Research

Amen to our buddy Paul Proctor, who starts a post, Why I hate the term GRC, with “GRC is the most worthless term in the vendor lexicon.” I couldn’t agree more. 10 years later I still don’t know what it means. Besides everything, as Paul explains: Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I’m losing the battle. The alternative is to try to bring some clarity to its usage by defining some boundaries. Unfortunately boundaries aren’t going to help. As long as Risk or Compliance (the R and C of GRC) continues to have budget line items, we will have both vendors and users dumping whatever they can into the GRC bucket. It’s a funding strategy that has worked for years, and unless there is some miraculous movement away from regulation it will be successful for years to come. Then Paul tries to put GRC tools into a box. Good luck with that. But he makes a good point: “Buying a tool to solve your GRC problems is putting the cart before the horse. For example, if you don’t have risk assessment, buying a GRC tool is not going to give it to you.” I applaud this attempt to provide some sanity to the idiocy of GRC. But that’s too positive and constructive for me. I would rather just bitch about it some more. Which I think I did… Share:

OK, not really. But as Rich pointed out in last week’s Incite (Truth is stranger than satire), The Onion getting hacked, and then the hackers posting stuff that seemed very Onion-like, was one step short of crossing the streams. In less than true Onion form – honest and satire-free –= they go through exactly what happened in a recent blog post, and it was very unsophisticated phishing. Phase 1 seemed random, and only one Onion staffer fell for the ruse. Leveraging that initial compromised account the attackers sent another wave of phishing messages. A few clicked the link but only two actually provided credentials. At that point the Onion folks realized they had compromised accounts and forced a company-wide password reset. But the attackers weren’t done. They were able to send a duplicate password reset email (through yet another compromised account) and they then got control of another 2 email accounts. One of which had access to the corporate Twitter account. Yikes! Hats off to The Onion – these posts are helpful for everyone to learn from the misfortune of others. They have some decent tips in the post as well, including using a dedicated application to access the corporate Twitter account (where you could apply more granular access control) and having email addresses associated with the corporate accounts on a totally separate system to provide account segregation. Rich talked about some other tactics to protect corporate Twitter accounts as well, with two-factor authentication topping the list. Photo credit: “Never again Mr. Onion” originally uploaded by dollen From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

I have never been a fan of large gatherings of people. You would never find me at a giant convention center listening to some evangelist, motivational speaker, politician, or business ‘guru’ tell me how to improve my life. I don’t stalk celebrities; participate in “million man marches”, tea party gatherings, promise-keepers, or any something-a-palooza to support a cause. I don’t have a cult-like appreciation of ‘successful’ people. It has nothing to do with a political or religious bent and I don’t fear crowds – it is a personality trait. To me group-think is a danger signal. I’m a skeptic. A contrarian. If everyone’s doing it, it must be wrong. But it’s not like I never attend large events: AC/DC concerts are a go, and I’ll wait in long lines to get an iPhone. But it’s just as likely to bite you as be rewarding – you know, like the last Star Trek movie, the one with the terrible plot you’ve seen six times, because the cast and cinematography are oddly appealing. Anyway, when lots of people think something’s great I usually walk the other way. So what the heck was I doing at the Berkshire Hathaway Shareholders meeting last weekend? In Omaha, Nebraska, of all places? Forty thousand finance geeks standing in near-freezing rain, waiting for the doors to open at the CenturyLink center to hear Warren Buffett and Charlie Munger talk about stock performance? Are you kidding me? But there I was, with Gunnar Peterson, listening to the “Oracle of Omaha” talk about Berkshire Hathaway and investment philosophy. And it was a bit like a cult – a pilgrimage to listen to two of the greatest investors in history. But despite all my reservations I had a great time. You wouldn’t expect it from the topic but the meeting was entertaining. They were funny, insightful, and incredibly rational. They are politically incorrect and unapologetic about it. They are totally transparent, and as likely to remind you of their failures as successes. And they are more than happy to critique one another for their flaws (I’m certain I have seen these traits at another company before). As much as I have read about Munger and Buffett in the last 18 months – I think I read most of their funny quips before the meeting – there is something about hearing all of it in one place that weaves their concepts into a single cohesive tapestry of thought. You see the core set of values repeated consistently as they answer questions, no matter what the subject. If you are interested in a recap of the event, the Motley Fool blog did an excellent job of capturing the questions and some of the humor. I only started to follow Charlie and Warren about 18 months ago, because Gunnar’s use of sage Charlie Munger quotes got me curious. Now I am hooked, but not because I want investment ideas – instead I am fascinated by an incredibly simple investment philosophy, that involves an incredibly complex set of rational models, that forms the foundation of their decision process. Both men are contrarians – they choose to invest in a method that for decades people thought was a fluke. Berkshire has been called a 6-sigma outlier. They have been derided for not investing in tech companies during the tech boom – a profound critique when you consider Apple, Google, and Microsoft are some of the fastest-growing and 3 out of of 5 of the largest companies in the world. They have been mocked in the press as being “out of touch” when the market was going crazy during the whole mortgage/CDO fiasco. But they have stayed the course, despite fickle and fashionable trends, on their way to become the most successful investors in history. Berkshire is now one of the top 5 companies in the world, but ultimately their approach to decisions is what fascinates me. Had I heard about them during college, and comprehended their message as I do today, I would probably have gone into finance instead of computer science. Oh, before I forget, the majority of the Securosis team will be at Secure360 next week. Mort and I will be presenting on big data security. Ping us if you’re in Minneapolis/St. Paul and want to get together! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Security Implications of Big Data. Favorite Securosis Posts Rich: My “Peak Experience” article in The Magazine. I am really excited about this one, so even though it is technically an ‘Outside’ item I picked it as my favorite post. It’s the story of a mountain rescue I was on over a decade ago, for a really exciting publication, which I am honored to write for. David Mortman: The CISO’s Guide to Advanced Attackers: Evolving the Security Program. Mike Rothman: Some (re)assembly required. Need to show some love for our contributor Gal, who posted his first solo piece on the blog. He makes a great point about never forgetting the data security lifecycle. Adrian Lane: Finger-pointing is step 1 of the plan. Other Securosis Posts Database Breach Results in $45M Theft. Security Earnings Season in Full Swing. McAfee Gets Some NGFW Stones. Incite 5/8/2013: One step at a time. 2FA isn’t a big enough gun. Now China is stealing our porn. The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain. Friday Summary: May 3, 2013. IaaS Encryption: How to Choose. IaaS Encryption: Object Storage. Favorite Outside Posts Rich: White House close to backing FBI’s wiretap backdoor proposal, says NYT. This is a short piece, but insanely important. Backdoors for wiretapping are horrible for security, with a long history of misuse and compromise. David Mortman: Google unveils 5-year roadmap for strong authentication. Mike Rothman: FUDwatch: Armenia. Marcus Ranum determines (with tongue firmly in cheek) that the biggest threat in the known world is… Armenia. Which just goes to show that you can make data say pretty much whatever you want it to. So interpret the breach reports and other data sources carefully, and figure out what you want them to say. Adrian Lane: The State of Web

Big news, big money – hackers stole $45M in a flash attack. They hacked into the bank system, focused on debit and pre-paid cards that lack the usual credit card anti-fraud detection, then made massive rapid withdrawals using mules scattered around the world. Not new. Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as “Hacker 3,” pooled their talents, and with the help of a worldwide network of “cashers” in more than 280 cities, they were able to walk away with $9 million of RBS WorldPay’s money. The attack, detailed in a federal indictment announced Tuesday by the Department of Justice, illustrates clearly the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes. The scam began simply and came together quickly. In early November 2008, prosecutors allege that Covelin discovered a vulnerability in the network of RBS WorldPay, a subsidiary of the Royal bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. As Gal Shpantzer said in our chat room today: this is the sort of ATM hack that should be in the Verizon DBIR – not necessarily skimming. Share:

From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

There is no single right way to pick the best encryption option. Which is ‘best’ depends on a ton of factors including the specifics of the cloud deployment, what you already have for key management or encryption, the nature of the data, and so on. That said, here are some guidelines that should work in most cases. Volume Storage Always use external key management. Instance-managed encryption is only acceptable for test/development systems you know will never go into production. For sensitive data in public cloud computing choose a system with protection for keys in volatile memory (RAM). Don’t use a cloud’s native encryption capabilities if you have any concern that a cloud administrator is a risk. In private clouds you may also need a product that protects keys in memory if sensitive data is encrypted in instances sharing physical hosts with untrusted instances that could perform a memory attack. Pick a product designed to handle the more dynamic cloud computing environment. Specifically one with workflow for rapidly provisioning keys to cloud instances and API support for the cloud platform you use. If you need to encrypt boot volumes and not just attached storage volumes, select a product with a client that includes that capability, but make sure it works for the operating systems you use for your instances. On the other hand, don’t assume you need boot volume support – it all depends on how you architect cloud applications. The two key features to look for, after platform/topology support, are granular key management (role-based with good isolation/segregation) and good reporting. Know your compliance requirements and use hardware (such as an HSM) if needed for root key storage. Key management services may reduce the overhead of building your own key infrastructure if you are comfortable with how they handle key security. As cloud natives they may also offer other performance and management advantages, but this varies widely between products and cloud platforms/services. It is hard to be more specific without knowing more about the cloud deployment but these questions should get you moving in the right direction. The main things to understand before you start looking for a product are: What cloud platform(s) are we on? Are we using public or private cloud, or both? Does our encryption need to be standardized between the two? What operating systems will our instances run? What are our compliance and reporting requirements? Do we need boot volume encryption for instances? (Don’t assume this – it isn’t always a requirement). Do root keys need to be stored in hardware? (Generally a compliance requirement because virtual appliances or software servers are actually quite secure). What is our cloud and application topology? How often (and where) will we be provisioning keys? Object storage For server-based object storage, such as you use to back an application, a cloud encryption gateway is likely your best option. Use a system where you manage the keys – not your cloud provider – and don’t store those keys in the cloud. For supporting users on services like Dropbox, use a software client/agent with centralized key management. If you want to support mobile devices make sure the product you select has apps for the mobile platforms you support. As you can see, figuring out object storage encryption is usually much easier than volume storage. Conclusion Encryption is our best tool protecting cloud data. It allows us to separate security from the cloud infrastructure without losing the advantages of cloud computing. By splitting key management from the data storage and encryption engines, it supports a wide array of deployment options and use cases. We can now store data in multi-tenant systems and services without compromising security. In this series we focused on protecting data in IaaS (Infrastructure as a Service) environments but keep in mind that alternate encryption options, including encrypting data when you collect it in an application, might be a better choice or an additional option for greater granularity. Encrypting cloud data can be more complex than on traditional infrastructure, but once you understand the basics adapting your approach shouldn’t be too difficult. The key is to remember that you shouldn’t try to merely replicate how you encrypt and manage keys (assuming you even do) in your traditional infrastructure. Understand how you use the cloud and adapt your approach so encryption becomes an enabler – not an obstacle to moving forward with cloud computing. Share:

Most folks think you need to be a day trading financial junkie to have any interest in quarterly earnings releases and/or conference call transcripts. But you can learn a lot from following the results of your strategic security vendors and companies you don’t do business with, but who would like to do business with you. You can glean stuff about overall market health, significant problem spaces, technology innovation, and business execution. For instance, if you are thinking about upgrading your perimeter network security gear you have a bunch of options, most of them public companies. You cannot going much about Cisco, Juniper, IBM, Dell, or HP through their conference calls. Security is barely a rounding error for those technology behemoths, although a company like Intel does talk a little bit about its McAfee division because it is key to its growth prospects. But if you pay attention to the smaller public companies, such as Symantec, Check Point, Fortinet, Palo Alto, Sourcefire, Imperva, Websense, Qualys, etc., you can learn about how those bigger companies are competing. You need to keep in mind that you get a very (very very) skewed perspective, but it provides some ammo when challenging sales reps from those big companies. You can also learn a lot about business. How certain channel strategies work, or don’t work, which can help optimize how you procure technology. You can get a feel for R&D spend by your key vendors, which is important to the health of their new product pipelines. You should also read the Q&A transcripts, where investment analysts ask about different geographies, margins, product growth, and a host of other things. This information cannot help you configure your devices more effectively, but it does help you understand the folks you do business with, and feel better about writing big checks to your strategic vendors. Especially when you know the big deal they mention in the conference call is you. Here is a list of transcripts for the major publicly traded security companies. And if your favorite company (or the one in your 401k) isn’t here, it’s likely because they haven’t announced their Q1 results yet (like Splunk), or they may still be private. Symantec FQ4 2013 Earnings Call Transcript Check Point Q1 2013 Earnings Call Transcript Fortinet Q1 2013 Earnings Call Transcript Sourcefire Q1 2013 Earnings Call Transcript Qualys Q1 2013 Earnings Call Transcript Imperva Q1 2013 Earnings Call Transcript Websense Q1 2013 Earnings Call Transcript Proofpoint Q1 2013 Earnings Call Transcript SolarWinds Q1 2013 Earnings Call Transcript VASCO Data Security Q1 2013 Earnings Call Transcript Zix Q1 2013 Earnings Call Transcript That should keep you busy for a little while… Photo credit: “scrooge-mcduck” originally uploaded by KentonNgo Share:

Today’s big news is the hack against banking systems to pre-authenticate thousands of ATM and pre-paid debit cards. The attackers essentially modified debit card databases in several Middle Eastern banks, then leveraged their virtual cards into cash. From AP Newswire: Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe – an old hotel key card or an expired credit card worked fine as long as they carried the account data and correct access codes. A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn’t say where they were located. The targets were reserves held by the banks to fund pre-paid credit cards, not individual account holders, Lynch said … calling it a ”virtual criminal flash mob,”. The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said It’s not clear how many of the thieves have been caught, or what percentage of the cash has been retrieved. Apparently this was the second attack, with the first successfully pulling $5 million from ATMs. Police only caught up with some of the attackers on the second attack, after they had managed to steal another $40M. How the thefts were detected is not clear, but it appears that it was part of a murder investigation of one of the suspects, and not fraud detection software within the banking system. The banks are eager to point to the use of mag stripe cards as the key issue here, but if your database is owned an attacker can direct funds to any account Share:

In hindsight we should have seen this coming. I mean it’s not like McAfee even showed up for the most recent NSS Labs next-generation firewall (NGFW) test. They made noise about evolving their IPS, I mean Network Security Platform, to offer integrated firewall capabilities. But evidently it was either too hard or would have taken too long (or both) to provide a competitive product. So McAfee solved the problem by writing a $389MM check for Stonesoft. You haven’t heard of Stonesoft? They weren’t a household name but they have had a competitive firewall product for years. Decent distribution in Europe and a very small presence in the US. They did about $50MM in revenues last year and are publicly traded in Finland. I guess what’s surprising is that it wasn’t Cisco, Juniper, IBM, or HP. What about Cisco’s blank check to regain competitiveness in the security business? If it’s not connected to an SDN apparently Juniper isn’t interested. I guess IBM and HP hope that if they continue to ignore the NGFW market it will just go away. Hope is not a strategy. And as perimeter consolidation continues (and it is happening – regardless of what IPS vendors tell you), if you don’t have a competitive integrated product you won’t be in the game for long. So McAfee needed to make this move. Certainly before someone else did. But it’s not all peaches and cream. McAfee has their work cut out for them. It’s not like they have really excelled at integrating any of their larger acquisitions. And they have to reconcile their existing IPS platform with Stonesoft’s integrated capabilities. Don’t forget about the legacy SideWinder proxy firewall, which continues to show up a lot in highly secure government environments. Why have one integrated platform when you can have 3? How they communicate the roadmap and assure customers (who are already looking at other alternatives) will determine the success of this deal. To further complicate matters, integration plans are basically on hold due to some wacky Finnish laws that prevent real integration until the deal is basically closed. It is unlikely they will be able to do any real planning until the fall (when they have acquired 50% of the stock), and cross-selling cannot start until they have 90% of the stock tendered – probably early 2014. Details, details. The NGFW game of musical chairs is about to stop, and the move towards the Perimeter Security Gateway is going to begin. The M&A in the space is pretty much done because there just aren’t any decent alternatives available to buy without writing a multi-billion-dollar check any more. Those vendors without something NGFW are likely to see their network security revenues plummet within 2 years. Select your network security vendors accordingly. Photo credit: “Stone Pile” originally uploaded by Mark McQuitty Share:

Do you ever look at your To Do list and feel like you want to just run away and hide? Me too. I talk a lot about consistent effort and not trying to hit home runs, but working for a bunch of singles and doubles. That works great for run rate activities like writing the Incite and my blog series. But I am struggling to move forward on a couple very important projects that are bigger than a breadbox and critical to the business. It is annoying the crap out of me, and I figure publicly airing my issues might help me push through them. I have tried to chunk up these projects into small tasks. That’s how you defeat overwhelm, right? But here it just means I need to push a bunch of tasks back and back and back in my Todo app rather than just one. I think my problem is that I feel like I need a block of time sufficient to complete a smaller task. But I rarely have a solid block of a couple hours to focus and write so I get stuck and don’t even start. But that’s nonsense. I don’t have to finish the entire task now – I just need to do a bit every day, and sure enough it will get done. Is that as efficient as clearing the calendar, shutting off Twitter and email, and getting into the zone? Nope. It will definitely take longer to finish but I can make progress without finishing the entire task. Really, I can. As much as I try to teach my kids what they need to know, every so often I learn from them too. XX1 just finished her big year-end project. It was a multi-disciplinary project involving science, language arts, and social studies. She invented a robot (J-Dog 6.2) that would travel to Jupiter for research. We went to the art store and got supplies so she could mock up the look of the robot; she had to write an advertisement for the product, a user manual, and a journal in the robot’s voice to describe what was happening – among other things. She did a great job. I’m not sure where she got her artistic chops or creativity but the Boss and I didn’t help her much at all. How does that relate to my issue getting big things done? She worked on the project a little every day. She cut the pieces of the model one day. Painted it the next. Outlined the journal on the third. And so on. It’s about making progress, one step at a time. She finished two days early so she didn’t have to do an all-nighter the day before – like her old man has been known to do. So I need to take a lesson and get a little done. Every day. Chip away at it. I have an hour left in my working day, so I need to get to work… –Mike Photo credits: XX1 Geobot project – May 2013 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Cloud Data/IaaS Encryption Object Storage Encrypting Entire Volumes Protecting Volume Storage Understanding Encryption Systems Security Analytics with Big Data Use Cases Introduction The CISO’s Guide to Advanced Attackers Evolving the Security Program Breaking the Kill Chain Verify the Alert Mining for Indicators Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Incite 4 U I (for the record) am not the world’s greatest lover: I don’t know Troy Hunt but he probably isn’t either. But this awesome post basically supports his claim as the world’s greatest lover by stating “I could quite rightly say that nobody has ever demonstrated that this is not the case and there are no proven incidents that disprove it.” Then he goes on to lampoon the web site security seals from your favorite big security vendor. Not just that they can’t really justify their assurances that something is secure, but showing screenshots of these ‘protected’ sites busted by simple attacks. As funny (in a sad way) as this is, ultimately it won’t make much of a difference because the great unwashed think those seals actually mean something. – MR Nuclear powered 0-day: This is a bit of a weird one. Internet Explorer 8, and only IE version 8, is being actively exploited in the wild with a 0-day attack. It is always interesting when a vulnerability only works on one version of IE and doesn’t affect earlier or later versions. Additionally the malware was propagated through a US Department of Labor website, and only to people researching illnesses associated with work on nuclear weapons. Clearly the attackers were targeting a certain demographic, but I haven’t seen any reports of actual exploitation, which is the part we should be most interested in (except the DoL website – they totally pwned that one). It seems like a bit of an outlier attack because I don’t expect too many of their targets to look on the DoL site for that information, but what do I know? As we have learned, these espionage attacks are basically a targeted spray and play: attacking every possible path to their desired targets, understanding that the law of averages is in their favor. – RM Learn it. Know it. Live it.: Security professionals talk about how developers don’t understand security, but the Coverity team throws it right back at them with 10 Things Developers Wished Security People Knew. This is sound advice for security people working with software development. The underlying belief is that all these things require security to get to know the people, process, and code