Incite 3/17/2010: Seeing the Enemy
By Mike Rothman
“WE HAVE MET THE ENEMY AND HE IS US.” POGO (1970)
I’ve worked for companies where we had to spend so much time fighting each other, the market got away. I’ve also worked at companies where internal debate and strife made the organization stronger and the product better. But there are no pure absolutes – as much as I try to be binary, most companies include both sides of the coin.
But when I read of the termination of Pennsylvania’s CISO because he dared to actually talk about a breach, it made me wonder – about everything. Dennis hit the nail on the head: this is bad for all of us. Can we be successful? We all suffer from a vacuum of information. That was the premise of Adam Shostack and Andrew Stewart’s book The New School of Information Security: that we need to share information, both good and bad, flattering and unflattering, to make us better at protecting stuff.
Data can help. Unfortunately most of the world thinks that security through obscurity is the way to go. As Adrian pointed out in Monday’s FireStarter, there isn’t much incentive to disclose anything unless an organization must – by law. The power of negative PR grossly outweighs the security benefit of information sharing. Which is a shame.
So what do you do? Give up? Well, actually maybe you do give up. Not on security in general, but on your organization. Every day you need to figure out if you can overcome the enemy within your four walls. If you can’t, then move on. I know, now is the wrong time to leave a job. I get that. But how long can you go in every day and get kicked in the teeth? Only you can decide that. But if your organization is a mess, don’t wait for it to get better.
If you do decide to stay, you need to discover the power of the peer group. Your organization will not sanction it, and don’t blame me, but find a local or industry group of peeps where you can share your dirt. You take a blood oath (just like in grade school) that what is spoken about in the group stays within the group and you spill the beans. You learn from what your peers have done, and they learn from you.
At this point we must acknowledge that widespread information sharing is not going to happen. Which sucks, but it is what it is. So we need to get creative and figure out an alternative means to get the job done. Find your peeps and learn from them.
Photo credit: “Pogo – Walt Kelly (1951) – front cover” originally uploaded by apophysis_rocks
Incite 4 U
Time to study marketing too… – RSnake is starting to mingle with some shady characters. Well, maybe not shady, but certainly on the wrong side of the rule of law. One of his conclusions is that it’s getting harder for the bad guys to do their work, at least the work of compromising meaty valuable targets. That’s a good thing. But the black hats are innovative and playing for real money, so they will figure something out and their models will evolve to continue generating profits. It’s the way of the capitalist. This idea of assigning a much higher value to a zombie within the network of a target makes perfect sense. It’s no different than how marketing firms charge a lot more for leads directly within the target market. So it’s probably not a bad idea for us security folks to study a bit of marketing, which will tell us how the bad guys will evolve their tactics. – MR
Lies, Damn Lies, and Exploits – We’ve all been hearing a ton about that new “Aurora” exploit (mostly because of all the idiots who think it’s the same thing as APT), but NSS Labs took a pretty darn interesting approach to all the hype. Assuming that every anti-malware vendor on the market would block the known Aurora exploit, they went ahead and tested the major consumer AV products against fully functional variants. NSS varied both the exploit and the payload to see which tools would still block the attack. The results are uglier than a hairless cat with a furball problem. Only one vendor (McAfee) protected against all the variants, and some (read the report yourself) couldn’t handle even the most minor changes. NSS is working on a test of the enterprise versions, but I love when someone ignites the snake oil. – RM
I hate C-I-A – Confidentiality, Integrity, and Availability is what it stands for. I was reminded of this reading this CIA Triad Post earlier today. Every person studying for their CISSP is taught that this is how they need to think about security. I always felt this was BS, along with a lot of other stuff they teach in CISSP classes, but that’s another topic. CIA just fails to capture the essence of security. Yeah, I have to admit that CIA represents three handy buckets that can compartmentalize security events, but they so missed the point about how one should approach security that I have become repulsed by the concept. Seriously, we need something better. Something like MSB. Misuse-Spoof-Break. Do something totally unintended, do something normal pretending to be someone else, or change something. Isn’t that a better way to think about security threats? It’s the “What can we screw with next?” triad. And push “denial of service” to the back of your mind. Script kiddies used to think it was fun, and some governments still do, but when it comes to hacking, it’s nothing more than a socially awkward cousin of the other three. – AL
Signatures in burglar alarm clothing – Pauldotcom, writing with his Tenable hat on, explains a method he calls “burglar alarms” as a way to deflate some APT hype. The method ostensibly provides a heads-up on attacks we haven’t seen before, and he uses it as yet another example of how to detect an APT. I know I’m not the sharpest tool in the shed, but I don’t see how identifying a set of events that should not happen, and looking for signs of their occurrence, is any different from the traditional blacklist model used by our favorite security punching bags, IDS and AV. The list of things that should not happen is infinite. Literally. Yes, you use common sense and model the most likely things that shouldn’t happen, but in the end the list is too long and unwieldy, especially given today’s complex technology stack. Even better is his close: “The way to catch the APTs is to meet them with unexpected defenses that they’ve never heard of before.” I’m just wondering if I can buy the unexpected defense plug-in for Nessus on Tenable’s website. – MR
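To make the comparison concrete, here is a minimal “burglar alarm” detector written for this page. It is an added example, not code from the Incite, from Pauldotcom or from Tenable. The environment facts (jump host address, database server names, a decoy account) and the key=value log lines are all constructed for the example; each alarm is one statement of the form “this must never happen”, which is exactly the shape of an IDS or AV signature. The last sample line is a plausible attack that none of the alarms were written for, so it passes silently.

```python
"""
Added example (not from the original post, not Tenable's or Pauldotcom's code):
a minimal "burglar alarm" detector. Each alarm is a rule describing an event
that should never occur in this hypothetical environment. The log lines in
SAMPLE_LOG are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass(frozen=True)
class Alarm:
    name: str
    matches: Callable[[Event], bool]


# Hypothetical environment facts the alarms encode. Every alarm is a negative
# statement ("this must not happen"); anything not listed here is allowed.
JUMP_HOSTS = {"10.0.9.5"}
DB_SERVERS = {"db01", "db02"}
HONEY_ACCOUNTS = {"svc_backup_old"}   # decoy account nobody should ever use

ALARMS: List[Alarm] = [
    Alarm("admin login not from jump host",
          lambda e: e["type"] == "login" and e["user"] == "root"
          and e["src"] not in JUMP_HOSTS),
    Alarm("database server initiating outbound connection",
          lambda e: e["type"] == "netflow" and e["host"] in DB_SERVERS
          and e["direction"] == "out" and not e["dst"].startswith("10.")),
    Alarm("honey account used",
          lambda e: e["type"] == "login" and e["user"] in HONEY_ACCOUNTS),
    Alarm("process executed from /tmp",
          lambda e: e["type"] == "exec" and e["path"].startswith("/tmp/")),
]


def parse(line: str) -> Event:
    """Parse a 'key=value key=value ...' line (constructed log format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def run_alarms(lines: List[str]) -> List[str]:
    """Return '<alarm name>: <line>' for every line that trips an alarm."""
    hits = []
    for line in lines:
        event = parse(line)
        for alarm in ALARMS:
            try:
                tripped = alarm.matches(event)
            except KeyError:
                tripped = False   # rule needs a field this event lacks
            if tripped:
                hits.append(f"{alarm.name}: {line}")
    return hits


# Constructed sample log. One expected event, four that trip an alarm, and one
# (a web server beaconing out to the Internet) that no alarm was written for.
SAMPLE_LOG = [
    "type=login user=root src=10.0.9.5 host=web01",
    "type=login user=root src=192.168.77.4 host=web01",
    "type=netflow host=db01 direction=out dst=203.0.113.9 port=443",
    "type=login user=svc_backup_old src=10.0.9.5 host=db02",
    "type=exec host=web01 path=/tmp/.x/update user=www-data",
    "type=netflow host=web01 direction=out dst=203.0.113.9 port=443",
]

if __name__ == "__main__":
    for hit in run_alarms(SAMPLE_LOG):
        print(hit)
```

Run it and four alarms fire, one per modelled condition; the sixth line, the web server calling out to 203.0.113.9, produces nothing because nobody enumerated “web servers must not beacon out” in advance. Adding that rule is easy; the open question the column raises is how many such rules you have to write before the list stops being a list.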
To tell the web filtering truth – You’ve got to applaud Bruce Green, COO for M86, for coming out and telling the truth: Internet filtering won’t prevent people deliberately looking for inappropriate material from accessing blocked content. Several British ISPs are deploying content filtering on a massive scale to block ‘inappropriate material’ – obviously a euphemism for pr0n. M86, for those not aware, is the content security trifecta of 8e6, Marshal and Finjan, with a sprinkle of Avinti on top. They have a long track record of web content filtering in the education space. The Internet filtering trial was based upon M86’s technology and, like all filtering technologies, works exceptionally well in controlled environments when you do not take steps to avoid or conceal activity from the filters. But to Mr. Green’s point, those who are serious about their Internet ‘inappropriate material’ have dozens of ways to get around this type of filtering. What seems misleading about the study is the claim that they were “100% effective” in their ability to identify ‘inappropriate material’. But catching what you were expecting is unimpressive. As I understand the trial, they were not blocking, only identifying signatures. This means no one has had any reason to defeat the filters, because there was no need. At least M86 has no illusions about 100% success when they roll this out, and if nothing else they are going to get fantastic data on how to avoid Internet filtering. – AL
Leverage makes the rational security budget … more rational – Combine security skills, secure coding evangelism, a general disdain of most puffery, and a large dose of value economics, and you basically get Gunnar in a nutshell. He really nails it with this post about putting together a rational security budget. I suggest a similar model in the Pragmatic CSO, but the one thing Gunnar doesn’t factor in here (maybe because it’s a post and not a book) is the concept of leverage. I love the idea of thinking about security spend relative to IT spend, but the reality is a lot of the controls you’d need for each project can be used by the others. Thus leverage – pay once, and use across many. Remember, we have to work smarter since we aren’t getting more people or funding any time soon. So make sure leverage is your friend. – MR
Vapor Audits – I’ve been spending a lot more time lately focusing on cloud computing; partially because I think it’s so transformative that we are fools if we think it’s nothing new, and partially because it is a major driver for information-centric security. Even though we are still on the earliest fringes, cloud computing changes important security paradigms and methods of practice. Running a server in Amazon EC2? Want to hit it with a vulnerability scan? Oops – that’s against the terms of service. Okay, how about auditing which administrators touched your virtual server instance? Umm… not a supported feature. Audit, assessment, and assurance are major inhibitors to secure cloud computing adoption, which is why we all need to pay attention to the CloudAudit/A6 (Automated Audit, Assertion, Assessment, and Assurance API) group founded by Chris Hoff. If you care about cloud computing, you need to monitor or participate in this work. – RM
Learning HaXor skillz – Most of us are not l33t haXors, we are just trying to get through the day. The good news is there are lots of folks who have kung fu, and are willing to teach you what they know. The latest I stumbled upon is Mubix. He’s got a new site called Practical Exploitation, where the plan is to post some videos and other materials to teach the trade. Thus far there are two videos posted, one on leveraging msfconsole and the other on comparing a few tools for DNS enumeration. Good stuff here and bravo to Mubix. We need more resources like this. Hmmm, this could be a job for SecurosisTV… – MR