Sunday, August 25, 2013

Weekend Security Humor

Because sometimes you just have to post some.

I think it was the sheep carefully lining up that butt-shot as much as anything.

Best Practices: Built-In Security Failure

Years ago, Intel hired me to do hardware-related work in semiconductor fabrication, as part of a group called 'Improvement Engineering' in what was a hole in the New Mexico desert. So, yeah, it needed a lot of improvement in order to become the cleanest clean-room on earth.

We didn't use the term Best Practices which is so prevalent in the compliance (I did not say Security, as they are emphatically not the same thing) industry of 2013, and you shouldn't either. Best Practices implies received wisdom, and slow responses to rapidly changing threats. We spoke of BKMs, or Best Known Methods. The 'Known' cannot be emphasized enough. It implies a seeking, driving, dynamic approach that is often lacking today; it implies currently Unkown Methods, waiting to be discovered by motivated, data-driven people.

Examples of where it has been proven that there can be no better way (from hardware, software, or procedural perspectives) are rare. This is fertile ground. More specifically, it drives Continuous Improvement, and various other all-to-corporate buzz phrases, past and present, into corporate culture.

The Best Practices approach demonstrably is, and has been, failing, by every available metric.  Emphasize that, take a data-driven approach, and reward those who demonstrably improve the state of the Best Known Method.

Saturday, August 10, 2013

Privacy Advocacy Turns Out to Be Common

It is fairly common for security people to also be privacy advocates--it's security on a personal scale. So the NSA/Snowden thing is something I follow. And, while I don't really want this blog to become focused on something so politicized, some additional commentary is in order.

Here is a graphic I found particularly striking.

I am not a fan of Anonymous. The Guy Faulkes masks work, and they have been known to do what seemed useful cult-control. A large amount of media attention was a foregone conclusion, as was a commensurate amount of attention from law enforcement.

I can't approve of their methods, or admire their approach to operational security. If you are going to declare <Operation Whatever>, which often enough consists of a DDoS attack, don't use a tool like LOIC, which reveals the IP number of everyone you talked into the gig. Duh. Law enforcement did it's thing, and anons are being busted left and right. This will continue, and it is unfortunate that so many people were, in the end, victimized by Anonymous.

Idealism always carries a high cost, and it is usually dis-proportionally borne by the young and not yet cynical, so this is not a surprise.

It is a pretty sad state of affairs, as usual. Law enforcement is supposed to do it's thing. That's what we pay them for. If we, as a society, find the idea of the future of our children being ruined abhorrent, what needs to happen is fairly obvious. The law, and government accountability under the law, has to change.

It turns out that there are economic incentives to fix this. So even we cynics have some cause for hope. I'll either update this post, or point to new post(s) with updates. I'd prefer to just update this post.

Friday, August 2, 2013

Things are really busy right now.

I have a new project: documenting what I did, and the rationale for the choices I made, for one of the recent data analysis projects. I always write docs, but this is more in the spirit of a HOWTO for people that need some basic instruction on how data analysis pipelines (or workflows, if you will) are commonly constructed on Linux, and does not depend on humans clicking around, enduring the horrors of statistics in Excel, etc.

It's mostly about pre-processing data, feeding only what you need into a sane database (why give up three orders of magnitude in speed for the bits that will not have relational queries run), when to do matrix math, when to fire a decision-support plot because a threshold has been exceeded, etc.

Somewhat at variance with physics pipelines, it was written in bash, Python, R, and Go. I should do a post about that. But like I said, things are busy right now.

Fedora 17 reached EOL on 7/30/13

Why does that matter? Well, Fedora is regarded as upstream of Red Hat Enterprise Linux. RHEL, and derivatives such as CentOS, ScientificLinux, and Oracle Linux (though Oracle will never admit that). What that means is that Red Hat chooses a moment to grab the current Fedora distribution, and make some of the various bits more robust. Meaning supportable, at sane cost structures. That forms the basis of the forthcoming Red Hat Enterprise Linux. Running a current, or near-current, Fedora provides insight into the oncoming RHEL, which will be RHEL7, by the end of the year.l

This is useful, particularly as this will be the most powerful RHEL ever, by a wide margin. Mondo cloudy stuff is going to be in there. That should be another post; it is by no means all marketing.

But right now, I have to rebuild some lab machines. This isn't a huge deal--that's what labs are for. But it will keep me busy for a bit, because I have to characterize what I am doing.

How do you secure this stuff?

As Frank Zappa once wrote, "The crux of the biscuit is the apostrophe." Secure what? Against what threat? At what cost?

I have never been a fan of PCI-DSS. The standard cannot change rapidly enough to reflect changes in the threat envelope. Compliance costs are out of control, and it is not clear to me that there is any rational means of choosing any particular solution to a PCI-DSS line-item. Sometimes I hate to even talk about PCI-DSS; there are other requirements in other industries that are more interesting (medical record security comes to mind), and some things (design flaws in cryptographic protocols, etc.) apply to any industry.

The basics apply in any environment. Control access, authentication, and authorization, and the majority of your risk goes out the window. This is doable, even via bash scripting. From a Director Information Security at Fiserv (Acumen platform)

"we did get our PCI-DSS ROC and the assessors loved the hardening scripts and the way you listed the hardening steps by control number."

Write a master script that calls subscripts by control number. The downside is that it adds complexity; you will be touching some configuration files more than once. It works, and assessors love it. You do however, need a capable and auditable version control and build system. Git works fine, if you bolt on some additional tooling.

The point is that RHEL7 will offer more controls--you will have more power to meet any standardization, legal, or regulatory challenge.