Research

Evidently it’s time to rethink our business model at Securosis. All you need to do is role out a certification program and wait for money to roll in. Actually prove skills? Bah, humbug. Actually require some sort of test? Screw that. Basically all you need is a CISO job and $200, and I have a certification for you. My severe case of snark is directed at the new Certified CISO program, introduced last week by the EC-Council. Those are the folks who do the Ethical Hacker certification, which is actually a decent program. This Certified CISO program? Not so much. How do you qualify to be a Certified CISO? Basically you need to have a pulse and a job. For the next year, all you have to do is show that you have 10 years of experience with 6 years across the 5 CISO domains (Governance, Controls and Auditing Management, Management – Projects and Ops, Security Core Competencies, Strategic Planning & Finance). Not that there isn’t something to be said about someone who decides to remain a CISO for 10+ years (besides questionable judgement), but who needs a certification to prove that? Do you wonder why most certifications are less useful than toilet paper? At least you can wipe your backside with toilet paper. Wouldn’t your resume just suffice – since this just proves your experience? Even better is the price. You can get this critical certification for the low, low price of $350 to apply and another $200/year to renew. I’m sure Lee Kushner is quaking in his boots, as clearly Certified CISOs will now reduce the need for CISO recruiting services. Companies can now just add this term to their resume filtering machines and move on to the next position, right? It seems the EC-Council plans to have some kind of test in 2012, although you can exempt out of that if you bother to get high-impact certifications like the CISSP, PMP, and CISA. Although it’s not clear to me how you’d build a truly objective test to show what’s really important for a CISO: persuasion skills and a very high tolerance for pain and frustration. And don’t think that we are anti-certification out of hand. We built the curriculum for the CCSK certification training program. It’s just that the certification has to have some grounding in reality. Is that too much to ask? All I can hope is that self-respecting CISOs see through this haze and realize that more letters on their business card don’t prove anything. Or maybe I’ll just stop tilting at windmills and roll out a Certified Pragmatic CSO program. Maybe that’s the ticket. Photo credit: “Very Happy Toilet Paper” originally uploaded by kim’n’Cris Knight Share:

At 20 years old, you are on a precipice of perception: you are an adult but many adults view you as a kid. In the back of your mind you worry a bit about how adults will perceive you. It was with trepidation that I met my best friend’s Mom in college. My friend George – someone I had only known a couple months, but felt like we had known each other for years – invited me to dinner. I was surprised when his truck stopped in front of my house and he was not in it – instead his mother was. The truck screeched to a halt and out popped the highest energy person I have ever met; with a hearty “Hi there,” she was literally effervescent with energy. I was reserved, wondering how the famous ‘Doctor’ would treat me – as a child or as an adult. She waved again, told me to get my ass out of the street and in the truck. I obliged, somewhat taken aback, and hopped in the passenger seat. She rolled up to the red light, looked both ways, and floored it! We screeched through the intersection, oncoming traffic be damned; up the street, fraternity boys racing for the sidewalks, we headed for home. I was in the passenger seat, looking at this 50-ish Mom in utter disbelief. She was flying through the streets of Berkeley. “Oh, shit!” she said, stubbing out a cigarette. “Don’t tell George I did that. He’ll have a fit I am driving his truck like this.” Then she started telling a dirty joke, and believe me, OB/GYN doctors have some some raunchy ones. It was at this point I relaxed, and I knew we were going to be friends. And we were. We have been very close for the last 24 years. I am not afraid to say I am closer to her that I was her son – and I consider George to be my brother. She would have adopted me had I been under 18; I know because she told me several years later she tried. While I had my own place at Cal Berkeley during college, I lived with them. When I graduated I visited every free weekend. Even when I moved to Arizona, every Bay Area visit during the last 10 years included a mandatory stop to visit my friend and drink mocha-java coffee and talk about whatever: the stock market, politics, sailboat racing, Scotch, gardening, her crappy neighbor, broken sewer lines, etc. The details never mattered – it was always fun. She had a phenomenal intellect and a razor sharp wit. And the food – the food – was always memorable. My friend passed away this week from cancer. Her 5th bout in the last 11 years. She never mentioned that, as she was determined to keep all these struggles a secret. But I knew – one way and another I pieced it together. And I kept my mouth shut because I knew she would be pissed off it I let on – there is no value in embracing such things. And at any sign of pity she would have whacked me in the head before kicking me out of the house. So I called an visited as often as I could and never said a word, never acted differently. After all, life is to be enjoyed, and she lived it exactly the way she wanted to. And I’ll always remember her as that energetic, wickedly funny person person who just wanted to have fun. There will never be pity or regret, but she will be missed. Oh, and a short summary this week. Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR post on Segregating DBA And Admin Duties. Favorite Securosis Posts David Mortman: Security Management 2.0: Migration. Adrian Lane: Home Invasion: What would you do? Other Securosis Posts Incite 9/21/2011: Where’s Waldo? Friday Summary: September 16, 2011. Favorite Outside Posts David Mortman: Don’t Hit the Snooze Button on DigiNotar Alarm Bells. Adrian Lane: Top 10 Most Overhyped Technology Terms. Very entertaining read by Amrit Williams. But just so that does not go to his head, he does really suck at Twitter. Rich: Criminal Hack versus FOIA request: The Showdown. Read this one and just think about it for a moment. Anonymous and Lulzsec look pretty petty and malicious. Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. Research Reports and Presentations Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. Share:

It was a bit of a shock to us over two years ago, when we learned the Boy has a lazy eye. We found out when he got evaluated prior to entering kindergarten, and they said he needed to get his eyes examined. The Boss and I have very good vision, especially when we were growing up, so it was unexpected. Ultimately it’s not a big deal. He needs to wear glasses and we have to patch his good eye for a few hours every day to force his weaker eye to get stronger. We got him some pretty snazzy looking glasses. Oval in shape, you know, right out of the metrosexual handbook. Thankfully when you are 8, it’s cute. A couple years later, the glasses are part of him. He kind of looks strange when he doesn’t have them on. He is a boy, so he’s pretty hard on the glasses, with them always getting bent or otherwise screwed up. And when they don’t fit well, he tends to look over them. It’s not a conscious decision – he just lets them slide down his nose and goes about his business because his strong eye compensates. Or he doesn’t turn his head up when he’s looking up. Either way, he’s not getting the benefit of the glasses and it’s not helping to strengthen his weaker eye. During his quarterly check-up, the ophthalmologist suggested a new pair with bigger lenses that he wouldn’t be able to look over. We’re fine with that, but the Boy is a bit change averse. His first thought was that he didn’t want Waldo glasses. Those big frame models that make him look like the character from “Where’s Waldo?” We set the expectation that he’ll get the best glasses to address the issue, even if they are Waldo glasses. The Boss and I had a sneaking suspicion it wouldn’t end well, but we had to deal. I took him to the eyeglass shop and he started trying out frames. We found a pair that seemed good, which had rounder lenses. Not Harry Potter round, but rounder than his current model. I asked what he thought, and his response: “Horrible, Dad.” But both the optometrist and I told him they were cool, even if he didn’t believe us. Then I spied a pair of the dreaded Waldo glasses. “Boy, try these on!” After a little resistance, he put on the Waldo glasses (which were actually a pair of very expensive Calvin Klein models). I actually thought they looked good, but he was locked into the No Waldo position. He was clearly getting upset at the idea of having to get the Waldo model. Then I took the first pair with the rounded lenses and had him try those on again. Evidently it wasn’t the optometrist’s first rodeo either – he played up the cool frames and told him all the chicks would dig them. The Boy had no idea what he was talking about, but I was entertained. I had him put the Waldo glasses back on (just for good measure) and then try the rounded ones again. Then I went for the close. “So what do you think, dude?” He said, “I like them, Dad. They are cool!” Just like it was his idea. Win! Maybe at some point he’ll realize the conspiracy. Maybe not. Either way, it’ll be a lot harder for him to look over his glasses, which ultimately is all that matters. Even if it took a little manipulation to get him there. –Mike Photo credits: “Where’s Waldo” originally uploaded by Carolyn Coles Incite 4 U AV dying? Just like spam was going to be gone by 2004: Now that Microsoft has unveiled Windows 8 (talk about pre-announcing) with enhanced security features, the security industry is bracing for yet another assault on the cash cow of all cash cows: anti-virus. Evidently Win8 will have enhanced ASLR and heap stack protection, which is good news because <sarcasm>the attackers continue to stand still.</sarcasm> But it seems Windows Defender will be able to handle AV signatures now. First, AV signatures aren’t the answer. Second, inertia is substantial in both the consumer and business markets. If Microsoft said they were bundling white listing in, or some other mitigation that actually made a difference, I would be interested. But they didn’t so I’m not. But I do like the new Metro(sexual) interface. Not enough to actually use Windows, like ever, but it is pretty. – MR Needle in a crapstack: Most of the surveys we see in the security industry are pretty bad. They are driven by vendors looking for FUD to sell products. And hey, it’s our own fault because none of us wants to pay for the good stuff. (Our stuff excepted, of course 😉 ). But we can often find interesting nuggets anyway. These two surveys came courtesy of Martin McKeay, as prep material for this week’s podcast. The first, from Trustwave and Cybersource, tells us that 70% of businesses care more about their brands than PCI fines. Well, I sure as hell hope so – otherwise their priorities would be seriously out of whack. Then, courtesy of PWC, we find that only 13% of companies surveyed have a security strategy, reviewed the effectiveness of said strategy, and knew the types of breaches they suffered in the past 12 months. Heck, I’d say 13% sounds good – maybe even a little high. A lot of the rest of these two surveys is too tuned for my tastes, but I’m happy any time I can get a nugget or two. – RM Right tool for the job: If you are reliant upon email security to address HIPAA, you’ve already lost. But eWeek is positioning DLP Lite in email security tools as front-line defense for HIPAA. It’s a little like closing the window and leaving the front door wide open. Content screening of email is a last line of defense – one you hope you don’t

This is a bit off topic, but indulge me. We had a little situation in our neighborhood last week, involving a home invasion. A couple masked (evidently armed) guys tied up a family and ransacked their house. The father was in the garage when the intruders made their entrance. The mother and a teenage child were also in the house. This happened in my sleepy suburban neighborhood, so it can happen anywhere. The good news is that no one got hurt. They lost some money and some jewelry and I’d imagine they got a pretty good scare, given they were tied up in their bedroom after opening the safe. I don’t know the family, but it was the best outcome they could have gotten. As you can imagine, our neighborhood is in a tizzy. There are discussions of putting gates at the entrances, as well as significantly increasing the private security patrols that we contract. Yup, there is plenty of opportunity for security theater here. But security theater isn’t interesting to me. I deal with that crap every time I fly. It got me thinking about what I’d do in a similar situation. I’m in the garage, the Boss and the kids are in the house. Multiple armed men enter the garage. It’s quite a quandary. Some of you Hong Kong Phooey types might try to fend off the attackers. Do you run? Do you attack? Do you sacrifice everything to keep them out of the house? Do you try to talk some sense into them? Even if you have a gun in the house, how often are you in your garage? If you have an alarm, will you be able to hit the panic button? Should you, given that it could cause an unstable attacker to do something rash? Remember, you have family members in the house, which are unlikely to be as equipped as you to deal with the situation. I think I know what I’d do. But I’m not sure what standard operating procedure would be, so I’m asking for some help. I know a bunch of you have law enforcement and/or military backgrounds, and many have advanced training in all sorts of self-defense tactics. In a similar situation, what do you do? The police are holding a meeting in our neighborhood next week, so we’ll find out what they suggest we do. But that’s just one opinion, right? This seems like a targeted situation. The family has money and drives fancy cars, lives at the edge of the neighborhood, and their culture is known to keep cash and valuables in the house. None of which is my situation. But I’m wary of being too optimistic and naive about the risks to my family. So I’m going to do the threat models. I need to take precautions. I need to train my family what to do in a similar situation. What should I teach them? Share:

As we wrap up our Security Management 2.0 series, we have completed quite a journey. You have undertaken a disciplined and objective process to determine if it’s worth moving to a new security management platform. Assuming that your decision is to move, now it gets real. You need to implement and migrate your existing environment to the new thing, while maintaining service levels and without opening your organization to any additional risk. Walk in the park, right? Let’s address these migration issues, so hopefully you can learn from some of my pain. I started work at a previous employer two days after an IT consultancy performed a server migration. Coincidentally, at the same time I was helping a friend at a major bank review his data center migration plans. I’ll tell you that the bank had every phase of the change-over planned down in half-day increments, with backup plans in place following months of migration rehearsals. Let’s just say the IT consultancy had less elaborate plans. Bank employees knew their systems were critical and treated the migration as such – IT consultants, not so much. When I walked into the offices at my new job every server was down, removed from their racks, sitting in a pile by the door. The consultancy was assembling the new hardware – and had been for more than a day. Their plan was to finish the hardware in a day or so; when they finished that, they would install the operating systems. Then when they had the identity management system working, they planned to install the applications and import customer data. Out in the hallway, a few dozen very angry sales people paced the halls, idle, 3 weeks before the close of the quarter. It was a bad day for everyone. The IT consultancy’s contract was terminated that day. After plugging the old servers back in and dispersing the lynch mob outside the server room, I planned out how to migrate to the new servers without any additional downtime. It was not just for the business’s sake, but to ensure my personal safety as well. While I did not go to the same extremes as my friend’s team at a certain giant, I acknowledged my servers were no less critical to our business, and a seamless migration of services was mandatory. What can we learn from this somewhat transformative experience? A flash cutover never really is. We recommend you start deploying the new SIEM long before you get rid of the old. At best, you’ll deprecate portions of the older system after newer replacement capabilities are online, but you will likely want the older system as a fallback until the new functions have been vetted and tuned. We have learned the importance of this staging process the hard way. Ignore it at your own peril, keeping in mind that your security management platform sustains several key business functions. We have broken the migration process into two phases: planning and implementation. Your plan needs to be very clear and specific about when things get installed, how data gets migrated, when you cut over from the old systems to the new, and who performs the work. Plan The Planning step leverages much of the work you have done up to this point in the process of evaluating replacement options – you just need to tune it for the migration. Review: First, go back through some of the documents you created earlier in this series. First are the platform evaluation documents, which will help to understand what the current system provides, as well as the key areas of deficiency to address. These documents become the priority list for the migration effort, and form the foundation of the migration task list. Next, leverage what you learned during the Proof of Concept (PoC). When evaluating your new security management platform provider, you conducted a mini-deployment exercise. Use the findings from that exercise – what worked and what didn’t – to feed subsequent planning and address issues it identified. Focus on Incremental Success: What do you install first? Do you work top down or bottom up? Do you keep both systems operational throughout the entire migration, or do you shut down portions of the old as each node migrates? We recommend you use your deployment model as a guide. You can learn more about these models by checking out our Understanding and Selecting a SIEM paper. When using a mesh deployment model, it’s often easiest to make sure a single node/location is fully functional before moving on to the next. With ring architectures, it’s best to get the central SIEM platform operational and then gradually add nodes around it. Hierarchal models are best deployed top-down, with the central server first, followed by regional aggregation nodes in order of criticality, then down to the collector level. The point is to make sure the project is broken up to ensure success happens incrementally, and avoid proceeding down any wrong paths. Allocate resources: Who is going to do the work? When are they going to do it? How long will it take to deploy the platform, data collector and/or log management support system(s)? This is also the time to engage professional services and enlist the new vendor’s assistance. The vendor presumably does these implementations all day long, so they should have expertise at estimating these timelines. You may also want to engage them to perform some (or all) of the work in tandem with your staff, at least for the first few locations until you get the process down. Define the Timeline: Estimate the time it will take to deploy the servers, install the collectors, and implement your policies. Add some time in for testing and verification. There is likely some ‘guesstimation’ on your part, but you have some reasonable metrics to base your plan on, from the PoC and prior experience with SIEM. You did document the PoC, right? Plan the project commencement date and publish to the team. Solicit feedback and

It was the idea of a party that got me thinking about it: I loved the 1990’s. It was a great decade – for me at least. I had just graduated college and pretty much everything was new. During that decade I met my wife, got married, got my first place on my own, bought my first house, got my first promotion to CTO, was finally able to buy a car that cost more than a week’s salary, made good money, was best man at four friends’ weddings, started my first company, finally got to travel the US, and made many lasting friendships. The silicon valley was a great place to work back then – it seemed like every week there was some amazing new technology to work on, or an exciting new trend. This last decade sucked. I closed my first company, nearly lost every penny in the tech crash, had serious doubts about what I wanted to do with my life, was uncertain whether I wanted to stay in technology, suffered health issues, avoided the news every day in case ‘W’ did something else to piss me off, worked with jerks, moved friends out of their foreclosed homes, watched other friends implode, and finally closed my wife’s real estate office. It certainly has not been all bad, but there have been an inordinate number of poop storms. It feels like I have been enduring this depression – the economic one that technically started in 2007 with the real estate collapse – since the 2001 tech collapse. Everything good of the 90s was counterbalanced by the bad of the 2000s. My attitude and optimism took a severe beating. But things are getting much better – even though some places in Phoenix still look post-apocalyptic. I get to live at home now: no more interstate commute. I no longer work on Monkey Island. In the last 18 months or so, while the work load is staggering, this little business of ours has been growing. And I could not ask for better business partners! Technology is interesting again. I have finally gotten a life/work balance I am comfortable with. I don’t tie my entire sense of self worth to my work any longer. The family is healthy and happy, my wife is embarking on a new career, and it feels like we have turned a corner. So my wife and I decided it was time to come out of our doldrums and do something fun. As a symbol, we chose to revive our Halloween party – which we used to throw in the Bay Area for 80-100 people. We debated it for a long time – were we really in the mood? It was decided we would do a coming out of the depression party – a 1940s theme to commemorate the last time the US came out of a depression. We’ll arrange the living room like a scene from ‘Casablanca’, throw in some jazz & swing music, and top it off with classic cocktails. I think it should be a good time and I feel strangely optimistic. I doubt any of the three people reading this will be in Phoenix the weekend before Halloween, but if you are, let me know and I’ll scrounge up an invite. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian in webcast: Security Mgmt 2.0: Time to Replace Your SIEM? Favorite Securosis Posts Rich: Payment Trends and Security Ramifications. Awesome summary. Adrian Lane: Payment Trends and Security Ramifications. Yeah, I am picking my own post. Mike Rothman: Fact-Based Network Security: In Action. Someone else will link to Rich’s great SSL post, so let me highlight the kind of post I like best. Applied use of theory, even if it is a concocted scenario. You should read all the posts in this series. It’s good stuff if I do say so myself, and I do. David Mortman: Building an SSL Early Warning System. Other Securosis Posts Incite 9/14/2011: Mike and the Terrible, Horrible, No Good, Very Bad Day. Security Management 2.0: Making the Decision. Recently on the Heavy Feed. Friday Summary: September 9, 2011. Speaking at OWASP: September 22 and 23. Security Management 2.0: Vendor Evaluation – Driving the PoC. Security Management 2.0: Negotiation. Favorite Outside Posts Rich: Criminal Hack versus FOIA request: The Showdown. Read this one and just think about it for a moment. Anonymous and Lulzsec look petty and malicious. Adrian Lane: Protecting against XSS. Good analysis of XSS and tips on how to handle it. Mike Rothman: Surviving 9/11: Ten Years Later. Haunting story from Penelope Trunk about her experience surviving the 9/11 attack. And how she learned to be OK stepping off the fast track. “I am not a person who waited until the end of my life to slow down. I’m someone who stopped competing.” Word to that. David Mortman: DigiNotar: surveying the damage with OCSP. Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. Research Reports and Presentations Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Top News and Posts LexisNexis’ study on the true cost of fraud. Huh. Intel and McAfee Unveil DeepSAFE. Debated whether qualified as news, given my first-hand knowledge that hardware-level security hooks for A/V, identity, and OS have been under serious consideration at Intel since at least 1998. But now we have a live implementation so I am interested to see the value it provides. Apache HTTP Server 2.2.21 Released Several important security fixes. Patch Tuesday Blocks More DigiNotar Certificates. Adobe, Windows Security Patches via Krebs. Microsoft Windows 8 will ship with built-in anti-virus. Blog Comment of the Week Remember, for every comment selected, Securosis makes a

You have made your decision and recommended it up the food chain, so now the fun part begins. Well, fun for some folks, anyway. For this post we’ll assume you have decided to move to a new platform. We understand some people decide not to move, but use the question of switching as a negotiating tactic. But it bears repeating that it is no bad thing to stay with your existing platform, so long as you have done the work to determine it can meet your requirements. We’re writing this paper for the people who keep telling us how unhappy they are, and how their evolving requirements have not been met. So after asking all the right questions, if the best answer is to stay put, that’s a less disruptive path anyway. Replacement Tactics For now, though, let’s just assume the current platform is not going to get there. Now the job is to get the best price for the new offering. Here are a few tips to leverage for the best deal: Time the buy: Yes, this is Negotiation 101. Wait until the end of the quarter and squeeze your sales rep for the best deal to get the PO in by the last day of the month. Sometimes it works, sometimes it doesn’t. But it’s worth trying. Tell the incumbent they have lost the deal: The next step is to get the incumbent involved. Once you put in a call letting them know you are going in a different direction, they usually respond. Not always, but most times the incumbent will try to save the deal. And then you can go back to the challenger and tell them they need to do a little better, because you got this great offer from their entrenched competition. And just like when buying a car, to use this tactic you must be willing to walk away. Look at non-cash add-ons: Sometimes the challenger can’t discount any more. But you can ask for additional professional services, modules, boxes, whatever. Remember, the incremental cost of software is zero, zilch, nada – so vendors can often bundle in a little more to get the deal. Revisit service levels: Another non-cash sweetner could be an enhanced level of service. Maybe it’s a dedicated project manager to get your migration done. Maybe it’s the Platinum level of support, even if you pay for Bronze. Given the amount of care and feeding required to keep any security management platform tuned and optimized, having a deeper service relationship could come in handy. Dealing with your boss’s boss: One last thing – be prepared for your recommendation to be challenged, especially if the incumbent sells a lot of other gear to your company. The entire process we have laid out prepares you for that call, so just go through the logic of your decision once more, making clear that your recommendation is the best direction for the organization. Tactics for the Status Quo But it would be pretty naive to not be prepared in case the decision goes the other way – due to pricing, politics, or any other reason beyond your control. So it you have to make the status quo work and keep the incumbent, here are some ideas flor making lemonade from the proverbial lemon. Tell the incumbent they’re losing the deal: If the incumbent doesn’t already know they are at risk, it can’t hurt to tell them. Some vendors (especially the big ones) don’t care, which is probably why you were looking for something new anyway. But others will get the wake-up call and try to make you happy. That’s the time to revisit your platform evaluation and figure out what needs to be fixed. Get services: If your issue is not getting proper value from the system, push to have the incumbent provide some professional services to improve the implementation. Maybe send your folks to training. Have their team set up a new set of rules and do knowledge transfer. There are many options, but if you have to make do with what you have, at least force the vendor’s hand to make the systems work better. Scale up (at lower prices): If scalability is the issue, confront that directly with the incumbent and request additional hardware and/or licenses to address the issue. Of course, this may not be enough, but every little bit helps, and if moving to a new platform isn’t an option, at least you can ease the problem a bit. Especially when the incumbent knows you were looking at new gear because of a scaling problem. Add use cases: Another way to get additional value is to request additional modules be thrown into a renewal or expansion deal. Maybe add the identity module or look at configuration auditing. Or work with the team to add database and/or application monitoring. Again, the more you use the tool, the more value you’ll get, so figure out what the incumbent will do to make you happy. Honestly, if you must stick with the existing system, you don’t have much flexibility. The incumbent doesn’t need to know that, though, so try to use the specter of migration as leverage. But at the end of the day, it is what it is. Throughout this process you have figured out what you need the tool to do, so now do your best to get there, within your constraints. Once the deal is done, it’s time to move to the new platform. We will wrap this series by discussing migration and helping structure a plan to get onto the new kit. It will be hard – it always is – but you can leverage everything you learned through your first go-round with the incumbent, as well as this process, to build a very clear map of where you need to go and how to get there. Stay tuned for that. Share:

Most security professionals have long understood at least some of the risks of the current ‘web’ or ‘chain’ of trust model for SSL security. To quickly recap for those of you who aren’t hip-deep in this day to day: Your browser knows to trust a digital certificate because it’s signed by a root certificate, generated by a certificate authority, which was included in your browser or operating system. You are trusting that your browser manufacturer properly vetted the organizations which own the roots and sign downstream certificates, and that none of them will issue ‘bad’ certificates. This is not a safe assumption. A new Mac trusts about 175 root certificates, and Apple hasn’t audited any of them. The root certificates are also used to sign certain intermediary certificates, which can then be used to sign other downstream certificates. It’s a chain of trust. You trust the roots, along with every certificate they tell you to trust – both directly and indirectly. There is nothing to stop any trusted (root) certificate authority from issuing a certificate for any domain it chooses. It all comes down to their business practices. To detect a rogue certificate authority, someone who receives a bogus certificate must notice that the certificate they issued is different than the real certificate somehow. If a certificate isn’t signed by a trusted root or intermediary, all browsers warn the user, but they also provide an option to accept the suspicious certificate anyway. That’s because many people issue their own certificates to save money – particularly for internal and private systems. There is a great deal more to SSL security, but this is the core of the problem: we cannot personally evaluate every SSL cert we encounter, so we must trust a core set of root providers to identify (sign) legitimate certs. But the system isn’t centralized, so there are hundreds of root authorities and intermediaries, each with its own business practices and security policies. More than once, we have seen certs fraudulently issued for major brands such as Google and Microsoft, and now we see attackers targeting certificate authorities. We’ve seen two roots hacked this year – Comodo and DigiNotar – and both times the hackers issued themselves fraudulent certs that your browser would accept as valid. There are mechanisms to revoke these things but none of them work well – which is why after major hacks the browser manufactures such as Microsoft, Mozilla, and Apple have to issue software updates. Research in this area has been extensive, with a variety of exploits demonstrated at recent Black Hat/Defcon conferences. I highly recommend you read the EFF’s just-published summary of the DigiNotar issue. It’s a mess. One that’s very hard to fix because: Add-on models, such as Moxie Marlinspike’s Convergence add-on and the Perspectives project are a definite improvement, but only help those educated enough to use them (for the record, I think they are both awesome). The EFF’s SSL Observatory project helps identify the practices of the certificate authorities, but doesn’t attempt to identify breaches or misuse of certificates in real time. DNSSec with DANE could be a big help, but is still nascent and requires fundamental infrastructure changes. Google’s DNS pinning in Chrome is excellent for those using that browser (I don’t – it leaks too much back to Google). I do think this could be a foundation for what I suggest below, but right now it only protects individual users accessing particular sites – for now, only Google. The Google Certificate Catalog is another great endeavor that’s still self-limiting – but again, I think it’s a big piece of what we need. The CA market is big business. There is a very large amount of money involved in keeping the system running (I won’t say working) as it currently does. The browser manufacturers (at least the 3 main ones and maybe Google) would all have to agree to any changes to the core model, which is very deeply embedded into how we use the Internet today. The costs of change would not fall only on evil businesses and browser developers, but would be shared among everyone who uses digital certs today – pretty much every website with users. We don’t even have a way to measure how bad the problem is. DigiNotar knew they had been hacked and had issued bad certs for at least more than a month before telling anyone, and reports claim that these certs were used to sniff traffic in Iran. How many other evil certs are out there? We only notice them when they are presented to someone knowledgeable and paranoid enough to notice, who then reports it. Dan Kaminsky’s post shows just a small slice of how complex this all is. To summarize: We don’t yet have consensus on an alternate system, there are many strong motivations to keep the current system even despite its flaws, and we don’t know how bad the problem is – how many bogus certs have been created, by how many attackers, or how often they are used in real attacks. Imagine how much more confusing this would all be if the DigiNotar hacker had signed certificates in the names of many other certificate authorities. Internally, long before the current hacks, our former intern proposed this as a research area. The consensus was “Yes, it’s a problem and we are &^(%) if a CA issues bad certs”. The problem was that neither he nor we had a solution to propose. But I have an idea that could help us scope out the problem. I call it a ‘transitional’ proposal because it doesn’t solve the problem, but could help identify the issues and raise awareness. Call it an “Early Warning System for SSL” (I’d call it “IDS for SSL”, but you all would burn my house down). The canary in the SSL mine. Conceptually we could build a browser feature or plugin that serves as a sensor. It would need a local list of known certificate signatures for

I write a lot about payment security. Mostly brief snippets embedded in our weekly Incite, but it’s a topic I follow very closely and remain deeply interested in. Early in my career, I developed electronic wallet and payment gateway software for Internet commerce sites, and application embedded payment options. In have been closely following the technical evolution of this market for over 15 years – back in the days of CyberCash, Paymatech, and JECF. But unlike many of the articles I write, payment security affects more than just IT users – it impacts pretty much everyone. And now is a very good time to start paying attention to the payment space because we are witnessing more changes, coming faster than ever. Most of the changes are directly attributable to disruptive nature of mobile devices: they not only offer a convenient new medium for payment, but they also threaten to reduce revenue and brand awareness of the major payment players. So issuing banks, payment processors, card brands, and merchants are all reacting in their own ways. The following are some highlights of trends I have been tracking: 1) Mobile Wallets: A mobile wallet is basically a payment app that authorizes payments from your phone. The app interacts with the point-of-sale terminal in one of several ways, including WiFi, images readers, and text message exchanges. While the technical approaches vary, payment is cleared without providing the merchant with a physical credit card, or even revealing a credit card or bank account number. Many credit card companies look on wallet apps as a way to ‘accelerate’ commerce and reduce consumer reticence to spend money – as credit cards did in the 70s. The flip side is that many card brands are scared by all this. Some are worried about losing their brand visibility – you pay with your phone rather than their branded credit card, and your bill might be from your telephone company without a Visa or Mastercard logo or identification. Customers can choose a payment application and provider, so churn can increase and customer ‘loyalty’ is reduced. Furthermore, the app need not use a credit card al all – like a debit card it could draw funds directly from a bank account. When you think about it, as a consumer, do you really care if it is Visa or Mastercard or iTunes or PayPal, so long as payment is accepted and you get whatever you’re paying for? Sure, you may look for the Visa/Mastercard sticker on the register or door today, but when you and the merchant are both connected to the Internet, do you really care how the merchant processes your payment, so long as they accept your ‘card’ and your risk is no greater than today? When you buy something using PayPal you draw funds from your bank account, from your credit card, or from your PayPal balance – but you are dealing with PayPal, and your bank or credit card provider is barely visible in the transaction. The threat of diminished revenue and diminished brand stickiness – on top of a global reduction in credit card use – is pushing card brands and payment processors into this market as fast as they can go. From what I see, security is taking a back seat to market share. Most of the wallets I review are designed to work now, minimizing software and hardware PoS changes to ensure near-term availability. Basic passwords and phone-presence validations will be in place, but these systems are designed with a security-second mentality. And just like the Chip & Pin systems I will discuss in a moment, mobile wallets could to be more secure than physical cards or reading numbers over the phone, but the payment schemes I have reviewed has are all vulnerable to specific threats – which might compromise the transaction, phone, or wallet app. 2) Smart Cards: These are the Chip & Pin – or Integrated Circuit – systems used widely in Europe. The technical standards are specified by the Europay-Mastercard-Visa (EMV) consortium. Merchants are being encouraged to switch to Chip & Pin with promises of reduced auditing requirements, contrasted against the threat of growing credit card fraud – but merchants know card cloning has been a problem for decades and it has not been enough to get them to endorse smart cards. I recently discussed the issues surrounding in Say Hello to Chip and Pin, but I will recap here briefly. Smart cards are really about three things: 1) new revenue opportunities provided by multi-app cards for affinity group sales, 2) moving liability away from the processor and merchant and onto the consumer, and 3) compatibility with Chip & Pin hardware and software systems used elsewhere in the world. More revenue, less risk, and standardized hardware for multiple markets reduce costs through competition. And a merchant that invests in smart card PoS and register software, is less likely to invest in payment systems that support mobile phones – creating PoS vendor and merchant lock-in. Once again, smart cards are marketed as advanced security – after all it is harder to clone a smart card – despite ample proof that Chip & Pin is hackable. This is about revenue and brand: making more and keeping more. Incremental security benefits are just gravy for the parties behind Chip & Pin. 3) Debit Cards: Mobile wallets may change the debit card landscape. If small cash transactions are facilitated through mobile wallet payments, the need for pocket cash diminishes, as does the need to carry a branded debit card! This is important because, since the Fed cut debit card fees in half, many banks have been looking to make up lost revenue by charging debit card ‘privilege’ fees above and beyond ATM fees. Wells Fargo, for example, makes around 45% of their revenue on fees; this number will shrink under the new law – potentially by billions, across the entire industry. Charging $3 a month for debit card usage will push consumers to look for

I have been looking forward to this day… well, since the Falcons’ season was abruptly cut short by a rampaging Pack last January. We had a little teaser with that great game Thursday, and although both teams couldn’t lose, having the Saints drop a tough one was pretty okay. I weathered a tumultuous lockout during the offseason. Even a bumpy pre-season for both my teams (NY Giants and ATL Falcons) couldn’t deter my optimism. Pro football started Sunday and I was fired up. The weekend was going swimmingly. I was able to survive a weekend with the Boss away with her girlfriends. With a little help from our friends, I was able to successfully get the Boy to his football practice, XX2 to her softball game, and both girls to dance practice Saturday. I got to watch a bunch of college football (including that crazy Michigan/Notre Dame game). The kids woke Sunday in a good mood when I got them ready for Sunday school. I got some work done and then got ready to watch the games at a friend’s house. Perfect. Until they started playing the games, that is. The Falcons got crushed. Ouch. They looked horrible, and after all the build-up and expectations it was rather crushing. It was terrible for sure. I do this knock-out pool, where you pick one team a week and if they win, you move on. If they lose, you are out. You can’t pick the same team twice, and it’s a lot of fun. But I’ve shown my inability to get even the easiest games right – I have been knocked out in the first week 2 of the last 3 years. Of course, I picked Cleveland because Cincinnati is just terrible, with a new QB and all. Of course Cleveland lost and I’m out. Yeah, that’s horrible. Just horrible. But things couldn’t get worse, right? The Giants were in Washington and they’ve owned the Redskins for years. Until today. The Giants have a ton of injuries, especially on defense. And it showed. They couldn’t stop a high school team. Their offense wasn’t much better. Man, tough day. Looking at the schedule, both teams dropping their games this week will hurt. Yup, that’s a no good day. And to add insult to injury, as I’m mumbling to myself in the corner, the Boy comes downstairs with his Redskins jersey on. Just to screw with me. Seriously. I know I shouldn’t let an 8-year-old get under my skin, especially the day before his birthday, but I wasn’t happy. Maybe I’ll laugh about it by the time you read this on Wednesday, but while I’m writing this on Sunday night, not so much. I sent him upstairs with a simple choice. He can change his shirt or I could insert a few metatarsals into his posterior region. It’s very bad when I can’t even handle a little chiding from my kids. It was a terrible, horrible, no good, very bad day. But putting everything in context, it wasn’t that bad. I’ve got my health. I do what I love. My biggest problems are about getting everything done. Those are good problems to have. An embarrassment of good fortune, and I’ll take it. Especially given how many around the world were mourning the loss of not only loved ones, but their freedom, as we remember the 9/11 attacks. -Mike Photo credits: “bad day” originally uploaded by BillRhodesPhoto Incite 4 U Design for FAIL: Part of the mantra of most security folks is to think like an attacker. You need to understand your adversary’s mindset to be able to defend against their attacks. There is some truth to that. But do you wonder why more security folks and technology product vendors don’t do the same level of diligence when designing their products. Mostly because it’s expensive, and it’s hard to justify changing things (especially the user experience) based on an attack that may or may not happen. Lenny Z makes a good point in his post Design Information Security With Failure in Mind, where he advocates taking lessons from ship builders. I’d put airplane manufacturers in the same boat. They intentionally push the limits, because people die if a cascade of failures sinks a ship. Do your folks do that with IT systems? With security? If not, you probably should. It’s not about protecting against a Black Swan, but eliminating as much surprise as we can. That’s what we need to do. – MR Jackass punks: No, this isn’t a diatribe against Lulzsec. Imagine you’re sitting at home and you start getting weird emails from some self-proclaimed degenerate who starts talking about showing up at your house. And you get emails from motels this person stayed at, holding you responsible for damages. And the person was on the lam from the law. Heck, they even have their own MySpace page. MySpace? Okay, that’s probably the first clue this is a scam, or a Toyota marketing campaign gone horribly wrong. Toyota set up a site where people could enter the personal details of their friends (or… anyone), who would then be subject to a serious Ashton Kutcher-style punking. Talk about insanely stupid. As much as we bitch about security marketing, this definitely takes the cake. While I don’t think $10M in damages is reasonable, Toyota certainly earned the lawsuit. – RM Pay-nablement: It’s easy to do online payment. The trick is in doing it securely, and I am not so sure that the ‘Buyster’ payment system has done anything novel for security. Buyster links your phone number to a bank account. To use the service you need to enter your phone number and a password – what could go wrong? In return you get a payment token via a message, which you can then pass to a merchant. This model keeps the credit card number off the merchant site, but they would need to modify their systems to accept the token and link to the Buyster payment