<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whatever Compliance &#187; PCI</title>
	<atom:link href="http://www.whatevercompliance.com/category/pci/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Sat, 15 May 2010 02:05:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Vulnerability Management Can Work Across Multiple Enterprises</title>
		<link>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/</link>
		<comments>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 02:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Business process]]></category>
		<category><![CDATA[enterprise vulnerability]]></category>
		<category><![CDATA[legal contracts]]></category>
		<category><![CDATA[management program]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security processes]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Supply chain management]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=465</guid>
		<description><![CDATA[Security teams that manage security at a single company think their job is hard (it is!), but imagine if you have 10 partners accessing your network all day, every day! Learn the 3 steps to implement multi-enterprise vulnerability management the right way.]]></description>
			<content:encoded><![CDATA[<p>I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors or an outsourced supply chain, you should definitely <a href="http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224300024">give the article a read</a>.</p>
<p>To summarize the article:</p>
<ol>
<li>Get your legal contracts in order. So many firms don&#8217;t put what they need from their partners into a contract. How do you expect to get what you need then?</li>
<li>Establish communication channels that work for everyone. If you don&#8217;t get the right people on the &#8220;phone&#8221;, nothing will get done &#8211; including your security processes.</li>
<li>Find the person with authority at your partner and ensure they are involved; otherwise your efforts will be useless.</li>
</ol>
<p>I offer many more details and tips within the article, but step #1 is so critical that an entire article should be dedicated to just that!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Twitter account hacked..it was a 1 in 80 chance</title>
		<link>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/</link>
		<comments>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 18:58:04 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=455</guid>
		<description><![CDATA[President Obama's Twitter account was easily hacked because of problems in the way security questions are asked. A new paper released talks about how an average person has a 1 in 80 chance of guessing your secret account question.]]></description>
			<content:encoded><![CDATA[<p>According to the Wall Street Journal:</p>
<blockquote><p>A 24-year-old living with his mother in France was arrested for &#8216;hacking&#8217; into Obama&#8217;s Twitter accounts in April 2009. Apparently he guessed the answer to a question related to password recovery in order to break into the accounts of famous people; he has no computer science training or financial motive. He posted screenshots to a few online forums and Twitter found out within a few hours, either from a tip or from noticing when someone from France logs onto Twitter as the President of the United States. (He did not actually tweet as POTUS, but just wanted to show he could break into the account.)</p></blockquote>
<p>Now, this is news in and of itself, but the interesting part is that the following academic paper, released about three weeks ago, showed how easy this attack really is to carry out. In this paper, Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how attackers stand a <strong>1 in 80 chance</strong> of guessing common security questions, such as someone&#8217;s mother&#8217;s maiden name or their first school, within three attempts.</p>
<p>According to the blog post announcing the paper&#8217;s release, Joseph Bonneau states:</p>
<blockquote><p>There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions <a href="http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf">are easy to look up online</a>, often <a href="http://www.informatics.indiana.edu/markus/papers/mmn.pdf">found in public records</a>, and <a href="http://research.microsoft.com/pubs/79594/oakland09.pdf">easy for friends and acquaintances to guess.</a></p></blockquote>
<p>This is probably what happened to President Obama&#8217;s account. It would be interesting to know what the answer to Obama&#8217;s secret question was, but it is very difficult to find the screenshots referenced in the WSJ article. The academic paper continues:</p>
<blockquote><p>It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”).</p></blockquote>
<p>This is why your system should never ask for things like that. Companies are starting to try to solve this problem. At RSA there was a new company, RavenWhite, which seemed to have a unique new approach that you can learn about at <a href="http://www.ravenwhite.com/iforgotmypassword.html">http://www.ravenwhite.com/iforgotmypassword.html</a>.</p>
<p>People really need to rethink the way they present security to the end user. There is no way any automated technology could have prevented Obama&#8217;s account from being attacked, simply because the attacker was using the system in exactly the intended way. It is what the user did afterward that differentiated the attacker from an actual Twitter user.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 consecutive errors equals a Security Breach</title>
		<link>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/</link>
		<comments>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 05:01:41 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Christian Moldes]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[gladwell]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[moldes]]></category>
		<category><![CDATA[plane crashes]]></category>
		<category><![CDATA[privileged account]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=450</guid>
		<description><![CDATA[Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (Which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization followed by detective controls such as logging to detect a breach as soon as possible.]]></description>
			<content:encoded><![CDATA[<p>Christian Moldes of Verizon Business has a great post about <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches">Plane Crashes and Security Breaches</a> and how very similar they are. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various potential scenarios an attacker can use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that it almost doesn&#8217;t matter, because normally the big breaches are not from a single vulnerability but from many chained together.</p>
<p>Christian quotes Malcolm Gladwell, who says:</p>
<blockquote><p>The typical [plane] accident involves seven consecutive human errors.</p></blockquote>
<p>When we work with clients we normally see that breaches are caused by a chain of at least three errors: exploitation of a vulnerability; then a misconfiguration is used to find a privileged account user name and password; and then data is found somewhere on the network where it wasn&#8217;t supposed to be, and which the privileged account has access to.</p>
<p>Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging to detect a breach as soon as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-warfare is overrated, Cyber-Crime is the real issue we need to address</title>
		<link>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/</link>
		<comments>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 14:18:02 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber terrorism]]></category>
		<category><![CDATA[cyber warfare]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[fraud detection]]></category>
		<category><![CDATA[fraud issues]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[scheiner]]></category>
		<category><![CDATA[security companies]]></category>
		<category><![CDATA[small businesses]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=329</guid>
		<description><![CDATA[So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.schneier.com/blog/archives/2009/09/the_exaggerated.html">Bruce Schneier</a> is talking about a great post at the Boston Review about <a href="http://bostonreview.net/BR34.4/morozov.php">the new age of cyber-warfare</a>, and how cyber-warfare is greatly exaggerated. I couldn&#8217;t agree more. Granted, the US government has a cyber-warfare problem; all governments do. However, the bigger and more immediate problem today is cyber-crime. I spoke at the Federal Reserve last week on this exact topic.</p>
<p>Small businesses are now being targeted because they have more money in their accounts and it is easier to transfer larger sums of money out of their accounts without fraud detection going off at banks.</p>
<p>A quote from the review sums it all up:</p>
<blockquote><p>So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.</p></blockquote>
<p>I try very hard not to do what they describe when I speak, but it can be difficult, especially with those who are not familiar with the problem. Cyber-crime is a death-by-a-thousand-cuts type of problem: $3,000 here, $5,000 there, but it all adds up pretty quickly. Cyber-warfare is much bigger and easier to point at than these small fraud issues.</p>
<p>If you have 10 minutes of time, read the <a href="http://bostonreview.net/BR34.4/morozov.php">Boston Review article</a> and give me some feedback. Are we in a situation where we as citizens have to be concerned about cyber-warfare like we were concerned about nukes in years past?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>3 Reasons Against Patch Tuesday</title>
		<link>http://www.whatevercompliance.com/network-security/3-reasons-against-patch-tuesday/</link>
		<comments>http://www.whatevercompliance.com/network-security/3-reasons-against-patch-tuesday/#comments</comments>
		<pubDate>Tue, 28 Jul 2009 19:18:05 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=196</guid>
		<description><![CDATA[Ultimately, whether you participate in Patch Tuesday or not depends on the nature of your unique enterprise.  Some organizations cannot afford the risks of waiting to patch and require more vigilant updating to protect their systems.  Other organizations may value the fluidity of operations over security and prefer a monthly scheduled time for patching.
]]></description>
			<content:encoded><![CDATA[<p>Patch Tuesday is kind of like a monthly holiday for many businesses I work with. It gives employees a chance to kick back while their computers and systems do all the work of updating (yes, I am joking). But is Patch Tuesday really a good idea? Many have expressed concerns that a consistent patching schedule informs attackers about the update patterns of their targets.</p>
<p>Here are the three main disadvantages of the Patch Tuesday system:</p>
<p>1. Patch Tuesday, by its very nature, makes vulnerabilities public. So while Patch Tuesday may make things easier for those who take the time to patch, it severely damages those who do not. Not only are the vulnerabilities announced, but attackers can analyze the patch to figure out exactly how to take advantage of unpatched systems. For this reason, the existence of Patch Tuesday actually makes the need to patch that much greater.</p>
<p>2. By having so many patches downloaded at the same time by so many systems, there is a definite toll on bandwidth. This could tie up the bandwidth on your corporate network, but it is a much greater problem on a vendor’s servers, which must contend with downloads from everyone who uses their products.</p>
<p>3. If you wait until a set time before patching, then you allow your software to remain vulnerable until then. It’s not a big problem when the vulnerability is not widely known, but there have been cases where vulnerabilities were publicly known for months before patches were available. Either way, attackers have a fair amount of time to take advantage of the vulnerability before it is corrected by the patch.</p>
<p>Ultimately, whether you participate in Patch Tuesday or not depends on the nature of your unique enterprise. Some organizations cannot afford the risks of waiting to patch and require more vigilant updating to protect their systems. Other organizations may value the fluidity of operations over security and prefer a monthly scheduled time for patching.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/3-reasons-against-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Compliance Complaints: Rethinking PCI</title>
		<link>http://www.whatevercompliance.com/pci/compliance-complaints-rethinking-pci/</link>
		<comments>http://www.whatevercompliance.com/pci/compliance-complaints-rethinking-pci/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 17:13:51 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[heartland payment systems]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[IT compliance]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[PCI SSC Council]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=253</guid>
		<description><![CDATA[Many are unsatisfied with the “checklist” format of PCI compliance.  They commonly point out how this switches the goal from overall security and risk management to simply compliance.  Some of these standards don’t seem to help security at all, such as configuration management.  PCI compliance should not be the goal, but it ought to serve as a jumping off point towards promoting better security practices.  But too many organizations either have a purely audit-based mentality while others regard the compliance as a frustrating burden.  
]]></description>
			<content:encoded><![CDATA[<p>If you’re unhappy with the current Payment Card Industry Data Security Standard (PCI DSS), then now is your chance to complain. The PCI SSC Council has announced a feedback period where you have the opportunity to “provide detailed and actionable feedback in an effort to revise future editions of the Council&#8217;s standards to improve payment data security.”</p>
<p>You may air your grievances during phase two of the lifecycle process, between July 1 and November 1. The SSC Council is looking to hear from merchants, processors, financial institutions, and other key stakeholders – and I’m sure they are in for an earful. (Like how the only things you need to be a QSA in North America are 30k, a high school education, and 4 days of training.)</p>
<p>Many are unsatisfied with the “checklist” format of PCI compliance. They commonly point out how this switches the goal from overall security and risk management to simply compliance. Some of these standards don’t seem to help security at all, such as configuration management. PCI compliance should not be the goal, but it ought to serve as a jumping-off point towards promoting better security practices. But too many organizations either have a purely audit-based mentality or regard the compliance as a frustrating burden.</p>
<p>Does the recent data breach of Heartland Payment Systems prove PCI is useless? Maybe not, but it isn’t 100% effective either. Of course, we know nothing in security can be. But does it even provide reasonable security and assurance?</p>
<p>There are some who call PCI DSS “security theatre.” (Like me!) It makes organizations put on a show of security that makes them feel safe, but doesn’t actually do anything. Many organizations even perform their own self-assessments, and there is no incentive for them to report anything less than fully compliant.</p>
<p>If you’ve got a bone to pick with the PCI SSC Council over these issues, then you can use their online feedback tool to “proactively propose and discuss revisions to the next iteration of the Council&#8217;s standards.”  But if you want to complain in person, you can attend their “Community Meetings” in Las Vegas or Prague.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/pci/compliance-complaints-rethinking-pci/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
