Research

Speaking as a “master of the obvious,” it’s worth mentioning the importance of having a correct mindset heading into the new year. Odds are you’ve just gotten back from the holiday and that sinking “beaten down” feeling is setting in. Wow, that didn’t take long. So I figured I’d do a quick reminder of the universal truisms that we know and love, but which still make us crazy. Let’s just cover a few: There is no 100% security I know, I know – you already know that. But the point here is that your management forgets. So it’s always a good thing to remind them as early and often as you can. Even worse, there are folks (we’ll get to them later) who tell your senior people (usually over a round of golf or a bourbon in some mahogany-laden club) that it is possible to secure your stuff. You must fight propaganda with fact. You must point out data breaches, not to be Chicken Little, but to manage expectations. It can (and does) happen to everyone. Make sure the senior folks know that. Compliance is a means to an end There is a lot of angst right now (especially from one of my favorite people, Josh Corman) about the reality that compliance drives most of what we do. Deal with it, Josh. Deal with it, everyone. It is what it is. You aren’t going to change it, so you’d better figure out how to prosper in this kind of reality. What to do? Use compliance to your advantage. Any new (or updated) regulation comes with some level of budget flexibility. Use that money to buy stuff you really need. So what if you need to spend some time writing reports with your new widget to keep the auditor happy. Without compliance, you wouldn’t have your new toy. Don’t forget the fundamentals Listen, most of us have serious security kung fu. They probably task folks like you to fix hard problems and deflect attackers from a lot of soft tissue. And they leave the perimeter and endpoints to the snot-nosed kid with his shiny new Norwich paper. That’s OK, but only if you periodically make sure things function correctly. Maybe that means running Core against your stuff every month. Maybe it means revisiting that change control process to make sure that open port (which that developer just had to have) doesn’t allow the masses into your shorts. If you are nailed by an innovative attack, shame on them. Hopefully your incident response plan holds up. If you are nailed by some stupid configuration or fundamental mistake, shame on you. Widgets will not make you secure Keep in mind the driving force for any vendor is to sell you something. The best security practitioners I know drive their projects – they don’t let vendors drive them. They have a plan and they get products and/or services to execute on that plan. That doesn’t mean reps won’t try to convince you their widget needs to be part of your plan. Believe me, I’ve spent many a day in sales training helping reps to learn how to drive the sales process. I’ve developed hundreds of presentations designed to create a catalyst for a buyer to write a check. The best reps try to help you, as long as that involves making the payment on their 735i. And even worse, as a reformed marketing guy, I’m here to say a lot of vendors will resort to bravado in order to convince you of something you know not to be true. Like that a product will make you secure. Sometimes you see something so objectionable to the security person in you, it makes you sick. Let’s take the end of this post from LogLogic as an example. For some context, their post mostly evaluates the recent Verizon DBIR supplement. What does LogLogic predict for 2010? Regardless of whether, all, some, or none, of Verizon’s predictions come true, networks will still be left vulnerable, applications will be un-patched, user error will causes breaches in protocol, and criminals will successfully knock down walls. But not on a LogLogic protected infrastructure. We can prevent, capture and prove compliance for whatever 2010 throws at your systems. LogLogic customers are predicting a stress free, safe 2010. Wow. Best case, this is irresponsible marketing. Worst case, this is clearly someone who doesn’t understand how this business works. I won’t judge (too much) because I don’t know the author, but still. This is the kind of stuff that makes me question who is running the store over there. Repeat after me: A widget will not make me secure. Neither will two widgets or a partridge in a pear tree. So welcome to 2010. Seems a lot like 2009 and pretty much every other year of the last decade. Get your head screwed on correctly. The bad guys attack. The auditors audit. And your management squeezes your budget. Rock on! Share:

A lot of my tech friends make fun of me for my minimal use of Google services. They don’t understand why I worry about the information Google collects on me. It isn’t that I don’t use any Google services or tools, but I do minimize my usage and never use them for anything sensitive. Google is not my primary search engine, I don’t use Google Reader (despite the excellent functionality), and I don’t use my Gmail account for anything sensitive. Here’s why: First, a quote from Eric Schmidt, the CEO of Google (the full quote, not just the first part, which many sites used): If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities. I think this statement is very reasonable. Under current law, you should not have an expectation of privacy from the government if you interact with services that collect information on you, and they have a legal reason and right to investigate you. Maybe we should have more privacy, but that’s not what I’m here to talk about today. Where Eric is wrong is that you shouldn’t be doing it in the first place. There are many actions all of us perform from day to day that are irrelevant even if we later commit a crime, but could be used against us. Or used against us if we were suspected of something we didn’t commit. Or available to a bored employee. It isn’t that we shouldn’t be doing things we don’t want others to see, it’s that perhaps we shouldn’t be doing them all in one place, with a provider that tracks and correlates absolutely everything we do in our lives. Google doesn’t have to keep all this information, but since they do it becomes available to anyone with a subpoena (government or otherwise). Here’s a quick review of some of the information potentially available with a single piece of paper signed by a judge… or a curious Google employee: All your web searches (Google Search). Every website you visit (Google Toolbar & DoubleClick). All your email (Gmail). All your meetings and events (Google Calendar). Your physical location and where you travel (Latitude & geolocation when you perform a search using Google from your location-equipped phone). Physical locations you plan on visiting (Google Maps). Physical locations of all your contacts (Maps, Talk, & Gmail). Your phone calls and voice mails (Google Voice). What you read (Search, Toolbar, Reader, & Books) Text chats (Talk). Real-time location when driving, and where you stop for food/gas/whatever (Maps with turn-by-turn). Videos you watch (YouTube). News you read (News, Reader). Things you buy (Checkout, Search, & Product Search). Things you write – public and private (Blogger [including unposted drafts] & Docs). Your photos (Picassa, when you upload to the web albums). Your online discussions (Groups, Blogger comments). Your healthcare records (Health). Your smarthome power consumption (PowerMeter). There’s more, but what else do we care about? Everything you do in a browser, email, or on your phone. It isn’t reading your mind, but unless you stick to paper, it’s as close as we can get. More importantly, Google has the ability to correlate and cross-reference all this data. There has never before been a time in human history when one single, private entity has collected this much information on a measurable percentage of the world’s population. Use with caution. Share:

I was over at Rich’s place this week while we were recording the network security podcast. When finished we were just hanging out and Riley, Rich’s daughter, came walking down the hall. At 9 months old I was more shocked to see her walking than she was at seeing me standing there in the hall. She looked up at me and sat down. I extended my hand thinking that she would grab hold of my fingers, but she just sat there looking at me. I heard Rich pipe up … “She’s not a dog, Adrian. You don’t need to let her sniff your hand to make friends. Just say hello.” Yeah. I guess I spend too much time with dogs and not much time with kids. I’ll have to work on my little people skills. And the chew toy I bought her for Christmas was, in hindsight, a poor choice. This has been the week of the Rothman for us. Huge changes in the new year – you probably noticed. But it’s not just here at Securosis. There must have been five or six senior security writers let go around the country. How many of you were surprised by the Washington Post letting Brian Krebs go? How freakin’ stupid is that!?! At least this has a good side in that Brian has his own site up (Krebs on Security), and the quality and quantity are just as good as before. Despite a healthy job market for security and security readership being up, I expect we will see the others creating their own blogs and security continuing to push the new media envelope. And as a reminder, with the holidays over, Rich and I are making a huge press on the current Project Quant metrics series: Quant for Database Security. We are just getting into the meat of the series, and much like patch management, we are surprised at the lack of formalized processes for database security, so I encourage your review and participation. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s podcast with Amrit Williams on Log Management and SIEM.(transcript) Podcast with Dennis Fisher on Metrics and the Securosis/Security Incite Merger. Blog post on TechTarget’s Security Bytes regarding the merger. Securosis takes over the Network Security Podcast. Rich’s excellent article for Macworld on Mac security reality check: scams. Adrian’s Dark Reading post on Data Masking. Favorite Securosis Posts Rich: Quant for Database Security, Patches. Mike 2009 Wrap: Changes in Perspective – It’s critical to take some time every quarter and reflect on what you’ve learned and how that will change plans/tactics moving forward. Things move too quickly to just plod along doing the same old, same old. Adrian: Introducing Securosis Plus: Now with 100% More Incite! Meier: Google, Privacy, and You. Mort: Password Policy Disclosure. Other Securosis Posts Getting Your Mindset Straight for 2010 Incite – 1/6/2009 – The Power of Contrast RSA Treks to Sherwood Forest and Buys the Archer Password Policy Disclosure Securosis + Security Incite Merger FAQ Mike Rothman Joins Securosis Prison Computer ‘Hacker’ Sentenced Rich’s Personal Security Guiding Principles Hosting Providers and Log Security The POPE visits Security Incite + Securosis. Security Incite Contracts a Case of Securosis. Favorite Outside Posts Rich: Matt’s Guide to Vendor Responses. Should be required reading for vendors. Mike: A Way Forward – Shostack gets into our heads and makes the point that our issues are partly self-inflicted. He’s dead on. Adrian: Maybe this will Help by Jack Daniels. And it did. We talk about being pragmatic here, but I catch myself once a week, at least, yanking content out of a post of presentation because it is simply not accessible to the IT masses. This is a nice encapsulation of the perspective you need to have when producing for non-security audiences interested in accomplishing security tasks. Mort: Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It Amrit does it again – funny, snarky, and all too true. Meier: Brian Krebs on FBI investigating $3M in stolen funds. Pepper: Schneier’s TSA Logo Contest Motto: either “Tedium, Stupidity, & Arrogance” or “Terror, Slowdowns, & Aggravation”. Pepper #2: NIST Certified USB Encryption Broken. Project Quant Posts Project Quant: Database Security – Patch Project Quant: Database Security – Discovery Top News and Posts Blogger’s Twitter account implicated in ‘Leak’. Wired post on changes to No-Fly list. Hacker demonstrated how to Geographically Locate Servers. Jeremiah Maps WASC to OWASP list, mum on blood feud. Political Websites Hacked. New Botnet Infiltrated. NIST Hash Competition. FBI Investigates $3M Theft in eWeek. Not security, but a glimpse at the dirty underbelly of technology PR. And Dave Lewis on Cyber-Ninjas post deserves honorable mention for making me laugh out loud. Blog Comment of the Week Remember, for every comment selected Securosis makes a $25.00 donation to Hackers For Charity. This week’s best comment comes from ‘smithwill’ in response to Mike Rothman’s post on Getting Your Mindset Straight for 2010: Bravo. Security common sense in under 1000 words. And the icing on the cake: buy our s#it and you won’t have to do anything line. Priceless. Congratulations! We will contribute $25.00 to HFC in ‘smithwill’s name! Share: