• Banning Social Media – a good idea?

    I am really against banning social media – especially when the reasoning is work performance. To me, this is a management job, not a technology job, and as for banning social media to make people more productive – I doubt that this is really successful.

    Now, I read this article: Why Banning Social Media Often Backfires, which is definitely worth reading, as it goes down the road I just mentioned above.
    Roger



  • A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?

    I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those attacks: the Information Warfare Monitor and the Shadowserver Foundation.

    Even though the report has been out for quite some weeks, I think it makes sense to dig into it here, as there are a few fairly remarkable conclusions and statements in there. One of the key things we should think about globally is an International Incident Sharing Database (see the end of the post).

    Sharing and Collaboration

    If you are a regular reader of my blog posts, you know that I am a big supporter of international collaboration and I am clear about the need for a common set of rules to establish this collaboration. If you read through the paper, you see in different areas that they were challenged during the investigation. On page 8 they state that “On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about whom would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around Ghostnet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures.” Think about that for a second. You investigate a security incident, e.g. in your company. During the investigation you realize that you are not the only victim but that there are others, be they companies or governments. What do you do with this information? Whom do you contact? How can you be sure that this information gets into the right hands? A fairly hard question to answer, and finally, what kind of information are you allowed to pass on? Additionally, “Information sharing, generally speaking, is immature and underdeveloped, often hampered by proprietary concerns surrounding the commercial market for cyber security services” (page 10) and “Information sharing among victims of network intrusions and espionage is rare” (page 10). Well, what I see fairly often is that incidents do not happen, because they are not supposed to happen. Rarely does somebody talk openly about what happened to them.

    In order to combat such attacks, legal collaboration is key (again :-)). Otherwise, as the report puts it, it points to “the possibility of a perfect storm that may result from a lack of international consensus, ill-developed and implemented security practices, a paucity of notification mechanisms, and the growing confluence of cyber crime, traditional espionage, and the militarization of cyberspace” (page 10). This simply tells us that we will lose the fight without international legal collaboration and harmonization, as well as the willingness of the public and the private sector to share information.

    Technology

    From a technical perspective, the attackers started to use Internet-based services. For example, they used Twitter to control the botnet, as well as free mail services like Gmail and free blog services like Baidu. This is to enhance the command and control infrastructure of a botnet, something I was never aware of but which is actually a logical enhancement of what we know already. The next point, when it comes to technology, is the software they seem to have exploited: “We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003” – old software, software which was designed to cope with completely different threats than the ones existing today! And even if they decided to stay on the previous versions: “The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time.” In other words: It is about patch management again… But to be fair, they fell victim to some vulnerabilities in PDF which were not patched at the time of the attack.

    Source

    Finally, let’s think about the people behind the attacks. It is a joint understanding that the attacks originated from China. The Chinese government was accused of being the source behind it, but they denied it and it has never been proven otherwise. Generally – not only in China – it can be expected that there is a close collaboration between governments and the hacking community, or as the report states: “The degrees of the reported relationship vary between ‘authorize’ to ‘tacit consent’ to ‘tolerate’ (Henderson 2007b).”

    Conclusions

    What can we learn from the report? Actually nothing new, it just reinforces my view of the world:

    • We have to be better at sharing incident information. This has two sides: One is between victims. There has to be a way (and, honestly, I do not have a solution yet) to find the right contact within a government or an organization to help them understand that they were attacked.
    • We need smooth and fast international legal collaboration. This has to be based on solid, harmonized legislation.
    • There are two calls to action when it comes to your software maintenance: Make sure you are on the latest version of your software and make sure you are patched. Patch management is one of the fundamental processes in your organization!

    And now to the final point I have been thinking about for quite a while. The airline industry initially suffered from quite a few technical incidents. The way the industry finally dealt with it was to establish the sharing of incident information (as well as near misses) and a global body taking care of airline safety (and the willingness of the governments to collaborate and share). The same has actually now started in certain countries in the healthcare sector.

    When it comes to Information Security, we all deny incidents unless they become public – because we fear an impact on our reputation. We have to start thinking differently. We need a place where we are able to (anonymously?) file incidents which happened, or ways somebody was attacked, to be shared between security professionals. That’s the only way we can learn collectively, increase the pace at which products become better at defending, and help security professionals improve their skills in protecting critical information. The critical question is: who can own such a database? It has to be an organization which is trusted internationally and therefore cannot be state-owned. It could be an international association or an inter-governmental organization. Ideas are very welcome, as I am convinced that there is a huge need for an International Incident Sharing Database.

    Roger



  • What we can learn from the volcanic cloud for information security

    I am one of the grounded people. Luckily for me, I would have had to fly out today and am now “stuck” at home. It is not so fortunate for the event organizer, who has a significant number of sessions he now has to do on LiveMeeting. On the other hand, maybe this is the future for a lot of the travel we do: when I talk to customers on LiveMeeting, they are often fairly happy, and it costs me 1.5 hours instead of 1.5 days, plus the expenses on top.

    However, this is not the reason for this post. When I look at what is happening with the volcanic ash, it is actually fairly scary to me. Governments, based on the assessment of the aerospace industry and the pilots, decided to close the different airspaces for safety reasons. And to be clear: The government’s job in this situation is the safety of the passengers. It seems to be completely true that this assessment is probably fairly cautious, as there is not enough experience and data with such a situation, and the people who have to take this decision want to be on the safe side – and I want them to stay there, as I will fly again when they open the airports… Airbus, as an example, has clear Flight Operations Briefing Notes on Volcanic Ash Awareness – the question is which is the critical concentration – something we do not know. And now the problem starts. Initially the decision was clear and “well taken” by all the different people – even the grounded passengers. But then the commercial factors come into play, which I definitely understand. It might well be a question of survival for some airlines. So politics as well as business take part in this discussion and try to influence the authorities to remove the ban – here it gets dangerous in my opinion. It will be interesting to see where this leads, but imagine the scenario where the government opens the airspace and a plane crashes because of the volcanic ash…

    Let’s take that to business. Is this not a common scenario? We have the job to ensure the security of our company’s information, but there are commercial as well as political issues to consider. Unfortunately (or fortunately), business has the power to overrule a decision taken by security based on their risk assessment. Most often, however, this decision is not life-threatening – so the impact might not be as severe as with the airline industry at the moment. In order to overcome this problem, it leads me back to what I say very often: We have to bridge the gap between how we assess risk and the way “people” look at those risks. We have to find a common language and a joint understanding of the problem – something I think is not a given with the volcano above.

    So, most often – as with the volcano – it is more a communication problem than an engineering problem. Additionally, it is a problem of too many people assessing risks they do not understand. I have heard it very often from ordinary people that governments are overly cautious – stated by people who understand as much about flying a plane as I do: nothing.

    If you take the lesson for yourself as a security professional: You have to make sure you understand the risks as far as possible. Additionally, you have to make sure the decision makers understand the risks and the consequences if the risk materializes – and they have to understand it in their own language.

    Roger



  • Manage your PCs in the Cloud – Sign up for Windows Intune Beta

    We just opened the Beta for Windows Intune, your new PC management and security solution in the cloud. Here is a screenshot of the web console:

    So, go and sign up for the Beta: http://www.microsoft.com/online/windows-intune.mspx

    Roger



  • Piracy and Legal Consequences

    I would like to start with an important statement: This is the first blog post I have made with a disclaimer to start with. The content of this post is not an official Microsoft position and might not reflect the Microsoft opinion!

    Let’s have a chat about piracy. When I look at my neighborhood, I often (very often) have discussions about how legal it is to copy software and use cracked software and copied DVDs and copied music. In Switzerland, we have a piracy rate on software of approx. 25% – this is where I live and this is one of the richest countries on the globe. If you take this figure: How would you feel if every fourth hour you work were not paid? I would go ballistic! This would be unacceptable to me.

    Still, a lot of people think that it is not really a problem if they use resources – illegal resources – which are freely available on the Internet. A lot of people think that it is just a peccadillo to copy, be it books, music or software. And then I posted recently on Twitter: “What is your view? I think it is a good idea: Illegal downloaders face web ban http://ow.ly/xGaK” and got a lot of harsh reactions. I hope that a lot of those people will – in the future – work at least one hour in every four for the community, as they seem to expect this to happen for the software industry.

    Now, let me take another position: I think it is great that we introduced a limited offer (do not ask me why it is limited) of a Windows 7 Family Edition to be installed within your household a maximum of three times – this covers a huge need of families, who might otherwise often have copied or cracked it instead. Whenever I can avoid it, I do not download technically protected music – and let me tell you why (please, if you quote me, quote me in context): Why should I pay for music to be used only on my MP3 player? I listen to music from my PC during work, my business notebook during travel, my Zune during flights, my car during travel and, last but not least, my Media Center. If the music is copy-protected, this does not work. I am allowed to copy it but not to break any copy protection. So, this model sucks. I understand that an artist wants money for the music and I am definitely willing to pay for it (see my point above – I do not work for free either), but I want to consume it whenever I want, wherever I want. If I use music that is not technically protected, I can leverage it across all my systems. Otherwise I cannot – and this sucks. Is this a reason to hack it – no. Is it a reason not to buy it – definitely.

    I see the need of the entertainment industry to protect its assets. On the other hand, I see the requirements of the consumers, which are often ignored. What scares me much more is the way we raise children. Growing up in a household where copying of illegal content is just a normal thing, with what values do these kids grow up? Basically with a mindset that stealing is illegal if we deal with physical goods but not really illegal for non-physical goods? So, stealing is just a little bit illegal. Or is it just illegal if it suits us personally?

    Therefore, the British approach above to ban illegal downloaders might be drastic, but is it that far-fetched? Is it really going too far? What do we do with trespassers in the physical world, and why is this different on the Internet?

    A final remark: If you quote me, please quote me in context. Additionally, I want to state again that this is my personal opinion!

    Roger