
Archive for April, 2007

Introduction to Identity Management - Part II

By David Stern

Before we delve any deeper into IDM, we should take a moment to acknowledge three “interim solutions” to the IDM problem that have supported IT for many years. Each of these solutions was designed to support centralized credentials for a specific class of system.

NIS – Network Information Service, originally “Yellow Pages,” was developed by Sun in the mid-1980s to let UNIX systems share a common password store. NIS solved many password management problems, but it was plagued by inherent security issues: the protocol has no authentication or encryption, so any host that can guess the NIS domain name can pull the maps, password hashes included.

TACACS – TACACS was developed as a central authentication method aimed at network devices; what is deployed today is almost always Cisco’s TACACS+, which also handles per-command authorization and accounting. In an organization with hundreds of switches and routers, local account management that meets security standards becomes impossible. TACACS+ solves this problem nicely.

Active Directory – AD evolved out of the primordial soup that was the Microsoft Domain model for NT. Every Microsoft desktop and server operating system, as well as server and desktop applications, can use AD for centralized authentication. Microsoft’s industry dominance means that almost every organization (large and small) runs AD. In the past few years, Microsoft has opened AD to many other systems, allowing organizations to leverage their AD credentials elsewhere. A good example is a TACACS+ server that validates network device logins against AD.

Each of these solutions provides sufficient coverage for one enterprise technology silo. But there are still applications and systems that either do not or cannot use one of these technologies. These solutions also do not include the workflow processes involved in assigning roles, provisioning/de-provisioning accounts, auditing, and approving changes. IDM solutions provide this centralized management layer. The IDM world looked to an open standard known as LDAP to get closer to full interoperability.

IDM and a Reality Check

Lightweight Directory Access Protocol, or LDAP, is an open standard that lets applications query directories in a common way. An LDAP directory exposes a known hierarchy (a tree of distinguished names built from standard object classes and attributes), which gives an application or system its best chance of knowing where a given piece of data lives. LDAP is so widely accepted that most operating systems and programming languages have built-in support for it. Microsoft Active Directory is itself an LDAP directory, if an idiosyncratic one, and most flavors of UNIX and Linux support LDAP directly.

The same mixed environment that relies on directory silos for each class of operating system looks much different when LDAP is introduced:

  • Active Directory (AD) ties together Windows servers, desktops and email. Most of the leading LDAP directory products, such as Sun ONE and Novell eDirectory, can synchronize with AD.
  • TACACS+ can use AD as its authentication source, creating a common login for Windows and network elements.
  • UNIX/Linux systems tie into the LDAP infrastructure. Since the LDAP directory is synchronized with AD, UNIX/Linux logins are shared with Windows and network elements.
  • The popular .NET application platform makes integration with AD simple. Applications that take advantage of this integration can also share a common login.

This interoperable LDAP architecture looks great. It clearly shows that most technologies found in the enterprise can share a common source for credentials. In reality, a combination of politics, lack of technical vision, and many other common obstacles stifle this potential. Enterprises are still left with plenty of critical legacy systems that are marooned on their own separate islands.

The three most common types of systems that do not utilize common directories are custom applications, web based applications, and infrastructure such as operations systems or database systems. For each of these, the IDM community has attempted to devise solutions.

Custom Applications: Almost every industry has unique computing needs that the mainstays of IT (IBM, Microsoft, Cisco, Oracle, Red Hat) cannot address with their mainstream offerings. This leads organizations to create their own applications that rely on custom databases and schemas for authentication and authorization. The most common solution for a single identity comes from the Single Sign On (SSO) community. The usual solution involves installing an agent on each workstation that captures login credentials from a known centralized directory such as LDAP or Active Directory. When the custom application is invoked, the agent detects its login prompt and automatically fills in the credentials. While this methodology does not address back-end integration, it does allow for a common login for day-to-day activities. The trade-off is that the agent must hold each application password in a form it can type back, so the agent’s credential store becomes a target in its own right. A more expensive and complicated solution is to write custom database connectors that allow an IDM solution to tie into the application’s proprietary database. While this approach covers more of the problem, the cost will usually make it undesirable.

Web Based Applications: The web has become the premier application delivery platform for its common interface and ease of development. Most custom web based applications share the same design deficiencies as their client-server brethren in terms of proprietary credential stores. From an IDM perspective, web based applications are much friendlier since they are designed with common security mechanisms such as session cookies.

A whole class of solutions known as WebSSO has evolved to address this challenge. A WebSSO architecture fronts one or many web applications and accepts identity assertions. The WebSSO module hooks into a common directory, authenticates the user, and then passes that identity on to the web application. The application must be reachable only through the WebSSO layer: if a client can reach it directly, the identity the front end normally supplies can be forged. The solution is not cheap, but it allows an organization to tie dozens of disparate web applications together with a single identity.
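The search-then-bind exchange that a UNIX login (through pam_ldap) or a WebSSO front end performs against the LDAP directory described above, written out as an added example that is not part of the original article. It runs against a small in-memory directory built from constructed LDIF (the example.com DNs, users and passwords are hypothetical), stores passwords in the {SSHA} form OpenLDAP, Sun ONE and eDirectory all accept, and shows two things the prose only implies: the base DN decides which identities are even visible to a login, and a filter built from unescaped user input is an injection point.

```python
# Added example: search-then-bind against an LDAP-style directory, offline.
#   1. SEARCH under a base DN for the entry whose uid matches the login name.
#   2. BIND as that entry's DN with the user's password.
# DNs, users and passwords below are constructed for the example.
import base64
import hashlib
import re


def make_ssha(password: str, salt: bytes) -> str:
    """Encode a password as {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    """Verify against an {SSHA} value; the SHA-1 digest is 20 bytes, the rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed directory. uid=jdoe exists twice on purpose: the live account
# under ou=people and a de-provisioned copy parked under ou=disabled.
LDIF = f"""\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
userPassword: {make_ssha('correct horse', b'salt0001')}

dn: uid=bsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bsmith
cn: Bob Smith
userPassword: {make_ssha('hunter2', b'salt0002')}

dn: uid=jdoe,ou=disabled,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe (left 2006)
userPassword: {make_ssha('old password', b'salt0003')}
"""


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators (a real server matches per attribute)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> dict:
    """Return {normalized DN: {attribute: [values]}} from blank-line-separated LDIF records."""
    directory = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        directory[normalize_dn(attrs["dn"][0])] = attrs
    return directory


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input may only ever be a value, never filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


_EQUALITY_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def search(directory: dict, base_dn: str, ldap_filter: str) -> list:
    """Subtree search: DNs at or below base_dn whose attribute matches an equality filter.
    A bare '*' in the filter is a wildcard; an escaped one (\\2a) is a literal asterisk."""
    match = _EQUALITY_FILTER.match(ldap_filter)
    if not match:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, raw = match.group(1).lower(), match.group(2)
    # Split on unescaped wildcards first, then decode escapes inside each literal piece.
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda e: chr(int(e.group(1), 16)), p)
              for p in raw.split("*")]
    value_re = re.compile("^" + ".*".join(re.escape(p) for p in pieces) + "$", re.IGNORECASE)
    base = normalize_dn(base_dn)
    return [dn for dn, attrs in directory.items()
            if (dn == base or dn.endswith("," + base))
            and any(value_re.match(v) for v in attrs.get(attr, []))]


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simple bind. An empty password is an anonymous bind in LDAP, so it never counts as a login."""
    entry = directory.get(normalize_dn(dn))
    if entry is None or not password:
        return False
    return any(check_ssha(stored, password) for stored in entry.get("userpassword", []))


def authenticate(directory: dict, base_dn: str, uid: str, password: str):
    """Search-then-bind as pam_ldap or a WebSSO agent does. Returns the bound DN or None.
    Exactly one entry must match; an ambiguous uid is refused, not guessed."""
    matches = search(directory, base_dn, "(uid=%s)" % escape_filter_value(uid))
    if len(matches) != 1:
        return None
    return matches[0] if bind(directory, matches[0], password) else None
```

With `ou=people,dc=example,dc=com` as the base, `authenticate(..., "jdoe", "correct horse")` returns the live DN while the stale password of the entry under `ou=disabled` fails, because that subtree is never searched; widen the base to `dc=example,dc=com` and the same login is refused as ambiguous. `search(d, base, "(uid=*)")` lists every account under the base, which is exactly what a login form that concatenates the user name into the filter hands an attacker who types `*`; routing the name through `escape_filter_value` turns it into a literal that matches nothing.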

Infrastructure: In many organizations, the political divides run so deep that IT groups will never agree to share a common directory. The IDM community takes a brute force approach to this problem. IDM solutions such as CA eTrust Admin use agents that deploy and manage identities on each system, and create ODBC connections to remote proprietary databases. These mechanisms keep identities synchronized by detecting and propagating changes across every diverse infrastructure element. The approach is fraught with obstacles, but with time, money, and a mandate, it eventually corrals operating systems, applications, and infrastructure, forcing a centralized identity upon them.

Posted in Information Protection | Comments (1)

Security Catalyst Community Update and Hot Topics

You may have noticed that we have started to make some changes. Based on some feedback, we have consolidated a few forums to make it easier to navigate and update.

We have also added in a forum specifically to address the unique issues of dealing with the protection of information in academic environments. We believe that by blending this focus into the overall forums, we should be able to bridge any gaps and unite professionals together to make a difference.

I continue to be amazed by the amount of information and true mind-share in the forums. This is only the beginning, and I am excited to see what we can work together to build.

As I have shared before, I am working to determine how to incorporate an authenticated jabber chat, wiki and other elements that will make it easier for each of us to do our jobs. In the end, the goals of this community remain:
-    build a supportive environment to ask for help
-    create a culture where we are all able to share what we know to help each other, regardless of years of experience
-    find a way to share and blend our passions – which I firmly believe leads to exciting advancements in how we practice security. Of course, this is also how each of us grows as a professional.

We have incorporated RSS into the forum – so you will be able to subscribe to the forums of interest to you. Of course, you’ll still need to log in to share your ideas and comment as appropriate – but we’ve worked to make it easy to keep you informed.

I also wanted to point out that you also have the ability to “subscribe to changes by email.” This is the way that I keep tabs on the forums. To set this up, when you click on a forum, there is a tab on the right side named ‘notify’ – click on that and you can set the details to keep tabs.

You may find that this makes it easier for you to keep abreast of updates, changes and topics. Spending only a few minutes a day makes a huge impact – and the time you spend helping others will come back to benefit you and save you time at your job as you continue.

In the end, I firmly believe that we are working together to build a resource that will save us all time while improving the quality of our work. Thanks for being part of this journey and making a difference in the world of information security!

As always – let me know how I can make your job easier by sending me an email at securitycatalyst@gmail.com.

Here are some exciting topics for you to get engaged on. You are always welcome to start your own, too! Please remember that our naming standard is to use your full name (firstname.lastname) separated by a period. That helps us keep the discussions professional - we all look forward to your ideas and insights.

Network Security and Students

Home Network: What do you use as a Firewall / Gateway?

“Windows Forensic Analysis” Sample Chapter available

The ABSOLUTE First Step

128 Bit RC4 with SHA MAC TLSV1 Tunnel

Remote off site backup software/services

Blocking Malicious sites - Wondering how you approach the problem

Preparing for Incident Response (Be Prepared)

dns rpc vulnerability zero day mitigation

Has anyone used (or seen) the UNH Cyberthreat Calculator?

Corporate Policy on Blogging

Jikto - ethical? security? tool?

Opinions and feedback about “Voltage SecureMail”?

Financial Industry Regs — Cross Reference Available?

Posted in Information Protection | Comments

Be Prepared

You should be familiar with the phrase, “Be Prepared.”  It’s been used by millions of Boy & Girl Scouts around the world since 1907 [1].  Scouts are trained to be in a state of readiness in mind and body, so that they know the right thing to do at the right moment and are willing and able to do it.

As security professionals, shouldn’t we also “Be Prepared?”  We need to have a “tool bag of knowledge” that we can open whenever an event occurs.  This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.

One of the “security triangles” is protection, detection, & reaction.  Our response to an incident is just as important as how we protect key assets and detect anomalies.  An incident doesn’t have to be related to computers; it can be almost any unexpected event.  Also, your response should be a process that uses available tools, techniques, and technologies to address the most common risks.

The following are basic, high-level steps that prepare you for incident response:

 1. Risk Identification.  No one person or organization can prepare for everything that may possibly happen.  It just doesn’t make sense.  We in the Midwest are not prepared for a tsunami, nor should we be.  But we are ready for tornados, especially this time of year.  You need to take the same approach in preparing your incident response.  Ask yourself, “What’s the worst that can happen?”  What threats are most likely to occur and have the greatest impact?  Identifying the greatest risks will help you prepare an incident response plan that covers the most likely events.

 2. Get support.  You cannot possibly know nor do everything.  You need to have a support group ready to help when the time comes.  The group you will need depends on the threats and the incidents identified in step 1. 

 3. Practice. The only way to get good at something is to just do it.  Realistically, this isn’t always possible when responding to an incident.  At the very least, you should conduct a paper exercise where you and your support team discuss the incident and your response. As you practice, document what you do, what works and what doesn’t work. 

Note: these steps are not computer specific.  They will work for any type of incident: technical or not; business or personal.   In researching this topic, I searched on “incident response steps.” It’s interesting that the top results all have to do with Computer Security.  Incident response is not and should not be unique to computers.  The basic, high-level preparation steps are the same, whether you’re responding to a shooting or a computer intruder.

Louis Pasteur said, “Chance favors a prepared mind.”  Improve your chances of success by being prepared.  You can join a discussion of Incident Response on the Security Catalyst forums: http://community.securitycatalyst.com/forums/index.php/topic,366.0.html.  Let us know how you prepare.

By helping each other, we all become stronger.

Posted in Information Protection | Comments (1)

Blogrolling: The Security Catalyst Community Continues to grow

Here is the latest list of security bloggers and podcasters that have come together in the Security Catalyst Community in an effort to create a positive and supportive environment in which to improve how we think about and practice security.

We’re in the process of making some improvements to the structure of the forums and are getting closer on rolling out the jabber and wiki features. In the meantime, the conversations have been excellent - and we look forward to learning from you.

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Security Views | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
Aditya Kuppa | http://rumblingsofaconfusedmind.blogspot.com
Sam Masiello | http://www.mxlogic.com/threat_center
Still Secure After All These Years (Alan Shimel) | http://www.stillsecureafteralltheseyears.com
John Biasi | http://www.john-biasi.com
Security Incite (Mike Rothman) | http://securityincite.com/blog/mike-rothman
Eric McMillen | http://www.mcmillengroup.com/blog/
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
SecThis.com Security Podcast (Gene Naftulyev, CISSP) | www.secthis.com
Jon Robinson | www.jonsnetwork.com
The IT Security Guy (Joel Dubin) | http://www.thesecurityguy.com
Augusto Paes de Barros, CISSP | http://www.paesdebarros.com.br/english & http://www.paesdebarros.com.br/indexpb.html
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Steve Mullen | http://skmullen.wordpress.com
Rory McCune | http://www.mccune.org.uk/
Nick Owen | http://www.wikidsystems.com/WiKIDBlog
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Gary Hinson | http://www.NoticeBored.com
Daniel Miessler | http://dmiessler.com/ | http://dmiessler.com/study/
Didier Stevens, CISSP | https://DidierStevens.com
Lester Nichols, MCP | http://virtualmindshare.blogspot.com/
Amrit Williams | http://techbuddha.wordpress.com
Ken Camp | http://www.ipadventures.com/
Liudvikas Bukys | http://L.Bukys.org
David D Bergert, CISSP, CISA | http://www.infosecblurb.com
Justin Clarke | http://www.justinclarke.com
Garrett Gee | http://ggee.org
Paul Barrett | http://blog.passfaces.com
Andrew Storms | http://blog.ncircle.com/blogs/sync
Lori MacVittie | http://devcentral.f5.com/weblogs/macvittie/
Rob Newby | http://robnewby.blogspot.com

If you are a member of the security catalyst community and have a blog or podcast that you would like to have listed here, please send a message to securitycatalyst@gmail.com. I’ll also change your status to security blogger/podcaster.

Posted in Information Protection | Comments

Dear Mr. Blizzard,

Wow! You did an awesome job with Warcraft III.  Your company, Blizzard Entertainment, puts out fun games.  My kids love it except for one not so small problem: THEY CAN’T SAVE THEIR GAMES!

Here’s the problem: Warcraft III requires that the user be logged in as Administrator in order to play and save your progress.  Not only do you need to be Administrator to load the da*& thing, but you need it to save.  You can play, as long as you don’t mind starting over each time you play.

I don’t like that.  We don’t log in as administrator on our Windows XP PCs.  Everyone in my house (and at my work for that matter) has their own non-administrator account.  We only use administrator accounts to install programs, when necessary.  It’s amazing how this simple step reduces problems with viruses, spyware and other malicious programs. 

It’s not that I don’t trust my wife and kids, it’s that I don’t trust the Internet.  99% of the stuff my family needs to do doesn’t need admin privileges. WHY DOES WARCRAFT III?

I’ve tried everything I know to get the game to play on a non-administrator account.  I’ve shared its “Save” folder to allow everyone full access.  I’ve contacted their tech support.  Their response: “Duh Uhhhh, you need administrator to run… What’s the problem?” In other words, no help & no support.

I think you see the problem.  My kids are dying to play the game and be able to save their progress, but they can’t.  The only way we make it work is for me to log in to the Administrator account.  This allows them to save their game, but I need to be around for them to do it.  It’s sad that they can’t play a cool game like Warcraft III and save their progress without their old man around.

So, Mr. Blizzard, we’re frustrated that your programmers were so short-sighted in developing this game that they couldn’t design it without administrator privileges.  I only ask that you don’t repeat this mistake with Warcraft IV or any other game you create in the future.

P.S.  If anyone has any idea of how we can run Warcraft III without admin privileges, please let me know. You can also discuss it in the Security Catalyst forums (http://community.securitycatalyst.com/forums/index.php/topic,106.0.html).

Posted in Information Protection | Comments (2)

Introduction to Identity Management - Part I

David Stern, CISSP

Introduction

Depending on where you sit, Identity Management (IDM) is irrelevant, a holy grail, or a complete boondoggle. Having experienced all three situations at one time or another, and more recently seeing it actually work, it’s time to demystify the subject matter. In this article, we will cover the conceptual framework of Identity Management, and touch on some of the more important terms and methodologies.

Let us start out by defining an Identity. Your average enterprise uses a mix of Windows, UNIX, Mainframe, databases, applications, and networking elements. Each of these requires user interaction, which starts with a login and a password. These credentials authenticate you to the system and then determine what you are authorized to do. Your digital identity must encompass authentication and authorization information, as well as “white pages” type of information (phone number, address, title) that tie it back to the physical world. When a user presents his credentials to a system by logging in, it is known as “asserting credentials.” In the perfect IDM world, all of this information is stored in a single, universally accessible directory, sometimes known as a Meta Directory.

Single Sign On (SSO) is IDM’s close cousin. In an SSO environment, a user only needs to assert his login credentials once. After that, every system and application would automatically allow him access based on his one time identity assertion. Obviously, to make this work, every system in scope needs to share the same credential store, making IDM a virtual requirement.

The business drivers for Identity Management are quite compelling. Identity Management at its highest level is a conceptual framework from which an individual’s login credentials or identity is centrally managed. Outside of this framework I would need separate credentials for every server, PC, network device, web page and application that I use on a daily basis. That could amount to dozens of accounts that need to be managed individually. Inside of an Identity Management framework, my identity is created and access rights are established in one stroke. The same thing happens when my identity or rights need to be removed.

For the sake of IT newcomers, I will state that this works nicely on paper, but in reality has hurdles as high as K2. Until recently, systems have been written with no thought of commonality. Going back and rewriting or re-architecting enterprise systems can be compared to trying to change the tires on an Indy car flying down the straight away. However, the pain of distributed management was significant enough to push the industry to address the problem. Identity Management was born from this pain.

In the next part, we will look at interim solutions to the IDM challenge.

Posted in Information Protection | Comments (1)

“Pre” Security Revival Tour Warm-Up

Greetings from Ocean City, MD! We came down here this weekend to spend our Easter Weekend with some friends. Having an RV allows us the ability to travel as a family for work and for pleasure. Now that we’re back on the road, I remember why I love these trips so much (even when I am working): I welcome the opportunity to stop the world for a bit, get outside, relax and unwind with my family.

As I look back on the last few months, I am excited about the ground we have covered and the opportunities that come before us. Thank you for your continued support. As we prepare to take some next steps as a group, I wanted to share with you some plans – both to get your feedback and to ask for your help.

April is proving to be an interesting month: several of the efforts I (and some colleagues) have been working on for the last year are “ready.” In addition to launching some new offerings and solutions, we’re taking the family on an RV adventure in April/May and gearing up for a “Security Revival Tour” in 2007, followed by a “Campaign Across America to Protect Information” for 2008.

I’ll share more details about the tour(s) and such in the coming weeks. I could use your help in selecting cities, helping to spread the word and maybe even guiding some logistics. In return, those that help will receive discounted or free training, coaching and the opportunity to spend some time together.

I need some help - Short Term
In two weeks, we are leaving Albany, NY and heading to: Nashville, Atlanta, Key West and Baltimore. We are currently planning the following schedule:

•    Nashville (arrive Monday, April 23, leave Wednesday April 25 or Thursday April 26)
•    Atlanta (arrive Thursday April 26, Talladega April 27 – 29, back to ATL 4/30 – 5/2)
•    Key West (5/3 or maybe 5/4 to 5/8 or maybe 5/9)
•    Baltimore (5/10 – 5/18)

Atlanta is hopefully going to see the launch of the SEN/Salon and some evening gatherings. I have a long stretch in Baltimore and could really use some help connecting and reconnecting with the various groups I have worked with there.

In each city, we’d like to offer the following programs:
1.    Are you Making a Living, or a Life? (morning) combined with Career Compass Coaching (afternoon)
2.    Speaking About Security (public, private or semi-private)

Where feasible, I’m happy to offer some professional keynotes to the organizations that are in a position to support my efforts (or otherwise are good groups and would help you or make a difference).

SCC members can take 10% off or select a BONUS coaching session. In addition, registered participants in each location are eligible to win:
-    coaching session (value: $250)
-    presentation makeover (value: $500)

If you can help, please drop me a note and I’ll send you more information on the different programs, etc. We are working to finalize our marketing plan this week, and then spending Q2 working to get all of our marketing and branding in place. We’re all close!!

Thank you for your help and continued support.

Programs
Speaking About Security
Are You Making a Living, or a Life?
Career Compass Coaching

Available Keynotes
Transform Your Awareness Program
Setting Your Career Compass
Into the Breach
Speaking About Security
Do More with Less and Have Less Stress!

Posted in Information Protection, Professional Speaking | Comments

Security Catalyst Community Blogroll

The Catalyst Community continues to grow. One of our aims is to serve the needs of podcasters and bloggers by providing a central place for us to come together and ask for help, offer advice and share our passions. The blogs and podcasts below represent the members of the Catalyst Community:

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Security Views | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
Aditya Kuppa | http://rumblingsofaconfusedmind.blogspot.com
Sam Masiello | http://www.mxlogic.com/threat_center
Still Secure After All These Years (Alan Shimel) | http://www.stillsecureafteralltheseyears.com
John Biasi | http://www.john-biasi.com
Security Incite (Mike Rothman) | http://securityincite.com/blog/mike-rothman
Eric McMillen | http://www.mcmillengroup.com/blog/
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
SecThis.com Security Podcast (Gene Naftulyev, CISSP) | www.secthis.com
Jon Robinson |  www.jonsnetwork.com
The IT Security Guy (Joel Dubin) | http://www.thesecurityguy.com
Augusto Paes de Barros, CISSP | http://www.paesdebarros.com.br/english & http://www.paesdebarros.com.br/indexpb.html
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Steve Mullen | http://skmullen.wordpress.com
Rory McCune | http://www.mccune.org.uk/
Nick Owen | http://www.wikidsystems.com/WiKIDBlog
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Gary Hinson | http://www.NoticeBored.com
Daniel Miessler | http://dmiessler.com/ | http://dmiessler.com/study/
Didier Stevens, CISSP | https://DidierStevens.com
Lester Nichols, MCP | http://virtualmindshare.blogspot.com/
Amrit Williams | http://techbuddha.wordpress.com
Ken Camp | http://www.ipadventures.com/
Liudvikas Bukys | http://L.Bukys.org
David D Bergert, CISSP, CISA | http://www.infosecblurb.com
Justin Clarke | http://www.justinclarke.com
Garrett Gee | http://ggee.org
Paul Barrett | http://blog.passfaces.com

If you are a member of the Security Catalyst Community and have a blog or podcast that you would like to have listed here, please send a message to securitycatalyst@gmail.com. I’ll also change your status to security blogger/podcaster.

** If you are a member and are listed here but don’t have access to the blog and podcast area, shoot me a note.

Posted in Information Protection | Comments

Compliance as a goal is a recipe for failure

By Adam Dodge


Did the title of this article surprise you? Given the ever-growing list of Federal and State regulations pertaining to the protection of information, this surprise is understandable. After all, at the very least any information security program should meet regulatory compliance goals for an organization. However, there are a few hidden dangers with this line of thought.


As I mentioned above, the list of Federal and State regulations continues to grow, sometimes overnight (or at least that is how it seems). I do not think that it would be too irresponsible or crazy for me to suggest this growth will continue into the future. Federal Breach Notification Law, anyone? Given this growth, pushing compliance as a goal seems to make a good bit of sense since it ensures continued support for the information assurance/security/protection program.

If we step back for a second and take a critical look at what continued growth means for compliance as a goal, we can see there is a problem. How many times can we go running to our organizations with dire warnings of new or upcoming regulations before they simply start to ignore us? If you answered “not that many”, I agree. If (or should I say when) the new or upcoming regulation forces the organization to change established procedures, it further compounds the problem.


This is the same problem as faced by the boy who cried wolf. Whether we are crying out “Wolf! Wolf!” or “SOX! GLBA! FISMA!”, after a while our tired shouts will be ignored. Many security professionals have already begun to run into this problem with HIPAA. At first, it was a powerful tool to enact change. Now it seems HIPAA has lost some of its power.


In addition, if we continue to push compliance as the goal, then the very best we will ever achieve is compliance. That is all. When we attempt to push for a control not required by current regulations, there is a very good chance we will fail to achieve support because the organization currently meets all regulatory goals. This problem becomes more significant when regulations lag behind the current threat landscape (as is inevitable).


Of course, I am not suggesting that we simply ignore Federal or State regulations. Instead, here is what I suggest:
1. Use regulations as a template, a baseline for the minimum controls for your organization’s information security program.
2. Spend some time researching frameworks to help map out additional controls and features. NIST, ISO, and ISF are good places to start.
3. Above all else, the goal of the information security program needs to be the protection of information and not regulatory compliance.

Seeking information security through compliance is a recipe for failure. The good news is that the reverse is not true. A well-designed information security program will help any organization meet compliance goals while understanding that the protection of information is the ultimate goal.

Posted in Information Protection | Comments (1)

Security Catalyst: Family Security Series Podcast, Episode 2 – Using a Non-Administrative User

You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
- why you should be using a non-administrative user account
- how to determine which type of account you are currently using
- how to create normal user accounts
- how to change to a regular user account

Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:

• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security + SME
• John Biasi
• Peter Clark, CISSP

If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php

The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(Note: joining the community costs nothing, except your active participation! We enforce a naming standard of using your full name; it helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)

Links and Information Mentioned During the Program

Least Privilege

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Determine the current status of a user account

Two basic options in Windows XP

Windows XP: Option 1
• Start -> Run -> CMD (bring up a command prompt)
• Type ipconfig /renew (this will be in the show notes)
• Limited Users will be given an error that access is denied. Administrators will be allowed to renew their IP address.

Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application

If you are a Limited User, you will be presented with the option to change your picture or to click on Mail or User Accounts. You are limited to:
• changing your own password
• changing your picture
• setting up your account to use a .NET Passport

If you are an Administrator you will be given the option to Change an account, create a new account or change the way users log on or off.

For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html

Mac OS X
• System Preferences –> Accounts
• Right under the name it tells you the kind of account you have

Create a non-admin account

Mac OS X
• System Preferences –> Accounts
• Check that the lock is unlocked; if not, click it and enter your password
• click on the + sign
• Enter in the information, including a password
• DO NOT check (make sure you leave blank) the box for ‘Allow user to administer this computer’

Windows, pre-Vista
• Start -> Control Panel
• Select ‘User Accounts’
• Select ‘Create a new account’
• Type in the name of the new user account
• Select the ‘Next >’ button
• Select the ‘Limited’ radio button
• Select the ‘Create Account’ button

You’re not done! Time to select a good password.
(We will go into details on good passwords in the future.)
• You will be presented with a ‘User Accounts’ screen with a ‘Pick a task’ option. Select the ‘Change an account’ option
• Select the account you just created
• On the next screen, ‘What do you want to change about Child 1’s account?’, select ‘Create a password’
• Enter a strong password in the first two boxes and a password hint in the third box. Then press the ‘Create Password’ button
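The same two tasks (finding out which kind of account you are using, and creating a Limited account) can be done from a shell. This is an added example, not part of the podcast notes; it assumes Windows with the built-in `net` command and PowerShell, and the account name Child1 is a placeholder chosen to match the "Child 1" example above.

```powershell
# Added example (not from the podcast): check what kind of account you are
# using, then create a Limited (non-administrative) account from the command
# line instead of through the User Accounts control panel.
# Assumes Windows with the built-in `net` command; "Child1" is a placeholder.

function Test-IsAdministrator {
    # Like the podcast's "ipconfig /renew" test, but without touching the
    # network: ask Windows directly whether this token is in Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-LimitedAccount {
    param([Parameter(Mandatory=$true)][string]$Name)
    # "net user <name> *" prompts for the password twice, so it never
    # appears on the command line or in the shell history.
    net user $Name * /add
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $Name" }
    # A fresh account lands in the Users group (the GUI's "Limited" type);
    # make that explicit, then confirm it is NOT in Administrators.
    net localgroup Users $Name /add | Out-Null
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*$'
    $admins  = net localgroup Administrators
    if ($admins -match $pattern) { throw "$Name ended up in Administrators" }
    return $true
}

if (Test-IsAdministrator) {
    Write-Host "This session is administrative: use it only to create the Limited account."
    New-LimitedAccount -Name 'Child1'
} else {
    Write-Host "Good: you are running as a Limited (non-administrative) user."
}
```

On Vista and later with UAC, Test-IsAdministrator reports False for an administrator whose session is not elevated, because the filtered token is what the check sees; on the pre-Vista systems the notes cover, it reflects the account's real group membership.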

Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)

• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May 8)
• Baltimore/Washington/Northern Virginia (May 10 – May 18)

We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security

We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)

We are in the process of selecting cities for our “security revival tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com

Thanks for listening - now go make your user account changes and be safe out there!

Family Security Series #2 [24:13m]

Posted in Information Protection | Comments (2)
