Martin and Rich are joined tonight by our new co-host, Joseph Sokoly, formerly of the Southern Fried Security podcast. Martin leads off the night with a short story about his kids, in which he once again demonstrates his inability to remember the proper names for people and things (it’s Elevation of Privilege by Adam Shostack, not ‘escalation’). We talk about the most recent round of breach disclosures as well as a brief foray into PCI. But we do keep it mercifully brief. Welcome again to Mr. Sokoly, it’ll be nice to have someone a bit more reasonable on the show.
Network Security Podcast, Episode 235, March 29, 2011
I always enjoy getting a chance to talk with folks like Gene Kim, Josh Corman and Mike Dahn. We’ve talked about the nature of compliance together many times and I like that all of us have evolving opinions of how compliance influences the world. We got the gang back together in front of a video camera to talk again about PCI and some of the things that have changed in the last six months. Gene and I tell the story of how Mike and Josh started arguing last year and what we did to make them realize they were both saying much the same thing in different ways. Rob Westervelt from SearchSecurity.com led Gene and me through the second part of the discussion, which was actually filmed before the first part of the discussion. Don’t ask me how that works out, I think it’s one of those Hollywood effects things.
RSA Conference 2011: PCI Compliance: Debating the benefits, unintended consequences Part 2, Gene Kim and Martin McKeay
RSA Conference 2011: PCI Compliance: Debating the benefits, unintended consequences Part 1 Mike Dahn and Josh Corman
Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach. Actually, he was on more to talk about the industry’s reaction to the breach than the breach itself. The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he’s actually talked to folks at RSA. Which means we know just a little more than nothing, which is not a significant improvement.
Another reason Josh wanted to join us was to talk about one of Rich’s recent articles, called Table Stakes. We clarify what Rich meant in the original post as well as talking about some of the more touchy-feely aspects of the industry. Except Zach, who doesn’t do touchy-feely so much. And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they’re always imitating us. They even have their own Bizarro Zack, @jsokoly.
Network Security Podcast, Episode 234, March 22, 2011
This group of pieces on the recent RSA breach is only the tip of the iceberg, but most of what you’ll read on the story is purely suppositional. In other words, a lot of educated people are playing a game of “let’s pretend” and blogging about it. No one who’s writing knows much about the details; almost everything that’s out so far is guesswork about what might have happened to RSA. And while there’s some value to running through possible scenarios, it’s probably not worth the screen time the story has been getting until we know something concrete.
So here are three stories on the RSA APT. The first is just the initial facts as they were known late last week, in a story from the Boston Herald. The second is an analytical brief from NSS Labs, included as an example of some of the conjecture people are making based on what is known. NSS Labs is known for having some good folks and this report is far from the most outrageous speculation that’s been made so far, but it’s also going to require a lot more information before we can really make a claim like “a string of breaches stemming from this event.” Dave Shackleford does a very good job of dissecting just how little we know so far in this story and why the ‘A’ in APT is a misnomer.
And finally a story that may or may not have anything to do with what’s happening to RSA, Google is accusing China of messing with their stuff. It’s kind of hard to trust your servers when you’re sending them to another country that has no compunctions about using any means necessary to ‘protect their citizens’.
Update: And moments after I posted this @N0b0d4 posted a very good post by Steve Gibson dissecting the potential risks of this compromise for people using RSA SecurID tokens. I’m not usually one of Steve’s biggest fans, but he’s taken apart the issues pretty well this time.
PCI has become a way of life, not just for me personally, but for nearly every merchant out there who makes a serious number of transactions using credit cards. What was just a murmur on the wind for most folks five years ago has become part of the drumbeat of their every waking hour. The evolution from something just the largest companies have to deal with to something nearly every merchant has to deal with has been painful for many, and will probably continue to be so for quite some time. All because PCI has become the dominant standard in security for anyone dealing with credit cards. And since most businesses deal with credit cards on some level, it’s become the de facto standard for the majority of the security industry.
Branden Williams wrote a post that took me back to some of the early arguments I had with Josh Corman, very polarized ‘discussions’ of how PCI was the answer to a lot of security issues vs. PCI was deforming the security market in potentially harmful ways. I’ve always been of the opinion that PCI is a good lever for getting money to implement projects most security teams should have in place. Josh states that PCI has been starving other technologies that could go beyond the simple requirements involved in the standard, which is where his infamous “No Child Left Behind of Security” comes from. Josh and I have since modified both our positions: I have admitted that there are some technologies that PCI ignores that could meet security concerns, while Josh has conceded that some of the technologies that PCI requires are something nearly every business needs in some form.
I shouldn’t be surprised that there are still a number of merchants out there still in denial about what’s required of them by PCI and their acquiring banks, but I still am a little. Many businesses have been able to ignore PCI or pay lip service to it so far, but as the card brands push compliance (and the risk, incidentally) farther down into the merchant community, that’s going to be harder and harder. If you’re a single merchant or service provider, no matter how large or small, you’re going to eventually have to concede that compliance is the irresistible force and you’re not an immovable object. The only real ways to effect change on the PCI standards are going to be to work with them for now, work within the PCI Council and Special Interest Groups and potentially look for a better standard to be created. Another alternative is to work with state and federal government to effect change, but I can’t imagine how that could improve the situation.
One last point from Branden’s post to consider is the use of compensating controls; I’ve worked with more than a few merchants who, for real, technical reasons, were unable to meet the requirements, as have most experienced QSAs. Don’t be afraid to use them, if you’re meeting and exceeding the requirement in question. It’s not a blemish on your Report of Compliance to have a Compensating Control Worksheet, especially if it is well written.
Rich and Zach are on the road this week, so Martin was left alone for this week’s podcast. Luckily there was already an interview with Larry Ponemon, from the Ponemon Institute, about the report “The True Cost of Compliance”, which was sponsored by Tripwire. Unluckily, I (that is, Martin) over-engineered the interview in order to pull out some annoying sounds, which leaves the interview sounding a little muddy. The content is still good, which is what really matters in any case. I tried to ask a number of questions that were supplied by folks on Twitter, which I mostly succeeded at.
We’re traveling a lot right now, so the podcast may be spotty for the next couple of months. We’ll figure out how to make the transition to some new schedules, never fear.
The True Cost of Compliance
Tonight’s Music: Brown by Children of a New Jazz Era
Network Security Podcast, Episode 232, March 1, 2011