How do you manage your #InfoSec #CyberSecurity #Privacy #Policy #Security news intake?

I’m in the process of reevaluating my news feeds. The method is much the same as evaluating Cyber Security threat intelligence feeds. Is it:

  • Timely?
  • Accurate?
  • Actionable?
  • Updated?
  • Adding value?

I categorize my information intake in several ways:

  • News
  • Analysis, Editorial & Opinion (most blogs, podcasts, and personal social media feeds)
  • Technical
  • Press releases

With all of this, I find myself overwhelmed with data. Much is redundant and not adding value. Some adds value but isn’t timely. Some opinion is fobbed off as news. Branded content permeates.

What sources do you use? How do you consume them? How do you value them?

A new stack-based overflow vulnerability discovered in AMD CPUs

From Security Affairs:

Google expert discovered a new stack-based overflow vulnerability in AMD CPUs that could be exploited via crafted EK certificates.
Chip manufacturers are in the tempest. While the media continue sharing news about the Meltdown and Spectre attacks, security researcher Cfir Cohen of Google’s cloud security team disclosed a stack-based overflow vulnerability in the fTPM of AMD’s Platform Security Processor (PSP).

The vulnerability affects 64-bit x86 processors; the AMD PSP provides administrative functions similar to the Intel Management Engine.

We’re going to see a lot more investigation into hardware vulnerabilities. It won’t be pretty, I expect.

What researchers discover will not be easy or inexpensive to fix. My hope is that hardware manufacturers realize it is less expensive and better for their reputation to improve their processes in relation to secure-by-design.

The Strange WannaCry Attribution

I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea …

… I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly. Perhaps the answer to the delay question, and another thing I am missing, is that the public attribution is part of a larger plan related to a planned attack on North Korea because of its nuclear threat. Bossert’s unconvincing op-ed and incoherent press conference wouldn’t support either interpretation; and if either interpretation is right, it still comes at a cost to general deterrence. But perhaps, surely, hopefully, there is more here than meets the eye.

(Via Lawfare – Hard National Security Choices)

This WannaCry attribution was a head scratcher for me, too. Listeners of the late lamented PVC Security podcast know that I am generally not a fan of attribution, or more specifically see only limited real-life usefulness for 97% of companies’ and individuals’ security. For governments, intelligence agencies, the military, and law enforcement there is more value, but how much value this far after the fact?

This piece by Jack Goldsmith lays out pretty much every issue I have with this plus provides something of a timeline for those for whom this is ancient history (in security terms, anyway).

Got a theory or opinion on this?

Quote of the Day

“Every policy document on cyberspace begins with the notion that it is interconnected — and yet we declare it a military domain, rather than a domain in which the military must operate simultaneously with allies, adversaries, the business sector, and individuals. Interconnectedness means that national security actors are in contact with other players and, unlike in strategic environments in which deterrence might succeed, it suggests that strategy must assume that contact and action are never absent.” — Richard Harknett, in a letter on the Fall 2017 issue of International Security

(Via Foreign Policy)

This well-phrased quote speaks not only to bad strategy in spite of the obvious, but also to the danger of institutional thinking, that hard-to-escape collective default mindset.

Echoing Click Bait

A friend pointed out to me that an article I shared was little but click bait. I admit to only skimming the content before posting. I do that.

Unless a URL I post on social networks refers to prjorgensen.com, pvcsec.com, or one of my other sites directly, I apply cursory or less verification as to the authenticity, veracity, quality, security, or reliability of the data.

The journalist in me WANTS to vet everything I post via all the media. I lack the time.

What do you do? How do you not echo click bait?

Comment here or hashtag #askpvcsec on Twitter.

RDRDS, or Five Points of Security Architecture

There’s a concept that gained some traction not too long ago, called anti-fragile. The idea is to make things that can withstand a certain level of abuse without failing. Bend, don’t break is the easy way of thinking about it.

I think the concept of anti-fragile is a good one, but it is too limiting. I prefer RDRDS – Redundancy, Diversity, Resiliency, Depth, and Simplicity – or Five Points of Security Architecture.

We security professionals talk about the CIA triangle – confidentiality, integrity, and availability. Availability is often overlooked. RDRDS addresses that. Integrity is also covered in this scheme, in that the systems that data rely upon need not just make sure the data is available but that it remains unaltered, either intentionally or otherwise. RDRDS helps assure that because it’s built into the concept and the quality of those systems is known in advance of their use.

Operationally, availability is critical. When I was a network manager I mostly lived in the operations world. When systems fail, the phone starts ringing. Focusing on operational issues becomes a simple math problem in many organizations, and we should take advantage of it. Is the cost of implementing and maintaining these redundant systems worth it? How many minutes of avoided downtime pay for these systems?

When I talk about RDRDS, what do I mean?

Redundancy

  • Duplication of components or circuits to provide survival of the total system in case of failure of single components.

Firewalls are the canonical example of security tools deployed in a redundant configuration. In most organizations they are a pair of nodes in a cluster, although 3 or more nodes and multiple clusters are not uncommon.

We want critical systems to be redundant. By redundant, I mean they should keep running in the event of any specific element failing. This is typically handled via clustering, secondary paths, and load balancing among other tools.

Diversity

  • The quality of being different or unlikeness.
  • A variety.
  • Diverse types or examples.

Diversity basically boils down to not relying on a single thing: a single vendor, technology, or philosophy. Lacking diversity limits the value of redundancy.

Diversity also means avoiding single points of failure in a system. For example, having a server with two power supplies plugged into the same power circuit is an example of having redundancy (two power supply units) but a lack of diversity (one power circuit). Purchasing two data circuits from different providers when they both come in on the same cable through the same conduit is another example.
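The two cases above (two PSUs on one circuit, two data circuits in one conduit) can be checked mechanically: for a group of supposedly redundant components, the intersection of their transitive upstream dependencies is the set of shared single points of failure. This is an added example, not code from the post; the component inventory and names are constructed for illustration.

```python
"""Added example: detecting redundancy without diversity.
Each component lists what it directly depends on (constructed inventory)."""
from collections import deque

# Constructed inventory. Both PSUs hang off circuit-12; both WAN links ride
# cable-7 in conduit-north; the firewall pair is split across circuits,
# panels, and utility feeds, so it is the one genuinely diverse group.
DEPENDS_ON = {
    "psu-a": ["circuit-12"],          "psu-b": ["circuit-12"],
    "circuit-12": ["panel-east"],     "panel-east": ["utility-feed-a"],
    "isp1-link": ["cable-7"],         "isp2-link": ["cable-7"],
    "cable-7": ["conduit-north"],     "conduit-north": [],
    "fw-node-1": ["circuit-12"],      "fw-node-2": ["circuit-34"],
    "circuit-34": ["panel-west"],     "panel-west": ["utility-feed-b"],
    "utility-feed-a": [],             "utility-feed-b": [],
}


def upstream(component, graph):
    """Every transitive dependency of `component` (excluding itself)."""
    seen, queue = set(), deque(graph.get(component, []))
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(graph.get(dep, []))
    return seen


def shared_points_of_failure(members, graph):
    """Dependencies common to every member of a redundant group.
    A non-empty result means one upstream failure takes out the whole group."""
    if len(members) < 2:
        raise ValueError("redundancy needs at least two members")
    common = None
    for member in members:
        deps = upstream(member, graph)
        common = deps if common is None else common & deps
    return sorted(common)


def assess(name, members, graph):
    """Verdict for one redundant group, in RDRDS terms."""
    spof = shared_points_of_failure(members, graph)
    verdict = "redundant and diverse" if not spof else "redundant, NOT diverse"
    return {"group": name, "verdict": verdict, "shared": spof}


if __name__ == "__main__":
    for grp, members in [("server PSUs", ["psu-a", "psu-b"]),
                         ("WAN links", ["isp1-link", "isp2-link"]),
                         ("firewall cluster", ["fw-node-1", "fw-node-2"])]:
        print(assess(grp, members, DEPENDS_ON))
```

The same intersection check works for logical dependencies too (one DNS provider, one certificate authority, one identity provider), if those are added to the inventory.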

Resiliency

  • The physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit.
  • An occurrence of rebounding or springing back.

Resiliency deals with the margins, the exceptions, the extremes in a system. How well can the system handle not just peak loads but also a lack thereof and return to a normal state?

It also speaks to the ability to get the system back up and running after an event, such as a fire. Resiliency can also be described as scalability, the ability to shrink and grow as needed, and as elasticity, the ability to bend and flex but not break.

The concept of anti-fragile I think mostly touches on resilience, though to an extent it encompasses all of the concepts here.

We want systems that are properly sized and can handle peak loads without falling over. We want them to load balance or calculate the relative cost between possible paths. It should be possible to isolate and route around broken components. A modular and distributed design provides resiliency, plus provides additional benefits when it comes to upgrades and maintenance and the like.

Depth

  • Strength held in reserve, especially a supply of skilled or capable replacements.
  • A team with depth at every position.
  • The degree of richness.
  • Complete detail.
  • Thoroughness.

Defense In Depth (DID) has been a common mantra in the industry since the 90’s, maybe earlier. What does depth provide us? If we stack all of our assets at the perimeter, how does that help us when something gets inside anyway? Think about the internal malicious actor. Layering security throughout the infrastructure, thereby not placing all of one’s eggs in one basket, provides depth as well as diversity.

Depth can also address third party connections as well as upstream issues from suppliers, partners, vendors, and so on.

Information Sharing and Analysis Center (ISAC) data and broad threat intelligence add to depth. CERTs, the Internet Storm Center (ISC), and other third party threat intelligence vectors also enrich depth.

From a personnel perspective, making sure that the one professional with all the institutional knowledge documents it so that she can take an uninterrupted vacation is also part of depth.

Simplicity

  • The quality or state of being not complex, or of consisting of few parts.
  • A freedom from complexity or intricacy.

Simplicity means modularizing systems: for example, deploying a log management solution that the Security Incident & Event Monitoring (SIEM), operations monitoring, and other systems tie into, or, in networks, separating the access, distribution, and core layers.

Gap analysis helps with simplification. Compartmentalizing systems without compartmentalizing data is valuable, because it allows maintenance and potential component replacement without losing fidelity of data sources.

Above all, avoid introducing artificial complexity.

What does all of this mean from a security perspective?

There are several basic questions that need answers before you can proceed with RDRDS/the Five Points:

  1. Should security systems fail open or closed? By this we mean in the electrical engineering sense – failing open means that the circuit is broken and traffic stops flowing. Failing closed means that the circuit isn’t broken and traffic continues to flow.
  2. What are the security thresholds?
    1. How long can the IDS/IDP be down?
    2. How long can notifications from the SIEM be down or delayed?
    3. What is the cost per minute of downtime?
    4. What is the sensitivity of the data?
  3. What is the comfort level with F/OSS (Free/Open Source Software) as secondary systems?
  4. What are you trying to protect?

There are other questions, and we will flesh those out as the concept is developed. Your comments and questions are welcome here, at hashtag askpvcsec, or email [email protected].

By the way, these Five Points can apply to any system – servers or databases or IT or applications or personnel or finance or anything.

Postscript

Due to an error on my part, I lost track of what dictionaries I pulled the various definitions from. I will endeavor to cite them appropriately.

My Firefox Extensions & Tweaks

I’ve had/wanted to rebuild my work laptop several times over the past few months. Sometimes I have another machine nearby to validate what I’m adding. Lately that case is the exception. To help me remember and to share with all of the ones of you, here are my must have Firefox Add-Ons/Extensions:

Several of the above are from my Widescreen Firefox post (signified by a *). The others are primarily for security & privacy (signified by a !) or convenience (signified by a ^).

Since I’m away from my main machine I might have missed an extension, but these are the mainstays of my Firefox experience.

In the Customize Toolbar dialog I enable “Use Small Icons” and remove the search bar, the home button, and the bookmarks button.

There are more customizations, but this is enough for now. I will post additional tweaks to this later.

The other todo is coming up with a good mechanism for distributing the various add-ons’ configurations to other systems. Dropbox may be the obvious solution, but check back here for updates.

Has this been helpful to you? What are your must-have extensions or tweaks to Firefox? I didn’t even get into my about:config adjustments. Those will be updated here, too.