Author Archives: James Jardine

About James Jardine

I am a security consultant and entrepreneur. I started my career as a developer, mostly focusing on .Net development. For the past 10 years, I have been more focused on application security.

Does “Research” Terminology Reduce Adoption Rates?

What is your reaction to this tweet?

In the drive to “do something,” many applaud this as a reasonable step. I think it actually might harm our efforts and slow our progress.

Words matter.

Does the use of the term “research” reduce adoption rates vs. if we used the term QA or QC?

What is wrong with the term security research? Why might QA or QC be a better selling point?

Consider how businesses handle “research” versus quality assurance/control. In most cases, businesses have budget for quality work. They recognize the importance of producing to the level of quality expected in the marketplace.

The role of QA/QC is one of trust. Partnering together to produce a better product. A way to protect the company while growing the bottom line.

Research is a confusing concept. It either harkens back to grade school papers, college projects, or huge corporate investments. And in the corporate world, research is tightly controlled and wrought with failure. The hope is a small amount of success to make up the difference.

Research is about the future. Quality is about the current state.

Confusing the opportunity: security research

Security research is not well understood. Not even within the “research” community – Bug Bounties refer to their testers as “researchers”, “bounty hunters”, etc.Combining two expensive, confusing terms together creates additional barriers and hurdles.

Where does it fall within the budget? Is it a security item, an application item?

Does this make security testing or research bad? No. It highlights the fact that when working with an organization, perception matters.

When you approach an organization regarding security testing and approval, are they more apt to go with something that sounds familiar, they understand the value, and fits their model, or go with an option that is often interchanged with “hacker”, and they really don’t understand the value? You hear all the time how different groups need to speak the language of their consumer. While I am not a fan of the idea of all these different languages, I do think that using terminology that is familiar to the consumer provides a better connection and opportunity.

In this case, you are selling testing services. These are QA/QC services to offset the internal testing they are doing, while adding a specific focus on a limited classification of bugs. Would changing our terminology change the adoption rate?

I would love to hear others opinions on how they think choice of terminology affects adoption rate.

Security Budget: How Much vs. How it is Used

I recently saw an article on Forbes that identified some of the major banks and how much money they will be spending on cybersecurity. We are talking about companies like Wells Fargo, Citibank, J.P. Morgan Chase. We are talking about budgets starting around $250 Million a year for cybersecurity. That is a big budget.

In information security it is common to hear questions about how much a company spends on security. There are random numbers thrown out that 10% of the IT budget, or 10% of the total budget should be reserved for security. We also see, with every breach that happens, people claiming that the company didn’t take security seriously. My initial question when I saw the article was “does this mean these banks take security seriously enough?”

The issue is that it is impossible to determine how that money is used. Great, you are spending $200 million a year, but what are you doing with that money? The number really doesn’t mean anything. It doesn’t help other companies determine how to increase their security. Is the answer just spend more money? No. The answer is spend that money more efficiently.

What I want to see is a break down of how that money is allocated.

How much of it is going to employee resources, hardware, software, monitoring, etc.

How much of that is focused on Firewalls, IDS, IPS, Antivirus and other controls.

Is that money used for training, Static or Dynamic analysis tools, scanning tools, 3rd party engagements?

I want to know what they are doing and what appears to be most effective. This information can then be useful to other companies that are still struggling with increasing their security.

Throwing big numbers around gets the user to be interested, but it is that breakdown of information that is what will help others improve their security.

Don’t stop short and just look at overall budget, or get hung up on just those numbers. Dig deeper into how that money is used. You can get the latest and greatest do all flashy light device for a lot of money, or you can get a little less flashy devices that may actually do a better job and be more cost effective. Lets get more discussion around what is actually working vs. what is not working rather than focusing on the size of your budget.

EMV Chip cards: Overview

When you shop at a store with a credit card it is typically done by swiping your card to conduct the transaction. The swiping action allows the credit card terminal to read your credit card number off of a magnetic strip on the back of the card. The downside to the magnetic strip technology is that it is very easy and cheap for the bad guys to reproduce. A common way for the bad actor to get your credit card number is to use a skimmer, a small device that goes over the normal reading mechanism, to steal the data. Once this is done, they can then create a new card with the same information and then attempt to use it at a store.

What is an EMV Card?
In an effort to reduce card present fraud, cards are making the switch to EMV (Europay, MasterCard, Visa) cards. EMV cards use a smart chip, rather than the magnetic stripe, to provide the information needed to complete the transaction. Unlike the old magnetic cards that you swipe, the EMV cards are “dipped” by inserting the chip side of the card into the card reader. The card stays in the device for a few seconds until the transaction is complete. One of the features of the chip is that it sends a unique token for use with each transaction making it harder for a malicious user to replicate the data, even if it is retrieved.

The EMV cards are also much more costly to create, which adds to the complexity for a theif creating fraudulent cards.

Two Options: Chip + Pin and Chip + Signature
There are two ways that EMV cards are used. The first way is called Chip and Pin. In this scenario, a user has a numeric pin that has to be input when using the card in person. This is very similar to how a debit card works today. The requirement of the pin helps protect the card from being replicated by a bad actor, or used by someone that may have stolen the actual card from you. Of course this can be a tricky scenario when you have multiple credit cards when trying to remember the pin for each card.

The other way is called Chip and Sign. In this scenario, the card owner doesn’t have a pin, but rather is required to sign for the transaction. This is very similar to how most credit cards still work today. This is actually much easier to bypass because you may be forging just a signature, not trying to come up with a pin number.

Reduces Risk for Card Present Transactions
I mentioned earlier, this only adds security to the Card Present scenario. This doesn’t change anything for the Card Not Present (shopping online) scenario. Also, know that it will be a while before we see chip only cards. For the time being the newer cards will have both a chip and the magnetic stripe. This is because it is going to be a while before every vendor makes the switch to EMV. Keeping the magnetic stripe also reduces the security a bit since there will still be a lot of places that won’t upgrade and will still use the magnetic stripe.

For Consumers
The biggest change is that you will use your card by “dipping” it, rather than swiping for in person transactions. The goal is to reduce your card being replicated by a bad actor and having funds racked up on your account. Most credit cards are zero liability so this may or may not be very noticeable to most consumers. Hopefully it will at least cut down some of the card present fraud that happens. Only time will tell.

For Businesses
The liability is changing with the push for EMV cards. If you are not following the recommended approaches, such as requiring EMV vs. the magnetic stripe, you may find yourself liable for any fraudulent charges. Make sure that you are validating the cards and the card holder when accepting credit cards to help reduce your liability. Update to accepting the EMV chip data vs the magnetic stripe.

Final Thoughts
This won’t solve all of the problems, but it is a step in the right direction. The United States is one of the last countries to adopt the chip technology. Many of the credit cards will be chip and sign, but you may get a few that are chip and pin.

Remember, no matter what technologies get added to protect our credit cards, it is still your responsibility to monitor your statements and report any fraudulent charges. it is part of the responsibility of having a credit card.

Versioning the SDLC to Indicate Security Level

I recently saw a tweet that mentioned how trending SecDevOps is becoming. For those that don’t know, that is the “secure” devops, or shall I say devops with security injected. It really got me thinking about not only devops, but also the Software Development Life Cycle (SDLC). We keep saying security can’t be bolted on and that it needs to be built in, yet we keep bolting it on.

For years, we have talked about how the SDLC doesn’t have security built in and how we can create a “secure” SDLC, or the Secure Development Lifecycle (SDL). My concern is that as long as we have an SDLC and a “Secure” SDLC, or a DevOps or “Secure” DevOps, we will always have the insecure implementation. In addition, we are lacking a way to determine what security enhancements are built into “your” SDLC.

So why not version these items? Rather than creating a “Secure” SDLC (or SDL) lets look to create SDLC 2.0. Now this wouldn’t be the end all for a secure SDLC, but it could be used to build a maturity model to help identify what controls are in place. Like BSIMM or OpenSAMM, it creates the opportunity for a maturity model to form. This maturity model not only provides goals for the organization to grow towards, it also makes auditing easier. Imagine going through a PCI audit and instead of answering a bunch of questions on your secure SDLC you can select what version you conform to. We seem to have too many different ways of doing things around application security which makes it more confusing. Development programs know SDLC, so versioning it vs. BSIMM or OpenSAMM may have some better traction. This is just a thought.

The same concepts go for versioning devops, or any other framework we are using. This is not something that could possibly happen overnight, but if properly implemented could be very beneficial. I would be curious if there are any thoughts on this, or if it has even been thought of previously. Is this possible? What would go in each version to help build up to a mature program?

Hacking Cars: Taken Seriously?

Turn on an ad for new vehicles and you are bound to see how connected they are to our lives. Gone are the days when your vehicle is just a stand alone product. Now we are seeing cars that have internet connectivity. We are moving past the simple satellite radio or GPS systems and becoming connected to a lot of data. Security folks have been talking about vehicle security for a while now and a few researchers have been focusing on showing how serious the security of these vehicles is.

Today, a story was released on Wired “Hackers Remotely Kill a Jeep on the Highway – With Me In It” (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/) describing how a Jeep was remotely controlled by a laptop 10 miles away. For the full details, check out the link I just provided. Once the story hit the airwaves, it received lots of attention, both good and bad.

Lets start with the positive side of things that were shown. It is possible to actually show the capability to breach a vehicles systems (remotely) and then control many of the functions. These functions include the radio, wipers, temperature controls, transmission and brakes to name a few. It is a concern that this can be done without authorization. I certainly do not want my vehicle to be taken over while I am driving it making it unsafe for myself or my family. The highlight: Security is important for vehicles with them being more reliant on software and internet connectivity.

Rumor is that there is a patch for the vehicle to fix this issue. The issue we now have to address is how do we efficiently and effectively get these patches to the vehicles. At this point, bringing the vehicle in to a dealership to have the software updated is the only real option.

The negative reception is where it gets interesting. They decided to do this experiment on a highway with other vehicles around traveling at the speed limit (70 MPH). At one point the driver is explaining how he can’t see because the windshield wipers are going with the fluid spraying. At another point, they cut out the transmission and the vehicle slows way down on the highway where there was no breakdown lane. That is a brief and probably insufficient summary, however the point is that a lot of people are upset.

This type of testing in a public place like this puts the other drivers on that highway at risk. This is not much different than the plane hacking bonanza that happened a few months ago (http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/) causing a huge backlash. It is one thing to look for security issues that may help make things safer, but it is critical that the testing of these theories are done in a controlled environment, not putting people at risk. They don’t test vehicle crash ratings on the highway, they do it in a secluded area where safety is a priority.

If you are going to research security issues, no matter what they are, it is critical to think about this type of stuff before you just jump on in. While I understand that this type of stunt hacking is great for advertising an upcoming talk at your local hacker conference, it is not acceptable when directly putting other people at risk. You want to hack a plane? Get an airline to get you into a hangar in a controlled environment. The other option, by a plane to test out yourself. But don’t do it on a plane full of passengers at 30,000 feet. In this case, the researchers went out and acquired the vehicle and researched in their own facilities. The issue arose when they did their testing on a highway and not on a closed course. Security research is walking a fine line and it will require the best foot forward to push it in a positive direction. If all people see is the stunt hacking they will lose sight of the real issue at hand and just see these stunts as reckless. It will have the opposite effect of what the end goal is: to increase security awareness and security of the devices or products.

If you are in the market for a new vehicle, don’t be afraid to ask questions about the security of the vehicles communication systems. The more we dig as consumers the more aware the manufacturers will be. At some point, promoting security as a feature will be critical to beating out the competition ultimately forcing everyone to get on board. Be smart and stay safe.

Ashley Madison site breached

If you are keeping up with the news you have probably already heard about the breach of the adult site known as Ashley Madison.   Here is a link to one of the articles about it: http://money.cnn.com/2015/07/20/technology/ashley-madison-hack/index.html. Like the breach at Adult Friend Finder (http://money.cnn.com/2015/05/22/technology/adult-friendfinder-hacked/) a few months ago, this type of incident is a little different than the usual breach.   This breach is less about identity information (although at the root has a lot to do with it), financial information, or even health information.   The focus of this type of site/service is on secrecy and discreetness.   It is about sharing sensitive information about an individual’s private life.

As we become more content with the Internet and the freedoms it provides us, we often start to overlook the reality that it creates.  Some people think what they do on a computer isn’t real, rather, more of a game.   That the effects are not real.   We have this notion that everything we do is anonymous, leading us to take more risks than we might have otherwise.  Take a moment and think about some things you might have said or done online that you most likely wouldn’t have done in person.  Think about how quickly that can snowball out of control.  

The breach at Ashley Madison should serve as a reminder that what we do may not be as anonymous as we thought.   That the effects of our actions may turn out to have some real life consequences.   Is it possible someone was just curious and meant no harm signing up on the site?  Maybe they got in a fight with their spouse, had a bad day at work, were just bored.   Of course those may not be acceptable excuses for joining a site that promotes adultery, but it could be something that small that led to the initial curiosity.  There are also people just looking for another relationship.  Anyone who has their name released as being a member has the same potential consequences.  You may be publicly criticized, sorry.. that is what society does now.  Your job or career could be effected. Your relationship with your significant other and/or children can be effected.  The list goes on.

We are all still learning the effects our online actions have on us over time. Our parents didn’t have nearly as much technology so many of us are learning on our own. We need to understand that, just like business, we assume a level of risk when acting online.  There is no 100% secure systems.  It doesn’t matter if we are talking online banking, adult sites, social media, or password managers.  There is always some level of risk.  We must learn to calculate that risk and determine if it is worth it.  We are often quick to blindly accept the risk for the quick reward.  Share your contacts for some coins in a game.  Post atrocious comments for a chance to feel like you stood for something.  

Is there a risk to joining an adult site like this?  Of course there is.  For many, that risk is acceptable for their own personal reasons.  Some members may had not really considered the risks, while others may have given great thought to joining.  Either way, the risk is there.   The big question in this situation is regarding what that risk now means to the individuals involved.

The media hypes this up to be devastating.  However if we look back at Adult Friend Finder, after a few days, you stopped hearing much about it.  This doesn’t mean that there were no consequences suffered by users effected by that breach, but it did quiet down a lot.  Maybe it was because of the personal nature that people didn’t want to put it out for everyone to see.  That makes it difficult to judge the real effect that this breach will have.

It will be interesting to see what types of effects this has going forward.  In the meantime, we should ensure that we are thinking about the risks. Be safe everyone.

Adult FriendFinder Hack: ID Theft is NOT the Only Game in Town

When a breach occurs that shares our personal information we immediately think about identity theft and credit card fraud. More recently we are seeing more health information compromised as well, but the Adult FriendFinder breach changes that focus. The hack still revolves around personal information, but with the exception of the username/password, it does not include social security numbers or credit card numbers. Rather, this breach is focused on a persons sexual preferences or desires.

According to the story at CNN and other news sources, username and passwords were retrieved. As with any breach like this, it is recommended to change your passwords on other sites if you are reusing them, and definitely change the password for this site. While that can be devastating if your username/password combo work on other sites, especially financial sites, we are seeing a different concern arise here.

There are a lot of different data privacy or data breach notification laws that have been passed throughout the country. Originally the focus was on identity data, then moved to health data. Even more recently, Illinois is trying to include marketing data as well. In this situation, we have sexual preference data. This isn’t used to steal a persons identity or charge up their credit card accounts. This type of data is used for extortion or reputational harm. In our overly judgmental society, this type of data can destroy your livelihood.

It has already been shown that victims of the breach can be identified and that there are bad guys that are already using this data to start attacking them. How could they attack? The easiest way is by using identified social media accounts to send spear phishing attacks about the situation to them. A user clicks on the link in the email attack and is presented with a malicious file that gives the attacker control over their machine. This is probably the most likely attack because it is easy and efficient.

The second option is to extort those victims. Tell them that you have this information and if you don’t pay a large sum of money, that information will go public. Of course that information pretty much is public, and the organization of that may be more costly to the bad guys making this less attractive.

In either case, they are playing off of the victim’s fears of this information being leaked. Unlike a credit card number or a password, you can’t just change this information once it is made public. You can attempt a cover story of “that isn’t me” or “I just made that up” but recovering becomes a nightmare.

Even worse, besides not using the site, there is nothing you could do to prevent this hack. While they haven’t given details of how the site was hacked, it appears as though it was from the server, and not a user’s computer. Of course, there is a chance that this could be wrong, but if not, a user of the site has very little control over this happening. We rely on a site to protect this type of data because when they don’t, it can create a nightmare for the users of the site.

If you think you were a victim of this breach, be on the look out for phishing emails. Emails that claim to be about this breach asking you to go to a site to change your credentials, or input other information. Go to the site directly and change your password. If extortion occurs I would recommend reaching out to the local authorities for assistance on what to do.

Hacking Airplanes…Lets Think About This

Recent news of airplane security and the did or didn’t someone take control of an airplane during a flight is scattered across the web. There are lots of opinions on whether or not the inflight entertainment systems and the airplane control systems are connected or not. I haven’t tested an airline system, so I can’t say for sure, and it may be different depending on the type of plane. One glaring issue here is we don’t know and there are a lot of people that don’t know either, while acting as if they do know. Is airplane security a concern? Of course it is, what security isn’t a concern? What is the right approach to having it tested?

United Airlines recently announced a bug bounty program. For those that may not know, a bug bounty program is set up by companies to recognize or reward security testers for identifying security bugs in their applications. Some of the big names like Google, FaceBook and Twitter have been doing this for a while now. While not something everyone is prepared for, it can help identify some of the security bugs in your applications, although many of these flaws should be identified internally by developers and QA before release to production. Any average person can participate in most bug bounties, no skills required (we won’t dig into that for this piece).

What seems to be interesting with the United program, at least what we see on Twitter, is that there is some concern that the airplane and in-flight systems are out of scope. This means that while you can test United’s external applications, they are NOT giving permission for anyone to test the airline systems during a flight. Airline security has been propelled into the spotlight recently with stories like GAO: Newer aircraft vulnerable to hacking and Chris Roberts tweeting on a plane about it and then getting questioned by authorities for hours upon arrival.

Does United have it right, by banning hacking on the plane? But what about the children you say? First off, without permission, you shouldn’t be security testing something that isn’t yours. I know there are lots of debate around this topic, but lets just get the permission thing out of the way. I understand, if the systems are not safe, then the issue should be addressed. Many will tell you that the only way to know if it is safe is to have any Joe Blow out there firing away at it. If telling the airline about it doesn’t get them to fix it then doing something a bit more rash is needed “for your safety”. Be prepared, when it comes to public disclosure of flaws that contain working exploits that are not patched “YOU” are the collateral damage.

Lets get real here for just a moment. Lets take a moment to realize that things that happen on computers DO have real consequences. Messing around on a website that exposes sensitive information is bad enough, but to think that allowing anyone to attempt hacking a plane to look for security vulnerabilities at 30,000 feet is a good idea is just ludicrous. You are directly, and immediately putting the lives of everyone on that plane at risk. Maybe you should do a vote to see who is ok with you attempting this. After events such as 9/11, I don’t think you want to announce you are hacking the plane.. you may find yourself duct taped to a chair and bruised up a bit for the remainder of the diverted flight.

In the professional world of security, when we want to test the security of something like this, we seek out the vendor and get a contract that outlines what testing will be done. Obviously this requires the vendor to agree to a contract and the testing. In this scenario, the testing would most likely be done in an airplane in a hangar at the airport, not at 30,000 feet and with no other passengers on board. If you are unable to get the vendor to commit to a contract for testing, then hopefully making people aware of the potential issue and the risks they assume by using that vendor could be enough to force the vendor into it. In our market, people stop using a service, vendor starts listening to people.

In the case of United, and hopefully any other airline that decides to open a bug bounty, I think they are making a good decision in not opening up a bounty on the airline systems. Of course these systems are critical, especially since they keep the plane safe in the air, but we need to make intelligent decisions about how things get tested. This decision by United does not seem to be a method of trying to silence “researchers” about the potential security vulnerabilities in the airplane. This is a move to keep people safe during a flight. We have ways to test, as mentioned earlier with the contract in a controlled environment, we don’t have to do it in the air with other passengers. It is also a smart decision to not open a bug bounty on those systems because with critical systems like this you want to ensure that only trained experts are assessing the system. Someone that can understand the fragility of the environment, the way it works, the things that shouldn’t be done. You start letting John in 34C who just learned what Metasploit is start firing exploits at a system all ad hoc, you are asking for a world of hurt.

If you really want to test the security of an airplane and its flight controls, pony up and buy a plane to do the testing. We see this with the guys that are testing the security of cars. They get funded or pay out of their own pocket to get a vehicle that they can test out the security. Look at some of what they have done, it doesn’t always go as planned. They are not hopping on a city bus and hacking it. They are not hopping on a train and attempting to hack it. They are doing their best to create a controlled environment to test in a safe environment.

Everything has security issues. There will never be a time when we don’t have some security issue still around in a system. We should be glad that due to recent events the airlines have not banned electronic devices on airplanes.. Yet if we keep making decisions to put people at risk with this type of “research” we will probably really learn with “chilling security research” really means.

What Happens When All SSNs are Breached

Visit any news site or social media outlet and you are bound to see news of some new company getting breached. It is a lot of what we talk about these days. Whether it is passwords, credit card information, health information or social security numbers, if it is breached it is headline news. With the exception of those trying to scam the system and get a quick payday, it is getting to the point where most people outside of the information security industry just write it off and don’t give it much thought.

There is a difference between social security numbers or health information that distinguish them from passwords or credit card numbers. They are much harder to replace. Taking a quick look at passwords we can see that it is easy to change them. If my password gets breached, I create a new one. It is usually a simple process that takes very little time. This is especially true if using different passwords for different sites. Credit cards are also fairly simple to replace and come with zero liability. If my card gets breached and there are fraudulent charges I just report them and they are removed. The bank sends me a new credit card and if I am doing regular monitoring of my statements the biggest hassle is changing the credit card that is stored on the different sites.

With social security numbers it is much more difficult to replace them. While they were not meant to be used as identifiers in all of these systems, they unfortunately are. Countless numbers of sites store your social security number increasing the risk to it. Getting a new number can be very difficult, not just the process of getting the new number but also updating everyplace that has it.

What happens if all of the social security numbers get breached? With under 400 million people in the united states how long will it take with all of these breaches for all numbers to have been breached? I know, we could just create all of the numbers that fit the format of xxx-xx-xxxx, but I am talking number with other identifying information. If all of the numbers get breached, what do we do next? Is it still worth spending so much money trying to protect them in our systems? We can’t get people to encrypt them now, will they continue to do it when they are all in the public domain? Do we finally start moving to a new identifier, albeit probably too late? Maybe it is just a money ticket for identity monitoring and credit monitoring companies. Will the duty to protect this information be removed when it is public domain? As we have seen with other breaches, once something is in public domain, no matter how it got there, it is fair game. It raises an interesting situation when a finite set of data is at risk. Do you know what your company is doing to protect this type of information? Better yet, as a consumer, do you have any concern about your SSN being stolen? Chances are very good it is already out there somewhere.

Winning and Infosec: The largest CTF Ever?

You have heard it over and over from the “offensive” side of information security:

“The defense has to be right 100% of the time, but the offense only needs to be right once”

or

“The offense always wins and the defense always loses.”

Naturally, you see a lot of really good professionals that focus on defense take offense to that. No one wants to hear absolutes like this and frankly they don’t make sense in the info sec world. These statements are morale killers and really don’t do much more than one group telling another they are better than them. Here are a few thoughts on the winning in info sec.

What are Your Goals?
As a business, inherently making you the defense, you have a goal to protect certain assets. A majority of the time it is sensitive information such as copyrights, intellectual property, customer data, etc. In the process of protecting this data, the company performs many different tasks to keep that data safe. One may implement technical controls, such as firewalls, IDS/IPS, network segmentation and egress filtering. They may also write great information security policies and procedures. There are different levels of security that can be implemented, and are usually aligned with the risk the company is willing to accept. To determine this risk, a company will analyze their sensitive assets and determine what the cost of protection is versus the cost of loss and evaluate which is right for the company.

If your goal as a company is to protect consumer credit card numbers (yes this is very narrow in scope for example purposes) and a breach occurs that steals name and address, but no credit card numbers, did you “lose?” Even if credit card numbers get stolen, is it still a “win or lose” situation?

If you are breached, but stay in business, continuing to provide services to your customers in a positive way, did you “lose?”

What Defines the Game?
If there are winners and losers then there must be a game right? What is the definition of the game to determine when a winner is crowned? Currently, it appears as though the game starts when you create a presence on the Internet. There are only two ways to end the game: Leave the Internet or get breached (the offenses self proclaimed victory). What happens if you get breached and stay on the Internet? I guess a new game starts. At the most, a breach means that the offense has scored, but lets not get ahead of ourselves.

Lets look at some breaches and see if the breach should constitute a win.

  • Target, sure they lost a lot of credit card data, yet they are still in business and people still shop there.
  • Sony got owned in a major way, but look, still alive and running.
  • Staples, JimmyJohns, even Chick-fil-a all were breached yet all still running their day to day business with what would appear to be very little fallout.
  • T.J. Maxx was huge in the news a few years ago, still going.
  • Many, many more companies just like this and still running strong.

I don’t see any “winning”, by the offense, in the above breaches.. I see scoring. Scoring that usually doesn’t even come close enough to claim a victory.

If we really look at the situation, the defense actually wins 99% of the time. Web applications and networks are under constant attack from the bad guys and we are not seeing every company sitting on a breach list. Yeah, I know that there are probably a lot of companies that are currently breached and just don’t know it. How many attacks are happening that don’t succeed? Unfortunately, we only hear about that one time the attack works and breaches a company. Going back to the Goals idea above, who are you trying to keep out, the script kiddie or the highly skilled, highly paid attacker that is willing to take years learning your company to attack it. I get it, nothing is 100% secure and an attacker with enough motivation can get into anything, but should that thought overpower the so-called game?

Is it a Game?
There is a huge community in security that looks at the Internet as the greatest capture-the-flag (CtF) ever created. With hundreds of millions of connected systems and web sites it is a plethora of fun and probably quite easy to “score.” I liken it to a golf course that has a ridiculous amount of holes for each tee. So much so that hitting the ball with your eyes closes still has a high chance of landing in one of the holes. Although, as in golf, putting the ball into the hole on one green doesn’t constitute a win, it constitutes a score that is later calculated to determine a winner.

Final Thoughts
We need to get away from the idea that “defense sucks” and “offense is so easy and great.” Sure, some companies are not doing as much on the defensive side as they should, but that doesn’t mean they always lose. Even companies that have great security can fall victim to a breach, but that is usually all it is. I have fallen victim to saying I like the offensive side because it is easier. That I can easily find something to ding you on with your app or network. The reality is that not everything identified as a security flaw or risk is a “win” or even something someone should fix. It goes back to the risk acceptance of the company. I bet I could walk around your house and find problems too, but that doesn’t mean I won.. what would I have even been playing. I would also just be distancing myself from you looking like a jerk. We need to do better at bringing our two sides together, working together to have the information needed to make risk acceptance more accurate.