I’m expanding my blog writings to include posts on topics that I am currently thinking about. These will be more ideas floating in my head than analysis, so I will call them Streams of Consciousness. They will complement my regular in-depth analysis on topics.
Categories: Streams of Consciousness
Categories: Business, Customer Support, Information Technology, Security
McAfee’s shoddy security updates have been well chronicled. If you haven’t been following this, let me summarize the situation for you. McAfee sent out a security update that led millions of uninfected machines to think they were infected, leading McAfee to commit hara-kiri.
Clearly, this did not make any of the impacted customers happy. But what’s even more interesting is that McAfee blamed this on broken quality assurance processes: they had changed their testing process to make it less rigorous. At any other time this might have been fine. But when it happens while Toyota is subject to the largest recall in its history due to shoddy testing and its brand image is taking a beating, it seems brain dead to roll out an untested, less rigorous QA process.
Again, that was far from the end of it. McAfee’s customer service then went out and made things worse. Many customers have shared horror stories from this incident with me. The following comment on an article by Larry Seltzer summed up the collective experience:
My main problem with this situation (and the main problem echoed by numerous other IT professionals I’ve talked with) was with McAfee’s response. Faced with a MAJOR mistake that was impacting people on an international scale, what did they do? Did they send out an e-mail notification to warn of the problem and advise us how to fix systems that had been impacted? No. Did they have a large, easy to find link right from their home page to help us QUICKLY find out what the problem was and how to fix it? No. Even after it was reported in the major media, they acted like it was no big deal and had just a little link in a location where it was very easy to overlook, worded to look like it related to something that was no big deal. This made it easy to overlook when you’re pressed, trying to quickly find a solution for angry customers.
Lesson for you to take away: catastrophic business situations will arise due to carelessness on your part. If you haven’t done an analysis of the consequences of these situations, you will trip. And when you get up, you may not look pretty.
If you like this post, subscribe to the RSS feed
Jack Louis of Outpost24 passed away on Sunday as a result of a house fire in Sweden. He was known for the security scan tool Unicornscan. Some of you may remember him from Sockstress, a vulnerability that can trigger denial of service on any system that listens for remote connections using TCP. Jack’s path and mine had crossed a few times in both competitively and intellectually fulfilling ways.
Categories: Innovation, Security, X Prize
So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and that people have kindly consented to my posting.
Here is a response sent to me by my friend Olav Opedal with Microsoft’s Information Security group:
I believe the change has already happened, but you haven’t seen much of it translated into off the shelf products. The change that I see is based on the use of applied mathematical solutions found in other science branches, such as using power-law distributions describing social networks to define who should have access to what, along with physics heat models applied to network traffic. With this, I mean using real time multi-dimensional analysis of network traffic, user actions, content and context of transmissions etc. to determine a probability of appropriateness of the actions. In other words, using mathematical models to find the change point as soon as possible, and discard anomalies that have little effect on the CIA triangle. One thing that is clear is that information must be given an economic value to enable a decision point to be set for action versus inaction.
So does all information need to be given economic value? If so, can all information be given economic value? This is an interesting train of thought to follow.
Categories: Comics, Microsoft, SDL, Security
So how do you take your average developer, who scoffs at security, from the careless and brash (aka Kevin) to the poster child for good development practices (aka Kevlarr)? Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev team at Contoso, who are under attack from the League of Malware. Along the way they battle foes such as Spam Bot and Social Engineer while getting help from Vigil and Nforcer. Strip 11 of this interesting attempt to socialize security is below:
Socializing security is essential for organizations to drive culture change from one based on FUD to one based on an understanding of security needs. People are the most complex part of the security puzzle. Most people take the easy way out and will avoid the things they fear or don’t understand. Every CIO should ask what his/her organization’s plans around socializing security are. So what are they?
Categories: Consulting, Information Technology, Innovation, Microsoft, Security
One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has gained in deploying technology and solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they are generally available, in a process known as dogfooding. Often it needs to develop and deploy solutions multiple times as the product cycles from betas to release candidates to the released version. Customers will find solutions that leverage this deep expertise and experience useful in speeding up the architecture and deployment of their own solutions.
In this series Microsoft IT Solutions, I will be detailing some of this innovation coming out of Microsoft’s InfoSec group. The first of the series is Full Drive Encryption using BitLocker®. I asked Richard Lewis, Security Architect on my team & the creator of this solution kit to describe the BitLocker FDE solution. Here is his description:
The InfoSec team recently created and delivered the BitLocker Service Kit for the Core I/O Service Line under the Security, Identity and Access Management (SIAM) portfolio. SIAM is a portfolio offering from Microsoft Services. SIAM is divided into six offerings that address particular security IT capabilities – the BitLocker Service Kit was created under the Enterprise Data Security Optimization IT capability.
The BitLocker Service Kit provides Microsoft Services sales and delivery roles with the resources they need to sell and deliver comprehensive Full Volume Encryption solutions based on Windows BitLocker Drive Encryption. Ultimately this Service Kit helps Microsoft Services accelerate their customers’ BitLocker deployment timeline and therefore Windows Vista deployment, decrease the risk of data loss, and increase customer satisfaction. Overall this kit contains over twenty different documents such as checklists, guides, worksheets, operation guides, architecture and design documents to help our sales and delivery consultants deploy BitLocker in an optimized manner.
The resource who led creation of this service kit was also involved in the MSIT BitLocker deployment and is currently helping a large financial services organization deploy BitLocker to over 100,000+ desktops. Learning and feedback from the MSIT internal BitLocker deployment were instrumental in creation of this Service Kit and will continue to be used as InfoSec goes into the field and helps Microsoft customers with their BitLocker deployments. This kit demonstrates that IP from MSIT projects adds value to our products and ultimately our customers.
Drop me a note if you would like some additional details on this solution kit or the innovation process within Microsoft.
Categories: Application Security, Finance, Microsoft, Risk, Security, Strategy
Today, it was revealed that a departing contractor left Fannie Mae with a parting gift: a Logic Bomb designed to take down 4000 of the financial giant’s servers and their data. Since this news broke, a number of concerned CIOs have asked my team for guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.
A Logic Bomb is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly a set date. A Logic Bomb that goes off on a particular date is called a Time Bomb.
In this case the attack was successful because the contractor’s authorization to access systems was not revoked after he was let go. In identity management systems such as ILM, this is known as deprovisioning.
Logic Bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who has authorized access to the system. They are a type of insidious attack called an insider attack, the most difficult class of attacks to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach from within their organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack… think again.
What can you do to avoid a fate like Fannie Mae’s? Sadly, your options are limited and depend on strict adherence to process. This is what you can do (in order from immediate to long term):
- Deprovision user accounts for individuals who have been let go while they are still on premises, or even before you inform them.
- For programmers, create a copy of their files and code before they leave. These can be compared with copies of the files and code after a few days to look for changes.
- After a person with access to critical digital assets, including systems and code, leaves the org, invest in having a peer double check for logic bombs that may have been left behind.
- Change access credentials to critical systems periodically and consider two factor authentication.
- Use an identity management system to manage provisioning and deprovisioning of user accounts.
- Invest in a multi-tiered logging and auditing system with separation of duties between the monitored and monitoring parties. This ensures a trail of evidence should the case go to prosecution.
Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.
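The second and third steps above (snapshot a departing programmer’s code, then compare it a few days later so a peer knows exactly which files to review) can be automated with a content-hash diff. This is an added example, not code from the original post; it assumes a Python environment and uses a constructed source tree rather than any real deployment.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(before, after):
    """Return the files added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def demo():
    """Constructed scenario: snapshot taken on departure day, then a later one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "jobs").mkdir(parents=True)
        (src / "jobs" / "nightly.py").write_text("def run():\n    backup()\n")
        (src / "util.py").write_text("def backup():\n    pass\n")
        at_departure = snapshot(src)
        # Changes that appear during the review window (constructed data):
        # one existing file edited, one new file, one file removed.
        (src / "jobs" / "nightly.py").write_text("def run():\n    backup()\n    cleanup()\n")
        (src / "jobs" / "cleanup.py").write_text("def cleanup():\n    pass\n")
        (src / "util.py").unlink()
        later = snapshot(src)
        return diff_snapshots(at_departure, later)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Only the three reported paths need a peer’s eyes; everything else is byte-for-byte unchanged since the departure snapshot.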