Silver Tail Blog

Fighting against business logic abuse.

Jeremiah Grossman’s View on Security Religions

As mentioned in a previous post, Jeremiah Grossman (pictured) and Trey Ford gave a presentation at BlackHat about business logic abuse. I understand the talk was very popular.

Jeremiah has a post on his blog that goes into a little more depth on how websites look at security in two different ways: in depth or in breadth.

Each organization must decide for themselves the level of risk they are willing to accept. Security managers are asked to provide budgetary guidance by articulating that spending “$X on Y, will reduce the risk of loss of $A by B%.” These decisions have given rise to two prevailing, but opposing security religions — Depth and Breadth. Graciously referred to as religions for how their value is typically justified resembles more of a belief system rather than rooted in science or metrics.

This is a very interesting post with lots of commentary on the different types of bad guys and the different ways to look at defense.   As an added advantage, there is a link at the bottom to an upcoming encore of the BlackHat presentation!

August 13, 2009 Posted by Laura Mather | Fraud, Online Fraud, Prevention, business logic abuse | No Comments Yet

Security (or lack thereof) in the Cloud

The case of sensitive Twitter documents being exposed due to a breach of an email account and access to the Google Documents application adds fuel to a discussion that is already approaching inferno status. I’ve heard two very different points of view on whether moving applications to the cloud will help or hinder security.

One side of the debate says that moving applications and data to the cloud is an extremely dangerous proposition. This group contends that putting applications and data in the cloud makes them more accessible to the bad guys while assembling data from multiple organizations all in one place.

I absolutely see the point that moving to the cloud has certain risks and could create efficiencies for the bad guys (attacking one place instead of many).

My main worry with keeping data and applications out of the cloud is this: Having an individual instance of each organization’s data and applications sitting within each organization’s data center means the security and protection of those data and applications falls to the security employee/team of each organization.  There are now millions of people/teams worldwide with the charter to protect the applications and data of their organizations.  While almost all of these people are brilliant at what they do, I see a nightmare of keeping all of them up to date on best practices, system patches and updates, etc.

Taking the cloud scenario to its extreme, we see a type of efficiency that can be gained. When many organizations’ data and applications are all stored in one place, that place will absolutely have to be an expert at protecting that data and those applications, but it seems like it would be easier to protect a lot of things under one protocol than protecting many things, each in their own disparate environs.

My preference on this point may have something to do with my being a control freak. When I think of all of the data and applications that need protecting, it’s easier for me to understand how to protect them if they are all in one place.

The debate on security of the cloud is currently raging.  It would be great to hear some other viewpoints on this topic and see where my logic is flawed.

July 16, 2009 Posted by Laura Mather | Fraud, Online Fraud, Prevention, information security, risk management | No Comments Yet

Making the 20 Controls for Effective Cyber Defense Approachable

SANS has published “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.  I must admit, I was pleasantly surprised by what was published.

My biggest concern prior to reading the draft was that since this document was supposed to be all-encompassing and was very likely “written by committee”, the guidance would end up being too complicated to understand, let alone implement.  I was wrong. 

The power in the document is that the recommendations are boiled down to 20 simple sentences.  Here they are:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

Of course, “Boundary Defense” is not as simple as those two words imply and there are a multitude of details behind each one of these “controls”.  There is definitely a lot to be proven out about whether or not most organizations (government and industry) will be able to make sense of these directives.  But I applaud the authors for at least attempting to make the initial pass at the document un-intimidating.

Security is a complex, acronym-laden practice that can be especially difficult for the uninitiated to approach, let alone tackle.  By keeping the initial steps of this directive relatively simple, the authors have taken the right approach: make people understand the task can be accomplished when they first start. 

And that’s another strength to the structure of the document.  Since it is presented as a webpage, when you get to the bottom, there are links to separate pages for each control.  As a CISO or CTO is working through the plan, they can look at one control at a time and determine how to move forward with it without being overwhelmed by the entire document.

This may be an advantage of the internet – we hide the complexity by making a 100 page book look like a 5 page website with a few links at the end.  If this helps people feel like the task at hand is attainable, that’s a good thing.

February 26, 2009 Posted by Laura Mather | Compliance, Data Loss, General, Prevention | No Comments Yet

Social Network Security – When will we reach the tipping point?

Bruce Schneier posted a link to an article on Facebook Privacy.   A couple of days earlier, Mario Sundar of LinkedIn posted an article on Security and Privacy on LinkedIn.

It’s fascinating that the security people are starting to pay attention to social networks.  Social networks have always had privacy and security risks.  In fact, they have much bigger privacy risks than typical websites where people have accounts.  E-commerce sites usually don’t show interesting information about where you work, your children’s names, the clubs you belong to, etc.

I’ve been keeping an eye on the progression of social network sites. Having been responsible for user security on a website for three years, I understand the tradeoffs that have to be made. Social networks are at the stage where attracting more people to join the social network is much more important than making sure that those users are safe.

I’ve definitely heard cases where marketing teams will tell the security group that protecting millions of users is not nearly as important as attracting millions more users to the website.   The e-commerce websites are starting to learn a valuable lesson, though: having a website that does not protect its users’ privacy and security will scare away users faster than it attracts them.  I’ve talked to several e-commerce companies lately that say they are ramping up their security teams to make sure that their customers have a positive experience.  It’s great to see the priority shifting from gaining new customers to keeping the current customers safe.

My question is: how long will it take for the social network sites to make the same choices? Since internet time accelerates faster than normal time, my guess is that what took e-commerce companies 5-10 years will likely take social network sites 2-3 years. I’ve heard rumblings of social network sites placing a priority on security, even if it means a few fewer registrations, but I don’t have any direct evidence. If anyone has any anecdotes they’d be willing to share or predictions on how long it will be until we reach the tipping point, I’d be happy to hear them.

February 18, 2009 Posted by Laura Mather | Cost of fraud, Fraud, Online Fraud, Social Networks | No Comments Yet

Increasing Trust vs. Increasing Security

Bruce Schneier had a very interesting post about how the Department of Homeland Security (DHS) has two impacts on Americans: it makes us more secure and it makes us think we are more secure.  I totally agree with the hypothesis that sometimes making people think they are more secure is the appropriate thing to do.  I experienced this personally at a much smaller scale.

When I worked at eBay I was in a group called “Trust and Safety”.  That was a very fitting name for the group since we had two goals: 1) make people feel safe transacting on eBay and 2) actually make them safer when they were transacting on eBay.  Security projects often support one of these goals more than the other, but there are places for both.

Let’s look at an example. Let’s say that a bad guy finds a way to send scam emails to the users of a website. In this example, it’s very difficult to send these emails and the bad guy is only able to send out 100 emails even though the website has tens of millions of users. What happens, though, is one of the users who received an email contacts a reporter and the “event” (despite having very little actual impact) gets a lot of coverage. When things like this happen, users tend to lose trust in a system even though the probability of being impacted by the problem is extremely low.

Events like the one above definitely require a response.  From the security point of view, it doesn’t make sense to commit a lot of man hours and resources to fixing something that has so little security impact.  Instead, it is more valuable to deploy a response that helps increase trust.

An example of something that helps increase trust and does much to increase security (most of the time) is launching or updating a security center.  If a website is concerned that users are worried about their security on the website, one thing the website could do is create a security center and then communicate about the new security center to their customers.  Most customers will never visit the security center (in fact, the ones that do are likely the most security-conscious, but this is a topic for another post) but will be assured that the website cares about security.  This will make them feel better about transacting on the site and will, hopefully, increase their activity.

I saw this all of the time in my past job – balancing trust and actual security.  It could be highly effective to launch a security initiative merely to make people feel better.  But that’s a good thing for the website.  In fact, if people feel better about transacting online, that’s a good thing for the internet in general.

I’d be curious to hear about trust vs. security decisions others have had to make. I’m sure there are a lot of examples.

January 30, 2009 Posted by Laura Mather | General, Trust | No Comments Yet

Heartland response – Minimizing the damage of breached data

Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident.  In a recent post, Bruce discussed how data breach notification laws encourage companies to improve their security.

While I’m all for encouraging companies to improve their security and see how breach notification laws can help with that, now that a breach has occurred, the next step should be to try to minimize the subsequent damage.

One method for minimizing data loss might be a bit controversial, but could also have a major impact on identifying the use of the stolen cards. Here’s the idea (try not to judge it until you read the rest of the post): The credit card companies that cancel the impacted cards should privately publish the canceled card numbers to merchants.

This probably needs more explanation.  If the credit card companies had a certain set of merchants where they had very good working relationships – maybe some of the large online merchants, for example – they could give those merchants the list of card numbers that had been canceled.  Then those merchants could look for the canceled cards being used and flag that activity – and anything associated with it – as suspicious.  Since it is likely the bad actors will use the cards in batches and they won’t know which cards were canceled versus which were not, this is one way the credit card companies could help minimize the damage to the merchants.

Some people may be concerned about the privacy of credit card companies sending out credit card numbers.  There are three things to keep in mind about this.  First, the credit card numbers they would send out would not have any other information associated with them – they would just be card numbers.  Second, since the cards themselves would have been canceled, they are no longer owned by any person but are, instead, owned by the credit card companies themselves.  So there shouldn’t be any privacy concerns.  Third, I am not advocating that the card numbers be published on the internet for everyone to see.  Instead, they should be delivered via a secure mechanism only to merchants that are well known, trusted, and are interested in using them to take action.

What would be the right way to make this collaboration happen?
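The merchant-side check this post describes, as an added illustration that is not code from the post or from Silver Tail: a merchant holds the privately shared list of canceled card numbers, flags any transaction paying with one, and then flags other transactions tied to the same browsing session or shipping address, following the post's reasoning that the bad actors use the cards in batches. All card numbers, session ids and addresses below are constructed sample values.

```python
from collections import defaultdict

# Constructed sample: canceled card numbers shared privately by the issuer.
# These are made-up values, not real card numbers.
CANCELED_CARDS = {"4000000000000002", "4000000000000010", "5100000000000008"}

# Constructed sample of a merchant's recent transactions (made-up values).
TRANSACTIONS = [
    {"id": "t1", "card": "4000000000000002", "session": "s-a", "ship_to": "1 Elm St"},
    {"id": "t2", "card": "4000000000009999", "session": "s-a", "ship_to": "1 Elm St"},
    {"id": "t3", "card": "4000000000000010", "session": "s-b", "ship_to": "2 Oak Ave"},
    {"id": "t4", "card": "4000000000001234", "session": "s-c", "ship_to": "2 Oak Ave"},
    {"id": "t5", "card": "4000000000005678", "session": "s-d", "ship_to": "9 Pine Rd"},
]


def flag_suspicious(transactions, canceled, link_keys=("session", "ship_to")):
    """Return {transaction_id: reason} for transactions worth a closer look.

    Direct hits are transactions paying with a canceled card.  Linked hits are
    transactions that share one of link_keys (same browsing session or same
    shipping address) with a direct hit.  Linking is one hop out only: a linked
    hit does not itself pull in further transactions.
    """
    flagged = {}
    for tx in transactions:
        if tx["card"] in canceled:
            flagged[tx["id"]] = "uses a canceled card"
    direct = set(flagged)

    # Index every (attribute, value) pair to the transactions carrying it.
    index = defaultdict(set)
    for tx in transactions:
        for key in link_keys:
            index[(key, tx[key])].add(tx["id"])

    for tx in transactions:
        if tx["id"] in direct:
            continue
        for key in link_keys:
            if index[(key, tx[key])] & direct:
                flagged[tx["id"]] = f"shares {key} with a canceled-card transaction"
                break
    return flagged


if __name__ == "__main__":
    for tx_id, reason in sorted(flag_suspicious(TRANSACTIONS, CANCELED_CARDS).items()):
        print(tx_id, reason)
```

In practice the canceled-card list would be refreshed as the issuer extends it, and the flagged transactions routed to manual review rather than declined outright.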

January 27, 2009 Posted by Mike Eynon | Data Loss, Online Fraud | 3 Comments