Research

Some days I wish I was a screenwriter. There, nothing is out of bounds. Physics? Bah. Logic? Who needs that? How cool was it that the writers of Dallas (the show, not the city) decided to take a mulligan… on an entire season? Pretty cool, I’d say. What if we could take a mulligan on some of those decisions we made years ago? You know, like parachute pants. Or signature-based antivirus. IDS. Token-based authentication. If you could pull a Dallas, what would you build? It’s a fascinating question. And one that I’d like to investigate – with your help, of course. To be clear, this is a thought experiment. If you were just hired as the security architect for a company that had nothing, what would you implement? I’m not going to build a scenario with applications and number of locations and all that crap. Figure you work for a big company and somehow they’ve decided to start over again. You have applications and some even use the web. You have sensitive data, the kind that bad guys would love to get. You have lots of locations all over the world. And the powers that be just gave you the keys to the car. Now point it in the right direction. So what would you do? And before you get bent around an axle, saying you need to implement a firewall and AV because the regulations say so, forget that. No compliance mandates here. You are focused on protecting the critical information in your organization. And money is no object. What would be on your shopping list? What wouldn’t be? There are no wrong or right answers. I think it’ll be interesting to hear everyone’s opinions. I have posted some of my thoughts on Positivity, which make sense to me. That doesn’t mean they’re right. Ready, set, discuss! Photo credit: Green fields of wheat originally uploaded by Robert Crum Share:

You can always tell whether you are at a hacker con or a corporate-oriented conference in our business. The hacker cons have plenty of tattoos, piercings, fringe hairstyles, and the like. In fact, I’m usually more concerned that folks will think I’m a narc because I have none of the above. But this brings me around to the idea of appearance and its impact on your career. I think Lee and Mike had a good, reasoned response in their Fashion Advice from Infosecleaders post. The question is about a guy, who is climbing the corporate ladder and now finds himself having to dress the part. And it’s uncomfortable. Lee and Mike’s general thought is that he needs to deal with it, and that to play the game you have to look like you are in the game. And maybe they are right. But they might also be wrong. I think there could be other factors at work here, based on experiences I’ve had, because I’ve very rarely looked the part in any job I’ve had. Let’s start with my early META Group experience. I was in my early 20s and looked 18. My hair hadn’t started turning gray yet, and I was sitting across from CEOs and folks whose networking budgets had 9 or 10 zeros. I would be brought in to discuss trends in networking and telecommunications. The reality was that some of these networking jockeys probably had underwear older than me. So as you can imagine the first few minutes of each meeting were always pretty interesting, as everyone in the room sized each other up. I was far less snarky at that point so I usually didn’t antagonize the clients with tales of beer funnels, pet rocks, and dances with girls. You know, the stuff us kids used to do for fun in the olden days. Most of them took me for a lightweight and thankfully they didn’t have BlackBerrys back then, because I imagine they would have started banging through email before the introductions ended. But then a strange thing happened. Pretty much every time. I started talking. I answered their questions. I provided perspectives on trends that indicated I actually knew what I was talking about. Who knew? This young whippersnapper actually talked to lots of folks and although a front-end processor was invented while he was still crapping in diapers, he understood IBM’s product strategy and what that meant to these poor saps who had to make the stuff work. I actually kind of enjoyed that expectations were pretty low when I entered the room. It made impressing clients much easier. Now back to the topic of attire. Truthfully, I’m not sure whether this guy’s problem is attire or self-esteem. You see, he feels different, and therefore the senior team treats him as different. He doesn’t seem to believe he belongs at the table with the big boys. So, I believe, senior folks pick up on that and realize his self-fulfilling prophecy. If you don’t think you belong in the club, you are right. If you have confidence in your abilities, know you speak knowledgeably, and are not intimidated by muckety-mucks who believe you need to wear a tie to be successful, you should be fine. Even in your khakis and button-down shirt. And if your organization truly judges you based on what you wear, and not what you know and what you do, then you are working for the wrong organization. Share:

You all know how much I like surveys. But I tend to think surveys targeted at SMB tend to be a little closer to reality, especially ones with 1,000+ responses. Our Big Yellow pals recently did a Disaster Preparedness Survey of 1,800+ small businesses, and the news isn’t very good, but not unexpected either. Here are a few soundbites: Median cost of a day of downtime is $12,500. 50% of respondents don’t have a DR plan. 41% said it never occurred to them to put a plan in place. 40% said it’s not a priority. Less than half back up data weekly. Only 23% back up data daily. 50% of those with DR plans wrote one after an outage Yes, I could go on and on – but why bother? The issues are the same and a consistent mentality applies whether you are talking about security or disaster recovery. That’s the other guy’s problem. It won’t happen to me. Until it does. We could be talking about an attack that takes out our critical resources or a hardware failure that takes out our critical resources. They’re effectively the same. You end up with stuff that’s down and unavailability is bad. That’s if you like your job. So what to do? Continue fighting the good fight. Push for an incident response plan, as well as a disaster recovery plan. There should be a lot of leverage between the two. At least from the standpoint of restoring operations. The Symantec folks made a few recommendations, which are actually pretty good. They include: Don’t wait until it’s too late, protect information completely, get employees involved, test frequently, and review your plan. Yup, that’s pretty much what you want to do. Don’t wait until it’s too late to make sure you are ready for problems. Regardless of whether you work for a big or small company. Share:

One of the terms you’ll likely hear at RSA this year is security posture. Along with “situational awareness” and other terms which refer to your ability to understand if you are under attack and how your defenses are positioned to protect your assets. But I’m fascinated by the psychology of posturing, because we see that kind of behavior every single day. It’s not like I go clubbing a lot (as in, at all), but you can always tell when someone who thinks they are an alpha male enters. They intentionally project a “don’t fsck with me” attitude and are likely to fly into a ‘roid rage at any time. They are posturing, and it’s likely a self-esteem issue has caused them to overcompensate by juicing up and thinking that pushing around someone around in a bar makes them cool. Either that or they have a small piece. Maybe their Mom could have given them a few more hugs growing up. Or they should have tried that Swedish pump highlighted in Austin Powers. I know we aren’t done with the 2010 season yet (though my teams have been eliminated, so I’m just a bemused observer at this point), but there is a lot of uncertainty regarding the 2011 season. The CBA (collective bargaining agreement) expires in early March and the owners don’t think the existing structure is good for them. Of course, at the other end of the table, the players want their fair share of the unbelievable revenues generated by the NFL. Fair is the key word here. Each has their own definition of fair. So there is a lot of posturing on both ends. Everyone wants to be the alpha male. Each says the other side wants a lockout. Lots of disinformation is flying back and forth, all to sway the fans to support one side or the other. The spin doctors are working overtime. Sounds like a presidential election, come to think of it. Personally, it’s hard to feel bad for either side. The owners are billionaires and the NFL is a cash machine. The players are very well compensated for playing a game. And millions of fans dutifully buy season tickets, watch games, and buy merchandise. In fact, my Matt Ryan jersey arrived yesterday. Just in time! Frackin’ snow storm. So I’ll be pissed if there is any kind of lockout. All of these 7 and 8 figure alpha males just need to get over themselves and remember it’s because of us fans that they get to do anything. These guys forget we have alternatives. I can tell you college football will become a lot more popular if there is some kind of NFL work stoppage. SEC football is pretty OK, even if you don’t have an alma mater to go bonkers over. The NCAA should move games to Sunday if the NFL doesn’t play. Seems the owners believe that if they delay or cancel the season, all the fans will let wait breathlessly for their return. I know this is a game of high stakes poker, but it seems there is a lot of short-term thinking here. With billions of dollars being generated, it’s unbelievable that you can’t structure a win-win situation for all involved. Gosh, am I thinking rationally here? Must be time to take the clear, or is today a cream day? A good ‘roid rage will do wonders for my outlook on the situation. And anyway, I need my full alpha male posture on come RSA time… -Mike Photo credits: “Bad Posture” originally uploaded by bartmaguire Vote for Me. I’ll buy you a beer. There is still time to vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. Help out a brother with a vote. Incite 4 U The Lazy Man’s Guide to Success: Mike Dahn has a treatise called Leverage, where he calls for a number of tactics to increase your effectiveness in the next year. Things like delegation, networking, and turning cost centers into revenue opportunities. Interesting stuff. What do all of these ideas have in common? They allow you to be lazy. If you can get someone else to do your work for you, why wouldn’t you? I’d love to delegate all the stuff I’m supposed to do. I’d like to turn my cost centers into revenue centers. I like the idea of leverage. Because I’d much rather be reading NFL news all day than actually doing work. Who wouldn’t? But I shouldn’t joke too much because Mike has a point here. Unless your goals are too low, you will need help to get there. So think about it from that perspective. – MR Someone needs a fact checker: I understand that press releases are a fact of life. While they all sound exactly the same, some of them provide a valuable nugget of information mixed in with all the masturbatory self-congratulations for signing up yet another small school district as a customer. After the obligatory FUD, that is. For example, today I received, “In the wake of increasing levels of data breaches, accidental data losses and incidents of user’s privacy being compromised, the Online Trust Alliance (OTA) is set to release its 2011 Data Breach Incident Readiness Guide in time for Data Privacy Day (Jan. 28th)”. Which is funny, as most sources like the Open Security Foundation DataLossDB and our own 2010 Data Security Survey show a relative decline in reported breaches. Maybe there are more breaches and privacy leaks, but it isn’t like they have numbers to prove it. – RM The Recognized Leader: I am the leader in a new ‘market’. I just found this out after having read the press release on Nice Systems’ new product to reduce financial risk associated with PCI-DSS. Apparently they provide live redaction of call

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against unsurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done. We in the security world seem to forget that all the time. Today started like most other days. I checked my email. I looked at my Twitter feed and, surprisingly enough, a bunch of folks were bitching about PCI and stupid assessors and all sorts of other negativity. Pretty much like every other day. I shut down my Twitter client and thought a bit about why I do what I do, even though it seems to make no difference most days. It’s because it’s the good fight and the mere fact that it’s hard doesn’t mean we shouldn’t continue pressing forward. Rich summed it up very well a few weeks ago in his Get Over It post. Human nature isn’t going to change. So we’ll always be swimming upstream. Deal with it. Or find something else to do. And to be clear, what we do isn’t hard. Fighting for civil rights is hard. Overcoming oppression and abject poverty and terrible disease is hard. Always keep that in mind. Always. The Boss is constantly telling me there is no grey in my world. Right. Wrong. Nothing in between. And pushing to educate our kids about what they should and should not do online is right. Pushing to help our organizations understand the risks of all their business plans is right. Trying to get senior management to appreciate security, even though it makes their jobs harder at times, is right. Doing nothing is wrong. If you are reading this blog, then you are likely very fortunate. With resources and education and opportunities that billions of people in this world don’t have. So yes, what we do is hard. But it’s not that hard. On this day, where the US celebrates one of its true giants, a man who gave everything for what he thought was right, take a few minutes and re-dedicate yourself to fighting the good fight. Because it’s the right thing to do. Image credit: “Martin Luther King, Jr.” originally uploaded by U.S. Embassy New Delhi Share:

I enjoy living in the South (of the US). I’m far enough North that we get seasons. But far enough South to not really be subjected to severe winter weather. It’s kind of like porridge in the story of the 3 bears. Living in ATL is just right for me. Usually. In a typical year, we’ll see snow maybe twice. And it will be a dusting, usually gone within an hour. Only once in the 6 years I’ve lived in Atlanta has there been enough snow to even make a snowman – and Frosty it wasn’t. Which is fine by me. But this weekend we got hammered. 6 inches in most places. I know, you rough and tumble Northerners laugh at 6 inches. That’s not enough to even start up your snow blower. I get that. But you are prepared and you have the right equipment to deal with the snow. We don’t. I’ve seen it written that Chicago has 200 snow plows. Atlanta has 8. Seriously. And I live about 30 miles north of Atlanta, so we have zero snow plows. Even if you get a few inches of snow, it’s usually above freezing, so it melts enough to clear the roads and get on with business. Not this time. When it got above freezing, we got frozen rain. And then it got colder, so anything that melted (or rained) then froze on the roads. I’m a good winter driver and I know enough to not mess with ice. I even had to shovel. Thankfully, I didn’t toss my good shovel from up North. It still worked like a charm – though my back, not so much. So basically I’m trapped. And so are the Boss and kids. They canceled school for the past two days, and it’s not clear (given the forecast for more freezing weather) that they will have school at all this week. Thankfully the snow is still novel for them, so they go out and sled down a hill in our back yard in a laundry basket. Yes, a laundry basket. That’s a southern kids’ sled, don’t you know? I’ll give the kids props for creativity. But a week at home with the kids without the ability to go do stuff is going to be hard. For the Boss. I’ll be sequestered in my cave looking busy. Very very busy. OK, I’m not totally trapped. I did escape for an hour this afternoon to brave the slush and other wacky drivers. I had to pick up a prescription and get some bread. The roads were passable, but bad. And to add insult to injury, Starbucks closed about 20 minutes after I got there, so I couldn’t even get much writing done. My routine is all screwed up this week. I know this too shall pass. The snow will melt, the kids will go back to school, and things will return to normal. But to be honest, it can’t pass soon enough. We love the kids. But we also love it when they get on the bus each morning and become their teachers’ problems for 6 hours. -Mike Photo credits: “Snowed in Snowdon” originally uploaded by zalgon Vote for Me. I’ll buy you a beer. OK, I’ll finally come clean. I’m an attention whore. Why else do you think I’d write this drivel every week? Yes, my therapist has plenty of theories. But it seems that some of you think this stuff is entertaining. Well, at least the judges of the Social Security Blogger Awards do. I’m both flattered and excited to once again be nominated in the Most Entertaining Security Blog Category. I actually won the award in 2008, but was crushed like a grape in 2009 by Hoff. And deservedly so. But this year Hoff is thankfully in another category, so my fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. I’ll reiterate an offer to buy a beer for anyone who votes for me, but there is a catch. You can only collect at the Security Bloggers meet-up at RSA. Seems Shimmy is on to my evil plans. So if you like beer. Or if you like me. Or if you feel sorry for me. Or if you want my Mom to be able to kibbitz with her group of Yentas in Florida about her entertaining blogger son. Help out a brother with a vote. Incite 4 U Brand this: George Hulme argues against the idea that security doesn’t matter to a company’s brand. George can (on rare occasions) be a disagreeable guy, but this one is a bit of a head scratcher. If the measuring stick for is stock price, then George is wrong. There has been no negative effect on stock price from a security breach. George states that companies suffering breaches have greater churn than those that don’t. But evidently not enough to impact their stocks. I did a podcast with Shimmy yesterday and toward the end we discussed this. My point is that clearly breaches cost money, both in terms of the direct costs and the opportunity cost of not doing something more strategic with those resources. Those are real costs. But do they outweigh the additional costs incurred by trying to be secure? That is the zillion dollar question. And there isn’t any data to prove it one way or the other. As Rich always preaches to us, we need to be very careful when we infer causation without specific data. Which I think has happened on both sides of this discussion. – MR Don’t blame the hinge manufacturer if you leave the door open: I get sort of annoyed when people blame someone else for their problems. Take the latest brouhaha over the brand new Mac App Store. It turns out – and you might want to sit down for this one – that if you don’t follow Apple’s guidelines on

At the risk of having Rich yell at me again (like he did early last year) because I’m writing too much high-level stuff, let’s get back to a key soft skill of being a security manager. It’s not like we got a lot better at that in 2010, right? I talked about motivating your team earlier this week, so now let’s turn to marketing and sales. Right – you are a security guy/gal, what do you need to know about sales? Well, unless your senior management comes to you with a blank check and a general understanding of how to protect your stuff, you need to map out a security program and sell it to them. If you end up with about 20% of the budget you need every year, and at layoff time you lose 40% of an already understaffed team, guess what? You have a sales problem. And that means you may have to get your Elmer FUDd on. A post by Dave Shackleford got me thinking about FUD (fear, uncertainty, and doubt) from a user context. It’s a constant presence when dealing with vendors, who are always trying to scare their customers into buying something. But end users can leverage FUD as well. Just be careful – it’s a bit like using live exploits. You might get what you want, but in the process take down the entire system. I’ve been talking for years about the need for security managers to focus on communications and leave the firewall rules to the admins. Part of that communication strategy is about creating urgency. Urgency gets things done. Urgency doesn’t allow folks to debate and get into an analysis/paralysis loop. You need urgency. And used correctly, FUD can create urgency. You are probably thinking about how distasteful this whole discussion seems. You can’t stand it when your sales reps try to throw a FUD balloon at you, and now you need to do the same thing? Just hear me out. The deal with using FUD in an end user context is pretty straightforward – it’s really just about telling the truth, the whole truth. And that’s really the difference. The amount of risk most organizations face can be overwhelming, so most security managers downplay it, or run out of time to tell the entire story. What you want to do is explain to senior management, preferably with examples of how it happened to other folks (who look like your company & managers), all the ways you can be compromised. Yes, the list is long. I recommend you do this within the context of a risk assessment and the associated triage plan to fix the most urgent issues. This process is outlined in Steps 2 and 3 of the Pragmatic CSO. You see, if you show them you can get killed 200 ways, but ask for funding to only fix 50, it’s a win win. The reality is even if you had the resources, you couldn’t fix all 200 anyway, and by the time you are done there will be another 200. But that can stay just between us. The senior folks think you are making tough choices to fix the stuff that’s most important and exposed – which you are. So as you hunt for those wascally wabbits each day, don’t be too scared to break out the Elmer FUDd from time to time. Sometimes the end justifies the means. But don’t tell the vendors I said FUD is OK (sometimes). That needs to remain our little secret. Photo credits: “Elmer Fudd” originally uploaded by Joe Shlabotnik Share:

In this series we’ve tackled the threats these new handheld computers mobile devices present, as well as how we need to deal with folks culturally when they demand access to sensitive corporate information on mobile devices. As we wrap up this short series on mobile device security, let’s jump in and talk about a few things we can do to protect these devices. As we all understand that these mobile devices are really handheld computers, we need to think about the tactics that are successful for securing our more traditional computers. Admittedly, ‘successful’ may be a bit optimistic, but there are still many lessons we can learn from the controls we use to protect laptops. Some of these fall into a traditional security technology bucket, while others tend to be more operational and management oriented. But really, those distinctions are hair-splitting. Things like secure configurations and access policies contribute to the safety of the data on the device, and that’s what’s important. Tactic #1: Good Hygiene I know you hate every time you go to the dentist and see the little sign: Only floss the teeth you want to keep. I certainly do, but it’s true. As much as I hate to admit it, it’s still true. And the same goes for protecting mobile devices. We need to have a strong posture on these devices, in order to have a chance to be secure. These policies won’t make you secure, but without them you have no chance. Strong Passwords: If you have sensitive data on your mobile devices, they need to be password protected. Duh. And the password should be as strong as practical. Not a 40 digit series of random numbers. But something that balances the user’s ability to remember it (and enter it n times per day) against the attackers’ ability to brute force it. And you want to wipe the device after 10 password failures or so. Auto-lock: Along with the password, the device should lock itself after a period of inactivity. Again, finding the right setting is about your users’ threshold for inconvenience, the length of their passwords, and your ability to dictate something secure. 5-10 minutes is usually okay. Data encryption: Make sure the device encrypts data on it. Most mobile devices do this by default, but make sure. Continuous Hygiene With your dentist, doing a good brushing right before your appointment probably won’t going to fool him or her if you haven’t flossed since the last appointment. But unless you are checking constantly whether the mobile device remains in accordance with your configuration policies, you can be fooled. Just because you set up a device correctly doesn’t mean it stays that way. For traditional networks, a technology like Network Access Control (NAC) can be used to check a device when it joins the network. This ensures it has the right patches and right configuration, and has been scanned for malware, etc. You should be doing the same thing for your mobile devices. Upon connecting to your network, you can and should check to make sure nothing is out of compliance with policy. This helps block the user who gets his device from you and promptly jailbreaks it. Or does a hard reset to dump the annoying security controls you put in place. Or the one who turned off the password or auto-lock because it was too hard to deal with. Remember, users aren’t as dumb as we think they are. Well, some aren’t. So some of them will work to get around the security controls. Not maliciously (we hope), but to make things easier. Regardless of the security risks. Part of your job is to make sure they don’t manage it. Tactic 2: Remote Wipe Despite your best efforts, some users will lose their devices. Or their kids will drop them (especially the iDevices). Or they’ll break and be sent in for service. However it happens, the authorized user won’t be in control of their devices, and that introduces risk for you. And of course they won’t tell anyone before sending the device is into the shop, or losing it. So we get a memo asking for a replacement/loaner because they have to access the deal documents in the can. You need the ability to eliminate the data on the device remotely. This doesn’t have to be complicated, right? Authenticate properly and nuke it from orbit. Hopefully your user backed up his/her device, but that’s not your issue. Ultimately if there is sensitive data on the mobile device, you need to be able to wipe it from anywhere in the world. One caveat here is that in order to wipe the device you must be able to connect to it. So if a savvy attacker turns it off, or puts it into airplane mode or something, you won’t be able to wipe it. That’s why having an auto-wipe policy in case of 10 password failures is critical. At some point, someone will try to get into the device, and that’s when you want to be rid of the data. Tactic 3: Lock down Network Access It’s no secret that most public wireless networks are the equivalent of a seedy flea market. There are some legitimate folks there, but most are trying to rip you off. And given the inherent bandwidth limitations of cellular data, most users leverage WiFi whenever and wherever they can. That creates risk for us, who need to protect the data. So what to do? Basically, get a little selective about what networks you allow users to connect to. You can enforce a policy to ensure any WiFi network used offers some kind of encryption (ideally at least WPA2) to avoid snooping the network traffic. Or you can VPN all the devices’ network traffic through your corporate network, so you can apply your web filtering and other protections, with encryption to rebuff sniffers. Unfortunately this isn’t easy to swing in reality. Remember, these devices don’t belong to your organization, so mandating

I’m happy to say the holiday season was pretty eventful for the Boss and her family. Her brother (and his wife) welcomed twin boys into the world right after Xmas. The whole process of creating life still astounds, and the idea of two at a time boggles the mind – even if you’ve been through it. Turns out we were up North when the new guys showed up (a week early), so we got to meet them in person. We live 600 miles apart, so that was an unexpected bonus. It also meant there was no shot at all of us attending the Bris. 8-day-old boys provide a little donation to the gods and everybody eats. It’s a festive occasion (for us – for the babies, not so much) and we hated the economic reality that we couldn’t travel to attend in person. But then over the hills we saw a glimmer of hope. Was it a plane? Nope. 5 tickets are just too much money. A train? Nope. Can’t take a day to go back and forth. It’s video conferencing. Sure, Skype is fun to do a little video conference with the grandparents from time to time. It’s also critical when traveling abroad, unless you like $2,000 phone bills. In this case, video allowed us to be at the Bris, from the comfort of our home office. The kids were off from school, and my brother in law set up his web cam to overlook the ceremony. So we all crouched around the computer and watched the ritual. We got to wave a lot and they did a great job of including us in the ceremony. Of course it wasn’t exactly like being there, but it was a hell of a lot better than seeing a few pictures three days later. When my kids were born, our option to do something similar was a $30,000 video conferencing system. You could fly in on the Concorde for less. And my brother in law would have needed a compatible systems as well. Through the wonders of Moore’s Law and the kindness of the bandwidth gods, now we can be anywhere in the world at any time. Now a Bris is not something you need (or even want) to see via a higher fidelity telepresence type environment. But seeing the entire family gathered, and being able to participate ourselves from Atlanta, was amazing. And that’s why the world is getting to be a smaller place every day. Of course I don’t do much video, because Rich and Adrian know what I look like (pretty as that is) and I’d rather not everybody see my 6-day stubble and bunny slippers (my usual work attire). But the technology is invaluable for connecting with those you like (and perhaps especially those you don’t like), when a phone call seems a bit 2-dimensional. Whether Apple’s FaceTime commercials bring a tear to your eye or not, you can’t disregard the experience. Video conferencing is going to happen, and I saw why on Monday. -Mike Photo credits: “It’s a Small World!” originally uploaded by Thomas Hawk Incite 4 U Pen testing obsolete? Hardly… Val Smith laid out some bait regarding whether pen testing is rapidly becoming obsolete. I guess that depends on how you define pen testing. The traditional unsophisticated run of Core or Metasploit with a bunch of glorified monkeys to check the compliance boxes is actually alive and well. PCI will ensure that for years to come. But that clearly not-so-useful practice will become more automated and cheaper, like every other competitive commodity function. But Val’s point at the end is that pen testing is evolving and needs to provide organizations with “a new type of service which tests their infrastructures and security postures in a different way”. That I agree with. There will always be a role for sophisticated white hats to try to break stuff. Maybe we stop calling that pen testing, which is fine by me. As long as you keep trying to break your stuff, call it whatever you want. – MR Don’t hack me, bro! Mocana made news this week when they announced they hacked into Internet TV set top boxes. I don’t think anyone is really surprised by this. The entire set top box / TV as Internet market is the poster boy for feature advancement land grab, with companies furiously vying for a share of Internet TV audiences. But really, who wants to worry about security when all you want is frackin’ TV! Can’t we all just get along? Well, no, not really. I am willing to bet that any security measure beyond a password and some rudimentary session-based encryption never came up in the product design meetings. “Winning the market” is about features, and the winner can clean up the mess later. Or at least that is the attitude I see. But these devices are stripped-down computers. And they use standard networking protocols. In most cases with reduced-footprint variants of standard operating systems. And it’s now attached to your home network. To me, Mocana is just pointing out the obvious, which is that these freakin’ things lack basic security. And it probably did not take anything more than a MitM attack to intercept the credit card, but I am willing to bet they are susceptible to injection as well. Granted, Mocana sells security products to help developers and designers secure these devices, so their PR is self-serving (of course), but this whole segment needs a wake-up call. – AL The name of the game? Reduce scope! I did a customer advisory board meeting for a client last year, and one of the attendees mentioned his specific goal was to reduce his PCI in-scope devices to zero. Right, he wanted to transition all protected data (and the associated processes) to external service providers and make PCI their problem. Certainly a noble goal, but not sure how realistic that is for most organizations. Clearly the trend is towards higher segmentation

As we discussed in our first Mobile Device Security post (I can haz your mobile), supporting smartphones isn’t really an choice. You aren’t going to tell your CEO or any other exec 5-6 pay grades above you that they can’t use their iPad to access the deal documents on that multi-billion dollar acquisition. You know it’s much easier to read an iPad on the can, than to lug the laptop around when taking care of business, right? If you are like most security professionals, your first instinct is to blurt out a resounding no, when presented with a request to connect an Android phone to your network. But your instincts are wrong. That wasn’t a question. It was an order – or soon will be. So your best bet is to practice the deep breathing exercises your meditation guru suggested. Once you’ve gotten your pulse back to a manageable 130, then you can and must have a constructive discussion about what resources are needed on the smartphone and why. User Profiles Are Your Friend The (sometimes fatal) mistake we see most often is treating every user as equivalent to every other user with the same device. This leads to providing the same level of access, regardless of who the user is. Allow us to suggest an alternative: profile users based on what they need to get, define 3-4 user types, and build your policies based on what they need, not what devices they have. For instance, you might have three user types: Executive: These folks can crush you with a stroke of their pen. Okay – a pen is old school. How about a click of their mouse? These people get what they want because saying no is not an option. They should be configured for email and document access, with a VPN client so they can access the corporate network (from the can). Connected Users: There will be another group of users who might have compromising pictures of the executives. Or maybe they actually provide tangible value to your organization. Either way, these folks need access, but probably not to everything. Design the policy to give them only what they need, and nothing more. Everyone else: If a person doesn’t fit into either of the other two buckets, then you give them access, but not enough that they can hurt themselves (or you). That means email, but probably not VPN access to the corporate network. These buckets are just examples – you’ll need to go through the use cases for each type of job function and see what levels of access make sense for your organization. Yes, but… As we mentioned above, your first instinct is likely to say ‘no’ when asked to support smartphones. But let’s tune the verbiage a bit and say “Yes, but” instead. After this easy mantra, go into all the reasons why it’s a bad idea for the user to have smartphone access to the organization’s sensitive stuff. You aren’t telling them no, but you are trying to convince them it’s a bad idea. But let’s acknowledge the truth: you’ll lose and the requestor will get access. The goal of this exercise isn’t necessarily to win the argument (though being able to block someone’s every so often access is good for your self-esteem), but instead to get folks put into the right user profile buckets. Everyone wants access to everything. But we know that’s a bad idea, so success is really more about how many users (as a percentage of all smartphone users) have limited access. That number will vary based on organization, but if it approaches 0% you need to practice “yes, but” a lot more. Cover Your Hind Section The last suggestion we’ll make relative to process is to ensure that you have documented the risks of supporting these devices. It’s critical to understand that our job as security professionals isn’t to stop business from happening – it’s to provide information to the decision makers so they can make rational, educated decisions. That means you need to inform them of the risks of whatever action they are going to take and push them to acknowledge the risk. If you fail to do this, you’ll be the one thrown out of the car at high speed when something goes wrong. Without ensuring clearly, and in writing, that everyone understands all the things that can go wrong by taking a particular action; you’ll end up in the proverbial creek without a paddle. Acknowledge that you won’t like all the decisions. Your job is to protect information and that requires reducing risk. Every company needs to take risks to continue to execute on their business plans. These two goals are diametrically opposed, but at the end of the day, it’s not our job to decide what risks make sense for your business. It’s our job to make sure everyone is clear on what those risks are, and enforce the decisions. As helpful as it is to put users in specific profiles, there are still a number of things you can do technically to protect your organization from the iPocalypse. As we wrap up this series, we’ll go through a few and provide ideas for how to protect your smartphone wielding employees from themselves. Share: