Research

Brian Krebs breaks another story: Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering. And on hiring a hit man (seriously): On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.” I wonder if Benedict Cumberbatch will play DPR in the movie? Compelling read. Nothing to do with IT security unless you plan on hosting an illegal site, but fascinating. Share:

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field. A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft: “If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.” It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers. Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game. Share:

I’m really looking forward to this, although my skills will keep me in the back of the room: October 2013 Chicago Crypto-For-Developers Class Share:

It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why they matter. It is not much different than your parents telling you that you cannot do something “because we said so.” But regardless of the specific situation, security awareness training occurs for a few reasons, some more productive (and strategic) than others: Limit Corporate Liability: If an organization doesn’t make very clear to employees what they can and cannot do using corporate technology assets, they cannot terminate employees for doing the wrong thing. Too much of today’s awareness training content is built as a warning to justify termination. This kind of training is built by lawyers expressly to enable them to prosecute employees if needed. That gives you a warm and fuzzy feeling, doesn’t it? Compliance Mandate: This is in play in many government organizations, who are expected to follow NIST 800-50 to comply with FISMA and build a security training program. We applaud the mandate – we all know it wouldn’t happen otherwise. But compliance requirements rarely create sufficient urgency to excel or address the original goals behind the regulation. Protect Information: Before our cynicism gets the best of us, some organizations perform security awareness training to actually train employees about security. Imagine that. In this case they need to know what not to click and why. They need to learn who to call when they think something is wrong. How to protect their mobile devices, which increasingly contain sensitive data and access. This content is typically built by the security team (or under their watch). If your current awareness program is controlled by Human Resources with a heavy influence from the General Counsel, you have some work to do. If you are in charge of an awareness training program, at least you can roll out some content to achieve your objectives. That doesn’t mean you understand the latest and greatest training techniques. Nor does it mean you actually have the time to build effective training materials. But at least you can make some decisions about the training program, and that’s a start. So we are excited to start a new blog series: “Security Awareness Training Evolution.” Adversaries have gotten better, so you need to prepare employees more effectively to be the first line of defense. Obviously they are an imperfect line of defense, but a human control is better than no control at all. As with all our blog series, we will write this one using our Totally Transparent Research methodology, which means we will post everything to the blog first and let you have an opportunity to provide feedback to make sure we are on target. Before we get started, we would like to thank the fine folks at PhishMe for potentially licensing the paper when we finish. We use the term ‘potentially’ because with our research process there is no commitment on either side until the research is done. That allows us to write what needs to be written, and for each licensee to verify that the content meets their needs (objectively, of course) before they actually license anything. Pragmatic Security Training It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as training remains. The main argument against security training is that it doesn’t work. That’s just not true. But honestly it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care, but they do bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. You need to accept that those folks will do what they want and you will clean it up. You also need to realize that some of your employees will be targeted by advanced attackers. No amount of security training will protect them if they are targeted. To clean that up you will need some-high end forensics, and if that’s in play you probably should consult our CISO’s Guide to Advanced Attackers. Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be impacted and influenced by better training content, wouldn’t it make your life easier if you didn’t have to clean up after them too? Obviously it depends on the organization, but we have seen training reduce the amount of time spent cleaning up easily avoidable mistakes. Yet, far too many organizations lose interest when they don’t see immediate results. Like any program, security awareness training requires patience and persistence. This is covered in Mike’s Pragmatic CSO book. Here is an excerpt on this point: The easiest thing to do regarding security awareness is to give up. Most organizations (and CSOs) are impatient. It’s hard to make a consistent effort when it is not clear that progress is being made. There really is a “tipping point” in security awareness, and until you get there, it’s hard to justify the time and investment required by the program. Thus the most critical success factor for security awareness is CONSISTENCY and PERSEVERANCE. It takes months and years of consistent effort to make security awareness second nature. Your employees have to overcome years of bad habits, like opening attachments and clicking links in emails. What’s Broken? How hard could it be to teach folks what not to do? You

17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other thing. In fact, until this latest shutdown because a possibility, I didn’t even remember it happened in the first place. 17 years later, in my mind that shutdown was an inconsequential footnote in history that I needed to look up on Wikipedia to even remember it happened. I suspect we will see the same outcome this time. 17 years from now I doubt I’ll even remember how this group of politicians fought over funding this, that, or the other thing. The more things change, the more the stay the same. Negotiating deadlines are blown, activities are impacted, and people (a lot of people) aren’t working today because these folks can’t find the middle ground. But they’ll work it out. They always do. The last time the shutdown lasted for a total of 28 days. Maybe this one will be shorter. Maybe longer. The only thing I know for sure is that it will be more visible. With social media, you’ll be seeing tweets from folks out of work and Facebook blasts talking about how they are right and the opposition is wrong. So even though it’s the same, it will feel worse because we will see much more of it. That’s just the way things go down nowadays. We know how this movie ends. At some point they will make a compromise. Both sides will claim victory. Everyone will get back to work. Programs will be funded. Money will be squandered. Life will go on. Which is why it’s hard for me to get fired up about this stuff any more. The system is broken, but it’s the one we have. My efforts are far better spent worrying about the things I can control, and the idiotic machinations in Washington just aren’t on that list. So shutdown all you like. I have writing to do. –Mike Photo credit: “Anarchist computer” originally uploaded by Michael Bingaman Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Application Denial of Service Introduction Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Newly Published Papers Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Distributing workloads won’t fill the gap: No, this isn’t my attempt to infringe on Rich’s cloud security coverage. I am talking about the significant security skills gap. In my CISO Roundtables at the IANS Forums this year, a very consistent theme has been the challenges of staffing. From finding qualified folks, to retaining the good ones, to keeping pace with technology… most CISOs spend a large (and increasing) portion of their time dealing with these softer personnel issues. After spending a day with HR, a firewall console probably never looked so good. Michael Santarcangelo explains in his CSO blog how believes that distributing the workload among operational groups is the answer. He even said: “We don’t need more security professionals.” Uh, WTF? That’s dead wrong. I’m not saying we don’t need help, or that we don’t need the rest of the organization to become more security aware. But they have no real incentive to be secure. So over the long run, they won’t. Period. We clearly don’t have enough skills internally to even work with the ops groups and business folks to help them become more secure. So there is a skills gap, and it’s serious – and no amount of internal redistribution is going to solve it. – MR MS RAMPing up: For those who don’t know, FedRAMP is the US government’s way of setting up a security baseline for cloud providers. While every agency (well, the ones still in business) needs to still meet its own requirements, FedRAMP is an assessment baseline they can leverage to reduce their overhead. So not every agency needs to deeply audit each cloud provider. Like most cloud security certifications, FedRAMP says the cloud meets a baseline, so you can focus on the bits you deploy above that. Microsoft Azure was just granted its FedRAMP certification (Okay, it isn’t a certification per se, but close enough). Microsoft is the first cloud service to get the sign off-from the Joint Assessment Board (DoD, DHS, and GSA), while Amazon has theirs from HHS and a third party assessor. Why do you care? Even if you aren’t a Fed (and you aren’t, because they aren’t allowed on the Internet right now for no apparent reason), FedRAMP, especially from the JAB, is a decent security baseline. It doesn’t mean you are ‘secure’ on that cloud, but it sure is a nice additional assurance. – RM Better memory: Oracle’s big announcement at OOW 2013 was an in-memory database option. With a single configuration change and a metric crapton of DRAM, you basically can run the database in memory. What does that have to do with security, you wonder? Absolutely nothing. This really does not change any threats to the database, to answer a question a couple of you have asked me this week. But what’s most interesting is that the database loads data into memory as columnar and row stores, and