The Daily Incite - July 22, 2008
July 22, 2008 - Volume 3, #63
Good Morning:
The first day back from vacation is always fun. Even though I did a
decent job of keeping up with the news (so my RSS reader wasn't
overflowing), there were a lot of details, follow-ups, deliverables,
and the like that needed to be addressed once back in the saddle. There
always are, and that makes the first couple of days back pretty intense.

Yes, it's just like whack-a-mole. No matter how many of those little
critters you whack, there is always another one ready to poke his ugly
little head up at you, demanding more attention. Of course, one way to
handle the situation is to think about all the things on your list, and
all the things that aren't getting done.
I track my daily commitments on a 2x2 piece of scrap paper. I figure if
I can't fit it on that little paper, then it probably won't get done
anyway. Though on days like yesterday, I forget how small I can
write.
So I ended the day with about 75% of the list not finished. It's a
pretty crappy feeling, but it's not worth getting crazy about. More
will get done today and everything will be done by tomorrow. I ended
vacation relaxed, but ready to get back to business. Why let some
internally generated angst take me right back into the muck?
When I had a real job, I used to see that all the time. Folks would go
on holiday. It would take them 3 days to unwind from all their angst.
Three days before they came back they'd start worrying about
what wasn't getting done and have more angst. If their vacation was only
a week, they'd have a sum total of one day of relaxation. They'd return
from vacation totally stressed out because they were away for a week
and all this crap piled up.
That used to be me. But not anymore.
You wonder why folks are dropping dead from stress in their 40s and
50s? I don't. It's this 24/7 totally connected "lifestyle." Just as
trees don't grow to the sky, you cannot continue to improve
productivity 10% every year, year after year after year. Yet, that's
what seems to be expected in today's business environment. It's not
rational, it's not sustainable, and it's making most of us miserable.
Chew on that. Have a great, stress-free, satisfying day. I dare you!
Photo: "whack", originally uploaded by simplerich
Top Security News
You dirty rat(proxy)
So what? -
This is kind of old, but still important. The folks at Google have made their internal
web application assessment tool - called ratproxy - freely available.
It's not the tool that is interesting, but it gives me yet another
opportunity to reinforce the need to be constantly testing your stuff
(networks, systems, web apps, etc.) from the bad guy's view. No one
tool is totally comprehensive, so you need to use many tools. No one
person is totally comprehensive either, so you need to use many people
- some internal, some external. Of course, this is gated by the value
of the information accessible via the web app. Obviously you don't pay
a bunch of money to test applications that don't house private data -
UNLESS that application would provide a path to the vault. That's why
segmentation (physical, logical, otherwise) is so important. Even the
least important app can kill you if it provides a path to some
important data. So application architecture and operational
provisioning continue to be important, and not only when you first roll
out the application. It makes sense to revisit the entire application
ecosystem every so often (maybe quarterly) just to make sure the
architecture and segmentation plan still make sense.
How clouds will rain on your parade
So what? -
Before everyone unplugs their existing data centers and moves
everything to the cloud, I guess we should think about the security
implications of that. It would be a first (to actually think about
security before doing something), but there is a first for everything.
The good news is that the big G is thinking about such issues, which
they can do with 25 analysts covering little, old security. This NetworkWorld summary points out
some of the issues to be concerned with. Fact is, these are things we
need to worry about in any kind of computing environment. You know,
things like privileged user access and compliance. There are some
unique aspects to worry about relative to cloud computing, but it's not
anything we haven't seen before. And that's a key idea in this
cloud-based, web 2.0 reality we all seem to be rushing headlong into.
None of this stuff is turning security on its ear. 90% of it is doing
the stuff we should already be doing right. Of course, if you aren't
doing that stuff right, then it's another issue.
We've got to count something, no?
So what? -
One of the things that hit right before I left for holiday was the
Mogull's initiative with Mozilla to institute a model to track risk
within Firefox over time. I get the need for this type of
initiative, especially given the fact that bug counting in browser code
is irrelevant to the true security of the application. The most
important aspect of the initiative is that Mozilla is going to be
tracking these numbers over time, and presumably (though I shouldn't
assume anything) use that trend analysis to pinpoint issues in their
development process. Of course, we really shouldn't confuse counting
aspects of the dev process (like the time to route an issue to the
appropriate developer) with the risk presented by that bug. Maybe this
will positively impact Mozilla's dev process, maybe it won't.
Ultimately I don't think it matters. This is about marketing against
an entrenched competitor who has done a good job of equating security
with bug counting (in the minds of most customers anyway). When it's
hard to win, change the rules. And that's what Mozilla is attempting to
do.
The Laundry List
- Switching is switching is switching. At least that's what Brocade hopes will happen when they drop $3 BILLION on Foundry. Big is the new small, even in the networking space (which would include storage networking). - Brocade release
- He's baaaack. Jim Bidzos takes over at VRSN, while they search for yet another CEO. Sure he knows the company, but Bidzos has never run a $50 million company, certainly not a billion dollar one. - VeriSign release
- Heads I win, tails you lose. Check Point goes high end with their appliance and further competes with their appliance customers (who license CHKP software to run on their boxes). They should have done this years ago. - Check Point release
- Patent litigators, start your engines. McAfee loses IPS case to DeepNines for $18 million. Sure they'll appeal, but Sourcefire and TippingPoint and probably all the UTM folks should be expecting their lawsuits. I guess when you can't compete in the market, it makes sense to compete in the courtroom. - Barron's blog
Top Blog Postings
DNS hole: $10,000. Seeing Thomas with his hat in his hand: Priceless
You know it right when it happens. You don't just have a pit in your
stomach, it feels like you ate a watermelon whole. And you
know because you totally screwed up. I've been there, and I don't envy
Matasano's Thomas, who is there right now. Of course, I'm referring to
the fiasco with Dan Kaminsky's DNS flaw. Dan truly did the unbelievable
in getting a whole lot of vendors to coordinate patches and start to
fix the issue. It was very impressive. But without details, the
loudmouths in the security research community called the issue
"marketing" and figured it was hype for Dan's Black Hat speech. So the hyper-connected Mogull gets the smart Matasanos on the line to verify that
it's a big issue. Of course, based on the law of
unintended consequences, Halvar's generic speculation led
to a domino effect of Matasano inadvertently spilling the beans, for
which Thomas had to make a public and gut-wrenching apology. The moral
of the story: you can't
have your cake and eat it too. Dan played with fire in
terms of pre-announcing the DNS flaw when the patches were released, and
that created the environment where someone was going to figure it out.
Security by obscurity works, but only if you are truly obscure and thus
not a target. Dan put a big target on the DNS flaw by talking about it,
and this is what happens.
http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/
Tiger team or pen test? Does it matter?
pdp goes through some gyrations in this post to draw differences
between a "tiger team" and a pen test. I guess Wikipedia (which is
always right) has determined the terms to be synonymous; pdp disagrees.
Personally, I'm not a big fan of getting caught up in vernacular. Both
terms indicate you are going to Hack Yourself, which I think is a great
thing. How much quality, pricing and time frame you can afford is up to
you and your organization, culture, value of protected data, etc.
Though it is much cooler to say "I'm part of a Tiger Team" rather than
"I'm a penetration tester." Though in some sections of LA I figure
anything having to do with penetration is highly sought after,
especially if it comes with video skills. Kidding aside, I don't care
what you call it, but you need to be familiar with tiger teams, pen
tests, and anything else that will help you understand how you can be
compromised. Remember that surprise is the enemy of the security professional.
http://www.gnucitizen.org/blog/tiger-team-operations-vs-penetration-tests/
Crystal ball, Mogull-style
Another series that bears mentioning is Rich's attempt to project
where application and data security are going. The first post really sets the stage
by going over a bunch of assumptions. Are the assumptions accurate? Who
knows? That's the problem with assumptions. If they aren't right, then
everything else you say is crap. Thankfully Rich waters things down to
a few statements (like bad guys are focused on web apps, and code is
generally insecure), which I'd say are fact. Yet it's the second post
that really gets interesting. Basically it's Rich's short manifesto on
why monitoring is the only way to address the issue. He adds a bit of
protection to that (making the acronym ADMP - application and database
monitoring and protection), but that's more because some folks will
actually try to block stuff, and they should (for the most obvious
issues). Rich also goes through a potential use case that I think has
some legs in building a somewhat isolated, application-specific
experience that will wall off the computing from everything else on the
device. For banking applications (most likely high-value banking), this
approach makes a lot of sense. Philosophically, there are abstractions
we can take from these ideas. I'm all about the monitoring because (as
I've probably said about a million times) we don't know what tomorrow
will bring us. But we do know if it causes some unexpected behavior,
traffic patterns, transactions, etc. If you aren't collecting data
from all aspects of the system (from browser to database, as Rich
says), then you can't really get the big picture. Of course, it's still
very hard to collect and make sense of all this data, but it's our best
near-term hope for addressing the gaping hole that is web
applications. Longer term, we have to change the game and secure the
data directly, but that is a LONG way off.
http://securosis.com/2008/06/27/the-future-of-application-and-database-security-part-2-browser-to-wafgateway/