Research

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. vBulletin is the the most popular forum platform out there. It runs many, or most, of the sites your admins and developers peruse for technical advice and questions. Now tens of thousands of those sites are hosting malware. Hope you have some web filtering capable of detecting and blocking the flood. This is the very definition of a watering hole attack, as much as I hate that stupid marketing term. Share:

You may have noticed our posting was down a bit this week. Okay, pretty much non-existent. But take a look at the links in this Summary for what we have been reading and thinking about. This is turning out to be the busiest end-of-year I can remember for us. We always compress some things in Q4 as people use up end-of-year budget, but this year it is really hitting hard… and I am absolutely loving it. I have 3 papers to finish up before the end of the year, all of them on topics I am extremely interested in. Plus travel nearly every week. It will, of course, run me into the ground, but it looks like there will be plenty of time to remind the kids what I look like over the holidays, when I can bribe them. Our one post this week was Mike’s Incite, Youth is Wasted on the Young. While that is true, in my case I think age is wasted on the middle-aged. I didn’t barge out of college with a checklist of life goals quite like Mike. My graduation was more of a whimper. I spent 8 years as an undergrad, starting off in aerospace engineering and Navy ROTC with a clear path to being an astronaut, leaving as an itinerant paramedic and IT pro with a degree in history and an almost-finished second major in molecular biology. I don’t, for an instant, feel that I wasted my youth, missed opportunities, or failed to work to my peak potential. I needed to develop a lot as a person, like everyone, but managed to mostly avoid the deep pains and frustrations that Mike seems to have encountered. This wasn’t some genius superpower, but some incredible acts of fortune that brought amazing friends into my life to help me along. Martial arts also played a major role by developing self-awareness. That said, I did have a couple doozies, especially involving the finer gender, but nothing that didn’t launch me into something even more interesting. Age is wasted on the middle-aged because I have nearly as much enthusiasm, see just as much opportunity, but lack the freedom to pursue it as aggressively. I am not willing to risk my family’s lifestyle and home, and so am forced to proceed at a more methodical pace – which annoys the hell out of my 27-year-old self-image. But I don’t look at this with regret. I took full advantage of the opportunities I had at 27, and while I sometimes itch for more in my 40s, I know exactly what I would have to sacrifice to achieve them quickly, and I prefer this life. Besides, I am still egotistical enough to think I will achieve all my goals in time. And don’t go thinking I’m all zen or anything. Some of this bugs the hell out of me on a daily basis, but not to the point where I freak out over it. I suppose that’s progress… and sleep deprivation. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR post on Evasion Techniques And Sneaky DBAs. Favorite Securosis Posts Adrian Lane: Youth is wasted on the young. The ‘halfway’ point realization is a sobering thought. No Other Securosis Posts this Week Favorite Outside Posts Adrian Lane: EMV vs the UPT, Can We Fix the #FAIL? Branden Williams points out one of the many reasons Chip and Pin is a long way off in the US. David Mortman: Identity Management and Its Role in Security Strategy of Enterprise Environments. Gal Shpantzer: Is the Affordable Health Care Website Secure? Probably not. James Arlen: SecTor 2013: Are there limits to ethical hacking? Mike Rothman: The Lie in the Network. Thought provoking post by the Rev. Baker about how we can’t count on the network for security and have to look at the issue differently. I will cover this in a longer post next week but it’s worth reading now. And I look forward to the next few posts to check out some of his ideas. Research Reports and Presentations A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Top News and Posts Forrester Contradicts Verizon Report, Says Insider Threat Leads Data Breaches. Call me skeptical. Alleged ‘Dread Pirate Roberts’ Heads to New York in Silk Road Case Nordstrom Finds Cash Register Skimmers Make your own Enigma Replica. Perfect high school project! Microsoft pays out $100,000 bounty for Windows 8.1 bug. Google’s Schmidt: Android more secure than iPhone. Not. Blog Comment of the Week This week’s best comment goes to louis vuitton belts, in response to about a dozen blog posts: You write well This has to be our most persistent and impressed reader ever. It’s really nice he or she feels this way about our work. Please keep the support coming – I’m sure we will approve one of your comments soon. Share:

  We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these devices. Things are getting more complicated as next-generation functionality brings a need to define and manage application policies; new devices and infrastructure evolution make it difficult to know what is allowed and what isn’t. The issues around managing firewalls can be summed up in an excerpt from our newest paper: Like a closet in your house, if you don’t spend time sorting through old stuff it can become a disorganized mess, with a bunch of things you haven’t used in years and no longer need. This metaphor fits the firewall like a glove, so we decided to get back to our network security roots to document the essentials to automating management of firewalls. We explain the need for a strong automated change management process, the importance of optimizing the rule base, and the benefits of managing access risk. It should serve as a good primer on how to improve the operational excellence of your network security controls. We would like to thank Firemon for licensing the research and supporting what we do. You cannot get rid of firewalls, and if anything their importance is increasing daily. So you might as well get better at managing them, and that’s what this research is all about. Check out the FME landing page in our research library, or download the Firewall Management Essentials paper directly. Share:

A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen? It seems just like yesterday I was loading up the U-Haul for the trek to relocate to DC after college to start my adult life. That yesterday was 24 years ago. I drove that speed limited truck (it wouldn’t go faster than 60) with all my worldly possessions down the 95 with all these expectations. I was going to do this, and do that, and achieve this, and basically become the master of all I survey. No plan survives contact with the enemy, and mine was no exception. I certainly had the energy and the drive, but I didn’t understand the game. I was too young to have any perspective. All I wanted to be was an adult, and have my own money and buy my own stuff and be responsible for myself. It took 24+ years of screwing things up to finally appreciate how the old saying: “Youth is wasted on the young” is absolutely correct. The young don’t know how to harness their capabilities. They don’t know what they don’t know. Which is obvious every time I chat with kids just entering the job markets. I love their energy and idealism, but I shake my head at their sense of entitlement. Mostly I’m excited for them to learn stuff the way I learned it – the hard way. That’s really the only way to learn, and these kids will do great things in the few instances when they aren’t screwing up. But 24+ years later, I can appreciate that process and understand that I had to go through the good, the bad, and the ugly to end up where I am today. Which is right where I should be. So as I enter the second half of my life, I am thankful for the first half. It gave me an opportunity to figure some things out, especially about myself and what’s important to me. I don’t worry so much any more about fitting in or living up to others’ expectations. I’m young enough to still do a lot of stuff, but old enough to kind of know what I’m doing. And that’s a good place to be. –Mike Photo credit: Youth on the Move in Volos 12, originally uploaded by EU Social Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Application Denial of Service Introduction Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Newly Published Papers Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Keep it simple, get it right: I am often highly critical of Poneman Institute reports because their methodology is often flawed, especially using surveys to estimate losses for intellectual assets that can’t really be quantified. But their latest Cost of Cybercrime report moves in the right direction. This time it only counts direct costs related to incident response, not some wild-ass guess at the value of stolen files. I do believe these costs can be quantified, although the odds are many organizations lack the maturity and tracking to really be consistent about what it really costs to clean up a mess. But Ponemon kept a tight scope, with clear definitions, and noted that costs rose 18% (total, not per incident). One reason cited may be the increasing numbers and sophistication of attacks, but I suspect better detection incidents is a larger factor. – RM Down the river of payments: The card brands very publicly announced a global tokenization proposal to make shopping “simpler and safer”, which they promise to release real soon now. But, with significantly less press coverage, on-line retailer Amazon went one step better – by extending Amazon’s existing payment infrastructure to other retail sites. Amazon customers will leverage their Amazon account, including payment and shipping preferences, when they buy from participating retailers. That is Payment as a Service (PAYaaS), people! Participating merchants will no longer need to manage and secure the payment process, or user accounts and passwords, so they will not need to slog through PCI requirements. Amazon makes money on each transaction. Users benefit from a single account and password, and only need to trust Amazon (who already provides a very good user experience) with their account & payment information. – AL 3 Keys to security survival: Great overview in Dark Reading of how the core imperatives of a CISO continue to change given the Inevitability of Attacks. The article covers an Interop presentation by Blackstone’s CISO, Jay Leek, and describes three mindset and strategic shifts. The first is to get better visibility into threats and attacks. You also need better intelligence about attacks and attackers. And finally you need a planned response rather than just reacting to the latest attack du jour. It is right on the money so check out the article when you can. And keep in mind that this doesn’t mean you need to dump all your preventative controls. It just means you need to do a better job of being prepared to respond. – MR Assume the worst: We have been saying for years that you should assume your environment has been breached, or will be, and define your defensive controls around that.

I was never a big fan of the Rolling Stones. Heard them on the radio all the time growing up but never bought any of their stuff. It was good but not good enough to spend my hard-earned money. Recently a friend, a hardcore Stones addict, convinced me I needed some in my music collection. A couple clicks on Amazon, and three days later I had a big box of music waiting for me when I got back from the Splunk conference. In need of a little rest after a hectic few weeks, I cracked open the package and gave it a listen. And WTF? This is not what I heard on the radio. This song is hardcore blues. The next song is honky-tonk. Then rock and roll, followed by some delta blues. Singer, guitarist, and drummer all changing styles with each song like each one was a style they had played all their lives. This is amazing. Different, but (ahem) I liked it! The band as I heard it on the radio growing up is not the band on CDs and records. There is depth here. Versatility. Ingenuity. What I thought is not what they are. Their popularity suddenly makes sense. The songs played on radio and streaming services do a disservice to the band, and fail to capture special aspects of what they are (and were) about. So this morning I realized the answer to a simple question, which I have been hearing for years without a good answer. The question is most often asked as “We are evaluating SIEM solutions but this vendor Splunk came up. Who are they and what do they do?” The security community primarily knows them as an almost-SIEM platform. They do more than log management, but less than SIEM. And that is accurate – most of the security press talks about Splunk in that grey area between SIEM and LM, but fails to explain what’s going on or why the platform is popular. What you have read in the press and seen in… let’s call them “Supernatural Quadrangles” for the sake of argument… does not capture what is going on or how this platform fits into the enterprise. Yes, I said enterprise. This came up because Splunk was kind enough to invite me to their conference in Las Vegas this week to catch up on recent platform enhancements and speak with some of their customers. I don’t get paid to go, in case you’re wondering, but it is worth spending a couple days speaking with customers and hearing what they are really doing. The customer conversations were the optimistic variety I expected, but the keynote was something else entirely. Their CEO talked about mining the data feeds from aircraft and trains to help optimize safety and efficiency. About getting telemetry from mobile endpoints to gauge app reliability. I heard user stories about using the platform as a basis for consumer buying trend analysis and fraud analytics. This is not security – this s generalized analytics, applied to all different facets of the business. Even weirder was the enthusiastic fanboi audience – security customers normally range from mildly disgruntled to angry protagonist. These people were happy to be there and happy with the product – and the open bar was not yet open. Wendy Nather and I did a quick survey of the crowd and discovered that we were not among a security audience – it was IT Operations. Splunk’s core is a big data platform. That means it stores lots of data, with analytics capabilities to mine that data. And like most big data platforms, you can apply those capabilities to all sorts of different business – and security – problems. It is a Swiss Army Knife for all sorts of stuff, with security as the core use case. To understand Splunk you need to know that in addition to security it also does IT analytics, and is applicable to general business analytics problems. Another similarity to “Big Data” platforms is that many commercial and open source projects extend its core functionality. The only security platform I know of with a similar level of contributions is Metasploit. Again, it’s not SIEM. It is not the ideal choice for most enterprise security buyers who want everything nicely packaged together and want fully automated analytics. Correlation and enrichment are not built into Splunk. Enterprises need reports and to ensure that their controls are running, so anything different is often unacceptable. They don’t want to rummage around in the data, or tweak queries – they need results. Well, that’s not Splunk. Not out of the box. Splunk is more flexible because it is more hands-on. It offers more use cases, with a cost in required customization. Those are the tradeoffs. There is no free lunch. A few years ago I mocked Splunk’s “Enterprise Security Module”. I said that it did not contain what enterprise security centers want, they did not understand enterprise security buyers, and they didn’t offer what those buyers demand in a security platform. Yeah, in case you were wondering, I failed charm school. Splunk has gotten much closer in features and functions over three years, but it is still not a SIEM. In some ways that is a good thing – if you are just looking to plug in a SIEM, you are missing their value proposition. Splunk pivoted vertically to leverage their capabilities across a broader set of analysis problems, rather wage trench warfare with the rest of the event management market. The majority of people I spoke with from larger enterprise belonged to operations teams. At those firms, if security uses the product, they piggy-back off the Ops installation, leveraging additional security features. The other half of customers I spoke with were security team members at mid-sized firms, applying the platform to highly diverse security use cases and requirements. To understand why Splunk has so many vocal advocates and protagonists you need to broaden your definition of a security platform.

A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat. I decided to release it as a white paper. Because I think there are too many trees in the world, and this will encourage you to print it out. Or buy a tablet – doesn’t matter to me. Landing Page: A Practical Example of Software Defined Security Direct Download (PDF) In all seriousness, I hope you like it; and that this white paper, with complete content from the posts, is useful to you. Share:

Brian Krebs breaks another story: Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering. And on hiring a hit man (seriously): On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.” I wonder if Benedict Cumberbatch will play DPR in the movie? Compelling read. Nothing to do with IT security unless you plan on hosting an illegal site, but fascinating. Share:

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field. A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft: “If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.” It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers. Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game. Share:

I’m really looking forward to this, although my skills will keep me in the back of the room: October 2013 Chicago Crypto-For-Developers Class Share:

It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why they matter. It is not much different than your parents telling you that you cannot do something “because we said so.” But regardless of the specific situation, security awareness training occurs for a few reasons, some more productive (and strategic) than others: Limit Corporate Liability: If an organization doesn’t make very clear to employees what they can and cannot do using corporate technology assets, they cannot terminate employees for doing the wrong thing. Too much of today’s awareness training content is built as a warning to justify termination. This kind of training is built by lawyers expressly to enable them to prosecute employees if needed. That gives you a warm and fuzzy feeling, doesn’t it? Compliance Mandate: This is in play in many government organizations, who are expected to follow NIST 800-50 to comply with FISMA and build a security training program. We applaud the mandate – we all know it wouldn’t happen otherwise. But compliance requirements rarely create sufficient urgency to excel or address the original goals behind the regulation. Protect Information: Before our cynicism gets the best of us, some organizations perform security awareness training to actually train employees about security. Imagine that. In this case they need to know what not to click and why. They need to learn who to call when they think something is wrong. How to protect their mobile devices, which increasingly contain sensitive data and access. This content is typically built by the security team (or under their watch). If your current awareness program is controlled by Human Resources with a heavy influence from the General Counsel, you have some work to do. If you are in charge of an awareness training program, at least you can roll out some content to achieve your objectives. That doesn’t mean you understand the latest and greatest training techniques. Nor does it mean you actually have the time to build effective training materials. But at least you can make some decisions about the training program, and that’s a start. So we are excited to start a new blog series: “Security Awareness Training Evolution.” Adversaries have gotten better, so you need to prepare employees more effectively to be the first line of defense. Obviously they are an imperfect line of defense, but a human control is better than no control at all. As with all our blog series, we will write this one using our Totally Transparent Research methodology, which means we will post everything to the blog first and let you have an opportunity to provide feedback to make sure we are on target. Before we get started, we would like to thank the fine folks at PhishMe for potentially licensing the paper when we finish. We use the term ‘potentially’ because with our research process there is no commitment on either side until the research is done. That allows us to write what needs to be written, and for each licensee to verify that the content meets their needs (objectively, of course) before they actually license anything. Pragmatic Security Training It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as training remains. The main argument against security training is that it doesn’t work. That’s just not true. But honestly it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care, but they do bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. You need to accept that those folks will do what they want and you will clean it up. You also need to realize that some of your employees will be targeted by advanced attackers. No amount of security training will protect them if they are targeted. To clean that up you will need some-high end forensics, and if that’s in play you probably should consult our CISO’s Guide to Advanced Attackers. Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be impacted and influenced by better training content, wouldn’t it make your life easier if you didn’t have to clean up after them too? Obviously it depends on the organization, but we have seen training reduce the amount of time spent cleaning up easily avoidable mistakes. Yet, far too many organizations lose interest when they don’t see immediate results. Like any program, security awareness training requires patience and persistence. This is covered in Mike’s Pragmatic CSO book. Here is an excerpt on this point: The easiest thing to do regarding security awareness is to give up. Most organizations (and CSOs) are impatient. It’s hard to make a consistent effort when it is not clear that progress is being made. There really is a “tipping point” in security awareness, and until you get there, it’s hard to justify the time and investment required by the program. Thus the most critical success factor for security awareness is CONSISTENCY and PERSEVERANCE. It takes months and years of consistent effort to make security awareness second nature. Your employees have to overcome years of bad habits, like opening attachments and clicking links in emails. What’s Broken? How hard could it be to teach folks what not to do? You