Login  |  Register  |  Contact
Wednesday, May 13, 2009

Draft Questions for Initial Survey

By Rich

One of our major milestones in the project is to perform an initial user survey to get a handle on how people are managing their patching process.

I just completed my first rough-draft of some survey questions over in the forums. The main goal is to understand to what degree people have a formal process, and how their process is structured.

I consider this very rough and in definite need of some help.

Please pop over to this thread in the forums and let me know what you think. You can also leave comments here if you don’t want to register for the site/forums.

In particular I’m not sure I’ve actually captured the right set of questions, based on our priorities for the project (I know survey writing is practically an art form).


The Network Security Podcast Hits Episode 150 and 500K Downloads

By Rich

I first got to know Martin McKeay back when I started blogging. The Network Security Blog was one of the first blogs I found, and Martin and I got to know each other thanks to blogging. Eventually, we started the Security Blogger’s Meetup together. After I left Gartner, Martin invited me to join him as a guest-host on the Network Security Podcast, and it eventually turned into a permanent position. I’ve really enjoyed both podcasting, and getting to know Martin better as we moved from acquaintances to friends.

Last night was fairly monumental for the show and for Martin. We recorded episode 150, and a few hours later hit 500,000 total downloads. No, we didn’t do anything special (since we’re both too busy), but I think it’s pretty cool that some security guy with a computer and a microphone would eventually reach tens of thousands of individuals, with hundreds of hours of recordings, based on nothing more than a little internal motivation.

Congratulations Martin, and thanks for letting me participate.

Now on to the show:

This is one of those good news/bad news weeks. On the bad side, Rich messed up and now has to retake an EMT refresher course, despite almost 20 years of experience. Yes, it’s important, but boy does it hurt to lose 2 full weekends learning things you already know. On the upside, this is, as you probably noticed from the title of the post, episode 150! No, we aren’t doing a 12 hour podcast like Paul and Larry did (of PaulDotCom Security Weekly), but we do have the usual collection of interesting security stories.

Network Security Podcast, Episode 15, May 12, 2009

Time: 38:18

Show Notes


Tuesday, May 12, 2009

Consumer Protection and Software

By Adrian Lane

CNET is reporting that last week the European Commission is proposing consumer protection laws be applied to software. Mentioning specifically anti-virus and video game software, commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software in an effort to protect customers and implying that consumers would use more and buy more if the software was better.

“extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games, or other licensed content,” according to the commissioners’ agenda. “Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions.”

In reality I am guessing some politician took notice that few in the voting public are for crappy software. Or perhaps they took notice that anti-virus software does not really stop malware, spyware, phishing and viruses as advertised? Or perhaps they still harbor resentment for “ET: The Game”? Who knows.

I had to laugh at Business Software Alliance Director Francisco Mingorance’s comment that “Digital Content is not a tangible good and should not be subject to the same liability as toasters.” He’s right. If your toaster is mis-wired it could kill you. Or if you used it in the bathtub for that matter. If people are not happy with a $45.00 piece of software, and no one died from its use, do you think anyone is going to prosecute? Sure, Alvin & the Chipmunks really sucked; caveat emptor!

Even if you should find a zealous prosecutor, if something should go wrong with the software, who will get the blame? The vendor for producing the code? The customer for they way they deployed, configured, and modified it? How would this work on an application stack or in one of the cloud models? Was the software fully functional to the point in time specification, but the surrounding environment changes created a vulnerable condition? If anti-virus stops one virus but not another, should it be deemed defective? There is not enough time, money or interest to address these questions, so the legislative effort is meaningless.

I appreciate the EC’s frustration and admire them for wanting to do something about software quality and ‘efficacy’, but the proposal is not viable. Granted there are the few software developers who look upon their craft to build the best the best possible software, but most companies will continue to sell us the crappiest product that we will still buy. The only people who will benefit are the lawyers who will be needed to protect their clients from liability; you think EULAs are bad now, you have seen nothing yet! Do not be surprised if you see the software quality bandwagon rumble through Washington D.C. as well, but it will not make security software better because you cannot effectively legislate software quality. Meaningful change will come when customers vote with their dollars.

–Adrian Lane

The Data Breach Triangle

By Rich

I’d like to say I first became familiar with fire science back when I was in the Boulder County Fire Academy, but it really all started back in the Boy Scouts. One of the first things you learn when you’re tasked with starting, or stopping, fires is something known as the fire triangle. Fire is a pretty fascinating process when you dig into it. It demonstrates many of the characteristics of life (consumption, reproduction, waste production, movement), but is just a nifty chemical reaction that’s all sorts of fun when you’re a kid with white gas and a lighter (sorry Mom). The fire triangle is a simple model used to describe the elements required for fire to exist: heat, fuel, and oxygen. Take away any of the three, and fire can’t exist. (In recent years the triangle was updated to a tetrahedron, but since that would ruin my point, I’m ignoring it). In wildland fires we create backburns to remove fuel, in structure fires we use water to remove heat, and with fuel fires we use chemical agents to remove oxygen.

With all the recent breaches, I came up with the idea of a Data Breach Triangle to help prioritize security controls. The idea is that, just like fire, a breach needs three elements. Remove any of them and the breach is prevented. It consists of:


  • Data: The equivalent of fuel – information to steal or misuse.
  • Exploit: The combination of a vulnerability and/or an exploit path to allow an attacker unapproved access to the data.
  • Egress: A path for the data to leave the organization. It could be digital, such as a network egress, or physical, such as portable storage or a stolen hard drive.

Our security controls should map to the triangle, and technically only one side needs to be broken to prevent a breach. For example, encryption or data masking removes the data (depending a lot on the encryption implementation). Patch management and proactive controls prevent exploits. Egress filtering or portable device control prevents egress. This assumes, of course, that these controls actually work – which we all know isn’t always the case.

When evaluating data security I like to look for the triangle – will the controls in question really prevent the breach? That’s why, for example, I’m a huge fan of DLP content discovery for data cleansing – you get to ignore a whole big chunk of expensive security controls if there’s no data to steal. For high-value networks, egress filtering is a key control if you can’t remove the data or absolutely prevent exploits (exploits being the toughest part of the triangle to manage).

The nice bit is that exploit management is usually our main focus, but breaking the other two sides is often cheaper and easier.


Monday, May 11, 2009

Data Harvesting and Privacy

By Adrian Lane

Someone has finally captured my vision of what a data centric society without privacy rights looks like. This video is really funny … and scary. Law enforcement and drug companies have been doing this for years. And even if it is not public knowledge, many insurance companies are doing this as well. Orwell had no idea how deep the rabbit hole goes.

–Adrian Lane

Friday, May 08, 2009

Friday Summary - May 8, 2009

By Adrian Lane

A lot of security related news this week in the mainstream press. What with Nuclear Secrets being a fringe benefit to eBay shopping. Other big names like McAfee exposing users to a CSRF and MI-6’s operations nixed on a missing memory stick. With security this bad, who needs Chinese hackers? What gets me is the simple stuff that gets missed. Unencrypted hard drives and memory sticks. WTF? Fighter jet plans and power grid control systems on networks, directly or indirectly attached to the Internet? Whoever thought that was a good idea needs to be discovered and fired. Anyway, enough negativity, and you don’t need to read my rants when there are this many good articles to read this week.

The funniest thing I saw all week was from last night: Rich and I were having dinner, waiting for the 10:00 PM premiere of the new Star Trek movie, when Rich decided he was going to have some fun and do some ‘live #startrek’ tweets. Not real, but live. Rich was on a roll as we started to joke about plot lines and just making up character twists and throwing BS on Twitter. I must say, he has Trekkie cred, because he knows a heck of a lot more than I do about the entire genre. We were having a great time just making $%(# up. After dinner we went to the theater and got dead center seats! We were not 5 minutes into the movie when one of Rich’s tweets came alarmingly close to the real thing. Another 5 minutes, and Rich nailed another plot line. I am not going to say which ones, you will just have to go see the movie. Oh, and we both really liked it! A must-see for Star Trek fans. But for a little amusement, before you go to the movie, check Rich’s tweets.

I know Rich said it last week, but I wanted to mention it again – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest, which goes out every night.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Martin and Rich on the weekly Network Security Podcast.
  • I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (each about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials.

Favorite Securosis Posts

Favorite Outside Posts

Top News and Posts

Blog Comment of the Week

This week’s best comment was from Nick in response to Spam Levels and Anti-Spam:

Since the McColo shutdown we have seen a gradual rise in spam only returning to pre-McColo levels about a month ago. We are a small fish and only deal with about 20,000 emails per day including spam. But I have not been able to recognize the “return to normal” that everyone was talking about several months ago.

I would actually estimate that after the shutdown, we have been sitting about 20% lower than usual, until this past month. Not including the first period of time after McColo.

–Adrian Lane

Thursday, May 07, 2009

Updated Patch Management Cycle

By Rich

Based on feedback from the forums, I updated the patch management cycle. Please take a look and let me know what you think. Here’s the direct link to the update in the forums.

The main changes are swapping the evaluate/acquire phases, including both pre and post package creation testing, and creating a sub-cycle for deploying-confirming-cleaning up.


Get the iPhone or Not?

By Adrian Lane

It’s kind of Apple Day here. Rich has been stuck in a ‘Genius Bar’ time warp all morning with a handful of dead Mac minis (Probably died from processor envy when the new Mac Pro arrived). Despite the recession, if you lose your appointment slot, you are going to be waiting a long time, as the AZ Apple stores are always packed. I would gladly have switched places with him, as I have spent all morning trying to decipher alien runes AT&T iPhone pricing plans. My cell phone provider, QuestQwest, is dropping all its cellular services and I now need two new phones. I thought this would be an easy decision as everyone I know seems to have an iPhone. Most people I know in the security profession have had their iPhones for a year or more and they love them. They really like to show off their eye-candy apps and what a powerful mobile computer the iPhone really is. But if 95% of your use is going to be phone calls, is it worth it?

As bad as the AT&T pricing is, the real issue is service. AT&T coverage and clarity sucks, or SUCKS, depending upon where in the country you live. I get phone calls from from friends and associates, usually someone I know who has some comment about how my recent blog post demonstrated a complete lack of knowledge, and I should really have done my homework prior to posting. And that person is really smart and is probably making really compelling arguments, but it comes across as a small child making motorboat noises while facing away from the phone. I can’t help myself and laugh out loud. My laughter and saying “Dude!” really pisse them off, but the it is really hard to hear! And this is just the Securosis side of things. My wife and I drive lots of places where a clear connection is critical, and might have a life-threatening need to reach out and speak to someone who can help. In cases like this, a cool gadget loses every time to a reliable call.

I love all the Apple products I have purchased and will seriously consider the iPhone. But AT&T is not Apple, and when it comes down to it, service is the bulk of what I am paying for. I was really hoping the rumored Verizon branded iPhone Nano would happen as I could get the Apple product and have good coverage. I have been cruising Mac Rumors every day to see what’s new. We’ll see. There is a rumor that AT&T is dropping prices, which is nice, but Verizon is running a 2 for 1 sale on Blackberrys, which is even more compelling. I have another month or two of service before I have to make a decision, by which time the new iPhones should be out, and then I will make the decision.

–Adrian Lane

Wednesday, May 06, 2009

Spam Levels and Anti-Spam SaaS

By Adrian Lane

I was reading the Network World coverage last night of the McAfee Spam Report stating spam rates were down 20%. While McAfee’s numbers are probably accurate, my initial reaction was “Bull$#(&”, because I personally am not seeing a drop in spam. If the McAfee report, as well as Brian Krebs’ posts, show the totals are down, why am I getting a lot more spam, increasing weekly to the point where I am becoming actively annoyed again? I was wondering how much was due to the launch of the new Securosis web site, which was the ‘cat and mouse’ cyclical changing of spam techniques, and how much was an anti-spam provider not keeping up.

I spent a couple of hours last night combing through Postini alerts, my internal junk folder, and the deleted spam that had made it to my inbox. What I found was a linear progression from the time we started with Postini until now, with increasing rates getting caught by my internal spam filter, and a corresponding linear increase getting into the Inbox. Not sure why I allowed this to capture my efforts on Cinco de Mayo, especially considering I have developed a really good margarita recipe that deserved some focused appreciation, but hey, I have no life, and the article grabbed my interest enough to go exploring.

Anyway, I think that Postini is just falling behind the curve. We switched over September of 2008. My email address was broadcast when I joined Rich last July and I was surprised that there was not more spam. When we added the Postini service, no spam was getting through for a while, and every evening I would get my Postini status digest of the one or two spam messages it had intercepted. I still get these, and the digest always shows 1-2 emails captured. However, I am getting several dozen in my internal spam folder and another 15-20 in my inbox. And it is the old school blatant “Bank of Nigeria” and “Lottery Winner ” stuff that is sneaking in. Even the halfway well-executed Citibank/Chase/BofA Security alert phishing attempts are getting caught my my personal filters, so how in the world is this stuff getting through Postini? This is not the 97-99% percent blockage that I talked about in the past, and customers have reported to me. I just did a survey 9 months ago and it may already be out of date.

It’s time to make a change. The beauty of spam filtering as SaaS is that we can change without pain. I am on the lookout for a 10 seat SaaS anti-spam plan. Got recommendations? I would love to hear them. Share your advice and I will share my margarita recipe.

–Adrian Lane

The Network Security Podcast, Episode 149

By Rich

It’s been a bit of a strange week on the security front, with good guys hacking a botnet, a major security vendor called to the carpet for some vulnerabilities, and yet another set of Adobe 0days. But being Cinco de Mayo, we can just margarita our worries away.

In this episode we review some of the bigger stories of the week, and spend a smidge of time pimping for a (relatively) new site started by some of our security friends, and a new project Rich is involved with.

Network Security Podcast, Episode 149, May 5, 2009

Time: 34:08

Show Notes:


We’re All Gonna Get Hacked

By Rich

Kelly at Dark Reading posted an interesting article today, based on a survey done by BT around hacking and penetration testing. I tend to take most of the stats in there with a bit of skepticism (as I do any time a vendor publishes numbers that favor their products), but I totally agree with the first number:

Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week.

The other 6% are either banking on luck or deluding themselves.

You see, there’s really no difference between cybercrime and normal crime anymore. If you’ve ever been involved with physical security in an organization, you know that everyone suffers some level of losses. The job of corporate security and risk management is to keep those losses to an acceptable level, not eliminate them.

It’s called shrinkage, and it’s totally normal.

I have no doubts I’ll get hacked at some point, just as I’ve suffered from various petty crime over the years. My job is to prepare, make it tough on the bad guys, and minimize the damage to the best of my ability when something finally happens. As Rothman says, “REACT FASTER”, and as I like to say, “REACT FASTER AND BETTER”.

Once you’ve accepted your death, it’s a lot easier to enjoy life.



Tuesday, May 05, 2009

There Are No Trusted Sites: Security Edition

By Rich

If you’ve been following this series, we’ve highlighted some of the breaches of trusted sites that were, or could have been, used to attack visitors. There’s nothing like hitting a major media or financial site and using it to hack anyone who wanders by that day.

This week we’re breaking it down security style, thanks to multiple vulnerabilities at McAfee. McAfee suffered multiple XSS and CSRF vulnerabilities in different areas, including a simple CSRF in their vulnerability scanning service (ironic, eh?). If you don’t know, Cross Site Request Forgery allows an attacker to “influence” your session if you are logged into a service. If you are logged into your bank in one window, they can use malicious code from the evil site under their control to transfer funds and such.

I know a lot of exceptional security types over at McAfee so I don’t want to slam them too hard. This shows that in any large organization, web application security is a tough issue. Hopefully they will respond publicly, openly, and aggressively, which is really the best approach when you’ve been exposed like this.

Just a friendly reminder that you can’t trust anyone or anything on the Internet. Except us, of course.


Monday, May 04, 2009

LogLogic acquires Exaprotect

By Adrian Lane

Another interesting news item during the RSA show that I am just getting time to comment on is LogLogic’s announcement they have acquired Exaprotect. When LogLogic announced a partnership with Exaprotect a few months back, my initial reaction was “Who”? Actually, I had heard of the company, but knew very little about the technology. I had not heard any of the companies I speak with on a regular basis mention them, so I had not been paying very close attention to this small firm. When I went to Exaprotect’s website to see what products they offered, I really was unable to tell. It looked like a carbon copy of the LogLogic product benefits summary! It is amazingly difficult to understand what differentiates one product from another on corporate web sites when they are all attempting to cover the current market drivers, and do so at the expense of explaining what they actually do. The company is not very well known by those of you who do not follow this space closely, but they do offer a security event management product, along with a couple of other interesting pieces in the areas of configuration management and policy management.

The reason this acquisition is important is two-fold. First, this is the removal of the last line of distinction between log management vendors and SEM vendors. ArcSight, LogLogic, eIQ Networks, Q1Labs, LogRhythm, NitroSecurity, and so on are all covering log management and security analysis. Granted, the degree to which each vendor provides the respective capability varies, and each has its own strengths. All in all, these systems collect disparate events, analyze the events in relation to some policy, and provide storage and reporting. The difference was the type of events collected, the speed with which the analysis was conducted, and the audience for the results. These distinctions were usually split down the middle, either near-real-time security response or a forensic analysis and event correlation. What we will see in the coming quarters is adjustment in vendor architectures for these offerings to be efficiently merged into seamless offerings, continuing to provide evolutionary updates to near-real-time and forensic offerings, and looking for ways to differentiate from their competitors.

The second reason is that it spotlights the technical and value path this market segment is (and needs to be) headed down. The tough question, now that the vendors collect just about every relevant piece of security & operational data available, is what do you do with that data? How do you differentiate yourself? How do you provide the customer more value? Sure we are going to see new features appended to the core offerings, a la database protection, but the more important feature/functions will have to do with configuration management, business process verification, and policy management/enforcement. Configuration management provides the vendors with a big missing piece of preventative control and baselining of systems that are critical for most compliance efforts. It’s not that difficult to implement, fits nicely within a log management architecture, and offers value to several buying centers. Policy management, provided the vendors actually can take a business policy and automatically map that to the underlying data streams available, will also provide a huge leap in value to customers and speak to non-technical audiences. The final piece of the puzzle is a flexible analytics engine, so policy verification can be performed in an appropriate time-frame in the specific customer environment, in order to verify business continuity and efficacy. I use the word ‘verification’ because enforcement is not really the customer requirement, and more importantly blocking is not typically the appropriate way to remediate problems – the solution is often more complex. All three of these offerings show SEM moving up the stack and making sense of business processing and compliance in the business context. I look at the LogLogic acquisition as a step necessary to compete, not just the in basic SEM infrastructure of near-real-time event processing, but in all three of the evolutionary ways security event management is heading. That’s not an endorsement of the Exaprotect technology – I have not gotten my hands on it and could not tell you how well it works – but it does encapsulate the segment trends.

I intend to delve into each of these trends in more depth.

–Adrian Lane

How Do You Deploy Your Patches?

By Rich

Last week I posted an outline for a patch management cycle to base Project Quant metrics on. Based on some feedback, I think we need to hear from those of you who actually do this for a living (you really don’t want to know the crappy process we used back in my sysadmin days).

If you have a moment, please pop over to the forums and let us know what you are using for your process. (If you want to leave anonymous feedback, instead of the forums you can leave it as a comment on the main post; this is a weird limitation of our platform).



Innovation, the RSA Conference, and Leap Years

By Rich

On Thursday at the RSA Conference, I had the opportunity to attend a lunch with the conference advisory board: Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories, and Asheem Chandna of Greylock Partners. It was an interesting event, and Alex Howard of TechTarget did a good job of covering the discussion in a recent article.

As with many things associated with the RSA Conference, it took me a bit of time to digest and distill all the various bits of information crammed into my sleep-deprived brain. I find that these big events are an excellent opportunity to smash my consciousness with far more data than it can possibly process, and eventually a few trends emerge. No, not this year’s “hot technology”, but macro themes that seem to interweave the disparate corners of our practice and industry. It might run contrary to many of the articles I read, or conversations I’ve had, but I think this year’s subtext was “innovation”. (And not because I presented on it with Hoff).


Every year when I run into people on the show floor, the first question they tend to ask is “see anything new and interesting?” Finding something new I care about is pretty rare these days for two reasons. First, if it’s in my coverage area I sure as heck had better know about it before RSA. Second, most of the advances we see these days are evolutionary, and earth-shattering new products are few and far between. That doesn’t mean I don’t think we’re innovating, but that innovation is more pervasive throughout the year and less tied to any single show floor. One really interesting bit that popped out (from Asheem) was that the Innovation Station had only 14 applicants last year, and over 50 this year. I think in these days of tight marketing budgets for startups, a floor booth is hard to justify, and perhaps some of the total crap was weeded out, but security startups are far from dead (just look at my Inbox).

But more interesting than innovation in startups is innovation from established players. For the first time in a very long time I’m seeing early tendrils of real innovation leaking from some of the big vendors again. We talked about it for a few minutes at the lunch, but it’s obvious that the security industry was able to coast for a few years on its core approaches. Customers were more focused on performance and throughput than new technologies, thus there was little motivation for big innovation. The limited market demand pushed innovation into the realm of startups, where new technologies could incubate until the big companies would snatch them up. Our financial friends at Marker Advisors even talked about this trend in a recent guest post, and how “traditional” buying cycles are now disrupted by technology turnover and changing client requirements. It all ties in perfectly to Hoff’s Hamster Sign Wave of Pain.

On the other side, we’re seeing some of the most dramatic attack innovation since the discovery of the buffer overflow. And for the first time, these attacks are causing consistent, real, measurable, and widespread losses. We’ve seen major financial institutions breached, the plans for the Joint Strike Fighter stolen (‘leaked’ doesn’t nearly convey the seriousness), and malware hitting the major news outlets (with often crappy reporting). There is evidence that all aspects of our information society are deeply penetrated and fallible. Not that the world is coming to an end, but we can’t pretend we don’t have problems.

This combination of buying cycles, threat innovation, growing general awareness, and product and practice innovation creates what may be the most interesting time in history to work in security. We’ve never before had such a high profile, faced such daunting challenges, and seen such open opportunities. Merely building on what we’ve done before doesn’t have a chance of restoring the risk balance, and there’s never been better motivation for big financials, the government, and big manufacturing (you know, the guys with all the money) to invest in new approaches. I’d call it a “Perfect Storm” if that phrase wasn’t banned by the Securosis Guide of Crappy Phrases, Marketing Hyperbole, and Silly, Meaningless Words (after “holistic” and before “synergy”).

Frankly, we don’t have any choice but to innovate. When market forces like this align the outcome is inevitable.

Tim Mather referred to the National Cyber Leap Year, a program by the government to engage industry and push for game-changing security advancements. Not that the Leap Year program itself will necessarily succeed, but there is clear recognition that innovation is essential to our survival. We can’t keep layering the same old crap onto hot newness and expect a good result.

Those of you who hate change are going to be seriously unhappy. Those who revel in challenges are in for a wild ride.

The good news is there’s no way we can lose – it isn’t like society will let itself break down completely and go all Road Warrior. Especially since Mel turned into an anti-semitic whack job.

(Image courtesy www.pdrater.com).