Securosis


The Appearance Myth

You can always tell whether you are at a hacker con or a corporate-oriented conference in our business. The hacker cons have plenty of tattoos, piercings, fringe hairstyles, and the like. In fact, I’m usually more concerned that folks will think I’m a narc because I have none of the above. But this brings me around to the idea of appearance and its impact on your career. I think Lee and Mike had a good, reasoned response in their Fashion Advice from Infosecleaders post. The question is about a guy who is climbing the corporate ladder and now finds himself having to dress the part. And it’s uncomfortable. Lee and Mike’s general thought is that he needs to deal with it, and that to play the game you have to look like you are in the game. And maybe they are right. But they might also be wrong. I think there could be other factors at work here, based on experiences I’ve had, because I’ve very rarely looked the part in any job I’ve had. Let’s start with my early META Group experience. I was in my early 20s and looked 18. My hair hadn’t started turning gray yet, and I was sitting across from CEOs and folks whose networking budgets had 9 or 10 zeros. I would be brought in to discuss trends in networking and telecommunications. The reality was that some of these networking jockeys probably had underwear older than me. So as you can imagine the first few minutes of each meeting were always pretty interesting, as everyone in the room sized each other up. I was far less snarky at that point so I usually didn’t antagonize the clients with tales of beer funnels, pet rocks, and dances with girls. You know, the stuff us kids used to do for fun in the olden days. Most of them took me for a lightweight and thankfully they didn’t have BlackBerrys back then, because I imagine they would have started banging through email before the introductions ended. But then a strange thing happened. Pretty much every time. I started talking. I answered their questions.
I provided perspectives on trends that indicated I actually knew what I was talking about. Who knew? This young whippersnapper actually talked to lots of folks and although a front-end processor was invented while he was still crapping in diapers, he understood IBM’s product strategy and what that meant to these poor saps who had to make the stuff work. I actually kind of enjoyed that expectations were pretty low when I entered the room. It made impressing clients much easier. Now back to the topic of attire. Truthfully, I’m not sure whether this guy’s problem is attire or self-esteem. You see, he feels different, and therefore the senior team treats him as different. He doesn’t seem to believe he belongs at the table with the big boys. So, I believe, senior folks pick up on that and realize his self-fulfilling prophecy. If you don’t think you belong in the club, you are right. If you have confidence in your abilities, know you speak knowledgeably, and are not intimidated by muckety-mucks who believe you need to wear a tie to be successful, you should be fine. Even in your khakis and button-down shirt. And if your organization truly judges you based on what you wear, and not what you know and what you do, then you are working for the wrong organization.


Dueling Security Reports: Cisco vs. Intego

Today, within a few minutes of each other, I read the latest 2010 security reports from Cisco and Intego. The Cisco report is very broad, while the Intego report is Mac specific. They really highlight the reality vs. hyperbole problem we often see in threat reports. While there’s some good information in the Cisco report, reading the APT section on page 22 and then my satirical post from yesterday should be good for some laughs. And when you hit the Android/Apple section? Umm… hard to say anything nice. There’s a ton of hyperbole in there about Apple and mobile devices being a major focus in 2011, without anything to back it up. The report seems to assume vulnerabilities correlate with exploits! As in: there are lots of Apple vulnerabilities, so we know there will be a ton of new attacks! Maybe 2011 will be the year Macs get the snot kicked out of them, but it won’t be due to rising vulnerability rates. Macs have had plenty of easily exploited vulns for years now. Heck, if anything it’s harder to exploit the current OS X than just a couple years ago. I can’t find any basis in the report for their conclusion. No data on rising attack rates. Just some point examples that fail to indicate a trend, plus a pretty graph of platform vulnerability rates. Wishful thinking, I guess. Oh, the best part is the title of the graph “Recent Spike in Exploits Targeting Apple Users”… with a graph of the vulns. Someone on the security team needs to have a word with the marketing team. As a counter, take a read of the Intego report. Page one lists all the exploits they’ve seen over the past year… which, once you knock out variants, you can count on one hand.


Advanced Persistent Threat (APT) Defeated by Marketure

Washington, D.C. Officials today revealed that the “Advanced Persistent Threat” (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations. “APT is dead. Totally gone. The term APT is meaningless now,” revealed a senior official under the condition of anonymity, as he was not authorized to discuss the issue with the press – as if anyone believes that anymore. “Advanced Persistent Threat” was a term coined by members of the military, intelligence, and defense industries to define a series of ongoing attacks originating from state and non-state actors primarily located in China, first against military targets, and later against manufacturing and other industries of interest. It referred to specific threat actors, rather than a general type of advanced attacks. Revealed through major breaches at Google and reports from Lockheed-Martin, APT quickly entered the Official Industry Spin Machine and was misused to irrelevance. Bill Martin, President, CEO, and CMO of Big Security, stated, “Our security products have always protected against advanced threats, and all threats are persistent, which is why we continue to push LOVELETTER virus definitions to our clients’ desktops. By including APT in our marketing materials and webcasts we are now able to educate our clients on why they should give us more money for the same products we’ve been selling them for years. In 2011 we will continue to enhance our customers’ experiences by adding an APT Gauge to all our product dashboards for a minimal price increase.” Self-proclaimed independent security pundit Rob Robson stated, “The APT isn’t dead until I say it is. I will continue to use APT in my presentations and press quotes until I stop getting invited to RSA parties”.
When asked in an unrelated press conference whether this means China is no longer hacking foreign governments and enterprises, Cybergeneral Johnson replied, “We have seen no decrease in activity.” Johnson continued, “If anything, we’ve seen even more successful breaches due to agencies and companies believing the latest security product they purchased will stop the APT. We are still in the middle of a long-term international conflict with a complex political dynamic that could materially affect our military and economic capabilities in the future. I don’t think a new firewall will help”. For more on this topic, please see The Security Industry Anti-Disambiguation Movement.


SMB isn’t ready for disaster. Are you?

You all know how much I like surveys. But I tend to think surveys targeted at SMB tend to be a little closer to reality, especially ones with 1,000+ responses. Our Big Yellow pals recently did a Disaster Preparedness Survey of 1,800+ small businesses, and the news isn’t very good, but not unexpected either. Here are a few soundbites:

  • Median cost of a day of downtime is $12,500.
  • 50% of respondents don’t have a DR plan.
  • 41% said it never occurred to them to put a plan in place.
  • 40% said it’s not a priority.
  • Less than half back up data weekly.
  • Only 23% back up data daily.
  • 50% of those with DR plans wrote one after an outage.

Yes, I could go on and on – but why bother? The issues are the same and a consistent mentality applies whether you are talking about security or disaster recovery. That’s the other guy’s problem. It won’t happen to me. Until it does. We could be talking about an attack that takes out our critical resources or a hardware failure that takes out our critical resources. They’re effectively the same. You end up with stuff that’s down and unavailability is bad. That’s if you like your job. So what to do? Continue fighting the good fight. Push for an incident response plan, as well as a disaster recovery plan. There should be a lot of leverage between the two. At least from the standpoint of restoring operations. The Symantec folks made a few recommendations, which are actually pretty good. They include: Don’t wait until it’s too late, protect information completely, get employees involved, test frequently, and review your plan. Yup, that’s pretty much what you want to do. Don’t wait until it’s too late to make sure you are ready for problems. Regardless of whether you work for a big or small company.


Incite 1/19/2011: Posturing Alpha Males

One of the terms you’ll likely hear at RSA this year is security posture. Along with “situational awareness” and other terms which refer to your ability to understand if you are under attack and how your defenses are positioned to protect your assets. But I’m fascinated by the psychology of posturing, because we see that kind of behavior every single day. It’s not like I go clubbing a lot (as in, at all), but you can always tell when someone who thinks they are an alpha male enters. They intentionally project a “don’t fsck with me” attitude and are likely to fly into a ‘roid rage at any time. They are posturing, and it’s likely a self-esteem issue has caused them to overcompensate by juicing up and thinking that pushing someone around in a bar makes them cool. Either that or they have a small piece. Maybe their Mom could have given them a few more hugs growing up. Or they should have tried that Swedish pump highlighted in Austin Powers. I know we aren’t done with the 2010 season yet (though my teams have been eliminated, so I’m just a bemused observer at this point), but there is a lot of uncertainty regarding the 2011 season. The CBA (collective bargaining agreement) expires in early March and the owners don’t think the existing structure is good for them. Of course, at the other end of the table, the players want their fair share of the unbelievable revenues generated by the NFL. Fair is the key word here. Each has their own definition of fair. So there is a lot of posturing on both ends. Everyone wants to be the alpha male. Each says the other side wants a lockout. Lots of disinformation is flying back and forth, all to sway the fans to support one side or the other. The spin doctors are working overtime. Sounds like a presidential election, come to think of it. Personally, it’s hard to feel bad for either side. The owners are billionaires and the NFL is a cash machine. The players are very well compensated for playing a game.
And millions of fans dutifully buy season tickets, watch games, and buy merchandise. In fact, my Matt Ryan jersey arrived yesterday. Just in time! Frackin’ snow storm. So I’ll be pissed if there is any kind of lockout. All of these 7 and 8 figure alpha males just need to get over themselves and remember it’s because of us fans that they get to do anything. These guys forget we have alternatives. I can tell you college football will become a lot more popular if there is some kind of NFL work stoppage. SEC football is pretty OK, even if you don’t have an alma mater to go bonkers over. The NCAA should move games to Sunday if the NFL doesn’t play. Seems the owners believe that if they delay or cancel the season, all the fans will wait breathlessly for their return. I know this is a game of high stakes poker, but it seems there is a lot of short-term thinking here. With billions of dollars being generated, it’s unbelievable that you can’t structure a win-win situation for all involved. Gosh, am I thinking rationally here? Must be time to take the clear, or is today a cream day? A good ‘roid rage will do wonders for my outlook on the situation. And anyway, I need my full alpha male posture on come RSA time…

-Mike

Photo credits: “Bad Posture” originally uploaded by bartmaguire

Vote for Me. I’ll buy you a beer.

There is still time to vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. Help out a brother with a vote.

Incite 4 U

The Lazy Man’s Guide to Success: Mike Dahn has a treatise called Leverage, where he calls for a number of tactics to increase your effectiveness in the next year. Things like delegation, networking, and turning cost centers into revenue opportunities. Interesting stuff.
What do all of these ideas have in common? They allow you to be lazy. If you can get someone else to do your work for you, why wouldn’t you? I’d love to delegate all the stuff I’m supposed to do. I’d like to turn my cost centers into revenue centers. I like the idea of leverage. Because I’d much rather be reading NFL news all day than actually doing work. Who wouldn’t? But I shouldn’t joke too much because Mike has a point here. Unless your goals are too low, you will need help to get there. So think about it from that perspective. – MR

Someone needs a fact checker: I understand that press releases are a fact of life. While they all sound exactly the same, some of them provide a valuable nugget of information mixed in with all the masturbatory self-congratulations for signing up yet another small school district as a customer. After the obligatory FUD, that is. For example, today I received, “In the wake of increasing levels of data breaches, accidental data losses and incidents of user’s privacy being compromised, the Online Trust Alliance (OTA) is set to release its 2011 Data Breach Incident Readiness Guide in time for Data Privacy Day (Jan. 28th)”. Which is funny, as most sources like the Open Security Foundation DataLossDB and our own 2010 Data Security Survey show a relative decline in reported breaches. Maybe there are more breaches and privacy leaks, but it isn’t like they have numbers to prove it. – RM

The Recognized Leader: I am the leader in a new ‘market’. I just found this out after having read the press release on Nice Systems’ new product to reduce financial risk associated with PCI-DSS. Apparently they provide live redaction of call


Fighting the Good Fight

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against insurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done. We in the security world seem to forget that all the time. Today started like most other days. I checked my email. I looked at my Twitter feed and, surprisingly enough, a bunch of folks were bitching about PCI and stupid assessors and all sorts of other negativity. Pretty much like every other day. I shut down my Twitter client and thought a bit about why I do what I do, even though it seems to make no difference most days. It’s because it’s the good fight and the mere fact that it’s hard doesn’t mean we shouldn’t continue pressing forward. Rich summed it up very well a few weeks ago in his Get Over It post. Human nature isn’t going to change. So we’ll always be swimming upstream. Deal with it. Or find something else to do. And to be clear, what we do isn’t hard. Fighting for civil rights is hard. Overcoming oppression and abject poverty and terrible disease is hard. Always keep that in mind. Always. The Boss is constantly telling me there is no grey in my world. Right. Wrong. Nothing in between. And pushing to educate our kids about what they should and should not do online is right. Pushing to help our organizations understand the risks of all their business plans is right. Trying to get senior management to appreciate security, even though it makes their jobs harder at times, is right. Doing nothing is wrong. If you are reading this blog, then you are likely very fortunate. With resources and education and opportunities that billions of people in this world don’t have. So yes, what we do is hard. But it’s not that hard.
On this day, where the US celebrates one of its true giants, a man who gave everything for what he thought was right, take a few minutes and re-dedicate yourself to fighting the good fight. Because it’s the right thing to do.

Image credit: “Martin Luther King, Jr.” originally uploaded by U.S. Embassy New Delhi


The 2011 Securosis Disaster Recovery Breakfast

The RSA Conference is just around the corner, and you know what that means. Pain. Pain in your head, and likely a sick feeling in your stomach. All induced by an inability to restrain your consumption when surrounded by oodles of fellow security geeks and free drinks. You know what? We’re here for you. Once again, with the help of our friends at ThreatPost and Schwartz Communications, we will be holding our Disaster Recovery Breakfast to cure what ales ya (or ails you, but I think my version is more accurate). This year the breakfast will be Thursday morning from 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We’ll have food, beverages, and assorted recovery items to ease your day (non-prescription only). No marketing, no spin, just a quiet place to relax and have muddled conversations. It sure beats trying to scream at the person next to you at some corporate party with pounding music and, for the most part, a bunch of other dudes. Invite is below. To help us estimate numbers please RSVP to rsvp@securosis.com.


Friday Summary, January 14, 2011

Apparently I got out of New York just in time. The entire eastern seaboard got “Snowmageddon II, the Blanketing” a few hours after I left. Despite a four-legged return flight, I did actually make it back to Phoenix. And Phoenix was just about the only place in the US where it was not snowing, as I heard there was snow in 48 states simultaneously. I was in NYC for the National Retail Federation’s 100th anniversary show. It was my first. I was happy to be invited, as my wife and her family have been in retail for decades, and I was eager to speak at a retail show. And this was the retail show. I have listened to my family about retail security for 20 years, and it used to be that their only security challenge was shrinkage. Now they face just about every security problem imaginable, as they leverage technology in every facet of operations. Supply chain, RFID, POS, BI systems, CRM, inventory management, and web interfaces are all at risk. On the panel were Robert McMillion of RSA and Peter Engert of Rooms to Go. We were worried about filling an hour and a half slot, and doubly anxious about whether anyone would show up to talk about security on a Sunday morning. But the turnout was excellent, with a little over 150 people, and we ended up running long. Peter provided a pragmatic view of security challenges in retail, and Robert provided a survey of security technologies retail merchants should consider. It was no surprise that most of the questions from the audience were on tokenization and removal of credit cards. I get the feeling that every merchant who can get rid of credit cards – those who have tied the credit card numbers to their database primary keys – will explore tokenization. Oddly enough, I ended up talking with tons of people at the hotel and its bar, more than I did at the conference itself. People were happy to be there. I guess they were there for the entire week of the show, and very chatty.
Lots of marketing people interested in talking about security, which surprised me. And they had heard about tokenization and wanted to know more. My prodding questions about POS and card swipe readers – basically: when will you upgrade them so they are actually secure – fell on deaf ears. Win some, lose some, but I think it’s healthy that data security is a topic of interest in the retail space. One last note: as you can probably tell, the number of blog entries is down this week. That’s because we are working on the Cloud Security Alliance Training Course. And fitting both the stuff you need to know and the stuff you need to pass the certification test into one day is quite a challenge. Like all things Securosis, we are applying our transparent research model to this effort as well! So we ask that you please provide feedback or ask questions about any content that does not make sense. I advise against asking for answers to the certification test – Rich will give you some. The wrong ones, but you’ll get them. Regardless, we’ll post the outlines over the next few days. Check it out! On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Adrian’s DR post on Vodafone’s breach.
  • Rich quoted in the Wall Street Journal.
  • Adrian at the National Retail Federation Show, telling the audience they suck at security. Did I say that?
  • Mike, talkin’ to Shimmy about Dell, brand damage, and the Security Bloggers meet-up.

Favorite Securosis Posts

  • Rich: The Data Breach Triangle. We didn’t push out a lot of content this week so I’m highlighting an older post. In line with Gunnar’s post on where we spend, I find it interesting that the vast majority of our security spending focuses on ingress… which in many ways is the toughest problem to solve.
  • Mike Rothman: What do you want to see in the first CSA Training Course? Yes, we have a murderers’ row of trainers. And you should go. But first tell us what needs to be in the training…
  • David Mortman: What Do You Want to See in the First Cloud Security Alliance Training Course?
  • Gunnar Peterson: What Do You Want to See in the First Cloud Security Alliance Training Course? Sensing a theme here?
  • Adrian Lane: Mobile Device Security: 5 Tactics to Protect Those Buggers.

Other Securosis Posts

  • Funding Security and Playing God.
  • Incite 1/12/2011: Trapped.

Favorite Outside Posts

  • Rich: Gunnar’s back of the envelope. Okay, I almost didn’t pick this one because I wish he wrote it for us. But although the numbers aren’t perfect, it’s hard to argue with the conclusion.
  • Mike Rothman: Top 10 Things Your Log Management Vendor Won’t Tell You. Clearly there is a difference between what you hear from a vendor and what they mean. This explains it (sort of)…
  • David Mortman: Incomplete Thought: Why Security Doesn’t Scale… Yet. Damn you @Beaker! I had a section on this very need in the upcoming CSA training. And, of course, you said it far better…
  • Adrian Lane: Can’t decide between this simple explanation of the different types of cloud databases, and this pragmatic look at cloud threats.
  • Gunnar Peterson: Application Security Conundrum by Jeremiah Grossman, with honorable mention to The Virtues of Monitoring.

Project Quant Posts

  • NSO Quant: Index of Posts.
  • NSO Quant: Health Metrics–Device Health.
  • NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
  • NSO Quant: Manage Metrics–Deploy and Audit/Validate.
  • NSO Quant: Manage Metrics–Process Change Request and Test/Approve.

Research Reports and Presentations

  • The Securosis 2010 Data Security Survey.
  • Monitoring up the Stack: Adding Value to SIEM.
  • Network Security Operations Quant Metrics Model.
  • Network Security Operations Quant Report.
  • Understanding and Selecting a DLP Solution.
  • White Paper: Understanding and Selecting an Enterprise Firewall.
  • Understanding and Selecting a Tokenization Solution.

Top News and Posts

  • China CERT: We Missed Report On SCADA Hole.
  • SAP buying SECUDE.
  • TSA Worker Gets 2 Years for Planting


Funding Security and Playing God

I was reading shrdlu’s post on Connecting the risk dots over on the Layer 8 blog. I thought the point of contention was how to measure cost savings. Going back and reading the comments, that’s not it at all. “we can still show favorable cost reduction by spotting problems and fixing early.” You have to PROVE it’s a problem first … This is why “fixing it now vs fixing it sooner” is a flawed argument. The premise is that you MUST fix, and that’s what executives aren’t buying. We have to make the logic work better. She’s right. Executives are not buying in, but that’s because they don’t want to. They don’t want to comply with SOX or pay their taxes either, but they do it anyway. If your executives don’t want to pay for security testing, use a judo move and tell them you agree; but the next time the company builds software, do it without QA. Tell your management team that they have to PROVE there is a problem first. Seriously. I call this the “quality architect conundrum”. It’s so named because a certain CEO (who shall remain nameless) raised this same argument every time I tried to hire an architect who made more than minimum wage. My argument was “This person is better, and we are going to get better code, a better product, and happier customers. So he is worth the additional salary.” He would say “Prove it.” Uh, yeah. You can’t win this argument, so don’t head down that path. Follow my reasoning for a moment. For this scenario I play God. And as God, I know that the two architectural candidates for software design are both capable of completing the project I need done. But I also know that during the course of the development process, Architect A will make two mistakes, and Architect B will make 8. They are both going to make mistakes, but how many and how badly will vary. Some mistakes will be fixed in design, some will be spotted and addressed during coding, and some will be found during QA. 
One will probably be with us forever because we did not see the limitation early enough and we’ll be stuck. So as God I know which architect would get the job done with fewer problems, resulting in less work and less time wasted. But then again, I’m God. You’re not. You can’t prove one choice will cause fewer problems before they occur. What we discover, being God or otherwise, is that from design through the release cycles a) there will be bugs, and b) there will be security issues. Sorry, it’s not optional. If you have to prove that there is a problem so you can fund security you are already toast. You build it in as a requirement. Do we really need to prove Deming was right again? It has been demonstrated many times, with quantifiable metrics, that finding issues earlier in the product development cycle reduces costs to the organization at large. I have demonstrated, within my own development teams, that fixing a bug found by a customer is an order of magnitude more expensive than finding and fixing it in house. While I have seen diminishing returns on some types of security testing investments, and some investments work out better than others, I found no discernible difference in the cost of security bugs vs. those having to do with quality or reliability. Failing deliberately, in order to justify action later, is still failure.


What Do You Want to See in the First Cloud Security Alliance Training Course?

It leaked a bit over Twitter, but we are pretty excited that we hooked up with the Cloud Security Alliance to develop their first training courses. Better yet, we’re allowed to talk about it and solicit your input. We are currently building two courses for the CSA to support their Cloud Computing Security Knowledge (CCSK) certification (both of which will be licensed out to training organizations). The first is a one day CCSK Enhanced class which we will be delivering the Sunday before RSA. This includes the basics of cloud computing security, aligned with the CSA Guidance and ENISA Risk documents, plus some hands-on practice and material beyond the basics. The second class is the CCSK Review, which will be a 3-hour course optimized for online delivery and to prep you for the CCSK exam. We don’t want to merely teach to the book, so we are structuring the course to cover all the material in a way that makes more sense for training. Here is our current module outline with the person responsible and their Twitter handle in case you want to send them ideas:

  • Introduction and Cloud Architectures. (Domain 1; Mike Rothman; @securityincite)
  • Creating and securing a public cloud instance. (Domains 7 & 8; David Mortman; @mortman)
  • Securing public cloud data. (Domains 5 & 11; Adrian Lane; @adrianlane)
  • Securing cloud users and applications. (Domains 10 & 12; Gunnar Peterson; @oneraindrop)
  • Managing cloud computing security and risk. (Domains 6 & 9 and parts of 2, 3, & 4; James Arlen; @myrcurial)
  • Creating and securing a private cloud. (Domain 13; Dave Lewis; @gattaca)

The entire class is being built around a fictional case study to provide context and structure, especially for the hands-on portions. We are looking at:

  • Set up instances on AWS and/or RackSpace with a basic CMS stack (probably on EC2 free, with Joomla).
  • Set basic instance security.
  • Encrypt cloud data (possibly the free demo of the Trend EBS encryption service).
  • Something with federation/OAuth.
  • Risk/threat modeling exercise.
  • Set up a private cloud (vCloud or Eucalyptus).

Keep in mind this is a one-day class so these will be very scripted and quick – there’s only so much we can cover. I will start pushing out some of the module outlines in our Complete feed (our Highlights RSS feed still has everything due to a platform bug – you only need to know that if you visit the site). We can’t put everything out there since this is a commercial class, but here’s your chance to influence the training. Also remember that we are deep into the project already with a very tight deadline to deliver the pilot class at RSA. Thanks


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, the handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast, or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, at the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited to a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and to provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3-day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.