Securosis

Research

$50K buys how much FDE?

Feds step up HIPAA enforcement with hospice settlement The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle. For anyone still agonizing over deploying full disk encryption (FDE) on any device that handles protected data: Stop. It. Now. Just buy it. Yes, maybe the breach will happen to the other guy. Maybe the fines will hit the other guy. But clearly HHS wants to make examples of some folks, and you don’t want them to pick you. By the way, if you are worried about FDE costing a bunch of extra money, I’ll let you in on a little negotiating tactic. If you use Vendor X for endpoint protection, invite the rep in for a visit. Then strategically leave a mug from Competitor Y on you desk. Or maybe even give the rep coffee in the other vendor’s mug. Is that tacky? Sure, but it sends a clear message that you have options for endpoint protection. Which you do. Share:

Share:
Read Post

Java Sucks. Again.

Zero-day in the wild, in a popular exploit kit. From Brian Krebs: The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. Alienvault confirms: Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab. To the best of your ability, disable Java in browsers and keep it that way. Otherwise you need alternate compensating controls. No idea if EMET helps with this, but that’s one place to start looking. Share:

Share:
Read Post

Most Consumers Don’t Need Mac AV

I can’t believe I forgot to post here when I put the article up on TidBITS, but here you go: Do You Need Mac Antivirus Software in 2013? While Macs aren’t immune to malicious software (malware), and we even experienced one reasonably widespread incident in 2012, malware on Macs is still not nearly common enough to recommend antivirus software for everyone. And while antivirus tools are effective against certain known attacks, they often don’t provide the level of protection people expect. … If Mac antivirus tools offered 100 percent effectiveness – or even 99 percent – I might take a different position. If we ever see massive volumes of malware, as happens in the Windows world, I might change my recommendations. But at this point, there are so few Mac malware infections, and antivirus tools are so limited, that for most users of current versions of OS X, antivirus doesn’t make sense. During the Flashback infection there were accusations that Mac users were too smug, or too ill-informed, to install antivirus software. But the reality is that antivirus tools offer only limited protection, and relying on antivirus for your security is as naive as believing Macs are invulnerable. Enterprises are a different story. Share:

Share:
Read Post

Integration vs. Segregation

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, … “But I also have to be able to make the information available immediately in an emergency,” he said. “A 90-second delay if you’re waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds figure out if you’re allergic to penicillin, it could be a matter of life and death. Segregated healthcare networks rarely work, expert says Nice to see our friend Martin Fisher give some good quote in the CSO Online article and he’s right. As more integrated business systems become pervasive, they screw up your ability to segment networks. To be clear, segmentation is your friend, but that only works when you can segment. Otherwise you need to provide more access than you’d prefer, and that means the focus turns toward authentication (making sure the right people get on) and security monitoring. If you can’t keep them out, you had better be able to React Faster and Better. Share:

Share:
Read Post

Friday Summary: January 11, 2013

Tina Slankas presented at the Phoenix ISSA chapter this week on use of patterns for building security programs – slides can be downloaded here (PDF). The thrust of her idea was to use patterns – think design patterns if you like – for putting together control frameworks to define security efforts. Tina stated she was using the definition of ‘pattern’ in a very broad way, but the essence was reusable constructs for managing different aspects of enterprise security. For example: how identity management will function at a high level, and how will it fit with other systems. As a software developer or architect, patterns are invaluable for object-oriented programming, helping model complex ideas as a collection of simple patterns. To be honest, I abandoned the idea of secure design patterns for software architecture pretty much when I first got involved with security. I could not articulate security into the patterns, be they behavioral or structural. Maybe that was just my lack of skill at the time, but it felt like the complexities of how to secure code were beyond pattern descriptions. What was compromised was not as interesting as how it was compromised, and it usually turned out to be a process or protocol that got abused. It was the bits flowing between different patterns, or the ones left undefined, that I worried about. Trust relationships. Assumptions. Identity. Avoiding things like replay attacks. Repudiation. The problem space felt process-oriented, not object-oriented. But in terms of a control or management framework for IT systems, reusable patterns are an interesting idea. They help with consistency across multiple sites/deployments. They offer a layer of abstraction – you don’t care if the problem is solved by a firewall, a WAF, or DLP, so long as the required controls are in place and meet the requirements. Your could represent the entire PCI specification as a set of patterns. Unless you have a huge infrastructure to manage, I’m not clear how practical this is – but I am interested in the idea of security patterns. I remain skeptical of its value for secure code development, but I see its value for security program management. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich’s TidBITS post: Do You Need Mac Antivirus Software in 2013? Gunnar’s Dark Reading post: What Is It You Would Say That You Do Here? Adrian’s Dark Reading Post on DB Threats and Countermeasures. Securosis Posts $50K buys how much FDE? Java Sucks. Again. Most Consumers Don’t Need Mac AV. Integration vs. Segregation. DDoS: Distributed, but not evenly. Incite 1/9/2013: Never Lost. Detection vs. Protection and the Game of Words. ENISA BYOD FTW. Pwn Ur Cisco Phone. Understanding Identity Management for Cloud Service: The Solution Space. Prove It to Use It. Bored? Set up your own CA. Internet Explorer 8 0-Day Bypasses Patch. Favorite Outside Posts Adrian Lane: Hardening Sprints. What are they? Do you need them? I’m a big fan of the occasional hardening sprint to let each developer fix one thing that bugs them, to pull stuff out of the security bucket list, or to otherwise do quality control. James Arlen: Nather’s Law of Policy Management. Mike Rothman: State sponsored attack: a howto guide. For a change, Rob Graham is lampooning the prevailing wisdom. He’s very good that that. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Malware Analysis Quant: Metrics – – – Dynamic Analysis. Research Reports and Presentations Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Top News and Posts Adobe fixes Flash Player and Microsoft patches IE 10 to update its built-in version. Under the hood of the cyber attack on the U.S. Banks. Facebook, Yahoo Fix Valuable $ecurity Hole$. Zero-Day Java Exploit Debuts in Crimeware. Does Your Alarm Have a Default Duress Code? How PCI Standards Will Really Die. Enhancing Certificate Security. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Bert Knabe, in response to Prove It to Use It. You mean you don’t believe it?! It’s from a government official! They never lie! Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.