The New School of Information Security

“Anonymized, of course”

adam — Tue, 21 Feb 2012 15:51:10 +0000

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it.

But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members of the New School should tackle it when it comes up.

First, let’s look at what it means to anonymize aspects of security breaches. That means that we take an incident and hide to whom it happened, the way we do with a small subset of other crimes, primarily rape, but also sometimes defamation. This is good insofar as it inhibits silly finger-pointing and name-calling. But it also stops learning. I can’t go listen to a talk from the CISO of PwnedCo and see what I might learn from what he talks about and what he doesn’t talk about. I can’t see that an award went to the CEO of Comodo, right before they were pwned, and adjust my opinions accordingly.

In other words, anonymization breaks feedback loops.

But that’s probably not what people mean when they say “anonymized, of course”. So what could they mean?

First, it may be an acknowledgement of today’s reality: we have little to no information sharing (never mind publishing). Anonymized may, for a while, be the best we can do. Heck, it may be the best we can ever do. I think we can do better, and “we can’t do better” is a testable hypothesis which fails pretty regular testing. Those of us in the New School think we should learn something when our hypotheses fail.
Second, it may be an attempt to reassure listeners that the speaker is not some crazy radical New School type who wants to do the inconcievable. Excuse me, “inconceivable.” They know that it’s just never worked that way, and feel a need to re-assure themselves and/or others of that obvious reality.
Third, it may be an attempt to delay argument over how much data should be published. Sometimes postponing argument is helpful for moving a project forward overall, other times it’s politics in the worst way.
Fourth, it may be an attempt, conscious or unconscious, to define the boundaries of acceptable debate to exclude the idea of sharing information that includes names. I find this last form, especially in its conscious form, to be the most objectionable. I don’t object to debate, or even rhetoric in its better forms, but attempts to define things as outside what reasonable people can discuss are outside what reasonable people do with reasonable arguments.

So what do we do for each of these meanings?

Acknowledgements of reality are reasonable. However, they have a nasty habit of reinforcing and validating the reality they acknowledge. That can be useful as a matter of transmitting knowledge or approaches. It can also be harmful when what’s reinforced really isn’t reality. (“Of course, the Earth is flat, so you’ll fall off the edge.”) Both this and conscious attempts to align with the old school ways that have kept us superstitious for so long deserve a gentle challenge. Perhaps something in the form of “Do we really need to anonymize this data?”

New Cyber Security Bill: Crowdsource Analysis?

adam — Wed, 15 Feb 2012 16:43:22 +0000

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this

According to the press release, the “Collins-Lieberman” bill would:

The Department of Homeland Security (DHS) to assess the risks and vulnerabilities of critical infrastructure systems—whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life—to determine which should be required to meet a set of risk-based security standards. Owners/operators who think their systems were wrongly designated would have the right to appeal.
DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
Current industry regulators to continue to oversee their industry sectors.
Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.

Some of that, like risk-based security standards, sounds potentially tremendously positive. There are some clear risks, like DHS will make a best-practices table of risk management activity without any focus on outcomes, and then classify it.

Other bits, like information sharing, sounds worrisome, because the authors clearly know that there’s a risk of privacy and liberty impacts. It’s not clear what the data to be shared is. If that’s (for example) “Verisign has been pwned using a 3-year old Flash expliot” there’s minimal impact to liberty. (Of course, since they haven’t said anything, we don’t know how Verisign was owned.) If it’s “We suspect Kevin Mitnick, then that’s both less useful and more privacy impactful.

Stepping back, where should I look for analysis? Have you looked at the bill? What does it do for the New School pillars? As a reminder, those are:

Learning from other professions, such as economics and psychology, to unlock the problems that stymie the information security field. The way forward cannot be found solely in mathematics or technology.
Sharing objective data and analysis widely. A fetish for secrecy has held us back.
The embrace of the scientific method for solving important problems. Analyzing real world outcomes is the best way for information security to become a mature discipline.

In other words, how New School is this bill?

Predictably Apathetic responses to Cyber Attack

adam — Mon, 13 Feb 2012 16:39:02 +0000

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:”

Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now where does the UFC.com website figure into all this? Sure, it’s the web home of the UFC, and people probably hit it a million times a day to get the information on upcoming fights, video clips and such … but at the core of the question is does the website make Dana White money? Judging by his response (NSFW) to the hack – the answer is probably “not enough for him to care a whole lot”. This is interesting.

I wish he’d stopped there. The answer is that business often doesn’t care, because we don’t communicate effectively about why the business should care.

We as a community have two choices. We can bitch and moan about what the people who pay us need to do, or we can ask what we need to do to change things.

I have a strong opinion about which will make us happier in the long run.

Raf (Wh1teRabbit) goes on to make some really good points about why the business should care. So why do I wish he’d stopped? Because it distracts from the issue that he drew attention to, which is our failure to effectively communicate with the folks who pay us. Here’s a guy who might be making a boatload of money from his website, but doesn’t get how it contributes to his bottom line. That’s a failure on the part of the CEO’s geeks to make sure they get credit for a revenue stream. And that leads to a failure on the CEO’s part to care about what they do.

So, how much time are you spending learning to speak executive?

Why Breach Disclosures are Expensive

adam — Tue, 07 Feb 2012 17:11:42 +0000

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered just how many ways there were to count to 500. The law requires disclosure only in cases that “pose a significant risk of financial, reputational or other harm to the individual affected.” His team spent hours poring over a backup of the stolen laptop files.
(“Digital Data on Patients Raises Risk of Breaches“, Nicole Perlroth, The New York Times, Dec 18 2011)

This is the effect of trigger provisions: it’s the biggest headache in dealing with a breach. We shouldn’t be burdening businesses with the decision about what a significant risk entails, exposing them to the liability of making a wrong call, or risking that their decisions will be biased.

Yet More On Threat Modeling: A Mini-Rant

David Mortman — Tue, 07 Feb 2012 15:41:12 +0000

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it:

It’s a tool! No one claimed it was a silver bullet!

Threat modeling is yet another input into an over all risk analysis. And you know what? Risk analysis/Risk management, whatever you want to call it won’t be perfect either. Threat modeling is in itself a model. All models are broken. We’ll get better at it.

But claiming that something is a failure because it’s not perfect and that it doesn’t always work, is one of the cardinal sins of infosec from my perspective. Every time we do that, we do ourselves and our industry a disservice. Stop letting the perfect be the enemy of the useful.

On Threat Modeling

adam — Mon, 06 Feb 2012 15:58:30 +0000

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.”

I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “I reject your reality, and substitute my own.” Here you go:

“Experiences Threat Modeling at Microsoft” covers the trouble that threat modeling is an aspirational tabula rasa, and people project all sorts of requirements onto processes and methodologies.
However, I agree with Ian that there’s lots of “Trouble with Threat Modeling.”
See also my MSDN magazine articles “Uncover Security Design Flaws Using The STRIDE Approach” and “Reinvigorate your Threat Modeling Process” is about how I’m thinking about
threat modeling and some lessons learned. MSDN also published “Getting Started With The SDL Threat Modeling Tool.”

But that’s not my final answer. My final answer is your threat modeling fails because you’re not using Elevation of Privilege.

(Actually, I don’t think that’s why Ian’s threat modeling fails in practice. He’s a smart guy, and I think the issue seems to be one of expectations versus approach, and I think either could be usefully changed, depending on the context.)

Dear Verisign: Trust requires Transparency

adam — Fri, 03 Feb 2012 16:16:17 +0000

On their blog, Verisign made the following statement, which I’ll quote in full:

As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain Name System (DNS) was compromised.

We have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish. In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS.

All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. Verisign places the highest priority on security and the reliable operation of the DNS.

This does not suffice to restore my trust in a company to which we have delegated trust decisions across thousands of websites. Verisign concealed a breach from us, and possibly from its own management, according to Joseph Menn, who reports:

The 10-Q said that security staff responded to the attack soon afterward but failed to alert top management until September 2011. It says nothing about a continuing investigation [...]

Reasonable people can differ on what constitutes a thorough analysis. Reasonable people can differ on response activity. We can probably all learn a lot from what happened. Reasonable people can’t argue that Verisign has paid some PR cost, and that they’ll continue to pay it until those who are supposed to trust them are satisfied. That satisfaction requires more than the statements made above. I’m sure Verisign would prefer that the story go away, in which case they should release the report today (with whatever minor redactions are appropriate).

If Verisign has what they believe is a thorough analysis, they need to release as a step along the way to restoring trust in their ability to operate important parts of the internet infrastructure. And Verisign need to release real information soon, before the technical public come to see them as stonewalling.

[Update: Welcome, Schneier blog readers! I wanted to clarify the status: we have a very data-free set of assertions from someone claiming to be a Symantec employee. We do not yet have a detailed report on the investigation that addresses who knew what when, and how they knew it.]

Threat Modeling Fails In Practice

alex — Thu, 02 Feb 2012 16:55:43 +0000

Would be interested in readers thoughts on Ian G’s post here:

https://financialcryptography.com/mt/archives/001357.html

Pulling A Stiennon: In The Cloud, The DMZ Is Dead

David Mortman — Wed, 01 Feb 2012 18:23:24 +0000

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a very small set of allowed ports/protocols/ips etc. So in a very real sense, in public cloud every network segment is a DMZ. And when everything is a DMZ, then calling anything a DMZ becomes pointless.

It’s better to call the segments by their function, e.g. web, app server, db, cache, mq whatever it is that the services in that security group are doing. It had the advantage of being easier to understand, closer to self-documenting and doesn’t imply a level of non-existent security like a term like DMZ does. Also by calling segments by their purpose, it points the security practitioner towards the right mindset of what types of traffic should or shouldn’t be allowed. All in all a very Jericho project kind of mentality.

[ETA: I had completely forgotten that Hoff covered this same issue in his Commode Computing talk last year. In particular see http://pic.twitter.com/wrx7F17R]

Time for an Award for Best Data?

adam — Wed, 01 Feb 2012 17:15:54 +0000

Yesterday, DAn Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking for data on the question, do we have enough good data to issue an award yearly?

Please nominate in the comments.

Also, please discuss what the criteria should be.