Saturday, February 27, 2010

Short Observation on Open Source SIEM

Check out these two pictures, grabbed from my blog’s Google Analytics:

open_SIEM_2008-2010 open_LogMgt_2008-2010
Open source SIEM Open source log management 

These show that people are desperately looking for “open source SIEM” all the time.  In fact, open source SIEM is of higher interest than open source log management. I am really curious about that, but my guess is that folks who are looking for open source logging tools don’t think of them as “log management” in their heads… Vendors, buy me a beer at RSA for this insight :-)

BTW, the next few posts will be about RSA conference– all other blogging activity is hereby STOPPED :-)

Possibly related posts:

Thursday, February 25, 2010

RSA 2010: Where to Find Anton?

Since everybody is  heading down (…up or sideways – in my case) to RSA, here my schedule. If you want to meet up, it will help you to track me down.

  • Monday: Metricon 4.5. Sadly, missing the Cloud Security Summit. Is there anything more important than cloud? Yes, security metrics! :-)
  • Tuesday: mostly meetings with clients, prospects, friends and everybody else. I plan to attend a few GRC-themed RSA presentations in the afternoon.
  • Wednesday: at SecurityBSides, speaking on PCI DSS and otherwise having fun. Come say hi if you are there! Obviously the way to end this day is at the famous RSA Security Blogger Meet-up.
  • Thursday: attending RSA, more meetings with prospects and friends, and – YES! - our PCI DSS book signing (!!!). Come have your PCI book signed by BOTH Branden and me (a rare event indeed!) at 1PM at the RSA bookstore.
  • Friday: yet another day of meetings and RSA presentations.

BTW, we […for any value of ‘we’] totally need to bunch up and do a vendor hall walk – if for no other reason but to make fun of vendors with incompetent marketing, look for hippos (=misspelled HIPAA) and “compliancy” as well as other fun stuff. Maybe this year I should finally organize the “1st Annual RSA Vendor Hall Walk”, especially given that I do not work for a vendor anymore

Tuesday, February 23, 2010

Nobody Is That Dumb ... Oh, Wait XII

RSA is that time of the year when a lot of otherwise hidden hilarity is suddenly exposed – thru the work of noble PR folks. For example, below is a pre-RSA press email I received the other day – it made a perfect candidate for my “Nobody Is That Dumb ... Oh, Wait” series. The last post in the series was a while ago, so this was a perfect opportunity to revive the series.

“I know your time at RSA is filling up, but I wanted to tell you about “Embarrass Security” [company name sanitized – A.C.], a company that is changing the way companies protect their web properties. “Embarrass Security” is going to be at booth No. XXX [sanitized – A.C.] during RSA and will be:

  • Announcing a new ‘counter-hacking appliance’ for enterprises
  • Demonstrating a ‘live hacking & sting operation’  demonstration in the “Embarrass Security” booth (with the disclaimer that no animals will be harmed in the production of the demo)

With the counter-hacking appliance, “Embarrass Security” will demonstrate the ability to alert companies when hackers are knocking at the door, and can also show how they thwart evil intentions by making sure the hackers don’t actually see what they think they’re seeing. “Embarrass Security” enables enterprises to protect their web properties at a deeper level that even the bad guys can’t touch.”

Nothing to add really.. let’s all go buy the “counter-hacking appliances,” thwart some evil intentions and be done with it :-)  I can’t help but wonder what kinda people work for their product management / marketing team…

Possibly related posts:

Saturday, February 20, 2010

Book Review “Cloud Security and Privacy”

Amazon just posted my review for “Cloud Security and Privacy” by Tim Mather, Subra Kumaraswamy and Shahed Latif.

It is reposted below for posterity – and my esteemed blog readers :-)

It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim’s take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on IaaS/PaaS/SaaS (SPI) for infrastructure, platform, and software as a service model. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured…).

One of the most important things I picked from the book was a very structured view on separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical contents, the book stays fairly high-level even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following “just the facts” model sometimes might lead the reader towards losing interest, no matter how important the subject is – and this subject is pretty darn important. To put this in the context, I do read security books for fun, not only for work.

Enjoy the book!

Possibly related posts:

Workshop on the Analysis of System Logs (WASL) 2010 CFP Out!

Just as last year, Workshop on the Analysis of System Logs is planned. This is the only venue where people who actually THINK about logs can share their findings. Even though it felt a little too academic to my taste at times, 2008 and 2009 events brought some good info (like this gem here, for example). So, a 2010 CFP just came out:

“Workshop on the Analysis of System Logs (WASL) 2010
                        Call for Papers
                      October 3, 2010
                      Vancouver, Canada
                          (at OSDI)
          FULL PAPER SUBMISSION DEADLINE: Sunday, June 13, 2010 
          FINAL PAPERS DUE: Sunday, August 22, 2010
System logs contain a wide variety of information about system status and
health, including events from various applications, daemons and drivers, as
well as sampled information such as resource utilization statistics. As
such, these logs represent a rich source of information for the analysis and
diagnosis of system problems and prediction of future system events.
However, their lack of organization and the general lack of semantic
consistency between information from various software and hardware vendors
means that most of this information content is wasted. Indeed, today's most
popular log analysis technique is to use regular expressions to either
detect events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in these
logs and does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting operationally
useful information from existing logs and methods to improve the information
content of future logs.
Topics include but are not limited to:
   o Reports on publicly available sources of sample log data
   o Log anonymization
   o Log feature detection and extraction
   o Prediction of malfunction or misuse based on log data
   o Statistical techniques to characterize log data
   o Applications of Natural-Language Processing to logs
   o Scalable log compression
   o Log comparison techniques
   o Methods to enhance and standardize log semantics
   o System diagnostic techniques
   o Log visualization
   o Analysis of services (problem ticket) logs
   o Applications of log analysis to system administration
So, if you are thinking about logs, submit something!!!
Possibly related posts:

Wednesday, February 17, 2010

“Security Scoreboard” Out!

Something awesome happened in security industry today: Security Scoreboard  launched.  I am amazed - no, deeply amazed! - that nobody has thought about this before. And now Boaz did! Security Scoreboard is a place where information about all the security vendors and products will be aggregated, where products will be rated by users ("this half-baked IPS totally misses Slammer even it slams it in the head!” :-))  and that will help organizations decide which product solves a particular security problem they have. On top of this, the place will not be run by the vendors. And will list competitors explicitly. Think about a Zagat for security products, that is what it is.

In my opinion, Security Scoreboard is one of  the most useful projects in the entire security industry today since it  helps answer that painful question “What security gear to buy to solve a specific  problem?” Deep down, every security professional knows that many purchases “miss the mark” (provided the mark is even there to begin with…) and there is a lot (ah, let’s be honest: A L-O-T!) of confusion about overlapping market segments, poorly defined functionality, compliance marketing noise, etc. In some cases, it is hard to even determine what their freaking box does based on the vendor's own website...

Quote from the site follows:
“Finding the right IT security vendor can be time consuming. Security Scoreboard is a site dedicated to helping security pros looking for a vendor to get oriented quickly.
On Security Scoreboard, you will find all the information security vendors you might be considering buying from. Security Scoreboard lets you quickly identify the players in a given space and provides information and links you need to make the right purchasing decision. Security Scoreboard is a site for security professionals, by security professionals.
Thinking of making an IT security purchase? Don't forget to check our user reviews to make sure that you're not buying a lemon. Are you an IT user? Please submit a review. You can share your experiences and help your colleagues make the right purchasing decision.”
To experience it, check out this sample entry. Also, the site got some interesting press which you can see here.

Finally, I have to add that I am honored to participate in such tremendously useful project!

Monday, February 15, 2010

Fun Reading on Security and Compliance #23

Here is an issue #23 of my “Fun Reading on Security and Compliance,” dated February 16, 2010 (read past ones here). You can judge that my “2blog” folder has been kinda full, since I was too busy working on a few consulting projects.
This edition of dedicated to all bloggers who only care about the opinions of other bloggers. Please grow up! :-)
  1. First, I’d like to highlight a surprisingly intelligent whitepaper "SIEM: Five Best Practices for Success" from some outfit called Pivot Point Security (which I personally never heard of before).  You have to register to get it, but it is worth it for those who are planning to deploy a SIEM.
  2. "Ranum's Rants: Cloud Forum Roundtable": Marcus Ranum + Cloud + Security. What can possibly go wrong? Boom! Quotes: "Cloud Computing is going to happen. In fact, if you think it hasn't happened, it just means you're out of the loop"  and "loud Computing can be seen as the business units' final revenge on IT (and security) for saying "no" one time too many, taking too long, or costing too much"  as well as other fun insights. Read it!
  3. Finally, read this("Don’t ask me, ask that guy over there") and think really hard: "How many organizations out there consider data breach notification laws to be completely irrelevant to them?  Not because they aren’t applicable, but because the organization’s security state is so abysmal that they wouldn’t know a data breach if it sent them a strippergram with their own money? " or even "You’re ignoring the vast majority of people who are responsible in some way for the security of their networks, but (a) don’t know it, (b) don’t care, and/or (c) don’t have the knowledge or management backing to do anything about it."  SO, next time you whine about PCI DSS, keep that in mind!  BTW, while you are there, read this too on political risk.
  4. FUDSec continues to impress; for examples read these two pieces: "FUD and Other Sales Errors" and "FUD Just Feels Right" ("FUD is something we all use, abuse and understand and it is a Good Thing[™] as long as it motivates action and does not lead to submission.").Oh, and this one too: "Guerilla Security Leadership."  And this one: “he argues that FUD is less about security, and more about shills selling security to suckers” and “Why, without a firewall, you're screwed like a slow ape by a fast gorilla!”
  5. Somehow I forgot to mention Ben's "How NOT To Build a Security Program" is a fun read. While on this subject, read “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It”: “The bad guys are more interested in attacking you then you are in defending yourself, at least they work longer hours.”
  6. Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” is a good piece from Chris Hoff: “Manage compliance, don’t let it manage you because a Cloud is a terrible thing to waste.” :-)
  7. If you read only one piece from all the APT/Google/China crapfest, that’s this one from Richard: “4. The victim named the perpetrator. This amazes me. We need more of this to happen. By doing so a private company influenced a powerful policy maker to issue a statement of a diplomatic nature.”
  8. Finally, a quick – but often useful - reminder from Securosis: “Getting Your Mindset Straight for 2010.” Quote: “Repeat after me: A widget will not make me secure. Neither will two widgets or a partridge in a pear tree.”
  9. Dave always has a very fun prospective on security, here is an example: “Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.”
  10. AlertLogic folks has quietly launched  and it has some fun posts, like “Cloud-Bashing and The Innovator's Dilemma”: “The most relevant points of debate are about current examples of the fits and starts of cloud evolution.  Will cloud solutions succeed in "trickling" up-market or will they become extinct after a short life?” (they will trickle, for sure - example)
  11. Read these two and weep: “Is Quantified Security a Weak Hypothesis?” (which refers to this [PDF])  and “THE MOST MAGICAL QUESTION OF ALL -- WHY ARE SO MANY BRIGHT PEOPLE FOOLING THEMSELVES ABOUT THE SCIENCE IN NFORMATION SECURITY”: "Read that if you think there is a place for science in information security. On the other hand, if you think information security is something else, better off to go read something on creative journalism, public relations, politics, marketing, etc.”
PCI DSS section:
  1. Fun follow up from our “The Great PCI Security Debate of 2010” is here: “LOAD UP ON STEEL, AND SHOOT IT OUT! PCI AND THE MARKET FOR SILVER BULLETS”: “By way of hypotheses in the market for silver bullets, we then find ourselves seeking to reduce the exposure to those external costs; this causes the evolution of some form of best practices which is an agreed set that simply ensures you are not isolated by difference.”
  2. Heartland Breach: State of Payments Security 1 Year Later” is a fun read as well.
  3. If you have a Forrester subscription, read “PCI Unleashed” by John Kindervag. If not, read Branden’s blog about it: “Just try asking a rep from a payment brand if this is why PCI DSS was started, and you might learn a new way to answer a question without actually answering it.” :-)
  4. Time to Revisit Intent of PCI DSS”  has some curious arguments, like: “When you add up all the money being spent on that compliance effort, you can’t help but wonder if it would be simpler and less expensive for all if the payment card issuers were to stop doing business with a minority of merchants that become embroiled in a fraudulent act until they can prove that they have put the appropriate level of security in place.”
  5. PCI Security Policies and You - Part 3” from Walt shares some wisdom on PCI DSS security policies: ”A good security policy template provides you with a structure while preserving flexibility. It also should lead you to additional resources where this can be useful.”
BTW, I can use a bit more work in March – let me know if you need anything done around the area where I focus: logs, SIEM, etc.
Possibly related posts:

Sunday, February 14, 2010

The Right Place for Information on Common Event Format

… is this place: This is where you can request it via email.


The reason for this post? A lot of Google search traffic for “common event format” lands here on my blog (see picture) and the link above is the correct place to go to.

Now, if those are generic searches looking for some kind of log or event format, then you want CEE (when we finish it, actually)

Possibly related posts:

Wednesday, February 10, 2010

ShmooCon 2010 – Our PCI DSS Panel

It goes without saying that our PCI DSS panel was – for me – the most fun part of ShmooCon 2010. Yes, spectator sports are OK, but the most fun is had when you are playing and kicking the ball – or balls as the case may be in a heated discussion :-) So, Mike Dahn, Jack Daniel, Joshua Corman – over video Skype! he got “snowed out” – and me got to play.

Everybody who’s been to ShmooCon, can easily figure out that the audience there is extremely smart – I sensed there were no “security laggards” in the room. So what happens if you combine PCI and some smart security people? Rage! In fact, we had people from large merchants, QSAs, issuing bank (!) and other organizations. I am amazed that even some non-PCI folks, who can’t tell a QSA from an SAQ found the discussion enjoyable…

It was very interesting to watch that the debate split into two distinct flows: “security vs prescriptive compliance” AND “fuck PCI, they [the brands] must fix the system.” The latter sentiment was very strong, like the Dark Side of the Force (even though there is absolutely nothing dark about it…). It ranged from “why don’t they fix it [the payment system]? they have billions in profit!” (naive) to “if 4 millions of people put the Band-Aids on, is this cure for cancer?” (philosophical). The impression that PCI DSS approach is “too much work” even if good security results from it – which is …how should we put it… not always the case… was also represented. Given the circumstances, it is evident that the view that PCI DSS is many companies’ first encounter with real security management kinda was not very visible…

Also, I always felt it for the issuing bank guys, since they were often left holding the bag for ignorant merchant (TJX anybody?) and unlucky processors or acquirers (Heartland anybody?). But I didn’t expect the present issuers to be so angry at the brands – and not at the merchants! Well, learn something new every day…

The other discussion that even if “checklist security” is offensive to some people, it is the only way to many organization to actually do something. A lot of “risk management stuff” just goes – whooosh! – over their heads. IMHO, this is still an unsolved problem.

Also, somebody very smart in a red blouse :-) said the following: even if we “do everything perfect with PCI DSS”, we will only solve the problem of cardholder data…not any other data (like SSN or key IP) and not any other security issue. Indeed, if PCI DSS magically “just works” and payment card security “becomes 100% secure” , a lot of security work will remain. This is something useful to keep in mind.

I don’t remember signing any NDAs, so I will share some of the reviewer comments that I got from the ShmooCon feedback system (BTW, if you were at the show, please leave the feedback!!)

“Best panel discussion of the con. You could tell there wasn't agreement amongst the panel but the disagreements weren't made personal. Mike and Josh did a great job in explaining their positions and Jack did a super job moderating.”

as well as:

“This dissolved in a religious argument 30 seconds into the talk.”

(in reality, it was maybe 20 minutes into the talk :-))

Overall, the panel was “awesome+” We even took one question from the Internet, something I have not seen at other sessions. Looks like that live video feed was not broadcast in vain… So, watch the video when [correction: it appears that the correct word is “if” here…] it comes out – VERY fun!

BTW, I had an Eureka moment when I spoke to Josh after the panel – deep thought warning! – if we think that the only way to get some merchants to secure their system is to force PCI DSS on them, then how can we expect for them to do a good job with it and not just “check the box”? “Forced standards” and “doing a good job” are hardly compatible.

Finally, thanks to my publisher for providing a copy of the PCI book for the event. I had a chance to wave it at the audience a couple of times :-), but in all the excitement I completely forgot that I wanted to give it out via a contest (FAIL!). In any case, a well-deserving person got the book.

Possibly related posts:

Tuesday, February 09, 2010

ShmooCon 2010 – Show Notes

First things first: ShmooCon was one of the most awesome conferences I attended in quite some time.

If you’d like to see what REALLY was going on as Washington, DC was plunging into a “snow-pocalypse”, go check out #ShmooCon Twitter coverage. Then read other show accounts, such as this one from PaulDotCom.

My note follow below:

First, Bruce’s “intro” was kinda interesting.  For example, he made a couple of TSA jokes (the video was hilarious) and noted that “if you think this is funny, then you’d see that network security is actually worse.” What was interesting to me that he also noted that many organizations prefer to “buy new boxes” rather then do something useful, like log “accepts” and “allows” and analyze them.

Then I went to “Social Zombies II: Your Friends Need More Brains.” This was one of those “shit is bad” presentations. Maybe it’s just me, but somehow the idea that some people disclose too much info (Blippy anyone? Anyone sane? Heloooo…)  fails to scare me.  No shock value really. It can be summarized as "info is out there. done."  Then again, I have to admit that their “KanyeWestify” tool was pretty cool and I downloaded the Maltego tool already, so it was pretty useful (Twitter+Facebook+text mining tools = hilarity! :-)). More coverage of it is here and the deck is here.

Now, “GSM: SRSLY?” talk was massive fun. For one, I had no idea that a [relatively simple] piece of hardware can both capture all local cell phone connections (by easily masquarading as AT&T or T-Mobile)  AND force them into A5/0 mode that means “no encryption – and you don’t know about it.” So, as I said, I didn't know much about the area, but this talk was very enlightening, useful and overall awesome.

Ah, “Build your own Predator UAV @ 99.95% Discount” talk was fun as well. Think what you can do with an autonomic, mostly quiet robot plane that can fly around (10-12 mile range) and do some wireless hacking and video (via video goggles, of course). No missiles though. What can possibly be more awesome than that? Check  out the partial video of it here and many of the UAV building tips are here.

The next presentation was my only disappointment, the  “Cyborg Information Security: Defense Against the Dark Arts” talk. Think of this as Dan Kaminsky, but with no issue described in detail and no Dan Kaminsky :-) Yes, some implantable medical devices are a) wireless and b) unencrypted. This is sad. So what?  But "This shit is bad! FAIL! Epic fail" summarizes the talk well. Not useful, not really amazing - and, honestly, not really shocking either. And as my opinion of the talk was going down – they misspelled HIPAA. At which point I realized: these guys built the talk based on some googling and no real research at all. FAIL! Epic fail! :-)  In some post-show conversation, I actually tried to defend the talk as “raising awareness”, but was beat up by other folks, most of whom labeled is as content-free and aimed only as some posturing.

The Splendiferous Story of Archive Team and the Rapidly Disappearing Digital Heritage” rant was purely that – a rant. But it was 5PM, people were tired and needed a drink – and a rant :-) So it was a perfect fit for the occasion. Apart from reminding everybody about backup (and if there is one thing that everybody always needs a reminder of – that’s backup! I am backing up my laptop as I am typing this :-)), Jason basically talked that some web content just dies – think GeoCities. More details are here.

Even though I am not a web hacker, “Exposed | More: Attacking the Extended Web” aka “owning the APIs” talk was actually very interesting – and useful. I wish he’d speak more about methods to discover undocumented APIs though.

Next – OMFG! – was our “PCI" panel” – but let me first finish with other’s talks and I will write a whole post on that tomorrow.

Also, I went to “Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications” by the zScaler guy and learned about csSQLi  and other interesting offline apps stuff. HTML5 will make security fun again – eh.. that is if it is not fun enough for you know :-) That talk – IMHO – was how “a new security issue”-type talk needs to be presented: with details and ideas for solutions. There is enough of fun and epic FAIL in our realm, but the talk was not just whining about it, but actually taking it apart and showing areas of concern.

Finally, as with any great conference, “hallway conversations” are golden. This time I broke the record and probably deserve the Guinness record book inclusion: on the last day of the show I was involved in – srsly! – a 9 hour (!!!) such conversation. It will probably result in a dozen blog posts, a few papers, a few consulting projects  and some other interesting implications…

The usage of word “fun” count: 8

Thursday, February 04, 2010

Logging, Log Management and Log Review Maturity

This picture depicts log management and SIEM maturity curve and is taken from a soon-to-be-released [eh..make that when-my-consulting-client-decides-to-release-it] Guide to SIEM and Log Management. It says it all – and if your organizations tries to enter in the middle…well... FAIL happens:

















Wednesday, February 03, 2010

Monthly Blog Round-Up – January 2010

As we all know, blogs are a bit "stateless" and a lot of useful security reading material gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is my attempt to remind people of useful content from the past month! If you are “too busy to read the blogs,” at least read these.
So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.
  1. As predicted, my security predictions ( “Security Predictions 2010” and “Security Predictions 2020 (!)” - yes, 2020!) took the #1 spot this month. They are fun – but I will also check how well they panned out early next year. Then we will know who is laughing :-)
  2. How to Stay Compliant? or Ongoing Tasks in PCI DSS,”  a repost of my paper published at was next. Indeed, “getting compliant” is only half the fun (actually, getting validated is only 1/3 of it :-))
  3. SIEM is on a lot of people’s minds. That is why ““I Want to Buy Correlation” or How NOT to Pick a SIEM?” is on the hot list. BTW, I am planning more of “how not to buy a SIEM?” posts…
  4. Top Log FAIL!” is still hot! The post summarizes the most egregious, reckless, painful, negligent, sad, idiotic examples of “Log FAIL.”
  5. MUST-DO Logging for PCI?” took the next spot. BTW, there is a newer post on the subject of PCI DSS logging requirements: “More on PCI DSS and Logging.” This, BTW, has been the main goal of some of my recent consulting projects. Should I maybe talk about “PCI logging in the cloud” next? :-)
  6. Open source SIEM theme continues to drive a lot of traffic – it looks like folks are still desperately googling for it. “Why No Open Source SIEM, EVER?” post takes the spot in Top5 this month again. The older inspiration for this post is “On Open Source in SIEM and Log Management.”  While you are reading up on SIEM , check out the post called “SIEM Bloggables” with key SIEM use cases. BTW, the funny (and new!) part is that I see more queries for “open source log management” as well.
This month I am continuing a new tradition: I am going to thank my top 5 referrers this month (those that are actual humans, that is). So, thanks a lot to the following people whose blogs sent the most visitors to my blog:
  1. Dancho Danchev
  2. Walt Conway
  3. Alexey Babenko (in Russian)
  4. Richard Bejtlich
  5. Gunnar Peterson
Thank you for all the link-love!
See you in February; also see my annual “Top Posts” - 2007, 20082009!
Possibly related posts / past monthly popular blog round-ups:
Obligatory “added everywhere” posts :-)
  • I might be available for fun consulting projects related to logging, log management, SIEM, PCI DSS etc. Please see the services list at my consulting site.

Tuesday, February 02, 2010

Live Test of FUD Value: Pro/Con?

Can you achieve “security goodness” (and common good) by FUD and [possibly] stretching the truth? Let’s debate this one!
The story started here with this letter from an unknown-but-now-infamous PoS (=point of sale aka cash register – for the non-PCI crowd) vendor about using Windows 2000 after Microsoft EOL’s it and no more security updates come. The letter makes an argument that any OS no longer supported by the vendor will be automatically out of compliance. StorefrontBacktalk, that covers retail tech (and payment security), has a good story on this here. They say:
“For your overflowing folder marked “Ludicrous PCI Scare Tactics That Too Many People Believe” comes a renewed effort from some security vendors to say that out-of-date operating systems this year will cause instant PCI non-compliance. ”
So, the statement about “no security patches –> no PCI compliance” clearly does not hold water. It is what is known as “a lie.” Compensating controls can definitely be used in this case and PCI Council even has a FAQ entry about this very subject (quote: “Systems that use operating systems that are no longer supported with new security patches by the vendor, OEM, or developer are not necessarily out of compliance.”)
While embedded and highly “cut down” Windows 2000 can be “made secure” (with whatever definition: secure enough to run while directly connected to the Internet) even in the absence of patches (especially if some whitelisting software is deployed), I personally will trust neither a typical merchant nor a typical PoS vendor to actually do it. If I were a QSA in this case, I’d accept heavy OS changes plus no user access plus host firewalling plus application whitelisting as adequate compensating controls. However, I doubt that this is the case for most of those “W2K holdouts.”  So, IMHO, that outdated stuff “must die” since it puts everyone at risk (think: botnets). If their W2K install dies together with the merchant – then so be it.
Overall, many security folks treat merchants resisting PCI DSS as either stupid or malicious and irresponsible (or both). The merchants, on the other hand, are simply trying to survive and run their businesses. However, at what cost to society? Every one of those W2K boxes CAN BE (and, in many cases, probably IS) used to attack other sites (think: SCADA) and spread malware. Still, is lying the right tactic to get them to upgrade?
For me, this is a hard call to make.
What do you think? “Go FUD!” or “Truth and W2K Rulez!”?
Possibly related posts:

Top Nine Reasons How PCI Is Like APT


It all started from this tweet: “if you read on #PCI and #APT on the same day, you get some pretty darn interesting high.” Some more …mmm…thinking about the subject resulted in this blog post.


BTW, everybody knows what PCI DSS is, what about APT? APT is “Advanced Persistent Threat”, an acronym with a murky past (some say going back to 1876…) that is used to label “some advanced bad shit that just doesn’t go away” – yes, it is that vague. Some fun discussion about it can be found here, here and here and of course here.
So, how is PCI like APT?
  1. “P” in “APT” stands for “persistent”, “P”in PCI stands for … well … PCI is pretty darn persistent.
  2. Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
  3. “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
  4. People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
  5. “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  6. With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  7. Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  8. PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  9. People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.

UPDATE: an awesome follow-up "Why PCI and APTs are NOTHING alike" from Cassandra Security.

Possibly related posts:

  • All posts labeled humor.

Monday, February 01, 2010

ShmooCon!!! or Anton in DC This Week!

Later this week I will be at ShmooCon, doing a very, very, very fun panel on PCI DSS:

“An Existential Threat To Security As We Know It?

Joshua Corman, Michael Dahn, Dr. Anton Chuvakin, and Jack Daniel

Whether you love it, hate it, or are merely "friends with perks"- compliance is significantly changing what we call security. PCI has been accused of being the Spawn of Satan by some, and yet it has also been credited with advancing security by others. This panel of PCI experts, analysts, and victims will discuss and argue the realities of PCI: its origins, goals, and consequences (intentional and otherwise). PCI is having an impact on priorities, budgets, and personnel, which is being felt throughout the security industry. Unfortunately, there have been few informed discussions of PCI and compliance issues in the technical ranks of the security community. This panel will bring PCI subject matter experts with real-world experience to the technical security professional and hacker audience to discuss, engage, enrage, and argue about what may well be an existential threat to information security as we know it. The diverse viewpoints and experiences of panel members will guarantee a lively and often heated discussion, and will provide a broad base for fielding audience comments, questions, and criticisms. Bring plenty of Shmooballs to this session, you will need all you can get.

Joshua Corman is Research Director for Enterprise Security at The 451 Group and was previously Principal Security Strategist at IBM ISS; Michael Dahn is Global PCI QA Manager for a Verizon Business and was previously the subject matter expert in creating PCI DSS training for Visa USA, Europe, Asia-Pacific, LAC; Dr. Anton Chuvakin is a recognized expert in the field of log management and PCI DSS compliance, he is Principal at Security Warrior Consulting and former Director of PCI Compliance at Qualys; Jack Daniel is some guy with a beard and Sock Puppets who drives the ShmooBus.”

This time, BTW, I will have plenty of time to meet with people since I am in DC from Thursday to Monday. Drop me an email/tweet/etc if you want to meet up and talk SIEM, logs, PCI (well, better logs than PCI :-)), etc. In any case, see you all in Washington, DC later this week!

Dr Anton Chuvakin