Testing the Vendor Guarantees. Guaranteed Security….Just Show Us the Money!

Every now and then, a vendor makes a claim about their products or services that actually gets tested.  Not by a lab with a "representative" environment, but by Blackhats in a production environment.  Read on for just such a case...  My thanks to Drazen for delivering a fudsec sledgehammer :).

By Drazen Drazic

I’ve been waiting a while for a higher profile test case and it’s finally arrived.  

Integral Energy, one of Australia’s largest energy corporations, has been in a spot of bother in recent times as reported here: 

http://www.smh.com.au/technology/security/sinister-integral-energy-virus-outbreak-a-threat-to-power-grid-20091001-gdrx.html 

If all reports are correct, the critical infrastructure organisation’s networks “are protected by a Symantec security solution”.  

Now going by my last correspondence with Symantec here, they guaranteed me that their product would provide “…..proactive protection against unknown and zero day threats”.  

Being slightly dubious of these claims, I asked for confirmation of the claims and was told by the Symantec representative: “I can confirm this statement is correct”.  

Wanting to double and triple check that they stood by their claim (being the cynic that I am), I asked again, and they re-stated the claim, albeit slightly modified the next time, but with the end message the same: “This is one of the value statements of our product which we stand by but I cannot personally guarantee that anything will not happen. If you configure and install the product correctly, then we will stand by this statement”.  

Now Integral Energy may have a claim here. But I wonder if Symantec can argue the case that they only provide “…..proactive protection against unknown and zero day threats” and this being an old piece of badware, means all guarantees are null and void ;-).

Do the Evolution...

Joshua Corman is the invited guest this week on fudsec.com.  This post goes pretty deep to the core, thus for maximum benefit I recommend reading at least 2 times :-).  I know Josh is looking for feedback/comment on this post so let us know your thoughts by leaving a comment.  Without further ado...thanks Josh!

By Joshua Corman [twitter]

Change is constant - and security professionals are change averse. To become partners to the business, we must have the courage to embrace and enable change. If we don't, we continue to fight the last war and remain an obstacle to the business.

“The path of the security professional is beset on all sides, by constant and turbulent change.” We find ourselves in a time of unprecedented change. The image below is currently my “one slide” I use when I talk about information security.

Cost, Complexity, and Risk have grown to unprecedented, unacceptable, unsustainable levels. Why? Well, in part, the sum total is being fueled by turbulent and accelerating rates of change across these five fronts:

1) Evolving Threat: The adversaries have shifted from Prestige, to Profit, Politics, and Prestige – and jumped from 1st gear to 5th gear – showing no signs of slowing.

2) Evolving Compliance: Compliance has eclipsed Threat as the primary driver of Security. Why? As a CIO so eloquently stated, “Josh, I might get hacked, but I will get fined.” Vendors follow the money - and the money is in compliance… Is anyone even trying to solve for our threat needs anymore?

3) Evolving Technology: Innovations like x86 Virtualization, Cloud Computing, iPhones in the workplace, and social media… barrage us at every turn. Each beneficial advance requires tremendous efforts to assure we can reap the benefits while preserving acceptable risk.

4) Evolving Economics: The global economic meltdown has slashed headcounts and cut budgets to the bone – further challenging our ability to address these sources of risk.

5) Evolving Business Needs: The changes that should affect the risk of a business are the ones that the CEO, Board of Directors, and their industries demand. Businesses are seeking ways to better collaborate with their clients and partners. They want to enter new markets or become more agile. Will security be the reason they can take these valuable risks? Or will security be the reason they cannot?

Evolving Security Professionals: What about our profession?

What is blatantly obvious to me is that “Evolution” is the headline.

What is also obvious to me is, the only thing not evolving is the good guys.

Where is our evolution?

Our population tends to be pretty risk averse. We tend to hate change. Change == Risk, right? Given that we are beset on all sides by constant and turbulent change, what does this mean for our roles?

For years we’ve been the person saying “No” to change. Can you now shift to become the agent of change? Instead of lying down on the tracks in front of the moving train, can you be the reason your company safely and selectively embraces the Cloud and its benefits to the business?

I see no signs that change is slowing. In fact, the signs are that change is accelerating. I’m pretty sure many of us will not make the required changes.

Many of you won’t want the job as our roles continue to morph – half of you are already unhappy. Those who continue to be at odds with the business may be asked to leave. For those who are capable of evolving, what are you waiting for?

We cannot continue to take backwards looking, static approaches to an ever changing, dynamic problem space. It is a fundamental mismatch. It clearly isn’t working now – and is only going to get worse. And no, static PCI rules are not going to save you. When the next major breach was *also* PCI compliant, should we be surprised? Would Einstein find you insane?

To date, there has been a stunning lack of evolution on our part. Change happens. Those who adapt, thrive. Those who fail to adapt… perish. Natural selection may help to thin the herd. Are you fit? Or unfit? Would Darwin be proud?

Most of my work over the last few years has been to challenge conventional wisdom. We need to get to the marrow of the things which prevent us from being more agile and aligned with that which matters most. We need to get past reacting to the last war and start strategizing for the next one. We started Information Security with Signature AV and Firewalls. Can you name *one* security control we’ve retired? Are we keeping pace?

The best of us love a challenge and thrive on this kind of change. There is a lot of latent talent in this industry. Now is the time to turn that potential into kinetic energy. Or we could continue to whine about PCI ruining risk management…

Improvise! Adapt! Overcome!

Learn to play Chess – you have incredibly talented and strategic adversaries.

Study USAF Colonel John Boyd’s brilliant OODA Loop. Observe, Orient, Decide, Act [repeat].

If you are feeling a lack of purpose, read LTC Dave Grossman’s On Sheep, Wolves, and Sheepdogs. Where are our Cyber-Sheepdogs?

My good friend Eric Hanselman once said, “We need the courage to sacrifice the past on the altar of change”.

Do you have that courage?

Separating the Men from the Boys

Do you hire security consultants?  Perhaps you are one...  Wim from Belgium is this week's guest and fires torpedoes into what some consultants today consider as 'established practice'.  As with many things in life, just because everyone else is doing it, doesn't mean you have to follow.  It all comes down to how you define value.  Value for your customer or some deluded sense of self-value hinged on the "latest and greatest" vendor.

By Wim Remes

I enjoyed reading Balazs' post a few weeks ago and what he was telling us was nothing but the truth.  I would like to expand on the subject and maybe wake up a few more dogs while rattling the cage.  That's what we are here for.

Sure, we see customers every week coming to us because they have a particular problem and they think they need a point solution for that.  Do you see what the key word is there?  Right, it is "think".  They call us to advise them on their choice.  Now, consulting has changed a lot in the past years.  Where we actually built solutions from the ground up about a decade ago, we are now led by marketers and companies with a big budget which have built an ecosystem around them of silver, gold and platinum partners who are rewarded when they sell those specific solutions, wait, I mean products.  In the process, they have actually dumbed down the consultants that were once bright and inventive people by feeding them product-specific certifications.  Nowadays, you rarely find a "perimeter" specialist. You will find tons of $vendorname certified engineers though. 

You, as a customer can act against this trend. How? 

By stating your problem clearly followed by a deafening silence. 

Why?

Because this way, you'll know what your partner is about.  If he starts throwing marketese at you, you will know he learned this from going through a bunch of white papers and computer-based trainings and someone was probably holding his hand while he clicked on a, b, c or d for the multiple choice exam. 

The partner you are looking for will solve your problem, depending on its complexity, by combining several point solutions, tied together to actually improve your security posture. He will combine well-known and lesser-known commercial products and won't hold back from integrating open source products. What is most important though, he will have a clear answer to every question you ask and he will know which part of the new infrastructure fits which purpose.  Also, as his solution will probably not be exactly what you had in mind, he will do his best to explain why he made surprising choices.  

I hope to see a rise in the number of consultants, or whatever you call yourself, that return to the beautiful art that is information security.  Not by adding another certification to their wishlist but by starting to offer real solutions for real problems.  Thinking out of the box is not a trend, it is what separates the men from the boys and that, my friends, is what our customers are looking for:  Real men creating real solutions to solve real problems.

The Value of Multi-Factor Authentication with Amazon Web Services

This week, O'Reilly author George Reese assesses the real-world applicability of a recently announced cloud security control.  Meaningful security control or pleasing the checklist brigade?  My thanks to George for taking time out of his busy schedule to contribute to fudsec - much appreciated.

By George Reese

Amazon recently released a new service called Amazon Multi-Factor Authentication (MFA) for Amazon Web Services (AWS). Amazon’s MFA enables you to configure your AWS account to leverage two-factor authentication for access to the AWS console. The AWS MFA is based upon the Initiative for Open Authentication (OATH) HMAC-based One Time Password (HOTP) specification.

AWS and OATH HOTP

Amazon Web Services is a cloud computing infrastructure provider that enables you to provision virtualized hardware resources (servers, firewalls, block storage devices, etc.) via a web services API and pay for those resources by the hour. A typical systems administrator of a customer using AWS will login to Amazon’s web interface to launch servers and perform other actions. Because the system is based on a web services API, a number of third-party solutions exist that provide extended functionality.

When you create an AWS account, you leverage your existing Amazon consumer account. Each AWS account is then associated with exactly one Amazon user. In other words, one account = one user ID = one person.

As more enterprises are adopting AWS to support their IT infrastructure, AWS has been seeing demands for multi-factor authentication to address corporate security policies that require multi-factor authentication when performing administrative functions over systems that house sensitive data. Multi-factor authentication is a solid business best practice for such systems. When AWS introduced MFA, they described it as “[MFA] should be especially attractive to our enterprise-level customers, but we expect customers of all types to value the additional security.”

Under MFA, I purchase a device from Gemalto that synchronizes with AWS and generates a one-time password. Any time I attempt to login to my AWS account after configuration, I must provide two factors of authentication:

  • My user ID + password (something I know)
  • The next token from my device (something I have)
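To make the "something I have" factor concrete, here is an added example (not Amazon's or Gemalto's code, and not part of George's original post) of the OATH HOTP algorithm the AWS device implements, as specified in RFC 4226: an HMAC-SHA1 over an 8-byte counter, dynamically truncated to a 6-digit code. The device and the server share a secret and each keep a counter; the secret used here is the 20-byte test key from RFC 4226 so the codes can be checked against the RFC's published vectors, and the server's 10-step look-ahead window (to tolerate button presses that never reached the server) is an assumed policy choice, not something the page states about AWS.

```python
import hashlib
import hmac
import struct

# Test key from RFC 4226 Appendix D (ASCII "12345678901234567890"); a real
# token is provisioned with a random per-device secret that only the device
# and the authenticating server know.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits.

    The counter is encoded as an 8-byte big-endian integer; the low nibble of
    the last MAC byte selects a 4-byte window ("dynamic truncation"), whose top
    bit is masked off before reducing modulo 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpDevice:
    """The key fob: one shared secret, one counter, advanced on every press.

    Because the secret lives in the device, a second account (or a second
    administrator) needs a second device, which is the point made above.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """The verifying side: same secret, plus a look-ahead window for resync."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6) -> None:
        self.secret = secret
        self.look_ahead = look_ahead  # assumed policy; RFC 4226 leaves it to the server
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        # Reject malformed input before doing any crypto.
        if len(code) != self.digits or not code.isdigit():
            return False
        # Accept the first match at or after the expected counter, then move
        # past it: a code can never be accepted twice, and codes behind the
        # counter (replays, or tokens the user typed out of order) are refused.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    device = HotpServer  # placeholder to keep linters quiet about unused names
    fob, server = HotpDevice(RFC4226_SECRET), HotpServer(RFC4226_SECRET)
    first = fob.press()
    print("login with", first, "->", server.verify(first))      # True
    print("replay of", first, "->", server.verify(first))       # False
    for _ in range(3):
        fob.press()  # presses that never reached the server
    later = fob.press()
    print("resync with", later, "->", server.verify(later))     # True
```

The replay rejection and the resync behaviour are exactly what an enterprise reviewer should ask a vendor about: a server that does not advance its counter past an accepted code, or that uses an unbounded look-ahead, turns the "something I have" factor into a guessable one.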

Does AWS Realize the Benefits of MFA?

Paradoxically, AWS MFA is wrong for the customers for whom it was designed and perfect for everyone else. If you are a small business with a single AWS account managed by one system administrator, AWS MFA is for you. It costs just $13 to purchase the device and access to the service is free.

As I noted in the quote earlier, AWS did not design MFA for that audience. Instead, AWS developed the MFA solution for organizations that have multi-factor authentication as a checklist security requirement for administrative access to information security systems housing sensitive data.

MFA suffers from an inherent problem in OTP solutions like OATH HOTP that rely on a key shared between the device and the server: you have to have a new device for every system you manage unless those systems are tied together via some kind of single sign-on solution. Having to remember a dozen passwords is painful; having to carry around a dozen key fobs is unmanageable.

If you have a single AWS account, there’s no need to carry around a dozen devices—one works just fine. An enterprise—the target market for this offering—is likely to have multiple people managing multiple AWS accounts. Both the “multiple people” and the “multiple accounts” aspects of the AWS authentication system make MFA unsuitable to the enterprise market.

I’ve already addressed why multiple accounts are problematic—you have to carry around a new device for each account. Though single sign-on is a solution to the multiple device problem, AWS does not support single sign-on across different AWS accounts. If you have multiple accounts protected by AWS MFA, you need multiple devices.

The multiple people problem is much more significant. It too is related to the one AWS account = one user = one person structure of Amazon Web Services. While one person = one user is proper, the fact that one user = one AWS account makes it impossible for those people who need multi-factor authentication to meet other policy needs. In particular, you cannot implement both of the following security policies with AWS:

  • One person = one user
  • Redundancy in administrative roles

If you want redundancy in administrative roles, you must share an AWS user and the supporting credentials between at least two individuals. If you want to support one person = one user, you cannot have a backup administrator for your AWS account. For a large enterprise, opting to comply with the one person = one user is just not operationally possible with AWS. By design, however, AWS MFA enforces one person = one user because only one person can have the device tied to the user (and only one person can carry the device at any time).

One final issue with enterprise adoption of AWS MFA: it’s US-only. In other words, businesses with systems administrators outside the US cannot use this service. Furthermore, no timeline exists for availability outside the US.

The Bottom Line

Given the current design of AWS authentication, AWS MFA looks like a checklist item poorly suited to the needs of people with the checklists (enterprises). AWS would have been better off implementing an SMS-based system. Though such a system supports attack vectors that the AWS system lacks, it is ultimately much more practical for enterprise IT operations.

I’m Not Secure and You Can’t Make Me.

It's that time again, and Kevin Riggins serves this weeks fudsec dish.  If you have any influence over infosec purchasing decisions where you are, you should read this.  My thanks to Kevin!

By Kevin Riggins

Do a Google search for the following: 

"make.*secure" +"press release" computer network 

Go ahead, I’ll wait. 

When I sat down to write this piece, I searched for that phrase. My results? 303,000 items. Granted, many of them have nothing to do with information security, but the first three in my search results did. 

It seems like I see advertising or a press release just about every day that spouts some sensationalist drivel about how you are going to get hacked in the next five minutes. This is followed up with “just install our product and you will be secure.” These ads and press releases are aimed at both individuals and companies. 

First, I want to make something clear. I am well aware that if you stick an unprotected machine on the internet, it is not going to last 60 seconds, let alone 5 minutes. I am not arguing that the threat isn’t real.  

The problem I have is the use of fear to sell an idea that is patently false. That idea is that any product can make a system or network secure. There is exactly one way to make a system or network completely secure. Keep it turned off. 

The best we can hope for is to increase the security of our systems and networks by:

  • making risk appropriate decisions about what technologies to implement
  • making appropriate design decisions, again, based on risk
  • ensuring that the products we use and build are engineered in a manner that addresses known issues and resists the introduction of new vulnerabilities.

Yup, I said it, risk management, intelligent design, and secure development will make your environments more secure. They will NOT however, MAKE you secure. Nothing will. Sorry.

Knowing Walls from Speed Bumps

This week's guest post is from Balazs, an ex-senior malware analyst, who - despite his career change - remains interested in the field of information security. In his own words, "my goal is to bust FUD and provide solutions for preventing successful attacks (as opposed to selling products)".  I'd like to thank Balazs for encouraging us all to see the big picture and give recognition to his anti-FUD efforts (check his blog - link below) - fudsec salutes you!

It is a sad fact that in the security industry most of the people most of the time concentrate on point solutions and fail to consider the general impact those solutions will have and how easy it is to circumvent them (how future proof they are). While the "I have this problem NOW" mentality is probably built into our genes (and accentuated by marketing), it takes only a little effort to research one's options more thoroughly and it can have a big (positive) impact in the future (much like counting to ten before saying anything one might regret).

Example: suffering a malware outbreak, company X calls up Anti-Virus vendor Y and asks desperately: "Do you detect malware Z, which is spreading in our network? We already have another product, but it doesn't detect it!". And so the decision is made to replace the old product with the new product, without considering the fact that for each Anti-Virus product there are tens of thousands of malware which they miss, and it just so happens that in this case the first product detected while the second product missed the particular malware, but it could easily have happened the other way around.

Taking a step back, the company could have identified the key issues which led to the malware infection in the first place, and which - if corrected - could reduce the probability of the incident happening much more drastically than swapping out one AV product for another:
- the ability of users to run arbitrary programs (which could be prevented by using a whitelisting solution)
- autorun being enabled (which could be disabled through Group Policy, and in addition solutions for disabling the USB ports could be used)
- the ability for users to write to the file-server (which could be prevented by clarifying the requirements for the given file-server and locking it down according to the policy)

Second example: at BlackHat USA 2009 a researcher suggested that because he was able to implant a bootkit (a rootkit running from the boot sector) while running under Windows with Truecrypt installed, Truecrypt is broken. He also suggested a simple patch (for Truecrypt to deny write access to the MBR) and was upset when his patch was rejected (you can find part of the discussion on his blog - http://peterkleissner.com/?p=11 - where all the arguments were already detailed, but he remains unconvinced).

Again, let us take a step back and check our assumptions:
- we are talking about code under Windows which is able to write to arbitrary locations on the hard disk. This already supposes that it has enough privileges to execute code in kernel mode. Any measures taken by Truecrypt could be easily circumvented by patching the Truecrypt driver on-the-fly
- second of all, if the code already runs in the live Windows session, it has full access to the decrypted data. It doesn't need the Truecrypt password at all! It can simply register itself to be started when Windows starts up and upload all the sensitive data bit-by-bit
- finally, even using BitLocker in a TPM-enabled environment (which is the other suggestion by him), there is still the threat of hardware keyloggers (which could be embedded directly in the keyboard - see the ''Reversing and Exploiting an Apple® Firmware Update" talk from BlackHat USA 2009)

Seeing the big picture takes a considerable amount of knowledge and understanding about the internals of how computers and software operate. One can't expect any help from the sales persons either because, even if we abstract away from the fact that they are trying to sell you the product, most probably they don't know. Just try to find out from a whitelisting vendor whether the enforcement of the rules is done in user mode or in kernel mode. Knowing walls from speed bumps can be very hard because both have the effect of stopping the attack if the attack is slow enough. Curmudgeons can help, but as can be seen from the second example, they aren't always correct either.

What is the conclusion? Do your own research. Distrust grandiose claims, whoever makes them. And eliminating the root of the problem is in most cases simpler, cheaper and more effective in combating a larger set of issues than just buying a "solution".

Apple vs Microsoft as a Malware Target.. Stop Saying Market Share..

This guest post from Haroon debunks some of the FUD that loiters around the Mac vs PC security argument.  

Seen any security vendors playing to this in their product positioning?  If so, email fudalert@fudsec.com...

By Haroon Meer of Sensepost [published with permission]

I really enjoy listening to Mac Break Weekly.. Leo Laporte is an excellent host and I would tune in just to hear [Andy Ihnatko's] take on the industry and the (possible) motivations behind certain players' moves. (he is sometimes wrong, but always worth listening to). The only time things ever get a little cringe-worthy is when talk switches to malware and security (although both Andy and Leo for the most part have pretty reasonable balanced views on it).

Disclosure: I am a mac user, and love the hardware.. the fan-boy'ism that surrounds it, not so much..

Most security savvy Mac users don't push the Invulnerable-Mac argument too much.. But it does lead to the follow-up "Once Mac gets more market share, we will hit the malware tipping point".. I don't think that this is how it will go down.. Here's my $0.002c on it.

One of the talks we gave at the recent ITWeb Security Summit was titled "One bad Apple".. The aim of the talk was to examine the truth/lies/FUD behind the security claims on both the fan-boy and hater end of the spectrum.. I don't want to cover the whole talk here, but do want to touch on just a few of the current annoying red-herrings that normally pop up in this discussion:

Vulnerability counts as a useful Metric

This argument has been had by [many people] far brighter than me, so I won't rehash it here. I think it's safe to say that since there isn't really a standard on what gets reported, very few vuln count reports end up comparing apples with apples. What I did pick on during the talk was that some people don't even bother trying to dress up the stats in a cloak of reasonableness. The table below was taken from ByteSize magazine showing that Apple indeed had more Vulnerability Disclosures than Microsoft:

Vendors with the Most Vulnerability Disclosures (ByteSize - 3rd Ed. 2009)

Instead of muddying the water by asking what a 3.2% disclosure means, or by comparing Apple with Microsoft, you have to ask yourself if the table is really comparing Microsoft, with its software, hardware, * against Wordpress with its 60 000 lines of PHP code?

My suggestion there is that if we are going to use tables and charts, we should at least stick to the reasonable ones:

Malware defense

Of course the next topic that refuses to die is how Mac architecture pixie-dust prevents it from getting worms and viruses.. A quick check should clarify this.. The ILOVEYOU virus which hit Windows computers all over the world (and according to Wikipedia cost about $5.5 billion in damage) was a snippet of VBS that read your address book, and mailed itself to your contacts (where it did the same). You can hack this up in Automator in seconds.. Same functionality completely..

Memory Corruption Attacks

In recent times, Microsoft has made huge leaps in terms of generic memory corruption protection mechanisms to minimize the effect of buffer overflow/mem corruption attacks. While Apple claimed to do the same with Leopard, they still trail Microsoft in this regard. The 3 points we covered:

  1. Non-executable Stack.
  2. Non-executable Heap.
  3. Address Space Layout Randomization.

(We cover these in more detail in an upcoming [conference in July] - but again, it's fairly well understood that OSX in its current form is only randomizing libraries, and that to get the benefit of ASLR, you need to be randomizing everything)

So if we are saying that Apple is just as vulnerable to ILOVEYOU and even more vulnerable today than Windows to a Nimda or a Code Red, then what explains the fact that we don't see Macs getting owned on the same level as Windows?

The almost global answer is "Market share!". The belief that once more people are running macs, the big bad malware writers will start aiming at them.

If you look at the [netcraft web server survey] (2003) you should notice that at the time that Nimda and Code Red were running around the Internet, IIS didn't have the lion's share of the webserver market either. Their lower market share didn't keep them safe then, why does it keep Mac users safer now?

The real market share difference

One of my guesses here is that we are looking at the wrong data for market share. What Microsoft does have over Apple, is a bigger market share of [developers..]

Microsoft went out of their way to make sure that anyone and their dog could write code for their platform, that any idiot in the world could write an app for them, and many did. I suspect that if you consider that any group will have a proportion of people with evil intentions, then in part what we are seeing is just the percentage of the bigger pool.

Different user profiles

The other thing (although it sounds strange) is the question of user culture, which is different. My wife's MacBook Air has very little software that didn't come with the machine. Apple's "batteries included" policy means that her machine remains pretty clean.. Her mother's Windows machine is a different story.

Which means what?

Today, pound for pound, OS X Leopard is indeed more vulnerable than a Vista machine, but the ecosystem around Mac is holding back the huge embarrassing attacks that shamed Microsoft into action. Apple has a small window during which time they can take action, refine their built-in mitigation strategies and come out on the other side acting like they were better all along..

(Recent hires like Ivan give hope for this happening)

If Snow Leopard is done right, it will hopefully be Apple's XP-SP2, and us fanboys will be able to keep our securer-than-thou attitude.. If it doesn't, it's only a matter of time..

Might As Well Face It...

This week's #fudsecfriday invited guest post is by shrdlu, an IT security manager who has held international positions in multiple institutions and is now US based.  The other clue to his identity is he amuses himself at the expense of his children ("otherwise what's the point in having them?").  I'm still not convinced that narrows it down ;-).  

My thanks to shrdlu for the Molotov cocktail of a post...

IT Security Manager

Now, many of you are probably too young to get a Pogo reference, so I'll just get to the point.

Hello, my name is shrdlu, and I'm a FUD addict.

And so are you.

Come now, do you really think that FUD is only produced by eeeevil vendors out to make a quick buck?  Or do you think it's only generated by clueless media?  No, folks, we're doing it to ourselves on a daily basis.

The very nature of security involves uncertainty.  We all know deep down that you can never have 100% security; that sooner or later, as Richard Bejtlich is so fond of saying, prevention eventually fails.  It's only a matter of time.  And so rather than sitting down and waiting for the threat to come to us, we go out looking for it.  Endlessly.

Emily Yoffe in Slate.com writes about ongoing research in what one scientist calls our "seeking" drive - our addictive behavior around finding nuggets of information:

We actually resemble nothing so much as those legendary lab rats that endlessly pressed a lever to give themselves a little electrical jolt to the brain. While we tap, tap away at our search engines, it appears we are stimulating the same system in our brains that scientists accidentally discovered more than 50 years ago when probing rat skulls.

A very simple example of this addictive seeking behavior can be found in the Facebook application called "Hatchlings."  The player collects eggs of different colors by looking for them in the profile pages of friends also playing the game, as well as other random pages on Facebook.  Once collected, the eggs hatch into various creatures matching their eggs, and can be deleted ("released into the wild") or retained by periodically feeding them -- you guessed it -- more harvested eggs.  It's stupid, it's mindless ... and so far I've found 5,545 of the damned things.  And as far as users go, I'm by no means the worst:  the top-ranked player in my city has over 48,000 of them and the number one player globally has more than 592,000.

So if Hatchling eggs are the gateway drug, it's but a small step from there to Easter eggs in other software.  And when the Easter eggs run dry, well, there are built-in Easter eggs that the developer didn't even know about, aren't there?  They're called "unintended functionality," or vulnerabilities.

Take a look at this year's Black Hat schedule and count the number of talks that are NOT based on finding a vulnerability or finding an attack.  Go ahead, I'll wait.  It's actually kind of like hunting for a needle in a haystack ... and I promise, you'll get a dopamine rush out of it, especially if you find it.

So when pretty much every talk at every conference is about newly discovered vulnerabilities and attacks; when we treat vulnerability researchers as rock stars; when defenders are only interesting when they've actually suffered a breach; is it any wonder that we're steeped in FUD?

If there's still any doubt in your mind, try to remember the last time you said or heard someone say,"You know, our security is probably just fine.  Don't worry about it."

Hyper Security

This week's invited guest post is from Brian Honan, an information security consultant based in Dublin, Ireland who founded and heads Ireland's national CSIRT team.  This post explores hype - the LSD of the infosec industry...  Thanks Brian!

Brian Honan

Independent Information Security Consultant

A discussion with an old friend recently strayed into the area of information security and the hype that she currently sees surrounding products that will make us more compliant, secure and hacker proof.  She works as an IT manager in a relatively large company and confessed to feeling confused by the various products, their claims and indeed the hype over the threats these products promise to address.

This is a subject that I have spoken about a number of times and it is something that I feel as an industry we need to be careful about.  Yes, we need to make people aware of the problems, but let's not become Chicken Licken proclaiming the sky is falling.

The plain truth is that all products are hyped up, be that a car, a plasma TV or an information security product.  This is especially so in IT where we are constantly being told certain products will do things for us cheaper, faster, smaller, and quicker, making us all more productive with minimal effort.  So there is an amount of hype that will come from selling products or services, including those in the information security field.

The other source of hype is from within the media, both industry and mainstream.  Very often the security stories that make the news relate to major computer virus outbreaks or attacks on well known institutions.  These stories only make the news because they are simply that, news!

As someone who is heavily involved in information security I am often
frustrated by the lack of concern people display with regards to computer
security.  If anything there is not enough awareness of the threats people
face once they go online.  People understand the security risks we face in
the real world. That’s why we deploy burglar alarms on our homes or business
premises, shred important documents, have a safe to store valuables and keep
our money in banks.  Based on our understanding of the risks we face we take
appropriate steps to protect ourselves.  For example, if I owned a company
that is a small professional firm with no valuable stock to protect, I would
deploy burglar alarms and ensure I had good locks on the doors. If my
company keeps valuable or desirable stock on the premises then I would take
additional steps to protect myself, such as install CCTV, employ a security
guard and store the valuables in a safe.

Securing your business is all about risk management. You identify the threat
to your business, be that burglars, theft from staff, fraud or fire. You
then decide what you need to put in place to manage that risk.  Once you
deploy computers and/or connect to the Internet, there are very real threats
to your business. Computer viruses, hackers and in-house threats exist and
need to be managed.

So yes there are real threats and people need to be made more aware of these
threats and how they can counter them.  The problem is most people,
including those working in IT, do not understand properly the threats and
problems relating to IT security.

Yet everyone is looking for solutions without actually understanding the problem.  Vendors and resellers will be only too happy to sell products; however, if the underlying problem is not properly addressed then these solutions are not going to work as expected, resulting in the customer having a greater lack of confidence in information security.

With the recent economic downturn the information security industry is seen to be countering the trend seen elsewhere in the IT industry by having its budgets maintained or in some cases even increased.  Vendors and resellers fully understand this and see information security as the area with the money and are unsurprisingly exploiting it as only they can.  Having worked in the information security industry for many years where only a small number of companies provided expertise and services, I suddenly find every company now offers information security solutions.  While it is good that more people are becoming aware that information security needs should be addressed, customers need to ensure that their vendor fully understands information security and is providing solutions based on impartial advice and not simply to sell a product.

It is time for us to stop listening to the hype, to look properly at the risks that need to be addressed and to call that sales person or consultant to task when they start to over-hype a problem or solution.  But it is also time for us to grow up and accept some responsibility for our own actions.

We need to fully understand what the problems are we are trying to address
so that we can identify the best solutions to those problems and be able to
ignore the hype.

Showing The Oblomovs The Door

This week's invited guest post is from Nick Selby, a security convergence consultant and enterprise security thought leader who established and led The 451 Group's Enterprise Security Practice from 2005-2009.  [Ed: This post was provided shortly prior to Black Hat/Defcon]

Nick Selby
Founder, Cambridge Infosec Associates, Inc
 
A recent survey shows that half of information security professionals are unhappy in their jobs despite six-figure salaries.

Of course they're unsatisfied - we have well-trained, well-intentioned security professionals reduced through a series of relentless box-ticking to ensuring that their hopelessly dated signature-based technologies have the most recently-updated chance of not stopping anything. Why? Because as punishment for making everything so complicated, security professionals have been saddled with compliance management.
 
The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.
 
I stomped away from trying to influence security as an analyst because compliance (the adjective and the verb and the noun ... and whatever form is the word, 'Compliancy') has managed to suck every ounce of oxygen from the room that is the security industry. Okay, that's an exaggeration - I really quit because I find it more rewarding to once again do security than to talk about doing security.
 
We're in an Orwellian information technology universe, and we've let criminals become Big Brother because they often have better configuration management data than our own information security groups. We have a rapidly evolving threat landscape, advanced persistent threats, new generations of attacks and attackers and a wildly changed attack paradigm, and purveyors of “intrusion detection” and "anti virus" don't just exist, they're propped up as puppet regimes by the makers of rulesets designed to keep us “safe” and “smart.”
 
Josh Corman at IBM was spot-on when he called PCI the "Cyber-incarnation of 'No Child Left Behind.'" At this writing it's unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we've heard of, but the fact that they're out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard. Well-intentioned businesspeople at PCI, seeing their money walk out the door at an exponentially increasing rate, thought they'd "raise the bar" by setting forth some highly specific tasks. Unfortunately they were specific to a paradigm gone by, and those who don't comply get their credit card privileges popped. Thus have they managed not only to not raise the bar but in fact to substantially lower the ceiling - PCI is not the minimum standard, it's the maximum effort that many organizations make.
 
And why not? By doing PCI, one can claim to be doing, 'Best practices'. ('Best Practices' is a term for which toilet-dunks should be applied rigorously -  the term is, to borrow a phrase from Marcus Ranum, weapons-grade marketing bullshit.)  Meanwhile, Visa and MasterCard stay shtum on their card fraud numbers in one of the best shell games around as banks and card associations play the Three Wise Monkeys, passing the buck back and forth amongst their cabal while storm clouds of another off-balance-sheet Armageddon gather in the distance.
 
Is this just another "anti-compliance" rant? Sure, but it's also a "pro-risk rant". It's not just that our lives as security professionals are increasingly (and increasingly exclusively) about feeding the compliance beast. It's more about the fact that all this compliance stuff is preventing us from addressing risk and performing, you know, security. Compliance is big money (there are more than 100 sponsored links on Google for the phrase, “Security compliance”), so vendors and analysts push it, and departmental budgetary politics becomes all about securing compliance-related funding. This directly leads to stovepipes - those "Cylinders of Excellence" in which the slightest thought about anything not budgeted becomes, "out-of-scope".
 
Now hear this: Our enemies do not compartmentalize their attack resources. They don't have a budgetary or organizational constraint against standing in the smoking area and walking into your building behind a smoker who's taped open the ram-bar latch; or phishing credentials from one of your employees by phone, fax or email; or popping through a poorly constructed web application; or, if the stakes are really high, having someone sit in front of your Vice President of Whatever's house, looping trivially through his WEP-"protected" WiFi and surfing into your network on his VPN connection. Let's not even talk about his cell phone.  How many stovepipes within your organization have those utterly commonplace vectors just crossed?
 
To deal with these threats we don't need more stuff, we need to talk to one another, to use the resources we have in place already in smarter and better ways. Communication, cooperation and a top-down emphasis on understanding risk - these are things that can't come from the comet tail of crap being pushed by vendors and consultants today.  We face a 360-degree threat, every day, and bad guys are as innovative and resourceful as they need to be to stay one step ahead of you. The problem is we're not making them need to be very resourceful at all.
 
Compliance - the state of being - is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes by Oblomovs you've hired to "deal with" compliance. Security requires integrity, inter-departmental communication, articulation of goals and give-and-take between stakeholders so that everyone has more information to take into account when making business decisions. It requires coordination between physical and logical, between departments as seemingly disparate as HR and marketing and bizdev and sales, and the executives who make decisions about where they want their firm to go.
 
You want to be a CEO? Manage risk by demanding your people give you information supportive of cost-benefit analyses that are based on how you can create more value as opposed to how you can avoid being fined or having your name in the paper. You want your compliance department to manage risk for you? You'd better hope your firm is considered, “Too big to fail,” so the next round of government bailouts can save your sorry butt. Although, since you're allowing the government - through SOX and HIPAA - and other industries like the payment folks to set your agenda, maybe a bailout was what you had in mind from the start.