Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense
I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Here is my Fortune Cookie advice for June:

A perfect security program does not make your environment invincible! It would be astronomically too expensive. The 'perfect' security program achieves the optimal balance of spending, loss prevented, and acceptable losses (residual loss).

Now if I can just figure out how to stuff these little cookies...

Am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - May 2008

Measuring the value of information security programs is difficult and a problem for the entire industry. In the second of the three part series, Intel discusses a practical approach to determine value of information security initiatives. Intel security professionals Tim Casey, Enrique Herrera, and Matthew Rosenquist discussed the success of Intel’s security value methodology outlined in the Whitepaper - Measuring the Return on IT Security Investments

Listen to how Intel utilizes this strategy as one means to measure the value of security programs. The whitepaper is available for download.

The 30 minute discussion can be replayed here:

The last of the three part series, Future State of Security Measurement, will occur on Wednsday June 4th. Everyone is welcome to participate or just listen in. Details can be found here:
http://communities.intel.com/openport/blogs/it/2008/05/12/how-do-you-measure-something-that-doesnt-happen

Good security conversations benefit all involved. The more we share, discuss, and challenge each other, the more we advance our industry. Thankfully, I have the benefit of working closely with a brigade of information security professionals and we banter at every opportunity, for the sheer pleasure and insights. In that same spirit, we hosted our first Blog-Talk radio session. This was a general discussion of the problems of measuring security.

The 30 minute discussion can be replayed here
Two other internet chats are planned. Everyone is welcome to participate or just listen in. Details can be found here.

Crazy as it may sound, digital appliances and accessories can infect your computers with viruses and worms. It is happening more and more. Although not near a tipping point, an evil cloud is rising.

Unlikely Threats
It is concerning enough we have to worry about USB drives, WiFi hotspots, mobile phones, PDA's, printers, email attachments, file downloads, search engines, and surfing just about any website. But now we must keep a suspicious eye on our new net-enabled refrigerator, digital picture frames, music playing sunglasses, and even the toaster.

Recent articles shows how consumer devices integrated with network enabled computers are sources for malware infections. It is not shocking software CD/DVD's, or USB Drives might have nasty code lurking. Suspicion is the norm anytime we are connecting or installing something directly to our trusty computer. In those situations, we take proper precautions. But what about media players, GPS devices, and most recently wireless digital picture frames? These devices may not directly connect via traditional cable. Does the average consumer realize when they flip the power button they may be turning on a wireless device infected with malware seeking to infect anything within range?

The toaster is out to get you!
It is not just the geek toys anymore. Not to long ago, an enterprising individual took it upon himself to hack a regular toaster, just to prove it could be a source of malware. A toaster! Very impressive, but what is next?

As computers are integrated into everything and are being upgraded with more power and connectivity, the threat landscape grows. Our cars, major appliances, personal electronics, accessories, and even clothing are potentially at risk. We are dragging these items into the digital world and in doing so, overlaying cyber risks on them.

Although not widespread, more and more stories are emerging and the list of products grows longer. At some point we will be forced to re-evaluate the standard threat categories to include some non-traditional vectors. Personally, I am waiting for shoe manufacturers to implant computers in their products so we can have "walk-by attacks". Can't wait.

Some news reference links:
http://www.securityfocus.com/news/11499
http://www.pcworld.com/article/id,141295-pg,1/article.html
http://www.theregister.co.uk/2008/01/14/sans_threat_list/

Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.

Whitepaper now Available! Measuring the Return on IT Security Investments

Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although not the silver bullet to measure all security programs, it does show in some circumstances, value can be quantified to the level needed to make sound business decisions.

This is one of many different methods which Intel leverages to determine value of security programs. The difference is being able to tie in hard numbers for prevented losses and the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollar and sense measure. Although no single methodology fits all situations, Intel has found a niche for this insightful metric which is an empowering view of security value.

Other related blogs:

Practical Aspects of Measuring Security

Getting a Return on IT Security Investment

Managing the Effort to Measure Security

The Problem of Measuring Information Security

The Four Dirty Questions of Measuring Information Security

Ethics represent the very cornerstone by which any security organization is built. Without them, a security team is doomed. They will not be respected only feared, they will not be supported only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access and representation. Resources, tools, and overall capability will diminish, leading to loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics is just prolonging the inevitable trip on the downward slide to defeat. So how can it be, many security professionals have a casual attitude and apathetic commitment toward ethics?

I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. They stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating policies they are employed to enforce and uphold is downright despicable. In many cases, what are worse are the comments left by readers, condoning inconsistent behaviors on behalf of security. Comments like "pick your battles", "follow your conscience", or you should only be ethical if others are, is very upsetting.

Reader Beware
I am a fanatic about ethics. I firmly believe ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability and sour future investments in security.

Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.

I support ethics in all vocations, but some are more important than others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in financial and medical industries as well. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith that we will be honest, capable, and perform our duty in an unwavering manner.

Intel's Security Operations Center - Code of Conduct
When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to insure the expectations were clear and as a team we would all conduct ourselves in a conservative manner.

Intel's Security Operations Center - Code of Conduct
1. Provide diligent and competent service to principals

• Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management
• Act honestly, justly, responsibly, and legally
• Act impartially to all groups, persons, and organizations

2. Protect and conserve Intel property, resources, and reputation

• Preserve and protect the value of corporate systems, applications, and information
• Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures
• Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies

3. Promote and preserve company trust and confidence of the team

• Take care not to injure the reputation of the team through malice or indifference
• Be truthful and accurate in representation and all communications
• Respect the trust, access, authority, and privileges the company grants you
• Promote, comply, and reinforce company security policies, procedures, and intentions
• Avoid conflicts of interest or the appearance thereof

Everyone is ethical, right?
Ever ask somebody if they are a good person or ethical? I will bet you will hear some variation of the same answer, "yes. Of course I am!". How many people openly admit or believe they are not ethical? So are you? Yea, exactly what I thought you would say.

So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics related questions? These are a subset of questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical security minded professional such as yourself...

• 1. You are conducting a confidential investigation of Employee ‘A'. An employee outside the team, asks "Are you investigating Employee ‘A'?"

You Answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: _____

• 2. Policy prohibits any team member from installing software on Server ‘A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server ‘A' to benefit the company.

You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software

• 3. You are aware state law prohibits any team member from removing software on Server ‘A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server ‘A'.

You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to remove the software

• 4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?

You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management

Life is vague. Ethics don't need to be.
We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowance of ‘flexible ethics' and ‘gray area' practices are ultimately self destructive and leads to instability and demise. Make a stand.

So what are the answers to the above questions? Well, as we all indicated we are ethical, their really is no need for me to provide the answers. We all know them.

Enough fluff, smoke, and flash: get to the point. Why have security?

At the end of the day, it is all about loss. If you don't like experiencing loss then you must do something to avoid, minimize, or control it. Welcome to the world of Security.

Let's first get something out of the way. If you are seeking to eliminate all loss, I admire you enthusiasm, but you are out of your mind. Totally eliminating loss would be wildly expensive and in most cases impossible. How much would it cost to eliminate all auto theft in the world? Much more than is feasible, as just about any solution you propose would have some weakness and require additional measures, which in total would exponentially increase the cost as you near 100% effectiveness. It would become more cost effective to find a better replacement for cars, and destroy them all, rather than prevent all future thefts. Optimal security is not about 100% protection, rather a balance of spending, prevention, and acceptable losses.

The Profile of Loss
Back to reality. Security is about preventing loss and some would argue managing loss or the risk-of-loss. Well, it is splitting hairs, but I would agree with both as they are one in the same. When we talk about loss it encompasses all the tangible costs and impacts as well as the intangibles of missed opportunities, reputation, and goodwill. Only a few types of loss can easily be measured and most cannot easily be mentally grasped, much less quantified.

Security strives to prevent the ‘Loss' of reputation, financial assets, customer goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection, and the list goes on. Some of these are obvious such as a worm which brings your operations to a grinding halt for two days. Others are not as obvious. Losing Personally Identifiable Information (PII) of customers would open the liability of lawsuits, potentially incur governmental fines, tarnish the corporate reputation, sour customer goodwill, and invoke long term recovery costs. Failure to meet Sarbanes-Oxley requirements may result in and having to cope with a CFO indictment and the associated difficulties of finding a temporary replacement while your executive spends an extended vacation in a federal penitentiary. A single security incident can inflict many different types of losses which in turn may vary wildly in overall impact.

The Evolving Security Landscape
All security programs exist in an evolving state. The enemies get smarter, move faster, and grow. The technology by which information flows rapidly changes. The very organization being protected and the assets within evolve over time. Regulations, customer expectations, experts' recommendations, and industry best-known-methods morph on a continual basis at a dizzying rate. The effectiveness and efficiency of security varies due to these external drivers as well as internal reasons.

So what does security look like over time? What are the key indicators? Here is my perspective. An organization will experience loss, period. If people are involved and any type of value is inherent, loss is expected. No surprise here. To get a better insight, let's apply the Greed Principle.

Greed Principle
From a security perspective, greed is a double edged sword, both good and bad. Greed drives people to do bad things and break the rules for their benefit, but good as it gives continuing opportunities for security to catch these people. The Greed Principle simply states "Losses will increase if unchecked". This principle manifests itself in many different ways but basically, if someone is successful at finding a way of stealing $10 from you, they will continue unless something intervenes. In fact, they will increase the amount they steal over time. If it worked for $10, why not try $15 and so on. As greed is a strong emotional driver for the bad-guys, it provides more and more opportunities to the good-guys to detect them. Hence ‘greed' being both good and bad.

The greed cycle may be disrupted. Intervention may be in the form of additional controls, prevention, deterrence, social pressure, or direct interdiction just to name a few. Many different mechanisms can influence an attacker. Ultimately, unless something changes, greed guarantees losses will increase over time.

Instituting a decent security program is a surefire way to disrupt the unchecked losses. Even a completely mindless security measure can have a great impact. Ever wonder why sales associates say ‘hello' to you when you enter a boutique shop? Even if they don't have time to help you directly, they will make eye contact, greet you with a smile, and say hello. Is this for better customer service? Well yes that is one side benefit, but the primary function is to reduce the shoplifting. Most small stores don't have the money to maintain a security staff and shoplifting can be a major problem (last I checked, retail prices are ~15% higher to cover the costs of security and residual losses). The simple recognition of someone entering a store has shown to dramatically reduce the chances they will steal. In larger retailers, where they have a security staff, you may not get such a greeting (unless you wander into a predatory commission sales area).

The Security Maturity Model
Initial landing of a security program will affect the losses from attacks. But there is a price, namely the cost of security. Security spending bubbles before stabilizing in the maturity phase where it becomes more effective by lowering losses and more efficient by optimizing spending. Management usually has a firm hand in the reduction of spending, as they play an important part in keeping tension in the system.

So what do you get for your money? The amount of loss which did not occur, because of the influences of security, is the Loss Prevented. More loss prevented the better. But it is relative as the cost of security plays into the efficiency calculation. Basically the (Loss Prevented) - (Cost of Security) is one measure of value. A negative number is mostly unfavorable, indicating you are spending more on security than you are preventing. I wouldn't recommend that model unless what is being protected is irreplaceable (life safety, unique items, etc.).

Lastly, one other factor must be discussed. Sadly, the organization will still experience loss, regardless of how much you spend on security. This is Residual Loss. Nobody really likes to talk about this ugly fact of life. It is important. This is the gauge by which the organization determines what is acceptable.

Reasonable Expectations
Every security program must continually evolve to align to a changing landscape of attacker, methods, and alterations in the environment being protected. Over the long run, a good security program will get better and cost less.

I have rattled the ‘optimal security' saber before in previous blogs and it continues to hold true: Optimally, an organization should spend the amount of money on security which prevents enough loss to bring the residual losses to an acceptable level. Only management can decide exactly where the sweet-spot exists for any given moment.

As the industry moves towards the next big leap, virtualization, I can't help wondering will this be a security professionals dream or nightmare?

Disruptive technology:
I generalize virtualization as the necessary separation and compartmentalization of resources so things can be moved, consolidated, and managed better, across a wide swath of hardware platforms, users, and networks. It is a "disruptive technology" (not a bad term) which represents a fundamental change in how computer systems will operate, communicate, and be designed. It is a leap forward and represents greater agility, more functionality, and lower costs. The interesting security question is, what are we leaping into?

In the virtualization world you can name your poison....er, pleasure: Server, Client, Hardware, Operating System, Software, even data portability virtualization exists or is in development. I am not going to differentiate or explain the differences. Instead I am taking the strategic point of view. All these areas will be developed and instituted in some fashion. The details are far from being worked out. From a security perspective, it is the big picture that is important at the moment.

History has shown that the attackers have the advantage of ‘initiative' in technology, over the defenders. Basically, the attackers innovate and security then responds. But will this hold true for virtualization?

The Security Dream:
Virtualization holds the promise of security paradise by making systems more robust, hardened, simpler, and enabling new capabilities to make security more effective and cost efficient.

• Virtualization allows a much greater consolidation of hardware resources. Multiple OS, applications, and databases on a platform equate to less platforms to protect. Consolidation and portability for efficiency sake, may result in less network traffic to monitor, scan, and secure
• Virtualization allows for effective security sandboxes to be employed for un-trusted or questionable applications and processes
• Segregation of resources for applications, processes, OS's, and users means a compromise in one will be easier to contain due to compartmentalization. This makes it tougher for an attacker to break a weak link and begin to elevate their control over a system
• Application restoration is a snap and full systems restoration becomes easier when a client does bite-the-dust
• Systems and applications can be designed to operate with multiple environments of trust: very secure, secure, marginally secure, and not-so-trusting secure, all on one box (or the informal version: I trust you with my sister secure, I trust you with my wallet secure, I trust you as far as I can throw you secure, and I trust you will steal from me the first chance you get secure)
• Virtualization will drive standardization of application design and data types making them easier to secure
• Failover systems become less painful to design and implement at many different levels
• System upgrades become seamless as jobs can be moved temporarily to other systems and then returned without disruption
• Virtualization and other supporting technologies will drive advances in real-time security state monitoring, potentially across the enterprise and deeply into applications, OS's, data, and users
• My personal favorite is that eventually we will have the ability to monitor for suspicious activities from a trusted person, versus just looking at applications or data. Think insider threats. This will be the first significant advance in a long time for this problem

The Security Nightmare:
Virtualization may be the very bane of security for decades to come by circumventing every type of security technology and enabling new capabilities for attackers to do real damage, thus forcing an entire redesign and reinvestment of security.

• At the highest level, virtualization offers pure stealth to an attacker. Currently, malware must hide, lay dormant, or be very quiet in order not to be detected. This limits what the bad guys can do. They must trade capabilities and impact for stealth. Not so with virtualization. Malware could have the best of both worlds
• Total Control - it's mine, you can't find me, and if you do, you can't make me leave! I can see everything, I can control everything, and I can do anything! Mine, mine, mine! Control can extend well beyond a single system and permeate across the virtual domains, with the persistence requiring an entire group of machines be burned down and rebuilt with great care
• Now for the sledgehammer effect. Virtualization technology will undermine every current type of security control (the short list):
  • Anti-Virus, HIPS/HIDS, and Host Firewalls - Cannot detect or monitor an attackers activities in a higher plane of control, making them ineffective while still giving the illusion of security
  • Patching - Controlling virtual instances, more importantly creating false ones, will have patches installed on fake instances, leaving the real one vulnerable and under the intruders control
  • Security scanning, used to check the system's state-of-security, can be fooled. Reporting back that all is fine when it is not
  • Encryption - At the right level, an attacker will be able to see before encryption, after decryption, and have your keys to decrypt at their whim
  • Security monitoring devices and agents can also be deceived, by showing them what they expect to see and nothing else
  • User Privacy will be compromised at many different levels and open the risks of aggregation across multiple data sources
  • Adware/Spam filters can be subverted
  • Secure channels can be monitored by attackers and setup between compromised systems
  • Security forensics may become a nightmare for many years due to the complexities inherent to virtualization and the fact that a high level compromise invalidates the integrity of logs
  • Even NIDS/NIPS & Network Firewalls become less effective. Hardware consolidation translates to less traffic on the backbone network and more in-between systems on a platform and within a local subnet. This gives less information to these network monitoring devices and lowers the chances they will detect malicious activity
• The very same ‘sandbox' which can be used to isolate risky activities can be employed against security applications and processes, limiting their ability to control and protect the system
• Virtualization adds more complexity and therefore risking more confusion when it comes to system management. Especially for patching and system scanning. Keeping track of who owns what is bad enough today. But at least if you track down a server owner, you can normally have a quick decision on when to patch and reboot. In the future, the server owner, may not know who owns the virtual instances running on their machine. So how does one coordinate downtime, patching, or other change control issues? These delays may extend the window of vulnerability giving attackers more options and targets
• Less systems but more diversity and ambiguity gives places to hide and more opportunity to find a vulnerability
• Virtualization portability will drive the standardization of application design and data types, making them predictable and easier to locate and compromise
• Very complex designs which continually change are extremely difficult to restore and recover. Additionally, cascading failures can occur bringing down multiple systems whereas in a stovepipe environment they would be more insulated

Take the High Ground - Sun Tsu "Art of War"
The ultimate sweet spot for any computer attacker is to gain the deepest level of control, which in turn can control all other virtual instances. This is the proverbial high ground which can see and control everything, yet not be seen if it does not want to. Attackers are already making great advances and shown the initial ability to take the high ground. Defenders are quick on their heals, finding ways of detecting and defending this vital area.

Who can make the final determination in this battle? Intel and other hardware designers, of course! You can't get any deeper than the hardware. Imbedded security controls will be the key to victory. But here is the twist. You may have assumed I meant the victory to the glorious and honorable path of security. You are wrong. It is just the key to victory, period. Security and administrative controls are just functions with great power. Whoever controls those functions will be the victor.

Sometimes, the computer industry itself is its own worst enemy. Infighting on standards, rushing products to market, designing security as bolt-on afterthoughts, ill designed security solutions, etc may cause temporary self destruction. Even when a security function is developed, there is no guarantee it will be embraced by the industry or the consumer. It will take a small army of very smart people across the hardware, OS, application, and security services to design robust controls which present a value proposition necessary for widespread adoption.

In the end, the age old battle will continue to rage on between the attackers and defenders. Virtualization is simply the next battlefield. A new landscape to which these players will innovate, respond, jockey for position, and struggle for dominance. The rules and possibilities have yet to be defined. All we know about computer security will be thrown on its side and everything we do now will need to be rebuilt from the ground up. Virtualization is a brave new world, sure to bring both dreams and nightmares.