Incite 12/15/2010: It’s not a sprint… By Mike Rothman
One of the issues of being a high achiever (at least in my own mind) is that you’re always in a rush. Half the time we don’t know where we’re going, but we need to get there fast. And it results in burnout, grumpiness, and poor job performance – which is the worst thing for someone focused on achievement. A mentor of mine saw this tendency in me early on and imprinted a thought that I still think about often: “It’s not a sprint, Mike, it’s a marathon.” Man, those words speak the truth.
Rich’s post on Monday urging us to Get over it is exactly right. It made me think about sprints and marathons and also the general psyche of successful security folks. We are paranoid, we are cynical, we expect the worst in people. We have to, it’s our job. But do this long enough and you can lose faith. I think that’s what Rich is referring to, especially at the end of yet another year where the bad guys won, whatever that means.
So this is the deal. Remember this is a marathon. The war is not won or lost with one battle (unless you take a spear to the chest, that is). The bad guys will continue to innovate. Assuming you are a good guy/gal, you’ll struggle all year to catch up and still not get there. Yes, much of being able to sleep at night as a security person comes down to accepting that our job is Sisyphean. We will always be pushing the rock up the hill. And we’ll never get there. It’s about learning to enjoy the battle. To appreciate the small victories. And to let it go at the end of the day and go home with no regret.
I know folks like to vent on Twitter and write inflammatory blog posts because they can commiserate with all their cynical buddies and feel like they belong. Believe me, I get that. But I also know a lot of these folks pretty well, and most love the job (as dysfunctional as it is) and couldn’t think of doing anything else.
But if you are one of those who can’t get past it, I suggest you spend some time over the holidays figuring out whether security is the right career path for you. It’s okay if it’s not. Really. What’s not okay is squandering the limited time you have on something that makes you miserable.
Photo credits: “Day 171” originally uploaded by Pascal
Incite 4 U
Anti-Exploitation works. Who knew? Rich has been talking about anti-exploitation defenses on endpoints for a long time. I added a bit in Endpoint Security Fundamentals, but the point has been that we need to make it harder (though admittedly never impossible) for hackers to attack memory. Now Microsoft itself has a good analysis of the effectiveness of DEP and ASLR and their value – both alone and together. Clearly these controls will stop some attacks, but not all, so don’t get lulled into a false sense of security because you leverage these technologies where possible. They are a good start, but you aren’t done. You’re never done, but you already know that. – MR
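A practical follow-up to the DEP/ASLR point is checking whether your own binaries actually opt in: on Windows, both are requested per image through the DllCharacteristics field of the PE optional header (NX_COMPAT for DEP, DYNAMIC_BASE for ASLR). The parser below is an added example written for this post, not code from Microsoft or from the Incite; the flag values come from the PE/COFF specification, and the header-only "PE image" it builds for testing is a constructed sample, not a real executable.

```python
"""Report whether a Windows PE image opts in to DEP (NX_COMPAT) and ASLR
(DYNAMIC_BASE) by reading DllCharacteristics from its optional header.
Added example; not code from the Incite post or from Microsoft."""
import struct
from typing import Dict

# DllCharacteristics flag bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def mitigation_flags(image: bytes) -> Dict[str, bool]:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    decode the DEP/ASLR bits. Raises ValueError on anything that is not PE."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                          # start of the optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image with just the fields the
    parser reads filled in. Not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at 0x40
    coff = bytearray(20)
    opt_len = 240 if pe32plus else 224
    struct.pack_into("<H", coff, 16, opt_len)      # SizeOfOptionalHeader
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


def check_file(path: str) -> Dict[str, bool]:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return mitigation_flags(fh.read())


if __name__ == "__main__":
    hardened = build_fake_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                             | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print("hardened sample:", mitigation_flags(hardened))
    print("legacy sample:  ", mitigation_flags(build_fake_pe(0)))
```

Run `check_file()` over the DLLs and EXEs you ship (and the third-party ones you load) and anything that comes back without both bits set is a module the platform cannot randomize or mark non-executable, which is exactly the kind of gap that lets the "not all attacks" caveat above bite.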
Out with the old: Gunnar Peterson asks: Is your site more secure than Gawker? – covering the iceberg of password reuse across sites, but also stating that passwords are intrinsically unsafe. Sure, they provide all or nothing access, but I don’t think the discussion should center on the damage caused by bad passwords. I’d say we know that. Instead we should use alternatives we could actually implement to fight this trend. Passwords are like statistics in baseball: they have been around so long they are taken for granted, and most IT professionals can’t wrap their heads around the concept of life without them. Bill Cheswick gave a great presentation at OWASP 2010 in Irvine, with evidence on why passwords are unnatural devices, tips on improving password policies, and most importantly alternative methods for establishing identity (26:30 in) such as Passfaces, Illusion, Passmaps, and other types of challenge/response. Many of these alternatives avoid storing Gunnar’s proverbial land mine. – AL
IE9 puts a cap in the drive-by: We all know Microsoft Internet Explorer security sucks, right? I mean that’s what I read in all the Slashdot comments. Too bad the latest NSS Labs report shows exactly the opposite. NSS hired some alcoholic, porn, and gambling obsessed rhesus monkeys to browse all the worst of the Internet for a few days and see which browsers showed the best defenses against drive-by and downloadable malware. The winner? IE9 (beta) with a 99% success rate, followed by IE8 at 90%, then Firefox at… 19%. They did test Firefox without our recommended NoScript and other security enhancing plug-ins, but that accurately reflects how the great unwashed surf the web. Despite being a Mac fanboi, for a couple years now I’ve been doing all my banking on a Win7 system with IE8/9. It’s nice to see numbers back up my choice. – RM
Fox in the henhouse alert: Speaking of anti-malware tests, it seems the endpoint security vendors are banding together to reset the testing criteria, with the willing participation of ICSA Labs. To be clear, this is a specific response to the tests that NSS Labs has been running which make all the endpoint vendors look pretty bad. So why not work with a respected group like ICSA to redefine the testing baseline, since the world changed? Conceptually it’s a good idea, in practice… we’ll see. I have a lot of friends at ICSA, so I don’t want to be overly negative out of the gate, but let’s just say I doubt any of the baseline tests will make mincemeat out of the endpoint security suites. And thus they may not reflect real world use. You can quibble with NSS and their anti-malware testing methodology, but whatever they are doing is working, as demonstrated by the EPP vendors uniting against them. What’s that they say about “The enemy of my enemy is my friend.”? – MR
Cloudy with a chance of SQL injection: A while back I talked to some VC types about a startup looking to bring Web Application Firewalls to the cloud. I thought it was a killer idea with a massive potential market (especially in SMB), but the money guys never did quite get it. I mean all you have to do is reroute your DNS, set up some .htaccess magic, and someone else can easily filter all your web app traffic. This week Imperva announced a new spinoff called Incapsula to cover the SMB cloud WAF side, while they stick with their enterprise focus. Breaking out like this is good strategy because the requirements and architectures are fundamentally different for these different markets. Incapsula now competes with Cloudflare and (to a lesser degree) Art of Defense. To be honest I want one of these for Securosis and am looking forward to checking these offerings out. – RM
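The "reroute your DNS" model has two halves that the paragraph glosses over: the provider's edge inspects requests, and the origin must refuse anything that did not come through that edge, or the filter is trivially skipped by connecting to the origin address directly. The toy below models both halves; it is an added example, not code from Imperva, Incapsula, Cloudflare or Art of Defense. The edge address ranges, the handful of SQL injection signatures and the sample traffic are all constructed for the demonstration.

```python
"""Toy model of a DNS-fronted cloud WAF: the public DNS record points at the
filtering edge, and the origin only trusts connections that arrive from it.
Added example; not code from any of the vendors named in the post."""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed (RFC 5737 documentation) ranges standing in for the hypothetical
# provider's edge nodes. A real deployment would pull the vendor's published list.
WAF_EDGE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Deliberately narrow demonstration signatures, not a production rule set.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
    re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'", re.IGNORECASE),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    re.compile(r"--\s*$|;\s*drop\b", re.IGNORECASE),
]


def inspect_request(method: str, url: str) -> Tuple[bool, str]:
    """Edge side: decode the path and query string and return (allowed, reason).
    Only URL components are inspected here; bodies and headers are out of scope."""
    parts = urlsplit(url)
    fields = {"path": unquote_plus(parts.path)}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            fields["query:" + key] = value
    for name, value in fields.items():
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                return False, f"{method} {name} matched {pat.pattern!r}"
    return True, "clean"


def origin_accepts(client_ip: str) -> bool:
    """Origin side: accept a connection only from the edge networks, so the
    filter cannot be bypassed by talking to the origin's own address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WAF_EDGE_NETWORKS)


# Constructed sample traffic as the origin would see it:
# (peer address of the connection, method, request URL).
SAMPLE_TRAFFIC = [
    ("203.0.113.7", "GET", "/products?id=42"),
    ("203.0.113.7", "GET", "/products?id=42%20UNION%20SELECT%20user,pass%20FROM%20users"),
    ("203.0.113.9", "GET", "/login?user=admin'%20OR%20'1'%3D'1"),
    ("192.0.2.55", "GET", "/products?id=42"),   # went straight to the origin
]


def run_pipeline(traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Combine both checks: a request is served only if it came through the
    edge AND the edge's inspection passed it."""
    decisions = []
    for client_ip, method, url in traffic:
        if not origin_accepts(client_ip):
            decisions.append(f"origin-reject {client_ip} {url}")
            continue
        allowed, reason = inspect_request(method, url)
        decisions.append(("allow " if allowed else "block ") + f"{url} ({reason})")
    return decisions


if __name__ == "__main__":
    for line in run_pipeline():
        print(line)
```

The fourth sample line is the one worth remembering: it is a perfectly clean request, but because it never passed through the edge it must be refused anyway, otherwise the DNS trick buys nothing once someone learns the origin's real address.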
Risk scoring is still a load of crap: I’ve been hearing a lot about these anti-bot products being stacked up next to an IPS to figure out and track command and control traffic. The poster child is Damballa, which to be clear exists only because IPS doesn’t do enough. Now Damballa is adding risk scoring (whatever that means) to its product based on the type of malware and bad activity observed. I buy into the idea of prioritizing infections based on the type of information Damballa sees, but calling it a “risk score” is horse puckey. That assumes foreknowledge of the value of information/data, which requires a subjective assessment by the customer, which happens rarely and is then out of date within minutes. So appreciate that a tool like this can tell you how borked your devices are, but to call that risk es no bueno. – MR
Product vs. Project: Rich and I talk a lot about how Web Applications are a unique challenge for security, and one facet of this is the eternal beta cycle most web applications – and all web sites – seem stuck in. There is no such thing as a finish line. Development continues ad infinitum, with both big picture modifications and tactical feature additions launched every week or two. Joseph Flahill’s article on choosing an agile management approach captures the essence of this issue. Joseph focuses on the complexity and management differences between ongoing and classical development, but his points apply to security as well. There is a difference between product and project management techniques. Having a defined end point has meaning – full regression sweeps, fuzzing, penetration testing, and complete application assessments can be performed on a stable platform. Applications under constant revision never get the complete security sweep they require. It’s a subtle but important distinction. – AL