Stephen Mori iSOA Security Adviser
Since this is my first post to the iSOA Group blog, a few words of introduction are in order. First of all, thanks to Bryon and Cheryl for inviting me to join iSOA Group as their new Security Adviser; I will be helping to articulate the development of iSOA Group’s security practice.
My brief and abbreviated history spans forty years in various technology roles: systems analyst, coder/developer, software designer, consultant, systems architect, and security engineering and management, culminating in the role of Autodesk’s first CISO (retired 2012). Since my retirement I have continued with a few judiciously selected consulting gigs. Retirement hasn’t allowed me much time for gainful employment.
I look forward to being a regular contributor to this blog, exploring what are hopefully topical issues across security, privacy and trust. A particular interest of mine is cyber-trust. There I’ve used “cyber”; now I’ll actively seek to avoid over-using it since others are handling that. No small part of that interest is how we, as security professionals, bring the same sort of innovation to defending our company and critical assets as the bad guys bring to uncovering new ways of threatening us and our vital information assets.
But first, a look back to set the stage for future entries. It is 1970 and Willis Ware, early computer scientist and security pioneer, delivers a commissioned report to the Advanced Research Projects Agency, predecessor to DARPA. Known as the “Ware Report”, officially titled “Security Controls for Computer Systems: Report of the Defense Science Board Task Force on Computer Security”, the report was only recently declassified by the DOD. Why spend time looking at a 46-year-old resource? Simply because it remains a resource, and it helps me make my point about the need for innovation while respecting history.
The report’s charter was to deal with the risks associated with the rapid growth of “multi-access, resource sharing computer systems”. Rapid being relative, the authors could not have envisioned today’s democratized Internet, the hyper-connected world of social media, computers in the form of watches, tablets and smartphones, let alone IoT-enabled appliances; and, of course, virtual servers, Amazon Web Services (AWS), Docker, et al. That charter remains valid in a world that is far more connected, and in many ways faster, than the real world of 1970.
“Providing satisfactory security controls in a computer system is in itself a system design problem.” Did Mr. Ware anticipate Agile development methodology, DevOps, and proliferating App Stores?
“A combination of hardware, software, communication, physical, personnel and administrative-procedural safeguards is required for comprehensive security.” Defense-in-Depth, anyone? Implied in the statement are IDS/IPS, next-gen firewalls, vulnerability management software, SIEM, multi-factor authentication, security awareness, policy and technical controls.
What of Advanced Persistent Threats, intentional and accidental internal threat actors, and (Distributed) Denial of Service? Systems ought to be “...acceptably resistant to external attack, accidental disclosures, internal subversion and denial of use to legitimate users.” Effectively, this covers anything connected to the Internet with open access to the Web, e-mail and text.
Finally, the report outlined what arguably remain the most common system vulnerabilities: accidental destruction of data by a system failure, user or administrative error, active attacks that exploit weaknesses in user credentials, or deliberate or accidental flaws in software, “unauthorized entry points...created by a system programmer who wishes to provide a means for bypassing internal security controls...”. All of which evoke directory attacks, credential/identity theft, and back doors. The “Ware Report” pretty much covers the CISO’s world.
So that is my bit of context setting. Future entries will hearken back to these legacy security issues, but with an updated perspective and current terminology. My first thought upon reading summaries of the “Ware Report” is that the greatest progress we’ve made has been in creating new acronyms. We need to endeavor to get just as good at developing innovative responses to these classic and evolving threats as we are at simplifying technical jargon.