28.10.2011 by Martin Kuppinger
Some days ago I received a new HTC Pro Windows Phone, now running Windows Phone 7.5, the “Mango” release. Overall, I really like that phone. It is smart and very easy to configure. I never had a phone which was up and running with access to all mail accounts, calendar, and tasks so quickly. It works pretty seamlessly with Office 365. OK, having Skype on the phone would be great, in particular given that Microsoft owns Skype.
So far, so good. But then you start this phone and are asked for the PIN. But if you just cancel the PIN entry, you have full access to everything on that phone. In the out-of-the-box configuration, not even a password is required. You have to opt for this and change the settings so that the phone requires a password.
I know that there is a balance between usability and security. However, I’d like to have more options for security, and I’d like to at least be prompted for decisions about security when setting up the phone. And there are options that could be built into these phones for more security. Biometrics like fingerprints wouldn’t be that difficult to add. Secure stores for sensitive information (sort of a TPM++) should be feasible.
But currently it is still about usability first and then – nothing for a very long period of time. Only minimal security. It still looks like security and mobile phones are totally different worlds, living in parallel universes. The bad thing: you might find some software tools (“apps”) to increase security. But hardware security could be built in at reasonable cost; much more could be done. Yet vendors are still ignoring mobile security. And while mandatory security might be inconvenient for many users, optional security (which is still easy to use) might be of value to many of them.
27.10.2011 by Martin Kuppinger
In a recent briefing with CrossIdeas, the MBO (management buy-out) of the former Engiweb, an Italian software manufacturer in the area of Access Governance and Dynamic Authorization Management, they demonstrated an interesting feature: doing recertifications based on relevance. Recertification of access rights is a key element of regulatory compliance. It is usually done on a pretty standardized schedule; once or twice a year is the typical approach. For some specific systems or groups of users, we frequently see shorter intervals, i.e. some risk-oriented approach is not uncommon. However, cynics might say that the main purpose still is to make the auditors happy.
CrossIdeas has now implemented an approach they name “relevance”. Based on several criteria, like the number of SoD (Segregation of Duties) violations, the system identifies the most relevant users for recertification. Currently it supports six different parameters. The weight of these parameters can easily be changed using sliders. The least relevant users can then be removed – again using a slider – from the result set (a relevance map), leaving only the relevant ones. Recertification can then focus specifically on them.
This feature isn’t a full replacement for standard, regular recertification campaigns (which CrossIdeas IDEAS – the name of their product – supports as well). Relevance is, from my perspective, a nice concept which brings value to customers because they can easily run focused recertification campaigns for the most relevant users in addition to standard recertification. That not only makes the auditor happy but helps in better mitigating access risks. Not that standard recertification doesn’t help – but there is room for improvement, and CrossIdeas has demonstrated an approach to do that which will be available in the new release due later this year.
19.10.2011 by Martin Kuppinger
Yesterday, news about a new trojan spread. The trojan is called Duqu or, correctly, W32.Duqu. It appears to be based on Stuxnet code and thus targets industrial automation equipment. However, unlike Stuxnet, the new trojan doesn’t aim to sabotage industrial control systems but steals data. So it is most likely just the precursor to the next Stuxnet-like attack. Duqu was, from what we know, targeted against selected organizations, mainly in the area of software development for industrial automation. It does some espionage there, collecting information which might then be used in the next attack wave. It appears that Duqu deletes itself after 36 days.
Interestingly, Stuxnet used digital certificates which had been “stolen” before. Duqu used other digital certificates which seem to have been generated directly in the name of other companies, bypassing the security of CAs. That fits well with current attacks on CAs, with DigiNotar being the most prominent victim (and now out of business), and other indicators.
The server in India which Duqu used to send information back to its creators is now blacklisted by its ISP and thus no longer works. However, chances are that there are more instances of Duqu and Duqu-like trojans either out there or on their way.
Duqu proves two assumptions:
- Industrial automation increasingly becomes a target of attackers – and Stuxnet was only the first of its type (which has been detected)
- Attacks are increasingly sophisticated – APTs aren’t a fairytale, they are real
The consequence is that not only business IT environments need adequate protection but industrial environments as well – they might even need better protection. And if feasible, technical isolation of these networks is a pretty good idea. No net, no (online) attack. Besides this, there is no reason to assume that you are safe against attacks, whichever precautions you take. Thus it is about being proactive at every stage – preventing attacks, identifying attacks, dealing with attacks.
Some valuable information around that has been provided in a recent KuppingerCole webinar – have a look at the webcast.
09.10.2011 by Martin Kuppinger
Last week, IBM announced the acquisition of Q1 Labs. The same day, McAfee announced its plans to buy NitroSecurity. Not that long ago, HP bought ArcSight. Obviously, SIEM vendors seem to be very attractive to the large players in IT. SIEM, the acronym for Security Information and Event Management, consists of two disciplines. One is about managing the security information from different sources, the other is about real-time analysis of that information to identify events.
Given the increasing security threats (no, these aren’t just challenges anymore), having approaches in place which help in identifying security issues in time is essential. Relevant data is found in a large number of sources. Collecting, aggregating, correlating, and analyzing that data is supported by SIEM tools. However, with incredible masses of data, two issues become evident:
- SIEM requires strong knowledge about security to be able to understand security information from different systems and their relationships.
- The art of SIEM is to identify – at best – exactly the critical situations which need to be handled. Not more, not less.
Given that real IT security experts are a rare species (at least compared to the demand), it isn’t easy to address the first point. Working with MSSPs (Managed Security Service Providers) might be one option. However, IT security has to play a much more prominent role in education, even though that will close the gap between supply and demand only slowly, if at all.
The other point is that SIEM is not mainly about tools. SIEM tools are only as good as the way they are used. If you end up with too many events you have to analyze manually, you haven’t won anything. If you end up with a situation in which some critical events aren’t detected, you have lost. Configuring SIEM tools optimally is an endeavour which takes its time and requires a lot of up-front thinking. It is about identifying the controls you should have in place, about understanding your security risks and the potential attacks, and about understanding the relationship between the different steps of more elaborate attacks like APTs (Advanced Persistent Threats).
So, as popular as SIEM might be: SIEM tools are nothing else than tools until someone configures them right. So moving towards SIEM is not mainly about buying a tool, but about the controls, the configuration, and the use of these tools. So don’t feel safe once you’ve bought a SIEM tool – feel a little safer once you’ve done your work around that tool. But never feel safe!
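An added example (not from the original post, nor from any SIEM vendor mentioned) of the "not more, not less" point: a tiny correlation engine over constructed log events, where a single-event rule hands the analyst every failed login, while a rule that chains the steps of an attack (repeated failures, then a success from the same source, then a privilege change for that user) raises one focused alert. The event format, the threshold of three failures and the ten-minute window are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (time_s, event_type, source_ip, user)
EVENTS = [
    (0, "login_failed", "10.0.0.5", "alice"),
    (5, "login_failed", "10.0.0.5", "alice"),
    (10, "login_failed", "10.0.0.5", "alice"),
    (15, "login_failed", "10.0.0.5", "alice"),
    (20, "login_success", "10.0.0.5", "alice"),
    (60, "privilege_change", "10.0.0.5", "alice"),   # full chain: alert-worthy
    (100, "login_failed", "10.0.0.9", "bob"),
    (110, "login_success", "10.0.0.9", "bob"),       # one typo, then success: benign
    (200, "login_failed", "192.168.1.2", "carol"),
    (205, "login_failed", "192.168.1.2", "carol"),
    (210, "login_failed", "192.168.1.2", "carol"),
    (220, "login_success", "192.168.1.2", "carol"),  # success, but no escalation
    (300, "login_failed", "172.16.0.7", "eve"),
    (305, "login_failed", "172.16.0.7", "eve"),
    (310, "login_failed", "172.16.0.7", "eve"),
    (5000, "login_success", "172.16.0.7", "eve"),    # success far outside the window
]

def naive_rule(events):
    """Alert on every single failed login: each event becomes manual work."""
    return [e for e in events if e[1] == "login_failed"]

def correlated_rule(events, fail_threshold=3, window=600):
    """Raise one alert per source only when the whole chain is seen within
    `window` seconds: at least `fail_threshold` failures, then a success from
    the same source, then a privilege change for the user who logged in."""
    by_src = defaultdict(list)
    for ev in sorted(events):           # sort by timestamp, group by source
        by_src[ev[2]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "login_failed"]
        for t, kind, _, user in evs:
            if kind != "login_success":
                continue
            recent = [f for f in fails if 0 <= t - f[0] <= window]
            if len(recent) < fail_threshold:
                continue
            esc = [e for e in evs if e[1] == "privilege_change"
                   and e[3] == user and 0 <= e[0] - t <= window]
            if esc:
                alerts.append({"source": src, "user": user,
                               "failures": len(recent), "escalated_at": esc[0][0]})
                break                   # one alert per source is enough for the analyst
    return alerts
```

On the sample data the naive rule produces 11 alerts, the correlated rule exactly one (for 10.0.0.5); whether carol's three failures should also be escalated is precisely the kind of tuning decision the post says must be made up front.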
09.10.2011 by Martin Kuppinger
This weekend, the German CCC (Chaos Computer Club), an institution which is probably best described as the “white hat” association in Germany and which has long been prominent for identifying security issues, informed the public about severe issues with the so-called “Bundestrojaner”, a trojan used by the German BKA (sort of the counterpart to the FBI) in some cases to hack the computers of suspects and to collect internet telephony data.
Two severe issues have been identified. The first one is that the trojan is able to do a lot of things which are simply illegal. The German Federal Constitutional Court has set rules for the German state regarding what is allowed and what is not. In fact, only tapping of voice communication is allowed, and even that only within tightly defined boundaries. However, the trojan can capture keyboard data, take over control of the webcam, and do some other things. Interestingly, these things have been explicitly forbidden by the Court.
The other issue is simply that the Bundestrojaner is inherently insecure. It doesn’t authenticate its communication and thus can be easily hijacked. So, a suspect could hijack the Bundestrojaner which has been placed on his system, for example. According to current news, some communication of the Bundestrojaner even uses servers based in the US.
I won’t judge the necessity of things like a Bundestrojaner, but I think the direction given by the German Federal Constitutional Court is reasonable. However, if Germany introduces such tools, they at least should do it right – with respect to the limits defined by the court and with respect to security.
By the way: this evening, the ministry of the interior (“Innenministerium”) denied the use of the trojan that had been analyzed and criticized by the CCC. Notably, they denied the use (not the existence). Let’s see what happens next. Overall, the concern I had from the very beginning regarding the “Bundestrojaner” has been reinforced.
06.10.2011 by Martin Kuppinger
Some two weeks ago I was at the EMC EMEA Analyst Summit in France. In one of the sessions, Chuck Hollis, VP Global Marketing CTO of EMC Corporation (what a title, isn’t it?), made a very good comment when one of the presenters talked about the needs for
- agility and speed
- service level fulfillment and improvement
- cost optimization
of IT when providing services. He pointed out that IT typically looks at this in the order cost – service level – agility, while business looks at agility – service level – cost. I really like that.
You might argue that business is always talking about IT being too expensive. Yes, they do. But there are reasons for that. One reason is that business still frequently doesn’t really have an answer to the “what’s in it for me?” question. If business doesn’t see a value (and supporting the need for agility, i.e. enabling business to become better, is sort of the big theme behind the business value), it looks at costs. No surprise at all. However, if IT provides what business really wants, then the discussion is much less about cost.
In other words: IT has to understand what business really needs. Look at the business services they want, at the business value, and at how IT supports agility and speed. Ensure the service levels. And then try to do it at optimized cost.
Honestly: that isn’t a groundbreaking insight. Many of us have been talking about this for years. But do we act accordingly? Not always. Always keeping in mind that the order should rather be agility – service level – cost than the other way round might help us to become better at Business/IT alignment.