physics envy, art of security, and patterns

Bejtlich continues discussion on his blog about risk metrics with a post on “physics envy.” I’ve followed several articles and postings lately (i.e. several lately, but also over the years) about this topic, and it’s nice to see these other thoughts.

I was actually just thinking this weekend how much security is still an art no matter how much we want to apply numbers and statistics to it. I can probably tell you what risks you need to look out for and which ones are not going to be a big deal. But it becomes *much* harder when I want to give some hard numbers or determine a value so I can tell you what to spend.

I can prioritize efforts as well, in my own mind, but trying to justify them with numbers and budgets becomes mind-swimmingly annoying. I can tell you, from a gut level, when you’re spending too much to protect something silly. I can outline and detail an effective security posture, but if you want me to back it with metrics, I’m going to hate you.

There might even be people who disagree with my prioritization and steps, and that’s unfortunate that I’m right and you’ll just have to be wrong. 🙂

Is this like trying to apply a level of precision to security spending that we just can’t have because there are simply too many factors? Is this like trying to find that magical formula to solve the stock markets (or your perfect fantasy baseball roster or the exact match-ups in the Final Four)?*

I suppose the old approach is still best. Do what measurements you can, and at the very least try to align the results with what your gut tells you, and then be consistent with those practices over and over and over… But that still makes me feel like we’re just tainting numbers to what we want, which devalues their integrity completely.

* Hell, I think it’s natural that we have this crazy tendency to identify patterns, even those as silly as lucky underwear on night games, or a certain routine on game days to praying the right amount for deliverance… It doesn’t help that nature so often promotes this tendency by being exceedingly mathematical from chemical reactions, to photosynthesis, to fractals, to the Nile (I sound a lot like the narrator from the movie Pi, but that’s coincidence as I would have the same thoughts regardless…hell I don’t even remember that movie but for the end and the music). But this doesn’t all mean there *must* be a pattern, especially with the ultimate variable: human choice.

useless notes from the verizon data breach report 1

I have been slowly reading through the Verizon Data Breach Report (which is awesome!) and one thing kept niggling at me. As I read through it, this popped into my mind: Are the numbers maybe skewed by just one or a couple huge cases?

My Hypothesis: Only one or a couple of breach cases are responsible for a huge majority of the records breached.

So I started taking notes and went back into the report a bit. Satisfied with my findings, I read on not 1 more page before the authors outright stated on page 32: “The top five breaches account for 93 percent of total records compromised.” Way to deflate my balloon!

Nonetheless, it does diminish the value of the graphs dealing with number or percent of records, which I think the authors acknowledged by keying more on the breaches and less on the records disclosed. So that’s good!

Following are the notes I had taken to investigate my hypothesis. They’re here mostly just to hear myself talk, and don’t necessarily have much actual use otherwise. But feel free to read if you want.

90 breaches in the study (pg 6)
285,000,000 records involved (pg 6)
financial services account for 30% of the breaches (~30) (pg 6)
financial services account for 93% of the records (265,000,000) (pg7)
external sources account for about 93% of the records (266,788,000) (pg 11)
median of external records per breach is 37,847 (pg 11)

I’m going to guess that all of the meaningful financial services breaches occurred with external sources, considering the numbers above. This means that out of 30 breaches with a total record disclosure of 265,000,000, the average breach should be 8.8 million. If this were a normal distribution, the average and median should be similar, but they’re not even close. To me, this indicates just a couple large numbers, while many of the others were quite small.

95% of records were breached by an attack of high difficulty (pg 28)

There are some other numbers which indicate that there was really not just one single large incident, but at least a few. If there was just one large incident, these numbers would also be nearly 90%, but they’re not:

Financial services almost certainly were targeted by just the larger % types of hacking from the graph on page 17: SQL injection, improperly constrained or misconfigured ACLs, and unauthorized access via default or shared credentials. The attack was through a web application (79%) and remote access & mgmt (27%) and/or End-User Systems (26%). (pg 19) This could certainly indicate at least 2 major incidents that account for this huge number of records breached in 2008. In fact, I wouldn’t be surprised if one large incident was due to a web app, and a second was a combination of remote access and end-user systems, with those two attacks being the huge majority of the records.

I’m actually surprised that no graph was presented which shows that a huge percentage of the records fell to targeted breaches, as that is what I suspect, at least with highly difficult breaches, anyway.

Certainly these couple financial services breaches housed online data, as 99.9% of all records were online data (pg 30), i.e. payment card records which were 98% of all records (pg 32).

Hell, page 32 confirms my suspicions: the top 5 breaches contribute 93% of all records. Doh!

visiting 5 (or maybe just 2) security pet peeves

A blog article over on ZDNet lists 5 IT security pet peeves. I thought I’d tackle them.

Too many people still believe ignorance is an effective security strategy. – I’m not sure so many people actively believe in this strategy so much as they are just that way. The same mindset that when your toaster breaks, you wait and try 10 more times hoping the issue just goes away and it magically works tomorrow. Or the old cliche of see no evil… Or the other habit that we have of saying something won’t happen to us. Sadly, the author dives headfirst with eyes closed into the “security/obscurity” topic and just ends up sounding closed-minded. Watch how you word these things, please. There *is* value in obscurity, to an extent. The correct phrase is not to achieve security through obscurity only.

People who know nothing about IT security have godlike power over matters of IT security policy. – The examples given (congress, judges, law enforcement…) reek of an “IT guy” who only really pays attention to cnn.com issues as a consumer. Sure, he can manage his home all-in-one fax and 2 laptops on his home DSL…

Anyway, despite the tone, I think this item should otherwise hit the nail squarely, and is related to the first bullet. There are too many people who wield significant power over IT security that should have no business mucking in it other than as an overall business strategic concern. And while there are execs who will say they stay strategic and let their minions do things (yay!), there is also that undercurrent of productivity pressure, top-down, that will steal away valuable analyst time from actually verifying and maintaining security. Ever try to explain to a non-technical person the art of investigating a single IPS alert? You lose them in 30 seconds every time. But 2 days later they wonder why you spend more than 5 minutes on a mysterious alert that could portend ominous happenings on the wire. These same people wonder why you can’t just set up logs and never, ever read them. “But we gather them, right? Oh, it broke 5 months ago and we never knew because we don’t check them? Oh…shit.”

I had more to say about the rest of his bullet points, but have decided to leave it at a summary judgement. The rest of the bullet points reeks of a non-corporate person who runs his home network and otherwise plays backseat IT guy. They’re also narrow-sighted consumerland items that make him seem inexperienced and annoyed that his social network browsing is interrupted now and then by kiddies. (And yes, I have feelings on both sides of the fence when it comes to visibility into communication.)

sctp_houdini kernel exploit link

If you haven’t patched your Linux systems lately (for instance Ubuntu 8.04/8.10), you might want to do so. HD Moore threw this out on Twitter.

There are seminal vuln-exploit instances that get used as easy attacks in testing, especially your personal labs. Years ago it was LSASS attacks. In recent months, MS06-087 is an easy route. For some Linux flavors, this should be one of the first scripts grabbed to pwn a box and move on.

Update after reading more: You need to be running SCTP on the target box. Yeah, I haven’t heard of SCTP either.

matching macs to detect rogue wireless devices

It wasn’t too long ago that I was musing about EthicalHacker.net’s latest challenge dealing with some wireless hijinks.

A similar topic just came up on the SecurityFocus IDS mailing list in regards to PCI 11.1 about wireless IDS. It was mentioned that an option would be to use something like RogueScanner on the wired side to detect wireless devices. I don’t know why I hadn’t thought of that right away, but yes, you can poll your wired network, gather MAC addresses, and compare them against what they should be. If you see any that are obvious wireless products, you go over and yank it out.

Now, that’s great, but keep in mind it’s not foolproof detection. MACs can be changed even on some home consumer wireless routers, firewalls may prevent the polling up front (although a switch MAC table may give more away), extra unmanaged hops can get in the way, and a laptop acting as a router with a second wireless interface may only show up as a regular laptop. But you do get the obvious low-hanging fruit covered.

I have wondered if it could be possible to push traffic from the wired network out through the wireless side. A silent AP can stay relatively hidden, but if you can force it to throw something out now and then, it can be picked up.
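The wired-side comparison described above, as an added example that is not from the original post or from RogueScanner: it normalises MACs pulled from ARP-style output, checks each against an inventory of expected devices, and flags vendor prefixes (OUIs) that belong to wireless products. The OUI table, the inventory and the ARP lines are constructed placeholders; in practice feed it real output (arp -a, Get-NetNeighbor, a switch MAC table) and the IEEE OUI registry.

```powershell
# Constructed OUI table: first three octets -> vendor label (placeholders, not real OUIs)
$OuiTable = @{
    "00-11-22" = "ExampleCorp (consumer wireless router)"
    "00-33-44" = "ExampleNet (server NIC)"
}

# Constructed inventory: MACs that are supposed to be on this segment
$Inventory = @("00-33-44-AA-BB-01", "00-33-44-AA-BB-02")

# Constructed arp -a style output for the example
$ArpLines = @"
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-33-44-aa-bb-01     dynamic
  10.0.0.2              00-33-44-aa-bb-02     dynamic
  10.0.0.77             00-11-22-cc-dd-ee     dynamic
  10.0.0.78             00-ab-cd-ef-01-02     dynamic
"@

function Find-SuspectMacs {
    param([string[]]$Lines, [string[]]$Known, [hashtable]$Oui)
    foreach ($line in $Lines) {
        # Pull out IP and MAC; skip header lines that carry no address pair
        if ($line -notmatch '(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})') { continue }
        $ip  = $Matches[1]
        # Normalise to upper-case dashed form so inventory and OUI lookups are exact
        $mac = ($Matches[2] -replace ':', '-').ToUpper()
        $prefix = $mac.Substring(0, 8)
        $vendor = if ($Oui.ContainsKey($prefix)) { $Oui[$prefix] } else { "unknown OUI" }

        $reasons = @()
        if ($Known -notcontains $mac)   { $reasons += "not in inventory" }
        if ($vendor -like "*wireless*") { $reasons += "wireless vendor OUI" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ IP = $ip; MAC = $mac; Vendor = $vendor; Why = ($reasons -join "; ") }
        }
    }
}

# On the constructed input this flags 10.0.0.77 (unknown device with a wireless-vendor
# prefix) and 10.0.0.78 (unknown device, unknown OUI); the two inventoried servers pass.
Find-SuspectMacs -Lines ($ArpLines -split "`n") -Known $Inventory -Oui $OuiTable | Format-Table -AutoSize
```

A hit from the OUI check is only a lead, since the prefix can be spoofed and a laptop bridging to a second wireless interface will still carry its normal NIC's OUI; the inventory mismatch is the more durable signal.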

powershell: getting a list of active directory servers

Getting a list of servers can be a pretty valuable first task for working with large numbers of computers. Yesterday I had a reason to get a list of them all, and thankfully all of my servers are in the same OU tree in AD (/Machines/Servers). I also see SynJunkie did a similar thing this week, but I prefer not to use third-party cmdlets. 🙂

# Bind to the OU that holds all servers and search it for computer objects
$blagh = [ADSI]"LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $blagh
$objSearcher.Filter = "(objectCategory=computer)"

# Only load the attributes we care about
$PropList = "name","cn","lastlogon"
foreach ($i in $PropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$Results = $objSearcher.FindAll()

Write-Host "found $($Results.Count) servers"
$Results

What this does is look for all computer objects under Machines/Servers in my domain my.domain.com. For all computers that it finds, it pulls out the name, cn, and lastlogon properties.

To find a list of all the properties that can be pulled out, after the above script do this:

$Results[0].Properties

Based on the properties I pulled, it should be obvious I was looking for signs of dead computer accounts. This can easily be changed to look for user accounts, properties in them, and other OUs.
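Carrying the script one step further, as an added example that is not from the original post: it converts the logon timestamp from its FILETIME form and lists the computer accounts that have been idle longer than a threshold. It assumes the same OU path as the post; the threshold and path are placeholders to adjust. One caveat worth knowing: lastlogon is not replicated between domain controllers, so it only reflects the DC you queried, whereas lastlogontimestamp is replicated (updated only when the old value is more than roughly 9 to 14 days stale), which is good enough for finding dead accounts.

```powershell
$StaleDays = 90   # placeholder threshold; pick what "dead" means in your environment

# Same OU as the post's script; adjust for your domain
$root = [ADSI]"LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(objectCategory=computer)"
$searcher.PageSize = 1000   # page the results so a large OU is not cut off at the server limit

# lastlogontimestamp is replicated across DCs; lastlogon is per-DC only
[void]$searcher.PropertiesToLoad.AddRange(@("name", "lastlogontimestamp"))

$cutoff = (Get-Date).AddDays(-$StaleDays)

$stale = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # The attribute is a Windows FILETIME stored as Int64; absent or 0 means never logged on
    $ts = 0
    if ($p["lastlogontimestamp"].Count -gt 0) { $ts = [int64]$p["lastlogontimestamp"][0] }
    $last = if ($ts -gt 0) { [DateTime]::FromFileTime($ts) } else { [DateTime]::MinValue }

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            Name      = [string]$p["name"][0]
            LastLogon = if ($ts -gt 0) { $last } else { "never" }
        }
    }
}

Write-Host "found $(@($stale).Count) computer accounts idle more than $StaleDays days"
$stale | Sort-Object LastLogon | Format-Table -AutoSize
```

Swap the filter for (objectCategory=person) and the OU path to run the same check against user accounts.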

commending excellent security disclosures

I had not heard of OAuth before reading a post today on LiquidMatrix about an OAuth vulnerability, found right after a pretty large round of exposure from Twitter adoption.

A big vuln and the pulling back of support is a big deal, but I’d just like to point to OAuth’s own explanation of the security bug.

This article discussing the details of the bug is excellent (especially given a very confusing bug). It gives detail, it remains honest and open, it demonstrates understanding of the issue. I wish all vendors, closed and open, would be more like this. Yes, fine, it makes the sales and marketing teams feel squeamish, but this sort of open cultural attitude is going to make a difference. Maybe not today, maybe not even in ten years, but someday it will be necessary as the world grows up into technology and efficient information-sharing.

So, regardless of what I think about OAuth or the vuln, props for a great disclosure discussion.

Update 1:37pm: So I saw this Google Group posting, and I have to shake my head and think, “Really? Did you just try to say this? Fail.” The statement, “Please do not speculate or publicly discuss the actual details of this or other threats.” Hopefully someone smacks his hand and tells him not to try that tack again.

the arts of empathy and thinking ahead are still dead

Human nature is silly, isn’t it? Too many companies do next to nothing about security until they’re burned by it. And I read today that a Congresswoman who used to be a staunch supporter of warrantless wiretapping has changed her tune after being the subject of a wiretapping herself. Go fucking figure. Way to demonstrate that you’ve not really thought through the subject over the last several years. Of course, she’ll blame those who did it by insinuating they should be held to higher standards and this was an obvious mistake… (which only strengthens my disdain…)

I’m really restraining myself here as this topic of personal responsibility, empathy, and forward-thinking is something I feel especially strongly about.

the net tubes are wisps of sparkly magic fairies

For every annoying idiot or asshole on the net tubes, there are still swaths of users on various sites who have a great sense of humor and demonstrate this on forums and news comments.

My best laugh so far today was seeing that email used to be very scary. While the picture and caption itself are fun enough to pass on, it is the comments that made my day. Things like:

so since he doesnt have a computer that email flails around the office like an angry ghost that is trapped between worlds?

less zombies gives more security

You have 100 zombies beating against your door. There is a chance one of them will beat his fists in the right spot to either smash a hinge or bump the handle in a way that the door springs open.

Your buddy across the street has only 5 zombies beating on his door, but is in the same predicament: they have a chance to smash a hinge or bump the handle.

Which door would you rather be behind?

If you choose the one with 5 zombies, then I’d say that is a less risky situation entirely because there are fewer zombies beating on the door.

If you move your SSH server from default port 22 to some obscure port like 38724, I can predict you will have fewer zombies beating on the door of your SSH server. You’ve lowered your risk. You’ve increased your security (depending on your definition of security).

(Obviously, I’m yet again annoyed at the insistence by some that there is no value in security through obscurity. Those people are confusing “security only through obscurity” as being the same as “no security value in obscurity.” I think most people say they like “security through obscurity” as an additive value to an overall posture. Not as the only measure.)

time-to-penetrate and increasing attacker costs

Read some concepts lately that I wanted to remind myself about, and don’t really want to bother figuring out where I first saw them.

Time-to-penetrate. Locks are rated by how long they take to fall to an expert. How long will your network/security last? To drive-by scripts/kids/worms? To experts?

Increasing attacker’s costs. I read about border security between the US and Mexico and how border authorities want to make it more expensive for drug cartels to get drugs over the border. Not stop it, but make it more difficult/expensive. If you rightly believe in the inevitability of insecurity, then you really want to keep the bar raised as far as possible (this is an argument that can formulate a defense to ‘security through obscurity,’ in moderation).

sinking in that twitter use has exploded

I’ve read but really didn’t digest that Twitter use has exploded this year. It was only maybe half a year ago when the most-followed people on Twitter were all excited about 40,000 followers. Now celebrities are topping 300,000 with ease! That’s crazy.

What’s interesting is how this may change culture a bit. On one hand, all of us norms get to see all the silly crap that celebrities think they want to tweet about (and mispell!). Kinda like what will be known as the Kevin Rose effect: it will make celebrities be much more down-to-earth, almost like you know them.

On the other hand, they lose more privacy indirectly as well, such as checking out the few privileged people your favorite celebs are following, some of whom may be unaccustomed to the attention, etc. Not to mention vulnerable to social attacks.

slicing various types of security roles

Bear with me as I ramble a bit in this post. Something unpolished that I didn’t really want to lose. I’ll reserve the ability to completely change my opinion!

Which one of these will realistically get us the farthest in security? Choose only one.

  • administration: managers/execs/policywriters
  • techs in the trenches
  • auditors/testers
  • secure code/architecture i.e. “build it secure”

Yes, the best answer is clearly a combination of all of the above.

But for the sake of argument, let’s say you can only pick one horse to put your money behind. Which one gives you the most realistic chance?

– administration: managers/execs/policywriters – This is your typical layer where policies get written, strategies formulated, and employees managed. To me, this is a necessary layer, but alone they don’t do a whole lot without the support of everyone else, much like a policy with no enforcement. There is also the devil of being too abstracted from the real goings-on to be effective, or to live in the correct reality. Do they say security is working but have really no way to back that up? This isn’t always the case, but it is the devil they must battle. And that’s assuming their employees are even following the decrees made… A good aspect on this might be the guys who manage appliances on a broad level to create statistics or whatnot. But do we really want to lean heavily on Big Boxes?

– techs in the trenches – This is where I’d put my money. The people on the ground and in the trenches. Sure, they may have some weaknesses like enforcing security with no real policy or guidance, or a lack of focus, but to me they’re the ones who will always do the implementations, detections, and investigations. These would be the guys and gals who, if you gave them 8 hours a day to “do security” and left them in a room, they’d implement all sorts of wild things that can be extremely effective. If you get them even slightly working with the rest of business rather than just in their caves, they can be a real force.

– auditors/testers – This is your group of people who both point out all the wrong things you do, but also hopefully point out how you can do things correctly. A powerful group, but I think they ultimately rely on finger-pointing and may not, directly, actually get anything done. Given a high degree of intelligence and knowledge, though, and those rare individuals are exceedingly valuable. On the testing side, their research and automation are hideously valuable.

– secure code/architecture i.e. “build it secure” – This is a great approach, but I think the “realistic” part really kills this. I’ve talked about the caveats in this group before (and can’t find the post[s]), so I won’t get into detail. But if technology didn’t change and economics shifted to value security, this could be a powerful group. Sadly, while important, I wouldn’t bet on it as my horse because it just isn’t realistic alone. Technology changes faster than we can learn it enough to secure it properly upon creation; economics pushes function before security; etc.

why the media is a real threat against hacker culture

These are the kinds of articles I don’t like to read. This is about Peerhboy, a terrorist group ‘hacker’ arrested in India.

The implications I don’t like in this article are twofold.

First, this guy got some ‘training’ and this seems to be implied as bad. Does this mean any ‘hacking’ or security training will mark you as evil?

Second, the only wireless ‘hacking’ alluded to in this article is the use of unsecured wireless access points. Yes, a concern, but hardly worthy of eye-catching ‘hacking’ adventures.