Controls Map

With the recent release of ISO17799:2005 and CObIT4 I guess I need to rewrite my controls map (not to mention the long list of privacy laws debated in California during 2005). I really like the ISO revision, but am still catching up with CObIT. One of the challenges of helping organizations stay on top of their controls is choosing the right blend of guidance and frameworks. I’m not saying you have to use a blend, but since they are never a perfect fit and different groups have their favorites (Auditors love COSO/CObIT, Engineers go for ISO, Ex-gov bring up the NSA and NIST, etc.) I find it helps to pull it all together into a shared map. For example:

SYSTEM INTEGRITY – Controls that ensure the integrity of the environment by utilizing proactive measures to prevent and detect unauthorized changes.

  • Gateway Filtering
  • Anti-virus
  • Encryption
  • Access Controls

  • ISO.17799 (8)(3) – Protection against malicious software
  • ISO.17799 (8)(7) – Exchange of information & software
  • ISO.17799 (10)(3) – Cryptographic controls
  • ISO.17799 (10)(5) – Security of system files
  • NIST.800-14 (3)(14) – Cryptography
  • NSA IAM (9) – Virus protection
  • AB 1950 (Wiggins) – California State Personal Information Security
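To show how a shared map like this can be queried rather than just read, here is an added example in Python (not code from the original post). It stores the SYSTEM INTEGRITY domain exactly as listed above, adds one constructed sample domain with deliberately thin coverage, and answers the two questions a control owner usually asks: which frameworks back a given domain, and which domains a given framework has nothing to say about. The sample domain, its placeholder clause, and the function names are assumptions of the example.

```python
"""Controls crosswalk: control domains mapped to clauses of several frameworks.

Added illustration, not part of the original post. The SYSTEM INTEGRITY
references are the ones listed in the post; the second domain is constructed
sample data so that the gap report has something to find.
"""
from collections import defaultdict

# Each reference is (framework, clause, title). An empty clause means the
# source is cited as a whole (the California bill has no clause numbering here).
CONTROLS_MAP = {
    "SYSTEM INTEGRITY": {
        "description": (
            "Controls that ensure the integrity of the environment by utilizing "
            "proactive measures to prevent and detect unauthorized changes."
        ),
        "measures": ["Gateway Filtering", "Anti-virus", "Encryption", "Access Controls"],
        "references": [
            ("ISO.17799", "(8)(3)", "Protection against malicious software"),
            ("ISO.17799", "(8)(7)", "Exchange of information & software"),
            ("ISO.17799", "(10)(3)", "Cryptographic controls"),
            ("ISO.17799", "(10)(5)", "Security of system files"),
            ("NIST.800-14", "(3)(14)", "Cryptography"),
            ("NSA IAM", "(9)", "Virus protection"),
            ("AB 1950 (Wiggins)", "", "California State Personal Information Security"),
        ],
    },
    # Constructed sample domain (not from the post). The clause is a placeholder,
    # not a real ISO 17799 section number.
    "CHANGE MANAGEMENT (sample)": {
        "description": "Sample domain with only one framework reference.",
        "measures": ["Change approval"],
        "references": [
            ("ISO.17799", "(placeholder clause)", "sample reference"),
        ],
    },
}


def frameworks_covering(domain):
    """Return the set of framework names that have at least one clause mapped to `domain`."""
    return {framework for framework, _clause, _title in CONTROLS_MAP[domain]["references"]}


def clauses_for(domain, framework):
    """Return the clause strings of `framework` mapped to `domain`, in map order."""
    return [
        clause
        for fw, clause, _title in CONTROLS_MAP[domain]["references"]
        if fw == framework
    ]


def gaps(framework):
    """List the control domains that have no reference to `framework`.

    This is the crosswalk question an auditor who favors one framework will ask:
    where does the shared map fall silent from their point of view?
    """
    return [domain for domain in CONTROLS_MAP if framework not in frameworks_covering(domain)]


def crosswalk():
    """Build framework -> domain -> [clauses], the view each framework's advocates want."""
    table = defaultdict(dict)
    for domain, entry in CONTROLS_MAP.items():
        for framework, clause, _title in entry["references"]:
            table[framework].setdefault(domain, []).append(clause)
    return dict(table)


if __name__ == "__main__":
    for framework, domains in sorted(crosswalk().items()):
        print(framework)
        for domain, clauses in domains.items():
            print(f"  {domain}: {', '.join(c or '(whole source)' for c in clauses)}")
    for framework in sorted(crosswalk()):
        missing = gaps(framework)
        if missing:
            print(f"{framework} has no mapping for: {', '.join(missing)}")
```

Running it prints the map from each framework's side and then the gap lines; in practice the data lives in a spreadsheet or YAML file and this kind of query is what turns a static list into something each group can check against their own favorite standard.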

Security vendors and trust

RSA 2006 is coming soon and so I am being literally barraged by security vendors hawking their wares. How do we sort the chaff from the wheat?

Here’s a hint: there is nothing more annoying than someone dangling an iPod in front of my face and asking me to tell them whether I am able to comply with some regulation. “Tell us if you violate the GLBA and we’ll give you an mp3 player” is downright insulting. It baffles me that someone who is basically anonymous would even ask that question and expect to get accurate data. And putting a picture of some cute person in front of me doesn’t improve things. Appropriate response: ignore or, if pressured, present bad data and walk away.

If you represent a security company, please help stop the madness. Random drawings for popular electronics based on contact information alone are one thing. Overtly saying “we’ll pay you to give us dirt on your employer” without establishing any modicum of trust should be grounds for being barred from security conferences.

Spy Rock

Come here my sweet pet

You’ve heard of the pet rock? Russian intelligence is accusing the British of using one to spy on them, according to the BBC. The article has a fun Q&A format, with answers like this:

from what we know it appears that those who allegedly stole the confidential information walked close to the rock and then uploaded data to the device beneath it. Later, others came and downloaded the data and walked off with it

“Sir, can I help you?”
“No, thanks, just taking my pet rock for a walk.”

Update: the Russians reportedly claim the rock cost “several tens of millions of dollars” to develop. Funny.

Pirates and Terrorists

US Warship tracks Somali Pirates

Recent events in the waters off the Somali coast are probably a sign of things to come. Pirates there have been a serious problem for many years (although historically dwarfed by the waters near Indonesia or even Nigeria), and the modern Navy has tended to only intervene and respond to civilian vessels after a mayday. This means that the Pirates are essentially taking the opportunity to attack highly vulnerable and ill-prepared victims.

The main difference between pirates and terrorists seems to be that the latter are motivated by some political mission, whereas the former are just hoping to increase their wealth by force (motivated by greed). When we heard about the cruise ship that was hit with an RPG, but managed to repel the attackers with a loud noise, we were led to believe there were just pirates afoot (and not internationally funded criminal syndicates with a political agenda).

While that’s likely, one has to wonder at what (economic) point does the market for pirates give way to the politics of terrorists? Al Qaeda, of course, has been rumored to be discussing the use of vessels, including large fuel tankers, at sea in the same fashion as they had used airplanes on 9/11. Makes sense that they would discuss any vehicle under the sun given the nature of suicide bombing and the need to rapidly and discreetly “insert” themselves into a civilian zone.

Relative spatial density of reported pirate incidents in the Gulf of Aden for 2008

Therefore, if the threat of pirates increases far enough and ships remain vulnerable, eventually terrorists will make the glaringly obvious connection. The question then becomes whether countermeasures will be able to detect and prevent sufficient numbers of attacks to catch all those that might be linked to terror motives, and whether the root cause should/can be addressed rather than the symptoms.

I picked up a morsel of news several months ago that SEALs were actively training to rescue a large ship that had been commandeered in the Indian Ocean. The shipping company decided to pay a ransom (i.e. pirate motives were satisfied) rather than have the US military take it back by force. It’s hard to say more without the full details but it seems lucky to me that all those attackers wanted was money. My guess is the Navy was thinking the same thing, and the SEALs were probably extremely disappointed in having their mission cancelled, so it’s no surprise to now hear in the mainstream press that US warships have started engaging the threat more and more proactively. The AP report regarding the latest Somali case notes that:

The Churchill is part of a multinational task force patrolling the western Indian Ocean and Horn of Africa region to thwart terrorist activity and other lawlessness during the U.S.-led war in Iraq

“Thwart terrorist activity and other lawlessness” is exactly what I am talking about. Does this mean the US Navy is now set to enforce the law in International waters? And do they need to mention multinational forces and the Iraq war in order to justify enforcing the law? The article also mentions “The Navy said it captured the dhow in response to a report from the International Maritime Bureau in Kuala Lumpur on Friday…” but it remains to be seen why this pirate ship in particular was of interest to the US Navy and why this is making mainstream news.

Beyond the threats of lawlessness, we still must face the general issue of vulnerability of ships. Although I’ve seen some improvements, I have to say that things like electrified fences have serious drawbacks. Aside from falling into one yourself, it is a single control point and rather prone to failure (electricity is not plentiful or reliable at sea) as well as somewhat easy to work around (attackers might just move on to the next vessel, but if they are everywhere what would stop them from just developing insulation/shorting equipment?). While naval engineering has made great strides in making boats more seaworthy, this has not translated into innovation in private boating anti-piracy measures. When you think of the boating industry in general, do consumers want to spend money on teak fittings, extra shipping capacity, or surveillance cameras and ammunition? Thus, I think the best answer today actually is a reduction in threats, which means that (multi)national forces will have to find ways to cooperatively police the international waterways before the path of the pirates is joined by terrorists. I hate to say it, but it reminds me of the “great Naval powers”…what would Admiral Nelson do?

Attacks by country


2019: Updated to add UNOSAT maps to replace deprecated secure-marine.com links

the poetry of information security