security elephants aren’t endangered

If you read nothing else each week as far as infosec blogs go, always check out the weekly Incite at Securosis and the weekly reviews at Infosec Events. Yeah, it’s kinda cheating since both branch out and point elsewhere, but at least it’s not nearly as static a list of links as any of our RSS feeds end up being.

Over on the Incite, I particularly like a piece by Rich Mogull which I’ll blatantly steal and repost here because, well, it’s truth (emphasis is mine):

…But if you want to quickly learn a key lesson, check out these highlights from the investigation report – thanks to Ira Victor and the SANS forensics blog. No logging. Flat network. Unpatched Internet-facing systems. Total security fundamentals FAIL. …Keep in mind this was a security infrastructure company. You know, the folks who are supposed to be providing a measure of trust on the Internet, and helping others secure themselves. Talk about making most of the mistakes in the book! And BTW – as I’ve said before I know for a fact other security companies have been breached in recent years and failed to disclose. How’s that for boosting consumer confidence? – RM

I’ve recently been talking about elephants sitting in our infosec rooms. There are a lot of them. The first bit I bolded above is one of them, and I really feel that very few organizations get the fundamentals even started, let alone tight (that’s as much a statement of economic reality as a criticism). Still, DigiNotar’s state is pretty egregious.*

But Rich’s point drives home: DigiNotar is a friggin’ security industry company (maybe they forgot that, maybe that should be their mission statement). Yes, utter fail. (Now, back to who audited them in the face of such fail, or who lied to the auditors?)

The second bolded statement is also something I have to reluctantly agree with: reported incidents are just the tip of the iceberg. And we’re not talking solely about executive decisions to hush up events for fear of public humiliation, but also middle management and even techies staying quiet about things. I absolutely am not surprised whenever I hear at the bar the inevitable tales from auditors and security folks about incidents that are hushed up or poor security that is hidden with smoke and mirrors.

From the top down, this is classic negative conditioning: you get slapped for action X, so you either stop doing action X or try to hide it. If you try to stop it, but it costs money that you get slapped for…

* As a bonus discussion, Richard Bejtlich has been talking a lot recently about threat-centric security vs. vulnerability-centric security. DigiNotar is clearly an entity that needs to apply threat-centric principles (who are your threats, and what do they want that you have?). But can you do that when you’re not even doing the fundamental vuln-centric stuff?**

** For those who’ve played StarCraft II, I could use an analogy for you. Perhaps threat-centric security would work, but I feel like it is definitely a sort of “all in” approach you have to take in order to be effective. There’s no doing some things threat-centric and some things vuln-centric. You’ll just spread your resources too thin and not be good at either side. Sort of similar to multiplayer SC2. You could build a few of every unit, but you’re going to get trounced; you really want to focus all of your efforts on one strategy, and adapt/change only as a reaction to what your opponent is doing. <-- There's seriously a big blog post comparison waiting to happen there.