Securosis

Research

FireStarter: The Time for Corporate Password Managers

I talk a lot on Twitter about my password manager. I use 1Password and love it. It auto-generates random passwords for me of any length I choose, auto-fills web forms for me, and remembers both the web page and the hideously complex password I have chosen. It automatically synchronizes across all my computers so I am never without all my current passwords. The file is encrypted with AES-128 and they handle encryption keys securely, so I believe the product is pretty secure. Now, rather than having a couple good passwords for the handful of sites I care about – and a single generic password for the 300 sites I don’t – every single one of my web accounts has its own strong password. Or I should say as strong a password as each site allows. I always worried about having the application crash and losing every single one of my passwords. Irrational fear. I back it up like any other application. In hindsight I can’t figure out what took me so long to change over. Another irrational aspect of passwords dawned on me today: we automate password administration and enforcement, but require users perform a manual process. Why? There are some basic problems with people and passwords: We don’t want random passwords – too hard to remember. We don’t want to choose long passwords – too hard to remember. We don’t like typing long passwords. Frankly they are a pain in the ass to type in, and a triple pain in the ass if you mistype the first attempt. We don’t want to rotate passwords – it means I have to learn three of four long passwords just for work. We hate calling IT to reset passwords – because that takes more time out of our day. And the guy in IT treats us like dorks every time we call. Ultimately this is all because we suck at remembering passwords. Worse, we don’t care about the passwords – they are a necessary evil. Passwords are something we have to do. So why not automate the whole mess – especially for corporate IT users? Today we centralize password policies and automate enforcement of those policies (length, character requirements, expiration, etc.). There is no reason we can’t automate the client side as well, but enterprise password managers are rare as hen’s teeth. For corporate environments we could even embed advanced capabilities with virtual RSA tokens, access tokens for shared services without shared credentials, or even SAML capabilities. And we could allow each user to maintain individual passwords, with separate password repositories in case a single user account is compromised. I acknowledge that it’s conjecture on my part, but I am willing to bet that automation will reduce user error and ultimately IT’s password management burden. I am not aware of a password management product that can fully support enterprises today – but several are not far off. I think it’s time we see more password managers in corporate environments Share:

Share:
Read Post

Friday Summary: July 22, 2011

I imagine with this heat wave covering most the country you’re likely on your way to the beach – or at least some place better than work. So with me traveling, Mike suffering through physical therapy, and Rich spending time with the family, this week’s summary will be a short one. A friend sent me this video earlier in the week – I don’t know if you have seen these before, but if not take some time to look at this video on 3-D printer technology. It’s just one of the coolest things I have seen in years. I originally got interested in this a year or so ago when learning about some of the interesting stuff you can do with Arduino and I remain fascinated. Feed in a CAD design – even with non-connected moving parts – and it will literally print a physical object. If you notice, the printer in the video uses HP bubblejet printer cartridges – but filled with the resin hardener rather than ink. The technology is simple enough that you could literally build one at home. And pretty much anyone with basic CAD capability can design something and have it created instantly. As 3D printers evolve, so that they support other materials beyond plastic, And these designed can be shared – just like open source software – only in this case it’s open source hardware. What I find just as interesting is that people keep sending me links to the video, expressing their hopes and visions of the future. When teachers send me the link they talk about using these types of technologies to encourage student interest in technology. When I talk to car enthusiasts, they talk about sharing CAD models of hard-to-find car parts and simply re-fabricating door handles for a 1932 Buick. Star Trek nerds fans talk about the realization of the replicator. When I talk to friends with a political bent who are frustrated that everything is made in China, I hear that this is a disruptive technology that could make America a manufacturing center again. That is more or less the take behind the Forbes video on 3-D printers. Whatever – check out the video. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted by The Register in: Major overhaul makes OS X Lion king of security Favorite Securosis Posts David Mortman: Donate Your Bone Marrow. You could save a life. Do it now. Mike Rothman: Friction and Security. Wouldn’t it be great if we had KY Jelly for making everyone in IT work better together? Adrian Lane: Rise of the Security Monkeys. Only because I have a Monkey Shrine. Seriously. It’s a long story. Other Securosis Posts Incite 7/19/2011: The Case of the Disappearing Letters. Mitigating Software Vulnerabilities. Friday Summary: July 14, 2011. Favorite Outside Posts Mike Rothman: Howard Stern questions Citrix marketing strategy. You have no idea what my first thought was when I saw this headline. Though Stern knows a bit about marketing on the radio. Just goes to show how marketing technology has changed over the years. David Mortman: Phone hacking, technology and policy. Adrian Lane: Security Tips for Non-Techies. Dealing with non-technies on security issues more than I like, I feel your pain. Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. NSO Quant: Manage Metrics–Signature Management. NSO Quant: Manage Metrics–Document Policies & Rules. NSO Quant: Manage Metrics–Define/Update Policies and Rules. NSO Quant: Manage Metrics–Policy Review. Research Reports and Presentations Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts Using data to protect people from malware Comcast Hijacks Firefox Homepage: “We’ll Fix” Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More Microsoft Finds Vulnerabilities in Picasa and Facebook How a State Dept. contractor funneled $52 million to secret family Anti-Sec is not a cause, it’s an excuse. Azeri Banks Corner Fake AV, Pharma Market via Krebs. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Betsy, in response to Donate Your Bone Marrow. As a recent transplant recipient with three close friends also recipients plus a best friend recently diagnosed with leukemia, your post is spot on. Signing up to be a donor is trivially simple and, as you say, a direct path to saving or vastly improving lives. Visit organdonor.gov for a good source of information on how to donate. Thanks for your post. Share:

Share:
Read Post

Hacking Spikes and the Real Time Media

The Freakonomics blog assembled an interesting quorum on security. Industry heavyweights like Schneier weighed in on the following question: Why has there been such a spike in hacking recently? Or is it merely a function of us playing closer attention and of institutions being more open about reporting security breaches? Aside from Bruce there were opinions from folks at Imperva, IronKey, Aite Group, and BAE Systems – most of it decent. Some contradictory points, but get a bunch of folks to weigh in and that’s bound to happen. In something targeted to a mass market readership, some of these folks threw in the APT and PCI terminology. Seriously. Which really underscored to me how most security folks have no fracking clue on how to talk to a non-security audience. But that’s a story for another day. Since I wasn’t invited into the quorum (sad panda), I figured I’d rant a bit on the question. So if they kind folks at Freakonomics invited me to participate (hint, hint), here’s what I’d say. In general I have to agree with Bruce Schneier. There hasn’t been a huge spike in hacking. Sure, the number of data breaches is up, but the number of stolen identities is way down. The real change is the increased reporting on hacking. That’s right – security has finally come into your living room. And it’s a scary place for most folks. For instance, a few months back the Anonymous hacker collective broke into the website of Westboro Baptist Church – on live TV. Unless you’ve been to the Black Hat conference or a similar technical forum, you probably haven’t seen a lot of computer attacks happen live. That was cool. It was newsworthy. So the media picked up on this hacking stuff. Combined with the disclosure of previously off-limits information on sites like WikiLeaks and Pastebin, now you have real news. When the contact information of undercover Arizona police officers is posted on the Internet, or the tactics of The News of the World come to light, it’s going to make news. And it has. We do have more visible attacks as well. When hackers take down Sony’s PlayStation Network for weeks, that’s newsworthy. Steal some plans for the Joint Strike Fighter, which happened a few years ago, and it barely makes news. Take down a multi-player game and all hell breaks loose. This is the world we live in. We can talk about the increasing sophistication of the hackers (as a number of them did), but that’s crap. Most of these attacks have not been sophisticated at all. We can also talk about the laws requiring data breach disclosure, but that’s also crap. Disclosures have been happening for years, and this mainstreaming of hacking is much more recent. Compounding the issue is the real-time media cycle. Driven by anyone with a computer Tweeting whatever they want, and dimwit media outlets running with it without proper fact checking (or, often, even understanding what they’re saying), and you have a perfect way to game the system. We see it every day with the NFL labor negotiations. Some player – perhaps clued in but just as likely not – tweets something, and everyone thinks it’s gospel. Within seconds it’s broadcast on ESPN and NFL Network. It’s on TV so it must be right, right? It’s not gospel. It’s not anything besides what’s always been happening. Now it’s in plain sight, and that’s uncomfortable for most folks. Especially the ones who find their corporate and personal secrets on public web sites. Share:

Share:
Read Post

Incite 7/19/2011: The Case of the Disappearing Letters

Something didn’t add up. We got a call from the girl’s camp literally 3 days after they got there saying XX2 needed more stationery. We hoped this meant she was a prolific writer, and we’d be getting a couple updates a week. Almost 3 weeks later, we got 1 postcard. That’s it. A few of her friends got letters, but not nearly enough to have depleted her stash of letters/postcards. And the longer we went without a letter, the more ornery The Boss got. Mostly because she spent a bunch of time buying, stamping, addressing, and return labeling the additional letters. So to not get any mail was really adding insult to injury. Luckily we were going to see the girls on Visiting Day, so we’d get to the bottom of the situation. Maybe there were mail gremlins in the Post Office, getting their kicks by reading (almost) 8 year old chicken scratch. Maybe the small-town post office was just overwhelmed. Or maybe XX2 had screwed up a bunch of letters and just thrown them out, as opposed to trying to fix them. It could be anything, and we were determined to get to the bottom of it. When we got to the camp, we spent a few minutes with XX1, including meeting her counselors and seeing her bunk. It’s far from roughing it, but they still get a somewhat rustic experience. Then we made our way over the XX2’s bunk to do a similar assessment. With me as the bull in a china shop, I (of course) just blurted out what I know The Boss was thinking. “I’m so happy you are having a great time at camp, but what the hell? Who did you write to with all your stationary? It certainly wasn’t us!” XX2 looked very confused. She reiterated that she did write letters, and she wrote 3-4 to us. It looked like it might be a job for the late Columbo, who could solve this posthumously. Then we asked the key question: “When did you mail the letters?” She again looked at us quizzically. That’s when all the pieces fit together. “I need to mail one letter every three days to get into dinner. So I give them one letter.” Looks like we found the smoking gun. I then asked XX2 to show us her stationary box, and sure enough there were 6 letters and 3 postcards ready to go. I forget she is not even 8 years old yet. She took the instructions literally. She needed one letter to fulfill the requirement, and didn’t realize she could mail more than one letter at a time, or even on an off day. We got the characteristic, “oh well” shrug from her and then we all just busted out laughing. To be clear, I’m not sure we’d do anything different next time. I refuse to be one of those crazy, guilt-slinging parents who browbeat their kids about writing. If they aren’t writing, odds are they are having fun. And we may even save a few bucks in postage. That’s a win-win in my book. -Mike Photo credits: “Nobody Loves Me” originally uploaded by Robert Hruzek Incite 4 U The next wave of consumer security: Following (and participating in) the SIEM space, one of the biggest jokes was fraud detection. You know, you’d set your SIEM to look at transaction records and it would find fraud. It’s just data, right? Fraud is just another pattern, right? Not so much, but it’s still a magic chart requirement to have a solution in this space, even though the financial folks use purpose-built offerings to do it for real. But that doesn’t mean that reputation and pattern matching for fraud detection has no place in security. Actually, it does, and with a tip of the hat to Fred Wilson, I can point you to a new service called BillGuard that monitors your credit card transaction streams and can alert you to things that might be funky. Remember, consumers don’t care about security for its own sake. But they care about losing money to fraud and other nuisances, and this kind of offering should just kill it. Disclaimer: I haven’t used BillGuard, nor have I checked out their security. But the idea is right on the (proverbial) money. – MR Agile is the word: Uh-oh. The US Government is taking cyber-security lessons from businesses. Are things that bad? Actually, while the title of this post filled me with visions of Sony and other enterprises, the actual document is worth review. The government is effectively advocating an Agile process – its basic tenets read more like secure code development ideals than as network deployment. Most security experts urge building security into the products we deploy rather than bolting it on afterwards. And this encourages working with smaller (read: more innovative) security technology providers. Their guidance is a good fit with our own enterprise guidance. – AL A sign of the times: About a hundred years ago, I co-founded a company focused on driving broader adoption of PKI. We focused on application integration to add capabilities such as encryption and digital signatures. But it never took off, mostly because no one was willing to trade inconvenience for security. By the way, not much has changed. If security works, it’s behind the scenes, embedded within the user experience so users don’t need to know about it. Adobe is clearly going taking another run at digital signatures with their EchoSign buy. I’m not sure the outcome will be different this time around. EchoSign got some lift because it wasn’t about technology – it was about a seamless business process to eliminate paper from contract signing. We’ll see if Adobe learns from that, or just tries to add another option to the product – you know how the latter scenario ends. – MR Skype pwnage: It will likely be patched by the time you read this, but there is a cross site scripting vulnerability with Skype. In

Share:
Read Post

Rise of the Security Monkeys

As far back as I can remember, I have been a fan of testing your defenses. Some people call it pen testing, others refer to it as an assurance process, but the point is the same either way. The bad folks test your defenses every day, and if you aren’t using the same tactics to find out what they can get, you’re going to have a bad day. Maybe not today, maybe not even tomorrow. But the clock is ticking. Truly understanding your security posture gets even harder when you start thinking about the cloud and the complexities of architecting a totally new infrastructure. We have a zillion dollars worth of systems management installed to monitor and manage our data centers, although I reserve judgment on how suck-tastic that investment has been. Now that we are moving many things to the cloud (whatever that means), it’s time to revisit how we test our infrastructure. The existing systems management (and security) vendors are falling all over themselves to position their existing products as appropriate for managing cloud operations, but most of their solutions are heavy on slide decks and virtual appliances (same stuff, different wrapper), and lighter on the actual management technology. In fairness, it’s still early, so we shouldn’t totally count out the systems management incumbents, right? I mean, those are some innovative organizations, [sarcasm]no?[/sarcasm] Yet, this cloud thing will force us to totally rethink how we run operations, and thus how we test our environments. The good news is that many of the cloud services leaders are more than happy to share what they are doing, so you can learn what works and what doesn’t, avoiding the school of hard knocks. I mean, when before has a company basically shared its data center architecture? Thanks, Facebook. And now NetFlix is sharing some of their management approaches. Netflix’s concept is to use a Simian Army (not literal monkeys, but automated testing processes) to put their infrastructure through the ringer. To see where it breaks. To pinpoint performance issues. And to do it continuously, on an ongoing basis. They even have a chaos gorilla, which takes entire availability zones out of play, so they can see how their infrastructure reacts. The same discipline applies to security. You need to build a set of hacking simians to try to break your stuff. No, it won’t be easy, and you’ll need to do a lot of manual scripting and integration to build a security monkey. Although there are some offerings (like Core’s new Insight product), focused on running continuous testing processes, it’s still early in this market. So you’ll need to do a lot of the work. But the alternative is having your dirty undergarments posted on pastebin. But don’t forget my standard caveat: when you test using live ammo, be careful! Given the economics of cloudy things, you should have a test environment that looks an awful lot like your production environment. And let the monkeys loose on your test environment early and often. But some of these monkeys can/should be used on the production stuff. Although you can make the test environment look the same, it’s not. We learn that hard lesson over and over again. In the post, Netflix talks about shutting down production instances (with a lot of oversight, obviously), just to see what happens. They reminds me a bit of the kanban process in manufacturing, in that you mess with the working system to find the breaking points, to see where you can make it more efficient. The assumption that everything is working fine has never held water. The question is whether you search for what’s broken, or wait for it to find you. But most of all, I love both the metaphor and the message of Netflix’s approach. These guys test their stuff, so when half of Amazon AWS goes down they stay up. Obviously this isn’t a panacea (as their recent outage showed), but clearly there is something going on over at Netflix. So jump on the monkey bandwagon – they are taking over the world anyway. Share:

Share:
Read Post

Mitigating Software Vulnerabilities

Matt Miller, Tim Burrell, and Michael Howard from the Microsoft Security Engineering Center published a paper last week on Mitigating Software vulnerabilities. In a nutshell, they advocate a set of tactics that limit – or outright block – known and emerging attack techniques. Rather than play catch-up and patch the threat du jour, they outline use cases for the technologies that Microsoft employs within their own products to make it much harder to compromise code with canned attacks. Over the past decade, Microsoft has developed a variety of exploit mitigation technologies that are designed to make it more difficult for attackers to exploit software vulnerabilities such as buffer overruns. This section enumerates each of the mitigation technologies currently available, and provides answers for common questions that relate to how each technology works, how effective they are, and any important performance or compatibility considerations. Three basic recommended tactics are: Generic detection of a hacker’s attempt to subvert a system though exception handler overwrites or running code from within data segments. Randomizing code or configurations to breaks canned attacks Employ simple security ‘speed bumps’ that require a little bit of insider knowledge which is difficult for an attacker to acquire. Two things I like about the paper: First, the tactics approach exploitation protection from a developer’s prospective. This is not a third-party tool or analyzer or bolt-on protection. These tools and complier options are in the context of the development environment, and offer protections a developer has some degree of control over. The more involved the developer is in the security precautions in (or for) their code, the more likely they are to think about how they can protect it. Second, this mindset assumes that code will be under attack and looks for ways to make it more difficult to subvert – rather than desperately hoping the newest mitigation can stop a determined attacker permanently. Understanding that small variations can cause huge headaches for attackers and malware developers is a fundamental insight for defensive development. While this paper is recommended reading for developers, bring a big cup of coffee. The documents are only about 10 pages, but the terminology is a bit obtuse. For example, “artificial diversity” and “knowledge deficits” are accurate but unfamiliar terms. I am pretty sure there is a better way to say “new invariants”. Still, esoteric vocabulary seems to be this paper’s main vice – slight criticism indeed. Educating developers on a simple set of tactics – built into their development tools – is powerful. The key insight is that you can take away the easy (known) pathways in and out of your code, and make it very expensive for an attacker to break your application. It is just as important to give yourself more time to detect iterative attacks in progress. The paper is well worth your time. Share:

Share:
Read Post

Donate Your Bone Marrow

I’m going to keep this short. Dave Lewis (@gattaca)’s wife was diagnosed with leukemia yesterday. Dave is one of our Contributing Analysts and a hell of a great guy, and while I haven’t met her, everyone says his wife is even better (seems to be a common trend). James Arlen (@myrcurial) posted with details over at Liquidmatrix. You may not know this, but Dave’s wife is the second person in our security community suffering from a blood-related disease (the other being Barkode, a fellow Defcon goon). If you aren’t signed up as a bone marrow donor, do it now. Only 1 in about 540 people in the registry are ever matched, so they need massive numbers. A lot of people used to tell me how cool it was that I was “saving lives” when I was working fire/rescue/ambulance. Donating your bone marrow is a far more effective and direct way to save someone. I’m not sure I actually saved too many lives in those days, but I do know that if I’m a match the odds are damn high someone will live who nature tried to take out. Do it. Now. Share:

Share:
Read Post

Friday Summary: July 14, 2011

Some days I think that in fitness, I’m getting wrong everything I advise people in security. I’ve been an athlete all my life – including some stints competing at a reasonably high (amateur) level. Like the time I went to nationals for my martial art. Cool, eh? Other than the part about getting my butt whipped by a 16-year-old. It seems cutting weight in a sport where knockouts aren’t the goal isn’t necessarily a good thing (me strong… me slow… puny teenager stand still so Hulk can kick in head, pleeze?). But running a startup and having kids seriously crimps my workout style. No more 20 hours of training a week, with entire weekends spent climbing or skiing some mountain. Here are a few of the ways in which I’m an idiot: I’m addicted to the toys. I currently use the Rolex of heart rate monitors (the Polar RS800CX). This thing connects to up to 4 external sensors at once to track my heart rate, position, and (I think) the fungus level of my little toe. Does it make me faster? Er… nope. So I’m spending for capabilities far beyond my needs. But damn, I really want that watch that counts my swimming laps. I bet I’d really use that one every day. I promise – now can I buy it? I’m a binge/purge sort of athlete. Rather than hitting a steady state of training and sticking with it, I’m on and off my program like a child actor at rehab. Oh, I always have great excuses like kids and travel, but as much time as I dedicate to working out, I tend to blow it with a bad month here or there. In other words some days I feel like I flit around worse than a horny butterfly with a narcissism problem. I get hurt. A lot. Then instead of fixing the root cause I freak out that I’m getting out of shape, jump back in at full speed, and get hurt again. I suppose I’m consistent (I have been on this cycle since I was a kid). On the upside, I get my money’s worth from insurance. I have delusions of grandeur. If some dude passes me on the bike I take it personally. Which is inconvenient, since most folks pass me on the bike. Or the run. Or… whatever. So I try to keep up, ignoring the fact that I train in places that attract professional athletes. Yeah, that doesn’t last too long. What really sucks is that as easy as it is to identify these problems, and much as I do (sometimes) work on them, I still make the same mistakes over and over. Okay, age has mellowed me a bit, but I’d quit my job and work out 8 hours a day in a heartbeat… … which I can measure with extreme accuracy thanks to my watch. And heck, after blowing out my knee by hour 6 I can go start work again. This is depressing. I think I’ll go sign up for a race… On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted on DAM market trends. Rich quoted in eWeek Europe. Rich on NetSecPodcast. Adrian’s Dark Reading Post on Federated Data. Mike’s monthly post on Dark Reading: Low And Slow, Persistence, Loud And Proud, And The Fundamentals. Favorite Securosis Posts Mike Rothman: Friction and Security. Wouldn’t it be great if we had KY Jelly for making everyone in IT work better together? Adrian Lane: Incite: The King of the House. Chicken McNuggets for vegetarians. Priceless. Rich: Call off the (Attack) Dogs. Other Securosis Posts (for 2 weeks because we skipped last week’s summary) Security Marketing FAIL: Claims of Risk Reduction. Tokenization vs. Encryption: Healthcare Data Security. Tokenization vs. Encryption: Personal Information Security. How to Encrypt or Tokenize for SaaS (and Some PaaS). Smart Card Laggards. Simple Isn’t Simple. Social Media Security 101. Incite 7/6/2011: Reading Between the Lines. Favorite Outside Posts Mike Rothman: Space Shuttle: good riddance. Count on Rob Graham to look at the situation, not the nostalgia, then bring it around to security. Compelling arguments about complexity and risk. Adrian Lane: How Digital Detectives Deciphered Stuxnet. Best article documenting Stuxnet I have read. Very entertaining. Rich: While not security specific, James Staten at Forrester has a good summary of this week’s cloud announcements. These are all pretty big developments that will affect your datacenter operations. Eventually. Pepper: Evgeny Kaspersky interviewed by Spiegel. Wide ranging and pretty interesting. Research Reports and Presentations Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts Anti-Sec is not a cause, it’s an excuse. Azeri Banks Corner Fake AV, Pharma Market via Krebs. SIEM Montage. Gotta have a montage! Anonymous Declares War on .mil. Microsoft Patches Bluetooth Hole in July’s Patch Tuesday. Intego Releases iPhone Malware Scanner. Jury’s still out. Google Removes All .CO.CC Subdomains Over Phishing, Spam Concerns. A Journey to the Cloud (Part 2). Inside the Chinese Way of Hacking. Police: Internet providers must keep user logs. Sony Exec Calls PlayStation Network Hack ‘A Great Experience’. In other news, he’s also really into S&M. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Michael, in response to Incomplete Thought: HoneyClouds and the Confusion Control. We will not be able to tell if the effectiveness of these Proteus tactics actually works, although I would welcome it. I do actually believe these tactics will work against certain people / bots. I am a big believer in time, the longer time it takes the more a person / bot is prone to give up and move

Share:
Read Post

Security Marketing FAIL: Claims of Risk Reduction

Every time I see the phrase “reduce your risk by X%,” I break out in hives. I agree that it is critical to think about risk (which to me is really about economic loss), but everyone has a different definition of risk. And to say anyone can reduce risk by a certain percentage triggers my bullcrap filter. Secunia recently did a study of their vulnerability database, which posits that if customers would patch only the 37 most popular Windows apps or their 12 most risky programs, they could reduce risk by 80%. There is that pesky word ‘risk’ again, because these numbers are questionable at best. They define risk as a sum of the number of vulnerabilities weighted by the criticality of the vulnerability. Huh? What about exploitability? Or the ability to exfiltrate data as required per the Data Breach triangle? How can you not factor in any other controls in place to mitigate and/or work around those ‘risks’? In fact, patching some of those apps is irrelevant because they pose no real risk to corporate assets. We are still fans of patching. In fact, it’s one of the anchor tenets of the Endpoint Security Fundamentals and a critical aspect of data center ops. I agree that most customers cannot patch everything within their typical maintenance windows, so some prioritization is necessary. But I’m not about to claim that patching will reduce anyone’s risk by an arbitrary percentage (or one calculated from an arbitrary formula). Any risk calculation needs to factor in the value of the data residing on the vulnerable device, not just the criticality of the vulnerability. For instance, what if a device has 50 critical vulnerabilities, but holds no corporate data? Is that a huge risk? I guess an attacker getting remote shell to the device could use it to stage further into the network, so that’s not good, but by itself that device doesn’t represent a real risk to the organization. Is it a bigger risk than a non-critical vulnerability on the server operating the business’ main transactional system? What would you patch first? Your patching process must include prioritization. If you are wondering how that works, Rich has done a ton of work on decomposing the granular processes of patching for our Patch Quant research – check it out. But we have beaten this horse enough. Let’s deal with the bigger issue: marketers’ efforts to quantify risk reduction. I’ve been there. The sales force needs some kind of catalyst to get customers to buy something. You figure if you do a little math, however wacky the assumptions, that will be good enough for customers to make a case to buy your stuff. You are wrong. It’s foolish to make blanket statements about risk reduction. Each organization’s perception of risk and its willingness to spend money to address or defer it is unique. But that won’t stop folks from trying. Despite my understanding, I still get annoyed by the attempts of security marketers to make bold statements with little real-world basis; and by the trade press biting hook, line, and sinker on pretty much anything described in percentages. But maybe that’s just me. Share:

Share:
Read Post

Tokenization vs. Encryption: Healthcare Data Security

Securing Personal Health Records (PHR) for healthcare providers is supposed to be the next frontier for many security technologies. Security vendors market solutions for Protected Health Information (PHI) because HIPAA and HITECH impose data security and privacy requirements. Should a healthcare provider fail in their custodial duty to protect patient data, they face penalties – theoretically at least – so they are motivated to secure the data that fuels their business. Tokenization is one of the technologies being discussed to help secure medical information, based on its success with payment card data, but unfortunately protecting PHR is a very different problem. A few firms have adopted tokenization to substitute for personal information – usually a single token that represents name, address and Social Security number – with the remainder of the data in the clear. But this use case is a narrow one. The remainder of the health-related data used for analysis – age, medical conditions, medications, zip code, heath care, insurance, etc. – can be used while the patient (theoretically) remains anonymous. But this usage is not very effective because it’s part of the medical, billing and treatment data that needs to be anonymized. It has not yet been legally tested, but a company may be protected if they substitute a person’s name, address, and Social Security number, even if the rest of the data should be lost or stolen. Technically they have transformed the records into an ‘indecipherable’ state, so even if a skilled person can reverse engineer the token back into the original patient identity, the company has reduced the risk of penalties. At least until a court decides what “low probability” means. So while there is a lot of hype around tokenization for PHI, here’s why the model does not work. It’s a ‘many-to-many’ problem: we have many pieces of data which are bundled in different ways to serve many different audiences. For example, PHI is complex and made up of hundreds of different data points. A person’s medical history is a combination of personal attributes, doctor visits, complaints, medical ailments, outsourced services, doctors and hospitals who have served the patient, etc. It’s an entangled set of personal, financial, and medical data points. And many different groups need access to some or all of it: doctors, hospitals, insurance providers, drug companies, clinics, health maintenance organizations, state and federal governments, and so on. And each audience needs to see a different slice of the data – but must not see PHI they are not authorized for. The problem is knowing which data to tokenize for any given audience, and maintaining tokens for each use case. If you create tokens for someone’s name and medical condition, while leaving drug information exposed, you have effectively leaked the patient’s medical condition. Billing and insurance can’t get their jobs done without access to the patient’s real name, address, and Social Security number. If you tokenized medical conditions to ensure patient privacy, that would be useless to doctors. And if you issue the same tokens for certain pieces of information (such as name & Social Security number) it’s fairly easy for someone to guess the tokenized values from other patient information – meaning they can reverse engineer the full set of personal information. You need to issue a different token for each and every audience, and in fact for each party which requests patient data. Can tokens work in this ‘many-to-many’ model? It’s possible but not recommended. You would need a very sophisticated token tracking system to divide up the data, issuing and tracking different tokens for different audiences. No such system exists today. Furthermore, it simply does not scale across very large databases with dozens of audiences and thousands of patients. This is an area where encryption is superior to tokenization. In the PHI model, you encrypt different portions of personal health care data under different encryption keys. The advantage is that only those with the requisite keys can see the data. The downside is that this form of encryption also requires advanced application support to manage the different data sets to be viewed or updated by different audiences. It’s a many-to-many problem, but is feasible using key management services. The key management must be very scalable key to handle even a modest community of users. And since content is distributed across multiple audiences who may contribute new information, record management is particularly complicated. This works better than tokenization, but still does not scale particularly well. If you need to access the original data at some point in the future, encryption is your only choice. If you don’t need to know who the patient is, now or in the future, the practical alternative is masking. Masking technologies scramble data, either working on an entire database or on a subset of the data. Masking can scramble individual columns in different ways so that the masked value looks like the original – retaining its format and data type just like a token – but is no longer sensitive data. Masking also is effective for maintaining aggregate value across an entire database, meaning the sum and average values within the data set can be preserved while changing all the individual data elements. Masking can be done in such a way that it’s extremely difficult to reverse engineer back to the original values. In some cases, masking and encryption provide a powerful combination for distribution and sharing of medical information. Tokenization is an important and useful security tool with cost and security advantages in select use cases – in some cases tokens are recommended because they work better than encrypted data. The goal is to reduce data exposure by reducing the number of places sensitive data is stored – using encryption, tokenization, masking, or something else. But every token server still relies on encryption and key management to safeguard stored data. End users may only see tokens, but somewhere in the tokenization you can always find encryption services supporting it. We recommend tokenization in various

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.