arkanoid
Rating
+0.14
Power
0.38

Any sales pitch mentioning WannaCry is a scam.

snake oil
To suffer a significant damage from WannaCry, you need to craft a redundant clusterfuck of FIVE SIMULTANEOUSLY MET conditions:

  1. Failure to learn from previous cases (remember Cornflicker? It was pretty much similar thing)
  2. Workflow process failure (why do you need those file shares at all?)
  3. Basic business continuity management process failure (where are your backups?)
  4. Patch management process failure (to miss an almost two month old critical patch?)
  5. Basic threat intelligence and situational awareness failure (not like in «use a fancy IPS with IoC feed and dashboard with world map on it», more like «read several top security-related articles in non-technical media at least weekly»)

And after you won the bingo, you expect you can BUY something that will defeat such an ultimate ability to screw up? Duh.

"Security Management" "Maturity" "Model"

A few days ago I twitted this picture:

RSA model for security management "maturity"
with a comment: guess what's wrong with this picture (hint: EVERYTHING).

Not everyone got the joke, so I think it deserves an explanation (sorry).


At a first glance it makes some sense and reflects quite common real world situation: first you start with some «one size fits all» «common sense» security (antivirus, firewall, vulnerability scanner, whatever). Then you get requirements (mostly compliance driven), then you do risk analysis and then voila, you get really good and start talking business objectives. Right?

Wrong.

It is a maturity level model. Which means a each level is a foundation for the next one and cannot be skipped. Does it work this way? No.

Actually you do some business driven decisions all the time from the very beginning. It is not a result, it is a foundation. You may do it an inefficient way, but you still do. With risk analysis. It may be ad hoc, again, depending on the size of your business and your insight into how things work, but from some mid-sized level you simply cannot stick to «checkbox mentality», you need to prioritize. Then you come with checklists and compliance requirements as part of your business risks.

The picture is all upside-down and plain wrong. I understand they need to sell RSA Archer at some point there and that's why they see it this way, but it does not constitute an excuse for inverting reality.

"One Brand of Firewall"

Gatrner sent me an ad of a quite disturbing report ( www.gartner.com/imagesrv/media-products/pdf/fortinet/fortinet-1-3315BQ3.pdf ) which advocates using «one firewall brand» to reduce complexity.

Sorry, guys, one brand of WHAT?

There is no such thing as «general purpose firewall» that fits all. It is a mythical device (and this myth was supported by Gartner for years).
What you call «firewall» is actually one of three (or more) things:

1) A border/datacenter segmenation device. Think high throughput, ASICs, fault tolerance and basic IPS capabilities.
2) An «office» firewall. Think moderate throughput, egress filtering, in-depth protocol inspection, IAM integration and logging capabilities
3) WAF. Enough said, WAF is completely different beast, having almost nothing in common with any of those.

Ah, and a VPN server. It is not a firewall (though it should have basic firewall capabilities). Not falls into any of those categories.

Dear Gartner, have you ever tried to market a pipe-wrench-hair-dryer? You should, you have a talent for that.

On hypocrisy and spyware

I said it earlier this century, "state-sponsored malware/spyware developers ARE de facto blackhats".

There is no «legitimate» third side to receive zero days. Either you give a priority to your software vendor (and contribute to the defensive side) or you do not and contribute to the bad guys. Yes, bad.

Not that I blame vulnerability researchers for being immoral. I am a free market advocate: if a software vendor is not willing to pay a competitive price for vulnerability information, it certainly deserves the consequences. I just hate hypocrites that fail to admit the obvious fact that they are no different to blackhats — because «we sell to government and law enforcement only» clause makes no real difference.

But, wait!



They ARE different.

The ideal black market for zero day exploits is free and open for anyone, including software vendors searching for the exploits in their software. You, as a seller, do not want to sell your exploit to the vendor of the vulnerable software, because you are interested in the exploit's longevity. But on the black market there is no way for you to know if a buyer works for the vendor (directly or indirectly).

Contrary to that, the real market (thoroughly regulated by the government) completely rigs the game to the detriment of the software vendors. First, a software vendor is explicitly banned from participation (by this «we sell only to law enforcement»), no legitimate purchases for a vendor, tough luck. Second, it is open for trusted brokers who make huge profits from the fact they got government approvals (see HBGary leak to find out how hard some people try to set a foot there with quite limited success).

Needless to say, newly proposed so-called «cyber arms regulations» only worsen the situation, making free black market for zero day exploits illegal in favor of government-approved brokers.

So they are not «just» blackhats. They are the most vicious breed. They found a perfect exploit for the government. They use regulations to defeat their victims.

Smartphone is a computer (actually, not, but it should be)



There is a simple remedy to many information security woes about smartphones.

And it is simple. And extremely unpopular. Vendors, operators definitely won't like it.

Just it: turn a smartphone to a computer. No, not like now. Really.

A computer does not run «firmware» bundled by «vendor» and «certified to use». It runs operating system, supplementary components like libraries and device drivers, and applications, both system and users'.

And there are updates. When there is a bug, an update is issued, not by the computer vendor, but by the OS or other software vendor. While «firmware» which FCC et al should care of is the tiny thing that runs inside broadband module you user probably never think of at all.

I've seen people arguing that it would break things. Due to device fragmentation people will get broken updates, brick their phones and overload repair centers. Come on. Never seen bundled OTA firmware update doing that? It is actually safer if the update is going to be granular and won't touch things it does not need to.

But you won't ever seen unfixed remote code execution bug to stay for years or even forever if your phone vendor decides that it no longer necessary to support this model.

I want my smartphone to be a real computer. With OS, applications, and no unremovable bloatware that is burned in by the vendor or (worse) MNO. Do you?

UPDATE: and surely initiatives like this will get middle finger as they deserve and no questions could be raised. You may run anything you want on your COMPUTER.

One more lesson to repeat from HackingTeam breach

(it is a copy of my old LinkedIn blog post, I saved it here because Linkedin sucks big time as a blog platform)

The full story is here:
pastebin.com/raw/0SNSvyjJ
and it is worth reading for all InfoSec professionals and amateurs: perfect, outstanding example of an «old school» hack described step by step.

Also it provides us a classic example of another issue often overlook, or rather intentionally ignored: starting from certain (rather small) organization size and complexity, a sophisticated attacker WILL compromise your Active Directory. There is no «if» in this sentence: it is inevitable. I've seen many pen tests and many advanced attacks by malicious entities — ALL, I mean it, ALL of them ended like that.

That leads us to obvious, yet controversial conclusion: for certain valuable resources it is better to keep them OFF the domain. This means cutting away the whole branch of an attack graph: no SSO, no access from domain-joined admin workstations, no access recovery via domain-based email, no backups on AD-enabled storage, whatever. Which rises some completely different issues, but that's it.

Can you manage this? Can you live with this?

"We are not responsible"



More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.

More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.


Seriously. They are «not responsible»! Who is, then? Those guys are getting paid enormous amount of money for being MANAGERS. Manager is a person who is responsible — for solving problems he/she might not truly comprehend as well, but that's ok. I do not expect them to really know a thing or two about IT or security. An executive should understand business risks, that's enough. If there is a business risk that an executive does not understand and is not willing to, he/she should consider getting another job, probably McDonalds could offer them an intern position?

Those people say they are utterly incompetent — and they say it in public and get away with that. And everyone thinks it is ok.

I still fail to understand why ransomware is such a big deal



I've seen a lot of companies where it is not — not necessary big corporations with huge IT staff. There is just no reason to have anything of significant value on a workstation (and quite a few reasons to have it on a file share) and it is not a huge complication to live without it.

I'd be more worried about the fact that if you've got ransomware (or any malware at all) it means you have been compromised. And you are just lucky that the attacker was not sophisticated enough to get any other advantage of the situation (in a way that would be even more harmful to you), maintaining covert access for indefinite amount of time and silently ruining your business the way you wouldn't even be able to identify before it's too late.

So it is not about desktop backups, or antivirus, or advanced anti-APT self-guided silver bullets. It is about you.

Some thoughts on enterprise risk management, security awareness and stuff



It all started as a Facebook discussion. A colleague of mine witnessed an impressive talk on a conference: a representative of a penetration testing company claimed he would hack any company in one hour. He was challenged to do this, and here is the solution:

With simple search of social networks and the company’s website, he profiled the target company and obtained a contact of a sales person. Then he crafted simple trojan executable (not really tailored at this time, just some generic one), encrypted the archive and sent it to that person; then he called by phone pretending he has an urgent business proposal and mentioned the email he have just sent.

The salesperson replied: ”I cannot open the documents, my antivirus does not allow me to". «Strange, which one?» "(some name)" «Ok, I will send you a new archive, it should work». And it did (now it was a better crafted trojan).

Yes, simple as that.

Could it be thwarted with a proper training?

Yes. And no.

You may expect some vigilance from a person who understands the risks.
But what the risks are and could a training help to understand it?

From a salesperson's perspective, chances are there is a technical issue. A salesperson estimates the probability of this as, say, 90% (we may discuss his reasoning later).

“If I manage to close the deal, circumventing the procedures that do not allow me to open these documents, I get, say, $30K bonus. If I do not, I get nothing.
10% chance is there is a malicious hacker trying to steal the data from the company. If a hacker succeeds, and I get the blame, I am to be fired and I lose, say, $50K in total consequences”.

Given our salesman has a decent experience and learned some basic probability theory, it is totally acceptable for him to ignore the danger; this would be a reasonably profitable strategy that incurs no extra cost. Add some internal competition among sales people and you easily see that he would play this lottery again and again.

That's how single-parameter optimisation works. One cannot simply turn the «money seeking zombie» mode off.

Let's talk about someone a bit higher in a corporate food chain, or even at the top of it — CEO, CFO, VP of sales, etc.

The perspective changes drastically. If the contract is secured, the company gets $1M. If a large-scale network breach occurs, sensitive data get leaked, or something similarly happens, the company loses $15M. And that persons bonus is affected accordingly.

The balance is all different now (even if we assume probabilities to be the same).

Who is our CISO (or whoever is in charge of the data security) working for? The answer is obvious.

But there are caveats, as usual.

The first caveat is that if, say, our worst-case scenario loss is estimated to be low and the associated damage to be benign, then the doing nothing strategy of risk acceptance (as bad as it sounds) is a business justified course of action.
If you dislike this choice, you may try spend some resources to decrease the probability and the impact, don't expect the business side to be very cooperative. It is still a lot of money, but not enough to let you interfere with any revenue generating processes.

And the second caveat is more serious. It is that all our risk estimations are produced by the business risk management process, which is an enigma for us, a black box. It either works, or we blindly assume it works because it is «someone else's problem».

It the business risk management is ad hoc, or does not exist in your organisation, or is non-functional, it gets substituted with “information security risk management”, where the most prominent «information sources» are: «FBI/CSI reports», «SEC-mandated leak disclosures», «industry analysis reports» — the highest grade nonsense, zero relevance is guaranteed.

It is better than nothing to base our guess on, but a blatant attempt to sell our qualitative estimation as quantitative data is a pure hoax.

However, chances are there is no risk management at all in your company, not even a dysfunctional one.

I think most people in the industry know that, but most are afraid to tell the truth aloud.

If you do not know your business environment, the probability estimation is pointless.
If you do not know the real business impact of a breach, your loss estimation is baseless.

Multiply these to get nonsense squared.

But you need to “justify” your security choices anyway. Scaremongering sounds like a decent plan now?

On coming age of silver bullets

Silver bullet

I keep telling you time and again «there is no silver bullet in Information Security», despite the vendors blatant attempts to claim otherwise.

You cannot buy a box that solves your problems at once. Every tool needs a skilled person to be mastered by. And still we look forward with hope for the best and the victory of reason, while, trying to guess the shape of things to come. There are emerging technologies, deep learning, AIs and stuff that certainly will change everything. Someday. And there are promising startups that already started doing it. But is it really the most important change we expect — right now?
Read more →