Monthly Archive for August, 2009

Cures versus Treatment

A relevant tale of medical survival over at The Reality-Based Community:

Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged university hospitals of the whole city.) He had both leukaemia and HIV; you wouldn’t have given much for his chances. Now he has neither. How?

The great cancer researcher and medical writer Lewis Thomas wrote this in 1983 (The Youngest Science, endnote to page 175). The context is his stint as an adviser on health policy in Lyndon Johnson’s White House in 1967:

We recognised three levels of medical technology:

(1) genuine high technology, exemplified by Salk and Sabin poliomyelitis vaccines, which simply eliminated a major disease at very low cost by providing protection against the three strains of virus known to exist;

(2) “halfway” technology, applied to the management of disease when the underlying mechanism is not understood and when medicine is obliged to do whatever it can to shore things up and postpone incapacitation and death, at whatever cost, usually very high indeed, illustrated by open-heart surgery, coronary artery bypass, and the replacement of damaged organs by transplanting new ones…

and (3) nontechnology, the kind of things doctors do when there is nothing at all to be done, as in the case of patients with advanced cancer and senile dementia. We suggested that the rising cost of health care was resulting from efforts to treat diseases of the halfway or nontechnology class, and recommended that basic research on these ailments be sponsored by NIH.

Thomas’ analysis still looks spot on to me. But his optimism has so far not proved justified: the billions poured into medical research ever since have led to many improved treatments but disappointingly few cures. The ideal state for Big Pharma is represented by the state of the art on diabetes and HIV: costly lifelong treatments. For most lethal conditions, we don’t have even that.

Information Security also seems to be stuck in the “halfway” technology mode. We treat the symptoms by patching and deploying security products to prolong survival, but as of yet, there is no cure.

In most organizations, it’s even worse. Lack of basic knowledge and awareness, lack of funding and/or misplaced risk tolerance produce more nontechnology, such as Business Acceptance of Risk Forms and Security Dashboards where vanity metrics provide CYA.

Even when we know what the Right Things to reduce a risk are, whether turning off the TV, eating right and getting some exercise, or removing admin rights and keeping crapware off the machines, we as a society and as companies all too rarely seem to have the will to make it happen.

To twist a line from Dean Wormer, “Fat, dumb and pwned is no way to go through life, son.”

I’m OK When The System Works – Even If It Is A False Alarm

———————————

UPDATE: @lbhuston gives us the dirty lowdown here: http://stateofsecurity.com/?p=766

———————————

This was a test of the emergency broadcast system. This was only a test; had this been a real change in the Threat Landscape…..

You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of a CD full of malware to a credit union.

Before we go any further, the following caveats totally apply: I’m pretty close with several of the actors in this “incident”. In fact, had this been a few years ago, there’s a good chance that I would have been the guy responsible for building the forgery and burning the CD. So my biases are apparent. And I have purposefully not talked directly with any of the parties (MicroSolved, the credit union, NCUA, SANS, ThreatPost, etc…) before sharing with you my impression and what I take away from yesterday.

So yesterday, there was an alarm raised about a “new” form of attack, purportedly against “banks” or even “the financial infrastructure” if you believed at the time what you saw on everything from national media websites to Twitter. What has been revealed so far to have really happened was this:

A credit union received a mailed CD and letter that looked like it was from the NCUA (the gov’t body in charge of CU regulation and governance) claiming to be training materials to be viewed on a PC. But the credit union saw this as a forgery, and escalated the matter. Somehow, this attack then turned into multiple attacks on “banks” by the time it hit “big” media. An alarm went out, and basically by early afternoon, any credit union security admin who could fog a mirror knew that there might be something focused at them.

Except that it was really just part of a contracted, valid penetration test by the security firm MicroSolved. So really, it was a false alarm.

I would just like to state that I think:

THIS IS NOT A BAD THING*

Real quickly, let’s get this out of the way. For there to be a false alarm, several things must have failed yesterday. Having worked for MicroSolved, I can tell you that the paperwork we developed there for scoping is pretty durn good. When I worked there we set bounds, we described who needed to know and who didn’t, gave expectations as to attack type, general time frames to expect it, and so forth. The scoping and execution processes were always phenomenal (pats self on back). But as an outsider looking at it now:

There May Have Been A Problem With The Penetration Test Scope.

This could have come from one of two sources, MicroSolved, or the CU. MicroSolved could have stepped out of bounds with scoping, or somehow unwittingly created an exception to a tight scoping process. Alternately, the CU themselves, as they were going through the scoping process, might have left out a key player on their side who is part of the fraud reporting process. I say that because:

There May Have Been A Problem With The Credit Union’s Internal Processes.

For the mailing to get to the NCUA as an actual incident, it would mean that either the credit union had poor fraud reporting processes, or someone at the CU probably didn’t follow procedure and reported to the NCUA out of process.

There May Have Been A Problem With The NCUA Alarm Process.

We don’t know what happened to cause a pentest to be reported as an actual attack, but somewhere once the ball was handed to the NCUA, there should probably have been a verification process in place (I say this having talked last night – well, laughed is more like it – with ex-NCUA InfoSec friends). I’m guessing that there may have been a failure here, as well.

There May Have Been A Problem With The General Reporting Process.

By the time it hit SANS, SCMagazine, ThreatPost, Slashdot, The Washington Post, etc., the incident grew from one credit union to pretty much the imminent collapse of the financial infrastructure of western civilization. Again, verification and fact checking. How it got from one CU to multiple, or even across the stream into banks, is not known.

With That Out Of The Way…

But if we look at what happened, and the time frame in which it all happened, we can see a lot of success:

  • MicroSolved did the right thing in executing a feasible, clever attack.
  • The Credit Union did the right thing in recognizing the attack and reporting it (even if out of process – believe me, as a veteran of Credit Union SE attacks – they could have not caught the attack or even just thrown the material away and not reported it).
  • The NCUA did the right thing and got the word out.
  • The Press/Media/Alerting System did the right thing and raised the alarm.
  • Even we, the Security Professionals via phone to friends and via Twitter, did the right thing as a group and put the notice out.

So rather than playing a cynic and saying the system failed because a false alarm got out, I think we can say:

We Did A Pretty Good Job*

Now of course, the asterisks in both positive statements above should suggest to you, my wise reader, that I know that repeated false alarms are a bad thing. And there are certainly lessons learned here. But pretty much, the system of alarm worked. We did all right. And we did much better than one alternative: not sharing information about a perceived critical change in the threat landscape.

Bottom line, we shared information – and that’s pretty durn NewSchool if you ask me.

Visualization Friday – Back From Hiatus

Hey all, sorry it’s been so long since I put up some eye candy. Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: http://www.informationisbeautiful.net/

So without further ado, your Visualization Friday Posts (some pertinent to the display of information security metrics and knowledge, some just downright fun & cool).

INTERACTIVE DATA SCULPTURE

From: http://infosthetics.com/archives/2009/08/virtual_gravity_the_physical_weight_of_data.html

WORDS OF WISDOM FROM STEPHEN FEW

Ok, so not a visualization, but information expression architect (my made up title) Stephen Few shares some thoughts on visualization and real world examples of impact:

http://www.perceptualedge.com/blog/?p=601

Seriously, if you’re going to develop and present dashboards or PowerPoints about security metrics to any audience, but *especially* decision makers, I’d get into Stephen Few.

THE GREAT CITIZENRY FIREWALL

Did you know about the Schengen Wall? Here’s a great map-based visualization about it, found at http://www.informationisbeautiful.net/2009/walled-world/


JUST FOR FUN

The Total Eclipse of the Heart Flowchart.

Mike Dahn Wants to NewSchool PCI

And I couldn’t agree more.

Capability and Maturity Model Creation in Information Security

PS – sorry for using “NewSchool” as a verb.

Suing Into the Box

Today’s New York Times has an interesting article, “A Lawsuit Tries to Get at Hackers Through the Banks They Attack,” about the folks over at Unspam who are suing under the Can-Spam Act in an attempt to get the names of miscreants who have been attacking banks. More interestingly, they are hoping to force the several banks they are suing to cough up information about the nature of the attacks and who was attacked. They hope to use this data to get a better idea of how these attacks are occurring and who is perpetrating them. While I have some concerns about this approach, it is without a doubt an interesting way to go about getting the data. Now we get to sit back and see how hard the banks fight back. Time to get out the popcorn; this will definitely be interesting.

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t *force* anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

My three:

  • De-stigmatize failure. Today, we see the same failures we saw yesterday because we don’t talk about what went wrong. We laugh and point fingers. We need to admit that everyone gets hacked, get over it, and start talking about how it happened and what we can do to learn from it. (This isn’t the same as accepting failure, it’s saying that we understand it happens, and starting to distinguish between what failures might be in our control, and how to expound that set.)
  • Gather data. This is a mirror to the de-stigmatization of failure. The czar should gather as much data as they can on a need-to-share basis, starting with federal systems. What happened? How did the failure manifest? Were there controls in place? Were they credible? Were they managed and monitored?
  • Shoo the mathematicians. No, not shoot, shoo. Send them off the pedestal for a while. Security is a social value, and as a social value, we need to study the human aspects of it like we did at the workshop on security and human behavior. [Update: What I really want is not to eliminate math, but to move to a diverse set of analytic tools. Of course we need math to analyze data, but I think we've gone too far with mathematical models, proven security, and need more engineering rigor. Engineering rigor is obviously based on math, but not done by mathematicians.]

These three goals are possible from a bully pulpit. They don’t require a lot of budget. (Heck, the datalossdb.org guys do it on a volunteer basis.) They’ll be transformational in the way we approach security.

Bonus fourth task: fine anyone $20 each time they say “best practices.”

What’s your take? What should the czar be trying to accomplish?

[Update: Pete Lindstrom takes up the challenge in "If I were a Czar." Who else wants to take a whack at it?]

Heartland/TJX/Hannaford hacker caught

I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions:

  • Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI announcement in February, it seems patching SQL Server wasn’t the issue, that these were all SQL injections against either custom code or possibly a library that all the victims were using. (Pointers appreciated.)
  • Will the number of breaches reported by retailers fall by more than 10% in the next six months? (Bets appreciated.)

Mortman/Hutton Security-BSides & Black Hat Presentation Available

Hey y’all, happy Monday morning. I’ve put Dave’s and my presentation for Security BSides up on SlideShare:

http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation

Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model. I hope you will enjoy!

PS – There’s probably audio available for the preso on the BSides site somewhere if you’re really interested.

Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re Doing It Wrong

There’s been lots of discussion here and elsewhere about what’s wrong with GRC as a market, and that discussion is pretty spot on. However, last week, I was chatting with Alex and it suddenly hit me that while GRC doesn’t work, the very concept is even more broken than we had previously thought. I briefly mentioned this last week on Twitter, and promised a more complete breakdown this week, so here we go:

First off, it’s not about governance, risk and compliance, but rather about compliance, governance and audit with risk being both an informer and product of the Compliance, Governance, Audit (CGA) process. So once again we have one of Andy Jaquith’s Hamster Wheels of Pain, with risk as an externality.

[Pretend I put a fancy graph with arrows here]

First, you have a perceived risk. That risk might be the fear of government legislation in your space (hence the creation of PCI), it might be something bad happening to a competitor (lead paint on children’s toys), or anything else really. The result of that perceived risk is some sort of compliance demand, which may be formal like PCI, SOX, HIPAA, or informal: the CEO declares iPods verboten and every employee must carry a Zune, for instance. In other words, compliance is just a declared requirement to do (or not do) something. To totally abuse a metaphor, this kind of sounds like the legislative branch of the government.

Secondly, the compliance requirements drive governance requirements. Governance is just a sexy word for enforcement of compliance. In other words, governance is the series of controls and processes you will use to ensure that the compliance need is being met. To continue the metaphor abuse, this more or less maps to the executive branch.

Finally, we have audit. Audit is, in the simplest terms, the group that interprets the compliance requirements and then takes those interpretations and applies them to what the governance group did. Sounds a lot like what the courts do (minus the ability to declare certain compliance requirements null and void).

As the cycle rotates, we have a new state of being which changes both the real and perceived risk states. This new perception drives changes to compliance, which drives changes to governance, which drives changes to audit. Lather, rinse, repeat.

The net result of this is that (once again), it’s really about risk, even when you don’t think it is.

Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan Shimel’s “Heartland CEO thought QSA’s would make him compliant and secure.”

Rich wrote:

It is unfortunate that your assessors were not up to date on the latest electronic attacks, which have been fairly well covered in the press. It is even more unfortunate that your internal security team was also unaware of these potential issues, or failed to communicate them to you (or you chose to ignore their advice).

One definition of insanity is to keep doing the same thing over and over and expect different results. Without disagreeing with Rich about the responsibilities of the CEO, we in infosec make lots of assertions about what other people should know. But we rarely test if our attempts to educate get through. There are lots of people who assert, correctly, that the CEO needs to know X, Y and Z. But it’s the responsibility of the people under him to communicate effectively, and reading Brenner’s interview, it’s pretty clear that Heartland’s infosec people didn’t deliver a message that sank in. What’s the message that sinks in? Real hard numbers about how often these things happen and their impact, so the CEO can allocate scarce resources based on something other than assertions that he must invest in this or that. Switching gears for a moment, Alan wrote:

Isn’t that the real travesty of our industry though? Only after the cows have run out and the barn has burned down does anyone really give a crap. Even by his own admission with what happened to him and his company, when he goes to talk to others in his industry the feeling is still it can’t happen to them. What will it take? Does every single one need to have a security incident?

What it will take is talking about what goes wrong. That’s why I’m glad Carr is speaking out, but he’s doing so anecdotally. As Carr asks:

The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.

Why can that malware be used in 300 attacks, and “compliance” not involve a validation that the AV in use will catch it? It’s because we don’t talk about what’s going wrong. We keep saying the same things over and over, and hoping that they’ll work differently. But here’s a prediction: if the QSAs had said “your anti-malware is missing malware that’s been implicated in 300 breaches,” that issue would have been cleaned up inside of days, either by the vendor adding signatures, or being replaced.

The outrage is that we’re still, as Carr and I put it, sweeping it all under the rug.