Oracle DBAs and Security

This is a very interesting article by Robert Westervelt over at Tech Target, and I wanted to make a couple follow-on comments.

Way back when, as a DBA, my morning ritual was to get into the office, grab a cup of coffee, and review the database and web app logs. Just to make sure that the databases were running smoothly and there was nothing unusual going on. I had a single web app and 5 or so databases. Took about 30 minutes. But that was pre-tech collapse, when DBAs only had 10 or so databases to manage. If you are managing 100 or more databases, you are not reviewing logs on a regular basis without automation. Whether it be security, systems management, or configuration management, you have to have help. And today, you are buying a tool for each, and of those, 2 of the 3 are not typically supplied by the database vendor or the tools vendor. We talk a lot about security products for databases here at Securosis, but few of them operate the way that DBAs and IT operations personnel want them to work. Yes, I understand separation of duties and I understand that the DBA is not the best person to provide security analysis, but still, a single platform to provide all these operational aspects would make sense.

I used to love going to the IOUG events around the country. I gave presentations at some, but I wanted to go because I always learned something from the lectures or presentations. There was such a wealth of knowledge, and when you have hundreds of DBAs with unique problems and willing to experiment, they often run across very cool solutions. I ran across some Perl scripts once for data discovery that were really amazing, and I borrowed from this source as much as I could. It dawned on me that Oracle has an amazing resource here and does not leverage it enough for either their own benefit or for their users’. The model I am thinking of is Firefox and its community plug-ins. It would be nice to have the ability to browse and download utilities from the community at large and try them out. OEMs could really use that kind of lightweight option. And, yes, this means I have my doubts that Fusion middleware is going to be leveraged by the people who manage Oracle platforms and databases.

-Adrian

“Clickjacking” The Network Security Podcast

We had a killer episode of the Network Security Podcast this week as Jeremiah Grossman and Robert “Rsnake” Hansen joined us to talk a bit about their new clickjacking exploit. I definitely had some fun on this one, even though Jeremiah and Robert couldn’t dig too deeply into the details.

We also managed to sneak in a bit on open source voting, and the top 10 ways to know you’ve been exploited.

But mostly, you want to hear us making fun of each other.

This was also one of our first episodes we streamed live. Although we record at irregular times, we plan on live streaming as much as we can. Just keep an eye on us on twitter (rmogull or netsecpodcast) for a few hours’ warning if you want to listen in and harass us over IM.

You can download the episode here, and full show notes are at NetSecPodcast.com.

What to Buy: Part Three

Finally took the plunge last week- I went out and bought a Mac. Actually, I bought a couple of them. That was not what I originally intended, as my plan was to get a top of the line MacBook Pro and a high end monitor to go with it. But every time I sat down in front of my wife’s iMac, I was really impressed with the quality of the display and the simplicity of the machine itself. When I learned the 24 inch version had the Core 2 Duo at 3GHz, I was sold. Given the amount of travel I do I needed a laptop, so I picked up an entry-level MacBook as well. It worked out about even money as far as hardware costs, and it will only cost me a little more for software, so I kind of feel like I got two for one. 

For the last week I have not been blogging all that much as I have spent every waking hour moving files, downloading software, installing, configuring, and learning a bunch of new applications. I don’t think I have bought this much personal software before. And with Rich and myself reworking the Securosis infrastructure at the same time, it has been a hectic week.  

For those who do not know me: I started my career with UNIX; moved to CTOS; then a mixture of Windows, UNIX, and Linux for about 5 years; but over the last 8 years it has been almost all Windows PCs. So learning a new OS is no big deal, and the UI design on the Mac is pretty darn easy, which has helped smooth the transition. But I must say I am glad that there is a UNIX-based OS sitting underneath … it makes me feel a little more comfortable and made the learning process faster.

I wanted to share the experience as I was wondering if some people had come to the same conclusions that I have about the Apple products. First the MacBook:

The MacBook is nice looking, but nothing all that spectacular IMO. While the 2.4GHz Intel processor is fast and I like the OS, the keyboard is decidedly ordinary and the display is really not all that great. Contrast, color saturation and accuracy are all pretty poor. I tried to calibrate as best I could without tools, but I think I am only going to get so far with this effort. My real concern at the moment has been stability. I have only been running the machine for a couple of days and Mail has hung twice, and the machine would not respond to shutdown requests. I installed all of the patches I could and hopefully that will help. I also upgraded the machine to 4GB, and when I did, I found an interesting white residue caked on the pins of the DIMMs. I am wondering if the installers are putting talc or something on the pins to make insertion easier, but there was so much I have to wonder if there were memory errors. Seems to be more stable now and I am hoping for the best.

The iMac- in a word, WOW! It is the nicest machine I have ever owned. Fast. Put 4GB of memory in it. The aluminum keyboard has a great feel to it. Keep looking for the right mouse button, but that’s OK, I am retraining myself. But the most amazing thing about this box is the monitor. 24 inches of real estate. The color, depth, and detail are stunning. It’s fun just to look at the pre-supplied backgrounds. And everything has worked without a hitch. Software installed in a fraction of the time of other platforms. The one time I messed up I simply dragged the application to the trash, started from scratch, and was done in two minutes. The only anomaly I found is the machine is spec’ed for DDR2 800, but came with DDR2 667. Other than that, perfect. The MacBook is nice, but the iMac is why I am beyond happy.

Hard for me to imagine that this is true, given the long line that I had to wait in when I went to the Apple store. Plus I know 5-6 people who just switched to Macs, and half the people I know are saving up to get iPhones. With a product that is this solid, I don’t think Apple has a lot to worry about. 

-Adrian

Statistical Distractions

Last night I managed to pull a serious Munson. My car battery was dead, so I jumped it from my wife’s car. Then both batteries were dead (her car literally shut down when I tried to start mine). Then my brother in law came over, and managed to jump both cars. We left them running, then turned them off- and both were dead again. One more trip from my brother in law, and we were up and running. We drove around for a bit and then stopped to run an errand. We stopped, and restarted, one car at a time, so we always had one running vehicle. Both restarted, so we ran them for a minute longer and then ran our errand. Came back, and both were dead. Mall security jumped her car; we drove on highways for 20 minutes, and parked it at home. Dead. Dead. Dead. Her car is a hybrid, and we think my battery is dead and something about jumping it blew something in her electrical system.

Good times, my friends. Good times.

At least I got some amusement this morning out of this article with some of the usual statistical drivel used to scare people into buying products.

There’s no need to go into detail- it’s just a survey talking about how few companies perform email encryption, how hard and manual it is, and how employees would use it more if it were easier. This is all, of course, tied into some Nevada law and sponsored by an email encryption vendor.

They forget, of course, to mention how few compromises there are of unencrypted email. No reference at all to any real cases where encryption would have prevented the loss of personal data (never mind any fraud associated with said loss). In short, nothing useful to help you make any kind of risk analysis or decision.

Remember, I’m not against numbers, nor am I against email encryption (I use it occasionally for business communications), but I *am* against silly numbers with no bearing on anything important. We need more quality metrics and surveys, not this drivel that likely won’t fool a single security professional into buying a product. You might well use email encryption anyway, but this sure won’t affect your decision.

-rich

Impact of the Economic Crisis on Security

As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend.

Bad times my friends, bad times.

Like many of you, although my current financial situation is pretty solid, I can’t help but wonder what the future holds. We’re not merely entering uncharted territory, we’re headed straight for that big black circle marked “There Be Monsters Here”. That doesn’t mean we won’t make it to the other side, but the journey is fraught with danger and challenge.

First, a couple of assumptions:

  1. Some sort of bailout package will pass.
  2. Times will get tough, but we won’t enter a full depression.

If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions.

I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world.

Next, our starting assumptions:

  1. We’ll continue to see severe credit restrictions- even tighter than now.
  2. With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most.
  3. We will see no decline in security threats, but the threats will morph to adapt to changing market conditions.

We don’t need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly.

These lead directly to some conclusions about the security market:

  1. Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can’t afford big acquisitions anymore.
  2. We will see continued, massive, consolidation as small companies struggle to survive and larger players can’t create growth. These won’t be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We’ll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn’t dependent on external financing.
  3. Best of breed loses to security suites. Users will demand more suites from their vendors, and “good enough” will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they’ll care less in the future.
  4. Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you’ll see sales guys tossing in their firstborn essentially for free.
  5. A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn’t required by the auditors, doesn’t reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won’t sell very well. Vendors who don’t solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else.

We’ll also see some threat evolution:

  1. Tighter credit issuing will reduce new account fraud. If it’s harder for the good guys to get credit, it will also be harder for the bad guys.
  2. Existing account fraud will increase. It isn’t like the bad guys will go get some non-existent legitimate jobs. They’ll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad.
  3. Major attack vectors will be similar to what we see today- client-side and web application. I don’t see anything in an economic downturn that changes the technical nature of the attacks we see today- they’ll continue to get more sophisticated, but that’s happening regardless of any economic issues.

And, of course, this will impact security professionals and how we do our jobs:

  1. The bad guys will keep us employed, but salaries will be under pressure. “Good enough” applies to us as much as it does to our tools. We’ll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take on added security responsibility. Now is a good time for a diverse skill set, to survive the fat trimming.
  2. We’ll have to do more with less. That’s so obvious I’m embarrassed to write it.
  3. We’ll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we’ve been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value.
  4. Get used to accepting more risk. We’ll have to take hits on the small stuff to focus our efforts on the biggest risks.
  5. Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you’ll be. It’s always been about getting the job done, but let’s be honest and admit that it isn’t always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times.

In other words, get used to people trying to nibble at your job, tighter belts in general, and doing more with less. Pet projects will fade and you’ll be forced to use suites more, as we try to reduce both what we spend on tools, and the people to manage those tools. Threats won’t fade, and we’ll focus more on the large obvious stuff that doesn’t obviously impact the balance sheet. Compliance won’t go away (it will be worse in some sectors) and will continue to define much of what we do.

The need for security doesn’t diminish, but the way it’s delivered has to change during tough times. Security practitioners, vendors, and bad guys alike will be pressured to solve obvious business problems while proving their value (preferably with numbers and pretty charts). In other words, the more practical you are (except for you backstabbing wizards of internal politics), the better you’ll be. Focus on the basics, keep the skill set up, and learn to talk to management and make nice looking charts.

As for me? I, like everyone, worry. As an expectant parent I’m starting to worry in ways I never imagined before. But I also know that if I continue to focus on helping my readers and clients save money, and am able to articulate said savings, I should be fine. I’m fairly pragmatic myself.

Oh- and I think we need a complete reboot of our fracking country and government, and fully intend on voting that way.

-rich

Email Security

When was the last time you thought about your email security? Have you reviewed the vendors or the market lately? If not, it may be time. It is no surprise that the market is mature; read the collateral and the discussion has long since moved away from technology nuances- rather, it is about reputational risk reduction and business function continuity. It is no longer startups but some of the largest firms in security. And while we are not seeing a lot of growth in the segment, we are starting to see changes in how the services are delivered, and that is leading to some vendor swapping. What’s more, these changes are so transparent that the effect on privacy and security is not always obvious.

I have been doing a surprising amount of investigation in the email security segment lately. Rich and I have a couple of projects in and around email security, I have a friend who works in this area and was asking some market related questions, I have been helping another friend analyze a prospective job with an email security company, and at Securosis we have gone through the selection process for a supplementary spam filter (Postini, if you were interested). The focus on this segment showed a subtle change in direction, and raised a couple of issues you may want to consider.

Every vendor claims 96-99% efficiency, and on any given week, delivers on that promise. Most offer inbound and outbound anti-virus, content scanning, image scanning, archiving, reporting and policy management. Want an appliance or software? No problem. Want it as a service?

It’s a replacement market at this point, as every firm has some type of email security and filtering, either in-house or provided as a service. One company’s new email security customers come at another vendor’s expense. And there is a feeling that these offerings are a commodity. If you don’t like the vendor or product you have today, the cost of a switch is far less than it used to be. The battle in email security today is between the entrenched appliances and “security in the cloud”. And much like the AV market once it had reached this stage, changing providers can be a fluid event. Adding an extra layer of anti-spam at Securosis took a few minutes of work, and the cost is negligible. From a consumer standpoint, the ability to choose what I want and switch as needed shows the maturity of this space.

Appliances still rule the day, but with firms like Google (Postini) and Message Labs offering quality services, it appears to be this subsegment of the market that is making inroads. I am talking to a lot of customers who have a hybrid in place today, but many I speak with have not looked at their email security solution in years because it works, and so they just don’t give it a lot of thought. Those who do find it an easy choice to adopt a hybrid model, with inbound spam and AV filtering to reduce the load on internal systems while they review their plans for the future. Once again, while there are few new customers to be won, there is quite a bit of switching between vendors going on, with services gaining share.

However, the change from in-house appliance and software brings some considerations in the area of data privacy. Outsourcing your inbound spam filtering and adding an extra layer of AV seems like a good idea, and can take the strain off older infrastructure. And the switch can be so seamless and easy that often little thought is given to where the intellectual property is actually going. As many of the email security providers offer outbound content analysis, leak prevention, and compliance assurance, you are by nature sending the data you want to protect offsite. While it is almost invisible to daily operations, there are ramifications and considerations for compliance and privacy. In my next post, I will discuss some of these considerations.

-Adrian

Friday Summary

As most of you know, Adrian and I have been pretty slammed lately; bouncing all over the inter-tubes (and airports) on our quest to save freedom and not default on our mortgages. One thing we’ve been wanting to do for a while is summarize everything that’s been going on through the week in a bit more of a structured format, a la Rothman’s Daily Incite. We’re not nearly as motivated as Mike, but we figure we can handle once a week before we attend the official Securosis Weekly Research Offsite (happy hour). It’s a summary of what we’ve been up to, and our top post selections for the week.

Webcasts, Podcasts, and Conferences:

  • I put together the DLP Security School for TechTarget a few weeks back, but it was published while I was in the middle of my travel binge. I really like this education format, and believe it or not there are a few tidbits in there that aren’t in all the other stuff I’ve published on DLP.
  • Adrian just finished the SIM Security School. Did I mention we like this format? Unlike the DLP school he put together a full webcast (as opposed to a video segment) with a ton of content.
  • I spoke on a data masking panel at Oracle World. Here’s a post inspired by the session.
  • This week on the Network Security Podcast Episode 121 our guest was T-Rob discussing Palin’s email hack, and MQ middleware security. Yeah, we thought it was a weird combo too.

Outside Writing:

  • The big one for me this week was Macworld- I was heavily involved in the security issue that’s sitting on newsstands this month. Except where it’s sold out, like my neighborhood Barnes and Noble. (I swear I didn’t buy them all). I’m really proud of the issue- it addresses the security needs and questions of average users, and is the kind of thing I can send to my mom.

Favorite Securosis Posts:

  • Rich: The Breach Reporting Dilemma. We really need to start looking at breach reporting differently, but I don’t expect it to happen anytime soon.
  • Adrian: Behavioral Modeling. Some of the most significant advances we can make in security are in heuristics, but it’s also an extremely difficult problem.

Favorite Outside Posts:

Top News:

  • The economy. Is there any other news?

Blog Comment of the Week:
I don’t agree with all of them, but Dre has some of the deepest comments on the blog. Here’s one on our PCI scanning post:
[snip]… Most organizations implement firewall/IPS incorrectly. They assume it’s something you plug in. Most firewalls/IPS don’t protect on the outbound, and most policies allow outbound SYN origination from the DMZ on externally facing interfaces. Most firewalls/IPS don’t provide the real protections one would need without excessive CPU and memory usage. A few null routes (or uRPF) at the border is all that is necessary to prevent traffic to the 80 percent of the Internet we know we can’t trust. …[/snip]

We hope you all have a great weekend.
-rich

Political Information Warfare?

Over at the Washington Post they note that it looks like a “McCain Wins Debate” ad and quote accidentally leaked before the… you know… debate actually happens.

While I don’t plan on voting for him, criticizing preparing ads and responses ahead of time would be silly. It’s only prudent since there really isn’t time to create this content after the fact in our obsessive 24 hour news cycle driven society. What can be criticized is this could show a little lack of organization and discipline.

Or not.

If I were the Democratic equivalent of Karl Rove I might drop a few of these things on my own. Through front companies, of course. Sure, it would eventually be repudiated, but the initial damage will be done. Heck, that’s not even all that creative- aside from the ubiquitous YouTube ads and testimonials, there are all sorts of new attack vectors thanks to the Internet age. We already see plenty of this going on through email campaigns, which seem even more effective than the push polling of Bush II vs. McCain eight years ago.

One reason this garbage is so effective? Most people have intense confirmation bias. As Adam posted recently, study after study shows we are inclined to believe that which aligns with our existing beliefs. On top of that, functional MRI studies have shown that political discussions trigger the same parts of the brain as religion- in other words, faith, and sections of our mind that are core to our identity.

It is far easier to manipulate someone into believing what they want to believe than to introduce contradictory information. The net is fracking perfect for this.

On Oracle World and Inference Attacks

Some days I feel the suffocating weight of travel more than others. Typically, those days are near the end of a long travel binge; one lasting about 3 months this time.

When I first started traveling I was in my 20s, effectively single (rotating girlfriends), and relatively unencumbered. At first it was an incredibly exciting adventure, but that quickly wore off as my social ties started to decay (friends call less if you’re never around) and my physical conditioning decayed faster. I dropped from 20 hours or more a week of activity and workouts to nearly 0 when on the road. It killed my progression in martial arts and previously heavy participation in rescues. Not that the travel was all bad; I managed to see the world (and circumnavigate it), hit every continent except Antarctica, and, more importantly, meet my wife. I learned how to hit every tourist spot in a city in about 2 days, pack for a 2 week multicontinental trip using only carry-on, and am completely comfortable being dropped nearly anywhere in the world.

Eventually I hit a balance and for the most part keep my trips down to 1 or 2 a month, which isn’t so destructive as to ruin my body and piss off my family. But despite my best scheduling efforts sometimes things get out of control. That’s why I’m excited to finish off my last trip in the latest binge (Oracle World) for about a month and get caught up with blogging and the business. For those of you earlier in your careers I highly recommend a little travel, but don’t let it take over your life. I’ve been on the run for 8 years now and there is definitely a cost if you don’t keep it under control. As we say in martial arts, there is balance in everything, including balance.

Now on to Oracle World and a little security.

I’m consistently amazed at the scope of Oracle World. I go to a lot of shows at the Moscone Center in San Francisco, from Macworld to RSA, and Oracle World dwarfs them all. For those of you that know the area, they hold sessions in the center and every hotel in walking distance, close off the road between North and South, and effectively take over the entire area. Comparing it to RSA, it’s a strong reminder that we (security) are far from the center of the world. Not that Oracle is the center, but the business applications they, and competitors, produce are.

This year I was invited to speak on a panel on data masking/test data generation. As usual, it’s something we’ve talked about before, and it’s clearly a warming topic thanks to PCI and HIPAA. I’ve covered data masking for years, and was even involved in a real project long before joining Gartner, but it’s only VERY recently that interest really seems to be accelerating. You can read this post for my Five Laws of Data Masking.

Two interesting points came out of the panel. The first was the incredible amount of interest people had in public source and healthcare data masking. Rather than just asking us about best practices (the panel was myself, someone from Visa, PWC, and Oracle), the audience seemed more focused on how organizations are protecting their personal financial and healthcare data. Yes, even DNA databases.

The second, and more relevant, point is the problem of inference attacks. Inference attacks are where you use data mining and ancillary sources to compromise your target. If you capture a de-identified healthcare database, you may still be able to reconstruct the records by mining other sources. For example, if you have a database of patient records where patient names and numbers have been scrambled, you might still be able to identify an individual by combining that with scheduling information, doctor lists, zip code, and so on.

Another example was a real situation I was involved with. We needed to work with a company to de-identify a customer database that included deployment characteristics, but not allow inference attacks. The problem wasn’t the bulk of the database, but the outliers, which also happened to be the most interesting cases. If there are a limited number of companies of a certain size deploying a certain technology, competitors might be able to identify the source company by looking at the deals they were involved with, which ones they lost, and who won the deal. Match those characteristics and they can identify the record and mine deeper information. Bad guys could do the same thing and perhaps determine deployment specifics that aid an attack.
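As an added example (not part of the original post), here is a small pre-release check in Python over constructed records modelled on the deployment database described above: it measures k-anonymity on the remaining quasi-identifiers, shows how a unique outlier row can be linked to a constructed list of public deal announcements, and then generalises the quasi-identifiers just far enough to close that gap. The column names, record values and generalisation hierarchy are all assumptions made for the example.

```python
"""
Release check for a de-identified dataset (added example, not from the post).
Customer names are scrambled, but the quasi-identifiers (size band, region,
technology) still single out the outliers, and an auxiliary list of public
deal announcements can tie one of them back to a company name. The check
measures k-anonymity, flags linkable rows, and generalises attributes one
at a time until every row shares its quasi-identifiers with at least k-1 others.
All records, column names and hierarchies below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Dict[str, object]
QUASI_IDS = ("size_band", "region", "technology")

# Constructed, de-identified rows: customer names replaced by opaque tokens.
MASKED_ROWS: List[Row] = [
    {"token": "c01", "size_band": "mid", "region": "west", "technology": "db_encryption"},
    {"token": "c02", "size_band": "mid", "region": "west", "technology": "db_encryption"},
    {"token": "c03", "size_band": "mid", "region": "west", "technology": "db_encryption"},
    {"token": "c04", "size_band": "small", "region": "east", "technology": "dlp"},
    {"token": "c05", "size_band": "small", "region": "east", "technology": "dlp"},
    {"token": "c06", "size_band": "large", "region": "east", "technology": "dlp"},
    {"token": "c07", "size_band": "large", "region": "west", "technology": "dlp"},
]

# Constructed auxiliary data: public deal announcements a competitor could collect.
PUBLIC_DEALS: List[Row] = [
    {"company": "Acme Freight", "size_band": "large", "region": "east", "technology": "dlp"},
    {"company": "Beta Retail", "size_band": "small", "region": "east", "technology": "dlp"},
    {"company": "Gamma Bank", "size_band": "mid", "region": "west", "technology": "db_encryption"},
]

# One level of generalisation per quasi-identifier, applied in this order
# (hypothetical hierarchies chosen for the example).
HIERARCHY = {
    "region": {"east": "*", "west": "*"},
    "size_band": {"small": "small", "mid": "mid_or_large", "large": "mid_or_large"},
    "technology": {"dlp": "data_security", "db_encryption": "data_security"},
}


def equivalence_classes(rows, quasi_ids=QUASI_IDS):
    """Group rows by their quasi-identifier tuple (insertion order preserved)."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi_ids)].append(row)
    return classes


def k_anonymity(rows, quasi_ids=QUASI_IDS) -> int:
    """k = size of the smallest equivalence class; k == 1 means some row is unique."""
    return min(len(group) for group in equivalence_classes(rows, quasi_ids).values())


def singletons(rows, quasi_ids=QUASI_IDS) -> List[str]:
    """Tokens of rows that are unique on their quasi-identifiers: the outliers."""
    return [group[0]["token"]
            for group in equivalence_classes(rows, quasi_ids).values()
            if len(group) == 1]


def link_with_auxiliary(rows, aux, quasi_ids=QUASI_IDS) -> Dict[str, str]:
    """Inference check: a unique masked row whose quasi-identifiers match exactly
    one auxiliary record can be tied back to that record's company name."""
    aux_index = defaultdict(list)
    for rec in aux:
        aux_index[tuple(rec[q] for q in quasi_ids)].append(rec["company"])
    linked: Dict[str, str] = {}
    for key, group in equivalence_classes(rows, quasi_ids).items():
        if len(group) == 1 and len(aux_index.get(key, [])) == 1:
            linked[group[0]["token"]] = aux_index[key][0]
    return linked


def generalize(rows, k=2, quasi_ids=QUASI_IDS, hierarchy=HIERARCHY) -> Tuple[List[Row], List[str]]:
    """Coarsen one attribute at a time (global recoding, in hierarchy order) until
    every class has at least k rows. Returns the released rows and the attributes
    that had to be generalised; if all levels are used and k is still not reached,
    the caller should suppress the remaining outliers instead of releasing them."""
    rows = [dict(r) for r in rows]  # never mutate the caller's data
    applied: List[str] = []
    for attr in hierarchy:
        if k_anonymity(rows, quasi_ids) >= k:
            break
        for row in rows:
            row[attr] = hierarchy[attr][row[attr]]
        applied.append(attr)
    return rows, applied


if __name__ == "__main__":
    print("k before release:", k_anonymity(MASKED_ROWS))
    print("unique outliers:", singletons(MASKED_ROWS))
    print("linkable via public deals:", link_with_auxiliary(MASKED_ROWS, PUBLIC_DEALS))
    released, applied = generalize(MASKED_ROWS, k=2)
    print("generalised:", applied, "-> k =", k_anonymity(released))
```

Scrambling names alone leaves k = 1 here, and the outlier c06 is linkable from the deal list; generalising only the region column brings the set to k = 2, at the cost of losing exactly the geographic detail that made the outliers interesting.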

If logic flaws are the bane of application security design, inference attacks are the bane of data warehousing and masking.

-rich

The Breach Reporting Dilemma

Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they’ve already matched the 2007 breach numbers this year.

Personally, I think it’s a bit of both, and we’re many years away from any accurate statistics for a few reasons:

  1. Breaches are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I know of a case where a payment processor was compromised, records lost for some financial services firms that ran through them, and only 1 of 3-4 companies involved performed any breach notification. Let’s be clear: they absolutely knew they had a legal requirement to report and that their customer information was breached, but they didn’t.
  2. Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it’s reasonable that at least some of them never knew they were breached. I’d say less than 10% of companies with PII even have the means to detect a breach.
  3. Breaches do not correlate with fraud. Something else we’ve discussed here before. In short, there isn’t necessarily any correlation between a “breach” notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don’t have a single case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting.
  4. There’s no national standard for a breach, never mind an international standard. Every jurisdiction has its own definition. While many follow the California standard, many others do not.

Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse.

With all that said I need to go call Bank of America since we just got a breach notification letter from them, but it doesn’t reveal which third party lost our information. This is our third letter in the past few years, and we haven’t suffered any losses yet.

-rich