What the InfoSec Skills Gap Means for the Future

One of the biggest challenges, if not the biggest, facing information security is the lack of skilled talent. As yet another proof point in a long line of reports all saying the same thing, Cisco’s 2014 Annual Security Report says, “it’s estimated that by 2014, the [IT Security] industry will still be short more than a million security professionals across the globe.” Ask any hiring manager and they’ll agree. And here’s the thing: education programs might make a dent in the skills gap, but by and large the information security skills shortage isn’t going to get solved any time soon.

This says to me…

  1. Breaches will continue at least at the current clip resulting in increased industry and government regulations, which will lead to compliance job openings.
  2. Compensation for competent information security personnel will continue to rise and globalize, regardless of whether the person is experienced or not.
  3. Organizations in the best position to hire, train, and retain security talent will carry the day. Education isn’t going to come in the form of reading or certification, but on the job in a more “trial by fire” way.
  4. Organizations will continue to outsource their security needs to where security talent can be best centralized and scaled.
  5. People with limited background in security will be increasingly tasked with performing security jobs – or at least managing the processes.
  6. Super easy-to-use security products and services will be preferred over the more technically sophisticated and feature rich.
  7. The information security skill shortage is actually going to get worse as the economy improves.

Everyone get busy automating!

So Your Nude Selfies Were Just Hacked…

If you haven’t been following the most recent news regarding a wide swath of celebrities whose accounts were hacked and private photos shared, you must have been having a lot of fun on Labor Day and I salute you.

Probably the very first thing most of the victimized celebrities are doing now is damage control – limiting their exposure as much as possible. Yes, their names are going to be put out there. Yes, it’s horribly embarrassing, but it’s also not a time to get caught up in self-pity (or self-blame): there’s work to be done. Being cool-headed and reducing the exposure will reduce the pain overall. Some people might go down the path of making examples out of the alleged perpetrators — but beware the Streisand effect. The harder you try to hide things, the more people want to see those things — like aerial photos of Ms. Streisand’s lavish house, for instance.

But these events bring up an interesting point: What would you do if you were a celebrity who had dodged the bullet, but had similar incriminating photos on their computers, cell phones, etc.? More importantly, what should you be doing right now, this very minute, to make sure that anything you have posted to the cloud and want to keep private actually remains so?

First things first – locate every place the sensitive information lives.
If it’s on a lover’s phone, an old computer collecting dust under your staircase, an old email account, or uploaded to Dropbox – whatever the case may be, you need to find all of it and build an inventory of what those things are. Once you know what’s there, you have to find a way to securely delete that information. Dragging things to the trash doesn’t work, unfortunately: that only removes the directory entry, and the bytes stay on disk until something happens to overwrite them. Defragmentation, backups and photo-library caches leave additional stale copies in free space, so on a traditional hard drive you need to securely wipe not only the files but also the free space. On an SSD or a snapshotting filesystem, overwriting isn’t reliable at all (the drive, not you, decides where the new bytes land); there, the dependable options are full-disk encryption from day one and, when retiring the device, destroying the key or the drive.
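The inventory-then-delete step above, as an added example that is not part of the original post: it finds every copy of a file by content hash (the same photo under three different names collapses into one group), then overwrites and unlinks the copies. Everything it reads is a constructed temporary directory; the `inventory`, `overwrite_and_unlink` and `demo` names are this example’s own. The overwrite step carries the caveat from the text: it only has a chance of working on a magnetic disk with a plain filesystem, and it is no substitute for full-disk encryption on an SSD.

```python
"""Added example (not from the original post): inventory copies of a sensitive
file by content hash, then overwrite-and-unlink the copies you decide to delete.

Assumptions: plain files on a local filesystem.  The overwrite only has a
chance of working on a magnetic disk with a non-journaling, non-copy-on-write
filesystem.  On SSDs, APFS/Btrfs/ZFS snapshots, or anything that has been
backed up, the old blocks usually survive, so full-disk encryption plus key
destruction is the reliable approach."""
import hashlib
import os
import secrets
import tempfile
from collections import defaultdict


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Content hash, streamed so large photos do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root: str) -> dict:
    """Map content hash -> list of paths.  Identical files under different
    names ('Copy of ...', an old backup folder, a photo cache) group together,
    which is exactly what you need in order to find every copy."""
    copies = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                copies[sha256_of(path)].append(path)
    return dict(copies)


def overwrite_and_unlink(path: str, passes: int = 1) -> None:
    """Overwrite the file's bytes in place with random data, flush to disk,
    then unlink.  Best effort only; see the module docstring for why this
    does NOT reliably destroy data on modern storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, 1 << 16)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)


def demo() -> dict:
    """Builds a constructed directory tree with one sensitive file stored in
    three places plus an unrelated file, finds the copies, wipes them, and
    returns what happened so the result can be checked."""
    with tempfile.TemporaryDirectory() as root:
        secret_bytes = b"\xff\xd8\xff\xe0" + b"not really a jpeg" * 100  # constructed
        paths = [os.path.join(root, p) for p in (
            "Pictures/IMG_0001.jpg",
            "Backups/old/IMG_0001.jpg",
            "Desktop/Copy of IMG_0001.jpg",
        )]
        for p in paths:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(secret_bytes)
        other = os.path.join(root, "Documents/notes.txt")
        os.makedirs(os.path.dirname(other))
        with open(other, "wb") as f:
            f.write(b"grocery list")  # constructed, unrelated content

        inv = inventory(root)
        target = hashlib.sha256(secret_bytes).hexdigest()
        found = sorted(inv[target])
        for p in found:
            overwrite_and_unlink(p)
        return {
            "copies_found": len(found),
            "copies_remaining": sum(os.path.exists(p) for p in found),
            "other_file_untouched": os.path.exists(other),
            "hash_groups": len(inv),
        }
```

Run `demo()` to see the three copies found and removed while the unrelated file is left alone. In real use you would point `inventory` at a home directory and every mounted backup volume, and treat the resulting path list as the thing to act on, not the one file you happened to remember.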

Next, use the “mud puddle” rule of thumb.
Ask the company that makes the system in question whether there is any way to recover your data after you have dropped the device in a puddle of mud and lost everything on it, password included. If the answer is yes, you have a problem, because it means they hold a copy of your data that they can decrypt (if it was ever encrypted at all) and access, and so can anyone who compromises or compels them. Make sure that all copies are deleted and removed securely from all systems, and ask for some proof of that. In the worst case, get your lawyer involved to make sure that all copies are securely and permanently deleted. You have two options with computers – either they are perfectly private and accessible only to you, or they have a high level of convenience and availability. Choose one.

Next, turn off automatic syncing to cloud-based systems.
There is no reason you should be sending all of your information to an environment you don’t completely control. If you need off-site storage, find an IT person to set up a private backup server that only you can access, and make sure the backups themselves are encrypted with a key that only you hold. There are lots of precious family photos, emails and documents that would be painful to lose. Back them up in a place that only you have access to.

Choose strong passwords.
It sounds simple, but password guessing and credential-stuffing attacks succeed because accounts have weak or reused passwords. Don’t fall for it: choose strong passwords, and make them unique. If your password for your free webmail is the same as for the systems that protect your nude pictures, one leaked password breaks both. Attackers go for the weakest link, so keep your passwords unique and strong. A good deal of password research says that a “passphrase” made up of several randomly chosen words in a row is the strongest kind of password you can still memorize. If you’re an actress, you are used to memorizing lines to get a part. Consider this just another script you need to memorize, but one that can protect your entire reputation. Or, even better, turn on two-factor authentication if your provider offers it: a physical token or an authenticator app that an attacker on the Internet can’t get at by guessing. A code sent by text message is better than nothing, but phone numbers can be hijacked, so prefer a token or an app.

Encrypt your nude selfies.
I’m not going to judge you — nude selfies aren’t bad, but they can be dangerous if you don’t encrypt them. There’s lots of encryption software out there and a great deal of it is free. You can choose something that encrypts your selfies when you’re not looking at them and decrypts them when you want to see them for some reason.

Send encrypted nude selfies.
Similar to the above, if you’re going to send nude selfies, make sure you do so in a way that self-destructs. Software like Wickr can do that for cell phones. Bear in mind that self-destruct only works if the recipient’s app honors it; nothing stops the recipient from taking a screenshot or photographing the screen. There’s no reason to keep them around forever, and if you do need to keep them, you can always save them and re-send them later.

Don’t send nude selfies at all.
I know it sounds obvious and stupid, but once you become a celebrity, it’s really imperative to avoid sending anything incriminating or even keeping it around at all. If you do have to have it for some reason, make sure you keep it on a computer that isn’t capable of going online, so at least you can keep it compartmentalized. Systems that aren’t online are much harder to hack – and usually require physical access to your premises. This is the reason some militaries are reportedly going back to typewriters – it’s a lot harder to hack something physical without involving breaking and entering.

Pick strong secret questions.
One of the most often overlooked issues in computer security is the secret question. Most secret questions are terrible: “what is your favorite color?” Well, the chances that it’s one of a handful of colors are extremely high, and even higher if you’re a celeb, since no doubt at some point someone asked you that on camera. That makes it extremely easy for someone to guess the answer and access your information. So lie and choose something else – a long random string that only you know. Store it in a password manager (or write it down and keep it somewhere safe), and make it unique to each site, just like a password. Is your favorite color blue? I hope not. Is your birth date the same one that’s on IMDB? Please tell me no.
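The two pieces of advice above (a random multi-word passphrase, and a random answer instead of a guessable secret-question answer) come down to how many guesses an attacker needs. The following is an added example, not code from the original post: it generates both kinds of secret with the CSPRNG and puts numbers on the difference. The 32-word list is a constructed sample (a real diceware list has 7776 words, and the entropy figures below use that size), and the guess rates and the count of plausible “favorite color” answers are assumptions for illustration.

```python
"""Added example (not from the original post): how much guessing a
'favorite color' answer, a diceware passphrase and a random secret-question
answer actually take, and how to generate the strong kinds.

SAMPLE_WORDS is a constructed 32-word list; a real diceware list has 7776
words.  FAVORITE_COLORS and the guess rates are assumptions for illustration."""
import math
import secrets

SAMPLE_WORDS = (  # constructed sample; use a real diceware list in practice
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bridge", "canyon", "desert", "engine", "forest",
)
DICEWARE_LIST_SIZE = 7776
FAVORITE_COLORS = 11          # roughly how many answers people give (assumption)
GUESSES_ONLINE = 10.0         # per second against a rate-limited login form (assumption)
GUESSES_OFFLINE = 1e10        # per second against a leaked fast hash on GPUs (assumption)


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker hits the secret after trying half the space."""
    return (2 ** bits) / 2 / guesses_per_second


def passphrase(words=SAMPLE_WORDS, count: int = 6) -> str:
    """Pick words with the CSPRNG (`secrets`), never the `random` module."""
    return " ".join(secrets.choice(words) for _ in range(count))


def secret_question_answer(nbytes: int = 20) -> str:
    """A random answer for 'What is your favorite color?'.  It goes in a
    password manager; it is not meant to be remembered."""
    return secrets.token_urlsafe(nbytes)


def compare() -> dict:
    """Entropy, and expected crack time under the assumed rates, for each
    kind of secret."""
    color_bits = entropy_bits(FAVORITE_COLORS, 1)
    diceware_bits = entropy_bits(DICEWARE_LIST_SIZE, 6)
    return {
        "favorite_color_bits": color_bits,
        "six_word_diceware_bits": diceware_bits,
        "random_answer_20_bytes_bits": 8 * 20,
        "color_online_seconds": expected_crack_seconds(color_bits, GUESSES_ONLINE),
        "color_offline_seconds": expected_crack_seconds(color_bits, GUESSES_OFFLINE),
        "diceware_offline_years": expected_crack_seconds(diceware_bits, GUESSES_OFFLINE) / (365 * 86400),
    }
```

`compare()` makes the point the text is making: a favorite-color answer falls in well under a second even against a rate-limited login form, while a six-word diceware passphrase is out of reach of an offline GPU attack for longer than anyone cares about. The passphrase strength comes entirely from the random choice and the list size, not from how clever the words look, which is why the generator uses `secrets` and why the list size is the number that matters.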

Disable everything you don’t need.
Living in LA does require you to use hands-free, and driving down Venice Beach in your convertible sounds great, but every time you turn on Wi-Fi, Bluetooth or any other service on your phone you are putting yourself at greater risk. It’s all a matter of attack surface: the more you can disable, the better.

Find a security pro.
I highly recommend you find a good security expert to analyze your life, and figure out how and where you are vulnerable. It might be something stupid and avoidable, like you leave your camera in a hotel room while you are away, or it might be something very complex having to do with configuration settings on your home Wifi. Whatever the case, you really should have someone who knows what they are doing take a look at how you live and give you practical advice on how to protect yourself.

It’s easy to blame the victims, and that’s the very last thing I’d ever want to do. I think, if anything, this just shows what a large percentage of people take nude pictures of themselves, so we can’t judge. But there are definitely a few steps people can take to avoid some of the embarrassment. For those who dodged the bullet, consider yourselves lucky; but perhaps it’s time to take your lucky winning streak and leave the blackjack table while there is still time.

6 Reasons Why ‘Security Guarantees’ Are Good For The Security Community

Since Sentinel Elite was announced, we’ve experienced an exciting amount of interest in its money-back guarantee and $250,000 financial coverage for damages suffered if a customer is breached via a vulnerability that we should have discovered but missed. Over the last few weeks, the security community has been buzzing with chatter about software liability, cyber-insurance, and security guarantees. There is an opportunity here for the information security industry to up its game. When done right, security guarantees are going to be really good for the security community. Here’s why:

  1. Truly effective security products become easier for customers to differentiate from those that are…less effective. Similar to how we look at the purchase of cars, electronics, and more, some products have better warranties than others, which signals less purchase risk for the buyer and an increase in perceived quality.
  2. The credibility of the security industry, or of an individual vendor, is improved because we hold ourselves accountable for the performance of our products. Let’s face it. Security vendors don’t always have a great reputation when viewed by those outside the industry. One argument for why this is, is that when our advice or products fail, we’re not on the hook. Many vendors even profit when disaster strikes, yet the victims – our customers – are left cleaning up the mess. By making ourselves accountable in the event of a breach we can turn this perception around and prove that our goals do align with our customers’.
  3. We receive performance and actuarial data that can be directly used to increase the effectiveness of our products. The upside on having to pay-out on a failure to live up to a security guarantee is that we get hard data on what really went wrong. This data is helpful because it tells us why the security control didn’t stop the bad guy. This data is pure gold for product development.
  4. It gives us the ability to quantify and convey the value of security products in dollars and cents. Most often business owners really don’t get the value of what it is that a security product does. We speak in esoteric terms about ‘vulnerability,’ ‘risk,’ ‘threat,’ ‘zero-day,’ and so on – very rarely do we speak in business terms or in dollars and cents that the business owner can truly understand. With security guarantees we can give stakeholders – those who pay for our solutions – a way to understand the value we bring to the business in language they understand and can plug into their financial spreadsheets.
  5. The business interests of a security company are in line with the customer and decisions are made accordingly. One of the most frustrating things for a security professional is encountering situations when what a customer really needs to be more secure is not necessarily what is beneficial for the security vendor. Customers want to spend money on products that help them protect against getting hacked. When vendors provide security guarantees, the highest priority is doing exactly that, which creates a true partnership between the vendor and the customer.
  6. Security guarantees enable defense-in-depth strategies to transcend the concept of simply buying multiple security products to protect the business in the event of financial loss. We know security products are not perfect or all-encompassing, so multiple solutions are needed to guard against breach under this eventuality. With a security guarantee, when all is said and done, the customer is still protected in the event that everything fails – which is more common than not these days.

We continue to appreciate the feedback on this topic and are very much interested in what our customers and the rest of the industry have to say about this. What other reasons are there – positive or negative – for having security guarantees? We would welcome your suggestions in the comments below.

Aviator (Default) Search Change

In an effort to find ways to work with a search provider, we spent a lot of time researching various models that would enable us to stay on the side of our users AND allow us to generate revenue to help us pay for Aviator development. Naturally we attempted to work with DuckDuckGo since they were already our search provider of choice. Unfortunately, the only way they were willing to work with us was to monetize ads, and we just aren’t willing to do that. Browsers monetizing ads is at the root of what’s causing issues for users, stifling security and eliminating privacy.

After months of work we decided that Disconnect Search was the best and most exciting path forward. We have a long-standing relationship with the Disconnect team because of their popular browser plugin, and their privacy record is spotless — and Disconnect was comfortable working out a deal with us that didn’t rely on selling ads. You can’t beat that! We were thrilled to find a partner who cares enough about their users and ours to forgo the typical death cycle of mandatory partnerships that revolve around advertising, and instead just revolve around being the default search.

This is just another way we want to be clear that we are on our customers’ side, even in matters of business. Our transparency about our business model is the crux of why our users can trust our decisions to be in their best interest. So, in the coming update you will notice that the browser politely asks you if you want to switch from DuckDuckGo to Disconnect. The option is yours, of course, but this will help us continue to evolve the browser, and we believe Disconnect is the most private search engine we could find to boot. Two birds with one stone, right?!

As always, questions and comments are welcome!

Sentinel Elite: Adding $250,000 Worth of Breach Protection

A week ago WhiteHat launched Sentinel Elite where we made a bold statement, perhaps one of the boldest statements any security vendor can make. We’re offering a financially backed security guarantee: if a website covered by Sentinel Elite gets hacked, specifically using a vulnerability we didn’t identify and should have, the customer will be refunded in full.

Since the announcement, the feedback we’ve received has been both incredible and incredibly interesting. It’s clear to us the concept of a ‘security guarantee’ strikes a nerve and we are finding that others in the industry have called for similar action. In fact, a recent report by ChangeWave (a subsidiary of 451 Research), entitled ‘Corporate Cloud Computing Trends’, says the following:

“We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three-quarters of respondents (74%) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22% say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.”

Even Dan Geer (CISO, In-Q-Tel), in his Black Hat keynote, called for software liability: “the only two products not covered by product liability are religion and software, and software shall not escape much longer.”

Clearly, this is an idea whose time has come!

While many have been commending us for putting our money where our mouth is, which we appreciate, we’ve also been asked to do more. We heard multiple times that in the long run, a product refund is not substantive enough when compared to customer breach costs in the event of an incident — which could easily extend from six figures on up. And you know what? They are absolutely right! WhiteHat should have more skin in the game. So, we’re taking this feedback to heart and we are upping the ante:

Now, not only will Sentinel Elite customers receive a full refund in the event that their site is breached as a result of a vulnerability that we should have discovered but missed, we will also cover up to $250,000 in damages to the affected company.

Like we’ve said before, WhiteHat is serious about web security. We’re serious when we say a security vendor’s interests should be in line with their customers. We encourage other vendors to follow suit and we encourage their customers to settle for nothing less. This is the best way to achieve better security outcomes, more secure software, and a more secure Web. Other industries have already done this. InfoSec can too!

For more information about Sentinel Elite, please click here.

DHS and Cyberterrorism

A recent survey (linked below) polled DHS and law enforcement intelligence personnel on which groups and attacks they are personally most concerned about. The respondents come from a pretty wide range of agencies and levels, which makes it a decent snapshot of what that community is thinking and currently most focused on. The tidbits I found interesting are on pages 7 and 8:

https://www.start.umd.edu/pubs/START_UnderstandingLawEnforcementIntelligenceProcesses_July2014.pdf

The DHS seems to be most concerned about Sovereign Citizens and Islamic Extremists/Jihadists (in that order). The rationale isn’t well explained, but I would presume that physical proximity and the radical nature of Sovereign Citizen groups trumps the extremist nature of Jihadists. I’m speculating, but that would seem to make sense. It could also be a reaction to FUD, but it’s hard to say.

More interestingly, the threat they find most viable is Cyberterrorism. That makes a lot of sense, because Cyberterrorism is cheap, can be done instantaneously, can be done remotely, and can be done with minimal skills and at minimal risk. It’s really hard to tell what’s Cyberterrorism versus what is just a normal for-profit attack, and attribution is largely an unsolvable problem if the attacker knows what they’re doing. Also, even if you can identify the correct adversary, extradition and rendition are tough problems.

There’s not a lot of substance here, because it’s all polls, but it’s interesting to see that our industry is at the top of the US intelligence community’s mind.

Security Guaranteed: Customers Deserve Nothing Less

WhiteHat Security Sentinel Elite

Ever notice how everything in the information security industry is sold “as is”? No guarantees, no warranties, no return policies. This provides little peace of mind that any of the billions that are spent every year on security products and services will deliver as advertised. In other words, there is no way of ensuring that what customers purchase truly protects them from getting hacked, breached, or defrauded. And when these security products fail – and I do mean when – customers are left to deal with the mess on their own, letting the vendors completely off the hook. This does not seem fair to me, so I can only imagine how a customer might feel in such a case. What’s worse, any time someone mentions the idea of a security guarantee or warranty, the standard retort is “perfect security is impossible,” “we provide defense-in-depth,” or some other dismissive and ultimately unaccountable response.

Still, the naysayers have a valid point. Given enough time and energy, everything can be hacked, including security products, but this admission does not inspire much confidence in those who buy our warez and whose only fear is getting hacked. We, as an industry, are not doing anything to alleviate that fear. With something as important as information security is today, personally I think customers deserve more assurance. I believe customers should demand accountability from their vendors in particular. I believe the “as is” culture in security is something the industry must move away from. Why? Because if it were incumbent upon vendors to stand by their product(s) we would start to see more push against the status quo and, perhaps, even renewed innovation.

At the core of the issue is bridging the gap between the “nothing-is-perfect” mindset and the business requirements for providing security guarantees.

If you think about it, many other industries already offer guarantees, warranties, or 100% return policies for less than perfect products. Examples include electronics, clothing, cars, lawn care equipment, and basically anything you buy on Amazon. As we know, all these items have defect rates, yet it doesn’t appear to prevent those sellers from standing behind their products. Perhaps the difference is, unlike most security vendors, these merchants know their product failure rates and replacement costs. This business insight is precisely why they’re willing to reimburse their customers accordingly. Security vendors by contrast tend NOT to know their failure rates, and if they do, the rates are likely horrible (anti-virus is a perfect example of this). As such, vendors are unwilling to put their money where their mouth is, the “as is” culture remains, and the interests of security vendor and customer are misaligned.

The key then, is knowing the security performance metrics and failure rates (i.e. having enough data on how the bad guys broke in and why the security controls failed) of the products. With this information in hand, offering a security guarantee is not only possible, but essential!

WhiteHat Security is in a unique position to lead the charge away from selling “as is” and towards security guarantees. We can do this, because we have the data and metrics to prove our performance. Other Software-as-a-Service vendors could theoretically do the same, and we encourage them to consider doing so.

For example, at WhiteHat we help our customers protect their websites from getting hacked by identifying vulnerabilities and helping to get them fixed before they’re exploited. If the bad guys are then unable to find and exploit a vulnerability we missed, or if they decide to move on to easier targets, that’s success! Failure, on the other hand, is missing a vulnerability we should have found which results in the website getting hacked. This metric – the product failure rate – is something any self-respecting vulnerability assessment vendor should track very closely. We do, and here’s how we bring it all together:

  1. WhiteHat’s Sentinel scanning platform and the 100+ person army of Web security experts behind it in our Threat Research Center (TRC) tests tens of thousands of websites on a 24x7x365 basis. We’ve been doing this for more than a decade and we have a larger and more accurate website vulnerability data set than anyone else. We know with a fine degree of accuracy what vulnerabilities we are able to identify – and which ones we are not.
  2. We also have data sharing relationships with Verizon (and others) on the incident side of the equation. This is to say we have good visibility into what attack techniques the bad guys are trying and what they’re likely to successfully exploit. This insight helps us focus R&D resources towards the vulnerabilities that matter most.
  3. We also have great working relationships with our customers so that when something unfortunate does occur – which can be anything from something as simple as a ‘missed’ vulnerability, to a site that was no longer being scanned by our solution that contained a vulnerability, all the way to a real breach – we’re in the loop. This is how we can determine whether something we missed and should have found actually results in a breach.

Bottom line: in the past 10+ years of performing countless assessments and identifying millions of vulnerabilities, there have been only a small number of instances in which we missed a vulnerability that we should have found and that we know was likely used to cause material harm to our customers. All told, our failure rate is well below one percent, in fact under 0.01%, which is an impressive track record and one that we are quite proud of. I am not familiar with any other software scanning vendor who even claims to know what their failure rate metric is, let alone has the confidence to publicly talk about it. And it is for this reason that we can confidently stand behind our own security guarantee for customers with the new Sentinel Elite.

Introducing: Sentinel Elite

Sentinel Elite is a brand new service line from WhiteHat in which we deploy our best and most comprehensive website vulnerability assessment processes. Sentinel Elite builds on the proven security of WhiteHat Sentinel, which offers the lowest false-positive rate of any web application security solution available as well as more than 10 years of website vulnerability assessment experience. This service, combined with a one-of-a-kind security guarantee from WhiteHat gives customers the confidence in both their purchase decisions as well as the integrity of their websites and data.

Sentinel Elite customers will have access to a dedicated subject matter expert (SME) who expedites communication and response times, and coordinates the internal and external activities supporting your application security program. The SME will also supply prioritized guidance, so customers know which vulnerabilities to fix first… or not! Customers also receive access to the WhiteHat Limited Platinum Support program, which includes a one-hour SLA, quarterly summaries and exploit reviews, as well as a direct line to our TRC. Sentinel Elite customers must in turn provide us with what we need to do our work, such as giving us valid website credentials and taking action to remediate identified vulnerabilities. Provided everyone does what they are responsible for, our customers can rest assured that their website and critical applications will not be breached. And we are prepared to stand behind that claim.

If it happens that a website covered by Sentinel Elite gets hacked, specifically using a vulnerability we missed and should have found, the customer will be refunded in full. It’s that simple.

We know there will be those in the community who will be skeptical. That’s the nature of our industry and we understand the skepticism. In the past, other security vendors have offered half-hearted or gimmicky guarantees, but that’s not what we’re doing here. We’re serious about web security, we always have been. We envision an industry where outcomes and results matter, a future where all security products come with security guarantees, and most importantly, a future where the vendors’ best interests are in line with their customers’ best interests. How amazing would that be not only for customers but also for the Internet and the world we live, work and do business in? Sentinel Elite is the first of many steps we are taking to make this a reality.

For more information about Sentinel Elite, please click here.

Better Single Sign-On for WhiteHat Security Customers

WhiteHat has just integrated PingFederate into Sentinel to provide better single sign-on support to our customers. With single sign-on, your own sign-on portal can require exactly what you want from someone logging in – a username and password, an RSA token code, a code texted to their phone, a thumb scan – whatever you prefer to uniquely identify your users. This lets you make your own security as tight as you like.

Once a user has logged in, their authentication can be “federated” – exchanged securely – with other portals, either locally or at other sites. This is where WhiteHat’s PingFederate integration comes in. That login – secured however you want to secure it – can now be transmitted to WhiteHat’s PingFederate instance, which validates it and then passes it on to Sentinel to actually do the login. Only the fact that the user is valid and their email is exchanged; passwords, internal user IDs, and any other identifying information remains on your server and never leaves it. This means you can now authenticate your Sentinel users as stringently as you do those for your own applications.

That sounds pretty nice, and we also support single sign-on for deep links into Sentinel. Those links actually point at our PingFederate instance, which uses the link to bounce you back to your own single sign-on portal and then back into Sentinel with the federated authentication, landing you on the page you asked for. If you’re already logged in, the process just takes you into Sentinel after automatically picking up the authentication.

Past these basic features, it’s now possible for us to extend single sign-on to provide more, like automatic provisioning of Sentinel users, directly adding and removing users in Sentinel simply by doing the same with them locally on your sign-on portal. This makes it much easier for your admins to manage Sentinel users, since they’re just like any other users on your system. We’re also looking into the possibility of integrating our Customer Success Center into PingFederate as well, to make accessing either or both Sentinel and our Customer Success Center far easier and simpler.

Remember, you need your own single sign-on solution to connect up with us – if you have one already, give us a call and ask us about integrating Sentinel. One less ID to remember, and one less password to forget!
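To make concrete what “federated” means in the post above (what crosses from your portal to the service provider, and what the receiving side must check before it trusts the login), here is an added example that is not WhiteHat’s or Ping Identity’s code. It is a toy federation: the identity provider (your portal) issues a short-lived, signed assertion containing only the user’s email and the deep-link target, and the service provider (the Sentinel side) verifies the signature, issuer, audience, lifetime and replay before logging the user in. Real deployments use SAML or OpenID Connect with public-key signatures; this uses a shared HMAC-SHA256 key and a compact JSON token so it runs with the standard library alone. The issuer and audience URLs, the `issue_assertion`, `verify_assertion`, `rejection_reason` and `deep_link_login` names, and the 300-second lifetime are all this example’s assumptions.

```python
"""Added example (not WhiteHat's or Ping Identity's code): a toy federated
login showing what crosses the boundary and which checks the service provider
(SP) must make.  Real deployments use SAML or OpenID Connect with public-key
signatures; this uses a shared HMAC-SHA256 key and a compact JSON token so it
runs without any library.  URLs, names and the TTL are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://sso.example-customer.com"      # assumed customer portal
SP_AUDIENCE = "https://sentinel.example-vendor.com"  # assumed relying party
ASSERTION_TTL = 300                                  # seconds; short on purpose


class FederationError(Exception):
    """Raised for any rejected assertion; the message is the reason."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, email: str, relay_state: str, now=None) -> str:
    """IdP side.  Only the subject's email and the deep-link target go across;
    the password, internal user id and MFA details never leave the portal."""
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ISSUER, "aud": SP_AUDIENCE, "sub": email,
        "iat": int(now), "exp": int(now) + ASSERTION_TTL,
        "jti": secrets.token_hex(16),   # unique id so the SP can detect replay
        "relay": relay_state,           # where to land after login
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(key: bytes, token: str, seen_jti: set, now=None) -> dict:
    """SP side.  Order matters: verify the signature before trusting any claim,
    then issuer/audience, then lifetime, then replay.  Returns accepted claims."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise FederationError("malformed token")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):          # constant-time compare
        raise FederationError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        raise FederationError("wrong issuer or audience")
    if not (claims["iat"] - 60 <= now < claims["exp"]):  # 60 s of clock skew allowed
        raise FederationError("expired or not yet valid")
    if claims["jti"] in seen_jti:
        raise FederationError("replayed assertion")
    seen_jti.add(claims["jti"])
    return claims


def rejection_reason(key: bytes, token: str, seen_jti: set, now=None):
    """Same as verify_assertion but returns the reason string (or None)."""
    try:
        verify_assertion(key, token, seen_jti, now)
        return None
    except FederationError as e:
        return str(e)


def deep_link_login(key: bytes, email: str, requested_url: str, seen_jti: set, now=None) -> str:
    """The deep-link flow from the post: the SP sends the user to the IdP with
    the requested page as relay state, the IdP authenticates and asserts, and
    the SP lands the user on that page.  Returns the final URL path."""
    token = issue_assertion(key, email, requested_url, now)
    return verify_assertion(key, token, seen_jti, now)["relay"]
```

The checks in `verify_assertion` are the ones that matter in any federation protocol, whatever the token format: a forged or tampered assertion fails the signature check, an assertion minted for a different relying party fails the audience check, an old one captured from a log fails the lifetime check, and a captured fresh one fails the replay check on its second use. The `seen_jti` set stands in for whatever store the SP keeps of recently accepted assertion ids; it only needs to hold entries for the assertion lifetime.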