How To Survive And Thrive At #SXSW If You’re Not From Texas

John Kindervag

I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM - 1:30PM at the Austin Hilton Downtown. Hope to see you there.

Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.

You’re coming to a foreign country.

Read more

An Unexpected RSA Encounter

Rick Holland

Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.

Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.

Read more

Starving The Golden Goose

Andrew Rose

The new revolution in apps and social media continues at a stunning rate. Nearly every day a colleague tells me of another app or site that is bubbling up and about to hit the big time. Many will not break through, but some will capture the imagination and become the next generation of YouTube and Facebook.

The behaviour of certain apps/sites, however, gives me some cause for concern. As a recent entrant to Pinterest, I was alarmed to note that the site takes a copy of the pinned image and serves that from its own servers. The burden of managing copyright issues seems to sit firmly with the users, most of whom never give such legislation a second thought. There is a method for removing content however, unsurprisingly, it’s not half as simple as pinning new content.  Pinterest’s terms and conditions are also interesting, giving it “irrevocable, perpetual, royalty-free” permission to “exploit” member content.

The Pinterest site is building its value on other people’s content — which is fine as long as those people have consented.  I recently looked at some interesting Infographics pinned on the site, all of which must have taken considerable resources to put together, yet I never once needed to visit the source site, which may have perhaps triggered advertising income vital to enabling them to continue their work. I wonder if they even realize their content is available in this way?  

Read more

Lies, Damn Lies, Security Metrics, And Baseball

John Kindervag

The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”

Read more

Security Pros Need To Value Pragmatism Above All Else

Andrew Rose

Last night I attended a vendor presentation about cloud-based risk and the threat from nation state attacks. Unfortunately, due to a busy schedule and a difficult journey, I arrived just as the final presentation moved to its Q&A stage. Listening to a Q&A session when I had no idea what the content of the presentation had been was actually quite an interesting experience, unfortunately not for all the best reasons.  A section of the audience immediately dived into the detail and tried to find fault with the solutions that had evidently been outlined. They poked and prodded the presenter until she admitted that no solution was 100% and, yes, there were ways to mount a successful attack even with her recommendations in place. At that point, the questioners sat back in their seats, triumphant – they had won.  There seemed little interest in continuing the conversation to figure out ways to minimize the remaining risk, and their body language suggested that they had mentally discounted everything that had been said.

I was a little disappointed by this. Some S&R pros seem to treat information security as an academic exercise, a challenge where the best argument wins and security is a mere footnote. These folk are often also the ones who overreact to very complex, and very unlikely, technical threat scenarios while overlooking behaviors and processes that may be fundamentally flawed. They appear unhappy with any security solution that isn’t perfect. I had hoped that we all recognized that good security was not about hitting a home-run; it’s much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.

Read more

WikiLeaks And Stratfor Make The Case For More Data Encryption

John Kindervag

Yesterday, WikiLeaks released emails taken in the highly-publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.

While Stratfor’s response suggests that some of the emails may have been tampered with, this is not the point. As the soon-to-be infamous “Lunch Theft” email shows, that might be merely what the email calls Fred's rule # 2: “Admit nothing, deny everything and make counter-accusations.”

Read more

Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces

Rick Holland

Last week I read an article on wired.com’s Danger Room blog about the elite US military Special Forces command, JSOC.  The units within the Joint Special Operations Command (Delta Force and Seal Team 6) are responsible for the most clandestine and sensitive US military operations, including the Bin Laden raid into Pakistan last year. JSOC is very similar to elite Special Forces (SF) units across the globe including: the Russian Spetnaz, British SAS, French Naval Commandos, and the Israeli Shayetet 13.  These SF units are capable of addressing asymmetric threats that traditional military units aren’t prepared to handle.

In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Command about JSOC. The article piqued my interest and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it.  Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques utilized by SF to deal with the cyber threats we face today?  I realize that we have an international audience, and my point isn’t to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.

Read more

Categories:

Open & Honest - Should Breach Disclosure Be Mandatory?

Andrew Rose

A few months ago I shared a flight with a very pleasant lady from a European regulatory body.  After shoulder surfing her papers and seeing we were both interested in information security (ironic paradox acknowledged!) we had a long chat about how enterprises could stand a chance against the hacktivist and criminal hordes so intent on stealing their data.

My flight-buddy felt that the future lay in open and honest sharing between organisations – i.e. when one is hacked they would immediately share details of both the breach and the method with their peers and wider industry; this would allow the group to look for similar exploits and prepare to deflect similar attacks. Being somewhat cynical, and having worked in industry, I felt that such a concept was idealised and that organisations would refuse to share such information for fear of reputational or brand damage – she acknowledged that it was proving tougher than she had expected to get her organisations to  join in with this voluntary disclosure!

Across the US and Europe we are seeing a move toward ‘mandatory’breach disclosure; however they have seemingly disparate intentions.  US requirements focus on breaches that may impact an organisations financial condition or integrity, whilst EU breach notification is very focussed on cases where there may have been an exposure of personal data.  Neither of these seem to be pushing us toward this nirvana of ‘collaborative protection’.

In the UK, I’m aware that the certain organizations, within specific sectors, will share information within their small closed communities, unfortunately this is not widespread and certainly does not reflect the concept of ‘open and honest’ as my flight-buddy would have envisaged.

Read more

Strong Authentication: Bring-Your-Own-Token Is Number Three With A Bullet

Eve Maler

In approaching the research for my recently published TechRadar™ on strong authentication, at first I struggled a bit with overlapping concepts and terminology (as can be seen in the lively discussion that took place over in the Security & Risk community a few months back). The research ultimately revealed that form factor matters a lot -- smartcards in actual card form, for example, have some properties and use cases distinct from smart chips in other devices. So smartcards became one of the 14 categories we included.

The category that quickly became my favorite was "bring-your-own-token." BYOT is Forrester's term for the various methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have. The classic example is a one-time password that gets sent in an SMS message to a pre-registered phone, but we see emerging vendors doing a lot of innovation in this space. You can get a surprising amount of risk mitigation value from this lightweight approach, in which you can treat provisioning not as an expensive snail-mail package, but as a mere self-registration exercise. In a world where hard tokens and smartcards prove themselves to be, shall we say, imperfectly invulnerable, lightweightness can have a value all its own. In fact, BYOT showed up just behind these two venerable methods in the "significant success" trajectory on the TechRadar.

Read more

Rewind And Replay For Web App Vulnerabilities

Andrew Rose

Security threats develop and evolve with startling rapidity, with the attackers always seeking to stay one step ahead of the S&R professional. The agility of our aggressors is understandable; they do not have the same service-focused restrictions that most organizations have, and they seek to find and exploit individual weaknesses in the vast sea of interconnecting technology that is our computing infrastructure.

If we are to stand a chance of breaking even in this game, we have to learn our lessons and ensure that we don’t repeat the same mistakes over and over. Unfortunately, it is alarmingly common to see well known vulnerabilities and weakness being baked right in to new applications and systems – just as if the past 5 years had never happened!

A recent report released by Alex Hopkins of Context Information Security shines a light on the vulnerabilities they discovered while testing almost 600 pre-release web applications during 2011. The headlines for me were:

  • On average, the number of issues discovered per application is on the rise.
  • Two-thirds of web applications were affected by cross site scripting (XSS).
  • Nearly one in five web applications were vulnerable to SQL injection.

It makes depressing reading, but I’m interested in why this situation is occurring:

  • Are S&R professionals simply not educating and guiding application developers?
  • Are application developers ignoring the training and education? Are we teaching them the wrong things or do we struggle to explain the threats from XSS and SQL injection?
  • Are our internal testing regimes failing, allowing flawed code to reach release candidate stage?
Read more