From the AEGIS e-Journal, Volume 6 Number 9, September 2003
Beyond Fear
Bruce Schneier
Copernicus Books
ISBN: 0-387-02620-7
295 pages
$25.00
http://www.copernicusbooks.com/
1-212-228-0175

The big frustration for security professionals when dealing with security issues is that most people – including those making security decisions at all levels of our society, starting with the President of the United States and working down – simply don’t get it. What they mostly don’t get is that all security policies and all security decisions involve tradeoffs, that all security policies and all security decisions address agendas not problems, and that many security policies and measures are made for others by people whose agendas may differ radically from the agendas of the people on whose behalf they are making the decisions.

Bruce Schneier gets it, and this shows clearly in his new book. If you could only read one book about security, the book you should read is Beyond Fear.

On a pragmatic level, Beyond Fear gives you a set of tools to evaluate any given security policy or measure (actually, these can be used to judge any social policy or measure):

1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security solution mitigate these risks?
4. What other risks does the security solution cause?
5. What tradeoffs does the security solution require?

As all of us have seen in the last few years, security decisions are rarely straightforward. As an example, many spend a good deal of time criticizing airport security measures, few of which address airport security issues. However, if you realize that the purpose – the agenda – was not to increase airport security, but to make you feel comfortable about flying so that the airline infrastructure didn’t collapse, it all makes sense. It is security as theater, not security as protection. Is it worth it? That depends on your agenda, and Schneier deals with this issue.
The author emphasizes the importance of agendas and tradeoffs. For example, which is better – and for whom?

a. To spend $60 billion making us feel better about flying, the inconvenience of which will cause a large number of people to drive rather than fly, which in turn will mean that the actual number of travel deaths will go up because of the security measures.
b. To spend $60 billion on intelligence gathering to have information that might allow us to prevent terrorist attacks.
c. To spend $60 billion on finding a cure for cancer or malaria or some other disease.

The “better” decision depends very much on who you are.

Beyond Fear also considers the philosophical nuts and bolts of security. How do systems interact and fail? Are you better off having multiple levels of systems? Should you protect against things that don’t matter? How do detection, protection, and response all work together to increase security? What are the differences among the three distinct concepts (which seem to puzzle so many) of identification, authentication, and authorization?

If you are involved in making decisions about security policy (something which is rarely entrusted to security people), this book will help put you in a position to understand what is actually involved, and to make sure your decisions are designed to meet some determined need – hopefully actually addressing some risk in a reasonable manner – rather than throwing money blindly, with the feeling that security is a needless cost which adds nothing to the bottom line.

Benign
Firetrust
$34.95
http://www.firetrust.com/products/benign/

When we get e-mail we face a number of problems. One, of course, is spam, which we deal with using MailWasher from Firetrust. The other is people putting bad things into their e-mail messages, like viruses and worms, which we deal with by using anti-virus software, which we update regularly.
There is, however, a whole set of other objects, some dangerous and some not, that come wafting their way to us via e-mail, and of which many are unaware. These include web bugs, malicious HTML, scripts, and in some cases as-yet unknown viruses and worms. We deal with these threats and potential problems by using Benign, also from Firetrust, the MailWasher people.

Benign stands between your ISP’s POP3 server and your e-mail client. More technically, according to the good folks at Firetrust, if Benign is the only incoming mail scanner then Benign will come first, then your e-mail client, and then your anti-virus program. If Benign is not the only incoming mail scanner (i.e., your anti-virus software scans incoming e-mail) then normally the anti-virus mail scanner will come first, then Benign, then a second scan by the anti-virus mail scanner (if the mail client is connecting to Benign using the default port 110), then the e-mail will arrive at the e-mail client.

Benign looks at the incoming e-mail and recognizes odd or undesirable HTML code and strips it out. It takes out 1×1 images, which are often web bugs that send back a message saying you are a valid e-mail address. It renames or blocks scripts and executable code. What you are left with is your e-mail, stripped of dangerous attachments and potential problems.

How many potentially bad things are you likely to have? Today we had 38 e-mails come to our machine, of which 22 were filtered. This filtering included renaming 14 attachments, removing 194 non-standard HTML tags, removing 102 scripting tags and attributes, and blocking 2 web bugs. Were all of these serious threats? No. Is there any reason for us to have received them? No.

Once installed, the operation of Benign is transparent to the user. Installation is trivial, and, if you are lucky, will be automatic.
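To make the HTML half of that filtering concrete, here is a small Python filter, added to this review and not Firetrust’s code, that does in miniature what the description above says Benign does to a message body: it drops scripting tags and attributes, removes 1×1 images, and counts what it removed in the way Benign’s report does. The message body it runs on is constructed for the example; attachment renaming is not covered.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}  # tag and contents are dropped

class MailSanitizer(HTMLParser):
    """Re-emit an HTML mail body without scripting or 1x1 tracking images."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. escaped in the output
        self.out, self.skip = [], 0
        self.stats = {"scripting": 0, "webbugs": 0}  # the kind of counts Benign reports
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.stats["scripting"] += 1
            self.skip += 1
        elif self.skip:
            pass  # inside content that is being dropped
        elif tag == "img" and ("width", "1") in attrs and ("height", "1") in attrs:
            self.stats["webbugs"] += 1  # a 1x1 image exists only to report that the mail was opened
        else:
            kept = []
            for k, v in attrs:  # the parser lower-cases names and unquotes values
                if k.startswith("on") or (v or "").strip().lower().startswith("javascript:"):
                    self.stats["scripting"] += 1  # onload=, onclick=, href="javascript:..."
                else:
                    kept.append(f' {k}="{v}"' if v is not None else f" {k}")
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):  # <img ... /> is handled like <img ...>
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")
    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")

def sanitize_html(html):
    """Return (cleaned_html, stats) for one HTML mail body."""
    p = MailSanitizer()
    p.feed(html); p.close()
    return "".join(p.out), p.stats

# Constructed body: an event handler, a script, a web bug, a javascript: link and a real image.
SAMPLE = ('<p onmouseover="x()">Hi &amp; bye</p><script>track()</script>'
          '<img src="http://t.example/b.gif" width="1" height="1">'
          '<a href="javascript:alert(1)">x</a><img src="logo.png" width="100" height="40">')
```

Running sanitize_html(SAMPLE) keeps the paragraph, the link text and the 100×40 logo, and reports three scripting removals and one web bug.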
If you are less lucky, you will have to manually configure your e-mail client according to the simple instructions given for the listing of e-mail clients. For other issues, there is a Firetrust user group at http://www.computercops.biz/forums.html.

We had two other minor problems. The first is that the installation program writes to the Windows hosts file, which on our machine was marked read only by Spybot (discussed in the July 2003 e-Journal) to protect it from hijackers. To deal with this, you can temporarily unselect this option in Spybot, or you can find the hosts file (on our machine it is in C:\WINNT\system32\drivers\etc), click on the file with the right (as opposed to left) mouse button, and un-check the read only box. Reset it after the installation. Problem solved!

The other problem was that the installation made port 110 visible to the outside world (you can test this by running a port scan using Steve Gibson’s Shields Up! program at https://grc.com/). In theory this is not a big deal, as the port will reject any attempts to use it, but we personally feel more comfortable with the port simply being invisible, and thus not tempting hackers. Fortunately, this is just a matter of tweaking your firewall. (We say this very casually, but, entre nous, it took the helpful ZoneAlarm experts at their technical forum at http://forums.zonelabs.com/zonelabs to figure out how to do this.) In the case of ZoneAlarm Pro 4, the firewall we use, it appears that all you do is put in an expert rule for Benign by opening ZAP4, selecting Program Control, clicking on Firetrust Benign, selecting Options/Expert Rules, clicking on Add, then filling in the boxes with:

Name: POP3 server
Rank: 1
Action: Allow
Source: My Computer
Destination: The IP address of your POP3 server from your ISP
Protocol: POP3

Figuring out the mechanics of entering a program expert rule in ZoneAlarm – and entering it – takes about five minutes.
This small effort makes everything work, and, milagro!, port 110 is hidden! We are given to understand that the process is similarly trivial with other firewalls. We strongly recommend Benign for your consideration.

7. Free-Subscription/Unsubscription/Copyright Information

ÆGIS e-journal is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2003 by The LUBRINCO Group Ltd, Inc. and Financial Examinations and Evaluations, Inc. It is edited jointly by Richard Isaacs (RBIsaacs@lubrinco.com) and L. Burke Files (LBFiles@lubrinco.com).

The LUBRINCO Group provides services in three high-threat areas, too specialized to be dealt with in-house, that can adversely affect domestic and international bottom lines.

• Protection of trade secrets and intellectual assets.
  o Anti-economic espionage.
  o OPSEC: The identification and protection of information that would give your competitors and adversaries an advantage.
• International financial investigations and due diligence consulting.
  o Location and recovery of missing and hidden assets.
  o Establishing business relationships and strategic partnerships in Central and Eastern Europe, the offshore financial centers, Beijing and Shanghai, Central Asia, and Latin America and the Caribbean.
  o Anti-money laundering and financial fraud requirements under the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2003 and the EU Revised Money Laundering Directive of 2003.
• Protection of management, staff, and families.
  o In the high-threat environments of Latin America, Africa, the Mid-East, and Southeast Asia.
  o When traveling and living overseas.
  o When transporting items of substantial value.

LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk.
We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff.

For information on The LUBRINCO Group and its services, or for the archive of all past issues of ÆGIS e-journal in PDF format, please go to http://www.lubrinco.com/.

To sign up for a complimentary subscription to ÆGIS e-journal or the ÆGIS e-journal PDF notification list, go to http://lb.bcentral.com/ex/manage/subscriberprefs?customerid=7768 or send an email to ejournal@lubrinco.com.

To subscribe to our AvantGo channel, go to http://avantgo.com/channels/_add_channel.pl?cha_id=1773

To be removed from the subscription list, follow the instructions on the mailing you received, or send an e-mail to ejournal@lubrinco.com.

If you know of anyone else who should be receiving ÆGIS e-journal, please send their e-mail address to ejournal@lubrinco.com.

If there is a topic that you would like to know more about, send it to ejournal@lubrinco.com and the editors will consider it as the topic for an article in an upcoming issue.

If you would like to submit an article for publication in ÆGIS e-journal, send it as an attachment to an e-mail to ejournal@lubrinco.com. Submission of an article certifies that (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS e-journal constitutes a license to The LUBRINCO Group Ltd, Inc., and/or Financial Examinations and Evaluations, Inc, their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose.
If you would like to go beyond normal fair use in reproducing articles from this issue of ÆGIS e-journal, you may do so freely as long as the appropriate source, copyright, accreditation, and link to the LUBRINCO website are included. This should be in the form:

Article Title, from the September 2003 ÆGIS e-journal (© 2003 LUBRINCO & FEE), to be found at http://www.lubrinco.com/.

ÆGIS e-journal is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in-house, yet which have the potential to affect their company’s domestic and international bottom lines.

Nothing appearing in ÆGIS e-journal should be construed as legal advice. The information provided is “general information,” not “specific advice.” The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher and any re-publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS e-journal.

Please be safe, and be smart.