[ISN] Security controls

From: InfoSec News (isnat_private)
Date: Fri Sep 27 2002 - 00:09:10 PDT


    [It's a little stale for ISN, but the mention of TruSecure's covert ops
    perked my ears. - WK]
    September 20, 2002 1:01 pm PT

    SECURITY IS ON every CTO's mind these days, but what's the best way to
    evaluate security threats? TruSecure, a Herndon, Va.-based company,
    has come up with a risk assessment philosophy that it says focuses on
    real-world threats. Using a subscription business model, TruSecure
    sells its services to some 700 corporate customers. InfoWorld spoke
    with TruSecure CTO Peter Tippett.

    What is the overall mission of TruSecure?

    We're really trying to change the way people do security. TruSecure is
    organized around defining risk in a way that's measurable. ... Instead
    of measuring [risk] in a company, we measure it in the world, an
    actuarial sort of thing. So we generally don't believe in things like
    doing a risk assessment at a company or doing vulnerability testing.
    ... What we've set out to do is figure out what percent of
    vulnerabilities represents real risk and how we could go about
    figuring [the risk] out. We set up a pretty large organization that
    includes ICSA [International Computer Security Association] Labs,
    which is a certification and testing facility, like Underwriters Labs.
    All the firewalls, all the anti-virus products and all those things
    are there. ... We don't do any consulting; we don't sell any software
    or any hardware. Instead we sell a service that measures where a
    company is in relation to things we call "the essential practices."
    ... Most companies buy a three-year subscription, and during that
    time, we give them a very, very broad array of security services. ...
    They get testing, they get alerts, [and] they get decision support.
    They get what amounts to a help desk.

    While everybody else is sitting at home fretting about the crime rate,
    you're out patrolling the neighborhood?

    We are actually out fixing things. ... [We test] every anti-virus
    product every day against every virus that's ever happened in the
    entire world. ... [We do this] by making market-driven mechanisms
    where people give us -- and want to give us -- the knowledge we need
    to figure out what's really going on in the world. [For example,]
    because Cisco hates Check Point, Cisco would be glad to give us an
    attack that they think Check Point will fail. If we run it and Check
    Point fails it (or any of the other firewall vendors), then [the
    vendors] have 10 days to fix it and ship it, or they lose the ICSA Lab
    certification. That same sort of dynamic model gives us all kinds of
    inroads to figure out what really is going on in the computer security

    It sounds like you also have some covert operations going on.

    That's true, we call it "IS Recon" and it very much is a covert
    operation. It's not a hacking group; it's a mole operation. And this
    group has been operating now for almost six years. And it's had dozens
    of team members come and go over the time. We don't believe in hiring
    hackers, we think that's a really bad idea. But we do believe in
    talking and engaging and figuring out what they're saying to each
    other. So we have a really neat set of databases. One that we call
    "The Brain," and one that we call "The Trough," [and] one that we call
    "The Trench." And these [databases] are the results of our listening
    to or engaging people in what they're doing. For example, The Brain
    database tracks relationships between hacker groups. And currently we
    track 3,000 or 4,000 individuals in about 800 different groups. And of
    course, the names change and the groups change pretty constantly, but
    at any given point in time that's about the number of people whom we
    track. We track which attacks that they've attacked, [and] which sites
    they've hacked.

    So when you find out who did what, do you then go work with law

    We have nothing to do with law enforcement. We have no interest in
    prosecuting anybody, although it has happened many times that [law
    enforcement] comes to us. For example, the FBI came to us and asked us
    who wrote Melissa, and we told them. It took us a day and a half to
    gather 300 or 400 documents together and give [them] to the FBI to
    show [the agents] who wrote Melissa. They arrested the guy. We didn't
    know his real name -- we just knew his e-mail address and his Internet
    address and his IP and the service provider. ... We know his cat's
    name and his girlfriend's name, what city he lived in in which time
    frames, and what his browser was and what other aliases he used.

    To hear Intel and Microsoft tell it, very long instruction words and
    Palladium will solve all these problems in a couple of years.

    I don't think so. Risk is based on people. Technology helps, but
    whatever the technology is, this is a complex world. And the more
    complex it gets, the more vulnerable it gets.

    Peter Tippett, TruSecure
    * Job title: CTO
    * Biggest success: Creating a pragmatic, dynamic, and up-to-date
      corporate information risk model and tracking network
    * Key challenge: Getting people to open up to the power and
      cost-savings of modeled, dynamic, outsourced risk management
    * Favorite escape: Flying

    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:38:51 PDT