November 24, 2006

Who has a Core Competency in Security?

A debate over at Ravichar, McKeay, EC asks whether a core competency in security could make a difference. Some notes.

Core competencies are much misunderstood. By definition they are things that are very strong, hard to copy, and rather rare. For example, most auto manufacturers make good engines, but Honda has a core competency in building small petrol engines with efficient profiles -- that was the opinion of Porsche, no slouch in engine design themselves.

Most ordinary companies will do well just treating security as a (non-core) competency, which means they can do it reasonably well for most purposes.

For example, one could suggest that Apple has security as a competency: they've always been reasonable at it, and have never really drifted far from a relatively secure product. We could also suggest that Microsoft are working on a decade-long project to add a security competency.

But for some sectors, something more is needed. For a CORE competency in security we'd have to look further; the tiny word has more significance than it seems.

I'd pick IBM in its heyday, back in the 70s and 80s. IBM was the one always chosen by the banks to do the really difficult stuff in security. They had the people to build entire new systems. E.g., before public key was fashionable, IBM built it all with secret keys, and that included the systems to deliver the secret keys! They were the ones who had the strength to create DES, in the days when nobody much could spell cryptography, let alone understand its market purpose. In the 90s, the core competency lived on as banks chose IBM to do SET (something that a lot of companies discovered to their horror...) because IBM was it in security systems.

Who has a core competency in security these days? Nothing obvious springs to mind.

Posted by iang at November 24, 2006 08:56 PM
Comments

byte my tongue? ... well it has been 10plus years

IBM was/is a very large company with a very broad range of people.

for instance this archeological reference
http://www.garlic.com/~lynn/2006u.html#56

in this post
http://www.garlic.com/~lynn/aadsm26.htm#8 What is the point of encrypting information that is publicly visible

or this archeological reference
http://www.garlic.com/~lynn/2006v.html#10

in various discussions from the mid-90s ... pointing out significant issues ... the eventual response (by numerous parties) was that they were taking the lead from visa and mastercard. For instance, the people that i dealt with on des and public key in the mid-80s weren't participating in this particular activity in the mid-90s ... another archeological reference from the mid-80s
http://www.garlic.com/~lynn/2006u.html#45

and then a few items referencing what went on in the mid-90s
http://www.garlic.com/~lynn/aepay7.htm#nonrep3 non-repudiation, was crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep5 non-repudiation, was crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aadsm15.htm#2 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm17.htm#54 Using crypto against Phishing, Spoofing and Spamming
http://www.garlic.com/~lynn/aadsm18.htm#7 Using crypto against Phishing, Spoofing and Spamming
http://www.garlic.com/~lynn/aadsm20.htm#9 the limits of crypto and authentication

and then old public key archeological reference from mid-80s
http://www.garlic.com/~lynn/2006.html#30 IBM microwave application--early data communications

Posted by: Lynn Wheeler at November 25, 2006 11:41 AM

re:
http://www.garlic.com/~lynn/aadsm26.htm#8 What is the point of encrypting information that is publicly visible?
http://www.garlic.com/~lynn/aadsm26.htm#9 Who has a Core Competency in Security?


misc. (other archeological) posts to/referencing set-discuss forum
http://www.garlic.com/~lynn/aadsm2.htm#storage Storage of Certificates
http://www.garlic.com/~lynn/aadsmore.htm#setjava javasoft SET - NO!
http://www.garlic.com/~lynn/aepay3.htm#disputes Half of Visa's disputes, fraud result from I-commerce (more)
http://www.garlic.com/~lynn/aepay4.htm#comcert3 Merchant Comfort Certificates
http://www.garlic.com/~lynn/aepay4.htm#comcert5 Merchant Comfort Certificates
http://www.garlic.com/~lynn/aepay4.htm#3dssl VISA 3D-SSL
http://www.garlic.com/~lynn/aepay6.htm#ecomich call for new measures: ICH would be glad to help
http://www.garlic.com/~lynn/aepay7.htm#nonrep4 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aepay7.htm#nonrep6 non-repudiation, was Re: crypto flaw in secure mail standards
http://www.garlic.com/~lynn/aadsm8.htm#softpki16 DNSSEC (RE: Software for PKI)
http://www.garlic.com/~lynn/aepay10.htm#26 Defense Dept Criticised on Internal Credit Card Fraud
http://www.garlic.com/~lynn/aadsm18.htm#1 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm20.htm#12 the limits of crypto and authentication

and even more archeological background

for much of the 80s, i reported to yorktown (but lived in san jose). yorktown was where the person responsible for des worked and one of the two people responsible for ecc worked.

i had office in bldg. 28 (san jose research on the main plant site) ... until they built the new building up the hill and then i had office in almaden research. I also had a block of offices and labs out in bldg. 29, the los gatos vlsi lab.

i still made the east coast trip a couple times a month (leaving on the monday night red-eye out of sfo for kennedy and returning on friday). when i started the habit, i would take twa#44 monday night, and return friday on the last leg of the twa tel aviv, rome, kennedy, sfo flight. twa went bankrupt and i switched to panam. then panam sold its pacific routes to united (to concentrate on atlantic routes), and i switched to american.

Posted by: Lynn Wheeler at November 25, 2006 02:48 PM

and now for something completely different

Defeating Virtual Keyboards and Phishing Banks
http://it.slashdot.org/it/06/11/27/0546230.shtml
Defeating Image-Based Virtual Keyboards and Phishing Banks
http://blogs.securiteam.com/index.php/archives/678

Posted by: Lynn Wheeler at November 27, 2006 10:04 AM

Fighting Fraudulent Transactions (from yesterday's blog)
http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

... from above ....

The solution is not to better authenticate the person, but to authenticate the transaction. (Think credit cards. No one checks your signature. They really don't care if you're you. They maintain security by authenticating the transactions.)

... snip ...

"authenticate the transaction" sounds quite a bit like x9.59 financial industry standard from the work by the x9a10 financial standard working group started in the mid-90s
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

and some of the posts in this blog on "yes card" exploits
http://www.garlic.com/~lynn/subintegrity.html#yescard

or the naked payments (and related) threads
http://www.garlic.com/~lynn/aadsm24.htm#5 New ISO standard aims to ensure the security of financial transactions on the Internet
http://www.garlic.com/~lynn/aadsm24.htm#7 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#8 Microsoft - will they bungle the security game?
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#12 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#14 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#21 Use of TPM chip for RNG?
http://www.garlic.com/~lynn/aadsm24.htm#22 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#25 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm24.htm#26 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#27 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#30 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#31 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#37 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#38 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#41 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#42 Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?
http://www.garlic.com/~lynn/aadsm24.htm#43 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#46 More Brittle Security -- Agriculture
http://www.garlic.com/~lynn/aadsm25.htm#1 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#4 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#9 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm25.htm#10 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#20 Identity v. anonymity -- that is not the question
http://www.garlic.com/~lynn/aadsm25.htm#25 RSA SecurID SID800 Token vulnerable by design
http://www.garlic.com/~lynn/aadsm25.htm#28 WESII - Programme - Economics of Securing the Information Infrastructure
http://www.garlic.com/~lynn/aadsm25.htm#38 How the Classical Scholars dropped security from the canon of Computer Science
http://www.garlic.com/~lynn/aadsm26.htm#6 Citibank e-mail looks phishy

Posted by: Lynn Wheeler at November 28, 2006 07:00 PM
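The Schneier quote in the comment above ("authenticate the transaction, not the person") is the one point on this page that a small program can make concrete. What follows is an added illustration in Python; it is not code from the original post, from Schneier, or from the X9.59 standard. The session table, the per-account HMAC key, the transaction fields and the nonce-based replay check are assumptions chosen to show the contrast; a real issuer-side scheme would bind the signature to more fields and keep the key in a hardware token rather than a dict.

```python
"""
Added example (hypothetical scheme): "authenticate the person" vs.
"authenticate the transaction".

Model 1 checks a session token and then honours whatever transaction
arrives with it. Model 2 has the customer's device MAC each transaction
individually, so the verifier checks the amount, payee and nonce, not
who is holding a cookie.
"""
import hashlib
import hmac
import json
import secrets

# --- Model 1: authenticate the person ---------------------------------
# Constructed session store: token -> user. Once issued, the token is the
# only thing the bank checks on each transfer.
SESSIONS = {}


def login(user: str) -> str:
    """Issue a session token after (assumed) successful login."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def transfer_by_session(token: str, payee: str, amount: int) -> str:
    """Any holder of a valid token may move any amount anywhere."""
    user = SESSIONS.get(token)
    if user is None:
        return "rejected: bad session"
    # Nothing binds the token to *this* payee or amount: a phished,
    # stolen or replayed token authorises an attacker-chosen transfer.
    return f"ok: {user} -> {payee} {amount}"


# --- Model 2: authenticate the transaction ----------------------------
# Constructed per-account secret shared between the customer's device and
# the issuer (hypothetical; stands in for a signing key in a token).
ACCOUNT_KEYS = {"alice": secrets.token_bytes(32)}
SEEN_NONCES = set()


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(user: str, payee: str, amount: int) -> dict:
    """Customer side: bind from/to/amount/nonce together under the account key."""
    tx = {"from": user, "to": payee, "amount": amount,
          "nonce": secrets.token_hex(8)}
    tag = hmac.new(ACCOUNT_KEYS[user], canonical(tx), hashlib.sha256).hexdigest()
    return {**tx, "tag": tag}


def verify_transaction(signed: dict) -> str:
    """Issuer side: accept only an untampered, never-before-seen transaction."""
    tx = {k: v for k, v in signed.items() if k != "tag"}
    key = ACCOUNT_KEYS.get(tx.get("from"))
    if key is None:
        return "rejected: unknown account"
    expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed.get("tag", ""))):
        return "rejected: bad tag"      # any field altered, or no key at all
    if tx["nonce"] in SEEN_NONCES:
        return "rejected: replay"       # same signed transaction presented twice
    SEEN_NONCES.add(tx["nonce"])
    return f"ok: {tx['from']} -> {tx['to']} {tx['amount']}"


if __name__ == "__main__":
    # Model 1: a leaked token is enough for an attacker-chosen transfer.
    stolen = login("alice")
    print(transfer_by_session(stolen, "mallory", 9999))
    # Model 2: the tag covers the payee, so redirecting the payment fails,
    # and presenting the same signed transaction twice fails.
    signed = sign_transaction("alice", "bob", 100)
    print(verify_transaction(dict(signed, to="mallory")))
    print(verify_transaction(signed))
    print(verify_transaction(signed))
    # Knowing the account number alone ("naked" data) gives no valid tag.
    print(verify_transaction({"from": "alice", "to": "mallory",
                              "amount": 1, "nonce": "00", "tag": ""}))
```

The design point is in `verify_transaction`: the issuer never asks "is this really alice?", it asks "did alice's key authorise exactly this payee, this amount, once?". That is why the account number on its own is worthless to a thief here, which is the thread running through the "naked payments" posts linked above.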

several related items from hackinthebox.org ... somewhat related to my old post on the thread between information security and risk management
http://www.garlic.com/~lynn/aepay3.htm#riskm
http://www.garlic.com/~lynn/aepay3.htm#riskaads

......

Information Security Fundamentally Broken
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=21854&mode=thread&order=0&thold=0
Information Security Fundamentally Broken
http://www.webpronews.com/expertarticles/expertarticles/wpn-62-20061130InformationSecurityFundamentallyBroken.html
Community Comments & Feedback to Security Absurdity Article
http://www.securityabsurdity.com/comments.php
IT industry looks to human behaviour experts to improve security
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=21852
IT industry looks to human behaviour experts to improve security
http://www.innovations-report.de/html/berichte/informationstechnologie/bericht-75125.html
Hackers take aim at financial institutions
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=21851
Hackers take aim at financial institutions
http://www.vnunet.com/vnunet/news/2169953/hackers-aim-financial

Posted by: Lynn Wheeler at November 30, 2006 11:21 AM

a recent thread with a few more archeological references
http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the network
http://www.garlic.com/~lynn/2006w.html#15 more secure communication over the network
http://www.garlic.com/~lynn/2006w.html#18 more secure communication over the network

Posted by: Lynn Wheeler at December 10, 2006 10:50 AM