
Michael N. Dundas

A place to record my thoughts and musings.


Archive for May, 2010

I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense.

There is a need to ensure audit compliance across the entire banking infrastructure.   From a financial perspective, compliance with the various audits is a must if you wish to stay in business.  Of course, my background is in network security.  Network security is not the same as auditing.   Although I have not met anyone that would say if you pass a particular set of audits you are secure, I have noticed across the audit industry in general there seems to be an unstated understanding that if you do pass audits you are secure, or at least more secure than if you don’t.

Passing an audit does not mean you are secure.  Here is one of a few simple examples I have come across.  One of the audits requires that your entire internal network has address translation from inside to outside.  Effectively, the idea is that if I as an outside user browse to http://michaeldundas.com, that address would appear to the requester as 216.240.0.43.

From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is.  Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that would convert the IP address the client has, to a different IP address.

The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions.  In this way the client does not know the real IP address of the server.   Any attack that you could do without NAT, you can do even if NAT is there.  Anyone that is active in attacking servers knows this.  It offers no additional security, just extra work.
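To make the point concrete, here is an added simulation (not from the original post) of the static one-to-one NAT the second diagram describes. The private server address and the outside client address are constructed for the example; only 216.240.0.43 comes from the post. The same request is run once through the NAT and once straight to the server, so you can compare what the server receives in each case.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PUBLIC_IP = "216.240.0.43"   # address the post says the outside client sees
SERVER_IP = "10.0.0.5"       # constructed private address behind the NAT
CLIENT_IP = "198.51.100.7"   # constructed outside client address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

class NatRouter:
    """Static 1:1 NAT as in the second diagram: rewrites the destination on
    the way in and the source on the way out; the payload is never touched."""
    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip, self.private_ip = public_ip, private_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only packets addressed to the public IP are translated.
        if pkt.dst != self.public_ip:
            return None
        return replace(pkt, dst=self.private_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src != self.private_ip:
            return None
        return replace(pkt, src=self.public_ip)

def web_server(pkt: Packet) -> Optional[Packet]:
    """Stand-in web server: answers on port 80 and echoes the request line
    so we can see exactly what reached it."""
    if pkt.dport != 80:
        return None
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    return Packet(pkt.dst, pkt.src, 80, pkt.sport,
                  b"HTTP/1.1 200 OK\r\nX-Request-Line: " + request_line)

def exchange(nat: NatRouter, request: Packet) -> Tuple[Packet, Packet]:
    """One request through the NAT: (what the server saw, what the client got)."""
    inner = nat.inbound(request)
    reply = web_server(inner)
    return inner, nat.outbound(reply)

def direct(request: Packet) -> Packet:
    """Same request with no NAT in the path (the first diagram)."""
    return web_server(replace(request, dst=SERVER_IP))
```

Run `exchange()` and `direct()` on the same request: the server receives an identical payload either way, and only the addresses the client sees differ.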

Auditing does have its place and is necessary.  Complying with audit requirements for many industries is not an option and your staff must understand that.  But don’t let yourself or your staff be fooled into thinking audits make you more secure.  Audits help but they are not a substitute for good and proper security.   Passing an audit does not mean you are secure.

I love wrist watches.  As a kid I had several, a mix of analog and digital.  From about 5 or 6 years of age, I would always be found wearing one of the watches I owned.  Even today, I have 3 wrist watches: a military certified one, a Raymond-Weil, and one given to me by a former employer when I left that has their logo on the face.   To this day I still keep abreast of the wrist watch market.  My watches work fine and yet I keep toying with the idea of purchasing a Breitling.   I have a passion for the design, attention to detail, precision and expertise this company puts into their products.   Compared with the typical “get it out the door and fix it later” approach of many of today’s companies, what Breitling promotes is refreshing.  While I understand why most technology companies run their businesses with the “out the door” approach and the necessity in today’s market, it makes me feel sad inside.

I just finished watching a TED presentation by Sir Ken Robinson.   It is an informative and entertaining presentation on how the education system of today does not need an evolution.  Instead it requires a revolution.  Much of what he says parallels what Seth Godin wrote about in Linchpin.  One of Ken’s analogies is how our children do not see the point of a wrist watch.  It is a single-purpose device that is no longer necessary, but people over the age of 25 typically wear one simply because we always have.   I have to admit, I am well over the age of 25 and I still wear one.  I also have a PDA, tweet, blog, and am very current in the latest technology, networks and security.  I don’t need a wrist watch.  Not only do I still wear one, but I still want a Breitling.  Why?

I love their website.  It is current and artistic, constantly being updated.   It shows you the ‘flashy’ look of their products, yet those wishing to obtain technical details of a specific product can do so easily.  It doesn’t send you to a PDF; technical specifications and flashy displays are all integrated into the site design.  It is well thought out and well designed.  This is important.  It tells the viewer that this is how they do everything, including how they design their wrist watches.  The design of the site shows their personal brand.  There are lots of videos of their jet team.  You might wonder what a jet team has to do with wrist watches.  My wife jokingly said “That is why they have to charge so much for their watches.”   Just like the design of their website, the videos of the jet team reinforce the Breitling personal brand.  Jet teams flying with accuracy, speed, timing, focus, trust, taking risk.  That is how they make their watches, their website, train their jet team, how they view their trade craft.  How they do everything.

I want a Breitling watch because I like watches and the attributes of the Breitling brand resonate with me. I feel sad sometimes with the “get it out the door” approach of many companies, because they ignore what I value.  Precision, speed, timing, attention to detail, trust are attributes I have valued since I was the age of 6.

This is probably the biggest ‘no no’ in security theory.  Don’t let an untrusted device onto your network.   Most security professionals know that is an ideal, but not really achievable.  Companies are forced to let customers connect via the Internet with any system they choose to.  Browsers such as Firefox, Safari, Opera or Internet Explorer; Windows, Mac, Solaris or Linux for an operating system.  In most cases, for the end user shopping, it is all acceptable.

In an attempt to mitigate this problem, we use firewalls, intrusion detection/prevention systems (IDS/IPS), and other devices along with design principles to create Zones.  These Zones then have policy applied around them indicating the levels of trust permitted into a particular zone.  All this is very similar to physical security principles; just stop and think about an airport.

Most large companies apply these theories described above on their internal network as well where they have enjoyed much more control.  Often an organization has a laptop they give you.  It has their chosen Operating System, their selected applications, and is locked down by a policy they have chosen and enforce via Active Directory or some other mechanisms.  Combine this with internal security devices, apply “Zoning” and appropriate policy and you feel safe — you have control of your internal network right?

But there are always the exceptions.  These exceptions represent the outside pressure to change your security stance.  A consultant or vendor is a good example.  In comes a consultant to do an 8-month project.  She needs access to certain aspects of the systems: access to employees’ calendars, access to critical systems for the project, external access to the VPN of her own company, external resources on the Internet that are ‘blocked’ by your particular policy.  She doesn’t use Windows, but her own flavor of Linux she created herself.   Taking a security stance you can say no, but that only works for a while.  Eventually a project comes along that is too critical, costs the company a lot of money to complete, and completion means bigger sales.  Now you and the security principles you enforce are perceived as a roadblock to accomplishing a key objective.  Inevitably, you are forced to make an exception.  It is at this point all your hard work is nullified.  Not only that, you lose the respect of others in the organization.  You are seen as an inhibitor, a constant roadblock, a team that no other team wants to deal with.

This problem, which has been around for years, is accelerating and getting worse.  PDAs, netbooks, iPads, iPhones, and every other network-enabled device are becoming common for everyone to have, and they are going to want to connect them to your corporate network.  You can resist for a while, but resistance is futile.  Like the common consultant example above, you will make exceptions and eventually the number of exceptions will be greater than the non-exceptions.  Bruce Schneier recently commented on this when he was interviewed at RSA.

More and more companies now have to get used to the fact that people are going to come in with the technologies they want and that is what they are going to use.  So we are going to see a lot more security around connecting random untrusted devices into a trusted network.

When you get to the younger generation, they are not going to work and get a computer that is less powerful than the one they use at home.  They are not going to be given a second cell phone.

“I’ve already got a cell phone, I’ve already got a PDA! … I’m not going to use two.”

We need to shift how we design security.  Rather than resist these new devices, we need to design the security of our internal networks and systems so that we can manage the security around these untrusted devices connecting to our networks while still allowing them to function.  Resisting this will end up just like trying to resist the consultant or vendor: being forced to make an exception, being perceived as the team that is difficult to work with, and losing the respect of your colleagues.  With the number of Android phones, iPhones, iPads, and other portable network devices coming onto the market, the exceptions to most security policies are about to skyrocket.

Is your organization working pro-actively to address, incorporate and manage untrusted devices in your internal network?


Now that it is public knowledge that I have accepted a new position in the financial services industry, I have been getting questions from many people on my choice to leave the telecommunications industry.  It has been a decision I have been contemplating for at least 2 years now.  I initiated looking outside the telecommunications industry back in August 2009.  Technically, I was working for a vendor who provided telecommunications companies with hardware and services, but anyone that works for a vendor will tell you that the goals and beliefs of your customer are your goals and beliefs whether you want them to be or not.  Here are the main reasons I chose to try a different industry.

Telecommunications companies are not concerned about security, or more specifically their customers’ security.  They are concerned about security that affects their systems or their brand image.  But if you are trying to get them to spend money on technology that will help secure their customers or make the Internet a better place, it is a much more difficult sell.  Basically, unless there is some way it will affect the customer directly, or they will look bad if it becomes public, or they experience downtime that might tarnish their image, they are not interested.   There are international differences with telecommunications companies and security, but even in these cases you can boil it down to laws or issues that will affect the customer directly in some way.  When they do engage in security, if the telecommunications company can spin it so it looks like they are taking care of their customer, all the better.

The telecommunications industry should be regulated. Just as gas, hydro, and emergency services are regulated industries, so should the telecommunications industry.  The Internet is an essential service now, for those that disagree I encourage you to go and pull the plug on your Internet service during a peak time and see what happens.   These companies should have simple and clear business objectives.  You deliver bits of information.  Your job is to deliver packets to their destination as quickly and efficiently as possible.  The type of packet or data it contains is not your concern, just deliver it and charge accordingly.  And yes, charging accordingly should be regulated, just like electricity.  I am not suggesting there is not a need to prioritize certain traffic over other traffic, just that the telecommunications companies should not be concerned about that.

They are fighting against becoming a commodity. When I started at my previous employer, they were easily one of the top in their field and the best at what they did.  There was and still is a great group of people that work there to make that happen every day.  Although there was competition, they were easily the leader.  Move ahead 5 years and there are many players that are as good.   Cisco and Juniper now offer comparable feature sets in their existing hardware that didn’t exist before.  From a security perspective, some of their ideas were ahead of their time.  But they have been surpassed in this area now due to increased competition and smaller companies with a focus in specific areas.   The big focus in the industry over the last year or so has been wireless.  While wireless offers many opportunities, the competition is not as it was when broadband became popular.  Lessons learned from broadband will be applied to wireless by everyone.  The playing field is much more level now than it was in the past.

Net Neutrality. While a recent decision has the market declaring that net neutrality is dead, I don’t believe it is over.  Rather the fight has just begun.  Personally I feel the way to end the debate is to force everyone to pay for what they use, and regulate the industry and what they can reasonably charge, like other essential services.   Given the increase of encryption, privacy awareness, and detection avoidance practices, the current methods of deep packet inspection will become useless.  A different approach has to be developed.

These are the major reasons for wanting to leave telecommunications for the time being.  I did look at and consider other offers in the telecommunications field and I may go back someday.  For now I’ll enjoy watching what happens from a distance.  In my new position, I will still be working with telecommunications carriers and vendors, just as a customer.   Albeit a customer with a lot of experience and knowledge from the other side.  In a future post I will write about my reasons for choosing the financial services industry.

Do you ever consider changing not just your current employer, but an entire industry?   What would make you consider such a switch if at all?
