Securosis

Incite 10/9/2013: Youth is wasted on the young

A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen? It seems just like yesterday I was loading up the U-Haul for the trek to relocate to DC after college to start my adult life. That yesterday was 24 years ago. I drove that speed limited truck (it wouldn’t go faster than 60) with all my worldly possessions down the 95 with all these expectations. I was going to do this, and do that, and achieve this, and basically become the master of all I survey. No plan survives contact with the enemy, and mine was no exception. I certainly had the energy and the drive, but I didn’t understand the game. I was too young to have any perspective. All I wanted to be was an adult, and have my own money and buy my own stuff and be responsible for myself. It took 24+ years of screwing things up to finally appreciate how the old saying: “Youth is wasted on the young” is absolutely correct. The young don’t know how to harness their capabilities. They don’t know what they don’t know. Which is obvious every time I chat with kids just entering the job markets. I love their energy and idealism, but I shake my head at their sense of entitlement. Mostly I’m excited for them to learn stuff the way I learned it – the hard way. That’s really the only way to learn, and these kids will do great things in the few instances when they aren’t screwing up. But 24+ years later, I can appreciate that process and understand that I had to go through the good, the bad, and the ugly to end up where I am today. Which is right where I should be. So as I enter the second half of my life, I am thankful for the first half. 
It gave me an opportunity to figure some things out, especially about myself and what’s important to me. I don’t worry so much any more about fitting in or living up to others’ expectations. I’m young enough to still do a lot of stuff, but old enough to kind of know what I’m doing. And that’s a good place to be.

–Mike

Photo credit: Youth on the Move in Volos 12, originally uploaded by EU Social

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Application Denial of Service
  Introduction
Firewall Management Essentials
  Quick Wins
  Managing Access Risk
  Optimizing Rules
  Change Management
  Introduction

Newly Published Papers

Continuous Security Monitoring
API Gateways
Threat Intelligence for Ecosystem Risk Management
Dealing with Database Denial of Service
Identity and Access Management for Cloud Services
The 2014 Endpoint Security Buyer’s Guide
The CISO’s Guide to Advanced Attackers

Incite 4 U

Keep it simple, get it right: I am often highly critical of Ponemon Institute reports because their methodology is often flawed, especially using surveys to estimate losses for intellectual assets that can’t really be quantified. But their latest Cost of Cybercrime report moves in the right direction. This time it only counts direct costs related to incident response, not some wild-ass guess at the value of stolen files. I do believe these costs can be quantified, although the odds are many organizations lack the maturity and tracking to really be consistent about what it really costs to clean up a mess. But Ponemon kept a tight scope, with clear definitions, and noted that costs rose 18% (total, not per incident). One reason cited may be the increasing numbers and sophistication of attacks, but I suspect better detection of incidents is a larger factor. – RM

Down the river of payments: The card brands very publicly announced a global tokenization proposal to make shopping “simpler and safer”, which they promise to release real soon now. But, with significantly less press coverage, on-line retailer Amazon went one step better – by extending Amazon’s existing payment infrastructure to other retail sites. Amazon customers will leverage their Amazon account, including payment and shipping preferences, when they buy from participating retailers. That is Payment as a Service (PAYaaS), people! Participating merchants will no longer need to manage and secure the payment process, or user accounts and passwords, so they will not need to slog through PCI requirements. Amazon makes money on each transaction. Users benefit from a single account and password, and only need to trust Amazon (who already provides a very good user experience) with their account & payment information. – AL

3 Keys to security survival: Great overview in Dark Reading of how the core imperatives of a CISO continue to change given the Inevitability of Attacks. The article covers an Interop presentation by Blackstone’s CISO, Jay Leek, and describes three mindset and strategic shifts. The first is to get better visibility into threats and attacks. You also need better intelligence about attacks and attackers. And finally you need a planned response rather than just reacting to the latest attack du jour. It is right on the money so check out the article when you can. And keep in mind that this doesn’t mean you need to dump all your preventative controls. It just means you need to do a better job of being prepared to respond. – MR

Assume the worst: We have been saying for years that you should assume your environment has been breached, or will be, and define your defensive controls around that.

Security Awareness Training Evolution: Why Bother Training Users?

It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why they matter. It is not much different than your parents telling you that you cannot do something “because we said so.”

But regardless of the specific situation, security awareness training occurs for a few reasons, some more productive (and strategic) than others:

Limit Corporate Liability: If an organization doesn’t make very clear to employees what they can and cannot do using corporate technology assets, they cannot terminate employees for doing the wrong thing. Too much of today’s awareness training content is built as a warning to justify termination. This kind of training is built by lawyers expressly to enable them to prosecute employees if needed. That gives you a warm and fuzzy feeling, doesn’t it?

Compliance Mandate: This is in play in many government organizations, who are expected to follow NIST 800-50 to comply with FISMA and build a security training program. We applaud the mandate – we all know it wouldn’t happen otherwise. But compliance requirements rarely create sufficient urgency to excel or address the original goals behind the regulation.

Protect Information: Before our cynicism gets the best of us, some organizations perform security awareness training to actually train employees about security. Imagine that. In this case they need to know what not to click and why. They need to learn who to call when they think something is wrong. How to protect their mobile devices, which increasingly contain sensitive data and access. This content is typically built by the security team (or under their watch).

If your current awareness program is controlled by Human Resources with a heavy influence from the General Counsel, you have some work to do. If you are in charge of an awareness training program, at least you can roll out some content to achieve your objectives. That doesn’t mean you understand the latest and greatest training techniques. Nor does it mean you actually have the time to build effective training materials. But at least you can make some decisions about the training program, and that’s a start.

So we are excited to start a new blog series: “Security Awareness Training Evolution.” Adversaries have gotten better, so you need to prepare employees more effectively to be the first line of defense. Obviously they are an imperfect line of defense, but a human control is better than no control at all. As with all our blog series, we will write this one using our Totally Transparent Research methodology, which means we will post everything to the blog first and let you have an opportunity to provide feedback to make sure we are on target. Before we get started, we would like to thank the fine folks at PhishMe for potentially licensing the paper when we finish. We use the term ‘potentially’ because with our research process there is no commitment on either side until the research is done. That allows us to write what needs to be written, and for each licensee to verify that the content meets their needs (objectively, of course) before they actually license anything.

Pragmatic Security Training

It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as training remains. The main argument against security training is that it doesn’t work. That’s just not true. But honestly it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care, but they do bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. You need to accept that those folks will do what they want and you will clean it up. You also need to realize that some of your employees will be targeted by advanced attackers. No amount of security training will protect them if they are targeted. To clean that up you will need some high-end forensics, and if that’s in play you probably should consult our CISO’s Guide to Advanced Attackers.

Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be impacted and influenced by better training content, wouldn’t it make your life easier if you didn’t have to clean up after them too? Obviously it depends on the organization, but we have seen training reduce the amount of time spent cleaning up easily avoidable mistakes. Yet, far too many organizations lose interest when they don’t see immediate results. Like any program, security awareness training requires patience and persistence. This is covered in Mike’s Pragmatic CSO book. Here is an excerpt on this point:

The easiest thing to do regarding security awareness is to give up. Most organizations (and CSOs) are impatient. It’s hard to make a consistent effort when it is not clear that progress is being made. There really is a “tipping point” in security awareness, and until you get there, it’s hard to justify the time and investment required by the program. Thus the most critical success factor for security awareness is CONSISTENCY and PERSEVERANCE. It takes months and years of consistent effort to make security awareness second nature. Your employees have to overcome years of bad habits, like opening attachments and clicking links in emails.

What’s Broken?
How hard could it be to teach folks what not to do? You

Incite 10/2/2013: Shutdown

17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other thing. In fact, until this latest shutdown became a possibility, I didn’t even remember it happened in the first place. 17 years later, in my mind that shutdown was an inconsequential footnote in history that I needed to look up on Wikipedia to even remember it happened. I suspect we will see the same outcome this time. 17 years from now I doubt I’ll even remember how this group of politicians fought over funding this, that, or the other thing. The more things change, the more they stay the same. Negotiating deadlines are blown, activities are impacted, and people (a lot of people) aren’t working today because these folks can’t find the middle ground. But they’ll work it out. They always do. The last time the shutdown lasted for a total of 28 days. Maybe this one will be shorter. Maybe longer. The only thing I know for sure is that it will be more visible. With social media, you’ll be seeing tweets from folks out of work and Facebook blasts talking about how they are right and the opposition is wrong. So even though it’s the same, it will feel worse because we will see much more of it. That’s just the way things go down nowadays. We know how this movie ends. At some point they will make a compromise. Both sides will claim victory. Everyone will get back to work. Programs will be funded. Money will be squandered. Life will go on. Which is why it’s hard for me to get fired up about this stuff any more. The system is broken, but it’s the one we have. My efforts are far better spent worrying about the things I can control, and the idiotic machinations in Washington just aren’t on that list. So shutdown all you like. I have writing to do.

–Mike

Photo credit: “Anarchist computer” originally uploaded by Michael Bingaman

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Application Denial of Service
  Introduction
Firewall Management Essentials
  Quick Wins
  Managing Access Risk
  Optimizing Rules
  Change Management
  Introduction

Newly Published Papers

Continuous Security Monitoring
API Gateways
Threat Intelligence for Ecosystem Risk Management
Dealing with Database Denial of Service
Identity and Access Management for Cloud Services
The 2014 Endpoint Security Buyer’s Guide
The CISO’s Guide to Advanced Attackers

Incite 4 U

Distributing workloads won’t fill the gap: No, this isn’t my attempt to infringe on Rich’s cloud security coverage. I am talking about the significant security skills gap. In my CISO Roundtables at the IANS Forums this year, a very consistent theme has been the challenges of staffing. From finding qualified folks, to retaining the good ones, to keeping pace with technology… most CISOs spend a large (and increasing) portion of their time dealing with these softer personnel issues. After spending a day with HR, a firewall console probably never looked so good. Michael Santarcangelo explains in his CSO blog how he believes that distributing the workload among operational groups is the answer. He even said: “We don’t need more security professionals.” Uh, WTF? That’s dead wrong. I’m not saying we don’t need help, or that we don’t need the rest of the organization to become more security aware. But they have no real incentive to be secure. So over the long run, they won’t. Period. We clearly don’t have enough skills internally to even work with the ops groups and business folks to help them become more secure. So there is a skills gap, and it’s serious – and no amount of internal redistribution is going to solve it. – MR

MS RAMPing up: For those who don’t know, FedRAMP is the US government’s way of setting up a security baseline for cloud providers. While every agency (well, the ones still in business) needs to still meet its own requirements, FedRAMP is an assessment baseline they can leverage to reduce their overhead. So not every agency needs to deeply audit each cloud provider. Like most cloud security certifications, FedRAMP says the cloud meets a baseline, so you can focus on the bits you deploy above that. Microsoft Azure was just granted its FedRAMP certification (Okay, it isn’t a certification per se, but close enough). Microsoft is the first cloud service to get the sign-off from the Joint Assessment Board (DoD, DHS, and GSA), while Amazon has theirs from HHS and a third party assessor. Why do you care? Even if you aren’t a Fed (and you aren’t, because they aren’t allowed on the Internet right now for no apparent reason), FedRAMP, especially from the JAB, is a decent security baseline. It doesn’t mean you are ‘secure’ on that cloud, but it sure is a nice additional assurance. – RM

Better memory: Oracle’s big announcement at OOW 2013 was an in-memory database option. With a single configuration change and a metric crapton of DRAM, you basically can run the database in memory. What does that have to do with security, you wonder? Absolutely nothing. This really does not change any threats to the database, to answer a question a couple of you have asked me this week. But what’s most interesting is that the database loads data into memory as columnar and row stores, and

The Goof Excuse

Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon.

Of the 144,963 individuals affected, only 16,642 provided their driver’s license numbers. According to school officials, the breach was a result of “human error” involving compliance protocols when dealing with the personal data. A forensic investigation into the issue revealed that the information was “partly” accessed through a Virginia Tech server in Italy. “The issue here is that someone on our staff goofed,” Larry Hincker, associate vice president for University Relations, said.

Kudos to these folks for not blaming a super-sophisticated attack or the APT or any other way to skirt responsibility. They screwed up and lost data. It is also a reminder about the downside of poor security and IT operations.

Photo credit: “Professional Strength [GOOF OFF]” originally uploaded by Chapendra

Continuous Security Monitoring [New Paper]

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there.

Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment. This makes sense given the speed that attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (including both technology and process) to implement our definition of Continuous Security Monitoring (CSM) to monitor your information assets to meet a variety of needs in your organization. We discuss what CSM is, how to do it, and the most applicable use cases we have seen in the real world. We end with a step-by-step list of things to do for each use case to make sure your heads don’t explode trying to move forward with a monitoring initiative.

We are indebted to all our licensees for supporting our research and broadening our reach, including Qualys, Tenable Network Security, and Tripwire.

We don’t expect you to rebalance security spending between protection and detection overnight, but by systematically moving forward with security monitoring and implementing additional use cases over time, you can balance the scales and give yourself a fighting chance to figure out you have been owned – before it’s too late.

Check out the landing page in our Research Library or download the paper directly: Continuous Security Monitoring (PDF)

Incite 9/25/2013: Road Trip

Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is:

Boon: Jesus. What’s going on?
Hoover: They confiscated everything, even the stuff we didn’t steal.
Bluto: They took the bar! The whole f****** bar!
[Otter grabs a bottle of whiskey and throws it to Bluto, who chugs it all.]
Bluto: Thanks. I needed that.
Hoover: Christ. This is ridiculous. What are we going to do?
Otter & Boon: Road trip. ROAD TRIP!

Just the mere mention of those words makes me smile. Like most folks, I have great memories of the road trips I took in high school, college, as a recent graduate, and even now when my ATL buddies and I make a pilgrimage to go see a SEC football game every year. There isn’t much better than hopping in the car with a few buddies and heading to a different location, equipped with a credit card to buy decent drinks. Though this past weekend I had a different kind of road trip. I took The Boy to go see the NY Giants play in Charlotte. After a crazy Saturday, we drove the 3.5 hours and even had dinner at Taco Bell on the way. He loves the Doritos shell tacos and since it was Boys weekend, we could suspend the rules of good eating for a day. We stayed at a nice Westin in downtown Charlotte and could see the stadium from our room. He was blown away by the hotel and the view of the stadium at night. It was great to see the experience through his eyes – to me a hotel is a hotel is a hotel. We slept in Sunday morning, and when I asked him to shower before breakfast, he sent a zinger my way. “But Dad, I thought on Boys weekend we don’t have to shower.” Normally I would agree to suspend hygiene, but I had to sit next to him all day, so into the shower he went.
We hit the breakfast buffet and saw a bunch of like-minded transplanted New Yorkers in full gear to see the Giants play. He got a new Giants hat on the walk to the stadium and we got there nice and early to see the team warm-ups and enjoy club level. Of course, the game totally sucked. The G-men got taken to the woodshed. Normally I’d be fit to be tied – that was a significant investment in the hotel and tickets. But then I looked over and saw the Boy was still smiling and seemed happy to be there. He didn’t get pissed until the 4th quarter, after another inept Giants offensive series. He threw down the game program, but within a second he was happy again. I kept asking if he wanted to stay, and he didn’t want to go. We were there until the bitter end. After the long trip home, as he was getting ready for bed, we got to do a little post-mortem on the trip. He told me he had a great time. Even better, he suggested we take road trips more often – like every weekend. Even though I didn’t have one drink and the Giants totally sucked, it was the best road trip I’ve ever taken. By far.

–Mike

Photo credit: “Smoke Hole Rd, WV” originally uploaded by David Clow

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Firewall Management Essentials
  Quick Wins
  Managing Access Risk
  Optimizing Rules
  Change Management
  Introduction
Continuous Security Monitoring
  Migrating to CSM
  The Compliance Use Case
  The Change Control Use Case
  The Attack Use Case
  Classification
  Defining CSM
  Why. Continuous. Security. Monitoring?

Newly Published Papers

Threat Intelligence for Ecosystem Risk Management
Dealing with Database Denial of Service
Identity and Access Management for Cloud Services
The 2014 Endpoint Security Buyer’s Guide
The CISO’s Guide to Advanced Attackers
Defending Cloud Data with Infrastructure Encryption

Incite 4 U

Security According to Security Moses: Evidently Security Moses has descended from Mt. Sinai with the tablets of CISO success: the 10 Golden Rules of the Outstanding CISO by Michael Boelen. Most of this stuff is obvious, but it’s a good reminder that your integrity is important and to focus on the fundamentals. I had a chat with a large enterprise yesterday about that very topic. Don’t forget to be the “master of communication” and not to panic. Although it is easy to panic when the house seems to be burning down. Don’t oversell what you can do, and remember that process beats technology. Again, not brain surgery here, but under duress it’s always good to go back and consult the stone tablets. – MR

Emphatic Maybe: A simple statement like “We don’t have backdoors in our products” would address the issue. The problem is that every vendor who has released a statement regarding the NSA compromising their platforms has issued a qualified answer. This time it’s RSA, with “We don’t enable backdoors in our crypto products.” Which means exactly what? You have someone else do it? The NSA dropped the code into your product, so you didn’t have to? Was the RNG subsystem weakened to achieve the same result? Those are all accusations being thrown about, and the released statement does not definitively address them. The recommendation to stop using BSafe’s Dual Elliptic Curve Deterministic Random Bit Generator was a step in the right direction. Still, the ambiguity, which looks intentional, is fueling the fire of what has now become the biggest security story of the year. And it is reducing trust in data security vendors. In fact, it’s generating renewed interest in security

Firewall Management Essentials: Quick Wins

As we put a little bow on our Firewall Management Essentials series, it’s time to focus on getting quick value from your investment. We are big fans of a Quick Wins approach, because far too many technologies sputter as deployment lags and value commensurate with the investment is never seen. The quick wins approach focuses on building momentum early in the deployment by balancing what can be done right now against longer-term goals for a technology investment. If a project team doesn’t prove value early and often, that typically dooms the implementation to failure. For firewall management, the lowest hanging fruit is optimization of existing rule sets before implementing a strong change management process. But let’s not put the cart before the horse – first you need to deploy the tool and integrate it with other enterprise systems.

Deployment and Integration

The good news for firewall management is that one central server can handle quite a few firewalls – especially because the optimization and change management processes happen on a periodic, rather than continuous or real-time, basis. It’s not like management devices need to be inline and monitoring continuously, so the deployment architecture won’t make or break the implementation. Typically you deploy the firewall management server in a central location, and have it discover all the firewalls in your environment. You might kickstart the effort by feeding the list of existing firewalls into the management system. Do you want one central system, or a distributed environment? That depends on the scale of your environment and how quickly you need to be notified of changes. The longer the interval before rechecking each device’s configuration, the longer the window before you detect an unauthorized change. So you need to balance resource consumption against frequent checks to narrow the window between exploitation and detection.

The deployment architecture depends more on the frequency of monitoring for configuration changes than on anything else. The change process (workflow) can run off the central server. And the math to optimize a rule set doesn’t consume resources on a firewall. We have seen large firewall environments (think service providers) managed by a handful of firewall management devices – multiple devices installed for availability and redundancy, rather than for performance reasons.

For integration, as described earlier in this series, you will want to pull or push information from tools like a vulnerability management system, a SIEM/log management tool, and/or a reporting/GRC system. Most of these tools have well-established APIs, and it is reasonable to expect your vendor to already have integrated with the leading tools in these categories. Pulling information into the firewall management tool provides more context to understand what changes pose what risk. The area where you will gain the most value from enterprise integration is the help desk/task management system. Given the operational leverage of automating an effective firewall change management process, you will want to make sure changes are tracked in whatever tool(s) the operations team uses so you don’t have two sources of information, and everything is in sync. The good news is that these operational tools are mature, with mature SDKs for integration. Again, it is reasonable to expect your firewall management vendor to have already integrated with your work management environment.

Getting the Quick Win and Showing Value

We covered the change management process first in this series, because over time it is where we typically see the most sustainable value accrued. But in a quick wins scenario we need to get something done now. So going through existing firewalls and pinpointing areas of improvement, in terms of both security and performance, can yield the quick win we want. This is the optimization process.

The first job is to get value, but that is no good unless you can communicate it. So look to reports to highlight the results of the early optimization efforts. You will want to show things like how many unused rules were eliminated (reducing attack surface), as well as whether any of your old rules conflicted, and how the cleanup improved security. This quick effort (it should take a day or two) can build momentum for the next area of focus: change management.

Once the change management process is accepted in the environment and enumerated in the firewall management tool, you can start tracking service levels and response times on changes happening daily. You can also track the number of times changes that would have increased attack surface were flagged (and stopped) before going operational, to show how the tool reduces risk and increases the accuracy of firewall changes. This highlights how a firewall management tool reduces the risk of a faulty rule change adding attack surface. A what-if analysis of potential changes can ensure that nothing will break (or crush performance) before actually making a change.

You can also demonstrate value by migrating rules from one firewall to another. If you need to support a heterogeneous environment, or are currently moving to a NGFW-based architecture, these tools can provide value by suggesting rule sets based on existing policies and optimizing them for the new platform. If you are a glutton for punishment you can migrate one device without using the tool (busting out your old spreadsheets), and then use the firewall management tool for the next migration for a real comparison. Or you can use an anecdote (we saved XX days by using the tool) to communicate the value of the firewall management tool. Either way, substantiate the value of the tool to your operational process.

Finally, at some point after deploying the tool, you will have an assessment or audit.
You can then both leverage and quantify the value of the firewall management tool, in terms of saving time and increasing the accuracy of audit documentation. Depending on the regulation, the tool is likely to include a pre-built report which requires minimal customization the first time you go through the audit, in order to generate documentation and substantiate your firewall controls. You have now learned a bit about how to manage your firewalls in a

Keep Calm and Bust out the Tinfoil Hat

Dennis Fisher writes what many of us have been feeling for a while in The Sky is Not Falling–It’s Fallen. He argues that the fundamental underpinnings of security are being whittled away – slowly but surely. And the fact that it’s a cynical view doesn’t make it wrong. …the steady accumulation of evidence over the last three months makes it difficult to come to any conclusion other than this: nothing can be trusted. Security folks have talked about trusting no one – basically since the beginning of time. But really trusting nothing appears to present a mental barrier that many people are either unable or unwilling to jump. So we’ve come to the point now where the most paranoid and conspiracy minded among us are the reasonable ones. Now the crazy ones are the people saying that it’s not as bad as you think, calm down, the sky isn’t falling. In one sense, they’re right. The sky isn’t falling. It’s already fallen. I am no government apologist, and I think some activities definitely cross the line – including using the specter of terrorism to do whatever they want. We have evidence that the “powers that be” have manipulated the truth, painted dissenters as traitors, and continue to hide behind layers and layers of national security rhetoric and fear of terrorism to obfuscate the truth. But I wonder whether all this is really new. If I remember correctly, McCarthy used many of the same tactics to squelch dissent about clear violations of the rights of good, upstanding citizens, and to wage a witch hunt. Now they have automated tools to search for witches, and we’re surprised they are using them? We have worried about foreign governments (regardless of which particular governments you are most concerned about) putting back doors in imported products for a long time. Why would anyone assume our own government wouldn’t be doing the same? I guess the outrage comes from the realization that the emperor hasn’t changed his clothes since the 1950’s. 
I suppose it’s much more comfortable to go through life blissfully unaware of what’s really happening. I can’t really say that my life is better now that I know for a fact what I always suspected. Actually, now that I think about it, my life is the same. Am I going to do things differently because someone is watching? Nope. That doesn’t mean we should accept a surveillance society. But at the end of the day I am a realist, and perhaps a crazy one, because even if it’s “as bad as you think,” I am pretty sure life will go on. It will be different, but change is inevitable – the increasing pace of communications and automation continue to disrupt how we do things, in security and everywhere else. The question we each need to ask is: how much will we let this stuff impact our daily lives? Will you start wearing a tinfoil hat and embrace your own personal paranoia to the point of distraction? Or will you move forward, knowing the world is different, society has overcome lots of bad behavior in the past, and will do so in the future? That is a decision each of us needs to make, and we all need to live with the consequences of our decisions. For better and worse. And somewhere along the line I have become a borderline optimist. I guess it’s time to leave security.

Defending Against Application Denial of Service Attacks [New Series]

As we discussed last year in Defending Against Denial of Service Attacks, attackers increasingly leverage availability-impacting attacks both to cause downtime (which costs site owners money) and to mask other kinds of attacks. These availability-impacting attacks are better known as Denial of Service (DoS) attacks. Our research identified a number of adversaries who increasingly use DoS attacks, including:

  • Protection Racketeers: These criminals use DoS threats to demand ransom money. Attackers hold a site hostage by threatening to knock it down, and sometimes follow through. They get paid. They move on to the next target. The only thing missing is the GoodFellas theme music.
  • Hacktivists: DoS has become a favored approach of hacktivists seeking to make a statement and shine a spotlight on their cause, whatever it may be. Hacktivists care less about the target than about their cause. The target is usually collateral damage, though they are happy to hit two birds with one stone by attacking an organization that opposes their cause when they can. You cannot negotiate with these folks, and starting public discourse is one of their goals.
  • ‘CyberWar’: We don’t like the term – no one has been killed by browsing online (yet), but we can expect to see online attacks as a precursor to warplanes, ships, bombing, and ground forces. By knocking out power grids, defense radar, major media, and other critical technology infrastructure, the impact of an attack can be magnified.
  • Exfiltrators: These folks use DoS to divert attention from the real attack: stealing data they can monetize. This could be intellectual property theft or a financial attack such as stealing credit cards. Either way, they figure that if they blow in your front door you will be too distracted to notice your TV scooting out through the garage. They are generally right.
  • Competitors: They say all’s fair in love and business. Some folks take that one a bit too far, and actively knock down competitor sites for an advantage. Maybe it’s during the holiday season. Maybe it happens after a competitor resists an acquisition or merger offer. It could be locking folks out from bidding on an auction. Your competition might screen scrape your online store to make sure they beat your pricing, causing a flood of traffic on a very regular and predictable basis. A competitor might try to ruin your hard-earned (and expensive) search rankings. Regardless of the reason, don’t assume an attacker is a nameless, faceless crime syndicate in a remote nation. It could be the dude down the street trying to get any advantage he can – legalities be damned.

Given the varied adversaries, it is essential to understand that two totally different types of attacks are commonly lumped under the generic ‘DoS’ label. The first involves the network: blasting a site with enough traffic (sometimes over 300 Gbps) to flood the pipes and overwhelm security and network devices, as well as application infrastructure. This volumetric attack is basically the ‘cyber’ version of hitting something a billion times with a rock. This brute force attack typically demands a scrubbing service and/or CDN (Content Delivery Network) to absorb the onslaught of traffic and keep sites available. The second type of DoS attack targets weaknesses in applications. In Defending Against DoS we described an application attack as follows:

Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions. These attacks require knowledge of the application and how to break or game it. They can be far more efficient than just blasting traffic at a network, and in many cases take advantage of legitimate features of the application, making defense all the harder.

We are pleased to launch the next chapter in our Denial of Service research, entitled “Defending Against Application Denial of Service Attacks” (yep, we are thinking way out of the box for titles). In this series we will dig far more deeply into application DoS attacks and provide both an overview of the tactics and possible mitigations. Here is a preliminary list of what we intend to cover:

  • Application Server Attacks: The first group of AppDoS attacks targets the server and infrastructure stack. We will profile attacks such as Slowloris, Slow HTTP POST, RUDY, Slow Read, and XerXes, discussing mitigations for each. We will also talk about brute force attacks on SSL (overwhelming servers with SSL handshake requests) and loading common pages – such as login, password reset, and store locators – millions of times.
  • Attacking the Stack: Targeting Databases and Programming Languages: In this post we will talk about the next layers in the application stack, including the database and the languages used to build the application. Regarding database DoS, we will highlight some of our recent research in Dealing with Database Denial of Service.
  • Abusing Application Logic: As we continue to climb the application stack, we will talk about how applications are targeted directly with GET floods and variants. By profiling applications and learning which pages are most resource intensive, attackers can focus their efforts on the most demanding pages. To mitigate these attacks, we will discuss the roles of rate controls and input validation, as well as WAF and CDN based approaches to filter out attack requests before the application needs to deal with them.
  • Billions of Results Served: We will profile the common attacks which overwhelm applications by overflowing memory with billions of results from either search results or shopping carts. We will touch on unfriendly scrapers, including search engines and other catalog aggregators that perform ‘legitimate’ searching but can be gamed by attackers. These attacks can only be remediated within the application, so we will discuss mechanisms for doing that (without alienating the developers).
  • Building DoS Protections in: We will wrap up the series by talking about how to implement a productive process for working with developers to build in AppDoS protections.
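The point that attackers profile an application and hammer its most expensive pages is why a plain requests-per-second limit is a weak control: a few hundred search requests can cost the back end more than a hundred thousand static hits. One way to account for that is to charge each request a cost proportional to the work it causes. The following is an added example for this series; it is not Securosis code and not any product’s implementation. The per-path costs, the log format and the three client traces are constructed for the example.

```python
"""Cost-weighted, per-client rate limiting for application-layer DoS.

Added example; not Securosis code and not any product's implementation. The
per-path costs and the request log are constructed for the example. In a real
deployment the costs would come from profiling (server time per endpoint).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed relative costs: units of back-end work a request to each path burns.
PATH_COST: Dict[str, int] = {
    "/": 1,
    "/static/logo.png": 1,
    "/login": 10,           # password hashing on every attempt
    "/password-reset": 10,  # hashing plus outbound mail
    "/store-locator": 25,   # geo query
    "/search": 50,          # full-text query, potentially huge result set
}
DEFAULT_COST = 5            # unknown paths are assumed moderately expensive


class CostBucket:
    """Token bucket in which each request consumes tokens equal to its cost."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = capacity
        self.last = now

    def take(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)   # tolerate slightly out-of-order timestamps
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class CostRateLimiter:
    """One bucket per client key. A client may burn `capacity` units of work in a
    burst and `refill_per_sec` units per second sustained, however the work is
    split between cheap and expensive requests."""

    def __init__(self, capacity: float = 200.0, refill_per_sec: float = 20.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets: Dict[str, CostBucket] = {}

    def allow(self, client: str, path: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = CostBucket(self.capacity, self.refill, now)
        return bucket.take(PATH_COST.get(path, DEFAULT_COST), now)


def parse_line(line: str) -> Tuple[float, str, str]:
    """Constructed log format: '<epoch seconds> <client ip> <method> <path>'."""
    ts, client, _method, target = line.split()
    return float(ts), client, target.split("?", 1)[0]   # cost is keyed on path, not query


def summarize(lines: List[str], limiter: CostRateLimiter) -> Dict[str, Tuple[int, int]]:
    """Replay a log through the limiter; return {client: (allowed, blocked)}."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, client, path in sorted(parse_line(l) for l in lines):
        counts[client][0 if limiter.allow(client, path, ts) else 1] += 1
    return {c: (a, b) for c, (a, b) in counts.items()}


def constructed_log() -> List[str]:
    """Three constructed clients: a busy but cheap browser, a search flood, a login flood."""
    lines = []
    lines += [f"{0.10 * i:.2f} 198.51.100.7 GET /" for i in range(100)]            # 100 cheap hits over 10 s
    lines += [f"{0.10 * i:.2f} 203.0.113.5 GET /search?q=a{i}" for i in range(10)]  # 10 searches in 1 s
    lines += [f"{0.05 * i:.2f} 203.0.113.9 POST /login" for i in range(30)]         # 30 logins in 1.5 s
    return lines


if __name__ == "__main__":
    for client, (ok, blocked) in summarize(constructed_log(), CostRateLimiter()).items():
        print(f"{client:15} allowed={ok:3d} blocked={blocked:3d}")
```

Replaying the constructed log, the browser that makes a hundred cheap requests is never throttled, while the client firing ten searches in a second gets four through before the bucket empties, and the login flood is cut off after twenty-two attempts. Two caveats a practitioner will want: keying on source IP is only a first approximation, since a distributed attacker spreads the cost across many buckets and legitimate users behind a NAT or proxy share one, so key on session or account where you can; and a limiter caps how many expensive requests get in, not how much a single request is allowed to return, which is why the “Billions of Results Served” problem still has to be fixed in the application.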

Incite 9/18/2013: Got No Game

On Monday night I did a guest lecture for some students in Kennesaw State’s information security program. It is always a lot of fun to get in front of the “next generation” of practitioners (see what I did there?). I focused on innovation in endpoint protection and network security, discussing the research I have been doing into threat intelligence. The kids (a few looked as old as me) seemed to enjoy hearing about the latest and greatest in the security space. It also gave me a forum to talk about what it’s really like in the security trenches, which many students don’t learn until they are knee-deep in the muck. I didn’t shy away from the lack of obvious and demonstrable success, or how difficult it is to get general business folks to understand what’s involved in protecting information. The professor had a term that makes a lot of sense: security folks are basically digital janitors, cleaning up the mess the general population makes. When I started talking about the coming perimeter re-architecture (driven by NGFW, et al), I mentioned how much time they will be able to save by dealing with a single policy, rather than having to manage the firewall, IPS, web filter, and malware detection boxes separately. I told them that would leave plenty of time to play Tetris. Yup, that garnered an awkward silence. I started spinning and asked if any knew what Tetris was? Of course they did, but a kind student gently informed me that no one has played that game in approximately 10 years. Okay, how about Gears of War? Not so much – evidently that trilogy is over. I was going to mention Angry Birds, but evidently Angry Birds was so 12 months ago. I quit before I lost all credibility. There it was, stark as day – I have no game. Well no video game anyway. Once I got over my initial embarrassment, I realized my lack of prowess is kind of intentional. I have a fairly addictive personality, so anything that can be borderline addictive (such as video games) is a problem for me.
It’s hard to pay my bills if I’m playing Strategic Conquest for 40 hours straight, which I did back in the early 90’s. I have found through the years that if I just don’t start, I don’t have to worry about when (or if) I will stop. I see the same tendencies in the Boy. He’s all into “Clash of Clans” right now. Part of me is happy to see him get his Braveheart on attacking other villages, Game of Thrones style. He seems pretty good at analyzing an adversary’s defenses and finding a way around them, leading his clan to victory. But it’s frustrating when I have to grab the Touch just to have a conversation with him. Although at least I know where he gets it from. Some folks can practice moderation. You know, those annoying people who can take a little break for 15 minutes and play a few games, and then be disciplined enough to stop and get back on task. I’m not one of those people. When I start something, I start something. And that means the safest thing for me is often to not start. It’s all about learning my own idiosyncrasies and not putting myself in situations where I will get into trouble. So no video games for me! –Mike Photo credit: “when it’s no longer a game” originally uploaded by istolethetv Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Firewall Management Essentials Optimizing Rules Change Management Introduction Continuous Security Monitoring Migrating to CSM The Compliance Use Case The Change Control Use Case The Attack Use Case Classification Defining CSM Why. Continuous. Security. Monitoring? 
API Gateways Implementation Key Management Developer Tools Newly Published Papers Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Defending Cloud Data with Infrastructure Encryption Incite 4 U Good guys always get DoS’ed: Django learned the hard way that if you give hackers an inch they’ll take a mile – and your site too. Last week they suffered a denial of service attack when users submitted multi-megabyte passwords – the “computational complexity” of generating strong hashes for a few requests was enough to DoS the site. Awesome. The mitigation to this kind of attack is input validation. Sure, as a security expert I still get pissed when sites limit me to 8 character passwords, but it’s unreasonable to accept the Encyclopedia Britannica as valid field input. I am sorry to be smiling as I write this – I feel bad for the Django folks – but it’s funny how no good security intentions go unpunished. Thanks for patching, guys! – AL DHS gets monitoring religion (to the tune of $6B): Not sure how I missed the award of a $6 billion DHS contract to implement continuous detection and mitigation technology. Evidently this is the new term for continuous monitoring, and it seems every beltway bandit, and scanning and SIEM vendor, is involved. So basically nothing will get done – I guess that’s the American way. But this move, which started with NIST’s push to continuous monitoring and continues with DHS’s rebranded CDM initiative, is going in the right direction. Will they ever get to “real time” monitoring? Does it matter? They can’t actually respond in real time, so I don’t think so. If any of these gold-plated toilet seats provides the ability to see a vulnerability within a few days (rather than showing up on a quarterly report, and being ignored), it’s an improvement.
As they said in Contact, “baby steps…” – MR FUD filled vacuum: When working with clients I am often still surprised at how often even mature organizations underestimate the eventual misinterpretations of their
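The Django item above is a good illustration of where the input validation has to sit: before any hashing work, and on the login path as well as account creation, since the attacker-controlled password arrives at both. The following is an added example written for this post; it is not Django’s code. The 4096-byte cap, the iteration count and the storage format are assumptions chosen for the example.

```python
"""Bound password length before doing expensive hashing.

Added example for the Django item; not Django's code. The 4096-byte cap,
iteration count and stored-hash format are assumptions made for the example.
"""
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # assumed cap: generous for a human, tiny for an attacker
ITERATIONS = 100_000        # assumed work factor
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised on the set/change path so the caller can return a validation error."""


def password_within_limit(password: str) -> bool:
    """Check the UTF-8 byte length, not the character count: with multi-byte
    characters a 'short' string can still be large on the wire and in the hash."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted PBKDF2 hash, refusing oversized input before any work.

    The cost of a password hash grows with the size of its input, and a naive
    PBKDF2 can process the long key on every one of its iterations. Rejecting
    (rather than silently truncating) keeps the policy visible and testable and
    bounds the work an unauthenticated request can trigger.
    """
    if not password_within_limit(password):
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login path. The same length check must sit here: the attack submitted
    oversized passwords to a form that hashes them for comparison, not to
    account creation. The early return is cheap by design; the length policy
    is not a secret."""
    if not password_within_limit(password):
        return False
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("oversized rejected:", not verify_password("a" * (MAX_PASSWORD_BYTES + 1), stored))
```

The cap is deliberately far above anything a user would type, so it costs nothing in usability, and the check costs one `encode()` rather than a hash. The same reasoning applies to any other field whose processing cost scales with its size (anything that gets hashed, compressed, parsed or searched): bound it at the edge, before the expensive code runs.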

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.