Friday, January 26, 2007

PCI, PCI, PCI! OK, but are they focusing on the right things?

Reading this, it is almost clear that PCI is really the standard of the moment. However, I'm still surprised at how security professionals and vendors dealing with it seem to be missing the point about what is really important and needs to be done first.

One of the main security concepts is risk management. As you can't solve all your security problems, you should start by solving the worst. PCI, however, doesn't mention anywhere a risk assessment focused on credit card data. There are 12 requirements, all of them with the same importance and at the same level. The result of this is that companies are struggling with security solutions without properly assessing whether they are trying to solve the worst problems in their control framework.

Everybody is talking about encryption. Encrypt all transmissions, encrypt data at rest, etc. However, did anybody verify whether encryption would have been the solution for the main data leaks that happened in the last few years? Except for those backup tapes and laptops, I really doubt it.

PCI should turn into a more modern framework, with a phased approach of assessing first to identify the major risks and then defining a security strategy. It can list the minimal points that need to be covered, but it's essential to include a prioritization and planning phase. PCI enforces the existence of specific controls. The appropriateness and priority of those controls, however, are not considered.

The 1.1 version is, in fact, better than 1.0 as it included the concept of compensating controls and application security. I still think that it should include more about security processes. The standard mentions a "security policy". Why not a Security Program?

Tuesday, January 23, 2007

Best Practices?

This post from Anton Chuvakin, commenting on a post from another blog, is one of those to hang on the wall.

The posting that he talks about has a point when it says that there are lots of people trying to follow best practices and standards instead of doing real security. I think it's partially right. If the process is lacking intelligence it won't work anyway. And I agree that there are some "best practices" that are not so best.

But Chuvakin is entirely right to say that using checklists is a good approach when previously there wasn't an approach at all.

They also agree on something that I have always fought for wherever I worked: "real security is a creative act". Yes, this is not a monkey job! A lot of people believe that perfect security is to create the perfect checklist and hand it to less qualified (and cheaper) workers. It doesn't work exactly like that. I've seen with my own eyes the difference between the same checklist being used by competent and not-so-competent people. Totally different results.

Some people say that this is trying to make a mystery of the job, using "talent" to make it appear bigger than it really is. I think they are exaggerating and underestimating the problem of doing real security. Without intelligence and knowledge you can't go far. But it's not only that. A standard or "best practice" is just like any other tool for specialists, like the scalpel for the plastic surgeon. When it's handled by the specialist, it can work miracles. When handled by the unskilled, it only does harm.

Symantec and SONAR

Some time ago Symantec bought a company called Whole Security, which had a very interesting malware detection product that wasn't signature based (it was behaviour based). It happened so long ago that I thought Symantec was going to simply kill the product. But now there is news that they are putting the WS technology into Norton Antivirus, with a new name, SONAR. Very good, I really want to see this thing working!

They are watching us!

After reading the first part of The Pragmatic CSO I'm convinced that Mike Rothman is just like Scott Adams: THEY ARE WATCHING US!!!

Daily Dilbert from last week shows this power of Mr. Adams here and here.

Two parts from P-CSO caught my eye today. The first was one of those "addicted CSO" dialogues that Mike builds so well. The first one (you can check this in the introduction that is freely downloadable from the site) has a part where the CSO mentions the increasing difficulty he is finding in getting his investments approved, and the time that he spends with auditors, meetings and assembling business cases. That's sooooo real!!

The other one was a note about "Shadow IT", those systems created by business units when Corporate IT doesn't address their needs. This is also very common; I find a couple of those every day. A good thing about getting business support is that they start to call you when those things are being born. You have the chance to make them start right.

Sunday, January 21, 2007

New MS VPN Protocol - or new backdoor covert channel?

I've just read in Network World that MS is developing a new VPN protocol that works over HTTP, to avoid the known problems of making tunnels work through networks with NAT, firewalls and proxies in place.

I don't question the need for this when talking about the tunnel functionality. SSL VPNs grew so much precisely to address these issues. In fact, the article in NW mentions that it will be an SSL VPN. However, I can already see problems with malware using it as a covert channel to communicate with its master. Being an encrypted protocol, the chances of detection by network monitoring will be very low.

But why be worried about it if we already have this feature in other products? Because putting it in the OS will make it easier for malware authors to use. I'm a very bad programmer, but the very little that I know is enough to use the simple APIs for Windows features from easy programming languages like VB.

Not that I'm saying it's a bad thing to do. It's common to create features that can be used for good and evil. As security professionals, however, we need to think about how we will deal with the bad part. Disabling the ability to use the protocol through GPO settings could be an option.

Friday, January 19, 2007

Compliance solution in-a-box

My job to comment on security things is much easier now that I'm reading Mike Rothman's news. From today's posting:

"There is no compliance "solution"
Maybe I'm just grumpy, but the anonymous CJ Kelly is annoying me. Yesterday it was her jumping on the printing security risk bandwagon and today it's making some silly statements about compliance. Let's get one thing straight. There is no compliance SOLUTION. It's not something you can buy, not for any price. You need a strong security program as the foundation, and a way to document what you do and why. That's Step 12 of the P-CSO process. She points to Ogren's post (which is right) about the fact that much of the regulation has had little impact on the base level of security of an organization. And it's because a lot of organizations feel no pain because enforcement is a joke. But to say that the issue with compliance is the vendors not bringing forward complete solutions makes my blood boil. Just another example of someone wanting to solve a problem by opening up the checkbook. Sorry CJ, it doesn't work like that."

One thing that's quite funny is to watch security box vendors saying that their product is 100% SOX Ready. WTF does that mean??? That or something like "with my product, being SOX compliant is easy". Wow, I didn't know they were selling silver bullet boxes.

PCI is another standard that is suffering from the same evil. PCI has 12 requirements, from access control to data encryption. You can see companies offering vulnerability scanners as the final solution to PCI compliance. My biggest worry is that if they keep pushing these lies, it's probably because someone is buying them. What kind of CSOs do we have out there?

Tuesday, January 16, 2007

Security Theater

Bruce Schneier mentioned in his blog this post on Slashdot about security theater. I've seen some discussions about it, mainly over the point of removing people from physical security checkpoints. But what really caught my eye was the comment about different audit procedures for code related to new releases versus patches.

Has anyone conducted a study to check whether code audit is a viable security control for companies that are not software vendors? I mean, almost all big companies that don't sell software have internal development teams providing maintenance and new features for the software they use. Does the process of auditing the code for security vulnerabilities bring enough security to compensate for its cost?

I believe that the answer to this question depends on several variables, such as the amount of change in the code, the exposure of the software to motivated and skilled attackers, and the presence of easier ways to exploit the business process that the software supports.

Without an analysis of these aspects, I think that code auditing processes can end up more expensive than accepting the risk, or even become just more security theater.

Friday, January 12, 2007

Classification products

Sometimes we are so excited about an idea that we forget to check if someone has had the same one first. Well, I was thinking about dusting off my programming books to build something, but suddenly I decided to check Google first.

Here is exactly what I had in mind: tools to help with classifying information.

Thursday, January 11, 2007

Smart defense in depth example

We can see a very good example of Defense in Depth being used at Microsoft by reading this note from Michael Howard.

They are not only training the developers to produce better code, they are also using tools to keep the residual mistakes from becoming vulnerabilities. Smart.

Tuesday, January 9, 2007

About Web Applications Security

Imperva recently published a very good article about web application security.

The article shows numbers about the type and severity of the vulnerabilities usually found in web applications, as well as how this matter has evolved from 4 years ago until now.

The article is a very good resource for those that don't have a regulatory piece like PCI to push web application security in their companies. Even for those that are fighting the "penetrate and patch vs. security built in" war the text is very important, as it shows the very high number of re-tests that still found critical vulnerabilities and the very small number that found no vulnerabilities at all.

The only problem with the article is that it comes from a company that sells application firewalls. Even with all the interesting data presented, the conclusion seems to be too product-driven. If one tries to use it as a resource to justify developer training and security throughout the application life-cycle, he may end up getting budget only for another miracle box.

Monday, January 8, 2007

Very very good blog

Just this weekend I stumbled upon Mike Rothman's blog. After reading only two days of his postings I'm already planning to buy his PDF book "The Pragmatic CSO". First because I already have good feelings about anything that uses the word "pragmatic". Second, his postings are so intelligent that I'm really willing to see what advice he has prepared for a CSO like me.

Today he made a brilliant observation about the discussion of which kind of threat is more important, internal or external. Usually I end up reading and researching more about internal threats because I think the problems involved are more interesting, but he made the point that it doesn't matter whether it's internal or external, only whether it can reach your business systems. One of his phrases: "Enough of these ridiculous insider vs outsider delineations. Protect your damn business systems and the nomenclature will work itself out." Really loved that.

I'll keep reading it. The format of his comments ("top blog postings") is exactly what I intended to do here. Unfortunately I have to spend a few more minutes when I'm writing in English, so I'm not able to keep the postings coming. Have to change that this year.

Saturday, January 6, 2007

Quote of the week

I've just started reading Mike Rothman's blog, but it seems to be an incredible source of good insights and information. He already won my quote of the week award with this gem about the vulnerability severity levels that we usually see in advisories:

"The only severity score that is important is the one you come up with after figuring out if you are exposed."

Perfect. I'm almost convinced that the 97 bucks for his book are worth it :-)

He also mentioned the Dilbert from 31/12. I've been facing weeks of dialogs like that since last month :-(