<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Far Advanced Relentless Threats Fouling up Corporate Environments (#FARTsec)</title><description>2011-04-01 16:42:59 - fudsec.com : Rabbit-rabbit, folks, on this 1st day of the month. Just when many of you thought it was safe to go back into the water... Just when you thought nothing could be worse than APT... think again. Wade Baker followed his nose and unearthed something even more silent - even more deadly. This is the Press Release "they" didn't want you to see. by Wade Baker (@wadebaker) Advanced Persistent Threats (APTs) garnered a huge amount of attention within the security community in 2010. Reports of sophisticated attacks against high-profile organizations provided ample fuel, and the fear of APTs spread like wildfire. Many expressed a sense of hopelessness against this new foe. Trade secrets were lost. Reputations damaged. White-knuckled fear and frustration ensued. But that was last year, and there is no relief for the afflicted, no rest for the weary. 2011 brings with it a foul wind of another, even more advanced, and vastly more persistent threat into our midst. These vile agents known as Far Advanced Relentless Threats have quickly become an assault to the senses, permeating corporate environments with ease. Intelligence and research analyst Wade Baker laments, "the worst part about this new threat is that the data on their origins, behaviors, and motives is so scarce. Security hinges on knowing our enemy, but that's impossible with Far Advanced Relentless Threats. They rise up from the bowels of who-knows-where and hit you like a ton of bricks so fast it can take your breath away." When asked about whether the analyst community is looking into this situation, industry analyst Josh Corman answers, "Absolutely. As soon as the news broke wind of this new threat, we stuck our noses out to see what we could learn. It didn't take long to catch a whiff of Far Advanced Relentless Threats affecting our own ranks. They hit Andrew Hay bad one day last week; it was nasty and it's going to take some time to recover." Researchers are, at least, trying to better understand how they work. "Those who incorporate JavaBeans into their applications seem particularly vulnerable," says application security specialist Jeremiah Grossman. "Far Advanced Relentless Threats typically follow an attack pattern that results in a sudden and violent buffer overflow condition. Being on the receiving end of that kind of force really stinks." According to industry expert Christofer Hoff, one of the aspects of Far Advanced Relentless Threats that makes them so invasive is their ability to spread rapidly via the cloud. "They're extremely efficient," he says. "They are highly scalable, deploy quickly, and can also dissipate swiftly as though they were never there. By then, of course, the damage has already been done. And don't even get me started on what this will mean for cropdusting and cloudbursting." "Some Far Advanced Relentless Threats trumpet their presence loudly, but it's the silent ones that are truly deadly," claims forensic investigator Andrew Valentine. "In most circumstances they leave no lasting evidence, and studying those rare logs that are left behind hasn't yielded much useful information regarding the identity and/or origin of these threats." Because of their stealthy tactics, some believe Far Advanced Relentless Threats are a bunch of hot air. But those who have experienced their awful reality first-hand know better. "It can really damage your reputation," says Alex Hutton, "and that awful stain may never wash away. When that happens, you might as well just go home; there's no showing your face again in public after that." Not everyone is ready to surrender and go home, however. Chris Porter has put together a special unit known as the Far Advanced Relentless Threat Emergency Response Squad. "We can't keep holding back and silently letting things go. It's not the time to be timid; it's go time. We're gonna drop some bombs," he says pointedly and confidently. Happy April 1st! Be sure to use the #FARTsec hash when referring to this new threat.</description><link>http://www.secuobs.com/revue/news/295696.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295696.shtml</guid></item>
<item><title>FUD-Kick 'Em While They're Down</title><description>Secuobs.com : 2011-03-25 15:15:20 - fudsec.com - By Bob Rudis (@hrbrmstr) By now, most infosec folk have digested, opined on and come to loathe the EMC (RSA) SecurID breach story that broke on March 17. Their 8-K filing contains both the open (public) letter as well as the initial guidance provided to customers on steps they should take to ensure the CIA of their SecurID infrastructure. EMC released additional information on March 22, but no official communication has gone into any real detail as to the specific vectors of the attack save for a singular line: "Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT)." Despite that vague speculation ("led us to believe" is not "we confidently know") on the part of EMC, it seems that there are at least two vendors who know exactly what APT-style was used and how they can stop it. The problem is that they seem to disagree on which APT it was. Vendor #1 --------- For various reasons, I had to redact portions of this particular communication. I can attest to the authenticity of the e-mail, but you could argue that makes me about as trustworthy as a Comodo SSL certificate. Their e-mail came soon after the breach announcement, hence me putting them first. Here is what they claim to know happened to EMC: [view image] You can read the full, redacted e-mail at your leisure. Thankfully, we already use their technology, so I can be confident I'm fully protected against the EMC-felling APT. (HTML6 really needs a  tag.) Vendor #2 --------- Just as I was feeling smugly safe all weekend, I awoke to the following in e-mail today (as did many others): [view image] I hadn't even had one ounce of caffeine yet, but was forced into immediately questioning my security posture and whether or not I was truly protected from these "APTs". Given the intensity of their message, these folks must have the inside scoop: [view image] Quite the differing views on what happened and where I need to focus my protection efforts. Which one should I believe? Who Protects Us From The Protectors? ------------------------------------ Both vendors called out in this post seized on the opportunity to feast on the wounded carcass of a competitor who is a huge player in the IT security / compliance sector. Neither has helped me effectively communicate the real threat(s) to my stakeholders and neither has given me anything tangible to put into a roadmap for my security program. Even EMC itself caused a significant amount of churn in many organizations and has done its own share of spreading Fear, Uncertainty and Doubt due to the sheer lack of information from their breach. I am fully aware of how difficult the situation is for EMC and the fine line they need to walk in this situation. However, fueling the APT FUD machine was unnecessary and has only encouraged more speculation in the infosec community and seems to have brought out the worst in some other companies in this sector. We need to make it clear to vendors that we won't stand for opportunistic scare tactics like this, and we also need to continue to foster a community of sharing and open discourse between each other to keep the FUD under control.</description><link>http://www.secuobs.com/revue/news/294186.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294186.shtml</guid></item>
<item><title>The Wikileaks bandwagon rolls into town</title><description>Secuobs.com : 2010-12-11 01:57:08 - fudsec.com - As unlikely as it would be for the Wikileaks phenomenon to be uttered in proximity of FUD, our returning champion Chris Swan felt compelled to speak on the matter. Let's hope he doesn't get us DDoS'd. Wait, DDoS attacks are just FUD, right? We've lost track. by Chris Swan (@cpswan) Firstly, this isn't a post about the rights or wrongs of Wikileaks itself. That's been covered elsewhere in a more serious, thoughtful and funny way than I could ever do myself. This is about Wikileaks being the new mother lode of FUD. It's becoming the centre of the stories that security vendors tell customers to keep them scared at night. I'm not going to link to the guilty. We all know who they are, and I could never be comprehensive enough. It would be like having just a few hundred examples out of a quarter of a million. We could point and laugh at one culprit without realising that an even more egregious example is just around the corner. What I have to say here has its genesis in Andrew McAfee's post a few days ago, "Did WikiLeaks' 'Cablegate' Result From Too Much Information Sharing?" This is a problematic question, and seems to put information sharing (which is key to running a business or government) at odds with security (which is key to running a business or government)... what to do? I made some comments on the post, which are worth repeating here: The problem here wasn't classification. The material was correctly classified, and processed on the right systems. The problem here wasn't clearance. Whoever did this almost certainly needed access to material of this protective marking. As you rightly point out, the problem isn't about sharing. The intelligence community (and military at large) have got better at sharing, and need to continue. The problem is aggregation. This is a well known problem in the military security community, and one that has changed dramatically in the digital era. It's bad enough if you have an entire aircraft, ship or tank filled with sensitive material on paper fall into enemy hands, but as we see here that's nothing compared to what you can get onto a thumb drive. The massive fail appears to be that the monitoring systems didn't ring alarm bells when somebody was bulk downloading massive quantities of data. Quantities of data that couldn't possibly have been read by an individual (or even a large unit). This should be the focus of the fire drill that's surely going on right now. This isn't about horses or stable doors, this is about somebody driving a virtual semi-trailer out the gate and nobody noticing. I've since had time to reflect on those comments. I now very much doubt that the material was correctly classified. A lot of it is marked SECRET, and it's worth having a quick reminder of its definition: "Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Arguably "serious damage" hasn't (yet) been caused, and hence QED the documents were incorrectly classified. It's also worth mentioning here that the US seems to be stuck in an old world system of "classification" where others (such as the UK) have moved on to a more refined concept of "protective marking". In that system there's a sub category for "Impact on foreign relations", and at business impact level 3 we find "Cause embarrassment to Diplomatic relations", which is where we seem to find ourselves. Pointing the finger at aggregation is perhaps an oversimplification. Schneier is right that it's really an access control issue - at least to the extent that you don't get an inappropriate aggregation if you have the right access control. It would appear that the issue with SIPRNet is that there's no effective compartmentalisation of material (as there would be on systems holding TOP SECRET material). Of course we see this issue in business too. Cleared to see ≠ need to know, and there's often a specific need for compartmentalisation to create ethical boundaries (or their more politically incorrect cousins, Chinese firewalls). It's at this point that the FUD toting security industry bandwagon rolls into town and says "my product/service can solve these (access control) issues". We'll be seeing a lot of DLP/ERM/IRM vendors doing this over the coming weeks and months. More so if Wikileaks move on from government to big business, as has been threatened. The problem is that this is total BS. I wrote some years ago about "the wrongs of enterprise rights management" and spent a great deal of time socialising the issues with security vendors. Largely those issues have been ignored, and the vendors have continued to peddle solutions that are just as broken now as they were then. That's because these are hard problems. Problems that require business commitment and human input. Problems that can't be solved by a technology silver bullet. Of course the technology could get better at helping us with the organisational and people issues here, but it's not a magic wand. Perhaps some of the solutions out there could have helped with what happened on SIPRNet by creating workable compartmentalisation overlays, observing anomalous access patterns or preventing exfiltration. But that would be a question of scope and scale, and "cablegate" may be unique in that. The real problem here is that there's nothing technology can do about an authorised insider turning rogue and leaking a single critical piece of information, and that's what we're likely to see next - single smoking guns that cause real harm to businesses (and likely an ethical car crash for added PR impact). The FUDmeisters might claim that they can sell the solution to these problems, but I fear they can only solve much simpler issues.</description><link>http://www.secuobs.com/revue/news/271009.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271009.shtml</guid></item>
<item><title>Buyer Beware on SSL Certificates</title><description>Secuobs.com : 2010-11-05 19:25:24 - fudsec.com - This post comes from Peter Hesse. Peter knows a thing or two about SSL Certificates. With apologies, Peter submitted this a while ago. The recent FireSheep hoopla triggered the SSL thought, which triggered this unrelated post by Peter Hesse (@pmhesse). Earlier this week, a phone call from a friend drove me to write this on twitter: "Wow, SSL Certificates are really a ginormous scam." I then received a few followup messages on twitter, and ended up responding to an SSL vendor by email, which in turn inspired me to write this post. As background, I have worked in/around public key infrastructure (PKI) for nearly my entire professional career. My first software development job was working on a certification authority reference model for NIST in 1996. So, I know a thing or two about SSL certificates. For example, I know they cost far less to create and maintain than SSL vendors typically charge. There is no additional burden on the issuer between the different levels of certificates; the costs of hardware, hosting, audit, etc. are very similar between the types of certificates (perhaps excluding extended validation or EV certificates). I can understand charging more based on the speed of issuance of the certificate, and the quality and depth of the validation performed to ensure the requestor works for the organization whose name will appear in the certificate. After all, you can usually only pick two of "faster, cheaper, better". SSL certificate issuers are free to charge what they think people are willing to pay for certificates rather than trying to relate it to the actual cost of creation and management. That is their right, and it is my right to call them out when I feel the prices are ridiculous. The "scam" of SSL certificates these days is that the sales representatives are being trained to use fear, uncertainty, and doubt to scare people into buying more expensive certificates than they need. The following is from a friend relaying his exchange with an SSL vendor: "Sales rep stated our current certificate is hackable because it can go down to 40bit, explained that this makes us vulnerable. I argued 'I only allow 128-bit at the server', and he said 'yes, but since your cert is only 40 bit it can still be compromised; you need a server gated cryptography certificate'." If you know what you are doing (security wise) you will block all weak cryptographic ciphers at your web server. This may prevent older browsers from being able to connect to your site, but will ensure the cryptographic strength is always high. The sales representative was trying to scare my friend into thinking this wouldn't do the trick, which is patently false. The following link gives some good reasons why SGC certificates are a bad idea and don't solve the weak encryption problem. Even the wikipedia entry for SGC calls SGC certificates "obsolete" (and no, I didn't just go edit that entry to say that... as far as you know, anyway. *evil-arched-eyebrows*). The sales representative also continued the discussion to try and convince my friend that one certificate wasn't enough. In discussing his configuration, he revealed he has many back-end servers which all sit behind an SSL-offloading load balancing proxy. The sales representative tried to convince him that he would now need to buy a certificate for each of the back-end servers to afford him the best protection. So instead of needing one or two certificates, my friend was going to need twenty! Yes, I think we all know that defense in depth is important and he should indeed use SSL between his proxy and the back-end servers. Paying $50-$1500 each for browser-trusted SSL certificates on the back end is just a flat-out waste of money. Self-signed certificates, or certificates generated by an in-house PKI, would provide at least the same level of security at a far reduced cost. So, there you have it. Make sure you know what you need before you try to buy an SSL certificate. The sales representatives are willing and able to charge you whatever they can scare you into believing you need.</description><link>http://www.secuobs.com/revue/news/262774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/262774.shtml</guid></item>
<item><title>Cyber War and the Value of FUD</title><description>Secuobs.com : 2010-09-20 22:04:19 - fudsec.com - Now repeat poster, Ben, was chomping at the bit to share his thoughts on (brace yourself) Cyber War. Further, he wanted it introduced with some AC/DC lyrics from "Thunderstruck". We at least thought we could go with "Let's have a war" by Fear (or A Perfect Circle) instead. Someone should update it for "Let's have a (cyber) war" sometime. With some level of protest, have at it: I was caught / In the middle of a railroad track (Thunder) / And I knew there was no turning back (Thunder) / My mind raced / And I thought what could I do (Thunder) / And I knew / There was no help, no help from you (Thunder) / Sound of the drums / Beatin' in my heart / The thunder of guns / Tore me apart / You've been - thunderstruck. by Ben Tomhave (@falconsview) I've been reading Richard Clarke's latest book, Cyber War, recently in an effort to delve deeper into the topic. Maybe it's been all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD. The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor. What I wonder is this: just how much data and control must we lose before we stand up and start taking action? How many proprietary designs, plans, formulas, etc., must be compromised? How many SCADA systems have to be pwnd? Is it really going to take a massive blackout before energy company execs wake up and smell the ozone? Clarke asserts that foreign assets already have embedded attack tools (logic bombs) into many, if not all, critical infrastructures. We've not done an adequate job of supply chain management, so consider that his assertion may, in fact, be fact-based and plausible. Now add factual assertions that massive research databases (academic, government, and corporate) have been copied wholesale by these same foreign assets. Accept this as fact, if you will, and not as FUD. How does this change your perspective on the topic? The Case For FUD Taking the previous examples as fact (as an example here - we can debate the depth of pwnage, but I think we can all agree that there are serious concerns here), there may be a valid case for FUDtastic scenarios like the ones Clarke uses in his book. The "digital Pearl Harbor" example of yore is nothing. He puts an interesting spin on it: what if there is reasonable upside to a foreign power to take down our critical infrastructure in a single, well-coordinated attack? What if our assumption of a "cold war" styled standoff (based largely on a belief in economic interdependency) isn't actually valid? If anybody has attended Black Hat and DEFCON, then they should know definitively just how good the breakers are these days, and just how behind the curve most organizations really are. Pulling out a book like Clarke's can help drive home this point in a wonderfully FUDerific manner: "If you don't fix things NOW, then you will lose everything!" Or so it might go in your head. After all, there's nothing like a healthy dose of fear to motivate people. Or does it really work that way? The Case Against FUD There are a couple deficiencies with using FUD to make an argument. Excessive and continuous use of FUD can elevate the message to a state of background noise. It can also hurt your credibility. If every time you open your mouth FUD spews forth, then people will tune you out or avoid you. We in infosec - especially vendors - seem to be guilty of this historically, as evidenced by how hard it is to get the attention of execs. Another problem is context. If everything is expressed as the highest of high risks, then how do you decide how to respond? If everything rates a 10 (on a 10-pt scale), then does that mean everything must be addressed immediately? How do you justify that? Along these same lines, there's also typically a lack of adequate supporting data to justify the consistently hyped state. Where are the metrics and measurements? Have the risk factors been measured and ranked using a reliable method? FUD tends to not have these supporting structures, which further damages credibility. "We're So Screwed" This statement probably summarizes our situation today, at least from the US perspective. How do we get this message across? If we have a high degree of credibility, and if we haven't abused the use of escalated rhetoric, and if we have some facts to back us up, then and only then can we whip out some FUD to make our point (of course, we could debate if this is really FUD, but I digress). You have all that today, right? No? Uh oh. Now what? This, I think, reflects our current situation. We are sorely in need of a breakthrough, too (SCADA owners - I'm looking at you). One such step being taken is that DHS is now sending teams off to energy companies to help with security, but this seems unlikely to be sufficient. We have decent methods for modeling risk (e.g. FAIR). How do we take the next step? How do we get the message across in a meaningful way that spurs meaningful action? What do you think?</description><link>http://www.secuobs.com/revue/news/249966.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249966.shtml</guid></item>
<item><title>The FUDdies: Vote For Your Favorite Practitioner of The Fine Art of FUD</title><description>Secuobs.com : 2010-06-18 16:39:14 - fudsec.com - For a year, Fudsec.com has brought you the finest FUD-bashing that money can buy, and many have asked us how they can post here (email us at the address below if you'd like to). All too often, though, we've outed fear, uncertainty and doubt without thought to giving credit to those who toil thanklessly to create it. We're out to change that. Announcing the FUDdies - the industry standard recognition of innovation and creativity in the production of FUD. After all, coming up with new ways to wrest legitimate budget dollars from security initiatives towards illegitimate boxes is no easy task. Join Fudsec.com as we honor those in the business of making this magic happen. Face it, folks: there's tons of FUD out there, and even here on Fudsec there are few people being specifically called out for FUD. So let's bring it. Tell us who's doing it. Tell the community about it. We need your help to get these going. Email us your thoughts, your nominations, or anything else you think we should think about. Right now, there are two categories of FUDdie: FUDiest Campaign, and Most Unctuous Information Security Marketing Executive. Voting is held by secret ballot at fudsec [at] gmail.com, and all results are reviewed by a top secret, anonymous committee whose decisions shall be final. Prizes are coveted, genuine Reynolds-built aluminum foil caps, which look great and shield your brain from electromagnetic mind control carrier waves and beacons. The prizes will be announced at RSA 2011, which means we need help now. Vote early! Vote with your heart! The Fudsec Team</description><link>http://www.secuobs.com/revue/news/232877.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/232877.shtml</guid></item>
<item><title>Framing Software Security</title><description>Secuobs.com : 2010-06-11 16:51:13 - fudsec.com - Today's post comes from Ben Tomhave. Ben and others felt the Zalewski ZDNet piece was a bit of a "Blame or Frame Job" on our industry, and Ben was compelled to respond. Do you agree? You'll want to follow the links if you haven't already read them. Any post that starts with a Sin City reference is likely to be gritty. by Ben Tomhave (@falconsview) "I've been framed for murder and the cops are in on it. But the real enemy, the son of a bitch who killed the angel lying next to me, he's out there somewhere, out of sight, the big missing piece that'll give me the how and the why and a face and a name and a soul to send screaming into hell." (Marv, in the movie Sin City) I've read and reread (a couple times) the May 20th article "Security engineering: broken promises" by Michal Zalewski of Google (a guest post on ZDNet's "Zero Day" feature). I have to say, I find it highly disappointing and FUD-tastically frustrating. The bio at the end describes him as a "security researcher," which in my mind makes him a "breaker" more than a "fixer" (supported by the kinds of tools he's released). As such, we have to expect a degree of whining cynicism about how bad things are, but I would have at least hoped he'd have a little more clue before spreading FUD doom and gloom. Framing Frameworks "...for several decades, we have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software. The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected." As a card-carrying member of OWASP, I find this statement to be ill-informed and suspicious. While it is true that we don't have mathematical models describing software security (to which he later alludes), it is completely false to say that we lack frameworks for understanding and assessing software security (which he never defines). There are lots of options to choose from, whether it be OpenSAMM, BSIMM/BSIMM2, or even the various efforts of groups like OWASP, ISECOM, or WASC. Let's also not forget efforts like Microsoft's SDL. In terms of enabling others, this is not a security failure, it's a management and business failure. Many like to throw blame onto security teams for this situation, but everything ultimately comes down to the decision-makers and their needing to place proper emphasis on the need/requirement for writing secure code/apps. Framing Risk Management Now we get into some very FUD-erific territory: "...risk management introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work" and "security incidents are nearly certain, but out of thousands exposed non-trivial resources, any resource could be used as an attack vector, and none of them is likely to see a volume of events that would make statistical analysis meaningful within the scope of the enterprise" and "in information security, there is nothing contributed by healthy assets to directly offset the impact of a compromise, and there is an insufficient number of events to model their distribution with any degree of certainty; plus, there is no way to reliably limit the maximum per-incident loss incurred." Wow, talk about cynical. First off, apparently risk management has no value. Second, risk management apparently detracts from security initiatives. Third, because there are potentially infinite threat vectors, the statistical analysis performed in risk assessment is pointless. All of this prattle belies a keen ignorance about risk management, and once again seems to suggest that software security failures are a result of something other than poor coding practices under the rule of security-disinterested business leaders. More importantly, his risk management comments don't seem to have much of anything to do with risk management, but instead seem to be focused on risk assessment methods. He probably also thinks that qualitative risk assessment techniques are de rigueur. It never ceases to amaze me when criticism is launched from a place of ignorance. Framing Unified Theories As the piece progresses (or maybe it digresses), it seems that we finally start to see his true intentions as he talks about CWE and CVSS, saying: "Having said that, none of them yielded a grand theory of secure software yet - and I doubt such a framework is within sight." This comment finally reveals Zalewski's true intent or hope, and that is some sort of mystical silver bullet "grand theory of secure software". I thought this guy was a security researcher for the venerable GOOG? Anybody else's spidey sense tingling over the inanity of his comment here? Of course, perhaps the biggest problem is Zalewski chafing at what is actually "good enough" from a software security perspective. Frameworks seem to be the preferred ideal du jour, but to what end, and with what backing? More importantly, to quote Amrit Williams: "What we must learn to accept is that security - as it pertains to both the development of software and its operational use - is ultimately more survivable than we like to believe" (from "The Simple Elegance of Faith: When Good Enough Is"). Call me crazy, but it seems like Zalewski is framing infosec for the failing of business leaders, compounded by his own ignorance. What do you think? Also check out Jack Daniel's response, "A bit of deep thought", as he links to several other replies as well.</description><link>http://www.secuobs.com/revue/news/230725.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/230725.shtml</guid></item>
<item><title>Endpoint Security in the Age of Virtual Desktops</title><description>Secuobs.com : 2010-06-04 16:53:48 - fudsec.com - This week's post comes from Eric Hanselman. Eric has an uncommon, common sense. Eric tried to leave Security two years ago after the RSA conference - bound for Virtualization-land. Alas, security pulls you back in and he was right back at RSA 2009. We always say "we'll do better at security the next time", "We'll bake security in". There were a lot of promises and claims made about how much better virtualization security would be. Here is sort of a "state of the union" from Eric.

By Eric Hanselman (@e_hanselman)

We're heading into a brave new world of desktop security and we need to do it with our eyes open. There's a lot of potential benefit that desktop virtualization can bring to an organization. Like any new technology, though, there's a lot of misunderstanding of the change in risk dynamics and how to deal with them. In recent weeks there have been announcements and discussions that bear some analysis.

Hosted and Virtual desktops (HVD is the Gartner term) deliver awesome mitigation for data loss. The desktop is back in the data center and only the screen image makes it back to the user. There are also all of these really great operational expense savings. It's easy to think that it resolves some of our biggest endpoint protection headaches. There's an air of irrational exuberance out there that's a little disturbing. There are two big concerns:
- Users think that desktops in datacenters are wicked safe.
- Vendors aren't disabusing them of this delusion.

At RSA this year, in two different virtualization security sessions, I heard attendees ask if anti-virus software was still needed with virtual desktops. Lest you think that these were aberrations, industry analysts are posing the question, as well (http://www.brianmadden.com/blogs/brianmadden/archive/2009/12/02/in-a-virtual-desktop-world-do-we-need-to-pay-30-a-seat-for-antivirus-and-client-security.aspx). Forget about all of the Blue/Red Pill hysteria. There's a much more fundamental issue that we need to address. Yes, the desktops are now in the datacenter, but there are still a whole set of security issues that have to be handled.

We've made a big jump forward with physical security. It's now a lot harder for random people to plug USB devices into desktops or walk off with the thing that holds all that local data. We've paid for this by turning every user into a remote user. Remote access security is something that we should have a good handle on, but now every user needs it. IAM capabilities take a big step forward.

Securing the desktop is where real work still needs to be done, and that falls to the traditional tools of endpoint defense. The hitch is that our existing tools don't play well with the virtual world. For the security conscious, the virtual desktop gets built like the physical desktop. Tried and true desktop suites can be managed in the virtual world alongside the physical desktops. This works. There's a danger lurking here if we don't understand the impact in the virtual world. There are a number of horror stories of a newly minted virtual installation being brought to its knees when every one of the virtual desktops was scheduled to do system scans at the same time. Even if our suite supports flexible scheduling, those compute and I/O intensive tasks that worked so well when distributed across bunches of under-utilized systems are a huge load when brought back to a shared set of servers. This is a problem that has many people considering turning off traditional protections. A big difference between server and desktop virtualization is the concern about scale. Running endpoint protection on virtual desktops reduces the number of desktops that can be hosted on a given set of hardware.

There are virtualization vendor claims that, by destroying each desktop after use, we eliminate infection. This is the first vendor complicity issue. What about all of that user data? Aren't there a lot of PDFs full of APTs out there? Fortunately, virtualization can address a part of this. But only part. One big benefit of desktop virtualization is that I've got all of my users' disks in the datacenter. They're available all of the time. If I've got enough disk I/O capacity, I can scan all of those disks any time with minimal user impact. I've also got the potential to remediate issues centrally. A big win. Some traditional AV vendors pitch this as their "virtual" solution today.

The piece that isn't covered is execution monitoring. The virtual environment still doesn't have a way to keep tabs on live processes. There are good signs, but they're not complete. VMware's VMsafe opens memory pages for inspection, but, again, we're back to static signature scans, and advanced threats have proven that they're pretty good at obfuscation. And only VMware offers this today. And only a few security vendors are doing anything with VMsafe. This is a missed opportunity.

We now come to the recent announcement by Citrix and McAfee of their partnership for virtual desktop security, the MOVE platform. This sounds like it's going in the right direction. It makes the agent functions more granular and allows processing to be split between the desktop and the virtual environment (http://community.citrix.com/display/ocb/2010/05/12/Taming the Four Horsemen of the Virtualization Security Apocalypse). How will this fare when put under the scrutiny of the recently developed SCSOVLF metric? Not well, unfortunately. To begin with, it's still a "concept" with delivery some months off (http://searchvirtualdesktop.techtarget.com/news/column/0,294698,sid194_gci1513283,00.html). Details are still emerging, but the first stage seems to move some analysis parts to a separate VM and leans heavily on virtualization being a great way to improve configuration management. Points off for relabeling something that we should have been doing already.

There is a second phase to MOVE, native hypervisor inspection. My heart leapt! Until I realized that it's application and process whitelisting. This is desktop security, not server, right? There are a lot of people who've been burned out there by the twin issues of manageability and effectiveness for whitelisting. It puts us right back to manually locking down users' desktops. While this is a step in the right direction, it comes with a high cost. And more sophisticated threats already know how to beat it (DLL injection, anyone?).

What we really need is endpoint protection that can rely on sophisticated techniques in the hypervisor. Have per-instance execution monitoring for the desktop, and leave the signature scans to a storage analysis piece. And correlate the two, please. And wouldn't it be even better if, while providing virtual execution cycles, the virtualization layer was doing some effective protection, as well? A guy can dream, right?</description><link>http://www.secuobs.com/revue/news/228655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/228655.shtml</guid></item>
<item><title>NSEC3: Is the glass half full or half empty?</title><description>Secuobs.com : 2010-05-28 21:12:58 - fudsec.com - Interesting technical post by the super-smart Andy Ellis. It may not be obvious what this post may have to do with FUD. Some context may help. A position we've heard: DNSSEC and its benefits have been postponed for years by folks afraid that zone files would not be secret enough. NSEC was an attempt to add secrecy, but it cost the world three tries and associated delays to settle on NSEC3. Oh, and by the way, it doesn't solve the "issue" either. Was FUD a factor here delaying the move to DNSSEC?

By Andy Ellis (@CSOAndy)

NSEC3, or the "Hashed Authenticated Denial of Existence", is a DNSSEC specification to authenticate the NXDOMAIN response in DNS. To understand how we came to create it, and the secrecy issues around it, we have to understand why it was designed. As the industry moves to a rollout of DNSSEC, understanding the security goals of our various Designed Users helps us understand how we might improve on the security in the protocol through our own implementations.

About the Domain Name Service (DNS)

DNS is the protocol which converts mostly readable hostnames, like www.csoandy.com, into IP addresses (like 209.170.117.130). At its heart, a client (your desktop) is asking a server to provide that conversion. There are a lot of possible positive answers, which hopefully result in your computer finding its destination. But there are also some negative answers. The interesting answer here is the NXDOMAIN response, which tells your client that the hostname does not exist.

Secrecy in DNS

DNS requests and replies, by design, have no confidentiality: anyone can see any request and response. Further, there is no client authentication: if an answer is available to one client, it is available to all clients. The contents of a zone file (the list of host names in a domain) are rarely publicized, but a DNS server acts as a public oracle for the zone file: anyone can make continuous requests for hostnames until they reverse engineer the contents of the zone file. With one caveat: the attacker will never know that they are done, as there might exist a hostname that they have not yet tried. But that hasn't kept people from putting information that has some form of borderline secrecy into a zone file. Naming conventions in zone files might permit someone to easily map an intranet just by looking at the hostnames. Host names might contain names of individuals. So there is a desire to at least keep the zone files from being trivially readable.

DNSSEC and authenticated denials

DNSSEC adds in one bit of security: the response from the server to the client is signed. Since a zone file is (usually) finite, this signing can take place offline: you sign the contents of the zone file whenever you modify them, and then hand out static results. Negative answers are harder: you can't presign them all, and signing is expensive enough that letting an adversary make you do arbitrary signings can lead to DoS attacks. And you have to authenticate denials, or an adversary could poison lookups with long-lived denials.

Along came NSEC. NSEC permitted a denial response to cover an entire range (e.g., there are no hosts between wardialer.csoandy.com and www.csoandy.com). Unfortunately, this made it trivial to gather the contents of a zone: after you get one range, simply ask for the next alphabetical host (wwwa.csoandy.com) and learn what the next actual host is (andys-sekrit-ipad.csoandy.com). From a pre-computation standpoint, NSEC was great - there are the same number of NSEC signed responses in a zone as all other signatures - but from a secrecy standpoint, NSEC destroyed what little obscurity existed in DNS.

NSEC3

NSEC3 is the update to NSEC. Instead of providing a range in which there are no hostnames, a DNS server publishes a hashing function, and a signed range in which there are no valid hashes. This prevents an adversary from easily collecting the contents of the zone (as with NSEC), but does allow them to gather the size of the zone file (by making queries to find all of the unused hash ranges), and then conduct offline guessing at the contents of the zone files (as Dan Bernstein has been doing for a while). Enabling offline guessing makes a significant difference: with traditional DNS, an adversary must send an arbitrarily large number of queries (guesses) to a name server (making them possibly detectable); with NSEC, they must send as many queries as there are records; and with NSEC3, they must also send the same number of requests as there are records (with some computation to make the right guesses), and then can conduct all of their guessing offline. While NSEC3 is an improvement from NSEC, it still represents a small step down in zone file secrecy. This step is necessary from a defensive perspective, but it makes one wonder if this is the best solution: why do we still have the concept of semi-secret public DNS names? If we have a zone file we want to keep secret, we should authenticate requests before answering. But until then, at least we can make it harder for an adversary to determine the contents of a public zone.

"Best" practices in zone secrecy

If you have a zone whose contents you want to keep obscure anyway, you should consider:
- Limiting access to the zone, likely by IP address.
- Use randomly generated record names, to make offline attacks such as Dan Bernstein's more difficult.
- Fill your zone with spurious answers, to send adversaries on wild goose chases.
- Instrument your IDS system to detect people trying to walk your zone file, and give them a different answer set than you give to legitimate users.

Jason Bau and John Mitchell, both of Stanford, have an even deeper dive into DNSSEC and NSEC3.</description><link>http://www.secuobs.com/revue/news/226750.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/226750.shtml</guid></item>
<item><title>Low Fidelity: Is a "Good Enough Revolution" Good for Security?</title><description>Secuobs.com : 2010-05-21 17:13:09 - fudsec.com - This week's post is short and sweet (for a change). Duncan hints at a subtle, nuanced, but important question. Should security follow the same patterns we see in other markets like consumer electronics? FUD, too many products, tight budgets, and compliance checklist mindsets are all trending security spending toward a perceived "good enough". Is this a good thing? Hoopes hopes for an interesting discussion, so bring on the comments.

By Duncan Hoopes (@DuncRH)

If we look at the preferences and trends in the consumer electronics market, can we gain insights into IT security development and purchasing patterns? I subscribe to Wired magazine, but my teenage sons pilfer it before I have a chance to read it all. As such, it was only when I came across a news snippet about a Wired article in another magazine that I stopped to think about the security implications. From worldmag.com:

"Robert Capps, writing in Wired, identifies a revolution that began with technology but is changing the way other industries, including law and medicine, are doing business. Capps calls it the 'Good Enough Revolution' and uses the Flip video camera to illustrate his point. Traditional video cameras emphasized image quality and features. A new company, Pure Digital, came along and saw a market for a low-cost video camera that was easy to use and produced video that was easy to share online. It sacrificed image quality for ease of use. The Flip Ultra is now the best-selling video camera and controls 17 percent of the market. Capps writes: 'We now favor flexibility over high fidelity, convenience over features, quick and dirty over slow and polished. Having it here and now is more important than having it perfect.'"

I recall the days when "hi-fi" was the objective. Sure, the market still recognizes differences in quality, but other factors seem much more important. As Capps points out, despite the availability of excellent medical technology, "good enough" is an emerging theme in healthcare.

My question: Does this trend represent dissident behavior on the part of the masses? Or am I the dissident because I believe that security technology should be more secure than what the trend of 'quick and dirty' brings?</description><link>http://www.secuobs.com/revue/news/224447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224447.shtml</guid></item>
<item><title>SCSOVLF (aka, the Shpantzer Coma Scale Of Vendor Lameness and FUD)</title><description>Secuobs.com : 2010-05-14 15:44:33 - fudsec.com - Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but "I know it when I see it". In this week's invited post, information security and risk management consultant Gal Shpantzer blows the lid off that problem with the Shpantzer Coma Scale. We at the Fudsec Institute For FUD Studies are delighted that he could bring clarity and metrics to such an important topic - because if you can't measure it, you can't... well, you know.

By Gal Shpantzer (@shpantzer)

When considering the veritable cornucopia of vendor offerings in the information security niche, you'll find a spectrum of quality in the products and services themselves, from the ridiculous to the incredibly useful and well-designed. You'll also find a wide variety of approaches to sales and marketing these very same products and services. Some vendors are consistent and have good products as well as sales/marketing teams. This is a rare vendor indeed. Treasure them if you find them. The majority within the vendor space have either good products or good marketing. Then there are those with neither. Inconsistency breeds hilarity.

Please consider this friendly scoring system, inspired by a combination of the Glasgow Coma Scale, APGAR and some other medical scoring schema for survivability of trauma and disease. Note: We're carefully calibrating the rating system with an old Cray supercomputer in @rybolov's basement. YMMV.

Let's add up some points:

Vendor inappropriately uses absolute terms like "always" and "never" in order to delude the sucker, er, I mean prospect, into thinking there's any certainty to be had in the security niche. Take one point off for every absolute term, starting at 5. (Bottom score of -5 for FUD lameness)
---------------------------------------------------------------------
Number of minutes from start of presentation until vendor uses the term "APT": -1 point for every minute past start. Max -5 points. (Bonus 3 points for not mentioning it at all, unless prompted to)
---------------------------------------------------------------------
If, when prompted to address APT, vendor says "oh yeah, we've been doing APT since before 9/11": -5 points
---------------------------------------------------------------------
If, when asked, "How do you approach the APT issue, exactly?" they respond "That's on our roadmap": -5 points
---------------------------------------------------------------------
Vendor claims to fully detect malware on your endpoint. The more certain the claim sounds, the more points you can take off, starting from 5. (Bottom score of -5)
---------------------------------------------------------------------
Vendor has something that goes beyond a default OS build for its products. Starting at 0, add points for each aspect of security hardening credibly claimed: +1 point per feature, Max 5 points
---------------------------------------------------------------------
Vendor has credible claims to integrate with relevant third party applications and services: +1 point per feature, Max 5 points
---------------------------------------------------------------------
Vendor offers some level of choice in pricing model: +1 point per choice, Max 5 points
---------------------------------------------------------------------
Vendor has recent history of catastrophic encryption implementation failures: -5 points
---------------------------------------------------------------------
Vendor offers a 99% discount off retail pricing for year one software licensing. When pressed for total cost of ownership over 3 years, they reveal their plan to stick you with maintenance based on MSRP for years two and three: -5 points
---------------------------------------------------------------------
Vendor offers some level of ability to update and upgrade the software they're selling: Max 5 points
---------------------------------------------------------------------
Vendor actually responds to vulnerability reports in a way that remotely resembles something a reasonably responsible business would: 5 points
---------------------------------------------------------------------
Vendor offers some level of centralized management of distributed product: Max 5 points
---------------------------------------------------------------------
Vendor's central management of said distributed product causes DoS on your network: -5 points
---------------------------------------------------------------------
Vendor has some sort of third party certifications for their crypto library and/or device as a system (FIPS 140-2, Common Criteria, UK gov't, German gov't, etc.): Max 5 points
---------------------------------------------------------------------
Vendor doesn't use proprietary encryption algorithms (yes, this is still being done, see Onix International and EncryptStick "polymorphic"): 5 free points for using AES or other accepted algorithm
---------------------------------------------------------------------
Vendor has technical capability to deploy in a flexible manner, to suit your virtualization strategy, if relevant: 5 points
---------------------------------------------------------------------
Vendor has real scalability in technical and pricing terms. Ask for references, don't just buy the canned demo: 5 points
---------------------------------------------------------------------
Vendor has reasonable licensing terms that allow for configurations that serve different use cases: 5 points
---------------------------------------------------------------------
Vendor can integrate with two-factor authentication tokens/cards, at least for the administrative interface: 5 points
---------------------------------------------------------------------
Vendor is very negative and constantly disparages other competitors in their space: 0 points
---------------------------------------------------------------------
Vendor is negative when disparaging obvious lamers like those who use "polymorphic encryption": Max +3 points
---------------------------------------------------------------------
When asked about reference customers, vendor claims that the entire DoD and civilian government uses their products. When pressed for a confidential phone call, under NDA: "That's classified, but just between you and me, we're all over Langley and Ft. Meade": -25 points and a call to the FBI Counterintelligence office
---------------------------------------------------------------------
Vendor is an otherwise credible up-and-coming security player that has been around for more than a year and can legitimately support an enterprise customer, in theory: Max 5 points
---------------------------------------------------------------------
Vendor product does in the testing lab something close to what it says in the slideware: Max 5 points. Bonus 3 points for having a reasonably responsive pre-sales engineer available via webex to help with a qualified bake-off
---------------------------------------------------------------------
Vendor is an otherwise credible security player that's been around for a while and has actual, reference-able enterprise customers: Max 5 points
---------------------------------------------------------------------

SCORE:
Negative Score: Bring back the pillory and the scarlet letter.
Under 30: Run, don't walk. Then keep running. Write a blog post to lower your blood pressure.
31-50: Ask for a webinar and have them explain polymorphic encryption to you.
51-70: Possible long-list candidate with value play.
71-90: Probably gonna make it to shortlist for tech eval.
91+: Might be able to deliver on the promise and not the peril.</description><link>http://www.secuobs.com/revue/news/222191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222191.shtml</guid></item>
<item><title>Passing the Baton</title><description>Secuobs.com : 2010-05-07 15:11:08 - fudsec.com - In mid-2009, after a flurry of Twitter activity on the subject, Craig Balding established Fudsec. He felt that, since Fear, Uncertainty and Doubt was permeating the world of information security, there should be a place where information security professionals could rebut it, could stake claims to intellectual honesty and begin conversations about issues of community interest. "Fudsec," Craig wrote, "was created to showcase bad examples of Information Security marketing. Anytime the marketing message from an Information Security vendor or provider makes you feel Fear, Uncertainty, Doubt (FUD) or just plain dirty, let us know and we'll feature it here." The Twitter effect was certainly responsible for the site's rapid growth, and by many measures the site has been a great success. Readership for each of the more than 30 posts to date has averaged several thousand, and the feedback generated has been highly positive. Each entry has a call to action. Not all posts draw comments on the site. All posts have sparked conversations - some highly charged, some in violent agreement, some in lively debate.

The list of contributors to date reads like a Who's Who of the information security world - in alphabetical order, posts have been contributed by Iftach Ian Amit, Paul Asadoorian, Balazs Attila-Mihaly, Richard Bejtlich, Carl Brooks, Anton Chuvakin, Justin Clarke, Joshua Corman, Rocky DeStefano, Drazen Drazic, David Etue, Will Gragido, Jeremiah Grossman, Brian Honan, Peter Kuper, Lori MacVittie, Haroon Meer, Ewout Meij, Chris Nickerson, Dale Pearson, Larry Pesce, George Reese, Wim Remes, Kevin Riggins, Chris John Riley, Mike Rothman, Nick Selby, Shrdlu, Jayson Street, Chris Swan, Vince Tuesday and Amrit Williams.

Now Craig is passing the baton, curtailing his online activities to turn his attention to his growing family, and a new team will be running Fudsec - in Craig's words, "two of Fudsec's biggest fans and notable contributors". You can expect the same level of integrity as before, and the potential for some new debate, or even some new services. A podcast is not out of the question. The Fudsec site will remain true to Craig's original and important vision: intellectual honesty, an open forum where the known and the not-so-well known can contribute to the conversation. Where voices from all continents and cultures will find an audience.

As he passed the torch, Craig passed on some thoughts about how the site should be continued. A small sample of what currently comprises our mission statement: "We need to go beyond acknowledging the FUD elephant in the room. We need to exorcise the demon from within or ultimately we will be 'without'. Fudsec is the place to initiate that. We don't claim sole rights on the FUD meme, but we built a launchpad and every week aim rockets at the collective infosec consciousness. A Fudsec piece without a call to action is an operating system without an application."

If you'd like to write for Fudsec, please let us know at fudsec at gmail dot com.</description><link>http://www.secuobs.com/revue/news/219913.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219913.shtml</guid></item>
<item><title>The Third Wave of FUD: Pre-emptive FUD Against Other Solution Categories</title><description>Secuobs.com : 2010-04-30 17:13:41 - fudsec.com - Today our invited post is from David Etue, a vendor speaking about FUD in information security marketing. Yes, he has skin in the game and yes, he knows it. But his larger point is that when marketers point FUD at vendors in other markets, intellectual honesty and customer information is the victim.

By David Etue (Twitter: @djetue)

Disclosure: I am a marketing guy - a VP of Products and Markets at Fidelis Security Systems, a network security company addressing problems from cyber defense to DLP. That's my conflict, and now it's disclosed.

Sadly, FUD continues to evolve, and not in a positive way. As Anton Chuvakin has pointed out, FUD's role in security today probably overshadows the role of any other factor we know. However, vendors' use of FUD is continually evolving, and has now reached what I determine to be its Third Wave: Fear, Uncertainty and Doubt against other solution categories. In order to understand the third wave, we'll first look back at what I consider the first and second wave.

The First Wave

The "first wave" of FUD is when vendors use fear, uncertainty and doubt to convince (well, scare) an organization into buying their security product. Rather than learning a customer's organization and explaining how the technology, along with people and process, benefits the customer's risk management program, this FUD involved targeted messages to the end user on how they will be hacked, fail an audit, lose their job, etc. if they don't purchase this product. This first wave of FUD is still omnipresent today, but many consider it misdemeanor-level FUD as it's also the easiest to detect by the end user - it often overlaps with "silver bullet FUD" stating how the product solves both all information security problems, and maybe even world hunger too.

The Second Wave

The "second wave" of FUD targets competitors in the same sub-sector of a given industry: this is FUD-marketing attacking the competition to win the customer bake-off. Again, rather than competing the noble way and articulating how product differentiators affect customers' cost of ownership and benefit their risk management program to gain selection, many resort to competitive FUD. There are a few different types of second wave FUD:
- Bogus Requirements: This FUD consists of establishing criteria that have NO or LOW material mapping to how the organization would use the product and therefore no benefit, yet will eliminate competitive solutions. My personal favorite examples are when organizations require esoteric templates, often compliance related, in the product with NO relevancy to their organization because one vendor has them and convinced them to include it in the specification.
- Bogus Features: I have a product management background so I often refer to these as "test cases", versus "use cases". These are typically extraneous, but can sometimes be intentionally malicious. The extraneous cases consist of creating an event that would never happen in the real world, modifying your product to cover it, and then convincing the end user it matters. A few years ago, I came across a great example of a more malicious example from a data leakage prevention (DLP) vendor, where they had modified their product (whether intentionally or unintentionally) to alert on a Social Security Number ending in "0000", which is not a valid SSN. The vendor then proceeded to provide the end user with a test file of SSNs ending in four zeros, and then claimed to be the only vendor to detect the file "correctly".

The Third Wave

Unfortunately, we've gone past these to the "third wave" of FUD, where FUD is used to compete for a customer's mind-share versus other solution categories. Rather than using FUD as a compelling event (FUD wave one), or competitive FUD to gain selection (FUD wave two), vendors are now FUDing for mind share before projects even start.

A great example of this is Gunter Ollmann of Damballa's blog post, Botnet Prevention with DLP Technologies. I am pretty familiar with the DLP space, and I'm not aware of many cases of vendors using botnets, or even botnet FUD, as a primary selling point of a DLP solution. However, Gunter goes out of his way to try to make a point that he can't "see a reason for [DLP] existing as a separate security technology anyway". As an aside, I'd recommend that Gunter choose his FUD more carefully in the future. Much of his "DLP doesn't do botnet" FUD could also be used to argue why a separate botnet appliance (like Damballa) shouldn't exist as a "separate security technology", as he makes a compelling argument that IPS, anti-spam and perimeter Web gateway help stop nodes from being infected over the network; anti-virus best deals with determining "malicious intent of the binary files"; and IP/Domain/URL blocking technologies are effective at blocking command and control.

Why is Gunter focusing Botnet FUD at DLP? While botnets certainly may play a role in data exfiltration, Damballa's mission of protecting "businesses from bot-driven targeted attacks used for organized, online crime" and DLP's focus on content-aware data security are fairly different. I think the reason is that DLP is currently a funded market category with name-funded projects in the large enterprises that Damballa is interested in selling to. These same enterprises don't have a named "botnet detection" project or budget, so the battle for dollars and mind share has begun. He is not alone in this FUD, as many other vendors have joined this third wave of FUD with DLP alone. For example, Lancope announced their DLP solution that is soooooo good that it's "not dependent upon packet-level data" (thanks to Rich Mogull of Securosis for calling out this FUD in his blog post Hit the Snooze on Lancope's Data Loss Alarms). There are many more examples across the security landscape.

So, how did we get to this third wave? I have a few ideas.

First, the security buyer is suffering from information overload. If we look across the security product landscape, Gartner has a taxonomy that defines 159 discrete security topics ranging from infrastructure protection to identity &amp; access management to compliance, risk &amp; governance. This overwhelming list of "solutions" is way too many categories for an end user to possibly navigate, let alone have in-depth knowledge of how they would benefit their organization's risk management program.

Second, there is very little spending on new security projects, or new IT projects in general. According to the quarterly Citi CIO Survey for the fourth quarter of 2009 (by Richard Gardner and Aswin Shirviakar), the 80/20 rule applies to existing projects and maintenance versus new IT spending - "about 80% of IT spending over the next year is expected to be maintenance". This report also states that "security spending intentions remain high yet just stable". What does this mean? Any of the products within the Gartner 159 security categories which is not yet deployed is fighting for 20% of IT security spending, and the overall pie from which the 20% is derived isn't growing.

Finally, compliance spending continues to drive the majority of the spending in security dollars. The same Citi CIO survey cited before noted that government regulations were a significant driver of spending. As compliance regulations have become more prescriptive, this compliance-spending has become very focused on a small number of traditional (some may call legacy) security controls. The Payment Card Industry Data Security Standard (PCI DSS) is a great example of this, as, as Josh Corman points out, it only explicitly requires nine security technologies (firewall; IDS; anti-virus; log management; encryption; vulnerability scanning; web application firewalls or application reviews; integrity monitoring; and patch management). This leaves 150 of 159 Gartner sub-sectors of security - many with technologies solving significant challenges important to enterprises today - not required by compliance.

So, we have a confused buyer not able to keep up with the number of security product categories available, let alone the products within them. They may have little motivation to learn as budget pressures allow for few new projects, especially when 80% of the budget is spent on existing projects and maintenance. Top that off with compliance driving spending to a small number of legacy controls. This leaves the remaining vendors thinking "If they have one discretionary project left, it MUST come to my project," and makes them incredibly focused on driving the small fraction of remaining budget to their solution. This is no excuse for the use of FUD, but is a sobering view of the state of the information security industry today.

Conclusion

Information security has reached a desperate time and some say desperate times call for desperate measures. However, these desperate measures should be to the benefit of the end user, not any single vendor. I would suggest that the presence of third order FUD is an indicator of the desperation of a solution to find its way in a crowded marketplace. This is a commentary on both the marketplace and the vendors who seek to use it. In a time when we all want to drive FUD down, adding a third wave should not be acceptable. In the interest of continued disclosure, I remind you, I am a vendor. But am I wrong? Which examples of third-wave FUD do you have?</description><link>http://www.secuobs.com/revue/news/217715.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/217715.shtml</guid></item>
<item><title>Innovator's Crisis</title><description>Secuobs.com : 2010-04-23 19:54:48 - fudsec.com - This week we've invited Peter Kuper to comment. If you've ever met Peter, you won't be surprised that the topic of this week's post is the crisis amongst innovators. Thanks, Peter. By Peter Kuper. Google made it entirely impossible for anyone to deny the harsh reality: We are pwned. The call for better security solutions has never been greater; it is headline news not in some geek blog, but the New York Times. We're finally getting the attention the problem deserves. Any day now we should be seeing money raining down all over security as the brains would be getting endless calls from investors worldwide, the big tech providers creating a buying frenzy to snap up and rush the leading products to market, and the new solutions and ideas would line up for long as far as the eye could see. The reality is the exact opposite; the reality is the entire ecosystem for the innovative ideas to solve this undeniable problem is at a critical state: the money has left the building and likely ain't coming back anytime soon. Venture Capitalists have run from security as the easy money returns showered on them from the Symantecs and McAfees of the tech world, let alone the IPOs, has all but disappeared. At a time when our economy needs the VCs the most, they're not willing or able to step up. The latest data from VentureWire confirms these fears: - Venture-backed cyber-security start-ups secured just $626 million in 2009, less than half the amount they raised in 2005. - Buyers are smaller, as are the targets: acquiring entities are mostly "rollups" (meaning amassing a portfolio of technologies just for reselling purposes, not advancing the cause, or roadmaps for that matter). E.g., Barracuda Networks made nine acquisitions since taking $40 million in financing from Sequoia Capital and Francisco Partners in 2006. "There's a lot of great technologies that haven't gotten traction and people can't see how to profit from it, that are forced into a position to sell when normally they wouldn't be looking to sell," Dean Drako, CEO Barracuda Networks. It is a simple cycle: The companies need to sell as the capital to sustain operations has largely evaporated; less sales, less funding leads to more distressed EOLs. But the slippery (ugly) slope doesn't end for us poor users there. Even worse, the large security and other technology providers that purchase the private companies with the better technologies are then, in most every case, killing off the R&amp;D and product road maps. The overall data shows the undeniable trend: Despite the over 388 deals completed by the top 10 tech companies, including 276 between 2005-2007, R&amp;D levels declined. Where did the R&amp;D go? Source: Publicly reported data. Public companies acquired are no exception either: IBM paid $13 Billion for ISS and what has become of those technologies? More distressing perhaps is that the problem will linger as the VCs aren't stepping in to replace the nearly 400 companies wiped off the earth in the past 5 years. The main driver of this is the VCs are looking at the exit valuations. According to the 451 Group, the returns for technology deals are simply lower. Cooley Godward's report captures the reality of VCs' risk aversion. Over the past four years, fewer early stage deals are being completed for later stage investments. Later stage rounds have increased to 39% in 2009 from 33% in 2006; the gains came from the A rounds (30% in 2009 vs 37% in 2006) as Series B stayed the same (30%). Source: Cooley Godward Kronish. Who cares if the VCs aren't there? They weren't much help anyway, some have cried. While that may be true in some cases, the dollars for R&amp;D aren't coming from the larger companies either. As Goldman Sachs illustrates in the table which follows, IT has historically been the largest R&amp;D spender versus any other industry, yet it dropped by 6% in 2009 and is expected to increase just 3% this year. And the even harsher reality is that VCs and public vendors provide the lion's share of research dollars. So for now anyway we're screwed. Of course, eventually the market, as it should, will find an answer. "SuperAngels" is fast becoming a recognized term as wealthy individuals and groups of such step in to fund Series A deals that are harder to fulfill in this environment. Boot-strapping is also returning to vogue, which has some very useful residual effects. While growth might be hampered from a lack of resources, running a frugal ship from day one avoids the cash burn trap many startups fall into as well as retaining higher ownership of the company. But given the overall saturated state of attack surfaces, something's got to give if we hope to fight back, let alone win, anytime soon.</description><link>http://www.secuobs.com/revue/news/215491.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/215491.shtml</guid></item>
<item><title>Confessions of a SecAddict</title><description>Secuobs.com : 2010-04-09 19:25:40 - fudsec.com - It's Friday, which can only mean a torpedo of FUD comin' at ya. Sometimes you read a blog post that really hits home. This is one of them. I asked Chris if I could repost it here and he was gracious enough to say 'Hell, yeah. That's cool' (at this point, I pictured him whipping out the MOFO wallet). Chris is an experienced security practitioner by day and co-host of the Exotic Liability podcast by night (well worth a listen, just protect the children) - and informal champion for the non-rock-stars in the infosec community (he wouldn't call himself this as he's too modest on this score). Anyway, enjoy the post and tell us what you think in the comments. Thanks Chris. By Chris Nickerson. "GOD, grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom go out drinkin' afterwards." -APDelchi. I am over it. I am over all of the BS. I am over all of the compliance posturing. I am over all of the "NEW AGE" high tech hipster ways to get a hold on a problem that is created "FOR THE PEOPLE BY THE PEOPLE". I am over "We can't". I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention (which is nothing more than promoting the stereotype of security professionals being cry baby prima donnas). I am over having to try and use corporate politics, back handed practice and overall impossible tactics just to create "something to REACT to". I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train wreck life of a typical security posture. Have you ever felt this way? Do you feel this way now? Are you "too tired" or "powerless" with regards to the security battle? Do you feel under control, hands tied, and have an overall lack of drive? Do you see a pattern? Big_Giant_Breath. These are the signs you would see in a person with an extreme addiction. Yep. Change the words and context around just a little bit and you have a classic addict. It's hard to choke down. I get it. It's not conventional. I know. But, it's real. As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of "get fixed quick" type programs. There have been high tech treatments and "silver bullet" pills that cure this horrible disease, but none of them is a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your "old ways". Sound familiar yet? With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hopes that it would seriously up my Social Engineering game. I was taking the cross training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on "fixing" the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. (I know, shocking haha.) Seriously though, I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he even was taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me. It took a long time. To me it felt like an eternity, but in the end I opened up like a box that didn't install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no brainer or it may look like the 2 words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness. I won't go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it. Like it or not, we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words: Powerless: Without POWER. This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next (this concept took about 3 years for me to really get, so if it is confusing in this short burst, you are not alone). When the car hits the wall, there is no reason to be mad; it was out of your control. What freedom! No reason to beat yourself up. It was simply out of your hands at that very moment. Helpless: Without HELP. Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you can not take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don't have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of "evidence" to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail and its security controls are unable to be compromised (after all, you built 'em). I know, I know, you are saying "Geez hippie, hug a tree or something". But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with in the beginning of this post. What did you find? Well, because we are all humans, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time. Maybe this is the one. Regardless, it is a part of life. We have all been happy or sad, or indifferent. For this simple trend, we all have had common issues. This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec but it usually doesn't provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying "Well, we will consider you recovered if you don't drink Vodka any more. All of the other alcohol isn't IN SCOPE." This is just an insane statement, but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are Detox centers that claim to "Get you clean," but all the successful ones have a common thread. They have a common goal and a common roadmap to get there. This roadmap is called the "12 Step" program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don't have is a real way to get started. We don't own our own recovery, we usually act like it is forced upon us. Because of the lack of ownership, it allows us to "cheat" in our own program. It allows us to blame a scapegoat (whether that's compliance or an infosec savvy employee). There is always someone else to blame and at the root of it, it is the reason we have rarely succeeded with our insecurity "recovery". Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it. 12 Steps (of insecurity recovery): 1. We admitted we were powerless over security; that our environments had become unmanageable. 2. Came to believe that a power greater than ourselves could restore us to being secure. 3. Made a decision to turn our will and our lives over to the care of best practice as we understand them. 4. Made a searching and fearless inventory of our environments and its assets, both information and physical. 5. Admitted to ourselves and those assisting us in our recovery the exact natures of our wrongs. 6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified. 7. Humbly ask for help remediating our flaws. 8. Made a list of all the persons we ignored and became willing to make amends to them all. 9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company. 10. Continue to take corporate inventory and when we find flaws promptly admitted it. 11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them and only for knowledge of his will for us and the power to carry that out. 12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs. I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs. The tech won't save us. The regulations will never be good enough. The cloud won't be the silver lining. Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ole fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take "The first step".</description><link>http://www.secuobs.com/revue/news/210579.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210579.shtml</guid></item>
<item><title>Personnel Problems</title><description>Secuobs.com : 2010-04-02 14:33:05 - fudsec.com - This week, head hacker Dale Pearson digs into an area that we infosec guys and gals often give lip service to, but all too often fail to properly address. Cheers mate. By Dale Pearson. I have a problem, well maybe it's more of an addiction. I just love gadgets and technology; if it beeps and has lots of flashing lights I just have to have it. I am sure a lot of you share my affliction - we are like magpies - we all like new shiny kit arriving at the door. Ok, so it's a personal problem, but it's a problem that exists in organisations also, and it's a real problem. In the world of business, organisations are constantly reminded of the threats and risks that exist, and the steps they need to take to reduce and eradicate these so called threats. So how do organisations spend their security budget? Well they spend a lot of money on little boxes that sit in huge racks, with lots of flashing lights and the occasional beeps. Sounds like heaven, right? With all this firewalls, IDS, AV and filtering technology we have nothing to worry about, the virtual gates are tightly locked. It doesn't stop there though; we need policies, procedure and governance too, so we have to spend a little money here as well. We need to tick those regulatory and legislative compliance tick boxes so we can get the nice certificate on the wall, and assure our customers that we are secure because we are compliant. The purse strings are tightening a little now, but we are jumping aboard the risk management framework train now, and this is a big deal, so we need some money for this. So now we are on the circular line of risk procrastination and unrealistic checklists, but it all sounds good and sets the right image to the outside world. Now there really is no money left in the kitty, but we need to carry out penetration testing and user awareness to keep our certificates on the wall. So we employ a team of penetration testers to run a vulnerability assessment on a small portion of our infrastructure. Now for user awareness training, a simple presentation we can rinse and repeat each year on the Intranet should do the job. So let's quickly recap: 50% of the budget spent on infrastructure, 30% spent on compliance maintenance, 25% spent on risk management, 4% spent on penetration testing, and 1% on user awareness. Money well spent, and a secure environment has been achieved. Free publicity on the TV, Radio and the Newspapers when millions of customers' records left the building via portable storage and boxes of paper: priceless. Companies say they take security seriously, and they know people are the weakest link, and they have training in place to cover this risk. I say FUD. They should hang their head in shame. Hear me when I say, you have personnel problems. I am not saying forget about all the shiny toys and flashing lights, but remember and invest in your wetware too. People are the weakest link. Humans are programmed to be helpful, not to question, challenge or be suspicious. We need to empower our personnel; they need to be regularly reminded of the risks, and the forms they take. They need procedures to follow to mitigate risks; reward them for following processes and challenging the unknown. This can't be done on the cheap with a presentation knocked up one weekend. Just ask yourself how much the information that walks out the door is worth, or when users give full access to the network via a Facebook application, or when offered the chance to win an iPod, and calculate how much you should really be investing in real awareness and education. Obviously the other components are important, we just need to readjust the allocation of funding to ensure adequate coverage for all areas of vulnerability. Awareness and education needs to hit home at a personal level, and it needs to be realistic, effective, constantly maintained and reinforced. Security is everyone's responsibility. It's not that simple, I hear you cry. In order to get funds we need buy-in, we need to demonstrate ROI, and besides nothing has ever walked out our front door, we would have known. If this is the case I encourage you to find the budget at least once for a no holds barred, full on social engineering assessment, and I am confident you will be shocked at the results, and if done properly you should be on your way to starting your journey that gets the buy-in and the required ointment to your personnel problems. There is no magic red pill that will cure the rash that is human stupidity, but through regular monitoring and constant treatment, we can reduce the inflammation to an acceptable level, and allow us to go outside and face the world.</description><link>http://www.secuobs.com/revue/news/208410.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/208410.shtml</guid></item>
<item><title>The Constant March of Progress</title><description>Secuobs.com : 2010-03-26 11:28:43 - fudsec.com - Please nurse, can I haz some more? Yes my long-suffering infosec brethren, it's fudsec Friday and time for your meds. This week, Chris John Riley is dispensing. Chris currently resides in Austria, where he is a pen-tester in the financial sector, Infosec con junkie and fellow co-host of the Eurotrash Security Podcast. He also has a penchant for red aprons (don't ask). If you're not already a subscriber to his blog, you're missing out. by Chris John Riley. I love to learn new things; there, I've said it. I'm addicted to the latest technique, the new attack vector, the shiny exploit code that makes your dreams come true. A lot of us in security are. That's not always such a bad thing. I love the buzz you get when you do something you never thought possible. It's the best kind of high. Still, the first step in any cure is to admit that you have a problem. As an industry, we have a problem. It's time we took a step back and really start to rectify the issues, instead of craving our next fix. We all love the latest big thing. The thrill of a new idea, the chance to learn something new and different. For many of us in security, the chance to try something out for the first time is hard to pass up. After all, for the majority, this is the reason we got into security in the first place. The constant change, the new challenges and the ability to play with exciting things in the name of progress. We're like kids in a candy store. If you need proof of that, just consider the packed halls at Defcon, Blackhat and a hundred other "security" conferences that take place around the world every year. You can't help but see the ever growing demand for the "next big thing" in information security. I'll gladly admit, I'll be amongst the first reading the latest batch of white-papers to see what I can learn and use next time I'm testing a system. After all, this is why I moved into security to begin with: to have that constant growth and ongoing education that I felt network/server administration lacked. Still, let's keep to the point, because loss of focus is what got us here in the first place. Where exactly do we expect this constant march of new and ingenious attack strategies to take us? Is there some mythical nirvana we can only reach after gathering up every zero day in Internet Explorer? Are we suddenly going to become secure once we find every possible way to crash Apache server? I don't think that day will be coming anytime soon. Still, that's not really the reason for this little rant (and yes it is a rant, no matter what I try and make of it). Sometimes as security professionals we need to understand that the latest and greatest isn't always the norm. There are so many perfect examples out there to pick from. Whether it's Conficker, coming back again and again to top-up its prescription, or the seemingly endless hotel chain data breaches. The flaws are well known to us, and well advertised. Of course, there are always exceptions to the rule, and I'm not saying that zero day bugs aren't going to be exploited by attackers. Whether it's manually, or by worms, trojans, and all that come between. There will always be companies worthy of targeted attacks after all. Still these are, as the name suggests, exceptions and not the day-to-day that we still seem to fall down on. As security professionals we can't hope to protect 100% against the unknown. Still, there's no such easy excuse for our general failure to protect and educate about the known. Perhaps we should all spend a little less time thinking about the next amazing attack technique, and a little more time sitting with the application developers, network technicians, security guards, or even management. Don't you think your clients/customers/company would get more out of going back to basics and really understanding the vulnerabilities a little better, or do you think knowing the latest SSL rebinding attack/defense is more important than fixing the aging SQL Injection flaws in your website? It may not be the new hotness, but it's been more than 11 years since it was first discussed. I'm not trying to say that ignoring the latest threats and vulnerabilities is the way to go. We need a balanced approach after all. Despite what some people say, defense-in-depth isn't dead yet. Just remember, that for the most part, our jobs are to protect against attackers. Whether you're patching things, finding the flaws in your systems, or responding to attacks. The focus should be on what attackers are doing now, with an eye on what they might do next. Some of the most widespread system infections have been caused by vulnerabilities that should have long been fixed. Take some time to look at the news headlines once in a while. SQL injection, weak or default passwords, misconfigured and un-patched systems, business logic failure and client-side exploits rule the roost. Maybe I'm in the minority, but most security testing I do comes down to the same depressing flaws and vulnerabilities that have been known for years, in some form or another. How many of us who work as penetration testers can honestly say that the latest technique was the key to breaking through defenses and gaining access? Of those who can honestly say yes, and I'm thinking that's not many, I'm willing to bet these are the companies getting it right. The companies doing the secure development life-cycle, doing the user and developer education, and most importantly, building security into every individual stage. From system and architectural design, through to change management and system maintenance. I look forward to the time when the only way to bypass defenses is to reach into that bag of tricks and pull out some new miracle pill. To me this is what penetration testing really is, and where I feel it serves its core purpose. After all, there's little value in paying penetration testers to point out something that a 15 minute automated scan could tell you. You don't call an ambulance if all you need is an aspirin. Sometimes we forget what the real threats to our environment are. We start boarding up the windows and forget all about the side door we left ajar. If this were a zombie movie, we'd be the poor suckers getting blind-sided while searching behind the dresser for our stash. Where are you going to focus your efforts today?</description><link>http://www.secuobs.com/revue/news/205748.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205748.shtml</guid></item>
<item><title>CyberFUDfare</title><description>Secuobs.com : 2010-03-19 19:05:46 - fudsec.com - And as if by magic, a new fudsec post appears. Having recently survived as a guest of Exotic Liability, I'd like to thank Iftach Ian for delivering our medication to us this week. By Iftach Ian Amit. I've been intravenously fed with FUD for as long as I've been in the business. The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any "you gotta have this" technology). I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What's the motivation? It's not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $3999 (not including annual license renewal of $9999). Nevertheless, as someone who likes security (yeah, I know, sorry) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this. I decided to start off with my prior knowledge of CyberCrime (again, definitions aside, some say eCrime, some CyberCrime, some tomato) to cover the more "traditional" attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were Estonia and Georgia. Estonia, being dubbed the "first true cyberwar" in some publications (and by some "professionals"), turned out to be mostly civilian, meaning that there didn't seem to be a Kremlin general, high on Vodka, that marched his army of hackers into cyberspace to crush the Estonia internet. On the other hand, reality seemed much more familiar than expected: a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that (behold) is attributed to CyberCrime. Almost like someone was trying to push me back to my "place". To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you're probably aware of the close ties it has with Russian authorities, that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it, indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonian neighbors. But from some greased hands that allow RBN to keep running aloof, to "the first true cyberwar" is a long haul. The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a "CyberWar", or an act of cyberwarfare, as it was closely coordinated with kinetic actions taken on the ground by Russian forces. Nevertheless, the same deniability factor plays well here: the main attack surface was the use of botnets operated primarily by CyberCriminal groups. Interestingly enough, true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s. These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure :-) But the real cherry on top has been APT. When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution. Yeah, I'm such a sucker for the media :-) Too bad that the latest APT (and that's the last time you'll see this acronym written in this post) is just another FUD-happy name for, wait for it, TROJANS. Trojans, and rootkits, and keyloggers and viruses. Run for your lives! Seriously now. Whether state sponsored (possible) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names), we go back again to the FUD motivation. According to the latest one (FUD that is), CyberWar is full of APT (broke my promise, deal with it), and it can only be protected by, you guessed it, AntiVirus (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years). So cheer up. The sky is not falling. It's just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes, even your government (or whatever shell company is used to disguise it). Just like we are used to do with more conventional arms dealing. Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime on my blog and the up-and-coming coverage of Cyber CrimeWar connections in BlackHat EU.</description><link>http://www.secuobs.com/revue/news/203475.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203475.shtml</guid></item>
<item><title>The Importance of Being Earnest in a Global Economy: Allegations, Non-Repudiation and the Value of the Irrefutable in Information Security</title><description>Secuobs.com : 2010-03-12 20:51:53 - fudsec.com - This week, Will from Cassandra Security steps up on the Fudsec infosec catwalk for some aurorasomeness (sorry, couldn't resist). I've got three words for you: data, data, data. I'm done. Thanks a lot Will! By Will Gragido. The Danger of Allegations. Mob mentality is a scary and dangerous thing. History has proven that time and time again. Our industry is not immune to this. In fact, in many respects, it is quite good at perpetuating the madness. Understanding the interplay of fear, uncertainty and doubt within the cultural zeitgeist and attitude is not only important, but critical. As a result, we must strive to prevent errant thought and irresponsibility within our profession and industry without sacrificing our ability to think critically. Avoiding sensationalistic allegations pertaining to cyber-boogiemen, real or imagined, is of paramount importance in order that we not be perceived as a collective body of "chicken littles". Sensationalism is fine for carnivals and circuses, allegations for the tabloids, but not an industry where the lines between logical and physical threats are blurring on an ever increasing level. Examples of Allegations in Recent History and Their Importance Influencing FUD in Matters of Information Security. Several powerful examples can be drawn from recent history that articulate and underscore this point. Allegations are often made in the absence of comprehensive data. Disturbing, yes; unrealistic, no. With enough circumstantial evidence arguments can be made with respect to onus and responsibility for events of interest in almost all circumstances. This is true whether one is speaking of fiduciary malfeasance, large scale cyber criminal cabals, state sponsored activity or what Aunt Sally said to Uncle Phil. In some cases this is necessary misdirection; in other cases, it is simply irresponsible and Barnumesque. Regardless, it is vitally important that a clear understanding of the word "allegedly" exists in your lexicon in order to avoid pitfalls. Understanding it will aid you in your daily and professional lives. The word "allegedly" can be defined in the following way: a declaration made that cannot be proven or substantiated; a claim with questionable supporting evidence. The "Aurora" attacks, or "Operation Aurora" (named by Dmitry Alperovitch of McAfee), of recent history are excellent examples of the power of allegation wielded in the absence of irrefutable evidence. Beginning in mid-December 2009 this event of interest, colloquially referred to as "operation aurora", took on a life of its own. The first to publicly (and this is important, folks) address and speak about it was Google (blog post made in mid-January). It should be noted that Google stated that the attack "originated" in China and that though US Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China, neither she nor Google blamed the Chinese Government nor accused them of being responsible. That is of paramount importance. Why? In part because there was not sufficient evidence to suggest or warrant such allegations, yet sensationalism (and the media momentum associated with it) built like a tsunami. Over time the attack was said to have targeted several organizations including but not limited to: Adobe, Juniper Networks, Rackspace, Yahoo, Inc., Symantec, Inc., Northrop-Grumman, DOW Chemical. Researchers the world over exhaustively pored over the Microsoft IE zero day vulnerability used in the compromise in order to analyze and assess the possibility of derivative exploitation. Commentary on the levels of sophistication ranged from "very" to more "elementary". Media figures, industry pundits and people the world over who previously assumed that concepts such as advanced persistent threats and subversive multi-vector threats (the author is of the opinion that these threats are absolutely real but that they are non-trivial in terms of architectural intent) were the stuff of which the cyber-boogeyman were made of, began changing their tunes. Unbridled allegations and assertions were being made even in light of the fact that on almost a day-to-day basis more information was coming to the surface. Onus and responsibility were shifted away from the Chinese Government and re-focused on two universities within China. Some argued that this could be a cleverly devised diversionary tactic of the Chinese while others entertained other, equally and, in my humble opinion, plausible explanations having to do with China being effectively "framed" for this event of interest. Wake Me When It's Over: Reality Checks in the Midst of Chaos. The reality is that without careful intelligence gathering, application of analytics and thorough vetting out of data, we are left to speculate, arrive at best guesses and thusly produce statements which include, for better or worse, allegations. Put another way, unless we have a need to know (and there is something to know), we most often don't know what we don't know. We need to understand as information security professionals that there is a danger in mad speculation. It more often leads to a state of imbalance rather than control. We must think more clearly so as to avoid mistakes from which extraction could prove difficult at best. China is an easy target. We do know they are active in the proliferation of cyber-warfare tactics, methodologies and strategy, however we must be careful to avoid throwing the baby out with the bath water so as to avoid finding ourselves being the accused as opposed to the accuser. Closing Thoughts. The world and our interactions within it are changing; as such, the ability to approach these challenges dynamically while presenting the appropriate mindset is critical. The ability to think and consider things in an asymmetric fashion in a symmetric world is of the utmost importance and influences non-repudiation greatly. 1. The threats are real, but we need to assess the data carefully and in a manner not driven by hysteria. 2. In the absence of irrefutable proof, we risk much when we make allegations; we need to be careful. 3. As a colleague of mine, Josh Corman, and I were discussing this, it occurred that we always will lack 100% irrefutable proof but that we must make decisions for the greater good predicated on the best intelligence we have at the time. 4. As a result we must be more highly attuned to FUD and its impact on tactical and strategic information security as it is easy to be misled. Your thoughts?</description><link>http://www.secuobs.com/revue/news/201202.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201202.shtml</guid></item>
<item><title>Customer-Induced FUD</title><description>Secuobs.com : 2010-02-25 18:20:20 - fudsec.com - We're breaking rank and posting a day early this week. Why? To give this post some time to breathe before a small gathering in San Francisco of security wonks. My thanks to Jeremiah for this post, and I fully agree with his call to action. You? By Jeremiah Grossman. I'm told fudsec is a place to float, among other things, half-baked and incomplete security ideas. I've no shortage of those, I assure you. Fortunately the infosec community is not shy about telling you so. For today's thought let's provide some background. A few weeks ago a consultant by the name of Larry Suto published "Analyzing the Accuracy and Time Costs of Web Application Security Scanners" [1], which reviewed desktop black box website vulnerability scanners (Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service)). Larry faced off these products using the vendors' very own public-demonstration, vulnerability-laden "test websites" as the scan targets. For those curious, WhiteHat Security politely declined to participate because Sentinel is delivered as a SaaS solution and not a product like the others tested [2]. You may read the report yourself, but I'll save you the suspense. The results for nearly all scanners were basically horrible. Large percentages of vulnerabilities were missed, there were false-positives galore, and significant human configuration time was required. Perhaps these are benefits if you are looking for tools to help fill the gaps in your day and provide job security. Several vendors wasted little time in defending themselves, attacking the report's methodology and Larry himself, which is presumably to be expected anytime you call someone's baby ugly. The conclusion from the vendors: don't take these results seriously. For best results, scan real-live production websites, like your own environment, and not test websites. You know, I can agree with that. I've been recommending the same for quite some time. First though, try something a little different. Turn the tables around. Instead of running your websites through the gauntlet, risking downtime from intrusive scans, only to discover you have vulnerabilities just like everyone else -- how about making the vendor eat their own dog food? Ask the sales rep for a trial license and permission to scan THEIR production commerce website(s). That's right, scan the vendor! Imagine their FUD-induced response. If they really believe in their product's capability, safety, and marketing hype this shouldn't be an unreasonable request. A "right to test" is no more than any reasonable cloud computing client would ask for. Right? Plus, doing so will provide a good reference point for when you scan your own websites, if, in fact, Larry's results were atypical. The sales rep might say they don't have authority to grant such authorization. Fair enough, but go ahead and press a little. It's not like the bad guys are asking permission to scan these sites everyday anyway. Just ask [3] xssed.com [4]. [1] http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/ [2] http://jeremiahgrossman.blogspot.com/2010/02/wheres-whitehat-re-scanner-comparison.html [3] http://www.xssed.com/search?key=hp.com [4] http://www.xssed.com/search?key=ibm.com</description><link>http://www.secuobs.com/revue/news/195614.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195614.shtml</guid></item>
<item><title>Casual Hex and the Failure of Security Awareness Training</title><description>Secuobs.com : 2010-02-12 10:33:26 - fudsec.com - This week I'm pleased to announce that this week's guest haxxor, Larry Pesce from PaulDotCom, was able to extract himself from the Matrix for this post. This is all the more remarkable when you consider the availability of free beer within the matrix. Larry, I'll buy you a beer the day we meet, so long as you promise not to Shmooball me. My thanks to Larry. Please leave your comments below. By Larry Pesce. I've been preaching education for end users for quite some time, knowing that having educated users would help them from getting owned, either at home or at work. I'm beginning to think that user education is a losing battle. We've preached to our users about safe internet practices. We tell them to examine SSL certificates. We tell them not to open e-mail attachments from people that they were not expecting. What do they do? Exactly the opposite of what we say. Why? Human nature, I suppose. In 99% of the cases the users we are supporting are not what you call tech savvy. Sure they can set the clock on their VCR nowadays, but they don't know how to use the computer to do much more than the job at hand. They just want that new piece of technology (computer or otherwise) to work. They want to get their job done, communicate with their friends or do something cool. When we do convince them to click "NO", and it doesn't work or do something cool, they try again and click "YES". Nothing Advanced or terribly Persistent about it. Yes, it is still a threat. So why doesn't user education work? No matter how many seminars we give, pamphlets we distribute, or posters we hang, quite frankly our users don't care. I used to think that if the education worked for just one person in an organization it was all worth it. The problem is that all of that education is a lot of work to develop and deliver to reach one person out of fifty. With persistent education, maybe we will get three out of those fifty. Scale that up a bit and those aren't very good odds in helping protect your organization. Let's draw a parallel to the recent compromises at Google. Not having worked there, I have to make some assumptions about the skill level and caring of the staff there. One has to figure that most of the employees are pretty technical and get the risk. They, for the most part, don't need the user education. The problem is there are a whole bunch of people that help that business run that aren't techies. That's who get owned. I'd imagine that Google has a pretty darned good internal user education program. They still got owned. So, how do we save the users from themselves? Maybe this whole internet fad is out of hand. We can spend metric assloads of money on security technology and the people to appropriately staff them. Or we can change the way people think about the internet in general in a work environment. Instead of the user education for everyone connected to the internet at the office, how about we make the use of the internet a privilege, not an inalienable right. Now the user education for the few people in the organization that actually do have access to the internet will hopefully have a little more punch, potentially reduce our costs on some security technology and staffing, as well as potentially changing our overall security posture. Best of luck on whichever direction you choose. It is just a matter of time before we're all compromised no matter what we do.</description><link>http://www.secuobs.com/revue/news/191285.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191285.shtml</guid></item>
<item><title>The Corollary of Fear, Uncertainty and Doubt - False Reassurance</title><description>Secuobs.com : 2010-01-29 16:34:20 - fudsec.com - This week, geek reporter Carl Brooks does a turn on the fudsec catwalk. Carl worked in the trenches for 10 years as an IT consultant/administrator before switching careers. Here he argues that FUD is less about security, and more about shills selling security to suckers. He has a point; maybe it's time to "rebrand" fudsec: "Shills and Suckers". Thanks Carl! By Carl Brooks. I'm here to join the long chain of security-minded IT people to straighten out some of the bugaboos of security: where it lies, where you should start looking, and why people really need, at the very least, to understand what to worry about. I'm no security professional. I'm a middling-to-fair sysadmin with plenty of run-of-the-mill small network experience, but I worked for people to whom computers might as well have been crystal balls and CAT5e was something I named my pets because I was weird. So like many of my ilk, I was the temple guardian for lots and lots and lots of users who trusted everything they read in an email or thought Microsoft ISA was a real firewall because it said so on the box. This is the heart of the problem. Computers are commoditized, networks are commoditized, IT overall comes in a box that you buy off the shelf. It's not news that any old sap can get themselves a full fledged network of computing resources with a call to Dell and a trip to Best Buy. On the way comes fear, uncertainty and doubt about all the things that can go wrong, all the threats out there -- and 99% of them are bogus -- just sales pitches to cram another product in your box or your building or your brain. Bought a server? The Dell fella sure was helpful, huh? He even said you should get up and running with that antivirus server trial on there, roll it out to all your computers, keep your employees safe. Never mind that you don't know what your router is for; it's got a firewall, says so on the box. Why, without a firewall, you're screwed like a slow ape by a fast gorilla! And backups? Holy DAT, Batman, you need a backup! Yes, plug it in. Phew. Done. That's the problem, kids. Every user in the world is convinced they need security features, not security procedures. They KNOW this. It's drilled in: tell a manager antivirus is a bow, not the present, or tell him managing backups will take more than one trip, and you've got five heads. He knows he's supposed to be afraid, but you aren't presenting the answers he's primed for. That's what FUD is for: shape someone's worry, and you've shaped their answer. This is why, for the purposes of security, there is only one answer: someone, somewhere, has to know what the fuck is going on with your IT. That responsibility is the only answer to buying 'solutions', because they can, and do, go horribly wrong. It's the corollary of fear, uncertainty and doubt: false reassurance and false confidence lead to consequences you don't understand. As always, security devolves to fundamentals, and they're usually forgotten after all the dots on the planning chart are connected. Real security is the afterthought until it's a necessity. It's more common than not that nobody really knows what's going on in their organization. That is always the real headache around security. It's almost NEVER a technical problem. Now, here's a real security problem or two, by way of example. Back when I worked for a living, we ran "outsourced IT" for small businesses; we also ran a thriving emergency room for computing disasters. One day we get a server with a failed RAID 5 array, delivered by a guy who pretends he has no idea why he is there. We call the boss, find out he wants the RAID fixed and the data back. Unfortunately, the array has been destroyed despite having two perfectly fine hard drives. Oh, dear. We naturally ask Mr. Shrugs-a-Lot what led to this turn of events; we eventually determine, no thanks to Mr. Now-Sweating-Bullets, that he had called his "computer guy" who, over the phone, had tried to help him diagnose and repair a failed disk in a hotswap RAID5 array. Hotswap! "Computer guy" doesn't know what on God's green earth he is doing, so he calls Dell support on his other phone, while relaying instructions to Mr. Now-Gripped-with-Icy-Terror. Guess what Dell told them to do. To sum up, my boss worked through the weekend, made a nice fat fee and I had a frank talk with the client company's president. That's a security problem, people. But, you say, they didn't know any better, clearly this doesn't happen in organizations that use process and compliance and have IT staff. Oh, really? Ok, one day, in runs a dude we'd never seen before, carrying a circa 1998 whitebox tower. This is in 2006-ish. He is in a panic. He works for a security company, the kind that sits in gatehouses with badges on. It is, naturally, a disaster: failed mainboard, rapidly failing hard drive, years of environmental exposure, frankly worthless. It's a loss. More panic. Many cell phone calls, hands waving, and treading circles in the workshop. Turns out there is no replacement for this machine, no backups and no way to reconstruct the configurations. Windows 98, naturally, with some custom app some nameless developer came up with a long time ago, no docs, no contacts, nothing. They are royally fucked; this is the thing onsite they need to do their job. Well, we perform the specialty of IT all over the world, and pull something out of our asses, locate a chassis and gear that supports this slop, image the drive to a new one, etc. Off they go, the security folks with their repaired and functional piece of poop. What was it for? It was the sole repository of photo ID and entry and exit badge verification data, including all the photos and employee records, for a single point of entry at a very, very, very large aerospace weapons manufacturer. We did a little work for that "security company" subsequently. Anyone want to guess the admin password on their NETGEAR firewall? Don't bother, you can look it up. Now THAT, ladies and gentlemen, is a security problem.</description><link>http://www.secuobs.com/revue/news/186643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186643.shtml</guid></item>
<item><title>The Fallacy of Secure Software</title><description>Secuobs.com : 2010-01-22 18:08:42 - fudsec.com -    This weeks guest post is by Justin Clarke, an unusual blend of Web Application Security freak and Kiwi Justin is the lead author of  SQL Injection  - a book that Richard Bejtlich recently voted as his 2009  Best Book Bejtlich Read   high praise indeed  Justin is the man you call when your webapp security program needs to  keep it real   -  Thanks Justin  By Justin Clarke So, you've got yourself a security solution for software that your organization develops Maybe you've just invested in some automated tools, or developer training Maybe you did hear a bit of FUD in the sales presentation, but it all seemed to make sense  Great  You're going to be producing secure code now aren't you  Security problem over  Well, no There are a number of problems with solving the problem of insecure software One of the biggest is that there is no one-size-fits-all solution to the problem, regardless of what some less-than-honest vendors will tell you All approaches that are parts of solving the insecure software problem have their upsides and downsides To give a few examples, lets look at some of the popular approaches to assuring software security  Penetration testing blackbox testing - probably the most popular and widespread approach to securing software such as web network applications For enterprise situations, this would normally be performed near to completion, generally in a user acceptance or pre-production environment As an approach, it is intended to simulate the risk of an external party  such as an attacker or malicious user of the system  attempting to compromise the system The generally accepted upsides of this approach are that it should give you a good picture of where you are with regards to someone breaking in Downsides include that it is resource intensive  and therefore expensive , and very dependent on the skill of the people performing the 
assessment It is also very late in the development cycle, so in many cases major rework can result in cost and schedule overruns and delays Very commonly used in environments where the possible loss due to a security issue is high, such as banks and other financial institutions A variation is the use of automation for some or all of the testing These are generally tools that implement some from of  fuzzing  approach, with the most mature products being those in the web application space from HP and IBM This provides the ability to cover many more applications in the same amount of time, but seldom with the same level of depth or flexibility that a person performing the same assessment could Very commonly these are used in conjunction with other assessment approaches in order to provide greater coverage or to find easier to detect issues that would then warrant additional manual attention Code Review - becoming increasingly popular in the United States, and to some extent in Europe, is the review of the source code of an application for security vulnerabilities, either on a manual, automated, or combination of both basis Manual analysis of source code is extremely resource intensive and as such can be very expensive, however recently a number of static analysis tools  from vendors such as Fortify and IBM  have become effective in allowing the analysis of larger volumes of source code for security issues The upside to this approach is that it should provide far greater coverage than black box testing, as all of the code included in the solution and all possible execution paths can be evaluated, potentially allowing a lot more issues to be discovered - including those occurring from edge cases that may not be picked up with other approaches The downside to this approach is that it can still be resource intensive, even if using automation Also, the pace of technology change restricts the ability for automated tools to support newer technologies - the wide variety of 
technologies and frameworks in use means that it is extremely difficult for automated tool vendors to support a wide selection of the technologies that are currently in use Code review is commonly used in areas where security failure would be especially critical or result in major loss Platform Defenses - another area that is seeing increasing use if to have platform  or in some cases, framework  level defenses in place, normally so that some level of protection is afforded to applications running in that environment regardless of whether the application itself is secure Some widely spaced examples are buffer overflow protections  such as stack canaries and non-executable stacks  and web application firewalls The upside to this approach is that, in many cases, the application developer will need to make minimal  if any  changes in order to take advantage of these security features These can also be a useful approach for providing additional security over applications purchased into an organization The downside to this approach is that they can only provide a band-aid level of protection if an underlying security issue does exist Also, for each of the approaches there is generally widely known issues, limitations, and bypasses for getting around that particular control Training - always popular is security training for developers For enterprise situations this can be customized to be most relevant for the types of issues that are most commonly present in that organization's applications Upsides to this approach are that a good training program can increase awareness of issues, and change development practices in the short term Downsides are that training is a point in time activity, and as such must be reinforced or followed up to ensure that new starters are trained and that trained security knowledge is not lost over time Architectural Design Analysis - areas that are increasingly seeing attention are approaches that seek to tackle security issues at the 
requirements, design and implementation stages These could take the form of security reviews of the architecture and or design and threat risk analysis activities  such as Threat Modeling  Upsides to analysis at this level include the ability to detect and correct architectural or design issues that would be extremely difficult  or in some cases, impractical  to address during or after development, potentially leading to significant cost savings over addressing these later in the development process The main downside of this approach is the difficulty of developing and maintaining these types of analysis with popular development approaches  eg agile development approaches , largely due to the velocity of changes to the design during development OK, so those all work then  And other people are using them OK, I'll pick the best one of these approaches for me and I'll be fine  Well, no Anyone who tells you that, or uses that approach while selling you something is selling you a load of FUD there is no silver bullet First of all, there isn't any real amount of scientific research available which would give you any guidance as to what approach would be the best, or the best for you Also, generally held belief if you have a look at what is available, especially if you look at what information is available on what other organizations  such as Microsoft  are doing would seem to imply that you need to be doing all of these approaches and more Which would be both far too expensive, and far too much change for most organizations to even consider implementing So, is there anything out there that would tell me what I should be doing if I want secure software  Something useful, and FUD-free  Well, yes and no Recently a couple of closely related frameworks have been released that at provide some structure to this question though Although a number of approaches to the Secure SDLC have been publicly available in the past  notably Microsoft's SDL , these take a different approach of 
looking at the maturity of security considerations in the development process These are the Open Software Assurance Maturity Model  OpenSAMM  and Building Security In Maturity Model  BSIMM  models These two models both look at the processes you would normally expect to see within a  Secure SDLC  at various levels of maturity in a similar way to a Capability Maturity Model The main difference between the models is that the research that has gone into BSIMM captures actual secure development practice at large organizations with initiatives in place  such as Microsoft, Google, and Wells Fargo  whereas OpenSAMM presents a more academic model of leading practice These models are very useful for answering questions about what you could do - especially BSIMM They are even pretty good at giving you information and materials that would help justify why you would want to introduce certain activities What they're not good at is providing you with the vision of secure development you'll need for your organization They are good at providing a framework for tying together disparate efforts into a consistent picture, but you'll have to provide the driving force behind how you will get from where you are now to where you want to be They are also pretty good for having in your back pocket for after you've got a couple of secure development activities in place  through guerilla means or otherwise  to be able to relate gaps in the organizational processes and skillsets to activities that should be looked at next Does this answer the question of what your organization should do  Well, no - what it may do is help you figure out for yourself what would work for the organization After all, its you who has the knowledge of how the business works that is critical in the success of getting any business change in place And after all that, what is the activity that both OpenSAMM and BSIMM both consider to be the most important things with developing secure software  Pentesting  Code review  
Nope - it's having someone who is championing and driving software security within the organization. Having a group of folks who are ready and willing to shepherd and drive through all of the various changes to how the organization works over time. These are sometimes (in BSIMM in particular) referred to as the Software Security Group (SSG), and in many cases can be make or break in getting adoption and use of security initiatives within the organization. After all of that, it turns out the best thing for software security in your org</description><link>http://www.secuobs.com/revue/news/184521.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/184521.shtml</guid></item>
<item><title>Guerilla Security Leadership</title><description>Secuobs.com : 2010-01-08 14:36:02 - fudsec.com - Aaaand we're back - bringing you fresh FUDSEC for 2010. This week it's the turn of Mike Rothman, President of Securosis. Mike notes that he "hasn't really met too many people he can't piss off, one way or another". This obviously makes him a natural FUDSEC guest. Thanks Mike. By Mike Rothman. It all started when I read Richard Bejtlich's post on Partnerships and Procurement. This was the "I'm sick of it and I'm not going to take it anymore" moment for me. I mean, come on. We spend billions on security, yet we are not any more secure. We have lots of regulations, but that has created a low bar mentality where the objective is to get the stamp - not protect the private information. And we've had consolidation. Oh, have we had consolidation. The big vendor swallows up the little vendor. Of course, this has happened since the beginning of time and it's a hallmark of every maturing industry. But in our space this constant consolidation has marginalized security. Security gets buried within these huge companies. Sales reps don't care whether they sell replacement parts for old appliances or security. As long as they hit the number, it doesn't matter. From an attack standpoint things are bad out there, and getting worse. Or so it seems. That could be the ambulance chasing media (who in a Twitter manic, Facebook checking, 24/7 mentality finds a lot more sexiness in an attack that requires 3 PhD's, a supercomputer, and a roll of duct tape) than in stories that talk about how to solve problems. Part of me wants to just give up. Get all Zen and relent. What will be will be. But that's not me. I don't give up. I don't back down. I press forward. But where am I going? Where can/should we tell the industry to go? We've got a distinct lack of leadership in security right now. Sure, we have lots of new vendor offerings built to try and address the latest attack (which still requires the multiple
PhD's, supercomputer and duct tape) and lots of consultants to charge big bucks to "assess" an organization's security posture. As an aside, I can save you folks some money. Write in crayon "You're Screwed" on a piece of paper and give it to the CIO. See, you just saved $100,000 and a couple of reams of paper. The findings won't be any different from the high priced consultant's risk assessment. They just figure out a way to say it with 40,000 words and lots of pie charts. Who is going to lead us? I remember when we had guys like Jim Bidzos making huge pronouncements (like the idiocy of the US encryption export policies) at industry conferences. The keynotes at the RSA Conference were a who's who of the captains of the technology industry. Now we get the CTO of 3Com and the guy who runs the security business for CA. Bill Gates and John Chambers they are not. I'm not sitting here saying that we need vendors to lead us to the Promised Land. We do need to believe that all the inventory big vendors have bought over the past 5 years is amounting to something. But that's not going to happen. Sorry. There is no one minding the security store in the big IT shops. Who is in charge of IBM's security strategy? HP? Cisco? Oracle? Do they have the ear of the CEO? Do they sit in senior staff meetings? Most importantly, can they stop a new product or a deal or some other major endeavor because it presents risk to customers? Yeah, probably not. Where is the next generation rallying cry? What will be this decade's Trustworthy Computing? Microsoft did a great job driving that concept to every part of the business. I'm not holding my breath for the next generation rallying cry. If the vendors won't lead us, what about the Federal Government? The grand "recommendations" coming after the high profile White House 60-day review were pretty much toilet paper. Actually, that's insulting to toilet paper. I certainly wish the "cyber-coordinator" Howard Schmidt good luck, but he only warranted a photo with the
President. Keep in mind they hold ceremonies in the Rose Garden for the Presidential dog groomer. To be clear, this isn't about Howard. It's about a role with no real empowerment for change. I don't think Ike (yes, random WWII reference) could have been successful as cyber-coordinator. Looks to me like this position will be yet another eunuch sent to the slaughterhouse in a cloud of beltway politics and bureaucracy. As for end users, the really smart ones are either too busy to tell us what they're doing, or hamstrung by the same idiot lawyers who think putting a confidentiality notice on the bottom of an email is actually useful. Let's all agree the vendors aren't going to get us there. The US Government has a bad case of the blind leading the blind. And too many of the end users that will talk have self-promotion syndrome, always angling for their next CISO gig. Sorry Dorothy, there is no Yellow Brick Road. Wow, that felt good. I've been holding in that rant for 15 months and it's good to finally get it out in the open. But alas, what makes me feel better doesn't help you do your job better, now does it? So let's start looking for solutions. What can we do to make some progress against these enormous obstacles? Look in the mirror. I'm not kidding. The answer is staring back at you. That's right, don't act so surprised. There is a revolution coming, and it starts with you. The general problem is that we as an industry keep waiting for someone to bail our ass out of the fire. Yet, real change never happens that way. Real change bubbles up from the bottom and becomes a movement. The movement gathers steam and starts gaining attention, and then the status quo rises up to quell the change. Only through herculean effort does it become accepted practice. All change has to start somewhere and the nature of our jobs as security professionals is changing. To make things better and to survive, we'll need to change with it. Security is no longer a technical discipline. Technology plays a role, of
course, but the success of your security endeavors has nothing to do with your technical competence. It has to do with your skills at "playing the game". Basically we have to master the art of persuasion. We have to persuade the movers and shakers in our organizations that security is important and that it helps the business. But how do we do that? Especially given that business folks don't care about security. Basically, you need to become a guerilla. Security folks have no "shock and awe". We're lucky to have a BB gun. So we've got to fight smart. We have to fly under the radar. We have to use leverage and magnify our impact. And yes, it's possible. Some may say guerillas don't fight "fair". The fact is most of the folks just don't have the resources to fight any other way. What they do have are some characteristics that wouldn't be bad to replicate - like agility, resourcefulness, and persistence. They are visible about their successes and they build their attack plans based on intimate details of their situation and surroundings. Can you do that? Can you be a guerilla? To clarify things a bit more let's outline a 5-step plan to put this into action. And yes, it follows the general approach of the Pragmatic CSO. 1) Understand the Business - I'm sure some of you have tried to convince senior management you are great at security because of your 99% AV coverage metrics. Or your 1-day patch window. Right, they don't care. You need to relate security TO THE BUSINESS. Unless you understand your business, you can't understand the leverage points that will appeal to the business leaders. Read your annual report. Understand how your senior team is bonused. Find out who will get fired if a system goes down. Make like J. Edgar Hoover and start assembling "files" outlining the success criteria and leverage points of the influencers in your organization. 2) Get face time - Persuasion is not something you do via email or in a bi-annual summary meeting with the board. It's something that has to
be done consistently. So you have to befriend the movers and shakers. You have to add value to their environment. You built the file, you know what these folks need to accomplish. Now you have to figure out how to apply security techniques to help them reach their goals. Or potentially position security as a way to ensure an outside influence doesn't stop them from meeting their goals. 3) Get a Quick Win - Once you have their ear, you need to show the goods. This is the testing phase. So maybe you catch an insider in the act. Or you intervene before an application goes live, which could have resulted in a breach. When you are in the heads of the influencers, these kinds of opportunities present themselves. But don't take a long time, because influencers have a short attention span. The Quick Win builds credibility, and with credibility you can take a more strategic and structured approach. 4) Pitch the Program - After proving your mettle in adding value to the influencer's environment, then you need to sell a more structured approach. Yes, that means they need to get on board with the security program. Explain to the influencers how the security team does stuff and how they consistently add value - but only if they are IN THE LOOP. That's the objective, pure and simple. To have these bigwigs in the organization actually call BEFORE they do something. It doesn't happen overnight, and you'll need to be patient - but with consistent effort it can happen. 5) Execute Consistently - That's right, don't screw up. Credibility is kind of like good will. You can spend years building it, and it goes bye-bye in the blink of an eye. Think Tiger Woods. So always manage expectations, always follow up and show results, and also take some time to pat yourself on the back. The Guerilla Security Warrior is not an overnight thing, so if you've gotten to this point - it's quite an accomplishment. The bad news is some of you will never have a chance at all. Statistically we smart folks (you read FUDSEC, don't
you?) are surrounded by idiots, and many of them are somewhere in senior management. You know, the Peter Principle in action. While you should make your best effort, for your own health it's important to recognize that some executives in some organizations will never be receptive to improving security no matter how good you are. If you're stuck in that situation, you need to decide if you can live with it (I suggest focusing on your family while covering your ass with documentation at work) or if it's time to polish up the resume. Life's too short to come home from work angry every day. I should know - I'm a reformed angry guy. Let me finish up by reminding you the road to hell is paved with good intentions. Words mean nothing (especially given my living comes from writing words), actions mean everything. I come from the school of leading by example. With security, senior executives will not have an epiphany and get religion overnight. Unless a data breach at your organization becomes front-page fodder. Then you'll be looking for your next job anyway. So leadership starts with you. Leadership is built one step at a time, through consistent value-adding action. Get to work. Are you up to the task of Guerilla Security Warfare?</description><link>http://www.secuobs.com/revue/news/179593.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179593.shtml</guid></item>
<item><title>FUD and Other Sales Errors</title><description>Secuobs.com : 2009-12-18 12:01:04 - fudsec.com - Security product testing criteria have always struck me as quite odd. Why "just" focus on the product or even the vendor financials? I mean, the product is wrapped up in a sales cycle, a marketing program and sometimes, an entire belief system. Then there is the on-going relationship. Vince Tuesday has been around the block. He's heard what you have to say, my dear vendor. He knows your script; in fact, he's probably reading ahead. The sad truth is you already lost his attention 5 minutes into your sales pitch. He did briefly perk up as you enthusiastically sprayed your enthusiasm towards him - but this was merely to avoid getting his suit wet. As you posture to impress him, he's figuring out whether to eat the left over Chinese food for lunch or go down the pub. He's already decided if he's going to take you up on your offer of lunch. Sharing food does not mean you are any closer to a deal. It merely means he is more likely to fall asleep when you insist on using up more of his precious time by ordering dessert as a tactic to "keep him in play". Vince makes purchasing decisions that sales people would die for. But to get to the sale, the path is narrow and winding, as you'll see below. Thanks Vince - I owe you a beer. By Vince Tuesday. I am a security manager with a secret identity, Vince Tuesday. He comes out when I have things to say that would be inappropriate under my work identity. You may also know him as a 2003 East Coast Region ASBPE Silver award winner for "The Strange Case of the Phantom Intruder", no? You surprise me. When KingCloud (as I like to call Craig) approached me about FUD I dithered, but the promise of international fame and fortune was hard to resist, so I'd like to talk to you today about more than just FUD (although FUD will be a part of it). I'm going to do a top ten of "Things I never want to hear from my vendor". It may be when I get into the flow I
go beyond 10. 1) "You can write your own templates/scripting language". Not only great for your professional sales organisation, but I also can extend my vendor lock-in to you by forcing all my team to learn your stupid re-invention of perl/bash, and better yet you can hide behind the fact that you haven't incorporated decent features by claiming I can add my own. I can even pay extra for training from you - so be sure to change the scripts on a regular basis so you can make that a recurring revenue stream. Also, when you release the new version of the product then make sure my scripts stop working, and don't dare give me things like import/export and change control. 2) "We wrote our own crypto". Sure, you did an MSc from some European country, maybe you even read "Applied Crypto", you might even own the Brucie action figure - what could possibly go wrong? I'm sure there is no reason that the solution to every software problem from a security point of view (see Gunnar Peterson's excellent critique) is Network Firewall and SSL. Why would we like SSL? Sure it has problems, but they get fixed. Your own implementation is never going to have any problems, and even better, if there were then you'll never know and never fix them - fewer patches, love it. Better yet are those security products that don't even include authentication or confidentiality in their own connections and therefore add security risk to the environment. That kind of stuff is just hard to configure and adds overhead, doesn't it? No better way to convince me your security tool is a must have than if it lacks any security over the features it offers. 3) "Sorry, we forgot to encrypt the laptop". Along with not bothering to embed security features in your security product, it is even better when security vendors and consultancies don't take security seriously in their work and own infrastructure. I've found vendors with my staff and clients' personal data stored in their environment without full disk encryption on their laptops
and thank goodness - no pesky keys to protect if you don't bother to encrypt. Also it would be a waste of time to have some modicum of physical security for your office and your data centres - you've a mission to spread the knowledge of your product to the world, so what better way than having my data stolen and published? It's like cheap advertising, no? 4) "We have a great console". When start-ups build in their environment they make a nice whizzy front end that they use for a few minutes on a local network link to the back-end and with a small set of test data from a few end point systems. In our enterprise environments we have WAN links between desktops and backend, sometimes over satellite from remote areas; we have hundreds of admins, 100ks of endpoints and terabytes of data flowing through our systems. We also have hundreds of security systems to integrate and limited analyst time in the SOC. So I'm dying for a new front end that I can't integrate with my existing management framework and toolset - then I'd never see your badly rendered pie charts that I can't cut and paste into my other reports. 5) "The front-end is web based". Oh great, slow Java pages that don't load and work properly on the ancient version of IE we get on our desktops. Lovely. 6) "The front-end is thick client". Oh great, a patching and update nightmare that also means I get some painful licensing and DR site version errors and have to pay extra to get the client packaged and deployed. I'm an easy customer to make happy, aren't I? 7) "It's in the cloud". Thank goodness, because if you hadn't mentioned cloud I might have forgotten it is 2009. Either you are using this as a marketing buzz word, in which case well done for firmly sitting on that bandwagon, or you are not building out your own data centre so you can respond to demands of growth - you're probably using mains electricity and have an office near public transit - why not include that in your sales pitch as well? 8) "It has an alerting tool for
the desktop". If I thought having a management client for my desktop wasn't enough of a thrill ride then I definitely want an alerting system (something proprietary and heavyweight, or extremely configurable like a hard coded email address - and just one, why waste time supporting multiple addresses?) in every end point for where the alerts are forwarded. Don't worry about throttling or summary - I love getting 9000 emails/minute when your system has a hiccup, as it provides a useful replacement for your failure to include a heartbeat in the communications protocols. 9) "It works via 'secret sauce' or 'magic'". That reassures me that they don't waste valuable time and money training pre-sales staff to actually understand or be able to communicate the details of the product. Why would I want that? If you did that and your sales team had integrity you might actually tell me when the product wasn't a good fit rather than sell me any old nonsense, and then where would your IPO be? 10) "The next version will support that". Good, let me give you my money for all the things it doesn't do; in fact, why not show me the same 5 year roadmap for 2 years running but just slip the start date each time? That convinces me to invest exactly as much in your product as you are, and saves you time and thinking bothering with a decent plan. 11) "Dave at XXX is one of our reference sites". Wicked, when I do buy your product then I'm going to be keen to be a reference site - to feed my own ego and try to convince more suckers to deploy it so I look like a visionary (call it twisted skin in the game) - so I enjoy knowing that you bandy your highly confidential client contact details to entirely un-validated prospects. 12) "Here is a picture of our head office". I bet your VCs loved having this in their pitch, and it certainly makes exactly as much sense to show me the picture of the outside of a managed office in a business park. You may be very proud of your move out of your carport or your ability to search
on google images, but with only 20 slides you'll definitely not get closer to a close if you tell me about the product, so better to show me stuff I just don't care about but that looks pretty. 13) "Here are our key clients and customers". I love a page of badly cut'n'paste logos, mostly at web quality dpi so they look ugly, and old versions that break brand guidelines as much as anyone. A particular pleasure is when people pitch with our own logo on the page; sure we are a big company, but you've got to be gutsy to attempt to get us to pay for your licenses twice - let's face it, if I'm going to buy it's all going to be because you spent a long time on the graphic design and look and feel of that page, isn't it? 14) "It has no CPU impact". It's great to come with a hardware upgrade, but isn't that going to be expensive to deploy? Oh hang on, what you are really saying is "we don't bother doing stress tests in a range of circumstances to be able to give you meaningful capacity planning information, as you might realise it's a bloated pile of crap that doesn't scale beyond 5 users if we published anything like that". I agree the other wording is better. 15) "It automatically updates". Great, I do enjoy troubleshooting problems on a Monday mid-morning at peak business hours because all your agents decided to use some insane Hawaiian time zone to schedule their updates. And change control is for companies who don't really bother with availability, isn't it? 16) "It doesn't automatically update". Marvellous, I do love a steadily increasing TCO based on dedicated teams of people packaging and deploying new versions containing features I don't want but some big prospect in Japan wanted. For bonus points make sure old agents don't work with new central servers, so I have to do a big bang high risk upgrade or add gaps in coverage if I want up to date versions. Also great to have updates work only from scratch, so I have to uninstall the old version and install from scratch so I can lose all
my configuration and customisation work each time. 17) "No, I don't think it is covered by any export restrictions". Yes, I'm certain your intuitive grasp of State Department rules and regulations is spot on, because they are instinctive and clear, and spending any time or money understanding them and making your product workable isn't going to be helpful to a global buyer. 18) "Let me do a demo, I just need unfiltered, broadband connectivity right now". Absolutely, I'm going to allow you to connect your ropey laptop to my corporate network, and thanks for not bothering to tell me so I could have got you a wifi guest login, or god forbid you bother to set up a WebEx demo or bring a 3g card rather than make it my problem for you to be able to do the demo. 19) "It's common criteria/ITSec certified". Spiffy, I do enjoy it when you meet some outdated self-defined model rather than actual business needs. Also good to spend your limited funds with certification agencies to chase a government market rather than add features and improve the product. Even better for you to have a strong incentive not to issue substantial security updates to your product because they would invalidate your certification. 20) "It can log everything". Just make sure you do it in your own proprietary format and ensure all the logging is done locally; we all need to drive a bigger security market, so everyone needs to do their bit for log aggregation tools. Also make it so you spread alerts over several lines and change the headers of your data layout between versions. I don't have any desire to automate this stuff; my SOC teams can't get enough of this, as it really uses their skills in the right way. 21) "It has a very granular access control database so you can control exactly which menu items each user can see". Brilliant, more professional services, I can see your IPO going better and better, I am visionary to have selected your product, just make sure you don't add any sensible roles so everyone gets to be
admin under a shared account. And as a large enterprise I don't have enough different stores of user credentials, so don't integrate with any of them; I want a whole new username and password and a system of groups. Who wants all their eggs in one basket? 22) "It scales without limit". I'm glad the laws of physics and 60 years of IT experience don't apply to your product. Clearly you tested it on 1, 2 and 3 users, so proof by induction means it scales without limit, and make sure you confuse "XXX company was stupid enough to buy a 100,000 user license that now sits on a shelf" with "XXX company has 100,000 users using it". 23) "Company X has tested it and found no security holes". You paid someone to say it was brilliant, and they did. That _was_ money well spent. There is nothing as independent as paying someone to say you are lovely; might I suggest you get your mother to test it next time, as she'll be cheaper and I bet she thinks it is really secure as well. Even better if you save money by picking a name of someone I've never heard of, or go for a big name but a very limited scope so it comes with so many caveats that the testing is worthless. 24) "We ran a contest to show it was hack proof". Even better if you make the prize be a pile of gold or don't pay the people who win the contest. I like your gutsy approach of either a) nobody breaks in, as organised crime thinks it can get more out of exploiting your product in live, or b) some script kiddie owns you entirely and then you have to whine on about how they didn't follow the rules - because attackers are always following the rules. 25) "It solves/prevents problem X". Yep, you are actually selling a combined magic beans/silver bullet that will also make coffee. Nothing convinces me you are a well researched and sensible sales organisation as when you convince me it will solve a problem it can't. PGP ran some great ads about how important full disk encryption at border crossings was after customs accessed data on disks. The fact
the customs agents have the legal right to demand the keys doesn't make that advert bizarre at all. A nice 20/20 hindsight variety is "If only so-and-so had had it, then wouldn't have happened". 26) "It fixes HIPAA/Sox/BASEL II". All the better if I'm not in healthcare/listed company/regulatory capital regime. And won't it be great for me to look down my nose at those companies hiring hundreds or thousands of compliance staff and running holistic programmes across technology and the business when all I needed to do is buy your one niche security product - cost saving! 27) "It's much better than product Y". I love it when you competition bash, because clearly you have many great bits of your product if you use your time trash talking other products. Nothing adds to your credibility like having worked for product Y company and only a few weeks ago trying to sell that to me. 28) "Do you like Golf?" Now we are stepping towards the inducement and bribe approach to selling product, nice. It's not like I'm well paid and successful, so a day of golf is more than enough to make me change my mind and risk my integrity and job. I was going to make a joke about a certain company here but I actually don't even want to risk my integrity and job for a joke. 29) "Vince, Vince, blah, Vince". NLP. It is true that people who trust each other use their first names more frequently in conversation; however you've delightfully confused symptom with root cause, and I love your cargo cult-style approach of repeating the symptoms in the hope of reaching the cause. Add a little mirroring of my body language and we'll build so much rapport that I'll pile my entire budget into your in-tray. 30) What is your no. 30? Add it in the comments below.</description><link>http://www.secuobs.com/revue/news/173822.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/173822.shtml</guid></item>
<item><title>FUD Just Feels Right</title><description>Secuobs.com : 2009-12-11 11:04:23 - fudsec.com - When you need to get things "in", "on time", what tactics do you employ and where did they come from? When you present to decision makers, how do you frame your request for the pot of gold? I came across Ewout a few years back on a course in preparation for a popular certification. He'd paid for it himself and consequently he was getting stuck in, challenging some of the not-so-great material on the course (in a blunt, yet respectful way). Initially, I rolled my eyes - "this course will never finish", I thought. Anyway, a few coffee break discussions later and I was joining in. We somehow managed to suspend our Infosec belief system just enough to convince the people reviewing our test papers that we "got their religion". Anyway, we've been good friends ever since; it gives me great pleasure to share a "Mokum joint" with you. Thanks Ewout. FUD Just Feels Right (Or how the FUD card was created by the end user and since we couldn't beat them, we joined them). By Ewout Meij. My first assignment as a coder, done while still a teen in a programming language that was already old by then, was to decipher barcodes stuck on carts entering and leaving the company's delivery platform to keep inventory of said carts. There was just one single user of the application. All he had to do was check the inventory and enter a cart number by hand if it had bypassed the scanners somehow without being registered. The reading of the serial data was simple, the requested totals were even simpler. What took me three weeks to complete was the user interface. Since 'my office' (think of an empty box floating in a giant hall, formerly used as storage for "crap") was right above the work floor, I just had to jump down to show my latest incarnation of the interface and get feedback from my user. This proved more cumbersome than I ever imagined. I am not a certified Asperger unlike most of my buddies,
but dealing with the ever changing requirements and wish list of my sole user ground my productivity to a halt. Bigger letters, larger numbers, fewer options ("Maximal 2 and not 3 items in the list please"), an amber not green monochrome screen, a clicking keyboard with larger keys - the requests for changes were endless and I would respect each and every one of them. The customer was my senior in age, like 3 times; on IT-literacy I was his to the third power. One day my boss (there were no managers at the time, they were bosses and owned your ass 120 hours a week if they so pleased) walks in, asks me with a smug smile about the progress of the junior's assignment, and I told him about the logic being up and running for weeks, but the interface issues I was having. Long story short: next day there was a 16 year old behind the amber screen with one of the first incarnations of my application front end. This introduction to the awesome powers of the IT wizard shocked me, for all I had faced until that moment was the magic of turning human readable code into pure binary. What I liked so much about hacking for fun and profit was the fact that the box would do exactly what I did, mistakes and surprises included. The spill over from the confined, well-known, trusted, reliable, "turn on and off-able" world to real life was unprecedented and unforeseen. Loads of water under the bridge since, but what has actually changed? I dropped the "security" part as description of what I do as I got bored with explaining the exclusivity, availability and integrity trinity; now I call my current role "site reliability engineer" as it better fits the underlying desire of the companies I work for. It boils down to the same old, same old, but it gives me a nice platform to reiterate the importance of all aspects and not just focus on the exclusivity aspect. As a freelancer I face a plethora of issues, companies and people. 9 out of 10 times the intake conversation goes something like "We have an issue
with product X and need you to solve it Get it done  What happens next is that for a couple of hours, days or weeks even, I'll be given a guided tour through the organization and try to get acquainted with the problem at hand Very soon the nice technical issue will turn out to be of an inter-departmental process challenge more than anything else Long time operatordepartment XYZ will not accept change ABC and thus resorts to pure guerrilla tactics, added with a splice of artillery, to prevent change ABC to be successfully implemented The tricks are basically the same  make it take too long, come up with endless prerequisites, show another far away department's form does not fit the new requirements or call in sick 'at the right' moment Here is where not 'we', but the 'user' is playing the FUD card They've done this since day one, and we are so accustomed to the procedure and its inherent effectiveness that there was no other option than to use it too But does it work as well  As a reliability professional part of our job is to come up with metrics for FUD We show tons of events being generated and  forgotten about We show intriguing scans of systems, clever IP ranges   routes We come up with 'simple' solutions to stop XSS, buffer overflows, DOS and try to make the decision makers listen and pay for what we come up with Multiple Internet gateways, DMZs, proxies, scanners, redundant paths, enforced paths, black hole routers, IDS, firewalls, end point isolation, private IP space and duty segregation I have done presentations, enthusiastically explaining 'man in the browser' attacks against a particular bank to people so alienated from society, they had a stylist visit me a couple of days before the planned presentation to make sure I looked the professional they expected to see With all the tools   smart tricks that we have at our disposal it is of no surprise that a frequently asked question is   If we let you do this, when will you be here again asking for more  The 
famous  Security is not a project, but a state of mind  line does not cut it in that case It feels like you're asking for a blank check, something not too many BODs are happy to hand out to people who do not have a handicap in golf In situations like these only the money oriented approach will swing the doubters over Get a couple of 'verifiable metrics', divide   multiply, pinch in some climate-gate trickery and show the result to be positive in one form or another But will it make your customer safer in the real world  For each and every hurdle we put in place, a de-tour will be found Example  We have been issuing identification papers for 100's of years and make them more and more fraud resistant What does Mr Foo do  He hacks the issuing process FUD is something we all use, abuse and understand and it is a Good Thing  as long as it motivates action and does not lead to submission Permalink  Leave a comment   </description><link>http://www.secuobs.com/revue/news/170966.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/170966.shtml</guid></item>
<item><title>Liberate Yourself: Change The Game To Suit Your Needs</title><description>Secuobs.com : 2009-12-04 16:01:49 - fudsec.com - I'm very pleased to have Rocky as this week's "Fudsec Friday" guest. I've had the pleasure of meeting Rocky in a business context. I quickly came to appreciate he is one of the minority: an information security professional providing true insight and solutions based on real world experience of what works. To put it simply, Rocky "gets it". If you read just one blog post today, read this one. Thanks Rocky.

By Rocky DeStefano. Recently, I was fortunate enough to have the opportunity to listen in on a speech from General Hayden (former Director of the NSA and CIA, in addition to his service as a four star general in the US Air Force). This man has executed at a level most of us only see through fiction writers and movies and he has done so for 30+ years. I provide that backdrop only to say that when General Hayden speaks, I not only listen, I listen intently and replay his words and overall sentiment in my head very carefully. What he said at this event was encapsulated very well by Richard Bejtlich in this blog post, so I won't go into all the areas described in this post. In short, General Hayden's speech sparked some long-dormant thought in my feeble brain. His thoughts energized me to refocus my thoughts and actions to go beyond the day-to-day struggles we constantly fight. I was stuck in a rut and didn't even realize it.

In order to navigate our world and interact with it and one another, we as humans had to learn to fly, we had to learn to navigate the oceans, and we had to learn to overcome distances and difficult terrain, by creating solutions to work with the landscape. We've done something quite unique though: we created a new terrain and new domain. The domain we've created is fundamentally different while at the same time it is every bit as tangible as the natural domains we exist in. The difference is that this information domain is of human ingenuity and therefore, in addition to building tools to work within the landscape, we can actually alter the landscape as we see it. This information domain also exists separately as its own entity and as such evolves at a rate much different than the physical domains. Perhaps most importantly, this information domain evolves, dies or otherwise is influenced based on our human interactions. It is moldable. Sure, I can agree that humans might affect the temperature of the planet every few thousand years by a fraction of a degree, but we can fundamentally change our information domain on a daily basis if we choose to. Think about it, we all know that, it isn't new, but at the same time it's quite liberating to think about the fact that we can change the entire game to suit our needs, versus playing by rules we can't change or, worse yet, play in an environment that highlights the strengths of our adversary.

As this domain has evolved we have set in motion a series of evolutionary steps based on tactical requirements without really having a strategic plan for where it should be headed. We made decisions along the way that were necessary to get us past a hurdle, but without much rational thought about the impact. To put it simply, there is no city planning going on. We're continually developing "solutions" to meet short term needs. Granted these are real needs, no question, but who is providing the strategic vision of how our decisions will affect how we interact in the future? For far too long we have applied "fixes" that fit the bounds of the information domain as it exists today. It is time to start looking at how we can transform the domain itself to more appropriately suit our needs moving forward. I'm convinced we are in the very earliest of stages in the evolution (perhaps on the doorstep of revolution) with regard to this domain, but unlike evolution on the natural plane this domain can't and won't change itself; we must act to influence it to better meet our needs.

Much to my own amusement I see this domain much like a scene from a kids' movie, when Jafar is transformed into a genie in Disney's Aladdin and he boasts something like "The Power, The absolute Power, The universe is mine to command, to control, to create", and we get it without the constraint of living in a bottle. The constraints that apply only exist in our minds and actions. We need to get out of the mindset of applying protection techniques based on physical realms and focus on evolving the entire environment to better suit our needs moving forward. I'm certain as we start this dialogue that more fundamental aspects will arise (which is exactly what I hope to elicit from this dialogue), but here is where my current thought process has led me to consider with regards to how to step out of our box and move our eyes towards the horizon. I've bundled my thoughts into a few categories: leadership, research and information sharing. I'm sure your thoughts will help us all to refine this into much more.

Leadership. I've come to realize that there is no one coming to save us from ourselves here. No government czar, compliance initiative, nor vendor product suite is going to pave the way. Homeland Security, NSA, Military, Congress, The White House: they'll all continue to play their part, but let's be honest here, they have not and should not drive the overall thought process here. We must all define how we choose to exist in this domain. Certainly we should encourage government and legal involvement along the way so that they can contribute as appropriate. In the end the government should be involved to enable us to succeed in this domain, not to define how it should be crafted (at least not without our agreement). Yet we await the announcement of the almighty czar; it's crazy. I believe that we can lead from right here, wherever here happens to be. There are dozens of examples, but I chose just a few to highlight some of the decisions we've made and how we can start making better ones moving forward.

1. Information Security Leadership. We need to start pushing back at all levels here. It's my opinion that businesses need to care much less about being compliant and more about being fundamentally secure, or if you prefer, having better visibility into real risk. Risk to the mission, risk to the business, not the risk to an asset. We continue to create irrelevant measurements; irrelevant because they are point in time, against a less-than-secure model and on a playing field that is skewed towards the success of our adversary. As information security professionals, how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised "measurable" results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we've created some "building codes", but do "point in time" snapshots matter anymore when the attacker can mold his approach on a whim? Partners and vendors play a critical role in helping us reach our goals; they should also play a role in the thought leadership moving forward. Product and solution vendors have done a great job in developing solutions to meet our defined needs along the way as we've evolved in our usage of information systems. We've all witnessed some seriously cool steps forward over the last 15-20 years, but recently many of those solutions have been evolutionary in nature, not necessarily innovative, but more and more they are band-aid fixes for problems we've encountered or realized. Don't get me wrong, it is a very necessary evolution, but we've hit a point that we need to start thinking about long-term health and welfare of how we interact as humans. We need to find ways to encourage that vendor thought leadership onto a larger, more strategic problem-set. I would encourage those customer facing people with consulting and/or vendor organizations to take a very basic consultative approach on a daily basis: listen to your customer's actual needs, not always what they state as a need (PCI Compliance, etc.) but to the goals they are really trying to solve, and communicate those findings inwardly to your organization (and in general terms externally to the community). The more inputs for this information stream, the more refined the thought process can be. You can't imagine the amount of information that some of these folks have in their heads; they just haven't been heard appropriately. To those that manage consultants: please encourage your staff to listen and enable meaningful communications; in fact I would challenge you to incentivize your staff to provide this input. Give them the opportunity to buy in to more than just a single technology, but into solving a much greater problem. This may mean some major internal change in thought about how to approach management of teams, customer engagements, support, product development, etc. That's exactly the point: we need to learn to listen better to the larger picture and not the point in time snapshot. Those were two very basic examples of how we can lead from wherever we sit in the organization; there are literally thousands of other examples out there. I hope you can see that I'm suggesting leadership by example. You can still enable business using these techniques, you just have to get past "the way it's been done".

2. A key component in moving forward has to be a dedicated focus on Research and Development. I mean significant investment in R&amp;D on a national and international scale, information sharing about current and proposed strategies across industries, etc. We need to be pushing our employers, VCs, governments into broader research initiatives. We need an innovation revolution at this point, not just evolutionary point solutions. There are some very recent initiatives that show promise, like the announcements by Northrop Grumman that NG is sponsoring information research in conjunction with Carnegie Mellon, The Massachusetts Institute of Technology and Purdue University. If you will, think of these research opportunities as a form of health care for our future. I don't care how it's justified, but we need to act in support of efforts like this in every way we can, perhaps by offering state or federal tax credits. Certainly I can agree that we need to watch spending and as such we should have to pay for performance, but we need to encourage strategic innovation versus tactical evolution (band-aids). The investment in long-term strategy has been anemic at the federal level. We'll spend millions on watching the effect of gnat bites on mouse nuts, but we haven't found the necessary stomach to pay for the ability to effectively comprehend where we're headed as a species as it relates to communications, business and everyday life.

3. Perhaps the most immediate thing we can influence is better Information Sharing. We need to start thinking about how we can change the IT Domain into something that allows for a level playing field. The old adage "The enemy of my enemy is my friend" applies very well here. It's ridiculous to think that our teams are better off not talking with industry competition about defensive strategies. The other side is free to share, adapt and overcome as they see fit, yet we tie our own hands and ask for beatings, and hope they don't hurt too much. I'm really not into S&amp;M; I'd rather retake control. How about you? A few good examples to learn from already exist: the Defense Industrial Base (DIB) has information sharing related to APT (Advanced Persistent Threat) detection profiles, and workshops like SANS "What Works" or IANS Summits are a great beginning to this conversation, but in reality they are very limited in reach and only relevant at a point in time. We need to develop more daily interaction at a deeper level.

Summary: I'm in no way suggesting I'm intelligent enough to have all the answers, or to have even fully described the problems; I'm simply stating that we need to elevate our thinking and we must invest in the thought process and commit to the information sharing required to make the decisions necessary so that we may shape our own destiny. As I see it we must all act on the relevant fronts (Leadership, Research, Information Sharing, others) to better comprehend the changes and position ourselves to be able to make the changes necessary in the future. That's my starting point; how will you enhance the conversation?

Disclaimer: The opinions expressed here are my personal opinions. My views and opinions are subject to change based on the input I consume and the analysis I apply to those inputs. Content published here is neither read nor approved in advance by my employer and does not necessarily reflect the views and opinions of my employer.</description><link>http://www.secuobs.com/revue/news/168655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/168655.shtml</guid></item>
<item><title>Apple vs Microsoft as a Malware Target: Stop Saying Market Share</title><description>Secuobs.com : 2009-12-01 05:13:51 - fudsec.com - This guest post from Haroon debunks some of the FUD that loiters around the Mac vs PC security argument. Seen any security vendors playing to this in their product positioning? If so, email fudalert@fudsec.com. By Haroon Meer of Sensepost (published with permission).

I really enjoy listening to Mac Break Weekly. Leo Laporte is an excellent host and I would tune in just to hear Andy Ihnatko's take on the industry and the (possible) motivations behind certain players' moves (he is sometimes wrong, but always worth listening to). The only time things ever get a little cringe-worthy is when talk switches to malware and security (although both Andy and Leo for the most part have pretty reasonable, balanced views on it). Disclosure: I am a Mac user, and love the hardware; the fan-boyism that surrounds it, not so much. Most security savvy Mac users don't push the Invulnerable-Mac argument too much. But it does lead to the follow-up: "Once Mac gets more market share, we will hit the malware tipping point." I don't think that this is how it will go down. Here's my $0.02 on it.

One of the talks we gave at the recent ITWeb Security Summit was titled "One bad Apple". The aim of the talk was to examine the truth/lies/FUD behind the security claims on both the fan-boy and hater end of the spectrum. I don't want to cover the whole talk here, but do want to touch on just a few of the current annoying red herrings that normally pop up in this discussion.

Vulnerability counts as a useful metric. This argument has been had by many people far brighter than me, so I won't rehash it here. I think it's safe to say that since there isn't really a standard on what gets reported, very few vuln count reports end up comparing apples with apples. What I did pick on during the talk was that some people don't even bother trying to dress up the stats in a cloak of reasonableness. The table below was taken from ByteSize magazine showing that Apple indeed had more Vulnerability Disclosures than Microsoft ("Vendors with the Most Vulnerability Disclosures", ByteSize, 3rd Ed. 2009). Instead of muddying the water by asking what a 32% disclosure means, or by comparing Apple with Microsoft, you have to ask yourself if the table is really comparing Microsoft, with its software, hardware, etc., against Wordpress with its 60,000 lines of PHP code. My suggestion there is that if we're going to use tables and charts, we should at least stick to the reasonable ones.

Malware defense. Of course the next topic that refuses to die is how Mac architecture pixie-dust prevents it from getting worms and viruses. A quick check should clarify this. The ILOVEYOU virus which took Windows computers all over the world (and according to Wikipedia cost about $5.5 billion in damage) was a snippet of VBS that read your address book, and mailed itself to your contacts (where it did the same). You can hack this up in Automator in seconds. Same functionality completely.

Memory Corruption Attacks. In recent times, Microsoft has made huge leaps in terms of generic memory corruption protection mechanisms to minimize the effect of buffer overflow/memory corruption attacks. While Apple claimed to do the same with Leopard, they still trail Microsoft in this regard. The 3 points we covered: 1. Non-executable Stack; 2. Non-executable Heap; 3. Address Space Layout Randomization. We cover these in more detail in an upcoming conference in July, but again, it's fairly well understood that OSX in its current form is only randomizing libraries, and that to get the benefit of ASLR, you need to be randomizing everything.

So if we are saying that Apple is just as vulnerable to ILOVEYOU and even more vulnerable today than Windows from a Nimda or a Code Red, then what explains the fact that we don't see Macs getting owned on the same level as Windows? The almost global answer is "Market share": the belief that once more people are running Macs, the big bad malware writers will start aiming at them. If you look at the Netcraft web server survey (2003) you should notice that at the time that Nimda and Code Red were running around the Internet, IIS didn't have the lion's share of the webserver market either. Their lower market share didn't keep them safe then; why does it keep Mac users safer now?

The real market share difference. One of my guesses here is that we are looking at the wrong data for market share. What Microsoft does have over Apple is a bigger market share of developers. Microsoft went out of their way to make sure that anyone and their dog could write code for their platform, that any idiot in the world could write an app for them, and many did. I suspect that if you consider that any group will have a proportion of people with evil intentions, then in part what we're seeing is just the percentage of the bigger pool.

Different user profiles. The other thing (although it sounds strange) is the question of user culture, which is different. My wife's MacBook Air has very little software that didn't come with the machine. Apple's "batteries included" policy means that her machine remains pretty clean. Her mother's Windows machine is a different story.

Which means what? Today, pound for pound, OS X Leopard is indeed more vulnerable than a Vista machine, but the ecosystem around Mac is holding back the huge embarrassing attacks that shamed Microsoft into action. Apple has a small window during which time they can take action, refine their built-in mitigation strategies and come out on the other side acting like they were better all along (recent hires like Ivan give hope for this happening). If Snow Leopard is done right, it will hopefully be Apple's XP-SP2, and us fanboys will be able to keep our securer-than-thou attitude. If it doesn't, it's only a matter of time.</description><link>http://www.secuobs.com/revue/news/167079.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/167079.shtml</guid></item>
<item><title>Reloading Risk Back Onto The Utilities</title><description>Secuobs.com : 2009-11-27 11:14:02 - fudsec.com - I'm delighted to welcome back Nick Selby, now Managing Director of Trident Risk Management, for a special fudsec Thanksgiving edition. Thanks Nick. By Nick Selby.

The critical infrastructure security debate has reached, well, a critical juncture. However, in the United States the debate has been limited to either more government regulation or proactive mitigation on the part of private utilities. Since I write from America on the day we Americans give thanks for that which founded our country and made it great, let's attack this issue from a third front. Let's get the customers pissed off, so that they vote with their wallets. Because the US' infrastructure is mainly privately owned, the only way utilities will upgrade or properly configure their systems is under pressure of market demand for it. If the US business community, armed with the understanding of the risk of utility interruption to their enterprises, demands better service (that is, they demand that their businesses are better protected by those they pay to provide them with power) then the utility markets that are the most competitive will become the safest. There's a strong business case here: many exploits of the vulnerabilities in our electrical power grid cost little to mount and cost a lot to remediate. As security researchers, practitioners and thought leaders, we can articulate a business case to American business leaders:

- You're being forced to accept risk. Utilities are offloading risk of an outage to their customers, by charging for power and reliability and not mitigating even obvious, well-known risks.
- The risks are to your people, your property and your profits; that is, they are to your brand. If your business relies on power for mission-critical or safety processes, the failure on the part of utilities to remediate means your customers and your brand are at risk, on the terms of the utilities, not your business' risk managers or your shareholders.
- Cleaning up after the risk becomes reality is a hidden tax on your business and on you. The consequence management aspects of a loss of the power grid of even 20 minutes are massively high in terms of life, safety, profits and our national sense of well-being and safety. By not remediating these risks, utilities are offloading to us taxpayers the cost of clean-up and restoration after a catastrophic failure.

With respect to the last point, I seem to recall us fighting a war over taxation without representation. I submit that this is another one. I know that some utilities will be mad at me for saying this, but as far as I can tell, they've had their chance to take action. Now it's our turn.

Some high-level context. This may be stating the obvious, but what's obvious to people who look at this problem a lot is not obvious to people who don't. For years, public and private security researchers have been pointing out that the networks at electric utilities were reliant on the thinnest veneer of security, if that. This was not because utilities didn't care; it was because utilities built themselves for the functionality of production of electricity in an age when their networks were truly air-gapped, that is, physically separated from the Internet. To further state the obvious, one big problem is that these networks haven't been truly air-gapped for years and years, but the utilities continue to behave as if they are. And there's a great deal of reliance on plain old security-through-obscurity. The government can make recommendations and even some regulations, but at the end of the day, and here's another obvious statement, the reason the majority of electric utilities in this country haven't upgraded their security is because doing so is expensive and there's not been any publicly released information about a compelling reason to spend the money.

Hacks or DOH? Cause Is Less Important Than The Impact. Whether or not a successful attack on a US utility has happened already, it will happen (not for nothing, but there are active investigations of such attacks underway now). Regardless of the cause, bringing down power networks has life-and-death consequences. Security professionals sometimes forget the 'A' part of the CIA triad (of confidentiality, integrity and availability). I wrote recently that in 2008 an ice storm blacked out much of my county for eight days; my family spent eight days with sub-zero temperatures and no water, heat (except my woodstove) or even telephone. Life changed dramatically for us, very fast. It is, being obvious again, very important that we safeguard against attack or misconfiguration or any other event that brings down the power grid. In a recent post on Errata Security, Robert Graham rightly pointed out two important things: "As a pen-tester, I know that our power grid is insecure. I know I can hack in from the Internet and cause power outages. However, government regulation isn't the answer." Not only has government regulation not been the answer, but private industry has largely ignored government initiatives of exactly the kind I would expect would resonate with the security community and the public at large. In many cases, the guidance is specific, limited in scope to what is necessary, driven by expert analysis and input from leaders in security research, vendors, private and public employees and regulators; in short, it's the findings that come after Mr Smith went to Washington. And still, it's pulling teeth.

A Good Example: Aurora. A perfect example is the Aurora vulnerability (see the PowerPoint here, page 8, for more), because it has been public knowledge for about two years, the cause is understood and the mitigation is as straightforward and relatively inexpensive as a trip to the dentist for a routine cleaning. There's so much great published research and congressional testimony on the problem and its solution that I cannot believe that there has been such low take-up in doing that. In just two days of scouring open source, unclassified documents I was able to put together a basic mitigation strategy sheet (and to scare the crap out of myself about how easy and inexpensive it would be to mount an Aurora attack). Yet, anecdotally, it seems that only a really small percentage of substations have been protected against this well-known vulnerability. By the way, I don't charge customers to see this remediation sheet.

What Is To Be Done? After consulting with a number of people in and out of governments, I've decided that the best way to use this information is, at no charge to them, telling businesses which depend for mission critical processes on the public power grid. The at-no-cost part is important to me, because I believe that this is an issue too important not to share. It's my hope that in sharing this information, outlining the issues and explaining to business leaders how they can and should raise them with their utilities, the utilities will see that there is in fact customer demand for mitigation, and come at this from the market side. I had asked for a debate and a discussion, so here's my contribution: I'm suggesting all pen-testers and consultants who've looked at this get vocal. Find something within the field that raises your level of concern, something that can be mitigated rather easily. Then, as opposed to trying to monetize that knowledge directly, help your customers articulate concern in a way that matters to the private utilities: "We, your paying customers, find this to be a risk that you should mitigate. Please do so." We should also help the utilities find federal money to contribute to their effort to help mitigate these risks. Hell, if they're going to throw all that money around on "infrastructure" projects, let's at least get some in this area; the government has made it clear that it would like to. If many of us who have the ear of the customer and the knowledge of the issues do this in a constructive way, we can go a long way to raising the bar. In the end, the real questions remain:

- How hard is it to exploit vulnerabilities in our system?
- How can we make it harder?
- What help is there for private industry to raise its bar?

Many have said that action is not that important, because "no attacks have happened yet on American soil". Arguments about whether attacks have happened are for another forum, but if your main argument against mitigation is justifying the cost with evidence of an attack, I'll ask you this question: What is the cost of wrong?</description><link>http://www.secuobs.com/revue/news/165734.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165734.shtml</guid></item>
<item><title>Beware of Falling Turtles (Plus other things that shouldn't really frighten us)</title><description>Secuobs.com : 2009-11-20 11:33:44 - fudsec.com - I hereby pronounce today "Cyber-FUD-Friday". I don't know about you, but I tend to wince anytime anyone uses the word "Cyber". Combine that with an emotive word like "war" and suddenly everyone has an opinion and is touted as an "expert". Huh, kinda reminds me of Cloud Security. This week's guest post delivers a much needed dose of perspective. Thanks Jayson. By Jayson E. Street. 456 BC: Aeschylus, a Greek playwright, was killed when an eagle dropped a live tortoise on him, mistaking his bald head for a stone. The tortoise survived. Dying by a falling turtle has been documented and therefore is a proven threat. However, it still remains unlikely for you to die that way. Cyber-War (what the cool kids are calling it) has in fact happened. This proven threat does not necessarily mean a country's smart grid is going down anytime soon. I started doing research for a book I am writing which includes cyber-warfare. During that process I was startled by a few things I observed: 1. People who know what is going on don't talk about it to either confirm or deny it. Conversely, people who don't really know what is going on have no problem speaking about it at great length with much authority. 2. In a realm where anonymous attacks are the norm, not the exception, people are really quick to lay blame on who is doing what. 3. Everyone is INVOLVED. Observation One: I am not an expert on cyber-warfare. This is just something I started researching for supporting material in a book. Like a lot of people I had been reading about on this subject, I had not been to any of the countries commonly named as participants in cyber-warfare. I knew I would not get good answers without "boots on the ground" experience. I applied for my passport and took my first trip outside of the USA. I wanted to see what was really going on. The best place to begin seemed like China. After all, the people who were doing the talking were dropping that name with great frequency. I attended Xcon, where I had dinner with GoodWell, the founder of the Green Army. He is commonly known as the godfather of the Chinese hacker movement, with activity going back to 1997. He has gone the way of his Western counterparts. He has left his past to apply the knowledge gained from underground hacking and illegal breaches for a more legitimate profession that pays better and comes with cool business cards. He now consults with billion-dollar clients. I was amazed to sit there and listen to his concerns of how hacking has become more a tool of crime rather than exploration and political action. Here was one of the major figures of the Chinese hacking culture expounding on the problems with criminal hackers and worried about so many attackers assailing Chinese networks. In fact, the typical Chinese home computer user is under constant attack from bots, Trojans and also a virus here and there (sound familiar?). So my first trip abroad was a real eye opener. I learned to not be so quick to judge or take everything I hear about "Cyber-Warfare" as gospel. It was after I returned home that I started listening more to what "experts" were saying about cyber-war. I realized most have been using data from certain 2003 incidents. Their opinions were not based on data gained first-hand. Since then I have traveled to other countries and gained a more open perspective of what is going on in this realm. The most important thing I have learned still remains what I knew from the beginning. I am not an expert, but I can form opinions based on what I know first hand. I am limited to information in the public domain, but that is not all there is to the story. Most of the sources offering opinions have the same limitation. Observation Two: I believe this to be the biggest problem facing those who are on the front lines: the battlefield is virtual. A physical attack is much easier to detect and trace back to the source. You can see the path the attackers take. You can see the bullets they fire. The person attacking you with a DDOS is harder to trace. The recent attack on South Korean and United States websites showcases the perils of being quick to judge and even quicker to accuse. For example, within a week of the attacks Congressman Peter Hoekstra of Michigan [1] insisted we needed "to send a strong message". Yet to this day there has been no positive proof who was actually responsible. With 50,000 USD anyone can hire a botnet to replicate these attacks. It is that easy because most criminals are not motivated by politics but by money. This also poses another problem. When anyone can hire or create their own army of compromised computers, does it make the impact less because it was a guy in Paraguay who was curious and wanted to see if he really could take down the White House website? In a way it would be more comforting if such activity were limited to the high tech branch of a rogue nation launching an opening salvo in a cyber-attack. That can be an easier target for a response. But the same damage is felt regardless of who dealt the blow. As time goes on, expect to hear about more cyber attacks that are "thought" to be either this country or that country, but with no publicly available proof of who was responsible. This is a problem that will not be going away. So how can you protect, and more importantly trace, the attacks when the bullets appear from everywhere, including from your own side? This brings us to Observation Three: who is now involved in cyber-war activity? The answer is EVERYONE. I would say (just my opinion based on my research) that most every industrialized nation is working on a military hacking division (or whatever a government wants to call it). The Chinese were probably the first with the Indonesian cyber-skirmish in 1998 [2]. 1998 was also a notable year for the ramping up of cyber-warfare capabilities in the USA. Attacks on Serbian air command were used to help facilitate USA airstrikes as well as targeting enemy bank accounts [3]. Also in the late 1990s, a computer specialist from Israel's Shin Bet was able to compromise the mainframe of the Pi Glilot fuel depot north of Tel Aviv [4]. So here we are over 10 years later still wondering what "Cyber-Warfare" is, who is doing what, and what we can do to defend ourselves. It is also a safe assumption that everyone is also getting much better at attacking. We are not learning from the past, and the old adage bears true that we will likely repeat it. The 1980s were the decade to fear the nukes. This decade we fear the digital arsenal. The good news is we did not die in atomic fire (though that was a proven threat). The bad news is we found something else to fear (and we always will). We need to understand the threat of a digital holocaust is a possibility. And so could a nuclear war break out, Swine flu become an epic pandemic, a meteor wipe out all life on the planet or a falling turtle kill one of us. The threats are real. But should we panic? No, probably not. [1] http://www.scmagazineus.com/cyber-retaliation-debate-is-north-korea-guilty-of-ddos/article/139968/ [2] http://www.disasterpreparednessblog.com/disaster-preparedness-blog/2009/10/22/chinas-cyber-warfare-capabilities-highlighted-in-report-to-c.html [3] http://findarticles.com/p/articles/mi_qa5332/is_1_48/ai_n28827258/?tag=content;col1 [4] http://www.alertnet.org/thenews/newsdesk/LV83872.htm</description><link>http://www.secuobs.com/revue/news/163341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/163341.shtml</guid></item>
<item><title>Generating a False Sense of Insecurity</title><description>Secuobs.com : 2009-11-13 14:51:00 - fudsec.com - TGIF! A recent flashmob poll of CISOs discovered that the flagrant abuse of statistics, graphs and number theory misleads at least 5 9 sqrt 10 3 of decision makers (most of the time). Returning guest Lori Mac Vittie came across a recent "study" that caused her to reach out for a key tool of the professional defudder - the humble calculator. Ah yes, ladies and gentlemen, every number tells a story; which shelf in the bookstore that story belongs on is a different matter. Read on as Lori takes aim at the numbers from a recent "study". Thanks Lori. Lori Mac Vittie, Technical Marketing Manager for F5 Networks. The latest study, "State of Internet Security" from WebSense, indicates that 95% of all user-generated content is, well, to put it simply, crap. Even more frightening is the conclusion that "61 percent of the top 100 sites either hosted malicious content or contained a masked redirect" and "77 percent of Web sites with malicious code are legitimate sites that have been compromised". OMGWTFWEB2.0! It's enough to keep you away from social networking sites, surely. After all, the "top 100 most visited Web properties tend to be classified as Social Networking or Search sites". Facebook. Twitter. MySpace. My god, they're probably all infected. Grab a face mask and pull that cable from the wall lest you catch some social (networking) disease from visiting your BFF Jill's Facebook page. Now that we're done (I hope) having hysterics and fear-induced panic attacks, let's consider the math for a minute, shall we? Facebook now has 300 million users. Let's assume that each user has at least one piece of user-generated content on their Facebook page 'cause, well, it's a very user-content driven site. That means that of the 300 million home pages on Facebook, 95% (285 million) have either a malicious link or other insecure content. Conversely, that means that 5% (15 million) are clean, uninfected, safe pages. The average Facebook user has 120 friends or 281 friends, depending on which news article you might be reading. Let's just assume for mathematical purposes that the number is somewhere in the middle, at about 200 friends per user. Let's pretend, too, that you visit every friend's page in a single day. Because it's your day off, of course; you wouldn't actually do that at work. The mathematical likelihood that one of your 200 friends is one of the 95% that is infected is infinitesimal. Visiting a second-order friend (a friend of your friend) makes it more likely, but in mathematical terms one could still categorize the risk as statistically insignificant. In other words, all this hubbub about how much content is malicious and insecure is blown a bit out of proportion; considering the magnitude of the numbers we're dealing with, we could say 99% of all content is crap and still not raise your security risk much higher than it is today. That is, of course, purely a mathematical view of the security risks associated with social networking. Generalizing statistics can be useful, as can statistical sampling. But we, both as pushers of that data and as consumers of the same, need to be more aware of how the magnitude of the data behind those statistics affects the actual risk involved. It's always more fun to say 95% than to give a real number, especially when those numbers are so large that they essentially lose meaning to human beings. And we know that people will interpret 95% to mean 95% of the content they visit, because that's the way it's presented. But is that reality? Likely not, unless their behavior on-line is such that it puts them more at risk because they're visiting and connecting with a higher percentage of the content out there. The reality is that there's only so much providers and vendors can do to protect individuals online. Web application firewalls. Firewalls. IDS/IPS. Vulnerability scans. Anti-virus. SPAM filtering. These technologies are necessary to reducing risk in general, and they do, but the best and primary protection mechanism in every user's arsenal should be themselves. Users need to educate themselves on the risk inherent in today's increasingly connected web of content and proactively examine content presented to them with a more educated eye. And they need to be aware that at least part of the risk incurred from user-generated content is self-inflicted: the more content, the more friends, the more connected they are, the higher the risk of stumbling into malicious content. The danger in generating such a false sense of insecurity is that users will begin to fear content and links to content, which means they'll fear the Web in general, because the whole premise of the Internet, of the World Wide Web, of Web 2.0, is links and content and the intricate relationships between them. The web is useful because of links and content and user-generated content, and yes, much of it contains malicious code and other nasty tricks. But rather than scare users with statistics that don't accurately portray the risk to them, we ought to do a better job educating them on how to recognize malicious content and provide simple ways for them to report or tag or otherwise mark malicious content when they do find it, so we, as protectors of data and users and content, can continue to innovate new ways to automatically handle removing such content from our applications and sites. Instead of scaring users, let's engage users and make them part of the solution rather than just another part of the problem.</description><link>http://www.secuobs.com/revue/news/160569.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160569.shtml</guid></item>
<item><title>I'm Calling Bullshit</title><description>Secuobs.com : 2009-11-06 11:14:54 - fudsec.com - Sometimes you just have to tell it like it is. And this week, the man that puts the "Paul" in "PaulDotCom" does precisely that. From system administrators whining, to defense in depth, this invited guest post challenges some common assumptions and provides an actionable response. Thanks Paul. By Paul Asadoorian. Microsoft patch Tuesday, or "Black Tuesday" as it is referred to, has been around for some time. At first it seemed like a good thing; with all these patches coming out, it gave people time to plan accordingly and get them installed in their environment. I firmly believe it was a knee-jerk reaction that has plagued us since 2001-2003, when "worms" and network-based vulnerabilities were being exploited on a regular basis. The time has come to react more quickly to the wide variety of threats posing organizations' infrastructure, and have the flexibility to apply patches as they come out, not just once a month. I remember it fondly, as I worked for a University at the time patch Tuesday was being dreamed up. It was a time in a land where XP firewalls did not exist, nobody blocked the NetBIOS ports from the Internet, and the term "automatic updates" was something that did not exist. Machines were getting compromised faster than they could be rebuilt; in fact, many became compromised WHILE they were being re-built. At some point, someone hit Microsoft with a clue bat and they began coming out with patches, lots and lots of patches. Before you know it, systems administrators were overwhelmed with patch installations, and were not armed with the appropriate tools to handle the patches. So they do what some systems administrators do best: they bitch. I have to admit, when I was a systems administrator, I did my share of bitching. It's that kind of job, somewhat thankless, so bitching came with the territory. But in this situation, it caused Microsoft to take a step back and think about how they release patches. Then, Patch Tuesday was born (along with exploit Wednesday). This meant Microsoft was now holding back patches, saving them up for one release. While I started to grow hatred for this method, systems administrators did less bitching, which makes everyone's lives easier. Another factor that played heavily into the decision to release regular patches was desktop management. Very large corporations with 10s of thousands of desktops incurred costs when applying patches. Each of these desktops, and servers, needed to be rebooted in order for the patches to apply. This adds an economic factor to the equation, meaning it costs money for organizations to apply patches. Times have changed and it's time to evolve. The regular patch release schedule got us over a hump and got systems administrators in a groove of applying patches. However, imagine this situation: There are terrible viruses running around in the real world (like ones that infect you as a person, not your computer). Your doctor is getting the vaccinations as soon as they are available. However, it's left to your doctor to determine when they are applied. So to make things easy for everyone, vaccinations are done on the second Tuesday of every month. In the mean time, you and your family (users are like children) are vulnerable to the virus, some of which can be fatal, and others that are not so bad. Let me ask you this: if it was your family, how would you feel about vaccinations that only come out on the second Tuesday of every month? You should be equally as outraged about patch Tuesday, and here are some things you can do about it. Set your own patch schedule. This is something I have been preaching for some time. As an organization you need to evaluate the threats against your business, and prioritize the defensive measures you implement (if any). You should not have to wait for a third party to release patches; they should be applied according to your own priorities. Security is about evaluating risk, and I can assure you that you can do a better job than Microsoft of evaluating risk for your organization. Define your own threat level. The other aspect of security that Microsoft believes they have covered for you is determining the criticality of each bulletin (which can contain multiple vulnerabilities, which doesn't help). What is deemed "critical" by Microsoft may not be as critical to your organization. Evaluate each vulnerability, not just the bulletin, and think about the impact it has on YOUR organization, not the rest of Microsoft's customers. Home users, small businesses, governments, health care, universities, they all use Microsoft products in some capacity; do they all treat threats the same way? Hell no, and neither should you. Define what "critical" means to your business, and that means reading each of the security bulletins when they are released, in detail. So, on the second Tuesday of every month, get a bigger cup of coffee, sit down, relax, and enjoy the ride. Conclusion. Dumb questions: Is it "wormable"? Is there "public exploit" code available? The real question you should be asking: How does this impact our business? Let's get one thing clear: evil bad guys have exploits. They have exploits for stuff we don't know about yet. When a patch is released, it's too late. Shortly after a patch is released, it's really too late. So patching needs to be built right into your operations and balanced with your business plan. Don't get caught up in the hype around "remote exploits", "wormable", and all that crap; take matters into your own hands, at least as much as Microsoft lets us. The game is risk mitigation, not patching. But we can't rely on MS to provide reasonable, workable mitigants to many of their bugs, based on track record.</description><link>http://www.secuobs.com/revue/news/158181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158181.shtml</guid></item>
<item><title>A Treatise on FUD</title><description>Secuobs.com : 2009-10-30 19:10:35 - fudsec.com - How well do you think you know FUD? Anton knows FUD. He's sliced, diced and presented the head of FUD on a plate so we can examine it from a different angle. If you're a FUD hater that considers they never use FUD to "get things done", this post is especially for you. Thanks Anton - great post. By Dr Anton Chuvakin. FUD, or the Fear, Uncertainty, Doubt triad, seems better known than the other security triad, C-I-A. It seems inextricably linked with the security industry as well as with security technologies. After all, don't we reach for some extra safety and security if we fear something, feel uncertain about something or doubt something? While few CSOs and security leaders admit that they build their security programs based on FUD, below we will hypothesize that FUD is indeed a meta-level above risks, threats, vulnerabilities as well as compliance mandates. FUD's role in security today probably overshadows the role of any other factor we know. To put more substance into our discussion, here are some well-known examples where fear, uncertainty and doubt manifest themselves. Fear: getting compromised by attackers; failing an audit; suffering big loss; all of the above (failing an audit, getting hacked, being dragged into a media circus). Uncertainty: keeping a security leadership job; "keeping the wheels on" for security infrastructure; in case of an incident, loss amount is uncertain; threats and their impact. Doubt: security mission success; effectiveness of security measures; support of senior management. Further, many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best! The FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today. "Big Hairy Ass Risks" (BHARs) dominate both the FUD-infested security vendor materials as well as internal CSO presentations. Note that very few of the BHARs are truly imminent and thus fall out of the FUD realm, as there is no uncertainty about them - just like only few people develop phobias of poisonous snakes (which would be a very useful phobia to have). In light of this, we have to accept that there are benefits of FUD, as well as risks. The benefits of FUD stem from the above view of security, which is defined as "being free from danger" or "measures taken as a precaution" against something bad. First, in the world we live in, FUD works! Demonstration of a BHAR followed by technology purchase or control implementation does reduce possible loss, not only due to said BHAR but also due to other threats (if the BHAR ends up being completely mythical). Such implementations often also deliver other useful things for the organization. It is worthwhile to remind that "FUD selling" applies to CISOs no less than to "enterprise software" sales people. It also applies to "fear of auditors" as well as "fear of attackers"; both drive security adoption, even if lately the former seems to be winning. Second, keep in mind that many of the BHARs are both genuinely scary and, in fact, likely. Scaring a company into updating its anti-malware tools (despite all the concerns about their relative efficiency) or into deploying tools to collect and analyze logs is excusable, at the very least. Third, many proclaim that people need to be naturally drawn towards doing "the right thing" after being educated about what the right thing might be, and scaring people into action is not that efficient. The technical answer to such concern is a resounding "Ha-har-ha!" Finally, for years FUD was used to sell insurance as well as safety features in cars and other products, legal services, to make people update their boring DR and BC plans, and other good things. Fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive, all the way down to resolving political tensions out of fear of a nuclear war. Admittedly, the Fear Uncertainty Doubt approach has issues as well. The key issue with FUD is its "blunt weapon" nature. It is a sledgehammer, not a sword. If you use FUD to "power through" issues, you might end up purchasing or deploying things that you need and things that you don't. Second, it is well-known that the magic of FUD wanes if you invoke it too often. If you scare your customers or your management into taking your product or your security agenda seriously, they are almost guaranteed to stop listening to you at some point. However, if enough BHARs manifest, the FUD approach will continue to be fairly productive. One can get desensitized upon hearing that "sky is falling" too often, but here is the thing: I am willing to take the risk of such "desensitization" given that the sky is indeed "not quite stable". Third, FUD power, as any other power, corrupts whoever wields it too often. If you end up scaring people into action or spreading uncertainty, you might well lose the ability to win security arguments any other way. Also, if fear is a motivation for every decision you make, checking into a mental institution is not a bad idea. You might actually be paranoid! Finally, I'd like to bring up the good old "greed vs fear" model for advancing security, last mentioned at BlackHat by one of the speakers. As "greed-based" ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick our favorite 3 letter abbreviation, and I'd take honest FUD over insidious ROI any day. To conclude, fighting FUD is a noble pursuit. Don Quixote thought the same about fighting windmills. Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated.</description><link>http://www.secuobs.com/revue/news/155730.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/155730.shtml</guid></item>
<item><title>Testing the Vendor Guarantees: Guaranteed Security? Just Show Us the Money</title><description>Secuobs.com : 2009-10-23 15:33:05 - fudsec.com - Every now and then, a vendor makes a claim about their products or services that actually gets tested. Not by a lab with a "representative" environment, but by Blackhats in a production environment. Read on for just such a case. My thanks to Drazen for delivering a fudsec sledgehammer. By Drazen Drazic. I've been waiting a while for a higher profile test case and it's finally arrived. Integral Energy, one of Australia's largest energy corporations, has been in a spot of bother in recent times, as reported here: http://www.smh.com.au/technology/security/sinister-integral-energy-virus-outbreak-a-threat-to-power-grid-20091001-gdrx.html If all reports are correct, the critical infrastructure organisation's networks "are protected by a Symantec security solution". Now going by my last correspondence with Symantec here, they guaranteed me that their product would provide "proactive protection against unknown and zero day threats". Being slightly dubious of these claims, I asked for confirmation of the claims and was told by the Symantec representative: "I can confirm this statement is correct". Now wanting to double and triple check that they stood by their claim (being the cynic that I am), they then re-stated the claim, albeit slightly modified the next time, but with the end message the same: "This is one of the value statements of our product which we stand by, but I cannot personally guarantee that anything will not happen. If you configure and install the product correctly, then we will stand by this statement". Now Integral Energy may have a claim here. But I wonder if Symantec can argue the case that they only provide "proactive protection against unknown and zero day threats", and this being an old piece of badware means all guarantees are null and void.
</description><link>http://www.secuobs.com/revue/news/153467.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/153467.shtml</guid></item>
<item><title>Do the Evolution</title><description>Secuobs.com : 2009-10-16 15:18:41 - fudsec.com - Joshua Corman is the invited guest this week on fudsec.com. This post goes pretty deep to the core, thus for maximum benefit I recommend reading it at least 2 times. I know Josh is looking for feedback/comment on this post, so let us know your thoughts by leaving a comment. Without further ado, thanks Josh. By Joshua Corman (twitter). Change is constant - and security professionals are change averse. To become partners to the business, we must have the courage to embrace and enable change. If we don't, we continue to fight the last war and remain an obstacle to the business. "The path of the security professional is beset on all sides by constant and turbulent change." We find ourselves in a time of unprecedented change. The image below is currently my "one slide" I use when I talk about information security. [IMAGE] Cost, Complexity, and Risk have grown to unprecedented, unacceptable, unsustainable levels. Why? Well, in part, the sum total is being fueled by turbulent and accelerating rates of change across these five fronts: 1. Evolving Threat: The adversaries have shifted from Prestige, to Profit, Politics, and Prestige, and jumped from 1st gear to 5th gear, showing no signs of slowing. 2. Evolving Compliance: Compliance has eclipsed Threat as the primary driver of Security. Why? As a CIO so eloquently stated, "Josh, I might get hacked, but I will get fined." Vendors follow the money - and the money is in compliance. Is anyone even trying to solve for our threat needs anymore? 3. Evolving Technology: Innovations like x86 Virtualization, Cloud Computing, iPhones in the workplace, and social media barrage us at every turn. Each beneficial advance requires tremendous efforts to assure we can reap the benefits while preserving acceptable risk. 4. Evolving Economics: The global economic meltdown has slashed headcounts and cut budgets to the bone, further challenging our ability to address these sources of risk. 5. Evolving Business Needs: The changes that should affect the risk of a business are the ones that the CEO, Board of Directors, and their industries demand. Businesses are seeking ways to better collaborate with their clients and partners. They want to enter new markets or become more agile. Will security be the reason they can take these valuable risks? Or will security be the reason they cannot? Evolving Security Professionals: What about our profession? What is blatantly obvious to me is that "Evolution" is the headline. What is also obvious to me is, the only thing not evolving is the good guys. Where is our evolution? Our population tends to be pretty risk averse. We tend to hate change. Change = Risk, right? Given that we are beset on all sides by constant and turbulent change, what does this mean for our roles? For years we've been the person saying "No" to change. Can you now shift to become the agent of change? Instead of laying down on the tracks in front of the moving train, can you be the reason your company safely and selectively embraced the Cloud and its benefits to the business? I see no signs that change is slowing. In fact, the signs are that change is accelerating. I'm pretty sure many of us will not make the required changes. Many of you won't want the job as our roles continue to morph; half of you are already unhappy. Those who continue to be at odds with the business may be asked to leave. For those who are capable of evolving, what are you waiting for? We cannot continue to take backwards looking, static approaches to an ever changing, dynamic problem space. It is a fundamental mismatch. It clearly isn't working now, and is only going to get worse. And no, static PCI rules are not going to save you. When the next major breach was "also" PCI compliant, should we be surprised? Would Einstein find you insane? To date, there has been a stunning lack of evolution on our part. Change happens. Those who adapt, thrive. Those who fail to adapt, perish. Natural selection may help to thin the herd. Are you fit? Or unfit? Would Darwin be proud? Most of my work over the last few years has been to challenge conventional wisdom. We need to get to the marrow of the things which prevent us from being more agile and aligned with that which matters most. We need to get past reacting to the last war and start strategizing for the next one. We started Information Security with Signature AV and Firewalls. Can you name "one" security control we've retired? Are we keeping pace? The best of us love a challenge and thrive on this kind of change. There is a lot of latent talent in this industry. Now is the time to turn that potential into kinetic energy. Or we could continue to whine about PCI ruining risk management. Improvise. Adapt. Overcome. Learn to play Chess; you have incredibly talented and strategic adversaries. Study USAF Colonel John Boyd's brilliant OODA Loop: Observe, Orient, Decide, Act (repeat). If you are feeling a lack of purpose, read LTC Dave Grossman's "On Sheep, Wolves, and Sheepdogs". Where are our Cyber-Sheepdogs? My good friend Eric Hanselman once said, "We need the courage to sacrifice the past on the altar of change." Do you have that courage?</description><link>http://www.secuobs.com/revue/news/151185.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/151185.shtml</guid></item>
<item><title>Separating the Men from the Boys</title><description>Secuobs.com : 2009-10-02 13:15:56 - fudsec.com - Do you hire security consultants? Perhaps you are one. Wim from Belgium is this week's guest and fires torpedoes into what some consultants today consider as 'established practice'. As with many things in life, just because everyone else is doing it doesn't mean you have to follow. It all comes down to how you define value: value for your customer, or some deluded sense of self-value hinged on the "latest and greatest" vendor. By Wim Remes. I enjoyed reading Balazs' post a few weeks ago, and what he was telling us was nothing but the truth. I would like to expand on the subject and maybe wake up a few more dogs while rattling the cage. That's what we are here for. Sure, we see customers every week coming to us because they have a particular problem and they think they need a point solution for that. Do you see what the key word is there? Right, it is "think". They call us to consult them in their choice. Now, consulting has changed a lot in the past years. Where we actually built solutions from the ground up about a decade ago, we are now led by marketers and companies with a big budget which have built an ecosystem around them of silver, gold and platinum partners who are rewarded when they sell those specific solutions, wait, I mean products. In the process, they have actually dumbed down the consultants that were once bright and inventive people by feeding them product-specific certifications. Nowadays, you rarely find a "perimeter" specialist. You will find tons of "vendorname certified" engineers though. You, as a customer, can act against this trend. How? By stating your problem clearly, followed by a deafening silence. Why? Because this way, you'll know what your partner is about. If he starts throwing marketese at you, you will know he learned this from going through a bunch of white papers and computer-based trainings, and someone was probably holding his hand while he clicked on a, b, c or d for the multiple choice exam. The partner you are looking for will solve your problem, depending on the complexity of it, combining several point solutions, tied together to actually improve your security posture. He will combine well-known and lesser-known commercial products and won't hold back to integrate open source products. What is most important though, he will have a clear answer to every question you ask and he will know which part of the new infrastructure fits which purpose. Also, as his solution will probably not exactly be what you had in mind, he will do his best to explain why he made surprising choices. I hope to see a rise in the number of consultants, or whatever you call yourself, that return to the beautiful art that is information security. Not by adding another certification to their wishlist, but by starting to offer real solutions for real problems. Thinking out of the box is not a trend; it is what separates the men from the boys and that, my friends, is what our customers are looking for: Real men creating real solutions to solve real problems.</description><link>http://www.secuobs.com/revue/news/146826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/146826.shtml</guid></item>
<item><title>The Value of Multi-Factor Authentication with Amazon Web Services</title><description>Secuobs.com : 2009-09-18 19:14:48 - fudsec.com - This week, O'Reilly author George Reese assesses the real-world applicability of a recently announced cloud security control. Meaningful security control, or pleasing the checklist brigade? My thanks to George for taking time out of his busy schedule to contribute to fudsec; much appreciated. By George Reese. Amazon recently released a new service called Amazon Multi-Factor Authentication (MFA) for Amazon Web Services (AWS). Amazon's MFA enables you to configure your AWS account to leverage two-factor authentication for access to the AWS console. The AWS MFA is based upon the Initiative for Open Authentication (OATH) HMAC-based One Time Password (HOTP) specification. AWS and OATH HOTP: Amazon Web Services is a cloud computing infrastructure provider that enables you to provision virtualized hardware resources (servers, firewalls, block storage devices, etc.) via a web services API and pay for those resources by the hour. A typical systems administrator of a customer using AWS will log in to Amazon's web interface to launch servers and perform other actions. Because the system is based on a web services API, a number of third-party solutions exist that provide extended functionality. When you create an AWS account, you leverage your existing Amazon consumer account. Each AWS account is then associated with exactly one Amazon user. In other words, one account = one user ID = one person. As more enterprises are adopting AWS to support their IT infrastructure, AWS has been seeing demands for multi-factor authentication to address corporate security policies that require multi-factor authentication when performing administrative functions over systems that house sensitive data. Multi-factor authentication is a solid business best practice for such systems. When AWS introduced MFA, they described it as: "MFA should be especially attractive to our enterprise-level customers, but we expect customers of all types to value the additional security." Under MFA, I purchase a device from Gemalto that synchronizes with AWS and generates a one-time password. Any time I attempt to log in to my AWS account after configuration, I must provide two factors of authentication: my user ID and password (something I know), and the next token from my device (something I have). Does AWS Realize the Benefits of MFA? Paradoxically, AWS MFA is wrong for the customers for whom it was designed and perfect for everyone else. If you are a small business with a single AWS account managed by one system administrator, AWS MFA is for you. It costs just $13 to purchase the device, and access to the service is free. As I noted in the quote earlier, AWS did not design MFA for that audience. Instead, AWS developed the MFA solution for organizations that have multi-factor authentication as a checklist security requirement for administrative access to information security systems housing sensitive data. MFA suffers from an inherent problem in OTP solutions like OATH HOTP that rely on a key shared between the device and the server: you have to have a new device for every system you manage unless those systems are tied together via some kind of single sign-on solution. Having to remember a dozen passwords is painful; having to carry around a dozen key fobs is unmanageable. If you have a single AWS account, there's no need to carry around a dozen devices; one works just fine. An enterprise, the target market for this offering, is likely to have multiple people managing multiple AWS accounts. Both the "multiple people" and the "multiple accounts" aspects of the AWS authentication system make MFA unsuitable to the enterprise market. I've already addressed why multiple accounts are problematic: you have to carry around a new device for each account. Though single sign-on is a solution to the multiple device problem, AWS does not support single sign-on across different AWS accounts. If you have multiple accounts protected by AWS MFA, you need multiple devices. The multiple people problem is much more significant. It too is related to the one AWS account = one user = one person structure of Amazon Web Services. While one person = one user is proper, the fact that one user = one AWS account makes it impossible for those people who need multi-factor authentication to meet other policy needs. In particular, you cannot implement both of the following security policies with AWS: one person = one user, and redundancy in administrative roles. If you want redundancy in administrative roles, you must share an AWS user and the supporting credentials between at least two individuals. If you want to support one person = one user, you cannot have a backup administrator for your AWS account. For a large enterprise, opting to comply with one person = one user is just not operationally possible with AWS. By design, however, AWS MFA enforces one person = one user because only one person can have the device tied to the user (and only one person can carry the device at any time). One final issue with enterprise adoption of AWS MFA: it's US-only. In other words, businesses with systems administrators outside the US cannot use this service. Furthermore, no timeline exists for availability outside the US. The Bottom Line: Given the current design of AWS authentication, AWS MFA looks like a checklist item poorly suited to the needs of people with the checklists (enterprises). AWS would have been better off implementing an SMS-based system. Though such a system supports attack vectors that the AWS system lacks, it is ultimately much more practical for enterprise IT operations.</description><link>http://www.secuobs.com/revue/news/142278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/142278.shtml</guid></item>
<item><title>I'm Not Secure and You Can't Make Me</title><description>Secuobs.com : 2009-09-11 20:19:13 - fudsec.com - It's that time again, and Kevin Riggins serves this week's fudsec dish. If you have any influence over infosec purchasing decisions where you are, you should read this. My thanks to Kevin. By Kevin Riggins. Do a Google search for the following: "make secure" "press release" computer network. Go ahead, I'll wait. When I sat down to write this piece, I searched for that phrase. My results: 303,000 items. Granted, many of them have nothing to do with information security, but the first three in my search results did. It seems like I see advertising or a press release just about every day that spouts some sensationalist drivel about how you are going to get hacked in the next five minutes. This is followed up with "just install our product and you will be secure". These ads and press releases are aimed at both individuals and companies. First, I want to make something clear. I am well aware that if you stick an unprotected machine on the internet, it is not going to last 60 seconds, let alone 5 minutes. I am not arguing that the threat isn't real. The problem I have is the use of fear to sell an idea that is patently false. That idea is that any product can make a system or network secure. There is exactly one way to make a system or network completely secure: keep it turned off. The best we can hope for is to increase the security of our systems and networks by: making risk-appropriate decisions about what technologies to implement; making appropriate design decisions, again, based on risk; and ensuring that the products we use and build are engineered in a manner that addresses known issues and resists the introduction of new vulnerabilities. Yup, I said it: risk management, intelligent design, and secure development will make your environments more secure. They will NOT, however, MAKE you secure. Nothing will. Sorry.</description><link>http://www.secuobs.com/revue/news/140136.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/140136.shtml</guid></item>
<item><title>Knowing Walls from Speed Bumps</title><description>Secuobs.com : 2009-09-04 20:05:28 - fudsec.com - This week's guest post is from Balazs, an ex-senior malware analyst who, despite his career change, remains interested in the field of information security. In his own words, "my goal is to bust FUD and provide solutions for preventing successful attacks (as opposed to selling products)". I'd like to thank Balazs for encouraging us all to see the big picture and give recognition to his anti-FUD efforts (check his blog, link below). fudsec salutes you. By Balazs Attila-Mihaly. It is a sad fact that in the security industry most of the people most of the time concentrate on point solutions and fail to consider the general impact those solutions will have and how easy it is to circumvent them (how future proof are they?). While the "I have this problem NOW" mentality is probably built into our genes (and accentuated by marketing), it takes only a little effort to research one's options more thoroughly, and it can have a big (positive) impact in the future, much like counting to ten before saying anything one might regret. Example: suffering a malware outbreak, company X calls up Anti-Virus vendor Y and asks desperately: "Do you detect malware Z, which is spreading in our network? We already have another product, but it doesn't detect it." And so the decision is made to replace the old product with the new product, without considering the fact that for each Anti-Virus product there are tens of thousands of malware which they miss, and it just so happens that in this case the first product detected while the second product missed the particular malware, but it could easily have happened the other way around. Taking a step back, the company could have identified key issues which led to the malware infection in the first place, and which, if corrected, could reduce the probability of the incident happening much more drastically than swapping out one AV product for another: the ability of users to run arbitrary programs (which could be prevented by using a whitelisting solution); autorun being enabled (which could be disabled through Group Policy, and in addition solutions for disabling the USB ports could be used); the ability for users to write to the file-server (which could be prevented by clarifying the requirements for the given file-server and locking it down according to the policy). Second example: at BlackHat USA 2009 a researcher suggested that because he was able to implant a bootkit (a rootkit running from the boot sector) while running under Windows with Truecrypt installed, Truecrypt is broken. He also suggested a simple patch (for Truecrypt to deny write access to the MBR) and was upset when his patch was rejected (you can find part of the discussion on his blog, http peterkleissnercom p 11, where all the arguments were already detailed, but he remains unconvinced). Again, let us take a step back and check our assumptions: we are talking about code under Windows which is able to write to arbitrary locations on the harddisk. This already supposes that it has enough privileges to execute code in kernel mode. Any measures taken by Truecrypt could be easily circumvented by patching the Truecrypt driver on-the-fly. Second of all, if the code already runs in the live Windows session, it has full access to the decrypted data. It doesn't need the Truecrypt password at all. It can simply register itself to be started when Windows starts up and upload all the sensitive data bit-by-bit. Finally, even using BitLocker in a TPM-enabled environment (which is the other suggestion by him), there is still the threat of hardware keyloggers (which could be embedded directly in the keyboard; see the "Reversing and Exploiting an Apple Firmware Update" talk from BlackHat USA 2009). Seeing the big picture takes a considerable amount of knowledge and understanding about the internals of how computers and software operate. One can't expect any help from the sales persons either because, even if we abstract away from the fact that he is trying to sell you the product, most probably he doesn't know. Just try to find out from a whitelisting vendor if she is doing the enforcement of the rules in user mode or in kernel mode. Knowing walls from speed bumps can be very hard because both have the effect of stopping the attack if they are of low enough speed. Curmudgeons can help, but as can be seen from the second example, they aren't always correct either. What is the conclusion? Do your own research. Distrust grandiose claims, whoever makes them. And eliminating the root of the problem is in most of the cases simpler, cheaper and effective in combating a larger set of issues than just buying a "solution".</description><link>http://www.secuobs.com/revue/news/137983.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/137983.shtml</guid></item>
<item><title>Might As Well Face It</title><description>Secuobs.com : 2009-08-21 08:49:57 - fudsec.com - This week's fudsecfriday invited guest post is by shrdlu, an IT security manager who has held international positions in multiple institutions and is now US based. The other clue to his identity is he amuses himself at the expense of his children (otherwise what's the point in having them? I'm still not convinced that narrows it down). My thanks to shrdlu for the Molotov cocktail of a post. Shrdlu, IT Security Manager. Now, many of you are probably too young to get a Pogo reference, so I'll just get to the point. Hello, my name is shrdlu, and I'm a FUD addict. And so are you. Come now, do you really think that FUD is only produced by eeeevil vendors out to make a quick buck? Or do you think it's only generated by clueless media? No, folks, we're doing it to ourselves on a daily basis. The very nature of security involves uncertainty. We all know deep down that you can never have 100% security; that sooner or later, as Richard Bejtlich is so fond of saying, prevention eventually fails. It's only a matter of time. And so rather than sitting down and waiting for the threat to come to us, we go out looking for it. Endlessly. Emily Yoffe in Slate.com writes about ongoing research in what one scientist calls our "seeking" drive, our addictive behavior around finding nuggets of information: "We actually resemble nothing so much as those legendary lab rats that endlessly pressed a lever to give themselves a little electrical jolt to the brain. While we tap, tap away at our search engines, it appears we are stimulating the same system in our brains that scientists accidentally discovered more than 50 years ago when probing rat skulls." A very simple example of this addictive seeking behavior can be found in the Facebook application called "Hatchlings". The player collects eggs of different colors by looking for them in the profile pages of friends also playing the game, as well as other random pages on Facebook. Once collected, the eggs hatch into various creatures matching their eggs, and can be deleted (released into the wild) or retained by periodically feeding them -- you guessed it -- more harvested eggs. It's stupid, it's mindless, and so far I've found 5,545 of the damned things. And as far as users go, I'm by no means the worst: the top-ranked player in my city has over 48,000 of them and the number one player globally has more than 592,000. So if Hatchling eggs are the gateway drug, it's but a small step from there to Easter eggs in other software. And when the Easter eggs run dry, well, there are built-in Easter eggs that the developer didn't even know about, aren't there? They're called "unintended functionality", or vulnerabilities. Take a look at this year's Black Hat schedule and count the number of talks that are NOT based on finding a vulnerability or finding an attack. Go ahead, I'll wait. It's actually kind of like hunting for a needle in a haystack, and I promise, you'll get a dopamine rush out of it, especially if you find it. So when pretty much every talk at every conference is about newly discovered vulnerabilities and attacks, when we treat vulnerability researchers as rock stars, when defenders are only interesting when they've actually suffered a breach, is it any wonder that we're steeped in FUD? If there's still any doubt in your mind, try to remember the last time you said or heard someone say, "You know, our security is probably just fine. Don't worry about it." You're soaking in it.</description><link>http://www.secuobs.com/revue/news/133083.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/133083.shtml</guid></item>
<item><title>Hyper Security</title><description>Secuobs.com : 2009-08-14 17:11:46 - fudsec.com - This week's invited guest post is from Brian Honan, an information security consultant based in Dublin, Ireland, who founded and heads Ireland's national CSIRT team. This post explores hype, the LSD of the infosec industry. Thanks Brian. Brian Honan, Independent Information Security Consultant. A discussion with an old friend recently strayed into the area of information security and the hype that she currently sees surrounding products that will make us more compliant, secure and hacker proof. She works as an IT manager in a relatively large company and confessed to feeling confused by the various products, their claims and indeed the hype over the threats these products promise to address. This is a subject that I have spoken about a number of times, and it is something that I feel, as an industry, we need to be careful about. Yes, we need to make people aware of the problems, but let's not become Chicken Licken proclaiming the sky is falling. The plain truth is that all products are hyped up, be that a car, a plasma TV or an information security product. This is especially so in IT, where we are constantly being told certain products will do things for us cheaper, faster, smaller, and quicker, making us all more productive with minimal effort. So there is an amount of hype that will come from selling products or services, including those in the information security field. The other source of hype is from within the media, both industry and mainstream. Very often the security stories that make the news relate to major computer virus outbreaks or attacks on well known institutions. These stories only make the news because they are simply that: news. As someone who is heavily involved in information security I am often frustrated by the lack of concern people display with regards to computer security. If anything, there is not enough awareness of the threats people face once they go online. People understand the security risks we face in the real world. That's why we deploy burglar alarms on our homes or business premises, shred important documents, have a safe to store valuables and keep our money in banks. Based on our understanding of the risks we face, we take appropriate steps to protect ourselves. For example, if I owned a company that is a small professional firm with no valuable stock to protect, I would deploy burglar alarms and ensure I had good locks on the doors. If my company keeps valuable or desirable stock on the premises, then I would take additional steps to protect myself, such as installing CCTV, employing a security guard and storing the valuables in a safe. Securing your business is all about risk management. You identify the threat to your business, be that burglars, theft from staff, fraud or fire. You then decide what you need to put in place to manage that risk. Once you deploy computers and/or connect to the Internet, there are very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed. So yes, there are real threats and people need to be made more aware of these threats and how they can counter them. The problem is most people, including those working in IT, do not properly understand the threats and problems relating to IT security. Yet everyone is looking for solutions without actually understanding the problem. Vendors and resellers will be only too happy to sell products; however, if the underlying problem is not properly addressed then these solutions are not going to work as expected, resulting in the customer having a greater lack of confidence in information security. With the recent economic downturn, the information security industry is seen to be countering the trend seen elsewhere in the IT industry by having its budgets maintained or in some cases even increased. Vendors and resellers fully understand this and see information security as the area with the money, and are unsurprisingly exploiting it as only they can. Having worked in the information security industry for many years where only a small number of companies provided expertise and services, I suddenly find every company now offers information security solutions. While it is good that more people are becoming aware that information security needs should be addressed, customers need to ensure that their vendor fully understands information security and is providing solutions based on impartial advice and not simply to sell a product. It is time for us to stop listening to the hype, to look properly at the risks that need to be addressed and to call that sales person or consultant to task when they start to over hype a problem or solution. But it is also time for us to grow up and accept some responsibility for our own actions. We need to fully understand what the problems are we are trying to address so that we can identify the best solutions to those problems and be able to ignore the hype.</description><link>http://www.secuobs.com/revue/news/130957.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/130957.shtml</guid></item>
<item><title>Welcome To fudsec.com</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - Found FUD? Send links/scans to fudalert@fudsec.com. What? fudsec was created to showcase bad examples of Information Security marketing. Anytime the marketing message from an Information Security vendor or provider makes you feel Fear, Uncertainty, Doubt (FUD) or just plain dirty, let us know and we'll feature it here. Why fudsec? Wow, you haven't been in the industry long. FUD = Fear, Uncertainty and Doubt. Oh, and it seems to happen a lot with the "security" industry. Why now? Because it's time to give recognition where due, plus we think it's fun. How can I help? See our carefully crafted "call to action" immediately below this sentence. Found FUD? Send links/scans to fudalert@fudsec.com. FAQ. Do you offer any free bonuses? YES. You can follow us for free on twitter to get updates: http://twitter.com/fudsec. There is so much FUD, what will be featured? We can't possibly feature all the FUD, therefore we will give preference to mainstream security vendors (that should know better). I'm a security vendor, can I advertise on your site? Indirectly, yes. If your ads meet our strict publishing criteria (see above), they may be featured on this website. We reserve the right to add a commentary to facilitate the positioning of your product/service. The primary audience of this website are information security professionals, therefore by appearing on fudsec.com you can rest assured you are reaching decision makers. I'm a marketeer and I resent you featuring my ad on fudsec.com; I spent ages coming up with that. Although we don't offer official marketeer counseling services, we can suggest an approach that has worked for many in the past: change your company name and branding. It turns out people have really short term memories. Do you hate marketeers? Not at all. We hate bad marketing. If a marketeer constantly pushes out FUD and/or hyperbolic marketing messages then it's possible "they" could get featured on a possible future project: fudsecmarketeers.com. How long will you run this site for? Til the FUD problem is solved. How long is that? You need to ask? Why do you use cheesy highlighting for your "call to action"? Why not? We hear it works really well for ebook sellers. Found FUD? Send links/scans to fudalert@fudsec.com.</description><link>http://www.secuobs.com/revue/news/129449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129449.shtml</guid></item>
<item><title>When Security Vendors Cry Wolf</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - This is the perfect guest post to start our fudsec journey. Thanks for the inspiration, Amrit. By Amrit Williams (re-posted with permission), Chief Technology Officer, BigFix, Inc. As a former IT industry analyst and current Chief Technology Officer of a security and systems management software company, I spend a considerable amount of time reading press releases, marketing collateral, and news about and generated by our industry. I have always been fascinated by the sheer volume of fear-based marketing propagated by security vendors. This in and of itself isn't terribly interesting, but it provides some insight when trying to understand end-user purchasing and investment decisions. We all know that fear is a great motivator, and few things evoke more uncertainty and doubt than fear. Marketing departments expect that this fear, uncertainty, and doubt (FUD) will help their companies grow, prosper and expand their market share. Here are some examples of fear marketing from across the security industry. "Michael Jackson's death sparks off spam: hackers are relatively fast to grab on breaking news to spread their malware and spam. They and other cyber-criminals show no reverence to decency or taste. All that they want is to reap financial benefits and turn the lives of other end-users into misery." There is no connection between a dead celebrity and malware, except that malware authors are opportunistic and will use any media sensation to trick users into clicking on malicious content. Curiously, security vendors play the same game by leveraging fads and media sensations to direct readers to self-serving marketing materials. Don't believe me? Perform the following Google search: "name of your favorite anti-virus vendor" Michael Jackson. "The damage caused by new mobile threats likely will be more extensive than those caused by today's PC threats because of the large volume of smartphones shipping and the small percentage that are protected by mobile-security measures." The above statement was written in 2005 by one of the leading anti-virus vendors that happened to be releasing a new mobile AV solution. Mobile malware is like the flying car. Whatever year it happens to be, it is always some years away. "As we said before, the ability to have viruses and all sorts of other malware is inherently available in all modern operating systems, Mac, Linux, BSD. It is a warning to get antivirus protection for those Macs, even if the shopkeeper told you do not need it, even if there are no viruses in the wild today." MacOS X, like all operating systems, can be infected, no doubt about it. The costs of managing third party endpoint security solutions at enterprise scale and their negative impact on user productivity, however, can outweigh the risks and costs of an actual infection. Show of hands: how many of you would like your Mac to run as slowly and inefficiently as a Windows box? "Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves." And: "Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs." We have certainly come a long way since the Dark Avenger first crafted his polymorphic virus in the late 80's, but $1 trillion a year? I wonder where this figure comes from, because it can't be based in reality. To give some perspective of size, the total US GDP is about $14 trillion, and that includes the value of every good and service produced and consumed in the world's largest economy. Cybercrime is bad, but it isn't larger than the entire worldwide drug trade, nor is it a $1 trillion industry, at least not yet. "2008 was the year when cyber warfare began; it showed that you can bring a country down within minutes." And: "From a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities, the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face." Cyber warfare, however one defines it, is far from the greatest threat we face. To name five threats more relevant and impactful than cyber warfare, just review the world news for the past 1-2 months: pandemics, global economic collapse, political instability in countries with weapons of mass destruction, severe global climate changes, and depleting supplies of natural resources. Any one of these has more impact on our lives, both personal and professional, than 99.8 percent of all digital badness that one can think of. There is no question that information security is a problem. The increased reliance on technology for communications, culture, government, and commerce all create an environment that breeds crime. I believe that while awareness is important, people should have a realistic grasp of the dynamics and risks inherent in this new digital environment. FUD, however, doesn't solve the problem. It stokes hysteria that must be constantly amplified lest customers lapse into ambivalence and apathy. FUD is the drug of the security industry, and many are addicted.</description><link>http://www.secuobs.com/revue/news/129448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129448.shtml</guid></item>
<item><title>Cloud Security is not Cloud Security</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - Queen of the Application Delivery Space, tech geek and accomplished blogger, Lori Mac Vittie wrote this week's invited guest post. The subject she chose, "Cloud Security", is close to my heart, and given some of the ass-backwards reasoning going on right now this is a prime topic to de-FUD. Thanks Lori.

Lori Mac Vittie, Technical Marketing Manager for F5 Networks

Immediately after Twittergate broke, pundits began (predictably) to use the resulting "breach" of Google Apps as reinforcement of the notion that "cloud security" is a widespread issue surpassed only in impact and reach by world hunger. One of the problems with this (because there are quite a few, but we don't have the time to get into all of them) is the use of the moniker "cloud" as an umbrella term and the application of the security issues of one model to all models. Google, Salesforce, Facebook: these are "cloud" only in the very loosest sense of the term. They are hosted services that have taken up the cloud banner because, well, it's effective marketing these days. But when it comes down to it there is about as much similarity between SaaS and IaaS and PaaS as there is between a car and a boat. Sure, they're essentially made of the same material, but their uses, architecture, and implementation are so vastly different that equating them under a single moniker of "vehicle" makes absolutely no sense.

---------------------------------------------------------------------
WHO IS RESPONSIBLE FOR WHAT and WHERE
---------------------------------------------------------------------

There are certainly security issues with all kinds of "cloud", but the security issues that need to be addressed by Amazon AWS or BlueLock or GoGrid are vastly different from those that need to be addressed by Facebook and Google and Salesforce. In the case of SaaS, all security, from layer 1 to layer 7, is the responsibility of the service provider. Google and Facebook and Salesforce provide the network, the infrastructure, and the application. They are responsible for all aspects of security. The provider owns the entire stack including the software, and is therefore responsible for ensuring isolation (multi-tenancy), application security, and security of the overall network.

In the case of an IaaS provider like Amazon or BlueLock or GoGrid the situation is vastly different. The provider is responsible for the network security, for the security of its infrastructure and management systems, but the rest is up to the customer. The security of the applications the customer deploys in an IaaS cloud is solely the responsibility of the customer, and it is the customer that is beholden to its customers if something goes wrong, i.e. a breach in application security. The provider is responsible for any breaches that are successfully perpetrated through the exploitation of its underlying architecture and infrastructure, but if it happens through a customer's deployed application then it's solely the responsibility of the customer.

In the case of a PaaS provider like Microsoft and its Azure cloud, the distinction is a bit fuzzier. Microsoft is certainly responsible for the network and application network security of its infrastructure, and of the platform, but again the applications developed and deployed are the responsibility of the customer. Isolation (multi-tenancy) needs to be assured by PaaS providers to ensure against cross-contamination between customer applications, to be sure, but in the end it is the customer of the PaaS provider who is ultimately responsible to its customers to ensure the security of its applications. The provider could, and should, be held responsible for successful breaches via the network infrastructure or via the exploitation of vulnerabilities in the platform, but not the applications its customers build and deploy.

---------------------------------------------------------------------
THE RED HERRING THAT IS "CLOUD" SECURITY
---------------------------------------------------------------------

"Cloud security" means different things in different environments. Using a breach in Google Apps to question the security of "the cloud" is like using a bad seam in a boat to question the construction of a car engine. It's utter fail, and the fallacy inherent in the logic should be obvious to anyone with even a smattering of technical understanding of cloud computing models. Just as there are different types of clouds in the sky, there are different types of clouds in the ether. Each cloud has its very own risks, and while the dark ominous cloud may be in danger of bursting open, the white fluffy one is not. Such is also true of clouds in the ether: each comes with its own unique security risks, and they should each be treated as individual models, not as an undifferentiated group. Pointing to a vulnerability in Google Apps or any other SaaS provider as proof positive that there are security problems "in the cloud" is nothing more than a red herring. It's FUD, plain and simple, and if cloud is ever going to be what pundits hope it will be, such blatant misconceptions must be put to rest sooner rather than later. What do you think?</description><link>http://www.secuobs.com/revue/news/129447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129447.shtml</guid></item>
<item><title>Threat-Centric Thinking on the Rise</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - This week's invited guest post is from Richard Bejtlich, a true thought leader in the incident response space. Here he shares his insights on threat-centric thinking, FUD and how we can all make a difference. Thanks Richard, appreciate it.

Richard Bejtlich, Director of Incident Response at General Electric and TaoSecurity blogger

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month. It struck me that the focus of the discussion, really to the exclusion of anything else, has been one question: "who did it?" Think about that for a second. If this attack had happened in 1996, we would have asked "how did that happen?" In other words, network DoS was new enough to warrant a technical examination of the event. Attribution would be a concern, but most people would want to know how it happened. The same thinking held true for many years. Numerous technical variations of DoS ensued, moving from the elegance of the original SYN flood (allowing very few packets per minute to completely disable a service on a Windows NT computer) to the brutality of bandwidth consumption attacks. Distributed DoS became popular as the last decade ended, but really only law enforcement cared about who was responsible for attacks on several high profile sites in early 2000. For much of this decade we have continued to focus on the how, not the who.

This focus slowly changed over the last few years, to the point where "who did it" dominates all other discussion. I had to spend a decent amount of time trying to find any site that explained the nature of these DoS attacks, while trying to sift out the FUD over "who". Is this focus on "who" good? Shouldn't we care about addressing vulnerabilities that make targets susceptible to attack, zombies prone to compromise, and the like? On the contrary, I think focusing on "who" is the best approach we could take. Trying to assign attribution is what real professionals do. They think in terms of threats, not vulnerabilities. People who can make a real difference, a lasting difference, frame almost all productive security work using threat-centric thinking. These people are called governments, and they control military, police, intelligence, diplomatic, and economic levers of power. Vulnerabilities are for people who don't have the power to make a difference. People who think in terms of vulnerabilities aren't allowed to arrest or shoot anyone; they work for companies, non-profits, universities, and so on. They have no choice but to patch and hope for the best while the marauding hordes surround their circled wagons. Those who defend assets should work with threat-centric groups to deter and eliminate threats. In fact, we should demand that we get help from these government forces. We can also educate these parties, since their technical acumen is uneven at best and counterproductive at worst. Asking "who" is the right question, finally. Now we can all try making a difference.</description><link>http://www.secuobs.com/revue/news/129446.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129446.shtml</guid></item>
<item><title>Introducing the FUDSEC Voting Machine</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - "I love the smell of FUD in the morning" -- Anonymous Infosec Dude #1

After much research we are proud to unveil the fudsec voting machine. This is a place where you can submit blog posts, articles, marketing materials and other URI-based receptacles of infosec Fear, Uncertainty and Doubt. There's even a handy bookmarklet on the site so you can submit while you surf. Technology-wise, we decided against using "the leading vendor" after stumbling across the below on the Intertweets [image]. Instead, we went through a 70-step RFP dream sequence and outsourced it to a free web 2.0 service. Go hither, submit FUD and vote at the fudsec voting machine.</description><link>http://www.secuobs.com/revue/news/129445.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129445.shtml</guid></item>
<item><title>FUD in Markets for Silver Bullets</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - This week's invited guest blog post is from Chris Swan, who surgically deFUDs a classic infosec metaphor: the silver bullet. Insightful as always, thanks Chris.

Chris Swan, CTO at Capital SCF

Why do we have FUD? Ian Grigg characterises security products and services as a "Market for Silver Bullets": a market where neither the buyer nor the seller has sufficient information to determine whether something is effective or provides value for money. That is why we have so much Fear, Uncertainty and Doubt (FUD).

The Market for Goods, as described by Information and by Party:
- Seller knows, buyer knows: Efficient Goods
- Seller knows, buyer lacks: Lemons (used cars)
- Seller lacks, buyer knows: Limes (insurance)
- Seller lacks, buyer lacks: Silver Bullets (security)

Ian's 3rd hypothesis is: "In the market for silver bullets, neither buyers nor sellers of the good are informed sufficiently to make rational decisions." From which we might infer that it's in the interest of sellers to push buyers towards making irrational decisions, decisions based on emotion rather than logic and data. Fear is an emotional response to threats and danger, related to the specific behaviours of escape and avoidance, whereas anxiety is the result of threats which are perceived to be uncontrollable or unavoidable. Fear sells: the product/service that provides the means of escape and avoidance. Anxiety is not profitable: there's no money in things that are uncontrollable or unavoidable. The point of FUD is to make us fearful rather than anxious.

So where does the uncertainty and doubt come in? That's in the lack of information in the hands (or heads) of the buyer and seller. The seller doesn't want to reveal that he can't be sure that his product or service is effective, so instead he must concentrate his efforts on the fact that the buyer also lacks information about what's going on. How do we get past FUD? This can only be done by having better information in the hands of both buyers and sellers, which is tricky as we're dealing with a 3rd party, the attacker, who doesn't want to join the party. The information that both the buyer and the seller of security are most lacking is in the head of the attacker. All is not lost, however. As speakers at security conferences keep boring on about, eCrime is now a business rather than a hobby, and businesses need transaction venues. eCrime transaction venues are by their very nature underground, or on "dark nets", but they are imperfect in keeping law enforcement and security researchers out. We can therefore see what the attackers are up to, and determine a measured and economically viable response. This is what Ross Anderson was driving at with his original paper on the Economics of Information Security, and this is also why I think the Workshop on the Economics of Information Security (WEIS) is probably the best security conference going. Get along, get deFUDed, and dodge some silver bullets.</description><link>http://www.secuobs.com/revue/news/129444.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129444.shtml</guid></item>
<item><title>Arm Yourself With The Gobbledygook Manifesto</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - "He who is prepared, spots the FUD" - Anonymous Infosec Dude #2

Stumbled across this highly relevant manifesto for the FUDbuster. Read and apply the "mind grep" test to future infosec marketing materials you receive. If a vendor indulges you in buzzword bingo, consider emailing this manifesto with a simple subject line of "I saw this and thought of you". Important note: failure to reply to follow-up emails heightens the effect. Download PDF.</description><link>http://www.secuobs.com/revue/news/129443.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129443.shtml</guid></item>
<item><title>Showing The Oblomovs The Door</title><description>Secuobs.com : 2009-08-10 02:03:14 - fudsec.com - This week's invited guest post is from Nick Selby, a security convergence consultant and enterprise security thought leader who established and led The 451 Group's Enterprise Security Practice from 2005-2009. (Ed: This post was provided shortly prior to Black Hat / Defcon.)

Nick Selby, Founder, Cambridge Infosec Associates, Inc.

A recent survey shows that half of information security professionals are unhappy in their jobs despite six-figure salaries. Of course they're unsatisfied: we have well-trained, well-intentioned security professionals reduced through a series of relentless box-ticking to ensuring that their hopelessly dated signature-based technologies have the most recently-updated chance of not stopping anything. Why? Because as punishment for making everything so complicated, security professionals have been saddled with compliance management. The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.

I stomped away from trying to influence security as an analyst because compliance (the adjective and the verb and the noun, and whatever form is the word 'Compliancy') has managed to suck every ounce of oxygen from the room that is the security industry. Okay, that's an exaggeration. I really quit because I find it more rewarding to once again do security than to talk about doing security. We're in an Orwellian information technology universe, and we've let criminals become Big Brother because they often have better configuration management data than our own information security groups. We have a rapidly evolving threat landscape, advanced persistent threats, new generations of attacks and attackers and a wildly changed attack paradigm, and purveyors of "intrusion detection" and "anti virus" don't just exist, they're propped up as puppet regimes by the makers of rulesets designed to keep us "safe" and "smart". Josh Corman at IBM was spot-on when he called PCI the "Cyber-incarnation of 'No Child Left Behind'". At this writing it's unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we've heard of, but the fact that they're out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard. Well-intentioned businesspeople at PCI, seeing their money walk out the door at an exponentially increasing rate, thought they'd "raise the bar" by setting forth some highly specific tasks. Unfortunately they were specific to a paradigm gone by, and those who don't comply get their credit card privileges popped. Thus have they managed not only to not raise the bar but in fact to substantially lower the ceiling: PCI is not the minimum standard, it's the maximum effort that many organizations make. And why not? By doing PCI, one can claim to be doing 'Best practices'. 'Best Practices' is a term for which toilet-dunks should be applied rigorously; the term is, to borrow a phrase from Marcus Ranum, weapons-grade marketing bullshit. Meanwhile, Visa and MasterCard stay shtum on their card fraud numbers in one of the best shell games around as banks and card associations play the Three Wise Monkeys, passing the buck back and forth amongst their cabal while storm clouds of another off-balance-sheet Armageddon gather in the distance.

Is this just another "anti-compliance" rant? Sure, but it's also a "pro-risk" rant. It's not just that our lives as security professionals are increasingly (and increasingly exclusively) about feeding the compliance beast. It's more about the fact that all this compliance stuff is preventing us from addressing risk and performing, you know, security. Compliance is big money: there are more than 100 sponsored links on Google for the phrase "Security compliance", so vendors and analysts push it, and departmental budgetary politics becomes all about securing compliance-related funding. This directly leads to stovepipes, those "Cylinders of Excellence" in which the slightest thought about anything not budgeted becomes "out-of-scope". Now hear this: our enemies do not compartmentalize their attack resources. They don't have a budgetary or organizational constraint against standing in the smoking area and walking into your building behind a smoker who's taped open the ram-bar latch; or phishing credentials from one of your employees by phone, fax or email; or popping through a poorly constructed web application; or, if the stakes are really high, having someone sit in front of your Vice President of Whatever's house, looping trivially through his WEP-"protected" WiFi and surfing into your network on his VPN connection. Let's not even talk about his cell phone. How many stovepipes within your organization have those utterly commonplace vectors just crossed? To deal with these threats we don't need more stuff, we need to talk to one another, to use the resources we have in place already in smarter and better ways. Communication, cooperation and a top-down emphasis on understanding risk: these are things that can't come from the comet tail of crap being pushed by vendors and consultants today. We face a 360-degree threat, every day, and bad guys are as innovative and resourceful as they need to be to stay one step ahead of you. The problem is we're not making them need to be very resourceful at all. Compliance, the state of being, is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes by Oblomovs you've hired to "deal with" compliance. Security requires integrity, inter-departmental communication, articulation of goals and give-and-take between stakeholders so that everyone has more information to take into account when making business decisions. It requires coordination between physical and logical, between departments as seemingly disparate as HR and marketing and bizdev and sales, and the executives who make decisions about where they want their firm to go.

You want to be a CEO? Manage risk by demanding your people give you information supportive of cost-benefit analyses that are based on how you can create more value as opposed to how you can avoid being fined or having your name in the paper. You want your compliance department to manage risk for you? You'd better hope your firm is considered "too big to fail", so the next round of government bailouts can save your sorry butt. Although, since you're allowing the government (through SOX and HIPAA) and other industries like the payment folks to set your agenda, maybe a bailout was what you had in mind from the start.</description><link>http://www.secuobs.com/revue/news/129442.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129442.shtml</guid></item>
</channel>
</rss>
 
