<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: withstand]]></title>
    <link>http://securityratty.com/tag/withstand</link>
    <description></description>
    <pubDate>Tue, 04 Sep 2007 18:14:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Data Protection and Disaster Recovery with iSCSI and VMware]]></title>
      <link>http://securityratty.com/article/4892cc521be107465b53216c82601fc9</link>
      <guid>http://securityratty.com/article/4892cc521be107465b53216c82601fc9</guid>
      <description><![CDATA[(Source: Dell &amp; VMWare) Data protection and disaster recovery are top of mind for any IT manager, and the challenges of complexity and cost remain as obstacles. EqualLogic virtualized iSCSI SANs and...]]></description>
      <content:encoded><![CDATA[<b>(Source: Dell & VMWare)</b> Data protection and disaster recovery are top of mind for any IT manager, and the challenges of complexity and cost remain as obstacles. EqualLogic virtualized iSCSI SANs and VMware Infrastructure 3 enhance the scalability, ease of use, and reliable operation of IT infrastructures to withstand failures and overcome disasters
]]></content:encoded>
      <pubDate>Mon, 05 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vmware">vmware</category>
      <category domain="http://securityratty.com/tag/data protection">data protection</category>
      <category domain="http://securityratty.com/tag/disaster recovery">disaster recovery</category>
      <category domain="http://securityratty.com/tag/vmware infrastructure">vmware infrastructure</category>
      <category domain="http://securityratty.com/tag/reliable operation">reliable operation</category>
      <category domain="http://securityratty.com/tag/iscsi sans">iscsi sans</category>
      <category domain="http://securityratty.com/tag/overcome disasters">overcome disasters</category>
      <category domain="http://securityratty.com/tag/withstand failures">withstand failures</category>
      <category domain="http://securityratty.com/tag/cost remain">cost remain</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/233342887/webcast.do">Data Protection and Disaster Recovery with iSCSI and VMware</source>
    </item>
    <item>
      <title><![CDATA[Measuring Vulnerability]]></title>
      <link>http://securityratty.com/article/0aa887e6ac30aa0e5eabdc87e110e135</link>
      <guid>http://securityratty.com/article/0aa887e6ac30aa0e5eabdc87e110e135</guid>
      <description><![CDATA[Third in the series regarding vulnerability
Apologies in advance, for the length of this post
In a perfect world
we’d know which specific threat agent was going to act against us and know the...]]></description>
      <content:encoded><![CDATA[<p>(Third in the series regarding vulnerability)</p>
<p>Apologies in advance, for the length of this post&#8230;</p>
<p><strong>In a perfect world&#8230;</strong><br />
&#8230; we’d know which specific threat agent was going to act against us and know the capability of that threat agent in absolute terms (e.g., pounds per square inch), as well as know (through testing) what our resistance capabilities are in those same absolute terms.  If we had this information AND assuming this information was precisely correct all of the time, vulnerability becomes a clear and simple binary consideration &#8212; we will be or we won’t be.</p>
<p><strong>Stating the obvious (anyway)</strong><br />
Losses occur when threat events take place that we’re vulnerable to.  This is true whether we’re talking about weather events, human error, or malicious acts.  Obviously, we don’t experience loss with every threat event, which means we’re only vulnerable sometimes &#8212; i.e., less than 100% of the time.  This means there is some probability associated with whether we’ll be vulnerable to any given threat event.  The process of measuring vulnerability is intended to help us understand what that probability is likely to be.</p>
<p><strong>Simplest approach</strong><br />
Perhaps the simplest approach is to identify the threat community you’re analyzing risk against and simply estimate your ability to resist the capabilities of that threat community.  For example, we might estimate that our web application is capable of resisting all but the top 2% of the cyber-criminal threat community &#8212; i.e., two out of a hundred hackers have the skill and resources to defeat the application’s security.</p>
<p>This works as a quick-and-dirty solution, and in many cases is good enough.  Read on if you’re interested in a somewhat more involved approach.</p>
<p><strong>Uncertainty</strong><br />
Unfortunately, in the real world we usually don’t know:</p>
<ul>
<li>Which threat agent is going to act next,</li>
<li>What their capabilities are, or</li>
<li>What our resistance capability is going to be</li>
</ul>
<p>Making matters even more challenging:</p>
<ul>
<li>We don’t have an absolute measurement scale for some threat categories (e.g., human capability)</li>
<li>Our measurements are imprecise (e.g., we can’t measure force or resistance perfectly)</li>
<li>One or more of the values being measured may vary over time (e.g., hurricane wind speed varies throughout the lifetime of the storm, and strength can change throughout the lifetime of a control)</li>
<li>One or more of the values being measured may vary across a population (e.g., not all hurricanes have the same wind speed)</li>
</ul>
<p><strong>When absolute scales apply</strong><br />
<em>(Warning:  This is an illustration and not an engineering exercise, for those who might want to argue details.)</em></p>
<p>Some types of threat categories can be measured using absolute scales (e.g., wind speed in miles per hour), which makes things a bit more straightforward.  For example, through testing we could estimate that a structure should be capable of resisting wind forces between 150 and 200 MPH.</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph1.jpg" alt="" width="246" height="153" /></p>
<p>By using a distribution to describe this measurement, we account for the fact that under some circumstances wind speeds of less than 150 MPH might compromise the structure, while in some circumstances the structure may be able to withstand speeds greater than 200 MPH.</p>
<p>If we wanted to measure the structure’s vulnerability to a specific type of storm (e.g., a tornado) we could plot a similar distribution for tornado wind speeds (black curve below).  This distribution reflects the fact that wind speeds vary from tornado to tornado, ranging from under 100 MPH to over 300 MPH, with most falling in the 200 MPH range.  (Keep in mind this is just an illustration and isn’t intended to reflect actual tornado data.)</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph2.jpg" alt="" width="246" height="153" /></p>
<p>In order to determine the probability of being vulnerable, we’d use a Monte Carlo function to:</p>
<ol>
<li>Take a random value from the tornado distribution and from the structural resistance distribution</li>
<li>Compare the values &#8212; i.e., for this iteration, determine whether wind speed was greater than resistance</li>
<li>If wind speed was greater, increment a counter that tracks the number of vulnerable instances</li>
<li>Repeat a thousand iterations (or ten thousand, a million, etc.),</li>
<li>After completing all of the iterations, the vulnerability counter divided by the number of iterations provides the probability of this structure being vulnerable to tornado winds</li>
</ol>
<p><strong>When an absolute scale doesn’t exist (the human threat community)</strong><br />
Human threat capability can be boiled down to skills and resources.  Because skills and resources vary from individual to individual, we can characterize threat community capability as a distribution.  At one end of the distribution are those threat agents who have the least capability, while at the other end are those who are the most capable.  As seems to be the case for most things in nature (e.g., weather events), the distribution is probably pretty close to being bell-shaped (i.e., the majority of threat agents fall somewhere below those who are most capable and above those who are least capable).</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph3.jpg" alt="" width="238" height="135" /></p>
<p>A “100% secure” control (if such a thing existed) could be illustrated as existing outside of the threat community capability distribution.  It would be 0% vulnerable.</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph4.jpg" alt="" width="238" height="135" /></p>
<p>More realistically, we can in most cases expect that some portion of the threat population would have the skill and resources to compromise a control (shown below).</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph5.jpg" alt="" width="238" height="135" /></p>
<p>Now, because of the uncertainties regarding threat capabilities and control strength, it would be more accurate to describe control strength as a distribution as well.  For example, we expect the control is at least resistant to 90% of the general threat population, and may be resistant to as much as 99%+ of the population.</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph6.jpg" alt="" width="238" height="135" /></p>
<p>This is fine as far as it goes, but it doesn’t get us the answer we’re looking for in most circumstances.  Most of the time it isn’t enough to know our vulnerability to the general threat population.  In most analyses, we want to know what our vulnerability is to a particular threat community (e.g., cyber criminals, nation-state intel units, etc.).  In that case, we’d have to plot the capability of the threat community in question (red distribution).</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph7.jpg" alt="" width="238" height="135" /></p>
<p>With that plotted, we can run our Monte Carlo function again, generating a probable vulnerability by taking random samples from the control distribution and the distribution of the specific threat community in question.</p>
<p>The key to measuring vulnerability in the absence of an absolute scale is to use the general population capability as the comparative baseline for both control strength and the capability of the threat community in question.</p>
<p><strong>Considerations</strong><br />
Of course, because some malicious threat communities tend to share knowledge and tools, there can be an equalizing effect, which potentially narrows the width of the threat capability curve (shown below) but likely wouldn’t change its fundamental bell-shape.  The good news is that this narrowing effect wouldn’t alter how we measure.  The bad news is that it does affect vulnerability, which we know intuitively anyway.</p>
<p><img style="vertical-align: middle;" src="http://www.riskmanagementinsight.com/media/images/weblog/vulngraph8.jpg" alt="" width="238" height="135" /></p>
<p>Another consideration is the fact that the capability of the malicious population evolves over time &#8212; i.e., the curve shifts to the right along the continuum.  For example, at one time in the past DES was considered invulnerable to brute force cracking.  It isn’t any longer.  In other words, we could say that the control stayed in place along the continuum, but the capability curve shifted to the right.  This highlights the fact that it’s important to maintain a bead on how threat capability evolves, so that you can evolve your defenses as well.  Also, this is good fodder for the importance of defense-in-depth.</p>
<p><strong>Concerns</strong><br />
An obvious concern is the inexact nature of these estimates and the potential for the analyst to estimate badly for various reasons.  We’ve covered this issue previously in other postings, so I won’t go into it in depth now.  Suffice it to say that yes, this is an imprecise measurement fraught with all of the goblins that any measurement approach is subject to.  That said, keep in mind a few things:</p>
<ul>
<li>The ability to estimate effectively can be significantly improved using <a href="http://en.wikipedia.org/wiki/Calibrated_probability_assessment">calibration techniques</a></li>
<li>There’s no such thing as a perfectly precise measurement, whether you’re using a laser or the width of your thumb to do the measuring.  Therefore, the purpose of measurement is to reduce uncertainty, not eliminate it</li>
<li>You can apply confidence levels to your estimates, both to describe the probability of actual values being outside of the estimated minimum and maximum, and to shape the peakedness/flatness of the curve</li>
<li>Monte Carlo analysis is designed to help account for the uncertainty in measures</li>
<li>You should never convey to management that these numbers are precise.  In my experience management won’t have any problem with this, as the numbers they’re given from other business disciplines have precision challenges of their own.</li>
</ul>
<p>Bottom line &#8212; If you’re trying to quantify risk, then you have to quantify vulnerability.  This is one logical means of doing so.  What’s more, it seems to accurately reflect how we subconsciously evaluate and quantify vulnerability anyway, only it brings the analysis to the surface.  And by bringing it to the surface, it allows us to better understand and analyze risk scenarios.</p>
<p>If there’s interest, I can provide a couple of examples in a future post.  Also, if there’s interest, I can include an example where the threat event is due to error rather than malicious intent.</p>
]]></content:encoded>
      <pubDate>Mon, 14 Apr 2008 10:31:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/threat capability curve">threat capability curve</category>
      <category domain="http://securityratty.com/tag/capability">capability</category>
      <category domain="http://securityratty.com/tag/human capability">human capability</category>
      <category domain="http://securityratty.com/tag/human threat capability">human threat capability</category>
      <category domain="http://securityratty.com/tag/describe control strength">describe control strength</category>
      <category domain="http://securityratty.com/tag/control strength">control strength</category>
      <category domain="http://securityratty.com/tag/capability curve">capability curve</category>
      <category domain="http://securityratty.com/tag/threat community capability">threat community capability</category>
      <category domain="http://securityratty.com/tag/control">control</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=348">Measuring Vulnerability</source>
    </item>
    <item>
      <title><![CDATA[What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?]]></title>
      <link>http://securityratty.com/article/c9945cfe64ffaf97ac8736318bf1f990</link>
      <guid>http://securityratty.com/article/c9945cfe64ffaf97ac8736318bf1f990</guid>
      <description><![CDATA[Last week Slashdot pointed me to an interesting article in The Standard
Understanding anonymity and the need for biometrics
In fact, I found the article to be rather upsetting. Not because of the...]]></description>
      <content:encoded><![CDATA[<p>Last week Slashdot pointed me to an &#8220;interesting&#8221; article in The Standard:<br />
<a href="http://www.thestandard.com/news/2008/03/19/understanding-anonymity-and-need-biometrics">Understanding anonymity and the need for biometrics</a>.</p>
<p>In fact, I found the article to be rather upsetting.  Not because of the article&#8217;s thesis that strong authentication through a national ID program would not necessarily pose a threat to privacy; but rather, because of their naive (and irresponsible) handling of the realities of the biometric authentication challenge. They gloss over the real security challenges with creating a national biometric infrastructure.  Here are the two quotes that are most misleading:</p>
<ul>
<li><strong>&#8220;Confusing privacy with anonymity has delayed implementation of robust, virtually tamper-proof biometric authentication to replace paper-based forms of ID that neither assure privacy nor reliably prove identity.&#8221;</strong></li>
<li><strong>&#8220;This emerging technology makes it virtually impossible to assume someone else&#8217;s unique identity.&#8221;</strong></li>
</ul>
<p>The problem that the authors are glossing over is that no such technology exists today, and it is unlikely to ever exist. Now, to be fair, I am assuming that a critical success factor for any national biometric program, as described, would be that the authentication devices have to be available, and usable, anyplace paper-based IDs can be used today. This of course implies that the authenticator must be an inexpensive, commodity device, easy to purchase, maintain, and operate. Such a device would have to be even more ubiquitous than the electronic credit card machine.</p>
<p>The problem is that the authenticator itself may be in the possession of the attacker (Perhaps after you authenticate your legitimate purchase the clerk desires to use your identity herself&#8230;). In the history of security controls, when the attacker has unsupervised at-will physical access, the attacker wins. Here are a few examples:</p>
<ul>
<li>Defeated copy protection on DVDs (<a href="http://en.wikipedia.org/wiki/Jon_Lech_Johansen">more</a> &amp; <a href="http://it.slashdot.org/it/08/03/21/1241234.shtml">more info</a>)</li>
<li>Cold Boot Crypto Attack on hard disk encryption (<a href="http://www.engadget.com/2008/02/21/cold-boot-disk-encryption-attack-is-shockingly-effective/">more info</a>)</li>
<li>MiFare RFID Cards (<a href="http://www.pcworld.com/article/id,143371-pg,1/article.html">more info</a>)</li>
<li>Skimming devices attached to ATM machines to steal card and PIN data (<a href="http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming">more info</a>)</li>
</ul>
<p>Of course, all of these systems worked in the lab. But when a security system is widely deployed, it has to withstand an enormous amount of scrutiny, and minor flaws will be exploited. And of course, the greater the financial gain, the greater the time and energy attackers invest in trying to defeat the system. The authors of the article ignore these issues, idealistically assuming biometrics will just work.</p>
<p>Now, of course there are lots of examples where biometrics work very effectively. But I would propose that biometric authentication is most useful when the authentication device is physically secure and the authentication itself is supervised. The MiFare example above also demonstrates two other issues:</p>
<ul>
<li>The system chose not to implement a reviewed and standard cryptographic algorithm - always a bad idea</li>
<li>MiFare was able to sell 1 billion cards and authenticators before the system failed</li>
</ul>
<p><strong>The cost of investing in a national biometric authentication program, and then having the security fail, is enormous.</strong> Can you imagine deploying a biometric authentication infrastructure to every bank, police car, restaurant, shop, etc. and then having video on YouTube of it being defeated?</p>
<p>- Erik</p>
<p>BTW, maybe the attacker doesn&#8217;t even need to tamper with the device: ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg</p>
<p><a href="http://artofinfosec.com">Art of Information Security</a> would <a href="http://artofinfosec.com/feedback/">love your feedback</a>!</p>
<p><a href="http://artofinfosec.com/48/what-do-the-cold-boot-crypto-attack-dvd-players-and-mifare-tell-us-about-the-future-of-biometrics/" >What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?</a></p>
]]></content:encoded>
      <pubDate>Tue, 25 Mar 2008 21:16:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/biometric authentication">biometric authentication</category>
      <category domain="http://securityratty.com/tag/biometric authentication infrastructure">biometric authentication infrastructure</category>
      <category domain="http://securityratty.com/tag/biometric authentication challenge">biometric authentication challenge</category>
      <category domain="http://securityratty.com/tag/tamper-proof biometric authentication">tamper-proof biometric authentication</category>
      <category domain="http://securityratty.com/tag/authentication">authentication</category>
      <category domain="http://securityratty.com/tag/authentication device">authentication device</category>
      <category domain="http://securityratty.com/tag/mifare">mifare</category>
      <category domain="http://securityratty.com/tag/tamper">tamper</category>
      <category domain="http://securityratty.com/tag/biometrics">biometrics</category>
      <source url="http://feeds.feedburner.com/~r/artofinfosec/~3/257983662/">What do the Cold Boot Crypto Attack, DVD Players, and MiFare tell us about the Future of Biometrics?</source>
    </item>
    <item>
      <title><![CDATA[Supporting your family, friends, and neighbors]]></title>
      <link>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</link>
      <guid>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</guid>
      <description><![CDATA[By Steve Riley
Senior Security Strategist
Trustworthy Computing Group, Microsoft Corporation
originally published at http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx
Ive met...]]></description>
      <content:encoded><![CDATA[<h6>By Steve Riley<br>Senior Security Strategist<br>Trustworthy Computing Group, Microsoft Corporation<br>(originally published at <a title="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" target="_blank">http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx</a>) </h6> <p>I’ve met thousands of IT pros during my years speaking at conferences around the world. And if there’s one thing that’s true for all of us it’s that all IT pros become support professionals for their family, their friends, and their neighbors—your “FFN” base, as I call it. And, like doctors, we’re expected to provide this kind of support for free!</p> <p>Once upon a less-demanding time, these questions were rare and usually involved things like setting up Windows, configuring printers, snarfing from the free wireless network across the street—the sorts of things that normal people don’t do when going about their daily lives (face it, we IT pros aren’t <em>normal</em>). So the monthly late-evening phone call usually wasn’t a burden. Alas, those days are now nothing more than wistful memories.</p> <p>You see, the bad guys (and, increasingly, girls) who lurk in the Internet’s dark alleys and secret passages have discovered that those who constitute your FFN are prime targets for their reprehensible ways. The millions of home computers squatting on kitchen counters and in bedrooms don’t enjoy the protection that corporate PCs do—no fortified network, no centralized administration and updating, no traffic inspection, no security policies. Rarely do the people in our FFNs possess detailed security knowledge, so home computers are ripe targets for attack. 
The bad guys know this, and they’re rapidly taking over as many machines as they can get their grubby little hands on.</p> <p>For a while now, Microsoft has provided easy-to-follow guidance for home users at our <a href="http://www.microsoft.com/protect" target="_blank">Security at Home site</a>. This is an excellent resource, with information on how to protect your computer, yourself, and your family. However, we can’t do it alone—we need your help! Maybe it’s already happened to many of you; if not, it’ll happen soon: you’ll become a security consultant for your FFN. That’s right, you. Stop glancing around the room, don’t slink down in your chair and hope I won’t see you. Your FFN is having security problems right now, and they need your help.</p> <p>What to say, you ask? Where to go for guidance on how to talk to your FFN? It’s the same place: <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. I’ll review some of the most important steps you can take.</p> <h3>Four steps to protect your computer</h3> <p>These aren’t optional; they aren’t open for debate. At the very minimum, all computers connected to the Internet should follow these steps.</p> <ol> <li>Keep your firewall switched on.</li> <li>Keep Windows up to date.</li> <li>Use updated antivirus software.</li> <li>Use updated antispyware software.</li></ol> <p>Computers running Windows Vista or Windows XP Service Pack 2 (SP2) already have firewalls that are enabled by default. <em>Leave them running.</em> I’ve yet to see any example of applications typically run on home computers that would break because the firewall is running. There’s simply no excuse for running a PC connected to the Internet without a firewall. Computers running anything older than Windows XP SP2 should be upgraded immediately—and this is again where you can help.
Visit your FFN and ensure that everyone has installed the service pack.</p> <p>Make a habit of ensuring that the automatic update client is running whenever you visit your FFN. This feature exists for them and minimizes the amount of work you need to do. Let Microsoft take care of patch management for your FFN—outsource it to us by making sure that all computers are downloading and installing updates automatically.</p> <p>Simply using a firewall and installing updates can be enough to protect a computer from most attacks. But as we security consultants (stop looking around the room again!) know, attackers don’t target only computers. They target people, often by concealing malicious software inside tempting packages delivered by e-mail or Web sites. We call this the “dancing pig” phenomenon—no amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen! So to add to a home computer’s defense, we need utilities that detect and remove malicious software. Antivirus and antispyware tools can take care of this for you. (Yes, you need both; they detect different kinds of attacks.)</p> <p>The case could be made that antivirus and antispyware tools aren’t necessary for computers whose users are highly skilled, security savvy, and have an experienced feel for recognizing malware before it strikes. Indeed, I’ve written about this before (<a href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank">"Antivirus software—who needs it?"</a> and <a href="http://blogs.technet.com/steriley/archive/2007/09/25/more-on-the-necessity-of-antivirus-software.aspx" target="_blank">"More on the necessity of antivirus software"</a>). However, for my FFN, antivirus and antispyware are requirements. They should be for your FFN, too.</p> <p>The Malicious Software Removal Tool also helps to eliminate malware.
It’s updated each month through the automatic update client and runs the next time a computer boots. It scans for and removes common malware like certain prevalent worms and rootkits. Since the tool’s introduction, millions of computers have been cleaned of billions of pieces of malware.</p> <p>If you need to quickly scan a computer for malware, try the Windows Live OneCare safety scanner. It’s free, and it might be a useful habit for you to develop every so often when you get a call from an FFN. There are two versions of the scanner. One is for <a href="http://onecare.live.com/site/en-us/default.htm" target="_blank">Windows XP</a>, the other is a <a href="Safety scan for Windows Vista" target="_blank">beta for Windows Vista</a>.</p> <p>What about ensuring that your FFN runs as non-admin? That would be an excellent step, but a lot of software written for the home market still requires being an admin to install and run (yeah, not everyone realizes the Earth is round). Such software should be tossed in the junk bin—yet if you need to manage some knitting projects, and there’s only one program you can find that works for you, sigh… Non-admin is a tough call. Perhaps you can enforce it on the home network in your own house, since you’re right there. Enforcing it on the computers in your FFN, though, might end up creating more work for you.</p> <h3>Keep your information more secure</h3> <p>Spam and scams are the techniques most bad guys use to steal your information to try to assume your identity. I don’t like the common term “identity theft”—how can you really steal someone’s identity? You can steal a purse, thus denying the purse’s benefit to its original owner. But you simply can’t take away someone’s identity. Think of identity theft as a form of <em>impersonation attack</em> (it’s like spoofing a human, I suppose). To impersonate you, the bad guy needs to obtain information about you.
Phishing scams and spam lure millions of unsuspecting folk (these would be your FFN) into divulging secret details they’d never tell their pastors or principals or parents.</p> <p>To reduce the likelihood of having your identity impersonated, teach your FFN to follow a few simple steps.</p> <ol> <li>Use the phishing filter that’s built into Internet Explorer 7.</li> <li>Reduce the amount of spam in your e-mail.</li> <li>Use good passwords online.</li></ol> <p>The phishing filter in Internet Explorer 7 includes a long list of known phishing sites, and it warns users if a site they’re visiting is on the list or exhibits characteristics typical of phishing sites. The filter can communicate with an online service to keep itself updated—and this is important, since phishing sites often disappear after just a couple days.</p> <p>Windows Live Hotmail, Windows Live Mail, and Windows Mail—probably the most common mail programs in your FFN—include technology to reduce spam. Their spam filters are updated regularly through Microsoft Update, which is yet another excellent reason for keeping the automatic update client enabled. Also be sure that you configure them to block images in HTML mail, which are often used for secretly tracking whether someone’s read a message.</p> <p>Don’t forget to teach your FFN about basic techniques they can learn to become more security savvy. Common practices include disguising your e-mail address on discussion boards (me AT example DOT com), using a separate e-mail address for newsletters and online transactions (yes, you can have more than one Hotmail account), and being aware of prechecked boxes on Web forms that will result in things you didn’t want—for example, various toolbars, sharing your e-mail address with “partners,” or signing you up for newsletters that you can’t unsubscribe from.</p> <p>Similarly, spam becomes easy to spot once you get in tune with its characteristics. Don’t reply to any message that wants personal details.
It’s highly unusual; legitimate sites will use Web pages to sign up for services or maintain accounts. If you get an e-mail message that appears to come from your bank, don’t read it—delete it. Then call your bank; if they need something from you, their customer service department can handle it. Legitimate businesses simply don’t use e-mail to conduct account maintenance transactions, <em>because e-mail itself is insecure.</em> Never click on links to any kind of online payment service you use; instead, type the address directly into the browser’s address bar. If you hover your mouse over a link, the real URL appears in a small box—and if they don’t match, then yep, the e-mail message is definitely fraudulent.</p> <p>While working with your FFN, make the link between online safety and personal safety. Most of us wouldn’t wander down random smelly alleys in isolated parts of the city during the middle of the night. It’s the same with your e-mail. Ignore attachments you don’t expect, avoid pleas for giving to “charities,” dismiss any messages that promise easy money, and don’t reply to any spam—all this does is confirm that your e-mail address is legitimate, guaranteeing that you’ll get more. Teach your FFN to make regular use of <a href="http://www.snopes.com" target="_blank">Snopes.com</a>, one of the best sites on the Internet for learning whether something is legitimate or a scam. Type a few words from the suspicious e-mail message into the site’s search box and see what the results are.</p> <p>Web sites often require you to log on. This means you need to create a user ID and password for every site you might visit. There’s a lot of discussion about what constitutes a “good” password; personally, I’m a fan of length rather than complexity. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. 
A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:</p> <ul> <li>Web mail: "my dog and i got the mail"</li> <li>Shopping: "my dog and i bought some stuff"</li> <li>Office: "my dog and i went to work"</li></ul> <p>If you don’t follow this kind of system, eventually you’ll start to forget which password you used on which Web site. Ugh, how can you manage it all? How can you have strong and unique passwords on the 60 different sites you visit every day? If the site uses basic authentication, you can instruct Internet Explorer to remember its password—however, few sites use this method. Instead, forms-based authentication is far more common, and Internet Explorer can’t remember these. Some sites have “Remember my password” checkboxes on the logon forms, which cause the site to store your password in an encrypted cookie (this is fine). There are many third-party programs you can use to manage passwords; one popular and well-regarded one is the free <a href="http://passwordsafe.sourceforge.net/index.shtml" target="_blank">Password Safe</a>.</p> <h3>Won’t all this just overwhelm my FFN?</h3> <p>Not really. Ordinary people subconsciously make security and safety decisions every day—going to the same hot dog vendor you’ve always trusted, changing lanes after verifying the target lane is unoccupied, walking along known streets with good lighting. Being safe online is really no different than being safe in the real world. Yet, online, people have a tendency to move toward one of two extremes—trusting everything they read and receive or becoming suspicious and essentially refusing to engage in anything online. 
Maybe it’s because online threats use scary language (like “identity theft”) and receive attention that far outweighs the risks (like child predators).</p> <p>The threats we all face daily online are really no different than the threats we’ve all faced ever since we came down from the trees. This doesn’t mean we should ignore them or become too agitated. It means that we can apply the common sense most of us already have, aided with numerous tools and bits of good advice from software vendors, and—most importantly—a cadre of IT pros who can help their FFNs become savvy enough to protect their computers, themselves, and their families so that they can integrate the vast power of the Internet into their normal routines and enjoy everything it has to offer.</p> <p>This article gave you some starting points for conversations with your FFN. There’s far more to explore. Spend an evening perusing the resources we’ve provided for you at <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. We’re regularly updating the pages here to ensure that the information is current and relevant for home users. We’ve also created a newsletter specifically for home computer security, an online safety and security magazine, and several videos that cover a variety of security topics.</p> <p>One more thing: accept our humble thanks for your help. We believe that you, our IT pros, can become the most valuable element in spreading the message of how to be safe and secure online. Thank you!</p>]]></content:encoded>
      <pubDate>Wed, 13 Feb 2008 14:45:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/suspicious e-mail message">suspicious e-mail message</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/home computers defense">home computers defense</category>
      <category domain="http://securityratty.com/tag/home computers">home computers</category>
      <category domain="http://securityratty.com/tag/e-mail">e-mail</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/web mail">web mail</category>
      <category domain="http://securityratty.com/tag/windows live mail">windows live mail</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/13/supporting-your-family-friends-and-neighbors.aspx">Supporting your family, friends, and neighbors</source>
    </item>
    <item>
      <title><![CDATA[8-day IT outage would cripple most companies]]></title>
      <link>http://securityratty.com/article/b84c242f90d275c49f3cadad1acb4556</link>
      <guid>http://securityratty.com/article/b84c242f90d275c49f3cadad1acb4556</guid>
      <description><![CDATA[A Gartner poll of information security and risk management professionals released Thursday shows that most business continuity plans could not withstand a regional disaster because they are built to...]]></description>
      <content:encoded><![CDATA[A Gartner poll of information security and risk management professionals released Thursday shows that most business continuity plans could not withstand a regional disaster because they are built to overcome severe outages lasting only up to seven days.]]></content:encoded>
      <pubDate>Wed, 09 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk management professionals">risk management professionals</category>
      <category domain="http://securityratty.com/tag/overcome severe outages">overcome severe outages</category>
      <category domain="http://securityratty.com/tag/business continuity plans">business continuity plans</category>
      <category domain="http://securityratty.com/tag/gartner poll">gartner poll</category>
      <category domain="http://securityratty.com/tag/regional disaster">regional disaster</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/days">days</category>
      <category domain="http://securityratty.com/tag/thursday">thursday</category>
      <category domain="http://securityratty.com/tag/withstand">withstand</category>
      <source url="http://www.networkworld.com/news/2008/011008-eight-day-it-outage-would-cripple.html?fsrc=rss-security">8-day IT outage would cripple most companies</source>
    </item>
    <item>
      <title><![CDATA[My Review of Tiger Team]]></title>
      <link>http://securityratty.com/article/8172fc1d0a920f88c19010ca6d18d739</link>
      <guid>http://securityratty.com/article/8172fc1d0a920f88c19010ca6d18d739</guid>
      <description><![CDATA[That was not what I expected but that is mostly due to my definition of penetration test being way too narrow. Tiger Team ends up being a It Takes a Thief knockoff with a tech twist. In my book that...]]></description>
      <content:encoded><![CDATA[<p>That was not what I expected, but that is mostly due to my definition of penetration test being way too narrow. Tiger Team ends up being a &#8220;<a href="http://dsc.discovery.com/fansites/ittakesathief/ittakesathief.html" target="_blank">It Takes a Thief</a>&#8221; knockoff with a tech twist. In my book that makes for some good TV. I really enjoy &#8220;<a href="http://dsc.discovery.com/fansites/ittakesathief/ittakesathief.html" target="_blank">It Takes a Thief</a>&#8221;, which is basically two reformed thieves breaking into people's houses. I always thought it would be cool to do that with businesses, since really most homes have pretty weak defenses. Clearly it was a great idea, since that is what Tiger Team does.</p>
<p>If you are looking for the latest cutting-edge computer hacking techniques, you are not going to get them in this show. The computer angle is only mentioned in passing and in very general terms. This makes sense because most people watching this are not going to understand or even care. They do use some good tech hacks though. They plant a remote control trojan in Episode 1, and in Episode 2 use a wireless cam and get into the customer's servers by posing as PC repair people.</p>
<p>Otherwise it is a thoroughly entertaining lesson in the frailties of physical security. They break into some insanely security-conscious places (a super high-end jewelry store and a rare auto dealership) and make out with the goods. This is a real wake-up call for everyone and pretty much mirrors what I said in my <a href="http://www.grumpysecurityguy.com/penetration-test-vs-assessment/" target="_blank">pen test vs assessment</a> post. Not many organizations can withstand a direct, focused attack, either physical or electronic, on their resources.</p>
<p>I hope to see some more of these; they are a blast to watch.</p>
]]></content:encoded>
      <pubDate>Wed, 26 Dec 2007 21:27:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tiger team">tiger team</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/repair people">repair people</category>
      <category domain="http://securityratty.com/tag/security stories">security stories</category>
      <category domain="http://securityratty.com/tag/pretty">pretty</category>
      <category domain="http://securityratty.com/tag/pretty weak defenses">pretty weak defenses</category>
      <category domain="http://securityratty.com/tag/penetration test">penetration test</category>
      <category domain="http://securityratty.com/tag/physical security">physical security</category>
      <category domain="http://securityratty.com/tag/rare auto dealership">rare auto dealership</category>
      <source url="http://feeds.feedburner.com/~r/GrumpySecurityGuy/~3/206755218/">My Review of Tiger Team</source>
    </item>
    <item>
      <title><![CDATA[Password policies. Once again.]]></title>
      <link>http://securityratty.com/article/cf7409e9ae19a733e3eaa177558b33cc</link>
      <guid>http://securityratty.com/article/cf7409e9ae19a733e3eaa177558b33cc</guid>
      <description><![CDATA[Recently in the newsgroups ( news:microsoft.public.security , to be specific) the question of password polices and the out-of-box defaults came up. The poster lamented a number of things: that...]]></description>
      <content:encoded><![CDATA[<P>Recently in the newsgroups (<A href="news:microsoft.public.security">news:microsoft.public.security</A>, to be specific) the question of password policies and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn't enable account lockout by default, that we don't have a built-in mechanism for automatically disabling unused accounts, that the 42-day default expiration is troublesome. Here's my response; figured that it would make for a useful blog post, too. 
<H4>Account lockouts</H4>
<P>Account lockout is a poor substitute for good passwords -- and is one of the most expensive security features you can use. Let's think about this by considering the threat. What threat does account lockout (attempt to) mitigate? Password guessing. How can you make password guessing attacks become useless for an attacker? Two ways: implement lockouts or use good (meaning long) passwords. 
<P>Consider the first choice, account lockouts. The typical cost to an organization to reset locked accounts is US$75 per help desk call. In a medium or large organization, this can become a very high monthly maintenance cost. In nearly all instances, the call results from users locking themselves out (too many vodka tonics on the plane, maybe?), not users encountering locked out accounts because some bad guy was trying to guess passwords. Account lockouts have one more -- very bad -- problem: they <EM>create</EM> opportunities for bad guys to conduct denial-of-service attacks against accounts or entire domains! Even if you use a timed unlock of, say, 15 minutes, then the attacker can write his script to churn through thousands of bogus logon attempts every 15 minutes 2 seconds. So, contrary to the&nbsp;claim, enabling this setting actually can have significant impact on usability. 
<P>Account lockout is there for people who absolutely need it. But I can't think of any instance where this is true. Instead, have a policy that requires simple passwords at least 15 characters long. Forget about complexity rules that force people to write down passwords. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish: 
<UL>
<LI>web mail: "my dog and i got the mail"</LI>
<LI>shopping: "my dog and i bought some stuff"</LI>
<LI>office: "my dog and i went to work"</LI></UL>
<P>This is why we disable account lockout by default. There are much better -- and much less expensive -- ways to mitigate the threat. 
<H4>Disabling unused accounts</H4>
<P>You're right, there's no built-in method to automatically disable unused accounts. A variety of third-party products can provide you with this functionality. I suspect some of them might be free, perhaps simple scripts even. I tried searching on "automatically disable unused accounts" and saw a few hits that looked promising. This particular function, however, rightly belongs in the HR process. A number of customers I've spoken with have automated the account creation/disablement/deletion process, incorporating it into HR systems. When a new user is hired, the account is created; when the user departs, the account is disabled; some time later, it's deleted. The HR systems take care of this, not domain or enterprise administrators. I wrote more about this subject in "<A href="http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx" target="_blank">When you say goodbye to an employee</A>." 
<H4>Password expiration</H4>
<P>Password expiration is an important setting for everyone. It mitigates two threats: employees sharing passwords and bad guys discovering passwords. Because we can eliminate the second threat using long simple passphrases as I described above, then we have only one remaining threat: password sharing. Your estimation of how prevalent this threat is in your environment will guide you toward choosing an expiration time that works for you. 42 days is a reasonable default; our own corpnet uses 70 days. My experience with most customers shows that password sharing isn't a problem. So for those who do enforce long simple passphrases, I suggest that a reasonable default for expiration is 120 days. 
<P>Windows begins notifying you 14 days before your password expires. You can change this time period through group policy. I was in a similar situation recently. Last month my domain password expired while I was in Australia for TechEd there. I could continue to log on to my laptop with cached credentials, but couldn't use Outlook Web Access or RPC+HTTP of course. So I connected to a Terminal Server computer we have on the Internet, logged on there, and changed my password.</P>]]></content:encoded>
      <pubDate>Tue, 04 Sep 2007 18:14:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/account">account</category>
      <category domain="http://securityratty.com/tag/enable account lockout">enable account lockout</category>
      <category domain="http://securityratty.com/tag/password">password</category>
      <category domain="http://securityratty.com/tag/account lockouts">account lockouts</category>
      <category domain="http://securityratty.com/tag/disable account lockout">disable account lockout</category>
      <category domain="http://securityratty.com/tag/42-day default expiration">42-day default expiration</category>
      <category domain="http://securityratty.com/tag/default">default</category>
      <category domain="http://securityratty.com/tag/expiration">expiration</category>
      <category domain="http://securityratty.com/tag/password expires">password expires</category>
      <source url="http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx">Password policies. Once again.</source>
    </item>
  </channel>
</rss>
