Is Past (Security) Performance Indicative of Future Results?

It’s a phrase you will see in the fine print of any document related to past performance of a money manager, mutual fund, or managed financial account: “Past performance is not necessarily indicative of future results.” The same disclaimer could easily be applied to information security products and their ability to stop threats.

The most obvious technology this statement applies to: anti-virus. While it does a great job at doing what it was designed to do–block known, malicious files–it has limitations in the kinds of malicious files it can identify. It can also be a source of additional vulnerabilities, such as what Google recently discovered in Symantec’s Endpoint products. I suspect any widely deployed security technology will suffer a similar fate: either the technology itself is attacked or the technology is rendered ineffective through innovation by the bad guys.

Where I think “past performance” is indicative with security products is how quickly security issues discovered in the product are remediated. Because let’s face it: every security product will be vulnerable to some discovered issue at some point. What ultimately matters is how quickly you remediate those issues.

For a company that uses “Prevention is Non-Negotiable” as their marketing message, Palo Alto Networks is not so good at fixing security issues discovered in their products. Here’s the latest example from the PAN-OS 7.1.4 release notes:

PAN OS 7.1.4 Fixed CVE

The National Vulnerability Database lists this as a high-severity issue. The time to issue a public patch? Nearly 6 months from date of discovery. Based on the response times Check Point has seen when security vulnerabilities were responsibly disclosed to them, this timeframe doesn’t seem all that surprising.

To be fair, it’s possible that Palo Alto Networks did a risk assessment on these issues and determined the likelihood of exploit is low enough that they didn’t need to fix these issues urgently. They may be right, but when you preach “Prevention is Non-Negotiable,” taking 6 months to fix a known security vulnerability in your product just looks bad. Actions, ultimately, speak louder than marketing.

Disclaimer: My employer, Check Point, believes in addressing issues like this quickly. These views, however, are my own.

Do You Really Need Threat Intelligence?

From Beyond Whack-A-Mole “Intel”:

In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?

To put it another way: you spend a lot of time figuring out what happened, but not why it happened. Not the technical reasons–those are easy–but who was behind the attack, what was their motivation, what are they really after, and so on.

The author of this piece suggests a need to actually perform this research–after whacking the mole, of course. I see a couple of problems with this suggestion:

  1. Most organizations are not actively targeted. They are merely collateral damage suffered from larger efforts to spread malware. These organizations lack the resources to do this sort of research anyway and, even if they did, barely have the resources to act on that information.
  2. The largest organizations that are actively targeted have the staff to do this (and they largely already are). Could they be better at it? Sure.

I’m not saying threat intelligence is a bad thing, I’m just saying in the hierarchy of information security needs, there are several base needs that must be satisfied first. Many organizations will never get to the point of needing this.

What I think would be useful to a larger percentage of organizations are tools that leverage threat research others are already doing and actually act on that research automatically. And no, I’m not talking about just IOCs (which will undoubtedly be part of this).

I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.

Disclaimer: My employer, Check Point, may or may not be working on such a thing, I don’t know. These views, however, are my own.

Resisting Comparison

From Sophos Blog: Thoughts on Comparative Testing

Cylance itself has acquired access to many other vendors’ products, including Sophos, and has been using them in its own competitive testing in public demos, in violation of end user licenses. In fact, Cylance just renewed its licenses for Sophos products through one of our partners. When Cylance acquires our software we don’t threaten the reseller. Note that despite our efforts, to date, Cylance has been unwilling to allow us to license its products.

As long as there has been a marketplace for products, vendors of products have always sought to acquire the competition’s products to understand if they are better and how. Likewise, third party analyst firms acquire products from a number of vendors in a space to compare and contrast them. No matter what vendors might try to do, including End User License Agreements to restrict product uses, these activities will continue unabated.

It seems silly to me that organizations deploy products to protect their critical assets without doing due diligence to make sure the products do what their marketing claims they do. That said, information security departments in companies of all sizes are understaffed and barely have the time to operate the tools they have, much less evaluate the efficacy of new tools.

A quality information security product should stand up to reputable third party scrutiny. Even if you don’t do a direct comparison yourself, there are plenty of analyst firms who do these sorts of comparative evaluations and publish their results (usually for a fee). While it’s impossible for vendors to participate in all third party testing and not all third party evaluations are created equal, a dearth of third party evaluations for a particular vendor’s products should be a huge red flag.

The one sort of scrutiny that no vendor can ignore is the scrutiny of the bad guys. They are guaranteed to find the product flaws you didn’t find in testing or didn’t find documented in the third party evaluation reports that you didn’t read.

Disclaimer: My employer, Check Point, also recently called out a competitor on their marketing claims. These views, however, are my own.

Good Password Hygiene Key To Protecting Social Media Accounts

From Miscreants breach NFL’s Twitter account, reveal its weak password

Online miscreants took over the National Football League’s Twitter account and used it to falsely report the death of league commissioner Roger Goodell.

During the brief span that @NFL was taken over, it followed exactly one new Twitter account—specifically, @IDissEverything, which has now been suspended. Before the account was suspended, it claimed the password protecting the NFL Twitter feed was “olsen3culvercam88.” The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after someone “managed to get into the email of a social media staffer at the NFL, where we found the credentials in a message.” It’s still not clear how the group got access to the e-mail account.

Between all the various password dumps that have taken place recently (32 million Twitter credentials, anyone?), generally poor password choices, and even poorer password hygiene, it seems a lot of social media accounts are getting hacked these days, including those of Facebook CEO Mark Zuckerberg and Twitter co-founder Ev Williams.

Given how people are slow to change their habits, I don’t see this trend changing anytime soon. To make matters worse, social media services themselves can have security issues, too. My colleagues at Check Point helped Facebook find a pretty serious issue in their Messenger application.

Earlier this week, I was interviewed by reporter Annie Gaus for an article on these credential breaches. The advice I was quoted giving in the article shouldn’t be anything you haven’t heard before. Now might be a good time to implement it, especially if you happen to be a high-profile person or someone who manages the social media accounts of organizations.

Use Strong, Unique Passwords For Each Site

If there’s one thing these recent site hacks taught us, it’s that using the same password on every site is a bad idea. People still generally pick passwords that, in the immortal words of Spaceballs, an idiot would have on their luggage!

So, yes, use a unique password on each site. Also, make sure it’s not something simple. Complexity is good. Length is better. Long and complex is even better!

My favorite way to get a sense how good of a password I’ve chosen is to use the Password Haystack page from Gibson Research. It’s not a “password strength meter” but it gives you a good idea how long it would take for your password to be guessed via brute force. There’s also some good advice on this page on how to construct a password that is both easy to remember and strong enough to hold up to brute force guessing.
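To make the Haystack idea concrete, here is an added example (my own code, not Gibson Research’s) that computes the same kind of exhaustive search space and time-to-exhaust estimate. The character-class sizes (26/26/10/33) and the three guess rates are assumptions modelled on what that page states; the leaked NFL password from the article is used as one of the sample inputs.

```python
import string

# Character classes and their sizes, following the Haystack method.
# The 33-symbol count (punctuation plus space) is an assumption taken
# from that page's description.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Guesses per second for three attack scenarios; figures are assumptions
# modelled on the Haystack page's online / offline / cracking-array cases.
SCENARIOS = {
    "online (1,000/s)": 10**3,
    "offline fast (100 billion/s)": 10**11,
    "massive cracking array (100 trillion/s)": 10**14,
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume: every class present in the password."""
    return sum(count for chars, count in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """All strings of length 1..len(password) over that alphabet (exact int)."""
    n = alphabet_size(password)
    return sum(n ** i for i in range(1, len(password) + 1))


def time_to_exhaust(password: str) -> dict:
    """Seconds to try the whole search space under each scenario."""
    space = search_space(password)
    return {name: space / rate for name, rate in SCENARIOS.items()}


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("centuries", 3_153_600_000), ("years", 31_536_000),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed comparison: the long lowercase+digit NFL password versus a
    # short but "complex" one. Length wins by many orders of magnitude.
    for pw in ("olsen3culvercam88", "Nf1!Goo$"):
        print(pw, "alphabet", alphabet_size(pw), f"space {search_space(pw):.3e}")
        for name, secs in time_to_exhaust(pw).items():
            print(f"  {name}: {human(secs)}")
```

Note that this is a worst-case exhaustive-search figure; a password built from dictionary words or a leaked list falls far faster than the search space suggests.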

Use A Password Manager

While it is true a password manager creates a single point of attack—and failure—a good password manager has several benefits that outweigh the risks. This assumes you use it with a strong master password, of course.

  • Provides a way to securely sync password vaults across multiple computers and mobile devices.
  • Allows you to use more complex passwords without having to remember them.
  • Provides an indication of the last time you used a specific password.
  • Provides an indication of the last time you changed a specific password.
  • Provides a mechanism to tell you when you are using the same password on multiple sites.

LastPass is my password manager of choice. Other people like 1Password. I can’t speak for others that may exist, though I can assure you they are not all created equal.

Use Two Factor Authentication

Many services now offer Two Factor Authentication, either using SMS or the relatively standard TOTP/HOTP tokens implemented by Google Authenticator, Authy, and others. While it does stop someone who has brute-force guessed your password from getting in with it, it doesn’t prevent someone from phishing you. Be careful out there!

If You’re Not Using a Social Media Account, Close It

Given people’s propensity to use the same login and password everywhere, and the ever increasing odds of sites getting hacked, close social media accounts you’re not using. That said, you might consider changing the password to something complex before you close it, on the off chance the service doesn’t actually delete your data and the site later gets hacked.

Assume All Social Media Is Public, Act Accordingly

This is not necessarily a security issue, and wasn’t one of the items highlighted in the article I was quoted in, but it is a privacy issue and important nonetheless.

Personally, I don’t think Facebook and the like are intentionally trying to make everything you do public (though plenty have good reason to think that). I’m saying this because, like everything else, social media accounts can and will be hacked. Or are vulnerable to issues through their API. Also, people can easily screenshot any social media interaction—including and especially private ones—and make it public instantly.

You’re better off assuming anything you input into social media, SMS, iMessage, WhatsApp, Telegram, or whatever can and will be made public. Act and share accordingly.

If You Have To Share Social Media Passwords, Do It Securely

While it is generally bad practice to share any passwords, individuals in companies who maintain a corporate social media presence often end up having to share credentials as a practical matter. Twitter is one common example.

If you absolutely have to do this, then you should not share passwords over email, SMS, WhatsApp, and so on in plaintext. These mechanisms, or the device you run them on, could be compromised in some way.

An encrypted container of some kind is the way to go. For example, I use Microsoft Word documents protected with Check Point Capsule Docs, which encrypts the document and allows me to restrict documents to specific individuals only. Only those individuals will be able to read the document. I can also restrict what they are able to do with the documents.

Another way to accomplish the same task: LastPass, which also has a password sharing feature.

Change Your Passwords Occasionally

Even if you use complex, unique passwords on every site, changing passwords occasionally is not a bad idea. Once a year is probably often enough, though some events may necessitate changing your password more often:

  • If it’s a shared password (see above), change it if someone no longer needs access to the account (e.g. when they leave the organization or change roles).
  • A breach is reported on a specific site.
  • If you got a password reset email that you didn’t request.

Changing your password will allow your password to be hashed with stronger algorithms, which sites will often switch to over time.

Disclaimer: If you don’t know by now, I work for Check Point Software Technologies. However, these are my own thoughts.