Securosis

Research

Incite 7/13/2011: The King of the House

With the two girls at sleepaway camp, the Boss and I weren’t sure how the Boy would handle it. After all, he’s pretty much always surrounded by someone. Having a twin sister will do that to you. If he’s not at school, with his buddies, or doing an activity, he’s usually playing with one of his sisters. In fact, we think his ability to tune out almost everything directly correlates to always being around people. But don’t think the summer is only fun and games. I described Mommy Food Camp last week, and he’s doing well. He eats hot dogs now (“I don’t like them, but I’ll eat them”), and I even got him to eat a hamburger (“It was horrible!”). He’s now thinking of becoming a vegetarian (like his Dad), and tried to convince me that there’s no meat in Chicken Nuggets. He may actually be right, but that’s another story. We were also hoping he would become a bit more assertive, as he tends to be pretty quiet. We learned this was a non-issue when he had a tantrum at day camp when he wasn’t in a group with his buddies. Suffice it to say, the situation was rectified immediately, and we didn’t have to get involved. Of course, we’d like him to deal with things without crying and screaming, but he has friends who were put in the wrong group and didn’t say a word for days. We’ll take Mr. Assertive any day of the week. Truth be told, I think he likes the peace and quiet. We joke that the only time he had any peace was the minute after his sister was born, while he was waiting his turn. We do let him play on one of the iPads a bit and maybe watch a little TV, but nothing crazy. We’re glad he’s enjoying the few weeks he’s flying solo because the plan is to send him to sleepaway camp next year. Even though he maintains that he doesn’t miss his sisters, we make him write letters to them anyway. It’s as much to keep him writing as anything else, though we know the girls love to hear from him. He wrote a nice letter, telling them what’s he’s been up to, who he’s been hanging out with, and that he just lost another tooth and is awaiting the Tooth Fairy’s visit. At one point in the letter, he wrote: “I’m the King of the House.” We wondered whether we should pull that out, since it might make the girls feel bad, but decided to leave it in. Mostly because it was so damn cute. But when we dug a bit deeper, clearly the Boy does get overshadowed by his strong-willed sisters. With them not around (for a little while anyway), he assumes the mantle of the King. Of course, I don’t have the heart to burst his bubble. He’s no more the King of the House than I am. But that didn’t stop us from asking the King to clean up his dishes and get ready for bed. Even royalty needs beauty sleep. -Mike Photo credits: “KING CLUB” originally uploaded by oknovokght Incite 4 U The Daily Breach: Given the challenges of traditional media, it’s surprising that none of the tech books have launched a Daily Breach newsletter. It’s not like there’s no inventory. I mean, check out this screen grab of my SC Magazine newsletter this AM. 4 latest news stories, and 4 breaches. And that doesn’t even include the Booz Allen breach. Folks, this is the new reality. Breaches happen. Breaches are disclosed. Customers are pissed. Some folks would use a data point like this as an excuse to be grumpy or to do nothing. But there has always been a Daily Breach. You just didn’t know about them before. So now the spotlight is on us. Guess we should have been careful what we wished for. – MR Just do the work, or hire crap: Let’s look at A List Apart’s recent post on “RFPs: The Least Creative Way to Hire People”. You don’t need to be creative to hire people – you want to hire creative people (whether or not you yourself are). I have seen just as many bad creative hiring methods as bad conventional ones – both unwittingly filter due to the process. Have I even mentioned the time I was interviewed by 115 people for a VP of Engineering Job? Only two interviewers actually understood the skills needed for the job, and one interviewer wanted a bad candidate to ensure there was no challenge for her fiefdom. However it’s done, you just need to put in the time to understand what you are hiring for and adequately screen the sea of resumes. It’s the latter point that people don’t want – or know how – to do. So they create, effectively, giant lists of screening questions to filter the resumes. But here is a hint: PEOPLE LIE. Liars get through, and honest people don’t. Forget all the other fancy nonsense, put in the time, and do the work. – AL Know thyself: Managing your identity online is more than merely controlling your credentials and avoiding keyboard-mediated tourettes (something I should probably work on). In the real world our lives are naturally compartmentalized. There’s work, home, hobbies, groups, and all sorts of social circles. The online world isn’t really set up like this, and when we use work email accounts for personal communications, or tie our identities to our jobs, or link in everyone on the same social media platforms, we blur lines in ways we cannot always anticipate. That’s why Jeff Jones’ article on how he’s segregating his identities really resonated with me. I did something similar a while ago – Twitter is fully public, Facebook is now for (mostly) non-work friends and family only, and I’ve switched more personal email off Securosis, despite being a partner in the company. Think about your online personae, and it

Share:
Read Post

Incite 7/6/2011: Reading Between the Lines

As mentioned last week, our girls are off at sleepaway camp. They seem to be having a great time, but you can’t really know. Obviously if there was a serious issue, the camp would call us. Since we dealt with the nit-uation, we have heard from the guidance counselor that XX2 is doing great, and from the administrator that XX2 needs more stationary. Evidently she is a prolific writer, although our daily mailbox vigil has yielded nothing thus far. We’ll save a spot for her at Securosis, since by the time she’s out of school, I’ll need someone else to pick up the mantle of the Incite. The one thing that is markedly different than when I went to camp is the ability to see daily photos of the camp activities. Back when I went in the 80’s camp was a black box. We got on the bus, we’d write every so often, but my folks wouldn’t really know how we were doing until they came up for visiting day. Now we can see pictures every day, and that’s when the trouble begins. Why? Because the pictures don’t provide any context. Our crazy overactive brains fill in the details we expect to be there, even if it means making stuff up. We read between the lines and usually it’s not a positive thing. So you see XX1 in a picture she isn’t wearing her skirt. What’s the matter, doesn’t she like her clothes? Or she is smiling from ear to ear, but is that a genuine smile? Or she’s at the end of the row of kids. Why isn’t she right in the middle? Yes, we understand this line of thinking makes zero sense, but your brain goes there anyway. And even worse is when the girls aren’t in any pictures. What’s the deal with that? Are they in the infirmary? Aren’t they having fun? Why wouldn’t they be attention whores like their Dad and feel compelled to get into every picture. Don’t they know we are hanging on every shred of information we can get? How inconsiderate of them. Yes, I am painfully aware that this behavior is nonsensical. Camp is the greatest place on earth. How could they not have a great time? Grandma got a letter from XX1 and she said her bunk is awesome. We know the girls are doing great. But I also know we aren’t alone in this wackiness – when we get together with our friends we’re all fixated on the pictures. I’m pretty sure having the ability to fill in details in the absence of real information saved our gene line from a woolly mammoth or something 10,000 years ago, so it’s unlikely we’ll stop. But the least we can do is make the story a happy ending each day. -Mike Photo credits: “Reading Between The Lines” originally uploaded by Bob Jagendorf Incite 4 U Most (but not all) is lost: Good thought-provoking piece here by Dennis Fisher entitled Security May Be Broken, but All is Not Lost. His main contention is that the public perception is awful, but that’s only half the story – folks who block stuff successfully are not highlighted on CNN. It’s part of why I call security a Bizarro World of sorts. Only the bad news is highlighted and a good day is when nothing happens. But the real issue that Dennis pinpoints is the continued reticence to almost everyone about share data on what’s working and what isn’t. Whether the sharing is via formal or informal ISAC-type environments, security benchmarks, online communities (like our sekret project), or whatever, Dennis is spot on. Until we start leveraging our common experience, nothing will get better. – MR Dropped Box: It’s hard to root for a company – whose product you use and like – when they keep making boneheaded moves. If you didn’t hear, Dropbox poured gasoline on the idiocy fire when they came out with new Terms of Service that grant them wide latitude to mess with your stuff. I was hoping for an acknowledgement of the security architecture issues on the client and server side, along with a roadmap for when they will be resolved. Instead they lawyered up and gave themselves immunity to do stuff to your stuff, and when customers complained, they basically said customers misunderstood them. Yes, customers must be wrong because Dropbox is the first company to hold vast stores of customer data, so no one else could not possibly understand the nuances of their business. Who over there is not getting it? Management? Tech staff? Their PR agency? Their lawyers? All of the above? Do they not understand they must never – under any circumstances – allow a stolen configuration file to grant any client access to customer data? There is no reasonable explanation for a cascading failure on the server side which exposes accounts. It might be understandable that you need to make ‘translations’ of content (though Mike says that’s a bunch of crap); so they should specifically only need permission to do that. Don’t use overly broad legalese, like derivative works, because that opens up totally unacceptable use cases! Why is anyone satisfied with a security document that fails to explain how they handle key management or multi-tenant data security? I moved everything except 1Password’s independently encrypted password store off Dropbox yesterday, and am evaluating Spideroak. I’ll come back as an advocate and customer if they fix their mess, but they continue to pat themselves on the back for bad decisions, so it might be a long wait. – AL Second: Hopping onto Twitter at one point over the weekend I thought Dropbox had been taken over by Kim Jong-Il and all my data printed out and personally mailed to Anonymous, the NSA, and my third-grade English teacher. Hunting it down (you know, by reading 2 tweets back), I learned it was a change in the Terms of Service. Then I read the new terms and I realized some

Share:
Read Post

Call off the (Attack) Dogs

As while back, I spent some time categorizing tactics vendors use to create Fear, Uncertainty, and Doubt (FUD) as a buying catalyst for their products. We followed up with a survey trying to understand what kinds of security marketing content is useful at different stages of the sales cycle. I’m parsing and doing some lightweight analysis of the survey results as we build our inaugural vendor newsletter. Given space restrictions I couldn’t analyze all the data, but I do want to focus on one of my pet peeves: competitive attacks. When I was on the vendor side, one of the things that got my goat was the insistence on focusing (almost exclusively) on the competition. Everyone – both sales reps and customers – expected us to provide information sales reps could use to beat the competition. The dirtier and nastier the better. Some folks spread rumors about competitors’ finances, or bogus reports that competitive products fell over at customer sites, or that competitors were kicked out of Account X or Y. It all made me sick. Mostly because I thought it didn’t work. I figured prospects would appreciate information about how our products solved their problems. Unfortunately I had no data to prove that, beyond anecdotal reports of pissed-off prospects not appreciating hit pieces sent directly to their CIOs (two levels above where the decision got made). So we asked questions to provide a sense of if and where competitive attacks are useful, and to compare them against less-aggressive competitive analyses. To be clear, we aren’t dealing with a lot of data here. Only 32 responses, but enough to build my soapbox and support me urging vendors to stop worrying about competitors and start worrying about customers. Let’s take a look at the data on specific competitive attacks. The question was phrased: “Competitive Attacks”: This is down and dirty hand to hand combat tactics, where the vendor attempts to make the competition look bad. There are seemingly no boundaries here, where vendors will question financial viability, spread rumors about staff defections, gossip about investors pulling money out, or anything else to make the competition look bad. Click the image for a full-size view. Almost half of respondents believe this behavior negatively impacts their perception of the vendor. A lot less responded that it negatively impacts their view of the competitor. Very few said these tactics actually improved their perception of the attacker. And few used this information to guide vendor selection or justify selection of specific vendors. When we looked less aggressive competitive analyses, the results were a bit more favorable – but not much. “Competitive Analysis”: Some vendors will provide information (usually informally) about why its product/service is better than the competition. They may question the product’s technical capabilities, and/or talk about how they replaced the competitor in an account. They may also provide some reference accounts to discuss why they are better than the competitor. Click the image for a full-size view. About a quarter of respondents use this information in the selection process. As a client, I’m a fan of getting as many reference accounts as I can. Then I call them up and spend very little time on the vendor they chose. I ask why they didn’t choose the other vendors. They are usually pretty forthcoming about companies that didn’t make the cut. I put little stock in what they say about the vendor who gave me their name. Why? Because I know more than I should about the back-room arrangements that take place to get very busy practitioners to spend some of their days doing favors for sales reps. But those are stories better told over frosty beverages. Listen, I’m not naive here. I understand how the game works. Direct sales is like a street fight. You use whatever advantage you can. I can only tell you that the most successful reps I’ve worked with spent a lot more time focused on customer problems, and much less on the competition. Smart customers buy products based on who solves their business problems best, and do their homework on what products really work in the field. If a product falls over, they know about it from their own research, not the sniping of a competitor. But at the end of the day, it gets back to people. I’ve always done business with folks I like, and I’m not a big fan of dirty tactics. So if you badmouth your competition I’ll generally send you on your way. But that’s me. Share:

Share:
Read Post

Incomplete Thought: HoneyClouds and the Confusion Control

I was somewhat captivated by Lenny Zeltser’s recent post on a Protean Information Security Architecture. His idea is that another set of controls can be based on confusing the attacker. If you open/close different potential attack vectors, you can somewhat obscure the real payload you are trying to protect. Of course, Lenny nails that complexity cuts both ways: An environment that often changes may be harder to attack, but it is also hard to manage. In fact, many vulnerabilities seem to be associated with our inability to securely and timely implement changes, such as deploying security updates or disabling unnecessary services. But I think the concept is solid. It’s basically a more sophisticated approach to honeypots. But this time the objective isn’t necessarily to catch the bad guys in the honeypot – instead it’s to make their lives harder. And we all know that most attackers take the path of least resistance. So if they get confused, or their automated reconnaissance scripts miss stuff or dead-end, most will move on to the next target. But I’m very sensitive to the complexity issue. At scale, far too many organizations can barely manage their devices and network configurations (and I’m being kind). So as Lenny says, we need to make sure we don’t add even more management overhead and create a situation that inadvertently creates exposures due to operational failure. Lenny lays out a couple tactics that could confuse attackers, like opening/closing perimeter firewall ports, tarpitting inbound packets, building fake Internet servers, etc. All these are interesting concepts, but again create significant management overhead to provision and de-provision with enough variation to not be obvious obfuscation. And then it hit me. A lot of these operational tactics could be scripted and deployed in a private cloud, perhaps within your DMZ. Scripts could be built with varying attributes ti make the desired changes (likely on a second set of devices, to avoid messing with production/operational security) without requiring a lot of overhead. Basically you would build a sophisticated honeynet in a private cloud. A “HoneyCloud” of sorts. Sure, there are clear risks to this approach. Do it wrong and you could create holes large enough to drive a truck through. You would need to revisit the patterns & scripts every so often to change things up. You would have to invest in additional infrastructure to run this stuff. So it’s probably not for everyone, or even for most. But as Lenny says: “a protean approach to defense isn’t foolproof–it is one of the elements we may be able to incorporate into an information security architecture to strengthen our resistance to attacks.” I don’t know. I’m not sure if it’s just interesting as a shiny object, or if there is more there. Whether it’s operationally practical or economically feasible. We know this wouldn’t deter a persistent attacker for long. It doesn’t address targeted client-side attacks either. But at least it’s an interesting intellectual exercise. What say you? Is there anything to this Proteus stuff, or am I smoking seaweed? Share:

Share:
Read Post

Incite 6/28/2011: A Tough Nit-uation

As I saw the Welcome to North Carolina sign, I started to relax. About 4 hours earlier, we waved to our girls as they left for this summer’s sleepover camp expedition. The family truckster was loaded up with the boy and XX1’s friend from GA, and it took a few hours but I was getting into a driving rhythm. The miles were passing easily with Pandora as my musical guide. So I thought nothing of it when my phone intruded, showing a (610) number. I figured it was the camp just giving us a ‘heads up’ that XX2 was doing great her first day away from home. I was wrong. “Hi, Mr. Rothman? This is the Health Center at camp.” Oh crap. All sorts of bad thoughts went flying around my head. “Not to worry, it’s not an emergency.” OK, so no broken bones or stitches within the first few hours. What’s the issue then? Why did you interrupt my Pandora? Don’t you know I’m in a driving rhythm here? “We have [XX2] here and we found a few nits in her hair. We have a no nits policy, so you’ll have to pick her up and get her cleaned up before she can stay at camp.” Huh? She didn’t complain of her head being itchy. We had just been on the beach for a week, not in the wilderness. And did this nurse not hear that we just entered North Carolina? Which is not exactly close to Southern PA. It would take us at least 7 hours to get back to camp, and the friend needed to be home that night. Turning tail was a non-starter. This was a frackin’ mess. The Boss was distraught. I was trying to keep the van on the road, and we had a daughter in the health center. So we pulled over the car and activated the Bat Signal. Of course, we didn’t call the Caped Crusader – we called Super Grandma. We sent the girls to camp in Southern PA because it’s within driving distance of the Boss’s family in MD. So Super Grandma (and Papa too) jumped in the car and headed North to pick up XX2. She handled it like a trooper, though she was a little confused as to why she had to go home if her head wasn’t itchy. That kind of logical analysis under fire was pretty impressive in a 7-year-old. And she was already politicking to stay at camp for two extra weeks because she had such a great time in the 3 hours she was with her bunk. Her biggest concern was that she wouldn’t be allowed back to camp. I guess our acclimatization concerns were a bit misplaced. Meanwhile, we were working the phone to find a service that could clean her up quick and get her back to camp ASAP. Did you know there are tons of folks that will clean head lice from your kids, dogs, uncles, or anyone else who seems to get it? I had no idea, but there are a ton of them. I guess you don’t learn that until you have to deal with it. One service wanted our 7 year old to douse her head in olive oil and wrap it in a shower cap for a week after the treatment. Yeah, right. That would work pretty well at camp. So we went with someone who could show up at 7am the next morning, clean her up, and get her back to camp. Which is exactly how it turned out. There were no nits after all. $300 later, we discovered I genetically disposed XX2 to a dry scalp, and that combined with sand residue from a week of being buried at the beach (which is hard to remove, no matter how many times you wash and brush) can look like nits. So she is back at camp, and she acted so mature throughout the whole boondoggle that we decided to extend her stay at camp from two weeks to a month. So it was a very expensive drive home, all things considered. And as a bonus we learned more about head lice than any human should know. But all’s well that ends well, and this ended well. Now we get to spend a solid 3 weeks with the boy, with the express goal of expanding his food palette. That poor kid. He says he doesn’t miss his sisters, but after 3 weeks of Mommy Food Camp, I’m pretty sure he’ll be the first one on the bus to camp next year. But we’ll get to that installment of As the Incite Turns later this summer. I know you can’t wait. Mike Photo credits: “nit” originally uploaded by pshab Incite 4 U Scareware is good business: We Mac boys got all fired up about the unsophisticated MacDefender scareware a few weeks ago. You could get the feel that scareware was a big business, but you didn’t know how big. Thanks to some crack detective work in the Ukraine (h/t Brian Krebs) in conjunction with the FBI, we have an idea now. And it’s big business. A conventional security start-up with a revenue ramp to $72 million and 960,000 customers in a matter of months would earn a multi-billion valuation and a VC funding frenzy. Even better, they leverage commercial attack kits like Conficker to accelerate distribution. They probably even have fancy titles like “VP of (Social) Engineering” and “Head Phisherman.” Of course, the downside of this business is a few years in a Gulag, but the economics are staggering. In geographies where monthly salaries are in the hundreds, you can understand why competent computer folks take this path. – MR Secure code metrics: DHS/Mitre proposing a security scoring system is a good thing. Having been a development manager for over a dozen years, I know metrics are important. I also know they must be used carefully. The main problem is that they are tangential indicators – they don’t

Share:
Read Post

The Age of Security Specialization is Near!

First day back in the saddle after vacation is always interesting. I must have had a million ideas while lounging on the beach. I remember maybe 3, and probably won’t have time to do much of anything for a while – first I need to dig out of a week of inflow. But one thing I did want to revisit quickly is defining what security folks are, and more importantly what we need to move forward. I hit on this years ago when I published the Pragmatic CSO and sent out a little series called “5 tips to be a better CSO.” The first is this: Tip #1: You are a business person, not a security person When I first meet a CSO, one of the first things I ask is whether they consider themselves a “security professional” or a “finance/healthcare/whatever other vertical” professional. 8 out of 10 times they respond “security professional” without even thinking. I will say that it’s closer to 10 out of 10 with folks that work in larger enterprises. These folks are so specialized they figure a firewall is a firewall is a firewall and they could do it for any company. They are wrong. One of the things preached in the Pragmatic CSO is that security is not about firewalls or any technology for that matter. It’s about protecting the systems (and therefore the information assets) of the business and you can bet there is a difference between how you protect corporate assets in finance and consumer products. In fact there are lots of differences between doing security in most major industries. There are different businesses, they have different problems, they tolerate different levels of pain, and they require different funding models. Pragmatic CSO’s view themselves as business people first, security people second. To put it another way, a healthcare CSO said it best to me. When I asked him the question, his response was “I’m a healthcare IT professional that happens to do security.” That was exactly right. He spent years understanding the nuances of protecting private information and how HIPAA applies to what he does. He understood how the claims information between providers and payees is sent electronically. He got the BUSINESS and then was able to build a security strategy to protect the systems that are important to the business. This concept came back to me when I was reading Dave Shackleford’s post, “I’m not a coder” may not fly forever. His point is that a lot of our security problems are application-centric and we need to develop a bit of code fu to be effective moving forward. Can’t argue that fact, but does that mean we can take our eye off the network? The servers? The data? Probably not. Many of us identify as security folks, but in reality that is a limiting and self-destructive perception. I think we are entering an age of security specialization, at least within the large enterprise. Generalists will get lost in the complexity of enterprise problems. I believe the senior security folks still have to be focused on the business issues, and be considered a senior management peer to be effective. That’s what I describe above – the idea of being a business specialist. But not everyone needs to (or can) play at that level. The technical practitioner will have to make a choice. I don’t see a way around that. As Dave points out, someone needs to understand applications at the code level. Shrdlu has pointed out on numerous occasions that one of the best hunting grounds for security folks is the ranks of system and network adminsm because they understand how this stuff really works within the infrastructure. But those folks probably won’t be code ninjas, not unless they are savants or something like that. Regardless of which discipline you choose, you’ll need to understand how things really work for plenty of reasons. First, security isn’t something that folks do out of the goodness of their hearts. So you have to appeal to these colleagues in their native languages. That’s business for business folks, code for developers, and network and server configs for admin types. You try to talk to these constituencies in a generic language and they’ll shut down, write you off, and in the best case ignore what you are saying. More likely they’ll go around whatever you try to do and make it pretty much impossible for you to succeed. Second, you need to really understand when someone is yanking your chain. You need to be able to call folks out when they go around you. You must build credibility with the folks you are trying to influence. The only way to do that is to show them you aren’t a lightweight in the area they care about. Unless you are, in which case you have different issues. Obviously if you work for a smaller entity, specialization is not an option. You just don’t have the bench strength. So you need to fight complexity, because you ultimately need to be a mile wide, which means you’ll be an inch deep. Again – unless you are a savant. But large enterprise security folks will be specialists, methinks. Agree? Disagree? Am I two years behind the common wisdom (for a change)? Share:

Share:
Read Post

New White Paper: Security Benchmarking: Going Beyond Metrics

Ever since I wrote the Pragmatic CSO a lifetime ago (okay, 4 years, but it feels like a lifetime), I have been evangelizing about better quantification of security programs. Even without context, quantification is valuable, but they are much more useful together. So I have been pushing hard for finding a set of similar companies to compare your metrics against, to provide that needed context. Alas, with the number of fires we have to fight every day, most security folks just don’t make the time to embrace metrics. This paper focuses on why you should. We consider security metrics at a high level to lay the foundation, then spend most of the paper explaining what benchmarking offers your security program and how to do it. A brief excerpt from the Executive Summary explains it well: A key aspect of maturing our security programs must be the collection of security metrics and their use to improve operational processes. Even those with broad security metrics programs still have trouble communicating the relative effectiveness of their efforts – largely because they have no point of comparison. Thus when talking about the success/failure of any security program, without an objective reference point senior management has no idea if your results are good. Or bad. Enter the Security Benchmark, which involves comparing your security metrics to a peer group of similar companies. If you can get a fairly broad set of consistent data (both quantitative and qualitative), then compare your numbers to that dataset, you can get a feel for relative performance. Obviously this is very sensitive data, so due care must be exercised when sharing it, but the ability to transcend the current and arbitrary identification of problem areas as ‘red’ (bad), ‘yellow’ (not so bad), or ‘green’ (a bit better) enables us to finally have some clarity on the effectiveness of our security programs. Additionally, the metrics and benchmark data can be harnessed internally to provide objectives and illuminate trends to improve key security operations. Those of you who embrace quantification gain an objective method for making decisions about your security program. No more black magic, voodoo, or hypnosis to get your budget approved, okay? The paper has a landing page, or you can download the paper directly: Security Benchmarking: Going Beyond Metrics (PDF). While you are enjoying the paper, please send a thank you to nCircle for licensing it. Share:

Share:
Read Post

The Hazards of Generic Communications

Rich, Adrian, and I are pretty lucky. We are bombarded by data coming at us from every direction. What’s working, what’s not, who’s attacking who, what new widgets are out there – and that’s just the tip of the iceberg. For an information junkie like me, it’s a sort of nirvana. But absorbing all this information without being able to relay it to folks who need it defeats the purpose. Success in an analyst role comes down to talking to folks at the level and in the language that they need, to digest and use whatever you are telling them. I would expand the scope of that idea: being able to communicate is a critical success factor for any role. As I mentioned in my recent Dark Reading post (The Truth Will Set You Free), as an industry we aren’t very good at communicating, and this is a big problem as security gets a higher profile. Far too many folks make generic statements about threats and controls, assuming their own perspectives work for everyone. Lonervamp points this out in the cold, harsh light of reality by dismantling a recent post on McAfee’s blog in smb security advice: don’t read this article. McAfee’s post allegedly targeted an SMB audience with Five Simple Steps SMBs Can Take to Avoid a Disastrous Data Breach. But its language and guidance were more appropriate to an enterprise reader. LV did a great job discussing why each of their 5 steps were really ridiculous, given SMBs’ general lack of sophistication. Yes, that is another generalization, but it is generally correct in my experience. I’ll cut McAfee some slack because this came from their risk/compliance group – and they’re not really selling anything an SMB would buy. But that’s just one of about a zillion examples of how we screw up communications. This is vendor to customer communication, but both security folks talking to their organization (at both high and low levels), and consultants talking to customers, suffer from the same tone-deaf approach of figuring a single message works for everyone. It doesn’t. I should know – I have screwed this up countless times in pretty much every role I’ve ever had. So at least I have a few ideas about how to do it better. I’m particularly sensitive to this because we are starting to spend many more cycles on Securosis’ SMB-targeted offering. It literally requires us to shut down the enterprise part of our brains (which the three of us have honed for years) and think like an SMB. At the end of the day a little reminder can make a world of difference: it’s about understanding your audience. Really? Yes, it’s that simple. But still very difficult in practice. Which is why it’s important to sprinkle in industry vernacular if you are talking to a certain industry group. Why you need to focus on business-centric issues and outcomes if you speak to senior management. And why you need to keep things simple if you are addressing a group of small business people. Again, if you are in an SMB, or you are a senior manager, or you work in a certain industry: please don’t take offense. I’m not saying you can’t understand generic language. My point is that you shouldn’t have to. Any person communicating with you should respect you and your time enough to make sure their information is relevant to you, and to consider their presentation rather than merely repeating what they say to everyone else. Share:

Share:
Read Post

Incite 6/15/2011: Shortcut to Hypocrisy

I’m not a big basketball fan. I like the NCAA tournament. I may watch a game or two of the NBA playoffs/finals, but I don’t follow them. It seems nothing can get our nation to rise up like a common enemy. That enemy was the Miami Heat. My Tweeter exploded last night with all sorts of venom against the Heat, as they were losing to the Mavs. I could only laugh. Because it was a great example of the hypocrisy of so many sports fans. The Heat draws the ire of basically everyone because the top 3 free agents last year decided to play in Miami. The big 3 each took a $10-20MM financial hit in order to win championships. Sure, I see how fans of other teams can feel put out. Especially the fans in Cleveland who ended up holding the bag when LeBron left. But folks in LA? Folks in Boston? Folks in NYC? C’mon, man! How is what those teams do any different than what the Heat did? Except maybe the Heat did a better job – they landed the free agent whales. It seems like Boston fans have managed to forget Danny Ainge betting the ranch to bring in Kevin Garnett and Ray Allen to join Paul Pierce. And they delivered a championship. But that was different, right, Celtics fans? The Knicks signed A’mare and then traded pretty much everything else to get Carmelo Anthony. How is that different, especially after a first round exit in the playoffs? They talk about short cuts and in some of these pro leagues an owner willing to bet the ranch can assemble a very competitive team right now. How about baseball? The Yankees and Red Sox have been doing this forever. The Phillies joined the club this year as well, paying through the nose for Cliff Lee. And would it surprise anyone to see these teams playing in late October? What’s more surprising was last year, when teams like San Francisco and Texas got to play in the World Series. That gets my the point: folks are really pissed merely because their teams couldn’t get those guys. Basically they are jealous and complaining someone else did a better job – hypocrites. Maybe the sorest guy about this whole thing is the dude that owns the Cavs – Dan Gilbert. He was kind enough to tweet about the fact there are no shortcuts, which is a load of crap. There may not be a shortcut directly to winning the championship, but there are certainly shortcuts to make a team very competitive. And if you aren’t competitive, I’m pretty sure you won’t be playing in the championship. Photo credits: “Hypocrisy” originally uploaded by satosphere Incite 4 U On the “budget less” CISO: Raf Los seems to be hell-bent on antagonizing pretty much every CISO out there, advocating a divorce of the CISO from the security budget. The thing is, he’s advocating taking away something that was never really there in the first place. Sure, every company (of scale anyway) has a security budget, but that’s not our money. That’s the money the business has allocated as a cost of doing business. Maybe it’s to meet compliance needs. Maybe it’s to provide a minimum level of security. You can be sure the CFO will be trying to minimize this cost. Raf talks about a very Pragmatic approach to working with the business, in order to get them ultimately to buy into better controls. I have long believed that persuasion is the CISO’s most important skill – you must make the case to protect against an unknown attacker, using an unknown attack, going after data that may or may not be important. – MR ePayment pie: The fight for mobile payment supremacy is in full swing. And why not? Person to person commerce – with every mobile device able to be a point of sale terminal – offers huge potential revenue. The credit card providers love the concept of Square and Mophie Marketplace. It’s a win-win – for the banks anyway. Not only does more money move through the credit card system, but it gets close to removing cash from commerce altogether by making credit and pre-pay cards the de facto currency, with 2-3% transaction fees. Tons of smaller virtual currency providers are popping up to support people who want to pay in different ways, for everything from social networking to porn. You know it’s a big deal when the political lobbyists are going after other forms of virtual currency – like Bitcoin and Live Gamer – positioning their competition as unstable and only for online gaming and buying illegal drugs. Each virtual currency has its ideal application, and each has benefits for security, privacy, anonymity, and/or financial protection. So we will see plenty of FUD as all the players fight for a bigger slice of the revenue. – AL Passwords still suck: No, not the actual concept of passwords. Those are fine, as Adrian points out when pushing password managers. But only if you use them. The LulzSec folks continue to wreak havoc, so we might as well learn something from them. Troy Hunt does a great analysis of the passwords posted as a result of one Sony breach. Lots of pie charts and even a comparison to the file of Gawker passwords posted last year. The results are predictable, and sad. Well, they are sad if you want to improve the world. You can be happy if you are just hoping to not get pwned personally. Given the sheer number of weak passwords out there, if you use something a little less weak, you have a good chance of being over the threshold of what’s worthwhile for the bad guys. And lord knows, they are still all about the path of least resistance. – MR Zero knowledge pulpit: There is absolutely no reason to believe you can’t securely house PCI data in a cloud or virtualized environment. Ellen Messmer’s article questioning

Share:
Read Post

FireStarter: Truth and (Dis)Information

We all have our own truth. Think about it: two people can see exactly the same thing, but remember totally different situations. Remember the last argument you had with your significant other. It happens all the time. You see the world through your own lens, and whatever you believe: that’s your truth. But when someone questions that truth, even the strongest of us may falter. That’s the secret of disinformation, which creates deception and distrust, and can subvert any collective. Two recent data points push me to believe we are seeing a well-orchestrated disinformation campaign against the folks Josh Corman calls chaotic actors. You see, these loosely affiliated collectives of cyber-vigilantes are causing significant damage within the halls of power. And it seems the powers that be are concerned. To be clear, I don’t know anything specific. I’m basically speculating based on the ton of information I consume about security, making a living matching patterns, and a lot of spy novels. When I see a very specific gauntlet laid down by someone within NATO, basically claiming that Anonymous will be infiltrated, it’s interesting. Then I see another story which seems kind of wacky. The Guardian reports that 1 in 4 so-called hackers are actually informants. Gosh, that seems like a lot. To the point of being unbelievable. But combining these two data points gets very interesting. You see, by definition these chaotic actors are geographically dispersed. They communicate via secure(ish) mechanisms that obscure true identities, for obvious reasons. They have some kind of vetting process for folks who want to join their groups. Aaron Barr of HBGary Federal can tell you a bit about what happens when you are caught as an unwanted interloper. But at some point, they have to trust each other in order to put their plans into action. But disinformation breeds distrust. So it makes sense that, lacking any direct means to take down these collectives, a disinformation campaign would be next. Basically NATO has specifically called out Anonymous. The FBI allegedly has thousands of informants at all levels of all the online syndicates. Then throw in the high-profile takedowns of a few botnets recently, the arrest of some Spanish guys allegedly involved with Anonymous, and the reality that the hacker of all hackers, Albert Gonzalez, was an informant – and maybe the story isn’t so unbelievable, is it? So basically the chaotic actors start wondering if the folks they’ve been working with can be trusted. Maybe they are informants. Maybe they’ve already been infiltrated. Maybe the traitor is you. You see, whether the informants actually exist is besides the point. I do believe there are active efforts to penetrate these groups, since a public execution is another aspect of a psychological campaign to breed distrust. But I figure these efforts aren’t going too well. If the informants existed, the powers that be wouldn’t talk, they’d act. No? Am I nuts? Been reading too much Ludlum? Let me know what you think… PS: My old colleague Brian Keefer (@chort0) tweeted some similar thinking on Friday. Unfortunately I was tied up with our CCSK training and couldn’t engage in that discussion. But I wanted to recognize Brian drawing a similar conclusion… Photo credit: “disinformation is king” originally uploaded by ramtops Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.