April 2009 Archives

Well, that's it, another RSA is in the bag. Overall, I had a very enjoyable social experience, but from a professional perspective I felt a bit underwhelmed. The Expo was very thin this year, and lacking in anything of particular gusto. In fact, as noted earlier, there seemed to be a particularly dark cloud hanging over the floor as vendors wondered where the buyers were.

The week was fun, though. Perhaps the best experience wasn't even at RSA, but rather attending part of MiniMetriCon 3.5 at Google's San Francisco office (http://www.securitymetrics.org/) on Monday. If you ever get a chance to attend a MetriCon event, do so. As much as I hate to admit it, metrics make the world go 'round, and these events are a great place to not only learn how to get good quality data, but also to see what data is being generated.

In addition to RSA and MiniMetriCon, I also attended the joint ABA ISC and EDDE meetings, as well as the kickoff of the OASIS KMIP TC. These were all enriching experiences that made for an extremely busy week.

Apparently it's freak-out time again in the mainstream media. Last time it was peanut butter with salmonella. This time? "Swine flu" imported fresh for Mexico City (or so they claim). I'm not going to link to any of the stories, since turning on your TV will be adequate enough. I will link to one site, however. Here's the CDC Human Swine Influenza Investigation site. Please look at this page. Scroll to the "TOTAL COUNT" line and read the number with me.

(I'll pause while you look)
(seriously, take a look)

Ok, back from looking now? Absolutely terrifying, isn't it? Yes, that's right. 21 cases in all of the US at this point. 21. So, you'd better go buy a mask, throw out all your pork products (I don't think Spam counts;), and start warming up your cave of despair.

But, seriously folks, there are two thoughts I want you to carry with you through all this "excitement":

1) Bruce Schneier's rule of mainstream media states that if it's being covered in the mainstream media, then you probably don't have to worry about it, because their business is overhyping low-probability events.

2) The one truism in life today is that we will all die some day. Technology has not overcome this reality, and thus we should expect death to come knocking, whether we like it or not. Put aside fear and replace it with scientific curiosity.

This example is just one more case where we see how poor humans are at performing real-world risk assessment and analysis. Part of the problem is how emotional people get over issues related to death. However, another part of the problem is how blindly accepting the general population is of any BS spewed forth by the mainstream media. It's time to change this, one person at a time. Don't be drawn into FUD-based arguments for low-probability events that will almost certainly have little-to-no impact on your life. Coldly evaluate what you're hearing, seek out the facts (metrics!), and then make a rational decision.

Thus ends my public service announcement for the day. :)

I almost thought I'd see a vendor weep today. Despite official tweets to the contrary, the Expo is not very busy. I'd say the vendors outnumbered attendees this afternoon by at least 2-to-1, and if you remove the press from the attendees, that number is probably more in the 3-5 to 1 range. In other words, it's going to be interesting to see what happens next year after vendors take a hit this year. RSA is not a cheap show to exhibit at, and to have such low turnout can be brutal.

Because of the late hour, I'm not going to do vendor blogs today. Hopefully Th/Fri I'll have time to catch up on those. Suffice to say, there are way too many USB devices, none of which are very interesting. I did, however, have a chance to chat with Alert Enterprise, winner of the Innovation Sandbox earlier this week, as well as Solera Networks, a competitor to NetWitness.

In terms of talks, I briefly sat in on the Cryptographers Panel, but quickly grew bored of the material duplicated from last year. In the afternoon I attended the "Groundhog Day" panel with David Mortman, Martin McKaey, Ron Woerner, and Rich Mogull, moderated by Mike Rothman. In other words, a very fun group! I attempted to live-tweet the panel, with moderate success. You can read those posts here.

Greetings from unseasonably hot San Francisco! Monday was the last pre-RSA day, with 1-day workshops galore. Unfortunately, the press are barred from the workshops, so I attended minimetricon at Google. Talk about a good experience! Particular standouts were presentations from Jeremiah Grossman (real stats on web vulns and attacks) and a discussion of the Verizon Data Breach Incident Report with respect to PCI compliance. It turns out that about 19% of compliant companies get hacked, but in the end it looks like those companies are likely not compliant, either at the time of the attack, or in general. An interesting tidbit from Jeremiah was that XSS is quite prevalent and not frequently resolved, often because of a business need. I asked if the lack of resolution was due to laziness or a lack of viable alternatives and it turns out to be the latter (nice for a change). There simply aren't good alternatives for sites - particular Web 2.0 properties.

Back at RSA, I was able to check out the Innovation Sandbox. Overall, not sure how innovative stuff was (what do I know? AlertEnterprise won, and they do event log and security event management stuff for blended attacks). There were a couple interesting vendors: Yubico, makers of a USB auth token dealy that integrates with OpenID for strong auth on internet services; and BehavioSec, which was a typing behavior analysis program that ran real-time and would detect an intruder on the keyboard, blocking them, etc.

Beyond the Innovation Sandbox, I spent a bit touring the Expo, though didn't get nearly as far as I'd hope. I have scoped out some vendors for sit-down interviews later in the week, as well as have a bead on Bob Griffin at RSA to get the skinny on the new OASIS KMIP TC. I'll blog more about vendors as I interview them.

Post-Expo a bunch of us wandered over to Kate O'Briens for BaySec, which was a lot of fun, though I didn't socialize nearly enough. From BaySec we bounced to the Qualys reception, where I got to meet Anton's wonderful wife. The reception was a nice transition from the open-air pub of BaySec where it had to be in the 90s inside. Overall, it was a fun day, and it promises to be an even better week once the interviews start rolling - stay tuned! :)

I've finally had a chance to sit down and read "PCI Shrugged: Debunking Criticisms of PCI DSS" by Anton Chuvakin and Ben Rothke. My response to the article can also be construed as a follow-up to my earlier post, here.

Overall, I take great issue with the article and assertions made. My primary critique is that they're debunking "myths" or "criticisms" that are based in reality, not in abstract and obscure theoretical PCI realms. It does not matter what the PCI Security Council wants us to believe about the DSS. It only matters how the DSS is used and perceived by those required to comply with it. The simple fact is that the DSS is a checklist (see the SAQ for example) that has a very narrow scope (billing systems with credit card numbers) and that does not look at larger concepts like risk or maturity.

That being said, allow me to do a section-by-section rebuttal.

Greetings! Sorry not to be more substantive lately - saving my energy for RSA, which I leave for TONIGHT. OOF! :) Wanted to share 3 interesting posts from today, in case you missed them...

1) The DNI Email: @jack_daniel comments on receiving an email from the Director of National Intelligence on the released torture memos. I got one, too. Current theory is that they sent it to the RSA press or attendee list. Did you get an email with it, too? Interesting...

2) Lindstrom's Confused Again: Old buddy Peter Lindstrom posted about risk today, but I'm not sure his post makes much sense. Sure, the first bit on likelihood seems right - probability of bad stuff happening is indeed rather important for risk assessment/calculation. However, he goes on to say "...we often suggest that in order to quantify risk we must quantify our consequences as well, but this isn’t the case. Since we are identifying unwanted outcomes anyway, in many cases we implicitly understand the value or loss involved..." which makes me wonder, Is this really true? I'm not sure that we do implicitly understand losses very often. In fact, I'd say that this is one of the core cognitive dissonances with infosec: people really truly do not implicitly (or fundamentally) understand the consequences that stem from their actions online. Think about it. :)

3) Facebook's "Democracy Theater": As suspected, Facebook's new rules have been released and they're really no better than the last go-round. The difference? People now think that things are better. However, according to Light Blue Touchpaper, they're not. Oh, sigh.

If you're coming to RSA, hope to see you next week! I'll be in ABA meetings Sat/Sun, bouncing around Monday, largely free Tuesday, reception-hopping Wednesday, rolling (Gracie Jiu-Jitsu) with @jeremiahg and @Beaker Thursday, and so on. w00t! :)

"Hang in there! 9 life lessons from rock climbing: Matthew Childs on TED.com"
http://blog.ted.com/2009/04/hang_in_there_9.php

9 Rules:
1. Don't let go
2. Hesitation is bad
3. Have a plan
4. The Move is the End
5. Know how to rest
6. Fear Sucks
7. Opposites are good
8. Strength != Success
9. Know how to let go

Watch the video (link above) for the full info. :)

In case you blinked and missed it, I've not been super-active lately. This is because I've just moved from the DC metro area (NoVA) to Phoenix, AZ. This was a lengthy process in order to coordinate with my wife and her job, as well as our kiddo. So, suffice to say, I'm exhausted AND surrounded by boxes. :)

In related news, now that I'm settling into AZ, it's time to leave! :) Yep, Friday night I fly out to San Fran to start pre-RSA meetings, followed by RSA itself (of course). Hope to see you there!

Anton had an interesting post up yesterday titled "Five Reasons to Dislike PCI DSS – And Why They Are WRONG!". As per usual, it's decent writing, EXCEPT that poor Anton is wrong himself (not to mention that he listed 5 "wrong" things, but then the fifth he says "right" to - a little confused by that!:).

So, the two "wrong" reasons that I take issue with are:

1. PCI DSS is a distraction from “real” risk management and security: WRONG!
2. PCI is just checklist security: WRONG!

Here's the thing, I why I have to disagree with him... perception is far more important than reality. Just because the PCI Security Council actually intended for a risk-based approach, and just because they did not intend for it to be checklist security, does not mean this is in fact how it is perceived, let alone used. The fatal flaw is that the preamble of PCI in the beginning (v1.0) did not start "the following may appear to be a prescriptive checklist, but it is instead a way to benchmark organizational maturity using a risk-based model." The fact of the matter is that the PCI DSS does not define risk, does not tell you to setup a risk-based model, does not talk about maturity, etc. They tell you prescriptively what you have to do to become compliant. It's really a hideously bad thing, precisely because of Anton's #3 ("We “got compliant” and now we are breached – it’s PCI’s fault: WRONG!").

The folly behind all this is: if you tell people specifically what needs to be done to achieve compliance, they will do that, and only that. It's the path of least resistance. And no matter how much you disclaim that "PCI compliance does not make you hacker proof" people will still think that compliance == security. Is this right? No. Does this make sense? No. Well, sort of. The problem is that people (generically) still do not fully understand information security. The feedback loops simply don't exist in the brain yet for understanding and reacting to infosec.

So, to Anton, and others, I say that the PCI DSS has brought us to this failure scenario precisely because it used the wrong approach in communicating its mission and intent. The goal stated has always been one of compliance, rather than one of risk reduction, risk resiliency, or proper risk management. The reason we know the goal has always been compliance is because it's mandatory to meet all of their prescriptive requirements. This makes PCI DSS checklist security, whether they intended it to be that or not. Why? Because that's the path of least resistance - the easiest way to get that box checked.

There's an ancient religious aphorism that it's easier for an elephant (or camel) to be threaded through the eye of a needle than it is for (insert your religious preference here). For some reason, while reading Jeff Hawkins' On Intelligence last night the thought occurred to me that PCI is the elephant and our limited budgets are the eye of the needle.

The cost of PCI compliance is getting to be quite staggering. According to a blog post from ElementPS in February, a Gartner survey found that the average Level 1 merchant spent $2.7 million on PCI compliance in 2008, while the average Level 2 merchant spent $1.1 million. In case you're wondering, that's a lot of money!

Toward this end, the PCI Security Council has released a "Prioritized Approach for DSS 1.2" that can help organizations better plan their compliance efforts. Of course, this report comes with the standard caveats that full compliance is still expected, there are no shortcuts, yada yada yada.

So, what's a person to do? Well, it seems to me that you have two choices: shrink the elephant or get a bigger needle eye.

Well, I guess it's about time I catch up with this social networking revolution. :) As of this morning (EDT) you can follow me on Twitter - @falconsview. Join me in mourning the loss of privacy and free time. ;)