Showing posts with label Security. Show all posts

Thursday, December 23, 2010

2011 InfoSec Predictions from Zscaler Labs

It's not only the season of giving but of forecasting as well, and I recently received the following Information Security Predictions from Zscaler Labs:
  • Flash mob hacktivism – we’ll see more attacks similar to Operation Payback, where like-minded strangers quickly organize and attack corporations or government entities in the name of a cause
  • Niche malware designed to harvest confidential information from IP-connected devices such as printers and SCADA systems will grow
  • Cloud-hosted botnets will grow
  • We’ll hear about more indirect data breaches, where it’s not the affected company that was breached, but rather a third-party vendor or organization
  • Social networks will become the main communication medium for attackers
  • The Information security market will continue to shrink
An interesting list - more about trends than fundamentals - and you can find more details on the Zscaler blog.

Tuesday, December 14, 2010

Tutorial on Buffer Overflows

Nice tutorial on this perennial security problem from Patrick Schaller of ETH Zurich.

Wednesday, August 25, 2010

IT Security Trends FreeMind map from 2008

I recently uploaded a large FreeMind map that I collected over 2008, in an effort to get a handle on the stream of security articles, reports and incidents taking place back then. In short there was a torrent and it remains much the same today. I think you might find the ad hoc classification of material useful, as well as the groups of sources.


Note that links to items from FIRST (Forum of Incident Response and Security Teams) are now broken since their once excellent news service has been discontinued.

All sources for my security and risk FreeMind maps are available here.

How to reason about IT Security Risks

I have been meaning for some time to post a link to this wonderful paper from late 2007 on the top information security risks for the then coming year. The paper was a collaborative work from several groups of security professionals, led by Gary Hinson, keeper of the fantastic NoticeBored site of security awareness material. The paper is excellent in that it clearly separates threats, vulnerabilities and impacts, and then creates risks as scenarios from the interplay of these three collections, with controls coming as final recommendations. The whole approach just seems so clean and sensible, and demonstrates the distinctions amongst risk terms which sometimes get lost in our daily language.

Now added to my IT Risk collection on Scribd, thanks to Gary Hinson for removing the copyright protection.

Monday, May 24, 2010

Security Bloggers Network under attack?

Update: This is a hoax mail leading to a rogue site, so please don't click it. Check out the Lijit blog for details (via Alan).

Just got this from Lijit, the hosting firm for SBN


Tuesday, May 18, 2010

Two universities rethink Gmail migration plans

The University of California at Davis (UCD) and Yale University were considering moving their email systems onto Gmail, but both have put those plans on hold for the moment. The CIO of UCD, Peter Siegel, said that he was not prepared to risk the security or privacy of the school’s 30,000 faculty and staff.

Yale has delayed a more general migration to Google apps, including Gmail, citing security and privacy concerns over cloud-based management of their data. Michael Fischer, a computing professor, said that
Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company’s ability to recover lost information — but that also makes the data subject to the vagaries of foreign laws and governments, Fischer said. He added that Google was not willing to provide ITS with a list of countries to which the University’s data could be sent, but only a list of about 15 countries to which the data would not be sent.
So there is a concern that the personal data of students and faculty is being stored outside US jurisdictions. However, neither UCD nor Yale ruled out migrating to Google cloud applications once there was adequate transparency about the protection of the data.

Saturday, May 15, 2010

Great Security white papers and briefs from Damballa

Security provider Damballa has a great collection of white papers and briefs for download. I have listed a few below, most of which have already been uploaded to Scribd.
Also don’t forget the recommendation I made on the technical overview at Compass Security, a Swiss company, about a year ago.

6 Hot And Sought-After IT Security Skills

Dark Reading has reported a short list of desirable skills in IT Security, partly because the “IT security job market is booming”. Apparently you’re quite marketable (particularly in the US) if your resume includes
  1. Incident-handling/response
  2. Compliance know-how
  3. Risk management
  4. Business acumen
  5. Government security clearance
  6. Leadership experience
Frankly, I think if you had a sufficient quantity of skill number 4 you would not be in IT Security.

Thursday, May 13, 2010

The Swan Song of Mark Curphey

About two months ago Mark Curphey (Security Buddha), in a confessional post, informed us all of his intentions to move on from IT Security, and reinvent himself 2.0-style into web technology, agile development, social software and user experience. He gave his reasons for moving on as follows
For the last few years I have grown increasingly disillusioned with the security industry to the point where after nearly two years of thinking and talking about it I have decided that it’s time for me to move on. There is a long list of frustrations and I have seriously thought about a last detailed shot over the bow with some home truths as I see them. The reality is it will probably not be productive. I had commentary about the security circus and the clowns, ring masters and performance artists that play in the big top; commentary about the lack of genuine computer science that finds its way into security; commentary about the lack of business science that is being adopted (why aren’t security people obsessed by Freakonomics?); commentary about the sad fact that for the most part we are still doing “the same old shit” 15 years after I first started (the definition of insanity is to do the same thing twice and expect a different result); commentary about the farce of PCI (and related standards) and people caring about trivial issues (easy to understand and sensationalist in nature) when looming holes that could have major impacts go unnoticed … I could go on. People thinking they need “purple dinosaur” features in their security software because some marketing spin says so and commentary about the sheer FUD being pumped out by the marketeers. I have watched an industry spin out of control largely paying lip service to the term risk and watched sectors of it become largely irrelevant outside of their own self-fulfilling set of prophesies. When things go right no one notices (at least outside of security) and when things go wrong everyone points fingers. That’s a tough place to be impactful and remain positive.
A tough place to be impactful and remain positive. Mark’s new blog is here, and he still seems to have a few comments to make on security yet.

Friday, February 26, 2010

A Short Security Manifesto

From the Falcon's View

Stop talking about traditional "risk management" as some sort of magical rubric or panacea.
Start talking about threat modeling and legal defensibility.

Stop using ad hoc approaches to security architecture and solutions.
Start adopting a holistic, systemic ISMS-like approach.

Stop delegating ownership of security to IT or other non-business leadership.
Start requiring execs and the board to directly own and be responsible for security.

Stop relying on shortcuts to survive audits.
Start demonstrating actual due diligence by adopting a reasonable standard of care.

Stop looking for ROI to "justify" security.
Start thinking of security as a business enabler that facilitates better decisions and helps protect the business during both the good and the bad times.

Thursday, February 18, 2010

How to write an Information Security Policy

Nice 9-page advice from the UK Department of Trade and Industry.


Thursday, December 17, 2009

Recent Uploads to Scribd, Dec 17

Here are my recent document uploads to Scribd

Sunday, November 22, 2009

FUDgeddaboudit

I first came across the term fuhgeddaboudit in writing while reading The Black Swan, where Taleb was answering the question as to whether journalists can be relied on to unearth all of the silent evidence on a given topic - fuhgeddaboudit! The term is short for “forget about it”, popularized in US gangster media such as the Sopranos, which Google defines as

  • An issue is not worth the time, energy, mental effort, or emotional resources
  • Whatever the current topic of discussion may be, regardless of who has stated it (even the speaker) is thereby declared null and void and without merit

Both of these sentiments were called forth when I read the recent post from Anton Chuvakin on FUD-based security. Anton was reminding us that FUD is alive and well in IT Security, and actually it has nowhere to go but up in terms of mindshare since more sophisticated methods, such as ROSI, have nowhere to go but down.

Even though FUD is a blunt instrument, Anton argues that it is very effective when it comes to getting things done: it allows real issues to be brought to the table and limits reliance on decision makers to do the right thing (which they often don’t). He even jokes that FUD is a more pragmatic triad for security than the venerated CIA.

The whole post was ethically stomped on by RThomas (Russell Thomas) from the New School of Information Security blog (NSOIS) who stated in a comment that

FUD is the distorted and irrational exaggeration of fears and uncertainties for the sole purpose of manipulating the decision-maker.

The term "FUD" originated in the 1970s regarding IBM's selling tactics against competitors. The FUD technique was used to destabilize the decision-maker's thinking process regarding potentially viable alternatives. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. "Nobody ever got fired for buying IBM" was one famous phrase embodying the effects of FUD …

There are substantial reasons for framing risks in a way that goes beyond simple statement of facts and statistics, namely to deal with the psychology of risk. The ethical security or risk professional will take pains to present scenarios that are feared in a way that the decision-maker can understand and, most important, to see those scenarios in perspective relative to other possibilities and probabilities.

and Russ further drove home his point in an additional post over at the NSOIS, concluding that

Security is always a secondary objective to some other (upside) enterprise objectives. Security investments are always subject to evaluation relative to other investment alternatives, both inside and outside of IT. These are the realities of enterprise performance and leadership. Some security people may stomp their feet in protest, or resort to unethical tactics like FUD, but don’t delude yourself that you are making the world (or the enterprise) a better place.

This is the same sentiment that I addressed in my post The Relegation of Security to NFR Status. NFR stands for non-functional requirement and includes things like ensuring that there is sufficient network capacity, that the servers are adequately sized for peak loads, that help desk support is created, that back-up and recovery is deployed, that the web interface is friendly, and so on. FUD is not really IT Security’s opportunity to get some skin back in the functional (i.e. business) requirements game, as we will still look like uninvited gate crashers at best, and bullies at worst.

At the recent CSI meeting in Washington, as reported by Dark Reading, with my take here in Security Muggles, several CSOs opined that we need better communication with business people on their terms so that security people earn a seat at the decision-making table. They want to do more RSVP-ing than crashing.

Wade Baker over on the Verizon blog recently asked how people make security decisions, beginning from the frank assumption that

In most cases, it is impossible to precisely formulate all factors in the decision, so we abandon the “scientific” route and revert to some other method of making it (see below). This is where our predominantly engineering mindset hurts us. Instead, we should realize that organizations have always made decisions using varying amounts of information of varying quality. Our dilemma is not new. Valid and vetted approaches exist for structured decision problems with an abundance of precise data and also for unstructured problems with sparse amounts of “fuzzy” data. These approaches are out there and are eagerly waiting for us to apply them to problems in our domain.

FUD can be seen as a response to this reality, but not a very structured response, and one that ignores the methods and techniques developed in other fields for coping with decisions under uncertainty. Wade also ran a little survey on the approaches that security people use for decision-making and he received just over 100 responses. You can read his summary of the response here, and his summary graph is below.


Even given the small sample size it seems that some people are opting away from FUD, far away in fact. I don’t think IT Security as a profession, or any profession (except maybe politics), has a long run future based on FUD since you don’t need much technical skill or experience to pursue this approach, and there are probably plenty of people for hire to carry out such campaigns who are not particularly well-qualified in security.

So ethical considerations aside, I have never considered FUD a long term strategy. Its persistence I imagine can be attributed largely to regular changes in the ranks of security decision makers, and a mind-numbing churn in technology and the IT sector as a whole. The same “new fears” are being presented to new people, as FUD has gone into heavy syndication in the IT Security industry and it’s always showing in re-runs somewhere. Put your time and energy somewhere else.

In short, fuhgeddaboudit!

Thursday, November 19, 2009

Not so sunny for Whit Diffie

Renowned cryptographer Whitfield Diffie has apparently left his position as chief security officer at Sun, according to a recent article at the MIT Technology Review, who were interviewing Diffie on the security of cloud computing. The Register speculates over the reasons for Diffie’s departure from Sun after 18 years of service, suggesting that Oracle “is a company known for making its dollars count rather than indulging meta thinking”. Diffie is currently a visiting professor at Royal Holloway, University of London, which runs perhaps the most respected IT Security graduate program in Europe, while also maintaining an excellent group of researchers.

And what are Diffie’s thoughts on cloud computing? His first statement is quite telling:

The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn't apply if we were flying our own planes. On the other hand, it is so much more economical that we don't realistically have any alternative.

Cloud computing turns our conventional security assumptions inside out, but Diffie, like others, sees the economic sense, if not the economic certainty. A recent brief on cloud computing by the Economist could spare no more than a few sentences to discuss the security risks. The large economic wheels are turning inexorably toward adoption. Diffie goes on to say that

The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it's more cost effective for you to outsource the computation.

At the moment companies face an unsatisfying choice: either encrypt data for secure storage in the cloud, forgoing the benefits of cloud computations, or leave it in the clear for maximum computational utility but with a risk of loss or exposure. Diffie mentioned a third alternative, computing with encrypted data, but at present this alternative is not viable. I assume he is referring to the recent encryption breakthrough by Craig Gentry of IBM which could be used to perform searches on encrypted data, albeit 1 trillion times more slowly than Google does today.

In the short term (and maybe the longer term as well) Diffie sees the cloud as a matter of trust. He advises to pick your supplier like you pick your accountant.

Wednesday, November 18, 2009

mini-Bruce for $89


You can now order an action figure of Bruce Schneier for $89, already down from $100 earlier in the week.

From the supplier

"Get an action figure of Bruce Schneier a.k.a. CryptoMan! Buy Bruce's lifelike head mounted on a 12'' action figure body with pre-fitted clothes.

This package includes Bruce Schneier's custom action figure head mounted on a matching DiD or Dragon action figure body with a choice of 2 different clothing styles. You can also buy Bruce Schneier's head on its own and fit it onto your own figurines."

Bruce's take is here.

Monday, November 9, 2009

Security Muggles

The question of “How secure are we?”, essentially a perennial security conundrum, was on the agenda of the recent CSI meeting in Washington, as reported by Dark Reading. What was on offer from a collection of senior security professionals was advice – and perhaps this is the best that can be expected. Christopher Michael, director of information assurance at defence contractor BAE Systems, went as far as saying that security status can’t be measured, yet security professionals are obliged to measure it. So what is to be done? The article has a few ideas which, as presented, don’t flow together particularly well, but some interesting points were made.

The first is that security people are predisposed to detail, accuracy and correctness. Donald Knuth, the famous computer scientist, has stated that the reason programming is so hard, and therefore so interesting to excel at, is that as a discipline it does not admit approximations – everything must be exact and correct – the processor will not interpret your intentions, only execute your commands. And while the traits of detail, accuracy and correctness are necessary for IT activities, they are fundamentally at odds with the type of messages and opinions that senior managers are expecting. Detail, accuracy and correctness can be sacrificed to an extent for the benefits of conciseness, meaning and actionable recommendations. They don’t want to hear about packets, firewall rules or buffer overflows.

I have a soft spot for threat modelling, and appreciate the detail and insights it uncovers, but I often wonder how far up the managerial chain this type of analysis in its raw form can be propagated. Sooner or later you will reach a managerial layer populated by security muggles who will require (or demand) less complicated analyses.

Bill Mann, senior vice president of security product strategy at CA, remarked that “these guys [the muggles] think in spreadsheets”, which is the same sentiment I expressed in Does IT Security Matter? - “Excel is your new best friend - make your spreadsheets work with their (business) spreadsheets”. You perhaps need not take this Excel advice literally but at least think of Excel as the underlying business platform for marshalling data, numbers and money towards business cases. Security, or any other activity, needs to figure prominently in this space to be taken seriously – or at least to get a serious hearing.

This is the same point that Marcus Ranum raised not too long ago, about security people, and their arguments (often objections) being over-ruled by more business-savvy types. We perhaps need to develop skills in one-way hash arguments

Often business has the “snappy intuitively appealing arguments without obvious problems” - plus Excel - while if the security practitioner objects, then by contrast, the “rebuttal may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point (i.e. business case) is wrong”. Snappy and plausible usually wins out over lengthy, detailed and correct. There is asymmetry at work here, a “one way hash” argument, and security people have ended up with the hard inversion problem.

In Some Black Swans in IT Security I argued that the most pernicious problem facing IT Security today is this:

We have called this Black Swan "Good Enough Security" but we may also have chosen risk-based security, the transition from risk to assurance, the diminishing returns of security, or knowing your security posture. Managers and other stakeholders want to know that their IT assets are adequately protected, and it is up to the IT Security person to define that level of adequacy and provide assurance that it is reached and maintained. Most security people are woefully ill-equipped to define and deliver such assurance in convincing business or managerial language.

It is not so much that we must deal with security muggles but rather IT Security people are seen as business muggles.

Sunday, October 11, 2009

Focus on securing business processes not the process of securing

The title comes from a list of conclusions I gave at a presentation called Does IT Security Matter? just before Christmas in 2007. The wonderful thing about the writing process is that every now and again you hit upon a pithy phrase like that which communicates so much. But it's like mining for gold - you have to move a lot of earth to find the nuggets.

The full presentation is available on Scribd as shown below. There have been about 1200 reads and 240 downloads. Re-reading it now, the presentation could do with an update, however the core messages are still valid. My main conclusions were
  • There is a dependency between IT and IT Security but not a strategic relation
  • IT and IT Security are good neighbours but not good friends
  • IT Security is one area competing for attention and funding, amongst many
  • If you don’t make IT security matter, it won’t
  • Focus on securing business processes not the process of securing
  • Excel is your new best friend - make your spreadsheets work with their (business) spreadsheets

Does IT Security Matter?

The Size of our Security World

I was sent a link from StumbleUpon that referred to a post which showed the relative sizes of planets in our solar system, then compared them to our Sun, and moved on to comparisons with much larger stars. Surprisingly much larger, in fact: in the final screen-size graphic our Sun is represented as a single pixel compared to Antares, a red supergiant star in the Milky Way. My 15-year-old daughter was impressed by this, and if you have a 15-year-old, then you can appreciate what a momentous achievement this is.

I started out my post-university life working in cryptography, then I spent a long time in IT Security, then IT Risk and most recently in Enterprise Risk Management (ERM). When I look back at crypto now it seems of similar consequence to the proportions of the Sun and Antares - not merely because my professional interests have changed, but in the vast equation that constitutes ERM, crypto is a variable with minor weighting. Its gravitational force is largely exerted on specialists, and rapidly declines (much faster than the inverse square law) beyond that sphere. It's just a pixel on the football-field sized collage of ERM.


Sunday, September 20, 2009

My Top 10 Security and Risk Uploads to Scribd

I have been reading and uploading to Scribd for several years now. It is really a vast source of documents, and it seems that it has been a victim of its own popularity, since now so many varied and inconsequential documents are finding their way to the site. The search function is not quite as effective as it was, and, as has always been true, the site itself is quite slow.

Over the last couple of years I have slowly uploaded just over 40 documents and presentations, mostly in the area of security and risks. For the last few months I have been getting just over 100 hits per day, and about 12 downloads per day. The total number of hits is now getting close to 20,000, and will reach that mark in the next week. Here is a list of the top 10 visited documents that I have uploaded – the number of reads is in parentheses, and documents in bold type are written by me

  1. A Data Centric Security Model (1529)

  2. ISACA Risk Framework (1498)

  3. How much is enough? A Risk Management Approach to Computer Security (1290)

  4. Does IT Security Matter? (1127)

  5. Entropy Bounds for Traffic Confirmation (886)

  6. Risk Analysis of Power Station survival of Cyber (712)

  7. Password Authentication on Mac OS X from Dave Dribin (704)

  8. An analysis of the Linux Random Number Generator (702)

  9. The Core Components of the Entrust PKI v5 (677)

  10. Canadian Government 1999 Threat and Risk Assessment Guide (628)

Tuesday, September 15, 2009

Thoughts on the Cult of Schneier

Earlier in the year John Viega wrote a short opinion article called The Cult of Schneier, referring to the near-religious following that Bruce Schneier has acquired over his long and successful career in IT Security, and the biblical authority that the Applied Cryptography book has attained. Viega's main issue with the book as it currently stands is that "It's fine and fun to read it, just don't build from it".

I think that Applied Cryptography was a very well-crafted book. It contains an excellent mix of mathematics, exposition, security intrigue and executable code. However for me, and a few other cryptographers I know, the Handbook of Applied Cryptography is the best source of general cryptography information. The book does not enjoy anywhere near the same general recognition as Applied Cryptography, seemingly because it is viewed as a "math book" - correct, factual, thorough and therefore unappealing to a wide audience, as most technical books are. In short it lacks the narrative woven into Applied Cryptography. On the other hand, no one would really confuse the Handbook with a solution manual for designing and implementing secure systems.

Earlier in the year I made a post on Some Black Swans in IT Security, and I listed Bruce as an unexpected phenomenon in the following way

Bruce Schneier is the best known security authority in the world. His blog has hundreds of thousands of readers, his posts can yield hundreds of comments, and his books are bestsellers. His opinions hold sway over both technical people and executives, as well as all the layers in between. He is the Oprah of security - a public figure and a leading opinion maker. The Black Swan aspect of Mr. Schneier is that he has achieved this status through excellent communication (and yes cunning publicity as well) rather than technical prowess. Of course he has technical prowess but that is rather common in security and cryptography. What is uncommon, or even uncanny, is the ability to explain security in terms that can be understood by non-specialists whether it be programmers, professionals, managers or executives. Bruce has literally written himself into the modern history books of security. He has shown, once again, that communication is king - the security explanation is mightier than the security deed.

I don’t really think that there is a cult in operation over Bruce Schneier, but rather a hero was found when security as an industry needed to believe in heroes.