Research

It started out great. Fantastic even. The Dome was fired up. The team started fast. Field goal. Forced punt. Matty Ice throws a pick. Then the Falcons force a fumble and get the ball back. Touchdown. Forced punt. Field goal. 13-0. Red zone stop on a huge 4th and 1. Touchdown on a bomb. Huge sack to end the half. The Falcons were up 20-0. This was it. The year they finally exorcise the playoff demons. We all cheered for the kids showing off their football prowess during halftime as national Punt, Pass & Kick finalists. Then the second half started. Seattle drives down and scores. Then the Falcons respond with a 7+ minute drive to go up 27-7 when the 3rd quarter ends. The crowd goes bonkers. Only one team has blown a 20+ point lead in the playoffs at this point in the game. Elation sets in. It’s over. Until it’s not. Bad tackling. Mental lapses. A tight end playing on a ripped-up foot keeps making huge catches over the middle. Seattle scores. 27-14. Matt Ryan throws a pick. Seahawks drive down the field again. Touchdown Seattle. Cover that guy! 27-21. Oh crap. Now is the time. Make a play, offense. Get some first downs, burn up some clock and get this done. Come on, man! 3 and out. Falcons punt. This is not good. You can feel the tension in the Dome. All the negative thoughts creep in. All the playoff failures. How could they choke? How could they?!?!? Falcons force a punt. OK. It’s under control now. Just a few first downs and it’s over. 3 and out. Again. Seahawks have the ball back. 5:32 left. Seahawks driving again. They are on the Falcons 3. They score. Falcons are down 28-27. WTF? This would be the choke to end all chokes. We were stunned. The Dome was in shock. 31 seconds left. How could it end like this? Again? So disappointed. So so disappointed. Sure it was a good season, but another one and done in the playoffs and it’s going to set this franchise back years. Unbelievable. It’s only a football game, but it sure doesn’t feel that way. The Falcons get the ball back with 31 seconds on the clock. They need 40 yards to get into field goal range. First pass goes for 22 to a receiver named Harry D. Could they? Dare we have hope? The odds are long and they’ve done it before, but not with a berth in the NFC Championship at stake. 19 seconds. Another pass goes for 19 more yards to 36 year old Tony Gonzalez, a sure fire first ballot Hall of Famer who has never won a playoff game. Ever. They’re in field goal range. They set up the kick. I can’t breathe. Literally. No one can. This is it. The Boss squeezes my hand. The kick is up. The kick is good. HOLY CRAP. We scream. We hug. We embrace people we don’t even know. We scream some more. We jump up and down. You can’t hear anything because everyone is screaming. I give the Boss a huge hug. I mean huge. Instant elation emerges out of the depths of despair. It doesn’t get better than this. But it’s not over. There are still 8 seconds left. Seattle gets the ball back in good field position due to a muffed squib kick. A short pass. 2 seconds. Seattle is on the 50. Hail Mary time. The pass is in the air. The Dome holds its breath some more. The Falcons’ Julio Jones comes down with the ball. It’s finally over. Playoff demons vanquished. We just rode a 3.5 hour emotional roller coaster. A pretty high high. Then a very low low. Then the best moment in any football game I’ve ever experienced. I had emotional whiplash. I was nauseous. I was exhausted. My whole body hurt. My voice was gone. And I can’t wait until next Sunday to do it again. Rise up Falcons. It’s time. –Mike Photo credits: Buddha in Neck Brace originally uploaded by bixentro Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services The Solution Space Introduction Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Control via cloud: A lot of people focus on cloud computing as a security risk, but few look upon it as a security control. I suspect this is due to its newness – anything that disrupts our current models is nearly always seen as a risk to defenders at first. But as this article at cloudave.com points out, the cloud can play an awesome role in improving security. Specifically, if you adopt Platform as a Service for your application environment, you expand your security control scope, gaining the ability to enforce development standards be eliminating the variability of platform configurations. All the apps now run on a pre-configured platform, and there just isn’t much opportunity to screw it up. Plus you can enforce other code standards and practices based on the interfaces exposed via centralized platform management. Since it is faster and easier to use the PaaS, you aren’t fighting the developers. Sweet, eh? – RM Guessing for dollars: Does anyone really believe that the market for financial critical infrastructure security will reach $17 BILLION by 2017? Even if you could pin down what “financial critical infrastructure” even meant, and thought that you could estimate the portion of those dollars going to security products or services, do you really think you could extrapolate the amount 5 years out?

“Experts” who tell you to do dumb things… are not experts Dump anything you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser – disable the browser plugins. You might find it a bit strange when we tell you to beware of experts – especially because we are often hyped as experts. But it’s not. The day we start believing our hype and calling ourselves experts in anything beside pontificating and drinking coffee, we’re done in this business. We’re fortunate to know a lot of experts, but knowing and being are very different things. Jack’s point is exactly right. Anyone can talk to the press and that supposedly makes them an expert. It would be funny except that many of these folks say stupid and wrong things, and because they show up in reputable publications they must be right. Not so much. It’s easy to say things. It’s hard to do things, especially restrictive things like eliminating Java and IE from your environment. Is almost impossible to do these resrictive things on an enterprise scale. And that triggers Jack’s point about dumping software you don’t use. It’s convenient to have a standard desktop image, but that will involve basically allowing everything on it. That’s not a path to security success. And how to deal with experts providing bad advice? Triangulate everything. Everyone has an opinion. Solicit a variety of different folks and see what they have to say. The more weighty the decision, the more folks you should talk to. Sometimes the opinions will be consistent and that makes the decision easy. Sometimes they aren’t, and then you have to figure out what’s right in the context of that decision. Which is why you make the big bucks. Share:

From the BBC: The US government has told thousands of companies to beef up protection of computers which oversee power plants and other utilities. The action comes after a survey revealed that thousands of these systems can be found online. The survey was carried out via a publicly available search engine that pinpointed computers controlling critical infrastructure. This comes as little surprise. I have used Shodan and found a lot of similar issues with externally exposed systems. I spent quite a few years in that sector and have learned that there is an inherent disconnect in how control system operators and security folks view these issues. They typically don’t play well together. Control system operators are good at their jobs. They keep the lights on. However, on occasion they take a focus on convenience that can ultimately expose critical systems to the wilds of the Internet. Enter the security folks who gleefully rub their hands together at all the missteps taken by engineering folks. There are two ways this can play out. Security folks can help them better understand the security issues and work with them, as Bob and Jacob did, or they can point and laugh. Sadly too often the path taken leads to the schoolyard. Share:

Hey folks, Just a quick note that I am trying to decide between a few different topics for my next paper. If you have a moment, I could use your opinion. Which will take no more than 5-15 seconds when you click this link. The options are: BYOD Security Fundamentals Defending Cloud Data – Encrypting for Dropbox, Box.net, and Friends Defending Data in Cloud Infrastructures – IaaS Encryption and Data Security Defending Enterprise Data on Mobile Devices Other (please specify) I threw it out on Twitter and IaaS encryption took an early lead, which is interesting because I expected it to be BYOD. Thus I decided to double up and push it out through the blog. Thanks. Share:

Microsoft to release emergency Internet Explorer patch on Monday The vulnerability, which is present in IE 6, 7 and 8, is a memory corruption issue. It can be exploited by an attacker via a drive-by download, a term for loading a website with attack code that delivers malware to a victim’s computer if the person merely visits the website. Microsoft released a quick fix for the issue earlier this month, but did not have a more permanent patch ready when it released its monthly batch of patches last Tuesday. The company will occasionally release an emergency patch if the software vulnerability is considered a high risk. So if Mondays weren’t bad enough, have fun applying this out of cycle patch because Microsoft couldn’t get it done in time for the regular patch cycle. Of course you need to be running an older version of IE for this to be an issue, so there’s that. Share:

It’s a new year, so let’s get physical and personal. I wondered what people do about physical security specifically – how do you protect your laptop while on business travel? Hotels, airports, cars, etc. We have all seen that “road rules” can be pretty different, so what precautions do you take to ensure your laptop and devices return home safely? Do you always carry your laptop? Carry a lock? Have ways to hide it? It seems like there are no real 100% answers or ‘best’ practices – just least-bad practices, and answers I hear are an interesting mix of personal and technology options. I asked a number of folks and here is what they said. (please comment on your own “least bad” approach) “I usually carry my laptop. But have left it in an in-room safe and locked in my bag. I don’t leave anything out and visible.” Hotels: “On rare occasions that I leave it in my room, i leave the Do Not Disturb sign up. Disinformation FTW. I think the real answer is try to travel with tablets and not laptops if possible” “I try to avoid traveling with a laptop anymore, although I still need it for conferences usually.” “I use the do not disturb trick, and I never use the hotel safe since that’s the first place they’ll look. I bury my laptop in my clothes bag when I leave it. With an 11-inch MacBook Air, that’s easy. But the truth is it is disposable for me. I’d be out the money, but being well encrypted I don’t worry about data loss. And everything is synced anyway.” I have only been able to do this for the past few years thanks to Dropbox and a few other things. (This one is from our very own Rich Mogull). “I rarely travel with a laptop, and keep a short lock on iOS devices.” On TSA: “I don’t care about TSA – nothing to hide. But I do shut down if I’m someplace where I worry about cold boot (China).” What are your road rules? Share:

GigaOm offers a fascinating glimpse into Netflix’s EC2 architecture: Netflix shows off how it does Hadoop in the cloud: “Hadoop is more than a platform on which data scientists and business analysts can do their work. Aside from their 500-plus-nod[sic] cluster of Elastic MapReduce instances, there’s another equally sized cluster for extract-transform-load (ETL) workloads – essentially, taking data from other sources and making it easy to analyze within Hadoop. Netflix also deploys various “development” clusters as needed, presumably for ad hoc experimental jobs.” The big data users I have spoken with about data security agreed that data masking at that scale is infeasible. Given the rate of data insertion (also called ‘velocity’), masking sensitive data before loading it into a cluster would require “an entire ETL cluster to front the Hadoop cluster”. But apparently it’s doable, and Netflix did just that – fronted its analytics cluster with a data transformation cluster, all within EC2. 500 nodes massaging data for another 500 nodes. While the ETL cluster is not used for masking, note that it is about the same size as the analysis cluster. It’s this one-to-one mapping that I often worry about with security. Ask yourself, “Do we need another whole cluster for masking?” No? Then what about NoSQL activity monitoring? What about IAM, application monitoring, and any other security tasks. Do you start to see the problem with bolting on security? Logging and auditing are embeddable – most everything else is not. When the Cloud Security Alliance advised reinvestment of some savings back into security, I don’t think this is quite what they had in mind. Share:

Identity management on mobile devices: How do we do it? I have been taking a lot of calls on mobile identity issues and solutions over the last three months, and I am just as confused now as when I started looking into this subject. And I think the vendors I have spoken with are reaching, in their assessments of the right course of action and where the market is heading. If you want to implement identity on a mobile device, what do you do? Option 1, Crawl: Use a mobile browser and capture user names and passwords just like we do on the desktop. But mobile browsers kinda suck. People don’t want to use them and they suffer many of the same security problems we have had for a decade (see OWASP Top 10). Option 2, Toddle: Augment with OAuth tokens. Is OAuth 2.0 even a standard? But what about the security issues of encryption, digital signatures, and bi-directional verification of trust? Option 3, Walk: Adopt the ‘App’ model, and create an IAM app, which handles all the complicated identity stuff on your behalf. How does that app cooperate with other apps? How do we deal with personal and corporate personas? How do we deal with knowing the user is who they are supposed to be, and not a random person who found your phone? Option 4, Run: Use special features of the mobile platform, such as voice recognition on phones, or cameras for facial recognition? Will that work when I am on the subway or in Starbucks? Does Joe User want that – enough to pay for it – or will they look at such things as privacy violations? These are the options I am hearing about. And none of them seem to be fully thought out. And once we get past Toddle, who’s the buyer? Seeking wisdom, I scaled the mountain to discuss the topic with Securosis’s IAM guru, Gunnar Peterson. What I got was: “Mobile Identity? Ooohhh – it’s early days and it’s an unholy mess”. Yes, that pretty much summed it up. Gunnar agreed that this is the current progression, and that Identity definitely gets ‘stronger’ with each progressive step outlined, but it also gets much more complicated. Do you think I am over-reacting? Did I miss anything that concerns you? This is a topic we will dive into over the coming weeks, so I would like to hear from the community. Share:

The High Price of the Silence of Cyberwar: In today’s debate about cyberwar, all information disclosed seems to come with an agenda. Everyone evaluating the information is forced to look not only at the information, but the motivation for revealing that information. Worse, they can question if the information not revealed is shaped differently from what is revealed. A defender who reveals information regularly and in accordance with a policy will gain credibility, and with it, the ability to better influence the debate. Adam brings up an interesting point here, regarding whether there are advantages for nation states to discuss the kinds of attacks they are stopping. Of course, the quote above sums up the issue – which is balancing information versus disinformation and not causing a panic. Adam defends disclosure (mostly to a fault), and we need folks out there pushing for more information sharing, which is critical to evolving the practice of information security. That said, I do think in a lot of cases the public can’t handle the truth. They don’t want to handle the truth. They want to remain blissfully unaware of the impact of any attack, whether it’s an ICBM or a Stuxnet targeting their country’s critical infrastructure. What turns out to be a very brittle critical infrastructure – at least from an information security standpoint. Maybe we’ll get to the point where the military apparatus parades a country’s hackers through the capital like they do the tanks and armored militia, just to allay the fears of the populace that someone is defending the cyber frontier. Now that would be entertaining. Share:

Feds step up HIPAA enforcement with hospice settlement The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle. For anyone still agonizing over deploying full disk encryption (FDE) on any device that handles protected data: Stop. It. Now. Just buy it. Yes, maybe the breach will happen to the other guy. Maybe the fines will hit the other guy. But clearly HHS wants to make examples of some folks, and you don’t want them to pick you. By the way, if you are worried about FDE costing a bunch of extra money, I’ll let you in on a little negotiating tactic. If you use Vendor X for endpoint protection, invite the rep in for a visit. Then strategically leave a mug from Competitor Y on you desk. Or maybe even give the rep coffee in the other vendor’s mug. Is that tacky? Sure, but it sends a clear message that you have options for endpoint protection. Which you do. Share: