John Pescatore

A member of the Gartner Blog Network


Friday Filler: If The Sun Rose in the East, You Had a Cyber-Attack Today

November 20th, 2009 by John Pescatore · No Comments

For some reason, the SANS Newsbites didn’t use my comments on the item below, so here it is to fill the Friday blog:

US Government Agencies Say Incidents Are a Daily Occurrence (November 10 & 11, 2009)

A CDW-Government survey of 300 US government IT professionals found that 44 percent of agencies noted an increase in the number of security incidents over last year.  Thirty-one percent of respondents said their agencies experienced at least one cyber security incident every day.  The top areas of concern reported by respondents were malware, inappropriate employee activity or network use, managing access for approved remote users, and data encryption.

Pescatore – I’m really worried about the 69% who *don’t* think they are having daily security incidents. Basically, a day without a security incident is a day without any Internet connectivity and with no human beings using any computers that have any software running on them.


Is Apple an “Enterprise-class Vendor” From a Security Perspective? Nah

November 19th, 2009 by John Pescatore · 1 Comment

This week’s Twelve Word Tuesday was about all those holiday season presents showing up on your network when everyone comes back to work on January 5th.  Apple is one of the major vendors of those “toys” and last week colleague Nick Jones asked for input on this question: “Is Apple an Enterprise-class Vendor?” At Gartner’s Asia Pacific Symposium this week, Nick debated another Gartner analyst (Robin Simpson) on this topic, and Nick blogged about it here.

Here is the response I sent Nick from the security perspective:

On the iPhone side, the fact that there is no actually supported management app and that any user can change any policy setting pretty much says it all.

Pretty much the same thing on the Mac side, plus patching issues – Apple vulnerabilities go unpatched for long periods of time, and patches come out without any warning or much information at all.

Years ago I did a Research Note on how to quickly judge how serious a vendor was about enterprise security, and I graded lots of vendors. The easy test: go to www.vendorname.com/security and see what you find. Vendors fall into 3 categories:

  1. They get it – /security has good security info, an easy place to report bugs, etc.
  2. They don’t really get it, but they are in the enterprise business – /security tries to sell you on how secure they are, vs. help you stay secure.
  3. Consumer-grade company – you get error 404 or equivalent

Check out www.apple.com/security and you find they are clearly type 3 – nice picture of a snow leopard though…

Take a look and compare Apple, Google, Nintendo, Microsoft, Cisco, Oracle, Juniper, etc. and you see the differences and similarities between consumer-oriented vendors and enterprise-oriented vendors – and which enterprise-oriented vendors “get” security.

This litmus test doesn’t really work for security vendors – some of them (like Symantec) make good use of the /security real estate, while for some reason others (like McAfee and Checkpoint) let it waste away in error 404 land.
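The /security litmus test above, automated: this is an added example (not Pescatore’s tooling or any vendor’s code) that requests www.<vendor>/security for a list of vendors and sorts each result into the post’s three buckets. The vendor-*.example domains and their responses are constructed placeholders so it runs offline; category 1 versus 2 (helping you versus selling you) still needs a human, so the script only flags candidates.

```python
from collections import namedtuple
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import urlopen

# One fetched page: final HTTP status (after redirects), final URL, start of the body.
Page = namedtuple("Page", "status final_url body")
def fetch_live(url, timeout=10.0):
    """Real fetch via urllib (follows redirects); not used by the offline sample below."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return Page(resp.status, resp.geturl(), resp.read(4096).decode("utf-8", "replace"))
    except HTTPError as err:
        return Page(err.code, getattr(err, "url", url), "")
# Words a "they get it" page tends to carry: a bug-reporting route, advisories, etc.
HELP_MARKERS = ("report a", "advisor", "vulnerab", "bulletin", "psirt", "cve-")

def classify(page):
    """Sort one /security fetch into the post's three buckets; 1 vs. 2 still needs a human."""
    if page is None:
        return "3 (unreachable)"
    if page.status == 404 or page.status >= 500:
        return "3 (404 or equivalent)"
    if urlparse(page.final_url).path.rstrip("/") == "":  # bounced back to the home page
        return "3 (redirects to home page)"
    if any(marker in page.body.lower() for marker in HELP_MARKERS):
        return "1 (candidate, confirm manually)"
    return "1 or 2 (manual review)"

def run_litmus_test(vendors, fetch=fetch_live):
    """Probe https://www.<vendor>/security for each vendor and return {vendor: verdict}."""
    results = {}
    for vendor in vendors:
        try:
            page = fetch(f"https://www.{vendor}/security")
        except Exception:  # DNS failure, timeout, TLS error: treat as unreachable
            page = None
        results[vendor] = classify(page)
    return results

# Constructed sample responses on placeholder domains (not real vendors); pass fetch=fetch_live to probe real sites.
SAMPLE_PAGES = {
    "https://www.vendor-a.example/security": Page(200, "https://www.vendor-a.example/security", "Report a vulnerability"),
    "https://www.vendor-b.example/security": Page(404, "https://www.vendor-b.example/security", "Not Found"),
    "https://www.vendor-c.example/security": Page(200, "https://www.vendor-c.example/", "Welcome!"),
    "https://www.vendor-d.example/security": Page(200, "https://www.vendor-d.example/security", "We are the most secure."),
}

def fetch_sample(url):
    if url not in SAMPLE_PAGES:  # vendor-e.example has no entry: simulates a dead host
        raise OSError("simulated timeout")
    return SAMPLE_PAGES[url]
```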


Wednesday Whimsy: Invest in Prevention, or Legislate Away Threats?

November 18th, 2009 by John Pescatore · 1 Comment

Back in 2007, I nominated FireEye as a Gartner “Cool Vendor” since I’m constantly looking for vendors doing interesting things to deal with the “arbitrary malware” problem – developing wire-speed techniques to determine if in-bound executables are malicious or not.

Today there is an announcement that In-Q-Tel (IQT), the CIA’s “venture capital” organization, has invested in FireEye:

“FireEye is a critical addition to our strategic investment portfolio for security technologies,” said T.J. Rylander, a Partner at IQT. “FireEye offers a valuable combination of next-generation malware protection, and its approach to detecting and defeating malware is unique and potentially game changing.”

This is no guarantee of success – the vast majority of In-Q-Tel’s investments do not break through to the commercial side – but it is nice to see the US Government making more investment in techniques to deal with current and next generation threats.

Contrast that with another government announcement this week in this AP piece:

WASHINGTON – Stung by an embarrassing electronic leak last month revealing ethics investigations into dozens of lawmakers, Congress moved Tuesday to prohibit federal employees from using the same type of Internet file-sharing software blamed for the disclosure.

Oy – I knew this was coming, as I blogged back on November 2nd when the sensitive government information leaked out via employees with file sharing software installed:

Now, the knee-jerk reaction will likely be to try to legislate bans on P2P software but that is dealing with the symptom, not the problem. The problem is that normal users can never keep up with what needs to be done to keep business data secure on their home PCs or on consumer-grade web sites and services. Enterprises have to put security controls in place to monitor, contain and ultimately secure the use of all business information, whether in the data center, on a managed PC or on a home PC.

This “let’s legislate the problem away” approach never works. The users violated security policy and they will break laws, too. Part of it is as simple as this: speed limits don’t stop speeding; radar traps and traffic cameras do. But the other issue is that threats continually evolve and users cannot be expected to keep up – let alone will legislators or legislation ever keep up. Remember back in 2001 when some politicians wanted to make buffer overflows illegal?

The government investing in using advanced forms of protection is a much better use of tax dollars than more legislation.


Twelve Word Tuesday: Only 50 Days Until All Those Christmas Presents Show Up On Your Network

November 17th, 2009 by John Pescatore · 2 Comments

How will you secure those iPhone and Android stocking stuffers on 1/5/2010?


Friday Follies: A Busy Week for Hacking of Consumer-Grade Social Networks

November 13th, 2009 by John Pescatore · 1 Comment

MSNBC has a piece on a “vigilante” hijacking a number of Facebook group sites. Facebook’s statement helpfully pointed out “We are still investigating this situation, but an extremely small number of groups have been affected.” Sort of like a doctor saying “I haven’t really finished checking, but at first glance the tumor I did find is pretty tiny.”

MSNBC must be ramping up their security coverage – they had another item on attacks on Twitter sending bogus Direct Messages (private messages between Twitterers) in phishing attacks. MSNBC quotes Twitter’s spokesperson as helpfully pointing out:

Twitter also suggested users who may have gotten the fake Direct Messages to change their log-ins and passwords to prevent unauthorized use of their accounts. Users “should ‘feel free’ to change their passwords if they are worried,” the company said.

That is sort of like the bank saying “Users should ‘feel free’ to use a different ATM machine if the one you were using gave your money to someone else.”

NetworkWorld weighed in with guidance for Facebook users about steps they should take to be safe from “scammy” games that are popular on Facebook. Playing games on Facebook pretty much means you agree to give the game company full access to your profile – but even if you don’t play the game, it turns out that friends who have access to your profile are often giving away access to your profile info when they play. The piece points out that Facebook’s “privacy” policies are “ever-changing,” like most consumer-grade sites, so users need to constantly check and keep up with changes.

This is sort of like the cellphone companies occasionally deciding that if someone in your speed dial list signed up for direct marketing calls, then your phone number would be given to the phone scammers, too.

Looks like responsible users have to be pretty busy keeping themselves safe out there. Sort of like if on an airplane all the passengers had to keep looking out the window to avoid other planes, and also remember to lower the landing gear…


Addressing Credit Card Vulnerabilities

November 11th, 2009 by John Pescatore · No Comments

I commented here yesterday, and in this week’s SANS NewsBites, about the overhype in Sunday’s 60 Minutes piece on cybersecurity. One thing that was mentioned was “white card fraud,” where card data stolen online is put on blank credit, debit or ATM cards and waves of “card present” fraud happen. Nothing new – I think MSNBC had a piece on this in 2006. But this is one of the ways that cybercrime makes its “revenue,” and it raises the question: why is it so easy to counterfeit cards?

There are various approaches to making it harder. Chip and pin cards raise the bar but they make the cards more expensive. Techniques like Magtek’s Magneprint work with low cost magnetic stripe cards but require their technology in the card readers, and require card issuers to alter their registration process a bit – but nothing all that complicated.

The biggest obstacle is the odd multi-party relationship between card issuers, acquirers, merchants and card brands – nothing moves quickly in the credit card industry if it might in any way impact transaction growth. It seems like merchants lose out the most in this area – consumers have lots of legal protections and the banks and card brands make the rules. Making “white card fraud” harder would certainly be a good thing, but it seems it doesn’t have enough benefit for those who make the rules vs. those who have to live by them.


Twelve Word Tuesday: 60 Minutes, Mike McConnell and the FBI Say The World Has Already Ended

November 10th, 2009 by John Pescatore · 1 Comment

For hype, focus on the threat; for security, focus on the vulnerabilities.

(By the way, here’s an alternate view of the cause of the Brazilian black-out)


Consumer-grade IT: Facebook/MySpace Coding Flaws

November 9th, 2009 by John Pescatore · 2 Comments

Most of the discussion on “opening up to social networking” seems to focus on the simplistic problem of allowing access from work or blocking it. That’s an easy one – businesses and government agencies will allow access, generally sooner rather than later. The real issue is what security controls need to be added to make sure that use of those sites is safe enough for business use – because by themselves, they are not safe enough for business use.

A piece in NetworkWorld on major cross-site vulnerabilities in Facebook and MySpace points this out. The business model behind social networking sites is to put ads in front of users and to get high prices for those ads by making sure they are targeted to match users’ behavior and profiles. There is a built-in incentive to gather information on users and make it available to 3rd parties – a perfect breeding ground for cross-domain leakage problems.

Now, those sites also have a built-in incentive to have loyal users, so they can’t completely lose the trust of users. However, growing ad revenue 20% will always trump temporarily slowing user growth because of data exposure incidents – but if your customer’s data has been exposed through one of those events, the costs to your business will continue for a long time. Especially if you are relying on the “we assumed they were responsible users – we told them not to do that” approach.


Is Google Android The Same “Most Secure Operating System” That Windows XP Was Supposed to Be?

November 4th, 2009 by John Pescatore · No Comments

eWeek published a puff piece promoting the security of Google’s Android operating system, which is starting to show up on some mobile phones. It read like a rip-and-read job from a Google marketing brochure:

1 – not really valid – we’ve said open source code gets more secure, more quickly but it is the security focus of the development cycle that determines if code starts out and ends up more secure.

2 – Running applications in multiple processes by no means guarantees that “no application gains critical access to system components”

3 – Starting from Linux does not guarantee a more secure OS.

4 – Access restrictions that somehow guarantee that applications won’t harm the user or touch sensitive data would be very nice. No evidence that they have actually achieved this.

5 – Code signing support, nothing new here, but a good thing.

6 – Total hogwash: “Google has shown time and again that it is focused on user security.” Not been true to date any more than any other software vendor.

7 – More hogwash – putting the bug reporting email address on your web site is pretty standard for every software vendor. I did a Research Note grading IT vendor web sites on this and other web site security pages over 5 years ago.

8 – Sounds like the UAC feature in Windows Vista, which didn’t exactly prove to be effective, let alone popular.

9 – Not building a media player into the OS is a good thing, but the claim that “One of the most common ways attackers gain entry to a mobile phone is through audio and video running in a web browser” is a totally false strawman.

10 – “Google gets the web” is certainly valid, but so was “Microsoft gets the desktop” – Google certainly does have a good view of web sites and through acquisitions of security companies like Postini does have a good view of malware running out there.  However, talking with Gartner clients at our security conference and the recent Symposium I listened to many complaints from unhappy Postini customers since Google acquired them – it is not clear that Google actually “gets” how to secure the web.

Yesterday, I pointed out that “Transparency plus inspection is the friend of security, freshness not so much.”  This certainly holds true for Android – transparency and freshness, yes – inspection, not so much yet.


Twelve Word Tuesday: Openness Good, Newness Bad

November 3rd, 2009 by John Pescatore · 1 Comment

Transparency plus inspection is the friend of security, freshness not so much.
