
Monthly Archives: June 2008

Cyber Security Conference, Part Two of Six

This is the second content post of my summary of the day’s events at the DGI Cyber Security Conference and Expo.  Click here for the overview post of the conference.

The next speaker was Samuel Chun who is the Director of Cyber Security Practice of the EDS Government Solutions.  Mr. Chun was, in my opinion, one of the best speakers at the conference.  His speech had information that was interesting to me, and he didn’t put the crowd to sleep.  He talked a little bit about EDS as a company.  EDS, in his words, is truly a global company.  They do work with governments in all the habitable continents in the world.  This is pretty cool and very different than a lot of government defense contractors here in the U.S. that only do work with domestic clients.

Mr. Chun detailed the top five security challenges that EDS has been seeing as of late in global government.  Before talking about the security challenges, he cleared up a few things, including definitions.  There are many definitions for the term cyberspace.  The one that was used for this presentation is “A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify and exchange data via networked systems and associated physical infrastructures.”  He also spoke of the fact that the increase of globalization will lead to new threats and opportunities to public and private sectors in cyberspace.

The first challenge is Perimeter Diffusion.  In the past few years, we have seen an explosion of remote users and devices tapping into networks from outside the physical network.  Devices like VPN’ed laptops, Blackberries, iPhones, Smartphones and other such technologies are constantly expanding the footprints of organizations.  Mobile electronic devices require an additional span of control, especially since high-speed wireless broadband access is now widespread.  The existing definitions of network perimeters have become useless and obsolete, and companies are having a difficult time catching up.  Unfortunately, there also seems to be a lowered expectation that these expanding networks be physically and virtually secure.  The bottom line is that the more a company expands its network, the more opportunity there is for attack and exploit.  Obviously encryption is incredibly important in this section.  New encryption techniques are hardware and software based, and innovative hybrid techniques combine the two.  Elliptic Curve Cryptography for asymmetric key exchanges will become the standard in the coming years due to the reliability and superiority of this new kind of crypto.

The second security trend is that of Cross Domain Collaboration.  The internet has made many jobs easier, including collaboration over long distances.  Even though it may seem as though working with coalitions and allies is a long-established tool, there seems to be an ever increasing trend to exploit the same tool with the internet in parallel.  Currently, the sharing of information between two different entities is difficult, even with advances in interoperability and related technologies.  What scares a great deal of companies is that information may be passed into the wrong hands.  This fear prohibits true, streamlined synergy and reduces confidence in using technology that can be used for good.  Many EDS clients have an incredible need for flexible, peer to peer organizations and groups.  This need can even allow competitors to turn into temporary allies.  Although competitors turned allies seems like an uncomfortable proposition, it allows customers trusted, cross-domain information exchange.

Thirdly, Mr. Chun highlighted the challenge of Assurance of Identity.  The need for better identity management by governments mitigates issues in the following sectors: terrorism, coalitions and federations, immigration and lastly, fraud and abuse.  In the civilian and corporate worlds, programs are in place that focus on design and issuance.  In a smaller circle of organizations and corporations, they are taking these programs one step further to set up logical access and federation.  Instead of IT staff having to set up a new user account when a new contractor comes on the job site, the worker can present a card which details key information.  Permissions can be automatically set based on your relationship with organizations, companies and people.  This cross-domain capability and flexibility is being looked at closely by tech vendors to key in on identity and access management.  Mr. Chun summarizes this section by saying that the “assurance of identity (authentication, authorization and non-repudiation) is a fundamental [and lasting] requirement for cybersecurity.”  A program called Federal Identity Management (FIM) has the potential to be a major enabling technology for domestic and global collaborations.  Most major tech security vendor companies are working on FIM solutions.  Essentially, a federal identity can be used across multiple autonomous domains.  Entitlements and access are based on identity attributes rather than intra-domain roles.  This approach allows for the accommodation of orthogonal roles.  Another great thing about this system is that it allows for multiple formats of authentication like Kerberos, X.509 and AD to be used interchangeably.  A technology called SAML (versions 1.0 and 2.0) is becoming the de facto standard for cross-domain authentication and access.  Big companies like Microsoft have built SAML into some of their products, but no current product has taken complete advantage of the flexible technology.

In looking at the fourth security trend of Perimeter Security vs. Core Security, we refer back to the first cyber security challenge in this presentation.  Since we are seeing a trend of the ballooning of networks due to mobile devices, it is only natural to question our age-old practices of network defense.  Instead of having a strong network perimeter by having the latest in firewall technology and packet scanning technology, you can take actions within the network to minimize risk.  We can do this by placing emphasis on “inappropriate propagation and derivation, differentiating between admission and access, securing applications and services in addition to infrastructure.”  Drawing a parallel between what Mr. Chun is saying and what Mr. Gibbons said in the first presentation is easy.  They each stress individual application security and other core security capabilities rather than firewalls.  Tools for strengthening app security are easy to find and implement.  Black Box testing is now the standard for testing software.  The White Box Testing of yesteryear is still mandatory, but now involves manual code reviews and embedding applications security code.

The final problem is Consolidation.  In government IT (as well as corporate), members of the industry see a thirst for the consolidation of networks.  The consolidation saves all kinds of things: money, the environment, computing resources (among other things), and it has easy-to-demonstrate citizen value.  Like I reported above, the fewer connections that you have, the fewer things you have to secure.  (To see the Trusted Internet Connection government initiative, check out part six of this series.)  Virtualization is the most effective and frequently used technical approach to consolidation.  A major problem with virtualization is that when you consolidate servers (hardware and software), you are also consolidating identities.  Even this has cybersecurity implications.  We must balance the consolidation of servers and identity with availability and resiliency.  This is especially true when keeping critical infrastructure apart from non-critical infrastructure.  Another weird thing about individualization is that you must have the governance processes as the technology itself is extremely expensive, but it is very easy to implement.

Please give your comments on this fantastic presentation.  I hope it was as interesting to read the summary as it was for me to actually view the presentation.

 
Posted on June 30, 2008 in General, Security

The Need For A Better Windows OS

I’ll admit it.  I spend a long time on the Internet each day reading about the latest gadgets and technology trends.  Some could argue that I’ve spent too much time doing this, but in the field I plan to enter very shortly, I feel it is necessary.  One of the more interesting things that I’ve been keeping track of over the past few weeks is the development of new Operating Systems.  It was announced a few months ago that the new version of Windows (Windows 7) will debut a new kernel called WinMin– a completely rebuilt core operating system.  Shortly thereafter, my hopes were dashed as it was announced that Windows 7 will instead be built off of the existing Windows Vista architecture.  Such a rework would have been wonderful for performance, and a simple restructuring is always good for behemoth software applications.

What was most disappointing about Vista was that Microsoft had a solid 6 or 7 years to release a truly stunning product.  The end result was that we didn’t get anything worth writing home about.  Sure, there are a few more security features, and it looks a little better than XP, but it offers little in the way of an actual performance increase.  I can still remember the angry customers at the major consumer electronics retail store that I worked at after the release of Vista.  They wanted to return the OS after installing it because they found out that their computer was too slow to run the new OS.  In my six months of employment there, I had never seen so much disdain for any one product by customers.  One of my coworkers would point people in the direction of the Apple Center of our store when people asked where they could find Windows Vista.  Although it was purely a geeky joke, there was some truth in it.  Customers would probably save money in the long run if they bought a Mac.  The headaches that some people had due to Vista were enough to allow Apple to enjoy a greater marketshare.

Since we’re on the topic of Apple products, I would like to mention a new Apple initiative that will prevent OS X from suffering the same fate as Vista.  Leopard OS X is a great Operating System and represents a decently sized change from the version prior to it (Tiger).  For the next version of OS X (Snow Leopard), Apple is taking an incredible initiative to improve their OS.  Instead of focusing on new features and gimmicky crap, they are reworking the core of the OS.  Developers have gone through and optimized the size and performance of popular applications (article here).  Additionally, developers are making the OS truly x64 bit to take advantage of Intel processors.  Up until now, computers don’t really take advantage of having multiple cored processors.  Since it is not uncommon to have quad core or even an oct core, there is a big need to harness all the power.  Apple is introducing Parallel Programming into the core of Snow Leopard so all applications can take advantage of the technology.  Additionally, computers with dedicated GPU can use the idle processing power of the graphics chip to assist the CPU.

It is refreshing to see a company spend time in improving upon an existing platform that will benefit both customers and the company in the long run.  If Microsoft spent a few CPU or product cycles on this effort, customers would definitely take notice.  People would remember why Microsoft was able to secure its giant stranglehold on the IT industry, and not be angry about it.

So please Microsoft, make people happy.  You will be doing yourself a favor in the long run.  Don’t let the fact that reworking an OS can sometimes lead to massive failure deter you.  Take a chance, make the next Windows OS something you can be proud of.  Make the next OS something I can be proud of, rather than me having to explain, for the one thousandth time, why PCs are better than Macs.  Leave your suggestions on how Vista and the next Windows OS can be improved.  I would very much like to hear what you have to say.

 
Posted on June 29, 2008 in Emerging Technology, General, Security

Cyber Security Conference, Part One of Six

This is the first content post of my summary of the day’s events at the DGI Cyber Security Conference and Expo.  Click here for the overview post of the conference.

The doors opened at 7:30 for conference attendees.  I walked in, checked in and got a very official name badge with my name and organization affiliation (Penn State University) and also a program.  I found a seat close to the front and grabbed a quick breakfast provided by DGI.  I had some time to kill, so I talked to a few people about what they do and why they were attending the conference.  The IRS had a huge contingent that all sat around me; I think they all were security/system architects.  After more waiting, the first session got underway.

The keynote speech was given by J. Michael Gibbons who is the Principal for Security and Privacy Services for Deloitte Consulting.  Prior to that position, he served as the Chief of Computer Crime Investigations for the FBI.  Most of his speech’s content was filled with experience from his FBI days.  The name of his session was “Cyber Security: Using A Historical Perspective To Provide Insight on Current Threats.”  Mr. Gibbons went over the major types of computer attacks.  He detailed that hostile code has been the norm for computer security breaches for a long time now, and the only thing that has changed is the delivery method.

He reports that email attachments are still the main (and easiest) vector to deliver such an attack.  With 3/4 of all email being spam messages, it is still commonplace for people to click emails that are from people that they don’t trust.  Although spam filtering technologies have made massive progress in the last few years, it is still not enough to protect users completely.

A term that I had never heard of was mentioned by Mr. Gibbons during the portion of his speech on phishing.  The term “spearphishing” is a phishing attack directed at a specific person that is usually a high-level member of an organization.  Between November of 2004 and November of 2005, we saw an incredible increase of phishing attacks.  This even caused the FBI to take notice of this new threat.  Instead of hackers stealing your identity, the victims are actually handing it over willingly.

Mr. Gibbons also discussed keylogging in very general terms, and more specifically its impact on online banking.  Keylogging can be accomplished through both hardware and software, and both methods are highly lucrative.  For the hardware keyloggers, a device is placed between the keyboard and the computer (which often looks like a USB cord extender) and logs keystrokes in its own memory.  Software keylogging is where a program is run silently in the background of your computer and keeps track of what you type and where you type it.  Sophisticated keyloggers send out the information over the net to the originators of the attack.  Obviously, the impact on online banking is that intruders can steal your account information and either steal your money in the account or sell the information to the highest bidder.

The next attack that was shared was a complex trojan infection.  In this attack, you merely have to visit a compromised website in order to be a victim.  Hostile code hides in the iframe of the webpage and silently infects your system.  Unfortunately, these attacks are becoming more and more common.  The good news is that there are steps that can be taken to minimize this risk and many others.

Perhaps the best point of the speech was the fact that security must start with the developer.  Automated tools are now widely available to test software for security vulnerabilities.  These tools have been developed to find a whole horde of exploits such as SQL Injections, Buffer Overflows, Javascript Execution, Active X Attacks, Cross Site Scripting, Content Spoofing, Authentication Theft, Brute Force Attacks, DDoS, Direct Indexing Attacks and Session Expiration Attacks.  The use of these tools is imperative, especially in today’s online environment because so many applications are now accessible online, rather than locally.  The more connections you have with other computers, the more susceptible you are to attack.  Secure coding for software development is the silver bullet for preventing many of these attacks.

Another excellent point is that security professionals must emulate the hacker community.  Hackers employ techniques such as real-time data exchange, trusted channels of communications, anonymous workgroups, file and vulnerability exchange, portable code, reusable code and quid pro quo to extend their devastating efforts upon the world.  Even after years of attempting to study the hacker community and their incredible workflow and sharing methods, security professionals are not able to duplicate the process for themselves.

The fact is that zero-day attacks are what hurts the IT industry the most.  We need, more than anything else, real-time intelligence on these problems.  The problem is that intelligence is difficult, and sometimes impossible to come by.  In light of this fact, Mr. Gibbons reflected that user education and training is the most valuable tool of protection and prevention- much more than any type of software or hardware.

The next speech was shared by Dr. George Datesman who is a Senior Manager over at Noblis and Rich Kellet who is an IT Security Officer with the General Services Administration.  Their topic dealt with how to identify, develop and retain IT security candidates and contractors.

Mr. Rich Kellet talked about what NIST 800-53 really means.  NIST 800-53 is a document put out by the National Institute of Standards and Technology that explains how to set up government IT systems in terms of security.  According to Mr. Kellet, a former attorney, 800-53 specifically focuses on management, operations and technology of a secure IT setup.  800-53 means an even greater cost for contracting.  Other notable NIST documents are 800-18 (plans for developing security plans) and 800-37.

Dr. George Datesman spoke on how there is a moving shift in federal IT security rules across the board.  First, the identification of IT security jobs is crucial to consolidate infrastructure and organization.  Requirements set forth by FISMA and OMB A-130 identify generally accepted practices and standards.  The problem is that there are many other government regulatory documents that deal with the same thing.  Dr. Datesman expressed the need for a central, highest common denominator document that takes care of the relationship between IT, security and government.

Check back to this blog for more coverage on the 2008 DGI Cyber Conference and Expo.  There are at least six more exciting articles coming.

 
Posted on June 28, 2008 in General, Security

DGI Cyber Security Expo & Conference

On Wednesday June 25, 2008 I attended the Digital Government Institute’s (DGI) Cyber Security Conference & Expo.  The event was held in the Polaris Room of the Ronald Reagan Conference Center and World Trade Center building in Washington D.C.  The day was packed solid from 7:30 am to 3:30 pm and featured eight different speakers talking about a variety of cyber security topics.  Additionally, there was a networking session during the continental breakfast and the lunch breaks.  Also in attendance were vendors from industry like Cisco, Deloitte, EDS, (ISC)2 and Unisys.  For the posts following this introductory one, I will detail sections of the conference.  As I fill out my notes for each speaker with some resources I am still waiting on from DGI, I will post a new section.  Check back here for updates on the conference.

To hold you over until I update the blog, here is the list of topics, speakers and their respective titles:

  1. Keynote: Cyber Security: Using a Historical Perspective to Provide Insight on Current Threats
    • J. Michael Gibbons, Principal, Security & Privacy Services, Deloitte, and former Chief of Computer Crime Investigations, FBI
  2. Sifting Through Credentials: How to Identify, Develop and Retain IT Security Candidates and Contractors
    • George Datesman, Ph.D., Senior Manager, Noblis
    • Rich Kellet, ISSM / IT Security Officer, USA.gov Technologies, Office of Citizen Services and Communications, GSA
  3. “No Man Is an Island…” A Global Government View of the Top 5 Cyber Security Trends
    • Samuel Chun, CISSP, Director, Cyber Security Practice, EDS US Government Solutions
  4. A Proactive Approach: A Road Map to Cyber Security
    • Rick Mellendick, Senior Architect, Cyber Operations Lead, Bearing Point
  5. Five Security Issues Likely to Emerge in 2008
    • Phil Myers, Director, Enterprise Security Group, Deloitte
  6. All Roads Lead to Rome: How Cyber Terrorists are Exploiting Key Gaps
    • Tom Kellermann, VP of Security Awareness, Core Security
  7. Trusted Internet Connections and IT Security
    • Michael Smith, Program Manager, ISS LOB, Dept. of Homeland Security, National Cyber Security Division
  8. Preparing for Risks Today and Tomorrow
    • James Bennison, Senior Information Assurance Architect, Northrop Grumman Information Technology
 
Posted on June 26, 2008 in General, Security

In Order To Prepare You…

…I’ve decided to let you know what’s coming down the pipeline for Digital Frontier.  Today, I attended the Digital Government Institute’s Cyber Security Conference and Expo.  The event was held in Washington D.C. in the Ronald Reagan Convention Center.  As some of you may know, I will be getting four, apparently very wise teeth pulled tomorrow at noon.  I plan to allocate my recovery time to two things.  First, and most important to readers, is a summary of the speakers of the Conference I attended.  All eight speakers had terrific (and very scary) things to say.  Second, and most important to me, I will spend it actually recovering by sleeping as much as possible.  Apparently I am not allowed to eat real, solid food for seven whole days.  Clearly I was heartbroken to find this out, especially since Jello isn’t exactly my cup of tea.  So please, enjoy solid foods over the next seven days for the both of us.  I would greatly appreciate it.  Additionally, please do me the favor of checking out this site for new posts about the conference and a few other articles I have lined up to write about.  Thank you for your continued interest in the seemingly random things I write about.  It makes me feel great to see the blog stats every day, especially when they are up from the day before.

 
Posted on June 25, 2008 in General

A Few Quick Things

I haven’t posted in a while.  It’s not like I haven’t had time, I was just too lazy to do research for another interesting article you all have come to expect.  This post will probably not be one of those interesting articles, but I just wanted to write down a few things.

  1. The number of blog visits is up by a lot.  Thank you to everyone who has been visiting.  Seeing the number of page views go up over the last two weeks has really kept me in the game in terms of research (even though there are no new posts).
  2. I have a couple of big things coming up over the next week or so.  I’m going to the Digital Government Institute Cyber Security Conference and Expo at the Ronald Reagan Building in D.C. on Wednesday.  I’ll be sure to take lots of notes and relay great information unto you via this blog.  The day after the expo, I’ll be getting my Wisdom Teeth out which should prove to be lots of fun.  I’ll probably crank out quite a few posts if I’m forced to be immobile for a few days.
  3. I’m looking for speakers for the upcoming Fall and Spring semesters to come speak to the Security and Risk Analysis Club.  If you are interested, please email me: sjs5196 {at} psu {dot} edu.  If you have experience in anything that I talk about on this blog, or anything to do with terrorism or infrastructure, you are a perfect candidate for speaking to us.  If you have something else you’d like to talk about, I’m open to suggestions.
  4. SRA Resources is going to be getting an overhaul by the end of the summer (hopefully).  The SRA Club is redesigning its website to reflect our growth and we hope to implement a more effective way of sharing the same information.  We plan to use Microsoft Sharepoint Services (and related product family) to organize the club webpage.  We will, hopefully, find a solution for the indexing and permanent storage of the info currently on SRA Resources.  If you have suggestions, I’m all ears as we are still in the planning stages of developing this.
  5. Firefox 3 is now available!!  Mozilla saw over 8 million downloads of the new web browser during release day.  I am going to do a story on the new (and welcome) security features of Firefox Three.  I encourage you to download it.  I’ve been using it since Firefox 3 Release Candidate 3, and I have loved it.  Unfortunately, up until I got the final release, my blog, along with some other pages would not render correctly.  Now everything looks perfect!  So please, support the open source community and keep yourself safe with Firefox 3.  Download it here!
 
Posted on June 18, 2008 in General, Security

GPS Tracked CATA Buses

It is well known to any Penn State student that the Center Area Transit Authority’s services are particularly useful for getting clear across campus or avoiding walking in inclement weather.  Their bus service is much more efficient, extensive, and effective than many other university and metropolitan services.  The one thing that I have always wondered is whether they could hook up GPS (Global Positioning Systems) to the buses so riders can have a real time view of where the buses are in relation to them.  This is particularly useful for when there is inclement weather and the bus service schedule is running behind.

When a Google search provided little information about the progress, or even a description of the project, I emailed CATA directly.  I got in contact with Eric Bernier who is the Service Development Manager for CATA.  The information he relayed to me was very exciting.  First, the project is still going strong.  They have hardware connected to all the buses and the infrastructure for communication is in place.  He told me that they did not anticipate the number of serious bugs due to the complexity of the entire system.  They do, however, have a working draft of the project.  It currently updates once every minute for information about all the “Letter and Link Buses.”  What the service is missing is information for the Blue and White loops, which are perhaps the most used bus routes in State College.  I have inquired about the two missing bus routes, and will update this post when the information becomes available to me.

The draft website seems to be pretty functional.  The link to the working draft is here.  When this service is up and running, it should be delightfully useful.  I foresee tons of riders using this and hopefully they will expand and extend the service.  In the future, some kind of text message based alert system could be introduced.  For this system, a rider would send a query to the system with information about what stop they are interested in and which bus route.  The system would then return how many minutes are left until the next bus stops at the desired location via text message.  Additionally, I see this platform being very “mashable”.  Enterprising students could add functionality to the preexisting setup since it appears to be done via Google Maps.  In terms of specifics of extending this platform, students could make it show delays, traffic jams, provide a live video feed of a given bus stop, and any number of really cool things.  This can only work well if they allow people to view the raw data with the web service.

UPDATE: July 29, 2008

Eric Bernier replied to my message from a while ago with updates on the tracking situation for the blue and white loops:

Right now the two LOOP routes operate on headway based system using a countdown clock.  This was done to maintain the spacing between buses versus a fixed schedule.  We are trying to find a way to still project arrival times for those routes even though they don’t have fixed schedules.  We hope to have something worked out soon.

 
Posted on June 10, 2008 in Emerging Technology, General