
September 2012

Czarist policies to improve security in the new millennium

Image by dolescum

If Peter I the Great (1672-1725) were to be reincarnated today as a modern day security administrator, the Russian czar would no doubt drag his user community kicking and screaming into the new millennium in much the same ruthless manner as he did with his reluctant and backward Mother Russia towards the end of the 17th century.

In some respects, the timing couldn't be better.

Czar Peter wouldn't need more than a glance at the sad state of enterprise security to conclude that the time has come again for the cold, unforgiving touch of absolutism if security is ever to be taken seriously. Perhaps we need some serious consequences for our appropriate use policies and a healthy dose of fear of reprisal from an apathetic and persistently non-compliant user community, and who better than one of the most fearsome and autocratic rulers of the last millennium to guide us into the new?

Let's imagine how enterprise security might be implemented, Peter's way.

Strong authentication

Appreciating almost intuitively the important role authentication plays in modern security, Peter I would find it remarkable (deplorable, actually) that such primitive methods as secret passwords continue to play any role whatever in authentication: he would ban these immediately. Biometrics would clearly appeal to Peter I, although he might choose unconventional ways to revoke biometric credentials when an employee is terminated: the body part is the root of the biometric, ergo it belongs to the enterprise. And biometrics would be everywhere: at desktops, on laptops, at entrances to corporate facilities, offices, cafeterias, restrooms and parking lots. Even vending machines. Peter would want to know everywhere you go, and when. For the good of the enterprise.

Peter I would quickly grok--yeah, Peter'd grok long before he'd click the START button--how biometrics, complemented with the right PKI and smart card technology, could provide a powerful national, corporate identity. A tiny chip that stores every behavior, feature, idiosyncrasy, no matter how irrelevant: how cool is that?

Key escrow? Under Peter's control, of course: surely the divine right of kings and czars is enough to lay claim to the root of authority?

Managing content

Kings and czars are accustomed to and quite comfortable with proactive content monitoring, a thinly veiled euphemism for what Peter I would call surveillance. Having learned the importance and difficulty of keeping close watch on the streltsy, his sister Sophia, his forsaken wife Eudoxia, even his son, Alexis, Peter I would delight at how a strategically deployed content monitoring application can gather more intelligence, more effectively, than an army of secret police (better to save these precious resources for interrogations, anyway). He'd approve security policies asserting unconditional rights to use all information gathered for the good of the enterprise. No act or indiscretion would go unrecorded, and since storage is cheap, everything would be warehoused for now and future information mining. Employee privacy rights? Nyet, comrade. You want rights? We have this pogrom program: the policy, my dear Dmitri, is my way or the highway.

Once monitors are in place, how better to apply content filtering applications than to limit the web sites employees may visit and to censor what employees read? And it's much more discreet than burning books and razing monasteries! Well, most employees can read, and while Peter was all in favor of reading, there's strong evidence from his superficial enforcement of Europeanization that he would favor such controls.

Protecting assets

Any monarch turned administrator who spies extensively also worries about maintaining and safeguarding sensitive information. Can't forget the lessons learned dealing with those annoying streltsy and those 17th century bleeding-heart liberals, Astrakhan and Bulavin! Network and host vulnerability scanners are wonderful modern-day replacements for the security sweeps the secret police routinely conducted during Peter's reign. Audits are also important. Our own 20th century data show us that insiders, left to their own devices, cause a great deal of the mischief and loss of networked information. Learning this, Peter I might remark, "employees are no better than the serfs and urbanites who provoked revolts in 1705-1708, now are they?" Peter I would argue vehemently that firewalls are useful still, especially if deployed obsessively, at every conceivable enforcement point, and complemented by probes and intrusion monitors that call attention to even the slightest anomaly. One never knows when a branch of the army or the engineering department might change allegiances.

Benevolent, or malevolent?

History reveals that despite his Draconian practices, Peter exhibited certain almost benevolent behaviors. Once he had imposed his iron hand over Russia, he implemented state-supervised education, reformed government, raised industry, and introduced Western technology. The latter is especially true if we count flintlocks, mortars, and multi-cannon warships as technology of the times.

During my research, I found an interesting eulogy of Peter I: "As a ruler, Peter often used the methods of a despotic landlord--the whip and arbitrary rule. He always acted as an autocrat, convinced of the wonder-working power of compulsion by the state. Yet with his insatiable capacity for work he saw himself as the state's servant, and whenever he put himself in a subordinate position he would perform his duties with the same conscientiousness that he demanded of others."

Was all Peter asked from his people that they do diligence to the state that provided for them? If so, is this so much to ask from a user community? Are any among the Draconian practices Peter would undoubtedly impose beyond reason for an enterprise security administrator to employ?

OK, that biometrics revocation notion is over the top.

A more introspective question anyone tasked with administering network security should ask is "How many of these lie in our future, whether or not we find them Draconian or Machiavellian?" As you arm your company with the latest arsenal of identification-confirming, eavesdropping, watch- and safe-guarding applications in the name of improving security, ask yourself if you have invested a commensurate amount of time, technology and money into policy and oversight.

This post was originally published January 2000 in TISC Insight.

APWG Web Vulnerabilities Report, Act II

On behalf of the APWG Internet Policy Committee, I've prepared a report based on information submitted by victims of web site compromise attacks, where the victims' sites were subsequently used to host phishing pages.

Selected quotes from the press release will give you a sense of what you'll find in the report:

"attackers confidently exploit legitimate websites with the same methods and that they succeed because victims are not implementing recommended best practices, countermeasures and responses."

"The survey results indicate that LAMP - Linux, Apache, MySQL, PHP - remains the most frequently targeted hosting environment. However, closer examination of the responses reveals that attackers most frequently leave PHP shell code (i.e., a backdoor written in the PHP scripting language), phishing kits (web pages or scripts that are used to execute the phishing attack itself), or a mechanism to send email to animate a phishing attack."

"The majority of victims continue to report that they were unaware that their website had been compromised until an external party notified them."

The report can be downloaded here.
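Since the report's respondents mostly learned of a compromise from an outsider, the obvious self-check is to baseline the web root and re-audit it for drift and for the three artifact classes quoted above. The following is an added example, not code from the report or from this post: the indicator heuristics, directory names and sample files are constructed assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for the artifact classes the report names: scripts dropped where only
# static files belong, mail-sending code, and credential-harvesting forms.
# Constructed for this example; these are not signatures taken from the APWG report.
EXEC_EXT = {".php", ".phtml", ".php5"}
STATIC_DIRS = {"images", "uploads", "css", "js"}
TEXT_RX = {"mailer": re.compile(r"\bmail\s*\(", re.I),
           "credential-form": re.compile(r"<form.*?type\s*=\s*['\"]password['\"]", re.I | re.S)}

def snapshot(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(root, baseline):
    """Return {relpath: [reasons]} for files that drifted from the known-good baseline or match a heuristic."""
    root, findings = Path(root), {}
    for rel, digest in snapshot(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("new-file")
        elif baseline[rel] != digest:
            reasons.append("modified")
        if Path(rel).suffix.lower() in EXEC_EXT and rel.split("/")[0] in STATIC_DIRS:
            reasons.append("script-in-static-dir")
        text = (root / rel).read_text(errors="replace")
        reasons += [name for name, rx in TEXT_RX.items() if rx.search(text)]
        if reasons:
            findings[rel] = sorted(reasons)
    return findings

def demo():
    """Constructed site: baseline a clean root, drop in inert placeholders, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "images").mkdir()
        (site / "index.php").write_text("<?php echo 'welcome'; ?>")
        baseline = snapshot(site)
        (site / "images" / "cache.php").write_text("<?php /* placeholder for dropped shell */ ?>")
        (site / "send.php").write_text("<?php mail($to, $subject, $body); ?>")
        (site / "login.html").write_text("<form><input type='password' name='p'></form>")
        (site / "index.php").write_text("<?php echo 'welcome'; /* tampered */ ?>")
        return audit(site, baseline)
```

In practice the baseline would be taken at deploy time and stored off the web server, and the audit scheduled so that drift surfaces before a third party has to report it.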