What Helps You with PCI?

Posted on March 2, 2010 by Brent Huston

Yesterday, at RSA much press attention was paid to a metric that 41% of all organizations tested needed temporary compensating controls to meet even the minimum security provided by PCI DSS compliance.

This led us to this discussion. If so many organizations need temporary controls to do the minimum, then what controls, in your experience, are the most worthwhile for those struggling to meet PCI?

Please leave a comment and tell us what controls you find most useful, easiest to leverage and worth the investment for PCI compliance.

As always, thanks for reading and we look forward to your input.

[Tangent] Can infosec VARs Really Make an Evangelical Sale?

Posted on August 1, 2008 by Brent Huston

We have been having quite a struggle finding infosec VARs to resell our HoneyPoint products. The problem seems to be that HoneyPoint and the idea of a Next Generation Distributed Honeypot product are such a radical concept to most organizations that they require evangelism and education for the customers to understand the value of the product and why it is a better solution that they are using now. It usually takes a while for them to understand that they can free themselves from false positives and the overhead of many of the detective tools they are using today if they simply embrace the idea of thinking differently about the problem.

VARs today seem to be focused solely on the products that are demand driven. They want to sell the Cisco products, the copies of anti-virus and the stuff that clients are already used to asking for. The days of VARs looking for ways to shake up the markets, establish value with fresh approaches and build their businesses by leveraging rapport with their customers by solving their deeper problems seem to be all but gone. Sure, you can find VARs to resell your widget or appliance if you have a model that requires little work, even if it has a small margin. But, it seems like finding evangelical VARs is nearly impossible in today’s market. If they are out there, we don’t seem to be able to find them.

I really feel like that is a bad thing for the market and for the clients. In the early days of MSI and the security industry, there was a lot to be gained by being a VAR that was able to bring bleeding edge solutions to customers. I can remember working with clients to help them understand new protective technologies like the Sidewinder firewall from Secure Computing, Real Secure from ISS and spending a lot of time traveling, talking to clients and listening to them explain the things that hurt them – then digging into the net and our brains for REAL, DEEP solutions that addressed the root problems that they were experiencing. For me, at least, that was the exciting thing about being a VAR – finding that next breakthrough that could really empower some of my clients in a way that they may not even have known that they needed until we showed them that a better way was available. That was exciting, fun and really gained us the trust of organizations who have been clients for nearly two decades now.

If there are any VARs out there that you think fit this model, I would like to hear about them. I would love to find a few folks who are willing to help evangelize what is clearly a better solution to the insider threat and to securing virtual environments. I would like to work with someone who shares that energy, passion and willingness to help solve deeper problems than traditional “network gear” resellers will ever be able to uncover. If you’re out there, give me a call – I think we have something to talk about…

April Virtual Event MP3 Available – Selling Security to Upper Management

Posted on May 15, 2008 by Brent Huston

We are pleased to announce the availability of the MP3 from last month’s virtual event that covered the selling of security to upper management.

We got great feedback on the event and plan to continue our monthly virtual presentations. If there are topics you would like to see us cover or want us to dig into, please drop us a line or comment.

The slides for this presentation are available here.

The MP3 is available here.

Thanks again for spending time with us. We really love working with each and every one of you!

Ohio Votes Today

Posted on March 4, 2008 by Brent Huston

The day for the Ohio primary is here. With a ton of media attention focused on our state, a new voting process in place and the removal of the touch-screen systems our primary is certain to have its ups and downs today.

When we reviewed the security of the Ohio voting system, we did find some serious issues. However, the optical scanning systems from our review were less prone to problems under normal voting use than the touch screens. Therefore, we agree that the optical scanners are a more secure choice, especially in the way that our Secretary of State has outlined their use.

Voters in Ohio today should expect some lines and a small amount of confusion and hype. But, careful review of your ballot, care marking of your selections and following the published procedures should make the process easy, reliable and interesting. Our only words of caution are to ask for another ballot if you make a mistake and refrain from marking anywhere except in the square of your chosen candidate. Again, take a few moments and review the ballot before you turn it in.

The Secretary of State has taken great measures to ensure oversight and accountability for all votes and voters around our state. The various boards of election and other officials have also taken great steps toward improving the security of the process. They are all to be commended for achieving the progress we have made thus far, in such a short amount of time.

While there is still quite a bit of work to be done around electronic voting and elections security; today is a good day to look at the work we have done so far. Together, citizens, politicians and government can work to find a useful, reliable and secure way to continue the wonderful democracy that we, as Americans, enjoy.

Do your part. Vote. Stay engaged in the debate about electronic voting and don’t be afraid to let others know what you think…

Three Examples of Thinking Differently About InfoSec

Posted on January 3, 2008 by Brent Huston

Today, I am putting my money where my mouth is. I have been talking about thinking differently about infosec as being a powerful tool in the future for several months now, but here are three concrete examples of how security folks need to think differently than they do today. (Note that some of you may have already begun to embrace these ideas – if so, awesome, you are ahead of the curve!)

#1 – Think like attackers AND defenders – We as infosec folks often get so caught up in our statements of ethics, credos and agreements about behavior that we get trapped inside them and become blind to the methods and ways of attackers. Many security folks I meet have taken such steps to distance themselves from attackers and they often show utter disdain for attackers, tools and techniques that they are essentially blind to the way attackers think. This is a dangerous paradox. If you don’t understand your opposition, you have no way of being effective in measuring your defensive capabilities. If you can’t think like an attacker, maneuver like an attacker and understand that they are not bound by the rules that you attempt to impose on them – then you will likely have little success in defending your organization against them. To better defend our assets, we have to be able and willing to understand our enemies. We have to have a realistic knowledge and capability to replicate, at the very least, their basic tools, techniques and attitudes. Otherwise, we are simply guessing at their next move. Essentially without insight and understanding, we are playing the “security lottery” in hopes of hitting the big defensive jackpot!

#2 – Deeper defenses are better defenses – We must extend defense in depth beyond an organizational approach to a data-centric approach. The closer to the data the controls are implemented, the more likely they are to be able to add security to the core critical data. (Of course, normal rationality applies here. The controls have to be rational, effective and properly implemented and managed – as always!) This is why security mechanisms like enclaving, data classification and eventually tagging are the future of enterprise security. If we start to think about our security postures, deployments and architectures with these ideas in mind today, we will be able to leverage them in their present state and eventually gain the maximum from them when they are fully ready for integration.

#3 – Think risk, not compliance – I am going to continue to talk about this, no matter how much heat I get from the “compliance guru set”. Striving for compliance with various regulations or standards is striving for the minimum. Guidance, regulations and law are meant to be the MINIMUM BASELINE for the work we need to do to separate liability from negligence. Compliance is a milestone, not a goal. Effective understanding and management of risk is the goal. Don’t be deceived by the “compliance guru set’s” argument that meeting baselines if effective risk management. It is NOT. Regulatory compliance, ISO/PCI compliance pays little attention to and has little management for attacker techniques like vulnerability chaining, management/analysis of cascading failures or zero-day/black swan (Thanks, Alex!) evolutionary capabilities. This step requires upper management education and awareness as well, since those that control the budgets must come to see compliance as a mile marker and not the end of the race ribbon!

I hope this helps folks understand more about what I am saying when I assert than in 2008, we have to think differently if we want infosec to improve. Of course, thought has to precede action, but action is also required if we are going to change things. What is clear, from the problems of 2007 and further back, is that what we are doing now is NOT WORKING. It should be very clear to all infosec practitioners that we are losing the race between us at attackers!

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Posted on January 2, 2008 by Brent Huston

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates souring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other myriad of new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…

0wned By a Picture Frame & Other Digital Errata

Posted on December 26, 2007 by Brent Huston

First it was Trojan firmware on network routers, firewalls and other network appliances. That was followed by attackers installing trojans and malware on USB keys and then dumping them back into those sale bins by the registers. Now, SANS is reporting that a number of digital picture frames sold by retailers were pre-infected with malware, just waiting to be mounted on a PC during the picture loading process.

As we have been predicting in the State of the Threat presentations for more than a year, the attackers have found new and insidious ways to turn the newest and seemingly most benign technologies into platforms of attack. Now that just about everything from refrigerators to washing machines and from toasters to picture frames have memory, CPU and connectivity – the vectors for malware introduction and propagation are becoming logarithmically more available. As computers, mesh networks and home automation continue to merge, we have to think differently about risk, threats and vulnerabilities.

Until we as security folks can get our head around overall strategies for securing the personal networks and tools we become more dependent upon each day, we have to rely on point tactics like wiping drives when we get them, reloading firmware on all devices – even new ones – from trusted vendor sources and doing the basics to secure home and business networks and systems. Hopefully, one day soon, we can build better, more proactive solutions like integrated hashing, malware identification and other mechanisms for alerting users to basic tampering with our devices. While we geeks are getting the wired world we always dreamed of, we are learning all too quickly that it comes with some unexpected risk…

Bad News in Trends of 2007

Posted on December 11, 2007 by Brent Huston

The infosec community got some bad news today in the first release of trends for 2007. Overall, things are not going as well as we would like. Attacks continue to rise and successful compromises that end in data compromise are up.

Attackers seems to have fully embraced client-side attacks and bot-nets for performing illicit activity and laptop theft is also seen as rising. As expected, identity theft is rapidly becoming a huge criminal enterprise with an entire underground economy emerging to support it.

Reports came out today that showed that malware attacks have doubled in 2007 and that data theft rates have TRIPLED!

From our standpoint, this validates that existing traditional security controls based around the perimeter simply are NOT WORKING. We must establish defense in depth. We must embrace enclaving, encryption of sensitive data and portable systems and establish proactive security mechanisms that can raise the bar of compromise out of the reach of the common attacker. Until we begin to think differently about security, data protection and privacy – these trends remain likely to increase even further.

A Couple of Interesting Developments

Posted on November 3, 2007 by Brent Huston

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive! — Just a reminder!

Noel Brings Reminder to Review DR/BC Plans

Posted on November 2, 2007 by Brent Huston

For those folks on the east coast, Hurricane Noel should probably figure into your weekend plans. The storm is looking like a near miss for much of the eastern seaboard, but should be a strong reminder for folks to review their Disaster Recovery and Business Continuity plans for currency.

If you look in your policies folders and don’t see a DR/BC plan, now might be a good time to form a task group for making them. Given the wacky weather patterns lately, they might prove to be handy in the future. At the very least, you can rest a little easier just knowing they are there.

For those folks wondering what I am talking about, click here for more info on the storm.

If you want to do more reading on DR/BC policies, check out this wikipedia article.

MSI :: State of Security

Insight from the Information Security Experts

Tag Archives: security