August 2010 Archives

I've read recently, with much interest, a post by Martin McKeay about how he would redesign the PCI framework, as well as an in-depth summary from InfoLawGroup about the most recent entry into the draft legislation pool on security and breach notification. The more I think about this notion of creating standards and laws that spell out certain requirements, the more I think we've gotten it completely backwards. It actually makes me nervous when a regulation goes into such extensive detail, a la PCI DSS, that it tells organizations exactly what they need to do, as if one could possibly say universally what is most appropriate for every organization in their context with their own unique risk profile.

As further evidence that I think we've approach things from the wrong perspective, consider Seth Godin's recent post, "Resilience and the incredible power of slow change," in which he says:

"Cultural shifts create long terms evolutionary changes. Cultural shifts, changes in habits, technologies that slowly obsolete a product or a system are the ones that change our lives. Watch for shifts in systems and processes and expectations. That's what makes change, not big events."

He's absolutely hit the nail on the head here. What we need is a culture shift, not some lightning bolt from heaven that suddenly forces a massive corrective action. We're all living with institutional inertia that greatly limits our ability to chart instantaneous course corrections. Instead of mandating long lists of penny-ante requirements, we instead need requirements that will start initiating cultural shifts. In this regard, if PCI DSS 2.0 actually contained a meaningful rewrite, then I would think the new 3-year release cycle would be ok.

Please Note: This article is cross-posted from fudsec.com.

I've been reading Richard Clarke's latest book, Cyber War, in an effort to delve deeper into the topic. Maybe it's been all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD.

The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor.

Our good friends at NSS Labs have released a new report today independently evaluating the effectiveness of Host Intrusion Prevention Services (HIPS) that are integrated into most mainstream security suites. In this go-round, they've evaluated solutions from AVG, ESET, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro. As with previous reports I've reviewed (see AV/malware here and IPS here), this report provides a very thorough look at the capabilities of these product suites.

I was cleaning out some old boxes of "stuff" from days gone by and ran into a hard copy of a presentation that I delivered as part of the interview process at CERT/SEI in Pittsburgh back in 1998. At the time, I had been very hopeful to get a job at CERT as they were doing security work that I simply wasn't seeing in the private sector (at least, not in the Midwest). Alas, it didn't work out, but I digress...

What jumped out at me about this presentation is that, in 12+ years, nothing has changed! The same arguments I made back then about needing to be proactive with security, working to integrate it into all aspects of the business in order to make it implicit and inherent are still true today. Perhaps the most interesting bullet in those slides for me was one where I asked "why aren't we teaching calculus and computer science in elementary schools?" I don't think my audience grokked the question back then, and I'd be surprised if people would even get it today.

As I'm sitting here in FAIR training this week in Cincinnati, I've been starting to apply rational thought to some of the staid and true "best practices" that have become cornerstones of our industry. To me, password complexity has always been somewhat ridiculous, since given enough time any captured password can be broken. This leads me to wonder, what are the common threats passwords, and how does password complexity help protect against those threats?

Sitting here thinking about it, I think there are three common scenarios against which we're developing controls:
1) Brute-forcing an authentication interface.
2) Brute-forcing a captured password hash.
3) Guessing passwords (not using automated controls).

"And I've seen it before
And I'll see it again
Yes I've seen it before
Just little bits of history repeating"
(Shirley Bassey, "History Repeating")

It's almost time, I think, to start the eulogizing for the outmoded mindsets of people who are standing in the way of progress. Almost. If only they'd get onboard or get out of the way. I think it really has reached the binary point of "either you're with us or against us." It simply sickens me to see some of the same widely-known people languishing on in blind stupor with the same tired arguments they've held since before the internet went mainstream. Hey, guess what? It's 2010 - get with the program!

I recently finished reading the book The Blind Side about the life of NFL star left tackle Michael Oher. It was a very good read, with interesting stories - many of which did not make it into the movie version. What I found perhaps most interesting is the parallels between makes a truly great NFL left tackle, and what makes for a highly effective security program. Three physical characteristics were described in the book as being essential to success: long arms, a solid base, and quick feet. Likewise, an effective security program will also embody these characteristics.