Research

Hey everyone, As you know, we try to make our research process as open and transparent as possible. We know any research that ends up with a vendor logo on it somewhere is viewed with justified skepticism, so our goal is to combat that perception of bias with radical transparency. For the past 6 years or so, since I started the company, we have handled that with blog comments, and by requiring even vendors who license the content to submit feedback via the site. That has worked well but the world keeps evolving beyond blogs. As an experiment I just posted my latest draft paper on GitHub. You can view the Executive Guide to Pragmatic Network Security Management on GitHub. It helps that we write all our papers in Markdown, and GitHub is very Markdown friendly. I will try to use this to both collect comments and keep everyone up to date as we edit the paper. This is also a much better mechanism than blog comments for people to suggest exact changes, although that does require becoming a bit familiar with GitHub. This is truly an experiment and I could definitely use your feedback. I will still post the paper in pieces as we normally do, but if you are up for checking it out, please give GitHub a shot. Share:

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. vBulletin is the the most popular forum platform out there. It runs many, or most, of the sites your admins and developers peruse for technical advice and questions. Now tens of thousands of those sites are hosting malware. Hope you have some web filtering capable of detecting and blocking the flood. This is the very definition of a watering hole attack, as much as I hate that stupid marketing term. Share:

You may have noticed our posting was down a bit this week. Okay, pretty much non-existent. But take a look at the links in this Summary for what we have been reading and thinking about. This is turning out to be the busiest end-of-year I can remember for us. We always compress some things in Q4 as people use up end-of-year budget, but this year it is really hitting hard… and I am absolutely loving it. I have 3 papers to finish up before the end of the year, all of them on topics I am extremely interested in. Plus travel nearly every week. It will, of course, run me into the ground, but it looks like there will be plenty of time to remind the kids what I look like over the holidays, when I can bribe them. Our one post this week was Mike’s Incite, Youth is Wasted on the Young. While that is true, in my case I think age is wasted on the middle-aged. I didn’t barge out of college with a checklist of life goals quite like Mike. My graduation was more of a whimper. I spent 8 years as an undergrad, starting off in aerospace engineering and Navy ROTC with a clear path to being an astronaut, leaving as an itinerant paramedic and IT pro with a degree in history and an almost-finished second major in molecular biology. I don’t, for an instant, feel that I wasted my youth, missed opportunities, or failed to work to my peak potential. I needed to develop a lot as a person, like everyone, but managed to mostly avoid the deep pains and frustrations that Mike seems to have encountered. This wasn’t some genius superpower, but some incredible acts of fortune that brought amazing friends into my life to help me along. Martial arts also played a major role by developing self-awareness. That said, I did have a couple doozies, especially involving the finer gender, but nothing that didn’t launch me into something even more interesting. Age is wasted on the middle-aged because I have nearly as much enthusiasm, see just as much opportunity, but lack the freedom to pursue it as aggressively. I am not willing to risk my family’s lifestyle and home, and so am forced to proceed at a more methodical pace – which annoys the hell out of my 27-year-old self-image. But I don’t look at this with regret. I took full advantage of the opportunities I had at 27, and while I sometimes itch for more in my 40s, I know exactly what I would have to sacrifice to achieve them quickly, and I prefer this life. Besides, I am still egotistical enough to think I will achieve all my goals in time. And don’t go thinking I’m all zen or anything. Some of this bugs the hell out of me on a daily basis, but not to the point where I freak out over it. I suppose that’s progress… and sleep deprivation. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR post on Evasion Techniques And Sneaky DBAs. Favorite Securosis Posts Adrian Lane: Youth is wasted on the young. The ‘halfway’ point realization is a sobering thought. No Other Securosis Posts this Week Favorite Outside Posts Adrian Lane: EMV vs the UPT, Can We Fix the #FAIL? Branden Williams points out one of the many reasons Chip and Pin is a long way off in the US. David Mortman: Identity Management and Its Role in Security Strategy of Enterprise Environments. Gal Shpantzer: Is the Affordable Health Care Website Secure? Probably not. James Arlen: SecTor 2013: Are there limits to ethical hacking? Mike Rothman: The Lie in the Network. Thought provoking post by the Rev. Baker about how we can’t count on the network for security and have to look at the issue differently. I will cover this in a longer post next week but it’s worth reading now. And I look forward to the next few posts to check out some of his ideas. Research Reports and Presentations A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Top News and Posts Forrester Contradicts Verizon Report, Says Insider Threat Leads Data Breaches. Call me skeptical. Alleged ‘Dread Pirate Roberts’ Heads to New York in Silk Road Case Nordstrom Finds Cash Register Skimmers Make your own Enigma Replica. Perfect high school project! Microsoft pays out $100,000 bounty for Windows 8.1 bug. Google’s Schmidt: Android more secure than iPhone. Not. Blog Comment of the Week This week’s best comment goes to louis vuitton belts, in response to about a dozen blog posts: You write well This has to be our most persistent and impressed reader ever. It’s really nice he or she feels this way about our work. Please keep the support coming – I’m sure we will approve one of your comments soon. Share:

A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat. I decided to release it as a white paper. Because I think there are too many trees in the world, and this will encourage you to print it out. Or buy a tablet – doesn’t matter to me. Landing Page: A Practical Example of Software Defined Security Direct Download (PDF) In all seriousness, I hope you like it; and that this white paper, with complete content from the posts, is useful to you. Share:

Brian Krebs breaks another story: Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering. And on hiring a hit man (seriously): On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.” I wonder if Benedict Cumberbatch will play DPR in the movie? Compelling read. Nothing to do with IT security unless you plan on hosting an illegal site, but fascinating. Share:

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field. A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft: “If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.” It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers. Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game. Share:

I’m really looking forward to this, although my skills will keep me in the back of the room: October 2013 Chicago Crypto-For-Developers Class Share:

A vulnerability in Internet Explorer has been known and unpatched for two weeks. According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing. Better deploy the FixIt tool if you don’t have some other way of blocking exploits. But I’m probably screwed, because I can’t get that mitigation to run on my Mac. Share:

I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play. Vendors can’t buy Magic Quadrant ratings. Let me say it again: vendors cannot directly buy MQ ratings. I don’t expect to change any minds here, but that isn’t how it works. Not that money can’t influence the process, which I will get into. Analysts are totally walled off from the financial side of Gartner. They are not compensated, at all, based on how much a vendor spends. Many analysts have a very negative view of the vendor community, which can actually be destructive. It doesn’t matter how much a vendor spends – the analyst makes the same. In the seven years I was there I never saw management ask an analyst to adjust an MQ because a new client spent more money. Really, the anti-vendor attitude is so deep that an analyst is more likely to reduce a rating if a vendor tries to play those games. There used to be a loophole. Analysts used to get paid more for participating on strategy days with vendors. Some unscrupulous analysts effectively used blackmail to get vendors to buy more days. Gartner cut that off around the time I became an analyst, sometime around 2001 I think. It pissed off some analysts who were basically doubling their salary with strategy days. Today, all a strategy day does is keep an analyst away from their family – they don’t get paid more. However. Gartner clients get to talk with the analysts more. Anyone can brief an analyst once a quarter or so, but paying clients get longer calls, more frequently. Strategy days mean the vendor gets face time with the analyst and can build a personal relationship (there are guidelines limiting gifts, meals, and such to reduce influence there). This can subtly influence an analyst over time, even though it isn’t explicit buying. Smart vendors can do much the same thing without spending a dime, because most analysts don’t care about contract value, but paying up can definitely be used as an advantage. So why do all the big companies score better, especially in ability to execute? Because, in many MQs, that’s where a larger, more mature organization will almost always score better. They have mature sales, marketing, and channel programs. Bigger support teams. The ability to support larger clients. As much as we slam them for inefficiency all the time, you can throw enough bodies at certain problems to make them go away. It doesn’t mean the product executes or performs better, but that the company has accountants. That’s why startups tend to do much better on vision (since they, you know, actually innovate). One of my weirdest post-Gartner experiences was helping some vendors work through the MQ process. All I really did was help them figure out what the analysts wanted (honest answers) and how to avoid getting into trouble (legal threats if your dot moved 3mm, which happens). I even warned them away from trying to schedule strategy days too close to an MQ, which could be seen as trying to cheat. I wouldn’t say it is a perfect process. And there is a reason Securosis will never engage in vendor comparison research like an MQ, but money doesn’t directly buy results. I have no skin in this game (not even stock) and have been out for a long time, so take it as you will. But if you are an analyst reading this, don’t think for an instant that vendors aren’t trying to influence you every second of every day, and there’s a reason they call it the “Gartner Tax”. Share:

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals: Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards. Meh. In many cases the technologies are already here, or deep into development. The problem isn’t a lack of innovation, but that people keep spending money on the same old crap. That’s a different kind of rut. Besides, no matter what we do, the bad guys will keep innovating around it, as they have been for thousands of years. There are a couple good bits deeper in the article, including: On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them. That is a big one, and worthy of a separate article. Share: