Research

Game on! It’s hard to imagine, but this year we are hosting the Fifth Annual RSA Conference Disaster Recovery Breakfast, in partnership with SchwartzMSL and Kulesa Faul (and possibly one more surprise guest). When we started this we had no idea how popular it would be. Much to our surprise it seems that not everyone wants to spend all their time roaming a glitzy show floor or bopping their heads to 110 decibels in some swanky club with a bunch of coworkers wearing logo shirts and dragging around conference bags. (Seriously, what is up with that?!?) As always, the breakfast will be Thursday morning from 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We’ll have food, beverages, and assorted recovery items to ease your day (non-prescription only). Remember what the DR Breakfast is all about. No marketing, no spin, just a quiet place to relax and have muddled conversations with folks you know, or maybe even go out on a limb and meet someone new. After three nights of RSA Conference shenanigans, it’s an oasis in a morass of hyperbole, booth babes, and tchotchke hunters. Invite below. See you there. To help us estimate numbers please RSVP to rsvp (at) securosis (dot) com. I (Rich) won’t actually be there this year (probably) or at RSA at all. It seems my wife decided to have a baby that week, so unless the little bugger comes pretty early I’ll be at home for my first RSA in many years. So have one or two for me on Wednesday night, then a few aspirin and Tums for me on Thursday morning at the breakfast. Share:

Between WikiLeaks imploding, the LulzSec crew going to jail, and APT becoming business as usual, you might think data security was just so 2011, but the war isn’t over yet. Throughout 2012 we saw data security slowly moving deeper into the market, driven largely by mobile and cloud adoption. And slow is the name of the game – with two of our trends continuing from last year, and fewer major shifts than we have seen in some other years. You might mistake this for maturity, but it is more a factor of the longer buying cycles (9 to 18 months on average) we see for data security tools. Not counting the post-breach panic buys, of course. Cloud. Again. ‘Nuff Said? Yes, rumor is strong that enterprises are only using private cloud – but it’s wrong. And yes, cloud will be splattered on every booth like a henchman in the new Aaarnoold movies (he’s back). And yes, we wrote about this in last year’s guide. But some trends are here to stay, and we suspect securing cloud data will appear in this guide for at least another couple years. The big push this year will be in three main areas – encrypting storage volumes for Infrastructure as a Service; a bit of encryption for Dropbox, Box.net, and similar cloud storage; and proxy encryption for Software as a Service. You will also see a few security vendors pop off their own versions of Dropbox/Box.net, touting their encryption features. The products for IaaS (public and private) data protection are somewhat mature – many are extensions of existing encryption tools. The main thing to keep in mind is that, in a public cloud, you can’t really encrypt boot volumes yet so you need to dig in and understand your application architecture and where data is exposed before you can decide between options. And don’t get hung up on FIPS certification if you don’t need FIPS, or will you limit your options excessively. As for file sharing, mobile is the name of the game. If you don’t have an iOS app, your Dropbox/Box/whatever solution/replacement is deader than Ishtar II: The Musical. We will get back to this one in a moment. There are three key things to look for when evaluating cloud encryption. First, is it manageable? The cloud is a much more dynamic environment than old-school infrastructure, and even if you aren’t exercising these elastic on-demand capabilities today, your developers will tomorrow. Can it enable you keep track of thousands of keys (or more), changing constantly? Is everything logged for those pesky auditors? Second, will it keep up as you change? If you adopt a SaaS encryption proxy, will your encryption hamper upgrades from your SaaS provider? Will your Dropbox encryption enable or hamper employee workflows? Finally, can it keep up with the elasticity of the cloud? If, for example, you have hundreds of instances connecting to a key manager, does it support enough network sockets to handle a distributed deployment? If encryption gets in the way, you know what will happen. Is that my data in your pocket? BYOD is here to stay, as we discussed in the Key Themes post, which means all those mobile devices you hate to admit are totally awesome will be around for a while. The vendors are actually lagging a bit here – our research shows that no-one has really nailed what customers want from mobile data protection. This has never stopped a marketing team in the history of the Universe. And we don’t expect it to start now. Data security for BYOD will be all over the show floor. From network filters, to Enterprise DRM, with everything in between. Heck, we see some MDM tools marketed under the banner of data security. Since most organizations we talk to have some sort of mobile/BYOD/consumerization support project in play, this won’t all be hype. Just mostly. There are two things to look for. First, as we mentioned in Key Themes, it helps to know how people plan to use mobile and personal devices in your workplace. Ideally you can offer them a secure path to do what they need to solve their business problems, because if you merely block they they will find ways around you. Second, pay close attention to how the technology works. Do you need a captive network? What platforms does it support? How does it hook into the mobile OS? For example, we very often see features that work differently on different platforms, which has a major impact on enterprise effectiveness. When it comes to data security, the main components that seem to be working well are container/sandboxed apps using corporate data, cloud-enhanced DRM for inter-enterprise document sharing, and containerized messaging (email/calendar) apps. Encryption for Dropbox/Box.net/whatever is getting better, but you really need to understand whether and how it will fit your workflows (e.g., does it allow personal and corporate use of Dropbox?). And vendors? Enough of supporting iOS and Windows only. You do realize that if someone is supporting iOS, odds are they have to deal with Macs, don’t you? Shhh. Size does matter Last year we warned you not to get Ha-duped, and good advice never dies. There will be no shortage of Big Data hype this year, and we will warn you about it continually throughout the guide. Some of it will be powering security with Big Data (which is actually pretty nifty), some of it will be about securing Big Data itself, and the rest will confuse Big Data with a good deal on 4tb hard drives. Powering security with Big Data falls into other sections of this Guide, and isn’t necessarily about data security, so we’ll skip it for now. But securing Big Data itself is a tougher problem. Big Data platforms aren’t architected for security, and some even lacking effective access controls. Additionally, Big Data is inherently about collecting massive sets of heterogenous data for advanced analytics – it’s not like you could just encrypt a single column.

In response to this SC Magazine article (thanks @pauljudge), I tweeted: An important distinction to keep in mind when you read these articles. Share:

Yep – we are doing our very best to overload you with research this year. Here’s my latest. From the paper’s home page: Between new initiatives such as cloud computing, and new mandates driven by the continuous onslaught of compliance, managing encryption keys is evolving from something only big banks worry about into something which pops up at organizations of all sizes and shapes. Whether it is to protect customer data in a new web application, or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And behind all of this is the ever-present shadow of managing all those keys. Data encryption can be a tricky problem, especially at scale. Actually all cryptographic operations can be tricky; but we will limit ourselves to encrypting data rather than digital signing, certificate management, or other uses of cryptography. The more diverse your keys, the better your security and granularity, but the greater the complexity. While rudimentary key management is built into a variety of products – including full disk encryption, backup tools, and databases – at some point many security professionals find they need a little more power than what’s embedded in the application stack. This paper digs into the features, functions, and a selection process for key managers. Understanding and Selecting a Key Manager (PDF) Special thanks to Thales for licensing the content. Share:

Thanks to your friends at Accuvant labs. Very worth reading for security pros. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas did an excellent job breaking it down. Here’s the security risk: One important point to make is that unlike the previous jailbreakme.com exploits, which could be used against an unwitting victim, jailbreaks that require USB tethering have a lower security impact, and are usually only useful to the phone’s owner. Attackers are less interested because iPhones with a passcode set will refuse to communicate over USB if they are locked, unless they have previously paired with the connecting computer. So your phone is stolen and it’s locked, attackers won’t be able to jailbreak it. Therefore, only malicious code already running on your computer can leverage USB jailbreaks nefariously. In case you didn’t know, iOS devices that pair with a computer will re-pair with other user accounts on that computer. It is device-based, not user account based. Share:

Evad3rs releases an iOS 6.1 jailbreak for all devices. Update: According to @drscjmm this will not work when a passcode is set, which means we are still in pretty good shape from a security standpoint. Untethered, which means you still need to plug the device into a computer, but the jailbreak lasts across reboots (this is not remotely executable at this time). This means all iOS devices are exposed to hands-on forensics, even with a passcode. Data protection still needs to be broken, but an attacker can jailbreak and install a back door to sniff your password if they have physical control of the device for long enough. if you lose your phone and recover it, wipe it and restore from a known unjailbroken backup. From the jailbreak notes: Please disable the lock passcode of your iOS device before using evasi0n. It can cause issues. I can’t test right now, but will be interesting if a passcode prevents the jailbreak, or is sometimes just an obstacle. Please leave comments if you know or find out. Update: As we said above, a passcode appears to block this jailbreak, which is good. (Hat tip to The Verge for the link). Share:

What’s the over/under on this one working? Mac users – this means XProtect won’t block it in your web browser, so if you don’t want it active be careful. I actually feel bad for the team that has to clean Java up. I’d hate to be in that mess. Share:

Apple uses XProtect to block the Java browser plugin due to security concerns. Draconian, but a good move, I think. Still, they should have notified users better for the ones who need Java in the browser (whoever that may be). You can still manually enable it to run if you need to. This doesn’t block Java itself, just the browser plugin. If complaint levels stay low, it indicates how few people use Java in the browser, and will empower Apple to make similar moves in the future. Share:

A must-read reported by the Times itself: For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. The article contains many more details than we usually see about these incidents. Pure APT, and I had Mandiant pegged as the responders by the second paragraph. Of greater interest AT&T’s role in initially identifying the attack. Some in the security community, especially researchers, like to dismiss APT, but there is no question that China (and others, including the US) are engaging in massive attack campaigns. The key difference is that China is brazen and appears to target anyone in the public who private sector who comes anywhere near their radar screen. This includes companies far smaller than the Times. Until there are consequences for these actions, don’t expect anything to slow down. Gumming up the Huawei deal doesn’t come close to a material consequence. Update: Looks like the Wall Street Journal is also under persistent attack from China. Share:

Plan. Build. Run. It’s a pretty straightforward process. One of those things that is so simple we rarely need to even call it out. We tend to structure our research this way, even if we use different terms that are more consistent with the context at hand. This morning my wife gave me one of those looks as I got all excited and mentioned our build phase was nearly over. You see, for the past four-plus years our lives have been in big-time family build mode. We knew we wanted kids, we planned a bit, and then started building the family. What I didn’t realize was the sort of stasis that you get into when you cram build mode into a short timeframe (three kids in under five years for us). Nothing is ever stable when you bring children into the picture, but life sort of goes on hold when you are having kids, in a weird way that’s different from adjusting to the various changes as they grow up. For example, our garage is chock full of strollers, baby clothes, and other accouterments. We can’t even throw away any toys because the next baby will need all the same stuff. Sophie the Giraffe ain’t cheap for a hunk of rubber, and it isn’t even worth pulling it out of rotation with our kids so close. I just know one day I will pull around the block and see a Hoarders film crew in front of my house. Cars? Carseats? Daycare costs? Vacation plans? Even framing family photos is all messed up when you know the next little bugger is on the way. I knew life would be more difficult with children, but I didn’t anticipate the time dilation as you put your life on hold for the build years. And let’s be perfectly clear – it is a hell of a lot easier on me than my wife. I’m not the one who has to plan my wardrobe nine months in advance. As the rest of the Securosis team, and many of you, head out to RSA, I will be back here in Phoenix working on our Build-to-Run transition. Well, more like witnessing – it’s not like I’m doing any of the real work. The Mogull family will be in full production mode, and we can start slowly cleaning out the dev archives. Er… maybe I’m working too much. Anyway, I’m as excited to know that we have three happy and healthy kids, and no more, as I am to meet the new one for the first time (really, they aren’t very exciting for the first six or so months anyway). We can start moving forward and enjoy the few short years we will have them around to wreck our sleep, break our sh**, and otherwise teach us levels of emotional pain we can’t possibly imagine. But damn, they’re cute. And while I miss the freedom of the pre-kid versions of our lives, this is exactly where I want to be at this point in my life. Without question or hesitation. Really, they’re very cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Big Data Tweet-jam roundup. Adrian quoted on Big Data. Rich quoted in the Economist on Android security. Rich reviews his favorite fitness gadget for TechHive. Favorite Securosis Posts Adrian Lane: No Limits – New York Times Hacked by China. Mike Rothman: Universal Plug and Play Vulnerable to Remote Code Injection. One of the things Adrian didn’t get in this post is that Rapid7’s tool requires Java. FAIL. David Mortman: IAM for cloud use cases. Rich: It it was easy, everyone would be doing it… Other Securosis Posts Remember, every jailbreak is a security exploit Incite 1/30/2013: Email autoFAIL The Internet is for Pr0n Gartner on Software Defined Security The Graduate: 2013 Style Threatpost on Active Defense The Inside Story of SQL Slammer Java Moving from Ridiculous to Surreal Marketers take the path of least resistance Mobile Commerce Numbers Don’t Lie In through the Barracuda Back Door Favorite Outside Posts Adrian Lane: Symantec Gets A Black Eye In Chinese Hack Of The New York Times. Low effectiveness, but who will remove it? Mike Rothman: Check Point, Juniper, Stonesoft shine in low-end network firewall test. I like the work NSS does to put these products through their paces. It can’t really reflect real world circumstances, but their tests are as close as we are going to get. Rich: Decoding SDN by Juniper. SDN is hitting, and it’s time to get up to speed on the fundamentals. David Mortman: Trust will make or break cloud ID management services. Rich (#2): Jeff Carr asks great questions on the NYT article. Top News and Posts Twitter flaw allowed third party apps to access direct messages Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Backdoors Found in Barracuda Networks Gear Speedtest.net serving malvertiseing. How Yahoo allowed hackers to hijack my neighbor’s e-mail account. Wikr updates iOS app. I like Wikr, but don’t have enough people to use it with. Blog Comment of the Week This week’s best comment goes to David, in response to Threatpost on Active Defense. Rich, I am promoting using the term “Active Response Continuum” instead of “active defense” for the reason you cite, which is the term is too vague to be meaningful in discussion. The Active Response Continuum includes everything you list above, using two ranges (one capacity to respond, the other aggressiveness of actions). For more on this concept, see David Dittrich and Kenneth E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://papers.ssrn.com/sol3/papers.cfm? abstract_id=790585 and my Honeynet Project blog post responding to someone promoting “active defense” http://www.honeynet.org/node/1004 Share: