Thoughts on Risk Management
Sameer Shelke
Sameers Blog

Psychometric Analysis: Developers and Security testers

I recently had the opportunity to speak at a conference organized by the STeP-IN forum (http://www.stepinforum.org/) on Application Security Testing. I spoke about two attributes used in psychometrics, “attitudes” and “personality traits”, with regard to software developers and security testers. The presentation is available at http://www.aujas.com/presentations.html.

During the conference various speakers spoke about the need to look at security earlier in the SDLC, about security standards etc., all of which would lead to a reduction in the cost of security testing. It’s well accepted that the cost of fixing software bugs (including security bugs) rises exponentially as the development lifecycle progresses. One of the attendees asked an interesting question: “this is a conference for testers, and what you are saying will reduce the work for us and might impact our jobs”.

This question reminded me of the book “Hidden in Plain Sight” by Erich Joachimsthaler, which gives examples of companies which failed to look at or accept the future and the change it brought. One such example was SONY, which pioneered the concept of portable music with the Sony Walkman. For years it was the undisputed leader in that market segment. SONY was also a major player in the music industry itself. The advent of the Apple iPod and digital music simply destroyed SONY’s market leadership in this space. While SONY also created products in the digital music space, it was not prepared for the paradigm shift that digital music, iTunes and the iPod brought in consumer behavior. Incidentally, Apple was not from the music industry!

As the story goes, in 2005, senior Sony executives were shocked to see Sir Howard Stringer, then chief of Sony's US operations, listening to an Apple iPod while riding an elevator in the company's US headquarters.  The New York Times summarized Sir Howard's cheekiness as a "visible if unstated rebuke to the technologies [at Sony] for falling behind the curve in downloadable music by concentrating on various proprietary formats for storing and playing music."

Likewise it’s not going to help any of us to turn a blind eye to the changes happening around us and fail to adapt to them. Security testers cannot hold on to their jobs of “testing” by hoping that developers will continue to write buggy software. They need to evolve and look at their role not as “testers” but as “enablers” who help release secure software.

Some day, somehow, the industry will find ways to develop secure software; testers should try to influence and add value to that change, since it’s the most obvious thing to do, hidden in plain sight, like the very apt title of Erich Joachimsthaler’s book.

Social Networking & Security

The impact and adoption of Social Networking as a medium of communication, information sharing, interaction etc. is a given in today’s world. Facebook now talks about having 400 million users, 50% of whom access the service every day! LinkedIn, the so-called “professional social networking service”, has 60 million users. Since its inception in 2003, LinkedIn took 1.4 years to reach the first million users, while the most recent million was reached in only 12 days. India has over 3 million users on LinkedIn and, yes, India is the fastest growing user base in the world.

There have been several discussions around the security of social networking sites, user risks, whether the services should be allowed by organizations etc. To me the benefits and adoption of these services are so high that they will eventually be classified as must-have services on the internet, very much like email. Hence it will not be practical for organizations to block or curtail users from using social networking services.

Most if not all social networking service providers are taking active measures to protect their services and users, for example Facebook’s Safety Center, which provides secure usage tips for several types of users. Most of us follow the basic secure usage guidelines like:

  • Not disclosing private information
  • Changing passwords
  • Not accepting invites from unknown people
  • Running antivirus protection
  • Checking the privacy policies of the service providers
  • Checking default configuration and settings etc.

However I think we need to focus a lot more on what I term the “legitimate mistakes” which we commit. I call these legitimate because there seems to be nothing apparently wrong with what we have done, yet it still leads to a security risk. A few examples illustrate the point.

During a specific project one of our security specialists was testing a customer’s core application website. The website was configured well, with proper security on the deployment environment. Hence the specialist was not able to find the usual vulnerabilities which he could exploit. His interim report said that the site was secure and he didn’t think there were any vulnerabilities. However, the next day he came back and reported that he had been able to crack the admin password, and hence the complete web service was exposed. The method he used as the first step towards the credentials was very simple but effective. He used another low-profile website of the customer’s and tried to log in with the administrator’s name. He used the “forgot password” option, the security question for which was “Where did you go for your honeymoon”. He then searched for the administrator’s account on Facebook, got to know his wife’s name, who in turn had posted their honeymoon pictures on Flickr. It was easy for him to guess that they had gone to Kumarakom for their honeymoon.

From the administrator’s point of view, neither he nor his wife seems to have done anything wrong from a secure usage standpoint. Maybe her Flickr album should not have been public. This is an example of a “legitimate mistake”.

Let’s take my own example: the only social networking service I use is LinkedIn. I use it not only for connecting with my professional contacts but also for “serious” services such as hiring, initiating contacts with business prospects or partners, using the TripIt add-on to plan my travel and to know who is in the vicinity etc. I have derived several benefits from LinkedIn, e.g. lower hiring costs, initiating professional contacts leading to business or partnerships, better utilization of time during travel etc. But time and again I tend to use LinkedIn to exploit “legitimate mistakes”.

E.g. when I see someone joining a job group, I can guess that he/she might be looking for a change. When I see one of my contacts connect with someone from the competition, I know it’s time to act. I can review the profile of potential contacts to know their background, or I can go to the part where it tells me who has seen my profile and come to know who has been checking on me. I am sure others are exploiting my “legitimate mistakes” as well.

In summary the message is clear: none of us can stay away from social networking services, so it’s important to use a service which seems secure and credible. It’s also important to follow the basic secure usage guidelines. However we still need to look at the “legitimate mistakes” we might make and be more careful and aware. All good services need users to take “responsible usage” seriously; it’s always easier to watch out for the big mistakes, while the smaller ones slip through and sometimes cause major damage.

Economics of Security

We have always talked about the need for a proactive approach to security and its effectiveness and benefits in managing risks. For example, it’s always more effective and economical to build secure software than to test and fix it after development or in production. We even learned this at school: “Prevention is better than cure”.

In risk management we come across controls which are:

Preventive: Controls which ensure that exposures don’t or can’t occur

Detective: Controls which help us detect exposures as or after they happen

Corrective: Controls which enable us to remedy exposures once they have occurred

 

Nowadays there is a lot of focus on detective controls, which includes the deployment of technology solutions that detect and capture unwanted network activity, access attempts, patterns etc. Needless to say these investments are fine, but we need to move our risk management posture more towards the preventive side. That is, we must do more to ensure we don’t have weak areas which can be exploited.

 

I recently read the book “Superfreakonomics” by Steven Levitt and Stephen Dubner. I am usually apprehensive of sequels as they never match up to the original, but gladly this book was a good read. I came across two examples in the book which illustrate the point about preventive versus detective controls.

 

After the 7/7 terrorist attacks in London, a team was formed to use statistical information to identify terrorist suspects. The data points used were banking usage patterns such as:

- They make large cash deposits and withdraw small amounts

- PO boxes are used as addresses and they change often

- There are regular wire transfers to other countries, but always below the threshold at which banks are required to report them

- They never use savings accounts or fixed deposits even when the account has idle money

- Transactions don’t show normal living expenses and regular outflows such as insurance payments etc.

As one can imagine it would be difficult to come up with an algorithm that makes the system accurate. Let’s say a system is developed with 99% accuracy and that there are 500 terrorists in the UK: 495 of them would be identified, which would be great. The problem is that with 50 million adults living in the UK the system would also wrongly identify 1% of them, which is 500,000 people. Put differently, for every real suspect flagged there would be about a thousand innocent people flagged, and the investigators’ queue would be over 99.9% noise. This is the same “false positive” problem we face with detective controls in the information risk management world: when the thing you are looking for is rare, even a very accurate detector produces far more false positives than true positives, and the cost of chasing them significantly reduces the benefit of the system.
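The arithmetic above is worth carrying through in general form, because it is exactly the calculation behind tuning any detective control (an IDS signature, a fraud model, a SIEM correlation rule). The following Python is an added example, not code from the original post or from the book; it reproduces the Superfreakonomics figures quoted above (500 targets among 50 million adults, a detector that is 99% accurate in both directions) and then sweeps the false-positive rate to show how far the control has to improve before an investigator’s queue is mostly real cases. The “alert budget” of 50 investigations in main() is a constructed illustration, not a figure from the book.

```python
"""Base-rate arithmetic for a detective control (added example, not from the original post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    true_positives: float
    false_negatives: float
    false_positives: float
    true_negatives: float

    @property
    def flagged(self) -> float:
        """Total number of cases the control raises for investigation."""
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Share of flagged cases that are real: what the investigator actually sees."""
        return self.true_positives / self.flagged if self.flagged else 0.0


def screen(population: int, positives: int, sensitivity: float,
           false_positive_rate: float) -> ScreeningOutcome:
    """Expected outcome of screening `population` cases of which `positives` are real.

    sensitivity         : fraction of real cases the control catches (1 - miss rate)
    false_positive_rate : fraction of benign cases the control wrongly flags
    The book's "99% accurate" detector has sensitivity 0.99 and FPR 0.01.
    """
    if not 0 <= positives <= population:
        raise ValueError("positives must lie between 0 and population")
    for name, rate in (("sensitivity", sensitivity),
                       ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must lie between 0 and 1")
    negatives = population - positives
    tp = positives * sensitivity
    fp = negatives * false_positive_rate
    return ScreeningOutcome(tp, positives - tp, fp, negatives - fp)


def required_false_positive_rate(population: int, positives: int,
                                 max_false_positives: float) -> float:
    """Largest false-positive rate that keeps wrongly flagged cases within a budget.

    The answer depends only on the number of benign cases, which is why a rare
    target forces the control towards a specificity of several nines.
    """
    negatives = population - positives
    if negatives <= 0:
        raise ValueError("no benign cases to screen")
    return max_false_positives / negatives


def main() -> None:
    population, positives = 50_000_000, 500  # figures quoted from Superfreakonomics
    book = screen(population, positives, sensitivity=0.99, false_positive_rate=0.01)
    print(f"99% accurate detector: {book.true_positives:.0f} caught, "
          f"{book.false_positives:,.0f} innocents flagged, "
          f"precision {book.precision:.3%}")

    # Sweep the false-positive rate: sensitivity stays at 99% throughout, yet
    # the queue only becomes mostly real cases around one in a million.
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        out = screen(population, positives, 0.99, fpr)
        print(f"FPR {fpr:.0e}: {out.false_positives:>10,.0f} false positives, "
              f"precision {out.precision:6.2%}")

    budget = 50  # constructed: wrongful investigations per year the team can absorb
    print(f"To stay within {budget} false positives the FPR must be at most "
          f"{required_false_positive_rate(population, positives, budget):.1e}")


if __name__ == "__main__":
    main()
```

The sweep is the practical lesson: the control’s miss rate never changes, but precision moves from under 0.1% to over 90% purely by driving the false-positive rate down, which is why detection engineers tune rules on the benign population first and measure alert precision rather than “accuracy”.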

 

Another example is the detective control deployed at airports which requires us to remove our shoes at the security check. This started after Richard Reid tried to ignite a shoe bomb; fortunately he failed, but statistically the control his attempt triggered “kills” the equivalent of 14 lives a year in the US!

 

Let’s say it takes on average one minute to remove and replace one’s shoes in the airport security line. In the US this happens about 560 million times a year, which adds up to 1,065 years. Average US life expectancy is 77.8 years, which yields a total of 14 person-lives a year.

 

The above examples may sound dramatic (statistics and economics can be used to communicate any message depending on which side you are on!). However the underlying theme makes sense: we have to focus on a proactive approach to security to be more effective and economical in comparison to other approaches.

ALL is well !

I had the opportunity to watch “3 Idiots”, which in my view is one of the best Hindi movies of all time. Several things in the movie stood out: the basic theme from Chetan Bhagat’s book, the amazing adaptation and modifications by Raju Hirani, the concept of “be the best in what you do and success will follow”, the astonishing transformation of Aamir Khan into a 22-year-old student etc.

One interesting element of the movie is the use of “All is well” and the story behind it. Rancho (Aamir Khan) uses the words “All is well” whenever he is in trouble (including the highly melodramatic childbirth!) and explains the logic behind it. When he was small there was an old watchman who roamed the streets at night shouting “All is well”, and everyone slept peacefully. Only later did they realize that the watchman was actually night-blind! The “All is well” shouts gave great comfort to all and, as Rancho says, it’s necessary to fool the heart once in a while.

In a lot of ways we risk managers are like the watchman. Our job is to provide assurance to our organizations that “All is well”. General users and employees of the organization get this “All is well” feeling from the “visible” controls and their implementation. We often come across controls which are not “real” but merely “visible”, more deterrents than controls. E.g. the guards at shopping malls or hotels who check the underside of cars: these guys seldom have any clue what they are looking for; they are doing it just because someone has instructed them to. Worse, of course, is when we are asked to open the boot: they shove a metal detector inside, wait till it makes some noise and then let us pass!

In an ideal situation we would have controls which are specific, manage the risks effectively, are visible, are easy to manage, are not too expensive and don’t cause too much inconvenience. Since most of us don’t operate in the ideal world, it’s important to balance the real and the visible controls. It is important to visibly inform the users that security is taken seriously and that any deviation will be captured. It’s not about getting it 100% right; it’s about having something in place instead of nothing. As they say, “it’s better to be approximately correct than completely wrong”. Needless to say, having only “visible” controls would be disastrous; it’s about having the right balance.

It’s our responsibility to provide assurance and the “All is well” feeling to our organization and users. Hopefully we would be doing it consciously and not as the night blind watchman of 3 Idiots.

The Four Diplomatic Principles

For those of us working in the information risk management space, times are challenging. For the last 12 to 14 months the focus has been on how we can get more out of our information assets while controlling risk management costs. Now that the economy is showing signs of revival, we may be challenged with new forms of risk as organizations become aggressive and try to regain lost ground and market share.

One key element we always need to manage is our relationships; many times we hear ourselves say “My management doesn’t understand the value of risk management and security” or “My users just look at convenience and any controls we define are met with resistance” etc. Hence relationship management is important for us to be successful in our function (as in most others, I guess).

At a high level, the following are our interfaces or “Configuration Items (CIs)” (a term borrowed from ITIL!).

§  Management: They take the strategic view – e.g. how do I grow market share?

§  Business Operations: They take the tactical view – e.g. how do I ensure this customer is happy?

§  Employees: They take the convenience view – e.g. I need access to this resource, and now.

§  Security: They take the control view – e.g. do exactly as I say!

Each of the above CIs needs to align for an organization to run its business and manage risk effectively. As risk managers and CSOs, how do we ensure this happens and that everyone contributes?

Srimad Bhagavatam speaks about Catustayam—the four diplomatic principles:

§  Saama: The process of pacifying

§  Daama: The process of giving money (rewards)

§  Danda: The principle of punishment

§  Bheda: The principle of dividing

We need to apply the right principle to the right CI at the right time for the right situation to get the desired result. Hence a matrix needs to be built mapping the four CIs against the four principles, examples of which I have attempted to explain in a presentation.

The presentation is available online at:

http://www.aujas.com/presentations.html

 

 

The Colombo experience - learnings for our Security posture

I recently had the opportunity to visit Colombo for a few days. Sri Lanka as a country seems to be changing rapidly after the conclusion of the unrest. The people are very positive, investments are coming into the country and the mood is very upbeat. One still gets to see a few glimpses of the war, such as an old captured tank being carried on a trailer across the city. The most visible aspect is that of the “check posts” across the country. There are many police and army check posts on the roads; e.g. from the Bandaranaike International Airport to the hotel we came across at least 8 to 10 of them and were stopped at 2.
During the day we traveled across the business areas, where too there were several check posts. What happens at a check post is interesting:
1.  There is a young commando in full battle gear with an automatic assault rifle, who waves a stop signal. The commandos are very young, in their early twenties.
2.  As soon as our driver sees it, he stops the car on the left where the check post is. (I asked the driver what happens if you don’t stop. He said with a straight face, “they shoot”.)
3.  At the check post the driver lowers the window.
4.  Another young commando asks a few questions.
5.  All Sri Lankans in the car show the commando their identification card. All Sri Lankans have a unique ID card with photo and number!
6.  The commando asks about us, and the driver says we are foreigners. “India?” the commando asks us; we nod, he smiles and we move on.
The above takes just about 2-3 minutes, even on a very busy city road. A few meters down the road is a sensitive installation (e.g. an army office) which seems to have the most impressive physical security system: multiple layers of armed commandos, barricades, spikes on the ground, bunkers with heavy weapons etc.
Two things stand out for me:
1.  The security posture is serious, effective and efficient: you don’t see the commandos relaxed, they are serious about their jobs, but there are no unnecessary steps and the check is over in 2-3 minutes.
2.  The people know their role and comply: Sri Lankans don’t step out without their ID card. They don’t complain about being stopped. An auto (yes, they have Bajaj autos there) is stopped, and so is a BMW. They don’t throw their weight around. They know and appreciate that the security is for them.
Needless to say there are weaknesses in this security posture too, and they might not be so diligent after a few months or years, when the memories of the war fade and the perceived risk is lower.
There is a simple but very important learning for us here. The security posture we develop needs to be:
1. Applicable
2. Effective
3. Committed
4. Efficient
5. Accepted (by the users)
AECEA: here we go, another acronym!
One would say it’s “obvious”, a word which Dictionary.com defines as “easily seen, recognized, or understood; open to view or knowledge; evident”. However, we all know we tend to miss what’s in plain sight. This Colombo experience reminded me of the basics of risk management and the security posture.

The Long Tail of Security


 
Background
“The Long Tail" is a concept put forth by Chris Anderson which described the niche strategy of businesses, such as Amazon.com or Netflix, which sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.




Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com's sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.
An Amazon employee described the Long Tail as follows: "We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday."
Application to Security
In the risk management or security world we focus on the “head”: the common or major risks we face or hear that others have faced. Needless to say, all our protection efforts and postures are deployed to protect against these “head risks”, and rightly so. E.g. when we decide to put up applications or services on the Internet, we ensure we protect them against risks such as the OWASP Top 10 vulnerabilities, malware, infrastructure weaknesses etc. Content security aspects such as spam filtering and antivirus become “head risks” when we talk of email systems.

Time and again we are faced with risks which lie in the “long tail”, which we haven’t thought of or heard of. E.g. terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then WiFi access point security has got attention everywhere, with the Mumbai Police now planning to test for open WiFi access points across the city and to issue notices and citations to the users found running open access points. Suddenly WiFi access point security has moved from the “long tail” to the “head”, with everyone talking about it and taking appropriate protection measures.

The question which challenges us is whether we will face a situation where it is said that “We got attacked more today using vulnerabilities which were not exploited at all till yesterday than using those which were exploited till yesterday”, like what Amazon said about the Long Tail.


Sounds complex, doesn’t it? Well, we are already facing this issue: “how do we protect ourselves against those seemingly obscure risks which might suddenly become important?”

The answer is not simple and its implementation is possibly more difficult. What is required is a comprehensive risk management framework which helps us identify our assets, their weaknesses, the probability of attacks and hence the risk. We should also consider our current security posture and then the residual risk. What is critical is that this framework needs to be “live” and “in use” all the time; doing it once won’t help. It should be part of the normal business function, so that it helps us identify new or modified risks all the time.

We can never say we are 100% safe and protected, what we owe to ourselves and our business is doing all we can to protect our information technology assets.

IT Amendment Act, 2008- An act to amend the IT Act 2000

The Information Technology (Amendment) Act, 2008, an act to amend the IT Act 2000, received the assent of the President on 5th February 2009. Several legal and security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to study the possible implications and impacts on Indian companies. This note is not intended to be a comprehensive analysis of the amendments; it covers only certain key points which could impact Indian companies.

1. Data Protection

The IT Act 2000 did not have any specific reference to data protection, the closest being a provision to treat data vandalism as an offence. The Government introduced a separate bill called the “Personal Data Protection Act 2006”, which is pending in Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address data protection aspects to an extent, giving rise to certain key considerations for the sector.

The sections under consideration are:

  • Section 43A: Compensation for failure to protect data
  • Section 72A: Punishment for disclosure of information in breach of lawful contract

Section 43A states 

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

By way of explanation: “Body corporate” means Indian companies.

“Reasonable security practices” means those specified in a mutual contract between the customer and service provider OR in the applicable law; in the absence of both, those specified by the Central Government.

Hence it would be important for Indian companies to seriously look at the SLAs and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.

A major modification is that this clause doesn’t mention the compensation limit of Rs. 1 Crore which was there as part of section 43 of the ITA 2000. This implies that there is no upper limit for damages that can be claimed. This essentially is “unlimited liability” for Indian companies, which could have serious business implications.

Section 72A: 

Under this section, disclosure without consent exposes a person, including an “intermediary”, to three years’ imprisonment or a fine of up to Rs. five lakhs, or both.
This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information which is obtained in order to deliver services, and in some ways broadens the definition of information.

2. Information Preservation

Across the amendments there are several references to “service providers” or “intermediaries”, which in some form would apply to all Indian companies.

e.g. Section 67C: Preservation and Retention of information by intermediaries.

“Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe”. Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to 3 years and shall also be liable to a fine.

The notifications on the time for preservation etc. are not yet released. However, since this is a “cognizable” offence, any police inspector can start investigations against the CEO of a company.

Apart from the two aspects discussed in this note, there are other areas which could also be considerations, e.g.:

Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.

Sec 69B: Power to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security, etc.

In summary, IT risk management and response need to be looked at by all companies for various reasons, including customer assurance, compliance, customer regulations, protection of information assets etc. The ITA 2008 amendments provide a few additional factors for consideration which could have a significant impact on business. Information technology regulations and laws will only get more stringent and better defined; hence it’s imperative for organizations to be aware and prepared.