looking at pci stats from 2010 verizon dbir

I mentioned previously that I didn’t have much to add to this year’s DBIR. That’s not entirely true, but the thoughts below are definitely not a big deal. The DBIR already spent several pages on PCI-related material, and certainly didn’t (or shouldn’t) need to spend much more on it at this time.

But I still found some of the data interesting.

Which requirements have the best adoption? I’m not surprised by these results all that much. Encrypting transmission (Req 4) is an easy win* when you just look at SSL. Restricting physical access (Req 9) is also an easy win* if you lock your doors (please read the * down below before I raise your hackles too far!). Using and updating Anti-virus (Req 5) is likewise easy, although I’d question how many enterprises are actually validating that updating procedure! And policies (Req 12) are highly adopted, most likely because they tend to be fire and forget. Ideally, I’d like to see policies be the most adopted simply because they should be some of the first check boxes accomplished and/or the quickest to wrap up. (Then again, few people enjoy writing them…)

It is no secret that these particular requirements read quickly as the more clear and easier requirements.

Which requirements have the worst adoption? Developing secure systems (Req 6) is consistently pretty low, and not surprising: it is one of the crappiest single requirements in the PCI DSS. It is vague and downright huge. Regular testing (Req 11) is next, which again is not surprising (vuln scans, IDS/IPS, pen tests), although I think that is usually due to costs as much as anything, both in terms of human hours spent attending to those technologies as well as the capital costs of external pen tests or hardware to satisfy the requirement. I also find that Req 11 is one of the bigger “security geek” items in the list, that really doesn’t even involve general IT operations staff competencies.

As the DBIR rightly points out, the requirements with the most ongoing tasks associated with them are the ones least adopted.

Wait, 2 of them decreased?! – The DBIR mentioned it, but I don’t recall it discussing any reason why the anti-virus (Req 5) requirement and vendor-supplied defaults (Req 2) actually decreased 9% and 19%, respectively. AV, as mentioned above, is one of the higher adopted items, yet it decreased; and removing vendor defaults should be a slam-dunk for operations. Maybe the problem, like so many things that are shoddy with security in enterprises, is in the on-going verification of updated AV and validation that vendor-defaults are changed. Or maybe some breaches this past year took advantage of passwords that got reverted back or the attackers removed AV and nothing threw alarms about those systems being unprotected. Who knows…

Like I said, the DBIR didn’t need to spend even more time on PCI, but I found Table 9 (pg 54) to be pretty interesting…just like I had last year.

* By “easy win” I mean these *can* be easily met in limited circumstances. Reality for someone serious about security can still make these items strangely difficult and open to interpretation.

thoughts on my cowon j3 pmp

I’ve written previously about my mp3 player/portable media player purchases, namely the Cowon A3 (mp3/video player) several years ago and more recently my Cowon iAudio 7 (nano competitor).

I have now purchased and been using a Cowon J3 PMP. Since I’m not an electronics review blog, I’ll keep my observations short and somewhat personal. Obviously, I’ve been happy enough with Cowon to not deviate from them since I first purchased the A3 as a replacement to my original 4th gen iPod. (The 20gb iPod is ‘permanently’ attached in my car and I’m happy that support for updating it outside of iTunes is far better than it used to be, making it less ‘evil’ in my eyes than it used to be.)

My cons outweigh the pros in number, but as far as value goes, the pros far outweigh the cons in my books. The gulf isn’t quite as big as when I got my A3 or even the iAudio 7, but the J3 makes me very happy indeed.

Pros
– sound quality: In short, the sound quality is fucking amazing. I love the full equalizer control and ability to play with some of the enhancing effects in the JetAudio software. I’m hearing songs in a new light with the J3. The 3d surround enhancement also makes me turn around now and then wondering if someone is behind me. Quite honestly, the sound is beautiful and it alone is worth the money.

– easy management: The biggest selling point for me has always been Cowon’s ability to be easy to load files into. Just plug the device into a Linux/Windows PC, it registers as a USB storage device, drag files to the Music folder, unplug and enjoy! I also have no need for playlists, fancy artist/album groupings, or complex playback depending on my mood. I just want to shuffle my 3,000 trance/techno songs. Or 4,000 chill songs. I only have 5 folders holding all of my ~70gb of music.

– small, light: lighter than my cell phone, so it is pocket-worthy! That was always one of the few issues with the A3 being too bulky for normal pockets.

– microsd support: The internal drive is only 32GB, which is small for me, but I love the microsd support. I can buy a new 32GB microsd card, load it with my chill music, and when I want to listen to it, just insert the card. Or just always keep the card in for 64GB available at all times.

– radio: Ok, I don’t listen to the radio, but if I ever needed (weather, emergencies) or wanted (sports, wake-up alarm) to, this guy has a built-in radio function.

Cons
– video support: Somewhat surprising, the files I’ve ripped from my movies that play on my A3 don’t play on the J3. This is somewhat perturbing as I’d rather not re-encode all my files. This kinda leads me to the conclusion that I should just rip my movie backups into ISO files rather than encoded media formats which may become useless or too lossy in the future (a debate I’ve been having with myself for some time now). The ISO files will always be useful as sources for doing future encodings, and my desktop systems will read them just fine for immediate playback. Anyway, it is not a huge deal as I’ve only rarely watched movies on my A3, and my A3 is still quite capable in that regard.

– mp3 playback shows album art: Some people wouldn’t think this is a con, but for me it is. I don’t download and update and manage album art, so most of my songs end up with a blank default icon filling about 2/3 of the mp3-playing screen. I’d love to turn that off or change the display or just have a generic wallpaper, but I’ve yet to find that option. This device isn’t going to convince me to start complicating my life with album art management. I find this a weird inclusion for a device really touted as the simple alternative for people who don’t want bloated music management.

– need an AC adapter: The J3 charges via a USB cable connected to a computer. However, while plugged in, you can’t use the J3 as it goes into a locked mode. Using the AC adapter will allow charging+playback. Not expensive or a huge deal, but just a small annoyance.

– special USB cable: The USB cable is not one I’ve seen before; and of course not one I have replacements for.

– included earbuds: Ok, the earbuds are just fine soundwise, but once you put the soft covers on them, you can’t tell visually which is the Left or Right earbud. I just scratch the outside of the Left one to tell. Also, I don’t get why one side always has a shorter length than the other.

– slow startup: The startup of the J3 is surprisingly slow, but not something that is a huge deal to me. I’m not impatient.

– doesn’t start music upon startup: Again, not a huge deal, but sometimes I’ll go a few minutes without any music before realizing I need to touch Music, and then Play to get things going. My A3 just starts right into whatever was playing when I turned it off.

– spotty accessories: The Cowon isn’t the biggest player on the market in the States, and as such the ability to score excellent accessories such as a padded case are slim. In fact, I still carry my A3 in a PSP case, which it fits into perfectly! I have yet to find something similarly perfect for the J3. Basically, just a padded sleeve or some sort is fine for me.

– shows fingerprints/scratches: The touchscreen and body show fingerprints easily, and the back metal can scratch easily. The “new” appearance of gear is always a tough mental battle to fight, but it is easiest to just accept that things will get scuffed, rather than fret over it! There are more important things in life to fret over.

adobe 0day banshees flying about

Just a quick mention of new Adobe 0days that are making the rounds. I may not have bothered since details are so few at this time, but the media is all over these two, particularly the Flash issue. Neither are patched, and Adobe has provided scant mitigation details. Probably because most of the suggestions involve crippling their software or using additional/replacement software that essentially says, “don’t use our tech.”

A week ago, Adobe Acrobat/Reader were hit with a 0day being exploited in the wild.

Yesterday, Adobe Flash had a 0day advisory announcement.

I’m pretty tolerant when it comes to security vulnerabilities in software. While I side with those who say we need to build things secure, I just don’t think that is ultimately realistic. I also have at least some proximity to business and software/web development, so I know what often does or does not go into those processes. I can tolerate security vulns if the business plays response really well.

I can even tolerate security being a new thing to a business and them playing catch-up for a while, kinda like Microsoft has done with Windows and Office products. But Adobe doesn’t appear to be improving, in my observations.

The lesson that gets lost in all of this, though, especially with the general computer-using public and media is the problem of feature bloat trumping security concerns. Adobe may take the lumps from the vulnerabilities, but all of this is probably enabled directly by user demand and use of those features. So, thanks for needing/wanting those features and making the rest of us less secure. (The same argument I make about HTML in email. Thanks for that, Marketing…)

offtopic – starcraft 2 on brutal

I just recently beat out the Brutal difficulty level in Starcraft II, so thought I’d just share some tips on the levels I found to be hardest. For better tips, just look up the levels in YouTube for examples of good play. For any player, I’d suggest doing the Normal campaign first, then Hard, then Brutal once you know what you’re doing. If you want multiplayer strategies, I’d highly suggest following Force’s Starcraft 2 Strategy YouTube channel. Have fun!

Outbreak – I found this to be surprisingly difficult. On Brutal, I made 3 bunkers at each entrance, manned mostly with marines and marauders. I didn’t do much with hellions. It helps to focus fire aberrations and the shooting infected. I didn’t bother with the expansion and it helps to wipe out one whole section (I did top) to basically relieve that entrance defense. Return to base with at least 30 seconds of daytime left.

Welcome to the Jungle – The mission wants you to use Goliaths, but they’re just too weak. I had problems early on here, even in Hard! But this mission is actually very easy if you just build up a Marine-Marauder-Medic ball (about 4 marines to 1 medic to 1 marauder) with upgrades and just hop from protoss force to protoss force. Rather than mine any gas yourself, just wipe the protoss off the map and you’re free to do whatever. (There’s even a feat of strength achievement for that.)

The Great Train Robbery – The key here is to build a second Factory and simply pump out Razorbacks along with some marine-medic support. Roam around and kill bunkers when they start getting placed. This is easy once you know what to expect.

In Utter Darkness – A fun mission, but my least favorite to complete and one of the 3 hardest ones. Open with 10 more probes rallied to your minerals, a dark shrine, 2x gateways, and a starport. Then wall off the top entrance with another gateway, and plug the holes with zealots on Hold. From there, start producing (preferably with warp gates) Dark Templar, while using your force and the DTs to beat back the first 3 waves (done right, you won’t lose anything but a phoenix or two). From there, you should have enough time to make enough DTs to do a Hold wall on each entrance. If you get to that point, the rest is easy. Switch to building Void Rays, and use your voids/phoenix to focus fire any Overseers (detectors); basically poke at any approaching waves, kill any detectors, then get out before they reveal and kill your DTs. Pepper your base with cannons using all extra minerals, get air upgrades, and when you can, transition into building carriers. At about 1500-1800 kills you’ll likely need to fall back to the high ground, and the kills will start to rack up quickly. Don’t make a single other ground unit besides DTs enough to make full walls. After the first 3-4 waves, whatever ground forces you have are inconsequential anyway as long as your DT walls hold.

Supernova – One of the 3 hardest Brutal missions. I cheesed this one, though I didn’t want to. I got my CC into the far right-middle of the map along with some repairing SCVs and about 12 Banshees. I then waited until the last few moments to slide up and destroy the artifact. I really always had trouble with these missions with soft or hard timers on brutal. I’ve heard doing this mission when you have Thors makes for an easy win.

Engine of Destruction – One of the 3 hardest Brutal missions. This mission is a breeze if you have Banshees and Vikings unlocked (I didn’t so I had to actually start over; Wraiths are too weak). Build a bunker and siege tank (in siege mode) as your defense in the north. Build a second starport and start pumping out Banshees and later Vikings. Use the initial Wraiths to soften the first 3 bases. Kill Medivacs, Siege Tanks, Battlecruisers, the lone Raven in base 2, and if time permits, Bunkers and Razorbacks. Rally your Banshees north of your bunker as none of the attacks feature anti-air units. If you get past the third base, the rest is downhill from there; just keep making air units. I’d suggest squeezing in an Armory and air upgrades as well, and maybe take over the geysers left behind in the second base. A few Science Vessels are nice, and keep SCVs near the Odin to repair him if he gets into trouble (beware, in Brutal the AI will target repairing units!). Later you’ll be attacked from the south after base 4, but either ignore it or mop up with your air. For my winning playthru, on base 5 the Odin actually got down to 24 hp. Close call!

Maw of the Void – This took me several tries, but my key was to get an Armory early and start warming up air upgrades. Later on the Protoss will be 3/3 and your battlecruisers need to match that. Use the DTs you free to soften the bases up and for sure to take out the last northern and southern generators using some kamikaze-like runs; done right you’ll have just enough alive to get both down. If the mothership vortexes half your fleet, send the rest in and wait it out. You shouldn’t lose a single BC, until the last pushes, with proper repairing and a few support Science Vessels. When not attacking, put them in the middle of the map to cut off any protoss transports or attack waves. Same with DTs (but watch out for attacks with Observers). Be sure not to go too slowly; the protoss can win this through attrition as there just aren’t all that many resources when you have a BC fleet.

All In – I pulled back my defense and built 3 bunkers on each approach. While garrisoning them up, build all Siege Tanks and Banshees. The tanks are for defense on both sides and along the artifact cliff base (just keep building until you have a screen-full!). The Banshees are to be sent out en force to kill Nydus Worms while cloaked and add firepower against Kerrigan. I helped my base defense with a line of southeast turrets as well, for the Overlord swarm. To save the artifact later on, build a bunker near it, put some marines in it, and then cover the rest of the artifact plateau with Perdition Turrets.

A Sinister Turn – Get the Robo bay early with a pylon as far back as you can get it. As long as you don’t draw attention to it, it won’t get attacked. Just build Immortals with a few Zealots and Stalkers and you’ll find this easy. Immortals pwn Maar and anything else here. Stalkers start with Blink, so it really helps to Blink them away from Maar after absorbing a few hits. Micro-management of forces really helps on this map.

The Dig – There are three keys here. First, get a defense up early because the first few waves can wipe you out. Even bounce your ground force back and forth until you have enough units. Second, rather than bother with the expansion to the south and moving your bunkers north of it, just bunker the ramp to your base. If you need it later, you can salvage the bunkers. Third, make constant use of the drill to take out Colossus (they give sight to high ground which is killer), High Templar (Psionic Storm destroys tank clusters), Immortals, Archons, and Void Rays when they show up. Queue up multiple targets with the drill to give you more time to develop the rest of our economy and defense. Favor marines and place a few extra turrets for the air waves.

Really, for every other mission, the typical MMM-ball works wonders.

scalable desktop security scanning

Jeremiah Grossman has an interesting post that covers 2 neat topics: scalable scanning and WhiteHat’s hardware setup. Cool stuff on the second part. For the first part, I think watching topics like scalable security and scanning would be important for those who think all this IT and more importantly security emphasis these days will lead to further outsourcing of said roles to specialist groups. I’m not an executive or into accounting, but I am not oblivious to the idea that IT/tech/security is not a core competency in most organizations, and instead is a cost center (i.e. not a competitive advantage either). (Yeah, I like dropping terms I actually learned in school now and then…)

Then again, maybe a specific case like Jeremiah’s is a bit strange. I mean, look at how much their hardware (storage) requirements have to increase, and no doubt they need tools and/or people to make sense of the reports, as their scan targets increase. Perhaps desktop scanning software scalability is not the real battleground, but rather how do you do web security scanning quickly and meaningfully (as a sort of macroscopic/meta vantage point)? While admittedly conceding that you can only get x% of the scanning done via automated means.

It (obviously) crossed my mind that another group who may have the use-case for large-scale scans could be attackers. But that may be a bit of a red herring. Do they need to do such huge scans to be successful? No. Even if they did, as demonstrated by Jeremiah, you’d need some serious infrastructure (provided by botnets no doubt) to power the whole thing. The more of that you need, it seems to me the more said attacker would be exposed. Attackers are still far too successful with smaller-scale, smaller-footprint attacks that can be surgically wielded from pinpoint locations that are not hard to expend. Even assuming the worst, I’d doubt attackers would ever need to move above desktop-grade scanners anyway.

Just thoughts!

symantec hack is whack is a case study

Yeah, we’ve all heard more than we need to about Symantec’s Hack is Whack campaign and the security holes found in the newborn site.

This is what I call a decently Big Deal; a sort of case study in how even a security giant is dropping a site out onto the internet that is full of holes. Certainly Symantec has security experts enough to review their code and make suggestions, or code it up properly from the start. Or at least have some oversight to slow down the process and make sure marketing has their details buttoned up, right? (I’m quite aware that marketing no doubt implemented and ran with this completely on their own, likely through a third party or even fourth party, but my point will remain…)

This really provides a horrible, sobering example of the state of things right now, especially in how important security truly is to organizations. Far too many do whatever they want, until someone pokes the soft spots and points them out. The more public or damaging, the more likely a quick response is forthcoming. And this from a security company!

I’m not going to go so far as to say this is a call to arms for security to be at the forefront of marketing in Symantec or even any organization. That’s a dreamy ideal, but not one I’m thinking is realistic at this point. No one likes security dragging the timelines out and making things complicated!

It should instead be more of a call to arms for executives to care about this sort of thing, which in turn can start permeating that cultural change in everyone else. It just doesn’t work to be 100% reactive. That is still what I call the Big Gamble in organizational security. Roll it out there and hope no one ever cares too much and finds big holes. That or the attitude that you can’t secure it yourself, so roll it out there and let others provide your QA and security testing for you. I agree you can do those approaches, but they can’t be your only approach. You’ll either continue to be laughed at, or you’ll get pwned and not know it.

I may still be a bit idealistic in my viewpoint. In larger corps, they’re just too big to play catch-up on everything that is going on. In smaller corps, they just want to survive and can’t afford to go slow or imbed security in something that may not even exist in 6 months if it fails.

incomplete thoughts: dreamy aspects of a solid security posture

This is another incomplete, but interesting post. Not sure why I started writing this, but I always like the dreamy feel of “best case scenario” types of descriptions. Like what is your dream job? What is your dream vacation? In this case, what is your dream security team posture? I’ve added a thought below in bold. I probably never released this since I likely have said these same items in other blog posts, comments on other blogs, over twitter, and in personal discussions, so it sounds a bit like a broken record to myself.

Simple steps to a strong security posture:

– Staff. Don’t skimp on quality security staff. The anchor of any security team is the skill, talent, and enthusiasm of the top players. It is ok to have some lesser-skilled players or interns. They help provide perspective, an ability to allow senior staff to mentor, be mentored, and possibly do the things that you’d hate to have a $100k staffer do every day like cruise logs or something. In addition, be liberal with their training opportunities, both on and off the books.

– Operate the team as an advisory unit, a monitoring unit, and an active penetration team. Basically, don’t just watch for breaches or react to things already done. Be an internal consultation team for developers, sysadmins, or others who would like or need more guidance on security issues. The team should also be able to and allowed to do planned and unplanned security audits and penetration tests against company assets. It’s not just about implementing, tuning, and addressing trouble tickets about a host-based firewall on desktop systems, or auditing the systems through a central mgmt interface to ensure exceptions aren’t being granted by non-security-minded desktop staff. It’s about helping the business as a whole.

– Be given autonomy and authority in the company to make recommendations, on par with a high-level consultancy. If a security team expects an application to be built securely and offers proper assistance and knowledge to the app team, they should expect to have their concerns addressed reasonably, rather than what often turns into a mgmt political battle or simply ignored demands. It needs oversight over the company assets and IT, really.

– The team should be given some level of operational power or control, especially over their own systems and test systems/networks. Security staff isn’t just about installing endpoint software or watching logs or even consulting or pen-testing internally. They should be able to test and implement changes as needed without having to walk someone else through it or wait (politically and timely) for a real engineer to attend to their ticket. It is my opinion that quality security staff would also make quality operations staff (or quality management in general if that is their focus)…so give them that latitude. (They should also be held as accountable with availability mistakes as operations, when acting in that space.) Of course, this butts up against the problem of having too many hands in the cookie jar, for instance 6 people having access to update firewall rules. That’s 5 extra ways of doing it that don’t match your own philosophy!

incomplete thoughts: 5 of my security pet peeves

This is my getting rid of some incomplete thoughts sitting around in my unpublished bucket. This post could be 3 years old or it could be 3 weeks old, I’m not sure. Peeve #4 is a bit of a reality, and I’m not sure I would today include that in here if I rewrote this today. The ending example goes nowhere, and #5 isn’t finished. Either way, just getting this off my chest and published.

5 of my IT security pet peeves. Notice that these are not necessarily technical issues. I don’t feel like our biggest challenges are technical in nature. And while I might call these pet peeves, they don’t necessarily frustrate me nearly as much as most of my driving pet peeves.

1. No Big Box Tool beats a good admin, but we’re obsessed with the Big Box Tools. I’m not a big fan of all-in-one-boxes or UTM or centralized SOC-in-a-BOX. On one hand, I really like the power that tools have been getting in terms of analyzing and collecting data in one place. Sadly, I don’t think any single box performs better than other smaller tools being used wisely by a crafty admin to achieve the same goals. There is a certain watering down (each piece is lower quality compared to specialized tools) and dumbing down (take the analyst away from the guts long enough and he’ll only know how to work the GUI and not dig deeper manually) and feature-bloat (try to pack every option that 10,000 companies will use but no company uses half of them at once) to big boxes that simply cost in terms of quality. The real key here is whether you have a crafty admin with the time necessary to wisely wield those surgical tools. Instead, we too often take the quality hit to save some money…

2. Not enough time. In our American culture, we have this obsession with milking productivity from our workers. We demonize leisure time, personal time, even vacations; maybe not openly, but we insinuate that anything less than 100% is bad. This trickles down into IT staff who have little free time to improve their situation beyond rushing from one fire to the next, or one project to the next. You know you’re in this situation if you’re doing task A, notice that issue X is occurring just because you happen to see it, but know you won’t ever get to it and so just leave it. Security cannot be improved when time is booked. Either you don’t have the time to properly tune tools, investigate alerts (we’ve all had days where 1 alert takes 1 hour and days where 1000 alerts take 5 minutes), do simple audits to verify security, or keep on top of current news. Let alone the mistakes that will be made due to the pressured time-boxing… You want to improve security? Improve the time your staff has to find and make enhancements. Anything else just means everyone relies on the audits and only does what is prescribed at the time. (This also means your staff needs to be enthused about security, and not just use their extra time to surf YouTube. If you don’t have enthused staff, then replace this item with: People who don’t hire enthused staff!)

3. Too many people still believe ignorance (or ignoring it) is an effective security strategy. I’m borrowing this straight from the article I just posted about earlier, because I think it is an epidemic (pandemic) problem. That noise coming from your engine? Yeah, it’ll go away, right? It wouldn’t happen to us! I think ignorance and human habits of ignoring problems is a real issue. I understand that some risks are accepted and not every problem absolutely needs resources pushed at it to solve it, but collectively we’re sucking with even the basics of digital security. (I think most organizations scope-limit their auditors from half the stuff that is wrong.)

4. Convenience trumps security, or, security is never as easy as it sounds. There are a few tasks that sound easy but illustrate exactly how time-consuming really managing security is: data classification company-wide, account oversight and review, file server permissions audits, knowing exactly what data is where (yay laptops!), log reviews, and change management. Convenience trumping security is a more appropriate way of saying functionality over security.

5. We want security now, for free, and to last for years without further inputs. How many PCI projects have we collectively seen that have deadlines? And after that deadline, PCI (or security) is considered done and the consultants/contractors let go. That’s a win for sure!

Just to juxtapose a few items from above, here is one scenario. You have a not-very-technically-proficient security admin in your company. He’s not given the most access, probably not enough to do this job effectively. He doesn’t have the ability to implement proper NSM without the techs making his requests bottom-of-the-barrel priority. In fact, he doesn’t have much more than the ability to get an All-In-One-Security-Box. Likewise, said security box doesn’t give him much data for an alert. Oh, and by the way, he’s an important admin who talks with execs every few weeks with some certs under his belt, so he feels he gets paid more than someone who does the grunge work like reviewing logs, accounts, or testing those firewall changes. So no one really checks that stuff. When audited, the admin knows just enough to give the auditor enough for a report, keep him away from the things he knows suck, but not enough to allow the auditor to expose underlying issues.

incomplete: a better representation of risk and compliance

I really don’t know where the fuck this post came from or where I was going with it. It offers nothing, but the picture links are fun! Took me a bit on the wildebeest one to realize I was trying to say “just another beest in the herd” with the “middle” pic. To my sensitive readers (really, there are sensitive security geeks?), skip the seal pic.

1. Too many words in PowerPoint presentations are bad. More creativity, more pictures, more visualization. Less words, less boring.

2. We also have this need to give quick representations of our risk or compliancy to management, often in the form of scores or grades.

I think these ideas should be combined “mashed up.” Screw the grading scale of A, B, C, and the levels like high, medium, low.

Imagine: You walk into the board room with several managers and execs. They get around to asking you how the company looks as far as compliance to PCI and/or your desired security level. You stand, flip open your notebook, and pull out a card that displays this picture:

[image: seal clubbing]

I don’t have to give details, I think it speaks for itself: STATUS BAD!

Here are some more examples of compliance status levels.

[image: Bad]
[image: Medium]
[image: Good]
[image: Good]

incomplete: shmoocon podcaster’s meetup interesting topics

I wrote this months ago but I guess I forgot to publish it. Maybe I wanted to proof it more? Who knows, but here it is. Any non-bullet points that are bolded were added by me just now.

The mess that was the 2010 Shmoocon podcaster’s meet-up audio is available. I totally could use not hearing Paul “shhh” on a mic ever again! The talking was pretty crazy and all over the place, even disrespectful (hey, beer was involved, so it’s forgivable), but I feel like they did touch on some extremely important questions. Questions I’d love to hear them discuss again in a more refined situation (arguably, a podcaster’s meetup is more party than panel, however!).

There are no correct answers to these topics! That is probably why opinions in these discussions can be very passionate and even violent! Sometimes in certain properly bounded contexts, there are correct answers, but mostly not.

(Late update: Personally, the more I listen to Chris Nickerson, the more I appreciate his frank opinions and where he has his head. It’s in the right place, and while I know he can have an acerbic sense of humor to some people, he’s increasingly one of those voices worth listening to if he tells you something.)

1. exploit vs not exploit – I’m not sure this topic was given its fair due, but I’m not sure everyone was on the same page in the discussion anyway. Andy Willingham gave this the once-over already in a blog post. The topic brings up good questions on what you do on a test and what is actually meaningful. I notice I didn’t really weigh in on this topic, and honestly the view from the fence is fine for me and probably reflects both my security and operations sides.

2. SMB vs large enterprise – There is a big gap that is hopefully becoming less the elephant in the corner and more one of the usual voices in the conversation. The world of the SMB in security is dramatically different from that of an enterprise or a city-state-nation. Approaches that work for large enterprises can be ridiculous for SMBs, and vice-versa. I think it matters that this came up multiple times. This still needs to come up, and the topic deserves a month of posts in itself.

3. properly presenting findings/recommendations to a business – I’m finding it hard to word this topic, but it really runs the gamut of how you present security to an organization. And this digs at a very sensitive topic: security aligning to the business. I sympathize with all sides to this discussion. You could give the security teams and CSO their highly technical reports and let them distill it down to what is relevant. Or you could align yourself with the business and report your findings directly to someone like the CEO, in the CEO’s terms. Honestly, maybe pen-test teams need to have both capabilities and have that project manager/lead who is the one that acts as a temporary CSO in the absence of one. This is a great topic, by the way, and I think really demonstrates the art and the versatility today’s security experts need to have; both the technical chops and the strategic chops and the ability to know when to use each.

4. “good enough security” – I think it was Mick from Pauldotcom that brought this up, and it didn’t get enough treatment, although I think this is also just as passionately divisive a topic as any. When you accept that there is no ultimately “secure” state, or there is no “win” in security, then you really do subscribe to some form of “good enough security.” Where that proper line is drawn is really the art of risk management, and that line is probably far lower for SMBs than large enterprises. Security pros these days have to be able to get into the mode where it’s not just about violently defending every little insecurity, but about recognizing each issue as part of the whole. Bad password policy? Fix it!! Outdated SSLv2 cipher on an internal app that is 5 years old used by one team? Consider letting it slide. (Side note: This is where lack of real security chops can bite many people in the ass. It is inevitable that non-tech people will look at issues presented and demand fixes for each one, even the “low” priority ones. This creates wasted effort and inefficiency…and so on.)

5. privacy differences between europe and the us – I thought this was an excellent question by Nickerson to spark some conversation on a topic I hadn’t really dwelled on before. Because Europe has a different emphasis on privacy for people, they have an entirely different mindset in regards to security in organizations. Not saying it’s all good, but the difference can be useful.

6. listening to internal security experts vs paying someone outside the company to say the same damn thing – Good point on this topic, and I think every penetration tester or consultant or third party needs to not just work to align with the business and talk in a way the CxO understands, but also empower and support those internal persons who make security happen. Recognize and empower (and not undermine!) the talented security folks out there. Build networks, exchange advice, encourage; don’t have an antagonistic relationship with them, plop down some mysterious report on a CxO’s desk, then walk away briskly. Try to change the way the CxO views her internal support staff so that we can Get Shit Done. But yes, it really, really sucks when a CxO pays top dollar to get a report that says the exact same thing I may have been saying for years.

If there’s any topic I’d love to have brought up because it fits with this motley crew of passionate voices, I’d have asked opinions on MSSPs vs internal staff, both for large enterprises but also SMBs.

incomplete: fundamental cultural changes caused by the internet

I’m sure there are plenty, PLENTY, of other essays by far smarter people than me on this topic, so rather than let this languish in the “polish this up” bucket, I’ll throw it out as is because I know I’ll never truly ever finish this. Still, this actually reads fairly decently for a 30-minute stream-of-consciousness bit. Oh, and I know it’s not ten!

Ten Ways Internet/Computers have changed our culture deeply.

– I barely know what a phone book is anymore. If I want to find a location or phone number for a business or category of business that I need to visit, I’ll search for it on the web. This is a culmination of easy, extensive searching and ubiquitous web presence. Phone book? Ok, I’ve used it to find a mechanic on a Sunday…

– Dispelling irrational answers to questions – Back when I was a kid, you had four places to glean information, in general: media, teachers, parents, public library. Media would have included newspapers, magazines, radio, and television. All of these meant effort and a certain expectation of trust. The web still requires trust, but I can much more quickly find corroborating stories and information and weed out the misinformation. While the web may not give accurate information all the time, it at least gives me a better chance of self-serving accurate information.

– I’m more in control of my time. While the Internet seems to suck time away with an infinite number of things to do and see, it does let me bring back time control into my life. Rather than wait for 30 minutes in the evening news to see the sports scores or tomorrow’s weather, I can get it immediately online. I can skip the things I don’t care about, and read more of what I do care about. I can shop and order products online, research and compare.

– I’m more in control of my tastes and interests. In my youth, I was only exposed to whatever was near at hand, for the most part. Musically, I only experienced what was available on the radio, television, or through friends, all of which precluded most anything that was not pop-oriented. With such portable media and access to anything I want, I can expand my boundaries and listen to musical media that I never, ever will hear on the radio in the central United States. As a kid, if I wanted to figure out the solutions to a particular video game, I had to wait for it to be released in book form, in a magazine, or advice from friends in my neighborhood. My neighborhood for interests is now limitless, and I don’t have to leave a game unsolved.

– My social network has grown. As a child, I had a finite number of people I knew and could spend time with, all of whom had to be in close proximity to me, unless I picked up a pen pal. Today, I can get first-hand information about life in China through knowing people either in chats or other social networks, or through their blogs and stories.

– My idea of a job has dramatically changed. I can’t actually imagine what I would do for work without the computerization revolution. I have not experienced office work without automation or computers or digital information. I’m not that removed from such an archaic workplace, but it certainly seems a world away.

– I am a much more informed and well-supplied consumer. Rather than rely on a magazine, friends, or in-store help, I can self-serve online research on what products are good and which ones to avoid. Hell, I can also buy things online without getting up off my ass, either from storefronts or auction sites. In fact, not only can I research online, but if I want specific item ABCD, I don’t have to hunt my city for it and maybe walk away empty-handed. I pretty much *will* find it online, somewhere.

incomplete: leveling up your security career wow-style

This is an incomplete thought I first jotted down a while back, but never fleshed out into something more coherent. I liked the thought though, and wanted to just release it as is and get it off my “unpublished” list! I was reminded of this post by Rothman’s recent Securosis blurb about practice (way at the bottom). Thoughts added just now are in bold. Keep in mind this is incomplete, unedited, and unpolished. I ramble and mix things and even repeat things with wild abandon! Oh, and even now as I play some Starcraft 2 and get my ass repeatedly stomped in Platinum 1v1, I know that I can read and practice against the AI and read some more, but nothing will replace actual experience in going into another game and getting stomped and learning the hard way.

I’ve not made it a secret that I’ve been an avid World of Warcraft (WoW) gamer for years. I definitely don’t play as obsessively as I used to (for those in the know, I ‘hardcore’ raided MC, BWL, AQ40, and even some of Naxx40, then skipped ahead after a break to ‘softcore’ raid Hyjal and BT pre-nerfs; since then I’ve done a couple naxx25 clears and that’s it beyond 5m heroics and casual leveling), but even my casual playing sparks some interesting thoughts now and then, especially when it comes to “leveling up.”

In WoW, and really any other RPG game, there are a few key tenets to making the most of your effort. Surprisingly, these tenets can match exactly across to real life endeavors. And every time I put forth some effort to improve one of these tenets in WoW (leveling up a toon, making some gold…), I’m reminded of the opportunity cost of putting that effort into something more tangible like my security career. (Don’t get me wrong; I’m a lifelong video game hobbyist, and I’m not saying video games are useless, but it shouldn’t dominate one’s time, just like any other hobby pursued in leisure time!)

So if you find yourself stuck in an MMORPG gaming rut, start looking to translate that effort over to something useful in security. This may start with asking yourself what it is about gaming that is relaxing, and why security does not bring that same relaxation. If it relaxes, stimulates, and makes you happy, then your free time will be spent in it just as casually as a 4-hour trip into WoW.

1. Knowing your class. From here I was going to go into knowing your skills, strengths, and weaknesses. In WoW, a warrior class doesn’t try to heal, and translate that into security skills and roles…somehow.

2. Grinding (aka leveling up). This is pretty basic to any role-playing game: your character gets stronger the more experience he gets, aka “leveling up.” In gaming, “experience” is usually a value, even if it is hidden behind the scenes, which accrues as you fight and kill monsters. As your experience increases, you gain more power, and can tackle more powerful monsters, which will gain you experience…and so the hamster wheel begins to turn. A more physical version of this is lifting weights and slowly increasing your limits as your muscles and supporting structure build and grow.

Sometimes this is a “grind.” “Grinding” in WoW means the slow cycle of killing monsters and doing the same ol’ quests to gain your experience; basically it becomes a long, boring grind…kinda like work!

Growth in a security career comes much the same way; the more experience you have, the better you are able to handle the challenges in front of you. Often, this is gained by simply doing security-related things. The more nmap port scans you run, the better you are able to tackle complex scans. The more you use Metasploit to expand your empire, the more you can dig into the lesser-known components of the tool and not get bogged down on strange gotchas. The more PCI audits you do and reports you make, the better and quicker you get with them, and the more value you can provide efficiently to your client.

We often don’t have an end goal in sight, but rather know that we simply want to level up.

3. Leveling up tradeskills. WoW has what are called “tradeskills.” These are skills you build up by doing that activity. For instance, Fishing and Blacksmithing are two tradeskills. You can fish better and do blacksmithing activities better by, well, doing them in the first place. For something like blacksmithing, the higher your skill, the better your opportunity to make really cool and valuable things.

In other words, if you want to be good and useful at something specific, you have to practice it and get better, especially when it comes to various skills you want to acquire. Unlike leveling up, most often this begins with an end goal in mind, for instance, being able to use a particular skill to create/do XYZ which will gain you money or notoriety.

You want to be good at public speaking? You have to do some public speaking. You want to be good at coding exploits? You have to code some exploits. You want to be good at picking locks? Obviously, you have to pick some locks. (Nicely, WoW has a lockpicking skill you can build!)

And just like starting out your skills at a puny level in WoW, you usually start small. You do some low-key public speaking. You walk through an exploit tutorial. You pick training locks.

So if you want to be known as being good at some tools or aspect of security, you gotta practice it and build up your skill. This isn’t so much a part of your character and confidence like leveling up your character, but more like being good with the tools you have and want.

In WoW, you can leverage these grown “tradeskills” to make in-game money so you can buy cooler gear and weapons. In real life, well, these skills will get you nice REAL things.

4. Gearing up. In WoW, your character’s success relies on more than just his level (aka amount of experience earned). Success, especially as you get further into the game, resides very much in the gear and equipment you’ve acquired for your character. You won’t be very successful with a low-level sword, but if you find a badass high-level sword which you can use, you’ll be nicely ready to do some damage to the next red slime that oozes your way. Gearing up means a few things. First, giving yourself a chance to get/buy/find the gear. Second, knowing what gear is useful to you.

Security careers have the same dilemma. Some tools are going to be useful to you, but some will not.

Strangely, WoW doesn’t have unlimited inventory space for you to keep 1000 pieces of gear. In life, you really don’t have the aptitude and time to likewise hold onto and learn 1000 tools. Figure out what you need to improve, and pursue the tools that will help you succeed in your goals.

WoW players can put a ton of time into picking out, pursuing, and testing out their gear.

Oh, and don’t forget that you can get a bit literal with “gearing up.” A nice pair of slacks and a tie can increase your chances of getting what you need out of management, at times.

5. Socialization. The “MMO” part of the MMORPG genre means “massively multiplayer online,” meaning you’re playing with lots of other actual people around you. You can spend your time in a game like WoW and never bother with anyone else, but you’ll only be able to learn on your own so far, and you certainly cannot see most of the end-game content and challenges unless you socialize to some degree. Most often to experience end-game content, you have to join a guild (a group of players, much like a team) and start participating in group runs through tougher dungeons.

Obviously, careers are the same way. You can probably get by on your own for quite some time, but there will be many doors you simply can’t open or even get near without socializing with others in the career, whether that is simply networking to find new opportunities, gaining contacts you can turn to when you need assistance, or finding smart people from whom you can learn new skills and knowledge. Better yet, this also means socializing with people more “newb” than you are, which gives you a chance to reinforce your own knowledge by regurgitating it to others to help them.

incomplete thoughts: really changing the game?

This is an incomplete post that I never published and don’t see myself truly completing. And rather than keep it in my list of nagging unpublished things, I thought I’d release it to the wild that is the blogs.

First, go read Rocky’s piece over at fudsec on changing the game. Then read Mortman’s response over at Securosis. Those two links started whatever thoughts I had below…I think some are points the authors were making, and others are my own responses…but I don’t recall. Any current thoughts I’ll bold.

This quick, dirty synopsis is for my own benefit to better dissect the point of the article, and also demonstrate what I took away, in chunks.

1. The Information Domain is manmade, and it is a domain where we can change the landscape, not be bound to changing for it.

2. We’re short-sighted, rather than long-sighted. We tackle immediate hurdles rather than perform city-planning.

3. Need to change from short-term fixes to long-term strategy.

4. 3 ways: leadership, research, information sharing.

5. Leadership: No one is jumping to save us. We need to lead the way.

6. “[Businesses] need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk [to the business, not necessarily to an asset].”

7. Too much of what we measure is point-in-time.

8. As infosec pros we have let compliance initiatives drive spending and have ridden along for the ride.

9. We lack the knowledge of the business and how to apply what we do in a meaningful way to the business. I still find this an arguable point. In some cases, the business needs to understand IT (and security) more to better understand business continuity… Nonetheless, this is usually the weakest point in topics like this, not because it is not true, but because it is arguable and situational. Can we always convince business to treat security more aligned with the business or part of the core business line? No. How often are we satisfied that security is good and top notch? Not often, if ever.

10. Vendors fall into the hole of non-innovative solutions that are just meeting our needs, without pushing forward. Vendors need to be thought-leaders. In turn, vendors need to listen to their customers and deduce their actual needs. Consultants need to listen better. Vendors are in the same boat as internal security experts: trying to sell the idea. It would be far easier to be thought-leaders if security weren’t already perceived as dragging on the heels of innovation and itself being dragged into the boardrooms by breaches/regulations. Huge point about consultants!!! Need to listen better and the industry needs to ditch or teach the charlatans.

11. Get past the “way it’s been done.”

12. Research. We need to support research. Research should be revolutionary, not evolutionary.

13. Information Sharing. Collaborate with industry competitors.

At this point my notes ended.

thoughts on the 2010 verizon dbir

Over a month ago, the 2010 Verizon DBIR was released. I’m still reading through it, but wanted to point out a low and a high point on the report. The low point (and by low, I’m not saying a horrible point, but rather just the lowest point in an already excellent and needed report!) of the report is including a significant amount of US Secret Service data. While this may prove over the years to be a very good inclusion, for now the USSS data obviously influences the percentages and totals. Of course, Verizon’s data set itself may have influences…so maybe the answer is to get more and more contributors and USSS is just the first.

Now, the USSS dataset influence is addressed many times in the DBIR itself. Which actually brings up the high point: the presentation. I love the way this report is worded, almost conversationally. They are candid with the data, point out conclusions, and even fuzzy places where you should maybe take the resultant data with a grain of salt due to whatever reasons. I totally appreciate that! In past years, I could make some inferences from the data that were not covered in the text, but I feel like this year the authors did a great job of analyzing and conversing about the data. I don’t actually feel like I can or need to infer my own conclusions. (Granted, you have to read the text to get that point, as the figures/graphs themselves can be misconstrued when out of context, in some cases.)

Also, the cover has a hidden message again, this year. This continues to lend “geek cred” to this report, along with the conversationally honest writing.