#ozsec - bringing the Australian Information Security Community together

Hello blogosphere!

I have been trying to learn to use #hashtags in twitter to spread the Australian Information Security Association message. The #AISA hashtag seems to be used by others on twitter, maybe it means something in Hindi?

So I went and invented the #ozsec hashtag I hope this can be used by the community to communicate australian infosec events, associations, security research and the like.

In case you didn't know here's a few interesting Australian Information Security facts (please let me know if I have got any wrong):

- the 1st free open source port scanner was invented in Melbourne by Julian Assange of wikileaks fame

- there are over 1000 members of the Australian Information Security Association

- there are over 421 members of the AISA Linkedin Group,which I started too :)

- there are world class security researchers in Australia like Mark Dowd, renowned for securing the Google Chrome browser, the only browser to survive Pwn2Own 2010

- AusCERT has been running the premier australian security conference for seven years now and has been in operation for 17 years.

- At least one of CA technologies identity management products is developed in Australia

- One of Microsoft's three main malware research and response labs is located in Melbourne.

- A number of australian universities offer graduate certificates in information security management (RMIT, ECU etc)

- The Risky Business Podcast made in Australia often has true thought leaders in infosec on it. HD Moore comes to mind as well as FX and Barnaby Jack.

- Selinux in Debian and redhat was developed by an Australian in Australia

- Defence Signals Directorate runs a Cyber Security Operations Centre

How are architects, security architects and security testers meant to play together?

Well here's my thoughts on how architects and security people responsible for security architecture should work together. Keen for feedback as always :). Note - I updated this post further to comments to highlight how security testing should work.

Application Owners - These are business people who own a business process and hence the business applications that support the business process.

Business Analysts - These are people who identify requirements from business stakeholders and ratify them with the Application Owner.

Solution Designers - These are the people who often write the use cases for the applications and have responsibility for the design of the applications.

Enterprise Architects - Along with producing the "enterprise architecture" these fellows liaise with the solution designers to determine requirements so that applications can be interconnected. For example network and middleware designs. Enterprise Architects produce solution blueprints for solution designers to follow for applications.

Enterprise Security Architect - Along with developing the "enterprise security architecture" which is a subset of the "enterprise architecture" and contains the "zone model" this person develops "security patterns" that can be overlaid over solution blueprints that provide standard sets of security controls. This person also is responsible for securing middleware and other shared infrastructure. It should be noted that the "security patterns" produced are vendor independent and are performance specification related. This enables the organisation to have a long term view of what they want and what direction they are heading in allowing them to drive vendors to deliver to meet their needs, rather than be driven by the offering of vendors.

Security Solution Designers - These people take the "solution design" from the solution designers and apply the "security patterns" from the enterprise security architect to develop the "high level design" for the solution. They also go to the next level of detail called the "security detailed designs". They select the vendors of the hardware and software to meet the requirements of the pattern and use their experience of "what works in the real world" to ensure that the planned application architecture and planned security architecture meshes together. Most importantly they perform the risk assessment, collate the requirements, select and document the security controls.

Security Engineers - These unsung heroes using their in depth training with the security products in use configure the security product hardware and software in accordance with the "security detailed designs".

Application Developers - These guys develop the application in line with the solution design and use cases written and updated by the business analysts. Hopefully they are well educated and policed so that they write secure code in line with the requirements in the "high level design" and "security detailed designs"

Functional Testers - These people test the application to make sure it meets the requirements in the "use cases" mostly put together by the Business Analysts and refined by the Solution Designers.

Non Functional Testers - these people test all the things that need to be tested that don't fit in a use case. For example conducting performance and volume testing, making sure high availability functions work as advertised by turning devices off etc.

Security Testers - These security people check that the security controls designed by the security solution designers and documented in the detailed design documents operate as intended. For example password strength is enforced, sessions are terminated when a logout function is activated etc. Its a good idea for these guys to also check that security requirements and security controls match up.

Penetration Testers - These wonderful people look for common application vulnerabilities, misconfiguration of operating systems, databases and application server software. Their job is to identify missing commonly expected security controls, see if they can bypass the existing security controls or find weaknesses in their implementation. It should be noted that the penetration testers job is not to perform the more rudimentary functional or non-functional testing of security controls but to be the "icing on the cake" to sanity check the design and put the security controls through their paces.

If you don't have these, well what's your problem?

If you are in the security function of a medium sized organisation and you don't have the following under control..... well here's the list and a place to start if you don't:
- job descriptions for members of information security function
- list of business units and a key contact in each you know
- list of critical business processes and key applications for each business unit
- schedule for risk assessments of processes and applications
- some completed risk assessments (incorporating security policy compliance checks)
- security policy framework (aka ISMS)
- endorsed security policy
- some endorsed standards (esp. acceptable use, password, secure configuration )
- some processes
- some procedures (esp. Firewall mangement )
- matrix of security controls and results with forward schedule
- schedule for pen testing program for critical applications
- copies of business unit risk registers
- vulnerability management solution and some completed scans
- log management solution and plan for enabling logging on end devices and associated alerts
- security awareness material for induction training
- enterprise security strategy with list of treatments that security function are running with
- governance reports to stakeholders

What should your security team look like?

When thinking about the structure of your central security function you should consider what best makes sense for your organisation and what functions should be allocated to full time employees, contractors and service providers.

There are roles that need to be held by full time employees as these roles need deep relationships with internal stakeholders and service providers for the security program to make progress.

• Information Security Manager - a full time employee will be able to act in the best interests of the organisation and maintain the relationships with senior stakeholders that are necessary for securing funding and approval of security standards.
• Information Security Governance Analyst - a full time employee will be able to build relationships with stakeholders in business units and gain an understanding of their business processes that is essential for co-ordinating risk assessments, security policy compliance checks and security control testing
• Information Security Technical Analyst - a full time employee will be required to liaise with projects and business units for penetration testing. It would also make sense to use a full time employee to conduct vulnerability management activities like vulnerability assessment scanning and oversee security patch management.

There are roles that can be nicely performed by contractors:

• Security architect - security architects are often required when an enterprise security architecture is being established or when there is a high volume of projects requiring guidance

There are functions that can be outsourced to service providers such as:

• penetration testing - it makes sense to outsource this function as the resource requirements will vary dependent on projects in the pipeline
• risk assessment and security policy compliance checks of projects and processes
• security control testing
• security operations - firewall management, IDS management etc.

Social Media Security

I know of a few organisations who are wishing to leverage social media to connect with their customers. I'd advise that they do a solid business focused and technical focused risk assessment before doing so. There are some major benefits that can result, but one should consider the risks and prepare to respond.
Some of the things they should consider and develop policy, standards and contingency plans could include the following:
- what social Media sites and services will you use, and what will you share and accept back? Do you want to set up a youtube channel? will you accept people re-mixing your video posts, what is going too far, how will you respond? Do you want to set up a twitter account? How will you respond to "trolling" and mocking copycat accounts (see @BPGlobalPR for a case study). If you set up a facebook company profile or user group, what will you put on there? Will you allow/respond/remove advertisers/head hunters etc.

-consider if the social Media platform can leak information about your personnel or systems to an attacker. Consider if personnel should be individually identifiable? Could someone who is mentally disturbed trace a person from a corporate social media account to their personal one and retrieve information as to their location, appearance etc. that could lead to a physical security problem.

- Consider if the target demographic are vulnerable or targeted by another group. For example consider the case study of when internet miscreants raided an epileptic web forum and posted scripts and images intended to give viewers a seizure. Is your target audience elderly, a persecuted minority, subject to foreign or domestic government monitoring/intimidation etc.

Thoughts on the infosec industry

Here's a few thoughts on the state of the security industry, please excuse the rampant use of automotive analogies as I'm blogging this from my garage :)

- Aftermarket products are sold to try and fix insecure operating systems and applications. They don't work all that well because the signature detection/prevention paradigm can be defeated by simple obfuscation or a custom developed exploit. It's sort of like trying to retrofit an airbag to a car with a button to press in case of an accident rather than designing a strong safety cell and crumple zones. If we were doing security well at the operating system, we wouldn't need firewall technology at all. If we did security well at the application level, no need for antivirus !

- we're not attracting the best and brightest to work securing organisations. The kids seem to want to learn to break rather than learn to build. Maybe we need "drag-strips" or hackerspaces for the fast and the furious who want to play.

- We're not so good about understanding and marketing to our target markets and putting together solutions that work. Why one ISO standard for everybody? Why not separate ISO standards aligned with the risk profiles of SOHO, SMEs, state government, banks, federal government and military

Best bang for buck security initiatives

If you are a CISO or even a security analyst what are some of the best ways to make a visible impression and change the risk profile of your organisation ?

Well here are some suggestions:
- conduct security awareness training customised to business unit processes.
- identify your key business processes and systems by interviewing business unit leaders
- perform a risk assessment of the top ten riskiest business processes and top ten systems for each.
- pick a key system, vulnerability scan its infrastructure and present the results with proposed fixes.
-identify a list of projects underway and risk assess the top ten riskiest
-engage someone to identify and test your internet facing web applications
- talk your infrastructure people into doing an inventory of devices on the network
- monitor outbound web traffic for botnet command and control communications
- benchmark patch levels of 3rd party apps on top of desktop standard operating system SOEs

Well that's the end of my brain dump ! Hope it helped you out with some ideas!