Response to InfoSec X Prize Part 1

So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and that people have kindly consented to having me post.

Here is a response sent to me by my friend Olav Opedal with Microsoft’s Information Security group:

I believe the change has already happened, but you haven’t seen much of it translated into off-the-shelf products. The change that I see is based on the use of applied mathematical solutions found in other science branches, such as using power-law distributions describing social networks to define who should have access to what along with physics heat models applied to network traffic. With this, I mean using real time multi-dimensional analysis of network traffic, user actions, content and context of transmissions etc. to determine a probability of appropriateness of the actions. In other words using mathematical models to find the change point as soon as possible, and discard anomalies that have little effect on the CIA triangle. One thing that is clear is that information must be given an economic value to enable a decision point to be set for action versus inaction.

So does all information need to be given economic value? If so, can all information be given economic value? This is an interesting train of thought to follow.

- Akshay


Baking Security In: A Comic Strip View of SDL

So how do you take your average developer who scoffs at security from the careless and brash, aka Kevin, to the poster child for good development practices, aka Kevlarr? Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev team at Contoso, who are under attack from the League of Malware. Along the way they battle with foes such as Spam Bot and Social Engineer while getting help from Vigil and Nforcer. Strip 11 of this interesting attempt to socialize security is below: [comic strip image]

Socializing security is essential for organizations to drive culture change from one based on FUD to one based on an understanding of security needs. People are the most complex part of the security puzzle. Most people take the easy way out and will avoid the things they fear or don’t understand. Every CIO should ask what his/her organization’s plans around socializing security are. So what are they?

- Akshay


Microsoft IT Solutions: Full Drive Encryption using BitLocker

One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage what Microsoft IT has learned in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they are generally available, in a process known as dogfooding. Often it needs to develop and deploy solutions multiple times as the product cycles through from betas to release candidates to the released version. Customers will find solutions that leverage this deep expertise and experience useful in speeding up the architecture & deployment of their solutions.

In this series, Microsoft IT Solutions, I will be detailing some of this innovation coming out of Microsoft’s InfoSec group. The first of the series is Full Drive Encryption using BitLocker®. I asked Richard Lewis, Security Architect on my team & the creator of this solution kit, to describe the BitLocker FDE solution. Here is his description:

The InfoSec team recently created and delivered the BitLocker Service Kit for the Core I/O Service Line under the Security, Identity and Access Management (SIAM) portfolio. SIAM is a portfolio offering from Microsoft Services. SIAM is divided into six offerings that address particular security IT capabilities – the BitLocker Service Kit was created under the Enterprise Data Security Optimization IT capability.

The BitLocker Service Kit provides Microsoft Services sales and delivery roles with the resources they need to sell and deliver comprehensive Full Volume Encryption solutions based on Windows BitLocker Drive Encryption. Ultimately this Service Kit helps Microsoft Services accelerate their customers’ BitLocker deployment timeline and therefore Windows Vista deployment, decrease the risk of data loss, and increase customer satisfaction. Overall this kit contains over twenty different documents such as checklists, guides, worksheets, operation guides, architecture and design documents to help our sales and delivery consultants to deploy BitLocker in an optimized manner.

The resource who led creation of this service kit was also involved in the MSIT BitLocker deployment and is currently helping a large financial services organization deploy BitLocker to over 100,000+ desktops. Learning and feedback from the MSIT internal BitLocker deployment were instrumental in creation of this Service Kit and will continue to be used as InfoSec goes in the field and helps Microsoft customers with their BitLocker deployments. This kit demonstrates that IP from MSIT projects adds value to our products & ultimately our customers.

Drop me a note if you would like some additional details on this solution kit or the innovation process within Microsoft.

- Akshay

Note to Fannie Mae: Dealing with Logic Bombs

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take down 4000 of the financial giant’s servers & their data. Since this news broke, a number of concerned CIOs have asked my team for some guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.

A Logic Bomb is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly a set date. A Logic Bomb that goes off on a particular date is called a Time Bomb.

In this case the attack was successful because the contractor’s authorization to access systems was not revoked after he was let go. In identity management systems like ILM, revoking that access is known as deprovisioning.

Logic Bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who has authorized access to the system. They are a type of insidious attack called an insider attack. These are the most difficult class of attacks to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach from within their organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack… think again.

What can you do to avoid a fate like Fannie Mae’s? Sadly, your options are limited and dependent on a strict adherence to process. This is what you can do (in order of immediate to long term):

  • Deprovision user accounts for individuals who have been let go while they are on premises or even before you inform them
  • For programmers, create a copy of their files and code before they leave. These can be compared with copies of files and code after a few days to look for changes.
  • After a person with access to critical digital assets including systems and code leaves the org, invest in having a peer double check for logic bombs that may have been left behind
  • Change access credentials to critical systems periodically and consider two factor authentication.
  • Use an identity management system to manage provisioning & deprovisioning user accounts
  • Invest in multi-tiered logging and auditing systems with separation of duties between the monitored and monitoring parties. This ensures a trail of evidence for prosecution in the case that you are indicted.
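
One way to carry out the before-and-after comparison from the list above, as an added example that is not part of the original post. It records a SHA-256 digest and permission bits per file rather than keeping full copies (an assumption made here; keep the copy as well if you want to see what changed and not only which files), and the directory tree and file names are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root to (SHA-256 digest, permission bits)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = path.stat().st_mode & 0o777
        manifest[path.relative_to(root).as_posix()] = (digest, mode)
    return manifest


def diff_manifests(before, after):
    """Report what changed between the pre-departure baseline and a later snapshot."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append(name)
        elif name not in after:
            report["removed"].append(name)
        else:
            (old_hash, old_mode), (new_hash, new_mode) = before[name], after[name]
            if old_hash != new_hash:
                report["modified"].append(name)
            if old_mode != new_mode:
                # e.g. a script that quietly became executable
                report["mode_changed"].append(name)
    return report


def demo():
    """Constructed sample tree: take a baseline, change the tree, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jobs").mkdir()
        (root / "docs").mkdir()
        (root / "jobs" / "rotate.sh").write_text("echo rotate logs\n")
        (root / "jobs" / "cleanup.sh").write_text("echo clean tmp\n")
        (root / "docs" / "notes.txt").write_text("handover notes\n")
        os.chmod(root / "jobs" / "cleanup.sh", 0o644)

        # Baseline taken before the person leaves; store it where they cannot write.
        baseline = build_manifest(root)

        # Changes that appear in the tree afterwards (constructed for the demo).
        (root / "jobs" / "rotate.sh").write_text("echo rotate logs\necho extra step\n")
        (root / "jobs" / "nightly.sh").write_text("echo new job\n")
        (root / "docs" / "notes.txt").unlink()
        os.chmod(root / "jobs" / "cleanup.sh", 0o755)

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Each path in the report is a starting point for the peer review in the third bullet; an empty report only means nothing changed since the baseline was taken.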

Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.

- Akshay


The InfoSec X Prize: Fundamental Change Through Competition

Today I had a thought-provoking conversation with Dr. Peter Diamandis, Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance.

Arguably the Ansari X Prize (and others in the hopper) have achieved some breakthrough successes. Most notable achievements of the X Prize are:

  • Achieving fundamental advancement in technology using competition driven philanthropy
  • High rate of investment with respect to prize money. An example Diamandis provided was $100 million invested in Ansari X prize for a $10 million prize
  • Booster to commercial adoption resulting from the advancement made. An example is the rapid kick start of transatlantic commercial air services after Lindbergh’s successful attempt at the Orteig Prize in 1927

Now this brings me to a theme of recurrent conversation between my friend Eric Rachner and me. It is my belief that there has not been a fundamental change in the field of information security in the last decade. Sure, things have become better, people are more aware, tools are easier & more reliable & dozens of new vulnerabilities are being found every day. A thinking practitioner of the craft will reflect and agree that though there have been several neat innovations like the vulnerability marketplace, security development lifecycle etc., most of the effort is spent chasing technical bits & byte issues. Once, as we walked over to get dinner, Microsoft’s InfoSec Director Chris H. expressed this sentiment concisely for me, “Organizations have to constantly fight to demonstrate minuscule changes in their risk meter.”

So I got to thinking, what would constitute a fundamental change in infosec? Something worthy of an X prize (or a mini version of the X prize for sake of argument). Before I go into my idea, let me qualify that security being a state of a system, a conversation about it would be incomplete without defining the system. “Achieving security” is like aspiring to a noun. So here is my first stab at a problem worthy of the InfoSec X Prize:

To win the InfoSec X Prize a team must successfully create a system that will in real time analyze security alerts from the world’s largest internet retailer and take corrective response with an accuracy rate of 99% when compared to 10 man-years of manual analysis by InfoSec experts.

I will be coming up with additional X Prize ideas and post them periodically. I would be very interested in knowing what solution you consider worthy of such a prize. Drop me a note and remember that the following constraints would apply to the solution worthy of the InfoSec X Prize:

  • Must be achievable between 5-8 years of X Prize being instituted
  • Non-government/private organizations should be able to develop the solution
  • Solution should represent a revolutionary change in field of information security

- Akshay

Microfinance: One Calf At A Time

Today while reading the repercussions of the Madoff scandal, I received an email informing me that a microfinance (MF) loan that I had made to a person in Central Asia to purchase livestock had been paid back in full and on time. In a week of bad financial news marked by financial greed at the top, it was heartening to realize the integrity of a few at the bottom.

As of now the microfinance industry (MFI) seems to be bucking the trend of the global financial crisis. Repayment is still fairly high at 97-98% (according to Women’s World Banking). It seems that the size of the MF market is insulating it from a downturn – the MF market is several times smaller than the losses in the current global financial crisis. Another factor protecting MFIs is that they do not serve the poorest of the poor. MFIs in general are geared towards mobilizing the entrepreneurial poor who are more economically active.

As the crisis develops further, there is an increasing risk that the MFIs may also see a liquidity crunch owing to recession in the US & Europe, increasing default rates and difficulty in raising funds from investors. One trend seems certain though, the growth rate of the MFI will slow from the rapid expansions it has seen due to commercialization & product diversification. Hopefully this will give the industry some breathing space to mature further and come out of this crisis stronger.

In any case, that one email buoyed my spirit and while all may not be well, all is not bad either.

- Akshay

Business During Downturn: The Chain Of Trust

Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past & form wisdom for the future. I am going to try and capture some of the learning during this new series Business During Downturn.

The past few months have convinced me that individuals & organizations that pay close attention to the basics fare better going into an economic downturn. In particular, establishing and maintaining the sanctity of the chain of trust is essential. The chain of trust is a relationship aspect of interdependent entities. It is based upon the credibility, accuracy and timeliness of business inputs like data, forecasting & assumptions which are then sent up the chain to act as inputs for decision making. An economic downturn breeds anxiety, performance pressures and uncertainty & so maintaining trust is essential for survival. I have recently felt the need for paying attention to 3 chains of trust in particular.

First is the trust between a salesman and sales management. Revenue forecasting is the key activity that helps the organization plan to survive and adapt to change. On the basis of this projection further trust (say with creditors) is established. The sales team needs to redouble its efforts to adhere to the sales basics and stabilize projections within parameters acceptable to the org. I have observed that this is one of the biggest self-feeding problems. Wrong projections quickly add additional pressure to the relationship between a salesperson and their manager. Sales managers in turn find their relationship with their managers deteriorating, leading to increased supervision, more administrative tasks, less flexibility… all the undesirables during a tough period. Salespeople successful in good times but inaccurate in bad times find it hard to gain back the trust when conditions improve for the better.

Second is the trust between an organization and their suppliers/creditors. Some organizations misrepresent the situation to their creditors or set up false expectations with them. In my opinion, people forget that they are dealing with other people. People working for the creditor also have accountabilities and are much less likely to support you during a downturn and the subsequent upturn if they feel that they have been misled, their time abused or subjected to unnecessary stress. I saw a CEO deal with this effectively by instructing his staff to always answer a creditor’s inquiry in a timely manner, give a conservative payment schedule, share the assumptions that may positively or negatively impact the information and most importantly reiterate how they were committed to a long-term relationship (and how their behavior was different than the competition). The CEO ensured the message was consistent across ranks and this had the added benefit of improving morale within his org. It better prepared his staff for taking calls from creditors. Everyone knows that talking to your creditor is like visiting your dentist.

Third is the trust delegated to the employees, especially the sales force. Very often managers will ask employees to take tough decisions or be creative only to second-guess the decision. This erodes the trust the employee has in his management and increases the sense of chaos. The manager needs to examine his issues around control & trust or to take back the decision making authority. The long-term implication of this for a salesperson is that they lose credibility with the client and eventually the client knows that negotiated agreements with the salesperson are not the final negotiated position. Their boss will play game…

I’d be very interested in your observations and lessons in this economic cycle. Feel free to drop me a note.

- Akshay

What my Wordle cloud says about me

I’ve been playing around with the idea of what the words we use say about us. Some of the research that has been keeping me quiet over the past few months is centered on mining information about individuals and organizations based upon raw communication feeds. More on that later. For now, here is my wordle cloud. As time goes by, I’m going to be analyzing how this cloud changes.

Meter This: Practical Application Of Power Drain Attack

Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can’t Find a Parking Spot? Check Smartphone. In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new system that will help detect empty parking spots in downtown. Now clearly this is a step in the right direction, both from an environmental and convenience perspective. I have spent a huge amount of time driving around SFO looking for a parking space, an experience that many of you may have shared. The city is investing $95.5 million in improving traffic conditions, though I’m not sure how much this pilot will cost.

"This fall, San Francisco will test 6,000 of its 24,000 metered parking spaces in the nation’s most ambitious trial of a wireless sensor network that will announce which of the spaces are free at any moment.

Drivers will be alerted to empty parking places either by displays on street signs, or by looking at maps on screens of their smartphones. They may even be able to pay for parking by cell phone, and add to the parking meter from their phones without returning to the car."

This system will involve an initial pilot of 6000 parking spots. Each spot will have sensors that will monitor whether it is free or not. These sensors will then form a network to communicate with each other. Drivers can access data on available spots through their smartphones. The city estimates that these sensor networks will last for around 10 years.

"To install the market-priced parking system, San Francisco has used a system devised by Streetline, a small technology company that has adapted a wireless sensor technology known as "smart dust" that was pioneered by researchers at the University of California at Berkeley.

It gives city parking officials up-to-date information on whether parking spots are occupied or vacant. The embedded sensors will also be used to relay congestion information to city planners by monitoring the speed of traffic flowing on city streets. The heart of the system is a wirelessly connected sensor embedded in a 4×4-inch piece of plastic glued to the pavement adjacent to each parking space.

The device, called a "bump," is battery operated and intended to last for up to 10 years without service. From the street, the bumps form a mesh of wireless Internet signals that funnel data to parking meters on to a central management office near the San Francisco city hall."

A while ago, I had written (in Increase the TCO, Kill the Project) about attacking systems not to violate data integrity or confidentiality but to increase the total cost of ownership (TCO). It would be interesting to see if the sensor network deployed to monitor parking spots may be vulnerable to attacks that aim to drain their batteries and thereby reduce their life span and increase the TCO for the system. I have not tested this hypothesis; I’m hoping that others don’t either. Let no one stand between you and your parking spot.


My BlueHat Talk: Suddenly Psychic

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft’s BlueHat Security Conference on October 16-17th. Sometimes when you go blue… you really go blue.

Over the course of the next few months my buddy Nitesh Dhanjani and I will be presenting our research on how the business, psychological and behavioral aspects of our virtual and real-world personas impact our security and privacy. In particular, I am excited about two aspects of this talk. The first is the opportunity to explore techniques that were previously available only to large corporations or TLAs (three-letter organizations) to gain intelligence. The second is to analyze the impact of our findings on the financial value of social networks and propose advances to current business models.

TITLE: Suddenly Psychic: Knowing Everything About Everyone

ABSTRACT:
Imagine a world where you can remotely influence other people’s behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people’s minds to influence their behavior.

Topics of discussion will include:

  • Techniques on how individuals may be remotely influenced by focused marketing and messaging tactics, and how criminal groups and governments may abuse this capability.
  • Reconnaissance and pillage of confidential information, including intellectual properties owned by businesses.
  • Falsified profiles used to construct undeserved reputation as well as the risk of reputation tarnish.
  • Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware. This topic will be extended to demonstrate the possibility of criminal abuse and the enablement of economic drivers.
  • Decreasing the value of social networks through data poisoning attacks.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented in addition to academic discussions and thoughts on how to enable the upcoming online social age.

 
