Friday, October 22, 2010

Is it really incompatible?

It was interesting to read Gunnar Peterson's rant this week about firewalls getting the number 1 spot in CSO budgets. For those who haven't seen it, here is the core of it:

"I had to check the date to make sure that it wasn't 1995 when I read this

The survey of IT pros and C-level executives from 450 Fortune 1000 companies -- commissioned by FishNet Security -- also found that 45 percent say firewalls are their priority security purchase, followed by antivirus (39 percent), and authentication (31 percent) and anti-malware tools (31 percent).

And what threats are these IT Pros and C-level execs concerned about?

Nearly 70 percent say mobile computing is the biggest threat to security today, closely followed by social networks (68 percent), and cloud computing platforms (35 percent). Around 65 percent rank mobile computing the top threat in the next two years, and 62 percent say cloud computing will be the biggest threat, bumping social networks.

Let's see, what do mobile computing, social networking, and cloud computing all have in common? Oh yes, they all bypass the firewall's "controls"!

How do you reconcile spending on something (firewalls) that does not address any of your top threats? This dichotomy is infosec's biggest problem. We have plenty of good controls and processes to use; what we don't have is enough talent in infosec to integrate them and put them to use."

I will not disagree with Gunnar that there is a chronic incompatibility between the most common security controls being deployed and the major threats and concerns. But I'm also a strong advocate of more careful, data-driven approaches, like the New School guys. In this case my concern is that Gunnar wants to see a direct cause-effect relation between "purchase priority" and "threats". I believe it's reasonable to expect that, but there are some things to consider that can prevent it from happening.

Yes, there should be a connection, but only to the extent of "strategy-related spending". When discussing IT expenses we should remember that budgets are normally split between operations and capital expenses. Depending on how intense the ongoing infrastructure refresh initiatives are, you'll see more dollars being spent on stuff like than on things related to the new threats, just because you need to keep things running. If the organization is going through a big physical expansion, for example, it will eventually need to put money into things like networking gear. Would that be wrong just because the current innovation focus (and also the threats) is not on the network infrastructure? I don't think so. Think of this as the "Maslow pyramid" for IT: you'll spend money on the upper layers only when the lower layers are stable.

(I'm purposely ignoring more radical approaches such as the Jericho Forum stuff and cloud-based stuff, as not all organizations can afford to quickly break IT paradigms every time there's a new trend out there - yes, those new things can help organizations move faster and avoid being trapped in the continuous maintenance of the )

The fact that there is a disparity between top threats and top expenses is not necessarily related to a lack of understanding, skills or security talent. We can blame security professionals for focusing only on infrastructure components, but it only makes sense to do so when they have enough resources AND the option to allocate them as they want. So, if your budget covers only your operating expenses, how can you even try to introduce radical changes to your security model? Yes, it's probably perpetuating the hamster wheel of pain, but changing the status quo will normally require an initial increase in resources and focus (and it's not only about money - sometimes you just don't have time!) that not all organizations grant to their CSOs.

Friday, October 1, 2010

If cyberwar and cyberterrorism is true, this is a target

I was reading this post from CBC News about the "flash crash" that occurred in the Dow Jones last May. The SEC report says it was entirely caused by a mistake from a single firm. Hey, the index fell 1000 points in less than one hour! With all this talk about Stuxnet, can you imagine the impact of a "stock trading Stuxnet"? If a single firm can cause that, a worm capable of doing the same thing to trading systems would cause huge losses to the market and, using the Dow Jones as the example, to the US as a country. To make things worse, trading systems are also becoming more and more standardized, using open protocols like FIX, which makes it even easier to develop such malware. I can also say that there are a lot of non-IT people developing software for those trading companies, which means that best practices in software development are probably not being followed.

So, there is a huge target, the opportunity and certainly people with means. That's the classic triad for "shit happening".

Applied Behaviour Analysis

Very good post from Alex Hutton, one of the best security posts of the past months, for sure.

It really seems that ABA has its place in the infosec field. I'm just curious why Alex is talking about systems and network traffic as behaviour, when ABA theory has a better place for them: the "environment". Even when we start thinking about actions to change behaviour (the attackers'? the "users'"?), that's usually done by manipulating the environment. And if we end up finding that those subjects usually have similar behaviours, we'll probably find that the differences are mostly in the diverse environments they interact with, the organizations.

The interesting thing about ABA is that it drives us to experimental control over attempts to change behaviour. The implications would certainly force us into finding ways to verify whether our controls can really induce behaviour change. That's one of the key issues we have in our field. If the attackers are behaving "accordingly" (i.e. not performing successful attacks), is that due to our attempts to change their behaviour or because of other external stimuli? One of Richard Bejtlich's favorite ideas, continuous testing by a "red team", seems to be a good way to assess whether the stimuli we are generating are really succeeding in causing behaviour change.

Certainly a lot of food for thought. What kind of behaviour change do we want to produce, and how can we test whether the stimuli we generate are appropriate for that?