<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>I Am Security &#187; risk management</title>
	<atom:link href="http://www.iamit.org/blog/tag/risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.iamit.org/blog</link>
	<description>Security news and research</description>
	<lastBuildDate>Mon, 26 Jul 2010 09:20:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
<cloud domain='www.iamit.org' port='80' path='/blog/?rsscloud=notify' registerProcedure='' protocol='http-post' />
		<item>
		<title>The Turkish hack and another case for IL-CERT</title>
		<link>http://www.iamit.org/blog/2010/07/the-turkish-hack-and-another-case-for-il-cert/</link>
		<comments>http://www.iamit.org/blog/2010/07/the-turkish-hack-and-another-case-for-il-cert/#comments</comments>
		<pubDate>Mon, 19 Jul 2010 05:44:25 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[analysis]]></category>
		<category><![CDATA[Attack Vector]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[press]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=499</guid>
<description><![CDATA[You have been living under a rock if you haven&#8217;t heard of the Turkish hack a couple of days ago. Basically &#8211; a Turkish hacker forum that harbors a strong anti-Israeli attitude has been hacking, and mostly defacing, Israeli sites for the past few months (years). Now, this is nothing new, and as I [...]


Related posts:<ol><li><a href='http://www.iamit.org/blog/2010/06/first-and-il-cert/' rel='bookmark' title='Permanent Link: FIRST and IL-CERT'>FIRST and IL-CERT</a></li>
<li><a href='http://www.iamit.org/blog/2010/03/cyberfudfare-repost-from-fudsec-com/' rel='bookmark' title='Permanent Link: Cyber[FUD]Fare &#8211; repost from fudsec.com'>Cyber[FUD]Fare &#8211; repost from fudsec.com</a></li>
<li><a href='http://www.iamit.org/blog/2010/02/the-chinagoogle-thing-accountants-and-other-miscreants/' rel='bookmark' title='Permanent Link: The China/Google thing, accountants and other miscreants'>The China/Google thing, accountants and other miscreants</a></li>
</ol>]]></description>
<content:encoded><![CDATA[<p>You have been living under a rock if you haven&#8217;t heard of the Turkish hack a couple of days ago. Basically &#8211; a <a href="http://www.cyber-warrior.org/">Turkish hacker forum</a> that harbors a strong anti-Israeli attitude has been hacking, and mostly defacing, Israeli sites for the past few months (years).</p>
<p>Now, this is nothing new, and as I stated before, has been going on for years. I&#8217;m not even going to get into the political discussion of whether this is sponsored by the government (or whether it has turned a blind eye to it), as opposed to Israeli hackers who would like to retaliate but know that they would be charged with computer crimes in their own country.</p>
<p>No.</p>
<p>The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified whom about what. A couple of funny things to consider in this incident:</p>
<ol>
<li>There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. <a href="http://www.maglangroup.com/maglan/research.jsp">One company</a> has even been quoted as saying that it knew of this issue months ago.</li>
<li>Some of the accounts that have been breached belong to government personnel (or at least come with a .gov.il email address and its corresponding password).</li>
<li>The sites that have been breached were not notified until a couple of days ago. They have no-one to consult on how to handle this incident, or how to fix their issues (ever heard of one-way password hashing? apparently not, given that the passwords leaked right alongside the accounts&#8230;).</li>
</ol>
<p>Why am I bringing up these specific points? Let&#8217;s see how a normal CERT, had there been one here, would have addressed each of them:</p>
<ol>
<li>Companies that deal with security research can send their insights on local security incidents to a coordinating entity &#8211; IL-CERT &#8211; that would manage the anonymous and responsible notification of the affected parties. No need to figure out a local notification policy, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTs and who their constituency is.</li>
<li>Coordination and notification of government-related bodies would be handled through the <a href="http://cert.gov.il/">ILGOV-CERT</a> (although their website is not too promising, there are ways to reach them&#8230;). Additionally, collateral-damage notification would be handled the same way (i.e. &#8211; a .gov.il site has not been breached, but .gov.il accounts have been found by breaching a .co.il server. This is exactly the kind of thing that ILGOV-CERT does not know how to handle right now&#8230;).</li>
<li>Incident handling support and assistance would be provided by subject-matter experts to any site that has experienced a breach, at no cost (unless actual work on the servers or code was requested, in which case IL-CERT would probably make a referral, since initially it would not be a commercial body).</li>
</ol>
<p>Simple, huh? And you keep wondering how a place where so much innovation in science, technology and security has come from is still in the dark ages of its own internet security&#8230;</p>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2010/07/the-turkish-hack-and-another-case-for-il-cert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity crisis</title>
		<link>http://www.iamit.org/blog/2010/06/identity-crisis/</link>
		<comments>http://www.iamit.org/blog/2010/06/identity-crisis/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 11:11:40 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[analysis]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[cyberwarfare]]></category>
		<category><![CDATA[eCrime]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/2010/06/identity-crisis/</guid>
<description><![CDATA[Here’s a question I get asked a lot: “What technology should I use to secure my server/network/[some technology]?” The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I [...]


Related posts:<ol><li><a href='http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/' rel='bookmark' title='Permanent Link: Practical vs. Regulatory &#8211; the votes are in!'>Practical vs. Regulatory &#8211; the votes are in!</a></li>
<li><a href='http://www.iamit.org/blog/2008/12/who-owns-your-online-identity-facebook-squatters-on-the-rise/' rel='bookmark' title='Permanent Link: Who owns your online identity? Facebook squatters on the rise'>Who owns your online identity? Facebook squatters on the rise</a></li>
<li><a href='http://www.iamit.org/blog/2010/05/being-in-the-middle/' rel='bookmark' title='Permanent Link: Being in the middle (or: things we didn&#8217;t manage to learn in a decade)'>Being in the middle (or: things we didn&#8217;t manage to learn in a decade)</a></li>
</ol>]]></description>
<content:encoded><![CDATA[<p>Here’s a question I get asked a lot: “What technology should I use to secure my server/network/[some technology]?”</p>
<p><img class="alignright" src="http://www.iamit.org/blog/wp-content/uploads/2010/06/wpid-IdentityCrisis-2010-06-7-14-11.jpg" alt="wpid-IdentityCrisis-2010-06-7-14-11.jpg" width="167" height="133" />The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have a problem with this if it came from a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/security manager is the one asking.</p>
<p>I think that this question is highly inappropriate for two reasons:</p>
<ol style="list-style-type: decimal;">
<li>You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.</li>
<li>You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc&#8230; are not the focus of information security. The information is&#8230;</li>
</ol>
<p>Having worked with senior management &#8211; sometimes as an advisor/consultant, and sometimes as a “virtual CISO” &#8211; I know that this is not what we expect the CISO or security manager to ask. We expect business savvy; we expect an understanding of what the information assets are, what the critical information paths are, who owns the information and what the impact of every asset on the business is. We expect that whoever is in charge of securing each asset understands how it fits into the grand scheme of things, and we expect them to take into account the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc&#8230;).<br />
For me (or us, when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?</p>
<p>What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self-proclaimed identity crisis, having to deal with business requirements and a financial understanding of how the business operates. And the weirdest thing is that they often choose to retreat to what they “know” best &#8211; the technology side of things. Definitely not the way to make a move&#8230;</p>
<p><img class="alignleft" src="http://www.iamit.org/blog/wp-content/uploads/2010/06/wpid-risk-blocks-2010-06-7-14-11.jpg" alt="wpid-risk-blocks-2010-06-7-14-11.jpg" width="161" height="160" />I’m really hoping that all this preaching of “know thyself before you know your enemy” will help somehow, because right now, unfortunately, the situation at hand only brings us more business (not that I’m complaining). But seriously now &#8211; technology is fine and cool, but knowing where it fits, not at an architectural level but from a business perspective, is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!</p>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2010/06/identity-crisis/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Being in the middle (or: things we didn&#8217;t manage to learn in a decade)</title>
		<link>http://www.iamit.org/blog/2010/05/being-in-the-middle/</link>
		<comments>http://www.iamit.org/blog/2010/05/being-in-the-middle/#comments</comments>
		<pubDate>Sat, 01 May 2010 21:58:16 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=440</guid>
		<description><![CDATA[Things that we should be fixing in security.


Related posts:<ol><li><a href='http://www.iamit.org/blog/2010/01/cybercrime-cyberwarfare-and-2010/' rel='bookmark' title='Permanent Link: CyberCrime, CyberWarfare, and 2010'>CyberCrime, CyberWarfare, and 2010</a></li>
<li><a href='http://www.iamit.org/blog/2010/03/cyberfudfare-repost-from-fudsec-com/' rel='bookmark' title='Permanent Link: Cyber[FUD]Fare &#8211; repost from fudsec.com'>Cyber[FUD]Fare &#8211; repost from fudsec.com</a></li>
<li><a href='http://www.iamit.org/blog/2010/06/the-community-to-the-rescue-again/' rel='bookmark' title='Permanent Link: The community to the rescue again'>The community to the rescue again</a></li>
</ol>]]></description>
<content:encoded><![CDATA[<p>This is going to be painful, so hold on.<br />
Instead of mumbling short tweets about things I think suck, I decided to keep everything in and formulate a post on it.<br />
<img class="alignright size-medium wp-image-441" title="Guess_SurfingProseries_Bermuda_Orange" src="http://www.iamit.org/blog/wp-content/uploads/2010/05/Guess_SurfingProseries_Bermuda_Orange-300x293.jpg" alt="" width="229" height="224" />This post is a rant. It’s a complicated rant by an “old” guy (my excuse for cynicism) in the industry who’s had a chance to see a lot go by. Disclaimer: I’m going to give some examples here, real-life examples from my own experience in the security industry. Some are from my consulting days, some from the vendor days, some from freelance and other gig days. If you think you are someone I’m describing here &#8211; you probably aren’t. On the other hand, if you can recall some snotty smart-ass dude coming into your company wearing orange Bermuda pants (swear to God), sandals and (hold it) silver toenail polish (I was going through something back then), telling you how badly your security sucks and leaving a one-page report showing gaping holes in technology and processes, well, I’m sorry&#8230;</p>
<p>Disclaimers aside, down to business.</p>
<p>What have we learned over the past decade in the security business &#8211; let’s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same, give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah &#8211; I can hear you from the back of the room) &#8211; WAF! Well, WAF right back at you. Doesn’t work, didn’t work back in the days when it took 3 days to configure it for a small site, and still doesn’t do much good beyond the simple stuff (which you can get for free with ModSecurity).</p>
<p>We have almost no technological advantage over what we had 10 years ago. So, you must be saying, we as security people must have gone through so much that we now manage and deal with risks and threats much better. Yes, that’s a tear at the corner of my eye. How I wish you were right.</p>
<p>The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didn’t know what to do in order to do their jobs, are not doing any better than most companies nowadays.</p>
<p>Then, just like now, they are still trying to find the right “stuff” that’s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding “vulnerabilities” and categorizing them “high, medium, low” (or whatever scale that doesn’t mean anything) in our networks, operating systems and applications. Then, just like now, we can’t tell whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of “FUD”.</p>
<p>I meet a lot of talented young (and old) security people; they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained in/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adopt that tunnel vision that allows them to dig right into the utter abyss of a technical challenge. I also meet a lot of people with a broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. “Sea surf? Yeah! I remember surfing when I was a kid&#8230;”, “Sequel? Which one? I thought the Matrix series was over&#8230;”, “But let me tell you about my new world cyber-peace strategy&#8230;”. You get the point.</p>
<p><img class="alignleft size-medium wp-image-442" style="margin-left: 5px; margin-right: 5px;" title="0470124261" src="http://www.iamit.org/blog/wp-content/uploads/2010/05/0470124261-237x300.jpg" alt="" width="106" height="133" />And don&#8217;t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400-pound gorilla of a money-sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because of the number of certs they have on their business card, but because I know they don&#8217;t really need these certs to be professional security people.</p>
<p>What I’m still struggling with is the middle. I have always been looking for the middle (even as a kid &#8211; “your son is about average, but he’s got great potential” was a recurring parent-meeting slogan through all my school years). The middle that built itself on the foundations of technical research, got its hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get its bearings right. The middle that didn’t get blinded by a new management position, and kept relatively up-to-date on what’s going on. The middle that didn’t skip last year’s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because it thought it was some passing fad (and didn’t want to admit that it’s just too darn complicated to get into new stuff). The middle that took up looking at how the business works. From the numbers, through the sales, operations, tech support, client meetings, competition and the boardroom decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat into numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there &#8211; in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.</p>
<p>I find myself trying to fit in the middle too many times. I’ll admit it &#8211; I didn’t think of a middle back when I started getting paid for breaking things, but I saw the middle. I didn’t figure out the right terminology for this middle until 6 or 7 years ago. But darn it! (imagine what I held back until now&#8230;) I like that middle, and unfortunately (or fortunately, as my accountant would say) we are still bad at filling that middle. We still haven’t bridged the gaps between the techies and senior management (I’m obviously generalizing, but look at your average F-100 company &#8211; you’ll get it&#8230;). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.</p>
<p>Let’s get the good guys from both sides back to the middle. Let’s get the techies some business training, dress ‘em up nice and give them the tour. Let’s send our CxOs to DefCon for a refresher on how things are done these days. There’s no shame in learning. If I find a day in which I didn’t have a chance to learn something new &#8211; technical, financial, political, strategy or disassembly &#8211; I feel wrong. Let’s justify our overpriced salaries and really make something out of it. We used to be paid to think outside the box, and all we have done since we started getting paid is paint the box in crayons.</p>
<p>Break the box. Down to its nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.</p>
<p>p.s. &#8211; what’s with the parentheses, you ask? Well, that’s just how I like to write, and besides &#8211; it leaves room to put things in the middle ;-)</p>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2010/05/being-in-the-middle/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Drawing the line &#8211; securing an organization while thinking of users&#8230;</title>
		<link>http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/</link>
		<comments>http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/#comments</comments>
		<pubDate>Mon, 07 Sep 2009 16:36:28 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[web2.0]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=362</guid>
		<description><![CDATA[Securing sensitive organizational information where end-users that are not part of the organization need access to such said data and may even modify it.


Related posts:<ol><li><a href='http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/' rel='bookmark' title='Permanent Link: Practical vs. Regulatory &#8211; the votes are in!'>Practical vs. Regulatory &#8211; the votes are in!</a></li>
<li><a href='http://www.iamit.org/blog/2010/06/identity-crisis/' rel='bookmark' title='Permanent Link: Identity crisis'>Identity crisis</a></li>
<li><a href='http://www.iamit.org/blog/2009/10/clouds-and-the-winds-that-blows-them-away/' rel='bookmark' title='Permanent Link: Clouds, and the winds that blows them away&#8230;'>Clouds, and the winds that blows them away&#8230;</a></li>
</ol>]]></description>
<content:encoded><![CDATA[<p>My latest post on the Israeli Insurance Association (<a href="http://www.igudbit.org.il/Index.asp?ArticleID=1235&amp;CategoryID=98">http://www.igudbit.org.il/Index.asp?ArticleID=1235&amp;CategoryID=98</a> [HEBREW]) discusses the challenges of managing risk in a complex organizational environment where you have to take into account end-users meddling with data.</p>
<p>In Israel, insurance agencies are not yet at the stage where they give insured parties full online access to their insurance and policy information, but they should be getting ready to do so. Some of the considerations and implications of creating the infrastructure for such access are discussed in the article in light of the risk management requirements set forth by regulation for such organizations. Financial institutions have been facing the same issues for years now, since online banking has become standard, so it&#8217;s a great opportunity to reexamine which policies are applicable and which technologies can be used to enforce them in a very similar environment.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Practical vs. Regulatory &#8211; the votes are in!</title>
		<link>http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/</link>
		<comments>http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 13:46:51 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[analysis]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=349</guid>
<description><![CDATA[I was thinking about translating the article I recently wrote for the Israeli Insurance Association (see my last post), but decided to completely rewrite it so it would apply to a more general public rather than to the select few insurance industry professionals in Israel. The basic realm of what we are all doing on [...]


Related posts:<ol><li><a href='http://www.iamit.org/blog/2010/06/identity-crisis/' rel='bookmark' title='Permanent Link: Identity crisis'>Identity crisis</a></li>
<li><a href='http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/' rel='bookmark' title='Permanent Link: Drawing the line &#8211; securing an organization while thinking of users&#8230;'>Drawing the line &#8211; securing an organization while thinking of users&#8230;</a></li>
<li><a href='http://www.iamit.org/blog/2010/05/being-in-the-middle/' rel='bookmark' title='Permanent Link: Being in the middle (or: things we didn&#8217;t manage to learn in a decade)'>Being in the middle (or: things we didn&#8217;t manage to learn in a decade)</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p>I was thinking about translating my recent article I wrote for the Israeli Insurance Association (see my last post), but decided to completely rewrite it so it would apply to a more general public rather than to the select few insurance industry professionals in Israel.</p>
<p>The basic realm of what we are all doing on a daily basis (at least the ones that deal with information security and risk management) is trying to make sure that we keep our information intact, comply with the relevant regulation for our industry, and have it all done within a budget. Nevertheless, often one can see one of two approaches being applied in the field – the practical one, and the regulatory one. The more practical approach looks for the relevant risks and tries to control them and minimize their exposure to relevant threats. The regulatory one state that we’ll pick the “best practice” solutions that would have us comply with the regulation, and by doing so we should be OK as the rest of the world pretty much does the same.</p>
<p>Unfortunately, the practical approach that fuels logical thinking, understanding your assets, risks, threats and resources available, and tries to constantly adapt your security measures to them is rarely adopted, and I have only seen a few select organizations “make the plunge” into the thinking zone. It is more often that one would find an organization that has hired consultants to perform risk assessment and gap analysis (which is a basic part of most regulatory requirements these days), and then have them use whatever budget available for the certification to install security products (again – best practices…) which would cover all the “high” risks found in the risk assessment, and some of the “medium” ones.</p>
<p>I truly think that the gap between the practical approach and the regulatory one is not that big (guess which one I endorse…). The root cause for what brought most of the commercial and financial organizations to adopt the regulatory approach has been the crackdown of governments and regulatory body post Enron/WorldCom/the credit crisis/[add your financial/corporate crisis here] on companies worldwide, and the immediate proliferation of information security “professionals” that were merely technicians or integration engineers with a fancy title. Budgets were allocated, products were evaluated, and with the endorsement of a savvy accounting firm you could find yourself compliant in no time with a brand new lineup of “best practice” products in your network.</p>
<p>Taking a step back and actually reading the regulatory requirement (interesting homework for you – take your &#8220;favorite&#8221; one and try to read it as objectively as possible), it&#8217;s clear that most regulations can be adhered to without hopping on the vendor product bandwagon. A careful assessment (as noted – part of any basic compliance project) can map out the actual assets that YOU need to protect (which are obviously different from someone else&#8217;s assets – hence the regulation can&#8217;t cover them all specifically), and give you the scale to measure how much capital would be WISELY spent on protecting each asset. I promise you that after going through this drill, you&#8217;ll find that the money needed to really protect your information and mitigate the risks relevant to your organization is less than what you would have spent on &#8220;best practice&#8221; solutions that provide mediocre protection for some general phantom assets the regulator pointed to.</p>
<p>The final step in keeping this process in the &#8220;practical&#8221; land, and preventing the regulatory approach from popping up again the next time the certification date looms, is to keep running those numbers – what is my risk, what are the ACTUAL threats I&#8217;m facing, how do my current measures stand against those threats, and how has my asset valuation changed. By keeping this measurement practice up to date, you can easily (and again – cost effectively) adjust the protections appropriately, stay compliant (and not just for the first month after certification), and see an actual benefit from all the budget spent on information security and risk management.</p>
<p>To quickly sum up, I&#8217;ll include an excerpt from a <a href="http://carnal0wnage.attackresearch.com/node/361">post</a> by valsmith that I highly concur with:</p>
<blockquote><p>Many companies have not yet developed the ability to identify, document or even discuss the real risks to their business and are barely holding on by figuring out whatever regulations they need to follow and checking off the boxes. They need to pass. Shrinking budgets mean they need it cheap. This means that pen testers are selling something with little real world, but lots of bureaucratic, value.</p></blockquote>


<p>Related posts:<ol><li><a href='http://www.iamit.org/blog/2010/06/identity-crisis/' rel='bookmark' title='Permanent Link: Identity crisis'>Identity crisis</a></li>
<li><a href='http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/' rel='bookmark' title='Permanent Link: Drawing the line &#8211; securing an organization while thinking of users&#8230;'>Drawing the line &#8211; securing an organization while thinking of users&#8230;</a></li>
<li><a href='http://www.iamit.org/blog/2010/05/being-in-the-middle/' rel='bookmark' title='Permanent Link: Being in the middle (or: things we didn&#8217;t manage to learn in a decade)'>Being in the middle (or: things we didn&#8217;t manage to learn in a decade)</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(Hebrew) Information Risk Management &#8211; Israeli Insurance Industry</title>
		<link>http://www.iamit.org/blog/2009/07/hebrew-information-risk-management-israeli-insurance-industry/</link>
		<comments>http://www.iamit.org/blog/2009/07/hebrew-information-risk-management-israeli-insurance-industry/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 10:46:40 +0000</pubDate>
		<dc:creator>iamit</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[press]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://www.iamit.org/blog/?p=330</guid>
		<description><![CDATA[Just a quick cross post to an article I wrote for the Israeli Insurance Association (this one in Hebrew &#8211; an English post will be uploaded to this blog soon). The full article can be found here: http://www.igudbit.org.il/Index.asp?ArticleID=1179&#38;CategoryID=98. Related posts:Drawing the line &#8211; securing an organization while thinking of users&#8230; Practical vs. Regulatory &#8211; the [...]


Related posts:<ol><li><a href='http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/' rel='bookmark' title='Permanent Link: Drawing the line &#8211; securing an organization while thinking of users&#8230;'>Drawing the line &#8211; securing an organization while thinking of users&#8230;</a></li>
<li><a href='http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/' rel='bookmark' title='Permanent Link: Practical vs. Regulatory &#8211; the votes are in!'>Practical vs. Regulatory &#8211; the votes are in!</a></li>
<li><a href='http://www.iamit.org/blog/2007/10/iframe-is-a-security-risk/' rel='bookmark' title='Permanent Link: IFRAME is a security risk???'>IFRAME is a security risk???</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p>Just a quick cross post to an article I wrote for the Israeli Insurance Association (this one in Hebrew &#8211; an English post will be uploaded to this blog soon). The full article can be found here: <a href="http://www.igudbit.org.il/Index.asp?ArticleID=1179&amp;CategoryID=98">http://www.igudbit.org.il/Index.asp?ArticleID=1179&amp;CategoryID=98</a>.</p>


<p>Related posts:<ol><li><a href='http://www.iamit.org/blog/2009/09/drawing-the-line-securing-an-organization-while-thinking-of-users/' rel='bookmark' title='Permanent Link: Drawing the line &#8211; securing an organization while thinking of users&#8230;'>Drawing the line &#8211; securing an organization while thinking of users&#8230;</a></li>
<li><a href='http://www.iamit.org/blog/2009/07/practical-vs-regulatory-the-votes-are-in/' rel='bookmark' title='Permanent Link: Practical vs. Regulatory &#8211; the votes are in!'>Practical vs. Regulatory &#8211; the votes are in!</a></li>
<li><a href='http://www.iamit.org/blog/2007/10/iframe-is-a-security-risk/' rel='bookmark' title='Permanent Link: IFRAME is a security risk???'>IFRAME is a security risk???</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.iamit.org/blog/2009/07/hebrew-information-risk-management-israeli-insurance-industry/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
