Talking with David Rice; insecure software implications, regulation, vendors, making change and other things….

July 29th, 2008 Drazen Drazic

David Rice is an internationally recognised information security professional and author of the critically acclaimed book, “Geekonomics: The Real Cost of Insecure Software.”  For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

I had a chance to talk with David recently and I hope you enjoy the read.

———————————————————————————-

BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?

DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.

The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.

On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 11 Comments »

Web Application Security Professionals Survey

July 28th, 2008 Drazen Drazic

As you know, I am not a fan of most IT security surveys but Jeremiah Grossman’s Web Application Security Professionals Survey is an exception. The full survey and comments are well worth downloading. (And if you use HackerSafe, well what did you expect industry specialists were going to say?!) :-)

Posted in Applications, Bad Stuff, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Responsible Disclosure Debates……What about No Disclosure?

July 27th, 2008 Drazen Drazic

This topic has been hot again in recent times and we’ve been asked a few times what our position on this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities (and in some cases exploits were developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here, but is the third option of no disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area? (And I don’t mean sales of vulns to organisations who buy them - I mean those vulns discovered in vendor systems and applications, and those detected in private engagements for clients in home-grown systems and applications.)


Posted in Applications, Bad Stuff, Disclosure Laws, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 9 Comments »

Cheap PCI DSS Compliance?

July 24th, 2008 Drazen Drazic

An interesting story here on another hosting provider looking at the potentially lucrative PCI DSS compliance market. From the Australian IT: “IT security on the cheap“. What concerns me here are the promises being made by new entrants into the PCI market. Organisations looking at companies like this, or at anyone promoting quick and easy solutions to compliance, need to seriously investigate what it is they are getting. Cheap and secure hosting alone does not make for simple PCI DSS compliance, and every customer will have internal process, procedure and application issues around compliance that, in terms of the number of requirements satisfied, may far outweigh those satisfied by outsourcing some responsibility to a third party.

Compliance with PCI DSS is not cheap and it’s not simple. Anyone who promotes it as cheap and simple should be assessed very carefully.

In recent times, Securus Global has been working with manageNET to develop a truly secure hosting environment for clients and their PCI DSS compliance. Both organisations understand how complex each individual organisation’s requirements can be, so while core secure hosting may not be relatively complex, each individual company’s environment around credit card processing, storage and transmission differs, so all solutions are developed on a client-by-client basis. If a hosting provider is not doing this, they shouldn’t be in this game. End of disclosure.

BTW, the comment in the article, “Meanwhile, merchants that store credit card information would have to complete up to 223 questions every quarter to adhere to PCI DSS guidelines”, is obviously wrong. Also, geez, I’d be concerned dealing with someone who, “After taking a beating on the stock exchange, BlueFreeway hopes to revive its fortunes with the solution, squarely aimed at small and medium-sized enterprises (SMEs)” :-)

Posted in PCI, PCI DSS, Risk Management, Vulnerability Management | 3 Comments »

The thing is that anything seems to be plausible…..

July 22nd, 2008 Drazen Drazic

From idea to concept, to proof of concept, almost anything to break the Net and the systems on it is plausible. It’s been done over and over, but because it’s been done as one-offs so to speak, and dealt with as one-offs, none of it seems as doomsdayish.

The DNS stuff has some wondering if the Net could potentially cope with this vuln. It will because it will be addressed as a one-off. One of a million such stories:
http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/

Is this latest DNS one a really bad one? I don’t know enough about it to comment.

All I know is that based upon the history of the Internet and what could happen, nothing can be discounted and anyone who thinks that the whole Net is eternally safe from a real big hit is probably optimistic.

End of the day, it’s the nuts we have to worry more about than the Net criminal elements. Everything going to crap is bad for business - for everyone. Just my 2c.

Posted in Bad Stuff, Research, UFOs, WTF, cyber crime | 4 Comments »

Does this remind me of some haxors? :-)

July 18th, 2008 Drazen Drazic

Posted in To cool | 2 Comments »

The more QSAs, the better you must be against your competition!

July 17th, 2008 Drazen Drazic

I am proud to announce that Securus Global (ie; in case you did not know, our company), has 5 QSAs now!!!

Now if you are working in a large multi-national, that won’t seem like much. But here in the Asia Pacific region, that places us close to the top in terms of number of certified “experts” in PCI DSS! We must be good now! We have more than most of our competition!!!! We’re going to win more business now!

Hmmm……”We must be good now!”…..we always were, even with 1 QSA. But, the last statement is so true. We are going to win more business now in the PCI DSS area….because of numbers. We know that because we lost jobs last year for no other reason than we had less QSAs than a couple of our competitors.

Sadly, certification numbers mean the world to some. While it doesn’t sound like much, 6 jobs we lost for PCI came down to the CIO or CEO going against the security dudes’ recommendation that they go with SG, for no other reason than company X has more QSAs! WTF? True…….

Yeah, we lost a few other bids on price but that’s life….it happens when some people don’t know you. But I now know I have, based on the stats, the opportunity to win some of those jobs we would otherwise have lost.

Critical thinking has not made its way to many CIOs…….never has since the “CIO” title was invented, and CIOs are still the main reason why most companies are managing security so badly. We rave on and on and on about security dudes needing to be “certified”…..that’s not the problem…..CIOs need to be certified! If you work in IT and are at that level and know jack about IT security, you are the stuff of Scott Adams’ inspiration!

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, WTF | 4 Comments »

Priorities…..

July 17th, 2008 Drazen Drazic

I notice little gets reported about Net Neutrality but we’re deluged with iPhone news. Wireless (in)security is no longer a hot topic but Symantec announcing it will speed up its products is big news. WAFs are a hot topic but we’ve long forgotten that good basic practices help security more than any tool will. Another annual BS security survey on how bad things are will be reported everywhere, but few will drill down to the question of why the business world’s overall state of security is poor. Everyone is in “the cloud” but no one reports almost 20 years of those companies’ previous promises/failures.

Everything is wonderful! :-) Just don’t mention PCI.

Posted in Bad Stuff, Dumb Security, Risk Management, WTF, cyber crime | 5 Comments »

Security Professional’s Guide to Interviewing your Potential New Company

July 15th, 2008 Drazen Drazic

Another friend in the industry is leaving his company at the end of this week. Sadly, it’s for the same reasons everyone else I know in recent years has left their employer (to test the waters elsewhere) - “this place just doesn’t really care about security!”, “It’s all lip service!”, “they just don’t understand nor want to listen!”, “the security team has no support” etc etc etc…..same old stuff.

I don’t blame any of them. I’ve been in that position myself a few times. You just get to a stage where you think it’s not worth it anymore and surely there’s something better out there. But the grass is not always greener elsewhere, as we know. Chances are, particularly in Australia, the next employer is not going to be much better if you’re looking for a place that takes Information Security seriously. But there are exceptions…. So how do you find out whether the potential new company is going to be any better, based upon a 1 hour interview?


Posted in Uncategorized | 5 Comments »

Kiwicon 2k8 - CFP

July 13th, 2008 Drazen Drazic

Kiwicon 2k8 reminder…. not that anyone would have forgotten; 27-28 September, 2008. Details:
http://www.kiwicon.org/

Posted in Research, To cool | 2 Comments »

AISA - Challenges, Change and the Future - Interview with AISA Chair, Stephan Overbeek

July 11th, 2008 Drazen Drazic

I’ve posted before about the Australian Information Security Association. AISA is a volunteer-run organisation of Information Security professionals with branches in almost every capital city in Australia and in excess of 800 members. The number of members has grown significantly in recent times, and AISA as an “organisation”, as opposed to the “Interest Group” it started as, is growing also. In this chat with Stephan Overbeek (the current Australian Chair of AISA), we talk about the organisation, focus on valid questions and concerns raised by many in the industry here (including myself) about AISA, and look at what AISA’s plans for the future are. (Note: I am an AISA member and a volunteer on the Executive committee, as I have mentioned in the past.)


Posted in Industry Specialists Talk | No Comments »

Net Neutrality: Are Content Filtering Practices being Actively Run by Large Australian ISP, Consumer Rights Left Un-Defended?

July 9th, 2008 Drazen Drazic

Opinion Piece: By Wade Millican (with Drazen Drazic)

The recent content filtering issues we discussed pertaining to TPG are very concerning in their own right, but they are part of a much much bigger picture - something before the Senate of the United States.

They are part of a topic termed Net Neutrality. This is a battle being waged by the old-school traditional telco companies like ATT, MCI and Verizon, with the objective of making more money by re-charging for their Internet services. With the cost of bandwidth so cheap, there is supposedly no money in the market and thus they are all going broke?! In response, they are diversifying with service arms and branches, but are also looking to recoup costs on the leased lines. To do this, their goal is for content providers, such as Google (as but one example), to pay to assure a certain quality of service to the end user’s PC. (Side note: This is a big issue when the line is provided all the way through by one provider, which is common both in the US and in Australia.)


Posted in Uncategorized | 3 Comments »

Web Content Filtering in Australia? Didn’t think so…..but…

July 8th, 2008 Drazen Drazic

Some interesting stuff floating around about web content filtering with TPG. You have to ask what is going on here. Is this a well-intentioned system that has just gone wrong in terms of deployment for the ISP?

http://www.inthemix.com.au/forum/showthread.php?t=228479

http://forums.whirlpool.net.au/forum-replies-archive.cfm/946858.html

Surely there’s a “problem” here that needs to be addressed. Opt-out options (in terms of content filtering being a standard from the ISP) are not what we are used to in Australia in terms of access to Internet content. Without going too hard, and giving them the benefit of the doubt for now, it will be interesting to see how this plays out.

Hat tip to Wade.

Posted in Bad Stuff, Dumb Security, WTF | 10 Comments »

Australian Government E-Security Review….

July 6th, 2008 Drazen Drazic

The AGD is leading a review of the Government’s e-security policy, programs and capabilities.
http://www.ag.gov.au/esecurityreview

Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means by their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure that we could develop a large list, but at the same time analysis vs practical and realistic solutions to issues needs to be considered. There are many trains of thought - some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope and believe that we can turn things around with great effort. Is there a middle ground in the IT world, as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?

Posted in Research, Risk Management, Vulnerability Management, cyber crime, governance | 3 Comments »

Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they pushing the same message 12 months ago? Are they now a QSA (not that that matters so much, but it may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 16 Comments »

Internet Banking in NZ - Will be interesting to see some test cases….

July 4th, 2008 Drazen Drazic

The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.

The Computerworld NZ story has a quote that doesn’t seem to make that much sense, but in the context of the history of this and what could have been, is now a bit more understandable: “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

The Pope is coming so you must be nice or you’ll be in trouble…

July 3rd, 2008 Drazen Drazic

By straxd

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; coincidentally written by Julian of Chaser fame. One could put forward the argument that this has been set up for the Chaser team and that other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone! :-)


Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, WTF | 15 Comments »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevalence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »