Incite 10/31/2012: The Eye of the Goblin
By Mike Rothman
My kids love Halloween. They obsess about their costumes for weeks ahead of the big day. They go back and forth with their friends to coordinate their looks. Sometimes it works (XX2 will be a candy corn with all her friends), sometimes it doesn’t (XX1 couldn’t gain consensus amongst her friends). They love to collect all sorts of candy they won’t eat and await the sugar rush when we let them partake in a few after trick or treating. They like to swing by the awesome haunted house in the neighborhood. It’s a day when they can forget about their issues, challenges, homework, and hormone drama, and just be kids.
Of course, a quarter of the country won’t have that option this year. Hurricane Sandy wreaked havoc on the Northeast Monday night and into Tuesday. It wasn’t pretty. The wrath of Mother Nature can be very destructive. Transformers exploding, hospitals being evacuated, flooding subways, trees down everywhere, and millions without power. They have bigger issues to worry about than whether the pumpkin outfit makes them look fat.
One of the things I did notice about the real-time Twitter-driven news cycle is the amount of faulty stuff out there. A hospital was on fire, except it wasn’t. The NYSE was flooded, but it wasn’t. Workers were trapped in a Con Ed facility that exploded, except they weren’t. We have known for a while that fact checking has gone the way of the Dodo, but this was ridiculous. Just more stark evidence that you can’t believe everything you read.
It also pays to think about your disaster plan every once in a while. I know Rich has a bag ready to go in case aliens attack, which shows his early responder training and mentality. I thought my Dad’s wife was crazy when she installed a natural gas-powered generator at their house in NY to remove dependence on the power grid. She looks pretty smart today, as their entire town in Rockland County is dark. Except their house – and others with generators. Estimates are that it will take a week to restore power. Not fun.
We all owe a debt of gratitude to the folks who will spend the next month cleaning up debris, opening up roads, restoring power, and getting things back to normal. And the construction business will likely see an uptick rebuilding a whole mess of the Jersey shore and Long Island. I know that’s trying to make lemonade out of a very sour lemon (especially to those whose houses floated away). But the area will recover. It always does.
Thankfully we escaped the storm in ATL. The biggest issue we have to deal with is that it’ll be a little cold tonight as we trick-or-treat, but it will be dry. I am hoping that all of you affected by the storm recover quickly and get power back in the near term. You wouldn’t want to miss out on the final week of Presidential Election politics, would you?
Photo credits: Green Goblin originally uploaded by Javi M
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Building an Early Warning System
Implementing and Managing Patch and Configuration Management
Understanding and Selecting a Key Manager
Understanding and Selecting Identity Management for Cloud Services
Newly Published Papers
Incite 4 U
Guidance on how to SecaaS: Sometimes I scratch my head wondering how acronyms happen, but since the Cloud Security Alliance has dubbed Security as a Service with the catchy term SecaaS (possibly pronounced “suck-aas”) I’ll go with it. It will give me a joke to use in speaking gigs for years. But Security as a Service actually is happening, and you probably should get a feel for what to look for. Kidding aside, the CSA just published a mess of implementation guides and the like to help you understand what you’re buying, what to expect from your provider, and how your operational environment needs to evolve to handle some SecaaS. I only had time to go through one of the documents (Security Assessment) and it’s pretty comprehensive and useful. I can’t speak to the rest of the documents yet, but this is good stuff. – MR
Re-architect what exactly? Killing the Computer to Save It is a short – and interesting – bio of Peter G. Neumann, but the article focuses on his desire to rearchitect the Internet to make it secure. And this is the same line of reasoning I see from a lot of early Internet pioneers who lament the exclusion of security from the beautifully simplistic design of the Internet. But I still maintain that “We have not fundamentally redesigned our networks for 45 years, …” is not a problem. We cannot trust networks in a system which is open to every adversary who chooses to participate, so I see no point redesigning the Internet in a pointless attempt to rectify that problem somehow. But if we learn one lesson from the Big Data security survey we did last month, it is that security cannot be bolt-on – it needs to be systemic. That’s not what we call “App Sec” today – system and application architectures that self validate – and hopefully that is the “Lessons From Biology” hinted at in the article. – AL
Numb: I don’t normally highlight our own stuff in the Incite, as there is usually too much external stuff to poke fun at. But I don’t want to let a very important post fly by without some additional commentary. Rich recently wrote on Dark Reading about How the World Ended and No One Noticed. It’s true – the world has become numb to security attacks. So your FUD will no longer move the needle to get funding or create urgency within your organization. It’s debatable whether that ever worked, but now it’s clearly over. Until losses reach an unacceptable level, nothing happens. So what can you do? The best you can, with the resources you have. Yes, it’s that simple. If you survive a breach, then you’ll get more money to spend. Until then keep fighting the good fight, prioritizing your efforts, and monitoring the crap out of everything to catch the attack as quickly as possible. Just another day in paradise for a security pro. – MR
No data for you: We used to call 2008 “the year of the data breach”, but 2012 is going to blow it away in terms of total records stolen, and likely number of incidents as well. But what will be the same as always is that state, local, and federal institutions will be responsible for the bulk of incidents. And every year we hear about how a specific breach like the one at the South Carolina Department of Revenue is unprecedented, and a few months later we learn that a default password, or SQL injection, or unencrypted data was the cause. The number of incidents is not going down. Is it time for states, universities, and federal organizations to simply not be allowed to have personal data? Maybe a policy of “if we are hacked, you get a 100% tax refund”, or “get hacked, lose database privileges for a year” or even “free college tuition with every leak”? If you don’t pay your taxes, you get fined or go to jail. But if they lose your data there is no financial penalty, so no incentive for them to get a clue. We like to complain about “foreign actors” and Russian hackers, but after a decade of breaches that is tired. – AL
Opening the door for your checkbox: Branden Williams points out an issue with the current PCI mandate for scanning in-scope systems. Basically external scanning companies (ASVs) need to break through the perimeter to be able to scan the devices that matter. Right, but that creates holes any attacker can take advantage of – it’s not like the bad guys cannot discover IPs of scanning SecaaS players. Then the magic of IP spoofing enables them to evade perimeter defenses. Branden suggests that those required to have ‘internal’ scans should be allowed to keep their perimeter defenses in place, and that’s a start. But I’d take it one step further. Every company should have to provide the ASV with an internal presence to load an agent (like on a VM inside the network), which can do the scan and then communicate with the external world. Scanning vendors have been doing internal scans forever – this isn’t novel. And opening up your perimeter to attack traffic is just a bad idea all around. – MR
We still need the human factor: It’s hard to detect today’s attacks. Duh. That’s basically the conclusion of this vendor-heavy and content-light article on Dark Reading about Monitoring to Detect Persistent Enemies. Blah blah blah. The points are obvious, but a money quote bears highlighting: “Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.” Clearly that is the missing piece, so for anyone worried about some data source or correlation machine taking your job, forget about it. Though leveraging this threat intel is critical to developing an Early Warning System to help you prioritize your efforts. And yes, I do happen to be writing a blog series on exactly that topic. Glad you asked. – MR