why we can’t have good things

Two scenarios.

Dev: “I can either do this the more secure way which will take me 3 hours to set up and test, or I can just do it this less secure way that is already in place which will take me 5 minutes. Which would you like to pay me to do?”

And…

Dev: “Here’s a quick mock-up of what your website will look like. This is functional, but not all the protections and back-end work is done yet.”

Stakeholder: “This looks great! Perfect! Don’t touch anything, this is how it should be.”

Dev: “Wait, this isn’t done, this is just the really quick-and-dirty version.”

Stakeholder: “Nope, don’t change anything else. This looks perfect!”

Dev: “But it’s not done.”

Stakeholder: “That’s ok, I already have your time earmarked for other tasks that don’t look done yet. If we can blast through this, we’ll impress the client and they’ll be happier.”

Dev: “But…”

Stakeholder: “If the client isn’t asking for it, stop putting time into it!”

being a pest about insurance and security

I am sympathetic to those who compare info security to insurance, but there are gaping holes in such an analogy which sometimes lead people down the wrong paths. Ultimately, the real point of the comparison is to attack the idea that security enables or generates revenue or something. Unless security is something you do as a business, it’s going to be a cost.

I’m going to drastically oversimplify some things here, and I don’t have experience in the underlying nuts and bolts of insurance, but humor me for a few minutes.

1. Being covered by insurance means you’ll be compensated if something goes bad (the “risk of contingent, uncertain loss” [wikipedia]). This would lead someone to think that if they invest in security, then when an incident happens, they will get money back somewhere. While this might (arguably) work when specifically talking about actual ‘cyberinsurance,’ it doesn’t seem like a healthy way to look at your own internal security expense/duties. It has nothing to do with prevention or detection or mitigation. Sure, those may be qualifying factors, but that’s security, not insurance. If I, as a CEO, spend money on security and I still get hacked, I had better not be expecting compensation anywhere.

2. Nothing’s standard in IT. One of the biggest challenges to, well, anything in IT at all is the fact that every shop does things just a little bit differently, with lots of magic customized glue holding things together. Perhaps today’s SaaS/IaaS/Cloud will level the playing field a bit, but we’re a long, long way away from being able to value anything properly. We have a hard enough time in specific industries. You can go to 10 companies in the same industry space and of similar sizing, and a deep dive into their security postures will probably yield 10 incompatible reports. (Note I mention a deep dive, not some piddly 2-day pen test and PCI-worthy interview process and vuln scan that harps on the same 12 things, but an actual analysis and hand-holding look beneath the covers.)

3. You don’t even need to be hacked to have your bottom line affected. Take last week’s Google Wallet disclosures. I’m not sure if anyone has actually attacked anyone with it (let alone Google), but just the presence and media attention has caused Google to take notice and even halt a line of their business while they attend to it. Try valuing that.

Anyway, I’ve exhausted my brain already on this, must be low on fuel or something, so I’ll just leave this as is.

good articles to read on a monday morning

Wendy is awesome. Her posts are awesome. I wanted to link to two must-reads. I’ll quote sound bites, but really every paragraph drips of awesome.

First, let’s skip ahead to, “In 50 gigabytes, turn left: data-driven security.”

“Yes, automation is getting better, but it’s not there yet. There are still too many alerts taking up too much time to sort through (particularly in the tuning phase). IT staff get hundreds of emails a day; they can’t handle more than two or three alerts that require real investigation. (By the way, this is why operations often can’t respond to something until it’s down — it’s the most severe and least frequent kind of alert that they receive all day, and they don’t have time to chase down anything lower-level, like a warning message that hasn’t resulted in badness yet.)”

There’s a parallel here to another piece I just read today via the PCIGuru blog: People in the Loop: Are They a Failsafe or a Liability?, by Dan Geer.

And also check out Wendy’s Insecure at any speed:

“What this indicates to me is that our IT infrastructure — from the networks to mobile — is inherently, badly insecure. And we’re so far down the road in its widespread implementation that it will be decades before the problem is substantially fixed, even assuming we started today with all software developers and manufacturers. Nobody is going to pay to replace what’s running just fine today — until someone loses a figurative eye.”

I love her explanation of telling security pros vs operations staff about business insecurity, and how their reactions are so different. You can pretty much tell someone’s background by their resigned or indignant reactions to the same ol’ news.

In the latter post, Wendy essentially talks about baking security into technology from the start. While I do agree with this, I’m not holding my breath on it. In fact, I just am not sure this will actually ever happen, even on a small scale.

The sad part is I can’t read posts like this without hearing my phone ring with 3 vendors proffering their wares as “the turnkey/plug-n-play solution” to any of the above issues before they even know what sort of business they just called.

reviewing my short list of security steps for smbs

Recent news about law firm attacks/hacks has renewed interest in the surprisingly unsurprising plight of small business, especially law firms. For instance, should a law firm employing maybe a dozen people have tight security, “just enough” security, or barely any? I think that’s hard to say. Many of these firms are going to be lucky to have a single IT-minded staffer all to themselves or to have software to do their main line of business (e.g. case management software/file storage), let alone to be secure.

So I thought it might be pertinent to revisit an old post of mine where I review “5 security steps for small businesses.” Hell, even my “10 security steps for home users” is getting old.

You know you’ve been blogging a while when you can’t remember your own posts, and when you do find them, they’re way older than you thought they were!

So, how do my steps hold up? I’m not even done with this post, and I really think I need to update my list.

1. Backups. Still has to be the first suggestion. Even if you get hacked, you can still keep going if your data is backed up.

2. Network firewall on the Internet link. Gunnar calls this outdated technology (I can’t resist!), but it’s still going to be a necessary line of defense. The “pain” of lacking one is far more removed today than it used to be, though, back when households had 1 computer or businesses had just a few systems and they had their balls hanging out on the Internet with public IP addresses passed right on through. In addition, so many attacks right now are coming in through the app layer (and straight on into your precious database) or through email-borne vectors. Old, but still going to be necessary.

3. Desktop Antivirus. No one really puts much weight on this, but you still don’t tell people it’s ok to not use it. If absolutely nothing else, you’re going to be considered negligent if you’re caught without it.

4. Patch Management. Yes, please. More, please.

Wow, I clearly cheated a bit on the next “one.”

5.1. Physical Security. This is usually easy for most people because it’s maybe the easiest to understand, and unless you get serious, is not really technical. If you go beyond a lock system, you won’t roll your own solution but instead talk to security professionals. Why not do the same with the systems? For a law firm, this should include secure waste disposal.

5.2. Inventory/Baselining. I’m not sure I’d keep this, but it does end up being a foundational task for any intermediate or advanced security projects.

5.3. Get Help. I think this should be a necessity on any list. It appears as the dramatic #10 on my suggestions for home users, and I think it should bookend every such list.

5.4. Wireless Security. This is still important, but not as gaudy and interesting as it was when retailers were being siphoned off from parking lots. Likewise, today’s “APT” and “organized” online hacktivists aren’t typically performing physical proximity attacks. Yet it’s hard to drop this down too far, lest an SMB leave their wireless pants around their ankles…

I think I will look into that revised list of steps for SMBs…this feels woefully inadequate today, which itself is strange, since things don’t seem to have changed *that* much, have they? I struck that last part, but wanted to preserve the thought. When you’re looking at security right in front of your nose, it’s hard to see that things really are changing. I like lists and exercises like this, because they allow one to step back and get a different perspective on things, in more than one way. Get back to the roots and fundamental problems/steps, but also empathize with the position of an SMB and their capabilities (or lack thereof), limitations, and pain points…

some thoughts on happiness and technology today

Via securosis I read that really good article: “Happiness Takes (A Little) Magic”.
I won’t rehash his points, but I think there is still more to these stories than appears in that one. The biggest ones: to each their own happiness, and actively choose how you spend your time, and work towards feeling happy with it.

(Disclaimer: This has nothing to do with information security, or even technology…and reading this is likely a waste of time for everyone, including me.)

1. To each their own, you know? It’s one thing to say, “XYZ makes *me* happy,” but another problem entirely to write a piece about happiness in a way that smacks of trying to convince the world that your view of happiness is the universal or correct one. Or just the “correcter” one. This is a failing of religion and some people in general, where there is self-doubt until such a time as other people agree with you. And if the whole entire world agrees with you, then you can relax, because clearly you’re right. If that article got 5 pagehits and 0 comments, does that make it better or worse than the one that gets 1m hits and 500 comments in a week? Or maybe I just need to let the tone of the piece go, and move on. 🙂

2. The junk food news/information is definitely a problem. It’s why I never spent much time on Fark. It’s why I’m loath to “hang out” on IRC again. It’s why I never got into Digg or Reddit or other news sites where the news may be interesting, but just doesn’t matter to me or my life. It takes effort to stick to useful news rather than unuseful (useless!) stuff when you’re on the Internet. It takes time to cull the useless bits from a newsreader or learn to quickly scan for usefulness in a Twitter feed. I’m finding value in consciously and unconsciously spending time on things that matter. And I already feel dirty browsing YouTube videos and realizing I just lost 3 hours for no real gain.

(Then again, there is a real world analog to this. If you spend 3 hours at a bar meeting 60 people, only maybe 5 are worth your time. Or maybe all the time spent driving to get to those beautiful outdoorsy places that make you feel spiritual. Or those dozen other places that you thought would be beautiful, but just gave you a rash. Or the tourist traps akin to 40m-hit YouTube videos. Great, you can say you’ve seen it, but was it *really* that good for you? Yes, to each their own…)

Honestly, I think this is an age issue for me. Even just a few years ago, I didn’t really give a shit what I spent my time doing. These days, I’m more conscious of my shortening time in this world. Hobbies are fine and distractions/entertainment are fine as well, but I’m trying hard to keep them somewhat bounded. My main weakness is really just video gaming…. As long as I’m truly enjoying the moments, I think that’s the most we can ask for.

2.5 I’m also finding a place for things that let me consume technology in a smarter or faster way. As a youngin, I used to tailor the shit out of my Windows UI with WindowBlinds or various other tweaks whose names escape me. But I quickly moved away from that because every new system or every rebuild would require all that time input again, and the time spent is just not worth it. Being able to quickly set up hotkeys to do mundane tasks that get me done with computer work is a blessing, but eye candy is useless. I think this is one of the places the “cloud” wants to be, but it is still trying to figure out how to do it and be profitable at the same time. It’s not there, but it’s a step… That may be a sub-resolution for this year or maybe the next: to more fully adopt hotkey tools and automate even more things that I do at work and play… (But not automation that saves a little time only to move the time spent into maintaining that automation, the trap scripting/coding often falls into.)

Simplify, simplify.

3. There’s this space of people who make money and expect to make money doing very little, i.e. lounging around online, calling themselves social media experts, pursuing page hits, and writing about themselves like they’re more important than most others. I tend to feel like many of these people are one half-step away from a shattered self-image and deep depression and financial disaster. I don’t know the numbers, but it seems like so many of these people may have a few good things to say that are worth reading, but most of it is drivel and useless and a waste of my time. And certainly not worth providing some money to. Sure, play a violin beautifully in the tunnel and I’ll chip in a 20 spot. Give me good conversation in a bar and I may buy you a beer. Give me a good article, I’ll consume and move on. For so many, I think you’re better off getting a “real job” than trying to do the laziest thing you can. (Clearly, this does not apply to everyone as there are truly effective, hard-working, and highly profitable people whose sole product is online media or writing. I’m generalizing unfairly.)

4. I think there is merit in saying human beings need a little bit of adventure, but I also believe we need a little bit of ownership and production and creation of something. Basically, a tangible result of our efforts and sense of self-value. Sort of a microscopic mirror of the problem that the US is moving away from being a manufacturing country and more of an-I-don’t-know-what country. (Consuming and uselessness? Thinking? Information?) Creating a blog and other online content and chatting and comments should help support real life interactions or at least fill voids temporarily as needed, but none of that is really tangible enough to provide long-term happiness for many people. “I blog for a living” still, to me, even as technologically in-tune as I may be, seems like an awful way to make a living. Sure, there are some who are very useful on a weekly basis and earn it as a real journalist, but for every 1, there are likely a thousand who need to stop lying to themselves and actually create or do something real, ya know? And in turn, stop contributing to the noise.

Then again, I may just have my panties in a bunch this week (an HQ power outage all day due to a carrier mistake will do that) and have some unfair opinions. But I think that’s increasingly my right for advancing in age.

another view on how sopa illustrates the process in action

Bear with me for a moment while I make a statement or two that I’m just throwing out there, but not really meaning to defend with any huge force, especially considering this is one of the only times I can recall where I’ve defended politicians or Congress… (and before anyone exercises their right to be dumb and not understand what I’m saying, I oppose SOPA as well.)

Yesterday, many sites went black in protest of SOPA. In addition, many people are upset about such legislation even being proposed, citing corporate interests and corrupt Congress and technological idiots in Congress.

Personally, I love what happened yesterday, but not because the Internet swelled up and got seen on the front pages of every mainstream news outlet. Rather, I love that this is exactly how the process is supposed to happen.

Congress doesn’t jot down new legislation and throw it into the hopper expecting it to be perfect and the answer. It’s discussed, changed, challenged, sometimes approved, and sometimes struck down through the checks and balances system as well as peer and public discourse.

Yes, “politics” does influence things, but the idea of throwing SOPA out there, discussing it, reacting to public opinion when it swells, and maybe even rejecting bad ideas, is part of our democratic process.

In other words, be sure to focus your wrath a bit. Don’t just assume Congress politicians are idiots (at least not based on this one issue, though I also think many of them are idiots). Even submitting idiotic laws and acts is part of the process which hopefully keeps them from doing more harm than good in the long run.

personal notetaking dilemma and the rise of the cloud

When I look around my desk at work, I can see paper. I’m a notetaker. I have been since grade school. I re-use little calendar pages to take notes on, and they accumulate. While I’d love to reduce this clutter, I’m not ready to try and replace everything, such as my Moleskines. Few things are faster for taking notes than grabbing a piece of paper, a pen, and jotting something down. Few things are faster to re-reference than grabbing a piece of paper and, for example, looking at the checklist of things I have left to do on website build XYZ. Grepping my notes is harder, though. As is trying to remember a shopping wishlist while at the store when the notes are on my desk or at home on a whiteboard.

I have more little electronic devices than I’ll admit to you. Few of them get a ton of use. Part of that is the pain of using one device for a while, and then attempting to consume the same things on another device. Notes taken on a tablet are not as easily ported over to my personal laptop or my phone. And so on. Lots of people seem to be satisfied with using email to shuttle things back and forth, but that seems archaic and dirty to me.

I also have a desire to not put myself into a position of device-dependency such that lack of that device makes me helpless. For instance, I’m already dependent on my cell phone, specifically the contact list. I don’t even know my parents’ phone number off the top of my head (though yes I have a little piece of paper in an address file). I’d hate to be even worse off if I don’t have an Internet connection nearby, or mobile hot-spot, or just an electronic device. (Story: My power recently went out, and I drained the battery on my Nook Tablet, which reminds me that I can always read physical books or magazines if I still possess the ability to create fire…)

[Aside: Magazine consumption on my tablet is a mixed bag. I like this experience, but I’m screwed on the process of ripping out a page for future reference like I can when I own the book, or maybe even taking a screenshot of a page when I’m flipping through it in the store, which I do every work day over lunch.]

All of this puts pressure on digital consumption in my life. And I also believe this is collectively a huge reason why “cloud” is on the rise. More people have more devices, and more devices that are mobile. They’re sick of maintaining their PC (though arguably most smartphones are just as challenging and frustrating to maintain). They want data/experience across multiple devices without needing experience in server/network administration.

Unfortunately, it’s still cumbersome, and the market has so many solutions that it fragments everyone and adds risk that your chosen solution will just die in a year or two. Likewise, you have lockin (iTunes, B&N store for the Nook…) or differences in experience (phone vs PC web browsers) or inability to install things (iPad-only apps). And lack of trust/privacy/assurance that you’re not being sold/used/exposed.

I’ve had EverNote on my radar for a while now, but I think my work desk situation is going to prompt me into trying it out finally. Of course, this makes me sigh in exasperation as I can probably exfiltrate data from work out to my personal systems at home, but I guess the ability to stop that is becoming more and more of a fairy tale as the months go by… Perhaps this situation is always arguable; I mean, an employee can leave a company and take everything along with him in his head, yeah?

Anyway, I had more to say in this post, but halfway through, work duties interrupted, and getting back to this has sapped my Muse…

illustrating the facepalm of security discussions

If you’d like a quick dose of why discussion in the security circles goes in, well, circles, check out the “Rate Stratfor’s Incident Response” thread taking place on the full-disclosure mailing list. The real headache-inducing pieces take a few responses to get to, but eventually the discussion piles into hiring hackers, security economics, and perfect security. Unfortunately, some of the discussion is driven by one or more people who fail a bit at critical thinking in discussions like this, but it still illustrates some of the pain in security, especially how people coming in from different perspectives are just as correct as others from other perspectives. And this is just discussion and not real action! (I’m ignoring any difficulty in non-English responses, but that is also a trouble spot in the small, global community of security.)

Granted, there are some non-industry people in the list, and some who don’t really sound like they’ve had a real deep technical job (or have any business sense), but certainly there are plenty of decent participants.

when pci makes you feel dirty

Wired has a really strange story about Cisero’s Ristorante and Nightclub being fined for PCI violations (and alleged breaches?), having money taken from them, then sued by their bank, and thus counter-suing their bank and effectively putting this whole PCI security process under a legal magnifying glass.

PCI sounds fine, it really does. But once you start looking at the various steps on their own, it really makes you feel dirty. It’s even dirtier when you start talking about arbitrary costs, rules, changes, and general lack of communication up and down the chain.

This may not be so much a problem of PCI, as opposed to a problem with how PCI is used by the merchants, banks, and Visa/Mastercard. No one wants to eat these costs, and the less-skilled persons (merchants) end up being responsible for highly technical issues.

Definitely a story to keep an eye on.

india gov backdoors into mobile devices

If you don’t think this sort of backdoor stuff happens as a requirement to do business with communications networks (and increasingly technology devices), you’re not keeping up with the times.

The memo suggests that, “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

Communications eavesdropping, device backdoors, and external/subpoena access to data should always be on your mind. No site or company is going to risk those recriminations on your behalf when pressed.

overhack on network log monitoring

A network traffic analysis and log analysis post is up over at OverHack. Good stuff, and I completely agree with the intro paragraph.

Doing actual log analysis is trickier than most supervisors think it is. You want to know when someone gains domain admin rights, eh? Ok, you have to watch all created accounts. You have to watch for existing account changes that slide an account into the domain admins group, or into any other group nested inside there. You have to watch for someone sliding a group into the domain admins group. You have to watch for strange account usage and failed logins to any accounts in the domain admins group. And you can’t just look for suspicious things, but you should track down every instance, even if it appears to match your account naming schemes.

Oh, and you can’t just do this once a week with a delta on the accounts present. If an attacker created an account, used it, and then deleted it in between, will you notice? And we’re just talking about one (important) sliver of log data!
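As an added example (not code from the OverHack post or from this blog), here is a small Python monitor that does what the two paragraphs above ask over a constructed, Windows-style security event stream, with a once-a-week account-list diff beside it to show what the diff misses. The tab-separated log format, the Helpdesk-L2 nesting and the short-lived tmp-sync account are all constructed for the example; the event IDs are the standard Windows Security log IDs for account created/deleted, member added to a group, and failed logon.

```python
"""Streaming monitor for Domain Admins membership changes.
Added example (not code from the OverHack post).  The tab-separated log
format and all names except Domain Admins are constructed.  Event IDs are
the standard Windows Security log IDs: 4720 created, 4726 deleted,
4728/4732/4756 member added to global/local/universal group, 4625 failed logon.
"""
from dataclasses import dataclass

CREATED, DELETED, FAILED_LOGON = 4720, 4726, 4625
ADDED_TO_GROUP = {4728, 4732, 4756}
ROOT_GROUP = "Domain Admins"

# Constructed sample week (fields: time, event id, actor, member, group):
# Helpdesk-L2 is nested into Domain Admins, bob lands in Helpdesk-L2, then
# bob creates tmp-sync, makes it a DA, fails two logons with it and deletes
# it before the next weekly account snapshot would be taken.
SAMPLE_LOG = """\
2012-01-09T08:00\t4720\tadmin.jane\tsvc-backup\t-
2012-01-09T08:01\t4728\tadmin.jane\tsvc-backup\tBackup Operators
2012-01-10T02:13\t4728\tadmin.jane\tHelpdesk-L2\tDomain Admins
2012-01-10T02:14\t4728\tadmin.jane\tbob\tHelpdesk-L2
2012-01-11T23:50\t4720\tbob\ttmp-sync\t-
2012-01-11T23:51\t4728\tbob\ttmp-sync\tDomain Admins
2012-01-12T00:30\t4625\t-\ttmp-sync\t-
2012-01-12T00:31\t4625\t-\ttmp-sync\t-
2012-01-12T03:00\t4726\tbob\ttmp-sync\t-
"""

@dataclass(frozen=True)
class Event:
    ts: str
    eid: int
    actor: str
    member: str
    group: str

def parse(log: str):
    for line in log.splitlines():
        if line.strip():
            ts, eid, actor, member, group = line.split("\t")
            yield Event(ts, int(eid), actor, member, group)

class PrivilegeMonitor:
    def __init__(self, root: str = ROOT_GROUP) -> None:
        # A membership event does not say whether the member is a user or
        # a group, so both go in one set: a group added here makes its own
        # later members privileged too, which is what catches nesting.
        self.privileged = {root}
        self.live_created = {}  # account -> creation time, until deleted
        self.alerts = []

    def feed(self, ev: Event) -> None:
        if ev.eid == CREATED:  # every creation gets looked at, per the post
            self.live_created[ev.member] = ev.ts
            self.alerts.append(f"{ev.ts} {ev.actor} created account {ev.member}")
        elif ev.eid in ADDED_TO_GROUP and ev.group in self.privileged:
            self.privileged.add(ev.member)
            self.alerts.append(f"{ev.ts} {ev.actor} added {ev.member} "
                               f"to privileged group {ev.group}")
        elif ev.eid == FAILED_LOGON and ev.member in self.privileged:
            self.alerts.append(f"{ev.ts} failed logon for privileged "
                               f"account {ev.member}")
        elif ev.eid == DELETED:
            born = self.live_created.pop(ev.member, None)
            if ev.member in self.privileged:
                self.alerts.append(f"{ev.ts} {ev.actor} deleted privileged "
                                   f"account {ev.member} (created {born})")

def stream_alerts(log: str) -> list:
    mon = PrivilegeMonitor()
    for ev in parse(log):
        mon.feed(ev)
    return mon.alerts

def weekly_delta(log: str) -> set:
    # What a once-a-week "diff the account list" job reports: accounts
    # present at the end of the week that were not present at its start.
    accounts = set()
    for ev in parse(log):
        if ev.eid == CREATED:
            accounts.add(ev.member)
        elif ev.eid == DELETED:
            accounts.discard(ev.member)
    return accounts
```

Running `stream_alerts(SAMPLE_LOG)` flags bob's entry into Domain Admins via the nested group, every use of tmp-sync and its deletion, while `weekly_delta(SAMPLE_LOG)` reports only svc-backup.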

build more than break

I like this new year’s tweet from hrbrmstr:

Final “Three things: Resolutions” (no blog post needed) for infosec professionals: Stop being smug; Build more than break; Quit the FUD.

Particularly, I like that middle part. (That first part can roll into people in general, not just infosec.) Build more than break. It’s great and necessary that we have people who can research and find issues. And that we have people who can break into systems and play on red teams as a learning tool. All of this makes for great learning and research, no doubt.

But what really brings value to individual businesses is the ability to create defense and protect against risks in a realistic fashion. This doesn’t mean just blabbering on about best practices and what a company should do, taking your consulting paycheck, and leaving. It means actually being able to design, build, and maintain a proper defensive posture. Not just talk it, but actually be able to walk the walk and explain what works and what actually is just smoke and mirrors or way too costly despite how it sounds on paper. If you tell someone they should be watching XYZ logs for events ABC and correlating those against change mgmt forms and GHI assets, but have never done it and have no idea how much work that actually entails (let alone how fragile it is once you do figure out a way to do it), you’re not helping. And that doesn’t even take into account the audience business size/type/incomes/staff/industry…

Part of that is also being able to talk in a senior leadership sort of way to technical persons like network admins and software developers and desktop teams; to not just give them the same old lines, but be able to give actionable, technical, specific guidance for improvement.

In my opinion, all of this requires a technical background filled with actual hands-on-the-keyboard experience. Not meeting agendas and new school non-PowerPoint presentations and email mandates. Sure, these are needed, but the real value is made or broken down in the trenches.

Addendum: I feel like I shortchanged the attacker knowledge a bit. I absolutely believe we need to be able to think and behave like attackers to anticipate issues, but also it makes for a great way to test our defenses rather than waiting for an attack, enticing an attack, or waiting for that annual pen test which may or may not even trigger what you’d like to test.