Metadata - When Will We Learn?

By Stephen | September 27, 2007

I’m quite a big fan of Formula 1 Grand Prix racing, and have been keenly watching and reading about the unfolding saga of McLaren’s alleged theft, and subsequent use, of Ferrari’s F1 car designs. I’m not so much wanting to go over the politics of it, or even the idiocy of Ferrari not having appropriate information controls in place - that’s their business. Though I’m sure all F1 teams are now reviewing how they can improve their internal information controls, and maybe institute some good RBAC policies, or even DRM.

What’s more interesting is that there is data leakage from the published official report by the Fédération Internationale de l’Automobile (FIA). The official document, which discloses exactly what went on in their court-room proceedings, has been released as an Adobe PDF. To prevent anyone who should not be privy to sensitive, and often corporate, information from knowing the details, they elected to black out parts of the report - which in its original form can be downloaded here.

This original report contains information such as how much McLaren’s Chief Designer was paid - “He was paid around 300 000 to 400 000 pounds per annum.” Not too shabby; personally I think he deserves a pay rise.

It’s also stated that, “We found that the [the copied text also picks up the running header and page number here: Extraordinary Meeting, Fédération Internationale de l’Automobile, Paris, 13 September 2007, 47] forward push was better for us, under all circumstances. If you consider the technical schedule that I distributed both this time and last, it includes a large section on weight and weight-saving, specifically at the rear of the car. For us, the policy this year has been to move forward as quickly as we can. This has been limited not by where we wanted to be, but where we could reach. The engineering has been influenced in large part by this. In response to questions earlier, that is what occupied Mike; it was the focus of most of the projects in which he was involved.”

And Patrick Lowe also states, “Yes. As you know, we had a small issue with our gearbox introduction in Hungary. This was a great example of that policy.”

Pedro de la Rosa, McLaren’s chief test driver, is also quoted as stating, “No, but I must tell you why. When Mike told me the figure, it was so radically different from ours that there was no way that our car could ever achieve that. The whole philosophy of our car was to move the weight forward. We had managed to take some weight from the gearbox. There was no point. At the previous stage, I thought the information might be important and that we could try it in the simulator, but then the figures were so different.”

The report then goes on to quote: “Nigel TOZZI: You wrote, ‘They have a double-rear master cylinder with a spring, which initially delays rear braking, then increases it gradually’. You are passing on to Mr Alonso exactly what you said you had been told by Mr Coughlan three days earlier, though you say that you had not understood it.”

And there are other bits… However, if you download the original document (and most certainly any version of it which is officially listed on their website), you won’t see any of this: it’s been blacked out or, latterly, deleted.

The FIA decided to censor the potentially sensitive data using the time-honoured method: the black-out pen.

Before publishing the PDF, they put black bars over the obviously sensitive data to stop prying eyes who should not be privy to this information - the likes of you and me - from reading it. So how come you and I can?

Part of the answer is something called metadata. Metadata is the bits of crud your document picks up as you create it: who edited the file, who created it, when it was altered, tracked changes and comments, all sorts of nonsense. This crud can be very, very revealing, as happened with the crafting of the UK’s supposed “Dodgy Dossier” on events leading to the Iraq War of 2003, where the revision history named the people who had edited it. A document can reveal far more than what has plainly been written in its text.

The other part, and the one that bit the FIA, is that a black bar drawn over text in a PDF is just another object painted on top of the page. The underlying text is still in the file’s content stream, so anything that extracts the text rather than rendering the page reads straight through the bar. If you download the original FIA PDF which is listed above, open it, then highlight all the text (click your mouse cursor in the middle of the text and use CTRL+A then CTRL+C), copy it into a text application such as Notepad with CTRL+V, and all of that “hidden” text will miraculously appear. It’s such an old, obvious flaw - I’m surprised that the FIA didn’t employ folks who are privy to this “hack”. It goes back quite a way: in May 2005 the US military had its fingers burnt when it released just such a document. This blew things out of the water, since it then transpired that Nicola Calipari, the brave Italian man who died, was part of Italian Military Intelligence.

The surest way to avoid leaking metadata and hidden text is to publish from a format that cannot carry any: very basic applications such as Notepad or WordPad, saving plain text, produce a file with nothing underneath the words. It mightn’t look pretty, but it’s a damn sight more secure if you’re dealing with sensitive information that you wish to make available. If the document must stay a PDF, the redaction has to actually remove the text and strip the metadata (or flatten the page to an image) rather than paint over it, and the check before publishing is the same copy-and-paste trick: if the text comes out, it was never removed.
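As an added example (my code, not from the original post nor from the FIA), the following Python builds two tiny PDFs in memory: one “redacted” the FIA way, with a black box painted over the salary line, and one redacted properly, with the text object removed. A minimal text extractor, which is all that CTRL+A / CTRL+C amounts to, then reads the sensitive line straight through the box in the first file and finds nothing in the second. The sample sentences, page layout and file structure are constructed for the example; streams are left uncompressed so regular expressions can see the page content (real PDFs usually FlateDecode their streams, and tools such as pdftotext or pypdf do that decompression for you).

```python
"""Added example: overlay 'redaction' versus real redaction in a PDF.

Constructed sample PDFs, not the FIA document. The extractor is deliberately
simple (Td moves and Tj strings only); a real one also handles Tm, TJ, fonts
and compressed streams, but the point is the same: a painted box does not
remove the text object beneath it."""
import re

SECRET = "He was paid around 300 000 to 400 000 pounds per annum."  # constructed sample line
PUBLIC = "Extraordinary Meeting, 13 September 2007"                 # constructed sample line


def _pdf_string(s: str) -> bytes:
    """Escape a Python string as a PDF literal string (...)."""
    s = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + s.encode("latin-1") + b")"


def text_line(x: int, y: int, s: str) -> bytes:
    """One line of Helvetica 12pt text starting at page coordinates (x, y)."""
    return b"BT /F1 12 Tf %d %d Td %s Tj ET" % (x, y, _pdf_string(s))


def black_bar(x: int, y: int, w: int, h: int) -> bytes:
    """Fill a rectangle with black ('0 g' = fill grey level 0): the black-out pen."""
    return b"0 g %d %d %d %d re f" % (x, y, w, h)


def build_pdf(*ops: bytes) -> bytes:
    """Wrap page-content operators in a minimal, valid single-page PDF 1.4 file."""
    content = b"\n".join(ops)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LITERAL = rb"\((?:\\.|[^\\)])*\)"                       # a (...) string with escapes
TEXT_OP_RE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+Td|(" + LITERAL + rb")\s*Tj", re.DOTALL)
RECT_RE = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b")


def _unescape(lit: bytes) -> str:
    return re.sub(rb"\\([()\\])", rb"\1", lit[1:-1]).decode("latin-1")


def text_runs(pdf: bytes) -> list:
    """(x, y, text) for every Tj in every BT/ET block, tracking Td line moves."""
    runs = []
    for stream in STREAM_RE.findall(pdf):
        for block in re.findall(rb"\bBT\b(.*?)\bET\b", stream, re.DOTALL):
            x = y = 0.0
            for m in TEXT_OP_RE.finditer(block):
                if m.group(3) is not None:
                    runs.append((x, y, _unescape(m.group(3))))
                else:                      # Td is relative to the current line start
                    x += float(m.group(1))
                    y += float(m.group(2))
    return runs


def filled_rects(pdf: bytes) -> list:
    """(x, y, w, h) of every filled rectangle in the page content."""
    return [tuple(float(v) for v in m.groups())
            for stream in STREAM_RE.findall(pdf) for m in RECT_RE.finditer(stream)]


def extract_text(pdf: bytes) -> str:
    """Roughly what CTRL+A / CTRL+C (or pdftotext) hands you."""
    return "\n".join(t for _, _, t in text_runs(pdf))


def text_under_boxes(pdf: bytes) -> list:
    """Strings whose start point lies inside a filled rectangle: the overlay-redaction smell."""
    rects = filled_rects(pdf)
    return [t for x, y, t in text_runs(pdf)
            if any(rx <= x <= rx + rw and ry <= y <= ry + rh for rx, ry, rw, rh in rects)]


# The FIA way: text still present, black bar painted over it afterwards.
OVERLAY_PDF = build_pdf(text_line(72, 720, PUBLIC), text_line(72, 700, SECRET),
                        black_bar(70, 696, 360, 16))
# Proper redaction: the text object is gone; only the bar remains.
PROPER_PDF = build_pdf(text_line(72, 720, PUBLIC), black_bar(70, 696, 360, 16))

if __name__ == "__main__":
    print("overlay  :", extract_text(OVERLAY_PDF).splitlines())
    print("under bar:", text_under_boxes(OVERLAY_PDF))
    print("proper   :", extract_text(PROPER_PDF).splitlines())
```

Running it prints the salary line from the “redacted” overlay file and only the public header from the properly redacted one. The `text_under_boxes` check is the automated version of the eyeball test: any text whose anchor sits inside a filled rectangle is a candidate for having been painted over rather than removed, and is worth a look before the file goes on a website.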

S.

[edit: I've come across another instance of this recently, and it's much more sensitive. I truly believe the only option is to go backwards with the applications end-users have in their day-to-day work: that's all of us!]

Topics: Security, Technology | 1 Comment »

Disaster/Recovery Emergency Solution

By Stephen | September 14, 2007

http://www.theregister.co.uk/2007/09/13/ubuntu_jeos_vmware/

Somebody has come up with a solution I’ve been turning over in my head for a while now. Ubuntu JeOS (pronounced “juice”) is a tiny, minimalist operating system which contains just enough components to allow an application to run on top of it inside a VMware instance. Makes sense? Kinda. In common terms, you might have your server hardware running, say, Debian Linux, and use VMware’s Server product to run your application on top. Except you don’t: you run an instance of JeOS on top of VMware Server instead, and your application lives within that. Seems complex? It is, and it’s actually not intended to be used in this role at all. What they intend is that you use VMware’s ESX Server platform in some flavour, which is a thin layer that fits between the physical hardware of your server and JeOS. That’s it: just the one tiny, efficient “operating system cum VMware Server” layer. With hindsight, we could call ESX Server a “HAL”, a hardware abstraction layer, and that’s pretty much what it is.

But what if we did it in reverse? What if we put a JeOS-like layer on the hardware to virtualise our desktop operating system? What I’m thinking here is running our chosen operating system, such as Windows XP, as close “to the metal” as possible, but in a virtualised instance, with just a thin, self-configuring, hardware-adaptable virtualisation layer which lets us run that instance of Windows XP on any hardware platform the layer runs on (think along the lines of ESX Server running on a desktop PC, where its virtual instance isn’t a server or JeOS but Windows XP Professional).

“Why would you want to do that?”, I can feel the reader ponder. Well, how about if you put that self-configuring virtual instance on a USB flash drive? Any semi-decent 4GB USB flash drive (which is as cheap as chips) would do. Take your brand-spanking-new PC, pop in the USB flash drive and boot from it as an option in the BIOS. You’d then be able to run your Windows XP desktop in RAM from the USB flash drive, hosted within VMware’s ESX or Linux plus VMware Player.

Sounds pointless? Well, let me illuminate the thought. At InfoSec ’07, there was a talk on a company being able to virtualise and distribute virtual instances of servers all over their WAN for disaster recovery. They were working on ways of doing the same for desktops without having to rely on Citrix thin clients (running in software on users’ home PCs, or as thin-client hardware). But the network drain would be considerable, even for trivial tasks such as word processing or email, and their server farm would be put under considerable strain having to host the Citrix sessions. So this chap hadn’t yet formulated his cunning plan. The idea stuck in my mind and has festered ever since.

Around June, I’d worked out how to remove this problem as a disaster recovery solution by using USB flash drives containing pre-built VMware Workstation images and a tiny Debian Linux layer which would act as the HAL. The idea is simple. Pre-build your Windows XP workstation as a VMware image, which can then run on any VMware package (you couldn’t use Microsoft’s Virtual PC, because there is no equivalent which runs on Linux). This Windows XP image should be exactly like the build you deploy to your desktops from your domain build, and users should be able to log on to it in exactly the same way they would on your normal desktops. Now you need to build your “HAL”: a tiny version of Debian Linux with all the bumpf ripped out, but still sufficient to auto-detect the hardware it is running on, auto-configure itself to it, run X Windows, and have VMware Player pre-installed and configured. Then you add SYSLINUX to the USB flash drive so it boots your Debian Linux instance, which auto-configures, then runs VMware Player in RAM with your Windows XP desktop inside it.

Sounds overly complicated? Well, not after the first build it isn’t. As long as your Debian Linux layer can auto-detect and configure the hardware, you can create a “production” USB flash drive image, which, to recap, works as follows:

1) Get a generic PC from the local PC store (because your premises have just been blown up and you’ve lost your office).

2) Log on to your intranet from a trusted source (remember: if you don’t own the box, you don’t own the data!).

3) Download the USB flash drive image from your intranet (or extranet) and write it to a shiny new USB flash drive you’ve just bought.

4) Pop this into your new PC, and within a couple of minutes you’re staring at a fully fledged Windows domain build of Windows XP, with common applications installed, ready for you to log on and work from.

5) Reproduce this for however many hundreds of desktops you need to run, and within an hour you’re back up and running!

This is a potentially useful idea. It has big advantages:

1) As long as your normal infrastructure has been virtualised and replicated to numerous sites, the loss of one site should not be critical.

2) You don’t need to pay for a “warm site”: any cold site, or even a co-location, would do. It could even be plausible to send staff home with a USB flash drive containing your image and allow them to boot their “work PC” from it. If you have your VPN ready in software within the Windows XP image (say, OpenVPN), then you would have no trouble logging on to your domain.

3) As long as you have kept up to date with drivers on your Debian Linux layer, you needn’t worry about whatever hardware configuration the PCs you end up with happen to have.

4) You don’t need to purchase any hardware in advance: simply buy whatever PCs are in your local PC supermarket, and a bunch of USB flash drives the same size as your imaged one.

5) It’s quick: you don’t have to wait for the PCs to be built; they run from VMware in RAM.

6) Adaptable to whatever guest operating system you want to run in VMware: Linux, Windows XP, Windows XP Embedded, even Vista.

7) If the host PC has little on-board RAM, you could create a swap partition on another part of the USB flash drive. If there is enough RAM, the Debian Linux layer copies everything into RAM; if not, it uses the pre-built swap partition on the flash drive. Some of these drives are pretty quick now (see the ReadyBoost article from earlier) and would certainly do as a temporary fix. It could even be possible to use it as Windows’ pagefile if RAM was an issue. (Remember, the desktop is being hosted in RAM, so the more you have, the faster it will be.)

8) No strain on your already loaded servers: there is no need to host virtual instances on the server side as Citrix hosts or otherwise.

9) It’s as secure as the images themselves, as long as they are kept in a secured area of your intranet/extranet with limited, audited, protected access (just make sure there are numerous designated persons who can access this area; if some are unavailable to work, others should be able to readily take over), and as long as the sticks are treated with the same care: a flash drive that walks out of the building is a complete copy of your domain build.

10) It’s cheap, or free: you are only paying the licence fee for whatever operating system you need to. In the case of the NHS in the UK it’s free, since they have a global licence with Microsoft.

Anyway. I hope this is something that could be considered if you are reviewing your D/R solution, particularly in light of how flexible and cheap it can be. Remember that home users you may wish to include in this solution may have broadband access limited to those horrible USB dongles that plug into the phone line (the dongle works as an ADSL terminator and all the networking protocols are done in software on the host PC: stupid, insecure, dangerous, but cheap for the broadband providers who use it - Orange, Carphone Warehouse, etc.). So make sure this still works from your Debian Linux layer. Always ensure that your USB flash drive image is updated in your usual patch cycle: that includes the virtualised desktop OS, the VMware Player application, and, most critically, your Debian Linux layer. Keep your versioning simple and up to date on whatever network infrastructure you use; there’s no point in having a systems engineer walking around with v2.1 on his USB flash drive and only v1.0 on the intranet!
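Steps 2 and 3 above download an image and write it to a stick, and the paragraph just above adds the versioning point. As an added example (my code, not from the post), here is the check I would put between the download and the write: compare the image against a manifest published on the intranet, and compare the version on the engineer’s existing stick with the published one, refusing to proceed if the download does not match or if the field is ahead of the intranet. The manifest format, the image name and the sample bytes are assumptions constructed for the example; in practice the manifest itself needs to come over an authenticated channel (or be signed), otherwise a tampered image and a tampered manifest arrive together.

```python
"""Added example: verify a downloaded D/R USB image against a published manifest
and reconcile versions before writing it to a stick.

Assumed manifest format (one line per image): '<sha256 hex>  <filename>  <version>'.
The image bytes below are a stand-in, not a real syslinux/Debian/VMware image."""
import hashlib
import hmac
from typing import Optional


def parse_manifest(text: str) -> dict:
    """filename -> (sha256 hex, version); blank lines and # comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name, version = line.split()
        entries[name] = (digest.lower(), version)
    return entries


def version_key(version: str) -> tuple:
    """Compare dotted versions numerically, so '2.10' sorts after '2.9'."""
    return tuple(int(part) for part in version.split("."))


def decide(manifest: dict, name: str, downloaded: bytes, stick_version: Optional[str]) -> str:
    """What to do with a freshly downloaded image, given the version already on
    the engineer's stick (None if the stick is blank or unknown)."""
    if name not in manifest:
        return "refuse-unknown-image"
    expected, published = manifest[name]
    actual = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "refuse-hash-mismatch"          # tampered, corrupt or truncated download
    if stick_version is not None:
        if version_key(stick_version) > version_key(published):
            return "refuse-stale-manifest"     # the intranet copy is behind the field
        if version_key(stick_version) == version_key(published):
            return "already-current"
    return "write"


# Constructed sample data: a stand-in image and the manifest line that matches it.
SAMPLE_IMAGE = b"stand-in for the syslinux+Debian+VMware Player stick image, build 2.1"
MANIFEST = parse_manifest(
    "# D/R USB images, published by the build team\n"
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  drflash.img  2.1\n"
)

if __name__ == "__main__":
    for stick in (None, "1.0", "2.1", "2.2"):
        print(f"stick={stick!s:5} -> {decide(MANIFEST, 'drflash.img', SAMPLE_IMAGE, stick)}")
    print("tampered   ->", decide(MANIFEST, "drflash.img", SAMPLE_IMAGE + b"\0", None))
    print("unknown    ->", decide(MANIFEST, "other.img", SAMPLE_IMAGE, None))
```

A blank stick or one at v1.0 gets written; a stick already at v2.1 is left alone; a stick at v2.2 makes the script refuse, because that means the intranet copy is the stale one and wants fixing first; and a download that does not hash to the manifest value is never written, whatever the version says.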

Good luck, and think about how to virtualise any other systems you have: it can save energy, hardware costs, and your business in times of need.

S.

Topics: Business Processes, Green, Microsoft, Security, Technology | No Comments »

WindowsPE - To The Rescue!!

By Stephen | September 12, 2007

My main laptop is an HP Pavilion. It’s a bit of a workhorse, Gawd bless ’im, and as such gets exposed to all sorts of crap. I should, by rights, test new apps on a secured, isolated system first, but when I’m mobile and in need of a “quick fix” of something, that isn’t really possible. Yes, I could run the app in a VMware system, but in many instances I would be going overboard in my paranoia. If something is from a relatively reputable source, then I would nearly always trust it. Besides, I’m running Vista Ultimate on this machine, which is so huge and bloated that it’s difficult to see the malicious stuff for the underlying OS.

I’ve been running AVG Anti-Virus and Windows Defender religiously to try to ensure that this laptop stays relatively clean - and it has. Until now.

I first suspected something was amiss when AVG reported that shell32.dll and ntoskrnl.exe were different from what was expected from the previous integrity checks. AVG didn’t say anything was wrong, as such; just that these two core system files were different from what they used to be, i.e. they had been “patched”. When a binary file has been “patched” outside of any update you applied, that pretty much means something has hacked in to patch it in the first place: something that wanted not to be found by normal anti-malware tools, like Windows Defender.

Great. So I then decided to see if I could get Sysinternals’ RootkitRevealer to run; I’ve had problems with it on Vista for a while, it starts and then bombs out. Luckily, RKR ran fine via RunAs within Vista, and apart from its window not drawing properly on Vista’s desktop (I had to keep clicking into RKR’s own GDI window), we were in. Oh dear. Oh dear, oh dear, oh dear… There were more than a few things being “hidden” from Vista. The most critical was the patching of the random number generator, which is the clever part of ensuring that the security you get from passwords, digital certificates and other security tokens actually is secure. Clue one. Then there were patches in the Registry which forked to things that really shouldn’t be there. And finally, things were starting that I couldn’t trace the origin of, which often means: rootkit.

Yup. A nasty rootkit was hiding away in my system somewhere, and I could not find it, nor did I now trust any part of my laptop. I already knew about ACPI/PCI rootkits, and since the rendering of some application window borders on the Vista desktop was slightly corrupt, I had a suspicion it could well be a firmware rootkit.

NGSSoftware is a leading UK security consultancy with several tools and products out that enhance systems security, aid in compliance, and reduce risk (they are supremely security-minded). One of their papers, on this class of rootkit, is linked below; it’s well worth reading.

http://www.ngssoftware.com/research/papers/BH-DC-07-Heasman.pdf 

So. I now have an infected laptop, with a potentially infected BIOS. First things first: get the data off and into a cleaning system to “wash” it of malware (this is never complete, so the data from this system can never be fully trusted again; hence content is usually copied, but no executable code or proprietary file formats are re-used). That bit’s easy: boot the Linux live CD and copy the data to an external drive. This is done so that the data is pulled off “offline”, i.e. the Vista system itself has not booted and none of its executable content is running. But wait! How can I be sure that the ACPI/PCI rootkit is not running? Well, before I booted my Linux CD, I first ensured that the BIOS had been overwritten by a new one. That was actually a problem: HP only release Windows-executable forms of BIOS updates for my laptop, not DOS or Linux versions. So in essence I had to boot “Windows” to load in a new version of the BIOS firmware. If I’d done this, as you would expect, from Vista running on the hard disk, then I would have allowed the rootkit to run as it normally would, patching services and executables run from the hard disk. Tricksy. It could hook into the new BIOS as it was being uploaded and re-infect itself automatically, the cunning swine! So I needed to boot Windows, without actually “booting” Windows…

What did I need? I needed Windows PE! Windows PE, or just WinPE, is Microsoft’s RAM-based, bootable cut of Windows. My version is built from Vista, and thankfully I built it a while ago on a different Vista system which has only been used for general playing around, so I know it is “clean”. Anyway, I gave it a crack and booted the laptop from the WinPE CD, with a USB flash drive containing several versions of the laptop’s BIOS plugged in at the same time. Going to the E: drive where the USB flash drive lived, I flashed a really old version of the BIOS, rebooted, chose default settings for the BIOS, and then repeated the process for another version. Then again, and again. All in all, I did it with five versions of the BIOS for this laptop, all installed using WinPE running from RAM, which prevents any nasties being hooked in from a hidden part of the hard disk, such as an alternate data stream.

Ha! Done! Now I “know” my BIOS is clean, which I’m hoping includes the on-board firmware for the NVidia on-board graphics (it’s all glued in together now, so I’m quite confident on this). That allows me to nuke the hard drive with a low-level format before re-installing another OS. Vista IA64 seems to be the next step, so I’ll give that a go.
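The check AVG made, that core binaries no longer match their last known digests, is easy to reproduce by hand, and it is worth doing from a clean boot medium rather than from the running OS, since a kernel or firmware rootkit can lie to anything you run on top of it. As an added example (my code, not from the post nor from AVG), the following Python takes SHA-256 digests of a watch list of files under a mounted disk, keeps them as a baseline to be stored off the machine, and diffs a later snapshot against it, classifying each file as unchanged, modified, missing or added. The watch list, the paths and the sample tree are assumptions constructed for the example; the “binaries” are a few bytes of stand-in content, not real Windows files.

```python
"""Added example: offline integrity baseline for core system binaries.

Run from a live CD or WinPE against the mounted disk (pass the mount point as
root); keep the baseline somewhere the suspect machine cannot reach.  The
WATCHLIST and the sample tree in demo() are assumptions for this example."""
import hashlib
import tempfile
from pathlib import Path

# Files whose unexplained change warrants a closer look (assumed list).
WATCHLIST = (
    "Windows/System32/ntoskrnl.exe",
    "Windows/System32/shell32.dll",
    "Windows/System32/drivers/acpi.sys",
)


def sha256_file(path: Path) -> str:
    """Digest a file in 1 MiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, rel_paths=WATCHLIST) -> dict:
    """Map each watched path (relative to root) to its digest, or None if absent."""
    return {rel: (sha256_file(root / rel) if (root / rel).is_file() else None)
            for rel in rel_paths}


def compare(baseline: dict, current: dict) -> dict:
    """Classify every watched path as unchanged, modified, missing or added."""
    result = {"unchanged": [], "modified": [], "missing": [], "added": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            result["unchanged"].append(rel)
        elif after is None:
            result["missing"].append(rel)      # present at baseline, gone now
        elif before is None:
            result["added"].append(rel)        # absent at baseline, present now
        else:
            result["modified"].append(rel)     # same path, different bytes
    return result


def demo() -> dict:
    """Build a constructed system tree, baseline it, 'patch' the kernel, drop a
    driver, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHLIST:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"MZ clean build of " + rel.encode())
        baseline = snapshot(root)
        # Simulated tampering: the kernel image is altered in place and a driver vanishes.
        (root / "Windows/System32/ntoskrnl.exe").write_bytes(b"MZ clean build of ntoskrnl.exe + hook")
        (root / "Windows/System32/drivers/acpi.sys").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In the demo, ntoskrnl.exe comes back as modified and acpi.sys as missing while shell32.dll is unchanged. A modified entry is not proof of compromise on its own; a Windows Update can legitimately replace ntoskrnl.exe, so the baseline has to be refreshed after each patch cycle and any change that does not line up with a patch you applied is the one to chase.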

I just wonder how common this is on business PCs, and whether a TPM is the only solution.

Stay “clean”.

S.

Topics: Microsoft, Security | No Comments »

The Importance of Being Security-Minded

By Stephen | September 4, 2007

Download the PDF version: TheImportanceofBeingSecurityMinded.pdf

At InfoSec ’07 Bruce Schneier gave a talk on “Do We Really Need a Security Industry?” [1]. It’s understandable where he’s coming from: the inclusive, single-source, one-stop shop is something that Counterpane, his company, can offer now that they are part of BT. Bruce has also put forward to the House of Lords in the UK that legal liability needs to be shifted towards the manufacturers and suppliers of hardware and software [2], though to be honest the term “systems” would be a broader description, capturing all potential failures.

I’ve been mulling this over for some time, and my initial thoughts were: “Of course!”; “Makes sound economic sense”; “Rationalisation of the security industry into systems providers would be great!”

Then I fell out with the idea. There are several reasons why, and you could probably come up with more yourself. But the basic gist is this: “security is not a product – it’s a process”. It’s a famous quotation that any security practitioner would recognise; it was coined by Bruce himself. By outsourcing your infrastructure provision, which includes the security protecting your data, you’re in effect “buying the security product”. This is where it gets tricky. Yes, you are outsourcing to a third-party supplier who, by rights, must be following the mantra of implementing security processes. But it’s a product nonetheless. It could well be the same product that your prime competitor is buying, identical in every way but for the faces who turn up to implement it. The configuration would be the same: the same hardware, the same firmware, the same software, the same applications, the same release versions; the list just goes on…

There’s the flaw: it’s all the same.

Humans are by nature lazy. You can argue that point forever, but by and large whatever is good enough to be created once will be re-used again. And again. And again. Until, in fact, it is deemed flawed or redundant and needs to be upgraded or replaced. Now, what happens if we all move to single-source providers of our information systems? Well, corporations will have a single place to complain to when something in their information systems infrastructure goes wrong; they have one bill to pay; and they have one single resource to control. In the grand scheme of things, it’s a winner for service providers and companies alike. But I fear that amalgamation.

In industries all around, since forever perhaps, there has been vast consolidation. As the most obvious example in the UK right now, look at the broadband providers. At the start of the “broadband revolution” there were a multitude of providers and sub-providers, perhaps as many as a hundred. All different to some extent, with competitive advantages to be gained by the customer, the end-user. Some had great service, with top-notch hardware and bags of capacity. Some had help desks where you could reach someone 24/7. Some had signature-based filtering on their routers which would stop malware from reaching the broadband endpoint in your house, to some extent.

Now, in essence, there are pretty much three providers: Sky, Virgin Media, and BT (with Orange, Carphone Warehouse, and Tiscali trying to hold their own). Some still haven’t got around to de-listing their old names, such as Nildram to Pipex, Pipex to Tiscali, so users of, say, Nildram probably don’t know they are actually provided by Tiscali now. As long as it works, end-users don’t care.

The providers have done this because they can see the market: they see that THIS is the way they can control huge revenues by delivering content to people. It’s the only way of delivering true on-demand media in whichever form: video/voice communication, on-demand subscription/global TV, and something called the Internet. At some point, these providers will be the prime means of generating and controlling the vast majority of advertising revenue, which they will demand charges for. So, to capture as many people as possible, they buy their competitors. And guess what: one of them even bought out their end-user hardware provider, so now they can mass-produce a single machine that will go into people’s homes - a third of people’s homes. This machine must be connected to the internet, or at least to the provider’s network, which is connected to the internet and amounts to the same thing. Now, a third of the population running one identical internet device on one identical network has to be cause for concern. Again, this machine will have the same hardware, firmware, software, configuration, etc. as all the rest. And that’s the flaw. It imparts a single point of failure to one third of the UK’s home internet users. It’s a massive target for criminals and malware perpetrators, who will begin almost immediately to try to exploit this single huge target. They will. And at some point, they will succeed. So why hasn’t that happened in the past? The simple answer is complexity.

The broadband box that will be delivered to one third of end-users at home will have huge amounts of code, a complex operating system, and custom applications. It will need to, because it’ll have clever jobs to do.

Unsure? Take a look at a common-or-garden Netgear ADSL+WiFi router you can buy now. Now go and look at the support website for that product. See anything interesting from a security practitioner’s perspective? Yep: updates. Lots of them. There are patches, many of them for security reasons. Ever applied any? Did you know they were even there?

Have you experienced a data leak resulting from running older firmware on one of these boxes? Who knows? I’ve said before that manufacturers of these sophisticated embedded devices should have their own equivalent of “Patch Tuesday”, and include some obvious method of telling users: a mandatory email, a pop-up sent from the embedded device, heck, even a flashing red LED on the front of the device would be better than nothing (though it could be tricky to see if you keep the box tidied away in a cabinet).

You can’t predict what is going to happen in the future. You can make educated guesses, but it isn’t feasible to model every potential flaw that may occur in your systems down to the nth level. That’s why so much security is retrospective: it’s about learning for the next time, adding that to your current security model, and putting better systems in place by identifying weakness and reducing risk.

Now imagine your current PC/server set-up. Most likely it’s running Microsoft Windows, whatever flavour. Yep, you will have some other stuff in your business: a few Macs in the art department; a few Linux servers; some Linux, SunOS, or WinXPe thin clients; Linux or VxWorks embedded in your WiFi access points; Cisco IOS on your network devices; Google’s Linux on your internal search appliance; even some goofy HP OS that runs the server software in your networked LaserJet printer. [I hope you have these on your patch list, by the way.]

Back to that PC/server: by far and away, the vast majority of malware will be targeted at those Windows systems, and you have stacks of them. They’re the core of your information systems. Even if they are not, whatever else you’re using in similar numbers presents the same risk.

Now, those Windows systems aren’t targeted by hackers and malware perpetrators for nothing. The latest trojanised worm isn’t built by specialist criminal hackers because they don’t like the name “Bill”, or think that the Microsoft logo is dated. No, they do it because that’s where the money is; that’s the way they can hack in. This is not because Microsoft’s products are the most insecure; nowadays few would argue that they aren’t pretty secure. It’s because of one single flaw: it’s all the same. Out-of-the-box default security is what is commonly used by many individuals and companies. Even those within government or healthcare are relatively “raw” and differ little from what came shipped on the PC/server. Do you think someone would harden the printer configuration, change the default settings in the router’s access table, and fiddle with the SQL server’s defaults? Unlikely. It’s the same generic platforms that are the choice of the successful hacker. The same services enabled in the Windows client that add an extra dimension to their attack surface. The same reason why Microsoft’s IIS used to be the laughing stock of web security: because the defaults were awfully insecure.

By having a single large target we create an opportunity for hackers to concentrate a lot of resource on a single point of failure; even if a flaw doesn’t exist right now, they have the objective in mind to find one and exploit it. That’s the issue.

Our differentiation protects us to a great extent from the really bad worms that existed in the early 2000s. Slammer et al. most probably couldn’t exist in the way we run information systems now. Yes, there are flaws discovered in Microsoft products nearly every month. Yes, there are flaws discovered in Linux, Cisco IOS, and all the other things we run. But there have not been any massive failures, unlike in the past, and a lot of that is to do with the incredible growth of the security industry, the independence of security practitioners, and the professionalism they exert. What one group of practitioners sees as a failure, others see as an opportunity to learn and guard against. Whilst it’s true that closing the stable door after the horse has bolted is a waste of time, it’s only a waste of time for that one horse. Besides, next time you might see not only that the stable door must be shut, but also that it must be over two feet tall to stop the horse leaping over it if it chooses. It’s a process. It’s a learning process. It’s retrospective, yet proactive. This is what being a security practitioner is all about; it’s more fundamental than ensuring the boxes are all ticked, it’s about being Security-Minded.

Being Security-Minded is essential for being a CISSP. If you weren’t, I guarantee you’d find it nearly impossible to pass the CISSP exam, because the questions posed are not simply “tick-box questions”. They’re, dare I say it, “out of the box” questions. They challenge not just your knowledge, not just your understanding, but your imagination, your cunning, and your awareness. This is what being Security-Minded is all about, and this is what Bruce himself says he looks for when employing someone. If you are Security-Minded, you will see that the lack of differentiation will cripple a significant sector if the homogeneous security product is provided by just a few service providers. You’ll know straight away that there will be significant configurations that are alike, even down to default passwords. This is the norm. This is what happens when companies merge and their IT departments are amalgamated. If it happens when a couple of companies merge their IT departments, it most certainly will happen when there is a cost benefit to be gained by forming “strategic alliances” with chosen suppliers. Which, of course, basically means that someone supplying a security product to you will give you a bigger discount for a greater number of boxes shifted, and you only need to learn one product.

This amalgamation is bad for security, and absolutely critical for the security industry. Don’t go down this route; don’t homogenise; don’t become box-shifters and box-tickers. Let’s keep our independence and our professionalism, our different ideas and ways of doing things. I sincerely hope that companies will seek professional advice, and outsource any provisions they need in respect of setting up and implementing their systems. But get your security from someone who isn’t tied to the same people who put a PC on your users’ desks, servers in their racks, and passwords on their firewalls. Get someone who’ll look at it independently, and someone who’s going to be Security-Minded throughout. Or better yet, build your own people, who’ll have a vested interest. After all, their jobs depend on the business succeeding.

[1] http://www.schneier.com/blog/archives/2007/05/do_we_really_ne.html
[2] http://www.schneier.com/blog/archives/2007/08/house_of_lords.html

Topics: Business Processes, Security | No Comments »
