Thursday, October 23, 2008

Spliced feed for Security Bloggers Network

NAC of the living dead [StillSecure, After All These Years]

Posted: 23 Oct 2008 07:15 AM CDT

It is not often I admit I was wrong, but mark this one down, I was wrong. The other day I blogged on McAfee bringing out a stone age NAC.  I could not believe that McAfee would actually show any innovation themselves and develop a product instead of buying one.  OK, so the product looked like it was 2 to 3 years behind the state-of-the-art NAC products. It was NAC for cavemen, but at least they tried.  But I should have known better.  Todd over at Napera left a comment on my post, pointing to a post on his Napera blog. Todd says that the McAfee NAC product is actually based on the stinking, rotting corpse (wait, where have I heard that before) of the Lockdown Networks NAC! I should have known those bold innovators over there would not actually develop their own product.

So McAfee is trying to raise a NAC zombie.  With maybe a little voodoo do they think the Lockdown technology which did not scale, did not test well, had problems with different switches and had all kinds of other issues will now be any better? The Lockdown technology was so bad that they had to close down in the middle of the night because they couldn't find anyone to take it.  After rigor mortis set in, evidently the McAfee folks came by like the invasion of the body snatchers to quietly grab the IP and have tried to resurrect it again. Guys it didn't work the first time, it ain't going to work the second time!  Stop trying to play George Romero and let the dead rest in peace.

I guess I should breathe easier. I actually thought McAfee might come out with something competitive! In the meantime it should be interesting to see what happens when they actually try to get this to work at some of their customers.

Police in schools and universities to stifle students' protest against cuts [Security Circus]

Posted: 23 Oct 2008 05:39 AM CDT

Selective Notification [The Security Catalyst]

Posted: 23 Oct 2008 05:05 AM CDT

As the Privacy Director for the Liberty Coalition, I have discovered and documented roughly 100 breaches on our website. There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who’s responsible. The vast majority of these breaches are unintentional. Except for breaches by criminal ID theft rings, most breaches are due to ignorance, recklessness or plain stupidity, but not maliciousness.

Inside the Breach

I recently announced such a breach by East Burke High School in the small North Carolina town of Connelly Springs. In short, a staff member had placed personal information online for more than five years. The victims included 163 teachers, bus drivers, custodians, and others who worked at East Burke High School in 2003. The information exposed included names, social security numbers, addresses, phone numbers, job titles, e-mail addresses, and a few unlisted phone numbers.

I notified the school, which removed the file within 20 minutes, and also worked to clear search engine caches. I then worked directly with the Superintendent, David Burleson, who asked for my help drafting a letter to victims, which I was happy to do. As I drafted the letter I put factual assumptions in [brackets], and for the sake of expediency omitted some of the instructions, replacing them with asterisks. I handed him the letter and told him to review it for factual accuracy and run it by his legal counsel. In addition to the brackets and asterisks, my draft of the letter committed the school district to do five things, including contracting with an identity theft protection company to provide free credit protection services to victims.

Days after I sent the letter to the school district, the Hickory Record ran a copy of the letter as sent by the school district, and I had to chuckle when I saw all of my brackets and asterisks still in the final copy. For example, “As of now, [we don't have any evidence that anyone with bad intentions has seen your personal information].” I also wanted their general counsel to confirm whether North Carolina allowed for credit freezes. The final copy encourages victims to get a credit freeze, with a note to the general counsel: “[Note: Not all states allow a credit freeze].” And this omission for the sake of expediency: “visit, and click on “***” for more information.” The Hickory Record has since done some copy editing on behalf of the school district, and edited out the brackets.

Therefore, What?

Now in their defense, I’ve got to give the school district credit for making a good faith effort to notify their employees of the breach. And I can’t be too critical of their failure to edit the letter, especially in a small school district with limited resources.

On the other hand, it turns out they did edit the letter. The school district conveniently removed the promise to provide identity theft protection services to victims. This selective editing is symptomatic of systemic problems with protecting consumer privacy:

  • The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. This means that there is a strong financial incentive to do as little as possible to prevent, announce, or clean up a breach. The result is victims often don’t get all of the facts or protections they need.
  • The fox is guarding the hen house. A cruel irony of data breaches is that the responsible organization has a strong incentive to hide or skew the details. Many breaches are under-reported or unreported, regardless of applicable law. With very few exceptions, even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.
  • Privacy Naivety. If you have ever asked customer service, “does your organization ever share my personal information with other organizations,” the answer is always (and incorrectly) “no.” Unfortunately, consumers incorrectly assume that laws and privacy policies protect their personal information. Employees incorrectly assume that their privacy practices are sound, while company policies often amount to little more than a privacy waiver. An environment of naivety breeds carelessness and increases the risk of breaches.

Consumers should always read breach announcements with a skeptical eye, and press the breaching organization for as much detail as possible.

Clickjacking, CSRF, Social Networking, Oh My [CTO Chronicles]

Posted: 23 Oct 2008 04:00 AM CDT

DarkReading has a good article on the overarching challenges facing security administrators today (bonus alert:  it has an I Love Lucy reference!), including mentions of recently "revealed" vectors around both clickjacking and Cross-site Request Forgery attacks.  I quote "revealed" since, even though the Princeton researcher's work on CSRF is well documented, we'll have to wait until the Hack in the Box conference to get the full scoop.  The downside of this is that it sure sounds and smells a lot like the Kaminsky thing, and I'm not sure even he would do it that way again.  The upside is that it's a chance/excuse to go to Kuala Lumpur, which is a beautiful city with amazing food (the latter being an obvious requirement for the former).  But I digress.

It's easy to come away from the series of DarkReading articles with a, well, dark impression of the state of endpoint security these days.  With continually morphing combinations of browser vulnerabilities, infected emails, user gullibility and malware-laden websites, it's difficult to see how any security manager can keep his endpoints malware-free for any window of time.  And all of this is made even worse by the fact that many of the new vulnerabilities aren't bugs per se, but rather dependencies on the very things that help make today's web cool.  So, never mind, one might argue.  We've failed and the cause of malware-free computing is lost.

But perhaps what we need is to change our thinking about what failure is (which is different than re-thinking what "is" is).  Perhaps we've spent too much time so far putting our collective eggs in the basket of avoiding endpoint infection, when, really, at least some of that attention is better spent on the idea of containing infections that are, in the end, inevitable.  Put another way, it's not an engineering failure to have a router (or WAN card, or FRAD, or whatever) failure in the Bogota office.  It is an engineering failure for that equipment failure to result in a services outage for the people in the Bogota office or anywhere else (I'm not intending to pick on Bogota, by the way.  They have fine food too).  We accepted long ago that what equipment does is fail.  That acceptance didn't stop global data networking, obviously; it simply drove best practices around the notion of engineering for that failure.

My thinking of late, then, is that we've so far put too much attention on the single point of failure that is infection avoidance.  That means (yes) having mechanisms in place to (a) detect the infection and (b) affect the network access of the endpoint in a timely way.  But it also means things beyond just NAC, like the ability to clean/restore the system without having to put a help desk person on a plane.  Not easy, perhaps, but it seems an answer that is at once more in keeping with the traditions of IT, and, well, more hopeful.

links for 2008-10-22 [Srcasm]

Posted: 23 Oct 2008 12:01 AM CDT

A Few Ideas for a More Secure Future. [Digital Bond]

Posted: 22 Oct 2008 07:06 PM CDT

Having been involved in this industry (control system security) for the last five years, a quick examination of what progress has been made in securing critical infrastructure leads me to the conclusion of “not very much”. The industry is still plagued with the same basic vulnerabilities (as noted by the recent release of 3 very simple buffer overflow vulnerabilities and exploits into the public domain) and misconfigurations that were all too common 5 years ago.

Asset owners, those who are actively pursuing more secure deployments, are quick to note that the realities in which they operate are not conducive to security. They deal with old legacy systems with no built-in security, which they cannot readily patch or upgrade. When confronted with the inherent weaknesses in their environments, their response is too commonly “we simply can not do anything about it.” There needs to be a paradigm shift, then, in future products that does not leave asset owners and operators with no options. The reality of their situation needs to change.

As a solution to the legacy problem is not readily apparent, I offer some ideas for future products. Though, in some ways security for control systems has taken “one step forward and two steps backwards”.

What I mean by this is that over the last 5 years many companies have had their products examined by researchers, and vulnerabilities have been found and fixed. Yet many “features” in new product lines expose the control system to a wide variety of other exploit pathways. New products with web server management consoles, web based HMIs, and Ethernet based “safety systems” quite frankly give me the willies.

My Wish List for future control system products (or what features I would look for in a control system):

  • Products should provide some form of strong integrity and authenticity control for all on-the-wire communications. This could be either IPsec or TLS based.
  • All system components (hardware, software, field devices, etc.) should require strong passwords using a strong form of encryption, and all password exchanges and key exchanges should be encrypted.
  • Software, hardware, field devices, etc. must change ALL default passwords upon initial installation.
  • Systems should have exceptional logging and auditing capabilities.
  • Products should not come with email or web browser clients by default. HMIs, operator workstations, FEPs, historians, etc. should have these removed, as they are now the number one exploitation vector in the IT sector.
  • Control systems should not use a web app based HMI interface requiring the use of a web browser by operators (see above).
  • All unnecessary software should be removed, minimizing the attack surface.
  • Products should not have unsecured web based interfaces into management consoles. All web server based management products must use SSL and require an authenticated login. No blank passwords or default passwords may be allowed.
  • The system must not have outward facing (from the local segment into the Internet, etc.) services necessary for its operation.
  • Safety systems should not be Ethernet based, as this exposes them to common IT vulnerabilities. Do we really want the safety backup systems vulnerable in this manner? (I am aware of at least two teams that have hacked Ethernet based safety systems to the point where things that shouldn’t have been able to happen, happened. In test lab settings.)
  • Firewalls should be a standard part of every deployment, configured specifically for the environment. The firewall should strictly limit communications to those expressly needed, and should also limit the local segment (control system) communications to those expressly required.
  • ACLs should be part of the package that limit what operations users can perform. File system ACLs should also be standard.
  • An IDS with the best available rule-sets for the control system should monitor all traffic into and out of the control system. This will alert on the majority of common exploits and return communications.
  • Host-based IDS (HIDS) should be present on all the systems. It should monitor for out-of-character traffic, modification of files, and the execution of out-of-character executables.
  • Products should initiate patch retrieval from the downstream side and not allow patches to be pushed up to the field devices, servers and workstations. Patches should also be signed with some type of hash to authenticate and validate the patch.
  • Systems should provide redundancy such that patches can be pushed up in real time without negatively impacting operations (availability). (This one may qualify as a pipe dream.)

Products designed with these features/specifications would go a long way to securing our critical infrastructure. If the legacy systems are inherently insecure, the least we can do is direct the vendors into producing future products that have security as a critical design parameter.
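The patch-handling items on the wish list (the device pulls the patch rather than having it pushed up, and validates a signed hash before applying it) in working form, as an added example that is not Digital Bond's code nor any vendor's product code. It uses only the Python standard library; DEVICE_KEY, the patch bytes and the manifest layout are constructed for illustration, and a keyed HMAC-SHA256 tag stands in for the asymmetric vendor signature a real product would carry. It also goes slightly beyond the list by refusing rollback to an older version, since a valid-but-old patch is the usual way a signed-update scheme gets undone.

```python
"""Added example: device-side verification of a pulled patch.

Demonstrates two wish-list items: the device pulls the patch itself and
validates a signed hash (here an HMAC-SHA256 tag over version and digest)
before applying it. Standard library only; key, patch bytes and manifest
layout are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed example key, provisioned to the device at install time.
# A production design would use a vendor public key and an asymmetric
# signature; a shared-secret HMAC keeps this example dependency-free.
DEVICE_KEY = b"example-provisioned-key-do-not-reuse"


def _signed_fields(version: int, digest: str) -> bytes:
    """The exact bytes the tag covers: version and digest, unambiguously joined."""
    return f"{version}:{digest}".encode()


def make_manifest(key: bytes, version: int, patch: bytes) -> str:
    """Vendor side: bind the patch version and SHA-256 digest under an HMAC tag.

    Returns the manifest as JSON, the form it would travel in alongside the
    patch bytes. The tag covers the version so an old patch cannot simply be
    relabelled as a newer one.
    """
    digest = hashlib.sha256(patch).hexdigest()
    tag = hmac.new(key, _signed_fields(version, digest), hashlib.sha256).hexdigest()
    return json.dumps({"version": version, "sha256": digest, "tag": tag})


def verify_patch(key: bytes, manifest_json: str, patch: bytes,
                 installed_version: int) -> Tuple[bool, str]:
    """Device side: decide whether a pulled patch may be applied.

    Rejects, in order: malformed manifests, rollback to an older or equal
    version, patch bytes whose digest does not match the manifest, and a
    manifest whose tag does not verify under the device key.
    """
    try:
        manifest = json.loads(manifest_json)
        version = int(manifest["version"])
        digest = str(manifest["sha256"])
        tag = str(manifest["tag"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"

    if version <= installed_version:
        return False, "rollback or replay: version not newer than installed"

    actual = hashlib.sha256(patch).hexdigest()
    if not hmac.compare_digest(actual, digest):
        return False, "patch bytes do not match manifest digest"

    expected = hmac.new(key, _signed_fields(version, digest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest tag does not verify"

    return True, "ok"


def demo() -> dict:
    """Run the check on a constructed patch and four tampered variants."""
    patch = b"constructed firmware image, version 2"
    manifest = make_manifest(DEVICE_KEY, 2, patch)
    relabelled = json.dumps({**json.loads(manifest), "version": 9})
    return {
        "genuine": verify_patch(DEVICE_KEY, manifest, patch, 1),
        "tampered bytes": verify_patch(DEVICE_KEY, manifest, patch + b"\x00", 1),
        "downgrade": verify_patch(DEVICE_KEY, manifest, patch, 2),
        "relabelled": verify_patch(DEVICE_KEY, relabelled, patch, 1),
        "wrong key": verify_patch(b"other-key", manifest, patch, 1),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} -> {'APPLY' if ok else 'REJECT'} ({reason})")
```

The order of checks matters: the version comparison runs before any hashing so a replayed old manifest is rejected cheaply, and both comparisons use hmac.compare_digest rather than == so the reject path does not leak timing information about how much of the tag matched.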

McAfee takes another swing at NAC with Lockdown’s technology [Napera Networks]

Posted: 22 Oct 2008 06:44 PM CDT

My cofounder ChrisB’s blog post on Lockdown Network’s demise in March received an interesting postscript this week. As reported in Network World, McAfee announced that they will be shipping new NAC products in 2009, including new enforcement and support for unmanaged devices not running the McAfee NAC agent.

Alan at StillSecure blogged his surprise at McAfee building or repurposing their own ‘stone age’ NAC technology, and I quote:

At best this is a finger in the dike strategy until McAfee realizes that they have to do it the McAfee way. They just can’t build innovation and they have to go out and buy a NAC company.

Ironically that’s not the full story. It turns out that McAfee did go and buy a NAC company. In August McAfee quietly acquired what remained of Lockdown, and a close look at LinkedIn shows they have picked up at least one former Lockdown developer. Some of the new McAfee NAC features appear to be based on the network level enforcement technology from the original Lockdown Enforcer product for large enterprises.

This is an attempt to address the issue faced by McAfee’s NAC software (and many agent based approaches). In short, relying on a software agent to control network access only works well if all PC’s have that agent installed. But NAC agent installation is painful. When a laptop wielding guest who doesn’t have administrative rights to install your agent enters the network, it gets complex. It’s hard to see how an IT manager is going to feel comfortable with a network security product that doesn’t have the ability to control traffic at the network level, and this is implicit in the design of many agent based approaches to solving NAC.

It remains to be seen if the McAfee software agent model will mesh well with the Lockdown approach and effectively address customer requirements. McAfee certainly has work ahead of them to shake out the scalability and compatibility issues that plagued Enforcer in the marketplace. Ultimately it’s a bold attempt to merge a traditional agent based approach with Lockdown’s network level enforcement, both of which are fraught with challenges. In the large enterprise it’s possible that they may pull it off, but it’s unlikely to be successful in any company without a hefty IT infrastructure.

The essential concepts behind the Napera product line take a different approach that has evolved beyond early NAC technologies. Napera products were designed for SME customers from day one and our technology is not recycled from large enterprise products. Our direct integration with the Microsoft NAP agent means the Napera N24 is broadly compatible with antivirus and antimalware products from different vendors. The Napera N24 appliance delivers network level enforcement for gigabit wired and wireless networks, which simplifies deployment and removes the need to roll out technologies like SNMP, VLANs and 802.1X that are unfamiliar to many SMB and SME IT managers. Finally, Napera deployment is made easier by the software-as-a-service approach which moves the heavy lifting of reporting and management into the cloud.

Regardless of the outcome, McAfee’s refresh of their NAC product line with this new approach is an interesting development in NAC products for the large enterprise. Is this the beginning of NAC consolidation that pundits have been predicting? Only time will tell.

Beyond the Firewall: Why traditional security is not stopping network attacks [Napera Networks]

Posted: 22 Oct 2008 03:26 PM CDT

Tomorrow at 10am PST I’ll be joining Jeff Wilson from Infonetics in a webinar titled ‘Beyond The Firewall’. The focus of our discussion will be on quantifying and understanding why many businesses remain vulnerable to security threats despite investing heavily in firewalls and antivirus solutions.

If you are interested in learning more, you can sign up for the Webinar here.

"Police are now investigating the link between terrorists and paedophilia in a..." [Security Circus]

Posted: 22 Oct 2008 02:31 PM CDT

Police are now investigating the link between terrorists and paedophilia in an attempt to unravel the system. It could lead to the training of child welfare experts to identify signs of terrorist involvement as they monitor pornographic websites. – Terrorists 'use child porn' to exchange information - Telegraph

God spare us! We already see the disasters caused by self-styled child porn hunters, we just need to have them deal also with antiterrorism...

Red Flag Compliance postponed for FTC-covered entities [Kees Leune]

Posted: 22 Oct 2008 02:29 PM CDT

While I was listening to an Educause webcast on Red Flag Compliance, the FTC announced that it would not be enforcing compliance on the Red Flag Legislation until May 1, 2009. That is a major relief and takes a lot of pressure off the remainder of this month. In the meantime, check the FTC site for the formal announcement.

People will always be the weakest link in security. [Nicholson Security]

Posted: 22 Oct 2008 10:05 AM CDT

Yesterday morning I stopped in the local Starbucks to get some coffee.  I noticed when I arrived a customer that was unpacking a laptop bag and getting situated.  While I was waiting in line after ordering my drink, the same customer passed me heading into the restroom.  After I got my coffee I started to head out the door.  I noticed that the customer had booted their laptop and had a Citrix session running with Outlook open.  I looked around and realized that the customer was still in the restroom.  I decided to take a few minutes and sit down across the room and observe.  I noticed that the laptop had a 3G data card plugged in, so I am guessing that was the data connection the customer was using, not the WiFi hotspot.

Let's evaluate the situation.  We have a company whose IT people need to provide remote access to its users.  They want to keep full control of their data, so they go the thin-client route and use Citrix.  They also must provide the 3G card, I am guessing, as well.  But after all that a user boots the laptop, I’m guessing VPNs into the company, authenticates through the thin-client, launches Outlook and then takes a health break without locking the system.

I won’t even go into the part about the laptop just sitting untethered on the table.  That is just a whole other issue.  I am really hoping that all the sensitive and private data is on the thin-client side and not on the local laptop. Sometimes I get tunnel vision on teaching best practices and awareness about security.  All the different technology we can use and policies created to reduce risk, and then you throw a user into the mix and it's all for naught.

I know that many of you will see the same thing sometime today but what is the fix?  The customer I observed, after they did come back 15 minutes later, had a Realtor lapel pin.  I don’t think keeping that user nailed down to a workstation in a secure building is an option.  I would like to hear your stories, in the comments, on how best efforts were made in the name of security and a user killed it all without any thought.  I would also like to hear solutions to fix problems like this.  I think setting the screen saver to turn on after 60 seconds with authentication enabled would be a good start but not sure how the user would feel about that.  :P

P.S. This isn’t just a user issue.  I have seen an Administrator spend 30 minutes climbing through security and authentication, only to walk out of sight of their laptop to get a soda refill, without locking their laptop.  This is truly a people problem, not a non-technical user problem.

Early Bandolier Adopter at ISA Expo [Digital Bond]

Posted: 22 Oct 2008 09:40 AM CDT

One last story from ISA Expo. The beta release of Bandolier came out the Monday of ISA Expo and included security audit files for four Telvent OASyS DNA components. An attendee from a large oil company had a security assessment scheduled for the next day. He actually downloaded and used the Bandolier security audit files.

He said a lot of great things about Bandolier. The Bandolier security audit files for Telvent have over 1000 individual audit tests total for the four components, so he came in with a lot of credibility on knowing what to assess in the system. The detailed results on each individual non-compliance blew the owner away.

I’m going to make a bold and somewhat self-effacing statement here. No one in the past could assess the security settings of a Telvent system in the level of detail possible now with Bandolier. Digital Bond has done a number of assessments of Telvent OASyS SCADA systems, and we were not able to come close to the completeness possible now with Bandolier.

Don’t take this as Bandolier being a complete assessment solution. There still is a need to look at system architecture, user roles and authorizations, redundancy, as well as use other scanning tools … However, if you have a system with a Bandolier audit file it would be crazy not to use it in the assessment. Digital Bond does assessments in our consulting practice, and we believe we are among the best, but we fully expect and hope other assessment practices use the results of this Department of Energy funded research.

The early adopter also found a problem in some hyperlinks to documentation and had some helpful suggestions to organize sets of documentation in PDFs in addition to the pages. Please email us your feedback.

Security Roundtable for October 11, 2008 - Social Media Ethics [The Security Catalyst]

Posted: 22 Oct 2008 08:43 AM CDT

The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.

With the help of Jennifer Leggio - social media expert, former journalist and friend of the Security Roundtable – we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information.

This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us – join us in the Security Catalyst Community (just pay attention to the naming standard – you must use your real name).

Learn more about the participants:

Jennifer Leggio

Martin McKeay

Michael Santarcangelo (books now available – eBook or hardcover)

PCI Europe Community Meeting, Q/A (Part 2) [Branden Williams' Security Convergence Blog]

Posted: 22 Oct 2008 07:33 AM CDT

Final round of questions from the field!

The first question from this session was "Are end of life operating systems able to be used?" The thing that really worries me about retail is that information security does not seem to be built into the price of goods on the shelf. When someone asks if they are expected to replace hundreds or thousands of devices for PCI Compliance because Microsoft will not support them anymore, I worry more about the overall security of the company. This seems like a reactive approach without any forward strategy, which is unfortunately fairly common.

I understand the business implications here. If your competitors are not doing this, you could face additional price pressures by trying to do the right thing. That said, I am a firm believer in doing the right thing for the best long term growth strategy.

Next couple of questions are arguments of semantics. It also seems that some of the attendees are not fully using the information provided by the Council. There is the Navigating PCI-DSS document that helps with intent, and the FAQ which answers some of the questions that were asked.

Next one was a compliance versus security question. The point made is valid, but with PCI-DSS being applicable to any merchant accepting credit cards regardless of size, you can't expect that the merchant with 100 cards per year is going to jump through the same hoops as a Fortune 500 retailer.

Also, it is a bad idea to spend ten minutes trying to show the Council how smart you are about security. They will remember you, and not necessarily in a good light.

Next question was an excellent point on a potential interpretation of 12.8 that will be giving QSAs a headache. I won't go into it here, but we have to think about intent and use a little common sense.

A question about dates was posed next, but that is answered in the lifecycle document. Also, don't forget, the card brands are the enforcement arm of PCI, not the Council.

Next couple of questions were just minor questions that any QSA should be able to answer.

Then came a merchant that put forth a story about the work he had to do to maintain his business. Again, folks, you've got to build security and compliance into the cost of your product. The one point of his that is valid is that he wants things more prescriptive to avoid variance in QSAs (with applause from a few people at the end). While this is not necessarily achievable, I do think VeriSign might have some solutions for you. If this was you, please email me. We can help you through this on a global scale.

And that concludes the Q/A session!

The Great Thing About Standards… [eIQviews]

Posted: 22 Oct 2008 07:28 AM CDT

"…is that there are so many of them to choose from", or at least so goes the old saying. Information security is no exception; the byzantine tangle of best practices, standards, frameworks, and various governmental and industry mandates that are either dedicated to information security or contain security-related requirements shows no sign of abatement or unification anytime soon. Of course, if you're a person who's responsible for implementing all that stuff in your environment, you're probably feeling some pain. Establishing common controls is a well-tested approach to meeting compliance, but where to begin?

Fortunately, some standards and frameworks for managing security are really starting to mature, to the point where they can become a starting point for building risk-driven common controls that easily map to regulations and other compliance drivers. Most of these frameworks and standards have been around for a number of years but through a combination of broad adoption, continuous feedback from adopters, and a mature management and improvement process, they are rapidly becoming a great starting point for building comprehensive information security. Here are three that I believe are well-balanced (addressing both technical and logical controls), risk-based (where the implementation of some or all controls is based on an analysis of risk to systems and data), and can be implemented across any industry:

· PCI Security Council (PCI) Data Security Standard (DSS) 2.0 – Recently released, the 2.0 version of the PCI-DSS standard focuses on a solid combination of static, pre-defined technical controls (e.g., minimum password lengths and complexity requirements), risk-based technical controls (e.g., business continuity infrastructure), and logical controls (e.g., written policies and procedures, and separation of duty). Although designed specifically for securing chain of custody around credit card data, PCI-DSS is rapidly becoming a standard of controls that organizations are applying to different types of data.

· ISACA Control Objectives for Information Technology (COBIT) 4.1 – The COBIT framework has long been a framework for managing information security. With a focus on processes – not just technology – COBIT has become the standard high-level framework used by global auditing firms to audit against compliance with SOX Sections 302/404, J-SOX, and other major financial regulations that address financial controls. Like other frameworks, COBIT is relatively light on technical controls (although there are some specific technical controls defined for applications, such as event auditing and monitoring); instead, the goal of COBIT is to provide a framework for using risk-based decisions to build and maintain a complete IT management program.

· International Standards Organization (ISO) 27002:2005 – One of many IT-related best practice documents issued by ISO, ISO27002 (formerly known as ISO17799) is geared toward helping an organization establish risk-based decisions to build and maintain a security program. Unlike COBIT, which is focused on general IT controls, ISO27002 focuses very squarely on information security. Being part of the ISO family, ISO27002 is augmented with additional ISO-delivered guidance to help certain verticals – healthcare and financial services, for example – implement specific controls that are not only ISO27002 compatible, but compatible with other industry-specific laws and guidance.

PCI Europe Community Meeting, Q/A [Branden Williams' Security Convergence Blog]

Posted: 22 Oct 2008 04:33 AM CDT

I always enjoy the Q/A sessions that the Council has at these events. I don't know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here's the first bunch of Q/A from this session!

The first question was around segmentation and SANs. I'd never heard the question asked that way, but most SANs by nature are segmented from each other.

The more interesting point here is: what constitutes segmentation? So many assessors only consider firewalls a method of segmentation. According to the documentation provided by the Council, segmentation can be accomplished in multiple ways, not just by deploying firewalls. QSAs should be looking at the whole solution, not just fixating on a point solution (hey, sound familiar from a remediation perspective?).

Second question was on sampling... another issue that often comes up. The new version of the standard says to use a representative sample (they used to use the term selective sample), but since the samples are not statistically valid, it makes choosing a sample a bit of a gut feel. You will see variance between QSAs here as we all seem to have a different opinion on what constitutes a representative sample.

Then a question was posed on a move to use standardized solutions. The recent push with the standard is to remove specific products and technologies which is the right way to go (by the way, that is called being vendor neutral, not vendor agnostic). The point was really geared towards small companies that may be looking to buy pre-packaged solutions as opposed to designing their own. I feel their pain; vendors often pitch silver bullet solutions that do not work together very well.

The next question was a cleverly disguised sales pitch. Don't do that. Seriously.

Ahh, my nemesis just asked a question. Guess what question he asked? "Can you make a statement that says you don't have to store cardholder data?" It's in there, bud, just take a look. I'll reiterate for you in case you don't want to search:

Merchants are not required to store cardholder data. Every merchant we have worked with has been able to get their acquirers to accept truncated numbers for chargebacks (or other post-settlement operations). I know that people still believe that the associations require merchants to store data because I had a discussion with a CISO on this issue recently. It would be great if you could stop spreading misinformation.

On the other hand, you do make writing this blog interesting...

The next several questions are nothing that has not been answered before, mostly around scope creep issues.

Back to segmentation, and this one was a customer specific question from a QSA! The old "I have a client that..."

So there you have it! Lots of similar questions from the US PCI meeting.

links for 2008-10-21 [Srcasm]

Posted: 22 Oct 2008 12:01 AM CDT

How do you collaborate internationally? [Srcasm]

Posted: 21 Oct 2008 11:02 PM CDT

I believe that most of you know that I’m working for Passpack now as a community/technology evangelist, and one of the most difficult things to get used to is the time zone difference.  The entire Passpack team is located in Rome, Italy, which means that they are generally around 6-7 hours ahead of me on the east coast of the US.  This makes for some interesting conversations with me half asleep while they’re on their 5th or 6th cup of coffee.  The second hardest thing to get used to is the methods and tools used to collaborate.

Of course we have a project management tool and we can now securely share information between our team but it’s very different from sitting down at a conference room table with a hot cup-o-joe and a pen and paper.  We use tools like Skype to chat while online and Google Reader and alerts to make sure that we are following all of the latest news and trends in the web world but I’m curious to ask some of you how you collaborate with your international teams.  What tools help to aid in feeling more connected with the other side of the world?  How do you improve your processes (especially with the time zone difference) while working remotely or even presenting to the group?

I know one tool I have found very valuable is a service called EQO.  Besides having a fantastic domain (who wouldn’t want a three letter domain?) they provide a solid product.  I can put a little bit of money into my account and whenever I need to reach my friends and colleagues in Italy, I simply click on their name (since EQO can import your phone’s address book, it’s easy) and it connects me for a very low cost per minute.  For instance, to call the office in Italy, it’s only 2.3 cents per minute.  Compare that to AT&T, which would run me $1.49 per minute!  In addition, their application runs on a huge number of cell phones, including BlackBerry and Windows Mobile devices.

I’ve decided to combine EQO with Skype to give me two very inexpensive ways of contacting the people that I need to talk to no matter where I am.  I for one hope that people and companies continue to innovate and create solutions that aid in remote and international collaboration.  It’s how our world should work, as one.

Catalyst Community Update for October 21, 2008 [The Security Catalyst]

Posted: 21 Oct 2008 09:04 PM CDT

After a great time at the Microsoft Small Business Summit, I flew home only to spend 5 hours on delay in the Newark airport. I was fine, but was missing the RV! Well, we got the RV back on Friday, loaded it up and headed out on Saturday. We arrived Sunday night in Kansas City - and I was honored to deliver the keynote for the Midwest Consolidated Security Forum today. It was a blast to see some old friends while making new ones, too.

Due to popular demand - James Costello and I will be hosting a session tomorrow on how to build an awareness program that works, based on our Pop Culture Security program (and yes, I am WAAAAY late on posting our next episode. I blame the thieves - and am almost caught up). Join us if you can! Thursday I am honored to be invited to the CCKC event - 7pm local time. It’s a busy week.

Next Stop? Seattle! I will be leading a session at the Secure World Seattle event — and hoping to meet many of the Security Twits and good friends in the area. Will be my first Halloween in Seattle - and we’re looking forward to it!

Discussion Forum Activity

Here are some recent discussions ripe for contribution or learning:

List of community blogger and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts - let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community?

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

      Go here:

      Select the register link

      Follow the naming standard: firstname.lastname (include the period between first and last names)

      Your account will be reviewed and approved

      Jump in and share your thoughts!


Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at or follow the progress of the book and speaking tour at As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: and “follow” and chat with me here:

Coming Up:

  • Week of October 20: Kansas City for the MCSF Keynote
  • Week of October 27: Seattle - Secure World Seattle (look for more details coming soon)
  • Week of November 3: Portland, Oregon, Keynote for:
  • Week of November 10: (transit back to East Coast, perhaps via Dallas)
  • Week of November 17: DC Metro - CSI Conference (look for more details) and Philadelphia, PA for a private briefing for the CSO Breakfast Club


Join The Security Catalyst LinkedIn Group

For active members of the Security Catalyst Community

Competitive Truth-O-Meter [CTO Chronicles]

Posted: 21 Oct 2008 04:42 PM CDT

Since we're nearing the end of the silly season that is the presidential election cycle, and since I've spent the past few weeks in the field, I thought it might be fun to run through the truth meter some of the competitive FUD that has come my way.  Competitive FUD is a natural part of the landscape, so this is not at all intended to cry foul; simply to set the record straight.  Thanks and apologies in advance to the good people at for my shameless pilfering of their graphic.

They say:  Mirage technology is based on behavioral threat detection, which while a useful security feature is not NAC.


It depends on what your definition of is is.  It's true that behavioral threat detection is at our roots; it's also true that revoking network access as a result of behavioral badness is controlling network access.  I suppose one could say that controlling network access is not Network Access Control.  I'm glad I'm not the one saying that.

They say:  No persistent or dissolvable agent, which provides a less comprehensive endpoint assessment.


We do offer an on-demand Java control for full endpoint assessment, including patch levels, SMS currency, AV/AS currency and firewall status.  This assessment is done in addition to an OS and Service Port map done from the network side (see below).

They say:  Host-based firewalls must be disabled for compliance scan to take place.


Wrong on at least two levels.  First, we have a Java control that can perform a deeper compliance scan, independently of any firewall status.  Second, our network-side scan that maps endpoint OS and open Service Ports is a combination of Active (meaning packets that we send to the device) and Passive (meaning frames we receive from the mirror) scanning.  So a host that, for example, sent us an RST on port 25 but sent another host an ACK on port 25 gets marked as an SMTP server.  Indeed, Mirage is the only company of which I'm aware that uses a combination of active scanning and traffic monitoring to present a complete picture of how an endpoint is behaving on the network.
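The point above, that a host can refuse the sensor's own probe while plainly serving the same port to its neighbours, is easy to miss when inventory relies on active probing alone. The following is an added illustration written for this page, not Mirage's code or output: it merges two constructed views of a small network, the replies to probes the sensor sent itself and TCP segments seen on a mirror feed, and records which technique produced the evidence for each service. The data classes, the sample hosts and the rule that ports below 1024 are service ports are all assumptions of the example.

```python
"""Combine active probe replies with passively observed traffic to decide
which hosts are really serving which ports.

Constructed illustration: the data structures, sample hosts and the
classification rules below are assumptions for this example, not a
vendor's implementation or output.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

EPHEMERAL_PORT_START = 1024  # assumption: ports below this are service ports


@dataclass(frozen=True)
class ActiveProbe:
    """Result of one SYN the sensor sent to host:port."""
    host: str
    port: int
    reply: str  # "SYN-ACK" (open), "RST" (closed/rejected), "NONE" (dropped)


@dataclass(frozen=True)
class PassiveFlow:
    """One TCP segment seen on the mirror (SPAN) feed, as sent by src."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"


def services_from_active(probes: Iterable[ActiveProbe]) -> Dict[str, Set[int]]:
    """Ports that answered the sensor's own probe with SYN-ACK."""
    found: Dict[str, Set[int]] = {}
    for p in probes:
        if p.reply == "SYN-ACK":
            found.setdefault(p.host, set()).add(p.port)
    return found


def services_from_passive(flows: Iterable[PassiveFlow]) -> Dict[str, Set[int]]:
    """Ports a host is seen serving to other hosts.

    Evidence is a SYN-ACK sent from the port, or any non-RST segment sent
    from a service port to a peer's ephemeral port. An RST is a refusal, and
    a segment sent from an ephemeral port shows the host acting as a client.
    """
    found: Dict[str, Set[int]] = {}
    for f in flows:
        if f.flags == "RST":
            continue
        server_side = f.flags == "SYN-ACK" or (
            f.sport < EPHEMERAL_PORT_START and f.dport >= EPHEMERAL_PORT_START
        )
        if server_side:
            found.setdefault(f.src, set()).add(f.sport)
    return found


def build_service_map(probes, flows) -> Dict[str, Dict[int, str]]:
    """Merge both views; each port maps to the technique(s) that saw it."""
    active = services_from_active(probes)
    passive = services_from_passive(flows)
    service_map: Dict[str, Dict[int, str]] = {}
    for host in sorted(set(active) | set(passive)):
        a, p = active.get(host, set()), passive.get(host, set())
        ports: Dict[int, str] = {}
        for port in sorted(a | p):
            if port in a and port in p:
                ports[port] = "both"
            else:
                ports[port] = "active" if port in a else "passive"
        service_map[host] = ports
    return service_map


def passive_only_services(service_map) -> List[Tuple[str, int]]:
    """Services an active-only scanner would have missed entirely."""
    return [(host, port)
            for host, ports in sorted(service_map.items())
            for port, evidence in sorted(ports.items())
            if evidence == "passive"]


# Constructed sample data. 10.0.0.5 rejects the sensor's probe on 25 (a host
# firewall) yet is seen answering 10.0.0.20 as an SMTP server; 10.0.0.9 uses
# 443 only as a client and refuses it as a server.
PROBES = [
    ActiveProbe("10.0.0.5", 25, "RST"),
    ActiveProbe("10.0.0.5", 22, "SYN-ACK"),
    ActiveProbe("10.0.0.7", 80, "SYN-ACK"),
    ActiveProbe("10.0.0.9", 443, "RST"),
]
FLOWS = [
    PassiveFlow("10.0.0.5", 25, "10.0.0.20", 51000, "ACK"),
    PassiveFlow("10.0.0.7", 80, "10.0.0.21", 52000, "SYN-ACK"),
    PassiveFlow("10.0.0.9", 55000, "10.0.0.30", 443, "ACK"),
    PassiveFlow("10.0.0.9", 443, "10.0.0.31", 53000, "RST"),
]

if __name__ == "__main__":
    service_map = build_service_map(PROBES, FLOWS)
    for host, ports in service_map.items():
        print(host, ports)
    print("missed by active scan alone:", passive_only_services(service_map))
```

Run stand-alone, the script lists 10.0.0.5 with SSH seen actively and SMTP seen only passively, 10.0.0.7 with HTTP confirmed by both techniques, and leaves 10.0.0.9 out because client-side traffic and refusals are not service evidence. The `passive_only_services` list is the part worth reviewing in an inventory: those are the ports a firewall-only or probe-only view would have reported as closed.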

They say:  Savvy users can circumvent quarantine by setting static ARP cache entries.


What Mirage FUD is complete without some ARP related FUD?  I've written about all of this before here.

They say:  Provides no integration with third party devices (IDS/IPS, VA, etc.)


We've a third-generation API available and documented, as well as any number of vendor-to-vendor partnerships, including IPS, SIEM, VA, DHCP and more.

They say:  Sensor appliances need to see all endpoint traffic using port mirror or "SPAN" port function on a switch.


More like "is capable of receiving all endpoint traffic."  Every Mirage sensor can take a mirror feed, but no Mirage sensor must take a mirror feed.  Further, the communication of endpoint status and behavior through our common security fabric allows a "mixed" deployment, where traffic mirroring is performed at ingress/egress points rather than at every appliance.  This allows us to make behavioral decisions based on traffic from the endpoint headed to, say, the public Internet or the corporate WAN, while avoiding the economies-of-scale hit that would come from a requirement of mirroring at every deployed sensor.  Somewhere north of 90% of our deployments fit this mixed model.

Mark Wahlberg Talks to Animals [Random Thoughts from Joel's World]

Posted: 21 Oct 2008 03:43 PM CDT

This has been cracking me up for like the past 3 days. I love it.

Of course it has a sequel as well:


Fear and Loathing in Enterprise Security [eIQviews]

Posted: 21 Oct 2008 09:44 AM CDT

It's October 21, 2008, and we've just been through two of the most turbulent weeks in the history of global financial markets. While perhaps, to borrow from Mark Twain, rumors of the death of capitalism are greatly exaggerated, it's clear that there's no overstating the increase in security attacks that goes hand-in-hand with turbulent times. As IT news outlet CNET recently posted regarding an article in today's upcoming McAfee Security Journal, fraudsters are taking the opportunity to exploit fear by ratcheting up not only the quantity of attacks but also the number of attack vectors. Veiled in a broad range of scams – fake news stories with shocking headlines ("Dow Drops 2,000 points! Click here for details!"), valueless stocks ("make back the money you lost last week! Buy OTCBB.BADSTCK today!!"), and even targeting industry leaders (Steve Jobs did not collapse from a heart attack last week, thank you very much) – unscrupulous people are continuing to use a broad array of techniques to exploit fear.

Traditional spamming and phishing techniques are being augmented by both technical methods (typosquatting, trojaning, baiting) and social engineering methods (pretexting, quid pro quo) to create a powerful set of tools established for the purpose of getting access to confidential information. When major events occur like the current financial crisis, it's just not rational to assume that employees will abide by, for example, acceptable system use policies, and won't attempt to catch up on news, check their bank account, or try to transfer their 401(k) to less volatile instruments – all of which can expose them to any and all of these techniques. While information security can partially enforce good user behavior, there is no technology in the world that will prevent a person from divulging their social security number, their username or password, or non-public details about their company.

What does all this mean for the enterprise security professional? It means that, more than ever, security tools, technologies and platforms are not enough to protect your environment, your users, and your organization. Anti-malware, proxies, and other technologies are definitely vital to your environment, but addressing the human factor is just as important as implementing the right technology; to that end, employee awareness of information security threats is a critical countermeasure to protecting your people, processes, and technologies. It's critical to ensure all your people – employees, contractors, vendors, and suppliers – understand not only that a policy is in place ("do not divulge private company information to anyone outside the organization"), but more importantly, why it is in place; knowing both the consequences and sanctions of treating information securely will augment your security technologies and help ensure that your people become a critical part of your security program.

Posted in Compliance, Uncategorized   Tagged: awareness, enterprise security, human factors, training   

links for 2008-10-20 [Srcasm]

Posted: 21 Oct 2008 12:03 AM CDT

Extended Validation SSL and increased ATV [Tim Callan's SSL Blog]

Posted: 20 Oct 2008 04:38 PM CDT

Regular readers of The SSL Blog will be familiar with the wealth of research indicating that the presence of a green address bar on a Web site causes an increase in transactions among visitors who see them. With over 60% of site visitors on EV-aware browsers today it's straightforward to calculate the expected impact of those green address bars on your KPIs, assuming that average transaction value (ATV) remains the same.

Assuming that ATV remains the same.

But can we make that assumption? There is research indicating that ATV goes up among those who see green address bars. I refer to two particular studies. The first is research conducted on its own customer base by a pure-play online drug store servicing the Canadian market. The company compared abandonment between visitors with EV-aware and older browsers and saw that the number of tickets sold increased by 27% when customers saw green address bars over when they did not. Okay, that jibes with what many other businesses have seen. The company looked into another interesting question as well, however. It compared the average ticket size between the two groups and found that the EV purchasers had tickets that were an astounding 30% higher on the average, in addition to the 27% increase in transactions completed.

Layer the two on top of each other, and you get an actual contribution to the business of 65% (1.27 x 1.3). A visitor who comes in with an EV-compatible browser (an expected three out of five visitors) is worth on the average 65% more in sales than that same visitor would be if the EV SSL Certificate were not in place.

The second piece of research investigates this behavior more closely. In June 2007 Carnegie Mellon researchers Janice Tsai, Serge Egelman, et al. published the results of their research on privacy and price sensitivity. Test subjects were given a budget to make online purchases using their own personal information (e.g. credit card, shipping address), and whatever money out of their budgets they did not spend they got to keep. Subjects were asked to search for products online using a tool that rated the privacy protection of each site the subjects might visit. In other words, the test subjects were making real decisions about their own private information and using their own money.

Test subjects did not simply go for the lowest price product. They were willing to spend a higher amount on the sites with good privacy protection ratings than they were on the sites with low ratings. That makes sense. The test subjects essentially were paying a relatively small amount of money as insurance against something bad happening with their private information.

It's tempting to attribute this same explanation to the finding, and I do believe it's relevant, but we need to modify our thinking a little. The Carnegie Mellon research saw an increase in average selling price (ASP) when visible privacy assurance was in place. Subjects were willing to pay more for the same item because they felt safe. The research saw an increase in average ticket value (ATV) when visible privacy assurance was in place. Subjects still paid the same amount for their products - ASP was the same - but in this case they bought more or higher priced items.

So what else is going on here? I hypothesize that we're seeing the effect of the fact that not all online sales tickets are the same. Not all shopping carts are equally full. Some people go to the site to purchase only one relatively inexpensive item. Others go there to buy lots of items or items that cost a lot more money. I can't put my finger on it at the moment (I'll look around and try to find it), but I have seen research in the past indicating that shoppers perceive their personal risk to be higher with online credit card purchases when the price is higher. Your average online shopper believes she's at more risk when making a $1000 credit card purchase than a $10 credit card purchase. This perception in many ways is invalid in that both the risk and consequence of credit card theft are identical for purchases of all sizes. Nonetheless, people are more skittish when they have a large ticket.

I suspect that's what's going on with the online drug store. The average propensity to abandon a transaction increases with ticket size. So people with fuller baskets in the aggregate are abandoning more carts than those with emptier baskets. Now the site does something to display its premium security and increase customer confidence, and as a result users abandon at lower rates. Since abandonment is higher among the high-ticket carts, more of those customers finish their transactions, and ATV goes up.

Speed — It’s not always the best. [Srcasm]

Posted: 20 Oct 2008 02:15 PM CDT

I chose my new design for the site and I’m very happy with it.  It took a bit of poking, prodding and modifications, but it now looks fine in IE, Firefox and Safari/Chrome, and I owe all the thanks to you, the readers.  I’m constantly amazed at how quickly the internet moves — and they’re quality movements.  Within only a few minutes of posting to my blog and sending out a tweet on Twitter, I got response after response after response.  I didn’t need to put together a grand ol’ survey and get a legal department involved in what I can and can’t ask you.  I simply put my thoughts down to virtual pen and paper and voila, a masterpiece (or at least a new blog design) was chosen in mere minutes.

Today we’ve got some of the fastest communication methods available to us.  One-to-one conversations via cell phone or IM are great for individual conversations, and one-to-many conversations can be held on message boards and FriendFeed to share with the world.  I think it’s great that we can communicate at the speed of light, but there is a loss of privacy that comes with the advantage of speed.  That’s why there are companies today that are providing new methods of communicating that also cover privacy and security.

Sites like OtherInbox let you stay anonymous (and cut down on spam) behind the mask you call an email address and tools like PGP allow for encrypted communications between parties that need to keep their secrets, secret.  One of the largest challenges that all of these services will have to overcome is speed.  It takes a bit of setup to get PGP running properly and for OtherInbox, you need to go through all of your accounts and change your email address to an OtherInbox address.  These are barriers to entry that these organizations and others are successfully breaking through.  OtherInbox is working on a way to change your email addresses automatically and companies like Passpack are taking public-private keys and making the process of sending secure messages simple.

All of these organizations have a lot of work ahead of them but they’re all well on their way to making security just as important as speed.
