Amrit posted a really nice piece about what drives spending on security. I agree with his three reasons: an incident, a requirement/law, and insecurity is impacting availability. I think I’ve known and accepted this for some time, with caveats. One thing to notice in these three reasons: rather objective, firm reasons that you can measure; binary, black or white, on or off. I think many organizations drive security spending in exactly that fashion; even some that won’t admit it to themselves.

However, if Amrit is correct, then there should be many companies that do not even follow best practices like using passwords, at least not until they suffer an incident. I can’t quite buy that.

I don’t buy this because the reasons he gives that are not reasons that drive IT security spending do in fact drive security spending in some places. Some people do believe in security ROI and enablement, some companies do try to be proactive, others do afford their security curmedgeons a high level of credibility enough to drive spending based on their risk assessments.

For instance, some people do buy alarms for their house, not because they’ve had an incident, are required to, or because it helps availability. It’s because of their personal, subjective risk assessment to prevent something bad from happening. They understand the potential incidents that may occur, and make a value judgement based on their comfort level, their environment, their assets, and their available funds.

But, if I were to make expectations on security spending, Amrit’s reasons are the ones I would book on. There are plenty of organizations whose security spending is entirely based on those three reasons.

It has gotten to be a very busy couple months and only promises to get busier (coworker just resigned, death in the family, etc). Nonethless, I’ve decided to move forward with getting hooked up with the Offensive Security 101 training offered by the good people behind the BackTrack project. Either that or I wait until it’s convenient to me, but I doubt that will ever happen; never does! My start date may be April 6th, or later if I’m slow on the payment.

If anyone has any experience with the course, feel free to drop me a line. I don’t expect a huge sweeping ton of things, but I do expect to learn more about BackTrack and security assessing using it (I off and on use BT both from livecd and a laptop I’ve installed it to). I fully approve of videos and self-paced training, and look forward to that practical at the end. If this goes well, I’ll likely go ahead with the next course in this series as well, BackTrack to the Max.

CanSecWest is over and that also means the Pwn 2 Own contest is over. I did a quick faux-prediction a few weeks ago thinking the kill order would be Ubuntu, OSX, Vista. I’m a little surprised that Ubuntu survived unscathed even through the last day. I’m not surprised OSX or Vista were owned, particularly through applications (Safari in OSX and Flash in Vista). I think this means Ubuntu just isn’t important enough to pwn yet, though I’m surprised by that since I figured many researchers to be Linux-friendly. Perhaps more are on Macs and Windows than the secuirty clubs would like to admit. 🙂

A fun contest, although I’d hesitate entirely to trumpet the results to back any sort of “xxx OS is more secure” arguments. The real benefit is increasing interest in doing these sorts of things on the good side of the fence before the bad side of the fence does them. It also appears to get Apple to patch their crap… Besides, this is fun for our community, and we really need more fun and back-papping in the field.

Speaking of predictions, I’m kicking myself a bit for not getting into any NCAA Tournament pools this year, having picked 5 of the elite 8, all final fours, and am still confident in UNC over UCLA in the final. Of course, not a ton of broken brackets this year, so I expect lots of people would have been up there with me. I’ve been very busy lately and didn’t research much before the games, so opted not to ante up to anything this year.

Need a tap on the cheap? I found a blog post detailing making a cheap passive tap using some wiring plugs. Makes sense! The post didn’t mention it, but, while there are 8 wires in an ethernet cable, 4 of them are not used. If the cable is built to standard, the brown and blue pairs are not used. The oranges take care of traffic in one direction, and the greens take care of the traffic in the other direction.

This is easy enough that it really should be added to the list of tasks all security neophytes should complete.

A link was recently posted to the DailyDave mail list with the simple subject, “the typical security guy I interview.” The link went to a Craiglist resume post which I found quite amusing. I’ll repost it below, in case the original ever goes down. This is not my work!

I chat all day long on the underground hacker chats including _SILC_ AND _IRCS_ ones, not just public IRC servers. Therefore I KNOW ALL THE HACKERS. When it comes 2 the streets of the internet underground I have my ear 2 the ground.
i never use a spell checker, and i send terribly formatted work emails often with numbers used for letters and words.
I’m basically extremely lazy and I scope projects that take 4 hours of real work time for about 1-2 weeks since thats how long it takes to bring myself to work on whatever stupid project I’m assigned. I’ve been mudding against recently, I have to get the good eq. drops.

I work marginally well on teams. I dont have a problem with authority, I just dont view them as being authoritative. I am late to work constantly, but not _THAT_ late. I need at least $105k a year. I consistently order the most expensive drinks I possibly can get away with when the company card is down. I will even order drinks to then just pour out into the toilet or onto the carpet just to make the company tab higher.

I can program a variety of languages including but not limited to C, C++, a number of assembly languages, PERL, BASH, TCL and SPIN.

I cannot currently program ERLANG, SCHEME, PYTHON or RUBY but if required (which is highly likely if you think your company is a cool, hip and intelligent one), I can learn any of these languages in 2 days with fluent programmign ability with 2 weeks, as any real programmer can do with any language.

I’m an excellent programmer but many aspies (people with aspergers) can out-program me.

I have microcontroller and embeded systems programming and hardware experience including fabrication and circuit design, although I am by no means an expert in this.

I have a very useful formal college education in mathematics from a top tier university I dropped out of, and therefore I can solve many problems very logically with many extra mental tools. I am by no means a mathematics genius.

I have 10+ years in professional (PAID) computer security experience but the security industry is completely retarded now. So I don’t want to secure your web apps, _AT ALL_.

Wired has a Bruce Schneier essay posted that dives “Inside the Twisted Mind of the Security Professional.” Mostly, he talks about having a security mindset.

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don’t stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

“Reality is that which, when you stop believing in it, doesn’t go away.” -Philip K. Dick

More than a couple hospital workers have been fired or punished for accessing private information on singer Britney Spears at the UCLA Medical Center. This brings up two quick points.

First, considering how many people checked out the information, I’d have to say access controls are pretty lenient. I think I’d be safe in saying that if this many people accessed her records even though they had no need to know, it indicates this has been done before…maybe up to a point where some didn’t think this was a bad thing. That hot girl in bed 312? Let’s check her records out! Lenient controls may help everyone do their jobs, granted. But at least it sounds like they had good auditing to track the accessing.

Second, give your management a new test, something that can be called the “Celebrity” test. Assume you have some huge profile celebrity using your services. How many of your own authorized employees would let curiosity pull them to access information about the celebrity? Or perhaps a hot new movie you have access to. Or hot new game. Or important information that could lead to recommendations to trade or not trade for your parent’s stock portfolio. And so on. Assume that instead of the normal run-of-the-mill corporate data you have, replace it with something very enticing to normal employees. Do your controls rely on people beating the curiosity beast? Or at least being able to audit those breakdowns? Good employees who’ve resisted accessing data 34,212 times previously may think differently in the Celebrity test, “Just this one time…” Guess which makes the presses?

Sure, that may over-value the data you really do have, but it is a good exercise to mentally test your own controls and security posture. Besides…do you know for sure that tomorrow won’t see Britney Spears as a new customer of yours?

A quick InfoWorld article on the traits of a good CISO. The tagline says some of these traits are surprising (or that maybe deep technical knowledge being lower is surprising), but I’m personally not surprised by this at all. I think the technical knowledge is related to making informed decisions, knowing what information is needed to make informed decisions, and in being a good mentor. Other traits are a good moral compass and the ability to take the blame. I really like the mention of taking blame, since it is so hard to admit being wrong or just taking the blame for someone else. We’re not trained that way as kids with school and report cards and everything else. We’re questioned by adults (parents) until we make up some excuse or blame someone else.

Oops, that turned into a ramble.

Marcin last night linked me this image of “an activity diagram to describe the resolution of HTTP response status codes, given various headers.” I wanted to save this flowchart, so this post is me saving it!

I normally don’t follow Bruce Schneier because I figure the good posts he makes will get linked by the sites I do read. Yet again I’m right, as I got pointed over to Bruce’s latest by a post from Rothman. Bruce is talking about buying security suites vs best-of-breed and tons of other little pokes and prods. I know not everyone gets what the big deal about Bruce is, but you have to admit he has a lot of good thoughts.

…and we continually fool ourselves into believing whatever we don’t have is better than what we have at the time.

I’m a firm believer in this cyclical pattern coming up quite often in human experience. In IT, it is like having centralized mainframes, then decentralized microcomputers, and now pushing back to centralized iron. By the time we get entrenched in web services, we’ll be wanting the next thing (or going back to fat apps).

Honestly, no one wants to buy IT security. People want to buy whatever they want — connectivity, a Web presence, email, networked applications, whatever — and they want it to be secure. That they’re forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

I think I do agree with what Bruce is saying here. The problem is we, as an IT industry, cannot keep up with the pace of technological change right now. By the time we get people experienced and trained to make secure decisions about a technology, we either get new software versions, new hardware with a new OS, new needs by our stakeholders, new solutions from our developers, or entirely new technologies. An analogy to the car world would be like driving a new car every week. Sometimes the lights stay on when you shut it off, sometimes the stereo buttons are on the left, sometimes you don’t get teloscopic tilt, and that’s not even getting into how you learn the feel of the shifting on manuals and how it handles on the road in varying conditions. The questions come down to: Can you drive it safely? Can you drive it well? Two very different approaches.

It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they’re selling.

The problem? Security is not something you can achieve completely. This means your vendor *will* fail. What happens then? Do you sue them? Do they recover your losses? The problem with moving security anywhere but outside the company is the difficulty in also moving the responsibility and blame for insecurity. Risk management is the way to go, but it still seems business doesn’t handle that very well as a whole. Either it works always, or it doesn’t work and we’re moving on.

Rothman tackles this another way which I fully agree with.

It’s true that customers don’t really care about security, but I can tell you they absolutely HATE their carrier or cable company. The idea that they would trust them to provide security in the cloud is a joke.

You’re damned right. Carriers are large beasts, and they completely suck at delivering services. They can deliver a product (pipe of size X or solution B) but once you get away from their small portfolio of slightly specialized products, they suck. I’d never trust my home provider or any of the providers we use at work for my security. And I’m positive they won’t help me anyway once things get inside my walls, just like they don’t troubleshoot network issues past the demarc. But they deliver my Internet pretty damned well most of the time!

(Aside: What is security, a product or a service? Bring that up as a discussion starter at the pub next time!)

But let’s move from ISPs and go further. I understand that companies like Boeing contract pretty much all of their IT out (I believe mostly Dell right now) to solutions providers (btw, ask anyone at Boeing just how not-awesome their IT support is!). In this case, security better damn well fall into Dell’s lap as well, or some other outsourcer. But that leaves a hell of a lot of SMB business still fending for themselves. Sure, security and IT should be one and the same and both outsourced as infrastructure, but I feel we have a VERY long way to go before this can trickle down past the Fortune 500 or into consumerland. Siemens, IBM, and other players can only go so far before they become so diluted the whole landscape remains at a minimum security level. Images of Jerry Maguire…less clients, better attention, better quality…or the opposite.

So what else is an answer besides just outsourcing it all since that will take forever? Marrying IT and security in house with your current IT techs. If they can do their job while keeping security in mind, you can do some pretty acceptable things, with some oversight.
Of course, if anything even partially mentioned above or in the above links is the right answer, it’d be very obvious and the idea would take our industry by storm. But none do, which mean none are really the answer for everyone.

Holy crap! Chinese [coughmay becough] able to backdoor routers created over there and shipped to the US!

While I understand contemplating such an attack has some minor value, this is not a slippery slope anyone in security should spend too much time sliding down. You can literally grind your company to a halt by going down this road too loudly. Besides, it’s one of the fundamental limitations of security: you have to trust a lot of things transitively in the world. We like to think of our networks as castles with a nice perimeter, and logically that can still hold up, but when you get deep enough, the materials to build those castles still come from elsewhere.

Do you know where:

…your napkins are created? What if they’re laced with anthrax!?
…your keyboards are created? What if they have hardware keyloggers?!
…your cell phones are created? What if they have GPS trackers and can record/transmit your calls?!
…your softwares are created? What if they have backdoors?!
…your cigars are creased? What if they have calf blood in them?!
…your contractors come from? What if they are ninjas bent on haxing your systems and stealing your company?!
…your air comes from? What if they pump toxins into the air as it prevails over the Pacific to us?!
…your cars from from? What if they are set to explode on Oct 23, 2009?!
…the rocks in your garden come from? What if they are alien invaders disguised as rocks?!
…your best friend is right now? What if he is a shape-shifting self-preserving freak from Antarctica posing as your friend?!

Someone needs to make a security lolcat. “Im in ur paranoya, makin’ u crazee!”

Ever read a security article that makes you hurt with every sentence written? Yeah, not too often, but this article in The Register about a data breach nine months ago at the Pentagon that had “an amazing amount of data” stolen, offers up a lot of hurt. I can’t even quote the bad parts since the whole thing is an escalation (or downward spiral!) into needing a few stiff drinks before lunch.

And sometimes, just sometimes, sentences offer up Hurt Combos, like this one:

It took three weeks and $4m to clean up the mess.

Ok, that shows off how bad this issue was, but it also hurts to remind us just what it takes to spend money to get shit done. We (the US) spent $4m in 3 weeks…can’t we do that to prevent the amazing number of issues packed into this little article/incident? This article absolutely begs disclosure on what the hell happened.

Ask.com has been an also-ran search engine for some time, and is going through some changes. I think part of their problem is their name: Ask.com. Ever try talking to someone about Ask.com? Say it out loud a few times conversationally. Yup, it sounds like you’re talking about Ass.com. That just can’t be good.

Then again I thought HD-DVD would beat Blu-ray because my mom knows what HD-DVD means, but has no clue about Blu-ray. HD + DVD? Must be better DVD! I guess I didn’t take into account the pockets Sony had…

This is an amusing story. Supposedly a hacker has broken into a new site and has been posting plagiarized news posts to discredit the company…for the past 2 years?? No one noticed until last month. What an amusing, devious hacker! I’m surprised more people don’t blame the nebulous, mysterious, all-powerful hacker for lots of things going wrong. Global warming? Hackers! Hell, it was hackers that made Doom and all these demon-devil killer games popular! Hackers play D&D, create bombs out of computers, and torture squirrels!