Archive for the ‘security’ Tag

Deprovisioning and the Insider Threat   Leave a comment

If you’re not paying attention to your access controls, especially when it comes to removing access for staff who should no longer have it, you’re setting yourself up for problems.

Deprovisioning, or removing accounts, is an important process in managing system access. The process usually depends on people to some extent, although automation can make the job a lot easier if your infrastructure is setup to handle it. At a minimum, your security processes should integrate with the separation process for both employees and contractors.

Here are a few touch-points that need to accomodate deprovisioning:

  • VPN and other remote access infrastructure (don’t forget your mobility solutions)
  • Any business applications or systems that can be reached directly over the Internet
  • Business partner networks, applications/Saas solutions or systems
  • Cloud management and cloud-operated virtual systems

Aside from the risk from disgruntled former staff, people who are still within the company should only have access to systems needed for their jobs and to which they are authorized. For example, a system administrator who moves from managing your messaging infrastructure to running a research network should not retain administrative privileges on your messaging infrastructure after they transition to the new role. (In my experience, this type of legacy access is pervasive but organizations should realize that it is a problem waiting to happen).

Retaining access during transition is one thing, but people retaining access as part of their legacy in the team opens the door for all kinds of problems. For example, even a well-intentioned ex-admin who makes a change to your messaging infrastructure after departing the job could cause operational problems due to incompatibilities with the current configuration. On the other hand, if the password for the ex-admin’s legacy account is cracked or stolen, their account could be used to perform malicious acts, which would then probably be attributed to the admin – even though they may have had nothing to do with the attack.

There’s no question that Shionogi’s situation would have been helped by ensuring a deprovisioning process was established. However, there were a couple other weaknesses that enabled the attack. For one, Cornish was able to install virtualization management software, which means he still had administrative rights. Secondly, most management consoles fail to include any features that ensures checks-and-balances to what can be done by one individual. If the system required someone to “approve” or finalize the deletion of the virtual systems, their problems could have been avoided entirely.

So the next time you’re talking with your software vendors and evaluating a systems management solution, consider whether¬†the solution integrates with your deprovisioning scheme and wheter the¬†solution enables separation of duties for staff performing critical functions.


Posted August 20, 2011 by jeffkeith in Security

Tagged with , , , , ,

Catch and Release Security   Leave a comment

A little break from brain-dead…

Catching a fish without harming it and then letting it go is a great experience. Face it, it’s a win-win situation: the fisherman is entertained in the chase and the fish lives on.

Security policy enforcement isn’t an area frequently associated with Steven Covey, but it can be.

Read the rest of this entry »

Posted February 22, 2011 by jeffkeith in Security

Tagged with , , ,

Brain-Dead on IP, part 2   Leave a comment

There are other ways to lose your company’s IP, like doing business in countries that require the disclosure of IP in order for products to enter their markets.

India and Japan just signed a bilateral trade agreement that will reduce tariffs on about 90% of trade for 10 years. One clause in the agreement requires companies that sell telecommunications equipment in India to disclose the source code to their products to the government. This isn’t so unusual (China has a similar requirement), but Japanese companies balked at the clause and it has since been put on hold. Maybe the recent arrests made some Japanese business leaders a bit less trusting of the Indian government’s ability to keep their source code out of private, and competing, hands?

On a side note, I wonder how much the alleged abuses in spectrum licensing in India influenced the rollout of 3G and 4G services in the country? According to the linked article, Average Revenue Per User (ARPU) “is just 198 rupees ($4.38) a month, down from 230 rupees a year ago” – with such a narrow margin for Indian providers, cutting and limiting costs in their operations is crucial for survival in the market. The motivation to acquire any useful technology without having to invest in it must be very high. If control over 2G spectrum allocations drove such a corruption scandal, I wonder what access to the Indian government’s source code repository could do?

When governments get involved in code escrow, as was proposed in the India-Japan deal or as required in China, companies in sensitive industries are put in a difficult position. On the one hand, a foreign government could pass along their IP to a local competitor who operates globally (which is alleged in China repeatedly – use Google for dozens of links). Aside from purely competitive risks, these decisions can also have an affect on international competitiveness and the security of the home country or society-at-large. Companies in the military and dual-use technology arenas are (hopefully) a bit more careful about these issues. (I am thoroughly convinced that export control laws have more to do with that restraint than any ethical standards among modern executive leadership).

In the regular public sector, however, decision-makers need to consider the potential harm to their domestic operations as well as potential social impacts that might occur under worst-case scenarios. As an example, Microsoft gave the Chinese government source code for various products like Windows, which the Chinese security establishment appears to be analyzing thoroughly for weaknesses (link courtesy of this interesting article).

Microsoft made the “profit-oriented” decision to disclose code in order to sell in China, and neglected the potential social impact issues. I’m excluding competitive issues because everyone knows that Microsoft’s products are usually pretty shitty before the first 100-or-so patches are applied, so nobody would really want to steal their code ;-).

Now, everyone who uses Microsoft’s products are potentially/eventually at risk of attack. (and let’s not forget the Chinese aren’t the only ones with the code link, link) Regular consumers of, say, Windows, don’t get access to the source code and are not generally able to evaluate Microsoft’s security, which props up another industry that has been failing for years to address problems. Governments who use Microsoft products are also vulnerable to newly-discovered attacks and each day we’re hearing more and more about those attacks also (here’s today’s hacked government link)

Interesting stuff, for sure.

to be continued…

Posted February 17, 2011 by jeffkeith in Security

Tagged with , , , , , , ,