Last week, I got my copy of All Yesterdays. (Not the used Amazon versions, as the pricing algorithm is failing hilariously.) I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.
You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.
So why am I posting this review on a blog that (more or less) focused on information security?
Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working overtime to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw-ups, come closer and closer to consensus. As they’ve done this, the consensus has shifted around several times and everyone has had to constantly adjust to the shifting truth.
In effect, it is a book about evolution… the evolution of species… the evolution of understanding… the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in Security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.
Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are a tad more hackers than professionals who draw dinosaurs from scientific principles, so we do get an advantage of numbers. Still, there is ample room for improvement.
This book explores the problems that arise from:
- Taking a superficial view of evidence
- Not comparing logical conclusions to examples of modern data
- Avoiding analysis and basing beliefs on the misguided work of others
- Looking strictly at hard evidence and ignoring behavior
- Hyper-focusing on dramatic scenarios
What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?
What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?
What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?
If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.
However, this progression ignores a very powerful tool. As an example, here’s a video:
What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.
In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes, people hide behind uncertainty and avoid doing the right thing.
The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.
But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on this shows cases where people following policy resulted in death, brain death and murder suspects being released.
So it would seem that this is a “damned if you do, damned if you don’t” situation, right?
It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.
Not everything can be avoided. Sometimes you just have to deal.
More on the moose is here.
This article was originally published on RJS Smart Security.
Exercise. With a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.
In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in preference to those that we are fairly certain would benefit us right now… even when future gains would likely be much larger. So, even when we know that exercise would help us, we avoid it because there are other things that need doing.
Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us… so there is resistance to trying new things.
Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done… right?
Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is that of an animal escaping. Your job is to figure out how to deal with the event and get the animal back. How would you do it? Take a couple of minutes and think about what you’d do. I’ll wait.
Now, watch this video.
Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your people were injured during the escape? What about people at the zoo? Did you think of children, of adults, of any disabled people and how they might escape? Did you think about the potential damage that an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility that the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?
Even an exercise can show you things that you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones would require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.
I know, I know. The security and squid blog is located elsewhere. Sorry, but I just have to write about this article.
A short time ago, Chuan-Chin Chiao, Kenneth Wickiser, Justine J. Allen, Brock Genter and Roger T. Hanlon published the article Hyperspectral imaging of cuttlefish camouflage indicates good color match in the eyes of fish predators. (How can you resist an article with such a fascinating title?) For those that don’t thrill to reading academic articles about the eyes of coleoid cephalopods (you weirdos), there is a more accessible press release here.
Why am I fascinated about this? Well, cuttlefish have the ability to change their patterning to blend into the background. We’re familiar with how chameleons do this, but cuttlefish are a lot better at it. Not only are they better at it, but they’re also colorblind! (Like me.) That’s right, these critters are capable of changing their own coloration when they can’t even see it. How do they do it? Well, sorry to keep you in suspense, but we still don’t know. There is some suspicion that it involves opsin transcripts, and evidence that body position may have something to do with it, but those theories are insufficient for a complete explanation. What’s interesting is the approach of the paper.
Science, as you know, is all about measurement. There’s little room for guesswork and lots of opportunity to be wrong. So if you’re going to measure camouflage, you’d better have a darn good way of doing it. What these guys did was to take hyperspectral images with a HyperScan VNIR system. Effectively, it measured the amounts of 540 different colors to determine how well the cuttlefish blended into their background. They looked at their targets as if they were a super predator, with capabilities far beyond that of the predators we know… and the cuttlefish’s technique was still effective.
So what does this mean for us? Well, for me it means that I lost out: I am colorblind but am not able to perceive the polarization of light the way cuttlefish can (lucky critters). However, for the rest of us as a group, it means this:
These creatures developed this ability over millions of years through a complex process of trying different ways to hide and, when they failed, being eaten. From a business perspective, there is some value in failing fast… but little advantage in being eaten. If you want to develop strong protections, you need to find a predator that lets you know when your defense is working and when it’s not, without eating you. Ideally, this would be a super-predator that is better than most of the predators out there.
We call these people penetration testers. Armed not with a HyperScan VNIR, but with tools like network mappers, vulnerability scanners and exploit frameworks, these people can assess your business and let you know if they could break through your defenses and how. You can then protect yourself better by making appropriate changes. Sadly, the industry is still young, and it’s hard to identify the super predators from the others. There is a project to help with this, but for now, here’s a quick evaluation process. When you call a company (like mine) and ask for an evaluation, ask this handful of questions:
- How much will a penetration test cost?
- How much will a vulnerability assessment cost?
- Rule of thumb: Due to the time involved, penetration tests cost at least ten times what vulnerability assessments do. If they don’t, find another company.
- What is the difference between a penetration test and a vulnerability assessment?
- Rule of thumb: If they only say “A penetration test tries to break in, a vulnerability assessment does not”, find another company.
- What is your assessment methodology?
- Here, you should be looking for a standard and repeatable process. You don’t need to dig into the weeds, but you do want to weed out companies that come across as “We just try stuff at random”.
- What problems have your tests caused in the past?
- Here’s a secret of the industry. Anyone worth their salt has broken something. If you don’t sometimes break stuff, you’re not trying hard enough. Companies that try to gloss over this and say “Oh, our tests are safe” are not super-predators.
Get the right help or get eaten.
It’s that simple.
The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.
No, instead, the only specifics you need to know about this attack are that it hit Gawker, that Gawker owns sites like Lifehacker, Gizmodo and io9, and that if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.
I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.
Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:
1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.
See, the fundamental problem here isn’t that rattlesnakes have mouths full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattlesnakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.
This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)
So what’s the point here? The thing is, with hiking you can choose your location; when you’re on the Internet you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.
No, whether you’re hiking or using the Internet, there are two simple rules:
1) Take basic precautions.
2) Don’t be stupid.
For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.
Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.
Lesson one of Internet security? Don’t poke the bear.
Autotomy is the fancy name that people give to the well-known tendency for certain lizards to throw off their tails to escape predators. The theory is that the tail will thrash around and distract the predator, thereby giving the lizard a chance to get away. It must be noted that other critters like octopuses, crabs and some starfish also do this, as do sea cucumbers. (Though the sea cucumbers eject their internal organs instead.)
So what does this mean in the business/IT world? Well, the obvious analogy is to distract an incoming attacker by abandoning your resources and letting them go nuts while you relocate your business to Sri Lanka. However, some might consider this approach somewhat impractical.
However, if we stretch the analogy to the point of breaking (much like a lizard’s tail), perhaps it makes sense to build a business strategy around distracting attackers. There are some technologies that could assist with this. A honeypot is often used to trap attacks so that people can learn from them. This has become even easier now that virtualization has become prevalent. All you have to do is join one of many projects and you’ll have a nice fake network to distract attackers.
Another technique is tarpitting. This technology looks at incoming connections, and if they are not approved, it doesn’t reject them right away, but instead extends the time before the connection is closed. Thus, attackers are delayed and, in theory, you gain the time to build a defense.
In practice, of course, you need to actually be watching for the attack and take defensive action. This technique wouldn’t work very well if the lizard dropped its tail and then stared dumbly as the dog wrestled the tail into submission, ate it, digested it, napped for a bit, woke up, got a bit hungry and then saw a nearby tasty tailless lizard. So, if you decide to go after this option, you have to remember to “run and hide”. In other words, keep an eye out for the attacks and be ready to block them.
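To make the tarpit idea concrete, here is an added example (my own illustration, not code from the original post or from any tarpit product). It assumes a simple allowlist policy: approved sources get an immediate banner, every other connection is answered with a byte or two at a time, so the client sits waiting for a complete line while the defender gets the time the post talks about. The listener also records each decision, since, as the post says, a tarpit is useless if nobody is watching it. The delays are kept very short so the demo finishes in well under a second.

```python
import asyncio
import time
from functools import partial

# Constructed demo settings; a real deployment would use far longer delays.
DRIP_BYTES = b"\r\n"   # a fragment of a line, so the client keeps waiting for the rest
DRIP_DELAY = 0.05      # seconds between drips (tiny here so the demo runs quickly)
DRIP_COUNT = 5         # total drips before the connection is finally closed


def is_approved(peer_ip, allowlist):
    """Policy hook: only sources on the allowlist get a prompt, normal answer."""
    return peer_ip in allowlist


async def handle(reader, writer, allowlist, events):
    """Answer approved peers at once; tarpit everyone else by dripping bytes slowly."""
    peer_ip = writer.get_extra_info("peername")[0]
    try:
        if is_approved(peer_ip, allowlist):
            events.append(("accept", peer_ip))      # the watch log: who got through
            writer.write(b"220 ready\r\n")
            await writer.drain()
        else:
            events.append(("tarpit", peer_ip))      # the watch log: who is being held
            for _ in range(DRIP_COUNT):
                writer.write(DRIP_BYTES)
                await writer.drain()
                await asyncio.sleep(DRIP_DELAY)     # this sleep is the "extra time"
    finally:
        writer.close()
        await writer.wait_closed()


async def time_connection(port):
    """Client side: connect, read until the server hangs up, return (seconds, bytes)."""
    started = time.monotonic()
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    data = await reader.read(-1)                     # read until EOF
    writer.close()
    await writer.wait_closed()
    return time.monotonic() - started, data


async def run_listener(allowlist):
    """Start a listener on an ephemeral port, make one probe connection, shut down."""
    events = []
    server = await asyncio.start_server(
        partial(handle, allowlist=allowlist, events=events), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        elapsed, data = await time_connection(port)
    return elapsed, data, events


def demo():
    """Probe once with 127.0.0.1 approved and once with it unapproved.

    Returns {"approved": (seconds, bytes, events), "tarpitted": (seconds, bytes, events)}.
    """
    return {
        "approved": asyncio.run(run_listener({"127.0.0.1"})),
        "tarpitted": asyncio.run(run_listener(set())),
    }


if __name__ == "__main__":
    for label, (elapsed, data, events) in demo().items():
        print(f"{label}: {elapsed:.3f}s, {len(data)} bytes, events={events}")
```

The `events` list stands in for whatever alerting the real environment uses; the tarpit only buys time if that list is actually fed into something a human or a blocking rule reacts to.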
The Blue Glaucus, also known as the sea swallow, blue sea slug and blue ocean slug (’cause one name just isn’t cool enough for this sucker) is, as Wikipedia says, a pelagic aeolid nudibranch, a marine opisthobranch gastropod mollusk in the family Glaucidae. Which is a fancy sciency way to say it’s a slug that lives in the ocean. (If you like to geek out on sciency stuff (like me), read this, and this and this.)
What makes this little critter particularly interesting is that it eats Portuguese Man o’ Wars (should that be “Men o’ War”?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, ’cause they’re cool too)). It can then concentrate the cells of all the Portuguese Mens o’ Wars it eats and thereby pack a stronger wallop than the original predator.
Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which makes them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily on what you have in common. That’s not to say that commonality isn’t important… no acquisition is going to work out if you don’t share common proteins. However, a strategic acquisition isn’t going to be massively successful unless you can take advantage of and preserve the uniqueness.
The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn’t it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.
Of course, the other lesson to learn from Glaucy is that it’s not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that’s best practice right?
Best practice is protecting the business. That means making the business as successful as possible. I’m afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.
- The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near, much as monitoring systems will send SMS or email messages when an attack occurs.
- Groundhogs have two layers of fur, both a soft undercoat and guard hairs. This is a classic defense in depth strategy, against both cold and damp threats.
- Groundhogs mostly eat plants but won’t pass up the occasional delicious grub or bug. This allows them to supplement their dietary needs without having to track down the rare vegetative high-protein source like nuts or beans, which are needed in small quantities at various points in their lives. This is much like an organization hiring a 1099 resource as needed.
- They are one of the few creatures that truly hibernate and are generally utterly non-responsive for four to five months… which has no direct correlation to business, but there are days when I wish it did.
- They have a wide range of predators, including owls, dogs, bears, bobcats and coyotes. Younger ones are vulnerable to snakes and hawks. Much as a security program is constantly evolving and loses vulnerability to some threats but not others, the successful groundhogs grow large enough to be immune to the snakes and hawks.
- When predators strike, groundhogs will escape them by running to emergency burrows (hot site) or up a tree (cold site).
- Groundhogs are mostly solitary but also live in small communal burrows. This allows them to share the alerting responsibilities and leverage one another’s expertise… in much the same way that small teams can work most effectively in a small conference room where they can collaborate.
- The groundhog is in the Sciuridae family along with the squirrels (and a fragment of their genetic code can be found here (as part of the SequenceJuxtaposer project (which has nothing to do with security, but is still pretty neat))).
Image in the Creative Commons and is courtesy of ~Sage~ on Flickr.
Those of you that have seen the series Planet Earth are probably aware of the glow worm cave. (Those of you that have not have some TV watching to do.) This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is reminiscent of the night stars. It’s a beautiful sight to stare up at those little glittering pinpoints of lights.
Of course, that’s the tourist spiel. In actuality, the “glow worms” are larval gnats that produce mucus and spin out long threads to entrap moths. When a moth becomes deluded by the lights and becomes trapped in the sticky threads, the larvae pull up the moth and liquefy and suck out its internal organs. After secreting mucus and dining upon moths for up to a year, they transform into gnats whereupon they mate and die… which seems like a lot of work to me, but then, I tend not to be consulted in matters such as this.
However, the lesson here is a good one. Namely, it’s probably not worth travelling all the way to New Zealand to visit the phosphorescent snot worm cave. However, a deeper lesson is that light attracts bugs. (Sure, I could have blogged about the moth and the candle, but then I’d not be able to talk about glow worms.) If you want to know something about the insects that inhabit a cave, just put out a light and see what comes visiting.
We do that in I.T. security to help identify the attackers that are on the Internet. We call them honeypots, which is likely a reference to Winnie the Pooh (I hope), but since I am not (yet) linking children’s literature to security, we’ll ignore that bit for now. Instead, we’ll take a quick look at the value of lepidoptery. Just as a scientist can look at the types of moths ensnared in sticky mucusy silk and learn a lot about the ecology of the cave, a security researcher can examine the malware and attacks found within a honeypot and learn a lot about the sorts of attacks that they may be subjected to.
By creating your own honeypot, you get a chance to deal with attacks before (hopefully) they impact your production systems. However, just like fungus gnat larvae don’t ignore the moths that stumble into their “webs” (strings, really), in order for this to be effective, you can’t ignore what gets caught in the honeypot either.
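As an added illustration of “not ignoring what gets caught” (this is my example, not code from the original post or from any honeypot project), here is a small triage pass over honeypot login records. The log format is an assumption, a constructed key=value line per event in the shape a low-interaction SSH honeypot might write; the addresses are documentation ranges and the records are made up. The point is the second half: turning raw catches into counts, the usernames attackers keep trying, and a short alert list that someone can actually act on.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real traffic). Assumed format, one event per line:
#   <ISO timestamp> src=<ip> [user=.. pass=..] [cmd=".."] result=<failed|accepted|recorded>
SAMPLE_LOG = """\
2010-12-13T02:14:07Z src=198.51.100.7 user=root pass=123456 result=failed
2010-12-13T02:14:09Z src=198.51.100.7 user=root pass=password result=failed
2010-12-13T02:14:12Z src=198.51.100.7 user=admin pass=admin result=failed
2010-12-13T02:14:15Z src=198.51.100.7 user=root pass=toor result=accepted
2010-12-13T02:14:20Z src=198.51.100.7 cmd="uname -a" result=recorded
2010-12-13T03:01:44Z src=203.0.113.55 user=pi pass=raspberry result=failed
2010-12-13T03:01:50Z src=203.0.113.55 user=admin pass=1234 result=failed
2010-12-13T04:30:01Z src=192.0.2.21 user=test pass=test result=failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) (?P<fields>.*?) result=(?P<result>\w+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally double-quoted


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "result": m["result"],
    }
    for key, value in KV_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    return rec


def triage(log_text, noisy_threshold=3):
    """Summarise honeypot catches and produce a short, prioritised alert list.

    high   = the source got a login accepted (and may have run commands)
    medium = the source made at least `noisy_threshold` attempts
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    per_source = Counter(r["src"] for r in records)
    usernames = Counter(r["user"] for r in records if "user" in r)
    got_in = {r["src"] for r in records if r["result"] == "accepted"}
    commands = defaultdict(list)
    for r in records:
        if "cmd" in r:
            commands[r["src"]].append(r["cmd"])
    first_seen = {}
    for r in records:                      # records are in time order, so first wins
        first_seen.setdefault(r["src"], r["ts"])

    alerts = []
    for src, n in per_source.items():
        if src in got_in:
            alerts.append((src, "high", f"login accepted; {len(commands[src])} command(s) recorded"))
        elif n >= noisy_threshold:
            alerts.append((src, "medium", f"{n} failed attempts"))

    return {
        "records": len(records),
        "per_source": dict(per_source),
        "top_users": usernames.most_common(3),
        "first_seen": {src: ts.isoformat() for src, ts in first_seen.items()},
        "alerts": sorted(alerts),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['records']} events from {len(summary['per_source'])} sources")
    print("most-tried usernames:", summary["top_users"])
    for src, severity, why in summary["alerts"]:
        print(f"[{severity}] {src}: {why}")
```

The thresholds and severities are deliberately simple; what matters is that the honeypot’s output ends in a list short enough that someone reads it every day, rather than a log file nobody opens.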
Poison dart frogs are, not surprisingly, covered with poison. I could go off at length about how different species have different levels of poison, and how not all of them were used to poison darts and how many of them are going extinct due to a nasty fungus that’s only vulnerable to an eyewash solution… but that would be a bit too rambling even for me.
Instead, I’m going to talk about ants. I’m not going to go off about how they are communal, have some interesting chemical signals or even how they are vulnerable to some very interesting fungi that take over their brains (despite how unbelievably cool that is). No, the important thing is that the frogs eat the ants.
Boring, I know.
See, the poison dart frogs don’t generate the poison themselves. Instead, they eat ants and push the poison from the ants out through their skins. Not only is that an awesome example of how a predator can turn a prey’s defense into a defense for the predator while simultaneously rendering it useless for the prey (smart little froggies!), but it’s also an example of the importance of operations.
See, an interesting side effect of this method of defense, is that if the ants go away, then so does the defense. Domesticated poison dart frogs aren’t poisonous (which would make them dart frogs (which, since they neither throw darts nor are tailors, is a horrible name for them)). In order to keep the defense, they have to keep on acquiring ants.
Which gets me into mergers and acquisitions… which is where I wanted to go the whole time. When you conduct an acquisition, as the acquirer, it is often tempting to go for economies of scale and try to get the acquiree to do things your way. This just makes sense. After all, that’s why you bought them, right?
Unless you bought them to kill them as competitors, they probably bring another value to the table as well. If you buy a poison dart company and then tell them “Now that you’re part of GlobalConglomeratedWidgetCoInternational, you have to do things our way… and we eat our own dogfood!” you’ll definitely merge them into your organization… but if they’re eating dogfood, they’re not eating ants and you just have a dart company.
When merging operations, pay close attention to the operations of the other company and try to understand why they do things the way they do. There’s generally a good reason. Then the question would be whether the loss they face by doing things your way is outweighed by the operational efficiencies, and whether it’s all that important that the darts be poisoned.