The PPT deck from my ESD301 Cloud Security: Locking Down the Endpoint with Measured Boot and UEFI presentation at the Microsoft Security Development Conference 2013 in San Francisco yesterday can be found here.

To all of the attendees – thank you! I heard later from the conference organizers that we had a better Q&A session than all of the other ones combined…

No Comments » Permalink

Here’s a short and sweet blog post about DARPA’s need to stay ahead in cyber-security emerging technology. DARPA is the US Defense Advanced Research Projects Agency.

JW Secure is proud contributor to DARPA’s mission to quickly deliver the latest cyber security technologies into the hands of users: our BIOS Integrity Measurements Heuristics Tool for DARPA Cyber Fast Track is now a component of our StrongNet device authorization solution.

No Comments » Permalink

What does the Bring Your Own Device (BYOD) trend in IT mean in terms of new security considerations for the typical enterprise? And what should the Business Decision Maker (BDM) be doing about it?

In summary: embrace BYOD, enable your business, and allow your employees to be more productive anywhere and from any device. But don’t forget to do your risk management homework.

BYOD Security and the Enterprise

Never before has the proverbial information worker had so much computing power – smartphone or tablet – always on hand. And never before has it been as easy for IT to support the business with ready access to the data and tools necessary to enable new revenue sources and faster decision making. The decision to embrace BYOD is an easy one: employees, partners, and vendors are likely already using their own computing devices to communicate and collaborate. The question is, what can be done to establish and enforce practical data security policies for a fast-changing, heterogeneous computing environment?

Here’s a typical BYOD security cautionary tale: Widgets Co stores its documents on SharePoint and recently migrated to Office 365. The migration has been a boon to the Widgets business teams: they have more control over the look and feel of their team SharePoint pages, they can support a variety of client devices, and allow remote employees, frequent travelers, and vendors to collaborate. Plus, outsourcing is saving time and money for the in-house IT team, allowing them to focus on more strategic efforts such as enabling new LOB scenarios.

Recently, though, a senior executive, distracted after leaving a meeting in a foreign city regarding a potential merger between Widgets and Acme, left his tablet in the back of a taxi. Since he’s not sure what documents had been downloaded, or when, it’s tough to assess the potential impact of the unauthorized data disclosure if the device falls into the wrong hands. Either way, the timing of the loss couldn’t be worse: if Acme, its competitors, or even members of the foreign government were to learn details about Widget’s internal discussions about the proposed merger, it could put Widgets in a bad place, and likely result in the termination of the executives leading the effort.

What can the BDM do to avoid this scenario? Read on.

Next Steps for the Business Decision Maker

The first recommendation may come as a surprise, but this is the real opportunity for the decision maker: don’t miss out on the opportunity to enable “anywhere” data access. Wherever your employees happen to be, and whatever device they happen to be using, consider how to let them be most productive. That doesn’t mean throw the barn doors wide open to your most sensitive corporate assets. Instead, it means make a reasonable plan for taking advantage of the latest collaborative tools, cloud services, and the security controls they provide. If you don’t, your competitors will be moving more quickly than you to enable faster decision making, new lines of business, and even attracting better and brighter employees who thrive in a more dynamic environment. First and foremost, the focus of the BDM must be on enabling the business.

The second recommendation brings us back to the planning part, and is where risk mitigation comes into play: with the business goals in mind, work with your CIO, CISO, and IT team to establish data security policies to enable them. Make sure the basics are being covered: user authentication, authorization, auditing, and data encryption. In other words, who should have access, and to what? How are those rules being verified? And how can we protect sensitive data – whether in the cloud, on-premise, on the move, or in the back of a taxi – and still foster a competitive, collaborative environment that keeps us ahead of the competition?

The most competitive businesses are constantly looking for ways to gain new advantage from their existing IT investments. Look to IT security to be a business enabler. The latest enterprise software tools and cloud services enable more sophisticated security controls than any previous technology generation – use them!

Bring Your Own Device Security: A Happy Ending

Returning to the example of Widgets Co, suppose data loss prevention policies are established across all IT applications:

• Data is encrypted at rest and in transit
• All mobile devices require password/PIN unlock

With those policies enforced, the lost tablet of the senior executive is a non-issue, the strategic merger between Widgets and Acme stays on course, employees stay productive, and the business prospers!

No Comments » Permalink

The announcement regarding optional multi-factor authentication to Microsoft online accounts, including Office 365 and Xbox, is a welcome one. Stolen passwords, whether via phishing, guessing, or accidental disclosure by the vendor, is a major threat against data security.

In summary, the feature allows you to associate your cell phone number with your Microsoft account. Then, periodically, in addition to typing in your password, you’ll be sent a secret code via text message. Typing in the secret code along with your password completes the sign-in process. In theory, the bad guys can’t compromise your account unless they also take control of your cell phone and/or phone number.

There are still threats. Could an insider at the phone company collude to compromise a high-value account? Yes. Could a bad phone app intercept incoming text messages and copy them to a hacker? Potentially. Could a phishing attack trick the user into typing a valid code and password into a fake form? Guaranteed.

Still, I recommend enabling this feature, since it raises the security bar quite a bit higher than what you get from just a static password.

No Comments » Permalink

Learn more about threat modeling in the March 2013 edition of the JW Secure Informer newsletter.

No Comments » Permalink

Excellent news for people who like to encrypt sensitive data: the JW Secure SecurEntity encryption library for Microsoft Entity Framework has been released to CodePlex and NuGet. The latest version, 1.3,  includes the following changes:

• Added thumbprint lookup capability for encrypted strings.
• Upgraded to Entity Framework 5.0 and .NET 4.5

Yes, this version gives you the best of both worlds: encrypted data + search.

No Comments » Permalink

BYOD, or Bring Your Own Device, refers to the trend in enterprise IT to rely on users to supply their own computing hardware in the form of smartphones, tablets, and, to a lesser extent, laptops. While there is an ostensible cost savings to be had in capital expenditure, and businesses can realize productivity in making it as convenient as possible for employees to always be connected, BYOD is mostly just a response to an external reality: as smartphones become more capable, consumers use them for almost all computing tasks side from “heavy” content creation (e.g. programming; video editing). Plus, while checking work email can be a primary task for a consumer smartphone, even on the weekend, the latest generation of users communicate via SMS, Facebook, and Twitter. All of those communication needs are met using public, free apps.

In that context, providing knowledge workers with a separate, corporate-managed, mobile computing device is moot. Nobody needs it.

But if you’re responsibilities include IT security management or compliance then you should already be squirming. There’s a balance to be struck, and it’s unlikely to be the same for any two businesses. On one hand, you have to support the latest communication, collaboration, and information exchange modalities if you want to attract and keep the best people and stay ahead of your competitors. On the other hand, there is a fiduciary obligation to deploy security control systems that, at minimum, help keep honest people honest when it comes to data storage and exchange.

Recent competition in the mobile sector has really paid off for consumers: the latest devices from Apple, Google, and Samsung are incredibly cutting-edge and yet incredibly usable. That impressive combination is in fact an inspiration for us security folks. One one hand, heterogeneity is hard for the IT security manager, since disparate mobile platforms expose different security controls. On the other hand, the raw power and extensibility present in these devices mean that the sky is the limit, both for the IT security manager in terms of developing and applying controls, as well as for the business manager in terms of dreaming up new scenarios for increasing business capability and velocity.

So how to secure all those mobile devices for corporate data access? Let’s use the Four Pillars of Endpoint Security model as a guide:

Endpoint Hardening – technologies such as platform attestation allow server-side resources to extract high-assurance security claims from mobile devices . This helps to keep sensitive data off of malware and rootkit infested devices and can also be used to enforce client attributes such as the use of hardware-based disk encryption. The latest generation of mobile devices supports a variety of high-integrity security features, including TPMs, SIMs, and other hardened cryptographic and data protection features.

Endpoint Reliability – the ability to make mobile devices self-healing is still a work in progress, but all of the major platforms have recognized the increased support cost, and negative user experience, that comes from supporting a wide-open application ecosystem in which discerning good software from bad is impossible for the layman. Curated app stores help endpoint reliability, although they don’t guarantee it. This is moving in the right direction, but enterprises with sophisticated security needs must still necessarily distinguish between managed (e.g. a AD domain-joined laptop) and unmanaged (typical smartphone) devices when it comes to granting information access. Enforcing patching and platform updates is key to maintaining endpoint reliability; technologies exist to do this across all platforms.

Network Prioritization – link encryption is a must-have. All web applications should enforce TLS; all clients support it. Don’t waste bandwidth on unencrypted or untrusted requests.

Network Reliability – many of the same proven security technologies and practices apply equally across traditional enterprise computing assets: routers, servers, laptops, and desktops. Don’t forget that (a) they need to be utilized and (b) they’re constantly increasing in sophistication. This applies whether the assets are mobile, private cloud, or public cloud.

In summary, BYOD security is a tenable problem. Contact JW Secure for a demonstration of our BYOD security solutions.

No Comments » Permalink

Cloud computing has changed some things: scalability, for example, and the cost model for web application hosting. But when it comes to security, the basics still apply. There are four tenets of security:

• Identity
• Authentication
• Access control
• Authorization

Let’s look at each in turn. To help make the discussion concrete, here’s a fictitious example. Suppose Airbus and Boeing are collaborating on a new Joint Strike Fighter. Rather than exchange huge engineering design documents via between worldwide teams every night, which is what projects of that scale used to entail, the teams will collaborate using a more modern and manageable mix of:

• Centralized document repositories, such as SharePoint
• Security token server, such as ADFS (Active Directory Federation Services) or Shibboleth
• Password-based and multi-factor authentication technologies, such as smart card or one-time password

Identity refers to how principals such as users are represented. For example, within Airbus’ Active Directory (AD) domain, users are represented as SIDs. But those SIDs have no meaning in Boeing’s AD. So in this federation scenario, identity might be represented by user email address plus other metadata such as project group membership.

Authentication refers to how identity is established. For example, a user in possession of a smart card provisioned with a trusted X.509 certificate, plus knowledge of the smart card PIN, will use the card to authenticate, thereby establishing his or her identity within the system.

Access control refers to the ability of the system to selectively allow or deny principals to perform actions on protected objects. Access control enforces authorization rules.

Authorization refers to the – usually increasingly complex – process by which access control rules are expressed. For example, on the JSF project, it may be necessary to define authorization rules granting auditing staff read-only access to documents on cost expenditures and accounting staff read/write access to those documents.

In order to support complex, collaborative projects such as a design of a JSF, security software has become increasingly complex. For example, the most sensitive data may only be accessible to users with specified project group membership, with certain national citizenship, and from provably secure client hardware. But how to define an authorization language that allows such rules to be expressed by a typical system administrator? The rules can get even more complex: suppose Airbus trusts identity data regarding JSF weapon system group membership originating from Boeing, since Boeing is contributing to that system. But claims regarding propulsion system group membership from Boeing must be ignored, since that subsystem belongs to Airbus.

Looking at the current state of the art, the capability of expressing such rules exists in the form of standardized technologies such as SAML and XACML. While some ramp-up is required, especially when it comes to complex collaborations, sophisticated line of business application integration with those standards is available.

No Comments » Permalink

I just posted about The four tenets of security. My next book, The Four Pillars of Endpoint Security, puts a new twist on those security basics. The Four Pillars of Endpoint Security, listed next, complement the four tenets:

• Endpoint Hardening
• Endpoint Reliability
• Network Prioritization
• Network Reliability

The four pillars are timely. Take, for example, the recent distributed denial of service attacks by Iran on several US banks. The attacks made use of large botnets, or compromised internet-connected computers, from all over the globe. In that context, Endpoint Hardening should entail, primarily, making client operating systems harder to compromise and incorporate into botnets. Secondarily, one hopes that server operating systems can be made more capable to resist DDoS attacks.

Regarding Endpoint Reliability, compromised botnet hosts should self-heal. Why not? The bot behavior is anomalous, and hardware enforcement of known-good system software is available.

The third pillar, Network Prioritization, should be employed to throttle hosts that don’t have authorization to send certain traffic to certain servers. For example, there are countries from which network traffic destined for US banks should be completely and permanently blocked as a matter of national security. That doesn’t mitigate the risk from compromised US-based hosts, but it reduces the effective size of the botnet.

Finally, Network Reliability plays a couple of roles. Networks themselves, including dedicated firewall equipment, must continue to perform in the face of brutal traffic spikes. In addition, network reliability is an important consideration for user-friendly mobile and web application design. Good mobile app design, using techniques such as data caching and tiered access, can make outages feel more seamless.

No Comments » Permalink

Here’s a summary of the steps we used to setup System Center Configuration Manager 2012 (SP1) in the cloud for our Dynamic Access Control demonstration for RSA 2013.

1. Create a new Windows Server 2012 instance with SQL Server (Standard SKU or higher). We’re using the Elastic Compute Cloud (EC2) on Amazon Web Services (AWS). Be sure to allow approximately 50 GB of disk space just to get through the initial install. Rename the server, if appropriate, and join it to your Active Directory domain.
2. Once the server is joined, if you renamed it, you’ll need to rename the local SQL Server instance as well. See Rename a Computer that Hosts a Stand-Alone Instance of SQL Server. Don’t forget this; because it will cause ConfigMgr setup to fail, but not until several minutes into the install. Painful.
3. Logged into your ConfigMgr server as a domain administrator, extend the AD schema. See How to Extend the Active Directory Schema Using ExtADSch.exe.
4. Configure SQL Server and the SQL Server Agent services to run as Local System. This is not a security best-practice, but is the easiest approach for the lab. Also, don’t forget to grant both Local System and the domain administrators sysadmin access using SQL Server Management Studio.
5. Run the ConfigMgr pre-requisite checker tool. See Technical Reference for the Prerequisite Checker in Configuration Manager. You have to fix all of the errors it finds, of course, but don’t forget to check the warnings as well. Some of them can actually bite you, such as manually creating a system management node in your AD schema (or giving the ConfigMgr server Full Control to the root System node).
6. Once ConfigMgr is installed, enable discovery of users and computers. In the administration console, find the \Administration\Overview\Hierarchy Configuration\Discovery Methods\ pane for the default site and turn on the various discovery options.
7. Enable distribution of the ConfigMgr agent. See How to Install Clients on Windows-Based Computers in Configuration Manager.
8. Configuring Reporting in Configuration Manager

No Comments » Permalink