Archive for the ‘Analysts’ Category
It’s always awesome to share space with the Pete
Check it out: this morning, yours truly shared space with the L1ndst0rm in an article about security in the channel. Always a pleasure to show up next to the Maverick from Malvern.
Why? Why do I get sucked in?
First of all, let me start by saying that Sam the Eagle has nothing to do with what I’m about to say – I just liked the awesome picture, ergo I’m linking to it.
Now that that’s out of the way, let’s move on to something less interesting than Sam the Eagle. So, everyone keeps talking about the IBM X-Force 2008 trend report. Being a true lemming at heart, I bought into all the continuous hype and went to check out all the awesomeness. After all, 50 percent of vulnerabilities go unpatched? Wow! 70 percent of web applications have never been patched? Holy jiminy! Could it really be that bad?
So then I went and read the report. And allow me to say that the press is (as usual) slightly hyperbolic in reporting what’s in there. Maybe that’s because the IBM press release was also slightly hyperbolic. Take, for example, the case of “50 percent of vulnerabilities not getting patched.” It turns out that’s not the whole story. Going to the IBM report:
At the end of 2008, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. Vendors do not always go back to patch previous year
Don’t give me no jibber-jabber, fool.
For the past couple of years, I’ve been telling everyone that no, I don’t want a GPS. To appreciate why that’s unusual, you have to understand that my sense of direction is terrible. I can get lost in a supermarket. But then someone got me a GPS anyway – and when I found out you could download and install Mr. T’s voice into the thing… well, I just had to have it, even at the relatively steep 12-dollar fee. And now I do.
As you might expect, while Mr. T is awesome, his voice can get a little irritating after a few uses. He yells at you, berates you, tells you not to give him any jibber-jabber, and calls you a fool. He’s basically just being Mr. T. But since I paid the 12 bucks already, there’s no way I’m going to turn it off. However, it’s irritating enough that if the thing is on, you’re listening to what it’s saying.
So what does this have to do with anything? I bring it up because I think it’s an appropriate metaphor for something that I saw today in infosec. First, I came across this article where X-Force says that web applications are the Achilles heel of business. True? Maybe. It sure sounds good – there do seem to be a bunch of issues with web apps. But basically it’s a conclusion drawn from a relatively small amount of data.
Then I came across this study that says that 88 percent of data breaches are caused by internal negligence. Hmm…
If you accept for a moment that data breaches are one barometer of overall security, why would it be the case that web applications are the Achilles heel? Wouldn’t it be the case that negligence of internal staff – apparently accounting for close to 90 percent of the issues reported – was the Achilles heel?
My point is… if there’s all this data collection going on, why isn’t it being used to draw the conclusions?
Human nature: Love it or… well, too bad
I came across the four rules employees love to break today on CSO. They are, in order:
- Tailgating
- Installing rogue wireless access points
- Sharing data inappropriately
- Putting sensitive data in the wrong place
As I was reading through these, what really struck me was why there’s so much discussion about employees doing these things and no recognition of the fact that they’re all human nature. The subtext: it’s people being people. Here’s a closer look:
What is tailgating but people wanting to help each other out? If you just watched Ashton Kutcher’s “True Beauty”, you know they had a challenge where they tried to see whether someone on a hidden camera would hold a door open for a stranger struggling to open the door with hands full of hot coffee. It was a “niceness test” – if you hold open the door, you win; if you don’t hold open the door, you lose. It’s so ingrained that it was actually used as the defining attribute of a “nice person”.
Why do we think that as soon as people step through our office doors, our employees will all of a sudden unlearn a lifetime’s worth of behavior so as to uphold our policy? Call me a skeptic, but that seems unrealistic to me.
Second, sharing data. Same issue. People want to help other people in your company do their jobs better. So they share the data that (they think) those other people need. How many times a day do we suppose they’re asked to share data that other people really *do* need? How many of those times actually help our business succeed? But our employees are supposed to know about the .5 percent of cases where the other individual is a bad guy? Not.
And don’t get me started on putting data in the wrong place. Jiminy – I do this all the time. Usually it’s because figuring out where it’s supposed to go is a dark art bordering on mysticism. So sue me for making a best guess attempt to figure out where’s the right place.
So the question I have based on this article is – why the focus on employees doing the wrong thing and why not the recognition that human nature is what human nature is? It seems to me that we have to work with human nature to anticipate employee behavior and set our employees up to succeed – in security goals as well as other goals.
For example, why can’t we have a system that prevents employees from sharing data with the wrong people? DLP claims to do this. Does it not work? What’s keeping people from installing it?
Or why can’t we have a physical entry system that prevents tailgating? Since we can reasonably intuit that employees are going to want to let people in if they can (it is, after all, human nature), shouldn’t we anticipate that and put some barrier there? They sell products that do this (mantraps, revolving-door entry barriers, etc.)… Why do people not buy them and then complain when their employees do exactly what they’re taught to do from birth?
Global State of Security: It’s Making My Head Hurt
OK, so if you’re the kind of person who reads this stuff, CIO magazine just published their Global State of Security Survey findings. The article is pretty interesting, but I have to say that, overall, the reports make my head hurt.
Now, don’t get me wrong. I’m glad that they’re publishing this information (somebody has to do it). I’m not even going to complain about the questions that they asked or how they asked them (I might have phrased them differently, but then again nobody asked for my opinion).
But I can’t help but get fired up when I start looking, for example, at the conclusions PWC draws from the data. I won’t go into all of them, or I’d be writing this for the rest of the day. But let me give you one so you can see what I mean. PWC draws the conclusion:
“Compliance is still a priority, of course. Yet few companies have a well-rounded view of their compliance activities.”
From this data:
Although confidence that users are complying with internal security policies still runs optimistically high at 73%, most companies aren
Innovate or Die!
So, did you hear? RSA has decided that “…IT security risk is the largest single obstacle to innovation in… businesses”. Well, OK – to be fair, they didn’t declare it by fiat – instead, these are the results of a poll (IDC conducted it). And that’s not exactly the question they asked.
Going back to the original report (you have to register if you want to download it), the question they actually asked was: “do you ever back away from innovative business opportunities because of information security concerns?” To which, 80 percent either said “often” or “occasionally”. Now to me, drawing the conclusion that “security is the biggest barrier to innovation” because business folks “occasionally back away from a business opportunity because of security concerns” seems hyperbolic. Backing away from business opportunities when there’s a legitimate security problem seems like good sense to me.
Looking at RSA’s meta-message, it seems to me that their position is twofold: 1) security needs to be involved more strategically in the business, and 2) all innovation needs to be risk-based. I would agree with both of those things. #1 is good security sense, and #2 is good business sense. The issue, though, comes about when trying to evaluate whose job it is to do what. Should Security reach out to the business more (a la #1)? Yes. Absolutely. Should IT security help make risk-based security decisions in conjunction with their businesses? Of course. But wait – all business innovation? Is it IT Security’s job (for example) to do business risk analysis on things like derivatives trading? I don’t think it is. But RSA seems to…
Art Coviello said: “The trading of derivatives is one example. You have very complex financial instruments that to me you need a PhD in applied mathematics to understand, and you have 25 and 30-year-old guys trading them in real time…You have to have the ability on a real-time basis to assess that risk.” Now, I’m not saying that RSA’s message isn’t valuable. I agree that everything a business does should be based on risk. In fact, I argue that it already *is*. It’s just not usually the IT security folks that are quantifying that risk.
For example, in financial services – the folks who do the derivatives trading (usually) have a pretty good idea of *exactly* how risky that is or isn’t. That’s their core competency. And I, for one, don’t think that we in the IT Security business should be telling them how to do it. Now, I’m not saying that IT Security should be out of the conversation entirely – far from it. I just don’t want to be the guy who goes in for brain surgery and gets a cardiologist because “hey, they both can perform surgery.” IT Risk is IT Risk. Business Risk is Business Risk. Let the folks that are good at that do their thing – and by all means invite security to the party – but don’t ask us to understand the business side even close to as well as the folks who’ve been doing it for 20 years.
Let the 2007 soothsaying begin
It’s time for one of my favorite holiday traditions! And no, I’m not talking about roasting chestnuts, baking cookies, or putting up the tree. Sure, those things are all fun too, but one thing I particularly love is the new-year security predictions from the vendor community. And guess what? It’s already started. Now, of course the real fun won’t be underway until the end of the year, but in the meantime we can have a bit of fun with the predictions that are already out. McAfee whipped theirs out last week and today IBM’s X-Force (formerly ISS) cut loose and let ‘er fly. Awesome.
So what’s on the horizon for 2007 according to the witches of Endor? Check it out; X-Force says:
- Spear phishing will increase
- Less multi-factor authentication
- Less niche-AV, more holistic security products
- More exploitation of web browser flaws for adware installation
and McAfee says:
- More spearphishing
- More malware on phones and mobile devices
- More malware in video content (think YouTube)
- More use of application scanning software
So, what do you think? Do you agree? I would tend to agree with both firms that phishing will probably increase. I think it’s also possible that malware will continue to increase. However, I don’t agree with McAfee that there will be more phone malware just like I didn’t agree with them when they predicted it for 2006. Just for the record, these were last-year’s predictions from McAfee:
- Phone malware to eclipse PC malware: “McAfee… predicts that the damage caused by new mobile threats is likely to be more extensive than those caused by today
Black Swans: Villainy… Romance… Deeds of Daring
Pete Lindstrom posits the question this morning, “Are freak accidents the black swan?” Alex over at RiskAnalys.is takes this and runs with it, indicating that the answer is categorically “no.” An interesting discussion.
Now, for those of you who are fans of high-seas adventure in the age of sail (think Patrick O’Brian), the black swan they are referring to is not the tale of “Seas Ablaze…with black villainy, with fiery romance, with breathless deeds of daring…” that might have leapt to mind. Instead, they’re referring to a logical principle usually referred to as “falsifiability”. What the hell does that mean, you ask?
Here’s the gist: somebody makes a statement like “dogs can’t look up” (apologies to “Shaun of the Dead”) or “all swans are white” (apologies to Hume)… How many dogs (or swans) do I need to find to disprove those statements? Just one, right? If I find a dog that can look up or a black swan, I can disprove the statement. Now technically all this is part of the philosophical discipline of epistemology (the philosophy of how we know stuff) or the philosophy of science. Epistemology pretty much says that we can’t ever really know stuff (absolute truth), because we can’t evaluate every possible counterexample to determine whether a statement is universally true; the philosophy of science (always more grounded in the practical) tells us that empirical statements (hypotheses) must be falsifiable to be scientific.
All well and good, but there’s a more targeted application for us in infosec. As Alex points out in “Black Swans and Zero Day”, the broader discussion of falsifiability in infosec has to do with how we deal with “black swan” threats that disprove what we’ve previously known to be true. Example: in 1996, I could have made the statement that phones could not get worms. And that would have been workable as a hypothesis until the “black swan” (i.e. the first cell phone virus) came along that disproved it. So the question of the day is this: how do we in infosec plan for and mitigate the threats that could happen but currently don’t? For example: zero-day exploits, TiVo-borne malware, worms that make your screen explode, telepathic phishing attacks, or any of the other infinite number of things that could potentially happen but don’t. In other words, how do we in infosec deal with the black swan threat? In my opinion, we don’t.
Not deal with it, you ask? That’s right. You see, the black swan is a losing proposition. By definition, the black swan flies in the face of what one knows to be true. For example, consider the case of two different black swans. “Black swan #1”: somebody uses a previously unknown (zero-day) exploit against Apache to own your box. Now, somebody could make the claim that you could (or should) plan for this; for example, they might argue that by using defense in depth or by using restriction mechanisms (chroot/permissions/whatever) on the box, you could increase your assurance that the platform is protected in the event of a compromise. Maybe so. But since the “black swan” is (by definition) unknown ahead of time, how many services would you need to harden? All of them? And maybe your hardening technique doesn’t close the door to the exploit. What do you do next? And how much money do you spend to do this?
Now consider “black swan #2”: the security guard at your colocation facility sneaks his girlfriend in and they happen to be having a picnic (against policy) right next to your corporate email server. The guard makes his move, fakes a yawn and goes for the hug, while simultaneously knocking over a Coca-Cola onto your email server’s power supply (and redundant backup power supply). It brings down your server. Sound far-fetched? Maybe. Is it more or less likely than the previous black swan? I don’t know. Both are certainly possible, right? Both are in the universe of possible things that can happen to impact the confidentiality/integrity/availability of your firm’s business. Now, maybe one example is more likely to happen than the other (arguably, I think the second one), but that’s not really the point – the point is that there are infinite things that can happen. Worse yet, since the infinite list contains all previously unknown threats, risk management becomes impossible. Risk management is about analyzing where to spend money based on the likelihood of occurrence and the impact of the outcome; black swans are about new things that we have no foreknowledge of, so there is no way to fill in the first part of the equation. How do you determine the likelihood of occurrence for something that’s never occurred before? I’m pretty sure you can’t – at least not in any kind of structured, objective way…
Anyway, that’s just my two cents.
Humble Pie: No offense to Tekrati
Time, once again, to eat the humble pie.
The other day, I posted an entry referencing the Tekrati analyst directory in the same breath as invasive AR activities and the “Runaway Jury” movie. It was brought to my attention after the fact that my post could be read as saying the Tekrati service was intrusive. Note that I don’t think it is. Researching Tekrati caused me to think about the intrusiveness of AR, but not because it is itself intrusive – just because it made me think of it. That statement, “seeing that made me think of xyz” could be taken (the way I meant it) as “seeing that made me think of xyz [because other people might carry it to an unhealthy extreme]” or (caustically) as “seeing that made me think of xyz [because it is].” I meant it the non-caustic way.
So, sorry to those folks for the slight – really, it was unintentional.
Awesome Stuff on the Daily Incite: Analyzing the Analysts
So, I came across an interesting article today on Mike Rothman’s Daily Incite about how Forrester is profiling analysts and sorting them into different categories based on their “archetype” (according to Forrester, the archetypes are Advocates, Strategists, And Evangelists). Anyway, it’s interesting stuff…
Seeing this got me wondering about how scientific Analyst Relations is as a discipline and how far AR people take it; for example, when I see stuff like the Tekrati analyst directory, I start remembering scenes from “Runaway Jury” and wondering how intrusive people get. John Simonds had an interesting take on his blog about what makes for good AR. His approach (get analysts what they need and be generally forthcoming about your company) isn’t intrusive and seems like common sense to me. On the other hand, Azul Partners’ Spark Newsletter recommends vendors “develop an in-depth understanding of the analyst compensation structure at all of the major firms” and claims that AR is a “high stakes game of influence”. Now that’s waaaaay too intrusive.