The SOX Jockey

Simple Universal Authentication

2008-09-30T21:47:00.002-04:00

From one of my favorite blogs, GNU Citizen, comes this simple and elegant proposal for authentication. It is only suitable for lower value transactions, but it could form the basis for stronger authentication, and it sure beats complicated registration processes. I have come to regret some of the heavier processes I've put on some sites I maintain, and this might do the trick.

Red Hat / Fedora Server Compromise

2008-08-22T22:45:00.002-04:00

Sorry for the long blogging vacation!

If you run Fedora or Red Hat, you owe it to yourself to read about the compromise of their package servers, and run the checker script to ensure you don't have compromised packages. See the blacklist package page here.

Data Leakage Prevention

2007-09-28T19:50:00.000-04:00

DLP is all the rage. It ranks as one of the most sought after product sets in corporate security arenals these days. The motivation is obvious: state data breach laws are driving controls around sensitive information, particularly consumer information, in an effort to reduce the likelihood of reportable events. Management needs to know what to expect from all the hype surrounding these products.

The key fact about DLP products that is emerging under this scrutiny is that they are not particularly good at stopping intentional loss driven by malice or greed. The determined attacker has a number of methods for foiling most leak prevention products including encryption, obfuscation, or non-network based egress vectors.

While DLP products may not stop criminals, they can be pretty effective at policing your normal egress points.

As I've heard it said best. "These products can stop stupid." And that may be worth the price of admission.

Black Hat USA 2007 / DEFCON15

2007-08-06T21:25:00.000-04:00

I am just back from Vegas. Black Hat was unique for me this year in that I had the opportunity to give a Turbo Talk on Social Networking Sites. Black Hat continues to grow, and the networking opportunities are always unparallelled. I know I'll be spending plenty of time with the presos outside of sessions since there are more worthy topics than time to attend them.

I'm always amazed at the exploits and research presented at Black Hat. I wished I could have travelled with more colleagues this year, but I did get introduced to some great people by former co-worker Mike Murray. Given the "sploitage" this year, hopefully we will all follow our better angels.

Here I am with Mike at the Black Hat Speaker's Party. There were a lot of security luminaries to rub elbows with. It was a nice time at the top of the Centurion Tower Penthouse. Lots of folks were in a talkative mood, and I think a good time was had by all. It was a great way to start the briefings.

DEFCON was awesome. I think more solid presentations came from DEFCON than from Black Hat this year. Also, DEFCON runs a tight ship with their goons keeping order under many a challenging circumstance. How they run 50% more attendees than Black Hat in one third of the space is beyond me. I told Mike he was a DEFCON rock star, with two SRO presos.

Public or Private?

2007-07-22T21:28:00.000-04:00

This event at Oxford is a clear reminder that what social networking site users think is private usually isn't. Sometimes I wonder how many incidents it will take for the average user to avail themselves of the privacy settings at these sites. I do see an uptick in the use of privacy settings, but it still isn't the majority of users.

Social Networking Sites in the blogosphere

2007-06-22T20:51:00.000-04:00

I love to see coverage of Social Networking Site security issues, such as this post at GNU Citizen.

Black Hat

2007-06-06T06:49:00.000-04:00

I'm looking forward to giving a Turbo Talk at Black Hat this year on Social Networking Sites.

The Black Page

2007-05-22T21:10:00.001-04:00

I recently came across The Black Page at Black Hat. It has some interesting coverage on things not usually seen elsewhere. I particularly found the claims (as of yet unsubstantiated) about offshore development elevating the porosity of computing systems.

Appliance vs. Pet redux

2007-04-30T20:39:00.000-04:00

The announcement by Dell that they will resume offering Windows XP is a good example of the complexity and code bloat that is associated with the modern PC. It has finally gotten to the point that some consumers are rebelling at upgrades for upgrades' sake. If consumers can't or won't manage the nifty new features of these upgrades, what makes us think they can manage the security features of the upgrade?

Civil blogging

2007-04-09T07:30:00.000-04:00

In the wake of the Sierra incident (thanks Mike for the excellent commentary), I commend this article at the New York Times (say it isn't so -- the Old Grey Lady has something useful to say?!?). Civil speech is the freest speech.

Appliance vs. Pet

2007-04-02T07:02:00.000-04:00

If a PC was an appliance, it wouldn't need 40+ security updates the day it is installed. It wouldn't need third party virus protection either.

The PC as pet instead of appliance

2007-03-27T18:42:00.000-04:00

I have been thinking about how far short of consumer expectations the typical PC falls. Consumers expect to buy a computer and have it function like a TV. It just doesn't. It has to be updated, virus protected and patched. It can turn on you in an instant with the mysterious Blue Screen of Death. Although a Mac is significantly friendlier, it still needs a fair amount of care and feeding. Consumers should be thinking of the PC as a pet, not an appliance. I'll probably blog on this thread for a little while...

Keeping up with the threats

2007-03-11T21:53:00.000-04:00

We had a presentation to our developers of OWASP top ten web threats by WhiteHat Security, a solid outfit in this arena. It was a great opportunity to broaden the exposure of the general IT community to current security threats.

The resulting conversations reminded me that we all tend to get stovepiped in our respective disciplines, and significant developments are rarely effectively communicated cross-discipline.

The Regulator Cometh

2007-02-28T19:55:00.000-05:00

In the wake of the TJX breach, the Massachusetts legislature is considering a bill that would impose all downstream consumers' costs of a breach on the company suffering the breach. If companies don't improve their information security, consumers will have no alternative but to push for laws that will force the improvement of practices in the handling of data.

As it is in most industries, self-regulate, or be regulated.

Virtualization Injection?

2007-01-30T07:45:00.000-05:00

With the headlong rush to virtualization in most data centers, there is going to be a rash of digital accidents and injuries resulting from loose configuration of VM hosting hardware.

Many of these facilities, IBM P-Series, VMWare, and so forth, have decent interfaces and security capabilities. The problem, as we've seen with other technologies, is the sparkly promise of vastly reduced costs that drives insecure colocation of applications with differing security models on the same hardware. The inevitable cross-connections between these applications, or the inordinate desire to boost utilization can result in profoundly insecure configurations that can threaten every application on the platform.

Firms need to ensure that standards are in place prior to virtualization deployments. And the controls for these deployments need to check for configuration integrity at risk points related to the connections between the virtual machines, and between the virtual machines and the network.

A different kind of wireless

2007-01-27T10:06:00.000-05:00

Sometimes you have to broaden your understanding of technology. From the New Hampshire Union Leader, on how to install a wireless security system:

Go to a second-hand store, buy a pair of men's used work boots, a really big pair.

Put them outside your front door on top of a copy of Guns and Ammo magazine.

Put a dog dish beside it. A really big dish.

Leave a note on your front door that says something like 'Bubba, Big Mike and I have gone to get more ammunition -- back in half an hour. Don't disturb the pit bulls, they've just been wormed.'

Confidence in Software

2007-01-18T22:18:00.000-05:00

This Computerworld article points out the need for open reviews of software as a prerequisite for public trust in services like electronic voting. As a student of politics and information security, this story has fascinated me. The short version is that a statistically improbable undercount (lack of votes by voters for one particular race) has raised significant questions about the validity of electoral results for a US Congress seat in Florida. Though a judge quashed the Democrat (losing) candidate's request to review the code, this issue won't go away until light floods the "black box."

Bruce Schneier Interview

2007-01-10T06:36:00.000-05:00

This interview with Bruce Schneier in Dark Reading is interesting. I like his emphasis on the "big picture". In speaking to a reporter after the recent Tacoma, WA school shooting, he challenged people to rethink metal detectors in schools:

"The goal isn't to stop shootings in schools. It's to stop shootings," he says, by investing in ways to ensure a kid doesn't resort to violence at all. "If a kid shoots another kid in the playground because there's a metal detector in the building," then the physical security was ineffective, he adds.

"That's a tough message for people to hear."

4 Options to Manage your Security Program (Part quattro)

2007-01-08T21:57:00.000-05:00

Option 4: Manage by Risk

WHAT: Manage your security program by evaluating and responding to risk.

HOW: Measure, evaluate, and respond to risk as defined by your business.
Note that this is not an IT process.

BENEFITS: Your security is best matched to your business.

AM I DOING THIS?: Is your business happy with your contribution?
Do they choose the risks they take or mitigate?

DIFFICULTY: This is hard because of the work, planning and
communication required.

RECOMMENDATION: This is as good as it gets.

4 Options to Manage your Security Program (Part trio)

2007-01-05T20:58:00.000-05:00

Option 3: Manage by Best Practice

WHAT: Manage your security program by doing "best practices."

HOW: Implement every "best practice" for security known to humankind.
Exceed each practice for a truly comprehensive security program.

BENEFITS: No one can accuse you of being "insecure."

AM I DOING THIS?: Does your business have any revenue? Then you're not.

DIFFICULTY: This is hard because you will be known as the "Ministry of No."

RECOMMENDATION: Managing by Audit may be better.

4 Options to Manage your Security Program (Part deux)

2007-01-04T07:35:00.000-05:00

Option 2: Manage by Audit

WHAT: Auditors or customers will tell you what is required.

HOW: Fully disclose your weaknesses in controls when your auditors or customers perform an audit. Do what your auditors tell you.

BENEFITS: Expenditures are minimal since this essentially is the lowest common denominator of security program management.

AM I DOING THIS?: Are you continually responding to audits?

DIFFICULTY: This is hard because it is frequently confrontational. On the other hand, it is easy to justify the expenditures required under "compliance."

RECOMMENDATION: Better than Managing by Breach, but not the best.

4 Options to Manage your Security Program (Part uno)

2007-01-02T19:34:00.000-05:00

Option 1: Manage by Breach

WHAT: Managing your security program by breach is easy. Just wait for the iratecustomer/regulator/Attorney General to call telling you what was lost.

HOW: Send your loss notifications promptly.

BENEFITS: No up front costs. No planning. If you are the lucky type,
this could be effective and cheap.

AM I DOING THIS?: Does CNN (or better FOX!) have a reserved parking spot outsideyour company headquarters or your data center?

DIFFICULTY: This gets easier over time because you have fewer
customers and less data. Eventually the problem
goes away when your company does!

RECOMMENDATION: Nope.

Top 10 Security Predictions for 2007

2006-12-19T20:39:00.000-05:00

Responding to my tag from Mike, here are my top 10 security predictions for 2007. I've broken mine into 5 vulnerability oriented predictions, and 5 industry ones.

1. SCADA sploits will break out.

I am no SCADA expert, but if one tenth of what Jim C says could happen does happen, things could get pretty ugly!

2. Virtualization will get own3ed.

The big push to virtualization will make it a juicy enough target that embarrassing vulnerabilities will be revealed in 2007.

3. Social Networking Sites will be patient 0 (over and over).

SNS are digital Bird Flu. Web worms will take this threat vector from the back page to the front page as repeated exploits are discovered and gain broad coverage.

4. Phishing will increase, despite strong efforts to curtail it.

Phishing is exploding, and even with phish bait warning widgets, regulation, and user education, you ain't seen nothing yet.

5. Vista will be the most secure Windows yet.

A bright spot in a sea of vulnerability predictions, Vista will have fewer defects than previous versions of Windows. But that doesn't mean zero defects or security vulnerabilities!

6. The glory days of security spend are behind us.

Business will hold steady or cut security spending in an effort to control compliance oriented costs.

7. Process, process, process.

Security spending will slant towards process control versus product acquisition. Metrics, oversight and control are in. Flashy objects are out.

8. Outsourcing is your friend.

There will be more security outsourcing in 2007 as specialization will enable cost controls that cannot be attained through DIY.

9. Auditors rule.

The driving force behind security and compliance initiatives will continue to be the auditors.

10. SOX pressures will not abate.

Despite the change in Congress, and my post that change might be coming, there won't be enough pressure to overcome the Democratic urge to regulate.

Throw the Bus in Reverse!

2006-12-15T20:08:00.000-05:00

The mantra a few years ago was, "Everything is going to the web!" Companies, counties, agencies all rushed to put records and information online. Some states passed laws requiring documents like public legal proceedings to be put on the web.

This article shows how the pendulum has swung. Now massive redaction efforts are needed to reel in personal, sensitive information from the public web.

What goes around comes around...

Security for Growth

2006-12-14T21:21:00.000-05:00

This article by Robert Reich talks about the imperative for globalization and innovation. Reich says that IT managers frequently think too much about security, and not enough about innovation. That is undoubtably true.

I think this is a possible way out of the regulatory black hole. Strive to make security the enabler for innovation, and you can assist in making the business safer *and* more dynamic.

Legal Overreach

2006-12-08T11:12:00.000-05:00

This recent article is about a change in Britain's Computer Misuse Law may have far reaching effects. It essentially outlaws the distribution of computer tools that may be used as hacker tools.

If hacker tools are outlawed, only outlaws will have hacker tools...

The Dark Underside of SOX

2006-12-05T20:03:00.000-05:00

This older article was the leading edge of what is now a pronounced trend in American finance. The trickle demonstrated by Niagra Corp in 2004 has become a flood that threatens New York's preeminence as a world finance center. Additionally, companies are listing in London and other jurisdictions less onerous than the US to escape unnecessary regulation. New York is gearing up to respond, and it is interesting to see such stalwart opponents of american enterprise as Chuck Schumer describing the situation as "serious." This issue should be an interesting test for the new Congress.

I think the circumstances may be ideal for a partial rollback of regulation, and the political calculus goes as follows: just as Nixon was the ideal President to go to China in 1972 due to his impeccable anticommunist credentials, Democrats would be the ideal party to partially relax onerous regulation. Their unparalleled hostility to business innoculates them against any perceived softness towards business interests, just as Nixon's diplomatic thaw with China was immune from any "soft-on-communism" oriented attacks.

Evading rather than helping compliance?

2006-12-04T07:13:00.000-05:00

This article discusses a product from VaporStream which apparently dramatically increases privacy of email by wiping the data stream of sender and receiver information. For individual users seeking privacy, this seems like a clear benefit. But for corporate IT attesting to compliance, this seems like a nightmare. How do you know the emails that are business records were sent outside the product by normal accountable means?

PCI Standard to the Rescue?

2006-11-29T22:09:00.000-05:00

I'm not sure I agree with this glowing praise of the updated PCI Standard from Richard Stiennon. Although the PCI Standard has much to commend it as a private standard to advance credit card information security, the standard is a bit of a one-size-fits-all approach that doesn't account for the compensating controls or complexity of some of the larger credit card processors.

There's no doubt that credit card data security needs to improve, but there's more to PCI than "just remember two things: scan your websites and don't store credit card data." If you have need to store and later refer to the data, the standard demands that you encrypt it. But encryption poorly done won't advance security even if it meets the letter of the standard. Furthermore, the storage of the data, whether or not encrypted, implies a need to deliver it to certain users in a usable (i.e. unencrypted) form. So the vectors of potential loss must be assessed and managed, regardless of the encryption of the data at rest or in flight.

The thing *I* remember about PCI? "Data security is HARD."

Backlash

2006-11-27T20:58:00.000-05:00

I was discussing the merits of application scanning with some colleagues recently. Though scanning has its benefits, its costs are not always frankly discussed. In a case where scanning caused an application impact, the backlash against such possible impacts resulted in an inability to support broad ongoing scans.

The lessons I took from this:
1) Security functions are more about people and process than technology
2) Experience in one area (successful OS and port scans) do not translate to other areas
3) A successful track record is needed to compensate for the inevitable glitch

PSAs for InfoSec?

2006-11-24T12:54:00.000-05:00

We have Public Service Announcements (PSAs) for everything from parents eating dinner with their kids to quitting smoking. With the rise of criminal identity theft rings and ubiquitous botnets, have we come to the day when we need an ad campaign to get people to keep their home machines clean and do their internet banking only from trusted devices?

Thanksgiving Haiku (work)

2006-11-23T11:30:00.000-05:00

Thankful for the work
Glad I work by brain not back
Thinking is better

Thanksgiving Haiku

2006-11-23T11:25:00.000-05:00

Time for family
Thank God for the abundance
We are Pilgrims too

Controls for Crooks

2006-11-22T18:48:00.000-05:00

This article shows how a technical detective control coupled with manual enforcement procedures is catching crooks in NY. I frequently see too much reliance on technical controls, resulting in a lack of follow-through to deliver the value of the control. On the other extreme, I also see an avoidance of technical controls resulting in weak manual procedures that would be enhanced by a technical backstop. It seems this is a difficult balance to achieve in practical operations, but we won't get the kind of return on technical investments we need if we don't achieve that balance. The NY implementation mentioned in this article seems like the correct balance. I hope the State of NY gets a bigger return than they even expect.

Fusion fun in your spare time

2006-11-21T19:42:00.000-05:00

Jim put me on to this. Power so cheap it won't be metered, here we come!

File under "never a dull moment"

2006-11-20T21:01:00.000-05:00

A new plausible threat vector in PCI cards is described here. This is very interesting in that the storage on PCI cards is hardly the only non-volatile storage medium for this kind of attack. Of course, USB thumb drives have already shown their potency in this arena.

Interesting searches

2006-11-18T12:53:00.000-05:00

I've been preparing for some Social Networking Site presentations coming up. Mike suggested looking at searches related to current and former employers, and boy does it bring up some interesting stuff!

Try "site:myspace.com your-employer-here" and see where it takes you.

New Laptop Security

2006-11-11T09:03:00.000-05:00

This is an interesting article on improved integrated security on laptops. It requires an extra authentication at boot time. It seems to me that the tightening rules for safe harbor in data breach laws will force most enterprises to this more invasive model soon. (My employer has whole-drive encryption for laptops and desktops, but doesn't currently require a preboot logon.)

Sarbanes Limerick

2006-10-29T14:35:00.000-05:00

There was a Senator Sarbanes
who thought Corporate America a bane
I'll fix them, he said
the law kills felons dead
but our sanity is now on the wane

Oxley Limerick

2006-10-29T14:28:00.000-05:00

Meet Representative Oxley
who said accounts are kept poorly
he then passed a law
that sticks in our craw
the paperwork is quite squirrely

Social Networking Site (SNS) Sleuthing

2006-10-28T21:34:00.000-04:00

I became interested in social networking sites and data mining possibilities after the Riverton, Kansas case. I wanted to see if data mining could provide law enforcement with a credible tip prior to an event such as the manual prevention that took place in Riverton. I have read with interest about Kevin Poulsen's script for catching predators. I have done some automated data mining of MySpace that is not dissimilar to his. If I get those scripts published, I'll blog it here.

I have been looking at social networking sites and data mining techniques that may assist investigators in making effective use of them. Here's a page of tips for investigators. As I add to it, I'll keep the SOX Jockey up to date.

Know your business

2006-10-28T17:57:00.000-04:00

Recently Bill P chirped about a frequent lament in our shop: the necessity of knowing your business and understanding its needs. There is no doubt that IT and Security professionals need to think of their job as serving the customer of their business, yet this fundamental truth is honored in the breach more often than not. Bill was "plogged" (plugged in a blog) here.

I have had numerous opportunities to learn something and add value in the same engagement when I meet with business people who have a specific IT need, rather than just meeting with IT intermediaries like software developers and project managers. I have found on more than one occasion that the "insecure" thing I am being asked to support or enable is in reality a significant improvement over current business practice. Yet I was unaware of that current practice until I had the opportunity to meet with the real business people struggling to fulfill a real business need in the absence of an appropriate solution.

Frequently, security professionals can bring a unique perspective to business problems by hewing to a risk management approach that enables business progress while limiting the downside risks. And the security folks may find themselves advocating approaches that would be labeled "insecure" in the ivory tower, but have real street creds when it comes to lowering risk and getting stuff done.

Winter in New England Haiku

2006-10-27T23:38:00.000-04:00

A seasonal change in our home resulted in the following Haiku from my wife:

Heat

Clink, Clink, welcome back
We said goodbye many months ago
Welcome friend and warm

Security "Experts"

2006-10-11T20:47:00.000-04:00

Gartner analyst Rich Mogull makes a great point about Information Security when he discusses the difficulty of actually simplifying security issues in his posting on experts.

Security is hard, complex, and challenging. So here's a second for the self-serving plug that we security professionals are indispensable!

SOX Haiku

2006-10-11T20:03:00.000-04:00

Compliance nightmare
Messrs Sarbanes and Oxley
Oh Lord rescue us

Risk

2006-10-09T21:01:00.000-04:00

risk noun the possibility of injury or loss.

Escaping the regulatory black hole will involve developing competence in managing risk in all its forms. For Information Security, that is going to involve relating IT risks to business impact. If we do that well, the very risks identified in risk management should map exactly to the risks and controls required by Sarbanes-Oxley.

If we do the right thing, we'd blow right by "compliance" as we strive for "competence". Then the compliance treadmill would fade into the background as we make competence a business differentiator.

The perl of SSH defense

2006-10-05T22:23:00.000-04:00

Many articles have been written on SSH attacks that have been going on for a few years. I myself have seen upwards of 1500 attacks in a single day from zombie machines. Most of the articles suggest defensive moves I find too limiting for my home machine, which I generally want available regardless of where I am.

Since the basic nature of the attack is brute force, limiting access based on an adaptive script that blocks access after a low number of bad logins from an IP address has worked for me. I still have access to my machine (no collisions yet!) but have little fear of a successful brute force attack.

Here's my script (for OpenSSH on Linux with iptables):

#!/usr/bin/perl
# sshd_mon.pl - monitor/block bad login attempts on SSHD
# usage: sshd_mon.pl host file
$host = shift;
$file = shift;
open(FIFO, "< $file") or die "Cannot open $file\n";
while () {
if (/$host sshd/) {
if (/failed password for .*? from (\d.*\d) port/i) {
$bad_ip = $1;
$bad_ip =~ s/ *$//;
$bad_ip =~ s/^ *//;
if (!defined($bad_ips{$bad_ip})) {
$bad_ips{$bad_ip} = 0;
}
if (++($bad_ips{$bad_ip}) == 5) {
`/sbin/iptables -A SSHDROP -s $bad_ip -j DROP`;
print "/sbin/iptables -A SSHDROP -s $bad_ip -j DROP\n";
}
}
}
}

Cheers!

Audits Uber Alles

2006-10-04T22:37:00.000-04:00

This article on Dark Reading is an ominous commentary for the SOX Jockey...

Changes in the corner office

2006-10-04T22:22:00.000-04:00

My colleague Mike Murray is on to something regarding compliance versus security in his post "The Death of the CISO". We'll certainly be seeing security seeking its new level in corporations if CISOs are being phased out. It will be interesting to see how the balance between compliance and security plays out as the management chain changes. Hopefully an emphasis on risk over raw compliance will shape that balance in a beneficial way.

Escaping the regulatory black hole

2006-10-04T21:58:00.000-04:00

Can Information Security professionals escape the regulatory black hole? You know, the recent propensity for all things security to be subsumed by compliance and/or audit? I'll be ranting on that topic for some time, I imagine.