Securitrons and the Thunk Test

Best Practices, Management, Security Policy, Standards 1 Response »
Jan 212010

An increasing amount of security work these days is very academic and theoretical, rather than hands-on.  The development of risk management (a.k.a. “covering your ass”) as a serious factor driving security awareness over the past ten years has led to a massive amount of paper-generation and abstraction, going hand-in-hand with ever-more-complex attempts to needlessly quantify security realities.

Partially this stems from the desire to apply financial metrics to risk and security, partially from the need of managers lacking a strong technical background or the ability to acquire this to have easy-to-understand, purely numerical descriptions and graphs of where their money is going.

One of my colleagues recently came up with the concept of an abstract measure of security investment (time, effort, grief, etc.) — the securitron.  As in (hold hands zombie-like out front and repeat in a robot manager voice), “we’re going to need more securitrons!  Throw two hundred additional securitrons at this project!”

For some reason, this came up again during a meeting to discuss increased efficiency of risk management paperwork.  The upshot of this meeting, as with pretty much any business meeting consisting of over three people (and not taking place by the coffee machines, where most productive work gets done), was (a) use your own damn judgment, that’ s what you’re paid for, these are only suggestions, (b) if you still have questions, ask your colleagues, that’s why we sit together, and (c) when will this damn meeting end?

However, an interesting point did arise — the idea that security, risk management, and compliance work tends to end up with reams of paper that may or may not ever be read.  This was the case with all medical regulatory and compliance work I’ve ever done, as well as with pretty much every experience I’ve had in financial services since 2000.

The conclusion?  My personal view is that documentation and paperwork does not make much sense unless it’s in an easily accessible format (e.g. a well-organized database schema accessible by very flexible views to whomever wants to use and evaluate the data.)

Another very important point that my colleague raised, though, was the concept of the “thunk test” — i.e. if a security policy is dropped on a desk and makes a “thunk”, it’s too big to be of any use.  Nothing that heavy can possibly have the elegance and simplicity to be easily enough understood for practical everyday application.  At the risk of advocating the development of tired business doublespeak, I could see a use for a plainly worded non-mealy-mouthed type of goals and rules statement (“don’t leave passwords lying around.  Never talk to strangers.  Don’t pet strange dogs”) for security organizations that actually fits on a single piece of A4 paper (or at least in a document that makes no more than a soft whisper as it’s dropped.)

Now, we are working on finding a good name for a measure of the quantitative relationship between securitrons and reams of paper.

Posted by john at 10:54 am

Modularizing Security Functionalities

Architecture & Design, Best Practices, Development, Standards No Responses »
Mar 272009

Okay, I made up “modularizing”, but I think it nicely fits the idea of this article.

I am a huge fan of the concept of abstracting functions — i.e. clearly defining what it is you are trying to accomplish with your various bits of software & hardware, defining clear categories for their functionalities, separating them, either physically or logically, and ensuring that everything communicates via clearly defined, standards-compliant interfaces and APIs.

During several early projects of mine, I noticed that the temptation was strong for managers to create all-in-one tools in order to sell the widest package of application functionality conceivable.  This is bad design, if only because different uses and scenarios can have different requirements; addressing these may have unintended network effects on other components of a product, thereby slowing down the whole analysis, development and QA process.

One of my clients has taken the path of a pluggable, modular configuration tool for some of their systems; this is a good model insofar as it allows clear access to different components from a single interface, but the components themselves are not interdependent.

For the purposes of this article, I’d consider using very basic distinguishing criteria like “network / communications device”, “end-user application”, “remote support tool”, whatnot — and in the scope of this article, “security device” and “other.”  I realize that these are fairly theoretical, academic distinctions, but it’s my firm belief that the idea applies in real life. Such a matrix can be multidimensional — criteria could include, on the one hand, what the application is used for, and on the other, how it is deployed or managed, OS type, manufacturer, etc.

For example, one of my projects involved the development of a small network security appliance for a specialized scenario (protecting proprietary devices subject to strong regulatory requirements.)  There was constant pressure from sales & marketing to avoid having multiple physical boxes; the field service types also wanted to prevent having to maintain additional distinct hardware.  This was a good example of when it was right to not listen to our customer and push them to accept the idea of having another little small piece of hardware; integrating the security into pre-existing products would have required a huge amount of adaptation, porting, maintenance, testing and other effort, over multiple architectures, teams, countries, whatnot.

“Security” is a compelling argument for the separation of protective functions from what’s being guarded; there may not be a clear, identifiable exploit that you are addressing, but, using the example of network defense, knowing that your authentication, detection, encryption and filtering tools are autonomous from each other reduces the possibility of single points of failure.  I’m not arguing for an eggshell model of security (crunchy on the outside, squishy on the inside), but it makes things much easier to be able to address an application server’s security requirements without the need to assume that whatever security you implement on an application level is all you will have.

An even more significant reason to keep things separate (physically, via dedicated, standards-compliant hardware, or virtually, via VMs) is cost reduction — support and development are simplified.  Despite the appearance of increased complexity from more components, if you are able to quickly and easily swap out a defective element, or create added functionality whose impact on an unrelated system is controlled through a standardized network interface or code API, you no longer have to worry about breaking things that should be out of scope for whatever it is you’re doing at the moment.

Posted by john at 1:27 pm

SSL / SSH and MTU Problems

Crypto, Network Security, Standards 2 Responses »
Feb 162009

A colleague of mine recently encountered mysterious issues with SSL connections that dropped large numbers of packets, while cleartext pages loaded fine.  After a bit of digging, he found that decreasing his DSL router’s MTU size from 1410 to 1400 seemed to do the trick.

I did some looking around, and found this page from Primus Telecom (Australia) that describes the problem well.

When you access a website or essentially do anything on the Internet, your computer places the information into packets, the size of which is determined by the MTU (Maximum Transmission Unit). On an Ethernet network the default MTU size is 1500 bytes, which is what most routers on the Internet will accept, the problem however occurs when we introduce protocol overheads.

Because there are a number of different protocols your data packets may be encapsulated into, the size of the MTU can increase at different places in the network. If the packet is already close to 1500 bytes when it leaves your ADSL router, it may become larger than 1500 by the time it gets to its destination, which means it will be fragmented, or split up.

Encryption protocols generally can’t handle packet fragmentation, though this is more by design, rather than as a fault, as fragmentation may introduce a point of insecurity, and allow the encryption to be broken or intercepted.

The overhead mentioned consists of datagram encapsulation, for example, and is added by routers along the way.

When using SSL / SSH, the sending machine will set the IP “do not fragment” (DF) header bit to “1″.  Ideally, traffic is sent via the largest size that does not fragment; RFC 1191 describes a technique to use the DF header to discover the PMTU (path MTU, this maximum size.)  Lowering it on first hop after your sending machine will do the trick, though.

Posted by john at 11:17 pm

IT Security of In Vitro Diagnostic Instruments and Software Systems

Best Practices, Development, Healthcare & Medical, Standards No Responses »
Nov 052006

Standard issued by the Clinical Laboratory Standards Institute (CLSI), document ID “Auto-11P”. One of several recent attempts to specify standards for IT security in medical devices. Covers network security, separation of privileges, development best practices, as well as review techniques. Many of its elements are very basic (e.g. explanations of encryption and authentication technology, what is a firewall, etc.) and rely on common sense, but then again the medical and IVD fields are about 10 years behind the technology curve as security is concerned.

The doc is targeted at 3 sensible groups; vendors (i.e. R&D and support staff), end-users and customer IT managers. There is provision made for the idea of protecting against data theft, although the prime issue in this area is data corruption by malware and other attacks. As you are probably aware, the main problem facing medical device manufacturers is the inability to consistently patch systems to respond to newly discovered threats and vulnerabilities; every “change” to the nature of a system requires a complex and expensive re-validation process.

Naturally, the solution to this is “don’t develop purely oriented towards functionality”. In plain English, don’t scrounge around for technology that just happens to be available, such as Windows XP, without proper design criteria and a fundamental evaluation and risk assessment process (what will the long-term cost be due to the fact that we used crappy technology to start out with…) I’m hoping that the suggestions and requirements in this doc will narrow down the solutions chosen for development platforms such as diagnostic data stations to technologies considered secure and reliable by other industries–which have more experience in secure development.

Unfortunately, as it’s a commercial document I can’t post the text here, but it is available at http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=57 and via CD-ROM subscription from CLSI.

From the press release at http://www.clsi.org:
“Newly proposed Clinical and Laboratory Standards Institute (CLSI, formerly NCCLS) document IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard (AUTO11-P) specifies technical and operational requirements, as well as technical implementation procedures related to security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. This document provides a framework for communication of IT security issues between the IVD system vendor and the healthcare organization.”

Posted by john at 5:38 pm
© 2010 Chakraborty Software Suffusion WordPress theme by Sayontan Sinha