I’ve talked about this before so I won’t rant on again too much about my position….geez, did I have a definitive one? :)

I agree with the last comments on the last post here from GoogleHack. If the research community hasn’t been able to nail this, then you have issues. If a Google takes a stand – regardless whether “official” or not, it will impact heavily on the debate. It’s Google! This is a really bad thing in my opinion. A “standard” has been set….at least for the time being.

Securus Global has taken the position that we judge all vuln research findings on a case by case basis. The upshot, to the detriment of our marketing, is that we’re rarely publishing vulnerability advisories. This may upset some, but we’ve almost come to the conclusion that as a business, it’s no longer a cool thing to do (all the time).

Now please don’t get me wrong……independent researchers publishing stuff come from a different angle and we respect that fully. We do. They don’t have the backing of a “business” in many cases, but they have a passion and other drivers…..good, bad or looking for a way. We did.

We respect our own team doing this and publishing as “independents” if they choose to. We just see, as a team, another way is working for us, and the companies who engage us directly to work with them.

In the last 12-24 months, it’s been great to be recognised more and more by large security vendors and other major software and hardware developers as an organisation they can trust to get their appliances, software and overall systems tested before going to market. We’ve built a reasonably good reputation through word-of-mouth and there’s now a lot of systems out there that have been fixed up due to our work.

Given these direct relationships, it has been a slight negative though from a broader marketing perspective for Securus Global in that public advisories are not there. That said, it does align with why we started in the first place and it aligns with our approach to the industry overall…..always has – to improve, to make things better than they were.

Marketing follows. :)

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.

Would you classify; hacking, security testing, targeted vulnerability analysis and research, etc – activities that in one form or another come under the banner of “penetration testing”, as a commodity? Many do…..wrongly!

It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are; not core to the business, stress* resource capabilities and have less profit margin, (but are a necessary part of their business to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: issues, pressures and costs associated with attaining and maintaining exceptional quality people).

Is the assumption, that with a little bit of training and the right tools, anyone can deliver this [penetration testing] work, insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand – you can argue validity on skillset alone for individuals and/or organisations, who don’t view it as a commodity service, but rather market themselves as experts when they are not).

I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.

Historically we have learned that “outsourcing” can have a detrimental impact upon quality of service, reduced ownership/awareness/oversight/visibility…and security. Valid points in this discussion in my opinion.

The other day I read somewhere someone promoting; “Penetration Testing from the Cloud”? WTF is that? If a client of mine is rolling out a new technology – hardware, software or both, is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops, (fronted by a reputable name)?

I acknowledge you can commoditise certain things – well to a degree at least…..and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the basics/fundamentals of Information Security across to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.

You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees). :)

By Declan Ingram.

Thought provoking read over at the Register: Feds seize $143M worth of bogus networking gear.

While the article is mainly about counterfeit hardware (Cisco etc) seized in the US, (some of which was used by the US Marines in Iraq), there are two parts that got my attention:

1) The counterfeit gear could have backdoors. (Well yes – and this is not news for many…be surprised if some or most doesn’t).

2) This lovely quote: “In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors” – If these are the same officials that have missed all the other security issues to date (and in the future), then I’m not sure this statement makes me feel any better.

This reminds me of a friend of mine who years ago purchased some pirated operating systems on CD in Malaysia. They had been backdoored and once installed allowed anyone on the Internet to gain full access. I had a giggle, I must say. You really get what you pay for…..and more. (Remote Support?) :)

The (potential) security problems of pirated software have been well documented for some time. Most will have looked at backdoored ‘cracks’ for proprietary software etc, but bogus hardware? Backdoored from day 0? Cisco gear is generally top shelf, so more likely to get noticed, but what about lesser brands or even your generic ’sourced’ components? The flash drive from eBay? The cheap video card you got for your server so you can install the OS? Have a think about it.

Could organised crime use this to offset the cost of components? OK, that could well just be pure FUD……but.. :)

I bet some, (most?) bogus gear comes from the same factory as the legit gear. Stands to reason. If it is backdoored, what assurance do we have that the legit gear isn’t? How would we, (or anyone else) ever know? Few know where to start in assessing the security of their supply chain.

(Also posted this as a question on Twitter; @ddrazic).

Does anyone know a website that documents and posts links to all the more well known Annual Security Surveys and Reports? So many come out, it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out the “Emerging Threats” presentation (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

Symantec Press Release 22 February, 2010: Symantec 2010 State of Enterprise Security Study……

(Time to pump out another piece of marketing to get people thinking about buying Symantec. Here’s the report if you are interested in wasting a few minutes).

Just reading this now…….wooo…..hang on……what I don’t see anywhere in this report is a proud statement that Symantec customers are the lucky few that are safe from malicious attacks that other businesses are facing.

Why is this not in there Symantec? Surely you should be beating your own drums given you so proudly told us all some time ago that your product(s), and I quote; will provide “…proactive protection against unknown and zero-day threats”. It’s the Symantec Guarantee!

As such, surely Symantec customers do not have the same concerns as those poor businesses you mention in your study. Let us know if this was just an error on your part, or Symantec just not wanting to show off here because, surely you would not use bullshit marketing in the past?! :)

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:
Looking at data like this from the Conficker Working Group and talking to many Information Security Managers/CSOs still having to deal with outbreaks in their organisations, you have to wonder what’s going on. The general theme seems to be; “Infrastructure lead told us this was under control….they patch (always!)…..they now tell us [post infection], they “sometimes” patch!….Now it’s out of control!”

LOL…usually same guys who see no merit in vulnerability assessment/management systems and penetration testing (plus security in general?). Why buy something like QualysGuard when you can get a pretty thorough test for free I suppose? (If you can deal with the repercussions). From the CSO perspective; Automated Porkie Testing…no client-side input required. :)

I suppose having some form of detection “engine” at the ready even if it’s just sitting idle, (if that is really what Apple is considering and it’s not just speculation waffle), makes sense in the longer term…..if that one day comes where all us Mac users come under attack!? Quicker to download a signature than a complete application when time could be of the essence. But if gameovered….doesn’t matter anyway. Hmm….Nothing new here.

- Didn’t the 4 Corners Episode; “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons; (1) I didn’t think there was anything new and worthwhile worth highlighting, and, (2) People were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so in my opinion. I welcome your thoughts here.

- Which leads me to discussions and analysis on who are the “experts”. Anton Chuvakin, our Qualys and PCI friend, ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode, responded to this here.

- Hackers vs Federal Police was a big story this week here as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well at least you’d bet on it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to setup a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.