Spliced feed for Security Bloggers Network |
Risk and CVSS (Post 1) [Risktical Ramblings] Posted: 24 Aug 2008 05:02 AM CDT I recently stumbled across the CVSS v2 vulnerability scoring method – as I was writing a post about risk vernacular. Per the CVSS v2 complete guide, "The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impact of IT vulnerabilities." As I started highlighting parts of the guide that were thought provoking from a risk perspective, I realized this would probably result in at least two posts – maybe three. So off we go… I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessment efforts. In my opinion, there are some really useful "metric vectors" that provide a simple yet powerful way to analyze a vulnerability. In addition, I really like how they have a simple "scoring vector" – essentially a shorthand representation of all the individual "metric vectors". I could see how this could be really useful for archiving / documenting purposes but also for programmatic manipulation for other purposes. Thought 1: One of the first things that stood out to me as I started reading the CVSS guide was on page three, where they talk about "prioritized risk". While I agree that their vulnerability score can be considered contextual and be used to compare variance in multiple vulnerabilities – I do not agree that it is representative of the actual risk to the organization. Here is why. Nowhere in CVSS is there a metric for gauging how often assets within your environment - that have the vulnerability being analyzed - are being attacked, let alone compromised. Now, I am not implying that the authors and maintainers of CVSS are trying to mislead security professionals – but I think this underscores a problem within our industry about knowing what risk is, the elements that make up risk, and risk vernacular. Let's talk about vulnerability for a minute.
Generally speaking, it can be something (noun, a weakness) or a state / condition (adjective, my application is highly vulnerable to x). It would appear that CVSS accounts for both because you use CVSS to determine how vulnerable you are to vulnerability. Sounds confusing – but not all is lost. FAIR – the risk assessment methodology I use - accounts for vulnerability as a condition. Within FAIR, vulnerability is derived from "threat capability" (the percentage of my threat community that can overcome control resistance) and "control resistance" (the percentage of control resistance I have against the "threat population" as a whole; for FAIR, threat community is a subset of threat population). When you have and can leverage a methodology and risk taxonomy like FAIR – you can see how easy it is to not take for granted what I would call risk term generalizations – using terms without truly understanding how they should be properly used or not knowing what they really mean. Just to reiterate – vulnerability is an element of risk – not risk itself. Thought 2: On page 6, section 1.7 of the guide "Quick Definitions", "threat" is defined as the "likelihood or frequency of a harmful event occurring". This is the closest that CVSS comes to touching "threat event frequency" or "loss event frequency". Threat can be both a noun and a verb – but I have yet to see a dictionary that includes likelihood in its definition. It may sound like I am splitting hairs on definitions and picking on the CVSS folks – this is not my intention; but some of the concepts being discussed are foundational to understanding risk. To wrap this first post about CVSS, I would offer the following: 1. That the CVSS-SOG consider participating in The Open Group; specifically in the "Risk Management and Analysis Taxonomy" forum.
In the next CVSS related post, I will focus more on the CVSS Metric Groups and how these have forced me to take a step back and evaluate the rigor and consistency I apply to risk assessments. |
Please help by filling out our survey [Episteme: Belief. Knowledge. Wisdom] Posted: 23 Aug 2008 03:11 PM CDT At our recent Defcon 16 talk on Careers, Lee Kushner and I released a survey on careers in the information security industry. Lee and I have spent the last couple of years having a good number of conversations on the way that people navigate careers in this industry, and we have talked about it at a few conferences now. But we got really tired of not having any real data on the topic. There are a good number of “career” or “salary” surveys that are done every year, but all of them have a particular slant - whether they’re performed by a professional organization or a media outlet, there’s a particular audience that is served by the survey that tends to slant the results toward a particular segment of the industry. Lee and I were lamenting this a few months back, and one of us said: “Man, wouldn’t it be fantastic if there was a survey that covered the entire breadth of the industry, with no particular audience as a target?” Since there wasn’t, we decided to create one. And, since we’re not great survey experts, we worked with Dr. Max Kilger, a Ph.D. from Stanford who has done great work with the Honeynet Project. Max’s brilliant guidance helped us turn the survey into something useful for gathering real, unbiased data on what’s going on in the industry. So, I’m asking - please help us out with this one by filling it out. We’d love to be able to come back at the end of 2008 and give some real data to the industry on what’s actually going on out there. |
Red Hat Linux servers compromised [SecuraBit] Posted: 23 Aug 2008 09:34 AM CDT As announced on a Fedora mailing list, some Fedora servers were illegally accessed and “a small number of OpenSSH packages” were signed by the intruder. The servers were taken offline quickly after the breach was discovered. As a security precaution, Red Hat has changed the signing keys for Fedora, updated OpenSSH packages and also issued [...] |
VRT challenge [Random Thoughts from Joel's World] Posted: 23 Aug 2008 08:31 AM CDT The guys and girls over in the VRT (Vulnerability Research Team) at Sourcefire want to give you a challenge. Read this post over here, and get your reverse engineering skills up to par. Have fun! |
Dan Kaminsky loves SecuraBit and you should too! [SecuraBit] Posted: 22 Aug 2008 09:08 PM CDT We tossed him a shirt while he was at the IOActive party just before we ventured up to the Core Impact party in Caesars Palace. Thanks for your support Dan! |
Latest tools from Defcon 16 [SecuraBit] Posted: 22 Aug 2008 08:46 PM CDT Thanks to Mubix for his posting on ZDNet, below you will find a link that describes all of the latest tools that were presented at Defcon 16. Use them at your own discretion and make sure you have permission if using them on an enterprise network! As Mubix has no control over the ZDnet posting, [...] |
Privacy? What Me Worry? [Liquidmatrix Security Digest] Posted: 22 Aug 2008 03:56 PM CDT I’m always surprised (for some reason) when I wander into a new corporate environment. Walking from the front door to the conference room of the day I invariably pass workstations with Facebook, MySpace or something equally inane gracing the screen. To say nothing of folks who install P2P apps on their corporate systems. Where’d their brains go? It’s not like they don’t get the riot act read to them when they start a new job. For that matter most environments provide regular “security awareness” training. Still it continues. CIO has an interesting article on the enduring disregard that white collar folks have for privacy.
How can we as security folks bridge the gap to help educate folks in a meaningful manner? I’m going to take this box of chocolate bars and go for a walk.
|
Diebold/Premier Voting Machines Crap Setting On 11 [Liquidmatrix Security Digest] Posted: 22 Aug 2008 03:32 PM CDT That purveyor of all things craptacular, as it pertains to electronic voting, is in the news again. (natch) From The Columbus Dispatch:
Recovering taxpayer dollars for a start. What about auditing the results of past…oh, who am I kidding? Silly me. So, these machines that “lose” votes will not be fixed in time for the election? I say it’s time for one helluva refund for the State of Ohio. Get those pencils sharpened. Time to roll back to tried and true voting methods. |
Favorite Olympic Moments [The Falcon's View] Posted: 22 Aug 2008 01:22 PM CDT |
SQL-Injection How-To [Roer.Com Information Security - Your source of Information Security] Posted: 22 Aug 2008 11:58 AM CDT SQL Injection attacks use form inputs in order to manipulate the SQL server. In these kinds of attacks, the hacker may get control over the server, and thus access information that should be protected. In order to better control and protect yourself against such attacks, it is always nice to know more about how they work. Kassaras has made a very nice How-To, where he explains in detail how you can set up a test system and then try to manipulate it. The post is well worth a read! |
Red Hat’s Fedora Servers Breached [Liquidmatrix Security Digest] Posted: 22 Aug 2008 10:37 AM CDT It turns out that last week Fedora servers, including one that is used to sign packages, were compromised. Red Hat claims that the servers were taken offline as soon as the breach was “quickly” discovered. The question lingers. When were they breached? From Redhat.com:
Running Fedora? You might want to check your systems just to be safe. Also, the folks at Red Hat are asking for anyone that has information on this breach to contact their legal folks via “fedora-legal SHIFT2 redhat com”. They make a point of noting that the Fedora and Redhat servers are separate. The Red Hat servers also use a different key that was not accessed. |
DEFCON 16 The Tools not the Toools [Room362.com] Posted: 22 Aug 2008 09:37 AM CDT Originally posted to the Zero Day blog on Ziff Davis: http://blogs.zdnet.com/security/?p=1735 This article was also referenced in a Dark Reading blog post by John Sawyer: http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=162049 All updates will reside here as I have no control over the article on Ziff Davis. DEFCON, the 9000+ attendee hacker conference in Vegas, has become a sort of hydra conference. It has become more like a global fair than what most people think of as a conference; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks, and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release. Before anyone has a chance to post “It’s all on the DEFCON CD dummy” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post. The DEFCON CD can be found here: http://edge.i-hacked.com/defcon16-cd-iso-posted Think you are good enough? The binaries from Capture the Flag have been posted here: http://nopsr.us/ctf2008/
PE-Scrambler by Nick Harbour
Packet-O-Matic by Guy Martin
SA Exploiter by Securestate
Fast-Track by Securestate
Beholder – by Nelson Murilo and Luis Eduardo
The Middler – by Jay Beale
ClientIPS – by Jay Beale
Marathon Tool – by Daniel Kachakill
The Phantom Protocol – by Magnus Brading
ModScan – by Mark Bristow
Grendel Scan – by David Byrne
iKat – interactive Kiosk Attack Tool (This site has an image as a banner that is definitely not safe for work! – You have been warned) by Paul Craig
DAVIX – by Jan P. Monsch and Raffael Marty
CollabREate – by Chris Eagle and Tim Vidas
VMware Pen-Testing Framework – by John Fitzpatrick
Dradis – by John Fitzpatrick
Squirtle – by Kurt Grutzmacher
WhiteSpace – by Kolisar
VoIPer – by nnp
Barrier – by Errata Security
Psyche – by Ponte Technologies
|
Reputation Damage & Measurement [RiskAnalys.is] Posted: 22 Aug 2008 09:33 AM CDT Reputation damage can be one of the most difficult concepts to build measurements around. In fact, it can be difficult to develop the actual metrics for the measurements, as well. Damage to things like “corporate reputation” and “goodwill” and “brand equity” can be difficult to wrap even reasonable dollar estimates around (When I use FAIR, I really only care to use one metric when describing loss magnitudes - the almighty currency). A complicating factor is the impact (or lack thereof) of incidents on stock price. Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bellwether metric for incident impact. I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!” But these days notable incidents seem to suggest that the impact on stock price for an incident is short lived. With qualifications, of course. So what would/should we make of this from Money.co.uk? £12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients
That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases. It’s like when you read the headlines from Bloomberg about why the day’s stock (or commodity) prices are up or down. You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines. You really do have to question the causality and correlation. So in the Helphire case above - is this new drop in stock really because of the email sent? If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated due to the long-term trend of stock price? Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement - about the future, present or past. The best we can do is use ranges, distributions, that are reasonable based on evidence and observation. So it’s worth filing away this sort of datum for future use - while dutifully acknowledging the qualifiers we might place around it. So the questions I ask here - what should we make of this new information, and how should we view the $24million drop - they’re not rhetorical. I am very interested in your views and welcome your comments! |
All I Need To Know About Project Management I Learnt From My Cats [The InfoSec Blog] Posted: 22 Aug 2008 09:29 AM CDT The most interesting, creative, fun and innovative people don’t run with the pack. You’re a leader because your team believes you are worth following, not because you are appointed leader. You don’t lead by giving orders, you lead by motivation. Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously. ‘Who’s to blame’ is the [...] |
Fedora servers pwnd [Network Security Blog] Posted: 22 Aug 2008 09:18 AM CDT The servers at Fedora were attacked and compromised recently. The folks at Redhat are confident that none of the Fedora packages were compromised, but I’d be cautious for a while until the whole story is known. |
PaulDotCom Security Weekly - Episode 119 - August 21, 2008 [PaulDotCom] Posted: 22 Aug 2008 09:16 AM CDT Paul & Larry are back in the studio!
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian Email: psw@pauldotcom.com |
Are Mission Statements High Entropy? [The InfoSec Blog] Posted: 22 Aug 2008 09:08 AM CDT My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits. Hmm. A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy. No Gary, I think that corporate mission statements, like political party policies, are high entropy, and with a high negative correlation with [...] |
Billion and Billions. [The InfoSec Blog] Posted: 22 Aug 2008 09:00 AM CDT No, not a Google, it’s a Sagan! I’m sure that like me you get mails that read something like From:Mr.John Lewis Phone No: 44-702 409 9061 This is to inform you that your funds of US$15 Million has been approved for immediate delivery to you. For the purpose of clarification,you are advised to reconfirm your Full Names,Direct Telephone Numbers,Physical Address with Zip Code [...] |
A sign of the times [The InfoSec Blog] Posted: 22 Aug 2008 08:48 AM CDT |
Security Briefing: August 22nd [Liquidmatrix Security Digest] Posted: 22 Aug 2008 07:38 AM CDT Starting the day off in the dentist chair. The bright side being that Friday has arrived. Have a great weekend everyone! Click here to subscribe to Liquidmatrix Security Digest!. And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
Apple’s giving spammers a hand [Network Security Blog] Posted: 22 Aug 2008 12:50 AM CDT I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours. Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad. I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts. Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work. |
Pwnie Award Winners and Video Posted [...And You Will Know me by the Trail of Bits] Posted: 21 Aug 2008 05:11 PM CDT Congratulations to all of the nominees and winners of the 2008 Pwnie Awards. We had a much larger turnout for the ceremony this year and we actually had people present to accept their awards and give acceptance speeches. In case you missed the awards, you can see the list of winners at the Pwnie Awards site. Or get yourself some fresh popcorn, a cold beer, and some nice buggy code to relax and watch the video that Alex Sotirov just uploaded today. Be sure to mock the guy with the “I 3> Pwnies” t-shirt. |
Many banks have design flaws that facilitate phishing [Tim Callan's SSL Blog] Posted: 21 Aug 2008 04:25 PM CDT The Street picked up some tips I published for people to protect themselves online. That fact got me reading the article originally, but what I want to call your attention to today is the other half of the article, which details some interesting research implying that online banks commit an awful lot of errors that enable phishing against their customer bases. States the article,
The study found that of the 214 U.S. financial institution Web sites that were analyzed, 76% of them had at least one design flaw which could compromise your financial data.
|
AppleCare Support Call Foolishness [Liquidmatrix Security Digest] Posted: 21 Aug 2008 03:08 PM CDT Tom has a post that just has to be read on his experiences with the support folks at Apple. He called them when the hard drive on his wife’s laptop started to fail. From spylogic:
Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting. |
Surprise! Microsoft copies Apple, again. [Random Thoughts from Joel's World] Posted: 21 Aug 2008 12:34 PM CDT According to this article over on BBC News, IE8 will include a "Privacy feature" while browsing. Something that has been in Apple's Safari browser for at least a couple of versions now. I mean, it's obvious they were going to copy it, as it's a great feature... but just wanted to point out the obvious right quick. |
Free online viewable magazines?! [SecuraBit] Posted: 21 Aug 2008 12:15 PM CDT We are going to approach this subject very lightly as I’m sure it’s clearly copyright infringement, however Lifehacker has a great post for a website called Mygazines. (which we won’t link to for legal purposes) Basically it’s a repository of scanned magazines encompassing just about anything and everything your heart desires, minus the pr0n. [...] |