Tuesday, April 28, 2009

RSA 2009 Impressions, Part III - Mini-Metricon 3.5

In this 3rd RSA 2009 blog post I will go back in time to my Day 1 of RSA which I spent at Minimetricon 3.5.  Minimetricon event exuded pure awesomeness! Some people bitch about RSA keynotes AND even about RSA content overall; they say they are there to “meet people.” However, Minimetricon (which just “coincided” with RSA) was all about presentations and discussions, especially the latter. It goes without saying that the caliber of people there was quite impressive (e.g. eBay, Google, etc security folks)

First, as a preface, I happen to believe that our inability to “measure security” is one of the top three problems we are facing in security industry today (no, it is not 0-day defense and not clown computing either – metrics actually underlie both of them too). So, here are some tidbits from talks:

Jeremiah web statistics talk was fun; some insights follow:

  • XSS still tops all the web vulnerability charts; SQL injection is close [A.C. - BTW, PCI DSS prohibits both]
  • CSRF is heavily underrated (11%) , likely due to not being discovered en masse.
  • Retails sites: 61% has critical vulnerabilities [A.C. – to me this is the same as “they are 0wned by somebody who cares…” AND did we mention that PCI prohibits these vulns?]
  • Resolution rates are low for XSS; basically, people are just not fixing it [A.C. - did we mention…ah…we did, didn’t we? :-)]
  • There is also a long tail of web vulnerabilities; a lot of vulns are rare on few sites.
  • Overall, “the whole Interweb thing” is hugely complex today – and has its complexity growing (which makes it more fun…)

Verizon breach report came out a few days before; still, their team’s talk was awesome too (and, yes, PCI section caused a bit of a storm)

  • This breach study was insightful, but various people now want “breach cost study”, which will be MUCH harder.
  • PCI slide: PCI compliance rates are claimed; some orgs even say this, verbatim: "we had the PCI paperword filled; how can we be compromised?"
  • On the other hand, their compliance technology metrics are not claimed, but observed (e.g. that penetration of log management was around 5% across the breached organizations); thus claimed compliance rates are HIGHER then the use of tech mandated for being able to claim such compliance (BTW, see PCI Connect)

Fred Cohen did a fun talk on forensics and objectivity:

  • The main idea, as I got it, was that forensics is one area of security where we just HAVE TO be fact-based and objective (and, no, we are not)
  • Mysticism vs science in security; Fred thinks that security will have to become fact-based in the future; must have decisions based on intelligent risk management. Today security is pure mysticism and the use of fact-based metrics is very uncommon (and, yes, today’s risk management = voodoo)
  • And the big question is: will security stop being a black art and start being a science in 10,20,30 years as IT importance grows?

Many of the MiniMetricon talks made me think about the whole “preventative AND monitoring security FAIL” and that maybe “intrusion tolerance” or … “information survivability” (now, Chris, I’ve said it :-)) is really the only way to go. Otherwise, you just accept that everything is 0wned and go home :-) Or go to the cloud.

Finally, I realize why I liked the event so much: it had a very uncommon balance of academic (=smart + totally out of touch) and real-world (=grounded in reality + not having time to think about said reality) people…

Possibly related posts:

Reblog this post [with Zemanta]

Dr Anton Chuvakin