Security: Soft Sell or Hard Sell?

To the average industry-certified, Slashdot-reading, tried-and-true uber-geek InfoSec analyst, the notion of a "Soft Sell" in Security never crosses the mind. Many have never even realized there was an option here. Why should you implement egress filtering on that firewall? Because it's the secure thing to do, you're putting our organization at risk without it, and because I'm the Subject Matter Expert (SME) and I said so. I have to admit, I was guilty of this until very recently. But experience at my present position has opened my eyes to the possibility that this approach may be far more detrimental than helpful.

First, let's consider exactly what it is I'm talking about, for those who might be scratching their heads as they read this. As InfoSec analysts, we are tasked with the daunting job of convincing users and other IT professionals to follow security best practices as they go about their business, among a litany of other responsibilities. In so many cases, there is a pre-existing behavior that is at odds with information security. Make no mistake, security takes effort, and often times the professionals and users in question make no connection between getting their job done and information security practices beyond the fact that the latter inhibits the former. This makes our job one of coercion: we must convince people to do things differently.

In my experience, most security analysts and managers see repercussions and disciplinary action as the tool of choice to push their InfoSec agenda. This is what I refer to as the "hard sell." Do it, or else...

There is an innate problem with this approach, and every security manager and analyst has seen it, even if they don't realize it. The fallout of such an approach is a deep-seeded annoyance of anything and everything InfoSec-related by all who are affected by this tactic. It is generally accepted in security that "everyone hates InfoSec," and it's a "necessary evil." The problem here is that, when some hard and fast doctrine isn't in place with repercussions clearly spelled out, managers and analysts have a very hard time getting anything accomplished to promote the goals of Information Security.

While users and other IT staff are often loathed as unwilling and uninformed partners by many in Information Security, believe it or not many of them are reasonable people. They may be uninformed, but whose fault is that? By simplifying the problem of Information Security and presenting it in a clear and concise manner, staff can be educated on why we implement certain security policies. This is user education, and many organizations are already active participants. This plays a major role in getting users to follow good security practices without holding a hammer over their head, or the "soft sell." However, this concept is more corporate diplomacy than a one-way communication of the evils of the world to a group of users and IT staff. In order for this to be anything other than "yet another corporate directive," we must give a face and personality to the problem. We must interact with users on a one-on-one basis and simply be nice. Ask them what their major challenges are with information security policies. Ask them how your InfoSec group can make their job easier, while keeping the good security policies you've put in place. They may not know much about InfoSec, but I'm constantly amazed at the quality of feedback I get from users on the security topics that directly affect them every day. These people are experts at doing their job (usually), which means they know exactly where the pain points are. Perform serious follow-up work after receiving a suggestion, and get back to the user to let them know a timeline for implementing their suggestion, or why what they want is impossible. Don't just say "no" from the onset - this will discourage further dialogue.

Imagine if the United States didn't have a State department, and just went about the world demanding things while wielding the big stick of a global superpower without actually talking to anyone (regardless of what you may think of the current administration, there is still an astonishing amount of diplomacy that happens there). This is the state of Information Security at many organizations, and it is holding back progress towards a more secure environment. While it is impossible to be personal to each and every individual at a large organization, it is possible to do this with key decision-makers and managers in whatever your company's line of business is, and their positive attitude towards InfoSec will trickle down. Popularity is linked to momentum, and once you get this momentum going, you will see a rapid improvement in the willingness of your users and fellow IT staff to help your group accomplish its goals. I have seen it, and I am now a believer. But I will caution you against over-reliance on this tactic: there is still a time and place for the hard sell, and you must be willing to use it. Just make sure it's your well-organized Plan-B, and is used sparingly.


A counterpoint to the authentication debate

In the interest of fairness, I present to you a counterpoint to my previous opinions on the question of passwords and alternate authentication methods.

Perusing security news today, I happened across Scott Granneman's column on SecurityFocus and laughed out loud at the coincidence. In his well-written opinion, he makes some similar points but draws a very different conclusion: that Bill Gates is right, and passwords will eventually go the way of the dodo. While I respect Mr. Granneman's opinions and insight, and read his columns fairly regularly, I happen to disagree on this point. But to anyone who likes reading both sides of the story (which everyone should), I highly recommend this article.


Passwords a thing of the past? Let's hope not.

Bill Gates, in a recent interview with C|Net news, forecasted the end of password-based authentication as we know it. While at this point, the statement is nothing more than idle talk, we all know the influence Microsoft has on IT as a whole, and it should not be downplayed. This reflects a mentality at Microsoft, and frankly, it's one we should be wary of.

Mr. Gates took a big - and much needed - step when he announced Microsoft's trustworthy computing initiative last year. The argument that vulnerabilities are so prevalent in MS software due to its ubiquity isn't completely sound. Apache, the world's leading web server, has fared much better than IIS on that front. This was the result of a systemic, company-wide failure to properly address security concerns, and an overhaul was in order. But not everyone was convinced of Redmond's change of heart.

Situations such as this password issue only provide more fuel to pundits who immediately dismissed the trustworthy computing initiative as a diversion from their fundamental security problems. Even the most novice computer security professional has heard the phrase "Something you have, something you know, and something you are." This three-factor authentication should exist for the forseeable future, no matter how great a product Gates & co. builds. The reason is simple: in this day and age, only something you know can't be stolen. It must be guessed, or given away. Your name - something you are - can be discovered easily. Smart cards - something you have - can easily be stolen. Even commercial fingerprint scanning technology can be easily fooled with things like gelatin, and once a fingerprint is compromised, it cannot be changed. The only way to truly secure systems is with something that cannot be obtained without intervention of the user: their password. And I again concede, this can be guessed, but when combined with two other factors of authentication, it makes for a hard nut to crack.

The danger here is that Bill Gates's view and loathing of passwords could be infectuous. This paradigm could be easily shoved down peoples' throats in the form of Longhorn (the next version of Windows), and anyone in InfoSec will tell you that this is something users would love. No password to remember, and change every thirty days? What a glorious thing! Like electrons, users choose the path of least resistance in getting their computing tasks performed.

Microsoft, and more importantly Microsoft's policy-setters, must have a firm grasp on these sort of issues if their trustworthy computing initiative is to be truly successful. Unfortunately, when statements like "In time, we will completely replace passwords," are heard from Gates, one is left to wonder if trustworthy computing really only consisted of one-off code reviews and some notes in a marketing strategy meeting. Let's hope he's not serious.

Comprehensive Information Security Clearinghouse

One thing I've noticed in my time as an analyst is the lack of a leading, authoritative source for the most up-to-the-minute information on threats to confidentiality, integrity, and availability of systems. Anti-virus sites are very timely, but are far from comprehensive and tend to differ on analyses, leaving too much ambiguity. SANS does a very good job for the technically-minded, but they aren't always the most timely group, and the topics covered are at the discretion of one single person for each given day. CERT has a wonderful, long history of being authoritative and quite comprehensive, but due to their insistence on accuracy, tend to lag behind threats by a number of days and don't always provide very complete data. Beyond this, the analyst is left with mailing lists, which require far too much time & attention for one person to get good information and still have time to perform all the other duties that may be assigned to him/her. Finding security-specific, industry news is easier, but often found in yet another location separate from vulnerabilites, malware, etc.

What is needed is a government-funded clearinghouse for threats and vulnerabilities, announcements, etc., covering every aspect of information security. I say "government funded," because this organization needs to be free from a profit-making model. The risk of businessmen sacrificing deliverables to expand profit margins must be eliminated from the equation, but making the solution government-run will immerse it in a quagmire of red-tape, delays, bureaucracy, and most importantly stagnation of fresh thoughts and ideas. Providing funding for an outside group is the best answer.

This shouldn't be a re-invention of the wheel. A lot of good work is being done out there, and should not be neglected. Linking information in CERT with vulnerability data from Bugtraq and exploit data from leading anti-virus firms would be a powerful tool in the right hands, and it's easy to see how this can be applied to other knowledge domains, from policy & procedures to security program management, VPN's, encryption, etc.

Such a group would hold enormous influential power in the industry (another reason it shouldn't be profit-driven), and as such could aid in the resolution of high-impact conflicts or problems, like the malware nomenclature conundrum mentioned in my previous entry. With more money and attention, the DHS is well-positioned within the pool of US Agencies for championing this effort. As it exists today, however, this won't happen. After turning out three leaders in as many years, it's obvious that a systemic problem exists in that agency with regards to InfoSec. Even though the agency's task would only be oversight, without proper care & feeding this would only be another fruitless money pit for taxpayers.


Malware Nomenclature

A number of references have been made recently regarding the need for malware[?] name standards, including an open letter to Anti-Virus companies posted on the SANS Incident Storm Center's diary and authored by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. He states that "Sometime [...] earlier this year, your virus variant names got out of synch with other anti-virus software companies," and later challenges the companies to "work together as a community of security professionals and help out your customers at the same time."

Mr. Mosby not only hit the nail on the head, but also gives anti-virus firms too much credit.

While he speaks specifically of virus variants, this sort of name game has been going on for years, and is much more pronounced a problem than simply identifying variants. Notably in my mind is the "Welchia" / "Nachi" worm, which wreaked havoc on one network I had intimate familiarity with. We're not talking "Is this variant AA or AB" here, folks, this isn't even close. And in the dawning hours of a global virus outbreak, having to compare three major virus outlet's descriptions to make sure you're telling your VP the right information about something he read on CNN (that used a name you've never heard of) is an unacceptable time sink. That could be another 100 infected hosts - if you're lucky.

Mr. Mosby's concern over variants becomes a bigger problem when performing detailed forensics on a single infected system, however. Often times, to get the whole picture of what a piece of malicious code is capable of, one must visit websites of multiple vendors. Such detail is necessary when attempting to determine exposure. Without this information, it's hard to justify spending 40 man-hours to rebuild an Exchange server to a reluctant client or manager. And this type of information is nearly impossible to assemble when dealing with malware that has hundreds of variants.

Attempts have been made to establish information-sharing alliances, but unfortunately, like Microsoft's Virus Information Alliance, which met with a great deal of marketing hype in 2003 but whose official website now returns the equivalent of a "404 Not Found", many have been nothing more than that. Those that had genuine intentions have been under-funded, or had relied on the goodwill of a small group of individuals, like the Wild List, which unfortunately could not keep up with the torrent of new malware that began in 2001-2002 despite being the best out there at the time. VGrep seems to be a good tool to help the hapless security analyst, and beginning in 1991 there has been the CARO naming convention. Unfortunately, VGrep is a band-aid solution, and the CARO naming convention lacks widespread adoption (little to no authoritative information seems to be available on the web, and F-Secure is the only company I'm aware of that boasts of following the standard).

I know that communication channels exist between Symantec and McAfee (aka Network Associates) for code analysis. Trend is almost certainly in the mix as well. There's no reason that, while sharing information about the latest threats, they can't find some quick-n-dirty way to name whatever it is they're talking about.

And don't get me started on the industry confusing the definitions of basic terminology like "virus" and "worm"...



This is my welcome message to everyone. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.

One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. All I ask is that, if you do comment, you provide your name.

I plan to update this blog more than once weekly; however, realizing time commitments vary, I make no guarantees :-)