Recently in infosec Category

Bruce Schneier would have us believe that security awareness training is pointless. People have inadequate incentive to change, and thus why waste the time, money, or energy? And, to a degree, he is certainly correct. The old-fashioned once-per-year computer-based training modules to which many (if not all) of us have been subjected are, in fact, completely worthless. After all, these training modules are a mere blip on the radar of one's life, with no foundation in reality, and making no meaningless impact on how we conduct our jobs.

However, that is not the state of practice in the industry. Or, more specifically, it's not the leading edge state of practice. Moreover, his comments ignore much that we know about approaches, learning styles, incentives, etc., based on research from the past few years.

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

A theme I've seen surface lately is this notion that "good enough isn't good enough." My response to this is quite simple: if what you're doing isn't commercially reasonable and legally defensible, then your notion of "good enough" is itself flawed. At the end of the day, businesses should be aiming for "good enough" insomuch as that means doing as much as is reasonable and appropriate without wasting resources.

I would submit that anybody who argues against aiming for "good enough" simply doesn't understand how business operates, nor do they truly understand risk management. Infosec is not some zero-sum game where we can magically defeat all threats, eliminate all vulnerabilities, and go home "winners." Rather, it's a journey, not a destination. Every day we have to account for new threats and new vulnerabilities. However, we should not be focusing exclusively or obsessively on them. Instead, we should be focusing on the business and what it values and has of value.

It's that time of year again, but since I like to buck the mainstream, I figured, why do a "predictions" piece when I could just as easily do an observations/trends piece? So... here ya go...

Three Trends for 2013
1. Human Risk
2. Gamification
3. Increased Federal Activity

Context is everything. The headline question is, of course, a troll. Authorization definitely matters, and especially within the context of the Computer Fraud and Abuse Act (CFAA), which is the trigger for this post. A fusillade of question around authorization cropped up last week thanks in large part to a blog post by @ErrataRob in which he states that the CFAA is dangerously vague and indeterminate on this question of authorization. In some ways he was right, but in others it was just misleading... to make matters worse, the coverage through the tech industry has been a touch fatalistic, trending toward uninformed and absurd... so, here goes my contribution! (read that as you will;)

It's Halloween, which not only means costumes, parties, candy, and trick-or-treaters, but also the close of the annual Cybersecurity Awareness Month (among other things to be aware of). So... are you more aware today than you were on October 1st? :)

In preparation for an upcoming talk, I ended up going down the path of reading up on the recent history of technological advances, highlights of malware and attack evolution, the highlights of infosec innovation, and landmark laws and regulations that have impacted infosec and privacy. Yes, that's a mouthful, but it turned out to be very interesting. And, since I bugged people online and on lists to help with input, I figured the least I could do was to summarize my findings as best as possible here.

An article popped-up on HelpNetSecurity earlier today highlighting an interesting, if not contradictory, survey report released by NCSA and Symantec. In the SMB-oriented survey, about 3/4ths of respondents indicated that they felt cybersecurity is "critical to their success," but at the same time about 2/3rds indicated that they "aren't concerned about cyber threats" (either internal or external). Even more perplexing, the vast majority indicated not having formal written policies, yet at the same time the vast majority were satisfied with their cybersecurity posture.

This, my friends, is an interesting paradox. How is it that businesses can, on the one hand, claim to be aware of the importance of cybersecurity practices, and yet, on the other hand, so completely fail to comprehend what practices are necessary and important? To me, there are three likely components to the answer.

You may have heard that Gartner's latest Magic Quadrant for Enterprise GRC (EGRC) was released this month (see a summary here, or go buy a full copy over here). There's been a ton of press releases and media coverage since Gartner's announcement, as well as some interesting responses. However, if you look at the MQ graphic itself, what you'll find is a melange of random tech companies providing solutions in a wide range of areas that may or may not qualify as "EGRC."

According to their summary report, Gartner says that they define EGRC around four (4) key functions: risk management, audit management, compliance and policy management, and regulatory change management. However, as much as this might sound like a coherent set of criteria, their application of this definition is odd and inconsistent. For example, SAP and SAS both show up in the "Leaders" quadrant, yet SAS appears to barely meets these four functions, and certainly not in the comprehensive way you might expect, and SAP is even weaker at meeting these criteria (their "EGRC" solution is just one plugin module in their overall ERP framework). In both cases you would be far more likely to look to these technologies for financial risk management, and not for enterprise risk management. It's rare to encounter either of these products in the GRC RFPs and bake-offs we're seeing every month, and yet they're supposedly "Leaders" in the space? The same can in fact be said for 7 of the 9 products listed in that quadrant; they're simply not seen in routine GRC competitive situations much, if at all.

Michael Rasmussen, who by most accounts invented the "GRC" monicker to describe the market space, has posted a vitriolic rant about this latest Gartner report, highlighting many of the discrepancies that the report and associated research process contain. Of his complaints, I think the most important one is that the report is "a mile wide and an inch deep." In his retort, French Caldwell (co-author of the MQ report) even agrees that this is a shortcoming of the process and marketspace. This is curious to me... if you, as the authoring analyst, realize that you've defined the space too broadly, why would you then move forward with publishing a report at all? It seems to me that EGRC is ripe for re-segmenting, such as around Financial GRC, Legal GRC, etc.

There's a new Java 0-day exploit circulating in the wild, supported by a Metasploit module, among others. In response to this new vulnerability, I received the below email from a security vendor overnight:

I found their email to be a bit alarming, since it suggests what I would consider to be a "nuclear option" approach to the problem. Unfortunately, I find it oddly lacking in reasonable context, risk analysis (which rarely can be universalized, but must rather be performed on a per-entity basis), as well as to be a near-impossible suggestion to implement (not technically, but rationally).