
April 18, 2008

PayPal's Browser Preference Protects Consumers

While most consumers knock on vendor doors to raise awareness and demand better security, PayPal is flexing its muscle in a different way. It is going to force its users to use only approved web browsers. While this may seem disruptive, it is actually a rather old technique used by software vendors. Every piece of software you buy today, consumer or enterprise, comes with a list of approved and required components. If the user chooses a non-approved configuration, the vendor denies support. This is a natural progression of the Internet. Such demands not only protect the service provider's bottom line but, in the long run, also protect the consumer. That is exactly what PayPal is doing, and this is good business for everyone.

The next disruptive technology to hit consumers and enterprises will be the single-site browser. This will be web browser-like client software that can do nothing but talk to a single website. Think of it as a traditional client/server application. If you need to use your financial system, you launch browser X; if you need to use the ERP system, you launch browser Y. At one end of the spectrum, this feels like a 10-year step backwards in user productivity and IT operations management. In all likelihood, though, what we will see is still a single browser, but one that is intelligent enough to lock all network traffic to a single known and trusted site. In this scenario, the user would need to log off and switch context between system X and system Y, while the browser ensures no errant information gets transmitted to any other system.

Can it be pulled off? Given the very open nature of the Internet and HTTP, it's rather easy to make web traffic look as if the user is using Internet Explorer instead of Firefox. Exactly how, and whether, service providers act on this initiative will be interesting to watch. We do already have one other service for comparison. iTunes from Apple is essentially the same situation: if a user wants to use the iTunes music store, they need to use iTunes. So far, that limitation hasn't seemed to limit Apple's revenues.

So what about the openness of the Internet? What about the market created by the browser wars? Are we going to see fewer browsers? Look at it this way: the more we demand features and functionality, the more the market will evolve.

April 8, 2008

nCircle at RSA This Week

nCircle is at RSA this week and we have remote control helicopters. Let's face it, people like to get free stuff at conferences. So come by the booth and learn how to get yourself one of these very cool RC helicopters.



And while I have your attention, we also have two employees speaking this week.

When: Friday, April 11 at 9:00 AM - 9:50 AM
Title: Using Game Theory to Outmaneuver Your Opponent
Location: GREEN ROOM 102
Speaker: Tim Keanini


Technology Showcase Presentation
When: Wednesday, April 9 at 11:30 AM
Title: Effective Scanning for Production Web Applications
Location: Booth 2603 (lower right corner of the show floor)
Speaker: Tim Erlin

March 28, 2008

Defining America's Most Trustworthy Companies

In Newsweek, Daniel Gross said there is a growing "crisis of confidence" when it comes to Wall Street. The evidence is readily available: the fall of Bear Stearns, the subprime mortgage mess and consumer confidence declining to new lows. For the second year, Audit Integrity provided its annual data to Forbes, which published it as the list of the "most trustworthy companies". Audit Integrity claims to have an objective means of analyzing a company to deliver an accounting and governance risk score. Simply stated, that means something like, "those companies that play by the rules and take few risks when it comes to creative accounting get a higher score". A higher score is supposed to equate to a higher level of trust.

While it's the market data that gets the majority of the headlines these days, it's the careful choice of words now being used that gets my attention. Words like: confidence, trust, trustworthy, fear. Sound familiar? They are the exact same emotional words we use in information security.

And while this blog isn't intended to discuss financial market stability, it is about risk management. For us in the information security world, open your eyes: there is a giant event happening outside the bubble of your office. Trust is at an all-time low. If you've been in any services-oriented group, infrastructure or operational setting for a while, you've probably already witnessed what happens when trust is lost: it's never regained to the levels it once was.

To accept a vendor's information security practices is, to some degree, to say, "I trust you". Is that an accurate description of what just happened? Or are you, as the person held responsible for ultimately keeping your company's information secure, actually thinking,

"Our information security due diligence process that took months (and way too much money) derived some kind of fallible rating that didn't fall into the bottom of the failure category. As such, we can do business, but I'm going to hand over reams of documents and disclaimers to some legal team which now has the job of limiting our risk by contractual risk avoidance disclosures".

We don't enjoy apathy or lackluster personal performance. And we don't relish the requisite current toolset either. Yes, we have regulation. Yes, we have defined standards, and we also have auditors, reports, disclosures and exceptions. And yes, we are supposed to use all that to give the business guidance in determining the best route to deliver the upside, reduce risk and keep costs down.

While Audit Integrity's list of America's Most Trustworthy Companies might seem hard for an information security professional to grapple with, the idea itself gives this infosec person hope that one day I might see a similar list of America's Most Secure Companies. Though infosec still has many years of maturing to do before we can start deriving standards-based scoring anywhere on par with the financial models, hopefully we can learn from this crisis of confidence and not repeat history.

March 6, 2008

Will iPhone 2.0 be Enterprise 1.0 Ready?

Undoubtedly you've heard about the iPhone SDK. While Apple DDoSes its own developer site with thousands of people trying to download the SDK, enterprise security managers are bracing for round 2 of iPhone security vs. the yearning corporate executive.

Putting myself in its proper place

Let's face it: the shiny objects at today's town hall meeting weren't the Exchange integration or the remote wipe feature. It was all about applications and their sheen. Salesforce.com, Electronic Arts, Sega and AOL all steered today's focus away from enterprise security and into Apple's foray of cool. Let's also face it: enterprise security is only fashionable for a very small target audience. I'm in the minority.

Obviously, though, the minority does have a voice with Apple. Engadget's live blog of today's event shows Phil Schiller taking the stage at 10:04 AM. By 10:19 AM he was done demonstrating all the enterprise integration and security. The enterprise voice lasted 15 minutes; the SDK and iPhone apps from third-party developers went on until 11:03 AM.

Does Apple really get it?

Does Apple really understand what it takes to sell something to an enterprise? An enterprise has tens of thousands of IPs, hundreds of network ingress and egress points, and thousands of ways for intellectual and private property to be stolen. Let us not forget the deluge of regulations, oversight committees and conformance to hundreds of international governance restrictions. Most enterprises are not running in a resource-positive mode with overflowing headcount sitting idle, eager to consume another mobile device. In order for the iPhone to make headway in the enterprise, it will have to displace an existing technology. The most likely candidate for the smartphone junk drawer is the Windows Mobile device, not the BlackBerry.

RIM is here to stay

Phil Schiller's slide showing the 'old' Exchange integration vs. the new method was clearly meant to show ActiveSync's dominance over GoodLink and BlackBerry. Both of those 'inferior' technologies require an intermediary server, whereas ActiveSync is a direct push technology. However, BlackBerry enterprise managers look at it quite differently. They see the BlackBerry Enterprise Server not as a stumbling block, but as a full-fledged, necessary component of the overall mobile device risk management solution.

Apple trusts Microsoft?

How many Mac vs. PC advertisements have you seen? Isn't the PC bloated, a Petri dish of viruses, and representative of everything uncouth? But here is the catch: while we wallow in wait for Apple to release the nitty-gritty of how the iPhone enterprise security controls function, Phil Schiller shows a slide that's right out of the Microsoft ActiveSync security deck. Could the iPhone's enterprise security offering be nothing more than an adaptation of the Windows Mobile security options? If that is the case, Apple, in some strange twist of events, will be relying on Microsoft for security conformance.


Whatever might happen, I, like hundreds of other security managers, reached out to my user base today. We all sent the predictable email out to the entire company reminding them that, despite today's town hall meeting, the iPhone is still not an approved device (not yet).


March 5, 2008

Do Your Vendors Have Information Security That's Aaa Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets, investors rely on analyst reports and metrics, often referred to simply by the name of the company providing the metric: Moody's, Morningstar, Fitch and others. For an investor, these rankings and metrics generally weigh heavily in decisions. However, we have no security index or rating system. If, as a consumer, you had a choice between loans from two companies with different security index ratings, you might think twice. Would you want to risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will soon be announcing its own Vendor Information Risk Rating Service. That is according to this article in CSO Online.

As a security manager, I can't wait for the day when this tactic is mainstream. The amount of time, resources and lost opportunity given to individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more so, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

September 10, 2007

Free Lunch :: ReCAPTCHA

Product Information


Name: ReCAPTCHA
Website: http://recaptcha.net/
Category: Stopping the Bots
Date: 10-Sep-07

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

The onslaught of bots and spammers gave birth to a new tool to differentiate human from android. Alan Turing would be proud to see just how much technology we have devised. One such technology is the CAPTCHA: the graphic of text and numbers we need to type in order to sign up for a service or comment on a blog. ReCAPTCHA uses this technology to solve more than one problem.

On May 24th 2007, Carnegie Mellon announced a new method to improve the transformation of printed text into digital form. ReCAPTCHA's motto, "Stop Spam. Read Books", describes it best. The idea is simple and elegant. Using the familiar CAPTCHA system, it presents the user with both a known and an unknown CAPTCHA graphic. The user, not knowing which is which, enters the text for both. If the user correctly solves the known CAPTCHA, then the CMU system assigns a high probability to the user's reading of the unknown picture. While digital scanners and OCR have advanced, there are still cases where humans are needed to translate graphics into text. ReCAPTCHA is one method to solve this problem.

Besides helping out the CMU book digitization project, ReCAPTCHA has a unique technical upside: nothing is stored on your server. Many of the existing CAPTCHA systems require a server-side process to generate and store graphics. Instead, ReCAPTCHA uses a public/private key system with a client-server architecture to track challenges and tokens.
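To make the known/unknown pairing concrete, here is an added toy model of the server side (my own illustration, not reCAPTCHA's code): a control word the server can verify is paired with a scan word it cannot, in random order; the answer passes only if the control word is right, and a passing answer then counts as one vote for the scan word. The class name, the single-use token, the vote threshold and the sample words are all assumptions; the word text stands in for the graphic a human would read.

```python
import random
import secrets
from collections import Counter, defaultdict


def normalize(word):
    """Humans vary case and spacing; compare transcriptions loosely."""
    return word.strip().lower()


class RecaptchaModel:
    """Toy server side: pairs a control word with an undigitized scan word."""

    def __init__(self, known_words, unknown_words, votes_needed=3, seed=None):
        self.known = list(known_words)        # words the server can already verify
        self.unknown = dict(unknown_words)    # scan id -> what the image shows (stands in for the graphic)
        self.votes_needed = votes_needed      # agreeing readings required before a word is trusted (assumed)
        self.rng = random.Random(seed)
        self.votes = defaultdict(Counter)     # scan id -> tally of readings from verified humans
        self.resolved = {}                    # scan id -> accepted transcription
        self.pending = {}                     # one-time challenge token -> (control, scan id, swapped)

    def issue(self):
        """Build a challenge of two words in random order; the user cannot tell which is the control."""
        control = self.rng.choice(self.known)
        if self.unknown:
            scan_id = self.rng.choice(sorted(self.unknown))
            other = self.unknown[scan_id]
        else:                                  # nothing left to digitize: serve two known words
            scan_id, other = None, self.rng.choice(self.known)
        swapped = self.rng.random() < 0.5
        token = secrets.token_hex(8)
        self.pending[token] = (control, scan_id, swapped)
        return token, ((other, control) if swapped else (control, other))

    def verify(self, token, answer):
        """Pass only if the control word is right; a passing answer also votes on the unknown word."""
        entry = self.pending.pop(token, None)  # single-use token: a replayed answer is rejected
        if entry is None:
            return False
        control, scan_id, swapped = entry
        parts = answer.split()
        if len(parts) != 2:
            return False
        given_control, reading = (parts[1], parts[0]) if swapped else (parts[0], parts[1])
        if normalize(given_control) != normalize(control):
            return False                       # failed control: no credit and no vote recorded
        if scan_id is not None and scan_id in self.unknown:
            self._record_vote(scan_id, normalize(reading))
        return True

    def _record_vote(self, scan_id, reading):
        tally = self.votes[scan_id]
        tally[reading] += 1
        if tally[reading] >= self.votes_needed:
            self.resolved[scan_id] = reading   # enough humans agree: the scan word is digitized
            del self.unknown[scan_id]
            self.known.append(reading)         # and it can now serve as a control word
```

A bot that guesses cannot tell which word is the control, so a wrong guess on either word costs it the challenge, while a correct human answer advances the digitization by one vote.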

Product Rating: Features / Ease of Use / Documentation / Community / Overall

Overall, ReCAPTCHA is an interesting implementation of a CAPTCHA system. While its use may not be directly apparent in your security architecture, consider using it anywhere you want to increase the likelihood that there is a human on the other side of the conversation. nCircle recently implemented ReCAPTCHA on our blog, and I'd recommend others do the same.
Enjoy the free lunch.

Additional Resources

What is CAPTCHA and how does ReCAPTCHA work

ReCAPTCHA API documentation

ReCAPTCHA and CMU Press Release


September 6, 2007

The Security Trickle Down Effect

Sarbanes-Oxley, ISO 27002, GLBA: what do they all have in common? Yes, each contains, at least in part, an information security standard or regulation. From an applicability perspective with respect to business size, relatively few small or medium-sized businesses are directly mandated to conform to these or other standards and regulations. Even though mandated standards apply to the upper end of medium-sized businesses and to large businesses across the board, smaller companies are still being affected by a trickle-down movement.

The trickle-down effect was originally coined as a marketing term to describe the availability of consumer goods among socioeconomic classes. As new, highly desired products were put on the market, their initial high price tag meant only those with discretionary cash could afford them. Over time, as the price drops, the product penetrates all markets, trickling down to its full market reach. Those familiar with Reaganomics will find the term "trickle-down economics" a common piece of rhetoric: providing more working capital to the top-tier businesses trickles cash down to the lower working class. Many other trickle-down models have been explored; one which seems to be in play today is that of information security.

The typical profile of an nCircle customer is a multinational, global enterprise or a local, state or federal government agency. These are the entities at which regulations like SOX, FISMA and GLBA are targeted. It's also the same subset that employs standards such as COBIT and ISO 27002. Each of our customers has lengthy contractual security agreements that each of their vendors must adhere to. These in turn have been driven by their required regulations and standards. nCircle likewise returns the effort by ensuring its vendors employ meaningful security measures. The outcome is a security trickle-down effect.

Selling to these enterprise and federal organizations has altered the way my team addresses security at nCircle. While our strategic and tactical methods for controlling risk met every stipulated requirement, we lacked organized and fresh documentation. Today, our policies, procedures and records are much better kept. We have an official InfoSec team, executive-approved SLAs and up-to-date standard procedural documentation.

What's more interesting are the ways in which our customers' requirements influence nCircle's vendors. Any potential vendor to nCircle must disclose its information security practices to us. We take a graduated approach depending on what information the vendor may have access to. Depending on the risk the vendor might pose to us, and likewise to our customers, the vendor must answer anywhere between 20 and 100 questions before being evaluated by the InfoSec team. We are proud to see these vendors step up their own information security practices to meet our requirements.

While it might sometimes be hard to look beyond the security breaches of Fortune 500 companies and federal agencies to see that security is moving in a positive direction, the same is still said of the Reaganomics era. The actions of our customers, of nCircle and of our vendors when it comes to driving information security can, to some degree, be attributed to a trickle-down effect. There is no doubt in my mind that a handful of our vendors would be left behind if it weren't for them wanting nCircle's business. The technical tools, policies and procedures that a company uses to reduce risk are still a valid competitive value-add. Security is getting better, and one driving factor is the trickle-down effect.

August 6, 2007

Response to iPhone security concerns exaggerated

MacWorld recently published an article stating that analysts have exaggerated the security concerns of the iPhone. Some of the statements in the article regarding the security of the iPhone and the overall security of mobile computing deserve further commentary. While I, for one, have taken it "on the chin" for not jumping on the I-Heart-The-iPhone bandwagon, the purpose of this follow-up is to set the stage for an open discussion of overall smartphone risks to the enterprise.

(Those statements printed by MacWorld and in the voice of Andrew Jaquith are quoted below).


Policy Always Includes Security

"There are reasons not to support the iPhone - you don't want to support IMAP or the flavor of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."

Policy, whether or not it is directly related to security, must always include risk and thus security. It may be policy that your supported IT applications don't include specific types of VPN or email connectivity by IMAP, but to take security completely off the table when talking policy is shortsighted.

Sensitive Data is on the Device

One argument researchers have against the iPhone is that it has no data security features. Jaquith counters that the iPhone does support SSL and TLS and there is little sensitive data on the iPhone that needs to be encrypted.

When it comes to information security, it's far better to assume that the iPhone will enter the enterprise network and that users of all types will store sensitive data on the device. Looking at the iPhone from a non-business perspective, users are sure to store private data on the device to reduce the complexity of their own lives. Items such as an ATM PIN, passwords, social security numbers, a voicemail password and more are all commonly found on cell phones. Let us not forget the Paris Hilton incident years ago, when the data on her Sidekick was stolen. Turning to the iPhone as a business enabler, certainly the email and contacts of any business are confidential and may be considered competitive information. It's certainly better to assume data encryption is required than to learn the hard way later.

Gartner's Dulaney pointed out that the iPhone doesn't have remote wipe (the ability to wipe the phone's data if lost) and it doesn't have a firewall. Again Jaquith said it just doesn't matter because of the type of data the iPhone has on it and none of the iPhone's processes require open TCP/IP ports.

How does the absence of listening ports on a device make the lack of remote administration tools less of an issue? Gartner is correct here: the lack of any centralized and remote policy enforcement for the iPhone makes it a considerably less valid option for enterprise smartphone usage. Furthermore, when examining the currently released landscape of iPhone vulnerabilities, all exist in the MobileSafari web browser. Client-side exploitation does not require the device to have open ports, nor will a firewall provide any mitigation.

Security Thru Obscurity

The Yankee Group also contends that opening any needed ports to allow email connections not going through VPN can be done on non-standard ports, minimizing any risk.

Moving standard services to non-standard ports is not an accurate risk reduction methodology. Discovering IMAP bound to an odd port is an extremely easy job for readily available free tools. Scanning all 65,000+ ports takes less than a day, and once you have the data, it's just as easy to redirect all your remote attack tools to a different port.

Custom Apps and File System Access

In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.

Despite great demand for an iPhone SDK, Apple instead chose to deliver a fully functional browser called Mobile Safari. According to Apple, this permits developers to write full Web 2.0 AJAX applications. The downside is that third-party security vendors also can't deliver the applications the enterprise desires, namely integrated applications including AV, anti-spyware, data encryption and firewall. Furthermore, access to the file system on an iPhone is now relatively easy: anyone with physical access to the device can run a free tool called Jailbreak. We also recently learned, from the research by Charlie Miller and his team at ISE, that all applications run as root. This means that once an application is exploited, the injected code has access to all applications and data on the iPhone.

Summary

"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."

The iPhone and all smartphones on the market today are incredibly powerful devices. These pocket computers rival the computing power of the most powerful devices of just 10 years ago. Security worries about any smartphone should not be taken lightly. While the iPhone may just be the latest device to hit the market, how the enterprise decides to take full advantage of mobile computing is a much more important topic.

To learn more about my top list on managing smartphones, read my prior post on "Supporting smartphones in the Enterprise".


July 31, 2007

nCircle at BlackHat

Quick note for anyone at BlackHat this week.

nCircle is a sponsor at BlackHat USA 2007. There is a contingent of us at the show. Stop by the booth and say hello.

July 27, 2007

Classified Information Leaked By Way Of P2P Apps

Network lockdown checklist

Firewalls in place? Check
IPS functional? Check
Antivirus? Check
AntiSpyware? Check
Everything patched? Check
Centralized log management? Check
...
Highly sensitive confidential information leaked over P2P? Check!

NetworkWorld reports that numerous classified government documents, along with corporate confidential information, are being leaked through peer-to-peer networks. Included in the list of documents found are "The Pentagon's entire secret backbone network diagram, complete with IP addresses" and "physical terrorism threat assessments for three major U.S. cities". The fright night doesn't end there; many corporate documents were also discovered, including board minutes, launch plans, growth targets and patent information.

Their networks are set up well, but their configuration management is Swiss cheese

Too much energy is being spent on network perimeter defenses. Those who still believe that a good perimeter wall solves the problem need look no further for proof to the contrary.

Eric Johnson is a professor at the Center for Digital Strategies at Dartmouth College who testified before the House Committee on Oversight and Government Reform regarding this issue of inadvertent information disclosure.

Quoting from the NetworkWorld article:


"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said.

Mr. Johnson paints the picture perfectly: the problem is not with the networks, but with the overall configuration and compliance strategy. There is a classic use case in managing PCs that proves the difficulty of the situation.

The use case

The IT department configures and deploys systems based on a common operating environment. This includes hardware, an operating system and software, all configured to a known gold standard. When that device leaves the hands of IT, it instantly changes, and it changes in many unpredictable ways. Even with a good set of centralized administrative controls like Group Policy Objects on Windows, extraneous business needs lead to weaker controls. For example, many enterprises permit users local administrator access to the system in order to install patches or run legacy applications. Not to mention that not every organization is running Windows Server 2003 with Vista on the endpoints. These reasons and many others open the door for people to install applications, make changes and quickly diverge from the IT gold standard.

Continuous Compliance

Beginning with the gold standard is a must, but more importantly, once the device leaves the nest of IT, it must be continuously monitored. This is one job of the vulnerability, configuration and compliance strategy.

According to the story at hand, the information was inadvertently leaked using peer-to-peer file sharing applications. If the device had been under continuous configuration monitoring, then an application such as LimeWire or Kazaa would have been discovered and reported to the security operations team for investigation.
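As an added illustration of the gold-standard comparison described above (my own example, not nCircle's product code), the following compares each host's reported inventory against a baseline and raises findings for unapproved software, unexpected listening ports and local administrator rights, rating file-sharing clients like those in the story as high severity. The report format, the baseline contents, the host names and the list of P2P markers are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed gold standard; a real one would be derived from the IT build image.
GOLD_STANDARD = {
    "os": "Windows XP SP2",
    "approved_apps": {"Microsoft Office 2003", "Symantec AntiVirus", "Adobe Reader 8"},
    "expected_listeners": {135, 139, 445},      # TCP ports the standard build listens on
    "local_admin_allowed": False,
}
# Substrings that identify file-sharing clients (the two named in the story plus assumed others).
P2P_MARKERS = ("limewire", "kazaa", "bearshare", "edonkey")


@dataclass
class HostInventory:
    host: str
    os: str = ""
    apps: set = field(default_factory=set)
    listeners: set = field(default_factory=set)   # TCP ports with a listening service
    local_admin: bool = False


def parse_inventory(text):
    """Parse the constructed report format: blocks of key=value lines, one block per host."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "host":
            current = HostInventory(host=value)
            hosts.append(current)
        elif key == "os":
            current.os = value
        elif key == "apps":
            current.apps = {a.strip() for a in value.split(",") if a.strip()}
        elif key == "listeners":
            current.listeners = {int(p) for p in value.split(",") if p.strip()}
        elif key == "local_admin":
            current.local_admin = value.strip().lower() == "yes"
    return hosts


def assess_host(inv, baseline=GOLD_STANDARD):
    """Return (severity, message) findings for every way the host drifted from the baseline."""
    findings = []
    for app in sorted(inv.apps - baseline["approved_apps"]):
        p2p = any(m in app.lower() for m in P2P_MARKERS)
        kind = "file-sharing client" if p2p else "software"
        findings.append(("high" if p2p else "medium", f"unapproved {kind}: {app}"))
    for port in sorted(inv.listeners - baseline["expected_listeners"]):
        findings.append(("high", f"unexpected listening port: {port}"))
    if inv.local_admin and not baseline["local_admin_allowed"]:
        findings.append(("medium", "user holds local administrator rights"))
    if inv.os != baseline["os"]:
        findings.append(("medium", f"OS build differs from standard: {inv.os}"))
    return findings


def assess_report(text, baseline=GOLD_STANDARD):
    """Map each host name to its findings; an empty list means the host matches the gold standard."""
    return {inv.host: assess_host(inv, baseline) for inv in parse_inventory(text)}


# Constructed sample report: one conforming laptop and one that drifted after leaving IT.
SAMPLE_REPORT = """
host=lt-0117
os=Windows XP SP2
apps=Microsoft Office 2003, Symantec AntiVirus, Adobe Reader 8
listeners=135,139,445
local_admin=no

host=lt-0342
os=Windows XP SP2
apps=Microsoft Office 2003, Symantec AntiVirus, LimeWire 4.14
listeners=135,139,445,6346
local_admin=yes
"""
```

Running `assess_report(SAMPLE_REPORT)` returns no findings for lt-0117 and three for lt-0342, which is the report the security operations team would receive for investigation.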

This is the latest security challenge, and every organization must address the possibility of losing confidential information and intellectual property. Continuous monitoring has to be one component of a layered, proactive strategy.