Products. years of security

Transcription

1 Perspective: 20 Contents Introduction...1 Information security... 2 Access management... 4 Biometrics...7 Digital forensics Network &. platform security...14 Wireless The future...18 years of security There is a wealth of insight, reminiscence and brilliant looks into the future here. However, as in everything, time introduces both macro and micro changes. For example, instant messaging is a comparatively new concept and Web 2.0 barely has been born. Cloud computing, which arguably has been around under different monikers for decades, is so young that most people don t yet fully understand what it is, what it can do for us or what its risks are. We would be hard-pressed to have a discussion on these and a few other topics that stretch back 20 years. Twenty years in our business is an eternity. And if we couple 20 years of information assurance with 20 years of information technology, the stew thickens and becomes even tastier. For example, even the name of what we do has changed materially several times. What started out as computer security has evolved through network security, enterprise security and information security to get where it is today. SC Magazine has tracked this evolution for the past 20 years and for a lot of that time I have been writing in these pages. I have had a chance to combine 30 years of consulting, 40 years of writing, and 10 years in academia into an experience that has been enriched by writing here. We have seen these products evolve. We ve seen market segments, methodologies and security requirements ebb and flow. The contributors to this special section are a mix of experts, visionaries, long-time market-watchers, CEOs, educators, researchers and CISOs. But they all have one thing in common: They have been on this rollercoaster with you and me, and their perspectives on where we came from, where we are and where we are going outstrips anything I have ever seen in a single publication. I could not have assembled this feature without the help of Judy Traub, our intrepid editorial assistant. I had planned to give her an extra month to help pull together the pieces for our upcoming December innovators issue. Alas, the best laid plans and all that. Judy dove in and pulled resources from her vast store and suddenly we had a first-rate feature for our product section. So, enjoy this walk or, sometimes, run down memory lane and perhaps we ll do this again in another 20 years. Peter Stephenson, technology editor 1 SC November

2 INFORMATION SECURITY The practice of information security by Tom Peltier Thirty-two years ago, I began a frustrating, scary, exciting and rewarding career in computer security. The first conference I attended on computer security in 1978, addressed such issues as policy development, disaster recovery planning, data center physical security and the new technology of access control systems (ACF2, RACF and TopSecret). The environment we were working with was typically a computer laboratory with a big mainframe system. In 1981, everything changed with the introduction of the first affordable portable computer system. No longer would the business units be tethered to the whims of the information technology departments. Anyone could go to their local Nerds r Us store and get the hardware and software they needed to create their independent information processing environment. This move to a decentralized base forced computer security professionals to change focus and begin to stress the need to secure information whereever it was found, regardless of the format. The job title became information system security officer (ISSO). With the emergence of the client-server infrastructure, the ISSO function began to move out of the IT departments. As the technology leaped forward, the ISSO struggled to implement basic security mechanisms. However, with this decentralization, we saw the responsibility for information protection switch from IT and back to the business units. A greater emphasis was placed on creating corporate policy and having the business units implement their own supporting standards and procedures. Security awareness training came into its own during this period. The local business units were often charged with assigning a local security coordinator who would be responsible for implementation of the local program. In 1991, the industry took a big step forward in obtaining legitimacy by implementing the certified information system security professional (CISSP) exam certification. Industry experts established a common body of knowledge that would provide for testing to establish competency of the individual. For almost 20 years now, the CISSP certification has provided businesses with an assurance that the holder of the certification meets an industry-accepted level of knowledge. The key factor in the success of any information security program has been the level of acceptance of the management and users. The focus on managing risk seems to have aided in this acceptance. Instead of implementing controls and countermeasure by decree, the new emphasis on risk identification and management includes all parties with a vested interest. We are beginning to see many organizations move away from information security and are now working on enterprise risk management. At CSI 2009 in October, the 36th edition of the Computer Security Institute s annual conference, a risk management summit discussed that very topic. In 30 years, the industry has evolved from computer security to information security to information protection and now, perhaps, to enterprise risk management. What we are called is not as important as ensuring that the services we provide are continued and accepted. Tom Peltier has been an information security professional for over 30 years. During this time, he has shared his experiences with fellow professionals and has been awarded the 1993 Computer Security Institute s (CSI) Lifetime Achievement Award. He has had six books published on policy development and risk assessment. Revolution or evolution? by Michael Corby The vision from 1989 Computer systems as we know them were in their infancy in the waning moments of the 1980s and the early years of the 1990s. Systems were still largely segregated by manufacturer. IBM shops had no DEC equipment anywhere, and vice versa. HP systems were found in manufacturing plants and the world of CAD/CAE was dominated by standalone graphical units that were the engineering versions of the memory typewriter. Security was being promulgated in the form of model architectures and the Rainbow Series, computer security standards published by the U.S. government Within the next 10 years, we were enveloped in the dot-com boom. Technology permeated every aspect of our lives. What were we envisioning from the information security domain? In many instances, what we were looking to do was revolutionary. We saw that virus code and other malware were gaining in popularity and Scott McNealy from Sun Microsystems warned that there is no longer any digital privacy. Sometimes we have seen a revolution, sometimes we have seen a slower crawl forward. Human resources and staffing In 1989, security professionals were either writing crypto code November 2009 SC 2

3 for the military or were hanging backup tapes in a data center. Today, we are blessed with more than a dozen ways of measuring the security competence of our staff. Verdict: Revolution Network architecture In 1989, open systems were beginning to babble to each other. Communications was over-leased lines or internal networks. Nobody ever used dial-up public communications for sensitive data (if you knew what data was actually sensitive). Secure network architecture is now available on the shelf at the office supply store. Verdict: Revolution Systems development The good old five-phase approach (or six-, depending on your school of thought) to designing systems was de rigueur in Application teams went through stages of scope, design, programming, unit testing (and system testing) and implementation. Once all this was done, someone may have asked: What about backup and recovery? The method is the same, only some of the questions have changed. Verdict: Evolution Monitoring and forensics In 1989, logs were generated and maybe printed. Tracing events were rare, but also largely unnecessary. Today, compliance laws and industry regulations have tightened the need for monitoring and active event investigations. Verdict: Revolution Summary In these and other areas, we have made substantial progress in information security over the past 20 years. There is more to come. Here s my prediction: Over the next 20 years, security will be embedded in all information management technology. Data segregation will be the usual architecture and trace logs, and factual responses to the query, How did that happen?, will be commonplace. Hackers and malware will exist, but will be just an annoyance. Hmmm. Didn t I say that in 1989? Michael Corby has over 40 years of experience in IT strategy, operations, development and security. He is a founder of (ISC)², the organization that established the CISSP credential. 20 years of governance by Howard Schmidt Governance, according to Wikipedia, relates to decisions that define expectations, grant power or verify performance. It is a word that has had much use and has been interpreted in different ways over the years. But, when it comes to information security, governance is a relatively recent, but important, addition to the modern vocabulary. In the past, information security was primarily about technology and the tools needed to resolve IT related problems rather than deliver security solutions to support and enable the business. It was a backroom function and rarely was it discussed in the boardroom. But, necessarily and very appropriately, things have changed. High profile accidental or intentional attacks against IT, combined with a series of natural disasters, helped to put IT security governance in the spotlight. It was quickly recognized as a key component in dealing with issues such as data privacy, loss prevention and protecting business and brand integrity. Company executives in B2C and B2B businesses alike, saw good governance in IT security as a way to protect customers, employees, suppliers and partners. Governments also took positive action by introducing new legislation to raise awareness and ensure a benchmark level of regulatory compliance to defined standards of governance. The best known of these initiatives include the Sarbanes-Oxley Act in the United States and the EU Data Privacy Act. This focus on information security governance was reflected in a new breed of executives bearing titles such as chief information security officer (CISO), chief risk officer (CRO) and chief privacy officer (CPO). These senior positions provide a clear line of responsibility and corporate structure for IT security governance. Furthermore, IT security governance has also become part of the corporate culture and mindset as companies promote the real value of compliance and good governance. Regulatory compliance combined with a strong commitment to governance, significantly enhances the IT security function and underpins the success and integrity of any business. One thing is very clear: Strong governance has to be driven from the top down and, with growing awareness and ownership in the boardroom, the future for IT governance looks positive. Howard Schmidt is president and CEO, Information Security Forum. Formerly, he was vice-chair, President s Critical Infrastructure Protection Board; VP-CISO, ebay; CSO, Microsoft; professor of research, Idaho State University; and adjunct professor, GA Tech, GTISC. 3 SC November

4 Information security policy development by Rebecca Herold In 1991, as an IT internal auditor, I performed the very first enterprise-wide information security audit for my organization, a multinational financial and insurance organization with approximately 20,000 employees. After this comprehensive four-month project, I was asked to implement all the recommendations I made within the audit, primarily, the creation of the information protection function/department within the organization. The first thing I did in the new department was create information protection policies based on all the risks I identified from the audit. At the time, there were very few information security policies available. I created my organization s policies largely based on the results of my audit basically a risk assessment (though that term was not used much then). I was happy to find that a year or so after BS7799 [a British standard] was first published in 1995, that I had hit on virtually all of the topics it listed, along with the topics listed in the first publication of COBIT, best practices issued by the ISACA and ITGI in One of the earliest pioneers to provide guidance for developing information security policies was Charles Cresson Wood, who has published many books and articles covering the topic. As far back as 1981, with his Policies for Deterring Computer Abuse and the just released version 11 of his Information Security Policies Made Easy, which was first published in 1991 and is now used by over 50 percent of Fortune 500 companies. Until the introduction of BS7799 and COBIT in the mid-1990s, the National Institute of Standards and Technology (NIST) was largely the most referenced public source for information security policy guidance, starting as early as their June 1974 Guidelines for Automatic Data Processing Physical Security and Risk Management. Most organizations did not really put a lot of effort into information security policy development in the 1980s, or even well into the 1990s. The person assigned the responsibility for creating information security policies back then was often an IT administrator who had some extra time on their hands. And then the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) were enacted in the last half of the 1990s, loudly followed by the Sarbanes-Oxley Act (SOX) of 2002, putting policy development importance squarely in the cross-hairs of executive suites. The importance of not only information security policies, but also privacy policies, was elevated to higher levels within most organizations. Information security policy development necessarily evolved from being a largely cookbook type of exercise (viewed as a necessity to help keep security settings consistent and to keep employees from doing bad things with computers) to now being realized as an exercise that must be based on business risk and compliance in order to be effective for business. The need for documented risk- and compliance-based information security policies is here to stay. Rebecca Herold, CIPP, CISSP, CISM, FLMI, The Privacy Professor, has over two decades of information security, privacy and compliance experience. She s been named as a Computerworld Best Privacy Adviser multiple times and also as a Top 59 Influencer in IT Security by IT Security magazine. She is currently leading the NIST Smart Grid standards committee privacy impact assessment. ACCESS MANAGEMENT Access management evolves over 20 years by Tomas Olovsson Access management has not always been what it has become today. In the early days of computers, it was more or less identical with physical access to the premises. Projects were entered in batches into large mainframes by operators, and end-users seldom got in contact with the computers. It was not until the mid-60s when time-sharing systems, such as IBM TSS-360 and DEC TOPS-10/20, were born that access control and separation between users became important and systems required passwords to let users in. The next important step in the evolution was taken in the 70s with the Unix/Multics multi-user system. Unix introduced the concept of allowing users to give away their access rights permanently to a program (the -s flag). This made it possible for other users to execute applications and access data, which would have been inaccessible with the users normal access rights. Applications could now make decisions about what data end-users could access, not just the operating systems. This provided great new functionality, but with the cost of increased complexity and security problems would, of course, commence. Then, not much happened in this area for 20 years. It is true that other systems borrowed or invented similar mechanisms. Access control lists (ACLs) were introduced, but nothing really new arrived on the scene. Access management was for many years November 2009 SC 4

5 just a matter of properly distributing usernames and passwords between a few, sometimes not even communicating, servers. However, during the last 10 to 15 years, internal networks and the internet have developed extremely fast. Applications and systems have become connected in ways never seen before. Suddenly, there was a need to synchronize accounts on not just a handful of systems, but to tens, hundreds and even to thousands of applications within an organization. New authentication mechanisms were also introduced everything from token devices, smart cards and certificates to biometric identification methods. Single sign-on became important and role-based access control (RBAC) with detailed auditing and logging was suddenly necessary, even required by law. And today, one of the latest buzzwords in this area is security in the cloud, with people and applications spread out all over the globe. Now, we have yet another access management challenge in front of us. Tomas Olovsson is co-founder and CTO of AppGate Network Security, and associate professor at Chalmers University of Technology in Sweden, with research focus on network security. Encryption: 20 years ago by Bruce Schneier These days, we live in a world of cryptographic abundance, but the 1980s were different. Encryption products were rare, obscure, eclectic, confusing, poor or more likely all of the above. Through a combination of export restrictions, patriotic pleas, threats and secret agreements, the National Security Agency (NSA) effectively controlled the encryption market, ensuring that it was never mainstream. Research, on the other hand, was blossoming. The Annual International Cryptology Conference (CRYPTO) started in 1981, Eurocrypt in Mathematics conferences accepted cryptography papers and more appeared in engineering journals. Many of the results now seem basic, but back then we were only just starting to understand algorithms and protocols, public-key cryptography and cryptanalysis. There were a few books: notably by Konheim (1981), Denning (1982), Patterson (1987), Davies and Price (1989), and, of course, David Kahn s The Codebreakers (1967). When I wrote Applied Cryptography, in 1992, everything publicly written about cryptography fit onto a single shelf. I wrote the book that I wished existed an accessible introduction to the field. Seventeen years and a couple of hundred thousand copies later, I regularly meet people whose interest in cryptography was sparked by that book. The changes came fast in the 1990s. Cryptography export controls were relaxed and eventually repealed. The FBI tried, and failed, to force vendors to install backdoors in their products so they could eavesdrop more easily. Research continued to boom as the graduate students of the 1980s got graduate students of their own. There were more ideas, more conferences, more products. And, most of all, finally, there was demand: the World Wide Web, electronic commerce, corporate networks. Now, we all use cryptography daily. It s on our operating systems, our web browsers, our phones and our programs. There are so many cryptography conferences that no one can attend them all. I can t fit my current cryptography library onto three massive bookshelves, and I don t have anywhere close to everything published. At the same time, we ve learned that security needs more than cryptography. Security is a chain, and it s only as secure as the weakest link. Compared to applications, operating systems and network security, not to mention human factors, cryptography is already the strongest link in any security chain. We might have beaten the NSA in the battle for cryptography, but the war for privacy and security continues. Bruce Schneier s new book, Cryptography Engineering, will be published in spring You can read his other writings at An historical perspective on password management by Eugene Schultz In the mid-1980s, no issue was bigger than password security, and for good reason most break-ins into systems at that time involved exploiting weak, default and/or null passwords. Other kinds of attacks were almost unheard of then (social engineering attacks excepted). Policies often required strong passwords, but with the exception of minimum password length settings in operating systems, no technology for enforcement existed. System and security administrators were at the mercy of users, who were constantly urged to select strong passwords, but seldom did. In the late 1980s, several significant password management technologies surfaced. Password filters prevented users from entering passwords that did not meet password goodness criteria. Password crackers enabled system administrators to monitor cracked, weak or default passwords, so that account owners could then be required to change them. Thus, enforcing password policy provisions using technology became possible. Lamentably, however, few organizations used password filters, 5 SC November

6 and worse yet, password crackers have been used more often and more effectively by attackers than anyone else. The 1990s marked the emergence of remote vulnerability scanners. Although most of the tests carried out by these tools probed for vulnerabilities in operating systems and system services, some of them also tested for weak passwords in well-known accounts. Unfortunately, these tools did not test password strength in other accounts. They therefore have made little difference on password management. Every Windows operating system since Windows NT (July 1993) has password filtering based on combinations of letters, numbers and special symbols. However, research studies have shown that passwords filtered according to these criteria are not significantly harder to crack than unfiltered ones. The relatively recent advent of rainbow tables, millions of pre-computed candidate passwords for password crackers to try, has revolutionized password management. System and security administrators can now crack a large percentage of passwords in minutes and force users to select better ones. Many organizations do not employ this technology, however, leaving their systems open to traditional simple password attacks. Exploiting weak passwords has been a major threat vector since passwords were first used. Free technology that allows enforcement of password policy is widely available. So why are there still so many weak passwords? You can lead a horse to water, but you cannot force it to drink. Dr. Eugene Schultz is the CTO at Emagined Security, an information security consultancy based in San Carlos, Calif. He is the author/co-author of five books, and has also written over 120 published papers. On the last 20 years of vulnerability management by Rebecca Bace When I think of how things have changed (and remained the same) over the last 20 years in the security trenches, it s tempting to come up with a tote sheet for the decades. On the positive side, the degree to which our modern lives are staged on IT networks is a testament to the ability of the security community to present at least a facade of acceptable risk to the masses. Even as I note that we don t have sufficient acumen to protect what we ve put online, I also without apology assert that the transparency that vulnerability management solutions brought to the practice of system security (added to IDS s ability to spot problems in the making) had a positive influence on security and the online world. On the negative side, there s a lot left to do in both the realms of IT and security management at large. We need to better understand how to harden systems in ways that are reliable and cost-efficient. We need to acknowledge that complex systems are inherently imperfect and include monitoring and control mechanisms to spot when imperfections are being exploited to the detriment of information owners. We need to understand how to flex models of expected behavior to accommodate local norms, while assuring that users can safely function online. None of these measures will come as easily as we think they should. That does not mean that they aren t critical to our modern world. Perhaps, taking a look at the Japanese auto industry of the 1970s would be useful to us it s time to focus on improving the quality of IT systems and the management processes associated with their care and feeding. In the best of worlds, this will give us the market edge that finances the next quantum leap in both IT and security. Rebecca Bace is a security strategist with more than 25 years spent in a variety of roles. She currently focuses on taking early stage firms to market. Big changes in vulnerability assessment by Ron Gula During the past 20 years, there have been very big changes in the vulnerability scanning industry. Keep in mind that 20 years ago, vulnerability scanning was really made famous when Dan Farmer released the SATAN tool. Even though he released a script named repent to turn SATAN into SANTA, the initial reaction to this type of tool from most managers was one of shock. Twenty years later, we have a thriving and growing vulnerability scanner industry with many competing vendors and technologies. It started out with a focus on which scanner could enumerate the most vulnerabilities in the least amount of time. Often, these scanners were run by consultants or auditors who were not embedded in IT. As threats became more sophisticated, enumerating badness was not good enough. Instead, scanners had to evolve to work within an IT infrastructure and perform robust patch management and configuration auditing. This allowed security auditing tools to speak the language of an IT administrator while still simulating the hacker threat. As this usage of the network scanner changed, the type of testing performed by organizations evolved to capture this. I remember helping some early magazine tests for Nessus and filling out forms that asked: How many Windows patches do you check? Waiting until the last day to submit this form made a user s scanner appear as if they d checked off more than some- November 2009 SC 6

7 one else. The industry has come a long way since then. Because of cheap bandwidth, as well as the increase in speed of network vulnerability scanners, the ability to offer scanning as a subscription service also evolved. For a low cost, organizations could procure a one-time monthly or yearly scan of their perimeter. This allowed the IT administrator at an organization to obtain risk information without having to run their own auditing infrastructure. For organizations involved in webbased e-commerce, this was a very good combination. And right now, on the verge of 2010, most scanning vendors are looking at how the world of virtualization and cloud computing will change the need for scanning. New combinations of software-as-a-service, passive network monitoring, continuous scanning, and scanning embedded within the cloud are well equipped to offer various forms of auditing virtual sprawl and cloud-based applications. Ron Gula is CEO of Tenable Network Security. The evolution of penetration testing by Matt Hines As one of the oldest IT vulnerability assessment methodologies invented, yet one of the most rapidly evolving IT security practices today, penetration testing remains a process that continues to mature in direct parallel with the systems and applications which it has, and will be used to assess. Over the course of the 1970s and 80s, pen testing was an internal practice, used primarily within military and academic research centers to validate security mechanisms and to corroborate the presence of hypothetical flaws, both in production and R&D computing environments. In the early 1990s, as the seeds for the forthcoming internet and IT revolutions were being sewn, penetration tests began to see expanded use in gauging the overall security of many products and services, dovetailing with the arrival of the earliest purpose-built hacking tools and dedicated professional services. However, even with large and specialized consulting firms marketing pen testing audits to their customers, the process was still almost entirely manual, consisting of undocumented and unrepeatable methodologies that relied on the individual experience and skill sets of practicing experts. Despite being nearly three decades old, penetration testing realized perhaps its most significant advancement with the turn of the century and the arrival of more sophisticated, financially motivated cyberattacks, gaining greater adoption to help manage matters of IT-driven risk. This era also saw the emergence of the earliest commercial automated penetration testing solutions, which have evolved significantly over the last decade and represent one of the most important elements of the practice s continued development. As today s cybercrime epidemic, specifically electronic data theft, continues to proliferate at a furious pace, penetration testing has finally truly found widespread recognition outside the realm of specialized organizations and consultants. It is now a central element of proactive IT risk management through the use of both services and an array of rapidly maturing technologies. As concepts of IT risk management and security measurement evolve out of their own nascence, driven in part by regulatory compliance, penetration testing will only become a more pervasive, critical component of those strategies, based on its ability to isolate vulnerabilities directly exposed to real-world attacks. Before joining Core Security Technologies as marketing manager in 2008, Matt Hines covered the IT industry for over a decade as a reporter and blogger for publications including InfoWorld, eweek, CNET News.com and Dow Jones Newswires, with a specific focus on the security space since BIOMETRIC The search for the better biometric mousetrap by David Lease It seems as though we are always looking for the better mousetrap nitrogen-enriched gasoline; all-in-one laundry sheets for the washer and dryer; combination soap, shampoo and shave cream; and other products that make our lives somehow better. This constant search for the next best solution is true in biometric security technologies as well. When I started working on identification technologies in the mid-1980s, we already had a pretty big database of fingerprint cards that were cataloged and organized like library cards. If you had crime scene prints and wanted to identify a suspect through an existing set of prints, we d manually search through hundreds of fingerprint cards comparing attributes of submitted prints to prints already on file. Over the years, we worked to find ways to make fingerprint-matching faster and more reliable. Today, fingerprints are digitized and the comparison is automated, but it s still nothing like what s on TV or in the movies. Unfortunately, most biometrics are useful only for authentica- 7 SC November