[SecurityRatty] tag: apparent

UPDATES GALORE! or, THE PRONOUN WE MEANS YOU AND ME!

Wed, 13 Aug 2008 11:24:17 +0000

So much traveling, so little blogging. Sorry everyone. I’ve gotta say first that I really enjoyed meeting readers and friends of the blog this past two weeks.

Today, allow me to update you on FAIR and the movement towards a formal, open standard. There’s a couple of cool things going on in our little risk-world.

First, The Open Group Security Forum continues to move towards a formal adoption of FAIR.

WHAT DO YOU MEAN “WE” - YOU GOT A STANDARDS BODY IN YOUR POCKET OR SOMETHING?

Our meeting in Chicago a few weeks ago was great, but also slightly disturbing for me. I got pronoun-confusion syndrome. I’m used to using the “we” pronoun to refer to RMI, or Jack and myself as we vet the models. So without even thinking I would said “we have been looking at how loss occurs, and may want to change the model some” and The Open Group Members freaked out (rightfully so). Adrian Seccombe gently reminded me that the “we” was now the Security Forum, and that “we” didn’t go changing things at will without vetting against each other. Man I love this stuff. I get to run our thoughts and ideas past some great folks now - you know, those smart people who tend to have really complex problems and are trying hard to solve them.

Formal Adoption: Soon, Very Soon Now

Formal Adoption basically means we’ve made this document, everyone is close to saying that they generally like it, and once that finally happens then “bam”, we’re ready to move onward and upward with better things (see Cookbooks, below). We’ve got a couple of changes to the current document that have been requested that aren’t a big deal. For example, one request is that we make some statement about general applicability of FAIR to risk domains outside of the IT realm. But once additions like that and others are done, this long process should be complete.

New Document Moving Towards Public Release:

We’ve got a basic document that should be public in the next few weeks on “What Makes a Good Risk Assessment Methodology” - written by yours truly and Jack. It’s a very high-level document, and serves two purposes:

For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document).
For those who “know” risk, it helps to re-establish some fundamental principles like the use of scales (ratio, please), the implications of dealing in probabilities, what attributes like consistency and defensibility mean, how “risk” should be reported to the business (something you know, meaningful) and so on.

When this doc is deemed ready for public consumption I’ll be sure to post on this blog here.

COOKBOOKS, EUROPEAN AGENCIES, AND, IRON CHEF “RISK” - WHOSE CUISINE WILL REIGN SUPREME?

One interesting thing that came up in the Chicago meeting was that ENISA (The European Network and Information Security Agency) developed a very nice document that reviewed something like 18 different risk assessment methodologies against their Criteria for Goodness. FAIR was one of the ones they reviewed, and we (the royal “we” used there to include all us FAIR-Folk) did awfully well. Things of interest:

They based their work on the current introduction paper which is not at all a step-by-step guide towards an organizational risk assessment (what ENISA really wanted) and we did pretty well. Well enough that if we had developed a paper along the lines of NIST 800-30 or OCTAVE for the use of FAIR in a formal process, we could have done really, really well. Like won-the-bake-off kind of well.
FAIR is actually not at all incongruous to many of the risk assessment methodologies offered, and in fact compliments many of them by letting those methodologies develop real, structured probabilities. Think OCTAVE, where they basically say “math is (probabilities are) hard, so if you want to do them for reals, good luck! But here’s a nonsensical way to do things if you want to believe in magic-fairy risk“. FAIR fits right in there by stomping on the magic-fairy risk with the jack-boots of rationality. FAIR similarly helps other risk standards that might lack structured probability development.

So The Open Group Security Forum decided that though we could create a new document and totally p0wn any future ENISA bake-off, there wasn’t much demand for the development of that documentation by the membership - a point which was made quite apparent at the beginning of the discussion when one large European company CISO asked “What’s ENISA?” Relevancy is everything, I suppose.

But that second item up there - the one about helping rather than competing with other “risk assessment methodologies” - really struck a chord. So “we” (The Security Forum) are going to develop some “Cookbooks” that basically are high-level documents that say “If you want to use FAIR with (OCTAVE/COSO/CoBIT/Whatever) here’s how it fits, makes it better, and improves your life. I’m pretty excited about these, and our first document looks like it’s going to be COSO integration.

THE OPEN GROUP SECURITY FORUM - THEY’RE A TRUSTING BUNCH (WITH QUALIFICATION, OF COURSE)

Finally, many people have asked me “Why work with The Open Group?” There are many reasons, to be sure, but I will give you one example. Members of the Security Forum there are not only great at vetting the model and getting consensus on risk and risk factors - but they’re quick to start applying. So in Chicago, I thought I’d be talking about FAIR and the standard and fighting groupthink. Nope. Not at all. In fact, the forum members spent more time suddenly discussing use of FAIR in a new Trust Model they’re developing. So all of the sudden, I’m part of a new and exciting project to develop a Trust Model - how cool is that? While formal adoption of the Trust Model will be necessarily long and deliberate - the collaboration and development is happening much faster than I can keep up with. But if you all will allow me, it will help me get my head around it all by blogging about it later this week. So be prepared to read about me dealing in “Trust” a little bit.

Take advantage of this settlement at TransUnion

Sat, 02 Aug 2008 11:31:04 +0000

Hey, it could save you against a theft of your personal data.

clipped from peterhgregory.wordpress.com

Apparent misdeeds result in free credit monitoring for?millions

A class action lawsuit against credit reporting bureau TransUnion has resulted in a settlement that will result in millions of U.S. citizens getting free credit monitoring for as long as nine months.

Fugitive spammer dead in apparent murder-suicide

Fri, 25 Jul 2008 07:29:26 +0000

Spammer and escaped convict Eddie Davidson shot his wife and three-year-old daughter before turning the gun on himself Thursday night in Bennet, Colorado.

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Lawmakers question another ISP about NebuAd service

Tue, 15 Jul 2008 20:00:00 +0000

Three powerful U.S. congressmen have questioned a Kansas Internet service provider's apparent decision to test a controversial behavioral advertising service that tracks users' Web activities, without notifying its customers of the test.

SQL attacks lob onto tennis association Web site

Thu, 03 Jul 2008 20:00:00 +0000

Visitors to the Association of Tennis Professionals Web site have potentially been infected with spyware after apparent lax security allowed a malicious script to be injected across its pages.

Canadian farmer personal information on stolen CCGA laptop

Sun, 08 Jun 2008 15:32:52 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Canadian Canola Growers Association (CCGA)

Victims:
Farmers

Number Affected:
~32,000

Types of Data:
"social insurance numbers, bank account numbers and other data"

Breach Description:
"OTTAWA, June 5 (UPI) -- Prairie farmers in Canada are upset the federal government waited two months to tell them a laptop computer containing their personal data was missing."

Reference URL:
Winnipeg Free Press
CBC News
United Press International

Report Credit:
Lindsay Wiebe, Winnipeg Free Press

Response:
From the online sources cited above:

About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen.

The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance.
[Evan] No offense to programmers, but in my experience the ways they use information can be some of the most dangerous threats to information security. There is no reason for a programmer to EVER have access to confidential production information. Programmers should only be permitted to work with scrubbed information in a test and/or development environment.

CCGA general manager Rick White described the theft as a classic "smash and grab."
[Evan] Also classic as in another organization that either does not know how or is unwilling to properly secure confidential information.

The laptop has the bank account numbers and social insurance numbers of farmers who applied for Agriculture Canada's advance payments program, which is administered by the CCGA on behalf of the federal government.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them

The federal department has sent letters out to all farmers affected by the theft.

The letter said the laptop was stolen from an undisclosed, remote location in Manitoba.

"We treat this very seriously," White said. "This is an unfortunate incident, a very low-risk one."
[Evan] Mr. White is probably not well versed in risk analysis. Or incident response for that matter.

the strict security measures being used on the laptop reduce the chances of information being misused, White said.
[Evan] Like what?

"There was a very strong password protection on it, [and] there was a biometric fingerprint reader on it," he said. "That would prohibit anyone other than the user or the person with the password to access the data on the laptop."
[Evan] These are "strict security measures"? My emphatic answer is NO! These "strict security measures" are easily bypassed.

but the data was not encrypted
[Evan] The missing piece of the puzzle. Why go through all of the (self-proclaimed) "strict security measures" and not employ encryption. What you get with full-disk encryption is pre-boot authentication and this defeats the boot to CD attack.

Agriculture Canada spokesman Sean Malone said there were security features on the laptop, but a sophisticated hacker could likely bypass them.
[Evan] No sophistication required. A novice could figure it out with Google, a CD, and 15 minutes.

So far, there have been no reports of identity theft among the farmers, the report said.

Pitblado LLP privacy lawyer Brian Bowman said the CCGA and agriculture department deserve credit for notifying people of the breach -- a move not required by Manitoba law.
[Evan] Just because CCGA is not required by law, doesn't mean that they deserve any credit for notification. The information belongs to the victims not CCGA, and as owners of the information don't you think they should be informed of an incident that has the potential affect them personally?

Victim Reaction:
"If they're devilish enough to steal a computer, maybe they're devilish enough to do something with the information,"

"What frustrates me is that they've treated this like it's no skin off their back,"

"They've known this since then and they're only getting the letters out now?"

"I don't want to find out a mortgage has been taken out on our farm."

Commentary:
It is bad enough for an organization to lose confidential information on a poorly protected laptop, but what makes this more troubling is the apparent fact that they still view the practice that led to the breach as a low risk. Clueless and sad.

Past Breaches:
Government of Canada:
December, 2007 - Passport Canada web site suffers serious breach
November, 2007 - Service Canada stolen laptop affects more than 1,600

AT&T management information on stolen laptop

Sun, 08 Jun 2008 14:28:48 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
AT&T

Contractor/Consultant/Branch:
None

Victims:
AT&T management personnel

Number Affected:
Unknown

Types of Data:
Compensation information, including employee names, Social Security numbers, and salary and bonus information.

Breach Description:
"An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop."

Reference URL:
PogoWasRight
SC Magazine
NetworkWorld

Report Credit:
PogoWasRight

Response:
From the online sources cited above:

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.
[Evan] Don't you think that a well known (and respected) company like AT&T would have had the forethought to encrypt laptops?

Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.

This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information

The laptop was stolen May 15 from the car of an employee

The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.

No customer or client data were on the stolen laptop.

the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.

AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."

"Usually these are property crimes in which the drive is wiped clean and resold for profit,"
[Evan] This used to be the case, but do you think the same still holds true today? If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it. Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record. Do the math and it soon becomes apparent that a thief can profit much more by selling the information. I presume that some thieves know this.

The employee who was in possession of the laptop when it was stolen has been disciplined.
[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it? If the employee was aware of his/her responsibilities, then I can understand the disciplinary action. If not, then AT&T has much bigger problems.

"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."
[Evan] Really? It is "up to the employee" to ensure that sensitive material is encrypted? Most of the users I work with wouldn't know the first thing about how to encrypt information. This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build. Encryption is then semi-transparent and we don't need to worry about an incident such as this. Take information security out of the hands of employees if feasible.

AT&T used the breach as a reminder that employees must follow policies.
[Evan] Hopefully this isn't the only time employees are reminded to follow policies.

We deeply regret this incident.

You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.

The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.
[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&T is "in the process of encrypting devices"? To AT&T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never. Explain this to the people affected.

AT&T is offering free credit monitoring to those affected

Victim Reaction:
"I'm very disappointed in my company,"

"Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Commentary:
Excellent work at PogoWasRight.org. Their report contains copies of the actual AT&T correspondence. Obviously, AT&T should have known better.

The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report. The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).

Past Breaches:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected

Pocono Mountain School District "irregularities"

Mon, 02 Jun 2008 08:36:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Pocono Mountain School District

Contractor/Consultant/Branch:
None

Victims:
Students and parents

Number Affected:
Unknown*

*"SCHOOL DISTRICT ENROLLMENT (2007-2008) 11,500 students K-12 (Current as of Oct. 17, 2007)"

Types of Data:
"Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers"

Breach Description:
"An apparent cyber break-in of Pocono Mountain School District's computer system has put at potential risk personal information about students and parents, the district announced Friday.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information."

Reference URL:
Pocono Mountain School District "Letter to Parents"
Pocono Record
The Morning Call

Report Credit:
Pocono Mountain School District

Response:
From the online sources cited above:

A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents, the district's superintendent said Friday.
[Evan] This statement is provided by Joe McDonald of The Morning Call. It is unclear if a "hacker" breached the system or if there was another cause for the "irregularities" reported at the school.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information.
[Evan] This is a quick notification. I think it is possible to be too quick in notifying victims, almost like The Boy Who Cried Wolf. It seems as though the school has not gathered the facts required to make a proper notification. Judge for yourself.

Frable said the district's technical staff had noted some irregularities during a routine security check Thursday night. "They detected some activity that seemed a little unusual," she said.

The technical staff is checking to see to what extent any personal information — and to whom it may belong — had been compromised.

The district referred the matter to Pennsylvania State Police at Swiftwater for further investigation, Frable said.

The information that may have been compromised includes the following: Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers.

"We don't know if anything was accessed," she said, adding that the district will contact anyone whose data had been found to be compromised. Frable also said that very few records include children's Social Security numbers.
[Evan] A breach involving children's personal information is especially bothersome.

We have conducted an internal investigation and suggest you take the following preventative measures now to help prevent and detect any misuse of your or your child’s information.

"As a first step to protect yourself from the possibility of identity theft, we recommend you closely monitor any accounts that may contain any or some of this information," Pfennig wrote in his letter to parents.

If you see any unauthorized activity, promptly contact your service provider and or office of the Executive Director of Technology at (570) 873-7121 Ext. 10151.

"We're just trying to do what's right by everyone," Frable said. "There's no reason to panic anyone, but people should just be cautious."
[Evan] Understandable, but some people will panic anyway. This is why it’s a good idea to gather facts before notification.

Parents got the letters when their children returned at the end of the school day, and at least one parent felt the school was being rather nonchalant.

''It sounds to me like they're trying to downplay it,'' said Ralph Ortega, who lives in Jackson Township. ''It's incredibly vague.''
[Evan] I agree. I question whether this is because there aren't enough facts available yet, or whether the school is not being square with the victims.

Commentary:
This breach leaves us with more questions than answers. People will speculate where there is a lack of clarity. I hope students and parents get the answers to the questions that they should demand answers too.

Past Breaches:
Unknown

SDL Training

Thu, 29 May 2008 11:22:00 +0000

Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsoft’s SDL process reflects that reality. The process is structured so that you really do have to look at each piece before you can sign off. But sometimes when others want to emulate the success of the SDL, they want to skip steps. They try to boil the SDL down into its component parts, like training, or tooling, or security response. Maybe the most common form of that mistake is training, but you see that same thinking applied to code scanning, security response, and just about every phase of the SDL. “Let’s just train everyone, and all our security problems will go away.” If only it were so easy. I’d like to take a few minutes to try to explain why it’s not really that easy from my own experience.

Have you ever sat in a corporate training? Some are good, some are bad, but did you ever say, “man I can’t wait for training today.” What about mandatory training? What about mandatory training in a subject that you really don’t think is your area? What if you had to do it every year, and got harassed if you didn’t do it? What if you were, say, an audio engineer and were dragged into a security class?

I ran the SDL training program at Microsoft for a long time, and developed and taught a big chunk of the training. I spent hundreds of hours in front of thousands of developers, testers, and program managers. I got some really good reviews (and a few bad ones) on the classes I offered. And I tried to do a lot of things to try to make the trainings interesting. I handed out dozens of fresh peaches in an early class on fuzz testing, for example. The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach.

But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren’t going to go back to their offices and spend weeks applying the lessons from the class, setting aside other things that are causing present and immediate problems in favor of something that is far off into the future.

You have to work at getting people’s attention – especially as it relates to security and privacy. From time to time, I would see people reading their mail in class, and I would point to them and ask them a question. That did not endear me to the audience as much as the peaches, but embarrassment is always fresh and in season. J

One student wrote of one of my classes, “the basics for secure design - could be replaced by non-anonymous site-wide exam with open material.” He was not alone, I assure you.

Is that an indication that our training, or any training, is pointless? Hardly, but training alone is not a change agent.

Richard Derwent Cooke wrote, “It is a first principle of Change Management that people will act in what they perceive as being their best interests.”

At best, training can provide people with insight into what they need to do to solve a security problem if they believe that solving that security problem is in their best interests.

To be effective, training needs to happen in an environment:

· Where expectations are clearly set (the SDL sets specific minimum requirements).

· People have appropriate incentives and consequences (security is a great career path at Microsoft, and nobody wants to be the one holding up a ship schedule for failure to meet a security requirement).

· Where tools and resources to accomplish the goals are available (we build a whole variety of tools that map to the SDL requirements).

· Where management models the behavior (recall the original BillG TWC memo).

· Where the environment reflects and supports the values presented in the training (apparent in everything Microsoft does).

Don’t make the mistake of thinking that a bunch of training, even really high quality training done periodically, will result in actual behavior change. It won’t. You have to build an environment where people perceive solving security problems as being in their best interests. You have to make security their problem – not in the sense of passing the buck, but in the sense of changing their behavior so they will bring security problems to you.

To illustrate further, I’ll cite two examples. First, fuzz testing. Fuzz testing has been a success story here at Microsoft. Tools arise spontaneously to solve new fuzzing challenges, written by people who believe the challenges are their challenges. There are people who feel ownership for our fuzzing strategy and on-going research and science, there are specific goals and requirements, we have training (remember the peaches?), and internally developed fuzzers have won prestigious awards within the company, handed out by members of the executive staff, and all of this gets revisited periodically as part of the SDL.

By contrast, I’ll choose a less successful area – defect estimation. On my own volition, I created (based mostly on some excellent material from Microsoft Research) and taught a class called “Defect Estimation and Management” and added it to the SDL curriculum. Microsoft is a great place to work in that regard. It was pretty close to the best-reviewed class I taught. But, we have not yet been able to establish a set of tools to estimate security defect density effectively, and establish a fair set of expectations, incentives, and consequences, or even decide what we should do if we had the data. We discovered some things, though. For example, based on what I observed (which should not be construed as rigorous research), it does not appear as if the density of general defects correlates closely with the density of security defects. And Microsoft Research found higher code coverage in testing correlates with higher bug rates in the field.

And so even though people like the idea of defect estimation, and we’ve got some interesting and surprising data, we’ve not yet been successful in changing people’s behavior. Generally speaking, an individual test manager does not feel that establishing a high quality estimate of their defect density is in his or her best interests, as compared to, say, improving the time in which an established series of tests can be performed .

We need to build an environment that has the tools, training, rewards and incentives, and expectations and consequences to change people’s behavior. Not that we’re not trying. But training won’t solve it alone, nor would tools, trophies, rants, testing, code review, or some edict from on high. The SDL is as much about changing the culture and influencing the behavior of individual engineers as it is anything else.

I’m convinced that Microsoft’s SDL process works because it addresses the end-to-end problem - from training through servicing, and provides a complete environment where people feel ownership of their part of the security problem and have the resources to solve it.

So the next time you find yourself sitting in some mandatory training, remember the lessons of the SDL (and most of the research on human performance management): training alone won’t cut it. If you want real behavior change, there have to be things outside the lecture room to influence people to change their behavior.