
Behaviorally Speaking: Systems Security - CM is the Missing Link!!!

Written by Bob Aiello   
Saturday, 31 May 2003 16:00

In my “spare” time I have been reading through the review text for the CISSP exam. This certification for Security experts is becoming a very hot item to add to your resume. Some of the material is very interesting and informative. Unfortunately, the Software Development material is frankly pretty light and I am still searching for a section on Software Configuration and Release Management. There is some information on Change Control, but somehow the CISSP does not address the relevance of CM to security. This is ironic since, as the global head of CM for my company, I am the only person who accompanied our Director of Systems Security to the quarterly meeting of the New York Electronic Crimes Task Force (NYECTF) organized by the United States Secret Service. Without proper Software Configuration and Release Management best practices there is NO POSSIBLE WAY to have “secure systems,” particularly if you have global financial systems available via the Internet. Read on if you would like to understand where CM fits in and how this dependency is an excellent reason why security should be part of your core competencies!


What is the CISSP?

The Certified Information Systems Security Professional (CISSP) is an industry certification which covers 10 domain areas as designed by the International Information Systems Security Certification Consortium (ISC²). The two most relevant knowledge domains are Application and Systems Development Security and, secondly, Business Continuity Planning and Disaster Recovery. Briefly, the other 8 knowledge domains include Access Control, Telecommunications & Network Security, Security Management, Architecture and Models, Cryptography, Operations & Physical Security and finally Laws, Investigations and Ethics.

Security For CM Experts

I am often amazed at how many CM experts still use CM tools that lack adequate integrity controls, audit trails and role-based controls (e.g. developers vs. buildmeisters). I would love to discuss with other CM practitioners how they can put the resources of a large financial services firm into RCS, SCCS or CVS (which is based upon RCS libraries). Every time I convert a Microsoft VSS (sorry Bill!) or CVS library to ClearCase, I find files that were lost or corrupted long ago. State-of-the-art CM tools are based upon databases which have strong controls and audit logging that is itself secure. If you managed to compromise one of these more capable tools, the entire database would crash or the tampering would at least be detected by the normal integrity checking tools. Yet I recently had a vendor trying to convince me that CVS was secure because it passed the Security Review of a large international financial services firm. In my opinion, this just means that this firm's systems security professionals do not have enough technical knowledge and expertise to understand that they are putting the company's resources at risk.
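As an added illustration of what "audit logging that is itself secure" means in practice (example code written for this column's topic, not taken from any CM tool): each audit record commits to the digest of the one before it, so editing, inserting or reordering a record breaks the chain, and the head digest is compared with a copy kept out of band so that truncating or rewriting the whole log is caught as well. The users, roles, file names and revision numbers are constructed sample values.

```python
"""Tamper-evident change log for a CM repository (added example)."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # digest that the first entry chains to


def _digest(prev: str, body: Dict) -> str:
    """SHA-256 over the previous digest and a canonical JSON form of the entry."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + canon).hexdigest()


def append_entry(log: List[Dict], **fields) -> str:
    """Add an audit record (who, in which role, did what, to which revision)."""
    prev = log[-1]["digest"] if log else GENESIS
    body = {**fields, "prev": prev}
    digest = _digest(prev, body)
    log.append({**body, "digest": digest})
    return digest


def verify_chain(log: List[Dict]) -> Optional[int]:
    """Index of the first entry whose link or digest is wrong; None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "digest"}
        if body.get("prev") != prev or _digest(prev, body) != rec.get("digest"):
            return i
        prev = rec["digest"]
    return None


def verify_against_witness(log: List[Dict], witness_head: str) -> bool:
    """Whoever can edit the log file can also rewrite or truncate the whole
    chain consistently; comparing the head with a digest stored out of band
    (a separate system, a signed mail, a printout) catches that."""
    return verify_chain(log) is None and bool(log) and log[-1]["digest"] == witness_head


def constructed_log() -> Tuple[List[Dict], str]:
    """Three constructed audit records; returns the log and its head digest."""
    log: List[Dict] = []
    append_entry(log, user="alice", role="developer", action="checkin",
                 path="src/util.c", rev=42)
    append_entry(log, user="bob", role="buildmeister", action="label",
                 label="REL-2003-05", rev=42)
    head = append_entry(log, user="alice", role="developer", action="checkin",
                        path="src/main.c", rev=43)
    return log, head


def demo_intact() -> Tuple[Optional[int], bool]:
    log, head = constructed_log()
    return verify_chain(log), verify_against_witness(log, head)


def demo_edited_entry() -> Optional[int]:
    log, _ = constructed_log()
    log[1]["user"] = "mallory"  # someone rewrites who applied the release label
    return verify_chain(log)


def demo_truncated() -> Tuple[Optional[int], bool]:
    log, head = constructed_log()
    log.pop()  # the last check-in is silently removed; the chain still verifies
    return verify_chain(log), verify_against_witness(log, head)


if __name__ == "__main__":
    print("intact:", demo_intact())
    print("edited entry detected at index:", demo_edited_entry())
    print("truncated log, chain ok / witness ok:", demo_truncated())
```

The chain alone only proves that nobody edited the middle of the log without leaving a trace; the truncation case shows why the latest digest must be recorded somewhere the people who can write to the repository cannot reach.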

You’ve Been Hacked!

The NYECTF discusses many incidents involving essential systems being penetrated and compromised. The 2002 Osborne McGraw Hill CISSP review manual describes an incident (p. 28) in which it was purported that 34 American Military sites were hacked, with information regarding troop positions being compromised. The story goes that Saddam Hussein refused to pay for this information, because he thought that it was a trick. While this writer does not have confirmation that this incident actually occurred (other than that it is printed in a review book published by a well-respected author), the risk of essential systems being hacked is obviously a serious concern. Attendees at the Secret Service meetings have heard first-hand accounts of essential systems being compromised, leading to significant loss and interruption of essential systems and services. The offices of the Secret Service were destroyed in the attack on the World Trade Center, as was the NYC Emergency Command Center.

Are You Ready?

If you had to recreate all of your systems from scratch could you? From a technical perspective it is very unlikely that relying upon runtime modules alone would be sufficient. It is entirely possible that some modules would need to be recompiled and relinked, even under the best of circumstances. From a disaster recovery standpoint we need to perform due diligence that all source code is available, as well as all compile and runtime dependencies. I usually set the goal that if there was a disaster, we could hand someone a set of backup tapes and a credit card and all of the key systems should be available shortly after new hardware was delivered and installed. The truth is that many development teams cannot compile and release their code if key software developers take a 2 week vacation! Development processes need to maintain the requirement that all releases are independently rebuilt, in order to “Quality Assure” the build process.

Being Practical

I don’t believe that it is always practical to have an independent build team and really that is not absolutely necessary. The deployment process can simply require an independent build from a special buildmeister account. In fact, independent build teams often find themselves in conflict with the developers with an endless game of “compile error volleyball!” The developers claim the release is ready and the buildmeisters rebuild the release only to be stopped by compile errors.

Worms and Trojan Horses

Another serious problem can result from a system containing malicious code that simply creates a “back door” entry point into the system. The “back door” might be discovered and corrected, but the malicious code could periodically recreate the “back door” and might be extremely difficult or impossible to find. It is not my intent to give a lesson on creating computer viruses, but I do want to make the point that they can be extremely difficult to find and eliminate. Viruses that spread via the internet (and email) are often identified, and their signatures can then be used by commercial software (e.g. Norton Antivirus and others) to eliminate the virus. But what if you are the only target for a particular hacker? Maybe it is an inside job designed to steal money from your large financial services firm? In these real-life situations Norton Utilities are not going to help you.

Security Planning

Financial Services firms need to confirm that their systems can be rebuilt from scratch without (what my boss likes to call) heroic efforts. This is the only reasonable way to ensure that if your system is compromised, it can be rebuilt from scratch. This effort would involve taking a machine, wiping it completely clean and rebuilding the Operating System and all of the applications from scratch. For third party applications (e.g. Microsoft Office or a third party CRM system) this would mean loading the application from CDROM. For user-written systems (e.g. many large scale trading systems) this would mean pulling the source code from the source code repository and then recompiling and relinking the code from scratch. This level of effort is required to confirm that the original malicious code has been eradicated.
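An added example of the rebuild due diligence described in the last three sections (not the column's own code): the release is rebuilt from a fresh copy of the repository and nothing else, the declared inputs are checked before the build, and the rebuilt artifacts are compared by SHA-256 with what was shipped. The build step here is a stand-in that joins C sources in a fixed order instead of compiling them, and the repository contents, the `REQUIRED` list and the workstation-only `hotfix.c` are all constructed; substitute the project's real compile-and-link command.

```python
"""Clean-room rebuild check for a release. The build step is a stand-in that
joins sources instead of compiling; substitute the real compile-and-link."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

BuildFn = Callable[[Path, Path], None]  # build(source_root, output_dir)
REQUIRED = ["main.c", "util.c"]  # inputs the release is declared to need (constructed)


def sha256_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def clean_room_build(repo: Path, build: BuildFn, required: List[str]) -> Dict[str, str]:
    """Rebuild from a fresh copy of the repository and nothing else. Anything the
    build needs that is not under version control is absent here, so the build
    fails or its output differs; better to learn that now than during recovery."""
    missing = [f for f in required if not (repo / f).is_file()]
    if missing:
        raise FileNotFoundError(f"repository lacks required inputs: {missing}")
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp) / "src", Path(tmp) / "out"
        shutil.copytree(repo, src)  # only what the repository holds
        out.mkdir()
        build(src, out)
        return sha256_tree(out)


def independent_rebuild_matches(
    repo: Path, build: BuildFn, required: List[str], shipped: Dict[str, str]
) -> Tuple[bool, Dict[str, Tuple[Optional[str], Optional[str]]]]:
    """Buildmeister check: (all artifacts match, {artifact: (shipped, rebuilt)})."""
    rebuilt = clean_room_build(repo, build, required)
    diffs = {name: (shipped.get(name), rebuilt.get(name))
             for name in sorted(set(shipped) | set(rebuilt))
             if shipped.get(name) != rebuilt.get(name)}
    return (not diffs, diffs)


def link_sources(src: Path, out: Path) -> None:
    """Stand-in for compile+link: join every .c file in a fixed order."""
    blob = b"".join(p.read_bytes() for p in sorted(src.glob("*.c")))
    (out / "app.bin").write_bytes(blob)


def make_constructed_repo(extra: Optional[Dict[str, str]] = None) -> Path:
    """Constructed two-file repository; `extra` stands for files that exist
    only on a developer's workstation and were never checked in."""
    repo = Path(tempfile.mkdtemp()) / "repo"
    repo.mkdir()
    (repo / "main.c").write_text("int util(void);\nint main(void) { return util(); }\n")
    (repo / "util.c").write_text("int util(void) { return 0; }\n")
    for name, body in (extra or {}).items():
        (repo / name).write_text(body)
    return repo


def scenario_clean_release() -> bool:
    """Shipped artifact came from a clean build, so the rebuild reproduces it."""
    repo = make_constructed_repo()
    shipped = clean_room_build(repo, link_sources, REQUIRED)
    return independent_rebuild_matches(repo, link_sources, REQUIRED, shipped)[0]


def scenario_workstation_only_fix() -> Tuple[bool, List[str]]:
    """Developer shipped a build that picked up hotfix.c, which was never
    checked in. Returns (match, names of artifacts that differ)."""
    workstation = make_constructed_repo({"hotfix.c": "int util(void) { return 1; }\n"})
    with tempfile.TemporaryDirectory() as tmp:
        link_sources(workstation, Path(tmp))  # what actually went out the door
        shipped = sha256_tree(Path(tmp))
    repo = make_constructed_repo()  # what version control actually holds
    ok, diffs = independent_rebuild_matches(repo, link_sources, REQUIRED, shipped)
    return ok, sorted(diffs)


def scenario_missing_source() -> bool:
    """util.c was never committed; the rebuild refuses rather than guessing."""
    repo = make_constructed_repo()
    (repo / "util.c").unlink()
    try:
        clean_room_build(repo, link_sources, REQUIRED)
    except FileNotFoundError:
        return True
    return False


if __name__ == "__main__":
    print("clean release reproduces:", scenario_clean_release())
    print("workstation-only fix:", scenario_workstation_only_fix())
    print("missing source refused:", scenario_missing_source())
```

Run from a buildmeister account rather than the developer's, and keep the shipped digests with the release record: the second scenario is exactly the "key developer on vacation" case, where the shipped binary depends on something that exists only on one workstation, and the third is the case where the backup tapes would turn out to be incomplete.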

Measuring Risk

These time-consuming measures are a matter of measuring risk or, in CISSP terminology, planning for security requirements. In fact the CISSP builds security planning explicitly into the Software Development Lifecycle. In all cases it is essential to be practical and do what is reasonable in business terms. Planning for security is not an end in itself. It is simply a tool to help run our businesses.

Next Steps

It is the suggestion of this writer that Software Configuration and Release Management are core competencies that need to be added to the CISSP, and that all systems security professionals should be knowledgeable about them. There is also a lot of value for CM Practitioners in becoming more knowledgeable about systems security and the CISSP certification. Personally, I don’t believe that gaining CISSP certification will help me in my career. But there is a synergy here and I believe that the fields of Systems Security and CM have a lot of overlap. So I look forward to attending the next Secret Service NYECTF meeting, where I hope to give a short paper on what every systems security professional needs to know about Software Configuration and Release Management. Please contact me via email if you would like more information about the CISSP or the NYECTF!



Bob Aiello is a Senior Contributing Editor for Crossroads News and an Associate Director at Bear Stearns & Co. where he is engaged in Software Process Improvement on a large scale basis. He is also on the Board of Directors for the Organizational Development Network of Greater New York (ODNofGNY) and a member of the Steering Committee of CitySPIN in New York. Mr. Aiello has a Masters in Industrial Psychology and a BS in Computer Science.

You can reach Mr. Aiello by email at raiello@acm.org

Last Updated on Tuesday, 01 April 2008 10:52