Research

The High Price of the Silence of Cyberwar: In today’s debate about cyberwar, all information disclosed seems to come with an agenda. Everyone evaluating the information is forced to look not only at the information, but the motivation for revealing that information. Worse, they can question if the information not revealed is shaped differently from what is revealed. A defender who reveals information regularly and in accordance with a policy will gain credibility, and with it, the ability to better influence the debate. Adam brings up an interesting point here, regarding whether there are advantages for nation states to discuss the kinds of attacks they are stopping. Of course, the quote above sums up the issue – which is balancing information versus disinformation and not causing a panic. Adam defends disclosure (mostly to a fault), and we need folks out there pushing for more information sharing, which is critical to evolving the practice of information security. That said, I do think in a lot of cases the public can’t handle the truth. They don’t want to handle the truth. They want to remain blissfully unaware of the impact of any attack, whether it’s an ICBM or a Stuxnet targeting their country’s critical infrastructure. What turns out to be a very brittle critical infrastructure – at least from an information security standpoint. Maybe we’ll get to the point where the military apparatus parades a country’s hackers through the capital like they do the tanks and armored militia, just to allay the fears of the populace that someone is defending the cyber frontier. Now that would be entertaining. Share:

Feds step up HIPAA enforcement with hospice settlement The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle. For anyone still agonizing over deploying full disk encryption (FDE) on any device that handles protected data: Stop. It. Now. Just buy it. Yes, maybe the breach will happen to the other guy. Maybe the fines will hit the other guy. But clearly HHS wants to make examples of some folks, and you don’t want them to pick you. By the way, if you are worried about FDE costing a bunch of extra money, I’ll let you in on a little negotiating tactic. If you use Vendor X for endpoint protection, invite the rep in for a visit. Then strategically leave a mug from Competitor Y on you desk. Or maybe even give the rep coffee in the other vendor’s mug. Is that tacky? Sure, but it sends a clear message that you have options for endpoint protection. Which you do. Share:

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, … “But I also have to be able to make the information available immediately in an emergency,” he said. “A 90-second delay if you’re waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds figure out if you’re allergic to penicillin, it could be a matter of life and death. Segregated healthcare networks rarely work, expert says Nice to see our friend Martin Fisher give some good quote in the CSO Online article and he’s right. As more integrated business systems become pervasive, they screw up your ability to segment networks. To be clear, segmentation is your friend, but that only works when you can segment. Otherwise you need to provide more access than you’d prefer, and that means the focus turns toward authentication (making sure the right people get on) and security monitoring. If you can’t keep them out, you had better be able to React Faster and Better. Share:

I was in the car the other day with one of the kids, and they asked me if I ever get lost. I have a pretty good sense of direction and have been able to read maps as long as I remember. I was probably compensating for my Mom’s poor sense of direction and my general anxiety at a young age about feeling lost. But it’s different today. With the advent of ever-present GPS and decent navigation, I can say it has been a long while since I have really been lost. I get misdirected sometimes, but that lasts maybe a minute and then I figure out my way. But these gadgets are no silver bullet. A couple years ago I was doing a seminar tour and ended up in Detroit. I did my thing, got some sleep, and was ready to head out to the airport the next morning. The car was equipped with a GPS from the rental car company, so I hit the button to take me to the airport and started driving. About 40 minutes later, I started thinking something was screwy. Then I got that feeling in the pit of my stomach, when I realized I selected the wrong airport in the GPS. I was driving in the wrong direction for over a half-hour and I was very unlikely to make my flight. And this was not the day to miss the flight. The Boss was leaving town and I had to get the kids from their various schools and activities. Of course, when I finally got to the right airport, all the flights back to Atlanta were booked up. I was totally screwed. So I paid a whole bunch of idiot tax and bought a first class seat on another airline. And I still had to call in a bunch of favors from friends and family to take the kids until I could get home. Feels like I’m still paying for that period of idiocy. Let’s just say I double check every time I enter an address into a GPS nowadays. But now let’s consider navigation metaphorically. We have technology that can help us get anywhere we want to go. It’s built into your car and you carry it in your pocket. But that doesn’t make it any easier to know where you should be going. And even when you get there, you are usually disappointed with the destination… Maybe it wasn’t everything you cracked it up to be. Sometimes the grass isn’t greener when you get there. When I think about it and play out the metaphor a bit further, there’s another reason it has been a while since I was last lost. I guess at this point in my life, I don’t get lost because I’m not trying to get anywhere. I’m very fortunate to be in a situation where I can actually say that. And mean it. Given my cultural programming, it took me a long time to accept where I am and to not strive to get to where I’m not. There are some days I forget – I am human after all. But there is no GPS for life. That’s worth remembering. –Mike Photo credits: Hertz NeverLost III originally uploaded by Josh Bancroft Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services The Solution Space Introduction Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U BYOD basics: I mentioned this briefly on the blog earlier this week but wanted to add a bit. ENISA released a great guide to getting started with BYOD. It is far more practical than most approaches I have seen, and includes links to a lot of public examples. One of key aspect is how the guide consistently addresses the issue of getting employee cooperation. You can’t hit BYOD with a hammer or you will just end up smashing your thumb. If the employee owns it, you need to entice them with benefits – not act as if you are doing them a favor by allowing them access to corporate email on their off hours. For more detail on the technology, I wrote a paper with a spectrum of options for protecting data on iOS. As a security guy I hate giving up control as much as anyone, but employees aren’t cattle and they need a fair deal or they’ll figure out a way around whatever you come up with. – RM Carnival of dysfunction: Leaking thousands of patient records is not news, – we have had a steady diet of leaks and breaches over the past decade. But the recent LA Times article on a couple who improperly stored some 300k patient records was interesting for the myriad levels of disfunction it describes. And it’s clear from comments by both the third party provider and Kaiser that they don’t understand data security. Couple that with the Times slant that small firms should never store sensitive data at home because it can’t be secure, and you have a carnival of dysfunction. This issue is not unique to Kaiser – most large enterprises engage small third party service providers because they offer a specific skill at low cost and are agile enough to adapt to market changes. But don’t expect them to know security, and don’t expect them to comply with requests for military-grade security or formal compliance processes. Companies should provide simple security controls that are both understandable and implementable by small firms. For example some full disk encryption, key management, and a dedicated computer for sensitive

Any time you go after an entrenched technology, there will be pushback. So it’s not surprising that some folks believe that imperva’s anti-virus study is garbage. this makes it pretty clear that the product a customer installs is very much a different thing from the program that virustotal uses – they will in most cases behave very differently and so the results that virustotal spits out cannot be considered representative of what actual users of anti-malware products will experience. Normally I won’t link to anything on the anti-virus-rants blog because I object to kurt’s lack of capitalization. But in this case, he underscores a reality that every security professional needs to deal with. There is detection and then there is protection. You can be protected from a malware attack without having technology to detect the malware. That means you have a synergistic (or complimentary) control in place to protect the device. For example, you may not have a signature to block a 0-day, but you’ve implemented application white listing on that public kiosk, so the malware can’t install. Protection without detection. Imagine that. So kurt’s general issue is railing against the industry marketing machine for vilifying the AV vendors because they can’t actually detect enough malware. His point is that endpoint protection involves more than just anti-virus detection. As such, many of those malware samples (tested by Technion through VirusTotal) would not necessarily compromise a device because other controls in the suite would provide the protection. he’s right. And yes, my lack of capitalization is an homage to kurt. 😉 But then he swings at Rob Graham about Rob’s defense of the testing methodology. Rob’s point is that the methodology is fine. The AV agents don’t detect a lot of the malware and that is how many folks deploy the anti-virus engines as part of a security gateway or UTM. In that scenario, Rob is right as well. Though we continue to avoid the elephant in the room, and that’s the marketing spin. You know, the game of words. Imperva spun this story as an indictment of endpoint protection, when it was really validating what should already be common knowledge. Standalone anti-virus is not going to catch much malware. You can decompose words and try to infer Imperva’s intent, but that’s pointless. The marketing folks at Imperva are good at what they do and I don’t begrudge them for spinning the results of the study. It’s their job. They try to create urgency for their employer’s technology by favorably positioning data points to tell their story. As I’ve said many times before. Don’t hate the playas, hate the game. Share:

what’s the deal with the cisco phone eavesdropping hack? These phones are basically little computers. If an attacker can take control of it, they can do the same things from it that they could by using a rogue or compromised system on a network. The “eavesdropping mic” is just one of many ways the compromised phone could be used. Yup, there is a demo out there of someone taking over a Cisco IP phone because basically it’s a computer. Even better, it’s a computer that allows privilege escalation via a kernel exploit if someone has access to the phone. Of course Lonervamp brings up one of the key issues, which is exfiltration. So if someone can eavesdrop on my very interesting heavy breathing during my deep research endeavors, they still have to get the data off the phone and out of the network. Remember back to Rich’s awesome data breach triangle. No exfiltration, no breach for you (in my Soup Nazi voice). But all the same, folks just plug stuff into their networks without a lot of thought for how these devices can become weapons against them. At some point they will, or not. Share:

How much does it cost to start your own CA? The main thing you’re looking to do is to pass the WebTrust audit and associated practices that the platforms will require you to do. Microsoft has the most mature process. They have a set of rules and guidelines. If you follow them, you’re in. One of those, by the way, is that you have to be a retail CA, as opposed to an internal one or a government one. It’s best to work with Microsoft first, and once you’re in their root program move to the others. They are fair, disciplined, and helpful. Most of all, once you’ve gone through all that, it’s easier to get into the other important root stores. This is an interesting description of the process Jon Callas drove at PGP to get them into the CA business. It’s instructive to understand the process, especially since compromising a CA seems to be the path of least resistance for a bunch of attackers to execute on multi-faceted attacks. I think it bears mentioning that starting the CA is really only the first step. Having certs in any of the major browsers makes you a major attack target. So even if it costs $250K to get things up and running, it will cost a lot more over time to protect the integrity of your CA. Share:

Levelling up in the real world. When you are looking out for the welfare of your organization instead of focusing on what you can get for yourself, that’s when you’ll be given the chance to do more and own more. Wendy provides some hard-earned career guidance on promotions. She presents a great list on what won’t get you promoted and what you shouldn’t do. Wendy talks about the hazards of being irreplaceable, but ultimately gets back to the real secret. It’s not about you. Yeah, it’s about karma, if you believe in that kind of stuff. Do the right thing for your organization without worrying much about how it will impact your pay or title, and good things will happen. Maybe not within that specific organization, as sometimes you’ll need to switch horses if there is nowhere to move. But the point is the same. Work consistently. Stop climbing over people on your way to the top. The big jobs can be overrated. But ultimately it’s about doing the right stuff, consistently. I talked about that in yesterday’s Incite. But I will mention one key aspect of career planning. Be careful what you wish for. Don’t be ashamed if your boss’s job is not interesting to you. That’s okay. What’s not okay is to accept a promotion or added responsibility that will make you unhappy. You’ll suck at the new job. You will become the problem. You’ll be moved out. That’s the anti-promotion. So if you like what you do, then do that. Live your life without regret. Share:

Happy 2013 everybody! At the dawn of a new year, most folks think more proactively about what they want to change – and what they don’t. I have spoken many times about the need to embrace change and even to learn to love change. Change is good. Stagnation is bad. But the trouble lies in how you achieve that change – and how you react when change is forced upon you. We were in the car the other day, and the Boss asked the kids about their New Year Resolutions. She and XX1 had some great ideas about what they resolved to do in the coming year. Everything they said was outstanding. But here’s the rub. Talk is easy. Resolutions are easy. Writing down resolutions is harder than saying them. And actually doing something consistently is infinitely harder. That’s why so many folks fail year after year regarding their resolutions. I am working on not putting a pin in every thought balloon floated in my direction. Cynics are trained to deflate ideas before they get airborne. It’s not the most positive feature of my OS. So in an attempt to do things differently, I held off from the typical interrogation that would follow a resolution. My instinct is to dig into the plan. I want everyone to lose weight or communicate better or get in shape or do whatever you’ve resolved to do. But without a plan – and more importantly an accountability partner – the odds are not in your favor. That’s not being pessimistic, it’s being realistic. You see, resolutions have to do with what you want to change. By the time we get through January, the best laid plans will be totally screwed up by external forces requiring you to adapt. Maybe it’s an injury that inhibits your exercise resolution. Or a new high profile project that gets in the way of family dinners. That’s why I largely stopped setting goals. And I don’t make New Year’s resolutions. Why should I wait until the end of December to do the right thing? That doesn’t mean I plan to stagnate. I know where I want to get to. But I’m less set on how I get there. Regardless of what happens, I’ll adapt accordingly. I did a bunch of analysis at the end of last year to figure out what needs to happen every month to hit my desired economic outcome. But life will intrude and I’ll need to adapt. I know how I need to eat to maintain my desired weight and how many days I need to exercise to strengthen my body accordingly. Some days I’ll do well, other days I won’t. My plan is to look back in 12 months and feel good about what I’ve accomplished. But there are no hard or fast rules about what that means. There are no specifically defined goals. It’s about making sure I’m moving in the right direction. I’ll get there when I get there. If I get there. The only thing I specifically focus on is consistent effort. The beauty of not being tied to specific goals is that I can add variety to my actions and my activities. I get that’s an oxymoron. To me, consistent variety means to work hard every day. Be kind every day. Make good choices every day. And adapt as needed. You know, grind. Do stuff. Make mistakes. But move forward. Always. For a pessimist, I’m pretty optimistic about 2013. –Mike Photo credits: Consistency originally uploaded by Matt Hampel Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Building an Early Warning System Deploying the EWS Determining Urgency Understanding and Selection an Enterprise Key Manager Management Features Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Editors note: With great pleasure we welcome one of our two favorite Canadians as an Incite contributor. Jamie Arlen (@myrcurial for you Twitterati) will be contributing a piece each week, and his stuff will be tagged JA. So now you know where to send the hate mail… Monetizing the entire PC: Krebs’ recent post about the market for stolen passwords made me think of the huge markets the Boss and I visited in Barcelona last spring. The butchers there would sell pretty much every part of the animal. You’d look at the display case and think “WTF is that?” There is very little waste. It seems that PCs are silicon goats, and the underground markets Krebs frequents are the places where the parts get traded. By the way, it’s not much different than how Wall Street packages up pretty much everything, slices it, values it, and sells it in various tranches. Then they sell derivatives on the tranches, making transaction fees on every step of the cycle. I don’t think there is a big market for the meat of a lemming, but there is a huge market for consumer PC lemmings. That’s for sure. – MR Have fun without the echoes: 2012 is in the bag, and for some of us it couldn’t come soon enough. Oh, I had some nice highlights of the year (especially the bit about going to the Tour de France), but it seems I spent too much time sick or buried in less-interesting projects. Despite all that, one thing I avoided was getting caught up in the echo-chamber security BS that sometimes plagues Twitter, blogs, and the press. Almost none of these debates matter in any meaningful way, as Dave Shackleford says so well: “There’s been a lot of acrimonious discussion in the security community this year…and I

As we say goodbye to Old Man 2012 and get ready to welcome Baby New Year 2013, it is time for some downtime and reflection. This will be the last Incite of the year. My focus over the next two weeks will be enjoying the accomplishments of the past 12 months. Which, by the way, is very hard for me. I came into the world with the unsatisfied gene. No matter how good it is, it can be better. No matter how much got done, I could have done more. With every accomplishment, I have already started looking towards the next goal because there are always more things to do, different windmills to tilt at, and another mountain to climb. But not this year. I will make a concerted effort to acknowledge where I’ve been and how far I’ve come. Both personally and professionally. And it will be a long time coming. The Boss and I were talking last night and she mentioned that we need to enjoy things a bit more. To have more fun. We have a great lifestyle and comforts I couldn’t have imagined, growing up in a much more modest situation, but it always seems we’re running from one place to the next. Fighting yet another fire, working on the next project, or filling up our social calendar. She is exactly right. I also need to celebrate life. We keep being reminded how fleeting it is. I will take some time to appreciate my good health and the health of my family. I will enjoy the quality time I get to spend with the people I care about. And I’ll be thankful for every day I get. At some point in the future, I will get an invitation to stop playing this game called life. Until then I plan to make the most of it. When I say ‘celebrate’, don’t expect a big blowout bash or any other ostentatious showing of prosperity. I like to celebrate in a low-key fashion. I’m not into material things, so I don’t celebrate a good year by buying things I don’t need. I’m also painfully aware that it’s still tough out there. Good fortune has overlooked many folks who have more talent and work harder than I do. These folks continue to struggle as the global economy continues its slow arduous recovery. More to the point, I know success is fleeting, and I have personally been down a lot more than I have been up. I’ll smile a bit thinking back on the last year, but I am all too aware there is more work to be done, and on January 1 the meter resets to 0. See? There I go again, moving forward even when I’m trying to stay in one place. We have wrapped up our 2013 planning at Securosis, and we have a good plan. As good as 2012 has been, it can get better. We will launch the Nexus, we will continue investing in our cloud security curriculum, and we will continue researching, using our unique Totally Transparent Research model. And there will also be a surprise or two out of us next year. It will all be a lot of work and I look forward to it. If it was easy everyone would be doing it. And I would be remiss if I didn’t thank all of you for reading our stuff, adding comments to our posts, telling us when we’re wrong, and tipping one (or ten) back when we see each other in person. Every company is built on relationships, and we at Securosis are very very fortunate to have great relationships with great folks at all levels and functions within the security ecosystem. I wake up some days and pinch myself that I get to pontificate all day, every day. Yup, that calls for a celebration. It must be beer o’clock somewhere. From all of us at Securosis, have a great holiday, be safe, and we’ll see you in 2013. –Mike Photo credits: Celebrate You – Celebrate Life! originally uploaded by Keith Davenport Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Building an Early Warning System Deploying the EWS Determining Urgency Understanding and Selecting an Enterprise Key Manager Management Features Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Title fail: I got pretty excited – any article called “Information Security as a Business Enabler” is bound to give me fodder to lampoon for hours. I mean, a business enabler? C’mon, man! Normally security is a business disabler. I remember trying to position digital certificates as an enabler of new business processes back in the day, and getting laughed out of the customer’s office. So you can imagine how disappointed I was to see the article is really about doing an impact analysis and post-mortem after a breach. I mean, the article is solid and makes points we have been talking about for years. But how this has anything to do with business enablement is beyond me. So some editor is either trolling for views or didn’t read the article. Either way it’s title FAIL. – MR HP contracts small guy syndrome: In last week’s Incite, both Mike and I commented on Gartner’s criticism of Amazon’s and HP’s service level agreements (SLAs) for their respective clouds. Lo and behold, HP responded with an amusing blog post this week. Remember that the only real cloud security controls you have are those guarantee in the contract, so it’s amusing that HP first felt the need to ‘educate’ us all on what an