RSAC Guide 2015: IOWTF

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator! You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response: “I do not think that means what you think it means.” Not that there aren’t risks for Internet-connected devices. But we warned you this would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC: We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This wonʼt be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees wonʼt even think about bringing everywhere. Most of these wonʼt have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem. We’ve reached the point where IoT is the most under- or mis-defined term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”. If we dig into the definitional deformation you will see on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the Industrial Control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo. There are real issues here, especially in areas like process control systems that predate “IoT” by about 50 years, but little evidence that most of these products are actually ready to address the issues, except for the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on their priority list that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about your web apps before your light bulbs. At RSAC this year we will see ‘IoT-washing’ in the same way that we have seen ‘cloud-washing’ over the last few years – lots of mature technology being rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. Sci-Fi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering. Share:

Read Post

Verizon DBIR 2014: Incident Classification Patterns

[Note: Rich, Adrian, and Mike are all traveling today, so we asked Jamie Arlen to provide at least a little perspective on an aspect of the DBIR he found interesting. So thanks Jamie for this. We will also throw Gunnar under the bus a little because he has been very active on our email list, with all sorts of thoughts on the DBIR, but he doesn’t want to share them publicly. Maybe external shaming will work, but more likely he’ll retain his midwestern sensibilities and be too damn nice.] As usual, the gang over at Verizon have put a lot of information and effort into the 2014 edition of their DBIR (registration required). This is both a good thing and a bad thing. The awesome part is that there are historically very few places where incident information is available – leaving all too many professionals in the position of doing risk mitigation planning, based on anecdotes, prayer, and imagination. The DBIR offers some much-needed information to fill in the blanks. This year you will note the DBIR is different. Wade, Jay, and the gang have gone back to the data to provide a new set of viewpoints. They have also done a great job of putting together great graphics. Visualization for the win! Except that all the graphics are secondary to the high quality data tables. Of course graphics are sexy and tables are boring. Unless you have to make sense of the data, that is. So I will focus on one table in particular to illustrate my point.   This is Figure 19 (page 15 printed, 17 of 62 in the PDF) – click it to see a larger version. You may need to stare at it for a while for it to even begin to make sense. I have been staring at it since Friday and I’m still seeing new things. Obvious things Accommodation and Point of Sale Intrusion: No real surprise here. The problem of “the waiter taking the carbons” in the 70’s seems to be maintaining its strength into the future. Despite the efforts of the PCI Council, we have a whole lot of compliance but not enough security. And honestly, isn’t it time for the accommodation industry to make that number go down? Healthcare Theft/Loss: Based on the news it is no great surprise that about half the problems in healthcare are related to the loss or theft of information. We have pretty stringent regulation in place (and for years now). Is this a case of too much compliance and not enough security? It is time to take stock of what is really important (protecting the information of recipients of health care services) and build systems and staff capabilities to meet patient expectations! Interesting things Industry = Public: Biggest issue is “Misc. Error”. I didn’t know what a Misc Error was either. It turns out that it is due to the reporting requirements most of the public sector is under – they need to (and do) report everything. Things that would go completely unremarked in most organizations are reported. Things like, “I sent this email to the wrong person,” “I lost my personal phone (which had access to company data),” etc. I vaguely remember something from stats class about this. Incident = Denial of Service: The two industries reporting the largest impact are ‘Management’ and ‘Professional’. If you look at the NAICS listings for those two industry categories, you will see they are largely ‘offices’. I would love a deeper dive into those incidents to see what’s going on exactly and what industries they really represent. The text of the report talks primarily about the impact of DoS on the financial industry, but doesn’t go into any detail on the effects on Management and Professional. You can read into the report to see that the issue may have been the takeover of content management systems by the QCF / Brobot DoS attacks. Incident = Cyber Espionage: Just sounds cool. And something we have all spent lots of time talking about. It seems to affect Mining, Manufacturing, Professional and Transportation in greater proportion than others. Again, I’d love a look at the actual incidents – they are probably about 10% Sneakers and 90% Tommy Boy. If you are working in those industries you have something interesting to talk to your HR department about. There shouldn’t be any big surprises in this data, but there are plenty of obvious and interesting things. I am still staring at the table and waiting for the magic pattern moment to jump out at me. Though if I stare at the chart long enough, I think it’s a sailboat. Share:

Read Post

FireStarter: Certifications? We don’t need no stinkin’ certifications…

It’s time that the security industry stopped trying to play paramilitary games and started trying to do a good job (aka “best practices”.) It would be a very pleasant change. Currently, the three major information security religions – ISACA, ISC2, and SANS – offer a total of roughly 75 different certifications. This laundry list of certifications leads to a set of fairly serious problems: Security professionals need fold-out business cards Organizations need an equivalency look-up table for resume filtering These problems are entertaining to describe this way, but also present a real problem – how can you objectively determine whether or not a given candidate has the skills necessary to do the job that they’re being asked to do? Recently, The Commission on Cybersecurity for the 44th Presidency released a fairly damning report entitled “A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters” available as a PDF which essentially calls out the old-line security certification bodies for producing really good compliance rubber-stampers but not functional security practitioners. A real gap that needs to be managed – outside of the scope of the pre-existing commercial security certifications. Then things get interesting, this requirement was speedily turned into the ‘National Board of Information Security Examiners’ and if you just glance under the covers, you’ll discover something very interesting. Report authors: Franklin S. Reeder, Karen Evans, James Lewis NBISE Leadership: Franklin S. Reeder, Karen Evans, James Lewis It’s almost like they were ready to go with all of the answers to the problems they created… I guess they had some insight into what the report was going to say. If you look around a little bit, you’ll likely reach the same conclusion that I did: SANS is a little miffed at EC-Council being named in the most recent DoD 8570 directive and someone specifically wanted to carve out a little bit of a government-regulated monopoly on security certifications – a permanent revenue stream. I don’t think that this response is any more useful or valid than the position of the traditional security certifications. It’s yet another organization which exists for the service of it’s self – not it’s members and certainly not the ultimate end-users of it’s membership. If you are a member of ISACA, ISC2 or SANS, I would encourage you to ask yourself what they’ve done for you lately, what they’ve done to make the information security profession more respectable, and most importantly how many hours has it been since they suggested to you that you need to help them get more members. After all, making a scarce resource less scarce is the best way to increase quality and make sure your value stays high. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.