Book Review: All Yesterdays

Last week, I got my copy of All Yesterdays. (Not the used Amazon versions, as the pricing algorithm is failing hilariously.) I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze its mistakes in the face of new evidence and, through a constant stream of screw-ups, come closer and closer to consensus. As it has done this, the consensus has shifted around several times and everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution… the evolution of species… the evolution of understanding… the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in Security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are a tad more hackers than professionals who draw dinosaurs from scientific principles, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?

How do you respond when a moose is on the loose?

What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on the phrase turns up cases where people following policy resulted in death, brain death and murder suspects being released.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact that it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.


This article was originally published on RJS Smart Security.

The Importance of Exercise (and rhinos)

Exercise. With a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.

In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in preference for those that we are fairly certain would benefit us right now… even when future gains would likely be much larger. So, even when we know that exercise would help us, we avoid it because there are other things that need doing.

Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us… so there is resistance to trying new things.

Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done… right?

Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is that of an animal escaping. Your job is to figure out how to deal with the event and get the animal back. How would you do it? Take a couple of minutes and think what you’d do. I’ll wait.

Now, watch this video.

Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your people were injured during the escape? What about people at the zoo? Did you think of children, of adults, of any disabled people and how they might escape? Did you think about the potential damage that an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility that the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?

Even an exercise can show you things that you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones would require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.

This will allow you to engage in a more accurate risk assessment, allocate resources and move to a more proactive stance. So, you could be prepared for any eventuality, from mountain lion to penguin.

Cuttlefish

I know, I know. The security and squid blog is located elsewhere. Sorry, but I just have to write about this article.

A short time ago, Chuan-Chin Chiao, Kenneth Wickiser, Justine J. Allen, Brock Genter and Roger T. Hanlon published the article Hyperspectral imaging of cuttlefish camouflage indicates good color match in the eyes of fish predators. (How can you resist an article with such a fascinating title?) For those that don’t thrill to reading academic articles about the eyes of coleoid cephalopods (you weirdos), there is a more accessible press release here.

Why am I fascinated by this? Well, cuttlefish have the ability to change their patterning to blend into the background. We’re familiar with how chameleons do this, but cuttlefish are a lot better at it. Not only are they better at it, but they’re also colorblind! (Like me.) That’s right, these critters are capable of changing their own coloration when they can’t even see it. How do they do it? Well, sorry to keep you in suspense, but we still don’t know. There is some suspicion that it involves opsin transcripts, and evidence that body position may have something to do with it, but those theories are insufficient for a complete explanation. What’s interesting is the approach of the paper.

Science, as you know, is all about measurement. There’s little room for guesswork and lots of opportunity to be wrong. So if you’re going to measure camouflage, you’d better have a darn good way of doing it. What these guys did was to take hyperspectral images with a HyperScan VNIR system. Effectively, it measured the amounts of 540 different colors to determine how well the cuttlefish blended into their background. They looked at their targets as if they were a super-predator, with capabilities far beyond those of the predators we know… and the cuttlefish’s technique was still effective.

So what does this mean for us? Well, for me it means that I lost out, as I am colorblind but am not able to perceive the polarization of light like cuttlefish can (lucky critters). However, for the rest of us as a group, it means this:

These creatures developed this ability over millions of years through a complex process of trying different ways to hide and, when they failed, being eaten.  From a business perspective, there is some value in failing fast… but little advantage in being eaten.  If you want to develop strong protections, you need to find a predator that lets you know when your defense is working and when it’s not, without eating you.  Ideally, this would be a super-predator that is better than most of the predators out there.

We call these people penetration testers.  Armed not with a HyperScan VNIR, but with tools like network mappers, vulnerability scanners and exploit frameworks, these people can assess your business and let you know if they could break through your defenses and how.  You can then protect yourself better by making appropriate changes.  Sadly, the industry is still young, and it’s hard to identify the super predators from the others. There is a project to help with this, but for now, here’s a quick evaluation process.  When you call a company (like mine) and ask for an evaluation, ask this handful of questions:

  1. How much will a penetration test cost?
  2. How much will a vulnerability assessment cost?
    • Rule of thumb: Due to the time involved, penetration tests cost at least ten times what vulnerability assessments do. If they don’t, find another company.
  3. What is the difference between a penetration test and a vulnerability assessment?
    • Rule of thumb: If they only say “A penetration test tries to break in, a vulnerability assessment does not”, find another company.
  4. What is your assessment methodology?
    • Here, you should be looking for a standard and repeatable process.  You don’t need to dig into the weeds, but you do want to weed out companies that come across as “We just try stuff at random”.
  5. What problems have your tests caused in the past?
    • Here’s a secret of the industry.  Anyone worth their salt has broken something.  If you don’t sometimes break stuff, you’re not trying hard enough.  Companies that try to gloss over this and say “Oh, our tests are safe” are not super-predators.

Get the right help or get eaten.

It’s that simple.

Don’t Poke the Bear

The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.

No, instead, the only specifics you need to know about this attack are that it hit Gawker, that Gawker owns sites like Lifehacker, Gizmodo and io9, and that if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.

I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.

Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:

1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.

See, the fundamental problem here isn’t that rattlesnakes have mouths full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattlesnakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.

This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)

So what’s the point here? The thing is, with hiking you can choose your location; on the Internet, you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.

No, whether you’re hiking or using the Internet, there are two simple rules:

1) Take basic precautions.
2) Don’t be stupid.

For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.

Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.

Lesson one of Internet security? Don’t poke the bear.