JitterBugs - Covert Keyboard Communication Channels

August 09, 2006
WarTyping, keyboard acoustic emanations, and now here comes a full-scale covert espionage tool, discussed in depth in a research paper at the 15th USENIX Security Symposium. Researchers at the CS department of the University of Pennsylvania developed a working prototype of a JitterBug covert channel:

"This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data without compromising the host or its software. In particular, we show a practical Keyboard JitterBug that solves the data exfiltration problem for keystroke loggers by leaking captured passwords through small variations in the precise times at which keyboard events are delivered to the host. Whenever an interactive communication application (such as SSH, Telnet, instant messaging, etc) is running, a receiver monitoring the host's network traffic can recover the leaked data, even when the session or link is encrypted. Our experiments suggest that simple Keyboard JitterBugs can be a practical technique for capturing and exfiltrating typed secrets under conventional OSes and interactive network applications, even when the receiver is many hops away on the Internet."

The trade-off remains whether physically recovering the device would go undetected, compared to streaming the captured output directly out of the network. I'd go for the covert network timing channel, though insecurities and flexibility are always a matter of viewpoint.
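As an added illustration (not code from the USENIX paper or from this post), here is the defender-side check a network monitor would want against the idea described in the abstract: if a JitterBug forces each keystroke delay to land near one of a few residues modulo a timing window, the residues of ordinary typing stay roughly uniform while a jittered stream clusters. The window of 20 ms, the ten bins, the chi-square threshold and both delay sequences are constructed for the example; a real detector would scan candidate windows over captured inter-packet delays, which is the ground the referenced paper on detecting covert encoding in packet delays covers.

```python
"""Defender-side check for timing quantization in inter-event delays.

Assumed model (an assumption for this example, not taken from the paper):
a covert timing channel pushes each delay to within a millisecond or so of
a fixed residue modulo a window w, whereas human typing spreads residues
roughly uniformly over [0, w). A chi-square statistic over a residue
histogram exposes the difference.
"""

# Chi-square critical value for 9 degrees of freedom (10 bins) at p = 0.001.
CHI2_DF9_P001 = 27.88


def residue_histogram(delays_ms, window_ms, bins=10):
    """Bin each delay's residue modulo window_ms into `bins` equal-width bins."""
    counts = [0] * bins
    for d in delays_ms:
        r = d % window_ms                              # residue in [0, window_ms)
        idx = min(int(r * bins / window_ms), bins - 1)  # clamp the top edge
        counts[idx] += 1
    return counts


def chi_square_uniform(counts):
    """Chi-square statistic of a histogram against the uniform distribution."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def timing_quantization_score(delays_ms, window_ms, bins=10):
    """Higher scores mean residues cluster more than chance would allow."""
    return chi_square_uniform(residue_histogram(delays_ms, window_ms, bins))


def is_suspicious(delays_ms, window_ms, bins=10, threshold=CHI2_DF9_P001):
    """Flag a delay sequence whose residues are far from uniform."""
    return timing_quantization_score(delays_ms, window_ms, bins) > threshold


# --- constructed sample data (deterministic, no randomness) -----------------

def human_like_delays(n=200):
    """Stand-in for ordinary typing: delays of 80..302 ms with no modular structure."""
    return [80 + (i * 37) % 223 for i in range(n)]


def quantized_delays(n=200, window_ms=20):
    """Stand-in for a jittered stream: every delay pushed to within +/-1 ms of
    residue 0 or residue window/2, i.e. two timing symbols, no message encoded."""
    out = []
    for i in range(n):
        base = 100 + window_ms * (i % 7)    # coarse delay varies, residue stays 0
        symbol = (window_ms // 2) * (i % 2)  # residue 0 or window/2
        noise = (i % 3) - 1                  # -1, 0, +1 ms of jitter
        out.append(base + symbol + noise)
    return out


if __name__ == "__main__":
    for label, sample in (("typing", human_like_delays()),
                          ("jittered", quantized_delays())):
        print(label, round(timing_quantization_score(sample, 20), 2),
              is_suspicious(sample, 20))
```

The score is only meaningful for the window it is computed with, so a monitor has to try a range of plausible windows; the constructed human-like sequence scores 0.5 at a 20 ms window while the quantized one scores 354.5.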

UPDATE: The future defined - Projection Keyboards

Related resources:
Espionage Ghosts Busters
Covert Channel
Gray-World Team
IP Covert Timing Channels: An Initial Exploration
Information Theory of Covert Timing Channels
Detection of Covert Channel Encoding in Network Packet Delays

Malware Bot Families, Technology and Trends

August 07, 2006
In case you want to know more about the evolution of bots and the ease of assembling a botnet, why families take the largest zombie share compared to single bachelors, or which technologies dominate the threatscape, go through the slides of this study on identifying "interesting" bot technologies within a large malware collection. Bot Feature & Technology Trends by Robert Lyda also highlights the distribution of bot variants from the following families:

GaoBot
SpyBot
MyTob
PolyBot
PoeBot
gBot
BrepiBot
DanishBot
NetBot
KvdBot
TriBot
TongBot
SdBot
KwBot
BugBot

As well as :

- Emergence of Bots as of eggdrop's 1993 appearance
- 2005 Bot Family Percentage per Month
- Bot Feature Percentage of All Variants
- Bot Feature Percentage Over All Variants
- Bot Technology Trends for 2005
- Bot Packing Analysis
- Prevalence of the Top 12 Packing Tools

Bottom line: bot families are why anti-virus software already detects over 200,000 pieces of malware; the trouble is that the majority of them have long since become family members rather than staying bachelors, as used to be the case. Malware on demand and open source malware, combined with the ease of packing, are definitely making their impact.

Related resources and posts:
Malware
Splitting a Botnet's Bandwidth Capacity
An Intergalactic Security Statement
Malware Search Engine

DVD of the Weekend - The Final Cut

August 06, 2006
This weekend's featured DVD is a marvelous representation of a full-scale, 1984-style mass surveillance society, but instead of a utopian party acting as the caring Big Brother, here it's the inevitable advances of technology and the availability of services that lead to the ultimate digital preservation of our entire lives, through our own eye-embedded implants. Worth taking your time to watch this "remixing" of reality leading to the ultimate saint, but I have to agree with SFAM's comments on the "usefulness" of the technology for compiling a 30-minute funeral clip only. The rest is the plot itself.

A brief summary of The Final Cut :

"In a near undefined future, people may have a Zoe microchip implanted in their nervous system to permit their families retrieve the best moments of their memories and watch on video after their deaths. This process is called "Rememory" and Alan H. Hakman (Robin Williams), a man traumatized by an incident in his childhood, is the best cutter of the Eye Tech Corporation. The company is facing groups that oppose to the "Rememory" and the ex-cutter Fletcher (Jim Caviezel) is leading these opponents. When Alan is assigned to prepare the final cut of the memories of the Eye Tech lawyer Charles Bannister, his Zoe chip is disputed by Fletcher. Meanwhile, Alan finds that he has also an implanted microchip, which is against the rules of a cutter."

You can also go through CyberPunkReview's comments and snapshots of The Final Cut.

Related resources:
Surveillance
Privacy

UPDATE: Seems like Blogspot is only searching through 7 out of my 209 posts; ignoring the conspiracy theory, you can still do it the old-fashioned way - Surveillance, Privacy, Malware, Censorship, Cyber terrorism, Intelligence, etc.

Future in Malicious Code 2006

August 05, 2006
What's new on the malware front? Quite a few new developments to be included in the Q2 2006 summary I'm about to finalize any time now. I just came across a great continuation of my original Malware - Future Trends publication, this time courtesy of the Royal Canadian Mounted Police, quoting and further expanding the discussion on my key points:

- Mobile malware will be successfully monetized
- Localization as a concept will attract the coders' attention
- Open Source Malware
- Anonymous and illegal hosting of (copyrighted) data
- The development of Ecosystem
- Rise in encryption and packers
- 0day malware on demand
- Cryptoviral extortion / Ransomware will emerge
- When the security solutions (antivirus etc.) end up being the security problem themselves
- Intellectual property worms
- Web vulnerabilities, and web worms - diversity and explicit velocity
- Hijacking botnets and infected PCs
- Interoperability will increase the diversity and reach of the malware scene

A brief summary :

"This report will provide an overview of the numerous malicious code trends experts are observing and those they predict will be seen in the foreseeable future. This is not a document that will chart the future of malicious code as that would be impossible. Malware writers move very quickly. They are adaptable and very often they are exploiting vulnerabilities before the rest of the security industry is fully aware of them. Their flexibility and reaction speed is essential if they wish to continue to make a profit and stay ahead of the anti-virus companies who are constantly devising new ways to detect and remove hostile code. As a result, some of the trends covered in this document may never fully evolve and others that have not been mentioned will, no doubt, appear.This document will give readers a better sense of what is coming “down the pipe” and perhaps, a better idea of what to look for when dealing with tomorrow’s malicious code."

Professionally questioning a vendor's or mogul's self-mythology is the anti-mogul speciality. Don't just slice the threat into pieces and take credit for the slicing; let's discuss the pie itself.

Meanwhile, keep an eye on my Delicious Information Warfare summaries, and syndicate them if time equals opportunities.

Mobile Devices Hacking Through a Suitcase

August 04, 2006
Define:nerd

"Luca Carettoni and Claudio Merloni are security consultants at Milan, Italy-based Secure Network. The two created the BlueBag to raise awareness about the potential of attacks against Bluetooth-enabled devices, they said in an interview at the Black Hat security event in Las Vegas. The BlueBag is a roll-aboard suitcase filled with hardware. That gear is loaded with software to scan for Bluetooth devices and launch attacks against those, the two men said. We started evaluating how Bluetooth technology was spread in a metropolitan area, Carettoni said. We went around airports, offices and shopping malls and realized that a covered bag can be used quite effectively for malicious purposes."

Outstanding execution of the idea; I still wonder what the contents of the suitcase would look like through an X-ray, if they ever get to pass through one, of course. Go through the entire photo session at Black Hat 2006 by Joris Evers of CNET News.com's team, as well as the basics of Bluetooth (in)security.


Achieving Information Warfare Dominance Back in 1962

August 03, 2006
The point here isn't the consolidation indicated in the article :

"The consolidation involves Singer’s headquarters staff, and subordinate Naval Security Group Activities (NSGA) and detachments (NSGD). When fully completed, the action will combine the Navy's enlisted Cryptologic Technicians and Information Warfare officers into the same organization as the Navy’s Information Systems Technicians and Information Professional officers. The IO warfare area is composed of five core integrated capabilities: Electronic Warfare, Computer Network Operations, Psychological Operations, Military Deception and Operational Security. These combine with related capabilities to provide “Information Dominance,” the concept of controlling an adversary’s use of the information and communications environment while protecting one’s own."

but the advances of intercepting electromagnetic emissions reflected off the Moon back in 1962, through the NRRO 600-Foot Steerable Parabolic Antenna :

"Naval Radio Research Observatory (NRRO). This observatory is to be erected at Sugar Grove, West Virginia for exploiting lunar reflective techniques for the purposes of intelligence collection, radio astronomy, and communications-electronics research. A 600-foot steerable parabolic radio antenna will provide for the reception of electromagnetic emissions reflected off the moon. As an intelligence device it will provide for reception and analyzing emissions from areas of the world not now accessible by any other known method, short of physical penetration. The Observatory is planned to be operational in FY 1962."

Here's more info on the concept :

"Although the 600-ft telescope was never built, a satellite-based alternative, called `GRAB' (Galactic RAdiation Background), was launched in June of 1960. Again, this was a dual-use system. The world's first elint satellite and astronomical observatory were integrated into the same satellite bus, with astronomy serving as an operational front for the whole. A second GRAB was launched in 1962. This interface of classified and basic research tells us about the pursuit of science and science-based technologies during the Cold War."

Nowadays it just seems to be full of bird listeners using parabolic microphones, activists "hacking" TV and radio signals, and others conducting sophisticated TECHINT on the battlefield.

Related resources:
InformationWarfare
Cyber Warfare
PSYOPS
Intelligence

One Time Password Generating Credit Card

August 03, 2006
This is cute, as it solves a major problem with customers having to use, and all too easily lose, tokens. Neat integration with the push of a button on the one-time-password-generating credit card:

"It took InCard four years to develop the card, Finkelstein said. The company combined technology from a Taiwanese display maker, a U.S. battery manufacturer and a French security team, he said. A Swiss partner, NagraID, owns the rights to the process to combine the pieces and actually manufacture the technical innards of the card. The biggest development challenges were the ability to bend the card, power consumption and thickness, Finkelstein said. The result is a card that's as thin and flexible as a regular credit card and is guaranteed to work for three years and 16,000 uses. "Which is about 15 times a day, seven days a week," Finkelstein said."

Whether it's compliance with the FFIEC or an emerging trend of convergence, the trouble is that it doesn't solve the majority of issues related to phishing attacks; rather, it has the potential to undermine other companies' offerings. Now all they need is someone who'll take the role of an evangelist besides the well-networked company executives.

Related posts:
Anti Phishing Toolbars - Can You Trust Them?
Heading in the Opposite Direction
No Anti Virus Software, No E-banking for You

But Of Course It's a Pleasant Transaction

August 02, 2006
Great example of automated bots attacking eBay's core trust-establishing process: the feedback provided by users, which takes advantage of the wisdom of crowds to judge their truthfulness:

"Again, a sharp eye may notice that feedback comments received from sellers are identical, and read almost in the same order. This is because most 1-cent-plus-no-delivery-cost sellers automate the whole transaction: should someone buy their eBooks for one cent each, some scripts email it automatically to the buyer, and leaves a standard feedback comment on the buyer’s profile. So, if we recollect everything, the following is probably happening:

1. Someone is massively creating randomly named, fake user accounts (probably in a more or less automated fashion).
2. Those fake users, powered by automated web spider software, are set to scavenge eBay for 1-cent "buy it now" items and buy them.
3. Automatically, the 1-cent item seller script is emailing the buyer with the item, and posts its standard feedback on his profile.
4. The fake user automatically responds with a standard feedback comment on the seller’s profile.

In a nutshell: Two bots are talking. And doing business."

The use of CAPTCHAs, and ensuring the bots never manage to register themselves, is as important as the automated process of bypassing CAPTCHA authentication. Expect to see much better random generation of pseudo-users and their feedback compared to these ones. And since eBay is no longer an intermediary but a platform, bots have plenty of seed data to begin their life with, don't they?

These very same techniques apply to common networks such as Internet Relay Chat and the majority of instant messengers, where malware tries either to take advantage of the momentum and forward itself to a buddy, or to keep the discussion going until the time for a fancy photo session exchange has come.

Things Money Cannot Buy

July 31, 2006
1. Love with tingles
2. True Friends
3. Respect, the kind that comes when results go beyond the position and the size of market capitalization
4. Style
5. A childhood full of joy
6. Knowledge; diplomas and insider leaks are something else
7. And obviously innovation, as you can see on this slide; compare it to the rough reality for the top tech R&D spenders. 800-pound market capitalization gorillas for sure, but not innovators. A knowledge-driven society results in talent wars -- permanently attracting the walking case studies is also important.

Outspending ends up in budget allocation myopia, compared to actually prioritizing your R&D efforts. You aren't productive when you have all the cash in the world; quite the opposite, and passion does play a crucial role when it comes to creativity. Go through a handy summary of a study on Does R&D spending deliver results? as well.

Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems

July 31, 2006
With China breathing down Japan's neck, and North Korea crying for attention by actively experimenting with symmetric and asymmetric warfare capabilities, Japan's need for better reconnaissance, and for limiting its dependence on others for imagery gathering, has been in the execution stage for years, as Reliance on U.S. intelligence on missile launch shows need for improvement shows:

"The two spy satellites currently in operation are both polar orbiters circling the globe at altitudes of 400 to 600 kilometers. If the fourth, a SAR satellite, is launched in 2007 as planned, it will complete the four-satellite reconnaissance system, and the country will be able to monitor any point on Earth at least once a day, officials said. It will therefore become possible for Japan to monitor day-to-day changes in North Korean missile-launching sites. The problem, however, is if the system will be effective at the moment of a missile launch, which would depend on the weather and positions of the satellites at the time, officials said on condition of anonymity. In stark contrast with Japan, the United States has orbited more than 100 satellites, at least 15 of which are reportedly for intelligence-gathering purposes, they said. As experts put it, the U.S. satellites can identify objects as small as 8 to 9 centimeters in size if weather conditions are ideal. The United States has five early-warning satellites, including one for backup purposes, keeping watch over North Korea around the clock, they said."

They're definitely using open source IMINT on North Korea as well, or requesting detailed imagery on demand from commercial providers, in between further developing their early warning systems. Go through an article on Japan's Information Gathering Satellites Imagery Intelligence in case you're interested in their past efforts in this direction. However, I feel it's their neighbors' cyber warfare capabilities they should also be worried about.

Image courtesy of Northrop Grumman.

DVD of the Weekend - Path to War

July 30, 2006
As I've been busy catching up with way too many things to list, I'd better finalize my creativity efforts and provide you with the results as they appear during the week. Meanwhile, current events being constantly streamed and brainwashed from every TV channel you try to watch -- remember how in 1984 only the party leaders had the privilege to turn off their 24/7 propaganda streams? Feel empowered nowadays -- made me think about how today's situation slightly resembles the one filmed in Path to War, especially the partisan warfare activities. You can never win a partisan war; what you'll end up with is your ego and nose bleeding, and your heroic wings sort of broken. Feeling, or positioning yourself, for powerful PSYOPS while destroying a country's infrastructure to eradicate the partisan fighters is one of my favorite moments in the movie, especially when they realized how they've managed to destroy 140% of Vietnam's infrastructure and were still losing the war.

Even worse, having the power and diplomatic influence to make a change, while being a bureaucrat winning time as someone else is about to take care of your dirty laundry, is such a bad example for the rest of the democratic world, yet a convenient one.

Great post at DefenseTech on autonomous warfare: destroy the oil resources to limit the movement of suppliers, and have a dozen grannies move them on bicycles or take it personally; destroy a bridge, and see a wooden one built within a day or two. Every war is an act of terrorism by itself, where the term "acceptable levels of casualties" constantly jumps from the military to the political dictionary.

Previous DVDs of the Weekend and related comments:
DVD of the Weekend - The Lone Gunmen
DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection
DVD of the Weekend - War Games
DVD of the Weekend - The Immortals
DVD of the Weekend - Lawnmower man - Beyond Cyberspace

The Beauty of the Surrealistic Spam Art

July 27, 2006
Given the volume of spam representing over 50% of the world's email traffic, obviously to some it represents a huge sample to draw sadness or anger out of, and of course, visualize the findings. One man's spam is Alex Dragulescu's art :

"He doesn't use Photoshop but simply writes code to create computer art. For the Spam Plants, he parsed the data within junk e-mail--including subject lines, headers and footers--to detect relationships between that data. Then he visually represents those relationships. For example, the program draws on the numeric address of an e-mail sender and matches those numbers to a color chart, from 0 to 225. It needs three numbers to define a color, such as teal, so the program breaks down the IP address to three numbers so it can determine the color of the plant. The time a message is sent also plays a role. If it's sent in the early morning, the plant is smaller, or the time might stunt the plant's ability to grow, Dragulescu said. The size of the message might determine how bushy the plant is. Certain keywords, such as "Nigerian," might trigger more branches. But Dragulescu did not inject any irony. Messages about Viagra do not grow taller, for example."

I feel that now every spammer can pretend to be a stylish art admirer, with his historical spamming performance hanging on the wall, or perhaps it's my surrealistic black humor.

Related posts on spam and visualization :
Fighting Internet's email junk through licensing
An Over-performing Spammer
Consolidation, or Startups Popping out Like Mushrooms?
Dealing with Spam - The O'Reilly.com Way

Visualization, Intelligence and the Starlight project
Visualization in the Security and New Media world

Splitting a Botnet's Bandwidth Capacity

July 26, 2006
Metaphorically speaking, I always say that the bandwidth of the masses of end users is reaching that of a mid-size ISP, while the lack of incentives, or plain simple lack of awareness, is resulting in today's easily assembled botnets. Freaky perspective, but that's how I perceive the trade-off of this major economic boost, given the improved connectivity France Telecom is about to offer to its customers in 2007/2008 - Fiber at Home with 2.5Gbits/s download and 1.2Gbits/s upload. As it looks, an end user is gonna be worth a hundred more infected ones in the near future.

More on malware.

Latest Report on Click Fraud

July 25, 2006
Google does have countless features, and it's not even considering stopping rolling out new ones, but the secret to its huge market capitalization and revenue stream remains its advertising model, fully utilizing the Long Tail concept. Therefore, click fraud remains the key issue to deal with if they want to continue beating Wall Street's expectations. Last week Google released a commissioned report evaluating their anti-click-fraud methods; here's an excerpt on the four lines of defense:

"Google has built the following four 'lines of defense' for detecting invalid clicks: pre-filtering, online filtering, automated offline detection and manual offline detection, in that order. Google deploys different detection methods in each of these stages: the rule-based and anomaly-based approaches in the pre-filtering and the filtering stages, the combination of all the three approaches in the automated offline detection stage, and the anomaly-based approach in the offline manual inspection stage. This deployment of different methods in different stages gives Google an opportunity to detect invalid clicks using alternative techniques and thus increases their chances of detecting more invalid clicks in one of these stages, preferably proactively in the early stages."

Despite Eric Schmidt's comments on click fraud as a "self correcting" issue, Mark Cuban takes another perspective, one I find very relevant. The key remains the balance between Google's technologies and its efforts to build awareness of the problem; very informative report. Pay-per-click is a powerful model, forwarding the responsibility for eventual transactions to the advertiser's value-added proposition, as compared to a pay-per-action model. I doubt Google would have ever reached a stock split debate in its history if it were using one.

Moreover, with the growing interest in a pay-per-call model and the rise in voice phishing, this is a hot trend to keep an eye on in the near future.

An Intergalactic Security Statement

July 24, 2006
Hell of a comment on the Malware Search Engine. Hackers crack secret Google malware search codes :

"Hidden malware search capabilities within Google which were reserved for antivirus and security research firms just weeks ago have been cracked by hackers, according to security industry sources. The key to finding malware in Google lies in having the signature for the specific malware program, according to researchers from enterprise IT security firm Secure Computing. However, the company reported that these previously hidden search capabilities have recently fallen into the hands of hackers. Why bother creating a new virus, worm or Trojan when you can simply find one and download it using Google? said Paul Henry, vice president of strategic accounts at Secure Computing. Unskilled hackers can use this previously unknown capability of Google to download malware and release it on the internet in targeted attacks as if they wrote it themselves."

Bothering to create a new piece of malware and ensuring its payload gets regularly updated to avoid AV detection is perhaps the more logical need, compared to doing reconnaissance for known malware through Google. Looking for the signature means the piece of malware has already been detected somehow, somewhere, so it's useless even to a script kiddie, as I doubt one would do a favor to another by increasing the size of someone else's botnet. What you can actually use it for is to look for packed binary patterns or known functions, and draw better conclusions.

I really hope Secure Computing are more into harnessing the brand and product portfolio's power of CipherTrust, than they are into the dangers of known malware, not that there aren't exceptions of course!

Space wisdom courtesy of Doctor Fun.

Searching for Source Code Security Vulnerabilities

July 21, 2006
While Google was quick enough to censor the colourful Malware Search logo -- colourful branding -- here's another recently started initiative, Bugle - a Google-based source code bug finder:

"Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though), hopefully people will start sending more queries. Source code review is not a straight forward operation , using the list you will get pinpoints and not definite results."

It could easily help you spot source code containing common bugs without the need for a scientific model to predict vulnerabilities, but you should also consider the powerful source code search engine Koders, which is currently searching 225,816,744 lines of code and provides you with the option to segment your queries by programming language.

Related resources:
SecureProgramming.com - latest update January, 2005, useful links through
An overview of common programming security vulnerabilities and possible solutions
Insecure Programming by example
Top 7 PHP Security Blunders

Detailed Penetration Testing Framework

July 21, 2006
This framework is simply amazing, as it takes you through the entire process of penetration testing step by step, in between references to the tools necessary to conduct a test -- wish experience were a commodity as well. Best practices are prone to evolve the way experience does, so consider adding some of your know-how, and going through Fyodor's Top 100 Network Security Tools list in case you're looking for improved efficiency. It's not about the quality and diversity of tools but about the quality of the approach; still, the framework is a nice one to begin with.

Photo courtesy of IBM, featuring ethical hacker Nick Simicich. You may also find Secure DVD, a collection of the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery), handy.

Anti Virus Signatures Update - It Could Wait

July 21, 2006
It's a common myth that all AV vendors exchange the malware they come across among themselves, whereas that's obviously not always the case. And even if they don't, you'd better achieve a higher state of security by ensuring your PC or network is protected from the majority of known malware threats; the trouble is that the average end users, whose Internet connection speed is reaching that of an average ISP (metaphor), don't seem to bother because of the following concerns:

- it could wait
- it takes decades to update
- it would influence their superman's productivity
- where's the update button by the way?

From the press release of a commissioned survey :

"Harris Interactive® fielded the online survey among a nationwide sample of 2,079 U.S. adult computer users 18 years of age or older. The survey reveals that: Despite 55 percent being very confident or confident in the protectionoffered by the antivirus program on their computer, 42 percent have been affected by malware. A surprising 65 percent have postponed updating their virus protection. Of these adults, their top reasons for not updating are:

It was too disruptive to what they were doing on the computer - 38%
They thought it was something that could wait - 32%
They thought it would take too long - 27%
They weren’t sure how to update the antivirus program - 14%"

These very same end users are among the key factors in the successful assembling of botnets these days. If you secure the entire population, you'll end up with a secure sample itself, but the novice user's lack of incentives is ruining the whole effect -- and driving the DDoS protection tools market segment, of course. I also wonder how Gartner managed to estimate Panda Software's revenues and market share, given that, compared to the rest of the publicly traded companies, it's free from the burden of having stakeholders breathing down its neck.

Failures in Detection courtesy of VirusTotal.

When Financial and Information Security Risks are Supposed to Intersect

July 21, 2006
Interesting security event at Morgan Stanley's NYC headquarters related to insider abuse, mostly interesting because the clients' list and charged fees weren't even uploaded on any removable media, but forwarded to the consultant's private email account :

"A former consultant to Morgan Stanley has been arrested and charged with stealing an electronic list of hedge funds and the rates the investment bank charges them. The hedge funds are clients in the company's prime brokerage business. According to court documents, Chilowitz is accused of sending a copy of the firm's administrative client list and its client rate list for the prime brokerage business in February from Morgan Stanley's offices in New York to his personal e-mail account at his home in Virginia."

I once said that nothing's impossible, the impossible just takes a little while, but given who Morgan Stanley is when it comes to risk management and assessment, let's not say risk engineering -- psst, paying $15m in order not to pay $1.5B is such a sound investment -- they should have never allowed this type of info to leave over the Web.

Meanwhile, the WSJ is reporting that Employers Increasingly Firing Staffers for E-mail Violations :

"The news comes from the 2006 Workplace E-Mail, Instant Messaging and Blog survey from the American Management Association and the ePolicy Institute, according to the Journal. The survey found that more than a quarter of the employers queried had fired an employee for violating company e-mail policy, up 9 percent from the 17 percent of employers who let employees go for similar violations in 2001, the Journal reports. On top of this finding, the survey also said that 2 percent of respondents had fired workers for instant-message correspondences that weren’t appropriate, and another 2 percent of employers said they’d fired a staffer for posting distasteful content on a Web log—or blog—be it their professional or personal page, according to the Journal."

Security policies are not the panacea of security, they are the basics, so consider developing one and monitoring its effectiveness. My advice: think twice before feeling like a smart ass for exploiting your interns next time, and yes, fingerprint your most valuable IP assets as well.
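Fingerprinting IP assets, as mentioned above, is what makes the "forwarded to a home email account" scenario detectable at the mail gateway even though no removable media was involved. The following is an added illustration, not code from the original post or from any DLP product: it builds a fingerprint of a protected document as a set of hashed word shingles (a simplified form of the document-fingerprinting technique DLP products use), then measures how much of that document reappears in an outbound message. The shingle size (5 words), the 64-bit truncated SHA-256, the 10% overlap threshold, and the client list and emails are all assumptions constructed for the example.

```python
"""Document fingerprinting for outbound-mail checks (added illustration)."""
import hashlib
import re
from typing import Dict, List, Set

# Assumptions for this illustration (not from the post): 5-word shingles,
# SHA-256 truncated to 64 bits, and a 10% overlap threshold.
SHINGLE_WORDS = 5
THRESHOLD = 0.10

# Constructed sample data; not real Morgan Stanley records.
CLIENT_RATE_LIST = """\
client,strategy,prime_brokerage_rate_bps
Alpha Capital Partners,long-short equity,35
Beacon Ridge Fund,global macro,28
Cobalt Arbitrage LP,convertible arbitrage,42
Delta Harbor Advisors,event driven,31
"""

LEAK_EMAIL = """\
Hi, forwarding this to my home account so I have it after I leave.
Beacon Ridge Fund,global macro,28
Cobalt Arbitrage LP,convertible arbitrage,42
Talk soon.
"""

BENIGN_EMAIL = "Lunch at noon tomorrow? The quarterly numbers look fine, see you at the meeting."


def _words(text: str) -> List[str]:
    """Normalise to lowercase alphanumeric tokens so punctuation and
    whitespace changes (CSV vs. pasted text) do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Return the set of hashed k-word shingles of `text`.

    Only truncated hashes are stored, so the fingerprint database on the
    mail gateway does not itself contain the client list."""
    words = _words(text)
    shingles: Set[str] = set()
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k]).encode("utf-8")
        shingles.add(hashlib.sha256(gram).hexdigest()[:16])
    return shingles


def overlap(doc_fp: Set[str], outbound: str, k: int = SHINGLE_WORDS) -> float:
    """Fraction of the protected document's shingles that appear verbatim
    in the outbound message (0.0 = nothing shared, 1.0 = whole document)."""
    if not doc_fp:
        return 0.0
    return len(doc_fp & fingerprint(outbound, k)) / len(doc_fp)


def should_block(doc_fp: Set[str], outbound: str,
                 threshold: float = THRESHOLD) -> bool:
    """Policy decision: quarantine when enough of the document leaves."""
    return overlap(doc_fp, outbound) >= threshold


def scan_outbox(protected: Dict[str, Set[str]],
                messages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each message id to the names of protected documents it leaks."""
    hits: Dict[str, List[str]] = {}
    for msg_id, body in messages.items():
        leaked = [name for name, fp in protected.items() if should_block(fp, body)]
        if leaked:
            hits[msg_id] = leaked
    return hits


if __name__ == "__main__":
    fp = fingerprint(CLIENT_RATE_LIST)
    for label, body in (("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{label}: overlap={overlap(fp, body):.2f} block={should_block(fp, body)}")
```

Two caveats a practitioner would add: a fraction-based threshold lets a short excerpt of a very large list slip under it, so real deployments also trigger on an absolute count of matched shingles; and the check only sees the message if it runs where the plaintext is, on the mail gateway, the web proxy terminating the webmail session, or the endpoint, which is exactly the gap a policy document alone does not close.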

Budget Allocation Myopia and Prioritizing Your Expenditures

July 21, 2006
Top management's empowerment - the dream of every CSO, or IT manager responsible for allocating the infosec budget and requesting future increases. The biggest downside of your current or future empowerment is how easy it is to get lost in budget-allocation myopia instead of actually prioritizing your expenditures. According to Gartner, security is all about the percentage of the budget allocated:

"Organizations that have reached a high level of IT security practice maturity can safely reduce spending to between 3% and 4% of the IT budget by 2008, according to research firm Gartner Inc. By contrast, organizations that are inefficient or have historically underinvested in security may spend upwards of 8% of their IT budget on security. This means that many organizations will still be investing aggressively for the next few years. Rich Mogull, research vice president and conference chair of the Gartner IT Security Summit which starts in Sydney Tuesday, said that there are now solutions to most information security problems. "It's just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats," Mogull said. While information security has become a highly specialized branch of IT, commodity security functions are often being returned to IT operations. Organizations that are still impacted by everyday, routine threats must ramp up and become more mature in their approach."

I find this a wrong emphasis on higher spending as the cornerstone of "better security", and even if it were so, who is your benchmark at the bottom line? In a previous in-depth post on Valuing Security and Prioritizing Your Expenditures, I discussed the currently hard-to-implement ROSI model, and pointed out the following key points on data security breaches and security investments:

- on the majority of occasions companies are taking an outdated approach to security, one still living in the world of perimeter-based security solutions

- companies and data brokers/aggregators are often reluctant to report security breaches even when they have the legal obligation to, either because the breach still hasn't been detected, or because of a lack of awareness of what constitutes a breach worth reporting

- the flawed approaches to quantifying the costs of cybercrime result in overhyped statements in direct contradiction with security spending

- companies still believe in the myth that spending more on security means better security, but that's not always the case

- given the flood of marketing and the never-ending "media echo" effect, decision makers often find themselves living with current trends, not with the emerging ones, which is what they should pay attention to

There's also a rather simplistic explanation of the effect of industry convergence:

"Mogull also said that functional convergence in security products is occurring. For example, host firewalls, antivirus, antispam, and basic host intrusion prevention are combining into single, desktop agents. In the future, this will make security less complex, he said."

I wish the analyst had reached the stage of weighing the potential TCO increase against the benefits of diversifying appliances/products, a trade-off that naturally depends on one's perspective. Meanwhile, here's an article on how NOT to "sell security" to your CEO: CEOs tend to understand the basics of ROI, it's just the RO(S)I they want to see scientifically applied -- compliance is perhaps your best friend these days. It's not about the percentage of spending, but about what you're actually spending on, and when.

Go through a previous post on information security market trends to consider, and try to stay on top of security, not in line with it.