John Pescatore

A member of the Gartner Blog Network

John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Twelve Word Tuesday: Bug Bounty Bonanzas Bother Me

by John Pescatore | August 2, 2011

Better/cheaper to give bug-free developers huge stock options than reward vulnerability finders.


How About a Big Battle Over Refusing to Increase the “Vulnerability Ceiling”?

by John Pescatore | August 1, 2011

Just imagine if each year, we had the software equivalent of the imaginary “debt ceiling” – the Vulnerability Ceiling. If all global CIOs didn’t vote to increase the total number of software vulnerabilities, software vendors could not sell new versions of their software until the total number was reduced below that ceiling.

Of course, that would lead to a lot of lobbying by software vendors, wining and dining CIOs and CEOs, so we’d probably be forced to come up with a more flexible approach, maybe “vulnerability credits” where software vendors with really nasty code with lots of vulnerabilities could pay those vendors who actually invested in their product design and software development processes to reduce vulnerabilities.

Of course, software vulnerabilities are sort of like global warming – just moving the vulnerabilities/carbon from one vendor/country to another really wouldn’t achieve anything overall. Plus, as each “vulnerability ceiling” deadline neared, it would lead to breathless press coverage, totally blocking out any traditional summertime stories like eggs being poached on driveways or squirrels getting stuck in ice dispensers seeking relief from the heat. OK, that would be a good thing – plus it would be nice seeing all the companies who wrote the most secure applications getting all this money from the Swiss cheese code writers.

Probably the real deal killer, though, is the nightmare scenario of an actual “software vulnerability default” where no software vendors could sell a new version until they cleaned up the old one: the software economy would collapse as enterprises realized they really did not need any new versions of software, and they could live happily ever after on stable, old code…


Has OWA Really Caused Any Owwies?

by John Pescatore | July 27, 2011

I’m spending a lot of time with Gartner clients as they try to address the risks of letting employees use employee-owned smartphones to access business email and business systems. We go through all the risks, but one question I always ask is “Do you support Outlook Web Access?”

The answer is invariably yes. OWA has been out and in use for almost 15 years now, with widespread use during the 10 years since Windows 2000 came out. So, for over a decade employees have been able to access corporate email from their personally owned home PCs (or anything else with a browser), store work-related documents on their home PCs, and often even access shared files and Intranet systems using Outlook Web Access – and the same is true for use of SSL VPNs, which allow even broader access from home PCs.

Now, Microsoft and the SSL VPN vendors have built lots of security capabilities into those products, but most enterprises have not turned on attachment blocking or remote cleanup or many of the advanced features at all – and there have not been many incidents even so. So why all the focus on the risks of allowing employees to use personally owned smartphones?

Well, one big reason is that home PCs usually sit in one place and the employee rarely loses one or has it stolen. Nor does the user change home PCs every 18 months or so – the risk that the device will leave the user’s possession is definitely lower. However, such a high percentage of home PCs are compromised with bot clients and other malware that the risk of data loss via malware is actually much higher using web mail clients on home PCs than using smartphones.

The real message is to meet in the middle: don’t try to apply draconian security policies to the use of personally owned smartphones, but don’t take a “don’t ask, don’t tell” policy on OWA use, either. We have a continuing series of research notes on this: Ken Dulany and John Girard with “Four Architectural Approaches to Limit Business Risk on Consumer Smartphones and Tablets” and John Girard and I with “Critical Security Questions to Ask Before You Support a New Smartphone Platform,” with another one to come in August.


Twelve Word Tuesday: The FBI Won’t Stop Anonymous/LulzSec, But You Can

by John Pescatore | July 26, 2011

If you build it securely, they’ll come – but leave without your data.


No Insurance Policy Ever Protected a Customer, and Lots of them Don’t Even Limit Business Risk

by John Pescatore | July 22, 2011

Sony has publicly stated that the direct costs in 2011 in dealing with their failure to protect PlayStation Network customer data will top $170M – and that doesn’t even count what they may end up paying out in settlements and the associated legal costs. Sony, of course, had insurance and expected that would bound how much out of pocket expense Sony would have, vs. how much the insurance carrier, Zurich American, would pay out.

Oops – according to The Register, Zurich American filed suit against Sony saying:

According to the complaint, Sony tendered the complaints and claims to Zurich and has demanded that the insurer defend it against the claims. It goes on to say ZAIC isn’t obligated to cover the costs because Sony’s insurance policy insures only against legal claims for “bodily injury”, “property damage”, and “personal and advertising injury”.

“ZAIC therefore has no obligation to defend or indemnify the Sony defendants under the ZAIC Excess Policy for the claims asserted in the class action complaints or the miscellaneous claims,” the complaint, filed in the Supreme Court of New York County, stated. It seeks a court ruling that none of the hack attacks qualify for coverage.

Now, Sony may win this lawsuit (though the legal fees to do so will likely eat up quite a bit of the risk bounding that the insurance policy offered in the first place), and whoever decided what type of insurance the PlayStation Network carried looks to have made a big boo-boo, but depending on insurance to bound risks in information security has continued to prove woefully inadequate.

Software engineering is still an oxymoron. There is no table of strengths for software, no handbook of materials, no basis for insurance estimators to determine risk. Fire insurance can look at materials used, fire suppression in place. Auto insurance can look at the track record of the particular car and particular driver to set rates. Not so with software – none of that works.

The first attempts at issuing cybersecurity insurance policies tried to rely on BS7799 and then ISO27001 type audits but the week after the audit everything changed – it is like issuing fire insurance to buildings that go from fire retardant ceiling tiles to gasoline coated ones because of a new consumer fad.

It really falls back to either the payout of the insurance barely exceeding the premium costs, because the insurers have no realistic way to monitor risk (and won’t), or falling back on more general liability policies, the most likely approach. But even that requires making sure liability policies cover other than traditional forms of “damage,” as Zurich American’s language in their suit points out.

Almost invariably, the costs of avoiding a security incident are less than the costs of dealing with the impact of an incident. A Sony lessons-learned will very likely find some simple precautions and process improvements could have protected those 77 million accounts for less than the $300M+ this incident will end up costing Sony. Paying more attention to the terms of their insurance policies may have helped bound that overall risk somewhat better, but insurance would not have prevented 6 weeks of customer down time and would still likely leave Sony spending more on incident response than it would have spent on incident prevention.


What You Hold In Your Hand Can Be a Lot More Secure Than What You Open on Your Lap

by John Pescatore | July 21, 2011

From a security perspective, Blackberries and iPhones are light years ahead in security compared to a Windows laptop. RIM and Apple have had the advantage of controlling both the hardware and the operating system, whereas Windows grew up in a time when the mantra was that the OS had to run on any commodity hardware that met the basic BIOS and PC specifications. Over the years Windows had to maintain backwards compatibility with previous versions of a wildly evolving operating system, and Microsoft jammed more and more application-level functionality into the OS as part of its strategy to compete. All these are major factors in why even today it is difficult to keep a Windows PC secure.

RIM and Apple came along with very restrictive models, dictating the hardware and software combination and making it much harder (but not impossible) for users to load arbitrary executables – and, lo – the market loved it. The safety of being able to click on an app without having it explode in your face or mail your credit card number to criminals in Russia or China by far outweighed the fact that you only have 500 games to choose from, not 5,000.

This is not to say these devices are invulnerable – just as Windows can be rootkitted, iPhones can be jailbroken. Blackberry has had exploitable software vulnerabilities as well. However, the change in the model has shifted the risk on these phones from a malware focus to a protection-of-data-on-the-device focus – the biggest risk is physical loss of control of the device (theft, misplacement, phones that show up on eBay with all data on them, etc.), putting a premium on local encryption and access policy support – not on adding layers of ineffective anti-malware software like in the PC days.

Droid came out and tried to go back to the wild, wild days of the PC (any hardware! many versions of the OS! no restrictions on apps!) and immediately got hit by malware, and the market has already said “hey, where’s your App Store??” – and Amazon and others have already started to offer App Stores for Droid.

This is huge – it is like users choosing cars that get high mileage and safety features over convertibles and roll-over prone SUVs. The market is driving smartphones in a much safer direction – the trick is for IT to be able to react and embrace this trend, vs. fight it and try to apply old world PC thinking to how these new devices should be managed and secured.


Twelve Word Tuesday: You Have to Put Your Foot on the Brake to Go from Park to Drive, But Click on a URL and Boom!

by John Pescatore | July 19, 2011

Like manufacturers of explosives, software vendors really should appoint Chief Safety Officers.


The Perimeter Persists Because Infrastructure is Never Good at Protecting Infrastructure

by John Pescatore | July 14, 2011

Much the opposite of Generalissimo Francisco Franco, the perimeter is nowhere near dead. Mainly because it makes good business sense, even if it does not make for good PhD theses.

Years ago the laptop was supposed to mean the perimeter was dead. Nope, we put a piece of the perimeter (firewall) on the laptop, required it to connect at the perimeter (VPN gateway) and often checked it when it came back to the network (Network Access Control).

Then, when Microsoft came out with Vista and Server Domain Isolation, the perimeter was going away because PCs and servers would just run IPsec to each other and there would be no need for a perimeter. Nope, but Vista really didn’t happen either.

But Windows 7 did happen, and the perimeter was supposed to go away when Microsoft renamed SADI to Direct Access and PCs and servers would just run IPsec to each other and there would be no need for a perimeter. Nope, turns out that Microsoft added a Direct Access server at the perimeter, saying:

“Because DirectAccess servers provide intranet connectivity to DirectAccess clients on the Internet, DirectAccess servers are installed in your perimeter network, typically between your Internet-facing firewall and your intranet.”

Now with cloud, the perimeter is supposed to be extinct again. Nope, turns out businesses are using cloud-based security as a service to inject perimeter security policy between their use of the cloud and threats, and between their data in the cloud and users, or are just integrating cloud services into their perimeter-based SOA governance/security approaches.

Businesses don’t send paychecks to their customers or business partners, and don’t send products to their employees. There is an inside and an outside, and always will be. In physical security we found that locks on doors and safes and vaults were required to protect the physical infrastructure from attacks. Theoretically we could make jewelry and cash and flat screen TVs and prescription drugs theft-proof, but the cost of doing so, and the interruption of business, has proven it would be a bad business decision.

The equivalent in the information world is trusting PCs and servers and data to protect themselves. I can tell you the exact day on which you will know that makes business sense: the second Tuesday of the month after they publish a table of material strengths for software. On that day there should be no more software vulnerabilities to worry about in all those endpoints.

Of course, it is very likely that the sun will go out before we get to that day…


Still in Denial About Denial of Service?

by John Pescatore | July 13, 2011

Thirty-five years ago today I was working at my summer job at JFK airport in New York and all the lights went out – only the control towers were lit, a very eerie sight from a truck driving around the tarmac. This was the great Northeast blackout of 1977.

There have been a number of those over the years – 2003 was the last big one, I think. Now everyone tends to try to overhype cyber-threats as the cause of these outages, but generally they are environmental or operational failure driven. Breathless reports always cite “hackers can take down the power grid any time they want,” but for some reason they don’t, but mother nature does.

Anyway, we learned by the mid-1980s that mainframes and servers without electricity were pretty much just big, expensive paperweights, so the Uninterruptible Power Supply/Battery Backup industry grew up. Here in the 2000s we are finding that PCs and data centers without Internet connectivity are just big, expensive, electricity-consuming paperweights – when the Internet is down, business comes to a crawl.

There have definitely been environmentally caused Internet outages, but in this case denial of service attacks are the leading cause. There are low-scale attacks that anyone who can spell LOIC can launch, and then there are large-scale distributed attacks that take a bit more knowledge of botnets and the like, but DoS attacks are basically like thunderstorms on the Internet: hard to predict when they will hit, but they will, and you can build a thunderstorm-proof Internet connection – just the way you can have thunderstorm-proof power to your datacenter.

Basically, it is time to have DDoS protection considered as part of Business Continuity planning, just the way redundant Internet connections and backup datacenters are planned for and funded.


Twelve Word Tuesday: Adobe and Apple Need to Emulate The World’s Most Secure Graphic Display Tablet

by John Pescatore | July 12, 2011

Happy 51st birthday, Etch-a-Sketch! No hacks, no vulnerabilities – match that, Flash, iOS!
