Today’s blog post has been kicking around in the recesses of my mind for a while.  I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice.  It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have: customized, designer malware.   Some industries and security practitioners are much more familiar with this particular family of malicious code and content than are others.   Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family, but for the majority I have to believe that it is still largely the stuff of myth and folklore.   When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic.  It’s a simple value proposition for the attacker:

  1. Study your target(s)
  2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
  3. Study and evaluate targets of opportunity – technical and non-technical
  4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
  5. Engage and begin insertion within the target environment
  6. Locate, identify and observe targets of interest, paying special attention to the people, process and technologies put in place to protect the targets
  7. Assess opportunity cost
  8. Engage in compromise
  9. Secure targeted object of mission
  10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next generation telecommunications handheld for example)
  11. Secure the target
  12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question

Sounds complex, perhaps even a bit fanciful or fictitious but rest assured dear reader it is anything other than fictitious.  Methodologies of this sort and other similarly enacted methodologies are utilized often within operations that focus on the use of customized and designer malware targeted at an organization or a specific individual within that organization for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.

As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist.  In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.

So how do we begin fighting these threats?  We begin very much in the same way in which we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance.   Many times the attacks and compromises which fall into the family of customized, designer malware leverage, as a basis, technologies which are well known and documented.  Rootkits, backdoors, and Trojans amongst others have been noted effectively in these scenarios, as have been various and sundry examples of ransomware.   I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges.   These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape, which at times are denounced as being fiction (e.g. if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT – this is rubbish).  Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale much grander than had ever previously been considered.

One of my favorite parts of penetration testing is and always has been social engineering.   I love it.  In fact, I love it so much that I developed a real passion for it.  My passion led well beyond traditional social engineering and evolved into the study and practice of more sophisticated techniques associated with socio-psychological manipulation.  It is a gift of sorts, and who am I to question a gift?   When speaking with prospective or current clients with respect to security assessments I have often implored them to include both physical security analysis and social engineering.   This habit was formed upon entry into the world of professional security consulting, where I sharpened these skills under the tutelage of many senior to me in both age and experience.   Almost all of my earliest mentors in this space were or had been active in the United States DoD or like intelligence services, most of whom shared a common pedigree not unlike my own, hailing from the world of information security and intelligence.   These environments taught us to remain vigilant and open to the idea that the unexpected should be expected; therefore our ability to address anomalous events must remain categorically strong.

Over the years, within many engagements, activities of this nature were written into SoWs (Statements of Work for the lay person), and acted upon with full approval of parties both able to authorize such activity within and against their organizations and their legal representation (a detail I cannot stress enough and that should not be overlooked).  We would engage in reconnaissance carefully, leveraging skills we had cultivated in our former lives and applying them to the commercial world.  We would engage in deep open source intelligence gathering and analysis in order to supplement our knowledge base regarding our target(s).  We would become familiar with the physical environment in which our targets could and would likely be found.  These locations would range from their places of business, to local restaurants and pubs, to local shopping districts, to other geographic locales that we knew to be frequented by parties belonging to the organization, our target, in question.  All the while we would be looking for ingress and egress points in addition to ideal areas for initial contact and exploitation.   We would additionally identify areas in which useful information may or may not be discarded by targets that truly believed no one would be interested (ah, how I loved dumpster diving in my youth!).  Finally, upon having enough information, we would begin our careful insertion and infiltration.   There is an art to doing this as much as there is a science and at times the art becomes (or at least in my experience became) much more valuable.

These exercises almost always proved fruitful, as they would typically be multi-faceted, involving multiple small teams, each of which was cognizant of the others’ activities but all tasked with different missions within the greater assessment.  Some teams focused more upon the physical compromise of the environment and the acquisition of credentials and knowledge which could be socially engineered or stolen and thus counterfeited to serve our purposes in pushing deeper into the environment, escalating our mission per our SoW and charter.  Others would work on compromising individuals, seeking to gain their trust and subsequently their knowledge and any information considered noteworthy.  Others still would work on electronic and social engineering utilizing e-mail, web and telephonic techniques, all designed to gain the trust of our targets or members of our target organizations in the hopes of escalating our privileges and advancing our efforts.   This was good work.  It was important work.  And it was work that not all are capable of nor designed for.   To the layperson reading this post I imagine it sounds outrageous, if not frightening, that work of this nature goes on and is conducted by security professionals in an effort to test and assess the security posture of a client, and to a degree I can understand that attitude.   However, this work is terribly important and often demonstrates weaknesses not previously accounted for within enterprise environments (public or private) during traditional security assessments and audits.

At this point you may be wondering whether or not there is merit in engaging a qualified team to provide this type of service in addition to the traditional services brought to the table as part of a security assessment.   My personal perspective is that if you have overt responsibility for the risk posture of an organization and understand that security, or the state of being secure, is contingent upon the three legs of the security stool (people, process and technology) being dutifully tested and exercised, you most assuredly should do so.   Failure to do so can expose you and your organization to a world of risk which complying mindlessly with a three-lettered data security standard or a mutagenic health-privacy act cannot hope to save you from.   So what are we to do?   First, if you haven’t already done so, conduct a meticulous review and analysis of your organizational information and physical security policies.   If you don’t have any, now is the time to remedy this deficiency.   Should you (as I imagine most do, but will refrain from assuming) have these policies on hand, review them while employing a healthy dose of third party ego: remove yourself from the immediate, intimate involvement with them as they relate to your job and evaluate them as though you were brought in to do so as a third party.  Do they look mature?   Are they clearly articulated and well defined?   Are they comprehensive?   Do they address the natural bridges that occur between physical and logical security?   Provided you have the resources, engage them to conduct preliminary assessments (provided they are qualified to do so), and if they are found to be lacking in the ability, do not hesitate to contact professionals with the appropriate pedigree, background and reputation to speak to about scoping a statement of work on your behalf.
Remember that not every attack of a truly serious nature takes place across a wire and that many begin and end with a simple telephone call, a conversation around a smoking area or via a new hire.

By nature, I am an empiricist; it is who I am and it works for me based on my bent toward analytics and multi-faceted (at times onerous) levels of thought and pontification.   I am unapologetic about the way I approach things; it is simply who I am.   Having said that, I recognize that I am not – nor is my way of approaching things – universally embraced or right for everyone.   To assert otherwise would be intellectually dishonest.   I am particularly intrigued by (and spend a lot of time reading and studying) determinism and randomness theory and philosophy.   For many of us, life is as simple as asking the question which the quintessential Canadian thinking man’s band Rush asked on its 1991 album Roll The Bones: “why are we here, because we’re here, roll the bones”; while for others the question of why, and perhaps more importantly the answer, is not so simple.  I fall into the latter camp.

I am a student of empiricism; I am a stalwart advocate of critical thinking and reasoning, especially when it deals with philosophical schools of thought such as determinism vs. randomness and how they interact within the world in which I professionally live and work.   These ideas are not new.  In fact they are quite old.   They are in many respects extremely old and, as a result of their vintage, they have been and remain the subject of great debate.   Authors and thinkers such as Nassim Nicholas Taleb, who wrote two of my favorite books on the subject, Fooled by Randomness and The Black Swan: The Impact of the Highly Improbable, go to great lengths to explain these concepts along with their impact on causality.    So too did David Hume, the famed Scottish philosopher, along with Karl Popper and Colin Howson.   Needless to say there is a long and strong tradition of examining deterministic vs. random philosophy as it relates to probability.   The concepts are as old as time itself; as long as mankind has had the ability to reason he has struggled with whether events occur due to deterministic causes (or more appropriately because of events which exist and influence other events, thus arriving at the cause for a current event), or due to sheer randomness.  We are no different than our predecessors in this respect.   We seek knowledge with respect to the origins of things and events in addition to what their existence will mean to us as we move forward.   This desire to know unequivocally what influences outcomes and the probability of those outcomes is central to the theme of our existence.  As a result, it infiltrates (if we are paying attention) all aspects of our lives from the most complex to the least.   We find ourselves asking why certain things occur at the time and place that they did, and to what end.
I happened to be in New York City last weekend making my way to LaGuardia Airport via the Holland Tunnel at the height of the melee that was underway surrounding the car bomb discovered in Times Square.   Needless to say, traffic through the Holland Tunnel was less than forgiving, nor was the traffic we encountered on the way to Queens any better as a result.    On the trip into the city news commentators could be heard speculating with respect to the cause of this event.   Why would a young, respected naturalized American citizen (Faisal Shahzad) find it acceptable to place a makeshift bomb in Times Square?  What was his reasoning?  His goal?   His message?   Who was behind the activity and what might be the logical extension seen as a result of this event? All valid questions.   All seeking validation with respect to understanding whether or not the causality associated with these questions and the event in question (not to mention the young man) was in fact deterministic in origin or random.  We know that it was in fact not random based on evidence that had been collected, and authorities are continuing to investigate the events that led to this event and ultimately influenced it from the perspective of cause.  We humans tend to do this with all manner of things ranging from the serious to the trivial.

With respect to information security, or security in general, I believe we do so more often than people realize.  Security, or being secure, is in many respects dependent upon being able to detect, identify and observe causality.  In being able to accomplish these three things, we are better positioned to account and prepare for the unknown.  If you stop to think about that for a moment it should become quite clear that the act of securing anything – home, car, host, server, network, people – requires the acknowledgment of historic reasoning (in both deterministic philosophy and randomness), while at the same time the acknowledgment of the unknown.

We see this often within the friendly confines of our industry.  Take for example the following:  An organization is instructed by a governing body that in order to achieve a state of conformity with its governing body the organization in question must meet and demonstrate achievement of x number of criteria.   Failure to do so will result in negative ratings that may or may not result in fines and / or the inability to conduct business transactions.   The governing body assumes that arriving at a state found to be in alignment with its standards will discount and eliminate (due to deterministic causality), any potential for randomness to manifest, thus negating the possibility.   But what if their assumption is wrong?   What if the data which they have assumed to be whole and comprehensive is not so?

I fear that this is more common than not within our space due to a lack of due diligence and a lack of grasp of historical accuracy with forensic-like precision.

Here’s another example:

A software-publishing house develops an application for quick processing of financial transactions.  It is seen as being mission critical to the organizations that purchase it, looking to capitalize on any edge they can to beat their competitors to the market.   Speed in this case is very good.   The software publishers, realizing the importance and value of the application to their clientele, decide to expeditiously develop and push the code to market, rushing through all quality assurance (QA) and beta testing in order to beat the deadlines set by the executive teams and realize the greatest degree of revenue possible.  The developers run through the exercise of whiteboarding the data flow and block diagrams, technical requirement documentation, marketing requirement documents and product roadmap documents.     From there the code is pushed through the QA gauntlet at light speed and rushed into the beta testing customer environments.   Initial results are noted and brought back to product management and engineering, who then wrestle with addressing the issues in a timely fashion in order to stay within budget (both financial and time budgets), while not missing their window of opportunity within the market space.   The code is run through QA again, and pushed for GA candidacy.

But there is a fly in the ointment.   Some young (or not so young), perhaps charismatic (or at the very least quirky) individual is asked to look at the code or application as part of an audit and assessment and finds that, lo and behold, it is vulnerable to an abundance of potential threats, all of which can be exploited in a trivial manner.  At the same time this assessment is occurring, the code and its publishers are reaping great successes and accolades.  The code, now a fully baked financial suite, is swiftly on its way to becoming one of the most popular suites of its kind in 21st century business; yet it is as vulnerable to exploitation as a runaway at a Port Authority bus station.  While our young or not so young assessor of questionable charismatic quality is reviewing the code, carefully noting the deficiencies and potential for complete exploitation, reports begin trickling in to our software publisher that exploitative events have begun.  Worse yet, they were events that were not accounted for during initial or secondary quality assurance testing and thus perceived as being random.   We know however that randomness is simply the failure to take note of events that feed into causality, which therefore can be interpreted as a failure in paying attention to detail.   Perhaps one of the gravest mistakes anyone can make, yet all too common within our world and history, let alone our industry.  So what are we to do about this?   How can we, as professionals, convey a sense of urgency that supersedes and avoids a “chicken little” like knee-jerk response to events we encounter?  This is easier said than done, especially in a world where information travels at the speed of light.   I believe that in order to achieve the proper perspective we need to encourage the following:

This is by no means a trivial event; nor has it ever been an easy proposition.   The ability to interpret historical events and data — even when they appear to be disparate and unrelated is paramount to achieving the goal of comprehensive deterministic understanding.  In short this allows us to avoid via scientific means the pitfalls associated with randomness and its associated theories.   In order that we may achieve this the ability to reflect upon our data sets and circumstance all while applying observing ego is of paramount importance.

04.22.2010

Full Disclosure – I am a former McAfee employee, and currently draw a paycheck from a McAfee partner.  The following are clearly my own thoughts and do not represent McAfee, my current/former employer(s) or anyone else.

Having been in the IT security industry for at least a decade, I have come to two key realizations:

1.)  The IT security industry, as it relates to vendors selling products is largely based on FUD (fear, uncertainty, doubt), and

2.) Antivirus in almost no significant way equals comprehensive security

As many across the interwebs have already brought to light, McAfee had a very public snafu with one of their DAT updates (DAT 5958).  Here is a mildly humorous link from Engadget’s site. To be clear, the point of this post is not to say the antivirus market is poor or is dead, or that McAfee has substandard products or solutions (usually the contrary), but that mistakes like this hurt not just one vendor or end customer; the entire industry at large suffers.

That last part is an important point, especially in the case of endpoint security. Mistakes happen.  QA processes are not perfect, and vendors are trying to cut costs at every turn to increase profitability, so these things happen.  In this specific case, if you were running VirusScan Enterprise with default settings, you were a bit better off than those who enabled “scan process by enable” or ran an on-demand scan with the 5958 DAT and scanned svchost.exe, as the SVP of McAfee Support mentions in his blog post.

I see this with a lot of security practitioners: they turn on non-default options and get burned.  Again, not picking on McAfee, but they also had a recent issue in their Patch 3 release of VirusScan Enterprise 8.7i when you enable “Prevent Windows Process Spoofing” (also an option that is disabled by default).  This does not affect you if you don’t start turning on options you don’t fully understand.  So, if you are responsible for endpoint security, a few simple tips:

1.) Have an IT test environment in place.  Like Noah’s Ark, have representative systems (hardware, OS levels and apps installed) to test on before you deploy.  Many large enterprises wait 12-24 hours before rolling out DATs, and those who did were largely unaffected by this issue.  Vendors like to throw around FUD here and push people to deploy reactive DAT coverage, and in few instances does security supersede system availability.

2.) Stick with the default options unless you are ready to accept the consequences – if you left the default options in place, neither of these two recent McAfee issues would have affected you.  Quit turning knobs when you don’t fully understand what they do.  A lot of us in IT assume instead of “trust but verify”.

3.) On-Demand scans are of minimal help on end workstations.  AV scanning, especially on a scheduled basis is reactive.  You already have malcode.  Use realtime protection/on-access scanning, whatever.  Save the scheduled reactive scanning for your file servers, SharePoint, and other file and data repositories.

4.) Antivirus is not total security, it is only one countermeasure.  And, most importantly it is a reactive countermeasure at that.  Regardless of what spin vendors put on it (heuristics, sandboxing, lookups in the cloud, etc.) by its very nature it is a reactive countermeasure.  Implement more/better countermeasures, which leads me to …

5.) Complement endpoint security with more than just desktop and network firewalls.  If you don’t use Host-based Intrusion Prevention on your laptops and critical systems, you probably should.  There is a big difference between detecting malicious code or signature viruses and stopping malicious traffic, and there is way more to it than blocking a port or protocol.
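As an added illustration of tips 1 and 2 (my own example, not McAfee code or tooling), the gate below holds a new DAT in a canary ring of representative test systems for a soak period and refuses promotion when a canary reports a detection on a core OS binary or when a production policy profile has no canary at all. DAT numbers, timestamps, hostnames, policy names and detections are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Core Windows binaries a DAT must never quarantine. A detection here on a
# clean canary is treated as a false positive that would take hosts down,
# which is exactly the failure mode a soak period exists to catch.
PROTECTED_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


@dataclass
class CanaryReport:
    host: str
    dat: int
    policy: str                      # policy profile the canary runs (constructed names)
    scanned_at: datetime
    detections: list = field(default_factory=list)   # file names the DAT flagged


@dataclass
class Decision:
    promote: bool
    reason: str


def evaluate_dat(dat, released_at, reports, now, production_policies,
                 min_soak=timedelta(hours=24)):
    """Decide whether DAT `dat` may leave the canary ring for production."""
    elapsed = now - released_at
    if elapsed < min_soak:
        return Decision(False, f"DAT {dat} still soaking; {min_soak - elapsed} remaining")

    # Only canary results produced after this DAT was released count.
    relevant = [r for r in reports if r.dat == dat and r.scanned_at >= released_at]

    # Noah's Ark: every policy profile used in production needs a canary.
    covered = {r.policy for r in relevant}
    missing = sorted(production_policies - covered)
    if missing:
        return Decision(False, f"DAT {dat} has no canary for policies: {', '.join(missing)}")

    # Any hit on a protected binary blocks promotion regardless of other results.
    bad = [(r.host, f) for r in relevant
           for f in r.detections if f.lower() in PROTECTED_BINARIES]
    if bad:
        hits = "; ".join(f"{host}:{name}" for host, name in bad)
        return Decision(False, f"DAT {dat} flagged protected binaries on canaries: {hits}")

    return Decision(True, f"DAT {dat} cleared {len(relevant)} canaries across {len(covered)} policies")


def demo():
    """Run the gate over constructed canary data for two sample DATs."""
    released_5958 = datetime(2010, 4, 21, 14, 0)          # constructed release time
    released_5959 = released_5958 + timedelta(hours=12)   # constructed follow-up DAT
    policies = {"default", "servers"}
    reports = [
        # Canary on defaults quarantines svchost.exe under the bad DAT.
        CanaryReport("ws-canary-01", 5958, "default", released_5958 + timedelta(hours=2), ["svchost.exe"]),
        CanaryReport("srv-canary-01", 5958, "servers", released_5958 + timedelta(hours=3)),
        # Follow-up DAT is clean on both profiles.
        CanaryReport("ws-canary-01", 5959, "default", released_5958 + timedelta(hours=20)),
        CanaryReport("srv-canary-01", 5959, "servers", released_5958 + timedelta(hours=21)),
    ]
    now = released_5958 + timedelta(hours=40)
    return {
        "too_early": evaluate_dat(5958, released_5958, reports, released_5958 + timedelta(hours=6), policies),
        "false_positive": evaluate_dat(5958, released_5958, reports, now, policies),
        "clean": evaluate_dat(5959, released_5959, reports, now, policies),
        # A third production profile with no canary must block promotion.
        "no_coverage": evaluate_dat(5959, released_5959, reports, now, policies | {"kiosks"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} promote={decision.promote}  {decision.reason}")
```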

The point of this is not to unleash a hit piece on a specific vendor or technology, but to make sure practitioners frame the security tools and countermeasures in the appropriate context.  AV won’t save you from malicious traffic for the most part, or from a targeted attack.  Just like network security is not the answer to all of your security issues.  The answer is an honest assessment of your countermeasures and their configurations, and if that maps to an acceptable level of protection versus risk.  Sounds so simple, yet the devil’s in the details.

Introduction:  Changing the Paradigm

Lately, cyber-crime legislation seems to be in vogue.  The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), and the International Cybercrime Reporting and Cooperation Act, introduced by Senators Gillibrand and Hatch, as well as some serious talk in the European Union of creating a treaty to address cyber criminal activity, have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective, or worse, detrimental.  We should all be able to agree (based on solid research and evidence) that cybercrime exists, and that, as the Internet knows no legal or national boundaries, it impacts us all, whether we find ourselves in the Americas, the Asia-Pacific Rim, or in any number of European, Middle Eastern or African nations.

However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at a succinct way in which to address, investigate, and prosecute it on a global level.  As such, the need for a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is served without bias, is greater now than ever before in human history.  Legislation drafted in a vacuum – regardless of the intentions of those parties responsible for its drafting and creation – will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals.  A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved in activities deemed ‘criminal’, while deterring those considering involvement from getting involved in the first place.

A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals

The first premise of this treatise I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc.   It involves basing the international cybercrime laws I’m referring to above on the RICO statutes of the United States of America.  The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as the RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization.  It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. § 1961–1968.

Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia known colloquially as La Cosa Nostra.  Its use has been realized beyond its initial purpose and continues to be used creatively by law enforcement in prosecuting others who were actively engaged in organized criminal activity.  As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even outdated, prosecutorial tactics.  Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, thus enabling it to truly meet the needs of the Internet-dependent global economy.  RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities.  People like Albert Gonzalez, who was recently convicted for his instrumental role in the TJX data theft – a theft culminating in excess of 44 million credit cards – could have been stopped while in their planning stages.  Legislation such as the type being described here might very well have prevented some other crimes, such as Hannaford, Heartland, 7-11, and countless others.

Tempus Fugit: Time Flies and Waits for No One

We are living in progressive and wondrous times.  The passing of the Rockefeller-Snowe bill within the Congress of the United States of America demonstrates a small, yet important glimpse of just how progressive they are.  This bill would permit the United States to apply and enforce sanctions against a nation who knowingly harbors cyber-criminals.  Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas, not the least of which is its failure to address the importance of geo-presence and location within the legislation.   Criminals, as we all know, can hide, spoof, and bounce off many countries while they commit their crimes with little effort, provided they are well organized and possess a rudimentary knowledge of TCP/IP networking and spoofing techniques.  As a result we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an un-patched system connected, via an enterprise or home network, to the Internet.  I started thinking about how we surf the Internet, or in other languages, how we navigate through it.  That gave me an idea that I would propose could be a great foundation.  We need a RICO-like statute that is based on Admiralty law.  I propose calling it Cyber-RICO.

Cyber-RICO: Changing the Rules To Accommodate The Game

One might ask, why Admiralty law?  Well, for a variety of reasons.  First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel between the cloud-like nature of the Internet and those very real waters.  It touches many countries, and we all have a vested interest in protecting it.  More importantly, no one nation can lay claim to, nor police, international waters, as by definition they are international and thus the responsibility of all who use and take advantage of them.  Think about that for a moment.  Who doesn’t use or take advantage of international waters, if not directly, then indirectly? International commerce uses these waterways as a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud.  And just as on the high seas, where for millennia privateers and pirates have sought to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers) sought to take advantage of the nebulous nature of the Internet.

Back when maritime laws were developed, the principal reason that drove ratification of these multilateral treaties was self-interest.  Some nations, such as those that provided safe harbor to the pirates, were hesitant to adopt them at first.  However, when the pirates turned against them, the countries’ own self-interest quickly encouraged them to ratify and espouse such a law.

The basis of maritime law is that any country that has signed the multilateral treaty can involve themselves in the enforcement of the laws.  In the same fashion, the Internet Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet.  Even when country boundaries are crossed, international task forces could now work with a common framework of enforcement, such as with the current anti-piracy task forces that are working off the coast of Somalia.  They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying.  That is the right spirit of the law, and it would work as well as it relates to cybercrime.

Yesterday I read a blog post at securosis.com which inspired me to think about innovation and our industry.  Rich asserted in his post that there is no market for security innovation.  Whether you believe this to be the case or not is irrelevant, as my intention is not to debate this point (personally I believe that there should always be a pragmatic side to innovation; that innovation should not only address preexisting deficiencies within available solutions but raise the bar in terms of effectiveness and applicability while offering potentially amazing peripheral benefits), but rather to foster further discussion having to do with information security and the markets which are impacted as a result.  To begin with, Rich's post gave me cause to consider the value we place on innovation as individuals and collectives and how said values impact innovation.  I believe this varies and, as Rich alluded to in his post, there is a spectrum associated with innovation in our industry.  One end of that spectrum is expressed by that which lacks pragmatic value but is valuable in academic circles.  It is easy to discount this type of innovation as being purely academic and, as a result, less valid than other more practical forms of innovation; however, it is often through the most convoluted, esoteric innovation that new, massively applicable forms of innovation occur.  On the other end of the spectrum is the painfully practical; the 'hammer and nails' practical innovation which may or may not be terribly innovative at all (I'm willing to wager on the latter) but is really representative of the status quo.  If it isn't broken don't fix it…or improve upon it for that matter.  Then there is the happy medium; the gray area which I feel represents the best of everything the spectrum has to offer.  Here we see an 'enlightened' innovation coming to fruition.  This is the ideal and, for what it is worth, what I strive for in my own work.
I believe it is here that we find the healthy blend of the practical and pragmatic and the truly mysterious; the realm of the dreamer, where one is limited only by his or her creativity and ability to conceive and conceptualize.  To me, this is a beautiful thing.

After much meditation on Rich's blog post, I arrived at a conclusion at which I have found myself many times before:

  1. Innovation is not dead
  2. Innovation is not non-existent
  3. Innovation does not require the creation of new markets though often times this is what occurs (I have reason to believe that this occurs not always due to impracticality but to bad marketing and a lack of clarity & vision on the part of the organizations in question)
  4. Innovation will always occur — whether in the basements, garages or living rooms of the United States or in the formal research & development labs

As Thomas Edison said, 'discontent is the first necessity of progress'.  Edison, like so many other men of action, knew the value of owning one's dissatisfaction with situations and circumstance.  He knew that in doing so, a man (when properly motivated and given the room to do so) will work towards advancing and innovating in the present to ensure the future.  It is the same today as it was yesterday.  Innovation is neither dead nor unaccounted for.  Innovation is not for the weak, faint of heart, or lazy.  No.  In fact, innovation (though some would have you think otherwise) is quite challenging.  It takes vision.  And vision is not something rooted in the sweet waters of the lazy or of those who are 'busy for busy's sake'.  Edison knew this.  He said "Being busy does not always mean real work.  The object of all work is production or accomplishment and to either of these ends there must be forethought, system, planning, intelligence, and honest purpose, as well as perspiration.  Seeming to do is not doing".  In the post I read yesterday, the author challenged the readers to consider whether or not innovation occurs organically and in response to new challenges, or whether it is dreamt up by academics with no practical or pragmatic application in mind.  I personally believe, as Edison did, that innovation occurs with one's recognition of discontent in something, and would go beyond that to suggest that it is also the result of dreaming powerful, world-changing dreams.  Whether it is a product, service, or combination of both, the recognition of the cycle of discontent and progress via innovation is alive and well.

In our industry, we're often faced with a veritable dead sea of mediocrity.  Large vendors (and some smaller ones) push the mediocre (at times with new and creative campaigns), as opposed to those solutions which are arguably more insightful.  The result is that innovative solutions are often overlooked due to their being new, innovative, or the product of a 'start up'.  The author of the blog wrote that innovation often forces the creation of a market rather than attacking a pre-existing one.  There may be some truth to that, though I'd argue that this is not necessarily bad.  In my humble opinion innovation will continue as long as there are those willing and able to look at the world around them and say unequivocally that the status quo is both unacceptable and illogical.  It will continue so long as there are those with vision who are unwilling to accept the mundane and mediocre being force fed to the masses by large, bloated vendors whose vision extends only as far as their balance sheets.

CODE BLUE

It is no secret that the world is a complex place.  Look at any news report on any network, regardless of what your geopolitical bent is, and you will notice three things:

  1. Everyone has an opinion
  2. Everyone’s opinion to him or herself is right and sacred
  3. Opinions without action are worthless

I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory on social development.  His work and research in the field of ego psychology and social psychological development was a landmark and, amongst the neo-Freudian community, he in my opinion stood far above his peers.  Eriksonian theory suggests that psychosocial development occurs in a series of stages, which requires successful mastery of the initial stage in order to properly prepare and set the stage for all later stages.  Likewise, Erikson theorized that the failure to master the initial stages can have a damning effect upon development, though this is not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence) arrive at a place which is prime for the stage one finds oneself in (there are of course limits and caveats associated with this, especially in considering the earliest stages, wherein the subject is still an infant and largely dependent upon others for nurturing).  The following table depicts Erikson's stages of social psychological development nicely.

Table 1: Erikson’s Stages of Social Psychological Development

| Stage | Basic Conflict | Important Events | Outcome |
| --- | --- | --- | --- |
| Infancy (birth to 18 months) | Trust vs. Mistrust | Feeding | Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust. |
| Early Childhood (2 to 3 years) | Autonomy vs. Shame and Doubt | Toilet Training | Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy, failure results in feelings of shame and doubt. |
| Preschool (3 to 5 years) | Initiative vs. Guilt | Exploration | Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt. |
| School Age (6 to 11 years) | Industry vs. Inferiority | School | Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority. |
| Adolescence (12 to 18 years) | Identity vs. Role Confusion | Social Relationships | Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self. |
| Young Adulthood (19 to 40 years) | Intimacy vs. Isolation | Relationships | Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation. |
| Middle Adulthood (40 to 65 years) | Generativity vs. Stagnation | Work and Parenthood | Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world. |
| Maturity (65 to death) | Ego Integrity vs. Despair | Reflection on Life | Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair. |

At this point, you, the reader, may be wondering just what this has to do with what I typically write on here.  That is a great question and I am glad you are thinking.  I believe our industry has, in many ways, met with conflicts (or challenges, as Erikson would describe them), and failed in conquering them, thus finding itself following a derelict trajectory.  I believe several factors have contributed to this:

  1. An inordinate amount of emphasis being placed on compliance for compliance's sake as opposed to improvement of risk posture
  2. A fundamental, historical lack of value and understanding with respect to information security and all it influences in business and outside of it (though I feel this is beginning to change…slowly)
  3. Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
  4. The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
  5. The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner

In terms of development, it is my opinion that the industry has progressed, though not without lumps, and as a result of incurring said lumps has approached each successive stage of development in a manner which, though not ideal, is certainly able to be right sized.  Should this right sizing not occur, I believe the industry at large will settle squarely into developmental stage 7, "Middle Adulthood", characterized by Generativity vs. Stagnation, and find itself landing precariously in the realm of stagnation.  I do not do stagnation well, do you?  If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.

Software is an essential, non-negotiable aspect of everything we experience in our daily lives.  It is the technological parallel of water in the biological realm.  All things within the worlds that govern the use and application of either software or water rely upon the sanctity and "cleanliness" of these resources in order to progress forward and ensure their existence.  Without a sense or guarantee of purity, much stands to be lost; most of which can only be hypothesized about or guessed at until an event of interest solidifies the inclinations of those who are speculating.  Consider all that you interface with on a daily basis, regardless of where you are located geographically on planet Earth: your communications systems, your medical and emergency response systems, your transportation systems, your drinking water and water treatment facilities, your power industry systems (end to end), your financial systems, your military systems, and so on.  This is a relatively short list, and though that may be the case (and though I am fully aware of the greater scope of systems and technologies affected by software), we can see that precious little in the age in which we live exists outside the realm of engineering which is dependent upon secure software development.  Traditionally, software development lifecycles (SDLC) have been individually governed either by those parties responsible for the 'framework' of tools and / or coding languages which are used for development, or by those parties within a given organization who have assumed responsibility for development and are actively moving towards goals set forth by the business units which they support.  Whatever the case may be, there are certainly ample examples of glaring deficiencies within these processes; deficiencies which (when left unaddressed once found or, worse, ignored despite having been found) often have cataclysmic ends.

As professionals working in the business world, plying our tradecraft, we need to ask ourselves, our clients, our customers and anyone else who will listen (ideally those who have a 'stake' in the decision making process which impacts the generation and delivery of this code) why we allow an insecure state to exist in something so key to everything we do.  There are many reasons one could point to for the existence of these deficiencies:

a) Meeting or exceeding expectations of the investment community

b) Exceeding the ability of the competition to get to market and thusly secure a more stable position

c) Realization of a conceptualized solution to a need / want in the absence of irrefutable data

a) Coding with security in mind is as much an art as it is a science; however, it can be achieved in repeatable fashion via soundly crafted process & procedure, in addition to training and encouragement of skill set development

b) Resource / personnel challenges

a) Self-explanatory but can certainly be expanded upon in more gross detail at a later time

a) Art meeting science; one cannot rush greatness or soundness of design, however one can, through the use and employment of the right people, process and technology, achieve the goals and complete the mission

b) Patience is non-negotiable

a) People fear what they do not understand

b) People fear what they do understand but are unable to influence and / or change

c) People fear what they cannot contemplate

The net effect for our discipline and tradecraft is that we see (and experience daily) the results of either a poor SDLC or the total absence of one.  We cannot afford to become comfortable or complacent in a system which has, to date, zero accountability, and as such many are looking at the present and towards the future with new, bold ideas in mind, hoping to effect change.  One such organization is one which I have both the privilege and honor of being affiliated with, The Rugged Software Initiative: http://www.ruggedsoftware.org/ and https://groups.google.com/a/owasp.org/group/rugged-software.  My friend and colleague Josh Corman, along with David Rice (author of "Geekonomics" and security professional) and Jeff Williams (CEO, Aspect Security), developed this concept and, with the help / guidance of several industry figures, delivered the Rugged Manifesto and initial presentation, which they presented and released at the SANS Application Security Summit on February 5, 2010.  This is not the first time an SDLC methodology has been proffered for the masses; however, it is one of the only times which I can readily recall that a collective body of like-minded individuals from disparate elements of industry have developed a framework akin to this which they hope to see adopted by the masses as a mechanism for combating the threats presented by the deficiencies I mentioned earlier, and others as well.  That being said, I and my peers at Cassandra Security stand in support of Rugged.  Many of us have functioned and continue to function in assessor & auditor capacities and understand all too well the flawed state of code in the world today, through our own analysis and through the work of others.  We believe in the concept and the goal.  Do we believe that it will be adopted universally and that all software development flaws will be eliminated?
No, we do not, but we are hopeful that by encouraging the adoption and support of this ideal we, as professionals and as colleagues, can encourage industry to address the points I made above and those contained within the body of The Rugged Software Initiative and Manifesto in order to mitigate the risk.  Get Rugged, it might just save your life.

02.11.2010

There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work very well over time. They do not address the underlying issue.

The wedge of compliance or a mandate from a framework may get some base requirements moving. However, in order to get people, chief executives and influential management included, toeing the line for a healthy risk and security governance program, it will take something more. It takes a bidirectional respect for the people involved and bringing the conversation to them in terms that they, your audience, understand.

In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to business can be so complicated to understand that they need to be interpreted and put into well understood terms that everyone grasps, such as dollars.

Fostering a climate of respect and reward of long term goals instead of a short-term win is key to the success of any real life security governance program.

I have some thoughts on how to begin.

Respect your audience:

Respect peoples time:

Respect your resources:

Respect the constraints of your organization:

Too often I hear other fellows in the trade using harsh words to begrudge people who do not understand risk management instead of lamenting their own inability to express it in terms that those people will understand. Too often problems arise from not communicating effectively and from not earning or giving respect. This failure in communication was what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.

Ira says “grab by the balls.” I say “communicate effectively and with respect.”

02.02.2010

In business, accountability is something that cannot be stressed enough.  This was true before the economic breakdown of 2009, and will continue to be long after.  Accountability is of paramount importance and, perhaps more so than anything else, it is a good thing.  Accountability is something that, at some base level, all humans can relate to.  Ask any child whether or not they are reprimanded by their parents when found to be in violation of a rule and you will almost assuredly receive a response of 'Yes'.  If you receive a 'No' then perhaps that is a sign of bigger challenges and problems to come.  Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.

Accountability is a good thing.  It is of imperative importance.  Accountability aids us in the definition, maintenance and articulation of the healthy boundaries that all humans need and require (though these are not always seen or found present).  Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control; however, our responses to external stimuli, as Marcus Aurelius taught us, are well within our sphere of influence).  Accountability provides much more in the way of freedom than most would initially suspect.

As information security professionals, we should all (I will not assume that all do; however, I will suggest that we all should) be cognizant of the value of accountability.  If one looks at the continuum of information security and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable.  We do not live in a perfect world, however, and as a result we must assume that in some organizations, for better or worse, it will be seen as being negotiable.  In those cases where it is deemed negotiable, one need not look any further than to the leadership in place and their vision for the culture.  Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability, one need not look any further than the organizational leadership teams.  When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants and vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management.  There is blood in the water and sharks can smell it from miles off.

The impact upon the organizational culture, receptivity and tone becomes more pronounced as well, as does the impact upon the cultural attitudes of the organization in question and of the sub-cultures that exist within the primary organization's business units.  Any number of scenarios can come about as a result, from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective.  Enterprises (whether in the public or private sector) do not need to settle for scenarios which encourage mediocrity and closed-minded attitudes.  The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal) is a wonderful place to begin.  This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers' infractions (real or perceived), but rather that all parties within all roles should understand their contribution to the organization in any and all forms, up to and including being accountable for one's own actions and to one another, so as to prevent any damage to the organization and / or its assets (tangible and intangible alike).

You might be saying to yourself as you read this, "that sounds wonderful Will, however I live in the real world and work there too.  I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who".  Fair enough, I can appreciate that, which is exactly why my reply would go something like this: "Of course you don't, you've got a lot to accomplish in little time and with even less in the way of resources; however, if you take a few steps back from the situation, employing observing ego, you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks) would relieve you of many (not all) of the challenges you face".  Crazy, you say?  Unrealistic?  Immature?  Handsome (had to throw that in to see if you were paying attention ;) .  My assertion is that through the adoption of a solidly crafted risk based security program and framework, accountability can be achieved where it currently does not exist and supported & enhanced where it already does.

So how do we get there from here in the absence of accountability?  The first step is to revisit your organization's P3 (process, procedure, and policy) to see what exists (if anything) to date.  Odds are, something does, though the state and maturity might vary.  Should you find yourself in a situation where you have none, or what is roughly the equivalent of none, fear not.  This is not necessarily disastrous; however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.
