Monday, June 16, 2008

Spliced feed for Security Bloggers Network


Assessing your Organization’s Network Perimeter (pt. 2) [BlogInfoSec.com]

Posted: 16 Jun 2008 06:00 AM CDT

Welcome once again to the risk rack. This time on the risk rack we will be continuing our review of how to assess your organization's network perimeter. As a reminder, the identified steps were:

  • Step 1: Define the functions and purposes of your network perimeter.
  • Step 2: Assess the technology used along the perimeter of your network.
  • Step 3: Assess the Processes used to support your network perimeter.
  • Step 4: Assess the People that support your network perimeter.
  • Step 5: Review all the information gathered in steps 1-4 and establish conclusions and findings.
  • Step 6: Report conclusions and findings and determine action plans.

In Part I we reviewed tips and tricks for Step 1 "Define the functions and purposes of your network perimeter" and started a spreadsheet.

In Part II of "assessing your perimeter" we will be looking at tips and tricks for Step 2: "Assess the technology used along the perimeter of your network."

Let us begin by defining the term "Technology" for the purpose of this article: any hardware or software, as well as the architectural design. To provide some structure for the technology assessment, I have laid out the following stepped approach, which I describe below.

  • Step 1: Define your network perimeter endpoints.
  • Step 2: Identify the hardware devices that make up each endpoint.
  • Step 3: Identify operating system software and application software for each device.
  • Step 4: Map the hardware and software to the spreadsheet from Part I.
  • Step 5: Perform a technical analysis for each piece of hardware and software based on the functions and purposes they are mapped to.
  • Step 6: Document your observations and findings.

Defining an endpoint is simply identifying any segment of the network that interfaces with an external environment. There are three basic forms of endpoint interfaces:

  1. Private - An external link that is set up to communicate with a single entity (e.g. a standalone modem connection or T1 line) using a 'closed' network.
  2. Semi-Private - An external link that is set up to interface with a number of entities (e.g. a modem pool, shared frame relay, etc.) using a 'closed' network.
  3. Public - An external link that is set up over an open network such as the Internet.

Step 1:
The best starting point for identifying network endpoints is a set of detailed network diagrams, which you should be able to obtain from your network architect. Working with your network architects, you should be able to identify all of your endpoints and establish the specific type of each. Create a spreadsheet listing each endpoint, its basic form (private, semi-private or public) and a brief description.

Step 2:
Once you have identified all of the endpoints, you should identify the hardware within the Demilitarized Zone (DMZ) for each endpoint. The DMZ is the no man's land between your network and the outside world. Typically the DMZ begins with a firewall that buffers your internal network from the outside link and ends with either another firewall or a router that directly interfaces with the external abyss.

Again, a good source for this information is a detailed network diagram and a network architect. Some of the types of hardware you are looking for are routers, modems, switches, firewall servers, monitoring servers, mail servers, proxy servers, remote access servers, load balancers, application servers, etc. Please also note that many devices are sold as appliances; these devices must be included as well. In this step you should also capture the type of communication link used at this endpoint, e.g. T1, T3, Frame Relay, ISDN, PBX, etc.

Update the spreadsheet you created in step 1 with the information accumulated in this step. You should also create a subset of your network diagram depicting each perimeter endpoint. This diagram is a good visual for analysis as well as reporting.

In addition to the devices within the DMZ, you must also include the other servers related to the function and purpose of the endpoint that reside on the internal network, e.g. database servers and application servers, since the majority of the functionality behind externally facing services is placed on internal segments for security reasons.

Step 3:
Once you have listed all the devices you must identify all of the software related to each. The first piece of software that must be identified is the operating system of the device. Every device will have some type of operating system including the telecommunication devices and appliances. Using the spreadsheet first created in step 1 update it to reflect the operating system for each device.

After you have completed capturing the operating system information you should then capture any other application running on each device and capture that information on the spreadsheet as well.

Step 4:
Once you have completed step 3, you should have all the raw technology information you need to perform your assessment. Prior to performing your analysis, however, you must first cross-reference all the information gathered in steps 1 through 3 with the functions and purposes you identified in Part I of "assessing your perimeter". This marks the first sanity check of our exercise.

A few notes to consider when mapping devices and software to the functions and purposes:

  1. Start by mapping the endpoints to the functions and purposes.
  2. It is OK to map an endpoint to multiple functions and purposes.
  3. It is OK to map a device to more than one function and purpose.
  4. It is OK to map a piece of software to more than one function and purpose.
  5. If you cannot map any endpoint(s) or device(s) to a function or purpose, either you are not supporting that function or purpose or you are missing an endpoint and its devices.
  6. If you cannot map any software to a function or purpose, either you are not supporting that function or purpose or you are missing some software.
  7. If you cannot find a purpose or function for a piece of software, you are either missing a function or purpose or the function or purpose of the software is no longer required. (This is probably more common than you might think.)
  8. If you cannot find a purpose or function for an endpoint and/or device, you are either missing a function or purpose or the function or purpose of the endpoint and/or device is no longer required. (This is probably more common than you might think.)

At this point it is probably a good idea to review your spreadsheet with the network architect (or someone else in your organization that may be suited to assist) to make sure you are capturing the information completely, accurately and have mapped everything effectively. Please make sure you review your list of unmatched components with the architect as well as the architect may be able to fill in the blanks.

Step 5:
Once you have confirmed your information with a trusted source you can finally begin your analysis. For this step you will be required to refer to your organization's security and operational standards. If you do not have security and operational standards then refer to Part III of this series. If you do have these standards your analysis should consist of the following:

Level I by End point

  1. Validation that each device within this endpoint is configured based on the organization's security and operational standards.
  2. Validation that the architecture does not permit bypassing firewall to enter internal network.
  3. Validation that all applications are at the proper version levels as per organization's security and operational standards.
  4. Validation that all applications are at the proper patch levels as per organization's security and operational standards.
  5. Validation that the patch levels for each device within the endpoint are up to date based on the organization's security and operational standards.
  6. Validation that any monitoring devices are configured as per the organization's security and operational standards.
  7. Validation that the endpoint devices are not vulnerable to network layer penetration attack, by performing a network penetration test.
  8. Validation that the endpoint devices are not vulnerable to application layer penetration attack, by performing an application penetration test.

Level II by purpose and function.

  1. Validation that the endpoint is in the proper form to support the purpose and functions it is supporting. For example if the purpose and function expects a secure point to point connection to a business partner to transfer sales information and the endpoint is an unprotected public link you have a problem.
  2. Validation that only the required ports and protocols are enabled on the devices to support each purpose and function.
  3. Firewall rules must be examined to ensure that they support the purpose and functions of the endpoint.
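As an added example (not from the article or its author), here is a small Python cross-reference that applies the Step 4 mapping notes (unmapped functions, endpoints and software) and the Level II checks above (endpoint form fits the function; only required ports are enabled) to a constructed inventory. The endpoint and device names, the FORM_RANK ordering and the per-function required ports and software are assumptions made for the example.

```python
"""Sanity check for a perimeter inventory spreadsheet.

Each endpoint carries its basic form (Private / Semi-Private / Public), the
functions and purposes it is mapped to, and the devices in its DMZ with their
OS, software and exposed ports. The checks mirror the Step 4 mapping notes
and the Step 5 Level II checks of the article.
"""

# Assumed ordering: a function that expects a Private link is not satisfied
# by a Semi-Private or Public one (less exposed -> more exposed).
FORM_RANK = {"Private": 0, "Semi-Private": 1, "Public": 2}

# Constructed sample: the functions/purposes from the Part I spreadsheet, with
# the link form, ports and software each one needs (all values are assumed).
FUNCTIONS = {
    "Partner sales transfer": {"form": "Private", "ports": {22}, "software": {"sftp-gateway"}},
    "Public web site": {"form": "Public", "ports": {80, 443}, "software": {"reverse-proxy"}},
    "Remote access VPN": {"form": "Public", "ports": {443, 1194}, "software": {"vpn-concentrator"}},
}

# Constructed sample: the endpoints captured in Steps 1-3.
ENDPOINTS = [
    {"name": "EP-1 partner link", "form": "Public", "functions": ["Partner sales transfer"],
     "devices": [{"name": "fw-partner", "os": "Proprietary firewall OS",
                  "software": ["sftp-gateway", "snmp-agent"], "open_ports": {22, 161}}]},
    {"name": "EP-2 internet", "form": "Public", "functions": ["Public web site"],
     "devices": [{"name": "www-proxy", "os": "Linux",
                  "software": ["reverse-proxy", "telnetd"], "open_ports": {80, 443, 23}}]},
    {"name": "EP-3 old modem pool", "form": "Semi-Private", "functions": [],
     "devices": [{"name": "ras-1", "os": "Legacy RAS OS",
                  "software": ["ppp-server"], "open_ports": set()}]},
]


def assess(functions, endpoints):
    """Return a list of (check, subject, detail) findings; an empty list means clean."""
    findings = []
    mapped_functions = set()

    for ep in endpoints:
        mapped_functions.update(ep["functions"])
        if not ep["functions"]:
            # Step 4 note 8: endpoint with no purpose or function.
            findings.append(("unmapped-endpoint", ep["name"],
                             "no purpose or function mapped; missing function or no longer required"))
            continue  # nothing to compare this endpoint's devices against

        # Union of what the mapped functions require from this endpoint.
        required_ports, required_software = set(), set()
        for fn in ep["functions"]:
            spec = functions[fn]
            required_ports |= spec["ports"]
            required_software |= spec["software"]
            # Level II #1: the link form must be at least as closed as the function expects.
            if FORM_RANK[ep["form"]] > FORM_RANK[spec["form"]]:
                findings.append(("form-mismatch", ep["name"],
                                 f"{fn} expects a {spec['form']} link but endpoint is {ep['form']}"))

        for dev in ep["devices"]:
            subject = f"{ep['name']}/{dev['name']}"
            # Step 4 note 7: software that no mapped function requires.
            for sw in dev["software"]:
                if sw not in required_software:
                    findings.append(("unmapped-software", subject,
                                     f"{sw} is not required by any mapped function"))
            # Level II #2: only the required ports and protocols are enabled.
            for port in sorted(dev["open_ports"] - required_ports):
                findings.append(("extra-port", subject,
                                 f"port {port} is open but not required by any mapped function"))

    # Step 4 note 5: function with no endpoint behind it.
    for fn in functions:
        if fn not in mapped_functions:
            findings.append(("unmapped-function", fn,
                             "no endpoint mapped; function unsupported or an endpoint is missing"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in assess(FUNCTIONS, ENDPOINTS):
        print(f"[{check}] {subject}: {detail}")
```

Each finding names the article's note or check it came from, so the list can be pasted straight into the observations column of the spreadsheet.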

A few thoughts before we leave step 5:

  1. Complying with patch levels does not always mean you must have the latest patches in place. The level of patching required should be noted in your standards, and if the latest patch levels are not required there should be criteria for why, and for how to judge whether the patch levels meet the documented and agreed upon criteria.
  2. As with patches complying with version levels does not always mean you must have the latest version in place. The version level that is required should be noted in your standards and if the latest version levels are not required there should be criteria for why and how to judge if the version levels meet the documented and agreed upon criteria.
  3. External penetration testing is often performed more reliably by external third parties who perform this function often and have the facilities to execute it quickly and cost effectively. My recommendation is to choose a reliable third party and have them perform periodic penetration testing of your perimeter end points.
  4. Firewall rules must be viewed in their entirety as some rules supersede others. Prior to reviewing the firewall rules get some background on your firewall so that you can understand the full rule set when you read it.
  5. Some appliance vendors will try to tell you that their devices do not have an operating system. They do: even if it is proprietary, there is one, and it is usually based on an open source UNIX operating system.

Step 6:
Based on the analysis performed in Step 5, document all your observations at the endpoint level as well as at the level of each purpose and function. For continuity, these observations should be captured on the same spreadsheet we have been using. Please note that an observation can apply to multiple purposes and functions; this is acceptable.

I hope this article has been helpful, as I have tried to provide as much guidance as I could in a limited format. Please join me next time when we review Step 3 of assessing your perimeter: "Assess the Processes used to support your network perimeter".



Google has your back against your ISP [StillSecure, After All These Years]

Posted: 15 Jun 2008 11:06 PM CDT

It's been a while now since word got out that Comcast for sure, and possibly other large ISPs, were filtering and throttling traffic to their customers. Now Steve Musil over on C/Net is reporting on a report in the Register that Google will be releasing tools they have developed which will allow users to monitor and identify this type of filtering by their broadband carrier. I am far from a Google fanboy, but I have to give Google a pat on the back for this one.

The ISPs have tried to stop the government from stepping in here and preventing them from limiting and filtering traffic like this. It is part of the whole net neutrality thing. The ISPs' response is that the government doesn't have to step in, the market will take care of itself. Yeah, just like the oil companies say about the price of gas.

Ultimately I think the ISPs know they are going to lose this fight. Their next play is to start charging you based upon how much bandwidth you use.  We have already seen the noise around that one. It reminds me of my web hosting days.  Some hosts charged you by the bandwidth you used per month. Others gave you unlimited bandwidth but put you on a crowded machine where you had to fight for CPU time and hooked that up to a small pipe that was saturated.  So you did not pay for extra bandwidth, but you couldn't use any either.  Bottom line after a long period of access being cheap and plentiful, the ISP game is back.  You can pay them now or pay them later, but you will pay them.


Are we going to need TSA backdoors to encryption [StillSecure, After All These Years]

Posted: 15 Jun 2008 09:36 AM CDT

I was reading an article in Information Week tonight about a case going to the 9th Circuit Court of Appeals about the government's right to search, seize and copy laptops and other electronic devices at our borders. Two groups that don't often find themselves on the same side of issues, the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives (ACTE), have filed briefs with the court asking it to strike down a lower court's ruling that granted the government these broad powers to confiscate laptops.

As the article points out, here in the US there was quite an uproar about China "slurping" laptops from people travelling there, but we seem to think it is OK for our government to do it. Well, at least our government is telling people they are doing it. What they are not telling us is what they are doing with the data after they search or copy it. How do we know that data which has nothing to do with US security, but is nevertheless confidential, is being secured and/or destroyed promptly? The government telling us "trust me" just doesn't cut it.

However, I think technology is going to pose a bigger problem for the government regardless of whether the court upholds the government's position. I think any terrorist or other bad guy would never have unencrypted confidential data on their laptop. In fact, with full disk encryption coming to the masses from the likes of McAfee and others, what will the government do? Sure, they can take the encrypted data to the NSA and let them brute force the keys, but that sounds impractical. Perhaps the TSA will demand that encryption vendors put in a back door or secret key that will allow the TSA to decrypt the data, similar to what they do with the special luggage locks now.

I know what they can do. Perhaps they can go back to Checkpoint and find out for sure about those back doors that were always suspected to be in their software and see if they are really there. If so, the government can appoint Checkpoint the official encryption vendor for laptops ;-) Just kidding of course, but really guys. What self-respecting bad guy is not going to encrypt their data knowing the government has a right to search their laptop? I think it makes this whole case much ado about nothing.


Some People Just Don't Know When to Stop [Sunnet Beskerming Security Advisories]

Posted: 15 Jun 2008 09:27 AM CDT

A former corporate executive, currently under home detention since his October 2007 arrest on charges of looting his company of funds has been accused of trying to bypass (unsuccessfully) security monitoring software installed on his home system, even after he promised (via his lawyers) that the attempts to defeat the security system would cease.

From the various news reports and unhappy shareholder comments from across the internet, this effort to bypass the rules, including only being partially successful, doesn't appear to be out of character for someone who has been accused of emptying his company of value and spending the money through a number of personal relationships that are ethically dubious at best.

If you are trying to get the conditions of your home detention reduced, then hacking the monitoring software that is a part of that detention probably isn't the smartest move to make.

Time for a weekend laugh [Roer.Com Information Security - Your source of Information Security]

Posted: 15 Jun 2008 07:50 AM CDT

All right, I needed a laugh, and found my way to the Failblog. This place has potential for fun - particularly if you filter out the kids' comments.

I particularly like this one:

[Picture from FAIL Blog]

And - unlike the other comments - this one was nice:

"No submarine trucks? Where do they get all the water?"

"Nah, they're just filling up."

Yes, I admit it. My humour is not on the dry side today.

Happy weekend to all of you from all of me!

Vonage and Ekiga on SUSE Linux [Room362.com]

Posted: 14 Jun 2008 09:52 PM CDT

This was originally posted at http://www.jpugh.org/2008/01/vonage-and-ekiga-on-suse-linux.html

I had to find it via google cache as the page is no longer there or has just been down for the past week. So I am reposting it for reference:

Vonage and Ekiga on SUSE Linux

For the first time ever, I lost my cell phone. No freakin' idea where it went and this IS the first time I have ever lost a phone. Quite pissed.

Regardless... in my searching for a better way I figured I'd take a look at VOIP using Ekiga. I have been a Vonage user for several years now so that was my first stop. I found an article that outlined using kphone with Vonage so I started digging.

First, you must have a softphone number from Vonage. It’s 9.99 per month and you can register for one at Vonage (do email me as you will get me a free month and I can get you an extra month free!).

Once you have signed up for a softphone number and received all of the gory details, simply open Ekiga and input the following into a new account:
  • Account name - I used Vonage
  • Registrar - sphone.vopr.vonage.net:5061
  • User - enter your complete softphone number - don't forget the "1"
  • Password - enter the password Vonage provided.

Once you click the checkbox to activate it you will see “Registered to sphone.vopr.vonage.net” and you are all set.

Enter in a phone number and enjoy calls through Vonage on Linux!!

Storming SIP Security - now available just a click away [SIPVicious]

Posted: 13 Jun 2008 05:56 PM CDT

Time to release the hakin9 article to the public. This article was first released in the February edition of the English hakin9 magazine.

Download now (takes you to EnableSecurity).


Added: The listings can be found here.
Thanks to Chris Gates for noticing that I forgot to include the listings.

GRC - Love it or hate it [Andy, ITGuy]

Posted: 13 Jun 2008 02:43 PM CDT

Last week I received an email from a marketing firm wanting to know if I'd like to talk to Symantec about IT GRC and an upcoming announcement that they were going to be making. Usually I ignore these emails because my blog is NOT an advertisement for vendors. It's my place to voice my thoughts, good or bad, on technology and security. I try to stay as focused as possible and not get off on tangents regarding politics, religion, personal life, food, or anything else. That includes free advertising for vendors. Plus, I usually am not that interested in talking to marketing people about their product. If I want information on a product I want to talk to the engineers that designed it and support it. Not the marketers and sales guys.

Anyway, since I do have an interest in GRC and like the concept of it, I decided to take the bait and have a conversation with them. So we scheduled a time and spent about an hour talking about what Symantec is doing in the GRC space. Of course they have a product that helps manage and maintain your program, and that was the gist behind the conversation. They let me in on the announcement that they were making on Wednesday of this week and we had a good conversation. Then they invited me to sit in on a conference call on Wednesday where they were having a round table discussion about their offering and getting ready to make their big announcement as part of their Vision Conference. I wasn't sure if I'd get to because of the audit that we were having, but I did find time to join in on the call. In preparation for the call they sent me an advance copy of the announcement and a report on IT GRC.

I tried to be a good blogger and read the report before the call but just didn't get the time to do more than skim it quickly. It looked interesting and like it had some good information in it, but I just didn't get the time to really read it. Then the time for the call came and I dialed in, pen in hand (my new Cross fountain pen that I LOVE to write with) ready to take notes and hear some good stuff regarding GRC. Of course you know that didn't happen. I was tired from lack of sleep and 2 1/2 days of audit and my mind wandered. I kept trying to bring it back and just as I'd get focused someone would talk who wasn't close enough to the mic and I couldn't hear them very well and I'd fade again. After about 45 minutes I gave in and hung up.

Today I see that Neil Roiter over at Search Security has a write up on the report and the Symantec Round table. You can check it out if you have any interest in what the report or Symantec has to say regarding this. There are a couple of things that I want to point out myself. It seems that the report seems to validate many of my thoughts regarding IT GRC. Mainly that it isn't about technology but about process. The longer I work in IT and especially dealing with security and compliance the more I appreciate how effective good processes can be in your program.

Here are the things in the Search Security write up that I really like. My comments follow each quoted point.

  • The panel identified bridging that gap between senior management's business goals and IT operations as one of the keys to a successful IT GRC program, especially in complex global business environments with disparate regulatory requirements and a wide range of costs in different parts of the world. No program is going to work if there is not an understanding between the business and IT as to what needs to be accomplished.
  • "A framework is a framework is a framework," said KPMG's Lesser. "It's taking the key portions and figuring out what are most important to your organization; what are the outside threats, risks and vulnerabilities that you need to consider, and what is going to provide the most value to your organization; defining a framework based on these industry standards that really fits your specific needs." This is so true. There are several good methods that work equally well. It all depends on what works for you and your organization. As long as the business agrees across the board what they are going to use they can all be equally effective.
  • Implementing automation tools, the panel agreed, was the last step in building IT GRC in an organization. See my post here for my thoughts on this.
  • "The poor approach is to say we're going to do IT GRC, and there are some automated tools available," said ISACA's Hale, "and let's implement these without really understanding what GRC is, what their objectives are, who's going to use the information, and how does it support their decision making." Unfortunately this mind set isn't limited to GRC programs. Tools can't fix everything and without good process and policy to back them up they can't really fix anything.
  • "There's no finish line with IT GRC; it's cyclical because the risks, and the threats and the landscape outside is constantly going to be changing." There is no finish line with much in technology, especially security and compliance. If you ever get to the point where you think you are finished then you are likely to quit paying attention to it and you will end up in worse shape than before you started.

EeePC 900 in galaxy "hacker" black [Carnal0wnage Blog]

Posted: 13 Jun 2008 12:04 PM CDT

My father's day gift to myself arrived so I've been spending way too much time messing around with the EeePC 900.

Got Canvas up and running with no issues, and metasploit, nmap and aircrack. I'll post some notes later but I haven't run into anything that wasn't fixable by forums out on the net.

Andrew, What’s Up? [Andrew Hay]

Posted: 13 Jun 2008 09:04 AM CDT

Hey All,

I thought I’d drop a quick post to let you know what’s been keeping me occupied (and away from blogging) for the last few weeks:

Studying For My CISSP Exam

As many of you know, out of spite, I’ll be taking my CISSP exam on June 28th in Ottawa, Ontario, Canada. This is taking quite a bit of my time so I am very “head-down” trying to jam as much information into my head as possible. Wish me luck!

Writing Another Book

I’ve also signed on to write the Nokia Firewall, VPN, and IPSO Configuration Guide (Syngress, ISBN 9781597492867). Note to self, don’t agree to author a book when planning for a large exam.

Drafting Call-For-Papers for Various Conferences

I’ve been trying to get a bunch of CFPs drafted for various fall conferences. Takes a lot of time to produce quality papers that have a chance of being accepted.

SANS GIAC Gold Paper

My SANS GIAC GCIH Gold paper is due August 22nd, 2008 so I’ve been working on getting all the information I need together to draft a killer paper.

Busy, busy, busy :)

My secret to successful trainings [Roer.Com Information Security - Your source of Information Security]

Posted: 13 Jun 2008 06:38 AM CDT

Facilitating training processes is something I truly enjoy. Particularly when I can enter a class where the energy level is low, and the participants expect to be handed tasks to work with.

When you enter the room, you feel their lack of motivation. And no motivation usually means a tough day for both participants and the trainer. And if you want people to learn new skills, and hopefully to change their attitude towards the subject, you need them to be motivated.

This is particularly true when training security and user awareness. People act as if the topic is as interesting as a piece of dead wood. Believe you me, I do not want to be that piece of wood!

Thus, one of my main focuses during a training is to build, and keep, the energy level high.

This can be done by using group exercises, open discussions and by sharing some of your own craziness (and boy, can I be crazy!).

I build an environment where it is safe to ask questions and to wonder. A group where they support and help each other, even when I am no longer there. Because only when motivation and fun are present can we focus on knowledge transfer. That is where the participants get their learning experience. Where the actual message is conveyed, understood and put into use.


So now you know my secret to giving successful trainings!

Maltego Community Edition Available [Carnal0wnage Blog]

Posted: 13 Jun 2008 06:07 AM CDT

Paterva has released a community (free) edition of Maltego v2

From the site:

The Community Edition is limited in the following ways:
  • A 15 second nag screen
  • Save and Export has been disabled
  • Limited zoom levels
  • Can only run transforms on a single entity at a time
  • Cannot copy and paste text from detailed view
  • Transforms limited to 75 per day
  • Throttled client to TAS communication
http://www.paterva.com/maltego/community-edition/

A Continental nightmare [StillSecure, After All These Years]

Posted: 13 Jun 2008 03:35 AM CDT

The state of the airline industry is a travesty.  Today United announced that they are joining American in charging a fee for even the first bag of checked luggage.  Combined with the ban on liquids that makes it hard to carry on anything, you are forced to pay up.  This is on top of the already jacked up prices and fuel surcharges they are already charging.  They also charge if you want to fly stand by now, extra for exit seats, aisles, etc, etc.  It is not one airline worse than another, they are all pretty bad. 

Today's travel nightmare though comes courtesy of Continental Airlines. I rarely fly Continental because in coach I find their seats are too close together and my knees get crushed. But flying home from Denver today, they were the cheapest so I booked the flight.

I was scheduled to be on a 4:50 flight out of Denver into Houston. An hour layover, an 8:55 flight from Houston to Ft Lauderdale, and that would get me home around midnight. Long day for sure. So I finished up my meetings and stuff early in Boulder and saw that Continental had a 2:30 flight from Denver to Houston and a 7:10 connection to Ft Lauderdale that would get me in around 10:20pm. I left StillSecure HQ around noon and was at Denver airport by about 12:45. I went to the Continental counter and asked to get on the earlier flight. Because I am a platinum medallion member of Delta, as a Sky Team member I am an elite plus level passenger on Continental. In days gone by that would qualify me for same day ticket changes for free. Not anymore it doesn't! I don't understand what the price of fuel has to do with charging me for same day ticket changes. Anyway, they said I could fly standby for free until June 17th, when even standby is going to cost an extra fee (again they blamed it on fuel costs).

So they put me on standby and told me my luggage would go on the earlier flight. I then went to the 2:30 flight's gate and waited. The ticket counter agent told me about 20 minutes before take off that they only had me as a silver medallion and due to my low status I was far down the list and would not make the flight. My luggage would though. OK, so I will hang at the airport and work a few hours. Just before the plane takes off they call my name and tell me to wait at the end of the jetway. They are checking the plane and if there is a seat I can take it. I get the last seat on the plane, a middle seat.

I arrive at Houston and proceed to the gate for the 7:10 flight to Ft Lauderdale.  I check in with the agent and she tells me the folks in Denver only put me on standby for the Denver Houston flight and I am not on stand by for the Ft Lauderdale flight.  She can put me on and I will probably make it, but my luggage will be going on the later flight.  Now mind you I can see the plane I just got off of out the window and could have gone to the jetway and told the guys unloading the luggage to grab my bag.  Not wanting to wait two hours in Ft Lauderdale late at night for my luggage to arrive and not wanting to drive down the next day to pick it up I say thanks, but no thanks and decide to wait another two hours for the later flight that my luggage will be on.

I board my 8:55 flight as scheduled and we take off headed for Ft Lauderdale, due to land at 12:15 or so. The plane is hot as heck and about a half hour into the flight the pilot says that we have a pressurization problem and he is turning back to Houston! We turn back and upon arrival near Houston, he tells us we have too much fuel to land and will have to fly around to burn it off. We have no air conditioning, it is hot as can be, and they are telling me how much they charge because of the cost of fuel that they are now flying around in circles to burn off!

We land in Houston, they find another plane and we finally take off from Houston around 11:45 or so. I am writing this on the plane and am due to land about 2:30am. If I find my luggage came on the earlier flight I am going to kill someone.  In the meantime, I have had enough of Continental for a while and they won't see me on their planes very soon.

End of story, we landed around 2:45 and my luggage was waiting for me, having arrived on the earlier flight.  The Continental employee at the baggage claim will remember Alan Shimel for a while, as I gave him a piece of my mind.

What's driving the MSSP craze - critical, but non-core functions are fair game for outsourcing [StillSecure, After All These Years]

Posted: 13 Jun 2008 03:29 AM CDT

I don't know what it is, but lately everyone I am speaking to is talking SaaS, outsourcing and MSSPs. Just today I was reading Neil Roiter's column on the latest acquisition by Perimeter eSecurity. The MSSP acquisition kings have now bought Edgeos, a vulnerability scanning service. I don't really know a lot about them, but it seems their vulnerability service does not utilize a distributed or local server at the customer's location. I am not sure how they deal with things like firewalls and such that would result in very different results from an internal scan, but that isn't the point here. The fact is that MSSP service providers, whether it be large carriers like Verizon or ATT, or dedicated security MSSPs like Perimeter or SecureWorks, or smaller MSSPs like ProtectPoint here in Florida, are finding fertile ground. I will talk more at the end of the article about what kind of MSSP will likely be your MSSP in the future.

Why are they seeing such success and who are they seeing this success with? My experience with this goes back to my days at Interliant, one of the early ASPs and managed security providers. At one time (late 90's, early 2000) we were probably the largest Checkpoint firewall provider in the eastern US. We managed a bunch of firewalls and that passed for MSSP back then. Still does for a lot of folks today. One of the critical lessons I learned at Interliant was that people will not outsource everything. You can break down what most any organization does into three categories. There are non-critical, non-core activities; critical, but non-core activities; and core and critical activities. A company is never going to outsource core, critical activities. Outsourcing non-critical, non-core activities is a no-brainer. Showing companies that outsourcing critical, non-core activities makes sense is the key to success of the service provider market. These are activities that are critical and therefore must have services for the organization, but they are not core to the organization's functionality and they probably don't have deep expertise in that area. Analysis will show that it is better business to outsource this non-core but critical functionality.

Security is squarely in the sweet spot here. Most organizations acknowledge that security, whether for compliance or other business reasons, is critical to the business function. However, it is not the core expertise of these companies. Therefore outsourcing it is a smart business move. For the most part, companies do not have the in-house expertise to run their own security. Part of the blame lies with security vendors; we make our products too damn hard. Part of the problem is the complexity of the problem to be solved. Security is hard. Another part of the problem is that in-house security just does not, for the most part, get its fair share of the resources in order to do the job. In any event, I think outsourcing security is not just a fad and is here to stay. It will continue to grow in the years to come.

Just a couple of other things though. Finance is an exception here. Security is a core function in finance, as the security of your money and information is core to a financial institution's function. However, at the mid-size level and below, financial institutions do outsource security. I have seen several MSSPs who specialize in this vertical. Lastly, I think the real battle will be over who you get your managed security from. Do you get it from a general purpose network vendor, like Verizon, ATT, IBM or HP? Do you get it separate from your network, from a security expert like Perimeter or SecureWorks? That is where the real battle is going to be over the coming months.

Links for 2008-06-12 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 13 Jun 2008 12:00 AM CDT

Ideal Tool to Solve Real Problems ... of the Near Future? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 12 Jun 2008 09:02 PM CDT

Remember my write-up about an ideal log management tool?

Somebody asked me: "That's great that you have such a clear vision of a future log management technology - but tell me first what future business problems will such 'ideal tool of the future' solve?"

First, I laughed and said: "Dude, look around, will ya? :-) There are plenty of log-related problems today which we are not even close to solving. We need to solve the problems of today first, before we can get to solving the future problems..."

So, what do I consider to be the biggest log-related problems of today?

  1. Not knowing what to log - whether for compliance, tracking attackers or troubleshooting system problems. Remember all the comedy about "Tell me EXACTLY what to log for PCI?" If not, reread it!
  2. Log volume - there are too darn many log messages (seriously, 100,000 each second is a lot of log - but there is more at large companies!), and, which is worse, a lot of them are of unknown value to the users (might be useful, might not - but you never know in advance); thus, logs clutter networks, systems and the brains of security/system analysts.
  3. Log diversity - logs all look different (at least while standards are being developed) and no single person has the skill set to understand more than a few types. PIX admin grokking SAP logs? No way!
  4. In light of the above, just pure bad logs are also a major challenge - logs that miss a key piece of info (like the infamous "login failed" without the username...) or are useless in some other way are sadly common.
  5. How about getting the logs from all the nooks and crannies where they are stuck (think application logs here) - it is a problem if you want to achieve (expand, rather) your operational awareness of applications.
  6. Finally (not really, the list can go on and on), making sense of logs in an automated fashion is still the #1 challenge (IMHO) - we are getting better at creating tools for humans to go thru logs (via reports and search), but the log->conclusion process still requires a human, and a darn smart one.
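Items 3 and 4 above (log diversity, and "bad logs" that drop a key field) are the ones a tool can at least make visible. The following is an added example, not code from the post or from any product it mentions: a small normalizer that maps lines in three constructed formats (an sshd-style auth message, a firewall-style key=value record, and an application JSON record) onto one event schema and then flags each event whose required fields are absent. The formats, the sample lines, and the per-event required-field table are all assumptions made for the example; real requirements come from your own use cases.

```python
"""Normalize diverse log lines into one schema and flag incomplete events.

Added example only; every format, field name and sample line below is
constructed for illustration and is not taken from any real product.
"""
import json
import re
from dataclasses import dataclass, field

# Fields an analyst needs per normalized event type (assumed for the example).
REQUIRED = {
    "login_failed": {"user", "src_ip"},
    "login_ok": {"user", "src_ip"},
    "conn_denied": {"src_ip", "dst_ip", "dst_port"},
}


@dataclass
class Event:
    source: str                                # which parser recognized the line
    event: str                                 # normalized event name
    data: dict                                 # normalized field -> value
    missing: set = field(default_factory=set)  # required fields that are absent


# Constructed sshd-style message; an empty username survives as an empty group.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<status>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S*) from (?P<ip>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_json(line):
    """Constructed application record: {"evt":"login","result":...,"user":...,"ip":...}."""
    if not line.lstrip().startswith("{"):
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if rec.get("evt") != "login":
        return None
    ev = "login_ok" if rec.get("result") == "success" else "login_failed"
    data = {}
    if "user" in rec:
        data["user"] = rec["user"]
    if "ip" in rec:
        data["src_ip"] = rec["ip"]
    return Event("app", ev, data)


def parse_sshd(line):
    m = SSHD_RE.search(line)
    if not m:
        return None
    ev = "login_ok" if m.group("status") == "Accepted" else "login_failed"
    return Event("sshd", ev, {"user": m.group("user"), "src_ip": m.group("ip")})


def parse_kv(line):
    """Constructed firewall record: action=deny src=... dst=... dport=..."""
    kv = dict(KV_RE.findall(line))
    if kv.get("action") != "deny":
        return None
    rename = {"src": "src_ip", "dst": "dst_ip", "dport": "dst_port"}
    data = {new: kv[old] for old, new in rename.items() if old in kv}
    return Event("firewall", "conn_denied", data)


PARSERS = (parse_json, parse_sshd, parse_kv)


def normalize(line):
    """Return the first parser's Event with empty values dropped, or None."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            ev.data = {k: v for k, v in ev.data.items() if v not in ("", None)}
            ev.missing = REQUIRED[ev.event] - set(ev.data)
            return ev
    return None


def audit(lines):
    """Split lines into normalized events and lines no parser understood."""
    events, unknown = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unknown.append(line)
        else:
            events.append(ev)
    return events, unknown


def summarize(events, unknown):
    out = {"by_event": {}, "incomplete": 0, "unparsed": len(unknown)}
    for ev in events:
        out["by_event"][ev.event] = out["by_event"].get(ev.event, 0) + 1
        if ev.missing:
            out["incomplete"] += 1
    return out


# Constructed sample input: one good auth line, one "login failed without the
# username", one firewall deny, one app login missing the user, one unknown line.
SAMPLE = [
    "Jun 12 20:01:07 bastion sshd[2210]: Accepted password for alice from 10.0.0.4 port 4410 ssh2",
    "Jun 12 20:01:09 bastion sshd[2211]: Failed password for  from 10.0.0.5 port 4412 ssh2",
    "Jun 12 20:01:11 fw1 action=deny src=10.0.0.9 dst=192.0.2.1 dport=445 proto=tcp",
    '{"evt":"login","result":"failure","ip":"198.51.100.7"}',
    "Jun 12 20:01:13 erp1 PAYROLL batch 17 finished rc=0",
]

if __name__ == "__main__":
    evs, unk = audit(SAMPLE)
    for ev in evs:
        if ev.missing:
            print(f"{ev.source}: {ev.event} missing {sorted(ev.missing)}")
    print(summarize(evs, unk))
```

The `unparsed` count is the measure of item 3: every line no parser claims is a format nobody on the team has written down yet. The `incomplete` count is item 4: the event was recognized, but the fields you would need to act on it are not there, so the right fix is upstream at the logging source rather than in the tool.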

Now, when you read the above think "end user", not "log management vendor" challenges (I plan to post about these later). My idea of an ideal tool will seek to solve these and others.

Along the same line, this picture from 4th SANS Log Management Survey shows how people perceive the logging challenges:

[image: chart from the 4th SANS Log Management Survey on perceived logging challenges]

as well as my logging challenges poll (analysis here):

[image: results of the logging challenges poll]

Now, let's think of logging problems of the near future, say in 2 years.

But you'd have to wait for the next post for this :-)

EU bloggers under assault by the European Parliament - they need your help [StillSecure, After All These Years]

Posted: 12 Jun 2008 09:09 AM CDT

One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world. Some of the most prolific contributors to the content of the SBN have been the members of the Belgian Security Bloggers Network. I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government. It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.

The explanatory notes of the proposed regulation say this:

In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.
It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.

As the belsec author points out, disclosure of their identities would effectively silence their voices. There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have to. The EU is a democratic, progressive entity. Forcing these bloggers to make their "status and identity" public should not be mandatory here.

Blogs are today's pamphlets. Basic freedom of expression, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights. What would Thomas Paine and others like him think of this restriction?

If you feel that this is an unfair and unjust restriction on bloggers' rights, blog about it. It is our right to do so and we should use the medium to do so. If you are an EU citizen write to your representative and demand that this proposed regulation does not go into effect!

Do not take your right to blog lightly.  If you don't stand up for it, it can be taken away from you.

"The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine


1 comment:

Unknown said...

Hello all, I would also like to give my opinion on Risk and Compliance.
IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: Greater business value from IT strategy, investment and alignment, Significantly reduced business and financial risk from the use of IT, and Conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report.
You can also get more information from http://www.compliancehome.com/symantec/