The New School of Information Security

Why Sharing Raw Data is Important

adam — Fri, 11 May 2012 16:20:18 +0000

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs.

Issues like this are why it’s important to release data. It enables independent error checking, but also allows people to slice and dice the issues in ways that otherwise are only accessible to a privileged few with the raw numbers.

Toorcamp: Gender Issues, Cognitive Psychology and Hacking

adam — Fri, 27 Apr 2012 15:54:44 +0000

So the announcement for Toorcamp is out, and it looks like an exciting few days.

A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.”

It’s in the far northwester corner of the US, and you should check it out.

Checklists and Information Security

adam — Tue, 10 Apr 2012 15:57:59 +0000

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote:

CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple questions. Someone using a checklist might therefore think he had done the right thing, when in fact he had not addressed the problems in depth…Conventional wisdom presented in short checklists makes security look easy.

So it took a while and a lot of recommendations for me to get around to reading “The Checklist Manifesto” by Atul Gawande. And I’ll admit, I enjoyed it. It’s a very well-written, fast-paced little book that’s garnered a lot of fans for very good reasons.

What’s more, much as it pains me to say it, I think that security can learn a lot from the Checklist Manifesto. One objection that I’ve had is that security is simply too complex. But so is the human body. From the Manifesto:

[It] is far from obvious that something as simple as a checklist could be of substantial help. We may admit that errors and oversights occur–even devastating ones. But we believe our jobs are too complicated to reduce to a checklist. Sick people, for instance, are phenomenally more various than airplanes. A study of forty-one thousand trauma patients in the state of Pennsylvania–just trauma patients–found that they had 1,224 different injury-related diagnoses in 32,261 unique combinations. That’s like having 32,261 kinds of airplane to land. Mapping out the proper steps for every case is not possible, and physicians have been skeptical that a piece of paper with a bunch of little boxes would improve matters.

The Manifesto also addresses the point we wrote above, that “someone using a checklist might think he’d done the right thing”:

Plus, people are individual in ways that rockets are not–they are complex. No two pneumonia patients are identical. Even with the same bacteria, the same cough and shortness of breath, the same low oxygen levels, the same antibiotic, one patient might get better and the other might not. A doctor must be prepared for unpredictable turns that checklists seem completely unsuited to address. Medicine contains the entire range of problems–the simple, the complicated, and the complex–and there are often times when a clinician has to just do what needs to be done. Forget the paperwork. Take care of the patient.

So it’s important to understand that checklists don’t replace professional judgement, they supplement it and help people remember complex steps under stress.

So while I think security can learn a lot from The Checklist Manifesto, the lessons may not be what you expect. Quoting the book that inspired this blog again:

A checklist implies that there is an authoritative list of the “right” things to do, even if no evidence of that simplicity exists. This in turn contributes to the notion that information security is a more mature discipline than it really is.

For example, turning back to the Manifesto:

Surgery has, essentially, four big killers wherever it is done in the world: infection, bleeding, unsafe anesthesia, and what can only be called the unexpected. For the first three, science and experience have given us some straightforward and valuable preventive measures we think we consistently follow but don’t.

I think what we need, before we get to checklists, is more data to understand what the equivalents of infection, bleeding and unsafe anesthesia are. Note that those categories didn’t spring out of someone’s mind, thinking things through from first principles. They came from data. And those data show that some risks are bigger than others:

But compared with the big global killers in surgery, such as infection, bleeding, and unsafe anesthesia, fire is exceedingly rare. Of the tens of millions of operations per year in the United States, it appears only about a hundred involve a surgical fire and vanishingly few of those a fatality. By comparison, some 300,000 operations result in a surgical site infection, and more than eight thousand deaths are associated with these infections. We have done far better at preventing fires than infections. [So fire risks are generally excluded from surgical checklists.]

Security has no way to exclude ~~insiders~~ the fire risk. We throw everything into lists like PCI. The group who updates PCI is not provided in depth incident reports about the failures that occurred over the last year or over the life of the failure. When security fails, rather than asking, ‘did the checklist work’, the PCI council declares that they’ve violated the 11th commandment, and are thus not compliant. And so we dan’t improve the checklists. (Compare and contrast: don’t miss the long section of the Manifesto on how Boeing tests and re-tests their checklists.)

One last quote before I close. Gawande surveys many fields, including how large buildings are built and delivered. He talks to a project manager putting up a huge new hospital building:

Joe Salvia had earlier told me that the major advance in the science of construction over the last few decades has been the perfection of tracking and communication.

Nothing for us security thought leaders to learn. But before I tell you to move along, I’d like to offer up an alpha-quality DO-CHECK checklist for improving security after an incident:

Have you addressed the breach and gotten the attackers out?
Have you notified your customers, shareholders, regulators and other stakeholders?
Did you prepare an after-incident report?
Did you use Veris, the taxonomy in Microsoft’s SIR v11 or some other way to clarify ambiguous terms?
Have you released the report so others can learn?

I believe that if we all start using such a checklist, we’ll set up a feedback loop, and empower our future selves to make better, and more useful checklists to help us make things more secure.

Dear FBI, Who Lost $1Billion?

adam — Thu, 05 Apr 2012 15:56:49 +0000

In a widely discussed op-ed, Richard Clarke wrote:

It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.”

I’d like to ask a few questions. Actually, just one. Please let us know the case you’re discussing. This is a major crime. The FBI doesn’t report “we had a bank robbery at some Seattle bank last week,” they say which bank at which address. Further, assuming that this is a public company (because few private companies could sustain such investments), then the SEC requires disclosure. Now, you might claim that the company disclosed a billion dollar loss, in which case, Mr. Henry could name names. You might say that the company disclosed a billion dollar loss and no one cared, but I would be forced to question your credibility. You might also say that the company disclosed and no one noticed, because their lawyers were so clever in their drafting, but that would be tantamount to accusing them of deceptive reporting, and the FBI should be investigating if their CEO belonged in jail.

There is, of course, an alternate hypothesis, which is that this is a class of accounting that I’ll call 911 accounting. If you’ll recall the early 1990s, Knight Lightning was accused of receiving stolen property valued at $79,449. It later came out that the documents were available for sale for $13.

So there are three possibilities:

The company is privately held (and is able to invest a billion dollars over 10 years)
The company is public (and was required to inform its shareholders)
Mr Henry, or the people who provided him the information, is playing fast and loose with the numbers

Thoughts on relative probability, or other elements of how to parse that claim, are welcome.

How Harvey Mudd Brings Women into CS

adam — Wed, 04 Apr 2012 15:25:24 +0000

Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:”

“Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at Mudd. “We realized we were helping perpetuate that by teaching such a standard course.”

To reduce the intimidation factor, the course was divided into two sections — “gold,” for those with no prior experience, and “black” for everyone else. Java, a notoriously opaque programming language, was replaced by a more accessible language called Python. And the focus of the course changed to computational approaches to solving problems across science.

“We realized that we needed to show students computer science is not all about programming,” said Ran Libeskind-Hadas, chairman of the department. “It has intellectual depth and connections to other disciplines.”

Well, sometimes computer science has depth and connections to reality. Other times we get wrapped around some little technical nit, and lose sight of the larger picture. Or sometimes, we just talk about crypto and key lengths.

If we want more diversity in computer security, we have to look around, see what’s working and take lessons from it. Otherwise, we’re going to stay on the hamster wheels. There’s excellent evidence that more diversity helps you solve certain classes of problems better. (See, for example, “Scott Page’s The Difference.)

How to mess up your breach disclosure

adam — Fri, 30 Mar 2012 15:57:46 +0000

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers.

No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary.

It’s always nice to see clear reminders that the way to get people excited about a breach is to dribble out the information. For what little the public knows, to help Brian Krebs piece together the story and decide how the public will come to understand it because Visa and Mastercard aren’t talking, see MasterCard, VISA Warn of Processor Breach.

Doctors Make Mistakes. Can we talk about that?

adam — Mon, 26 Mar 2012 15:22:28 +0000

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?”

When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about their own mistakes. If I were to walk into a room filled with my colleages and ask for their support right now and start to tell what I’ve just told you right now, I probably wouldn’t get through two of those stories before they would start to get really uncomfortable, somebody would crack a joke, they’d change the subject and we would move on. And in fact, if I knew and my colleagues knew that one of my orthopedic colleagues took off the wrong leg in my hospital, believe me, I’d have trouble making eye contact with that person.

That’s the system that we have. It’s a complete denial of mistakes. It’s a system in which there are two kinds of positions — those who make mistakes and those who don’t, those who can’t handle sleep deprivation and those who can, those who have lousy outcomes and those who have great outcomes. And it’s almost like an ideological reaction, like the antibodies begin to attack that person. And we have this idea that if we drive the people who make mistakes out of medicine, what will we be left with, but a safe system.

But there are two problems with that…

I’ll just say, security professionals make mistakes, too.

Can we talk about that?

BSides Las Vegas 2012 Contest

David Mortman — Thu, 22 Mar 2012 02:37:43 +0000

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning those responses folks!

Feelings! Nothing but feelings!

adam — Thu, 15 Mar 2012 15:14:31 +0000

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became a Botnet Server ”

It felt weird. It really did. I’m glad I did it. I want to continue to be able to talk about owning up to mistakes, and a big part of that is how we feel about talking about it. It’s all to easy to talk about something else, and not learn from it.

On which, kudos to Chris Hoff for talking about his story in “A Funny Thing Happened On My Way To Malware Removal….” Kudos to Jeremiah Grossman for owning up to being “Terrified” before getting on stage. And kudos to Bill Brenner for writing his OCD Diaries.

Despite our aspirations, we’re not computers. We’re not fully rational beings. We’re collections of tiny advantages collected in an expressed genome. We are products of our experiences through life. Pretending it’s all about the technology hasn’t worked.

I’m eager to learn from my mistakes and share the lessons, but I don’t always see those lessons myself. So sharing the stories and learning from each other will give us advantages, let us become products of not only our experiences, but those of others, and drive our ability to make information security a lot more fun.

Seeing more than the technology is one of the key themes that Andrew and I wrote about in the New School, and I think it deserves more attention.

We’re not going to be all about feelings here, but we’re going to talk more about the human side of security.

Entice, Don’t Scold

adam — Wed, 14 Mar 2012 14:53:25 +0000

I really like what Adrian Lane had to say about the cars at RSA:

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering.

Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomena”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchochkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

It can sometimes feel like security experts spend their lives failing to empathize with the fellow who wants to look at the cool car. Rather, we scold and declare everything a large risk. What a pain! We need to understand the people who we’re there to protect, and treat them as human beings.

We need to entice them to do what we want. The bad guys know this. We scold people about clicking on dancing pigs, all the while understanding that dancing pigs are fun. There are bad guys who that know dancing pigs are fun, so they wrap their sploits in promises of dancing pigs.

There’s all sorts of ways to entice. Some of them, like scantily clad women, will irk some of your audience. Some of them, like a car, are expensive. Some of them, I hope, find a good spot of inexpensive, approachable, and enticing.

That’s really what Elevation of Privilege is all about. Enticing busy people into the craft of threat modeling. And into our trade show booth. (That’s how we get budget to keep giving away copies. See? It’s a virtuous circle of enticements, all wrapped up in ~~cellophane~~ a pretty box!)

I didn’t realize that when I made it. I thought it was about flow (see my 2010 short BlackHat talk, “The Easy Way To Get Started Threat Modeling“) but as I started talking to more people, the stories that came back were about something else. The stories came back about people stopping at a desk to look at it. About people newly willing to take meetings with security teams. About young kids enthralled by the graphics. Because they wanted to learn more.

There’s a lot of unexplored territory in enticing people into security. Why not give it a try?