The Daily Incite - Blogs in the attic

Submitted by Mike Rothman on Mon, 2008-08-25 08:59.
Today's Daily Incite

August 25, 2008 - Volume 3, #72

Good Morning:
As most of you know, I've been seeing a lot of live music this summer. It's been great. Stone Temple Pilots was the latest on the list. It was kind of amazing to see the number of young people at the show. By young I mean college age (remember, I'm no spring chicken anymore). Weiland did a good job and the band sounded pretty good.
It's amazing what you find in the attic
But as I sat down to write this morning, I wanted to mix up the soundtrack a bit. I've been focused on listening to the bands that I'm going to see (so I can remember their songs), but I just had a yen for some Billy Joel this AM. So I busted out "Songs in the Attic." What a classic!

And then I went to check out my bookmarks and realized that there were some great posts that I didn't get around to discussing when they first showed up.

So today I'm going to hit some of the "blog posts in the attic." I'll hit a couple of posts (including a bunch from Richard Bejtlich) that I should have gotten to in the first place. Hopefully you'll still hit a few links and check out the full pieces. They are worth it (or I wouldn't waste time covering them now).

Then it's back to the grind. Lots of client work to get through this week and no travel to distract me.

Have a great day. 

Photo: "a light in the attic" originally uploaded by kevtori



Blog Posts in the attic

The Tao way to think about the DNS exploit
Bejtlich looks at the DNS exploit from the perspective of "time and relative data." The idea is that the bad guys have the time to complete the picture, even from relatively scant data. This was clearly the case in the DNS situation. Once Dan intimated there was a cat in the bag, lots of people on both sides of the law went about figuring out what kind of feline was trapped in the burlap. We make the assumption that Halvar's speculation and Matasano's confirmation were the first examples of this. But in reality, those were only the first that most of us heard about. We can't assume that our adversaries don't already have the exploit. Which is why I'm such a big fan (and card-carrying member of the Network Security Monitoring religion) of testing our defenses as often as practical. I don't like to assume the bad guys don't have the attack. The DNS issue is just the latest example of why this approach is important. And Richard even worked a Dr. Who reference in there, which is always good.
http://taosecurity.blogspot.com/2008/07/dns-and-cyber-tardis-problem.html

Do we really want to know about that insider?
#2 on today's Bejtlich hit parade is Richard questioning whether we really want to find those insiders. He uses an example of counterintelligence services not really wanting to find spies because it doesn't make anyone look good. The unfortunate truth is that many folks bury information because they think it will make them look bad. They turn their head at behavior they know is wrong and hope it will go away. Hope is not a strategy and the issues don't go away. They just fester until they blow up. And there is a lot more collateral damage in an explosion. One of the hallmarks that I stress in the Pragmatic CSO is that "it is what it is." Burying the issue won't help. Avoiding the question doesn't help either. Deal with the situation, quickly and candidly. I guarantee you will look worse if the truth comes out and it's not from you. Richard suggests a central group that is in charge of identifying security breaches. Kind of like an IAB (internal affairs bureau) for your organization. If you are really big, these folks are usually called Audit, but we know that's kind of a joke at times as well. Basically, there are lots of potential remedies, but at the end of the day, it depends on PEOPLE. If you and your people do the right thing, this isn't an issue. That's the challenge we all face every day.
http://taosecurity.blogspot.com/2008/07/counterintelligence-worse-than-security.html

Buckle up, it's going to be bumpy
Dino talks a bit about the history of security in this great post. Basically his theory is that we are dealing with the hangover from our promiscuous connectivity in the 90's and our focus on exploits over the past few years. It's an interesting idea, but the most compelling aspect of the discussion is the fact that most progress happens in rough evolutionary advances that most people cannot predict. Life is not linear, by any stretch of the imagination. Neither is progress. So we have a lot of status quo, and then our world view is turned upside down, and then it settles down. Then repeat. So what does that mean? I have no idea what it means. If I could predict things, I wouldn't be writing a security newsletter. Yet we can prepare for the inevitability of a truly disruptive attack or defense by being able to REACT FASTER, by focusing on how you'll contain the damage, and ultimately by doing the right things every day to not get caught flat-footed. You still will be (caught flat-footed), but at least you'll sort of be ready. A lot of the Pragmatic CSO is done within the context that you don't know what's around the next corner and trying to figure it out is kind of futile (for the most part). And smarter folks than me continue to assemble stories that validate this view on security.
http://blog.trailofbits.com/2008/07/24/evolution-is-punctuated-equilibria/

Wherefore art thou, quantification?
Shrdlu goes down an interesting path in this post trying to figure out to what degree the risk of any situation can be quantified. I've been an outspoken critic of trying to truly model "risk" in any meaningful way, not because I don't think it would be useful, but more because the number of assumptions that need to be layered on top of other assumptions, which are then sent through someone's subjective filter about the true "risk" of any situation, makes me skeptical. Shrdlu makes a number of these points, which really get down to the fact that RISK IS IN THE EYE OF THE BEHOLDER. And the amount you are willing to spend to reduce, eliminate or transfer that risk is going to be different than the next guy's. This is one of my frustrations with trying to gather objective metrics on security operations as well. The business relevance (after all, what other kind of relevance is there?) is really not something that is going to be consistent between organizations. Not by a long shot. Ultimately it gets down to this: "What matters is the building blocks your executive wants to use to make his risk decisions, and whether they're dollar figures, colors, or Venn diagrams, you'll need to make an effort to supply them." Well said.
http://layer8.itsecuritygeek.com/layer8/quant-love

Failure happens
Being an entrepreneur at heart, failure is not a big problem for me. In fact, I've been failing at one thing or another for most of my adult life. But that doesn't stop me. In fact, it drives me harder because I know that is the process and the way things work. If I'm not doing some stuff wrong or finding things that don't work, then I'm not pushing beyond my comfort zone and I'm not getting better. There is a ridiculous stigma attached to "failing" in our society, and it's too bad. Part of my family is very risk-averse. Change is hard for them. They actually think I'm an alien, which I get great enjoyment from. I don't think the green suit and bug eyes help, but the thing that makes failure acceptable to me is that I'm pretty confident I won't make the same mistake(s) again. I spend some time analyzing what worked and what didn't. Whether you are talking about a failed business, product line or even a security incident, the POST-MORTEM is one of your most important tools. Fool me once, shame on you. Fool me twice, shame on me. The post-mortem makes sure this doesn't happen. Check out this post about how one guy's start-up went down and what he learned. It's fascinating and stuff we probably know already. But seeing it reminds us. And reading this post is a lot cheaper than doing it yourself, no?
http://www.alleyinsider.com/2008/7/monitor110-a-post-mortem