Owning Up to Pwnage (Part 2)

On Saturday, I discussed how “I bolluxed our blog theme.”

“More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not testing the upgrade before rolling it into production.


See! That wasn’t so bad. It didn’t cost that much to talk about what went wrong. Of course, it’s small stakes, but doing these things when the stakes are small develops the habits of talking about them and makes it easier to talk about them when the stakes are (or feel) higher.”

So let me talk about another issue. A few years ago, the server at homeport.org got turned into a botnet controller, and I want to talk about what happened.

The short story is easy: we failed to keep awstats up to date, and a known vuln was used to take over the account.

I could discuss some of the usability challenges associated with staying up to date, but don’t want to get into a Windows/UNIX debate here. (Just the facts: compare versions here and here, or look at this and consider how you’d decide on up-to-dateness.)

I think it was discovered by random sysadmin work, but we’re not entirely sure. Tripwire (or some variant) was running, but not covering the directory where the bot code was dropped.

More important though, is that we didn’t actually stay up to date on a service that was exposed to the entire net.

I take a couple of lessons. First, keeping everything up to date is hard. Second, we exposed awstats to everyone. We’ve since corrected that, adding a password to get to the page (and code).

The meta-lesson is that it’s easier to keep quiet than to own up to this stuff, but I’m willing to offer up a start.

Once again, if you think that talking about security incidents is a good thing, or could move us forward, I urge you to start small and disclose more as you can. It’s easier than you might think.

APT didn’t eat our theme. Adam did.

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job.”

Yeah. Ooops.


I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. What you see is quick hack fixes.


We could cover this up, pretend it didn’t happen, or blame APT. Hey, it’s true! Adam’s Paucity of Testing led to…oh, I can’t. Really? Even mocking people who blame everything on APT should be over by now. It’s just sad.

More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not testing the upgrade before rolling it into production.

In more detail: we run this blog on the cheap. We don’t have production and test servers because it costs more. I failed to communicate with my team about the upgrade because past upgrades have gone smoothly. I didn’t bother to see if Alex would have free time to make pretty again if I created this problem, or any other problem. I just went ahead and pushed the button. Somewhere, Gene Kim is weeping at our change control process. Or maybe he’s saying “I told you so.”

No one likes to admit these things. Will we change process in the future? Probably. I haven’t brought Emergent Chaos up to WP3.3, because I’m going to try to test more. Will we backslide? Most likely. You know, these blogs, they’re a hobby, and when a security update hits, I’ll likely slap it out willy-nilly and then test to see if there are issues.
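Both confessions on this page come down to the same mechanical check: know what a change did to the files on disk. Here is an added example (my code, not anything from the blog, WordPress or Tripwire) that snapshots a directory tree, diffs it later, and shows two things: the theme upgrade above surfaces as a modified stylesheet, and the Part 2 lesson that a Tripwire-style baseline only catches a dropped file if the directory it lands in is inside the monitored set. The paths and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root, exclude=()):
    """Map each file under root (POSIX-style relative path) to its SHA-256.

    `exclude` holds relative directory paths to skip, the way an integrity
    tool's policy file leaves directories out of the baseline.
    """
    root = Path(root)
    skip = [Path(e) for e in exclude]
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if any(rel_dir == s or s in rel_dir.parents for s in skip):
            dirnames[:] = []  # do not descend into an excluded directory
            continue
        for name in filenames:
            path = Path(dirpath) / name
            result[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return result


def diff(before, after):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return added, removed, modified


def write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Both scenarios on a constructed web root; returns the two diffs."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed tree: a theme with a hand-tweaked stylesheet and an
        # awstats install whose data directory is writable by the web server.
        write(root, "wp-content/themes/blog/style.css",
              "body { color: #222; } /* hand-tweaked */")
        write(root, "wp-content/themes/blog/functions.php", "<?php // theme")
        write(root, "awstats/cgi-bin/awstats.pl", "#!/usr/bin/perl")
        write(root, "awstats/data/awstats.txt", "stats")

        # Two baselines: one covering everything, one whose policy leaves the
        # writable awstats data directory out (the gap described in Part 2).
        full_before = manifest(root)
        gap_before = manifest(root, exclude=("awstats/data",))

        # Scenario 1: the theme upgrade overwrites the tweaked stylesheet.
        write(root, "wp-content/themes/blog/style.css",
              "body { color: #000; } /* vendor default */")
        # Scenario 2: bot code is dropped into the unmonitored data directory.
        write(root, "awstats/data/.bot.pl", "#!/usr/bin/perl # bot stub")

        return {
            "full": diff(full_before, manifest(root)),
            "gap": diff(gap_before, manifest(root, exclude=("awstats/data",))),
        }


if __name__ == "__main__":
    for name, (added, removed, modified) in demo().items():
        print(f"{name}: added={added} removed={removed} modified={modified}")
```

The full baseline reports both the overwritten CSS and the dropped file; the baseline with the exclusion still reports the CSS but never sees the drop, which is the failure mode from the homeport.org incident. The practical rule is the inverse of the usual instinct: the directories an integrity policy is tempted to exclude because they are noisy or writable are exactly the ones an attacker can write to.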

See! That wasn’t so bad. It didn’t cost that much to talk about what went wrong. Of course, it’s small stakes, but doing these things when the stakes are small develops the habits of talking about them and makes it easier to talk about them when the stakes are (or feel) higher.

Your turn.

ThreatPost Podcast with Adam Shostack

Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning.”

Top 5 Security Influencers of 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:”

It’s December and so it’s the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and users’ security:

My list is slightly different:

  1. The Person Coding Your App
  2. Your DBA
  3. Your Testers
  4. Your Ops team
  5. The person with the data
  6. Uma Thurman
  7. You

That’s right, without data to argue an effective case for investing in security, you have less influence than Uma Thurman. And even if you have more influence than her, if you want to be in the top 5, you better be the person bringing the data.

As long as we’re hiding everything that might allow us to judge comparative effectiveness, we’re going to continue making no progress.


Ahh, but which Uma?
Update: Chris Hoff asks “But WHICH Uma? Kill Bill Uma or Pulp Fiction Uma?” and sadly, I have to answer: The Truth About Cats and Dogs Uma. You remember. Silly romantic comedy where guy falls in love with radio veterinarian Janeane Garofalo, who’s embarrassed about her looks? And Uma plays her gorgeous but vapid neighbor? That’s the Uma with the more influence than you. The one who spends time trying to not be bubbly when her audition for a newscaster job leads off with “hundreds of people feared dead in a nuclear accident?” Yeah. That Uma. Because at least she’s nice to look at while going on about stuff no one cares about. But you know? If you show up with some chops and some useful data to back your claims, you can do better than that.

On the downside, you’re unlikely to ever be as influential as Kill Bill Uma. Because, you know, she has a sword, and a demonstrated willingness to slice the heads off of people who argue with her, and a don’t-care attitude about jail. It’s hard to top that for short term influence. Just ask the 3rd guy trying to code your app, and hoping it doesn’t crash. He’s got eyes for no one not carrying that sword.

Particularly NewSchool Job Posting

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc.

https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545

From the job posting:

WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions is to sell FUD to decision makers, then we STRONGLY suggest that you close this page right now as it’s POSSIBLE that reading this job posting will infect your computer with a worm, virus, trojan, nasty bacterium, and/or bovine spongiform encephalopathy OH MY!!!  In fact, you should just stop using the scary interwebs all together!

Kudos, Keith.  You’ve made the Alex Hutton Personal Hall of Fame with this one.

Cheezy Lines by a BioStatistician

from Biostatistics Ryan Gosling

Including my favorite:

Thanks to my friend Bob Rudis for the headsup.

Paper: “The Future of Work is Play”

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work:

Over the last several years, Microsoft has employed dozens of games and game mechanics in its software development process. Forrester, Forbes and others have covered this work. Table 1 illustrates the areas where productivity games can be the most impactful. Focusing on either expanding skills in role or “organizational citizenship behaviors” that require core skills is the best way to ensure the success of a productivity game. Player motivation is a key component of the success of a productivity game.

                                       Core skills    Unique skills    Expanding skills
  In-role behavior                                                     Most impact
  Organizational citizenship behavior  Most impact

What this means is that if you try to produce a game that replicates or intrudes on either core work (say, writing code) or unique skills that someone already has (say, threat modeling) the game is likely to be less successful. But if you make a game to help people expand their skill (say, in threat modeling), it will be more impactful and accepted. Similarly, if you’re trying to get thousands of people to help check user interface translations for Windows, it helps to use a core skill, like reading another language, rather than a unique skill (again, let’s say threat modeling) that only a few people have.

This table is really useful guidance if you’re thinking of making a game.

Games, by the way, are tremendously New School. Games are New School because they’re a way to address the real human desires to do something (anything) more fun than deal with security stuff. By making it fun, we can entice people into enjoying the things we need them to do. You should consider if a game can address a problem you deal with, and if it’s in the area of expanding skills in a role or organizational citizenship behaviors that rely on core skills, you’re more likely to succeed.

(I’d link to the paper, but unfortunately, IEEE continues to lock up the scientific literature and impede the flow of progress, rather than charge a few dollars more for each conference to cover the costs of serving up the scientific literature.)

Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch:

Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report as a significant underestimate of the number of breaches that actually occurred because not only are we not hearing from 9% of entities, but many authorities that did report probably did not detect or learn of all of the breaches they actually experienced. BBC notes, “For example, it does seem surprising that in 263 local authorities, not even a single mobile phone or memory stick was lost.” “Surprising” is a very diplomatic word. (“What They Didn’t Know: Big Brother Watch report on breaches highlights why we need mandatory disclosure“)

“It’s Time to Learn Like Experts” by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs.

This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops.

Everyone in the New School is a fan of feedback loops of one form or another. Hypothesis testing, learning, and calling out superstition are all forms of feedback loops.

One thing that Jay brings in that I hadn’t seen is the idea of kind and wicked learning environments. A kind environment is one in which you can quickly get good feedback on things experts agree will help you improve. (Did you fall off the bike?) A wicked environment is, amongst other things, one where feedback comes later, if at all. Jay has a table. It’s on page 2.

You should find Jay’s article here: “A Call to Arms: It’s Time to Learn Like Experts“, or his short blog here.

The One Where David Lacey’s Article On Risk Makes Us All Stupider

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myths Of Risk Assessment.”  This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post.  So let’s discuss why Mr. Lacey has no clue what he’s writing about, shall we?

First Mr. Lacey writes:

1. Risk assessment is objective and repeatable

It is neither. Assessments are made by human beings on incomplete information with varying degrees of knowledge, bias and opinion. Groupthink will distort attempts to even this out through group sessions. Attitudes, priorities and awareness of risks also change over time, as do the threats themselves. So be suspicious of any assessments that appear to be consistent, as this might mask a lack of effort, challenge or review.

Sounds reasonable, no?  Except it’s not altogether true.  Yes, if you’re doing idiotic RCSA of Inherent – Control = Residual, it’s probably as such, but those assessments aren’t the totality of current state.

“Objective” is such a loaded word.  And if you use it with me, I’m going to wonder if you know what you’re talking about.  Objectivity / Subjectivity is a spectrum, not a binary, and so for him to say that risk assessment isn’t “objective” is an “of course!”  Just like there is no “secure” there is no “objective.”

But Lacey’s misunderstanding of the term aside, let’s address the real question: “Can we deal with the subjectivity in assessment?”  The answer is a resounding “yes” if your model formalizes the factors that create risk and logically represents how they combine to create something with units of measure.  And not only will the right model and methods handle the subjectivity to a degree that is acceptable, you can know that you’ve arrived at something usable when assessment results become “blindly repeatable.”  And yes, Virginia, there are risk analysis methods that create consistently repeatable results for information security.

2. Security controls should be determined by a risk assessment

Not quite. A consideration of risks helps, but all decisions should be based on the richest set of information available, not just on the output of a risk assessment, which is essentially a highly crude reduction of a complex situation to a handful of sentences and a few numbers plucked out of the air. Risk assessment is a decision support aid, not a decision making tool. It helps you to justify your recommendations.

So the key here is “richest set of information available” – if your risk analysis leaves out key or “rich” information, it’s pretty much crap.  Your model doesn’t fit, your hypothesis is false, start over.  If you think that this is a trivial matter for him to not understand, I’ll offer that this is kind of the foundation of modern science.  And mind you, this guy was supposedly a big deal with BS7799.  Really.

4. Risk assessment prevents you spending too much money on security

Not in practice. Aside from one or two areas in the military field where ridiculous amounts of money were spent on unnecessary high end solutions (and they always followed a risk assessment), I’ve never encountered an information system that had too much security. In fact the only area I’ve seen excessive spending on security is on the risk assessment itself. Good security professionals have a natural instinct on where to spend the money. Non-professionals lack the knowledge to conduct an effective risk assessment.

This “myth” basically made me physically ill.  This statement “I’ve never encountered an information system that had too much security” made me laugh so hard I keeled over and hurt my knee in the process by slamming it on the little wheel thing on my chair.

Obviously Mr. Lacey never worked for one of my previous employers that forced 7 or so (known) endpoint security applications on every Windows laptop.  Of course you can have too much !@#%ing security!  It happens all the !@#%ing time.  We overspend where frequency and impact ( <- hey, risk!) don’t justify the spend.  If I had a nickel for every time I saw this in practice, I’d be a 1%er.

But more to the point, this phrase (never too much security) makes several assumptions about security that are patently false.  But let me focus on this one:  This statement implies that threats are randomly motivated.  You see, if a threat has targeted motivation (like IP or $) then they don’t care about systems that offer no value in data or in privilege escalation.  Thus, you can spend too much on protecting assets that offer no or limited value to a threat agent.
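To make the frequency-and-impact argument concrete, here is an added example (my code, not from the post and not any particular risk methodology’s tooling) that simulates annual loss from a constructed event frequency and loss magnitude, then asks whether a proposed control costs more than the loss it removes. The Poisson/lognormal shape and every number in it are assumptions chosen for illustration. The repeatable() function also speaks to myth 1: two runs of the same model with different random draws agree within sampling noise, because the inputs are formalized rather than plucked out of the air.

```python
import math
import random

YEARS = 50000  # simulated years per run; more years, less sampling noise


def poisson(rng, lam):
    """Knuth's Poisson sampler, adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef_mean, magnitude_median, magnitude_sigma, years, seed):
    """Simulated annual losses: events per year ~ Poisson(lef_mean), loss per
    event ~ lognormal with the given median and log-sigma (assumed shapes)."""
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    losses = []
    for _ in range(years):
        events = poisson(rng, lef_mean)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma)
                          for _ in range(events)))
    return losses


def expected(losses):
    """Annualized loss expectancy: the mean simulated annual loss."""
    return sum(losses) / len(losses)


def percentile(losses, q):
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def control_is_worth_it(ale_without, ale_with, annual_cost):
    """A control pays for itself only if the loss it removes exceeds its cost.
    Returns (worth_it, net_benefit_per_year)."""
    net = (ale_without - ale_with) - annual_cost
    return net > 0, net


def demo(seed=1):
    """Constructed case: a system that holds nothing a targeted attacker
    wants, so events are rare and cheap (0.2/yr, median loss 5,000). The
    proposed control cuts frequency to 0.05/yr but costs 20,000 a year."""
    without = simulate_annual_loss(0.2, 5000, 1.0, YEARS, seed)
    with_ctl = simulate_annual_loss(0.05, 5000, 1.0, YEARS, seed + 1)
    ale0, ale1 = expected(without), expected(with_ctl)
    worth, net = control_is_worth_it(ale0, ale1, 20000)
    return {"ale_without": ale0, "ale_with": ale1,
            "p95_without": percentile(without, 0.95),
            "worth_it": worth, "net": net}


def repeatable(seed_a, seed_b):
    """Relative gap between two runs of the same model with different seeds:
    same formalized inputs, same answer up to sampling noise."""
    a = expected(simulate_annual_loss(0.2, 5000, 1.0, YEARS, seed_a))
    b = expected(simulate_annual_loss(0.2, 5000, 1.0, YEARS, seed_b))
    return abs(a - b) / max(a, b)


if __name__ == "__main__":
    r = demo()
    print(f"ALE without control: {r['ale_without']:.0f}, with: {r['ale_with']:.0f}")
    print(f"control worth it: {r['worth_it']} (net {r['net']:.0f}/yr)")
    print(f"run-to-run gap: {repeatable(7, 11):.1%}")
```

With these inputs the control removes on the order of a thousand a year in expected loss and costs twenty thousand, so the answer is no: that is what “too much security” looks like in numbers, and it falls straight out of frequency and impact. Swap in a system a motivated attacker actually wants (higher frequency, higher magnitude) and the same code says yes; the point is that the spend follows the model rather than instinct.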

5. Risk assessment encourages enterprises to implement security

No, it generally operates the other way around. Risk assessment means not having to do security. You just decide that the risk is low and acceptable. This enables organisations to ignore security risks and still pass a compliance audit. Smart companies (like investment banks) can exploit this phenomenon to operate outside prudent limits.

I honestly have no idea what he’s saying here.  Seriously, this makes no sense.  Let me explain.  Risk assessment outcomes are neutral states of knowledge.  They may feed a state of wisdom decision around budget, compliance, and acceptance (addressing or transferring, too) but this is a logically separate task.

If it’s a totally separate decision process to deal with the risk, and he cannot recognize this is a separate modeling construct, these statements should be highly alarming to the reader.  It screams “THIS MAN IS AUTHORIZED BY A MAJOR MEDIA OUTLET TO SPEAK AS AN SME ON RISK AND HE IS VERY, VERY CONFUSED!!!!”

Then there is that whole thing at the end where he calls companies that handle this process illogically “smart.”  Deviously clever, I’ll give you, but not smart.

6. We should aspire to build a “risk culture” across our enterprises

Whatever that means it sounds sinister to me. Any culture built on fear is an unhealthy one. Risks are part of the territory of everyday business. Managers should be encouraged to take risks within safe limits set by their management.

So by the time I got to this “myth” my mind was literally buzzing with anger.  But then Mr. Lacey tops us off with this beauty.  This statement is so contradictory to his past “myth” assertions, is so bizarrely out of line with his last statement in any sort of deductive sense, that one has to wonder if David Lacey isn’t actually an information security surrealist or post-modernist who rejects reason, logic, and formality outright for the sake of random, disconnected and downright silly approaches to risk and security management. Because that’s the only way this statement could possibly make sense.  And I’m not talking “pro” or “con” for risk culture here, I’m just talking about how his mind could possibly conceptually balance the concept that an “enterprise risk culture” sounds sinister vs. “Managers should be encouraged to take risks within safe limits set by their management” and even “I’ve never encountered an information system that had too much security.”

(Mind blown – throws up hands in the air, screams AAAAAAAAAAAAAAAAAHHhHHHHHHHHHHHHH at the top of his lungs and runs down the hall of work as if on fire)

See?  Surrealism is the only possible explanation.

Of course, if he was an information security surrealist, this might explain BS7799.