Azure Appliance Security

The Microsoft announcement that it is moving the cloud service into an appliance and semi-private service comes at the same time that the Amazon CTO calls private clouds “false clouds”.

Stepping aside from all the marketing about what is real and what is false, I think this move by Microsoft raises some great security and compliance questions.

First, I seem to remember Salesforce rumbling about this public-private service model as far back as 2005, around the time of the Google search appliance. The idea then was to take a web service and package it so it can receive updates but that’s it. This allows an entrance into a market that has a natural fear of getting into a service like cloud. It also helps reduce the expense of Salesforce trying to establish a meaningful cloud compliance or confidence message.

Microsoft is taking steps in this direction now. ComputerWorld reports that Muglia offers details on Microsoft Azure Appliance:

Once settled in the data center, the appliance will be connected to Microsoft’s own instance of Azure. “We will maintain a flow of new software down to all of the appliances so they will be kept up to date,” he said, adding that the customer will retain control over factors such as when to apply updates and which services to deploy.

That sounds a lot like having another Microsoft product in a private environment that gets new software through the update service. Cloud? Oops, never mind, I started to get into the definition again.

I am more interested to know what kind of logging, monitoring and access controls are in place. Naturally it is completely absent from the ComputerWorld article. The word “security” and the word “compliance” are not used a single time! Here is a good example question: does Microsoft, or Salesforce for that matter, maintain their own accounts with access to data in these appliances? That would make “change vendor defaults” for regulations and compliance very difficult to achieve.

WMD Definition

A comment on Bruce’s blog today pointed me to a law in North Carolina that says a sawed-off shotgun is a weapon of mass destruction.

It looks like an afterthought in the text of the actual law, G.S. 14-288.8:

(c) The term “weapon of mass death and destruction” includes:
(1) Any explosive or incendiary:
a. Bomb; or
b. Grenade; or
c. Rocket having a propellant charge of more than four ounces; or
d. Missile having an explosive or incendiary charge of more than one-quarter ounce; or
e. Mine; or
f. Device similar to any of the devices described above; or
(2) Any type of weapon (other than a shotgun or a shotgun shell of a type particularly suitable for sporting purposes) which will, or which may be readily converted to, expel a projectile by the action of an explosive or other propellant, and which has any barrel with a bore of more than one-half inch in diameter; or
(3) Any firearm capable of fully automatic fire, any shotgun with a barrel or barrels of less than 18 inches in length or an overall length of less than 26 inches, any rifle with a barrel or barrels of less than 16 inches in length

One-quarter ounce charge? That seems amazingly low to me, given that the definition is for mass death and destruction. Is it really necessary to define a quantity for heavy or mass casualties, or do these terms reflect instead the intent of an attacker?

It reminds me of one particular controversy over casualty counts: the Nazi aerial bombing of a Spanish town in 1937 as immortalized in the Clash song Spanish Bombs.

This tragic attack is thought to be the origin of the term WMD due to the direct assault on civilians with three hours of bombing waves using newly developed “firebombs”.

…The only things left standing were a church, a sacred Tree, symbol of the Basque people, and, just outside the town, a small munitions factory. There hadn’t been a single anti-aircraft gun in the town. It had been mainly a fire raid.

…A sight that haunted me for weeks was the charred bodies of several women and children huddled together in what had been the cellar of a house. It had been a refugio.”

Eyewitnesses estimated that, aside from a series of bombs of 1,000 pounds, a series of 3,000 two-pound aluminum incendiary projectiles were used.

In the form of its execution and the scale of the destruction it wrought, no less than in the selection of its objective, the raid on Guernica is unparalleled in military history. Guernica was not a military objective. A factory producing war material lay outside the town and was untouched. So were two barracks some distance from the town. The town lay far behind the lines. The object of the bombardment was seemingly the demoralization of the civil population and the destruction of the cradle of the Basque race. Every fact bears out this appreciation, beginning with the day when the deed was done.

Monday was the customary market day in Guernica for the country round.

Wikipedia claims the ratio was likely to be forty tons of bombs dropped and as many as 1,700 dead, or 43 dead per ton of explosives. The town only had about 7,000 inhabitants. It then compares this number to bombing raids in WWII that averaged a ratio of about 10 dead per bomb.

The vast difference in ratios between Guernica and other bombing raids has led James Corum of the Army War College (mixed motives?) to argue that high casualty counts from bombs are propaganda:

From the 1930s to the present, the effect of airpower to produce casualties has been overestimated out of the ignorance of the press and the common perceptions of airpower. In some cases, the civilian casualties caused by air attack have been deliberately overstated in order to make a propaganda point. Recent conflicts such as the Gulf War demonstrate that the perceptions of heavy civilian casualties remain even if great care is taken to limit collateral damage in an air campaign. The recent wars show us that the deliberate falsification of civilian casualties from air bombardment is likely to remain as a major propaganda theme.

The propaganda theme?

Perhaps estimates are increased in order to show that weapons with potential for mass destruction actually cause mass destruction.

It is not always so simple, however, as I have mentioned before. Looking at Guernica versus other bombing runs I am curious about the effect of defenses like balloons, better civilian preparedness, and other significant target differences. That takes me back to the core definition of WMD. Furthermore, propaganda seems to run both ways. Here is another angle, completely the opposite from the “propaganda point” argued above:

It is impossible to state yet the number of victims. In the Bilbao Press this morning they were reported as “fortunately small,” but it is feared that this was an understatement in order not to alarm the large refugee population of Bilbao.

Add that perspective to the fact that Nazis claimed the town was really damaged by retreating civilians and not the bombing raid.

In other words, history shows it is more revealing to investigate motives and means when trying to regulate WMDs. This is likely to be more on target than searching for an accepted measure of the causes for severe and mass destruction. The question then does become what is the intended use of an incendiary bomb, or a shotgun that has a barrel less than 18 inches?

Edu Breaches Continue

If you have attended one of my Top Ten Breach presentations you will know that the educational domains (edu) are a big target. I give several reasons:

  1. The databases keep extensive identity data — financial, health, etc.
  2. Attackers often have higher motivation than financial gain — pride
  3. They run flat organizations with distributed security models
  4. They like to share
  5. Idle compute resources are plenty

I could go on. DarkReading says the trend continues with University Databases In the Bull’s Eye:

The education vertical has been hit by at least three other glaring database breaches at big universities across the country during the past few months

Come to my next Top Ten Breaches presentation this fall at the RSA Conference in London to hear what has changed from previous years.

Cloud Breaches Cost More

Whoa, I missed this report by Ponemon. Larry really has a knack for trying to put a very specific number on the cost of a breach. Secure Computing says he has found that Data breaches to cost more in the cloud:

Incidents that involved a third party — such as a cloud computing or software-as-a-service (SaaS) provider — had a higher average cost of $152 per record, compared to $109 for incidents that occurred and were handled in-house.

PGP CEO Phillip Dunkelberger told iTnews that organisations operating in the cloud incurred higher costs because of issues to do with territorial jurisdictions, and additional investigation and consulting fees.

I do not think crossing territorial boundaries is exclusive to the cloud. Furthermore, it makes sense that working with a provider adds an additional layer of legal representation and teamwork, but that does not translate directly into more load. Larger teamwork can also mean delegation and services are more efficient, which might offset some load.

Imagine a cloud adding breach response and legal consulting to the growing list of services, especially if they have prior experience and templates for notification. With a little twist and some preparation the cost just went down again.

Oh, wait, no, Ponemon says that costs more too.

The report found data breach incidents to cost 25 percent more when the remedy was managed by an external consultant or firm.

An even more sobering statistic is found towards the bottom.

The report found malicious attacks and botnets to account for 44 percent of data breaches. 31 percent of incidents were attributed to system glitches and the remaining 25 percent to negligence.

Thirty-one percent of all cases involved mistakes by third parties such as cloud computing or SaaS providers.

That says to me a vast majority of breaches did not involve third parties. Alternatively, it says that bringing in a third party has a significant chance of causing a breach due to a “mistake”. That is better than malice, but still pretty high in terms of risk. It begs the question: what percentage of providers assumed liability/responsibility for their mistake?