Why the US Cyber Chief is wrong: It’s not a tide of Cyber Criminality – there will be no ebb tide

22.03.2012 by Martin Kuppinger

Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget alone requesting 3.4 billion US$. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency), is quoted as saying “Nation-state actors in cyberspace are riding a tide of criminality.”

I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by global warming – with the important difference that the increasing cybersecurity challenge is not happening gradually over a period of dozens of years but more or less as a tsunami, almost immediately. We most likely will see some “decrease in increase” or, in other words, lower growth rates in cybercrime. But I don’t expect to see a decrease in absolute numbers within a foreseeable period of time.

And it is not only about nation-state actors in cyberspace, but about all actors in cyberspace that are causing that rise. States are affected because they are the target of other nation-state actors, but also of organizations like Anonymous or Lulz Sec, and of the classical attackers like script kiddies and other non-organized hackers. On the other hand, they are most likely not the target of that part of cybercrime which is related to organized crime. Other organizations, in contrast, are more likely to become the target of all these types of attackers.

The good thing about quotes like the one mentioned is that they prove that at least some states (the U.S. probably more than many European countries) have understood the challenge they are facing. But to me it sounded somewhat too optimistic.

What we have to do is to act on this challenge, by systematically and strategically improving our IT security. That requires a holistic view on the topic. It requires a risk-based approach. We need to understand the risks and act according to these risks. We need to have plans in case something happens anyway. It will cost a lot of money. But by doing it right, there is a huge potential for saving at least some of the money which otherwise is thrown out of the window with little or no effect on IT security.

To learn more about Information Security, GRC, and the role IAM plays therein, visit EIC 2012, Munich, April 17th to 20th.


Encryption is only as good as the protection of its keys

21.03.2012 by Martin Kuppinger

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group that specializes in encryption. They offer, amongst several other technologies, HSMs (Hardware Security Modules) and Enterprise Key Management solutions.

The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private signature key. This key has been stolen from a Swiss company.

This new Trojan proves three points:

  • Every company is a target for attackers. No single company should feel safe just because it is either small or in an industry which appears not to be that attractive for attackers.
  • Attacks are getting increasingly sophisticated. Mediyes is just one example of this – they needed to obtain that key in a first attack to start the Mediyes attack.
  • Encryption relies on the security of keys.

The first two points are covered here, amongst other posts, articles, and podcasts of mine.

The third point is another important one. If the keys aren’t secure, everything relying on them is insecure as well. That is true for compromised CAs (Certificate Authorities), and it is true for every single private key you are using and every key used in symmetric encryption.

Thus it is mandatory to focus more on Enterprise Key Management and overall Information Security. Keys have to be well managed and secured. Not having appropriate management and security for these keys – for every type of encryption, from digital certificates to symmetric encryption of your communication lines – leaves the doors wide open for attackers. When starting with Enterprise Key Management, it is necessary to first of all know which keys are out there and how they have been protected (or not) until now. Then you can start improving the management of these keys.

Notably the term is Enterprise Key Management and not Storage Key Management or anything like that. It is not about looking at some keys, it is about looking at all of them.

To learn more about APTs (Advanced Persistent Threats), the changing threat landscape, Enterprise Key Management and overall IT Security, you should attend EIC 2012 in Munich, April 17th to 20th.


15% of CIOs ban private devices – the Don Quixote approach on BYOD

19.03.2012 by Martin Kuppinger

I read news this morning quoting a survey by Coleman Parkes, a UK-based research company, saying that 15% of CIOs ban private devices to mitigate the BYOD risks. I personally don’t believe in that approach because it is just too likely to fail. It is like Don Quixote tilting at windmills, I’d say.

At first glance, banning private devices might seem the best choice. Using only devices you’ve provided yourself, evaluated and tested, and configured well seems to be the best approach when it comes to mitigating information security risks. But does this approach really work? Let’s focus on five questions:

  • Will the managers accept this?
  • How do you deal with remote workers?
  • How do you deal with external collaboration?
  • Are the devices really secure?
  • Do you provide what your business requires?

Managers are one of the user groups driving BYOD – we all know about that. Many of them like to have the newest gadgets. Many doors to BYOD have been opened wide by them. Certainly there are some organizations where the managers weigh information security higher than their own interest in the newest gadget (which they describe as an urgent business need). But there aren’t that many.

When looking at remote workers, who are common in many organizations, it is also hard to enforce the pure-play approach of allowing only devices provided by the employer. That means the employer has to provide the entire work environment. That’s difficult, but it might work.

External collaboration is another issue, because that is about giving externals access to some sort of shared workspace, if you don’t want to rely on e-mail communication only. That is also feasible, especially in the days of Cloud Computing – but then there are other issues to solve for information security.

A really interesting question in these days of “Data Leakage by Design” and inherent security risks (for example in Android), not to speak of questionable concepts of privacy that for sure also affect corporate users, is whether the corporate devices are really secure. For sure it is much easier to mitigate information security risks in an environment with a limited number of device types, operating systems, and applications. But many types of devices, including virtually all of today’s smartphones, won’t support the required level of control. How do you really ensure that no “malicious” (in the broadest sense) app is used? How do you avoid users accessing the “wrong” web sites? Many organizations invested a lot of money to achieve that goal in the days before BYOD became popular and seldom reached their targets.

Finally, business is requesting specific types of devices. You might argue that no one really needs a tablet or some types of smartphone. You might even be right. But that puts you in the classical position of IT being an inhibitor for doing business better. And overall, there is some value in new types of devices, even while many things are overhyped. But a restrictive policy will never be able to keep pace with the changing requirements of business users and the way they communicate.

Fighting BYOD is, from my perspective, the loser’s way. It is the Don Quixote approach not only to BYOD but to information security in general. The fundamental problem with the approach is that it focuses on device security instead of information security. That is very (!) “old school”. Information Security – like the name implies – is about securing information and what is done with that information – at rest, in transit, in use.

You will learn a lot more about BYOD at European Identity and Cloud Conference 2012. There is also a KuppingerCole report on BYOD available.


TPM – why is this technology so rarely used?

16.03.2012 by Martin Kuppinger

During the last few weeks I have received a large number of press releases issued by Wave Systems. Reading the headlines, my impression was that this is just another vendor oversimplifying security. Headlines like “Change the status quo of security: Just switch on” caused that impression, given that behind these headlines you usually find a tool vendor with limited capabilities and big claims who tries to sell a little piece of software as the holy grail of IT security.

So I thought about using these examples as a starting point for bashing a little on that type of vendor. However, after reading beyond the headlines, I found an interesting story. Wave Systems is heavily promoting the active use of TPM chips, a security chip built into a very large number of PCs, notebooks, and other computing devices. Wave mentioned that 500 million TPM chips have been delivered so far. One technology that makes use of the TPM chip is Windows BitLocker, a built-in encryption technology in Windows. However, few users have BitLocker activated. In other words: There are hundreds of millions of devices out there which could be secured far better than they are. Interestingly, Apple built in TPM chips between 2006 and 2009 and then stopped doing that.

TPM (Trusted Platform Module) is an industry-standard technology which allows sensitive information to be stored securely on a chip. It’s a very secure technology and it can be used for different use cases, beyond the encryption keys for the hard disk. The problem simply is that it is rarely used. BitLocker isn’t used by default. That is no surprise, as most of the TPM hardware came out after the release of Windows Vista, the first version with BitLocker support.

Thus, I find the approach of Wave Systems to offer security solutions which make use of the TPM technology interesting – all the more because they also offer a product for managing BitLocker. Thinking about TPM as a central element in your security strategy makes a lot of sense, because that’s the built-in HSM (Hardware Security Module). So you should have a look at TPM (or look again, if you had one before).

Sometimes it really makes sense to read more than the headlines, especially if the headlines make you wonder. In the case of Wave Systems it was definitely worth diving in a little deeper.


Microsoft vs. Google: The battle of the business models

12.03.2012 by Martin Kuppinger

This year’s CeBIT, the world’s largest IT fair, has the topic of “Managing Trust”. For some reason, the “Deutsche Messe”, the company behind CeBIT, decided to have Eric Schmidt as one of the speakers at the official opening ceremony anyhow. Right after the speech of Schmidt, Microsoft sent out a press release “Ralph Haupter comments on CeBIT opening”. Ralph Haupter is the General Manager of Microsoft Germany. The summary of this press release is simple: According to Microsoft, Eric Schmidt just missed the topic. He didn’t talk about managing trust but about some opportunities of the digital world of the future (as Google sees that future). From the Microsoft perspective, it is also about security, privacy, transparency, fair access.

I can’t remember any press release like that, with one vendor commenting that harshly on a leading spokesperson of another vendor. Microsoft has positioned itself, especially in Europe, as an advocate of privacy and data protection laws. They recently announced new versions of their Office 365 contracts which fully take into account the EU requirements. So is this entire thing about privacy?

From my perspective, privacy is only a battlefield which Microsoft has detected in a bigger fight against Google. Microsoft has a long history around security and privacy and they had to learn their lessons the hard way. A good article on that can be found here.

Right now, Microsoft on one hand sees the opportunity to pass the buck (in German it would be passing the “Schwarzer Peter”) to another vendor, with Google being the hottest candidate besides Facebook and (yes!) Apple.

But it’s beyond playing that game – it’s about business. Microsoft believes in a business which is based on accepting privacy and data protection laws. With its strategy it focuses on shredding the image of Google as a provider to the enterprise. Microsoft earns its money mainly with paid services. They were pressed by Google to provide solutions like Office 365. Now they strike back. Microsoft wants to avoid Google becoming a real competitor for that type of business. And by pointing at the privacy issues, Microsoft rubs salt in the wound of Google. Overall, it is about the question whether a business which is based on ignoring privacy can be successful over time, or whether companies are more willing to pay for models which rely on accepting the rules for privacy and data protection.

There are still a lot of open questions: Bing costs a lot of money. How will Microsoft finance that without an advertising model like Google’s? Yesterday a customer told me that he switched from Google to Bing quite a while ago because he really hated seeing trouser adverts for weeks once he had searched for trousers on the Internet. How close are some of the Microsoft Live offerings to what Google does? Currently I observe that Microsoft is carefully watching not to cross the line.

At the end, this fight is only one amongst many others. ACTA and copyright laws in general, QoS (Quality of Service) for some providers or not, software patents and many other discussions are in fact all about the same basic topic: How free is the Internet? And where should this freedom end? It’s also about “might is right” versus a more regulated and thus protective environment.


Non-working P3P privacy policies in browsers – whom to blame?

09.03.2012 by Martin Kuppinger

Another recent discussion was about Microsoft blaming Google and Facebook for circumventing IE privacy policies. There were many articles about that issue, two of them you’ll find here:

http://www.networkworld.com/news/2012/022012-microsoft-says-google-circumvents-ie-256358.html?hpg1=bn

http://www.networkworld.com/news/2012/022212-microsoft-browser-privacy-256444.html?source=NWWNLE_nlt_microsoft_2012-02-23

There are two aspects, from what I understand. First of all, Facebook doesn’t care about privacy, and Google at least not much. Facebook clearly states that it doesn’t have a P3P privacy policy, and Google sort of says the same – their position is that these policies prevent users from using the opportunities of today’s Internet. Google’s position is that any user will want this (which I doubt). On the other hand, Microsoft IE fails to identify these statements correctly. If IE simply treated any P3P privacy policy statement that isn’t correct as no statement at all, Google and Facebook couldn’t “bypass” the IE privacy settings.

However, blaming IE for not allowing the users to do the cool things users want to do is definitely the wrong approach. It is about allowing the user to choose what he wants to do. At least it is about accepting that users might opt for privacy. If P3P fails in this from the viewpoint of Google and Facebook, then we need another standard. But clearly, if the user expresses his will to keep some privacy, actively bypassing this would be nothing else than an attack. I don’t really see a difference between acting that way and other types of attacks like phishing attacks and all the other types of malware we are confronted with on a daily basis.

The interesting question is now about what really is the case. Let’s look at some options. There are some cases around what Microsoft could do in IE:

1. Microsoft IE interprets P3P statements correctly

1a. Microsoft ignores incorrect P3P statements and allows access (to privacy-relevant information in the broadest sense)

1b. Microsoft interprets incorrect P3P statements and denies access (or asks the user)

2. Microsoft IE misinterprets P3P statements

On the other hand, there are some cases for companies like Facebook and Google providing P3P policies:

A. They don’t provide any P3P policy.

B. They provide something that has nothing to do with a P3P policy (like Facebook does).

C. They provide incorrect information about how they deal with privacy, but as a correct P3P policy.

D. They provide incorrect P3P policies.

D1. They do this accidentally.

D2. They do this to bypass the IE privacy settings.

It becomes obvious by just looking at the different cases that there are many situations. You can build a matrix and then decide whom to blame. I specifically want to look at the situation of case 1b and case C. Having Microsoft IE ask the user for permission, and thus inform him about a potential privacy violation, would be the best approach from my perspective. In that case, IE would either ask the user in cases A, B, and D or deny access to privacy-relevant information at all. So it is about case C – that would be the attack: Someone sending P3P policy information, but not acting according to that policy. Simply said: Case C from my perspective is always about attacking the user.
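As an added illustration of the cases above (example code, not part of the original post): a small Python classifier for P3P compact-policy headers, with the two browser behaviours the post calls case 1a and case 1b. The token vocabulary follows the W3C P3P 1.0 compact-policy specification; the sample headers and the “unsatisfactory” preference are constructed for this example. Under 1a a malformed statement fares better than no statement at all, which is exactly the bypass discussed above; under 1b both end up asking the user.

```python
import re

# Token vocabulary of a P3P 1.0 compact policy (W3C P3P 1.0, section 4).
_PLAIN = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",         # access
    "DSP", "COR", "MON", "LAW", "NID",                # disputes, remedies, non-identifiable
    "NOR", "STP", "LEG", "BUS", "IND",                # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV",  # data categories
    "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
    "LOC", "GOV", "OTC", "TST",
}
# Purpose and recipient tokens may carry a suffix: a = always, i = opt-in, o = opt-out.
_SUFFIXED = {
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",                       # purposes
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",         # recipients
}
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')

def _token_ok(tok):
    base, suffix = tok[:3].upper(), tok[3:].lower()
    if base in _PLAIN:
        return suffix == ""
    return base in _SUFFIXED and suffix in ("", "a", "i", "o")

def classify(headers):
    """Return (status, tokens); status is 'absent', 'malformed' or 'valid'."""
    value = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
    if value is None:
        return "absent", []
    match = _CP_RE.search(value)
    if not match:
        return "malformed", []        # P3P header that carries no compact policy
    tokens = match.group(1).split()
    if not tokens or not all(_token_ok(t) for t in tokens):
        return "malformed", tokens    # free text or unknown words (the post's cases B and D)
    return "valid", tokens

# Constructed user preference standing in for a browser privacy setting: refuse a
# policy that hands identifiable data to unrelated parties or the public without
# opt-in consent. A valid policy that misstates the site's practices (case C)
# is indistinguishable here from an honest one.
def _unsatisfactory(tokens):
    if any(t.upper() == "NID" for t in tokens):
        return False
    return any(t[:3].upper() in {"UNR", "PUB", "OTR"} and t[3:].lower() != "i"
               for t in tokens)

def decide(headers, mode):
    """'1a': a malformed statement is ignored and access allowed.
    '1b': a malformed statement counts as no statement and the user is asked."""
    status, tokens = classify(headers)
    if status == "valid":
        return "deny" if _unsatisfactory(tokens) else "allow"
    if status == "absent":
        return "ask"                  # no policy at all: ask in both modes (assumption)
    return "allow" if mode == "1a" else "ask"

# Constructed sample responses; none is a real header captured from any site.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "valid_ok":  {"P3P": 'CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"'},
    "valid_bad": {"P3P": 'CP="NOI DSP COR CURa ADMa TAIa UNRo BUS"'},
    "free_text": {"P3P": 'CP="This is not a P3P policy, see our help page"'},
    "no_cp":     {"P3P": 'policyref="/w3c/p3p.xml"'},
}

def evaluate_all(mode):
    """Decision for every sample under the given browser behaviour."""
    return {name: decide(h, mode) for name, h in SAMPLES.items()}
```

Compare `evaluate_all("1a")` with `evaluate_all("1b")`: only the two malformed samples change, from "allow" to "ask".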

Honestly, I don’t have sufficient information to decide whom to really blame in the end. It looks as if IE could be stricter regarding the way it deals with P3P policies. However, that might be inconvenient to some users (the privacy-agnostic ones). But with a simple option to deactivate P3P “monitoring”, this could be avoided. So some users might opt for giving away their privacy while others might opt for more control.

And that would again be about letting the user decide. And, as stated above: If the user opts for privacy, any active bypassing of this is illegitimate at best and potentially illegal.


Google’s Privacy Policy – the market will decide

08.03.2012 by Martin Kuppinger

There has been a lot of noise around Google changing its privacy policies. My esteemed colleague Dave Kearns said that they just consolidated them. I’ll stay with “changed”, due to the effect of this: Google now can do much more with the user’s data – if the user logs into any Google service. So my point is that discussing whether they changed or consolidated the policies is splitting hairs. In fact they have changed the way they deal with privacy.

Google claims to have done this because their customers want it. I doubt that. Customers want Single Sign-On. But does anybody really believe that customers want Google to have a complete profile of virtually everything they are doing on the Internet? And does anybody really believe that customers are seeking perfectly targeted advertising? [the choice isn’t “ads or no ads” but “targeted or non-targeted” and I believe people prefer targeted] The same customers that are zapping the TV channels during adverts? Or does anyone really believe a customer wants to “sign on” to his search engine?

So that appears to be just a very lame excuse for something Google believes is the business model of the future. I have the strong belief that this is the business model of the past. Ten years from now, the really successful businesses will be the ones who build a model on providing value to the customer while ensuring their privacy.

Does this affect the customer? It depends. There is always a choice. My choice has been to finally delete Google from the list of my search providers in Internet Explorer. Given that I never have been really active in Google groups and other Google applications, I only relied on Google search. Now I’ve changed to Bing as the standard search provider and finally deleted all my Google accounts (which, by the way, is much easier and more intuitive than deleting a Facebook account).

From an analyst perspective, it will be interesting to see the mid-term effect that Google’s policy changes will have on the market. How will this affect the market shares in the search engine market? What about other markets Google is playing in? It will be also interesting to observe whether and how others like Microsoft can finance their investments into, for example, Bing without tapping into the privacy-violation-trap. And it will be interesting to observe to which degree (and in which regions) the customers will opt for privacy and vote with their feet.

By the way: Forget about deleting your Google history. You can delete the accounts and the associated data, but not what Google has collected in the past. It’s too late for that.

Regarding what Google is doing and what it means I recommend reading Kim Cameron’s recent post:

http://www.identityblog.com/?p=1204

Kim really brings it to the point – and the US Attorneys General do as well. You really should read that post.

Also: The Data Privacy Council of the European Parliament, consisting of Privacy Officers of member countries, has declared Google’s new privacy rules not compliant with the European privacy laws. They recommended in a letter to Larry Page not to apply these policies until this issue is finally clarified. Google rejected this. That might form the foundation for Google becoming the first prominent case under the new EU privacy laws, which, probably starting in 2014, allow fines of up to 5% of annual revenue. That might even make Larry Page rethink the Google position.

When looking at the loud calls for new, draconian political policies, my view is simple: If there are alternatives, the ones opting for privacy can use them. However, if the will of the user is then ignored and settings are bypassed, I’m a friend of draconian penalties. So it might and should be allowed to sell services and pay with your privacy – but this model has to depend on user consent, there have to be options for deleting that data and thus changing one’s mind, and doing it without this consent is just unacceptable. Interestingly, new approaches to Personal Life Management like www.personal.com also allow the use of private data and rely on it – but there is user consent and control. They might not be perfect yet and the business model still has to prove that it works. But it’s obvious that it isn’t mandatory to give up privacy (at least not beyond a specific point, sort of the Rubicon Google has now crossed) to gain the advantages of the “modern Internet” (e.g. the services users might want to have).


© 2014 Martin Kuppinger, KuppingerCole