
An all too familiar scene repeated itself two weeks ago. My good friend and CISO of a mid-sized technology company, let's call him Alok, went into a budget planning meeting and came out a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.

Like most managers, Alok started taking stock of his mini-empire and prioritizing things that he could do without. Luckily he had already expected a cut and so had planned ahead. Unluckily, he had planned for a 6% reduction, not a 15% reduction. After some brainstorming and some tough decisions he had cut costs by 10%. Now began his quest for the elusive final 5%. His organization had started the transition from being a network-security-centric organization to a more application-security-centric organization around 15 months ago. So, a solution proposed by one of his managers was to drop the security engineering process integration program and replace it with a set of static analysis tools they had just evaluated. This strategy had paid off handsomely for them in the network security field. Ron, one of the leading application architects in the organization, was opposed to the idea. Thus started a turf war, which left some angry, most frustrated and everyone confused.

Unlike most managers, Alok reached out for advice. Read more…

- Akshay Aggarwal

You’ve probably heard of the famous Heisenberg Uncertainty Principle in quantum physics. It states

“The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.”
--Heisenberg, uncertainty paper, 1927

This principle is related to the observer effect. In physics, the term observer effect refers to changes that the act of observation will make on the phenomenon being observed.

Ok, now to get to the point. Read more…

- Akshay


So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and that people have kindly consented to my posting. Read more…

- Akshay

So how do you take your average developer who scoffs at security from the careless and brash, aka Kevin, to the poster child for good development practices, aka Kevlarr? Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev team at Contoso, who are under attack from the League of Malware. Along the way they battle foes such as Spam Bot and Social Engineer while getting help from Vigil and Nforcer. Strip 11 of this interesting attempt to socialize security is below:

[Image: Microsoft SDL web comic, strip 11]

Socializing security is essential for organizations to drive a culture change from FUD to an understanding of security needs. People are the most complex part of the security puzzle. Most people take the easy way out and will avoid the things they fear or don’t understand.

- Akshay

One of the challenges that I have been focusing my team on this fiscal year is creating new solutions that leverage what Microsoft IT has learned in deploying technology and solving problems. Microsoft IT generally has to deploy new Microsoft technologies several months before they are generally available, in a process known as dogfooding. Often it needs to develop and deploy solutions multiple times as a product cycles from betas to release candidates to the released version. Customers will find solutions that leverage this deep expertise and experience useful in speeding up the architecture and deployment of their own solutions.

In this series Microsoft IT Solutions, I will be detailing some of this innovation coming out of Microsoft’s InfoSec group. The first of the series is Full Drive Encryption using BitLocker®. I asked Richard Lewis, Security Architect on my team & the creator of this solution kit to describe the BitLocker FDE solution. Here is his description:

The InfoSec team recently created and delivered the BitLocker Service Kit for the Core I/O Service Line under the Security, Identity and Access Management (SIAM) portfolio. SIAM is a portfolio offering from Microsoft Services.  SIAM is divided into six offerings that address particular security IT capabilities – the BitLocker Service Kit was created under the Enterprise Data Security Optimization IT capability. Read more…

- Akshay

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift: a logic bomb designed to take down 4,000 of the financial giant's servers along with their data. Since this news broke, a number of concerned CIOs have asked my team for guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks. Read more…

Today I had a thought provoking conversation with Dr. Peter Diamandis, Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance.

Arguably the Ansari X Prize (and others in the hopper) have achieved some breakthrough successes. Most notable achievements of the X Prize are:

  • Achieving fundamental advancement in technology using competition driven philanthropy
  • High rate of investment with respect to prize money. An example Diamandis provided was $100 million invested in Ansari X prize for a $10 million prize
  • Booster to commercial adoption resulting from the advancement made. An example is the rapid kick start of transatlantic commercial air services after Lindbergh’s successful attempt at the Orteig Prize in 1927

Now this brings me to a theme of recurrent conversation between my friend Eric Rachner and me. It is my belief that there has not been a fundamental change in the field of information security in the last decade. Read more…

- Akshay

Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past & form wisdom for the future. I am going to try and capture some of the learning during this new series Business During Downturn.

The past few months have convinced me that individuals and organizations that pay close attention to the basics fare better going into an economic downturn. In particular, establishing and maintaining the sanctity of the chain of trust is essential. Read more…

Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can't Find a Parking Spot? Check Smartphone. In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new system that will help detect empty parking spots downtown. Now clearly this is a step in the right direction, from both an environmental and a convenience perspective. I have spent a huge amount of time driving around San Francisco looking for a parking space, an experience that many of you may have shared. The city is investing $95.5 million in improving traffic conditions, though I'm not sure how much this pilot will cost.

"This fall, San Francisco will test 6,000 of its 24,000 metered parking spaces in the nation's most ambitious trial of a wireless sensor network that will announce which of the spaces are free at any moment.

Drivers will be alerted to empty parking places either by displays on street signs, or by looking at maps on screens of their smartphones. They may even be able to pay for parking by cell phone, and add to the parking meter from their phones without returning to the car."

The system will begin with a pilot of 6,000 parking spots. Each spot will have a sensor that monitors whether it is free or not. These sensors then form a network to communicate with each other. Drivers can access data on available spots through their smartphones. The city estimates that these sensor networks will last for around 10 years.

"To install the market-priced parking system, San Francisco has used a system devised by Streetline, a small technology company that has adapted a wireless sensor technology known as "smart dust" that was pioneered by researchers at the University of California at Berkeley.

It gives city parking officials up-to-date information on whether parking spots are occupied or vacant. The embedded sensors will also be used to relay congestion information to city planners by monitoring the speed of traffic flowing on city streets. The heart of the system is a wirelessly connected sensor embedded in a 4x4-inch piece of plastic glued to the pavement adjacent to each parking space.

The device, called a "bump," is battery operated and intended to last for up to 10 years without service. From the street, the bumps form a mesh of wireless Internet signals that funnel data to parking meters on to a central management office near the San Francisco city hall. "

A while ago, I had written (Increase the TCO, Kill the Project) about attacking systems not to violate data integrity or confidentiality but to increase the total cost of ownership (TCO). It would be interesting to see whether the sensor network deployed to monitor parking spots is vulnerable to attacks that aim to drain the sensors' batteries, thereby shortening their life span and increasing the TCO of the system. I have not tested this hypothesis, and I'm hoping that others don't either. Let no one stand between you and your parking spot.
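
The post above states a hypothesis and deliberately does not test it. What follows is an added back-of-the-envelope model of that hypothesis, not code or data from the original post, from Streetline or from the City of San Francisco: a duty-cycle battery model for a generic sleepy mesh node, used to show how forcing extra awake time translates into shortened battery life and extra hardware spend. The node profile (capacity, sleep and awake currents, normal duty cycle), the pilot size and the unit cost are all constructed assumptions, tuned only so that the undisturbed lifetime lands near the 10-year figure in the article; none of them is a measurement of any real "bump".

```python
"""Duty-cycle battery model for a sleepy wireless sensor node, to reason about
"drain the battery, raise the TCO" attacks on a mesh such as a parking network.

Added illustration, not code or data from the original post, Streetline or the
City of San Francisco. Every number in NodeProfile and in BUMP below is a
constructed assumption in the range typical of battery-powered mesh nodes, not
a measurement of any real "bump" device.
"""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365


@dataclass(frozen=True)
class NodeProfile:
    capacity_mah: float       # usable battery capacity, mAh (assumed)
    sleep_ma: float           # average current while asleep, mA (assumed)
    awake_ma: float           # average current with MCU and radio active, mA (assumed)
    awake_s_per_hour: float   # seconds awake per hour under the normal duty cycle (assumed)


# Constructed profile tuned so the undisturbed lifetime lands near the 10-year
# figure quoted in the article; the values themselves are assumptions.
BUMP = NodeProfile(capacity_mah=2400.0, sleep_ma=0.005, awake_ma=10.0, awake_s_per_hour=8.0)


def average_current_ma(p: NodeProfile, extra_awake_s_per_hour: float = 0.0) -> float:
    """Time-weighted mean current over one hour.

    extra_awake_s_per_hour models an attacker who forces the node to stay awake
    longer than its schedule, e.g. by transmitting frames it must receive and
    process (a "denial of sleep" attack). Awake time is capped at the full hour.
    """
    awake_s = min(3600.0, p.awake_s_per_hour + extra_awake_s_per_hour)
    sleep_s = 3600.0 - awake_s
    return (awake_s * p.awake_ma + sleep_s * p.sleep_ma) / 3600.0


def lifetime_years(p: NodeProfile, extra_awake_s_per_hour: float = 0.0) -> float:
    """Battery lifetime in years: capacity divided by mean draw (self-discharge ignored)."""
    return p.capacity_mah / average_current_ma(p, extra_awake_s_per_hour) / HOURS_PER_YEAR


def fleet_units(p: NodeProfile, nodes: int, horizon_years: float,
                extra_awake_s_per_hour: float = 0.0) -> int:
    """Sensor units that must be bought to keep `nodes` spaces instrumented for
    `horizon_years`: one per node per battery lifetime, rounded up."""
    return nodes * math.ceil(horizon_years / lifetime_years(p, extra_awake_s_per_hour))


def fleet_cost(p: NodeProfile, nodes: int, horizon_years: float, unit_cost: float,
               extra_awake_s_per_hour: float = 0.0) -> float:
    """Hardware-and-install spend over the horizon; unit_cost is an assumption."""
    return fleet_units(p, nodes, horizon_years, extra_awake_s_per_hour) * unit_cost


if __name__ == "__main__":
    # 6,000 pilot spaces over the 10-year planned life; $200 per installed unit is assumed.
    for label, extra in (("undisturbed", 0.0), ("60 s/hour forced awake", 60.0)):
        print(f"{label:>24}: lifetime {lifetime_years(BUMP, extra):5.2f} y, "
              f"units {fleet_units(BUMP, 6000, 10, extra):6d}, "
              f"cost ${fleet_cost(BUMP, 6000, 10, 200.0, extra):,.0f}")
```

Under these assumptions one extra minute of forced listening per hour cuts a ten-year battery to about a year and a half and multiplies the hardware spend over the planned life by eight, without the attacker ever falsifying an occupancy reading. Whether a real deployment is exposed depends on whether its radio protocol lets an unauthenticated sender keep a node's receiver on, which is exactly the question the model cannot answer and the post declines to test.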

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft's BlueHat Security Conference on October 16-17th. Sometimes when you go blue... you really go blue.

Over the course of the next few months my buddy Nitesh Dhanjani and I will be presenting our research on how the business, psychological and behavioral aspects of our virtual and real-world personas impact our security and privacy. In particular, I am excited about two aspects of this talk. The first is the opportunity to explore intelligence-gathering techniques that were previously available only to large corporations or TLAs (three-letter agencies). The second is to analyze the impact of our findings on the financial value of social networks and propose advances to current business models.

TITLE: Suddenly Psychic: Knowing Everything About Everyone

ABSTRACT:
Imagine a world where you can remotely influence other people's behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people's minds to influence their behavior.

Topics of discussion will include:

  • Techniques on how individuals may be remotely influenced by focused marketing and messaging tactics, and how criminal groups and governments may abuse this capability.
  • Reconnaissance and pillage of confidential information, including intellectual properties owned by businesses.
  • Falsified profiles used to construct undeserved reputation as well as the risk of reputation tarnish.
  • Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware. This topic will be extended to demonstrate the possibility of criminal abuse and the enablement of economic drivers.
  • Decreasing the value of social networks through data poisoning attacks.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented in addition to academic discussions and thoughts on how to enable the upcoming online social age.

Update: We will also be at Hack in the Box in Kuala Lumpur in October

Many enterprise customers are increasingly evaluating the benefits of infrastructure outsourcing (ITO) to their businesses. In the past year, several CIOs have expressed concerns around the impact to the security and privacy of digital assets resulting from infrastructure outsourcing. In this post I will discuss the business drivers and security concerns around ITO and propose safeguards that enterprises can consider.

The drivers for infrastructure outsourcing stem from the impact of global delivery and economies of scale driven by standardization.  Additional benefits can be had from consolidating and sharing power-hungry data centers located in regions better suited to service the data centers' unique power needs.

Non-technology companies have been early adopters of the ITO model so as to focus on core businesses rather than technology support. In particular, financial services and government organizations have experimented to various degrees with the ITO model.  I am also observing a trend for companies actively pursuing M&A activities increasingly turning to this model as well. Clearly ITO has multiple benefits to businesses and this market can be expected to see healthy growth in the next few years.

The ITO model does have some challenges when it comes to the risk an enterprise faces from letting a third party have access to its digital assets. The areas of concern include:

  • Regulatory compliance
  • Intrusion monitoring and prevention
  • Incident response
  • Validation of hosted environment
  • Adherence to corporate standards and policies
  • Liability resulting from an attack

While each organization will need to compare the benefits and risks of outsourcing, there are some safeguards that can mitigate the risk. I recommend that organizations examine the following third-party services:

  1. Technical Compliance Management (TCM): These solutions aim at defining, from an audit perspective, the IT controls that need to be maintained for an organization. They can then periodically collect evidence of compliance for each compliance condition. TCM solutions evaluate system states in order to measure the level of adherence to standards and policies.
  2. Security Deployment Assessments: These security assessments focus on evaluating the security posture of the infrastructure before any major system goes live. These may include checks against baseline configurations provided by the product vendors (like Microsoft's MBSA) and IT policies.
  3. Periodic Vulnerability Scans and Pen-tests: In order to verify that the current state of the system is relatively free of known issues, vulnerability scans and pen tests can be used. This is definitely a recommended step but does not supplant the need for a securely designed architecture.
  4. Managed Security Services: Some organizations have used managed security service providers to provide an additional layer of security to their outsourced infrastructure. These providers offer services including intrusion prevention/detection (IPS/IDS), firewalls etc. This may be difficult to negotiate with your vendor as it makes them dependent on managed security service providers. The trend will be for ITO providers and Managed Security Service providers to form strategic partnerships and offer comprehensive solutions.
  5. "In the cloud" services: These services encompass email spam filtering and anti-virus services for desktops. These can be used to bolster any existing ITO provider's offerings. Look for partnerships in this space as well.
  6. Performance Reviews and Availability Services: Availability is a cornerstone of trustworthy computing and cannot be overlooked in any risk-based discussion. Uptime will be a key metric for measuring the quality of service provided. Services like load balancing, stress testing and active performance monitoring will be crucial to the reliability of the service.
  7. Forensic Analysis: In case anything should go wrong, enterprises should invest in forensic analysis services to get to the bottom of an incident. This may also be needed from a liability perspective. It is generally advisable to identify a forensic analysis firm beforehand and brief them on operational aspects, to minimize the lead time needed to bring them up to speed during an incident.

Thanks to Roger Grimes and Mark Curphey for helping me create a more comprehensive list of solutions.
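
Items 1 and 2 above both come down to the same mechanic: take a snapshot of a host's state, compare it with a baseline of controls, and keep the result as evidence rather than as a one-off pass/fail. The example below is added to show that mechanic in working code; it is not code from the original post, from Microsoft IT, from MBSA or from any TCM product. The control ids, setting names, baseline values and the host snapshot are all constructed for illustration; a real run would collect the snapshot from the host (registry, services, package versions) and take the baseline from the organisation's own hardening standard.

```python
"""Evidence-producing compliance check of a host snapshot against a baseline.

Added example for the TCM and deployment-assessment services above; it is not
code from the original post, from Microsoft IT or from any TCM product. The
control ids, setting names, the baseline values and the host snapshot are all
constructed; a real run would gather the snapshot from the host and take the
baseline from the organisation's hardening standard.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List


def version_tuple(v: str) -> tuple:
    """'6.0.6001' -> (6, 0, 6001) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


# Predicate per check type: (observed, expected) -> compliant?
CHECKS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda obs, exp: obs == exp,
    "min_version": lambda obs, exp: version_tuple(obs) >= version_tuple(exp),
    "excludes": lambda obs, exp: not set(obs) & set(exp),   # no forbidden member present
    "max_value": lambda obs, exp: obs <= exp,
}


@dataclass(frozen=True)
class Control:
    control_id: str
    setting: str      # key looked up in the host snapshot
    check: str        # one of CHECKS
    expected: Any
    severity: str     # "high", "medium" or "low"


@dataclass(frozen=True)
class Evidence:
    control_id: str
    host: str
    observed: Any
    expected: Any
    compliant: bool
    severity: str
    collected_at: str  # ISO-8601 UTC timestamp of the evaluation


# Constructed baseline (ids and values are assumptions, not a published standard).
BASELINE: List[Control] = [
    Control("CTL-001", "smb1_enabled", "equals", False, "high"),
    Control("CTL-002", "os_patch_level", "min_version", "6.0.6002", "medium"),
    Control("CTL-003", "local_admins", "excludes", ["Guest", "svc_legacy"], "high"),
    Control("CTL-004", "password_max_age_days", "max_value", 90, "low"),
    Control("CTL-005", "disk_encryption", "equals", "bitlocker", "high"),
]

# Constructed snapshot of one outsourced host, as an agent or remote query might return it.
HOST_SNAPSHOT: Dict[str, Any] = {
    "smb1_enabled": False,
    "os_patch_level": "6.0.6001",
    "local_admins": ["Administrator", "svc_legacy"],
    "password_max_age_days": 60,
    # "disk_encryption" deliberately absent: evidence the collector could not obtain
}


def evaluate(host: str, snapshot: Dict[str, Any], baseline: List[Control]) -> List[Evidence]:
    """One Evidence record per control. A setting missing from the snapshot is
    recorded as non-compliant: absence of evidence must not read as a pass."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    records = []
    for c in baseline:
        if c.setting in snapshot:
            observed = snapshot[c.setting]
            ok = CHECKS[c.check](observed, c.expected)
        else:
            observed, ok = None, False
        records.append(Evidence(c.control_id, host, observed, c.expected, ok, c.severity, now))
    return records


def adherence(records: List[Evidence]) -> Dict[str, Any]:
    """Adherence ratio plus the high-severity controls that failed, for the report."""
    passed = sum(1 for r in records if r.compliant)
    failed_high = [r.control_id for r in records if not r.compliant and r.severity == "high"]
    return {"ratio": passed / len(records), "failed_high": failed_high}


if __name__ == "__main__":
    recs = evaluate("app01", HOST_SNAPSHOT, BASELINE)
    for r in recs:
        print(f"{r.control_id} {'PASS' if r.compliant else 'FAIL'} "
              f"observed={r.observed!r} expected={r.expected!r} [{r.severity}]")
    print(adherence(recs))
```

Two design points matter more than the predicates themselves. A setting the collector could not read is recorded as a failure with `observed=None`, so a broken agent or a host that was quietly rebuilt outside the standard shows up in the adherence figure instead of silently inflating it. And every record carries the observed value and a timestamp, which is what turns a scan into evidence an auditor, or a provider dispute over liability, can actually use.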


Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches, like threat modeling, have a higher ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea for their security problems. However, threat modeling may not be the solution to their immediate problems. Now I recognize that this may be a controversial statement.

Recently, I have been involved in several situations where organizations with their hearts in the right place have made threat modeling mandatory as part of the development process, with limited success. My point is that threat modeling as part of a mature SDLC is a desired end state, though not necessarily the initial step. Let's examine this argument.

Firstly, threat modeling depends on several elements of the SDLC being fairly mature. Most importantly, it depends on the requirements and specification gathering process being rigorous. Also, an enterprise must have well-defined standards and policies in place to act as input into the threat modeling process. Without these elements of the SDLC in place, the threat modeling process will be isolated and have a reduced impact.

Secondly, a threat model is only a security plan and is useless without committed follow-up action as part of development and testing. Most enterprises do not allocate sufficient time and resources to implement the findings of the threat model. A large portion of organizations don't even have a security assessment team in place. These teams are the consumers of the threat modeling process that actually carry out the most crucial task of reducing risk by implementing countermeasures.

Thirdly, it is practically feasible to create threat models only for new projects or those undergoing incremental changes. As a result, legacy applications do not benefit from threat modeling. This leaves a huge gap in the enterprises' risk profile.

Finally, most nascent application security programs need quick and demonstrable ROI. The ROI of the threat modeling process can take several months or even years to be quantifiable because it is an incremental process that is dependent on several other SDLC processes to be effective. There are other areas where investment can bring more immediate ROI. These areas include a security assessment team, security training for developers and the definition of countermeasures for common vulnerabilities.

For organizations with nascent application security processes, I recommend that they use the following framework to evaluate whether they are ready to adopt threat modeling:

  • Does a security baseline exist?
  • Is the SDLC process fairly well defined and followed during development?
  • Has the organization agreed upon countermeasures for common vulnerabilities?
  • Are developers trained to avoid common vulnerabilities?
  • Do developers do a self review of code for security vulnerabilities?
  • Does a security assessment team exist?

If the answer to more than two of the questions above is no then the organization is probably not ready for adopting threat modeling.


I will be presenting at the OWASP conference in Denver, CO this Tuesday, June 10th. The presentation will focus on the value that organizations, especially ISVs, can derive from threat modeling of line-of-business applications. For some time now, I've been brainstorming with my team on the competitive value of proactive security approaches like threat modeling. This presentation will empower business decision makers to make an informed decision on whether threat modeling is right for their business.

See you there.


After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, "Great!! Now where do I find another 20 people like these?" (pointing to my team)...

I thought about it for a while, so Mr. B, here is your answer: information security education has been pursued by tertiary institutions (i.e., universities) for several decades now. In 1999, the NSA got into the act and designated 7 universities as National Centers of Academic Excellence in Information Assurance Education (CAEIAE):

    James Madison University
    George Mason University
    Idaho State University
    Iowa State University
    Purdue University (no longer a CAE)
    University of California at Davis (I went to grad school here)
    University of Idaho

These CAEs are accredited for 5 years and have to reapply  for designation after that period. The CAEs were set up in an effort to promote higher education in information assurance, and in turn, increase the number of professionals with this critical expertise. NSA's establishment of this program was based on the growing demand for professionals with information assurance expertise in various disciplines.

The current list includes the original universities (except Purdue) and the following:

California State University, San Bernardino
Georgetown University
Southern Polytechnic State University
The University of Tennessee at Chattanooga
University of Arkansas at Little Rock
University of Denver
University of Missouri – Columbia
University of Nevada, Las Vegas
West Chester University of Pennsylvania
West Virginia University
Air Force Institute of Technology
California State Polytechnic University, Pomona
DePaul University
East Carolina University
New Mexico Tech
Northeastern University
Nova Southeastern University
Oklahoma State University
Polytechnic University
The University of Texas at San Antonio
Towson University
United States Air Force Academy
University at Buffalo, the State University of New York
University of Maryland University College
University of Nebraska at Omaha

Watch this space for more on information security education and where to find the right people.



I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday, May 29th. This webcast is part of the Microsoft IT Manager Webcast series, which aims to share deep knowledge focused on enterprise IT organizations and ISVs.

Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200)

Register Online 

Audience: Technology Decision Maker.
Duration: 60 Minutes
Start Date: Thursday, May 29, 2008 11:00 AM Pacific Time (US & Canada)

Event Overview

Join this webcast to learn how Microsoft IT’s Application Consulting and Engineering (ACE) team secures Microsoft’s internal business applications.  The ACE team will share state of the industry, application security challenges, and how application security fits into the development lifecycle for IT.  Learn about the ACE team’s methodology and processes developed in the areas of application security and performance optimization.

You can find more details here.
