, I’ll be providing my views on what this means for the security community. This is bigger than Wal-Mart — the security industry will be put in the position of having to explain the nature of and need for penetration testing, forensic investigation, and surveillance.

CSO Online

I now also have a blog at CSOonline. My new blog, Security Smack-down will primarily focus on delivering unfiltered opinion related to the security industry and trends. Security Renaissance and Computerworld will remain forums primarily aimed at education and awareness.

Security Catalyst Community

Lastly, I’d like to thank Michael Santarcangelo (the Security Catalyst) and others for welcoming me into the Trusted Catalyst Community. This is a group of passionate, security-minded individuals who are out to take the industry by storm. They all truly want to help folks understand and improve the security postures of their companies, communities, and households — realizing that the first layer needed in a defense-in-depth strategy is people.

If you are a security professional, or are interested in learning more about security, I encourage you to get involved in some of the Catalyst Community discussions.

As of today, the resources section now has the following papers.

• Analyzing the Paris Hilton T-Mobile hack
• The emerging mobile malware threat (long essay)
• Ethical Considerations for IT and Security Professionals
• Mobile Malware (short essay)
• Cryptography in a very small nutshell

– Perry

Today I’ve been reading and pondering another article by Bruce about how psychology plays into people’s perception of risk.  The following chart, from his article, speaks volumes:

Conventional Wisdom About People and Risk Perception

This chart just scratches the surface of the overall content in his article.  I encourage you to check it out.

We see examples of this in our lives and in the media everyday.  One of the things that we have to guard against, as security professionals, is exploiting this to our advantage.  My playing off of people’s irrational fears, we will only lose credibility. 

If, in our companies and our communities, we are able to show people how to examine risk logically, we will ultimately gain trust. 

We don’t have to be fear-mongers to be successful.

With systems such as this, several questions and concerns come to mind. As such, I posed the following “top-of-mind” questions in my Computerworld post:

[C]an someone doctor image files to falsely implicate someone?  Is the software that is receiving and processing the images/videos vulnerable to embedded code within the media files?

Again – a huge leap forward.  I just hope that the folks in charge of the systems looked before leaping.

So, this begs the question: “Is there a multifactor authentication method that is transparent to end-users?” And the answer is, “yes.” The technology is referred to as “keystroke dynamics,” and it extends the authentication paradigm a bit. That is, you usually hear about authentication factors such as:

• Something you know (e.g. Password)
• Something you have (e.g. token)
• Something you are (e.g. biometric)

Keystroke dynamics, as well as signature and speech dynamics, add to that list “Something you do.”

Keystroke dynamics systems check the specific characteristics of how someone enters his/her password (i.e. speed, pauses). So, in effect, keystroke dynamics systems are keyloggers who have turned from the Dark Side.

In theory, the use of such systems allows users to simply continue entering a single password – the way they do now. Yet, because individual and unique characteristics are being measured, many of the traditional weaknesses associated with passwords can be overcome. For example, normal “problem areas” such as password sharing and shoulder surfing may be mitigated because other parties cannot mimic the “dwell time” (length of time that the key is pressed) and “flight time” (speed between individual keystrokes) dynamics of the actual user.

Though I’ve not yet done any tests with this technology, I do see it touted as an affordable, reliable alternative to biometrics.

Links for further reading/research:

General info:

• http://en.wikipedia.org/wiki/Keystroke_dynamics
• http://articles.techrepublic.com.com/5100-1009-6150761.html
• http://avirubin.com/fgcs.pdf
• http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
• http://www.computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1185

Vendor products:

• http://www.biopassword.com/index.php
• http://www.imagicsoftware.com
• http://www.deepnetsecurity.com/

Here are a couple links.  No further commentary needed.

Portable Hard Drive Missing From Department of Veterans Affairs

VA Loses Another Hard Drive, Vet Data At Risk