tag:blogger.com,1999:blog-82361829257470314612024-03-13T12:36:01.062-07:00Thinking About SecurityWilliam Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.comBlogger176125tag:blogger.com,1999:blog-8236182925747031461.post-27497643605116921082024-03-07T10:16:00.000-08:002024-03-07T10:16:46.443-08:00Prefer eSIMs<div style="text-align: left;"><span style="font-family: helvetica;">The SIM (Subscriber Identity Module) is a fingernail-sized integrated circuit (IC) that fits into a slot on your wireless phone. It stores a number called the International Mobile Subscriber Identity (IMSI) and the secret key that goes with it, which the network uses to authenticate the SIM. </span></div><div style="text-align: left;"><span style="font-family: helvetica;"><br /></span></div><div style="text-align: left;"><span style="font-family: helvetica;">The IMSI is what associates your mobile phone with your telephone number and your mobile service provider. The SIM is "provisioned" by your service provider when you open your account, and you place it in your phone. If you get a new phone, all you need to do is move the SIM to the new phone for your number to ring on it. Your number travels with the SIM.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Your phone also has a unique identifier, the</span><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"> International Mobile Equipment Identity, or IMEI. 
When you make a call, the network sees both the IMSI from the SIM and the IMEI of the handset.</span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">Your service provider also has an account number for you that they use to record all the information about your plan, your charges, payments, and balance or credits due. This number is unique and binds you to your carrier. It remains the same across phones, phone numbers, and SIMs. </span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">Many of us use our phones as evidence of our identity in systems of strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). This takes two forms. We may have a "soft token" (e.g., Google Authenticator, Microsoft Authenticator, Okta Verify, Symantec VIP Access) on our phone. This is an app that generates a new one-time password (OTP) every 30 seconds or so. The app and a server on the Internet share a secret seed, installed when you enrolled, and a clock; each computes the same code independently, so nothing passes over the phone network. Another app, for example for your bank account or other business application, may prompt for the OTP at logon time. It will submit the number you supply to the server to confirm that you have the soft token. 
Possession of the phone, "something you have" and can use, serves as one form of evidence in a system of strong authentication.</span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">Alternatively, you may register your phone number with an application provider. At logon time the provider sends a one-time code by text message (SMS), which you copy into the logon prompt. Only someone who can receive text at that phone number can complete the logon. This is marginally more convenient than the soft token; it is also less secure, because it depends on two bindings outside your control: the application provider having the right phone number associated with your account, and your wireless service provider routing that number to your phone. </span></span></div>
Because this attack usually involves the wireless service provider issuing the attacker a new SIM for your number, it is known as "SIM swapping." A similar attack dupes the application provider into changing the phone number associated with your account to the attacker's. Both attacks require duping support personnel. (See also "port-out" attacks, in which the attacker has your number transferred to an account at another carrier.)</span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">Note that support personnel are trained and motivated to be supportive. If they think they are talking to you, they will do whatever they are asked. Of course, they are also trained and motivated to be sure it's you, but there are lots of them and their training may be spotty.</span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">This is where the eSIM comes in. Instead of storing the IMSI and its key on a removable card, a late model phone stores them in a profile downloaded into an embedded secure element (the eUICC) that is soldered to the phone and cannot be moved. Instead of being provisioned by support personnel handing you a card, the profile is provisioned by you, by running your carrier's app or scanning a QR code the carrier issues. Keep in mind that the carrier can still issue a new profile to someone who convinces its support staff that they are you; the eSIM removes the physical card from the attack, not the help desk. Set the account PIN or number-transfer PIN your carrier offers so that such changes require it. 
</span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;"><br /></span></span></div><div><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-size: 16px;"><span style="font-family: helvetica;">The app comes from a network operator (e.g., AT&T, Verizon, T-Mobile) or from a reseller (e.g., Consumer Cellular, AARP, Mint Mobile, Nomad) that contracts with one of the operators. It is to be hoped that you are a little more concerned with your identity than any of these service providers. </span></span><span style="background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-family: helvetica;">These resellers, which do not operate their own networks, compete on price, coverage, data plan, or a combination of these. While some may provide a SIM card for old phones, for late model phones they use eSIMs.</span></div><div><span style="background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-family: helvetica;"><br /></span></div><div><span style="background-color: #f0f2f7; caret-color: rgb(51, 51, 51); color: #333333; font-family: helvetica;">In any event, if your phone suddenly loses service while others around you still have coverage, you may be the victim of a SIM swap. Contact your service provider immediately, from another phone if necessary. 
Do not hesitate.</span></div>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-90229846308882111292024-02-12T11:08:00.000-08:002024-02-12T11:08:25.975-08:00Surveillance, Legal and Otherwise<p><span style="font-family: helvetica;">A New Jersey Court recently held that a "communication data warrant" was insufficient to compel Facebook to hand over a user's posts. Rather, under New Jersey's Wiretap and Electronic Surveillance Control Act, investigators would need a "wiretap" order.</span> <span style="font-family: helvetica;">While both orders are "warrants" as required by the Fourth Amendment to the US Constitution, under NJ law the standards and permissions are different for the two orders. Said another way, it is the intention of the New Jersey legislature that surveillance in (near) real time is more intrusive than a mere search and must be more limited. The intent of the law is to resist abuse, not only by NJ investigators but also by the federal government.</span></p><p><span style="font-family: helvetica;">While the US Code contains no such explicit distinction, both law and precedent require that warrants be explicit as to what methods may be employed and what evidence is sought. A warrant is not a <i>carte blanche, </i>a license to do anything the officer wants. 
In practice judges expect law enforcement to use the "least intrusive means" to investigate. </span></p><p><span style="font-family: helvetica;">Governments around the globe, and law enforcement in particular, employ surveillance to detect and investigate communications that they wish to discourage. Some, like ours, recognize the potential for abuse and seek to resist it. None absolutely eschew its use. In some authoritarian states it is routine, a means of exercising power and control over the populace. </span></p><p><span style="font-family: helvetica;">The most frequent justifications for surveillance are crime, specifically CSAM, and terrorism. The rules are often "collect everything, forget nothing, admit nothing." Data collected for legitimate purposes constitutes a temptation, not to say an invitation, to other uses. </span></p><p><span style="font-family: helvetica;">While the US Constitution requires probable cause for both searches and seizures, in practice seizures are routine and warrants are required only for searches. While under the Constitution the test is "reasonableness," in practice and precedent the threshold for requiring a warrant has become whether or not the subject has an "expectation of privacy;" reasonableness is no longer even considered. </span></p><p><span style="font-family: helvetica;">In the US the requirement for a warrant is routinely bypassed by purchasing "surveillance as a service" in the open market. Investigators simply pay a small fee to so-called data brokers. This is much more efficient than creating a government database. </span></p><p><span style="font-family: helvetica;">In summary, the protection against unreasonable search and seizure guaranteed in the Fourth Amendment to the US Constitution has been whittled away. While there is little evidence that the current administration is engaged in massive surveillance, it happened under the GWB administration. 
There is little left to protect us against abuse by future administrations. </span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-78003797003823313782024-02-12T09:24:00.000-08:002024-02-12T09:24:35.894-08:00The Role of the Chief Information Security Officer (CISO)<p><span style="font-family: helvetica;">There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches. </span><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;">It seems to me that the biggest problem with the CISO is a misunderstanding of the role. CISOs are staff, not line. They are not responsible for security; line managers are. They are not responsible for preventing breaches; line managers are.</span></p><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;">They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors. They are responsible for articulating strategy but not for adopting or implementing it. They are responsible for coordinating implementation of strategy across functions and departments. They are responsible for recommending essential and efficient security measures but not for implementing them. They are responsible for recommending standards, for measuring against them and reporting on them, but not for complying with them. They are responsible for measuring enterprise IT risk and for reporting on it to general management. 
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px;">The wise CISO negotiates his success before taking the job. When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management. </span>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1tag:blogger.com,1999:blog-8236182925747031461.post-17162552779951034512023-11-06T12:09:00.004-08:002023-12-19T13:34:18.531-08:00Artificial Intelligence<p><span style="font-family: helvetica;">Artificial intelligence, AI, is a new user interface to the computer. Large language models (LLMs) make the computer easier to use. They permit us to describe the result that we want in natural language, improving productivity and enabling new applications. AI will improve intellectual productivity as much as the internal combustion engine did for manual productivity. In response to internal combustion, and more specifically the tractor, we shortened the work week from 72 hours to 44 and invented vacations and retirement. In the process, we killed off two generations of young men and still suffered 25% unemployment. Said another way, increases in productivity are disruptive. </span></p><p><span style="font-family: helvetica;">The computer, with or without AI, is a tool. Tools vary in quality, utility, usability, and use. The user is responsible for the selection of the tool, the purpose to which it is put, and for all the properties of the result. 
This is true whether the user is an individual or a group. An enterprise must be responsible and accountable for everything that results from its application of this powerful technology. We call this security and we forget any part of it at our peril. </span><span style="font-family: helvetica;">We must not impute authority or autonomy to the tool; we must not </span><span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; background-color: white; caret-color: rgb(77, 81, 86); color: #4d5156; font-family: helvetica; font-size: 14px; text-decoration: underline;">anthropomorphize the tool</span><span style="font-family: helvetica;">. "The craftsman does not blame his tools." We must hold people accountable for how we use this powerful new tool. </span></p><p><span style="font-family: helvetica;">In the near term we should focus on embedded application specific implementations of AI. We should follow the example of IBM, a pioneer in the field. IBM trains the engine, think Watson, on application specific curated data; they build in governance and transparency from the ground up.</span></p><p><span style="font-family: helvetica;">Public policy must soften the impact of the disruption. This will include shortening the work week to spread the work and the leisure. It should include a guaranteed minimum income to ease transition from old jobs and skills to new ones. Finally, it should include changes in tax policy from labor to capital, people to robots, and production to consumption, to more securely and equitably finance the social safety net. 
</span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-56365524724530011022023-07-10T12:48:00.000-07:002023-07-10T12:48:12.479-07:00Common System Design Flaws<span style="font-family: helvetica; font-size: large;">I recently came upon </span><span style="font-family: helvetica; font-size: large;"><a href="https://tinyurl.com/SystemDesignFlaws">https://tinyurl.com/SystemDesignFlaws</a>. It was written as a chapter of the Handbook of Information Security (2001). I offer the link to any who would like to see the whole paper, but recap the flaws and the recommendations for avoiding them here.</span><div><span style="font-family: helvetica; font-size: large;"><br /></span></div><div><span style="font-family: helvetica; font-size: large;">The flaws covered by name are:</span></div><div><br /></div><div><span style="font-family: helvetica; font-size: large;"><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span>• Complexity</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span>• Incomplete Parameter Checking</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Incomplete Error Handling</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Ineffective Binding</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Inadequate Granularity of Controls</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Gratuitous Functionality</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Escape Mechanisms</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Excessive Privilege</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Failure to a Privileged State</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Unsafe Defaults</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Excessive Reliance on Application Controls</p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">• Others</p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><br /></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;">Examples and illustrations of these common flaws are discussed at length in the paper. </p></span></div><div><span style="font-family: helvetica; font-size: large;"><br /></span></div><div><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">The following recommendations should be considered when crafting and staging applications. 
By adhering to these recommendations the programmer and the application manager may avoid many of the errors outlined in the paper.</span></p>
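<div><span style="font-family: helvetica; font-size: large;"><br /></span></div><div><span style="font-family: helvetica; font-size: large;">As an added illustration, not from the paper or this post, the block below puts two of the flaws named above, Incomplete Parameter Checking and Unsafe Defaults, beside the form the first two recommendations call for: enforce every restriction you rely on, and check each input for the intended length and code type. It is Python; the funds-transfer request, its field names, the 8-to-12-digit account format and the amount limit are assumptions made for the example. The flawed parser checks length only and lets int() decide what an amount is; the complete one refuses anything that is not exactly what the back end expects, which is also how it fails to the safest state.</span></div>

```python
import re
from dataclasses import dataclass

# Constructed example: a funds-transfer request arrives as untrusted strings
# (form fields). Field names, formats and limits are assumptions for illustration.
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")   # intended code type and length, ASCII digits only
AMOUNT_RE = re.compile(r"[0-9]{1,7}")     # whole cents: no sign, no spaces, no separators
MAX_AMOUNT_CENTS = 1_000_000              # business limit the back end relies on
EXPECTED_FIELDS = {"src", "dst", "amount_cents"}


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int


def parse_transfer_flawed(fields: dict) -> Transfer:
    """Incomplete parameter checking: length is checked, code type and range are
    not, and a missing amount silently becomes an unsafe default of 0.
    int() accepts "-2500", " 7 " and "1_000"; a negative amount turns a
    payment into a withdrawal from the other account."""
    src = fields.get("src", "")
    dst = fields.get("dst", "")
    if len(src) > 12 or len(dst) > 12:
        raise ValueError("account number too long")
    amount = int(fields.get("amount_cents", 0))
    return Transfer(src, dst, amount)


def parse_transfer(fields: dict) -> Transfer:
    """Enforce every restriction the back end relies on: exact field set, string
    type, code type, length, and range. Anything else is refused (fail closed)."""
    if set(fields) != EXPECTED_FIELDS:
        raise ValueError(f"unexpected or missing parameters: {sorted(set(fields) ^ EXPECTED_FIELDS)}")
    src, dst, raw_amount = fields["src"], fields["dst"], fields["amount_cents"]
    if not all(isinstance(v, str) for v in (src, dst, raw_amount)):
        raise ValueError("parameters must be strings")
    if not (ACCOUNT_RE.fullmatch(src) and ACCOUNT_RE.fullmatch(dst)):
        raise ValueError("account numbers must be 8 to 12 ASCII digits")
    if src == dst:
        raise ValueError("source and destination must differ")
    if not AMOUNT_RE.fullmatch(raw_amount):
        raise ValueError("amount must be 1 to 7 ASCII digits")
    amount = int(raw_amount)
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValueError("amount out of range")
    return Transfer(src, dst, amount)


def decide(parser, fields: dict) -> str:
    """Run one parser over one request and report the outcome."""
    try:
        parser(fields)
        return "accepted"
    except (ValueError, TypeError, KeyError):
        return "rejected"


# Constructed sample requests: one valid, three that a complete check must refuse.
SAMPLE_REQUESTS = {
    "valid":    {"src": "12345678", "dst": "87654321", "amount_cents": "2500"},
    "negative": {"src": "12345678", "dst": "87654321", "amount_cents": "-2500"},
    "nondigit": {"src": "1234abcd", "dst": "87654321", "amount_cents": "2500"},
    "extra":    {"src": "12345678", "dst": "87654321", "amount_cents": "2500", "override": "1"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:9} flawed={decide(parse_transfer_flawed, req):9}"
              f"complete={decide(parse_transfer, req)}")
```

<div><span style="font-family: helvetica; font-size: large;">Run as a script it shows the flawed parser accepting all four requests, including the negative amount, the non-numeric account and the stray "override" field, while the complete parser accepts only the valid one. The point of listing the expected fields and refusing the rest is that a restriction the code does not enforce is one an attacker gets to choose.</span></div>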
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Enforce all restrictions upon which you rely. </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Check and restrict all input parameters to the intended length and code type. </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Prefer short and simple programs and program modules. </span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Prefer programs with only one entry 
point at the top or beginning and only one exit at the bottom or end. </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Prefer reliance upon well-tested common routines for both parameter checking and error correction. Consider the use of routines supplied with the database client. Parameter checking and error correcting code is difficult to design, write, and test. It is best assigned to master programmers. </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Fail applications to the safest possible state. Prefer failing multi-user applications to a halt or to logon rather than to a new instance of the application or the environment (e.g., operating system). </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Limit applications to the least possible privileges. Prefer the privileges of the user. Otherwise, use a limited profile created and used only for the purpose. Never grant an application system-wide privileges. (Since the programmer cannot anticipate the environment in which the application may run </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">and the system manager may not understand the risks, exceptions to this rule are extremely dangerous.)</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Bind applications end-to-end to resist control bypass. Prefer a trusted single-system environment. Otherwise use a trusted path (e.g., dedicated local connection, end-to-end encryption, or a carefully crafted combination of the two). Include in an application user’s privileges only that functionality that is essential to their use of the application. Consider dividing the application into multiple objects requiring separate authorization so as to facilitate involving multiple users in sensitive duties.</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Controls should default to safe settings. Where the controls are complex or interact in subtle ways, provide scripts (“wizards”), or profiles.</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Prefer localized controls close to the data, e.g., prefer file system to application, database manager to file system. Prefer authentication of users (or using processes) close to the user (e.g., on the mobile client).</span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Use cryptographic techniques (e.g., digital signatures) to verify the integrity of the code and to resist bypass of the controls. </span></p>
<p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;">• Prefer applications and other programs from known and trusted sources in tamper-evident packaging. 
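The first and fourth bullets above (restrict every input parameter to its intended length and code type; rely on one well-tested common routine for parameter checking) as an added example, not code from the post: every field of a request passes through the same checker, and the whole request fails closed on any violation, reporting all of them. The code-type names, ParamSpec, and the funds-transfer parameters are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping

# "Code type" here means the character repertoire a field may contain.
# These names are assumptions for this example; the post defines no list.
CODE_TYPES: Dict[str, "re.Pattern[str]"] = {
    "digits": re.compile(r"[0-9]+"),
    "alpha": re.compile(r"[A-Za-z]+"),
    "alnum": re.compile(r"[A-Za-z0-9]+"),
    "alnum-space": re.compile(r"[A-Za-z0-9 ]+"),
}


@dataclass(frozen=True)
class ParamSpec:
    """Intended length range and code type for one input parameter."""
    name: str
    max_len: int
    code_type: str
    min_len: int = 1


class ParameterError(ValueError):
    """Raised when a request fails the checks; carries every finding."""

    def __init__(self, problems: List[str]):
        super().__init__("; ".join(problems))
        self.problems = problems


def check_param(value: object, spec: ParamSpec) -> str:
    """Check one parameter against its spec; return it unchanged or raise."""
    if not isinstance(value, str):
        raise ParameterError([f"{spec.name}: not a string"])
    n = len(value)
    if n < spec.min_len or n > spec.max_len:
        raise ParameterError(
            [f"{spec.name}: length {n} outside {spec.min_len}..{spec.max_len}"])
    # fullmatch(), not match() or a '$' anchor: match() only anchors the
    # start, and '$' still accepts a trailing newline.
    if CODE_TYPES[spec.code_type].fullmatch(value) is None:
        raise ParameterError([f"{spec.name}: not of code type {spec.code_type}"])
    return value


def check_request(params: Mapping[str, object],
                  specs: List[ParamSpec]) -> Dict[str, str]:
    """Apply every spec to a request and return the checked parameters.

    Fails closed: an unknown, missing or malformed parameter rejects the
    whole request before any business logic sees it, instead of processing
    the good fields and quietly dropping the bad ones.
    """
    expected = {s.name: s for s in specs}
    problems: List[str] = []
    # Restrict the request to the intended parameter set.
    for extra in sorted(set(params) - set(expected)):
        problems.append(f"{extra}: unexpected parameter")
    checked: Dict[str, str] = {}
    for name, spec in expected.items():
        if name not in params:
            problems.append(f"{name}: missing")
            continue
        try:
            checked[name] = check_param(params[name], spec)
        except ParameterError as e:
            problems.extend(e.problems)
    if problems:
        raise ParameterError(problems)
    return checked


# Constructed sample: the parameters of a hypothetical funds-transfer request.
TRANSFER_SPECS = [
    ParamSpec("account", max_len=12, code_type="digits", min_len=8),
    ParamSpec("amount_cents", max_len=9, code_type="digits"),
    ParamSpec("memo", max_len=40, code_type="alnum-space"),
]


def validate_transfer(params: Mapping[str, object]) -> Dict[str, str]:
    """The single entry point into the transfer logic; nothing bypasses it."""
    return check_request(params, TRANSFER_SPECS)


if __name__ == "__main__":
    good = {"account": "123456789012", "amount_cents": "2500", "memo": "rent March"}
    print("accepted:", validate_transfer(good))
    for bad in (
        {"account": "12345678901234", "amount_cents": "2500", "memo": "x"},  # too long
        {"account": "123456789012", "amount_cents": "25.00", "memo": "x"},   # wrong code type
        {"account": "123456789012", "amount_cents": "2500", "memo": "x\n"},  # control char
        {"account": "123456789012", "amount_cents": "2500"},                 # missing field
        {"account": "123456789012", "amount_cents": "2500", "memo": "x", "admin": "1"},
    ):
        try:
            validate_transfer(bad)
        except ParameterError as e:
            print("rejected:", e)
```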
</span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span style="font-family: helvetica; font-size: large;"><br /></span></p><p style="font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant-alternates: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><br /></p></div>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-6923188436982569072023-05-15T12:04:00.008-07:002023-07-10T11:47:24.957-07:00Cyber Resilience<p class="p1" style="-webkit-text-size-adjust: auto; font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><a href="https://tinyurl.com/yc6s5sdt"><span style="font-family: helvetica; font-size: medium;"><b>https://tinyurl.com/yc6s5sdt</b></span></a></p><p class="p2" style="-webkit-text-size-adjust: auto; font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-size: 17px; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; 
font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px; min-height: 22px;"><span class="s1" style="font-family: UICTFontTextStyleBody;"></span><br /></p><p class="p1" style="-webkit-text-size-adjust: auto; font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-size: 17px; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody;">Mr. Basu's observations are at odds with mine. If enterprise were more focused on prevention than, for example, on insurance, we would not have the successful extortion industry that we see today. <br /><br />In the early days of IT we called the security measure of last resort "backup and recovery." It focused primarily on human error and disasters, limited to a data center or an enterprise. As the technology matured and we became increasingly dependent on IT, we called it "business continuity." It focused on running the business in the face of both natural and man-made risks. <br /><br />Today, when our entire infrastructure is dependent upon vulnerable, not to say fragile, interconnected systems of energy, communication, and finance, we call it "resilience." It focuses on "Black Sky" events. The risk is to "national security," not to say survival. 
<span class="Apple-converted-space"> </span><br /><br /></span></p><p><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;">While I grant Mr. Basu the importance of resilience, I suggest that the most efficient way to achieve it is by prevention, by dramatically improving the quality and robustness of our systems.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;">We need to increase their resistance to both natural events and malicious attacks by a decimal order of magnitude.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;">Fortunately for us, doing so, both individually and collectively, is efficient. </span></p><p><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;">We know what to do:</span></p><p></p><ul style="text-align: left;"><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Strong Authentication</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Least Privilege Access Control</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Process-to-Process Isolation, logging, and authentication</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Structured Network</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Application Layer End-to-End Encryption</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Privileged Access Management</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Redundancy</span></li><li><span style="font-family: UICTFontTextStyleBody; 
font-size: 17px;">Data, Application, System, Network, and Enterprise Persistence, Continuity, and Recovery</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Law Enforcement</span></li><li><span style="font-family: UICTFontTextStyleBody; font-size: 17px;">Other</span></li></ul><span style="font-family: UICTFontTextStyleBody;"><span style="font-size: 17px;">We lack the vision, the intention, and the will.</span></span><p></p><p><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;"> </span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 17px;"> </span></p><p> </p><p><br /></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-962126143374311872023-04-04T11:20:00.000-07:002023-04-04T11:20:03.049-07:00Digital Credentials<span style="font-family: helvetica;">The Organization for Economic Co-operation and Development (OECD) is seeking feedback on a recently published draft of guidelines for digital credentials. The guidelines are intended to make digital credentials widely acceptable and accepted, even across national borders, for example a digital passport. </span><a href="https://www.nfcw.com/2023/03/28/382786/oecd-seeks-feedback-on-digital-identity-recommendations/">https://www.nfcw.com/2023/03/28/382786/oecd-seeks-feedback-on-digital-identity-recommendations/</a><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Let me start by noting that this is not a proposal for a single or national credential. I have always feared such a credential because it could be used by an authoritarian regime to control, or even restrict, rights to, for example, work, travel, healthcare, education, or food, clothing, and shelter. 
Rather, I have always preferred a pluralistic system with multiple issuing authorities, granting different, if limited, privileges and employing different criteria for the granting of the credential. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">In today's world, if one wants to recognize and authenticate a stranger, one might well use a driver's license, issued by the state in which the person resides and including an image, date of birth, and a name and address, and a credit card issued by a bank. Two credentials issued by different authorities in the same name. Similarly, one might use a driver's license and a passport. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">For example, in my Apple digital wallet I have ten different credentials issued by ten different authorities. Most are merely digital copies of physical credentials. All of these can be identified visually, though some relevant information may be hidden for reasons of security and privacy. For example, on debit and credit cards, part of the Primary Account Number (PAN) may be hidden. Most can be read digitally by means of NFC and/or QR tags. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">At the time of this writing, residents of three states can include their driver's license in their Apple Wallet. Three more states issue their own electronic licenses. Note that a policeman presented with an electronic license will be able to automatically verify it, check its currency, and check for any outstanding "wants or warrants," in real time. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">In a different "wallet app" I have nine digital images, front and back, of card credentials only one of which is also in my Apple Wallet. 
These credentials can only be read visually but nothing is hidden. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">In a folder in DropBox I have digital images of twenty credential documents issued to me by various authorities beginning with my birth certificate, and including my social security card, my high school diploma, my college degree, my record of military service, and my passport. While any one of these might be a forgery or fraudulently obtained, collectively they reliably document everything significant about my identity. Of course, the only identifying information that all these documents share in common is my name.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">These documents are recorded in the Portable Document Format, that is as PDFs. A PDF file, I.S.O. Standard 32000, preserves text, fonts, format, vector graphics, raster images, color, and even discoloration, all properties of the original useful in authenticating the copy and resisting forgery. Even the Internal Revenue Service (IRS) accepts PDFs as authentic. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Which brings up the issue of a unique identifier. A few of us enjoy a unique name, one that we share with no one else, but most of us share even our full name with others. This is the problem which the Social Security Number solved. Modern information technology does not need it to uniquely identify us but it remains useful as a tie breaker when other identifiers result in a collision. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">What and how much information does it take to uniquely identify us? First, our name, place of birth, and date of birth uniquely identify us. 
No one else born on your birthday in the same place as you were was given the same name as you. Similarly, name and address are unique; no one else with your full name lives where you do. While there were a few errors of assignment in the early days, the ten digits of the SSN are sufficient, not only to give one to each of us but also to include a little information about where it was assigned. Though collisions are possible, it is likely that there is no one else living in your postal code with the same birth date as you. Similarly the last four digits of your SSN will distinguish you from all those others that might share your name. <span></span></span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Now if you clicked on the link at the start of this post, you know the properties of electronic credentials that the OECD thinks are valuable. I have a different list. By definition they are for paperless credentials. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">One starts with wanting the credentials to be readable, first visually but also electronically. Visually because that is how we have always reconciled credentials and electronically for convenience in exchange with those who wish to rely on or verify the credential. Most mobile computers, i.e., phones, can read a QR tag. A tag might contain the unique number of the credential, for example a license number or account number, or it might contain a link (URL) to a copy of the credential. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">One would want the credential to be portable across wallets or devices. This might be by means of purpose built apps or by more general and flexible capabilities such as URLs, SMS or e-mail. 
Many digital objects have a "share" button to make portability both convenient and flexible. One might want a copy on paper, a desktop or laptop, a digital wallet, "wearables" like watches or rings, or in the cloud. Similarly, one would like the credential to be authentic and easily verified. Note that one accepting a digital credential may be interested in both its currency and its authenticity; online real-time access to the issuer's database will always be useful and in some applications necessary. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">We are very close. Form, use, and acceptance are becoming routine. I have paid for dinner with my American Express Card by clicking on a QR tag on the check. I have also paid with the image of my card in the wallet on my iPhone, giving the iPhone to the waiter just as I would have given the physical card. The image of the card was accepted without question or comment. Similarly, I voted using the image of my driver's license, again accepted without question or comment. I recently boarded a train using an electronic ticket. The ticket included a QR tag to be read by the conductor's mobile. It demonstrated that I had a reservation and had paid for a particular seat on a specific train. While I might have printed out a paper copy, and some travelers were using one, the conductor checked all using the QR tag, paper or digital. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">The key to all of this is reliable, routine, convenient, and universal acceptance. Note that in the example scenarios above, one might have been embarrassed if the digital credential had not been accepted. 
We need maturity and standards, to include those that we already have like PDF, QR, NFC, and SMS, as well as those proposed by the OECD.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Finally, a word about privacy and security. Trust and acceptance will rely at least in part upon those mechanisms that resist both forgery and misuse as well as those that resist application fraud. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">While the PDF standard preserves many of the properties that resisted forgery in the traditional credentials, it does not preserve them all. For example, it does not preserve texture and materials such as we use to resist counterfeit currency. On the other hand, digital implementations give us the ability to use cryptographic mechanisms such as hashes and digital signatures. We already have experience using these mechanisms in such applications as code signing and digital currency. While we have so far not seen instances of forgery in these early applications, we know how to address them should the properties preserved by the PDF standard prove inadequate. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">We will resist misuse by controlling access to the credentials using secure digital wallets, strong authentication, and biometrics. To misuse the copies of my American Express one must first possess the copies and meet any conditions for their use such as biometrics or PINs implemented in the device in which they are stored, e.g., mobile phone or cloud storage. We can also lock the credential to the device so as to resist "screen scraping." 
</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Finally, trust in credentials, digital or otherwise, will depend in part upon the issuing authority, representations made by the authority, and the rigor with which the authority issues the credential. Having already told you more about this subject than you likely wanted to know and more than I intended when I began to write, I will defer that discussion to a later post.</span></div>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-3399924931728994222023-03-01T11:29:00.000-08:002023-03-01T11:29:28.587-08:00Check Fraud? <p><span style="font-family: helvetica;"> I recently saw a great video <a href="https://www.bankinfosecurity.com/how-to-fight-check-fraud-look-beyond-technology-a-21299?rf=2023-02-27_ENEWS_SUB_BIS__Slot1_ART21299&mkt_tok=MDUxLVpYSS0yMzcAAAGKMqJfI2i87GCnqQPTeoRoYMCf1EEHC1AJ4qh708AIYOhT0Q8JFA_5fWC2pELiMEUqWwUPXl7I0l13QQJQKJapHyHw3oF_eWabtx5ta8nuZ8aR4A">https://www.bankinfosecurity.com/how-to-fight-check-fraud-look-beyond-technology-a-21299?rf=2023-02-27_ENEWS_SUB_BIS__Slot1_ART21299&mkt_tok=MDUxLVpYSS0yMzcAAAGKMqJfI2i87GCnqQPTeoRoYMCf1EEHC1AJ4qh708AIYOhT0Q8JFA_5fWC2pELiMEUqWwUPXl7I0l13QQJQKJapHyHw3oF_eWabtx5ta8nuZ8aR4A</a> by Karen Boyer, Sr. VP of M&T Bank on how to fight check fraud, a topic that I recently addressed. However, the problem that she addressed was not so much "check fraud" as frauds involving checks. </span> </p><p><span face="Roboto, sans-serif" style="caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: helvetica; font-size: 15px;">I see two different problems here, and faster reversibility is not addressing either. First is stolen legitimate checks deposited to fraudulent accounts. This is a classic "know your customer" problem. This problem is aggravated by the banks' desire for new accounts and initial deposits. 
One can set up an account, deposit a stolen check to it, and transfer or withdraw the funds, all without ever having gotten close to a bank officer or even a human, non-automated, decision.</span></p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px 0px 15px; padding: 0px;">The second is alteration, amount or payee, of an otherwise legitimate check before deposit to a fraudulent account. "Know your customer," positive pay, and online banking all apply here. (I no longer have to wait for a statement in the mail to recognize fraudulent activity to my account, as I did seventy years ago when I first began to write checks. I can see it daily.)</p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px; padding: 0px;">All that said, these powerful controls no longer appear to be sufficient. The demand deposit system used to have, and relied upon, controls to ensure that banks only did business with people and institutions from whom they knew they could recover. In the name of popular banking and fast availability of funds, many of those controls have been watered down. </p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px; padding: 0px;"><br /></p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px; padding: 0px;">Ms. Boyer cautions banks to "monitor accounts." I encourage depositors to use online banking to do the same. 
While the depositor is not responsible for fraud, someone has to recognize it, the earlier the better.</p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px; padding: 0px;"><br /></p><p style="-webkit-text-size-adjust: 100%; border: 0px; box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: Roboto, sans-serif; font-size: 15px; line-height: 21px; margin: 0px; padding: 0px;">When I think up a solution, I will get back to you.</p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-12189379860493621572023-03-01T10:45:00.000-08:002023-03-01T10:45:39.556-08:00Apologia<p> <span style="font-family: helvetica;">As of March 15, 2023 I will no longer be associated with InfraGard. The FBI has set conditions for continued association that I am not willing to meet. It behooves me to explain my position. </span></p><p><span style="font-family: helvetica;">The InfraGard web site was recently compromised. The FBI has been less than forthcoming about the compromise but they have admitted that personal data of their constituents, including e-mail addresses and employment, have been compromised. They have not offered any compensation or remedies to said constituents.</span></p><p><span style="font-family: helvetica;">As a matter of policy I do not do business with management in which I have lost confidence. Specifically I do not continue to use web sites that have proven unable to protect my personal data. The FBI has made it a condition of continued InfraGard membership that members must routinely use the compromised web site and that they do so no later than March 15, 2023. 
I will not meet that condition.</span></p><p><span style="font-family: helvetica;">Moreover, the FBI requires that members provide additional personal data to the web site so that they can reverify one's identity and conduct a criminal background check. There can be only two reasons for such procedures. First, Colonel Blimp is once more covering his derriere. Second, he has lost confidence in the database, believes it to be contaminated with fraudulent entries. If they do not trust it, I certainly do not. </span></p><p><span style="font-family: helvetica;">They have announced that they intend to turn personal information over to a third party for authentication. Not only do they expect me to trust the management that has already demonstrated that they cannot protect my data, they expect me to trust an additional unnamed party, a party that is already in the data collection and exploitation business. I have no interest in improving the quality of their data. </span></p><p><span style="font-family: helvetica;">Most of you are far too young to remember the House Un-American Activities Committee and their actions. Careers were destroyed. One of the things that we learned from their proceedings was that mere friendship, association, was sufficient to create a presumption of guilt and to place the burden of proof on the accused. If the InfraGard database disclosed nothing else, it disclosed associations. (I would not want my e-mail used to query a (just for example, the NSA) database. None of us is more than six degrees of separation from a foreigner, terrorist, or criminal. The three degrees of association that the authorities will admit to might implicate hundreds of thousands.) </span></p><p><span style="font-family: helvetica;">It is clear that we, the FBI and I, no longer enjoy mutual trust. However, they expect me to reestablish my <i>bona fides</i> before they have demonstrated theirs. It was not I that failed and created this situation. 
Given the rather one-sided relationship between the FBI and their InfraGard constituency, it does not surprise me that they want the constituents to bear the cost of remediating their database.</span></p><p><span style="font-family: helvetica;">I am late into my ninth decade. My continued association with InfraGard is limited at best. Moreover, I enjoy mutual trust with a large number of colleagues, trust that preceded the founding of InfraGard. I do not expect others to follow my example but I did think it useful for me to give warning and share my reasoning. </span></p><p><span style="font-family: helvetica;"><br /></span></p><p><span style="font-family: helvetica;"><br /></span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1tag:blogger.com,1999:blog-8236182925747031461.post-50633802790767057292023-02-08T09:22:00.001-08:002023-02-18T08:50:15.638-08:00On Resisting Check Fraud<p> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">When I first began to bank in the 50s, we did not have pre-printed personal checks or account numbers.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">The only identification on a personal check was the signature.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">The operators who processed the checks identified the account from the signature.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">While this was an error-prone process, they were 
very good at it.</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;"><br />At the time, most checks were written by businesses. <span class="Apple-converted-space"> </span>We printed the checks on special paper, in multiple steps and fonts. <span class="Apple-converted-space"> </span>The amounts and signature facsimiles were often mechanically pressed into the paper rather than simply printed. <span class="Apple-converted-space"> </span>All of this was intended to make checks, particularly business checks for relatively large amounts, difficult to forge. <span class="Apple-converted-space"> </span><br /><br />Much has changed since then. <span class="Apple-converted-space"> </span>The introduction of MICR was the impetus for account numbers and pre-printed personal checks. <span class="Apple-converted-space"> </span>This not only reduced errors but also fraud. In the modern world, we use direct deposit for routine payments to those parties whose banks and account numbers are known to us. <span class="Apple-converted-space"> </span>While we still think of these as "checks," i.e., payments from demand deposit accounts, most are electronic and are never reduced to paper. <span class="Apple-converted-space"> </span>Even individuals may use "online banking," rather than writing checks, to make payments. While some of these payments may result in the preparation of a paper check, it will not contain a signature for authentication.<br /><br />Today, paper checks, when used, are often printed on plain paper in one step including the facsimile of the signature. <span class="Apple-converted-space"> </span>The bank does not rely on the paper to know that the transaction is authorized but on an out of band confirmation known as "positive pay." 
<span class="Apple-converted-space"> </span>In this system, the check is sent to the payee and a message noting the amount and check number is sent to the bank on which it is drawn. <span class="Apple-converted-space"> </span>When the check is presented to the bank for collection, it must reconcile to the message. <span class="Apple-converted-space"> </span>Actually, the paper is never presented to the paying bank but is converted to an electronic facsimile by the bank of first deposit. <span class="Apple-converted-space"> </span><br /><br /> In the seventy years since I wrote my first check, I have only had one transaction turn on the authenticity of the signature. <span class="Apple-converted-space"> </span>This was last year on the pre-printed check to pay my real estate tax. <span class="Apple-converted-space"> </span>Admittedly, it really was a bad example of my signature. <span class="Apple-converted-space"> </span>I was impressed that someone was watching and checking. <span class="Apple-converted-space"> </span><br /><br />Reconciling signatures must be a very scarce skill these days. <span class="Apple-converted-space"> </span>That said, in addition to knowing their customers, banks are responsible for ensuring that transactions, e.g., checks, are properly authorized. <span class="Apple-converted-space"> </span>For business accounts, we now use "positive pay;" we do not rely on anything on the paper. <span class="Apple-converted-space"> </span>However, for individuals we take the risk, rely on the signature, return any questionable items, i.e., reversibility, or confirm out of band. <span class="Apple-converted-space"> </span>All of these involve cost. 
Therefore, we use them in combination to minimize cost and risk.</span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-52311864634359460232023-02-02T10:28:00.002-08:002023-02-06T08:16:33.291-08:00On Over Classification<p class="p1" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">In the US government, we have a pervasive problem of over-classification. </span><a href="https://www.cnn.com/videos/tv/2023/01/27/exp-gps-0129-fareeds-take-us-classification-system.cnn">https://www.cnn.com/videos/tv/2023/01/27/exp-gps-0129-fareeds-take-us-classification-system.cnn</a> <span style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">This results from a number of factors. </span> <span style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">First, almost any author or officer can Classify data, that is, specify, among other things, how much is to be spent to protect the data. </span> <span style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">Said another way, he specifies how much others must spend to protect the data but may not incur the cost of protection himself. </span></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 25px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;"></span><br /></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">Second, the authority to classify does not include the authority to change the classification. 
<span class="Apple-converted-space"> </span>Once the data has been labeled, often with a rubber stamp, it is too late to change it. <span class="Apple-converted-space"> </span>The implicit assumption is that the decision, once made, is irrevocable. <span class="Apple-converted-space"> </span>The decision is reviewable, even by a higher authority, but following a procedure specified for the class. </span></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 25px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;"> </span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">Third, and as already noted, the classification includes a specification about the procedure that must be followed to lower the classification. <span class="Apple-converted-space"> The higher the classification, the more rigorous and expensive the process.</span> <span class="Apple-converted-space"> Since the cost of declassifying may be equal to or even greater than the cost of declassifying, declassifying is rare. </span></span></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 25px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;"></span><br /></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 19.3px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleBody; font-size: 19.34px;">In enterprise things are a little different. <span class="Apple-converted-space"> </span>The authority to classify includes the authority to re-classify or declassify. 
<span class="Apple-converted-space"> </span>The classifier's authority comes from his role; it is not arbitrary. <span class="Apple-converted-space"> </span>Classification is normally limited in time. <span class="Apple-converted-space"> </span>Because sensitivity decreases with age, since we are normally protecting plans and rarely sources, by default classification ends automatically, usually in no more than three years, unless renewed. </span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1tag:blogger.com,1999:blog-8236182925747031461.post-83011629223164617022023-02-02T10:07:00.001-08:002023-02-02T10:41:09.953-08:00On "Sensitive but unclassified."<p> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;">In government "Classified," with a capital C, is a term of art.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;">It refers to data which the classifier believes requires some level of protection, rather than to the decision about the data.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;">This results in this strange expression.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;">To say that something is "sensitive but unclassified" is to classify it in the sense of the literal English meaning of the word but not in the meaning of the term of art.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;"> </span> <span 
style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 19.34px;">It is an attempt to get around the fact that the government has coopted the word Classified for its own use.</span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-43815377425512043662023-01-22T08:12:00.000-08:002023-01-22T08:12:57.090-08:00Can anybody tell me?<p> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Was there a written contingency plan for the failure of the NOTAM application?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Did it really say "shut down the industry?"</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Had that plan been shared with the owners and users of the system?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Did they concur in it?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Obviously the flying public did not know.</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">What other remedies were considered and rejected in arriving at this plan?</span><span 
style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Did the plan contain an estimate or an assumption as to the failure rate of the system?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Did the plan enumerate the failure modes?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Was operator error one of the enumerated modes or was it simply accounted for under "other"?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span> <span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;">Can anybody tell me?</span><span style="-webkit-text-size-adjust: auto; font-family: UICTFontTextStyleBody; font-size: 18.4px;"> </span></p><p class="p3" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 23.8px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;"></span><br /></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;">Can anybody tell me how much the shutdown cost? 
<span class="Apple-converted-space"> </span>How does that cost relate to the cost of the system?</span></p><p class="p3" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 23.8px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;"></span><br /></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;">One report suggested that there are roughly 30,000 records in the system but that perhaps as many as 5,000 are no longer current. <span class="Apple-converted-space"> </span>Can anybody tell me how many changes are made to this database in a day? <span class="Apple-converted-space"> </span>How many changes occurred during the shutdown? </span></p><p class="p3" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 23.8px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;"></span><br /></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;">Another report suggested that the flight plan for an international flight might contain as many as 100 pages of NOTAMs. <span class="Apple-converted-space"> </span>Can anyone tell me what the signal to noise ratio is in the database? 
</span></p><p class="p3" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 23.8px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;"></span><br /></p><p class="p2" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-family: UICTFontTextStyleBody; font-size: 18.4px;">Please tell me that there was a plan and that it worked as intended rather than that this was a massive failure of management and governance. <span class="Apple-converted-space"> </span>Can anyone help me here? <span class="Apple-converted-space"> </span>These questions seem to deserve, not to say demand, an answer. </span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-42684839058406114462022-12-16T13:07:00.002-08:002023-05-01T08:11:27.505-07:00Passkeys<p class="p1" style="-webkit-text-size-adjust: auto; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">By now you have probably heard about the "death of passwords," or at least alternatives to them. Passkeys are one such alternative. Apple, Google, and Microsoft </span><span style="font-size: medium;"> </span><span style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">are rolling them out. </span><a href="https://tinyurl.com/PasskeySupporters">https://tinyurl.com/PasskeySupporters</a> <span style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">They are intended for use in remote login to web-based applications. (While apps can use passkeys, many are already passwordless.) 
PayPal, Kayak, Best Buy, eBay, GoDaddy, and Google are among those that are offering Passkeys as a preferred alternative means of user authentication.</span><span style="font-family: inherit;"><span style="font-size: 18.4px;"> </span></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">Passkeys resist the security problems with passwords. They eliminate both the requirement to choose a password and the forgotten-password problem. They resist brute-force and replay attacks. Social engineering (e.g., so-called "phishing") attacks no longer work. While the user may still be duped into logging on, the process that it uses does not leak reusable information. </span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">(However, Passkeys may still leave one vulnerable to session-stealing (MitM) attacks. This is a limitation that they share with most remote authentication methods. Note that, unlike the reuse of passwords, MitM attacks do not include the ability to initiate sessions, only to take over sessions initiated by the legitimate user. 
They also require the ability, usually by duping the user, to insert a process between the user and his target application.)</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;">Passkeys are an application of asymmetric key cryptography. The private key is stored on a user-side device and is used to sign a challenge (a random value sent from the application side). Every time one chooses to sign on to an app or a web application with a passkey, one must authenticate to the device by biometric or PIN. 
</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-family: UICTFontTextStyleEmphasizedBody; font-size: 18.4px;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;">Most often, and at least in the short run, apps that implement Passkeys will leave their use at the option of the user. It will be offered as an option, either at enrollment time or when signing on. If one accesses an account from multiple devices, one may create a passkey for the account on multiple devices. Apple plans to store keys in the cloud, as it does now with passwords, so that one key can be used across multiple Apple devices sharing access to one Apple account. </span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;">When attempting to log on to an account that expects a passkey from a device that does not already have access to a key, one may be offered a QR code to sync to a device that does have access to a (or the) key. Both the security and the convenience are maintained. 
</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;">Indeed security and convenience are what Passkeys are about. They make it easier to do the right thing than the wrong thing. Smart enterprise applications will offer them as an option and smart users will choose them. Some enterprises will mandate them. They offer us one more opportunity to increase the cost of attack against our networks, systems, applications, and data while improving convenience. </span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;"><br /></span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><span style="font-family: UICTFontTextStyleEmphasizedBody;">What are your questions?</span></p><p class="p1" style="-webkit-text-size-adjust: auto; font-size: 18.4px; font-stretch: normal; line-height: normal; margin: 0px;"><br /></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1tag:blogger.com,1999:blog-8236182925747031461.post-10037089226375042922022-02-25T13:07:00.001-08:002022-03-07T06:47:42.009-08:00Software Supply Chain<p><span style="font-family: helvetica;">Microsoft has published a paper on </span><span face=""Segoe UI", SegoeUI, "Helvetica Neue", Helvetica, Arial, sans-serif" style="-webkit-text-size-adjust: 100%; caret-color: rgb(23, 23, 23); color: #171717; font-size: small;"><b>Best Practices for a Secure Software Supply Chain</b>. 
</span><a href="https://docs.microsoft.com/en-us/nuget/concepts/security-best-practices">https://docs.microsoft.com/en-us/nuget/concepts/security-best-practices</a></p><p><span style="font-family: helvetica;">You should not be surprised that it says <i>Caveat Emptor. </i>It is all about how the buyer of software must manage the risk of any corruption in the supply chain. It is silent on the supplier's, e.g., Microsoft's, responsibility. It simply assumes that some supplier in your supply chain will ship you corrupt code, essentially with no accountability.</span></p><p><span style="font-family: helvetica;">The issue first gained notice when a supplier, SolarWinds, having failed to manage the content of its product, shipped malicious code to all of its customers. Its response, like that of Microsoft, was "Y'all be ca'ful, heah." </span></p><p><span style="font-family: helvetica;">Suppliers must be held accountable for all the code that they ship. We have become so accustomed to poor-quality code, and the huge cost of "patching" that comes with it, that this idea seems somehow foreign. However, this issue is about code content, not quality. </span></p><p><span style="font-family: helvetica;">I do not propose to so reform the market that suppliers would be held accountable for implementation-induced vulnerabilities in their code, for its suitability for its intended use, for its merchantability. I only want them to be held accountable for malicious code, whatever its source, that they ship. Managing the content of one's product, where it came from, may be related to, but is simpler than, ensuring that it is free of dangerous errors. </span></p><p><span style="font-family: helvetica;">I recently asked a colleague, a famous attorney, partner in a prestigious Washington law firm, why he thought that SolarWinds had not been sued for its gross negligence. His answer was that the injured parties were enterprises, that they did not see themselves in the role of plaintiff. 
</span></p><p><span style="font-family: helvetica;">So-called "software engineers" must be held accountable to the same standards that we hold all other "engineers." Suppliers in the software supply chain must be held to the same standards as we hold other suppliers. Software should not be synonymous with dangerous. </span></p><p><span style="font-family: helvetica;"><br /></span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-85025373631530126492022-01-31T11:44:00.000-08:002022-01-31T11:44:33.739-08:00Cost of Attack<p><span style="font-family: helvetica;">For about a year now I have been arguing that we need to raise the cost of attack against our systems. This is best justified by observing the rate of successful extortion attacks against our systems. Few seem to be adequately resistant to such attacks. </span></p><p><span style="font-family: helvetica;">However, I am also mindful of the admonition of William Thomson, the First Baron Kelvin, who told us that if one cannot measure it, one cannot recognize its presence or its absence. So, if one is to advocate for increasing it, one should be able to talk about how to measure it. I use the mnemonic <b>W.A.I.S.T. </b> The letters stand for work, access, indifference to detection, special knowledge, and time to detection and mitigation. </span></p><p><span style="font-family: helvetica;"><br /></span></p><p><span style="font-family: helvetica;">The first letter stands for <b>WORK</b>. The cost of attack will almost always include some effort on the part of the attacker, though, of course, some of this may be automated. Take, for example, a brute-force attack against a password or a cryptographic key. The cost is that of a trial multiplied by the number of necessary trials. The number of trials required is a function of the number of bits, digits, or characters in the password or key. 
One can increase the cost to the attacker by increasing the number of bits in the password. (One can also reduce the value of success by changing the password or key after one use.)</span></p><p><span style="font-family: helvetica;">For example, the cost of attack against the Data Encryption Standard was defined as the cost of an exhaustive attack against the key. While prohibitively high at the time of the publication of the standard, it was falling in proportion to Moore's Law, as was the cost of encryption. Thus the DES implementers proposed Triple DES, which raised the cost of attack by 2^56, is standardized for use until 2030, and will still be useful for some applications far beyond that. </span></p><p><span style="font-family: helvetica;">Note that the work of one person may be encapsulated in tools and procedures. The cost of attack has been decreased, made more efficient, by attacker specialization and commerce. One rogue may specialize in capturing credit card numbers while another may buy the numbers to monetize them in fraud. </span></p><p><b style="font-family: helvetica;">ACCESS</b><span style="font-family: helvetica;"> is the second element of cost. The attacker must have some kind of access to the target system. Today that may be a network connection, but in the early days it meant physical access. At a minimum, an attacker must be able to send a message to the target system and observe its effect. One can raise his cost by the use of physical isolation, "air gaps," gateways, firewalls, strong authentication, or encryption. Note that strong authentication greatly increases the cost to the attacker while the ubiquitous mobile has been reducing its cost to the defender. </span></p><p><b style="font-family: helvetica;">INDIFFERENCE</b><span style="font-family: helvetica;"> to detection is a little more subtle, but so-called "ransomware" illustrates it well. 
Today's attacker believes that there is a low probability that he will be reported, investigated, identified, or punished for his attack. We can increase his cost by increased monitoring, surveillance, and law enforcement.</span></p><p><span style="font-family: helvetica;"><b>SPECIAL KNOWLEDGE</b> is often key. It includes things such as user credentials, how applications work, such skills as programming, knowledge of the victim's network architecture, and others. Interestingly enough, while it is often the most important thing that the perpetrator brings to the attack, it may be the one the attacker least appreciates. One will often hear hackers talk about the low cost of an attack, completely discounting the special knowledge and skill, often acquired over years, that they bring. The attack looks cheap to them but would require much more of the other elements in the hands of another.</span></p><p style="text-align: left;"><span style="font-family: helvetica;">The defender may increase the cost of the special knowledge of the attacker by better operational security, so-called OPSEC: choosing, identifying, changing, and protecting mission-critical information</span><span style="font-family: helvetica;">. We resist the acquisition of special knowledge about our systems, applications, and data by operating in a manner designed to resist the leakage of information about them that might be useful to an adversary. These measures may include using code words and changing key information. Think TORCH, ULTRA, and MAGIC from WWII. Think camouflage and disinformation. Think product, application, and server names; better to call them "apple" and "orange" than "next generation product," "payroll," and "payables." Think "tradecraft." </span></p><p><span style="font-family: helvetica;">Finally, there is </span><b style="font-family: helvetica;">TIME</b><span style="font-family: helvetica;"> to detection and mitigation. 
While some breaches can succeed in hours to days, others may require weeks to months. Again, ransomware attacks are of special interest. The time from attack initiation to successful compromise of the victim's entire network has been shrinking from weeks to days, in part because of the attackers' tools, skills, knowledge, and improved efficiency. The defender can reduce the time available to the attacker by improved surveillance, detection, and threat intelligence. </span></p><p><span style="font-family: helvetica;">Perhaps the most efficient way to reduce the time to detection and mitigation is <a href="https://whmurray.blogspot.com/search?q=out+of+band+confirmation">out-of-band confirmation</a> of all sensitive activity. Kenneth Chenault, then chairman and CEO of American Express, told the President of the United States that by confirming credit card charges using instant messaging, AmEx was often able to detect fraudulent transactions within sixty seconds. </span></p><p><span style="font-family: helvetica;">Note that these elements are fungible; an excess of any one, especially special knowledge, may decrease the need for the others. If the attacker already has knowledge of a vulnerability, credentials, or applications, then the amount of work or time to detection required may be considerably less. Increasing the cost of any one increases the total cost. Because the elements compound, increasing them all proportionally may increase that cost exponentially. </span></p><p><span style="font-family: helvetica;">Three cautions:</span></p><p></p><ul style="text-align: left;"><li><span style="font-family: helvetica;">"An ounce of prevention is worth a pound of cure."</span></li><li><span style="font-family: helvetica;">"Never spend more mitigating a risk than tolerating it will cost you." --Robert H. 
Courtney, Jr.</span></li><li><span style="font-family: helvetica;">At least collectively and over time, even criminals are rational; they will not pay more in the cost of attack than they can expect in the value of success.</span></li></ul><span style="font-family: helvetica;">Raising the cost of attack is efficient; the cost of attack goes up faster than the cost of the measures to achieve it. While there is an upper limit, we are nowhere close to it. The value of success has been going up very fast and the cost of attack has not risen proportionately. The situation is now urgent and we have some catching up to do. </span><p></p><p><span style="font-family: helvetica;"><br /></span></p><p><span style="font-family: helvetica;"><br /></span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-6335894220568757822022-01-12T11:56:00.005-08:002022-01-12T11:56:52.255-08:002021 The Cybersecurity Disaster Year<p> <span style="font-family: helvetica;">2021 has proved to be a disaster year for Cybersecurity. </span><span style="font-family: helvetica;">Events have demonstrated just how porous our cyber infrastructure is. </span><span style="font-family: helvetica;">Perhaps for the first year in history, compromises have grown faster than the increase in use, uses, and users might have suggested. </span></p><p><span style="font-family: helvetica;"><span style="-webkit-text-size-adjust: auto; background-color: white; caret-color: rgb(68, 68, 68); color: #444444; font-family: "Helvetica Neue", Arial, Helvetica, Geneva, sans-serif; font-size: 16px;">CISA, the FBI and the NSA have warned in a joint advisory that Russian threat actors are actively exploiting and seeking to cause disruption to IT and OT networks, especially around critical infrastructure. 
The advisory outlines technical details of at least 18 vulnerabilities and malware attacks.</span></span></p><p><span style="font-family: helvetica;">It may well have been worse than we know. </span><span style="font-family: helvetica;">We know that many, not to say most, of our systems were vulnerable, either to a corrupted supply chain (e.g., SolarWinds) or to vulnerable open-source software (e.g., log4j), at least for the time it took us to appreciate and mitigate the exposures. Few of us can be sure that that window of opportunity was not used to covertly install backdoors into our networks for later exploitation. It is at least possible, not to say likely, that hostile forces took the opportunity to stockpile compromises that they did not immediately have the motive or resources to exploit. </span></p><p><span style="font-family: helvetica;">It seems unlikely that our adversaries, particularly nation states, missed the opportunity presented to them by these exposures. SolarWinds was a planned and well-resourced attack. While we can identify and remove the SolarWinds code, it is near impossible to know about, identify, or remove covert backdoors installed using it. </span></p><p><span style="font-family: helvetica;">How can we mitigate the risk that such covert backdoors represent?</span></p><p><span style="font-family: helvetica;">First, we must implement process-to-process isolation. We can no longer operate a flat enterprise network. We must structure the network so as to isolate high-risk applications, such as user-owned devices, browsers, and e-mail, from sensitive data and services. We can do this in part by physical structure in the network, and in part by end-to-end application-layer cryptography.</span></p><p><span style="font-family: helvetica;">We must implement strong process-to-process authentication ("zero trust") not just horizontally, that is, system to system, but also vertically, up and down the stack. 
For example, the application must authenticate the database manager and the database manager must authenticate the application processes that use it. It is urgent that we isolate covert compromises, backdoors, and vulnerabilities before they are exploited, so that they do not put the entire enterprise at risk. </span></p><p><span style="font-family: helvetica;">Second, we must implement a policy of "least privilege." While such a policy involves somewhat more administrative burden than the all-too-common <i>laissez faire </i>policy, security does not need to be free to be efficient. It must only be cheaper than tolerating the risk. If the covert backdoor has no privileges, it can do no harm. </span></p><p><span style="font-family: helvetica;">Third, we must demand that software come with a digital bill of materials (a software bill of materials, or SBOM). When a vulnerability is found in widely used software, we must be able to quickly determine whether, and where, we have instances of that vulnerable software installed. We should not have to beat the bad guys at scanning for the vulnerability.</span></p><p><span style="font-family: helvetica;">Fourth, we must hold developers and suppliers of products that include software responsible for the content of that software, if not for its quality, at least for any malicious code which they ship. While we may tolerate poor-quality software and the now expensive patching regime forced on us by that poor quality, that is not the same as tolerating malicious code which the supplier did not even write. </span></p><p><span style="font-family: helvetica;">I am tempted to go on but I want you to focus on the first and second. </span><span style="font-family: helvetica;">These are policies that are specifically implicated by the risk that our networks are already compromised but they are not limited to that risk. They are efficient because they address the entire range of cyber risks. 
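</span></p><p><span style="font-family: helvetica;">The third point above, answering "do we have the vulnerable component, and where?" from a bill of materials, as an added example (this code is not part of the original post). It walks a CycloneDX-style SBOM constructed inline for a hypothetical application, matches each component's package URL against a constructed advisory table, and reports anything it cannot decide mechanically for review rather than passing it silently. The version range in the advisory table is illustrative only, not a real advisory.</span></p>

```python
"""Locating vulnerable components from a software bill of materials.

Added example; not part of the original post. The SBOM and the advisory
table are constructed for illustration; the version range is not a real
advisory. Components whose versions cannot be parsed are reported for
manual review rather than silently passed.
"""
import json
from typing import Iterator, Optional, Tuple

# Constructed SBOM for a hypothetical application; nested components are allowed.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "payroll-web", "version": "3.2.0"}},
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"name": "reporting-lib", "version": "1.0.0",
     "purl": "pkg:maven/com.example/reporting-lib@1.0.0",
     "components": [
       {"name": "log4j-core", "version": "2.17.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]},
    {"name": "log4j-core", "version": "2.15.0-rc1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0-rc1"}
  ]
}
"""

# Constructed advisory table keyed by version-less purl; "fixed" is exclusive.
# The range is illustrative only; consult the real advisory for real ranges.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"advisory": "CONSTRUCTED-EXAMPLE", "introduced": "2.0", "fixed": "2.17.1"},
    ],
}

Version = Tuple[int, ...]


def load_sbom() -> dict:
    return json.loads(SBOM_JSON)


def parse_version(text: str) -> Optional[Version]:
    """'2.17.1' -> (2, 17, 1). Pre-releases and build tags return None so the
    caller can flag them instead of guessing how they order."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (purl without version, qualifiers or subpath, version)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def in_range(version: Version, introduced: Version, fixed: Version) -> bool:
    """introduced <= version < fixed, padding shorter tuples with zeros."""
    width = max(len(version), len(introduced), len(fixed))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(introduced) <= pad(version) < pad(fixed)


def walk_components(node: dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], dict]]:
    """Depth-first walk yielding (path of enclosing names, component)."""
    for comp in node.get("components", []):
        yield path, comp
        yield from walk_components(comp, path + (comp.get("name", "?"),))


def scan_sbom(sbom: dict, advisories: dict) -> list:
    """One finding per component that is vulnerable or needs review."""
    root = sbom.get("metadata", {}).get("component", {}).get("name", "root")
    findings = []
    for path, comp in walk_components(sbom, (root,)):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match on; a stricter policy would flag this too
        name, version_text = split_purl(purl)
        if name not in advisories:
            continue
        version = parse_version(version_text or "")
        for adv in advisories[name]:
            lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if version is None or lo is None or hi is None:
                status = "review"      # cannot decide mechanically; a human must look
            elif in_range(version, lo, hi):
                status = "vulnerable"
            else:
                continue
            findings.append({"purl": purl, "status": status,
                             "advisory": adv["advisory"], "path": "/".join(path)})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(load_sbom(), ADVISORIES):
        print(f"{f['status']:<10} {f['purl']}  via {f['path']}")
```

<p><span style="font-family: helvetica;">Run against the constructed SBOM it reports the top-level log4j-core 2.14.1 as vulnerable and the 2.15.0-rc1 pre-release for review, while the 2.17.1 copy nested under reporting-lib and the unrelated log4j-api are left alone. The path field is what the post asks for: not just whether the component is present but where.</span></p><p><span style="font-family: helvetica;">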
</span></p><p><span style="font-family: helvetica;"><br /></span></p><p><span style="font-family: helvetica;"><br /></span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-24036005407214170222022-01-06T19:17:00.000-08:002022-01-06T19:17:42.731-08:00Customs and Border Protection Facial Recognition Program<p> <span style="font-family: helvetica;">Customs and Border Protection (CBP) compares a traveler's face to the photo on their passport to authenticate their identity and associate the traveler with the information in the passport. Historically, this comparison has been done by the CBP agent. The traveler presented his passport to the agent, who opened it to the traveler's photo and compared the traveler's face to the photo. This has been a time-consuming, somewhat cumbersome, and error-prone process. </span></p><p><span style="font-family: helvetica;">Now this process has been automated. The traveler faces a digital camera and a computer compares the traveler's face to faces in its database, the database of photos that were submitted along with applications for passports (or visas). If a match is found, the traveler has been identified. This process is more complete, faster, more convenient, uniform, and less error-prone than relying upon the capability or skill of a human agent. </span></p><p><span style="font-family: helvetica;">For travelers who have just been on a cruise, this identity check is all that is required. Having been so identified, the traveler can go straight to baggage claim. International air travelers may still be interviewed by an agent who will ask all the questions that agents have always asked, such as where the traveler has been, where they are going, and the purpose of their trip. The computer will show the agent all the information that is associated with the traveler in the database. 
</span></p><p><span style="font-family: helvetica;">Tests of this technology conducted over months suggest that the technology correctly identifies about 98% of travelers entering our shores. Any exceptions are resolved by an agent using the same methods and procedures CBP has always used. </span></p><p><span style="font-family: helvetica;">While CBP has taken steps to incorporate some privacy principles into its program, the Government Accountability Office (GAO) has criticized its notices to travelers about the technology and particularly its failure to adequately notify travelers that they may opt out of the program and enter through the archaic procedures.</span></p><p><span style="font-family: helvetica;">The American Civil Liberties Union (ACLU) is "alarmed" about the program. They fear that "DHS has already laid out - and begun implementing - a clear plan to expand face surveillance." Of course, this program is not surveillance but merely automation of an established application. The ACLU is concerned that facial recognition technology in general is "riddled with bias and inaccuracies," and "the program will likely result in harms ranging from missed flights to lengthy interrogations or worse." Here the proof is in the pudding. So far, travelers endorse the program for its speed and convenience. </span></p><p><span style="font-family: helvetica;">The ACLU also fears that facial recognition technology "threatens to supercharge DHS's abusive practices." Certainly there have been abuses at the border. I caution clients to be prepared for them. However, most have been abuses of their authority by individuals. While I have faulted DHS and CBP for their failure to caution against these abuses, I have found no evidence that they were the result of policy or programs. In my sixty years in information technology, I can recall no useful technology that has not been abused or misused. 
</span></p><p><span style="font-family: helvetica;">As a security practitioner, I have preferred facial recognition, and speaker recognition, to such mechanisms as fingerprint (recently shown to be less reliable than we have believed for a century </span><a href="https://tinyurl.com/fingerprintreliability">https://tinyurl.com/fingerprintreliability</a><span style="font-family: helvetica;">) or even the precision of DNA. Facial and speech are the only two "biometrics" that can be recognized by ordinary people, even infants, better than computers. We are wired for it. Indeed, it is only recently that computers have achieved parity with people in recognizing them. All the other biometrics have relied upon experts to interpret them for us. </span></p><p><span style="font-family: helvetica;"><br /></span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-70730252814603796022021-10-06T13:08:00.000-07:002021-10-06T13:08:28.162-07:00<p><span style="font-size: medium;"> <span style="font-family: helvetica;"><i>Bank Info Security </i>carried a report today that said:</span></span></p><blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;"><p style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; box-sizing: border-box; caret-color: rgb(51, 51, 51); color: #333333; font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0px 0px 18px;">Speaking at security firm <a href="https://summit.mandiant.com/event/322e097f-3238-480e-b3b2-0eb857f4287a/summary" style="box-sizing: border-box; color: #4693d9; text-decoration: none; transition: all 0.3s;" target="_blank">Mandiant</a>'s Cyber Defense Summit, Anne Neuberger, who serves as the deputy national security adviser for cyber and emerging technology in the Biden administration, and Gen. Paul M. Nakasone, the commander of U.S. 
Cyber Command and director of the National Security Agency, outlined today's threat landscape, highlighting the ability of malicious actors to penetrate federal and corporate networks.</p><p style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%; box-sizing: border-box; caret-color: rgb(51, 51, 51); color: #333333; font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; margin: 0px 0px 18px;">Both federal officials underscored the threat of ransomware on everyday commerce and its ability to alter and shape foreign policy. Asked to predict whether network defenders will be forced to combat ransomware five years down the road, Nakasone answered frankly, "Every day."</p></blockquote><p><span style="font-family: helvetica; font-size: medium;">The two crimes that established the reputation of the FBI were "white slavery" and "protection." The latter, of course, was extortion. We do not hear much about either any more. We should hope for the same result from law enforcement for ransomware. I will continue to hope and work for political pressure. I do not accept that government can simply wash its hands of the problem. </span></p><p><span style="font-family: helvetica; font-size: medium;">That said, even if I am right, it is not likely to happen anytime soon. It is clear that today's cybersecurity is not sufficient in the light of the rate of successful ransomware attacks. I have argued that we need to raise the cost of attack against our systems roughly tenfold. Start with strong authentication and work toward the so-called "zero trust" model in which every process restricts access to itself, protects itself from any process that can see it, and authenticates every process with which it interacts. </span></p><p><span style="font-family: helvetica; font-size: medium;">In addition, one must implement new backup and recovery strategies. 
Current strategies were based upon the assumptions that we would have to recover a small number of files from errors, device failures, or once-in-forty-years catastrophes. We now need strategies that enable us to recover entire enterprises in hours to days. At a minimum, plan to recover each essential application, not merely files, and to do it in the time appropriate for that application. For some mission-critical applications that time may be measured in minutes to hours.</span></p><p><span style="font-family: helvetica; font-size: medium;">Plan for a successful attack on third parties on which you are dependent. Consider single points of failure and plan on how to use alternate sources. </span></p><p><span style="font-family: helvetica; font-size: medium;">It is a target-rich environment and not every enterprise will be breached, but one should plan for an attack as often as every year or two. This is a "bet your business" risk and hope is not a strategy. </span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com2tag:blogger.com,1999:blog-8236182925747031461.post-43908215802956415082021-08-19T08:36:00.002-07:002022-01-04T10:17:51.579-08:00End of the Magnetic Stripe <p><span style="font-family: helvetica;">In 1956 my senior colleagues in "Advanced Product Planning" at IBM Research wrote a "blue sky" paper in which they visualized our modern token-based retail payment system. They could not foresee the personal computer, the mobile computer, or the Internet but they did get cards right. Frankly, I do not think they gave enough thought to the fraud that might come with it. 
It was to be another generation before we began to worry about "Data Security and Privacy" as we called what we now call "cyber security."</span></p><p><span style="font-family: helvetica;">While it is long overdue, there is finally a plan with a date certain for removing the magnetic stripe from credit and debit cards. </span><a href="https://www.mastercard.com/news/perspectives/2021/magnetic-stripe/" style="-webkit-text-size-adjust: auto;">https://www.mastercard.com/news/perspectives/2021/magnetic-stripe/</a> <span style="font-family: helvetica;"> I have argued for a plan with a schedule </span><a href="https://tinyurl.com/paymentindustrysecurity">https://tinyurl.com/paymentindustrysecurity</a> <span style="font-family: helvetica;">and I should not whine about how far out it is. This is a major change and those few merchants who cannot yet process EMV, much less contactless, deserve some time to catch up. However, 13 years seems a little much. </span></p><p><span style="font-family: helvetica;">As with other innovations in this space, the plan is for the US to trail the rest of the world. We were the last to get EMV and we will be last to get rid of the mag-stripe. There will continue to be a lot of fraud exploiting this fundamental vulnerability during the window in this plan, but better late than never.</span></p><p><span style="font-family: helvetica;">Perhaps there is some difficulty in getting rid of this obsolete mechanism that I do not understand. Mastercard is clearly not bringing to this effort the pressure that it brought on the industry to adopt EMV or the Payment Card Industry Data Security Standard (PCI DSS). </span></p><p><span style="font-family: helvetica;"><b>Comment</b>: </span><span style="font-family: helvetica;"> Now I feel better. 
A colleague reminded me that we do not have to rely upon the brands to eliminate the magnetic stripe; the consumer may do it for us. Cards may well have disappeared long before the end of Mastercard's unrealistic timeline for removing the mag-stripe. </span></p><p><span style="font-family: helvetica;">I am close to cardless already. I carry one card; however, I rarely have to use it; I usually pay with my watch. I use my card at my dentist and, of course, in restaurants. (In Europe they do not even need cards in restaurants. On a recent ferry trip, I asked if I could use Apple Pay. The bartender simply put his wireless point-of-sale device on the bar, just like in European restaurants.) </span></p><p><span style="font-family: helvetica;">Because of the way I carry the one card, on two recent excursions into NYC, I simply forgot it. When the waiter presented the check, instead of putting down my card, I simply put down my iPhone with an image of my card. The waiter took it away without comment and returned it without comment. I signed the credit card receipt and we were done. </span></p><p><span style="font-family: helvetica;">Most of my retail transactions are done with my watch. For e-commerce, I prefer merchants who offer PayPal, Apple Pay, or Google Pay. Many already do. More will do so as they learn that it protects them from fraud, perhaps at a higher, but efficient, transaction rate. </span></p><p><span style="font-family: helvetica;">As I think about it, it is almost too late to worry about the mag-stripe. 
The brands can do more to resist fraud by promoting check-out proxies than by eliminating the mag-stripe.</span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-87885351997052935962021-05-25T11:30:00.001-07:002021-05-25T11:30:48.220-07:00Should Paying Ransom be Illegal?<p> <span style="font-family: helvetica;"><b>Today Bank Info Security raised this question at: </b> </span>https://tinyurl.com/on-paying-ransom</p><p><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">It seems clear that, at least collectively, we are highly vulnerable to breaches and extortion. In order to take part of the profit out of such extortion we need to raise the cost of attack against our systems tenfold. Not only will that take time but it may also require additional motivation; too many enterprises are electing to accept, rather than mitigate, the risk. We know how to increase security; we lack sufficient motivation. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">It seems equally clear that paying ransom may be good for the enterprise and the perpetrators while putting the infrastructure, society, and national security at ever higher risk. We need to discourage such payments. This includes not being able to assign the risk to underwriters, as AXA has already said. Such insurance creates a "moral hazard." 
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">Historically, I have opposed "punishing the victim" as a means of encouraging better security. We managed to discourage the old "protection" rackets without resorting to that. However, something must be done; society cannot leave the acceptance of existential risk to any of thousands of enterprises. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">Consider sanctions for paying extortion that escalate over time on a steep, but announced, schedule. This could increase the motive to improve security while allowing the time necessary to do it. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">Finally, as with the protection rackets, there must be a law enforcement component to our response. 
We cannot put all of the responsibility for protecting society from this risk on the potential victims. Part of this response might include funding law enforcement out of fines imposed. Another part might include so regulating digital currency as to make it easier to "follow the money." We may decide that we cannot tolerate anonymous receipt of funds.</span></p>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-72233968516219108222021-05-14T10:06:00.000-07:002021-05-14T10:06:02.559-07:00The Biden Executive Order<p><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;"><b>There is nothing like long lines at the gas pumps to get the attention of government. This is an initiative that is long overdue. There is a great deal to do. Cyber is the infrastructure that we use to operate all the others, particularly to include energy and finance, and it is all too fragile and porous for the reliance that we have upon it. </b></span></p><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">It is good to see that "zero trust" made the list. The concept goes back to the mainframe and many of us have been actively promoting it for the internet for years. It is important to use it both horizontally, that is system to system and service to service, and vertically, through the layers of the application. 
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">Zero Trust requires strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) both user to system and process to process. One cannot trust a process whose identity is not reliable. If strong authentication is not the single most effective and efficient measure at our disposal, it is certainly among the top three. It deserves its own mention. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">Zero trust also implies resistance to lateral compromise within the enterprise. It should not be possible to compromise an entire enterprise simply by getting one user to click on a bait message in an e-mail or on a web-site. In addition to resistance to fraudulent credential replay, we need structured networks. I would like to see end-to-end application-layer encryption but, at least in the short run, I would settle for network segmentation and layering. 
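</span><p><span style="font-family: helvetica;">The process-to-process half of the requirement above, as an added example (this code is not part of the original post or of any product named on this page). Two processes, here an application and the database manager it uses, share a key that is assumed to have been provisioned out of band. Each proves possession of the key with a MAC over both identities and both fresh nonces, so a recorded response cannot be replayed against a later session and a message meant for one side cannot be reflected back to the other. Certificates and mutual TLS are the production form of the same idea; the shared-key exchange is used here so the whole protocol fits in one listing. Party names and message field names are this example's own.</span></p>

```python
"""Mutual, replay-resistant authentication between two processes.

Added example; not part of the original post. The pre-shared key is
assumed to have been provisioned out of band. The exchange is the classic
three-message nonce handshake: each side's MAC binds both identities and
both nonces, in an order that differs per direction.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class Party:
    """One end of the exchange; `key` is the pre-shared secret (assumption)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.nonce: Optional[bytes] = None
        self.peer: Optional[str] = None
        self.peer_nonce: Optional[bytes] = None

    def _mac(self, *fields) -> bytes:
        # Length-prefix every field so concatenation is unambiguous.
        raw = (x.encode() if isinstance(x, str) else x for x in fields)
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in raw)
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    # Message 1 (initiator -> responder): my name and a fresh nonce.
    def start(self) -> dict:
        self.nonce = secrets.token_bytes(16)
        return {"from": self.name, "nonce": self.nonce}

    # Message 2 (responder -> initiator): my nonce plus proof that I hold
    # the key and saw the initiator's nonce.
    def respond(self, msg1: dict) -> dict:
        self.peer, self.peer_nonce = msg1["from"], msg1["nonce"]
        self.nonce = secrets.token_bytes(16)
        tag = self._mac(self.name, self.peer, self.peer_nonce, self.nonce)
        return {"from": self.name, "nonce": self.nonce, "tag": tag}

    # Initiator checks message 2; returns message 3 on success, None on failure.
    def finish(self, msg2: dict) -> Optional[dict]:
        expected = self._mac(msg2["from"], self.name, self.nonce, msg2["nonce"])
        if not hmac.compare_digest(expected, msg2["tag"]):
            return None
        self.peer, self.peer_nonce = msg2["from"], msg2["nonce"]
        return {"from": self.name,
                "tag": self._mac(self.name, self.peer, self.peer_nonce, self.nonce)}

    # Responder checks message 3: the initiator holds the key and saw my nonce.
    def verify(self, msg3: dict) -> bool:
        if msg3["from"] != self.peer:
            return False
        expected = self._mac(msg3["from"], self.name, self.nonce, self.peer_nonce)
        return hmac.compare_digest(expected, msg3["tag"])


def run_handshake(initiator: Party, responder: Party) -> dict:
    """Drive one full exchange and report who authenticated whom."""
    msg1 = initiator.start()
    msg2 = responder.respond(msg1)
    msg3 = initiator.finish(msg2)
    initiator_trusts_responder = msg3 is not None
    responder_trusts_initiator = initiator_trusts_responder and responder.verify(msg3)
    return {"initiator_trusts_responder": initiator_trusts_responder,
            "responder_trusts_initiator": responder_trusts_initiator,
            "captured_msg2": msg2}


def replay_is_rejected(victim: Party, captured_msg2: dict) -> bool:
    """A message 2 recorded from an earlier run must fail against a fresh nonce."""
    victim.start()
    return victim.finish(captured_msg2) is None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # provisioned out of band (assumption)
    good = run_handshake(Party("payroll-app", key), Party("db-manager", key))
    print("shared key:   ", good["initiator_trusts_responder"], good["responder_trusts_initiator"])
    bad = run_handshake(Party("payroll-app", key), Party("db-manager", secrets.token_bytes(32)))
    print("wrong key:    ", bad["initiator_trusts_responder"], bad["responder_trusts_initiator"])
    print("replay rejected:", replay_is_rejected(Party("payroll-app", key), good["captured_msg2"]))
```

<p><span style="font-family: helvetica;">With the shared key both sides end up trusting each other; with a mismatched key neither does, and the application refuses before it ever sends its own proof. Replaying a captured response fails because the application's nonce is different each session, which is the "resistant to replay" property the requirement above asks for.</span></p><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">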
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">I am glad that it addresses software quality. However, the practice here is so shoddy and the contributors so many that simply saying we will address it through government purchasing power will not be enough. Nor can we rely on training alone. We need systems and development processes that make it much easier to do it right than to do it wrong. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">I would like to have seen the order address accountability and transparency for privileged users. Edward Snowden should not have been able to run rampant through a network that one would have expected to be "secure." It is ironic that the place that we are most likely to see shared credentials is among privileged users. Wherever there are two or more privileged users per shift, we need privileged access policy and management systems. 
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">We cannot continue to allow just any amateur to connect anything they like to the public networks. While it may require legislation, we must require that only mechanisms built by professionals to infrastructure standards (e.g., built for the ages, fails in an orderly and safe manner, resistant to easily anticipated misuse and abuse) can attach directly to the public networks. As we need structured networks within the enterprise, we need structure within the Internet. </span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">We also need to have accountability for suppliers who distribute (malicious) code that they did not write. This too may require legislation, but a class action suit against SolarWinds would be a start. 
</span><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><br style="box-sizing: border-box; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;" /><span style="background-color: white; caret-color: rgb(42, 46, 46); color: #2a2e2e; font-family: "Helvetica Neue", arial, sans-serif; font-size: 14px;">The Biden Executive Order is a start but only a start. There is much to do. Let us get on with it.</span>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1tag:blogger.com,1999:blog-8236182925747031461.post-12412506387279528552021-04-07T13:01:00.002-07:002021-05-19T12:07:32.133-07:00Policy -- What must it do?<span style="font-family: helvetica;">I recently received a link to the electronic annual report of a company from which I receive service and in which I have a small investment. I was pleased that it contained a button labeled "Cybersecurity Policy." Needless to say, I clicked on this button. This is what it said:</span><div><span style="font-family: helvetica;"><br /></span></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><div style="text-align: left;"><span style="font-family: helvetica;">"</span><span face=""Open Sans", sans-serif" style="-webkit-text-size-adjust: 100%; background-color: white; caret-color: rgb(42, 42, 42); color: #2a2a2a; font-size: 18px;">We go to great lengths to protect our computer systems and equipment from the threat of a cyberattack. Our comprehensive network is designed to protect us from both internal and external threats. We’ve expanded our use of next-generation intrusion detection and prevention tools to further protect our customers’ personal information. 
And we’re regularly training our employees to stay aware of potential cyber threats."</span></div></blockquote><p><span style="font-family: helvetica;">I confess to having been more than a little disappointed. This is more a statement of good intentions and practices than a policy. None of my expectations of a "policy" were met. </span></p><p><span style="font-family: helvetica;">As both a practitioner of security and a customer of, and investor in, the enterprise, I would expect a policy, at a minimum, to: </span></p><ul style="text-align: left;"><li><span style="font-family: helvetica;">require that managers protect the assets that they control, </span></li><li><span style="font-family: helvetica;">express the organization's tolerance for risk, or</span></li><li><span style="font-family: helvetica;">some measure of the level of security to be achieved, and</span></li><li><span style="font-family: helvetica;">require measurement and reporting of results, i.e., achievements and failures</span></li><li><span style="font-family: helvetica;">other</span></li></ul><span style="font-family: helvetica;">Said another way, I would expect a policy to communicate to managers and employees what general management wants them to do and how much to spend doing it. This statement, labeled "policy," fails to do that. </span><p><span style="font-family: helvetica;">The first and fourth bullets may be difficult to execute, while the second and third are difficult to express. 
Such expression should ensure:</span></p><ul style="text-align: left;"><li><span style="font-family: helvetica;">a consistent level of effective and efficient security across the enterprise,</span></li><li><span style="font-family: helvetica;">that precious resources get appropriate protection, </span></li><li><span style="font-family: helvetica;">while expensive measures are reserved only for those assets that require them.</span></li></ul><span style="font-family: helvetica;">These results cannot be achieved without direction from general management. Such direction is called "policy." Policy is an important and useful tool for management and leadership. </span><div><span style="font-family: helvetica;">Note that management's tolerance for cyber risk will differ by industry, application, and maturity of the business. A "startup" may have a very high tolerance for cyber risk, in part because its business risk is already high. A mature company in a sensitive industry, such as finance, transportation, or energy, might be far less tolerant. </span></div>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com0tag:blogger.com,1999:blog-8236182925747031461.post-35658858289019906962021-03-08T14:16:00.001-08:002021-03-08T14:16:23.492-08:00Audit Trail<p><span style="font-family: helvetica;">We do a much better job of designing our access controls than we do of designing our audit trail. We should start by identifying what an audit trail should do for us. It should enable management to determine:</span></p><ul style="text-align: left;"><li><span style="font-family: helvetica;">how every record or object (e.g., 
program, file, record) got to look the way it looks currently,</span></li><li><span style="font-family: helvetica;">how every record or object looked at any given time in the past,</span></li><li><span style="font-family: helvetica;">and enable us to fix accountability for every significant event or change to a single process or individual. </span></li></ul><div><span style="font-family: helvetica;">The result should be reliable and resistant to fraudulent modification. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">This requires not only that there be logs and journals of every relevant event, but that they be related in such a way as to support each other. There should be logs or journals on both sides of any interface where control passes from one process or person to another. For example, an application should log every request that it makes of the database manager and the result that it gets back. The database manager should record every request that it receives and the response it returned. Reconciling the two then exposes any event that appears on only one side, and neither side can conceal an event alone. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Logs and journals should be protected from late, or potentially fraudulent, modification. Consider reconciliation of the results of the independent processes on both sides of the interface, write-once (append-only) processes or storage, or blockchains. The correction of errors should be memorialized by new correcting entries, never by changing earlier entries. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Log and journal records should include the action taken, the user or process on whose behalf it was taken, the date and time, and a reference or sequence number to make the entry unique. 
In order to be able to establish how any record looked in the past, the record of the current change to a record should include a reference, by date, time, and sequence number, to the next most recent change to that same record. </span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Finally, the logs or journals should include images of the object both before and after the change. While in some cases it may be sufficient to keep only the after image, since the after image in the record of the previous change is the same as the before image, keeping both improves integrity and further resists fraudulent change: the two can be checked against each other, and an altered or missing entry breaks the agreement. </span></div>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com18tag:blogger.com,1999:blog-8236182925747031461.post-33579200998730573952021-03-08T13:09:00.001-08:002021-03-10T07:38:22.294-08:00Separation of Duties<p><span style="font-family: arial;">One of our most efficient controls over insiders is to involve multiple parties in sensitive duties. We assign roles and duties in such a way that: </span></p><ul style="text-align: left;"><li><span style="font-family: arial;">individuals, simply by doing their job, act as a control upon others, </span></li><li><span style="font-family: arial;">the probability that errors will be detected and corrected increases,</span></li><li><span style="font-family: arial;">temptation and the ability to commit fraud are limited,</span></li><li><span style="font-family: arial;">cooperation would be required both to convert an asset and to conceal that conversion. 
</span></li><li><span style="font-family: arial;">transparency and accountability are improved. </span></li></ul><span style="font-family: arial;">We separate management from staff, that is, setting objectives, measurement, and reporting from execution. </span><p><span style="font-family: arial;">We separate the Information Technology function and application development from their managers and users. </span></p><p><span style="font-family: arial;">Within Information Technology we may separate:</span></p><ul style="text-align: left;"><li><span style="font-family: arial;">Data Entry</span></li><li><span style="font-family: arial;">Operations</span></li><li><span style="font-family: arial;">System Architecture</span></li><li><span style="font-family: arial;">System Programming</span></li><li><span style="font-family: arial;">Application Design</span></li><li><span style="font-family: arial;">Application Coding</span></li><li><span style="font-family: arial;">Program Testing</span></li><li><span style="font-family: arial;">Maintenance </span></li><li><span style="font-family: arial;">Management</span></li><li><span style="font-family: arial;">Other</span></li></ul><p><span style="font-family: arial;">The little monks, specifically Luca Pacioli and his colleagues, who documented the idea of double-entry bookkeeping in the late 15th Century, suggested certain minimum rules that we use today as tests. </span></p><p><span style="font-family: arial;">They suggested that the individual who creates and authorizes an account should be separate from the one who processes transactions within the account. For example, the person who assigns the account number for a new customer or vendor, and enters the descriptive information like name, address, DUNS number, credit information, etc., should be separate from the person who processes debits and credits. 
Normally, managers or officers authorize new accounts while clerks, cashiers, or tellers process orders, payments, deposits, and withdrawals. </span></p><p><span style="font-family: arial;">Applying these tests to program development suggests that the following can be usefully separated:</span></p><ul style="text-align: left;"><li><span style="font-family: arial;">authorizing, naming, and specifying a program</span></li><li><span style="font-family: arial;">coding</span></li><li><span style="font-family: arial;">testing</span></li><li><span style="font-family: arial;">acceptance</span></li><li><span style="font-family: arial;">operation</span></li><li><span style="font-family: arial;">execution</span></li><li><span style="font-family: arial;">use</span></li><li><span style="font-family: arial;">maintenance</span></li></ul>William Hugh Murray, CISSPhttp://www.blogger.com/profile/10610200025154669270noreply@blogger.com1
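<p><span style="font-family: arial;">The following Python is an added illustration of the "Audit Trail" and "Separation of Duties" posts above; it is not the blog's own code, and nothing in it is attributed to the author. It models the journal the Audit Trail post asks for: every entry carries the action, the principal on whose behalf it was taken, the date and time, a unique sequence number, a reference to the next most recent change to the same record, and before and after images. A hash chain over the entries is my chosen stand-in for the post's write-once storage or blockchain as the means of resisting late modification; the before/after redundancy is checked as a second, independent test. The as_of method answers "how did this record look at that time" by walking the change references backwards. The toy Ledger applies the Pacioli test from the Separation of Duties post: the officer who authorized an account is refused as a poster of transactions to it. The journal here models only one side of an interface; the user names, account, amounts and timestamps are constructed for the example.</span></p>

```python
# Added example, not the blog author's code: an append-only journal with linked
# changes, before/after images and a hash chain, plus a separation-of-duties
# check on a toy ledger.  All users, accounts and timestamps are constructed.
import hashlib
import json
from typing import Any, Optional

GENESIS = "0" * 64

def digest(obj: Any) -> str:
    # canonical SHA-256 over a JSON-serialisable object
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class Journal:
    """Entries are only ever appended; corrections are new entries, never edits."""
    def __init__(self) -> None:
        self.entries: list = []

    def latest_seq(self, record_id: str) -> Optional[int]:
        # sequence number of the most recent change to this record, if any
        return next((e["seq"] for e in reversed(self.entries) if e["record"] == record_id), None)

    def append(self, action, principal, record_id, before, after, at) -> int:
        entry = {
            "seq": len(self.entries) + 1,               # unique reference number
            "at": at,                                   # ISO-8601 UTC timestamp
            "action": action,
            "principal": principal,                     # on whose behalf
            "record": record_id,
            "prev_change": self.latest_seq(record_id),  # next most recent change
            "before": before,                           # image before the change
            "after": after,                             # image after the change
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = digest(entry)                   # chains to prev_hash
        self.entries.append(entry)
        return entry["seq"]

    def verify(self) -> bool:
        """Recompute the chain and check each before image against the previous
        after image of the same record: altered, removed or reordered entries show."""
        prev_hash, last_after = GENESIS, {}
        for n, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"], e["prev_hash"], digest(body)) != (n, prev_hash, e["hash"]):
                return False
            if e["before"] != last_after.get(e["record"]):
                return False
            last_after[e["record"]] = e["after"]
            prev_hash = e["hash"]
        return True

    def as_of(self, record_id: str, when: str) -> Optional[dict]:
        """How the record looked at `when`: follow prev_change links backwards."""
        seq = self.latest_seq(record_id)
        while seq is not None:
            e = self.entries[seq - 1]
            if e["at"] <= when:          # same ISO format, so string order works
                return e["after"]
            seq = e["prev_change"]
        return None

class Ledger:
    """Officers authorize accounts and clerks post to them; never the same person."""
    def __init__(self, journal: Journal) -> None:
        self.journal, self.accounts = journal, {}

    def open_account(self, officer: str, acct: str, info: dict, at: str) -> None:
        rec = {"authorized_by": officer, "balance": 0, **info}
        self.accounts[acct] = rec
        self.journal.append("open", officer, acct, None, dict(rec), at)

    def post(self, clerk: str, acct: str, amount: int, at: str) -> int:
        rec = self.accounts[acct]
        if clerk == rec["authorized_by"]:        # the Pacioli test
            raise PermissionError("separation of duties: authorizer may not post")
        before = dict(rec)                       # copy, not a live reference
        rec["balance"] += amount
        self.journal.append("post", clerk, acct, before, dict(rec), at)
        return rec["balance"]

def demo() -> dict:
    """Constructed scenario; returns the values worth checking."""
    j = Journal()
    led = Ledger(j)
    led.open_account("officer.ann", "C-1001", {"name": "Acme"}, "2021-03-01T09:00:00+00:00")
    led.post("clerk.bob", "C-1001", 500, "2021-03-02T10:00:00+00:00")
    led.post("clerk.bob", "C-1001", -120, "2021-03-03T11:00:00+00:00")
    try:
        led.post("officer.ann", "C-1001", 1000, "2021-03-04T12:00:00+00:00")
        sod_enforced = False
    except PermissionError:
        sod_enforced = True
    result = {"balance_on_mar_2": j.as_of("C-1001", "2021-03-02T23:59:59+00:00")["balance"],
              "prev_change_of_seq3": j.entries[2]["prev_change"],
              "sod_enforced": sod_enforced, "intact_before_edit": j.verify()}
    j.entries[1]["after"]["balance"] = 5000      # a late, fraudulent edit
    result["intact_after_edit"] = j.verify()
    return result
```

<p><span style="font-family: arial;">Calling demo() shows the balance as it stood at the end of 2 March (500), the third change pointing back to the second, the authorizer's posting refused, and that a single after-the-fact edit to a stored after image breaks both the hash chain and the before/after agreement. Keeping both images is what lets the second check work even if an attacker could recompute the hashes.</span></p>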