Tuesday, December 10, 2013

A Breach is Not a Failed End State (get over it)

I struggled with the right way to start this blog post, but ultimately I settled on the most blunt approach which is the naked truth.

There are those in our security community that feel that a breach is a [failed] end-state. To me, these people fundamentally don't understand security in the modern context.

Before you start writing your comment to scold me for my directness, consider this... how many organizations can you name that can honestly claim that they are 'secure' - with evidence to back that up? Conversely, look at the tremendous number of organizations, enterprises and, yes, even government entities that have been breached and not only survived the breach but are inexplicably thriving in the aftermath.

If the fact that a company's stock can look like the below graph (thanks Adrian, brilliant graphics work) after a breach boggles your mind, read on. Even if you get it, read on anyway ... maybe you'll find something to disagree with?

I've been going on and on about this topic for a while now, but let me be clear on my stance - everyone gets breached. I firmly believe there are two types of companies/organizations: those that have experienced a breach and those that don't know they have. This seems to be a universal truth more and more as I and my peers venture into organizations who claim to be "secure" only to find broad and rather obvious evidence of either past intrusions and exfiltration - or worse - active intrusions on the corporate assets. Depending on how you define an intrusion it's virtually impossible to find an organization without some active threat or adversary inside their prized assets. There is simply too much to protect in security*, but I digress.

Let's take one of the largest, most prolific breaches in recent memory - the TJX breach. I can recall that at the time of the breach there were plenty of high-profile folks, including some in the media, who called for their immediate demise. To be truthful, even I (being young(er) and naive) believed that the breach would be their undoing. Well, suffice to say we were all wrong. Check out the company's stock courtesy of Adrian's graphical handiwork:

So what gives? If the company's stock drop was simply a blip on the radar to an otherwise wildly profitable company - why bother with security at all? Granted this was more than a few years ago - but is anyone reading this foolish enough to think that consumer sentiment has changed that much? I dare say not. Furthermore, I know what some of you are thinking ... this is the retail sector and retail shoppers are notorious for not really caring much about a credit card breach because ultimately credit cards are trivial to replace and rarely does it mean financial loss for the customer. More of a nuisance, really. True. Other industries and market segments will of course vary wildly, and I don't claim to have insight into every market segment.

Here's my logic.

  • Even the best-run, best-staffed, best-equipped security organizations are overwhelmed with operational tasks, and there is bound to be some avenue or attack vector you leave unguarded for even a split-second.
  • Attackers will exploit this weakness and breach your organization.

Now, this is where it turns into a "choose your own adventure" book (remember those?)... the good security organizations think beyond simply preventing a breach and are always in detection mode, ready to respond to the intrusion and resolve any incident and consequently learn from it. Poorly run security organizations just get breached, and pandemonium ensues when they eventually, often accidentally, figure it out.

There are a number of factors that contribute to successfully riding out that inevitable dip in confidence and likely stock price:

  • How effectively your organization communicates the issue
  • How truthful your organization's communications are
  • How transparent and open your organization is about the breach or incident
  • The timeliness of notification of individuals, and the public, put at risk
  • The level of accountability your organization takes
  • The ultimate scope of the breach or incident (for example, was the entire database stolen, or did the attacker only get away with 1/4 of the records before they were stopped?)
  • The speed at which the issue is resolved
  • What changes your organization makes, tactically and strategically, to your defensive posture as a result of the lessons learned

Now, assuming you do a reasonably good job at the bullet points above, you may ride out the issue just fine, and in fact may come out of the poop-storm smelling like a rose! Of course the court of public opinion gets to determine how well your organization is perceived to do, and the standard goes up with each major breach. You will of course be measured against yourself in a previous breach (consecutive breaches inside your organization get less and less sympathy from your customers, partners, and the media), and against your competitors - so it's not necessarily a low bar to get over.

When I explain this to CIOs and CISOs, I often find myself saying that the big issue isn't that you are experiencing a [perceived] catastrophic breach; the true issue, and Enterprise Security's responsibility, is to "shorten the dip" (in the case of publicly traded companies). The better your security organization is, the more integrated it will be throughout the company into legal, risk and, yes, even PR and marketing. The better you do in managing the incident and public perception, the shorter that dip in stock price will be, and the less likely you are to be hurt long-term.

In fact, and this shows up in the graphic above, there is a very good chance that even if your handling of your breach is mediocre, you will still get some tremendous exposure to new people, and will get a chance to set a high bar for the next organization to follow. Consumers, partners and clients understand that and largely respond to it. In the case of the Buffer compromise** the company was transparent, did all the right things to mitigate the compromise, and then rolled out quick fixes... and where I wasn't a customer before, I was so impressed with their handling of the incident that I'm a Buffer user now. Go figure, a breach brings in new customers...

There you have it. That's my thinking on why a breach isn't a failed end state but rather an opportunity for enterprise security to shine and actually drive the company's position and confidence in the enterprise forward.

* There will be more (much more) on this later as it necessitates a separate thread of discussion.
** If you're interested in hearing an interview on the BufferApp compromise and how they fared - check that out here on my Down the Rabbithole podcast. (shameless plug)

Monday, December 9, 2013

Security Intelligence for the Enterprise - Part 3

As promised, this is the 3rd installment of my Security Intelligence for the Enterprise post where I’ll drop some of the things that I find useful for clients looking to adopt a less “on your heels” security stance in the cyber realm.

I’ve already explained my position on what Security Intelligence is and why it’s different from Threat Intelligence, so I won’t revisit that… you can read part 1 and part 2 respectively if you want that background.

Before you dive into this campaign, and it is just that – a campaign, you’ll need to spend some time understanding what it is you want to accomplish. I suggest defining and setting your own goals since others will likely not fit in line with your business strategy or budget or resource constraints.

If you’re going to mobilize for a new function, or maybe you’re restarting a not-so-successful program from another time, you have to set goals and understand direction. Security intelligence is a holistic thing, so you have to approach it as such. First ask yourself “What is lacking in our business-aligned security program?” If your security program is yet to be business-aligned, start there and come back to Security Intelligence only after you’ve got appropriately tight business alignment.

Remember, ultimately you’re hoping that your security intelligence program helps you answer security-related questions faster and with greater certainty. It’s a way to learn from the past, analyze in the present and be more risk-averse in the future.

Capacity is a big issue. One of the first things I advise my clients to do is take a look at their existing security program and assess whether they have the human resources and capital to take on such an endeavor. If your staffers are pulling 50+ hour weeks and are overworked already, you’re not going to have the ability to start a security intelligence program. Unless, that is, you drop one of your existing program elements or consolidate/repurpose. That’s actually quite common. And since I know you’re going to ask what the most common program element that disappears as a stand-alone function is, I may as well tell you that it’s the TVM (Threat and Vulnerability Management) piece. TVM nicely matures into Security Intelligence – if done properly. I will attempt to cover the metamorphosis from TVM to SecIntel in a future post; hopefully it won’t take as long to publish as this one did.

So once you’ve lined up your goals and done due diligence on resource checking, you’re ready to begin the actual planning. Although it’s not the stylish thing to do these days, the security intelligence programs I build for clients start from the inside and work outward. This means you’re not going to be reverse-engineering malware and signing up for a pricey threat intel feed just yet. Security Intelligence inside-out means you’re converting at least a few of your vulnerability analysts (depending on company size) temporarily into business analysts. Look internally into your organization and start by going over some of your old RCAs (Root Cause Analyses) from incidents you’ve experienced. Find the trouble spots, from both a technical and a business perspective, and focus on those. If you’ve never had an incident, or don’t have anything major to work with, look at the various aspects of how security interacts with the operation of the business and ask yourself what things are causing the most friction.

Now you’re on the right track to better protecting the business by having the correct information, at the right time, with the level of certainty you need. Certainty is crucial here – you can’t make decisions (such as preventing a project going live) with partial data, or information you don’t have a high degree of confidence in.

At this stage you’ve added in the externalities that will be implemented later on as part of the holistic approach. Hacker group profiles (TTPs), external feeds of raw data, and timely research are all part of your master plan, each with specific value and specific payback for your program.

Basically, ask yourself the question: “How does this widget/thing help me meet the operational goals of security for this enterprise?” Be ready to justify these items to yourself, your team, and your management.

Execute the plan

Now that your plan is looking good and has been appropriately signed off it’s time to execute. I recommend that organizations seeking to adopt a more holistic approach using security intelligence start slow – with their existing TVM program. Modify your current TVM program as much as you can to suit the purpose of decision making … now with added business context.

Track changes you’re making, track issues you’ve encountered and gains you feel you’ve made along the way. This will help you to claim success at some point, without any uncertainty. I advocate CISOs hire on (at least temporarily) a project manager to assist with keeping things on an even keel. Security programs, including Security Intelligence, are prone to scope and project creep more than other things, I fear. I’m not sure why that is.

Don’t be afraid to test and fail. For example, one of my clients got ambitious and added web app server logs in full debug to their security intelligence platform and quickly realized that while they were getting some amazing data, the systems they had in place for analysis and storage were being overwhelmed. They failed, but it only took a week, and they were able to work with their Operations organization to pare down the data volume while still receiving useful information they can process in a reasonable amount of time to make business-saving decisions. That’s pretty cool.

Measure it

By now you’re aware of my addiction to measuring your gains/losses. Security Intelligence is no different, honestly. You’re investing, potentially quite heavily, in a new function to help your business be more agile in its security decision-making. If you can’t tell me how much more efficient or intelligent your org has become as a result of implementing your key items, you haven’t accomplished anything in my book.
In fact, I spend so much time on definition, collection and analysis of data for provability of effectiveness that I make it a centerpiece of the program.

My SecIntel strategy has a placeholder for developing KPIs based on the decisions you’re hoping to make faster or more effectively with relation to some business item. Maybe you can make decisions on “attack or not attack” 50% faster than before the program rolled out. If you don’t have the metrics to back that up, rolled up into a KPI dashboard, you’re in trouble. People won’t take your word for it; the days of FUD ruling the enterprise are (hopefully) long over.

There you go, folks. A few tidbits that will hopefully help you kick off your security intelligence program right. If you’ve got questions, you can always hit me up – I’m here to help in any way I can.

Tuesday, December 3, 2013

Enterprise Security Professionals Getting Out of the Enterprise?

Enterprise security is hard, and the role of enterprise security leader is getting even harder.

In fact, I'm noticing something of a phenomenon lately that may have everything to do with how difficult it is to succeed in an enterprise security leadership role. No less than three of my real-life colleagues and friends in the last 90 days have left the enterprise role for a vendor or consulting opportunity. Now, this may all just be a coincidence, but if you look back over the past year, successively more and more very smart people from the enterprise are leaving their roles.

I've been thinking a lot about why this is happening, or whether it's just part of the normal cycle of things - but I think there is a pattern worth noting here. As the hum of 'cyber-security' becomes deafening even in the mainstream media and enters every crevice of our collective consciousness - it's becoming difficult to spit without hitting something cyber-security related. With that as evidence, perhaps it's simply true that the opportunities in the consulting and vendor world are far greater than in the enterprise. While this is probably true on a financial incentive level, these folks I know are not solely money driven, so there must be more to it.

Is it simply too hard to thrive in the enterprise as a security leader?

Let's look at what factors in... First of course is the very definition of success. I know far too many organizations (large or small) that still have the delusional view that they expect their enterprise security folks to keep them from being attacked or hacked. This is a wildly unrealistic expectation in this climate. Hell, this was wildly unrealistic 5 years ago...but I digress. If the enterprise leadership that the CISO or security leader reports to can't adequately understand how to define success for the CISO - what's the use in trying to dive in to achieve an undefined goal? That's madness! More precisely, if failure is easy to identify (being hacked/breached) and success is unclear - what are the odds of success here? I'd say pretty close to zero.

If you can get past the very definition of success and get to something mutually agreeable and achievable - there's always the issue of culture and budget. Some organizations are simply not going to adopt sane and sound security practices without a lot of forced retirement. I'm actually serious. Chris Hoff ( @beaker ) had a great quote a while back that certain paradigms (I think he was talking about cloud computing at the time) are literally waiting for us to die off (us being the dinosaurs) before they're mainstream adopted. Think about it. Those folks in your company who have been working there since before computers were an everyday thing in all aspects of life, and before hackers and cyber were a common thing, will probably never fully understand or mentally grasp the gravity of what you're going to ask them to do. So you'll literally have to wait until they're gone from the company before things get better. Now, don't get me wrong, I'm not saying that the latest generation raised on Facebook and Snapchat have any better clues on security, but at least they're understanding the technologies better ... or so we'd hope.

The other major hindrance is budget, and that's just a fact of life in the enterprise. When things are going well, you get budget. When things are going poorly (and you really need every penny) you're likely being asked to cut back - the problem is that in security it's nearly impossible to pare back "unnecessary items" unless you've really padded your budget (in which case, shame on you, and good job). So there's that.

Lastly - your adversaries are kicking your ass all over the playground. They have better toys, they have more time, and they're oftentimes much better equipped to win. You're stuck affording a mid-level firewall resource who also has to use the web app scanner to scan your web apps, while your adversary is financially driven and has an entire supply chain of bad-asses at their disposal. Seriously, you're screwed. There is no way you're entering a CISO role at an organization that has a public profile without getting some bruises and having one of those very, very long nights when things go sideways.

So perhaps getting out of the enterprise (like I did back in '08) is just the thing to do right now, because to play defense is challenging to put it politely. Or perhaps the consulting and vendor side just pays way, way better and offers more challenge and a climate where it's at least possible to succeed. Or perhaps this is all just a coincidence ... but I bet it's more than that.

What do you think? Have you recently made the switch from enterprise to the dark side? Or have you gone back the other way (vendor/consultant to enterprise)? I'd like to hear from you in the comments section below...

Wednesday, November 27, 2013

5 Life Lessons in InfoSec from Surviving the First Month of Twins

For some of you, those that don't know me on Twitter or in real life, you may be asking yourself where the heck I've fallen off to lately. I have, in fact, largely fallen out of the #InfoSec roller coaster and as I write this I'm struggling to remember what day it is...no, seriously. On October 27th, 2013 my wife and I were blessed with twins, a boy and a girl, and since then life has been... non-stop, leaving very little room for anything other than #DadOps.

Now that we've crossed that magical 30-day line, I'm starting to get back to reading email, reading current events, and using Twitter for more than just posting pictures of the kids. With that, I thought I would share 10 things I've learned over the last month - or re-affirmed is more like it - from being a new dad of twins that also applies to our lives in the Enterprise Security space. Here we go...

  1. As in the enterprise with your end-users and customers, you and the baby don't speak the same language, and often effective verbal communication is difficult at best. Figuring out how to fulfil their needs by hearing and understanding their cues is an art form, but not something to be taken lightly. The baby is up, crying. Is it a wet diaper? An upset tummy? Or does he or she just want to be held? Your VP says that his organization needs this app, but you know it's a nightmare. Figuring out what they really need and filling that need separates those that are good at their jobs from those that are great.
  2. I can't say this enough - there is no such thing as being over-prepared. A quick run to the grocery store with the twins seems easy enough and shouldn't take long at all. No need to stock a diaper bag with baby bottles and all the stuff that takes 30 minutes to prepare - it's just a quick run. Wrong. Like in your enterprise security day job there is no such thing as being over-prepared. In fact, make over-preparation a full time job. Make sure that you have your tools and preparation laid out, tested, and ready to go. Even if you don't think you'll need it. You probably won't ever need to get the logs from that low-risk app server out in the partner DMZ, but archive it anyway, and make sure you can read the data and pump it through an analytics tool as well. With the twins, we pack a diaper bag with bottles, formula, bibs, diapers, wipes, at least 2 sets of new clothes and other things you probably think you don't need. Trust me. Nothing like being in traffic and realizing you really, really need to change that diaper...and the car seat cover, your kid's outfit, and roll the windows down a bit.
  3. Work at making your response (virtually) autonomic. Taking the night shift with the twins, I can tell you that after the first week and a half I probably went through the motions of waking up, warming bottles, changing diapers, feeding, swaddling and putting them back into bed while not being fully awake. I am proud of that. I talk a lot about detect, respond, resolve in my enterprise security talks - and it's absolutely true that you must work at response until you can do it without thinking about it. When things go sideways, and they will go sideways at the worst possible moment, you're going to want to have your response training kick in and just take you through without having to read manuals or panic. Just do.
  4. Accept support, and provide it. This is a lesson I learned early on. In our industry, security, there is way, way too much individualistic drive and self-back-patting. Too many rock stars and those who like to tear others down to make their own egos feel better. There is no room for that when you're a parent at this stage, there just isn't. I was very proud of the fact that my wife and I didn't need my parents or anyone else's support (and stupidly turned it away at first) to get through the day. Then on day 4 when we realized we had an empty fridge, no time to grocery shop or cook, and zero time to sleep or even take a sanity break we did a self-check. Realizing that you're not the rock star that your ego tells you that you are, that's big. As a parent you put your children first, ahead of your big ego, your quarrels with family or friends and just learn to accept and ask for help. In the enterprise this isn't any different. Even if you're the smartest person you know, you're going to need help so learn to accept it, and give it graciously when you're able to.
  5. Work together, as a team. Your #InfoSec team is an autonomous unit. There are times that you literally succeed together, or fail together - there is no "I" in team. In the enterprise that's pretty true, but in parenthood that's an absolute. I've learned that if my wife is doing something slightly different than I would like, but I'm the backup or her support, I don't get to interrupt or impose my will on her process - I just go with it. She does likewise. Otherwise chaos ensues. Children pick up on dynamics between parents, you know you did as a kid. Your adversaries will pick up on dynamics inside your organization and where you have dysfunction and will absolutely exploit it to its fullest capacity. You're a team, act like it, respect and support each other and only disagree when you have a moment to debrief and there is nothing currently on fire. I'm taking this as an absolute golden rule in parenthood, and I encourage you to do the same in your enterprise security organization.

There you have it. I hope that's helpful!

Who knew raising twins would be so much work, and yet feel so amazing. Kids are a gift, a little miracle and it just so happens that we were blessed with two of them at once. I think as silly as it may sound now, this experience will ultimately apply thoroughly in enterprise security and defense.

Have something you'd like to share that you think I missed? Want to add your own anecdote? Leave a comment or hit me on Twitter ( @Wh1t3Rabbit ) and let's talk about #DadOps :-)

Thursday, October 24, 2013

It's Not a Bug, It's a Feature - LinkedIn Intro Edition

Dear LinkedIn - please stop with Intro.

Sincerely, every security professional.

Let me sum up what has just happened over at LinkedIn, in a very simple manner: features won over [common sense] security. Again.

In a world where companies feel ever-more pressured to "do the impossible" (seriously, marketing people, stop) features often win over common sense security. This is no exception. As this TechCrunch article clearly points out - what's going on is that your mailbox is being MITM'd (Man-in-the-Middle). This means that sensitive content (see the Bishop Fox post) that you're exchanging between you and your email partner is being intercepted, changed, and re-packaged, then re-sent to your device. Who does this sound like a good idea to? Honestly... think about it.

Seriously though, the very smart folks over at Bishop Fox already have a great piece on why Intro is a train wreck waiting to happen, so I won't re-hash what has already been said - but rather I have a few things to add:

  1. LinkedIn is setting a dangerous precedent - As I said on Twitter, if this thing grows legs and attains any sort of momentum it's going to set a precedent that it's OK to launch more products like this, which clearly create security issues for your users and spit in the face of common sense. Yet another reason to discount those kooky security people, because LinkedIn understands security, trust them, and because you absolutely need this new completely useless gadgetry for your inbox(es). There are already lots of examples of bad security practices being explained away as "it's a feature, not a bug", but this is perhaps the most blatant in recent memory.
  2. End users don't know better - The people who use your services see a shiny new gadget and blindly trust (although I can't explain why any more than I can explain why people text when they drive) that you're keeping their information and private communications safe. Your blog posts do not outline the many security problems which the Bishop Fox post points out plain as day, and instead focus on the gimmicks. You're doing a disservice to your users... and I think you know it. When this is inevitably used to hack millions of mailboxes, can we then call this willful negligence, because you knew the risks full well, but your product folks chose to ignore them? (something to think about)

Where were the risk people?
Where was the privacy and legal team?
I think we know the answers to those two questions, right? They probably weren't invited to the meetings, or per the usual their lamentations were simply ignored. I refuse to believe risk, privacy and legal professionals would approve of something like this at a company like LinkedIn.

Once again ... I was pretty sure there were some very smart security people over at LinkedIn. Is this just a prime example of 'agile product development' (aka product and marketing people running feral), or is this a legitimate product that the company stands behind? To me, this product announcement proves (once again) why security people feel so disillusioned... a sad state of affairs indeed, but endemic to our trade.

Feature gimmicks win over even the most common sense security, nearly every time. Take it as fact.
So now what?

Thursday, October 17, 2013

A Renaissance in the Manufacturing and Industrial Sectors

Having worked in an enterprise security capacity in the industrial and manufacturing sectors I'm one of the first to admit that those two sectors haven't exactly been on the bleeding edge of security innovation over the last decade. The good news, if recent events hold, is that the industrial and manufacturing sector appears to be going through somewhat of a renaissance. This is thoroughly exciting news for many of you who have been hearing stout opposition to your efforts.

After what appears to be decades of systematically ignoring security challenges, the recent climate of breaches seems to have shaken something loose. Purse strings have loosened. Boards have begun to ask security questions where they have never done so before. And most of all, I'm seeing several organizations formally hiring CISOs and giving them both accountability and control over the security future of the enterprise.

This makes me hopeful that change is in the air.

The problems with legacy drag

The latent risk that many CISOs at industrial and manufacturing sector companies are waking up to is potentially huge. Over the years they've accumulated large volumes of perfectly siloed equipment which was fully owned and managed by non-IT groups, and never connected to anything. As technology refresh cycles push forward many of these previously stand-alone components (think about a set of computers which is attached to a machine which takes a raw piece of material and produces a machine-milled part based on a digital drawing, CAD/CAM) are getting network cards and are being connected to other shop-floor types of components. The design workstation is being attached to the manufacturing station, to the quality control booth, and all tied together to the raw-material-management system. All over IP.

Also notice how I specifically pointed out that all these systems have not previously been (and in some cases still are not) available to the IT organization for management and maintenance. This obviously means that security likely didn't know they existed. Now they're being connected to the same flat, non-segmented, layer-2 network that the SAP and email systems are riding on. As these systems were previously managed by non-IT employees (in some cases it was an outside contractor), this translates to a lot of confusion and misunderstanding. Imagine taking one of these ICS systems, such as the assembly line control system, and handing it to someone in IT (and then enterprise security) to manage. The results have not been positive.
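Before you can segment the shop floor off the corporate network you need to know which of these previously unknown systems are talking to what, and flow records are the cheapest place to find out (the "got netflow?" question later in this post). The script below is an added example, not anything from the original post or from any vendor; it assumes you already have NetFlow/IPFIX-style records reduced to (src, dst, proto, dport, bytes) tuples. The zone subnets, host addresses and flows are constructed for illustration. It flags flows that cross between the inventoried shop-floor and corporate zones, lists hosts that belong to no inventoried zone at all (the equipment security didn't know existed), and builds the per-host peer list you need before writing any segmentation rule.

```python
"""Find shop-floor hosts talking across a flat network, from flow records.

Added example (not from the original post). Assumes you already export
NetFlow/IPFIX-style records and have them as (src, dst, proto, dport, bytes)
tuples; the subnets and flows below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed zone inventory: the subnets IT knows about. Anything outside
# these is an "unknown" host, i.e. equipment security may not know exists.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "shop_floor": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.20.5.17", "10.10.1.5", "tcp", 445, 120_000),    # mill controller -> corporate file server
    ("10.20.5.17", "10.20.5.1", "tcp", 502, 4_000),      # mill controller -> PLC (Modbus), same zone
    ("10.10.3.44", "10.20.5.17", "tcp", 3389, 90_000),   # corporate desktop -> controller over RDP
    ("192.168.77.9", "10.10.1.20", "tcp", 25, 2_000),    # host in no inventoried zone -> mail server
    ("10.10.3.44", "10.10.1.20", "tcp", 25, 1_000),      # corporate -> corporate, not interesting here
]


def zone_of(ip: str) -> str:
    """Map an address to its inventoried zone, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def cross_zone_flows(flows):
    """Return the flows whose two endpoints sit in different zones, with zones attached."""
    result = []
    for src, dst, proto, dport, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz:
            result.append({"src": src, "src_zone": sz, "dst": dst, "dst_zone": dz,
                           "proto": proto, "dport": dport, "bytes": nbytes})
    return result


def unknown_hosts(flows):
    """Hosts that appear in the flows but belong to no inventoried zone."""
    hosts = set()
    for src, dst, *_ in flows:
        for ip in (src, dst):
            if zone_of(ip) == "unknown":
                hosts.add(ip)
    return sorted(hosts)


def peers_by_shop_floor_host(flows):
    """For each shop-floor host, the sorted (peer, dport) pairs it exchanges outside its zone.

    This is the allow-list you have to understand before a segmentation rule
    can be written without cratering a production line.
    """
    peers = defaultdict(set)
    for f in cross_zone_flows(flows):
        if f["src_zone"] == "shop_floor":
            peers[f["src"]].add((f["dst"], f["dport"]))
        if f["dst_zone"] == "shop_floor":
            peers[f["dst"]].add((f["src"], f["dport"]))
    return {host: sorted(p) for host, p in peers.items()}


if __name__ == "__main__":
    for f in cross_zone_flows(SAMPLE_FLOWS):
        print(f"{f['src']} ({f['src_zone']}) -> {f['dst']} ({f['dst_zone']}) "
              f"{f['proto']}/{f['dport']} {f['bytes']} bytes")
    print("hosts in no inventoried zone:", unknown_hosts(SAMPLE_FLOWS))
    print("shop-floor peers:", peers_by_shop_floor_host(SAMPLE_FLOWS))
```

Run against a few weeks of real flow exports rather than the five constructed records, the per-host peer list is what you take to the line managers: it shows exactly which corporate services a controller depends on, so the segmentation conversation starts from observed traffic instead of guesses.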

The other big challenge, as if we needed another, is that many of these systems easily qualify for the label of ultra-legacy. This means that they're greater than 15 years old and still functioning. In one example we've got a DOS-based application running off of a 1.44MB floppy disk on a 486/DX266 which manages the time cards of ~300 shop floor workers. This technology predates many of you reading this blog post, which means your immediate thought of "Why don't we just re-write this in Python?" is likely to break things in a way that will cause ripples through your supply chain and your bottom line.

Planning for the technology-driven future

As one of my favorite CIOs put it - "We need to get with it right now, while our competitors are still largely in the same position, because we are entering a time when industrial and manufacturing enterprises are no longer able to ignore their dependence on technology." This is so true.

As enterprises start to connect Widget A with ancient shop-floor Thing B we inevitably find that not only do those combinations create security issues, but the systems themselves are antiquated and unable to provide much in the way of options for a more secure implementation. This means that CIOs are conspiring with CISOs to modernize much of the shop floors, and overhaul large bits of technology. Of course, Rome wasn't built in a day and clearly this desire doesn't translate into action as easily as that would appear. Lots of road blocks, integration challenges, and risks to be assessed.

The good news is this is a topic for discussion, and folks like myself and others are being brought in to support these transformations. Again, this gives me a sense that the manufacturing and industrial sector is experiencing an industry-wide renaissance of sorts. An awakening to the needs of innovation requires kid gloves from my fellow security practitioners - as you already well know, we get maybe one shot at this.

Looking the future in the eye

Step one of this entire renaissance is understanding which ring of legacy IT hell you're currently residing in. This means spending a great deal of time reflecting inward and doing the equivalent of pulling at strings until yet another mystery unravels. I'm currently in the process of setting the guideposts for the next 12 months with a few of these types of organizations. There are a lot of hurdles to overcome and many engineers and line managers to win over with your charm. As I've already said, we will get one shot at this. The first time you crater a production-line system with a patch that "needed to be applied for security reasons" will likely be your last for a long while. Measure twice, then measure again and test before you make that cut.

The approach you'll be taking is one of assessment, transformation, optimization, management. Figure out where you are, make plans for making it better and execute to plan, slowly raise the bar over time and then make sure nothing falls through the long-term cracks. It's relatively simple on paper.

Your key trouble spots, from my observations so far, will be those legacy systems you've never gotten your paws on, your network, and your user base. In that order.

  • legacy systems - should be self-explanatory as these are the siloed and previously un-managed or under-managed systems which you suddenly have responsibility for securing since they now reside on your global, flat network
  • network - speaking of your network it may be high time to start thinking about segmenting and compartmentalizing... this is of course much easier said than done - got netflow?
  • user base - your users are likely not used to being 'managed' in any traditional sense, and while they've been running successfully with self-managed full admin capabilities, your meddling and trying to lock systems down and define user and admin profiles will cause a stir
Those of you in the manufacturing and industrial sectors - remember all that complaining you did that your enterprises didn't find value in what you provided? You're about to get your chance to impress the business with your intimate knowledge of what it is your organization does, and how you should be supporting it going forward. You have a plan, right? 

Monday, October 7, 2013

Living in Glass Houses - #InfoSec Industry's Culture of Shaming

Edit (10/9/13 16:26 EDT)
Thanks to Steve Ragan for pointing out that the Internet never forgets ... in case you want to see a glimpse of the original post which has since been (quietly) removed, click here.

If you're anything like me and like to keep up on the industry, you've no doubt been overloaded with news on the apparently epic Adobe hack. As some of you may no doubt point out I'm no apologist for companies who fail to take security seriously, and I've made my share of pokes and jokes at Adobe's expense over the years. There is, however, a line I hold myself and others who wish to be known as professionals to. That line is personal hit-pieces where you're targeting a particular individual for the sins of the collective. This is commonly known as bulls***.

That being said, I took serious offense when I saw the original version of this post (I wish I had taken a screen capture, but it was quite distasteful) from Richi Jennings on Computerworld. When I read the original which basically sought to crucify Brad Arkin for Adobe being hacked I got upset. So upset that I took to Twitter and let Richi know it, and I can't say I was too polite either... After a few others laid into the author, the post was dramatically changed, the picture of Brad with the overlay "Fire Me" came down, and there was an apology. Of course, if you want to see the sorts of trolls that apparently read that column, look no further than the comments...yikes.

Anyway... let me get to the point.

There are some points I think we largely still miss as a security industry, judging by the interesting and colorful discussion about firing CISOs in the wake of a breach we had earlier in the day this post was written.

First, security is hard. Those who lament the failures of security professionals on the defensive from their offense armchairs (aka penetration testers) need to play defense for a while. You'll get an attitude adjustment, I promise. I came from a small-company penetration tester mentality when I joined a massive global conglomerate back in the early 2000s - and let me tell you that attitude adjustment was harsh. My "why can't you just fix this" was met with retorts like "because we have budget to do one of two things - release the product and make the company money and keep our jobs, or hope to add security" over and over. I eventually learned the harsh lesson, luckily before I was relieved of duty.

Now, I'm not apologizing for years of poor security practices in software products you sell to others to use, but Adobe has come a long way by my measures. They used to have Flash! bugs almost weekly - a torch which has been passed to Java. They also had poor practice in community interface, and other issues which no one really needs to hear over and over again. Brad Arkin's appointment as Corporate CISO has made a tremendous improvement in that organization, and those who discount that simply don't know better...and if you don't know, stop talking.

Now back to security being hard. I can relate here. I've never been the CISO for a global conglomerate which has grown by acquisition as well as organically - but I did work for one. On that team which was responsible for global security but had very little mandate power - life was hard. When the company got breached we were in the firing line. When we worked tirelessly to do what we could with the few pennies we were given no one batted an eyelash. It's a thankless job trying to save the victim from drowning themselves - but that's what you sign up for when you go to work in #InfoSec in the corporate world. I get that. The last thing you need is some guy touting your employer relieving you of your job. Seriously?

Whether you're a Christian or not, there is a Bible verse which rings true in all our lives. John 8:7 says "..He that is without sin among you, let him first cast a stone.." Remember this my friends and colleagues, as you read the news and jump on the bashing-the-victim bandwagon. Some day very soon, if logic holds, your organization will be breached, hacked, sacked and shamed publicly by people just like you. You'll want to tell your peers in the industry just how hard you've worked to make even the smallest changes in culture, and how long it takes to change hearts and minds, attitudes, and budgets. But no one will listen and instead they'll be calling you names, laughing, and calling for your head. That's probably not the right thing to do, you think?

As the saying goes "People in glass houses shouldn't throw stones". We all have to live with issues that at any moment could expose us - whether it's in our personal or professional lives. There is no secure. So the next time you want to get your names in the publication talking about how stupid that one vendor is because they got hacked - ask yourself - what would you want your peers to say when it happens to you?

Thursday, September 26, 2013

Why Your Unified Identity May Just Be FaceBook

The age of "unified identity" is coming ... in fact many of you are already starting to get comfortable with it. Unified identity (sounds similar to SSO - Single Sign On) is a concept where you authenticate to a single place (FaceBook, let's just say) and then your identity is federated out to various other places. You've been using it for a while, probably, as have your family and friends.

Today we are seeing this happening all over the place, mainly in the consumer online world. You can now log into several of your favorite websites and applications simply using your FaceBook identity. FaceBook verifies you know your password and are likely you, then federates (tells the 3rd party) that it has verified your credentials. Again, this is primarily happening in the consumer space right now, and while it's becoming more pervasive it's still a nice to have because almost every site still offers you the ability to create your own username and password. But ... let's be honest here, the convenience you get of having a single password to remember that works for many other places is hard to pass up and many of us (your humble blogger here included) simply acquiesce.

Is this really a good idea?
The answer to the question of whether this type of activity is a good idea or bad idea lies in whether you believe that individual web identities are manageable (I do not), and whether you trust yet another website with managing your credentials properly over FaceBook (I believe this is likely a toss-up, with FaceBook getting the benefit of the doubt).

Look, you're not good at managing the hundreds of websites, applications, and places where you have to create yet another username and password pair. Believe me when I say this because I know I'm terrible at it and I have to be paranoid for a living. I can probably remember ~15-20 site/app and credential pairs relatively sanely while using reasonably complex passphrases and passwords. Anything beyond that and I'm forced to re-use ... yep, I do it too. Let's face it though, the truth is that if I have 1 username/password combination for all the sites I'll never go back to again that have nothing really private about me, I don't care and neither do you.

So let's look at FaceBook. They've had many years to increase security in their authentication mechanism and federation system. I won't even insult your intelligence by saying they're secure, but they work very hard at knowing who you are, and being sure it's actually you. Why? Simple - this is how they make money, by getting good tracking data on you. Double-edged sword folks.

Do you really want to give FaceBook the power?
Well the simple answer to this question is heck no. Although ...you have to ask yourself what privacy you're additionally giving away and if the juice is worth the squeeze. Are you willing to maintain that thin illusion of privacy by trying to manage potentially hundreds of logins and credentials? I'll save you the brain cycles - the answer is really no.

The other thing here, if I'm honest, is that FaceBook probably already tracks you on many of those sites anyway ... seriously. I'm not saying this makes it OK by any stretch of the imagination, but ... maybe... ?

Yes, we're inching towards a situation where the folks over at FaceBook are going to hold incredible analytical capabilities when it comes to who we are, what we do, what we buy, where we visit and just about every aspect of our digital lives in exchange for the convenience and added security of safe-guarding that information to a single central party over hundreds or thousands of organizations we know we don't trust.

So what if FaceBook gets compromised? Great question.

You probably use something similar to 1Password (if you're smart) to manage all of your web presence and logins ... right? What if they get compromised? That's just a risk we take; it's a calculated risk based on the fact that we know our passwords are stored in a database that requires our passphrase to unlock. Could someone insert malicious code into that application by compromising that password management group - of course. Will they? Maybe. The fact is I would rather have that single point of failure - if I can be reasonably sure it's well-defended - than hundreds of poorly defended ones.

The real issue is the future...
The real issue is this article right here - "FaceBook wants to make mobile payments easier with 'AutoFill'"...there are many that sprang up over night reporting on the same issue. The question isn't only whether FaceBook will become the de facto standard for Internet enabled identity, but how pervasive that identity will become. If you can not only log into, but also quickly pay using your FaceBook identity - would you subscribe? I'm guessing those of you who think like I do are saying to yourselves "Hell no!". The truth is that your family members, colleagues and friends can't wait to jump in on this.

Why, you ask? Simple. It simplifies your life. As your life in the real world melts more and more into your digital persona, services like FaceBook's "AutoFill" will become increasingly popular and useful. No doubt in my mind.

Alright, I'm worried
...and you should be, but probably not for the reasons you're thinking.
This trend troubles me because the war over your online and physical identity is being fought fiercely in the background and no one appears to be taking notice. Security professionals aren't noticing, privacy professionals aren't noticing in large parts - and I don't see or hear a lot of talk about this.

Can FaceBook swallow the world, and become a reasonably secure global federated identity provider? I think the chances of this are likely, and they've probably got this on their business plan because they're smart. Will Google keep trying to oppose them - heck yes. Should we all take notice and start to look at the way FaceBook manages our authentication and federates (including WHAT access it gives to your information to the party they federate out to) - absolutely.

I think this is the final frontier in the collision of our still-separate physical and digital lives. Once the identities melt together into a single federated FaceBook (or whoever wins this war) identity, the game will again change.

You'll notice this post hasn't even begun to tackle the topic of authorization yet - that's another story for another time.

I'm curious what you think ... am I totally off my rocker? Chat me up on Twitter @Wh1t3Rabbit and let's hear what you think.

Monday, September 23, 2013

Apple's Touch ID - a gimmick or real security?

Earlier tonight (after I read that the CCC had broken Apple's Touch ID[1]) I posted this to Twitter:
"So hyperbole aside, #Apple just set back "real security" several years with this fingerprint gimmick (for the masses)? Awesome."
That was supposed to be a bit ironic; some people got that, others got mad at me, and some were insightful. I've been thinking a lot about this Touch ID that Apple has released with their latest version of the iPhone, the 5S. For me it all comes down to the opening paragraph of the above-referenced page on Touch ID -
"Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode. Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode. With just a touch of the Home button of your iPhone 5s, the Touch ID sensor quickly reads your fingerprint and automatically unlocks your phone. You can even use it to authorize purchases from the iTunes Store, App Store, and iBooks Store."
Before we get into this, let me first give credit to Apple for good things they've done with the latest version of the iPhone and beyond. First, they've forced everyone to put in a passcode - this is already a leap forward. I've been telling people to protect their phones with a passcode, but it seems like every day I see someone new who isn't following that line of thinking and I have to explain all over again. So this push to something is better than nothing. Also, a 1 in 50,000 chance is always better than a 1 in 10,000, but when you consider many people never even use the passcode feature before this version of the phone - this seems kind of irrelevant. I wonder if Apple has statistics on how many people never enable the passcode at all, I'd be much more interested in that - although I suspect no one will ever give this information out, unfortunately.

Now - let me explain why I call Touch ID a gimmick. But one more thing... let me tell you what I'm taking as truth here...

  1. Apple is a largely consumer-based company, and markets primarily to the consumer
  2. The consumer demographic doesn't necessarily know the difference between good security and the stuff they see in the movies
  3. If you put 1 and 2 together above, you get "What Apple says people believe as gospel" for a large part of their user base (in other words: not for everyone)

OK, now that you understand where I'm coming from, let me move on.

To explain why I believe Touch ID is a gimmick I will simply cite two sources on the subject. First a presentation from PacSec 2006 (that's right 7 years ago) on the quality and worthiness of fingerprint readers as authentication mechanisms. You should walk through those slides on your own (Apple probably missed them), but if you're in a pinch let me sum it up for you with the conclusion Starbug reaches-
"Don't use fingerprint recognition systems for security relevant applications!"
You're probably saying to yourself, "self, but this application isn't necessarily high security" and I would agree with you if you weren't wrong. The problem is that this fingerprint application is the key to your phone, and can be set up to authorize purchases as Apple tells us. As soon as this catches on the average user will be asking for Touch ID to be the authenticator of choice for FaceBook, Twitter, and other authentication type applications. Trust me, it'll happen. Right - but there's a 1 in 50,000 chance of your fingerprint colliding (being close enough to) someone else, right? Except that after 5 unsuccessful attempts you still have to use your passcode so you don't get the full 50,000 tries. Wait. Then we're back to the 1 in 10,000 4-digit passcode? That can't be right ...logic doesn't make sense here. Does it make sense to you?

OK, moving on, instead of trying to tell you why I think fingerprints are a bad idea for authentication, I'll just point you to Dave Aitel's "Daily Dave" mailing list which quotes Dave ...
"...[T]here are two important reasons why biometrics won't work, and why the old-fashioned password is still a better option: a person's biometrics can't be kept secret and they can't be revoked...Since a person can't change their fingerprint or whatever biometric is being relied upon, it's 'once owned, forever owned.' That is biometrics' major failing and the one that will be hardest to overcome." - Dave Aitel, USAToday, 12 September 2013
So let me sum it up for you...

  1. Because it's Apple, you'll now have a massive user base believing fingerprints are infallible, and likely be demanding this type of authentication for more applications (psst! your enterprise application is next)
  2. Your super-secure fingerprint vault and amazing scanner (1 in 50,000 chance of collision) still defaults to a simple passcode (1 in 10,000 chance of guessing) after 5 failed guesses
  3. Your fingerprint is relatively simple to find, and duplicate because it's not secret
  4. You can't change your fingerprint once it's copied and compromised (oh oh)
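
The arithmetic behind the 50,000-versus-10,000 comparison above, as an added worked derivation that is not part of the original post, using only the figures the post quotes; $k$, the number of passcode guesses the device permits after the fingerprint lockout, is an assumed symbol:

With a per-attempt false-acceptance rate of $p = 1/50{,}000$ and at most $n = 5$ fingerprint attempts before the device falls back to the passcode,

$$P_{\text{finger}} = 1 - (1 - p)^{n} \approx n\,p = \frac{5}{50{,}000} = \frac{1}{10{,}000}.$$

A single guess at a 4-digit passcode succeeds with probability $1/10{,}000$, so the entire fingerprint budget is worth about one passcode guess. If the device then permits $k$ passcode guesses, the overall chance that an unauthorised finger plus random passcode guesses unlock the device is approximately

$$P_{\text{total}} \approx n\,p + \frac{k}{10{,}000} = \frac{1 + k}{10{,}000},$$

which the passcode term dominates for any $k \ge 1$. The sensor's 1-in-50,000 figure never applies on its own; the 4-digit passcode remains the binding limit, which is exactly point 2 above.
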
[tinfoil hat]
But now we get to the really fun part, in case you're still not clear on why this is a gimmick at best, and a bad, bad idea at worst. Put your tinfoil hat on and follow me here for a minute.

Apple now has control of one of the largest fingerprint stores in the world (albeit mathematical representations, and distributed ... so we're told), potentially larger than many local law enforcement or federal databases by sheer size. Remember there were more than 9 million iPhone 5S's sold just over the weekend from Sept 20 - 22nd. How long until the NSA or some Federal entity comes calling and asks Apple for access to that mechanism, or asks Apple to modify the code? Feel secure right about now, do you?
[/tinfoil hat]

So why does this set back real security at least a half-decade? In my mind, we the "community" have been working very hard to change end-user's behaviors and to get them to make more complex passwords (pass-phrases) and not re-use, etc... and now along comes Apple promising security with the swipe of a finger. And just like that ... poof all that work we've done is out the window. Users will swipe their finger, enter 1234 as their backup pass-code because the fingerprint is good enough, and we're back to where we started.

[1] CCC breaks Touch ID blog post - http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

Friday, September 20, 2013

Engineering Software That Is Difficult To Exploit

A recent post to the SC-L mailing list lamented an interview with an executive where the executive stated his company's approach to software security was to raise the cost/complexity bar for exploiting their software.

The poster wrote "The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices."

I don't believe the person posting really understands the goals of software security, or is simply failing to understand these are not opposing goals. If you still delusionally believe that you can engineer all security bugs out of your code, I think you don't understand modern software security. You may also be setting some unrealistic goals.

Even though I've assisted enterprises with employing "best practices" and a plethora of tools and procedures to integrate software security into their various SDLCs, they still produce security defects/bugs. This is nearly universal. Even organizations that understand the difference between flaw and vulnerability, to quote Gary McGraw, still fail to eliminate all security defects. The answer for these groups is to make defects more difficult and more costly to exploit. There is absolutely nothing wrong with setting this as a goal, in my experiences.

This approach doesn't herald giving up on writing secure software but rather acknowledges that ratcheting up the cost/complexity of exploitation is a valid piece of the overall software security program.

Quite simply, failing to understand this results in frustration and continued alienation between security and development personnel.

Should your goal be to produce more secure software? Absolutely.

Should your goal be to force your adversary to spend more and work harder to exploit your code? Absolutely.

Are these two opposing concepts? Hell no.

Tuesday, September 17, 2013

Boogeymen from the NSA/GCHQ

If you're an American, you can't help but feel the weight of the world's disdain for the deeds the National Security Agency (NSA) has been caught with. Domestic spying, infiltration of international targets and who knows what else have given the world's hackers a target painted squarely on US interests. Private organizations and government agencies are the target for hackers seeking to make a point, like this one - a hacking of the NASA websites. This has done American tech companies a massive disservice for a number of reasons...

  1. Cloud - good luck trying to sell the European Union on cloud services based in the US, or from US-based companies. Henceforth we'll have to answer for the extensive erosion of trust that the NSA has accomplished. Good luck getting your US-based cloud service sold to any organization outside the US in the near term.
  2. Hacktivism - globally, hacktivists have mobilized against the US (and UK via GCHQ) spy agencies. The problem is that hacktivists are opportunistic and often pick low-hanging and weak targets such as the NASA site cited above. US businesses, government agencies, and anything exposed will continue to be the target into the foreseeable future for this hacktivist, anti-spying, anti-US war mongering campaign. For the record, I'm not implying that this is something new - only that there is a renewed sense of a common enemy.
  3. Boogeymen - have you noticed that nearly every time there has been even a minor incident involving hacking, malware, or infiltration, the question of GCHQ and NSA immediately comes up? This story on Belgacom's issue with malware takes up the NSA and GCHQ boogeyman, as if on cue. Of course, the accusation of infiltration from the NSA may be entirely valid, but at this point (as of this writing) it's entirely unsubstantiated, publicly.
What makes this whole thing worse is that now the mainstream media will have something to feed on for the next few months. Every intrusion, discovered hack or malware infestation will be the NSA. Driving this type of hype is not only distracting, but can actually cause harm to those of us trying to bring sanity to the adversary conversation.

If you're on the defense - understand that you're a target even if you're a government 3-letter agency. Keep your guard up extra, but as far as I can tell the good news is that much of this hacktivism is defacements and protest - very little of it is actually destructive or otherwise malicious.

Remember, they're from the government, they're here to help.

Friday, September 13, 2013

HTCIA International 2013 - The Leading and Trailing Edge of Technology

In the security industry, we pride ourselves on having some of the best minds in technology, with cutting edge gear and techniques always on display. The perpetual arms race between offense and defense is just that – perpetual – but those who say that criminals are overwhelmingly winning are only partially correct. The HTCIA (High Technology Crime Investigation Association) International conference this week showcased some of the most cutting edge technology, tools and techniques that could potentially shift the balance of power back towards the middle against the criminal element.

There is a problem with this, because even as technology, tools, and techniques move forward at a blistering pace the trailing wave is still significantly behind. What I mean by this is that there is an atypical distribution here on the technology adoption curve. Whereas you would expect to see a bell curve heavily concentrated in the middle, and thinning to either extreme, I think (and this is a personal opinion formed from observation) that the highest concentration of the curve is shifted towards the back – the laggards – of the technology adoption curve.

When you account for enterprise, law enforcement (LEOs), and government combined on the defense it becomes clear that the technology, tools, and techniques that are ‘cutting edge’ are slow to be adopted for a number of reasons. Awareness seems to be the biggest stumbling block, while budget and capability round out the top 3 reasons. Many of the folks that attended (or should have attended) the conference this past week, the ones who are most apt to get the maximum benefit from rapid advancements in technology, weren’t even here… or worse were physically here but missed many of the worthwhile sessions. Towards the middle of day 3 we saw the typical 1/3 of the audience that were there on day 1 evaporate. You can’t even blame it on good weather and Las Vegas because it was ugly, rainy and gloomy. So what was the issue? Honestly I don’t know… I do see it in the technology industry (specifically security) all the time though. No one wants to speak at the end of the day, the beginning of the 2nd and 3rd days, or on the 3rd day at all because people bail out, tune out, or end up nursing hangovers from the parties that happen. This is a sad commentary on these types of events in general – but it’s the reality. The ones who were here were generally wide-eyed as if they had never heard of some of these things before. I know much of this gets published in journals, papers, blogs and sometimes tweets – but it somehow doesn’t make it down to the practitioners. There is just a general lack of awareness of some of the advancements in the industry – and this is unfortunate. As a community the security industry and the high-tech anti-crime community need to do a better job of getting together more than once a year.

Another issue I see is budget. Lots of the LEOs that were here, and even the enterprise folks, made it clear that while the things they saw were excellent unless they were cheap or open-source they weren’t going to be affordable. You can blame your government’s ineptitude to appropriate funding for that one in part, and just general lack of budget allocation for high-tech solutions. I could go on and on about budget but this is a problem all around the industry broadly in security – so let’s not flog a dead horse any further.

The 3rd reason for the disproportionate lag in the industry, to me, is just a general lack of capability. In the law enforcement sector the transition from physical investigations to cyber has been slow and painful. Training has been sparse and heavily vendor-centric at times, which doesn’t help. There was also a murmur in the halls and an almost unspoken sense in many of the talks that there just weren’t enough people to staff these high-technology criminal investigations. DFIR (Digital Forensics and Incident Response) people are rarely available…and they’re expensive. Affording a good investigator or incident responder is difficult in most Law Enforcement capacities, and even worse in smaller enterprises. Even in bigger enterprises the few DFIR specialists that can be hired quickly get overwhelmed. This is a problem now, and will continue to be a problem in the future – and a major reason why it is largely true that the bad guys are beating us.

The conference was great, and I encourage you – if you’re in investigations and high-tech anti-crime – to attend next year or join your local HTCIA chapter. These types of associations and organizations need your support, your expertise, and your mentorship to help shift the balance of power closer to the middle of the teeter-totter, and improve the general state of the industry. Get involved, contribute your skills, and bring others in. This is how we will collectively raise the bar and help push the bell in the curve towards the shape it should be, rather than a simple large trailing wave.

Tuesday, September 3, 2013

Tripyarn for the common post-breach enterprise

Something interesting is happening right now in the Information Security community. I’m reading and hearing more and more discussion, papers, blog posts refocusing efforts from preventing breaches to detecting and responding. This is a great thing, and quite frankly it’s about damn time.

Zane Lackey from Etsy posted a brilliant talk the other day on Slideshare, and since I follow Zane I got the alert in my inbox and immediately went to check the deck out. If you've not seen it, it’s right here, titled “Attack-driven defense”.  I love the slides, I love the idea, but I was left wanting more. Zane’s ideas clearly work within Etsy – but how many environments are there out there like this? While it’s clear that there are many, many enterprises facing a similar level of threat, what is unclear is how many of them can respond in the manner that Zane’s presentation outlined.

The challenge, in my opinion, is adapting the Tripyarn (love the name of this…) framework that is clearly proprietary to Etsy to the broader small-to-medium enterprise. Enterprises that don't have a Zane and multi-person team which has the capability to write custom-code. Enterprises which rely on Windows systems and servers more than they rely on Linux. Enterprises where the present threat far outbalances the ability to play defense. This is the problem space that I believe needs Zane’s framework and approach most urgently … right now.

The trouble with approaches so customized to the environment they’re developed for is they can’t easily be adapted elsewhere – except in concept. The trouble with adapting a concept is that you need capability and skill – that doesn't always exist plentifully in smaller organizations.

The challenge, then, is to build a “Tripyarn” framework which can be adapted in environments from Fortune 100 massive enterprises, to an enterprise which has a handful of IT security resources working through keeping patches current and encrypting endpoint hard drives. What these types of organizations need is a set of pre-built blocks (like Legos) that they can put together as it fits their business and operating capability, but that still provides some incremental level of benefit in detecting “interesting operational deviations” which may signal a compromise, or at the very least something interesting to go investigate.

I think tonight we may have seen the beginnings of this, and I suspect before long there will be a group working together from enterprises big and small, to deliver a defensive framework that isn't pattern-based so it can’t be “evaded” but that has great effectiveness at detecting interesting things that have a high probability of being important to security. I’m hopeful that Zane’s presentation and slides have started something, finally, and that we’ll get past the “break everything” over-focus on offensive breaking and get into a more offensively minded defense that actually is innovative.
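To make the "pre-built blocks" idea concrete, here is an added example (not Etsy's code, and not part of the original post) of four small baseline-deviation detectors that compose over a window of logon events; the users, hosts, addresses and events are all constructed for the example. Nothing here matches a signature: each block only reports behaviour that falls outside what the baseline window already showed.

```python
"""Composable baseline-deviation detectors ("Lego blocks") over logon events.

Each block takes a learned baseline and a current window of events and returns
alerts; none of them matches a pattern, so there is nothing to evade except the
baseline itself.  All sample data below is constructed for this example.
"""
from collections import Counter


def _pairs(events, a, b):
    return {(e[a], e[b]) for e in events}


def new_user_host(baseline, current):
    """Alert when a user logs on to a host the baseline never saw them on."""
    known = _pairs(baseline, "user", "host")
    seen = _pairs(current, "user", "host")
    return sorted(("new-host", u, h) for (u, h) in seen if (u, h) not in known)


def new_user_source(baseline, current):
    """Alert when a user logs on from a source address not in the baseline."""
    known = _pairs(baseline, "user", "src")
    seen = _pairs(current, "user", "src")
    return sorted(("new-src", u, s) for (u, s) in seen if (u, s) not in known)


def off_hours(baseline, current, slack=1):
    """Alert when a logon falls outside the user's baseline hour range (+/- slack)."""
    hours = {}
    for e in baseline:
        lo, hi = hours.get(e["user"], (24, -1))
        hours[e["user"]] = (min(lo, e["hour"]), max(hi, e["hour"]))
    alerts = set()
    for e in current:
        lo, hi = hours.get(e["user"], (24, -1))  # unknown user: every hour is off-hours
        if not (lo - slack <= e["hour"] <= hi + slack):
            alerts.add(("off-hours", e["user"], e["hour"]))
    return sorted(alerts)


def volume_spike(baseline, current, factor=3.0):
    """Alert when a user's logon count exceeds factor x their baseline daily mean."""
    days = len({e["day"] for e in baseline}) or 1
    per_user = Counter(e["user"] for e in baseline)
    alerts = []
    for user, n in Counter(e["user"] for e in current).items():
        mean = per_user[user] / days
        if n > factor * max(mean, 1.0):  # floor of 1/day so a quiet account can't spike on 2 events
            alerts.append(("volume", user, n))
    return sorted(alerts)


def run_blocks(blocks, baseline, current):
    """Snap the chosen blocks together and collect everything they report."""
    alerts = []
    for block in blocks:
        alerts.extend(block(baseline, current))
    return alerts


def _ev(day, user, host, src, hour):
    return {"day": day, "user": user, "host": host, "src": src, "hour": hour}


# Constructed baseline: three ordinary days of the same routine.
BASELINE = [_ev(d, *row) for d in range(1, 4) for row in (
    ("alice", "WS-01", "10.0.1.5", 9), ("alice", "WS-01", "10.0.1.5", 13),
    ("bob", "WS-02", "10.0.1.9", 8),
    ("svc_backup", "SRV-01", "10.0.2.20", 2),
)]
# Constructed window under review: two deviations hidden among normal logons.
TODAY = [_ev(4, *row) for row in (
    ("alice", "WS-01", "10.0.1.5", 9), ("alice", "WS-01", "10.0.1.5", 13),
    ("bob", "WS-02", "10.0.1.9", 8),
    ("bob", "SRV-01", "10.0.1.9", 23),                    # bob on a server, late at night
    *[("svc_backup", "SRV-01", "203.0.113.7", 2)] * 6,    # backup account from outside, six times
)]

if __name__ == "__main__":
    for alert in run_blocks([new_user_host, new_user_source, off_hours, volume_spike], BASELINE, TODAY):
        print(alert)
```

Each block is a few lines and has no dependency on the others, so a small team can adopt the one or two that fit its telemetry and add more as the baseline data improves.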

If this sounds interesting to you, let me know; there is lots of room for ideas and collaboration here.

Monday, August 26, 2013

Wheel locks - Theft deterrent or mostly annoying?

As I was trying to change a tire on my wife's SUV the other day, in the pouring rain, I realized something... those little wheel locks (the funny-shaped bit that's on one of the wheel lugs so you have to have the "key") are the quintessential example of a security idea that just doesn't pass real-world muster.

There I was, changing a tire, getting soaked, and now I was going to have to dig through my glove box, arm rest, and trunk compartment for that special key so I could get the damn wheel off. As I was cursing the people who put these things on the truck I tried to understand why they are put on cars anyway. Turns out, this is a security feature, right? To keep people from stealing wheels from nice cars (or sometimes not) these were meant as a deterrent to theft, and to frustrate the would-be wheel thief. There are just a few problems with this...
  • Wheel locks barely add any anti-theft "security" - primarily because thieves can get these things quite easily, you don't need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.
  • The inconvenience of losing one of these is immense - if you've ever lost one, or can't find one, you know what I'm talking about. As I was there on the side of the road, getting soaked and cursing up a storm I wondered where I could get one so the rest of my day wasn't spent calling dealers, and trying to get a ride to pick one of these up from a dealer that was less than 25 miles away. Very frustrating.
  • Wheel locks are expensive! - I'm not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I'm upset and feel like I'm getting hit when I'm already down. Again, very frustrating.
The lesson learned? Sometimes something that has a reasonable perceived security-value-to-inconvenience trade-off is completely wrong in the real world. This is perfectly in line with how I feel about having to change your password every 30 days, or those often insane-sounding complexity requirements for passwords (you know, 10 characters, 2 numbers but not in the beginning or end, and an upper-case letter, but no spaces or "special characters", and no repeats) ... come to think of it I'm starting to feel like passwords altogether are going this direction in general.

My plea to you security professionals out there, and those that are aspiring to lead enterprises into the future of security - please, please think about what you're asking not just developers but end-users to do and then weigh that carefully against the real risk-reduction benefit. Oftentimes if you're forced to do a failure-mode-analysis-like activity around your desired control you may find out that there are 100 ways this new thing can be heavily inconvenient to the end-user, while there are less than a handful of cases where it will benefit and reduce risk.

Love wheel locks? Hate 'em? Have a real-life story to share? Love to hear your input, frustrations, and snarky commentary. Hit me on Twitter (@Wh1t3Rabbit) and hashtag your tweets with #SecBiz ... let's learn from other seemingly great ideas!

Saturday, August 24, 2013

Bug Bounties are great but...

As is the case with the most recent bug on PayPal, one has to ask whether this was a bug found and diligently disclosed to PayPal only, or was it first used by the criminal element and then, when it was used up, disclosed to PayPal to receive the bounty?

I suppose PayPal could have the data somewhere to support either way, or maybe they don't?

I'm not arguing against bug bounties, I've been converted...but I have to wonder whether they are being abused...or maybe it doesn't matter as long as the vendor gets the heads up they likely wouldn't get otherwise? The money isn't massive sums; it's certainly arguable that it's cheaper than hiring many more security professionals on staff...and likely more effective, but... I'm still left wondering.

Bug bounties are great but, how much of a heads up are they giving companies? Do we even care for the small fees we pay out?


Thursday, August 22, 2013

The Startup with a Legacy Problem

I don't know about you readers, but I used to absolutely love the show House on FOX. I loved the character of Dr. House for many reasons - but primarily because he loved to solve puzzles others either gave up on, or saw as 'solved'. I feel a little like Dr. Greg House when I get to tackle a new puzzle, and a recent engagement gave me pause. I've never run into an organization that had all the complexities and challenges of a start-up company coupled with the pain of a legacy brick-and-mortar organization, so naturally I'm hooked.

Imagine a fictitious organization called the ACME Widget Company, which for the last 50 years has been a business unit within a global widget manufacturer - and last year became the result of a successful spin-off into their specific niche - the widget power unit. The power unit they developed was so good that other manufacturers started coming to them to power their widgets - so a spin-off was only natural because the new organization was going to be able to build its own market and generate revenue more readily if it wasn't part of the parent widget maker.

Over the past year the Widget Power Unit Company has been busy creating its own infrastructure, hiring entire new departments which never existed before (they were services provided by the parent until a year ago!) generating sales and manufacturing and shipping those power units all over the world. Business is good and now they're expanding globally to new markets, and scaling up their business.

Now I'm sitting around the table with Bill the CIO, Amy the "security manager", and a few other select people who run operations, architecture, and other critical components. Oh, one more thing is critical to think of here - the Widget Power Unit Company is nearly fully outsourced... each department within IT has a manager but behind them are small armies of contractors. Servers, desktops, networking, applications and other critical pieces including security operations (I use this term loosely here, bear with me) are all contractors. Making this matter even more complex, they're different outsourcing organizations. It's the usual list of IT outsourcing suspects, including a small, local boutique company. Ordinarily you'd take a hard look at this type of arrangement and question how this company gets anything done - but I assure you the arrangement, while not optimal, works.

Over the course of 2 days I had the opportunity to do in-depth discovery with all the leadership of the organization's Information Technology group. What struck me was hearing things like "We've never had to think about that before, that's always been provided by the mothership!" from Bill the CIO. This included things like risk management and legal functions!

As we were talking about strategy and trying to determine what his org structure would look like, services they would offer, and their insource/outsource strategy going forward it occurred to me just how difficult of a job Bill had ahead of him. This is a puzzle Dr. House would find worthy of his time, and I'm certainly thrilled to be engaged here.

The big challenge with this type of organizational profile is the presence of what we commonly refer to as legacy systems (systems and applications) that fall into the outdated bucket. Ordinarily start-ups don't face these issues since they're starting with a clean slate - but organizations that are spin-offs often face the worst of both worlds. They struggle with supporting outdated systems and applications which are vital to their mission, but at the same time are often strained to find the people necessary to keep these dinosaurs running.

  • People - Organizations that fit in this profile have a major issue. You're hiring people who can tend to the dinosaurs, while trying to hire people who can make sure you're technologically competitive and able to innovate in today's market. Now consider that you are a start-up and hiring is a priority but your pool of cash isn't endless. Good luck finding an employee that has the skills to maintain your COBOL systems, while trying to help your organization be cloud-ready. Now if you find one of these folks - good luck affording them.
  • Process - Business processes that were largely supported (at scale, as a shared service) by the parent company now have to be replicated, and you need to hopefully replicate ancient processes using modern technology - this is a lot more difficult than it sounds if you haven't tried it.
  • Technology - You may carry some of the legacy systems and platforms with you from your old situation into the new independent business - but you'll likely not have all the resources since you didn't manage them yourself. Things like machine management tech (HMI, ICS systems) may come with the plant or factory or office - but other things like that SAP platform you depend on or the materials ordering system probably will need to be developed ... and your workforce knows that old system not some new replacement you put in place. Choosing your technology is a delicate dance of death on a high-wire. You also have to get things to inter-operate. You will likely have some dinosaurs talking to some new systems that are just shedding their shrink-wrap.
The challenges are many. The purse is likely small.

This is no time for a weak stomach, or a desire to sleep, but it sounds like fun to me.

If you have survived this type of situation, and have any tips or advice - by all means - share it! On Twitter you can find me as @Wh1t3Rabbit, and if you want to discuss this post, or other similar security - business topics hit the hashtag #SecBiz.


Thursday, August 15, 2013

Unmasking th3 J35t3r ... or not

He goes by the Twitter handle th3j35t3r, and has taken the phrase "tango down!" from a military term to something that has come to mean that somewhere in cyberspace, a web server serving up hate or inciting Jihad is screaming. Sir J35t3r (or "J" as he is affectionately known to some) is loved, hated and even stalked (yep, seriously ... weirdo stalker alert!) - but above all he's respected.

So who is that masked man?

Some have guessed him a wounded warrior.
Some have guessed him a fraud.
Some have guessed him a CIA, NSA, FBI or other agency operative.
Some have guessed he's some kid in his mom's basement.
Maybe he's 5 penguins in a trenchcoat.

You know what, I don't think it really matters.

Many have tried to "dox" him, to dig deep and analyze his every word, move, geo-location and tweet to try and figure out his true identity. There have been some pretty interesting attempts, but you have to admit the guy could quite literally write the book on Operational Security (OpSec) - he's proving to be that good.

I'm going to go back to my previous statement - I don't really think it matters just who th3j35t3r is in real life - he's transcended the humanity of a human being and has become an idea many, many believe in.

Operationally, th3j35t3r does things that the US Government probably wants to do but doesn't want to get caught doing it...shutting down or temporarily disabling web sites that incite death and destruction across the globe isn't a clean business. Th3J35t3r has proven time and again that he's not afraid to get dirty, and break a few rules. When the organizations who should care are overwhelmed, under-resourced, and arguably over-matched we send in 007 with a jester hat.

So then who, or more importantly what is this @th3j35t3r?

He's me.
He's you.
He's everyone who gets sick to their stomach every time bureaucracy and red tape make it possible for good people to throw up their hands in defeat or stand idly by while bad people do bad things unchecked.

So I pose this ... you see people running around with those Guy Fawkes masks representing their movement ... maybe it's time for jester hats and jester masks? Maybe it's high time we acknowledge the idea behind the hacker.

Love him, or hate him - Th3J35t3r is more than a person ... he's an idea whose time I believe has come.

Wednesday, August 14, 2013

Orange is the New Green

Hey everyone ... this is cross-posted from my HP corporate blog. I'm going to be doing this a lot more now because it's easier to comment, share, and link here...

If you've been to the airport a few times over the last decade and your mind thinks in that slightly different way mine does you have undoubtedly noticed something curious. Right after the tragic events of September 11th, 2001 things got a little crazy at the airports. Over the next decade or so the hype and fear mongering didn't drop off as expected; instead, orange (alert level) became the standard for the next 10 years or so as best as I can remember. The problem with this is, of course, that when you constantly live in “heightened fear” that becomes the new normal and the baseline adjusts. When the baseline adjusts the general population adjusts to the new normal quickly, and that fear dissipates.

This was not the intended consequence, but it is human nature.

Consequently, this is also happening in the Information Security space…although it may be a good thing.

For the Information Security (or Cyber Security if you prefer) world, I would propose we've never been at condition green… it’s been all orange all the time but our ability to see that is just now maturing. I won’t try and argue that the threat has been as great in 1998 as it is now, but then again the level of technical capability and integration was significantly less. The threat to technology from the attacker has grown proportionally with the increase of technology in our daily lives. This shouldn't surprise anyone. More opportunity for the bad guys means more attacks, simple.

So what does this mean, for those of you working on defending your enterprise networks, systems, applications and critical intellectual property from the attackers and thieves? It means that orange is the new green… and we actually do live in what one executive has called a “post-breach” world.

Starting your day with the assumption that the enemy is likely among you already is not something most people, even hardened Information Security veterans, are comfortable with. That being said, this isn't a completely new concept and it shouldn't be that revolutionary. Except that it is. The problem is enterprises have collectively spent hundreds of millions of dollars (just a SWAG) on prevention and when that approach didn't work they spent even more. So now we’re at the same place we've been for a long time: condition orange. The enemy is inside the infrastructure, is watching us and waiting to strike when we’re not paying attention. They know what you're doing (probably better than you), and know how to exploit you.

How will you adjust?

This is a wake-up call. How will your organization adjust to the acknowledged state of heightened risk – permanently? This is not a drill.

I’m kicking off a series of posts on this topic that I’ll address over the next few weeks, with some thoughts on how to actually live in an era where orange is the new green, and we have to assume we've been breached.

Sunday, August 11, 2013

US cyber defense versus the world...and ourselves.

An interesting article caught my attention earlier tonight - written by @sedaye_man it shines a bit of a spotlight on a topic that's been discussed in think tanks and around executive board room tabletop exercises ...but it has meaning for a much broader audience. The article is entitled "Will the U.S. - Iran cyber conflict escalate?" and it does more than merely pose a question that has a fairly obvious answer ...

The aforementioned article calls to light a recent publication called "Iran: How a Third Tier Cyber Power Can Still Threaten the United States" from an organization called the Atlantic Council. Interestingly enough, without even having to read the publication or attend the event they hosted, if you've been paying attention to the 'cyber' aspect of our daily lives you can start to see how even a "tier 3" country like Iran can and may likely cause substantial damage - financial, political and maybe in terms of human lives - to a "tier 1" country like the United States.

I'd like to take a slightly different perspective here, as you all already know me for doing. I'd like to point out a painful fact that the United States government is causing a large portion of its own demise. Allow me to explain...

What do countries like Iran, Syria and perhaps even China have in common? Once you get past the rebellious faction of the population you quickly come to the nationalists. To an outside observer, countries like Syria, Iran and China are burrowing deep within the infrastructure of the United States, and other countries too, largely supported by their governments. These attacks are driven by nationalism to a degree - for example look at the Syrian Electronic Army (SEA) - and fueled by the brainwashed hate of western society and the US.

Now, by itself this would all appear to be standard operating procedure and something the United States will simply have to deal with. But judging by the global news - and this very well may be because countries like China, Iran and Syria have tight control on their news outlets - while the nationalists from these countries are fighting the United States, the United States is fighting not only them but internal battles as well with their own citizens. This I blame largely on the corruption inside the US which has reached a fever pitch. It's not like this kind of unrest didn't exist before - only now we have the Internet and connected systems which can potentially open a dam and flood a town mistakenly connected to the open Internet.

If you're in the business of protecting United States critical infrastructure, you have an interesting adversary model to build. On the inside threat you have groups like Anonymous (which by now we all know) and other hacktivists, and on the outside you have organizations like the Syrian Electronic Army and APT1. That is not an enviable position to be in.

One has to wonder whether the lack of a catastrophic incident involving a cyber aspect inside the United States is due to the tremendous skills of the defenders, the enemy biding their time, or simply incompetence and dumb luck... whatever the real cause this is not a good position for us to be in.

I can tell you this with reasonable certainty - adversary models would be a whole lot less complex if we didn't have an ever-expanding internal threat at a level equal to or greater than the external threat. Maybe it's time to rethink US internal and foreign policy ... and maybe that is the lesson of cyber?