bcp and dr planning; don’t forget to do it

Deb Hale has a nice BCP/DR story to tell over at the ISC Diary page in regards to this summer’s Missouri River flooding. This hits a little closer to home (pun intended) since I’m from Sioux City and my parents currently reside in the Dakota Dunes (they’ve been lucky).

While at first glance a natural disaster isn’t always foremost in the minds of information security staff, it certainly is part of a holistic security view, and it is one of the few areas that pretty much any manager or executive can relate to and have ideas about, especially since managing people in the face of a disaster is a key problem. While the story is light on details of what you can do to enhance your business continuity plans, it does illustrate the impact such events have on the community and may have on your business, both short term and long term.

I’d just like to add 2 things to the discussion. First, keep abreast of area disaster possibilities. You don’t want to find out too late that a flood is going to happen in your area. Some events are quick (tornado), but others are not. Second, when you do hear about an incident, don’t drag your feet when taking preparatory or reactive actions. The sooner you act, the better off you are. This is also one place where community, in-person networking will always trump your digital network and internet social ties.

gosh, 90% of us companies are breached?

90% of US companies have been breached!
90% of US companies hacked!
90% of US companies have been victims of cyber attacks!

These are the sorts of headlines coming out from a survey by Ponemon sponsored by Juniper, named (for reasons that are unclear) “Perceptions About Network Security.” [pdf] These are also the sorts of headlines that I immediately question, namely: “What is your definition of a cyber attack/breach?” Sadly, the report doesn’t answer this question, but does hint that any sort of security incident counts, even if it happened to someone else who had some information from your company (i.e. the Epsilon email ‘marketing’ breach) or some workstation issue which is never defined. Normally, I wouldn’t even bother posting about the survey, but I keep seeing those stupid headlines mentioned at the top…

Ok, fine, page 6 does start to hint at the sorts of incidents we’re talking about in Bar Chart 8 where “malware” is featured in 5 of the 8 breach causes. I’m sorry, but largely incidental malware attacks don’t necessarily count as “cyber attacks” or “breaches” to me. (Yes, I understand that is arguable, in fact, that’s my point.) The same goes for lost or stolen laptops. Far too many of those incidents are going to be non-targeted crimes of opportunity.

I do buy that 90% of companies probably do suffer computer insecurity incidents. I just dislike the sensational tone so many headlines are taking. Like 90% of them are pwned and attacked and being stolen from by attackers in targeted incidents. Hell, the number should be 100%.

I had more to post, but it’s just all me complaining about the report being misleading, laughably funny in other places, supportive in the obvious places (no shit, complexity and resources are challenges?), and having a few concluding recommendations based on weak supporting evidence (e.g. 2 leading questions). None of that helps anyone, so I excised it. 🙂

even the simplest of questions isn’t simple in security

Sometimes the simplest security questions are the worst. Today, I got an email forwarded to me: “Am I ok opening this?”

That question is properly responded to with another question, “Do you know the sender and did you expect a file from that sender?”

The easiest answer is when it is obviously a spam or phishing attempt. Beyond that, however, all bets are off on this ever being a fun question. Will I ever be able to say, “Yes, this is absolutely safe?”

And how is a user ever going to truly know the risks and make a proper acceptance or denial of them on their own? Even I had to take a few dozen minutes out of my day to poke around, since that email isn’t very clearly business-related, includes a link to a different site, includes a file format I can’t ever vouch for entirely, and the site used for the file transfer has an invalid SSL certificate.

And do I know that site is legit and itself is secure?

Little questions like these carry some of the worst weight with them. It also illustrates how, at some point, security just has to draw some line and say, “Looks clear.”

(Way too obscure allusion to Pitch Black’s Riddick character, who says, “Looks clear,” just before someone steps out and gets snatched by some creature. “You said it was clear!” “I said it *looks* clear.”)

cwe/sans top 25 software errors report is released

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors report has been released to the public. [PDF version here]

This may be a carry-over from previous years, but I like the actual advice given for each item, even if I feel the description is lacking. Part of this is due to the modular design of the document: even if you grab the PDF version to take offline, you can’t click the links in the PDF file to get to the online definitions of the items. I understand, but dislike that choice.

I also really like the “Monster Mitigations” on page 35, which give the general high-level advice for framing your security posture.

infosec career advice blog

It sometimes amazes me when I find I haven’t included a link in my sidebar to a site I greatly respect and enjoy. So it goes: I just realized I love the advice Lee Kushner and Mike Murray give on their blog, but noticed I don’t actually link to the InfoSecLeaders site at all! Travesty! Lee & Mike answer questions and give advice about careers in information security.

the perimeter is still here, it’s just different today

If the old perimeter were the firewalls and network borders…

…and the current perimeter is your web presence(s)…

…the next “border” is your remote connectivity and mobile devices? (I’ll ignore for the moment how “the cloud” explodes the current perimeter.)

With the last two “perimeters” in the above example, you can hire a security geek to come in and immediately direct their effort at something somewhat finite. “Go look at the firewall rules and network segmentation!” “Go scan our websites and vomit out a vulnerability report of your findings!” “Go make sure our client-app-database pipeline is appropriate!” But none of that expands to what offers real endemic security in an organization. Those are necessary security tasks, but certainly are not holistic.

Maybe this is why data-centric security is scary. You can’t just target the data in some data warehouse (the visual of that is far more interesting to me than the definition!). Rather than treat the skin of the organization, you’re basically needing to cover the same area that the entire vascular system covers (heart, arteries, veins, capillaries…).

It might also be why mobile device security is scary: it’s not easily scoped and bounded to narrow segments of an entity. And, god forbid, it means dealing with users and consumer devices. I mean that not only in the backroom security geek being scared to interact with people, but in the thought that, holy shit, *users* need to be part of security, too, whether they (the users) like it or not. I know we often talk about education and policies, but most every user I know in an organization who doesn’t have a direct interest in security as part of their job will almost always prefer someone else deal with it. And this is absolute if that security even remotely negatively impacts their own job or convenience.

I’m actually wrestling with buying back into Apple (been out since the 4th gen iPod) and actually getting an iPad device, but not because I want to use it. It’ll be because I need to get back to the user perspective and have some sort of experience with it.

You certainly cannot say that security is a cheap career (in money, time, and effort)!

where are the cloud and consumer device security solutions?

(I’ve hesitated posting this, since I’m myself getting sick of just complaining. But sometimes it helps with the thought process…)

So I’ve regularly been seeing these announcements that the perimeter is porous and users are adopting “cloud” (in the loose definition) services and consumer products to consume corporate data, and how security needs to accept it and start tailoring data-centric controls and architecture to deal with that reality.

That’s all great and fine to say, but there’s nothing actionable in these postings. Maybe I’m being dense for the moment, but in all these sorts of grand announcements, no one actually seems to have any idea what to actually do. (Or maybe all of the suggestions are at a developer level and involve more people vetting processes/data usage, and more QA controls, and…I hate to say it, but Lord help us if so. In that case, the security team needs to be part-time developers, and have 48-hour days.)

And no, I don’t want to hear (yet again) about education and dialogue and threat analysis. Necessary, yes, but there’s no real assurances in that. That’s like saying we’ll implement a firewall by talking about it in a monthly group therapy session. (Update: Ok, maybe education is the only real answer here. I’ll accept that if people say it, I guess. I’ll just remind them there’s still no *real* assurance there, and you don’t have enough security staff to watch everyone all the time.)

If a company is using Google docs, I want to know what a security team can do to keep that more secure.

If a company is using the Amazon cloud to deliver part of their web site content, I want to know what a security team can contribute.

If a company is using Github, I want to know what options a company has with their code security.

If some employees were using Dropbox for the past few weeks to backup business-critical files, what can you assure me of regarding their security? (Or do you even have a chance to know someone accessed your files during the “any password accepted” hours?)

If you’re allowing your executive teams to use iPads, I want to know what you’re doing to assure some security for those users on those devices with the things they access. (Not counting people who only browse the web and check their web mail.)

And I don’t want blog comments, I want to actually see industry blog posts that go into realistic detail, ya know? Not because I want someone to do my job for me, but if we can’t solve things behind our curtains, we’re damn sure not going to solve things in front of the management teams.

I completely buy that the “perimeter” is porous (my coworkers are getting used to my sighs of exasperation as I hear of yet another service that wiggles and persists itself through any and all perimeter controls. [Strangely, all of this is a *product* of perimeter control, ya know? We stopped things, people still wanted them, it evolved. Just like an attacker!]) But so many articles and blog posts include the reverse implication that you need to forget your perimeter and find something else to do. A something else they never define. They just say we need it. Even Neo needed something tangible to wrap his mind around (pun intended) so he could start buying into this paradigm shift.

I know I’m being self-fulfilling in this, but we have a lot of commentary and not a lot of doing these days. I’m painfully aware of my own coasting over the last year or so. Still, I’d rather have a lot of complainers than a lot of people saying vague general unactionable things, to be honest.

despite the fail, these are exciting times

With recent high-profile hacks and “lulz” going around, there has been a marked level of discussion about whether these attacks are useful or damaging, what security is, and why it is failing or not failing. Most of that sort of discussion eventually makes my head hurt, but if there’s a blog post worth reading, it’s “Take a bow everybody, the security industry really failed this time,” by David Maynor over at Errata Security. I wanted to quote something from it, but the whole thing is quotable and discussable.

So, has the security industry failed? I’m not sure. I’m pretty sure the “real” talent in the security industry knows the problems and knows how to fix specific problems, but as Maynor illustrates, these are often just not listened to for various, ultimately economical, reasons.

Is this a problem of the security industry however? Certainly not entirely. I mean, what are you going to do when someone doesn’t have the budget to stop your extravagant attack? What can security do when companies like Ligaxx and SecuxxxxMetxxxs.com do crap work (if work at all) and still get attention because the customer doesn’t know better?

I’ve long said it, but finally the mainstream media is latching onto the infinite amount of drama that can be found in corporate and public digital security. In other words, security won’t ever be perfect. There will always be incidents. This means there will always be a fail, which means there will always be juicy, sensational bits of news to throw out. (Granted, my opinion would be even more cemented if any of the recent examples had been really damned good with their security…)

In the end, I really think lots of things are failing, and there’s really no answer to fix it.

Perhaps “security” needs to stop looking beyond its own borders. When we talk about security on a global level, ultimately there is nothing to feel good about. When we talk about security in a single organization, you can actually accomplish some damn good stuff.

Perhaps this is a problem illustrated by a three-way tug-of-war. Security vs economics vs convenience. With other actors thrown in, like consumers, greed, knowledge, and so on. There’s just no win there, only various points where everyone is somewhat satisfied according to their own situation.

Perhaps, perhaps. Anyway, I have no answers here. I’m still trying to frame my perspective on things. It’s like not knowing if you like a sculpture or not, because you’re still trying to figure out how to properly look at it, what lighting, what angle.

I just know there’s a heck of a lot to be excited about and a heck of a lot to be upset about. And that itself is exciting and upsetting! (At some point, the disturbing vision of jerking off gloriously while sobbing in utter despair occurred, and that’s just not right at all. Yet I felt compelled to share it…hey, I’m in security, I’m not well in the head by default!)

make your manager look good

Put yourself into the position of your CEO. He rubs shoulders at various functions and places with other business owners and CEOs and VIPs. He’d *love* you if he were the one showing off the newest awesome technology to his peers, rather than the one ogling someone else’s gear that *their* staff succeeded in implementing. Better yet if he can actually do work conveniently and securely! The same goes when he and 3 competitors are offering presentations to a prospective customer, and he simply has better technology to show off (either on his person or in the demo).

It really comes back to one of those rules of business: always make sure your manager looks good. Don’t be the person who makes your manager look bad.

Of course, this whole circular problem with managers (consumers) influencing each other and bringing technology ideas into the corporation, and thus bogging down IT and security, is a problem. But some problems none of us will ever solve unless we’re in a hard-and-fast regulation-driven organization housed in the Pentagon.

In that case, keep in mind that you can make allies by running ahead of the curve. Just make sure if you stumble a few times, you only scrape your knees rather than take your whole team out of the race.

(I know, it depends on your culture and CEO personality. For many, trying and failing now and then is valuable as opposed to not trying at all. But for some, trying and failing in front of the CEO is just as much a career death knell as anything, no matter how gracefully you handle it.)

trying to educate by the mistakes of others

Just a quick pointer/bookmark over to a story on risky.biz about distribute.it, who was digitally attacked and is facing their demise because of a lack of offline backups.

I missed the episode, but I like what Patrick quoted from Paul: “We can tell management about the risk all day long and they’re not going to believe us until it happens to them. If you told an executive at any one of these companies… They’re probably just going to say ‘yeah, well we think the business can just recover from that…'”

I like to mention when I pull news off the infosecnews wire! Oh, this is one!

simple passwords are not the solution

(I wanted to spend more time on this post, but my brain hurts now. Keep in mind that I don’t have it out for simple or complex passwords; the crux of my post is that neither is de facto better than the other. It all just depends. But if some “normal” person asks me for my advice, I won’t say simple passwords are the solution.)

I read and wanted to comment on an article I saw over on Securiteam, but my comment got way longer than I felt like posting, so I figured I’d vomit it out here in full instead. The article, titled “Simple passwords are the solution,” made the claim: “The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible.”

You see what Aviram did there? Took a bad statement and clarified it with the better answer in that last phrase. Cute. 🙂 This is a common approach when dealing with users, particularly managers who make decisions. The demand, “I want simpler passwords,” is rightfully countered with, “Sure, but in order to do that we need to make sure brute forcing is difficult and cracking is adequately thwarted. Here’s what that will cost…”

Let’s back up to that first part about simple passwords being the solution and how that relates to the originally-referenced article over on PCPro.co.uk. That original article is pretty useless, but let me forget that for a moment.

I think there is a problem with saying simple passwords are the solution and complex passwords are bad.

You should be saying: 2F auth is better than complex passwords, which are themselves better than simple passwords.

If I walk around my business saying simple passwords are better because then you won’t have to write them down, I’m spreading around a horrible habit for those systems/apps/sites that may only accept a simple password. This provides a bad mixed message to my users, which has no upside to it. I’m also oversimplifying the problem. If there’s anything at all that turns users off to security, it’s the mixed, complex messages we can concoct when we’re not careful. If I have to go into a deeply technical discussion about simple vs complex passwords and why one is better than the other in some cases but not others, I’ve already lost them.

Oh, and what is more of a risk? Someone with physical access to a written-down password, or a digital attack that leverages any weakness in that simple password? I’m not sure I’d even begin to say I have an answer for that…

The risks:

  • brute force the login (effective against simple pw)
  • hash/encryption cracking
  • long-term reuse once found
  • acquiring the password in other ways
  • hash reuse (which I won’t touch on here)

2F auth really helps all of these cases, which isn’t really an argument since I think everyone here can agree to that.

(For this paragraph I may have been distracted with the link to the Password: Impossible article by Aviram.) But password expiry/rotation limits some risk as well. If a password is disclosed, at least the user can change their password or it naturally gets changed during the age expiration. Many attacks are point in time hacks where a hash gets out or a password guessed. Clearly, this isn’t universal as an attacker may have another channel to get back in or perform his attack periodically, but certainly it avoids the point in time exposures. Still, if a password is disclosed for whatever reason, you want some automatic method to prevent that knowledge from being useful forever.

The article talks entirely about cracking passwords. 2F auth helps avoid that risk, but otherwise fixing things to make cracking much more difficult is a server-side thing and won’t affect users (salts, shadow, time-based tokens…) beyond having more complex passwords. The same goes for simply protecting the hashes (but even I assume that will be exposed at some point).

The article doesn’t make a new argument at all. Cracking like this has been around for 20+ years, it’s just faster. That’s certainly not news that it is faster today, and doesn’t change any answers or risks. It’ll be faster tomorrow and it’ll be faster in 10 more years. And we’re still talking about cracking taking longer with complex passwords than it does with simple ones. We haven’t changed that. Sure, we might be talking a few minutes, but that’s still a few minutes. Being that I’m not a crypto-geek, I’ll have to stay shallow in this topic.

It really all gets back to looking at some core security fundamentals. Is there a perfect answer/silver bullet? No. So does that mean we should be accepting any incremental security measure we can that decreases our risk and makes sense economically? Yes. Simple passwords, complex passwords, and passwords of *any* type are not perfect, but at least they help. (And let’s remember that passwords are also still a form of security through obscurity…)

We should keep in mind that “writing down” passwords is the same concept whether you write them down on a post-it note under the keyboard, in a journal in a locked drawer or in a digital safe application. Yes, some are easier to break into than others, but we’re still talking about recording-them-somewhere-because-they’re-too-long-to-remember. And if you do that digitally, you actually *might* increase user risk because they have far less chance to memorize the password and may never actually know it. Which sucks when your digital safe is not accessible at some point for whatever reason.

We should also step back and see that there are certainly different assets that passwords are protecting. Should I use 2F auth when commenting on some forum or blog that has their own login I need to use, whose server-side setup I know nothing about? Certainly not, unless I truly value it. Does this mean I should use simple passwords so I don’t write them down? Perhaps, especially if I see very little value to an attacker or even myself in that asset. Certainly the answer is not that I have a 2F auth fob for every login I use, and certainly the answer is not some universal solution so I have just one fob but a federated identity for everything (arguable, and I’ll let that one just hang there as a wholly different topic).

Just to get back to the main point, saying simple passwords are better is a bad statement, even if I agree with it given qualified scenarios and restrictions.
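As an added illustration (not code from this post or from Aviram’s article), here are the numbers behind the “make sure brute force is impossible” half of the argument: the attacker’s guess rate, not just the password, decides the expected crack time, and the server-side pieces (salted iterated hashing, account lockout) are what move that rate. The guess rates, iteration count, lockout thresholds and dictionary size are assumptions chosen for illustration.

```python
"""Simple vs complex passwords: keyspace is only half of the picture;
the guess rate the defender allows is the other half.

Constructed example; every rate and threshold below is an assumption.
"""
import hashlib
import hmac
import os

# Assumed attacker capabilities (illustrative, not measured figures).
ONLINE_GUESSES_PER_SEC = 100          # hammering a login form with no lockout
OFFLINE_FAST_HASH_PER_SEC = 10**9     # unsalted single-round hash on a GPU
PBKDF2_ITERATIONS = 100_000           # server-side cost knob
COMMON_PASSWORD_LIST = 10**7          # assumed size of a "simple password" dictionary


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords for a charset and a fixed length."""
    return charset_size ** length


def expected_crack_seconds(space: int, guesses_per_sec: float) -> float:
    """Average time to hit a uniformly chosen password: half the space."""
    return space / 2 / guesses_per_sec


def offline_rate_with_pbkdf2(fast_hash_rate: float, iterations: int) -> float:
    """Each guess against an iterated hash costs `iterations` hash calls,
    so the attacker's effective rate drops by that factor."""
    return fast_hash_rate / iterations


class PasswordStore:
    """Salted, iterated hashes: the 'server-side thing' the post alludes to."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._records = {}   # username -> (salt, digest)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)   # per-user salt: one cracked hash reveals one password
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        self._records[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        if user not in self._records:
            return False
        salt, stored = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        return hmac.compare_digest(candidate, stored)   # constant-time comparison


class LoginThrottle:
    """Per-account lockout: what 'making brute force impossible' looks like online."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}   # user -> (failure_count, locked_until)

    def attempt(self, store: PasswordStore, user: str, password: str, now: float) -> str:
        count, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"          # refuse without even checking the password
        if store.verify(user, password):
            self._state.pop(user, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            self._state[user] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[user] = (count, 0.0)
        return "denied"

    def guesses_per_sec(self) -> float:
        """Sustained online guess rate an attacker gets against one account."""
        return self.max_failures / self.lockout_seconds


def compare_policies() -> dict:
    """Expected crack time in seconds under each combination of password and control."""
    simple = keyspace(26, 8)      # 8 lowercase letters
    complex_ = keyspace(72, 12)   # 12 chars from upper+lower+digits+10 symbols
    slow = offline_rate_with_pbkdf2(OFFLINE_FAST_HASH_PER_SEC, PBKDF2_ITERATIONS)
    throttled = LoginThrottle().guesses_per_sec()
    return {
        "simple_offline_fast_hash": expected_crack_seconds(simple, OFFLINE_FAST_HASH_PER_SEC),
        "simple_offline_pbkdf2": expected_crack_seconds(simple, slow),
        "complex_offline_fast_hash": expected_crack_seconds(complex_, OFFLINE_FAST_HASH_PER_SEC),
        "complex_offline_pbkdf2": expected_crack_seconds(complex_, slow),
        "dictionary_online_unthrottled": expected_crack_seconds(COMMON_PASSWORD_LIST, ONLINE_GUESSES_PER_SEC),
        "dictionary_online_throttled": expected_crack_seconds(COMMON_PASSWORD_LIST, throttled),
    }


if __name__ == "__main__":
    for name, secs in compare_policies().items():
        print(f"{name:32s} {secs / 86400:>12.3e} days")
```

The "dictionary" rows are the ones that matter for Aviram’s claim: a lockout turns a same-day online guessing run against a weak password into a multi-decade one, while the offline rows show why complexity still matters once the hashes leak.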

a perfect watch what you say online lesson

It’s not news that people and employees (or owners!) need to watch what they “say” online. But it’s not (quite) every week that you get a perfect high-profile illustration of this advice: Duke Nukem PR agency Redner Group blacklisting venomous Duke Nukem reviews via a Twitter announcement. And then getting fired. Why is this particularly apt?

– clearly this is something done, just usually not copped to in public!
– done via official company twitter account, not just some marketing moron
– oh, and it was the namesake owner himself who did it
– pr group is successfully drawing attention to poor duke nukem reviews
– looks like this is their biggest client… oops, was

securitymetrics.com, when security is misleading

A vendor today sent me their “PCI certificate.” Turns out this was just a site scan for their external mail server. This is a Google result of what their site certificate looks like (this is just a random Google search result, not my vendor): site certificate.

That’s pretty damn misleading. But then again, so is the entire SecurityMetrics.com website. Check out their steps to PCI compliance. Yes, that says 25 minutes to PCI compliance.

If you have desktops that fall under PCI scope, you can buy and run a scan from their website. Oh shit, someone should tell Steve Gibson to rebrand his ShieldsUp! service.

To at least give the benefit of the doubt, there are some hints that this company actually knows how to do PCI compliance, but the vast majority of their site leads customers down the path of thinking PCI is cheap and easy and takes very little time and only requires making up answers on a self-assessment questionnaire and an external vulnerability scan.

This is really the kind of low-bid crap that causes real security to be elusive.

volunteer to help with interviews

If you ever have a chance to assist your boss with job interviews to fill a position, I highly recommend taking the opportunity. Maybe I’ll expound on it someday, but even for a quiet, slightly a-social (there’s a difference from antisocial!), introvert like me, it’s a really useful experience.

You get to see what you look for in potential employees, get to see their strengths and weaknesses, their experiences and work history, and see how that applies to your own situation. In a way, that can also build confidence in your own lot in life. You also get to hear your boss talk about the company and the open role in ways you likely haven’t heard spoken since your own interviews!

One thing I can attest to is having your resume and/or the things you talk about ready to match up to the job position as honestly as possible. And try to stress (if it’s true) your own geek-like passion that exists even outside the job. I still really feel someone who does sysadmin stuff or networking stuff or security stuff outside of a paycheck (on their own time) is almost always going to be a superior employee just because of their deep interest and passion. Write your own apps? Stand up your own website? Home phone system is fully Asterisk/VOIP? Show it off!

As far as my own reflection, do I have some action ideas? Sure. I’ve been at my current position 5 years, and I’ve gotten a bit lax in attending security conferences and plugging in a cert/study activity here and there as well. I wouldn’t mind continuing to demonstrate my involvement and personal learning. Maybe a grad cert, maybe another industry cert, maybe just some continuing education class (like something parallel to a bhusa) either in my field or even completely outside it (foreign language), or even contribute to some other project in our area.
Update: I also want to add, don’t wait until you’re out of a job or on the way out to do interviews. Feel free to just do them and look around, even if you’re not truly looking to move on. Get used to them, use them to get ideas and maybe meet people (central Iowa is NOT a large place to disappear in). Who knows, you might find an awesome deal that you weren’t expecting. If you *do* interviews just to do them, though, try not to seem like you’re knowingly wasting someone’s time. Put forth the real effort and then maybe later just say you’ve opted to remain where you are. There’s a certain level of comfort doing an interview when you don’t *need* the job. Be picky with recruiters, though. Too many can’t walk the technical talk, and your passion can be lost on them, aka a human keyword filter. And make sure they require your permission before they pass you on.

smb security advice: don’t read this article

If you want to read a poorly crafted article, check out this one today from McAfee: Five Simple Steps SMBs Can Take To Prevent A Disastrous Data Breach. May as well check out these five steps, keeping in mind this is geared to the small/medium business segment.

1. Conduct a Candid Data Quality Assessment – identifying your data is a noble goal, but for 1 of 5 steps for an SMB to actually prevent a data breach, this item has zero actionable value. And let’s just get this out of the way now, even though it permeates the article: Your language is for that of an enterprise with a robust security maturity; not an SMB who is going to go, “Huh? Ok…tell me *what* to do.”

2. Create a Detailed Description of all Data Touch Points – Data touch points? Are you kidding me? I understand the point here, despite the lofty enterprise-level wording, but I was hoping by now I’d have seen some mention of patching your systems. Oh, and this is step #2 that isn’t actually doing anything; it’s just about taking inventory (which itself should just be one bullet point).

3. Conduct Periodic System Reviews – Another noble item, but for most SMBs, it’s about getting things done more so than yanking on the reins and slowing things down to gather the security ramifications of applications that are rolled out. I was really hoping this item would talk about actual periodic system reviews, which is anyway itself so vague as to be useless. Every SMB is just going to “do a system review” that is half-assed, and then say go ahead.

4. Develop Comprehensive and Specific Security Policies – The first overt bit of upsell for McAfee services. In fact, I’m not even sure what the text has to do with the bullet point, which is useful for a security program, but again doesn’t prevent shit. And if anyone is going to write a policy that gathers dust, it will be an SMB.

5. Deploy Comprehensive Solutions – And here’s the big marketing/sales slap to the face. Also, you might as well tell an SMB, “To prevent data breaches buy security tools that prevent data breaches.” Yeah, great advice. At any rate, the description given for this monolithic comprehensive security solution means nothing to an SMB and is not actionable. Scales, easy to implement and minimal maintenance, and supports all places where data resides.

My advice on making a better checklist is to drop the enterprise-level lingo and get some actual actionable bullet points. The items have merit, certainly, but are useless to SMBs with bounded time and staff and talent. All of these bits of advice turn into “go-get-em” initiatives that won’t go anywhere because they take time, require completeness, and don’t even have medium-term results. Sure, the SMB may find out all sorts of things about their data, systems, data touch points, and policies, but none of that actually *does* anything.

So that’s it. No advice on patching. Not even some advice on desktop malware protection or even network layer malware detection (which I was expecting and would have *accepted* coming from McAfee…