christopher bischoff's List: InfoSec Perspective

• Active Defense," has many definitions and should not be strictly equated to hack back.  Hack back, instead may be considered a subset of "Active Defense," which does include cyber self-defense or cyber self-help.  Whether or not a company can utilize these theories depends entirely on the given facts of a situation.
• My draft definition of "Active Defense" (still a work in progress) is as follows: "a meticulous and escalated approach to a persistent cyber attack wherein the company leadership makes a decision whether or not to progress at pre-determined decision-points, evaluating risk, liability and legal issues."  Each decision-point will include all of the intelligence gathered, all potential options, tools, techniques, possible scenarios, potential risks, liability, and legal issues.  Depending on the facts and the confidence of the decision-maker there can be few decision points or many.  The number of decision-points is also a factor to consider in the scenario and the actual amount of liability, if any, may depend on how meticulous and cautious the decision-maker acted.  For example, the first decision-point may be whether the attack(s) is or are persistent.  "Active Defense" is very fact dependent.

• The premise is clear: the information security community has the know-how and capability to prevent many of the simple attacks that result in breaches. Consistent, disciplined execution of these preventative measures is where we struggle.

• characterize the threats we are dealing with: 

   >> Rogue employees: trusted individuals who exceed their authority for personal gain or to deliberately damage the organization. 

   >> Accidental disclosures: trusted individuals who accidentally damage the organization through inadvertent misuse of data.  

   >> Risky business process: a potential leak due to a business process that is either poorly secured or against policy (but for legitimate business reasons). 

   >> External attacker on the inside: an external attacker who has penetrated the organization and is operating internally. This threat actor might have compromised a trusted account and appear like an internal user.
• For example, when dealing with potential rogue employees, you tend to rely more on monitoring technologies over time. You don't want to interfere with legitimate business activities, so we use policies in tools like DLP to track mishandling of sensitive information. And how the employee extracts the data also tends to follow a pattern. They aren't necessarily technically proficient and will often rely on USB storage, CD/DVD, or private email to extract data. They usually know the data they want before the attack.
• An external attacker will exhibit some of the same behavior, but is likely more technically proficient, will target different data (often, but not always), might leave signs of "hunting around," will access a different set of systems, and tends to use different extraction techniques.
• "Insider threat" doesn't make much sense because when you start trying to address your risks, a bunch of different ones all involve something going on inside your perimeter. To really tackle them, you need to break them apart, prioritize, and use both different security tools or different settings on the same tools.

2 more annotations...

• 10. Privacy (here) Big brother is watching

   

  There is little doubt that advances in technology have radically changed many aspects of our lives, from healthcare to manufacturing, from supply chains to battlefields, we are experiencing an unprecedented technical revolution.

   

  Unfortunately, technology enables the average person to leak personal information at a velocity that few understand. Take a moment and think about how much of your life intersects with technology that can be used to track your movements, record your buying patterns, log your internet usage, identify your friends, associates, place of employment, what you had for dinner, where you ate and who you were with. It may not even be you who is disclosing this information.

   

  We live in a world without secrets and we must act accordingly. Realize that much of what you may think is confidential, isn’t. To borrow an old saying if more than one person knows something it isn’t a secret and if you’re alive today, you have very little privacy.

• 9. Advanced Persistent Threats (here) Alarming people throughly

   

  Advanced persistent threats are real. As hackers moved from hobby-based malware and cyber-vandalism to financially motivated, or state-sponsored hacking we experienced more thoughtful and controlled approaches. APT isn’t a new class of threat that requires a whole new disparate set of technologies to address. In fact many of the technologies you have been using to identify and monitor deviations from normal operating state are suited to provide a base level of visibility into the environment.

   

  Remember, 90 percent of all external attacks take advantage of poorly administered, misconfigured, or inadequately managed systems that any moderately competent hacker can exploit. Sure, there are some real artists out there, but when you can take candy from a baby 90 percent of the time, you rarely need expert safecrackers.

• 8. Data Leak Prevention (here) Somebody put a diaper on my data

   

  DLP was the hottest thing to not happen to protecting data since PGP was a McAfee acquisition (they are now independent again). The promise was that DLP would prevent sensitive and confidential data from getting into the wrong hands. Of course there is a big, wide chasm between preventing leaks and preventing loss…leaks you have some level of control over and is primarily focused on negligent internal employees deviating from operational security policies like copying data to a USB and working on it at home, or forgetting that sensitive, proprietary and confidential actually means don’t send this to people who are not in the circle of trust. Data loss however – the real data problem business is facing, is not something DLP is well-suited to prevent. The main reason is simple. An intelligent, trained attacker who wants access to your data will get it.

• 7. Network Access Control (here) Its all good until someone NACs the CEO

   

  Driven by relentless Cisco and Juniper marketing, NAC was positioned as the best approach to dealing with the increase in infected laptops that were finding their way into the heart of the corporate network and in doing so bypassing all the security technologies that had been aiming at keeping the bad guys out. The market was infatuated with NAC and many vendors came and went, however like many innovations no one seemed to bother to ask if this is the best solution?

   

  Think about why one would use NAC, essentially it is because IT loses visibility and control of their mobile workforce, contractors, and partners that slip in and out of the network…but instead of asking how IT can gain visibility and control into these devices they revert to a giant hammer approach which blocks all access until goodness can be determined, which ain’t easy and doesn’t cover the universe of issues…anyway NAC is somewhere between the trough of disillusionment and gaining a spot on the shelf of forgotten technologies as companies look to alternative approaches to dealing with compromised devices entering their circle of trust.
• Mobile malware will become a reality one day, but that day has not yet come. For the time being, it’s better to focus on improving assets that are actively under threat, such as endpoints, servers, and databases and when it comes to mobile recognize the biggest threat isn’t an eastern european hacker, it is instead a negligent employee that accidentally leaves a hand-held container of corporate secrets in a silicon valley bar

• 2. Virtualization, especially desktop virtualization (here) and (here) I know what kind of computer I am; I’m a computer, playing a computer, playing another computer

   

  Thanks to VMware you can barely turn around today without someone using the V-word and with every aspect of the English language, and some from ancient Sumeria, now beginning with V it will only get worse. There is no question that virtualization holds a lot of promise for the enterprise, from decreased cost to increased efficiency, but between the ideal and the reality is a chasm of broken promises, mismatched expectations and shady vendors waiting to gobble up your dollars and leave a trail of misery and despair in their wake.

   

  This is especially true for desktop or client-side virtualization. Hosted virtual desktops, thin-client computing models, centralizing desktop management into a datacenter and solutions that require heavy back-end infrastructure and perfect implementations of Active Directory are doomed to fail. So tread carefully when a C-level exec or overzealous IT administrator returning from a boondoggle weekend with VMWare or Citrix returns proclaiming the end of the traditional desktop is here and VDI offers nigh-invincible security and systems management attributes.

   

  In some select situations client-side virtualization does hold promise for improved efficiencies, lower cost and improved security and systems management. It has benefits for software distribution and OS deployment models, but until the industry understands that we will not return to thin-client computing models and centralized management is antithetical to every current trend in client computing we will not see widespread adoption of VDI no matter what VDI vendors claim

• 1. Cloud-computing or the “cloud” (here) The biggest risk from the cloud is moisture

   

  OH: Why don’t we just add ‘cloud’ to the message?

   

  the really sad part of that statement is it wasn’t only over heard once or twice but on at least a half-dozen conversations across different companies and technologies…without a doubt the term that has captured more hyperbole, misinformation and confusion is cloud-computing or even worse, the “cloud”…I’m still wondering what Google will do with gmail once this whole “cloud” thing becomes a reality, how will Akamai handle traffic between the “cloud” and the Internet?

   

  Cloud computing provides tremendous promise leading IT towards the land of “dynamic and agile infrastructure” but along the way they must pass through the dark forest of limited to no visibility and near-zero control.

5 more annotations...

• If we want to really improve security and produce sensible results, it’s time for us to wake up to reality and deal with security without unrealistic expectation
• IT changes are almost never implemented as “Big Bang” projects. There is always a phased approach. Paretto is always being applied, 80% of the bad stuff being removed fairly soon and the remaining stays around for a long time. An isolated situation like that wouldn’t be an issue, but in medium and large organizations we can see dozens of cases of older, unsupported, often unsecure technology, configurations, processes, just refusing to go away. That’s the nature of things and I can’t see that changing soon
• The problem is how to build security in that reality. It’s just too common to see great security ideas failing to provide results because they depend on clean, stable environments. That was always the case for the Identity Management projects (“oh, those identity repositories will be retired soon, don’t worry about  those”), Log Management (“the new version that we’ll implement soon supports syslog-ng”), DLP and others. The security architects are developing solutions that depend on perfect scenarios, scenarios that will never become reality. That’s how most of the security technology deployments fail.
• It’s not just “design for failure”. It’s design around failure. Your network is a mess and it will always be like that, deal with it.

2 more annotations...

• came to the conclusion that the security community may have reached an awkward age at which we're grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis-à-vis the "APTification" of all that passes for security discussion) and, as a result, we're neglecting the basic, "Security 101" stuff that raised the bar in the first place.
• Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz?  How many have happened because someone just flat-out did something dumb?  Take a quick gander at back issues of SANS NewsBites and I think you'll be convinced as well: We truly are neglecting the basics.

• I’ve seen the attitude promulgated that if you’re smart and have skillz, it’s okay to be an asshole.  That it’s somehow okay to hurl insults under the guise of “educating” someone and that they should be grateful for it.  That caring about something gives you permission to display your bad temper for all to see, because you’ll make up for it by doing something really cool.

    

  As far as I’m concerned, nothing could be further from the truth.  There are plenty of egotists in the industry who think they’re entitled to a free pass on manners, and when I’m hiring, I steer clear of them, because there are just as many genius-level hackers who can also manage to behave themselves and work cooperatively with others without starting brawls
• There is absolutely no need to sully enlightenment, integrity, openness and honesty by adding rage (and let’s call it what it really is:  a temper tantrum).  Every honorable goal that security professionals have – be it research, defense, development or education – can be achieved without stomping on fellow humans in the process.  Age does not confer the right to bully others under the guise of “educating” them; nor does any level of experience or knowledge.  No matter how much you’ve contributed to the state of security (or think you’ve contributed – watch that ego again), you still don’t get a pass on any bad behavior, and your lack of social skills is not a badge of honor.  Every industry has its members whose actions make the rest look bad, but at least we shouldn’t be glorifying them.  We have better options right in front of us.
• There is absolutely no need to sully enlightenment, integrity, openness and honesty by adding rage (and let’s call it what it really is:  a temper tantrum).

1 more annotation...

• The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users… eventually shortened to “users.”

   

  Today the situation is different.

   

  Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users

• The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.

   

  Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming “It’s time to reboot the security industry”) that reinforces our knowledge, experience and power while shielding us from the knowledge, power and experience of the individuals we work with.

• When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex – and expensive.

   

  Security technology and is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the “Human Paradox Gap.”
• Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we’re powerless to hold them accountable. I explore this a bit further in: Why people are not the problem and where to look.

• Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.

   

  Dropping the label – protection – of user allows us to build the relationships we need to be successful.

• We work with and serve people.

   

  As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.

   

  When possible, use direct names or descriptions of real people.

   

  It is important to remember and keep focused on the point that we serve people, not users.

• Change the words to change the perspective

   

  By removing the abstraction of “users” and focusing on the people we serve we necessarily change our perspective.

   

  It’s a simple, yet powerful shift.

   

  In turn, it changes our demeanor and approach.

   

  For example, with my clients, our meetings reference real people, actual examples and explore the potential consequences — positive, neutral and negative — of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.

5 more annotations...

• look at addressing the challenges of protecting information
• “People have been unintentionally and systematically disconnected from the consequences of their actions for so long, they are no longer held accountable or take responsibility,” explains Michael. “The real key to protecting information is to engage people in the process and support them with the right tools and technology.”
• Once the change gets started, it is often contagious. People want to take responsibility. People want to make a difference. People want to feel valued and want to participate.

1 more annotation...

• we have been presented a series of reports, complete with statistics, suggesting the cause of security breaches is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.
• “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.
• The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.
• I liken the current experience described by practitioners as  “security pain” to what new parents learn as “short term gain, long term pain” – or the idea that actions designed to quickly diffuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.
• The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

• The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s easier – and more complicated – that just inflicting pain and punishing bad decisions.

   

  So – tell them the consequences and we’re all set, right?

   

  Well, it’s not that easy.

   

  We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

   

  We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

   

  Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

   

  We have a lot of work to do. I’m here to contribute and lead the change we need.

4 more annotations...

• There are a few principles I like to keep in mind when discussing the insider threat. Some are a little redundant to make a point from a slightly different perspective:

    
   
  1. Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
   
  2. Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers- there are those with access to your network, and those without. Some are authorized, some aren’t.
   
  3. The best defenses against malicious employees are often business process controls, not security technologies.
   
  4. The technology cost to reduce the risks of the insider threat to levels comparable to the external threat are materially greater without business process controls.
   
  5. The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
   
  6. If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
   
  7. Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
   
  8. Preventative controls built into the business process are more efficient than external technological preventative controls.
   
    

  Thus, the best strategy includes a mix of technology and business controls, a focus on preventing and detecting external attacks, and reliance on a mix of preventative controls and detective controls with efficient response for the insider threat. I really don’t care if an attacker is internal or external once they get onto a single trusted system or portion of my network.

    

  The “insider threat” isn’t a threat. It’s become a blanket term for FUD. Understand the differences between malicious employees, careless employees, external attackers with access inside the perimeter, and trusted partners without effective controls on their systems and activities.

• we expect to see more awareness surrounding security incidents of an “insider job” nature. Attention will grow as a result of an increase in the number of incident reports that show data theft, and security breaches, tied to employees and other insiders.
• UK ICO regulation, from April 2010, encouraged firms to engage affected individuals, or face a heavy (500,000 GBP!) fine. These laws and regulations, while generally discussing the need for security controls, place most of the emphasis on breach notification. In Germany, strict fines are imposed on companies that do not adhere to the privacy laws, which require the publication of all data breaches affecting individuals. A surge in notifications, which will result from an employee accessing data in a way that violates business policy, is bound to occur
• The increased visibility into insider-invoked breaches will close the alleged contradiction between the Verizon Business Investigations Report (VBIR) and the Independent Oracle User Group (IOUG) reports. The former shows that breach investigations are heavily leaning towards hackers, in the traditional sense, from an external source. Yet, the IOUG report shows an inclination towards data breaches stemming from the insider threat. To explain the dissonance between the two, we must bear in mind that the VBIR is constructed out of incidents analyzed by VB. Breaches of an external nature are usually more complex to understand and trace. External attacks would necessitate Verizon Business experts to conduct the required forensic analysis that would yield attack details, such as who was affected, what exactly happened, how it happened, and how to prevent future attacks. On the other hand, internal data breaches are usually of a simpler, technical nature, and quite often easily tied to a specific person post-mortem. Thus, organizations rarely call VB experts to investigate internal breaches. As a consequence, the VBIR is inherently biased towards external attacks. The IOUG report is based on an anonymous survey among DBAs—those who are usually in the line of “hacker” fire. These are the individuals who can actually attest to the true extent of the insider threat.

• Due to new privacy regulations, we will see these numbers reflected in data breach notifications.

   

   To deter the insider threat, organizations should:

   
   
  • Enforce access controls, where access is granted only on a business need-to-know level. This includes eliminating excessive privileges.
   
  • Provide the proper access auditing tools to data centers. These auditing tools should monitor who accesses what data.

2 more annotations...

• Have you noticed that we’re spending more and more but we’re not getting any more secure? Vendors are selling us the latest solution to fix the latest ill…  DLP, PKI, IDS, IPS, Endpoint protection, UTM – an alphabet soup of solutions to address an alphabet soup of regulations, litigation and compliance pressures… PCI, HIPAA, DPA, GLBA, etc. But the threats are changing and the impact is becoming more significant.
• The bad guys are bypassing our firewalls. Anti-virus is deployed but malware flourishes. Identity management expands in complexity and capability and yet unauthorized (and even authorized) abuses continue.
• Anti-virus and firewalls have ceased to be effective, yet we deploy them and claim that “we are now secure.” The security layers continue to thicken and yet a hacker can establish a foothold within a corporate network perimeter by exploiting any one of the thousands of vulnerabilities on an employee’s laptop.
• Focus on what needs to be protected – rather than an infrastructure-based security model with appliances layered upon layer, protect the data. A data-centric security model is like a rifle bullet rather than a shotgun and would be easier to justify financially because the unauthorized access, modification, disclosure or loss of these data can be quantified and expressed to the executives. This also solves a lot of the issues with going to the cloud, because you will not be able to control the environment.  All you can control is the data itself.
• Practice “Don’t Trust and Verify” – when an insider can be compromised and become an outsider, the debate between the external versus the internal threat is moot. No one should be trusted with your data, and those that must access it should be validated and checked with each access. This means that user activity is monitored and analyzed for anomalous behavior.
• Treat commoditized technologies (firewalls, anti-virus, IDS, etc.) as such and stop buying the best-of-breed. Focus your spending on the cutting edge threats and new technologies that give you a true advantage. It may be a short lived advantage, but it will be worthwhile. Wasting money on brand-name technologies because they “look good” or provide a single vendor contact just doesn’t make sense anymore.
• And most importantly, but in a more abstract vein, treat your enterprise like a human body. The human body exists in a turbulent, chaotic state. It’s riddled with bacteria, viral pathogens and other potentially hostile elements. The body has genetic predispositions akin to corporate culture, application vulnerabilities and the like. And yet the body has a way to distinguish between friend and foe (identity management?); it can produce antigens and fight off infections; and it can develop immunities over time. This means that you don’t just distrust people, but applications also. Kernels and applications should constantly ask themselves whether the action is allowed, normal, and valid. The analogy is not perfect, but you can get the idea: Plan and act as if your internal network is hostile and that everyone and everything is trying to get to your data. Assume all of your applications are vulnerable. (They most assuredly are.) And act accordingly. This does not mean you spend unlimited amounts of money to solve all problems. But it does mean that you focus on the root causes and stop trying to address the symptoms.
• A big paradigm shift in your security approach shouldn’t be done all at once. Evaluate your current security posture and conduct frequent risk assessments of everything: technology, business processes, contracts, and even vendor relationships. Question your responses to these risk assessments and take nothing for granted. Don’t be afraid to approach security from a new angle, because the bad guys definitely are doing the same to you.

6 more annotations...

• At #OWASPSummit: "Developers don't know bleep about security". Well, I got news. You don't know bleep about development.
• Bottom line infosec has been delivering the same architecture for 15 years, and is no position whatsoever to throw stones at developers.
• "Blaming software developers for insecurity is the most divisive and counterproductive thing we could possibly do"

1 more annotation...

• The best SSG members are software security people; but software security people are often impossible to find. If you must create software security types from scratch, start with developers and teach them about security. Do not attempt to start with network security people and teach them about software, compilers, SDLCs, bug tracking and everything else in the software universe. No amount traditional security knowledge can overcome software cluelessness.
•   I call it the He Got Game rule. When Spike Lee was making the movie He Got Game about a burgeoning NBA basketball star, he had a choice. He could cast a Hollywood actor like Robin Williams and try to teach him to play realistic looking basketball. Or, they could cast a basketball talent like future NBA all star Ray Allen and teach him how to act. Spike Lee chose ray Allen because he quickly came to the conclusion that it was much easier to teach a basketball player how to act than to teach an actor to play basketball. Its the same in security, its much simpler to teach motivated developers how to threat model, how WS-Trust protocol works, and so on, than it is to teach even motivated security people who are operationally focused on how Websphere, Apache, Directories and other core software technologies are built.
• Rather than obsessing about the latest and greatest threat, its much more strategically important to sort out the logistics, constraints, and economics to distribute and scale out the security mechanisms and processes we have. Specifically how are they impacted by and how do they impact the message flows, endpoints, routing, transformation, and management. These patterns are aptly described and cataloged in Hohpe and Woolf's book and provide an important starting point for meaningful and useful security improvement over time.

1 more annotation...