Wednesday, May 20, 2009
Wednesday, May 20, 2009 3:52:54 AM (GMT Daylight Time, UTC+01:00) (General | Security)

Whew – well after a tough few months I’ve finally completed the coursework towards my masters degree in Information Security - taught by the Information Security Group (ISG) at Royal Holloway (via the University of London External System).

The online syllabus is available from the external system and the ISG also provides an overview of the programme here.

In addition to the syllabus and ISG’s introduction - I thought that a personal summary might be useful for those considering the programme.

As per the syllabus – there are four compulsory modules, two optional modules and a final project. A module is really a course, composed of roughly ten units, and lasts the full academic year – from October to the final exam in May.  Here’s a description of the compulsory modules (accurate as of 2008/09 academic year) along with my two chosen optional modules.

IC01 Security Management

This course addresses the major themes of security management, including people, processes and technology, with particular emphasis on the role of policy in helping to shape an organisation’s security management strategy. The ISO 27000 series of standards (ISO 27001 and 27002 in particular) is covered in detail. COBIT, ITIL, ISF SOGP along with the DPA, RIPA, and relevant EU directives are examined. So too is the impact of industry specific regulations such as Sarbanes-Oxley, Turnbull, Basel II, and HIPAA. Principles of risk assessment (quantitative/qualitative), compliance, audit, and management, including excellent lectures from industry leaders, help to round out what is probably the most important message of the course; namely the importance of creating organisational awareness and a culture of information security that includes all aspects of the business (and not just the technology). Some of the material on the course was a little dated but relevant nevertheless. A ‘must read’ companion to this course is Bruce Schneier’s ‘Secrets and Lies.’

IC02 An Introduction to Cryptography and Security Mechanisms

This was a really great course in cryptography and security mechanisms. Pitched at just the right level for non-maths graduates, the course explains the roles of all the major cryptographic primitives, including symmetric key cryptography (block and stream ciphers), hashes, message authentication codes, asymmetric (public) key cryptography and digital signatures. Historical algorithms along with well known algorithms like DES, AES, RSA, Diffie-Hellman and others are explained in detail (including worked examples of RSA modulus, public and private key calculations). The use of these primitives as mechanisms for providing higher level security services like data integrity, data origin authentication, entity authentication (unilateral and mutual authentication protocols) and non-repudiation is also explained in detail. If you can get a copy – you really should read Steven Levy’s book ‘Crypto - Secrecy and Privacy in the New Code War’ for a brilliant side-by-side narrative of everything that happened in the crypto world from 1975 onwards. It puts the course into perspective and explains exactly what was happening from the 70s to the 90s in the struggle between governments attempting to regulate crypto, and the commercial interests of the private sector. Simon Singh’s ‘The Code Book’ is another great companion read.

IC03 Network Security

Also a great course on the fundamentals of network communications security including ISO 7498-2, as well as detailed analysis of network, transport, and application level security protocols (IPSec, SSL/TLS, SSH, Kerberos etc.) Other unit subjects included biometrics, email security, wireless networking, firewalls, GSM/UMTS security and an introduction to intrusion detection systems (IDS). One of the texts for this course is Douglas Comer’s brilliant book - 'Computer Networks and Internets (5th Edition)'.

IC04 Computer Security

A bit like IC02 above – there was some important history in this course in terms of the evolution of computer security, operating systems and formal security models including Bell-LaPadula, Biba, Chinese Wall, and Clark-Wilson. For me at least – a real eye opener, and it filled in a lot of important gaps – especially in terms of access control and some of the things I’d previously worked on in the areas of authorisation and workflow. Units on security in the Pentium architecture, Unix/Linux, IBM z/OS and Windows helped to round off theory with real world and practical examples of applied computer security.

OPT5 Secure Electronic Commerce and Other Applications

I’d assumed (which turned out to be partially correct) that this course would be close to my comfort zone given my background in Web and e-commerce development. The course was ok – but I think it could be structured better. It’s a pretty large subject (especially the ‘other applications’). The course’s primary objective is to link security specific methodologies to the traditional software development lifecycle, as well as to emphasise the different security approaches that might be required depending on the context of the application. Information flow analysis, threat modelling and application level risk assessment are covered in the opening units. The TETRA system is used as an initial case study, followed by units on Web application security, Web services security and an excellent unit on identity management. The final units introduce smart cards and the EMV standard. Lots of help from IC02 in this module, as secure protocols are described in several units.

OPT12 Smart Cards/Tokens Security and Applications

This course was new to the distance learning programme this year (although taught at the ISG for several years). The accompanying text – ‘Smart Cards, Tokens, Security and Applications’, edited by two RHUL faculty members, Keith Mayes and Konstantinos Markantonakis – is a tour de force on all things in the smart card world. I’ll never look at my ‘chip and pin’ credit card the same way again. A really great course, benefiting hugely from being fresh and up-to-date. Topics included smart card production, smart card development, smart cards for mobile communications (GSM/UMTS), banking and finance (EMV), RFID and contactless smart cards, smart cards in video broadcasting (DVB), an introduction to trusted platform modules (TCG/TPM), the Common Criteria (ISO 15408) for evaluation assurance, ID cards, e-passports and a fascinating unit on smart card attacks and countermeasures from Jacques Fournier at Gemalto.

In Summary

Looking back on the last two years, there were times when I wasn’t entirely sure how it was all going to fit together. With the benefit of hindsight I can clearly see the aims of the programme, and how the ISG has attempted to strike a balance between history, fundamentals, and applied techniques in information security.

The ISG has also put a lot of work into creating the distance learning version of this degree. They’ve experimented with multimedia and an online format which for the most part works well (although I still lean towards printed material and my trusty highlighter). Some of the material however (in particular a couple of the lectures in IC01) is starting to show its age and could do with a refresh – or at the least with a yearly update to the introduction for each module.

The course has totally changed the way I view the ‘information age’, information security, and privacy (having now taken the ‘red pill’). I’m extremely glad I enrolled and am looking forward to putting what I’ve learned into practice on future projects. I’m also looking forward to taking my time and working on my final project at a more relaxed pace over the next year or so.

To be continued…



Sunday, May 10, 2009
Sunday, May 10, 2009 5:59:20 AM (GMT Daylight Time, UTC+01:00) (General | Security)

Speechless really. I’m not often lost for words – but this presentation by Patrick Dixon of Siemens leaves me speechless. Thanks to RFIDs on the Brain from Boing Boing (and Douglas Rushkoff via ‘Joe’).



Friday, April 10, 2009
Friday, April 10, 2009 6:36:49 PM (GMT Daylight Time, UTC+01:00) (Other Tech | Security)

This is weird – I was looking at some of the reports in the Webmaster Tools I use from Google – and there were a lot (several hundred) of Web crawl 404 Not Found errors. Google reports that its spider was failing to find pages that I’ve never published – and which contain values that increment over a range as parameter inputs in the URL – 692-708 in the snapshot below.




Saturday, October 18, 2008
Saturday, October 18, 2008 2:51:40 AM (GMT Daylight Time, UTC+01:00) (Security)

I found this series of links on the topic of XSS and other Web site security issues pretty interesting...

Programming Is Hard, Let's Go Shopping! - from Jeff Atwood, written in response to this post:
Developers, Using Libraries is not a Sign of Weakness - from Dare Obasanjo
SgmlReader (an HTML parser) - from Mindtouch
First Line of Defense for Web Applications – Part 4 - by Anmol Malhotra

As an aside... dasBlog has an html/xhtml parser/verifier which, under the terms of the dasBlog open source license, could be used in other projects. I'm regularly impressed with the guts of dasBlog...some cool stuff in there.



Thursday, October 16, 2008
Thursday, October 16, 2008 7:30:17 PM (GMT Daylight Time, UTC+01:00) (Enterprise | Security)

Update: 28-11-2008 - Microsoft have released an update - v3 of the SDL Threat Modelling Tool - which is DFD based as opposed to use case driven. Check it out at The Microsoft SDL Threat Modeling Tool v3

Original post....

In my first year on the MSc programme at RHUL ISG,  I completed a course on security management, and while that hardly makes me an expert (since I'm still new to the world of information security), the course was excellent, and I learned a lot about the fundamentals of building an information security management system.

At its most basic level, information security management is about attempting to estimate the probability and impact of unwanted events; events that may affect the confidentiality, availability or integrity of information assets. Estimates of the risks associated with these events can then be used to make decisions about what measures (if any) an organisation will choose to implement as part of its overall information security management strategy.

The process of estimating and assessing risk should be guided by an information security policy that, among other things, will state the aims, values and objectives of an organization with regard to risk. The policy, when combined with legal, business and moral responsibilities, will (or at least should) influence the choices that are made in managing risk within an organization (the ISO 27000 series of documents is the place to start if you'd like to know more about building an information security management system (ISMS)).

The process of producing risk estimates is called risk assessment, and while there are different techniques for performing a risk assessment, the common goal of each is to produce a metric that allows risks to be weighed. Weighing risks allows an organization to make appropriate decisions about how to prioritise and manage risk.

One formula that is often used to describe the calculation of risk is: risk = threat x vulnerability x impact, which translates to: what is the level of an identified threat (how common is it, how relevant is it to the industry or asset in question), how vulnerable is the asset or system to the threat, and what is the impact if the vulnerability to a specific threat for a specific asset is realized. If any of the factors is zero - then risk is also zero.

Acceptable choices in managing risk include: 1) accept the risk, 2) mitigate the risk, 3) transfer the risk or 4) avoid the risk.

The first task then is to work out what the threats are, creating an applicable threat model (well actually the first task is to work out what your assets are - how much they're worth to you, and what a total loss of that asset would cost you in both tangible and intangible terms - but let's assume we're at the threat identification stage).

So how are threats identified? Well I think for the most part they come from a body of knowledge and experience that exists for a given industry and its assets. For example - a jewellery shop is likely to consider the threat of theft to be relevant since it has stuff of value, and jewellers have learned, through experience, that a small percentage of the population will attempt to steal things of value, ergo.. theft is a threat. How vulnerable the jewellery shop is to theft depends on where it's located, how valuable the jewels are, and whether or not the shop has implemented any measures designed to prevent theft - like locks on cabinets, security cameras, security cards etc.

Threats against computer systems and networks also require a body of knowledge in terms of historical and current threats. One approach to help identify threats as part of risk assessment is to use a threat library, or database of known threats. There are a few systems out there that take this approach - like a software tool called CRAMM Expert (based on the CRAMM methodology) which includes a database of threats that you can use to create a threat model for your organisation.

This evening, another one of those serendipitous link journeys, combined with some reading I've been doing on application lifecycle and security, led me to a link to the Threat Modeling Tool from Microsoft. While other methodologies in risk assessment cover a wide range of threats and security management issues, Microsoft's tool is geared specifically (not surprisingly) towards managing risk in software, and is part of Microsoft's Security Development Lifecycle (SDL) methodology.

I think this tool (and the methodology) is pretty interesting. For starters it's free, which shows how committed Microsoft is to not only producing secure software, but to helping the community at large incorporate secure software development practices into their overall software development process.

In fact it was this post by Adam Shostack, Experiences in Threat Modeling At Microsoft (an excellent article) which led me to the SDL portal, and it was a reference in Bruce Schneier's - Crypto-Gram monthly newsletter that led me to Adam Shostack's post.

I can't claim to be an expert in using this tool after just 30 minutes of experimenting... but I was impressed. Using the "New with wizard" option - I was able to create a rudimentary threat model in just a few minutes.

The process involved defining user roles (UR), components, service roles (SR) and data. The tool and the process are 'data centric' and, as Adam Shostack points out in his article,

"... a great many software attacks involve the flow of data through the system in some way...."

Components used in service roles are also assigned relevancies (or features) like whether the component utilizes HTTP, or builds SQL queries.

Access control rules are created for the defined data entities - both for users and components.

Application Use Cases are then created which in turn are composed of application calls. The caller for each call in a use case can be a user role (UR) or a service (SR).

Threats can then be automatically generated and the tool will attempt to match a list of attacks in the attack library with the calls in a use case, creating a threat list for the given use case. The terminology here is slightly different from what I was taught - since I would have classified the threats that were produced as vulnerabilities, and the attack library as a threat library or database.
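To make the generation step above concrete, here is an added, deliberately simplified model of how a use-case-driven tool can derive a threat list: each call in a use case is checked against the access control rules for the data it touches, and each relevancy (feature) of the called component is looked up in an attack library. This is illustration code written for this post, not the logic of Microsoft's tool; the component names, relevancies, attack library entries and access rules are all constructed.

```python
from dataclasses import dataclass

# Constructed, simplified model of a use-case-driven threat generator. It is an
# added illustration of the matching step described above, not the logic of
# Microsoft's Threat Analysis and Modeling tool.


@dataclass(frozen=True)
class Component:
    name: str
    relevancies: frozenset  # features such as "http" or "builds_sql"


@dataclass(frozen=True)
class Call:
    caller: str          # a user role (UR) or service role (SR)
    component: Component
    data: str            # the data entity the call touches
    action: str          # "read" or "write"


@dataclass(frozen=True)
class UseCase:
    name: str
    calls: tuple


# Constructed attack library: an attack applies when the called component has
# the listed relevancy. The countermeasure text is illustrative.
ATTACK_LIBRARY = {
    "http": ("Cross-site scripting", "Encode output and validate input"),
    "builds_sql": ("SQL injection", "Use parameterised queries"),
}


def generate_threats(use_case, access_rules):
    """Return threat entries for one use case.

    access_rules maps (data, action) -> set of roles permitted to perform it.
    A caller outside that set yields an access-control threat, and every
    component relevancy present in ATTACK_LIBRARY yields an attack threat
    against the corresponding call.
    """
    threats = []
    for index, call in enumerate(use_case.calls):
        allowed = access_rules.get((call.data, call.action), set())
        if call.caller not in allowed:
            threats.append({
                "use_case": use_case.name,
                "call": index,
                "threat": f"Unauthorised {call.action} of {call.data} by {call.caller}",
                "countermeasure": "Enforce the access control rule before the call",
            })
        for relevancy in sorted(call.component.relevancies):
            if relevancy in ATTACK_LIBRARY:
                attack, countermeasure = ATTACK_LIBRARY[relevancy]
                threats.append({
                    "use_case": use_case.name,
                    "call": index,
                    "threat": f"{attack} against {call.component.name}",
                    "countermeasure": countermeasure,
                })
    return threats


def create_user_example():
    """Constructed 'Create User' use case: an anonymous visitor submits a
    registration form over HTTP, then the web application writes the profile
    and an audit record through a repository that builds SQL."""
    web_ui = Component("WebUI", frozenset({"http"}))
    repo = Component("UserRepository", frozenset({"builds_sql"}))
    use_case = UseCase("Create User", (
        Call("Anonymous", web_ui, "UserProfile", "write"),
        Call("WebApp", repo, "UserProfile", "write"),
        Call("WebApp", repo, "AuditLog", "write"),
    ))
    # Constructed access control rules. The audit log may only be written by
    # the audit service, so the model exposes a design inconsistency in call 2.
    access_rules = {
        ("UserProfile", "write"): {"Anonymous", "WebApp"},
        ("AuditLog", "write"): {"AuditService"},
    }
    return generate_threats(use_case, access_rules)


if __name__ == "__main__":
    for t in create_user_example():
        print(f"[{t['use_case']} call {t['call']}] {t['threat']} -> {t['countermeasure']}")
```

The output is a per-use-case list in which each entry names the call it applies to, so the findings map straight back to the design rather than to the code base as a whole; as the post notes, the tool's "threats" are closer to vulnerabilities in the risk-assessment vocabulary, and the library of "attacks" is what a risk assessor would call a threat library.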

Here's an example call graph from a simple use case.


And here's a full screen-shot of the application with an automatically generated threat (vulnerability) that was created for the "Create User" use case. I'm about to choose 'Reduce' as my Risk Response (remember I can choose to avoid, reduce, transfer or accept a risk). I've also chosen three counter-measures as the mechanisms I will use to reduce risk.


There is a lot in here: you can specify authentication mechanisms for roles (which I'm assuming are used to weight and select attacks), and there are analytics including data access matrix, component access matrix and subject-object matrix reports, plus visualizations for call, data and trust flows. Other reports are divided into risk owner reports, design team reports, development team reports and test team reports. The development team reports even include code examples showing how to implement the selected countermeasures.

To be honest I'm not sure entirely where the Threat Analysis and Modelling tool fits into the data flow diagram (DFD) and "STRIDE per element" approach described in Adam Shostack's paper. The tool appears to be use case driven as opposed to data flow diagram driven.

Also wondering how this application might be integrated with other application design components, like logical or physical design models. There are options for importing Visual Studio Team System Deployment reports as well as exporting Team System Work Items.

I guess the ultimate test of value will be how much effort is required to build and maintain a threat model using this application when compared to other methods. Large models in particular might be difficult to maintain, although I guess there is no reason why you couldn't use this application to create several smaller threat models with only the user/service roles, data and use cases that are specific to a given feature or iteration of development.

I think it's also worth pointing out that the Threat Analysis and Modelling tool is just one (albeit important) part of a larger process designed to create secure software. It is not a replacement for functional, performance, vulnerability (penetration) and regression testing, nor does it appear to have any risk modelling functions for assessing application deployment, configuration and change management risks.

My limited experience with both this application and a formal software security development process means that I'm not able to say how successful this application might be at helping to 'connect' the security process with application development. But it is a very interesting product, feature rich and easy to use - with zero financial risk to boot.

Managing the risks associated with software, whether developed in-house or acquired, is a core component of any information security management process, and so any tool that helps to increase awareness and manage risk in this respect is a good thing.



Tuesday, September 23, 2008
Tuesday, September 23, 2008 10:07:21 AM (GMT Daylight Time, UTC+01:00) (Security)

I must have been asleep when this 'feature' appeared. I downloaded the latest ASP.Net MVC Storefront sample today from Codeplex. I then dragged the downloaded Zip file over to my project folder, extracted it and built the project. When I tried to run some of the unit tests - I got "Failed to queue test run me@myserver2008-09-23 15:20:05': Test Run deployment issue: The location of the file or directory '\...\.config' is not trusted.

A quick Google and I found the problem. There's a new attribute on files that you download from the Internet. Right click on the Zip file, choose Properties.. and you'll see the window as shown, with a message that says: This file came from another computer and might be blocked to help protect this computer. You need to click the Unblock button before you extract the contents of the Zip file... and then everything works fine...
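The attribute behind that dialog is an NTFS alternate data stream named Zone.Identifier (the "mark of the web") that the browser writes alongside the download; it records which Internet Explorer security zone the file came from, and Explorer offers Unblock for files marked as Internet (zone 3) or Restricted sites (zone 4). The following added example, which is not from the original post, parses that stream so you can see where a file came from before deciding to unblock it, rather than stripping the mark from every download out of habit. The sample stream contents and the URLs in it are constructed.

```python
# Inspect the Zone.Identifier stream ("mark of the web") that Windows attaches
# to files downloaded from the Internet. Added example, not part of the post.

# Constructed sample of what the stream typically contains; real files carry
# ReferrerUrl/HostUrl values written by the downloading browser.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://example.invalid/Storefront.zip\r\n"
)

# URLZONE values as used by Internet Explorer / Windows
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section into a dict of fields."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_name(fields):
    """Human-readable zone for a parsed stream; 'Unknown' if absent or malformed."""
    try:
        return ZONE_NAMES.get(int(fields.get("ZoneId", "")), "Unknown")
    except ValueError:
        return "Unknown"


def is_blocked(fields):
    """Explorer shows the Unblock button for Internet and Restricted sites."""
    try:
        return int(fields.get("ZoneId", -1)) >= 3
    except ValueError:
        return False


def read_mark_of_the_web(path):
    """Read the stream through the NTFS 'file:stream' path syntax.

    Returns None when the file carries no mark, and also on filesystems
    (e.g. on Linux) where alternate data streams do not exist.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone: {zone_name(info)}, blocked: {is_blocked(info)}")
    print(f"downloaded from: {info.get('HostUrl', '?')} (referrer {info.get('ReferrerUrl', '?')})")
```

Unblocking (or deleting the stream) removes the only record of the file's origin, so it is worth reading the HostUrl first: a zip that claims to come from the site you downloaded it from is a different proposition to one that arrived by some other route.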



Tuesday, May 20, 2008
Tuesday, May 20, 2008 4:06:41 PM (GMT Daylight Time, UTC+01:00) (General | Security)

Well that's two out of six exams over with - and the end of the silent period on my blog. Successfully sat 'Information Security Management' and 'Introduction to Cryptography' over the past two days.

Both manageable papers, and the first two of six in what has turned out to be a really excellent programme. Check out the Information Security Group at RHUL for the gory details, or the syllabus posted at the London External Programme - MSc in Information Security.

Now that I have my life back... (at least for the summer), watch this space for a re-designed blog and new photo gallery over the coming weeks.



Wednesday, March 12, 2008
Wednesday, March 12, 2008 10:01:37 AM (GMT Standard Time, UTC+00:00) (Security)

These are interesting. And there I was feeling all warm and cosy with my trusted platform module (TPM). The RAM to USB utility is particularly cool.

http://citp.princeton.edu/memory/

http://www.cs.dartmouth.edu/~pkilab/sparks/



Tuesday, December 18, 2007
Tuesday, December 18, 2007 9:42:04 AM (GMT Standard Time, UTC+00:00) (Other Tech | Security)

I posted here a while ago about setting up BitLocker on my PC - without a TPM. Works great.

I've recently been building up a new machine that will become my main development PC in the New Year - having decided to follow in the footsteps of others and build a decent spec Vista Ultimate 64 Bit box.

The spec:

Shuttle SP35P2 Pro
G.Skill 8GB 4-4-4-12 RAM
XFX NVidia GT 8800 Video
WD Raptor 10,000 RPM SATA for OS
SD Barracuda 300GB for Data
Vista 64 Ultimate 64 Bit

Anyway - more on this box later - which of course is going to be way better than others. :-)


BitLocker and EFS are now standard on my PCs and any new notebook I buy will have a TPM in it for sure.

That said - I'll be darned if I could get BitLocker to find the USB flash drive on this new PC to load the BitLocker keys at startup.

There are plenty of threads out there on the topic. Search for 'Bitlocker unable to read USB drive', or 'Bitlocker cannot find keys on USB drive'.

None of these helped me in this case.

Here's the solution (at least for this machine - with a Phoenix Award BIOS - V6.00PG - on an Intel P35 Express Chipset + ICH9R).

1. Be sure to put your USB keyring or flash drive in first!

2. Restart and enter your PC's BIOS (DEL at startup)

3. Go to the Integrated Peripherals menu item

4. Go to your USB Device Settings menu item

5. Set the USB controller to 'Enabled', 'High Speed' and the USB Storage function to 'Enabled'.

6. Here's the trick.... You should see a line like the one below with your USB thumbdrive listed.

*** USB Mass Storage Device Boot Settings***

[Yourdrive MFG name here]   [Auto]

The default is 'Auto'. Change it to 'HDD' and presto - Bitlocker will find the USB drive.

 

Took me ages to figure this one out...



Friday, July 06, 2007
Friday, July 06, 2007 2:28:29 AM (GMT Daylight Time, UTC+01:00) (Other Tech | Security)

I remember the first time I was burgled. It was in 1993 and I was living in London at the time. It was a tad unsettling to come home and see the front door of my apartment smashed open, and things not exactly the way I left them before I went to work! I lost a bunch of Audio CDs, my TV and some cash that was lying around - but NOT my computer.

Since then, being online a LOT more and needing a safe place to store personal online information - account codes, banking information, subscription information etc. - means that I've thought often about the best way to secure my personal (and work related) data.

I've used a couple of third party products in the past - but with Windows Vista Ultimate and BitLocker beckoning - I thought I'd give a combined BitLocker and Encrypted Files System (EFS) combination a shot.

BitLocker (in case you've not heard of it) encrypts the entire system partition - and until a valid key is supplied during system boot - the drive and its contents are effectively a nifty digital paperweight and nothing more. You can even safely dispose of the drive in this state - because again - without the key - it's just a lump of encrypted data.

My biggest concern with BitLocker was going to be performance especially since I was going to enable BitLocker on my main DEV box. Fortunately I have a 'kick it and see' PC I used to test everything on before implementing all of this on my main machine.

Here's the best article there is on how to configure BitLocker... Windows BitLocker Drive Encryption Step-by-Step Guide. In my case my PC doesn't have a Trusted Platform Module (TPM) - so I made the change as detailed in the article to allow BitLocker to be installed without a TPM.

Shortly after Vista Ultimate RTM was released - there was an update that included a BitLocker drive preparation tool. A word of warning here - and this relates to Windows Backup. Use the default partition settings from the drive preparation tool and allow it to create the new (and small) boot partition that will be needed for system startup, so that the boot process can start (unencrypted, of course) before loading the OS from the encrypted drive.

I have two partitions on my drive - my C: drive - which I will enable BitLocker on, and my D: drive which contains all my data. While exploring the command line options for the BitLocker drive preparation tool - I thought that since I already had a second partition (my D: drive) I could make this my boot drive (boot.ini and OS loader) - but this was a bad idea. For starters it's a BIG partition - over 100GB. Secondly - when using Windows Complete System Backup (which I now use in favour of my previous third party imaging tool) - the backup will correctly detect that it needs both partitions to do a complete system backup. I don't want my D: drive included in this image (the reason for separate partitions in the first place) and so I switched back to the default BitLocker drive preparation settings - which creates a new small partition (S:) to hold the boot information.

My BitLocker generated key was created and written to a USB thumbdrive (attached to my key ring - along with the other 'real' keys). I put a second USB thumbdrive in a 'real' safe along with the recovery key. If I lose my keys (literally) this is the only way I'm getting back into my machine - so having a safe and alternate location for your recovery key is essential. It's kind of neat having to put the USB thumbdrive in my PC to start it up - like starting a car... :-). And it really doesn't interfere with the way I use my PC - my keys are always there on my desk - and I take them with me wherever I go, so it fits fine into my pattern of work and play (you can take the key out of the computer as soon as BitLocker reads it - in fact BitLocker tells you to once it's read the key).

I have to say I was really impressed. I saw no performance difference on the 'kick it and see' PC and when installed on my live box - no difference there either. Impressive.

BitLocker will only work on system partitions - so that left the data on my D: drive. And this is where Encrypted File System comes to the rescue. That said not everything on my D: falls under the category of 'sensitive data' so I wasn't about to encrypt the entire drive. Instead I grouped my 'sensitive data' together in a special folder - and encrypted the contents using EFS. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. The public-private key pair are stored in your Personal Certificate Store - which you can view by typing certmgr.msc in the search line of the start menu in Vista, or from the 'Run' command in XP. Alternatively you can view the personal store from the Tools, Internet Options, Content, Certificates option in Internet Explorer.

Since the certificate store is on the system partition - and this is now under the protection of BitLocker - the certificates are safe (although you still need to take a backup of the EFS certificate and keep this someplace safe too).

EFS is pretty cool - and the way it uses public keys to protect a per-file symmetric key is neat - since it allows you to use several public keys - from several users - to encrypt a file - and then share it amongst those users if you needed to.
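The structure described in the two paragraphs above (a random per-file key, wrapped separately under each authorised user's public key) is what makes the multi-user sharing possible without re-encrypting the file. The following added example, written for this post and not taken from Windows or any Microsoft documentation, shows that structure end to end: EFS calls the per-file key the File Encryption Key (FEK) and the list of wrapped copies the Data Decryption Field (DDF), and those names are kept here. Everything cryptographic in it is a stand-in: textbook RSA over fixed Mersenne primes instead of a certificate's RSA key, and a SHA-256 counter keystream instead of EFS's real symmetric cipher, so it runs offline with only the standard library and must not be reused as a cipher. The user names and sample data are constructed.

```python
import hashlib
import os
from dataclasses import dataclass, field

FEK_BYTES = 16  # per-file key length for the toy; real EFS uses a full-strength symmetric key


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes. Constructed demo values only:
    real EFS keys come from the user's certificate in the personal store."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Mersenne primes keep the demo offline and deterministic; never do this for real.
ALICE_PUB, ALICE_PRIV = make_toy_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_toy_keypair(2**61 - 1, 2**127 - 1)


def toy_stream_cipher(fek, data):
    """XOR data with a SHA-256 counter keystream. Stands in for EFS's
    symmetric cipher; it is a demonstration construction, not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(fek + (offset // 32).to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


@dataclass
class EncryptedFile:
    ciphertext: bytes
    # Data Decryption Field: the same FEK wrapped once per authorised user
    ddf: dict = field(default_factory=dict)


def wrap_fek(fek, pub):
    """Encrypt the FEK to one user's public key (one DDF entry)."""
    n, e = pub
    m = int.from_bytes(fek, "big")
    assert m < n, "key must fit under the modulus"
    return pow(m, e, n)


def unwrap_fek(wrapped, priv):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(FEK_BYTES, "big")


def encrypt_file(plaintext, owner, owner_pub):
    fek = os.urandom(FEK_BYTES)  # fresh random key for every file
    ef = EncryptedFile(ciphertext=toy_stream_cipher(fek, plaintext))
    ef.ddf[owner] = wrap_fek(fek, owner_pub)
    return ef


def share_file(ef, sharer, sharer_priv, new_user, new_user_pub):
    """An authorised user recovers the FEK with their own private key and
    wraps it for another user's public key; the file body is untouched."""
    fek = unwrap_fek(ef.ddf[sharer], sharer_priv)
    ef.ddf[new_user] = wrap_fek(fek, new_user_pub)


def decrypt_file(ef, user, priv):
    if user not in ef.ddf:
        raise KeyError(f"{user} has no DDF entry for this file")
    fek = unwrap_fek(ef.ddf[user], priv)
    return toy_stream_cipher(fek, ef.ciphertext)


def demo():
    secret = b"account codes and banking details"  # constructed sample data
    ef = encrypt_file(secret, "alice", ALICE_PUB)
    share_file(ef, "alice", ALICE_PRIV, "bob", BOB_PUB)
    return ef, secret


if __name__ == "__main__":
    ef, secret = demo()
    print("alice:", decrypt_file(ef, "alice", ALICE_PRIV) == secret)
    print("bob:  ", decrypt_file(ef, "bob", BOB_PRIV) == secret)
    print("DDF entries:", sorted(ef.ddf))
```

Two points this makes visible that matter operationally: adding Bob requires someone who already holds a DDF entry (the FEK never leaves the file in the clear otherwise), and losing the private key that a DDF entry was wrapped for loses access to that entry for good, which is why the post's advice to back up the EFS certificate is not optional.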

Here's an excellent description of how EFS works... Windows XP Resource Kit: Using Encrypting File System.

So I now have a production PC - working hard every day - with BitLocker on the system partition, EFS where I need it on the data partition - a set of keys safely tucked away in two locations - and I feel better about the prospect of getting robbed - because at least this time if they choose to take the PC - they'll be getting a lump of iron and silicon - and not a whole lot more than that.


