Securosis

Network Security Podcast: Episode 80

Once again Martin and I recorded late enough in the day that I could enjoy a fine beer during the taping (Moose Drool this week). I also need to shout out to Paul and Larry of Pauldotcom Security Weekly; based on their advice I picked up a WRTSL54GS for some wireless access point hacking. Too bad I bricked it… by opening the box. Needless to say that one is on its way back to the online store, and a new one is headed to me. I’ve been working on this pet project of mine for a year and really hope this is the right box to get the job done. Also, congrats to Martin on re-entering the world of the gainfully employed. He starts with Trustwave on Tuesday.

Show Notes:

Microsoft AutoRuns

PGP Flaw not really a flaw at all
  Securosis: Slashdot bias and much ado about nothing PGP encryption issue
  Slashdot: Undocumented bypass in PGP whole disk encryption
  Securology: PGP whole disk encryption – barely acknowledged intentional bypass

Retailers vs. PCI
  Securosis: Retailers b*tch slap PCI Security Standards Council
  Techtarget: National Retail Federation takes aim at PCI DSS Council
  SC Magazine: Retail Lobby offers alternative to PCI standards
  Network Security Blog: Merchants mad about credit card retention

iPhone Jailbreak (missed the link on this one)
  Suit against Apple for bricking iPhones

Six ticks to Midnight: One plausible journey from here to a total surveillance society (Tech Liberation Front)

OnStar to stop support

RSA Speaking on Security interviews Shon Harris, and I get a mention too.

CIO.com: Hacker Economics 1: Malware as a service

Tonight’s Music: The Moon is Full by Albert Collins, Johnny Copeland and Robert Cray

Network Security Podcast, Episode 80, October 9, 2007
Time: 46:51


Everything You Need To Know About Security And Risk Is In This Post (Humor)

Meerkat Manor, via the Guerilla CISO. Here’s an excerpt:

09 October 2007: Dear diary, I drew sentry duty for the third day this week. I know it’s my solemn duty to protect the clan, but my risk assessment has determined that, although a predator is a high-impact event, it is a low rate-of-occurrence activity and so I think a better use of my time is in foraging for stray eggs. Besides, if the predators come and eat us all, it’s not like I’ll have to face the Meerkat Manor Board of Directors.

10 October 2007: Dear diary, I grow tired of the incessant looking for predators. I mean, why do us meerkats focus exclusively on detective controls which use up to 15% of our available manpower when we could just as easily reduce the sentries to 5% of our efforts and put in place corrective controls such as trap holes and punji sticks to reduce the threats to our home? The true cost savings is that the effort for corrective controls is a one-time installation where sentry duty is a recurring bill. Didn’t the alpha-pair learn anything in their Masters in Meerkat Administration classes?

11 October 2007: Dear diary, today I instituted a metrics program to gauge the effectiveness of our sentry program and to determine if we are getting the best level of risk for the time that we are investing. So far, I’ve made a bar chart to analyze the total number of predator alerts versus the total number of predator intrusions. I think I have a business case to slowly reduce the ratio of sentries to foragers during the day.


The Five Problems With Data Classification, And Introduction To Practical Data Classification

Data classification is one of the most essential tools of data security. It enables us to leverage business priorities into technical and physical controls over the management and protection of data. Applying data security controls without data classification is like trying to protect a pile of cash in an open field filled with piles of leaves by air dropping concrete barricades from 10,000 feet. At night.

It’s also hard. Really hard. So hard that outside of a few companies in a few industries, mostly financial services, energy production, military/intelligence, and some manufacturing, I’m not sure I’ve ever seen someone with a useful and effective classification program. I’ve talked with hundreds, possibly thousands, of organizations struggling with data classification. Some give up, others blow wads of cash on consultants that don’t really give them what they want, and others have a well documented, detailed program that everyone ignores.

Data classification is so hard because it is both non-intuitive and instinctive. Instinctive in that we all innately classify everything we see. From people, to movies, to enterprise data, we humans are judgmental classification machines. We classify as good vs. bad, threat vs. non-threat, important vs. irrelevant. Non-intuitive because in an organization we’re asked to classify not based on our instincts, but based on policies designed by someone else. Thus the first problem with data classification isn’t that we can’t classify, it’s that we always classify. We just classify based on our instincts, not a piece of paper on a shelf. When they differ, our instincts win.

The second problem with data classification is that we overlay it onto business process, rather than building it in. Classification becomes a task outside of the processes we engage in to complete our job; it’s an “add on” that slows us down, and is simple to ignore.

The third problem with data classification is that we fail to provide employees with the tools to get the job done. It’s not only manual and non-intuitive, but we don’t provide the technical tools needed to even make it meaningful. Quarterly assessments in a spreadsheet aren’t very useful.

The fourth problem with data classification is that it’s static. We tend to classify data at the time of creation or based on where it’s stored, but that’s never revised based on changing use and business context. Data’s sensitivity varies greatly over its lifecycle and based on how it’s being used; few data classification systems account for this.

The fifth, and final, problem with data classification is that it’s usually too complicated. The classification scheme and process itself is even less intuitive than asking someone to classify against their instincts. We use terms like “sensitive but unclassified” that have little meaning outside the world of the military/government.

But that doesn’t mean all hope is lost. As I mentioned before, there are places where data classification works well, mostly because they’ve adapted it for their specific environment. The military does a good job of overcoming these obstacles- data classification is built into the culture, which redefines native instincts to include enterprise priorities. It’s baked into the process of handling information and essential to business (yes, the military is a business) processes. Technology systems are specifically designed and chosen due to their suitability to handle classified data. No, it’s not perfect, but it does work.

That doesn’t mean that military classification works in private enterprise. It doesn’t. It fails. Badly. Which is unfortunate, because that’s how all the books tell you to do it. Over the next two posts I’ll suggest something I call Practical Data Classification. It’s designed to provide organizations an effective model that integrates with existing enterprise practices and culture, while still providing value. It’s not for you military or financial types that already do this well; consider it data classification for the rest of us.


Product Happenings: Guardium, SafeBoot, Palo Alto, and Vontu

Despite my departure from the analyst world, thanks to the blog some of the vendors out there are still keeping me updated on their products. I also still have to track big swaths of the market to support my consulting work. While I don’t intend for this blog to just spew PR dribble, I do see some cool stuff every now and then that’s worth mentioning.

Disclaimer: I do not currently have a business relationship with any of the vendors/products in today’s post, but based on the nature of my business I do work with vendors and often have discussions about potential projects. I will disclose these relationships when I can, and while I strive to remain objective no matter who I work with, you should never go buy something just because I said it was cool. Do the research, get balanced opinions, trust no one. I’m not endorsing these products over their competitors, just highlighting some interesting advances, and you’ll probably see competing products pop up in other posts over time.

Here are a few things that have caught my eye:

First up is SafeBoot, just acquired by McAfee. Overall I think the acquisition is positive, but there’s really no reason to consolidate whole drive encryption with endpoint DLP. File-level encryption linked to DLP is more interesting, but also very challenging, and I suspect at least a couple years out for McAfee other than some basic content like Social Security Numbers. It’s wait and see on this one, but SafeBoot stands up on its own.

Next is Guardium, who just updated their product for the mainframe. Guardium briefed me last Friday on this and I meant to get something up earlier. This is a really smart move, especially since they partnered with Nuon Neon who sells to the mainframe buying center. They can now offer full database monitoring (including SELECT queries) on the mainframe outside of network sniffing (which misses certain kinds of connections). Why you care? Now you have an independent way to enforce separation of duties on mainframe administrators without interfering with how they work or affecting performance. And you can integrate the policies for alerts, and the logs, with all your other database monitoring. I think I was more excited about this one than the guys giving me the briefing- it’s one of these “small but big” markets.

An industry contact I work with pointed me towards Palo Alto Networks and I had a brief conversation with them about a month ago. Basically, they parse and secure network traffic based on the application, not just port and protocol. This is a big problem for things like DLP solutions that don’t really like it (or work as well) when they have to figure out which application is tunneling over port 80 this week. I think these guys have a lot of partnership opportunities down the road.

Last up today is Vontu, who just released version 8. The news here is increasing their endpoint capabilities to start blocking, and integration with document management systems. This release isn’t notable for any new world-changing feature, but because most of the work was on the back end and increasing the capabilities of the product line. DLP is settling down a bit and focusing on maturing, rather than land-grabbing with hyped up features. I’ve had some other DLP briefings lately and I’m seeing this focus on maturing the platforms across the board; moving from start-ups to mature products is some seriously hard work. Blocking activity on the endpoint is a big deal and it’s nice to see Vontu add it (a few competitors also have their own flavor of it, so it’s not unique).

That’s it for now. I probably won’t do these more than once a month or so, and I’ll only include any updates that seem interesting to me either because they are innovative or because they show an industry trend. I’m happy to take briefings from just about anyone, but that by no means guarantees a mention on the blog.

Now back to the absolutely thrilling world of data classification…


Practical Data Classification: Type 1, The Hasty Classification

In over thirteen years with mountain rescue and five years as a ski patroller I participated in countless search and avalanche drills, and a fair number of real incidents. Search in the real world, as in the computing world, is difficult due to the need to balance performance with thoroughness. In a rescue situation you need to find the victim as quickly as possible; a thorough search has a higher Probability of Detection (POD), but takes longer. Assuming you’re looking for a live victim, this time can mean the difference between a rescue and a recovery.

Since detailed searches also take time to gather resources (searchers), most searches/rescues start with what’s called a hasty. A hasty search is light and fast- you send out a smaller, faster team to scour the area for obvious clues. The probability of detection is low, but you don’t need a 50 person team with full gear to find a half-buried skier in an obvious tree well in the middle of a deposition zone (where all the snow ends up after an avalanche). I’ve been on a bunch of hasty teams in real-world searches (no avalanches) and would guess that we found the victim before the big search was launched somewhere around 20-30% of the time. A hasty is effective because it’s designed to maximize speed while finding anything obvious in critical situations.

We can adapt the principle of the hasty for data classification. Many classification programs fail because they attempt to solve the entire problem while taking too long to protect the critical assets. In a hasty classification program you focus on a single critical data type and roll out classification enterprise wide. Rather than overwhelming users with a massive program, focus on one kind of data that’s clearly critical in a very focused program to protect it. It’s a baby step to protect a critical asset while slowly changing user habits.

Data Classification Type 1: Hasty Classification

The short version:

1. Pick one critical type of data. I suggest credit card numbers, Social Security Numbers, or something similar.
2. Have business units tell you where they use it and store it.
3. Issue security policies for how that data needs to be secured.
4. Work with units to secure the systems. Security helps the business units secure the data, while audit plays the enforcement role. This makes security the good guys.
5. Keep it updated with ongoing audits and regular “compliance” reporting of where and how data is used and stored.

Same process, with more details:

1. Design your basic classifications. I suggest no more than 3-4, and use plain English. For example, “Sensitive/Internal/Public”. If you deal with personally identifiable information (PII) that can be a separate classification, and call it PII, NPI, HIPAA, or whatever term your industry uses.
2. Pick one type of critical data that is easy to recognize. I highly recommend PII- credit card numbers, Social Security Numbers, or something similar.
3. Get executive approval/support- this has to come from as high as possible. If you can’t get it, and you care about security, update your resume. Beating your head against a wall is painful and only annoys the wall and anyone within earshot.
4. Issue a memo requiring everyone to identify any business process or IT system that contains this data within 30/60/90 days.
5. Collect results. While collecting the results, finalize security standards for how this data is to be used, stored, and secured. This includes who is allowed to access it (based on business unit/role), approved business processes (billing only, or billing/CRM, etc.), approved applications/systems (be specific), where it can be stored (specific systems and paper repositories), and any security requirements. Security requirements should be templates and standards with specific, approved configurations: which software, which patch level, which configuration settings, how systems communicate, and so on. If you can’t do this yourself, just point to open standards like those at cisecurity.org.
6. Issue the security standards. Require business units to bring systems into compliance within a specific time frame, or get an approved exception.
7. IT Security works with business units to bring systems/processes into compliance. They work with the business and do not play an enforcement role. If exceptions are requested, they must figure out how to secure the data for that business need, and the business will be required to adopt needed alternative security controls for that business process.
8. After the time period to bring systems into compliance expires, the audit group begins random audits of business units to ensure reporting accuracy and that systems are in compliance with corporate standards.
9. Business units periodically report (rolling schedule) on any changes in use or storage of the now-classified data.
10. Security continuously evaluates security standards, issues changes where needed, and helps business units keep the data secure.
11. Audit plays the enforcement role of looking for exceptions.

I know some of you are sitting there going, “This is the easy way? I’d hate to see the hard way!” The hasty classification is really an entire data classification program, but focused on one single kind of easily identified data. When you think about it, you’re just picking that critical data, figuring out where it is, helping secure it, and using audit to make sure you’re doing what you think you’re doing. When I discuss this with people I prefer to lay out all the steps in detail, but most of you will adapt it to suit your own environment. The key is to keep it simple, pick one data type to start, and separate between those securing the data, and those verifying that the data is secure.

In our next post on this topic we’ll talk about how to grow this into a complete program. I’m even working on pretty pictures!


Encryption: The Maginot Line of Data Security

History is a funny thing. It’s amazing that what many children see in early schooling as a boring collection of facts is neither boring nor factual. On a good day we might get some dates correct, but there isn’t a “fact” in history that isn’t open to interpretation. This is as it should be; think about all the factors that went into a major life decision- say a marriage or picking your college. Now distill everything involved in that decision into a paragraph, stick it in a drawer for a couple decades, pull it out, and see if it still matches your memories and accurately reflects the situation. If you don’t have a few decades to spare, the answer is, “it doesn’t.”

The main problems with history are actually those we see in computer science- bandwidth, compression, indexing, and search. We can’t possibly collect and store all the bandwidth of human interaction, so we drop into “sampling mode” and further compress it for long-term storage. We then rely on imperfect indexing to organize the data, and flawed search protocols to find what we need. We don’t collect everything, lose large amounts of data in compression, poorly index it, and rely on primitive search tools. No wonder history is open to interpretation.

Take the Maginot Line. And encryption.

For those of you who aren’t military history buffs, the Maginot Line was a series of interlocking defenses, sometimes 25 kilometers deep, that the French built after WWI to keep the Germans out. In popular security culture the term is often used as an analogy to describe a misguided investment designed to fight the last war that’s easily circumvented. In marketing films of the time the Maginot Line was promoted as being an invincible defense for France. A folly painfully realized when the German invasion succeeded in only a month. A metaphor for a failure of hubris.

Reality is, of course, open to interpretation. Another interpretation of the Maginot Line is that it completely succeeded in its defined task, preventing a frontal assault along the Franco-German border. The Maginot Line held, but the other defensive layers- the Ardennes and the French Army along the Belgian border- failed. The Maginot Line was designed for a mission it effectively met, but other design flaws in the defense in depth of France led to the German occupation.

Which brings us to encryption. The first version of the PCI Data Security Standard called encryption “the ultimate data security technology”. Wrong. Encryption is a powerful technology, but probably the most-misunderstood in the context of what it provides for data security. With the McAfee acquisition of SafeBoot for $350M, encryption is in the headlines again. A while ago I wrote the Three Laws of Data Encryption to help users get the most value out of encryption.

I really do think of encryption as the Maginot Line of data security. It’s powerful, nigh invincible, if used correctly, but easily circumvented if your other security controls aren’t properly designed. For example, if you have a large application connected to a large database full of encrypted credit card numbers, and that application is subject to SQL injection, odds are your encryption is worthless: the application holds the key and decrypts whatever the injected query returns. Laptop encryption protects you from stolen laptops, but is useless against malicious software running in the context of the user.

As I keep walking through the Data Security Lifecycle you’ll see a lot of posts on encryption; it’s a fundamental technology for protecting content. But when big companies start throwing around hundreds of millions of dollars I think it’s an opportune time to step back and remind ourselves of the problem we’re trying to solve, and how the different parts of the solution fit together. If we want a real-world example we need to look no further than TJX. Rumor has it that cardholder data was encrypted, but the attackers sniffed an unencrypted portion of the communications to perform transactions. The encryption worked perfectly, but the breach still succeeded.
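The SQL injection case above, as an added example that is not code from the original post: a toy keystream transform stands in for real at-rest encryption (constructed for illustration only, not a secure cipher), and the `cards` table, `lookup_vulnerable` and `lookup_safe` are assumed names. The database file alone yields only ciphertext, but the application decrypts every row a query returns, so a string-built query hands the attacker plaintext; the parameterized version binds the input as data and returns nothing for the same input.

```python
import hashlib
import sqlite3

# Toy keystream XOR standing in for real at-rest encryption (constructed for the
# example; it is NOT a secure cipher). The point is only that the application
# holds the key and decrypts transparently for whoever drives the query.
KEY = b"demo-key-for-illustration"


def toy_encrypt(plaintext: str) -> str:
    stream = hashlib.sha256(KEY).digest()
    data = plaintext.encode()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data)).hex()


def toy_decrypt(ciphertext_hex: str) -> str:
    stream = hashlib.sha256(KEY).digest()
    data = bytes.fromhex(ciphertext_hex)
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data)).decode()


def build_db() -> sqlite3.Connection:
    """Constructed sample table: two customers, card numbers stored encrypted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, card_enc TEXT)")
    for customer, pan in [("alice", "4111111111111111"), ("bob", "5500000000000004")]:
        conn.execute("INSERT INTO cards VALUES (?, ?)", (customer, toy_encrypt(pan)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """String-built query: the input becomes part of the SQL text, and the
    application obligingly decrypts every row the resulting query returns."""
    sql = f"SELECT card_enc FROM cards WHERE customer = '{customer}'"
    return sorted(toy_decrypt(row[0]) for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT card_enc FROM cards WHERE customer = ?", (customer,))
    return sorted(toy_decrypt(row[0]) for row in rows)


def raw_storage(conn: sqlite3.Connection) -> list:
    """What someone with only the database file sees: ciphertext, no key."""
    return [row[0] for row in conn.execute("SELECT card_enc FROM cards")]


if __name__ == "__main__":
    db = build_db()
    print("at rest:", raw_storage(db))
    print("alice via vulnerable lookup:", lookup_vulnerable(db, "alice"))
    print("tautology via vulnerable lookup:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("tautology via safe lookup:", lookup_safe(db, "x' OR '1'='1"))
```

The encryption "works" in both lookups; the difference is entirely in the application-layer control in front of it, which is the Maginot Line point.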


Some Answers for Jeremiah: Website Vulnerabilities

Jeremiah posted these questions on dealing with website vulnerabilities. Here are my quick answers (I have to run- sorry for the lack of links, but you can Google the examples):

“Let’s assume a company is informed of a SQLi or XSS vulnerability in their website (I know, shocker) either privately or via public disclosure on sla.ckers.org. And that vulnerability potentially places private personal information (PPI) or intellectual property at risk of compromise. My questions are:”

1) Is the company “legally” obligated to fix the issue or can they just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.

Definitely no for intellectual property. Definitely no for SOX- SOX says you’re free to make as many dumb mistakes and lose as much money as you want, as long as you report it accurately. Other laws are a toss-up, but generally there is no obligation unless there is evidence that a breach occurred. For PCI-DSS you have to remediate or document compensating controls for any network vulnerabilities at the time of your audit (and this expands to applications with 1.1), but there is no definitive requirement for immediate remediation. California AB1950 is the big question mark in this area and I’m unsure on enforcement mechanisms. The regulations are very unclear and unhelpful here, and it’s quite likely a company can accept the risk. But if a breach occurs, they may be held negligent. Take a look at the PetCo case where the FTC mandated a security program after a breach, and Microsoft/MSN. The companies were held liable for losing customer data, but not because of any of the usual regulations. There is almost no case law that I’m aware of.

2) What if repairs require a significant time/money investment? Is there a resolution grace period, does the company have to install compensating controls, or must they shut down the website while repairs are made?

No. Most regulations only require breach notification or remediation of flaws discovered through auditing. Reasonable person theory probably applies if there is a breach with losses and it goes to court. I’ve read all of the regulations- none mention a specific time period.

3) Should an incident occur exploiting the aforementioned vulnerability, does the company bear any additional legal liability?

They may carry liability due to negligence. See the cases I mentioned above.

4) If the company’s website is PCI-DSS certified, is the website still considered certified after the point of disclosure given what the web application security sections dictate?

Unknown, because there are no public cases that I can find. I believe you remain certified until the next audit. In the case of CardSystems, they were PCI certified when the breach occurred and immediately re-audited and de-certified following public disclosure of the breach. That’s one problem with PCI-DSS- it’s very audit-reliant and changes between audits don’t directly affect certification.

5) Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action for certifying a non-compliant website? What happens if this becomes a pattern?

No known cases of disciplinary action, but an audit insider might know of one. Disciplinary action will most likely only take place if the audit failed to follow best practices and a large breach occurs, or if there is (as you mention) a pattern. None of this is formalized to my knowledge.

I’ve spent a lot of time researching and discussing all the various data protection and breach disclosure regulations. Organizations generally only face potential liability if they either falsify documentation for auditing or certification, or suffer a breach and are later shown to be negligent. I am unaware of legal enforcement mechanisms if there is a known vulnerability, but no definitively unapproved disclosure of information. This is an inherent risk of audit-based approaches to data protection.


Understanding and Selecting a DLP Solution: Part 5, Data-In-Use (Endpoint) Technical Architecture

Welcome to Part 5 of our series on DLP/CMF/CMP; look here for: Part 1, Part 2, Part 3, and Part 4.

I like to describe the evolution of the DLP/CMF market as a series of questions a CEO/CIO asks the CISO/SGIC (Security Guy In Charge). It runs something like this:

1. Hey, are we leaking any of this sensitive data out over the Internet? (Network Monitoring)
2. Oh. Wow. Can you stop that? (Network Filtering)
3. Where did all of that come from in the first place? (Content Discovery)

This is pretty much how the market evolved in terms of product capabilities, and it often represents how users deploy the products- monitoring, filtering, then discovery. But there’s another question that typically comes next:

4. Hey, what about our laptops when people are at home and those USB things?

DLP usually starts on the network because that’s the most cost-effective way to get the broadest coverage. Network monitoring is non-intrusive (unless you have to crack SSL) and offers visibility to any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult, but again fairly straightforward on the network (especially for email) and covers all systems connected to the network. But it’s clear this isn’t a complete solution; it doesn’t protect data when someone walks out the door with it on a laptop, and can’t even prevent people from copying data to portable storage like USB drives. To move from a “leak prevention” solution to a “content protection” solution, products need to expand not only to stored data, but to the endpoints where data is used.

Note: although there have been large advancements in endpoint DLP, I still don’t recommend endpoint-only solutions for most users. As we’ll discuss, they normally require you to compromise on the number and types of policies that can be enforced, offer limited email integration, and offer no protection for unmanaged systems. Long term, you’ll need both network and endpoint capabilities, and most of the leading network solutions are adding (or already offer) at least some endpoint protection.

Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content, but to potentially protect systems no longer on the network or even protect data as it’s being actively used. While extremely powerful, it has been very problematic to implement. Agents need to perform within the resource constraints of a standard desktop while maintaining content awareness. This can be problematic if you have large policies such as, “protect all 10 million credit card numbers from our database”, as opposed to something simpler like, “protect any credit card number”, which will give you a false positive every time an employee visits Amazon.com.

Existing products vary widely in functionality, but we can break out three key capabilities:

1. Monitoring and enforcement within the network stack: This allows enforcement of network rules without a network appliance. It should be able to enforce both the same rules as if the system were on the managed network, and separate rules designed only for enforcement when on unmanaged networks.
2. Monitoring and enforcement within the system kernel: By plugging directly into the operating system kernel you can monitor user activity, such as cutting and pasting sensitive content. This also allows you to potentially detect (and enforce) policy violations when the user is taking sensitive content and attempting to hide it from detection, perhaps by encrypting it or modifying source documents.
3. Monitoring and enforcement within the file system: This allows monitoring and enforcement of where data is stored. For example, you could restrict transfer of sensitive content to unencrypted USB devices.

I’ve simplified the options, and most early products are focusing on 1 and 3; this solves the portable storage problem and protects devices on unmanaged networks. System/kernel integration is much more complex and there are a variety of approaches to gaining this functionality.

Over time, I think this will evolve into a few key use cases:

- Enforcing network rules off the managed network, or modifying rules for more-hostile networks.
- Restricting sensitive content from portable storage, including USB drives, CD/DVD drives, home storage, and devices like smartphones and PDAs.
- Restricting cut and paste of sensitive content.
- Restricting applications allowed to use sensitive content- e.g., only allowing encryption with an approved enterprise solution, not tools downloaded online that don’t allow enterprise data recovery.
- Integration with Enterprise Digital Rights Management to automatically apply access control to documents based on the included content.
- Auditing use of sensitive content for compliance reporting.

Outside of content analysis and technical integration, an endpoint DLP tool should also have the following capabilities:

- Be centrally managed by the same DLP management server that controls data-in-motion and data-at-rest (network and discovery).
- Policy creation and management should be fully integrated with other DLP policies in a single interface.
- Incidents should be reported to, and managed by, the central management server.
- Rules (policies) should adjust based on where the endpoint is located (on or off the network). If the endpoint is on the managed network with gateway DLP, redundant local rules should be ignored to improve performance.
- Agent deployment should integrate with existing enterprise software deployment tools.
- Policy updates should offer options for secure management via the DLP management server, or existing enterprise software update tools.
- The endpoint DLP agent should use the same content analysis techniques as the network servers/appliances.

In short, you ideally want an endpoint DLP solution with all the content analysis techniques offered by the rest of the product line, fully integrated into the management server, with consistent policies and workflow. Realistically the performance and storage limitations of the endpoint will restrict the types of content analysis supported and the number and type of policies that are enforced locally. For some enterprises this might not matter, depending on the kinds of policies you’d like to enforce, but in many cases you’ll need to make serious tradeoffs when designing data-in-use policies. Endpoint enforcement is the least mature capability in the DLP/CMF/CMP market but it’s an essential part
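The two policy styles contrasted above ("protect any credit card number" versus "protect the numbers from our database") and the location-aware rule selection, as an added example that is not code from the original post or from any DLP product. Everything here is constructed: `ENTERPRISE_CARDS` stands in for the enterprise's own database (shipped to the agent as hashes, not as numbers), and `evaluate` is an assumed agent entry point. The pattern policy (regex plus Luhn check) fires on any well-formed number, including a shopping-site test number that is not the enterprise's, which is the false-positive case the text describes; the exact-data policy only fires on the enterprise's own numbers but needs a lookup set that grows with the database. Network egress on the managed network is deferred to the gateway, as the capability list recommends.

```python
import hashlib
import re

# Candidate card numbers: 13-19 digits with optional single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed stand-in for "all the card numbers in our database". A real agent
# would receive only the hashes; the plaintext list is here so the example runs.
ENTERPRISE_CARDS = ["4111111111111111", "5500000000000004"]
_ENTERPRISE_HASHES = {hashlib.sha256(c.encode()).hexdigest() for c in ENTERPRISE_CARDS}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the same test card issuers apply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pattern_matches(text: str) -> list:
    """Pattern policy ("protect any credit card number"): regex plus Luhn.
    Cheap to run, but fires on any well-formed number, not just ours."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_exact_matches(text: str) -> list:
    """Exact-data policy ("protect the numbers in our database"): hash each
    candidate and look it up. Precise, but the lookup set scales with the data."""
    return [d for d in find_pattern_matches(text)
            if hashlib.sha256(d.encode()).hexdigest() in _ENTERPRISE_HASHES]


def evaluate(text: str, destination: str, on_managed_network: bool) -> tuple:
    """Assumed agent decision point. destination is "network" or "usb";
    returns (action, matched numbers)."""
    if destination == "network" and on_managed_network:
        # Gateway DLP already inspects this traffic; skip the redundant local rule.
        return ("defer_to_gateway", [])
    exact = find_exact_matches(text)
    if exact:
        return ("block", exact)          # high confidence: it is our data
    candidates = find_pattern_matches(text)
    if candidates:
        return ("alert", candidates)     # lower confidence: could be a shopping site
    return ("allow", [])


if __name__ == "__main__":
    # Constructed clipboard contents: one of our numbers plus a well-formed
    # number that is not ours (the Amazon.com false-positive case).
    clipboard = "cust 4111 1111 1111 1111; order ref 4242424242424242"
    for dest, managed in [("usb", True), ("network", True), ("network", False)]:
        print(dest, "managed" if managed else "unmanaged", evaluate(clipboard, dest, managed))
```

The memory tradeoff the post describes is visible in `_ENTERPRISE_HASHES`: with two entries it is free, with ten million it is the reason endpoint agents often cannot carry the same policies as the network appliance.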


Retailers B*tch Slap PCI Security Standards Council, If You Believe Them

From Bill Brenner at TechTarget (who never calls anymore now that I’m independent- where’s the love?). From the letter, written by NRF Chief Information Officer David Hogan: “All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. With this letter, we are officially putting the credit card industry on notice. Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.” The letter notes that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all. This is an exceptionally great idea. I’ve been covering PCI since the start and never realized that one of the reasons retailers were keeping card numbers was because of the credit card companies themselves. I’m not fully convinced they really mean it. I’ve worked with hundreds of retailers of all sizes over the years, and many keep card numbers for reasons other than the credit card company requirements. Most of their systems are built on using card numbers as customer identifiers, and removing them is a monumental task (one that some forward-looking retailers are actually starting). Retailers often use card numbers to validate purchases and perform refunds. Not that they have to, but I wonder how many are really willing to make this change? I’ve long thought that the PCI program was designed more to reduce the risks of the credit card companies than to protect consumers. 
There are many other ways we could improve credit card security aside from PCI, such as greater use of smart cards and PIN-based transactions. Fortunately, even badly motivated actions can have positive effects, and I think PCI is clearly improving retail security. PCI, and credit card company practices, really push as much liability on the retailers and issuing banks as possible. Retailers are challenging them on multiple fronts, especially transaction fees. This is the kind of challenge I like to see- eliminating stored card numbers would remove a huge risk (but not all risk, since the bad guys can still attack on a transaction basis), reduce compliance costs, and simplify infrastructures. We traditionally talk about four ways to respond to risk- transfer, avoid, accept, mitigate. As a martial artist, I have to admit I prefer avoiding a punch to blocking it, getting hit, or having someone else take it on the chin for me.


Slashdot Bias And Much Ado About Nothing (PGP Encryption Issue)

I’m sitting here working out of the library (it’s closer to the bars for happy hour), when a headline on Slashdot catches my eye: Undocumented Bypass in PGP Whole Disk Encryption: “PGP Corporation’s widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality.” OMG!!!! WTF!!!! Evil backdoors in PGP!!!! Say it ain’t so!!!! Oh, wait a moment. It’s just the temp bypass feature that every single enterprise-class whole disk encryption product on the market supports. I love Slashdot, it’s one of the only sources I read religiously, but on occasion the hype/bias gets to me a little. The CTO of PGP responded well, and I’ll add my outsider’s support. Full disk encryption is a must-have for laptops, but it does come with a bit of a cost. When you encrypt the system, the entire OS is encrypted and you need a thin operating system to boot when you turn on the PC, have the user authenticate, then decrypt and load the primary operating system. Works pretty well, except it interferes with some management tasks like restoring backups and remote updates. Thus all the encryption companies have a feature that allows you to turn off authentication for a single boot- when you need to install an update and reboot, the user logs the system in, updates are pushed down and installed, the system reboots without the user logging in, and the bypass flag is cleared for the next boot.
Otherwise the user would have to sit in front of their machine and enter their password on every reboot cycle. Sure, that would be more secure, but much less manageable- and the risk of data leaking at just the right moment is pretty small. A few vendors, notably Credant, don’t encrypt the entire drive to deal with this problem, but I don’t consider this issue significant enough to discount whole disk encryption solutions like PGP, CheckPoint/Pointsec, Utimaco, etc. This isn’t a back door or a poorly thought out design feature- it’s a reasonable trade-off of risk to solve a well-known management problem. PGP kind of pisses me off sometimes, but I have to support them on this one. Here’s PGP’s documentation. In short, yes- it’s a security risk, but it’s a manageable risk and not significant enough to warrant the hype. Especially since you can disable (or simply not use) the feature in high-security situations.
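The single-boot bypass lifecycle the post describes, as an added example model (not PGP’s code or design, and the method names are hypothetical): management arms a one-shot flag, the pre-boot environment skips the passphrase exactly once and clears it, every step is audited, and a site policy can refuse to arm it at all, which is the “disable the feature” option for high-security machines.

```python
"""One-shot pre-boot authentication bypass model (added example, hypothetical)."""
from dataclasses import dataclass, field


@dataclass
class PreBootState:
    bypass_allowed: bool = True      # site policy: is the feature enabled at all?
    bypass_armed: bool = False       # one-shot flag set by management tooling
    audit: list = field(default_factory=list)

    def arm_bypass(self, admin: str) -> bool:
        """Management tool requests one unattended reboot (e.g. for patching)."""
        if not self.bypass_allowed:
            self.audit.append(f"deny arm by {admin}: bypass disabled by policy")
            return False
        self.bypass_armed = True
        self.audit.append(f"armed single-boot bypass by {admin}")
        return True

    def boot(self, passphrase_ok) -> str:
        """Return 'unlocked' or 'locked'; passphrase_ok() stands in for the prompt."""
        if self.bypass_armed:
            # Risk window: whoever powers the machine on now gets in without a
            # passphrase. The flag is consumed so the next boot prompts again.
            self.bypass_armed = False
            self.audit.append("boot: bypass consumed, passphrase skipped")
            return "unlocked"
        ok = passphrase_ok()
        self.audit.append(f"boot: passphrase {'accepted' if ok else 'rejected'}")
        return "unlocked" if ok else "locked"


def patch_cycle(state: PreBootState) -> list:
    """Arm, reboot unattended, then reboot again; returns both boot outcomes."""
    state.arm_bypass("patch-server")
    first = state.boot(lambda: False)    # nobody at the keyboard, no passphrase
    second = state.boot(lambda: False)   # flag already cleared: stays locked
    return [first, second]


if __name__ == "__main__":
    s = PreBootState()
    print(patch_cycle(s))                # ['unlocked', 'locked']
    print("\n".join(s.audit))
```

The second boot staying locked is the property to verify on a real product: the bypass must be single-use, and the audit trail should show who armed it and when it was consumed.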


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.