Wednesday, November 12, 2008

Spliced feed for Security Bloggers Network

Samurai Web Testing Framework - Web Application Security LiveCD [Darknet - The Darkside]

Posted: 12 Nov 2008 05:52 AM CST

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use [...]

Read the full post at darknet.org.uk

Network Security Podcast, Episode 127: DHS Secretary Michael Chertoff [Network Security Blog]

Posted: 11 Nov 2008 11:54 PM CST

When I first got an invitation to attend a roundtable discussion with Department of Homeland Security Secretary Michael Chertoff, I thought it was a hoax, as did some of the people I asked about it.  A little fact checking revealed that it was the real deal, but the meeting was in Washington, DC.  Traveling cross country for an hour meeting isn’t in my budget, so I regretfully passed on the opportunity.  Fast forward a month and the invite comes again, but this time it’s happening at Stanford University.  There’s no way I could pass that by.  Andrew Storms and George Ou expressed interest in going and Secretary Chertoff’s Press Secretary, Caroline Dieker, made the arrangements and we were all invited to attend.

I was impressed by Secretary Chertoff; he speaks plainly, with only a little of the evasion I’d expected from someone in a position like his.  I don’t agree with all his arguments and ideas, but he was very open to discussing them publicly.  I almost feel bad that he’s going to be gone come January.  I tried to tweet the whole thing as much as possible, but it’s easy to get distracted in a situation like this.  I captured the entire conversation on my little iRiver 795 and here it is so you can listen for yourself. 

Network Security Podcast, Episode 127, November 11, 2008 - Blogger Roundtable with DHS Secretary Michael Chertoff

I’m posting a copy of the live tweets in the comments, along with the replies.

Seinfeldian Estimates [BumpInTheWire.com]

Posted: 11 Nov 2008 11:27 PM CST

Elaine: So you’re saying only about 5% is datable??
Jerry: Yeah.
Elaine: Then how are all these people hooking up and getting married??
Jerry: Alcohol.

Is that even a word?  Seinfeldian?  If it’s not, it is now.  I’d say that the estimate referenced above applies to a lot of meetings as well.  I’ve spent the last two days in all day meetings and I’d say about 5% of it was of value to myself.  And I’d feel safe guestimating that others had the same experience.  If you’re gonna gather up a bunch of people and individually they are only going to get value out of 5% of the content I don’t know how you can consider the meeting worthwhile.  It wasn’t a complete waste though.  It did allow me to catch up on some reading and planning for a few things.  It’s funny how even with a room full of people discussing things you can get a lot of things accomplished knowing that you are not going to be interrupted.

We did have a little NAC experience this morning in this meeting.  One of the presenters wanted network access so we plugged him into the port for secure, guest access.  Something was amiss on his notebook because he wasn’t able to get internet access or any network activity for that matter.  Of course I thought something was wrong with our LANenforcers but after the meeting late this afternoon I took a different notebook up there and was able to successfully get internet access as a guest.  So the NAC solution was working.  This guy must have had something local to his PC causing network issues.

Outsourcing Security is NOT Riskier [Matt Flynn's Identity Management Blog]

Posted: 11 Nov 2008 02:34 PM CST

Network World posted an article yesterday titled Myth or truism? Security experts judge conventional wisdom. I really love the idea of putting a panel of security experts together for a single question - it gives you multiple points of view on an issue. I also like that it wasn't conversational. Without hearing the other expert answers, people were free to wildly disagree with the crowd.

Expert Advice

The first take-away is that there is almost never consensus. So, add your own perspective to whatever security advice you hear. There will usually be someone smart who disagrees and you'll need to find your own middle ground based on your individual needs.

Outsourcing Security

The other really interesting thing I took away is on the topic of Outsourcing Security. Other than one, all of the experts seem to acknowledge the potential for better security in outsourcing. I often hear the argument that outsourcing has benefits in spite of security concerns. But, this panel had good reasons why outsourcing may create better security. Here are a few of the responses:

People are risky, whether they get a paycheck signed by you or one signed by the outsourcer... Often, an outsourcer has more security measures in place than you do.
- Bruce Schneier

If you need 24/7 coverage, choose a solid managed security service provider, and choose the right services to outsource.
- John Pescatore

Outsourcers can hire better people and because they see more real bad things, they are better at reacting.
- Richard Stiennon

As I said above, think about your own needs and make your own analysis, but hopefully we can agree to stop assuming that outsourced security is less secure.

Technology is not the answer to compliance [PCI Blog - Compliance Demystified]

Posted: 11 Nov 2008 01:26 PM CST

I want to take a stand against people who preach technopliance.  Technopliance is the belief that compliance only comes through technology, and that getting the wrong technology will make you non-compliant.  I’ve always said that technology will not make you compliant or non-compliant, but properly configured technology can reduce risk and help protect cardholder data.

Last year, people said virtualization would break compliance.  This year, people said cloud computing would break compliance.  And every day people say you need one technology or another to get compliant.  This frustrates both sides of the aisle: information security professionals and compliance struggling towards compliance.  It’s the configuration of that technology, not the product itself.  It’s the utility of those systems in risk management, not the application of point solutions.

Here is an actual story about a company trying to reduce their compliance requirements.  A company was receiving credit card numbers (just the PAN) for correlation purposes.  They realized they didn’t need the PAN, just a unique reference number.  They decided to securely hash the PAN (salted value) and only receive that hash of the PAN, leaving no possibility of them ever getting back to the original PAN.  By doing this they were not “storing, processing, or transmitting cardholder data”, nay they were not even receiving it!  But someone was telling them they needed PCI compliance, and technology would get them there.  If they don’t receive the information, then what is there to protect?  What is there to make compliant?  Nothing.

One thing I’m learning from companies that have been through the compliance wringer for 1, 2, or 3+ years is that they are looking to reduce their costs and reduce the roadblocks.  They no longer care as much about compliance technology, and focus instead on risk management.  They care about reducing their costs and managing risk.

If you want the secret to success, focus on risk management with compliance being a byproduct, not the driving focus.
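The PAN-to-reference scheme in the story above, as an added example that is not part of the original post or the company's own code: the sender replaces each PAN with a keyed hash before transmission, and the receiver correlates on the reference alone. It assumes the "salt" is a secret key held only by the sender (HMAC-SHA256); the key, function names, record layout and card numbers are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the "salt" is a secret key that never leaves the sending party.
# Constructed value for this example only.
SENDER_KEY = b"constructed-example-key"

# Constructed sample feed; the card numbers are standard test values.
SAMPLE = [
    {"id": "order-1001", "pan": "4111 1111 1111 1111"},
    {"id": "refund-2001", "pan": "4111-1111-1111-1111"},
    {"id": "order-1002", "pan": "5555555555554444"},
    {"id": "order-1003", "pan": "4111111111111112"},  # fails the Luhn check
]


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators so one card always yields one reference."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"[0-9]{12,19}", digits) or not luhn_ok(digits):
        raise ValueError("input is not a well-formed PAN")
    return digits


def pan_reference(raw: str, key: bytes = SENDER_KEY) -> str:
    """Keyed hash of the normalized PAN, used as the correlation reference."""
    pan = normalize_pan(raw).encode("ascii")
    return hmac.new(key, pan, hashlib.sha256).hexdigest()


def to_outbound(records, key: bytes = SENDER_KEY):
    """Sender side: replace 'pan' with 'ref'; malformed input is held back."""
    outbound, rejected = [], []
    for rec in records:
        try:
            ref = pan_reference(rec["pan"], key)
        except ValueError:
            rejected.append(rec["id"])
            continue
        outbound.append({"id": rec["id"], "ref": ref})
    return outbound, rejected


def correlate(outbound):
    """Receiver side: group record ids that share a reference."""
    groups = {}
    for rec in outbound:
        groups.setdefault(rec["ref"], []).append(rec["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    feed, held_back = to_outbound(SAMPLE)
    print("sent to receiver:", feed)
    print("held back by sender:", held_back)
    print("correlated by receiver:", correlate(feed))
```

Because card numbers come from a small, structured space, the reference is only as hard to reverse as the key is secret, so a salt that travels with the data would not give the receiver that property. Rotating the key also breaks correlation with references issued under the old key.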

All the stuff I don’t have time to blog about [Network Security Blog]

Posted: 11 Nov 2008 09:06 AM CST

We’re all busy and the more stories I accumulate in my browser, the less time it seems I have to do anything with them.  So in order to clear out some of the open tabs, here’s some of the stories I’ve been reading lately:

Is that enough?  I think so.

A Beginners Guide to Integrating Security into the SDLC (Part One) [Ascension Blog]

Posted: 11 Nov 2008 07:37 AM CST

In response to a few inquiries that I've gotten I've decided to address the basics of how to integrate security into a system development lifecycle (SDLC).  This work was initially part of a paper that I wrote for my Masters program at Norwich University.  I've shared the paper with a few clients when the subject has come up and the feedback has been positive enough that I've decided to revamp it for posting here. 

The paper was written under the assumption that the reader would be unfamiliar with the technical aspects of information security (as is true of most management types – after all that is what they hired us for isn't it).  My aim was to illustrate information security without being overly technical and thus risk losing my audience.  The paper was a bit too long to place in one post here so I've decided to break it up into a few installments.   So without further ado – A Beginners Guide to Integrating Security into the SDLC. 

Introduction

The goals of any company are to deliver a quality product at the lowest reasonable cost and with the highest profit potential.  The emergence of the Internet over the last 30 to 40 years has caused a shift in the typical business model and drastically influenced the way that companies conduct business.   

Information Security is really a subset of business risk management, which has been around for centuries.  The protection of information itself has been traced as far back as the Renaissance and double entry bookkeeping as a tool for measuring and controlling corporate assets (1).  As the means of recording and maintaining information evolved over time, so did the methods of controlling information. 

Effective Information Security is security that is incorporated at the onset of a project.  If it is included as a requirement early in the system development and/or acquisition process, it typically results in less expensive and more cost effective security.  Waiting to integrate security until later in the process usually results in interoperability issues and increased cost. 

The purpose of information and information systems is to process, store, transmit, and receive information for individuals and people to use in some form.  In order for this information to be useful, it must be accessible by those individuals who need it, maintain its integrity, and be available when needed.  These objectives are classically referred to as the security triad: confidentiality, integrity, and availability. 

In order to achieve these objectives, some measure of quality control needs to be enacted to ensure the achievement of these objectives.  Because information systems involve the interaction of people with machines in order to access and interact with the actual information, information security involves human elements as well as technical elements. 

Dr. Joseph Juran, a pioneer in quality management, "is recognized as the person who added the human dimension to quality – broadening it from its statistical origins (2)."  Incorporating security as a requirement at the onset of a project is part of the quality control process and must address not only the technical controls employed within systems but also how humans will actually interact with the technology employed.

The following sections address the integration of information security concerns within the system development life cycle and how it reduces risks to a manageable level.  Following in the spirit of the Pareto Principle (see Footnote 1), recommendations focus on measures which are both cost effective and risk averse.

Footnote 1: It was the Italian economist Vilfredo Pareto who, at the beginning of the 20th Century, observed that 80% of the wealth in Italy was owned and/or controlled by 20% of the population.  While many others also observed similar phenomena, Dr. Joseph Juran described what he termed as the “vital few and trivial many.”  Dr. Juran was able to identify that typically 20% of the defects cause 80% of the problems in a product.  "The 80/20 Rule" or Pareto's Principle, as illustrated by Dr. Juran, can be applied during the SDLC to achieve the implementation of quality security controls as well as ensure cost effectiveness.

In Part Two we'll address the Key Roles and Responsibilities within the SDLC, Security Properties, and the Phases of the SDLC. 

In Part Three we'll look at each of the SDLC Phases and review the security considerations of each.

And in Part Four we'll wrap it all up into a conclusion. 

I'd be interested in hearing any feedback you may have.  Translating security to management is always a moving target so the more viewpoints that can be incorporated into the approach the better. 

References:

National Institute of Standards and Technology, Special Publication 800-64 – Revision 1, Security Considerations in the Information System Development Life Cycle, June 2004

Sources Cited:

1 - Bosworth, Seymour. Jacobson, Robert V.  "Brief History and Mission of Information System Security." Computer Security Handbook, Fourth Edition. Ed. Seymour Bosworth, M. E. Kabay.  New York: Wiley & Sons, 2002.  1-3.

2 - Our Founder: Juran Institute (http://www.juran.com/lower_2.cfm?article_id=21)


WPA Wi-Fi Encryption Scheme Partially Cracked [Darknet - The Darkside]

Posted: 11 Nov 2008 03:18 AM CST

Well WEP came down long ago, it was only a matter of time before the standard that succeeded it fell too - WPA. The big news last week was that WPA has been cracked finally, it’ll be discussed this week at the PacSec Conference. After the insecurity of WEP was exposed the majority of routers and [...]

Read the full post at darknet.org.uk

What would you ask the Department of Homeland Security Secretary? [Network Security Blog]

Posted: 10 Nov 2008 08:39 PM CST

Michael Chertoff, the Secretary of the Department of Homeland Security, will be here in California tomorrow.  He’s hosting a blogger roundtable on Cybersecurity and I’m one of an unknown number of security bloggers who’ll be attending the event and talking to Mr. Chertoff face to face.  Quite frankly I was surprised that the Department of Homeland Security was even aware of blogs, let alone willing to step out of Washington to talk to us in person.  I probably shouldn’t be, since the TSA has had a blog for months now, even if I rarely agree with what they post there and never take it at face value.

Mr. Chertoff is on his way out due to the change in leadership our country is going through, but he’s held a highly political and thankless job for some time now.  He has a unique view of the security of not only our nation, but every nation in the world.  So what would you ask the man who’s been responsible for ‘homeland security’?  What do you want to know about how we’re doing security at the highest levels?  What burning questions about the TSA and your shoes are eating away at you?  If it was you going to talk to Mr. Chertoff tomorrow, what’s the one question you’d ask?

I have a number of my own questions, but I know that you can come up with even better.  Leave a comment on this post with the question you’d ask.  Keep it short and concise, make it topical to cybersecurity.  I won’t be asking any ‘attack’ questions, but I’m perfectly willing to ask some of the hard questions.  Personally, I want to know what it’s like to be placed in charge of Homeland Security without any real power to effect change?  Except that most security managers already know what that’s like.

We’re allowed to bring cameras and audio equipment, but no video.  Most of my equipment is for close up interviews, but I’ll do the best I can with what I have.  I’m just hoping the Secret Service doesn’t decide that some of my equipment isn’t acceptable.  Or decide that I’m a security risk at the last minute.

Downplaying Security [ImperViews]

Posted: 10 Nov 2008 02:58 PM CST

I received some comments regarding the extortion blog post I wrote earlier this week. In one of those comments, a friend drew my attention to a previously written article in the Chronicles of Dissent (I've praised this blog in the past; it's one of the best out there). After reading their entry, I second every word written in that post:

Express Scripts said it deploys a variety of security systems designed to protect their members' personal information from unauthorized access. "However, as security experts know, no data system is completely invulnerable," Paz said. "We continue to conduct our investigation. We are notifying our members and clients to enable them to take steps to protect themselves from possible identity theft."

While I think most of us would agree that no data system is completely invulnerable, there are avoidable problems.  Storing SSN is among those decisions that I consider "avoidable error."  You do not need a Social Security number to process a pharmacy claim -- you need the member's plan ID number/membership number and the prescription bill.  In my opinion, there is simply no valid reason for using SSN in this day and age.

Source: The Chronicles of Dissent

So it seems that security (actually the ability to provide security) is downplayed each time there is a security breach or data has been stolen. As a customer (and a security professional), I would like to know exactly what companies are doing to protect my proprietary information. Having fought the information security and data protection battles for more than a decade, I know that this is a perfectly reasonable request. It's not even a matter of cost as much as it is a matter of will.

IT Horror Stories [Network Security Blog]

Posted: 10 Nov 2008 08:56 AM CST

Congratulations to Jason, the winner of the free pass to CSI.  Here’s his story about how a minor change to a script almost caused a major disaster.  I have my own war story about scripts I’ll share later this week.  Here’s a hint:  Always make sure you’re in the proper directory when running your scripts.

This happened when I was first learning to admin UNIX boxes. Another
SysAdmin and I were working on a shell script to lowercase the file
names of 30-40 million image files. They were on an NFS mount that was
used by several servers. These images were part of detail listings of a
relatively busy web site and we were right in the middle of the day.

Now that the background of the mess is fully explained, the story
gets going. We went through several revisions and were testing against
a directory on a desktop system. Nothing destructive happened during
testing and we were getting fairly comfortable with the "safety" of the
script.

We finally thought we had a working script, so we moved it to the
prod server. Then we noticed a "minor" change that needed to be made on
it. We made the change then decided that since this was such a small,
little tweak we could run it on the live NFS mount without any further
testing. Fire in the hole!

The script took off and we watched it run. All was well. Then my
phone rang from the NOC. A panicked operator was on the phone saying,
"Hey what's happening with listing images from xyz.com? They are all
coming up as 404s!" I killed the script while thinking something like
"oh crap, oh crap, oh crap!" Sure enough the script had wiped out about
50% of the images. Amazing how fast a shell script can delete when it
goes haywire.

We pointed the web servers to a backup copy of the images, then
started to recover to the production mount. The backup was a couple
days old, so our image processing guys had to re-upload the missing
work. I was lucky that the online backup was there. I had taken it for
reasons unrelated to this event. The next day I got to explain to the
CIO what had happened.

The moral of the story was backup first and test your script until
it is golden before going live. Then test it again and again and again.
Make sure you are doing it at the proper time, then go to production. We
didn't have change control, so I'd add get all the approvals now too.
Cover your butt.

It was a good lesson. I've never done anything like that again in the last 7 years.

Got SIEM? - Part II [eIQviews]

Posted: 09 Nov 2008 10:30 AM CST


The first issue we need to look at regarding the current state of SIEM is, quite simply, the breadth of data that SIEM solutions can address.  Typically, I look at technology solutions as tools to solve business problems; I've never been a big fan of the "technology for technology's sake" approach to I.T.  So, in that vein, the first question that comes to mind is, "why do we need SIEM in the first place?"  I'd like to discuss two of those use cases here.

Today, SIEM technologies generally rely on a fairly limited set of data: operating system and application log data (from sources such as syslog), Windows event logs, and (in some cases) vulnerability data from scanning engines.  While the events and other data collected from these sources are certainly related to each other from a security perspective, they don't represent a truly complete set of data.  Looking at a typical security incident – such as a system breach initiated from either inside or outside the network – it's clear that having access to other security-related data would provide organizations with a more broad set of information to properly identify and mitigate such an incident.

As an example, a SIEM tool is useful for determining when a system is compromised, since this information is generated in log events; but what happens when an attacker disables logging on a compromised system?  How can a SIEM determine when a malicious user installs trojaned code on a compromised host, or creates a new administrative account, when logging is disabled?  In these cases, having access to a broader set of data collected through methods other than logging – such as configuration and asset data, transport-layer or (preferably) application-layer network data, and even individual host performance metrics (e.g., CPU, disk usage, network bandwidth, etc.) – gives organizations critical additional security information to maintain the confidentiality, integrity, and availability of data.

Another use case is compliance management; while the ability to capture, monitor, and alert on certain types of events is a critical function that SIEM solutions serve well, in reality, compliance is about a lot more than events; regulations and best practices such as PCI, COBIT (and by extension, SOX), ISO27002, and many others mandate not only the capturing of specific types of events, but also ensuring system configuration standards, and – in some cases, such as internal standards and metrics measurement – performance and capacity management.  Without the ability to capture configuration and asset data (e.g., installed applications, system patch levels, and file integrity checks), the role of SIEM tools in the world of compliance automation will be limited to small "wedges" of the compliance universe.  Until SIEM solutions evolve into more comprehensive engines for capturing a broader array of security data, their use will likely continue to be relegated to specific point solutions in customer environments, rather than functioning as enterprise platforms to support enterprise-wide security, risk and compliance.

Next Up: Why scalability becomes increasingly important for SIEM.

On the famous weaknesses of TKIP… [SOURCE Conference Blog]

Posted: 09 Nov 2008 04:05 AM CST

It's Husker Time [BumpInTheWire.com]

Posted: 08 Nov 2008 08:09 AM CST

You know what Saturday means…Husker pick time.  The Kansas Jayhawks (+1) go to Lincoln, Nebraska to take on a team that is almost identical statistically.  Home team wins.

Huskers 40

Jayhawks 34

Worse than the Government [IT Security: The view from here]

Posted: 07 Nov 2008 05:16 PM CST

I've been going to the gym recently, finally shifting some of the weight I put on in Spain, and from being wined and dined by Americans for the last few months. It was a very enjoyable experience getting fat, but getting thin again isn't so bad either, once you get used to it. This is all largely beside the point though.

On my way out of the gym, I booked another appointment with a trainer, a weights workout as today was a cardio session. He logged in to the PC on the front desk, and pointed to a piece of paper, shrugged and said "great security huh?"


"TO ALL LEISURE STAFF, PASSWORD IS 'SUMMER'"

it read. "You do know I'm an IT Security Consultant, right?". He did, we'd just been chatting about it, and it's on my membership form.

"You have to log in twice", he muttered. "That's because it's a Citrix session to another server" I said, ill advisedly, not thinking that the guy who works in the gym may have other interests to me. Bless him, he tried "Oh, really?" he said. "Er, yeah" I replied, realising that I'd made some sort of social faux pas. Again, I've veered off the point.

I got home tonight to find a letter from a medical consultant, whom I have to visit soon. In fact, there were 2 from the same hospital. The first one contained details of a Mrs. X, divorced, 64 years old, with her address, just up the road. She must be reasonably wealthy as it is a private hospital. This is probably enough information for me to blackmail her at the very least. I hate to think what could happen if this got into the wrong hands.

It's not the first time this has happened recently either. A couple of weeks ago, a financial company I use sent me a letter for Mr and Mrs X.'s pension fund, which was sitting at around £250,000. I had their details, address, phone number, and details of their holdings.

This happens all too often. Fortunately I am an honest type, and security conscious. Many are not. Our government being a prime example.

On a more positive note, I was also asked today to take part in a security presentation at Christmas to help the masses understand how easy it is to hack into various accounts with minimal information. I'm looking forward to it, but really need something visually striking so the crowd doesn't get bored. Some fun hacks and something which isn't going to get me into trouble. This could take some time...

Infrastructure 2.0 - Recent Post Roundup [ARCHIMEDIUS]

Posted: 07 Nov 2008 04:07 PM CST

I think it is very likely that network infrastructure will be transformed in coming years by new levels of automation and connectivity intelligence driven by demands from new IT initiatives, from RFID to collaboration, data center virtualization and even cloud computing.  I think we'll call this transformed network infrastructure 2.0.  The following are recent blogs [...]

Sarbanes Oxley, good to hear people questioning [Security Balance]

Posted: 07 Nov 2008 10:23 AM CST

John Pescatore is right when he says that talking about less regulation at this time seems to be not aligned with the current crisis, but the article he is pointing to is very precise on saying that the costs from SOX are pretty high and, as we could see, it wasn’t able to prevent cases like Bear Stearns, Lehman Bros., AIG and Merrill Lynch. Accountants are as creative as lawyers, they will always look for breaches in the controls (laws) to do their magic.

SOX brought a lot of money to Information Security, but it also brought some directed focus on some controls that are not always the most required for all organizations. It would be nice to see a review of the law, verifying its results and actual costs.

US Government Detects Attacks on Obama and McCain Computers [SOURCE Conference Blog]

Posted: 07 Nov 2008 10:18 AM CST

Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied.

…the FBI and the Secret Service came to the campaign with an ominous warning: “You have a problem way bigger than what you understand,” an agent told Obama’s team. “You have been compromised, and a serious amount of files have been loaded off your system.” The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: “You have a real problem … and you have to deal with it.” The Feds told Obama’s aides in late August that the McCain campaign’s computer system had been similarly compromised.

This information demonstrates that the US government has a sophisticated intrusion detection capability. This is likely part of the NSA internet surveillance system that was made public by an AT&T technician in 2006.

It is likely that the system has a set of watch IP ranges that are sensitive from a national security perspective. The campaigns’ computers were probably on this list. The traffic between foreign IP addresses and these watch IPs is then scrutinized for espionage. The pattern of activity flagged would be Microsoft Office documents and PDFs being retrieved or other intruder signs such as an encrypted tunnel with a foreign endpoint.

This shows that the US Government has the capability to detect some types of foreign attacks although they probably have to be selective of the IP ranges they monitor. It’s nice to know that if the White House computers were leaking documents to China or Russia that there is some detection capability, but the fact that this is done at the Internet backbone level means any IP could be targeted and it might not just be to look for foreign intrusions.