
August 30, 2006

Consumer Reports Virus Test

If you haven't seen the news reports, Consumer Reports has been catching quite a bit of flak for their recent test of antivirus products. The methodology they used was to take existing viruses, modify them in some way, and then test to see which virus scanning products picked up their "new" viruses. Apparently many people in the security community think this is a Bad Idea because it involves the creation of "new" viruses. This was irresponsible in their eyes.

I'd like to outline why I think what Consumer Reports did was a good thing and why I am in support of their efforts.

The major virus software developers, including McAfee and Symantec, have an enormously profitable business selling software and virus definition updates. It's a great business idea - people keep paying for the software over and over because it is licensed and not sold outright. The challenge from a security perspective is that antivirus software is more reactive than proactive - it has similarities to the traditional issues with a pattern-based intrusion detection system. They are both great for stopping specific known threats, but do not work as well against unknown threats.

To understand why this is an issue, let's think about how an attacker works. Look no further than 9/11, Richard Reid, or the recent case in London of the liquid bomb plot. The attackers analyzed the security controls in place at the airports and attempted to exploit vulnerabilities in those defenses. They did not try to pack a suitcase with a bomb and check it in because they knew that this was not as likely to work and may be caught in the security scanners. In the same manner, an attacker wishing to distribute a virus can test their new code against the top products in the market just by downloading them. The bad guys are analyzing the defenses to find a hole. It's an endless arms race and the only way to get better is by improving the products to better defend against new attacks.

Focusing on this specific class of product - antivirus - how do you defend against a situation where the bad guys can see your controls and create tactics to evade them? One way is to improve the products in such a way that they are self-defending. McAfee even claims to have done this on their web site: "<VirusScan's> advanced heuristics and generic detection even finds new, unknown viruses."

I'm glad the product is able to do that. As an informed consumer, I'd like to know how well the product stacks up to those claims. As a CISO, it's my business to identify and mitigate risks to my company. I want to know what product can best protect me from both known and unknown threats.

Moving back to Consumer Reports, they figured (rightly so) that the only way to validate the product claims was to modify existing viruses and test them against the software. So they created new variants of known viruses and reported the results. Did their new viruses "escape" and infect anything other than their testbed? To date, nothing has been reported. No damage was done because they appear to have employed care in how they conducted the test. I would expect this from an industry-leading product evaluation company that brought in competent security consultants such as Dr. Avi Rubin.

What's the bottom line? Consumer Reports obtained an independent test result that I am very interested in - which products were best able to cope with new and evolving threats. This information is valuable to me because it was created by a credible not-for-profit institution and provides details to help me choose the best product for defending against both existing and new threats.

August 20, 2006

WPAD: Windows Proxy Auto Detect Vulnerability

I was installing my own Squid cache this weekend for my home network and wanted to set it up such that when my devices are home, they automatically use the proxy. I looked into it a bit, and Windows Proxy Auto Detect, or WPAD, seemed like a good solution. Basically, you turn on "automatic proxy detection" in your browser - be it Internet Explorer, Firefox, Flock, Safari, or anything else - and it automatically finds the proxy server.

How does it find the server? It uses a DHCP configuration setting or DNS to search for the entry "wpad.yourdomain.com", where yourdomain.com is your local domain as served up by your DHCP server. If that host resolves, it looks on that server for a wpad.dat file - a small bit of JavaScript that tells the browser what the proxies are. If that file is there, the browser blindly trusts it and executes the JavaScript to obtain the proxy settings right from that file - even if you have completely disabled JavaScript in the browser. The next logical question for me was "where is the authentication for this?" and the answer is: there is no authentication.

This is scary for a number of reasons. If you can set a proxy for someone, that means you can force them to connect to a proxy YOU control. This is a man-in-the-middle attack and you can now obtain login credentials or anything else - including for SSL sites. Now, this gets even better if you combine it with a DNS cache poisoning attack or a second/fake DHCP server. How about you go to the local wireless hotspot and redirect WPAD to a server you control (even prior to asking for the credit card input)? You can now intercept their browsing sessions. How about you check into a local hotel? Do you suspect that a number of executives will be staying there with browsers preconfigured to look for a local proxy? I do. Oh, and the best part of this is that this is 100% transparent to the user - no pop-up box or other warnings are provided.

Allowing an unauthenticated network device/file to modify your behavior without your knowledge or consent is bad security. Although there have been published exploits for this in the past (and Microsoft fixes such as MS99-054), this remains a vulnerability - especially combined with DNS cache poisoning or a second DHCP server controlled by an attacker. In today's world, the assumption must be made that computers are not stationary. They move around, and hence their security environment changes with them. Long-standing "features" like WPAD should be either secured or eliminated based on risk. The world has changed since this was introduced and our products should also change based on the updated risk profile.

2006 WesCorp CFO Forum Presentation
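A defender's check for the two discovery steps described above, added here as an example that is not part of the original post: it lists the wpad names a client would try for its domain (so an administrator can pre-register or monitor them) and audits a wpad.dat script for proxies outside an allowlist. The allowlist, the sample PAC script and the rule that the name search stops before the top-level domain are assumptions.

```python
import re
import socket
from typing import List, Set

# Assumed allowlist of the proxies this network actually deploys (hypothetical value).
SANCTIONED_PROXIES = {"proxy.home.example:3128"}


def wpad_candidates(fqdn: str) -> List[str]:
    """Names a WPAD client derives from its own FQDN by dropping one label at a time.

    Assumption made here: the search stops before the top-level domain, so
    pc1.corp.example.com yields wpad.corp.example.com and wpad.example.com,
    never wpad.com. Any of these names resolving is an unauthenticated proxy source.
    """
    labels = fqdn.strip(".").split(".")[1:]  # drop the host's own label
    candidates = []
    while len(labels) >= 2:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


# Return values a PAC script can hand the browser: PROXY/SOCKS/HTTP host:port.
_DIRECTIVE = re.compile(r"\b(PROXY|SOCKS5?|HTTPS?)\s+([A-Za-z0-9.\-]+:\d+)")


def proxies_in_pac(pac_source: str) -> Set[str]:
    """Every host:port the wpad.dat script could route traffic through."""
    return {m.group(2) for m in _DIRECTIVE.finditer(pac_source)}


def unsanctioned_proxies(pac_source: str, sanctioned: Set[str] = SANCTIONED_PROXIES) -> Set[str]:
    """Proxies named in the PAC file that are not on the allowlist: possible interception."""
    return proxies_in_pac(pac_source) - sanctioned


def resolving_candidates(fqdn: str) -> List[str]:
    """Which candidate wpad names currently resolve (needs network; not used by the test)."""
    found = []
    for name in wpad_candidates(fqdn):
        try:
            socket.gethostbyname(name)
            found.append(name)
        except socket.gaierror:
            pass
    return found


# Constructed sample wpad.dat: the expected home proxy plus one rogue entry for bank traffic.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    if (shExpMatch(host, "*.bank.example")) return "PROXY 203.0.113.7:8080";
    return "PROXY proxy.home.example:3128; DIRECT";
}
"""

if __name__ == "__main__":
    print("wpad names this host would try:", wpad_candidates(socket.getfqdn()))
    print("unexpected proxies in sample PAC:", unsanctioned_proxies(SAMPLE_PAC))
```

Pointing `proxies_in_pac` at the wpad.dat your browser actually fetched, and comparing the result with the proxies you deployed, is the quickest way to confirm nobody else is answering the WPAD lookup on the network you are on.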

Enclosed is my presentation "The Executive Guide to Information Security" given at the 2006 WesCorp CFO Forum event. The presentation is an enhanced podcast meant for viewing in Apple iTunes, QuickTime, or via an iPod. Click on this link to download the presentation or view it in QuickTime. The podcast is an overview of information security and risk management aimed at an executive management audience.

You can subscribe to the Podcast via the orange icon at the right side of the page. Drag that icon to your iTunes Podcast menu and it should automatically subscribe you.

Enhanced Podcasts

I have been doing quite a bit of research on enhanced podcasts. Enhanced podcasts allow the publisher to insert chapters and additional graphics to the podcast file. For my purposes, this means I could take a presentation, break it up into chapters, and re-insert the slides from the presentation to each chapter. The listener could then review the presentation with the slides.

I will be posting an enhanced podcast of my 2006 WesCorp CFO Forum presentation on information security. Here's how to use it in iTunes.

1. Open iTunes and click on the "Podcast" link on the left side.

2. Drag-and-drop the enhanced podcast link to iTunes. It should properly download and import the file.

3. Click the "Edit" menu at the top and "Show Artwork" to view the slides. A small window should open up on the left side of iTunes.

4. Start playing the podcast. If you wish to jump between chapters, there is a small icon that appears at the top of iTunes just to the right of the presentation window and left of the search box. You can select the drop-down menu to navigate the presentation.

5. If you copy the file to the iPod, the controls to jump back and forth should just work. The slides will be shown if you have a video iPod.

Hopefully this will be of help to others that wish to view enhanced podcasts. I will upload future presentations in this format as well.

August 16, 2006

How Not To Sell

I thought I would use a few blog posts to discuss sales - in this case the sale of information security products and services. As someone with overall responsibility for security, I receive at least 5 calls per day from people that I do not know that are trying to sell me a product. I am sure that I am not alone in this endless string of unsolicited phone calls. Don't get me wrong - I'm not an unfriendly person and I definitely recognize the value of networking and relationships. I just don't find it very effective to cold call someone out of the blue with the intention to sell them a product or service.

Ask yourself this question: do you like to receive unsolicited calls at home during dinner time? I don't either because I have that time set aside for family. There is a reason that a national do-not-call list exists. Daytime product/service sales calls tend to fall in the same category. A typical cold call conversation with me goes like this:

Caller: "Hi, is this Robert?" <I also get a lot of calls asking for the previous person in my job - that's another big no-no. I'm not new to my position - update your phone list before calling.>

Me: "Yes. What is this in regards to?"

Caller: "I'm so-and-so with such-and-such company. We have x y z and here's why it is great." OR "How are you addressing X Y Z law that you must comply with?"

Me: "Thank you for your interest in our company, but we are not looking for additional vendors."

Caller: "Can I follow up with you with more information?"

Me: "No thank you."

That's it. Every conversation is the same and they happen all the time. The first thing to realize when calling someone out of the blue is that they receive many other calls from vendors offering similar services. If you employ the tactics described above, you are using the same conversation that every other rep or inside salesperson uses when calling. It's not that I don't want/need your product but I don't appreciate the distraction from the work I am focusing on for the same reasons you don't like to be called during dinnertime. Leaving a cold voicemail is even worse - you will not receive a reply.

How about a different approach?

Take a longer-term view focused on development of a relationship rather than trying to interest me in your product. Here are a few tips to start with:

1. Know who you are calling. People will generally tell you who is responsible for a certain area - start with the admin assistants and ask questions. Make sure you have the name and general area of responsibility correct.

2. Know the company you are calling. I have many people that call me asking for a different credit union that has a similar-sounding name.

3. Know the industry and regulations. I am not subject to Sarbanes-Oxley; a quick review of the law and my company will tell you that. Don't try to sell me a product that answers that regulation because it's not applicable. You will lose credibility with that approach and that is a killer when you are contacting someone that you do not know.

4. Find someone that knows me or something about me. You have other clients and vendor contacts - find a mutual relationship. This would be a much better way to introduce yourself. Either ask your contact for an introduction or mention that person directly. I'm also involved in ISACA and ISSA - perhaps you belong to the same chapter. I have a web site and blog - perhaps you have read it. I am an active member of LinkedIn - send an invitation to join your network. Find something that gives you a connection to the person you are calling beyond the product/service you are selling. Give it some thought and put Google to work and you will quickly find the right information.

5. Lead with technology - not telephone. Phone calls are very disruptive and e-mail is not. Send a personalized e-mail to introduce yourself and mention something from #4.

6. Offer value / ask opinions. Perhaps your CTO gave a recent presentation at a conference and you'd like to discuss it. Perhaps you have encountered a problem at a different client that we may have solved and would like more information. These are all good ways to get a foot in the door. In my previous employment I was very successful with this - I read a CSO Magazine article about a CISO and called to talk to him about the article. I got the meeting and won the relationship because I didn't lead with an attempt to sell something.

7. Look long-term. People change jobs from time to time. Perhaps you can't help me today, but you might be at a different company tomorrow. If you have a relationship you can take that with you and have an easier time getting a return call or meeting.

These are a few simple suggestions that you can use to improve your success rate - not just with me but with your other prospects and targets. Hopefully you will find them of value.

August 14, 2006

Bump Keys

I recently came across a number of articles on bump keys. This concerns an attack on most types of physical locks. The idea is that most locks are vulnerable to an attack that enables the simple opening of a lock via a special key that is cut to "maximum depth". Have a look at this site for a demonstration of a bump key.

Of course, the first thing that came to mind was the fact that this would make an excellent on-stage demonstration for a presentation. I picked up a set of keys from eBay for $10 shipped. The 5 bump keys will open most of the commercial locks on the market. That's a scary thought and is a huge vulnerability.

I see this issue as being similar in nature to that of the DVD DeCSS issue of a few years ago. The encryption keys that are used to prevent theft of content on DVDs were cracked and made public. Instead of fixing the vulnerability (which would be next to impossible given hardware in the field), the DMCA law was used to try to make the source code illegal. In the case of bump keys, it looks like we are moving down the same path - a South Dakota attorney is pushing to make it a crime to ship bump keys via the mail.

Wouldn't a better approach be to increase awareness of the vulnerability so consumers can make intelligent decisions about the type of locks they purchase? The goal is to remediate the vulnerability and close the hole. In this case, a determined attacker will be able to acquire a bump key regardless of a law preventing their sale or distribution - all they need is a standard key cutting machine. If you draw a parallel to software vulnerabilities, it would be similar to trying to make the Metasploit Framework illegal. It won't get to the root of the issue which is risk mitigation and remediation of a known vulnerability.

August 13, 2006

Airport Security

With the interesting developments this past week regarding the terrorist plot to blow up the airlines, it's interesting to finally see an article that discusses the real security issues. Wired News is running an article that talks about why it is more important to protect against suspicious people rather than tools that may be used. An attacker can always get the tools on to the plane. How about smuggling banned substances in condoms, such as a drug mule might do? I also thought about the explosive belt that is mentioned in the article. How about the tactic that prisoners use with the use of their internal orifices to hide things? The reality is that if you want to stop the bad guy, focus on the behavior. The Israeli airport security folks have it right - they ask questions and look for signs of nervous behavior. If you are going to blow yourself up, you will likely have some telltale sign of this when questioned.

There are many lessons to be learned here - not just for airport security but also for information security. The important point is to analyze the threats, categorize them appropriately, and align your defenses where they make the most sense. We all have a limited amount of resources to deploy when protecting information and lessons such as this go a long way to refining our risk assessment methodologies.

August 12, 2006

Q: How do I join the PwC Alumni Linkedin Group?

A: Here are the steps:

1. Join LinkedIn and establish your profile. The profile MUST include your position at PW/CL or PwC in the experience section.

2. Send me a connection request to my email address: rjb AT robertjbrown D0T com. This can be done via the big yellow button in the upper-right corner of the LinkedIn site.

3. When sending the connect request, indicate that you are a PW/CL or PwC Alumni, the years you worked at the firm, your office location during your time with the firm, and the name of the Partner you reported to. Incomplete applications will be denied.

Note: I am the only administrator for the site and it sometimes takes me a few days to get back to you. I do reply to all connection requests and group additions.

Q: What is the PwC Alumni Group on LinkedIn?

A: Answer from the LinkedIn web site:

Many professionals advance their business goals by counting on professional groups, alumni groups and workgroups to make vital new business contacts which will enhance their trusted connections. To support this important type of networking, LinkedIn for Groups enables existing groups to get their members “Linked In” — bringing their members extra features for networking and strengthening interconnections between each other.

Benefits for group members:

-- Accelerate your career through referrals from group members
-- See a list of all your fellow group members
-- Search within your group for vital new contacts
-- Use special contact settings to communicate directly with fellow members

Q: What is LinkedIn?

A: Answer from the LinkedIn website:

LinkedIn is an online network of more than 5 million experienced professionals from around the world, representing 130 industries. When you join, you create a profile that summarizes your professional accomplishments. Your profile helps you find and be found by former colleagues, clients, and partners. You can add more connections by inviting trusted contacts to join LinkedIn and connect to you.

Your network consists of your connections, your connections’ connections, and the people they know, linking you to thousands of qualified professionals. Through your network you can:

-- Find potential clients, service providers, subject experts, and partners who come recommended
-- Be found for business opportunities
-- Search for great jobs
-- Discover inside connections that can help you land jobs and close deals
-- Post and distribute job listings
-- Find high-quality passive candidates
-- Get introduced to other professionals through the people you know

LinkedIn is free to join. They also offer paid accounts that give you more tools for finding and reaching the right people, whether or not they are in your network.

Contact Information

Office: 909-394-6393
Mobile: 310-500-7957
Personal E-mail: rjb AT robertjbrown D0T com
Work E-mail: rbrown AT wescorp D0T org

I also maintain an active profile on LinkedIn. Please feel free to send me a connection request.