Information Security Short Takes

Know the Difference - Backup vs. Archive

noreply@blogger.com (Bozidar Spirovski) — Mon, 10 Nov 2008 20:54:00 +0000

Information availability and IT operations require Data Backup. Legal and Compliance requirements dictate Data Archival. But many organizations make the mistake of equalizing Archive with Backup, which can lead to wrong choice of backup or archival media, very poor restore time and even loss of information.

Example Scenario
As part of an audit, an auditor reviewed the backup and archival system of a company. The company presented their backup systems, access controls and audit. When asked about archived data, they again pointed to the tapes containing their backup. But their backup tapes are rotated every 6 months, so the company does not have any archive from earlier then 6 months ago.
The company failed the legal Archival requirement.

Analysis
In order to properly design and architect a backup or archive systems, one must clearly understand the differences between backup and archive:

Backup
The key reason for the existence of backup is to provide an alternative data source in case the primary data source is corrupted or destroyed. A Backup process is creating a copy of the current state of data. It is understood and accepted that the state of the backed up data will change in the future under controlled circumstances. At that point the old backup will become irrelevant for operational purposes and the data will need to be backed-up again.

Criteria for selecting a backup solution

The backup needs to be accessible fast
The media should be reusable for maximum cost efficiency
The media should survive transport in less then ideal conditions (trunk of a car)
The backed up information should survive with full integrity and availability for several months on the backup media.
The backup should be able to span multiple media (if backup set is larger then media capacity).
The solution should be intelligent enough to enable different backup sets (full backup, incremental backup, differential backup etc)

Archive
The key reason for the existence of archive is to provide historical reference of information. The archive's process final product is a long term non-changeable copy of data or information. It is understood and accepted that the archive media must be resilient, capable of surviving over long periods of time (years) and must guarantee that the archived data remain unchanged during the entire archive lifespan.

Criteria for selecting archive solution

The archive media needs to be able to operate with different data collections while treating them at the same level of integrity - individual data records from a database as well as entire documents,
The access speed to an archive can be slow, but archive media should have an extremely high level of reliability (remember, archives can span several decades)
When creating an archive, always plan the lifetime of the archive, and make sure that the manufacturer will provide systems that can retrieve the stored data - having an archive that is unreadable because there is nothing to read it on is a terrible idea.
Data integrity must be maintained over the entire period of the archive existence - there is no point in having an archive if you can't trust that it's the same as it was when archived.
There should be an index of archive media to retreive relevant information from archive

Conclusion
Backup and archive solutions may be part of an integral system, but they perform a different function, so the actual media and individual systems will most likely vary.

While backup is still performed mostly on magnetic tapes, archive is usually performed on optical disks or microfilm. You may choose magnetic media for archive, but if you do, you need to plan that your archive tapes must be shielded from long term adverse influences, and you must maintain a functional reader for the tapes over the entire lifespan of the archive.

Talkback and comments are most welcome

Related posts
3 Rules to Prevent Backup Headaches
Business Continuity Plan for Blogs

New Helix3 Forensic CD - Welcome

noreply@blogger.com (Bozidar Spirovski) — Sun, 09 Nov 2008 20:56:00 +0000

E-fense has published a new version of their acclaimed Helix Forensic Live CD. It is now in version 2.0. Here are the first impressions of the new version.

Just as the old version, the new one contains two major components

A LiveCD (Based on Ubuntu) - A full blown forensic toolkit with a nice all-encompassing set of tools.
Windows set of tools - which allow the user to use a subset of forensic tools within a running windows system (most often during first response).

The Windows toolkit is maintaining the same interface as before, but the windows based application set is coherent, there are no missing applications. The previous version had a number of links in the windows toolkit that weren't working, which could cause a lot of grief at the wrong time.

Just a reminder of the Windows Helix Menu

The Linux LiveCD interface has seen a major overhaul. It is now based on Gnome, and the overall interface is much better organized.

The following screenshot depicts the new Helix boot menu

Unfortunately, probably in search of a better overall performance, it is departing the Forensic track and moving much more into mainstream - The toolkit is missing a lot of nice new Forensic tools that could have been installed and utilized. Hopefully, they'll be included in the next version.
There is one new major feature that was missing from the previous version - the LiveCD can now be installed on a hard drive - effectively creating a full blown Forensic investigation computer without the need to lug around a bootable CD.

The installer suffers from several bugs, so make sure you partition the target hard drive manually - the automatic option doesn't work

The following Screenshot depicts the installed version of Helix

The new version of Helix is much easier to use and overall a much more completed product. You can download the new version of Helix here. With the ability to install the software onto a computer and then add your own tools, you are able to make a very good forensic tool for everyday use.

The only drawback is that the E-fense's site is down quite often, so you may stumble onto problems while downloading the ISO image

Talkback and comments are most welcome

Related Posts
Tutorial - Computer Forensics Process for Begginners
Tutorial - Computer Forensics Evidence Collection

Strategic Choice - Proper Selection of Web Hosting

noreply@blogger.com (Bozidar Spirovski) — Wed, 05 Nov 2008 21:08:00 +0000

The time of expensive hosting and limited functionalities on web servers are long gone. Today, everyone and their mother is doing web hosting, with a huge hosting disk capacity at very acceptable prices. But even though most hosting providers differ only in the price on paper, things are much different in the real world.

You can get stuck with a poor hosting, a lot of non-functional elements of the site and even huge downtime on your site.
Here is a practical approach to selecting a good but Affordable Web Hosting provider. In order to properly evaluate them, you'll need to engage both your technical and business teams.

Make a table like the one on the following slide and start grading according to the following bullets

Business Support Quality - Through this category, you will evaluate how prepared the hosting provider is to meet your business expectations of hosting. When evaluating business support quality, you need to answer the following questions. Add two points for each Yes answer to your business support category grade:

Does the hosting providers' sales rep answer to calls and e-mails in a timely manner?
Does the hosting providers' sales rep try to understand what you are trying to achieve?
Is the sales rep discussing meeting your requirements?
Does the sales rep provide direct contact with a dedicated technical person for clarifications?

Technical Support Quality - Through this category, you will evaluate how prepared the hosting provider is to meet your technical requirements for hosting. When evaluating technical support quality, you need to answer the following questions. Add two points for each Yes answer to your technical support category grade:

Does the hosting providers' technical support person answer to calls and e-mails in a timely manner?
Does the hosting provider actually support the technical requirements of your site?
Does the hosting providers' technical support person answer your team's technical questions in a clear manner?
Does the hosting providers' technical support person ask for clarification on your requirements?
Does the hosting providers' technical support person warn you of any specific policies and limitations in their hosting solution that might hamper you?\
Does the hosting provider offer remote tools for web site technical side management (service stop/start, add-ons and libraries management etc..)

Hosting Solution Breadth - Through this category, you will evaluate what other services you might be able to utilize in the near future combined with web hosting. When evaluating hosting solution breadth, you need to answer the following questions. Add one point for each Yes answer to your solution breadth category grade:

Is the hosting provider prepared to take over DNS hosting?
Is DNS records management available to your technical staff via remote interface?
Is there a e-mail service available?
Can the e-mail service capture all e-mails for you if necessity arises?
Are they offering any other services as bundle or with additional payment?

Hosting Contention Ratio - Through this category, you will evaluate how many other sites you'll have to compete with for server resources, and how many different sites can impact your own in terms of security since they are on the same server. When evaluating contention ratio, you need to answer the following questions. Add one point for each Yes answer to your contention ratio category grade.

Is your site on a dedicated server?
Is your site on a server with no more then 50 large customer sites?
Is your site on a server with dedicated and isolated resources from other sites (virtual machine or chroot type of isolation)?

Error Recovery - Through this category, you will evaluate how will the hosting provider react to recover your web site should an error occur. When evaluating error recovery, you need to answer the following questions. Add one point for each Yes answer to your error recovery category grade

Is backup of the site performed daily?
Is backup of the site performed together with backup of the site's backend database
Is hacker attack detection/prevention present?
Will you get alerting/notice from the provider if suspect hacker activity is detected?
If site defacement occurs, can the hosting provider recover to a working site within 15 minutes of detection or notice bu you?
If site defacement occurs, is proper forensic investigation performed with results submitted to you?

After you've finished answering your questions, you'll have a table like the one below

Select the top 20% providers from the Total grades and add the pricing of their solution. The cheapest one will be your Affordable Web Hosting provider. You can afford to pay him, but you don't need to accept low quality.
Talkback and comments are most welcome

Related posts

Rules for good Corporate Web Presence
Creating Your Own Web Server
Tutorial: Making a Web Server
Web Site that is not that easy to hack - Part 1 HOWTO
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks

GPS Fleet Tracking - Risks or Benefits?

noreply@blogger.com (Bozidar Spirovski) — Wed, 29 Oct 2008 16:41:00 +0000

GPS Fleet Tracking is usually associated with taxi fleets, armored transport and police/security vehicles. In reality, a lot of companies use GPS tracking not just for their company fleet, but also for personal tracking of their top employees or sensitive equipment. And GPS itself brings a whole new challenges to information security.

The Functionality
The Global Positioning System (GPS) is a Global Navigation Satellite System developed by the United States Department of Defense. It uses a constellation of between 24 and 32 Medium Earth Orbit satellites that transmit precise microwave signals, that enable GPS receivers to determine their current location, the time, and their velocity (including direction).

The GPS Fleet Tracking uses a GPS receiver paired with a radio transmitter. The GPS receiver determines it's location, direction and velocity and transmits this information to a central monitoring system via the radio transmitter. The radio transmitter part is most frequently a GSM mobile phone device which transmits the data via GSM Data or GPRS data capability as TCP/IP packets.
The central monitoring system is a server that receives the packets sent by the GPS tracking devices, stores them in a database and presents them as an overlay on a map.

The following diagram presents the overall system:

The GPS receiver contacts the GPS satellites and calculates it's position, velocity and direction. At any given time, the GPS receiver has at least 3 satellites over the horizon to contact
The GPS tracking device sends the calculated information via the GPRS data link to the information hub
The information hub relays the received information to the GPS Tracking server
The user uses the monitoring station to follow the fleet or to review the information about any vehicle stored in the database.

BrickHouse Security has a very comprehensive selection of GPS Fleet Tracking solutions.

The Business Benefits
There are well known business benefits of using a Fleet Tracking system. Here are several:

Tracked vehicles are used much more responsibly and only for the intended purpose (no detours to buy groceries, or weekend trips to the lake).
Because they are used for the planned purpose, the fuel usage is much more optimal.
Ability to observe employee vehicle usage to establish their responsibility towards company assets.

The Physical Security Benefits
Apart from a clearly business perspective, GPS Tracking has security benefits

GPS Fleet Tracking enables stolen vehicles to be recovered very fast.
Paired with a panic button, it can be used for tracking and helping kidnapped or blackmailed key personnel (the chief officers and other key employees can be equipped with such GPS Tracking device)
Valuable or sensitive equipment or assets can be observed during transport to identify situations where the asset has deviated or been delayed in transport - a major indication of attempt at tampering or theft

The open and sensitive questions
Naturally, every new system brings new challenges for information security. Here are the most common ones connected to GPS tracking:

How do you secure your GPS tracking database - the GPS tracking data is sensitive to say the least. Anyone stealing that data can analyze the travel patterns of each vehicle and subject tracked and plan a possible theft or crime. Also, the GPS tracking data will identify the 'blind spots' where tracking is impossible, like tunnels, parking structures, even streets with train tracks above them - which are first choice for theft.
How do access the GPS tracking data? - if one cannot steal the information from the database, it can be stolen in transit. If the monitoring station and the servers are at a distance from each other, always use an encrypted channel to access this information.
Do you inform your employees of GPS Tracking systems? - Informing the employees that their vehicles are tracked is a double edged sword: If you do inform them, they should be more careful, but on the other hand some of them will go to great lengths to destroy the GPS device so they can go about their way as they used to. If you don't inform them, you can end up in court for a number of infractions - depending on the judicial system
Do you control against rogue GPS devices - just as you use GPS for a legitimate function, a criminal may use a rogue GPS device to simply collect information off your vehicles. There isn't a very easy to find such devices once they are planted, but it is much easier to control the access to the relevant vehicles to prevent a criminal from approaching them for a time that will enable him to plant the rogue device.

Conclusion
The GPS Fleet Tracking systems are very useful systems, and can enable the company to achieve considerable savings to their fleet management, as well as provide additional security leverage for personal and asset safety.

But at the same time, it introduces a new system with it's own IT and communications requirements, and another repository of highly confidential data.

So any company implementing a GPS Fleet Tracking system should clearly define its objectives and requirements, and seek out a professional integrator to deliver the entire solution, always bearing in mind that the solution must be both functional and secure.

Talkback and comments are most welcome

Controlling Firefox Through Active Directory

noreply@blogger.com (Bozidar Spirovski) — Sat, 25 Oct 2008 13:21:00 +0000

Firefox is a great browser. But it is being widely avoided by corporations, since it is difficult to manage Firefox through a corporate-wide security policy, like IE through Active Directory.

FrontMotion has published FrontMotion Firefox Community Edition - a Firefox with the ability to lockdown settings through Active Directory using Administrative Templates. The concept is interesting, but how well does it work?

Here is a review of the FrontMotion solution for Firefox and Active Directory Integration

The Test
FrontMotion has prepared an MSI package of Firefox, with several modifications to enable group policy integration, as well as the administrative templates for Firefox.
Download the administrative templates (firefox.adm and mozilla.adm) and add them to your Group Policy Editor.

You get the following configuration parameters in the Group Policy - Administrative Templates for both under user and computer configuration can configure the following elements in the Firefox Section

General Settings - centraly configure and enforce Home Page setting for the Firefox users/computers
Enable Automatic Image Resizing - self-explanatory
Disable Firefox Default Browser Check - self-explanatory
Cache - setting cache size and path
Set Default Download Location - downloads path setting
Proxy Settings - centrally configure and enforce proxy setting for the Firefox users/computers
Disable XPI Installs - block installing of Moziila extensions

A configured policy is presented on the following image.

Upon testing, we installed the Firefox Community Edition and applied the configured policy.

When we ran Firefox and tried to change the proxy, we were unable to, as can be seen on the image below.

It can be confirmed that the overall Active Directory Group policy functions well. However, the number of configurable parameters for Firefox is very small, especially compared to the flexibility provided by Microsoft for Internet Explorer

Conclusion
Integrating Firefox into Active Directory is a great progress. But the current level of the solution makes it more of a curiosity, since it will change it's functionality with every new build from FrontMotion. If Active Directory integration is merged into the main Firefox development track and properly developed, for instance for Firefox 3.2, it will be a great step for Mozilla against Microsoft.
Once corporations are confident that Active Directory support is properly adopted into the generic Firefox and is there to stay, I know a lot of administrators that will happily phase out Internet Explorer for Firefox.

Talkback and comments are most welcome

Related posts
TrueCrypt Full Disk Encryption Review

Protecting from Meddling Web Applications

noreply@blogger.com (Bozidar Spirovski) — Tue, 21 Oct 2008 06:29:00 +0000

The current trend of web2.0 (or AJAX) is to abstract all processing from the local computer resources and just present the final 'drawing' of the web application, which contains only forms or lightweight widgets that pose very low security threat. However there are a lot of software companies that are still sticking to some old school (read outdated and insecure) programming technologies for web applications, that can leave your security cracked wide open.

So, how do you protect from web applications that wish to meddle with your computer.

Example scenario:

A vehicle service company has created an online ticketing system for fast problem reporting and resolution. A rent-a-car company which uses the vehicle service needs to use the application for logging of faults to their fleet. At first use, the web application does not work on any computer at the rent-a-car company. After some analysis, the security administrator concludes that the web application requires to install an ActiveX control on the client PCs in order to work - a function explicitly denied by the security policy.
Since business comes before security, the rent-a-car managers decide that everything must be done in order for the service web application to work properly. Thus, the ActiveX control is set as trusted and everything is fine.

Two months later, the service company ticketing web server crashes. At the same time, during regular fleet inventory, the rent-a-car company concludes that 17 luxury rentals are missing and have not been seen for at least a week. The GPS locators of the cars are found at an abandoned parking structure connected to a car battery.

Suspecting the system administrators are in on the theft, the police brings in forensic teams that sift the system for incriminating evidence. They discover none, but find a trojan horse that tampers with database records in the ActiveX control downloaded from the web server of the vehicle service company.The vehicle service company is contacted for investigation and it is concluded that the web server is formatted. It crashed due to corruption of several system files on the web server on the day when the 17 cars went missing. The manufacturer of the Web Ticketing application is also contacted and his ActiveX control is analyzed. The original ActiveX control does not contain any foul play code.

After the incident, the rent-a-car company files a damages suit against the service company, and the vehicle service company fires the administrator for gross negligence.

Analysis:
The entire chain of events in this scenario is a simple case of non-core competence comedy of errors:

Both companies have a completely non-IT core business, and as such are most likely to use the cheapest product on the market, as long as it works.
Their security awareness is an afterthought.The rent-a-car company trusted a foreign application and installed it on their computers.
The foreign application was downloaded from the Internet, and there was no way to confirm that the application is unmodified.
At the same time, the vehicle service company hosted a web application using their resources without proper knowledge and implementation of security
ActiveX as a technology is risky - it has no technological security - it just relies on the user's permission to trust and install itself. After that the applications have unrestricted access to anything the user has access to - even hardware (keyboard, disk drives, network...)

Conclusion and Recommendations:
There are simple and effective strategic steps to alleviate the risks of this scenario

If you are in a role similar to the vehicle service provider

Focus on core competence and outsource the application hosting to a reputable IT hosting company
When purchasing applications - add a functional requirement for minimal interference to the client side systems
Request a periodical reporting on security of the hosted application from an independent source (auditor)
Request that all code and information transferred via the internet to be signed by an code signing certificate issued from a trusted issuer.

If you are in a role similar to the rent-a-car company

Have a strict security policy and don't allow foreign code within your network (create isolated tunnels, separate isolated stations or similar level of isolation)
Request a periodical reporting on security of the hosted application from an independent source (auditor)
Request that all code and information transferred via the internet to be signed by an code signing certificate issued from a trusted issuer

Talkback and comments are most welcome

Related posts

Information Risks when Branching Software Versions

3 rules to keep attention to detail in Software Development

8 Golden Rules of Change Management

Application security - too much function brings problems

Security risks and measures in software development

Security challenges in software development

Thrown in the Fire - Database Corruption Investigation

noreply@blogger.com (Bozidar Spirovski) — Thu, 18 Sep 2008 15:33:00 +0000

Analyzing an incident when the manufacturer claims that it's an operator error and the operator claims that it is an application error is one of the most daunting tasks of a security officer.
And this is a type of incident that the security officer will be called upon to investigate simply because the management needs an independent observer and has doubts both in the operator as well as the manufacturer. Here is what to do when thrown into the fire

Prerequisites

Do not let the manufacturer's expert be the one that leads the investigation. If he insists to be involved, make it clear that this is your investigation and that he has to ask permission for and explain any action he wants done on the database and application during the investigation.
Know a bit of SQL or bring someone that you trust that knows SQL.

Tools of the trade

Toad for Oracle and Query Analyzer
MS SQL Server Management Studio for SQL Server
Event viewer for Windows and
Syslog and text log files for Unix/Linux
Notepad, hi-res camera or screenshots for everything.

Incident Investigation Process

Gather as much information as possible - even gossip!

Talk to the witnesses of the incident.
Establish who else worked with the application during the incident discovery
Document the events that lead to the discovery of the problem and their timeline
Document any data involved in the process - account numbers, exact names, values, currencies - anything that can be found in the database. Do this for both the clean and and corrupt data
Gather screenshots of the application of the events that lead to the discovery of the problem

Establish a time interval of the incident

Choose a database backup closest to the time the incident has been identified and Request that a database restore be done and the users to verify that the restored database is in good condition.
If the database is 'good' then the incident occurred between that backup and now.
If the database is 'bad' repeat with an earlier backup
Repeat until you find the closest 'good' and 'bad' backups - the incident has occurred sometime in that interval

If possible, try to reproduce the conditions of the incident

Starting from the known 'good' state - a non-corrupt database ask the users to repeat their activities
Observe/Film the user while performing the activities in the application
Run a profiler/logger type of tool while the users are working to capture all backend activities on the database
Follow through until the application is closed and all sessions are torn down - there can be a closing script that is a problem

Identify key data repositories

Consult the documentation and captured queries if available to identify the tables that the corrupt data is kept in.
If there is no usable source, use trial and error: The tables are usually named in a logical manner related to their purpose - so match them to the statement of events to find which tables are relevant.
In order to confirm that the right tables are identified, find at least some of the documented data involved in the incident in these tables. Don't be disappointed if you miss at first - they MUST be somewhere!

Look through the audit and/or the logs of the database to identify which updates or changes were made in the database.

This is a very problematic step - some applications and databases will not have any audit, or a small amount of audit.
But almost all applications have a form of application trail - a table or set of tables that logs the action to be or was done, mostly because a lot of application actions are dependent on each other so they need to create a unique identifier (key) in one table to be referenced further.

Match the described timeline with the database logged actions as closely as possible.

Consult the witnesses of the incident during this process - tell them that you notice certain type of event at certain time - this reminder triggers memory - they'll remember more detailed actions of their work!Add log details and timestamps at each step of the timeline

Discuss Observable Trail With Manufacturer and Users

If you find a proof of a bug or human error you're in luck. Write a report and recommend corrective and preventive measures.
Most likely, you'll find a gap in the events right where the incident occurred (interval of minutes) but the trail of events will indicate what was the next step: whether the program malfunctioned or the user made a flagrant error. Then you need to confront the manufacturer and users with the problem. Ask for a recreation of the actions with both parties present and with full logging. The log will give the actual event.

NOTE: Non reproducible errors are possible - If the error cannot be reproduced, then that is a report also. But then you need to increase the logging level to maximal possible level until the problem resurfaces.

Related Posts
Tutorial - Mail Header Analysis for Spoof Protection
Tutorial - Computer Forensics Process for Beginners
Tutorial - Computer Forensics Evidence Collection
The SLA Lesson: software bug blues

Talkback and comments are most welcome

5 Reasons to Consult Your SysAdmin for New Systems

noreply@blogger.com (Bozidar Spirovski) — Wed, 10 Sep 2008 20:07:00 +0000

A lot of organizations isolate system administrators from new system implementations, lead by the premise that their admin teams need to focus on maintenance, and that they may not bring benefit to the implementation, especially when consultants are engaged to implement the entire new system.

But always bear in mind that system admins have very specific insight that any project manager will find useful.

Here are the 5 reasons why organizations should always include your system admins in all phases of system implementation:

SysAdmins know the infrastructure and the interactions between systems - every corporate IT infrastructure is a complex set of systems, firewalls, security rules and networking connections. The SysAdmin can provide invaluable information about what the new system will communicate to, under which conditions and by which rules - questions that need to be properly answered in any implementation.
SysAdmins know the utilized capacities of current systems - introducing a new system is never self-sufficient. The new system will add load to the switching infrastructure, firewalls, can require additional licenses for monitoring systems and possibly database servers. All these prerequisites need to be addressed in a timely manner, so the full implementation does not grind to a halt at the last mile because there are no available ports.
SysAdmins can assist in evaluating required capacity - Based on what is used in the current network, SysAdmins can provide very relevant observation on whether the offered hardware is appropriate in terms of processing power, memory and disk capacity usage.
SysAdmins can provide fresh insight into possible risks in implementation - While the risk analysis is part of the preparation for implementation, SysAdmins can provide good input on possible risks in implementation - they know the users and usage patterns, the client systems and the entire environment.
SysAdmins need to be in the loop for the new element - The SysAdmins need to know and understand the new element in the infrastructure, so they can prepare to welcome the element - prepare capacity on related systems, read about the product, properly organize day-to-day maintenance tasks for the new system.

System Management - When do the IT Admins Screw Up?

Talkback and comments are most welcome

Essential Management Semantics - Responsible vs Accountable

noreply@blogger.com (Bozidar Spirovski) — Fri, 29 Aug 2008 14:28:00 +0000

I've had a discussion at the office about who is responsible for a certain activity. And as expected, the junior colleagues got into a discussion of who is more and who is less responsible for the activity. The Information Technology Infrastructure Library (ITIL) defines two distinct roles:

Responsible and
Accountable

If you open Websters dictionary (www.websters.com) and look up the adjective "responsible" you get the following description: answerable or accountable, as for something within one's power, control, or management
If you do the same for "accountable" here is what you get: subject to the obligation to report, explain, or justify something; responsible; answerable.

It is a common sense to assume that "accountable" and "responsible" are synonyms. But both in Management and IT their meaning differs slightly and that makes all the difference:

Accountable is the PERSON (singular) who answers for the entire set of results in a performed activity or process.

Responsible are the PERSON or PERSONS (singular or plural) who answers for the quality of a subset of tasks performed within an activity or a process.

So, there can be many responsible persons for the proper performance of a process, but should ALWAYS be only ONE person accountable for the entire process.

Bonus Question

Q: When something does not get done right, who gets blamed. The Accountable or the Responsible:

A: The Accountable has the task to identify which Responsible is failing his job and take measures to fix the problem. In the long run however, if the problem is not fixed and the entire process fails, the Accountable will be called to answer.

The Management Skills Blog has an excellent example on accountability versus responsibility

System Management - When do the IT Admins Screw Up?

San Francisco WAN Lockout - Pointing Fingers at Everyone Responsible

Talkback and comments are most welcome

iPhone Failed - Disaster Recovery Practical Insight

noreply@blogger.com (Bozidar Spirovski) — Thu, 28 Aug 2008 20:24:00 +0000

A lot of Disaster Recovery procedures are considered failed simply because they took longer then originally planned and documented. And a lot of these procedures take longer not because of poor equipment or incompetence. On the contrary, they take longer because the responsible people are focusing primarily on the effort to fix the problem. Here is a practical example:

On Tuesday my iPhone failed. And since its warranty is long gone i decided to fix it myself. I finally got it fixed at Wednesday night.

In my zeal to repair it, I forgot the first rule of business continuity - recover functionality within acceptable time frame. And for iPhone, just for any other mobile phone, the main functionality is TELEPHONY!!! I was unavailable for the most part of Tuesday and during parts of business hours on Wednesday.

In the end, the problem was solved, and my iPhone is working again. But then all missed calls came raining down, and that kicked me back into reality, and gave me a real perspective of what I needed to do: find a low end replacement phone instead of meddling with low-level format, firmware flashing and DFU modes. That way, I would have been contactable, and be under much less pressure to quickly fix my iPhone.

In perspective, the same behavior can be seen in many organizations during IT disaster recovery. Disaster recovery is organized and coordinate by IT people - mostly very capable engineers. And yet, a large number of Disaster Recovery actions are delayed by the effort of these good engineers focusing primarily on fixing the engineering problem - not fixing the business problem.

In a Disaster Recovery situation, the timer of recovery is known as Recovery Time Objective (RTO). That is the time interval starting from the moment ot disaster in which operation must be recovered to limited but essential functionality.

A good DR manager - regardless of his position and education does his work with a stopwatch. The time he can allow the engineers to try to fix the problem does not have a formal name so let's call it Fixing Time. It is the time difference between RTO and the tested time required to activate the Disaster Recovery systems.
Once this Fixing Time passes, Disaster Recovery preparations must start. If the problem gets fixed before completion of DR system activation, all is well. If not, RTO has been met. Oh, and the engineers can relax from the urgency pressure and work on fixing the original problem for as long as it takes

Back to my iPhone example - what was my timing? A phone RTO should be the recharge time - 2 hours. Getting a replacement phone is a walk to the store and buying the cheapest prepaid model or borrowing a spare form a friend - 30 minutes. So I needed to keep my cool, and try to fix the problem for only 1.5 hours before looking for an alternative. After that, I could have spent a week on the iPhone - no pressure to fix it fast.

Related posts

3 Rules to Prevent Backup Headaches
Business Continuity Analysis - Communication During Power Failure
Example Business Continuity Plan for Brick&Mortar Business
Business Continuity Plan for Blogs
Example Business Continuity Plan For Online Business

Talkback and comments are most welcome

Cloud Computing - Premature murder of the datacenter

noreply@blogger.com (Bozidar Spirovski) — Mon, 25 Aug 2008 07:50:00 +0000

Last week Amazon announced it's new cloud computing service - The Amazon’s Elastic Block Store (EBS) . It's a remote storage service, with excellent storage/cost ratio which is even advertised as replacement for large storage systems of the enterprise. Naturally, the ever controversy seeking journalists hurried to declare time of death to the enterprise data center and included this view:

Though most businesses are quite comfortable in using external utility
services for electricity, water, and Internet access — and we even use banks to
hold and pool our money with others “off site” — we are still largely unready to
move computing off-premises, no matter what the advantages

It is correct that certain elements are used as external utilities, but let's compare services from a realistic point of view

Electricity as a service - because everyone is entirely dependent on electricity, the grid itself is designed to be resilient, have fast fail over time, survive major catastrophic events at power plants or within the grid, and even re-route additional supplies from other countries if need be, at horrible costs but it does work! Oh, and for the simple case of a grid glitch, we'll spend a $500 on a UPS and another $5000 on a diesel generator and we're all set!
Data storage as a service - For data storage services, information is needed here and now - exactly like electricity. If we are to outsource our cloud information storage to a provider, that may be well and good as long as it works. However in the information security world, there are three key concepts. Our cloud data storage must guarantee commensurate levels of

Confidentiality - in cloud computing location is an ambiguous concept. So data will exist on different storage elements, at different physical locations, will traverse millions of miles of physical networks not related to or in any way responsible to the customer, as long as it's there. Who will guarantee that confidentiality is maintained? Oh, and I forgot - you ACCESS the data via the Internet. Whenever a confidentiality breach does occur it can always be blamed on your Internet connectivity and breach of security at the access provider, not the storage service provider
Integrity - will probably be maintained, since there are very simple ways of doing comparison and keeping a small subset of control information with each set of data - as long as fragments don't get lost, in which case we have a problem of...
Availability - in cloud computing information is everywhere, and gets collected and presented at the user's request. If for any reason this data cannot be reconstructed and verified it is lost. And again, the access to the information is through the Internet - which is not service with guaranteed availability, since it depends on international mesh network controlled by a multitude of independent entities. Unless you spend top dollar on dedicated data links nobody will sign a strong SLA for Internet access - it's impossible to achieve.

But why don't we have a local backup, just like the UPS? Of course we can, it's known as an enterprise data center!

While there are strides made in the right direction of cloud computing it's current level of usability is restricted by the "best effort" concept of the entire network on all sides. So the users of cloud computing are the ones that find it acceptable to:

have delays in access to information
have some data lost and
information leakage will not make a significant impact.

In the meantime, the enterprise data centers are still humming strong

Datacenter Physical Security Blueprint

3 Rules to Prevent Backup Headaches

Talkback and comments are most welcome

Fedora Servers Compromised

noreply@blogger.com (Bozidar Spirovski) — Sat, 23 Aug 2008 06:08:00 +0000

According to this announcement from yesterday, Fedora servers were compromised.

Here is a scary part of the announcement:

One of the compromised Fedora servers was a system used for signing
Fedora packages

That particular server had very little to do with Internet, and should have been properly isolated, even on a completely separate network from Internet accessible servers.

So, the readers should be careful with the current Fedora distro and packages download and install. I would wait for the next official release.

This event goes to show that large companies, regardless of industry can make poor security choices. And because large companies with high profile are a great publicity target, these poor choices are easily found by hackers

Anyway, respect to RedHat for the announcement. A lot of companies will simply sweep such an event under the rug.

Related posts
Portrait of Hackers

Talkback and comments are most welcome

Competition Results - Computer Forensic Investigation

noreply@blogger.com (Bozidar Spirovski) — Fri, 22 Aug 2008 10:48:00 +0000

The Computer Forensic Investigation Competition is closed, and here are the results

What was there to be found:

Tshark sniffer - part of the wireshark suite in /moodle/enrol/paypal/db
NetCat tool for backdoor creation - renamed as MyTool.exe - in /moodle/auth/ldap
An MP3 of Sergio Mendes & Brasil 66 - Mas Que Nada renamed as html document - in /moodle/auth/imap
A TrueCrypt rescue disk ISO renamed as MyDoc.doc in /moodle/lib/geoip/Documents/
OSSTMM Penetration Testing Methodology with penetration details in deleted file osstmm.en.2.1.pdf in /moodle/enrol

Finding the above was suffucient to win the competition. Alternatively, instead of OSSTMM you could find the below two items

A decoy metasploit developers guide pdf in /moodle/lib/geoip/Documents - actually, that document has nothing to do with direct hacking unless you discover the
metasploit framework remnants of a deleted metasploit framework in /moodle/lib/geoip/Documents

Who did the investigation (in chronological order of reporting the findings - earliest first)

Lawrence Woodman - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
Tareq Saade - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
Bobby Bradshaw - Found 3 incriminating pieces of evidence. Missed both and the dummy penetration testing documents (Metasploit and OSSTMM) and missed the Truecrypt Recovery CD Iso
Daniele Murrau - Found all incriminating evidence. The utilized toolset is Autopsy as part of Helix distribution
Lesky D.S. Anatias - Found all incriminating evidence. The utilized tollset is PyFlag and Sleuthkit

Other Participants - did not qualify for final review because they did not send details of methodology nor findings (no particular order)

Phil (no last name) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings
snizzsnuzzlr (obvious nickname) - reported finding 5 pieces of evidence, but did not send methodology used nor details of findings
Fender Bender (obvious nickname) - reported finding 3 pieces of evidence, but did not send methodology used nor details of findings
Sniffer (obvious nickname) - reported finding 2 pieces of evidence, but did not send methodology used nor details of findings

And the winner is - Daniele Murrau

Here are his conclusions and methodology as a downloadable PDF

We are also naming two honorary mentions

For speed - Lawrence Woodman, who produced a nearly full analysis in a tremenduosly short time, but most probably missed the OSSTMM and the metasploit remnants because he was in a hurry
For thoroughness - Lesky D.S. Anatias, who discovered ALL evidence, including the metasploit remnants

No Privacy - Saw You Cheating on Image Search

noreply@blogger.com (Bozidar Spirovski) — Thu, 21 Aug 2008 09:08:00 +0000

What is the next big privacy issue? Image Search. But not the current image search, which actually searches through the file names and meta data, but actual, pattern matching image search.

The issue of pattern matching between images regardless of perspective and color has been an academic issue for a long time, and has found application in OCR systems, fingerprint identification and some high cost expert systems. For the enthusiasts, here is a good article on the math behind image search Bayesian geometric hashing and pose clustering .

While the technology has been in research for more then 20 years, the current trend is turning towards image and video search, not for academic reasons - but for profit. Paul Murphy did a critique on the current state of search and the golden opportunities .

Yes, matching an uploaded image to a database of images and videos and returning similar items is a very valuable and profitable technology - just imagine the amount of commercials that can be targeted in such a way!

So it is safe to say that with the current advances in processing power, storage and network bandwidth, image search will happen, quite fast. It will probably deliver a lot of benefits apart from profits for the search engines, like

Pattern matching for obscure symbols or painting styles across many publications and museums
Searching for your lost brother on the Internet by uploading his child image
Even in kidnapping cases, for searching across the vast data sets of video surveillance in hotels, train and bus stations, airports, etc..

But it will also enable a huge amount of privacy breaches and dangerous situations, like:

Jealous girlfriend/boyfriend may use the search to sift through MySpace and YouTube videos of parties looking for possible indiscretions of the partner
Sexual deviants may use the online video and image archives to search for their preferred type of targets
Criminals will be able to look for a multitude of photos and blueprints of a possible target (a local bank building) by having only several photos and a sketched schematic of the publicly accessible part of the building
Identity theft attackers to find actual persons the target is working with or being familiar with, to prepare a better attack

We are becoming a very networked world, with direct and online access to ever vaster set of information.
So just be prepared to tell the truth to your wife when you come home from work, because soon she'll be able to Google you at the local bar with friends instead of a late night at the office

Related posts
Internet Social Engineering - Avoid Con Tricks
8 Tips for Securing from the Security expert
Risk of losing backup media - real example
8 Steps to Better Securing Your Job Application

Talkback and comments are most welcome

When Will Your Mobile Phone get Hacked?

noreply@blogger.com (Bozidar Spirovski) — Wed, 20 Aug 2008 07:16:00 +0000

With the price reduction and the improvement in technology, the mobile devices are the next big communication platform. But also, they are the next big hacker target.

The history

Starting with WinCE, Linux and Symbian the trend of "computer-like" mobile phones just started. Yes, these platforms had their flaws and security problems. But at the time of their appearance there were two mitigating factors to an all-out attack or exploit

The devices had only voice and very low speed data capabilities at high prices - very few people used their devices as more then an electronic address book, and surfing the web was out of the question given their technical capabilities and data transfer prices
The devices high price prevented most people from owning them - again, this reduced the attack deployment and spreading capability so an attack vector on them was easily quenched.

The present

Enter iPhone, or as many users called it, the "Jesus Phone". Suddenly, everyone wants one, and Apple has happily sold more then 10 million units worldwide.

Oh, and the business ideas of Steve Jobs to lock the iPhone helped to develop a very powerful user and hacker community, suddenly information on exploiting techniques were shared between enthusiasts.

To fight on the market, everyone and their mother produced an iPhone killer - both in interface and in functionalities.

With hot spots and unlimited data plans all over the place, people are using these devices to read their e-mail, surf the web, even download and upload files.

Does anybody see a resemblance to a laptop?

The future

Enter Android - smart phones will become cheaper! The open platform concept ditches the "Security by obscurity" element, so now a lot of people will have a look into the vulnerabilities of smart phones.

In the war for customers, the providers will offer more and more hot spots and cheaper data plans.

At the moment, I'm turning off my iPone wireless, since it cannot reach a hot spot. In a year, probably my data plan will be such that i don't care whether I'm online or offline. So I'll be online! And there will be millions of users like me, and all of them can become potential targets for hacker attacks.

The effort to solution

One should expect that security becomes a great part of platform development. Android security is already lacking and they are trying to fix it .

But it's not only the android that should be treated as such. Windows Mobile, Symbian, Darwin... ALL should treat terminal (mobile device) security as a crucial part of the platform development.

This goes for the manufacturers that will be using these platforms to create their handsets - at the end of the day, nobody will say that Android was hacked, instead, Nokia, Motorola or HTC will be hacked.

And so far this element of security has been often forgotten or ignored by the manufacturers

So, in summary, I'm expecting your mobile phone to be hacked in the next year. I'll revisit the topic then, to lament on the past

Talkback and comments are most welcome

Where is that XP Install CD?

noreply@blogger.com (Bozidar Spirovski) — Tue, 19 Aug 2008 08:04:00 +0000

Today, Christopher Dawson has a post at ZDnet titled Don’t downgrade me to XP!. His take on the Vista subject is that we should bite the bullet and go with Vista, since XP is already 7 years old, so installing it on new equipment and running it for 4 years will bring it to an age of 11 years - way too much in an industry where anything older then 4 years is ancient!

But turning back to reality, let's analyze who might benefit of using Vista instead of XP

First the proposed benefits: Apparently, Vista has

better security
better application support
is more modern and far easier to use.

The users have already said their part:

Vista and XP are on par at security, the only remaining benefit being that XP support is ending.
Application support in vista is lacking, and a lot of drivers were funky even 1 year after Vista was released
The interface although modern, is a huge resource hog, and hampers a lot of users

So, who will benefit from Vista?

Not the corporate users - corporations are riddled with legacy applications, have very stringent procedures for upgrade and are generally very careful when adopting anything. In such an environment, implementing Vista will require

additional training for the users
significant testing to verify that all corporate applications are working
big chunk of change to bring all available hardware up to Vista hardware requirements

Not the power users - power users have specific applications they use and they expect that the apps run as fast and as smooth as possible. Installing Vista will very probably:

reduce performance of their application
possibly hamper operation of their application
make them re-learn part of their computer use - which takes time that they can use much more productively

Not the gamers - Unless insisting on DirectX10, XP still delivers a better performance bang for the same buck of hardware, which is very important for gamers, since they are on the road of draining every last frame per second from their hardware. Some of the older readers will remember installing special memory managers to take maximum advantage of ALL computer resources. Users like this DON'T WANT a resource hog like Vista

In summary, although XP is 7 years old, Vista hasn't delivered any significant improvements which would justify it's use. XP still delivers much better productivity

So the only ones that will take up Vista are the ones that really don't mind productivity changes:

Newbies - anyone just starting out in computing, so they don't have any specifications and expectations to meet, nor are particularly oriented towards any specific application.
Testers - the people that must have it, in order to prove that their product works with Vista
Technology enthusiasts - the people that want and need to have the latest and greatest product, whether to learn it or to show off.
Low power computer users - any users that use most basic computer functions like word processing, simple spreadsheets, e-mail and calendar and web surfing.

The above list translates to home users and Quality Assurance and parts of R&D departments. Sorry Christopher, but even after 7 years of use, XP still looks much better then Vista.

Reality check: We WILL Move to Vista once XP support has ended and the next major flaw is found. But, in the meantime, I just got a new laptop...Where the hell is my XP Install CD?

Talkback and comments are most welcome

Is the Phone Working? - Alternative Telephony SLA

noreply@blogger.com (Bozidar Spirovski) — Fri, 15 Aug 2008 09:08:00 +0000

Telephony costs are one of the main targets of cost cutting in many large companies. In this effort, the companies are turning to alternative voice providers, who offer much cheaper calls and more flexible services. But, these new operators are using new technologies and are relatively new on the market, so the buyer should approach the alternative telephony service with care and apply proper Service Level Agreement.

What we are used to?
In a traditional telephony, the voice reliability is taken for granted, and all equipment is designed to offer very high availability. Also, capacity is not an issue, since each incoming circuit to a switch is dedicated, and the switching capacity of the Telco Switch is calculated via well known formulae (Erlang models) to provide switching of all initiated calls.

PSTN availability was measured at 99.99% (maximum of 4 minute outage per month, or a total of 52 minutes outage per year!) in 1993 and that number is closing to 99.994%. Compared to this, classical IP data services are struggling with passing the "two point five nines" (99.5%) which is equivalent to 3.6 hours outage per month or nearly 2 days per year.

For all medium to large businesses (especially in operating a retail business) telephony is a "default" service, one that must ALWAYS work, one that is really taken for granted.

The potential challenges with an alternative voice provider
When a company decides to use the services of an alternative telephony provider several issues may appear. The alternative telephony provider may bypass the ILEC operator (Incumbent Local Exchange Carrier) to minimize costs, and quite often, they may arrive at your premises via a data link to attach to the company's PBX. Once we walk into the realm of data transfer, things get much different:

The data link is terminated on a lower reliability active equipment (usually router or L3 switch) - To mimimize costs, this device will not be of a too high class, and it's hardware reliability will be around 98-99%
The data link can be prone to faults on a physical level - alternative telephony operators are not too big on infrastructure protection and want fast deployment, so it can happen that the operator's cable is strung on power lines, placed in central heating ducts under the city, or in extreme examples, are even illegally dug-in in soft ground areas (parks, recreation tracks, green patches) where they are unmarked and easily fall victims to any other construction or renovation activity.
Data links are by default based on best effort technologies - so IP data packet drops, retransmissions and delays can occur.

All this translates to a whole new ballgame in terms of controlling the services offered by your alternative voice service provider.

Establishing proper criteria for service quality

So in order to properly manage the alternativ voice services, one must define what criteria should be measured.

Keep the good old data SLA - this is to control the overall data link quality, which is easiest to measure
Establish measurement on Established, Failed and Dropped calls - via the router infrastructure connecting you to the alternative telephony provider. This measurement will be enabled through vendor specific router functions, most often through syslog event analysis.
Define the guaranteed volume of simultaneous calls that the provider will deliver - measure the delivered volume of calls in terms of comparing the values of established, failed and dropped calls from point 2.
Define and Apply penalties both on overall link quality (point 1) since it will affect all calls, and on volume of realised calls (points 2 and 3) since they relate to actual ability to use the service as contracted.

Related Posts
9 Things to watch out for in an SLA
5 SLA Nonsense Examples - Always Read the Fine Print

Talkback and comments are most welcome