Tom Olzak

Archive for the ‘Application Security’ Category

They have the tools, just not the will…

In Application Security, Computers and Internet, Content Filtering, Cyber-warfare, Cybercrime, Data Security, Detection Controls on July 10, 2015 at 12:44

As the number of government records stolen increases, we continue asking why so much data was stolen over the past year without detection.  The answer seems to lie in an article by Michael Cooney.  It seems the U.S. government has a detection tool called EINSTEIN, but it is only partially implemented across scattered government networks.

One of the weaknesses in the EINSTEIN implementation is the lack of any behavior analysis.  For the most part, the government is only using signature-based detection.  This is a huge controls vulnerability.

What will it take for our bureaucratic quagmire of a government to implement the right controls.  Yes, all organizations are viable targets for attack.  However, detecting the attacks (e.g., anomalous network/system behavior, unexpected movement of data, etc.) is paramount to a good defense.  Looks like much of the U.S. government either doesn’t get it or doesn’t care.

Another Encryption Perspective

In Access Controls, Application Security, Cyber-warfare, Cybercrime, Data Security on July 9, 2015 at 14:36

Hacking Team solutions aren’t the only ways government has to access encrypted information.  Most large government agencies have their own tools that perform the same tasks: capturing encrypted data when it’s not encrypted.  All data must be decrypted to be used or processes.  That is when it is most vulnerable.  So why the debate?  Ii discuss this in a blog entry posted today.

Shadow IT: Treat the cause, not the symptom

In Application Security, Business Continuity, Cloud Computing, Critical Infrastructure on July 8, 2015 at 04:00

I just posted an article at about the business risks associated with shadow IT.  Many organizations see shadow IT as a disease to be cured.  However, as I write in my post, shadow IT is a symptom of a deeper issue.  It is this issue, related to IT remaining stuck in the past, that must be addressed.

Is Encryption a Right?

In Access Controls, Application Security, Encryption, Government on July 8, 2015 at 04:00

With governments beginning to make noise again about weakening encryption, several security professionals have come out against any moves to do this.  But does government have the right to take away our right to privacy?

Absolute privacy can be a national security issue.  But so is weakening business and critical infrastructure security in the name of protecting society.  The question I’ve been asking myself is whether strong encryption is a right: a right no government has the “right” to take from us.

In the U.S., our government has repeatedly resisted demands to limit the strength of encryption via things like backdoors and weak algorithms.  In the 1990’s, when these issues were dealt with, many believed the “crypto wars” were over.

“But they may not have realized that we would be on the brink of a similar battle over the right to use strong encryption some 15 years later. That’s why the key takeaway from the conflict is that weakening or undermining encryption is bad for the U.S. economy, Internet security, and civil liberties—and we’d be far better off if we remembered why the Crypto Wars turned out they way they did, rather than repeating the mistakes of the past” (Danielle Kehl, 2015).

It’s time to resolve this.  Congress and the People need to decide whether absolute privacy is a right in view of the internal and external threats we face as individuals, as organizations, and as a nation.  When deciding, we should keep in mind the following:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (4th Amendment of the U.S. Constitution).

Whatever we decide, a balance must be struck between security and our right to manage our lives as we see fit without interference by government.  The only exception is when living as we choose causes harm to others.

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was setting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

 “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.

%d bloggers like this: