Schneier on Security

Wael • July 12, 2012 2:01 PM

@ Marti Raudsepp

"kernel mode execution rights to the attacker -- the highest possible."

I *think* there are higher...

Ascending order:
Hypervisor level (think Ring -1 as opposed to kernel's Ring 0)
Firmware level (BIOS for example) (Ring -2 :) )
Microcode level.

If you have Kernel level access you do not necessarily have FW level access or Microcode level access, although it gets you a "ring" closer.

Wael • July 12, 2012 7:05 PM

@ Dirk Paret

Yup! Role Misappropriation again.

IT is the delegated owner for protecting the corporate's assets. They must not delegate that task to a non-owner, such as the user. IT sending an email to the users saying "Please do not plug USB sticks you find in the parking lot in corporate computers" is equivalent to delegating the protection task to the users. This email should act to raise the awareness, not to prevent the Vulnerabilities. Other controls need to be in place BY IT ...

Wael • July 13, 2012 2:00 PM

@ Dirk Praet

My response was in support of your statement, not correcting it. I should have been more clear.

@ pgagge
I also lost a response to you, that somehow is not showing. Was a long one and I did not save to locally...

Wael • July 13, 2012 2:04 PM

@ Moderator

Is there a pending post from me in the queue? Posted about 20 min ago to @ pgagge?

Wael • July 13, 2012 6:39 PM

@ pgagge

Excellent response...

if the corporate *information* assets (as opposed to the physical servers, networks and dull stuff like that) are owned by IT, with the sole responsibility for protecting and determining who should have access, the corporation is in big trouble.

Not necessarily. Hire the right team or complain about consequenses. IT is in charge of implementing who should have access. They are given a list of users and thier needs. Sometimes they do decide who should have access to what.

Almost all modern corporations are dependent for their profitability and survival on the availability and integrity of huge amounts of information. It may be processed by a lot of technology, but that does not make IT departments experts in the value of that information. (Some try to be. They may evolve away from the traditional IT role.)

IT doesn't need to be experts in the value of the information. They only need to know that it has to be protected. They will get mandates and instructions or information from various departments that quantify the security level needed.

USB sticks, cloud storage services, email to pick three: all are threat vectors, but also productivity boosters when used correctly.

"when used correctly":

Who decides that? User, IT, or common sense?
I say IT makes the rules and policies and tries to enforce these policies and controls. And the User complies, if s/he has common sense. IT also has to assume users are not to be trusted. It's IT's neck on the line if a user inserts a USB disk on corporate network, and brings the network down
for a few hours. Who is going to stand tall in front of the Man to explain to him the situation?
User or the IT head?
CEO to CIO: What happened? I hear that credential have been compromised and the press is after us.
CIO: Ummmm. Ummm. This guy found a USB stick in the parking lot and...
Is that gonna fly?

The final defence against external threats is always the admittedly variable common sense of the end users. That's not 'delegating' a responsibility: the responsibility *starts* on the business side, with whoever owns the information assets.

In most corporate environments I have seen, the user owns nothing. Everything belongs to Corporate and they tell you that. That also includes waivering your rights to privacy. They tell you they will monitor all communication channels.The ownership of information is indisputable, and thier lawyers make that crsytal clear. The Coporate legal entity owns the information, and IT is the entity entrused with protecting this information. Users are asked to "comply". I am basically saying instead of just "ask", "enforce" as well.

"IT should be able to block and mitigate a set of known threats, but won't be able to stop them all efficiently without hindering the business from getting done. Reasonable security (as opposed to the mythical perfect security) is obtained only by IT and end users collaborating."

Collaboration means users conforming to IT policies, it means alerting IT to threats they become aware of. Collaboration does not mean the user is to be entrusted with protecting an asset s/he does not "own". We can talk about examples from real life. I am sure you have heard about people who lost thier unencrypted laptops with huge amount of information that caused thier employer a lot of money, negative press releases and embaracment, along with other heartburns.
So Mr. Salesman has a database with tens of thousands of customers, thier usernames, ID's, Social Secrity numbers, ages, etc. IT has protected this database on thier servers with all "known" mechanisms and controls. Mr. Salesman, wants to be productive, is on the road all the time (road worrior), and doesn't like the idea of VPN, slow connections; the inconvienice and productivity you talk about. So he copies this database locally on his laptop -- his common sense allows him to do that. And does not encrypt it -- ignoring IT's policy that all company information on mobile devices must be encrypted.

The guy forgets the Laptop in a train, a Taxicab, or somewhere - he doesn't rememeber. IT finds out, or worse (as sometimes is the case) someone makes this information public. You can guess the rest from there (or read about it)

Two question here:
1- who is at fault here?
2- How could such incidents be reduced (I don't say prevented) in the future?

So the user is surley accountable. Mr. Salesman violated the company's policy, and needs to be "wisdomised" (rhymes with another word derived from Sodom and Gomorrah). His accountability stops here. IT on the other hand, is not only accountable, but responcible. They should have had the controls in place to prevent such a scenario, and these controls are not "Rocket Science".

Regarding "as opposed to the mythical perfect security"...
Short background, Clive Robinson's style rubbed off on me :)
So I stated before that security (in my mind) is:
"The painless ability to protect the asset through complete awareness and total assured control by the owner of the asset"
I also said that "absolute security" does not exist -- that is clear from the definition. So this is the definition I use when I am analysing a security incident or when working on a security solution. It's not set in stone, and is open for improvments, critisisms... You can also totally disregard it. So in Elcetrical Engineeering, they used some models. These were ideal and did not exist (or existed under rare conditions) in real life. These models were used to simplify design and analysis of complex circuits. For example there is the "ideal current source" and the "ideal voltage source". You can replace ideal with "perfect" as well. I tried to do the same for Security. What parameters would allow an ideal or perfect "Security" model to exist? It was on this blog that I found the two "ideal" models: The Castle and the Prison. The Castle and the Prison could be related to each other like Voltage and Currect are (through a brick resistor, or Ohms law :)). Some have said this is purely theoretical, but I find such approach to be systematic and methodical. I am starting to digress towards C-v-P again, so I had better stop here.

Wael • July 13, 2012 11:49 PM

@ pgagge -- Supplimentary...

The IT I am talking about includes
Corporate security.