Monday, December 18, 2017

The positive blog entry - Launching 2018 on the right foot.

One of my security guru friends (Robert) challenged me to making a positive blog post as many (most...well... all) of my posts involve some level of aggressiveness towards human stupidity.

I committed to producing a light hearted, positive post before the end of the year.

Here goes.



Many years ago, I stated that just when you feel you have hit the bottom of the human stupidity barrel, you find a false bottom and the rabbit hole goes even deeper.



It took a 30 year carrer to finally cross an entire ecosystem that did not follow the same negative progression of downhill motion that I observed in so many enterprises.

As a security professional, I spend most of my time explaining risks to some level of management and watching the message die at that level.  Rarely are the board members advised of serious issues and senior management usually stays in the dark.  This is mostly based on peoples Ego's with a capital E.  So I spend a lot of time trying to get the message to the right people.  In fact that is why at the start of 2010 I decided to move to senior management coaching almost exclusively.

Enter a new client, circa 2014.

I'm brought in by a friend and told very little on the client.  Aside from the type of business and their yearly revenue.   The numbers being large, I first refuse the client, as I do not want another "traded" company in my client portfolio.   Traded companies are synonymous with cover ups, lies and messages that do not get to the top.

Robert.... wait for it.... this is really positive!

My friend explains that this is a privately owned company, and that the CIO is a really nice guy.

Strike two.  Security reporting to the CIO is a nightmare scenario.   A daily conflict of interest.  The security initiatives essentially critiquing the CIO.  Who wants to live through that.

For some strange reason, I still went to the meeting.  After all, I am an optimist.

Hence started a long term relationship that I qualify as one of the best of my career.

It had to happen at some point, statistically these ingredients had to exist somewhere.

I started working with the CIO and the staff that comprised the IT team, and started seeing the light that was missing for so long in so many places.  The staff is overworked and understaffed, same as in all enterprises, however they are professional, knowledgable and usually pretty reasonable.

You see, this client is fundamentally different.   No one is lying.  if it's blue it's blue, if it's orange with green dots... so be it.

That's right, people just say what they think, and you don't get shot in the face, fired, pushed aside or asked to leave the tribe.

When highlighting some security issues, management wants them fixed.  All of it.   I found myself in a new situation.  One that reversed my roll of 30 years.   You see at this client, you have to do two very important things:

1) Prioritize security issues based on risk 
2) Push back and refuse to address all of them based on the identified risks

Number 2 isn't new, it's the basis of risk management, but REFUSING to allow them to fix something is.  In other words, I actively participate in saying NO we are not going to fix that.

Like many large enterprises, external audits happen.  At one point we get a bunch of enlightened auditors who find some really important findings (sarcasm is positive....)

Here are two examples (classics for auditors who might not have a strong technical background)

a) SNMP using public community strings for hardware that isn't important and isn't manageable through SNMP (only statistics can be accessed).

b) Out dated network hardware managed through HTTP.

So what do you think happened.   It was a priority to fix all issues including these two lame ducks.  The Security teams role was to say NO, we are not wasting (sorry... positive terms.... investing) valuable time in addressing these findings.

The reasoning is simple, (A) cannot be used to reap any benefits, and (B) uses a unique password, over a switched internal network, used less then once a year, on outdated hardware, with no value once compromised.

So we wrote up a derogation stating why we weren't going to fix it, and the CEO signed off on it.    That's right, the CEO wants to see everything and wants to keep informed of our security posture.  And he doesn't just want to sign off on it, he wants to understand it.

This still makes my eyes tear up.  A series of senior managers who accept their current condition, want to be aware and take the best decisions, AND decide to take actions as required and as identified by the experts they have in their teams.

Holy shit.

In fact, perhaps I shouldn't write this part down....

A few weeks ago, I stumbled on something security related, and I immediately (like a high school freshman) fired off an email to inform the CIO that I was investigating XYZ.

Well that genius went and told the CEO immediately !   

My phone rings, it's the CIO.  He says "hey about that thing, the CEO would like an update this afternoon"

Son of a bitch !   An update !   I don't even know what is going on yet and I'm the one who saw it first !

I've never had this issue to manage ! 

For the first time in my life, the entire ecosystem is transparent and I have to take a pause and figure it all out (mostly) before sending a memo if I don't want to be questioned about how we are going to fix it before I know what it is!

This being all said, the security admin and myself now have an agreement that we should hold off for at least an hour and figure things out before we tell anyone.

A long way from the usual attitude of telling senior management years later that most companies seem to have.



Note for my client:  Don't worry.... wink wink...  we will tell you immediately if it seems grave.  But like all emergencies, we will gather a reasonable amount of information to better communicate the actual situation to you before plugging you into a cerebellum.  





So in this holiday season, I count my blessings to have had the chance to cross an enterprise with good family values across all layers.

Are there things that can be improved, of course.  From a security point of view, this is the healthiest attitude I have seen in any enterprise.  

Perhaps as far as attitude is concerned, this company should write a book.

This by far is the most positive experience I have had as acting CSO in any enterprise.

So there you have it Robert, one positive post, with a dabble of sarcasm, a little bit of realism and a lot of hope for other enterprises.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com

'Tis the season.... to fall victim to scams

Friendly reminder that during the holiday period, an increase in scams of all kinds takes place.


I just received this very legitimate looking email from the Canadian Revenue Agency.

Everything looks good except the fact that they do not love me (or any of you) enough to send you a document.

Testing out the document, only 5 of 59 anti-viruses actually detect this document as malicious (based on file signatures).

So over the holiday season, please do not believe emails asking you to do anything, or SMS messages asking you to visit a site, or a phone call, or even traditional mail (yes... I got a real envelope with a real stamp that was a full blown scam).

Essentially, anyone who loves you shouldn't be sending you anything you click on unless you talked before hand and are expecting the link or file.

Trust no one.

When in doubt, contact the sender directly using the phone number you already know or the number from their actual website.






_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com


Wednesday, December 13, 2017

Is Tenable pulling an Equifax / Ashley Madison ?


One of the founders tried to appeal to the security crowd with a posting about how these new FEATURES are better for the end user, and in my opinion it is the biggest pile of crap since the last US election (slight exaggeration for effect, but still a pile of dung).

https://www.tenable.com/blog/a-clarification-about-nessus-professional

He started by explaining how he created the product for consultants and penetration testers, etc.

Then goes on to explain that supporting multiple users is complicated and since the users cannot share reports it wasn't worth the effort.

Hey genius, if we migrate or version 6 to 7 any users we have created get ported over and according to Tenable support they will always be there, you just can't create NEW ones and if you install from scratch you are limited to just one.

So who is full of shit here.  If the system can continue to support multiple users, then limiting the addition of NEW users is a marketing game not a technical one.  Aside from the fact that limiting to a single user and forcing enterprise users to share passwords is absurdly nuts.

And this is how he explains it:  "We evaluated this feature and realized it adds confusion".  really... confusion.... each human has their own user account and this is confusing.   

Second issue, the API.

It's complicated to have a secure API and maintaining it is also complicated.
And people used it to aggressively and it could impact the performance of the product.

So we left it there but killed the features that allow you to launch a scan.

WHAT !!!!

So if I use my MacBook too aggressively (like a baseball bat) Apple will start making laptops with no mouse pad.

And all the features still work if you buy the bigger solution and it talks to the scan engines just fine.


  • The reason you removed multi users is marketing.
  • The reason you are crippling the API is marketing.
  • You want people to buy your TENABLE.IO solution and your Cloud based solution.


For the love of all gods please do not try to shovel shit down the throats of the hardcore technical folks who have supported you from the start and made you what you are today.

It's disgusting, insulting and revolting.

Actually, it's disrespectful, but it sure as hell is "Doing Business the American way".

And while we are on that note, please remove from the NEW FEATURES & IMPROVEMENTS section both items which for everyone who reads English, are NOT IMPROVEMENTS OR FEATURES.

I prefer being told the truth and not being filled with bull and then having someone add to it trying to tell us it is for our own good.   If I overload my Nessus scanner through the API, that's my problem, not yours.

And Renaud, as a founder, you have failed.  You've made a lot of money, and built an empire, but you have failed the "community" who supported you for the last 13 years since the fork of 2005.

So why the click bait title mentioning Equifax and Ashley Madison.  Simple, to some extent, they all treat their customers below what I deem acceptable, and the truth is we are not their customer we become their product (think about that), and one thing is for sure, they all lie about their true motives.

Shareholders care about increasing recurring revenue and growing large enterprise user base.  That's how you make your wall street value go up.

In this case we have not only a shareholder, but a founder making up numbers.

He states, and I quote "Less than 2% of users use the remote scan API, and there are only a handful of scanners out there with multiple users.".  These are numbers he has no way of knowing.    A "Handful"..... every scanner I have ever worked with had multiple users.  Must be a Canadian thing.    So the bull sounds just like Equifax and Ashley Madison to me, just write up a press release and make stuff up. 

Speaking of Canadians, and almost every other country.  We have data residency laws and the US has brilliant laws like the US Patriot Act.  What this means is that you can't push us to use a Cloud based solution unless it is hosted in our own country.  And Tenable doesn't offer cloud services in every Country.  So we simply can't use your cloud products.  Not that I would want to.

Sad day in my mind.   And I'm an optimist !


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com



Tuesday, December 12, 2017

Tenable is killing Nessus Professional - When a security company sabotages a good product

Sad day today for any user of 
Tenable Nessus Professional.




As is the case with many security companies who are working towards making their products cool, Tenable is pushing their customers to the Cloud.   A security tool in the cloud just doesn't fly with me.

Tenable just released Nessus version 7.0 and along with it has killed two basic features that are critical to many smaller businesses and especially consultants.

A security company, that produces a security product, is now releasing software that imposes a less secure state, and cripples the product used by thousands without communicating these changes ahead of the release.  SURPRISE !  

In fact, the features they are crippling, they are listing as FEATURES and IMPROVEMENTS!




So naturally I thought the wording simply was wrong and had to call Tenable to have them provide me with the amazement that no... the wording is right.  

These crippled items are FEATURES.

The first item sabotaged is the ability to create users.   You read that correctly.  USERS.

This applies to anyone paying the $2,190 a year for single scan engine (Nessus Professional).  You now have to share a password.  You can scan as many assets as you want, but the security person needs to share his/her password with the technical folks so they can work through the findings within the tool.

Normally within a business, you would create accounts for scanning, and perhaps accounts for simply reviewing the scan results (like when an auditor comes in to review results).  Or you would separate your assets by groups such as Linux servers, and Windows servers.  You would have different accounts set up for each asset group.

For a consultant, you would have a user account for each client.  

This makes sense since scan policies usually include authentication credentials for the operating systems being scanned.

In version 7.0, you can no longer create users.  Single user mode is the only way to go.

The product should therefor no longer be used by consultants since clients generally do not want their information mixed with others.

Within a business, a single scanner will now have a single user account, this means that if two technical people need to review the findings, they need to share the password !!!!   

We are in 2017, preaching to our user base to NEVER share passwords and this security product, a long time leader is now imposing insecure practices.

What else did they sabotage.  Well, it seems that they have crippled the API (restricted API).  So if you wrote yourself some tools using the API, you are screwed.

They made the API available, it contributed greatly to the popularity of the product, now go screw yourself, no more API.

As far as loyalty to customers, this is once again, a CLEAR demonstration of capitalism.  The exact attitude that hurts the over all security of our entire ecosystem.

I have been a long time defender and promoter of Tenable and their solutions.

I use their tools in conferences and training seminars.

I include their tools in the classes I teach in two Universities.

Today is the end of an era.  The era of reasonable priced commercial tools produced by companies who first wanted to offer a great security tool not just make a buck.

I predict that projects like OpenVAS are going to see a large increase in popularity and support.

I for one have to now integrate OpenVAS in my conferences and university classes and drop Tenable from my curriculum.

I also now have to ask myself what tool best offers the features I need as a consultant and what to recommend for smaller businesses.

Imposing cloud based solutions simply is not something I can get behind for a security tool.

And crippling products and calling it a feature isn't either.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...