Research

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget. Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets. These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is ahike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options. Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks. Share:

Malware is a pervasive problem in enterprises today. It can often be insidious as hell and difficult to ferret out. But sometimes the response to a malware outbreak defies basic common sense. The CIO for the Economic Development Administration (EDA) thought a scorched earth policy was the best approach… From the Depart of Commerce audit report (.pdf): EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components. 20 EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components,21 including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million. EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems. And there was this: Not only was EDA’s CIO unable to substantiate his assertion with credible evidence, EDA’s IT staff did not support the assertion of an infection in the e-mail server There are no words to express my complete amazement at this abjectly irresponsible waste of taxpayer dollars. The real rub from the report: There was no widespread malware infection There was no indication of an infection in the e-mail server The fundamental disconnect here is mind-boggling. Share:

Hi folks, Dave Lewis here, and it is my turn to pull the summary together this week. I’m glad for the opportunity. So, a random thought: I have made a lot of mistakes in my career and will more than likely make many more. I frequently refer to this as my well-honed ability to fall on spears. The point? Simple. This is a learning opportunity that people seldom appreciate. Much like toddlers, we learn to walk by mastering the fine art of the faceplant. We learn in rather short order that we really don’t care for the experience of falling on our faces, and soon that behavior is corrected (for most, at least). So why, pray tell, do we continue to suffer massive data breaches? Not a week goes by without some major corporation or government body announcing that they have lost a USB drive or had a laptop stolen. Have we not learned yet that “face + floor = pain” is not an equation worthy of an infinite loop? Just my musing for this week. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted by The Macalope. Adrian’s DR paper: Security Implications Of Big Data. Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Mike’s DR post: You’re A Piece Of Conference Meat. snort Favorite Securosis Posts Rich: 1 in 6 Amazon Web Services users can’t read. This seriously tweaked me. And don’t give me guff for picking my own post – no one else posted this week. You’d think with 3 full timers and 6 contributors, someone else… Adrian Lane: Proposed California Data Law Will Affect Security… but it will take quite a while before companies take it seriously. David Mortman: Flash! And it’s gone… Dave Lewis: Defending Cloud Data: How IaaS Storage Works. Other Securosis Posts Cybersh** just got real. Proposed California Data Law Will Affect Security. Brian Krebs outs possible Flashback malware author. Appetite for Destruction. Get Ready for Phone Security and Regulations. IaaS Encryption: Understanding Encryption Systems. An article so bad, I have to trash it. Favorite Outside Posts Rich: Activists on Front Lines Bringing Computer Security to Oppressed People. Lives really are at stake for these people. Mike Mimoso is doing a great job with this coverage. Adrian Lane: IT for Oppression. And I just thought this was IT culture. Dave Lewis: Googlers exultant over launch of Blink browser engine. Google rolls their own browser engine. This should be interesting. Dave Mortman: Building Technical Literacy in Business Teams. James Arlen: Delivering message w/ impact && Announing our ‘Reverse Job Fair’. This should be a brilliant workshop. Top News and Posts New PoS malware. That’s “point of sale”, not the other thing. Sometimes. How to Dress Like a Cyber Warrior OR Looking Like a Tier-Zero Hero. This amused me far more than it should have. Bill would allow bosses to seek Facebook passwords. …and then Amendment aimed at workers’ passwords pulled. Apple’s iMessage encryption trips up feds’ surveillance. Because encrytion is haaaard. (h/t James Arlen). Aaron Swartz’s Prosecutors Were Threatened and Hacked, DOJ Says. I’ll just bite my tongue Honeypot Stings Attackers With Counterattacks. Top 10 Web Hacks 2012. FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013 Attempted child abduction thwarted when girl asks stranger for code word. This article caught my eye for the brilliant simplicity for keeping your kids safe. Blog Comment of the Week This week’s best comment goes to Nate, in response to 1 in 6 Amazon Web Services Users Can’t Read. I’d go out on a limb and wager a good portion of those open buckets were setup by non-IT groups who used Amazon as an end around governance and process. I’d also wager a fair number just used one of the available tools to manage their S3 because they don’t really understand the technology and that tool set the bucket to public unbeknownst to them. That means even if they received and read the email above, they probably didn’t understand it. Is that Amazon’s fault? Absolutely not. It does highlight the issue of kicking governance down the road to IT rather than dealing with it at a business level so it can be easily avoided, or focusing governance only on dollars so small opex spends fly under the radar. Unless business leaders start caring about governance and process a whole awful lot, nothing is going to get better, it’s not. Sorry, the kids have been watching the Lorax movie non stop lately. Share:

From the BBC: The US government has told thousands of companies to beef up protection of computers which oversee power plants and other utilities. The action comes after a survey revealed that thousands of these systems can be found online. The survey was carried out via a publicly available search engine that pinpointed computers controlling critical infrastructure. This comes as little surprise. I have used Shodan and found a lot of similar issues with externally exposed systems. I spent quite a few years in that sector and have learned that there is an inherent disconnect in how control system operators and security folks view these issues. They typically don’t play well together. Control system operators are good at their jobs. They keep the lights on. However, on occasion they take a focus on convenience that can ultimately expose critical systems to the wilds of the Internet. Enter the security folks who gleefully rub their hands together at all the missteps taken by engineering folks. There are two ways this can play out. Security folks can help them better understand the security issues and work with them, as Bob and Jacob did, or they can point and laugh. Sadly too often the path taken leads to the schoolyard. Share:

It’s just a couple days until RSA Conference 2011. Is this your first time attending the security conference in San Francisco? Having attended for a few years now I can safely say that there are some things you should take into account before you show up. First of all, download the Securosis Guide to RSA 2011 (PDF) or (ePub). Next you need a plan. After you have completed registration, which I assume by this point you have, consider your options. When you arrive on site at the Moscone Center give yourself a good amount of time to get through registration and badge pickup. The conference folks manage a good job of processing people through, but there will be a lot of people. Give yourself enough time. Next up, what to see? There is far too much content to expect to see it all. As a result you need a plan for which talks to attend. RSA has a daily planner on its site that can help. This is a helpful resource, but it doesn’t entirely do it for me. I want something tailored to my interests. Thankfully, RSA has created a tool for that. Behold the personal scheduler! I should point out that you must be logged into the RSA Conference site to access that tool. So next ask yourself why you are coming to RSA. What are you there to learn? Or are you taking a break on the company dime? I know some of you are doing just that; I’ve seen it before. So be honest with yourself. Which tracks interest you? There are quite a few this year: Application and Development Business of Security Cloud Security (new for 2011) Cryptography Data Security Governance & Risk Compliance Hackers & Threats Hot Topics Industry Experts Law Policy & Government Professional Development Sponsor Case Studies Strategy & Architecture Technology Infrastructure (also new) Not to mention some great talks like these and programs like e10+ for more experienced attendees. That’s a lot to choose from, so I would suggest you do your homework and be sure to check into the talks before you arrive. It would be a shame to find that you’ve landed smack in the middle of an hour-long lecture on widgets when you’re more interested in grapple grommets. Then there is the shark tank: the convention floor. Sweet mother, this is one massive collection of vendors. All of them are hunting for your dollars. That’s the name of the game. They’re not all there just to hand out free t-shirts. These folks work for a living. Take some time to speak with them and get to know their products. You can show up in a suit and be swarmed, or conversely, dress down if you want to blend into the background. The most important thing to remember for the convention floor is to wear a comfortable pair of shoes. No, really. The first time I went to RSA my back was out of commission for several days afterwards. That said, enjoy your time at the conference and bring along your favourite headache remedy. After you’re done with the vendor parties don’t forget to show up for the Securosis Disaster Recovery Breakfast Thursday morning – and be sure to RSVP. Share:

Now that the media has feasted on the Stuxnet carcass, it gives me a moment of pause. What of a different perspective? I know – madness, right? But seriously, we have seen the media in a lather over this story for some time now. Let’s be honest – to someone who has worked in the SCADA community, this really is nothing new. It’s just one incident that happened to come to light. An alternative angle to the story, which seems to have been shied away from, is under-financed but motivated agents. Technical ‘resources’ with too much free time and a wealth of knowledge. This is not a new idea – just look at the abundance of open source projects that rely heavily on this concept: smart people with free time on their hands. What happens when you combine a surfeit of technical competence with a criminal bent? This was well documented back in the 80’s, when a group of German hackers led by Karl Koch were arrested for selling source code they had purloined from US government and corporate computers to the KGB. In this case these hackers were receiving payments in the form of cocaine and cash. Nothing major, just enough to keep them happy (and awake during their coke-fueled coding sessions). At least that was the idea until they were caught and Karl met his untimely end in a German forest in 1989. The argument will invariably be: how could they have the knowledge required for some of these attacks? Ever worked for a power company? There are usually a good number of disgruntled workers and $1,000 US will go a long way in some countries. It was also not difficult to gain access to the documentation from most control system vendors until recently. To borrow from Rich Mogull: funding = resources – the biggest of which are time and knowledge. Looking back to my earlier statement, this is something that a lot of disaffected hackers in former eastern bloc countries have in droves. Throw in some cash and drugs and you could have a motivated crew. I don’t think this is the case, but you must admit it’s within the realm of possibility. After all, this is not without precedent. There’s a skeleton in a forest someplace to prove it. Share: