News Flash: Security is an Architecture

Another “ground-breaking column” in Network Magazine (do we still say “in” when it is “on” the web page?). No, I am being unduly sarcastic. As I will suggest, it is not their problem, but ours. The column, by Art Wittman, is Security Is an Architecture, Not an Appliance. The premise: “The idea that security starts and ends with a prepackaged firewall is simply misguided.” His column is right on target. But don’t we know this already? (I suppose we do, but many people do not.) A search for “Firewalls are not enough” turns up 649 hits, including a paper I wrote that originally appeared in the Proceedings of the 17th National Computer Security Conference… in October 1994, and another I wrote—the cover story—for Information Security Magazine, “Firewalls: Are We Asking Too Much?” That was in May 1999.

What new information does Wittman’s column add? None, really. And to be fair, it is really just meant to be a lead-in to the magazine’s current issue (not sure what month—I cannot tell from their web page), which discusses host-based IPS technologies.

This seems to me to be part of the trends I related in “History Lost” and “The Same Old Drum Beat.” Yes, application-specific controls are needed. Yes, firewalls are not and never have been enough. Nevertheless, we apparently have communicated, and continue to communicate, to those with less clue than we have (see Seven Things to Help Keep Sanity and Equilibrium) that they are. I suspect, as I have for quite a few years, that the problem stems from the dilution of the network security clue-pool with those who took a course or two, got certified, and hung out a “security” shingle. As I rapidly approach a half-century of life, I am not suggesting anything radical. Just that the lack of practical experience may be part of the problem, and—as I suggest elsewhere—may be what leads us to repeatedly cover the same ground. I am not just ranting here, but I have no solutions to offer except that people do their homework. Some of our latest discoveries were already discovered many years ago.

Erling Jepsen wrote from Denmark with these observations and pointers:
I’m doing my master’s thesis on security aspects of service-oriented architecture (SOA) and this is one thing that I’ve started to wonder about myself. SOA introduces a new set of challenges to security. One is that organizations can no longer tie themselves down behind a DMZ, because the people who are accessing our data could be sitting inside or outside the organisation and because there would be external partners also requesting information – a whole new. The Jericho Forum calls this de-perimeterization.

In order for security to properly match the extra abstraction layer, which SOA has adhered to, it will itself have to rise – so I think formulating a security architecture would be interesting.

Just my 5 cents of comments (or 25 øre, as the equivalent is here in Denmark).
Thanks for the pointer, Erling. I had never heard of the Jericho Forum before.

Massive Credit Card Exposure

If you read any Internet-technology-based news, you know that a recent security breach may have exposed 40 million credit card numbers. The actual number is probably smaller. And I suspect that the so-called “security vulnerabilities in the processor’s systems,” according to MasterCard, will probably turn out to be well-known vulnerabilities or practices considered less-than-best.

So, what’s a person to do? Do you stop using MasterCard and use Visa? That is hardly practical. But, we can start demanding that credit card companies enforce high security standards with the companies that support them.

Bruce Schneier writes about it in his blog.

The Register’s story is here, and InfoWorld’s is here.

Pete Lindstrom from Spire posted a terrific column on Credit Card Numbers vs. SSNs.

Read Matthew Friedman’s comments and analysis in his securitypipeline column.


Audit Those PCs

Are file-sharing programs a security matter? Today, the Associated Press reports “Confidential Data From Japanese Nuclear Plants Leaks Onto Net”. The culprit was a virus-infected PC “loaded with file-swapping software.” It included “photos of power generation facilities and workers’ medical files–data that should not have been loaded onto a personal computer…”

No duh, as they say.

Have a policy about what is on your PCs, know what is on them, and deal with infractions.

Axel Eble blogged the following (at balrog.de/security/archives/2005/06/24/99_re-audit-those-pcs):
While I agree with what he says about having policies and dealing with infractions, current viruses and worms bring their own file sharing software. It’s not even necessary to have something pre-installed.
True, of course. I dashed the original off before leaving the office. I neglected to add that this is yet another example of where egress filtering in the firewall might have helped: a PC that can only reach the outside through sanctioned paths cannot quietly serve files to the Internet, whether the sharing software was installed by a user or dropped by a virus. Also, perhaps some of the things we discussed in January 2005 in Malware—the threat is real would help.
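To show what the egress-filtering point looks like in practice, here is an added example (not code from the original post or from any vendor): a default-deny outbound policy checked against constructed connection records. The networks, the proxy and resolver addresses, and the log format are all assumptions.

```python
"""Egress-filtering audit, added as an example; the policy, addresses and
log format below are constructed, not taken from any real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str     # source network allowed to use this rule
    dst: str     # destination network ("0.0.0.0/0" means any)
    dport: int   # destination port
    proto: str   # "tcp" or "udp"

# Hypothetical allow list: desktops reach the web only via the proxy, resolve
# names only through the internal resolver, and only the mail gateway sends SMTP.
EGRESS_ALLOW = [
    Rule("10.0.0.0/8", "10.1.1.10/32", 53, "udp"),    # internal resolver
    Rule("10.0.0.0/8", "10.1.1.20/32", 3128, "tcp"),  # web proxy
    Rule("10.1.1.20/32", "0.0.0.0/0", 80, "tcp"),     # proxy to the web
    Rule("10.1.1.20/32", "0.0.0.0/0", 443, "tcp"),
    Rule("10.1.1.30/32", "0.0.0.0/0", 25, "tcp"),     # mail gateway
]

def permitted(src, dst, dport, proto):
    """Default deny: a flow passes only if some allow rule matches it."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and r.dport == dport and r.proto == proto
               for r in EGRESS_ALLOW)

def audit(log_lines):
    """Return the flows the policy would drop; lines are '<src> <dst> <dport> <proto>'."""
    dropped = []
    for line in log_lines:
        src, dst, dport, proto = line.split()
        if not permitted(src, dst, int(dport), proto):
            dropped.append(line)
    return dropped

# Constructed sample: a desktop (10.2.3.4) using the resolver and proxy as
# intended, then a file-sharing client on that desktop talking directly to an
# outside host, first on a high port and then on port 80 to evade port blocks.
SAMPLE_LOG = [
    "10.2.3.4 10.1.1.10 53 udp",
    "10.2.3.4 10.1.1.20 3128 tcp",
    "10.1.1.20 203.0.113.7 443 tcp",
    "10.2.3.4 198.51.100.9 6881 tcp",
    "10.2.3.4 198.51.100.9 80 tcp",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG):
        print("would be dropped:", flow)
```

Because the desktop's direct port-80 connection is also dropped, the example shows why the rule has to be "only the proxy may talk to the web" rather than "block the known peer-to-peer ports".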

Suggestions from my Credit Card Company

I (almost) never read the extra pages included in my credit card bill. That is as true now, with electronic notifications, as it was with paper bills. But, I guess after the latest MasterCard news (mentioned here), I was doing more reading.

The company adds the following:
There are simple steps you can take to protect yourself from fraud while online, such as never sending personal or financial information by email. (We’ll never ask for it.) For more information, please review the recommendations of the U.S. Government and others at the following sites:
http://www.nipc.gov/warnings/computertips.htm
http://iisw.cerias.purdue.edu/home_computing/topten.php
Now, the NIPC one no longer works. NIPC disappeared (as far as I can tell) into the Department of Homeland Security. CERIAS is always a good bet for anyone interested in computer security. So, while I wish their list were more up-to-date (and I wish they pointed to my site :-)), I’m glad they are thinking about this. But then, most people do what I do and throw away those “extra” pages.


Marcus Ranum Interview

Colleague and friend Marcus J. Ranum is interviewed in this SecurityFocus piece.