20 February 2012

Is Defence in Depth dead?

"Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out" - William Boni, VP and CISO T-Mobile USA, Jan 2012.

I am a great believer that good security comes from a multilayer approach. You don't lock your front gate and leave all the doors open, right? So why should IT security be any different? This article looks at an interesting list of the "Top 20" critical security controls published recently by the Centre for the Protection of National Infrastructure (CPNI). CPNI was formed from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC), formerly part of MI5, the UK's Security Service, and has responsibility for providing Information Assurance guidance for the UK's national infrastructure.

Here is the list:
  1. Inventory of Authorized and Unauthorized Devices
  2. Secure Configurations (Hardware & Software)
  3. Secure configurations for hardware and software on laptops, workstations, and servers
  4. Continual Vulnerability Assessment
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Training
  10. Secure configurations for network devices such as firewalls, routers, and switches
  11. Limit network ports, protocols and services
  12. Controlled use of Admin privileges
  13. Boundary Defense
  14. Maintenance and Monitoring
  15. Need to know permissions
  16. Account monitoring and control
  17. Data Loss Prevention
  18. Incident Response
  19. Secure network engineering
  20. Penetration Tests

Conclusion

Having been in security for the past 4 years, I have audited and tested the security defenses of 100+ organizations, and I can honestly say I have never seen any one organization operating satisfactory controls in all of these areas, if any at all. Therefore, I suggest any organization review this list and either use it as a basis for their IT Security Policy (if they have one) or conduct a simple audit of their systems against this list. If you have gone as far as classifying the information that flows in and out of your organization, you may want to apply this list per classification.

My particular favorites are Training and Penetration Tests. This may be because I have conducted many Social Engineering and Penetration Tests, but these really stand out for me. Penetration Testing is a key indicator that the other 19 controls are working, and any tests that do not include elements of Social Engineering really are not true tests of the threats faced by organizations today. Just look at RSA...

References:
http://www.cpni.gov.uk/advice/infosec/Critical-controls/

Cryptography has been "broken"...or has it...

A new year has started, and why change good habits? Or maybe this is a New Year's resolution. I'm just back from the second New York Metro ISSA Chapter meeting of 2012. Here is my quick wrap-up.

Pushing a strong line-up, the meeting was geared towards the not-so-interesting topic of cryptography, as well as the challenges of PKI deployment. With many research papers appearing that claim to have "broken" various hash functions and encryption ciphers, the first speaker, John Callas from Entrust, put this into perspective.

John, currently one of the finalists in NIST's SHA-3 competition, used his 45-minute slot to give a top-level view of the threats to cryptography, including quantum computing. He reassured the audience that the current suite of encryption ciphers is pretty solid despite the recent exposures found in the popular AES cipher, where a biclique attack was found to recover keys 2 bits faster than traditional brute-force attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf). "Broken" in cryptography is the result of any attack that is faster than brute force, and the biclique technique described allows attackers to recover keys up to five times faster than brute force. AES may not be completely broken, but it is broken nonetheless.

Conclusion

With weaknesses starting to appear, what can we do to protect ourselves? Encryption should be looked upon as just another layer of security. We all know Defense in Depth is a staple part of any good secure system design, and we must not lose sight of the fact that anything that has been encrypted can be decrypted, so key management is really where attention to detail is crucial.

For those of you who are unaware, the Information Systems Security Association (ISSA)® is a "not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members."

This is my first experience of the ISSA New York Metro Chapter and of the ISSA, having only joined the ISSA in November 2011. I can honestly say this is one of the most informative events I have found in New York, and I look forward to the next event.