Securosis

Research

The Greenfield Project: How would you start over?

Some days I wish I was a screenwriter. There, nothing is out of bounds. Physics? Bah. Logic? Who needs that? How cool was it that the writers of Dallas (the show, not the city) decided to take a mulligan… on an entire season? Pretty cool, I’d say. What if we could take a mulligan on some of those decisions we made years ago? You know, like parachute pants. Or signature-based antivirus. IDS. Token-based authentication. If you could pull a Dallas, what would you build? It’s a fascinating question. And one that I’d like to investigate – with your help, of course. To be clear, this is a thought experiment. If you were just hired as the security architect for a company that had nothing, what would you implement? I’m not going to build a scenario with applications and number of locations and all that crap. Figure you work for a big company and somehow they’ve decided to start over again. You have applications and some even use the web. You have sensitive data, the kind that bad guys would love to get. You have lots of locations all over the world. And the powers that be just gave you the keys to the car. Now point it in the right direction. So what would you do? And before you get bent around an axle, saying you need to implement a firewall and AV because the regulations say so, forget that. No compliance mandates here. You are focused on protecting the critical information in your organization. And money is no object. What would be on your shopping list? What wouldn’t be? There are no wrong or right answers. I think it’ll be interesting to hear everyone’s opinions. I have posted some of my thoughts on Positivity, which make sense to me. That doesn’t mean they’re right. Ready, set, discuss! Photo credit: Green fields of wheat originally uploaded by Robert Crum Share:

Share:
Read Post

The Appearance Myth

You can always tell whether you are at a hacker con or a corporate-oriented conference in our business. The hacker cons have plenty of tattoos, piercings, fringe hairstyles, and the like. In fact, I’m usually more concerned that folks will think I’m a narc because I have none of the above. But this brings me around to the idea of appearance and its impact on your career. I think Lee and Mike had a good, reasoned response in their Fashion Advice from Infosecleaders post. The question is about a guy, who is climbing the corporate ladder and now finds himself having to dress the part. And it’s uncomfortable. Lee and Mike’s general thought is that he needs to deal with it, and that to play the game you have to look like you are in the game. And maybe they are right. But they might also be wrong. I think there could be other factors at work here, based on experiences I’ve had, because I’ve very rarely looked the part in any job I’ve had. Let’s start with my early META Group experience. I was in my early 20s and looked 18. My hair hadn’t started turning gray yet, and I was sitting across from CEOs and folks whose networking budgets had 9 or 10 zeros. I would be brought in to discuss trends in networking and telecommunications. The reality was that some of these networking jockeys probably had underwear older than me. So as you can imagine the first few minutes of each meeting were always pretty interesting, as everyone in the room sized each other up. I was far less snarky at that point so I usually didn’t antagonize the clients with tales of beer funnels, pet rocks, and dances with girls. You know, the stuff us kids used to do for fun in the olden days. Most of them took me for a lightweight and thankfully they didn’t have BlackBerrys back then, because I imagine they would have started banging through email before the introductions ended. But then a strange thing happened. Pretty much every time. I started talking. I answered their questions. I provided perspectives on trends that indicated I actually knew what I was talking about. Who knew? This young whippersnapper actually talked to lots of folks and although a front-end processor was invented while he was still crapping in diapers, he understood IBM’s product strategy and what that meant to these poor saps who had to make the stuff work. I actually kind of enjoyed that expectations were pretty low when I entered the room. It made impressing clients much easier. Now back to the topic of attire. Truthfully, I’m not sure whether this guy’s problem is attire or self-esteem. You see, he feels different, and therefore the senior team treats him as different. He doesn’t seem to believe he belongs at the table with the big boys. So, I believe, senior folks pick up on that and realize his self-fulfilling prophecy. If you don’t think you belong in the club, you are right. If you have confidence in your abilities, know you speak knowledgeably, and are not intimidated by muckety-mucks who believe you need to wear a tie to be successful, you should be fine. Even in your khakis and button-down shirt. And if your organization truly judges you based on what you wear, and not what you know and what you do, then you are working for the wrong organization. Share:

Share:
Read Post

SMB isn’t ready for disaster. Are you?

You all know how much I like surveys. But I tend to think surveys targeted at SMB tend to be a little closer to reality, especially ones with 1,000+ responses. Our Big Yellow pals recently did a Disaster Preparedness Survey of 1,800+ small businesses, and the news isn’t very good, but not unexpected either. Here are a few soundbites: Median cost of a day of downtime is $12,500. 50% of respondents don’t have a DR plan. 41% said it never occurred to them to put a plan in place. 40% said it’s not a priority. Less than half back up data weekly. Only 23% back up data daily. 50% of those with DR plans wrote one after an outage Yes, I could go on and on – but why bother? The issues are the same and a consistent mentality applies whether you are talking about security or disaster recovery. That’s the other guy’s problem. It won’t happen to me. Until it does. We could be talking about an attack that takes out our critical resources or a hardware failure that takes out our critical resources. They’re effectively the same. You end up with stuff that’s down and unavailability is bad. That’s if you like your job. So what to do? Continue fighting the good fight. Push for an incident response plan, as well as a disaster recovery plan. There should be a lot of leverage between the two. At least from the standpoint of restoring operations. The Symantec folks made a few recommendations, which are actually pretty good. They include: Don’t wait until it’s too late, protect information completely, get employees involved, test frequently, and review your plan. Yup, that’s pretty much what you want to do. Don’t wait until it’s too late to make sure you are ready for problems. Regardless of whether you work for a big or small company. Share:

Share:
Read Post

Incite 1/19/2011: Posturing Alpha Males

One of the terms you’ll likely hear at RSA this year is security posture. Along with “situational awareness” and other terms which refer to your ability to understand if you are under attack and how your defenses are positioned to protect your assets. But I’m fascinated by the psychology of posturing, because we see that kind of behavior every single day. It’s not like I go clubbing a lot (as in, at all), but you can always tell when someone who thinks they are an alpha male enters. They intentionally project a “don’t fsck with me” attitude and are likely to fly into a ‘roid rage at any time. They are posturing, and it’s likely a self-esteem issue has caused them to overcompensate by juicing up and thinking that pushing around someone around in a bar makes them cool. Either that or they have a small piece. Maybe their Mom could have given them a few more hugs growing up. Or they should have tried that Swedish pump highlighted in Austin Powers. I know we aren’t done with the 2010 season yet (though my teams have been eliminated, so I’m just a bemused observer at this point), but there is a lot of uncertainty regarding the 2011 season. The CBA (collective bargaining agreement) expires in early March and the owners don’t think the existing structure is good for them. Of course, at the other end of the table, the players want their fair share of the unbelievable revenues generated by the NFL. Fair is the key word here. Each has their own definition of fair. So there is a lot of posturing on both ends. Everyone wants to be the alpha male. Each says the other side wants a lockout. Lots of disinformation is flying back and forth, all to sway the fans to support one side or the other. The spin doctors are working overtime. Sounds like a presidential election, come to think of it. Personally, it’s hard to feel bad for either side. The owners are billionaires and the NFL is a cash machine. The players are very well compensated for playing a game. And millions of fans dutifully buy season tickets, watch games, and buy merchandise. In fact, my Matt Ryan jersey arrived yesterday. Just in time! Frackin’ snow storm. So I’ll be pissed if there is any kind of lockout. All of these 7 and 8 figure alpha males just need to get over themselves and remember it’s because of us fans that they get to do anything. These guys forget we have alternatives. I can tell you college football will become a lot more popular if there is some kind of NFL work stoppage. SEC football is pretty OK, even if you don’t have an alma mater to go bonkers over. The NCAA should move games to Sunday if the NFL doesn’t play. Seems the owners believe that if they delay or cancel the season, all the fans will let wait breathlessly for their return. I know this is a game of high stakes poker, but it seems there is a lot of short-term thinking here. With billions of dollars being generated, it’s unbelievable that you can’t structure a win-win situation for all involved. Gosh, am I thinking rationally here? Must be time to take the clear, or is today a cream day? A good ‘roid rage will do wonders for my outlook on the situation. And anyway, I need my full alpha male posture on come RSA time… -Mike Photo credits: “Bad Posture” originally uploaded by bartmaguire Vote for Me. I’ll buy you a beer. There is still time to vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. Help out a brother with a vote. Incite 4 U The Lazy Man’s Guide to Success: Mike Dahn has a treatise called Leverage, where he calls for a number of tactics to increase your effectiveness in the next year. Things like delegation, networking, and turning cost centers into revenue opportunities. Interesting stuff. What do all of these ideas have in common? They allow you to be lazy. If you can get someone else to do your work for you, why wouldn’t you? I’d love to delegate all the stuff I’m supposed to do. I’d like to turn my cost centers into revenue centers. I like the idea of leverage. Because I’d much rather be reading NFL news all day than actually doing work. Who wouldn’t? But I shouldn’t joke too much because Mike has a point here. Unless your goals are too low, you will need help to get there. So think about it from that perspective. – MR Someone needs a fact checker: I understand that press releases are a fact of life. While they all sound exactly the same, some of them provide a valuable nugget of information mixed in with all the masturbatory self-congratulations for signing up yet another small school district as a customer. After the obligatory FUD, that is. For example, today I received, “In the wake of increasing levels of data breaches, accidental data losses and incidents of user’s privacy being compromised, the Online Trust Alliance (OTA) is set to release its 2011 Data Breach Incident Readiness Guide in time for Data Privacy Day (Jan. 28th)”. Which is funny, as most sources like the Open Security Foundation DataLossDB and our own 2010 Data Security Survey show a relative decline in reported breaches. Maybe there are more breaches and privacy leaks, but it isn’t like they have numbers to prove it. – RM The Recognized Leader: I am the leader in a new ‘market’. I just found this out after having read the press release on Nice Systems’ new product to reduce financial risk associated with PCI-DSS. Apparently they provide live redaction of call

Share:
Read Post

Fighting the Good Fight

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against unsurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done. We in the security world seem to forget that all the time. Today started like most other days. I checked my email. I looked at my Twitter feed and, surprisingly enough, a bunch of folks were bitching about PCI and stupid assessors and all sorts of other negativity. Pretty much like every other day. I shut down my Twitter client and thought a bit about why I do what I do, even though it seems to make no difference most days. It’s because it’s the good fight and the mere fact that it’s hard doesn’t mean we shouldn’t continue pressing forward. Rich summed it up very well a few weeks ago in his Get Over It post. Human nature isn’t going to change. So we’ll always be swimming upstream. Deal with it. Or find something else to do. And to be clear, what we do isn’t hard. Fighting for civil rights is hard. Overcoming oppression and abject poverty and terrible disease is hard. Always keep that in mind. Always. The Boss is constantly telling me there is no grey in my world. Right. Wrong. Nothing in between. And pushing to educate our kids about what they should and should not do online is right. Pushing to help our organizations understand the risks of all their business plans is right. Trying to get senior management to appreciate security, even though it makes their jobs harder at times, is right. Doing nothing is wrong. If you are reading this blog, then you are likely very fortunate. With resources and education and opportunities that billions of people in this world don’t have. So yes, what we do is hard. But it’s not that hard. On this day, where the US celebrates one of its true giants, a man who gave everything for what he thought was right, take a few minutes and re-dedicate yourself to fighting the good fight. Because it’s the right thing to do. Image credit: “Martin Luther King, Jr.” originally uploaded by U.S. Embassy New Delhi Share:

Share:
Read Post

Incite 1/12/2011: Trapped

I enjoy living in the South (of the US). I’m far enough North that we get seasons. But far enough South to not really be subjected to severe winter weather. It’s kind of like porridge in the story of the 3 bears. Living in ATL is just right for me. Usually. In a typical year, we’ll see snow maybe twice. And it will be a dusting, usually gone within an hour. Only once in the 6 years I’ve lived in Atlanta has there been enough snow to even make a snowman – and Frosty it wasn’t. Which is fine by me. But this weekend we got hammered. 6 inches in most places. I know, you rough and tumble Northerners laugh at 6 inches. That’s not enough to even start up your snow blower. I get that. But you are prepared and you have the right equipment to deal with the snow. We don’t. I’ve seen it written that Chicago has 200 snow plows. Atlanta has 8. Seriously. And I live about 30 miles north of Atlanta, so we have zero snow plows. Even if you get a few inches of snow, it’s usually above freezing, so it melts enough to clear the roads and get on with business. Not this time. When it got above freezing, we got frozen rain. And then it got colder, so anything that melted (or rained) then froze on the roads. I’m a good winter driver and I know enough to not mess with ice. I even had to shovel. Thankfully, I didn’t toss my good shovel from up North. It still worked like a charm – though my back, not so much. So basically I’m trapped. And so are the Boss and kids. They canceled school for the past two days, and it’s not clear (given the forecast for more freezing weather) that they will have school at all this week. Thankfully the snow is still novel for them, so they go out and sled down a hill in our back yard in a laundry basket. Yes, a laundry basket. That’s a southern kids’ sled, don’t you know? I’ll give the kids props for creativity. But a week at home with the kids without the ability to go do stuff is going to be hard. For the Boss. I’ll be sequestered in my cave looking busy. Very very busy. OK, I’m not totally trapped. I did escape for an hour this afternoon to brave the slush and other wacky drivers. I had to pick up a prescription and get some bread. The roads were passable, but bad. And to add insult to injury, Starbucks closed about 20 minutes after I got there, so I couldn’t even get much writing done. My routine is all screwed up this week. I know this too shall pass. The snow will melt, the kids will go back to school, and things will return to normal. But to be honest, it can’t pass soon enough. We love the kids. But we also love it when they get on the bus each morning and become their teachers’ problems for 6 hours. -Mike Photo credits: “Snowed in Snowdon” originally uploaded by zalgon Vote for Me. I’ll buy you a beer. OK, I’ll finally come clean. I’m an attention whore. Why else do you think I’d write this drivel every week? Yes, my therapist has plenty of theories. But it seems that some of you think this stuff is entertaining. Well, at least the judges of the Social Security Blogger Awards do. I’m both flattered and excited to once again be nominated in the Most Entertaining Security Blog Category. I actually won the award in 2008, but was crushed like a grape in 2009 by Hoff. And deservedly so. But this year Hoff is thankfully in another category, so my fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. I’ll reiterate an offer to buy a beer for anyone who votes for me, but there is a catch. You can only collect at the Security Bloggers meet-up at RSA. Seems Shimmy is on to my evil plans. So if you like beer. Or if you like me. Or if you feel sorry for me. Or if you want my Mom to be able to kibbitz with her group of Yentas in Florida about her entertaining blogger son. Help out a brother with a vote. Incite 4 U Brand this: George Hulme argues against the idea that security doesn’t matter to a company’s brand. George can (on rare occasions) be a disagreeable guy, but this one is a bit of a head scratcher. If the measuring stick for is stock price, then George is wrong. There has been no negative effect on stock price from a security breach. George states that companies suffering breaches have greater churn than those that don’t. But evidently not enough to impact their stocks. I did a podcast with Shimmy yesterday and toward the end we discussed this. My point is that clearly breaches cost money, both in terms of the direct costs and the opportunity cost of not doing something more strategic with those resources. Those are real costs. But do they outweigh the additional costs incurred by trying to be secure? That is the zillion dollar question. And there isn’t any data to prove it one way or the other. As Rich always preaches to us, we need to be very careful when we infer causation without specific data. Which I think has happened on both sides of this discussion. – MR Don’t blame the hinge manufacturer if you leave the door open: I get sort of annoyed when people blame someone else for their problems. Take the latest brouhaha over the brand new Mac App Store. It turns out – and you might want to sit down for this one – that if you don’t follow Apple’s guidelines on

Share:
Read Post

Marketing Skills for Security Wonks: Leveraging Elmer FUDd

At the risk of having Rich yell at me again (like he did early last year) because I’m writing too much high-level stuff, let’s get back to a key soft skill of being a security manager. It’s not like we got a lot better at that in 2010, right? I talked about motivating your team earlier this week, so now let’s turn to marketing and sales. Right – you are a security guy/gal, what do you need to know about sales? Well, unless your senior management comes to you with a blank check and a general understanding of how to protect your stuff, you need to map out a security program and sell it to them. If you end up with about 20% of the budget you need every year, and at layoff time you lose 40% of an already understaffed team, guess what? You have a sales problem. And that means you may have to get your Elmer FUDd on. A post by Dave Shackleford got me thinking about FUD (fear, uncertainty, and doubt) from a user context. It’s a constant presence when dealing with vendors, who are always trying to scare their customers into buying something. But end users can leverage FUD as well. Just be careful – it’s a bit like using live exploits. You might get what you want, but in the process take down the entire system. I’ve been talking for years about the need for security managers to focus on communications and leave the firewall rules to the admins. Part of that communication strategy is about creating urgency. Urgency gets things done. Urgency doesn’t allow folks to debate and get into an analysis/paralysis loop. You need urgency. And used correctly, FUD can create urgency. You are probably thinking about how distasteful this whole discussion seems. You can’t stand it when your sales reps try to throw a FUD balloon at you, and now you need to do the same thing? Just hear me out. The deal with using FUD in an end user context is pretty straightforward – it’s really just about telling the truth, the whole truth. And that’s really the difference. The amount of risk most organizations face can be overwhelming, so most security managers downplay it, or run out of time to tell the entire story. What you want to do is explain to senior management, preferably with examples of how it happened to other folks (who look like your company & managers), all the ways you can be compromised. Yes, the list is long. I recommend you do this within the context of a risk assessment and the associated triage plan to fix the most urgent issues. This process is outlined in Steps 2 and 3 of the Pragmatic CSO. You see, if you show them you can get killed 200 ways, but ask for funding to only fix 50, it’s a win win. The reality is even if you had the resources, you couldn’t fix all 200 anyway, and by the time you are done there will be another 200. But that can stay just between us. The senior folks think you are making tough choices to fix the stuff that’s most important and exposed – which you are. So as you hunt for those wascally wabbits each day, don’t be too scared to break out the Elmer FUDd from time to time. Sometimes the end justifies the means. But don’t tell the vendors I said FUD is OK (sometimes). That needs to remain our little secret. Photo credits: “Elmer Fudd” originally uploaded by Joe Shlabotnik Share:

Share:
Read Post

Mobile Device Security: 5 Tactics to Protect Those Buggers

In this series we’ve tackled the threats these new handheld computers mobile devices present, as well as how we need to deal with folks culturally when they demand access to sensitive corporate information on mobile devices. As we wrap up this short series on mobile device security, let’s jump in and talk about a few things we can do to protect these devices. As we all understand that these mobile devices are really handheld computers, we need to think about the tactics that are successful for securing our more traditional computers. Admittedly, ‘successful’ may be a bit optimistic, but there are still many lessons we can learn from the controls we use to protect laptops. Some of these fall into a traditional security technology bucket, while others tend to be more operational and management oriented. But really, those distinctions are hair-splitting. Things like secure configurations and access policies contribute to the safety of the data on the device, and that’s what’s important. Tactic #1: Good Hygiene I know you hate every time you go to the dentist and see the little sign: Only floss the teeth you want to keep. I certainly do, but it’s true. As much as I hate to admit it, it’s still true. And the same goes for protecting mobile devices. We need to have a strong posture on these devices, in order to have a chance to be secure. These policies won’t make you secure, but without them you have no chance. Strong Passwords: If you have sensitive data on your mobile devices, they need to be password protected. Duh. And the password should be as strong as practical. Not a 40 digit series of random numbers. But something that balances the user’s ability to remember it (and enter it n times per day) against the attackers’ ability to brute force it. And you want to wipe the device after 10 password failures or so. Auto-lock: Along with the password, the device should lock itself after a period of inactivity. Again, finding the right setting is about your users’ threshold for inconvenience, the length of their passwords, and your ability to dictate something secure. 5-10 minutes is usually okay. Data encryption: Make sure the device encrypts data on it. Most mobile devices do this by default, but make sure. Continuous Hygiene With your dentist, doing a good brushing right before your appointment probably won’t going to fool him or her if you haven’t flossed since the last appointment. But unless you are checking constantly whether the mobile device remains in accordance with your configuration policies, you can be fooled. Just because you set up a device correctly doesn’t mean it stays that way. For traditional networks, a technology like Network Access Control (NAC) can be used to check a device when it joins the network. This ensures it has the right patches and right configuration, and has been scanned for malware, etc. You should be doing the same thing for your mobile devices. Upon connecting to your network, you can and should check to make sure nothing is out of compliance with policy. This helps block the user who gets his device from you and promptly jailbreaks it. Or does a hard reset to dump the annoying security controls you put in place. Or the one who turned off the password or auto-lock because it was too hard to deal with. Remember, users aren’t as dumb as we think they are. Well, some aren’t. So some of them will work to get around the security controls. Not maliciously (we hope), but to make things easier. Regardless of the security risks. Part of your job is to make sure they don’t manage it. Tactic 2: Remote Wipe Despite your best efforts, some users will lose their devices. Or their kids will drop them (especially the iDevices). Or they’ll break and be sent in for service. However it happens, the authorized user won’t be in control of their devices, and that introduces risk for you. And of course they won’t tell anyone before sending the device is into the shop, or losing it. So we get a memo asking for a replacement/loaner because they have to access the deal documents in the can. You need the ability to eliminate the data on the device remotely. This doesn’t have to be complicated, right? Authenticate properly and nuke it from orbit. Hopefully your user backed up his/her device, but that’s not your issue. Ultimately if there is sensitive data on the mobile device, you need to be able to wipe it from anywhere in the world. One caveat here is that in order to wipe the device you must be able to connect to it. So if a savvy attacker turns it off, or puts it into airplane mode or something, you won’t be able to wipe it. That’s why having an auto-wipe policy in case of 10 password failures is critical. At some point, someone will try to get into the device, and that’s when you want to be rid of the data. Tactic 3: Lock down Network Access It’s no secret that most public wireless networks are the equivalent of a seedy flea market. There are some legitimate folks there, but most are trying to rip you off. And given the inherent bandwidth limitations of cellular data, most users leverage WiFi whenever and wherever they can. That creates risk for us, who need to protect the data. So what to do? Basically, get a little selective about what networks you allow users to connect to. You can enforce a policy to ensure any WiFi network used offers some kind of encryption (ideally at least WPA2) to avoid snooping the network traffic. Or you can VPN all the devices’ network traffic through your corporate network, so you can apply your web filtering and other protections, with encryption to rebuff sniffers. Unfortunately this isn’t easy to swing in reality. Remember, these devices don’t belong to your organization, so mandating

Share:
Read Post

Incite 1/5/2011: It’s a Smaller World, after All

I’m happy to say the holiday season was pretty eventful for the Boss and her family. Her brother (and his wife) welcomed twin boys into the world right after Xmas. The whole process of creating life still astounds, and the idea of two at a time boggles the mind – even if you’ve been through it. Turns out we were up North when the new guys showed up (a week early), so we got to meet them in person. We live 600 miles apart, so that was an unexpected bonus. It also meant there was no shot at all of us attending the Bris. 8-day-old boys provide a little donation to the gods and everybody eats. It’s a festive occasion (for us – for the babies, not so much) and we hated the economic reality that we couldn’t travel to attend in person. But then over the hills we saw a glimmer of hope. Was it a plane? Nope. 5 tickets are just too much money. A train? Nope. Can’t take a day to go back and forth. It’s video conferencing. Sure, Skype is fun to do a little video conference with the grandparents from time to time. It’s also critical when traveling abroad, unless you like $2,000 phone bills. In this case, video allowed us to be at the Bris, from the comfort of our home office. The kids were off from school, and my brother in law set up his web cam to overlook the ceremony. So we all crouched around the computer and watched the ritual. We got to wave a lot and they did a great job of including us in the ceremony. Of course it wasn’t exactly like being there, but it was a hell of a lot better than seeing a few pictures three days later. When my kids were born, our option to do something similar was a $30,000 video conferencing system. You could fly in on the Concorde for less. And my brother in law would have needed a compatible systems as well. Through the wonders of Moore’s Law and the kindness of the bandwidth gods, now we can be anywhere in the world at any time. Now a Bris is not something you need (or even want) to see via a higher fidelity telepresence type environment. But seeing the entire family gathered, and being able to participate ourselves from Atlanta, was amazing. And that’s why the world is getting to be a smaller place every day. Of course I don’t do much video, because Rich and Adrian know what I look like (pretty as that is) and I’d rather not everybody see my 6-day stubble and bunny slippers (my usual work attire). But the technology is invaluable for connecting with those you like (and perhaps especially those you don’t like), when a phone call seems a bit 2-dimensional. Whether Apple’s FaceTime commercials bring a tear to your eye or not, you can’t disregard the experience. Video conferencing is going to happen, and I saw why on Monday. -Mike Photo credits: “It’s a Small World!” originally uploaded by Thomas Hawk Incite 4 U Pen testing obsolete? Hardly… Val Smith laid out some bait regarding whether pen testing is rapidly becoming obsolete. I guess that depends on how you define pen testing. The traditional unsophisticated run of Core or Metasploit with a bunch of glorified monkeys to check the compliance boxes is actually alive and well. PCI will ensure that for years to come. But that clearly not-so-useful practice will become more automated and cheaper, like every other competitive commodity function. But Val’s point at the end is that pen testing is evolving and needs to provide organizations with “a new type of service which tests their infrastructures and security postures in a different way”. That I agree with. There will always be a role for sophisticated white hats to try to break stuff. Maybe we stop calling that pen testing, which is fine by me. As long as you keep trying to break your stuff, call it whatever you want. – MR Don’t hack me, bro! Mocana made news this week when they announced they hacked into Internet TV set top boxes. I don’t think anyone is really surprised by this. The entire set top box / TV as Internet market is the poster boy for feature advancement land grab, with companies furiously vying for a share of Internet TV audiences. But really, who wants to worry about security when all you want is frackin’ TV! Can’t we all just get along? Well, no, not really. I am willing to bet that any security measure beyond a password and some rudimentary session-based encryption never came up in the product design meetings. “Winning the market” is about features, and the winner can clean up the mess later. Or at least that is the attitude I see. But these devices are stripped-down computers. And they use standard networking protocols. In most cases with reduced-footprint variants of standard operating systems. And it’s now attached to your home network. To me, Mocana is just pointing out the obvious, which is that these freakin’ things lack basic security. And it probably did not take anything more than a MitM attack to intercept the credit card, but I am willing to bet they are susceptible to injection as well. Granted, Mocana sells security products to help developers and designers secure these devices, so their PR is self-serving (of course), but this whole segment needs a wake-up call. – AL The name of the game? Reduce scope! I did a customer advisory board meeting for a client last year, and one of the attendees mentioned his specific goal was to reduce his PCI in-scope devices to zero. Right, he wanted to transition all protected data (and the associated processes) to external service providers and make PCI their problem. Certainly a noble goal, but not sure how realistic that is for most organizations. Clearly the trend is towards higher segmentation

Share:
Read Post

Mobile Device Security: Saying no without saying no

As we discussed in our first Mobile Device Security post (I can haz your mobile), supporting smartphones isn’t really an choice. You aren’t going to tell your CEO or any other exec 5-6 pay grades above you that they can’t use their iPad to access the deal documents on that multi-billion dollar acquisition. You know it’s much easier to read an iPad on the can, than to lug the laptop around when taking care of business, right? If you are like most security professionals, your first instinct is to blurt out a resounding no, when presented with a request to connect an Android phone to your network. But your instincts are wrong. That wasn’t a question. It was an order – or soon will be. So your best bet is to practice the deep breathing exercises your meditation guru suggested. Once you’ve gotten your pulse back to a manageable 130, then you can and must have a constructive discussion about what resources are needed on the smartphone and why. User Profiles Are Your Friend The (sometimes fatal) mistake we see most often is treating every user as equivalent to every other user with the same device. This leads to providing the same level of access, regardless of who the user is. Allow us to suggest an alternative: profile users based on what they need to get, define 3-4 user types, and build your policies based on what they need, not what devices they have. For instance, you might have three user types: Executive: These folks can crush you with a stroke of their pen. Okay – a pen is old school. How about a click of their mouse? These people get what they want because saying no is not an option. They should be configured for email and document access, with a VPN client so they can access the corporate network (from the can). Connected Users: There will be another group of users who might have compromising pictures of the executives. Or maybe they actually provide tangible value to your organization. Either way, these folks need access, but probably not to everything. Design the policy to give them only what they need, and nothing more. Everyone else: If a person doesn’t fit into either of the other two buckets, then you give them access, but not enough that they can hurt themselves (or you). That means email, but probably not VPN access to the corporate network. These buckets are just examples – you’ll need to go through the use cases for each type of job function and see what levels of access make sense for your organization. Yes, but… As we mentioned above, your first instinct is likely to say ‘no’ when asked to support smartphones. But let’s tune the verbiage a bit and say “Yes, but” instead. After this easy mantra, go into all the reasons why it’s a bad idea for the user to have smartphone access to the organization’s sensitive stuff. You aren’t telling them no, but you are trying to convince them it’s a bad idea. But let’s acknowledge the truth: you’ll lose and the requestor will get access. The goal of this exercise isn’t necessarily to win the argument (though being able to block someone’s every so often access is good for your self-esteem), but instead to get folks put into the right user profile buckets. Everyone wants access to everything. But we know that’s a bad idea, so success is really more about how many users (as a percentage of all smartphone users) have limited access. That number will vary based on organization, but if it approaches 0% you need to practice “yes, but” a lot more. Cover Your Hind Section The last suggestion we’ll make relative to process is to ensure that you have documented the risks of supporting these devices. It’s critical to understand that our job as security professionals isn’t to stop business from happening – it’s to provide information to the decision makers so they can make rational, educated decisions. That means you need to inform them of the risks of whatever action they are going to take and push them to acknowledge the risk. If you fail to do this, you’ll be the one thrown out of the car at high speed when something goes wrong. Without ensuring clearly, and in writing, that everyone understands all the things that can go wrong by taking a particular action; you’ll end up in the proverbial creek without a paddle. Acknowledge that you won’t like all the decisions. Your job is to protect information and that requires reducing risk. Every company needs to take risks to continue to execute on their business plans. These two goals are diametrically opposed, but at the end of the day, it’s not our job to decide what risks make sense for your business. It’s our job to make sure everyone is clear on what those risks are, and enforce the decisions. As helpful as it is to put users in specific profiles, there are still a number of things you can do technically to protect your organization from the iPocalypse. As we wrap up this series, we’ll go through a few and provide ideas for how to protect your smartphone wielding employees from themselves. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.