Incite 3/2/2011: Agent Provocateur

It’s been a while since I have gotten into a good old-fashioned Twitter fight. Actually the concept behind FireStarter was to throw some controversial thought balloons out there and let the community pick our stuff apart and help find the break points in our research positions. As Jeremiah tweeted yesterday, “whatever the case, mission accomplished. Firestarter!” to my post Risk Metrics Are Crap. It devolved into a bare-knuckled brawl pretty quickly, with some of the vociferous risk metrics folks. After reading our Twitter exchanges yesterday and today, you might think that Alex Hutton and I don’t like each other. I can’t speak for him, but I like Alex a lot. He’s smart, well read, and passionate about risk metrics. I knew I’d raise his ire with the post, and it’s all good. It’s not the first time we’ve sparred on this topic, and it won’t be the last. Lord knows I make a trade of giving folks a hard time, so it would be truly hypocritical if I didn’t like the taste of my own medicine. And it don’t taste like chicken. Just remember, you won’t last in any business if you can’t welcome opposing perspectives and spirited debate. Though I do have to admit that Twitter has really screwed up the idea of a blog fight. In the good old days – you know, like 3 years ago – fights would be waged either in the comments or by alternating inflammatory blog posts. It was awesome and asynchronous. I wouldn’t lose part of an argument because I had to take a piss and was away from my keyboard for a minute. And I also wasn’t restricted to 140 characters, which makes it tough to discuss the finer points of security vs. risk metrics. But either way, I appreciate the willingness of Alex and other risk metrics zealots like Jack Jones and Chris Hayes to wade into the ThunderDome and do the intellectual tango. But hugging it out with these guys isn’t the point. I’ve always been lucky to have folks around to ask the hard questions, challenge assumptions, and make me think about my positions. And I do that for my friends as well. One of whom once called me a ‘provocateur’ – in a good way. He wanted to bring me into his shop to ask those questions, call their babies ugly, and not allow his team to settle for the status quo. Not without doing the work to make sure the status quo made sense moving forward. It doesn’t matter what side of the industry you play. Users need someone to challenge their architectures, control sets, and priorities. Vendors need someone to stir the pot about product roadmap, positioning, and go-to-market strategies. Analysts and consultants need someone to tell them they are full of crap, and must revisit their more hare-brained positions. The good news is I have folks, both inside and outside Securosis, lined up around the block to do just that. I think that’s good news. Where can you find these provocateurs? We at Securosis do a good bit of it, both formally and informally. And we’ll be doing a lot more when we launch the sekret project. You can also find plenty of folks at your security bitch sessions networking groups who will be happy to poke holes in your strategy. Or you can go to an ISSA meeting, and while trying to avoid a sales person humping your leg you might run into someone who can help. They would much rather be talking to you than be a sales spunk repository, for sure. Also keep in mind that the provocateur isn’t just a work thing. I like when folks give me pointers on child rearing, home projects, and anything else. I probably wouldn’t appreciate if someone blogged that “Rothman’s Drywall Skills Are Crap” – not at first, at least. But maybe if they helped me see a different way of looking at the problem (maybe wallpaper, or paneling, or a nice fellow who does drywall for a living), it would be a welcome intrusion. Or maybe I’d just hit them with a bat. Not all provocateurs find a happy ending. -Mike Photo credits: “So pretty.” originally uploaded by cinderellasg Incite 4 U Ready for the onslaught of security migrants?: Last week I ranted a bit about giving up, and how some folks weren’t really prepared for the reality of the Bizarro World of security. Well, sports fans, it won’t be getting better. When the CareerBuilder folks call “Cyber security specialist” the top potential job, we are all screwed. Except SANS – they will continue running to the bank, certifying this new generation of IT migrants looking for the next harvest. But we probably shouldn’t bitch too much, given the skills shortage. But do think ahead about how your organization needs to evolve, given the inevitable skill decline when you hire n00bs. We all know a company’s security is only as good as its weakest link, and lots of these new folks will initially be weak. So check your change management processes now and make sure you adequately test any change. – MR NSFW login: Every now and then an idea comes along that is so elegant, so divinely inspired, that it nearly makes me believe that perhaps there is more to this human experience than the daily grind of existence. I am, of course, talking about the Naked Password. Here’s how it works… you install the JavaScript on your site and as users create passwords – the (ahem) ‘longer’ and ‘stronger’ the password, the less clothing on the 8-bit illustrated woman next to the password field. Forget the password strength meter, this is a model I can… really get my arms around. Mike Bailey said it best when he reminded us that, for all the time we spend learning about social engineering attacks, perhaps we should apply some of those principles to our own people. – RM Old school cloud: When did Gmail & Hotmail become “The Cloud”? Seriously. Gmail goes down for a few hours – because of a bad patch – and that warrants

Read Post

Network Security in the Age of *Any* Computing: the Risks

We are pleased to kick off the next of our research projects, which we call “Network Security in the Age of Any Computing.” It’s about how reducing attack surface, now that those wacky users expect to connect to critical resources from any device, at any time, from anywhere in the world. Thus ‘any’ computing. Remember, in order to see our blog series (and the rest of our content) you’ll need to check out our Heavy feed. You can also subscribe to the Heavy feed via RSS. Introduction Everyone loves their iDevices and Androids. The computing power that millions now carry in their pockets would have required raised flooring and an large room full of big iron just 25 years ago. But that’s not the only impact we see from this wave of consumerization. Whatever control we (IT) thought we had over the environment is gone. End users pick their devices and demand access to critical information within the enterprise. And that’s not all. We also have demands for unfettered access from anywhere in the world at any time during the day. And though smart phones are the most visible devices, there are more. We have the ongoing tablet computing invasion (iPad for the win!); and a new generation of workers who either idolize Steve Jobs and will be using a Mac whether you like it or not, or are technically savvy and prefer Linux. Better yet, you aren’t in a position to dictate much of anything moving forward. It’s a great time to be a security professional, right? Sure, we could hearken back to the good old days. You know – the days of the Blackberry, when we had some semblance of control. All mobile access happened through your BlackBerry Enterprise Server (BES). You could wipe the devices remotely and manage policy and access. Even better, you owned the devices so you could dictate what happened on them. Those days are over. Deal with it. The Risks of Any Computing We call this concept any computing. You are required to provide access to critical and sensitive information on any device, from anywhere, at any time. Right – it’s scary as hell. Let’s take a step back and quickly examine the risks. If you want more detail, check out our white paper on Mobile Device Security (PDF): Lost Devices: Some numbnuts you work with manage to lose laptops, so imagine what they’ll do with these much smaller and more portable devices. They will lose them, with data on them. And be wary of device sales – folks will often use their own the devices, copy your sensitive data to them, and eventually sell them. A few of these people will think to wipe their devices first, but you cannot rely on their memory or sense of responsibility. Wireless Shenanigans: All of these any computing devices include WiFi radios, which means folks can connect to any network. And they do. So we need to worry about what they are connecting to, who is listening (man in the middle), and otherwise messing with network connectivity. And rogue access points aren’t only in airport clubs and coffee shops. Odds NetStumbler can find some ‘unauthorized’ networks in your own shop. Plenty of folks use 3G cards to get a direct pipe to the Internet – bypassing your egress controls, and if they’re generous they might provide an unrestricted hotspot for their neighbors. Did I hear you to say ubiquitous connectivity is a good thing? Malware: Really? To be clear, malware isn’t much of an issue on smart phones now. But you can’t assume it never will be, can you? More importantly, consumer laptops may not be protected against today’s attacks and malware. Even better, many folks have jailbroken their devices to load that new shiny application – not noticing that in the process they disabled many of their device’s built-in security features in the process. Awesome. Configuration: Though not necessarily a security issue, you need to consider that many of these devices are not configured correctly. They will load applications they don’t need and turn off key security controls, then connect to your customer database. So any computing creates clear and significant management issues as well. If not handled correctly, these will create vastly more attack surface. “Network Security in the Age of Any Computing” will take a look at these issue from a network-centric perspective. Why? You don’t control the devices, so you need to look at what types of environments/controls can provide some control at a layer you do control – the network. We’ll examine a few network architectures to deal with these devices. We will also looking at some network security technologies that can help protect critical information assets. Business Justification Finally, let’s just deal with the third wheel of any security initiative: business justification. Ultimately you need to make the case to management that additional security technologies are worthwhile. Of course, you could default to the age-old justification of fear – wearing them down with all the bad things that could happen. But with any computing it doesn’t need to be that complicated. List top line impact: First we need to pay attention to the top line, because that’s what the bean counters and senior execs are most interested in. So map out what new business processes can happen with support for these devices, and get agreement that the top line impact of these new process is bigger than a breadbox. It will be hard (if not impossible) to estimate true revenue impact, so the goal is to get acknowledgement that positive business impact is real. New attack vectors: Next have a very unemotional discussion about all the new ways to compromise your critical information via these new processes. Again, you don’t need to throw FUD (fear, uncertainty, and doubt) bombs, because you have reality on your side. Any computing does make it harder to protect information. Close (or not): Basically you are in a position to now close the loop and get funding – not by selling Armageddon, but instead providing a simple trade-off. The organization needs to support any computing for lots of business reasons. That introduces new attack vectors, putting critical data at risk. It will cost $X

Read Post

Random Thoughts on Securing Applications in the Cloud

How do you secure data in the cloud? The answer is “it depends”. What type of cloud are you talking about – IaaS, PaaS, or SaaS? Public or Private? What services or applications are you running? What data do you want to protect? Following up on the things I learned at RSA, one statement I heard makes sense now. Specifically, a couple weeks ago Chris Hoff surprised me when, talking about data security in the cloud, he tweeted: Really people need to be thinking more about app-level encryption. Statements like that normally make the information-centric security proponent in me smile with glee. But this time I did not get his point. Lots of different models of the cloud, and lots of ways to protect data, so why the emphatic statement? He answered the question during the Cloudiquantanomidatumcon presentation. Chris asked “How do you secure data in two virtual machines running in the cloud?” The standard answer: PKI and SSL. Data at rest and data in motion are covered. With that model in your head, it does not look too complex. But during the presentation, especially in an IaaS context, you begin to realize that this is a problem as you scale to many virtual machines with many users and dispersed infrastructure bits and pieces. As you start to multiply virtual machines and add users, you not only create a management problem, but also lose the context of which users should be able to access the data. Encryption at the app layer keeps data secure both at rest and in motion, should reduce the key management burden, and helps address data usage security. App layer encryption has just about the same level of complexity at two VMs; but its complexity scales up much more gradually as you expand the application across multiple servers, databases, storage devices, and whatnot. So Chris convinced me that application encryption is the way to scale, and this aligns with the research paper Rich and I produced on Database Encryption, but for slightly different reasons. I can’t possibly cover all the nuances of this discusion in a short post, and this is big picture stuff. And honestly it’s a model that theoretically makes a lot of sense, but then again so does DRM, and production deployments of that technology are rare as hen’s teeth. Hopefully this will make sense before you find yourself virtually knee deep in servers. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.