Risk Horizon Blog

Kindle Fire Will Not Buy Us Much

Gregg Dippold — Sun, 02 Oct 2011 22:34:35 +0000

There is a post over at Volokh Conspiracy where the author Stewart Baker believes that the Kindle Fire users will ultimately be more secure because Amazon is acting as a big http proxy and by running everything through Amazon’s cloud it will reduce the risk of end point compromise. Instead of relying on your own ability to protect your device, Amazon will do it for you assuming that they are more knowledgeable than you in information security related matters. I am not nearly as excited for the following reasons:

1. Without physical security there is no security. If one has physical access to a device it is quite possible to subvert for nefarious purposes. Amazon cannot control that and if done well they will not be able to detect it. Ask Apple about all those jail broken iPhones. Additionally, many exploits rely on social engineering. All the hardware in the world cannot stop you from making an error.

2. A big filtering proxy in the cloud is just another filtering proxy. At some point its pattern recognition systems will have false positives enough times that users will work overtime to get around them; that, or Amazon will have to loosen up the filtering. One commenter pointed out correctly that AOL tried this before.

3. Amazon Fire will have its own broswer, which will have its own browser flaws and security problems. That is inescapable. Roll your own browser and you have to do your own code audits too, every change introduces new risks and possible regression errors.

4. Risk will be more non-linear. We may have fewer security problems but the impact of one will be far more severe. A heavily defended system is always complex and when a complex systems goes down it is frequently catastrophic in consequence.

5. Security is expensive. The more complex the system the higher the cost to defend it. Security is frequently one of the first areas relaxed when costs are creeping up. This is normally followed by a security failure of some kind, the firing of the security personnel, an increase in security spending on technological solutions and a return to the beginning. Think of this as the security personnel scapegoating life cycle. Amazon will not be immune.

In the end, the entire Amazon Kindle Fire ecosystem is just another system requiring defending with the same kinds of problems as other systems. I do not share the author’s optimism.

Central Control System Risk

Gregg Dippold — Wed, 22 Sep 2010 11:30:30 +0000

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element. These systems can be attacked and service they provide disabled.

Take, for example, a network intrusion detection system; is the control console system protected? Is the back end database on it’s own server or is it part of a shared environment? Are the updated signatures delivered over a private physical network or at least a separate VLAN? Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s control systems. Not because the security group is lazy or incompetent but because they simply do not have the resources to adequately safeguard their own systems. They are assigned additional duties without additional personnel or it was left out of the budget. It can happen to the best. There have been numerous luminaries in the information security field who have been hacked. Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software etc. you should contract someone who can and then audit them, regularly.

The Threat is Consistent

Gregg Dippold — Tue, 21 Sep 2010 11:00:36 +0000

Those whom wish you ill or would gladly steal from you care little about the global economic downturn. They are not sending out fewer exploits as attachments to spam, they have not stopped looking for ways to transfer money from your bank account or use your office PC’s as zombies. When money is tight you need to defend yourself intelligently. Your number one priority should be keeping your software patched. Your second priority should be scanning any externally facing web applications for common vulnerabilities. If you don’t have the skills, hire someone who does. Finally, take the time to educate your employees on safe computing practices. Again, If you lack the skill bring in a professional trainer.

How Much Security is Enough?

Gregg Dippold — Mon, 20 Sep 2010 12:00:57 +0000

How secure is your company? Are you spending too much or not enough on security? How would you know? We don’t have a 1,000 years of statistical data to build orderly models with nice normal distributions (if in fact this is the underlying distribution, most likely not.)

Much of what is spent is to fix an irritation or meet a regulation. I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus. In this case it was purely reactive. When I was a senior security analyst inside a large multinational, we are able to go three straight years without a worm or email virus getting into our network. This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on bugtraq like it was a malicious lie. We managed this on a relatively small budget and a user base with admin access over their local machines. It is possible to have tight security without spending a fortune. Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat. The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked. Of the triad in security, prevention, detection and clean up, prevention is frequently the most expensive when using technology. Prevention is a lot cheaper if you don’t hire losers in the first place or you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point lacking a wealth of statistical data, most companies can’t say if they are spending too little or too much unless they ask an outside expert. If they ask the question inside the company, they will most likely get the answer weighted for self preservation, if they are asking at all.

Moving

Gregg Dippold — Sat, 18 Sep 2010 20:35:25 +0000

I decided to move the Risk Horizon weblog over to WordPress. I just got tired of the comment spam and maintaining it. My cross posts from Risk Intelligence are still viewable there.