Friday, March 12, 2010

Archive for the ‘Musings’ Category

Zero-Sum and security… oh, and layoffs

So I was catching up on reading and I happened to stumble upon a post by Sam Curry over at the RSA blog called Little Orange Line – Breaking Out of the Zero Sum Security Curve. Pretty cool read.

I was interested in it for a few reasons… first, it’s Sam, who’s awesome. Second, it’s also interesting to reflect on as a concept. The point that Sam recounts is that security is a zero-sum game when it comes to security vs. performance. Meaning, in order for one to win, the other loses – or in other words, that a win for one is a loss for the other (kind of like rock-paper-scissors).

The reason I think it’s interesting is because security/performance are usually trade-offs (enough so that we usually think about it that way), but it doesn’t necessarily have to be the case. Why? Because reduced performance is a byproduct, not a law, in security. Meaning, that there’s no universal constraint that requires it be this way. For example, if you play a game of checkers, one player wins, one player loses. There’s no creative strategy that someone could use that would let both players win. Why not? Because those are the rules. But somebody could come up with a technology that increases performance *and* security – doesn’t usually happen, but it could. Anyway, I think it’s interesting for mulling over.

Also, on a completely different front, there’s more layoffs a-comin’ in FS. I’m interested in why we’ve made such strides in fields like engineering and medicine, and yet our approach to operational efficiency hasn’t. Shouldn’t we have a science of efficiency as advanced as what we have in other sectors? It’s still “fire people to improve efficiency” which seems to me sort of like cutting off a limb to fight infection. Sure it gets rid of the problem, but wouldn’t a more surgical approach be better and more ethical? Why is it that organizations waste time, energy and resources doing things the same old reactive way and then fire a bunch of people because of “operational inefficiencies”? It’s lame.

Someday I’m going to start a corporate efficiency think-tank.

Coolness at Spire – Drop Everything and Read it Now

So, if you haven’t read it yet, drop everything and go read Pete Lindstrom’s PCI and Social Proof over at the Spire blog. Not only is it awesome – and right on the money – but it references the awesome Robert B. Cialdini (who’s always right, as it turns out). Plus as a side note, the name “Spire” is cool – it evokes all kinds of cool images, like the one just yonder to the right of “Frostcrag Spire” from Elder Scrolls: Oblivion.

Pete’s point is that PCI ties directly to “Social Norm”/”Social Proof” – basically, it establishes a set of normative values in the merchant community, ergo people care about security because that’s what everyone else is doing. I agree with that.

But I also think there’s another Cialdini factor at work – which is “Commitment and Consistency”. I.e., companies commit to being PCI compliant by buying into the compliance process and filling out the SAQ or hiring an assessor. So they become “the type of people who care about security” and hence their concern about it becomes self-feeding and self-enforcing. Pretty interesting.

Props to Pete for pointing out the connection.

The Illusion of Security?

Ed and I watched the film “Pan’s Labyrinth” last night. If you haven’t seen it, it’s worth the rent. A child is taken by her mother to live with a cruel and sadistic Captain who is in charge of “controlling” a rural village in Franco’s Spain. The child’s mother is extremely sick and the Captain is not a step-parent capable of providing any comfort to the frightened child.

Upon arrival, the girl encounters a large flying bug. Seen through her eyes the bug is a “fairy” that leads her, and the viewer, to wonderful places. Throughout the film the images of the “fairy’s” world are intercut with very real images of the threat that the Captain’s military force brings to the village and that the rebels in the woods around the military encampment bring to the soldiers. Watching the movie the viewer doesn’t know if the fairy’s world is real (at least in the construct of the film’s world) or simply in the girl’s imagination.

Don’t want to give away the ending, but suffice it to say that one of the messages of the film is that in some ways, it doesn’t matter whether her safe world was a real retreat or a fantastical illusion. The fairy story brought comfort to the girl, and that is what mattered most.

It made me think about whether or not it matters if the security controls we put into place are essentially illusory as long as they bring us some level of comfort. Take for example the fuss and hubbub going on about eDiscovery. If an organization followed due process and lost or destroyed key information, will that be considered negligence punishable by law or normal spoliation?

What about connecting to the Internet? In general, we feel better with a firewall in place and anti-malware on our hosts – but do these make us more secure? The rise in bot-nets, infected machines’ cycles being sold off to the highest bidder, and phishing indicate that current solutions are not up to the task of protection.

HIPAA addresses protection of critical health information, but from news reports it appears incidents of loss are on the rise. And while PCI is supposed to help provide comfort that our credit card information is being protected, incidents such as the recent one at TJX tell us otherwise.

While none of the regulations or technical measures mentioned above guarantee us on-line safety, there is no denying that we are, without a doubt, doing business on-line.

Perhaps we’re all a bit like that child in “Pan’s Labyrinth” – clinging to fairy stories of security because it’s easier than facing the truth. And, if it gets us through the day, perhaps that isn’t so bad. Business has to go on, is it a terrible thing that we tell ourselves security stories to ensure that it does?

Thoughts about Tragedy and Cyber Hype

First off, my apologies for being slow on the blogging the past week or so – it’s that time of year when work is at its maximum volume, and free minutes are few and precious; the blog – along with my personal grooming – has suffered because of it. In any event, this morning, as I sit in a hotel in upstate New York, I came across an article describing a report by the Business Roundtable that describes how we are all metaphorically sitting around with our pants down waiting for the inevitable “Cyber Katrina.” The watchword from this think-tank is apparently preparedness – like the Boy Scouts, we should all be prepared for the fact that any minute now, a digital weather system could move in, burst our various levees and leave us homeless… or so they say.

The idea of a “Cyber Katrina” was what really struck me; for years, we’ve been hearing about a Cyber Pearl Harbor, a Cyber 9/11, or a Cyber Tsunami – insert the most recent newsworthy disaster and slap a “cyber” in front of it, and experts have been telling us that it’s going to happen for the past ten years. Which got me thinking – how likely is this really? Nobody seems to really question this concept, but yet the Internet has been around for a while now, and we have yet to see a disaster materialize. Have we just been lucky? I don’t think so.

Instead, I think the metaphor is inapplicable. I think the press (and us as readers) should stop participating in the FUD-mongery by eschewing articles telling us this kind of thing is unavoidable. Look, disasters on the Internet are different from disasters in the physical world. Aside from the fact that nobody dies because they can’t run Solitaire for a few days, the kind of damage these events cause renders the metaphor inapplicable. The worst worms we’ve seen to date, like the Morris worm, Code Red, and SQL Slammer, that shut down double-digit percentages of the Internet have damages listed in millions of dollars just like a physical disaster. But the kind of damage is different – worms and other outages cause damage mostly in loss of productivity, whereas Katrina caused millions/billions of dollars in property damage. Not the same thing: if houses and other buildings are washed away, it takes years to rebuild; if machines are disabled, you just reboot and reinstall. In one case, business stops because workers are in the hospital or can’t get to the office – in the other case, you might need to reload some data from backup tapes. Sounds totally different to me…

So, I am asking for a moratorium from the “digital-insert-disaster-here” crowd. It won’t happen, it can’t happen, so please stop hyping it up.

My mysterious disappearance and RSA aught six

Once again, the time has come for me to apologize for my mysterious disappearance. As some of you know, I was out at the 2006 RSA convention for the week working sixteen hour days. Needless to say, the quantity of my blogging suffered as a result of the work overload.

I remember, as a starry-eyed pup, going to my first RSA show back in 1998 (I think it was the year with the Viking theme) and expecting that the show would be something bigger than life. I was disappointed in the technical content then, just as I was disappointed in it this time around. While it is always interesting to see the new technologies and startups and it’s always nice to see friends, the discussions were just as disappointing this year as they have been in years past. In fact, when I saw Bruce Schneier’s restaurant guide, I was at the point where I would say that the conference “jumped the shark”. But then I started thinking, and I had a revelation… All this time, I’ve been getting something valuable from the show, but I haven’t stopped to appreciate it.

As always, the discussions and panels fell short of my expectations, the vendors didn’t offer much that’s new, and the parties were loud and “not my scene”. But judging the show in this way isn’t fair: how much justice can you do to a topic in an hour? How many new and groundbreaking products are there likely to be at any trade show? What did I expect? No, in my opinion, the value of the conference is in the relationships that are made and perpetuated. For example, the Microsoft Blogger luncheon was a high point – a number of talented, motivated, and interesting people were there sharing their experiences, trading tips and techniques, and talking about security. More personally, I was able to connect with old friends (some of whom I haven’t seen in years), make new friends (like the Microsoft engineer whose table we stole at Tandoori) and deepen existing friendships (like having a chance to really connect with a “to remain nameless” – and therefore “stigma-free” – fellow Fantasy and Gaming connoisseur). In other words, the technical content is not the show’s strength – the people attending it are.

So was it worth it? Absolutely. But not because of the keynotes, the workshops, or the expo floor. Did it jump the shark? Maybe. But it was “worth it” where it counts – which has nothing to do with the technical content.

X-Box 360: Malware Author’s Paradise

‘Tis the season for console game platforms, and everybody’s gearing up for the new X-Box 360. I actually played some World War 2 fighting game (Call of Duty, maybe?) on the demo unit at Target, and the realism was a bit too much for yours truly. It promises to be one hell of a gaming platform. Sales are expected to be off the charts – according to CNN, Microsoft is expecting 3 million units sold in the first 90 days. Ouch, that’s a lot of units. And one really cool feature of the XBox is the integrated network connectivity – via RJ45 or via Wireless – both are built in and completely seamless.

So, the plan is: in six months, we’ll have tens of millions (or more) of these machines deployed. They’ll all have identical hardware and firmware. They’re all capable of running arbitrary software. And the majority of them will be permanently affixed to the Internet. Hmmm… Is it me, or is this setting off alarm bells for anybody else out there?

How long is it going to be before a malware author figures out that this homogeneous XBox world is a “heaven” for their nefarious activities? We’ve already had malware that targets the PSP, why not the even more powerful XBox 360? Wouldn’t every XBox in the country make one hell of a botnet? Not to be negative, but all the signs are there – the media attention that would be focused on an XBox worm would be tremendous, such a worm would have almost unprecedented virulence, and we’ve already seen this type of thing on other platforms. I wonder if the folks over at MSFT have thought about this, and if so what they’ve built in to XBox for security (or at least anti-malware) features? Hopefully they at least have an automatic firmware update capability…

Why Traffic Lights are Dumb

We’ve all seen the DHS security traffic light. You know the one: where green means “move along citizen” and red means “if you can read this you’re probably already crispy.” Don’t worry, I’m not going to rant about the DHS terror alert light – I actually happen to think it’s a good idea. I do wish they would “normalize” the data so that we could move out of yellow every once in a while, but all-in-all, I’ve got no beef with the DHS on this one. However, I do have a beef with all the “wanna-be” traffic lights.

Like a mother hen, the DHS “threat advisory” has spawned a clutch of little infosecurity “threat advisories.” We have at least ten in infosec:

There’s the Symantec “Threat-Con” which tells us about “network incident activity” and “overall malware activity”.

Next, there’s the “Virusometer” from Panda that tells us about what Panda’s software is out there finding “in the wild”.

If that’s not good enough for you, there’s the CA “SECCON” that tells you about the state of “malware and vulnerabilities”.

Of course, there’s the venerable “InfoCon” that tells you about attackers, worms, and the like.

There’s the VirusList.com “Virus Epidemic Threat Level” telling us about, again, malware.

And last but not least are the NY State Office of Cyber Security “Threat Indicator” (currently at low) and the New Hampshire Department of Safety “Alert Indicator” (also at low).

Whew… What a list! In case you haven’t noticed by now, these “indicators” are all reporting more or less the same metrics (mostly AV output), but they have different methodologies for normalizing the data into a high-level metric. While one meter might have 3 levels (like “high, medium, low”) somebody else might have four or five (like “unprecedented, egregious, ridiculously high, severe, and pretty high.”) Not only is the normalization different and the methodology different, but the indicators rarely say the same thing.

So how useful is that? If you said “useful like a glass hammer” I’m right with you. Since I can’t possibly contribute any more confusion than there already is, we see no problem with our adding another voice to the cacophony. As such, Security Curve proudly announces our new dashboard: the “Horrific Catastrophe Yousa-People-Gonna-Die TerrorMonger Alert Con.” We will post the details in a subsequent post (Diana has some great pictures queued up for it) along with a URL that you can include on your webpage to keep up to date on the fear-mongering.

Ride the Wild Chimera

I’m sick of reading regulatory advice from vendors. Everybody’s getting “suited up” and ready to leap on board the “two factor” bus because of the recent FFIEC authentication guidance. Every tired authentication vendor seems to have come out of hibernation to wave around a copy of this year’s FFIEC authentication guidance and extol the virtues of two-factor authentication. I think vendors need to stop doing this once and for all.

A quick search in Google news shows announcements specifically mentioning the FFIEC guidance by TriCipher, by PassMark, by BioPassword, by CallingID, by Entrust, and by ActivIdentity (née ActivCard). Whew, that’s quite a list; I’ve never even heard of some of these people. Yes, vendors are clinging to the FFIEC report like it’s a winning Powerball ticket.

The language in these press releases is carefully chosen and in some cases quite deceptive; the implication is that two-factor is 1) a requirement for compliance and 2) that somehow the report recommends specific approaches. Check these out:

- “…provides a variety of two factor authentication methods that meet FFIEC guidance” [TriCipher]
- “…delivers the capabilities examiners will now look for, a second factor for authentication…” [PassMark]
- “The new guidance … require[s] strong authentication when a customer logs into his bank account over the Internet.” [CallingID]

Clearly, there is an agenda at work. Like almost every other piece of regulatory guidance out there, the notion that the vendors would like to install in the buying public is: buy our product and you’re compliant.

My opinion about two-factor authentication is unchanged – that unless something major happens in the industry, it’s not going to be economically feasible for large-scale deployment – particularly in retail banking (or retail brokerage, for that matter). In order to justify my stagnation, I need only draw on the primary sources. Here’s the relevant passage from the 2005 guidance:

- “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”

This is not a mandate; “where it’s indicated” means not every case, and two-factor authentication is only one option – the others are “layered security” or “other controls.” I have a firewall, does that count as “another control?” Does the fact that I’m sitting at a secure terminal on my bank’s premises count as “reasonably calculated mitigation?” Once again, this is not prescriptive – nor should it be. The FFIEC is creating a framework within which FS can operate; they are not drastically changing the technology landscape for every bank out there.

But wait isn’t there more, you ask? What about all that stuff in the “background” section (pages 2-3) about the different factors and “what you have, what you know”, etc. There’s a reason for that. This is from the 2005 guidance:

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents.

By stark contrast, this is from the 2001 guidance:

Authentication methods that depend on more than one factor typically are more difficult to compromise than single factor systems. Accordingly, properly designed and implemented multi-factor authentication methods are more reliable indicators of authentication and stronger fraud deterrents.

With the exception of the omission of “typically” and the addition of “of authentication”, these two passages are repeated verbatim. 2005: “There are a variety of technologies and methodologies financial institutions can use to authenticate customers…” – 2001: “There are a variety of authentication tools and methodologies financial institutions can use to authenticate customers.” Etc., etc., etc.

Look – the point is that they’ve been saying this since 2001 and you don’t see two-factor all over the place in bankerage. Actually, I don’t know of any bank – with the exception of Bank of America – that’s actually trying to do two-factor authentication for retail; and BoA has some extenuating circumstances. Actually, in 2001, the FFIEC specifically said, “In general, multi-factor authentication methods should be used on higher risk systems.” This section has been omitted in the 2005 guidance (or maybe they just moved it so that I can’t find it.)

Anyway, thus concludes my rant… From now on, I’m going to strategically ignore vendors that quote the FFIEC; I recommend others (particularly practitioners in Financial Services) do the same… I have no beef with the FFIEC; I think they do what they do very well; however I’m starting to question it when vendors try to make a regulatory play…

Tired of the Brinks analogy

I keep seeing the same analogy again and again in the security press. Mostly it goes like this: “It’s good to outsource your information security; your burglar alarm uses a monitoring service, right?” The most recent one I came across was this one – and it’s the same tired metaphor. This time, it’s David Beesley (huge picture of his head found here) from Network Defence (an outsourcing provider) telling us that “outsourcing your network security is as easy as outsourcing your office security.” The truth is though, that they are not the same. Here’s why:

The dynamics of “office security” (physical security) change according to locality; meaning, once you wire a facility for burglar, fire, ingress/egress – that’s it. You don’t have to go back in and rewire the alarm system until the facility changes in some way. And how often do the facilities change? Once a decade? Twice? Even if you swapped facilities every year, it’s still pretty infrequent. But, as we all know, information security has nothing to do with locality – instead, it’s tied to business process, personnel, and technology. Now, how often do you change any of those? Once a year? Twice a year? Probably not. We have to update patches, we have to keep education balanced with attrition, we might want to change our business processes for better efficiency… In fact, the infosec landscape changes to some degree every day.

No – unfortunately the only thing “network security” has in common with “office security” is the fact that they happen to have a similar spelling. “Lead guitar” and “lead pipe” have similar spelling; are they the same?

Thoughts about OS Security

I came across an interesting read on Operating System security today which reminded me of a conversation that I had last week with some folks who make a product called Trustifier. It’s a cool product, and I got permission from the gentleman I spoke with to mention it in this forum for folks that haven’t seen it.

Basically, it’s an enhanced-security Linux distribution much like SE Linux, but with the added benefit of being maintainable. If you’ve ever tried to use SE Linux, you probably know what I mean by that comment – if not, imagine a “Trusted Computing Module” similar to those provided by Trusted HP-UX or the services provided by the TCB – but on steroids. Anyway, anyone who’s ever “bricked” a server by having the root password timeout on one of these systems knows what I’m talking about when I say that these types of systems are difficult to maintain… Googgun (the folks that make Trustifier) are right on the money in their contention that the TCB, SE Linux, etc. are too difficult to maintain to be commercially viable in the long term. Their goal is to take the same services and make it easy. Good goal. I haven’t used the product so I don’t know if they pull it off or not. Sounds good though.

My advice is for folks to keep an eye on this product. From my vantage point, this is something useful provided these folks can pull off their claims.
