Securosis

Research

Incite 12/1/10: Pay It Forward

I used to be a real TV head. Before the kids showed up, the Boss and I would spend a good deal of every Saturday watching the 5 or 10 shows we recorded on the VCR (old school, baby). Comedies, dramas, the whole ball of wax. Then priorities shifted and I had less and less time for TV. The Boss still watches a few shows, but I’m usually along for the ride, catching up on my reading while some drivel is on the boob tube (Praise iPad!). In fact, the only show I religiously watch is The Biggest Loser. I’ve mentioned before that, as someone for whom weight control is a daily battle, I just love to see the transformations – both mental and physical – those contestants undergo in a very short time. Actually this season has been pretty aggravating, but more because the show seems to have become more about the game than about the transformation. I stopped watching Survivor about 8 years ago when it became all about the money. Now I fear The Biggest Loser is similarly jumping the shark. But I do like the theme of the show this year: Pay It Forward. Each eliminated contestant seems to have found a calling educating the masses about the importance of better nutrition and exercise. It’s great to see. We have a similar problem in security. Our security education disconnect is less obvious than watching a 400 pounder move from place to place, but the masses are similarly uneducated about privacy and security issues. And we don’t have a forum like a TV show to help folks understand. So what to do? We need to attack this at the grassroots level. We need to both grow the number of security professionals out there working to protect our flanks, and educate the masses to stop hurting themselves. And McGruff the Cyber-crime dog isn’t going to do it. On the first topic, we need to provide a good career path for technical folks, and help them become successful as security professionals. I’m a bit skeptical of college kids getting out with a degree and/or security certification, thinking they are ready to protect much of anything. But folks with a strong technical/sysadmin background can and should be given a path to the misery that is being a security professional. That’s why I like the InfoSec Mentors program being driven by Marisa Fagan and many others. If you’ve got some cycles (and even if you don’t), working with someone local and helping them get on and stay on the path to security is a worthwhile thing. We also need to teach our community about security. Yes, things like HacKid are one vehicle, but we need to do more faster. And that means working with your community groups and school systems to build some kind of educational program to provide this training. There isn’t a lot of good material out there to base a program on, so that’s the short-term disconnect (and opportunity). But now that it’s time to start thinking about New Year’s Resolutions, maybe some of us can band together and bootstrap a simple curriculum and get to work. Perhaps a model like Khan Academy would work. I don’t know, but every time I hear from a friend that they are having the Geek Squad rebuild their machine because they got pwned, I know I’m not doing enough. It’s time to Pay it Forward, folks. And that will be one of my priorities for 2011. Photo credits: “Pay It Forward” originally uploaded by Adriana Gomez Incite 4 U You can’t outsource innovation: Bejtlich goes on a bit of a tirade in this post, basically begging us to Stop Killing Innovation. He uses an interview with Vinnie Mirchandani to pinpoint issues with CIO reporting structures and the desire to save money now, often at the expense of innovation. What Richard (and Vinnie) are talking about here is a management issue, pure and simple. In the face of economic uncertainty, many teams curl up into the fetal position and wait for the storm to pass. Those folks expect to ride productivity gains from IT automation, and they should. What they don’t expect is new services and/or innovation and/or out-of-the-box thinking. Innovation has nothing to do with outsourcing – it’s about culture. If folks looking to change the system are shot, guess what? They stop trying. So your culture either embraces innovation or it doesn’t. What you do operationally (in terms of automation and saving money) is besides the point. – MR It’s time: It’s time for a new browser. Some of you are thinking “WTF? We have Chrome, Safari, IE, Firefox, and a half dozen other browsers … why do I need or want another one”? Because all those browsers were built with a specific agenda in the minds of their creators. Most want to provide as much functionality as possible, and support as many fancy services as they can. It’s time for an idiot-proof secure browser. When I see stupid S$!& like this, which is basically an attempt to ignore the fundamental issue, I realize that this nonsense needs to stop. We need an unapologetically secure browser. We need a browser that does not have 100% functionality all the time. Sure, it won’t be widely used, because it would piss off most people by breaking the Internet with limited support for the ubiquitous Flash and JavaScript ‘technologies’. But I just want a secure browser to do specific transactions – like on-line banking. Maybe outfitted to corporate security standards (wink-wink). Could we fork Firefox to make this happen? Yeah, maybe. But I am not sure that it could be effectively retrofitted to thwart CSRF and XSS. The team here at Securosis follows Rich’s Macworld Super-safe Web Browsing guide, but keeping separate VMWare partitions for specific tasks is a little beyond the average user. This kind of security must come from the user side – web sites, security tool vendors, and security service

Share:
Read Post

Grovel for Budget Time

One of the concepts I use in my Pragmatic CSO material is a Day in the Life of a CISO. There are lots of firefighting and other assorted activities. I usually get a big laugh when I get to the part about groveling to the CIO and CFO for budget. Yes, I call it like I see it. But after seeing a post on budgeting by Ed Moyle from before Thanksgiving, I think it’s time to dig a bit deeper. Remember the budget is pretty critical to your success (or failure) in security. This job is hard enough with sufficient resources and funding. Without them, you’ve got no shot. So becoming a budget ninja is one of the key skills to climb the security career ladder. Ed makes a number of good points about spending transparency and measuring effectiveness. Basically trying to show senior management what you spend money on and how well it’s working. I agree with all of those sentiments. And I’m being a bit sarcastic (go figure), when I talk about groveling for budget. You need to ask, but in a way that provides a chance of success. And the most useful tool I’ve seen used for this in practice is the idea of scenarios. Basically when building up your architecture, project plans, and other assorted strategies for the coming year, think about breaking up those ideas into (at least) three scenarios: Low bar: This is the stuff you absolutely need – in order to have any shot at protecting your critical information, or meeting your compliance mandate, or the like. To understand where this bar is, think about a scenario where you would quit because you don’t have enough resources/funding to have any shot, and a significant issue becomes a certainty. That is your low bar. High bar: This is what you need to really do the job. Not to 100% certainty – don’t be silly. But enough to have a good feeling that you’ll be able to get the job done. Real bar: This is somewhere in the middle and what you hope to be the most likely scenario. To be clear, how much funding you get to do security is out of your control. It’s a business issue. You are competing with not just IT projects, but all projects, for that resource allocation. And if you think it’s a slam dunk to build a case for a new perimeter security infrastructure, as opposed to a new machine that can streamline manufacturing, think again. Even if you know your project is the right thing to do, it may not be as clear to someone with lots of folks all groveling for their own pet projects. The scenarios help you explain the risks of not doing something, and provide a more tangible idea of the costs, than a long project list which means nothing to a non-security person. Scenario Risks Group your projects into scenarios, and model a specific type of attack that would be protected. For example, in your low bar scenario, just make the case that you’ve got no shot to meet compliance mandate X without that funding. Then explain the possible ramifications of not being compliant (fines, brand damage, breaches, etc.). This must be done in a dispassionate way. You are presenting just the facts, like Joe Friday. The burden is on the business managers to weigh the risk of not meeting (funding) the low bar. When presenting the high bar, you can discuss some of the emerging attacks that you’d be able to either block or more likely detect faster to mitigate damage. Get as specific as you can, use real examples of your applications and the impact of those going down. But be careful to manage expectations. Even if you reach the high bar of funding (which typically only happens after a breach), you still may have problems, so don’t bet your firstborn or anything. The real bar provides a good mixture of protection and compliance. Or at least it should. Truth be told, this is our hopeful scenario, so make it realistic and plausible. Make it clear what you can’t do (relative to the high bar) and what you can do (compared to the low bar). And more importantly the potential risks/losses of each decision. Not in an annualized loss expectancy way, but in a we’ll lose this kind of data way. The key here is to rely on contrast to help the bean counters understand what you need and why. The low bar is really the bare minimum. Make that clear. The high bar is a wish list, and in reality most wishes don’t come true. The real bar is where you want to get to, so use some creativity to make the cases push your desired outcome. Don’t Take It Personally Above all else, when dealing with budgeting, you can’t take it personally. Every executive team must balance strategic investments and risks and decide what is the best way to allocate the limited resources of the organization. Sometimes you win the battle, sometimes you lose. As long as you get to the low bar, that’s what you get. If you don’t get to the low bar, then maybe you should take it personally. Either you made a crappy case, you have no credibility, or the powers that be have decided (in their infinite wisdom) that they are willing to accept the risks of not hitting the low bar. That doesn’t mean you have to accept those risks. Remember, you are the one who will be thrown out of the car (at high speed), if things go south. So if you don’t reach the low bar, it make be time to look for another gig. And do it aggressively and proactively. You don’t want to be circulating your resume while your organization is cleaning up a high profile breach. Photo credits: “spare change towards weed + starbucks 🙂 long live bank of america” originally uploaded by sandcastlematt Share:

Share:
Read Post

Incident Response Fundamentals: Phasing It in

You may have noticed we’ve renamed the React Faster and Better series to Incident Response Fundamentals. Securosis shows you how the security research sausage gets made, and sometimes it’s messy. We started RFAB with the idea that it would focus on advanced incident response tactics and the like. As we started writing, it was clear we first had to document the fundamentals. We tried to do both in the series, but it didn’t work out. So Rich and I re-calibrated and decided to break RFAB up into two distinct series. The first, now called Incident Response Fundamentals, goes into the structure and process of responding to incidents. The follow-up series, which will be called React Faster and Better, will delve deeply into some of the advanced topics we intended to cover. But enough of that digression. When we left off, we had talked about what you have to do from a structural standpoint (command principles, roles and organizational structure, response infrastructure and preparatory steps), an infrastructure perspective (data collection/monitoring), before the attack, during the attack (trigger, escalate, and size up and contain, investigate, and mitigate, and finally after the attack (mop up, analyze, and QA) to get a broad view of the entire incident response process. But many of you are likely thinking, “That’s great, where do I start?” And that is a very legitimate question. It’s unlikely that you’ll be able to eat the elephant in one bite, so you will need to look at breaking the process into logical phases and adopt those processes. After integrating small pieces for a while, you will be able to adopt the entire process effectively. After lots of practice, that is. So here are some ideas on how you can break up the process into logical groups: Monitor more: The good news is that monitoring typically falls under the control of the tech folks, so this is something you can (and should) do immediately. Perhaps it’s about adding additional infrastructure components to the monitoring environment, or maybe databases, or applications. We continue to be fans of monitoring everything (yes, Adrian, we know – as practical), so the more data the better. Get this going ASAP. Install the organization: Here is where you need all your persuasive powers, and then some. This takes considerable coercion within the system, and doesn’t happen overnight. Why? Because everyone needs to buy in on both the process and their response responsibilities & accountabilities. It’s not easy to get folks to step up on the record, even if they have been doing so informally. So you should get this process going ASAP as well, and coercion (you can call it ‘persuasion’) can happen concurrently with the additional monitoring. Standardize the analysis: One of the key aspects of a sustainable process is that it’s bigger than just one person; that takes some level of formality and, even more important, documentation. So you and your team should be documenting how things should get done for network investigation, endpoint investigation, and database/application attacks as well. You may want to consult an external resource for some direction here, but ultimately this kind of documentation allows you to scale your response infrastructure, as well as set expectations for what and how things need to get done in the heat of battle. This again can be driven by the technical folks. Stage a simulation: Once the powers that be agree to the process and organizational model, congratulations. Now the work can begin: it’s time to practice. We will point out over and over again that seeing a process on the white board is much different than executing it in a high-stress situation. So we recommend you run simulations periodically (perhaps without letting the team know it’s a simulation) and see how things go. You’ll quickly quickly the gaps in the process/organization (and there are always gaps) and have an opportunity to fix things before the attacks start happening for real. Start using (and improving) it: At this point, the entire process should be ready to go. Good luck. You won’t do everything right, but hopefully the thought you’ve put into the process, the standard analysis techniques, and the practice allow you to contain the damage faster, minimizing downtime and economic impact. That’s the hope anyway. But remember, it’s critical to ensure the QA/post-mortem happens so you can learn and improve the process for the next time. And there is always a next time. With that, we’ll put a ribbon on the Incident Response Fundamentals series and start working on the next set of advanced incident response-related posts. Share:

Share:
Read Post

Incite 11/24/2010: Fan Appreciation

Though I have tailed off a bit from my ridiculous pace of two years ago, I still go see a lot of live music. Although many of these acts make a mint, it’s not an easy life. I can only imagine how difficult it is to be on the road for months at a time. It’s hard enough for me, and I’m only gone one or two nights at a time. Though it’s not like I’m staying at the Ritz every night (don’t tell Rich I’m staying at the Ritz, okay?). But there are examples of bands that do a job and earn their money every night. Let me highlight two great examples. First off, I saw Green Day during the summer. Those guys are one of the biggest bands in the world right now, but they haven’t forgotten where they came from. They played for almost 3 hours, had folks doing stage dives, and even gave a guitar to a lucky audience member. At one point they all dressed in drag for a few laughs. And repeatedly they made the point about how much they appreciated their fans and that they give everything every night to make sure the fans get their money’s worth. They know that seeing a rock concert is a luxury for many people, and are grateful their fans choose to spend money they may not have to see them play music. Next I’ll highlight Styx. I saw them a few weeks ago on their Grand Illusion/Pieces of Eight tour. They played each album in its entirety and it was like stepping into a time machine. These guys haven’t had a hit record in decades, but they are able to travel around and play their classics year after year. And folks like me show up every time, which I assume provides a decent living for guys who probably carry AARP cards. They get how lucky they are and they play like it. It was a great show. I guess my point is that we all have fans, whatever that definition is. Folks who allow you to do what you do. Do you appreciate them? Really? In the day to day mayhem of deadlines and other demands, I need to remember that without our readers and contributors, I wouldn’t be able to do what I love. With Thanksgiving coming up, I want to let you know how appreciative I am. For all of you who read our stuff, who show up when we pontificate, and who ask for our advice, thank you. I know I speak for Rich and Adrian as well. We know how good we have it, and that’s because of you. So before you take off for the long weekend (if you are in the US, anyway), make sure your fans know you appreciate them. I know they’d appreciate being appreciated. Photo credits: “Starsky & Hutch Appreciation Fan Club originally uploaded by Ged Carroll Incite 4 U Truth in advertising? – Stop reading this and click this link. Read the words in the picture very carefully. Doesn’t it make a pretty acronym? Mike is pretty slow, so I’ll spell it out. The first letters of McAfee’s three attributes (Focused, Unwavering, & Dedicated) spell out FUD. Really. You have to see it to believe it. I have a really hard time believing this was completely accidental, and nobody at McAfee was sniggering when they came up with it. Perhaps some marketing wonk misunderstood the meaning. Perhaps someone knew what they were doing, and wanted to see if they could pull a fast one. Perhaps this was a Titanic example of proofreading FAIL. I actually saw that while driving to my hotel for an appointment today, but only off in the distance when I couldn’t read it. Anyway, I suspect it won’t be up for long, which is too bad because it shows a heck of a sense of humor. Maybe. – RM Why bother? – The SQL Server 2008 option for massively parallel servers is going to be late. Actually, it’s already late, but it’s going to be even late-er-er or something like that. But the question in my mind is why? Why play this game at all? Why try to be the biggest and fastest relational database out there when performance benchmarks have not been a major buying considerations for databases in 15 years. Teradata has a killer database that scales great … but it’s not exactly dominating the market. Look at super-fast databases and database hardware providers historically, and tell me how they have generally done. Ant? Sequent? Yeah, exactly. I can see why Microsoft would like to be a player in that lucrative field, but the number of firms willing to spend $40k per processor on giant mission critical transaction processing systems is dwindling. BI and data warehousing is moving to generic cloud based non-relational data stores that perform 10 to 100 times better, but can be leased at fractions of the price. And the requirements of the data warehousing market are changing. My guess is that cloud services will be “good enough”, and this will be a case where “cheap, fast, and easy” cuts the massively parallel server market down before Microsoft arrives on the scene. – AL Ray Noorda rolls in his grave… – Like Shimmy, I remember when Novell was the king of networking. In fact, I cut my teeth on a Novell LAN (Token Ring, in fact) and am happy to say I have a CNE (that lapsed probably 20 years ago). But Novell is no more. It’s being acquired by Attachmate for a cool $2.2 billion. And that doesn’t seem to include some intellectual property that Microsoft is buying. It seems Attachmate is becoming a friendly CA, in that they buy mature, slow-growth businesses with big customer bases and the associated maintenance streams. Novell does compete in some growth markets like Identity Management, SIEM, and desktop management – but really the private equity guys are using leverage to buy cash flow. It’s a good model for the investors – not sure for customers.

Share:
Read Post

I Am T-Comply

As we all get ready for the turkey-induced food coma awaiting us Yanks in two days, let me expand a bit on an incomplete thought put forth by the Hoff. His Cloudiness wonders aloud if Compliance is the Autotune of the Security Industry. Instead of having to actually craft and execute a well-tuned security program which focuses on managing risk in harmony with the business, we’ve simply learned to hum a little, add a couple of splashy effects and let the compliance Autotune do it’s thing. Genius. Forget that squirrel stuff, Hoff should just dub himself T-Comply. It’s actually worse than this. Our friends at the PCI Security Standards council have not only provided the sheet music, but also the equivalent of a nice little iPad app that has a big red button in the middle saying COMPLY. Press the button, it makes your friendly assessor go away (with his/her check for lots of money for the ROC), and you go back to playing World of Warcraft, right? Many of us rue the fact that compliance is the only thing that gets the attention of senior management. And this has resulted in the elimination of one bar previously security had to clear. These days there is really only one bar to get over: the ‘COMPLIANT’ rubber stamp you need in the annual report. There is little incentive to go beyond compliance, because if it’s good enough for the card brands it should be good enough for you, right? Of course, that’s wrong. But the ‘good’ news is that most people and organizations believe it. And they build their Auto-Tune security programs to just barely clear the bar. They are the folks at the bottom of the fraud food chain. So the reality is that Auto-Tune security is good for you, as long as you can convince senior management to clear the bar by a couple feet. Remember: You don’t have to outrun the grizzly – just your slowest friend. Yes, that’s easier said than done, but as you are munching on gizzards Thursday (or veggie meatballs and Tofurky, as it may be) be thankful that Auto-Tune security has emerged. It makes you look like a Security Rockstar in comparison. Though Chris could have used some Auto-Tune magic himself on that one. Share:

Share:
Read Post

Counterpoint: Availability Is Job #1

Rich makes the case that A Is Not for Availability in this week’s FireStarter. Basically his thinking is that the A in the CIA triad needs to be attribution, rather than availability. At least when thinking about security information (as opposed to infrastructure). Turns out that was a rather controversial position within the Securosis band. Yes, that’s right, we don’t always agree with each other. Some research firms gloss over these disagreements, forcing a measure of consensus, and then force every analyst to toe the line. Lord knows, you can never disagree in front of a client. Never. Well, Securosis is not your grandpappy’s research firm. Not only do we disagree with each other, but we call each other out, usually in a fairly public manner. Rich is not wrong that attribution is important – whether discussing information or infrastructure security. Knowing who is doing what is critical. We’ve done a ton of research about the importance of integrating identity information into your security program, and will continue. Especially now that Gunnar is around to teach us what we don’t know. But some of us are not ready to give up the ghost on availability. Not just yet, anyway. One of the core tenets of the Pragmatic CSO philosophy is a concept I called the Reasons to Secure. There are five, and #1 is Maintain Business System Availability. You see, if key business systems go down, you are out of business. Period. If it’s a security breach that took the systems down, you might as well dust off your resume – you’ll need it sooner rather than later. Again, I’m not going to dispute the importance of attribution, especially as data continues to spread to the four corners of the world and we continue to lose control of it. But not to the exclusion of availability as a core consideration for every decision we make. And I’m not alone in challenging this contention. James Arlen, one of our Canadian Wonder Twins, sent this succinct response to our internal mailing list this AM: As someone who is often found ranting that availability has to be the first member of the CIA triad instead of the last, I’m not sure that I can just walk away from it. I’m going to have to have some kind of support, perhaps a process to get from hugging availability to thinking about the problem more holistically. Is this ultimately about the maturation of the average CIO from superannuated VP of IT to a real information manager who is capable of paying attention to all the elements of attribution (as you so eloquently describe) and beginning the process of folding in the kind of information risk management that the CISOs have been carrying while the CIO plays with blinky lights? James makes an interesting point here, and it’s clearly something that is echoed in the P-CSO: the importance of thinking in business terms, which means it’s about ensuring everything is brought back to business impact. The concept of information risk management is still pretty nebulous, but ultimately any decision we make to restrict access or bolster defenses needs to be based on the economic impact on the business. So maybe the CIA acronym becomes CIA^2, so now you have availability and attribution as key aspects of security. But at least some of us believe you neglect availability at your peril. I’m pretty sure the CEO is a lot more interested in whether the systems that drive the business are running than who is doing what. At least at the highest level. Share:

Share:
Read Post

No More Flat Networks

As I continue working through the nuances of my 2011 research agenda, I’ve been throwing trial balloons at anyone and everyone I can. I posted an initial concept I called Vaults within Vaults and got some decent feedback. At this point, I’ve got a working concept for the philosophies we’ll need to embrace to stand a chance moving forward. As the Vaults concept describes, we need to segment our networks to provide some roadblocks to prevent unfettered access to our most sensitive information. The importance of this is highlighted in PCI, which means none of this is novel – it’s something you should be doing now. Stuxnet was a big wake-up call for a lot of folks in security, and not just organizations protecting Siemens control systems. The attack vectors shown really represent where malware is going. Multiple attack paths. Persistence. Lightning fast propagation using a variety of techniques. Multiple zero day attacks. And using traditional operating systems to get presence and then pivoting to attack the real target. Now that the map has been drawn by some very smart (and very well funded) attackers, we’ll see these same techniques employed en masse by many less sophisticated attackers. So what are the keys to stopping this kind of next generation attack code? OK, the first is prayer. If you believe in a higher power, pray that the bad guys are smitten and turned into pillars of salt or something. Wouldn’t that be cool? But in reality waiting for the gods to strike down your adversaries usually isn’t a winning battlefield strategy. Failing that, you need to make it harder for the attackers to get at your information. So I liked this article on the Tofino blog. It makes a lot of points we’ve been discussing about for a while within the context of Stuxnet. Flat networks are bad. Segmented networks are good. Discover and classify your sensitive data, define proper security zones to segregate data, and only then design the network architecture to provide adequate segmentation. I’ll be talking a lot more about these topics in 2011. But in the meantime, start thinking about how and where you can/should be adding more segments to your network architecture. Share:

Share:
Read Post

Incite 11/17/2010: Hitting for Average

We all need some way to measure ourselves. Are we doing better? Worse? Are we winning or losing? What game are we playing again? It’s all about this mentality of needing to beat the average. I hate it. What is average anyway? We took the kids in for their well checkups over the past week. XX1 is average. Hovering around 50% in height and weight. XX2 is pretty close to average as well. But the Boy is small. Relative to what? Other kids just turning 7? Why do I care again? Will the girlies not dig him if he’s not average? We see the same crap in our jobs. Everyone loves a benchmark, so they can spin the numbers to make themselves look good. In security we have very few quantitative ways to measure ourselves, so not many know if they are, in fact, average. Personally I don’t care if I’m average. I don’t care if I’m exceptional because I don’t know what that means. I did well on standardized tests growing up, but what did that prove? That I could take a test? Am I better now because I was above the arbitrary average then? Will that help me fight a bear? Right, probably not. I’d rather we all focus on learning what we need to. I don’t know what that means either, but it seems like a better goal than trying to beat the average. You see, I need to learn patience. So I guess I can’t be above average all the time because I’ve got to get comfortable waiting for whatever it is I’m waiting for. Which is maybe to be above average in something. Anything. So what do you tell your kids? It’s a tough world out there and beating the average means something to most people. They’ll compete with people their entire lives. As long as they choose to play that game, that is. I tell them to do their best. Whatever that means. That goes for you too. Even if your best is below the arbitrary average, as long as you know you did your best, it’s OK. Regardless of what anyone else says. Now a corollary to that is the scourge of delusion. You really need to do your best. Far too many folks accept mediocrity because they fool themselves into thinking they did try hard. I’m not talking about that. Only you know if you really tried or whether you mailed it in. And learn from every experience. That will allow you to do a little more or better the next time. Sure it’s scary and squishy to stop competing and let go over the scorecard. But if you are constantly grumpy and disappointed in yourself and everyone around you, maybe give it a try. You’ve got nothing to lose, except perhaps that perforated ulcer. Photo credits: “Not Your Average Joe’s” originally uploaded by bon_here Incite 4 U Rich is playing in the clouds (at the Cloud Security Summit) this week, he’s MIA. I’m sure he’s holding bar court in Orlando, debating the merits of the uncertainty principle and whether Arrogant Bastard Ale was really named after him. Holy backwards looking indicators, Batman! – It must be that time of year, where Symantec (formerly PGP) pays Larry Ponemon lots of shekels to run a survey telling us how encryption use is skyrocketing. Ah, thanks, Captain Obvious. Evidently 84% of nearly 1,000 companies are using some form of encryption. Wonder if they counted SSL? 62% use file server crypto, 59% full disk encryption, and 57% use database encryption. The numbers are the numbers, but that seems low for FDE use and high for DBMS encryption. But most interestingly, nearly 70% said compliance was the main driver for crypto deployment. That was the first time compliance was the main driver? Really? Not sure what planet the respondents of previous surveys inhabitat, but on Planet Securosis compliance has been driving crypto since, well, since Top Secret ruled the world. You think companies actually want to be secure? Come on now, that’s ridiculous. It isn’t until the audit deficiency is documented that there is any urgency for crypto. Or you lose a laptop and then your CEO has to fall on his/her disclosure sword. Wonder if that was one of the choices… – MR More secure, or passing the security buck? – Banking applications on cell phones seem to be a hit with customers. This type of service really makes sense for banks as it greatly reduces their customer service costs, and allows the bank to provide more easy-to-use services to the customer, enhancing their impression of the bank. Are you worried about security? From the customer’s standpoint, the security of their account(s) is probably better in the short term, if for no other reason mobile phone-based attacks are not as prevalent as web-based attacks. But from the bank’s perspective, this is a big win! All they need to do is worry about the security of their app. The cell providers and the phone platform providers inherit the rest of the burden! In the event a compromise happens, now there are three possible parties who could be responsible, any of which can accuse the other players of failing to do their job on security. In the confusion the customer will be left holding the (empty) bag. It will be interesting to see how this shakes out, as you know black hats are looking into War Driving, the cellular version. – AL We aren’t in the excuses business, Mr. Non-SSL web site – I’m not a big fan of excuses, just ask my kids. So it’s infuriating to see apologists still out there trying to rationalize why a lot of websites don’t go all SSL. Like the folks at Zscaler in their “Why the web has not switched to SSL-only yet? post. Sorry, with the exception of one issue, that’s all crap. Server overhead? Hogwash. Gmail proved that’s a load of the brown stuff. Increased latency? Where? Crap. How SSL impacts content delivery networks (mostly in terms of certificate integrity) is

Share:
Read Post

Rethinking Security

Security is broken. Captain Obvious here. We all know that but it doesn’t really help, does it? I came across a good post by Bobby Dominguez, who I met through Shimmy (but I won’t hold that against Bobby), which talks about rethinking security. To provide the proper context check out this excerpt, which beautifully highlights our futility: While all good security practitioners employ risk management techniques to protect the enterprise, we still can only get funding as an after-the-fact remediation. When we do get mitigation funding we deploy technologies that reduce impact or the likelihood of an event occurring. But these events are based on existing threats and the threats are evolving faster than point-solutions can be produced. Wow. That hits me like a kidney punch. You? Basically we aren’t getting it done and the game (as it’s laid out today) is stacked against us. So we need to change the game and Bobby has a few ideas on how to do that. The good news is that much of what he’s saying here are the cornerstones of what Securosis has been preaching for years, and I’ll use our terms to describe Bobby’s points. Information-centric security: Yes, focus on what needs to be protected rather than an infrastructure-based security model with appliances layered upon layer… This is the hard path. You get no credit when you still have to layer on those appliances because of compliance mandates. But still, if you want to have any chance, you need to start thinking about protecting the data, not just the devices. Trust no one: There is no insider or outsider any more. They are all threats, and must be treated as such. That means embracing things like user activity monitoring and checking for anomalous behavior. And that even applies to you. Separation of duties is a good thing. Embrace the commodities: Bobby talks sense about treating mature security technologies as the commodities they are. Why buy premium AV when they all suck (relatively) equally? Things like firewalls and IDS, and a bunch of other stuff, fit into the same category. That doesn’t mean there aren’t some capabilities that break commodity gear out of commodity status (like application aware firewalls), but for the most part focus your spending on technologies that will protect the most valuable stuff – that generally means focusing on the application layer. React Faster and Better: Despite Bobby’s rather abstract analogy about treating your network like a human body (so I should ply it with beer and other hallucinogens to make daily existence tolerable, right?), Bobby’s point is that we are already compromised. So focus your antibodies (security defenses) on figuring out where & how you are sick and attacking the infection. Yes, Rich and I are writing about that right now, so you have plenty of context for this concept. All told, I think Bobby does a good job of underscoring the fact that the status quo is dead, whether you want to believe it or not. There are some things we have to do because of old-line thinking and compliance mandates, but putting those requirements within the context of a different mindset can make a huge difference. Share:

Share:
Read Post

Incite 11/10/2010: Hallowreck (My Diet)

I fancy myself to have significant willpower. I self-motivate to work out pretty religiously, and in the blink of an eye gave up meat two and a half years ago – cold turkey (no pun intended). But I’m no superhero – in fact over the past few weeks I’ve been abnormally human. You see I have a weakness for chips. Well I actually have a number of food weaknesses, but chips are close to the top of the list. And it’s not like a few potato chips or tortilla chips will kill me in moderation. But that’s the rub – I don’t do ‘moderation’ very well. As I mentioned last week, for XX1’s birthday weekend we had a number of parties, which meant we had to have snacks around for all the visiting kiddies. Rut Roh. Yeah, the big bag of Kettle Chips from Costco. Untouched by the kids. Mowed through by me. Not in one sitting, so I guess I’m improving a bit. But over the course of 4-5 days I systematically dismantled the bag one bowl at a time. I guess I figured I couldn’t have a full-on binge if I did one bowl at a time, right? I’d have to get up and down to keep filling the bowl. I guess that’s how I got a portion of my exercise last week. Moderation, no so much. And of course, hot on the heels of the parties was Halloween. So the kids came back with bags and bags of candy. Normally my sweet tooth is contained. Maybe once a week I’ll have some ice cream with chocolate syrup. But with Almond Joys and Butterfingers and Peanut M&Ms around, you might as well put a crack pipe in Lindsay Lohan’s bedroom. Even worse, the Boss (who can’t eat chocolate – food allergies) got a 56oz bag of M&Ms. My hands aren’t big, but they can grab about 30 M&Ms in one swoop. And they did. Arghhh. So on Saturday night I put my foot down. The candy had to go. Thankfully they were collecting candy bars for the troops – and by the way, what the hell is that about? What better to send to the frackin’ desert than a couple of truckloads of chocolate bars. I heard those don’t melt on the surface of the sun, and that speaks nothing of their nutritional value (or lack thereof). But I guess they don’t want us donating produce to send to the troops, even though that makes a lot more sense. So, I put my foot down and decreed that the candy must go. The kids dutifully sorted their candy and we let them keep about 10 pieces to be doled out over the next few weeks. The Boss also stashed away some surplus for movie days, so we could use that instead of paying $10 for a box of Raisinettes at the theater. Maybe that’s kind of a dick move, getting rid of the candy because I struggle with self-control. But I’m cool with it. You don’t stock your fridge with beer if you are an alcoholic. You don’t buy a bong for a pothead’s birthday. And you don’t leave the Halloween candy in the house for those who struggle with their weight. Yes, I’ve made progress and working out hard 5-6 days a week gives me some buffer, but having that stuff around is just stupid. So we won’t… – Mike. Photo credits: “That’s a lot of Halloween candy. Bartell’s Drugs, Queen Anne, Seattle, 09/01/06” originally uploaded by photophonic Incite 4 U SCADA hysteria, coming to critical infrastructure near you: As I mentioned in my Storytellers post last week, I was at SecTor, and a lot of great discussion emerged from the conference. I have to give a shout-out to our contributor James Arlen, who from all indications did a great job of deflating the hype around SCADA attacks. Yes, Stuxnet happened and showed what is possible, but the sky isn’t falling. James points out that these systems are built for fault tolerance, and that compromising one control system isn’t likely to take down the power grid. Listen, I don’t want to minimize the risk – we all know these systems are vulnerable. But we do need to be wary of overhyping the issues, and James did a good job presenting both sides. His conclusion is key: “But, he encouraged security professionals to take a deep breath and assess the situation rationally.” Look for this one when it gets posted by the SecTor folks. – MR Cutting out the middle man: The Wall Street Journal highlights how major websites are limiting the number of tracking technologies they allow leeches ‘partner’ sites embed into their web pages. Why? Are they doing this for privacy concerns? Hell, no! And they’re not doing it to save the children, lower your cholesterol, reduce carbon emissions, or any other smokescreen. It’s about money and control, as always. The have lost control by allowing marketing firms to directly gather customer data, resulting in less data and money for site owners. Some firms found tracking software that they did not know about, while others found partners gathering information they did not even know was available. With many web sites desperately trying to stay in business, there will be significant investment into their own tracking software and data marts on the back ends, in order to monetize their data directly. We’ll see them code their own, and we will also see spyware “marketing software” vendors selling more plug-ins. And user privacy will be exactly the same as before, only the web sites will get a bigger slice of the financial pie. But that’s okay … it says so in the new end user (you have no) privacy agreement. – AL If you can’t beat ‘em, sue ‘em: There is no doubt that Microsoft once abused their position with anti-competative practices. I don’t mean in terms of what features they included in Windows, but all that back-room dealing and wrangling with hardware providers. That’s why I’m so amused by Trend trying to drum up antitrust

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.