security theater gone wrong

I was posting a comment elsewhere when I worked myself up to this line:

It’s interesting that the TSA once had this image of security theater, i.e. the show of security just to make people feel better. But what happens when people aren’t feeling better?
[Right now, the TSA is sabotaging even their theater of security.]

I’m still of the opinion that all this ridiculousness comes from our American culture of lawsuits and general “blame someone”/entitlement/self-centered-me-me-me attitude. The TSA, in my guess, is going overboard to cover their own ass, because all it will take is one person to get through and blow up a plane and then everyone will want to sue. They’re just trying to prevent everything, and that’s just not going to happen.

I’ll stop now. 🙂 I’m cynical enough as it is, that I don’t need to work myself into more of a lather!

very quick reaction to ‘stop killing innovation’ post

Two things to take away from the Bejtlich post, “Stop Killing Innovation,” plus one thing I’d add.

First, stop separating business and IT. This separation, even when done in the mind or as an understood implication based on culture and decisions and attitude, really has fundamental impact on the fabric of IT, and the people in it.

Second, stop causing IT to be risk averse. This kills innovation. This should be a fundamental management concept…or even psychological.

And my thing to add: this still comes back down to talented staff, just like I say about having good security. You don’t get it from just education or tools, but rather good staff doing cool things.

gunnar channels hunter’s security

Gunnar Peterson channels Hunter S. Thompson with a great little essay on “security.” I’d take this further and replace the person in the essay with “organization.” The same will hold true.

There are two points to make if one wants to reduce the possible weight of this essay on “security” as we usually talk about it in infosec worlds. Disclaimer: I’m being devil’s advocate here, but I really do like the essay and in general agree with it.

First, persons can’t avoid all risk, i.e. sit in a rut. Even if you’re sitting in your rut, your identity may be stolen, your system trojaned, or your organization experiencing an attack of some measure. Thompson’s security in the essay is more akin to an on or off situation, whereas information security today can’t really be off. (Unless you have no assets and no data and no systems…). Hunter’s position is that of either reaching out and grabbing for improvement (risk), or sitting back and doing nothing (no risk).

Second, and this is really silly and minor, but not every entity needs to strive for more. I may be upsetting economic science or business paradigms by saying it, but I don’t believe every entity needs to always be improving. If I run a business that makes $500K a year for myself, I might be happily satisfied with that, no? This tackles Hunter’s points in the last paragraph about defining happiness, really. Maybe an organization is just fine achieving a comfortable level of security by not pushing the technological envelope any more than they have already. Some may see this as a rut, but maybe they see that as having reached their goal?

the quagmire of solving security

Amrit Williams has an awesome post about the state of security, and I thought I’d dive into it. Just to state up front, I agree with some things and disagree with others, but in no way think discussion like this is wrong.

…What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe…

Well, I can confidently say nothing will self-destruct, nor will any killing catastrophe happen. People in general are resilient bastards, as is business and technology. In short, life and technology and progress will move on. Sure there may be stumbles and maybe even paradigm-changing events, but that is all still progress, in my book. In short, I don’t believe that sort of belief should exist.

… trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents…

One could argue that we’re not meant to be faster or more agile than our opponents. I’m sure there are military comparisons here somewhere, as well as comparisons to security ever since the first caveman wanted to protect his territory. While the battlefield changes, I really think the core concepts of security don’t. Why implement more security than you need to meet known and maybe unknown threats? I won’t belabor the point, largely because I won’t go terribly far to defend it. This is just an avenue of discussion that is useful to dive down and dirty into because it helps to figure out people’s religions/beliefs/approaches. I truly believe we need to both react *and* anticipate as much as possible; there is no win, but we don’t have to be dragged behind the cart.

Organizations tended to react driven by a security incident or compromise, an audit or compliance event, or due to perceived changes in the threat landscape. For the most part security has been and still is an afterthought.

Truth! There is also the need for someone to think like a paranoid nut (trust no one), the need for expert-level knowledge to properly anticipate and bake in security while also meeting requirements, and so on. But as a corollary to my above paragraph, the question may be whether security will *always* have a major “afterthought” component to it?

For example the concept and delivery of cloud-computing was introduced and then it was realized that the lack of security…was a huge inhibitor to adoption.

I think the cloud is a poor example. This isn’t a technology that consumerland is clamoring for as the obvious answer. I would say the inability to understand how to integrate the “cloud” into one’s own processes is a bigger inhibitor. (Obviously, I’m not counting gmail or CDN services or hosting services as “cloud” providers.) I think security is a convenient bed-buddy for the fact that these cloud services just aren’t to-die-for-and-obviously-must-have-right-now, nor are they consumerland toys. If consumerland had been behind them, like iphones or mobile devices, security would have had far less actual or perceived weight.

Most security professionals lack an understanding of the operational environment that they work within and they lack the ability to modify that environment even if they did.

Absolutely correct. The reverse is often true as well. Operations lacks understanding on security risks and countermeasures. Hell, most of the time they have no managerial pressure to be secure and every managerial pressure to just get shit done as quickly as possible (scarily the same pressures developers have; maybe more to the point, managers won’t notice if security shortcuts are taken or rules wildly bent; hence our exploding role of auditors). This is why I personally feel (and I’m biased) that someone who can claim the roles of experienced security and experienced sys/netadmin are godly. Mix in some business sense, and you’ve got a closet (and probably quiet) rockstar in the back room.

Security must be operationalized, it must become part of the lifecycle of everything IT. This is the theme for 2011: Operationalizing Security.

I’d agree for the most part (even if I stray as these next few paragraphs develop). And this is exactly like baking in security during the dev lifecycle. It also shares the same problems. I also believe while this is necessary, it’s still not the panacea approach either. “Security as an afterthought” will always be around, but we should be building security in at all stages and making sure that it is part of operations.

However, the real challenge is taking this *out* of just the backroom server operations, and making it a part of the business fabric. But that always adds costs, right? So maybe business will say that this doesn’t make sense, why not save money by tacking on security after, and only when needed?

This is the fight it ultimately boils down to. It’s not about the differences in how geeks, or even IT overall, approach technology and security. It’s a business and cultural decision on the value of security. And I’m not going to hold my breath that this will get very deeply ingrained. Hell, far too many people don’t physically secure their own homes, let alone cyber space, let alone in business. This will only be a slow burn over generations as they are born with and live with technology.

Business constantly puts me into this situation:

“We’d like to implement ABC.”

“Well, you shouldn’t do ABC because it is insecure, goes against policy, and is going to be a risk. This is bad news. In fact, no I won’t do ABC for you. You should do it this other way, or maybe another way.” (Often, the first two sentences are just my own thoughts or discussion in my team.)

“But *can* you do ABC if we asked you to?”

“Well, yes, technically I can do it. I technically can also make your passwords all be the number ‘3,’ but that’s stupid.”

“Well, we need you to do ABC.”

*facepalm* (What is needed is a security-minded person to champion my viewpoint on their [IT development] side of the fence, and then another on the business side. The art is getting all sides to come to the correct conclusion, and having experts enough everywhere to make those correct conclusions attainable.)

This is where business leaders need to step in and make decisions. It is also the place where expert level knowledge of business, technology, and security need to be in place. And that’s insanely difficult, no matter how much we pray to the gods of IT/business alignment.

See? Now I’ve waded down far enough to find myself hip-deep in the quagmire. Go far enough in any direction, and you’ll find it. Yes, more security needs to be operationalized, but let’s not get too religious about it, since it also is not the ultimate answer.

an attempt to hurt one’s brain with securitythink

Training and policy are necessary, but don’t bank your security on them. This story on a couple of security breaches at the VA illustrates this. When business says employees must get XYZ done, and employees *can* technically do something to help themselves get XYZ done, they will do that (based in small part on their own internal risk analysis of job vs getting caught+fine…). The only thing policy/training does, ultimately, is give the business grounds to fire offenders and CYA against negligence. But it doesn’t specifically *prevent* anything any more than a sign that says No Loitering.

Just like this car I see daily in the visitor slot of the parking lot. Unless someone gives that person a warning and/or tows them, no soft measures are going to stop them. (Yeah, not a life-threatening heinous offense, but it illustrates a point.)

As a counter-point, one might mention stoplights. Nothing is really technically stopping people from ignoring a red light…

I better stop before I hurt my brain on a Friday.

the security blender

Catching up on some new feeds, I see Marcus Sachs threw down a quick SANS diary post question about the future of security, framed with recent Stuxnet analysis from Symantec. I have two pieces to pull out.

While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.

It helps (from a certain perspective) that organizations and people are bypassing these controls during daily business. For instance, the big stink in recent years about SCADA has been the degradation of the traditional “air gap” between those controlling systems and the greater network (even Internet) of the organization. The classic defense mechanism of an “air gap” doesn’t even need to be bypassed by attackers, because it’s already done! Same with challenges in endpoint controls and basically any other traditional, rigid, layer.

Well, we need to start rethinking how we are going to defend our networks in the coming years and decades. Layers of defense are, of course, important – but what should those layers be?

This is a strange question, especially as these layers of defense are deteriorated by users and organizations themselves. I’d probably point to several directions as discussion-starters. I think the real point is there are no longer discrete “layers” so much as a creative blending of existing and new pseudo-layers to create some security value.

Disclaimer: I have no answers at the moment; just contributions to ongoing discussions!

  • diligent staff – It might sound stupid and all 1950s, but when all else fails, you really simply have to have skilled staff keeping their fingers on the pulse of the network. Technological layers aren’t going to fix what is increasingly becoming a soft problem; not without defining and truly enforcing rigid limitations/controls. This is fallible, yes, but if one wants to say all these layers of defenses today are failing, you need to move into layer 8…
  • get security correct from the start – Obviously software, systems, hardware, and the various ways they’re put together need to be created/implemented in a secure fashion from the start. Unknown attacks will still pop up (0days), but at least start as secure as we possibly know how to be.
  • encryption – Basically, encrypt everything. Of course, this cuts both ways, and will impact security visibility as well.
  • identity – If you need to blindly trust encrypted communication, you must implement a trusted identity mechanism to control who can dump information into those encrypted communication channels. This includes people as well as devices and even app identity.

I’d say none of these options are realistically possible to fully achieve. Some of all of these can be used. Besides, the whole concept of a layered approach to security *should* imply that no single layer (or even couple of layers) provides full security. Likewise, none of these additional pieces above will do it alone, but rather each should be implemented as much as resources allow, for even more blended approaches.

Of course, we’re back to looking at security less from a technological standpoint and more from a pragmatic or risk standpoint, yeah?

the delicate dance of availability

Quick article over at InformationWeek where there are two points that caught my eye (that part where my pet peeves lounge).

The study queried more than 200 security professionals about their organization’s ability to detect and deal with advanced, persistent threats.

I’d like to hear why Random Corp ABC needs to worry about APT. I can tell you why Boeing or Google or PayPal may care about APT, but some nebulous, possibly SMB-sized, company shouldn’t by default be caring about APT. That makes this question useless.

Interestingly, when it comes to responding to security incidents, what respondents fear most of all isn’t intellectual property theft, corporate brand implosion, or recovery costs, but downtime. Indeed, 93% of respondents said that network or system outages were their primary post-incident concern, and 92% said they feared excessively long cleanup times.

It’ll make a smart security geek wince, but it’s true. That A in CIA (Availability) may mean the least to security, but it means the most to organizations. Down systems very obviously and clearly result in lost productivity or customer frustration and loss. Disclosure of C or I (or other security incidents) is not usually so obvious and in-your-face.

Should we fear downtime the most? I guess it doesn’t matter, since the business is going to force us to fear downtime the most, in many cases. Which is doubly fun because not only should you avoid downtime caused by attackers (read: sec incidents), but also downtime caused by implementing security controls or security tools disrupting things. It’s often like threading a tiny needle with fluffy yarn!

my last thoughts on cod:bo multiplayer

I’ve lived with Call of Duty: Black Ops (COD:BO) for a week now, and have even prestiged once (yesterday). So I thought I’d tie off my impressions on the multiplayer game. Notes: I play the x-box version, liked World at War slightly more than Modern Warfare 2, beat both games on veteran mode, and really do like COD:BO quite a lot, despite the cons down below. See my previous post for a huge list of pros, which still all apply. My notes here start to get pretty nit-picky…

Cons

  • Map flow is broken, probably due to spawn code. I’m still not sure what the exact problem is, but it certainly is not the maps. I believe strongly it is involving the code that decides where to spawn players. I think this is still based on putting you close to your team but also with a weighting towards the player who just killed you. In WaW/MW2, you could track the flow of a game when one team is dominating the other, as a sort of slow circling of the map as you chase the team slowly around. In BO, there is no such flow at all, and I can’t begin to count the number of times I’ve been killed or surprised by an enemy that should not have been present in the location he was present in. I blame poor spawn code for lack of better candidates. Runspeed may be a tad too high, but not really sure on that. Spawning is just not right.
  • Throwing grenades upon respawn. WaW and MW2 seemed to get this right, but in COD:BO, if I am cycling through players in spectator mode while I wait to respawn, I’m hitting the right/left bumpers to do so. But if I’m not watching the timer and it hits 0 and respawns me, when I hit that bumper (which I do sometimes to see where my buddies are and who is under fire) it immediately tosses a grenade. Lame. At least in the previous games I swear you couldn’t toss something like that for a split-second or two after spawning. Perhaps this is needed because of the strange spawning issues described above…
  • Lots of awards, medals, and challenges pop up during games. This is really cool, but sadly there is just no time to glance up and check out what you just did. The messages are too quiet and way too often. Likewise, you don’t get any list of them after matches, one of the only oversights in all the stats and information you get post-game and ongoing. In WaW and MW2, I always knew which challenges I just finished, but in COD:BO, I don’t think I’ve been cognizant of any except the Perk Pro things I need to get (because I’m looking for them and doing them specifically). This may also be a product of just overwhelming players with so many things to do and track and pay attention to, that challenges get left out for me. I’m busy with classes, contracts, equipment, working on perk unlocks, leveling, etc.
  • Points in Hardcore Team Deathmatch (HTDM) seem low. I really like HTDM, but unfortunately the rewards are small compared to the points gained from even crappy Headquarters matches. You want to level up quick, stick to Headquarters. It is not uncommon to score 10,000 points in a round, and far more in a good round. Unfortunately, the game is quick and fast, which is not for all people.
  • Voiceover status messages can be late. If you get a lot of care packages and killstreak rewards, and game status changes (someone is planting the bomb), you can get a really weird long list of voiceover updates, some of which occur significantly late. “Yeah, I got that care package like 30 seconds ago, thanks!” I’d have liked quicker ones, or even just overlap the damn things…
  • The one issue with buying upgrades: timing. When you hit the max level in WaW or MW2, you’ve unlocked everything and can do whatever you want. In COD:BO, I made level 50 and while I had all the perks unlocked (not all pro, of course) and most of the weapons I wanted to try out, I didn’t have anywhere close to all the attachments and enhancements I would have played with. When you prestige, these all get reset along with your “money” in game. Not sure what I think about that…I like that I can open what I want to open, but I’d like to have had a chance to try everything once hitting the top, ya know?
  • Playercard interface could be enhanced. Yeah, this is pretty low to pick on a really cool new feature, but this section could see some enhancements with previews and such. Also, it’s really annoying to see the…creative…things some kids come up with.
  • No payback dollars. I thought the payback kill dollar bills flying out of those kills was fun. I kinda miss it now that it’s gone.

Pros: I really have nothing new to add here. The game is pretty darned fun and a good successor for the series.

first impressions on call of duty: black ops

Call of Duty: Black Ops (COD:BO) has been released and I spent pretty much my entire evening playing multiplayer on the x-box version. I’m exceedingly pleased with the end results, and it is far superior to the recent unfinished Medal of Honor (which I complained about, twice) and better than most aspects of the last COD game, Modern Warfare 2.

I already liked Treyarch’s previous COD entry, World at War, better than either of the Modern Warfare games, both in single and multiplayer. I liked the guns, pacing, and the polish of things like the menu and lobby systems. Infinity Ward never even came close to that menu quality as far as ease of use and usefulness of information. Treyarch’s map designs have also been far superior to most of the ones from Infinity Ward. In single player (infinite respawn difficulty aside) WAW was a far better experience than the cobbled-together story and uninspired gameplay of MW2 (and unsatisfying final vehicle and QTE endings). WAW was also a far better experience to complete in veteran. Frustrating, yes, but it felt way better when completed. (I did not bother with Mile-High Club in MW2.)

Similar to what I did for MOH, here are some Day 1 impressions on multiplayer. I stuck to Team Deathmatch for the duration. I wasn’t a high enough level yet (need to be 19) to play Hardcore modes, which is where I spend most of my time. I’m also not going to mention everything I liked; just the things that I really liked above and beyond the norm for COD games. If you read my complaints about MOH, pretty much every one is a positive in COD:BO.

Note: Any mention of money or buying items refers to in-game money that you earn by playing. This is not purchased with real money.

Pros

  • Top-notch FPS maps. I absolutely love Treyarch’s map design team. They make interesting maps, large maps, with a great, great eye to competitive play and game flow and versatility. There are spots to camp and ways to attack every camper. This is even more pronounced after having played the horrible MOH maps and the not-nearly-perfect MW2 maps.
  • There are 14 maps out of the box. In MOH, it only took about 60 minutes to already be sick of the small map rotation, and map packs in MW2 have given rise to not even seeing every map in a given 6 hour play session. I love the variety.
  • Killstreak rewards no longer contribute to earning more of them. So if you call in an airstrike that kills 3 people and you only needed 3 more kills for the next reward, you still have to earn your 3 kills on your own. This is an excellent change, and a subtle shift in making killstreak rewards not contribute nearly as much to the OPness of some players. Chaining killstreaks was common in MW2, and really felt pretty cheap.
  • You get upgrades when you want them (mostly). In-game money buys your upgrades. This is cool since you don’t have to wait until like level 28 for the Ghost (camouflage) perk. If you know what you want to get, you don’t have to necessarily wait for the right level to unlock them. Guns and some other items still have a level requirement, but for most things you can open them when you want them. This is really cool and will help streamline class buildouts for experienced players who know what they want to use.
  • Menu system is excellent. I hated certain nuances in the MW2 menu system, and MOH was downright awful. WAW had the best one in recent memory, and somehow Treyarch has even one-upped that. It’s beautiful and easy. How hard is it to make one-click voting?! Thank you Treyarch.
  • Combat stats. In a word, I fucking love the stats provided by BO. I sorely missed even the small amount of stats provided in WAW that MW2 just didn’t bother with. Happy to see little things as well, like the Nemesis card is back. Little things like that help make a 4-hour session in the same lobby kind of fun.
  • kill-death ratio displayed on all score screens. This is the golden stat in team deathmatch (and maybe in any FPS game mode): kills over deaths. If you’re above 1, you’ve been a service to your team; whether you made only 3 kills while dying 2 times, or made 30 kills while dying 20 times, you’re still a benefit to your team. It’s great to actually see this number finally represented.
  • Party-only chat is back! One of the most annoying parts of x-box MW2 multiplayer was being forced to hear all the racist kids talking, and stealing away any buddy-buddy privacy for talking to your friends. Treyarch brought the WAW style back where your party can stick to party chat for some privacy…and sanity.
  • The playercard design-making is interesting, and I can’t wait to see some really cool examples that people make in game, especially the emblem.
  • Grenade Launcher/Bazookas (so far) aren’t as low-rent as in MW2. MW2 multiplayer, especially in hardcore, sometimes devolved into who can toss out the most grenade launcher and bazooka shots and score lucky kills. So far, it seems like these weapons aren’t quite as OP as previous games, which is a nice change. It’s possible people just aren’t using them yet…
  • Theater mode. I certainly won’t use it much, but the ease of use and power in watching game replays and editing them is amazing. I spent some time in just one of my own games, and was amazed at what you can see and do, from watching anyone in game (even enemies) to snapping out of FPS view into free-floating camera. (caveat: I didn’t find a way to move the camera elevation straight up or down yet.)
  • Tomahawk looks fun! Actually, I can’t believe how often I died to one last night. Also, I swear someone threw some sort of homing knife at me once. At least, that’s how it looked in the killcam! I wonder if the crossbow does that… In MW2, I enjoyed working on the throwing knives to unlock that title/emblem (still hard to be effective with them), so knives/tomahawks may be more viable this time around?

Cons

  • Small resolution on menu text. If you’re like me and haven’t upgraded your television in 3+ years (I was early on the plasma kick), then there is some annoyance in all the information presented on menu screens. Not a huge deal, but noticeable.
  • Initial feeling of being overwhelmed by all the things you can buy, especially upon realization that if you want to unlock Red Dot sights on every gun, you don’t just buy it once or even once per weapon type, but actually buy it on every single weapon. This is offset by the quick earning of money to spend. There’s also added tracking of contracts, challenges, your money, what you can and want to buy, and so on. It’s a pretty detailed game that can be overwhelming at first.
  • Playercard design is different from MW2. In MW2, you tended to earn your way through titles and emblems, but in COD you pretty much get to the level you need to be and then buy the designs. I’ll likely just miss the challenges, but not miss the difficulty in getting some of them.
  • No preview ability for playercard purchases. Need to spend in-game money to test things out.
  • Dogs are back as a killstreak reward, and they’re still a pain in the ass to kill on xbox (stupid controller).
  • Melee attacks lack “thunk!” I still miss the WAW melee attacks where there was a very visceral “thunk” of the knife slamming in, as well as a physical jerk of the body that felt exceedingly satisfying. MW2 didn’t come close, and MOH was awful. BO does ok, but it still feels a little weak. By default, it seems you can score knife kills from a half-step farther away than previous games.
  • Knifer/Runner build? Speaking of knife distance killing, I don’t think there is a perk anymore to lengthen the distance you can score knife kills. These were very fun in WAW or even MW2 to run around quickly and get knife and other obscenely CQB kills. I’ll try a runner build again at some point. Hmm, no riot shield either, not that that was terribly efficient in any but the smallest maps (Rust)…

In short, it is glorious to not only be playing a COD game again, but to be playing a Treyarch COD game.

sans article on windows browser security

Kevin Lister has a fun post over on the SANS diary where he presents tables on common web attacks and countermeasures. (Warning: I’m feeling contrarian today…)

[Aside: Some of my trivial annoyances with this article echo my similar annoyances surrounding yesterday’s announced IE CSS 0day (advisory link, krebs link, eeye link). There is a huge difference between initial attack (the 0day) and the payload…even when they’re tied together into one package or chained exploit.]

The unfortunate part of any discussion like this is defining the context/scope. In this case, I would break down context into 4 distinct options:

  • non-technical home user / micro network
  • technically-sound home user / micro network
  • small business (~10 to a few hundred people)
  • medium to large enterprise

Why the difference? Because how one approaches web security should differ depending on your context. Articles like this probably should define a scope first.

In addition, one should define the scope of the defense. Are you trying to protect against the initial attack itself, the resultant payload, or both?

While Kevin has a lot of “Free” items, none of these approaches are “free” in small and larger businesses. Even a “Low” in the tinker field means man-hours in research and support.

I have a few misc points to make as well. Home users can also take “alternative browser” one step further by using an alternative OS. There is no mention of host firewalls, sandboxing, or virtualization (i.e. sacrificial host). I personally think the alternative OS option should have something more significant than a “-” effect. An attack against IE will fail against Firefox, and vice-versa. So we’re back into an “it depends” mode. I also feel that the “noscript” category, based on these tables, is woefully under-valued if someone just glances at this data. I think it’s worth more than what is reflected.

I’d also note that there are three fuzzy classes of protections that probably should be treated separately.

  • Those that require someone to make an update (signatures, opendns, ips, whitelists…)
  • Those that stop a certain behavior from occurring (lower admin rights, noscript, dep…)
  • Those that avoid the issues entirely (alternative whatevers…)

(I’d post comments, but posting on sans has been problematic at best for me…when I even remember my password there.)

the new yorker on cyber security

Via the infosecnews mailing list I perused a cyber security article in the New Yorker. I wanted to draw attention to two and a half points.

First, I liked the discussion on the difference between “cyber espionage” and “cyber war.” That’s basically been my view of things, and how so many of the threats and “attacks” we’re seeing today are not new…it’s just traditional espionage moving further into the cyber plane. That’s it.

Second, it takes a few pages to sink into the topic of the desire of the NSA to peek into encrypted communication and how that compares to those groups and the public who strive to encrypt everything. This is a complicated picture. For instance, a private company is a smaller-scale version of the same government/citizen issue. If the security teams can’t see into the traffic generated in the company, they also will lose quite a bit of intelligence in their operations. If an employee can set up an encrypted tunnel out port 80, this is still not something easily found and/or blocked by many enterprises. And it certainly is a problem to see what is being sent over that tunnel.
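One thing a security team *can* do about the “tunnel out port 80” case is check whether the bytes on port 80 are actually HTTP. The following is an added example, not code from the post or from any product it mentions: a small Go classifier that looks at the first client bytes of a flow and flags outbound port-80 connections whose opening is a TLS ClientHello or an SSH banner rather than an HTTP request line. The `Flow` record and the sample flows are constructed for the example; a real sensor would supply them from captures or flow logs.

```go
package main

import (
	"bytes"
	"fmt"
)

// Verdict is what the first client bytes of a TCP flow look like.
type Verdict string

const (
	VerdictHTTP    Verdict = "http"
	VerdictTLS     Verdict = "tls"
	VerdictSSH     Verdict = "ssh"
	VerdictUnknown Verdict = "unknown"
)

// httpMethods are the request-line prefixes a plain HTTP/1.x client sends first.
var httpMethods = []string{"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ", "PATCH ", "TRACE "}

// Classify inspects the first bytes the client sent. It is a heuristic that
// recognises protocols only by their well-known openings.
func Classify(first []byte) Verdict {
	for _, m := range httpMethods {
		if bytes.HasPrefix(first, []byte(m)) {
			return VerdictHTTP
		}
	}
	// A TLS ClientHello opens a record with content type 0x16 (handshake)
	// followed by a 0x03xx record-layer version.
	if len(first) >= 2 && first[0] == 0x16 && first[1] == 0x03 {
		return VerdictTLS
	}
	// SSH clients announce themselves with an identification string.
	if bytes.HasPrefix(first, []byte("SSH-")) {
		return VerdictSSH
	}
	return VerdictUnknown
}

// Flow is a minimal, hypothetical record of an outbound connection: source,
// destination, destination port, and the first payload bytes the client sent.
type Flow struct {
	Src     string
	Dst     string
	DstPort int
	First   []byte
}

// PortMismatchAlerts flags outbound flows to TCP/80 whose opening bytes are
// not HTTP at all, which is what a raw encrypted tunnel on port 80 looks like.
func PortMismatchAlerts(flows []Flow) []string {
	var alerts []string
	for _, f := range flows {
		v := Classify(f.First)
		if f.DstPort == 80 && v != VerdictHTTP {
			alerts = append(alerts, fmt.Sprintf("%s -> %s:%d carries %s, not http", f.Src, f.Dst, f.DstPort, v))
		}
	}
	return alerts
}

// SampleFlows are constructed for this example; they are not real captures.
func SampleFlows() []Flow {
	return []Flow{
		{"10.0.0.5", "203.0.113.10", 80, []byte("GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")},
		{"10.0.0.7", "203.0.113.20", 443, []byte{0x16, 0x03, 0x01, 0x00, 0xc4, 0x01}}, // TLS where expected
		{"10.0.0.9", "203.0.113.30", 80, []byte{0x16, 0x03, 0x01, 0x00, 0xc4, 0x01}},  // TLS on port 80
		{"10.0.0.9", "203.0.113.40", 80, []byte("SSH-2.0-OpenSSH_8.9\r\n")},            // SSH on port 80
	}
}

func main() {
	for _, a := range PortMismatchAlerts(SampleFlows()) {
		fmt.Println("ALERT:", a)
	}
}
```

Running it flags the two port-80 flows from 10.0.0.9 and leaves the genuine GET and the port-443 TLS alone. The caveat is the one the post hints at: a tunnel wrapped inside real HTTP (for example through a proxy `CONNECT`, which this classifier accepts as HTTP) will not show up here, so this check belongs alongside proxy logs and egress policy rather than in place of them.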

Lastly, I made note of the mention about how the NSA also wants to know the identity of people in these communications. A wholly new topic, really. At least this is far more trackable in an organization, than in a public nation.

By the way, read to the end for the payoff on the EP-3A recon aircraft that helps open the story.

threats, assets, vulnerabilities

Bejtlich posted, “What Do You Investigate First?” He brings up the question of three different approaches:

  • focus on the threats
  • focus on the assets
  • focus on the vulnerabilities

These are great bullet points for a blog post (or hell, probably a small book) on how these approaches can be tackled, including perspectives from prevention, detection, and response. And how these may compare to the “reality” many orgs face: responding only to the things that people will raise fire alarms about if they’re not available, or whatever you might get in the most trouble for not responding to…

I was going to flesh this out as a full future post, but decided already that I don’t have the time, yet didn’t want to lose the beginning of my thoughts…

evilgrade discussion reflects our challenges

Wanted to link really quickly to a recent example of the problems we face in security, even amongst ourselves. EvilGrade 2.0 was recently released, and the full-disclosure announcement sparked some…discussion. As background, EvilGrade is software that assists an attacker in hijacking the upgrade process of a piece of software and sending its own executable in place of a real upgrade executable, thus having it automatically executed by the software.
The subsequent discussion brings up the following points (I’m just informally summarizing here):

  • Hijacking upgrade mechanisms is a vulnerability (or weakness).
  • This vuln is not necessarily easy for an attacker to leverage. It has limited (but useful!) applicability. (local network access; targeted; etc.)
  • There is an opportunity cost to addressing this issue. (Time spent fixing a small issue = time not spent elsewhere.)
  • The issue may be easily fixed with certificate signing. (Everything is always ‘easy’ to someone…)
  • Certificate-signing also has its own weaknesses.
  • Cert-signing also means added code which means added complexity and possibly more exposure to other attacks.
  • Ultimately the question: is this issue worth fixing in product ABC? Is this huge enough that we stop corporate updates until a fix is proven, audited, and required by regulations? (Ok, I added that last part myself…)

This is a classic example of the belief that every vulnerability must be fixed, no matter the cost, versus doing what you can with the resources and costs/risks available to you (which can be very subjective in measure). This sort of argument is pretty much religious. In fact, I’ve called it such in the past with posts about security religions. There are usually no universally correct answers, and there is usually pretty detrimental and venomous discussion once you start down these threads.

But it illustrates the challenges we face even amongst our own in the security circles. It gets worse when you have one person on each side of this discussion whispering into opposite ears of the non-technical business owner who makes the ultimate decisions. (Although, cost-savers probably always have an inside track in that argument…and ‘doing nothing’ is the easier option to explain…)

Full disclosure: I have sympathies on both sides of that discussion.

medal of honor multiplayer comments part 2

I’ve already opined way too long about Medal of Honor in a previous post, and while I have no intention to make gaming a major part of this blog, I do have other comments, for closure. Again, this is the xbox version I’m playing. And, again, I still feel the multiplayer game is broken, unfinished, and unplaytested. Combinations of issues such as poor death text, poor player name displays, horrible maps, and no indication of who is talking on voice make this game pretty much impossible to truly play as a team unless you’re all in a party/clan and used to each other. If you tend to play solo or with just a couple of buds like I do, the game is broken and useless.

Cons Part 2

  • It bears repeating: multiplayer is not playtested and unfinished. The maps are broken. The menu system is nearly useless. The gametypes are not finished.
  • I like to play Hardcore game modes. Hardcore modes tend to lower player health, remove helpful HUD pieces, and enable friendly fire. This often slows down the game a bit as players need to be a bit more careful. In MOH, not at all. The games are just as frenetic as the normal modes.
  • There’s only one Hardcore mode, and it rotates game types between team deathmatch, objective, sabotage, and scenario objective game types. While this is cool to experience different things, unfortunately it means all the players who just want to play team deathmatch fuck up the rest of the dynamic of the other game types. You really need to only have players playing sabotage/objective types who want to and know how to play them. It’s ok to randomize it a little bit, perhaps, but the rotation seems to go way too often to non-team deathmatch modes. Mixing in a different gametype every 10-50 matches wouldn’t be a bad thing…
  • Hardcore sabotage gametypes are broken and useless. Really, what should happen is a team plays as the defenders for a round and then the other team defends, and the winner is whoever completes the objectives quicker. This game has no continuity between sessions, so you can flat out lose even if you get one objective, no matter if you owned the other team the previous game and the next game. Then again, whether you win or lose never matters, since you get no bonus points for a win and there is no tallied record of how you do.
  • Hardcore mode utterly breaks offensive scorechain rewards. The offensive rewards are things like mortar strikes or rocket strikes (like artillery or bombs in COD:MW2). You set them at a target by looking through a device and marking the target. In normal modes, this device (like a pair of binoculars) has a crosshair in the middle. For some absolutely unknown reason, hardcore mode removes this crosshair. This means you’re firing blind and have no idea where you’re really hitting. In fact, I’ve killed myself this way more than enemies! This makes me choose defensive rewards almost every time. Stupid.
  • I’ve had a few games in team deathmatch finish where my team had more kills and more scorechains, but a lower score such that we lost. If you’re going to score a match based on some tally of points, you need to explain the points. My only guess is the other team had longer scorechains or more headshots.
  • Playing hardcore mode yields fewer points per game. This is backwards from every COD offering. You can do alright in points if you do the sector controlling or objectives, but obviously there are only so many of those that you can do per match. It would be nice if you also got points for winning a match.
  • Teamkills should kill the team-killer. COD:MW2 gets this perfectly, if you ask me. Score penalty is nice, but what happens when you’re maxed?
  • Combat assault, the game mode where a team defends a series of story-like objectives that the other team has to assault, control, or destroy, is kinda fun, but needs work. Instead of a timer, the defenders have only x number of respawns allowed for their team (200?). This means the more players the attackers kill, the more they cause this soft-timer to expire. This means the game should be played by attackers running up to objectives and defending them, then running to the next, and not killing defenders on the way unless they have to. Unfortunately, too many players play this as team deathmatch. As such, I’ve only seen one full completion in this mode. I’d like to have played this with a hard-timer to see how that goes (like 30 minutes). Also, once you get pinned down as attackers at the start, you can pretty much just be screwed. I also see no reason the attacker team should have a respawn timer. Defenders, yes. But attackers? I’d be curious how the dynamic changes without that timer for attackers.
  • A buddy and I have had times where we’ve been able to see glowing outlines of other players *through* walls and boxes, especially before they’ve stepped out from behind them. I think this is a reflection of buggy netcode and whatever graphics code is used to subtly outline enemy players to differentiate them from background textures. Really cheap and silly, and it’s bad that this bleeds through sometimes. This only happened in about 1 in 100 matches we played.

Pros Part 2

  • I usually like playing a sniper, but often find them unfun in multiplayer games because you can’t really hide very long or get decent sightlines. In MOH, I actually find sniping rather fun. The shooting mechanism is probably the best I’ve felt in gaming (a pro for the engine more so than anything to do with multiplayer), despite the buggy netcode. It helps that many maps have a sniper-friendly open feel to them (of course the flip side to this is how the maps break safe-spawning and game flow).
  • There are painfully few maps in multiplayer, but at least in other game modes (maybe just hardcore?) the maps *seem* different because they have different lighting. There are just a few flow changes in them as well (very subtle), and maybe the backgrounds outside the map boundaries change, but overall it’s just enough to make the maps initially disconcerting and seemingly different. It’s amazing how much, in game, I actually use lighting as much as the terrain to get my bearings… It’s a pleasant surprise, even if I still believe the maps are fatally flawed.
  • Combat assault, the game type that forces one team to defend while the other team pursues progressively-placed objectives, is kinda fun, but untweaked. Nonetheless, it is a good attempt at the concept and I actually like how those particular maps flow.