March 11, 2009 - Volume 4, #24

Application Security is Journey, Not a Destination

Good Morning:
Long time readers of my ramblings can remember the seemingly zillions of times I've mentioned the importance of application security. Not only are your applications the path of least resistance for the bad guys, we also suffer from a distinct lack of visibility in terms of what's actually happening within the application.

Limited visibility is quite a problem, since a big part of my security philosophy revolves around REACT FASTER, which is basically understanding what's happening in your environment and knowing quickly when something is funky (like an attack or compromise). Well, it's hard to do that when we don't really have any instrumentation in the application to tell us.

So, for a change, we security folks are flying blind. Right, that doesn't end well.

The answer for application security is two-fold. There is a somewhat tactical path, which involves a penetration test to figure out what is obviously broken. This is the "fingers in the dam" approach because odds are there will be a number of problems that can't be fixed and every time you change the application, you introduce more issues. 

Another tactical measure is something like a web application firewall (WAF). Of course, the hyperbole of WAF vendor hyperbole would lead you to believe a WAF will block today's attacks and tomorrows and is really a strategic answer. Let's be clear - it's not. Not because a WAF isn't important, especially for common attacks like SQL*Injection, which can ruin your day. But there are always logic flaws in your applications and it seems the bad guys have a real knack for finding them.

So what's the strategic answer? You've got to build security into the application. FROM DAY ONE. That's right, as I referred to yesterday, this is mostly a process problem and a people issue. Technology is kind of besides the point. But how? I talk to very few folks that don't want to build secure software. They just don't know how, and they can't really quantify the impact of doing so.

But that is gradually changing. A few friends of mine (Brian Chess of Fortify, Gary McGraw and Sammy Migues of Cigital) have published a guide called the BSI-MM (Build Security In - Maturity Model) that's actually based upon (are you sitting?) the actual experiences of some large companies that have been doing this strategically for a while. Companies you may have heard of like Microsoft, Adobe, EMC and Google.

The concepts are presented within a "maturity model" for software security, which indicates the kinds of processes used to build code and make sure it's not a steaming pile of FAIL. There are twelve practices, each broken down into multiple steps. And this isn't going to happen overnight. In fact, the entire thing may not happen ever in its entirety. But the document gives you the perspective to understand how the process can work.

Like any other methodology, you have to figure out what parts are applicable for your organization, both technically and politically. Application security is a collaborative process and requires significant buy-in and sponsorship from an executive with enough mojo to push the agenda and enforce the impact of the process changes. Doing this right requires organization commitment, reorganization and incentives to encourage the right behavior. These are hard pills to swallow for many organizations, which is why software security is such a mess.

Personally, I have high hopes for this research. Most organizations remain skeptical and reticent about implementing a secure software process because they don't really understand the benefits, nor the long term impact of shipping secure code. By following these organizations over time and benchmarking their results, it can give evangelists and big thinkers some data to prove the value of building security in.

And we all know that the only thing that really shuts up a skeptic is data.

Have a great day.

Photo credits: “365/25” originally uploaded by teachingsagittarian 

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

March 10, 2009 - Volume 4, #23

Good Morning:
For all the toys, gadgets and gizmos we've gotten for the kids, it's usually the simple mundane and classic stuff that they really gravitate to. For example, we have a room full of assorted toys, games and the like. The kid's stuff used to be all over the house, but we've made a concerted effort to contain it to one or two rooms as they've gotten older. So what do they play with?

Crayons. That's right, good old fashioned Crayolas. We've been tightening the belt a bit at Chez Incite, so when the Boss brought home a little carousel with a couple hundred crayons in it and a bunch of 11 x 17 coloring books, I was a bit steamed. Sure it wasn't a lot of money, but the kids have a bunch of stuff they don't play with - why buy them more?

The fact is, I had a point. We are very careful, but I still get the feeling that my kids are spoiled and don't appreciate how good they have it. They want for nothing. If they need it, they get it. Even if they don't need it, a lot of the time they get it. And don't get me started on controlling the grandparents, who believe they have a license to spoil.

But after a weekend with the new crayons and coloring books, I have to admit that the Boss made a good purchase. My boy especially loves to color. The focus and intensity he brings to the task is amazing. He painstakingly colors every square millimeter on these 11x17 pictures. It doesn't hurt that the coloring books are from Star Wars and the Incredibles (two of his favorite movies). He can sit and color for hours at a time.

Photo: "Crayon Fence" originally uploaded by laffy4k
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

Incite 4 U

1. #3 on the jobs you don't want to have list... - Clearly that would be Federal Cybersecurity czar. Probably right behind athletic cup tester and right in front of grease trap cleaner. Thanks to Adrian, who posted a quick update over the weekend, Beckstrom resigned after about a year on the job. It seems the NSA got in the way of almost everything he tried to do. Byron Acohido does a great interview with Beckstrom here as well on his new-ish blog. The take-aways here? The idea of coming up with a coordinated Federal cybersecurity process is pretty much a non-starter. These folks are professional beaurocrats and you think they are going to let some entrepreneurial soul get in the way of their 3 hour lunches? So we'll continue to get "guidance" from NIST and each agency will continue to blaze their own trail. Which given the scope of the US Government and the different requirements of the different agencies may not be an entirely bad thing. As opposed to trying to coordinate everything, maybe it's time to decentralize a bit and then give FISMA (or something like it) more teeth.
2. Technology is only the third stool - It's been said security is about people, process and technology. Though we in the industry seem to continue searching for magic bullets, potions or anything else that will give us a leg up on the bad guys. Yet, that mentality hasn't worked for the past 10 years and it's not going to work moving forward. Neil MacDonald over at Gartner makes that point on his blog, talking specifically about application security. He's right. Tools can help, but fundamentally it's a process and a people issue. And until we figure that out as an industry, things aren't going to get much better. I'll have more to say on that tomorrow.
3. PCI + Virtualization = ??? - Clearly given the drive towards virtualizing everything, there is a big hole in the PCI-DSS regarding what you can and can't do relative to virtualization. So the PCI Standards Council spun up a virtualization working group to figure it out. This is a good move, but the proof is always in the pudding. Will they put some real controls in place? Or will it just be more of the same? Of course, a bunch of vendors are praying they do a 6.6 redux and mandate a virtualization security widget. That's not likely, but these folks can hope, no? And more importantly, when will they force adoption of these guidelines? Virtualization is happening today and I suspect many organizations aren't doing it in the most "secure" fashion, whatever that means. Which will entail a retro-fit of the infrastructure. Retailers and banks don't like retro-fitting much of anything, especially in a global recession. So we'll see what kind of tight rope Russo & Co will walk on this one.
4. Cisco jumps on the email security SaaS bandwagon - I guess when you are Cisco, you don't need to be on the cutting edge. At least when it comes to mature markets and technology. About 3 years after everyone else, Cisco's IronPort group finally announces a hybrid offering encompassing appliances and services for email security. To be clear, most of the time trying to sell both appliances and services is a recipe for failure. Some companies do boxes well and some do services well. Not many do both well. But that's neither here nor there, the point is that customers will choose the right deployment model for their operational requirements. And the vendors need to figure out how to do both well, but only if they want to address the entire market.
5. Dumping on the CAG - Standards are tough, especially when there are no teeth there. It seems the industry has looked at the CAG (Consensus Audit Guidelines) and decided consensus sucks. That's because it usually does. Dan Philpott at the Guerrilla CISO blog talks a bit about why the CAG has become the Hindenburg of security guidance. But to be clear, anyone trying to develop the Rosetta Stone for security is going to have similar problems. I think everybody acknowledges that FISMA needs to be improved, and give some credit to the folks behind CAG (Gilligan and Paller) for getting some discussion going. But ultimately publishing a white paper and a set of slides doesn't not accountability make. Without teeth, a standard is pretty much useless.

March 4, 2009 - Volume 4, #22

What the F is with Visa?

Good Morning:
Sometimes I just sit in my office and scratch my head. It's rare that I'm speechless (very rare, just ask the Boss), but when I came across this article in NetworkWorld on Visa's latest perspective on the "new" data breach, I was pretty much paralyzed. Yesterday, SC Magazine covered it as well.

In a nutshell, Visa is either being run by lawyers or the Three Stooges. It's not clear to me which one, though I'd have to side with the lawyers at first glance.

In a classic Clintonian "it depends on what the definition of is is" moment, it turns out Visa's statement on the "new" breach didn't indicate it was actually new. And now they are saying it wasn't new. Maybe customers were compromised. Or maybe they weren't. Holy crap I'm confused.

Which is the real problem. First of all, it's clear that consumers credit card data has been compromised. Maybe it was a new breach, maybe it wasn't. But clearly there was a successful (very successful, dare I say) attack vector and we still don't know anything about it. Instead we have word games and obfuscation from the lawyers that have to approve any messages that go to either customers or the media.

With all due respect to my Dad and all the other lawyers I call friends (most of the time), I hate lawyers. You see, this gets back to the disclosure issue. These attacks are happening, RIGHT NOW. These attacks are being successful. Financial institutions and retailers are sitting under a two ton anvil called the recession (some would even say depression).

These folks need to optimize their resources and make sure their defenses are in place against new and innovative attack vectors. Instead, you have their lawyers trying to decipher what Visa and Mastercard's lawyers are saying or not saying. All the while the attackers continue to have their way with pretty much anyone and everyone (PCI compliant or not).

I know I'm asking a lot, but to hear the truth would be nice. It's all fine and dandy that Visa is now "risk scoring" each transaction to look for fraud (didn't they do that anyway? If not what the hell do I pay my 2% per transaction for?). But they are still reacting to the attacks, not helping to address them.

Makes me want to do my best Moe imitation and give an eye poke to Larry (Visa) and a head slap to Curly (MasterCard).

Have a great day.

Photo credits: “Three Stooges” originally uploaded by NYCArthur 

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

March 2, 2009 - Volume 4, #21

Good Morning:
When I was a kid, I used to love snow days. What could be better than not going to school. As I grew up (well, to the degree that a guy like me grows up) and had kids, then I really started to appreciate the pain of the snow day. First of all, it snowed. So there is always some type of clean up involved in that. Some love the snow, but me - not so much. I don't ski, so there is little attraction to it.

Today they canceled school in Fulton County, GA. If you ask me, the roads were fine, though there were some icy patches and it was still cold enough this AM that the ice hadn't melted yet. So I can kind of understand. But it caused a number of complications for the Boss.

First of all, we have to make sure we have coverage for the kids all day. Thankfully the twins pre-school was still open, so that eliminated a big problem. But we still had one to deal with, and it meant rescheduling a bunch of things and basically being adaptable.

Of course, we got through it, with a minimum of pain. Next year when the twins are in public school the one (or two) days a year when school is canceled with present a much bigger challenge. Yet it got me thinking about what I can learn from the snow day. Here a couple of thoughts:

1. Adapting - It usually gets down to being able to adapt at the last minute. I was in town, so I could bring the twins to school and Jodi was able to make some plans at the last minute to keep our oldest occupied. Every day it seems we have to adapt to different things, especially in the security business. So this should be second nature. Note that I said "should" because it's amazing how many people get bent out of shape when they have to diverge from their Gantt chart and GTD task list.
   
2. Re-prioritizing - eIQ's office in MA is closed today. It's stupid to expect people to drive through a foot of snow to make an appearance. But that means some activities that need collaboration or depend on something in the office aren't going to get done. So what do you do with the time you have? What can you get done in a remote context? This is kind of related to adapting, but all the same you always need to have a list of things that can get done in the airport (given a delay) or at home (given a problem getting to the office). Maybe it's a good day to work through all that crap piled in your inbox.
   
3. Communicate - One of the things most challenging for folks not used to working remotely is to keep other people in the loop about activities, especially when you aren't in viewing range. Many managers will just assume if you are home, you aren't doing anything. Yes, it's stupid - but it's reality. So pound them with email. Every hour or so, even if you don't have anything to say. At least they'll know you are at your machine doing something.

You can also probably skip the workout at the gym, since I hear that snow can be pretty heavy. Though it's been about 5 years since I've had to use my shovel. And I'm perfectly OK with that.

Have a great day.

Photo: "Portland loves snow days" originally uploaded by ArielAmanda
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

Incite 4 U

Given today is a snow day, I figured I'd work through some of my older links that I haven't had a chance to get to. I've pretty much depleted my backlog, so I figure the rest of the week I'll do some stand-alone rants and then maybe an incite on Thursday or Friday. Enjoy.

1. Yes, we still need to build it in - OK, so this post from Gunnar was from this AM. He makes too good a point to put on the shelf for a week. It's really just another reminder about how important it is to strategically build security into the application layer. Throwing other technologies to try to overcome software security issues hasn't worked. Not well enough anyway. I'm still a fan of layered defenses, but given today's attack vectors, breaking the application seems to provide a get of out jail free card against all the other controls we have in place. So it gets back to doing what we all know needs to be done.
   
2. It can happen to you - A couple of months back I talked about my eBay account getting compromised. It wasn't because I was proud or happy about it, the point is that it can (and probably will) happen to you. My hope is that my issues would be a reminder to do the right thing. The same applies to a recent David Berlind column, where he talks about his Facebook password being compromised by a phishing scheme. If you aren't constantly checking URLs and always aware, it can happen to you too. David was able to patch things up quickly, change the passwords at risk and not suffer any damage (let's hear it for the incident response plan), but this should remind all of us that it can happen and likely will happen - so be ready.
   
3. Avoiding your SQL fix - I'm at a party on Saturday night, and I see a friend who happens to work for a company that recently suffered a pretty high profile data breach. Of course, we start talking about the breach and it was clear the initial compromise was via a SQL injection type of attack. So I explained to this non-technical guy about how an attacker can "inject" a web application with SQL commands and gain access to the database. He was amazed. I soiled my pants because these web attacks have become mainstream. Big J does a great job of going through the issues with SQL Injection and more importantly how to holistically defend against the attack. It's a lot of hard work and won't happen overnight, but unless we start thinking about web app security more strategically, I may be discussion your data breach at a party happening soon.
   
4. Speaking of IR plans - The illustrious Cutaway has a great post up about an incident response plan. It was all spurred by that "oh crap" moment when one of your fail-safes trips and alerts to you a successful attack. Don's first point is that you must NOT PANIC. That's absolutely true. And there is a lot of other great stuff in there about making sure you are prepared. I certainly have spoken about this topic ad nauseum throughout the years, but to me it never gets old. Why? Because as long as I keep stumbling across folks that are surprised by successful attacks and have no idea how to respond, it means the work is not done. And clearly the work is not done.
   
5. How do you measure success again? - Measuring success for a security person is probably the hardest thing we have to do. I've long though we spend a lot of time quantify stupid things because it's too hard to quantify the right stuff. Mark Davidson is blogging now, so check out his piece on the topic. It's pretty high level and not overly enlightening, but makes the right points. Right now we are somewhat constrained to things like vulnerability management data and SIEM types of information. That's a starting point, and can certainly present some interesting operational data, but it's not going to yield the information you need to make a case to the senior team. For that you need to get a lot more Pragmatic...
   
6. King Gillette would be proud - That's right, he's the guy that figured out the handle isn't that interesting, it's the ability to sell blades. It seems Check Point is looking at the same model with their "software blade architecture," which aims to provide a lot more flexibility in how security capabilities are deployed. Ah, sounds a bit like what Crossbeam has been talking about for years, but in software as opposed to hardware. It's also a bit interesting to try to paint a UTM platform as "innovative," since for years customers haven't cared about the underlying plumbing, just that they can solve their problems at a reasonable price. But I guess if you spend a bunch of money overhauling your technology, you need to at least send out a press release.
   

February 27, 2009 - Volume 4, #20

Good Morning:
Although the NFL season has been over (for all intents and purposes) for a month, I feel more connected to what's going on this year than I have before. Why? NFL blogs. Both ESPN and NFL.com have some great blogs that keep you connected with everything that is happening. Whether it's the combine or even free agency, football junkies can stay on top of what's going on with an RSS reader and minimal effort.

Ah free agency. That annual time of year when smart money usually stays on the sidelines and stupid money parties like it's 1999. Even this year, when money is tight everywhere (even Commissioner Goodell took a 20% pay cut - down to like $7 million a year, ouch) there will be some high profile signings. And we can look forward to the coming years when there will be those same high profile flame-outs, but they will have a few more Bentleys courtesy of NFL stupid money.

That got me thinking to how to apply a free agent mentality to our industry. The reality is there are folks with a unique skill set or a set of accomplishments that will always be valued. And headhunters are kind of the "agents" of security folks, except they work for the "owners." So basically you need to act as your own agent and find out which of the owners needs to bolster their defensive line.

That's right, even though the economy is crap and most security professionals are keeping their heads down, now is a good time to start networking and seeing what's out there. No, I didn't spike my coffee this morning. I'm serious. Smart companies are always looking to UPGRADE their talent. That's right, even though there is a low likelihood there is something open - that also takes the pressure off from any meetings you'd have.

So maybe it's time to test the free agent market. Who knows, maybe you'll be the next Albert Haynesworth.  

Have a great weekend.

Photo: "Michelle Yeoh: He was the highest bidder" originally uploaded by chrisjohnbeckett
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

Incite 4 U

I'm sure you know some folks that never make a mistake. The kinds that no matter what happens, it's someone else's problem. They are perfect and everyone else sucks. Sound familiar? Well it seems that guy is now the PCI Security Standards Council. Their leadership is not willing to accept any responsibility or intimate that their wonderful 12 requirements may, in fact, not be perfect.


I had a rip roaring rant all lined up in my mind and then I saw Rich become totally unglued about it. Rich correctly intimates: "With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact." 'nuf said.

1. It's all about inertia. - So the earnings season for security/network related companies is in full swing. We had strong earnings from McAfee a week ago and now we see SourceFire, Blue Coat and Guidance holding their own. Why are some companies doing well and others (like Trend Micro) not so much. I tend to think there are three thoughts here. The first is companies with a large exposure to Federal business is certainly going to do OK, since the Feds continue to spend money on cyber-defense. Second, are companies that have huge inertia, meaning large customer bases and big maintenance streams. It's easier to just renew the maintenance on pretty much anything when expenses are being scrutinized, so that's got to be part of it. Finally, a lot of security companies really executed poorly over the past few years, and a few got new management in place that is sucking a bit less. And there you have it.
2. Data must drive decisions - Security metrics is truly quicksand. We all want it, yet we can't really agree on what needs to be there. I know folks like CIS are driving progress in the area (which is great), but we still have a long ways to go. This month's Fortune Cookie from Intel's Matthew Rosenquist resonated with me. "A worthless metric is one which fails to drive decisions, even when the metric result radically changes." That's exactly right. Now the data we need to gather and analyze can be for two audiences. Us and them. We need operational data that helps "us" prioritize what needs to be done. We also need higher level, business centric data to substantiate value to "them," you know - the guys writing the checks.
3. A whole lotta ROSI - It shouldn't be a surprise, but I'm still no fan of trying to pain security within any kind of ROI context. Grumpy Pete and I have had battle royales over this in the past and now Fratto is weighing in. He uses Ed Moyle's thinking about saving money (as providing ROI) through increased efficiency and then brings up a great point. "What is never talked about is where that savings comes from." That's exactly right. And his conclusion is also right: "Efficiency is a side effect, not a goal." I ranted a while back about the challenges of using efficiency to justify expenses now, given that most staffs are already cut to the bone (it was my Selling Fear post). Whether it's fear or value, selling something other than efficiency is probably your best path in these times.
4. The price tag of PCI - Found a set of interesting numbers (from Gartner I think) on the PCI DSS Compliance blog. Level 1's report spending almost $3 million on PCI. Level 2's do $1.1 big. Those are big numbers and they are going up, but we don't get a feel for percentages, and that would be most interesting. How much of a companies security budget/spend is being consumed on PCI or any other reg? I suspect it's a lot, although a lot of the stuff for PCI can be used for security ops and other regulations. The point is to figure out how to get some of these leveraged projects paid for and it seems PCI is still a good place for that. Even though you know Russo will point the finger at you, at least he's helping you pay for stuff.
5. Shut up and drive. - One of the tactics that can be particularly useful to folks trying to gain credibility internally is to start up a security steering committee. This would get involvement from all sorts of folks within the organization that can make your life miserable if they aren't on your team. There is a good piece on SearchSecurity about how University of Washington is using the steering committee to get things done. I'm always looking for good, leveraged ways to get face time and ensure the senior team is on board with the program and the tactics. So this sound like a great idea to me. I'm kind of pissed I didn't think about it. There is always P-CSO 2.0.

February 25, 2009 - Volume 4, #19

Good Morning:
It's tough to find the balance. Like most of you, I struggle daily with how to spend my time. Of course, there are day job responsibilities that have to get done, but also lots of things to do around the house and I also continue to indulge my habit of writing these missives a couple of times a week.

I need to send my buddy Shimmy a big shout out today. For the last two days (yesterday, today), he's done his own version of the "Incite" and truth be told, he's doing a great job. That just goes back to the reality that what I do certainly isn't unique, nor is the way I do it. And by the way, Alan was kind enough to send me a nice email yesterday morning to make sure I wasn't steamed that he's co-opted the format.

Personally I couldn't be happier. I'm also very flattered. I read all the trade press and it's pretty dry and mostly crap. So the idea of summarizing the things that are important makes a lot of sense and then having an audience to wax poetic and spout whatever crap comes into my brain that day is fantastic. I would be very selfish, but also delusional and arrogant if I tried to "own" the format.

In today's world, content wants to be free and it's very easy to "borrow" business models. So I default back to the idea that I don't need to own everything anymore. I don't need to win if it means everyone else has to lose. This isn't a zero sum game, so there should be plenty of room for other loudmouths to share their opinions in short snippets every day.

Which brings my back to the concept of balance. Every day we all have to make choices about what we will do and what we won't do. How we'll spend the 24 hours ahead of us and what compromises that will require. The way things are going now, I'll likely only be able to do a Daily Incite type of piece once or twice a week. I find the format is somewhat restrictive to going into more detail on a topic, which is the other one or two pieces a week.

I couldn't be happier that guys like Shimmy are willing to join the conversation and adopt the format. Anything that adds value to the community at large is OK by me. It's taken me a long time, but I finally figured out that if it's good for all of you, then in the long run it'll be good for me. Now back to the tight rope.  

Have a great day.

Photo: "this guy is walking on a flaming rope" originally uploaded by noopzilla
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

Incite 4 U

Unfortunately I wasn't able to trek up to DC to attend Black Hat DC this year. The reason I like going to these kinds of shows is really to remind me about what is there and how although the tactics have changed, the general philosophy of what we need to do really doesn't. Richard Bejtlich really sums that up nicely in his Black Hat wrap-up. His words are much better than mine.

Man, that is well said and really sums up the REACT FASTER doctrine. And it still works, though with the ability of the bad guys to cover their tracks and hide their malicious code, it's getting harder. What fun would it be if it was easy, right?

1. The only guarantee is that you'll fail - Hoff (who is looking for a new gig) gets it exactly right on this one. I knew there was a significant brain drain out of IBM/ISS, but it seems there is no one left over there with any sense of security history. That's obviously not true, but to put out a statement that they "guarantee" cloud security is just asinine. Unless they've figured out how to get rid of all the people that have access to the data in the cloud, they can't make statements like that. But the good news is that the Internet never forgets, and as soon as there is an issue, there will be tons of folks digging up this quote and shoving IBM's face in the hot pile of steaming you know what. I can't wait... 
   
2. Kicking the competition in the nuts - Alan hit on BigFix's 50% sale in one of his "Incites" and was generally positive on the concept. I've got mixed feelings. First of all, companies compete on price when they can't compete on capabilities or value. That's usually true, but in this kind of environment, inertia is very very strong. So customers aren't going to do much of anything besides write their maintenance checks. But if you reduce their maintenance pricing by 50% that could play very well with folks trying to figure out how to do more with less. It's very aggressive, and I like aggressive. It also allows BigFix to tell the story about how patch management is only like 10% of what they claim to do. All in all, this is good marketing. Now we'll see how the competitors respond.
   
3. You probably can't do this at home - Great story on Dark Reading about how HD Moore dealt with a DDoS attack on his Metasploit sites. The good news is that you probably aren't HD, so the odds you'll be specifically targets as often as he is are small. But in the event you are (hey HD!) or are a similarly high profile target, keep in mind that you can't solve these problems on your own. You need the help of fellow researchers to quickly pinpoint the origin of the attacks and likely the authorities to try to shut down the botnet command and control apparatus. Also keep in mind that you don't really "win" a DDoS fight, you try to get to a point where you can limp away. 
   
4. Time for more marshmallows, the fire sales continue - Two more deals over the past week that I'd term as "fire sales." The first is Mirage being acquired by TrustWave. Lots of folks continue to wonder if NAC will ever become a real business and my stand has been pretty consistent on that. It's a feature and the question is not if, it's when the independent NAC folks are taken out of the mix. Next it's Nortel starting to divest assets as part of their bankruptcy activities and it seems RadWare is taking on the Alteon web balancing product line. After a couple of years at Nortel, you wonder if there is anything but a customer list and some hardware inventory left within the Alteon group.
   
5. Virtualization security moving to the fore? Uh huh... - Sometimes you read something that just makes you laugh. I need to thank Neil Roiter for my comic relief a few days ago when I found his recent piece, "Virtualization security moves to the fore in 2009." HA! I guess there wasn't a lot to write about last week. Yes, virtualization will remain hot this year due to it's ability to make data centers more efficient. And lots of researchers will continue to try to break the virtualization layer to figure out where the issues are. I also expect the vendors to continue flapping their lips about how they are making virtualization more secure. What I don't expect to happen is for customers to give a crap in 2009. Unless one of the researchers is very successful that is.
   

February 20, 2009 - Volume 4, #18

I M HIPAA: Hear me roar!!!

Good Morning:
Through the years, I've been pretty vocal about the fact that HIPAA has become a joke. A toothless tiger, if you will. I literally had discussions with healthcare security folks who's organizations made the decision to risk the limited HIPAA fines, rather than put the proper security controls in place to meet the spirit of the legislation.

The good news is that I wasn't the only one jumping on HIPAA. The Office of the Inspector General (OIG) got about two knuckles deep into the eyes of HHS (Dept of Health and Human Services) calling them out about the lack of enforcement relative to HIPAA.

Evidently the folks at HHS were listening and what they needed was a nice, costly public execution to prove to folks that they mean business. It looks like they got one, fining CVS $2 million for privacy violations in 2006. It seems that some of the pharmacists would just toss bottles with labels on them containing names and details of the medications. Obviously that's a no-no.

Even better is that CVS addressed the problems back in 2006 and they still got tagged with a big fine. OK, not big for a multi-billion dollar operation like CVS, but big enough to get the attention of lots of other organizations that probably have had similar transgressions.

And it gets even better, check out this quote from the SearchSecurity article:

That is just outstanding, especially the part about allowing State AGs to bring civil actions against individuals. Lord knows an Attorney General never met a law suit (especially if it shows how his/her citizens have been wronged) they didn't like, especially when it comes with lots of PR coverage.

So what does that mean for us practitioners? Basically, if you are in the healthcare business, your HIPAA vacation is over. I suspect there will be a number of other public executions to show that the new HHS regime means business, especially with the explicit direction from the Obama administration to push forward with electronic medical records.

It's time to revisit the training procedures relative to making sure your employees understand how to handle private data. It also probably makes sense to look at that DLP technology (even if it's poor man's DLP built into email and web security gateways) and possibly NetFlow analysis/data to see if there are strange network flows indicating information leakage. If you've been trying to get a project funded, this kind of data point will be pretty useful (remember about Selling Fear?).

Finally get ready for the HIPAA FUD bonanza coming from the vendors. All 800 vendors left will be frantically figuring out how to renew their pitch around HIPAA compliance for the healthcare space. Once again, the regulatory Gods are shining their warm lights down on the information security business.

Have a great weekend.

Photo credits: “Tiger face portrait in a square” originally uploaded by GavinBell 

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

February 18, 2009 - Volume 4, #17

Good Morning:
Sometimes you read stuff and are both horrifyingly shocked and strangely impressed. The news of the ATM attack last November caused some shock waves early this month, when it was first announced. But in reading James Heary's analysis of the event, my blood ran cold. This folks is the future of crime. It's kind of a "clicks and mortar" approach to crime.

Just to revisit the situation, it seems that a global group of criminals compromised the systems of RBS Worldpay and were able to issue 100 payroll cards. These are not credit cards (and thus not subject to the fraud analysis that most credit card transactions would), but rather debit-like cards. So the attackers distribute these 100 "cards" to 49 cities around the world. Every time the money ran out on the card, they would go back into the system and refill it. In the span of 30 minutes are able to get $9 million out of ATM machines That's a pretty good take for 30 minutes of actual "work."

Why was this attack so successful? It seems the bad guys (assuming they are guys) did a couple of things very right.

1. Know the system - The criminals knew that payroll cards have much less scrutiny than a credit card transaction or so it seems. How else could $9 million be pulled from 100 cards in 30 minutes. They also knew that by compromising the issuer's systems, they could refill the cards when the money ran out.
   
2. In and out, no one gets hurt - The magic here wasn't just that the criminals got it done, it's that they stopped after 30 minutes. Given the number of intertwined systems used for the fraud, it was a safe bet that no one would put the pieces together fast enough to stop the attack. But if they tried to do it over 2 or 3 hours, the chances they'd be discovered and law enforcement would be mobilized grew dramatically. These guys got out before they got caught - uncharacteristic behavior from criminals.
   
3. Leverage - Obviously a small group of thieves couldn't pull $9 million out of ATM machines in an hour. So they built an organization (or leveraged an existing one) to magnify the impact of their efforts. The more hands in a scheme, the more likely someone will talk - but the reality is this attack happened so fast and with cards that were not able to be traced, the risk was greatly diminished. And you can assume the folks on the street had no idea what the scheme was to restrict information to those that needed to know it.
   
4. Coordination - Can you imagine the project plan that was needed to coordinate the logistics and pull this off? This is not a band of misfits ripping off the local 7-11 or Circle K. These folks are smart, structured, and brutally effective.

Finally there are a couple of lessons here for all of us paid to protect information.

1. Do not underestimate our adversaries. This is the first and most important lesson. The folks trying to steal our stuff are good and they are getting better. If they see soft spots, they will take advantage of them.
   
2. Question every business process. Clearly these payroll cards are a great convenience to the companies that use them. But every new process has it's risks and it's downsides. We need to make sure we ask lots of questions about fraud vectors PRIOR to the system being rolled out. Yes, I know that is somewhat Utopian (and more than a bit naive), but it's important. It all gets down to credibility (read the P-CSO if you need to learn more about that). It's a little late to be asking about the security of the transaction system after the bad guys have made off with $9 big ones.
   
3. If it smells bad, it probably is. One of the hallmarks of my approach to security is to react faster. Now that applies to everything, not just security and system activity. I find it hard to believe that a $9 million disbursement from ATM machines in a 30 minute period was "normal." We need to look for the anomalies and there is a likelihood that the ATM usage was not normal and could have been flagged.
   
4. Sometimes the bad guys win. Yep, the reality is in this case, there may not have been anything RBS could have done to stop the attack as it's happening. This is not the movies and the good guys don't always win. You can only hope that measures are being taken to make sure this same attack doesn't happen again.

And that brings up my final point, which is about discussion and disclosure. Word is traveling around the grapevine that another credit card processor has been compromised (like Heartland). You have to wonder if Heartland came clean right away and discussed exactly how the attack happened and why it was successful, whether other processors could have taken preventative measures to ensure the same attack vector wouldn't work twice.

Of course, this line of thinking is even more naive than anything else. First of all, there is no way a processor (or anyone else for that matter) can come clean. The Tort vultures will sue them into oblivion if they accept blame and discuss their shortcomings. Secondly, there is a stigma to being the folks that got nailed, so the inclination is to bury the information. But we lose a very important learning experience. Thirdly, the "powers that be" don't want anyone talking because that can impact an "ongoing investigation."

I can see all of these points, but I still think we are making it too easy for the attackers to find a new scheme and replicate it over and over and over again. By sharing a little information, we can stop a lot of fraud. But the system is stacked against this kind of disclosure, so it won't happen - which is too bad.

Have a great day.

Photo credits: “Crime Done Wrong” originally uploaded by 0x0000org 

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

February 17, 2009 - Volume 4, #16

Good Morning:
Sometimes it's easier to just give in. That's right, as much as I huff and puff most of the time, there are some fights that I'm not going to win and therefore I shouldn't fight. Last year, I railed about Valentine's Day (pretty funny if I do say so myself) and the holiday still doesn't make much sense to me.

But it makes perfect sense to all those chickadees out there. So this year, I finally gave in. I bought the Boss flowers. A dozen tulips and no joke, she was smiling from ear to ear. So it works. Buy some flowers, Boss smiles and gives me some more rope to hang myself. Which I will manage to do within a few days, so I'll take it.

But now I have a quandary. Do I go back to my default behavior and opt for the nice card next year? Or do I get the flowers and see them wilt and die right before my eyes? And I don't want to hear "both" from any of your wise guys out there. Life is about choices and to do both would be playing right into the hands of both the floral industry, and the card makers.

One I can handle. Both will make me nuts.

If I had to guess, I think I'll opt for the card next year. I am a decent writer and a couple of times a year I can come up with some sentimental prose to describe how I feel about my beloved. Flowers just don't do that. Not in my world anyway. And flowers die.

Since I'm so big on managing expectations, if I do flowers again next year, there is a high likelihood that the Boss will expect flowers every year. We can't set those expectations, now can we?

So I'll likely just go back to flowers every couple of years to keep her on her toes. Oh, she does read the TDI as well, so I also could be engaging in some disinformation. That's been known to happen...

Have a great day.

Photo: "dead flowers" originally uploaded by sindesign
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

Incite 4 U

I guess there is no recession for overpriced encryption algorithms. After Jim Bidzos rode in on his white horse trying to save Certicom from a dreaded RIMM job, it seems the Blackberry folks just had to have it, and they were willing to pay $106 MM for it. That's right, over $100 million for Certicom. Unbelievable. I thought $60MM was way too much. Maybe that's why I do what I do, and they do what they do. In any case, the Certicom shareholders should erect a statue of their CEO somewhere. He deserves it.

1. Yes Scarlett, budgets are coming down - Finally an IT budget survey that seems to reflect the reality of a tight economy. SearchCIO-Midmarket talked to their mid-market readers and it seems that 30% are cutting budgets and another 30% are keeping them level. Turns out 40%+ of larger enterprises are cutting budgets as well. Personally, that doesn't seem enough to me. I suspect a lot of folks still have happy ears about the projects they want to push through in 2009. Let's see what the CFO has to say about that. 
   
2. Little Red gets it done - That's right, McAfee keeps on going, like the Energizer bunny. 22% growth on the top line. Of course, some of that is due to acquired technology (like SafeBoot and Reconnex - yes, that's a joke), but it's also clear that MFE is executing well in the field. In North America anyway, which I guess is why they hired a new head of EMEA this past quarter. Will it continue? They are predicting modest growth in Q1, so I guess things are all roses. The new regime in Big Yella-land has it's work cut out for it.
   
3. Can't unplug? Watch outbound connections - I joke during speaking engagements that the only way to ensure data won't be stolen is to unplug a device from the network, which is true. Yes, that's clearly not practical. So what to do? Rich brings up the age old concept of managing outbound connections. Clearly data needs to be exfiltrated to be useful to an attacker (though the exfiltration could be via USB thumb drive or iPod) and that usually involves some kind of outbound connection. If you are looking for anomalous outbound connections, then you should see the data be stolen. He has some ideas about using firewalls and web security gateways to scrutinize the traffic. I added my two cents in the comments and also mentioned that monitoring NetFlow is another way to track outbound connections. However you do it, it's a pretty good idea. 
   
4. 4 years later, a FISMA update - That's right. The fine folks at NIST are finally revisiting FISMA for the first time since 2005. Awesome. Just in time. Comments on this draft(pdf) are due March 27. There is good news and bad news about this. The good news is that some agencies have moved well beyond what is mandated by FISMA anyway. The bad news is that most haven't and a bunch can't even get old FISMA right. What makes us think they'll get it right now, as the bar is moved even further away to deal with the new attacks and be more in line with industry frameworks like ISO 27001/2. Anyhow, that's kind of indicative of the world right? Some go beyond the standard and most don't. Why would the Feds be any different?
   
5. Protect those passwords (in your web apps) - The folks at Veracode are tired of passwords being pilfered time after time from leaky web sites. So they are kindly providing some pointers to make sure your passwords are stored securely. You know, simple things like no storing them in the clear. No kidding. Things like one-way hashes and salts actually work. But I'm sure there are many millions of sites out there that still screw this up. They also address issues like doing password reset correctly and the like. Remember, these guys can break your stuff, so you probably should listen when they are trying to help.
   
6. 4 points about security metrics - It's true, we've all been waiting for a set of security metrics we can work with, and it's been slow in coming. I believe the Center for Internet Security will be publishing their cut at security metrics in the near future. They've been at it for over a year, so hopefully consensus is near. Grumpy Pete weighs in here about getting a bit more strategic relative to metrics, and defines 4 points that need to be factored into any metrics discussion. The first are transactions, then we have value, controls is next and finally incidents are last. OK, it's hard to argue that most things that we count can be abstracted to have components of all four. But I'm still a bit at a loss, since this seems more like a hierarchy to build a security architecture, not necessarily count what is going on. Hopefully Pete will flesh things out more (a lot more).