Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


April 23, 2007
Podcast: Systems Under Siege - Steps a CSO Should Take Today: A Talk With Mike Rothman

The entire podcast runs 10:03.

What follows is a summary of my discussion with Mike Rothman, top analyst and founder of the website Security Incite, where we discuss the recent escalation of security attacks, what a CSO needs to focus on to counter these attacks, as well as why open source security is a myth, what went so very wrong with the recent TJX breach, and, finally, why every CSO needs to read his book “The Pragmatic CSO: 12 Steps to Being a Security Master.”

Recently on your website, you said it is always darkest before the dawn, and that it is probably going to get a bit darker in the near term. Can you elaborate?

You bet. Even this week (note: this podcast was recorded April 5) we had a huge issue with animated cursors, and that kind of came out of nowhere. That is really what I would call a zero-day attack. I guess some folks knew there was an exploit or vulnerability out there, but the general public had no idea until they could be attacked by it, and then all hell broke loose.

So when I say “It’s always dark before the dawn,” it seems that a lot of the folks I spoke to in the last week are a little discouraged, because we keep having these issues, and as much time and money as we spend, the bad guys always seem to find some other hole to come in and wreak havoc. So from my standpoint I think we’re going to continue to see more of those, because fundamentally a lot of the older operating systems, and by that I mean Windows 2000 and Windows XP, are inherently problematic. Vista helps a lot of those things, but what we’re talking about is a 2- or 3-year time frame until folks decide to upgrade to Vista or go to an alternative operating system that may have more security aspects to it. But I think that it’s really important to focus on the things they can control and be able to react quickly, so when we see an issue like we saw this week we’re able to react very quickly to it.

What do you think a CSO needs to focus on today to keep their systems secure in this increasingly dangerous online world?

There’s probably about a million things that folks can really focus on, but if I said I had to focus on one thing, well, I don't know if I could focus on one thing, but what CSOs need to worry about today is really understanding what their most critical system is. Because a lot of people do the generic stuff: they put a firewall in place, they put an IDS or IPS in place, they run AV all over the place, they do some antispam because that’s annoying, but they don’t really have the context of what their business is about.

If there is one thing I philosophically believe, it is that you can't get to everything. The list is too long. If you run a scanner against your networks or applications, you’ll find that you could literally work for the next 500 days straight and still not get everything done, so the reality is you have to focus, you have to prioritize, and by prioritizing I mean you have to understand what's important.

Once you understand what's important, then you can put a plan in place to protect it, whether it’s data or a system or an application or a network. Once you understand what’s important to your business, then you can design a defensive strategy to protect it.

What is the main thing preventing a CSO from accomplishing this?

I think a good portion of it is politics. Most security folks come out of the technical ranks. That’s been the career path. One day they’re bestowed a chief security title or director of security and they haven’t really been trained to play the game.

What do I mean by the game? I mean the funding game. Which is, I’ve got to be able to make a case for why the stuff I want to do is important. I’ve got to be able to make a case to the folks who count the money about how either I’m going to save money or make money by the things that I’m doing. From that perspective, it really has been a challenge for a lot of security-oriented folks to get the funding they need to adequately protect their data and their systems, just because they really don’t know the language of business that they need to speak in order to get that type of funding.

I also read that you’re working on a piece about security and open source. Why do you think open source security is a myth?

I think open source is fantastic. The software that runs my website is open source. But I don’t necessarily know, from a security standpoint, that open source is anything more than a distribution channel or a way to take a product to market. I think we’re blurring the lines between free software and open source software. Open source, even something like Metasploit, which is a penetration testing tool, that’s free. It used to be open source, but now it’s basically free software, because they’ve tightened the license to make sure people don’t use it for commercial means.

So from that standpoint, what has happened in security that hasn’t really happened in a lot of other markets, like content management or some of the other places where open source really excels, is there hasn’t been an ecosystem that has been built up around a specific tool; there’s basically been a company. So if you look at Snort, the company is Sourcefire; if you look at Nessus, the company is Tenable. Those are great tools, and yes, they’re free, from that standpoint, but I certainly wouldn’t call them open source.

Would you discuss the recent breach with TJX, and how incident response and crisis communications would have made a difference?

I always point back to the issue that Johnson & Johnson had with Tylenol. That was years ago, and I was just a kid, and there was bedlam and everybody was terrified and they were tossing their Tylenol out of their windows because they were scared. The CEO got on TV and accepted responsibility and said, this is what my plan is going to be to both restore your trust in my company as well as the product, and this is what we’re doing to make sure it never happens again. That started the whole thing with sealing the drugs and making sure you’ve got tamper-proof packaging. It really was a watershed moment in crisis communications.

You look at how TJX handled their data breach, which was, well, we didn’t tell you for a couple of months. Sorry. You could tell they didn’t even mean it. And we’re not going to give any credit monitoring to all 45 million customers that have been transgressed because, you know, at the end of the day I don’t legally have to, and my margins are like 2%, so there is no way I can stay in business and do that. It just felt that at every step of the process they were stonewalling the public; they were treating their customers shabbily. I think that comes back and bites you.

A brand is a very hard thing to build and is a very significant thing to waste. You do one stupid thing and years of good karma go by the wayside. I think by handling the situation a lot more effectively, TJX could have made this much less of an issue. But they stonewalled, they didn’t admit a problem, they tried to blame other people, and they wouldn’t do the right thing for customers. So at the end of the day, I believe customers won’t do the right thing by them.

What do you think a CSO needs to focus on in the future for security?

Their applications. It’s a simple discussion. It gets back to what I said before: you have to figure out what’s important. I think, in terms of business systems, which are kind of automated business processes, the technology that automates that process is some kind of application. Applications are clearly the path of least resistance for the bad guys now. So whether it’s attacks like cross-site scripting or cross-site request forgery or a lot of other newfangled application attacks, that is the path of least resistance, and that is where a lot of security folks need to start focusing their efforts.

You do that a couple of ways: you want a gateway to protect that specific application traffic. You also want to start working with your developers to educate them as to what they should be coding in a secure fashion - what that means and how they can eliminate a lot of these problems before software is even published.

Finally, tell me about your book, The Pragmatic CSO, and why should a CSO buy it?

The Pragmatic CSO was born out of a lot of frustration that I heard. Not only from myself, but from a lot of my clients and a lot of my contacts in the industry. A lot of it gets back to what I said before, relative to not being able to justify or put a value on what security does. What security people have done is they’ve gotten addicted to throwing a new product at the problem. They’ve gotten addicted to generating a report and hoping the auditors go away. They’ve just gotten addicted to trying to take the easy path, is the best way I can put it. Not that it’s easy by any stretch of the imagination, but it’s also not gotten them anywhere. We are largely in the same place we were a couple of years ago and, from my standpoint, that’s not a good thing.

What I really built with the 12-step program that I laid out in The Pragmatic CSO is a way to prove relevance to business users. It’s a way to show the context of what security can do for an organization’s business and, again, make sure that you are constantly communicating, managing expectations, hitting milestones, basically treating your security operation as a business. Not a lot of people are talking this language. Thus far, since I released the book in early January, it has been very well received.

Posted by pschooff in Better Protection