Archive for the 'Simple Security' Category

Jun 08 2011

Fundamental flaw in thinking: We’re responsible

Published under General, Simple Security

Over the last few months I’ve come to the conclusion that we’re doing security wrong.  Not the day to day details, though we’ve gotten a lot of that wrong as well.  I mean we’ve gotten the big picture issues wrong; we’ve made a number of false assumptions about how we should be protecting our enterprises.  We’re building the very concepts we rely upon to develop products, services and systems on shaky ground.  If you don’t agree, just look around at the ease with which hackers are tearing through the defenses of even the largest merchants (Sony) and you have to admit that something isn’t working like it should be.  You can blame businesses for not giving us the resources we need, you can blame a shortage of decent security professionals, or you can do some self-examination and realize that maybe security best practices and compliance efforts just aren’t working.

When I say we’re doing it wrong, I’m thinking at a more basic level than some of the common fallacies we run into every day.  We all know that ‘firewalls are a security device’ is wrong; they’re just a complex traffic management device and in most cases don’t do much more than filter traffic at the grossest level.  And that’s assuming they’ve been set up correctly, which too many aren’t.  When was the last time you saw good egress rules?  Or take the fact that a number of studies have shown that antivirus commonly doesn’t catch more than 70% of all viruses, and that number is falling.  These are both assumptions that executives and non-security professionals make, but most of us in the community know that firewalls and AV are just things we put in because the business has come to think of them as the expected minimums.

But the flaws I’m looking for go deeper than the fallacies of firewall and antivirus effectiveness.  I’m not looking for the nuts and bolts assumptions that we make to work on a day in and day out basis.  I’m trying to examine the deeper assumptions, the ones that we’ve built our entire philosophy of security upon.  In a different context we may call this our morality or religion, which might not be a horrible comparison.  I’m looking to see what are some of the most basic truths we’ve decided for ourselves and what are the errors we’ve made because we’ve built these up from lessons taught to us by others.  Were these assumptions once valid?  Did they once have a grain of truth, or were they merely the most basic and easy rules to put in place because they hadn’t been tested before?  And just as with religious or moral beliefs, too few of us ever take them out of the back of our mind to re-examine the assumptions and see if they still hold up as well in our adulthood as they did in our childhood.  The security assumptions that might have served you well when you were an IDS or firewall administrator may not translate well to a later point in your career, and in fact may cause damage to your reputation.

It’s never easy to change the core of your belief system.  I only know a few people who consciously make a habit of doing it on an annual basis and even fewer who live their lives in a constant state of re-examination.  It’s a powerful tool to be able to look at your worldview, understand that you’ve made some mistakes and adjust to the new realities of how that affects the way you interact with the world.  But it’s painful sometimes, and the change can be difficult.

So enough of the philosophical BS, what are the fundamental flaws in security reasoning that I’ve identified?  I’ll be honest, there’s only one I’ve identified and mulled over to the point that I’m ready to share.  We, security professionals, have taken it upon ourselves to be responsible for all risk in the corporate environment.  We started by placing the firewalls around the outside of the network, and as more and more complexity was added into the IT infrastructure, we took more and more of the risk into our philosophy, without really stopping to consider if we are the ones who are responsible for the vulnerabilities and misconfigurations that spawn much of the risk in our environments.  We’ve only rarely been given, or fought for, the authority to make changes in the products and systems that introduce risk; we are all too often nothing more than a speed bump in the corporate culture and a scapegoat for compromises when they happen.  “Why didn’t you protect us?  It’s your fault this happened!”  But if we had little or no ability to change the underlying systems that led to the compromise, why are we considered responsible?  Responsibility without the authority to effect change is the surest route to being a scapegoat in the best of situations.

So why have we accepted this risk responsibility without having any authority?  Because that’s how most of us have been taught to do security.  It’s not only our duty to identify risks and explain them to the business, it’s our duty as security professionals to shoulder that risk and do what needs to be done.  Despite the fact that we can’t change the underlying problems that introduce the risk.  Despite the fact that all too often we don’t have the manpower to deal with the problems we already have.  Despite the fact that we’re not given the budget we need to reduce the risks that existed in the enterprise before some new project introduced even more risk into our overstressed environment.

So if we’re not responsible for the risk in the enterprise, who is?  In a perfect world, the people who introduce the risks should also be the ones responsible for them.  Is the marketing department requiring a new feature on the company web site that also opens up the corporation to a partner?  Then they should be the ones whose finances bear the burden of paying for the additional monitoring costs.  The development department is doing the programming for the corporate web site, so why is the security department being held responsible when a SQL injection attack not only takes down the site but also discloses a million customer records?  If a proper SDLC had been implemented, if tools for testing the software had been used, if internal training had taken place, the SQL injection should never have happened.  Yes, we can be responsible for adding a layer of protection beyond that, but it’s the development team that should be taking the responsibility, since they’re the team that actually had the authority to make changes and prevent the risk from being placed in the environment in the first place.  We need to stop being the sin eaters of the corporate world, absolving all other departments of their responsibility for the risk to the corporation they introduce on a daily basis.  We need to push back and put the onus of dealing with risks and vulnerabilities on the shoulders of the people who are closest to the problem.

The fundamental flaw in security thinking is that we can effectively combat the risk for the entire company.  We can’t.  We have to advise and point out where new or existing risks are, but it’s impossible for the security team within an organization to deal with every single potential vulnerability, and we shouldn’t even be trying.  We need to make a change to the way we think about security and start pushing that responsibility back on the people who can actually effect change.  It’s amazing how many requirements turn into ‘nice to have’ or ‘we don’t really need that’ when the department asking has to shoulder the responsibility.

There’s no quick fix; I think this is something that needs to be a ‘generational’ change in security.  One of the first things that was brought up when I floated this idea amongst my peers is that we can’t just barge into the corporation and force a new way of thinking on it.  And that’s true, we will never be able to make an overnight change to the way other business units perceive us and we can’t be militant in pushing other parts of the organization to take responsibility for their actions.  It will be an unpopular path to take, since no one wants to take back responsibility once it’s been offloaded.  But it’s imperative we start down this path, because this isn’t a problem that’s going to go away, and as more and more compromises happen, we’re only going to be blamed more for issues we had no authority to change.  We have to change the way we approach risk in the enterprise and slowly educate our businesses about where the responsibility for risk really sits.

There are a number of people who I think are already aware of this fundamental flaw in security thinking.  Andy Ellis over at Akamai, Rafal Los at HP and a number of senior security professionals understand that we can’t take the responsibility for all risk and are pushing it back to the proper departments.  This isn’t to say they’re blocking progress, but that they’re telling the departments, “If this is what you need, we will show you the risks involved.  But you will sign off on those risks and accept that if something goes wrong, it’s not the security department who will take the blame.”  Rafal gave a great talk on this recently at BSides Detroit, and my conversations with him subsequently were a large part of the impetus for this post.

Start by changing your own way of thinking about acceptance of risk.  Push back gently at first, but push back.  Even if you’re unable to get a written statement saying that others take responsibility for the risk they’re creating, bring it up in meetings and stop just accepting it for them.  Talk to your legal department, make sure the corporate counsel knows when there’s a risk you think will put the company in danger.  Start cultivating relationships higher in the organization and changing the way other people think about security.  Because as long as we continue to take responsibility for all risk in the corporation, we will be the scapegoats for any compromise and will be unable to be effective.  Not only will we continue to suffer, but the business will continue to be compromised with frightening regularity.

—————-
This marks blog post 2000.  It’s taken 7.5 years.  But it’s been worth it.



18 responses so far

Jun 07 2011

New to Security? Get on Twitter

It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security?  How can I learn more about security?”  More and more, my answer to that is becoming simpler:  Get on Twitter.  (I’m @mckeay, unsurprisingly enough)

Twitter has become the “digital water cooler” for a huge number of security professionals.  I’m not saying all security professionals are on it, nor should they be.  But we long ago reached a point of critical mass where there are regular conversations there that used to only happen in the hallway tracks at conventions.  If you look at some of the organized conversations that several companies have held on Twitter (Symantec comes to mind) you’ll start to understand that they see a value in it.  If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.

And that’s what twitter is about, not the huge sweeping conversation or revelation that happens once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in, day out are thinking.  Don’t expect a single tweet to rock your world and reveal the secrets of the universe.  Instead, look for the threads that explain how many people view security and the inner dialogue that led them there.  Don’t try to read every tweet; dip your toes into a communal stream of consciousness.  Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what twitter has become.

You’re going to have to dredge through a lot of crud to find the jewels in the twitter stream.  I know my own twitter stream is a perfect example of that.  For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about.  But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business.  You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.

Don’t plan on getting involved in twitter, other than very superficially, for the first month or so.  Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are.  Don’t spend a lot of time on twitter, just check in from time to time and add people who sound interesting as time goes by.  If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter.  He updates it almost every Friday.  Soak in the conversations and when you feel the time is right, start responding to people and putting forth your own ideas.

My boss recently started on twitter.  I was a little concerned when he followed me, but I figure anything I say on twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry.  If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen).  But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.  I learn about new stories faster on twitter than I ever did when they were coming to me through my news reader.  Better, I get the benefit of having people whose views I have some understanding of filtering through the stories before I ever read them.

Once you’ve been on twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage.  Don’t force it, but don’t be afraid to contribute either.  Be natural, talk to the people who are out there, and get an understanding of the community.  There will be many voices, like mine, that seem to be nattering away at almost every hour of the day.  There will be voices that only speak up once every week or two.  Both have their value, both are worth listening to.  And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time.  I won’t mind at all… I mean they won’t mind at all.

You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career.  These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community.  Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.

It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe.  Information security as a profession isn’t even 50 years old yet!  Some would say that it’s not even 25 years old as a distinct profession.  And it shows; every day the playing field is changing.  Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it.  Or things may be so bad you can’t trust anything that your computer tells you.  In either case the only constant you can reasonably expect in a career in security is change.  If you can’t live with that, get out now.

Why is this understanding of change important?  Because a lot of people on twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them.  In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be.  Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented.  So don’t take them at face value, challenge these ideas, form your own and come to a new understanding of how security was, how security is and how it should be.  If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who’s going to make the future happen, for better or worse. 

A closing thought: if you’d like a role-model for how to approach the security profession and twitter, ask Joseph Sokoly aka @jsokoly.  Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community; first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010.  Is Joseph smart?  Hell yeah.  But is he so special that that alone makes him stand out in a crowd?  Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average.  Where he has proven to be exceptional is that he’s integrated himself into the community and used twitter as his tool to get it started.  Not too many people will be able to reproduce his efforts, but not many people should try.

Twitter is an echo chamber.  Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community.  But do understand that it’s a powerful tool in learning what it means to be a security professional and it’s a valuable tool for getting to know people.  That involvement may be what gets you your first job as a security professional.  Or it might just teach you a new way of thinking about security.  And it’s always possible that I’m completely wrong and twitter may be a complete waste of time for you.  But it is worth looking into.


9 responses so far

Jun 07 2011

Network Security Podcast, Episode 243

Published under General, Podcast, Simple Security

We blame Rafal Los for this week’s podcast.  He was looking for someone to host a discussion on which is easier to learn, the business side of the business or the security side of the business.  And he had a cast of characters he wanted to discuss it with.  Being a well-known sucker for these sorts of conversations, Martin volunteered to moderate and help move the conversation along.  Except what started as a single discussion may mutate into an ongoing conversation.  No, none of us are so passionate about what we do that we’d give up sleep in order to do it, are we?

Joking aside, this is a good discussion of how we view the disconnect between the security within a corporation and the business needs of a corporation.  As with many of these conversations, we all agree it’s a problem, but we don’t come to a concrete conclusion about how we can bridge the gap.  As long as we get more people to think about it though, that’s enough for now.  Look for the discussion under the hashtag #SecBiz on twitter.

Network Security Podcast, Episode 243, June 7, 2011
Time:  1:05:55

Show Notes:


No responses yet

Jan 19 2011

2011 Social Security Awards

I am so behind on my blogging it’s not funny.  I was supposed to say something about the 2011 Social Security Awards a couple of weeks ago, but between running around the country and writing long, boring reports on PCI compliance, something had to fall off the to-do list, and blogging was it.  Which is why it’s a little ironic to break the silence with a post honoring some of the best writers in our business.  After which I’ll probably be going back to radio silence as I try to create a small bubble of calm in my work schedule that will allow me to attend the RSA Conference with minimal interference.  Or at least that’s the theory.

This is the third annual Social Security Blogger Awards, and once again the committee putting it together, led by the incomparable Alan Shimel, has worked hard to improve both the process for deciding the categories and the process for voting.  There were a number of categorizations in last year’s awards that had many of us laughing and shaking our heads in confusion, but by that time it was too late to make changes.  So this year Alan and his team of judges, who are all professional writers who cover the security field, revamped the categories, and I think everyone involved will agree that they’ve done a great job of it.  The judges picked the cream of the blogs and podcasts from all the great people we have writing; now it’s up to you to decide who the real winners are.

As always, I look forward to the night of the Security Bloggers Meetup at RSA.  This year, my influence on the whole process has been minimal, and as always, Jennifer Leggio has been shouldering far more than her fair share of the work.  Not to say I haven’t done anything… well, actually, I haven’t.  We’ve been doing this for a number of years now and it’s clear that Jennifer has a handle on everything and if I try to get further involved I’ll slow things down more than help.  Which goes back to my original point that I’m already too busy with the day job to help much.  But the SBM has become the central event of the RSA Conference, at least for me, and the pivot that all my other plans revolve around for the week.  The few hours we take out of an evening to connect and reconnect with the people in our community who distinguish themselves by trying to express the problems and solutions for our industry is worth more than almost anything else that goes on at RSA, at least for me.  People who are passionate about what we do are always exciting to be around.

Who are your favorites for this year’s Social Security Awards?  I especially like the new category “The single best security blog post of the year”.  Not everyone can write regularly, in fact some people may only put out one or two blog posts a month.  But the thought and quality of writing that goes into those infrequent posts is exceptional and deserves to be recognized.  And the folks who continue to put out exceptional content day after day just blow my mind. 

Go now, vote on the Social Security Awards.  Vote for your favorite, vote for the person you think is most deserving or vote in an utterly random fashion, as long as you vote.  While the awards are for bloggers and by bloggers, the reason we write is for the readers and listeners in the real world.  And this is your chance to help recognize the people you think have had the most impact and influence on our community.  Or at least amused you the most.


One response so far

Jan 03 2011

Good morning 2011

Published under Blogging, General, Simple Security

It felt good.  I took the last two weeks of 2011 and took a hiatus from Twitter, I tried to stop reading security stories and I generally just stayed away from my home office and computer whenever I didn’t absolutely need to be working.  I still used the iPad and I couldn’t leave my phones behind, but it really felt good to deprioritize social media and email in favor of spending time with my family over the holidays.  And it felt good to just put a little distance between myself and all the stressors on the Internet and in my inbox. 

I don’t do year end reviews and I don’t do predictions; it’s not that I’m against them, it’s that I feel there are a lot of other people out there who have a better 10K foot view than I do.  Plus I hate looking back the next year and seeing how wrong I was about where everything was going.  That being said, I get the feeling that 2011 will be a year of change; too many people are complaining too loudly about being burnt out.  Too many people are saying ‘what we’re doing isn’t working’.  There were too many high profile incidents for people to ignore and keep on doing what they’ve been doing.  Or at least that’s my hope.

Alex Hutton sent out a tweet about a concept called ‘slow hunches’ not too long ago.  The basic idea is that we all have portions of great ideas floating around in our heads; it’s when these ideas bump against other ideas and we let them mature over time that the real game changers start to develop.  That’s a gross simplification of an entire book, but I hope it gets the message across.  I know I have a number of these partially formed ideas in the back of my head and I know from experience that a number of other people across the industry have similar ideas floating around.  What I don’t know is how we get those ideas together in order to effect change.  Because doing the same ol’, same ol’ isn’t working.

Maybe I’m just optimistic and nothing will change.  But like the idea of slow hunches, there are so many incidents both big and small, happening right now that something has to give.  Rich (Mogull) is often telling me that as long as we can continue to do business within an acceptable level of fraud, nothing is going to change.  And he may be right.  But I hope he’s just more of a pessimist than I am.  And in the bigger picture, I’m sure he is right, since the more things change, the more they stay the same.  But I can still hope that someone amongst our community will come up with a seminal idea this year that will change the way we look at security.  Other than “let’s concentrate on the basics” that is.


No responses yet

Dec 20 2010

There’s nothing wrong with taking pictures

Published under Government, Risk, Simple Security

I travel around the country a lot in my role as an assessor and, being in security, I have an off-again, on-again interest in taking pictures, specifically pictures of some of the odd places I find security cameras and the places they cover.  That and taking pictures of error messages that pop up on various screens and systems that are in public view.  I find it interesting to look at some of the odd places that companies have decided to put a camera and how much of the surrounding area the surveillance catches that people probably don’t have any awareness of.  And in this day and age, I’m almost surprised that no one’s commented on my picture taking and called me a terrorist.  But guess what, people: Photographers are NOT terrorists.  Like most other photographers, I’m following a passion, however little someone else may understand it.  Get over your unfounded paranoia and get back to living your life.  And yes, 99.999% of your paranoia about terrorist plots is unfounded, no matter what the DHS and TSA might want you to think.  And most of the other .001% has some level of validity, but it’ll probably never affect you directly.


No responses yet

Dec 03 2010

Caught on Google Streetview

My friend Adrian Lane, over at Securosis, finds the best toys to play with.  This one, called Spokeo, lets you search on a name and see what sort of personal information is out there about that person.  Like Adrian, I always search on myself first, wanting to see what sort of information is out there about me.  And there’s a lot of it; even someone like myself who wishes they had some privacy leaks a lot of information, even if it’s just in public records.  Luckily I have a father with the same name, so our information is a little mixed up, with a sprinkling of misinformation added in.  If I can’t have privacy, having false information available to search engines is a good second.

The funniest part of looking up myself was finding my house in Streetview, which is offered directly in the Spokeo interface, then turning the camera around to see myself getting out of the car.  The picture’s about two years old, but it still jogged some memories of seeing the Google car drive by.  The picture is blurry and it’d be hard to recognize me from it, but there it is.  Being in a public place (the road), I’m not surprised to be photographed, but it does serve as a reminder of how often we’re being photographed in public, even if we are seldom aware of it.  That is to say, people who don’t live with a mild form of paranoia are seldom aware of it.


No responses yet

Oct 13 2010

The Friendly, Snuggly Security Bear and the Internet

If you’re not already scared of the people who want to listen in to your phones, then this video won’t worry you.


3 responses so far

Sep 18 2010

Logical fallacies in forums

Maybe it’s a little egotistical to reprint something you sent to a forum, but I thought I did a pretty good job pointing out some of the fallacies I see all too often on forum mailing lists.  I doubt that I’ll actually influence the people most guilty of these fallacies, but the people who are borderline may be salvageable.

Good morning dear colleagues,

I wanted to take a moment to make everyone aware of a very useful site I found several years ago that’s helpful when getting involved in argumentation of any sort.  It is the Nizkor Project listing of logical fallacies.  I find it helps me a lot to be able to identify and call out specific logical fallacies, at least to myself, and it helps in forming the response to these logical fallacies.  As is often the case in online forums, the person guilty of the fallacies is either unaware of committing the fallacies in the first place or mistakes these fallacies for honest communication.  In either case, conversations with this sort of individual often devolve into appeals to emotion or ad hominem attacks.  I wanted to take some time this morning to point out a few of the fallacies that seem to be more common on this forum:

http://www.nizkor.org/features/fallacies/

First, the ad hominem attack itself:  http://www.nizkor.org/features/fallacies/ad-hominem.html
This is an attack on the person who’s making the argument rather than the argument itself, aka name calling.  This is also mirrored by the personal attack fallacy (http://www.nizkor.org/features/fallacies/personal-attack.html) where the person claims that any argumentation is a personal attack against them.  This is also related to the appeal to pity, aka ‘They’re picking on me, therefore they must be wrong’ http://www.nizkor.org/features/fallacies/appeal-to-pity.html

The second fallacy I often see is the red herring (http://www.nizkor.org/features/fallacies/red-herring.html).  The answers that are sent to the forum have little or no relation to the question that was asked.  This can be an innocent case of missing the point or it can be an example of purposefully leading the conversation away from the subject that was originally brought up.  If you see “you’re missing the point” in a reply, this is often the fallacy that was committed.

Another common fallacy on this forum is the appeal to authority (http://www.nizkor.org/features/fallacies/appeal-to-authority.html).  We’re all experts of one level or another in this forum, otherwise we should never have been awarded our CISSPs in the first place.  However, we sometimes try to falsely extend our authority in one area to cover areas that are tangential to our areas of expertise in ways that are not appropriate.  Another example of this is citing vague articles or standards as supporting our cause when they really don’t have any direct bearing on the argument.  For example, just because Bruce Schneier is a respected author and cryptographer, he could not by any means be considered an expert on securing an Exchange server.  Another part of this fallacy that’s common is expecting that just because we hold certificates in certain disciplines, we’re actually experts in that discipline.  A doctor who graduated in the bottom 5% of his class still graduated after all.

A final fallacy to think on, not because it’s especially common on the forum, but because it’s especially common in our lives in general, is the appeal to common practice (http://www.nizkor.org/features/fallacies/appeal-to-common-practice.html).  Everyone is doing it, so it can’t be that bad, can it?  This is a fallacy that should be avoided in every aspect of life, not just security.  As parents have been asking their kids for eons, “If every one of your friends jumped off a cliff, would you jump too?”  Everyone has a firewall at the perimeter of their network; does that make a firewall a best practice, or does it just mean that it’s what people are doing because everyone else is doing it?  It may be the best thing to do in your situation, but unless you evaluate it based on your circumstances rather than on what others do, you’ll never know.

I try not to make the mistake of ad hominem attacks; I try to attack a person’s argument whenever possible.  This is not always possible, as the number of fallacies in a response rises and overwhelms any content the response may contain.  Rather than continue down a path of personal attacks and appeals to emotion, I try to bow out of the conversation at that point.  But I’m not perfect.  Next time you send a reply to the list, take a few minutes to check your logic and see if you’re committing any of these common fallacies.  It will help make your point and increase your standing with your colleagues.  Failure to do so can hurt your standing in the community greatly.

Thank you,

Martin


No responses yet

May 24 2010

Will merchants revert to their old ways?

I’m a big fan of tokenization and end to end encryption (E2EE).  Never mind the fact that neither technology is fully developed, nor do we even have a real definition of either.  The fact that both of these technologies have the potential to take credit card information out of the general merchant environment and give the bad guys less reason to attack is enough for me.  It won’t stop attacks against merchants altogether, but it will cut down on the value of breaking in and therefore cut down on the number of attacks, at least in theory.  It will also cut down on merchants’ responsibility for meeting the PCI DSS requirements, since much of the environment that the QSAs have to review will now be out of scope.  But without the threat of PCI (and potential fines/fee increases), will merchants keep up the minimum security safeguards that PCI mandated, or will they revert to their old ways and ignore security for the most part?

One of the big questions that comes up over and over again is how effective PCI is in securing the merchant environment.  And the answer is, no one really knows.  Breach disclosure laws prior to 2003 were non-existent, and even once California passed SB1386 and got the legal ball rolling, breach disclosures have been spotty at best.  Now that some 40 states have some form of breach disclosure law, the information we’re able to gather is much more consistent.  Unfortunately, we have still lost the ability to have any real baseline to measure the success of PCI against, and anyone who says that PCI is or isn’t effective is mostly going on their own anecdotal evidence, not hard data.  Verizon’s Incident Metrics Framework may help in gathering statistics going forward, but we’ve already lost the data needed to measure the effectiveness of PCI.  (Disclaimer:  I work as a QSA for Verizon Business)

As tokenization and E2EE take hold, we’re going to have another chance to see how effective PCI is in securing the merchant environment and whether or not merchants are really going to secure their environment without the threat of PCI hanging over their heads.  There’s almost nothing in PCI that a shop with a good security program shouldn’t be doing in the first place.  Firewall reviews, anti-virus, log monitoring, IDS, etc. are all safeguards mandated by PCI, but they are security measures that any good security shop should be putting in place for their organization by default.  The fact that many organizations couldn’t get the funding for some of these tools until PCI came along is a measure of how hard it is to get budget for security.  And if organizations start losing the funding for these projects because tokenization and E2EE have taken the majority of their systems out of the scope of PCI, we’ll know that PCI was the real driver for the safeguards, not any real concern over security.

PCI is expensive.  Security is expensive.  Not necessarily because the tools are expensive, but because merchants ignored security for years and have had to spend a lot of money and time to implement the tools they should have been running in the first place.  If they can reduce the scope of the systems they have to protect through new technologies and no longer have to be assessed on an annual basis, do you think they’re going to keep paying for the tools that they implemented just for compliance or do you think they’re going to let their IDS and log management tools fall by the wayside?  I know that some of the shops I’ve seen will keep the tools and keep using them properly.  But I think the majority of merchants are going to go back to their old ways and do the bare minimum that their security group can fight to keep.  If your company’s marketing department depends on PCI to make sales, I’d be very afraid of tokenization and end-to-end encryption.


5 responses so far
