More than most other engineering areas, information security is an elusive practice. Practitioners are called both geniuses and gurus, sometimes depicted as white-coated lab scientists and sometimes as mavericks. Is it a science or a religion? Is it based on empirical evidence, common sense or preconditioned beliefs? Does the data even exist?

This blog attempts to discuss those and related issues by breaking out of the walls of information security, exploring comparative practices as well as relevant research fields such as cognitive psychology and philosophy of science. Some of the specific areas discussed are: risk management, incident and vulnerability statistics, intellectual property, patents and the open source model, and the evaluation and categorization of information security tools.


RSA 2012 #3: The Leviathan or Federation of Free States?

Submitted by Ofer Shezaf on 26 February 2012 - 10:35am

My previous RSA 2012 call for action, security IQ, compared information security to heavily regulated and competitive industries such as the drugs and aviation industries, calling for a standard qualification mechanism, governmental or academic.

However, this may not be the only model information security should take to ensure we are all better prepared for future security challenges. An alternative approach is to deviate to some degree from the commercially centric nature of the industry and work more closely together.

The question is what the model should be. A Leviathan model may provide the best security but is too utopian for an area which is mostly commercially driven....

RSA 2012 #2: Security IQ

Submitted by Ofer Shezaf on 23 February 2012 - 10:34pm

My second call for action for 2012, following security cloudification, and this time one I think will not be met, is for a standard measurement of security intelligence, call it Security IQ. Security intelligence is proclaimed as the next big thing in information security, and rightfully so. As a result, the question of how to evaluate the quality of this intelligence becomes important. This is true for in-house security intelligence and even more so when we outsource our security intelligence. As discussed in “Black Cats, White Cats”, black listing controls such as intrusion prevention systems and anti-virus software transfer the responsibility for security intelligence to the vendor, leaving the customer at the mercy of smart marketing people and raising the need for a standard, society-wide metric for measuring the quality of security intelligence.

RSA 2012 #1: Security Must Be Clouded

Submitted by Ofer Shezaf on 23 February 2012 - 9:48am

My recent posts have been introspective, reflecting on the state of information security. I feel the urge, especially now a few days before RSA, to venture into the future rather than address the present. Since I am shy of predicting the future, I will focus on a call for action: what I think should happen in information security in the coming years. Next week on the RSA exhibition floor, we will all see if 2012 will see the beginning of those trends.

That said, my first post is about an area that I think will be center stage this year: security in the cloud.

Scientia Potentia Est (Knowledge is Power)

Submitted by Ofer Shezaf on 22 February 2012 - 10:36pm

The famous proverb “Knowledge is power” is attributed (probably wrongly) to Sir Francis Bacon, one of the founding fathers of modern science. Usually referring to the contribution of science to the progress of human well-being in modern times, it is often criticized on the grounds that it takes action, and not just knowledge, to achieve progress.

The world of information security presents a similar dilemma. In my previous post, “Black Cat, White Cat”, I divided the world of security controls into black listing tools for detecting and preventing attacks and white listing tools enforcing policies. However, this is not the only categorization one can make of security tools: an orthogonal categorization would be between passive controls, the “knowledge”, and active controls, the “action”. Is knowledge power? Are passive controls, which provide us with information but do not take an action, effective?

Black Cat, White Cat

Submitted by Ofer Shezaf on 16 February 2012 - 11:48am

Deng Xiaoping might be the most important leader of the post-war era. One of the most famous sayings attributed to him is that it does not matter if the cat is black or white as long as it catches mice. This pragmatic ideology allowed Deng to incorporate a market economy into an autocratic socialist system to create a most successful, though admittedly troubled, society.

Deng’s lesson is valid everywhere: we can argue about ideology forever, but true value is measured by results. The saying is also symbolically relevant to information security as we tend to divide security controls into two major groups: black listing and white listing, which represent two opposite risk mitigation philosophies.

Cyber Terrorism or Cyber Hooliganism?

Submitted by Ofer Shezaf on 20 January 2012 - 10:45pm

In the last couple of weeks Saudi and Israeli hackers have been busy exchanging attacks on web sites in the respective countries and publishing personal information, including credit card numbers, of citizens of the other side. This is far from the first time that the Arab-Israeli conflict has resulted in hacking contests, usually happening around periods of tension such as the Gaza invasion in 2009 or the Turkish flotilla to Gaza in 2010. These incidents provide a very interesting insight into the psychology of our reaction to violence in general and cyber violence in particular.

Should we blame Darwin’s evolution?

Submitted by Ofer Shezaf on 26 November 2011 - 12:57am

While we all recite the potential impact of a breach in a well-rehearsed manner, it is doubtful that we, as individuals or as a society, evaluate breach impact to its full extent. Why do we downplay breach impact and allow so many computers, and even web servers, to be infected?

Will academic security research provide the answer?

Submitted by Ofer Shezaf on 20 November 2011 - 9:41pm

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo research data altogether, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Pen-testing RESTful Web Services

Submitted by Ofer Shezaf on 20 November 2011 - 1:40am

Last week I gave a presentation at Source Barcelona about security testing of RESTful Web Services. While the security aspects of RESTful Web Services are rather similar to those of normal web applications, testing them poses different challenges, which are discussed in the presentation.

The presentation includes:

Suto strikes again, or getting the desired results regardless of data

Submitted by Ofer Shezaf on 17 November 2011 - 11:37pm

Larry Suto, who brought us scanner wars 1 and 2, has published a WAF effectiveness study. As usual, Larry’s work is fun to dissect. While Larry’s research is no worse than your average analyst’s work, he does try to base his conclusions on more concrete and pseudo-scientific research, making it much more vulnerable to scrutiny.
