Securosis

Rich at Macworld

Just a quick note that I’m speaking at the Macworld conference this Friday in San Francisco on iOS security. This is one of the few times I get to talk about basics with a completely consumer audience. Last year was my first time speaking (after attending for a few years), and you can’t spend any time there and still believe the stupid “Mac users think they are invulnerable and don’t care about security” meme.

There are two cool things about this year. First, that I was invited; with the new baby I missed the call for papers and wasn’t planning on speaking, but it seems they wanted some more security content. Second, that this is hands-on. I have a 75 minute session to walk everyone through securing their iOS devices (and yes, un-jailbreaking is high on the list).

If you are there, drop me a line. I get in Thursday afternoon and fly home Friday night… normally I like to have more time, but it’s too close to RSA this year and it’s hard to get out for back to back trips with my kids so young.

The Greenfield Project: How would you start over?

Some days I wish I was a screenwriter. There, nothing is out of bounds. Physics? Bah. Logic? Who needs that? How cool was it that the writers of Dallas (the show, not the city) decided to take a mulligan… on an entire season? Pretty cool, I’d say. What if we could take a mulligan on some of those decisions we made years ago? You know, like parachute pants. Or signature-based antivirus. IDS. Token-based authentication. If you could pull a Dallas, what would you build?

It’s a fascinating question. And one that I’d like to investigate – with your help, of course. To be clear, this is a thought experiment.

If you were just hired as the security architect for a company that had nothing, what would you implement? I’m not going to build a scenario with applications and number of locations and all that crap. Figure you work for a big company and somehow they’ve decided to start over again. You have applications and some even use the web. You have sensitive data, the kind that bad guys would love to get. You have lots of locations all over the world. And the powers that be just gave you the keys to the car. Now point it in the right direction.

So what would you do? And before you get bent around an axle, saying you need to implement a firewall and AV because the regulations say so, forget that. No compliance mandates here. You are focused on protecting the critical information in your organization. And money is no object. What would be on your shopping list? What wouldn’t be?

There are no wrong or right answers. I think it’ll be interesting to hear everyone’s opinions. I have posted some of my thoughts on Positivity, which make sense to me. That doesn’t mean they’re right. Ready, set, discuss!

Photo credit: Green fields of wheat originally uploaded by Robert Crum

Friday Summary: January 21, 2010

Quick note: Don’t forget to RSVP to the RSA Disaster Recovery Breakfast, and sign up for the Inaugural Cloud Security Alliance training class we are building & running.

I had one of those awesome, weird, enlightening experiences today… and it’s actually relevant to technology and security. Probably. The thing that initially got me hooked on blogging was how it enabled a persistent community discussion. We could all debate issues out in the open, asynchronously (since some of us spend a lot of time trapped on planes), and everything becomes part of the public record. It was like the internal peer review process we had at Gartner (which is far better than most outsiders realize) burst open and spewed all over the Internet. Sure, some blogs really sucked, and there was no shortage of trolls, but it’s how I got to meet people like Rothman, Hoff, Martin McKeay, and many many others. It also led directly to how we handle review and our Totally Transparent Research process.

But over the past year we have noticed a serious decline in blogging in general and comments on our site specifically. It’s actually a lot harder to come up with all these Summary links, because the initial idea was to share link love, but we mostly refer to the same people or link to news stories. This isn’t unique to us – a lot of our blogging friends have mentioned it (the few who blog). We all know Twitter is the culprit. I love Twitter, but it makes me sad that we lose the asynchronous conversations and persistence (come on, no one really reads old Tweets). Even when I’m sitting at my desk I can’t keep up with everyone I want to follow. Earlier today I tweeted that I needed some review on a couple incident response posts I’m working on. This was for a series we have been working on for a couple months. What did I learn? We have very few comments on the posts, but I got a ton of response over Twitter and some amazing feedback via email.

Maybe I’m old, but although I still prefer having these discussions through the blog, I realize it’s time to start moving them more to Twitter. The problem will be finding the delicate balance between getting valuable feedback and contributing back to the community without ‘abusing’ the medium. We pump out way too much content for me to toss everything out to Twitter… and I’m not even comfortable tweeting links to all my posts. Any suggestions appreciated.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • The Network Security Podcast, Episode 228. Had my sick daughter on my lap while recording this one, so it might be amusing.
  • We are building the official Cloud Security Alliance CCSK training class, and running the first class at RSA. It’s $400, but you get a $295 voucher to take the CCSK certification test.
  • DB2 Security Overview. Adrian’s white paper on DB2 security features.

Favorite Securosis Posts

  • Adrian Lane: The Appearance Myth. This is so spot on. I stopped carrying Star Wars paperbacks in my back pocket and brushed my hair – suddenly nobody believed I was a UNIX Admin. Got my first CTO job and started wearing a collared shirt, and suddenly I must not understand the abstract factory design-pattern or IPC. Wear the wrong garb and you are shunned.
  • Mike Rothman: APT Defeated by Marketure. And here I thought Oswald killed the APT.
  • Rich: Mogull’s Law. Yet another old post, but I picked this one because for some reason when I Google my name (for news alerts) this is the top link. Can’t argue with Google.

Other Securosis Posts

  • Dueling Security Reports: Cisco vs. Intego.
  • Incite 1/19/2011: Posturing Alpha Males.
  • SMB isn’t ready for disaster. Are you?
  • The 2011 Securosis Disaster Recovery Breakfast.
  • Fighting the Good Fight.

Favorite Outside Posts

  • Adrian Lane: Security fail: When trusted IT people go bad. I hate to foster the fear of ‘The Insider Threat’, but this sort of thing does happen on occasion. What’s surprising is a firm this large did not spot the problem sooner through other IT personnel.
  • Mike Rothman: In defense of FUD. Jack kills it: “…a little bit of discomfort and uncertainty can drive us to question our preparedness, and rethink the challenges we face.” Love that.
  • Rich: A Day of Reckoning is Coming. New School on breach outcomes. It isn’t what you think.
  • Chris Pepper: Understanding Targeted Attacks: Two Questions.
  • Gunnar Peterson: Three Types of IT Leaders.

Research Reports and Presentations

  • The Securosis 2010 Data Security Survey.
  • Monitoring up the Stack: Adding Value to SIEM.
  • Network Security Operations Quant Metrics Model.
  • Network Security Operations Quant Report.
  • Understanding and Selecting a DLP Solution.

Top News and Posts

  • Oracle CPU for Q1. There was a super critical database issue with Audit Vault, but with only 2 companies using the product, the overall risk is pretty low.
  • GSM (cellphone) security in deep trouble.
  • Hackers responding to job postings with malware.
  • ENISA releases report on security for government clouds.
  • Errata Security has a run-in with an infamous security fraudster.
  • Twitter worm.
  • AT&T hacker’s chats turned in by anonymous source. I have a hard time believing the feds would build a case based on anonymous IRC logs.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to shrdlu, in response to Funding Security and Playing God…

Your experience has shown you that finding a bug THAT YOU INTEND TO FIX is cheaper to fix early on. That’s great. But fixing is a choice, based on risk assessment. Businesses make that choice every day. And we’re not providing good arguments for them to choose something when we use circular logic to tell them they should fix it simply because we found it, and that finding it makes it certain to be a problem that will affect them.

The Appearance Myth

You can always tell whether you are at a hacker con or a corporate-oriented conference in our business. The hacker cons have plenty of tattoos, piercings, fringe hairstyles, and the like. In fact, I’m usually more concerned that folks will think I’m a narc because I have none of the above.

But this brings me around to the idea of appearance and its impact on your career. I think Lee and Mike had a good, reasoned response in their Fashion Advice from Infosecleaders post. The question is about a guy, who is climbing the corporate ladder and now finds himself having to dress the part. And it’s uncomfortable. Lee and Mike’s general thought is that he needs to deal with it, and that to play the game you have to look like you are in the game. And maybe they are right. But they might also be wrong. I think there could be other factors at work here, based on experiences I’ve had, because I’ve very rarely looked the part in any job I’ve had.

Let’s start with my early META Group experience. I was in my early 20s and looked 18. My hair hadn’t started turning gray yet, and I was sitting across from CEOs and folks whose networking budgets had 9 or 10 zeros. I would be brought in to discuss trends in networking and telecommunications. The reality was that some of these networking jockeys probably had underwear older than me. So as you can imagine the first few minutes of each meeting were always pretty interesting, as everyone in the room sized each other up. I was far less snarky at that point so I usually didn’t antagonize the clients with tales of beer funnels, pet rocks, and dances with girls. You know, the stuff us kids used to do for fun in the olden days. Most of them took me for a lightweight and thankfully they didn’t have BlackBerrys back then, because I imagine they would have started banging through email before the introductions ended.

But then a strange thing happened. Pretty much every time. I started talking. I answered their questions. I provided perspectives on trends that indicated I actually knew what I was talking about. Who knew? This young whippersnapper actually talked to lots of folks and although a front-end processor was invented while he was still crapping in diapers, he understood IBM’s product strategy and what that meant to these poor saps who had to make the stuff work. I actually kind of enjoyed that expectations were pretty low when I entered the room. It made impressing clients much easier.

Now back to the topic of attire. Truthfully, I’m not sure whether this guy’s problem is attire or self-esteem. You see, he feels different, and therefore the senior team treats him as different. He doesn’t seem to believe he belongs at the table with the big boys. So, I believe, senior folks pick up on that and realize his self-fulfilling prophecy. If you don’t think you belong in the club, you are right. If you have confidence in your abilities, know you speak knowledgeably, and are not intimidated by muckety-mucks who believe you need to wear a tie to be successful, you should be fine. Even in your khakis and button-down shirt. And if your organization truly judges you based on what you wear, and not what you know and what you do, then you are working for the wrong organization.

Dueling Security Reports: Cisco vs. Intego

Today, within a few minutes of each other, I read the latest 2010 security reports from Cisco and Intego. The Cisco report is very broad, while the Intego report is Mac specific. They really highlight the reality vs. hyperbole problem we often see in threat reports.

While there’s some good information in the Cisco report, reading the APT section on page 22 and then my satirical post from yesterday should be good for some laughs. And when you hit the Android/Apple section? Umm… hard to say anything nice. There’s a ton of hyperbole in there about Apple and mobile devices being a major focus in 2011, without anything to back it up. The report seems to assume vulnerabilities correlate with exploits! As in: there are lots of Apple vulnerabilities, so we know there will be a ton of new attacks! Maybe 2011 will be the year Macs get the snot kicked out of them, but it won’t be due to rising vulnerability rates. Macs have had plenty of easily exploited vulns for years now. Heck, if anything it’s harder to exploit the current OS X than just a couple years ago. I can’t find any basis in the report for their conclusion. No data on rising attack rates. Just some point examples that fail to indicate a trend, plus a pretty graph of platform vulnerability rates. Wishful thinking, I guess.

Oh, the best part is the title of the graph “Recent Spike in Exploits Targeting Apple Users”… with a graph of the vulns. Someone on the security team needs to have a word with the marketing team.

As a counter, take a read of the Intego report. Page one lists all the exploits they’ve seen over the past year… which, once you knock out variants, you can count on one hand.

Advanced Persistent Threat (APT) Defeated by Marketure

Washington, D.C. - Officials today revealed that the “Advanced Persistent Threat” (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations. “APT is dead. Totally gone. The term APT is meaningless now” revealed a senior official under the condition of anonymity, as he was not authorized to discuss the issue with the press – as if anyone believes that anymore.

“Advanced Persistent Threat” was a term coined by members of the military, intelligence, and defense industries to define a series of ongoing attacks originating from state and non-state actors primarily located in China, first against military targets, and later against manufacturing and other industries of interest. It referred to specific threat actors, rather than a general type of advanced attacks. Revealed through major breaches at Google and reports from Lockheed-Martin, APT quickly entered the Official Industry Spin Machine and was misused to irrelevance.

Bill Martin, President, CEO, and CMO of Big Security, stated, “Our security products have always protected against advanced threats, and all threats are persistent, which is why we continue to push LOVELETTER virus definitions to our clients’ desktops. By including APT in our marketing materials and webcasts we are now able to educate our clients on why they should give us more money for the same products we’ve been selling them for years. In 2011 we will continue to enhance our customers’ experiences by adding an APT Gauge to all our product dashboards for a minimal price increase.”

Self-proclaimed independent security pundit Rob Robson stated, “The APT isn’t dead until I say it is. I will continue to use APT in my presentations and press quotes until I stop getting invited to RSA parties”.

When asked in an unrelated press conference whether this means China is no longer hacking foreign governments and enterprises, Cybergeneral Johnson replied, “We have seen no decrease in activity.” Johnson continued, “If anything, we’ve seen even more successful breaches due to agencies and companies believing the latest security product they purchased will stop the APT. We are still in the middle of a long-term international conflict with a complex political dynamic that could materially affect our military and economic capabilities in the future. I don’t think a new firewall will help”.

For more on this topic, please see The Security Industry Anti-Disambiguation Movement.

SMB isn’t ready for disaster. Are you?

You all know how much I like surveys. But I tend to think surveys targeted at SMB tend to be a little closer to reality, especially ones with 1,000+ responses. Our Big Yellow pals recently did a Disaster Preparedness Survey of 1,800+ small businesses, and the news isn’t very good, but not unexpected either. Here are a few soundbites:

  • Median cost of a day of downtime is $12,500.
  • 50% of respondents don’t have a DR plan.
  • 41% said it never occurred to them to put a plan in place.
  • 40% said it’s not a priority.
  • Less than half back up data weekly.
  • Only 23% back up data daily.
  • 50% of those with DR plans wrote one after an outage.

Yes, I could go on and on – but why bother? The issues are the same and a consistent mentality applies whether you are talking about security or disaster recovery. That’s the other guy’s problem. It won’t happen to me. Until it does. We could be talking about an attack that takes out our critical resources or a hardware failure that takes out our critical resources. They’re effectively the same. You end up with stuff that’s down and unavailability is bad. That’s if you like your job.

So what to do? Continue fighting the good fight. Push for an incident response plan, as well as a disaster recovery plan. There should be a lot of leverage between the two. At least from the standpoint of restoring operations.

The Symantec folks made a few recommendations, which are actually pretty good. They include: Don’t wait until it’s too late, protect information completely, get employees involved, test frequently, and review your plan. Yup, that’s pretty much what you want to do. Don’t wait until it’s too late to make sure you are ready for problems. Regardless of whether you work for a big or small company.

Incite 1/19/2011: Posturing Alpha Males

One of the terms you’ll likely hear at RSA this year is security posture. Along with “situational awareness” and other terms which refer to your ability to understand if you are under attack and how your defenses are positioned to protect your assets. But I’m fascinated by the psychology of posturing, because we see that kind of behavior every single day. It’s not like I go clubbing a lot (as in, at all), but you can always tell when someone who thinks they are an alpha male enters. They intentionally project a “don’t fsck with me” attitude and are likely to fly into a ‘roid rage at any time. They are posturing, and it’s likely a self-esteem issue has caused them to overcompensate by juicing up and thinking that pushing someone around in a bar makes them cool. Either that or they have a small piece. Maybe their Mom could have given them a few more hugs growing up. Or they should have tried that Swedish pump highlighted in Austin Powers.

I know we aren’t done with the 2010 season yet (though my teams have been eliminated, so I’m just a bemused observer at this point), but there is a lot of uncertainty regarding the 2011 season. The CBA (collective bargaining agreement) expires in early March and the owners don’t think the existing structure is good for them. Of course, at the other end of the table, the players want their fair share of the unbelievable revenues generated by the NFL. Fair is the key word here. Each has their own definition of fair. So there is a lot of posturing on both ends. Everyone wants to be the alpha male. Each says the other side wants a lockout. Lots of disinformation is flying back and forth, all to sway the fans to support one side or the other. The spin doctors are working overtime. Sounds like a presidential election, come to think of it.

Personally, it’s hard to feel bad for either side. The owners are billionaires and the NFL is a cash machine. The players are very well compensated for playing a game. And millions of fans dutifully buy season tickets, watch games, and buy merchandise. In fact, my Matt Ryan jersey arrived yesterday. Just in time! Frackin’ snow storm.

So I’ll be pissed if there is any kind of lockout. All of these 7 and 8 figure alpha males just need to get over themselves and remember it’s because of us fans that they get to do anything. These guys forget we have alternatives. I can tell you college football will become a lot more popular if there is some kind of NFL work stoppage. SEC football is pretty OK, even if you don’t have an alma mater to go bonkers over. The NCAA should move games to Sunday if the NFL doesn’t play. Seems the owners believe that if they delay or cancel the season, all the fans will wait breathlessly for their return. I know this is a game of high stakes poker, but it seems there is a lot of short-term thinking here. With billions of dollars being generated, it’s unbelievable that you can’t structure a win-win situation for all involved. Gosh, am I thinking rationally here? Must be time to take the clear, or is today a cream day? A good ‘roid rage will do wonders for my outlook on the situation. And anyway, I need my full alpha male posture on come RSA time…

-Mike

Photo credits: “Bad Posture” originally uploaded by bartmaguire

Vote for Me. I’ll buy you a beer.

There is still time to vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. Help out a brother with a vote.

Incite 4 U

The Lazy Man’s Guide to Success: Mike Dahn has a treatise called Leverage, where he calls for a number of tactics to increase your effectiveness in the next year. Things like delegation, networking, and turning cost centers into revenue opportunities. Interesting stuff. What do all of these ideas have in common? They allow you to be lazy. If you can get someone else to do your work for you, why wouldn’t you? I’d love to delegate all the stuff I’m supposed to do. I’d like to turn my cost centers into revenue centers. I like the idea of leverage. Because I’d much rather be reading NFL news all day than actually doing work. Who wouldn’t? But I shouldn’t joke too much because Mike has a point here. Unless your goals are too low, you will need help to get there. So think about it from that perspective. – MR

Someone needs a fact checker: I understand that press releases are a fact of life. While they all sound exactly the same, some of them provide a valuable nugget of information mixed in with all the masturbatory self-congratulations for signing up yet another small school district as a customer. After the obligatory FUD, that is. For example, today I received, “In the wake of increasing levels of data breaches, accidental data losses and incidents of user’s privacy being compromised, the Online Trust Alliance (OTA) is set to release its 2011 Data Breach Incident Readiness Guide in time for Data Privacy Day (Jan. 28th)”. Which is funny, as most sources like the Open Security Foundation DataLossDB and our own 2010 Data Security Survey show a relative decline in reported breaches. Maybe there are more breaches and privacy leaks, but it isn’t like they have numbers to prove it. – RM

The Recognized Leader: I am the leader in a new ‘market’. I just found this out after having read the press release on Nice Systems’ new product to reduce financial risk associated with PCI-DSS. Apparently they provide live redaction of call

Fighting the Good Fight

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against insurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done. We in the security world seem to forget that all the time.

Today started like most other days. I checked my email. I looked at my Twitter feed and, surprisingly enough, a bunch of folks were bitching about PCI and stupid assessors and all sorts of other negativity. Pretty much like every other day. I shut down my Twitter client and thought a bit about why I do what I do, even though it seems to make no difference most days. It’s because it’s the good fight and the mere fact that it’s hard doesn’t mean we shouldn’t continue pressing forward. Rich summed it up very well a few weeks ago in his Get Over It post. Human nature isn’t going to change. So we’ll always be swimming upstream. Deal with it. Or find something else to do.

And to be clear, what we do isn’t hard. Fighting for civil rights is hard. Overcoming oppression and abject poverty and terrible disease is hard. Always keep that in mind. Always.

The Boss is constantly telling me there is no grey in my world. Right. Wrong. Nothing in between. And pushing to educate our kids about what they should and should not do online is right. Pushing to help our organizations understand the risks of all their business plans is right. Trying to get senior management to appreciate security, even though it makes their jobs harder at times, is right. Doing nothing is wrong. If you are reading this blog, then you are likely very fortunate. With resources and education and opportunities that billions of people in this world don’t have. So yes, what we do is hard. But it’s not that hard.

On this day, where the US celebrates one of its true giants, a man who gave everything for what he thought was right, take a few minutes and re-dedicate yourself to fighting the good fight. Because it’s the right thing to do.

Image credit: “Martin Luther King, Jr.” originally uploaded by U.S. Embassy New Delhi

The 2011 Securosis Disaster Recovery Breakfast

The RSA Conference is just around the corner, and you know what that means. Pain. Pain in your head, and likely a sick feeling in your stomach. All induced by an inability to restrain your consumption when surrounded by oodles of fellow security geeks and free drinks.

You know what? We’re here for you. Once again, with the help of our friends at ThreatPost and Schwartz Communications, we will be holding our Disaster Recovery Breakfast to cure what ales ya (or ails you, but I think my version is more accurate).

This year the breakfast will be Thursday morning from 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We’ll have food, beverages, and assorted recovery items to ease your day (non-prescription only). No marketing, no spin, just a quiet place to relax and have muddled conversations. It sure beats trying to scream at the person next to you at some corporate party with pounding music and, for the most part, a bunch of other dudes.

Invite is below. To help us estimate numbers please RSVP to rsvp@securosis.com.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.