Monthly Archives: July 2010

The Broken Window Theory applied to Information Security

The Broken Window Theory has two popularly accepted approaches to its application.

The original was an economic theory proposed in the 1850s.  Essentially it stated that even something bad that happens (e.g. the breaking of a window) has a positive effect on the economics of a society (the need to create another window and employ someone to install it).

There is a more contemporary theory that is focused on criminology, originally proposed in the March 1982 edition of The Atlantic Monthly.  It basically states that, if a few broken windows go un-repaired, there is a higher propensity for other windows to be broken.  From that, there is an even greater chance that other nefarious activities will become more prevalent in that location.

I’m going to take a leap here and compare the second theory with Information Security and reducing risk.

According to the theory, there are three factors that support why the condition of the environment affects crime (and the opportunity for crime):

  • social norms and conformity
  • the presence or lack of monitoring, and
  • social signalling and signal crime

In this first part, I’ll use Information Security examples to explain these factors:

Whether intentionally or not, the policies we create and enforce will affect the social norms of our computing environments.  If you do not enforce the requirements of proper patch management or secure coding, you create a social norm where it is implicitly acceptable not to follow those policies.  Social norms tell us that people will do as the group does and will monitor others to make sure they act in the same manner.  If this holds true, then herein lies the answer to many departments' problems.  Make sure you have a policy, that it is well enforced and communicated to your end users, and the end users will help expand your monitoring capabilities to ensure the policies are being followed.  Seems too simple, right?

The second factor is the presence of monitoring.  Because of the nature of our environments, it's not always possible for people to get feedback from those around them, and you cannot rely on (or even expect) norms being transmitted from others.  In this case, you turn to your tools.  Even though you may have created and communicated the appropriate policies, you now need technical controls in place to enforce them.

These technical controls are the third factor (signals) that indicate to the end users that they are (or are not) compliant with their activities.  So add accurate, timely, and visible monitoring to your list.

The other key component to take away from the Broken Windows theory is that addressing problems when they are small gives you the opportunity for easy, less expensive fixes.  A sound Risk Management methodology would tell you that addressing issues like patch management, policy violations, and secure coding practices early is less costly and less difficult than addressing them after they have been exploited and you are dealing with a breach or data loss.

Sadly, the early economic theory of Broken Windows would state that all these things are good.  If a breach occurs, many people will be employed conducting the investigation and doing research.  I feel I can confidently say that the business we own or work for would not be satisfied with us following that theory.  It would be far more acceptable to adopt the social/criminology theory and begin to remediate many of our issues before they become larger problems.

Russian spies are just like your average end user?

Funny as this may sound, it seems to be the case with the recently arrested Russian spies.

This article from Network World points out some of the issues the users had and how those issues helped get them caught.

As an IT or Security Professional, how likely are these scenarios in your workplace:

  • A 27-character password was enforced.  So the password ended up written down on a post-it.
  • Frustrated with trying to get a program to work, you turn to a complete stranger for help.  If that stranger happens to be an undercover FBI agent, handing him your laptop just made his day.
  • Waiting 2 months to get a new laptop and have it configured, then being told you can get it fixed in 6 months if it doesn't work.  Then telling your co-worker (or co-spy) "they don't understand what we go through over here".  Sound familiar?
  • Users/spies turn to off-the-shelf programs so they don't have to wait for their IT department to install them.
  • Having all new systems but not being able to run the necessary programs because they crashed or timed out before the application could finish.
  • Users/spies set up peer-to-peer wireless networks (without encryption) so they could transfer files more easily.  That made it a lot easier to intercept those files in transit too.

They seem so comical that it's almost hard to believe they aren't movie plot lines for Steve Carell's next Get Smart episode.

Posted by on July 7, 2010 in passwords, RISK, Security


Indian Government demands access to Gmail, Skype, and Blackberry data.

From SANS:

The Indian government is seeking to ensure that it will have access to the content of communications sent over Gmail and the Skype and BlackBerry networks in a readable format.  The government wants the power to access communications as a means to combat terrorism.  Skype and BlackBerry parent company RIM have been given two weeks to comply, or they could find themselves banned in India.

Quick impressions:

While I've expressed concerns before over the decryption of Skype calls in China and Germany by the government, it has mainly been a question of "is Skype business ready?".  I've been okay with the use of Skype for personal communications, but that is it.

BlackBerry communications are another story.  A large percentage of the 41 million BlackBerry users around the world are "corporate" users, which should mean that most of the data between those devices is work data (though we know quite a bit isn't).  RIM supposedly has a symmetric key system, which would mean that only the customer creates their own encryption key.  It would be very bad for RIM if this were not the case, and it would cause a lot of issues with their customer base (many of whom have chosen RIM for its secure messaging).

Gmail… again, this shouldn't be your corporate mail system.  If Google willingly allows this, you can opt out and choose another provider.  So while I'm not keen on the idea, at least you have the option.

http://www.pcworld.com/businesscenter/article/200257/reports_blackberry_skype_google_face_india_data_demand.html
http://www.business-standard.com/india/news/govt-may-get-access-to-foreign-firms%5C-networks/400107/
http://economictimes.indiatimes.com/Infotech/Hardware/BlackBerry-has-to-pass-security-muster-in-15-days/articleshow/6112344.cms?curpg=1
http://www.thehindubusinessline.com/2010/07/01/stories/2010070153420100.htm
http://asia.cnet.com/blogs/tech-curry/post.htm?id=63019606&scid=rvhm_ms