Aaaand we're back - bringing you fresh FUDSEC for 2010.

This week it's the turn of Mike Rothman, President of Securosis.  Mike notes that he "hasn't really met too many people he can't piss off, one way or another".  This obviously makes him a natural FUDSEC guest.  Thanks Mike!

It all started when I read Richard Bejtlich's post on Partnerships and Procurement. This was the "I'm sick of it and I'm not going to take it anymore" moment for me. I mean, come on. We spend billions on security, yet we are not any more secure. We have lots of regulations, but that has created a low bar mentality where the objective is to get the stamp - not protect the private information.

And we've had consolidation. Oh, have we had consolidation. The big vendor swallows up the little vendor. Of course, this has happened since the beginning of time and it's a hallmark of every maturing industry. But in our space this constant consolidation has marginalized security. Security gets buried within these huge companies. Sales reps don’t care whether they sell replacement parts for old appliances or security. As long as they hit the number, it doesn't matter.

From an attack standpoint things are bad out there, and getting worse. Or so it seems. That could be the ambulance chasing media — who in a Twitter manic, Facebook checking, 24/7 mentality finds a lot more sexiness in an attack that requires 3 PhD's, a supercomputer, and a roll of duct tape — than in stories that talk about how to solve problems. Part of me wants to just give up. Get all Zen and relent. What will be will be.

But that's not me. I don't give up. I don't back down. I press forward. But where am I going? Where can/should we tell the industry to go? We've got a distinct lack of leadership in security right now. Sure, we have lots of new vendor offerings built to try and address the latest attack (which still requires the multiple PhD's, supercomputer and duct tape) and lots of consultants to charge big bucks to "assess" an organization's security posture.

As an aside, I can save you folks some money. Write in crayon "You're Screwed" on a piece of paper and give it to the CIO. See, you just saved $100,000 and a couple of reams of paper. The findings won't be any different from the high priced consultant's risk assessment. They just figure out a way to say it with 40,000 words and lots of pie charts.

Who is going to lead us? I remember when we had guys like Jim Bidzos making huge pronouncements (like the idiocy of the US encryption export policies) at industry conferences. The keynotes at the RSA Conference were a who's who of the captains of the technology industry.

Now we get the CTO of 3Com and the guy who runs the security business for CA. Bill Gates and John Chambers they are not.

I'm not sitting here saying that we need vendors to lead us to the Promised Land. We do need to believe that all the inventory big vendors have bought over the past 5 years is amounting to something. But that's not going to happen. Sorry. There is no one minding the security store in the big IT shops.

Who is in charge of IBM's security strategy? HP? Cisco? Oracle? Do they have the ear of the CEO? Do they sit in senior staff meetings? Most importantly, can stop a new product or a deal or some other major endeavor because it presents risk to customers? Yeah, probably not.

Where is the next generation rallying cry? What will be this decade's Trustworthy Computing? Microsoft did a great job driving that concept to every part of the business. I'm not holding my breath for the next generation rallying cry.

If the vendors won't lead us, what about the Federal Government? The grand "recommendations" coming after the high profile White House 60-day review were pretty much toilet paper. Actually, that's insulting to toilet paper. I certainly wish the "cyber-coordinator" Howard Schmidt good luck, but he only warranted a photo with the President. Keep in mind they hold ceremonies in the Rose Garden for the Presidential dog groomer.

To be clear, this isn’t about Howard. It’s about a role with no real empowerment for change. I don’t think Ike (yes, random WWII reference) could have been successful as cyber-coordinator. Looks to me like this position will be yet another eunuch sent to the slaughterhouse in a cloud of beltway politics and bureaucracy.

As for end users, the really smart ones are either too busy to tell us what they’re doing, or hamstrung by the same idiot lawyers who think putting a confidentiality notice on the bottom of an email is actually useful.

Let's all agree the vendors aren't going to get us there. The US Government has a bad case of the blind leading the blind. And too many of the end users that will talk have self-promotion syndrome, always angling for their next CISO gig. Sorry Dorothy, there is no Yellow Brick Road.

Wow, that felt good. I’ve been holding in that rant for 15 months and it’s good to finally get it out in the open. But alas, what makes me feel better doesn’t help you do your job better, now does it? So let’s start looking for solutions. What can we do to make some progress against these enormous obstacles?

Look in the mirror. I'm not kidding. The answer is staring back at you. That's right, don't act so surprised.  There is a revolution coming, and it starts with you.

The general problem is that we as an industry keep waiting for someone to bail our ass out of the fire. Yet, real change never happens that way. Real change bubbles up from the bottom and becomes a movement. The movement gathers steam and starts gaining attention, and then the status quo rises up to quell the change. Only through herculean effort does it become accepted practice. All change has to start somewhere and the nature of our jobs as security professionals is changing. To make things better and to survive, we’ll need to change with it.

Security is no longer a technical discipline. Technology plays a role, of course, but the success of your security endeavors has nothing to do with your technical competence. It has to do with your skills at "playing the game." Basically we have to master the art of persuasion. We have to persuade the movers and shakers in our organizations that security is important and that it helps the business.

But how do we do that? Especially given that business folks don't care about security.

Basically, you need to become a guerilla. Security folks have no "shock and awe." We're lucky to have a BB gun. So we've got to fight smart. We have to fly under the radar. We have to use leverage and magnify our impact. And yes, it's possible.

Some may say guerillas don’t fight “fair.” The fact is most of the folks just don’t have the resources to fight any other way. What they do have are some characteristics that wouldn’t be bad to replicate – like agility, resourcefulness, and persistence. They are visible about their successes and they build their attack plans based on intimate details of their situation and surroundings. Can you do that? Can you be a guerilla?

To clarify things a bit more let's outline a 5-step plan to put this into action. And yes, it follows the general approach of the Pragmatic CSO:

1)   Understand the Business - I'm sure some of you have tried to convince senior management you are great at security because of your 99% AV coverage metrics. Or your 1-day patch window. Right, they don't care. You need to relate security TO THE BUSINESS.

Unless you understand your business, you can't understand the leverage points that will appeal to the business leaders. Read your annual report. Understand how your senior team is bounced. Find out who will get fired if a system goes down. Make like J. Edgar Hoover and start assembling "files" outlining the success criteria and leverage points of the influencers in your organization.

2)   Get face time - Persuasion is not something you do via email or in a bi-annual summary meeting with the board. It's something that has to be done consistently. So you have to befriend the movers and shakers. You have to add value to their environment. You built the file, you know what these folks need to accomplish. Now you have to figure out how to apply security techniques to help them reach their goals. Or potentially position security as a way to ensure an outside influence doesn't stop them from meeting their goals.

3)   Get a Quick Win - Once you have their ear, you need to show the goods. This is the testing phase. So maybe you catch an insider in the act. Or you intervene before an application goes live, which could have resulted in a breach. When you are in the heads of the influencers, these kinds of opportunities present themselves. But don't take a long time because influencers have a short attention span. The Quick Win builds credibility, and with credibility you can take a more strategic and structured approach.

4)   Pitch the Program - After proving your mettle in adding value to the influencer’s environment, then you need to sell a more structured approach. Yes, that means they need to get on board with the security program. Explain to the influencers how the security team does stuff and how they consistently add value - but only if they are IN THE LOOP. That's the objective, pure and simple. To have these bigwigs in the organization actually call BEFORE they do something. It doesn't happen overnight, and you'll need to be patient - but with consistent effort it can happen.

5)   Execute Consistently - That's right, don't screw up. Credibility is kind of like good will. You can spend years building it, and it goes bye-bye in the blink of an eye. Think Tiger Woods. So always manage expectations, always follow-up and show results, and also take some time to pat yourself on the back. The Guerilla Security Warrior is not an overnight thing, so if you've gotten to this point - it's quite an accomplishment.

The bad news is some of you will never have a chance at all. Statistically we smart folks (your read FUDSEC, don’t you?) are surrounded by idiots, and many of them are somewhere in senior management. You know, the Peter Principle in action. While you should make your best effort, for your own health it’s important to recognize that some executives in some organizations will never be receptive to improving security no matter how good you are.

If you’re stuck in that situation, you need to decide if you can live with it (I suggest focusing on your family while covering your ass with documentation at work) or if it’s time to polish up the resume. Life’s too short to come home from work angry every day. I should know; I’m a reformed angry guy.

Let me finish up by reminding you the road to hell is paved with good intentions. Words mean nothing (especially given my living comes from writing words), actions mean everything. I come from the school of leading by example. With security, senior executives will not have an epiphany and get religion overnight. Unless a data breach at your organization becomes front-page fodder. Then you'll be looking for your next job anyway. So leadership starts with you. Leadership is built one step at a time, through consistent value-adding action. Get to work.

Are you up to the task of Guerilla Security Warfare?

 

Security product testing criteria have always struck me as quite odd.  Why *just* focus on the product or even the vendor financials?  I mean, the product is wrapped up in a sales cycle, a marketing program and sometimes, an entire belief system.  Then there is the on-going relationship...

Vince Tuesday has been around the block.  He's heard what you have to say my dear vendor.  He knows your script, in fact, he's probably reading ahead.  The sad truth is you already lost his attention 5 minutes into your sales pitch.  He did briefly perk up as you enthusiastically sprayed your enthusiasm towards him - but this was merely to avoid getting his suit wet.  As you posture to impress him, he's figuring out whether to eat the left over Chinese food for lunch or go down the pub.  He's already decided if he's going to take you up on your offer of lunch.  Sharing food does not mean you are any closer to a deal.  It merely means he is more likely to fall asleep when you insist on using up more of his precious time by ordering desert as a tactic to "keep him in play".

Vince makes purchasing decisions that sales people would die for.  But to get to the sale, the path is narrow...and winding as you'll see below.  Thanks Vince - I owe you a beer!

By Vince Tuesday

I am a security manager with a secret identity, Vince Tuesday. He comes out when I have things to say that it would be inappropriate under my work identity. You may also know him as a 2003 East Coast Region ASBPE Silver award winner for “The Strange Case of the Phantom Intruder”, no? You surprise me. When KingCloud (as I like to call Craig) approached me about FUD I dithered but the promise of international fame and fortune was hard to resist, so I’d like to talk to you today about more than just FUD (although FUD will be a part of it). I’m going to do a top ten of “Things I never want to hear from my vendor”. It may be when I get into the flow I go beyond 10…

1. "You can write your own templates/scripting language"

Not only great for your professional sales organisation but I also can extend my vendor lock to you in by forcing all my team to learn your stupid re-invention of perl/bash and better yet you can hide behind the fact that you haven’t incorporated decent features by claiming I can add my own. I can even pay extra for training from you – so be sure to change the scripts on a regular basis so you can make that a recurring revenue stream. Also, when you release the new version of the product then make sure my scripts stop working and don’t dare give me things like import/export and change control.

2. “We wrote our own crypto”

Sure, you did an MSc from some European country, maybe you even read “Applied Crypto”, you might even own the Brucie action figure – what could possibly go wrong? I’m sure there is no reason that the solution to every software problem from a security point of view (see Gunnar Peterson’s excellent critique) is Network Firewall and SSL. Why would we like SSL? – sure it has problems but they get fixed. Your own implementation is never going to have any problems and even better if there was then you’ll never know and never fix them – less patches, love it! Better yet are those security products that don’t even include authentication or confidentiality in their own connections and therefore add security risk to the environment. That kind of stuff is just hard to configure and adds overhead, doesn’t it? No better way to convince me your security tool is a must have if it lacks any security over the features it offers.

3. “Sorry, We forgot to encrypt the laptop”

Along with not bothering to embed security features in your security product it is even better when security vendors and consultancies don’t take security seriously in their work and own infrastructure. I’ve found vendors with my staff and clients’ personal data stored in their environment without full disk encryption on their laptops and thank goodness – no pesky keys to protect if you don’t bother to encrypt. Also it would be a waste of time to have some modicum of physical security for your office and your data centres – you’ve a mission to spread the knowledge of your product to the world so what better way than having my data stolen and published? It’s like cheap advertising, no?

4. “We have a great console”

When start-ups build in their environment they make a nice whizzy front end that they use for a few minutes on a local network link to the back-end and with a small set of test data from a few end point systems. In our enterprise environments we have WAN links between desktops and backend, sometimes over satellite from remote areas, we have hundreds of admins, 100ks of endpoints and terabytes of data flowing through our systems. We also have hundreds of security systems to integrate and limited analyst time in the SOC. So I’m dying for a new front end that I can’t integrate with my existing management framework and toolset – then I’d never see your badly rendered pie charts that I can’t cut and paste into my other reports.

5. “The front-end is web based”

Oh great, slow Java pages that don’t load and work properly on the ancient version of IE we get on our desktops. Lovely,

6. “The front-end is thick client”

Oh great, a patching and update nightmare that also means I get some painful licensing and DR site version errors and have to pay extra to get the client packaged and deployed. I’m an easy customer to make happy, aren’t I?

7. “It's in the cloud”

Thank goodness because if you hadn’t mentioned cloud I might have forgotten it is 2009. Either you are using this as a marketing buzz word in which case well done for firmly sitting on that bandwagon or you are not building out your own data centre so you can respond to demands of growth – you’re probably using mains electricity and have an office near public transit – why not include that in your sales pitch as well?

8. “It has an alerting tool for the desktop”

If I thought having a management client for my desktop wasn’t enough of a thrill ride then I definitely want an alerting system –something proprietary and heavyweight or extremely configurable like a hard coded email address (and just one, why waste time supporting multiple addresses?) in every end point for where the alerts are forwarded. Don’t worry about throttling or summary – I love getting 9000 emails/minute when your system has a hiccup as it provides a useful replacement for your failure to include a heartbeat in the communications protocols.

9. It works via "secret sauce" or "magic"

That reassures me that they don’t waste valuable time and money training pre-sales staff to actually understand or be able to communicate the details of the product. Why would I want that? If you did that and your sales team had integrity you might actually tell me when the product wasn’t a good fit rather than sell me any old nonsense and then were would your IPO be?

10. "The next version will support that."

Good, let me give you my money for all the things it doesn’t do, in fact why not show me the same 5 year roadmap for 2 years running but just slip the start date each time, that convinces me to invest exactly as much in your product as you are and saves you time and thinking bothering with a decent plan.

11. "Dave at XXX is one of our reference sites"

Wicked, when I do buy your product then I’m going to be keen to be a reference site – to feed my own ego and try to convince more suckers to deploy it so I look like a visionary (call it twisted skin in the game) so I enjoy knowing that you bandy your highly confidential client contact details to entirely un-validated prospects.

12. "Here is a picture of our head office"

I bet your VCs loved having this in their pitch, and it certainly makes exactly as much sense to show me the picture of the outside of a managed office in a business park. You may be very proud of your move out of your carport or your ability to search on google images but with only 20 slides you’ll definitely not get closer to a close if you tell me about the product so better to show me stuff I just don’t care about but that looks pretty.

13. "Here are our key clients and customers.”

I love a page of badly cut'n'paste logos, mostly at web quality dpi so they look ugly and old versions that break brand guidelines as much as anyone. A particular pleasure is when people pitch with our own logo on the page, sure we are a big company but you’ve got to be gutsy to attempt to get us to pay for your licenses twice – let’s face it, if I’m going to buy it’s all going to be because you spent a long time on the graphic design and look and feel of that page, isn’t it?

14. "It has no CPU impact"

It’s great to come with a hardware upgrade but isn’t that going to be expensive to deploy, oh hang on, what you are really saying is “we don’t bother doing stress tests in a range of circumstances to be able to give you meaningful capacity planning information as you might realise it’s a bloated pile of crap that doesn’t scale beyond 5 users if we published anything like that”. I agree the other wording is better.

15. "It automatically updates"

Great, I do enjoy troubleshooting problems on a Monday mid-morning at peak business hours because all your agents decided to use some insane Hawaiian time zone to schedule their updates. And change control is for companies who don’t really bother with availability, isn’t it?

16. "It doesn't automatically update"

Marvellous, I do love a steadily increasing TCO based on dedicated teams of people packaging, and deploying new versions containing features I don’t want but some big prospect in Japan wanted. For bonus points make sure old agents don’t work with new central servers so I have to do a big bang high risk upgrade or add gaps in coverage if I want up to date versions. Also great to have updates work only from scratch so I have to uninstall the old version and install from scratch so I can lose all my configuration and customisation work each time

17. “No, I don’t think it is covered by any export restrictions”

Yes, I’m certain your intuitive grasp of State Department rules and regulations is spot on because they are instinctive and clear and spending any time or money understanding them and making your product workable isn’t going to be helpful to a global buyer.

18. “Let me do a demo…I just need unfiltered, broadband connectivity right now”

Absolutely, I’m going to allow you to connect your ropey laptop to my corporate network and thanks for not bothering to tell me so I could have got you a wifi guest login or god forbid you bother to set up a WebEx demo or bring a 3g card rather than make it my problem for you to be able to do the demo.

19. "It's common criteria/ITSec certified"

Spiffy, I do enjoy it when you meet some outdated self-defined model rather than actual business needs. Also good to spend your limited funds with certification agencies to chase a government market rather than add features and improve the product. Even better for you to have a strong incentive not to issue substantial security updates to your product because they would invalidate your certification.

20. "It can log everything"

Just make sure you do it in your own proprietary format and ensure all the logging is done locally, we all need to drive a bigger security market so everyone needs to do their bit for log aggregation tools. Also make it so you spread alerts over several lines and change the headers of your data layout between versions. I don’t have any desire to automate this stuff, my SOC teams can’t get enough of this as it really uses their skills in the right way..

21. "It has a very granular access control database so you can control exactly which menu items each user can see"

Brilliant, more professional services, I can see your IPO going better and better, I am visionary to have selected your product, just make sure you don’t add any sensible roles so everyone gets to be admin under a shared account. And as a large enterprise I don’t have enough different stores of user credentials so don’t integrate with any of them. I want a whole new username and password and a system of groups. Who wants all their eggs in one basket?

22. "It scales without limit"

I’m glad the laws of physics and 60 years of IT experience don’t apply to your product. Clearly you tested it on 1, 2 and 3 users so by proof by induction means it scales without limit and make sure you confuse “XXX company was stupid enough to buy a 100,000 user license that now sits on a shelf” with “XXX company has 100,000 users using it”.

23. "Company X has tested it and found no security holes"

You paid someone to say it was brilliant, and they did. That _was_ money well spent. There is nothing as independent as paying someone to say you are lovely, might I suggest you get your mother to test it next time as she’ll be cheaper and I bet she thinks it is really secure as well. Even better if you save money by picking a name of someone I’ve never heard of or go for a big name but a very limited scope so it comes with so many caveats that the testing is worthless.

24. "We ran a contest to show it was hack proof"

Even better if you make the prize be a pile of gold or don’t pay the people who win the contest. I like your gutsy approach of either a) nobody breaks in as organised crime thinks it can get more out of exploiting your product in live or b) some script kiddie owns you entirely and then you have to whine on about how they didn’t follow the rules – because attackers are always following the rules!

25. "It solves/prevents problem X"

Yep, you are actually selling a combined magic beans/silver bullet that will also make coffee. Nothing convinces me you are a well researched and sensible sales organisation as when you convince me it will solve a problem it can’t. PGP ran some great ads about how important full disk encryption at border crossings was after customs accessed data on disks. The fact the customs agents have the legal right to demand the keys doesn’t make that advert bizarre at all. A nice 20/20 hindsight variety is "If only so-and-so had had it then <big bad thing> wouldn't have happened!"

26. "It fixes HIPAA/Sox/BASEL II"

All the better if I’m not in healthcare/listed company/regulatory capital regime. And won’t it be great for me to look down my nose at those companies hiring hundreds or thousands of compliance staff and running holistic programmes across technology and the business when all I needed to do is buy your one niche security product – cost saving!

27. "It's much better than product Y"

I love it when you competition bash because clearly you have many great bits of your product if you use your time trash talking other products. Nothing adds to your credibility if you used to work for product Y company and only a few weeks ago were trying to sell that to me.

28. "Do you like Golf?"

Now we are stepping towards the inducement and bribe approach to selling product, nice. It’s not like I’m well paid and successful so a day of golf is more than enough to make me change my mind and risk my integrity and job. I was going to make a joke about a certain company here but I actually don’t even want to risk my integrity and job for a joke.

29. "Vince, Vince, blah, Vince"/ NLP

It is true that people who trust each other use their first names more frequently in conversation, however you’ve delightfully confused symptom with root cause and I love your cargo cult-style approach of repeating the symptoms in the hope of reaching the cause. Add a little mirroring of my body language and we’ll build so much rapport that I’ll pile my entire budget into your in-tray.

30. What is your no. 30? Add it in the comments below.

When you need to get things "in", "on time"...what tactics do you employ and where did they come from?  When you present to decision makers, how do you frame your request for the pot of gold?

I came across Ewout a few years back on a course in preparation for a popular certification.  He'd paid for it himself and consequently he was getting stuck in, challenging some of the not-so-great material on the course (in a blunt, yet respectful way).  Initially, I rolled my eyes - "this course will never finish" I thought.  Anyway, a few coffee break discussions later and I was joining in.  We somehow managed to suspend our Infosec belief system just enough to convince the people reviewing our test papers that we "got their religion".  Anyway, we've been good friends ever since.  it gives me great pleasure to share a "Mokum joint" with you.  Thanks Ewout!

FUD Just Feels Right [Or how the FUD card was created by the end user and since we couldn't beat them, we joined them.]

By Ewout Meij

My first assignment as a coder, done while still a teen in a programming language that was already old by then, was to decipher barcodes stuck on carts entering and leaving the company's delivery platform to keep inventory of said carts. There was just one single user of the application. All he had to do was check the inventory and enter a cart number by hand if it had bypassed the scanners somehow without being registered.

The reading of the serial data was simple, the requested totals where even simpler. What took me three weeks to complete was the user interface.

Since 'my office' [think of an empty box floating in a giant hall, formerly used as storage for… crap] was right above the work floor I just had to jump down to show my latest incarnation of the interface and get feedback from my user. This proved more cumbersome then I ever imagined. I am not a certified Asperger unlike most of my buddies, but dealing with the ever changing requirements and wish list of my sole user grounded my productivity to a halt.

Bigger letters, larger numbers, less options ["Maximal 2 and not 3 items in the list please"], an amber not green monochrome screen, a clicking keyboard with larger keys: the requests for changes where endless and I would respect each and every one of them. The customer was my senior in age, like 3 times, on IT-literacy I was his to the third power.

One day my boss [there were no managers at the time, they were bosses and owned your ass 120 hours a week if they so pleased] walks in, asks me with a smug smile about the progress of the juniors' assignment and I told him about the logic being up and running for weeks, but the interface issues I was having.

Long story short: next day there was a 16 year old behind the amber screen with one of the first incarnations of my application front end.

This introduction to the awesome powers of the IT wizard shocked me, for all I had faced until that moment was the magic of turning human readable code into pure binary. What I liked so much about hacking for fun and profit was the fact that the box would do exactly what I did, mistakes and surprises included. The spill over from the confined, well-known, trusted, reliable, "turn on and off-able" world to real life was unprecedented and unforeseen.

Loads of water under the bridge since, but what has actually changed?

I dropped the “security” part as description of what I do as I got bored with explaining the exclusivity, availability & integrity trinity, now I call my current role “site reliability engineer” as it better fits the underlying desire of the companies I work for. It boils down to the same old, same old, but it gives me a nice platform to reiterate the importance of all aspects and not just focus on the exclusivity aspect. As a freelancer I face a plethora of issues, companies & people. 9 out of 10 times the intake conversation goes something like "We have an issue with product X and need you to solve it. Get it done!" What happens next is that for a couple of hours, days or weeks even, I'll be given a guided tour through the organization and try to get acquainted with the problem at hand. Very soon the nice technical issue will turn out to be of an inter-departmental process challenge more than anything else. Long time operator|department X|Y|Z will not accept change A|B|C and thus resorts to pure guerrilla tactics, added with a splice of artillery, to prevent change A|B|C to be successfully implemented.

The tricks are basically the same: make it take too long, come up with endless prerequisites, show another far away department's form does not fit the new requirements or call in sick 'at the right' moment.

Here is where not 'we', but the 'user' is playing the FUD card. They've done this since day one, and we are so accustomed to the procedure and its inherent effectiveness that there was no other option than to use it too. But does it work as well?

As a reliability professional part of our job is to come up with metrics for FUD. We show tons of events being generated and… forgotten about. We show intriguing scans of systems, clever IP ranges & routes. We come up with 'simple' solutions to stop XSS, buffer overflows, DOS and try to make the decision makers listen and pay for what we come up with. Multiple Internet gateways, DMZs, proxies, scanners, redundant paths, enforced paths, black hole routers, IDS, firewalls, end point isolation, private IP space and duty segregation. I have done presentations, enthusiastically explaining 'man in the browser' attacks against a particular bank to people so alienated from society, they had a stylist visit me a couple of days before the planned presentation to make sure I looked the professional they expected to see.

With all the tools & smart tricks that we have at our disposal it is of no surprise that a frequently asked question is: "If we let you do this, when will you be here again asking for more?" The famous "Security is not a project, but a state of mind" line does not cut it in that case. It feels like you're asking for a blank check, something not too many BODs are happy to hand out to people who do not have a handicap in golf.

In situations like these only the money oriented approach will swing the doubters over. Get a couple of 'verifiable metrics', divide & multiply, pinch in some climate-gate trickery and show the result to be positive in one form or another. But will it make your customer safer in the real world?

For each and every hurdle we put in place, a de-tour will be found. Example? We have been issuing identification papers for 100's of years and make them more and more fraud resistant. What does Mr. Foo do? He hacks the issuing process.

FUD is something we all use, abuse and understand and it is a Good Thing[™] as long as it motivates action and does not lead to submission.

I'm very pleased to have Rocky as this weeks "Fudsec Friday" guest.  I've had the pleasure of meeting Rocky in a business context.  I quickly came to appreciate he is one of the minority: an information security professional providing true insight and solutions based on real world experience of what works.  To put it simply, Rocky "gets it".  If you read just one blog post today, read this one.  Thanks Rocky!

By Rocky DeStefano

Recently, I was fortunate enough to have the opportunity to listen in on a speech from General Hayden (former Director of the NSA and CIA, in addition to his service as a four star general in the US Air Force).  This man has executed at a level most of use only see through fiction writers and movies and he has done so for 30 + years.  I provide that backdrop only to say that when General Hayden speaks, I not only listen, I listen intently and replay his words and overall sentiment in my head very carefully.  What he said at this event was encapsulated very well by Richard Bejtlich in this blog post so I won’t go into all the areas described in this post.  In short, General Hayden’s speech sparked some long-dormant thought in my feeble brain.  His thoughts energized me to refocus my thoughts and actions to go beyond the day-to-day struggles we constantly fight.  I was stuck in a rut and didn’t even realize it.

In order to navigate our world and interact with it and one another, we as humans had to learn to fly, we had to learn to navigate the oceans, and we had to learn to overcome distances and difficult terrain, by creating solutions to work with the landscape.   We’ve done something quite unique though, we created a new terrain and new domain.  The domain we’ve created is fundamentally different while at the same time it is every bit as tangible as the natural domains we exist in.  The difference is that this information domain is of human ingenuity and therefore in addition to building tools to work within the landscape, we can actually alter the landscape as we see it.  This information domain also exists separately as its own entity and as such evolves at a rate much different than the physical domains.  Perhaps most importantly this information domain evolves, dies or otherwise is influenced based on our human interactions.  It is moldable.  Sure I can agree that humans might affect the temperature of the planet every few thousand years by a fraction of a degree, but we can fundamentally change our information domain on a daily basis if we chose to.   Think about it, we all know that, it isn’t new, but at the same time it’s quite liberating to think about the fact that we can change the entire game to suit our needs, versus playing by rules we can’t change or worse yet play in an environment that highlights the strengths of our adversary.

As this domain has evolved we have set in motion a series of evolutionary steps based on tactical requirements without really having a strategic plan for where it should be headed.  We made decisions along the way that were necessary to get us past a hurdle, but without much rational thought about the impact.  To put it simply there is no city planning going on.  We’re continually developing “solutions” to meet short term needs.  Granted these are real needs, no question, but who is providing the strategic vision of how our decisions will affect how we interact in the future?  For far too long we have applied “fixes” that fit the bounds of the information domain as it exists today.  It is time to start looking at how we can transform the domain itself to more appropriately suit our needs moving forward.  I’m convinced we are in the very earliest of stages in the evolution (perhaps on the doorstep of revolution) with regard to this domain, but unlike evolution on the natural plain this domain can’t and won’t change itself, we must act to influence it to better meet our needs.

Much to my own amusement I see this domain much like a scene from a kids movie - when Jafar turns is transformed into genie in Disney’s Aladdin and he boasts something like “The Power, The absolute Power, The universe is mine to command, to control, to create” and we get it without the constraint of living in a bottle.  The constraints that apply only exist in our minds and actions.  We need to get out of the mindset of applying protection techniques based on physical realms and focus on evolving the entire environment to better suit our needs moving forward.

I’m certain as we start this dialogue that more fundamental aspects will arise – which is exactly what I hope to elicit from this dialogue but here his where my current thought process has lead me to consider with regards to how to step out of our box and move our eyes towards the horizon.  I’ve bundled my thoughts into a few categories, leadership, research and information sharing.   I’m sure your thoughts will help us all to refine this into much more!

Leadership:  I’ve come to realize that there is no one coming to save us from ourselves here.  No government czar, compliance initiative, nor vendor product suite is going to pave the way.   Homeland Security, NSA, Military, Congress, The White House – they’ll all continue to play their part, but let’s be honest here they have not and should not drive the overall thought process here.  We must all define how we chose to exist in this domain.

Certainly we should encourage government and legal involvement along the way so that they can contribute as appropriate.  In the end the government should be involved to enable us to succeed in this domain, not to define how it should be crafted – at least not without our agreement.  Yet we wait the announcement of the all mighty czar… it’s crazy.  I believe that we can lead from right here, wherever here happens to be.  There are dozens of examples, but I chose just a few to highlight some of the decisions we’ve made and how we can start making better ones moving forward.

1. Information Security Leadership.  We need to start pushing back at all levels here.  It’s my opinion that business’s need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk.  Risk to the mission, risk to the business not the risk to an asset.  We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than secure model and on a playing field that is skewed towards the success of our adversary. 

As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives?  We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business.  We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?

Partners, Vendors play a critical role in helping us reach our goals; they should also play a role in the thought leadership moving forward. Product and solution vendors have done a great job in developing solutions to meet our defined needs along the way as we’ve evolved in our usage of information systems.  We’ve all witnessed some seriously cool steps forward over the last 15-20 years, but recently many of those solutions have been evolutionary in nature, not necessarily innovative, but more and more they are band-aid fixes for problems we’ve encountered or realized.  

Don’t get me wrong it is a very necessary evolution, but we’ve hit a point that we need to start thinking about long-term health and welfare of how we interact as humans.  We need to find ways to encourage that vendor thought leadership onto a larger more strategic problem-set.  I would encourage those customer facing people with consulting and/or vendor organizations to take a very basic consultative approach on a daily basis: listen to your customer’s actual needs, not always what they state as a need (PCI Compliance, etc) but to the goals they are really trying to solve and communicate those findings inwardly to your organization (and in general terms externally to the community).  The more inputs for this information stream the more refined the thought process can be.  You can’t imagine the amount of information that some of these folks have in their heads they just haven’t been heard appropriately.   

To those that manage consultants - please encourage your staff to listen and enable meaningful communications, in fact I would challenge you to incentive your staff to provide this input.  Give them the opportunity to buy in to more than just a single technology, but into solving a much greater problem.  This may mean some major internal change in thought about how to approach management of teams, customer engagements, support, product development, etc – that’s exactly the point – we need to learn to listen better to the larger picture and not the point in time snapshot.   

Those were two very basic examples of how we can lead from wherever we sit in the organization there are literally thousands of other examples out there.   I hope you can see that I’m suggesting leadership by example – you can still enable business using these techniques, you just have to get past “the way its been done”. 

2. A key component in moving forward has to be a dedicated focus on Research and Development.  I mean significant investment in R&D on a national and international scale, information sharing about current and proposed strategies across industries, etc.  We need to be pushing our employers, VC’s, governments into broader research initiatives.  We need an innovation revolution at this point, not just evolutionary point solutions. 

There are some very recent initiatives that show promise, like the announcements by Northrop Grumman that NG is sponsoring information research in conjunction with Carnegie Mellon, The Massachusetts Institute of Technology and Purdue University.

If you will, think of these research opportunities as form of health care for our future, I don’t care how it’s justified but we need to act in support of efforts like this in every way we can, perhaps by offering state or federal tax credits?  Certainly I can agree that we need to watch spending and as such we should have to pay for performance, but we need to encourage strategic innovation versus tactical evolution (band-aids).  The investment in long-term strategy has been anemic at the federal level.  We’ll spend millions on watching the effect of gnat bites on mouse nuts, but we haven’t found the necessary stomach to pay for the ability to effectively comprehend where we’re headed as a species as it relates to communications, business and everyday life. 

3. Perhaps the most immediate thing we can influence is better Information Sharing.  We need to start thinking about how we can change the IT Domain into something that allows for a level playing field.   The old adage “The enemy of my enemy is my friend” applies very well here.  It’s ridiculous to think that our teams are better off not talking with industry competition about defensive strategies. The other side is free to share, adapt and overcome as they see fit, yet we tie our own hands and ask for beatings – and hope they don’t hurt too much.  I’m really not into S&M.  I’d rather retake control – how about you?

A few good examples to learn from already exist, the Defense Industrial Base (DIB) has an information sharing related to APT (Advanced Persistent Threat) detection profiles, and workshops like SANS “What Works” or IANS Summits are a great beginning to this conversation,  but in reality they are very limited in reach and only relevant at a point in time.  We need to develop more daily interaction at a deeper level.

Summary:  I’m in no way suggesting I’m intelligent enough to have all the answers, or to have even fully described the problems, I’m simply stating that we need to elevate our thinking and we must invest in the thought process and commit to the information sharing required to make the decisions necessary so that we may shape our own destiny.  As I see it we must all act on the relevant fronts (Leadership, Research, Information Sharing, others?) to better comprehend the changes and position ourselves to be able to make the changes necessary in the future.  That’s my starting point, how will you enhance the conversation?
 
Disclaimer:
The opinions expressed here are my personal opinions. My views and opinions are subject to change based on the input I consume and the analysis I apply to those inputs.  Content published here is neither read nor approved in advance by my employer and does not necessarily reflect the views and opinions of my employer. 

I'm delighted to welcome back Nick Selby, now Managing Director of Trident Risk Management, for a special fudsec Thanksgiving edition.  Thanks Nick!

Update 30th November: modified text at request of Nick re: mitigation to avoid distracting from the main point of the post - Ed

By Nick Selby

The critical infrastructure security debate has reached, well, a critical juncture. However in the United States, the debate has been limited to either more government regulation or proactive mitigation on the part of private utilities. Since I write from America on the day we Americans give thanks for that which founded our country and made it great, let's attack this issue from a third front.

Let's get the customers pissed off, so that they vote with their wallets.

Because the US' infrastructure is mainly privately owned, the only way utilities will upgrade or properly configure their systems is under pressure of market demand for it. If the US business community, armed with the understanding of the risk of utility interruption to their enterprises, demands better service - that is, they demand that their businesses are better protected by those they pay to provide them with power - then the utility markets that are the most competitive will become the safest.

There's a strong business case here: many exploits of the vulnerabilities in our electrical power grid cost little to mount and cost a lot to remediate. As security researchers, practitioners and thought leaders, we can articulate a business case to American business leaders:

• You're being forced to accept risk. Utilities are offloading risk of an outage to their customers, by charging for power and reliability and not mitigating even obvious, well-known risks;
• The risks are to your people, your property and your profits - that is, they are to your brand. If your business relies on power for mission-critical or safety processes, the failure on the part of utilities to remediate means your customers and your brand are at risk - on the terms of the utilities, not your business' risk managers or your shareholders;
• Cleaning up after the risk becomes reality is a hidden tax on your business and on you. The consequence management aspect of a loss of the power grid of even 20 minutes are massively high in terms of life, safety, profits and our national sense of well-being and safety. By not remediating these risks, utilities are offloading to us taxpayers the cost of clean-up and restoration after a catastrophic failure.

With respect to the last point, I seem to recall us fighting a war over taxation without representation. I submit that this is another one. I know that some utilities will be mad at me for saying this, but as far as I can tell, they've had their chance to take action. Now it's our turn.

Some high-level context
This may be stating the obvious, but what's obvious to people who look at this problem a lot is not obvious to people who don't.

For years, public and private security researchers have been pointing out that the networks at electric utilities were reliant on the thinnest veneer of security - if that. This was not because utilities didn't care, it was because utilities built themselves for the functionality of production of electricity in an age when their networks were truly air-gapped - that is, they were physically separated from the Internet.

To further state the obvious, one big problem is that these networks haven't been truly air-gapped for years and years, but the utilities continue to behave as if they are. And there's a great deal of reliance on plain old security-through-obscurity.

The government can make recommendations and even some regulations, but at the end of the day, and here's another obvious statement, the reason the majority of electric utilities in this country haven't upgraded their security is because doing so is expensive and there's not been any publicly released information about a compelling reason to spend the money.

Hacks or DOH! - Cause Is Less Important Than The Impact
Whether a successful attack on a US utility has happened already, it will happen (not for nothing, but there are active investigations of such attacks underway now). Regardless of the cause, bringing down power networks has life-and-death consequences. Security professionals sometimes forget the 'A' part of the CIA triad (of confidentiality, integrity and availability).

I wrote recently that in 2008 an ice storm blacked out much of my county for eight days - my family spent eight days with sub-zero temperatures and no water, heat (except my woodstove) or even telephone. Life changed dramatically for us, very fast. It is, being obvious again, very important that we safeguard against attack or misconfiguration or any other event that brings down the power grid.

In a recent post on Errata Security, Robert Graham rightly pointed out two important things:

As a pen-tester, I know that our power grid is insecure...I know I can hack in from the Internet and cause power outages. However, government regulation isn't the answer.

Not only has government regulation not been the answer, but private industry has ignored, largely, government initiatives of exactly the kind I would expect would resonate with the security community and the public at large. In many cases, the guidance is specific, limited in scope to what is necessary, driven by expert analysis and input from leaders in security research, vendors, private and public employees and regulators; in short, it's the findings that come after Mr Smith went to Washington.

And still, it's pulling teeth.

A Good Example: Aurora
A perfect example is the Aurora vulnerability (See the Power Point here, page 8, for more), because it has been public knowledge for about two years, the cause is understood and the mitigation is straightforward and well-understood. There's so much great published research and congressional testimony on the problem and its solution that I cannot believe that there has been such low takeup in doing that.

In just two days of scouring open source, unclassified documents I was able to put together a basic mitigation strategy sheet (and to scare the crap out of myself about how easy and inexpensive it would be to mount an Aurora attack). Yet, anecdotally, it seems that only a really small percentage of substations have been protected against this well-known vulnerability. By the way, I don't charge customers to see this remediation sheet.

What Is To Be Done?
After consulting with a number of people in and out of governments, I've decided that the best way to use this information is, at no charge to them, telling businesses which depend for mission critical processes on the public power grid. The at-no-cost part is important to me, because I believe that this is an issue too important not to share.

It's my hope that in sharing this information, outlining the issues and explaining to business leaders how they can and should raise them with their utilities, the utilities will see that there is in fact customer demand for mitigation, and come at this from the market side.

I had asked for a debate and a discussion, so here's my contribution: I'm suggesting all pen-testers and consultants who've looked at this to get vocal - find something within the field that raises your level of concern, something that can be mitigated rather easily.

Then, as opposed to trying to monetize that knowledge directly, help your customers articulate concern in a way that matters to the private utilities: "We, your paying customers, find this to be a risk that you should mitigate. Please do so." We should also help the utilities find federal money to contribute to their effort to help mitigate these risks. Hell, if they're going to throw all that money around on "infrastructure" projects let's at least get some in this area - the government has made it clear that it would like to.

If many of us who have the ear of the customer and the knowledge of the issues do this in a constructive way, we can go a long way to raising the bar. In the end, the real questions remain,

• How hard is it to exploit vulnerabilities in our system?
• How can we make it harder?
• What help is there for private industry to raise its bar?

Many have said that action is not that important, because "no attacks have happened yet on American soil." Arguments about whether attacks have happened are for another forum, but if your main argument against mitigation is justifying the cost with evidence of an attack, I'll ask you this question:

What is the cost of wrong?

I hereby pronounce today "Cyber-FUD-Friday".  I don't know about you, but I tend to whince anytime someone uses the word "Cyber".  Combine that with an emotive word like "war" and suddenly everyone has an opinion and is touted as an "expert".  Huh, kinda reminds me of Cloud Security ;-).  This weeks guest post delivers a much needed dose of perspective.  Thanks Jayson!

By Jayson E. Street

456 BC: Aeschylus, a Greek playwright, was killed when an eagle dropped a live tortoise on him, mistaking his bald head for a stone. The tortoise survived.

Dying by a falling turtle has been documented and therefore is a proven threat. However it still remains unlikely for you to die that way. Cyber-War (what the cool kids are calling it) has in fact happened.  This proven threat does not necessarily mean a country’s smart grid is going down anytime soon.

I started doing research for a book I am writing which includes cyber-warfare. During that process I was startled by a few things I observed.
1.People who know what is going on don’t talk about it to either confirm or deny it. Conversely, people who don’t really know what is going on have no problem speaking about it at great length with much authority.
2.In a realm where anonymous attacks are the norm not the exception, people are really quick to lay blame on who is doing what.
3.Everyone is INVOLVED!

Observation One: I am not an expert on cyber-warfare. This is just something I started researching for supporting material in a book. Like a lot of people I had been reading about on this subject, I had not been to any of the countries commonly named as participants in cyber-warfare.  I knew I would not get good answers without “boots on the ground” experience.  I applied for my passport and took my first trip outside of the USA.  I wanted to see what was really going on.

The best place to begin seemed like China.  After all, the people where were doing the talking were dropping that name with great frequency. I attended Xcon where I had dinner with GoodWell, the founder of the Green Army.  He is commonly known as the godfather of the Chinese hacker movement in with activity going back to 1997. He has gone the way of his Western counterparts.  He has left his past to apply the knowledge gained from underground hacking and illegal breaches for a more legitimate profession that pays better and comes with cool business cards.  He now consults with billion-dollar clients.

I was amazed to sit there and listen to his concerns of how hacking has become more a tool of crime rather than exploration and political action. Here was one of the major figures of the Chinese hacking culture expounding on the problems with criminal hackers and worried about so many attackers assailing Chinese networks. In fact, the typical Chinese home computer user is under constant attack from bots, Trojans and also a virus here and there (sound familiar?). 

So my first trip abroad was a real eye opener.  I learned to not be so quick to judge or take everything I here about “Cyber-Warfare” as gospel.  It was after I returned home that I started listening more to what “experts” were saying about cyber-war.  I realized most have been using data from certain 2003 incidents.  Their opinions were not based from data gained first-hand.

Since then I have traveled to other countries and gained a more open perspective of what is going on in this realm. The most important thing I have learned still remains what I knew from the beginning. I am not an expert, but I can form opinions based on what I know first hand.  I am limited to information in the public domain, but that is not all there is to the story.  Most of the sources offering opinions have the same limitation.

Observation Two: I believe this to be the biggest problem facing those who are on the front lines – the battlefield is virtual. A physical attack is much easier to detect and trace back to the source. You can see the path the attackers take.  You can see the bullets they fire. The person attacking you with a DDOS is harder to trace.

The recent attack on South Korean and United States websites showcases the perils of being quick to judge and even quicker to accuse. For example, within a week of the attacks Congressman Peter Hoekstra of Michigan (1) insisted we needed “to send a strong message.”  Yet to this day there has been no positive proof who was actually responsible.

With $50,000 USD anyone can hire a botnet to replicate these attacks. It is that easy because most criminals are not motivated by politics but by money. This also poses another problem. When anyone can hire or create their own army of compromised computers does it make the impact less because it was a guy in Paraguay who was curious and wanted to see if he really could take down the White House website? In a way it would be more comforting if such activity were limited to the high tech branch of a rouge nation launching an opening salvo in a cyber-attack. That can be an easier target for a response.  But the same damage is felt regardless of who dealt the blow.

As time goes on expect to hear about more cyber attacks that are “thought” to be either this country or that country but with no publicly available proof of who was responsible. This is a problem that will not be going away. So how can you protect and more importantly trace the attacks when the bullets appear from everywhere including from your own side?

This brings us to Observation Three: who is now involved in cyber-war activity? The answer is EVERYONE! I would say (just my opinion based on my research) that most every industrialized nation is working on a military hacking division (or whatever a government wants to call it). The Chinese were probably the first with the Indonesian cyber-skirmish in 1998(2). 1998 was also a notable year for the ramping up of cyber-warfare capabilities in the USA.  Attacks on Serbian air command were used to help facilitate USA airstrikes as well as targeting enemy bank accounts (3). Also in the late 1990s, a computer specialist from Israel's Shin Bet was able to compromise the mainframe of the Pi Glilot fuel depot north of Tel Aviv (4).

So here we are over 10 years later still wondering what “Cyber-Warfare” is, who is doing what, and what can we do to defend ourselves?  It is also a safe assumption that everyone is also getting much better at attacking.

We are not learning from the past and the old adage bears true that we will likely repeat it. The 1980’s were the decade to fear the nukes. This decade we fear the digital arsenal. The good news is we did not die in atomic fire (though that was a proven threat). The bad news is we found something else to fear (and we always will).

We need to understand the threat of a digital holocaust is a possibility. And so could a nuclear war break out, Swine flu become an epic pandemic, a meteor wipe out all life on the planet or a falling turtle kill one of us.  The threats are real.  But should we panic?  No, probably not.

1. http://www.scmagazineus.com/cyber-retaliation-debate-is-north-korea-guilty-of-ddos/article/139968/
2. http://www.disasterpreparednessblog.com/disaster-preparedness-blog/2009/10/22/chinas-cyber-warfare-capabilities-highlighted-in-report-to-c.html
3. http://findarticles.com/p/articles/mi_qa5332/is_1_48/ai_n28827258/?tag=content;col1
4. http://www.alertnet.org/thenews/newsdesk/LV83872.htm

TGIF!  A recent flashmob poll of CISOs discovered that the flagrant abuse of statistics, graphs and number theory misleads at least 5*9+(sqrt 10)^3 of decision makers "most of the time".  Returning guest Lori Mac Vittie came across a recent "study" that caused her to reach out for a key tool of the professional defudder -  the humble calculator.  Ah yes, ladies and gentleman - every number tells a story - which shelf in the bookstore that story belongs is a different matter.  Read on as Lori takes aim at the numbers from a recent "study".  Thanks Lori!

Lori Mac Vittie

Technical Marketing Manager for F5 Networks.

The latest study “State of Internet Security” from WebSense indicates that 95% of all user-generated content is, well, to put it simply: crap. Even more frightening is the conclusion that “61 percent of the top 100 sites either hosted malicious content or contained a masked redirect” and “77 percent of Web sites with malicious code are legitimate sites that have been compromised.”

OMGWTFWEB2.0?

It’s enough to keep you away from social networking sites, surely! After all, the “top 100 most visited Web properties…tend to be classified as ‘Social Networking’ or ‘Search’ sites.” Facebook? Twitter? MySpace? My god, they’re probably all infected. Grab a face mask and pull that cable from the wall lest you catch some social (networking) disease from visiting your BFF Jill’s Facebook page.

Now that we’re done (I hope) having hysterics and fear-induced panic attacks, let’s consider the math for a minute, shall we?

Facebook now has 300 million users. Let’s assume that each user has at least one piece of user-generated content on their Facebook page cause, well, it’s a very user-content driven site. That means that of the 300 million home pages on Facebook that 95% (285 million) has either a malicious link or other insecure content. Conversely that means that 5% (15 million) are clean, uninfected, safe pages.

The average Facebook user has 120 friends or 281 friends, depending on which news article you might be reading. Let’s just assume for mathematical purposes that the number is somewhere in the middle, at about 200 friends per user. Let’s pretend, too, that you visit every friend’s page in a single day. Because it’s your day off, of course, you wouldn’t actually do that at work.

The mathematical likelihood that one of your 200 friends is one of the 95% that is infected is infinitesimal. Visiting a second-order friend (a friend of your friend) makes it more likely, but in mathematical terms one could still categorize the risk as statistically insignificant. In other words, all this hubub about how much content is malicious and insecure is a blown a bit out of proportion; considering the magnitude of the numbers we’re dealing with we could say 99% of all content is crap and still not raise your security risk much higher than it is today.

That is, of course, purely a mathematical view of the security risks associated with social networking. Generalizing statistics can be useful, as can statistical sampling. But we  - both as pushers of that data and as consumers of the same – need to be more aware of how the magnitude of the data behind those statistics affects the actual risk involved. It’s always more fun to say 95% than to give a real number, especially when those numbers are so large that they essentially lose meaning to human beings. And we know that people will interpret 95% to mean 95% of the content they visit because that’s the way it’s presented. But is that reality? Likely not, unless their behavior on-line is such that it puts them more at risk because they’re visiting and connecting with a higher percentage of the content out there.

The reality is that there’s only so much providers and vendors can do to protect individuals online. Web application firewalls. Firewalls. IDS. IPS. Vulnerability scans. Anti-virus. SPAM filtering. These technologies are necessary to reducing risk in general and they do, but the best and primary protection mechanism in every user’s arsenal should be themselves. Users need to educate themselves on the risk inherent in today’s increasingly connected web of content and proactively examine content presented to them with a more educated eye. And they need to be aware that at least part of the risk incurred from user-generated content is self-inflicted: the more content, the more friends, the more connected they are, the higher the risk of stumbling into malicious content.

The danger in generating such a false sense of insecurity is that users will begin to fear content and links to content, which means they’ll fear the Web in general because the whole premise of the Internet, of the World Wide Web, of Web 2.0, is links and content and the intricate relationships between them. The web is useful because of links and content and user-generated content and yes, much of it contains malicious code and other nasty tricks. But rather than scare users with statistics that don’t accurately portray the risk to them we ought to do a better job educating them on how to recognize malicious content and provide simple ways for them to report or tag or otherwise mark malicious content when they do find it so we, as protectors of data and users and content, can continue to innovate new ways to automatically handle removing such content from our applications and sites.

Instead of scaring users let’s engage users and make them part of the solution rather than just another part of the problem.

Sometimes you just have to tell it like it is.  And this week, the man that puts the "Paul" in "PaulDotCom" does precisely that.  From system administrators whining, to defense in depth, this invited guest post challenges some common assumptions and provides an actionable response.  Thanks Paul!

By Paul Asadoorian

Microsoft patch Tuesday, or "Black Tuesday" as it is referred to as, has been around for some time.  At first it seemed like a good thing, with all these patches coming out it gave people time to plan accordingly and get them installed in their environment.  I firmly believe it was a knee-jerk reaction that has plagued us since 2001-2003 when "worms" and network-based vulnerabilities were being exploited on a regular basis.  The time has come to react more quickly to the wide variety of threats posing organizations infrastructure, and have the flexibility to apply patches as they come out, not just once a month.

I remember it fondly as I worked for a University at the time patch Tuesday was being dreamed up.  It was a time in a land where XP firewalls did not exist, nobody blocked the NetBIOS ports from the Internet, and the term "automatic updates" was something that did not exist.  Machines were getting compromised faster than they could be rebuilt, in fact many became compromised WHILE they were being re-built.  At some point, someone hit Microsoft with a clue bat and they began coming out with patches, lots and lots of patches.  Before you know it systems administrators were overwhelmed with patch installations, and were not armed with the appropriate tools to handle the patches.  So they do what some systems administrators do best, they bitch.  I have to admit, when I was a systems administrator, I did my share of bitching.  Its that kind of job, somewhat thankless, so bitching came with the territory.  But in this situation, it caused Microsoft to take a step back and think about how they release patches.  Then, Patch Tuesday was born (along with exploit Wednesday).  This meant Microsoft was now holding back patches, saving them up for one release!  While I started to grow hatred for this method, systems administrators did less bitching, which makes everyone's lives easier.  Another factor that played heavily into the decision to release regular patches was desktop management.  Very large corporations with 10s of thousands of desktops incurred costs when applying patches.  Each of these desktops, and servers, needed to be rebooted in order for the patches to apply!  This adds an economic factor to the equation, meaning is costs money for organizations to apply patches.

Times have changed and its time to evolve.  The regular patch release schedule got us over a hump and got systems administrators in a grove of applying patches. However, Imagine this situation:  

There are terrible viruses running around in the real world (like ones that infect you as a person, not your computer).  Your doctor is getting the vaccinations as soon as they are available.  However, its left to your doctor to determine when they are applied.  So to make things easy for everyone, vaccinations are done on the second Tuesday of every month.  In the mean time, you and your family (are users like children?) are vulnerable to the virus, some of which can be fatal, and others that are not so bad.

Let me ask you this: if it was your family, how would you feel about vaccinations that only come out on the second Tuesday of every month?

You should be equally as outraged about patch Tuesday, and here are some things you can do about it:

Set your own patch schedule

This is something I have been preaching for some time.  As an organization you need to evaluate the threats against your business, and prioritize the defensive measures you implement (if any).  You should not have to wait for an third party to release patches, they should be applied according to your own priorities.  Security is about evaluating risk and I can assure you that you can do a better job than Microsoft of evaluating risk for your organization.  

Define your own threat level

The other aspect of security that Microsoft believes they have covered for you is determining the criticality of each bulletin (which can contain multiple vulnerabilities, which doesn't help!).  What is deemed "critical" by Microsoft may not be as critical to your organization.  Evaluate each vulnerability, not just the bulletin, and think about the impact it has on YOUR organization, not the rest of Microsoft's customers.  Home users, small businesses, governments, health care, universities, they all use Microsoft products in some capacity, do they all treat threats the same way?  Hell no, and neither should you.  Define what "critical" means to your business, and that means reading each of the security bulletins when they are released, in detail.  So, on the second Tuesday of every month, get a bigger cup of coffee, sit down, relax, and enjoy the ride.

Conclusion

Dumb Questions: Is it "wormable"? Is there "public exploit" code available?

The real question you should be asking: "How does this impact our business?".  

Lets get one thing clear, evil bad guys have exploits.  They have exploits for stuff we don't know about yet.  When a patch is released, its too late. Shortly after a patch is released, its really too late.  So patching needs to be built right into your operations and balanced with your business plan.  Don't get caught up in the hype around "remote exploits", "wormable", and all that crap, take matters into your own hands, at least as much as Microsoft lets us. The game is risk mitigation, not patching.  But we can't rely on MS to provide reasonable, workable, mitigants to many of their bugs based on track record.

How well do you think you know FUD?  Anton knows FUD.  He's sliced, diced and presented the head of FUD on a plate so we can examine it from a different angle.  If you're a FUD hater, that considers they never use FUD to "get things done", this post is especially for you :-).  Thanks Anton - great post!

By Dr. Anton Chuvakin

FUD or Fear/Uncertainty/Doubt triad seems better known than the other security triad: C-I-A.  It seems inextricably linked with security industry as well as with security technologies. After all, don’t we reach for some extra safety and security if we fear something, feel uncertain about something or doubt something?

While few CSOs and security leaders admit that they build their security programs based on FUD, below we will hypothesize that FUD is indeed a meta-level above risks, threats, vulnerabilities as well as compliance mandates. FUD’s role in security today probably overshadows the role of any other factor we know.  To put more substance into our discussion, here are some well-known examples where fear, uncertainty and doubt manifest themselves:

• Fear
• Getting compromised by attackers
• Failing an audit
• Suffering big loss
• All of the above: Failing an audit + getting hacked + being dragged into a media circus
• Uncertainty
• Keeping  a security leadership job
• “Keeping the wheels on” for security infrastructure
• In case of an incident, loss amount is uncertain
• Threats and their impact
• Doubt
• Security mission success
• Effectiveness of security measures
• Support of senior management

Further, many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today! Big Hairy Ass Risks (BHARs) dominate both the FUD-infested security vendor materials as well as internal CSO presentations. Note that very few of the BHARs are truly imminent and thus fall out of FUD realm as there is no uncertainty about them - just like only few people develop phobias of poisonous snakes (which would be a very useful phobia to have).

In light of this, we have to accept that there are benefits of FUD – as well as risks.

The benefits of FUD stem from the above view of security which is defined as “being free from danger” or ”measures taken as a precaution” against something bad.

First, in the world we live in, FUD works! Demonstration of a BHAR followed by technology purchase or control implementation does reduce possible loss of not only due to said BHAR, but also due to other threats (if BHAR ends up being completely mythical). Such implementations often also deliver other useful things for the organization. It is worthwhile to remind that “FUD selling” applies to CISOs no less than to “enterprise software” sales people. It also applies to “fear of auditors” as well as “fear of attackers” – both drive security adoption, even if lately the former seems to be winning.

Second, keep in mind that many of the BHARs are both genuinely scary and, in fact, likely. Scaring a company into updating its anti-malware tools (despite all the concerns about their relative efficiency) or into deploying tools to collect and analyze logs is excusable, at the very least.

Third, many proclaim that people need to be naturally drawn towards doing "the right thing" after being educated about what the right thing might be and scaring people into action is not that efficient. The technical answer to such concern is a resounding “Ha-har-ha!!!”

Finally, for years FUD was used to sell insurance as well as safety features in cars and other products, legal services, to make people update their boring DR and BC plans, and other good things. Fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive, all the way down to resolving political tensions out of fear of a nuclear war…

Admittedly, Fear/Uncertainty/Doubt approach has issues as well. The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.

Second, it is well-known that magic of FUD wanes if you invoke it too often. If you scare your customers or your management into taking your product or your security agenda seriously, they are almost guaranteed to stop listening to you at some point. However, if enough BHARs manifest , FUD approach will continue to be fairly productive. One can get desensitized upon hearing that "sky is falling" too often, but here is the thing: I am willing to take the risk of such "desensitization" given that sky is indeed "not quite stable."

Third, FUD power – as any other power – corrupts whoever wields it too often. If you end up scaring people into action or spreading uncertainty, you might well lose an ability to win security arguments any other way. Also, if fear is a motivation for every decision you make, checking into a mental institution is not a bad idea. You might actually be paranoid!

Finally, I’d like to bring up the good old “greed vs fear” model for advancing security, last mentioned at BlackHat by one of the speakers. As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick out favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…

To conclude, fighting FUD is a noble pursuit; Don Quixote thought the same about fighting windmills. Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated…