The New School of Information Security » Doing it Differently

How to mess up your breach disclosure

adam — Fri, 30 Mar 2012 15:57:46 +0000

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers.

No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary.

It’s always nice to see clear reminders that the way to get people excited about a breach is to dribble out the information. For what little the public knows, to help Brian Krebs piece together the story and decide how the public will come to understand it because Visa and Mastercard aren’t talking, see MasterCard, VISA Warn of Processor Breach.

Doctors Make Mistakes. Can we talk about that?

adam — Mon, 26 Mar 2012 15:22:28 +0000

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?”

When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about their own mistakes. If I were to walk into a room filled with my colleages and ask for their support right now and start to tell what I’ve just told you right now, I probably wouldn’t get through two of those stories before they would start to get really uncomfortable, somebody would crack a joke, they’d change the subject and we would move on. And in fact, if I knew and my colleagues knew that one of my orthopedic colleagues took off the wrong leg in my hospital, believe me, I’d have trouble making eye contact with that person.

That’s the system that we have. It’s a complete denial of mistakes. It’s a system in which there are two kinds of positions — those who make mistakes and those who don’t, those who can’t handle sleep deprivation and those who can, those who have lousy outcomes and those who have great outcomes. And it’s almost like an ideological reaction, like the antibodies begin to attack that person. And we have this idea that if we drive the people who make mistakes out of medicine, what will we be left with, but a safe system.

But there are two problems with that…

I’ll just say, security professionals make mistakes, too.

Can we talk about that?

Feelings! Nothing but feelings!

adam — Thu, 15 Mar 2012 15:14:31 +0000

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became a Botnet Server ”

It felt weird. It really did. I’m glad I did it. I want to continue to be able to talk about owning up to mistakes, and a big part of that is how we feel about talking about it. It’s all to easy to talk about something else, and not learn from it.

On which, kudos to Chris Hoff for talking about his story in “A Funny Thing Happened On My Way To Malware Removal….” Kudos to Jeremiah Grossman for owning up to being “Terrified” before getting on stage. And kudos to Bill Brenner for writing his OCD Diaries.

Despite our aspirations, we’re not computers. We’re not fully rational beings. We’re collections of tiny advantages collected in an expressed genome. We are products of our experiences through life. Pretending it’s all about the technology hasn’t worked.

I’m eager to learn from my mistakes and share the lessons, but I don’t always see those lessons myself. So sharing the stories and learning from each other will give us advantages, let us become products of not only our experiences, but those of others, and drive our ability to make information security a lot more fun.

Seeing more than the technology is one of the key themes that Andrew and I wrote about in the New School, and I think it deserves more attention.

We’re not going to be all about feelings here, but we’re going to talk more about the human side of security.

Entice, Don’t Scold

adam — Wed, 14 Mar 2012 14:53:25 +0000

I really like what Adrian Lane had to say about the cars at RSA:

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering.

Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomena”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchochkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

It can sometimes feel like security experts spend their lives failing to empathize with the fellow who wants to look at the cool car. Rather, we scold and declare everything a large risk. What a pain! We need to understand the people who we’re there to protect, and treat them as human beings.

We need to entice them to do what we want. The bad guys know this. We scold people about clicking on dancing pigs, all the while understanding that dancing pigs are fun. There are bad guys who that know dancing pigs are fun, so they wrap their sploits in promises of dancing pigs.

There’s all sorts of ways to entice. Some of them, like scantily clad women, will irk some of your audience. Some of them, like a car, are expensive. Some of them, I hope, find a good spot of inexpensive, approachable, and enticing.

That’s really what Elevation of Privilege is all about. Enticing busy people into the craft of threat modeling. And into our trade show booth. (That’s how we get budget to keep giving away copies. See? It’s a virtuous circle of enticements, all wrapped up in ~~cellophane~~ a pretty box!)

I didn’t realize that when I made it. I thought it was about flow (see my 2010 short BlackHat talk, “The Easy Way To Get Started Threat Modeling“) but as I started talking to more people, the stories that came back were about something else. The stories came back about people stopping at a desk to look at it. About people newly willing to take meetings with security teams. About young kids enthralled by the graphics. Because they wanted to learn more.

There’s a lot of unexplored territory in enticing people into security. Why not give it a try?

Stop sinning with complaints about the coffee budget

adam — Tue, 06 Mar 2012 16:14:59 +0000

Someone respected wrote on a private mailing list:

“If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002

To which, verily I say: Doom!

Doom!

You commit the sin of false comparison! You have angered Furlongeous, god of measurement! We are doomed to wander the wilderness for a hard-to-predict number of fortnights!

Hie! Hie! Burn them before they anger the gods further!

But this is not just false comparison, it is coveting, and after we burn them, we must gouge out their covetous eyes!

Admitting Mistakes

adam — Fri, 24 Feb 2012 17:42:25 +0000

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes.

Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had technical security consequences. Not that the soft skills are unimportant, but a great many folks think that with technical ability, you can overcome that. The tech skills are core to how we present as security people, and being willing to own up to those is a praise-worthy act.

My own contribution is “Owning Up to Pwnage (Part 2).”

Predictably Apathetic responses to Cyber Attack

adam — Mon, 13 Feb 2012 16:39:02 +0000

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:”

Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now where does the UFC.com website figure into all this? Sure, it’s the web home of the UFC, and people probably hit it a million times a day to get the information on upcoming fights, video clips and such … but at the core of the question is does the website make Dana White money? Judging by his response (NSFW) to the hack – the answer is probably “not enough for him to care a whole lot”. This is interesting.

I wish he’d stopped there. The answer is that business often doesn’t care, because we don’t communicate effectively about why the business should care.

We as a community have two choices. We can bitch and moan about what the people who pay us need to do, or we can ask what we need to do to change things.

I have a strong opinion about which will make us happier in the long run.

Raf (Wh1teRabbit) goes on to make some really good points about why the business should care. So why do I wish he’d stopped? Because it distracts from the issue that he drew attention to, which is our failure to effectively communicate with the folks who pay us. Here’s a guy who might be making a boatload of money from his website, but doesn’t get how it contributes to his bottom line. That’s a failure on the part of the CEO’s geeks to make sure they get credit for a revenue stream. And that leads to a failure on the CEO’s part to care about what they do.

So, how much time are you spending learning to speak executive?

On Threat Modeling

adam — Mon, 06 Feb 2012 15:58:30 +0000

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.”

I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “I reject your reality, and substitute my own.” Here you go:

“Experiences Threat Modeling at Microsoft” covers the trouble that threat modeling is an aspirational tabula rasa, and people project all sorts of requirements onto processes and methodologies.
However, I agree with Ian that there’s lots of “Trouble with Threat Modeling.”
See also my MSDN magazine articles “Uncover Security Design Flaws Using The STRIDE Approach” and “Reinvigorate your Threat Modeling Process” is about how I’m thinking about
threat modeling and some lessons learned. MSDN also published “Getting Started With The SDL Threat Modeling Tool.”

But that’s not my final answer. My final answer is your threat modeling fails because you’re not using Elevation of Privilege.

(Actually, I don’t think that’s why Ian’s threat modeling fails in practice. He’s a smart guy, and I think the issue seems to be one of expectations versus approach, and I think either could be usefully changed, depending on the context.)

Aviation Safety

adam — Wed, 25 Jan 2012 16:06:00 +0000

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data.

The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as likely to die when flying on an American plane. The risk of death was even greater during the start of the jet age, with 1,696 people dying — 133 out of every 100 million passengers — from 1962 to 1971. The figures exclude acts of terrorism.

…
There are a number of reasons for the improvements.

The industry has learned from the past. New planes and engines are designed with prior mistakes in mind. Investigations of accidents have led to changes in procedures to ensure the same missteps don’t occur again.
Better sharing of information. New databases allow pilots, airlines, plane manufactures and regulators to track incidents and near misses. Computers pick up subtle trends. For instance, a particular runway might have a higher rate of aborted landings when there is fog. Regulators noticing this could improve lighting and add more time between landings.

(“It’s never been safer to fly; deaths at record low“, AP, link to Seattle PI version.)

Well, it seems there’s nothing for information security to learn here. Move along.

New School Approaches to Passwords

adam — Tue, 10 Jan 2012 17:06:20 +0000

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question:

Passwords suck when they’re not properly cared for. We know this. Any other known form of
authentication we have is difficult because of the infrastructure required to pull it off. That
sucks too. Does this leave us at a stalemate where we need to get people to care about their
passwords?

I think the answer is “almost.” We need to agree that passwords suck when they’re not properly cared for, and that caring for them is hard. So we need to assume that passwords will tend to be poor, reused, etc, and develop methods to deal with that. Most of our mechanisms today punish users. We tell them to memorize 100 or more unique passwords, and then “security experts” abuse them for re-use or using a password management tool.

Cormac Herley has claimed that the password has a set of properties including being subject to memorization that make it impossible to replace, and we should accept that and start engineering for it. (“A Research Agenda Acknowledging the Persistence of Passwords” and “Passwords: If We’re So Smart Why Are We Still Using Them?“)

Similarly, Nate Lawson posted “On the evolving security of password schemes” which closes “most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker’s guess rate and implementing responses to limit their access when they do get a hit.” Indeed.

We need to observe the world, and ask how we can work within the constraints it presents regardless of if those constraints are economic, sociological or evolutionary.