This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.

Desktop Lockdown has failed.

But so has complete freedom.

So what do you do?

From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and to prevent users from disabling security applications.

Lockdown has failed for a number of reasons. In XP, the locked-down experience is lacking. You can't change the time zone or install a printer driver. It's not workable for the traveling user.

Locking down computers failed because new technologies bypass local controls. For example, it doesn't prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by a lack of admin rights.

It's almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be any better at not falling for fake AntivirusXP, but they expect full access all the time.

Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.

Saying that lockdown has failed does not mean that complete freedom has succeeded.
The cost of managing end user computers is far greater for unmanaged computers. The risk of virus attacks is much greater with administrative rights.

So what do you do? The talk reviewed multiple alternatives.

Alternative 1 De-Privilege Admins - UAC
UAC prompts to elevate rights when admin rights are needed.

As you already know, that can be annoying if you have a lot of poorly written applications that need admin rights. Also, depending on the user, this can be barely a speed bump in stopping malware.

Alternative 2 Whitelist
While basic whitelisting is currently available in Windows XP and later, as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don't have to manually update each time a new version is released. They can also use reputation services that make a judgment about any new or unknown files.

One user, when told we were considering this technology, stated that as an engineer he installs all sorts of software and really important work would stop if he couldn't install every random file he found on the Internet.

Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex and can cause instability issues depending on how they are integrated.

Alternative 3 Remote Presentation
In this scenario users log into a remote server such as VMware or a terminal server. Of the local computer and the remote session, one is managed and one is unmanaged.

This scenario requires solid network connectivity. It also isn't clear how the network is protected from the unmanaged computer.

Alternative 4 Multiple Virtual Machines running locally
Unlike the previous example, the user can work remotely without a connection to a server: the virtual machines run on the local computer.

The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.

In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5 Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.

Alternative 6 Hybrid
A few from column A and a few from column B.

Alternative 7 Employee Owned PCs
I've read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy, because a craftsman's power saw isn't going to get infected and DDoS the network. (Although cheap worker-provided power tools could break spectacularly in a particularly liability-inducing fashion.)

The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then, while using the road, he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.

Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest, although virtualization is moving fast. XP Mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet-facing application?

For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way, I'd love to know what percentage of companies in general, and Federal Contractors in particular, lock down their computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.

These are notes from the last session at the 2009 Gartner Security Summit; a tongue-in-cheek look at the worst best practices in IT.

We're all familiar with the upcoming change to IP version 6. The main impetus for performing this migration is the IP address space crisis.

The reality is that few enterprises have a lot of public IPs. The migration to IP6 is costly and fraught with questions.

I almost questioned including this item, because I think it is more widely believed that IP6 is not worth the trouble than that it will be a cure-all.

By 2014, 20% of remote and mobile employees will connect via an IP6-enabled ISP. That necessitates our action.

These are notes from the last session at the 2009 Gartner Security Summit; a tongue-in-cheek look at the worst best practices in IT.

The real problem here isn't with two factor authentication as such; rather, it is with bad implementations. Inconsistent definitions of two factor authentication allow implementers to do whatever they want. Not every method is equally strong, and it is possible to pick two factors that together are less secure than a single stronger factor. The level of assurance and accountability in each factor of authentication should be considered.

In reality, even a password by itself can be two factor. It's something you have (company laptop) or some place you are (work) in addition to something you know.

We've all logged into our bank where we've been asked something we know (our password) and something we know (personal info). When used like this, two factor authentication is security theater.

Use more than just a password when performing two factor authentication. Or, conversely, require a PIN when using a token for authentication. Otherwise authentication would be granted by mere possession of the device.
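The token-plus-PIN rule above, as an added example that is not from the talk: an RFC 4226 HOTP token supplies the possession factor and a PIN the knowledge factor, and the server refuses a login that brings only one of them; is_two_factor also flags the bank case, where two knowledge prompts still count as a single factor. The account class, the PIN hashing and the counter window are my assumptions, not any product's design.

```python
import hashlib
import hmac
import os
import struct

# Factor categories. Two prompts from the same category (password + "personal info")
# are still ONE factor, which is the "security theater" case above.
KNOW, HAVE, ARE, WHERE = "know", "have", "are", "where"

def is_two_factor(factors) -> bool:
    """factors: list of (category, label). True only if two distinct categories are used."""
    return len({category for category, _ in factors}) >= 2

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)

class TokenAccount:
    """Server-side record for one user (assumed design): a token secret (something you
    have) and a PIN (something you know). Login needs both, so possession alone fails."""
    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.counter = -1      # highest counter value already accepted; -1 = none yet
        self.window = window   # how far ahead of the server the token may have drifted

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin, code):
        """Return (ok, reason). Both checks always run, so a bad PIN does not
        short-circuit and reveal which half was wrong through timing."""
        if pin is None or code is None:
            return False, "PIN and token code are both required"
        pin_ok = hmac.compare_digest(self.pin_hash, self._hash_pin(pin))
        matched = None
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False, "authentication failed"
        self.counter = matched  # consume the counter so the same code cannot be replayed
        return True, "ok"
```

The HOTP values can be checked against the RFC 4226 test vectors (secret "12345678901234567890", counter 0 gives 755224).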

The Gartner Information Security conference is over so I have a chance now to catch up on some blogging. I'm planning to spread my posts out over a few days.

The last session was a tongue-in-cheek (or sometimes just truthful) look at the worst "best practices". People have dumb ideas accepted as gospel. Times change, and what was once an OK idea now just needs to go away. In addition to ideas, there are also technologies that aren't as useful as they are billed.

First on the list of questionable security best practices is Default to Deny. Default deny is ingrained in security culture. The discussion leader said that is the problem. What was meant as a technical rule became a cultural mantra. It was a repeated refrain during the conference, "Infosec is known as Dr No". We need to be aligned with the business first and foremost.

A "default deny" Infosec is one that is innovation phobic. When Infosec says "no", the business will circumvent it, and now you're in a worse situation: the activity is taking place, and it's completely unmanaged. As an aside, my goal is to allow users to do it, but make it secure. In the case of IM, you get IM security and block IM that circumvents it. You provide a VPN and block GoToMyPC.

The presenter argued that default enable supports innovation. You block known bad, and you monitor the rest. And here's the worst part of the argument in my opinion: you use a honeypot to look at what the bad guy is trying to do to your open port, and you learn. (This is a horrible argument because you are potentially destroying your company's security for your personal edification. Also, honeypots can still exist in other network locations. Default allow on the firewall is not necessary for that.)

Ultimately, this presenter's goal wasn't Jericho. The goal of removing default deny is expunging Dr No rather than removing the last rule on everyone's firewall.

The discussion was interesting as well:
1. If you think you're doing "default deny" you are wrong. The universal firewall traversal exploit (80/TCP) and the secure universal firewall traversal exploit (443/TCP) let through plenty. Beyond that, users seem to work to circumvent default deny through other methods, both accidental and intentional.
2. This talk of needing to align ourselves with the business is wrong. We're a part of the business.
3. If we don't assume badness and default deny, then we will be drilled by innovating bad guys who are always a step ahead.
4. Control is an illusion of your personal experience.
5. How many companies have failed due to an Infosec breach? (I think this was an argument for default allow.)
6. Sometimes you have to let them fail. I hear infosec people say this, but what about due care? You can't just wash your hands and wait for them to shipwreck. Make sure you have a get-out-of-jail-free card.

My thoughts:
I hate the concept that if I can't prove something is insecure then it must be secure. You run into that all the time with patching or with any new service. To these people it is not enough to have a concept of how a service would be exploited; you have to demonstrate the exploit. It will be a challenge going into the future as services become more dynamic, technology more consumer oriented, and access to data needed anywhere.

The second talk I attended on Sunday at the Gartner Information Security Summit was Debra Wheatman on How to Sell Yourself to Management. Debra is the Chief Career Strategist with ResumesDoneWrite.

At work one of our stated goals is "to grow and live the $company brand." In this talk Debra reminds us "You're always selling something." I should be worrying about my brand. Do I have PR agents who are repeating the news of my success? Am I consistently putting forward a good image?

The concept of a career map was new to me. Basically it's determining where I am and establishing short term goals. Since finishing a Masters in Computer Science in 2006, I've been coasting a bit. My progress at work seems to have been side-tracked. Creating a career map sounds like the sort of thing that would help me think some things through. I am going to Google to get more on that.

You may find upon creating a career map that your dream job or desired role doesn't exist in your organization. When this happens there are two possibilities: build a case for creating the post, or get out. Changing the status quo is not easy.

The bulk of the time was spent discussing the resume, the cover letter, and interviews. In spite of all I've read on resumes, I got some new ideas. I have enough trouble writing a few sentences for the 'about me' on this blog or on LinkedIn.

Probably the thing I'll remember most from this talk was the suggestion that it's OK to ask what their budget is. It's funny: they would essentially ask you the same question, yet it will be awkward when the applicant asks.

Eric Ouellet on DLP


A new Gartner Magic Quadrant covering Data Loss Prevention was released this week. Eric Ouellet spoke on this at Pre-Conference for Gartner's Security Summit.

In spite of several years of DLP hype, Ouellet indicated that it is not yet at the sweet spot in the security product hype cycle. People who implement DLP often don't have fully formed goals; they leave the product in monitor-only mode and are disappointed with the results.

It is important first to define terms. Gartner has begun calling it Content Aware DLP: a DLP that is content or context aware. Many vendors say they have Data Loss Prevention. By one definition this is true: anything that prevents data from leaking is DLP. Under this definition vendors have claimed that USB port controls, Enterprise Digital Rights Management, hard disk encryption, and file tagging are DLP. None of those products are aware of the content of the data. To differentiate those products from the traditional DLP product space, Gartner uses the term Content Aware DLP.

Two trends have occurred since I last looked at DLP. Antivirus vendors have taken the lead (through acquisitions) and added client DLP agents to their suites. Also, it is no longer network-based agents versus desktop agents. It is necessary to have both unless you are only after a specific monitoring purpose.

With DLP I have always struggled with the use case. It's pretty easy to install and report on credit card or social security numbers. But how does the DLP find what is important to my company? I don't even know what should be protected. The limited FIPS data classification that we've done doesn't help either. I did learn that 90 percent of deployments are for compliance purposes (PCI, HIPAA) rather than for the protection of Intellectual Property.
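To make concrete what "content aware" means, here is an added example (not from the talk or from any vendor) of the easy case just mentioned: flagging card numbers and SSNs by inspecting the data itself rather than the port or device it travels through. The regexes, the Luhn check and the sample message are my own constructions, and the example also shows why this is the easy case: nothing in it would find a company's own intellectual property.

```python
import re

# A DLP engine is "content aware" when it decides on what the data IS, not on
# which port or device it moves through. Two detectors that are easy to build:
# payment card numbers (pattern + Luhn checksum) and US SSNs (pattern + rules).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional spaces/dashes
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; valid if sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return digit runs that look like a card number AND pass Luhn; the rest are noise."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)

def inspect(text: str) -> dict:
    """Content-aware verdict for one message: what was found and whether to block it."""
    cards, ssns = find_card_numbers(text), find_ssns(text)
    return {"cards": cards, "ssns": ssns, "action": "block" if cards or ssns else "allow"}

# Constructed sample message (not from the page): a well-known test card number,
# one SSN, and a 13-digit order number that looks like a card but fails Luhn.
SAMPLE = ("Hi, please charge card 4111 1111 1111 1111 for order 1234567890123 "
          "and file it under SSN 123-45-6789. Thanks!")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```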

The message I heard was 'if you don't know you need DLP, then you don't need it.' Too often people think they need it because it's been written about in the tech press. If you are going to move forward, good general advice is: don't let the vendor's website write your RFP. Don't write in requirements you won't use. Certainly don't use requirements you won't use as a differentiator between vendors. Be aware of the false sense of security that DLP can provide.

Ouellet closed by advising that DLP is like a magnifying glass and the corporation is Pandora's box. You're going to find out things you didn't want to know. Rather than being the impetus for budget justification, in some companies it has called the use of the existing budget into question.

I'm at the Gartner Information Security Summit in National Harbor for the first part of this week. The next few blog entries will be notes from the talks I attended.

I'm a bit surprised to be paying $18 a day to park outside the beltway. (National Harbor's website claims $11; I guess the hotel garage is more.) It will be reimbursed, but it's still annoying.

I wonder if there is a lot of crossover between people at this conference and people at Shmoocon? It gave me a chuckle anyway. Probably shouldn't break out the "I hack charities" t-shirt for this Gartner conference.

As I feared, the usual lack of power options was in full effect. In one room I was able to sit right by outlets; in another only folding walls were nearby, and I didn't see any power. Looks like my decision not to bring a laptop today was a good one. I'd love to use the tablet for handwritten notes, but at this point the battery life is barely an hour. My mini has some great battery life, but I'm not sure the small keyboard would allow me to take notes very fast. No big deal; it's better not to have to protect a laptop.

BridgeChecker


I've blogged several times about the desire to disable the wireless card when the wired card is connected.

A comment on one of my older entries points out that there is now free software to do this.

http://www.wlanbook.com/disable-wireless-connected-lan-xp-vista/

http://www.wlanbook.com/bridgechecker/

I'm now using SEP11 for this, but I'm passing it on in case others are still looking for a solution.

My older articles:
New version of Autoswitch out
Disable Wireless when Wired Connected
SEP11 and Wireless Management
Disable Wireless on LAN Access
