Because I'm all about the "good enough."

Saturday, March 22, 2014

The power of change.

[Yeah, I know, it's been a long time since I updated this blog. When you write for a living, you tend to write the things you get paid for first, and often you don't have any time or ideas left over after that.]

So much of security is about doing it, not just having it. The best products can be useless in the wrong hands: you have something that's supposed to be blocking, but you have it only in logging mode. Or you have it in blocking mode, but you only enabled a few of the available rules. You have it installed in the wrong location on your network because that's the only place you could put it. It tells you what you need to know, but you never have time to look at it. And so on.

I believe that most of security relies on detecting and controlling change. And there are so many aspects to change that have to be considered.

  1. Recognizing change. Do you know how your systems, operations and usage patterns are supposed to be? This is probably the biggest challenge, believe it or not. Just knowing your baseline, in everything that happens in your environment, will be impossible for any one group or team. This baseline knowledge is institutional, and will be spread across staff at every level. The network team may know what normal traffic looks like, but they may not know what makes it normal.
  2. Detecting change. This might sound like it's the same as the item above, but it's not. Detection implies both recognition and timeliness. It requires finding what has changed, when, in what way, and by how much. 
  3. Understanding change. This is the next step in the line: if you know what has changed, and the details, then you should be able to understand the root cause of the change (someone was trying to restore a database) and the implications of the change (it clobbered the production version and now it has to be rebuilt, before the stock markets open in the morning). Or you realize that the change happened for a particular reason, and it will likely be followed by other changes (a connection is made to an unknown external system, and your sensitive data is about to head in that direction).
  4. Initiating change. Making a change happen is often interwoven with politics. Why do you want to initiate the change? Are you allowed to request it? Who will execute the change? These are all big questions when, for example, you are trying to get a security hole plugged ("Turn off that SMTP relay! Now!!").
  5. Designing change. If you understand the effects of a change, you may need to make sure it happens with certain timing, in a certain sequence, on certain systems, done by certain people. You have to design the change, especially if it's a complex one -- say, a migration off of Windows XP.
  6. Controlling change. Making a change happen the way you designed it to happen, within the time frame that you need, without political or organizational fallout, is harder than you think. It may take longer than you hoped for that application's vulnerabilities to be patched. If changes need to be approved by other entities, you may need to persuade them to give that approval. The person assigned to execute the change doesn't actually know how to do it, and is going to do it wrong. Reverting a change could be more complicated than making the original change. 
  7. Preventing change. Most people think that security is all about this part, but it's not. Any business requires change, and it's up to the security team to help ensure that change happens in the right ways. In some cases it's still important to stop some changes from occurring (such as malware being deposited), but the prevention has to be fine-grained enough to address only those change cases. For example, this setting can be changed, but it should never be done on Sundays. This rule can be changed, but only by people in this role. Or something can be changed, but it has to create a notification for someone else who needs to know about it. These types of changes should not be made unless they are logged. 

Business rules, as well as risk management decisions*, will dictate how changes are initiated, designed, approved, executed, recorded and evaluated. And if you don't have a good handle on these business and risk requirements, you'll be severely hindered in detecting unauthorized changes and responding to them.

You can't use malware detection if it takes too much work to figure out what a false positive is. Rather than being able to understand those changes, you'll ignore alerts about them until a bigger change happens as a result. (Or until you get a call from the Secret Service.)

There's no point in running a vulnerability scanner if you can't cause fixes to be made based on the findings. Moreover, you shouldn't use a vulnerability scanner as a "compliance detection" tool: it may tell you that your systems are configured exactly the way your policies specified and they haven't changed, but you may have stupid policies.

If you can't figure out the effects of a change, then you will either try to prevent it out of fear, or you will execute it wrongly. If you don't know how a change is made, you can't design a process that will limit collateral damage.

Luckily, you can start mastering all these aspects of changes without spending a lot of money. Just knowing what your systems, applications and users are supposed to do is a huge start towards effective security -- and it takes time, but it's cheap. After that, the road will be different for every organization, because the changes, effects and control points will be different. There will be things you can't change, changes you can't detect, or business processes that constrain (or mandate) change. Look at what power you have over change, to figure out how secure you can be.

*Notice I didn't say "security best practices."

Thursday, November 21, 2013

What's my name? No, really, what is it?

[Warning: rant ahead. Slow to impulse power, Mr. Sulu.]

Ever since I've been responsible for user-facing applications -- which is probably since the early Jurassic period -- and ever since I've been using pentesters on those apps, which was probably two seconds after the Jurassic was over -- I've run into the same problem, over and over again.

It's the ridiculous security trope that "username and password feedback is bad."

It's one of the first things that a pentester points out: you can find out valid email addresses or usernames by putting in a bad one and looking at the response. Yes, I know this to be the case.


Anyone who has had to provide user support on an application knows how much of that burden is due to users forgetting their usernames, or forgetting which email address they used. Remember: you have one application. The user may have dozens or hundreds of accounts in applications across the Internet, some of which they may use only once in a few years. It's unrealistic to expect them to have been writing down which usernames, email addresses and passwords they've been using since the '90s (especially if they were assigned those usernames - remember when that was a fad?). Unless you think it's okay for them to have saved everything in their browser ... no? I didn't think so.

It's bad enough when they get a clear message saying "We've never heard of you," and they're sure that they do have an account on that system.

Can you imagine how much worse the support load gets, and how much more frustrating it is for the user, if the application refuses to tell them what's wrong?

We may or may not have sent a password reset email to the address you typed in. Even if we sent one, you may not be registered on our system, so the password won't do you any good. Ha ha ha. Take THAT, HaXX0rz!!!1

If you want to prevent user enumeration attacks, you had better have a good alternative in mind. You CANNOT forget the real reason the system is there, and what that user understands and needs in order to use it. If you can't suggest anything that helps, then you are myopic in the extreme, and you're probably just playing reindeer games with other hackers, not contributing usefully to the business that hired you.

Treating username feedback as evil is just playing into the "security by obscurity" mindset. If your system can't withstand attacks by someone who knows a valid username or email address, then you have MUCH bigger problems to solve. Throwing your users under the bus because it's easier for YOU is not the way to solve them.

Thank you for listening.

Friday, July 26, 2013

Things I've learned about CFPs.

Here are some great tips in this article on how to submit to calls for papers (CFPs). I'd like to add a few more, based on my own experience:

  • Don't be afraid to reveal the plot. Some people think that they need to submit something very high-level and save the good stuff for the actual talk. As it turns out, this isn't true. You have to show a little leg (or a lot) so that the reviewers know enough about what the conference will be getting. 
  • Here are some things that I personally find less enticing as topics: presos about reports (why can't I just read the original report, not sit for an hour listening to someone talk about it?); talks about surveys (unless they promise really surprising or controversial results); talks about historical topics (the only person I've known to do this well is Schuyler Towne); and meta-talks that aren't about security themselves, but are about 'X in security.' (Analysts in security, women in security, beards in security, ear-candling in security, whatever.)
  • If you're submitting a talk on how bad things are in security, join the club of about 1,000,000 members. If you're submitting a talk on how you fixed something in security, you have a much better chance of standing out from the crowd.
  • They say you can't judge a book by its cover, but the cover IS part of the book, and that's all the reviewers are going to see. Make sure the title and the dust jacket blurb are really compelling. Really - go look at some best-selling books for examples. When it comes time for the conference, people are going to choose to attend your talk or not in about half a second when they're reading the schedule. You'll need to grab them right then and there.
  • If you're not accepted, ask for feedback. Most conference committees will give you feedback if you ask nicely. This will help you fix your submission for next time. Sometimes it's a matter of "We got 20 submissions on this topic, and sorry, yours wasn't the strongest." Sometimes it's "Are you kidding? Why did you ever think this was an appropriate submission?" I've seen a case where someone submitted the same (appalling) talk abstract over and over again, year after year. Maybe they thought the conference review was a lottery, and they'd win it some day. But if only they'd asked for feedback, it could have saved them the trouble of submitting every year, because it was NEVER going to be accepted.
 Good luck to all, and may the odds be ever in your favor.

Thursday, June 20, 2013

Sauce for the gander.

I attended the Dell annual analyst conference a couple of weeks ago, and was privileged to witness something that made me extremely happy.

As is typical with these analyst events, the vendor features a few customer companies who talk about what they've done with the vendor products, how it helped their business, etc. Also, as is typical with analyst events, we all get little souvenir bags handed out to us with vendor-branded schwag.

Well, all the stars aligned this time, because one of the featured customers was Revlon.

And the goodie bags all contained Revlon products. You know -- lipstick, mascara, nail files, that sort of thing. As a sop to the men, there was a masculine sort of deodorant stick included.

I couldn't help but grin when I saw the reactions around the room. Most of the men were looking into the bag with an expression of, "What the ... I don't even ... what IS this? This isn't meant for me. WTF am I supposed to do with this?"

Guess what, guys in technology? This is EXACTLY the reaction that we (straight) women have when we're confronted by a booth babe.

Le boom.

Monday, June 10, 2013

If at first you don't succeed, FAIL, FAIL again.

Here's an example of security FAIL at its finest.

I have an account for a service online, for which I have to manage things for the rest of my family as well. This service recently switched to another company, and I logged into the new website to find that their policy is that my oldest child is considered an "adult dependent," and I have to get permission to manage the service for her. This "permission" comes in the form of an "invitation" that she needs to send me, which sends me a magic code that I have to input from my account, and then my access is enabled, and everything is supposed to be hunky-dory.

The only thing is, my child is not set up with her own account, because up until now she was just set up as a dependent. So I asked Customer Service what to do, and they said, "Have her register an account and then send you an invitation."

To hell with that. I registered her account myself, which was linked to my own member ID anyway. I figured they would bounce a registration with a duplicate email address, so I used a second email address of my own. They didn't even send a confirmation link to that address; as soon as I registered with all the demographic information (which of course I know quite well), I was logged in to "her" account. And I just took care of business.

So here's where the security design fails, bigtime. I don't know whether someone bothered checking for a duplicate email address on registration, but it didn't matter, because they didn't even use it to confirm before finishing the account setup. And there is absolutely nothing to stop me, as a parent, from setting up the account myself. I can have more than one email address. I know all the demographic info. I can set up the challenge questions with answers that I know. So what is the freaking point of this whole "dependent" exercise?

The fact of the matter is, they have nothing in place to stop an impersonator. Short of reviewing the email address and guessing that it's not hers, there is no way to enforce this ridiculous policy. Drop a cookie to make sure the registering browser is unique? I can delete it. Same IP address? Of course; we live in the same house and she's using my computer. Send her some other individual magic ID number to the house? I get her mail.

This is one of these "paper tiger" security policies that simply annoys me for a span of 15 minutes.

Tuesday, May 21, 2013

The view from the other side.

Many thanks to Wim Remes, (ISC)^2 board member, for sending me his view of the cert issue and for letting me post it here. DISCLAIMER: this is Wim's own view and does not represent the rest of the board or the organization as a whole.

Hey there,

I do disagree on the CISSP being an entry level cert. It's a pity it has been used by HR drones as a bar for selection because I honestly believe that was never the goal of the cert. With prevalence came expectations too high for a piece of paper to fulfill, or for an organisation to prove the contrary. In my opinion the cert, first and foremost, establishes a common vocabulary among professionals that allows us -even though from different backgrounds and with different focus areas- to talk the same language and understand eachother. The second part I believe the organisation does -not the cert itself- is support an ecosystem of professionals. This has been established through a revised strategy (member-focused instead of product-focused) last year and the establishment of our chapter program. This ecosystem relies on an influx of 'new' people and the support of 'elders'.

While I respect your decision, I don't think it's the right one. In what we are trying to accomplish, people like you are elementary. And frankly, there is no other org that is positioned to even try this.

If anything, we need to work on communication. I do know that more than 50% of what I've written here is not commonly known among the membership and that is a very sad state of affairs.

We have done nothing but focus on preparing the org to go full force on the member-focused strategy, because it is the right thing to do.

Again, I fully respect your decision. Nothing I can do about that.


Going paperless.

UPDATE:  Boy, this generated a lot more response than I had anticipated.

Let me make it clear: I really respect and admire what members of the (ISC)^2 board are trying to do, and they have a big job ahead of them. I don't think the CISSP is completely useless; there are areas where it's quite useful (I could write a whole post just on the challenges of hiring security pros in government). It's just not something I personally want to put time and money into maintaining.

If anyone can make me change my mind, it'll be Wim Remes and Dave Lewis; they can do just about anything they put their minds to. They're the vanguard of people who are trying to improve the industry, and the world is a better place already because of them.


Much as I love some of the (ISC)^2 board members and heavily involved volunteers, I've decided to let my CISSP certification lapse.

I never actually planned to get it to begin with; I only signed up for the exam because there was a job I thought I might apply for, and the CISSP was required. By the time I decided to go in a different career direction, it was too late for me to get my exam fees back (and for that amount of money, I could have bought a laptop or some wicked designer shoes). So I crammed for about a day and a half, went to the exam, came out two hours later, and was done. Relatively painless, except for the extortion I had to do of certain former colleagues to get the recommendation forms filled out.

Since then, having that certification has done nothing for me, except to make me have to look up my number every so often when registering for a conference. As an analyst, I earn CPEs at least once a week, and I suppose if I could just send (ISC)^2 a link like this to be done with the submission, it might be less annoying. But filing them individually? And possibly being audited on them? Ain't nobody got time for that.

Besides, it still chafes me to think of paying good money every year to be allowed to do something I don't want to do anyway: put letters after my name. At this point, CISSPs are so common, they're like a bachelor's degree:* if you have to brag about it, you probably don't have anything else going for you.

After decades of being in IT, I no longer want to bother proving how much I know. If someone can't figure it out by talking to me or reading my writing, then I don't want their job. If they feel so strongly about that certification that they won't waive it for me, then they don't want me either, and that's okay. (And if someone is trying an argument from authority and won't listen to me because I don't have a current CISSP, then send 'em my way; I could use the belly laugh.)

I suppose a CISSP might be useful for people starting out in security, who need to prove that they've actually put in a few years at it and know the basics. It's a handy first sorting mechanism when you're looking to fill certain levels of positions. But by the time you're directly recruiting people, you should know why you want them other than the fact that they're certified. And then the letters aren't important.

I know that the (ISC)^2 board is working hard to pump up the value of the certifications, and I wish them luck with that. I think their biggest challenge will be getting them out of the category of "gate tickets": if having one helps you get through a gate, then you won't feel like you need it any more after that. (You don't have to keep maintaining a college degree; once you've obtained it, that's good enough for anyone who requires it.)

It'll be hard to create ongoing value for those of us who are past that stage in our careers. Especially for those of us who are too old to go kicking down doors. Maybe in the far future, a security certification will hold the same weight as an engineering one, and need to be maintained in good standing in order to practice your craft. But for that to happen, a lot of other attitudes around security will need to change. More on that in another post.

*Which I also don't have, by the way.