The New School of Information Security » Uncategorized

BSides Las Vegas 2012 Contest

David Mortman — Thu, 22 Mar 2012 02:37:43 +0000

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning those responses folks!

How’s that secrecy working out?

adam — Wed, 07 Mar 2012 15:45:16 +0000

Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, they started briefing various organizations under NDA about what had happened. I want to share what I learned without naming and shaming the organization in question, because I think that’s counter-productive.

Along the way, one of the servers used by their attackers went away. Claims were made that the attackers learned the IP address was under investigation, and that caused the server to go away. (There’s either leaps of logic that would make Baryshnikov proud, or some intel. My suspicion leans towards the former, since the latter would make the server going away less interesting.) When the server went away, elements of the US government freaked out and told the organization to stop talking.

How’s that secrecy working out for us?

I think the answer is poorly. If we can’t share information about breaches, scaling the breaches is nearly free for the attackers. Something as simple as a domain or IP is shared in carefully controlled phone calls, and then people get upset and forbid additional information sharing.

This is apparently the reality of the “information sharing” programs that are at the heart of America’s cyber-security strategies. A failure of imagination combines with a fear of being Manning’d to result in the most trivial of trickles of information being shut down.

Again I ask, how’s that secrecy working out for us?

Well, we get RSA sessions like “Stress and Burnout in the InfoSec Community.” We get things like the CISO of a very large company, who told me “I almost want to slap Anonymous, just so they hack us and get it over with.” (Actually, what he said was more colorful, and somewhat identifying of his employer, so the quote is anonymized.)

The why is because we (writ broadly) prevent ourselves from learning. We intentionally block feedback loops from developing.

Now, it may be that there was real intelligence gold in that server. Maybe we’d have evidence that the Chinese government is funding attacks on the American government. But we have that. Everyone believes that. Is there evidence so important, or defensive knowledge so valuable that it’s worth preventing information sharing?

Obviously not. Because once gathered, it can’t be shared.

Let me add an analogy. In deciding how to use the Ultra information from the Enigma breaks, Churchill focused on ensuring that there was an alternate means to get the information. Those truths were so valuable that they were surrounded by a bodyguard of lies, and sometimes that makes sense. But if we treat all information as Ultra, then our commanders can’t use it to do their jobs, and it does us no good to gather.

So I’ll leave you with one last question: how’s that secrecy working out for us?

Congratulations!

adam — Thu, 01 Mar 2012 23:36:03 +0000

Our sincere congratulations to all the winners of the Social Security Blogger awards.

FEAR AND LOATHING IN SAN FRANCISCO (RSA PRE-GAME)

alex — Sun, 26 Feb 2012 14:02:30 +0000

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally. So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff:

===============

Monday: 8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management. Fun!

Monday is also Metricon, this year run by Russ and Scott Crawford. Should be good.

I’m capping my Monday off 4-5pm at BSides for this little gem:

Name: Dr. Mike Lloyd
Talk: Metrics That Don’t Suck: A New Way To Measure Security Effectiveness

===============

On the Tuesday, I’ll be speaking with Mortman, @csoandy, Ally Miller, Bob Blakely at the Risk Management Smackdown II: Wrath of Kuhn

It’s in room 309. Don’t know how this happens, but I get to be the dumbest person on the panel.

That afternoon, I’ll probably pop over to BSides to hear Wade Baker and Chris Porter talk, and @ch0rt is doing a part 2 to his Security Moneyball talk.

===============

On Wednesday, at 10am in room 309, I’ll be talking about Metrics. Should be awesomesauce. Don’t know how this happens, but I get to be the dumbest person on the panel (again).

===============

THURSDAY, THURSDAY, THURSDAY!!!!!

Preston Wood, Kelly White, and Mike Fowkes from Zions Bancorp are talking about their Hadoop install and Security Data Warehouse. So, yeah. The hype? Pshaw, these guys are DOING IT. GO. Go to see this. Srsly.

That afternoon, there’s a peer2peer risk management session going on. Ally Miller and I are talking about Frameworks for some reason.

===============

FRIDAY

On Friday I gotta get down. I’ll spend a large amount of my time trying to figure out if I should take the front seat, or kick it in the back seat.

“Anonymized, of course”

adam — Tue, 21 Feb 2012 15:51:10 +0000

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it.

But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members of the New School should tackle it when it comes up.

First, let’s look at what it means to anonymize aspects of security breaches. That means that we take an incident and hide to whom it happened, the way we do with a small subset of other crimes, primarily rape, but also sometimes defamation. This is good insofar as it inhibits silly finger-pointing and name-calling. But it also stops learning. I can’t go listen to a talk from the CISO of PwnedCo and see what I might learn from what he talks about and what he doesn’t talk about. I can’t see that an award went to the CEO of Comodo, right before they were pwned, and adjust my opinions accordingly.

In other words, anonymization breaks feedback loops.

But that’s probably not what people mean when they say “anonymized, of course”. So what could they mean?

First, it may be an acknowledgement of today’s reality: we have little to no information sharing (never mind publishing). Anonymized may, for a while, be the best we can do. Heck, it may be the best we can ever do. I think we can do better, and “we can’t do better” is a testable hypothesis which fails pretty regular testing. Those of us in the New School think we should learn something when our hypotheses fail.
Second, it may be an attempt to reassure listeners that the speaker is not some crazy radical New School type who wants to do the inconcievable. Excuse me, “inconceivable.” They know that it’s just never worked that way, and feel a need to re-assure themselves and/or others of that obvious reality.
Third, it may be an attempt to delay argument over how much data should be published. Sometimes postponing argument is helpful for moving a project forward overall, other times it’s politics in the worst way.
Fourth, it may be an attempt, conscious or unconscious, to define the boundaries of acceptable debate to exclude the idea of sharing information that includes names. I find this last form, especially in its conscious form, to be the most objectionable. I don’t object to debate, or even rhetoric in its better forms, but attempts to define things as outside what reasonable people can discuss are outside what reasonable people do with reasonable arguments.

So what do we do for each of these meanings?

Acknowledgements of reality are reasonable. However, they have a nasty habit of reinforcing and validating the reality they acknowledge. That can be useful as a matter of transmitting knowledge or approaches. It can also be harmful when what’s reinforced really isn’t reality. (“Of course, the Earth is flat, so you’ll fall off the edge.”) Both this and conscious attempts to align with the old school ways that have kept us superstitious for so long deserve a gentle challenge. Perhaps something in the form of “Do we really need to anonymize this data?”

Threat Modeling Fails In Practice

alex — Thu, 02 Feb 2012 16:55:43 +0000

Would be interested in readers thoughts on Ian G’s post here:

https://financialcryptography.com/mt/archives/001357.html

Please Participate: Survey on Metrics

alex — Mon, 16 Jan 2012 17:24:24 +0000

I got an email from my friend John Johnson who is doing a survey about metrics. If you have some time, please respond…

————————————————————————————————————————————————

I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and put them into a simple survey form. I am looking for any examples of the good, bad and ugly involved in developing meaningful metrics. What has worked well and what has failed miserably? How have you packaged and presented the results in a meaningful way to your executives?

If you can spare a few minutes, please consider taking this survey. Even if you answer one question, it is helpful!

https://docs.google.com/spreadsheet/viewform?formkey=dGhDLXZHQVB5eEZoSy03aU5JQnZxV2c6MQ

You may also simply share an example, graphics or slides via email. I will be using your feedback to facilitate peer discussions and in a presentation aimed at educating security professionals on how they can improve their security metrics program.

Thanks in advance,

John

How to Send Adam into Hysterics

alex — Tue, 10 Jan 2012 13:27:54 +0000

Via Nathan Yau’s awesome Flowing Data blog.

Steve Bellovin’s “Lessons from Suppressing Research”

adam — Wed, 04 Jan 2012 16:26:45 +0000

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this particular case.”

Steve’s post contains excellent context, putting the issue in context of nuclear secrets, cryptography and software vulnerability disclosure. I want to follow up a bit on his closing:

The ultimate decision may rest on personal attitudes. To quote Fouchier one more time, “The only people who want to hold back are the biosecurity experts. They show zero tolerance to risk. The public health specialists do not have this zero tolerance. I have not spoken to a single public health specialist who was against publication.”

I think that personal preference is one way to think of this, and perhaps in fact, personal preference drives the choice of profession. But perhaps what’s really happening is that public health specialists are operating with a different set of drivers than “biosecurity experts.” In particular, given the very low incidence of ‘biosecurity incidents,’ perhaps ‘biosecurity experts’ are operating in a world where all threats exist only on paper (or in papers). In contrast, public health professionals have real epidemics and pandemics to deal with. They’re forced to deal with the propaganda of anti-vaccination nuts whose fear of autism is killing people with whooping cough and other diseases. They have to deal with contamination of the food supply. They can reasonably prioritize preventing salmonella or e.coli over theoretical terrorist threats.

However, this narrow focus on preventing all problems (in contrast to risk management, cost-benefit or other pragmatic approaches) is not unique to bio-security experts. The security professional, focused by definition on security, will naturally tend towards zero tolerance for risks.

An example, already reduced to absurdity, is visible in the TSA. Their goal is not balanced security, it’s a relentless and offensive pursuit of security at the expense of dignity, calm, and cupcakes. But we should not be surprised at their pursuit of the cupcake. It’s the natural result of having an agency focused entirely on security.

This is, by the way, relates to why CISOs should report into a functional area of the business, be it operations or IT, rather than reporting to the CEO. If the CISO is focused entirely on security, then those concerns need to be balanced with the overall operational picture by someone with accountability for delivering of a whole to the business, not treated as some special magic.

“It’s Time to Learn Like Experts” by Jay Jacobs

adam — Mon, 28 Nov 2011 15:26:03 +0000

I want to call attention to a new, important and short article by Jay Jacobs.

This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops.

Everyone in the New School is a fan of feedback loops of one form or another. Hypothesis testing, learning, and calling out superstition are all forms of feedback loops.

One thing that Jay brings in that I hadn’t seen is the idea of kind and wicked learning environments. A kind environment is one in which you can quickly get good feedback on things experts agree will help you improve. (Did you fall off the bike?) An unkind environment is, amongst other things, one where feedback comes later, if at all. Jay has a table. It’s on page 2.

You should find Jay’s article here: “A Call to Arms: It’s Time to Learn Like Experts“, or his short blog here.