This post is for the INFOSEC people that we know, and especially for the ones we haven’t met yet, as it’s about traveling, meeting fellow professionals, and maybe getting leads and/or valuable new contacts.

This profession, more than any other, seems to thrive on ‘cons (conventions), but sometimes, you want to travel someplace that doesn’t have a ‘con or just doesn’t have one going on at the right time.  In these cases, there are places you can turn to, to make the best of a bad situation.

First, do you have friends there from cons that you can visit?  If so, Bob’s your uncle.

Second, while there might not be an INFOSEC show of any sort, there are plenty of other options.

There are local user groups, in particular chapters of ISC2, ISACA, and AITP.  While it might not be as much fun as Hack3rCon, it’s a business connection you can use.

There are also local hacker groups and maker groups.  Most of them will happily arrange a get-together if you reach out ahead of time.

A good source of event lists is here: http://infosecevents.net/  Just plug in your city, and it should give you a list of possibilities.

So if you need to travel, you can usually tie it to business.  You get to write off the trip, and you get to meet new folks in the industry.

 

Must is such a charged word.  So when someone tells you, you must do something, it needs to be something worthy of the grand imperative.

If you’re a large company, especially a publicly held company, and you are providing remote access for internal users (email, VPN, or anything really), and you’re not running some independent form of intrusion detection on that access, you are (in our opinion, which is not legal advice) a negligent fool, putting the entire company at risk of catastrophic loss.  There’s a list of things you *should* be doing.

That’s pretty strong language.  Put another way, if you’re not operating (and testing, and verifying) a detection system for evil access attempts, you’re an idiot.  And if it comes out in some sort of court case, you’re going to get slaughtered.  Unless opposing counsel is equally dim (we’re available for consult in such situations).

This detection stuff is IN ADDITION to any sort of strong or secondary authentication scheme.  Strong authentication only gets you so far.  It knocks off the low end evil-doers.  It does nothing to stop the more sinister, serious bad guys.

What makes it truly damning as a failure of management to execute is that detection is such a simple addition.  It’s not expensive and it’s not complicated.  It can be done with a tiny outdated computer, a free Linux distribution, and a couple of shell scripts.  Which is why, if you’re not doing it, you deserve to be hung by the thumbs at the shareholders’ leisure.  Or your customers’.  Whoever will be most angry that hackers broke into your company and stole your precious data.
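Here is what “a couple of shell scripts” can look like, as an added example that is not code from the original post.  The auth-log lines are constructed for the example (OpenSSH-style “Failed password” / “Accepted password” messages); the field extraction, the two rules and the threshold are assumptions of this example, not anything the post specifies.  It flags a source that keeps failing, and, more importantly, a source that fails repeatedly and then succeeds, which is what a guessed or sprayed password looks like after the fact:

```shell
#!/bin/sh
# Constructed sample of sshd/VPN-gateway auth log lines (not a real log).
SAMPLE_LOG='Jan 12 03:14:01 vpn1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jan 12 03:14:03 vpn1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.5 port 40212 ssh2
Jan 12 03:14:05 vpn1 sshd[2203]: Failed password for root from 203.0.113.5 port 40213 ssh2
Jan 12 03:14:07 vpn1 sshd[2204]: Failed password for root from 203.0.113.5 port 40214 ssh2
Jan 12 03:14:09 vpn1 sshd[2205]: Failed password for root from 203.0.113.5 port 40215 ssh2
Jan 12 03:14:11 vpn1 sshd[2206]: Failed password for jsmith from 203.0.113.5 port 40216 ssh2
Jan 12 03:14:13 vpn1 sshd[2207]: Accepted password for jsmith from 203.0.113.5 port 40217 ssh2
Jan 12 08:02:44 vpn1 sshd[3001]: Failed password for jsmith from 198.51.100.7 port 50001 ssh2
Jan 12 08:02:50 vpn1 sshd[3002]: Accepted password for jsmith from 198.51.100.7 port 50002 ssh2
Jan 12 09:15:00 vpn1 sshd[3100]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2'

# Assumed threshold: this many failures from one source address is an alert.
THRESHOLD=${THRESHOLD:-5}

# detect_access_abuse: read auth-log lines on stdin, print one alert per finding.
# Rules (both are assumptions of this example):
#   BRUTEFORCE   - at least THRESHOLD failed logins from the same source address
#   FAIL_THEN_OK - an accepted login from a source that already had 3 or more
#                  failures (credential guessing that eventually worked)
detect_access_abuse() {
    awk -v threshold="$THRESHOLD" '
        /Failed password for/ {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            fails[ip]++
        }
        /Accepted (password|publickey) for/ {
            user = $0; sub(/.* for /, "", user); sub(/ from .*/, "", user)
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            if (fails[ip] >= 3)
                printf "FAIL_THEN_OK source=%s user=%s prior_failures=%d\n", ip, user, fails[ip]
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "BRUTEFORCE source=%s failures=%d\n", ip, fails[ip]
        }'
}

# alert_count: number of alerts the sample produces. From cron, a non-zero
# count is the signal to page someone (mail, SMS, whatever you already have).
alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | detect_access_abuse | wc -l | tr -d ' '
}

# Stand-alone run: print the alerts for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | detect_access_abuse
```

In production you would feed it the last few minutes of the real log from cron (or `tail -F` the log into it) rather than a string, adjust the match patterns to whatever your VPN gateway actually writes, and treat a noisy source with a block rule as well as an alert.  The second rule is the one worth keeping: a lone successful login after a run of failures is exactly the event strong authentication alone will never surface.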

It’s not even hacking, really, since a monkey could be trained to do it.  Still criminal, though.

Without detection apparatus, you are so far off base as to be playing a different game.  Tiddlywinks, maybe.  Ball and jacks.  The disdain that should be leveled at such companies in the here-and-now is extreme.  You may as well just resign in disgrace now, and save us all the trouble of a court case down the road.  This is negligence.  Gross negligence, in the disgusting sense, not the legal sense; that’s for a jury to decide.  [update] Here’s an excellent current legal example of negligence in action and the legal implications.  If you fail to do something so obvious that an average person would think it should have been done, you are negligent.  Ask a lawyer to explain negligence law, we’re just geeks.

And if you’re not a large company, take a second look at that part above where we describe how easy it is to set up monitoring.  Do it.  You don’t need $100,000 custom supercomputers with lots of shiny blinking lights.  They have some neat bells and whistles, but the fundamentals are available for less than $1000.  So do it.

If you’re a tiny company, you shouldn’t be providing that sort of remote access.  Use GoToMyPC.

FTP, SMTP, HTTP, HTTPS, SMB, RDP, etc.: we still see these far too often, publicly accessible, with no second layer of security.  Shame on you.  3rd graders can break into your company undetected using smart phones.  It’s 2012, and it’s high time we started holding people accountable for lax security.

 

A recent issue of a leading security magazine published an “advertorial” with a few missing pieces; we aim to correct the lapse, or at least make a few tweaks that might improve the result.

The main change in data since computers entered the business scene is density and ubiquity.  That’s correct in our opinion, but it neglects to explain why it’s important, which was part of the question.  It’s important to enterprise IT for one reason: competitive advantage.  That’s Business 101, and we’re surprised something that fundamental got overlooked.  So that’s fixed.  C/A, for anyone not familiar with the term, is simply some advantage one company has over another.  It can be technology, funding, personnel, knowledge, IP, or anything that differentiates one company from another.  In simple terms, one could claim that Coke has a competitive advantage over Pepsi because it tastes better.  Or vice versa.  That one’s a holy war, like vi vs. any other pathetic excuse for an editor.  C/A is what usually lets one company win, unless it has disadvantages that counteract that advantage.  Like Sony and Betamax.  And competitive advantage degrades over time, which means ongoing development is necessary.

New examples of types of data breaches are kind of problematic.  0-day, in particular, is something that’s been around since the dawn of hacking.  A 0-day isn’t really a type of breach, whereas PHI exposure is, but that’s not new either.  A better answer would have been blended threat, but that’s not entirely new either, or the lollable APT buzzword.  The best answer, in our opinion, is not the technique employed but the crime, since we’re asking about a form of breach.  In which case, massively parallel bank fraud comes to mind.  That’s new.  Not too long ago, less than 10 years, it would have been very, very difficult to pull off a heist using 1000 fake credit cards.  It’s a hell of a lot easier now.  Are the credit card numbers the actual breach, or is draining the accounts the breach?  Meh.  Here’s a solid “new” example: exposing 10,000,000 patient records in a single breach.  Hasn’t happened yet, but it will.  We’ve come close, so we’ll stick with that as a “new” breach.  To do that 10 years ago we’d have needed to raid multiple hospitals’ EMR applications or an insurer.  Still do, but it doesn’t pay as well as the credit card scams.  Come to think of it, there really isn’t any form of breach that is new; they’re all old hat, matched with shiny new technology.  They just happen bigger, better, faster.

As for why the traditional approach to data protection doesn’t work, this question is poorly constructed.  For starters, by what definition?  According to a couple of famous sources, the traditional approach is to flush money down the toilet on a bunch of useless vendor solutions that don’t really secure anything, which we agree with.

Moats as defensive measures are sort of traditional, if we’re in the year 1217 fighting the Germans and Estonians.  The moat analogy is about 30 years behind the times, but it’s workable, although we’re still looking for “smart screen filters” and keep getting this new Micro$oft thing, which couldn’t be considered a “traditional” approach.  The biggest failure in classical IT security (the real world has known this bit since at least the time of Pharaoh) is the lack of detection to supplement access controls.  Alarms are wonderful things.  Locks are wonderful things.  Locks without alarms aren’t really that useful.  Security, and here is the 100% best definition ever, is a time-based system (Schwartau): protection only counts while it outlasts the time it takes you to detect an attack and react to it, P > D + R.  With no alarms, D is unbounded, so when your 4-hour locks, 10-hour firewalls, and 20-hour social engineering education sessions fail, you won’t know until you read about it on page 1 of The Post.  And the bad guys win.  That, more than anything else, contributed to a lot of #fail in the past.  Why?  It’s sometimes difficult to write or build alarm systems, and in the business world “difficult” frequently becomes “not done”.  Here’s a thought: consider it a “competitive advantage” while your competition is getting raided by foreign spies and you’re detecting the attempts and countering them.

Encryption is a nice solution for security, although it doesn’t really solve anything, especially if we’re trading information across a border, which everyone is, and our partners are not encrypting.  Furthermore, claiming that encryption prevents data loss in a breach is absurd; it’s just another bit of time-based security like everything else.  Every data breach we’ve ever worked on or with involved compromised passwords and user accounts, and if you have the credentials, you have whatever the encryption was protecting.  Unless they did a really bang-up job on the encryption, in which case we’ll just go with screen shots or social engineering to get what we want.  Without detection, encryption has a reduced impact.  Without monitoring and oversight, it may actually hurt a company, since it creates a blind spot in the risk profile.  Companies should invest in a detection system well before investing in an encryption system.  Otherwise, how will they know when someone didn’t encrypt something?

Look, if you want security, you need only a few things, and most of them can be had for free or for much lower cost than vendor solutions.  Follow the SANS Top 20, and invest in detection and alerting infrastructure.  And quality security personnel.  Stop trying to cheap out on security.  It’s just another business center, so treat it like one, and make your business partners treat it like one.

 

 

Recently, the comment was made in a SANS newsletter (awesome job guys, keep it up) that US government/commercial relations (Patriot Act or no) affect who does business in the US.

Editor’s Note (Pescatore): Of course, this is very much a two-way street. Many non-US companies see the Patriot Act as meaning that US-based technology services are government influenced and would put customer data at risk.

Let’s get real for a moment.  If you think that any sizable nation, say G20, isn’t abusing its ability at both the government and corporate level to obtain advantage of some sort, you are sadly out of touch with reality.  The commingling of commercial and government interests goes back to the dawn of spying.  While the majority of business and government goes unmolested (in our humble opinion), anything of “strategic” value, as defined by people with little or no oversight, is likely polluted and pilfered at will.  We’re sure it’s all done in a very professional manner, or companies would shutter their doors, but it’s done.

So when “some unnamed large company” comes to town, they are both target and suspect.  If you have intellectual property you’d like to keep secret, you’d better do a good job of it.  And if you want to do business on their home turf, you’d better do a good job of it.

While the spooks would love to be the ones holding the “no more secrets” card, as of today, we’re all still safe, provided we use quality encryption, and don’t screw up our practices.  If you send your sales people to a foreign land with all your pricing and customer data on an unencrypted laptop, you don’t deserve what you’ll get, but you sure deserve a swift kick in the profit centers.

Encryption and travel protocols are just part of the game now.  Keep up or get out.

So you’re one of the lucky people that actually managed to land a job in the security field.  Bully.  New Scientist has some good advice for scientists that adapts readily to any professional’s career, but particularly well for security wonks.

First they harp on communication, and who can’t benefit from improving their interpersonal communication skills?

Then they discuss the publication imperative, and this is becoming a more important piece as the field gets more and more crowded.  Not that there’s a shortage of work, but there is a shortage of best places to work.  Like here at Digital Trust.  Professionals who give talks, write articles, run a blog, or just generally hang their reputation on putting stuff out in public are better prospects for employers.  Publishing something (and not getting trashed for it by your peers) demonstrates character and commitment.  Anyone can attend a con, but a presenter will probably get preferential hiring treatment.  Unless they spoke about something senseless, like Class 3 firearms (that won’t get you anything but giggles).  To be the best, you must contribute something of value.

The rest of the article is self-explanatory and easily mapped across.  Don’t neglect the last step, planning.  If you float around the industry you’re not going to end up in the best place.  There are 55-year-old firewall admins, but there are also 18-year-old firewall admins, so the salary situation is sort of feeble.  There are no 18-year-old pen test leads.  That we know of.  Feel free to submit examples.  So plan out your future.  Use an old person to help you do it.  If step 2 in your plan is CISO, you probably need external assistance.

One thing not mentioned in the article, oddly enough, given recent headlines, is STAY OUT OF TROUBLE!  Just because you think The Man is the enemy at the moment doesn’t mean you will in 10 years.  And a hacking conviction ruins your chances at certain jobs.  Jobs you may not want right now, but trust us, a bad past is an albatross nobody needs.  It’s the first thing we check when we hire people.  So don’t.  Just don’t.

Along those lines, and another omission from the article, is DON’T SAY STUPID STUFF ON THE INTERWEBS that you’re not willing to live with forever.  Because it will come out at the most inopportune times.  Like in an interview.  Hey, one of our products is background information on job applicants.

 

Executive Summary: stop buying $tupid $tuff thinking that it will make you more secure.  Fix your fundamentals; there is no magic bullet.

Recently we’ve seen a spate of encryption products show up on the market.  Not to put too fine a point on it, but other people way smarter than us have said repeatedly that you cannot buy your way to secure, and this product family goes above and beyond in support of the argument that buying more security products is wasteful and stupid.  Without naming names, these products “enhance” intranet security by “grouping” servers into trusted and untrusted zones and offering various tricks for either encrypting communication or denying access.

Now, that sounds an awful lot like what firewalls, VPNs, and ACLs do.  And pretty much everyone with anything worth protecting already has those.  While this “new” technology claims to make the job easier by integrating with directory services, the result doesn’t seem to add any additional security.  Let’s examine the specifics.

Server A and server B need to exchange information, and server C, which is not part of the security group, sits on the same switch in the data center.  Server A and B, without any additional technology, can exchange their valuable data in a switched environment, and C can’t see it.  Pretty simple.  If, however, we can compromise the switched environment, via ARP-spoofing or what have you, C can snoop on the transmission.  So more security seems in order.

Add to the mix that servers A & B can encrypt their traffic using certificates.  Now C can spoof the switch and capture the traffic, but it’s encrypted.  If C can compromise the encryption, by stealing the private key behind A’s or B’s certificate (the certificate itself is public and no help on its own) and then inserting itself into the conversation as a man-in-the-middle, again, C can get the data.

If A & B implement two factor authentication, using something that can’t be taken off the wire by C, such as an external key, we make the transaction sufficiently complex that we can essentially disregard the threat and accept the remaining risk.

However, if the intruder has access to the network devices at all, the entire exercise is futile, because they’re already inside the perimeter.  Even if they can’t sniff the traffic, they can always compromise the servers directly, which means adding firewalls and alerting to the mix.

That results in a very strong security model, provided everything’s done right of course.
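The switch-compromise case above is exactly where the cheap detection the model depends on earns its keep.  Added example, not code from the original post: a shell function that compares two snapshots of a Linux `ip -4 neigh show` table (both snapshots are constructed here) from server A’s point of view and alerts when an IP’s MAC changes or when one MAC suddenly answers for several IPs, which is what ARP poisoning of the gateway or of server B looks like from the victim side.  The `ip neigh` line layout (IP, `dev`, interface, `lladdr`, MAC, state) and the alert names are assumptions of this example.

```shell
#!/bin/sh
# Two constructed snapshots of `ip -4 neigh show` on server A, a minute apart.
# (Constructed for this example; not captured from a real host.)
# Baseline: gateway 10.0.0.1 and server B 10.0.0.20 have their normal MACs.
BASELINE='10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.0.0.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
10.0.0.99 dev eth0 FAILED'
# Now: server C (10.0.0.30) has claimed the gateway address as well.
NOW_SNAP='10.0.0.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
10.0.0.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
10.0.0.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE'

# arp_changes BASELINE NOW: print one alert per finding.
#   MAC_CHANGED         - an IP we knew now resolves to a different MAC
#   NEW_NEIGHBOR        - an IP that was not in the baseline at all
#   MAC_CLAIMS_MULTIPLE - one MAC is answering for more than one IP
# Entries without an lladdr (FAILED/INCOMPLETE) are ignored.
arp_changes() {
    {
        printf '%s\n' "$1" | awk '$4 == "lladdr" { print "BASE", $1, $5 }'
        printf '%s\n' "$2" | awk '$4 == "lladdr" { print "NOW",  $1, $5 }'
    } | awk '
        $1 == "BASE" { base[$2] = $3 }
        $1 == "NOW"  {
            now[$2] = $3
            owners[$3] = (owners[$3] == "") ? $2 : owners[$3] "," $2
            count[$3]++
        }
        END {
            for (ip in now) {
                if (!(ip in base))
                    printf "NEW_NEIGHBOR ip=%s mac=%s\n", ip, now[ip]
                else if (base[ip] != now[ip])
                    printf "MAC_CHANGED ip=%s was=%s now=%s\n", ip, base[ip], now[ip]
            }
            for (mac in count)
                if (count[mac] > 1)
                    printf "MAC_CLAIMS_MULTIPLE mac=%s ips=%s\n", mac, owners[mac]
        }'
}

# Stand-alone run: compare the two constructed snapshots.
arp_changes "$BASELINE" "$NOW_SNAP"
```

On a real host the baseline is a file you write once from a known-good state (or, better, the gateway MAC you look up from the switch), and a cron job runs the comparison against the live `ip -4 neigh show` output every minute, paging on any MAC_CHANGED or MAC_CLAIMS_MULTIPLE line.  NEW_NEIGHBOR is noisy on a busy segment and is best logged rather than paged; the other two should almost never fire on a static data center VLAN, which is what makes them useful.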

Now look at the addition of software that does all that for us for an additional fee.  What have we gained?  Encrypted communications?  Check.  Source/destination authentication? Check.  Intrusion detection?  Nope.  Wait.  What?  I still need the detection and alerting capabilities?  Yes.  No matter what you need detection and alerting.  It’s part of the fundamental security model.  And if you’ve got detection and alerting working right with everything else, you’ll spot attacks early enough to prevent loss.

You’ve got a detection and alerting system, right?  Watching for anomalies in behavior and data flow?  That’s the #1 priority if not.

But if you have that, and you add the fancy control software, have you gained anything?  Nope.  We have nothing beyond what we had using native technologies that most of the target-market companies already have in place.

What you have gained, in addition, is negative value.  The new system is going to require management.  Since you aren’t shutting off the other stuff, it’s in addition and doesn’t save you anything; it adds to cost.  The new system is going to require monitoring and alerting, which means adding it into your existing capabilities and updating rules, which is an additional cost.  The new system is going to require testing and patching, and since nothing has gone away, it’s in addition to your existing efforts, which makes it an additional cost.  Finally, it’s one more piece of software, one more attack vector, which is an additional risk.

All in all, not a great day to be selling product X.

What’s worse, some of these vendors are telling people to use their encryption to pass traffic across the ’net, à la a VPN connection, only from server to server rather than from firewall to firewall, or at least VPN device to VPN device.  While it’s possible that application vendor SoAndSo does VPN technology better than VPN technology vendor Namebrand, we would bet that it doesn’t.  But even if they do, it’s still no gain over existing technology, meaning it’s still a cost and this is not a redeeming feature.

What it comes down to is what it’s always come down to.  You need to do the basics, and you need to do them well.  It doesn’t matter what you buy if your passwords are weak, and it doesn’t matter that you encrypt if you leave your private keys lying around.  So instead of spending $tupid monie$ on shill-ware like this stuff, invest that money in your people and in doing things right.  You don’t need yet another security tool; it won’t fix anything, and it’s a waste of money.

Demonstrating value is key in a corporate setting for running an effective information security program.  If your management team doesn’t clearly understand what benefit they all derive from security, the program will suffer over time.

Demonstrating some value is easy if you have historical metrics.  Metrics being a whole ‘nother topic.  Without them, illustrating value becomes much more difficult, but only for routine items, the kind that don’t really demonstrate the clear value of a security program.

Security people should keep track of proactive fixes and calculate value saved.  If your marketing department nearly sent out a virus-laden PDF, can you estimate what that would have cost the company?  Value demonstrated.  If a computer worm affects other companies but not you, can you trace back to why you were unscathed?  If it’s not just a lucky dodge, you can point to it as value demonstrated.  Every time someone deletes a file and you’re able to recover it with FTK, that’s value.  And it adds up.

While hard metrics like firewall alerts and phishing rejection are nice, they usually are only good for incremental improvements, and are likely to be marginalized because “everyone” does that.  So your program is nothing special.

Whereas if you’re providing security input on a $3M project and suffer no security lapses, that’s personal to at least one manager, and probably meaningful to all of upper management.  They know how much a delay in that project would cost, if they’re doing project management.  That delay you didn’t have to take should be put in the security win column.  You did your job and carried the project without any glitches.  That’s value, perceived, measured, and quantifiable.

Meanwhile, normal security metrics, like password complexity, lockouts, alerts, and blocked access, show a steady foundational reward.  But management doesn’t really see those, so despite being concrete, they appear abstract and fuzzy.  Far more real are items like smooth deployments of non-security services and products that have a security component.

If you have a DDoS attack and, thanks to your preparations, the Internet remains open for business, that’s demonstrated value.  Any business that relies on the Internet knows how much disruption costs.  That difference is a benefit of the security program and should be acknowledged as such.

Usually nobody’s going to blow your horn for you, though, so you need to keep track of these things and get the word out.  In every company newsletter place a brief summary of what’s gone on and how much it saved the company.

At the end of the year, you can quantify the entire period and compare that to the expense of running the program.  If the program is still a cost center and not a profit center, you’re probably doing something wrong.

Stay away from fuzzy representation, like value, if you don’t have hard numbers to back up the claim.  Brand reputation is a very real resource, but without actual measurable damage, and some sort of benchmark, it’s going to look soft.  If you can show a similar incident had a specific effect, and that translates to your situation, it is possible to use it, but usually not.

Occasionally, you’ll be able to use a security program as a cost-savings indicator, but most of them will not work well.  This is because security is usually the only department in contact with the security device/application.  If management as a whole doesn’t feel the direct benefit, the success loses value.  If a new security device/process streamlines an existing process, it can be argued that the first problem was security to begin with, so all that’s happened is a fix has been put in for a problem, and that’s not value added, that’s value recovered.  Increased efficiency is a soft win.  List it, but don’t count on it getting you a bonus.

Imagine some of the possibilities:

  • Your data loss prevention program catches the secret formula for your key product leaving for a competitor.
  • Neubot.war worm takes down half the Internet, and you are unscathed because of white-listing run-time applications.
  • A hostile employee tries to sabotage the plant chemistry mix, but can’t because provisioning denied access.

Fighting for ROI using metrics is an uphill battle, but demonstrating value using particular high profile incidents like these makes it much easier, but you have to watch for them.

Do use standard business practices and ROI for budgetary purposes, but it’s the risk management program that will contribute most to finding new ways to demonstrate value, because it is proactive and not reactive.  If the beneficial system/process isn’t in place prior to the incident, any benefit derived is simply soft response value, not the hard value that clearly demonstrates the program’s worth.

Bring your own device (BYOD) is an emerging concept whereby corporations allow or require employees to supply their own computing and communications platform (laptop/phone).  It is colossally stupid, and that is well documented elsewhere, but for us it is worse than just having to preserve a different kind of device, because BYOD introduces other parties with additional risk.

When we contract for normal corporate ePreservation services, we engage with a client and have one contract, one privacy agreement, one potential liability.

By permitting employees to use their personal devices, BYOD increases the likelihood that we’re going to have to take personal phone/laptops as part of an evidence preservation effort, and employees aren’t going to like us having access to their personal stuff on those devices.  We wouldn’t want our stuff given to someone else, which is why we strongly recommend clients NOT permit the use of personal devices for corporate business other than phone calls.  We can, after all, get those records from the phone company.  Texting as well, but it’s a slippery slope, until we’re looking at the pictures you sent your friends last New Years Eve.

What’s worse for us, however, is the potential for 3rd party lawsuits.  Your employee whose phone we take to image can potentially hold us liable for harm to the phone, themselves, or their reputation (ask a lawyer for the definitive list).  How could that happen?  The simplest case involves them having personally embarrassing photos on the phone and us losing control of it.  It could happen.  They can probably sue us for damages at that point.  And the employer.

Even with a solid employee/company BYOD agreement  in place, no such agreement exists between them and our company.  Even if our contract can serve as a vehicle to transfer responsibility, it’s still a nasty business that could go either way depending on the forum.

Another example is a picture of a 4th party on the phone of the employee.  Regardless of the employee’s ability to sue, the 4th party might be able to establish liability against all three other parties, quite reasonably.  Ask a lawyer to explain it if you’re interested, we only know enough to know there’s potentially a lot of new problems with BYOD.

And that means new insurance, new procedures, and new billing codes.  Yes, while you corporate types are calculating your bonus based on switching to BYOD, we’re looking at our bottom line as well, which means we’ll be charging you different rates for BYOD items.  Which will undoubtedly not make it into the spreadsheets that show how big a bonus you deserve for implementing it.

Go ahead and BYOD, we’re ready to bill you for it.

What would a consultant do if they had two clients, each the other’s business partner, who had the same gap in safe practices?  As consultants, we’re typically bound by confidentiality agreements.  If one client is doing something that puts the other at risk, it is difficult to advise the one and still maintain confidentiality with the other.  Even if the consultant refrains from indicating the source of the problem, remediating it means the second client is likely to find out about the first client’s gap, and it may become an issue, one where they bring up the consultant’s role in the change.  This may mean losing one or both clients, depending on their inclination.  Yet directly informing either or both has even larger risks.

On the other side of the coin, the consultant, if they have professional morals or some perceived real duty to the clients, cannot let the issue go.  They must somehow prepare both clients.  A subtle hand can press the issue on both sides without letting either party know that there was a conflict.

“The difference between stupid and intelligent people – and this is true whether or not they are well-educated – is that intelligent people can handle subtlety.” – Neal Stephenson

 

While trying to find out how much a medium flat rate box would cost to ship earlier today, we spotted a strange item that roused our privacy hackles, one that other users wouldn’t see unless they happened on the site with their Flash settings locked down.  It seems the government, in the form of the USPS, in the form of somebody called prioritymail.com, wants to TAKE YOUR PICTURE just to tell you what a flat rate shipment might cost.  Isn’t that interesting?

can i takez u picchur?

Hey, “might” doesn’t mean they actually *want* to take my picture, just some sloppy Flash coding, right?

Oh.

While we don’t have time to ferret out if it’s a goof or who’s responsible, we do find it interesting that in this day and age, anything like this can see the light of day.

The price of freedom may be eternal vigilance, but this impingement on it is free.