Thursday, October 24, 2013

It's Not a Bug, It's a Feature - LinkedIn Intro Edition

Dear LinkedIn - please stop with Intro.

Sincerely, every security professional.

Let me sum up with what has just happened over at LinkedIn, in a very simple manner: features won over [common sense] security. Again.

In a world where companies feel ever-more pressured to "do the impossible" (seriously, marketing people, stop) features often win over common sense security. This is no exception. As this TechCrunch article clearly points out - what's going on is your mailbox is being MITM'd (Man-in-the-Middle). This means that sensitive content (see the Bishop Fox post) that you're exchanging between you and your email partner is being intercepted, changed, and re-packaged then re-sent to your device. Who does this sound like a good idea to? Honestly... think about it?

Seriously though, the very smart folks over at Bishop Fox already have a great piece on why Intro is a train wreck waiting to happen, so I won't re-hash what has already been said - but rather I have a few things to add:

  1. LinkedIn setting a dangerous precedent - As I said on Twitter, if this thing grows legs and attains any sort of momentum it's going to set a precedent that it's OK to launch more products like this, which clearly create security issues for your users and spit in the face of common sense. Yet another reason to discount those kooky security people, because LinkedIn understands security trust them, and because you absolutely need this new completely useless gadgetry for your inbox(es). There are already lots of examples of bad security practices being explained away as "it's a feature, not a bug", but this is perhaps the most blatant in recent memory.
  2. End users don't know better - The people who use your services see a shiny new gadget and blindly trust (although I can't explain why any more than I can explain why people text when they drive) that you're keeping their information and private communications safe. Your blog posts do not outline the many security problems which the Bishop Fox post points out plain as day, and instead focuses on the gimmicks. You're doing a disservice to your users... and I think you know it. When this is inevitably used to hack millions of mailboxes can we than call this willful negligence, because you know the risks full well, but your products folks chose to ignore them? (something to think about)
Where were the risk people?
Where was the privacy and legal team?
I think we know the answers to those two questions right? They probably weren't invited to the meetings, or per the usual their lamentations were simply ignored. I refuse to believe risk, privacy and legal professionals would approve of something like this at a company like LinkedIn.

Once again ... I was pretty sure there were some very smart security people over at LinkedIn. Is this just a prime example of 'agile product development' (aka product and marketing people running feral), or is this a legitimate product that the company stands behind? To me, this product announcement proves (once again) why security people feel so disillusioned... a sad state of affairs indeed, but endemic to our trade.

Feature gimmicks win over even the most common sense security, nearly every time. Take it as fact.
So now what?

Thursday, October 17, 2013

A Renaissance in the Manufacturing and Industrial Sectors

Having worked in an enterprise security capacity in the industrial and manufacturing sectors I'm one of the first to admit that those two sectors haven't exactly been on the bleeding edge of security innovation over the last decade. The good news, if recent events hold, is that the industrial and manufacturing sector appears to be going through somewhat of a renaissance. This is thoroughly exciting news for many of you who have been hearing stout opposition to your efforts.

After what appears to be decades of systematically ignoring security challenges, the recent climate of breaches seems to have shaken something loose. Purse strings have loosened. Boards have begun to ask security questions where they have never done so before. And most of all, I'm seeing several organizations formally hiring CISOs and giving them both accountability and control over the security future of the enterprise.

This makes me hopeful that change is in the air.

The problems with legacy drag

The latent risk that many CISOs at industrial and manufacturing sector companies are waking up to is potentially huge. Over the years they've accumulated large volumes of perfectly siloed equipment which was fully owned and managed by non-IT groups, and never connected to anything. As technology refresh cycles push forward many of these previously stand-alone components (think about a set of computers which is attached to a machine which takes a raw piece of material and produces a machine-milled part based on a digital drawing, CAD/CAM) are getting network cards and are being connected to other shop-floor types of components. The design workstation is being attached to the manufacturing station, to the quality control booth, and all tied together to the raw-material-management system. All over IP.

Also notice how I specifically pointed out that all these systems have not previously (and in some cases still are not) been available to the IT organization for management and maintenance. This obviously means that security likely didn't know they existed. Now they're being connected to the same flat, non-segmented, layer-2 network that the SAP and email systems are riding on. As these systems were previously managed by non-IT employees (in some cases it was an outside contractor) this translates to a lot of confusion and misunderstanding. Imagine taking one of these ICS systems, such as the assembly line control system, and handing it to someone in IT (and then enterprise security) to manage. The results have not been positive.

The other big challenge, as if we needed another, is that many of these systems easily qualify for the label of ultra-legacy. This means that they're greater than 15 years old and still functioning. In one example we've got a DOS-based application running off of a 1.44MB floppy disk on a 486/DX266 which manages the time cards of ~300 shop floor workers. This technology predates many of you reading this blog post, which means your immediate thought of "Why don't we just re-write this in Python?" is likely to break things in a way that will likely cause ripples through your supply chain and your bottom line.

Planning for the technology-driven future

As one of my favorite CIOs put it - "We need to get with it right now, while our competitors are still largely in the same position, because we are entering a time when industrial and manufacturing enterprises are no longer able to ignore their dependence on technology." This is so true.

As enterprises start to connect Widget A with ancient shop-floor Thing B we inevitably find that not only do those combinations create security issues, but the systems themselves are antiquated and unable to provide much in the way of options for a more secure implementation. This means that CIOs are conspiring with CISOs to modernize much of the shop floors, and overhaul large bits of technology. Of course, Rome wasn't built in a day and clearly this desire doesn't translate into action as easily as that would appear. Lots of road blocks, integration challenges, and risks to be assessed.

The good news is this is a topic for discussion, and folks like myself and others are being brought in to support these transformations. Again, this gives me a sense that the manufacturing and industrial sector is experiencing an industry-wide renaissance of sorts. An awakening to the needs of innovation requires kid gloves from my fellow security practitioners - as you well already know we get maybe one shot at this.

Looking the future in the eye

Step one of this entire renaissance is understanding what ring of legacy IT hell you're currently residing. This means spending a great deal of time reflecting inward and doing the equivalent of pulling at strings until yet another mystery unravels. I'm currently in the process with a few of these types of organizations of setting the guideposts for the next 12 months. There are a lot of hurdles to overcome and many engineers and line managers to win over with your charm. As I've already said, we will get one shot at this. The first time you crater a production-line system with a security patch because it needs to be applied for security reasons will likely be your last for a long while. Measure twice, then measure again and test before you make that cut.

The approach you'll be taking is one of assessment, transformation, optimization, management. Figure out where you are, make plans for making it better and execute to plan, slowly raise the bar over time and then make sure nothing falls through the long-term cracks. It's relatively simple on paper.

Your key trouble spots, from my observations so far, will be those legacy systems you've never gotten your paws on, your network, and your user base. In that order.

  • legacy systems - should be self-explanatory as these are the siloed and previously un-managed or under-managed systems which you suddenly have responsibility for securing since they now reside on your global, flat network
  • network - speaking of your network it may be high time to start thinking about segmenting and compartmentalizing... this is of course much easier said than done - got netflow?
  • user base - your users are likely not used to being 'managed' in any traditional sense, and while they've been running successfully with self-managed full admin capabilities, your meddling and trying to lock systems down and define user and admin profile will cause a stir
Those of you in the manufacturing and industrial sectors - remember all that complaining you did that your enterprises didn't find value in what you provided? You're about to get your chance to impress the business with your intimate knowledge of what it is your organization does, and how you should be supporting it going forward. You have a plan, right? 

Monday, October 7, 2013

Living in Glass Houses - #InfoSec Industry's Culture of Shaming

Edit (10/9/13 16:26 EDT)
Thanks to Steve Ragan for pointing out that the Internet never forgets ... in case you want to see a glimpse of the original post which has since been (quietly) removed, click here.

If you're anything like me and like to keep up on the industry, you've no doubt been overloaded with news on the apparently epic Adobe hack. As some of you may no doubt point out I'm no apologist for companies who fail to take security seriously, and I've made my share of pokes and jokes at Adobe's expense over the years. There is, however, a line I hold myself and others who wish to be known as professionals to. That line is personal hit-pieces where you're targeting a particular individual for the sins of the collective. This is commonly known as bulls***.

That being said, I took serious offense when I saw the original version of this post (I wish I had taken a screen capture, but it was quite distasteful) from Richi Jennings on Computerworld. When I read the original which basically sought to crucify Brad Arkin for Adobe being hacked I got upset. So upset that I took to Twitter and let Richi know it, and I can't say I was too polite either... After a few others laid into the author, the post was dramatically changed, the picture of Brad with the overlay "Fire Me" came down, and there was an apology. Of course, if you want to see the sorts of trolls that apparently read that column, look no further than the comments...yikes.

Anyway... let me get to the point.

There are some points I think we largely still miss as a security industry, judging by the interesting and colorful discussion about firing CISOs in the wake of a breach we had earlier in the day this post was written.

First, security is hard. Those who lament the failures of security professionals on the defensive from their offense armchairs (aka penetration testers) need to play defense for a while. You'll get an attitude adjustment, I promise. I came from a small company penetration tester mentality when I joined a massive global conglomerate back in early 2000's - and let me tell you that attitude adjustment was harsh. My "why can't you just fix this" was met with retort like "because we have budget to do one of two things - release the product and make the company money and keep our jobs, or hope to add security" over and over. I eventually learned the harsh lesson, luckily before I was relieved of duty.

Now, not apologizing for years of poor security practices in software products you sell to others to use, but Adobe has come a long way by my measures. They used to have Flash! bugs almost weekly - a torch which has been passed to Java. They also had poor practice in community interface, and other issues which no one really needs to hear over and over again. Brad Arkin's appointment to the Corporate CISO has made a tremendous improvement in that organization, and those who discount that simply don't know better...and if you don't know, stop talking.

Now back to security being hard. I can relate here. I've never been the CISO for a global conglomerate which has grown by acquisition as well as organically - but I did work for one. On that team which was responsible for global security but had very little mandate power - life was hard. When the company got breached we were in the firing line. When we worked tirelessly to do what we could with the few pennies we were given no one batted an eyelash. It's a thankless job trying to save the victim from drowning themselves - but that's what you sign up for when you go to work in #InfoSec in the corporate world. I get that. The last thing you need is some guy touting your employer relieving you of your job. Seriously?

Whether you're a Christian or not, there is a Bible verse which rings true in all our lives. John 8:7 says "..He that is without sin among you, let him first cast a stone.." Remember this my friends and colleagues, as you read the news and jump on the bashing-the-victim bandwagon. Some day very soon, if logic holds, your organization will be breached, hacked, sacked and shamed publicly by people just like you. You'll want to tell your peers in the industry just how hard you've worked to make even the smallest changes in culture, and how long it takes to change hearts and minds, attitudes, and budgets. But no one will listen and instead they'll be calling you names, laughing, and calling for your head. That's probably not the right thing to do, you think?

As the saying goes "People in glass houses shouldn't throw stones". We all have to live with issues that at any moment could expose us - whether it's in our personal or professional lives. There is no secure. So the next time you want to get your names in the publication talking about how stupid that one vendor is because they got hacked - ask yourself - what would you want your peers to say when it happens to you?