Research

A couple days ago I posted some thoughts on Data Security and the US Government, how I perceive the role of Cybersecurity, and what I suspected would be a difficult challenge as the Cybersecurity team was set up at cross-purposes with the intelligence community. Today the Wall Street Journal released an article on the resignation of National Cybersecurity Chief Rod Beckstrom. In a case of “even a blind squirrel occasionally finds a nut”, my estimate of internal conflict appears to already be going on. In his resignation letter, Mr. Beckstrom stated that the “NSA currently dominates most national cyber efforts” and “The intelligence culture is very different than a network operations or security culture”. The WSJ focuses on privacy and separation of power issues with additional comments from Mr. Beckstrom: “the threats to our democratic process … if all top level network security and monitoring are handled by any one organization”. The resignation letter has a different feel and focus, pointing out that there was a general lack of support for the NCSC, and the specific ways Beckstrom feels his organizations was subjugated. If you have interest in this subject, you will want to read his resignation letter, as it contains more information. It also lists a couple methods by which the NSA can subtly (sneakily?) affect the effectiveness of Cybersecurity efforts that I did not mention in my post. Quite frankly I am surprised that the National Cybersecurity Center could somehow manage to only get 5 fully funded days of operation, but if true, this demonstrates the challenges faced by NCSC. This could get ugly unless both sides understand that each organization can benefit the other, and realize the goals and agendas do not necessarily need to be at the expense of each other. Concessions have to be made, otherwise this is an expensive and ugly turf war and the entire security problem- which is quickly becoming a US government security problem- continues to fester. Share:

During the recent podcast I did with Rich, I made a couple throw-away comments about the selection of Melissa Hathaway as cybersecurity advisor. A lot of ideas went into those comments and a few articles that I have read that brought to the fore several issues I have had ideas rolling around in my head for the last couple of years. In fact I have written this post a couple of times over the last year and deleted it because I thought it would be perceived as too political. My goal is not political commentary rather trying to provide perspective about the evolution of data security, but sometimes the two are linked so tightly together it is difficult to fully separate. The subject I want to discuss is the general state of basic underlying security of our electronic infrastructure, and the role that the government plays in Cyber Security. What got me going on this subject yet again was several articles that I ran across in the last month. The first was an article referenced by Bruce Schneier’s blog on The Register that talks about the NSA’s attempt to eavesdrop on Skype, which I am not sure they confirmed but highly believable. The second is the appointment of Melissa Hathaway, and while it is only being hinted at in this piece by USA Today, her comments indicate efforts at odds with other US intelligence organizations. The final article that urged me to rewrite this post was the following piece on Wired’s Threat Level Blog that the NSA wants to oversee cybersecurity. There is a strange push and pull going on here, because part of our government wants our entire electronic infrastructure to be both secure and private. They recognize the the Internet is a huge global marketplace for science and commerce, and is often leveraged by public entities as well, therefore it is in our best interest to have it secured to protect citizens & organizations alike. This is echoed in Hathaway’s comments. Conceptually this would reduce fraud globally, which costs companies billions of dollars every year. On the other side of the coin, strong electronic security makes intelligence gathering through eavesdropping difficult to impossible, and often requires secondary assistance to gather (insider cooperation, back doors in code and devices, cracking, etc) the same information, only at a higher cost. So what’s the problem? Good security on communications and infrastructure worldwide makes intelligence gather much, much harder. The people I have spoken with who have worked for or with US & British Intelligence organizations all share the same view that a secure communications infrastructure is facing stiff challenges from within our own government. A few years ago, Mr. Stephen Squires, who is/was at the time Chief Scientist for HP, spoke at Stanford Luncheon I attended about the evolution of computer security in the US. In a nutshell, he felt that cryptography would have solved most of the issues of privacy and security we have today, and today’s vendors with their point solutions were less than Band-Aids on gunshot wounds. Encryption could have easily been built into routers, phone switches, Ethernet cards and the like to ensure safe data transmission. Encryption could have been built into business applications to offer considerably higher security for data in motions and data at rest. He went on to say this was “discouraged” in various direct and indirect ways by our own government. He cited many examples of influence; the way bids are done, project specifications, funding, public-private partnerships, and most notably, US export controls on cryptography. A decade ago this was a common topic most of the crypto guys I have had the pleasure of meeting, and they were mostly frustrated by the US’s unwillingness to have all data and communications encrypted and secured. For those of you not familiar with what I am talking about, in the mid-90s, you could obtain cryptographic algorithms in papers and textbooks, but if you shipped encryption technology, you were going to be brought up on charges for illegal disbursement of munitions. When I got my first real job involving security, I had to be careful that I did not accidentally include a foreign national on the “CC:” line of an email that included the Blowfish variant we were working on as I could have been arrested. It’s code, for &!^@ sake! But the US Government was quite serious about this and has hindered the deployment of some security technologies on national infrastructure as well as allowing exportation, and have done little to lead in an area where they are in a perfect position to set an example for private industry. I am not sure what degree the majority of security professionals out there understand how rabid our government intelligence agencies are about encryption, but many historians view US victory in WW2 was due in large part to breaking the Japanese encryption codes, as well as the British efforts to reconstruct the Enigma cipher. While these are nice historical references, few are aware of more recent cases with the British in Falklands war and governments in the middle east were breached by the ability to break or bypass cryptography. This lesson is not lost on the Intelligence community, and who I would expect nothing less than to look for any advantage they can get. What is good for business security is considered bad for our spies. The concept from the governmental perspective was the benefits that the US Intelligence Services derive from lax security and encryption was a huge competitive advantage, so impediments into quality encryption technologies being widely available was to be discouraged. And when I have this discussion with people, they are usually thinking about Echelon, or the PROMIS variants that perform data analysis, but just two angles of using intelligence. We read all the time about Chinese or Russians breaking into US Government computers; is there some compelling reason to think this is not going on in the other direction? Another way to think about

Off-topic post … My wife is constantly reading about the banks and lending institutions, and likes to read to me every gory detail she learns. Occasionally I do listen. About a month ago she made the comment “If the banks do go under, we’ll have to go back to cash. That will be strange.” I thought about it for a while and I realized just how true that was. I seldom carry cash. I do a lot of my shopping on the Internet. Can’t really do that with cash very well. I used the credit card for everything … even the occasional Starbucks triple-shot-Hoff-inspired-venti-iced-coffee-with-splenda-shaken-not-stirred gets a credit card swipe. Then my wife says “Let’s see if we can go for a month without spending on the credit card. Just cash!” Being the contrarian that I am, I decided “What the heck, let’s try it.” We failed miserably. The whole thing about spending cash is you have to go somewhere and get cash before you can spend cash. An important small step. We had a minor medical emergency and we were not about to slow down and get cash first. When you take enough out to cover expenses, the bank teller’s get weird and antsy like you are doing something wrong. Trying our best, by the end of the month, we looked at the results, and we were only 60% credit card, 40% cash by dollar amount. But overall, our spending and it was down quite a bit. While we hear about how much easier psychologically it is to spend money when it’s not cash, I see just how true that is. Either you reel yourself in because you are not sure you have enough cash on you, or you feel a little more attached to the money that the concept of money and hold back on some purchases that are not necessary. So we are going to try it again this month, and we think we can reverse this to 60% cash, 40% CC. I have never been mugged. I have never had my wallet stolen, and I am not really worried about carrying some cash around. I have had fraudulent charges on my credit card, more than a dozen times, and I am constantly worried about my bill having bogus charges. I usually state that the reason I use credit cards so much is that I have reduced risk. Lost or stolen, I am only liable for $50.00. Airline tickets and hotels are a nightmare without a credit card. And I would never buy something on line without the ability to shield myself from bogus merchants. But my perspective has changed that, given most common situations, cash has a lower risk than credit and changed my behavior in a positive way. It’s been an interesting experiment, and I think we are going to keep doing it for a while. Share:

Securosis has expanded. Just got an email from Rich: “Say hello to Riley Marie Mogull. 6lbs 15oz. Sharon made it without meds- she’s my hero” Rich, on the other hand, needed sedation. Help me congratulate Rich and Sharon on the arrival of their first child! Share:

It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around. On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems. On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news. I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands! Rolling into the weekend I am focused on the positive, so here it is, the week in review: Favorite Securosis Posts: Rich: A Very Revealing Statement by the PCI Council. Adrian: Thinking positive, Netezza buying Tizor is good for all parties. Favorite Outside Posts: Adrian: SEC Investigating the Heartland breach. Rich: Microsoft confirms Zero-Day. Top News and Posts: PCI Council announced ranked security and milestones Top Ten Web Hacking Techniques 2008, now official! More happy news: Flowers for Pirate Bay Witness’ Wife. Fuzzing for Fun & Profit on CGISecurity. Kindle 2 looks awesome. Comments here and here. Why we have spring training: Adobe “swings and misses” with PDF vuln. Virtualization: Disruptive Technologies and Security In GM’s continuing effort to go out of business no matter how much money is thrown at them: it also wanted to account for a possible tilt toward sales of bigger vehicles if gas prices remained at current levels in coming years.” Wow. With leadership like that, who needs enemies. Blog Comment of the Week: Allen Barronov on Will This Be The Next PCI Requirement Addition: If you are putting money down I’ll take you up on it let me just get some poor sucker’s credit card details in case I lose. On a serious note: DLP is very reactive. One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal. Proactive is to analyse the entire PCI process from start to end and secure it accordingly. A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function – there may be pain but the gadgets still get made/gathered/fixed/etc. A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA). I really like DLP but it is not a cure for bad network design. I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips. “You know what else everyone likes? Parfaits.” Donkey in Shrek. Now, I am off for some more stealth photography. Share:

I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It’s a great idea- instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones. Now before I get to the fun part, I want to quote myself from one of my posts on PCI: Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process. Now on to the fun (emphasis added by moi): Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says. What a load of shit. With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability of assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work. You could also nominate me for the PCI Council Board of Advisors. I’m sure that would be all sorts of fun. Seriously – we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements. Share:

While both Rich and I predicted this would happen, I admit I am still slightly surprised: Netezza has acquired Tizor for $3.1M in cash. Netezza press release here, and While I do not see a press release issued from either vendor xconomy has the story here. Surprising in the sense that I would not have expected a data warehousing vendor to acquire a database monitoring & auditing company. My guess is it’s the auto-discovery features that most interest them. But like many companies that provide data management and analysis, Netezza may be finding that their customers are asking for security and even compliance facilities around the data they manage. In that case, this move could really pay off. I am certain that they were hoping for more, but $3M in cash is a pretty good return for their investors given the current market conditions and competitiveness in the DAM market. While it is my personal opinion, I have never considered the Tizor technology a class leading product. It took them a very long time to adapt the network monitoring appliance into a competitive product that met market demand. Their audit offering was not endorsed by companies I know who have evaluated the technology. They had some smart people over there, but like many of the DAM competitors, they have struggled to understand the customer buying center and have lacked the laser focus vision of some of the vendors like Guardium have demonstrated . But they have made consistent upgrades to the product and the auto-discovery option last year was a very smart move. All in all, Netezza is getting value, and the Tizor investors about $3M more than they would have gotten a few months from now. I have to admit that my timing of these events has been wrong … I thought that this transaction would have happened at/by the end of last year, and I am waiting for more still. But the DAM vendors who are not profitable have a huge problem that move to quickly and you kill your value. Move too slowly and you are out of business. Sometimes the due diligence process takes a while. Check back later as I will update the post as I hear more, of if Rich weighs in on this subject. Share:

Just ran across this article on workers “stealing company data” on the BBC news web site. The story is based upon a recent Ponemon study (who else?) of former employees and the likelihood they will steal company information. It turns out that most of those polled will in fact take something with them. The Ponemon numbers are not surprising as this tracks closely with traditional forms of employee theft across most industries. What got me shaking my head was the sheer quantity of FUD being thrown out with the raw data. A “surging wave” of activity? You bet there is! And it tightly corresponds to the number of layoffs. I am guessing when I say that the point Kevin Rowney of Vontu Symantec was trying to make is companies do very little to protect information from insiders, especially during layoffs. But the author make it sound as if insider theft is bringing about the collapse of western civilization. What I don’t believe we can do here is try to justify security spending by saying “Look at these losses in revenue! They are staggering! Were getting killed by insider theft!” These companies are in trouble to begin with, which is why they are laying people off. Ex-employees may be taking information because their accounts are still active, or they may have left with it at the time they were fired. But just because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales. And the capability for ex-employees to do this, especially in this economy, is probably going down, not up. The employee who has backup tapes in their closet may dream about “sticking it” to their former employer, but odds are high that the information they employee has will never result in the company suffering damages. Heck, they would actually have to land a new job before that could happen. I know some HR reps who probably envision their ex-emplyees contacting their underground ‘connections’ to sell of backup tapes, but how many employees do you really think can carry this off? You think they are going to sell it on eBay? Call a competitor? We have seen how that turns out. No use, no loss. “I had a very strong work ethic. The problem was my ethics in work.” There is also a huge double standard here, where most companies propagate the very activity they decry. When I worked at a brokerage, it was one of our biggest fears that an employee would steal one of our “books of business”, taking it to another brokerage, and when I first learned about the difficulties in protecting data from insiders and enforcing proper use. On the flip side, it was expected every broker that interviewed had their own “book of business”. If they didn’t, they were ‘losers’ or some other expletive right out of Glengarry Glenn Ross. Having existing relationships that could immediately bring in clients to the organization was on eof the top 5 considerations for employment. Most salesmen, attorneys, financiers and executives are considered not just for the skills they possess, but the relationships they have, and the knowledge they bring to the position. That knowledge is typically in their heads, rolodexes and their iPhone. I am not saying that they did not have paper or electronic backups as well, as 15% of the respondents admitted they did. My point is companies cry foul that they are the the victims of insider theft, but in reality they fired or laid off an employee, and that employee took a job with a competitor. I have trouble calling that an insider attack. Share:

Had a very interesting call today with a client in the pharma research space. They would like to protect clinical study data as it moves to researcher’s computers, but are struggling with the best approach. On the call, I quickly realized that DLP, or a content tracking tool like Verdasys (who also does endpoint DLP) would be ideal. The only problem? They need Windows, Mac, and Linux support. I couldn’t remember offhand of any DLP/tracking tool (or even DRM) that will work on all 3 platforms. This is an open call for you vendors to hit me up if you can help. For you end users, where we ended up was with a few potential approaches: Switch to a remote virtual/hosted desktop for handling the sensitive data… such as Citrix or VMWare. Use Database Activity Monitoring to track who pulls the data. Endpoint encryption to protect the data from loss, but it won’t help when it’s moved to inappropriate locations. Network DLP to track it in email, but without the endpoint coverage it leaves a really big hole. Content discovery to keep some minimal tracking where it ends up (for managed systems), but that means opening up SMB/CIFS file sharing on the endpoint for admin access, which is in itself a security risk. Distributed encryption, which *does* have cross platform support, but still doesn’t stop the researcher from putting the data someplace it shouldn’t be, which is their main concern. While this is one of those industries (research) with higher Mac/cross platform use than the average business, this is clearly a growing problem thanks to the consumerization of IT. This situation also highlights how no single-channel solution can really protect data well. It’s the mix of network, endpoint, and discovery that really allows you to reduce risk without killing business process. Share:

A month or so I go I was invited by Jeremiah Grossman to help judge the Top 10 Web Hacking Techniques of 2008 (my fellow judges were Hoff, H D Moore, and Jeff Forristal). The judging ended up being quite a bit harder than I expected- some of the hacks I was thinking of were from 2007, and there were a ton of new ones I managed to miss despite all the conference sessions and blog reading. Of the 70 submissions, I probably only remembered a dozen or so… leading to hours of research, with a few nuggets I would have missed otherwise. I was honored to participate, and you can see the results over here at Jeremiah’s blog. Share: