The FUDdies®: Vote For Your Favorite Practitioner of The Fine Art of FUD

For a year, Fudsec.com has brought you the finest FUD-bashing that money can buy, and many have asked us how they can post here (email us at the address below if you'd like to).

All too often, though, we've outed fear, uncertainty and doubt without thought to giving credit to those who toil thanklessly to create it.

We're out to change that.

Announcing the FUDdies® - the industry standard recognition of innovation and creativity in the production of FUD. After all, coming up with new ways to wrest legitimate budget dollars from security initiatives towards illegitimate boxes is no easy task. Join Fudsec.com as we honor those in the business of making this magic happen.

Face it, folks: there's tons of FUD out there, and even here on Fudsec there are few people being specifically called out for FUD. So let's bring it. Tell us who's doing it. Tell the community about it. 

We need your help to get these going. Email us your thoughts, your nominations, or anything else you think we should think about. Right now, there are two categories of FUDdie: FUDiest Campaign, and Most Unctuous Information Security Marketing Executive.

Voting is held by secret ballot at fudsec ( at ) gmail com  , and all results are reviewed by a top secret, anonymous committee whose decisions shall be final.

Prizes are coveted, genuine Reynolds-built aluminum foil caps, which look great and shield your brain from electromagnetic mind control carrier waves and beacons. The prizes will be announced at RSA 2011, which means we need help now.

Vote early! Vote with your heart! 

The Fudsec Team

 

Framing Software Security

Today's post comes from Ben Tomhave. Ben and others felt the Zalewski ZDNet piece was a bit of a "Blame or Frame Job" on our industry, and he was compelled to respond. Do you agree? You'll want to follow the links if you haven't already read them. Any post that starts with a Sin City reference is likely to be gritty.


by Ben Tomhave (@falconsview)


"I've been framed for murder and the cops are in on it. But the real enemy, the son of a bitch who killed the angel lying next to me, he's out there somewhere, out of sight, the big missing piece that'll give me the how and the why and a face and a name and a soul to send screaming into hell." ("Marv" in the movie Sin City)

I've read and reread (a couple times) the May 20th article "Security engineering: broken promises" by Michal Zalewski of Google (a guest post on ZDNet's "Zero Day" feature). I have to say, I find it highly disappointing and FUD-tastically frustrating. The bio at the end describes him as a "security researcher," which in my mind makes him a "breaker" more than a "fixer" (supported by the kinds of tools he's released). As such, we have to expect a degree of whining cynicism about how bad things are, but I would have at least hoped he'd have a little more clue before spreading FUD doom and gloom.

Framing Frameworks
"...for several decades, we have in essence completely failed to come up
with even the most rudimentary, usable frameworks for understanding and
assessing the security of modern software... The frustrating, jealously
guarded secret is that when it comes to actually enabling others to
develop secure systems, we deliver far less value than could be expected."

As a card-carrying member of OWASP, I find this statement to be ill-informed and suspicious. While it is true that we don't have mathematical models describing software security (to which he later alludes), it is completely false to say that we lack frameworks for understanding and assessing software security (which he never defines). There are lots of options to choose from, whether it be OpenSAMM, BSIMM/BSIMM2, or even the various efforts of groups like OWASP, ISECOM, or WASC. Let's also not forget efforts like Microsoft's SDL.

In terms of enabling others, this is not a security failure, it's a management and business failure. Many like to throw blame onto security teams for this situation, but everything ultimately comes down to the decision-makers and their needing to place proper emphasis on the need/requirement for writing secure code+apps.

Framing Risk Management
Now we get into some very FUD-erific territory...

"...[risk management] introduces a dangerous fallacy: that structured
inadequacy is almost as good as adequacy, and that underfunded security
efforts plus risk management are about as good as properly funded
security work."

and

"...security incidents are nearly certain, but out of thousands exposed
non-trivial resources, any resource could be used as an attack vector,
and none of them is likely to see a volume of events that would make
statistical analysis meaningful within the scope of the enterprise."

and

"...in information security, there is nothing contributed by healthy
assets to directly offset the impact of a compromise, and there is an
insufficient number of events to model their distribution with any
degree of certainty; plus, there is no way to reliably limit the maximum
per-incident loss incurred."

Wow, talk about cynical. First off, apparently risk management has no value. Second, risk management apparently detracts from security initiatives. Third, because there are potentially infinite threat vectors, the statistical analysis performed in risk assessment is pointless. All of this prattle belies a keen ignorance about risk management, and once again seems to suggest that software security failures are a result of something other than poor coding practices under the rule of security-disinterested business leaders.

More importantly, his risk management comments don't seem to have much of anything to do with risk management, but instead seem to be focused on risk assessment methods. He probably also thinks that qualitative risk assessment techniques are de rigueur. It never ceases to amaze me when criticism is launched from a place of ignorance.

Framing Unified Theories
As the piece progresses (or maybe it digresses), it seems that we finally start to see his true intentions as he talks about CWE and CVSS, saying: "Having said that, none of them yielded a grand theory of secure software yet - and I doubt such a framework is within sight." This comment finally reveals Zalewski's true intent or hope, and that is some sort of mystical silver bullet "grand theory of secure software." I thought this guy was a security researcher for the venerable GOOG? Anybody else's spidey sense tingling over the inanity of his comment here?

Of course, perhaps the biggest problem is Zalewski chafing at what is actually "good enough" from a software security perspective. Frameworks seem to be the preferred ideal du jour, but to what end, and with what backing? More importantly, to quote Amrit Williams:

"What we must learn to accept is that security – as it pertains to both
the development of software and its operational use – is ultimately more
survivable than we like to believe." (from "The Simple Elegance of Faith; When Good Enough Is")

Call me crazy, but it seems like Zalewski is framing infosec for the failing of business leaders, compounded by his own ignorance.

What do you think?

Also check out Jack Daniel's response ("A bit of deep thought.") as he links to several other replies as well.

Endpoint Security in the Age of Virtual Desktops

This week's post comes from Eric Hanselman. Eric has an uncommon, common sense. Eric tried to leave Security two years ago after the RSA conference - bound for Virtualization-land. Alas, security pulls you back in and he was right back at RSA 2009. We always say "we'll do better at security the next time." "We'll bake security in." There were a lot of promises and claims made about how much better virtualization security would be. Here is sort of a "state of the union" from Eric.

by Eric Hanselman (@e_hanselman)

We’re heading into a brave new world of desktop security and we need to do it with our eyes open.  There’s a lot of potential benefit that desktop virtualization can bring to an organization.  Like any new technology, though, there’s a lot of misunderstanding of the change in risk dynamics and how to deal with them.  In recent weeks there have been announcements and discussions that bear some analysis.

Hosted and Virtual desktops (HVD is the Gartner term) deliver awesome mitigation for data loss.  The desktop is back in the data center and only the screen image makes it back to the user.  There are also all of these really great operational expense savings.  It’s easy to think that it resolves some of our biggest endpoint protection headaches.  There’s an air of irrational exuberance out there that’s a little disturbing.

There are two big concerns:

· Users think that desktops in datacenters are wicked safe.

· Vendors aren’t disabusing them of this delusion.

At RSA this year, in two different virtualization security sessions, I heard attendees ask if anti-virus software was still needed with virtual desktops.  Lest you think that these were aberrations, industry analysts are posing the question, as well.

Forget about all of the Blue/Red Pill hysteria.  There’s a much more fundamental issue that we need to address.  Yes, the desktops are now in the datacenter, but there are still a whole set of security issues that have to be handled.  We’ve made a big jump forward with physical security.  It’s now a lot harder for random people to plug USB devices into desktops or walk off with the thing that holds all that local data.  We’ve paid for this by turning every user into a remote user.  Remote access security is something that we should have a good handle on, but now every user needs it.  IAM capabilities take a big step forward.

Securing the desktop is where real work still needs to be done and that falls to the traditional tools of endpoint defense.  The hitch is that our existing tools don’t play well with the virtual world.  For the security-conscious, the virtual desktop gets built like the physical desktop.  Tried and true desktop suites can be managed in the virtual world alongside the physical desktops.  This works.

There’s a danger lurking here, if we don’t understand the impact in the virtual world.  There are a number of horror stories of a newly minted virtual installation being brought to its knees when every one of the virtual desktops was scheduled to do system scans at the same time.  Even if our suite supports flexible scheduling, those compute and I/O intensive tasks that worked so well when distributed across bunches of under-utilized systems are a huge load when brought back to a shared set of servers.

This is a problem that has many people considering turning off traditional protections.  A big difference between server and desktop virtualization is the concern about scale.  Running endpoint protection on virtual desktops reduces the number of desktops that can be hosted on a given set of hardware.  There are virtualization vendor claims that, by destroying each desktop after use, we eliminate infection.  This is the first vendor complicity issue.
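The scan storm above is a scheduling problem, and it is worth seeing how little it takes to defuse it without turning the protection off. The following is an added example written for this post (not code from the original, from Citrix, McAfee or any vendor suite): it models a pool of virtual desktops that each run a full scan of fixed length, compares the peak number of concurrent scans when every desktop fires at the same minute against a staggered schedule, and derives each desktop's start offset from a hash of its name rather than from central scheduler state. The hash-derived slot is the interesting part for non-persistent desktops: a desktop that is destroyed and rebuilt lands in the same slot again. Pool size, scan length, the nightly window and the desktop names are all assumptions.

```python
"""VDI scan-storm model with a stable per-desktop stagger (added example).

Assumptions (not from the original post): every desktop runs one full scan
of SCAN_MINUTES inside a nightly window of WINDOW_MINUTES, and desktop
names follow the constructed pattern vdi-NNNN.
"""
import hashlib
from collections import Counter

SCAN_MINUTES = 30          # assumed length of one full on-access-free scan
WINDOW_MINUTES = 8 * 60    # assumed nightly maintenance window


def scan_offset(desktop_name: str,
                scan_minutes: int = SCAN_MINUTES,
                window_minutes: int = WINDOW_MINUTES) -> int:
    """Deterministic start offset (minutes into the window) for one desktop.

    The offset is taken from a SHA-256 of the desktop's name, so the same
    desktop always gets the same slot (useful when a non-persistent desktop
    is destroyed and rebuilt) and no scheduler database has to be kept.
    The modulus leaves room for the scan to finish inside the window.
    """
    digest = hashlib.sha256(desktop_name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % (window_minutes - scan_minutes)


def peak_concurrent(starts, scan_minutes: int = SCAN_MINUTES) -> int:
    """Highest number of scans running in any single minute.

    `starts` is an iterable of start minutes; each scan occupies
    [start, start + scan_minutes).
    """
    load = Counter()
    for start in starts:
        for minute in range(start, start + scan_minutes):
            load[minute] += 1
    return max(load.values()) if load else 0


def compare(pool_size: int):
    """Return (peak with synchronized scans, peak with hashed stagger)."""
    names = [f"vdi-{i:04d}" for i in range(pool_size)]   # constructed names
    synchronized = [0] * pool_size                        # everyone at 02:00
    staggered = [scan_offset(name) for name in names]
    return peak_concurrent(synchronized), peak_concurrent(staggered)


if __name__ == "__main__":
    for pool in (100, 500, 2000):
        sync_peak, stagger_peak = compare(pool)
        print(f"{pool:5d} desktops: synchronized peak={sync_peak:5d}, "
              f"staggered peak={stagger_peak:4d}")
```

With the synchronized schedule the peak equals the pool size, which is the storm the post describes; with the hashed stagger the peak is close to the average load (pool size times scan length divided by the usable window), which is what the shared storage and CPU have to be sized for. Nothing here changes what the scanner does on each desktop, only when it runs.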

What about all of that user data?  Aren’t there a lot of PDFs full of APTs out there?  Fortunately, virtualization can address a part of this.  But only part.

One big benefit of desktop virtualization is that I’ve got all of my users’ disks in the datacenter.  They’re available all of the time.  If I’ve got enough disk I/O capacity, I can scan all of those disks any time with minimal user impact.  I’ve also got the potential to remediate issues centrally.  A big win.  Some traditional AV vendors pitch this as their “virtual” solution today.

The piece that isn’t covered is execution monitoring.  The virtual environment still doesn’t have a way to keep tabs on live processes.  There are good signs, but they’re not complete.  VMware’s VMsafe opens memory pages for inspection, but, again, we’re back to static signature scans and advanced threats have proven that they’re pretty good at obfuscation.  And only VMware offers this today.  And only a few security vendors are doing anything with VMsafe.  This is a missed opportunity.

We now come to the recent announcement by Citrix and McAfee of their partnership for virtual desktop security, the MOVE platform.  This sounds like it’s going in the right direction.  It makes the agent functions more granular and allows processing to be split between the desktop and the virtual environment.

How will this fare when put under the scrutiny of the recently developed SCSOVLF metric?  Not well, unfortunately.  To begin with, it’s still a “concept” with delivery some months off. Details are still emerging, but the first stage seems to move some analysis parts to a separate VM and leans heavily on virtualization being a great way to improve configuration management.  Points off for relabeling something that we should have been doing already.

There is a second phase to MOVE, native hypervisor inspection.  My heart leapt!  Until I realized that it’s application and process whitelisting.  This is desktop security, not server, right?  There are a lot of people out there who’ve been burned by the twin issues of manageability and effectiveness for whitelisting.  It puts us right back to manually locking down users’ desktops.  While this is a step in the right direction, it comes with a high cost.  And more sophisticated threats already know how to beat it (DLL injection anyone?).

What we really need is endpoint protection that can rely on sophisticated techniques in the hypervisor.  Have per instance execution monitoring for the desktop, and leave the signature scans to a storage analysis piece.  And correlate the two, please.

And wouldn’t it be even better if, while providing virtual execution cycles, the virtualization layer was doing some effective protection, as well.  A guy can dream, right?