November 20, 2006

Creating ISO images in Windows

I can hardly imagine today how we (as infosec pros) lived without virtualization (VMware, Virtual PC, Xen, Parallels...) a few years ago. As a security professional, I use virtualization software every day for several tasks, such as penetration testing, malware analysis, computer forensics, honeynet deployments, security training, and live presentations and demos. Very often I need to boot multiple virtual machines from Linux-based live CDs (or DVDs) to simulate specific system and network environments. BTW, my preferred ones are BackTrack, (old) Auditor, Helix, Insert, or my own Knoppix-based home-made distribution.

Obviously, with a single CD drive in your computer, you cannot boot from multiple CDs unless you are really fast at swapping CDs (;-)) or you have each one as an ISO image file.

In Linux, it is pretty trivial to create an ISO image file from a CD through the standard mkisofs command.

In Windows, although one of the most commonly used CD/DVD burning software vendors seems determined to make this almost impossible (especially in the latest versions), there is an easy-to-use, tiny and really fast freeware tool called LCISOCreator.exe. Give it a try!

As an alternative, you can use the standard Linux dd command (or one of its variants, like dcfldd) to make a binary copy of a CD into a file:
# dd if=/dev/cdrom of=cd_image.iso

In Windows, you can use the Windows port of the dd command for the same purpose (\\.\D: is the raw device path of the D: drive):
C:\> dd if=\\.\D: of=cd_image.iso
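A small wrapper around the dd approach above, added here as an example and not part of the original post: it reads the device in 2048-byte blocks (the ISO 9660 sector size), then compares a SHA-256 of the source and of the resulting image so you know the copy is complete before you boot a VM from it or keep it as forensic evidence. The device path /dev/cdrom and the output name are assumptions; the function works on any readable block device or file, so it can be exercised on an ordinary file as well.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumes a POSIX shell with
# dd and GNU coreutils sha256sum available.

# verify_image SOURCE IMAGE
# Returns 0 only when SOURCE and IMAGE have the same SHA-256 digest.
verify_image() {
    src_sum=$(sha256sum < "$1" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# image_disc SOURCE IMAGE
# Copies SOURCE (e.g. /dev/cdrom, an assumed device node) to IMAGE with dd
# using 2048-byte blocks, then verifies the copy. Returns non-zero if either
# the copy or the verification fails.
image_disc() {
    dd if="$1" of="$2" bs=2048 2>/dev/null || return 1
    verify_image "$1" "$2"
}

# image_size FILE: size in bytes, handy for comparing against the disc size.
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Usage: sh image_disc.sh /dev/cdrom cd_image.iso
if [ "$#" -eq 2 ]; then
    image_disc "$1" "$2" && echo "image verified: $2"
fi
```

Hashing the source a second time does re-read the whole disc, which is the point: it catches a drive that silently returned short reads, and it gives you a digest to record alongside the image.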

November 12, 2006

Security Strategy

Since computer security is both one of my hobbies and my job, I always tended to believe that it is important to protect our systems as part of the due care that is supposed to be part of our job description. However, I must recognize that I was wrong.

The common acceptance of risk analysis as the tool for determining which countermeasures must be applied and which are unnecessary has dismissed the idealistic thought that the more secure a computer system is, the better. And it is important to have done so, because a secure computer is expensive (yes, time is money too) and a secure information system is even more so.

During the early stages of security adoption within a company, it is very common to give the recommendations of good practices a higher priority than the requirements of the business strategy. The confusion is so great that in some cases the strategy is defined based on the results of the risk analysis. Although it is true that the risk analysis should be based on the impact that unavailability, loss of integrity and loss of confidentiality may have on the organization's business, I don't think this is the proper way to define the security strategy. The security strategy must be defined based on the business strategy of the company, and must be decided before performing the risk analysis or implementing any other countermeasures (besides reactive ones, of course). As recognized in the international standard ISO 17799:2005, "the organization's overall business strategy and objectives" are identified as one of the sources for defining the security requirements, together with the legal and operational requirements.

From a business point of view, security is a cost, and thus it must be added to the other costs that make up the value chain of the products or services provided by the organization. Every dollar added to the cost of a product or service must be perceived by the customer as differentiation, i.e. the customer must be willing to pay the extra money for that level of security; otherwise, the company will lose competitive advantage.

Security costs can be classified in three groups:
  • Required security costs: the costs produced by the countermeasures that must be applied by every company in that business. Every competitor must incur those costs. The most common example is implementing the requirements of a law (Sarbanes-Oxley, Basel II, etc.).
  • Strategic security costs: the costs related to implementing the business strategy and producing differentiation. For companies that sell hosting or that act as a certification authority, security is a differentiator and its value is (or should be) directly perceived by the customer.
  • Risk management security costs: the costs accepted in order to reduce the risks down to the accepted residual level.
Obviously, any other cost that does not fall into these three groups must already have been ruled out by the results of the risk analysis.

It should be quite easy to formulate a specific security strategy that includes the security objectives producing the first two types of costs. As for the third one, there are a couple of valid solutions. Something like "Do a risk analysis and manage the risks down to a residual level" would do. However, that is very vague and I don't like it. When being specific is required, the best source again is the business strategy and, if no clear security needs come from it, the Information Systems strategy, which should be aligned with the former.

As Sun Tzu said: "All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved."