Research

Shiny technology objects make us happy. Admit it – you want to believe the buzzword du jour will make things better. Or less crappy. But if the capabilities and value of new technology are contingent on humans, eventually you run into the most debilitating of constraints: expertise limitations. It seems like everyone wants to talk about Big Data Analytics, but the inconvenient truth is that without the math folks Big Data doesn’t do much. As the WSJ writes, Data Crunchers Now the Cool Kids on Campus: The explosive growth in data available to businesses and researchers has brought a surge in demand for people able to interpret and apply the vast new swaths of information, from the analysis of high-resolution medical images to improving the results of Internet search engines. Schools have rushed to keep pace, offering college-level courses to high-school students, while colleges are teaching intro stats in packed lecture halls and expanding statistics departments when the budget allows. So we see the problem, and now the education/industry complex is moving to address the skills gap. Good luck with that. Math is hard. Sure, it may provide a wonderful career path, but it’s not like all those liberal artsy types who don’t see much of a future as lawyers will all suddenly decide statistics is their calling. I do believe in the eventual impact of Big Data Analytics on all sorts of things including security. But we need to be realistic as an industry about when that impact will actually materialize. The rich can (and will) get richer by throwing money at math PhD’s, but the rest of the world will lag significantly. But we will be hear a lot of the term Data Scientist over the next few years. I’m lucky that my kids seem to be pretty mathematically inclined, so over time I will push and prod them toward statistics. Though by then there will be another shiny object to chase. There always is. Share:

Threat Intelligence comes in many shapes and sizes, all of which are helpful for Early Warning of imminent attack. After introducing the initial Early Warning concepts, we recently delved into how network telemetry and other information about your pipes can help to identify compromised devices in Network-based Threat Intelligence. We continue discussing all sorts of threat intel by focusing on phishing in our new series, Email-based Threat Intelligence. We stay true to our naming conventions. But in all seriousness, if you are targeted by phishing attacks, you probably know what we’re talking about. Attackers target your brand, they stage high-volume attacks to steal personal information from customers, and then ultimately they monetize stolen personal data – typically by looting the accounts of your customers. All of which cost your organization big money. So what we will do in this series is dig into the seedy underbelly of the phishing trade, starting with an explanation of how large-scale phishers operate. Then we’ll jump into threat intelligence on phishing – basically determining what kind of trail phishers leave – which gives us data to pump into the Early Warning system. Finally we will cover how to get quick wins with email-based threat intelligence. If you can stop an attack, go after the attackers, and ultimately disrupt attempts to steal personal data, you’d do that, right? So we will wrap up this short series by quickly showing impact. Before we get started I want to thank Malcovery for agreeing to potentially license the content at the end of the project. As with all our research, we will produce Email-based Threat Intelligence using Totally Transparent Research. That means we build the content independently and objectively, and tell you what you need to hear. Not what any vendor wants you to hear. Sizing up Targets Why do phishers target specific brands? To harvest and ultimately monetize personal information. Obviously targeting financial institutions is a no-brainer. So you probably see phishing attempts targeting every major bank, brokerage, and other financial institution like PayPal fly into your inbox all the time. Retailers are also low-hanging fruit – once phishers gain access to an online shopping account they can buy all sorts of stuff using your customer’s credit. And you get left holding the bag. Fun! But lately we have been receiving phishing attempts for other major consumer brands such as shipping companies, phone companies, and airlines. Huh? If someone owns a frequent flyer account, the risk is having them see how close until the next FF tier, right? No, not exactly. When you (or someone who works for your organization) clicks on a phish, they may enter account information into the phishing site, which is the first win for the attacker. But it’s not the only opportunity for pwnage. Attackers also systematically install malware on the device, and that’s where the real monetization happens. Once they have a foothold they mine the data for as long as they can. Attackers collect bank accounts, passwords, and other sensitive information. So basically every large consumer brand has been and will continue to be a serious phishing target. These companies have millions of customers, which means millions of potentially compromised devices for attackers to mine. Obviously the highest value phishing attacks target financials, where the victim can be monetized immediately. But the endgame involves installing malware which is why we see secondary brands emerge as phishing targets. It is outside of the scope of this research, but we would be negligent if we didn’t at least mention that it’s a very bad idea to save financial information in the website of any retailer or other services company. Sure, one-click buying is convenient, as is not enter that pesky credit card number with every purchase. But it also leaves you at the mercy of the website’s security – not a good place to be. If you do need to save personal information on these sites, at least use very strong unique passwords with a password manager, as Rich has described numerous times in places like MacWorld. The Phish Phishing is the front end of a multi-faceted attack, so let’s take a look at the first set of steps in Cloppert’s Kill Chain and show how these concepts apply to phishing. First let’s look at recon, which starts with picking the brand to target, typically a financial or payment company. The APWG’s statistics (PDF) show that upwards of 65% of phishing targets are financial and payment organizations. Duh. But let’s be clear about why many of the phishing campaigns target only a few popular brands. Is this just Pareto at work? The real reason is the advent of the phishing kit. Just like malware kits, phishing kits offer a packaged phishing campaign for a very modest price. This takes care of the weaponization step in the kill chain – these kits include everything you need to phish, with the exception of domains to host the phishing site. Images, emails, designs, and even a few malware variants are included, which is driving down the average IQ of phishers. You might think phishing kits need to be constantly updated to keep pace with the constant web site changes undertaken by the major consumer brands. Not so much – most consumer victims wouldn’t be able to tell a vintage 2009 Wells Fargo site from the latest and greatest. The images and code used on the phishing site tell a story about the attacker and can provide significant intelligence to disrupt the attack, so we will delve into that in the next post. The other key aspect of the kill chain for to phishing is delivery. The primary delivery mechanism for phishing is email, which requires the attacker to evade spam filters. Discussing those tactics is a bit beyond what we can do in this series, but suffice it to say that attackers are rather sophisticated in how they test both delivery of email and the domain names they drive victims to. Similarly to the way attackers use VirusTotal and other AV test harnesses, phishing professionals focus quite a bit of effort on testing against common anti-spam engines,

Thales released a 2012 survey on encryption spending trends today. In a nutshell, spending was up a modest amount for the first time in several years. From the Deep Dive post: estimated total spending on encryption by all sectors grew by 2.5 percent from 2011 to 2012, one of the biggest jumps in the eight years the survey has been conducted. Thales released the “2012 Global Encryption Trends Study” today. The Ponemon Institute of Traverse City, Mich., surveyed 4,205 individuals on Thales’ behalf. The spending figures were particularly interesting to Thales: “This last year we saw one of the biggest hikes in budgets that we’ve seen for the last seven years or so,” said Thales e-Security’s Richard Moulds, vice president of product strategy. In 2011, businesses and governments spent 15.1 percent of their information technology security budget on encryption. The number jumped to 17.6 in 2012. A couple things to note about this information. For security products not driven by compliance (like PCI) or vulnerabilities that totally disrupt IT (think SQL Slammer), sales typically grow at a rate of 2-3% a year. From our conversations with companies of all sizes, use of encryption is up across the board. However, adoption is mostly for new projects, rather than expansion of existing installations. And in many cases developers are the ones who select free or open source encryption products, not commercial products. They do this so the development process is not burdened by having to get budget or deal with sales droids. This means spending does not go up at the same rate that usage goes up. Still, the encryption market has not seen the sales growth we would otherwise expect – instead people invest in better key management services, or in alternatives to encryption (e.g. tokenization, masking) to protect data. It’s a growing market, but buyers are cautious about how and where they spend their money. Share:

One trend we see coming on like a freight train is the rebirth of security awareness training. Folks are working on content that doesn’t suck and enterprises are finally starting to gather data about how stupid mistakes (such as clicking phishing messages) are decreasing after training sessions. NetworkWorld recently ran an article (in their Insider section, which requires registration – boo!) providing some tips to deal with phishing. The part of the article I found most interesting was a description of how attackers appeal to either greed or fear to entice action. It sounds a bit like marketing to me… “most spear phishing attacks take one of two tacks – they either appeal to human greed or fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true. Or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or some other scenario in which you are required to enter personal information….or else.” Then there are a few tips about educating users, including having them look at URLs from right to left. Folks who read Hebrew have a clear advantage at this. And other obvious stuff, including not opening files from folks you don’t know, and never providing account credentials to an unsolicited query. Of course all this seems obvious to you and me. It’s too bad it’s not obvious to your employees. Get on board with security awareness training. Or keep cleaning up the mess. Photo credit: “Clean Up or You’re Out! :Brooklyn Street Sign” originally uploaded by emilydickinsonridesabmx Share:

With our last post in this series on Understanding and Selecting Cloud Identity and Access Management, we want to help guide you through product selection. No two customer environments or lists of requirements are the same, but key decision criteria will help you narrow down the field to suitable platforms. We will provide questions to help determine which vendors offer solutions that fit your architecture, a set of criteria to measure the appropriateness of a vendor solution to your design goals, and help walk you through the evaluation process. Your mileage WILL vary Spoiler alert – there’s no such thing as plain vanilla IAM. You may need a solution for customers as well as users. You may or may not need to include mobile devices. You may need fine-grained authorization controls for external applications. There are far too many variables in play for IAM evaluation to be fully quantifiable. But to help you weed out some players, to align your needs with product function, and to give you a handle on major product differentiators, we created the table below. You need to make sure products match your goals. Even IAM suites that can do everything on paper have their own strengths and weaknesses, so make sure you know them before leaping in. As we have discussed, prospective buyers should start with understanding their use cases and governance processes before analyzing the IAM marketplace. That said, here is a proposed checklist for beginning to analyze IAM products: Product Architecture What are the product’s key capabilities? What are the internal data models and formats for identity? What are the external data models and formats for identity? How does the product scale, vertically or horizontally? Development What is the development interface for implementing and extending the product? Is development typically performed by the company or third party consultants? Answer for both development and maintenance phases. What integration is available for source code and configuration management? What languages and tools are required to extend the product by with wrappers, adapters, and extensions? Interoperability What IAM standards are supported and where are they available in the product? What interfaces are standards based and what are proprietary? What directories are supported – Active Directory, LDAP …? What application servers are supported – Websphere, IIS, Tomcat, SAP …? Are cloud applications supported? Which ones? Are mobile platforms supported? Which ones? Product Security What is the product security model? Is Role-Based Access Control supported? Where? How is access audited? Use Case Support Describe the product’s support for provisioning uses Describe the product’s support for Singe Sign On uses Describe the product’s support for attribute exchange use cases What user self-service capabilities does the product support? Cost Model How is the product licensed? Does cost scale based on number of users, number of servers, or something else? What is the charge for adapters and extensions? This checklist provides a starting point for analyzing IAM products. As the evaluation unfolds, it is key to remember what matters: integration, standards, and cost. The buying process works much better if the initial step includes an inventory of IAM sources and targets: where identity is used, and what the authoritative sources are. What IAM processes exist currently, and which and are desired in future? POC FTW Securosis highly recommends a Proof-of-Concept (POC) as a final step for IAM buyers. PowerPoint does not crash much, but new implementations do. There is nothing like seeing a product working in your own environment. If there is more than one vendor in play – and there usually is – then bake-offs can be useful to determine the best fit. But we generally do not recommend bake-offs with more than two vendors. Many vendors take widely different conceptual approaches to IAM problems, and in-depth evaluations are too demanding to perform more than once or twice. Start with an initial review, against our checklist, to weed out unsuitable candidates. Then use a proof of concept to test viability and/or a bake-off to compare a couple similar candidates. Share:

As if the IBM Security Systems folks weren’t busy enough with the RSA Conference last week, they flew directly from San Francisco to Vegas for their annual Pulse Conference. Sure it’s a lot of back-patting and antennae rubbing, but there is usually a good nugget or two from their customer presentations. In this photo one of IBM’s companies highlights 7 reasons it is important to decide on the initial use cases for your SIEM before you buy it. I particularly like a few of them: 1. “Help with vendor selection – evaluate competitive SIEMs against use case criteria and forms requirements for purchase.” When I was in the SIEM space, trying to push 7-figure purchases, it was much easier when we could dictate the terms of the proof of concept (PoC). We’d test stuff we knew would work well, and that competitors couldn’t match. Of course that didn’t necessarily involve solve the customer’s problem. Oh, well. Enterprises should be driving the criteria for purchase and the PoC, and you do that by defining the initial set of use cases that drove the funding of the project anyway. 4. “Companies considering a SIEM should build a use case portfolio before even looking at a technology.” 6. “Understand quick wins/short term successes vs. long term roadmap (where do you want to be in two years).” I cannot tell you how many conversations I have had with folks looking at SIEM, who couldn’t tell me specifically what problem they were trying to solve. The initial use cases are really table stakes for SIEM procurement. It is critical not to choose a technology that will prevent you from doing things (like packet capture) in the future, as your program and needs evolve. But if you don’t have a clear idea what you want to do first, you are very unlikely to succeed. Share:

I think I’m finally waking up. After a week at RSA where I basically don’t sleep – not all bad, mind you – it takes a while to recover. In fact Monday might as well not have happened – I certainly got nothing done. It was not for lack of trying, but I was simply part of the zombie apocalypse – but I don’t want brains, just some Captain Crunch and sleep. Today I had the ‘Oh crap!’ realization – I promised people things last week, and I need to deliver. As much as I’d like to shuffle this stuff onto Rich, he has got a new baby and won’t take my calls. Something about taking it easy and enjoying time with the family. On the subject of the RSA Conference, I have to confess I’m not usually surprised by trends at RSA. If you read out pre-RSAC stuff, you noticed it was clear to us that Big Data and malware were going to take center stage, and those trends did not disappoint. But we are never quite sure whether we are going to run into grumpy vendors spewing forth about their dissatisfaction with foot traffic, booth space, and the lack of quality leads. This year … none of that. In fact most vendors told me traffic was up and, more importantly, prospects were seeking them out. They were happy. It certainly made the week a lot more fun, but happy are a bit like Mike Rothman’s smile – rare and it makes me nervous. The other thing that really surprised me was that every single vendor seemed to be asking for help locating talent. Penetration testers, product managers, marketing managers, engineering managers, researchers – you name it. But I am not aware of any seasoned security people who are looking – quite the opposite. I did not anticipate the security industry hiring so heavily, but that’s a good thing, and another sign that things are humming along. Let the good times roll. You know what else surprised me? The force field surrounding the Huawei booth. Okay, maybe there was no actual force field, but people walking the show floor acted like there was. They kept a curious 2-3’ distance from the booth. Maybe their schwag sucked. Or perhaps it was Huawei’s lack of booth babes. Or maybe people are pissed about the Mandiant report and think of Huawei as part of that whole fiasco. I don’t really know, but most vendors were humming with activity, yet the half-dozen times I went by their booth they were noticeably un-busy. –Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Our own ‘Mark’ Rothman’s DR post: You’re A Piece Of Conference Meat. snort Adrian’s Pragmatic Database Security Presentation. Favorite Securosis Posts Adrian Lane: Karmic Balance. I have witnessed 25 years of shenanigans, and it has turned out that most wrongs met their karmic opposite at some point. David Mortman: Flash! And it’s gone…. Mike Rothman: Karmic Balance. Yeah, I’m a homer for favoriting my own Incite this week. But it sums up what I’m about. Like most folk I have been scarred and battered and bruised. But I try to make those negatives into positives whenever I can. Other Securosis Posts Understanding Cloud IAM: Buyers Guide. Use cases are your friends. Isolating the Security Skills Gap. Be Careful What You Wish for…Now You’re CISO. Announcing the CCSK UK Train the Trainer Class in April. New Paper: Network-based Threat Intelligence. Friday Summary, RSA Edition: March 1, 2012. Favorite Outside Posts Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names, in a word: insane. Adrian Lane: Creating and Validating a Sock Puppet. Everyone should have a couple of these. They come in handy. David Mortman: Barn Doors. “Mobile is just an amplification of all the insecure practices you and your company have been using for decades.” – Sing it, sister! Mike Rothman: Cisco CEO: We’re All In On Internet Of Everything. In the NSS (No Sh*t Sherlock) list this week, Cisco decides it’s in their best interest to drive “The Internet of Things.” Duh. But as we wrote in the RSAC Guide, the Internet of Things is something to keep an eye on. Check it out for the hype, but stay around because there will be all sorts of devices connecting to your stuff. Project Quant Posts Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. Top News and Posts Appsec at RSA 2013: nice recap. Oracle Issues Emergency Java Update via Krebs. Details of the February 22nd 2013 Windows Azure Storage Disruption HP Exec: We’re Investing $1 Billion in Big Data This Year Understanding iOS passcode security The Phoenix Project Critics: Substandard crypto needlessly puts Evernote accounts at risk Evernote plans two-factor authentication following last week’s hack Recent 10-Ks mentioning “cyber” incidents Java malware spotted using stolen certificate Google+ Can Be A Social Network Or The Name Police – Not Both Blog Comment of the Week This week’s best comment goes to Matt, in response to Attribution Meh. Indicators YEAH! if for no other reason than becausae he put a lot of thought and effort into it. The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. This may well represent the catalyst for major geopolitical change. The value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their

We all knew the Flash was fast. But it seems Apple has made Flash so fast you can’t even use it on your Macs. Well, actually, they put some new protections in to ensure only the latest version of Flash runs on Mac OS X 10.6 and later. In response to frequent exploits being leveraged against the popular Adobe software, Apple has introduced a safeguard that gives Safari users no option but to keep Flash up to date. “When attempting to view Flash content in Safari, you may see this alert: ‘Blocked Plug-in,’” said an Apple notice. From there, Safari users will be able to download the latest version of Flash. Similar to the way Mozilla is working to save us from ourselves, Apple is now getting into the game. How long before the OS and browser makers totally dictate the updating process for plug-ins they can run? Of course that creates an even higher wall around the garden, and the toolbelt community will squeal like stuck pigs. Well, they can configure Gatekeeper not to protect them. For everyone else, it looks like offering help keeping devices updated is a good thing. Photo credits: Flash Before Your Eyes originally uploaded by JD Hancock Share:

My career has been turbulent at times. I know that’s shocking to those of you who know me personally. When I was invited not to come to work at my last job in VA, I already had a good position at a hot start-up in Atlanta lined up. They were well aware of my situation, and once I was a free agent the deal got done quickly. I had one real estate agent selling a house in VA, and another looking for property in Atlanta. Full speed ahead. Then I got the strangest call from my “new” CEO. He said they did a final reference check and a past boss pretty much drove a shiv into my gut. WTF? So now the sure thing in Atlanta wasn’t so sure. And even better, if this guy was talking me down in VA, my odds of getting another job if Atlanta fell through weren’t so good. So I went into damage control mode. I wasn’t going to go down like a lamb, so I came out swinging. I called in every favor I had. I created dissension at my former employer by having folks in all parts of the organization talk to the Atlanta company confidentially to provide a different viewpoint. If I was going to investigate other occupations, it was going to be on my terms. Not because some whackjob CEO was trying to cover his behind as he lost control of his company. And you know what? I got the job. The good guys won. My friends stepped up for me bigtime, and I never forgot that. I promised myself that if I ever knew anyone else getting similarly screwed, I’d do everything in my power to help them. Everything. I’d return the favor when I had the opportunity. A few weeks ago I had lunch with a friend, who told me a story eerily similar to mine. He got caught in the crossfire of a regime change and received the blackball treatment that happens when backchannel chatter is more important than demonstrable accomplishments. My blood was boiling. I knew what I had to do. So at RSA last week I looked for an opportunity to do it. Thankfully one of my clients mentioned he was looking for the skill set my friend possessed. I jumped and put his name into the hat. I also mentioned his predicament and personally vouched for my guy. I called in a favor and asked my client to give him a chance. I don’t know if it’ll work out, but my guy is in the game and that’s all I asked. And when my friend called yesterday to thank me, I smiled. It was a really big smile. Like some type of karmic balance returned to the world, if only for a few minutes. I smiled because I remember being in that spot. I remember how powerless I felt. How a control freak had no control. And I remember how relieved I felt when I learned those folks stepped up for me. But most of all, it felt really good to be able to keep that promise I made to myself all those years ago. My friend asked what he could do for me. My answer was absolutely nothing. This wasn’t about me. It was about righting a wrong and doing the right thing. But I did tell him to pay it forward. Someday he’ll meet someone in the same position and he needs to help. And he will. –Mike TIP A DRINK TO RICH: Let’s all congratulate Rich and his wife Sharon for the successful launch of their latest joint project. The latest addition to the team, Ryan Mogull, was born Sunday night. Rich will be taking some time with the family for the rest of the week, but should be back in the saddle soon. And yes, we are shopping for a Securosis onesie. Photo credits: Switchbox karma originally uploaded by stuart anthony Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading, UK, April 8-10. Sign up now. Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Industrial Phishing Tactics Understanding Identity Management for Cloud Services Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Give a security hobo a pair of shoes: Really great post by Bob Rudis about what he’s calling Security Hobos, the truly small businesses that really have no idea what they need to do. But we have an opportunity to make a difference, like the cop who gave the homeless guy in NYC a pair of boots. Bob points out that these are the kinds of business that put their POS software on the only machine in the business. And yes, that machine will get popped and it will be bad. But rather than just railing about how these folks create problems, Bob makes some actual suggestions for how to help. Do things like speak at your Chamber of Commerce and search out small businesses to offer advice. I talked about returning karmic balance above, and this is another great opportunity to do it. Don’t expect anything in return – do it because it’s the right thing to do. – MR Driving competition: Amazon Web Services (AWS) rolled out a monitoring tool called Trusted Advisor. It is positioned as a performance and security tool, leveraging the intelligence Amazon gathers to help customers tune their environments. Like traditional IT tools playing at security, it’s really operational metrics and tools masquerading as security features. It’s just

It looks like Ray Umerley had a good time at the RSA Conference. Besides seeing pics on the Tweeter of him at the Ju Jitsu gathering, he took some time to document his thoughts about what he saw at the show (RSA Conference 2013: My Takeways). Ray covers security intelligence, and how as you collect more security data, it becomes more important that it be used within a security/risk management program. He points out that we need more quality people in the information security field. I’m going to go out on two limbs here: we need quality people regardless of certification, those with the aptitude, passion, and intellect to excel across multiple security disciplines but also more security people who can apply the business and soft skills to develop into effective leaders. I really feel our resource gap is in the latter more than the former. I question the effectiveness of many of the traditional CISO/CSO and whether we as a profession have evolved to meet the needs and expectations of our organizations. Can I hear an amen? That’s exactly right. We don’t need more bodies. Okay, maybe a few more bodies. But what we really need are quality folks. Inquisitive souls who love learning, but who also have the temperament to handle a job with murky success criteria (at best). Then Ray moves on to flesh out the leadership gap, as well. The security industry is oftentimes very insular, difficult to break into some of the cliques, and we have a frustrating habit of eating our young. What we need to do is continue to nurture and foster a pipeline of security neophytes and intermediates and help them develop into multi-disciplinary security professionals. We as an industry need to continue sharing what we know and paying it forward. Obviously we can’t find enough qualified folks to meet the need, so we need to train them. If you are staff constrained and you don’t have a plan (aside from sending n00bs to a week-long SANS course) to develop your folks in a very structured fashion, you’re doing it wrong. Share: