Reflections on Security

Blog moved

2010-08-09T21:10:00.002-04:00

I have moved this blog to Wordpress.

Reflections On Security

Close call...

2008-12-24T13:18:00.007-05:00

One of the goals I set for myself this year was to obtain the ISSMP certification in information security management. Between work and a family with two small children, there wasn't much time for study. I almost ran out of time, but it looks like fortune smiled upon me: today I received notification of successful completion of the certification exam and my new ISSMP status as of December 13, 2008. Phew! Just in time!

Book Review: Privacy and Health Care

2008-12-22T22:29:00.012-05:00

Working for a health care organization, I must admit that I have at times wondered what all the hoopla regarding medical privacy was about. What is the harm in freely sharing patient information, and why is access to it so tightly regulated?

Privacy and Health Care is a collection of six essays on this difficult subject. Having been exposed to the different viewpoints and the reasoning behind them, I now have a much better understanding of the issues surrounding health care privacy. The most surprising revelation for me was the number of seemingly good reasons for allowing third party access to patient medical records. The relatively rare instances of harm coming to individual patients as a result of inappropriate disclosure would, on the face of it, seem like a reasonable price to pay for the overwhelming benefits to medical research and other legitimate uses.

Yet for all the purported benefits and efficiencies of such free access, the primary purpose of the health care system is to help the patients get better. If they avoid seeking much needed treatment for fear of medical disclosure, or do not feel free to be fully honest with their doctor about their conditions, then the health care system will fail in its primary role. And that is why preserving patient privacy is so important.

Book Review: Outsourcing Information Security

2008-12-11T21:07:00.010-05:00

Whenever the topic of outsourcing comes up, many find it difficult to think rationally. Much of the time, the decision of whether (and what) to outsource hinges on factors that are too difficult to estimate, and the hidden agendas or preconceived notions of the decision makers come into play.

Such is the case with most information security risk management decisions as well: subjectivity reigns. Combine the two together, and what do you get? The world of information security consulting firms and managed security service providers.

Outsourcing Information Security by C. Warren Axelrod is a very high level overview of this world. While the discussion is too shallow and generic to be of much use in a practical sense, it does serve as an introduction to the risks and rewards of outsourcing information security.

Book Review: Security Engineering

2008-11-17T13:07:00.014-05:00

For the past two months, I have been busy reading the 2008 Second Edition of Prof. Ross Anderson's Security Engineering: A Guide to Building Dependable Distributed Systems. It is, without a doubt, destined to become a classic and will influence my thinking on the subject for years to come. Although written at a level suited to non-specialists, the book has a lot of meat to it, and is packed with deep insight and wisdom gained from the author's years of real-world experience. I have been recommending the book to colleagues at work, and for those who are not willing to part with their hard-earned money, the first edition (2001) is freely available in electronic format from the author's web site.

Book Review: Against The Gods - The Remarkable Story Of Risk

2008-09-12T17:49:00.008-04:00

To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren't. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.

Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author's viewpoint is primarily from the perspective of risk to investments made on the stock market, the lessons learned are of value to security professionals as well. Contrasted with the sophisticated methods employed by financial institutions controlling their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable in comparison. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.

Book Review: Understanding UNIX/Linux Programming

2008-08-19T15:47:00.015-04:00

I've posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.

San Francisco Network Engineer Goes Berserk

2008-07-16T21:49:00.006-04:00

The news today is reporting that the City of San Francisco computer systems have been hijacked by a rogue network engineer. The highly-paid employee of the city's technical department had been exhibiting increasingly erratic behavior which culminated in his locking out all administrative access to the systems and refusing to divulge the password. The 43-year-old individual had been hired in spite of a felony record for aggravated robbery 25 years prior.

Two thoughts come to mind. First, the glaringly obvious: Knowingly hiring an individual with a criminal history for such a sensitive position was probably not a good idea. Second, it is essential to ensure that people in trusted positions are worthy of that trust. If ethics and work-life balance take a back seat to technical competence in a prospective job applicant's value system, wise employers look elsewhere.

Book Review: Security Metrics

2008-07-16T12:39:00.005-04:00

My Amazon review of Andrew Jaquith's Security Metrics: Replacing Fear, Uncertainty, and Doubt has been posted. I wasn't as enthusiastic about it as many others were, and in my review, I explain the reasons why. Nevertheless, I found the thorough discussion of security metrics useful enough to give the book three stars. Managers charged with running an effective information security program should check it out.

Verizon Data Breach Study

2008-07-03T21:13:00.007-04:00

Verizon Business Security Solutions has released a study of breach data from more than 500 forensic investigations conducted by their incident response team.

This is exciting because it represents an opportunity to examine trends from an objective data source instead of relying on the usual biased surveys and vendor-influenced trade publications. A fine example of the "new school" approach to information security.

Book Review: The Psychology of Information Security Awareness

2008-06-24T01:45:00.012-04:00

I've just posted a review of Timothy P. Layton's Information Security Awareness: The Psychology Behind the Technology on Amazon. There is a worthwhile premise within, but the book misses the mark by failing to build on it in any meaningful manner. You won't miss much if you read the "Coles Notes" version of this one.

Snooping on terrorists with BlackBerries

2008-06-17T16:51:00.012-04:00

The government of India wants to monitor messages sent over the BlackBerry wireless network, because terrorists could be using these handheld devices to coordinate attacks. They are demanding that Canadian vendor Research In Motion hand over "master decryption keys" (which are very unlikely to exist) or lower the encryption level from 256 bits to 40 bits, presumably so that the Indian government can recover the keys by brute force. What I don't understand is, wouldn't the terrorists use PGP to encrypt their e-mails anyway? Terrorist or not, who in their right mind would depend on a foreign vendor for something like this?

Book Review: The New School of Information Security

2008-06-14T20:12:00.021-04:00

One of the more interesting information security books I have read recently is The New School of Information Security by Adam Shostack and Andrew Stewart. You can read my four star Amazon review of the book. It is a quick, enjoyable read and definitely recommended.

Why information security is fascinating

2008-06-11T22:29:00.005-04:00

I read a lot. And I mean A LOT. At any point in time, I have dozens of technical books, white papers, journals, blogs, and news articles competing for my attention. Of course, I rarely get to them all, but I try to pick up at least one nugget of useful information from each reading session.

My father once told me that one should strive to know everything about one thing and something about everything. Words to live by, although neither part is achievable in any significant measure (well, I guess you COULD become an all-knowing expert in something trivial, but that wouldn't be satisfying).

The field of information security appeals to me precisely because it is so well suited to the pursuit of this ideal. It is a subject area of incredible depth and breadth. Take cryptography, for example. The art and science of secret writing has a rich history dating back all the way to the ancient Egyptians and Babylonians. The Greeks and the Romans used simple transposition and substitution techniques for military communications. Medieval cryptographers developed ever more sophisticated methods of encryption, yet each one eventually yielded to the ingenuity and sheer persistence of medieval cryptanalysts. Later came the age of machine cryptography, with the German Enigma being the most famous example. The first mechanical computer was invented to aid in the cryptanalysis of machine ciphers. The digital information age ushered in an era of computer cryptography, rendering manual and machine encryption obsolete.

One could write volumes on the history, theory, practice and applications of cryptography, yet it is only one small aspect of the much broader field of information security. Should you ever attain utter and complete enlightenment in all things cryptography, your immense intellect would not want for lack of additional pursuits. Authentication and access control. Physical security. Network and telecommunications security. Application and database security. Digital forensics and incident response. Malware research. Each represents a rich area of specialization and in-depth study.

Sadly, life is too short to get to them all.