
Volume 10 Issue 5

May 2012

Wi-Fi Positioning Systems: Beware of Unintended Consequences
Social Media Policy and the Law
Understanding Private Cloud Security
Perspectives on the Practice of Security Architecture
Using Component Categories and Relationship Mapping in Security Architecture


Table of Contents

ISSA Journal | May 2012

Feature

12 Using Component Categories and Relationship Mapping in Security Architecture
By Kevin Stoffell, ISSA member, National Capital, USA Chapter
Five categories for grouping both technical and non-technical security architecture elements are presented that are consistent with the security control types found in most major control frameworks. Mapping of element relationships between the categories ensures traceability from policy down to individual technical functions and enables the architect to perform a more effective gap analysis of the entire architecture.

Articles

19 Wi-Fi Positioning Systems: Beware of Unintended Consequences
By Ann Cavoukian and Kim Cameron
This article explores the unintended consequences that arise when location data is established, shared, and used through Wi-Fi Positioning Systems.

23 Social Media Policy and the Law
By Jon Banks, ISSA member, Metro Atlanta, USA Chapter
Organizations cannot escape social media's ubiquitous presence and the unique challenges it creates. This article examines various laws and regulations that must be considered when creating our social media policies to avoid these legal risks.

30 Understanding Private Cloud Security
By Yuri Diogenes, ISSA member, Fort Worth, USA Chapter, and Dr. Tom Shinder
This article covers the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

35 Perspectives on the Practice of Security Architecture
By Tohru Watanabe, ISSA member, New York Metro, USA Chapter
This article reviews the current state of the practice in an effort to enhance the practice of security architecture.

Also in this issue

5 From the President
6 Herding Cats: The Invisible Mr. Security Guy
7 Sabett's Brief: It's the IP, Stupid!
8 Ethics and Privacy: Waging War in the Digital Age
9 Career Corner: Hidden Requirements
10 Association News
24 Book Review: Social Engineering: A Must-Have Book and Skill
40 toolsmith: Buster Sandbox Analyzer
43 Conferences
47 Crypto Corner: Lemons or Lemonade?

© 2012 Information Systems Security Association, Inc. (ISSA). The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 9220 SW Barbur Blvd. #119-333, Portland, Oregon 97219.

Welcome to the May Journal
Thom Barrie, Editor, the ISSA Journal

ISSA Journal
Editor: editor@issa.org
Advertising: advertising@issa.org, 866 349 5818, +1 206 388 4584 x101

So, is my phone spying on me? Again?

Last year we were alerted to a little piece of embedded software the carriers use to maintain the quality of their networks: Carrier IQ. Ostensibly it collected only signal data between the device and cell towers, but a researcher demonstrated it was, in fact, collecting a whole lot more. Okay, let's up the ante. How does my phone know where it is? Location is determined by GPS signals, cell tower signals, or nearby Wi-Fi access points utilizing Wi-Fi Positioning Systems (WPS). Ann Cavoukian and Kim Cameron describe the Wi-Fi option in "Wi-Fi Positioning Systems: Beware of Unintended Consequences," which got my "they're watching me" hackles up. WPS identifies wireless access points by MAC address and location. So, when I request location data while walking past a wireless hotspot, the WPS database gets queried with its MAC address. If it's there, I get my location. WPS now has my MAC address and location as well. So, here's where the paranoid in me takes over. As I go about my life, passing this hotspot and that, are my movements being tracked? Is my home router now in WPS as well? Can someone determine when I'm home or when I'm not? Or where my home is? I just entered my coordinates in a random find-your-location page and it gave me my address in 30 seconds. But then the rational part of me takes over and says, "Nah, my data is safe from prying eyes and sticky fingers. No problem. And it sure is nice to know where I am." On a brighter note, Russ McRee, longtime toolsmith author, has been awarded Honorable Mention in the American Society of Journalists and Authors' 2012 Outstanding Articles Awards. See page 11 for details. Congratulations, Russ! Thom

Editorial Advisory Board

Mike Ahmadi
Candy Alexander, Distinguished Fellow
Michael Grimaila, Fellow
John Jordan
Mollie Krehnke
Michael Machado
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise, Chairman, Distinguished Fellow
Branden Williams, Fellow

Services Directory

Website: webmaster@issa.org, 866 349 5818, +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, +1 206 388 4584 x103
Member Relations: member@issa.org, 866 349 5818, +1 206 388 4584 x103
Executive Director: execdir@issa.org, 866 349 5818, +1 206 388 4584 x102
Vendor Relations: vendor@issa.org, 866 349 5818, +1 206 388 4584 x101

Headquarters: ISSA Inc., 9220 SW Barbur Blvd. #119-333, Portland, OR 97219, www.issa.org. Toll-free: 866 349 5818 (USA only), +1 206 388 4584. Fax: +1 206 299 3366.

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication, and the results obtained from such selection or implementation, are the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry and/or changes or enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author's experience. Please call or write for more information. Upon publication, all letters, stories and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

From the President

DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Hello ISSA members

Kevin L. Richards, International President

I don't know what makes Corinthian leather special, but somehow, I feel like I really need it. I'm sure it's better than the leather I already have (it must be), but I'm not sure why. (Right about now, I'm guessing you're hearing Ricardo Montalban in your head: "r-rrich, Corinthian leather.") How are you solving your big data problem? I wasn't aware that I had a big data problem, but now that I think about it, the data is big; it must be a problem. Although I'm not sure if I'm supposed to be worried about data elements that are big, or perhaps that I have to watch a bazillion files that are running around my network... Or maybe in my highly instrumented infrastructure of firewalls, servers, IDS/IPS, DLP, and other security tools, perhaps I do need a way to aggregate, correlate, identify, and understand events in my enterprise. That does sound like a problem. Marketing plays a huge role in the products we buy. The challenge we face as a community is less about the things we buy and more about how we leverage those tools to solve significant problems. The sensitivity and focus on information security continues to be at an all-time high in the media, in the boardroom, and in our daily practices. Focusing on the end goal, protecting our companies, our countries, and our families, will help us extract the maximum value from the tools we buy. Speaking of marketing (branding, more specifically), hopefully you've noticed the beginning of our new branding initiative. Last month, we presented our updated tagline: "Developing and Connecting Cybersecurity Leaders Globally." Along with the tagline, our Marketing Committee tackled the task of updating our logo, and they did a great job! The new logo captures the essence of the ISSA: a global community protecting those things we find most valuable. The last phase of our branding effort will be a redesign of our web presence and our interaction with our member community. These updates will be completed over the next few weeks. If you haven't done so yet, save the dates for the ISSA International Conference, October 25-26, 2012. This year's theme: "The Magic Kingdom: Embracing a Changing World." New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney's innovative vision, the cybersecurity community will gather at the Magic Kingdom to look at change as a chance to achieve excellence. Disruptions like big data, cloud computing, massive collaboration, and business transformation make it possible for us to blaze new trails and build effective foundations. This is an exciting time to be in the information security field. Details on the conference can be found at www.issaconference.org. Finally, our International Board elections will be starting June 1. General, Government Organization, Corporate Organization, CISO Executive, and Lifetime members in good standing as of May 31, 2012, will be eligible to participate in the election. Ballots will be emailed to the address in each ISSA member's profile. Please take a moment to review your member profile to assure the ballot reaches you properly. I am continually reminded of the power and passion of our members. Please join me in thanking all of the chapter officers for their continuing dedication, all who volunteer to support the ISSA, and you, the ISSA members, for all that you contribute to our global community. Cheers! Kevin

International Board Officers

Kevin L. Richards, CISSP, President
Andrea C. Hoy, CISM, CISSP, MBA, Vice President
Bill Danigelis, CISSP, Secretary/Director of Operations
Kevin D. Spease, CISSP-ISSEP, Treasurer/Chief Financial Officer

Board of Director Members

Debbie Christofferson, CISM, CISSP, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Geoff Harris, CISSP, ITPC, BSc
Steve Hunt, CPP, CISSP, Distinguished Fellow
Pete Lindstrom, CISSP
George J. Proeller, CISSP, CISM, Distinguished Fellow
Nils Puhlmann, CISSP-ISSMP, CISM
Ira Winkler, CISSP, Distinguished Fellow
Stefano Zanero, Ph.D., Senior Member

The Information Systems Security Association, Inc. (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Herding Cats

The Invisible Mr. Security Guy

By Branden R. Williams, ISSA Fellow and member, North Texas, USA Chapter

"Hey Mr. Security Guy. It's time."

There are so many ways we can take this column from that intro, but here's where I want to go today. The topic of the issue is Security Architecture, and it's looking totally different with every passing day. If you have been in the industry for longer than ten years, think about how you used to focus your activities on one main firewall and a robust antivirus system to keep things running (aside from the random chaos monkey ripping core infrastructure offline). If you have been around for five years, think about all this compliance stuff we've had to deal with, primarily led by PCI DSS and in some cases the health care acts in the US and privacy acts in Europe. If you've been in for just a couple of years, think about hacktivism, advanced threats, and organized cybercrime that dominated 2011. Security architecture is always in a strange place. Either it's playing catch-up with new and innovative attacks, or its draconian nature undermines its ability to be functional to the business. The former tends to be much more of the norm as companies rely on basic stuff like compliance to allow them to redirect a few dollars toward more advanced things like advanced attacks. Draconian security exists in places like financial services and governments, but isn't it interesting how some controls force people to think creatively about ways to defeat them? Does "Just email the attachment to my Gmail account" or "rename the .exe to .txt so my company's filters won't block it" sound familiar? Another interesting phenomenon that's happening is that our physical control over resources is increasingly disappearing as we create efficiency in our systems by operating in an abstraction of the physical layer. If we can't put our finger on the machine that is running some IT application anymore, how do we build architecture to secure it? One challenge I am pushing people to take on is thinking about how security can be consumed transparently (i.e., built-in) by the end user. That forces the issue of securing information, wherever it may be. We have the technology and it's affordable! Ten years ago, very few companies used things like secure enclaves outside of physical processes in a physical world. Finding a company with an additional firewall in between a grouping of servers in 2002 could be the equivalent of seeing a leprechaun riding a unicorn on a rainbow. Today? It's pretty common. What about encryption for data at rest? In 2002 it didn't happen that much either (albeit more than secure enclaves). Computing resources were much more expensive back then when you tried to accomplish things like encryption, but now embedded devices do it just fine.[1] There is almost no reason to trust any computing resource in this day and age because we can architect solutions to enable business without blind trust. Ask yourself this: do you trust any network you connect to? Do you click through SSL certificate warnings? Do you throw caution to the wind and avoid SSL altogether? Most of you probably don't, but I guarantee someone close to you does. It's time for us to change our ways. We need automation, deep visibility into our systems and activities; we need the ability to build risk decisions into our infrastructure and to alter our posture in an automated and agile way. And the most important part: we can't be jerks about it! We have to seamlessly integrate security into our businesses such that they don't even know we were there. Security must be architected to be consumed transparently. There's an old business adage that reminds us that consumers want simplicity. They don't want to jump through hoops to do business with any company. Business people don't want to jump through hoops every time security shows up. They just want things to work; they want them to work well; and they need to focus on what they do best (which isn't information security). If you're banging your head against the desk every time you read something like this, consider that your approach may be all wrong. When's the last time you sat down with business leaders and just let them talk about their business and what's important to them? It's painful at times, but building that rapport is critical to your unlocking the "Security Ninja" achievement!

[1] When they mind their p's and q's, that is.

About the Author


Branden R. Williams, CISSP, CISM is the Global CTO of Marketing at RSA, the Security Division of EMC, and regularly assists top global retailers, financial institutions, and multinationals with their information security initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

Sabett's Brief: It's the IP, Stupid!

By Randy V. Sabett, ISSA member, Northern Virginia, USA Chapter

My wife and I continually remind our 6-year-old daughter that "stupid" is not a nice word, so I know I'll have some explaining to do when she sees the title of this month's column. In my defense, I am using a modified version of "it's the economy, stupid" to illustrate a point. Much of the work we do involves the intersection of privacy and security, with PII, PHI, and all other kinds of PI as the main focus. I would submit, however, that too many people are forgetting about (or, perhaps, ignoring) cybersecurity intrusions that lead to intellectual property (IP) theft. In an appearance before the Senate Armed Services Committee last month, Gen. Keith Alexander, Director of the NSA (DIRNSA) and the Commander of the US Cyber Command (CYBERCOM), painted a somewhat bleak picture of our nation's cybersecurity posture. Gen. Alexander observed that "[d]angers are not something new in cyberspace, of course." He noted, however, that attacks on both critical infrastructure and corporate networks were becoming more severe and, in a very sobering and alarming tone, he stated "[t]he theft of IP is astounding." This echoed Sen. Levin's opening remarks, where he recounted that the relentless industrial espionage being waged against US industry and government, chiefly by China, "constitute[s] the greatest transfer of wealth in history." Various public accounts support this (including recent reports of the ten-year network intrusion into Nortel networks). Observing that "[c]yberspace has a scope and complexity that requires inter-agency, inter-service, and international cooperation," Gen. Alexander described a host of challenges facing CYBERCOM. To address these issues, he described a number of different efforts and stressed the need for private sector involvement, including information sharing both with government and intra-industry. Many of these efforts are reflected in currently pending legislation. As of this writing, there are two main bills on cybersecurity in the Senate and four in the House. To a greater or lesser extent, all address the issue of IP theft resulting from cybersecurity breaches. Echoing a view shared by many, Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence and co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), has stated publicly that dangerous economic predators, including nation-states like China, use the Internet to steal valuable information from American companies and unfairly compete with our economy. The cost is staggering. Years of effort and billions of dollars in research and development, strategic business plans, communications, and other sensitive data all are lost in seconds. The victims span all sectors of our economy, from small businesses to large pharmaceutical, biotech, defense, and IT corporations. The question of the hour in Congress is whether an appropriate balance can be struck between the many competing interests. The most vocal opponents of cybersecurity legislation raise privacy intrusions as the greatest concern. The authors of CISPA, the lead bill on the House side, have been feverishly revising their bill to address these concerns. Similar concerns have been raised with the Senate bills, though less work appears to have been needed to address privacy concerns. Ultimately, what does all of this mean for the private sector? First, meaningful information sharing may, after many years of debate, become a reality under any compromise that winds up getting struck between the Senate and House cybersecurity legislation. Despite critics who have said that information sharing won't work, an approach seems to be within reach that would: (1) protect private actors against unknown liability, (2) allow government to react more quickly and effectively to incoming threats, (3) provide more complete information to both, and (4) protect privacy concerns. Second, the continued focus on cybersecurity would seem to offer even greater opportunities for companies that take security and privacy seriously to differentiate themselves in the market. Finally, and perhaps most importantly, the public recognition by the government of IP theft as one of its greatest concerns means no company should take this threat lightly. No one is immune to threats from the broad array of attackers, whether advanced persistent threat (APT) actors or cyber activist groups. And with that, I'm now off to explain to my daughter why it's OK for daddy and mommy to use the word "stupid"...

About the Author

Randy V. Sabett, J.D., CISSP, is Counsel at ZwillGen PLLC (www.zwillgen.com), an adjunct professor at George Washington University, and a member of the ISSA NOVA Board of Directors. He was a member of the Commission on Cybersecurity for the 44th Presidency and can be reached at randy@zwillgen.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of ZwillGen or Mr. Sabett.

Ethics and Privacy: Waging War in the Digital Age

By Michael Starks, ISSA member, Fort Worth, USA Chapter

This column appeared in the March 2012 ISSA Journal.

It was an attack straight out of a Hollywood thriller. A computer worm spread throughout the world, delivering its payload only when the true target had been found. Capable of exploiting four previously unknown vulnerabilities and gaining the trust of an operating system by way of digital signatures, it was clearly not the work of an amateur. Finally, it would find its target: an Iranian uranium enrichment facility, where it would proceed to change the speed of up to one thousand centrifuges, destroying them in the process. The world would meet Stuxnet, the first clear demonstration of what some call cyberwar. It's no secret that militaries around the world are developing cyber weapons. Young talent is recruited to poke and prod enemy systems, looking for ways to infiltrate the digital stronghold. Control or destruction of enemy computers is seen as the virtual equivalent of storming and conquering a hill. Critical infrastructure of all kinds is now controlled by computers. Control the computers and you control the enemy. Smart adversaries won't attack just the computers; they will attack an objective. The objective of Stuxnet was not the centrifuges, but to delay or stop the development of Iran's nuclear program. An enemy's surveillance drone could be shot down, or it could be reprogrammed into a missile and turned back at them. Remote-controlled military robots are now capable of carrying machine guns, giving "first-person shooter" an entirely new meaning. War has rules. The Hague and Geneva Conventions set forth frameworks for conduct: how prisoners of war should be treated, the use of chemical weapons, impact to civilians, and access by religious and medical noncombatants. Ratified during a time when the concept of a modern-day computer worm was unthinkable, these rules have been fairly self-evident. It's a human who performs the torture, fires the missile, or releases a chemical weapon. Just as security transcends technology, so do ethics.

In no other era could ethics be more essential than in wartime, and in no other context could security professionals find themselves more challenged. The questions are many and profound: Is it ethical to develop a worm that will destroy or delay the up-and-coming nuclear capability of a sovereign nation? What if there is a bug that causes unexpected damage, and what if that damage affects a civilian hospital? Where are the borders? Can the attack be contained? Can the virus or worm be called back when the peace treaty is signed? Finally, what are the ramifications in an age when a machine can make basic choices for itself? Is a dispassionate, algorithm-based decision by a robot to kill a civilian a violation of the rules of war? If so, who is at fault? Is it the brilliant nineteen-year-old government-contracted programmer? Is it the systems administrator? Or is it the robot itself, only to then be tried, convicted, and sentenced to a life making spare parts for automobiles? The line between a traditional and a virtual war will continue to become blurred. The wars of tomorrow will be fought on many fronts. Soldiers will use heads-up displays, drones will continue to roam enemy skies piloted half a world away, and worms will wiggle their way into enemy systems. There remains, however, one constant: humans will be behind the technology, whether in the initial stages of development or deploying it onto the battlefield. This is where the ethical framework must exist.

Thoughts?

See page 34 for a comment on Connect.

About the Author


Michael Starks, CISSP, CISA, is a System Security Engineer for OmniAmerican Bank. He is a member of the ISSA Professional Ethics Committee, the OSSEC HIDS team, and is a founding member of the ISSA Rochester, NY Chapter. His personal blog is at http://www.immutablesecurity.com, and he can be reached at issaarticle@michaelstarks.com.

The ISSA International Ethics Committee is an active group of ISSA members missioned to maintain a framework for ethics relating to practices that support the ISSA Code of Ethics, provide guidance on ethical behavior for Information Systems Security professionals, and provide education and outreach that increase awareness and promote positive actions.

Career Corner: Hidden Requirements

By Joyce Brocaglia

When beginning a search for an information security professional, our first step is to have an in-depth conversation with the hiring manager. Regardless of the level of the position, this initial discussion centers on the organizational chart, the responsibilities of the role, and expectations for success. Hiring managers typically have a job description prepared with specific deliverables that the position is responsible for executing or managing. I'm sure you have seen many of these descriptions posted internally to your organization or externally on job boards. Many security job postings focus on the technical requirements. What many people fail to recognize is that this is just the price of admission and far from a guarantee that the job is yours. Although many people focus on these written requirements when interviewing, it is your ability to fulfill the hidden requirements that will ultimately land you the job. The hidden requirements are traits that you have to make evident to your current employer or have the ability to convey to a potential employer. I speak often about differentiators: your ability to articulate the value you add to the overall success of your team and your company as a whole. One of the greatest differentiators is the soft skills that you bring to the table. It is essential that you recognize the importance of conveying these skills to a potential employer. Make sure that you can identify and articulate a relevant situation or task, the action you took, and the result it had in relation to the following unwritten requirements. Although each corporate culture, specific position, and hiring manager may prioritize them differently, these three qualities are always differentiators in landing the job.

Organizational agility
When we talk about people, process, and technology, there's a reason why people come first. If you can't positively influence the people, all the processes and technology in the world aren't going to do it for you. You might be asked, "How do you socialize your security program?" They want to know how you achieve results without having direct authority or staff. You must be able to give examples where you were able to leverage your influence and get positive results. You must be able to highlight your organizational agility: knowing who to influence, knowing when and how to get things done through formal and informal channels. Whether or not you are interviewing, assess the strength of your organizational agility and work on making it better.

Effective communication
The only way you can communicate effectively is to articulate the business value. Know your audience and talk in a language that they are going to understand. One of the most difficult tasks for a technical information security professional to master is messaging. Learn to deliver the appropriate message to the appropriate audience. Focus on tailoring your security posture to the specific needs and risk appetites of the business. Utilizing shared goals and common ground will build credibility and gain consensus.

Ability to deliver
Almost every organization is over committed and under staffed. At the end of the day you have to prove your ability to manage, execute, and complete tasks successfully. Companies look for a track record of successful accomplishments in their leaders. Be able to articulate how you were able to make security an enabler, not a road block. Provide specific examples of difficult situations in which you rose to the challenge and overcame adversity.

I have also found that there are certain personal attributes that companies prioritize when hiring information security professionals:

Leadership: You must be passionate about your ideas and beliefs, willing to display the strengths of your convictions. You must be optimistic and flexible, and you must truly care about your team.
Confidence: In both yourself and in the importance of your mission.
Business savvy: This is the ability to understand the particular business you are in, its mission statement, and goals relative to how your security posture aligns with them.
Humility: Security roles are complex and require collaborating with many people with diverse skills. Appreciate that your opinion is not the only perspective.
Passion: If you aren't excited about your work, why should anyone else care?
Personal integrity: Integrity is the foundation upon which our industry is built.
Tenacity: With the ever increasing range of challenges we all face, the tenacity to succeed in the face of tall odds is an absolute requirement.
Sense of humor: Because having a sense of humor is often inspiring to your co-workers.

Whether you are interviewing or not, do a little soul searching and ask your
Continued on page 39.

Association News
Meet the Candidates for Your International Board of Directors

Sixteen of your colleagues have been nominated as candidates for your International Board of Directors and are willing to give of their time to ensure ISSA continually strives to serve you better. Three candidates for International President and 13 for five Director positions were announced this week by Patricia Myers, chair of the Nominating and Election Committee.

President: Debbie Christofferson, Dave Cullinane, Ira Winkler
Director: Candy Alexander, Eric Cowperthwaite, Mary Ann Davidson, John Dickson, Garrett Felix, Rick Moy, Michael Peters, Nils Puhlmann, Brian Schultz, Glenn Tenney, Roy Wilkinson, Vern Williams, Stefano Zanero

Watch for the candidates' profiles in next month's issue. Your unique voter credentials will be sent to you on June 1. To vote you must be a General, CISO Executive, Lifetime, assigned Corporate, or Government Organizational member in good standing and have a current email address in your membership profile.

Spring Selection Cycle Opens for Senior Member and Fellows

Applications for Senior Member and nominations for Fellow and Distinguished Fellow are currently open and will be accepted until June 14, 2012, at 11:59 p.m. US Pacific time. The submission guidelines and forms have been updated for this selection cycle; please consult the Fellow Program Guidelines and use the current forms to ensure you comply with all requirements. See www.issa.org/page/?p=269 for forms and details. The Fellow Program recognizes sustained membership and contributions to the profession. No more than 1% of members may hold Distinguished Fellow status at any given time. Fellow status will be limited to a maximum of 2% of the membership. There is no limitation on the number of members who may be granted Senior Member status.

Qualifications

Senior Member: 5 years membership; 10 years relevant professional experience.
Fellow: 8 years of association membership; 3 years of volunteer leadership in the association; 5 years of significant performance in the profession, such as substantial job responsibilities in leading a team or project, performing research with some measure of success, or faculty developing and teaching courses.
Distinguished Fellow: 12 years association membership; 5 years of sustained volunteer leadership in the association; 10 years of documented exceptional service to the security community and a significant contribution to security posture or capability.

If you have questions, please contact fellow@issa.org.

ISSA Web Conference

You've Got Humans on Your Network: Securing the End User

Live Event: May 22, 2012. Time: 9am US Pacific / 12pm US Eastern / 5pm London. Generously supported by Wombat Security Technologies.

Even the best technology can be circumvented; all it takes is timing and a good story. Melissa, I Love You, The World's Best Virus Scanner: what do these all have in common? They all circumvented security by tricking the users. As technology improves and the value of circumvention increases, the weakest link will become the end user. And don't kid yourself, APT has proven they will be targeted. This session will discuss the human element and its impact on security. To register for this event, visit www2.gotomeeting.com/register/275275850. For a full listing of the 2012 ISSA Web Conference Series, visit www.issa.org/page/?p=57.

New Logo Unveiled for ISSA International

As security professionals, we live in an ever-evolving world. Our field is growing while gaining visibility and stature. Our career paths have been guided through our affiliation with ISSA. We have developed our expertise and become leaders in our specialties. As a result, last week the International Board of Directors approved a new logo that reflects our current forward-looking security community and complements the recently-adopted tagline, "Developing and Connecting Cybersecurity Leaders Globally." The new visual identity retains the familiarity that many associate with ISSA International. The new tagline and logo are our way of evolving with you, the information security expert, and those flocking to our profession.

Tell Us How You Are Embracing a Changing World and Win a Pass to the International Conference

ISSA Members,

I am looking forward to seeing you at the 2012 ISSA International Conference. On October 25-26 we will gather at the Disneyland Hotel in Anaheim, California, for discussions focused on our conference theme, "The Magic Kingdom - Embracing a Changing World." I'm sure we have all seen change in our organizations over the last year: migrations to cloud, organizational mergers, increased knowledge about cybersecurity threats by business leaders, and consumer devices brought into the enterprise environment. Although not always our first reaction, these fundamental shifts are an opportunity to use our hard-won knowledge to design systems and policies to improve the business functions and make our organizations safer.

"When we were developing the theme for this year's event, I looked back at all the changes my organization has faced, and I'm sure we are not alone." Eric Cowperthwaite, CSO, Providence Health and Services, and Content Committee Co-Chair (2011 and 2012).

We must find ways to support our organization as it transforms its business models in the 21st century. Much of that is centering on adopting very innovative, forward-looking technologies: cloud computing, virtualization, big data, mobile devices. We can't stand in the way of that; it's critical to our business, but we still have to secure the organization. That's what this year's conference is all about. ISSA members are leading the charge to improve security while embracing the change of this new era of big data, cloud computing, massive collaborations, and business transformation.

We would like to feature your stories at the 2012 conference. How have you embraced change by looking beyond the challenges and making your businesses faster, better, smarter and, most importantly, safer? Summarize your story in Connect at https://connect.issa.org/thread/2087 (posting must be made before May 18, 2012 to be considered for the contest; 500 words or less).

Four lucky winners will be given a free conference pass* and will have their stories featured in the ISSA International Conference marketing. We all look forward to hearing how you are embracing change,

Stefano Zanero
Board of Directors, ISSA International
ISSA International Conference Chair (2010-2012)

Visit www.issaconference.org for additional details on the conference.
*The prize does not include travel or lodging for the conference. Winners will be voted on by the conference planning committee. Committee members are welcome to contribute a submission; however, by submitting they will be ineligible to vote on contest winners.

Journal Author Receives National Writing Award

ISSA Senior Member and toolsmith author Russ McRee has been awarded the American Society of Journalists and Authors (ASJA) 2012 Outstanding Articles Award Honorable Mention for "Memory Analysis with DumpIt and Volatility," ISSA Journal, September 2011. "I am very pleased to have received Honorable Mention from ASJA," stated McRee. "The toolsmith column in the Journal is successful in large part thanks to the dedication and zeal of the tool developers and their commitment to making the Internet and computing environments safer. I learn much from them in the process and hope it is conveyed to the readership in that light." McRee has been writing the toolsmith column monthly since October 2006, exploring a vast array of security tools while infusing the tireless pursuit of the bad guys with passion and wit. "Much appreciation is owed to the ISSA Journal for years of support and guidance," added McRee. "Recognition by the ASJA makes what is already my privilege all the more rewarding." ASJA was founded in 1948 and serves as a professional organization of independent nonfiction writers, currently with more than 1400 members. "Prize-winning entries in the ASJA Awards reflect such writing and stylistic excellence that we authors read them and think 'I wish I'd written that!'" said Salley Shannon, ASJA's president. "We created the awards not just to honor outstanding work, but to inspire us."1 Congratulations, Russ!

1 ASJA 2012 Awards, http://www.asja.org/media/nr120323.php.

Using Component Categories and Relationship Mapping in Security Architecture


By Kevin Stoffell ISSA member, National Capital, USA Chapter
Abstract
The use of architectural component categories and relationship mapping can provide a useful tool for the security architect. Five categories for grouping both technical and non-technical security architecture elements are presented that are consistent with the security control types found in most major control frameworks. Mapping of element relationships between the categories ensures traceability from policy down to individual technical functions and enables the architect to perform a more effective gap analysis of the entire architecture. The relationship mapping also identifies requirements for architecture elements based on their interactions with other elements.

How can we efficiently categorize the components of a security architecture? What components actually make up an integrated, mature security architecture for an organization? How do those components relate to each other and to the organization as a whole? In this article I will provide an answer (not the answer, as there are as many answers as there are organizations in the world) to these questions and others while providing a methodology to analyze an organizational security architecture. You can return significant value through an analysis of the relationships between various security architecture components through the identification of capability/process gaps that may exist, as well as providing a road map for the resolution of those gaps. Methods will be discussed for categorizing the security architecture components into five general categories (technical functions, human capabilities, structural descriptions, process/planning, and policy/governance). The component categories provide a framework for conducting a capability gap analysis and identification of organizational strengths and weaknesses in security functions, as well as identifying potential duplication of effort. The categories are designed so that each security function within the organization must be supported in some fashion by components in each of the five categories, either directly or indirectly. The lack of a supporting component in one category for any security function will likely indicate a shortfall, while multiple supporting components may indicate unnecessary duplication of effort.

Philosophy of terms
It seems at times that the information security industry is required by secret by-law to change terms every five years or so. Even in the last 15 years, we have morphed through information security, moved on to information assurance, swung part of the way back to information security, with subtle hints that mission assurance is about to become mainstream, and with many others thrown in from time to time in one industry or another. For consistency throughout this article, I will use the term security to encompass the concepts of Confidentiality, Integrity, and Availability, and not restrict the use of the term to confidentiality-related issues. Depending on the goals of the organization, the security architecture may have little or possibly no purely confidentiality-related functions and be concerned primarily with availability, whereas in another confidentiality concerns will reign supreme. Feel free to mentally insert integrity or availability wherever you see security. For those readers who have been around for a while, feel free to roll non-repudiation or authentication into the term usage as well.

A philosophical note on architecture

What is a security architecture? While this question may seem trivial, I would challenge you to ask five non-architect security professionals and would wager you will receive at least two or three significantly different answers. You will receive two or three different answers only because at least two out of any five people you ask will certainly reply with some variation of diagrams and supporting artifacts, and another couple will probably provide a more complete answer along the lines of the technical structure that provides security services to the organization. Neither of these answers is wrong; however, they are both significantly incomplete. I propose, at least for this discussion, that we consider the following: A complete security architecture is (1) an integrated set of technical and human functions, (2) the structural and relational descriptions of those functions, (3) the process and planning elements surrounding and supporting the functions, as well as (4) the policy and governance applied by an organization for control and direction. All of the security-related functions (human, automated, and governance) can be grouped together into the five component categories (technical functions, human capabilities, structural descriptions, process/planning, and policy/governance) to aid in mapping relationships and performing a gap analysis of organizational capability. I will discuss these component categories of an integrated security architecture in more detail in the following section, but for now consider the proposal that components in each of the five general categories exist in any organization with an Information Technology security mission, regardless of the emphasis placed on that mission. Unfortunately, in many organizations one or more of the component categories is ascendant and tends to obscure or limit the focus applied to other categories. For instance, the technical capabilities (widgets, devices, applications, interfaces, etc.) are often the primary focus of the security efforts. We are long past the point where most security professionals think a new widget will magically secure their environment, regardless of what the vendors at the trade shows say. However, many still persist in thinking that a group of loosely connected or even stand-alone security products will solve our problems without fully considering the non-technical elements required to support them. A good, well-thought-out suite of technological components is a vital portion of any integrated security architecture. There is simply no way to operate an effective security program without a significant number of technological devices and functions. What I am asking you to consider is that while the technological elements of a security architecture are critical to the overall success of the program, a well-designed, integrated set of products that complement one another is vastly superior to a much larger quantity of semi-random technologies chosen based on one or more unique functions. Also consider that the technological elements must be supported by the other architecture components, which are very much non-technical in nature, to be effective. The cost of effectively operating cutting-edge technical components is normally very high in terms of the human skills required and the organizational processes necessary to take a technical component from simply turned on to effectively operating.

Unfortunately, I have personally witnessed a number of organizations having a lot of very complex and nominally effective technical components that were pulled out of a box, usually by a vendor representative, and turned on with basic configurations, but are providing questionable value since the organization simply did not have the operators necessary to reconfigure or tune the systems, nor did they have the established organizational processes (e.g., change management program, threat intelligence, etc.) in order to manage the systems well over time.

Components of an effective security architecture


As noted in the introduction, there are five basic categories of security architecture components. It is certainly possible to combine some of the categories, or further decompose the component categories into more granular components, but I have found that grouping security-related components and functions into these categories tends to make the most organizational sense. These categories are also consistent with many of the common supporting processes (e.g., Systems Design and Engineering, Program Management) and Information Assurance (IA) control frameworks to allow mapping of dependencies, requirements, and constraints among the components. You will find that the controls defined by many of the common security control frameworks can be easily mapped into these component categories.

1 - Technical functions component


The technical functions of the security architecture consist of the sum of all security functions provided by the systems, devices, and applications in the organization. You will notice that this definition is not restrained to particular systems (e.g., those run by the security department), but covers all systems that have security functions. All security functions inherently have some operational cost and maintenance cost, even if very low. Many require specialized knowledge or skills to operate or maintain effectively and are often maintained via a human-based organizational process. In all cases, technical security functions must fit into the organizational governance structure in some fashion to ensure consistency of application across multiple systems with the same functions, to ensure compliance with regulatory requirements, and to ensure effective performance based on the organizational security posture. Additionally, most technical security functions will have some description/documentation requirement, either to maintain configuration control or for recovery/reconstitution purposes.

2 - Human capabilities component

The human capabilities component of the security architecture consists of the human resources and skill sets available to the organization for the performance of security-related duties. Again, this is not limited to one portion of the organization, but is intended to be inclusive of all elements in the organization that perform security functions or critical supporting processes of the security architecture. This extends from the junior system administrator for some technical security functions to C-level management for policy decisions, and all layers in between. Every individual involved in the security functions or related processes of an organization needs some level of security awareness and knowledge that can often be difficult to quantify.

3 - Structural descriptions component

The structural descriptions component consists of the sum of the documentation, diagrams, and artifacts describing security-related functions and processes within the organization. The reason I term this category structural descriptions and not diagrams is that it is much more than just the technical drawings. This category encompasses the relationships between organizational business units, information exchanges both technical and human, and dependencies between processes. While documentation for the sake of documentation is typically counterproductive, many organizations fail to properly estimate how much actual documentation is needed to support security functions. Not having important configuration information recorded can delay disaster recovery efforts more than missing hardware, and lack of appropriate diagrams during incident response can cause response failures or delays just as easily as poorly trained responders. But selecting the right level of detail in documents and artifacts can be assisted with an examination of the relationships between other components in order to develop a list of required documents/artifacts and what they must contain.

4 - Process and planning component

The process and planning architecture component comprises the organization's planning efforts and supporting processes that enable security functions. The systems engineering, program management, acquisitions, and many other processes not directly associated with the traditional security department functions are critical to support an effective security architecture. Many of these supporting processes have either direct or indirect relationships to the security architecture that must be understood and leveraged. A very common failure in many organizations is when the security department does not fully understand the acquisitions or system engineering processes. This is especially prevalent in very large organizations where the acquisition process may be a black box where requirements go in and some widget eventually comes out. In cases like that, incomplete requirement specification often leads to product selection within the acquisitions chain that fully meets the specified requirements, yet misses some function or requirement that would be obvious to the security professional but completely opaque to the acquisitions professional. One of my least favorite tasks has been to sit in a room with a representative from the acquisitions department and one from the legal department and attempt to articulate complex security requirements in both acquisition speak and legal speak. Unfortunately, it is an absolutely necessary task in many large organizations (or the government) where acquisitions are controlled by an acquisition or purchasing department.

5 - Policy and governance component

The policy and governance component consists of all organizational strategy, policy, or governance structure that directs, implies, or supports security functions and security management. Examples of components in this category would be the organization's risk governance and tolerance, acquisitions policies, and the obvious information security policy. Many organizational policies or mission statements will state goals that imply security requirements even though they are not specifically security policies. In this area, the security architect likely has little direct control, but with a proper understanding of relationships within the organization, may be able to exert some influence on even non-security-related policy, assuming the security architect or security manager is able to relate security requirements to financial or mission risk.

Relationship mapping
We have discussed five component categories for security architecture. While useful for categorizing security-related functions, what value do the component categories provide? They provide a useful structure for mapping relationships within the organizational security architecture. In this area I will issue a challenge to the reader. Take any security-related technical function (e.g., user authentication) related to confidentiality, integrity, or availability. Make an effort to prove that function has no relationship whatsoever with something from each of the other four component categories. While I fully expect most people will be able to find at least one example of a security-related technical function that fails to have a relationship to at least one of the component categories, it may be harder to find than you may assume. For any nontrivial security function, if you think there is no relationship, it may be that you are not looking hard enough. In cases where I have personally located a truly independent technical function, there usually followed a discussion concerning the purpose of that function and what value it provided to the organization, with the phrase because that is how it has always worked or some variation thereof in the conversation. The most common example of this is when a technical security function is enabled due to a security guide or other governance requirement from outside the organization. Often a check-box is checked or a technical function otherwise enabled with no supporting change to policy, documentation, process, or personnel training, and the long-term effectiveness of the technical function is questionable at best without that support.

User authentication

For an example, I will choose a very basic security technical function that normally functions nearly autonomously: user authentication in an environment that uses Microsoft Active Directory. While this is a relatively simple function to implement, at least from a purely technical perspective, we start seeing some complexity when we consider the relationships to the other four component categories that need to be addressed in the overall security architecture.

First, we will consider the human skills involved in managing the Active Directory (AD) account base effectively. Notice the "effectively" qualification on the last statement. You can largely set it all up once, with heavy automation on account creation, and pretty nearly forget about it. Some organizations do this and simply clone existing accounts, including full permissions and group memberships, whenever a new account is required. Often these same organizations do not periodically review the existing account base and remove unnecessary accounts or permissions. While the skills required to effectively manage the AD account base are not particularly high (we will omit the skills required to effectively manage all of AD for the purposes of this example, which can be considerably higher), user accounts must still be created, modified, and deleted to enable user authentication, even though the authentication process itself is completely automated. The account administrator position must have appropriate training/skill requirements associated to ensure the individuals involved at least understand the basic Windows security model of permissions and group assignments, the general concept of role-based access, and be sufficiently skilled and experienced to actually understand any automation placed on the account creation/modification routines. Additionally they should have either personal knowledge or a resource available to them in order to understand something of the business requirements of the organization so they can ensure a user actually has the proper access. In too many cases I have seen an account admin being told to just clone an existing employee account for a new employee, usually with no understanding on the part of the manager that requests it nor the account administrator of what effective permissions have now been assigned to an employee on day one with the organization. If the permission level granted is too low, it likely results in minimal impact since additional rights can be requested. However, when is the last time you had an employee request rights be removed because he or she was granted too high of a permissions level?

If we take a quick look at the interactions between the component categories, we see there is a relationship to the human resource requirements for training and experience (component 2), not just technically, but in the organizational business processes itself. We see a potential need for some type of documentation (component 3) that identifies appropriate permissions and rights for users assigned to particular business functions, as well as some documentation or artifact detailing the human side of the account management actions. We see the need for some type of account management process (component 4) that identifies who can authorize a new account with associated permissions, and some series of technical and approval steps required for account creation, modification, and deletion. Finally, there is an implied requirement that an account policy exists (component 5) that specifies roles and responsibilities and the requirement for some configuration guidance to be applied to Active Directory.

Overall, this is a pretty basic function, but we have easily identified direct or indirect dependencies between a fully automated (once configured) technical function and multiple other architecture components. A weakness in any one of the dependencies has the potential to be a security weakness in the automated technical function. For instance, if organizational policy covering account management fails to identify strict approval authority and roles, from whom does the system administrator take account requests? That leaves the door wide open to a social engineering attack to generate rogue account requests or an insider attack generating phony accounts to cover unauthorized employee actions. The same vulnerabilities can be introduced by weaknesses in the account creation process itself. If the documentation covering allowed permissions for user roles is nonexistent or incorrect, excessive permissions might easily be granted for either rogue accounts or legitimate accounts that might be used incorrectly. Simply giving a new employee the same permissions as an existing employee might also generate either an intentional misuse from the insider threat or a completely unintentional failure if the new employee is not yet trained on the systems being operated and causes unintentional data loss or data integrity failures.

Figure 1 - Sample relationship map (diagram not reproduced). Technical Functions: Create, Edit, Delete User Account; User Authorization; Accounts Database (automated). Human Capabilities: Security Auditor Role; User Admin Role. Structural Descriptions: Authorized Accounts List; Authorized Role to Permission mapping; Account Validators. Process and Planning: Account Management Process. Policy and Governance: Account Policy. Relationships are labelled Enables, Audits, Updates, Executes, Authorizes, and Governs.

Figure 1 details the example relationship mapping using a graphic. For more complex mappings, the use of a commercial architecture tool and an appropriately adapted architecture framework (e.g., DoDAF, FEAC, etc.) is advised. In a full implementation, a set of defined relationships would be used for mapping between components.

Value of the analysis


As an analysis tool, mapping dependencies between the architecture component categories can provide a direct value to the security architect. Referring back to the challenge I issued earlier to locate a technical security function and prove it has no relationship to at least one of the other four categories, I will now issue part II of the challenge. If you were able to locate something without a visible relationship to one or more of the other components in your organization, ask the question: should it have a relationship, and if not, what value does it provide? In some very rare cases the answer might be "no" to the relationship portion and "high" to the value portion, but I suspect you will find that the answer is typically "yes" to the relationship portion if there is any value to the function.

As an example, a common security technical function recommended for activation on Windows networks in many security configuration guides is Server Message Block (SMB) signing. It is a very useful security function that mitigates certain types of client-to-server man-in-the-middle attacks. Within a Windows network it can be activated by a simple setting within Group Policy. It can absolutely be configured by a single individual making changes based on a security configuration guide, and will likely run for years with no problems in many environments. In some organizations, a setting like this might initially be considered independent of the other categories. However, to be effective and maintained, the system administrators certainly need to understand that it is there and what it does for troubleshooting purposes, the setting needs to be documented and audited to ensure it remains functional, and the acquisition process needs to consider interoperability with this setting in the acquisition of new products. I encountered a scenario several years ago where this particular setting was integrated into the system administration operations side of an organization, but not into the acquisition process, even though the requirement was identified in policy. This resulted in some very important technical components (storage appliances in this case) not being compatible with SMB signing in a Windows network, resulting in quite a few wasted man-hours due to incorrect identification of technical requirements. This can be easily traced to a failure of the acquisition entity to incorporate existing policy/guidance into the acquisition process for product selection. As you can see in figure 2, this can be shown as a failure in the governance relationship between the equipment acquisition process and the mandatory security configuration guidance. This resulted in a failure of the acquisition process to support a required technical function for certain devices. In the particular case I drew this example from, there was actually no existing relationship between security governance and the product acquisition process in the organization; the acquisition process was concerned with functional requirements only, and this problem identified a particular deficiency that resulted from not having the relationship between security governance and product acquisition firmly in place.

Figure 2 Example of an incomplete relationship map. (Elements shown: Technical Functions: SMB Signing; Human Capabilities: Group Policy Administrator, Security Auditor Role; Structural Descriptions: GPO settings; Process and Planning: GPO Management Process, Equipment Acquisition Process; Policy and Governance: Mandatory Security Configuration Guide. Relationship labels used: Authorizes, Enables, Updates, Audits, Governs, Executes.)

The goal of relationship mapping is to ensure that all technical security functions are supported by the enabling elements in the other component categories and that a clear chain of relationships exists between the technical functions and the overall organizational policy and governance. There should be no orphans: every element in any of the component categories should have some relationship, either with elements of the same category or with another category, through which it can be traced to both technical functions and policy. This provides two distinct values to any organization. First, you can ensure that your technical functions are supported by human resources, documentation, and management/maintenance processes, and are authorized/governed through policy. This not only can identify the functions that do and do not provide value, but may identify a gap in one or more of the other component categories that needs to be addressed. Second, if you have a known or suspected gap in one or more of the four non-technical component categories, mapping the technical functions to the appropriate elements in each of the categories will provide a road map of what is missing from the overall architecture. For example, if you have no account policy in your organization, once you have mapped all of your technical security functions related to accounts or user authentication, the orphan technical functions that do not map to an existing policy or governance chain become candidates for a new policy or modification of an existing policy. While it is certainly not necessary to address every technical function directly in a high-level policy, you do need to ensure some governing authority or lower-level process is set forth in policy to manage every technical function and provide authority to a manager to provide detailed guidance or governance for specific types of technical security functions.
The relationships provide a guide to the required contents for structural descriptions, processes, and policy, as well as input to the training programs for human skill development. When a role such as user administrator has been mapped to all technical functions associated with that role and relationships are made between supporting elements across all the component categories, the relationship map of the various functions will show both the required skills and resources that must be available to the role, as well as interfaces with various processes. Unfortunately, a recurring theme I have seen in mapping technical functions to human resources, documentation, processes, and policy is the lack of technical function ownership and governance. Due to the plethora of technical functions embedded in both security-specific and general-use IT products, many functions are left in the default state, or configured to whatever extent the system administrator has the capability to accomplish. Especially in the case of security products, different vendors often have overlapping functionality embedded, and for most practical suites of products you may have multiple products that perform the same functions or are capable of doing so. This potentially creates a scenario where the organization is duplicating effort unnecessarily because two products are running duplicate functions. In other cases system administrators may assume the security function is being provided by another system and disable the function in their system without realizing the function does not carry over to their system or is not, in fact, running elsewhere. The architectural relationship mapping allows easier identification of duplication or gaps.
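The orphan and duplication checks described in the last two paragraphs become mechanical once the map is written down as a graph. The following Python is an added illustration, not the author's tool or any product mentioned in the article; the five categories are the article's, while every element name, every relationship, and the convention that a relationship points from the supporting element to the element it supports (so a chain runs from policy down to a technical function) are assumptions made for this example.

```python
"""Relationship mapping across the article's five component categories, as an
added illustration with constructed elements (not the author's data).

A relationship is a directed edge from the supporting element to the element
it supports, so "policy governs process, process governs description,
description enables technical function" runs from policy down to the function.
"""
from collections import deque

CATEGORIES = (
    "Technical Functions",
    "Human Capabilities",
    "Structural Descriptions",
    "Process and Planning",
    "Policy and Governance",
)


class ArchitectureMap:
    def __init__(self):
        self.category = {}    # element name -> category
        self.capability = {}  # technical function -> capability it provides
        self.edges = {}       # element name -> list of (verb, supported element)

    def add(self, name, category, capability=None):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        self.category[name] = category
        self.edges.setdefault(name, [])
        if capability is not None:
            self.capability[name] = capability

    def relate(self, supporter, verb, supported):
        """Record e.g. relate("GPO settings", "enables", "SMB Signing")."""
        for n in (supporter, supported):
            if n not in self.category:
                raise KeyError(f"unknown element: {n}")
        self.edges[supporter].append((verb, supported))

    def supporting_chain(self, element):
        """Every element with a directed path down to `element` (the chain above it)."""
        seen, queue = set(), deque([element])
        while queue:
            node = queue.popleft()
            for src, out in self.edges.items():
                if src not in seen and any(t == node for _, t in out):
                    seen.add(src)
                    queue.append(src)
        seen.discard(element)
        return seen

    def missing_support(self, function):
        """Non-technical categories with no element in the function's chain."""
        present = {self.category[n] for n in self.supporting_chain(function)}
        return [c for c in CATEGORIES[1:] if c not in present]

    def find_orphans(self):
        """Technical functions that cannot be traced to any policy or governance element."""
        return sorted(fn for fn, cat in self.category.items()
                      if cat == "Technical Functions"
                      and "Policy and Governance" in self.missing_support(fn))

    def find_duplicate_functions(self):
        """Capabilities claimed by more than one technical function."""
        by_cap = {}
        for fn, cap in self.capability.items():
            by_cap.setdefault(cap, []).append(fn)
        return {cap: sorted(fns) for cap, fns in by_cap.items() if len(fns) > 1}


def build_example():
    """Constructed map loosely following the article's SMB signing example."""
    m = ArchitectureMap()
    m.add("SMB Signing", "Technical Functions", capability="SMB message integrity")
    m.add("Host firewall logging", "Technical Functions", capability="host event logging")
    m.add("HIDS file integrity monitoring", "Technical Functions", capability="file integrity monitoring")
    m.add("AV file integrity monitoring", "Technical Functions", capability="file integrity monitoring")
    m.add("Group Policy Administrator", "Human Capabilities")
    m.add("Security Auditor Role", "Human Capabilities")
    m.add("Server Administrator", "Human Capabilities")
    m.add("GPO settings", "Structural Descriptions")
    m.add("GPO Management Process", "Process and Planning")
    m.add("Mandatory Security Configuration Guide", "Policy and Governance")
    m.relate("GPO settings", "enables", "SMB Signing")
    m.relate("Group Policy Administrator", "updates", "GPO settings")
    m.relate("Security Auditor Role", "audits", "GPO settings")
    m.relate("GPO Management Process", "governs", "GPO settings")
    m.relate("Mandatory Security Configuration Guide", "governs", "GPO Management Process")
    # Constructed gaps: firewall logging is run by one administrator with no description,
    # process or policy behind it; HIDS FIM is mandated by the guide but nobody is
    # assigned to it; AV FIM duplicates HIDS FIM and has no support at all.
    m.relate("Server Administrator", "executes", "Host firewall logging")
    m.relate("Mandatory Security Configuration Guide", "governs", "HIDS file integrity monitoring")
    return m


if __name__ == "__main__":
    m = build_example()
    print("orphans:", m.find_orphans())
    for fn in sorted(fn for fn, c in m.category.items() if c == "Technical Functions"):
        print(f"{fn}: missing {m.missing_support(fn) or 'nothing'}")
    print("duplicates:", m.find_duplicate_functions())
```

Run as a script it lists, for each technical function, the categories with no element in its chain (the gap analysis of the article's first value), the functions with no chain to policy (candidates for a new or modified policy, the second value), and the capability claimed twice (the duplication the last paragraph warns about). Keeping the edges directional is the design choice that matters: an undirected search would merge everything into one connected blob and hide exactly the gaps the architect is looking for.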

Summary
We have looked at five categories into which security architecture components can be grouped. We have discussed the value of mapping relationships between components across the categories and performing an analysis of those relationships. This methodology, when adapted to a particular architect and environment, can provide significant value in the organization of the security architecture and significantly limit the likelihood of omissions. These categories and relationship mapping techniques provide a valuable tool for the architect when conducting a gap analysis of the technical and non-technical elements of security architecture. Additionally, they can provide a road map for the development of missing or insufficient elements of the architecture.

About the Author


Kevin Stoffell, CISSP-ISSAP, ISSEP, ISSMP, CAP, CISA, CEH, CSEP, PMP, is a Cyber Security Architect for the Battelle Memorial Institute working primarily in the federal government and military sectors. He has over 16 years' experience in the information security field. He was assigned to both the Acquisition and Cyber Defense commands within the Marine Corps prior to retiring. He may be contacted at stoffellk@battelle.org.

Wi-Fi Positioning Systems: Beware of Unintended Consequences

By Ann Cavoukian and Kim Cameron

Abstract
This article explores the unintended consequences associated with the use of location data being established, shared, and used, using Wi-Fi Positioning Systems (WPS). WPS relies on wireless access points for location coordinates and makes use of the Media Access Control (MAC) address to a local area network. Since each access point is assigned a unique MAC address, which is designed to be persistent over the lifetime of the device, a number of identity and privacy issues may arise from unintended uses of this information.

Taking advantage of the rapid growth of wireless access points (Wi-Fi) in urban areas, Wi-Fi Positioning Systems (WPS) emerged as an idea to solve situations where GPS signals may be weaker, or where the use of GPS puts too much strain on the device's battery. By relying on Wi-Fi access points, WPS allows for more rapid and accurate determination of a given phone's location. Despite the advantages to mobile phone users that WPS has introduced, recent events involving several major mobile platform operators have prompted increased scrutiny over the extent of location data collected by smartphones and disclosed to third parties who fall outside the telecommunications regulatory environment.1 This paper explores the unforeseen and unintended uses of pre-existing architecture involving the collection and use of Wi-Fi device identifiers to create Wi-Fi Positioning Systems.

The unforeseen uses of pre-existing architecture

The Media Access Control Address2 (or, more commonly, MAC address) is an essential design feature for the proper operation of this architecture. The MAC address was created as an identifier for local area network devices by IEEE Project 802 in order to identify items of real physical equipment, parts of such equipment, or functions that apply to many instances of physical equipment3 (see figure 1).

Figure 1 802.11 frame highlighting MAC address. (Fields shown: Header containing Frame Control, Duration ID, MAC Addresses and Other Controls; Frame Body (Payload); Checksum. Sample MAC Address 00:58:F0:F2:bC:92.)

1 Yukari Kane, House Presses Apple, Google, Others on Location-Tracking Practices, The Wall Street Journal, April 26, 2011. 2 Also referred to as the Extended Unique Identifier or EUI-48. A mix of numbers and the first six letters of the alphabet (e.g., 00-1F-3F-D7-3C-58).
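To make the identifier discussed above concrete, here is an added Python example (not code from the article or from IEEE) that decodes an EUI-48 address into the fields IEEE 802 defines: the Organizationally Unique Identifier, the vendor-assigned extension, the individual/group bit and the universally/locally administered bit. The sample addresses are the one in figure 1 and the one in footnote 2 plus constructed ones; the field names and the canonical form are choices made here, not anything the article specifies.

```python
"""EUI-48 (MAC address) decoding per IEEE 802, added as an illustration; not
code from the article or from IEEE.  Samples: the address in figure 1, the one
in footnote 2, and constructed ones."""
import re

# two hex digits, then five more groups joined by the same separator (":" or "-")
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_mac(text):
    """Decode an address into its IEEE 802 fields.

    Raises ValueError on malformed input.  The canonical form (upper case,
    colon-separated) is a choice made here so that one device captured as
    "00:58:F0:F2:bC:92" and as "00-58-f0-f2-bc-92" yields a single key; a
    positioning database that skipped this step would hold duplicate records."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not an EUI-48 address: {text!r}")
    octets = bytes.fromhex(re.sub(r"[:-]", "", text))
    first = octets[0]
    return {
        "canonical": ":".join(f"{b:02X}" for b in octets),
        # first 24 bits: Organizationally Unique Identifier, assigned by the IEEE to a vendor
        "oui": "-".join(f"{b:02X}" for b in octets[:3]),
        # last 24 bits: assigned by that vendor, unique per device
        "extension": "-".join(f"{b:02X}" for b in octets[3:]),
        # I/G bit (least significant bit of the first octet): 1 = group/multicast address
        "multicast": bool(first & 0x01),
        # U/L bit (the next bit): 1 = locally administered, i.e. not the factory-assigned value
        "locally_administered": bool(first & 0x02),
    }


def is_persistent_device_id(text):
    """True for a unicast, universally administered address: the factory-assigned
    value the article describes as persistent for the lifetime of the device."""
    fields = parse_mac(text)
    return not fields["multicast"] and not fields["locally_administered"]


if __name__ == "__main__":
    for sample in ("00:58:F0:F2:bC:92", "00-1F-3F-D7-3C-58", "02:00:00:AA:BB:CC", "01:00:5E:00:00:01"):
        print(sample, parse_mac(sample), "persistent:", is_persistent_device_id(sample))
```

The U/L bit is the part worth noticing from a privacy standpoint: the persistence the article is concerned about applies to universally administered addresses, and an address with that bit set is by definition not the burned-in vendor value, so a database keyed on MAC addresses cannot assume every key is a stable device identifier.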

A prominent way in which the MAC address is being used for purposes other than the support of networked communication is the development of Wi-Fi Positioning Systems. WPS functions by mapping the locations of Wi-Fi access points, indexed by their MAC addresses, and comparing these against the access points visible to an end-user device to determine the device's location. A vast array of these access points has been constructed by individuals and businesses, in addition to the hot spots available in airports, hotels, coffee shops, public libraries, etc. Companies that provide the positioning technologies, such as Google and Skyhook Wireless (used for applications such as Google Maps), make their location databases linking hardware IDs to street addresses publicly available on the Internet. If someone captures or already knows a specific MAC address, Google's and Skyhook's services can reveal a previous location where that device was located. This can in practice reveal personal information including home or work addresses or even the addresses of restaurants frequented.4
3 See IEEE Standards Association, Guidelines for Use of EUI, accessed January 13, 2011, http://standards.ieee.org/regauth/oui/tutorials/UseOfEUI.html. 4 Declan McCullagh, Exclusive: Google's Web mapping can track your phone, CNET News, Privacy Inc., accessed March 12, 2012, http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone/.


In addition to the MAC address, the Service Set Identifier (SSID) is an additional identifier for Wi-Fi access points (those devices, such as wireless routers, that provide Wi-Fi access to end-user devices). Often referred to as the network name, this SSID is included in a management beacon which communicates information about the network (connection speeds supported, identifiers, etc.) to all nearby devices. While the Wi-Fi access point's SSID broadcast feature can be disabled, the SSID will nevertheless appear in some of the management packets transmitted on that wireless network.5

WPS data collection and use

WPS can be divided into two primary stages: the collection of MAC addresses of Wi-Fi access points and their associated locations into a database, and the use of this database to locate end-user devices. Though these two functionalities will, in practice, occur simultaneously and inform each other, for clarity we will separate the two in the discussion that follows.

Collecting and locating Wi-Fi access points for a WPS database

The collection of MAC addresses from Wi-Fi access points can be achieved in two ways: active and passive scanning.6 Active scanning involves sending out a probe to nearby access points and recording the network access device identifiers.7 Passive scanning typically records the periodic beacon frames transmitted by each wireless access point. Those who build WPS databases for commercial purposes by geo-tagging Wi-Fi access point data are dubbed location aggregators. These aggregators provide third parties with access to their WPS databases for location-based application development and advertising. The potential for unintended uses of the MAC address increases significantly if additional data is added to that captured by a WPS system. Identifying, classifying, and storing information about uniquely identified devices in WPS databases raises the possibility of data linkage. Data, and databases, cannot be considered in isolation; in fact, it is frequently in combination with other information that data will become a significant privacy concern. It is known, for instance, that multiple services exist which can convert any numerical location (such as latitude/longitude) of a Wi-Fi access point to an identifiable location (an address, for instance). Once this has been established, the address could be combined with White Pages information (if the location is a house) to infer the name of the access point's owner.
5 Ibid. 6 Article 29 Data Protection Working Party, Opinion 13/2011 on Geolocation Services on Smart Mobile Devices (adopted on 16 May 2011). 7 Active software such as NetStumbler, dStumbler, and MiniStumbler actually broadcast probe request frames to elicit responses from APs. See Yu-Xi Lim et al., Wireless Intrusion Detection and Response (Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2003), accessed January 25, 2011, http://users.ece.gatech.edu/owen/Research/Conference%20Publications/wireless_IAW2003.pdf.

It is important to understand that the privacy and data rules that apply to telecommunications companies may not cover the collection of WPS data. Telecommunications companies have always been able to locate devices to provide telecommunications coverage under a regulated environment; this tracking is network-based.8 However, many new location-based services, such as WPS, are enabled by third parties who fall outside this regulatory environment, which again introduces new privacy issues. For example, US law requires a telecommunications carrier to obtain customer approval before using, disclosing, or providing access to customer proprietary network information, which includes location information and phone numbers.9 However, Wi-Fi location technology providers may not necessarily be considered a telecommunications carrier.10
8 In Canada, as of February 1, 2010, and pursuant to Telecom Decision 2003-53 and Telecom Regulatory Policy CRTC 2009-40, the CRTC generally requires that all Canadian wireless service providers implement a form of wireless enhanced 9-1-1 (E9-1-1) service whereby the telephone number, cell site/sector information, and longitudinal and latitudinal information regarding the location of wireless E9-1-1 callers are automatically conveyed to the appropriate E9-1-1 call center or public safety answering point. 9 Telecommunications Act of 1996 222(c); see also 222(d) for exceptions, including for emergency services. N. King, Direct marketing, mobile phones, and consumer privacy: Ensuring adequate disclosure and consent mechanisms for emerging mobile advertising practices, Federal Communications Law Journal 60 (2008): 229. 10 Testimony of M. Altschul before the Committee on Energy and Commerce, House of Representatives, on February 24, 2010.

Locating end-user devices with a WPS database

Once a sufficient number of Wi-Fi access points have been uploaded to a location database, this information can be used to locate end-user devices. When an end-user device uses a WPS service to request its location, it first identifies Wi-Fi access points in its range. After submitting the MAC addresses of these points to the WPS database, the known positions of one or more of these points are retrieved, allowing the device's location to be triangulated. The accuracy of WPS thus depends on the number of Wi-Fi access points entered into the reference database.

Figure: an end-user device asks "Where am I?", submits the MAC address 00:58:F0:F2:bC:92 of an access point in range to the Wi-Fi Positioning Systems DB, and receives the coordinates 38.88952, -77.03527.

These queries can also be used to update and/or refine the WPS location database, as any access point that is either not in the database, or which was previously associated with a different geographic location, will be identified during this process and the point's new location calculated. In this way, the updating of the network of reference points can be crowdsourced, making the WPS database self-healing. As with Wi-Fi access point owners, owners of end-user devices may not be aware of the data being disclosed by their devices, or may not wish to have their location queries used to update a commercial database. As such, there are privacy concerns which may arise in the construction of WPS databases.
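The two stages described in this section, building the reference database and then locating a device from the access points it can see, together with the crowdsourced update just described, in one added Python example. This is not the code of Google, Skyhook Wireless or any other aggregator. Apart from the two MAC addresses and the coordinate pair that appear in the article's figures and footnote, every MAC address, coordinate, signal strength and the one-kilometre "moved" threshold are constructed. The opt-out check assumes the aggregator honours an SSID ending in "_nomap", the suffix Google announced in late 2011 as an owner opt-out, which the article does not discuss.

```python
"""A toy Wi-Fi Positioning System, added to illustrate the two stages the
article describes plus the crowdsourced update.  Not the code of any real
aggregator.  Coordinates are treated as flat (lat, lon) pairs, which is adequate
at city scale; all data is constructed except the two MAC addresses and the
coordinate pair shown in the article."""

OPT_OUT_SUFFIX = "_nomap"   # SSID marker assumed to be honoured as an owner opt-out
MOVED_THRESHOLD_DEG = 0.01  # constructed: roughly 1 km; a stored AP further from the fix is treated as relocated


def canonical(mac):
    """Normalise separator and case so every capture of a device indexes one record."""
    return mac.strip().replace("-", ":").upper()


class WpsDatabase:
    def __init__(self):
        self.aps = {}  # canonical MAC -> (lat, lon)

    def add_observation(self, mac, lat, lon, ssid=None):
        """Stage 1: geo-tag an access point seen during a survey (active or passive scan).
        Returns False, storing nothing, when the SSID carries the opt-out marker."""
        if ssid is not None and ssid.endswith(OPT_OUT_SUFFIX):
            return False
        self.aps[canonical(mac)] = (lat, lon)
        return True

    def locate(self, scan):
        """Stage 2: estimate the querying device's position from the APs it sees.

        scan: iterable of (mac, rssi_dbm, ssid) as a phone would report them.
        Known APs are combined as a weighted centroid, stronger signal weighing
        more as a crude proxy for proximity (a simplification of the
        triangulation the article mentions).  Returns (lat, lon, n_known), or
        None when no AP in the scan is known."""
        w_sum = lat_sum = lon_sum = 0.0
        n_known = 0
        for mac, rssi, _ssid in scan:
            pos = self.aps.get(canonical(mac))
            if pos is None:
                continue
            w = 1.0 / max(1.0, -float(rssi))  # -40 dBm -> 0.025, -80 dBm -> 0.0125
            w_sum += w
            lat_sum += w * pos[0]
            lon_sum += w * pos[1]
            n_known += 1
        if n_known == 0:
            return None  # coverage gap: nothing to triangulate against
        return (lat_sum / w_sum, lon_sum / w_sum, n_known)

    def locate_and_update(self, scan):
        """The crowdsourced ("self-healing") variant: each query also refines the
        database.  Unknown APs are inserted at the fix, and known APs far from the
        fix are assumed to have moved and are re-positioned.  Opted-out APs are
        never stored.  Returns (fix, list of MACs written)."""
        fix = self.locate(scan)
        if fix is None:
            return None, []
        lat, lon, _ = fix
        written = []
        for mac, _rssi, ssid in scan:
            if ssid is not None and ssid.endswith(OPT_OUT_SUFFIX):
                continue
            key = canonical(mac)
            known = self.aps.get(key)
            if known is None or max(abs(known[0] - lat), abs(known[1] - lon)) > MOVED_THRESHOLD_DEG:
                self.aps[key] = (lat, lon)
                written.append(key)
        return fix, written


def build_sample_db():
    """Constructed reference data."""
    db = WpsDatabase()
    db.add_observation("00:58:F0:F2:bC:92", 38.88952, -77.03527, ssid="office-ap")   # MAC and fix from the figures
    db.add_observation("00-1F-3F-D7-3C-58", 38.89252, -77.03527, ssid="home-net")    # MAC from footnote 2
    db.add_observation("AA:AA:AA:00:00:01", 38.89000, -77.03000, ssid="cafe_nomap")  # opted out: not stored
    return db


SAMPLE_SCAN = [  # constructed: what a querying phone might report as (mac, rssi dBm, ssid)
    ("00:58:f0:f2:bc:92", -40, "office-ap"),
    ("00:1F:3F:D7:3C:58", -80, "home-net"),
    ("DE:AD:BE:EF:00:01", -60, "new-ap"),      # unknown: learned from this query
    ("AA:AA:AA:00:00:01", -50, "cafe_nomap"),  # opted out: never learned
]

if __name__ == "__main__":
    db = build_sample_db()
    print("fix:", db.locate(SAMPLE_SCAN))
    print("fix, learned:", db.locate_and_update(SAMPLE_SCAN))
    print("now known:", sorted(db.aps))
```

The point of `locate_and_update` is the one the article makes: the phone that asks "Where am I?" is also, without any action of its own, the survey vehicle that adds "new-ap" to the database. The opt-out branch is the minimal design hook for the choice the authors call for; the `None` result shows that accuracy is bounded by coverage, since a scan consisting only of unknown access points yields neither a fix nor an update.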

The unknowing informant model

Under the crowdsourced database updating model, it is known that users of WPS services may unwittingly be aiding the proprietors of the services to update and refine their database, based on the list of Wi-Fi access point MAC addresses submitted with each query. This model may not concern everyone; after all, it leads to improvement in the service's locating capabilities. But consider if even more information were being provided to the WPS service. Suppose it were the case, when a mobile user was querying for location, that he or she was also able to unknowingly detect the MAC addresses of mobile devices in range in addition to Wi-Fi access points. The MAC address becomes more than simply a device identifier. Instead, it identifies devices that are closely associated with people, including their personal computers and mobile phones. These identifiers are persistent, remaining constant over the lifetime of the device. They are identifiers that are extremely reliable in establishing identity by virtue of being in people's pockets or briefcases.11 They become, in turn, personal identifiers and, due to the static nature of the MAC address, they are identifiers that tend not to change for the life of the device.
11 Kim Cameron, The Laws of Identity smack Google, Kim Cameron's Identity Blog, May 27, 2010, http://www.identityblog.com/?p=1100. See also Peter Scharr, Smartphones always under control?, July 10, 2010, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/SmartPhonesUnterKontrolle20100709.html?nn=1269676: Additionally, smartphones often transmit current characteristic data of surrounding WLANs to the service provider so that the corresponding WLAN databases can be appropriately supplemented and updated. In this way, the smartphone user will become, without his knowledge, the data collector for service providers. 12 See Students' concern over Big Brother-style surveillance, This is Leicestershire, accessed June 6, 2011, http://www.thisisleicestershire.co.uk/Students-concern-BigBrother-style-surveillance/story-12718136-detail/story.html.

Identifying and avoiding unintended uses

The popularity of Wi-Fi networks, in combination with the clear text transmission of identifiers for those networks, creates a ubiquitous infrastructure that may now be used for purposes far different from the original intent. For instance, De Montfort University in the United Kingdom is considering the use of their on-campus Wi-Fi networks, in combination with chips in ID cards, to track student attendance.12 The MAC address and SSID were first developed to ensure the proper functioning of wireless network components; they can now act as geo-location points, enabling location-based services and mobile virtual communities, thereby transforming the original intention of the architecture.13 When designing a technical architecture, the potential for unintended uses should form part of a privacy threat/risk analysis.14 Information architects need to embed privacy into the design of WPS systems. Service delivery in mobile communications consists of a diverse range of providers that includes device manufacturers, the operating system and platform developers, network providers, application developers, data processors, and even users themselves.15 By taking a Privacy by Design (PbD)16 approach to the development of technical architectures, the many players in the mobile space can play a contributing role to ensure end-to-end privacy. PbD advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation. The objectives of Privacy by Design, ensuring privacy and gaining personal control over one's information and, for organizations, gaining a sustainable competitive advantage, may be accomplished by putting into practice the seven foundational principles: (1) Proactive not reactive; preventative not remedial; (2) Privacy as the default setting; (3) Privacy embedded in the design; (4) Full functionality: positive-sum, not zero-sum; (5) End-to-end security: full life cycle protection; (6) Visibility and transparency: keep it open; (7) Respect for user privacy: keep it user-centric.17 In the case of MAC addresses and Wi-Fi Positioning Systems, creative thinking must be employed to find ways of embedding privacy directly into the architecture. Working with the broader research community, location aggregators and location-based technology/application developers should research and implement alternatives that protect the privacy of individuals, and provide individuals with a choice in whether their devices can be used in the creation and updating of WPS architecture.
13 International Working Group on Data Protection in Telecommunications (IWGDPT), Common Position on privacy and location information in mobile communications services: The enhanced precision of location information and its availability to parties other than the operators of mobile telecommunications networks create unprecedented threats to the privacy of the users of mobile devices linked to telecommunications networks, November 19, 2004. 14 Eric Rescorla, Can We Have a Usable Internet Without User Trackability?, accessed November 5, 2010, http://www.educatedguesswork.org/iab-privacy.pdf. 15 ASU Privacy by Design Research Lab and Information and Privacy Commissioner, Ontario, Canada, The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users, 2010, http://www.ipc.on.ca/images/Resources/pbd-asu-mobile.pdf. 16 On October 29, 2010, Dr. Ann Cavoukian's concept of Privacy by Design was unanimously adopted at the 32nd annual International Conference of Data Protection and Privacy Commissioners, a worldwide assembly of regulators, in what has been described as a landmark resolution. 17 Ann Cavoukian, Privacy by Design in Law, Policy and Practice, 2010, available online at www.ipc.on.ca.

Conclusion
The area of location privacy, involving an individual's ability to control who, when, how, and at what granularity personally identifiable location data is made available to others, is well established in the literature. However, additional discussion is required in this area where the individual's mobile device becomes an unknowing active contributor to the location architecture. In assessing the design of WPS architecture and location-based applications, the issues canvassed in this paper should be seriously considered, such as the concern for re-identification of location data, the sensitive nature of location information, the physical safety of individuals, and onward disclosure without the user's knowledge, or worse, contrary to his or her privacy preferences.

References
ASU Privacy by Design Research Lab and Information and Privacy Commissioner, Ontario, Canada. The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users, 2010. http://www.ipc.on.ca/images/Resources/pbd-asu-mobile.pdf.
Cameron, K., The Laws of Identity smack Google, Kim Cameron's Identity Blog, May 27, 2010, http://www.identityblog.com/?p=1100.
Cavoukian, A., Privacy by Design in Law, Policy and Practice, 2010, available online at www.ipc.on.ca.
Kane, Y., House Presses Apple, Google, Others on Location-Tracking Practices, The Wall Street Journal, April 26, 2011.
King, N., Direct marketing, mobile phones, and consumer privacy: Ensuring adequate disclosure and consent mechanisms for emerging mobile advertising practices, Federal Communications Law Journal 60 (2008): 229.
McCullagh, D., Exclusive: Google's Web mapping can track your phone, CNET News, Privacy Inc., accessed March 12, 2012, http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone.
Rescorla, E., Can We Have a Usable Internet Without User Trackability?, accessed November 5, 2010, http://www.educatedguesswork.org/iab-privacy.pdf.
Scharr, P., Smartphones always under control?, July 10, 2010, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/SmartPhonesUnterKontrolle20100709.html?nn=1269676.

About the Authors

Ann Cavoukian, Ph.D. is Information and Privacy Commissioner of Ontario, Canada. Recognized as one of the world's leading privacy experts, Dr. Cavoukian developed Privacy by Design, now the gold standard in data protection and privacy, in the 1990s. She may be reached at info@ipc.on.ca. Kim Cameron is a leading expert in digital identity, and the creator of the influential Laws of Identity. A founder of ZOOMIT Corporation, and later Chief Identity Architect at Microsoft, he is an advisor on identity architecture and issues.


Social Media Policy and the Law


By Jon Banks ISSA member, Metro Atlanta, USA Chapter

This article appeared in the March 2012 ISSA Journal.


Abstract
Organizations cannot escape social media's ubiquitous presence and the unique challenges it creates. Our attempts to regulate social media for security and compliance requirements must now be balanced with the need to protect our organizations from the unintended legal consequences of overregulation. This article will examine various laws and regulations that we must consider when creating our social media policies to avoid these legal risks.

On September 2, 2011, a National Labor Relations Board (NLRB) Administrative Law Judge (ALJ) ruled that a non-profit organization unlawfully discharged five employees for complaining about their jobs on Facebook. The judge found that the employees were illegally discharged because the Facebook discussion was concerted protected activity under Section 7 of the National Labor Relations Act1 (NLRA). The judge ordered the organization to reinstate the employees and awarded them back pay.2 Whether we like it or not, laws and regulations permeate every aspect of the information security profession, and the rapid growth of social media in the workplace has not escaped this legal reach. Unfortunately, our efforts to address the unique security and compliance challenges posed by social media can in many ways conflict with these laws and regulations. The result is that our social media policies might be exposing our organizations to serious legal consequences. As I always state before every article and presentation, I am not a lawyer but an information security professional with an Executive Juris Doctor degree in Law and Technology. The following is not a legal consultation but rather is intended to help information security professionals gain an appreciation and understanding of the laws and regulations that affect their social media policies and encourage them to seek further information from their legal counsel. Although this article will only examine US laws and regulations as they affect social media policies, the same analysis and discussion could be applied when examining the laws and regulations of other countries as they relate to social media. Throughout this article, consider what other documents your organization has that may be impacted by this material, such as policies, procedures, standards, guidelines, employment contracts, employee handbooks, and any other document that specifies what employees can and cannot do both at work and outside of work.
1 29 U.S.C. 151–169. 2 Hispanics United of Buffalo v. Ortiz, 3-CA-27872, September 2, 2011.

The United States Constitution


When discussing social media policies or any topic related to privacy, I always like to start with a discussion on the First and Fourth Amendments of the United States Constitution and clear up some mistaken notions that many people have about their rights under these two amendments.

The First Amendment


The First Amendment reads in part, Congress shall make no law...abridging the freedom of speech, or of the press;... Most people in the United States have incorrectly interpreted this to mean that they have the right to say anything they want in any environment without repercussions. What most Americans do not understand is that this right only prohibits the federal, state, and local governments from restricting your free speech. (Actually, there are a few ways the government can limit your free speech such as dictating the time, place, or manner of your speech, but a discussion of these exceptions is 23

Social Media Policy and the Law | Jon Banks

ISSA Journal | May 2012

outside the scope of this article.) The First Amendment does not give you freedom of speech protection from non-governmental organizations (e.g., employers). Look at a couple public examples: Gilbert Gottfried was fired as the voice of the Aflac Duck when he sent jokes about the Japanese tsunami via Twitter. Hank Williams, Jr. was replaced as the opening scene in Monday Night Football by the NFL for political comments he made in reference to the President, Vice President, and Speaker of the House playing golf together.

These people had the right to say what they wanted, and the government didnt punish them. Their employers did! Make sure your employees understand that the First Amendment protections do not apply to them in the workplace.

The Fourth Amendment

The Fourth Amendment reads, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Just as most people misconstrue their rights under the First Amendment, they also fail to understand their rights under the Fourth Amendment. Many believe the Fourth Amendment confers an absolute right to privacy, an inference first drawn in Justice Louis Brandeis's dissent in Olmstead v. United States (1928). However, the Fourth Amendment only protects you from government searches and seizures. It does not guarantee you any right to privacy from your employer in the workplace. Whether the government can seize something in the workplace without a warrant depends on whether you, as an employee, have a reasonable expectation of privacy, and even that is not absolute, as shown below. For this reason, many organizations tell their employees that they have no expectation of privacy in the workplace when using social media and other communication technologies. Although outside the scope of this article, a thorough discussion of computer searches and seizures as they relate to reasonable expectations of privacy can be found in Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.[3]

The issue of reasonable expectation of privacy was addressed by the Supreme Court in Ontario v. Quon.[4] Quon, a police officer, argued that he had a reasonable expectation of privacy in text messages sent from an employer-provided device. The Supreme Court ruled that the government employer could still conduct a search if it was for:

- A non-investigatory, work-related purpose
- The investigation of work-related misconduct

Although this case concerned government employees, the Supreme Court stated that "the search would be regarded as reasonable and normal in the private-employer context." It is important to note that the Court added, "[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated." Again, ensure that your employees understand their privacy rights as employees when using social media or any communications technology in your organization, and that these policies are clearly communicated.

3 Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Third Edition, September 2009, http://www.cybercrime.gov/ssmanual/index.html.

Book Review

Social Engineering: A Must-Have Book and Skill

By Greg Playle, ISSA member, Colorado Springs, USA Chapter

The constant in privacy and security is people. In Social Engineering: The Art of Human Hacking (Dec. 21, 2010), Christopher Hadnagy brings this home in detail. He even has a website[1] dedicated to this and helped develop the Social-Engineer Toolkit (SET) as a framework for applying the information. If you are someone involved in daily life, you are into social engineering, as target and as engineer. Advertisers, marketers, con men, politicians, and co-workers all apply this knowledge. Some do so as part of their legitimate jobs, some as a way of life, and some unconsciously. If you want to know how it works, this book is an excellent start. As security improves in software, those who exploit it move to easier targets: the people.

The book is aimed at two audiences: those in the security field and those who may be victims of social engineering (SE). For the latter, he intends to make the reader more aware of the techniques, to avoid being engineered or conned. For the former, he demonstrates the approach of gathering information on a target, typically an organization such as a corporate client (in an assessment), but equally applicable to individuals such as senior executives. Hadnagy recommends the tools available with the BackTrack distribution of Linux, which is optimized for penetration testing, hacking, and social engineering. In particular, he refers to Dradis and BasKet as good tools to store the information you obtain while investigating a target. He uses BasKet, centered around the type of data collected. If you work on a team, Dradis offers a multi-user tool that you may prefer. One caution later in the book is to analyze the data for authority. Bad data can trip up an otherwise useful SE gig. Likewise, you need a way to organize the data for reference; with quite a bit of data generated in a full-on engagement, you need something better than a text editor.

He covers Google hacking and calls out Johnny Long as one source. He mentions whois searches to gather information on the target's online profile, surfacing information of use in technical hacks. From there he treats social media, blogs, and so on, with a reference to how social media can be used to target someone for burglary (when they announce they're on vacation). One point is that several nations have passed laws making it illegal to create, distribute, or possess materials that allow someone to break any computer law, such as port scanners. Be careful what tools you take along as you travel. Remember that officers of the law, and others such as the TSA, are bereft of a sense of humor.

Hadnagy treats eliciting information from people via their basic motivations, as well as specific concerns, to make the elicitation work. In this, he echoes Johnny Long's work, explaining that the communications must be natural to the situation, the people, and the topics of interest; the enquirer must know enough about the target to make his approach believable; and the enquirer must seek only a little information with each enquiry, to avoid tipping off the target. The best possible way to elicit information is to listen; I've seen more people gather more information with that approach than with any directed conversation. If this seems counter-intuitive, pick up a book on active or directed listening and try a few of its techniques, or flip to the section starting on page 158. Hadnagy discusses preloading the target with ideas or thoughts, without the target's knowledge. He goes on to give a step-by-step approach to being a successful elicitor.

There is extensive coverage of pretexting, or creating an invented scenario to persuade a targeted victim to release information or perform some action. A well-deserved caution is that pretexting is not merely lying but actually living the role. All that research done up front pays off in a believable pretext. Hadnagy provides the psychological basis for pretexting successfully, as well as the steps to take in preparation. He lists sources of background sound tracks, spoofed phone numbers, and the like that a pretext needs to succeed. As in each chapter, he also gives case studies along the way, showing both successful and unsuccessful approaches. He also covers the legality of pretexting, required reading for the practitioner.

The psychological principles include various modes of thinking (visual, hearing, and feeling, corresponding to the visual, auditory, and kinesthetic modes of learning). These modes apply in specific situations; an example shows how a salesman would program the target to remember particular points. He treats microexpressions, based on the research of Dr. Paul Ekman. One key point is where Hadnagy explains his approach to learning to read microexpressions and encourages the reader to look up Ekman's work and website. He discusses other tips and techniques for interpreting someone's behavior and, in malicious application, exploiting someone. There is also Neuro-Linguistic Programming (NLP), again with recommendations for source material. His section on Building Instant Rapport is a must-read, in particular the subsection on meeting people's needs to build rapport. He details how a social engineer abuses this rapport by manipulating expectations and creating a presupposition that the target will comply with the SE's intended course of action.

Hadnagy discusses the powers of persuasion and influence used to co-opt the target. He outlines the fundamentals and provides eight tactics for influencing people. One of the most successful relies on the principle of reciprocity, which builds a sense of indebtedness in the target: the SE does something nice for the target and counts on the target's willingness to return the favor, typically by giving something of value to the target. He reports near-universal success with a relevant gift sent to a senior staff member along with a note asking them to browse a particular website and review a PDF file, followed by a promised phone call. The PDF existed but was poisoned: it dropped a payload on the target's machine and gave Hadnagy instant access to the corporate network. He borrows a refrain from Tom Sawyer's painting of the fence: people find things more attractive if they are hard to get; the things do not need to be inherently valuable. The SE also succeeds by framing expectations and the surrounding environment so that the SE does not create a cognitive dissonance that alerts the target. Hadnagy then covers manipulating the target and gives an excellent example of the way corporations manipulate the public's perception of their actions; again, a must-read section. There are case studies of corporations creating demand for their products, which should make the reader question all advertising.

There are all kinds of tools the social engineer uses, ranging from lock picks and shims to secret recording devices and information search software (Maltego). He also introduces the Social-Engineer Toolkit and demonstrates how to combine SET and Maltego with malicious payloads to tunnel back out of the target's network. There are a variety of other tools to present the correct information for the SE gig, including spoofing caller ID. He wraps the book up with case studies of particularly sensitive engagements, including finding a hole in a network that already had a hacker in it, and social engineering the hacker. Put together Johnny Long's No Tech Hacking, Frank Abagnale's Catch Me If You Can, and Hadnagy's Social Engineering, and you'll view society in a whole different way. This book should be part of every security professional's reading.

1 http://www.social-engineer.org.

About the Author

Greg Playle, CISSP, IAM/IEM, C|EH, C|HFI, FITSP, a senior principal engineer at Serco-NA, provides network and information assurance/computer network defense services to the United States federal government. Greg has a Master's in Systems Engineering from the University of Southern California, a Master's in Software Engineering from Colorado Tech University, and over 30 years of experience in computer security. Greg may be reached at gplayle@earthlink.net.

National Labor Relations Act

Despite the lack of protection afforded employees by the First and Fourth Amendments as it relates to social media in the workplace, employees are not without significant legal protections. The most prolific of these comes from the National Labor Relations Act (NLRA), which is enforced by the National Labor Relations Board (NLRB). While the NLRA covers a wide range of employees, some are exempted from the law; these generally include government employees, agricultural workers, domestic servants, independent contractors, supervisors, and railway and airline employees.[5] See the NLRA for a complete listing of exempted employees. Even if your organization and employees are not covered by the NLRA, writing your policies to be congruent with it is a good idea. When courts have no legal precedent to follow in a case, they often look to similar precedents in other jurisdictions, so a court might still look to the NLRA when deciding a social media dispute involving employees the Act does not cover.

Protected, concerted activity

The two most important sections of the NLRA are Section 7,[6] which defines employee rights, and Section 8(a)(1),[7] which prohibits employers from interfering with employees' Section 7 rights. Section 7 reads in part, "Employees shall have the right...to engage in other concerted activities for...mutual aid or protection,..." As a result, most rulings involving the NLRA discuss whether the employees' actions were protected, concerted activity. When analyzing an alleged violation of the NLRA, the Board, an ALJ, or a court will first try to determine whether the employee's comments and use of social media constituted concerted activity. Concerted activity has been defined as activity:

- Engaged in with or on the authority of other employees, and not solely by and on behalf of the employee himself
- In which individual employees seek to initiate or to induce or to prepare for group action
- Involving truly group complaints[8]

To satisfy the concerted activity requirement, comments posted on social media must be more than one person griping; they must be directed to other employees of the organization and must attempt to start a discussion of protected activities (defined below). For example, if one employee posts a comment on Facebook about a protected activity and a co-worker responds, that is concerted activity. Even if no co-worker responds, if the intent of the posting was to initiate or induce co-workers to respond, that, too, is concerted activity. While there is no definitive list of what activities the NLRA protects, activities that have been deemed protected include:

- Comments about working conditions
- Discussions about supervisory actions
- Comments about wages, terms, and conditions of employment

Many organizations' social media policies and other employment documents prohibit some of these protected activities, wage discussions in particular. Revisit your policies and other employment documents and check whether they prohibit these types of protected activity.

The NLRB Office of General Counsel issued an Operations Management Memo[9] (hereafter NLRB Memo) dated January 25, 2012, addressing various topics related to social media and the NLRA. One case from the NLRB Memo illustrates protected, concerted activity in a social media context. An employee was terminated for posting critical comments about the employer on Facebook. After the employer transferred the employee to a less lucrative position, the employee went home and posted expletive-laden comments on Facebook stating that the employer had made a mistake. Several current and former co-workers responded, supporting the employee's position and echoing the employee's frustrations with the employer's treatment of employees. The employer later fired the employee over the Facebook postings. The NLRB found that the employee's Facebook postings, and the discussion they generated among other employees, clearly involved complaints about working conditions and the employer's treatment of its employees and clearly fell within the Board's definition of protected, concerted activity.

4 Ontario v. Quon, 560 U.S. ___ (2010).
5 29 U.S.C. § 152.
6 29 U.S.C. § 157.
7 29 U.S.C. § 158(a)(1).
8 Meyers Industries (Meyers I), 268 NLRB 493 (1984), and Meyers Industries (Meyers II), 281 NLRB 882 (1986).
9 Operations Management Memo from the NLRB Office of General Counsel, http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report.

Overly broad, vague, and ambiguous language

Along these same lines, overly broad, vague, and ambiguous language in our social media policies can get our organizations into legal trouble. Many policies are written broadly to encompass all activities, or use vague and ambiguous terms, mainly because it is easier to cast a wide net than to define and list each activity that is and is not permitted. Consider some of the vague, ambiguous terms that commonly appear in social media and other policies:

- Reasonable
- Appropriate
- Inappropriate
- Professional
- Unprofessional
- Confidential
- Proprietary
- Sensitive
- Non-public

Many social media policies and employee handbooks have been found to be overly broad under the test set out in Lutheran Heritage Village-Livonia.[10] Under Lutheran Heritage, a social media or employee handbook rule is unlawful if it explicitly restricts Section 7 activities. If a rule does not explicitly restrict Section 7 activities, it can still be found unlawful if:

- Employees would reasonably construe the language to prohibit Section 7 activities
- The rule was promulgated in response to union activity
- The rule has been applied to restrict the exercise of Section 7 rights

Recent NLRB rulings have held that where a policy did not define what types of activity its vague and ambiguous terms covered, employees' Section 7 rights were still violated, because employees had no way of knowing that Section 7 activity remained permitted. Savings clauses, statements that the vague and ambiguous terms do not include Section 7 activities, were also found inadequate under the NLRA.

10 343 NLRB 646, 647 (2004).

Employee identification

Employers often require that when employees use social media, either in the workplace or outside the work environment, the employees not identify themselves as employees of the organization. Employers have also restricted employees' use of company logos, trademarks, service marks, etc., in social media postings unless prior permission is received from senior management or the legal team. However, the NLRB considers such a prohibition to be a violation of employees' Section 7 rights, and has stated that an employee's use of trademarked and copyrighted names and logos in connection with Section 7 activity does not infringe the employer's rights in those trademarks and copyrights. Note that while the NLRB Memo discusses employee identification and the use of logos, trademarks, etc., in social media, a telephone call by the author to the NLRB found that the particular case this commentary is based on, LabCorp,[11] was still pending final disposition as of this writing, so more exact details of that case are not presently available from the NLRB. However, the Office of General Counsel also cites another case in its commentary on this topic, Pepsi-Cola Bottling Co.,[12] which likewise held that employees had the right to use company logos and trademarks under Section 7, although that was not a social media case.

11 NLRB Case 28-CA-023503.
12 301 NLRB 1008, 1019-20 (1991), enfd. 953 F.2d 638 (4th Cir. 1992).

Disparagement

Even disparaging comments about the organization or its management can be protected under the NLRA. When considering whether disparaging and egregious employee communications should be protected, the NLRB has had to modify two traditional tests it normally employs to accommodate the unique nature of social media, which allows the public to be party to the communications. The first test, the Jefferson Standard test,[13] is typically used when employee communications are intended to appeal to third parties. The Board considers whether the communication relates to a labor dispute and the degree to which it disparages the employer's products or services. The Board uses the Atlantic Steel[14] test when the communication is between employees and supervisors; it examines the extent to which the communication disrupts or undermines discipline within the organization, considering several factors including the place of the communication, its subject matter, the nature of the outburst, and whether the outburst was provoked by the employer's unfair labor practices. The Board's modified analysis takes the workplace-disruption factor of Atlantic Steel and combines it with the disparagement analysis of Jefferson Standard, although the other factors of both tests can be considered based on the circumstances of each case. In many cases, prohibiting disparagement in social media policies is unlawful. For a more comprehensive discussion of the NLRA as it relates to social media, including NLRB decisions on specific examples of social media, see the NLRB Memo.

13 NLRB v. IBEW, Local No. 1229 (Jefferson Standard), 346 U.S. 464, 472 (1953).
14 Atlantic Steel Co., 245 NLRB 814, 816-817 (1979).

Federal Trade Commission

Federal Trade Commission (FTC) regulation 16 CFR 255.5 reads in part, "When there exists a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed..." This regulation also addresses disclosure of the employer-employee relationship, but for a different reason than Section 7 activities. Here, the FTC requires that any employee or other agent of an organization who promotes or endorses a product or service of the organization disclose that he is an employee or agent of the organization, so that third parties know of the relationship and the possible bias in the endorsement. Therefore, employees of your organization must know and understand that they must identify themselves as employees of your organization in any online endorsement, including on social media, when promoting or endorsing your organization's products or services.

Ownership of social media

Finally, if you allow or require social media use in your organization, your social media policies need to address who owns the social media accounts. Ownership is a new legal wrinkle that arose from a recent dispute between a former employee, Kravitz, and his employer, PhoneDog.[15] While working for PhoneDog (part of the legal debate is whether Kravitz was an employee or a contractor of the company), Kravitz used a Twitter account to communicate with customers. When he left PhoneDog, he changed the account name and password to reflect that he had left the company, and kept the followers. Kravitz maintains that the account was always his personal property, while the company claims the followers are proprietary and trade secrets. As of this writing, the case is still pending. To avoid such complications in your own organization, your social media policy should articulate who owns any social media accounts and content used for business purposes and what will happen to these accounts upon termination of employment.

15 PhoneDog v. Kravitz, No. 3:11-cv-03474 (N.D. Cal. 2011).

Conclusion

As information security professionals, we are not the only ones challenged by the issues social media creates; they challenge our courts as well. Justice Kennedy, writing for the majority in Quon, highlighted this by stating: "Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.... [I]t is uncertain how workplace norms, and the law's treatment of them, will evolve."[16] Despite these challenges, you still need to consult your legal counsel to determine what changes to make to your social media policies and other employment documents to protect your organization.

16 Ontario v. Quon, supra note 4, at 11.

About the Author

Jon J. Banks, EJD, CISSP, CEH, Project+, is an information security leader with 14 years of diverse experience including security engineering, analysis, and operations; governance and compliance; and Big 4 IT advisory. He holds an Executive Juris Doctor degree from Concord Law School and is interested in senior leadership roles in IT and security. He can be reached at pilot@ILoveToFly.org.


Understanding Private Cloud Security


By Yuri Diogenes, ISSA member, Fort Worth, USA Chapter, and Dr. Tom Shinder
This article covers the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

Abstract
There are a lot of reasons why cloud computing is getting so much media and industry attention, but one of the main reasons why companies are adopting cloud computing is the financial advantage. While public cloud seems to be the preferred choice for small and medium businesses, there is another cloud infrastructure model that is growing in large enterprises the private cloud. The private cloud can have a substantial impact on the way information technology (IT) operates; it redesigns the data center by providing agility to the business, enables better resource utilization, and fuels higher availability. However, as with the public cloud, in a private cloud security concerns are still a major challenge. Although many cloud architects argue that private cloud does not present security concerns since it is owned and operated by the company itself, the reality is that there are many security elements that must be addressed before adopting, architecting, and designing a private cloud. This article will cover the main elements that should be addressed from the security perspective while architecting and designing a private cloud infrastructure.

Why care about security in a private cloud infrastructure?

Even if you take private cloud out of the equation, data center security and operations must be well planned and executed in order to enhance the overall security strategy. According to a report issued by Varonis,[1] internal threats are still the major concern for corporations in 2012, and with private cloud adoption the vast majority of users will be authorized, authenticated, and have access of some type to the infrastructure. With private cloud adoption this risk is likely to increase, because if an internal intruder successfully exploits a vulnerability in the private cloud infrastructure, he can potentially affect all other tenants, as shown in Figure 1.

Figure 1. Without security controls in place a compromised tenant can affect others.

1 Varonis Top Predictions for Data Governance in 2012, http://www.varonis.com/go/resources/whitepapers/Varonis-Top-Predictions-for-Data-Governance-in-2012.pdf.

In the private cloud, the importance of a well-architected and well-executed security design has not changed; the only difference is adjusting to the new model. In a traditional data center environment, the demarcation of security responsibilities between the data center operator and the service user was relatively well defined. Generally, responsibility was aligned with ownership of the particular physical component, whether that was a server, a networking device, or the overall network infrastructure: if the IT department owned and administered the server, then that department also managed and updated security on that asset. With cloud models, security responsibility has shifted, in that departments may be responsible for a portion of the security of the service they pay for, depending on the service provisioning model in use. A key differentiator in public cloud environments is that service is provided on a shared-tenant basis: multiple tenants use portions of the same pooled infrastructure and services. In the private cloud the tenants will be the departments of the company, as shown in Figure 2. The cloud implementation, public or private, then applies authentication, authorization, and access controls to create logical partitions between the tenants so that individual tenants are isolated from each other and cannot see other tenants' data.

can use blade server arrays or other compute configurations to provide cloud-based services. However, the advantages of improved server utilization and greater operational flexibility that virtualization platforms provide have led to very high uptake of this technology in cloud environments. Virtualization introduces a very different threat landscape from a security perspective. This happens because virtualization changes the way an organization secures and manages its data center. Since workloads are mobile and can move from host to host based on optimization algorithms that require no human involvement, security policies linked to physical location are no longer effective, so security policies must be independent of network or hardware topologies. Additionally, in order to provide effective security in virtualized environments, it is necessary to have virtualization of the security controls themselves. As these virtualized controls become available, they should as a minimum meet the following criteria: Fully integrate with the private cloud fabric Provide separate configuration interfaces Provide programmable, on-demand services in an elastic manner Consist of policies that govern logical attributes, rather than policies that are tied to physical instances Enable the creation of trust zones that can separate multiple tenants in a dynamic environment Security in a virtualized infrastructure must be adaptive and natively implemented into a fabric where resources are allocated dynamically. Any security functionality that is tied to a server, an IP address, a MAC address, port, or other physical instance will no longer be as effective as in purely physical environments due essentially to the decoupling of services and the physical hardware seen in a virtualized environment.

Figure 2 Shared tenant model in private cloud infrastructure.

Similar to the multi-tenant scenario in the public cloud, in the private cloud each department or business unit within the company must be isolated from others even when their services are located on the same host operating system and server. There is nothing new on this requirement; even today large enterprises do have some sort of isolation to enhance security, privacy, and performance between departments. Generally organizations do have good reasons to implement such isolation, such as between different business units or between the accounts department and the rest of the organization. Consequently, a private cloud model may also be a shared tenant model with similar requirements for effective security partitioning between different business units as with public cloud implementations.

Private cloud security challenges


NIST (National Institute of Standards and Technology) publication 800-145,2 The NIST Definition of Cloud Computing, defines the five essentials characteristics of cloud computing: Resource pooling Rapid elasticity On-demand self service Broad network access Measured service These essential characteristics also apply to both public and private cloud models and for four of them there is at least one core security concern that must be addressed during the

Virtualized environments
Although there is a natural tendency to correlate cloud with virtualization, the reality is that virtualization is not an absolutely essential component of private cloud architectures. Companies that are moving to a private cloud infrastructure

NIST Definition of Cloud Computing http://csrc.nist.gov/publications/ nistpubs/800-145/SP800-145.pdf.

31

Understanding Private Cloud Security | Yuri Diogenes and Dr. Tom Shinder

ISSA Journal | May 2012

designing and planning phase of your private cloud infrastructure.

Resource pooling
Resource pooling is the mechanism by which cloud environments can increase utilization levels, reduce costs, and make use of cheaper resources such as commoditized servers and inexpensive hard disks. The user's (tenant's) primary security concern regarding this essential characteristic is how secure their data is, who else can access it, and whether the data is safe even if something untoward occurs. In order to address this security concern, the cloud architect will need to design the private cloud security infrastructure to:
- Prevent leakage between tenants by isolating them
- Use AAA (authentication, authorization, and access control) and RBAC (role-based access control)
- Use a least privilege approach when delegating permissions

Rapid elasticity
Rapid elasticity enables organizations and business units to scale their operations up and down quickly to meet demand. Because the compute, storage, and network resources are pooled and can therefore be shared between tenants, users can request as little or as much of each resource as needed within their budgetary constraints. The management system can then rapidly allocate these additional resources either through manual requests or by automated, demand-led provisioning. The security concern that a user (tenant) has regarding rapid elasticity is that a rogue application, client, or denial of service (DoS) attack might destabilize the data center by requesting an overly large amount of resources. The challenge here is to reconcile the perception of infinite resources with keeping control of the resources to avoid such problems. In order to address this security concern it is important to:
- Monitor and manage resource utilization
- Use automation to avoid human error
- Enforce policy-based quotas to restrict overuse of the resources

On-demand self-service
The essence of cloud provisioning is self-service. When combined with rapid elasticity, self-service enables cloud implementations to provide dynamic and timely responses to requests for more or fewer resources. However, the simplicity and convenience of on-demand self-service can also be its weakness. Because cloud environments are often virtualized, any errors in assigning security permissions during the provisioning process could, for example, result in other tenants being able to access the newly provisioned environment. It is very important to understand that many organizations already have IT operations practices in place (such as ITIL v3) that require different levels of service agreement between divisions and IT. When you move to the private cloud, those service agreements should be reviewed so they are consistent with what the new private cloud platform can provide. It is quite possible that you will enhance the Service Level Agreement (SLA) for many operations due to the flexibility and agility that private cloud offers. The cloud architect's major security concern as it relates to on-demand self-service is how to control who has access to private cloud services and how to monitor and audit these services. The open questions shown in Figure 3 must be answered and explicitly covered in the SLA.

Figure 3 Details about on-demand self-service that must be in the SLA.

In order to address these security concerns it is important to:
- Monitor errors in security provisioning
- Have a cleanup process to deprovision resources, remove access, and destroy any residual data that might be present
- Return resources to the cloud in the same base state as all assets in the respective resource pools
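The controls listed under resource pooling, rapid elasticity, and on-demand self-service (tenant isolation, RBAC with least privilege, policy-based quotas, monitoring of provisioning errors, and cleanup on deprovisioning) can be shown together in one small model of a self-service provisioning API. The following is an added example, not code from the article or from Microsoft's private cloud guidance; the class, permission, and zone names (ProvisioningService, "resource.create", "zone-finance", and so on) are assumptions chosen for illustration, and the two tenants and their quotas are constructed sample data. As the virtualized environments section recommends, policy here keys on the logical attributes tenant and trust zone rather than on IP or MAC addresses.

```python
from collections import namedtuple
from dataclasses import dataclass
import secrets

# Least privilege: each role holds only the actions it needs. Tenant users never change quotas; the operator never provisions for a tenant.
PERMISSIONS = {
    "tenant_user": {"resource.create", "resource.delete"},
    "cloud_operator": {"quota.set", "isolation.audit"},
}

class QuotaExceeded(RuntimeError): pass   # request would exceed the tenant's quota
class IsolationError(RuntimeError): pass  # request would enter another tenant's zone

Principal = namedtuple("Principal", "name tenant role")  # tenant comes from the authenticated identity, never from the request body

@dataclass
class Resource:
    resource_id: str
    tenant: str      # policy keys on logical attributes (tenant, trust zone),
    trust_zone: str  # not on IP/MAC addresses, which move with the workload
    vcpus: int
    residual_data: bytes = b""  # stands in for data left on storage after use

class ProvisioningService:
    def __init__(self):
        self.quotas = {}      # tenant -> maximum vCPUs (policy-based quota)
        self.resources = {}   # resource id -> Resource
        self.zone_owner = {}  # trust zone -> owning tenant

    def _authorize(self, who, action, tenant=None):
        if action not in PERMISSIONS[who.role]:
            raise PermissionError(f"{who.name}: role {who.role} lacks {action}")
        if tenant is not None and who.role != "cloud_operator" and tenant != who.tenant:
            raise PermissionError(f"{who.name}: cross-tenant {action} on {tenant}")

    def used_vcpus(self, tenant):
        return sum(r.vcpus for r in self.resources.values() if r.tenant == tenant)

    def set_quota(self, who, tenant, max_vcpus):
        self._authorize(who, "quota.set")
        self.quotas[tenant] = max_vcpus

    def request(self, who, vcpus, trust_zone):
        # Elastic request: granted only within quota and inside the tenant's own zone.
        self._authorize(who, "resource.create", who.tenant)
        if self.used_vcpus(who.tenant) + vcpus > self.quotas.get(who.tenant, 0):
            raise QuotaExceeded(f"{who.tenant}: {vcpus} vCPU request exceeds quota")
        owner = self.zone_owner.setdefault(trust_zone, who.tenant)
        if owner != who.tenant:
            raise IsolationError(f"{who.tenant}: zone {trust_zone} belongs to {owner}")
        rid = f"vm-{secrets.token_hex(4)}"
        self.resources[rid] = Resource(rid, who.tenant, trust_zone, vcpus, b"tenant data")
        return rid

    def release(self, who, rid):
        # Cleanup: remove access, destroy residual data, return capacity to the pool.
        res = self.resources[rid]
        self._authorize(who, "resource.delete", res.tenant)
        res.residual_data = b""
        del self.resources[rid]
        return res

    def verify_isolation(self, who):
        # Detective control: trust zones hosting workloads of more than one tenant.
        self._authorize(who, "isolation.audit")
        zones = {}
        for r in self.resources.values():
            zones.setdefault(r.trust_zone, set()).add(r.tenant)
        return {z: t for z, t in zones.items() if len(t) > 1}

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    svc = ProvisioningService()
    ops = Principal("ops", "cloud", "cloud_operator")
    alice = Principal("alice", "finance", "tenant_user")
    bob = Principal("bob", "hr", "tenant_user")
    svc.set_quota(ops, "finance", 8)
    svc.set_quota(ops, "hr", 4)
    vm1 = svc.request(alice, 6, "zone-finance")
    out = {
        "quota_enforced": _raises(QuotaExceeded, svc.request, alice, 6, "zone-finance"),
        "cross_tenant_release_denied": _raises(PermissionError, svc.release, bob, vm1),
        "quota_change_needs_operator": _raises(PermissionError, svc.set_quota, alice, "finance", 100),
        "zone_isolated": _raises(IsolationError, svc.request, bob, 2, "zone-finance"),
    }
    svc.resources["vm-rogue"] = Resource("vm-rogue", "hr", "zone-finance", 1)  # misplaced workload, bypassing the API
    out["audit_detects_misplacement"] = svc.verify_isolation(ops) == {"zone-finance": {"finance", "hr"}}
    del svc.resources["vm-rogue"]
    released = svc.release(alice, vm1)
    out["residual_data_wiped"] = released.residual_data == b""
    out["capacity_returned"] = svc.used_vcpus("finance") == 0
    return out
```

Running demo() returns a dictionary in which every value is True. The preventive checks (quota, cross-tenant access, least privilege, trust-zone ownership) are all enforced inside the API before any state changes, while verify_isolation() is the detective control that catches a provisioning error made outside the API, which is the kind of error the text says must be monitored.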

Broad network access
Although some cloud architects will argue that broad network access only applies to the public cloud, the reality is that this is not true. Even without cloud computing considerations, large enterprises already require broad network access, which is why for the past ten years VPN technologies have evolved to be more easily implemented and transparent to use. In a private cloud infrastructure remote users will still need remote access to those resources located in the private cloud. Consumers of your private cloud services may be authenticating to an application provided by a public cloud provider using federated identity to authenticate from your internal directory service. Your internally hosted private cloud implementations may also be using web services from a third-party public cloud provider. Failing to consider the broad network access picture is therefore inherently limiting. The cloud architect's security concern regarding this mechanism is how to ensure that an appropriate level of security applies regardless of client location and regardless of form factor. This requirement applies to both cloud management and application security. In order to address this security concern it is important to:
- Assess device state
- Implement application-level access control
- Implement security controls to avoid leakage of data located on users' own devices

Summary
Cloud computing is having a major impact on our industry and how we think about security. While private cloud is often considered to have security concerns similar to those addressed in a traditional data center, there are a few issues that are unique to private cloud security, and others that represent similar data center security issues but with an increased emphasis when applied to the private cloud. Of all the security issues that you need to address in the private cloud, one of the most important is that of isolating tenants in a multi-tenant environment. Isolation of tenant services from one another needs to be enforced at all levels of the private cloud infrastructure, including compute, storage, and networking. You can use the five essential characteristics of cloud computing as a pivot for addressing the security issues that cloud computing introduces over those seen in the traditional data center. You can then use on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service as buckets in which to place your security design issues specific to the private cloud.

Additional resources
For more information about private cloud security:
- A Solution for Private Cloud Security: Service Blueprint, http://social.technet.microsoft.com/wiki/contents/articles/6643.blueprint-for-a-solution-for-private-cloud-security.aspx.
- A Solution for Private Cloud Security: Service Design, http://social.technet.microsoft.com/wiki/contents/articles/6644.design-guide-for-a-solution-for-private-cloud-security.aspx.
- A Solution for Private Cloud Security: Service Operations, http://social.technet.microsoft.com/wiki/contents/articles/6645.operations-guide-for-a-solution-for-private-cloud-security.aspx.

We encourage you to review all three of these documents prior to and during the design and planning phases of your private cloud infrastructure. You can also download the slide deck that we delivered at ShareCloud Dallas 2012 covering this subject, available at http://gallery.technet.microsoft.com/ASolution-for-Private-0739e4a1.

ISSA-LA Donates $20,000 for Nonprofits to Attend the 4th Annual Information Security Summit

The ISSA Los Angeles Chapter has created a donation fund of up to $20,000 for IT employees and executives of nonprofits to attend, at no charge, the Fourth Annual Information Security Summit on Wednesday, May 16, 2012, at the Hilton Universal City Hotel in Los Angeles. The theme of the one-day summit is "The Growing Cyber Threat: Protect Your Business," which includes the business of operating nonprofits. "We are offering 100 free registrations to our nonprofit friends because we know how important it is that the critical work of nonprofits moves forward unimpeded by criminal attacks," said ISSA-LA President Stan Stahl, PhD. "Nonprofits are prime targets of cybercriminals who steal personal identities and bank funds. Additionally, nonprofits typically have thousands upon thousands of individual pieces of data, sensitive data that belongs to the people in our community and which cannot be secured if staff members and executives are not aware of how to deal with the danger they face." The idea of extending a hand to nonprofits is in line with ISSA-LA's credo that "It takes the village to secure the village℠." According to a new study by the Center for Civil Society at UCLA's Luskin School of Public Affairs, in September 2011, the latest date for which data is available, there were 31,600 registered 501(c)(3) public charities in Los Angeles County, generating more than $35 billion in economic activity and employing over 230,000 people. At least 10% have budgets over $1 million. A significant number of large nonprofits have budgets of more than $10 million. Most of the donations today are made over the Internet and kept in the organizations' databases. This information needs to be properly protected and secured. The Summit is the only educational forum in Los Angeles specifically designed to encourage participation and interaction among all three vital information security constituencies: (1) business and organization executives, senior business managers, and their trusted advisors; (2) technical IT personnel with responsibility for information systems and the data they contain; and (3) information security practitioners with responsibility for ensuring the security of sensitive information. Registration is open to anyone interested in learning more about information security but is particularly recommended for business and nonprofit executives and senior managers; business professionals in law, accounting, insurance, and banking; technical IT personnel; and information security practitioners. The Information Security Summit is part of ISSA-LA's community outreach program. The goal of the program is to help the community stay safe from cybercrime by enabling the necessary collaboration between business, nonprofit, and community leaders, technical IT professionals, and the information security community. Nonprofits interested in registering for the event should email vp@issa-la.org to receive the appropriate registration codes.

About the Authors


Yuri Diogenes, CISSP, C|EH, C|CSA, CompTIA Cloud Essentials Certified, CompTIA Security+, MCSE+Security, currently works as a Senior Technical Writer in the Server and Cloud Division Information Experience at Microsoft. Yuri is the co-author of the Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion from Microsoft Press, co-author of the Forefront book series also from Microsoft Press, and is currently writing a Windows 8 Security book for Syngress in partnership with Tom Shinder. Yuri is a candidate for a Master of Science degree in Cybersecurity Intelligence & Forensics from Utica College. Yuri can be contacted at http://blogs.technet.com/yuridiogenes, or you can follow him on Twitter (@yuridiogenes).

Dr. Tom Shinder is a 15-year veteran of the IT industry. Prior to entering IT, Tom was a practicing neurologist with special interests in epilepsy and multiple sclerosis. He then began his career in IT as a consultant and worked with many large companies, including Fina Oil, Microsoft, IBM, HP, Dell, and many others. He started his writing career toward the end of the 1990s and has published over 30 books on Windows, Windows Networking, Windows Security, and ISA Server/TMG. For over a decade, ISA Server and TMG were Tom's passions, and he ran the popular web site www.isaserver.org, in addition to writing 8 books on ISA/TMG. Tom joined Microsoft in December of 2009 as a member of the UAG DirectAccess team and started the popular Edge Man blog that covered UAG DirectAccess. Tom is currently a Principal Knowledge Engineer in the Server and Cloud Division Information Experience Group Solutions Group, and his primary focus now is private cloud, with special interests in private cloud networking and security. You can follow him on Twitter (@tshinder).

Waging War in the Digital Age

Response in Connect

By Michael Starks, ISSA member, Fort Worth, USA Chapter
Ethics and Privacy, March 2012

Waging War in the Digital Age appeared in the March 2012 ISSA Journal. It is reprinted in this issue, page 8.

Brett Osborne says: When we speak about cyberwar, we should reference the conventions. I'll add Westphalia and the United Nations Convention on the Law of the Sea to the list. Militaries should know the definition of war and what the globally accepted norms of warfare are. After the two world wars, aggressions that primarily attack civilian targets were banned. The Internet is massively civilian in nature and is extra-territorial, i.e., not part of any sovereign nation-state. Let's also define the so-called aggressions: do any qualify as war? Overwhelmingly not. Most of these activities fall into one of several categories:

- Piracy/Anarchy: one who fights for other than a sovereign state. These are your Anonymous and Leakis: harass and embarrass. Probably arrested by civilian authorities, though there is some history of military law.
- Criminal: this covers a wide range from simple thief, bank robbers, and other thugs. They also work to exploit a person's identity or image in addition to financial gain. Criminal activity is normally covered by existing law enforcement and jurisprudence.
- Espionage: spying is spying. Nations do it. Companies do it. International definition and law is quite succinct here also. Mostly arrested by civil authorities, but also some military law may be involved.

Weapons of cyber? Yes, anything can be militarized, weaponized, or have dual purpose. Look at the lists for arms control (Export Administration Regulations, International Traffic in Arms Regulations). Information technology is no different.

Collateral damage? Yes and no. Yes, almost everything that can be targeted on the Internet can and should be considered civilian. Remember, militaries are only supposed to attack military targets. A very nanometric percentage of Internet assets may be national or military. But these are overwhelmingly gateways to protected, isolated networks or systems. So, militaries should not be attacking over the Internet (nations may conduct espionage, which is not warfare). But truly well-targeted, refined attacks (regardless of the source, for now) will be very unlikely to cause collateral damage. Stuxnet reportedly was designed to attack nuclear industrial equipment, which apparently it did very well. The vast majority of other systems infected with Stuxnet were not significantly impacted. Crude, simplistic, non-targeting attacks probably will cause widespread damage. Any DDOS attack is an example. So what should we do and propose? LEAD!

- Define aggressions: include crimes, exclude cyberwar.
- Demilitarize and set multilateral agreements: Geneva Cyber Convention? UN Policy for Law of the Internet? Security Council Resolution?
- Defend with coordinated multinational/multilateral monitoring and enforcement: chase pirates and criminals regardless of where they are.


Perspectives on the Practice of Security Architecture


By Tohru Watanabe ISSA member, New York Metro, USA chapter
This article reviews the current state of the practice in an effort to enhance the practice of security architecture.
Abstract
Security architecture is a common topic for discussion among security practitioners. Discussions range from what it is to what a security architect performs in his practice. Security architecture involves people, processes, and technology, and a successful program aims to provide protection against compromise. Security architects are tasked with a wide variety of responsibilities ranging from hands-on technical tasks to hands-off consultative roles. Concurrently, security itself is a nebulous concept. This article reviews the current state of the practice in an effort to enhance the practice of security architecture.

Introduction
Security architecture is a common topic for discussion among security practitioners. Security practitioners who focus on technology architecture are often referred to as security architects. Security architects are tasked with a wide variety of responsibilities that range from hands-on technical tasks to hands-off consultative duties, such as translation of business requirements into a technologically acceptable form, across all industry verticals, geographies, and sizes. Though security architecture has become a commonly used term, a consensus definition is still absent. The lack of a consensus definition has caused cascading effects, including miscommunication both inside and outside the information security community, and results in work efforts that are often not aligned with the intent of the requestor. Such miscommunications are common in HR and recruiting functions, where the lack of a consensus definition also results in a lack of standardization of job duties, requirements, and salary information.1 When miscommunications become a frequent artifact of discussions, the result is reduced efficiency and loss of credibility for the security architect. Loss of credibility, especially for a security architect, serves as a hindrance at a minimum and can result in lack of professional success at the other end of the extreme. Such a potential malady can be avoided if one is mindful of the lack of a consensus definition and of the semantic challenges of intra- and inter-personal communication, and exercises additional care to ensure intent is properly communicated.

1 A search for "security architect" on Salary (www.salary.com) and the Bureau of Labor Statistics (www.bls.gov) yields zero exact hits.

Lack of organization of the profession
Security architecture has been covered with fair regularity in the ISSA Journal. Past discussions on the topic have been presented from different perspectives, including the philosophical, conceptual, and practical.2 Across the different perspectives, security architecture has been likened to a model, a framework, a puzzle, and a balance between too little and too much.3 While some perspectives are unique, there is overlap in many cases as to what security architecture is, what the practice of security architecture is, and how acceptable levels of architecture should be measured. In several cases, authors have recounted the loose definition of security architecture and security architects in the information security community and suggested new or restated existing definitions and descriptions in an effort to level set with the audience. For example:

2 Price, S. M., Conceptual Principles for the Security Architect, ISSA Journal (August 2011); Williams, R., Designing a Security Architecture, ISSA Journal (December 2004); Price, S. M., A Defense-in-Depth Security Architecture Strategy Inspired by Antiquity, ISSA Journal (March 2010); Helmich, P., Security Architectures, ISS
A Journal (May 2003); Stawowski, M., Network Security Architecture, ISSA Journal (May 2009); Weise, J., Security Architecture and Adaptive Security, ISSA Journal (July 2008).
3 Tomhave, B., Architecting Adequacy: When Good Enough Really Is, ISSA Journal (March 2010).

Perspectives on the Practice of Security Architecture | Tohru Watanabe

Paul Helmich
"A security architecture can generally be considered to define and describe the organization of technical security mechanisms used to implement an organization's security policy."4

Ron Collette and Mike Gentile
"The role of the security architect is to act as a conduit between related, yet different, disciplines, while maintaining a focus on security; one or more individuals who possess the ability to articulate and comprehend information, process it, formulate solutions that conform to the security policies of the organization, and communicate them to the target audience in an understandable manner."5

Anthony Thorn, et al.
"A security architecture is a cohesive security design, which addresses the requirements (e.g., authentication, authorization, etc.) and in particular the risks of a particular environment/scenario and specifies what security controls are to be applied where. The design process should be reproducible."6

4 Helmich, P., Security Architectures, ISSA Journal (May 2003).
5 Collette, R., and Gentile, M., The Security Architect: Bridging the Gap Between Business, Technology and Security, ISSA Journal (April 2006).
6 Thorn, A., Christen, T., Gruber, B., Portman, R., and Ruf, L., 2010. What is a Security Architecture, Information Security Society Switzerland, accessed March 12, 2012, http://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf.

The author's initial exploration of the topic of security architecture resembled the overexposed and redundant past approaches. Recycling of content may be useful to keep an idea top of mind, but it does not engage the community to introspectively assess the current state of the practice. Slade's law of computer history suggests that "those who do not learn the lessons of computer history are doomed to buy it all again repackaged," and a recycling approach focuses too exclusively on repackaging the past.7 With the intent to avoid recycling content, a new reality that better addresses the conundrum facing many information security practitioners emerged. The practice is full of terms, acronyms, and definitions that are often inconsistent across security architects. Lack of consistency is characteristic of any emerging field that has not organized around a governing body to form a profession. Central to the characteristics of a profession are a common knowledge base, competency, learning, ethics, and membership in an association of peers.8 Though there are professional organizations that attempt to centralize the attributes common to a profession, security practitioners are faced with a growing number of choices for organizational affiliation. For example, SANS affiliates and credential holders are more likely to have a background in hands-on aspects of security architecture when compared directly with an individual affiliated with (ISC)2, based purely on a comparison of the common bodies of knowledge and certification focus areas of the two organizations.

Professional organizations for security architects
Security architecture practitioners are commonly affiliated with one or more professional organizations, including ISSA, ISACA, (ISC)2, SANS, EC-Council, CompTIA, and ASIS. Each organization offers its members access to resources, certifications, educational curricula, and networks. Similarly, each organization maintains its own common body of knowledge (CBK), learning opportunities, and code of ethics. As each organization focuses on variations of the available information security practice areas, there are unique but discrete differentiations that members must be mindful of. Such differentiation often requires members of two or more organizations to exercise due care relative to the management of multiple continuing professional education (CPE) requirements and codes of ethics, as well as the additional administrative effort required to maintain good standing with each organization. For example, ISSA, ISACA, (ISC)2, and ASIS members must pay an annual fee to each organization. In addition, individuals who hold certifications from different organizations must earn CPE credits for each discrete certification. Though there is crossover in educational activities, the credential holder must exercise care to ensure proper accounting of time earned. As an example, CPE requirements for the Certified Information Systems Security Professional (CISSP) certification are broader than those for the Certified Information Security Manager (CISM). Therefore, educational activities with a focus on security management may count towards both CISM and CISSP, but activities not relevant to security management, such as an update on cryptographic technologies, may count towards CPE for CISSP but not for CISM.9

7 Slade, R. M., 2010. Everything New Is Old Again, in Information Security Management Handbook (6th Ed., Volume 4), ed. Harold F. Tipton and Micki Krause. Accessed March 4, 2012, Skillsoft.
8 Griffiths, M., Brooks, D. J., and Corkill, J., November 2010. Defining the Security Professional: Definition through a Body of Knowledge, Proceedings of the 3rd Australian Security and Intelligence Conference, accessed March 12, 2012, http://ro.ecu.edu.au/asi/5.

This Month's ISSA Web Conference

You've Got Humans on Your Network: Securing the End User

Live Event: May 22, 2012
Register for this event: www2.gotomeeting.com/register/275275850

Even the best technology can be circumvented. All it takes is timing and a good story. Melissa, I Love You, The World's Best Virus Scanner: what do these all have in common? They all circumvented security by tricking the users. As technology improves and the value of circumvention increases, the weakest link will become the end user. And don't kid yourself: APT has proven they will be targeted. This session will discuss the human element and its impact on security.

Other conferences: www.issa.org/page/?p=57

Theory and practice of security architecture


Following the discussion of the professional landscape, the next step is to review the practice of security architecture through the lens of action science to identify any gaps between theory and practice. Action science is an organizational development intervention designed to help people improve their interpersonal and organizational effectiveness by exploring the hidden beliefs that drive their actions.10 The fundamental technique is to compare espoused theories with theories-in-use; the delta between the two reveals the gap. Even though the technique is not directly relevant to the security practice, a comparison of the espoused theory of security architecture as a practice with the actual practice of security architects yields a gap that is representative of the reality facing security professionals. While a survey is a common method to measure espoused theories, sampling job postings for a security architect yields the qualitative and quantitative qualities valued by hiring managers. A review of sample job postings across verticals and organization sizes reveals the broad and disorganized nature of the knowledge, skills, and abilities (KSAs) expected of an ideal candidate, with a single exception: the security architect is a senior-level position that requires a minimum of seven years of relevant experience.11 Aside from the experience requirement, job descriptions were extremely varied. When the verbiage of the job descriptions was processed through Wordle12 to create a word frequency cloud chart, the result revealed the overuse of the term "Security," followed by "Solutions," "Information," "Technical," "Enterprise," and "Systems" (see Figure 1). Though several individual job descriptions included specific technologies, the overabundant re-use of words hints at a potential lack of specificity for experience, certification, technologies, or frameworks. Such a result could also stem from a lack of synergy between Human Resources and the hiring department.

9 ISC2 - Maintaining Your Credentials in Good Standing, https://www.isc2.org/uploadedFiles/Credentials_and_Certifcation/About_Our_Credentials_and_Process/CPE.pdf; ISACA - Maintain Your CISM, http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Maintain-Your-CISM/Pages/default.aspx.
10 Raelin, J. A., Action Learning and Action Science, in Organization Development, ed. Joan V. Gallos. (San Francisco: Jossey-Bass, 2006), 203.
11 Based on a random sampling of 24 job postings on Dice and LinkedIn for "Security Architect."
12 Wordle is a tool for generating word clouds from text that you provide. The clouds give greater prominence to words that appear more frequently in the source text, http://www.wordle.com.

Figure 1 Word Frequency Cloud Chart.

Given that security architecture jobs do not require a common baseline of KSAs, inter-organizational communications between security architects could result in differing levels of miscommunication. Such miscommunication both directly and indirectly results in reduced efficiency, loss of productivity, or harm. There are many examples of negative impact, including vendor-customer communications. As an example, organizations rely on vendors for products and services, and there are many instances where vendor-customer relationships degrade based on semantic differences about an emerging technology. The mutuality of vendor-customer relationships often rests on the communication of needs and requirements between the two entities. In some instances, semantic differences result in misunderstandings with consequences ranging from annoyances to financial loss for either or both parties. Semantic differences also occur when security architects communicate with individuals outside the security community. The word "secure" has been widely used and abused to describe a desired state with little regard for the potential for semantic differences between two or more parties. As an example, a corporate DMZ may be considered secure when a "secure remote access" solution is in place. In reality, the presence of a secure remote access solution alone does not provide any assurance of its effectiveness without additional consideration, including how its configuration and implementation compare against the desired objectives.

Knowledge, skills, and abilities of a security architect

Security remains a nebulous concept for practitioners.13 This ambiguity in the definition of security may help to explain the many diverging definitions of the practice of security architecture. The cliché "ask five security architects to define security and you will get ten answers" may have some truth to it. A review of security credentials reveals an acronym soup used to distinguish security practitioners, including but not limited to CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CCSP (Cisco Certified Security Professional), OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), CPT (Certified Penetration Tester), GSEC (Global Information Assurance Certification Security Essentials Certification), CCSE (Check Point Certified Security Expert), and Security+. Each credential certifies a candidate against a CBK defined by the accrediting organization, which may be non-profit or for-profit. While CBKs often overlap, every credential requires demonstrable knowledge and understanding of its own set of security CBK, and some organizations further require candidates to validate additional prerequisites, such as practical experience in the field, before the credential is issued. Other credentials require a hands-on demonstration to validate KSAs against the CBK. Compared with the academic model of a standardized CBK, in which member schools must follow the same baseline curriculum (for example, the Association to Advance Collegiate Schools of Business (AACSB), American Bar Association (ABA), Accreditation Board for Engineering and Technology (ABET), American Medical Association (AMA), or American Psychological Association (APA)), an individual with a CISSP may demonstrate a different perspective on security architecture topics than another with a CPT. Such disparity decentralizes the community and, to some extent, devalues each credential and credentialing organization. As an example, an aspiring security architect who wants to certify her KSA in penetration testing has several choices, including CPT, CEH, OSCP, and GPEN. Ancillary negative impacts fall on job seekers who may be qualified but lack the resources to attain the requisite certifications. Consequently, employers may have difficulty filling a vacancy because of the increased specificity of available credentials and the resulting self-selection based on credential mismatch.

13 Collette, R., and Gentile, M., "The Security Architect: Bridging the Gap Between Business, Technology and Security," ISSA Journal (April 2006); Helmich, P., "Security Architectures," ISSA Journal (May 2003); Thorn, A., Christen, T., Gruber, B., Portman, R., and Ruf, L., 2010, "What is a Security Architecture," Information Security Society Switzerland, accessed March 12, 2012, http://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf.

Perspectives on the Practice of Security Architecture | Tohru Watanabe

Traditional architecture frameworks


Enterprise architecture is an architectural discipline that began in 1987 with the development of the Zachman Framework.14 The Department of Defense (DoD) soon followed with an enterprise architecture framework known as the Technical Architecture Framework for Information Management (TAFIM).15 From TAFIM, The Open Group Architecture Framework (TOGAF) followed in 1995.16 The first enterprise security architecture framework was developed in 1995 and published in 1996 by John Sherwood. SABSA (Sherwood Applied Business Security Architecture) provides a high-level framework for security practitioners to reference when building an enterprise security architecture.17 Sherwood (2005) intentionally avoided specific descriptions and technical details to ensure the longevity of the framework. While SABSA offers a framework for security architects, the lack of specific descriptions and technical details adds to the difficulty of understanding and properly applying it in the design of enterprise security architectures. As an example, the SABSA model layers the six questions used in the Zachman framework (what, why, how, who, where, and when) against six distinct views of the operation of a business: the business view, the architect's view, the designer's view, the builder's view, the tradesman's view, and the facilities manager's view. When mapped together, the resulting 36 cells make up the components for developing an enterprise security architecture.18

14 Wikipedia, "Enterprise Architecture Framework," last modified March 19, 2012, http://en.wikipedia.org/wiki/Enterprise_Architecture_framework.
15 Ibid.
16 Wikipedia, "The Open Group Architecture Framework," last modified April 19, 2012, http://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework.
17 Sherwood, J., Clark, A., and Lynas, D., 2005, Enterprise Security Architecture.
18 Ibid.




Given the comprehensive nature of the SABSA framework, an average implementation requires anywhere from one to one and a half years, including resources dedicated to developing, managing, and maintaining the enterprise security architecture framework.19 Many organizations do not have the resources to devote to such an effort, leaving adoption of the SABSA approach to the select organizations willing to tackle it. As an example, only 8.3% of the Security Architect job descriptions sampled referenced SABSA or TOGAF.20

A gap and solution

There is a gap between the comprehensive enterprise security architecture frameworks adopted by a minority of organizations and the splintered state of security architecture in the rest, which have not implemented traditional frameworks. A guide published by The Open Group suggests a way to bridge the gap. The Open Enterprise Security Architecture lists three components of enterprise security architecture: governance, technology architecture, and operations.21 Given these three components, the existing ambiguity could be better structured by treating past attempts to define security architecture as part of the technology architecture within the enterprise security architecture. Making this explicit separates the technology components from governance and would simplify future discussion of security architecture. The traditional concept of security architecture becomes the technical security architecture, while enterprise security architecture provides the umbrella for managing the hierarchy of governance, technology architecture, and operational components. For example, a security architect without full coverage of governance, technology architecture, and operations should be considered a technology security architect rather than an enterprise security architect. In essence, the objective is to attach a qualifier to "security architect" that distinguishes at least two types. Beyond the added hierarchical structure, such an approach simplifies intra- and inter-organizational communication, including hiring. A requisition for a technical security architect should focus primarily on the underlying technologies that implement the security policy, while the enterprise security architect oversees governance, technology architecture, and operations for the program.

Organizations that do not require separation of the two roles can choose which part of the role is essential and communicate that structure to candidates. A smaller organization, for example, may fold the governance and policy management function of an enterprise security architect into a higher-level role while hiring a technology architect to manage the hands-on operational components. A medium-sized matrixed organization may instead retain several enterprise security architects, each focusing on a different role. A larger organization could invest in implementing a traditional enterprise security framework and manage the enterprise security architecture roles within that framework.

Conclusion

The security architect faces numerous challenges in practice, including a myriad of organizing entities, credentials, and objectives. The effective security architect must understand the current state of the profession as well as a logical hierarchy of security architecture within organizations. The gap between organizations with the resources to adopt traditional enterprise security architecture frameworks and those that have not implemented a traditional framework leaves ample room for a simpler approach that separates technology components from governance. By differentiating security architects by focus, governance or technology, a greater number of organizations can build, manage, and maintain a security architecture program with greater consistency and improve their overall security posture.

19 IMF Academy, SABSA Foundation, http://www.imfacademy.com/areasofexpertise/security_management/SABSA_Foundation.php.
20 Based on a random sampling of 24 job postings on Dice and LinkedIn for "Security Architect."
21 The Open Group, April 2011, Open Enterprise Security Architecture, http://pubs.opengroup.org/epubs/samples/9789087536725SMPL.pdf.

About the Author


Tohru Watanabe, CISM, CISSP, helps organizations define requirements and integrate products and services to protect information assets. Tohru has over 16 years of experience in IT, holds a Bachelor's in Business Administration, and is working to complete a Master's program. In his free time, Tohru enjoys piloting a variety of fixed-wing aircraft, exploring entrepreneurial interests, and traveling. He can be reached at tohruw@aol.com.

Hidden Requirements continued from page 9


self how you measure up on the unwritten requirements scale. The time to think about where you need improvement is now. Corporations are shifting cultures and placing much more value on technology professionals who also display strong soft skills and business acumen. Improving these skills makes you more valuable to both your current company and your potential future employer.

About the Author


Joyce Brocaglia is the CEO of Alta Associates, the leading recruiting firm specializing in information security, IT risk management, and GRC, and founder of the Executive Women's Forum (www.ewf-usa.com), a community of leading experts in IT risk, security, and privacy. Joyce may be reached at www.altaassociates.com and Joyce@altaassociates.com.


toolsmith Buster Sandbox Analyzer


By Russ McRee ISSA Senior Member, Puget Sound (Seattle), USA Chapter
Prerequisites
Windows
Sandboxie 3.64 or later1

On April 10, 2012, a new version of Sandboxie was released, and on April 16 so too was a new version of the Buster Sandbox Analyzer,2 which uses Sandboxie at its core. Voilà! Instant toolsmith fodder. It's been a few months since we've covered a malware analysis-specific tool, so the timing was excellent. Buster Sandbox Analyzer (BSA) is intended for analysis of process behavior and system changes (file system, registry, ports) during runtime, for evaluation as suspicious. You'll find it listed among the Sandbox Tools for Malware Analysis on one of my favorite Internet resources, Grand Stream Dreams.3 As always, I pinged the developer, and Pedro Lopez (pseudonym) provided me with a number of insightful details. He releases new versions of Buster Sandbox Analyzer on a fairly regular basis;4 version 1.59 is current as I write this. There's an update mechanism built right into BSA; just click Updates, then Check for Updates. Pedro has recently improved static analysis, and he's always trying to improve dynamic analysis, as he considers it the most important aspect of the tool. For future releases the TO-DO list is short, given over two years of constant development. The following features are planned:
A feature to analyze URLs in automatic mode.
Utilizing the information stored in the SQL database, a feature to generate statistics including used compressors, detected samples, and others.
Pedro continuously looks for new malware behaviors to include and improvements for the features already implemented. Your feedback is welcome here, readership.

Pedro was first motivated to create the tool thanks in large part to Sandboxie. "Before I started coding Buster Sandbox Analyzer back in late 2010, I knew of Sandboxie already. I started using this great software around 2008 and had coded other utilities using Sandboxie as a file container, so I knew already of the potential to write other types of programs for use with Sandboxie. I created Buster Sandbox Analyzer because I didn't like that all publicly available malware analyzers were running under Linux. I like Linux-based operating systems but I'm mainly a Windows user, so I wanted a malware analysis tool running under Windows. I knew Sandboxie was perfect for this task and with the help of Ronen Tzur (Sandboxie's author) it was possible to do it."

Pedro cites several favorite use cases, but two are standouts for him:
1. Use the tool to know what files and registry modifications were created by a program. While this use case is not always directly related to malware analysis, it can be used by any user who wants such information about program behavior.
2. Use the tool to learn if a file (executable, PDF document, Word document, etc.) exhibits malware-specific behavior. Goes without saying, right?

Pedro reports that Buster Sandbox Analyzer suffers from a lack of user feedback (help change that!). He's not really sure how many people have used it to date or how many use it regularly, but he does recall one success story from a user on the Wilders Security Forums: "I was shopping on Usenet for some tax software... I found it and ran it in the sandbox. As is my practice, I explored the installed files. Everything worked well. No obvious signs of infection, no writing to Windows, no start/run entries, and no files created in temp folders. But I still wasn't satisfied. I used Buster's program and reran the install... The program logs were literally laced with created events, DNS queries to Russia, and many hidden processes. Needless to say, I kept it in the sandbox."

One message to convey to you, readers: a few versions ago Pedro introduced multi-language support; there are translations for Spanish, Russian, and Portuguese (Brazil), while a translation to German may be available soon. He would like to have translations for Italian, French, Japanese, and Chinese and would be grateful if someone can contribute translations for these languages. Given the likelihood that this article will be read by security professionals, Pedro welcomes anyone who tries out BSA and has suggestions, ideas, feedback, bugs, etc., to send them to his attention at malware dot collector at gmail dot com.

1 http://www.sandboxie.com/.
2 http://bsa.isoftware.nl/.
3 http://grandstreamdreams.blogspot.co.uk/2012/04/malware-analysis-resources.html.
4 http://bsa.isoftware.nl/frame8.htm.


toolsmith: Buster Sandbox Analyser | Russ McRee


Configure BSA
Refer to the installation and usage documentation on the BSA site as your primary source; you may also find the BSA guidance at reboot.pro5 helpful, if a bit dated. Consider this documentation reloaded. Installation of both Sandboxie and BSA is straightforward, but there are some configuration tricks worth paying attention to. After reading reboot.pro, be sure to add the following to the Sandboxie default configuration file:

InjectDLL=C:\BSA\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

Even more importantly, this assumes you've installed BSA in C:\BSA. If you choose differently, you must modify the Sandboxie configuration file accordingly. Avoid the Program Files directories on later versions of Windows, given the need for administrative permissions to write there. I'm a big fan of Windows shell integration with any tool that offers it. Under Options | Program Options | Windows Shell Integration, select Add right-click action "Run BSA and Analyze in BSA". From Options, set Common Analysis Options to include saving packet captures under Packet Sniffer via Save Capture To File. Be sure to select the correct adapter here as well. Note: BSA utilizes NetworkMinerConsole.exe for PCAP analysis. Also set your Report Options from the Options menu. I prefer HTML; you may also select PDF and XML. You may also like the SQL options, where you can write analysis and report results to a SQL database. Be sure to check out the additional features under the Utilities menu, including submittal to online analyzers and file tools for disassembly, hashing, hex editing, renaming, signature check, scanning, and strings. There are also explorers for memory, PCAPs, PE files, processes, and registry hives, as seen in figure 1.

Figure 1 BSA Explorer features.

Experiment and fine-tune your settings. To remember settings and load them automatically when the tool starts, select Options | Program Options | Save settings on exit. You can also save multiple configuration files via Options | Program Settings | Save Settings As so as to make use of different analysis patterns. Lastly, and I imagine you knew I was going to say this, I run BSA in a Windows XP virtual machine and on a bare-metal install of Windows 7 running SteadierState. Some malware not only knows when it's running in a VM but knows when it's running in Sandboxie. If you suspect that's the case, you can hide Sandboxie during a BSA run via Program Options | Hide Sandboxie.

Using BSA
I wanted to test BSA in two different capacities, one with a browser-borne exploit and one with a normal PE. I am privileged to receive a daily report inclusive of a number of drive-by exploit vehicles, so I am always rich in options for exploration, and hxxp://www.ugpag.cd/index.php?option=com_content&view=article&id=49&Itemid=75 was no exception. To examine it, I started BSA via bsa.exe in C:\BSA, tuned my BSA configuration to include some additional reporting options, clicked Start Analysis, right-clicked Internet Explorer and chose Run Sandboxed (given that Sandboxie is also integrated right into the Windows shell), and finally browsed to the ugpag.cd site. Once I willingly stepped through a few browser blocks (yes, I'm sure I want to do that), the infection process completed and I chose Terminate All Programs by right-clicking the system tray Sandboxie icon, followed by Finish Analysis in BSA. A few key elements jumped right out during BSA analysis and findings. First, the site spawned an instance of Windows Media Player in order to play hcp_asx, as seen in figure 2.

Figure 2 Pwned site spawns Media Player for hcp_asx.

5 http://reboot.pro/14602/.
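The three Sandboxie directives above are easy to paste in and just as easy to get subtly wrong, most often because BSA was installed somewhere other than C:\BSA while the InjectDLL line still points there. The following script is an added example for this column, not BSA or Sandboxie code: it parses a Sandboxie.ini, confirms that the target sandbox carries all three directives, and checks that the InjectDLL path really exists. It assumes the ini is INI-style with one [GlobalSettings] section and one section per sandbox (the default box being [DefaultBox]), that a key may repeat within a section, and that key names match case-insensitively; the SAMPLE_INI is constructed, not taken from a real host.

```python
"""Verify that a Sandboxie.ini carries the three directives BSA needs.

Added example for this column; it is not BSA code and not from the
Sandboxie project. Assumptions, labelled here: Sandboxie.ini is INI-style
with a [GlobalSettings] section and one section per sandbox (the default
is [DefaultBox]); keys may repeat within a section; key names are matched
case-insensitively. SAMPLE_INI below is constructed, not from a real host.
"""
import os
import re
from collections import defaultdict

# The three lines the column says to add, with the C:\BSA path it assumes.
REQUIRED = {
    "InjectDLL": r"C:\BSA\LOG_API.DLL",
    "OpenWinClass": "TFormBSA",
    "NotifyDirectDiskAccess": "y",
}


def parse_sandboxie_ini(text):
    """Return {section: {key: [values]}}; values are lists because a box
    section may legitimately repeat a key (several InjectDll lines)."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current is None or "=" not in line:
            continue          # stray line outside any section; ignore
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def check_bsa_config(text, box="DefaultBox", path_exists=os.path.exists):
    """Return a list of findings; an empty list means the box is BSA-ready.

    path_exists is injectable so the DLL-path check can run offline; the
    real call is os.path.exists on the machine running Sandboxie.
    """
    ini = parse_sandboxie_ini(text)
    if box not in ini:
        return ["sandbox section [%s] not found" % box]
    present = {k.lower(): v for k, v in ini[box].items()}
    findings = []
    for key, wanted in REQUIRED.items():
        values = present.get(key.lower(), [])
        if not values:
            findings.append("%s missing from [%s]" % (key, box))
        elif key == "InjectDLL":
            # Any InjectDLL line is fine as long as one loads BSA's logger
            # from a path that actually exists on this machine.
            dlls = [v for v in values if v.lower().endswith("log_api.dll")]
            if not dlls:
                findings.append("no InjectDLL line loads LOG_API.DLL")
            for dll in dlls:
                if not path_exists(dll):
                    findings.append("InjectDLL path %s does not exist; point it "
                                    "at the folder where BSA is installed" % dll)
        elif wanted.lower() not in [v.lower() for v in values]:
            findings.append("%s is %s, expected %s" % (key, values, wanted))
    return findings


# Constructed sample: BSA was unpacked to D:\Tools\BSA, the ini still says
# C:\BSA, and the NotifyDirectDiskAccess line was forgotten.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7
InjectDll=C:\\BSA\\LOG_API.DLL
OpenWinClass=TFormBSA
"""


def demo(installed_dll=r"D:\Tools\BSA\LOG_API.DLL"):
    """Run the check against SAMPLE_INI with a fake one-file filesystem."""
    return check_bsa_config(SAMPLE_INI, path_exists=lambda p: p == installed_dll)


if __name__ == "__main__":
    for line in demo() or ["Sandboxie.ini looks ready for BSA"]:
        print(line)
```

Run it against your real Sandboxie.ini by passing the file's contents to check_bsa_config() and leaving path_exists at its os.path.exists default; on the constructed sample it reports the stale C:\BSA path and the missing NotifyDirectDiskAccess line, which is exactly the pair of mistakes that leave BSA's API log empty after an otherwise successful sandboxed run.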


Second, when reviewing Report.html, I quickly spotted two evil URLs (lukastroy.in and zdravyou.in) under Network Services. Also note the process/window information as seen in figure 3. A quick URLquery.net search for the URLs called gave me everything I needed to know. Yep, BlackHole exploit kit. That was easy.

Figure 3 BSA reporting reveals BlackHole URLs.

I used a Banload sample (MD5: D03BF6AE5654550A8A0863F3A265A412) to validate BSA's PE analysis capabilities. As expected, they were robust. The File Disassembler utility immediately discerned that the sample was UPX-packed. Figure 4 points out a number of revealing elements. Of interest is the fact that a connection is made to hxxp://alessandrodertolazzi.hospedagemdesites.ws (187.45.240.69) in Brazil with attempts to download mac.rar. Banload/Banker commonly originates from Brazil, so this comes as no surprise. This sample is a bit dated, so the evilware hosted on Alessandro's site is long gone, but you get the idea. If you optimize your BSA reporting options to include VirusTotal results, the changes-to-file-system section will include all the detections for created files, as seen in figure 5. The opportunities for exploration are many with Buster Sandbox Analyzer, and the fact that it's free and regularly developed is of huge benefit to our community. Among the features you may find noteworthy and useful are BSA's ability to automatically analyze a folder in a batch process as well as to dump analyzed processes. BSA has moved to the top of my list for sandbox analysis, plain and simple.

Figure 5 BSA reporting provides VirusTotal results with created file.

In conclusion
The combined strengths of Sandboxie and Buster Sandbox Analyzer make for a truly powerful combination and an invaluable malware analysis platform. There's no reason not to start exploring right away. As always, do be careful playing with live samples, and remember to provide feedback to the BSA project; your support is welcome. Ping me via email if you have questions (russ at holisticinfosec dot org). Cheers... until next month.

Acknowledgements
Pedro Lopez, lead developer, Buster Sandbox Analyzer

About the Author


Russ McRee leads the incident management and penetration testing functions for Microsoft's Online Services Security team. He advocates a holistic approach to information security via holisticinfosec.org and volunteers as a handler for the SANS Internet Storm Center. Reach him at russ at holisticinfosec dot org or @holisticinfosec.
Figure 4 BSA API logging reveals Banload behavior.


Conferences
Have a chapter event to post? Let us know apvembu@issa.org.


ISSA Events
IT Security Summit New Mexico (ITSSNM): The Perfect Storm
May 3, 2012, Santa Fe Community College
Whether your organization has recently consolidated its infrastructure using virtualization or you want to better understand the current security threats, you won't want to miss the ITSSNM in Santa Fe. The ITSSNM will be a dynamic forum where government, academia, and private industry Information Technology and Information Assurance professionals will have the opportunity to network, exchange information, and engage in discussions on IT security best practices, trends, and emerging technologies. For more information and registration: www.fbcinc.com/e/ITSSNM/default.aspx.

ISSA CISO Executive Forum
Denver, CO: May 16-17, 2012
Boston, MA: August 2-3, 2012
Anaheim, CA: October 26-27, 2012
For details on the CISO Forum: www.issa.org/ciso/?p=96. CISO Executive Memberships are subject to approval. Applicants and guests must be executive-level information security professionals, reporting directly to the CEO, CFO, or CIO, and be responsible for internal security for their organization. For complete membership criteria: www.issa.org/ciso/?p=96.

Portland Chapter Hosts: NW ISSA Security Summit
May 3, 2012, Oregon Convention Center, Portland, Oregon
Cost: $65. Discount: $50 for ISSA/ISACA/(ISC)2 members.
The NW ISSA Security Summit is a full-day special event at InnoTech Oregon. Designed for and by security professionals, this conference offers in-depth sessions on the latest issues and trials facing IT security in the NW. To register: www.innotechconferences.com/oregon/about-2/registration.

Denver Chapter Hosts: The Rocky Mountain Information Security Conference
May 17-18, 2012, Sheraton Denver Downtown, 1550 Court Pl, Denver, CO
Cost: Thursday, optional full-day training: $250; Friday, main conference: student/government/military $100, ISSA/ISACA member $200, non-member $250.
The Rocky Mountain Information Security Conference (RMISC) is the only conference of its kind in the Rocky Mountain region. The RMISC is a convenient, affordable knowledge-builder for IT security, audit, and compliance professionals at all levels. The RMISC provides the perfect blend of education, networking, and opportunities that are critical to your success in today's economy and security climate. Pre-conference full-day workshops provide in-depth training with courses for management, technical, and audit professionals. For more information and registration: www.rmisc.org.

ISSA Turkey Grand Security Conference
May 11-12, 2012, Microsoft Turkey Office/Bellevue Residences, Levent-Istanbul
Cost: Free
Join us at this Middle East security conference hosted in Istanbul by ISSA Istanbul Grand Security. For more information about this event: itgsc.issatr.org/. To register: itgsc2012.eventbrite.com.

Fourth Annual Los Angeles Information Security Summit: Protect Your Organization from the Growing Cyber Threat
May 16, 2012, Universal Hilton, Universal City, Los Angeles, California
Cost: $199. Discount to ISSA members: $125.
Never before has it been so important for our community to learn about the dangers of cybercrime and what they need to do to protect their organizations from loss. Not just for the information security professional, the Summit will build on our chapter's tradition of being the only educational forum in Los Angeles specifically designed to encourage participation and interaction among three vital information security constituencies: business leaders, technology professionals, and information systems security leaders. Speakers include Alan Paller, Ira Winkler, Chris Coffey, and Lance Spitzer. For more information: www.issala.org.

Fifth Annual Central Ohio InfoSec Summit
May 17-18, 2012, Hyatt Regency, Downtown Columbus
Cost: $175.
Join information security practitioners and executives from throughout the region as we bring together the leaders in our profession for two days of intense lecture and study across various tracks. You will choose from highly technical, technical, management, and executive-level sessions as we tackle the latest industry trends, issues, and solutions. Attendance at this event will qualify an individual for 14 CPEs. The summit will be held in the same location as last year, the Hyatt Regency, Downtown Columbus. Keynote presentations from nationally renowned speakers include Howard Schmidt, Richard Clarke, Curtis Levinson, Rob Rachwald, and William Hagestad, to name a few. For registration and more details: www.centralohioissa.org/?page_id=936.

North Alabama Chapter Hosts: 4th Annual Cyber Security Summit
June 7, 2012, Von Braun Convention Center, Huntsville, Alabama
The North Alabama chapter of ISSA is pleased to announce the 4th Annual North Alabama Cyber Security Summit, co-presented by Cyber Huntsville. This one-day event attracts 450+ attendees and over 45 exhibitors, providing opportunities for business and intellectual engagement among attendees on topics related to Information Assurance and Cyber Security. For more information and registration: www.cyber-securitysummit.org.

ISSA International Conference
October 25-26, 2012, Disneyland Hotel, Anaheim, CA, USA
New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney's innovative vision, the cybersecurity community will gather at the Magic Kingdom on October 25-26 to look at change as a chance to achieve excellence. Disruptions like big data, cloud computing, massive collaboration, and business transformation make it possible for us to blaze new trails and build effective foundations. We are enabling our work forces to be mobile and productive while protecting sensitive data. We build systems and policies that impede our foes and guard our constituents. This is an exciting time to be in the information security field, and we are all vital in making our businesses faster, better, smarter and, most importantly, safer. Imagine the possibilities.
Special events held in conjunction with the International Conference: Chapter officers plan on arriving in Anaheim early to attend the Chapter Leaders Summit on October 24.* CISO Executive members and guests, please join us for the 4th Quarter CISO Forum on October 27,* immediately following the International Conference. *Open to qualified attendees only. For more information: www.issaconference.org.

Industry Events

SecureWorld Expo
Charlotte, May 2-3, 2012; Philadelphia, May 23-24, 2012
SecureWorld Expo brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security. SecureWorld helps IT professionals earn required CPE training credits. Located in different regions throughout the U.S., SecureWorld is at the convergence of Information Security, Physical Security, GRC, IT Audit, Computer Forensics, Business Continuity, Consumerization, Cloud Security, Privacy, and Security Awareness. ISSA members are offered a $100 discount off the $265 conference pass, which includes access to the Conference Sessions, Conference Breakfast Keynote, Exhibits and Open Sessions with Lunch Keynote, and 12 CPE credits; register online with code ISSNWS12. SecureWorld + Extended Training 2012 includes 4+ hours of intensive training worth 16 CPE credits and full access to the complete SecureWorld conference program. The SecureWorld + pass is only $495 with the special ISSA member discount; register using code ISSNWS12. For conference details and to register, go to www.secureworldexpo.com/.

Infosecurity Montevideo 2012
Thursday, May 3, 2012, Centro de Convenciones y Eventos de la Torre de los Profesionales, Montevideo, Uruguay
Cost: Free
INFOSECURITY 2012, a Week of Security in Montevideo: Cloud and Mobile Security. This event includes senior-level strategies for protecting information, cyberwar for corporations, cloud security (protecting information outside of your organization), privacy (a problem without a solution?), and protecting your executives, or protecting yourself from them? For more information regarding this event, contact the ISSA Uruguay chapter: http://uruguay.issa.org/contacto.

Security Development Conference
May 15-16, 2012, Washington DC, USA
Discount to ISSA members: $200; discount code: ISSA@sdc2012%!29.
The inaugural Microsoft Security Development Conference 2012 will bring together industry professionals to network and learn from security experts about secure development practices. SDC 2012 will include information for leaders in software engineering, process, and business management who are responsible for implementing or accelerating the adoption and effectiveness of secure development practices in their organizations. To register or for more information: www.securitydevelopmentconference.com/main.aspx.

Expanded listings: www.issa.org/News/Events.html

ISSA Membership Application


Return completed form with payment. * Required Entries
* Name
Job Title
* Employer
* Email
Certifications
* Daytime Phone
* Address 1
Address 2
Evening Phone
Fax
* City
* Country
* State/Province
* Zip/Postal Code
* Account Verification: What is the last high school you attended?
Note: In order to obtain personal information and account access over the phone, ISSA Member Services will ask for Account Verification.
Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.

ISSA Privacy Statement:


The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/privacy.htm. To enable us to better serve your needs, please complete the following information:
Your Industry (Select only ONE number from below and enter here) _________ A. Advertising/Marketing J. Engineering/Construction/Architecture S. Manufacturing/Chemical B. Aerospace K. Financial/Banking/Accounting T. Medicine/Healthcare/Pharm. C. Communications L. Government/Military U. Real Estate D. Computer Services M. Hospitality/Entertainment/Travel V. Retail/Wholesale/Distribution E. Security N. Information Technologies W. Transportation/Automobiles F. Consulting O. Insurance X. Energy/Utility/Gas/Electric/Water G. Education P. Internet/ISP/Web Y. Other __________ H. Computer Tech-hard/software Q. Media/Publishing I. Electronics R. Legal Your Primary Job Title (Select only ONE number from below and enter here) _________ 1. Corporate Manager/CIO/CSO/CISO 9. Operations Manager 17. Engineer 2. IS Manager/Director 10. Operations Specialist 18. Auditor 3. Database Manager, DBA 11. LAN/Network Manager 19. President/Owner/Partner 4. Database Specialist, Data Administrator 12. LAN/Network Specialist 21. Financial Manager 5. Application Manager 13. Security Specialist 22. Administrator 6. Applications Specialist 14. Contingency Planner 23. Educator 7. Systems/Tech Support Manager 15. Sales/Marketing Specialist 24. Other______ 8. Systems Programmer/Tech Support 16. Independent Consultant Your Areas of Expertise (Circle all that apply) A. Security Mgmt Practices E. Security Architecture B. Business Continuity/Disaster Recovery F. Applications/Systems Development C Network Security G. Law/Investigations/Ethics D. Access Control Systems/Methods H. Encryption I. Operations Security J. Physical Security K. Telecommunications Security L. Computer Forensics

Membership Fees
*Membership Category _______________________________
(list on reverse)

*Chapter(s) _______________________________________
(Required within 50 miles of local chapter)

ISSA Member Dues (on reverse)


(on reverse)

$ _____________ $ _____________ $ _____________ $ _____________ $ _____________ $ _____________

Chapter Dues x Years of Membership

Additional Chapter Dues Total Membership Due

(if joining multiple chapters - optional)

Donation to ISSA Foundation Total Due

Full payment must accompany this form. Mail check/money order (payable to ISSA) to:

I heard about ISSA from (circle one): Conference Poster ISSA Website Business Reply Card An ISSA Member :_____________________________________ Other ____________________ Would you like to receive free product information and special promotional offers via mail from the industrys leading vendors? n Yes n No

ISSA Headquarters 9220 SW Barbur Blvd #119-333 Portland, OR 97219


Phone +1 (206) 388-4584 Fax +1 (206) 299-3366 www.issa.org Or fax credit card information. Please see other side.

ISSA Code of Ethics

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I have in the past and will in the future:
Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
Promote generally accepted information security current best practices and standards;
Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
Discharge professional responsibilities with diligence and honesty;
Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.


ISSA Membership Categories and Annual Dues

General Membership: $95 plus chapter dues
Professionals who have as their primary responsibility information systems security in the private or public sector, or professionals who supply information systems security consulting services to the private or public sector; or IS auditors, or IS professionals who have as one of their primary responsibilities information systems security in the private or public sector; educators, attorneys and law enforcement officers having a vested interest in information security; or professionals with primary responsibility for marketing or supplying security equipment or products. Multi-year memberships for General Members are as follows (plus chapter dues each year): 2-Year: $185; 3-Year: $270; 5-Year: $435.

Government Organizational: $90 plus chapter dues
This membership offers government agencies the opportunity to purchase membership for an employee. This membership category belongs to the employer and can be transferred as reassignments occur. When an employee is assigned to this membership, he or she has all of the rights and privileges of a General Member.

Student Membership: $30
Student members are full-time students in an accredited institution of higher learning. This membership class carries the same privileges as that of a General Member except that Student Members may not vote on Association matters or hold an office on the ISSA International Board. There is no restriction against students forming a student chapter.

ISSA Foundation: A tax-deductible contribution, as allowed by US tax code, can be made in addition to your ISSA membership payment. For more information on the foundation and its programs, visit www.issaef.org.

CISO Executive Membership: $995
The role of information security executives continues to be defined and redefined as the integration of business and technology evolves. While these new positions gain more authority and responsibility, peers must form a collaborative environment to foster knowledge and influence that will help shape the profession. ISSA recognizes this need and has created the exclusive CISO Executive Membership program to give executives an environment to achieve mutual success. For more information about CISO Executive Membership and required membership criteria, please visit the CISO website: http://ciso.issa.org.

ISSA Chapters & Annual Dues (chapter dues per year, US$)

At-Large 25

Asia Pacific: Chennai 0; Hong Kong 0; Philippines 20; Singapore 10; Sri Lanka 10; Sydney 0; Tokyo 30; Victorian 0

Europe: Brussels European 40; France 00; Germany 30; Irish 155; Italy 65; Netherlands 30; Nordic 0; Poland 0; Romania 0; Spain 60; Switzerland 80; Turkey 30; UK 0

Middle East & Africa: Egypt 0; Israel 0; Saudi Arabia 0

Latin America: Argentina 0; Barbados 25; Brasil 5; Chile 30; Colombia 5; Ecuador 0; Lima, Perú 5; Puerto Rico 35; Uruguay 0

North America: Alamo 20; Alberta 25; Amarillo 25; ArkLaTex 0; Baltimore 20; Baton Rouge 25; Blue Ridge 25; Bluegrass 0; Boise 25; Buffalo Niagara 25; Capitol Of Texas 35; Central Alabama 0; Central Florida 25; Central Indiana 25; Central New York 0; Central Ohio 20; Central Pennsylvania 20; Central Plains 30; Central Virginia 25; Charlotte Metro 30; Chicago 30; Colorado Springs 25; Connecticut 20; Dayton 25; Delaware Valley 20; Denver 25; Des Moines 30; East Tennessee 35; Eastern Idaho 0; Eastern Iowa 0; Fort Worth 20; Grand Rapids 0; Greater Augusta 25; Greater Cincinnati 10; Greater Spokane 20; Hampton Roads 30; Hawaii 20; Inland Empire 20; Kansas City 20; Kentuckiana 35; Lansing 20; Las Vegas 30; Los Angeles 20; Madison 15; Mankato 20; Melbourne, FL 25; Memphis 30; Metro Atlanta 30; Middle Tennessee 35; Milwaukee 30; Minnesota 20; Montana 25; Montgomery 35; Montreal 0; Motor City 25; Mountaineer 25; National Capital 25; New England 20; New Hampshire 20; New Jersey 20; New York Metro 55; North Alabama 15; North Dakota 25; North Oakland 25; North Texas 20; Northeast Florida 30; Northeast Indiana 10; Northeast Ohio 20; Northern New Mexico 20; Northern Virginia 25; Northwest Arkansas 15; Oklahoma 30; Oklahoma City 25; Omaha 0; Orange County 20; Ottawa 10; Palouse Area 30; Phoenix 30; Pittsburgh 30; Portland 30; Puget Sound 20; Quebec City 0; Rainier 20; Raleigh 25; Rochester 15; Sacramento Valley 20; San Diego 30; San Francisco 20; SC Midlands 25; Silicon Valley 30; South Florida 20; South Texas 30; Southeast Arizona 20; Southern Indiana 20; Southern Maine 20; Southern Tier of NY 0; St. Louis 20; Tampa Bay 20; Tech Valley Of New York 35; Texas Gulf Coast 30; Toronto 20; Tri-Cities 20; Triad of NC 25; Tucson, AZ 10; Upstate SC 0; Utah 15; Vancouver 20; Ventura, CA 30; Yorktown 30

Changes/additions: visit our website www.issa.org

Crypto Corner: Lemons or Lemonade?


By Luther Martin ISSA member, Silicon Valley, USA Chapter

ISSA Journal | May 2012

At the 2011 RSA Conference, Peter Gutmann, a researcher in the computer science department of the University of Auckland, gave an interesting talk about the history of X.509-based public-key infrastructure (PKI) that described how a series of mistakes by PKI vendors dramatically limited the use and acceptance of the technology.[1] Understanding past failures can help us avoid making the same mistakes again in the future, so let's take a closer look at one explanation for why PKI failed to deliver all that it first promised.

Some of the problems that PKI experienced can be explained by economist George Akerlof's insight into why some markets fail. Akerlof shared the 2001 Nobel Prize in economics for his analysis of how markets in which the seller has more information than the buyer can collapse.[2] The most famous example of his argument explains why problems can arise in the market for used cars. Suppose that all used cars are worth $10,000 if they are in good repair, but half of them (the "lemons") actually need $2,000 worth of repairs. What happens if buyers can't tell the difference between the good cars and the lemons? In this case, buyers should expect to spend an average of $1,000 (50 percent of $2,000) on repairs for a typical used car. So the imperfect knowledge of the buyers would set the market price of used cars at $9,000, or $10,000 minus the expected additional cost of $1,000.

But at this price, those who have cars that are actually in good repair will not be inclined to sell them. After all, their cars are worth $10,000, but they can only get $9,000 for them. This means that the cars offered for sale at $9,000 will tend to be the lemons. The lower quality of the cars offered for sale will eventually lower buyers' expectations and, with them, the market price for used cars, and this downward spiral in quality and price could even cause the market for used cars to collapse entirely.

Information security is similar to the used car market in some ways. In particular, there is often a considerable difference in knowledge between buyers and sellers, and encryption products may be one of the best examples of where this can happen. Encryption vendors often employ specialists who have an extremely deep understanding of encryption technology. Most users of encryption technology, on the other hand, don't have as good an understanding of it. But their job is typically to use the technology to solve business problems, not to understand the details of exactly how and why it works, so that's what we'd expect to see.

Gutmann explained that in the absence of easy ways to tell high-quality PKI products from low-quality ones, users of PKI developed some quick-and-dirty tests to help them do this, and an important one of these involved checking how well a particular PKI product worked with the certificates created by other vendors' products. But then bugs crept into leading PKI products, bugs that made them create certificates that should have been rejected as invalid. And because the technology was fairly arcane, it was hard for people to tell that the improperly created certificates should have been considered invalid.

How did the other vendors react to this problem? They actually changed their products to let the bad certificates pass their validity checks. If they hadn't done this, they would have been perceived as inferior because they couldn't work well with the buggy certificates. And as the number of bugs in certificate validation increased over time, the result was a downward spiral in quality much like the one that Akerlof described.

The net result of this was that many of the advanced features of digital certificates turned out to be too unreliable to use. A digital certificate still cryptographically bound an identity to a particular public key, but the additional policy information that a certificate could carry in its extensions ended up not being very useful because of the unpredictable way that applications would handle it. This meant that PKI technology couldn't deliver its promise of a security infrastructure that could be used to support the implementation of online business processes. And it may have happened because it was hard for people to tell whether they had lemons or lemonade.
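Akerlof's downward spiral described above, carried through as an added example (this is not code from the column or from Akerlof's paper). It assumes what the column's sketch assumes: each seller knows what his own car is worth and will not sell below that, while buyers, unable to tell quality apart, offer the average worth of whatever is still on the market. The function names and the two sample markets are constructed here; the fifty-fifty market reproduces the column's $9,000 figure and then shrinks to lemons only, and a market with a spread of qualities shrinks round by round until only the worst car trades.

```python
"""Akerlof 'lemons' market: a round-by-round adverse-selection simulation.

Added illustration, not from the ISSA Journal column or from Akerlof's paper.
Assumptions (mine, following the column's sketch of the model):
  * every seller knows the true worth of his own car and keeps it rather
    than sell below that worth;
  * buyers cannot tell good cars from lemons, so each round they offer the
    average worth of the cars still on the market.
"""
from statistics import mean


def two_type_price(good_value, repair_cost, lemon_fraction):
    """The column's arithmetic: what buyers will pay when a known fraction of
    cars are lemons needing `repair_cost` of work, but no car is identifiable."""
    return good_value - lemon_fraction * repair_cost


def market_rounds(values):
    """Iterate the market to a fixed point.

    `values` are the true worths of the cars initially offered.  Each round
    the price is the mean worth of the cars still on offer; owners whose car
    is worth more than that price withdraw.  Returns a list of
    (price, cars_on_market) per round, ending when nobody else withdraws.
    Because the best cars always leave first, the pool only ever shrinks;
    with a spread of qualities it converges to the worst car alone.
    """
    on_market = sorted(values)
    history = []
    while on_market:
        price = mean(on_market)
        history.append((price, len(on_market)))
        remaining = [v for v in on_market if v <= price]
        if len(remaining) == len(on_market):
            break  # fixed point: everyone still offering is willing to sell
        on_market = remaining
    return history


if __name__ == "__main__":
    # Constructed sample: the column's fifty-fifty market. A lemon is worth
    # $10,000 - $2,000 = $8,000 to an owner who knows it needs repairs.
    print(two_type_price(10_000, 2_000, 0.5))
    for price, n in market_rounds([10_000] * 5 + [8_000] * 5):
        print(f"price {price:>8.0f}  cars on offer {n}")
    # Constructed sample: worths spread evenly from $1,000 to $10,000.
    for price, n in market_rounds(range(1_000, 10_001, 100)):
        print(f"price {price:>8.0f}  cars on offer {n}")
```

The withdrawal rule is the whole mechanism: in every round the cars that leave are exactly the ones worth more than the average, so the average of what remains can only fall, which is the spiral the column describes. Swapping "cars" for "PKI products" and "worth" for "correctness of certificate handling" gives the vendor race to the bottom in the same shape.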

About the Author


Luther Martin is the Chief Security Architect for Voltage Security. You can find his daily thoughts on information security at http://superconductor.voltage.com and can reach him at martin@voltage.com.

[1] Session STAR-304, "PKI Markets: Lemons and Lemonade," based on his previous article, P. Gutmann, "PKI: It's Not Dead, Just Resting," Computer, Vol. 35, No. 8, pp. 41-49, 2002.
[2] G. Akerlof, "The Market for 'Lemons': Quality Uncertainty and the Market Mechanism," Quarterly Journal of Economics, Vol. 84, No. 3, pp. 488-500, 1970.

