The RSA breach details will spark discussion and armchair quarterbacking for years, that’s a given. But I can at least pile on a little bit more here and there, yeah? The SANS ISC weighed in on some of the RSA details, and I wanted to pull out small bits to tackle briefly. Here’s what I consider the prefacing assertion:

There are just too many ways to circumvent the perimeter, spear phishing being just one.

1. “The thing is I don’t think this new paradigm is so new. Many have been advocating for years moving the prevention and detection closer to the data.” – We wouldn’t be *quite* (important word!) as concerned about the circumvention of the perimeter if we didn’t have such awfully porous technologies sitting on the desktops. Yes, you, web browsers and attending tech (Flash), Adobe, and Office. You’ve all become too bloated to be secured anymore, and it’s your own damn fault. Just think if these were much better secured by default. We’d have less updates which should mean better ways to keep them updated on desktops, etc. (Some may argue that others will just take over the role, and perhaps that is the inevitable result…but you can’t ignore that these porous softwares are making things worse. The insecurity of the interior is making the security of the perimeter worse. If you improve the middle, the perimeter is better valued…from a certain perspective.)

2.”There are a lot of approaches that can be used here, but in my mind it begins with segregating servers from the desktop LAN and controlling access to these protected enclaves as thoroughly or better as we do our perimeters today.” – This is one area where the “cloud” is actually useful; it moves data away from these workstations…sort of. One could still argue that access is access, whether you have 3 firewalls or 0 between them. But any push to get users better segregated from servers when so many are in a shared network by default, is a good thing. If nothign else, this can push better documentation on data flow needs. This should also include better egress controls…yeah, I’m looking at you FTP-exflitration. (Of course, lock that down, and even more people/devs will just use 80/443 more…)

3. “It means classifying your data and installing protection and detection technologies appropriate to the sensitivity of the data.” – I imagine the most common way of classifying data in an SMB is saying it’s all secret. Classifying data is great and makes a lot of sense, until you get into the reality of *gasp* actually doing it. This is where the CISSP hits the road and suffers the knee and elbow scrapes.

4. “It means installing and tuning Data Loss Prevention (DLP) technologies to detect when your sensitive data is leaving your company.” – Just don’t fall into these three traps with DLP: First, don’t expect to plug it in, do a few hours of tuning, and then forget about it. It’ll need ongoing love. You will have false positives and small incidents constantly, or it’s not tight enough. Second, don’t think you can tackle DLP without first coming to terms with data calssification, or at least doing *something* to identify your data and flows. Third, don’t think that DLP will block/detect everything. Does it interrogate 443? Should it? And so on…

5. “It means instrumenting company LANs and WANs so a network baseline can be determined and deviations from this baseline be detected and investigated” – This is another idea I find compelling, but the cloud isn’t helping, nor are consumerland technologies that just spray garbage into your baselines and everyday traffic patterns. Still, if someone FTPs a large amount of data to an external source you’ve not seen before, you really want to know that happened. But again, this is just a part of a blended network security posture and not something to even do until you’ve a maturing security team/process.

The end result of all of this is: SECURITY IS HARD. And it’s only getting harder.

Today’s article rant comes from ComputerWorld’s article titled, “Failure to encrypt portable devices inexcusable, say analysts.” The quote from the article is actually, “‘”There really is no excuse for not encrypting laptops …'” In this world of smartphones and mobile devices, that’s a *huge* distinction, especially since you’re still being told, “good luck,” when it comes to smartphone encryption (Droid Pro being an exception).

Also, it’s annoying to make such blanket statements about inexcusable security measures. It’s inexcusable that orgs not do a risk analysis of their mobile devices and determine whether device encryption is going to be worth their time and money. It may not be.

But I do wonder if executives and managers are vastly naive about the sorts of data their employees are storing on laptops. Many such leaders have verbal expectations that sensitive data is protected and not placed on laptops and how their employees are smarter than that, and so on, but that’s getting back to management by belief, which is a gamble you will eventually lose.

Sometimes it makes me wonder. We trust employees to make proper choices, but then we want employees to be innovative and get their tasks done and be creative. Those values can be just as at odds with each other as security and usability.

Robert Graham has a great series of posts concerning the recent Comodo SSL hack. Start with an intro to web certs, then “Comodo hacker” information, some interview pieces, and finally verifying his own private key. The hack itself illustrates the web of trust the Internet has placed us into (pun intended if you link that to SQLi attacks), specifically that someone else didn’t protect their trusted credentials very well which lead to trusted access into Comodo where other weaknesses were leveraged.

Try to not get too involved in the comments; there’s a wave of politicking in there…

Incidentally, he also has a fun terminology post about “cybersecurity” and “hackers.” I think I agree with his sentiments; I know and prefer to use the terms appropriately, but I also know how they are *really* used day-to-day outside our circles, and accept that.

Lessons learned are always good to pass on, whether by gleaning mistakes others make from disclosure details, or their own words after the fact. Greg Hoglund offered some in the shadow of the recent HBGary Federal incident.

I wouldn’t be entirely surprised if the entire hack really was simply a gleaned password that then lead to other accounts, either by account/passwd reuse or because an email account is the contact target for passwd resets or something. (Side note: downloading a firm’s entire email spool…yes, it’s *that* big of a deal to keep protected. Don’t forget about it in the chatter of CC, SSN, PII, Corp Secrets, bank accounts, corp secrets…)

But in world where everything is connected, everything is on the Internet all the time, and we demand mobile “stuff,” a stolen credential is the new hack, really. Ten years ago that might get you into a corporate web mail account or VPN connection if you were lucky, but otherwise you still needed to get past the corporate virtual walls. Today, no so much. These credentials are also increasingly easy to snarf, sniff, sidejack, and replay…

picked up from the infosecnews mailing list.

I’m a glutton for information, so I about made a mess in my pants when I stumbled upon a pentesting bookmarks compilation put on in part by the folks of SecurityAegis. Everything from cheat sheets to tools to reference links to ongoing information in blogs and forums. Definitely gives me new blood for my rss reader and tons of things to check out in less busy moments.

Adrian Lane posted what is so far the best blog post of 2011 with, “The CIO Role and Security”. If you read the first 5 paragraphs and can’t find any way one of those situations applies to you, then I dare say you’re not working in security (and I might argue you’re not even working in IT!). I love the point that either you’re Getting Things Done for the company, or you’re going to be shown the door, security-be-damned.

I have “just” 4 thoughts to discuss/add.

First, if I were to formulate any one argument “against” this posture, sometimes those groups throwing out ideas/projects really don’t know security and they just don’t have the knowledge to put it in, and therefore they look to the security geek or CIO/CSO to inject their expert opinion. Of course, this is often done in a non-direct, smarmy-feeling way by looking like a deer-in-the-headlights when asked about security. It would be better to just flat out grow some balls and ask directly for help/guidance. Moving a step further, I’d then say Adrian addresses this in his 2nd bullet, but also the people brainstorming these ideas need to take the blinders off and think a little bit about the whole picture, or at least accept it when someone else does their thinking for them.

Second, Adrian’s post applies not just to the C-level role, but also mid-managers and even the techs in the trenches. *Especially* in the SMB world where quite often, it is low-level tech to low-level tech where projects get communicated. Where any sort of getting in the way of projects is a surefire way to start eliminating potential allies for your long-term advancement in that company. Adrian’s point about security adding complexity will always make me wince when I read it, like some mysterious childhood-borne tic/fear. My addition of complexity just might be compensation for your lack of foresight and critical thinking, eh? (Not an uncommon issue, as I will always draw the analogy of risk-based decisions by typical daily drivers on the road. The ability to think beyond 1 move or 5 seconds is rare…really, you nearly cut me off and bottom-out your front bumper to pull into that turn-off…when there is no one behind me and waiting 5 seconds would have been a tense-free situation? Fuck you.)

Third, this is one of the biggest things I like about compliance regulations like PCI. It gives otherwise powerless/underappreciated security advocates a rather firm way of saying, “No,” by having something else say no. I’ve long called this “security by bowling bumpers,” i.e. fine, we’ll let you wildly toss the bowling ball down the lane, but these bumpers are going to give you finite boundaries on where the ball can go.

Fourth, pick your fights. Some projects can probably be seen right away as never going to fly, maybe because of some other reason. Others may be visible and obvious enough that you either need to start getting on board and live with it, or start moving on. There are always initiatives that are bad risk-based decisions, overall, but sometimes you just gotta let it go.

As a parting thought, I think low-level techs and mid-managers make far more risk-based decisions that anyone likes to admit, because they automatically do the cost, risk, ROI dance pretty quickly in their heads up front; maybe not in a way that can satisfy accounting/CFO, but in a way that is pretty accurate if heavily scrutinized; and few get any recognition for it. If you’re a manager and you have an employee who exhibits this skill, please nurture them and keep them close.

The folks at Pauldotcom recently posted 7 ways to not get hacked by Anonymous. The steps are good, but wanted to add something to it.

Yes, the first item should be, “Don’t be douchebags.” And further, don’t be an idiot. How many people go around punching hornet nests? If you do, it’s because that’s your job and you take precautions!

2. Tried and true CMS. I’d add that yes, you should maintain a tried-and-true CMS, but also make sure your web developers exercise restraint in the plugins/addons they include into the CMS, keep an inventory of which ones are included, keep up with new releases, and install new releases of those addins. There are many issues with poorly-made addons to these apps…

There are tons of other points and tips to make…but I’ll just stop there! This should further illustrate the difficulty in keeping up with IT/security these days, even in a “smaller” shop like HBGary Federal.

If there’s a theme in my recent postings, it’s that I’m turning into a curmudgeon; complaining and ranting and shaking my head. I’ll get over it, I’m sure! Just…not yet!

There are so many levels to security, it’s sick. You can talk about microscopic security (in an SMB) or macroscopic (global/universal). Web App or Network or OS. Data or device. High risk/value, low risk/value. Skiddies, APT. General users or highly technical admins. Your customers or your company’s customers. And on and on and on…. It’s crazy. It’s liable to always be the monkey[wrench] chuckling from around a blind corner that keeps poking holes in any sort of best practices or standards or commonality amongst any of them. At some point, you have to get back to the basics and starts making your Laws. You will be breached. No single answer is The Answer. Staff is key. Users are a big weakness. Security vs convenience. The point of business is not digital security. Secure Enough. And so on…

And sadly, for almost every Law, we can come up with, “Yeah buts.” Maybe the Best Practice is that there is no universal Best Practice? Yeah, that will make every executive roll their eyes and find a new consultant/partner/manager/tech. I still have this nagging feeling that our problem is one that is not just at odds with users and convenience, but fundamentally at odds with business and management; that the last 50 years of digital technological development is still dashing a century of business acumen in the face; that they’re just not all that compatible without painful change, much akin to the RIAA/MPAA/newspapers and their painfully changing businesses. Or maybe not. Maybe we’re (IT that is) just an underswell right now, that we’re just heaving up against the older guard of business…like a rolling wave (a slooow one)…that will recede back down in the future? Possible…though it doesn’t help that business keeps dragging IT (and thus security) back into the core business in ways that aren’t very smart or far-seeing. It’s like a heaving wave pushing up against your inflatable raft, while also turning up the wave pool dial and splashing your own face with more water, both sick of it and yet insatiably wanting more. Like McDonald’s fries.

Rafal Los published a post the other day that sparked some of these thoughts of mine, not directly, but just through his tone, really. His post titled, The Path of Least Resistance, went into some not-new, but good thoughts:

…It’s not a stretch to consider that when confronted with a complex, convoluted, and difficult set of security processes and controls users often find ways around them without too much fanfare.

It’s important to remember this applies not only to “users” but also to technical persons, even in fact the administrators creating these policies/processes! We routinely know security processes and routinely ignore them in order to get the *real* immediate issues taken care of. A user needs to reset their password. You know the user, so do you take the time to go through proper procedure or do you pursue the positive feedback that comes from quickly helping the user get on with their life/job? If your boss finds out about either case, which one will get *him* in trouble quicker, and thus which one will get reflected in *your* next professional appraisal? I’d suggest we almost always reward Getting Things Done rather than inconveniencing anyone with process. Even the best customer service stories taught in generic management classes espouse breaking rules to solve problems and send customers away happy.

You can’t do that in security unless you are an expert and can make risk decisions quickly and accurately. Otherwise you should follow process; it’s there to help security in situations where the involved actors aren’t sure what is risky or not. And, by that very nature, will always add inconvenience (or other resources).

Even the most simple concepts of “risky” behavior vs “non-risky” behavior involves negative cost, whether we’re talking security or even safety. I really wonder if there are very many examples where doing something securely is easier (less costly) than doing it insecurely, when simply in the moment and ignoring resulting costs/benefits.

Rafal Los goes on to talk about creating software more securely:

I know this isn’t something novel to read on this blog, or coming from me -but Software Security Assurance efforts have to make producing and releasing more secure software more simple than releasing less secure software.

Now, one can look at this and mistakenly say, “Well, let’s just make it really hard to make insecure software. You have to jump through hoops, sign documents, put your pay on the line, and so on if you want to do something that is less secure (assuming you even know what secure means, which you likely don’t if you even have this problem). That way making it less secure is harder!

I doubt that’s what Rafal was going at, but I’m not sure you can simplify making things more secure from the start. I mean, it’s always going to be *easier* to write simpler, less secure code, right? Accepting raw user input will always be easier than accepting user input after a scrubbing routine. Even the pseudo-code for that illustrates the extra steps, yeah?

Maybe I’m still thinking inside the box. 🙂 If I think of any situations where it is less costly to do some more secure, I’ll post a follow-up.