Research

How do I secure “big data”? A simple and common question. But one without a direct answer – simple or otherwise. We know thousands of firms are working on big data projects, from small startups to large enterprises. New technologies enable any company to collect, manage, and analyze incredibly large data sets. As these systems become more common, the repositories are more likely to be stuffed with sensitive data. Only after companies are reliant on “big data” do they ask “How can I secure it?” This question comes up so much, attended by so much interest interest and confusion, that it’s time for an open discussion on big data security. We want to cover several areas to help people get a better handle on the challenges. Specifically, we want to cover three things: Why It’s Different Architecturally: What’s different about these systems, both in how they process information and how they are deployed? We will list some of the specific architectural differences and discuss how how they impact data and database security. Why It’s Different Operationally: We will go into detail on operational security issues with big data platforms. We will offer perspective on the challenges in securing big data and the deficiencies of the systems used to manage it – particularly their lack of native security features. Recommendations and Open Issues: We will outline strategies for securing these data repositories, with tactical recommendations for securing certain facets of these environments. We will also highlight some gaps where no good solutions exist. Getting back to our initial question – how to secure big data – what is so darn difficult about answering? For starters, “What is big data?” Before we can offer advice on securing anything, we need to agree what we’re talking about. We can’t discus big data security without an idea of what “big data” means. But there is a major problem: the term is so overused that it has become almost meaningless. When we talk to customers, developers, vendors, and members of the media, they all have their have their own idea of what “big data” is – but unfortunately they are all different. It’s a complex subject and even the wiki definition fails to capture the essence. Like art, everyone knows it when they see it, but nobody can agree on a definition. Defining Big Data What we know is that big data systems can store very large amounts of data; can manage that data across many systems; and provide some facility for data queries, data consistency, and systems management. So does “big data” mean any giant data repository? No. We are not talking about giant mainframe environments. We’re not talking about Grid clusters, massively parallel databases, SAN arrays, cloud-in-a-box, or even traditional data warehouses. We have had the capability to create very large data repositories and databases for decades. The challenge is not to manage a boatload of data – many platforms can do that. And it’s not just about analysis of very large data sets. Various data management platforms provide the capability to analyze large amounts of data, but their cost and complexity make them non-viable for most applications. The big data revolution is not about new thresholds of scalability for storage and analysis. Can we define big data as a specific technology? Can we say that big data is any Hadoop HDFS/Lustre/Google GFS/shard storage system? No – again, big data is more than managing a big data set. Is big data any MapReduce cluster? Probably not, because it’s more than how you query large data sets. Heck, even PL/SQL subsystems in Oracle can be set up to work like MapReduce. Is big data an application? Actually, it’s all of these things and more. When we talk to developers, the people actually building big data systems and applications, we get a better idea of what we’re talking about. The design simplicity of these these platforms is what attracts developers. They are readily available, and their (relatively) low cost of deployment makes them accessible to a wider range of users. With all these traits combined, large-scale data analysis becomes cost-effective. Big data is not a specific technology – it’s defined more by a collection of attributes and capabilities. Sound familiar? It’s more than a little like the struggle to define cloud computing, so we’ll steal from the NIST cloud computing definition and start with some essential characteristics. We define big data as any data repository with the following characteristics: Handles large amounts (petabyte or more) of data Distributed, redundant data storage Parallel task processing Provides data processing (MapReduce or equivalent) capabilities Central management and orchestration Inexpensive – relatively Hardware agnostic Accessible – both (relatively) easy to use, and available as a commercial or open source product Extensible – basic capabilities can be augmented and altered In a nutshell: big, cheap, and easy data management. The “big data” revolution is built on these three pillars – the ability to scale data stores at greatly reduced cost is makes it all possible. It’s data analytics available to the masses. It may or may not have traditional ‘database’ capabilities (indexing, transactional consistency, or relational mapping). It may or may not be fault tolerant. It may or may not have failover capabilities (redundant control nodes). It may or may not allow complex data types. It may or may not provide real-time results to queries. But big data offers all those other characteristics, and it turns out that they – even without traditional database features – are enough to get useful work done. So does big data mean the Hadoop framework? Yes. The Hadoop framework (e.g. HDFS, MapReduce, YARN, Common) is the poster child for big data, and it offers all the characteristics we outlined. Most big data systems actually use one or more Hadoop components, and extend some or all of its basic functionality. Amazon’s SimpleDB also satisfies the requirements, although it is architected differently than Hadoop. Google’s proprietary BigTable architecture is very similar to Hadoop, but we exclude

Our very own Gunnar Peterson is co-presenting what looks like an insanely awesome mobile application security class. And with a name like The Mobile App Sec Triathlon you know I am interested. The class is November 5-7 in San Jose, and you can get more information and sign up This class covers what developers, architects, and security people should know when working on Mobile, iOS, and Android. The first day is more high level, with the second two days all developer hands-on. Gunnar also wrote a post on why he trains, with a lot more information. This is really a great opportunity, and I don’t believe there is anyone else as qualified offering this sort of class. Share:

In today’s news we see yet another zero-day Internet Explorer exploit being used in the wild. And once again, soon after becoming public, an exploit was added to Metasploit. Well, sort of. While the in-the-wild attack only works against Windows XP, the Metasploit version works against Windows 7 and Vista. (Note that IE 10 isn’t affected). You can read the article linked above for the details, but this gets to something I have been recommending privately for a while: support 2 browsers, even if one is only for emergencies. First of all, ideally you’ll be on a modern operating system. I’m not one to blame the victim, but allowing XP is a real problem – which I know many of you fight every day. Second, this advice doesn’t help with all browser-based attacks, especially Java. But you can configure it in a way that helps. Choose a secondary browser that is allowed for web browsing. Chrome is most secure right now, but make sure you set its privacy defaults to not bleed info out to Google. Ideally block Java in the browser. Maybe even Flash, depending on how you feel about the Chrome sandbox. If something like this IE flaw hits, notify users to use the secondary browser for outside websites (odds are you need IE for internal web apps programmed by idiots or 19th-century transplants, and so cannot ban it completely). If you can, set a network policy that (temporarily) blocks IE from accessing external sites (again, you can make exemptions for partners). Unfortunately I don’t believe many tools support this. I know this advice isn’t perfect. And there are tools like Invincea and (soon) Bromium that can likely stop this stuff cold in the browser – as well as a few network tools, although history shows signature-based defenses aren’t all that effective here. But if you can pull it off you aren’t stuck waiting for a patch or another workaround. Especially if you go with the “block Java / isolate or block Flash” option. This approach allows you to still only support one browser for your applications, and use a secondary one when needed without users having to violate policy to install it themselves. Share:

For years security folks have grumbled about the role compliance has assumed in driving investment and resource allocation in security. It has all been about mandates and regulatory oversight, which drive a focus on protection, ostensibly to prevent data breaches. We have spent years in the proverbial wilderness focused entirely on the “C” (Confidentiality) and “I” (Integrity) aspects of the CIA triad, mostly neglecting the “A” (Availability). But that hasn’t worked out too well. Regulators pretty much only care whether data leaks out. They don’t care about the availability of systems – data can’t leak if the system is down, right? Without a clear compliance-driven mandate to address availability (due to security exposure), many customers haven’t and won’t do anything. Of course attackers know this. So they have adapted their tactics to fill the vacuum created by compliance spending. They increasingly leverage availability-impacting attacks to both cause downtime (costing site owners money), and use availability issues to mask other kinds of attacks. Yes, these availability-impacting attacks are better known as Denial of Service (DoS) attacks. To be clear, most security professionals are very familiar with DoS attacks. It may be hard to remember back over a decade ago, but in the heyday of the Internet bubble we saw many old-fashioned Distributed DoS (DDoS) attacks targeting high profile web properties (think Yahoo and E*Trade, back in the day), with attackers like Mafiaboy doing the damage more for notoriety than to cause real economic damage. Over the past decade attackers have reoriented toward financially motivated attacks, which has meant increasingly application-centric attacks designed to evade detection and exfiltrate lucrative data. Obviously knocking down a target interferes with efforts to rob it electronically. But DDoS never really went away – it became a supplementary extortion tactic. In this scenario, attackers would communicate with a company and promise to knock down their site unless they received a ransom. It’s a simple shakedown move, and many targets were simply unable to survive a significant outage. They paid up rather than fight. We didn’t hear about many of these attacks – nobody wants to publicize that they are vulnerable to shakedowns. But that is all changing now. It’s like Back to the Future a bit – the rise of hacktivism has brought the Denial of Service back into a prominent position in the nightmares of security folks. Facilitated by the availability of open source tools such as LOIC and the availability of bot networks to launch attacks, a DoS renaissance is underway – which means availability has once again become a major factor in security architecture and control design. We try to do forward-looking research at Securosis. So we have started poking around, talking to practitioners about their plans, but we still see a knowledge gap around the kinds of Denial of Service attacks in use today and the defenses needed to maintain availability. So today we launch a new series: Defending Against Denial of Service Attacks, which will (unsurprisingly) provide guidance on the DoS attacks in use today, defensive tactics, and the basic process required for any chance to defend your organization. Let’s start by understanding the major kinds of DoS attacks. Flooding the Pipes versus Filling the Servers We’ll dig into specific attack tactics in much more depth in the next post, but to understand Denial of Service we need to draw a clear distinction between network-based attacks and application-based attacks. Both have the same objective: to impair availability – but they go about it in fundamentally different ways. Network-based attacks overwhelm the network equipment and/or totally consume network capacity by throwing everything including the kitchen sink at a site. This prevents legitimate traffic from getting to the site. This volumetric type of attack tends to be what most folks consider Denial of Service, because it is the most visible type. If your adversary has a big enough cannon it’s very hard to defend against these attacks, and you will quickly be reminded that bandwidth may be plentiful, but it’s certainly not free. Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These kinds of attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions. The beginning of a network-based attack is fairly obvious. But application-based DoS attacks are less obvious – you are unlikely to discover the attack is underway until servers inexplicably start falling over – so they require more sophisticated defenses. That said, much of DoS defense is about properly leveraging existing controls, and of course compliance mandates haven’t gone away, so still have those required controls. Since you are already robbing Peter to pay Paul to address audit deficiencies, for DoS protection you need to focus your defenses on the attacks you are most likely to see. Which brings us to our next concept: studying your adversaries. Adversary Analysis A new tactic increasingly leveraged by security practitioners is adversary analysis. It’s not enough to just understand attacks and build defenses based on attacks – there is simply too much attack surface, and too many attack vectors. Your security success depends on your ability to prioritize your efforts, as we hammered home in the Vulnerability Management Evolution paper. This involves making strategic bets about who is most likely to attack you and what tactics they tend to use. This will enable you to build control sets with the right initial focus, based on what’s likely to happen. Of course you will be wrong – attackers evolve tactics over time – but in the universe of things you can do, this approach helps narrow your options into something (mostly) manageable. So let’s coarsely group the kinds of adversaries who use DoS attacks. Protection Racketeers: These criminals use a DoS threat to demand ransom money. Attackers hold a site hostage by threatening to knock it down, and sometimes follow

Rich here. Way **way** back in my earliest Gartner days one of my first speaking engagements was a series of three-city tours where I was paired up with an extremely experienced telecom analyst. I was still in my twenties, and probably wasn’t qualified to wash my privates — never mind advise anyone on their security strategy. This was an awesome training ground for a number of reasons. First of all, the stakes were low — these were smaller audiences, out for a free event. Second was all the practice I got, giving the same talk three days in a row to different groups. And it was great to work with an exceptionally good speaker with oodles of experience. But that’s not what I’m going to talk about. The best part for me, as someone with an unhealthy attraction to wireless devices, was spending time with someone who’d been on the inside of the telecom industry for over 20 years. The tech part I could understand easily enough, but the business side was far more fascinating than I expected. And this was after I had worked in Europe for a few months helping design the first system to sell and activate mobile phones over the Internet. Nick hammered one rule into my head that hasn’t changed in the dozen-odd years since. “Telecom providers are greedy and stupid”. Every single decision they make is dependent on those baseline traits. This is especially relevant as I try and figure out just what combination of iPhone 5 and data plan will best fit my needs. First there are the relevant technology limitations. Such as the fact that LTE is a data-only standard, and carriers around the world haven’t really figured out the voice details. So the phones have to support their *old* voice and data standards (GSM or CDMA) *plus* LTE, and your phone might behave differently depending on your coverage. The best example is that Verizon only supports voice and data at the same time if you are on LTE, but not on 3G. Then there are all the roaming agreements and spectrum issues for us world traveler types. Like when I was in Russia and it was $5 per minute for voice calls *on the discounted plan*. For comparison a satellite phone is around $1 per minute, but you need a clear view of the sky. Then there are the plan and transition issues. All the carriers hooked us with unlimited data, then said “f*** off — you are over-using what you paid for”. So we have things like shared data plans, which look better but probably cost more for most people. And then there is the very special case of AT&T, who will change their iPhone 5 signal indicator to a big fat middle finger. (Or the other 2-finger gesture, if you are roaming from the UK). Want FaceTime over cellular? Just switch to our more expensive plan and consider yourself lucky we **let** you install Angry Birds! You want 4G? Fine, we’ll change the display to say 4G to shut you up. Not that Verizon is innocent. They might make a big deal over not restricting FaceTime, but they have to allow it (and Personal Hotspot) thanks to agreements they made with the US government for LTE spectrum. It’s only a feature because they were forced. And those of you in Europe and Asia? Man, when I worked in Europe back around 2000 it was paradise compared to the US. Now I hear it’s more like paying for a high-priced dominatrix who beats the crap out of anyone else who looks at you funny. And that still beats Australian providers, who are friggin’ Mother Theresas compared to *Canadian* providers. So I hear. Then again, us Apple folks live in paradise compared to all the hacked-together Android phones you can’t update, which carriers load down with their “value add” user interfaces and crapware. I don’t mind the carriers making money, and I don’t mind paying for my data, but they clearly haven’t figured out that brand loyalty and happy customers might, just possibly, come from a positive user experience beyond “Oh good, I didn’t lose this call.” Instead of adopting the traits that made Apple so popular, they are trying their damndest to maxmize revenue and reduce churn through penalty-based lockin. But it could be worse. They *could* start smashing your head against a wall of glass shards while calmly stating “your call is very important to us,” like cable companies. On to the Summary: ##Webcasts, Podcasts, Outside Writing, and Conferences * [Mike quoted in this Silicon Angle series on CyberWars](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/). Probably too much hype here and overuse of buzzwords, but decent perspectives on the attackers. [Part 1](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/), [Part 2](http://servicesangle.com/blog/2012/08/08/cyberwars-2-welcome-to-the-wild-wild-west-cyberwars/), [Part 3](http://servicesangle.com/blog/2012/08/09/cyberwars-3-a-new-business-reality-cyberwars/) * Rich quoted [about a not-so-great mobile study](http://securitywatch.pcmag.com/none/302447-problems-with-pew-s-mobile-privacy-study). ##Favorite Securosis Posts * Adrian Lane: [The Five Laws of Data Masking](https://securosis.com/blog/the-five-laws-of-data-masking). I pulled another classic Securosis post for this week’s fave. * Mike Rothman: [Incite 1/25/2012: Prized Possessions](https://securosis.com/blog/incite-1-25-2011-prized-possessions). Evidently we don’t blog any more (doh!), so we have taken to digging through the archives and highlighting pieces from the past. Here is an Incite I wrote back in January, and it reminds me of what’s important. To me, anyway. * Rich: Mike starts his new DDoS series — [Defending Against Denial of Service (DoS) Attacks](https://securosis.com/blog/defending-against-denial-of-service-dos-attacks-new-blog-series) ##Favorite Outside Posts * Mike Rothman: [It’s More Important to be Kind than Clever](http://blogs.hbr.org/taylor/2012/08/its_more_important_to_be_kind.html). Most businesses are always striving for improvement. But at what cost? This HBR post puts things in the proper context. _”Just make sure all their efficiency doesn’t come at the expense of their humanity.”_ * Adrian Lane: [Tracking Down the UDID Breach Source](http://intrepidusgroup.com/insight/2012/09/tracking-udid-src/). The thoughtful quest to figure out the UDID breach source. Well done! * Rich: Verizon’s [third post in a series on opportunistic attacks](http://securityblog.verizonbusiness.com/2012/09/11/ask-the-data-on-opportunistic-attacks-part-3/). I may pick on the wireless side, but the Verizon Business security guys are our best industry source for data driven reports right now. ##Research Reports and Presentations * [Understanding and Selecting Data Masking Solutions](https://securosis.com/research/publication/understanding-and-selecting-data-masking-solutions).

It seems like so long ago that I read the Opposites board books to the kids when they were toddlers. And it was. Today XX2 and the Boy turn 9. It’s hard to believe how quickly the time has flown. Just yesterday I was emailing with an old colleague and I figured his youngest daughter must be in college by now. Turns out she graduated last year and is now in a PhD program. I’m no spring chicken anymore, that’s for sure. On a more dour note, yesterday we remembered the tragedy of 9/11. For us the contrast between 9/11 and 9/12 couldn’t be more pronounced. When the twins were born in 2003, the emotions around 9/11 were still very raw. Yet, after a challenging pregnancy, including carrying close to 13.5 pounds of baby for 37 weeks, the twins showed up the day after. Talk about opposite emotions. But that’s not all that’s opposite. I look at the twins now and they seem like polar opposites. It’s not just their respective genders. XX2 is loud and over the top. The Boy is pretty shy and reserved. Their interests are different. Their strengths are different. Their weaknesses are different. What they eat is different too. It’s like looking at Yin and Yang every day. Obviously dealing with opposites can be challenging at times. But we not only tolerate, we embrace their individuality. We push the kids to be their own people and have their own interests. To find their likes, understand their dislikes and hopefully spend more time doing the former than the latter. They need to embrace the fact they are different from each other, from XX1, and from us. Even though they were born on the same day, that shouldn’t define the twins or their relationship. It was funny visiting camp with them, where we met a bunch of folks who had no idea they were twins. Brother and sister clearly, but also individuals. They weren’t constrained by being in the same grade, getting on the same bus, or having the same family friends. They could just be XX2 and the Boy. They’re lucky, as they’ve always had someone to play with and talk to, even before either could really talk. It’s true that many siblings have that kind of bond, but with twins it’s different. They not only share a birthday, but they share some kind of strange bond that outsiders can’t understand. They probably won’t appreciate it until they get older, but they don’t need to. For now, we’ll live in the moment and wish them a Happy 9th Birthday! -Mike Photo credits: Yin Yang Candy originally uploaded by FadderUri Incite 4 U Research, not hyperbole: The first I heard of the supposed AntiSec/FBI/Apple UDID ‘hack’ last week was via email from a journalist I respect. He was checking in on the plausibility of the scenario. I was out of the office, but after a bit of research my response was (real cut and paste here): “I can’t really say anything informative. Could be true, could be BS, could be data they got from another source and then are pretending is from the FBI. No real way to know what’s true, and the folks who do this sort of thing like using a lot of disinformation.” Thanks to David Schuetz (@DarthNull) we have evidence the data came from an app vendor. The initial denials from the FBI and Apple, and the vendor saying they think it was them, reinforce this. As we continue our journey into the days where chaotic actors directly manipulate the press through social media, perhaps we should keep a little skepticism on the table. (Great work David!) – RM Targeted, not targeted attacks: It’s great that guys like Jay Jacobs have the time to mine security data and sometimes come across some pretty interesting ideas. Many of us make decisions mostly based on anecdotal evidence, which is usually close enough to point you in the right direction. But being able to analyze and quantify things can be cool. Jay just finished up a series examining what he calls opportunistic attacks (Part 1, Part 2), which are basically non-targeted attacks. But that gets back to how you define targeted. We tend to think about a targeted attack as focused on a specific organization, but as Jay shows, the bad guys are actually targeting by focusing their recon activities. They looked for a specific port, usually sending just one packet, and if they didn’t find it open, they moved on to the next target. Evidently it’s a big world and they don’t want to spend a lot of time going deep into a site to find an issue that may or may not be there, so they just move on. So these attackers are actually targeting, but a specific vulnerability rather than a specific victim. – MR A long way to go: Tom’s IT has a visual history of cryptography. What struck me, when looking at cryptography in this way, is how backwards it all seems. Simplistic, unscientific, and less than parlor trick obscurity. It dawns on you just how bad cryptography has been until very recently, and with the rate of change we are seeing, how much further we need to go. When I learned cryptography, DES was widely used and shipping 40-bit encryption algorithms out of the country would get you locked up for violating federal munitions restrictions. There was still a sense of mystery to it. Like most technologies, we have improved exponentially at algorithms and understanding attacks in just the last 10-15 years. But something about this visual representation makes me think we are still in the dark ages of this science. – AL Maximizing your pen test: Good post here on the SpiderLabs blog about how to get the most from your pen test. Yes, it’s a lot of common sense, but that’s okay. Far too many folks apply precious little sense in their daily activities. Their point is to

I thought 35 years later, Voyager 1 is heading for the stars was very cool. It brought back many memories of starting my career at Jet Propulsion Laboratories. Voyager had been in space for a decade when I started there, but these satellites were just starting to send the stunning images back from Saturn and Jupiter. Every morning people got into work early just to see what data was sent back from the night before. Friends were processing the images, doing error and color corrections, and we were seeing other planets up close and personal for the first time. We used to get copies provided to us as employees, many with color enhancement to highlight certain features of the planets and moons. It added an element of excitement to my early career that almost made us forget we were at work. And it was fun working there. JPL teemed with really smart Caltech grads with math skills beyond most mortals. I got to see Carl Sagan speak – twice. I got to see artifacts from the rocket projects that nearly burned down the Caltech campus, and prompted JPL’s creation in the back canyons of La Canada – where they were unlikely to set anyone else on fire. I went on tours of many of the projects, control centers, and laboratories where components of space vehicles were tested. And there were many other satellite projects going on at the time, like the Galileo Spacecraft, which was in many ways more impressive that Voyager. Sure, doing mainframe and dBaseIII+ database programming seemed mundane in comparison, but what I was actually being paid for was just a small part of working there. Stuff like Voyager got me interested in science and technology, and at the time I thought I was working in one of the coolest places on the planet. It helped pushed me through college because I knew there was way more interesting stuff going on outside – in the real world. Where else could you go see wind tunnels and rocket engines and hand-held nuclear reactors and giant gold-plated radio antennae during your lunch break? The back lot was quite literally a bunch of “space junk”, with things like a platform that held the lunar rover on the Apollo spacecraft during its trip to the moon just lying in the weeds. How freakin’ cool is that? And I marvel at a simple, fragile appliance that was catapulted into space at catastrophic speeds, through planetary rings and heated fields of plasma. Something designed and built before the Apple II was even available for sale. But it continues to function and send back radio data to this day. Amazing. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in a Silicon Angle series on CyberWars. Probably too much hype and overuse of buzzwords, but decent perspectives on the attackers. Part 1, Part 2, Part 3 Mike’s Dark Reading column on tough choices. Rich will participate on Protecting Your Digital Life August 22.. Adrian joined Rich and Martin on The Network Security Podcast, episode 285. Adrian won the Nimby Award for Best Identity Forecast Blog. Favorite Securosis Posts Mike Rothman: Gaming the Tetragon. Since we haven’t written much new stuff of late, I figured I’d go back and mine some of the classics of yore. My recent rant on Earning Quadrant Leadership wasn’t the first time I made similar points about the MQ. The first was a couple of months after I joined Securosis, in this post complete with a fancy picture. Users should pay attention to this stuff because if your preferred solution isn’t in the ‘right’ quadrant you might not get to buy it. So you need to game the system from both sides. Adrian Lane: Database Connections and Trust. This week I pulled out an old post to show the app developer mindset – when it comes to data storage and non-relational environments these issues are even more important. Other Securosis Posts Incite 9/4/2012: Dealing with Dealers. Friday Summary: August 31, 2012. Favorite Outside Posts Adrian Lane: Advanced Exploitation of Xen Hypervisor Memory Corruption Bug. On the more technical side, but this is interesting. Mike Rothman: Mobile Attack Surface. GP does it again. Great post here expanding on some of Jim Manico and Jim Bird’s work on defining mobile attack surface. This quote is right on the money: “I use the Attack Surface Model in combination with a Threat Model to identify and locate countermeasures.” Mobile devices are necessarily different and we need to start thinking about how our security is gong to necessarily change. Necessarily. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Malware Analysis Quant: Metrics – Dynamic Analysis. Research Reports and Presentations Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Report: Understanding and Selecting a Database Security Platform. Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform. Top News and Posts Hacker ‘steals’ Hertfordshire Police Database. Anonymous Leaks Apple UDIDs Following Alleged Hack of FBI. How the FBI might’ve been owned (12M Apple records). FBI Says Laptop Wasn’t Hacked; Never Possessed File of Apple Device IDs. Confirm nothing. Deny everything. Make counter-accusations. That’s the playbook. Apple Releases Fix for Critical Java Flaw. Hacker steals $250k in Bitcoins from online exchange Bitfloor. FBI Arrests Suspected LulzSec Hacker For Sony Pictures Attack. Right here in the greater Phoenix area. Huh. Adobe fixes Photoshop heap overflow. McAfree has detected 1.5 million new malware samples in the last three months. A Handy Way to Foil ATM Skimmer Scams. TSA Denies Stonewalling Nude Body-Scanner Court Order. Blog Comment of the Week Remember, for every comment

Back in March I mentioned it was about time for a new set of wheels. Of course nothing happens quickly in my world, so it wasn’t until mid-June that I got serious about a new car. You’d figure a guy like me would relish the opportunity to sit across from a car salesperson and beat them into submission to get the best deal. I’m not the kind of guy to blink, and I’d just as soon walk out if I don’t get what I want. Turns out I’ve been there and done that, and despite living to tell the tale, I have learned there is a better way to skin this specific cat. Of course, not everyone gets this or is willing to listen to a different approach. I remember 8 years ago when my in-laws told me they were going to test drive a new car. I told them not to buy the car that day. Just go in and test drive it. That I’d help them and save them some money. Sure enough they had to drive over to show me their spanking new generic car that they bought right off the lot. From the first dealer they visited. They got a good deal. That was their story and they were sticking to it. But they pretty much got raped. Hard. I just shook my head. But you know, they felt good about it, so I wasn’t about to piss in their oatmeal. But going into a car dealership and buying a car is a pretty stupid way to do things. Regardless of how good a negotiator you are, if you go into a dealership to negotiate for a car you’re doing it wrong. About 10 years ago I was introduced to a service called Fighting Chance. It’s pretty much a research service for car buyers. I get the power of research and tracking trends and leveraging other folks’ experiences to save time and money. That’s what I do for a living, after all. The fine folks at Fighting Chance teach you how to buy the car based on what’s really happening in the field, give you information about promotions and deals, help you figure out the data you need to compare apples to apples, and provide target values for recent sales for the model you are looking for. The service is awesome. It costs something like $40 and has saved me thousands. Their idea is that a car is a commodity. If you live in a typical metropolitan area, each car brand has 10-25 dealers within a short drive who will be happy to sell you a car. The exact same car. It’s not like Dealer A has a different Honda than Dealer B. You don’t buy a commodity by dealing with one seller. Not if you’re smart, anyway. You buy a commodity by getting dealers to compete with each other. I won’t give away the exact process (you should buy the service), but it involves getting dealers to bid against each other. I was able to buy a brand new current model Honda CR-V substantially under invoice by getting bids from 5 local dealers. I handled the process via email and a few phone calls, and it took me a couple hours. By the way, most car dealers hate this approach. They prey on folks who don’t know what they are doing. But it turns out that smart dealers focus on volume and make it up on the back end through incentives and other payments from the manufacturers, with far higher margins on services and trade-ins. These folks love guys like me, since I know exactly what I want and can get the transaction done in an hour. Notice I said CR-V, not Prius V, my preference back in March. Both the Boss and the dealer pointed out to that driving only about 7,000 miles a year means negligible savings in gas, and for 10% less I could get the fully decked-out CR-V instead of a mid-level Prius V. And they were right. Who said I’m inflexible and rock-headed? –Mike Photo credits: USED CAR SALESMAN KITTY originally uploaded by victoriafee Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Pragmatic WAF Management Securing the WAF Application Lifecycle Integration Policy Management Incite 4 U Showing your true colors: Great post by Conrad Constantine about maintaining your sanity when dealing with a high profile incident. He should know – he was at ground zero for a pretty serious one. He points out that you’ll get to meet some pretty big wheels in your organization, and they will want answers and direction. Even if you don’t have any. He starts by telling you to keep a timeline of exactly what happened. Even if that information never sees the light of day (and likely it won’t) you need it. Conrad provides tips for playing above your pay grade and living to tell about it, and talks about the reality behind the PR spin machine. His point that it always ends at some point, and things go back to the new normal, are exactly right. But the best idea in the post is the reality of how people behave under duress: “Before anything else, no matter what field you work in during times of crisis you will see everyone’s true colors brought forth – not least of which – your own.” What he said. – MR Security Bypass: It’s not that IT users thumb their noses at IT security, as claimed by the author of this analysis of the iPass Mobile Workforce Report. But users sidestep anything that makes work more difficult. If the impediment is security controls on applications or data usage, users find ways around it. Mobile

Rich here. Yesterday I published an article over at Macworld on the New Java exploits, and why Mac users likely aren’t at risk. As with many previous articles on Mac security, I’m getting really positive feedback. Heck, I have even had people tell me that I’m currently writing the best stuff out there on Apple security overall. (Probably not true, but I’ll take it.) When I asked some people privately about this, they told me they like my articles because they are accurate, hype free, and practical. The thing is, there really isn’t anything special about how I write this stuff up. Some days I feel like it’s some of the easiest prose I put on the screen. I think there is one compelling reason there are so many bad security articles out there in general (when we write about attacks), and even more crap about Apple products. Page views. Anytime anything remotely related to security and Apple comes up, there is a bum rush to snag as many mouse clicks as possible, which forces those writers to break pretty much every rule I have when writing on the issue. Here’s how I approach these pieces: Know the platform. Don’t hype. Research, and don’t single source. Accurately assess the risk. Accurately report the facts. This isn’t hard. It really comes down to understanding the facts and writing without unnecessary hype. From what I can tell, this also results in solid page views. I don’t see my Macworld or TidBITS stats, but from what they tell me the articles do pretty well, even if they come a day after everyone else. Why? Because many of the other articles suck, but also because users will seek out information that helps them understand an issue, rather than an article that just scares them. These are the articles that last, as opposed to the crap that’s merely thinly-disguised plagiarizing from a blog post. I get it. If it bleeds, it leads. But I would rather have a reputation for accuracy than for page views. There are also a bunch of articles (especially from AV vendors) that are technically accurate but grossly exaggerate the risk. Take all the calls for the impending Mac Malware Epidemic… by my count there have only been two large infections in the past two years, neither of which resulted in financial losses to consumers. I really don’t care how much Elbonian porn is back-doored with trojans. (I have been waiting 5 years to write that sentence). Anyway, for those of you who read these articles rather than writing them, here are a few warning signs that should raise your skepticism: Are all the quotes from representatives of security companies with something to gain from scaring you? Does the headline end in a question mark? Is it cross-platform, but ‘Mac’ or ‘iPhone’ got shoehorned into the headline to snag page views? Is more than one source cited? Multiple blog posts which all refer back to the same original source don’t count. Does the article provide a risk assessment in the lead or only in the conclusion? Does it use phrases like “naive Apple users”? Then again, I don’t get paid by hit counts. Or maybe I just underestimate how many people download Elbonian porn. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in this Silicon Angle series on CyberWars. Probably too much hype and overuse of buzzwords, but decent perspectives on the attackers. Part 1, Part 2, Part 3 Mike’s Dark Reading column on making tough choices. Rich covered the Java exploit for Macworld. Favorite Securosis Posts Adrian Lane: Ur C0de Sux. Seeing as we have not been able to blog much lately, I pulled out an old favorite. Mike Rothman: Always on the Run. When I read my intro to this week’s Incite again, I realized it’s pretty good advice. To me. So I’ll bookmark it and get back to it every time I start dragging a bit. Just keep running and good things happen. David Mortman: Pragmatic WAF Management – Securing the WAF. Other Securosis Posts Slow week – and to be honest, next week will also be slow thanks to way too much travel. We promise to get back to annoying you more consistently soon. Maybe. Favorite Outside Posts Mike Rothman: How to set up two step verification on Dropbox. You probably use Dropbox. You probably don’t want anyone else in that file store. You probably should use two-step authentication. If it works as cleanly and easily as Gmail 2FA this is a no-brainer. I’ll be testing it over the weekend. Adrian Lane: Schneier on Security Engineering. “‘Security’ is now a catch-all excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.” Excellent post. Dave Lewis: Identity is Center Stage in Mobile Security Venn. David Mortman: Don’t build a database of ruin. Rich: The rise of data-driven security. Scott Crawford is A Very Smart Dude and has been tracking this issue longer than any other analyst. The report is for-pay only, but there is a lot of good info in the long (and free) intro post. Research Reports and Presentations Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Report: Understanding and Selecting a Database Security Platform. Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform. Top News and Posts New Java 0day With Maynor statements like “This is as about a bad a bug as I’ve ever seen,” and “This exploit is awesome,” you know it’s good. German police buy stolen data, accuse Swiss of aiding tax evaders. It sounds like German investigators not only sought out stolen financial data, but will continue to do so. New Trojan Discovered. Chrome: Blocked Plug-ins. For those who want a little more granularity than ‘On’ or ‘Off’. ISC(2) Board Petition Snafu. Oh, why am I not surprised? Project Viglio

Wake up. Get the kids ready for school. Exercise (maybe). Drink some coffee. Write. Make calls. Eat (sometimes too much). Write some more. Make more calls. Drink more coffee. Think some big thoughts. Pick up the kids from some activity. Have dinner. Get the kids to bed. Maybe get back to writing. Maybe watch a little TV. Go to bed much too late. Wake up and do it again. That’s an oversimplified view of my life, but it’s not far off. But that isn’t a bad thing – I really enjoy what I do. I reflect at least daily on the deal I cut with Satan to be able to actually make a living as a professional pontificator. But I am always on the run. Until I’m not, because there are times when my frontal lobe just shuts down and I sit in a mostly vegetative state or pass out on our couch. There doesn’t seem to be much in between. Is it healthy? You know, running as fast as you can until you collapse and then getting up and running full tilt again? I’m no runner, but it doesn’t seem to be a prudent way to train or live. A mentor always told me, “It’s not a sprint, it’s a marathon.” With ‘it’ being basically everything. Intuitively I understand the message. But that doesn’t mean anything changes. I still run at the razor’s edge of burnout and implosion, and every so often the machine fails. Yet I still find myself running. Every day. Consulting my lists and getting agitated when there isn’t structure to what needs to get done, especially at home. I’m constantly badgering the Boss for my list of house tasks every Saturday morning, so I can get running. Yet if I’m being honest with myself, I like my lists. More specifically, I like checking things off my lists. I like to feel productive and useful and getting things done helps with that. Again, that doesn’t mean that at the end of a long day or on Sunday afternoon I’m not slipping into that vegetative state. That’s how I recharge and get ready for the next day. This run, collapse, repeat cycle works for me. At least it does for now. In another 15 years, when the kids are out of college and fending for themselves, maybe I’ll have a different opinion. Maybe I’ll want to play golf, lounge by the pool, or sit in a cafe all day and read the newspaper. Or read whatever delivers news to me at that point in time, which is unlikely to be paper. Maybe I’ll just chill out, stop running, and enjoy the fruits of my labor. Then again maybe not. As I look back, I’ve been running at this kind of pace as long as I can remember. But it’s different now. Over the past couple years I stopped worrying about where I’m running to. I just get up every morning and run. Obviously I know the general direction my efforts are pointed in, but I no longer fixate on when I’m going to get there. Or if I’ll ever get there. As long as I’m having fun, it’s all good. And then a funny thing happened. I realized that I have a shot at hitting some of those goals I set many years ago. To actually get to the place I thought I was running to all this time. That’s kind of weird. What happens now? Do I set new goals? Do I slow down? Do I savor my accomplishments and take a bow? I’ll take D) None of the above. I think I’ll just keep running and wind up where I wind up. Seems to have worked out okay for me so far. –Mike Photo credits: Running originally uploaded by zebble Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Endpoint Security Management Buyer’s Guide Summary: 10 Questions to Ask Your Endpoint Security Management Vendor Platform Buying Considerations Pragmatic WAF Management Securing the WAF Application Lifecycle Integration Policy Management Incite 4 U Massive unpatched java flaw being exploited: First, just the facts. There is a massive remotely exploitable cross platform flaw in the latest version of Java. How exploitable? Just read David Maynor’s description of owning everything including OS X, Windows, and Linux. This is as bad as it gets folks. Here’s the drama: after FireEye posted some info, based on real world exploitations, the attack was quickly added to Metasploit and now any script kiddie can compromise nearly any vulnerable system they can get their hands on. I’m generally not thrilled when Metasploit adds exploit code for 0days without giving defenders any chance in hell of blocking or otherwise mitigating the problem. On the latest Network Security Podcast my co-host Zach mentioned that the exploit itself may have leaked from Immunity, who frequently includes 0days in their pen testing product and doesn’t notify vendors or wait for patches. Once again, we are shooting ourselves in the head as an industry because someone doesn’t like the smell of our feet. – RM Epic security research fail: You know those times when you aren’t paying attention to where you’re walking and you run into a pole? And when you get up you look around and hope no one is watching. That happened to FireEye’s research team last week when they inadvertently stumbled upon a honeypot set up by Kaspersky and made a big stink about a change in attacker tactics. It didn’t take long for the Kaspersky researchers to call them out, and within a few hours FireEye issued a retraction. As my kids say, whoopsie! But this is a manifestation of the race for something newsworthy to fill the media sites with fodder to