InfoSec aXioms

My previous RSA 2012 call for action, security IQ, compared information security to heavily regulated and competitive industries such as the drugs and aviation industries, calling for a standard qualification mechanism, governmental or academic.

However, this may not be the only model the information security should take to ensure we are all better prepared for future security challenges. An alternative approach is to deviate to some degree from the commercially centric nature of the industry and work more closely together.

The question is what should be the model? A Leviathan model may provide the best security but is too utopian for an area which is mostly commercially driven....

My second call for action for 2012, following security cloudification, and this time one I think would not be met, is for a standard measurement of security intelligence, call it Security IQ. Security intelligence is exclaimed as the next big thing in information security, and rightfully so. As a result, the question of how to evaluate the quality of these intelligence becomes important. This is true for in house security intelligence and even more so when we outsource our security intelligence. As discussed in “Black Cats, White Cats”, black listing controls such as intrusion prevention systems and Anti-Virus software transfer the responsibility of security intelligence to the vendor leaving the customer at the mercy of smart marketing people, raising the need for a standard society wide metric for measuring the quality of security intelligence.

My recent posts have been introspective, reflecting on the state of information security. I feel the urge, especially now a few days before RSA, to venture into the future rather than address the present. Since I am shy of future telling, I will focus on a call for action: what I think should happen in information security in the coming years. Next week on the RSA exhibition floor, we will all see if 2012 will see the beginning of those trends.

Saying that, my first post is about an area that I think will be center stage this year: security in the cloud.

The famous proverb “Knowledge is power” is attributed (probably wrongly) to Sir Francis Bacon, one of the founding fathers of the modern science. Usually referring to the contribution of science to the progress in human well-being in modern times, it is often criticized on the grounds that it takes action and not just knowledge to achieve progress.

The world of information security presents a similar dilemma. In my previous post, “black cat, white cat”, I divided the world of security controls into black listing tools for detecting and preventing attacks and whitelisting tools enforcing policies. However this is not the only categorization one can make of security tools: an orthogonal categorization would be between passive controls, the “knowledge”, and active controls, the “action”. Is knowledge power? Are passive controls which provide us with information but do not take an action effective?

Deng Xiaoping, might be the most important leader of the post war era. One of the most famous sayings attributed to him is that it does not matter if the cat is black or white as long as catches mice. This pragmatic ideology allowed Deng to incorporate market economy into an autocratic socialist system to create a most successful, though admittedly troubled, society.

Deng’s lesson is valid everywhere: we can argue about ideology forever, but true value is measured by results. The saying is also symbolically relevant to information security as we tend to divide security controls into two major groups: black listing and white listing, which represent two opposite risk mitigation philosophies.

In the last couple of weeks Saudi and Israeli hackers have been busy exchanging attacks on web sites in the respective counties and publishing personal information, including credit card numbers for citizens of the other side. This is far from the first time that the Arab Israeli conflict resulted in hacking contests, usually happening around periods of tension such as the Gaza invasion in 2009 or the Turkish Flotilla to Gaza in 2010. These incidents provide a very interesting insight into psychology of our reaction to violence in general and cyber violence in particular.

While we all chant a potential breach impact in a well-rehearsed manner, it is doubtful that we, as individuals or as a society, evaluate breach impact to its full extent. Why do we downplay breach impact and allow so many computers and even web servers to be infected?

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo with research data all together, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Last week I gave a presentation at Source Barcelona about security testing of RESTful Web Services. While the security aspects of RESTful Web Services are rather similar to normal web applications, testing them poses different challenges discussed in the presentation.

The presentation includes:

Larry Suto, who brought scanners wars 1 and 2 has published a WAF effectiveness research. As usual, Larry’s work is fun to dissect. While Larry’s research is not worse than your average analyst’s work, he does try to base his conclusion on more concrete and pseudo-scientific research making it much more vulnerable to scrutiny.