Tag Archives: awareness

Security Budget: How Much vs. How it is Used

I recently saw an article on Forbes that identified some of the major banks and how much money they will be spending on cybersecurity. We are talking about companies like Wells Fargo, Citibank, J.P. Morgan Chase. We are talking about budgets starting around $250 Million a year for cybersecurity. That is a big budget.

In information security it is common to hear questions about how much a company spends on security. Random numbers get thrown out, such as 10% of the IT budget, or 10% of the total budget, should be reserved for security. We also see, with every breach that happens, people claiming that the company didn’t take security seriously. My initial question when I saw the article was “does this mean these banks take security seriously enough?”

The issue is that it is impossible to determine how that money is used. Great, you are spending $200 million a year, but what are you doing with that money? The number really doesn’t mean anything. It doesn’t help other companies determine how to increase their security. Is the answer just spend more money? No. The answer is spend that money more efficiently.

What I want to see is a breakdown of how that money is allocated.

How much of it is going to employee resources, hardware, software, monitoring, etc.?

How much of that is focused on firewalls, IDS, IPS, antivirus and other controls?

Is that money used for training, static or dynamic analysis tools, scanning tools, 3rd party engagements?

I want to know what they are doing and what appears to be most effective. This information can then be useful to other companies that are still struggling with increasing their security.

Throwing big numbers around gets readers interested, but it is the breakdown of that information that will help others improve their security.

Don’t stop short and just look at the overall budget, or get hung up on those numbers. Dig deeper into how that money is used. You can get the latest and greatest do-it-all, flashy-light device for a lot of money, or you can get slightly less flashy devices that may actually do a better job and be more cost effective. Let’s get more discussion around what is actually working vs. what is not working rather than focusing on the size of your budget.

Winning and Infosec: The largest CTF Ever?

You have heard it over and over from the “offensive” side of information security:

“The defense has to be right 100% of the time, but the offense only needs to be right once”

“The offense always wins and the defense always loses.”

Naturally, you see a lot of really good professionals that focus on defense take offense to that. No one wants to hear absolutes like this, and frankly they don’t make sense in the infosec world. These statements are morale killers and really don’t do much more than one group telling another that they are better than them. Here are a few thoughts on winning in infosec.

What are Your Goals?
As a business, inherently making you the defense, you have a goal to protect certain assets. A majority of the time it is sensitive information such as copyrights, intellectual property, customer data, etc. In the process of protecting this data, the company performs many different tasks to keep that data safe. One may implement technical controls, such as firewalls, IDS/IPS, network segmentation and egress filtering. They may also write great information security policies and procedures. There are different levels of security that can be implemented, and are usually aligned with the risk the company is willing to accept. To determine this risk, a company will analyze their sensitive assets and determine what the cost of protection is versus the cost of loss and evaluate which is right for the company.

If your goal as a company is to protect consumer credit card numbers (yes this is very narrow in scope for example purposes) and a breach occurs that steals name and address, but no credit card numbers, did you “lose?” Even if credit card numbers get stolen, is it still a “win or lose” situation?

If you are breached, but stay in business, continuing to provide services to your customers in a positive way, did you “lose?”

What Defines the Game?
If there are winners and losers then there must be a game, right? What is the definition of the game that determines when a winner is crowned? Currently, it appears as though the game starts when you create a presence on the Internet. There are only two ways to end the game: leave the Internet or get breached (the offense’s self-proclaimed victory). What happens if you get breached and stay on the Internet? I guess a new game starts. At the most, a breach means that the offense has scored, but let’s not get ahead of ourselves.

Let’s look at some breaches and see if the breach should constitute a win.

  • Target, sure they lost a lot of credit card data, yet they are still in business and people still shop there.
  • Sony got owned in a major way, but look, still alive and running.
  • Staples, JimmyJohns, even Chick-fil-a all were breached yet all still running their day to day business with what would appear to be very little fallout.
  • T.J. Maxx was huge in the news a few years ago, still going.
  • Many, many more companies just like this and still running strong.

I don’t see any “winning” by the offense in the above breaches. I see scoring. Scoring that usually doesn’t even come close enough to claim a victory.

If we really look at the situation, the defense actually wins 99% of the time. Web applications and networks are under constant attack from the bad guys, and we are not seeing every company sitting on a breach list. Yeah, I know that there are probably a lot of companies that are currently breached and just don’t know it. How many attacks are happening that don’t succeed? Unfortunately, we only hear about the one time the attack works and breaches a company. Going back to the Goals idea above, who are you trying to keep out: the script kiddie, or the highly skilled, highly paid attacker that is willing to take years learning your company in order to attack it? I get it, nothing is 100% secure and an attacker with enough motivation can get into anything, but should that thought overpower the so-called game?

Is it a Game?
There is a huge community in security that looks at the Internet as the greatest capture-the-flag (CTF) ever created. With hundreds of millions of connected systems and web sites it is a plethora of fun and probably quite easy to “score.” I liken it to a golf course that has a ridiculous number of holes for each tee. So many that hitting the ball with your eyes closed still has a high chance of landing in one of the holes. Although, as in golf, putting the ball into the hole on one green doesn’t constitute a win; it constitutes a score that is later tallied to determine a winner.

Final Thoughts
We need to get away from the idea that “defense sucks” and “offense is so easy and great.” Sure, some companies are not doing as much on the defensive side as they should, but that doesn’t mean they always lose. Even companies that have great security can fall victim to a breach, but that is usually all it is. I have fallen victim to saying I like the offensive side because it is easier. That I can easily find something to ding you on with your app or network. The reality is that not everything identified as a security flaw or risk is a “win” or even something someone should fix. It goes back to the risk acceptance of the company. I bet I could walk around your house and find problems too, but that doesn’t mean I won. What would I even have been playing? I would also just be distancing myself from you and looking like a jerk. We need to do better at bringing our two sides together, working together to have the information needed to make risk acceptance more accurate.

Breaches Happen: Call to Action

I loaded up Twitter this morning and was bombarded with even more reports of companies getting breached. The latest on the radar include the likes of JPMorgan Chase and some Dairy Queen locations. I won’t even attempt to guess at the number of breaches that have occurred already this year, but at what point do companies sit down and decide to look at their own network and systems?

I am not talking about reaching out to a company to perform a penetration test, or even a risk audit. I am thinking about looking at your actual systems for any signs of compromise like what we are seeing in all of these breaches. Let’s just assume that everyone is breached; what would you as a company do? You have an incident response plan, right? Disaster recovery is in place? If any of the above don’t sound familiar, you are already late to the game.

If you are a retailer or have any type of POS system, take a moment and check your systems. There is known malware that may just be sitting on there without your knowledge. You have to go looking for this, rather than just waiting on the Feds to let you know that you have a problem.

If you are a franchise, I recommend you look at your policies for franchisees regarding security. Do you have a way to check how they are doing in regards to security? While a breach may occur at an individual location, it is YOUR brand name that will be pasted all over the news. It is debatable whether or not any news is good news, so I don’t recommend poking that bear.

As an industry we try to put so much effort into defending our systems, which will always be needed. However, we also have to focus on the ability to determine if something has successfully gotten through those defenses. Ordering another Penetration Test will just try to help identify where the gaps are, it will most likely not identify that someone has already exploited it.

I know, I know, we are short on cyber security professionals and we just don’t have the manpower. That is no excuse for not properly utilizing the resources that you have. You don’t have to be a cyber security professional to understand networking and computer systems, or to monitor network traffic looking for anomalies. Network admins and analysts should know what normal traffic looks like and what a normal installation looks like. Changes in that information should spark some interest. We can’t just wait for the network to tell us… we have to start thinking about going out and searching for these differences.

We also need to get better at sharing the details of what happened in one breach so the rest of the industry can learn from it. If you are hit by some unknown malware, what are the signs and signatures of it? How did you identify it, so the rest of us can go look? We have so many “researchers” testing sites for things like XSS and SQL Injection; let’s get some of them researching how the malware can be identified and creating tools to help sniff it out, to eradicate it before it affects millions of sites. Crowd sourcing is working great for finding things like XSS, so why not use it to help snuff out bugs quickly?

We need to start digging deep into how we approach security and come up with better ways to protect systems. We need to focus on the ability to identify breaches more quickly. We need to analyze those breaches to get tools available to quickly block the attack methods. Let’s start working together to make a difference.

1.2 Billion Passwords… Password Best Practices Again

There is a lot of talk about the recent discovery of what appears to be about 1.2 billion username and passwords stolen. I haven’t seen the list, so I can’t confirm that, but let’s assume it is accurate. Is this something we should be panicking about?

The first question is how many unique people this actually affects. The chances that it affects 1.2 billion people seem pretty slim. I haven’t seen any statistics generated, but we have to assume that the people connected to the internet have more than one user account. The report says the credentials were pilfered from more than 450,000 sites. Of course that information is not being released, and we don’t need it to protect ourselves.

Practice Good Password Practices

With all the recent breach coverage we can’t help but to continue preaching good password practices. You may ask if it really matters with all the breaches that occur, or what control you really have. It is not like these passwords are stolen from you, the application that stores them is usually the culprit.

As those that create and rely on passwords, we do want to help take care of them as best we can. I can’t control what the developer is doing to protect the password on their end, so I have to assume the worst and do the best I can on my end. At some point, I think we will start to see people actually stop using applications that are not proactively protecting our data, but to do that we need applications that are transparent and show us they are doing things right to gain our business.

Choosing Strong Passwords
We should start off by choosing strong passwords. Unfortunately, a lot of critical applications still don’t support strong enough passwords, but if you can, try to have at least 15 characters in the password. When it comes to password strength it is the length that has the greatest effect. Remember, it is rare that someone is trying to guess Your password, rather they are running software tools to crack large swaths of passwords. I prefer to use pass phrases or sentences to create my password. This makes it easier to remember and more difficult to crack.

Changing Passwords Regularly
Changing your password to critical systems regularly can help keep a stolen password from being useful to malicious users. Many corporate systems require password changes every 45-90 days for end users. You should follow that guideline too for personal applications, especially the ones that deal with financial assets (such as your bank accounts). Let’s hope that a company that has been breached and lost passwords isn’t losing them day after day. We hope it was a one or two time thing. By changing our passwords regularly we increase the chance that the breached data is no longer valid by the time it gets used.

Don’t Reuse Passwords
It is recommended not to use the same password on multiple sites. I understand that this is a pain point because it is difficult to remember that many passwords. Try a password manager, a piece of software that stores all your passwords securely, to help solve that problem. The issue with re-using passwords is that many sites allow you to use the same username, or just your email address, as the user name. Once your data has been stolen from one application, an attacker may try that password on another site where you use those same credentials. This also includes not using similar passwords. Using passwords like Summer2014 and Fall2014 is not a good idea because if these are identified, it is simple to figure out the pattern and guess the next password in line. This is critical if you do change your password regularly and an older password got breached.
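The two sections above (length first, then no reuse or near-reuse of old passwords) describe checks that a site can enforce at password-change time. The following is an added example written for this post, not code from the post itself: it rejects candidates shorter than the 15 characters recommended above and flags passwords that merely rotate a season or year (Summer2014 to Fall2014 or Summer2015). The minimum length, similarity threshold, token-length cutoffs and sample passwords are all assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher

# Policy values assumed for this example (the post recommends at least 15 characters).
MIN_LENGTH = 15
SIMILARITY_THRESHOLD = 0.6   # SequenceMatcher ratio above which two passwords count as the same
MIN_STEM_LEN = 4             # ignore shared short words such as "the" in passphrases
MIN_DIGIT_LEN = 2            # ignore shared single digits


def _tokens(pw: str):
    """Split a lower-cased password into alphabetic and digit runs: 'Summer2014' -> ['summer', '2014']."""
    return re.findall(r"[a-z]+|\d+", pw.lower())


def too_similar(candidate: str, previous: str) -> bool:
    """True when `candidate` is the same as, or a predictable variation of, `previous`."""
    a, b = candidate.lower(), previous.lower()
    if a == b:
        return True
    # Edit-distance style check catches small tweaks such as a changed trailing symbol.
    if SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD:
        return True
    ta, tb = _tokens(a), _tokens(b)
    # Same word stem with a new number: Summer2014 -> Summer2015.
    stems_a = {t for t in ta if t.isalpha() and len(t) >= MIN_STEM_LEN}
    stems_b = {t for t in tb if t.isalpha() and len(t) >= MIN_STEM_LEN}
    if stems_a & stems_b:
        return True
    # Same or incremented number with a new word: Summer2014 -> Fall2014, or 2014 -> 2015.
    nums_a = {int(t) for t in ta if t.isdigit() and len(t) >= MIN_DIGIT_LEN}
    nums_b = {int(t) for t in tb if t.isdigit() and len(t) >= MIN_DIGIT_LEN}
    return any(abs(x - y) <= 1 for x in nums_a for y in nums_b)


def check_password(candidate: str, history) -> list:
    """Return the list of policy violations for `candidate`; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} < {MIN_LENGTH} characters")
    if any(too_similar(candidate, old) for old in history):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the pattern the post warns about, then a long passphrase.
    print(check_password("Fall2014", ["Summer2014"]))
    print(check_password("correct horse battery staple", ["Summer2014"]))
```

A real system stores only password hashes, so it cannot compare a candidate against a plaintext history; in practice this comparison runs against the current password, which the user supplies in the same change request, and the rest of the history is checked by hash equality only.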

2 Factor Authentication
If a site offers 2-factor authentication, enable it. Two factor authentication means that the site will prompt you for your username and password and then a secondary piece of information. For example, my bank will send me a token via email that I have to enter. This token is different every time I log in. Many sites are starting to support tools like Google Authenticator, which is an app that runs on your mobile device and provides that 2nd piece of authentication. If you are using sites that do not support 2 factor authentication, write to them and request it. Remember, they are storing your data, you want it protected.

Validate the Hype

When news like this breaks, we often have a tendency to overreact, thinking that it is the end of the world. Credentials got stolen, we are not disputing that, but let’s step back and think about what that means. Keep in mind that in this announcement, applications or companies were not named. At this point, it is possible the credentials are for meaningless sites that are not that big of a deal. Due to the nature of the accounts being used to send spam I am guessing many are probably email accounts, but that is just a guess. What has happened in the past can’t really be changed. We change our passwords, we monitor our accounts (like we should be anyway) and we continue reaping the benefits that these applications provide us.

Stay safe, and keep your eyes open.

Danger of USB Devices

There has been lots of news recently regarding a flaw in USB devices that could lead to an unwanted attack. USB stands for Universal Serial Bus and is often associated with thumb drives used to store data. There are many other uses for USB devices, such as your mouse and keyboard. There are even monitors that connect via USB.

Each USB device has a microchip that contains instructions on how it will work. In addition, USB devices are separated into different classes; for example Human Interface Devices (HID) for keyboards and mice, and mass storage devices like thumb drives. The computer looks at this classification to determine how to handle the device.

From a visual perspective, it is not possible to determine how a USB device will be treated, because it is the firmware on the device that contains this information. A good example we have used for years is the Teensy device, or the Rubber Ducky. This device looks like a regular thumb drive, but when plugged in, acts like a HID (keyboard).

The concern here is that in an enterprise, there are often controls that block mass storage devices from loading on end user computers. There are multiple reasons to block these devices. First, the company is trying to stop a malicious user from stealing a bunch of data using a tiny thumb drive. Remember the movie “The Recruit” where they stole info using a thumb drive? Another reason these devices are blocked is that they could contain malicious software (malware). Block the device, block the malware.

The problem we often see with these controls is that it is difficult to block human interface devices because we need a keyboard and a mouse. The idea of the Rubber Ducky is that you, the attacker, can program a sequence of keystrokes onto the device, and when it is plugged in it will execute those keystrokes. This technique allows attackers to bypass many controls and possibly gain unauthorized access to the system.

One can disassemble a Rubber Ducky and see the SD card, which shows it is not a real thumb drive. The issue with this recent news is that regular thumb drives could be reprogrammed to work as a HID without your knowledge. We haven’t seen many details of how to pull this off remotely, but we should be cautious any time we plug a device into our system.
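Because the post's point is that the eye cannot tell a keyboard-impersonating drive from a real one, the useful defensive check is the one the operating system can make: look at the interface classes a device actually presents. The following is an added example written for this post (not the post's own tooling): it audits a list of USB devices and flags any HID interface that is not on an allowlist of known keyboards and mice, and any device that presents both a mass-storage interface and a HID interface, which is the composite shape a reprogrammed drive would take. The allowlist entries, sample device records and vendor/product IDs are constructed for the example; on Linux, `scan_sysfs()` reads the real values from `/sys/bus/usb/devices`, and elsewhere it returns nothing.

```python
import os

# USB interface class codes (USB-IF class code list).
HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08
HUB_CLASS = 0x09

# Constructed allowlist of (idVendor, idProduct) pairs for the keyboards and mice an organisation
# has issued. These hex values are made up for the example, not real product IDs.
ALLOWED_HID = {("aaaa", "0001"), ("aaaa", "0002")}


def audit_device(vendor: str, product: str, interface_classes) -> list:
    """Return findings for one device, given the class codes of all of its interfaces."""
    findings = []
    classes = set(interface_classes)
    if HID_CLASS in classes and (vendor, product) not in ALLOWED_HID:
        findings.append("HID interface from a device not on the keyboard/mouse allowlist")
    if HID_CLASS in classes and MASS_STORAGE_CLASS in classes:
        findings.append("composite device presents both mass storage and HID interfaces")
    return findings


def audit(devices) -> dict:
    """devices: iterable of (name, idVendor, idProduct, [interface classes]) -> {name: findings}."""
    report = {}
    for name, vendor, product, classes in devices:
        findings = audit_device(vendor, product, classes)
        if findings:
            report[name] = findings
    return report


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def scan_sysfs(root: str = "/sys/bus/usb/devices") -> list:
    """Collect (name, idVendor, idProduct, [classes]) from Linux sysfs; empty where it is absent."""
    devices = []
    if not os.path.isdir(root):
        return devices
    entries = sorted(os.listdir(root))
    for name in entries:
        path = os.path.join(root, name)
        # Interface entries look like "1-1:1.0"; device entries carry idVendor/idProduct.
        if ":" in name or not os.path.exists(os.path.join(path, "idVendor")):
            continue
        classes = []
        for iface in entries:
            if iface.startswith(name + ":"):
                cls = _read(os.path.join(root, iface, "bInterfaceClass"))
                if cls:
                    classes.append(int(cls, 16))
        devices.append((name, _read(os.path.join(path, "idVendor")),
                        _read(os.path.join(path, "idProduct")), classes))
    return devices


# Constructed sample bus, standing in for what scan_sysfs() would return on a real machine.
SAMPLE_BUS = [
    ("1-1", "aaaa", "0001", [HID_CLASS]),                      # issued keyboard, allowlisted
    ("1-2", "bbbb", "0010", [MASS_STORAGE_CLASS]),             # ordinary thumb drive
    ("1-3", "cccc", "0020", [MASS_STORAGE_CLASS, HID_CLASS]),  # a "thumb drive" that also types
    ("1-4", "dddd", "0030", [HID_CLASS]),                      # keyboard nobody issued
    ("usb1", "eeee", "0002", [HUB_CLASS]),                     # root hub
]

if __name__ == "__main__":
    for name, findings in audit(scan_sysfs() or SAMPLE_BUS).items():
        print(name, "->", "; ".join(findings))
```

The same two conditions map directly onto policy in tools such as USBGuard, whose rules match on interface class rather than on what the plastic looks like; the script is the audit-after-the-fact counterpart for hosts where such a tool is not yet deployed.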

I will not stop using USB devices anytime soon. Diligence and user awareness are important here.