Archive for August, 2008
Like many others, I was surprised by McCain’s selection. I’m not sure that I would have advised it, but he did not call me. Googling for Sarah Palin brings up this interesting site, stating that she started her career as a hacker (of sorts…):
Sarah Palin, a libertarian and hockey mom from the fast-growing suburbs of Anchorage, began her political career — as an appointed member of the state’s Oil and Gas Commission — by hacking into the computer of another commissioner, Randy Ruedrich, chairman of the Alaska Republican Party. Palin was seeking the evidence that she would eventually use to charge him with an improper relationship with lobbyists. (Ruedrich would later settle state ethics charges against him by paying a $12,000 fine.)
Wired clears Sarah and explains that she was performing this act as part of her duty as chairwoman of the Oil and Gas Commission and its ethics supervisor.
We’ve seen hackers transformed, but we never had one (correct me if I’m wrong) turned into a candidate for Vice President of the United States.
We often find ourselves discussing the evolution of threats on the Internet. What began as a nuisance of resource-wasting websites evolved into mischievous, server-crashing hacking, which in turn evolved into real theft of data and resources. What started as scripts sent over email has evolved today into a complex ecosystem of insiders who get lured by emails into installing backdoor applications, zombies and key loggers. It is always interesting for me to see how nature resolves such issues in other systems, naturally (I apologize, I had to).
Why is it important? Perhaps it isn’t. But it always seems to me that nature tends to find the best (most cost-effective) steady state that is achievable. Seek a better solution? Okay, but you will have to change the rules!
A recent Animal Planet special got me thinking about hacking in wildlife. Specifically, it was a story about the cane toad (Bufo marinus), which was introduced into Australia in the 1930s to help combat a beetle that was eating the crops. As usual in these cases, since the toads have no natural predators there, the toad population grew out of control. It is a problem of grand proportions that is sometimes referred to as the bane of Queensland.
Cane Toad (nice picture from frogwatch)
The cane toad is poisonous. The toad has glands on its back that secrete bufotoxin, a very potent poison that can kill or cause severe irritation in humans. Since it was newly introduced to Australia, it should take evolution many generations to develop an animal that can withstand the poison. Shouldn’t it?
Enter the crow. In Queensland, it has been observed that some crows have figured out the answer. Since the poison is on the toad’s back, the crows carefully position themselves behind the toad and use the toad’s legs to flip it onto its back. At that point, they can use their beaks to puncture the soft underbelly and eat the tasty toad insides. As long as they stay away from the toad’s back, they are safe.
Crow and Raven
Which crow was the hacker that figured it out we’ll probably never know, nor how it worked out the solution. But once that first crow figured it out, other crows watched and learned. And now word has passed to other crow communities across Australia. Australians now have a natural way to fight the menace of the cane toad (in addition to cane toad golf, cane toad cricket and other human inventions).
We build defenses and hackers find ways around them. Toads build defenses and crows find ways around them. Perhaps the term “cat and mouse” should be re-evaluated as “toad and crow”.
BTW – in 2007 a group of crows in Australia’s Northern Territory (NT) were spotted eating cane toads using another method: picking them up carefully by the leg, flying up with them and killing them by throwing them to the ground. Cane toad vulnerability #2 discovered. It seems that hackers in the natural world are everywhere. Toads beware!
The lack of clear communication between departments never ceases to amaze me. I have spent considerable time translating security requirements between different groups of the same organization. Security requirements have a propensity for corruption: I have countless examples where what the CEO wants is rarely aligned with what the security team delivers.
Of the different security disciplines, information security, and specifically classification, is the one requirement that tends to get corrupted the most and might seem almost out of reach to many.
My early career centered around the military. In those days, security was part of the fabric of day-to-day operations. Documents had to be labelled according to their classification, and if you left a classified document on a desk, you risked being fined or thrown in jail for a few days. Security was a well-communicated requirement and considered a necessary cost of doing business. Security operations would throw you in jail. However, it was the ‘business’ that set the goals.
Classification was decided and owned by the business owners (operations), who had an acute awareness of just how valuable the information was to the tasks at hand, and to the competition (in this case, the enemy). Classification was based on the level of damage that releasing the information would cause (be it financial, operational, information gathering or other).
(Note: For more information about national security classification practices, visit the Information Security Oversight Office or download their interesting Marking Classified National Security Information booklet.)
Organizations, which now see their competitive edges blunted ever more rapidly, are taking notice. CIOs, CISOs and others are being tasked with producing information security practices that achieve similar results within commercial industry. A CISO colleague remarked that the CEO wanted their company to be “more like Apple”, alluding to the iPod manufacturer’s well-known secretive culture. But, he also confided, no one seemed to agree on which of the terabytes of information was confidential.
In the best of cases, I work with CISOs who are tasked with figuring out how to carry out a classification exercise effectively. In many cases, however, the work is relegated to a security practitioner who might have the technical understanding but has yet to understand how exactly the business earns a living. With little buy-in from the business owners, the latter effort is doomed to fail.
Classification efforts must be owned and led by the business owners and should take into consideration the risk to the business. Security departments can and should assist by creating the nomenclature, infrastructure, processes and systems required. Systems can and probably should be used to assist, but they cannot replace the business owner in assigning risk to data or data types. I will discuss how systems can be used to facilitate faster classification in a separate post.
Many CISOs also find that business owners are reluctant to assist. Business owners have a justification: in many cases communication breaks down between the business owner and the security team. Language differences and top-down vs. bottom-up viewpoints all contribute to this, and some CISOs use business-savvy personnel or consultants to conduct discussions with the business owners. Over time, and with delivery of relevant solutions, business owners will have a reason to participate more freely with security teams.
Some security organizations have come to terms with the importance of maintaining business ownership of security requirements and have implemented a vertical organization that spans senior management (head in the clouds) to security analyst (feet on the ground), allowing full top-level access to the business owners as well as direct influence on the technology and operations side of the house. This organizational structure allows the security organization to get the real requirements from management and deliver effective solutions that answer corporate needs. For these organizations, the road to classification is much clearer.
We have known each other for many years; we also worked together, and some of us (read: me) chose a different path while others (read: Arik) relocated to the other side of the world. We are too opinionated and share similar hobbies. Everything we do is somehow related to information and data security. While we work for very respectable companies, each a leader in its domain, we felt that some of our thoughts should be expressed from a neutral platform. We do not hide our identities but prefer to keep our employers aside.
This blog will be dedicated to everything we like. Welcome to our security pie.
Please stay tuned for more from the three curmudgeons.