Tag Archives: security

Jul 26 2015
Leave a comment
Blog Posts

Cognitive Dissonance and Incident Response

“In psychology, cognitive dissonance is the mental stress or discomfort experienced by an individual who holds two or more contradictory beliefs, ideas, or values at the same time, or is confronted by new information that conflicts with existing beliefs, ideas, or values.”

Festinger, L. (1957). A Theory of Cognitive Dissonance. California: Stanford University Press.

For your consideration, what follows is the hypothetical discussion between a Pointy Haired Fearless Leader and a Security Analyst regarding the possibility of an organization’s large, web application having been breached. The Frankenapp in question was creatively duct-taped together around the same time that dinosaurs roamed the earth. All characters appearing in this work are fictitious. Any resemblance to real persons living or dead, is because truth is often much funnier than fiction.

SA: There’s a possibility our Super Amazing Custom Web Application has been breached.

PHFL: (Breathes into paper bag as starts to hyperventilate. In between breaths) How did this happen?!

SA: Same way it always does. A user was phished.

PHFL: But why didn’t our Extraordinarily Powerful Security Tools that cost $$$$$ stop this?!

SA: Because they don’t always work. Especially when they don’t have all the data necessary to identify malicious activity.

PHFL: But we paid $$$$$ because the vendor said it would stop APTs!

SA: This isn’t an APT.

PHFL: But we have Super Powerful Web Application Firewalls!

SA: They’re still in learning mode, because the web developers won’t work with us to identify false positives. And a WAF won’t detect phished credentials. We need multi-factor authentication to prevent this.

PHFL: But MFA annoys the users. What about the network firewalls?!

SA: Our firewalls wouldn’t have caught this and our web filtering system hasn’t worked for months.

PHFL: Do we know what accounts were compromised?

SA: We don’t have enough data. We don’t really have many application logs and the ones we do have aren’t being sent to the  SOC to be correlated.

PHFL: Why wasn’t I told about this tragic and desperately horrible situation?!

SA: I’ve been telling you every week since I took the job. I even hired someone to sky-write it twice. I’m also working on an off-Broadway musical called, We’re About to be Pwned Because Our Visibility Stinks and Our Security Tools Are Broken.

PHFL: Well, this is clearly your fault.

Dilbert On Incident Response

Tagged , , , , , ,
Jul 25 2015
Leave a comment
Blog Posts

Security Karma

The Hacking Team debacle continues to make life miserable for defenders everywhere. Any vestige of organizational good will I  may have built up over the last year, is gone after issuing five emergency patch requests over ten days. I’m exhausted and still wondering how many more 0-days are lurking around the corner.

The compromise was epic, with hackers releasing approximately 400GB of data, including thousands of internal emails and memos which were posted on Wikileaks. Reuters reported that all this mayhem was caused by six disgruntled former employees who also released Hacking Team source code.  Frankly, I don’t have much sympathy for David Vincenzetti and his circle of douchery that includes government clients using Hacking Team’s brand of malware to spy on dissidents. While following the story, a Confucian proverb came to mind. “When you ride a tiger, it’s hard to get off.”

And so it has been for The Hacking Team, now bitten by that proverbial tiger and broken, a casualty of their own hubris. Whether they can recover from this disaster is questionable. Their arrogance only surpassed by that other sad sack of the security industry, HBGary, taken down by Anonymous.

There is a story of a soldier who went to see a famous Buddhist Monk, Ajahn Chah, to ask why he had been shot on the battlefield. Why had he been chosen to suffer, was it something he had done in a past life? Ajahn Chah answered that it was the karma of a soldier to be wounded. The real meaning of karma isn’t punishment, it’s simple cause and effect. With the Hacking Team it’s a case of security karma: they chose to enter the arena of offensive security and use the tools of attackers for questionable purposes. By doing so, they increased the odds that they would themselves become an object of retaliation.

Tagged , , ,
Jul 25 2015
Leave a comment
Blog Posts

Security’s Bad Boys

This week’s latest stunt hacking episode seemed to cement the security community’s reputation as the industry bad boy. The Wired car hacking story demonstrated an absence of the responsible disclosure most security researchers strive to follow. While the story indicated that Miller and Valasek have been working with Chrysler for nine months and that they’re leaving out a key element of the published exploit, there’s still going to be enough left to cause some mayhem when released at Black Hat USA next month. Moreover, the story’s writer and innocent bystanders were often in harm’s way during the demonstration on a major highway in St. Louis.

The annual Black Hat conference in Vegas is an adult version of “look what I can do” for the security set, perfectly placed in the city’s carnival atmosphere. A grand spectacle where every breaker competes to get Daddy’s attention by taking apart the toaster, or car in this case. The media loves this stuff and floods outlets with paranoia-inducing stories the few weeks before and during the conference.  What’s so disturbing about these events isn’t the frailty of our technology-enabled stuff aka “Internet of Things,” but the need for a subset of people to focus on its faults. The typical rationale from many of these researchers for their theatrical, hype-infested releases during Black Hat and other security conferences, is that they can’t get any attention from manufacturers when going the path of responsible disclosure. I would argue that this behavior is more about ego than concern for the safety of consumers, because there are plenty of principled researchers, quiet heroes who slog along filing bugs with vendors, unknown and overlooked by the general public.

Most idiots can blow up a cathedral with enough C-4. But it takes a Bernini or Michelangelo with hundreds of talented, dedicated artisans, to design and build one. People who will never be remembered by tourists standing in the middle St. Peter’s, glorying in the majesty of such an achievement.

St. Peter's

Tagged , , , , , , ,
Jul 16 2015
Leave a comment
Blog Posts

Dear Flash, It’s Over

Dear Adobe Flash,

It’s probably insensitive of me to do this in a blog post, but I can’t trust myself to be alone with you anymore. The relationship started out great. Those cute kitten and puppy videos would get me through the most stressful days, when I just needed to turn off my brain off after a day of navigating the network poopfest at work. I wish we could go back and start over again, but after three patches in a week, I’m done. This just isn’t working for me anymore. Okay, I know we could still have some fun times, but I simply don’t feel safe with you anymore. So I’m going to have to end it. And to be clear, it’s not me, it’s you.

P.S. I’d just like to point out the irony of a recent Wired article, “Flash.Must.Die.” It has a Flash popup.

Screenshot 2015-07-16 09.31.52

Tagged , , , ,
Jun 20 2015
Leave a comment
Blog Posts

The MSSP Is the New SIEM

In the last year, I’ve come to a realization about incident management. In most cases, buying a SIEM is a waste of money for the enterprise. The software and licensing cost isn’t trivial, some of them utilizing what I like to call the “heroin dealer” or consumption licensing model. The first taste is free or inexpensive, but once you’re hooked, prepare to hand over your checkbook, because the costs often spiral out of control as you add more devices. Additionally, for most small to medium organizations, the complicated configuration often requires a consulting company to assist with the initial implementation and at least one full-time employee to manage and maintain. Even then, you won’t really have 24×7 monitoring and alerting, because most can’t afford a large enough staff to work in shifts, which means you’re dependent upon email or text alerts. That’s not very useful if your employees actually have lives outside of work. Most often, what you’ll see is an imperfectly implemented SIEM that becomes a noise machine delivering little to no value.

The SIEM’s dirty secret is that it’s a money pit. Once you add up the software and licensing cost, the professional services you spend to get it deployed and regularly upgraded, the hardware, the annual support cost, and staffing, you’re looking at a sizable investment. Now you should ask yourself, are you really reducing risk with a SIEM or just hitting some checkbox on a compliance list?

Alternatively, let’s look at the managed security service provider (MSSP). For a yearly cost, this outsourced SOC will ingest and correlate your logs, set up alerts, monitor and/or manage devices 24×7, 365 days a year. An MSSP’s level-1 and level-2 staff significantly reduce the amount of repetitive work and noise your in-house security team must deal with, making it less likely that critical incidents are missed. The downside is that the service is often mediocre, leaving one with the sneaking suspicion that these companies are happy to employ any warm body to answer the phone and put eyeballs on a screen. This means that someone has to manage the relationship, ensuring that service level agreements are met.

While there are challenges with outsourcing, the MSSP is a great lesson in the economy of scale. The MSSP is more efficient in delivering service because it performs the same functions for many customers.  While not cutting-edge or innovative, the service is often good enough to allow a security team to focus on the incidents that matter without having to sift through the noise themselves. The caveat? While useful in the short-term, security teams should still focus on building proactive controls with automation and anomaly detection for improved response. After all, the real goal is to make less garbage, not more sanitation workers.

Tagged , , , ,
Jun 19 2015
Leave a comment
Blog Posts

Tootsie Roll Pop Security

Recently, it occurred to me that the security of most organizations is like a Tootsie Roll Pop. Hard and crunchy on the outside, soft and chewy on this inside. One bite and you easily get to the yummy center.

How many licks does it take to get to the crown jewels of your organization: your data?

Tagged , , , ,
May 02 2015
Leave a comment
Blog Posts

I’m a Doctor, Not a Security Expert!

While I don’t completely agree with the Rob Ragan’s sentiments in a recent article in Dark Reading on the limitations of security awareness training, I think the writer makes some good points, especially regarding the appropriate use of technical controls in combination with training to mitigate risk. I love the quote he includes from Adrienne Porter Felt from the Google Chrome Security Team:

 “…users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters — it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.”
This was prevalent in my mind as I assisted my Luddite physical therapist last night in resetting her AOL password. She couldn’t get into her account for an entire day, all because a “security feature” locked her account for suspicious activity. Basically, she bought a new iPad and entered her complex password incorrectly multiple times. But because she used IMAP to connect to her account from her laptop, she had no way of knowing that the account had been locked and didn’t understand how to use the UI. So I did the unthinkable: I requested an account reset, then logged into the Gmail account she uses for account recovery and gave her the new password I created for her AOL account. She thanked me and told me how much harder my job was than hers, and that she would never do it. And this admiration was all predicated upon my resetting her password. Supposedly, one of the most trivial activities in IT. Any user should be able to do this, right?
Earlier this week, my team received a request to allow a user to install the Fitbit application on her company-owned system. It prompted an esoteric discussion on the security of the Internet of Things and the Quantified Self. I recommended that we approve the request and said, “Why are we even having this discussion? We’re an organization that has an employee wellness program and we’re wasting precious resources discussing whether or not this application increases organizational risk? We have approved applications that are more dangerous, such as Java, Adobe Flash and Internet Explorer.”
Why are we still so disconnected from our users, making user interfaces that are too complex, byzantine security procedures and arcane policies?
I'm a doctor, not a security expert!
Tagged , , , ,
Apr 03 2015
Leave a comment
Blog Posts

BYOD: Pervasive Computing Has Arrived

A good tool is an invisible tool. By invisible, I mean that the tool does not intrude on your consciousness; you focus on the task, not the tool. Eyeglasses are a good tool — you look at the world, not the eyeglasses. The blind man tapping the cane feels the street, not the cane. Of course, tools are not invisible in themselves, but as part of a context of use. With enough practice we can make many apparently difficult things disappear: my fingers know vi editing commands that my conscious mind has long forgotten. But good tools enhance invisibility. – Mark Weiser, August 16, 1993

Often, I’m at odds with others in the security community over some of the positions I espouse.  My support of BYOD is one of them. While I see the risk in allowing users to bring their own devices to work, my experience in the enterprise has convinced me they’re already doing it, whether or not the IT department officially supports it. So we might as well accept the inevitable and start to work out the ground rules with each other.

Besides, isn’t this a good thing for information technology and society? We are seeing the fruition of Mark Weiser’s work in Ubiquitous or Pervasive Computing at Xerox PARC with the Internet of Things and a flourishing mobile device marketplace. I was drawn to IT in order to solve problems, not drown in the minutia of attack scenarios. Unfortunately, many security professionals can’t see beyond the vulnerabilities and spend most of their time pissing on everyone’s parade.

Regardless, I’ll continue to write and teach on the topic, because I think it’s important to collaborate with the business and the other sectors of IT to find solutions. Towards that end, I’ve written a piece for Dark Reading about tackling that difficult beast, BYOD.Spock does BYOD

Tagged , , , , , , ,
Newer posts