Friday, May 20, 2016

Stephen Mori  iSOA Security Adviser




Since this is my first post to the ISOA Group blog, a few words of introduction are in order.  First of all, thanks to Bryon and Cheryl for inviting me to join iSOA Group as their new Security Adviser; I will be helping to articulate the development of iSOA Group’s security practice. 

My brief and abbreviated history spans forty years in various technology roles:  systems analyst, coder/developer, software designer, consultant, systems architect and security engineering and management culminating in the role as Autodesk’s first CISO (retired 2012).  Since my retirement I have continued with a few judiciously selected consulting gigs.  Retirement hasn’t allowed me much time for gainful employment.

I look forward to being a regular contributor to this blog; exploring what are hopefully topical issues across security, privacy and trust.  A particular interest of mine is cyber-trust.  There I’ve used “cyber”, now I’ll actively seek to avoid over-using it since others are handling that.  No small part of that interest is how we, as security professionals, bring the same sort of innovation to defending our company and critical assets as the bad guys bring to uncovering new ways of threatening us and our vital information assets.

But, first a look back to set the stage for future entries.  It is 1970 and Willis Ware, early computer scientist and security pioneer, delivers a commissioned report to the Advanced Research Projects Agency - predecessor to DARPA.  Known as the “Ware Report”, officially titled “Security Controls for Computer Systems: Report of the Defense Science Board Task Force on Computer Security”, the report was only recently declassified by the DOD.  Why spend time looking at a 46 year old resource?  Simply because it remains a resource and it helps me make my point about the need for innovation, while respecting history.

The report charter was to deal with the risks associated with the rapid growth of “multi-access, resource sharing computer systems”.  Rapid being relative, the authors could not have envisioned today’s democratized Internet, hyper-connected world of social media, computers in the form of watches, tablets, smartphones, let alone IoT enabled appliances; and, of course, virtual servers, Amazon Web Services (AWS), Docker, et al.  That charter remains valid in a world where factors are more connected - many factors faster than real-world 1970.

“Providing satisfactory security controls in a computer system is in itself a system design problem.”  Did Mr. Ware anticipate Agile development methodology, DevOps, and proliferating App Stores?

“A combination of hardware, software, communication, physical, personnel and administrative-procedural safeguards is required for comprehensive security.” Defense-in-Depth, anyone? Implied in the statement are IDS/IPS, Next Gen firewalls, vulnerability management software, SIEM, multi-factor authentication, security awareness, policy and technical controls.

What of Advanced Persistent Threats, intentional and accidental internal threat actors, and (Distributed) Denial of Services?  Systems ought to be “...acceptably resistant to external attack, accidental disclosures, internal subversion and denial of use to legitimate users.” Effectively, this covers anything connected to the Internet with open access to the Web, e-mail, text.

Finally, the report outlined what arguably remains the most common system vulnerabilities:  accidental destruction of data by a system failure, user or administrative error, active attacks that exploit weaknesses in user credentials, or deliberate or accidental flaws in software, “unauthorized entry points...created by a system programmer who wishes to provide a means for bypassing internal security controls...”.  All of which evoke directory attacks, credentials/identity theft, and back doors.

The “Ware Report” pretty much covers the CISO’s world.


So that is my bit of context setting.  Future entries will hearken back to these legacy security issues, but with an updated perspective and current terminology.  My first thought upon reading summaries of the “Ware Report” is the greatest progress we’ve made has been in creating new acronyms.  We need to endeavor to get just as good at developing innovative responses to these classic and evolving threats as we are at simplifying technical jargon.