December 28, 2006

Musings about PCI in the press

First of all, my apologies for not blogging in a while... even after I said that I was back and that I'd be blogging more. It's the holidays, and trust me, I really needed the downtime. Anyway, now I'm back and should be keeping abreast of things - at least until the new year. :-) I came across an interesting thing the other day; it was an article by Rob Pollard entitled PCI Data Security Standard Calls for Next-Generation Network Security. Check out the following excerpt:

"The confluence of network security and network performance creates a secure sphere of vigilance from the core of the network to its edge, enabling IT managers to watch for internal breaches of established security protocols at the same time they are monitoring for external infiltration."

Now, I was interested because of the reference to PCI. I try to keep up on this stuff because I'm a "QDSP" - which, though I would like to tell you stands for "Quasi-Delirious and Spasming with Pain," really stands for "(supposedly-)Qualified Data Security Professional"; what that means in practice is that I've been to VISA's "sit in a room and drink burnt coffee" training. It also means that I'm approved by VISA to assess people on their PCI compliance. Since the training didn't really prepare me for some of the things I'd encounter in the field, such as how to conduct a PCI audit or how to interpret the standards (preferring instead to concentrate on the format/structure of the magnetic stripe on a credit card, why it's important not to let criminals get credit card numbers, and why SET was a work of misunderstood genius), I tend to read any articles I can find about PCI to keep abreast.

Anyway, the point is that I read this in the light of trying to better understand PCI.  Now, before I get into this, let me say that I have no axe to grind here - I think the article was on-track from a security perspective, and I think it was executed very eloquently by the author - I am not doing it down.  However, that being said, I think it illustrates a point that I've been trying to make for a while now - which is that when it comes to compliance, it pays to take what's in the media with a grain of salt.  For example, check this out:

[PCI] requires that network security managers know the established network conversation patterns of every employee, who has access to which servers, what data must be encrypted, and how to restrict access to the most sensitive data stores.

That's a pretty bold stake in the ground, no? In order to do this, network managers would have to have detailed information about every user, every application in use, every machine on the network, and every little tidbit of data enterprise-wide. Wouldn't they? After all, how would they know what the "established conversation patterns" are if they didn't know what applications were in use? Or how would they know what data to encrypt if they didn't know what data there is to choose from? Now, I agree that this type of thing would be useful. For sure. But is it mandated? I don't think it is. Saying that this is "expensive and time-consuming" is an understatement akin to saying "some people don't really enjoy liver all that much."

PCI requires a new breed of security technology that can ensure the same level of security for internal operations as for the perimeter... The ideal solution would be able to track routine network usage by every employee, identify when and how critical servers are being accessed, harden and segment networks to proactively prevent unauthorized access to confidential information, and prevent attacks from compromising legitimate access to critical information.

Really?  The same for internal as external?  Look - I'm not saying these aren't good security measures.  All I'm saying is that I don't agree that they're required by PCI; in fact, I would argue that the PCI requirements merely codify what most folks should be doing anyway.

Posted by Ed at 08:14 AM | Comments (2) | TrackBack

December 21, 2006

Sorry, been out to lunch.

So, I apologize that I haven't blogged in a week or so; it seems like at the end of the year, it's always the case that I get pinned down with work. Needless to say, I've been busting my hump trying to get a bunch of stuff done. Anyway, sorry about the disappearance.

Posted by Ed at 09:55 AM | Comments (0) | TrackBack

December 13, 2006

Our First Annual "Top Grinch" Award

Ah yes, the Grinch. Everybody loves him. After all, how could you not love a green Ebenezer Scrooge with a cute dog and Boris Karloff's voice, right? He's cranky, he's cantankerous, and he don't take no guff from all those dismal Whos down in Whoville. In fact, everybody loves the Grinch so much that we're willing to overlook the whole "trying to steal Christmas" thing. Right? I mean, here's a guy who breaks into people's houses, steals presents from their kids, steals their food off the table (trying to implicate Santa in the process), and tortures a dog (he does - if you don't think so, watch it again and pay attention to what he does to Max). What a dirtbag! But we love him anyway - probably because he's green and eventually apologizes.

In that spirit, we're naming our first annual "Grinch" award. For context, this is an award presented to someone who tries their best to steal Christmas but who we love anyway despite their "stake of holly through the heart" attitude. This year's contenders are:

- Sophos for announcing video game-blocking software a week before people receive their new games (note that we're not dinging Microsoft for their functionally-equivalent "must be administrator to install software" feature because they didn't actually exploit the holidays to sell it).

- Panda for their "New vulnerabilities threaten Christmas shoppers" press release.

- CNN for their "Happy new-year, have some cyber-warfare" story.

- Red Orbit for their "Online Shoppers Need to Be More Secure" story.

- ComputerActive for their "New PCs ripe for Christmas hackers" story.

And the winner is (envelope please)...

Panda! Because that mascot of theirs in the system tray is so damn cute and cuddly-looking that we all love them anyway, even though they did try to exploit the holiday by using it as a draw for a press release on vulnerabilities, telling us that we're all going to get some spiffy new fraud for Christmas unless we buckle down (implication: unless we use their product).

Posted by Ed at 12:52 PM | Comments (1) | TrackBack

December 12, 2006

Replacing Risk Management with Pure Awesomeness

Allow me to set the stage to pose to you something I've been thinking about the past few days. Specifically, have you ever noticed how sometimes certain situations tend to favor the ignorant? Follow the logic with me on this... Risk management is about increasing your risk-awareness, right? Now, by "increasing your awareness", I mean that you try to understand what your current risk profile is, you set a tolerance threshold for how much risk you feel you can absorb, and you actively work to remediate any risks that are above the threshold. The process involves understanding your current situation, making a decision about it, and moving on. Now, most of us would tend to assume that understanding your current position is desirable. You'd think so, right? For the organization as a whole, it's probably all upside. The organization is better off understanding where they stand and making intelligent decisions. But what about on an individual level? I mean, are individual employees and executives incented to move to this model?

Compare two different companies: say Company A goes through the risk management process. They find an issue that introduces risk; but for whatever reason, they don't remediate it. Maybe they decide that the risk isn't worth the likelihood it will be exploited; maybe they don't have budget to fix the problem. Whatever the reason, it doesn't get fixed. Now, Company B is a "fly by the seat of the pants" kind of company; they haven't even heard of risk management, let alone employ it. They don't have any clue about what problems they may or may not have. Say, hypothetically, they both get hit by the same problem - Company A knew about it but didn't do anything, while Company B had no clue it was an issue. Who's better off? Both companies suffered the same damage, right? Both companies are in a world of hurt and need to take action... But at a micro level... at the level of the individual, would you prefer to be in the position of knowing about an issue and not acting, or in the position of not knowing? After all, somebody could come around with the benefit of hindsight and say "you KNEW that this problem could occur but yet you elected to IGNORE it" or "who EXACTLY made the decision that this issue costing us x million dollars wasn't a priority?" Yes, somebody in Company A is probably going to be looking for a new job sooner rather than later, don't you think? Company B, on the other hand? Instead, they're saying, "Gee, who knew that could happen? How could we possibly have known?" Force majeure... Another day at the office...

Now, I happen to think risk management is the right way to do things. I don't understand how people can possibly plan if they don't know where they are today. But I think there's something more to it... there needs to be a reason for executives to want to push risk management. And today they arguably have reasons not to (or at least to be nervous about it.)

So, it was with this in mind that I came to read Pete Lindstrom's blog entry from yesterday, where he references the Donn Parker article suggesting we get rid of risk management. Now, when I read Pete's reference to this, I was actually somewhat hopeful... Given what had been on my mind, I thought maybe Donn was going to come up with some straight dope on the issue. Needless to say, I was disappointed. So Donn's take is that we should take risk management and replace it with "unbelievable greatness - with the goal of total and unadulterated awesomeness". Well, maybe that's not exactly what he said... but it's close. What he actually said was that we need to replace risk management with "practical, doable security management" with the goal of "due diligence, compliance consistency, and enablement." Here's the problem with this line of reasoning - "risk management" is a methodology - a process. Having "doable, practical security management" is a state that you come to as a result of some process - not a process itself. One could say, for example, that a potential outcome of risk management as an approach would be having practical, doable security management, whereas one could not say the inverse. It would be like saying that instead of driving my car, I want to be at my destination. That wouldn't make sense, right? To get to my destination, I need to go through some process. Driving is one option, as is walking, flying, crawling, hopping, skijoring, etc. Anyway, my goal here wasn't to diss Donn - he actually makes quite a few interesting points, not the least of which are critiques about how risk management is currently practiced in enterprise. All valid criticisms. But it wasn't what I was hoping for.

Posted by Ed at 07:24 PM | Comments (5) | TrackBack

December 07, 2006

Let the 2007 soothsaying begin

It's time for one of my favorite holiday traditions! And no, I'm not talking about roasting chestnuts, baking cookies, or putting up the tree. Sure, those things are all fun too, but one thing I particularly love is the new-year security predictions from the vendor community. And guess what? It's already started. Now, of course the real fun won't be underway until the end of the year, but in the meantime we can have a bit of fun with the predictions that are already out. McAfee whipped theirs out last week and today IBM's X-Force (formerly ISS) cut loose and let 'er fly. Awesome.

So what's on the horizon for 2007 according to the witches of Endor? Check it out; X-Force says:

- Spear phishing will increase
- Less multi-factor authentication
- Less niche-AV, more holistic security products
- More exploitation of web browser flaws for adware installation

and McAfee says:

- More spearphishing
- More malware on phones and mobile devices
- More malware in video content (think YouTube)
- More use of application scanning software

So, what do you think? Do you agree? I would tend to agree with both firms that phishing will probably increase. I think it's also possible that malware will continue to increase. However, I don't agree with McAfee that there will be more phone malware, just like I didn't agree with them when they predicted it for 2006. Just for the record, these were last year's predictions from McAfee:

- Phone malware to eclipse PC malware: "McAfee... predicts that the damage caused by new mobile threats is likely to be more extensive than those caused by today’s PC threats..."
- Mobile malware to impact wired networks: "...this will result in instantly mature mobile threats that can devastate networks and consumer data with little fanfare or warning"
- More Automated phishing: "McAfee AVERT Labs predicts an increase in distributed phishing Trojans -- Trojans that turn an infected computer into a phishing Web site and then spam others to go to that infected machine or site"

So, maybe they're not the "Great Zoltar" after all. Of course, they didn't get everything wrong. In the "on-target" group of predictions from 2006 were:

- Adware, Spyware, Phishing will continue to grow and fraudulent web sites will continue to pop up

Posted by Ed at 09:57 AM | Comments (1) | TrackBack

December 06, 2006

Great Article on HelpNet on using the WMIC

For those of you who don't regularly read Help Net, I recommend that you surf on over and take a look at the PDF "Introduction to the Windows Management Instrumentation Command-line (WMIC)" written by friend and colleague Bill Lynch. Check out the introduction:

It’s quite possible you’ve never heard of the Windows Management Instrumentation Command-line (WMIC), but this well kept secret command-line tool is immensely powerful for gathering information from Windows-based systems. Because it can be used both locally and over the network and is installed by default on most Windows-based systems since Windows 2000, it’s exceedingly useful for both penetration testing and forensics tasks.

Nice, right? Anyway, I highly recommend checking it out; WMI is pretty cool, and who knows what kind of trouble you can get into by using it from the command line. ;-)
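As an added example (not from the blog post or from Bill Lynch's paper), here is a small batch script that uses WMIC the way a responder or auditor would: it snapshots a host's OS build, installed hotfixes, running processes, services, startup entries and local accounts into a text file for later review. The target host name and output path are assumptions; by default it queries the local machine. Querying a remote host through /node: goes over DCOM/RPC and requires an account with administrator rights on that host.

```batch
@echo off
REM Added example (not from Bill Lynch's paper or the blog): a defensive
REM triage script that uses WMIC to snapshot the state of a Windows host
REM for incident response or an audit. Run it from an elevated prompt.
REM TARGET and OUT are assumptions; change TARGET to a remote host name
REM to collect the same data over the network.

setlocal
set TARGET=%COMPUTERNAME%
set OUT=%~dp0wmic-triage-%TARGET%.txt

echo === WMIC triage of %TARGET% on %DATE% %TIME% === > "%OUT%"

REM OS build and last boot time, then the installed hotfix list: together
REM they tell you how far behind on patches the box is.
echo --- Operating system --- >> "%OUT%"
wmic /node:"%TARGET%" os get Caption,Version,LastBootUpTime /format:list >> "%OUT%"
echo --- Installed hotfixes --- >> "%OUT%"
wmic /node:"%TARGET%" qfe get HotFixID,InstalledOn /format:csv >> "%OUT%"

REM Processes with parent PID, binary path and full command line: a quick
REM way to spot something launched from an unusual location.
echo --- Processes --- >> "%OUT%"
wmic /node:"%TARGET%" process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine /format:csv >> "%OUT%"

REM Services, the binary each points at, and the account it runs under.
echo --- Services --- >> "%OUT%"
wmic /node:"%TARGET%" service get Name,State,StartMode,StartName,PathName /format:csv >> "%OUT%"

REM Registered startup commands (Run keys, Startup folders), a common
REM place to find persistence.
echo --- Startup entries --- >> "%OUT%"
wmic /node:"%TARGET%" startup get Caption,Command,Location,User /format:csv >> "%OUT%"

REM Local accounts only, to check for unexpected or re-enabled users.
echo --- Local user accounts --- >> "%OUT%"
wmic /node:"%TARGET%" useraccount where "LocalAccount=True" get Name,Disabled,PasswordRequired,SID /format:csv >> "%OUT%"

echo Snapshot written to "%OUT%"
endlocal
```

Each wmic line is an alias (os, qfe, process, service, startup, useraccount) over the corresponding Win32_* WMI class, so the same properties are available from any WMI client. Keeping a baseline snapshot of a known-good build and diffing a later one against it is the simplest way to turn this output into a detection.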

Posted by Ed at 10:00 AM | Comments (0) | TrackBack

December 05, 2006

More thoughts about Microsoft and Oracle

So, the other week we discussed (cursorily) the ongoing fallout from Dave Litchfield's report regarding the security of Oracle vs. SQL Server. One of the interesting reflections on this comes from Illuminata; if you get a chance, I highly recommend that you read through their discussion on this.

Now, the Illuminata position is that the security of Oracle has eroded over time (that they have more vulnerabilities now than they have had in previous versions of the product) while the security of Microsoft's SQL Server has increased. I think this is a useful observation... The only thing that I would point out would be the fact that proving their assertion would be difficult; for example, we've had an uptick in the amount of research activity across the same time window as the increase in Oracle's vulnerabilities. Given that, it could be that the security of Oracle hasn't eroded - it's just that there's more research nowadays. But normalizing the increase in vulnerabilities against the research growth curve is more math than I feel like doing this morning, so I'll buy into their assumption for the sake of argument.

Their next assertion is also interesting - which is that other Microsoft products like IE and Windows have also had an increase in overall security, but because of holes in the existing product base, users have not yet begun to pick up on the improvements. Interesting, too. I would tend to agree with this. However, I think there's more going on than just interaction with legacy products that increases the perception of Microsoft products as having security problems. Specifically, there is pressure from competitors, marketing dollars from Apple and others to paint the products as insecure, as well as third-party apps that detract from the security of the individual products.

So, go read this post if you haven't yet. Pay special attention to the part where they tell Oracle that their customers are starting to take notice of issues in the product, and also keep in mind that Illuminata is not a security-specific analyst firm so the fact that they are interested in this means that it's of interest to the IT community outside of just security.

Posted by Ed at 09:56 AM | Comments (0) | TrackBack

December 01, 2006

Microsoft's upcoming marketing nightmare

The other day, I was listening to NPR (I think it was "Marketplace") in the car and for some reason they were talking about Vista. I can't remember the exact context, but one of the gentlemen being interviewed raised an interesting point - he said (paraphrasing here, since my memory is not so good), "Microsoft has so much riding on Vista that if they can't control the spyware/malware problem, it won't be very good for them." Of course he was right, and it's something that quite a few of us have been commenting on in the security space for quite some time; however, what really struck me about this particular discussion was the fact that it was on NPR - meaning, in my opinion, that the interest in this has been raised significantly (it seems to me that something has to be particularly entrenched in our collective discourse if it gets coverage on the radio - even if it is NPR). So in my opinion, this means that all sorts of individuals who would otherwise be less than interested are now watching Vista to see how it plays out from a security perspective.

Now, in my opinion, Microsoft has painted themselves into a corner; they've written a number of checks that I don't think any product could possibly cash. Here's what I mean: they've made the claim that it's the most secure MSFT product to date. Couple this with a perception on the part of many that they are seeking to "own" security going forward (I don't think they are, by the way - but there is that perception). Now throw in the recent press that the SDL has received and the vocal message that they've put forth about the security features built into the product (this is from BusinessWeek, for Pete's sake). Put all those things together and you have some very high expectations on the part of consumers. At the end of the day, Microsoft will have to eat some major crow if it turns out that the security is not perceived to be significantly better than previous operating systems. And here's the crux of the matter: notice that I didn't say "is significantly better" in that last sentence but instead "perceived to be significantly better"... in actuality, it doesn't really matter all that much whether the security actually is better or not - it just has to be seen as being better by the community at large.

And that won't happen. Period.

Why not? First, Microsoft has to fight the marketing of other firms with a vested interest in painting the OS as insecure. Don't believe me? Does "I'm a Mac" ring any bells? If Mac doesn't spin the security issue, how about the AV software vendors? How many millions of dollars in "Microsoft is insecure" marketing do you think will get spent to usher in the age of Vista? I'm thinking quite a few. Second, there are a ton of researchers chomping at the bit to test their mettle against Vista. It is going to be "target #1" for the foreseeable future for bug-finders, vulnerability researchers, tool makers, spyware manufacturers, etc. Batten down the hatches, because a squall is a-brewin'. Not to mention that they're fighting the natural order - it is the nature of software products to have bugs. And Vista will - I guarantee it. And last but not least, Microsoft is up against a bias in the marketplace the extent of which they have no conception. In other words, they have a matter of weeks - maybe a few months - to change everyone's mind about their software. I think it's pretty unlikely, don't you?

So what happens if Vista is not perceived as secure? I'm not sure, but I'm thinking nothing good (for Microsoft) can come of it.

Posted by Ed at 12:19 PM | Comments (3) | TrackBack