The Falcon's View

I've read recently, with much interest, a post by Martin McKeay about how he would redesign the PCI framework, as well as an in-depth summary from InfoLawGroup about the most recent entry into the draft legislation pool on security and breach notification. The more I think about this notion of creating standards and laws that spell out certain requirements, the more I think we've gotten it completely backwards. It actually makes me nervous when a regulation goes into such extensive detail, a la PCI DSS, that it tells organizations exactly what they need to do, as if one could possibly say universally what is most appropriate for every organization in their context with their own unique risk profile.

As further evidence that I think we've approach things from the wrong perspective, consider Seth Godin's recent post, "Resilience and the incredible power of slow change," in which he says:

"Cultural shifts create long terms evolutionary changes. Cultural shifts, changes in habits, technologies that slowly obsolete a product or a system are the ones that change our lives. Watch for shifts in systems and processes and expectations. That's what makes change, not big events."

Continue reading "Approaching the Problem Backwards" »

Please Note: This article is cross-posted from fudsec.com.

I've been reading Richard Clarke's latest book, Cyber War, in an effort to delve deeper into the topic. Maybe it's been all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD.

The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor.

Continue reading "Cyber War and the Value of FUD" »

Our good friends at NSS Labs have released a new report today independently evaluating the effectiveness of Host Intrusion Prevention Services (HIPS) that are integrated into most mainstream security suites. In this go-round, they've evaluated solutions from AVG, ESET, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro. As with previous reports I've reviewed (see AV/malware here and IPS here), this report provides a very thorough look at the capabilities of these product suites.

Continue reading "Endpoint Security HIPS Flayed By NSS Labs" »

I was cleaning out some old boxes of "stuff" from days gone by and ran into a hard copy of a presentation that I delivered as part of the interview process at CERT/SEI in Pittsburgh back in 1998. At the time, I had been very hopeful to get a job at CERT as they were doing security work that I simply wasn't seeing in the private sector (at least, not in the Midwest). Alas, it didn't work out, but I digress...

What jumped out at me about this presentation is that, in 12+ years, nothing has changed! The same arguments I made back then about needing to be proactive with security, working to integrate it into all aspects of the business in order to make it implicit and inherent are still true today. Perhaps the most interesting bullet in those slides for me was one where I asked "why aren't we teaching calculus and computer science in elementary schools?" I don't think my audience grokked the question back then, and I'd be surprised if people would even get it today.

Continue reading "A Stroll Down Amnesia Lane" »

As I'm sitting here in FAIR training this week in Cincinnati, I've been starting to apply rational thought to some of the staid and true "best practices" that have become cornerstones of our industry. To me, password complexity has always been somewhat ridiculous, since given enough time any captured password can be broken. This leads me to wonder, what are the common threats passwords, and how does password complexity help protect against those threats?

Sitting here thinking about it, I think there are three common scenarios against which we're developing controls:
1) Brute-forcing an authentication interface.
2) Brute-forcing a captured password hash.
3) Guessing passwords (not using automated controls).

Continue reading "Password Complexity is Lame" »

"And I've seen it before
And I'll see it again
Yes I've seen it before
Just little bits of history repeating"
(Shirley Bassey, "History Repeating")

Continue reading "Of Antiquities and the Old Guard" »

I recently finished reading the book The Blind Side about the life of NFL star left tackle Michael Oher. It was a very good read, with interesting stories - many of which did not make it into the movie version. What I found perhaps most interesting is the parallels between makes a truly great NFL left tackle, and what makes for a highly effective security program. Three physical characteristics were described in the book as being essential to success: long arms, a solid base, and quick feet. Likewise, an effective security program will also embody these characteristics.

Continue reading "InfoSec Lessons from The Blind Side" »

Dave Navetta of InfoLaw Group posted a review of the "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!

Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are also not foolproof. In fact, worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.

Continue reading "Dear People, Enough With the One-Time Code Tokens" »

I have to admit that I don't have any background in SCADA or Smart Grid, nor have I done any research into the topic. That being said, I'd have to be blind to not notice all the references in infosec these past few years to these systems. Shoot, just in the past couple weeks Siemens SCADA network was having issues with a new 0-day of malware (related to LNK files).

Why are SCADA systems connected to the Internet? I just don't see the upside. At all. It seems like these systems were designed to be closed, and that there's not really any good reason for that status to have been changed. So, what am I missing? 10 years ago the hubris-drenched response from energy companies was that we needn't worry as their systems weren't Internet-connected. Now, it seems, we're at the other extreme, with what seems to be no appreciable improvements to infrastructure security.

Continue reading "What's the deal with SCADA & Smart Grid?" »

Wow, where in the world has July gone? I was just looking at my site and realized that I've not posted anything here all month. Oops! I have a few other posts in the hopper, but for the time being, a quick announcement...

David Navetta and I have been accepted to speak at the 2010 ISSA International Conference. The conference will be held in Atlanta, GA, this year on September 16th. Talk details below...

Continue reading "Speaking at ISSA International Conference" »