Art of Information Security

As you may have noticed there has been no activity on Art of Information Security for a long time. Things got really busy in my work and personal lives, and well, something had to give.

One of those changes is a move to the Security and Risk Management Strategies team at Gartner. I will be blogging on Gartner.com at blogs.gartner.com/erik-heidt. So, if you have been a fan of the content on Art of Information Security please keep an eye there.

My current coverage areas include:

1. IT GRC practice strategy
2. IT Risk Management (and measurement)
3. Assessing cloud risk decisions
4. Cryptographic controls and key management
5. Application security

All the best.

Cheers, Erik

Kevin Flanagan and I delivered a presentation on Cryptography at this year’s RSA 2010. Now, doing a cryptography presentation at RSA is a bit like putting a target on yourself that says “please shoot me down!”. Well, the presentation was very well received, and the RSA conference folks have asked Kevin and I to do a encore presentation via Webcast.  A few quick facts:

This is not your math teacher’s Cryptography presentation !
The core of this presentation is about discussing the various points in an application where a cryptographic control, primarily encryption, can be applied. Kevin and I walk through an expanded version of the 3-tier application architecture. We go beyond discussing the encryption controls available to the web server, application server, and database backends, to expand our scope to include the PC, storage, backup, and file systems. At each point we will discuss the kinds of controls that can be applied, the risks that those controls help manage, and risks which are ofttimes overlooked and remain.

This presentation is more focused than the RSA Version from March.
In our presentation in March we tried to also include an introduction to Key Management. This proved to be too much to bite off, so we have pruned that material from the presentation that is planned for the Webcast. Kevin and I may be submitting a presentation proposal for RSA 2011, 100% dedicated to Key Management. (Feedback on that idea would be of great value… Feel free to comment below.)

In fact, I am always interested in feedback from readers of AoIS. So, if you tune in the the WebCase, please drop me a note. I personally find web and teleconference presentations much more difficult than in the in-person kind…

When and Where ?
The Webcast in this Wed (June 23, 2010) at 1:00 PM EST, 10:00 AM PST, 5:00 PM GMT.
Here is a link to the registration: Webcast: Cryptography: Issues and Insight from Practical Implementations

Once again the RSA Conference is giving Dan Houser and I the opportunity to provide a one-day Identity Management Architecture tutorial. One-day tutorials can be added to your RSA Conference registration for a small fee. These sessions are designed to provide more depth and detail on particular important topics.

This year’s program is titled “Foundations for Success: Enterprise Identity Management Architecture”, and the content follows the successful pattern of past years. The morning will focus on establishing a base of understanding, and the afternoon will be spent covering modules selected by the attendees (the description from the RSA website is attached below).

This year I am especially excited as I am leading a major Information Security infrastructure initiative that involves the complete build out of the Information Security stack for a new company (actually a $2.4B spin-off). I have just completed full requirements, RFP, and the product selection cycle for an Identity Management solution. At the time of the class, I will be at the mid-point of the provisioning system’s deployment, and will have Password Vaulting in production. This project has been a source of great challenges and new insights, all of which I hope to bring with me on March 1st (well, the insights anyway).

Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of “how do I get access to X” is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them.

Information about the tutorial is available form the RSA 1-Day Tutorials page, but here is a copy of the tutorial description:

Tutorial ID : TUT-M21

Foundations for Success: Enterprise Identity Management Architecture

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session to focus on the specific identity disciplines they find most challenging.

This workshop will cover:

• Principles of Identity and Access Management and implementation strategies

• Infrastructure architecture — critical underlying processes to run a successful enterprise

• Web-based authentication & Web Access Management

• Selling Identity strategy in the C-suite

• Directory Services – Enterprise, meta-directories and virtual directories

• Provisioning – managing the processes of Identity and Access Management

• Identity mapping and roll-up

• Detailed Single Sign-on strategies: Getting off Identity islands

• Detailed Federated Identity discussion and case studies

• Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects

• Multi-factor authentication: biometrics, tokens & more

• Functional IDs – real world considerations of this often forgotten access control

• User Access Audit: Proving only authorized users have access

• Auditing the identity systems

Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Cheers,
Erik

Time is critical in security systems; specifically, having systems know the time  is very important. Adequate clock synchronization is important for:

• Operational Integrity (things happen when they are supposed to happen – backups, tasks, etc.)
• Reproducibility of events (meaningful logs and records)
• Validation of SSL certificate expiration (or other tokens, etc.)
• Correct application of time restricted controls
• Etc.

So, the big question is, what is “adequate clock synchronization”, and how do we achieve it ?

But First, What Time Is It ?

Time itself is of course a natural phenomenon. Just like distance, volume, and weight, the measurements for time are artificial and man-made.  The dominant time standard (especially from a computer and therefore Information Security perspective) is Coordinated Universal Time (UTC). This could probably have been called Universal Compromise Time, as it turns out that getting the whole world to drop their cultural biases, deployed technology, etc. and move to a single time system has been a long and complicated road (and it isn’t over yet).

One major component of UTC is an agreement on what time it in fact is, and how that is determined. Also, there are  questions surrounding how to adjust leap seconds, leap years,  and other “measurement vs reality” anomalies.  Time (and its measurement) is quite complex in itself, but for the purposes of Information Security (system operation, log correlation, certificate expiration, etc.), the good news is that UTC provides a solid time standard.

Now, all we need to do is synchronize our clocks to UTC !
(and adjust for our local time zone…)

Network Time Protocol (NTP)

Network Time Protocol (NTP) is a well established, but often misconfigured and misunderstood, internet protocol. NTP utilizes Marzullo’s Algorithm to synchronize clocks in spite of the fact that:

• The travel time for information passed between systems via a network is constantly changing
• Remote clocks themselves may contain some error (noise) vs UTC
• Remote clocks may themselves be using NTP to determine the time

In spite of this, a properly configured NTP client can synchronize its clock to within 10 milliseconds (1/100 s) of UTC over the public internet. Servers on the same LAN can synchronize much more closely . For Information Security purposes, clock synchronization among systems and to UTC, within 1/5 or 1/10 of a second, should be sufficient.

Classic Misconfiguration Mistakes (and how to avoid them)

The misconfiguration mistakes that folks make tend to be the result of:

• Overestimating the importance of Stratum 1 servers
• Over-thinking the NTP configuration

NTP Servers are divided into Stratums based on what time source. A Stratum 1 server is directly connected to a device that provides a time reference. Some examples of reference time sources include:

• Atomic Clocks
• GPS
• CDMA
• WWVB, DCF77, MSF60

NTP servers which synchronize with a Stratum 1 time source are Stratum 2 servers, with the Stratum number increasing by one for each level.

Big Mistake – Using a Well Known NTP Reference

The most frequent mistake people make when configuring NTP on a server is assuming that they need (or will get the best time synchronization) by using one of the well known atomic clock sources. This tends (thought not always) to be a bad idea because it overloads a small number of servers. Also, a server with a simpler network access path will generally provide better synchronization than a more remote one.

When configuring the NTP protocol, it is a good idea to specify several servers. The general rule of thumb is 2-4 NTP servers. If everyone specifies the same servers, then those servers become overloaded and their response times become erratic (which doesn’t help things). In some cases, an unintended denial of service attack is caused.

Both Trinity College of Dublin, Ireland and the University of Wisconsin at Madison experienced unintended denial of service attacks caused by misconfigured product deployments. In the case of the University of Wisconsin at Madison, NETGEAR shipped over 700,000 routers which were set-up to all pull time references from the university’s servers. NETGEAR is not the only router or product manufacturer to have made such an error.

Enter the NTP Pool…

“The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable easy to use NTP service for millions of clients without putting a strain on the big popular timeservers.” quoted from pool.ntp.org

Basically, the NTP pool is a set of over 1500 time servers, all of which are volunteering to participate in a large load-balanced virtual time service. The quality and availability of the time service provided by each of the NTP servers in the pool is monitored, and servers are removed if they fail to meet certain guidelines.

Unless a system itself is going to be an NTP server, then use of the NTP Pool is your best bet 100% of the time. It is a good idea to use the sub-pool that is associated with your region on the globe. Here is ta sample configuration: (/etc/ntp.conf file)

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

It may not be necessary for your to run the NTP service itself. Running the ntpdate command at boot and then in a cron job once or twice a day may be sufficient. The command would look like:

ntpdate 0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org

If you do need to install ntp on Ubuntu, the commands are:

sudo apt-get install ntp

and then edit the /etc/ntp.conf file and add the server lines from above. On my OSX workstation, the entire /etc/ntp.conf file is:

driftfile /var/ntp/ntp.drift

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Overthinking the Configuration

The “server” parameter in the configuration file has a number of additional directives that can be specified. These are almost never needed, but can generate a lot of extra traffic on the NTP server. Avoid over thinking the server configurations and avoid using prefer, iburst, or burst.

When Should I Run NTP Service Rather Than Use The NTPDate Command ?

There is almost no downside to running the NTP service. It is very low overhead and generates almost no network traffic. That being said, the only downside to running the ntpdate command a few times a day, is that the clock can drift more. If I were performing an audit, and the shop-practice was to use ntpdate on everything except infrastructure service machines (directory servers, syslog concentrators, etc.), I would accept that practice. I would be more concerned about how time synchronization was being managed on HSMs, directory services, NIDS, firewalls, etc.

When Should I Run My Own NTP Server ?

There are two cases when you should consider running your own server:

• You have a large number of machines that need time services
• You wish to participate in NTP Pool

A Stratum 1 time server appliance or a GPS/CDMA card can be purchased for costs similar to a rack mounted server (of course you will need two). If that is just out of the (budgetary) question, then I would look for the time servers to use authenticated time sources. NIST and several other Stratum 1 NTP providers have servers which are only available to folks who have requested access, and are authenticating to the server. If time accuracy is critical to risk management, and GPS/CDMA is not available, then I would push for authenticated NTP.

Option 3 is acceptable in the vast majority of situations, including cases where logs and events are only correlated locally, or where no compelling need exists.

NTP and Network Security

NTP uses UDP on port 123. This traffic should be restricted in DMZ or other secure network zones to only route to authorized NTP servers. Tools like hping can be used to turn any open port into a file transfer gateway or tunnel.

One option is to set-up a transparent proxy on your firewalls and to direct all 123/UDP traffic to your NTP server or to one you trust. (The risk of the open port involves providing a data path out of the organization, not rogue clocks…)

Resources and More Information

• Wikipedia on NTP
• A Brief History of NTP Time: Confessions of an Internet Timekeeper
• Marzullo’s Algorithm

Cheers,

Erik

Welcome to the second part of Art of Information Security’s interview with seasoned Information Security marketer Heather Deem (part 1 link). In the first part Heather discussed the importance of having reasonable time and resource expectations. In this part we will start off by discussing some low cost marketing techniques.

Erik: Are there any ‘free’ (but effective) marketing activities that organizations can pursue?

Heather:  All Marketing activities have some cost in terms of development or execution time, however, the following activities can be considered “free” or low cost:

Webinars: If the company has an internal content expert available to develop and deliver educational presentations (industry or technology focused, not vendor specific content), and if the company has an enterprise-level web conferencing subscription, the marketing team can host webinars for relatively free.  Partnering with channel partners for joint promotions can also help both companies educate and propel their prospects through the sales cycle.

By-lined or contributed articles: Developing industry-relevant articles for trade journals can be another relatively low cost activity to gain credibility and exposure.  Similar to webinars, this requires an internal content expert to develop the article and either internal PR or an agency to pitch stories to the media.

Erik: What have been some of the biggest misconceptions about marketing that you have experienced in your work with start-ups and growth companies?

Heather:  Two misconceptions spring to mind: the value of producing quality marketing materials, and the time and resources required to roll-out a program that has real impact.

I’ve seen companies who don’t hesitate to spend thousands of dollars to attend a tradeshow or who don’t bat an eye at an egregious entertainment bill submitted by sales, yet they balk or refuse to invest in a graphic designer to create a polished looking datasheet or direct mail piece, or refuse to spend time and money on developing the proper marketing materials for moving prospects and customers through the sales cycle.

The second misconception surrounds the required level of strategy, planning and resources required for successful marketing programs. Some executives underestimate the time required to plan a marketing program or what is required for execution in terms of personnel time, media lead time, engineering contribution to whitepapers, etc.

To develop truly integrated and impactful marketing programs, the marketing team needs to work through and understand the challenges faced by the sales team, the needs of the target market and align these key inputs to develop the appropriate campaigns to support the marketing goals.  Prior to executing these campaigns, companies typically need to develop new or update existing marketing materials to support these campaigns. The entire process can take a month or more.

Erik: So, how can organizations promote marketing and messaging into the culture so that everyone is involved?

Heather:  Establishing clear and effective marketing messaging and materials is the first step.  This includes both internal and external websites, datasheets and presentation content. For example, develop a concise positioning and messaging document for sales, channel partners and other company staff. 

I would also encourage the Marketing team to take advantage of all-hands meetings and either monthly or quarterly internal email updates to educate personnel on the latest marketing activities and messaging development. 

Marketing or corporate executives should also address any marketing challenges that surface and instruct employees on how to respond publically.  For example, if a known competitor is using under-handed sales tactics such as falsifying information about your company or product, executives should clearly indicate how sales and marketing is addressing the issue and reinforce that the corporate communication policy does not condone negative messaging or competitive bashing in retaliation.  Similarly, if a company is dealing with a sensitive press issue, employees should be educated on the appropriate public response. Even if they are not considered company spokespersons, they need to be educated on what or what not to say.

Erik: What do organizations need to do, to determine if their marketing is effective?

Heather:  The two exercises I would recommend are: mapping the marketing programs to the marketing goals for post-program evaluation and soliciting frequent feedback from analysts, customers and channel partners.

Prior to each marketing campaign, map the marketing goals to the campaign or activity and measure the actual results post-program.  This will typically require a pre-defined lead follow-up plan and collaboration between sales and marketing.  Metrics to include may be Cost per Lead, Response Rates, Website Hits, Lead Quality, Opportunities Developed, Opportunities Closed, etc.  Of course these efforts will only be as good as the level of accountability required of both marketing and sales to input and maintain prospect and customer data throughout the sales cycle.

Measuring the effectiveness of messaging and marketing materials can be achieved through feedback from the sales team, prospects/customers, channel partners, and analyst feedback.  It is very important to reach out to all of these audiences to gain a fresh perspective on your messaging and content from time to time.  If possible, try to incorporate feedback from each of these groups, since each group brings a unique perspective.

Erik: Heather, you have worked with a number of start-ups. How early in the genesis of a new organization should a marketing plan be developed? 

Heather:   Even if a start-up doesn’t have a dedicated marketing budget, a marketing strategy and plan should be developed before any customer facing activities are initiated.  If hiring a marketing professional (either employee or consultant) is not an option, then this effort can be lead by one of the executives.  The key is to develop a baseline strategy covering product pricing, positioning, messaging and the go-to-market strategy.  Even a rudimentary go-to-market strategy will serve as a foundation for guiding sales and developing marketing materials.  As the company goes to market and gains additional intelligence on customers and competitors and as product enhancements are rolled out, this strategy should be reassessed and revised.

In addition to the marketing strategy, an initial marketing plan should be developed.  While a marketing budget may not be established, you still need to devise a plan for the development of marketing materials such as the website, collateral (datasheets, solution overviews, technical manuals), presentations, whitepapers, demos, product packaging.  Factoring in public relations efforts, such as the development, the out-reach and the response to media and analyst relations should also be considered, even if the company is not planning a formal PR program.

Thought should also be given to how prospect and customer data will be managed.  Even if the company has yet to deploy a CRM system, it is important to plan an efficient process on how this data is maintained, how leads and customers are managed and how this data can be ported to a CRM solution in the future. If the strategy for  managing customer data is not instituted with the sales team from the get-go, management will never really gain solid data to support the business metrics and marketing will loose invaluable data for establishing and managing marketing programs.

Erik:  What are the first steps for companies, especially resource-strapped start-ups, to take in starting their marketing efforts?

Heather:  Refer to my answers regarding the top marketing activities and “nearly free” marketing activities.  Development of even a baseline marketing strategy, marketing plan and marketing materials assessment will go a long way in laying the foundation to drive effective yet budget conscious marketing programs. 

I will also offer a free one-hour “Ask the Expert-Marketing Consultation” to the readers of Art of Information Security blog.   During this session companies can jump start their marketing by gaining free marketing advice specific to their website or marketing plan and bounce ideas off a marketing expert who specializes in the IT Security industry.  Schedule your free session through the contact page at www.candescomarketing.com

Many Thanks to Heather !

Thanks for taking the time for the interview, and for the offer to Art of Information Security’s readers. I hope that it will help provide a more rounded perspective to folks we are struggeling with organizing or understanidng their marketing needs. 

Heather can be contacted through Candesco Marketing.

Cheers, Erik