Information Security Reading List

Like information security in the real world, most (all?) information security books are about tactics, but what we also need is to understand where we are and where we are going. To do that, it's important to read other fields and understand their ideas. Here is a brief reading list to explore some concepts that are useful, but relatively unexplored, in information security.

1. Dhandho Investor by Mohnish Pabrai. I posted on how much I enjoyed this book in the past, and James McGovern did as well. Key thing here for us infosec types is to decouple risk and uncertainty and focus more on the former. I have often said that I have learned more about security from reading Buffett and Munger than anything in information security literature. Pabrai is a fellow traveler on the Buffett Munger trail.

2. World is Flat - ubiquitous, but the best quote on why this work matters comes from Chris Ceppi, who said to me that he thinks this book does a better job at explaining federated identity than any technical work. I agree.

3. Pentagon's New Map and Blueprint for Action by Thomas Barnett - these two books are absolutely critical to understanding 21st century security - how to think horizontally about security, deliver decentralized security services, and enable resiliency for the system as a whole. Barnett gives us a 21st century security builder model. The best work I have seen on the overlap of economic models and security models.

4. Brave New War by John Robb - as I mentioned in my review, Robb is the Black hat to Barnett's White hat. But when he does get prescriptive about dealing with the asymmetric threat problem that globalization has unleashed on us, the action items are all around survivability and resilience.

5. Starfish and the Spider by Ori Brafman and Rod Beckstrom - again a focus on decentralization, mapping services and skills, and identifying and enabling catalysts through trusted networks. Spiders die, starfish regenerate - think about that next time you are designing access control. Interestingly enough, Rod Beckstrom is now the cyber security czar, and I am very hopeful to see some good things come out of this appointment. It's very interesting to think about OWASP as a starfish organization. Totally decentralized, I believe one employee, a major global impact - the single best source for software security (not just web app security) - OWASP is a living testament to the positive power and impact that starfish organizations can have.

One thing these all have in common is decoupling and decentralization. In the field, people often automatically associate security with centralization, but this is often the wrong approach. Many times the most cost effective, proportional approach is to take a decentralized path, and these books give some ideas on how to do that.

More on Fallacy #4

Steve Jones on Rest and Distributed Computing Fallacies

One of the objections I've had about REST for a while is that it appears to ignore Deutsch's fallacies of network computing

1. The network is reliable.

2. Latency is zero.

3. Bandwidth is infinite.

4. The network is secure.

5. Topology doesn't change.

6. There is one administrator.

7. Transport cost is zero.

8. The network is homogeneous.

Now REST specifies 8, assumes 1, 2 and 3 and takes 4 to mean HTTP/S with Basic Authentication. Now to be clear I've seen people doing Web Services who believe in pretty much all 8 of these fallacies and they create crap systems. But with things like WS-RM and WS-Security at least there are answers to a few elements.

That basic auth is bypassable has been known for some time, thanks to Amit Klein. It would be nice to see Restafarians move the conversation towards better security models like SAML and WS-Security. The current state for REST is both disappointing and weak. The response side is pretty solvable using XML Signature and XML Encryption to sign and encrypt the responses (of course someone will need to tell the "you just leverage the existing infrastructure" types that we'll need to be deploying keys and certs to all the endpoints, but at least the primitives are there on the response side); the request side remains problematic.
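To make the request-side gap concrete, here is an added example that is not part of the original post and not from Steve Jones or Amit Klein. It shows two things: that a Basic Auth header is only an encoding of the credential (anyone who sees it has the secret), and that Basic Auth covers nothing about the request itself, so a tampered body is indistinguishable from the original. Beside it is one hypothetical request-integrity scheme (an HMAC over method, path, body digest, timestamp and nonce, with a freshness window and a replay cache). The scheme, the shared secret and the sample requests are all assumptions for illustration, not a standard.

```python
"""Added example, not from the original post: why HTTP Basic Auth gives a REST
request no integrity, and what a request-side integrity check looks like.
The signing scheme below is hypothetical (an HMAC over method, path, body
digest, timestamp and nonce); it is not a standard and not Amit Klein's work."""
import base64
import hashlib
import hmac
import time
from typing import Callable, Tuple


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic scheme: base64(user:password). Encoding, not protection."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> Tuple[str, str]:
    """Anyone who sees the header (proxy, log, a non-TLS hop) recovers the secret."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def canonical_string(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """What the signature covers. Basic Auth covers none of this, so a
    man-in-the-middle can swap the body and the server cannot tell."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(ts), nonce]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """Client side: HMAC-SHA256 over the canonical string with a shared secret."""
    return hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()


class RequestVerifier:
    """Server side: freshness window, replay cache, constant-time MAC compare."""

    def __init__(self, secret: bytes, max_skew: int = 300, now: Callable[[], float] = time.time):
        self.secret = secret
        self.max_skew = max_skew
        self.now = now
        self.seen_nonces = set()  # in-memory; a real deployment needs a bounded, shared store

    def verify(self, method: str, path: str, body: bytes, ts: int, nonce: str, signature: str) -> Tuple[bool, str]:
        if abs(self.now() - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(self.secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen_nonces.add(nonce)  # only remember nonces that actually verified
        return True, "ok"


def demo() -> dict:
    """Constructed sample requests (not real traffic); returns the outcomes."""
    secret = b"shared-secret-provisioned-out-of-band"  # assumed: one secret per client
    fixed_now = 1_210_000_000                          # frozen clock for a repeatable run
    verifier = RequestVerifier(secret, now=lambda: fixed_now)
    body = b'{"to":"alice","amount":10}'
    tampered = b'{"to":"mallory","amount":10}'

    # Basic Auth: the "secret" is recoverable by anyone who sees the header.
    user, password = decode_basic(basic_auth_header("alice", "s3cret"))

    # Signed request: accepted once, rejected on replay, on tampering, and when stale.
    sig = sign_request(secret, "POST", "/transfer", body, fixed_now, "n1")
    first = verifier.verify("POST", "/transfer", body, fixed_now, "n1", sig)
    replay = verifier.verify("POST", "/transfer", body, fixed_now, "n1", sig)
    forged = verifier.verify("POST", "/transfer", tampered, fixed_now, "n2", sig)
    old_sig = sign_request(secret, "POST", "/transfer", body, fixed_now - 1000, "n3")
    stale = verifier.verify("POST", "/transfer", body, fixed_now - 1000, "n3", old_sig)
    return {"basic": (user, password), "first": first, "replay": replay,
            "forged": forged, "stale": stale}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>7}: {outcome}")
```

Two design points worth noting: the nonce is recorded only after the MAC verifies, so an unauthenticated sender cannot burn a nonce the real client will use later, and the body is bound through its digest so a proxy that re-encodes the transport still cannot change what was signed. None of this gives the server a key distribution story, which is exactly the deployment problem the text flags.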

More on the Fallacies by Arnon Rotem-Gal-Oz, who, incidentally, if you are interested in building a secure service, has an interesting Service Firewall pattern, which I refer to as a TIDE firewall: dealing with Tampering, Information Disclosure, Denial of Service, and Elevation of Privilege threats at the edge. I understand why Arnon left Spoofing off his list, but would like to see him add audit logging to deal with disputes (the Repudiation threat).

Consulting and Size

I have been asked a variant of this question about 5 times in the past 2 weeks - "how many people does arctec group have?"

So in case anyone else out there is wondering... We have been around for 7 years, ranging from 2-3 people. We are like the special forces - get in, get the job done, get out. Hence the focus on training, architecture, detailed design. Of course, we work on projects that are sometimes very large, and if necessary we can help build out larger teams sourced from other places, but our focus is excellence in training, architecture, and design, not jamming 15 blue suited consultants into your cubes.

Not that there isn't room for larger consulting groups, just not our focus. When we started our company our model was more like a law firm or a real world architecture firm. In most cases, you don't hire a lawyer or architect because they have 30,000 people in their firm, you hire them because they have the expertise in the area you are trying to address. So it's not "how many architects in your firm? more than 1,000?" it's more "tell me about your other clients/projects. show me some buildings you have helped build."

Building a Security Architecture Blueprint

This week I spoke at the Secure 360 conference on Building A Security Architecture Blueprint (slides). My thesis is that information is a strategic enterprise asset (in many cases it *is* the business), yet the typical enterprise approach to securing the information, or even to risk management, is rarely strategic. Last year, I wrote a Security Architecture Blueprint paper to describe one framework for putting a strategic context around an information security program. The main idea is that instead of starting with security goals (cue the ritual CIA invocation), we start with considering security in the context of the stakeholders - business, development, operations, customers, and so on.

You can then use the framework to assign priorities and phasing for Information Security actions. So instead of letting the random auditor and their ever-present checklist that the final four assigns you drive your program, use a framework that incorporates the business and its goals. A number of people commented on my post on GRC -

Rich Mogull

Much of what we call GRC should really be features of your ERP and accounting software. ... It’s an additional, very highly priced, reporting layer. ...A GRC tool provides almost no value at the business unit level, since it doesn’t help them get their day to day jobs done.

Mike Rothman succinctly gets to the point with a one liner I am sure will become part of my repertoire:

It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind.


So my GRC post seemed to tap into a fair amount of GRC blogohostility. Fair enough, but the main point is not slamming GRC, just the overfocus on GRC and substituting misdirected marketecture for real world architecture. Hoff got to the heart of what I was saying - it's about assets:

As I think about it, I'm not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem. I see internal audit driving the adoption which given today's pressures (especially in public companies) would first start in establishing gaps against regulatory compliance.

If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level and one that is not compliance-driven but rather built upon a business and asset-driven approach

So I submit that you should not start with a compliance checklist, but instead build a security architecture blueprint that captures your stakeholders' goals. Assess this against your policy and standards, and your security architecture capabilities. Out of this come risk management decisions. And off we go into actually building and operating something - hopefully making some profits along the way.

So build blueprints, minimize time spent doing checkbox Olympics. The blueprint I worked on is just a generic framework; you may have a different one. I know that the one I designed is in use in many organizations, and in each case I know of it has been tailored to local purposes. So it's a beginning, not an end, but those two things are more related than you think, as someone from the financial services industry once said

In my beginning is my end ... in my end is my beginning

Where you start your security architecture and design matters, and directly affects where you end up.

Anyway, the conference was a lot of fun; I rarely get to do conferences in MN. I got to meet Anton Chuvakin for the first time, and went to the presentation by the local OWASP Minnesota chapter - Robert Sullivan, Joe Teff and Kuai Hinojosa did a great job doing an overview of what OWASP is all about, demoing WebGoat and so on.

Price is what you pay, value is what you get

Nice work by Francois Paget (hat tip Andrew Jaquith) pulling together the underground economy's willingness to pay up for quality

Last Friday morning in France, my investigations led me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary:

Since financial services drives a lot of the information security industry it is fair to ask - are they doing a very good job at securing systems and data or are they just moving more risk on to the consumer? In 2008, should we be telling people to type usernames and password into web forms and the use those "secrets" (cough, cough) to make business decisions?

Weak identity = weak claim = weak access control.

From Ross Anderson's book (2nd edition)

Were I designing an online banking system now, I would invest most of the security budget in the back end.

Rote Based Access Control

I think RBAC is, next to firewalls and SSL, the biggest silver bullet misconception in infosec. I cannot count how many times I have heard managers say if we just had RBAC all our identity problems would be solved. These same managers work in companies that reorg every 6 months and outsource anything that moves. Not that RBAC is useless; it can solve some problems, but introduces some too. Pamela Dingle:

Roles are indeed in the domain of the “identity weenie” — but alone, roles are nothing but a maintenance nightmare - they exist to be leveraged. Rules on the other hand, are the problem of the “authorization weenie” and are written (for example) as a WAM policy that says “All Production Accountant Level II resources can access the accounting SharePoint instance”. When you collect roles into a profile and collect rules into a policy and then evaluate for a given user, resource, and point in time, what you eventually get is an entitlement, ie “Jenny should get into the accounting SharePoint instance”. The goal is to have transitive logic between roles and rules, such that two different people can take on the two different statements being made. Jenny’s Manager can authoritatively state (through a workflow approval) that Jenny is indeed a production accountant. The owner of the Accounting Sharepoint instance can authoritatively state (through an authorization policy) that all production accountants should have access to their site. ... What happens when the system detects the static presence of two conflicting roles? What happens if one role is “truer” than another at some point in time?

The other silver bullet fallacy that RBAC introduces is the idea that objects, subjects, and sessions can be bundled so nicely enterprise wide. People look at their nice org charts and assume that you just plug that into your directory and go. Works great in a domain with hard edges like a call center, where discrete groups of people execute the same tasks the same way across many sessions. Not so good once you step above the rote task level. Interestingly, "God level" access works well with roles too, but we are not supposed to be building systems with that stuff any more, right?
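The roles-versus-rules split Pamela describes, and the two failure modes raised above (a role that stops being "true" after a reorg, and two conflicting roles held at once), are easier to see in code. The following is an added example, not from the original post or from Pamela Dingle: a manager's workflow approval becomes a dated role assignment, a resource owner's policy becomes a rule, and an entitlement is computed for a given user, resource and point in time. The people, roles, resource names, dates and the separation-of-duties pair are all made up for illustration.

```python
"""Added example, not from the original post: composing an entitlement from
roles (attested by a manager) and rules (written by a resource owner), with
time-bounded role truth and separation-of-duties conflict detection.
All names, dates and policies below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    """Manager's statement (via workflow): this user holds this role between these dates."""
    user: str
    role: str
    attested_by: str
    valid_from: date
    valid_to: Optional[date] = None  # None = open-ended


@dataclass(frozen=True)
class Rule:
    """Resource owner's statement (via policy): this role gets this permission here."""
    resource: str
    role: str
    permission: str
    owner: str


# Pairs of roles one person must never hold at the same time (assumed policy).
SEPARATION_OF_DUTIES = {frozenset({"production_accountant_ii", "accounts_payable_approver"})}


def active_roles(assignments: Iterable[RoleAssignment], user: str, on: date) -> Set[str]:
    """Roles that are 'true' for the user on the given date; expired ones drop out."""
    return {a.role for a in assignments
            if a.user == user and a.valid_from <= on
            and (a.valid_to is None or on <= a.valid_to)}


def sod_conflicts(roles: Set[str]) -> List[str]:
    """Human-readable list of SoD pairs fully contained in the role set."""
    return sorted(" + ".join(sorted(pair)) for pair in SEPARATION_OF_DUTIES if pair <= roles)


def entitlement(assignments: Iterable[RoleAssignment], rules: Iterable[Rule],
                user: str, resource: str, permission: str, on: date) -> Tuple[bool, str]:
    """Evaluate (roles profile) x (rules policy) for one user, resource and date."""
    roles = active_roles(assignments, user, on)
    conflicts = sod_conflicts(roles)
    if conflicts:
        # Deny outright rather than pick the "truer" role: that is a human decision.
        return False, "SoD conflict: " + "; ".join(conflicts)
    granting = [r for r in rules
                if r.resource == resource and r.permission == permission and r.role in roles]
    if not granting:
        return False, f"no rule grants {permission} on {resource} to roles {sorted(roles)}"
    r = granting[0]
    return True, f"granted: role {r.role} (rule by {r.owner})"


# Constructed sample data. Jenny's accountant role was approved for H1 2008 only
# (the reorg), and in May she also picked up an approver role.
ASSIGNMENTS = [
    RoleAssignment("jenny", "production_accountant_ii", "bob", date(2008, 1, 1), date(2008, 6, 30)),
    RoleAssignment("jenny", "accounts_payable_approver", "dave", date(2008, 5, 1)),
    RoleAssignment("sam", "production_accountant_ii", "bob", date(2008, 1, 1)),
]
RULES = [
    Rule("accounting_sharepoint", "production_accountant_ii", "read", "carol"),
]


if __name__ == "__main__":
    for user, on in [("jenny", date(2008, 3, 1)), ("jenny", date(2008, 5, 15)),
                     ("jenny", date(2008, 9, 1)), ("sam", date(2008, 9, 1))]:
        print(user, on, entitlement(ASSIGNMENTS, RULES, user, "accounting_sharepoint", "read", on))
```

The point of the three dates is that nothing in the directory changed between them except the calendar: the same user is granted in March, denied in May because two roles that should never coexist both became true, and denied in September because the attestation that made her an accountant has lapsed. An evaluator that only looks at a static group membership answers "yes" all three times.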

Learning from Ghana

It's always interesting to see where the developed world can learn from emerging economies. A lot of the best engineering work comes from having to deal with harsh constraints (the opposite of architecture astronomics). I blogged a while ago about using smart cards for digital cash in Africa



Looks like there is a new system in Ghana as well

E-zwich smartcard launched

E-ZWICH smartcard, a universal electronic system that facilitates easy access to and transfer of money, has now become part of financial transactions in Ghana.

The new system which is also designed to remove the cumbersome and insecure processes of using cash, was launched in Accra yesterday by President J.A. Kufuor, with a call on corporate bodies and government agencies to use it to ensure transparency and integrity on payrolls.

E-zwich is an electronic payment system that allows one to make payments for goods and services or transfer money to others without having to carry physical cash.

Available at all banks countrywide, the system involves the loading of money onto the smart card after registering with any bank without necessarily having an account with that bank.

President Kufuor said the introduction of the system has the potential of transforming the payments landscape, the financial services industry and the general conduct of business in the country.

He said accessing the technology was an integral part of government’s overall vision of making Ghana the gateway to the West Africa sub-region and transforming her into a major financial hub.

The President said that globalisation has come with a major challenge of adopting best practices in all spheres of endeavour especially within the macro economy in order to survive in the market.

He said it was against that background that the government has pursued polices to develop and modernise the financial sector to enable it to play a key role in resource mobilisation for increased investment.

With the reforms and the stability of the macro-economy, President Kufuor said the nation was witnessing dramatic growth in the banking sector.

He pointed out, however, that in spite of the impressive growth of financial institutions, an estimated 80 per cent of the eligible population was still "un-banked" or "under-banked" and seemed not to have access to financial services.


Wonder when we will see US, UK, and other first world banks and brokerages catch up to Ghana and South Africa on these technologies? Is it really a good idea in 2008 to have everyone type their username and password into a web browser?

Sun in Microsoft's Rearview Mirror on Software Security

James McGovern muses:

Good to run across Sun employees such as Gerald at OWASP chapter meetings. Hopefully for the next event, he can figure out how to bring down a dozen or so folks from Sun labs. After all, they probably understand the need for writing secure code more than the Microsoft crowd. This makes me wonder if Pat Patterson has ever attended OWASP meetings on his side of town?

Would be great to see Sun get involved with OWASP, but I see no evidence that they understand the need for writing secure code more so than Microsoft. In fact I see every evidence that Sun is several years behind Microsoft on software security. Let's do the list - Howard/LeBlanc's work, threat modeling, software security patterns and practices, SDL, SecPal, BlueHat, OWASP guidance work, and that is all before we get to identity stuff. From what I see it's a yawning gap. Would be great if Sun would re-discover its engineering roots at some point, but right now I don't think they are even in the conversation.

Air travel revenue

I know the airlines are struggling with revenues, but instead of charging people for bringing 5 more lb of luggage, why not consider the entertainment business. Bill Simmons:

Why is there no sports book in McCarran Airport in Vegas? The place is full of slot machines. Isn't a sports book the perfect gambling option for someone on a layover who doesn't want to play slots? -- Jeff, Valparaiso, Ind.

SG: You're making too much sense. McCarran needs a sports book, blackjack and craps, and it needs an area where you can walk around in a black leather jacket screaming "Serrano's got the disks! Serrano's got the disks!" without airport security tackling you.

There is no question you could charge people to reenact Serrano's got the disks.

Omaha Trip Report

Last weekend I went to Omaha for the Berkshire Hathaway (A, B) annual meeting, there were many highlights.


Around 30,000 people showed up to hear Warren Buffett and Charlie Munger hold court. I had read the meeting notes from the previous few years and was excited to hear what they had to say. Buffett could not have been a more gracious, patient host (he revealed that he had been too shy to do public speaking when he was younger; he signed up for a Dale Carnegie speaking course, gave them a check for $100, went back to his apartment and then stopped payment on the check; the next time he signed up he paid the $100 in cash) and Munger was very witty and insightful. Oh, and Bill Gates was there, but I did not get a chance to ask him any WS-* questions.



I also got to briefly meet Bill Mann, who is one of my favorite analysts at the Motley Fool, where he runs the Global Gains service (I wanted to meet Alex Dumortier but missed him, but running into one person in 30,000 was pretty good). I got to thank Bill for picking a couple of nice stocks. If you like learning about Argentinian land companies one month, Macau casinos the next, and Irish banks the following as much as I do, then this service is for you. Bill took notes of his favorite quotes

Munger on investment banks

CM: It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

Munger on risk(!) - double layering of risk protection. These guys view risk so much differently from the herd; it is refreshing. It's about avoiding permanent capital loss. It's the assets, stupid.

CM: You can see how risk averse Berkshire is. We try to behave in a way so that no rational person will worry about our credit. We also try to behave in a way that if people don’t like our credit we wouldn’t notice for months. That double layering of protection against risk is like breathing. The alternative culture is you call a man a Chief Risk Officer, but often he is man who makes you feel good while you do dumb things. Like the Delphic oracle, a dumb soothsayer, and how can he do dumb things if he has a PHD and can do all the advanced math! You crave a system such that you torture reality to fit a structure that doesn’t match with extreme situations in reality, you feel confident because you compute the risks, but you haven’t -- you have just clobbered up your own head.

Munger on nuclear war (heads up survivability people)

CM: Mexico had a 95% mortality rate from European settlers, the pathogens and such. So I think the species will survive. I hope that cheers you up.

On subprime

How do we better measure leverage and accounting of assets, integrity?

WB: It is a very tough thing. I still lean strongly towards fair value accounting – it is hard to use, but should we use cost? I think there are more troubles when you start openly valuing things at prices that don’t matter instead of best estimates even if inaccurate. I would stick with financials reporting assets at fair value. When you get into CDOsquared, the documentation is enormous. If you read a standard residential security – it consists of thousands of mortgages, then different tranches. Then take CDO and take junior tranches on a whole bunch of juniors – put them together and diversified in theory – a big error to start with. That was nuttiness squared. You had to read 15,000 pages to get a CDO, then 750k pages to evaluate one security in a CDOsquared. To let people use 100cents they paid vs. the 10cents it trades at in market is an abomination. Fair value discipline, mild as it may be, may keep managements from doing some stupid things. I lean toward the market value approach. When you get towards complex instruments, I don’t know how you value it. Charlie, back at Salomon I think you found one mismarked by $20m, right?

CM: A lot goes on in bowels of American industry which is not pretty. A lot of people got overdosed on Ayn Rand. They would hold that even if an axe murderer in a free market is a wise development. I think Alan Greenspan did a good job on average, but he overdosed on Ayn Rand that whatever happens in free market is going to be alright. We should prohibit some things. If we had banned the phrase, “this is a financial innovation which will diversify risk”, we would have been far better off.

They had all the Berkshire family companies represented and we walked the floor - Johns Manville, Shaw Carpet, DQ, the works, and even Mars was there, even though they had only joined the Berkshire family the week before



John Steven demonstrated how a firewall works: crunchy on the outside, smooth and creamy on the inside, at least until the whole thing melts



Finally, we went out to the airport to check out the Netjets planes


Long drive back to MN; thanks to Ned's Treo-ing we found an outstanding German restaurant outside Ames, IA just off the highway - The Old Hamburg. No Dunkels for me, because I was driving, but everything else was awesome. I worked off and on in Germany for a number of years, and never had anything this good.


I have learned more about security from Buffett and Munger than reading anyone in information security, and it was a pleasure to see them hold court in person. I hope to attend many more.
