Securosis

Research

Safari enables per-site Java blocking

I missed this during all my travels, but the team at Intego posted a great overview: Meanwhile, Apple also released Safari 6.0.4 for Mountain Lion and Lion, as well as Safari 5.1.9 for Snow Leopard. The new versions of Safari give users more granular control over which sites may run Java applets. If Java is enabled, the next time a site containing a Java applet is visited, the user will be asked whether or not to allow the applet to load, with buttons labeled Block and Allow: Your options are always allow, always block, or prompt. I still highly recommend disabling Java entirely in all browsers, but some of you will need it and this is a good option without having to muck with plugins. Share:

Share:
Read Post

No news is just plain good: Friday Summary, April 18, 2013

I know the exact moment I stopped watching local news. It was somewhere around 10-15 years ago. A toddler had died after being left locked in a car on a hot day. I wasn’t actually watching the news, but one of the screamers for the upcoming broadcast came on during a commercial break for whatever I was watching. A serious looking female reporter, in news voice, mentioned the death and how hot cars could get in the Colorado sun. Then she threw a big outdoor thermometer in a car, slammed the door, and reminded me to watch the news at 10 to see the results. I threw up a little bit, I think. I don’t remember the exact moment I gave up on cable news, but it was sometime within the past year or two. I have a TV in my office I use for background noise; one of those little things you do when you have been working at home for a decade or so. I used to keep it on MSNBC but the bias finally went too over the top for me. Fox is out of the question, and I was trying out CNN. That lasted for less than an hour before I realized that Fox is for the right, MSNBC for the left, and CNN for the stupid. It was nothing other than sensational exploitative drivel. As an emergency responder I know what we see at night rarely correlates to actual events. I have been on everything from national incidents to smaller events that still attracted the local press. Even responders and commanders don’t always have the full picture – never mind a reporter hovering at the fringe. Once I was on the body recovery of a 14-year-old who died after falling off a cliff while taking a picture. I showed up on the third day of the search, right around when one of our senior members finally located him due to the green gloss of a disposable camera. He used a secondary radio channel to report his location and finding because we know the press scans all the emergency frequencies. I was quietly sent up and we didn’t stop the rest of the search, to provide a little decorum. Around the time the very small group of us arrived at the scene, the press finally figured it out. The next thing I knew there was a helicopter headed our way to get video. Of a dead kid. Who had been in the Colorado sun, outdoors, for 3 days. I used my metallic emergency blanket to cover him him and protect his family. Years later I was on another call to recover the body of a suicide in one of the most popular mountain parks in Boulder. Gunshot to the head. When we got to the scene one of the police investigators mentioned we that needed to watch what we said because the local station had a new boom mike designed to pick up our conversations at a distance. I never saw it, so maybe it wasn’t true. I don’t watch local news. I don’t watch cable news. Even this week I avoid it. They both survive only on exploitation and emotional manipulation. I do occasionally watch the old-school national news shows, where they still behave like journalists. I read. A lot. Sources with as little bias as I can find. According to the Guardian, research shows the news is bad for you. Right now I find it hard to disagree. On to the Summary: Favorite Securosis Posts Adrian Lane: Run faster or you’ll catch privacy. Managing privacy in large firms is its own private hell. Hello, EU privacy laws! Mike Rothman: Sorry for Security Rocking. LMFAO applied to security FTW. And evidently I slighted our contributor Gal, who believes he’s up to provide the definitive Security LMFAO version. Name that tune, brother! Rich: The CISO’s Guide to Advanced Attacks. I am jealous I’m not writing this one. David Mortman: Run faster or you’ll catch privacy Other Securosis Posts Intel Buys Mashery, or Why You Need to Pay Attention to API Security. On password hashing and how to reply to security flaws. Safari enables per-site Java blocking. Incite 4/17/2013: Tipping the balance between good and evil. Why you still need security groups with host firewalls. Is it murder if the victim is already dead?. Unused security intelligence is, well… dumb. Favorite Outside Posts Adrian Lane: Agilebits 1Password support and Design Flaw?. Good discussion of the flaw and a good response from AgileBits. Now… patch, please! Mike Rothman: Patton Oswalt on the Boston Marathon Attack. I linked to this in the Incite but it’s worth mentioning again. Great context about taking a long-term view, even when the wounds are fresh. David Mortman: NIST: It’s Time To Abandon Control Frameworks As We Know Them. Rich: EmergentChaos on the 1Password design flaw issue. Don’t just read the post – read the first comment. The guys at AgileBits show yet again why I trust them. Research Papers Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Top News and Posts ColdFusion hack used to steal hosting provider’s customer data. Wait, people still use Cold Fusion? (Rich – I used to totally rock CF, back in the day!) Oracle Patches 42 Java Flaws. House approves cybersecurity overhaul in bipartisan vote. Cloudscaling licenses Juniper virty networking for new OpenStack distro. Microsoft deploys 2-factor to all services. Obama threatens to veto CISPA. Get your popcorn. Update: DARPA Cyber Chief Peiter “Mudge” Zatko Heads To Google. Google does so many great security things, but their views on privacy kill their usefulness to me. Blog Comment of the Week This week’s best comment goes to fatbloke, in response

Share:
Read Post

Incite 4/17/2013: Tipping the balance between good and evil

There are things you just can’t explain. No amount of dogma, perceived slights, or anything can excuse a senseless act of violence on unsuspecting, innocent people. Yes, I’m talking about the Boston Marathon attack, but it applies extends to any act of terrorism. I believe in karma, and the perpetrators will get their just rewards. Maybe out of the view of the public eye, but they will. Though I’m not really a fan, Schneier has it right in his post, “Keep Calm and Carry On”. We cannot live in fear. That’s what the terrorists want. We can’t legitimize their cause and we can’t impinge on our personal freedoms. Because then they win. Truth be told, we in the US are spoiled. There are many parts of the world where a bombing like yesterday wouldn’t even make the news. Where terror is an everyday occurrence. I feel very fortunate that isn’t my life and it’s not the life of my kids. We won the birthplace lottery and we must not forget that. But we do have to deliver some kind of message to the younger generation. Try to explain the unexplainable. In today’s iPhone (and iPod touch) driven society, the kids are tuned in whether we like it or not. XX1’s Instagram blew up with pictures and prayers, and she started asking questions right when she got home from school. XX2 and the Boy learned of it soon after because news travels like wildfire in my house. All we could do is explain that some people are misguided souls and they harm each other for no apparent reason. We are security folks. We understand how this works. That you can be aware of what’s around you and not put yourself unnecessarily at risk, but you cannot eliminate this kind of attack. Schneier mentions (correctly) your extreme unlikelihood of being personally impacted by this kind of attack. That’s little consolation to my friend who was at the finish line yesterday, who still has a ringing in his ears and concussive effects from the explosion. And it’s clearly no consolation to the families the people hurt in the attack, picking up the pieces of their lives today. But ultimately the balance is tipped heavily towards the good. Just think of the emergency responders running into the blast area. The folks carrying the wounded out of harm’s way. People opening their homes to displaced strangers. Good people doing good deeds when called upon. The best viewpoint I saw yesterday came from comedian Patton Oswalt on Facebook. He makes exactly the right point at exactly the right time: But the vast majority stands against that darkness and, like white blood cells attacking a virus, they dilute and weaken and eventually wash away the evil doers and, more importantly, the damage they wreak. This is beyond religion or creed or nation. We would not be here if humanity were inherently evil. We’d have eaten ourselves alive long ago. So when you spot violence, or bigotry, or intolerance or fear or just garden-variety misogyny, hatred or ignorance, just look it in the eye and think, “The good outnumber you, and we always will.” Well said, Mr. Oswalt. Well said. –Mike Photo credits: good and evil originally uploaded by Scotto Bear Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The CISO’s Guide to Advanced Attackers Sizing up the Adversary Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Incite 4 U Can we sacrifice PCI yet? Dave Elfering makes a number of good points in Worshipping at the Alter of Best Practices. It is basically stuff you know, but we see folks fall into the same trap over and over again. Not you but other folks, of course. Looking for the prescriptive guidance rather than doing the work. “Unfortunately we in security and IT often succumb to the microwave dinner approach to solving business issues.” Should we call this the Hungry Man approach to security? But Dave is exactly right – mandates start in the right place, but ultimately “often cross over into zealotry complete with dueling and echelons of priestly orders.” How many of you will be at the Temple of Bob Russo on Sunday? Yeah, that’s a scary thought… – MR Cloud FUD-tastic: Things must be getting ugly in the competitive battle between cloud vendors if Verizon is pulling out the FUD card by claiming that you’re ‘endangering’ your business by selecting Amazon as a cloud service provider. Many data centers did get flooded by hurricane Sandy, so Verizon’s dodging of that bullet makes them look smart by comparison, but that is a long way from claiming Amazon AWS endangers your business. Any cloud provider basing their competitive claims on 100% uptime is likely to be embarrassed in the future – it is unreasonable to expect a cloud service to be 100% reliable. And if Amazon AWS is having more security issues that competitors, I am willing to bet tha it’s because they have a lot more customers, with a far larger number who don’t take security seriously. If other cloud infrastructure providers want to cast stones, look at issues of lock-in and why more customers don’t have failover contingencies to multiple regions. Those are more compelling concerns. – AL Awareness and security training – not mutually exclusive: This is wading into the discussion a couple weeks late, but two of the biggest windbags in security, Bob Schneier and Ira Winkler, got into it over security training. Stephen Cobb provided a good summary and better perspective on the issues. Suffice it to say we need more and better of both security awareness

Share:
Read Post

The CISO’s Guide to Advanced Attackers: Sizing up the Adversary [New Series]

Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view. That said, most security vendors are predictable animals and they adhere to the classic maxim “If all you have is a hammer, everything looks like an APT.” So it makes no difference what the security product or service does – they are all positioned as the answer to APT. Of course this isn’t useful to security professionals who actually need to protect important things. And it’s definitely not helpful to Chief Information Security Officers (CISOs) who have to communicate their organization’s security program and set realistic objectives, and manage expectations accordingly. So, as usual, your friends at Securosis will help you focus on what’s important and enable you to wade through the hyperbole to understand what’s hype and what’s real, in our new series: The CISO’s Guide to Advanced Attackers. This series will provide a high-level view of these “advanced attacks”, designed to help a CISO-level audience understand what they need to know, and map out a clear 4-step process for dealing with advanced attackers and their techniques. Before we get started I want to thank Dell SecureWorks for agreeing to potentially license the content at the end of the project. As with all our research, we will produce The CISO’s Guide to Advanced Attackers independently and objectively, and tell you what you need to know. Not what any vendor wants you to hear. Defining Advanced Attacks First let’s dismiss the common belief that advanced attackers always use “advanced attacks”. That’s just not the case. Of course there are innovative attacks like Stuxnet, stealing the RSA token seeds to attack US Defense sector organizations, and compromising Windows Update using stolen Certificate Authority signing keys. But those attacks are exceptions, not the rule. These attackers are very business-like in their operations. They don’t waste a fancy advanced attack unless they need to. They would just as soon get an unsuspecting office worker to click a phishing email and subsequently use a known Adobe Reader exploit to provide the attacker with a presence in your environment. There is no award for unique attacks. This understanding necessarily changes the way you think about adversaries. The attacks you see will vary greatly depending on the attacker’s mission and their assessment of the most likely means to compromise your environment. A better way to get your arms around potential advanced attacks is to first understand the potential targets and missions. Then profile specific attackers, based on their likelihood of be interested in the target. This can give you a feel for the tactics you are likely to face, and enables you evaluate controls that may be able to deter them – or at least slow them down. The security industry would have you believe that implementing a magic malware detection box on your perimeter or locking down your endpoints will block advanced attackers. Of course you cannot afford to believe everything you hear at a security conference, so let’s break down exactly how to determine what kind of threat you are facing. Evaluate the Mission Having the senior security role in an organization (yes, Mr./Ms. CISO, we’re talking to you) means accepting that the job is less about doing stuff and more about defining the security program and evangelizing the need for security with senior management and peers. A key first part of this process is to learn what’s important in your environment, which would be an interesting target for an advanced attacker. Since you have neither unlimited resources nor the capabilities to protect against every attack, you need to prioritize your defenses. Prioritize by focusing on protecting your valuables. The first order of business in dealing with advanced attackers is to understand what they are likely to look for. That is most likely to your: Intellectual property Customer data (protected) Business operations (proposals, logistics, etc.) Everything else It is unlikely that you can really understand what’s important to your organization by sitting in your office. So a big part of this learning requires talking to senior management and your peers to get a feel for what’s important to them. After a few of these conversations it should be pretty clear what’s really important (meaning people will get fired if it’s compromised) and what’s less important. Once you understand what the likely targets of an advanced attacker (the important stuff), you can take a reasonably educated guess at the adversaries you’ll face. Profile the Adversary We know it seems a bit simplistic to make generic assumptions about the kinds of attackers you will face, depending on what you are trying to protect. And it is simplistic, but you need to start somewhere. So let’s quickly describe a very high-level view of the adversaries you could face. Keep in mind that many security researchers (and research organizations) have assembled dossiers on potential attackers, which we will discuss with threat intelligence in the next post. Unsophisticated: These folks tend to smash and grab attacks, where they use a publicly available exploit (perhaps leveraging tools like Metasploit) or some kind of packaged attack kit. They are opportunistic and will take what they can get. Organized Crime: A clear step up the food chain is organized crime attackers. They invest in security research, test their exploits, and have a plan to exfiltrate and monetize what they find. They are still opportunistic, but can be quite sophisticated in attacking payment processors and large-scale retailers. They tend to be most interested financial data, but have also been known to steal intellectual property if they can sell it and/or use brute force approaches like DDoS threats to extort victims. Competitor: At times competitors use unsavory means to gain advantages in product development, or when seeking information on competitive bids. These folks

Share:
Read Post

Why you still need security groups with host firewalls

Security groups are the basic firewall rules associated with instances in various compute clouds. Different platforms may use different names but security group is the most common so that’s the term we will use. Basically, it is a way of defining hypervisor firewall rules. Of course this is a gross simplification – different cloud platforms enforce groups at other layers of the virtual or physical network, but you get the point. You assign instances to a security group and they inherit that rule set, which applies at a per instance level. This is key because you need to do some deeper thinking about what access rules should apply to an individual instance, which is distinctly not like a network segment with a firewall in front of it. For example you can set security group rules that restrict traffic between all instances assigned to the same security group. Thus it has traits of both a host firewall and network firewall, which is kinda cool. I was teaching our cloud security class last week and one student asked why we don’t just use IP tables or another host firewall. The answer is pretty basic. Security groups allow you to decouple network security from the operating system on the instance. This provides a few advantages: Security for specific instances can be managed without needing to instantiate or access them. Network security rules can be managed via the cloud API and management plane, supporting better automation. Security groups apply no matter the boot or security state of an instance, so if your instance is compromised you can isolate it easily with a quick security group rule change. This does not mean you don’t still need host firewalls. They still play a valuable role when you need extra granularity, such as protecting instances when they move between different security groups. Another use for a host firewall is to provide the administrator with control over the specific instance’s security without requiring cloud management layer changes. Security group capabilities vary widely between platforms but the basic principles are pretty consistent. They also don’t necessarily substitute (yet) for more advanced firewall/IPS setups, which is when virtual appliances or some of the fancy integrated technologies (such as what VMWare is doing with vShield) come into play to inspect inter-VM traffic. The more I use them the more I am becoming a big fan of security groups, even with their limitations. They are pretty dumb, without even basic stateful packet inspection capabilities. Long term, any network security tools that want to play well with the cloud will need to adopt the same degree of integration with security groups implemented via the cloud platform, as well as access to those controls via robust cloud APIs. Share:

Share:
Read Post

Sorry for Security Rocking

How cool would it be if LMFAO (or a reasonable proximity – Beaker, anyone?) did a security version of “Sorry for Party Rocking,” because evidently the security job market is rocking. But it offers a great perspective on the mind of the security professional. Check out the following quotes to get a feel for how things seem, which I can anecdotally validate based on the number of calls I get from CISO types looking to grow and retain their teams. “What’s the unemployment rate for a good cybersecurity person? Zero,” Weatherford said, adding that government agencies and the private sector were stealing the best people from each other. “We are all familiar with the fratricide going on.” Salaries split in 2013, with the median staff salary declining $2,000 to $95,000 this year. Management salaries continued to rise, topping $120,000 in 2013, up $5,000 from the previous year. The trend in total compensation reflects the same split as salaries: Total compensation for staff declined in 2013 to a median of $98,000, down $5,000, while management saw a $2,000 increase, to $129,000. So salaries for staff are down marginally, but still considerably higher than general IT jobs. That’s good, right? Security folks should feel good about their job security and their place in the organization, right? Doesn’t scarcity mean companies need to be taking better care of their security folks? That would be a reasonable conclusion, no? In 2013, security practitioners showed a slight drop in how secure they feel in their jobs. While other IT disciplines continue to feel as secure in their positions as in 2012, IT security staff saw a seven-point drop, to 43%, in the number that feel very secure. It’s totally counterintuitive, or is it? The reality is that when something bad happens, and in security something bad always happens sooner or later, someone is going to take the fall. So I can kind of understand how in the Bizarro World of security, scarcity and higher salaries make folks less secure in their jobs. But here’s the real point: even if your organization throws you under the bus, there are a hundred companies waiting in line for you to chase their windmills and eventually end up under their buses. So rejoice, security professionals! You may not keep a business card for long, but you shouldn’t have to spend much time in the unemployment line. Photo credit: “Help Wanted” originally uploaded by James Share:

Share:
Read Post

Is it murder if the victim is already dead?

Sometimes seeing what you have known for years in print is helpful, even comforting. So Gartner’s Paul Proctor writing about killing compliance in cold blood is good. Paul has a bigger megaphone than the rest of us, so maybe folks will start getting on board with doing security (or risk, depending on your vernacular) and stop worrying so much about the checklists. Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach. Recently the security hyperbole trifecta (APT/advanced malware, BYOD, and Big Data) has been sucking up all the oxygen in security marketing, so compliance is suffocating. Compliance as the primary driver of security/risk is already effectively dead, but many people haven’t noticed yet. More to the point, certain classes of organizations are not sophisticated enough to realize what has happened. That gets down to Paul’s use of the ‘M’ word: maturity. The problem is that the great unwashed are still in security/risk diapers, so they can’t see compliance as only one risk domain among many. Their list of audit deficiencies makes it the only domain they are aware of. But that’s okay – every organization needs to start somewhere, and checklists can be helpful for spurring action and establishing a very very low bar of protection. Then as organizations climb the curve of security and risk maturity, they can and should “stop being a rule following and become a risk leader” as Paul suggests. That’s the goal. Followers are buried in regulatory distraction that impedes their ability to innovate, perform, optimize and adapt their programs. Followers are busy covering their butts. Leaders are able to map risk and security dependencies into desired business outcomes and report these risks into the appropriate decision makers. For example, a modern risk and security program can support mergers and acquisitions through proactive due diligence that guides actual integration decisions by non-IT decision makers. That’s influencing the business! Actually, we’re all busy covering our butts – including leaders. The difference is that leaders proactively identify what will kill them, and tells non-IT decision-makers where they will be hit. And that may be enough to save them when the brown stuff hits the fan. Whereas followers never see it coming because it wasn’t on a checklist… Photo credit: “Murder” originally uploaded by AJ Cann Share:

Share:
Read Post

Unused security intelligence is, well… dumb

The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were attacked. But I also know that our papers run 15-20 pages and usually fall into the category of tl;dr. So let me point to a few posts Scott Crawford put out there. The first talks about integration and its importance for dealing with the kinds of attacks you face. The other post I want to highlight is next in that series, bringing up the sticky issue of actually integrating threat intelligence into your control sets. It is simply this: in order for intelligence to factor into effective response, proactive defense or environment hardening, security intelligence systems must be able to send data out as well as take it in. Intelligence has historically been positioned as a differentiator for a product and/or service, not as a stand-alone offering with its own value. That’s changing, but not quickly enough. Scott’s points are exactly right – whether you are talking about security intelligence (the new term for SIEM) or threat intelligence, the data needs to be available in a number of formats for import/export to make sure you can actually use it. Scott doesn’t sugarcoat the ongoing concerns of operations folks or their unwillingness to allow any kind of automation to reconfigure controls and defenses. And clearly a filter needs to be applied. The stuff you know is bad should be blocked. If you aren’t sure, your layers need to come into play. Sure, there are lots of reasons beyond the limitations of monitoring technology why we wouldn’t want to do this. Automating blocking at scale would do a little more than step on the toes of IT operations and irk our insect overlords, if what we effectively build is the Mother of All Denial of Service Vehicles that raises existing problems with false positives to an entirely new level. But the point is the point. All that time you have spent collecting data and doing some simple analysis has positioned you to take the next step toward Scott’s concept of data-driven security. Let me simplify the issue a bit more. Having great intelligence doesn’t help if you can’t use it. That would be, well, just dumb. Photo credit: “#dumb” originally uploaded by get directly down Share:

Share:
Read Post

Friday Summary: April 12, 2013

Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter. I went out to the yard with the handful of tools I would need and started scouting around the pool of standing water to locate the source of the leak, and I found it – more or less. It was buried under some mud, so before I could fix the leak I needed to remove the mud around the irrigation line. Before I could remove the mud I needed to remove the giant rat’s nest on top of the mud – stuffed full of Cholla. Literally. It apperas a rat ate the irrigation line and then used it as a private port-o-let. But in order to remove the rat’s nest I needed to remove the 45 lbs of prickly pear cactus that formed the roof of the rat’s nest. Before I could remove that cactus, I needed to remove the 75 lb Agave that arched over the prickly pear. Before I could get to the agave I needed to remove a dead vine. Before I could cut out the vine I need to remove some tree branches. Each step required a new trip to the garage to collect another tool. And so it went for the next three hours, until I finally found the line and fixed the leak. When I finally finished that sequence I was rewarded with 30 minutes tweezing prickly pear micro-thorns from my fingers. What should have taken minutes took the entire morning, and left painful reminders. Which brings me to IT: those who provision data centers and migrate backbone business applications know exactly what this feels like – as I was reminded when I told a couple friends about my experience, and they laughed at me. That described their life. They deal with layers of operational, security, regulatory, and budgetary hurdles – mixed liberally with rat droppings – all the time. Someone asks for a small server to host a small web portal and before you know it someone is asking how PCI compliance will be addressed. Say what you will about cost savings being a driver for cloud services – simplicity (or at least avoidance of complexity) is a major driver too. Sometime it’s just better to have a third party do it on your behalf – and that comes (anonymously of course) from some IT professionals. On to the Summary: Favorite Securosis Posts Gal: Security FUD hits investors. HP bought ArcSight, right? Adrian Lane: Gaming the Narcissist. Fun read, and a topic to consider when weighing potential employers, but I’ll offer an alternative view: 1980 to 2008 was itself a wild period for company performance – see Warren Buffet’s speech from November 1999 for what I mean. I’d say Narcissist CEOs succeeded or simply ran off the tracks faster in that window. David Mortman: Should the Red (Team) be dead? Mike Rothman: Should the Red (Team) Be dead? Yup, it’s mine, but this one created a bit of discussion and even a comment by HD Moore… Other Securosis Posts Incite 4/10/2013: 103. Friday Summary, Gattaca Edition: April 5, 2012. Favorite Outside Posts Rich: Analyzing Malicious PDFs or: How I Learned to Stop Worrying and Love Adobe Reader (Part 1). Adrian Lane: Oracle Details Big Data Strategy. The FUD, it burns, it burns! My not favorite post this week – I recommend you, with your best Borat impersonation, yell not! after every quote and claim. It’s fun and more accurately reflects what’s happening in the big data market. Gal: Alleged Carberp Botnet Ringleader Busted. They’re doing it wrong: Rule #1. You’re supposed to steal from countries where you do not reside, and with whom your home country has no extradition treaty. Rule #2. Don’t steal tons of money from Russian and Ukranian banks regardless of where you live, but especially if you’re violating rule #1 and you live in Russia or Ukraine… Dave Lewis: Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight. Gunnar: Bitcoin – down ~50% in a day, first DDoS currency crash. David Mortman: Tor Hidden-Service Passive De-Cloaking. Mike Rothman: Who Wrote the Flashback OS X Worm? All of you aspiring security researchers can once again thank Brian Krebs for showing you how it’s done. And be thankful Krebs has figured out how to make a living from doing this great research and sharing it with us. Project Quant Posts Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Top News and Posts Security Lessons from the Big DDoS Attacks. A couple weeks old but I just saw it. Bitcoin crashes – lose 1/2 value. Vudu resets user passwords after hard drives lost in office burglary. DEA Accused Of Leaking Misleading Info Falsely Implying That It Can’t Read Apple iMessages. Windows XP still maintains 39% overall market share. Speechless. Windows XP Security Updates ending in one year. Update your calendars! North Korean military blamed for “wiper” cyber attacks against South Korea. Lessons from the Spamhaus DDoS incident. Microsoft Reportedly Adding Two-Factor Authentication to User Accounts. Google will fight secretive national security letters in court. FBI’s Smartphone Surveillance Tool Explained In Court Battle. IsoHunt Demands Jury Trial. Critical Fixes for Windows, Flash & Shockwave via Krebs. Blog Comment of the Week This week’s best comment goes to HD Moore, in response to Should the Red (Team) be dead? It isn’t clear why Gene believes that CTF contests have any correlation to professional red teams. A similar comparison would be hackathons to software engineering. In both cases you approach the problem differently and the participants learn a

Share:
Read Post

Gaming the Narcissist (to get what you want)

We have each probably worked for a CEO who we’d just as soon meet in a dark alley (without video surveillance), while carrying a nightstick and a taser. So when I saw Ed Moyle’s blog about Narcissistic CEOs, I was hoping it would end with “You’d better bring a mop. And a body bag.” Unfortunately Ed highlighted some research that these narcissistic douches adopt technology more aggressively (mostly due to their oversized egos) and are more likely to be successful. Humbug. … We find strong support when testing our hypotheses on a sample of 78 CEOs of 33 major pharmaceutical firms, examining their response to the emergence of biotechnology over the period 1980 to 2008… our results suggest that narcissism may be a key ingredient in overcoming organizational inertia. So the nice CEO, who isn’t a total prick usually can’t get the organization to move, and so is tossed out with yesterday’s garbage in favor of some objectionable human, who worries more about having cooler toys than the other CEOs in his or her golf group. Awesome. But aside from my CEO bitterness (you might think, after almost 4 years, the road rash would have healed just a bit), Ed actually draws a conclusion that could actually be helpful. As a pragmatist, my concern is mostly about how practitioners can leverage this. For example, rather than pitching a new technology on the basis of return to the organization, business enablement, cost savings, etc. – maybe harnessing executives competitiveness could be effective. So rather than saying, “this new cloud system will save us 50% over 10 years”, saying something like “Check out the attention our competitor is getting for being so innovative and forward thinking. I wonder if there’s a way for us to lead instead of them” might be more resonant if what these folks say is true. That’s why I think security benchmarking is a good idea. Having a benchmark to compare your organization to another gives you the data to appeal to these ego monsters. And if you have to deal with these folks, at least use their personalities to get what you want. Photo credit: “Hello My Name Is Narcissit” originally uploaded by One Way Stock Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.