compliance-tested vs field-assessed

Bejtlich has posted a really nice beginning (furtherment?) to the discussion of digital monoculture vs heteroculture (or control-compliance vs field-assessed). I don’t really have strong feelings on either side, but the discussion itself is incredibly interesting to think about. I think there are pros and cons to either side, and I’d be willing to bet various important factors will dictate the value either approach brings. Things like organizational size, need to prove a compliance level (gov’t, defense, or just large and public?), and quality of both internal IT and internal security staff.

While I’ve previously not enjoyed the approach that the Jericho Forum has employed to back their vision of the perimeter-less organization, it does help that position to think of an organization being a heteroculture and using field-assessed measurements for security efforts. Typically my opinion is perimeter-less security (as horrible a term as that is since there is always a perimeter no matter what scope you lay out) and defensible endpoints are something you can only do when you go balls-in all the way, which is rare. Still much of our security industry only goes into an approach like that on the barest of levels, which causes it to make no sense.

That’s not to say you can’t have a middle ground on the actual discussion on Bejtlich’s post. I only bring up the Jericho position because going to the extreme on field-assessed heterogeneous environments fits nicely with their world view. I probably fall into the bucket that says good measures of both approaches will probably bring the most value.

I’ll never be surprised that Bejtlich falls on the “field-assessed” side of this discussion. In fact, I think most trench-friendly security techs will be sympathetic to that side because it deals a bit more in fact and reality and specifics. Compliance is really made to be friendly to non-techs, both on the assessment side and on the consumption of the reports. It’s the side I tend to be more friendly to, as well.

why shodan is scary and not scary at once

I haven’t mentioned SHODAN because I seem to see most everyone else mention it. Robert Graham at ErrataSec has a great, quick post about the site and why it is scary. It really is scary. Think about all that noise from scans you get on your border. Those are people randomly spending hours, days, weeks, months trying to find hosts to attack. SHODAN can change those months of scanning into a search query that takes seconds.

Google hacks already leverage the power of these searches. If a forum software has a hole in it, use Google to search for every known instance of that version.

If you run Server XYZ and tomorrow a remote vulnerability is found, now attacks can find it in seconds.

Now, while this is scary, there is a caveat: This shouldn’t really change your security stance as the host! Yes, attackers can find you faster. But they could find you previously anyway because you’re hosting remotely accessible servers. This doesn’t make your web server any more vulnerable. But it should influence your time-to-patch and vigilance in keeping abreast of breaking issues.

The rest of what Robert says stands firm, though. Attackers salivate over something like this.
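The defender’s version of the same trick is worth having in hand: the search engine only knows what your services announce, so if you keep your own inventory of banners you can answer “which of my hosts does tomorrow’s advisory hit?” in the same few seconds, and that is what drives the time-to-patch point above. The following is an added example, not code from the original post, from ErrataSec or from SHODAN. The banner records are constructed samples in the shape a banner-indexing search returns (ip, port, raw banner), the product and version range are hypothetical, and the matching is a plain version-range comparison, not SHODAN’s own query syntax.

```python
"""Match captured service banners against a vulnerable version range.

Added example; not code from the original post, ErrataSec or SHODAN.
SAMPLE_BANNERS are constructed records (RFC 5737 documentation
addresses, not real hosts). The product/version range passed to
find_exposed() is hypothetical.
"""
import re

# Constructed sample banners, shaped like a banner-indexer's records.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Unix)\r\n\r\n"},
    {"ip": "192.0.2.11", "port": 443,
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.14\r\n\r\n"},
    {"ip": "192.0.2.12", "port": 8080,
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\n\r\n"},
    {"ip": "192.0.2.13", "port": 80,
     "banner": "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n"},
    {"ip": "192.0.2.14", "port": 21,
     "banner": "220 ProFTPD 1.3.3 Server (Debian) [192.0.2.14]\r\n"},
]

# One pattern per banner style this example knows how to read: an HTTP
# Server header and an FTP 220 greeting. The version group on the HTTP
# pattern is optional so a server that hides its version is still
# identified by product and flagged as "unknown" rather than ignored.
BANNER_PATTERNS = [
    re.compile(r"^Server:\s*([A-Za-z0-9_-]+)(?:/([0-9][0-9.]*))?", re.M),
    re.compile(r"^220[ -]([A-Za-z][A-Za-z0-9_-]*)\s+([0-9][0-9.]*)", re.M),
]


def parse_version(text):
    """'2.2.14' -> (2, 2, 14). Tuples compare numerically, so 2.2.9 < 2.2.14."""
    return tuple(int(part) for part in text.strip(".").split(".") if part)


def parse_banner(banner):
    """Return (product, version_tuple or None), or None if unrecognised."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            product = match.group(1).lower()
            version = parse_version(match.group(2)) if match.group(2) else None
            return product, version
    return None


def find_exposed(records, product, first_vulnerable, fixed_in):
    """Split records into hosts running `product` in the vulnerable range
    [first_vulnerable, fixed_in), hosts whose banner hides the version
    (which cannot be assumed safe), and everything else."""
    low, high = parse_version(first_vulnerable), parse_version(fixed_in)
    result = {"vulnerable": [], "unknown_version": [], "other": []}
    for rec in records:
        parsed = parse_banner(rec["banner"])
        if parsed is None or parsed[0] != product.lower():
            result["other"].append(rec)
            continue
        version = parsed[1]
        if version is None:
            result["unknown_version"].append(rec)
        elif low <= version < high:
            result["vulnerable"].append(rec)
        else:
            result["other"].append(rec)
    return result


if __name__ == "__main__":
    # Hypothetical advisory: Apache 2.2.0 up to but not including 2.2.15.
    hits = find_exposed(SAMPLE_BANNERS, "apache", "2.2.0", "2.2.15")
    for rec in hits["vulnerable"]:
        print("PATCH NOW   ", rec["ip"], rec["port"], parse_banner(rec["banner"]))
    for rec in hits["unknown_version"]:
        print("CHECK BY HAND", rec["ip"], rec["port"], "(version hidden)")
```

The “unknown_version” bucket is the part to keep an eye on: hiding the version string in a banner does nothing for the attacker who will just try the exploit, but it does blind a naive version match, so anything that identifies the product without a version goes to a human rather than being silently counted as safe.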

a lesson from meeting pci

At work we’re continuing to chip away at dealing with PCI requirements. There are lots of lessons to be learned from such a project. One of the more painful ones: It is relatively easy to say (and even convince an auditor!) you meet each bullet requirement, but it is difficult to have effective security without improving your staff. There are a number of bullets that involve logging, reviews, and monitoring…things that are driving the SIEM/SIM and other industries. But these are also things that security geeks realize really need analysts behind the dashboards and GUIs. Otherwise these products only skim off the very slim top x% of the issues, the very easy ones to detect. And miss a hell of a lot else.

infosec management layers illustration

Rybolov has a great graphic depicting the layers in information security management. This is a great graphic to keep in mind, especially the concept that each layer only knows about the layers right next to it. This causes breakdowns the farther up or down you get, even in private business, which may only care about layers 1-4.

If this graphic makes enough sense that you want to learn more, watch Michael’s Dojosec presentation (the first vid).

the blame game of 2010 has already begun

Mogull over at Securosis points out an article on a lawsuit against a POS vendor and implementor for passing on insecure systems that violated PCI. Or something to that effect.

Either way, this is a Big Deal. This is something I’ve been patiently waiting for over the last couple years as PCI has gained traction.

I’m a little early, but I believe 2010 will be the year that The Security Blame Game becomes further legitimized as a business model. In other words, I feel that we’ve long had a quiet blame game when it comes to security, but as more becomes required to disclose and more cost is moved around from party to party, the quiet blame game is going to get very public, very annoying, and very costly.

Which is especially scary because security is not a state or achievement. You’ll end up with impossible contracts and a bigger gulf between what people think is secure and what is actually in place. And it will be shoved deeper into the shadows when possible. And compliance will continue to be questioned despite the improvements and exposure it can provide.

Here are some other observations I expect to hear more about in 2010:

  • more exposure of stupid configurations, implementations, and builds of “secure” systems
  • industry needs to clean out the security charlatans, and cost/lawsuits have to do it
  • more pressure to do security “correctly” which is far more costly than most realize

And one thing I *hope* happens more:

“Turnkey” security tools whose vendors brag that you just turn them on and let them loose (sometimes with one-time tuning) and you’re secure. And you don’t need staff or extra business process or ongoing costs other than licensing. Bullshit. Every security technology needs analysts at the dashboards, at the very least. Hell, even in just plain old IT operations, far too many issues and incidents are found by third parties or by accident when looking at something else. It’s an epidemic (and an indirect product of economics) that will not begin to go away. I really hope the idea of security process continues to be foremost, and the idea that something is “secure” begins to die. I doubt the latter will ever happen, as it has been decades so far in computing; and longer in the realms of security in general. I’m not saying we need to solve security, in fact I want to say we need to solve our perception of it, so that we don’t actually ever ask or expect to “solve” security…

the attitude of entitlement

I don’t typically go for inspirational/motivational speaking. I also don’t usually get into the same old marketing/business-speak of annual corporate meetings. But a month ago our annual meeting had a nice, minor message that our CEO mentioned. That of entitlement. The attitude that someone is owed something. This attitude breaks down teams, organizations, even cultures. It is a waste of karma. I found the quick message meaningful enough to tuck away with just this quick mention to reinforce it. Always earn your way. If you deserve it, you’ll get it. (I’m sure this was in reference to this year’s talk of exec bonuses and frivolities in Wall Street, but I take it on a far different and more personal level.)

casually tracking the terry childs case

Just wanted to link to some (months old) updates on the Terry Childs case, the SF Net Admin who locked the city out of the network. ComputerWorld has two updates, one from July and another in August where 3 of the 4 charges against Childs were dropped.

Why am I bothering? Because this is a big deal, even if many people fall quite easily into the black or white sides on this topic and even if the conclusion of this case will slide into history quietly with no fanfare.

Have you ever been in charge of a privileged account? Or built a system or network that your job is to secure and protect? And then ever have someone ask you for that password, or to bastardize that account setup, or allow someone inferior to access, modify, or change the requirements of your setup in a way that decreases the stability and/or security? It’s not a fun position to be in, especially in the constantly-on worlds of stability and security. I’ve never been and likely never will be in a position as huge as Terry, but on much smaller scales I have felt the pangs of frustration when other business units diminish my work because they make their own decisions, and so on.

Just today I was asked to give over an account password to a SQL DBA. This account is intended to be used in only one place and considered sensitive to the point that only admins on my level have access to it, and even then we forget the password after setting it. But now I’m put into a position where another set of eyes gets to see the password and store it to his leisure (and have it transmitted to him probably via internal email). And to have that account and password stored in a second system beyond the intended use. My initial reaction is that of concern, and it is frustrating to build up security only to have it dropped back down for whatever reasons.

Yes, an admin probably should defer to the actual owners of the system (business or political), or look out for the better good of the whole (usually a business and the customers). But sociologically it is a deep topic, and in terms of security a very weighty one. Do you set a precedent that access is shared out? That you never divulge the secrets? That you divulge the secrets when compelled? That you deny there are certain admins and rock stars in a business that truly do have godlike abilities and the value would be diminished if you limit that? And so on…

It really winds up being a series of problems with no real solution once you look at the various extremes. This is one aspect of why I think “risk management” is the rising star these days. Which extreme is the least risky and least costly/likely?

yet another wsj article on consumerlike freedom at work

The Wall Street Journal has another article discussing the fact that consumers are often ahead of corporate IT practices and policies that tend to err on the strict side rather than the liberating side. These topics get beaten to death and it really just comes down to economics (often in IT support costs for all the disparate things employees end up doing), but it is always a good topic to be aware of and exercised on. From both sides of the fence.

Found this on 1Raindrop.

looking out for lifestyle hackers in the workplace

Jim Routh and Gary McGraw discuss “why twenty-somethings skateboard right past security controls, and what it means for employers.” Basically this gets back to how Gen-Y (and some Gen-X) grew up with the Internet and can multitask and expect such access at work as part of their social culture. The subtle twist is that these multitaskers will often non-maliciously finagle access to the very things that are blocked, i.e. they’re “lifestyle hackers.” This puts pressure on policies, and on security teams that look for this behavior and consider it suspicious by default (kinda like why Skype sucks from a security perspective; ever try to analyze strange traffic endpoints when your business uses Skype? It blows!).

I can argue the topic either way, but what I don’t like is a company that uses only the excuse of productivity for such blockages, and makes it feel like the decision is an IT one. Really, productivity is an HR and managerial thing. Making it an IT issue, or even painting productivity as a security issue, reflects weak management. Sure, such restriction can be made a security reason, but productivity angles should not be argued in IT.

Oh, and I tend to fall into this lifestyle hacker group somewhat. I won’t go so far as to access Facebook through a proxy/tunnel or be blatant about it, but I won’t shy away from updating my blog, Twitter, or other not-blocked things given I do actually get my work done. I do prefer to multitask, but I also do remember life before the Internet. I’m, age-wise, on the cusp of all these generational changes (I’m 32 this year).

Found this while catching up on my HiR feed.

imagine you need to drop off the grid. today.

In August and September, Evan Ratliff, a writer for Wired, issued a challenge. He would attempt to disappear, both online and offline, from his normal life. And readers were encouraged to find him, with financial reward promised. The project has now concluded and his story has been posted.

Many of us think about anonymity on the Internet. But have you ever thought about dropping off the online or even the Real World grid? Changing identities entirely? Well, ok, so maybe black hat hackers do. 🙂 Or perhaps you’ve wanted to know how private investigators work. Or maybe how a massively public manhunt for some notorious criminal might proceed. Maybe wonder how those FBI Most Wanted lists and television criminal profile specials could possibly be useful.

Or maybe you’ve wondered just what “average” people can dig up about someone. Some of the posts pulled out for the article are downright…creepy. How the heck did they get that information legally?

Maybe this is the future for government and private tracking/investigations or even espionage (although more than likely the present)? Sticking to what people know (interests, locations) but also leveraging the draw of our online social lives to reveal small, but dramatically important bits of information, even subterfuge in online interactions. Combining IP addresses with social network information with old-fashioned stakeouts and interviews; the trails we leave in logs and lives touched.

The article is written pretty quickly and, well, it doesn’t flow very well. But it touches on many amazing topics, from identity to social engineering to the loneliness (even desire to be caught!) and psychology of a mind on the run.

If there is any weakness in this whole adventure, it was that Ratliff didn’t need to pick up a job or want for money…yet. I imagine new challenges appear once you run out of cash and need to make up some money quick, yet stay off the grid or further legitimize an identity. Likewise, I’m sure the stakes change once real law enforcement starts tracking your existing assets and moving quicker and with more experience on tips and information. I’m sure some aspects of his run are easier for real efforts (ditching gf/family/boss, the silly challenges), and others less so (money, life).

Still, this is a great glimpse into a person on the run, and the grassroots efforts regular people can undertake to track someone of interest in our cyber-real lives.

interrogations, interviews, social engineering

Currently listening to the excellent social-engineer.org podcast. They’re talking about police interrogations (probably more properly called ‘interviews’) and it reminds me of what I’ve read in a book a while back that I browsed over a few lunches in the bookstore (I hope I’m recalling the book content properly, it’s hard to verify without the book nearby). I’d still recommend it, because it does go into some good detail on police/FBI interviews: Arrest-Proof Yourself: An Ex-Cop Reveals How Easy It Is for Anyone to Get Arrested, How Even a Single Arrest Could Ruin Your Life, and What to Do If the Police Get in Your Face. Yeah it’s a long, cheesy title with a cheesy cover, but the insight is pretty nice for the price.

Television interviews are often rife with drama and tension and lots of build-up and subterfuge, but often it just comes down to the on-the-spot ability for an interviewer to get someone to tell them something they probably shouldn’t or wouldn’t want to tell you. From my observations, this just ends up being a small set of subtle reflexive skills. Skills that you can learn and, for a while, consciously employ, until they become normal. But really, it’s less specific situational subterfuge and elaborate planning and just about general human interaction like mirroring.

millions of customer records sold

I’m not sure what is the worst part of reading an article like this that describes an ongoing investigation into the selling of millions of customer records from a “major mobile phone company.” The employee who had access to, ability to exfiltrate, and sell the records to competitors? The company that had no idea what happened until a third party had to break the news to them? The vague details that we’re yet again subjected to? That a company would buy such records (believe it!)? There are other issues I have, but I’ll stay quiet on them and only say that if there is a monetary value on data like this to someone in the world, then it will be realized, whether unauthorized or “authorized.”

security consultants have sweet gigs

My stance on security consultants vs dedicated security staff is pretty much across the board. Probably because it boils down to, “It depends.” I think security consultants have a sweet gig, to be honest, despite the issues.

If I were a typical business owner today, I would probably act much like a typical homeowner when it comes to security: wait until it is convenient, in terms of time, effort, finances, and emotional situations (i.e. did someone you know just get broken into? [is that transitive risk? risk-by-proxy?]). That probably means asking two questions and needing possibly one thing that consultants or a third-party provide:

1. How secure or insecure am I? This is answered by the function of audits or pen-tests. No folks, they’re not going away as long as this question is asked. Stop making it so damn complicated for the business owners when they ask a simple question like this. Compliance falls into this question, because owners will wrongly ask, “Am I compliant with XYZ?” rather than the correct question, “Am I secure?” A subtle, but important difference.*

2. What suggestions do you have that would improve my security? A sub-question usually not spoken but definitely just as important would differentiate between ideal suggestions versus high value/low resources suggestions (not the same as ROI if you ask me!). There’s that big difference between “patch Windows boxes” versus “patch all the software you use.” Or “log management” versus “out-of-band log management with your admins locked out, backed up to encrypted, secure tape and offloaded…” It is when business owners hear the extravagant solutions that they decide to just forget the whole thing and not bother. There is still a huge thirst for security knowledge, not just from enterprises, but even from individual consumers. It just needs to be doled out in digestible, actionable chunks. Often this ends up looking like, “Give me the top 10 things to do, in order of value/effort. I’ll only do the first 4, but I want to know what roadmap would be possible for the next 6.” This is healthy, and I think should be encouraged.

3. And consultants or a third-party can provide some managed services and regular tuning of an environment somewhat above and beyond advice and audits and pentests. I can argue that situation back and forth, but I concede there is realistic value. If you can share a security expert between 4 or 5 companies and they can tune your firewalls and give regular advice, that might provide a good value without the overhead of dedicated staff. Why try to figure out what PCI means on your own, or how best to maintain router config integrity or what to monitor with Tripwire, when some shared consultant already knows how? And if you get someone dedicated to you and a few others, you’ll probably get better service than some cog in the huge wheel of a large enterprise professional services department.

This third point that consultants provide is one thing that I often rag on because I don’t believe a third-party service will top quality internal, dedicated staff, and some consultants get to happily throw down their suggestions and walk away without ever actually implementing them or experiencing the day-to-day realities of them. But relatively few firms have the ability to have dedicated security staff. Many barely get away with dedicated IT staff, let alone specialized security staff!**

And it is a nice step up from just buying point products with the intention of not maintaining them, but rather plopping them in and spending as little time with them as possible. This often ends up meaning unqualified persons put it in and call it good, when in fact no one knows if it is working properly or being used properly. This is why SIEM is in such a weird boat. They’re a bastard child between your typical “turn-key” solution and your high maintenance “gotta watch it!” process. Other recent complex solutions also fall into this trap, like WAFs and DLP and even identity management. They’re complex, they sound like low-maintenance efforts, but anyone who truly gets security knows they’re still going to be time vampires quite often, especially when used wrong.

* Compliance is a great driver, but it really should be placed under the auspice of having “security” as the goal. Sure, it may be a thin, cheap veneer, but it’s better than building a culture of just meeting compliance XYZ.

** Adding a bullet item to your IT staff job descriptions that says “maintain security” is not the same as having security staff. Yes, baking in security is necessary. But operations and even IT projects will always, always, always trump any security-related tasks that *should* be done to maintain a quality security posture. The only way to do this is to have dedicated time carved out of your staff hours for security, and that’s just never adhered to without a real SOC they can retreat to.

sec links for 2009-11-17

Offensive Security has opened their exploit database. This is a response to the halt of milw0rm due to whatever circumstances. In fact, they improve on it a bit by sometimes adding a link to the vulnerable application, which is pretty slick. If there’s anything missing, it’s that I haven’t seen an equivalent section for the milw0rm videos. (Bonus: this site isn’t blocked by Cisco like milw0rm is!)

Social-engineer.org has a new podcast out about, wait for it….social engineering! Hopefully this becomes the de facto place for SE information and education.

Mike Smith’s (rybolov) DojoSec talk on compliance is a good listen. The panel is good as well, although be forewarned that it gets deeper into government-types of compliance and standards. One theme: collaboration in creating and defining regulatory controls. I had to pull out one quote from Mike from the panel in regards to a question about granularity in compliance controls: “If you make [regulatory controls] very, very broad, you’re relying more on [in-the-trenches practitioners] with varying levels of skillsets to interpret it, but if you make it more and more specific, then you rule out a lot of other solutions. So you lose a lot of that flexibility. And in the places where you have really smart people who know what they’re doing that actually limits what they can do.” Other DojoSec videos can be found in their archives.

Andrew Hay decides to torture himself by reading (and then sharing!!) horrible press releases. Yes, I agree a little bit dies inside whenever I read this drivel where it reads more like marketing (or a company) trying to impress themselves with long sentences filled with vague buzzphrases and 5-cent words. This is why I prefer to talk to the SE and get my hands on products directly to form my own conclusions.

Chuvakin has been busy! First, he throws down about SIEM complexity (for me, SIEM is a nice-to-have only because it ends up being too complex…but that’s what you get in pursuing the futile effort of replacing analysts with a box, rather than marketing SIEM as a tool to *assist* analysts…). Second, he grabs FUD by the throat both for a shake and a hug. (Me, I don’t rail on FUD too often because I agree, it’s necessary and will never go away, but that doesn’t mean we need to wallow deep in it; besides, “FUD” itself is too subjective…). And third he addresses the devil of PCI DSS. (Again, my take is that PCI DSS is just fine, but organizations suck at security in general and they’d suck even worse without PCI DSS. I don’t get how that’s hard to swallow.)

To swerve off on a brief tangent, security is not solvable. To this end, that means media can forever be able to point out flaws. Likewise, analysts can forever be able to point out how measure XYZ doesn’t address MNO. And further, FUD can always be brought up (whether “FUD” is a negative or a positive to you depends on that subjective definition [connotation/context] you place on it). Therefore, when I read tales about how XYZ isn’t addressing MNO, my first question has to be whether I need to care about MNO, not to rail against XYZ. My second question has to be how I would address MNO, regardless of whether XYZ exists or not, especially if XYZ is just a product/standard and not a concept. My third question would be whether XYZ *should* address MNO. And so on. If you read the links Anton lists in the devil entry, this paragraph will make more sense. Don’t create XYZ to be a devil when that’s missing the crux of several problems.

yeah, infosec may be the hardest tech career

Mike Murray opines about why information security is the hardest career. He makes true points about how security needs to stay on the forefront of change in technology. (Although you can poke holes in the career examples, it is the point that counts, not the specific details.) And it is true. I could learn how to code something today, and probably live by honing that specific skill for a decade or longer. Security, however, doesn’t have that luxury. You tend to have to be knowledgeable in many things, and sometimes at a workable level with those whose whole years are embroiled in that one technology (advising web app devs on secure coding [json] practices, for example).

I sometimes feel security consultants have a sweet gig. They can drop the hard projects in a few sentences and walk away all smug and feeling helpful, when those projects may in fact simply be impossible in practice for various political or economic reasons (run a vuln scan and address every finding is typically *not* a casual weekend project). But I admit they have the most need to be on top of everything new as they no doubt get the joy of answering questions on technology so new they’ve never even heard of it yet.

And none of this really goes into the dirty work of not just keeping up with new things, but keeping the existing things monitored and updated and in check as time marches on and attackers try everything from new techniques to old goodies from 10 years ago.

No matter where you are in security and how you try to roll it, it’s a difficult task and a stressful, but fun career. Then again, maybe I’m dramatizing it since I’m in it… 🙂

Mike and Lee’s talk at Defcon is one of those few talks I really should have attended, in retrospect. Hell, I still have to find and download it!