Security


I’ve been working on a couple of different projects recently which have kept me quite busy. Both involve data storage, but each is handled differently. The primary question at the bottom of both projects is: should the client store its data on site or outsource that task? There are going to be positive and negative factors no matter what scenario you pick, so the question you have to ask is: How do we optimize the design for your business model and strategy? Is this model in line with your security policy (please tell me you have one by now)… Also, keep in mind that Congress may finally take a stand on how businesses secure customer data and of course, Symantec’s John Thompson constantly reminds us of its importance.

The old-school method of data storage is to process it (with local servers) and back it up to tape on site, then store those tapes off site in a secure location (preferably not the back of your car or CEO’s timeshare, as we’ve stressed before). This is still very effective, but may not satisfy your data availability needs. If you need to find a tape and have it shipped to you, then retrieve that five-year-old email you needed yesterday, it may not work so well.

As another option, you can outsource your processing, storing and backing up of all of your data off site (i.e. hosted by a trusted, third party and accessible to you at all times). While losing some control, this may be very convenient, but depending on the amount of data we’re talking about, remember that often you will pay monthly, per gig.

As I mentioned, there are obvious pluses and minuses to each scenario. There is also a third option, growing in popularity, which combines these two designs and will leave you with a better solution overall. That is, house your servers on site (managed locally or remotely, doesn’t matter) and host your data internally as well. Then, by partnering with that trusted third party, have them image and store a backup of all data (also called vaulting, but could also be dynamic and real-time) so that in the event of an emergency, hardware/software failure or other “mix-up”, your data is secure and accessible at all times.

This last option has become more and more popular with the reduced cost of disk space and more efficient methods of backing up over the WAN. It enables you to control and manipulate your data locally, but have it housed offsite as well for security and availability. And as EMC’s chief, Joe Tucci, said this week: “You will see EMC playing there.” This speaks directly to the subject, considering EMC is the world’s largest hardware/software storage vendor and it is considering making storage a service.

After last week’s discovery of the latest Vista security bug, Microsoft tried to repair its image a bit by announcing how exactly some of its security recommendations were written: with a little help from our friends over at the NSA (and the American taxpayer). Joris Evers, of CNET News.com, wrote today about the secretive, federal spy agency’s involvement in recommendations associated with Vista’s rollout in large enterprises. However, after the NSA (often referred to as “No Such Agency”) actually admitted to the Washington Post today that it was involved in a fairly non-specific manner, this presents another concern. Tony W. Sager, the NSA’s chief of vulnerability and operations group described the activities as two teams (good and bad) waging a hacking war against each other and then sharing the results and recommendations with Microsoft’s developers.

I know the NSA has a stake in ensuring the security of Vista (as they did with XP and 2003 Server to some extent as well), however who’s to say it isn’t putting in loopholes and backdoors for its own use? There are more concerns which will become more complex and more apparent as we go on, but which are critically demanding our attention as protectors of our companies’ information.

Also included in the CNET article are a number of very useful links relating to the secure deployment of Windows Vista. In addition, here is the official Windows Vista Security Guide, but please check out these articles for detailed information on this announcement. Oh… and take my suggestion and wait a bit to migrate your organization to Vista until at least the next service pack is released.

This security bug and any associated political/economic windfall from the taxpayers’ money being used to help develop a private company’s product are bound to boil to the top at some point. So, keep your eyes and ears open and we’ll sort it out one of these days.

It happened again. Actually, it happened three months ago and the company (Nationwide) just decided not to report it. What is this again? Oh yeah, during a home break-in three months ago in the U.K., the laptop belonging to an employee of Britain’s largest building society, was stolen with the names and account numbers of 11 million customers on it… 11 million!! Why oh why is this information on that laptop? Are they really that stupid to risk this simple breach in security? I’ve said it over and over again. Please don’t keep your customers’ sensitive information on your laptops or desktops. All of this data should be stored and secured centrally (along with a secure, remote back-up). Not only is this model more efficient, but it’s also secure. That’s the least you could do…

However, most of the outrage and media attention is focused on the amount of time it took to report the theft.

“A three-month delay is appalling. People should be able to trust that if a problem has happened they will be told about it straight away.”

While this lapse in time and judgment is “appalling” it shouldn’t be the major concern in this situation. The CEO of this company was quoted as saying,

“We have tightened up our already high security procedures and this should ensure it couldn’t happen again.”

Well, why weren’t the proper procedures put in place to start with? He is saying their security procedures were already “tightened”? Come on, Mr. Philip Williamson… Can we really believe that?

John Thompson, the Chairman and CEO of Symantec, gave an interesting talk at an event in Tokyo last week. Thompson, and some of his deputies, discussed the changing security threat posed with changing times.

Bill Robbins, head of Symantec’s Asia Pacific business, “explained in an interview that this changing threat would mean businesses will have to spend more time and energy on making sure that data is not just secure but also recording which users are accessing and manipulating information stored in corporate databases.” Martyn Williams, the Tokyo correspondent for IDG News Service, has written a nice, short article on the subject.

As we’ve seen many, many times as of late, the secure information inside of your data centers is not always the most attractive target. That user who leaves his notebook in the car with all of your customers’ sensitive information is bound to be a more likely candidate for attack. And again, why do you still allow that user to keep that data locally anyway?!?!

Robbins goes on to say, “from a hacker perspective if they get your credit card number from the biggest company in the world or the 48,000th biggest company in the world it’s still the same value to them.”

The following quote is from a user on Digg.com, speaking in reference to a Reuters’ article on a new study on passwords.

“It figures. Where I work we have at least 9 different programs that require a password. None of the systems interconnect so each one has to be set separately. Most people just set them all the same, but they don’t all reset at the same time, so that is difficult to maintain. In order to save myself a lot of trouble I HAVE to write my passwords down. I know most of the people I work with do the same thing. It’s too difficult to change 9 different passwords every month and keep it straight in your head.”

The writer is not alone in his thinking. The results of this new study, produced by Nucleus Research and KnowledgeStorm, show “that more than one third wrote down their password, despite the clear security risk it poses.”

The writers of this study go on to make a very good point. All companies should be considering Biometrics instead of the outdated, insecure process involving passwords. If you’d like more information on Biometrics, your security policies and how they can help your company, please don’t hesitate to contact us. The press release for the study can be viewed here.

We must backtrack on our comments about Firefox’s JavaScript flaws from Monday. While the possibility of this happening and the various descriptions made by my Front-End Developer, Gareth, still hold true, apparently it was made up. Below you can view the explanation we’ve heard regarding this “alleged critical hole.”

(Text included below.)

http://www.heise-security.co.uk/news/78970

“The allegedly critical hole reported yesterday in Firefox’s JavaScript implementation has turned out, not surprisingly, to be a hoax. Mischa Spiegelmock, who made the claim at the Toorcon hacker conference, told Mozilla’s security chief Window Snyder, “The main purpose of our talk was to be humorous.”

While it is possible to create a stack overflow, the only result he has been able to produce is a browser crash. Neither he, nor anyone else, has managed to execute code via this hole. Spiegelmock claims to know nothing about the other 30 holes reported in the media. The Mozilla team nevertheless plans to look into the matter in order to detect and remedy any flaws.”

The following was written by my web designer, Gareth Ballester, in response to an article I found discussing Mozilla’s security problems with its ever more popular browser, Firefox. The September 30th article from CNET discusses how a couple of hackers have found some serious JavaScript flaws in Firefox… remember that Firefox is the “secure” browser when compared to Internet Explorer…

“Stack overflow and buffer overflow are the method of 99% of vulnerabilities in software today, including web browsers. Basically, an application has multiple layers and function calls (it’s object-oriented). Each layer and function has to validate the data it receives, and in turn, the data it passes to the next layer/function has to be validated. Programmers don’t validate it at every point in the system to save development time, or they don’t always think of it.

So every operating system and every application, including browsers, undoubtedly has multiple “Achilles’ heels” or weak points that could be overflowed. If you pass X amount of data to a function and then tack on some malicious code on the end, but X is the expected amount of data, the receiving function will then put that value in memory. If you put it in the right spot in memory, it can execute. In the past 5 years this has become more and more evident. It wasn’t so much of an issue before the web gained popularity as a place for “applications” and not just static pages.

This is why Windows Vista has a million more layers of security and why processors now have an execute bit (or it’s called an NX… not my specialty), so even the CPU can defend from viruses. Every single communication between different processes on a system has to identify itself in a non-spoofable way (basically, be “trusted”), and validate the data being passed.

I can see why the hackers didn’t take the $500. If you release the info to the public it will just force Mozilla to take it more seriously and fix it faster.

I could see discovering vulnerabilities like this in JavaScript now that JavaScript is being utilized to a greater extent to develop AJAX/web 2.0 applications. If you’re programming an advanced AJAX application, and you get some kind of error, there’s a chance you overflowed something by accident and then you could take that knowledge and use it maliciously.”
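The point in the comment above about validating data at every layer, as an added example that is not part of the original post or of Gareth's comment: a two-layer parser in which the outer layer checks the declared length against the bytes actually received and the inner layer independently checks it against its own buffer. The message format (one length byte followed by a name), the `REC_NAME_MAX` limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_NAME_MAX 16  /* constructed limit for this example */

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_BAD_ARG };

struct user_record {
    char name[REC_NAME_MAX + 1];  /* +1 for the terminating NUL */
};

/* Inner layer: owns the destination buffer, so it checks the length itself
 * instead of trusting that every caller already did. */
enum parse_status store_name(struct user_record *rec,
                             const uint8_t *name, size_t name_len)
{
    if (rec == NULL || name == NULL)
        return PARSE_BAD_ARG;
    if (name_len > REC_NAME_MAX)
        return PARSE_TOO_LONG;
    memcpy(rec->name, name, name_len);
    rec->name[name_len] = '\0';
    return PARSE_OK;
}

/* Outer layer: message is one length byte followed by that many name bytes.
 * It checks the declared length against the bytes actually received. */
enum parse_status parse_message(struct user_record *rec,
                                const uint8_t *msg, size_t msg_len)
{
    if (rec == NULL || msg == NULL)
        return PARSE_BAD_ARG;
    if (msg_len < 1)
        return PARSE_TRUNCATED;
    size_t declared = msg[0];
    if (declared > msg_len - 1)
        return PARSE_TRUNCATED;  /* header claims more data than arrived */
    return store_name(rec, msg + 1, declared);
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t ok[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lie[] = { 200, 'a', 'b' };
    uint8_t big[1 + 40];
    struct user_record rec;

    big[0] = 40;
    memset(big + 1, 'A', 40);

    printf("ok:  %d\n", parse_message(&rec, ok, sizeof ok));
    printf("lie: %d\n", parse_message(&rec, lie, sizeof lie));
    printf("big: %d\n", parse_message(&rec, big, sizeof big));
    return 0;
}
```

The oversized input passes the outer check (its length byte is honest) and is stopped only by the inner one, which is why the check cannot live in a single layer.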

At any given moment of every day, I sit at my desk with a minimum of two Instant Messenger windows conversing, four email accounts buzzing, two landlines ringing, one Blackberry running various web applications, email, text and phone, as well as all those Internet windows open to articles, news stories and reviews that I am still hoping to read. To some this may seem like madness, to me (and many others like me) it’s just another day in the office (or with the wonderful world of technology today, it could be just another day at the beach).

This scenario isn’t complicated, especially when managed all from one device and broken down to only three programs (Trillian, Firefox, my email client (managing all accounts)) and one phone (with all lines forwarded). But in the corporate environment, where productivity and security have become major concerns, how do we effectively manage this environment?

Let’s review a fairly common scenario: Currently you may be pushing anywhere from three to 10 software programs out to your desktops. These might include: Internal and external email communication, customer order processing, customer management, vendor/distribution management, marketing and sales tracking, etc. Most of our clients are looking more and more to consolidate their operations, expenses and the associated infrastructure. How does one effectively minimize the number of applications while continuing to adopt innovative and useful technology advances? Is a corporate Instant Messaging policy required to help manage this process and how do you properly implement such a plan?

Let’s review with a little history lesson: IM in the workplace started a number of years ago with proprietary messaging systems built into specific software programs for specific tasks in order to speed up inter/intradepartmental communication and increase order accuracy and speed. During the years of the tech boom, employees started downloading AOL, ICQ or MSN onto their work machines to keep in touch with family and friends during work hours. I was one of the first in my office at that time to load an IM client onto my machine, but I rarely used it due to its lack of popularity at the time. It’s no fun breaking the rules and using company time for personal reasons if you can’t share it with anyone! However, as the number of IM users increased, the functionality increased exponentially as well.

As with many technology innovations, the creative uses and innovation spread faster than the practical. This is a very good thing, don’t get me wrong, but there comes a time when it’s necessary to take a much closer look at your business and technology practices to ensure efficient, productive and secure technology growth in line with your business goals.

AOL threw its hat into the ring just recently, hoping perhaps a piece of the corporate IM pie would be sent its way. However, like all of their competition in this space, they are willing to provide this service, without much of a solution involved. How are they really working with you to ensure security? What about possible productivity losses or gains for that matter? IM can be a very valuable tool, but it has to be rolled out, trained and monitored on many levels. Which companies out there are stepping up to the plate to actually provide some value to their customers? That has yet to be determined, but if you have any feedback we’d love to hear from you!

I have an old friend whose primary responsibility is IM security software development and the way we see it is that this is one of the most important subjects for your next budget meeting, fiscal year and possibly the next five years.

NPR’s Marketplace aired a broadcast on May 2nd discussing corporations’ security, theft issues and the measures being taken (or not). http://marketplace.publicradio.org/shows/2006/05/02/PM200605024.html The report was fairly thorough in nature, but neglected to expand any more on some of the measures which can be taken to properly secure company and customer data, much less the full costs associated with these thefts.

In the report they discuss the magnitude of this problem:

“About 18,000 Bank of America customers got a memo back in May saying their Social Security numbers were on a laptop stolen out of an employee’s car. That same month a laptop was stolen from a branch of Omega World Travel, containing the credit card info of 80,000 Department of Justice workers. Not to be outdone, Bank of America had another laptop stolen in August. In November, 161,000 Boeing employees were told that a laptop containing their Social Security numbers was lifted. Geddit? Boeing? Lifted? In February, Ernst and Young was hit. In March it was Fidelity. As I was writing this paragraph, Boeing called again to say that, since we talked, another laptop was grabbed away from an HR rep at an airport. We’re talking, at least, 14 different companies, three state governmental agencies, five hospitals and nine colleges and universities.”

But they only briefly discuss one of the main issues at hand. Can any company or person ever guarantee sensitive information will not be compromised? Of course not. But there are some very basic steps which can be taken now to seriously impede those trying to capture social security numbers, credit card numbers, health records, etc. From the story, “…(Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School) says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it.”

The ability to store sensitive information on centrally managed (and protected) servers is really quite basic these days; not to mention a critical part of your security policy (one of many great resources with more information is the SANS project: http://www.sans.org/resources/policies/). With secured and encrypted wireless connections, SSL VPN tunnels and the ability to update, store and back up remotely over the WAN, why is there still sensitive information being stored on company/personal laptops or being transported on tapes by anyone other than Wells Fargo?

Marketplace aired a follow-up interview with the CEO of a major healthcare provider on May 11th. He and his company have won awards for how they’ve dealt with the theft of information; after the fact. They have also lobbied heavily with Congress in order to change the laws by which companies have to adhere in order to notify customers of information theft. “At the moment, Congress is considering a few bills that would require companies to do what McIntyre did: Notify customers in the event of a security breach.” http://marketplace.publicradio.org/shows/2006/05/11/PM200605115.html

But what about prevention? These laws are still vague in nature. Please remember that as a company responsible for the security of your customers’ confidential information you cannot wait and be reactive to this problem. The legal and financial costs are far too great to ignore. This is a problem which has to be dealt with proactively for it to be at least mildly effective.