Grey bar Blue bar
Share this:

Thu, 3 Nov 2011

Squinting at Security Drivers and Perspective-based Biases

While doing some thinking on threat modelling I started examining what the usual drivers of security spend and controls are in an organisation. I've spent some time on multiple fronts, security management (been audited, had CIOs push for priorities), security auditing (followed workpapers and audit plans), pentesting (broke in however we could) and security consulting (tried to help people fix stuff) and even dabbled with trying to sell some security hardware. This has given me some insight (or at least an opinion) into how people have tried to justify security budgets, changes, and findings or how I tried to. This is a write up of what I believe these to be (caveat: this is my opinion). This is certainly not universalisable, i.e. it's possible to find unbiased highly experienced people, but they will still have to fight the tendencies their position puts on them. What I'd want you to take away from this is that we need to move away from using these drivers in isolation, and towards more holistic risk management techniques, of which I feel threat modelling is one (although this entry isn't about threat modelling).

Auditors

The tick box monkeys themselves, they provide a useful function, and are so universally legislated and embedded in best practise, that everyone has a few decades of experience being on the giving or receiving end of a financial audit. The priorities audit reports seem to drive are:

  • Vulnerabilities in financial systems. The whole audit hierarchy was created around financial controls, and so sticks close to financial systems when venturing into IT's space. Detailed and complex collusion possibilities will be discussed when approving payments, but the fact that you can reset anyone's password at the helpdesk is sometimes missed, and more advanced attacks like token hijacking are often ignored.
  • Audit house priorities. Audit houses get driven just like anyone else. While I wasn't around for Enron, the reverberations could still be felt years later when I worked at one. What's more, audit houses are increasingly finding revenue coming from consulting gigs and need to keep their smart people happy. This leads to external audit selling "add-ons" like identity management audits (sometimes, they're even incentivised to).
  • Auditor skills. The auditor you get could be an amazing business process auditor but useless when it comes to infosec, but next year it could be the other way around. It's equally possibly with internal audit. Thus, the strengths of the auditor will determine where you get nailed the hardest.
  • The Rotation plan. This year system X, next year system Y. It doesn't mean system X has gotten better, just that they moved on. If you spend your year responding to the audit on system Y and ignore X, you'll miss vital stuff.
  • Known systems. External and internal auditors don't know IT's business in detail. There could be all sorts of critical systems (or pivot points) that are ignored because they weren't in the "flow of financial information" spread sheet.
Vendors Security vendors are the love to hate people in the infosec world. Thinking of them invokes pictures of greasy salesmen phoning your CIO to ask if your security chumps have even thought about network admission control (true story). On the other hand if you've ever been a small team trying to secure a large org, you'll know you can't do it without automation and at some point you'll need to purchase some products. Their marketing and sales people get all over the place and end up driving controls; whether it's “management by in-flight magazine”, an idea punted at a sponsored conference, or the result of a sales meeting.

But security vendors prioritisation of controls are driven by:

  • New Problems. Security products that work eventually get deployed everywhere they're going to be deployed. They continue to bring in income, but the vendor needs a new bright shiny thing they can take to their existing market and sell. Thus, new problems become new scary things that they can use to push product. Think of the Gartner hype curve. Whatever they're selling, be it DLP, NAC, DAM, APT prevention or IPS if your firewall works more like a switch and your passwords are all "P@55w0rd" then you've got other problems to focus on first.
  • Overinflated problems. Some problems really aren't as big as they're made out to be by vendors, but making them look big is a key part of the sell. Even vendors who don't mean to overinflate end up doing it just because they spend all day thinking of ways to justify (even legitimate) purchases.
  • Products as solutions. Installing a product designed to help with a problem isn't the same as fixing the problem, and vendors aren't great at seeing that (some are). Take patch management solutions, there are some really awesome, mature products out there, but if you can't work out where your machines are, how many there are or get creds to them, then you've got a long way to go before that product starts solving the problem it's supposed to.
Pentesters

Every year around Black Hat Vegas/Pwn2Own/AddYourConfHere time a flurry of media reports hit the public and some people go into panic mode. I remember The DNS bug, where all that was needed was for people to apply a patch, but which, due to the publicity around it, garnered a significant amount of interest from people who it usually wouldn't, and probably shouldn't have cared so much. But many pentesters trade on this publicity; and some pentesting companies use this instead of a marketing budget. That's not their only, or primary, motivation, and in the end things get fixed, new techniques shared and the world a better place. The cynical view then is that some of the motivations for vulnerability researchers, and what they end up prioritising are:

  • New Attacks. This is somewhat similar to the vendors optimising for "new problems" but not quite the same. When Errata introduced Hamster at ToorCon ‘07, I heard tales of people swearing at them from the back. I wasn't there, but I imagine some of the calls were because Layer 2 attacks have been around and well known for over a decade now. Many of us ignored FireSheep for the same reason, even if it motivated the biggest moves to SSL yet. But vuln researchers and the scene aren't interested, it needs to be shiny, new and leet . This focus on the new, and the press it drives, has defenders running around trying to fix new problems, when they haven't fixed the old ones.
  • Complex Attacks. Related to the above, a new attack can't be really basic to do well, it needs to involve considerable skill. When Mark Dowd released his highly complex flash attack, he was rightly given much kudos. An XSS attack on the other hand, was initially ignored by many. However, one lead to a wide class of prevalent vulns, while the other requires you to be, well, Mark Dowd. This mean some of the issues that should be obvious, that underpin core infrastructure, but that aren't sexy, don't get looked at.
  • Shiny Attacks. Some attacks are just really well presented and sexy. Barnaby Jack had an ATM spitting out cash and flashing "Jackpot", that's cool, and it gets a room packed full of people to hear his talk. Hopefully it lead to an improvement in security of some of the ATMs he targeted, but the vulns he exploited were the kinds of things big banks had mostly resolved already, and how many people in the audience actually worked in ATM security? I'd be interested to see if the con budget from banks increased the year of his talk, even if they didn't, I suspect many a banker went to his talk instead of one that was maybe talking about a more prevalent or relevant class of vulnerabilities their organisation may experience. Something Thinkst says much better here.
Individual Experience

Unfortunately, as human beings, our decisions are coloured by a bunch of things, which cause us to make decisions either influenced or defined by factors other than the reality we are faced with. A couple of those lead us to prioritising different security motives if decision making rests solely with one person:

  • Past Experience. Human beings develop through learning and consequences. When you were a child and put your hand on a stove hot plate, you got burned and didn't do it again. It's much the same every time you get burned by a security incident, or worse, internal political incident. There's nothing wrong with this, and it's why we value experience; people who've been burned enough times not to let mistakes happen again. However, it does mean time may be spent preventing a past wrong, rather than focusing on the most likely current wrong. For example, one company I worked with insisted on an overly burdensome set of controls to be placed between servers belonging to their security team and the rest of the company network. The reason for this was due to a previous incident years earlier, where one of these servers had been the source of a Slammer outbreak. While that network was never again a source of a virus outbreak, their network still got hit by future outbreaks from normal users, via the VPN, from business partners etc. In this instance, past experience was favoured over a comprehensive approach to the actual problem, not just the symptom.
  • New Systems. Usually, the time when the most budget is available to work on a system is during its initial deployment. This is equally true of security, and the mantra is for security to be built in at the beginning. Justifying a chunk of security work on the mainframe that's been working fine for the last 10 years on the other hand is much harder, and usually needs to hook into an existing project. The result is that it's easier to get security built into new projects than to force an organisation to make significant “security only” changes to existing systems. The result in those that present the vulnerabilities pentesters know and love get less frequently fixed.
  • Individual Motives. We're complex beings with all sorts of drivers and motivations, maybe you want to get home early to spend some time with your kids, maybe you want to impress Bob from Payroll. All sorts of things can lead to a decision that isn't necessarily the right security one. More relevantly however, security tends to operate in a fairly segmented matter, while some aspects are “common wisdom”, others seem rarely discussed. For example, the way the CISO of Car Manufacturer A and the CISO of Car Manufacturer B set up their controls and choose their focus could be completely different, but beyond general industry chit-chat, there will be little detailed discussion of how they're securing integration to their dealership network. They rely on consultants, who've seen both sides for that. Even then, one consultant may think that monitoring is the most important control at the moment, while another could think mobile security is it.
So What?

The result of all of this is that different companies and people push vastly different agendas. To figure out a strategic approach to security in your organisation, you need some objective risk based measurement that will help you secure stuff in an order that mirrors the actual risk to your environment. While it's still a black art, I believe that Threat Modelling helps a lot here, a sufficiently comprehensive methodology that takes into account all of your infrastructure (or at least admits the existence of risk contributed by systems outside of a “most critical” list) and includes valid perspectives from above tries to provide an objective version of reality that isn't as vulnerable to the single biases described above.

Fri, 15 Jul 2011

Security Policies - Go Away

Security policies are necessary, but their focus is to the detriment of more important security tasks. If auditors had looked for trivial SQL injection on a companies front-page as hard as they have checked for security polices, then maybe our industry would be in a better place. I want to make this go away, I want to help you tick the box so you can focus on the real work. If you just want the "tool" skip to the end.

A year and a half ago, SensePost started offering "build it" rather than "break it" consulting services, we wanted to focus on technical, high-quality advisory work. However, by far the most frequently "consulting" request we've seen has been asking for security policies. Either a company approaches us looking for them explicitly or they want them bolted on to other work. The gut feel I've picked up over the years is that if someone is asking you to develop security policies for them, then either they're starting on security at the behest of some external or compliance requirement or they're hoping that this is the first step in an information security program. (Obviously, I can't put everything into the same bucket, but I'm talking generally) Both are rational reasons to want to get your information security policies sorted, but getting outside consultants to spend even a week's worth of time developing them for you, is time that could be better spent in my opinion. My reasons for this are two-fold:

  • If you're starting a security program, then you have a lot to learn and possibly a lot of convincing of senior management to do. Something like an internal penetration test (not that I'm advocating this specifically instead of policy) will give you far more insight into the security of your environment and a lot more "red ink" that can be used to highlight the risk to the "higher ups".
  • Security policies don't "do" anything. They are a representation of management's intention and agreements around security controls, which in the best case, provide a "cover my ass" defense if an employee takes you to task for intercepting their e-mails or something similar. The policies need to be used to derive actual controls, and are not controls in themselves.
Instead, we too often end up in a world where security policies, rather than good security, is the end goal while new technologies keep us amused developing new ones (mobile policies, social media policies, data leakage policies etc.)

Saying all of this is fine, but it doesn't make the auditors stop asking, and it doesn't put a green box or tick in the ISO/PCI/CoBIT/HIPAA/SOX policies checkbox. Previously, I've pointed people at existing policy repositories, where sample policies can be downloaded and modified to suit their need. Sites such as CSOOnline or PacketSource have links to some policies, but by far the most comprehensive source of free security policy templates is SANS. The problem is people seem to look at these, think it looks like work, and move on to a consultancy that's happy to charge for a month's worth of time. Even when you don't, the policies are buried in sub-pages that don't always make sense (for example, why is the Acceptable Use Policy put under "computer security"), even then several of them are only available in PDF form (hence not editable), even though they are explicitly written as modifiable templates. What I did was to go through all of these pages, download the documents, convert them into relevant formats and categorise them into a single view in a spreadsheet with hyperlinks to the documents. I've also included their guidance documents on how to write good sec policies, and ISO 27001-linked policy roadmaps. I haven't modified any of the actual content of the documents, and those retain their original copyright. I'm not trying to claim any credit for others' hard work, merely make the stuff a little more accessible.

You can download the index and documents HERE.

In future, I hope to add more "good" policies (a few of the SANS policies aren't wonderful), and also look into expanding into security standards (ala CIS Security) in the future. If necessary, take this to a consultancy, and ask them to spend some time making these specific to your organisation and way of doing things, but please, if you aren't getting the basics right, don't focus on these. In the meantime, if you're looking for information security policies to go away, so you can get on with the bigger problems organisations, and our industry in general are facing, then this should be a useful tool.

Tue, 2 Mar 2010

So long.. and thanks for everything..

Considering how freely i've ranted on our blog over the past few years i found it incredibly hard to to write this post. SensePost has been my home for the better part of a decade and i have been haroon@sensepost.com much more than i have been haroon meer.

In truly boring last post manner i wanted to quickly say thanks to everyone for making it such a fun ride. From the awesome people who took a chance on us when we were scarily young and foolish, to the guys (and girls) who joined us to help make SP elite. From the many customers who tolerated my sloppy dressing to Secure Data Holdings who have been awesome in every interaction we have ever had with them. From the people who have used our tools, read our work and contributed ideas to the people who read this blog (Hi Mom!).

Seriously.. thanks muchly!

It's been an awesome 10 years and with the quality of guys that remain at SensePost, it's a safe bet that the next 10 are going to be even better..

The question that everyone asks me is "what now?". The short answer still has 2 parts..

  • I'm going to take a vacation.. (a short one, but im hoping to spend a week or 2 re-introducing myself to family members who vaguely recall me..)
  • I'm going to be starting in a new direction, with [thinkst]
I won't go into tremendous detail here on thinkst (for that you will have to read/subscribe to my ramblings on http://blog.thinkst.com) - but the overarching hope is to focus slightly differently..

With Penetration Testing and Research over the past while I've spent a lot of time and energy trying to find new ways to break stuff, and new ways to break into stuff.. (it's been incredibly fun!)

I'm hoping now to be able to aim the same sort of bull-headedness at defending stuff, and at building solutions that give applications and networks a fighting chance.

I'll still pop in occasionally at the SensePost offices (mainly to have the coffee and lose at foosball), and my relationship with Secure Data Holdings also remains intact (Other than our historical relationship, Thinkst is doing some consulting work for SDH, making them our first customer!). Hey.. you might even still find me bending your ear on this blog..

So.. all that remains is to say thanks again.. it's been amazingly fun, incredibly rewarding and "rockingly leet"

Sincerely

/mh

Wed, 17 Feb 2010

SensePost Ten Years Old

After ten fascinating years, during which many people have contributed in so many ways to the place that is SensePost, by strange coincidence it falls on me to pen the words that mark our first decade in existence. To quote Robert Hunter: "What a long strange trip it's been". SensePost was officially founded on February 14, 2000. Of everyone who was involved at that time, I'm the only one still working here, which earns me the dubious honor of 'oldest employee'. Do I get a gold watch? I meant to think much more over the last few weeks and months about how we should celebrate this day, or what I would write in a letter like this, but in the end (business being business) I'm writing this in a rush on a Sunday evening, with another three big things to complete before I allow myself to go to bed. Then again much of our success (in so far as we've been a success) happened in hurry on a Sunday night, so let's not write this little piece off too soon, shall we?

The vision for SensePost developed between myself and Roelof Temmingh late in 1999. To be fair, Roelof was by far the more skilled and experienced at that time, and the notion of a commercial venture rooted in computer hacking as a service was born primarily with him. But I like to think I played a small part in shaping and molding the ideas that formed during the early part of that summer. Certainly I believe it was my epiphany that as long as we waited for others to make the calls, we would never never really be in charge of our own destiny, that finally convinced us to leave our jobs and set out on this new venture. It was the height of the 'dotcom' boom, we knew more about everything than anyone, and we thought we'd be rich before two years were out. Of course it wasn't that simple, but its been a crazy happy journey nevertheless and I don't regret a minute of it.

It wasn't all about money of course. There was also a dream. We saw a small group of people, technical, hard working, passionate about computers and security, and with poor fashion sense. We had wild ideas about a grunge-style internet cafe with drinks named after shell commands, big screens and 70's pop. I also recall some discussions about a scooter with a fax machine mounted on it, but we won't go there. Basically, we had no idea what we were doing. Yup. Roelof and I had passion, idealism, energy, a whole lot of arrogance, and a little bit of skill, but not much more. We were 24 years old, had about US$ 6,000 between us, and probably barely enough collective business acumen to open a cheque account.

Help came from a very unexpected place. As it turned out the managing director of the company we were leaving, an ueber-suite, the boss of our boss, public enemy number one, prime-evil himself, had resigned the company just weeks before we did. His name is Luc de Graeve and instead of calling down the gods of corporate South Africa to punish us for our insolence, he kindly and gently offered us advice and support, which we eventually, suspiciously, accepted. And so was formed a relationship that would culminate with Luc becoming a major shareholder and our managing director for eight years until after we eventually sold to Secure Data in 2008.

In the sidelines at that time, but a secret member of our troupe right from the start, was Chris Erasmus. Chris has joined a team Roelof was starting at our previous company and we promised to invite him in the moment SensePost was on its feet. And so Chris joined us as a shareholder only a few short months after we started. Although Chris was the first of the founders to leave, he played a formative role in establishing our culture, values and identify. His sincere manner and unique stye left an indelible impression on each of us and on the business itself that can still be felt today.

And then there was Jaco. Jaco van Graan had also worked with Roelof, Luc and me, but had left before the rest of us to take a security job at a major ISP. On the side, he and two friends had started an accounting and audit practice called TJC. They planned to specialize in helping small businesses like ours and approached us with a very attractive proposal. Before too long Jaco would join us as 'financial director' and BS 7799 specialist. We wondered at the time whether it wasn't too soon to require a full time financial manager, but the indisputable balance and control we've had in all our financial and commercial matters since that day testify that it was the right call.

Next join our team was Haroon Meer. We met him online while he worked at Durban university and invited him to come visit us at the 'office' we ran out of Roelof's master bedroom. He soon went on to join the directors and eventually become our technical director and in many ways the heart and soul of our business. After I finish writing this post, I have to write some words for his farewell. His contract with Secure Data has expired and he's moving on to his next big adventure. I sincerely wish him well, but already miss him dearly.

The contract I'm referring to with Secure Data is part of the purchase agreement with them. Under that agreement three of the shareholders - myself, Haroon and Jaco - were obliged to stay for a fixed term after the purchase. That period has not yet ended, but Secure Data has allowed for him to break a little early. In this, and many other things, Secure Data has been a good partner to us. The decision to sell the business back in 2008 was a not an easy one and we entered into the deal and subsequent contract period with more than a little trepidation. But Dean and Johan have understood us well and have graciously allowed us to continue being who we are. Thus, I say with confidence, that nothing has changed in our culture or values since joining Secure Data. I suspect this is unusual in such cases, and I'm extremely grateful for it. Indeed, Dean has proven to be wise and insightful leader.

So our tenth birthday also marks the end of our journey with Haroon. Of the original people, only myself and Jaco now remain. I feel I've said goodbye to too many people over the past decade. I hate it. But I've also come to learn that the business is bigger than any individual one of us. Each time somebody leaves I dread it, and each time we somehow survive. Over the years the business has grown from strength to strength and today we boast much more skill, energy and talent than Roelof, Haroon, Chris, Luc, Jaco or I ever had.

Time doesn't allow me to tell the whole SensePost story in detail and I guess there's really not all that much to tell. But there are some players I just have to mention: My deepest love and respect to Roelof - my friend and mentor - and Luc - long our leader and the biggest set of footsteps anyone ever had to follow. @haroonmeer - I've already said how much I'll miss you. Chris - I hope to see you again soon. Kim, Gareth, Lizelle, Christoff, Herman, Jacof, Nithen, George, BradleyW, Craig, Lohan, Frank, James, Glenn - thank you all sharing a part of your journeys with us. And to our customers: I can't mention you by name, but some of you have supported us from the very beginning, and all of you have been gracious, patient, loyal and extremely supportive. Thank you! Without you we would lack any meaning. And I must mention … Black Hat. Ping and Jeff gave us a chance when nobody had to, and opened up the door that would eventually allow us to become a truly global company with customers on all five continents. Thank you Ping and Jeff. My hope is only that we can give people the kind of leg-up that Black Hat gave us.

So how have we done over the last ten years? The other day Haroon - ever our conscience - mentioned Sun CEO Jon Schwartz's memo at the time of the acquisition by Oracle. Haroon was saying how he kept record of the memo to remind himself of the kind of company he wants to work for, so I thought it might offer a good benchmark against which we can judge ourselves…

Schwartz: "Sun's people have always stood apart as the brightest, most passionate, and most inspiring… I've always been surrounded by the best and brightest individuals I've ever come across…"

I certainly don't count myself amongst the best and the brightest, and SensePost is certainly no Sun, but I can say honestly and sincerely, in the words of Schwartz himself: It's "been an honor and privilege, for which I'm enormously thankful".

Schwartz: "[Our] Technology, alongside our employees and partners, have changed the world"

From the beginning, SensePost has had the courage to build and release technologies that make a difference to how we think and work, have made a difference to our industry and ultimately to our customers. And we're still doing it today. Sure, our's is a small galaxy, but I'm proud of the difference we've made in it.

Schwartz: "Amidst the toughest market and customer situations imaginable, I'm proud we've always acted with integrity, with a sense for what's right, and not simply what's expedient."

This is perhaps the part of our makeup of which I'm the most proud. SensePost has always been a values-driven organization and I believe I can say with all truth that we've never compromised on our values. We've been fair and honest in all our dealings with our customers, our staff, our suppliers and even our competitors. I'm proud to say that I can't think of one person in our industry, in South Africa or abroad, that I'd be ashamed to run into.

Much of what's happened over the last ten years has taken me by surprise, so its hard to comment intelligently on what the next ten years will hold. But what I do know is this: At its heart, I believe, SensePost is about learning. Learning and teaching. We believed at the time (arrogantly I suppose) that we knew more than anyone else. Not anyone else in the whole world I mean, but the more than the people and businesses we were dealing with at the time. And our heart… was to teach them.

This spirit of teaching is still at the heart of our business model, and must remain at our own hearts also. Teaching is how we add value to everyone we deal with - our staff, but most especially our customers. Its a generous spirit, for to teach is a fundamentally generous thing. Teaching is not about fame or money, its about sincerely caring for the other and wanting to empower and enable them. The fame and money, if you're lucky, will follow.

To be a good teacher, however, one must first be a student. Thus, as the rate of technological development catapults, and as the world around us becomes ever more complex, we need to learn. We need to hunger for knowledge, insight and understanding and seek it out at every cost. We need to work harder, think deeper, push ourselves at every opportunity. The moment we stop doing this. The moment we start to make assumptions and take things for granted… that will be the moment when we start to fail.

And to end, two more quotes from Schwartz:

"We're known as self-starters, capable of ethically managing through complexity and change, for delivering when called upon, and for inventing and building the future. With the world economy stabilizing, I'm very confident you'll land on your feet. You're a talented, tenacious group, and there's always opportunity for great people."

So, to Jaco's team in finance - thank you for keeping the wheels turning and for reminding us what it is to 'serve' others. To the analysts in our assessment team - thank you for the continuous quality and passion of your work. That's how we roll. To the VMS team and developers, you hold the keys to our future. Keep it up - your moment will soon come. To Shane and Bradley, sales and presales - you are our link to our customers and the rudder that steers our ship. To Dominic in consulting - thanks for joining us at last. To Junaid ... welcome on board. May your full potentials be realized with us. To others that have already left us - thank you for sharing with us - may you have success wherever your paths have taken you.

And finally:

"Thank you, again, for the privilege and honor of working together."

URL for Schwartz's memo to Sun: http://news.cnet.com/8301-1001_3-10440125-92.html