Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can’t Find a Parking Spot? Check Smartphone. In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new system that will help detect empty parking spots in downtown. Now clearly this is a step in the right direction, both from an environmental and convenience perspective. I have spent a huge amount of time driving around SFO looking for a parking space, an experience that many of you may have shared. The city is investing $95.5 million on improving traffic condition though I’m not sure how much this pilot will cost.

“This fall, San Francisco will test 6,000 of its 24,000 metered parking spaces in the nation’s most ambitious trial of a wireless sensor network that will announce which of the spaces are free at any moment.

Drivers will be alerted to empty parking places either by displays on street signs, or by looking at maps on screens of their smartphones. They may even be able to pay for parking by cell phone, and add to the parking meter from their phones without returning to the car.”

This system will work involve an initial pilot of 6000 parking spots. Each spot will have sensors that will monitor whether it is free or not. These sensors will then form a network to communicate with each other. Drivers can access data on available spots through their smart phones. The city estimates that these sensor networks will last for around 10 years.

“To install the market-priced parking system, San Francisco has used a system devised by Streetline, a small technology company that has adapted a wireless sensor technology known as “smart dust” that was pioneered by researchers at the University of California at Berkeley.

It gives city parking officials up-to-date information on whether parking spots are occupied or vacant. The embedded sensors will also be used to relay congestion information to city planners by monitoring the speed of traffic flowing on city streets. The heart of the system is a wirelessly connected sensor embedded in a 4×4-inch piece of plastic glued to the pavement adjacent to each parking space.

The device, called a “bump,” is battery operated and intended to last for up to 10 years without service. From the street, the bumps form a mesh of wireless Internet signals that funnel data to parking meters on to a central management office near the San Francisco city hall. “

A while ago, I had written about (Increase the TCO, Kill the Project) attacking systems not to violate data integrity or confidentiality but to increase the total cost of ownership (TCO). It would be interesting to see if the sensor network deployed to monitor parking spots may be vulnerable to attacks that aim to drain their batteries and thereby reduce their life span and increase the TCO for the system. I have not tested this hypothesis, I’m hoping that others don’t either. Let no one stand between you and your parking spot.

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft’s BlueHat Security Conference on October 16-17th. Sometimes when you go blue… you really go blue.

Over the course of the next few months my buddy Nitesh Dhanjani  and I will be presenting our research on how the business, psychological and behavioral aspects of our virtual and real-world personas impact our security and privacy. In particular, I am excited about two aspects of this talk. The first is the opportunity to explore techniques that were previously available only to large corporations or TLAs (three letter organizations) to gain intelligence. The second is to analyze the impact of our findings on the financial value of social networks and propose advances to current business models.

TITLE: Suddenly Psychic: Knowing Everything About Everyone

ABSTRACT:
Imagine a world where you can remotely influence other people’s behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people’s minds to influence their behavior.

Topics of discussion will include:

• Techniques on how individuals may be remotely influenced by focused marketing and messaging tactics, and how criminal groups and governments may abuse this capability.

• Reconnaissance and pillage of confidential information, including intellectual properties owned by businesses.

• Falsified profiles used to construct undeserved reputation as well as the risk of reputation tarnish.

• Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware. This topic will be extended to demonstrate the possibility of criminal abuse and the enablement of economic drivers.

• Decreasing the value of social networks through data poisoning attacks.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented in addition to academic discussions and thoughts on how to enable the upcoming online social age.

Many enterprise customers are increasingly evaluating the benefits of infrastructure outsourcing (ITO) to their businesses. In the past year, several CIOs have expressed concerns around the impact to the security and privacy of digital assets resulting from infrastructure outsourcing. In this post I will discuss the business drivers and security concerns around ITO and propose safeguards that enterprises can consider.

The drivers for infrastructure outsourcing stem from the impact of global delivery and economies of scale driven by standardization.  Additional benefits can be had from consolidating and sharing power-hungry data centers located in regions better suited to service the data centers’ unique power needs.

Non-technology companies have been early adopters of the ITO model so as to focus on core businesses rather than technology support. In particular, financial services and government organizations have experimented to various degrees with the ITO model.  I am also observing a trend for companies actively pursuing M&A activities increasingly turning to this model as well. Clearly ITO has multiple benefits to businesses and this market can be expected to see healthy growth in the next few years.

The ITO model does have some challenges when it comes to the risk an enterprise faces from letting a third party have access to its digital assets. The areas of concern include:

• Regulatory compliance
• Intrusion monitoring and prevention
• Incidence response
• Validation of hosted environment
• Adherence to corporate standards and policies
• Liability resulting from an attack

While each organization will need to do compare the benefits and risk of outsourcing, there are some safeguards  that can mitigate the risk. I recommend that organizations examine the following third-party services:

1. Technical Compliance Management (TCM): These solutions aim at defining from an audit perspective the IT controls that need to be maintained for an organization. They can then periodically collect evidence of compliance for each compliance condition. TCM solutions evaluate system states in order to measure the level of adherence to standards and policies .
2. Security Deployment Assessments: These security assessments focus on evaluating the security posture of the infrastructure before any major system goes live. These may include checks against baseline configurations provided by the product vendors (like Microsoft’s MBSA)  and IT policies
3. Periodic Vulnerability Scans and Pen-tests: In order to verify that the current state of the system are relatively free of known issues, vulnerability scans and pen tests can be used. This is definitely a recommended step but does not supplant the need for securely designed architecture
4. Managed Security Services: Some organizations have used managed security service providers to provide an additional layer of security to their outsourced infrastructure. These providers offer services including intrusion prevention/detection (IPS/IDS), firewalls etc. This may be difficult to negotiate with your vendor as it makes them dependant on managed security service providers. The trend will be for ITO providers and Managed Security Service providers to form strategic partnerships and offer comprehensive solutions.
5. “In the cloud” services: These services encompass email spam filtering, anti-virus services for desktops. These can be used to bolster any existing ITO providers offerings. Look for partnerships in this space as well.
6. Performance Reviews and Availability Services: Availability is a cornerstone of trustworthy computing and cannot be overlooked in any risk based discussion. Uptime will be a key metric for measuring the quality of service provided. Security services like load balancing, stress testing and active performance monitoring will be crucial to the reliability of the service.
7. Forensic Analysis: In case anything should go wrong, enterprises should invest in forensic analysis services to get to the bottom of an incident. This may also be needed from a liability perspective. It is generally advisable to identify a forensic analyst firm before hand and brief them about operational aspects to minimize on lead time to bring them up to speed during an incident.

Thanks to Roger Grimes and Mark Curphey to help me create a more comprehensive list of solutions.

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea for their security problems. However, threat modeling may not be the solution to their immediate problems. Now I recognize that this may be a controversial statement.

Recently, I have been involved in several situations where organizations with their heart in the right place have made threat modeling mandatory as part of the development process, with limited success. My point is that threat modeling as part of a mature SDLC is a desired end state though not necessarily the initial step. Let’s examine this argument.

Firstly, threat modeling depends on several elements of a SDLC to be fairly mature. Most importantly it depends on requirement and specification gathering process to be rigorous. Also, an enterprise must have well defined standards and policies in place to act as input into the threat modeling process. Without these elements of the SDLC in place, the threat modeling process will be isolated and have a reduced impact.

Secondly, a threat model is a security plan only and is useless without any committed follow-up action as part of development and testing. Most enterprises do not allocate sufficient time and resources to implement the findings of the threat model. A large portion of organizations don’t even have a security assessment team in place. These teams are consumers of the threat modeling process that actual carry out the most crucial task of reducing risk by implementing countermeasures.

Thirdly, it is practically feasible to create threat models only for new projects or those undergoing incremental changes. As a result, legacy applications do not benefit from threat modeling. This leaves a huge gap in the enterprises’ risk profile.

Finally, most nascent application security programs need quick and demonstrable ROI. The threat modeling process ROI can take several months or even years to be quantifiable because it is an incremental process that is dependant on several other SDLC processes to be effective. There are other areas where investment can bring in more immediate ROI. These areas include security assessment team, security training for developers and definition of countermeasures for  common vulnerabilities.

For organizations with nascent application security processes, I recommend that they us the following framework to evaluate if they are ready to adopt threat modeling:

• Does a security baseline exist?
• Is the SDLC process fairly well defined and followed during development?
• Has the organization agreed upon countermeasures for common vulnerabilities?
• Are developers trained to avoid common vulnerabilities?
• Do developers do a self review of code for security vulnerabilities?
• Does a security assessment team exist?

If the answer to more than two of the questions above is no then the organization is probably not ready for adopting threat modeling.

For long, getting access to a common view of all of a patient’s medical records has been a shortcoming of the healthcare system. This is a curious situation since, patient records have been digitized  in several leading hospitals like the Mayo Clinic and the Cleveland Clinic for some years now. The technical mechanisms for transferring this data from one care provider to the next are also readily available. What is promoting (some say preventing) the exchange of medical information from happening is a law known as  Health Insurance Portability and Accountability Act (HIPAA).

HIPAA standards are meant to improve the efficiency and effectiveness of the health care system by encouraging the widespread use of electronic data interchange in the US health care system. The law defines the security and privacy standards for Protected Health Information(PHI). PHI is basically any information about health status, provision of health care, or payment for health care that can be linked to an individual and as is generally interpreted as pretty much anything medical related including name, medical record numbers, biometric data, payment information. Now all of this is great, but what really happens is that the entity holding your medical information will not share it with other entities unless it absolutely has to. This is because the liability to the originating entity from misuse of this data  is high.

Now that we have the background established, let’s get to the point. Recently Microsoft’s  HealthVault  and Google Health offerings have been released with a promise of making this data exchange easier and allowing the individual all the benefits derived from a complete view of their medical histories. Such services are generally known as health record aggregators.

Both market forces and the need for electronic data interchange for health records drive companies like Microsoft and Google to create these services. Users will be able to create health profiles, track prescriptions, track expenses and allow healthcare providers access to their records.  It is my opinion that this innovation is a necessary step in healthcare reform.

However, one very significant downside exists. The information uploaded to these health record aggregators is not currently covered under HIPAA. What this means is that any attack, breach of confidentiality or even potential harm from wrong data is not covered by the law. You are left to the best effort of the service provider. This increases the risk of disclosure of your private medical information. The law , today, is out of step with what technology can provide.

Some practical considerations also heighten this situation. Here are some guidelines that you may want to follow:

• Create a new Microsoft Live ID or Google account for your health information
• Do not use your “normal password” for this account. It needs more security
• Check with your medical service provider as to what information will be available to an aggregator
• Steer clear of any provider that shows you targeted ads based upon your medical information
• Opt out of sharing information with any partner sites
• Do not sign up for newsletters pertaining to your health info if you wish to keep it a secret
• Ensure that the providers policy states that they delete all your data if you wish to drop out of the service
• Question whether the healthcare data be sent to any offshore location (read more about this here)
• Ensure that the privacy statement states that the medical data will never be aggregated with other databases

So in conclusion, it is clear that there are significant benefits to having your medical data aggregated and available to you. Clearly the technology to do so exists. The laws have not kept up with this change in technology, leaving you with one choice to make… Are you comfortable having your medical records stored with minimal legal protection?

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, ” Great!! Now where do I find another 20 people like these?” (pointing to my team)…

I thought about it a while and so Mr. B here is your answer: Information security education has been pursued by several tertiary education (i.e. universities) for several decades now. In 1999, the NSA got into the act and issued a list of  National Centers of Academic Excellence in Information Assurance Education (CAEIAE) to 7 universities:

James Madison University
George Mason University
Idaho State University
Iowa State University
Purdue University (No longer a CAE)
University of California at Davis ( I went to grad school here)
University of Idaho

These CAEs are accredited for 5 years and have to reapply  for designation after that period. The CAEs were set up in an effort to promote higher education in information assurance, and in turn, increase the number of professionals with this critical expertise. NSA’s establishment of this program was based on the growing demand for professionals with information assurance expertise in various disciplines.

The current list of universities in this list include the original universities (except Purdue) and the following:

California State University, San Bernardino
Georgetown University
Southern Polytechnic State University
The University of Tennessee at Chattanooga
University of Arkansas at Little Rock
University of Denver
University of Missouri – Columbia
University of Nevada, Las Vegas
West Chester University of Pennsylvania
West Virginia University
Air Force Institute of Technology
California State Polytechnic University, Pomona
DePaul University
East Carolina University
New Mexico Tech
Northeastern University
Nova Southeastern University
Oklahoma State University
Polytechnic University
The University of Texas at San Antonio
Towson University
United States Air Force Academy
University at Buffalo, the State University of New York
University of Maryland University College
University of Nebraska at Omaha

Watch this space for more on information security education and where to find the right people.

Previous Post

I will be discussing Microsoft IT’s approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th. This webcast will be part of the Microsoft’s IT Manager Webcast series. This series aims to share deep knowledge focused on Enterprise IT orgs and ISVs.

Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200)

Register Online 

Audience: Technology Decision Maker.
Duration:60 Minutes
Start Date: Thursday, May 29, 2008 11:00 AM Pacific Time (US & Canada)

Event Overview

Join this webcast to learn how Microsoft IT’s Application Consulting and Engineering (ACE) team secures Microsoft’s internal business applications.  The ACE team will share state of the industry, application security challenges, and how application security fits into the development lifecycle for IT.  Learn about the ACE team’s methodology and processes developed in the areas of application security and performance optimization.

You can find more details here.

The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn’t.

The IT security org needs to understand what threats the business faces from its technology systems. In many cases this is not a direct threat to the confidentiality or availability of data. Some attacks may be focused on other aspects of the systems like integrity or even cost.

Let me give an example. Some systems such as the adhoc sensor networks are deployed as an alternate to existing monitoring systems for the flexibility and cost reduction they offer. I wrote  a research paper with my friend Guillermo Marro detailing attacks on sensor networks.  These attacks focus on the power available to each sensor in the network. By manipulating the protocols, we were able to model attacks that would cause these networks to degrade rapidly. This would mean that the sensors would have to be replaced much before their time resulting in a dramatic increase in the total cost of operating these networks. This attack is not focused on the confidentiality of data but does may make the network too expensive to run.

Now that you’ve decided (or battled) to set up an application security program you realize that it actually needs to get funded.  You must master the art of delicately drinking from the fire hydrant of line of business applications.

In my experience helping organizations set up their application security programs funding was perhaps the most critical factor determining the level of impact that the appsec program would have. Lets go through the various permutations and combinations of these models and what they buy you:

1. Centrally funded cost center: This is the model most organizations follow where a bunch of centralized funds are used to hire some employees/vendors to come in and churn through the applications. This model does allow the organization to decide its overall spend on application security and set up dedicated resources for assessments. In some organizations this model has been successfully used to develop a centralized risk management system which can then be used to go after the most risky applications. In my experience the hidden problems in this model surface when an organization tends to use an immature risk assessment framework. Also, this model suffers when organizations do not take due care towards capacity planning and give way too many applications to a single analyst. This fractures their time and eventually nothing gets done
   So remember, use this model to manage your application security spending and use a common risk management framework. Beware of using a risk framework that does not correctly represent your organization risk profile or overwhelming your analysts.
2. Decentralized project based model:This model is useful for organizations which have large decentralized business units where it is very difficult to get the different BUs agree to a contribute funding to centralized resources. In this model the application security team is reduced to a recommendation body only and dilutes its enforcement capabilities. In my experience, this program has been successful in two scenarios - both of them at completely different ends of the spectrum. The first, where political issues between different organizations are difficult to bridge and funding from commitments from these organizations are next to impossible. The second is organizations where their is a high level of consensus in spend and standard of security to be maintained. Needless to say the first type of organization is all too common and the second type is all too rare.
3. Internal cross-charge consulting: This is an interesting model where the business units decide to uphold a common security standards and there is a general awareness of the need for application security. The application security program is set up as an internal consulting organization. This model is successful for large enterprise organizations that have several LOB applications in their portfolio and are fairly mature in their security processes. One of the biggest advantages of this model is that it can be scaled up and scaled down as needed. The organization does need to be vigilant and set up policies that will ensure that all projects budget for the security work.

There are several other hybrid models that organizations have explored including a combines network-application security team where people are cross trained in both discipline. You need to focus on the model that is best for your organization. The criteria to decide which model to chose should include:

• Risk-management framework maturity
• Investment that org in application security
• Is application security centralized or decentralized?
• What is the amount of enforcement capabilities the appsec org will have?
• Do you build in-house or outsource?

A host of other issues including availability of employees with the right skills, vendors, off-shoring, size of application portfolio, regulatory needs etc. will influence the funding model as well. One thing is for sure, without adequate funding for governance and operations, the appsec program will not be successful. Hope this helped!!

I will be speaking at the Front Range OWASP Conference ( FROCo08 ) in Denver on June 10th. The focus of the conference to share the experiences that the speakers had around solving technical and management issues surrounding application security. I’ll be sharing the podium with luminaries like Ed Bellis, Jeremiah Grossman, Melissa Tondi, Laz, Mike Walter & Robert Hansen.

My talk, Application Security Kung Fu: Threat Modeling your way to competitive advantage, will focus on how threat models can lead to better software translated to a competitive advantage. That will be followed by a security discussion  on integrating security into the SDLC. Looking forward to this discussion on the topic I have been passionately blogging about.