Archive for September, 2009

The Security BS-o-Meter

September 16th, 2009

I know this picture’s quality sucks, but it’s my favorite parody of the Homeland Security Threat Level system, so I wanted to include it. Much has been said about this deeply flawed system, and a Tweet from @AdrianLane of Securosis just got me thinking about this again. We’ve all made fun of this system for a huge number of reasons. The big one? It has no impact, representing the most ludicrous example of fearmongering ever put forth by the American government.

There’s some really telling insight here, though, that relates directly to why security is not wholly accepted by people at businesses everywhere. Here are a few corollaries we can draw:

1. The system makes no sense, intrinsically. The colors chosen are arbitrary, and so are the names. When we talk about threats in our environments and networks, we use terms that are really only meaningful to us in many cases, as well. What do those terms mean to the business? What does “Critical” mean versus “High”?

2. The system is meant to spread a bit of fear and keep people on edge. In that regard, it works for many Americans who aren’t clued in to the statistics around the likelihood of terrorist activity. In short, you’re more likely to be bitten by a rabid snail and die a horrible death than encounter even the slightest hint of terrorist activity in your lifetime. This, of course, is lost on those who actually supported the notion of “Freedom Fries”. Business leaders don’t like FUD, either. Imagine this exchange:

Security guy: We need an IPS!

Business manager: Why?

Security guy: People are attacking our network! We’re all going to die!

Business manager: How are we all going to die? What’s the risk to the business? What else do we have in place? What are the costs?

Security guy: We need an IPS! I need 1 million dollars!

Business manager: Hmmmm….

3. We don’t get enough information about WHY the level is assigned. Sure, this stuff is super-sensitive, but just telling me that things are worse without explaining why doesn’t help me to adapt my behavior in any way. In infosec, we may have the same problem. If I don’t explain WHY the missing patch is a problem, how will a business unit manager understand why I’m ranting about it? Aside from common sense, and reading the news, business managers cannot be expected to understand why security threats are serious, and why vulnerabilities that they can remediate have significant impact if left alone.

4. The worst issue, in my opinion: the Threat Level has absolutely zero actionable information. In other words, it doesn’t tell people what to do. What do you mean, exactly, by “be more vigilant”? How do I get “more vigilant”? Spy on my Muslim neighbors? Well, we make this mistake in infosec all the time. We often fail at helping people help themselves. A classic example of this is the report I generate with a vulnerability assessment. It says a problem is “Critical”. It states the problem, usually in a fairly abbreviated manner. I bring this to someone’s attention. But do I really explain WHY the problem is critical, with explicit descriptions of how it applies in our environment (problem #3, above)? And do I tell people how to fix the problem? And what the risks are of leaving it alone versus fixing it? You get my point. It sounds ridiculous, but I have seen MANY reports from pen tests and other assessments that really don’t tell me how to fix the problem, or what happens if I don’t.

Categories: Information Security

Security Mental Modeling

September 11th, 2009

Call me crazy, but it bothers me that information security is so “hard”. I know, I know, seems like we all say this, and we endlessly rail against the usual evils that make our lives suck on a daily basis: management doesn’t understand, infrastructure is too complex, the Dev teams don’t give a $*@#&, etc. And on. And on. I have lived this life – it’s easy to fall into the mindset of going to work each day with a frame of reference that looks a bit like this:

  1. I know my job. ***Whatever this may be***
  2. I know my organization. ***Politics, infrastructure, etc.***
  3. I know my team and their capabilities. ***Who does what***
  4. I know our tools and systems ***Security-specific tools and systems like IDS, SIEM, etc.***
  5. I *think* I know what my problems are.

One thing that’s interesting, though, is that we almost never get to build or design a security architecture from scratch. We just keep adding on or changing the Frankenstein monster that is our security machine, and gradually build up the complexity of it all and lose at least some semblance of control. Ugh. Just for the heck of it, what if you could start with a completely blank slate? I’m not talking tools, just a mindset of how to go about things? At the most simplistic level, my mental security model would probably look a little like this:

Network Level: Create a policy based on “Deny All” and allow only what’s needed.

Host Level: Application Whitelisting and Configuration Management via imaging and policy controls.

Application Level: Secure coding and QA, with behavioral assessment and input filtering.

You’ll also notice an up arrow with the term “Behavioral Assessment” – this signifies the importance (in my mind) of behavioral analysis and comprehension as you move from Network –> Host –> Application. In other words, most important at the App, least important at the Network. This is NOT to say that host and network behavioral analysis is unimportant, far from it. But as a starting point, I’d go with the App since we should be able to define the flow of business logic within it and then observe deviation.

Now, of course we want change management and patch management and monitoring tools and all of that…but as a simple mental model? I can get my arms around this thing pretty well. So given that we don’t get a “RESET” button in security…how do we return to a simplified view of things and build from there?

Categories: Information Security, Musings

Your Hardest Infosec Problem: Getting People to Give a $@%&

September 8th, 2009

So, this post is totally inspired by a Tweet I saw from Zach Lanier (aka @quine). He came! He scanned! He found vulns! He dutifully sent them off to the various IT folks who manage systems and applications! And….(crickets chirping). Nothing. No one cared.

So, this post is meant to give you infosec folks some shiny new ways to get those beloved admins and dev teams to actually RESPOND TO YOUR EMAILS AND PHONE CALLS! Here we go:

  1. As if by magic, several cases of Mountain Dew appear in said admin’s cubicle. You could even add a little sticky note – “Call me. I’ve missed you!”
  2. Hack your admin’s boss’ computer and change the screensaver to the BSOD! This will create some good humor in the department, and you can conveniently drop by in the throes of this madness and bring up your list of issues!
  3. Somehow tie the remediation of those vulns to a free T-shirt. God knows that highly-paid IT professionals will actually engage in physical violence to get a free T-shirt.
  4. Send a meeting invite with the subject “Donuts” or “Pizza”. Works every time.
  5. Pull the classic “ARP Cache Poison your Coworker” trick! Mwahahaha – no more “ThinkGeek” or “Slashdot” for you! Redirect their HTTP requests for geek Web sites to the Barry Manilow Fan Club site. This will get frustrating. Then, when their entire day is ruined, swing by to hear their tale of woe. Mention how you can “look into the problem” with the network folks. Once things are working again, cash in your “grateful points” to discuss the vuln list you sent.
  6. Make a contest out of fixing vulns, or maybe just replying with a reasonable response…? Sure way to get attention? The prize is any-*#$%-thing with XKCD content.

These are just ideas to get you started. Granted, most are silly, or even (gasp!) highly unethical, but hey! Gotta think outside the box here.

Categories: Humor, Information Security

Random thought: Security Absolutes

September 6th, 2009

Over the last few years, I’ve really noticed a trend in security practitioners who tend to ask: “Are we secure?”

Good question.

The problem with this question is that it implies that an absolute answer is required. However, at this point we can all guess that an answer of “yes” is too ambitious, whereas an answer of “no” doesn’t take into account any protective/defensive measures we may have employed.

Security is, in my opinion, unable to accommodate absolutes. There is no black. There is no white. There is only gray. That then leads to the inevitable follow-on: how (in)secure are we? And that, of course, is a much harder question to answer. Much attention has been devoted to security metrics, and Andy Jaquith’s book on the subject is a hell of a good start. Lately, however, I’ve been doubting the ability of current risk management and metrics “best practices” to adequately frame the “current state” of our security and risk tolerance. Why?

Simple: Things Change.

Unless we’re measuring constantly and re-adjusting our concepts of risk posture, we’re likely to be (almost) always wrong. In its own right, this represents a series of absolutes itself. Every measurement we make, using your favorite metric or risk analysis measure (SLE, ALE, etc.), is a point in time. Thus, an absolute, albeit one that is measured and quantified in some way. However, how do we accommodate changes? How does a change in the environment impact the measurement we are relying on? I know products like Skybox and Redseal do “what-if” types of analysis, but I’m looking more at the big picture – how do we get a real idea of “how secure” we are? In real-time?
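To make the point-in-time problem concrete, here is an added example (not from the original post) that carries the classic SLE/ALE figures through a couple of environment changes and reports how far a stale measurement drifts from the current one. The asset values, exposure factors and change records are constructed for illustration; the field names are this example’s own.

```python
from dataclasses import dataclass, replace

# Classic quantitative risk terms, as named in the post:
#   SLE = asset value (AV) x exposure factor (EF)
#   ALE = SLE x annualized rate of occurrence (ARO)

@dataclass(frozen=True)
class RiskSnapshot:
    """One point-in-time measurement of a single risk scenario."""
    asset_value: float      # dollars at risk
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


def apply_changes(baseline: RiskSnapshot, changes: list[dict]) -> RiskSnapshot:
    """Replay environment change records onto a snapshot (hypothetical format).

    Each record names a RiskSnapshot field and its new value. An unknown field
    raises instead of being skipped, so a typo in the change log cannot
    silently hide a shift in risk.
    """
    current = baseline
    for change in changes:
        field = change["field"]
        if field not in RiskSnapshot.__dataclass_fields__:
            raise ValueError(f"unknown risk field: {field!r}")
        current = replace(current, **{field: change["value"]})
    return current


def ale_drift(baseline: RiskSnapshot, changes: list[dict]) -> float:
    """Current ALE minus the stale baseline ALE.

    Positive: the old number understates today's risk. Negative: it overstates
    it (e.g. a control was added but nobody re-measured).
    """
    return apply_changes(baseline, changes).ale() - baseline.ale()


# Constructed figures, not data from the post.
BASELINE = RiskSnapshot(asset_value=500_000, exposure_factor=0.2, aro=0.5)
CHANGES = [
    {"when": "2009-09-10", "field": "aro", "value": 2.0, "note": "service exposed to the internet"},
    {"when": "2009-09-20", "field": "exposure_factor", "value": 0.1, "note": "backups and segmentation added"},
]

if __name__ == "__main__":
    print(f"baseline ALE {BASELINE.ale():,.0f}, current ALE "
          f"{apply_changes(BASELINE, CHANGES).ale():,.0f}, drift {ale_drift(BASELINE, CHANGES):,.0f}")
```

The baseline ALE of 50,000 never moves on its own; only replaying the changes reveals that the current figure is 100,000, which is the "things change" gap the post is describing.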

And yes, I know – this seems to be the stuff of unicorns and flying pigs, but I don’t want to be cynical or sarcastic forever. At some point, we need to get this right.

Categories: Information Security, Musings