Security Journal on Ulitzer

How many times have you seen an employee wave on by a customer when the “security device enclosed” in some item – be it DVD, CD, or clothing – sets off the alarm at the doors? Just a few weeks ago I heard one young lady explain the alarm away with “it must have be the CD I bought at the last place I was at…” This apparently satisfied the young man at the doors who nodded and turned back to whatever he’d been doing.

All the data the security guy needed to make a determination was there; he had all the context necessary in which to analyze the situation and make a determination based upon that information. But he ignored it all. He failed to leverage all the tools at his disposal and potentially allowed dollars to walk out the door. In doing so he also set a precedent and unintentionally sent a message to anyone who really wanted to commit a theft: I ignore warning signs, go ahead.

Don't Set Digital Precedents In Your Organization
Context, especially in the realm of information security, is paramount to ensuring legitimate access is authorized and all other forms of access is not.

You can understand, then, why it was that when a recent attempt at a Facebook login resulted in a request to verify my identity because I was signing in “from an unfamiliar location” I was delighted beyond words. Annoyed? A little, but it was completely overshadowed by the understanding that Facebook was utilizing the context available to ensure the integrity of my data.

Facebook did not ignore the “security device enclosed” and acted upon the context of the request to better prevent illegitimate access to an account. It looked, digitally, and determined that the situation warranted further investigation.

When you fail to leverage all the tools at your disposal to ensure that access to applications and data is legitimate, you’re essentially ignoring the “security device enclosed” warning. A web application request isn’t just a bunch of HTTP headers. It’s a bunch of HTTP headers that’s been transmitted over a network, from a location containing data created by a user. The information that accompanies that request about the network, the user, the data, and the request form part of the context to which you probably have access, but aren’t leveraging to its fullest potential.

When an application request that normally results in a 4KB response suddenly returns 40KB, there’s something odd going on. If you don’t recognize that something is different, it’s the digital equivalent of ignoring the alarm when an enclosed security device sets it off. When a user logs in from a completely new location, the alarm is going off. Hand-waving it through sets a digital precedent that you aren’t really watching as closely as you could and encourages miscreants to try even bolder approaches.

If you have a context-aware solution, take advantage of it. If you have a web application firewall capable solution, at least let it warn you if you aren’t comfortable with having it block requests and responses. If you have the means to inspect responses for unexpected variations in content size or the inclusion of sensitive data, do so. Take into consideration as many variables as you can as you continue to implement and improve your application and information security strategy.

But whatever you do, don’t ignore the security devices enclosed in your data center.

Read the original blog entry...