This year’s program is titled “Foundations for Success: Enterprise Identity Management Architecture”, and the content follows the successful pattern of past years. The morning will focus on establishing a base of understanding, and the afternoon will be spent covering modules selected by the attendees (the description from the RSA website is attached below).

This year I am especially excited as I am leading a major Information Security infrastructure initiative that involves the complete build out of the Information Security stack for a new company (actually a $2.4B spin-off). I have just completed full requirements, RFP, and the product selection cycle for an Identity Management solution. At the time of the class, I will be at the mid-point of the provisioning system’s deployment, and will have Password Vaulting in production. This project has been a source of great challenges and new insights, all of which I hope to bring with me on March 1st (well, the insights anyway).

Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of “how do I get access to X” is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them.

Information about the tutorial is available form the RSA 1-Day Tutorials page, but here is a copy of the tutorial description:

Tutorial ID : TUT-M21

Foundations for Success: Enterprise Identity Management Architecture

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session to focus on the specific identity disciplines they find most challenging.

This workshop will cover:

• Principles of Identity and Access Management and implementation strategies

• Infrastructure architecture — critical underlying processes to run a successful enterprise

• Web-based authentication & Web Access Management

• Selling Identity strategy in the C-suite

• Directory Services – Enterprise, meta-directories and virtual directories

• Provisioning – managing the processes of Identity and Access Management

• Identity mapping and roll-up

• Detailed Single Sign-on strategies: Getting off Identity islands

• Detailed Federated Identity discussion and case studies

• Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects

• Multi-factor authentication: biometrics, tokens & more

• Functional IDs – real world considerations of this often forgotten access control

• User Access Audit: Proving only authorized users have access

• Auditing the identity systems

Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Cheers,
Erik

Add Some Architecture to RSA 2010

If you are attending RSA 2009, and plan to be in San Francisco all day on Monday, take a look at the available Pre-Conference 1-day Tutorials (RSA has added a number, and there are many to choose from). There is an additional fee for these Tutorials but based on the feedback from last years class, it was worth it.

Neither Dan nor I work for a vendor or supplier in the space.  We both work for Fortune 500 corporations that have real-world Identity and Access Management challenges (with real-world obstacles). If you are a Linked In member, profile (link) has some endorsements related to this class, as well as other presentations.

Cheers, Erik

Max the Identity & Access Management in Your RSA 2009…

More information is available her:  Stockholm University article.

The thing I find most interesting about this is that the US Supreme Cort has already determined that Lie Detectors are unreliable. From Wikipedia article on the polygraph:

In the 1998 Supreme Court case, United States v. Scheffer, the majority stated that “There is simply no consensus that polygraph evidence is reliable” and “Unlike other expert witnesses who testify about factual matters outside the jurors’ knowledge, such as the analysis of fingerprints, ballistics, or DNA found at a crime scene, a polygraph expert can supply the jury only with another opinion…”.

One of the things I find most interesting about the challenge of “testing” lie detectors is that no testing, such as the tests performed my Emily Rosa to debunk Therapeutic Touch, have ever been offered with can objectivity demonstrate the that they even work.

Cheers, Erik

Lie Detector Libel

The Beauty of Virtualization
AoIS is hosted by Linode, which is a Linux virtual host service provider. The beauty of this was the fact that I could:

• Spin up a new host in 10 min
• Configure and test the box, without interrupting the “hot” server
• Move the configuration, data, sites, etc.
• Test, test, test
• Transition the IP addresses

All of the advantages of having a clean freshly build physical server, but with a pro-rated cost of under $5 !

FYI… As this is a security blog, you can image that I am somewhat obsessed with OS system protection, more on that soon…

Cheers, Erik

AoIS upgrade to Ubuntu 8.10 Complete !

I had the pleasure of working with Rebecca on a paper earlier this year. Rebecca and I were among the collaborators on a  paper focused on generating organizational support for Information Security Awareness efforts (link to paper) for ENISA (The European Network and Information Security Agency). The effort greatly benifited from her participation. And after collaborating with her is it clear to me why should would have been nominated for and received the high marks she did in the Computer World survey.

Rebecca is also the author of Managing an Information Security and Privacy Awareness and Training Program. I purchased a copy of this book while working on the ENISA paper, and wow is it a detailed guide to managing these programs. Rebecca has included information from the high-level “concepts” down to detailed sample checklists and plans.

Congratulations again !

FYI, for additional information:

• LinkedIn profile and bio
• Rebecca Herold & Associates, LLC.

Cheers, Erik

Congratulations Rebecca !

The CISSP is undoubtably one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.

Passion

Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor – as a “giver” – to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting – a professional roundtable that attracts practitioners from across the state.

Governance and Guidance 

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors including local and regional community organizations, ISSA chapters,and several Toastmasters clubs. 

Personal Experiences

I have known Dan for almost three yeas. Dan and I have collaborated on a number or projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their College Sweethearts (which, for Dan, is Rebecca, his wife of 21 years), but you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²: https://webportal.isc2.org/custom/votenow.aspx

Cheers, Erik

CISSPs… Lend me your ears…

• Keep the software up-to-date

This may sound almost patronizingly obvious, but hold on a second. Every day hackers use unpatched servers or services of one kind or another as the bread and butter of their trade (stealing data, creating Bot networks, selling hacked server access to phishers, etc.).

Step four would also be to make sure that your operating system is up-to-date. Automating that is almost always possible, but is dependent on what operating system you are using. Google “X automated security update”, where X is your OS.

BTW, I found the jump to 2.5 very smooth and have encountered no problems – Thanks, Wordpress!

Cheers, Erik

Number One Wordpress Security Step

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

Blended Attacks and “The Tiger Team”

I would love to know what kinds of questions you have and would like to see addressed.

In addition to your question, please provide a little context, such as:

- What are the drivers for your use of cryptographic controls (data protection, compliance, etc.)?
- Will your deployment be externally audited?

Cheers,
Erik

Cross posted on Linked In.

What do you want to know about Cryptography in the Enterprise ?

GTAG’s

The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The paper’s are titled as GTAGs, which is an acronym for Global Technology Audit Guidance. The project is very ambitious, trying to break down major technical topics, the IT risks associated with them, and the controls that are available in a concise format accessible to senior risk executives.

Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:

• Auditing Application Controls
• Change and Patch Management Controls
• Identity and Access Management
• Information Technology Outsourcing
• Managing and Auditing Privacy Risks
• Managing and Auditing IT Vulnerabilities

You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.

In Other News…

Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…

Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors” ?

• Discuss what a Safe Harbor is, using California Security Breach Information Act (SB-1386) as an example
• Introduce NIST, FIPS, and FIPS 140-2

Cheers, Erik

Art of Information Security Episode 002: GTAGs and Safe Harbors

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud FakeChecks.org for their efforts.

Cheers, Erik

Get Rich Quick at FakeChecks.Org – N O T

But don’t think I am going to ‘rest on my laurels’…

The last month has been incredibly busy, and I have a ton of content that I want to work on but I keep getting pulled in different directions. Episode 2 is going to be an audio only podcast which I hope to have released over the weekend…

I have a number of topics that I am mulling over for Episodes 3 and beyond, which include:

- Basics of Information Security and Risk Management series

- Quick intro to some of the open source host protection tools I have been working with

- Discussion of my favorite open source security tool… (openSSL)

- and I am dying to start discussing some real world cryptography topics…

(Just to name a few…)

What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main menu bar (or click here). Also, your comments, posted either on Art of Information Security or via email, are always welcome.

BTW: Last week I participated in a webinar entitled Getting More Encryption for Less with Paul Stamp (Forrester Research), Jim Porell (Chief Architect IBM System z), and Paul Turner (VP, Product and Customer Solutions, Venafi). (Click here to listen to a replay.) Also, I will recap the Q & A portion of the webinar in Episode 2.

Best regards, Erik

Episode 2 and Beyond – A Few Teasers…

Here is a link to the RSA Europe 2007 podcasts…

There are 16 conference participants with whom RSA did podcasts.

Check them out…

RSA Has Posted Podcasts From The Conference…

It appears that someone was taking notes at my presentation on Oct 22nd. My presentation was featured in the RSA Conference Daily (article link) summary.

Cheers, Erik

Someone Was Taking Notes…

Some conference highlights follow…

Bruce Schneier Keynote

The second day of the conference opened with a Keynote from Bruce Schneier. If you ever have a chance to hear a presentation by Bruce – Do Not Pass It Up ! In addition to being a really good presenter, Bruce invests a lot of time into really thinking about and researching the mechanics of security. His keynote was entitled “Reconceptualizing Security”. I have four pages of notes from his presentation. Here are a few of the topics he touched on:

• Great discussion of “feelings” vs “reality” of security
• Examination of the language and cognitive challenges regarding risk
• Discussion and some revision of Bruce’s ideas regarding “Security Theater”
• Explanation of Lemon’s Markets
• Are many security products sold in a Lemon’s Market ?

DEF-105: 12 Common Java Security Traps

Brian Chess gave two presentations at the conference. Unfortunately, I was only able to attend one. This presentation focused on common, and significant, security problems that must be addressed during development.

Brian referenced two resources in his presentation, both of which I plan on researching:

Fortify Taxonomy: Software Security Errors

• This is an attempt to partition the entire space of software security flaws…

Open Source Software Vulnerability Project

• Application of the Vulnerability scanning tools developed by Brian’s company to Open Source projects to aid in the discovery and remedy of software security errors.

HT-108: Revenge of the Rodent: Did Your Mouse Turn Evil?

Ronald Heil’s presentation about malicious things that can be done with trusted devices, such as the mouse, was brilliant. Ronald reengineers a common computer mouse, using off-the-shelf components, and turns it into one that can be used to:

• Load malicious code onto a target computer
• Store data stolen from the user (for later retrieval)
• Provide attacker with remote control and data access (via Bluetooth)

DEV-109: Is Web 2.0 a Hackers Dream?

This was the third Caleb Sima presentation I have attended. Each one has been fantastic and better than the previous one.

This presentation focused on some of the application security pitfalls that Web 2.0 technologies, such as AJAX, are vulnerable to. Caleb’s presentations always mix static information with actual demonstrations of concepts. During this presentation he demonstrated a number of JavaScript application security faux pas.

A key thesis in the presentation was that Web 2.0 programing techniques, like AJAX, are dramatically increasing the attack surface of applications though movement of code to the client, were it can be easily examined and manipulated. Several examples of ‘bad logic’ or code to move to the client were given, and included:

• Security code (coupon code validation logic, admin status flagging, etc.)
• Input validation
• Range control and boundary checking logic

Summary

The above summaries are highlights. I attended all of the sessions on days two and three, and found them all to be very valuable and high quality. I was particularly impressed by the great English language skills of the presenters from non-English speaking countries. I do not know if I will have the opportunity to attend the European event in the future, but I would certainly recommend it.

Cheers,

Erik

RSA Europe 2007 Trip Summary