Vulnerability Management Evolution: Introduction

Back when The Pragmatic CSO was published in 2007, I put together a set of tips for being a better CISO. In fact you can still get the tips (sent one per day for five days) if you register on the Pragmatic CSO site. Not to steal any thunder, but Tip #2 is Prioritize Fiercely. Let’s take a look at what I wrote back then.

Tip #2 is all about the need to prioritize. The fact is you can’t get everything done. Not by a long shot. So you have a choice. You can just not get to things and hope you don’t end up overly exposed. Or you can think about what’s important to your business and act to protect those systems first. Which do you think is the better approach? The fact is that any exposure can create problems. But you dramatically reduce the odds of a career-limiting incident if you focus most of your time on the highest profile systems. Maybe it’s not good old Pareto’s 80/20 rule, but you should be spending a bulk of your time focused on the systems that are most important to your business. Or hope the bad guys don’t know which is which.

5 years later that tip still makes perfect sense. No organization, including the biggest of the big, has enough resources. Which means you must make tough choices. Things won’t be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective. Optimally, resources are allocated and priorities set based upon value to the business. In a security context, that means the next thing done should reduce the most risk to your organization. Of course calculating that risk is where things get sticky.
Regardless of your specific risk quantification religion, we can all agree that you need data to accurately evaluate these risks and answer the prioritization question. Last year we did a project called Fact-Based Network Security: Metrics and the Pursuit of Prioritization which dealt with one aspect of this problem: how to make decisions based on network metrics. But the issue is bigger than that. Network exposure is only one factor in the decision-making process. You need to factor in a lot of other data – including vulnerability scans, device configurations, attack paths, application and database posture, security intelligence, benchmarks, and lots of other stuff – to get a full view of the environment, evaluate the risk, and make appropriate prioritization decisions. Historically, vulnerability scanners have provided a piece of that data, telling you which devices were vulnerable to what attacks. The scanners didn’t tell you whether the devices were really at risk – only whether they were vulnerable.

From Tactical to Strategic

Organizations have traditionally viewed vulnerability scanners as a tactical product, largely commoditized, and only providing value around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Though the 100-page report did make the auditor smile, as it provides a nice listing of all the audit deficiencies to address in the findings of fact. At the recent RSA Conference 2012, we definitely saw a shift from largely compliance-driven messaging to a more security-centric view. It’s widely acknowledged that compliance provides a low (okay – very low) bar for security, and it just isn’t high enough. So more strategic security organizations need better optics. They need the ability to pull in a lot of threat-related data, reference it against an understanding of what is vulnerable, and figure out what is at risk.
Yesterday’s vulnerability scanners are evolving to meet this need, and are emerging as a much more strategic component of an organization’s control set than in the past. So we are starting a new series to tackle this evolution – we call it Vulnerability Management Evolution. As with last year’s SIEM Replacement research, we believe it is now time to revisit your threat management/vulnerability scanning strategy. Not necessarily to swap out products, services, or vendors, but to ensure your capabilities map to what you need now and in the future. We will start by covering the traditional scanning technologies and then quickly go on to some advanced capabilities you will need to start leveraging these platforms for decision support. Yes, decision support is the fancy term for helping you prioritize.

Platform Emergence

As we’ve discussed, you need more than just a set of tactical scans to generate a huge list of things you’ll never get to. You need information that helps you decide how to allocate resources and prioritize efforts. We believe what used to be called a “vulnerability scanner” is evolving into a threat management platform. Sounds spiffy, eh? When someone says platform, that usually indicates use of a common data model as the foundation, with a number of different applications riding on top, to deliver value to customers. You don’t buy a platform per se. You buy applications that leverage a platform to solve the problems you have. That’s exactly what we are talking about here. But traditional scanning technology isn’t a platform in any sense of the word. So this vulnerability management evolution requires a definite technology evolution. We are talking about growth from single-purpose product into multi-function platform. This evolved platform encompasses a number of different capabilities, starting with the tried and true device scanner and extending to database and application scanning and risk scoring.
But we don’t want to spoil the fun today – we will describe not just the core technology that enables the platform, but the critical enterprise integration points and bundled value-added technologies (such as attack path analysis, automated pen testing, benchmarking, et al) that differentiate a tactical product decision from a strategic platform deployment. We will also talk about the enterprise features you need from a platform, including

Incite 3/28/2012: Gone Tomorrow

A recent Tweet from Shack was pretty jarring.

Old friend from college died today. Got some insane rare lung disease out of nowhere, destroyed them. Terrifying. 37 years old. :/

Here today. Gone tomorrow. It’s been a while since I have ranted about the importance of enjoying (most) every day. About spending time with the people who matter to you. People who make you better, not break you down. Working at something you like, not something you tolerate. Basically making the most of each day, which most of us don’t do very well. Myself included. This requires a change in perspective. Enjoying not just the good days but also the bad ones. I know the idea of enjoying a bad day sounds weird. It’s kind of like sales. Great sales folks have convinced themselves that every no is one step closer to a yes. Are they right? Inevitably, at some point they will sell something to someone, so they are in fact closer to a ‘yes’ with every ‘no’. So a bad day means you are closer to a good day. That little change in perspective can have a huge impact on your morale. The challenge is that you have to live through bad days to appreciate good days. It takes a few cycles through the ebbs and flows to realize that this too shall pass. Whatever it is. It’s hard to have that patience when you are young. Everything is magnified. The highs are really high. And the lows, well, you know. You tend to remember the lows a lot longer than the highs. So a decade passes and you wonder what happened. You question all the time you wasted. The decisions you made. The decisions you didn’t. How did you turn 30? Where did the time go? The time is gone. And it gets worse. My 30s were a blur. 3 kids. Multiple jobs. A relocation. I was so busy chasing things I didn’t have, I forgot to enjoy the things I did. I’m only now starting to appreciate the path I’m on. To realize I needed the hard times. And to enjoy the small victories and have a short memory about the minor defeats.
I was a guest speaker at Kennesaw State yesterday, talking to a bunch of students studying security. There were some older folks there. You know, like 30. But mostly I saw kids, just starting out. I didn’t spend a lot of time talking about perspective because kids don’t appreciate experience. They still think they know it all. Most kids anyway. These kids need to screw up a lot of things. And soon. They need to get on with bungling anything and everything. I didn’t say that, but I should have. Because actually all these kids have is time. Time to gain the experience they’ll need to realize they don’t know everything. Dave’s college friend doesn’t have any more time. He’s gone. If you are reading this you are not. Enjoy today, even if it’s a crappy day. Because the crappy days make you appreciate the good days to come.

–Mike

Photo credits: “Free Beer Tomorrow Neon Sign” originally uploaded by Lore SR

Heavy Research

We’re back at work on a variety of our blog series. So here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all of our content in its unabridged glory.

Defending iOS Data
  Securing Data on Partially-Managed Devices
Watching the Watchers (Privileged User Management)
  The Privileged User Lifecycle
  Restrict Access
Understanding and Selecting DSP
  Technical Architecture

Incite 4 U

This sounds strangely familiar… It seems our friend Richard Bejtlich spent some time on Capitol Hill recently, and had a Groundhog Day experience. You know, the new regime asking him questions he answered back in 2007. Like politicians are going to remember anything from 2007. Ha! They can’t even remember their campaign promises from two years ago (yup, I’ll be here all week). So he went back into the archives to remind everyone what he’s been saying for years. You know, reduce attack surface by identifying all egress points and figure out which ones need to be protected.
And monitor both those egress paths and allegedly friendly networks. Though I think over the past 5 years we have learned that no networks are friendly. Not for long, anyway. Finally, Richard also recommended a Federal I/R team be established. All novel ideas. None really implemented. But on the good news front, the US Government spends a lot of money each year on security products. – MR

Perverse economics: I’m going to go out on a limb and make a statement about vulnerability disclosure. After years of watching, and sometimes participating, in the debate, I finally think I have the answer. There is only one kind of responsible disclosure, and the economics are so screwed up that it might as well be a cruddy plot device in a bad science fiction novel. Researchers should disclose vulnerabilities privately to vendors. Vendors are then responsible for creating timely patches. Users are then responsible for patching their systems within a reasonable period. Pretty much anything else screws at minimum users, and likely plenty of other folks. (And this doesn’t apply if something is already in the wild). But as Dennis Fisher highlights, the real world never works that way. Today it’s more economically viable for researchers to sell their exploits to governments, which will use them against some other country, if not their own citizens. It’s more economically viable for vendors to keep vulnerabilities quiet so they don’t have to patch. And users? Well, no one seems to care much about them, but scrambling to patch sure isn’t in their economic interest. It seems ‘responsible’ means ‘altruistic’, and we all know where human nature takes us from there. – RM

Scoring credit: Hackers have been stealing credit reports and financial data from – where else? – credit scoring agencies and selling the data to the highest bidder. Shocking, I know. Seems they are abusing the sooper-secure credit score user validation system; asking “which bank holds

Watching the Watchers: Restrict Access

As we discussed in the Privileged User Lifecycle post, there are a number of aspects to Watching the Watchers. Our first today is Restricting Access. This is first mostly because it reduces your attack surface. We want controls to ensure administrators only access devices they are authorized to manage. There are a few ways to handle restriction:

Device-centricity (Status Quo): Far too many organizations rely on their existing controls, which include authentication and other server-based access control mechanisms.

Network-based Isolation: Tried and true network segmentation approaches enable you to isolate devices (typically by group) and only allow authorized administrators access to the networks on which they live.

PUM Proxy: This entails routing all management communications through a privileged user management proxy server or service which enforces access policies. The devices only accept management connections from the proxy server, and do not allow direct management access.

There are benefits and issues to each approach, so ultimately you’ll be making some kind of compromise. So let’s dig into each approach and highlight what’s good and what’s not so good.

Device-centricity (Status Quo)

There are really two levels of status quo; the first is common authentication, which we understand in this context is not really “restricting access” effectively. Obviously you could do a bit to make the authentication harder to defeat, including strong passwords and/or multi-factor authentication. You would also integrate with an existing identity management platform (IDM) to keep entitlements current. But ultimately you are relying on credentials as a way to keep unauthorized folks from managing your critical devices. And basic credentials can be defeated. Many other organizations use server access control capabilities, which are fairly mature. This involves loading an agent onto each managed device and enforcing the access policy on the device.
The agent-based approach offers rather solid security – the risk becomes compromise of the (security) agent. Of course there is management overhead to distribute and manage the agents, as well as the additional computational load imposed by the agent. But any device-based approach is in opposition to one of our core philosophies: “If you can’t see it, it’s much harder to compromise.” Device-centric access approaches don’t affect visibility at all. This is suboptimal because in the real world new vulnerabilities appear every month on all operating systems – and many of them can be exploited via zero-day attacks. And those attacks provide a “back door” into servers, giving attackers control without requiring legitimate credentials – regardless of agentry on the device. So any device-based method fails if the device is rooted somehow.

Network Segmentation

This entails using network-layer technologies such as virtual LANs (VLANs) and network access control (NAC) to isolate devices and restrict access based on who can connect to specific protected networks. The good news is that many organizations (especially those subject to PCI) have already implemented some level of segmentation. It’s just a matter of building another enclave, or trust zone, for each group of servers to protect. As mentioned, it’s much harder to break something you can’t see. Segmentation requires the attacker to know exactly what they are looking for and where it resides, and to have a mechanism for gaining access to the protected segment. Of course this is possible – there have been ways to defeat VLANs for years – but vendors have closed most of the very easy loopholes. More problematic to us is that this relies on the networking operations team. Managing entitlements and keeping devices on the proper segment in a dynamic environment, such as your data center, can be challenging.
It is definitely possible, but it’s also difficult, and it puts direct responsibility for access restriction in the hands of the network ops team. That can and does work for some organizations, but organizationally this is complicated and somewhat fragile. The other serious complication for this approach is cloud computing – including both private and public clouds. The cloud is key and everybody is jumping on the bandwagon, but unfortunately it largely removes visibility at the physical layer. If you don’t really know where specific instances are running, this approach becomes difficult or completely unworkable. We will discuss this in detail later in the series, when we discuss the cloud in general.

PUM Proxy

This approach routes all management traffic through a proxy server. Administrators authenticate to the PUM proxy, presumably using strong authentication. The authenticated administrator gets a view of the devices they can manage, and establishes a management session to the device through the proxy. Another possible layer of security involves loading a lightweight agent on every managed device to handle the handshake & mutual authentication with the PUM proxy, and to block management connections from unauthorized sources. This approach is familiar to anyone who has managed cloud computing resources via vCenter (in VMware land) or a cloud console such as Amazon Web Services. You log in and see the devices/instances you can manage, and proceed accordingly. This fits our preference for providing visibility to only those devices that can legitimately be managed. It also provides significant control over granular administrative functions, as commands can be blocked in real time (it is a man in the middle, after all). Another side benefit is what we call the deterrent effect: administrators know all their activity is running through a central device and typically heavily monitored – as we will discuss in depth later.
But any proxy presents issues, including a possible single point of failure, and additional latency for management sessions. Some additional design & architecture work is required to ensure high availability and reasonable efficiency. It’s a bad day for the security team if ops can’t do their jobs. And periodic latency testing is called for, to make sure the proxy doesn’t impair productivity. And finally: as with virtualization and cloud consoles, if you own the proxy server, you own everything in the environment. So the security of the proxy is paramount. All these approaches are best in different environments, and each entails its own compromises. For those just starting to experiment with privileged user management, a PUM proxy is typically the path of least

Watching the Watchers: The Privileged User Lifecycle

As we described in the Introduction to this series, organizations can’t afford to ignore the issue of privileged users (P-Users) any more. A compromised P-user (PUPwned) can cause all sorts of damage, and so needs to be actively managed. In the last post we presented the business drivers and threats – now let’s talk about solutions. As most analysts favor some kind of model to describe something, we’ll call ours the Privileged User Lifecycle. In this post we will describe each aspect of the lifecycle at a high level. But before the colorful lifecycle diagram, let’s scope the effort. Our lifecycle starts when the privileged user receives escalated privileges, and ends when they are no longer privileged or leave the organization, whichever comes first. So here is the whole lifecycle:

Provisioning Entitlements

The Privileged User Management lifecycle starts when you determine someone gets escalated privileges. That means you need both control and an audit trail for granting these entitlements. Identity Management is a science all by itself, so this series won’t tackle it in any depth – we will just point out the connections between (de-)provisioning escalated privileges, and the beginning and end of the lifecycle. And keep in mind that these privileged users have the keys to the kingdom, so you need tight controls over their provisioning process, including separation of duties and a defined workflow which includes adequate authorization. Identity management is repository-centric, so any controls you implement throughout the lifecycle need native integration with the user repository. It doesn’t work well to store user credentials multiple times in multiple places. Another aspect of this provisioning process involves defining the roles and entitlements for each administrator, or more likely for groups of administrators.
We favor a default deny model, which basically denies any management capabilities to administrators, assigns capabilities by an explicit authorization to manage device(s), and defines what they can do on each specific device. Although the technology to enforce entitlements can be complicated (we will get to that later in this series), defining the roles and assigning administrators to the proper groups can be even more challenging. This typically involves gaining a significant consensus among the operations team (which is always fun), but is on the critical path for P-User management. Now we get to the fun stuff: actively managing what specific administrators can do. In order to gain administrative rights to a device, an attacker (or rogue administrator) needs access, entitlements, and credentials. So the next aspects of our lifecycle address these issues.

Restrict Access

Let’s first tackle restricting access to devices. The key is to allow administrators access only to devices they are entitled to manage. Any other device should be blocked to that specific P-User. That’s what default deny means in this context. This is one of the oldest network defense tactics: segmentation. If a P-User can’t logically get to a device, they can’t manage it nefariously. There are quite a few ways to isolate devices, both physically and logically, including proxy gateways and device-based agents. We will discuss a number of these tactics later in the series. When restricting access, you also need to factor in authentication, as logging into a proxy gateway and/or managing particularly sensitive devices should require multiple factors. Obviously integrating private and public cloud instances into the P-User management environment requires different tactics, as you don’t necessarily have physical access to the network to govern access. But the attractiveness of the cloud means you cannot simply avoid it.
We will also delve into tactics to restrict access to cloud-specific and hybrid environments later.

Protect Credentials

Once a P-User has network access to a device, they still need credentials to manage it. Thus administrator credentials need appropriate protection. The next step in the lifecycle typically involves setting up a password vault to store administrator credentials and provide a system for one-time use. There are a number of architectural decisions involved in vaulting administrator passwords that impact the other controls in place: restricting access and enforcing entitlements.

Enforce Entitlements

If an administrator has access and the credentials, the final aspect of controls involves determining what they can do. Many organizations opt for a carte blanche policy, providing root access and allowing P-Users to do whatever they want. Others take a finer-grained approach, defining the specific commands the P-User can perform on any class of device. For instance, you may allow the administrator to update the device or load software, but not delete a logical volume or load an application. As we mentioned above, the granularity enforced here depends on the granularity you use to provision the entitlements. Technically, this approach requires some kind of agent capability on the managed device, or running sessions through a proxy gateway which can intercept and block commands as necessary. We will discuss architectures later in the series when we dig into this control.

Privileged User Monitoring

Finally, keep a close eye on what all the P-Users do when they access devices. That’s why we call this series “Watching the Watchers”, as the lifecycle doesn’t end after implementing the controls. Privileged User Monitoring can mean a number of different things, from collecting detailed audit logs on every transaction to actually capturing video of each session. There are multiple benefits to detailed monitoring, including forensics and compliance.
We should also mention the deterrent benefits of privileged user monitoring. Human nature dictates that people are more diligent when they know someone is watching. So Rich can be happy that human nature hasn’t changed. Yet. When administrators know they are being watched they are more likely to behave properly – not just from a security standpoint but also from an operational standpoint.

No Panacea

Of course this privileged user lifecycle is not a panacea. A determined attacker will find a path to compromise your systems, regardless of how tightly you manage privileged users. No control is foolproof, and there are ways to gain access to protected devices, and to defeat password vaults. So we will examine the weaknesses in each of these tactics later in this series. As with
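To make the lifecycle concrete, and to show the PUM proxy model from the Restrict Access post in working form, here is an added illustration in Python (not Securosis code and not any vendor's product): entitlements provisioned per group under default deny, access restricted to entitled devices behind strong authentication, device credentials checked out of a vault as one-time tokens the administrator never sees, commands filtered inside the brokered session, and every attempt written to an audit trail. All users, devices, commands and passwords are constructed sample data.

```python
"""Toy privileged-user management (PUM) proxy. Added example; all users,
devices, commands and secrets below are constructed for illustration."""
import secrets
from dataclasses import dataclass, field

# Provisioning: entitlements are granted per group, per device, per command.
# Anything not listed here is denied (default deny).
ENTITLEMENTS = {
    "dba":    {"db01": {"backup", "restart-service"}},
    "webops": {"web01": {"deploy", "restart-service"}, "web02": {"deploy"}},
}
GROUP_MEMBERS = {"dba": {"alice"}, "webops": {"bob"}}


def allowed_commands(user, device):
    """Commands `user` may run on `device` via group membership; empty = no access."""
    cmds = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            cmds |= ENTITLEMENTS.get(group, {}).get(device, set())
    return cmds


class Vault:
    """Protect credentials: stores device passwords and issues one-time tokens.
    The administrator never sees the password; only the proxy redeems a token."""

    def __init__(self, secrets_by_device):
        self._secrets = dict(secrets_by_device)
        self._tokens = {}  # token -> device it was issued for

    def checkout(self, device):
        token = secrets.token_hex(8)
        self._tokens[token] = device
        return token

    def redeem(self, token, device):
        """Returns the password once; a replayed or mismatched token yields None."""
        if self._tokens.pop(token, None) != device:
            return None
        return self._secrets.get(device)


@dataclass
class Proxy:
    """Restrict access, enforce entitlements and monitor, at one choke point."""
    vault: Vault
    mfa_passed: set = field(default_factory=set)  # users who completed strong auth
    audit: list = field(default_factory=list)     # every attempt, allowed or not

    def log(self, user, device, action, result):
        self.audit.append({"user": user, "device": device,
                           "action": action, "result": result})

    def visible_devices(self, user):
        """What the admin sees after login: only devices they are entitled to."""
        all_devices = {d for devs in ENTITLEMENTS.values() for d in devs}
        return sorted(d for d in all_devices if allowed_commands(user, d))

    def open_session(self, user, device):
        if user not in self.mfa_passed:
            self.log(user, device, "connect", "denied:no-mfa")
            return None
        if not allowed_commands(user, device):
            self.log(user, device, "connect", "denied:not-entitled")
            return None
        token = self.vault.checkout(device)
        password = self.vault.redeem(token, device)  # proxy logs in for the admin
        if password is None:
            self.log(user, device, "connect", "denied:no-credential")
            return None
        self.log(user, device, "connect", "ok")
        return Session(self, user, device)


class Session:
    """A management session brokered by the proxy (the man in the middle)."""

    def __init__(self, proxy, user, device):
        self.proxy, self.user, self.device = proxy, user, device

    def run(self, command):
        """Enforce entitlements: block anything outside the user's allow-list."""
        allowed = command in allowed_commands(self.user, self.device)
        self.proxy.log(self.user, self.device, command, "ok" if allowed else "blocked")
        return allowed


def demo():
    """Walk one admin through the lifecycle; returns the audit trail."""
    proxy = Proxy(Vault({"db01": "pw-db", "web01": "pw-web", "web02": "pw-web2"}))
    proxy.mfa_passed.add("alice")
    session = proxy.open_session("alice", "db01")
    session.run("backup")                 # entitled -> ok
    session.run("delete-volume")          # not entitled -> blocked
    proxy.open_session("alice", "web01")  # not her device -> denied
    proxy.open_session("bob", "web01")    # no strong auth yet -> denied
    return proxy.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit list is the monitoring stage: denied connections and blocked commands are recorded alongside the successful ones, which is what gives the deterrent effect its teeth.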

Incite 3/21/2012: Wheel Refresh

It seems like a lifetime ago. June of 1999. Actually it was more than XX1’s lifetime ago. The Boss and I still lived in Northern Virginia. I was close to the top of the world. I started a software company, we raised a bunch of VC money, and the Internet Revolution was booming. The lease on my crappy 1996 Pathfinder was up, and I wanted some spiffy new wheels. Given my unadulterated arrogance at that time in my life, I’m surprised I didn’t go buy a 911, since that’s always been my dream car. But in a fit of logic, I figured there was plenty of time for fancy cars and planes once we took the company public. But I did want something a bit sportier than a truck, so I bought a 1999 Acura TL. It had 225 horses, lots of leather, and cool rims. In fact, I still feel pretty good about it almost 13 years later. I’m still driving my trusty TL. Well, I guess the term driving is relative. I drive about 7,500 miles a year. Maybe. With three kids, we don’t take trips in the TL any more, so basically I use it to go to/from Starbucks and the airport. At almost 100,000 miles, it’s starting to show its age. It’s all dented up from some scrapes with my garage (thanks Grandma!) and countless nights spent in an airport parking lot. But I can’t complain – it’s been a great car. But the TL is at the end of the road and my spidey sense is tingling. That model is notorious for transmission failures. So far I’ve been lucky, but I fear my luck is about to run out. The car just doesn’t feel right, which means it’s probably time for a pre-emptive strike to refresh my wheels. What to buy? I’m not a car guy, but my super-ego (the proverbial devil on my shoulder) looks longingly at a 911 Carrera Convertible. That’s sweet. Or maybe a BMW or Lexus gunship. A man of my stature, at least in my own mind, deserves some hot wheels like that. Then my practical side kicks in (the angel on my other shoulder) and notes that I frequently need to put the 3 kids in the car, and the kids aren’t getting smaller. 
No SmartCar for me. I also want something that gets decent gas mileage, since it’s clear that gas prices aren’t coming down anytime soon. But it’s so boring and lame to be practical, says the Devil on my shoulder. We know how that ended up for Pinto in Animal House, but what will happen with me? I can’t really pull off the sports car right now, so maybe I should get an ass kicking truck. One of those huge trucks with the Yosemite Sam mud flaps and a gun rack. It will come in handy when I need to cart all that mulch from Home Depot back to my house. Oh right, I don’t cart mulch. My landscaper does that. Again, the practical side kicks in – reminding me that folks needing to make obvious statements about their badassitude usually have major self-esteem problems. What happened to me? Years ago, this decision would have been easy. I’d get the sports car or the truck and not think twice. Until I got my gas bill or had to tie one of the kids to the roof to get anywhere. But that’s not the way I’m going. I’m (in all likelihood) going to get a Prius V. Really. A hybrid station wagon, and I’ll probably get the wood paneling stickers, just to make the full transformation into Clark Griswold. Though if I tied Grandma to the roof, I wouldn’t be too popular in my house. Even better, the Prius will make a great starter car when XX1 starts to drive 4-5 years from now. That will work out great, as by then it’ll be time for my mid-life crisis and the 911 convertible…

-Mike

Photo credits: “porsche 911 hot wheels” originally uploaded by Guillermo Vasquez

Heavy Research

We’re back at work on a variety of blog series. Here is the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.
Defending iOS Data
  Introduction
  iOS Security and Data Protection
  Data Flow on iOS
  Protecting Data on Unmanaged Devices
  Secure File Apps for Unmanaged Devices
Watching the Watchers (Privileged User Management)
  Access to the Keys (to the Kingdom)
Understanding and Selecting DSP
  Data and Event Collection

Incite 4 U

Assuming the worst is not new: It’s pretty funny that our pals at Dark Reading are now talking about Security’s New Reality: Assuming the Worst – meaning you need to assume compromise and act accordingly. Duh. Gosh, I’ve been talking about Reacting Faster since early 2007 (I actually checked and the term first appeared on Security Incite in December of 2006. Praise the Google.), and it’s not like I have been the only one, but it is pretty cool to see everyone else jumping on the you’re screwed bandwagon. I was talking to a freelance writer Monday, and she asked what kind of skills I thought people getting into security need to work on, and I said forensics. Obviously there are a lot of fundamentals that need to be in place to understand how to figure out something is wrong, but it’s clear that capable incident responders will be in high demand for a long time. And even incapable incident responders will be busy, as companies in the middle of coping with breaches can’t afford to be too picky. – MR

Password Manager Kinda-fail: Elcomsoft conducted a security review of 17 different personal password managers, examining their encryption and key management. The full report (PDF) contains most of the interesting information. The problem is that the report is not very well written. The attacks they discuss all depend on having physical access to the device, or being able to gain access to the device backups – a power-station hack on

Watching the Watchers: Access to the Keys (to the Kingdom)—New Series

We are happy to announce a new series, where for the first time we will research and document the issues around privileged user management (PUM). It may not sound as exciting as cloud anything, or iOS data protection, but it’s something you overlook at your own risk. Because administrators (those privileged users) have the keys to your kingdom. A sysadmin with malicious intent can cause a very bad day for you and your organization. And no, this isn’t just another recycled attempt to bring the insider threat back into vogue – much to the chagrin of the DLP vendors, who drove their first wave of growth based on the nebulous insider threat. First of all, privileged users (P-users) don’t necessarily need to be insiders. And most insiders have limited access and authorization entitlements, while administrators can basically give themselves access to do whatever they want. That old privilege escalation thing. That’s why we are calling this series Watching the Watchers – because if not properly managed, administrators are Above the Law.

Business Imperatives Changing Privileges

We live in a brave new world of technology. What used to be within your site, in your data center, or running on your big iron, now may or may not be in any or all of those places. Even if your stuff runs in your data center you might not know exactly where and it may not be in your control. It may or may not be running on an operating system you understand. You may or may not control the pipes that lead to that data. And you certainly can’t tell business users and/or business partners that they need to go back to the old model, where you had visibility from the bare metal all the way to the data layer. Times have changed. Even better, you might not even know who is responsible for managing those specific systems.
With layers of virtualization abstracting pretty much all physical networks, storage, and servers, there are many different folks responsible for managing the pieces of what we call an application. Even the term ‘application’ is really a misnomer – applications can be almost anything, processing anywhere, accessing data from anywhere, and presenting information to anyone, anywhere. Times sure have changed. So let’s start by defining what a privileged user is. Privileged User: Anyone with admin (or root) access to a device. Based on that definition, every user is a privileged user to some device. That’s a bit broad, so we’ll restrict our discussion (and this research) to users who manage critical devices – running applications, hosting databases, or pushing packets to the places they need to be. Sure, it’s problematic if the P-user in charge of the receptionist’s device (the receptionist) is compromised. But it’s much more serious if someone who can administer the device hosting your customer database gets owned. Let’s get a bit more specific about the business drivers and the impact on privileged users: Reduce Cost – Virtualization/Cloud: Many organizations are under dramatic pressure to continue reducing costs wherever possible. That means embracing technologies like virtualization to make better use of physical hardware, and cloud computing to make better use of data center real estate. The impact of this driver is scale. Now you have a lot more things to manage and they can be spun up and torn down at the click of a button or via script. Throw in the unbounded number of instances that can be run in the public cloud, and the only thing you can be sure of is a massive change management headache. Reduce Cost – Outsource: While data centers are virtualizing, organizations are contracting with (lower) cost management to do their (alleged) commodity work. You know, like managing databases and email. 
All kidding aside, it’s common to see third parties manage wide swaths of an organizations’ IT infrastructure – providing nameless, faceless folks (perhaps on the other end of a SAML link) with access to critical stuff. Agility – New Apps: If you think about a typical web app, it’s more ‘assembled’ nowadays than built from the ground up. And parts may be yours, they could be pieces you got from someone else, or they might include data from somewhere else, integrated into your environment via a foreign API. It’s hard to know what an application is nowadays. And if we don’t know what it is it’s generally difficult to manage. Yes, there are more business drivers, but you get the picture. Anyone with access to manage a device that runs something important (or is a component of something important) is a privileged user, and the change management issues inherent in this escalating complexity requires that administrators continue to become more efficient and leveraged. Which can result in errors, shortcuts, and general violation of good operational practices. Now let’s look at some specific threats these privileged users present. P-User Risk Assessment Yeah, we’re old school. We still like to assess risk, or at least run through a quick mental exercise to figure out how many ways we can get killed. So let’s do that with this explosion of devices managed by privileged users. Of course this isn’t an exhaustive list – more a back of the envelope exercise to uncover some of the biggest threats to our environment if these privileged users are compromised. And while we are at it, let’s define a new term, PUPwnage, for a compromised privileged user. Just rolls off the tongue, right? Compromised devices: This one is obvious. If a privileged user is compromised (PUPwned), the attackers gain access to any device they manage, and then the fun begins. Data leakage: PUPwnage can result in any and all data being stolen from the devices they control. 
Create accounts: PUPwnage allows attackers to create both user and admin accounts on devices, and to pivot through the environment, moving from one compromised device to another – stealing data thefts as they march along. Pollute applications and/or data: PUPwnage also results in application attacks, such as changing code to break functionality, creating backdoor access, deleting or changing data, or otherwise breaking your applications.
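As an added example (not Securosis code), here is one way a defender can put the definition above to work: inventory everyone with root or admin-group access on the hosts tagged as critical, then diff two snapshots so a newly created or newly promoted admin account (the "Create accounts" risk) lands in a review queue. The host names, account-file contents and the set of admin groups are constructed assumptions.

```python
"""Privileged-user inventory for a "watching the watchers" check.

Applies the post's definition (anyone with admin or root access to a
device), restricts it to hosts tagged as critical, and diffs two
snapshots so a newly created or newly promoted admin account shows up
for review. All hosts, file contents and group names are constructed.
"""
from dataclasses import dataclass

# Assumption: membership in one of these groups grants admin rights.
ADMIN_GROUPS = {"wheel", "sudo", "root"}


@dataclass(frozen=True)
class PrivilegedUser:
    host: str
    user: str
    reason: str  # why this account counts as privileged


def parse_passwd(text: str) -> dict[str, int]:
    """Map user name -> numeric uid from /etc/passwd-style text."""
    users: dict[str, int] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[0] or fields[0].startswith("#"):
            continue  # blank, comment or malformed record: skip, don't guess
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def parse_group(text: str) -> dict[str, set[str]]:
    """Map group name -> set of member user names from /etc/group-style text."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0] or fields[0].startswith("#"):
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def privileged_users(host: str, passwd_text: str, group_text: str) -> set[PrivilegedUser]:
    """Everyone on `host` with uid 0 or membership in an admin group."""
    found: set[PrivilegedUser] = set()
    for user, uid in parse_passwd(passwd_text).items():
        if uid == 0:
            found.add(PrivilegedUser(host, user, "uid 0"))
    for group, members in parse_group(group_text).items():
        if group in ADMIN_GROUPS:
            for member in members:
                found.add(PrivilegedUser(host, member, f"member of {group}"))
    return found


def inventory(snapshot: dict[str, tuple[str, str]],
              critical_hosts: set[str]) -> set[PrivilegedUser]:
    """snapshot maps host -> (passwd text, group text); only critical hosts count."""
    result: set[PrivilegedUser] = set()
    for host, (passwd_text, group_text) in snapshot.items():
        if host in critical_hosts:
            result |= privileged_users(host, passwd_text, group_text)
    return result


def new_privilege(before, after, critical_hosts) -> set[PrivilegedUser]:
    """Privileged accounts in `after` but not `before`: the change-review queue."""
    return inventory(after, critical_hosts) - inventory(before, critical_hosts)


# Constructed sample data: db01 hosts the customer database, recept01 is the
# receptionist's machine. Between snapshots someone with admin access on db01
# added a second uid-0 account and put a service account into wheel.
PASSWD_DB_BEFORE = "root:x:0:0:root:/root:/bin/bash\ndba:x:1001:1001::/home/dba:/bin/bash\n"
PASSWD_DB_AFTER = (PASSWD_DB_BEFORE
                   + "svc_backup:x:1002:1002::/home/svc_backup:/bin/bash\n"
                   + "toor:x:0:0::/root:/bin/sh\n")
GROUP_DB_BEFORE = "root:x:0:\nwheel:x:10:dba\n"
GROUP_DB_AFTER = "root:x:0:\nwheel:x:10:dba,svc_backup\n"
PASSWD_RECEPT = "root:x:0:0:root:/root:/bin/bash\nfrontdesk:x:1001:1001::/home/frontdesk:/bin/bash\n"
GROUP_RECEPT_BEFORE = "wheel:x:10:\n"
GROUP_RECEPT_AFTER = "wheel:x:10:frontdesk\n"

BEFORE = {"db01": (PASSWD_DB_BEFORE, GROUP_DB_BEFORE),
          "recept01": (PASSWD_RECEPT, GROUP_RECEPT_BEFORE)}
AFTER = {"db01": (PASSWD_DB_AFTER, GROUP_DB_AFTER),
         "recept01": (PASSWD_RECEPT, GROUP_RECEPT_AFTER)}
CRITICAL = {"db01"}

if __name__ == "__main__":
    for p in sorted(new_privilege(BEFORE, AFTER, CRITICAL), key=lambda p: (p.host, p.user)):
        print(f"REVIEW {p.host}: {p.user} ({p.reason})")
```

The receptionist's host is deliberately left out of the critical set, so the new wheel member there is not flagged; widen the set and it is.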

Incite 3/14/2012: My Kind of People

Like everyone else, I have a bunch of jobs. There is the day job and then my job at home. Well, it’s not really a job, it’s more a responsibility – to be a good husband and to teach my kids to be properly functioning adults. As most of you know, I take the parenting responsibility very seriously. I am constantly stressing hard work and best effort. Making the point constantly to my kids that the only thing they can truly control is their own effort. But ultimately I am flawed, like everyone else, and I worry my flaws will be passed on to my kids.

We get each kid’s schoolwork back on Thursday. Usually they do very well but sometimes they blow a test or quiz. The Boss spends a lot of time going through their mistakes to make sure they don’t make the same ones again. I peruse the papers and try to celebrate the good scores on the math quiz or the spelling test. But it’s hard. I’m on to the next thing already. What’s next on the list? No time to celebrate – too much to do. That’s how I’m wired.

But all the accomplishments and all the tasks checked off the task list pale in comparison to trying to teach the kids to be good people. To be nice and supportive and good friends. To be empathetic about other folks’ challenges, and to appreciate the charmed life they lead. Part of that process is sending them to sleepaway camp each summer. There they need to function as part of a group, without the Boss and me to tell them exactly what to do. Before we know it they’ll be out in the nasty, unforgiving world, so we hope they can learn some important lessons in a safe environment before it’s real. Another aspect of their real life training is to show that everyone has their own challenges, and they can choose to make every situation either better or worse. USA Network recently aired a show called NFL Characters Unite, which provided a great opportunity to teach the kids about the importance of empathy and being kind.

The show takes some NFL heavy hitters (Hines Ward, Jimmy Graham, Tony Gonzalez, and Tony Dungy) and tells their stories of suffering racism, bullying, and abandonment. A 6’5” and 250 lb guy, being bullied? Amazingly enough, yes. It showed how these guys overcame those challenges, and showed them each mentoring a kid in a similar position. The show was really awesome. Not because it humanized the players, which it did. But it (hopefully) taught my kids a few things. First, the impact of being unkind. They could see how bullying and meanness impact a kid. I also hope they learned not to judge a book by its cover. You’d never think NFL stars could be bullied or suffer racism. These guys are invincible, right? Not so much. The kids shouldn’t draw conclusions, but instead get to know folks and make up their own minds. Finally, perhaps they can appreciate how lucky they are to have a supportive family. Maybe, just maybe, when they get into a situation where they can choose to be kind or unkind, they’ll choose correctly. We hope they will reject peer pressure to go for the quick laugh, and stand up for someone who may not be able to stand up for themselves. Ultimately, in 10 years, when all our kids are loose on the world, I can only hope they’ll be kind people. The kind of people I’ll be proud to know.

–Mike

Photo credits: “In the end, only kindness matters” originally uploaded by SweetOnVeg

Lazy Deal Analysis: Dell goes SuperSonic(WALL)

Dell made news a year ago shelling out big bucks for SecureWorks, and now they are at it again, spending a reported $1-1.5 billion to acquire SonicWALL from the clutches of private equity. We actually like this deal – not only because it reinforces that Mr. Market Says Security Is Winning. But additionally, SonicWALL’s traditional business in the mid-market is a good fit with Dell’s distribution engine, and dovetails nicely with the SecureWorks services offering. But this deal is all about IBM and HP envy. Do you think it will be long before Dell formally moves all their security stuff into a separate business unit? They want to compete with the big boys, and large enterprise wants security from their major IT providers. Both SecureWorks (via the VeriSign MSS deal) and SonicWALL (with its SuperMassive NGFW) have increasingly focused on the enterprise. We expect Dell to continue investing in services folks to wrap the integration layer around the products and services. We have been hearing speculation about Dell acquiring Fortinet, but this deal seems like a much better option. It’s much cheaper, provides functionally comparable technology, and brings on less infrastructure to worry about integrating – especially at the enterprise level. And don’t forget about the biggest winners here: Thoma Bravo, the private equity fund that took SonicWALL private about 18 months ago for $717 million. Perhaps doubling in that time period is a huge win. But as Rich said in Mr. Market: the bankers always win.

Incite 4 U

Leaving an Anonymous Trail of Bits: We all talk about how as a good guy you need to always be right, while the bad guys only need to be right once. It turns out that no one can be wrong, ever, as our buddies at Threatpost detail by showing how some Anons left a trail, and the FBI (and other law enforcement folks) are getting much better at following such trails. Sabu forgot to Tor a few times and got bagged. Rob G talked a bit about it. And finally Nigel Perry talks a bit about how Sabu turning turncoat was obvious, in hindsight anyway – given his attempts to get his buddies to do bad stuff. I recently saw the movie Drive, and the bad guy says to the good guy that he can walk away, but he’ll always be looking over his shoulder. I guess that’s a universal truth

Incite 3/7/2012: Perspective

Life is a series of ebbs and flows. Highs and lows. Crests and troughs. It’s a yin/yang thing, and unfortunately most folks can’t appreciate that. Especially when they can’t see their way out of a down period.

For a lot of security folks, the last two weeks have been such a contrast between those highs and lows that many are probably feeling whiplash. A lot of folks went to the RSA Conference last week and saw an industry thriving again after 3 years in the doldrums. We all felt good. Those who read blog posts and tweets from folks at the conference felt good. It was one of those highs, and I returned to ATL exhausted but in good spirits. Not necessarily feeling like the tide had turned, but that swimming upstream wouldn’t be as hard for a while – however brief.

Then the discussions about whether we are losing started early this week. Ben’s post on LiquidMatrix verbalized a lot of what we all feel from time to time. And the burnout, building brick by brick which Rich described so eloquently is a clear explanation of the phenomenon. Rich’s point is that we will always have bad days, just as we have good days. And those who can survive in security for a long time don’t take things personally – especially the bad days. They know (and appreciate) the futility of the game, and enjoy the battles. The learning. The teamwork. They don’t get bitter and angry about the stupidity or the politics or the apathy. Or they hit the wall. Hard.

Which is really the point. It’s not about winning or losing. It’s about enjoying the journey. You will lose some battles, just as you will win some. You may lose more than you win, but that’s because the game is rigged. Like Vegas. In the long run, math wins. It’s always been that way, and yet we (amazingly enough) still function. As Ranum says, the Internet will be as secure as it needs to be.

In the wake of the shocking news that Sabu was an informer (sound familiar? Gonzalez the Sequel?) and he provided the smoking guns to take down LulzSec, some folks started gloating. That good wins over evil crap. But now is not the time to gloat. Nor is every compromise or incident the time to let despondency or depression creep in. If you get too high or too low you’ll burn out. Been there. Done that. To remain on even keel requires perspective. Perspective that is hard to appreciate when you are in the trenches and on the front lines.

On the flight back from RSA we flew into a pretty nasty storm. The last 30 minutes of the flight was turbulent. Regardless of my understanding of statistics, which dictates that I’m as safe in the air during heavy turbulence as I am now – sitting in a coffee shop writing this missive – it’s still a bit unsettling. So I closed my eyes and visualized riding a roller coaster, which I love to do. The exhilaration, the perception of danger, the adrenaline rush – you get off a coaster feeling alive. Maybe a bit scared, but alive. And you want to do it again.

That flight was a microcosm of life. Smooth and comfortable for a while, then not so much. Highs, lows, and everything in between. I enjoyed the flight because the bumpy air is part of the deal. You can’t avoid it – not entirely. So I chose to have perspective and enjoy the coaster. I just wish more folks in security could appreciate the journey…

-Mike

Photo credits: “Learning Perspective” originally uploaded by Yelnoc

Lazy Deal Analysis: Trustwave buys another laggard

We don’t care enough about the Trustwave/M86 merger to do a stand-alone post, but it does warrant at least a little snark… erm… analysis.

86-it: Trustwave announced today that they will be putting M86 out of its misery, acquiring the mixed-bag-of-stuff web and email security vendor for an undisclosed sum. For those with long memories, M86 was formed as the merger of creaky web security appliance vendor 8e6 with the seriously outdated Marshall mail security software. The resultant M86 company tried to acquire themselves into relevance, making sage investments in Finjan’s secure web gateway software and Avinti’s behavior-based malware detection software. Yeah, 10 pounds of crap in a 5-pound bag. While those products were great additions, the core capabilities were several years behind the competition – and worse, never fully integrated. Details, details. While their Firefox secure browsing plugin was a fun toy, their ability to protect cloud data was suspect and the product development roadmap seemed driven by the trend du jour, rather than some holistic vision of web user security. Trustwave’s acquisition strategy has been reminiscent of the island of lost toys: buying laggards like Vericept, Mirage Networks, Breach Security, BitArmor, ControlPath, and Intellitactics. From that perspective M86 is a good fit with little overlap, but without really integrating the offerings, this is just more integration on the PO. More likely they will continue to target customers too lazy to perform a head-to-head comparison with class-leading products and those trying to make audit deficiencies (found by Trustwave themselves, in an unholy alliance of audit and security product) go away. – AL & MR

Incite 4 U

Don’t be Lulzed into a false sense of security: By the time I submit this to Mike I’m sure someone else will slip in a link to the story about LulzSec getting nailed by the FBI with some good old-fashioned police work. You know, attempting to scare the crap out of the perp and turn him against his friends. Uh, like they did to Sabu. To be honest, the headlines don’t really matter that much to those of us in operational security (including me – someone has to keep Mike and Adrian safe) as we are pretty pragmatic about the media’s incentive to work everyone into a frenzy. Rafal Los does a great job pointing out how to handle headline hysteria. Raf’s point is to ignore the headlines, focus

Upcoming Cloud Security Training Courses

Our world domination tour continues. At least if you consider training for the Certificate of Cloud Security Knowledge (CCSK) part of your plan to know all things Cloud Security. As authors of the training curriculum, we are the only folks who can train and certify instructors to deliver the training, so a couple times a year we deliver the courses, live and in person. We’ve got two courses coming up, one in San Jose and the other in Milan, Italy. If you want to become certified to teach, you’ll need to attend one of these courses. And if you aren’t interested in teaching, it’s also a good opportunity to get the training from the folks who built the course.

  • San Jose: March 27-29
  • Milan, Italy: April 2-4

Here is the description of each of the 3 days of training:

There is a lot of hype and uncertainty around cloud security, but this class will slice through the hyperbole and provide students with the practical knowledge they need to understand the real cloud security issues and solutions. The Certificate of Cloud Security Knowledge (CCSK) – Basic class provides a comprehensive one day review of cloud security fundamentals and prepares students to take the Cloud Security Alliance CCSK certification exam. Starting with a detailed description of cloud computing, the course covers all major domains in the latest Guidance document from the Cloud Security Alliance, and the recommendations from the European Network and Information Security Agency (ENISA). The Basic class is geared towards security professionals, but is also useful for anyone looking to expand their knowledge of cloud security. (We recommend attendees have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity management).

The CCSK-Plus class builds upon the CCSK Basic class with expanded material and extensive hands-on activities with a second day of training. The Plus class (on the second day) enhances the classroom instruction with real world cloud security labs! Students will learn to apply their knowledge as they perform a series of exercises, as they complete a scenario bringing a fictional organization securely into the cloud. This second day of training includes additional lecture, although students will spend most of their time assessing, building, and securing a cloud infrastructure during the exercises. Activities include creating and securing private clouds and public cloud instances, as well as encryption, applications, identity management, and much more.

The CCSK Instructor workshop adds a third day to train prospective trainers. More detail about how to teach the course will be presented, as well as a detailed look into the hands-on labs, and an opportunity for all trainers to present a portion of the course.

Click here for more information on the CCSK Training Partner Program (PDF). We look forward to seeing you there.

Bringing Sexy back (to Security): Mike’s RSAC 2012 Wrap-up

Oh yeah. I’m back in the ATL after a week at the RSA Conference. Aside from severe sleep deprivation, major liver damage, and some con flu… I’m feeling great. It seems everyone else is as well. Something appeared at RSA that we haven’t seen for at least 3 years: smiles. Which I guess is to be expected, since in 2009 and 2010 everyone walked around with hard hats, expecting the sky to fall. In 2011 there were some positive signs but still a lot of skepticism, which was gone this year. Almost everyone I talked to was very optimistic for 2012 and beyond. As a contrarian, my first instinct was that we must be breathing our own exhaust. You point to two other guys and they say they are optimistic, and then it becomes the perception of optimism, rather than optimism you can pay your mortgage with. But even when challenged, everyone felt pretty good. Even the tools felt sexy. It didn’t help their hygiene much, but you can’t expect the world to change overnight, can you?

But to be clear, the idea of Bringing Sexy back (to Security) is not mine. But someone said it to me when I was in a drunken haze. I thought it was Rich, but he wouldn’t acknowledge it. So if you were the one who said it to me, thanks. It’s a great assessment of where we are at, after years in the compliance-driven darkness.

Pendulum Swinging back to Security

Speaking of compliance, overt messaging around our least-favorite C word was pretty muted at the show this year. PCI is old news. HiTech enforcement is an unknown quantity, and for the most part unless an organization has been sleeping for the past 7 years they should be in decent shape regarding the low bar that a compliance mandate represents. Now actually securing something? That’s entirely different, and as such, the pendulum clearly swung back toward more of a security message on the floor this year. Which should warm the hearts of all you security folks nauseated at the game we have had to play to get our security projects paid for out of the compliance budget. So when you do next year’s holiday cards, send one to the Red Army and probably Anonymous. By then you’d expect both organizations to be Doxed, so you may even have an address. And they both probably own the USPS, so they can get their own mail as well, if they care to… Kidding aside, between high profile targeted attacks and chaotic actors, it is now clear to most organizations that PCI isn’t good enough. And that means we need to start talking about security again.

Also be thankful that we’ve seen innovation in perimeter security gear (think NGFW), as well. Given the number of depreciated firewalls awaiting something interesting to drive a perimeter security renewal/re-architecture, having NGFW gear reach stability created a wave of buying that has also driven many of the public security companies. Those that HP and IBM haven’t overpaid for yet, anyway. Honestly, it was great to actually talk security this week, and not weird funding strategies. Really great.

BigData Hype did not disappoint

As we highlighted in the RSA Guide 2012, it has been obvious that BigData would be a big theme at the show. And it was. I ran into Joe Yeager from Lancope on my flight home and he joked to me that we should sell Powered by Hadoop stickers for $20K each. Given that every company needs to jump onto the BigData bandwagon, Joe is exactly right. Those would fly off the shelf. Apparently the marketers still haven’t figured out the difference between BigData and a lot of data, but that’s okay. Hyperbole rules the trade show floor (and some booth babes shaking their things), so it’s all good. But I suspect we’ll be seeing a lot of BigData at security conferences for the foreseeable future.

Cloud still prominent

It was also all cloud, all the time, at RSA this year. Again, not a surprise and probably justified. Though there was a lot more SECaaS (SECurity as a Service) than actual cloud security. I’m sure Rich will want to expand on this a bit at some point, but we saw plenty of folks talking about encrypting data in the cloud, along with lots of focus on managing cloud instances and the security of those instances. And all that is great to see. Real innovation is happening in this space, and not a second too soon – folks are doing this cloud thing, and we need to figure out how to protect that stuff. Yes, we saw a bunch of cloud washing, especially from the network security folks, who made a big deal about their VM instances that can run in the cloud. After hearing for years about how their hardware prowess makes their boxes great, it was kind of funny to hear them talk about how their stuff runs great in the cloud, but whatever. It’s a bandwagon and RSA requires you to jump aboard or get left behind.

Good vibrations on BYOD

The other area that we expected to hear a lot about was mobile security, specifically this BYOD stuff. At the e10+ session on Monday morning we did an entire section on BYOD and it spurred a great discussion. Here are some takeaways:

  • iOS is cool, Android is not, and BlackBerry is dead: That’s not to say BlackBerry is gone, but it’s just a matter of time, as almost everyone in the room was migrating to another platform. It’s also not that Android isn’t showing up on corporate networks – it is, but with caveats. We’ll get to that. iOS is generally accepted as okay, mostly because of the way the App Store screens applications prior to availability.
  • Everyone has policies. Most are not enforced: We spent a good portion of the session talking about policies, and everyone agreed that documenting policies is critical. Though enforcement of these policies is clearly lagging, especially for senior folks. But any employee seems to know

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.