ChoicePoint CISO Richard Baich has the following to say about how ChoicePoint inadequately defended our most private credit, medical, insurance, salary, tax and earnings information. Does this make anybody else's hair stand on end? Check out the choice comments below:
"This is not an information security issue... This type of fraud happens every day. " - Thanks, Rich. Of course, I always suspected that the "stewards" of my semi-personal information (e.g. address and phone number and such) were leaking it out, as Dick here indicates, "every day." However, I sort of thought that my financial or medical information was between me and only those with a "need to know." I was wrong - apparently. Apparently, they see the loss of 145,000 records as "not an information security issue." I'm curious what type of issue it is - Maybe Richard sees it more as a Media Relations issue? How about a Sales issue? "Darn sales department - they are always slacking when it comes to ensuring the security of all that information." Bah. Wishing it to be somebody else's problem won't make it any better.
"I was at RSA among other CISOs when the media frenzy around this kicked in." Am I misunderstanding, or did he just imply that their process is so hosed up that he (the CISO) didn't even hear about the pending disclosure until after the media reports? Strange as it sounds, I actually hope that their process is that hosed, since the only other alternative is that he did know about it but chose to "otherwise occupy" himself at RSA when they disclosed. (Maybe he was busy indulging in a bit of free cheese danish over at the VeriSign-sponsored "CISO refreshment table" - I don't blame him, the danish are the first to go.)
"What would help (the security) industry is to say that a mislabeling of this event as a hack is killing ChoicePoint." ??? Hack or fraud. Excuse me, but really - who cares?
"...this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection..." Um. Still not following you. Is the argument that the 145,000 records fall under the auspices of "adequate protection"? Or is the argument that it's not *really* a security breach because they didn't h4x0r some server over there? Oh! I have a great rationalization - how about this: it's not an information security "breach" because all ChoicePoint's information security resources were involved in intense, precision, laser-focused infosec planning activities at the W bar when the fraud/hack took place.
Poor form, ChoicePoint...
There has been a lot of speculation about exactly what happened to Paris' Sidekick (her little mobile PDA device)... Just in case you haven't heard, Paris Hilton suffered a very unfortunate exposure of her personal information when the data from her Sidekick was exposed to the world.
The question I've seen over and over is... how did it happen? Did she have a weak password? Or was there a known exploit? In the absence of further evidence, all we really can do is speculate (although the 'sploit on rootsecure looks pretty convincing to this casual observer.)
One of the things that I find interesting is how T-Mobile can insinuate that this is somehow Paris' fault. Lest we forget, one of the parties in this equation has a sordid history of having their private bits exposed over and over again in the public eye... and I don't mean Paris. For example, remember when that guy had complete run of the T-Mobile network for over a year or when T-Mobile had all that data on secret service agents stolen? Oh yeah, and I almost forgot, remember when T-Mobile wasn't sure who stole what because they didn't keep sufficient audit data? Seems to me T-Mobile's cry of "maybe Paris had a weak password" is looking pretty flimsy in the light of their previous security debacles.
In any event, maybe this will be a good thing for the big pink T. After all, we've had device ID capability for quite a while now. Maybe one of these phone companies will wake up and realize that if I access their website from a Sidekick, they should limit access to people with... well, Sidekicks.
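The kind of device-aware check the post is asking for, as an added example rather than anything from the post or from T-Mobile: a carrier account page that serves the normal session only when the request comes from the device class the subscriber provisioned *and* from a network the account has been seen on before, and demands step-up authentication otherwise. The User-Agent fragments, the account record and the sample requests are all constructed for the example; the Sidekick was a Danger hiptop handset, but the exact UA string is an assumption. The one caveat a practitioner should keep in mind is built into the logic: User-Agent is chosen by the client, so a matching value never buys *less* scrutiny on its own, it only avoids extra scrutiny in combination with another signal.

```python
from dataclasses import dataclass

# Constructed User-Agent fragments -> coarse device class. The Sidekick was a
# Danger hiptop device, but these exact strings are assumptions for the example.
DEVICE_SIGNATURES = {
    "Danger hiptop": "sidekick",
    "Windows NT": "desktop",
    "Macintosh": "desktop",
}


def classify_device(user_agent: str) -> str:
    """Map a User-Agent header to a coarse device class, or 'unknown'."""
    for fragment, device_class in DEVICE_SIGNATURES.items():
        if fragment in user_agent:
            return device_class
    return "unknown"


@dataclass(frozen=True)
class Account:
    username: str
    registered_device: str      # device class the subscriber provisioned
    known_networks: frozenset   # assumption: /24 prefixes previously seen for this account


def network_prefix(ip: str) -> str:
    """Crude /24 bucket for a dotted-quad IPv4 address; enough for the example."""
    return ".".join(ip.split(".")[:3])


def access_decision(account: Account, headers: dict, source_ip: str) -> tuple:
    """Return (decision, reason) for a request to the account self-service page.

    'allow'   serves the page on the ordinary password session.
    'step-up' requires a second factor (e.g. a code pushed to the handset)
              before anything sensitive is shown.

    User-Agent is set by the client and trivially forged, so a *matching* UA is
    never treated as proof by itself: it earns 'allow' only together with a
    source network the account has been seen on before. A mismatch or an
    unrecognised UA always costs the extra factor.
    """
    device = classify_device(headers.get("User-Agent", ""))
    if device == "unknown":
        return ("step-up", "unknown-device")
    if device != account.registered_device:
        return ("step-up", "device-mismatch")
    if network_prefix(source_ip) not in account.known_networks:
        return ("step-up", "new-network")
    return ("allow", "registered-device-on-known-network")


if __name__ == "__main__":
    # Constructed sample account and requests.
    acct = Account("subscriber", "sidekick", frozenset({"10.1.2"}))
    handset = {"User-Agent": "Mozilla/4.0 (compatible; Danger hiptop 3.4)"}
    desktop = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
    print(access_decision(acct, handset, "10.1.2.55"))   # allow
    print(access_decision(acct, desktop, "10.1.2.55"))   # step-up, device-mismatch
    print(access_decision(acct, handset, "192.0.2.9"))   # step-up, new-network
```

The point of returning a reason alongside the decision is that the mismatch cases are exactly the events worth logging and alerting on; a carrier that keeps no such audit trail is in the position the post describes T-Mobile being in, unable to say afterwards who accessed what.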
There was a lot of discussion at RSA this year about whether vendors should be accountable for the security of their software. This is a very difficult question to answer, but I think we need to ask another, more basic question - specifically, should vendors be accountable for the accuracy of their marketing statements? As consumers, we need to be very careful - sometimes even the vendors selling a product do not understand the implications of certain marketing statements. This is not always due to greed or malice (although unfortunately sometimes it is) - usually it is due to the desire to express the good points of a new technology.
To paraphrase one comment I heard on the show floor of RSA, "My IDS will stop new categories of attacks without requiring a signature update." Why can't this statement be true? Let's assume for a moment that it is. "New categories of attacks" are, by definition, categories that have not been discovered yet, so the IDS would have to somehow know the difference between "undesirable" and "permissible" effects for every packet it sees. Such systems are possible - in fact, this is how "heuristic" AV scanning works. But consider the scale. One "new category of attack" might only affect systems that have a particular hostname or that run a particular service, and since an IDS vendor can't know about every possible new attack vector ahead of time (if they could, they'd be in business as an oracle rather than a technologist), the IDS would have to actually execute all incoming requests against a target identical to the one the attack is aimed at. So why can't a vendor have virtual hosts that account for all the system configurations on your network and make desirable/permissible decisions "on the fly," the way heuristic AV does on a single host? Because every machine instance is different (even identical operating system installs are in different states on different machines and at different points in time), and because we can't exclude any software on the machine as a possible target of attack, we would need to record and analyze the whole target machine. Aside from performance issues, logistical issues (keeping every image current) and architecture issues (having a virtual hardware image for every architecture on our network), the storage alone would limit us: if we had 1000 machines on the network each running WinXP, at roughly 3 GB per image we would need about 3 terabytes of storage for the virtual images alone.
In another context, I had a conversation with a CEO of a security company who told me, "My software fundamentally changes the way SSL functions on both the client and the server side, but it doesn't require you to download any new software on either end." This statement is technologically impossible - machines do not "automatically" change their behavior to do new things... SSL behaves according to the rules of SSL and not according to the rules of telnet. SSL has been programmed to function a particular way, and if we want to change it to behave in a different way that has not been accounted for by the implementer, we have to install new software. When I pressed the individual who made this statement, he conceded that some new software was required (he attempted to counter that it didn't really count as new software because it was an ActiveX control.)
I think as consumers we need to be sure to discuss with vendors ahead of time exactly what we think we are getting from a product and compare it with what they think they are supplying. If the two don’t match, the best time to find that out is before a sale and not after. "Before the sale" discovery of a disconnect leads to more repeat business for the vendor and a happy purchase on the customer’s part – "after the sale" discovery leads to dissatisfied customers and less future business for vendors. As Diana very succinctly put it, "vendor hype benefits no one" and acts to the detriment of all; in fact, the long-term consequences of inaccurate statements are worse for the vendor than they are for the customer (the customer loses out just once, but the vendor loses once for each sale made this way.)
Another RSA Conference has come and gone. This time around the theme was "The Codes of Prohibition". Bill Gates (MSFT) and John Thompson (SYMC) gave opening remarks on Tuesday, and on Thursday Simon Singh, who was probably invited to discuss "The Code Book", took those of us in the audience through a delightful romp covering his musings on "The Big Bang", which included a demonstration of the human brain's capability for pattern matching when specific patterns are expected, using a snippet of Led Zeppelin's "Stairway to Heaven" as the proof point.
All well and good, but what has changed, *really* changed, in security? I've been in this business for 15 years now and attended my first RSA Conference in 1998, but I can't escape the lingering frustration with an industry that's so very often chasing its own tail.
Are enterprises any more secure than they were 10 years ago? For all the cost and splash on the show floor from new and existing vendors, have we been able to establish a sane and sensible approach to IT risk management? Sadly, I think not. At RSA this year the vendor money was more apparent and the attendance numbers were up, but where are we? Are we doing a better job of protecting our most critical assets?
The answer, as is so often the case in this field, is a grey one. Without a doubt we have seen some incredible advances in the available technology: network management has reached a level of maturity (though, sadly, not a 'secure' one, yet), Single Sign-On (or more accurately reduced sign-on) is a reality in many organizations, and signing off on Sarbanes-Oxley Section 404 has, for many companies, required a process, audit and reporting trail that far exceeds what was available in the past. But still, as a network admin at heart, I find myself frustrated. All I ever wanted to do was to provide the intelligence and infrastructure to help the companies I worked for run their business as well as possible.
Yet as I looked over the show floor and saw all the available technology, I winced. More solutions, more servers, more byzantine audit trails. Where are the standards and coherent integration required to make a truly intelligent and appropriately risk-managed enterprise? The SAML interoperability demonstration and the work towards a common criteria for ranking vulnerabilities, CVSS, the Common Vulnerability Scoring System, give me hope.
"Security" - or, more appropriately, Risk Management - is about sharing the right information and disseminating that information so it can be acted on in the most efficient way possible. Of course, yes, each vendor has a product or service to sell, so the lure of doing it in a way that eliminates competition is understandable. But we're in a much bigger community here; we, as IT professionals and stewards, must also learn how to work together, interoperate via standards, for the greater good. Whether we like it or not, we now live in a world that is dependent on digital information.
And our responsibility as members of this community is to learn how to work together to protect that information. The "my product's better than your product" mentality is understandable, and arguably required by the folks on Wall Street, but it won't get our industry where it needs to go. Innovation is critical to our future, which often means a new, niche concept from a small group of talented and creative people. But failure to understand that we must, in some way, work together (share standards, interoperate) will create nothing more than the cacophonous and largely indecipherable vendor hysteria that colored this year's conference.
Let's all work together towards the greater good - it doesn't mean we have to stop competing - but it does mean we all need to think about what's best for the protection of digital assets even as we attempt to create the next, most important piece of the risk management puzzle. Working towards shared standards and levels of risk acceptability is, as Martha would say, a "good thing." But, sadly, it is something that was not recognized in a holistic sense this year. Nor in previous years. We can do better. Let's challenge ourselves, and as a discipline accept that challenge. Our most critical assets are at risk. Sure, each security vendor company lives and dies by the financials at the end of each quarter, but if we want to "build to last" and also build to protect, we must think more completely. Want to really provide "security" to the enterprise? Build tools that work, intelligently, with the other tools in the market.
Silo'd security is an oxymoron - security tools must protect the business. And the only way to make that happen is to build tools that work with, rather than against, each other.
That's my take away from the RSA Conference 2005 - what's yours?