Customer-Induced FUD

We're breaking rank and posting a day early this week. Why? To give this post some time to breathe before a small gathering in San Francisco of security wonks. My thanks to Jeremiah for this post, and I fully agree with his call to action! You?

By Jeremiah Grossman

I’m told fudsec is a place to float, among other things, half-baked and incomplete security ideas. I’ve no shortage of those I assure you. Fortunately the infosec community is not shy about telling you so. For today’s thought let’s provide some background...

A few weeks ago a consultant by the name of Larry Suto published “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” [1] which reviewed desktop black box website vulnerability scanners: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service). Larry faced off these products using the vendors’ very own public-demonstration, vulnerability-laden “test websites” as the scan targets. For those curious, WhiteHat Security politely declined to participate because Sentinel is delivered as a SaaS solution and not a product like the others tested. [2]

You may read the report yourself, but I’ll save you the suspense. The results for nearly all scanners were basically horrible. Large percentages of vulnerabilities were missed, there were false-positives galore, and significant human configuration time was required. Perhaps these are benefits if you are looking for tools to help fill the gaps in your day and provide job security. Several vendors wasted little time in defending themselves, attacking the report’s methodology and Larry himself, which is presumably to be expected anytime you call someone’s baby ugly.

The conclusion from the vendors: Don’t take these results seriously. For best results, scan real-live production websites, like your own environment, and not test websites.

You know, I can agree with that! I’ve been recommending the same for quite some time. First though, try something a little different. Turn the tables around. Instead of running your websites through the gauntlet, risking downtime from intrusive scans, only to discover you have vulnerabilities just like everyone else -- how about making the vendor eat their own dog food.

Ask the sales rep for a trial license and permission to scan THEIR production commerce website(s). That’s right, scan the vendor! Imagine their FUD-induced response. If they really believe in their product’s capability, safety, and marketing hype, this shouldn’t be an unreasonable request. A “right to test” is no more than any reasonable cloud computing client would ask for. Right? Plus, doing so will provide a good reference point for when you scan your own websites, if, in fact, Larry’s results were atypical. The sales rep might say they don’t have authority to grant such authorization. Fair enough, but go ahead and press a little. It’s not like the bad guys are asking permission to scan these sites every day anyway. Just ask [3] xssed.com [4].


[1] http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/
[2] http://jeremiahgrossman.blogspot.com/2010/02/wheres-whitehat-re-scanner-comparisons.html
[3] http://www.xssed.com/search?key=hp.com
[4] http://www.xssed.com/search?key=ibm.com

The Broken Windows Economics of IT Security

What type of vendors are you dealing with? Type A or B?

Amrit is back with a post that highlights the link between economics, security and vendors. Thanks Amrit!

By Amrit Williams [reposted with permission]

To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frédéric Bastiat

The majority of economists, however, would say that it is a fallacy to believe that the broken window generates economic good, as it forces the shopkeeper to expend resources to fix something that wasn’t broken and functioned perfectly well before small boys began playing baseball in front of the shop. Paying for repairs reduces his/her business’ ability to spend money on more rewarding alternatives—financing inventory, expanding the shop, etc.

But if, by way of deduction, you conclude, as happens only too often, that it is good to break windows, that it helps to circulate money, that it results in encouraging industry in general, I am obliged to cry out: That will never do! Your theory stops at what is seen. It does not take account of what is not seen.

It is not seen that, since our citizen has spent six francs for one thing, he will not be able to spend them for another. It is not seen that if he had not had a windowpane to replace, he would have replaced, for example, his worn-out shoes or added another book to his library. In brief, he would have put his six francs to some use or other for which he will not now have them.

Society loses the value of objects unnecessarily destroyed, and at this aphorism, which will make the hair of the protectionists stand on end: “To break, to destroy, to dissipate is not to encourage national employment,” or more briefly: “Destruction is not profitable.”

IT security has evolved into a classic broken windows business. It exists to repair things that shouldn’t break in the first place. Furthermore, every dollar that a business spends on Security subtracts a dollar from expenditure on more worthwhile alternatives—product innovation, improved public services, higher salaries, dividends to investors, etc.

Every so often someone gets up and claims that good IT security pays for itself. Nonsense. Every CEO, CIO, and CFO I have ever met resents every dollar they have to spend to protect themselves from the oversights of system architects, software developers, and product designers. They know that IT security is a wound that never heals, and that while they need to be lucky all the time, a hacker needs only to be lucky once to do serious damage to business processes, balance sheet assets, and/or marketplace reputation.

Realistically, IT security is going to remain a significant budget item as far as the eye can see. But I believe two types of security solution vendors have emerged. While they still make up a majority, Type A vendors sell paranoia. They harp endlessly on the mortal threats of thumb drives, social media sites, and satanic plots spawned by hackers of disparaged nations and ethnicities. Shattered windows are their business and they love the sound of breaking glass. Established Type A security vendors simply have too much to lose by helping their customers eliminate or reduce the potential for broken windows events and thereby enabling companies to reduce their IT security budgets.

Type B vendors recognize the market opportunity to help customers reduce the cost and complexity of IT security. Make no mistake. Profit motivates Type B vendors every bit as much as Type A counterparts. It’s just that they mix some enlightenment with their self-interest. Type B vendors are the ones advocating ways to efficiently minimize target surfaces, radically change their security programs, and perform mundane but necessary system management processes as thoroughly and friction-free as possible.

While generalizations are slippery, such vendors will always be in the minority and tend to be the innovative upstarts of the industry. They are not part of the PCI collective, they find it difficult to swim against the rising tide of broken glass marketing, they offer viable alternatives to the current <glass breaks – repair glass – add more glass – glass breaks – repeat> cycle the IT security industry has created.

As I write, the RSA Conference is getting ready to open soon in San Francisco. Hundreds of vendors will convene to spend millions of dollars to convince public and private sector managers to continue to spend billions of dollars on various IT security widgets, left-handed monkey wrenches, and foo foo dust. They will do their best to drown out voices that say it doesn’t have to be this way, that there are viable alternatives to the never-ending IT security hamster wheel of pain. What a waste.

Casual Hex and the Failure of Security Awareness Training

This week I'm pleased to announce that this week's guest haxxor, Larry Pesce from PaulDotCom, was able to extract himself from the Matrix for this post. This is all the more remarkable when you consider the availability of free beer within the Matrix (Larry, I'll buy you a beer the day we meet, so long as you promise not to Shmooball me). My thanks to Larry! Please leave your comments below...

by Larry Pesce

I've been preaching education for end users for quite some time, knowing that having educated users would help keep them from getting owned, either at home or at work.

I'm beginning to think that user education is a losing battle.

We've preached to our users about safe internet practices. We tell them to examine SSL certificates. We tell them not to open e-mail attachments from people that they were not expecting.

What do they do? Exactly the opposite of what we say. Why? Human nature I suppose. In 99% of the cases the users we are supporting are not what you call tech savvy. Sure they can set the clock on their VCR nowadays, but they don't know how to use the computer to do much more than the job at hand. They just want that new piece of technology (computer or otherwise) to work. They want to get their job done, communicate with their friends or do something cool.

When we do convince them to click "NO", and it doesn't work or do something cool, they try again and click "YES". Nothing Advanced or terribly Persistent about it. Yes, it is still a threat.

So why doesn't user education work? No matter how many seminars we give, pamphlets we distribute, or posters we hang, quite frankly our users don't care.

I used to think that if the education worked for just one person in an organization it was all worth it. The problem is that all of that education is a lot of work to develop and deliver to reach one person out of fifty. With persistent education, maybe we will get three out of those fifty. Scale that up a bit and those aren't very good odds in helping protect your organization.

Let's draw a parallel to the recent compromises at Google. Not having worked there, I have to make some assumptions about the skill level and caring of the staff there. One has to figure that most of the employees are pretty technical and get the risk. They, for the most part, don't need the user education. The problem is there are a whole bunch of people that help that business run that aren't techies. That's who gets owned. I'd imagine that Google has a pretty darned good internal user education program. They still got owned.

So, how do we save the users from themselves? Maybe this whole internet fad is out of hand. We can spend metric assloads of money on security technology and the people to appropriately staff them. Or we can change the way people think about the internet in general in a work environment. Instead of the user education for everyone connected to the internet at the office, how about we make the use of the internet a privilege, not an inalienable right.

Now the user education for the few people in the organization that actually do have access to the internet will hopefully have a little more punch, potentially reduce our costs on some security technology and staffing, as well as potentially changing our overall security posture.

Best of luck on whichever direction you choose. It is just a matter of time before we're all compromised no matter what we do.