Research

Securosis has expanded. Just got an email from Rich: “Say hello to Riley Marie Mogull. 6lbs 15oz. Sharon made it without meds- she’s my hero” Rich, on the other hand, needed sedation. Help me congratulate Rich and Sharon on the arrival of their first child! Share:

It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around. On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems. On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news. I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands! Rolling into the weekend I am focused on the positive, so here it is, the week in review: Favorite Securosis Posts: Rich: A Very Revealing Statement by the PCI Council. Adrian: Thinking positive, Netezza buying Tizor is good for all parties. Favorite Outside Posts: Adrian: SEC Investigating the Heartland breach. Rich: Microsoft confirms Zero-Day. Top News and Posts: PCI Council announced ranked security and milestones Top Ten Web Hacking Techniques 2008, now official! More happy news: Flowers for Pirate Bay Witness’ Wife. Fuzzing for Fun & Profit on CGISecurity. Kindle 2 looks awesome. Comments here and here. Why we have spring training: Adobe “swings and misses” with PDF vuln. Virtualization: Disruptive Technologies and Security In GM’s continuing effort to go out of business no matter how much money is thrown at them: it also wanted to account for a possible tilt toward sales of bigger vehicles if gas prices remained at current levels in coming years.” Wow. With leadership like that, who needs enemies. Blog Comment of the Week: Allen Barronov on Will This Be The Next PCI Requirement Addition: If you are putting money down I’ll take you up on it let me just get some poor sucker’s credit card details in case I lose. On a serious note: DLP is very reactive. One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal. Proactive is to analyse the entire PCI process from start to end and secure it accordingly. A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function – there may be pain but the gadgets still get made/gathered/fixed/etc. A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA). I really like DLP but it is not a cure for bad network design. I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips. “You know what else everyone likes? Parfaits.” Donkey in Shrek. Now, I am off for some more stealth photography. Share:

I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It’s a great idea- instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones. Now before I get to the fun part, I want to quote myself from one of my posts on PCI: Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process. Now on to the fun (emphasis added by moi): Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says. What a load of shit. With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability of assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work. You could also nominate me for the PCI Council Board of Advisors. I’m sure that would be all sorts of fun. Seriously – we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements. Share:

While both Rich and I predicted this would happen, I admit I am still slightly surprised: Netezza has acquired Tizor for $3.1M in cash. Netezza press release here, and While I do not see a press release issued from either vendor xconomy has the story here. Surprising in the sense that I would not have expected a data warehousing vendor to acquire a database monitoring & auditing company. My guess is it’s the auto-discovery features that most interest them. But like many companies that provide data management and analysis, Netezza may be finding that their customers are asking for security and even compliance facilities around the data they manage. In that case, this move could really pay off. I am certain that they were hoping for more, but $3M in cash is a pretty good return for their investors given the current market conditions and competitiveness in the DAM market. While it is my personal opinion, I have never considered the Tizor technology a class leading product. It took them a very long time to adapt the network monitoring appliance into a competitive product that met market demand. Their audit offering was not endorsed by companies I know who have evaluated the technology. They had some smart people over there, but like many of the DAM competitors, they have struggled to understand the customer buying center and have lacked the laser focus vision of some of the vendors like Guardium have demonstrated . But they have made consistent upgrades to the product and the auto-discovery option last year was a very smart move. All in all, Netezza is getting value, and the Tizor investors about $3M more than they would have gotten a few months from now. I have to admit that my timing of these events has been wrong … I thought that this transaction would have happened at/by the end of last year, and I am waiting for more still. But the DAM vendors who are not profitable have a huge problem that move to quickly and you kill your value. Move too slowly and you are out of business. Sometimes the due diligence process takes a while. Check back later as I will update the post as I hear more, of if Rich weighs in on this subject. Share:

Just ran across this article on workers “stealing company data” on the BBC news web site. The story is based upon a recent Ponemon study (who else?) of former employees and the likelihood they will steal company information. It turns out that most of those polled will in fact take something with them. The Ponemon numbers are not surprising as this tracks closely with traditional forms of employee theft across most industries. What got me shaking my head was the sheer quantity of FUD being thrown out with the raw data. A “surging wave” of activity? You bet there is! And it tightly corresponds to the number of layoffs. I am guessing when I say that the point Kevin Rowney of Vontu Symantec was trying to make is companies do very little to protect information from insiders, especially during layoffs. But the author make it sound as if insider theft is bringing about the collapse of western civilization. What I don’t believe we can do here is try to justify security spending by saying “Look at these losses in revenue! They are staggering! Were getting killed by insider theft!” These companies are in trouble to begin with, which is why they are laying people off. Ex-employees may be taking information because their accounts are still active, or they may have left with it at the time they were fired. But just because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales. And the capability for ex-employees to do this, especially in this economy, is probably going down, not up. The employee who has backup tapes in their closet may dream about “sticking it” to their former employer, but odds are high that the information they employee has will never result in the company suffering damages. Heck, they would actually have to land a new job before that could happen. I know some HR reps who probably envision their ex-emplyees contacting their underground ‘connections’ to sell of backup tapes, but how many employees do you really think can carry this off? You think they are going to sell it on eBay? Call a competitor? We have seen how that turns out. No use, no loss. “I had a very strong work ethic. The problem was my ethics in work.” There is also a huge double standard here, where most companies propagate the very activity they decry. When I worked at a brokerage, it was one of our biggest fears that an employee would steal one of our “books of business”, taking it to another brokerage, and when I first learned about the difficulties in protecting data from insiders and enforcing proper use. On the flip side, it was expected every broker that interviewed had their own “book of business”. If they didn’t, they were ‘losers’ or some other expletive right out of Glengarry Glenn Ross. Having existing relationships that could immediately bring in clients to the organization was on eof the top 5 considerations for employment. Most salesmen, attorneys, financiers and executives are considered not just for the skills they possess, but the relationships they have, and the knowledge they bring to the position. That knowledge is typically in their heads, rolodexes and their iPhone. I am not saying that they did not have paper or electronic backups as well, as 15% of the respondents admitted they did. My point is companies cry foul that they are the the victims of insider theft, but in reality they fired or laid off an employee, and that employee took a job with a competitor. I have trouble calling that an insider attack. Share:

Had a very interesting call today with a client in the pharma research space. They would like to protect clinical study data as it moves to researcher’s computers, but are struggling with the best approach. On the call, I quickly realized that DLP, or a content tracking tool like Verdasys (who also does endpoint DLP) would be ideal. The only problem? They need Windows, Mac, and Linux support. I couldn’t remember offhand of any DLP/tracking tool (or even DRM) that will work on all 3 platforms. This is an open call for you vendors to hit me up if you can help. For you end users, where we ended up was with a few potential approaches: Switch to a remote virtual/hosted desktop for handling the sensitive data… such as Citrix or VMWare. Use Database Activity Monitoring to track who pulls the data. Endpoint encryption to protect the data from loss, but it won’t help when it’s moved to inappropriate locations. Network DLP to track it in email, but without the endpoint coverage it leaves a really big hole. Content discovery to keep some minimal tracking where it ends up (for managed systems), but that means opening up SMB/CIFS file sharing on the endpoint for admin access, which is in itself a security risk. Distributed encryption, which *does* have cross platform support, but still doesn’t stop the researcher from putting the data someplace it shouldn’t be, which is their main concern. While this is one of those industries (research) with higher Mac/cross platform use than the average business, this is clearly a growing problem thanks to the consumerization of IT. This situation also highlights how no single-channel solution can really protect data well. It’s the mix of network, endpoint, and discovery that really allows you to reduce risk without killing business process. Share:

A month or so I go I was invited by Jeremiah Grossman to help judge the Top 10 Web Hacking Techniques of 2008 (my fellow judges were Hoff, H D Moore, and Jeff Forristal). The judging ended up being quite a bit harder than I expected- some of the hacks I was thinking of were from 2007, and there were a ton of new ones I managed to miss despite all the conference sessions and blog reading. Of the 70 submissions, I probably only remembered a dozen or so… leading to hours of research, with a few nuggets I would have missed otherwise. I was honored to participate, and you can see the results over here at Jeremiah’s blog. Share:

< div class=”wiki_entry”> Last Friday Adrian sent me an IM that he was just about finished with the Friday summary. The conversation went sort of like this: Me: I thought it was my turn? Adrian: It is. I just have a lot to say. It’s hard to argue with logic like that. This is a very strange week here at Securosis Central. My wife was due to deliver our first kid a few days ago, and we feel like we’re now living (and especially sleeping) on borrowed time. It’s funny how procreation is the most fundamental act of any biological creature, yet when it happens to you it’s, like, the biggest thing ever! Sure, our parents, most of our siblings, and a good chunk of our friends have already been through this particular rite of passage, but I think it’s one of those things you can never understand until you go through it, no matter how much crappy advice other people give you or books you read. Just like pretty much everything else in life. I suppose I could use this as a metaphor to the first time you suffer a security breach or something, but it’s Friday and I’ll spare you my over-pontification. Besides, there’s all sorts of juicy stuff going on out there in the security world, and far be it from me to waste you time with random drivel when I already do that the other 6 days of the week. Especially since you need to go disable Javascript in Adobe Acrobat. Onto the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: Brian Krebs joined us on the Network Security Podcast. Favorite Securosis Posts: Rich: I love posts that stir debate, and A Small, Necessary Change for National Cybersecurity sure did the job. Adrian: Database Configuration Assessment Options. Favorite Outside Posts: Adrian: Rothman nails it this week with I’m a HIPAA, Hear Me Roar. Rich: Amrit on How Cloud, Virtualization, and Mobile Computing Impact Endpoint Management in the Enterprise. I almost think he might be being a little conservative on his time estimates. Top News and Posts: Kaminsky supports DNSSEC. His full slides are here. No, he’s not happy about it. Is there a major breach hiding out there? There is a major Adobe Acrobat exploit. Disable Javascript now. Verizon is implementing spam blocking. Nice, since they are one of the worst offenders and all. Sendio (email security) lands $3M. Glad we didn’t call that market dead. Microsoft sued over XP downgrade costs. Next, they’ll be sued for using the color blue in their logo. (Note to self- call lawyer). Much goodness at Black Hat DC. Too much to cover with individual links. Metasploit turns attack back on attackers. Stupid n00bs. Blog Comment of the Week: Sharon on New Database Configuration Assessment Options IMO mValent should be compared with CMDB solutions. They created a compliance story which in those days (PCI) resonates well. You probably know this as well as I (now I”m just giving myself some credit ) but database vulnerability assessment should go beyond the task of reporting configuration options and which patches are applied. While those tasks are very important I do see the benefits of looking for actual vulnerabilities. I do not see how Oracle will be able to develop (or buy), sell and support a product that can identify security vulnerabilities in its own products. Having said that, I am sure that many additional customers would look and evaluate mValent. The CMDB giants (HP, IBM and CA) should expect more competitive pressure. Share:

I’m almost willing to bet money on this one… Due to the nature of the recent breaches, such as Hannaford, where data was exfiltrated over the network, I highly suspect we will see outbound monitoring and/or filtering in the next revision of the PCI DSS. For more details on what I mean, refer back to this post. Consider this your first warning. Share:

I loved being a firefighter. In what other job do you get to speed around running red lights, chops someone’s door down with an axe, pull down their ceiling, rip down their walls, cut holes in their roof with a chainsaw, soak everything they own with water, and then have them stop by the office a few days later to give you the cookies they baked for you. Now, if you try and do any of those things when you’re off duty and the house isn’t on fire, you tend to go to jail. But on duty and on fire? The police will arrest the homeowner if they get in your way. Society has long accepted that there are times when the public interest outweighs even the most fundamental private rights. Thus I think it is long past time we applied this principle to cybersecurity and authorized appropriate intervention in support of national (and international) security. One of the major problems we have in cybersecurity today is that the vulnerabilities of the many are the vulnerabilities of everyone. All those little unpatched home systems out there are the digital equivalent of burning houses in crowded neighborhoods. Actually, it’s probably closer to a mosquito-infested pool an owner neglects to maintain. Whatever analogy you want to use, in all cases it’s something that, if it were the physical world, someone would come to legally take care of, even if the owner tried to stop them. But we know of multiple cases on the Internet where private researchers (and likely government agencies) have identified botnets or other compromised systems being used for active attack, yet due to legal fears they can’t go and clean the systems. Even when they know they have control of the botnet and can erase it and harden the host, they legally can’t. Our only option seems to be individually informing ISPs, which may or may not take action, depending on their awareness and subscriber agreements. Here’s what I propose. We alter the law and empower an existing law enforcement agency to proactively clean or isolate compromised systems. This agency will be mandated to work with private organizations who can aid in their mission. Like anything related to the government, it needs specific budget, staff, and authority that can’t be siphoned off for other needs. When a university or other private researcher discovers some botnet they can shut down and clean out, this law enforcement agency can review and authorize action. Everyone involved is shielded from being sued short of gross negligence. The same agency will also be empowered to work with international (and national) ISPs to take down malicious hosting and service providers (legally, of course). Again, this specific mission must be mandated and budgeted, or it won’t work. Right now the bad guys operate with impunity, and law enforcement is woefully underfunded and undermandated for this particular mission. By engaging with the private sector and dedicating resources to the problem, we can make life a heck of a lot harder for the bad guys. Rather than just trying to catch them, we devote as much or more effort to shutting them down. Call me an idealist. (I don’t have any digital pics from firefighting days, so that’s a more-recent hazmat photo. The banda a is to keep sweat out of my eyes; it’s not a daily fashion choice). Share: