Archive for the ‘Identity & Access Management’ Category

Confused about PSIM? You can’t just blame me anymore

January 13, 2011

Last month Martha Entwistle, editor of Security Systems News posted an interesting article commenting on the nature of PSIM (physical security information management) and a new report by IMS Research.  First I’ll comment on the content of the report, and then I’ll comment on the origin of the term PSIM (which she credits to me).

Thanks for writing this article, Martha.  As a security industry analyst for the last 15 years, I can say I’m not surprised.  I’ve seen reports like IMS’ before. You can’t blame them for confusing the issue, really.  Young researchers with no field security experience partially digest and regurgitate conversations with paying vendor marketing executives who have tremendous stake in the status quo.

The article here says “IMS’s Wong notes that products such as VMS and ACS software, which meet some, but not all, of the criteria above, are not considered to be PSIM for the purposes of the report.”

Hmm. I read these functional descriptions and think to myself that if you simply combined any popular VMS and ACS you’d have 80% of the functionality IMS declares to be PSIM. So what does that mean? That a solution has to have 100% of these technical requirements to be considered PSIM? Does it mean that “real” PSIM is actually and merely the 20% delta of functionality between an access control/video solution and the remaining functions?

Curious.

Regarding the term PSIM. Yes, I was the first person to publish the term PSIM and launch the global discussion on physical security information management.  When Chuck Teubner, CEO of VidSys, was CEO of e-Security (around 2003-04), he and I sat in the e-Security offices and discussed a new idea I was working on in my research: Security Information Management (SIM) for the physical security world.  At that time, SIM was a popular concept in IT security management.  Sadly, after I left Forrester and could no longer control the Forrester-Gartner debate on the topic, the acronym degraded to the current, utterly ridiculous SIEM.  Anyway, I digress.

About the same time, Kobi Huberman of NICE and I drew a PSIM-like diagram on the back of a napkin in London.  He was the VP of corporate strategy for NICE. Shortly thereafter, Arcsight, a leading vendor in the IT SIM world, contacted me and we brainstormed about SIM for the physical security world.  Then NetIQ guys started talking about a similar concept.

When Chuck Teubner called me again in 2006 and suggested that we name the new concept, PSIM was born.  I published it on my blog then.  I can also say definitively that VidSys was the first company to clarify the PSIM vision and set the standard for PSIM definition and execution.

As a footnote, NICE later got into the PSIM game by acquiring PSIM vendor Orsus in 2009. NetIQ guys started PSIM vendor Proximex. ArcSight dabbled in PSIM but has not yet come up with an effective strategy to penetrate the market.

Please watch securitydreamer.com for more to come on PSIM.

DVTel shows me an impressive command center software design

If we limit the conversation just to the technology, you’ll hear me sing the praises of DVTel.  The command center console is attractive and intuitive and very functional.  I especially liked the simple, centralized management of video, access control, perimeter sensors and the flexible reporting capabilities.  DVTel’s iSOC v6 is a refreshing reinvention of the standard command center interface.

http://www.viddler.com/player/a11ba53f/

Approaches to enterprise information protection changing – as Axelrod, Bayuk, Hunt and others show

March 18, 2009

A book I contributed to is available on Amazon. Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.

I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends, are changing how security needs to be done. My chapter was on security as it relates to the transportation industry. I took a logical and physical view of the problem.

Scoring big in corporate dumpster diving

February 19, 2009

Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised by what I came up with.

http://www.viddler.com/player/da155f1a/

Not all that comes from China will be Gold!

Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP.  His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh

What happens in Vegas stays in Vegas right?

What happens in China won’t necessarily stay in China.

What do I mean by that? In the Navy there was a sea story. It went something like this…

We pulled into <name your favorite port>. When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women, always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.

So here’s the deal….

Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’, sending your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web. You will be infected. Be ready for it.

The problem? Antivirus vendors don’t have the syringes to fix you. It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats, those that infect everybody. When a specific group of users is targeted (Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries), the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle: the BIG piece of information.

You should expect this. It shouldn’t come as a surprise.

A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.

Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games.  Don’t be a victim. Don’t allow your home/work networks to be victimized.

Here’s what you can do:

Think like a spy…

- Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).

- Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill or abandon those accounts after you return.

- Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.

- Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email, those pieces of software that will later be used to send data back to China once you return home.

- Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.

- When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.

- Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.

- When you return home, do not, under any circumstances, plug these computers into ANY network without first having it professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.

Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!
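The “text only, no forwarding, no fancy formatting” rules in the list above can be checked mechanically before a message leaves (or as it arrives). The following is an added example, not part of Stutzman’s post or of any product it names: it walks a MIME message with Python’s standard `email` package and reports HTML body parts and attachments. The sample messages it builds are constructed, and the policy it enforces (only `text/plain` parts, nothing attached) is an assumption drawn from the advice above, not a standard.

```python
"""Mail hygiene check for the "text only" rule.

Added example (not from the original post). Standard library only; the
policy enforced here is an assumption based on the advice above.
"""
import email
from email import policy
from email.message import EmailMessage


def mail_policy_violations(raw: str) -> list[str]:
    """Return human-readable policy violations for one RFC 5322 message.

    An empty list means every content part is text/plain and nothing is
    attached. Multipart containers are skipped; only leaf parts matter.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    violations = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart/* wrappers carry no content of their own
        if part.get_content_disposition() == "attachment":
            violations.append(f"attachment {part.get_filename() or '(unnamed)'}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            violations.append("HTML body part present")
        elif ctype != "text/plain":
            violations.append(f"non-text part {ctype}")
    return violations


def is_text_only(raw: str) -> bool:
    """True when the message passes the text-only, no-attachment policy."""
    return not mail_policy_violations(raw)


def build_sample(kind: str) -> str:
    """Build a constructed sample message of the given kind as raw text.

    kind: "plain"      - text/plain only
          "html"       - multipart/alternative with a text/html part
          "attachment" - text/plain plus a binary attachment
    Addresses and contents are invented for the example.
    """
    msg = EmailMessage()
    msg["From"] = "traveller@example.invalid"
    msg["To"] = "colleague@example.invalid"
    msg["Subject"] = "Schedule"
    msg.set_content("Meeting moved to 10:00.\n")
    if kind == "html":
        msg.add_alternative("<html><body><b>Meeting</b> moved to 10:00.</body></html>",
                            subtype="html")
    elif kind == "attachment":
        msg.add_attachment(b"\x00\x01\x02", maintype="application",
                           subtype="octet-stream", filename="report.exe")
    return msg.as_string()


if __name__ == "__main__":
    for kind in ("plain", "html", "attachment"):
        print(kind, "->", mail_policy_violations(build_sample(kind)) or "ok")
```

Run it directly to see one verdict per sample; in a gateway you would feed it the raw message bytes decoded as text and reject or quarantine on any non-empty result.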

“The other kind of analyst” has a great blog, but Jeff, dude, you need to post more

Jeff Kessler’s blog is always informative and insightful. He is one of the most accomplished and recognized financial analysts covering security (while I write from the end user’s perspective). But I wish he posted more often. Jeff, you don’t have to write research papers for every post. Aim for Twitter, not Gone with the Wind. But lovin’ it just the same.

Measuring the business value of security convergence projects ain’t always easy but this discussion is a good start

I recently invited Jan Johansen, CEO of Hi-Tech Strategy Consulting, to join me in a discussion about security convergence. Many of you tried to listen in with no luck. Sorry about the technical difficulties, but now everything is up and running.

Join us as we discover the business value that convergence projects can provide for end users, from the highest level of software and networking combining to do physical security better, all the way down to the people and processes that need to collaborate to work more effectively.

No matter which way you look at integrating IT with Physical Security, it’s a win-win.

Download mp3

Corestreet in the money again

CoreStreet is one of the really cool young technology companies in the security industry, and now In-Q-Tel knows it, too. The Beltway-based investment vehicle for the US intelligence community made a strategic investment in CoreStreet. This is the most recent in a long string of victories for the young identity management and access control vendor.

You’ve read about CoreStreet on this blog – about how they dominated a bid in the State of Colorado. Well, other states will follow suit this year, and federal government FIPS 201 initiatives are all over the CoreStreet products.

This company, and those like it, are the reason I got into this business. Very cool.

Something is rotten in the state of Colorado. Either that, or Colorado is making a bold bet on FIPS 201 despite the political cost.

January 23, 2008

It seems that HID, a company with product hanging on about 80 or 90% of all the doors in Colorado state buildings, has been stuck on the back burner.    Colorado has approved a first responder credentialing RFP calling for a new type of identity and access card – one that will not work with proprietary HID readers. 

This is curious, because the RFP has obvious implications for doors and not just first responders.  Surely, many of the first responders will be state employees and others with state issued access cards – cards already produced by HID.  So selecting any card other than HID for the first responders will beg the question of identity and access cards everywhere in the state. 

So here’s the story, as I understand it from a few sources close to the state capital.  Colorado announced an RFP to provide cards for its COFRAC v.3 standard (Colorado first responder authentication credentials), a standard for first responder identity credentialing.  The RFP is on a fast-track, ostensibly to establish the standard in advance of the Democratic National Convention to be held in Denver in August.  This acceleration means that the standard was pushed through without public meetings.  The state’s Identity Management Director, Micheline Casey, held a number of 2-hour meetings and reportedly short-changed the normal public comment period by posting the document in the state’s procurement system back in December.

HID was left out of most of these discussions, but CoreStreet wasn’t.  CoreStreet is the vendor that has been helping to rewrite the rules of credentialing for the last few years.  One of the first credential solution providers to be fully FIPS 201 compliant, the CoreStreet system is optimized for first responders.  But it also limits interoperability for legacy physical access control systems with any existing cards or readers by the use of the FIPS 201 specification (while its mobile solution does address some legacy issues).  A migration plan will have to be put in place that takes this into account.

Clearly, first responder credentialing needs the functionality described in the RFP such as the ability "to electronically validate the identity and the attributes (qualifications, certifications, authorizations, and privileges) of those who are required – or volunteer – to respond to natural or man-made disasters or acts of terror."  After all, you don’t want just anybody showing up at a disaster scene.  Imagine false paramedics, or worse, terrorists dressed as paramedics.

Does this signal the limit of HID’s technology – marking it as not ready for the future, or simply limited to doors?  Does this mean that FIPS 201 moves out of the DC area faster than expected? Or did CoreStreet’s lobby beat HID’s lobby fair and square?

Hacker at the door (I hope HID does slap me with a restraining order for reprinting this)

December 3, 2007

Joel Rakow has a fun newsletter.  He authorized me to reprint this story.  If you want to get on his mailing list, drop him a note at joelrakow@olliviercorp.com

Many security professionals are concerned about IP access control readers being a source of vulnerability. Think about it: a network device on the unsecured side of every door. Remove the cover and you have direct access to the enterprise network. The assumption is that card readers based on the Wiegand protocol (you know, those HID readers) are secure. If you are one of those, consider the following hack:

Use a proximity card in combination with a small PIC micro-controller chip (a Programmable Intelligent Computer chip). Embed a program in the chip that requests a display of the code on the card of the last card holder that gained access; the program is written to replay that code. The PIC chip is spliced between one of three wire lines on the backside of a Wiegand reader. The entire manufacturing cost of the PIC device, wires and programming is less than $3. This hack can also be used to lock all of the doors so that nobody can gain access. The chip and wires outsmart the Wiegand-based readers’ communications standard, allowing him to gain access to restricted areas protected by the readers. Franken says he spent 12 hours working on his method.

This hack is outlined here to help both security professionals and manufacturers maintain security.  Manufacturers need to prevent such simple hacks and professionals need to deploy readers knowing how they might be vulnerable.

Follow this link for the complete story.
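Operators of an existing Wiegand deployment cannot see the spliced chip from the access control system, but they can see the pattern it produces in their access logs: the last legitimate card code is accepted again moments later, while its holder is still inside. The following is an added example, not from Rakow’s newsletter or the linked story, that applies that anti-passback style check to a constructed log. The log format, the reader naming convention (readers whose name ends in `-out` are exit readers), the card numbers and the timestamps are all assumptions made for the example.

```python
"""Access-log check for a replayed card code (defender-side).

Added example, not part of the original post. The log format, reader
names and card numbers are constructed; a real ACS export will differ.
"""
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <reader> card=<id> event=<result>".
# The second 0x2A4F1 grant at 08:01:10 is the suspicious one: the holder
# entered 68 seconds earlier and has not exited.
SAMPLE_LOG = """\
2008-12-03T08:00:02 lobby-in  card=0x2A4F1 event=granted
2008-12-03T08:01:10 lobby-in  card=0x2A4F1 event=granted
2008-12-03T08:03:30 lobby-in  card=0x1B770 event=granted
2008-12-03T08:20:00 lobby-out card=0x1B770 event=granted
2008-12-03T08:21:15 lobby-in  card=0x1B770 event=granted
2008-12-03T08:45:00 lobby-in  card=0x0FFFF event=denied
"""


def parse_log(text):
    """Parse the constructed log lines into dicts (ts, reader, card, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, card, ev = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "reader": reader,
            "card": card.split("=", 1)[1],
            "event": ev.split("=", 1)[1],
        })
    return events


def reader_direction(reader):
    """Assumed naming convention: readers ending in '-out' are exit readers."""
    return "out" if reader.endswith("-out") else "in"


def find_replay_candidates(events):
    """Flag a card granted entry while the ACS already believes it is inside.

    A device that replays the last accepted card code produces exactly this
    sequence: the legitimate holder entered moments ago and has not left,
    yet the same code is accepted again at an entry reader. Cards that
    exit through an '-out' reader are cleared, so normal re-entry (0x1B770
    above) is not flagged. Returns one dict per alert, in log order.
    """
    alerts = []
    entered_at = {}  # card -> timestamp of the entry it has not yet exited
    for e in events:
        if e["event"] != "granted":
            continue  # denials carry no entry state
        card = e["card"]
        if reader_direction(e["reader"]) == "out":
            entered_at.pop(card, None)
            continue
        if card in entered_at:
            gap = (e["ts"] - entered_at[card]).total_seconds()
            alerts.append({
                "ts": e["ts"],
                "reader": e["reader"],
                "card": card,
                "seconds_since_entry": gap,
            })
        entered_at[card] = e["ts"]
    return alerts


if __name__ == "__main__":
    for alert in find_replay_candidates(parse_log(SAMPLE_LOG)):
        print("possible replay:", alert)
```

The check only works where doors have exit readers (or the ACS tracks occupancy some other way); where they do not, the weaker fallback is to alert on the same card accepted twice at one entry reader within a short window, which this function can be adapted to by keying on the gap alone.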
