2007-11-24

Proper customer email correspondence

Despite the expenditure of a great deal of effort, users are still ill-prepared for email-borne threats. Much of this is due to the mixed messages users receive. We tell users to not click on links in email to strange websites, then send them surveys from third-party companies they've never heard of and encourage them to participate. We tell users to not open attachments they're not expecting, then send out broadcast messages to many recipients with a PDF containing the information they need to read. When I say "we," I don't mean security analysts, but rather employers, service providers, vendors, etc. It's no wonder users still have no idea when they can and can't click on a link, or open an email or attachment.

I get my car insurance from Progressive. Yesterday, I received the following email. This is the type of actions that are needed to maintain user diligence and continue to leverage email as an effective communication mechanism.

======================================================================
Important changes are coming soon to your Progressive e-mails.
==============================
========================================

Dear MICHAEL CLOPPERT:

We're writing to let you know about some important changes to your
Progressive e-mails to ensure that you continue to receive and
recognize them.

Please note these key changes in your e-mails over the next few
months:

- E-mails will be sent from a new address:
customerservice@email.progressive.com

Please add this e-mail address to your address book or approved
senders to ensure that our e-mails reach you.

- Links in the e-mail will point to re.progressive.com instead of
re.progressivedirect.com.

2007-11-23

An Open Letter to SANS

I have been a strong proponent of SANS and GIAC for many years. Their training is, quite simply, the best available in many of the sub-disciplines within Information Security. Their staff represent the best of the best in the industry. I am a member of the SANS advisory board, and while I have no financial incentive in the success of the organization, I feel the continued health of SANS is vital to the Information Security discipline. It is for that reason that I have become concerned about some of the decisions made by SANS over the past few years. Beginning with the decision to separate the practical from certification, and continuing through to the introduction of their Master's degree, I see decisions increasingly being made solely around financial considerations.

In August, Stephen Northcutt asked the advisory board for our thoughts on discontinuing an unprofitable certification. I am posting the bulk of my response below, as it articulates many of my concerns with SANS. It is my hope that by voicing my opinion, positive direction can be maintained in the organization and, by consequence, the industry as a whole.

This cuts right to a core issue about SANS that I have been meaning to bring to the attention of the advisory board & leadership for some time, which is this: SANS needs to decide if its primary mission is to make money, or to educate. Many decisions I've seen from the leadership at SANS in the past few years seem to indicate that it is the former. I hope, for the sake of the integrity of the organization, that this tendency can be changed. It would be rather naive of me to think that this note would begin to turn the ship, but I hope it can raise awareness of the issue. I can say with absolute certainty that it has been noticed by professionals and decision-makers outside of SANS (some of whom I respect greatly); this is a real risk.

Bringing this more to the point, I believe that the value of certifications should not be solely measured by their profitability. SANS needs to remain in good financial standing, no doubt, but costs can be reclaimed elsewhere. Other untapped profit opportunities (corporate sponsorship, linking employers with job hunters, etc.) are out there. Universities face the very same trade-offs. In recent years, a debate has grown about the cost and value of technical degrees versus liberal arts degrees. Merely charging more for some degrees than others was highly controversial for the Universities; dropping less profitable, more technical degrees would be considered unconscionable. If SANS wants to operate at a similar level, I feel it must adopt this sort of mindset.

If [this certification] is judged to be valuable as an educational tool to the Information Security community at large, and it can reasonably be afforded by SANS, it should be kept. Otherwise, you needlessly sacrifice education for a larger bottom line, which advances a financial rather than educational mission. If we feel [this certification] in its current instantiation is a bad way to vet the top of the InfoSec talent pool, then it's a different problem we're talking about and financial concerns shouldn't really play a part in our discussions - the shortcomings should be addressed and a new approach tried before the life of this certification is prematurely cut short.

2007-11-11

Overhaul Anti-Virus Products NOW

It's been a few weeks since the below story appeared in SANS NewsBites, but I wanted to point it out to the community. The story, and subsequent NewsBites editor comments, speaks volumes to not only challenges with Anti-Virus that we're currently experiencing, but also to the attitude of the established Anti-Virus industry towards anyone not already part of their collective. I've lamented about the state of the anti-virus industry in the past, but this particular problem is the most dire for their industry - and the rest of us. The nature of the industry's rebuff of Ed Skoudis and Tom Liston (both highly-respected and recognized security professionals) that is discussed in the comments section below echoes of attitudes I've found amongst individual "antivirus researchers" with whom I've worked - some even as peers and coworkers. I think the root of the problem is Antivirus companies and contributors have developed their own self-serving, self-congratulating circle that espouses "group think" and rejects constructive criticism from anyone not a part of this clique. Further, they do not see themselves as security analysts and companies. Malware has become woven into the fabric of the security challenges facing entities in the 21st century and at this point the two can scarcely be separated in many cases. It's time these companies and contributors begin seeing themselves as part of the larger security industry, not simply a clique that sits at the "cool kids" table at lunch.

Enjoy:
TOP OF THE NEWS
-- Overhaul AntiVirus Product Testing Now
(October 10, 2007)
Momentum is growing for an overhaul of the way anti-virus products are tested. Presently, tests focus on signature-based malware detection and have changed little over the last 10 years. However, anti-virus technology is changing to meet the demands created by new malware, and the organizations believe that tests need to be reformulated to reflect that change. The tests don't examine the effectiveness of behavioral anomaly malware detection, a technique that is proving valuable in catching malware that spreads quickly. Proposals for new testing methods and procedures will be presented in November at the Association of AntiVirus Asia Researchers 2007 Conference in Seoul, Korea.
http://www.theregister.co.uk/2007/10/10/av_tests_revamp/print.html
[Editor's Note (Skoudis);: Given the change in threat, with new malware introduced every hour, this is a good development. My colleagues and I have been pushing for something like this for about 2 years now. I made a call very much like this at a talk during the Anti-Spyware Coalition meeting in February 2006. My colleague Tom Liston and I released a tool called Spycar a year and a half ago to test the behavior-based claims of anti-malware vendors, and discovered that most were either not doing any behavior-based detection at all or had severely broken behavior-based functionality. Many of the anti-malware vendors publicly scoffed at our testing, while a few said that our results were interesting. Just last month, my colleague Matt Carpenter and I tested a bunch of products again, and found that the behavior-based detection capabilities of all the major vendors were severely lacking. I'm hopeful that this new initiative will help improve the state of
behavior-based detection.
(Liston): Saying we were "skoffed at" is Ed's way of being polite. Essentially, they told us that we were amateurs who didn't know what we talking about, even _after_ we had discovered and disclosed serious flaws in the behavior-based detection offered by several major vendors. With increasing numbers of malware being released and the rise of targeted malcode attacks, behavior-based detection is going to become
anti-malware's front line defense. It's nice to finally see this reality being addressed by AV vendors' testing methods, and, of course, it's also nice to be vindicated.
(Northcutt): The anti-virus industry has served us well. Without them, computing might well have failed, but they are a tad stuck in their ways and malware grows ever more complex. I hope that projects like Spycar, which hold vendors responsible for something beyond signature detection, continue to prosper.]