Trust No One – Then What?
November 14, 2010
At long last, we have been presented with the Holy Grail of information security management and protection strategies. Forrester Research recently published the Zero Trust Model (http://goo.gl/PT348), which aims to fix the current – broken – model in terms of inherent trust levels, which areas of the network should be protected, and from which perspective. In all seriousness, this is a step in the right direction, and it is only becoming practical now because of recent advances in various security technologies, as well as the underlying computing power that must be in place to run them.
At the core of the Zero Trust Model is the notion that the existing model – a hardened exterior (the network perimeter) and a trusted internal network – is flawed, and further, that there should be no network location or perspective from which any network traffic or users are considered “trusted.” While this is certainly a valid observation, it is not through gross negligence that the current model was so widely adopted. It is not so much a broken model as one we have evolved past. In the past, the top-down approach to implementing information security controls led enterprises to minimize their attack surface. The external network at large will always be more vast than the internal network; it is this perspective and scale that led us to secure from the external perspective first. While internal resources may represent varying degrees of trust, everything and everyone on the external network can most certainly be categorized as untrusted.
While I wouldn’t be so bold as to say we’ve conquered the task of securing our networks from traditional Internet-based attacks, we have made significant strides in this area. We have a multitude of technologies available that effectively shrink the perimeter attack surface to the point where it is simply no longer an attractive target for many attackers. Enter the new favorite exploit vector for many modern attacks, also known as the users. It’s not that the users themselves cannot be trusted, simply that the network traffic resulting from a successful attack on a user (usually an internal asset) must not be trusted as inherently safe. There are now too many client-side attack vectors for the average user to fall victim to for us to trust her blindly.
If we don’t trust traffic from the outside, and we can’t trust traffic from our own internal networks, where does that leave us? Frankly, with the current threat landscape, we are now forced to recognize and account for security at ALL layers of the enterprise network. A decade ago this may not have been a realistic goal, but technology is becoming available that can bring this goal within reach with the right approach and the right toolset. Instead of the tired “defense-in-depth” model, we should now assume a “defense-at-all-depths” approach. However, implementing this strategy in reality takes more planning and precision than just a blanket policy to monitor/inspect/analyze every byte that traverses the network. Several key players are emerging in the information security space that are bringing to market unique tools that finally give enterprises a fighting chance in mitigating risk down to an acceptable – or at least manageable level.
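To make the difference between the two models concrete, here is an added example (not code from the original post, Forrester, or MAD Security) that runs the same access requests through a perimeter-style policy, where being on the internal network is sufficient, and a zero-trust-style policy, where identity, session strength, device posture and per-resource authorization are all evaluated regardless of source address. The networks, resource ACL, request fields and sample requests are constructed assumptions for illustration only.

```python
"""Perimeter-trust vs. zero-trust access decisions on the same requests.

Added example, not from the original post. Every network, ACL entry,
request field and sample request below is a constructed assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Constructed assumption: the corporate LAN, i.e. the old model's "trusted inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed assumption: which groups may reach which resource. The zero-trust
# policy authorizes per resource; nothing is reachable merely for being "inside".
RESOURCE_ACL: Dict[str, Set[str]] = {
    "finance-share": {"finance"},
    "wiki": {"finance", "engineering", "contractor"},
}


@dataclass
class Request:
    src_ip: str
    resource: str
    user: Optional[str] = None            # authenticated identity; None = anonymous
    groups: Set[str] = field(default_factory=set)
    mfa: bool = False                     # strong authentication completed this session
    device_managed: bool = False          # device is enrolled and can attest its state
    device_patched: bool = False          # posture check (patch level etc.) passed


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_policy(req: Request) -> Tuple[bool, str]:
    """The model the post says we have evolved past: location decides trust."""
    if is_internal(req.src_ip):
        return True, "allow: source is on the internal network"
    return False, "deny: source is outside the perimeter"


def zero_trust_policy(req: Request) -> Tuple[bool, str]:
    """Measured trust: identity, session, device and resource are all checked on
    every request, and the source network is never sufficient on its own."""
    if req.user is None:
        return False, "deny: unauthenticated"
    if not req.mfa:
        return False, f"deny: {req.user} has no MFA on this session"
    if not (req.device_managed and req.device_patched):
        return False, f"deny: device of {req.user} fails posture check"
    if not (req.groups & RESOURCE_ACL.get(req.resource, set())):
        return False, f"deny: {req.user} not authorized for {req.resource}"
    origin = "internal" if is_internal(req.src_ip) else "external"
    return True, f"allow: {req.user} -> {req.resource} ({origin} source, all checks passed)"


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS: Dict[str, Request] = {
    # A LAN workstation whose user was phished: traffic originates inside,
    # but the session has no MFA and the host fails posture.
    "phished_internal": Request(src_ip="10.20.30.40", resource="finance-share",
                                user="alice", groups={"finance"},
                                mfa=False, device_managed=True, device_patched=False),
    # A finance user on a managed, patched laptop working from a coffee shop.
    "remote_legit": Request(src_ip="203.0.113.7", resource="finance-share",
                            user="bob", groups={"finance"},
                            mfa=True, device_managed=True, device_patched=True),
    # A healthy engineer on the LAN who is simply not authorized for finance data.
    "internal_wrong_group": Request(src_ip="192.168.1.9", resource="finance-share",
                                    user="carol", groups={"engineering"},
                                    mfa=True, device_managed=True, device_patched=True),
}


def compare(requests: Dict[str, Request] = SAMPLE_REQUESTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (perimeter_allowed, zero_trust_allowed)} for each request."""
    return {name: (perimeter_policy(r)[0], zero_trust_policy(r)[0])
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22s} perimeter: {perimeter_policy(req)[1]}")
        print(f"{'':22s} zero trust: {zero_trust_policy(req)[1]}")
```

The point of running all three requests through both policies is that they disagree in both directions: the perimeter policy waves the phished internal workstation and the mis-authorized engineer through because they are "inside", while it blocks the legitimate remote finance user; the zero-trust policy reverses all three decisions because it evaluates the request rather than its source network. In a real deployment the posture and MFA signals would come from the identity provider and device management system rather than fields on the request, and the decision would be enforced at every hop (not only at the edge), which is what "defense-at-all-depths" asks for.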
At the end of the day, the underlying concept of Zero Trust is really a model of measured trust. To learn more about implementing robust security architecture in your organization, drop us a line.
Securing the Human and Missing the Point
November 9, 2010
SANS (after acquiring Lance Spitzner) has launched a new security awareness program called “Securing the Human”. And, while I applaud them for getting on the bandwagon and realizing that the users are the big threat (and I’ve always been a fan of Lance’s work), they manage to completely miss the point (which Aaron mentioned in his previous post).
Without being too dramatic, I spent a few hours going through the demos of their content and it just made me sad. The content is hokey, poorly edited (note the typo on the Protect Your Passwords poster – should be “use”, not “used”) and guaranteed to do little more than bore the users to death without modifying behavior in the slightest.
Here’s the thing: security awareness is a misnomer. When MAD helps organizations with their security awareness programs, we don’t care if the users are aware. We care that they make the appropriate decisions. Not that they know WHY they’re making the decision, just that they do.
It is exactly the same stance that marketers take. Procter & Gamble doesn’t care that, when you enter your nearest Walmart, you know all of the reasons that Tide is the best detergent. They don’t care that you’re “Detergent Aware”. They care only that, when you place a box of detergent in your cart, it’s Tide.
Similarly, I don’t care that you know WHY you should use good passwords. I care only that you do. And I can incent you to do that a million different ways that involve no (boring) posters, (sad) screensavers, (unwatchable) videos or (immediately discarded) newsletters.
Here’s the point that SANS missed – we’re taking technologists and trying to treat user behavior modification like system design. It doesn’t work like that. People aren’t puppies. And they aren’t machines.
An exercise for the reader: Figure out why this video has been watched over 145,000,000 times and you’ll understand why your users ignore your security awareness messages.
People Aren’t Puppies
October 25, 2010
Mike Murray, Managing Partner of MAD Security and lead instructor of The Hacker Academy, has been on a speaking rampage, and from the looks of it things will continue that way for a while. Last week Mike followed a talk given by the President’s White House Cybersecurity Coordinator, Howard Schmidt. They spoke to about 300 people at the first TSA (Transportation Security Administration) Cyber-Security Summit. There were people from TSA and other government agencies, as well as corporations within the transportation industry: railroads, airlines and more. Social penetration was the topic of Mike’s talk, mixed with security awareness: the good, the bad and the ugly. To sum it up: people are not puppies and, as such, don’t deserve to be treated that way. The question to ask when working on security awareness within your organization is: how do we know whether what we are doing is working? If you are lucky enough to hear Mike’s talk, you will have that answer.
MAD is Hiring
April 25, 2010
The beauty of being a small but fast-growing security consulting firm is that I get the opportunity to hire awesome people often. We really like hiring super-stars either as W2 employees or 1099 contractors.
Right now, we’ve got some openings that we need to fill somewhat quickly:
Check these out – if you think you might be a fit for them (or for any other position that we haven’t listed), send us an email as described on the application page.
Hello world!
January 18, 2010
And welcome to MAD Security. It seems that I’ve done this a few too many times now – starting the nCircle blog, the Neohapsis Labs blog and others.
And, now, I’m writing the first blog entry at our new company, MAD Security.
Those that are used to working with us will notice all the same things that you’re used to – brilliant staff, project management discipline and a commitment to solving the real problems that our clients have.
But you’ll probably also notice some new things. We’re going to be more active in the market and more active in the industry. We’ll work with more partners and vendors. (But only those who share our commitment to doing the right things and, as my friend Sheldon says, “raise the bar” on getting this industry where it’s supposed to go.) And we’re going to be relentless in our pursuit of helping clients get their security right.
Because, more than anything, we’re MAD. In the Tom Peters we-want-to-make-massive-change-and-make-the-world-more-secure sort of way. In the we-won’t-settle-for-less-than-making-our-customers-insanely-better-and-more-effective sort of way. And in the we-won’t-settle-for-less-than-totally-amazingly-cool-and-awesome-work sort of way.
And we hope you’ll get MAD too.