
Thursday 21 July 2011

Risk and Security: how much to spend? First step: define the process - 005

After this long introduction we can now try a small test, to see whether we can really define a sound method for determining how much to spend on security.

First of all we should define which process we want to consider. I opted for the email system because it is, generally speaking, a badly neglected and misunderstood area of IT.

While email is widely used and accepted as a communication medium worldwide, few implementations treat email security as a whole process involving users, data and business value. The usual remarks we hear about email are:

  • why is our mailbox so small
  • spam is annoying
  • it is not a big deal if we go without email for a while
  • ….

Well, we should try to understand what an email system really is.

I will use a top-down approach, trying to highlight all the issues and dependencies that could have an impact on the business and in the security space.

Then we will try to understand which security approaches and technologies would be most useful, and we may discover some unexpected relationships.

Sending an E-mail

What does allowing someone to use email mean?
What is the impact of email on our business?
What is the value of this service?
And the value of the data processed?

These are questions we should all be able to answer when dealing with a mail system. The choices we make will have a wide impact on our business in terms of productivity and customer satisfaction, so we should not underestimate them.

So first of all let's try to define what we're talking about.

Basically, sending an email is a process that allows a User A to send information to a User B.

From the user's perspective this requires giving some information to the email client so that the message can be correctly delivered.

User A's experience is based on 4 basic steps:

  • access the email client
  • enter the recipient (destination) address
  • add the information to the email
  • send the message

Accordingly, User B should be able to receive the message, open it and read it. Finally, B should also be able to reply to the message if needed.

Already at this level we can start making some observations about the email system:

Who can access this service?
Who should provide this service?
Could we allow multiple services?
Do we need to control the information sent/received?
Do we need to control senders and recipients?
Do we need to define the devices allowed to send messages?
Do we need to define a perimeter for sending/receiving messages?
Do we need to define SLAs for this service?

Of course, answering those questions may open new sub-questions, for example:

“Who can access this service?” implies at least:

  • can we recognize the users?
  • what is the general knowledge of those users? do they need training?
  • can we enforce identification?
  • can we log them?
  • do we have to store the data sent?
  • are there any legal implications?
  • how do we control unwanted access? is this a problem?
  • ….

and for the other questions:

Who should provide this service?
  • can we provide it internally?
  • could we outsource the service?
  • do we need to hold some data locally?
  • are there any legal implications?
  • ….

Could we allow multiple services?
  • do we offer just one service (internal mail)?
  • do we also allow the use of personal email systems (like Google, Yahoo, Live…)?
  • can we implement a control policy on every such system?

Do we need to control the information sent/received?
  • do we handle sensitive information?
  • is there any kind of communication that would be dangerous if sent out by an employee?
  • do we receive sensitive information through this medium?
  • how do we control the trustworthiness of the information received?
  • are there any legal implications?

Do we need to control senders and recipients?
  • do we need to impose limits on access to the mail system?
  • do we need to prove our sender identity to the recipient?
  • do we need to check whether someone is sending messages on behalf of someone else?

Do we need to define the devices allowed to send messages?
  • can we expose mail through a webmail interface?
  • can we allow mail to be read on mobile devices?
  • do those devices have to be company-owned, or could they be of any kind?
  • do we force a VPN connection to access email?

Do we need to define a perimeter for sending/receiving messages?
  • can anyone send/receive email?
  • are there any limitations by role or location?
  • can we define subsets of needs that require special care (e.g. legal dept, HR, contracts…)?
  • ….

Do we need to define SLAs for this service?
  • what are the expected SLAs?
  • can we define SLAs for the several aspects of the service, such as delivery time, storage, access, uptime…?
  • ….
Wow.

As we can see, a lot of interesting questions can be raised when we talk about mail, and we have not even entered the real deployment of the process: we just set up a black box between sender and recipient.

Some of those questions would be better addressed by going deeper into the process, once the links between email and other business processes are exposed. But by now we have understood that an apparently simple process like providing an email system raises several security concerns.

So let us now try to understand the value of this process for our business.

Once we understand that sending email involves sending data, we should try to evaluate what kind of data is processed and what its value is.

In today's environment email systems are one of the most important (although neglected) assets. We use email to send any kind of communication, with different levels of importance.

From personal notes to projects, presentations and confidential communications; even legal or HR communications, business contracts and offers are sent by email.

But email systems are also used to hold and store that information: our mail servers and the associated client interfaces are effectively used as an unstructured database holding our intellectual property.

Studies estimate that over 90% of a company's intellectual property is stored in email systems.

So is this worth protecting?

In order to better define the process we should also try to understand the risks this system is exposed to, but to do so we should first understand some of the technical implications of email systems.

to be continued …

Tuesday 19 July 2011

Back on Track

I haven't posted much lately, sorry, but I've been quite busy and times at work have been hectic. I'm on a short vacation these days but I'll start posting something 🙂
Thanks to those who commented on my blogs.
cheers
Antonio

Monday 4 July 2011

"La Notte della Rete"

It will not be a quiet eve for Agcom: it will rather be “La Notte della Rete” (the Night of the Net). On 5 July, 24 hours before the approval of the Resolution dubbed the “Internet killer” by Italian bloggers, artists, representatives of the net, political leaders, citizens and web users will gather in Rome for a non-stop event against the measure.
For more information on the Agcom measure go to the page: www.agoradigitale.org/nocensura

The event will take place on Tuesday 5 July from 17:30 to 21:00 at the Domus Talenti in Rome (via delle Quattro Fontane, 113). Join our mobilization too. Make your voice heard!

Among those already confirmed:
Olivero Beha, Rita Bernardini, Emma Bonino, Pippo Civati, Nicola D’Angelo, Juan Carlos de Martin, Tana de Zulueta, Antonio Di Pietro, Dario Fo, Giovanbattista Frontera, Alessandro Gilioli, Peter Gomez, Beppe Giulietti, Fabio Granata, Margherita Hack, Carlo Infante, Giulia Innocenzi, Ignazio Marino, Gianfranco Mascia, Gennario Migliore, Roberto Natale, Luca Nicotra, Leoluca Orlando, Flavia Perina, Marco Perduca, Marco Pierani, il Piotta, Donatella Poretti, Enzo Raisi, Franca Rame, Fulvio Sarzana, Marco Scialdone, Guido Scorza, Mauro Vergari, Carlo Verna, Vincenzo Vita, Vittorio Zambardino.

How to support the initiative:
Little more than 48 hours remain before the approval of the regulation. There is no more time to lose!

Luca Nicotra
Secretary of the Associazione Agorà Digitale

Saturday 2 July 2011

Talking Points - Security week review

The end of an era? Or, maybe, just the beginning?
Good morning my friends. As we are all aware, LulzSec closed its operations after 50 days of astonishing activity.
Is that really the end? Or just the beginning?
While one group seems to fade, another one revamps: Anonymous has taken up the LulzSec legacy, and both Operation Payback and AntiSec seem to strike again and again. Brazil, USA, Italy, Spain, Greece; the Americas and Europe, Asia and Africa: it seems there is no border for cyber activists and cyber warfare.
So if LulzSec closed operations (but is that really what happened?), nothing has really changed in cyberspace.
Cybercrime is here to stay!
But if the age of LulzSec turns out to be history, we finally find good old cybercrime in our news again. Maybe someone was thinking that the only problem was cyber terrorism, but, come on, do you still think cyber criminals are not a constant presence in our world? If so, think twice 🙂
It turns out that researchers found the biggest botnet ever, TDL-4; so, my friends, the bad guys are still there.
And it was not only botnets generating headaches in our IT departments: a recent Cisco report showed how phishers and spammers are shifting their activities from mass distribution to more specific and more lucrative targeted attacks.
Mixing mail, as the main vector, with malware, mostly deployed through a “drive-by download” methodology starting from the mail itself, those targeted attacks are becoming more insidious and more evil.
But anyone can be fooled: if RSA was, do you think you are better?
Those targeted attacks are delivered not only by the usual email but also through the newest communication media, like social networks and portals. So while Google deleted 93,000 fake advertisements, the king, Facebook, is always the preferred target. Malware campaigns using Facebook messages are spreading all day long, and do not think you do not need protection: infected apps have been reported as well. Speaking of which, we cannot avoid recalling that the application world is still a very difficult area for security, so not only Facebook suffers security issues, but, I have to say, also the mobile applications developed for the ever more widely used so-called smartphones and smart devices (tablets).
Mobile or not mobile, that is the question…
It is not just the fact that Google is still fighting to clean up the Android Market; the use we make of mobile devices is spreading concern among experts. We use them for work and to access sensitive data; we use them for leisure and to access personal data. Those devices are full of useful information for cybercrooks and can also be used as a Trojan horse to reach our networks from the inside. And do not even think that anyone is immune: both major OSes have dangerous flaws, and the “he's worse than me” excuse does not stop the bad guys.
As I read once: “the good news is that there is only a 0.01% chance of being targeted; the bad news is that I'm in that 0.01%”.
There are lots of reports on mobile security too; that does not mean we must not use those devices, just that we have to learn how to use them.
Besides, I'm running a little survey here to understand how we feel about mobile; you're more than welcome to participate 🙂
June ends, a new month starts
It has been a long roller-coaster ride this month, one that confirmed a lot of changes in our perception of what is moving out there.
We learned that hacktivism and hackers are back, data are the preferred target for cybercrooks, cyber criminality works for money and lives for money, any device can be a source of risk, and jailbreaking and hacking are not just geek activities but things we have to face every day.
So let us remember the protagonists of June.
Special mention to:
Anonymous and LulzSec
but we should also remember the other guys with colourful names like The Jester, Web Ninjas, Chinga la Migra ….
The hacks to remember
Some of this month's hacks deeply marked the perception of what our world is becoming, so let's start mentioning them.
Google Mail hack: China vs a private company; mail is always important (even more so); politicians and public officials using a private account to exchange private information… wow, a lot of amazing stuff here.
Sony: from PSN to Pictures, how not to do security, how not to understand what is happening, and how not to take responsibility for one's own mistakes; looks like life (or a soap opera).
Citi: yes, we've been hacked, credit card data stolen, but we do not tell anyone; maybe if nobody knows, nothing happened… that seems to be the Citigroup justification. Alas, it came out…
IMF: damn it, I was trying to ask for a 12 billion dollar loan for myself. Geez, if the most important financial entity can be hacked we should really be cautious. Can you imagine what kind of sensitive data they handle? And just to wonder, did you know the hackers started their journey with spear phishing?
Acer: in this case we can honestly ask why the “Pakistan Cyber Army” group needed to attack them.
Sega: why games companies? Maybe because their databases are full of interesting data, like usernames, emails, passwords, credit card numbers (wait, that was Sony PSN). Sega has not been the only one, of course; it seems games companies are a preferred target. Funny enough, LulzSec denied any involvement and promised revenge against the Sega hackers.
Arizona Department of Public Safety: LulzSec, Anonymous? Both? Can you feel the irony of the AntiSec operations here?
InfraGard, CIA, FBI: yes, the more the better; even what should be the temple of security can be hacked by some motivated teenagers… We should really think about it: what would happen when well-motivated professionals play the game?
I could continue, of course, but then you would think I'm here to scare you; well, partially right 🙂
All this should make us think: if the security landscape has changed, why are our security activities still the same?
That's all for this week.
Have a great time and enjoy your weekend.
cheers
Antonio