You Can’t Buy Security

Executive Summary: stop buying $tupid $tuff thinking that it will make you more secure.  Fix your fundamentals; there is no magic bullet.

Recently we’ve seen a spate of encryption products show up on the market.  Not to put too fine a point on it, but other people way smarter than us have said repeatedly that you cannot buy your way to secure, and this product family goes above and beyond in support of the argument that buying more security products is wasteful and stupid.  Without naming names, these products “enhance” intranet security by “grouping” servers into trusted and untrusted zones, and offering various tricks for either encrypting communication or denying access.

Now, that sounds an awful lot like what firewalls, VPNs, and ACLs do.  And pretty much everyone with anything worth protecting already has those.  While this “new” technology claims to make the job easier by integrating with directory services, the result doesn’t seem to add any additional security.  Let’s examine the specifics.

Server A and server B need to exchange information, and server C, which is not part of the security group, sits on the same switch in the data center.  Server A and B, without any additional technology, can exchange their valuable data in a switched environment, and C can’t see it.  Pretty simple.  If, however, we can compromise the switched environment, via ARP-spoofing or what have you, C can snoop on the transmission.  So more security seems in order.

Add to the mix that servers A and B encrypt their traffic using certificates.  Now C can spoof the switch and capture the traffic, but it’s encrypted.  If C can compromise the encryption, by obtaining a copy of A’s or B’s private key (the certificate itself is public and on its own gives C nothing) or by getting A or B to trust a certificate C controls, and then attacking the conversation with a man-in-the-middle attack, again, C can get the data.

If A and B implement two-factor authentication, using something that can’t be taken off the wire by C, such as a key held in an external hardware token, we make the attack sufficiently hard that we can essentially disregard the threat and accept the remaining risk.

However, if the intruder has access to the network devices at all, the entire exercise is futile, because they’re already inside the perimeter.  Even if they can’t sniff the traffic, they can go after the servers directly, which means adding firewalls and alerting to the mix.

That results in a very strong security model, provided everything’s done right of course.

Now look at the addition of software that does all that for us for an additional fee.  What have we gained?  Encrypted communications?  Check.  Source/destination authentication? Check.  Intrusion detection?  Nope.  Wait.  What?  I still need the detection and alerting capabilities?  Yes.  No matter what you need detection and alerting.  It’s part of the fundamental security model.  And if you’ve got detection and alerting working right with everything else, you’ll spot attacks early enough to prevent loss.

You’ve got a detection and alerting system, right?  Watching for anomalies in behavior and data flow?  That’s the #1 priority if not.
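What “watching for anomalies” looks like in practice for the ARP-spoofing scenario above, as an added example that is not code from the original post or from any product it describes: a small detector over a constructed stream of ARP replies (the line format, the 10.0.0.0/24 addresses and the MACs are all made up for illustration) that flags an IP whose MAC changes, with the gateway singled out, and a single MAC that starts answering for several IPs.  It is the kind of check arpwatch performs; here the logic is written out so it is visible.

```python
"""ARP-spoofing anomaly detector over a stream of ARP replies.

Added example, not code from the original post.  The line format, addresses
and MAC addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import DefaultDict, Dict, List, Set, Tuple

# One ARP reply per line, in a constructed shape that mirrors what
# "tcpdump -n arp" prints.  Requests carry no IP-to-MAC binding, so any line
# that is not a reply is skipped by the parser.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) arp reply "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)

# Constructed sample, not a real capture.  10.0.0.1 is the gateway, .10 and
# .11 are servers A and B, .12 is server C.  At 10:00:09 C starts answering
# for A and for the gateway, which is what ARP poisoning looks like on the wire.
SAMPLE_LOG = """\
10:00:00 arp request who-has 10.0.0.1 tell 10.0.0.10
10:00:01 arp reply 10.0.0.1 is-at 00:11:22:33:44:01
10:00:02 arp reply 10.0.0.10 is-at 00:11:22:33:44:0a
10:00:03 arp reply 10.0.0.11 is-at 00:11:22:33:44:0b
10:00:04 arp reply 10.0.0.12 is-at 00:11:22:33:44:cc
10:00:09 arp reply 10.0.0.10 is-at 00:11:22:33:44:cc
10:00:09 arp reply 10.0.0.1 is-at 00:11:22:33:44:cc
10:00:10 arp reply 10.0.0.11 is-at 00:11:22:33:44:0b
"""

Reply = Tuple[str, str, str]   # (timestamp, ip, mac)
Alert = Tuple[str, str, str]   # (timestamp, kind, detail)


def parse_arp_replies(text: str) -> List[Reply]:
    """Extract (ts, ip, mac) from every reply line; other lines are ignored."""
    replies: List[Reply] = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_anomalies(replies: List[Reply], gateway_ip: str) -> List[Alert]:
    """Flag the two bindings an ARP-spoofing attack has to break.

    1. An IP whose MAC changes ("flip-flop").  For the gateway this is the
       classic position for sitting between every host and the router, so it
       gets its own alert kind.
    2. One MAC that claims more than one IP.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: DefaultDict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway-mac-change" if ip == gateway_ip else "ip-mac-change"
            alerts.append((ts, kind, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac  # track the latest claim so a flapping entry re-alerts
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append((ts, "mac-claims-multiple-ips",
                               f"{mac} now answers for {claimed}"))
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample; four alerts are expected."""
    return detect_arp_anomalies(parse_arp_replies(SAMPLE_LOG), gateway_ip="10.0.0.1")


if __name__ == "__main__":
    for ts, kind, detail in run_sample():
        print(f"{ts} ALERT {kind}: {detail}")
```

Run it as a script to see the four alerts; to use it on a real segment, feed it replies from a span port or from `tcpdump -n arp` after adjusting the regular expression to that tool’s exact output, and route the alerts into whatever already pages the on-call person.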

But if you have that, and you add the fancy control software, have you gained anything?  Nope.  We have nothing beyond what we had using native technologies that most of the target-market companies already have in place.

What you have gained, in addition, is negative value.  The new system is going to require management.  Since you aren’t shutting off the other stuff, it’s in addition and doesn’t save you anything; it adds to cost.  The new system is going to require monitoring and alerting, which means adding it into your existing capabilities and updating rules, which is an additional cost.  The new system is going to require testing and patching, and since nothing has gone away, it’s in addition to your existing efforts, which makes it an additional cost.  Finally, it’s one more piece of software, adding one more attack surface, which is an additional risk.

All in all, not a great day to be selling product X.

What’s worse, some of these vendors are telling people to use their encryption to pass traffic across the ‘net, à la a VPN-style connection, only from server to server, and not from firewall to firewall, or at least VPN device to VPN device.  While it’s possible application vendor SoAndSo does do VPN technology better than VPN technology vendor Namebrand, I would bet that it doesn’t.  But even if they do, it’s still no gain over existing technology, meaning it’s still a cost and this is not a redeeming feature.

What it comes down to is what it’s always come down to.  You need to do the basics, and you need to do them well.  It doesn’t matter what you buy if your passwords are weak, and it doesn’t matter that you encrypt if you leave your certificates laying around.  So instead of spending $tupid monie$ on shill-ware like this stuff, invest that money in your people and in doing things right.  You don’t need yet another security tool, it won’t fix anything, and it’s a waste of money.

Demonstrating Value in an Information Security Program

Demonstrating value is key in a corporate setting for running an effective information security program.  If your management team doesn’t clearly understand what benefit they all derive from security, the program will suffer over time.

Demonstrating some value is easy if you have historical metrics.  Metrics being a whole ‘nother topic.  Without them, illustrating value becomes much more difficult, but only for routine items, the kind that don’t really demonstrate the clear value of a security program.

Security people should keep track of proactive fixes and calculate value saved.  If your marketing department nearly sent out a virus-laden PDF, can you estimate what that would have cost the company?  Value demonstrated.  If a computer worm affects other companies but not you, can you trace back to why you were unscathed?  If it’s not just a lucky dodge, you can point to it as value demonstrated.  Every time someone deletes a file and you’re able to recover it with FTK, that’s value.  And it adds up.

While hard metrics like firewall alerts and phishing rejection are nice, they usually are only good for incremental improvements, and are likely to be marginalized because “everyone” does that.  So your program is nothing special.

Whereas if you’re providing security input on a $3M project and suffer no security lapses, that’s personal to at least one manager, and probably meaningful to all of upper management.  They know how much a delay in that project would cost, if they’re doing project management.  That delay you didn’t have to take should be put in the security win column.  You did your job and carried the project without any glitches.  That’s value, perceived, measured, and quantifiable.

Meanwhile, normal security metrics, like password complexity, lockouts, alerts, and blocked access, show a steady foundational reward.  But management doesn’t really see those, so despite being concrete, they appear abstract and fuzzy.  Far more real are items like smooth deployments of non-security services and products that have a security component.

If you have a DDOS attack and thanks to your preparations, the Internet remains open for business, that’s demonstrated value.  Any business that relies on the Internet knows how much disruption costs.  That difference is a benefit of the security program and should be acknowledged as such.

Usually nobody’s going to blow your horn for you, though, so you need to keep track of these things and get the word out.  In every company newsletter place a brief summary of what’s gone on and how much it saved the company.

At the end of the year, you can quantify the entire period and compare that to the expense of running the program.  If the program is still a cost center and not a profit center, you’re probably doing something wrong.

Stay away from fuzzy representations of value if you don’t have hard numbers to back up the claim.  Brand reputation is a very real resource, but without actual measurable damage, and some sort of benchmark, it’s going to look soft.  If you can show a similar incident had a specific effect, and that translates to your situation, it is possible to use it, but usually not.

Occasionally, you’ll be able to use a security program as a cost savings indicator, but most of them will not work well.  This is because security is the only department with contact with the security device/application.  If management as a whole doesn’t feel the direct benefit, the success loses value.  If a new security device/process streamlines an existing process, it can be argued that the first problem was security to begin with, so all that’s happened is a fix has been put in for a problem, and that’s not value added, that’s value recovered.  Increased efficiency is a soft win.  List it, but don’t count on it getting you a bonus.

Imagine some of the possibilities:

  • Your data loss prevention program catches the secret formula for your key product leaving for a competitor.
  • Neubot.war worm takes down half the Internet, and you are unscathed because of whitelisting runtime applications.
  • A hostile employee tries to sabotage the plant chemistry mix, but can’t because provisioning denied access.

Fighting for ROI using metrics is an uphill battle, but demonstrating value using particular high-profile incidents like these makes it much easier, though you have to watch for them.

Do use standard business practices and ROI for budgetary purposes, but it’s the risk management program that will contribute most to finding new ways to demonstrate value, because it is proactive and not reactive.  If the beneficial system/process isn’t in place prior to the incident, any benefit derived is simply soft response value, and not the hard value that clearly shows return.

Glad to see BYOD taking off…

Bring your own device (BYOD) is an emerging concept whereby corporations allow/require employees to supply their own computing and communications platform (laptop/phone).  It is colossally stupid and that is well documented elsewhere, but for us, it is worse than just having to preserve yet another device, because BYOD introduces other parties with additional risk.

When we contract for normal corporate ePreservation services, we engage with a client and have one contract, one privacy agreement, one potential liability.

By permitting employees to use their personal devices, BYOD increases the likelihood that we’re going to have to take personal phone/laptops as part of an evidence preservation effort, and employees aren’t going to like us having access to their personal stuff on those devices.  We wouldn’t want our stuff given to someone else, which is why we strongly recommend clients NOT permit the use of personal devices for corporate business other than phone calls.  We can, after all, get those records from the phone company.  Texting as well, but it’s a slippery slope, until we’re looking at the pictures you sent your friends last New Years Eve.

What’s worse for us, however, is the potential for 3rd party lawsuits.  Your employee whose phone we take to image can potentially hold us liable for harm to the phone, themselves, or their reputation (ask a lawyer for the definitive list).  How could that happen?  The simplest case involves them having personally embarrassing photos on the phone and us losing control of it.  It could happen.  They can probably sue us for damages at that point.  And the employer.

Even with a solid employee/company BYOD agreement in place, no such agreement exists between them and our company.  Even if our contract can serve as a vehicle to transfer responsibility, it’s still a nasty business that could go either way depending on the forum.

Another example is a picture of a 4th party on the phone of the employee.  Regardless of the employee’s ability to sue, the 4th party might be able to establish liability against all three other parties, quite reasonably.  Ask a lawyer to explain it if you’re interested, we only know enough to know there’s potentially a lot of new problems with BYOD.

And that means new insurance, new procedures, and new billing codes.  Yes, while you corporate types are calculating your bonus based on switching to BYOD, we’re looking at our bottom line as well, which means we’ll be charging you different rates for BYOD items.  Which will undoubtedly not make it into the spreadsheets that show how big a bonus you deserve for implementing it.

Go ahead and BYOD, we’re ready to bill you for it.

Criss-cross Client Gaps

What would a consultant do if they had two clients, both of which had the same gap in safe practices, who were each other’s business partner?  As consultants, we’re typically bound by confidentiality agreements.  If one client is doing something that puts the other at risk, it is difficult to advise the one and still maintain confidentiality with the other.  Even if the consultant can refrain from indicating the source of the problem, the act of remediating makes it likely that the second client finds out about the first client’s gap, and it may become an issue, one where they will bring up the consultant’s role in the change.  This may mean losing one or both clients, depending on their inclination.  Yet directly informing either or both has even larger risks.

On the other side of the coin, the consultant, if they have professional morals or some perceived real duty to the clients, cannot let the issue go.  They must somehow prepare both clients.  A subtle hand can press the issue on both sides without letting either party know that there was a conflict.

“The difference between stupid and intelligent people – and this is true whether or not they are well-educated – is that intelligent people can handle subtlety.” – Neal Stephenson


Big Brother Will Help You Mail That Package

While trying to find out how much a medium flat rate box would cost to ship earlier today, we spotted a strange item that roused our privacy hackles, one that other users wouldn’t see unless they happened on this site with their Flash settings locked down.  It seems the government, in the form of the USPS, in the form of somebody called, wants to TAKE YOUR PICTURE just to tell you what a flat rate shipment might cost.  Isn’t that interesting?

can i takez u picchur?

Hey, “might” doesn’t mean they actually *want* to take my picture, just some sloppy flash coding, right?


While we don’t have time to ferret out if it’s a goof or who’s responsible, we do find it interesting that in this day and age, anything like this can see the light of day.

The price of freedom may be eternal vigilance, but this impingement on it is free.


B-Sides & Business

[updated/edited] As a B-Sides sponsor, we’re rather concerned about the post from attrition regarding B-Sides, but we’re certainly glad it came out. We are pulling our, admittedly limited, sponsorship of local B-Sides events until such time as the matter is resolved to public satisfaction, or the entity known as B-Sides is provided with adequate management. We will continue to support local events with time and money, even ones with a B-Sides logo, but will do so only through direct funding.  To that end, and to ensure B-Sides DE carries on, we’re committing $500 to the next B-Sides DE event.

Here’s hoping for speedy resolution to this situation.


Adding centralized controls for corporate browser settings and locking down security settings to increase security is a great idea, as opposed to letting users do whatever they please. It shows attention and diligence.

However, doing so while still permitting lax passwords and not alerting on security failures demonstrates a distinct lack of focus. Fine-detail settings in the browser won’t help your organization if a bad guy can roll up on your Internet presence and run THC-Hydra with impunity.

Your internal controls don’t amount to much protection if your external controls are stuck in the 1980’s. Failure to fix the obvious is an invitation to being hacked.

Don’t forget about the simple stuff, and have your systems tested by people that will do more than just point a vulnerability scanner at the address space. Use some sense and focus on what’s going to be most effective, not what was in the news last week.
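The alerting on security failures that the paragraphs above call missing, as an added example rather than anything from the original post: a detector over constructed sshd-style log lines (the hostnames, usernames and addresses are invented) that raises one alert when a source exceeds a failure threshold inside a sliding window, the signature of a password brute-force, and another when one source tries several distinct usernames, the spray pattern a tool like Hydra produces and that per-account lockout never notices.  The thresholds are assumptions to tune for your environment.

```python
"""Failed-login burst and username-spray detector over sshd-style log lines.

Added example, not code from the original post.  Log lines, hosts, usernames
and addresses are constructed; thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from typing import DefaultDict, Deque, List, Set, Tuple

# Constructed line shape (syslog prefix dropped for brevity):
#   10:01:00 sshd[2102]: Failed password for root from 203.0.113.5 port 51234 ssh2
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample: alice from 192.0.2.7 fumbles twice, minutes apart (the
# benign case); 203.0.113.5 runs through several usernames in a few seconds
# (the Hydra case).  The "Accepted" line shows that non-failures are skipped.
SAMPLE_LOG = """\
10:00:00 sshd[2101]: Failed password for alice from 192.0.2.7 port 40001 ssh2
10:00:05 sshd[2101]: Accepted password for alice from 192.0.2.7 port 40001 ssh2
10:01:00 sshd[2102]: Failed password for root from 203.0.113.5 port 51234 ssh2
10:01:01 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
10:01:01 sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
10:01:02 sshd[2105]: Failed password for root from 203.0.113.5 port 51237 ssh2
10:01:03 sshd[2106]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
10:01:03 sshd[2107]: Failed password for root from 203.0.113.5 port 51239 ssh2
10:03:00 sshd[2108]: Failed password for alice from 192.0.2.7 port 40002 ssh2
"""

Failure = Tuple[int, str, str, str]  # (seconds since midnight, ts, user, src)
Alert = Tuple[str, str, str]         # (ts, kind, detail)


def to_seconds(ts: str) -> int:
    h, m, s = (int(part) for part in ts.split(":"))
    return h * 3600 + m * 60 + s


def parse_failures(text: str) -> List[Failure]:
    """Keep only failed-password lines; successes and noise are skipped."""
    failures: List[Failure] = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line.strip())
        if m:
            failures.append((to_seconds(m["ts"]), m["ts"], m["user"], m["src"]))
    return failures


def detect_bruteforce(failures: List[Failure], max_failures: int = 5,
                      window_s: int = 60, spray_users: int = 3) -> List[Alert]:
    """Two rules, both keyed on the source address.

    brute-force:    max_failures failures inside a sliding window_s window.
                    Fires when the count reaches the threshold, and again only
                    after the window drains and refills, so a source that keeps
                    hammering does not produce one alert per attempt.
    password-spray: spray_users distinct usernames from one source, which an
                    account-lockout policy alone never sees because no single
                    account trips it.  Fires once per source.
    """
    recent: DefaultDict[str, Deque[int]] = defaultdict(deque)
    users_seen: DefaultDict[str, Set[str]] = defaultdict(set)
    sprayed: Set[str] = set()
    alerts: List[Alert] = []
    for t, ts, user, src in failures:
        window = recent[src]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()
        if len(window) == max_failures:
            alerts.append((ts, "brute-force",
                           f"{src}: {max_failures} failed logins within {window_s}s"))
        users_seen[src].add(user)
        if len(users_seen[src]) >= spray_users and src not in sprayed:
            sprayed.add(src)
            names = ", ".join(sorted(users_seen[src]))
            alerts.append((ts, "password-spray",
                           f"{src} tried {len(users_seen[src])} usernames: {names}"))
    return alerts


def run_sample() -> List[Alert]:
    """Run both rules over the constructed sample with the default thresholds."""
    return detect_bruteforce(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, kind, detail in run_sample():
        print(f"{ts} ALERT {kind}: {detail}")
```

The two rules matter together: a lockout policy stops the single-account guess but is blind to a spray, and a spray detector alone misses the attacker who only cares about root.  Point the regular expression at your real auth log format and wire the alerts into the same pager the rest of the operation uses.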

Check Fraud

One of our clients received a check from a financial institution in the mail last week, a check they weren’t expecting. Given that they don’t even do business with the company whose check it was, they were quite aware that some mistake had been made. They contacted the company and found out that they weren’t the only stranger getting a hefty check in the mail. At least a dozen checks had been received, and several cashed. The company had suffered some sort of breach and lost banking information, checks, and their FedEx account codes. Not only were they dealing with the fraudulent checks, they had to pick up the bill for the overnight shipping.

Ironically, my client had, just one week prior, received an email regarding an item they posted on Craigslist. The “buyer” stated he would send a check to cover the item and the shipping plus a little extra just in case and my client was to send whatever was left after all the shipping and packaging back to the buyer.

Luckily, our customer was educated (we offer seminars) about various fraudulent schemes and called us after the first incident. We had them send a stock response to the mystery buyer that discourages further contact.

Then this check showed up at their office. It could be coincidence.

What’s not coincidence is the use of a fraudulent Craigslist transaction to locate targets for fraudulent schemes. It’s not Craigslist’s fault; this happens with every public forum, like eBay, Gunbroker, chat channels, bulletin boards, and mailing lists. Before the Internet and computing, it was classified ads in newspapers.

It’s been said often enough: the Internet makes everything faster and more efficient, especially crime.

Should you receive an unexpected check, contact the company in question. Even if they sound convincing on the phone, there’s no guarantee who you’re talking to is who is actually attached to the bank account. It’s just a string of numbers; there could be anyone’s name printed at the top of the check. Contact your local FBI office and report the situation.

Here’s one that may be a first, calling cell-phone users about their overdue bills and extracting credit card info, bank account info, personal information, or some combination of these.  You get a call about your overdue bill.  If you blindly proceed to pay, the scam is simple enough, but what about if you know it’s been paid?  Then they drag you through a series of question and answer checks that will (they hope) get you to confirm (reveal) credit card or bank account information.  Both options also allow for obtaining other information, such as passwords, through verbal manipulation.

So be careful and spread the word.

Identification Identity Crisis

Should organizations require and validate a government issued form of identification before granting network access? It’s easy enough to do. Costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification.  Of course, what to do with it after you’ve caught it…

But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.

More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional.  Some small percentage of false identification is going to result in violence.  Better the guard than the HR representative.

Regardless of whom, outside of the government, nobody without a Treasury department background is going to catch the good forgeries.  So we can at best reduce a risk, but not eliminate it.

Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.

How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?

It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense.  In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.

All The News That’s Pfffffft To Print

Are you tired of news outlets, official, mainstream, counterculture, blogosphere, or militant (did I miss any?) spouting nonsense about hackers and security in general?  While they’ll likely never get the moniker “hacker” used precisely right, we can at least hold them accountable for the crap they peddle as “news” about “hackers”.

Let’s start with foreign government “hackers”.  If a government sponsored agent is attempting to break into a foreign government computer system, they are “hacking”, but they are not “hackers”.  They are espionage agents.  Criminals in one country, patriots in another.  Some portion of foreign activity is state sponsored, and hence, is not hackers.  Could we argue that these official or unofficial subcontractors in hostile security are in fact “hackers”?  Sure, but then how to differentiate the regular hackers, the non-government sponsored bunch?  We’d need to start classifying them all as State Sponsored Hackers or Non-State Sponsored Hackers, with further breakdowns for official and unofficial.  It’s easier just to call them agents, criminals, or spies who are using hacking techniques.  But don’t call them hackers, because they’re not.  While hackers have a variety of reasons for hacking, state activity is not one of them.  It crosses a line.  It’s like saying a police agent using Metasploit is a hacker.  They’re not.  They’re cops.  Or police.  The FBI does not employ “hackers”, it employs agents and uses subcontractors who use hacking techniques, but who are not hackers.  Except maybe on the weekends, but that’s like having a secret identity, and if they get caught, they lose their official jobs.

Now let’s look at the idiocy that is numerical misuse.  To state that Company X is attacked 600,000 times a day is like saying that my internal combustion driven automobile explodes 20,000 times on my way to work.  You reporters and bloggers peddling this plotz are IDIOTS.  We mostly knew that already, but this is low hanging evidence that you’ll spew just about anything to fill space or drive revenue, regardless of sensibility.  You’re terrible at the job of reporting and wouldn’t know a fact check if it ran up and bit you on the nose.  Using the logic that produced “600,000 times a day” we can look at almost ANY WEBSITE ON THE ‘NET and find similar figures.  So why didn’t you report that?  Because Company X will drive more traffic, or is more impressive, or is what one person was truly interested in, and the rest of the blogosphere just gobbled it up and reprinted it to fill their pockets.

And by the way, 600,000 times a day for illicit access attempts is lightweight given the size of that particular company and its profile.  A better story would have started with “Why does Company X only get 600,000 attempts at password breaking each day” when comparable sites can be hit millions of times in one day.  That’s news, them not getting attacked more often.  Finding out they get attacked is not news.  Thinking that it is a high amount is not news, it’s just an indicator of the condition (IDIOCY in case you forgot).  Checking on norms and numbers and arriving at a startling realization that is backed up with facts, now that is news worth printing.  And plagiarizing.

So instead of just spewing drivel, make a decision.  Either get out of the IDIOCY business you’re in or start doing some meaningful reporting.  And this is copyrighted 2011 Digital Trust, LLC, in case you forgot.