Fixing Omissions in 5 Questions

In a recent issue of a leading security magazine was published an “advertorial” with a few missing pieces, we aim to correct the lapse, or at least make a few tweaks that might improve the result.

The main change in data since computers entered the business scene, is the density and ubiquity.  That’s correct in our opinion, but neglects to explain why it’s important, which was part of the question.  It’s important to enterprise IT for one reason, competitive advantage.  That’s business 101, and we’re surprised something that fundamental got overlooked.  So that’s fixed.  C/A, for anyone not familiar with the term, is simply some advantage one company has over another.  It can be technology, funding, personnel, knowledge, IP, or anything that differentiates one company from another.  In simple terms, one could claim that Coke has a competitive advantage over Pepsi because it tastes better.  Or vice versa.  That one’s a holy war, like vi vs any other pathetic excuse for an editor.  C/A is what usually lets one company win, unless it has disadvantages that counteract that advantage.  Like Sony and Betamax.  And  competitive advantage degrades over time, which means ongoing development is necessary.

New examples of types of data breaches are kind of problematic.  O-day, in particular, is something that’s been around since the dawn of hacking.  O-day isn’t really a type of breach, whereas PHI exposure is, but that’s not new either.   A better answer would have been blended threat, but that’s not entirely new, or the Lollable APT buzzword.  The best answer, in our opinion, is not the technique employed but the crimes, since we’re asking about a form of breach.  In which case, massive parallel bank fraud comes to mind.  That’s new.  Not too long ago, less than 10 years, it would have been very, very difficult to pull off a heist using 1000 fake credit cards.  It’s a hell of a lot easier now.  Are the credit card numbers the actual breach, or is draining the accounts the breach?  Meh.  Here’s a solid “new” example, exposing 10,000,000 patient records in a single breach.  Hasn’t happened yet, but it will.  We’ve come close, so I’ll stick with that as a “new” breach.  To do that 10 years ago we’d have needed to raid multiple hospitals EMR applications or an insurer.  Still do, but it doesn’t pay as well as the credit card scams.  Come to think of it, there really isn’t any form of breach that is new, they’re all old hats, matched with shiny new technology.  They just happen bigger, better, faster.

As for why the traditional approach of data protection work, this question is poorly constructed.  For starters, by what definition?   According to a couple famous sources, the traditional approach is to flush money down the  toilet on a bunch of useless vendor solutions that don’t really secure anything, which we agree with.

Moats as defensive measures is sort of traditional, if we’re in the year 1217 fighting the Germans and Estonians.  The analogy of moats is about 30 years behind the times, but its workable, although we’re still looking for “smart screen filters” and keep getting this new Micro$oft thing, which couldn’t be considered a “traditional” approach.  The biggest failure in classical security (in IT, the real world has known this bit since at least the time of Pharaoh),  is the lack of detection to supplement the use of access controls.  Alarms are wonderful things.  Locks are wonderful things.  Locks without alarms aren’t really that useful.  Security, and here is the 100% best definition ever, is a time based system (Schwartau).  So if  4 hour locks, 10 hour firewalls, and 20 hour social engineering education sessions fail, without alarms, you won’t know until you detect it by the article on page 1 of The Post.  And the bad guys win.  That, more than anything else, contributed to a lot of #fail in the past.  Why?  It’s difficult sometimes to write or build alarm systems.  And difficult, in the business world, frequently becomes “not done”.  Here’s a thought, consider it a “competitive advantage” while your competition is getting raided by foreign spies and you’re detecting the attempts and countering.

Encryption is a nice solution for security, although it doesn’t really a solve anything, especially if we’re trading information across a border, which everyone is, and our partners are not encrypting.  Furthermore, claiming that encryption prevents data loss in a breach is absurd, it’s just another bit of time-based security like everything else.  Every data breach we’ve ever worked on or with involved compromised passwords and user accounts, and if you have the credentials, you have the encryption.  Unless they did a really bang up job on the encryption, in which case we’ll just go with screen shots or SE to get what we want.  Without detection, encryption has a reduced impact.  Without monitoring and oversight, it may actually hurt a company, since it creates a blind spot in the risk profile.  Companies should invest in a detection system way before investing in an encryption system.  Otherwise how will they know when someone didn’t encrypt something?

Look, if you want security, you need only a few things, and most of them can be had for free or for much lower costs than vendor solutions.  Follow the SANS Top 20, and invest in detection and alerting infrastructures.   And quality security personnel.  Stop trying to cheap out on security.  It’s just another business center, so treat it like one, and make your business partners treat it like one.



Espionage, Corporate or Government?

Recently, the comment was made in a SANS newsletter (awesome job guys, keep it up) that US government/commercial relations (Patriot Act or no) affect who does business in the US.

Editor’s Note (Pescatore): Of course, this is very much a two-way
street. Many non-US companies see the Patriot Act as meaning that
US-based technology services are government influenced and would put
customer data at risk.

Let’s get real for a moment.  If you think that any sizable nation, say G20, isn’t abusing it’s ability at both the government and corporate level to obtain advantage of some sort, you are sadly out of touch with reality.  The commingling of commercial and government interests goes back to the dawn of spying.  While the majority of business and government goes unmolested (in our humble opinion) anything of “strategic” value, as defined by people with little or no oversight, is likely polluted and pilfered at will.  I’m sure it’s all done in a very professional manner, or companies would shutter their doors, but it’s done.

So when “some unnamed large company” comes to town, they are both target and suspect.  If you have intellectual property you’d like to keep secret, you’d better do a good job of it.  And if you want to business in their home turf, you’d better do a good job of it.

While the spooks would love to be the ones holding the “no more secrets” card, as of today, we’re all still safe, provided we use quality encryption, and don’t screw up our practices.  If you send your sales people to a foreign land with all your pricing and customer data on an unencrypted laptop, you don’t deserve what you’ll get, but you sure deserve a swift kick in the profit centers.

Encryption and travel protocols are just part of the game now.  Keep up or get out.

Professional Advice for Security Wonks

So you’re one of the lucky people that actually managed to land a job in the security field.  Bully.  New Scientist has some good advice for scientists that adapts readily to any professional’s career, but particularly well for security wonks.

First they harp on communication, and who can’t benefit from improving their interpersonal communication skills?

Then they discuss the publication imperative, and this is becoming a more important piece as the field gets more and more crowded.  Not that there’s a shortage of work, but there is a shortage of best places to work.  Like here at Digital Trust.  Professionals that give talks, write articles, run a blog, or just generally hang their reputation on putting stuff out in public, are better prospects for employers.  Publishing something (and not getting trashed for it by your peers) demonstrates characters and commitment.  Anyone can attend a con, but a presenter will probably get preferential hire treatment.  Unless they spoke about something senseless, like Class 3 firearms (that won’t get you anything but giggles).  To be the best, you must contribute something of value.

The rest of the article is self explanatory and easily mapped across.  Don’t neglect the last step, planning.  If you float around the industry you’re not going to end up in the best place.  There are 55 year old firewall admin’s, but there’s also 18 year old firewall admin’s, so the salary situation is sort of feeble.  There are no 18 year old Pen Test leads.  That we know of.  Feel free to submit examples.  So plan out your future.  Use an old person to help you do it.  If step 2 in your plan is CISO, you probably need external assistance.

One thing not mentioned in the article, oddly enough, given recent headlines, is STAY OUT OF TROUBLE!  Just because you think The Man is the enemy at the moment, doesn’t mean you will in 10 years.  And a hacking conviction ruins your chances at certain jobs.  Jobs you may not want right now, but trust us, a bad past is an albatross nobody needs.  It’s the first thing we check when we  hire people.  So don’t.  Just don’t.

Along those lines, and another omission from the article, is DON’T SAY STUPID STUFF IN THE INTERWEBS that you’re not willing to live with forever.  Because it will come out at the most inopportune times.  Like in an interview.  Hey, one of our products is background information on job applicants.